Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Data Center Edge Firewall Use Case

Deploy the SRX4700 Firewall at the data center edge to shield ingress-facing applications and services from internet-borne attacks. Configure layered controls and attack-specific policies to block threats effectively and reliably. Integrate with Software-Defined Secure Network (SDSN) framework and Juniper ATP cloud service to use automated intelligence that quickly identifies and mitigates threats across your environment.

Overview

SRX4700 Firewall is designed to secure the perimeter of data centers by providing robust protection through several advanced features. Data centers require an ingress point for clients to access services, making the perimeter a critical area to secure. As a data center edge firewall, the SRX4700 Firewall protects applications by controlling server access while handling high transactional loads, ensuring that critical applications remain secure and operational.

Use the SRX4700 Firewall to effectively block attacks targeting data center services with precision. The SRX Series provides high-performance firewall functionalities, including Screens, IPS, and security intelligence (SecIntel).

For more details see, Data Center Next-Generation Firewall Use Case—Juniper Validated Design (JVD)

Benefits

  • Enhance overall data center security by providing robust control over incoming and outgoing network traffic, thereby preventing unauthorized access and potential breaches.

  • Detect and mitigate advanced threats using a sophisticated IPS, ensuring that vulnerabilities are identified and addressed promptly.

  • Utilize real-time threat intelligence to stay ahead of emerging security threats, enabling proactive protection and reducing the risk of successful attacks.

  • Ensure high availability and minimal downtime through redundancy and failover capabilities, maintaining continuous operation and reliability of critical services.

  • Provides comprehensive protection for high transactional loads, making it suitable for sectors with stringent security demands such as financial services and cloud providers.

Topology

Deploy the SRX4700 Firewall as a data center edge firewall in segments such as financial services, SaaS providers, Web 2.0 and cloud providers for security features such as firewall, server-side IPS, high availability, and threat intelligence.

Figure 1: Data Center Edge Firewall Deployment Data Center Edge Firewall Deployment

  • Each physical port is assigned a role that aligns with the illustration. Interfaces define the firewall’s position in the topology — separating external, internal, and DMZ networks.

    • WAN interface–Connects to the router facing the Internet.

    • LAN interface–Connects to the L2 or L3 Gateway and ultimately to the data center fabric.

    • DMZ interfaces (optional)–For hosting public‑facing servers outside the trusted LAN.

We support Multinode High Availability (MNHA) in active/backup mode and in active/active mode with support of multiple services redundancy groups (SRGs). For the complete list of supported features and platforms, see Multinode High Availability in Feature Explorer.

Table 1: Topology-Aligned Section Mapping
Diagram Block SRX Series Firewall Configuration Section Purpose
Router → Firewall Interfaces, Untrust Zone, Routing Defines WAN connectivity and default route
Firewall Zones, Policies, NAT Controls all traffic between the Internet and the data center
Firewall → L2 or L3 Gateway Interfaces, Trust Zone Secures connection to the internal data center network
Switching and Servers Policies, NAT, Logging Manages how internal workloads connect externally

Baseline Configurations

The baseline configurations in this topic provide a foundational template that helps standardize deployments, improve operational reliability, and accelerate secure onboarding of the SRX4700 Firewall in a data center edge architecture.

Security Zones and Policies

The SRX4700 Firewall ships with a factory-default configuration that includes two security zones (trust and untrust), a default outbound permit policy from trust to untrust, and source NAT configured on the trust zone.

Security Zone

Security zones are the foundation of policy configuration. Security zones logically group interfaces based on trust level. All security policies in Junos OS are zone-based. You must assign traffic to zones before the policy can permit or deny it.

You can configure up to 2000 interfaces within a security zone. Define zones for your data center edge deployment (for example, internal, external, and DMZ zones).

Define what traffic is allowed between zones.

  • trust to → untrust–Allows data center servers or users to reach the Internet.

  • untrust to DMZ–Permits selective inbound traffic to public services (example: HTTP).

  • Default Deny–Blocks all other interzone traffic not explicitly allowed.

On the SRX4700 Firewall, you can configure security zones:

Define Security Policies Between Zones

  • You configure security policies in a from-zone to to-zone direction. Each policy contains:

    • A policy name
    • Match criteria (source address, destination address, application)
    • Actions (permit or deny)

    To allow traffic between zones, configure directional policies:

  • Configure bidirectional traffic flow: To allow traffic in both directions, you must configure separate policies for each direction. For example, configure a deny-all policy from untrust to trust if inbound traffic should be restricted.

  • Verify your configuration using the show security zones and the show security policies commands.

For more information, see Configuring Security Policies.

NAT

Source NAT allows internal servers (10.10.10.0/24) to access the Internet using the firewall’s public IP address. Use destination NAT when you want to expose internal or DMZ-hosted servers to the Internet (for example, a webserver).

  • Use the firewall between private data center networks and the router.
  • NAT ensures private IP addresses remain hidden and routable only internally.

Source NAT Configuration

Use the commit check command, then show security nat source summary command, and then the show security flow session command to verify your configurations.

For destination and static NAT, add rules accordingly, see Network Address Translation User Guide.

Carrier-Grade NAT

SRX4700 Firewall supports CGNAT from Junos OS Release 24.4R1 and later.

To configure CGNAT on SRX4700 Firewall, use the standard Junos OS NAT configuration hierarchy under edit security nat]

  1. Create a Source NAT Pool

  2. Configure Source NAT Rule Set

  3. Create Security Policies

Verify your configuration using the show security nat source rule all , show security nat source pool, and the show services carrier-nat statistics command.

Advanced Layer 7 Security Features

  • IDP or IPS: The intrusion prevention system on the SRX4700 Firewall, which is part of Junos OS security services, detects and prevents network attacks by inspecting traffic against signature databases, anomaly detection, and custom rules. Enable IPS in the security policy and then in actions. The configuration supports Layer 7 signature updates.

    • IDP security packages on SRX4700 Firewall requires dedicated security commands, not the general request system software add which is for Junos OS, firmware, or other system packages.

      • Download: Use the request security idp security-package download command to download the package.

      • Install: Use the request security idp security-package install command to install it.

      • Verify: Use the request security idp security-package install status command to verify or rollback if needed.

    • Configure IDP policy (create a basic rulebase).

    • To configure match attacks predefined-attacks in an IDP policy on Juniper SRX Series Firewalls (including SRX4700 Firewall), use the predefined-attacks and predefined-attack-groups statements under the rulebase-ips match conditions.

      Basic Configuration Syntax

      Example: Matching Specific Predefined Attacks

      • Predefined attacks are part of Juniper's IDP signature database, updated regularly with new attack patterns.

      • Use ordered match for compound attacks requiring specific sequence.

      • Activate the policy after configuration using the set security idp active-policy <policy-name> CLI command.

      • View available predefined attacks or groups using the [edit security idp idp-policy] CLI command.

      • Requires IDP license and signature package installation

    • Commit and verify the configurations:

  • ATP Cloud/ICAP: Juniper ATP Cloud integrates with SRX4700 Firewall for Juniper ATP, including Internet Content Adaptation Protocol (ICAP) for malware analysis at the data center edge. Use the Juniper ATP Cloud op script for automated enrollment, certificates, and connection setup.

    Prerequisites

    • Internet access from Routing Engine (control plane) and Packet Forwarding Engine (data plane).
    • Licenses for ATP Cloud using Juniper Security Director or the Junos OS CLI.
    • Onboard the SRX 4700 using Security Director Cloud or SZTP for simplified setup.

    1. Certificates and SSL profiles:

    2. Advanced anti-malware (AAMW) policy (ICAP Integration):

    3. Juniper Security Director Cloud integration: Enroll devices automatically; manage ATP using the portal (CLI not required post-enrollment).

    4. SSL proxy (Layer 7 decryption): For encrypted traffic inspection, use:

      1. SSL Proxy Profile Configuration

      2. Apply to security policies:

Multinode High Availability (MNHA)

At the data center edge, redundancy is critical—firewall failure must not take down the data center. If you are deploying dual SRX4700 Firewalls, use MNHA to provide failover, redundant control and data planes, and continuous traffic flow during maintenance or failures.

Configure MNHA on both nodes. Use configuration groups for scalability if needed.

  1. Enable configuration synchronization (for common configuration such as NAT rules/pools):

    Verify your configuration using the commands:

    • show system commit: Check sync status and history.
    • show system commit peers: List configured peers.
    • show | compare: View pending changes before sync.

  2. Services Redundancy Groups (SRGs) are failover units in Multinode High Availability (MNHA) on SRX4700, managing security services such as IPsec VPN, NAT, and firewall policies in active/active (SRG0) or active/backup (SRG1+) modes. SRG0 handles L4 through L7 services (except IPsec VPN) in active/active with stateful synchronization, while SRG1+ manages IPsec and virtual IPs with options for monitoring and failover.

    Configure SRGs (basic SRG configuration (Layer 3 MNHA example)

    1. Configure on both SRX4700 nodes after enabling MNHA (set chassis high-availability mode multinode). Use config groups for synchronization using the commit peers and commit synchronize.

    2. SRG1 (data plane services, active/active with signal routes):
    3. SRG0 (control plane, active/backup):

    4. Integrate with zones, policies, NAT, and IPsec:

      • Assign interfaces/zones, apply security policies/NAT pools identically.
      • Allow IKE/SSH on ICL zone for encryption/sync.
      • Use BGP/static routes for floating IP advertisement (example: metric for path preference)

    • Create dedicated virtual routers for signal routes:

  3. Interfaces and zones (example for ICL and revenue ports): Assign revenue interfaces to security zones. For interchassis links (ICLs), use Gigabit Ethernet ports in a routing instance for segmentation.

  4. Monitoring and failover options (SRG1) Activeness probing, BFD, IP/interface monitoring:
  5. Verify and commit:

For more information, see Multinode High Availability

Zero-Trust Security

The SRX4700 Firewall supports built-in secure zero-trust capabilities and microsegmentations through its integration with Juniper's security architecture, enabling granular policy enforcement and threat prevention in data centers and enterprise networks.

Key features include:

  • Embedded Trusted Platform Module (TPM) 2.0 and cryptographically signed 802.1AR-standard device identity (DevID) for device trust and anti-spoofing.
  • RFC-compliant secure zero-trust provisioning (SZTP) for secure, remote deployment.
  • Wire-speed MACsec on all ports (up to 400 Gbps interfaces) for data integrity and confidentiality.
  • AI-Predictive Threat Prevention using machine learning for custom signatures, line-rate anti-malware, and protection against known/zero-day threats.
  • Integration with Juniper ATP Cloud for advanced threat mitigation, including zero-day detection without breaking encryption.

These features enable zero-trust by verifying every connection, enforcing policies that follow users, devices, and applications providing network-wide visibility.

For more information, see Juniper Zero Trust Data Center Solution Brief.

Microsegmentation

Microsegmentation is achieved through security policy enforcement at the fabric edge, leveraging:

  • EVPN-VXLAN fabric integration to secure tunnels without breaking them, simplifying configuration for data center segmentation.
  • Follow-the-user and follow-the-application policies with intrusion prevention system (IPS) for granular control.
  • Unified policy management through Juniper Security Director Cloud, supporting scalable segmentation across hybrid environments.
  • High-performance throughput (up to 1.4-Tbps IMIX) and multinode high availability (MNHA) for resilient microsegmented deployments.

Microsegmentation protects data centers by extending security to every connection point, with horizontal scaling and single-policy frameworks.

For configuration, use Junos OS features such as security policies, zones, and ATP integration through J-Web, Junos OS CLI, or Juniper Security Director.

See Tunnel Inspection for EVPN-VXLAN by SRX Series Devices.