Junos OS Features Supported on vSRX Virtual Firewall
SUMMARY This topic provides details of the Junos OS features supported and not supported on vSRX Virtual Firewall.
SRX Series Features Supported on vSRX Virtual Firewall
vSRX Virtual Firewall inherits most branch SRX Series features, with the considerations listed in Table 1.
To determine the Junos OS features supported on vSRX Virtual Firewall, use the Juniper Networks Feature Explorer, a Web-based application that helps you explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer: vSRX.
Table 1: SRX Series Features Supported on vSRX Virtual Firewall

Feature | Description
---|---
IDP | The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key. For SRX Series IDP configuration details, see Understanding Intrusion Detection and Prevention for SRX Series.
IPsec VPNs | Starting in Junos OS Release 19.3R1, vSRX Virtual Firewall supports further authentication and encryption algorithms (the list is not reproduced here). Starting in Junos OS Release 20.3R1, vSRX Virtual Firewall supports 10,000 IPsec VPN tunnels. To support this number of tunnels, a minimum of 19 vCPUs is required, of which 3 vCPUs must be dedicated to the Routing Engine (RE); the number of vCPUs allocated to the Junos Routing Engine is configurable. Note: 64 GB of memory is required to support 10,000 tunnels in PowerMode IPsec (PMI) mode. The tunnel-scaling limits are listed in the next table. [See show security ipsec security-associations, show security ike tunnel-map, and show security ipsec tunnel-distribution.]

IPsec VPN tunnel scaling on vSRX Virtual Firewall

Type of tunnel or SA | Number supported
---|---
Site-to-site VPN tunnels | 2,000
AutoVPN tunnels | 10,000
IKE SAs (site-to-site) | 2,000
IKE SAs (AutoVPN) | 10,000
IKE SAs (site-to-site + AutoVPN) | 10,000
IPsec SA pairs (site-to-site) | 10,000 (2,000 IKE SAs can carry 10,000 IPsec SA pairs)
IPsec SA pairs (AutoVPN) | 10,000
IPsec SA pairs (site-to-site + AutoVPN) | 2,000 site-to-site + 8,000 AutoVPN
Site-to-site + AutoVPN tunnels | 2,000 site-to-site + 8,000 AutoVPN
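A pre-deployment sizing check that applies the tunnel-scaling limits and the 19-vCPU / 3-RE-vCPU / 64 GB (PMI) requirement above, as an added example for this page. It is not Juniper code and does not query a device; `VsrxPlan` and `check_plan` are hypothetical names, and the sample plans are constructed. Two readings go beyond what the page states and are marked as assumptions in the code: the resource requirement is given only for the 10,000-tunnel scale, so it is applied to any plan above 2,000 tunnels; and the mixed figure "2,000 site-to-site + 8,000 AutoVPN" is treated as a cap of 8,000 AutoVPN tunnels whenever site-to-site tunnels are also configured.

```python
"""Pre-deployment sizing check for vSRX Virtual Firewall IPsec tunnel scale.

Added example for this page; not Juniper code, and it does not talk to a
device. It encodes the tunnel-scaling limits stated above (Junos OS Release
20.3R1 and later) and reports every limit a planned deployment would exceed.

Assumptions that go beyond the page:
  * The 19-vCPU / 3-RE-vCPU / 64 GB (PMI) requirement is stated only for the
    10,000-tunnel scale, so it is applied to any plan above 2,000 tunnels.
  * The mixed figure "2,000 site-to-site + 8,000 AutoVPN" is read as a cap of
    8,000 AutoVPN tunnels whenever site-to-site tunnels are also configured.
"""
from dataclasses import dataclass

SITE_TO_SITE_MAX = 2_000        # site-to-site tunnels and their IKE SAs
AUTOVPN_MAX = 10_000            # AutoVPN tunnels and their IKE SAs
AUTOVPN_MAX_WHEN_MIXED = 8_000  # AutoVPN share when site-to-site is present
TOTAL_MAX = 10_000              # all tunnels / IKE SAs combined
IPSEC_SA_PAIRS_MAX = 10_000     # IPsec SA pairs, per type and combined
SMALL_SCALE_MAX = 2_000         # assumption: above this the 10k sizing applies
FULL_SCALE_MIN_VCPUS = 19
FULL_SCALE_RE_VCPUS = 3
FULL_SCALE_MIN_PFE_VCPUS = FULL_SCALE_MIN_VCPUS - FULL_SCALE_RE_VCPUS  # 16
FULL_SCALE_PMI_MIN_MEM_GB = 64


@dataclass(frozen=True)
class VsrxPlan:
    site_to_site: int    # site-to-site tunnels (one IKE SA each)
    autovpn: int         # AutoVPN tunnels (one IKE SA each)
    ipsec_sa_pairs: int  # IPsec SA pairs expected across all tunnels
    vcpus: int           # vCPUs assigned to the VM
    re_vcpus: int        # vCPUs reserved for the Routing Engine
    memory_gb: int       # guest memory
    pmi: bool            # PowerMode IPsec enabled


def check_plan(plan: VsrxPlan) -> list:
    """Return (code, message) pairs for every violated limit; [] if the plan fits."""
    problems = []
    total = plan.site_to_site + plan.autovpn

    if plan.site_to_site > SITE_TO_SITE_MAX:
        problems.append(("site_to_site_max",
                         f"{plan.site_to_site} site-to-site tunnels exceed {SITE_TO_SITE_MAX}"))
    if plan.autovpn > AUTOVPN_MAX:
        problems.append(("autovpn_max",
                         f"{plan.autovpn} AutoVPN tunnels exceed {AUTOVPN_MAX}"))
    if plan.site_to_site and plan.autovpn > AUTOVPN_MAX_WHEN_MIXED:
        problems.append(("mixed_autovpn_max",
                         f"with site-to-site tunnels present, AutoVPN is capped at {AUTOVPN_MAX_WHEN_MIXED}"))
    if total > TOTAL_MAX:
        problems.append(("total_max", f"{total} tunnels in total exceed {TOTAL_MAX}"))
    if plan.ipsec_sa_pairs > IPSEC_SA_PAIRS_MAX:
        problems.append(("ipsec_sa_pairs_max",
                         f"{plan.ipsec_sa_pairs} IPsec SA pairs exceed {IPSEC_SA_PAIRS_MAX}"))

    # Resource requirements for the large-scale tunnel count (see assumptions).
    if total > SMALL_SCALE_MAX:
        if plan.vcpus < FULL_SCALE_MIN_VCPUS:
            problems.append(("vcpus", f"{plan.vcpus} vCPUs < {FULL_SCALE_MIN_VCPUS} required"))
        if plan.re_vcpus < FULL_SCALE_RE_VCPUS:
            problems.append(("re_vcpus", f"{plan.re_vcpus} RE vCPUs < {FULL_SCALE_RE_VCPUS} required"))
        if plan.vcpus - plan.re_vcpus < FULL_SCALE_MIN_PFE_VCPUS:
            problems.append(("pfe_vcpus",
                             f"only {plan.vcpus - plan.re_vcpus} vCPUs left for the PFE; "
                             f"{FULL_SCALE_MIN_PFE_VCPUS} needed"))
        if plan.pmi and plan.memory_gb < FULL_SCALE_PMI_MIN_MEM_GB:
            problems.append(("memory_pmi",
                             f"{plan.memory_gb} GB < {FULL_SCALE_PMI_MIN_MEM_GB} GB required for PMI at this scale"))
    return problems


def plan_fits(plan: VsrxPlan) -> bool:
    """True when no limit is violated."""
    return not check_plan(plan)


if __name__ == "__main__":
    # Constructed sample plans, not measurements from any device.
    samples = {
        "max mixed": VsrxPlan(2_000, 8_000, 10_000, 19, 3, 64, True),
        "pmi undersized": VsrxPlan(0, 10_000, 10_000, 19, 3, 32, True),
        "too many s2s": VsrxPlan(2_500, 0, 2_500, 19, 3, 64, False),
    }
    for name, plan in samples.items():
        print(f"{name}: {'OK' if plan_fits(plan) else 'FAIL'}")
        for code, msg in check_plan(plan):
            print(f"  {code}: {msg}")
```

Run the check before committing a large AutoVPN or site-to-site rollout; after deployment, confirm the live numbers with the show commands the page cites (show security ipsec security-associations, show security ike tunnel-map, and show security ipsec tunnel-distribution) rather than trusting the plan.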
Table 1 (continued)

Feature | Description
---|---
ISSU | ISSU is not supported.
Logical Systems | Starting in Junos OS Release 20.1R1, you can configure logical systems and tenant systems on vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 instances. With Junos OS, you can partition a single security device into multiple logical devices that perform independent tasks. Each logical system has its own discrete administrative domain, logical interfaces, routing instances, security firewall, and other security features.
PowerMode IPsec | Starting in Junos OS Release 20.1R1, vSRX Virtual Firewall 3.0 instances support PowerMode IPsec (PMI), which improves IPsec performance using Vector Packet Processing (VPP) and Intel AES-NI instructions. PowerMode IPsec is a small software block inside the SRX Packet Forwarding Engine (PFE) that is activated when PowerMode is enabled. The lists of supported and non-supported features in PowerMode IPsec are not reproduced here.
Ethernet Switching and Bridging | Starting in Junos OS Release 22.1R1, vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 instances deployed on KVM and VMware platforms support flexible VLAN tagging on revenue and reth interfaces. Flexible VLAN tagging allows 802.1Q single-tagged VLAN frames to be transmitted on logical interfaces of an Ethernet port, which avoids provisioning multiple virtual functions on the network interface card (NIC) and reduces the need for additional interfaces. [See Configuring VLAN Tagging and flexible-vlan-tagging (Interfaces).]
Tenant Systems | Starting in Junos OS Release 20.1R1, you can configure tenant systems on vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 instances. A tenant system provides logical partitioning of the SRX Series Firewall into multiple domains, similar to logical systems, and provides high scalability.
Transparent mode | The known behaviors for transparent mode support on vSRX Virtual Firewall are not reproduced here. For information about configuring transparent mode for vSRX Virtual Firewall, see Layer 2 Bridging and Transparent Mode Overview.
Content Security |
Tunnels | Only GRE and IP-IP tunnels are supported.
Some Junos OS software features require a license to activate them. To learn more about vSRX Virtual Firewall licenses, see Licenses for vSRX. Refer to the Licensing Guide for general information about license management and to the product data sheets for further details, or contact your Juniper account team or Juniper partner.
SRX Series Features Not Supported on vSRX Virtual Firewall
vSRX Virtual Firewall inherits many features from the SRX Series Firewall product line. Table 2 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX Virtual Firewall.
Table 2: SRX Series Features Not Supported on vSRX Virtual Firewall

Category | SRX Series Feature | vSRX Virtual Firewall Notes
---|---|---
Application Layer Gateways | Avaya H.323 | Not supported
Authentication with IC Series devices | Layer 2 enforcement in UAC deployments | Not supported. Note: UAC-IDP and UAC-Content Security are also not supported.
Chassis cluster | Chassis cluster support | Qualified support. Note: Chassis clustering for network node redundancy is available only for vSRX Virtual Firewall deployments on Contrail, VMware, KVM, and Windows Hyper-V Server 2016.
Chassis cluster | Chassis cluster for VirtIO driver | Only supported with KVM. Note: The link status of VirtIO interfaces is always reported as UP, so a vSRX Virtual Firewall chassis cluster cannot receive link-up and link-down messages from VirtIO interfaces. A failed VirtIO link therefore does not trigger interface-monitoring failover; upstream reachability has to be tracked another way (for example, IP monitoring).
Chassis cluster | Dual control links | Not supported
Chassis cluster | In-band and low-impact cluster upgrades | Not supported
Chassis cluster | LAG and LACP (Layer 2 and Layer 3) | Not supported
Chassis cluster | Layer 2 Ethernet switching | Not supported
Chassis cluster | Low-latency firewall | Not supported
Class of service | High-priority queue on SPC | Not supported
Tunnels | GRE, IP-IP, and multicast on Microsoft Azure | Not supported: a vSRX Virtual Firewall VM deployed on Microsoft Azure Cloud does not support GRE, IP-IP, or multicast.
Data plane security log messages (stream mode) | TLS protocol | Not supported
Diagnostic tools | Flow monitoring cflowd version 9 | Not supported
Diagnostic tools | Ping Ethernet (CFM) | Not supported
Diagnostic tools | Traceroute Ethernet (CFM) | Not supported
DNS proxy | Dynamic DNS | Not supported
Ethernet link aggregation | LACP in standalone or chassis cluster mode | Not supported
Ethernet link aggregation | Layer 3 LAG on routed ports | Not supported
Ethernet link aggregation | Static LAG in standalone or chassis cluster mode | Not supported
Ethernet link fault management | Physical interface (encapsulations) | Not supported
Ethernet link fault management | Interface family | Not supported
Flow-based and packet-based processing | End-to-end packet debugging | Not supported
Flow-based and packet-based processing | Network processor bundling |
Flow-based and packet-based processing | Services offloading |
Interfaces | Aggregated Ethernet interface | Not supported
Interfaces | IEEE 802.1X dynamic VLAN assignment | Not supported
Interfaces | IEEE 802.1X MAC bypass | Not supported
Interfaces | IEEE 802.1X port-based authentication control with multisupplicant support | Not supported
Interfaces | Interleaving using MLFR | Not supported
Interfaces | PoE | Not supported
Interfaces | PPP interface | Not supported
Interfaces | PPPoE-based radio-to-router protocol | Not supported
Interfaces | PPPoE interface | Not supported before Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1. Note: Starting in those releases, vSRX Virtual Firewall supports the Point-to-Point Protocol over Ethernet (PPPoE) interface.
Interfaces | Promiscuous mode on interfaces | Only supported if enabled on the hypervisor
IPsec and VPNs | Acadia - Clientless VPN | Not supported
IPsec and VPNs | DVPN | Not supported
IPsec and VPNs | Hardware IPsec (bulk crypto) Cavium/RMI | Not supported
IPsec and VPNs | IPsec tunnel termination in routing instances | Supported on virtual router only
IPsec and VPNs | Multicast for AutoVPN | Not supported
IPv6 support | DS-Lite concentrator (also called Address Family Transition Router [AFTR]) | Not supported
IPv6 support | DS-Lite initiator (also called B4) | Not supported
J-Web | Enhanced routing configuration | Not supported
J-Web | New Setup wizard (for new configurations) | Not supported
J-Web | PPPoE wizard | Not supported
J-Web | Remote VPN wizard | Not supported
J-Web | Rescue link on dashboard | Not supported
J-Web | Content Security configuration for Kaspersky antivirus and the default Web filtering profile | Not supported
Log file formats for system (control plane) logs | Binary format (binary) | Not supported
Log file formats for system (control plane) logs | WELF | Not supported
Miscellaneous | GPRS | Not supported before Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1. Note: Starting in those releases, vSRX Virtual Firewall supports GPRS.
Miscellaneous | Hardware acceleration | Not supported
Miscellaneous | Outbound SSH | Not supported
Miscellaneous | Remote instance access | Not supported
Miscellaneous | USB modem | Not supported
Miscellaneous | Wireless LAN | Not supported
MPLS | Circuit cross-connect (CCC) and translational cross-connect (TCC) | Not supported
MPLS | Layer 2 VPNs for Ethernet connections | Only if promiscuous mode is enabled on the hypervisor
Network Address Translation | Maximize persistent NAT bindings | Not supported
Packet capture | Packet capture | Only supported on physical interfaces and tunnel interfaces such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet (reth) interfaces.
Routing | BGP extensions for IPv6 | Not supported
Routing | BGP Flowspec | Not supported
Routing | BGP route reflector | Not supported
Routing | CRTP | Not supported
Switching | Layer 3 Q-in-Q VLAN tagging | Not supported
Transparent mode | Content Security | Not supported
Content Security | Express AV | Not supported
Content Security | Kaspersky AV | Not supported
Upgrading and rebooting | Autorecovery | Not supported
Upgrading and rebooting | Boot instance configuration | Not supported
Upgrading and rebooting | Boot instance recovery | Not supported
Upgrading and rebooting | Dual-root partitioning | Not supported
Upgrading and rebooting | OS rollback | Not supported
User interfaces | NSM | Not supported
User interfaces | SRC application | Not supported
User interfaces | Junos Space Virtual Director | Only supported with VMware