SRX4600 Services Gateway

Download Datasheet

Product Overview

The SRX4600 Services Gateway is a high-performance, next-generation firewall and hardware-accelerated security gateway offering up to 400 Gbps of firewall performance that supports the changing needs of cloud-enabled enterprise and service provider networks. The SRX4600 allows organizations to roll out new services in an enterprise data center or campus, connect to the cloud, comply with industry standards, deploy distributed security gateways, or offer high-scale multitenant security services. The SRX4600 helps organizations realize their business objectives while providing scalability, high availability, ease of management, secure connectivity, and advanced threat mitigation capabilities.

Product Description

The Juniper Networks® SRX4600 Services Gateway protects mission-critical data center and campus networks for enterprises, mobile service providers, and cloud service providers. Designed for high-performance security services architectures, the SRX4600 protects critical corporate IT assets as a next-generation firewall (NGFW), acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience.

Integrating networking and security in a single platform, the SRX4600 features multiple high-speed interfaces, intrusion prevention, advanced threat protection, and authentication, along with high-performance IPsec VPN and Internet gateway capabilities. It also offers high scalability, high availability, robust protection, application visibility, user identification, and deep content inspection to provide unparalleled control over the security infrastructure.

The SRX4600 also acts as a central enforcement point, leveraging vital automation and actionable intelligence to protect users in a multivendor network environment. The SRX4600 also delivers fully automated SD-WAN to both enterprises and service providers. Due to its high performance and scale, the SRX4600 acts as a VPN hub and terminates VPN/secure overlay connections in various SD-WAN topologies.

The SRX4600 is powered by Juniper Networks Junos® operating system, the industry-leading OS that keeps the world’s largest mission-critical enterprise and service provider networks secure.

Architecture and Key Components

The SRX4600 hardware and software architecture provides cost-effective security in a small 1 U form factor. Purpose-built to protect network environments and provide Internet Mix (IMIX) firewall throughput up to 75 Gbps, the SRX4600 incorporates multiple security services and networking functions on top of Junos OS. Best-in-class security and advanced threat mitigation capabilities on the SRX4600 are offered as 60 Gbps of NGFW, 65 Gbps of intrusion prevention system (IPS), and up to 16 Gbps of IPsec VPN in data center, enterprise campus, and regional headquarter deployments with IMIX traffic patterns.

Table 1. SRX4600 Statistics¹
1 Performance, capacity, and features listed are based on systems running Junos OS 19.3R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
2 NGFW is a combination of advanced features such as application security, IPS, and URLF in addition to the foundational services such as logging and stateful firewall.
Performance SRX4600
Firewall throughput 95 Gbps
Firewall throughput – IMIX with Express Path 400 Gbps
Firewall throughput—IMIX 75 Gbps
Firewall throughput with application security 90 Gbps
IPsec VPN throughput—IMIX/1400 B 16/55 Gbps
Intrusion prevention system (IPS) 65 Gbps
NGFW2 throughput 60 Gbps
Connections per second 600,000
Maximum session 60 million

The SRX4600 recognizes more than 3500 applications and nested applications in plain text or SSL-encrypted transactions. The firewall also integrates with Microsoft Active Directory and combines user information with application data to provide network-wide application and user visibility and control.

Features and Benefits

Table 2. SRX4600 Features and Benefits
Business Requirement Feature/Solution SRX4600 Advantages
High performance Up to 95 Gbps of firewall throughput (up to 75 Gbps of IMIX firewall throughput)
  • Best suited for enterprise campus and data center edge deployments
  • Ideal for secure router/VPN concentrator deployments at the head office
  • Addresses diverse needs and scales for service provider deployments
High-quality end-user experience Application visibility and control
  • Detects 3500+ L3-L7 applications, including Web 2.0
  • Controls and prioritizes traffic based on application and use role
  • Inspects and detects applications inside SSL-encrypted traffic
Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance
  • Provides real-time updates to IPS signatures and protects against exploits
  • Implements industry-leading antivirus and URL filtering
  • Delivers open threat intelligence platform that integrates with third-party feeds
  • Protects against zero-day attacks
  • Stops rogue and compromised devices to disseminate malware
  • Restores visibility lost due to encryption, without the heavy burden of full TLS/SSL decryption
Professional-grade networking services Routing, secure wire
  • Supports carrier-class advanced routing and quality of service (QoS)
Highly secure IPsec VPN, Remote access/SSL VPN
  • Provides high-performance IPsec VPN with dedicated crypto engine
  • Offers diverse VPN options for various network designs, including remote access and dynamic site-to-site communications
  • Simplifies large VPN deployments with auto VPN
  • Includes hardware-based crypto acceleration
  • Secure and flexible remote access SSL VPN with Juniper Secure Connect
Highly reliable Chassis cluster, redundant power supplies
  • Provides stateful configuration and session synchronization
  • Supports active/active and active/backup deployment scenarios
  • Offers highly available hardware with redundant power supply unit (PSU) and fans
Easy to manage and scale On-box GUI, Juniper Networks Junos Space® Security Director
  • Enables centralized management for autoprovisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
  • Includes simple, easy-to-use on-box GUI for local management
Low TCO Junos OS
  • Integrates routing and security in a single device
  • Reduces OpEx with Junos OS automation capabilities

Software Specifications

Firewall Services

  • Stateful and stateless firewall
  • Zone-based firewall
  • Screens and distributed denial of service (DDoS) protection
  • Protection from protocol and traffic anomalies
  • Unified Access Control (UAC)

Network Address Translation (NAT)

  • Source NAT with Port Address Translation (PAT)
  • Bidirectional 1:1 static NAT
  • Destination NAT with PAT
  • Persistent NAT
  • IPv6 address translation
  • Port Block Allocation method for CGNAT
  • Deterministic NAT

VPN Features

  • Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)
  • Juniper Secure Connect: Remote access/SSL VPN
  • Configuration payload: Yes
  • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
  • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
  • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
  • IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
  • IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
  • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
  • Perfect forward secrecy, anti-reply
  • Internet Key Exchange: IKEv1, IKEv2
  • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
  • VPNs GRE, IP-in-IP, and MPLS

High Availability Features

  • Virtual Router Redundancy Protocol (VRRP)—IPv4 and IPv6
  • Stateful high availability:
    • HA clustering
      • Active/active
      • Active/passive
      • Dual MACsec-enabled HA control ports (10GbE)
      • Dual MACsec-enabled HA fabric ports (10GbE)
    • Configuration synchronization
    • Firewall session synchronization
    • Device/link detection
    • Unified in-service software upgrade (unified ISSU)
  • IP monitoring with route and interface failover

Application Security Services3

  • Application visibility and control
  • Application-based firewall
  • Application QoS
  • Advanced/application policy-based routing (APBR)
  • Application Quality of Experience (AppQoE)
  • Application-based multipath routing
  • User-based firewall

Threat Defense and Intelligence Services3

  • IPS
  • Antivirus
  • Antispam
  • Category/reputation-based URL filtering
  • SSL proxy/inspection
  • Protection from botnets (command and control)
  • Adaptive enforcement based on GeoIP
  • Juniper ATP, a cloud-based SaaS offering, to detect and block zero-day attacks
  • Adaptive Threat Profiling
  • Encrypted Traffic Insights
  • SecIntel to provide threat intelligence
  • Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks

Routing Protocols

  • IPv4, IPv6, static routes, RIP v1/v2
  • OSPF/OSPF v3
  • BGP with route reflector
  • IS-IS
  • Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)

QoS Features

  • Support for 802.1p, DiffServ code point (DSCP)
  • Classification based on interface, bundles, or multifield filters
  • Marking, policing, and shaping
  • Classification and scheduling
  • Weighted random early detection (WRED)
  • Guaranteed and maximum bandwidth

Network Services

  • Dynamic Host Configuration Protocol (DHCP) client/server/relay
  • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
  • Juniper real-time performance monitoring (RPM) and IP monitoring
  • Juniper flow monitoring (J-Flow)

Management, Automation, Logging, and Reporting

  • SSH, Telnet, SNMP
  • Smart image download
  • Juniper CLI and Web UI
  • Junos Space Security Director
  • Python
  • Junos OS events, commit, and OP scripts
  • Application and bandwidth usage reporting
  • Debug and troubleshooting tools
3Offered as advanced security subscription license

Hardware Specifications

Table 3. SRX4600 Hardware Specifications
4 There are eight dedicated 1GbE/10GbE ports.  The four 40GbE/100GbE ports can use breakout cables to create 4x1GbE/10GbE (SFP+) ports each, resulting in a total of 24x 1GbE/10GbE ports.
5 Throughput numbers based on UDP packets and RFC2544 test methodology
6 Throughput numbers based on HTTP traffic with 44 KB transaction size and up to the numbers captured here
7 IPv6 FIB scale is with 32-bit mask
 
Specification SRX4600
Total onboard I/O ports Up to 24x1GbE/10GbE (SFP+)4
4x40GbE/100GbE (QSFP28)
Out-of-Band (OOB) management ports RJ-45 (1 Gbps)
Dedicated high availability (HA) ports 2x1GbE/10GbE (SFP+) Control
2x1GbE/10GbE (SFP+) Data
Console RJ-45 (RS232)
USB 2.0 ports (Type A) 1
Memory and Storage
System memory (RAM) 256 GB
Secondary storage (SSD) 2x 1 TB M.2 SSD
Dimensions and Power
Form factor 1 U
Size (WxHxD) 17.4 x 1.7 x 26.5 in (44.19 x 4.32 x 67.31 cm)
With AC PEMs: 17.4 x 1.7 x 27.29 in (44.19 x 4.32 x 69.32 cm)
With DC PEMs: 17.4 x 1.7 x 29.20 in (44.19 x 4.32 x 74.17 cm)
Weight (system and 2 power entry modules) With AC PEMs: 38 lb (17.24 kg)
Shipping weight: 45.47 lb (20.62 kg)
With DC PEMs: 40 lb (18.14 kg)
Shipping weight: 47.47 lb (21.53 kg)
Redundant PSU 1+1
Power supply 2x 1600 W AC-DC PSU redundant
2x 1100 W DC-DC PSU redundant
Average power consumption 650 W
Average heat dissipation 2218 BTU/hour
Maximum current consumption 12 A (for 110 V AC power)
6 A (for 220 V AC power)
24 A (for -48 V DC power)
Precision Time Protocol Timing Ports
Time of day - RS-232 (EIA-23) 1xRJ-45
BITS clock 1xRJ-48
10-MHz timing connector (GNSS) 1xInput (COAX)
1xOutput (COAX)
Pulse per second connection (1-PPS) 1xInput (COAX)
1xOutput (COAX)
Environmental and Regulatory Compliance
Acoustic noise level 69 dBA at normal fan speed,87 dBA at full fan speed
Airflow/cooling Front to back
Operating temperature 32° to 104° F (0° to 40° C)
Operating humidity 5% to 90% noncondensing
Meantime between failures (MTBF)111,626 hours (12.75 years) 111,626 hours (12.75 years)
FCC classification Class A
RoHS compliance RoHS 2
NEBS compliance Designed for NEBS Level 3
Performance
Routing/firewall (64 B packet size) throughput Gbps4 16 Gbps
Routing/firewall (IMIX packet size) throughput Gbps4 75 Gbps
Routing/firewall (1518 B packet size) throughput Gbps4 95 Gbps
IPsec VPN (IMIX packet size) Gbps4 16 Gbps
IPsec VPN (1400 B packet size) Gbps4 55 Gbps
Application security performance in Gbps5 90 Gbps
Recommended IPS in Gbps6 65 Gbps
Next-generation firewall in Gbps6 60 Gbps
Connections per second (CPS) 600,000
Maximum security policies 80,000
Maximum concurrent sessions (IPv4 or IPv6) 60 million
Route table size (RIB/FIB) (IPv4 or IPv67) 4 million/1.2 million
IPsec tunnels 7500
Number of remote access/SSL VPN (concurrent) users 7500

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For services information specific to SRX Series Services Gateways, please read the Firewall Conversion Service or the SRX Series QuickStart Service datasheets. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information

To order Juniper Networks SRX Series Services Gateways, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/.

7 Based on concurrent users; two free licenses included
Description SRX4600-SYS-JB
Hardware Included
Management (CLI, J-Web, SNMP, Telnet, SSH) Included
L2 transparent, secure wire Included
Routing (RIP, OSPF, BGP, virtual router) Included
Multicast (IGMP, PIM, SSDP, DMVRP) Included
Packet mode Included
Overlay (GRE, IP-IP) Included
Network services (J-Flow, DHCP, QoS, BFD) Included
Stateful firewall, screens, application-level gateways (ALGs) Included
NAT (static, SNAT, DNAT) Included
IPsec VPN (site-site VPN, auto VPN, group VPN) Included
Remote access/SSL VPN (concurrent users)7 Optional
Firewall policy enforcement (UAC, Aruba CPPM) Included
Chassis cluster, VRRP, unified ISSU Included
Automation (Junos OS scripting, auto-installation) Included
General Packet Radio Service (GPRS)/GPRS tunneling protocol (GTP)/Stream Control Transmission Protocol (SCTP) Included
Application security (AppID, AppFW, AppQoS, AppQoE, AppRoute) Optional

Base Systems

Product Number Description
SRX4600-SYS-JB-AC SRX4600 Services Gateway includes hardware (4x100GbE, 8x10GbE, two AC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)
SRX4600-SYS-JB-DC SRX4600 Services Gateway includes hardware (4x100GbE, 8x10GbE, two DC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)

All systems include dual (redundant) AC or DC power supplies, five (4+1) redundant fans, country-specific power cords, dual (redundant) solid-state drives, rack mount kit, and core Junos OS software (stateful firewall, NAT, IPsec, and routing).

Advanced Security Services Subscription Licenses

Product Number Description
S-SRX4600-A1-1 SW, A1, IPS, AppSecure, content security, 1 year
S-SRX4600-A2-1 SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 1 year
S-SRX4600-A3-1 SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 1 year
S-SRX4600-A1-3 SW, A1, IPS, AppSecure, content security, 3 year
S-SRX4600-A2-3 SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 3 year
S-SRX4600-A3-3 SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 3 year
S-SRX4600-A1-5 SW, A1, IPS, AppSecure, content security, 5 year

S-SRX4600-A2-5

SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 5 year
S-SRX4600-A3-5 SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 5 year
S-SRX4600-P1-1 SW, P1, IPS, AppSecure, ATP, content security, 1 year
S-SRX4600-P2-1 SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 1 year
S-SRX4600-P3-1 SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 1 year
S-SRX4600-P1-3 SW, P1, IPS, AppSecure, ATP, content security, 3 year
S-SRX4600-P2-3 SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 3 year
S-SRX4600-P3-3 SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 3 year
S-SRX4600-P1-5 SW, P1, IPS, AppSecure, ATP, content security, 5 year
S-SRX4600-P2-5 SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 5 year
S-SRX4600-P3-5 SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 5 year

Service Spares

Product Number Description
JNP-FAN-1RU Universal fan, 1 U chassis
JNP-PWR1600-AC Universal AC power supply, 1600 W
JNP-PWR1100-DC Universal DC power supply, 1100 W
JNP-SSD-M2-1TB Universal 1 TB SSD, in carrier, no Junos OS
SRX4600-4PST-RMK Rack mount kit, 4-post adjustable for SRX4600

Remote Access/Juniper Secure Connect VPN Licenses

Product Number Description
S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-1 SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5KCCU-S-1 SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-3 SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-5KCCU-S-3 SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 3 Year

About Juniper Networks

Juniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.