SRX Series Services Gateways for the Branch
Data Sheet
SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650

Product Overview
SRX Series Services Gateways for the branch are next-generation security gateways that provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and next generation firewall capabilities in a single device, enterprises can protect their resources as well as economically deliver new services, safe connectivity, and a satisfying end-user experience. All SRX Series Services Gateways, including products scaled for Enterprise branch, Enterprise edge, and Data Center applications, are powered by Junos OS—the proven operating system that provides unmatched consistency, better performance with services, and superior infrastructure protection at a lower total cost of ownership.

Product Description
The Juniper Networks® SRX Series Services Gateways for the branch combine next generation firewall and unified threat management (UTM) services with routing and switching in a single, high-performance, cost-effective network device.
• SRX Series for the branch runs Juniper Networks Junos® operating system, the proven OS that is used by core Internet routers in all of the top 100 service providers around the world. The rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.
• SRX Series for the branch provides perimeter security, content security, application visibility, tracking and policy enforcement, user role-based control, threat intelligence through integration with Juniper Networks Spotlight Secure*, and network-wide threat visibility and control. Using zones and policies, network administrators can configure and deploy branch SRX Series gateways quickly and securely. Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. The SRX Series also includes wizards for firewall, IPsec VPN, Network Address Translation (NAT), and initial setup to simplify configurations out of the box.
• For content security, SRX Series for the branch offers a complete suite of next generation firewall, unified threat management (UTM) and threat intelligence services consisting of: intrusion prevention system (IPS), application security (AppSecure), user role-based firewall controls, on-box and cloud-based antivirus, antispam, and enhanced Web filtering to protect your network from the latest content-borne threats. Integrated threat intelligence via Spotlight Secure offers adaptive threat protection against command and control (C&C) related botnets and policy enforcement based on GeoIP and attacker fingerprinting technology (the latter for Web application protection)—all of which are based on Juniper provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats. The branch SRX Series integrates with other Juniper security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management.
• SRX Series for the branch are secure routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allows configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, Wi-Fi, and 3G/4G LTE wireless are all available options for WAN or Internet connectivity to securely link your sites. Multiple form factors allow you to make cost-effective choices for mission-critical deployments. Managing the network is easy using the proven Junos OS command-line interface (CLI), scripting capabilities, a simple-to-use Web-based GUI, or Juniper Networks Junos® Space Security Director for centralized management.

*Available on SRX550 and higher devices
Architecture and Key Components
Key Hardware Features of the Branch SRX Series Products

SRX100 Services Gateway
• Eight 10/100 Ethernet LAN ports and 1 USB port (support for 3G USB)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, AppSecure¹
• 2 GB DRAM, 2 GB flash default

SRX110 Services Gateway
• VDSL/ADSL2+ and Ethernet WAN interfaces
• Eight 10/100 Ethernet LAN ports and two USB ports (support for 3G USB)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, intrusion prevention system¹, AppSecure¹
• Unified Access Control (UAC) and content filtering
• 2 GB DRAM, 2 GB CF default

SRX210 Services Gateway
• Two 10/100/1000 Ethernet and 6 10/100 Ethernet LAN ports, 1 Mini-PIM slot, and 2 USB ports (support for 3G USB)
• Factory option of 4 dynamic Power over Ethernet (PoE) ports 802.3af
• Support for T1/E1, serial, ADSL/2/2+, VDSL, G.SHDSL, and Ethernet small form-factor pluggable transceiver (SFP)
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV (with high memory version)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• 2 GB DRAM, 2 GB flash default

SRX220 Services Gateway
• Eight 10/100/1000 Ethernet LAN ports, 2 Mini-PIM slots
• Factory option of 8 PoE ports; PoE+ 802.3at, backwards compatible with 802.3af
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, and Ethernet SFP
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall and AppSecure¹
• 2 GB DRAM, 2 GB CF default

SRX240 Services Gateway
• 16 10/100/1000 Ethernet LAN ports, 4 Mini-PIM slots
• Factory option of 16 PoE ports; PoE+ 802.3at, backwards compatible with 802.3af
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, and Ethernet SFP
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, AppSecure¹

SRX550 Services Gateway
• Ten fixed Ethernet ports (6 10/100/1000 Copper, 4 SFP), 2 Mini-PIM slots, 6 GPIM slots or multiple GPIM and XPIM combinations
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, DS3/E3, Gigabit Ethernet ports; supports up to 52 Ethernet ports including SFP; 40 switch ports with optional PoE including 802.3at, PoE+, backwards compatible with 802.3af (or 50 non-PoE 10/100/1000 Copper ports), 10GbE
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• Threat intelligence for protection from command and control (C&C) botnets, Web application threats, and advanced malware, and policy enforcement based on GeoIP data
• 2 GB DRAM default, 2 GB compact flash default (SRX550)
• 4 GB DRAM default, 8 GB compact flash default (SRX550 High Memory)
• Optional redundant AC power; standard AC power supply that is PoE-ready; PoE power up to 250 watts single power supply or 500 watts dual power supply

SRX650 Services Gateway
• Four fixed 10/100/1000 Ethernet LAN ports, 8 GPIM slots or multiple GPIM and XPIM combinations
• Support for T1, E1, DS3/E3, Ethernet ports; supports up to 52 Ethernet ports including SFP; 48 switch ports with optional PoE including 802.3at, PoE+, backwards compatible with 802.3af (or 52 non-PoE 10/100/1000 Copper ports), 10GbE
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• Threat intelligence for protection from command and control (C&C) botnets, Web application threats, and advanced malware, and policy enforcement based on GeoIP data
• Modular Services and Routing Engine; future internal failover and hot-swap
• 2 GB DRAM default, 2 GB compact flash default, external compact flash slot for additional storage
• Optional redundant AC power; standard AC power supply that is PoE-ready; PoE power up to 250 watts single power supply or 500 watts dual power supply

Network Deployments
The SRX Series Services Gateways for the branch are deployed at remote, branch and Enterprise edge locations in the network to
provide all-in-one secure WAN connectivity, and connection to local PCs and servers via integrated Ethernet switching.

¹ Unified Threat Management—antivirus, antispam, Web filtering, AppSecure, and IPS require a subscription license option to use the feature. UTM is not supported on the low memory version. Please see the ordering section for options. Content Filtering and UAC are part of the base software with no additional license.

Features and Benefits
Next Generation Firewall
SRX Series Services Gateways deliver next generation firewall protection with application awareness and extensive user role-based control options plus best-of-breed UTM to protect and control your business assets. Next generation firewalls are able to perform full packet inspection and can apply security policies based on layer 7 information. This means you can create security policies based on the application running across your network, the user who is receiving or sending network traffic or the content that is traveling across your network to protect your environment against threats, manage how your network bandwidth is allocated, and control who has access to what.

Figure 1: Firewalls, zones, and policies (diagram labels: Internet, Intranet, “Untrust” Zone, “Trust” Zone, “Guest” Zone, “DMZ” Zone)

AppSecure
AppSecure is a suite of application security capabilities for Juniper Networks SRX Series Services Gateways that identifies applications for greater visibility, enforcement, control, and protection of the network.

Intrusion Prevention
The intrusion prevention system (IPS) understands application behaviors and weaknesses to prevent application-borne security threats that are difficult to detect and stop.

Unified Threat Management (UTM)
SRX Series can include comprehensive content security against malware, viruses, phishing attacks, intrusions, spam and other threats with unified threat management (UTM). Get a best-of-breed solution with anti-virus, anti-spam, web filtering and content filtering at a great value by easily adding these services to your SRX Series Services Gateway. Cloud-based and on-box solutions are both available.

User Firewall
Juniper offers a range of user role-based firewall control solutions that support dynamic security policies. User role-based firewall capabilities are integrated with the SRX Series Services Gateways for standard next generation firewall controls. More extensive, scalable, granular access controls for creating dynamic policies are available through the integration of SRX with a Juniper Unified Access Control solution.

Adaptive Threat Intelligence
To address the evolving threat landscape that has made it imperative to integrate external threat intelligence into the firewall for thwarting advanced malware and other threats, some SRX Series Services Gateways include threat intelligence via integration with Spotlight Secure. The Spotlight Secure threat intelligence platform aggregates threat feeds from multiple sources to deliver open, consolidated, actionable intelligence to SRX Series Services Gateways across the organization for policy enforcement. These sources include Juniper threat feeds, third party threat feeds and threat detection technologies that the customer can deploy.
Administrators are able to define enforcement policies from all feeds via a single, centralized management point, Junos Space Security Director.

Secure Routing
Many organizations use both a router and a firewall/VPN at their network edge to fulfill their networking and security needs. For many organizations, the SRX Series for the branch can fulfill both roles with one solution. Juniper built best-in-class routing, switching and firewall capabilities into one product.
SRX Series for the branch checks the traffic to see if it is legitimate and permissible, and only forwards it on when it is. This reduces the load on the network, allocates bandwidth for all other mission-critical applications, and secures the network from malicious users.
The main purpose of a secure router is to provide firewall protection and apply policies. The firewall (zone) functionality inspects traffic flows and state to ensure that originating and returning information in a session is expected and permitted for a particular zone. The security policy determines if the session can originate in one zone and traverse to another zone. Due to the architecture, SRX Series receives packets from a wide variety of clients and servers and keeps track of every session, of every application, and of every user. This allows the enterprise to make sure that only legitimate traffic is on its network and that traffic is flowing in the expected direction.

High Availability
Junos Services Redundancy Protocol (JSRP) is a core feature of the SRX Series for the branch. JSRP enables a pair of SRX Series systems to be easily integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. With link redundancy, Juniper Networks can address many common causes of system failures, such as a physical port going bad or a cable getting disconnected, to ensure that a connection is available without having to fail over the entire system. This is consistent with a typical active/standby nature of routing resiliency protocols.

Figure 2: High availability (diagram panels: Active/Standby and Active/Active pairs of SRX240 gateways with EX Series switches, connected to the Internet, shown before and after a failure)

When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration are mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series synchronizes both configuration and runtime information. As a result, during failover, synchronization of the following information is shared: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. In contrast, with the typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), all dynamic flow and session information is lost and must be reestablished in the event of a failover. Some or all network sessions will have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is kept intact. In an unstable network, this active/active configuration also mitigates link flapping affecting session performance.

Session-Based Forwarding Without the Performance Hit
In order to optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions have a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route.

Figure 3 shows the session-based forwarding algorithm. When a new session is established, the session-based architecture within Junos OS verifies that the session is allowed by the forwarding policies. If the session is allowed, Junos OS will look up the next-hop route in the routing table. It then inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single table lookup in the session and forwarding table, and are forwarded to the egress interface.

Figure 3: Session-based forwarding algorithm (flow diagram: Ingress Interface; Session Initial Packet Processing; Security Policy Evaluation and Next-Hop Lookup; Table Update; Session and Forwarding Table; Forwarding for Permitted Traffic; Egress Interface; Disallowed by Policy: Dropped)

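The session-based forwarding flow described above, as a simplified Python model added here for illustration; it is not Junos OS code. The zone prefixes, policy tuple, interface names and addresses are constructed, and installing a reverse-direction entry for return traffic is an assumption of this model.

```python
import ipaddress
from typing import NamedTuple, Optional


class FlowKey(NamedTuple):
    """5-tuple that identifies one direction of a session."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reversed(self) -> "FlowKey":
        return FlowKey(self.dst, self.src, self.proto, self.dport, self.sport)


class Verdict(NamedTuple):
    action: str                # "forward" or "drop"
    egress_if: Optional[str]
    next_hop: Optional[str]
    path: str                  # "slow" = first packet, "fast" = session hit


def _prefix_table(entries):
    """Sort (prefix, value) pairs so the longest prefix is matched first."""
    rows = [(ipaddress.ip_network(p), v) for p, v in entries]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)


def _lpm(table, addr):
    """Longest-prefix match of addr against a sorted prefix table."""
    ip = ipaddress.ip_address(addr)
    for net, value in table:
        if ip in net:
            return value
    return None


class SessionForwarder:
    def __init__(self, zones, policies, routes):
        self.zones = _prefix_table(zones)     # prefix -> zone (model assumption)
        self.policies = set(policies)         # (from_zone, to_zone, proto, dport)
        self.routes = _prefix_table(routes)   # prefix -> (egress_if, next_hop)
        self.sessions = {}                    # session and forwarding table
        self.policy_checks = 0
        self.route_lookups = 0

    def _route(self, addr):
        self.route_lookups += 1
        return _lpm(self.routes, addr)

    def process(self, key: FlowKey) -> Verdict:
        # Established session: one lookup yields permission and next hop.
        entry = self.sessions.get(key)
        if entry is not None:
            return Verdict("forward", entry[0], entry[1], "fast")
        # First packet: policy evaluation, then next-hop lookup.
        self.policy_checks += 1
        rule = (_lpm(self.zones, key.src), _lpm(self.zones, key.dst),
                key.proto, key.dport)
        if rule not in self.policies:
            return Verdict("drop", None, None, "slow")   # nothing is installed
        route = self._route(key.dst)
        if route is None:
            return Verdict("drop", None, None, "slow")
        # Table update: install the session together with its next hop.
        self.sessions[key] = route
        back = self._route(key.src)                      # return direction
        if back is not None:
            self.sessions[key.reversed()] = back
        return Verdict("forward", route[0], route[1], "slow")


def demo_gateway() -> SessionForwarder:
    """Constructed two-zone gateway: trust LAN behind an untrust uplink."""
    return SessionForwarder(
        zones=[("10.0.1.0/24", "trust"), ("0.0.0.0/0", "untrust")],
        policies=[("trust", "untrust", "tcp", 443)],
        routes=[("10.0.1.0/24", ("ge-0/0/1", "direct")),
                ("0.0.0.0/0", ("ge-0/0/0", "203.0.113.1"))],
    )


if __name__ == "__main__":
    gw = demo_gateway()
    out = FlowKey("10.0.1.20", "198.51.100.7", "tcp", 40000, 443)
    probe = FlowKey("198.51.100.7", "10.0.1.20", "tcp", 40001, 22)
    for pkt in (out, out, out.reversed(), probe):
        print(pkt, "->", gw.process(pkt))
    print("policy checks:", gw.policy_checks, "route lookups:", gw.route_lookups)
```

The counters show that only the first packet of a permitted session costs a policy check and route lookups; the unsolicited inbound probe is dropped without creating any state.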
Figure 4: The distributed enterprise (network diagram: small office, small branch with cellular backup, small link HA branch, mid-sized HA branch, and large HA office sites built from SRX Series gateways, connected over the Internet and a private WAN to a private data center)

Specifications

Protocols
• IPv4, IPv6, ISO Connectionless Network Service (CLNS)

Routing and Multicast
• Static routes
• RIPv2 +v1
• OSPF/OSPFv3
• BGP
• BGP Route Reflector¹
• IS-IS
• Multicast (Internet Group Management Protocol (IGMPv1/2/3), PIM-SM/DM/SSM, Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), source-specific, Multicast inside IPsec tunnel), MSDP
• MPLS (RSVP, LDP, Circuit Cross-connect (CCC), Translational Cross-connect (TCC), Layer 2 VPN (VPLS), Layer 3 VPN, VPLS, NGMVPN)

IP Address Management
• Static
• DHCP, PPPoE client
• Internal DHCP server, DHCP Relay

Address Translation
• Source NAT with Port Address Translation (PAT)
• Static NAT
• Destination NAT with PAT
• Persistent NAT, NAT64

Encapsulations
• Ethernet (MAC and VLAN tagged)
• Point-to-Point Protocol (PPP) (synchronous)
-- Multilink Point-to-Point Protocol (MLPPP)
• Frame Relay
-- Multilink Frame Relay (MLFR) (FRF.15, FRF.16), FRF.12, LFI
• High-Level Data Link Control (HDLC)
• Serial (RS-232, RS-449, X.21, V.35, EIA-530)
• 802.1q VLAN support
• Point-to-Point Protocol over Ethernet (PPPoE)

L2 Switching²
• 802.1Q, 802.1D, RSTP, MSTP, 802.3ad (LACP)
• 802.1x, LLDP, 802.1ad (Q-in-Q), IGMP Snooping
• Layer 2 switching with high availability

Traffic Management Quality of Service (QoS)
• 802.1p, DSCP, EXP
• Marking, policing, and shaping
• Class-based queuing with prioritization
• Weighted random early detection (WRED)
• Queuing based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multi-field (MF) filters
• Guaranteed bandwidth
• Maximum bandwidth
• Ingress traffic policing
• Priority-bandwidth utilization
• DiffServ marking
• Virtual channels

Security

Firewall
• Firewall, zones, screens, policies
• Stateful firewall, stateless filters
• Network attack detection
• Screens denial of service (DoS) and provides distributed denial of service (DDoS) protection (anomaly-based)
• Prevent replay attack; Anti-Replay
• Unified Access Control
-- TCP reassembly for fragmented packet protection
-- Brute force attack mitigation
-- SYN cookie protection
-- Zone-based IP spoofing
-- Malformed packet protection

NGFW/UTM³
• Intrusion Prevention System (IPS)
-- Protocol anomaly detection
-- Stateful protocol signatures
-- Intrusion prevention system (IPS) attack pattern obfuscation
-- User role-based policies
• Customer signatures creation
• Multiple times a week and emergency updates
• AppSecure
-- AppTrack (application visibility and tracking)
-- AppFirewall (policy enforcement by application name)
-- Custom signatures
-- AppQoS (network traffic prioritization and bandwidth management)
-- Dynamic signature updates
-- User-based application policy enforcement
• Antivirus
-- Express AV (stream-based AV, not available on SRX100 and SRX110)
-- File-based antivirus
• Signature database
• Protocols scanned: POP3, HTTP, SMTP, IMAP, FTP

¹ BGP Route Reflector supported on SRX550 and SRX650. See ordering section for more information.
² As of Junos 15.1X49-D40, the SRX550 High Memory unit does not support xSTP, LLDP, 802.1x, Q-in-Q, IGMP Snooping and L2 switching with HA
³ Unified Threat Management – antivirus, antispam, Web filtering, AppSecure, and IPS require individual subscription license. UTM is not supported on the low memory version. Please see the ordering section for options.

• Antispyware
• Anti-adware
• Antikeylogger
-- Cloud-based antivirus
• Antispam
• Integrated enhanced Web filtering
-- Category granularity (90+ categories)
-- Real time threat score
• Redirect Web filtering
• Content Security Accelerator in SRX210 high memory, SRX220, SRX240, SRX550, and SRX650⁴
• ExpressAV option in SRX210 high memory, SRX220 high memory, SRX240, SRX550, and SRX650⁴
• Content filtering
-- Based on MIME type, file extension, and protocol commands

VPN
• Auto VPN (Zero Touch Hub)
• Tunnels (GRE, IP-IP, IPsec)
• IPsec, Data Encryption Standard (DES) (56-bit), triple Data Encryption Standard (3DES) (168-bit), Advanced Encryption Standard (AES) (128-bit+) encryption
• Message Digest 5 (MD5), SHA-1, SHA-128, SHA-256 authentication
• Junos Pulse Dynamic VPN client; browser-based remote access feature requiring a license
• IPv4 and IPv6 VPN
• Multi-Proxy ID for site-to-site VPN

Multimedia Transport
• Compressed Real-Time Transport Protocol (CRTP)

High Availability
• VRRP
• JSRP
• Stateful failover and dual box clustering
• SRX550/SRX650:
-- Redundant power (optional)
-- GPIM hot swap
-- Future internal failover and SRE hot swap (OIR) on SRX650
• Backup link via 3G/4G LTE wireless or other WAN
• Active/active—L3 mode⁵
• Active/passive—L3 mode⁵
• Configuration synchronization⁵
• Session synchronization for firewall and VPN⁵
• Session failover for routing change⁵
• Device failure detection⁵
• Link failure detection⁵
• IP Monitoring with route and interface failover

IPv6
• OSPFv3
• RIPng
• IPv6 Multicast Listener Discovery (MLD)
• BGP
• ISIS

Wireless
• CX111 Cellular 3G/4G/LTE Broadband Data Bridge supported on all branch SRX Series devices
• 3G USB modem support for SRX100, SRX110, and SRX210

SLA, Measurement, and Monitoring
• Real-time performance monitoring (RPM)
• Juniper J-Flow monitoring and accounting services
• Sessions, packets, and bandwidth usage
• IP Monitoring

Logging
• Syslog
• Traceroute
• Extensive control- and data-plane structured and unstructured syslog

Administration
• Juniper Networks Network and Security Manager support (NSM)
• Juniper Networks Junos Space Security Director support
• Juniper Networks STRM Series Security Threat Response Managers support
• Juniper Networks Advanced Insight Solutions support
• External administrator database (RADIUS, LDAP, SecureID)
• Auto-configuration
• Configuration rollback
• Rescue configuration with button
• Commit confirm for changes
• Auto-record for diagnostics
• Software upgrades (USB upgrade option)
• Juniper Networks J-Web
• Command-line interface
• Smart image download

Certifications
• NEBS Compliance for SRX240, SRX650⁶
• Department of Defense (DoD) Certification for SRX Series Services Gateways, including testing and certification by the Department of Defense Joint Interoperability Test Command (JITC) for interoperability with DoD networks and addition of the SRX Series Services Gateways to the Unified Capabilities Approved Product List (UC APL)

⁴ Unified Threat Management – antivirus, antispam, Web filtering, AppSecure and IPS require individual subscription license. UTM is not supported on the low memory version. Please see the ordering section for options.
⁵ SRX100B installed with 1 GB DRAM, with 512 MB accessible. Optional upgrade to 1 GB DRAM is available with purchase of memory software license key.
⁶ Coming soon for SRX110 and SRX550.

Product Comparison

Feature | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650

Maximum Performance and Capacity
Junos OS version tested | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 11.4R5 | Junos OS 12.1/15.1⁷ | Junos OS 11.4R5
Firewall performance (large packets) | 700 Mbps | 700 Mbps | 850 Mbps | 950 Mbps | 1.8 Gbps | 7 Gbps | 7 Gbps
Firewall performance (IMIX) | 200 Mbps | 200 Mbps | 250 Mbps | 300 Mbps | 600 Mbps | 2 Gbps | 2.5 Gbps
Firewall + routing PPS (64 Byte) | 70 Kpps | 70 Kpps | 95 Kpps | 125 Kpps | 200 Kpps | 700 Kpps | 850 Kpps
Firewall performance⁸ (HTTP) | 100 Mbps | 100 Mbps | 290 Mbps | 350 Mbps | 830 Mbps | 2 Gbps | 2 Gbps
IPsec VPN throughput (large packets) | 65 Mbps | 65 Mbps | 85 Mbps | 100 Mbps | 300 Mbps | 1.0 Gbps | 1.5 Gbps
IPsec VPN tunnels | 128 | 128 | 256 | 512 | 1,000 | 2,000 | 3,000
AppSecure firewall throughput | 90 Mbps | 90 Mbps | 250 Mbps | 300 Mbps | 750 Mbps | 2.0 Gbps | 1.9 Gbps
IPS (intrusion prevention system) | 75 Mbps⁹ | 75 Mbps | 65 Mbps | 80 Mbps | 230 Mbps | 800 Mbps | 1 Gbps
Antivirus | 25 Mbps (Sophos AV) | 25 Mbps (Sophos AV) | 30 Mbps (Sophos AV) | 35 Mbps (Sophos AV) | 85 Mbps (Sophos AV) | 300 Mbps (Sophos AV) | 350 Mbps (Sophos AV)
Connections per second | 1,800 | 1,800 | 2,200 | 2,800 | 8,500 | 27,000 | 35,000
Maximum concurrent sessions | 32 K | 32 K | 64 K | 96 K | 256 K | 375 K | 512 K
DRAM options | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB/4 GB⁷ DRAM | 2 GB DRAM
Maximum security policies | 384 | 384 | 512 | 2,048 | 4,096 | 8,000 | 8,192
Maximum users supported | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted

Network Connectivity
Fixed I/O | 8 x 10/100 | 8 x 10/100, VDSL/ADSL2+ WAN (Annex A or B) | 2 x 10/100/1000 BASE-T + 6 x 10/100 | 8 x 10/100/1000 BASE-T | 16 x 10/100/1000 BASE-T | 6 x 10/100/1000 BASE-T + 4 SFP | 4 x 10/100/1000 BASE-T
I/O slots | N/A | N/A | 1 x SRX Series Mini-PIM | 2 x SRX Series Mini-PIM | 4 x SRX Series Mini-PIM | 2 x SRX Series Mini-PIM, 6 x GPIM or multiple GPIM and XPIM combinations | 8 x GPIM or multiple GPIM and XPIM combinations
Services and Routing Engine slots | No | No | No | No | No | No | 2¹⁰
WAN/LAN interface options | N/A | N/A | See ordering information | See ordering information | See ordering information | See ordering information | See ordering information
Maximum number of PoE ports (PoE optional on some SRX Series models) | N/A | N/A | Up to 4 ports of 802.3af with maximum 50 W | Up to 8 ports of 802.3af/at with maximum 120 W | Up to 16 ports of 802.3af/at with maximum 150 W | Up to 40 ports of 802.3af/at with maximum 247 W | Up to 48 ports of 802.3af/at with maximum 247 W
USB | 1 | 2 | 2 | 2 | 2 | 2 | 2 per SRE

⁷ Based on 2 GbE memory models, which require Junos OS 12.1X44-D15 (exception: Junos OS 11.4r5 for SRX240 only).
⁸ Throughput numbers based on HTTP traffic with 44 kilobyte transaction size.
⁹ Use software based IPS engine which has higher performance and less capacity
¹⁰ SRX650 supports a single Services and Routing Engine (SRE) as of software release 11.4.

Feature | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650

Routing
Routing (Packet Mode) PPS | 100 Kpps | 100 Kpps | 150 Kpps | 200 Kpps | 300 Kpps | 1000 Kpps | 1000 Kpps
BGP instances | 5 | 5 | 10 | 16 | 20 | 56 | 64
BGP peers | 8 | 8 | 16 | 16 | 32 | 192 | 256
BGP routes | 8 K | 8 K | 16 K | 32 K | 600 K | 712 K | 800 K
OSPF instances | 4 | 4 | 10 | 16 | 20 | 56 | 64
OSPF routes | 8 K | 8 K | 16 K | 32 K | 200 K | 200 K | 200 K
RIP v1 / v2 instances | 4 | 4 | 10 | 16 | 20 | 56 | 64
RIP v2 routes | 8 K | 8 K | 16 K | 32 K | 32 K | 32 K | 32 K
Static routes | 8 K | 8 K | 16 K | 32 K | 100 K | 100 K | 100 K
Source-based routing | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Policy-based routing | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Equal-cost multipath (ECMP) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Reverse path forwarding (RPF) | Yes | Yes | Yes | Yes | Yes | Yes | Yes

IPsec VPN
Concurrent VPN tunnels | 128 | 128 | 256 | 512 | 1,000 | 2,000 | 3,000
Tunnel interfaces | 10 | 10 | 64 | 64 | 128 | 456 | 512
DES (56-bit), 3DES (168-bit) and AES (256-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MD-5, SHA-1 and SHA-2 authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Manual key, Internet Key Exchange (IKE v1+v2), public key infrastructure (PKI) (X.509) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Perfect forward secrecy (DH Groups) | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5
Prevent replay attack | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Dynamic remote access VPN | Yes | Yes | Yes | Yes | Yes | Yes | Yes
IPsec NAT traversal | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Redundant VPN gateways | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Number of remote access users | 25 users | 25 users | 50 users | 150 users | 250 users | 500 users | 500 users

User Authentication and Access Control
Third-party user authentication | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP
RADIUS accounting | Yes | Yes | Yes | Yes | Yes | Yes | Yes
XAUTH VPN, Web-based, 802.X authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes
PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Certificate Authorities supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Virtualization
Maximum number of security zones | 10 | 10 | 12 | 24 | 64 | 96 | 128
Maximum number of virtual routers | 3 | 3 | 10 | 15 | 64 | 128 | 128
Maximum number of VLANs | 16 | 16 | 64 | 128 | 2,000 | 3,967 | 3,967

SRX Series Services Gateways for the Branch
Specification | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650

Encapsulations
PPP/MLPPP | N/A | N/A | Yes | Yes | Yes | Yes | Yes
PPPoE | Yes | Yes | Yes | Yes | Yes | Yes | Yes
PPPoA | N/A | Yes | Yes | Yes | Yes | Yes | Yes
MLPPP maximum physical interfaces | N/A | N/A | 1 | 2 | 4 | 12 | 12
Frame Relay | N/A | N/A | Yes | Yes | Yes | Yes | Yes
MLFR (FRF.15, FRF.16) | N/A | N/A | Yes | Yes | Yes | Yes | Yes
MLFR maximum physical interfaces | N/A | N/A | 1 | 2 | 4 | 12 | 12
HDLC | N/A | N/A | Yes | Yes | Yes | Yes | Yes

Wireless
CX111 3G/4G LTE Bridge support | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Junos/SRX Series management of CX111 | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Flash and Memory
Memory (DRAM) | 2 GB (SRX100H2) | 2 GB (SRX110H2) | 2 GB (SRX210HE2) | 2 GB (SRX220H2) | 2 GB (SRX240H2) | 2 GB/4 GB [11] | 2 GB (SRX650)
Memory slots | Fixed memory | Fixed memory | Fixed memory | Fixed memory | Fixed memory | 2 DIMM | 4 DIMM
Flash memory | 2 GB | 2 GB CF, externally accessible | 2 GB | 2 GB CF, externally accessible | 2 GB | 2 GB/8 GB [11] CF internal | 2 GB CF internal on SRE, external slot empty, up to 2 GB CF supported
USB port for external storage | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Dimensions and Power
Dimensions (W x H x D) | 8.5 x 1.4 x 5.8 in (21.6 x 3.6 x 14.7 cm) | 11.02 x 1.72 x 8.385 in (28 x 4.37 x 21.3 cm) | 11.02 x 1.73 x 7.12 in (28.0 x 4.4 x 18.1 cm) | 14.31 x 1.73 x 7.11 in (36.3 x 4.4 x 18.1 cm) | 17.5 x 1.75 x 15.1 in (44.4 x 4.4 x 38.5 cm) | 17.5 x 3.5 x 18.2 in (44.4 x 8.8 x 46.2 cm) | 17.5 x 3.5 x 18.2 in (44.4 x 8.8 x 46.2 cm)
Weight (device and power supply) | 2.5 lb (1.1 kg) | 6.7 lb (3.06 kg) | 3.3 lb (1.5 kg) non-PoE / 4.4 lb (2 kg) PoE; no interface modules | 3.43 lb (1.56 kg) non-PoE; no interface modules | For LM and HM-AC: 11.2 lb (5.1 kg); for HM-DC: 12.56 lb (5.7 kg) / 12.3 lb (5.6 kg) PoE; no interface modules | 21.96 lb (9.96 kg); no interface modules, 1 power supply | 24.9 lb (11.3 kg); no interface modules, 1 power supply
Rack-mountable | Yes, 1 RU | Yes, 1 RU | Yes, 1 RU | Yes, 1 RU | Yes, 1 RU | Yes, 2 RU | Yes, 2 RU
Power supply (AC) | 100-240 VAC, 30 W | 100-240 VAC, 60 W | 100–240 VAC, 60 W non-PoE / 150 W PoE | 100–240 VAC, 60 W non-PoE / 200 W PoE | 150 W for LM and HM; 190 W for HM with DC; 360 W for PoE | 100–240 VAC, single 645 W or dual 645 W | 100–240 VAC, single 645 W or dual 645 W
Maximum PoE power | N/A | N/A | 50 W | 120 W | 150 W | 247 W redundant, or 494 W nonredundant | 247 W redundant, or 494 W nonredundant

[11] 4 GB DRAM and 8 GB CF is default on the SRX550 High Memory SKUs
Specification | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650
Average power consumption | 10 W | 24 W | 28 W, 84 W (PoE) | 28 W | SRX240H2 - 74 W; SRX240H2DC - 72 W; SRX240H2PoE - 86 W | 85 W | 122 W
Input frequency | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz
Maximum current consumption | 0.25 A @ 100 VAC | 1.75 A @ 100 VAC | 0.44 A @ 100 VAC, 1.13 A @ 100 VAC (PoE) | 0.44 A @ 100 VAC | 1.1 A @ 100 VAC, 3.0 A @ 100 VAC (PoE) | 7.5 A @ 100 VAC with single PSU with PoE, 10.5 A @ 100 VAC with dual PSU with PoE | 5.3 A @ 100 VAC with single PSU with PoE, 8.3 A @ 100 VAC with dual PSU with PoE
Maximum inrush current | 60 A | 70 A | 80 A, 60 A for PoE | 80 A | 40 A, 45 A for PoE | 45 A for ½ cycle | 45 A for ½ cycle
Average heat dissipation | 35 BTU/hr | 81 BTU/hr | 95 BTU/hr (SRX210HE2); 116 BTU/hr (SRX210HE2PoE) | 104 BTU/hr (SRX220H2) | 253 BTU/hr (SRX240H2); 246 BTU/hr (SRX240H2DC); 294 BTU/hr (SRX240H2PoE) | 238 BTU/hr | 319 BTU/hr
Maximum heat dissipation | 80 BTU/hr | 99 BTU/hr | 126 BTU/hr (SRX210HE2); 157 BTU/hr (SRX210HE2PoE) | 126 BTU/hr (SRX220H2) | 427 BTU/hr (SRX240H2); 409 BTU/hr (SRX240H2DC); 560 BTU/hr (SRX240H2PoE) | 1,449 BTU/hr | 699 BTU/hr
Redundant power supply (hot swappable) | No | No | No | No | No | Yes (up to maximum capacity of single PSU) | Yes (up to maximum capacity of single PSU)
Acoustic noise level (Per ISO 7779 Standard) | 0 dB (fanless) | 0 dB (fanless) | 29.1 dB | 51.1 dB | 70.0 dB | 51.8 dB | 60.9 dB

Environment
Operational temperature | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C)
Nonoperational temperature | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | -40° to 158° F (-40° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C)
Humidity (operating) | 10% to 90% noncondensing
Humidity (nonoperating) | 5% to 95% noncondensing
Mean time between failures (Telcordia model) | 24.8 years | 24.8 years | 14.03 years (SRX210HE2); 10.26 years (SRX210HE2PoE) | 13.46 years (SRX220H2); 11.06 years (SRX220H2PoE) | 11.63 years (SRX240H2); 9.92 years (SRX240H2PoE) | 9.6 years with redundant power | 9.6 years with redundant power
Certifications and Network Homologation

Certification | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650

USA
Safety certifications | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1
EMC certifications | FCC Class B | FCC Class B | FCC Class B | FCC Class A | FCC Class A | FCC Class A | FCC Class A
Network homologation | TIA-968 | TIA-968 | TIA-968 | TIA-968 | TIA-968 | TIA-966 | TIA-966

Canada
Safety certifications | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1
EMC certifications | ICES Class B | ICES Class B | ICES Class B | ICES Class A | ICES Class A | ICES Class A | ICES Class A
Network homologation | CS-03 | CS-03 | CS-03 | CS-03 | CS-03 | CS-03 | CS-03

Australia
Safety certifications | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1
EMC certifications | AS / NZS CISPR22 Class B | AS / NZS CISPR22 Class B | AS / NZS CISPR22 Class B [12] | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A
Network homologation | AS / ACIF S 002, S 016, S 043.1, S043.2 | AS / ACIF S 002, S 016, S 043.1, S043.2 | AS / ACIF S 002, S 016, S 043.1, S043.2 | AS / ACIF S 002, S 016, S 043.1, S043.2 | AS / ACIF S 002, S 016, S 043.1, S043.2 | AS / ACIF S 016 | AS / ACIF S 016

New Zealand
Safety certifications | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1 | AS / NZS 60950-1
EMC certifications | AS / NZS CISPR22 Class B | AS / NZS CISPR22 Class B | AS / NZS CISPR22 Class B [12] | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A | AS / NZS CISPR22 Class A
Network homologation | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217 | PTC 217

Japan
Safety certifications | Comply safety certifications (UL/CUL/CSA) by CB Scheme
EMC certifications | VCCI Class B | VCCI Class B | VCCI Class B [12] | VCCI Class A | VCCI Class A | VCCI Class A | VCCI Class A

European Union
Safety certifications | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1
EMC certifications | EN 55022 Class B, EN 300 386 | EN 55022 Class B, EN 300 386 | EN 55022 Class B [12], EN 300 386 | EN 55022 Class A, EN 300 386 | EN 55022 Class A, EN 300 386 | EN 55022 Class A, EN 300 386 | EN 55022 Class A, EN 300 386
Network homologation | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, DoC | CTR 12/13, DoC

Software Certifications
NIST FIPS-140-2 Level 2 | Yes | Yes | Yes | Yes | Yes | In Progress | Yes
ISO Common Criteria NDPP+TFFW EP | Yes | Yes | Yes | Yes | Yes | Yes | Yes
ICSA Network Firewall | Yes | Yes | Yes | Yes | Yes | Yes | Yes
ICSA IPsec | Yes | Yes | Yes | Yes | Yes | Yes | Yes
USGv6 | Yes | Yes | Yes | Yes | Yes | Yes | Yes

[12] SRX210H-POE is class A.
*There are several models available for the SRX210 and SRX240 including the enhanced version. Please contact your Juniper or partner account representative for more information.
Interface Modules Compatibility Matrix

Component | Description | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650
SRX-GP-16GE | 16-port 10/100/1000BASE-T XPIM | X | X | X | X | X | ✓ [13] | ✓
SRX-GP-16GE-POE | 16-port 10/100/1000BASE-T PoE XPIM | X | X | X | X | X | ✓ | ✓
SRX-GP-2XESFPPTX | 2-port 10GbE SFP+/10GbE BASE-T Copper XPIM | X | X | X | X | X | ✓ [13] | ✓
SRX-GP-24GE | 24-port 10/100/1000BASE-T XPIM, includes 4 SFP slots | X | X | X | X | X | ✓ [13] | ✓
SRX-GP-24GE-POE | 24-port 10/100/1000BASE-T PoE XPIM, includes 4 SFP slots | X | X | X | X | X | ✓ [13] | ✓
SRX-GP-8SFP | 8-port GbE copper, fiber SFP XPIM | X | X | X | X | X | ✓ | ✓
SRX-GP-DUAL-T1-E1 | Dual T1/E1 GPIM | X | X | X | X | X | ✓ | ✓
SRX-GP-QUAD-T1-E1 | Quad T1/E1 GPIM | X | X | X | X | X | ✓ | ✓
SRX-GP-1DS3-E3 | 1-port clear channel DS3/E3 GPIM single GPIM slot | X | X | X | X | X | ✓ | ✓
SRX-GP-8SERIAL | Eight-port Sync Serial GPIM | X | X | X | X | X | ✓ [13] | ✓
SRX-MP-1SERIAL | 1-port Sync Serial Mini-PIM | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1ADSL2-A | 1-port ADSL2+ Mini-PIM supporting ADSL/ADSL2/ADSL2+ Annex A | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1ADSL2-B | 1-port ADSL2+ Mini-PIM supporting ADSL/ADSL2/ADSL2+ Annex B | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1VDSL2-A | 1-port VDSL2 Mini-PIM supporting Annex A, with fallback to ADSL2/ADSL2+ | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-8GSHDSL | 8-wire (4-pair) G.SHDSL Mini-PIM | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1SFP-GE | 1-port SFP Mini-PIM | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1T1E1 | 1-port T1 or E1 Mini-PIM | X | X | ✓ | ✓ | ✓ | ✓ [13] | X
SRX-MP-1T1E1-R | 1-port T1 or E1 Mini-PIM (ROHS version) | X | X | X | X | X | ✓ [14] | X
SRX-MP-1VDSL2-R | 1-port VDSL2 Mini-PIM supporting Annex A, with fallback to ADSL2/ADSL2+ (ROHS version) | X | X | X | X | X | ✓ [14] | X
SRX-MP-1SERIAL-R | 1-port Sync Serial Mini-PIM (ROHS version) | X | X | X | X | X | ✓ [14] | X

[13] Not supported on the SRX550 High Memory
[14] Only supported on the SRX550 High Memory
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.
Ordering Information
Model Number | Description

SRX650 Base System
SRX650-BASE-SRE6-645AP | SRX650 Services Gateway with SRE 6, 645 W AC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247 W PoE power, fan tray, power cord and rack-mount kit
SRX650-BASE-SRE6-645DP | SRX650 Services Gateway with SRE 6, 645 W DC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247 W PoE power, fan tray, power cord and rack-mount kit
SRX650B-SRE6-645AP-TAA | Trade Agreement Act-compliant SRX650 Services Gateway with SRE 6, 645 W AC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247 W PoE power, fan tray, power cord and rack-mount kit

SRX650 Power Supplies and Accessories
SRX600-PWR645AC-POE | Spare 645 W AC PoE power supply unit for SRX650, SRX550 systems—one is included in SRX650, SRX550 base system (SRX650-BASE-SRE6-645AP, SRX550-645AP)
SRX600-PWR645DC-POE | 645 W DC source power supply for SRX550 and SRX650; provides 397 W system power @ 12 V and 248 W PoE power @ 50 VDC; works with 43-56 VDC input—no power cord
SRX600-SRE6H | Spare SRE6-H for SRX650—one is included in SRX650 base system (SRX650-BASE-SRE6-645AP)
SRX650-CHAS | SRX650 chassis including fan tray—no system processor (SRE) and no power supply unit
SRX650-FAN-01 | Spare SRX650 fan tray, one is included in SRX650 chassis spare (SRX650-CHAS), and included in SRX650 base system (SRX650-BASE-SRE6-645AP)
SRX650-FILT-01 | Not included in SRX650 chassis spare (SRX650-CHAS), and not included in SRX650 base system (SRX650-BASE-SRE6-645AP)—optional, as this is not required for normal operations, but recommended for dusty environments

SRX650 Additional Software Feature Licenses
SRX650-K-AV | One year subscription for Juniper-Kaspersky antivirus updates on SRX650
SRX650-S-AV | One year subscription for Juniper-Sophos antivirus updates on SRX650
SRX650-IDP | One year subscription for IDP updates on SRX650
SRX650-S2-AS | One year subscription for Juniper-Sophos antispam updates on SRX650
SRX650-W-WF | One year subscription for Juniper-Websense Web filtering updates on SRX650
SRX650-SMB4-CS | One year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX650-S-SMB4-CS | One year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX650-K-AV-3 | Three year subscription for Juniper-Kaspersky AV updates on SRX650
SRX650-S-AV-3 | Three year subscription for Juniper-Sophos AV updates on SRX650
SRX650-IDP-3 | Three year subscription for IDP updates on SRX650
SRX650-S2-AS-3 | Three year subscription for Juniper-Sophos antispam updates on SRX650
SRX650-W-WF-3 | Three year subscription for Juniper-Websense Web filtering updates on SRX650
SRX650-SMB4-CS-3 | Three year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX650-S-SMB4CS-3 | Three year security subscription for enterprise–includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX-BGP-ADV-LTU | Advanced BGP License for SRX650 only
SRX650-K-AV-5 | Five year subscription for Juniper-Kaspersky AV updates on SRX650
SRX650-S-AV-5 | Five year subscription for Juniper-Sophos AV updates on SRX650
SRX650-IDP-5 | Five year license for IDP updates for SRX650
SRX650-W-WF-5 | Five year subscription for Juniper-Websense Web filtering updates on SRX650
SRX650-SMB4-CS-5 | Five year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX650-S-SMB4CS-5 | Five year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX650
SRX-RAC-5-LTU | Dynamic VPN Client: 5 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-10-LTU | Dynamic VPN Client: 10 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-25-LTU | Dynamic VPN Client: 25 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-50-LTU | Dynamic VPN Client: 50 simultaneous users for SRX210, SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-100-LTU | Dynamic VPN Client: 100 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-150-LTU | Dynamic VPN Client: 150 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-250-LTU | Dynamic VPN Client: 250 simultaneous users for SRX240, SRX550, and SRX650 only
SRX-RAC-500-LTU | Dynamic VPN Client: 500 simultaneous users for SRX550 and SRX650 only
SRX650-APPSEC-A-1 | One year subscription for Application Security and IPS updates for SRX650
SRX650-APPSEC-A-3 | Three year subscription for Application Security and IPS updates for SRX650
SRX650-APPSEC-A-5 | Five year subscription for Application Security and IPS updates for SRX650
Model Number | Description

SRX550 Base System
SRX550-645AP-M | SRX550 Services Gateway with 4 GB DRAM and 8 GB CF, 2 RU height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, fans; ships with one 645 watt AC power supply with 247 W PoE power (power cord and rack-mount kit included)
SRX550-645DP-M | SRX550 Services Gateway with 4 GB DRAM and 8 GB CF, 2 RU height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, fans; ships with one 645 watt DC power supply with 247 W PoE power (no power cord or rack-mount kit included)
SRX550-645AP | SRX550 Services Gateway, 2 RU height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, fans; ships with one 645 watt AC power supply with 247 W PoE power (power cord and rack-mount kit included)
SRX550-645DP | SRX550 Services Gateway, 2 RU height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, fans; ships with one 645 watt DC power supply with 247 W PoE power (no power cord and rack-mount kit included)

SRX550 Power Supplies and Accessories
SRX600-PWR645AC-POE | Spare 645 W AC PoE power supply unit for SRX550 and SRX650 systems—one is included in SRX550 and SRX650 base systems (SRX650-BASE-SRE6-645AP, SRX550-645AC)
SRX600-PWR645DC-POE | 645 W DC source power supply for SRX550, SRX650; provides 397 W system power @ 12 V and 248 W PoE power @ 50 VDC; works with 43-56 VDC input—no power cord
SRX550-CHAS | SRX550 Services Gateway, 2 RU height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, fans (power supply not included)
SRX550-FILT-01 | Not included in SRX550 systems, optional, as this is not required for normal operations, but recommended for dusty environments

SRX550 Additional Software Feature Licenses
SRX550-K-AV | One year subscription for Juniper-Kaspersky antivirus updates on SRX550
SRX550-S-AV | One year subscription for Juniper-Sophos antivirus updates on SRX550
SRX550-IDP | One year subscription for IDP updates on SRX550
SRX550-S2-AS | One year subscription for Juniper-Sophos antispam updates on SRX550
SRX550-W-WF | One year subscription for Juniper-Websense Web filtering updates on SRX550
SRX550-SMB4-CS | One year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX550-S-SMB4-CS | One year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX550-K-AV-3 | Three year subscription for Juniper-Kaspersky AV updates on SRX550
SRX550-S-AV-3 | Three year subscription for Juniper-Sophos AV updates on SRX550
SRX550-IDP-3 | Three year subscription for IDP updates on SRX550
SRX550-S2-AS-3 | Three year subscription for Juniper-Sophos antispam updates on SRX550
SRX550-W-WF-3 | Three year subscription for Juniper-Websense Web filtering updates on SRX550
SRX550-SMB4-CS-3 | Three year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX550-S-SMB4CS-3 | Three year security subscription for enterprise–includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX550-K-AV-5 | Five year subscription for Juniper-Kaspersky AV updates on SRX550
SRX550-S-AV-5 | Five year subscription for Juniper-Sophos AV updates on SRX550
SRX550-IDP-5 | Five year license for IDP updates for SRX550
SRX550-W-WF-5 | Five year subscription for Juniper-Websense Web filtering updates on SRX550
SRX550-SMB4-CS-5 | Five year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX550-S-SMB4CS-5 | Five year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX550
SRX-RAC-5-LTU | Dynamic VPN Client: 5 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-10-LTU | Dynamic VPN Client: 10 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-25-LTU | Dynamic VPN Client: 25 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-50-LTU | Dynamic VPN Client: 50 simultaneous users for SRX210, SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-100-LTU | Dynamic VPN Client: 100 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-150-LTU | Dynamic VPN Client: 150 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-250-LTU | Dynamic VPN Client: 250 simultaneous users for SRX240, SRX550, and SRX650 only
SRX-RAC-500-LTU | Dynamic VPN Client: 500 simultaneous users for SRX550 and SRX650 only
SRX550-APPSEC-A-1 | One year subscription for Application Security and IPS updates for SRX550
SRX550-APPSEC-A-3 | Three year subscription for Application Security and IPS updates for SRX550
SRX550-APPSEC-A-5 | Five year subscription for Application Security and IPS updates for SRX550
SRX240 Base System
Model Number | Description
SRX240H2 | SRX240 Services Gateway with 16 x GbE ports, 4x mini-PIM slots, and high memory (2 GB DRAM, 2 GB Flash); integrated power supply with power cord, and 19” rack mount kit included
SRX240H2-POE | SRX240 Services Gateway with 16 x GbE ports, 4x mini-PIM slots, and high memory (2 GB RAM, 2 GB Flash), with 16 ports PoE (150 W); integrated power supply with power cord, and 19” rack mount kit included
SRX240H2-DC | SRX240 Services Gateway with 16 x GbE ports, 4x mini-PIM slots, and high memory (2 GB RAM, 2 GB Flash); integrated -48 V DC power supply with 19” rack mount kit included
SRX240-RMK | SRX240 rack-mount kit for 19 in rack (holds one unit)
SRX240H-TAA | Trade Agreement Act-compliant SRX240 Services Gateway with 16 GbE ports, 4 Mini-PIM slots, and high memory (1 GB RAM, 1 GB Flash)
SRX240H-POE-TAA | Trade Agreement Act-compliant SRX240 Services Gateway with 16 GbE ports, 4 Mini-PIM slots, and high memory (1 GB RAM, 1 GB Flash), with 16 ports PoE (150 W)

SRX240 Additional Software Feature Licenses
SRX240-K-AV | One year subscription for Juniper-Kaspersky antivirus updates on SRX240
SRX240-S-AV | One year subscription for Juniper-Sophos antivirus updates on SRX240
SRX240-IDP | One year subscription for IDP updates on SRX240
SRX240-S2-AS | One year subscription for Juniper-Sophos antispam updates on SRX240
SRX240-W-WF | One year subscription for Juniper-Websense Web filtering updates on SRX240
SRX240-SMB4-CS | One year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-S-SMB4-CS | One year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-K-AV-3 | Three year subscription for Juniper-Kaspersky antivirus updates on SRX240
SRX240-S-AV-3 | Three year subscription for Juniper-Sophos antivirus updates on SRX240
SRX240-IDP-3 | Three year subscription for IDP updates on SRX240
SRX240-S2-AS-3 | Three year subscription for Juniper-Sophos antispam updates on SRX240
SRX240-W-WF-3 | Three year subscription for Juniper-Websense Web filtering updates on SRX240
SRX240-SMB4CS-3 | Three year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-S-SMB4CS-3 | Three year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-K-AV-5 | Five year subscription for Juniper-Kaspersky antivirus updates on SRX240
SRX240-S-AV-5 | Five year subscription for Juniper-Sophos antivirus updates on SRX240
SRX240-IDP-5 | Five year subscription for IDP updates on SRX240
SRX240-S2-AS-5 | Five year subscription for Juniper-Sophos antispam updates on SRX240
SRX240-W-WF-5 | Five year subscription for Juniper-Websense Web filtering updates on SRX240
SRX240-SMB4CS-5 | Five year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-S-SMB4CS-5 | Five year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX240
SRX240-SMB2CS-5 | Five year security subscription for enterprise—includes Kaspersky antivirus, Web filtering, Sophos antispam, and IDP on SRX240
SRX240-S-SMBCS-5 | Five year security subscription for enterprise—includes Sophos antivirus, Web filtering, Sophos antispam and IPS on SRX240
SRX-RAC-5-LTU | Dynamic VPN Client: 5 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-10-LTU | Dynamic VPN Client: 10 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-25-LTU | Dynamic VPN Client: 25 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-50-LTU | Dynamic VPN Client: 50 simultaneous users for SRX210, SRX220, SRX240, SRX550 and SRX650 only
SRX-RAC-100-LTU | Dynamic VPN Client: 100 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-150-LTU | Dynamic VPN Client: 150 simultaneous users for SRX220, SRX240, SRX550, and SRX650 only
SRX-RAC-250-LTU | Dynamic VPN Client: 250 simultaneous users for SRX240, SRX550, and SRX650 only
SRX240-APPSEC-A-1 | One year subscription for Application Security and IPS updates for SRX240
SRX240-APPSEC-A-3 | Three year subscription for Application Security and IPS updates for SRX240
SRX240-APPSEC-A-5 | Five year subscription for Application Security and IPS updates for SRX240

SRX220 Base System
SRX220H2 | SRX220 Services Gateway with 8 GbE ports, 2 Mini-PIM slots, and high memory (2 GB RAM, 2 GB Flash)—external power supply and cord included
SRX220H2-POE | SRX220 Services Gateway with 8 GbE ports, 2 Mini-PIM slots, and high memory (2 GB RAM, 2 GB Flash), with 8 ports PoE (120 W)*
SRX220-RMK | SRX220 rack-mount kit for 19 in rack (holds one unit)
SRX220-WALL-KIT | SRX220 wall mount kit (holds one unit)
SRX220-PWR60W* | Spare SRX220 switching power supply, 60 W (non-POE)

*See price list for country-specific power cord model numbers.
SRX220 Additional Software Feature Licenses
Model Number | Description
SRX220-K-AV | One year subscription for Juniper-Kaspersky antivirus updates on SRX220
SRX220-S-AV | One year subscription for Juniper-Sophos antivirus updates on SRX220
SRX220-IDP | One year subscription for IDP updates on SRX220
SRX220-S2-AS | One year subscription for Juniper-Sophos antispam updates on SRX220
SRX220-W-WF | One year subscription for Juniper-Websense Web filtering updates on SRX220
SRX220-SMB4-CS | One year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX220-S-SMB4-CS | One year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX220-K-AV-3 | Three year subscription for Juniper-Kaspersky antivirus updates on SRX220
SRX220-S-AV-3 | Three year subscription for Juniper-Sophos antivirus updates on SRX220
SRX220-IDP-3 | Three year subscription for IDP updates on SRX220
SRX220-S2-AS-3 | Three year subscription for Juniper-Sophos antispam updates on SRX220
SRX220-W-WF-3 | Three year subscription for Juniper-Websense Web filtering updates on SRX220
SRX220-SMB4-CS-3 | Three year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX220-S-SMB4CS-3 | Three year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX220-K-AV-5 | Five year subscription for Juniper-Kaspersky antivirus updates on SRX220
SRX220-S-AV-5 | Five year subscription for Juniper-Sophos antivirus updates on SRX220
SRX220-IDP-5 | Five year subscription for IDP updates on SRX220
SRX220-W-WF-5 | Five year subscription for Juniper-Websense Web filtering updates on SRX220
SRX220-SMB4CS-5 | Five year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX220-S-SMB4CS-5 | Five year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX220
SRX-RAC-5-LTU | Dynamic VPN Client: 5 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-10-LTU | Dynamic VPN Client: 10 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-25-LTU | Dynamic VPN Client: 25 simultaneous users for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-50-LTU | Dynamic VPN Client: 50 simultaneous users for SRX210, SRX220, SRX240, SRX550, and SRX650
SRX-RAC-100-LTU | Dynamic VPN Client: 100 simultaneous users for SRX220, SRX240, SRX550, and SRX650
SRX-RAC-150-LTU | Dynamic VPN Client: 150 simultaneous users for SRX220, SRX240, SRX550, and SRX650
SRX220-APPSEC-A-1 | One year subscription for Application Security and IPS updates for SRX220
SRX220-APPSEC-A-3 | Three year subscription for Application Security and IPS updates for SRX220
SRX220-APPSEC-A-5 | Five year subscription for Application Security and IPS updates for SRX220

SRX210 Base System
SRX210HE2 | SRX210 Services Gateway with 2 GbE + 6 Fast Ethernet ports, 1 Mini-PIM slot, 1 ExpressCard slot and high memory (2 GB RAM, 2 GB Flash)
SRX210HE2-POE | SRX210 Services Gateway with 2 GbE + 6 Fast Ethernet ports, 1 Mini-PIM slot, 1 ExpressCard slot and high memory (2 GB RAM, 2 GB Flash), with 4 ports PoE (50 W)

SRX210 Additional Hardware
SRX210-DESKSTAND | SRX210 desk top stand (holds one unit)
SRX210-RMK | SRX210 rack-mount kit for 19 in rack (holds one unit)
SRX210-WALL-KIT | SRX210 wall mount kit (holds one unit)
SRX210-PWR60W-* | Spare SRX210 switching power supply, 60 W (non-PoE)
SRX210-PWR150W-* | Spare SRX210 switching power supply, 150 W (PoE)

SRX210 Additional Software Feature Licenses
SRX210-K-AV | One year subscription for Juniper-Kaspersky antivirus updates on SRX210
SRX210-S-AV | One year subscription for Juniper-Sophos antivirus updates on SRX210
SRX210-IDP | One year subscription for IDP updates on SRX210
SRX210-S2-AS | One year subscription for Juniper-Sophos antispam updates on SRX210
SRX210-W-WF | One year subscription for Juniper-Websense Web filtering updates on SRX210
SRX210-SMB4-CS | One year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX210
SRX210-S-SMB4-CS | One year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX210
SRX210-K-AV-3 | Three year subscription for Juniper-Kaspersky antivirus updates on SRX210
SRX210-S-AV-3 | Three year subscription for Juniper-Sophos antivirus updates on SRX210
SRX210-IDP-3 | Three year subscription for IDP updates on SRX210
SRX210-S2-AS-3 | Three year subscription for Juniper-Sophos antispam updates on SRX210
SRX210-W-WF-3 | Three year subscription for Juniper-Websense Web filtering updates on SRX210
SRX210-SMB4-CS-3 | Three year security subscription for enterprise—includes Kaspersky AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX210
SRX210-S-SMB4CS-3 | Three year security subscription for enterprise—includes Sophos AV, enhanced WF, Sophos AS, AppSecure and IDP on SRX210
17
SRX Series Services Gateways for the Branch
Model Number
Description
SRX210-K-AV-5
Five year subscription for Juniper-Kaspersky
antivirus updates on SRX210
SRX210-S-AV-5
Five year subscription for Juniper-Sophos
antivirus updates on SRX210
SRX210-IDP-5
Five year subscription for IDP updates on
SRX210
SRX210-S2-AS-5
Five year subscription for Juniper-Sophos
antispam updates on SRX210
SRX210-W-WF-5
Five year subscription for Juniper-Websense
Web filtering updates on SRX210
SRX210-SMB4-CS-5
Five year security subscription for
enterprise—includes Kaspersky AV,
enhanced WF, Sophos AS, AppSecure and
IDP on SRX210
SRX210-S-SMB4CS-5
Five year security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP on
SRX210
SRX-RAC-5-LTU
SRX-RAC-10-LTU
SRX-RAC-25-LTU
SRX-RAC-50-LTU
Dynamic VPN Client: 5 simultaneous users
for SRX100, SRX110, SRX210, SRX220,
SRX240, SRX550, and SRX650
Dynamic VPN Client: 10 simultaneous users
for SRX100, SRX110, SRX210, SRX220,
SRX240, SRX550, and SRX650
Dynamic VPN Client: 25 simultaneous
users for SRX100, SRX110, SRX210, SRX220,
SRX240, SRX550, and SRX650
Dynamic VPN Client: 50 simultaneous users
for SRX210, SRX220, SRX240, SRX550, and
SRX650 only
Data Sheet
Model Number
Description
SRX110 Additional Hardware
SRX110-DESKSTAND
SRX110 desktop stand; holds one unit
SRX110-RMK
SRX110 rack-mount kit; holds one unit
SRX110-WALL-KIT
SRX110 wall mount kit; holds one unit
SRX100 Base System
SRX100H2
SRX100 Services Gateway with 8xFE ports
and high memory (2 GB RAM, 2 GB Flash)
SRX100 Additional Hardware
SRX100-PWR30W-*
Spare SRX100 switching power supply,
30 W (non-PoE)
SRX-100-RMK
SRX100 19” rack-mount kit (holds two units)
SRX100-WALL-KIT
SRX100 wall mount kit (holds one unit)
SRX100-DESKSTAND
SRX100 desk stand (holds one unit)
SRX100/SRX110 Dynamic VPN Client
SRX-RAC-5-LTU
5 simultaneous users for SRX100, SRX110,
SRX210, SRX220, SRX240, SRX550, and
SRX650
SRX-RAC-10-LTU
10 simultaneous users for SRX100, SRX110,
SRX210, SRX220, SRX240, SRX550, and
SRX650
SRX-RAC-25-LTU
25 simultaneous users for SRX100, SRX110,
SRX210, SRX220, SRX240, SRX550, and
SRX650
SRX100/SRX110 Additional Software Feature
Licenses **
SRX210-APPSEC-A-1
One year subscription for Application
Security and IPS updates for SRX210
SRX1XX-K-AV
SRX210APPSEC-A-3
Three year subscription for Application
Security and IPS updates for SRX210
One year subscription for Juniper-Kaspersky
AV updates
SRX1XX-K-AV-3
SRX210APPSEC-A-5
Five year subscription for Application
Security and IPS updates for SRX210
Three year subscription for JuniperKaspersky AV updates
SRX1XX-K-AV-5
Five year subscription for Juniper-Kaspersky
AV updates
SRX1XX-S-AV
One year subscription for Juniper-Sophos
AV updates
SRX1XX-S-AV-3
Three year subscription for Juniper-Sophos
AV updates
SRX1XX-S-AV-5
Five year subscription for Juniper-Sophos AV
updates
SRX1XX-S2-AS
One year subscription for Juniper-Sophos
antispam updates
SRX1XX-S2-AS-3
Three year subscription for Juniper-Sophos
antispam updates
SRX1XX-S2-AS-5
Five year subscription for Juniper-Sophos
antispam updates
SRX1XX-W-EWF
One year subscription for Juniper-Websense
enhanced Web filtering updates
SRX1XX-W-EWF-3
Three year subscription for JuniperWebsense enhanced Web filtering updates
SRX1XX-W-EWF-5
Five year subscription for Juniper-Websense
enhanced Web filtering updates
SRX1XX-SMB4-CS
One year security subscription for enterprise—
includes Kaspersky AV, enhanced WF, Sophos
AS, AppSecure and IDP
SRX1XX-SMB4-CS-3
Three year security subscription for
Kaspersky AV, enhanced WF, Sophos AS,
AppSecure and IDP
Small Form Factor Pluggable (SFP) Transceivers
SRX-SFP-1GE-LH
SFP 1000BASE-LH Optical Transceiver
SRX-SFP-1GE-LX
SFP 1000BASE-LX Optical Transceiver
SRX-SFP-1GE-SX
SFP 1000BASE-SX Optical Transceiver
SRX-SFP-1GE-T
SFP 1000BASE-T Copper Transceiver
SRX-SFP-FE-FX
SFP 100BASE-FX Optical Transceiver
SRX-MP-1SFP-GE
Single-port SFP Mini-PIM
SRX-GP-8SFP
8-port GbE copper, fiber SFP XPIM
SRX110 Base System
SRX110H2-VA
SRX110 Services Gateway with 8xFE ports, 2 GB RAM and Flash, 1-port VDSL2/ADSL2+ over POTS, USB port for cellular modem connectivity, and external PS and cord included
SRX110H2-VB
SRX110 Services Gateway with 8xFE ports, 2 GB RAM and Flash, 1-port VDSL2/ADSL2+ over ISDN BRI, USB port for cellular modem connectivity, and external PS and cord included
*See price list for country-specific power cord model numbers.
**The additional software feature licenses apply to both the SRX100 and the SRX110.
Model Number
Description
SRX1XX-SMB4-CS-5
Five year security subscription for
enterprise—includes Kaspersky AV,
enhanced WF, Sophos AS, AppSecure and
IDP
SRX1XX-SMB4CS-R
One year renewal security subscription
for enterprise—includes Kaspersky AV,
enhanced WF, Sophos AS, AppSecure and
IDP
SRX1XX-S-SMB4-CS
One year security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and
IDP
SRX1XX-SMB4-CS3-R
Three year renewal security subscription
for enterprise—includes Kaspersky AV,
enhanced WF, Sophos AS, AppSecure and
IDP
SRX1XX-S-SMB4CS-3
Three year security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-SMB4-CS5-R
Five year renewal security subscription for
enterprise—includes Kaspersky AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-S-SMB4CS-5
Five year security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-S-SMB4CS-R
One year renewal security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-IDP
One year license for IDP updates
SRX1XX-IDP-3
Three year license for IDP updates
SRX1XX-S-SMB4CS-3-R
Three year renewal security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-IDP-5
Five year license for IDP updates
SRX1XX-K-AV-3-R
Three year renewal subscription for Juniper-Kaspersky AV updates
SRX1XX-S-SMB4CS-5-R
Five year renewal security subscription for
enterprise—includes Sophos AV, enhanced
WF, Sophos AS, AppSecure and IDP
SRX1XX-K-AV-5-R
Five year renewal subscription for Juniper-Kaspersky AV updates
SRX1XX-IDP-R
One year renewal subscription for IDP
Signature service
SRX1XX-K-AV-R
One year renewal subscription for Juniper-Kaspersky AV updates
SRX1XX-IDP-3-R
Three year renewal subscription for IDP
Signature service
SRX1XX-S-AV-3-R
Three year renewal subscription for Juniper-Sophos AV updates
SRX1XX-IDP-5-R
Five year renewal subscription for IDP
Signature service
SRX1XX-S-AV-5-R
Five year renewal subscription for Juniper-Sophos AV updates
SRX100APPSEC-A-1
One year subscription for Application
Security and IPS updates for SRX100
SRX1XX-S-AV-R
One year renewal subscription for Juniper-Sophos AV updates
SRX100APPSEC-A-3
Three year subscription for Application
Security and IPS updates for SRX100
SRX1XX-S2-AS-3-R
Three year renewal subscription for Juniper-Sophos antispam updates
SRX100APPSEC-A-5
Five year subscription for Application
Security and IPS updates for SRX100
SRX1XX-S2-AS-5-R
Five year renewal subscription for Juniper-Sophos antispam updates
SRX1XX-S2-AS-R
One year renewal subscription for Juniper-Sophos antispam updates
SRX1XX-W-EWF-3-R
Three year renewal subscription for Juniper-enhanced Websense enhanced Web
filtering updates
SRX1XX-W-EWF5-R
Five year renewal subscription for Juniper-enhanced Websense enhanced Web
filtering updates
SRX1XX-W-EWF-R
One year renewal subscription for Juniper-enhanced Websense enhanced Web
filtering updates
About Juniper Networks
Juniper Networks is in the business of network innovation. From
devices to data centers, from consumers to cloud providers,
Juniper Networks delivers the software, silicon and systems that
transform the experience and economics of networking. The
company serves customers and partners worldwide. Additional
information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701
Copyright 2016 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos
and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their
respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000281-030-EN Mar 2016
Data Sheet
SRX300 Line of Services
Gateways for the Branch
Product Overview
The SRX300 line of services gateways combines security, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).
Product Description
Juniper Networks® SRX300 line of services gateways delivers a next-generation networking and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience.
The SRX300 line consists of four models:
• SRX300: Securing small branch or retail offices, the SRX300 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
• SRX320: Securely connecting small distributed enterprise branch offices, the SRX320
Services Gateway consolidates security, routing, switching, and WAN connectivity in
a small desktop device. The SRX320 supports up to 1 Gbps firewall and 300 Mbps
IPsec VPN in a single, consolidated, cost-effective networking and security platform.
• SRX340: Securely connecting midsize distributed enterprise branch offices, the
SRX340 Services Gateway consolidates security, routing, switching, and WAN
connectivity in a 1 U form factor. The SRX340 supports up to 3 Gbps firewall and
600 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security
platform.
• SRX345: Best suited for midsize to large distributed enterprise branch offices,
the SRX345 Services Gateway consolidates security, routing, switching, and WAN
connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and
800 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security
platform.
SRX300 Highlights
The SRX300 line of services gateways consists of secure routers that bring high
performance and proven deployment capabilities to enterprises that need to build a
worldwide network of thousands of remote sites. Ethernet, serial, T1/E1, xDSL, and 3G/4G
LTE wireless are all available options for WAN or Internet connectivity to link sites. Industry
best, high-performance IPsec VPN solutions provide comprehensive encryption and
authentication capabilities to secure intersite communications. Multiple form factors with
Ethernet switching support on native Gigabit Ethernet ports allow cost-effective choices
for mission-critical deployments. Juniper Networks Junos® automation and scripting
capabilities and Junos Space Security Director reduce operational complexity and simplify
the provisioning of new sites.
The SRX300 line of devices recognizes more than 3,500 Layer 3-7 applications, including Web 2.0 and evasive peer-to-peer (P2P) applications like Skype, torrents, and others. Correlating application information with user contextual information, the SRX300 line can generate bandwidth usage reports, enforce access control policies, prioritize and rate-limit traffic going out of WAN interfaces, and proactively secure remote sites. This optimizes resources in the branch office and improves the application and user experience.
For the perimeter, the SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls, and on-box and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks Spotlight Secure offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats.
The SRX300 line enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.
SRX300 services gateways run Juniper Networks Junos operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks around the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.
Features and Benefits
| Business Requirement | Feature/Solution | SRX300 Advantages |
|---|---|---|
| High performance | Up to 5 Gbps of routing and firewall performance | • Best suited for small, medium and large branch office deployments • Addresses future needs for scale and feature capacity |
| Business continuity | Stateful high availability (HA), IP monitoring | • Uses stateful HA to synchronize configuration and firewall sessions • Supports multiple WAN interfaces with dial-on-demand backup • Route/link failover based on real-time link performance |
| End-user experience | App visibility and control | • Detects 3,500+ Layer 3-7 applications, including Web 2.0 • Controls and prioritizes traffic based on application and user role • Inspects and detects applications inside the SSL encrypted traffic |
| Highly secure | IPsec VPN, Media Access Control Security (MACsec) | • Creates secure, reliable, and fast overlay link over public internet • Uses MACsec to secure the point-to-point LAN/WAN communication • Employs anti-counterfeit features to protect from unauthorized hardware spares |
| Threat protection | IPS, antivirus, anti-spam, Spotlight Secure | • Enables zone-based stateful firewall by default • Protects from malware and attacks with IPS and antivirus • Integrates open threat intelligence platform with third-party feeds |
| Easy to manage and scale | On-box GUI, Security Director | • Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments • Includes simple easy-to-use on-box GUI for local management |
| Minimize TCO | Junos OS | • Integrates routing, switching, and security in a single device • Reduces operation expense with Junos automation capabilities |
SRX300
SRX320
SRX340
SRX345
SRX300 Specifications
Software Specifications
Routing Protocols
• IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
• Static routes
• RIP v1/v2
• OSPF/OSPF v3
• BGP with Route Reflector
• IS-IS
• Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
• Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
• Virtual routers
• Policy-based routing, source-based routing
• Equal-cost multipath (ECMP)
QoS Features
• Support for 802.1p, DiffServ code point (DSCP), EXP
• Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
• Marking, policing, and shaping
• Classification and scheduling
• Weighted random early detection (WRED)
• Guaranteed and maximum bandwidth
• Ingress traffic policing
• Virtual channels
Switching Features
• ASIC-based Layer 2 Forwarding
• MAC address learning
• VLAN addressing and integrated routing and bridging (IRB) support
Firewall Services
• Stateful and stateless firewall
• Zone-based firewall
• Screens and distributed denial of service (DDoS) protection
• Protection from protocol and traffic anomaly
• Unified Access Control (UAC)
• Network Address Translation (NAT)
• Source NAT with Port Address Translation (PAT)
• Bidirectional 1:1 static NAT
• Destination NAT with PAT
• Persistent NAT
• IPv6 address translation
• User role-based firewall
VPN Features
• Tunnels: Generic routing encapsulation (GRE), IP-IP, IPsec
• Site-site IPsec VPN, auto VPN, group VPN
• IPsec crypto algorithms: Data Encryption Standard (DES), triple DES (3DES), Advanced Encryption Standard (AES-256)
• IPsec authentication algorithms: MD5, SHA-1, SHA-128, SHA-256
• Pre-shared key and public key infrastructure (PKI) (X.509)
• Perfect forward secrecy, anti-replay
• IPv4 and IPv6 IPsec VPN
• Multi-proxy ID for site-site VPN
• Internet Key Exchange (IKEv1, IKEv2), NAT-T
• Virtual router and quality-of-service (QoS) aware
• Standard-based dead peer detection (DPD) support
Network Services
• Dynamic Host Configuration Protocol (DHCP) client/server/relay
• Domain Name System (DNS) proxy, dynamic DNS (DDNS)
• Juniper real-time performance monitoring (RPM) and IP-monitoring
• Juniper flow monitoring (J-Flow)
High Availability Features
• Virtual Router Redundancy Protocol (VRRP)
• Stateful high availability
-- Dual box clustering
-- Active/passive
-- Active/active
-- Configuration synchronization
-- Firewall session synchronization
-- Device/link detection
• Dial on-demand backup interfaces
• IP monitoring with route and interface failover
Management, Automation, Logging, and Reporting
• SSH, Telnet, SNMP
• Smart image download
• Juniper CLI and Web UI
• Junos Space and Security Director
• Python
• Junos OS event, commit, and OP script
• Application and bandwidth usage reporting
• Auto installation
• Debug and troubleshooting tools
Advanced Routing Services¹
• MPLS (RSVP, LDP)
• Circuit cross-connect (CCC), translational cross-connect (TCC)
• L2/L3 MPLS VPN, pseudowires
• Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
• MPLS traffic engineering and MPLS fast reroute
¹ Available as part of Juniper Secure Edge (JSE) software package.
Application Security Services²
• Application visibility and control
• Application-based firewall
• Application QoS
• SSL inspection
Threat Defense and Intelligence Services³
• Intrusion prevention
• Antivirus
• Antispam
• Category/reputation-based URL filtering
• Spotlight Secure threat intelligence
Hardware Specifications
| Specification | SRX300 | SRX320 | SRX340 | SRX345 |
|---|---|---|---|---|
| Connectivity | | | | |
| Total onboard ports | 8x1GbE | 8x1GbE | 16x1GbE | 16x1GbE |
| Onboard RJ-45 ports | 6x1GbE | 6x1GbE | 8x1GbE | 8x1GbE |
| Onboard small form-factor pluggable (SFP) transceiver ports | 2x1GbE | 2x1GbE | 8x1GbE | 8x1GbE |
| MACsec ports | 2x1GbE | 2x1GbE | 16x1GbE | 16x1GbE |
| Out-of-band (OOB) management ports | 0 | 0 | 1x1GbE | 1x1GbE |
| Mini PIM (WAN) slots | 0 | 2 | 4 | 4 |
| Console (RJ-45 + miniUSB) | 1 | 1 | 1 | 1 |
| USB 2.0 ports (type A) | 1 | 1 | 1 | 1 |
| Optional PoE+ ports⁴ | N/A | 6 | 0 | 0 |
| Memory and Storage | | | | |
| System memory (RAM) | 4 GB | 4 GB | 4 GB | 4 GB |
| Storage (flash) | 8 GB | 8 GB | 8 GB | 8 GB |
| SSD slots | 0 | 0 | 1 | 1 |
| Dimensions and Power | | | | |
| Form factor | Desktop | Desktop | 1U | 1U |
| Size (WxHxD) | 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) | 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) |
| Weight (device and PSU) | 4.38 lb (1.98 kg) | 3.28 lb (1.51 kg)⁵ / 3.4 lb (1.55 kg)⁶ | 10.80 lb (4.90 kg) | 10.80 lb (4.90 kg) |
| Redundant PSU | No | No | No | No |
| Power supply | AC (external) | AC (external) | AC (internal) | AC (internal) |
| Maximum PoE power | N/A | 90 W | N/A | N/A |
| Average power consumption | 15.4 W | 27 W⁵ / 112 W⁶ | 122 W | 122 W |
| Average heat dissipation | 85 BTU/h | 157 BTU/h⁵ / 755 BTU/h⁶ | 420 BTU/h | 420 BTU/h |
| Maximum current consumption | 0.254 A | 0.473 A / 2.07 A | 1.364 A | 1.364 A |
| Acoustic noise level | 0 dB (fanless) | 35 dBA⁵ / 40 dBA⁶ | 35 dBA | 35 dBA |
| Airflow/cooling | Fanless | Front to back | Front to back | Front to back |

Environmental, Compliance, and Safety Certification
Operational temperature: 32° to 104° F (0° to 40° C)
Nonoperational temperature: 4° to 158° F (-20° to 70° C)
Operating humidity: 10% to 90% noncondensing
Nonoperating humidity: 5% to 95% noncondensing

| Specification | SRX300 | SRX320 | SRX340 | SRX345 |
|---|---|---|---|---|
| Meantime between failures (MTBF) | 44.5 years | 32.5 years⁵ / 26 years⁶ | 27 years | 27.4 years |
| FCC classification | Class A | Class A | Class A | Class A |
| RoHS compliance | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2 |

² Available as part of Juniper Secure Edge (JSE) software package or advanced security subscription licenses.
³ Offered as advanced security services subscription licenses.
⁴ PoE ports on SRX320 available as a separate SKU SRX320-POE
⁵ SRX320 non POE model
⁶ SRX320-POE with 6 ports POE+ model
Performance and Scale*
| Parameter | SRX300 | SRX320 | SRX340 | SRX345 |
|---|---|---|---|---|
| Routing/firewall (64 B packet size) in Kpps⁷ | 200 | 200 | 350 | 550 |
| Routing/firewall (IMIX packet size)⁷ | 500 Mbps | 500 Mbps | 1 Gbps | 1.7 Gbps |
| Routing/firewall (1,518 B packet size) in Gbps⁷ | 1 | 1 | 3 | 5 |
| IPsec VPN (IMIX packet size) in Mbps⁷ | 100 | 100 | 200 | 300 |
| IPsec VPN (1,400 B packet size) in Mbps⁷ | 300 | 300 | 600 | 800 |
| Application visibility and control⁸ | 500 Mbps | 500 Mbps | 1 Gbps | 1.7 Gbps |
| Recommended IPS in Mbps⁸ | 200 | 200 | 400 | 600 |
| Next-generation firewall in Mbps⁸ | 100 | 100 | 200 | 300 |
| Route table size (RIB/FIB) (IPv4 or IPv6) | 256,000/256,000 | 256,000/256,000 | 1 mil/600,000⁹ | 1 mil/600,000⁹ |
| Maximum concurrent sessions (IPv4 or IPv6) | 64,000 | 64,000 | 256,000 | 375,000 |
| Maximum security policies | 1,000 | 1,000 | 2,000 | 4,000 |
| Connections per second | 5,000 | 5,000 | 10,000 | 15,000 |
| NAT rules | 1,000 | 1,000 | 2,000 | 2,000 |
| MAC table size | 15,000 | 15,000 | 15,000 | 15,000 |
| IPsec VPN tunnels | 256 | 256 | 1,024 | 2,048 |
| GRE tunnels | 256 | 256 | 512 | 1,024 |
| Maximum number of security zones | 16 | 16 | 64 | 64 |
| Maximum number of virtual routers | 32 | 32 | 64 | 128 |
| Maximum number of VLANs | 1,000 | 1,000 | 2,000 | 3,000 |
| AppID sessions | 16,000 | 16,000 | 64,000 | 64,000 |
| IPS sessions | 16,000 | 16,000 | 64,000 | 64,000 |
| URLF sessions | 16,000 | 16,000 | 64,000 | 64,000 |

⁷ Throughput numbers based on UDP packets and RFC2544 test methodology
⁸ Throughput numbers based on HTTP traffic with 44 KB transaction size
⁹ Route scaling numbers are with enhanced route-scale features turned on
WAN Interface Support Matrix
| WAN Interface | SRX300 | SRX320 | SRX340 | SRX345 |
|---|---|---|---|---|
| 1 port T1/E1 MPIM | No | Yes | Yes | Yes |
| 1 port VDSL2 Annex A/M MPIM | No | Yes | Yes | Yes |
| 1 port serial MPIM | No | Yes | Yes | Yes |
Ordering Information
To order Juniper Networks SRX Series Services Gateways, please visit the How to Buy page.
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.
*All performance and scaling numbers are based on ideal lab test conditions.
1000550-004-EN May 2016
Data Sheet
SRX1400 Services
Gateway
Product Overview
SRX Series Services Gateways are next-generation firewalls based on a revolutionary architecture offering outstanding protection, performance, scalability, availability, and security service integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series exceeds the security requirements of data center consolidation and services aggregation. The SRX Series is powered by Junos OS, the same industry-leading operating system platform that keeps the world’s largest networks available, manageable, and secure for the data center.
Product Description
The SRX1400 Services Gateway is a professional-grade platform for security ideally suited for small to mid-size data centers, enterprise, and service provider network deployments where consolidated functionality, uncompromising 10 Gbps performance, compact environmental footprint, and affordability are key requirements.
The SRX1400 expands the SRX Series family of next-generation firewalls, delivering market-leading performance and extensive service integration to 10GbE environments where the features are required without the massive scalability provided by SRX3000 and SRX5000 lines.
In terms of security, the SRX1400 features next-generation firewall services such as application security, Unified Threat Management (UTM) and Intrusion Prevention System (IPS). Integrated threat intelligence via Spotlight Secure offers adaptive threat protection against command and control (C&C) related botnets and policy enforcement based on GeoIP and attacker fingerprinting technology (the latter for Web application protection)—all of which are based on Juniper provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats.
The SRX1400 is available in two base configurations offering a choice of built-in high-density 1GbE ports or combination of built-in 10GbE ports and 1GbE ports. For enhanced
flexibility, the SRX1400 can use the integrated SRX1400 NSPC processing card or use
separate NPC and SPC cards from the SRX3000 line, simplifying sparing logistics and
interoperability. The appliance includes one expansion slot on the front panel.
Purpose-built to protect 10GbE network environments, the SRX1400 consolidates multiple
security services and networking functions in a highly-available appliance. Featuring
a modular design that uses common form-factor modules serviceable from the front
panel, the SRX1400 incorporates innovation that improves reliability, enhances network
availability and delivers deterministic performance of concurrent security services at scale.
Combining Juniper’s Dynamic Services Architecture and Juniper Networks Junos® operating
system with carrier-class features based on the proven design of the SRX3000 line of
services gateways, SRX1400 sets a new standard in value by extending the SRX Series data
center line to cost-effectively satisfy network security requirements in smaller environments.
Each SRX1400 Services Gateway consolidates multiple security services in one chassis under
one integrated security policy, while delivering the uncompromised performance needed to
support 10GbE environments in today’s high-performance networks.
Purpose-Built for Network Security Professionals
The SRX1400 is a carrier grade appliance designed from the ground up for long, trouble-free service life of continuous operation in demanding, high-performance data center network environments. Designed and produced using a TL 9000 registered quality management system, the SRX1400 is 100% Juniper software, support services and hardware including innovative new chipsets to separate control and user planes, enabling performance to scale to new levels required to meet the needs of high performance networks.
Dynamic Services Architecture
The high-end SRX Series uses the Juniper Dynamic Services Architecture to distribute data sessions between multi-core processing resources dynamically, on-the-fly. Instead of binding network traffic and services to specific CPU cores and processing resources in a fixed or rigid manner, as other vendors do, Dynamic Services Architecture balances traffic session processing work load dynamically within a pool formed from all available resources. This avoids an all-too-common situation experienced on general-purpose computing platforms used for security, where a subset of resources operate at or near their maximum limits while other resources are under-used or idle.
The Dynamic Services Architecture in SRX Series services gateways is what enables Juniper to deliver massive scalability, market-leading throughput, and deterministic performance with multiple security services operating concurrently. With the chassis-based SRX Series gateways, additional processing cards can be easily installed adding to the resource pool as your traffic grows over time.
Centralized Management
Juniper Networks Junos Space Security Director delivers scalable and responsive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage all phases of the security policy lifecycle through a single Web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration.
Junos Space Security Director runs on the Junos Space Management Platform for highly extensible, network-wide management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.
SRX1400 Architecture and Key Components
Based on the time-tested, proven design of the SRX3000 line, the SRX1400 delivers deterministic performance optimized for 10GbE. A functional SRX1400 system consists of a base configuration together with a Network and Services Processing Card (NSPC) designed specifically for the SRX1400, or a combination of base configuration together with interchangeable SRX3000 line processing cards. The capability of the SRX1400 to use SRX3000 line cards can provide significant advantages and a lower total cost of ownership (TCO). Customers can simplify operations and maintenance by using one common security policy and a common set of spares that are compatible and interoperable between SRX1400 and SRX3000 line services gateways. Policy and configuration backup and restore operations, equipment replacements, migration and upgrade from SRX1400 to the SRX3000 line are straightforward.
With the exception of the hot-swappable fan tray, which is accessible from the rear panel, all modules and connections on the SRX1400 are accessible from the front panel.
Choice of Base Systems
Two base systems are available for the SRX1400 - a GE version and an XGE version. Both base system versions include a discrete Routing Engine module, one power supply (AC or DC), and a fan tray assembly.
GE-Base System
The GE-Base System contains twelve GbE ports. Six of the twelve GbE ports are 10/100/1000 copper (RJ45), and six are 1000BASE-X. Two of the six 1000BASE-X ports can be used for either high availability (HA) cluster control or as data ports. The 1000BASE-X ports accept small form-factor pluggable (SFP) transceivers which are available in copper, short reach (SX) multimode (MM fiber) and long reach (LX) single mode (SM fiber).
XGE-Base System
The XGE-Base System contains three ports of 10GbE and nine ports of GbE. Six of the nine GbE ports are 10/100/1000 copper (RJ45) and three are 1000BASE-X. Two of the three 1000BASE-X ports can be used for either HA cluster control or as data ports. The 1000BASE-X ports accept SFP transceivers which are available in copper, SX (MM fiber) and LX (SM fiber). The three 10GbE ports accept SFP+ transceivers which are available in SR (MM fiber), LR (SM fiber), and ER (SM fiber).
In addition to a base system, processing resources—either one integrated NSPC, or the combination of one SRX3000 line NPC, one SRX3000 line SPC, and one double wide tray—must be installed in order to have an operational system.
Options
Optional modules that can be added include one additional (redundant) power supply (AC or DC) and one IOC for additional Ethernet connectivity. The SRX3000 line and SRX1400 use the same interchangeable IOC modules. The SRX1400 is designed for future expansion, including the ability to accommodate next-generation silicon from Juniper Networks.
SRX1400 NSPC1
Providing the power inside the SRX1400, the integrated NSPC is optimized to perform all packet processing and inspection for all available services on the platform. The Juniper Dynamic Services Architecture manages the multiple cores of processing power on the NSPC as one pool or reservoir of resources, and dynamically allocates resources to services as needed. To ensure maximum processing performance and flexibility, the SRX Series high-end products use network processors (NPCs) to distribute inbound and outbound traffic to SPCs and IOCs, apply QoS, and enforce protection from DoS/DDoS attack scenarios.
SRX3000 Line NPC and SPC
The SRX1400 will interoperate with the SRX3000 NPC and SPC cards. In order to use the SRX3000 line NPC and SRX3000 SPC in the SRX1400, it is necessary to use the optional double wide tray.
I/O Cards (IOC)
Supporting a wide variety of use cases and to accommodate interfacing between different Ethernet standards, the SRX1400 provides for additional front panel I/O to complement the excellent port density provided in the base system. SRX1400 and SRX3000 line of products use the same IOCs interchangeably. Each SRX1400 Services Gateway can accommodate one additional IOC; either 16 gigabit interfaces (16 x 10/100/1000 copper GbE or 16 x 1000BASE-X fiber GbE), or two 10GbE interfaces (2 x 10GbE XFP Ethernet).
In addition, the SRX1400 and SRX3000 line also has a combined NPC/IOC card (NP-IOC). This card expands the gateway’s performance by serving two functions, network processing and input/output, with just one card in one slot. Like the other cards, this one supports in-service software upgrades; in addition, it also supports in-service hardware upgrades. It is fully backward compatible with the current SRX1400 chassis and cards.
Power Supplies
The SRX1400 accommodates one or two AC or DC power supply modules. Each individual power supply is fully capable of furnishing all of the power the SRX1400 needs. The second power supply is redundant to the first and is used to increase availability in the event of a power supply failure. Power supplies are hot-swappable, Network Equipment Building System (NEBSIII) ready, and accessible from the front panel.
Features and Benefits
Loaded with features and optimized for 10GbE networks, the SRX1400 has many attributes that make it superior to other products
on the market:
Table 1: SRX1400 Features and Benefits
Feature
Description
Benefit
Professional-grade networking
security services
• Purpose-built platform for security built
from the ground up to provide many years of
professional-grade, high-performance, high-availability networking security services.
• Powerful command-line interface (CLI) and
extensive scripting capability.
• Network security solutions you can trust because
they work as expected, day in and day out, year
after year.
Consolidated security services
Consolidation of multiple security services into one
chassis-based system (IP, GTP, and application
firewall; IP and GTP IPS; NAT; IP and application
QoS; dynamic routing; application identification,
tracking and reporting; and more).
• Deploy fewer unique devices.
• Reduce latency, performance, and availability
impacts from multiple devices.
• Reduce operation and maintenance (O&M)
costs with single, integrated policy and device
management system, common spares, and
technical training.
Threat intelligence
Integration with Spotlight Secure for application of
advanced threat detection technologies and feeds
for policy enforcement
Policy enforcement based on optimized and
up-to-date threat intelligence is automatically
syndicated across the firewall estate, enabling
higher security effectiveness and operational
efficiency.
Dynamic Services Architecture
• Separate control and data plane.
• Discrete routing engine.
• Multiple CPU cores form a pool of resources
where idle and underused processing resources
are dynamically allocated to the security
services that need them.
• Superior performance under varying traffic
loads, especially DoS and DDoS attacks.
• Significant reduction in TCO.
• Significant improvement in network reliability,
availability, and performance.
• Improvement in customer satisfaction and time
to market.
Interoperable SRX3000 line IOC
and processing cards
• SRX1400 is a derivative of the SRX3000 line,
making device configuration, policy, NPC, SPC
and IOCs interoperable and interchangeable.
• Technical hardware and software knowledge,
in addition to spares, can be leveraged easily
across the organization.
Simplified logistics and spares, reduced operations
and maintenance costs, and improved network
availability.
I/O flexibility, density, integration,
and scale
• SRX1400 has the I/O flexibility and density,
consolidated services, and performance at scale
to satisfy multiple requirements and use cases.
• Individual security services are top rated by
industry analyst organizations.
• Multiple services are tightly integrated under
a common security policy and management
system.
One appliance satisfies a wide variety of use
cases.
• Radically simplifies and reduces total cost
of ownership of large scale deployments,
particularly Long Term Evolution (LTE).
Feature
Description
Benefit
Investment protection
• SRX1400 is chassis-based and designed to be
compatible with next-generation silicon from
Juniper Networks.
• Additional services can be delivered through the
Junos OS release train.
• AppSecure plus related upcoming features can
significantly enhance data center/server farm
protection use case scenarios.
• SRX1400 design includes expansion slot.
• SRX3000 line NPC and SPC can interoperate in
SRX1400 IOCs are interchangeable.
Juniper’s strategy and product roadmap is
designed to protect customer investment into
the future.
NP-IOC
Combined card supports both network processing
and input/output capabilities with sub-10 µs
latency. Like the other cards, this one supports
in-service software upgrades; in addition, it also
supports in-service hardware upgrades. It is fully
backward compatible with the current SRX1400
chassis and cards.
Meets business requirements by expanding the
gateway’s performance and serving latency
sensitive applications such as high-speed financial
trading
AutoVPN
One time hub configuration for site-to-site VPN for
all spokes, even newly added ones. Configuration
options include: routing, interfaces, IKE, and IPsec.
Enables IT administrative time and cost savings
with easy, no-touch deployment for IPsec VPN
networks.
AppSecure
Juniper Networks AppSecure is a suite of next-generation firewall capabilities that utilize advanced application identification and
classification to deliver greater visibility, enforcement, control and protection over the network.
Feature
Description
Benefit
AppTrack
Detailed analysis on application volume/usage
throughout the network based on bytes, packets
and sessions.
Provides the ability to track application usage
to help identify high-risk applications and
analyze traffic patterns for improved network
management and control.
AppFirewall
Fine grained application control policies to allow
or deny traffic based on dynamic application
name or group names.
Enhances security policy creation and
enforcement based on applications and user
roles rather than traditional port and protocol
analysis.
AppQoS
Set prioritization of traffic based on application
information and contexts.
Provides the ability to prioritize traffic as well as
limit and shape bandwidth based on application
information and contexts for improved
application and overall network performance.
Application signatures
Open signature library for identifying applications
and nested applications.
Applications are accurately identified and the
resulting information can be used for visibility,
enforcement, control and protection.
SSL Proxy (forward and reverse)
Performs SSL encryption and decryption between
the client and the server
Combined with application identification,
provides visibility and protection against threats
embedded in SSL encrypted traffic.
User identity-based access control
enforcement
Secure access to data center resources via tight
integration of standards-based access control
capabilities of Junos Pulse Access Control Service
and the SRX3000 line.
Enables agent-based and agentless identity
security services for enterprise data centers by
integrating the SRX3000 line with the standards-based access control capabilities of Junos Pulse
Access Control Service. This integration enables
administrative flexibility to manage a variety
of user access, including corporate, guest, and
mobile.
IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
Feature
Description
Benefit
Stateful signature inspection
Signatures are applied only to relevant portions of
the network traffic determined by the appropriate
protocol context.
Minimize false positives and offer flexible
signature development.
Protocol decodes
Enables most accurate detection and helps
reduce false positives.
Accuracy of signatures is improved through
precise contexts of protocols.
Signatures
There are more than 8,500 signatures for
identifying anomalies, attacks, spyware, and
applications.
Attacks are accurately identified and attempts to
exploit a known vulnerability are detected.
Traffic normalization
Reassembly, normalization, and protocol
decoding are provided.
Overcome attempts to bypass other IPS
detections by using obfuscation methods.
Zero-day protection
Protocol anomaly detection and same-day
coverage for newly found vulnerabilities are
provided.
Your network is already protected against any
new exploits.
Recommended policy
Group of attack signatures are identified by
Juniper Networks Security Team as critical for the
typical enterprise to protect against.
Installation and maintenance are simplified while
ensuring the highest network security.
Active/active traffic monitoring
IPS monitoring on active/active SRX3000 line
chassis clusters.
Support for active/active IPS monitoring including
advanced features such as in-service software
upgrade.
Packet capture
IPS policy supports packet capture logging
per rule.
Conduct further analysis of surrounding traffic
and determine further steps to protect target.
Traffic Inspection Methods
The SRX Series supports various detection methods to accurately identify the application and traffic flow through the network.
Feature
Description
Benefit
Application identification
Identifies applications and tunneled applications
independent of protocol and port numbers.
Granular control over application traffic through
smart firewall policies.
Protocol anomaly detection
Protocol usage against published RFCs is verified
to detect any violations or abuse.
Proactively protect network from undiscovered
vulnerabilities.
Traffic anomaly detection
Heuristic rules detect unexpected traffic patterns
that may suggest reconnaissance or attacks.
Proactively prevent reconnaissance activities or
block DDoS attacks.
IP spoofing detection
Validate IP addresses by checking allowed
addresses inside and outside the network.
Permit only authentic traffic while blocking
disguised sources.
DoS detection
Protection against SYN flood, IP, ICMP, and
application attacks.
Protect your key network assets from being
overwhelmed by denial of service attacks.
SRX1400 Specifications
Figure: SRX1400 shown with XGE base system, optional IOC and optional redundant power supply.
Network Interfaces
• 1GbE ports:
-- Built-in: 9 or 12
-- IOC: 16
• 10GbE ports:
-- Built-in: 0 or 3
-- IOC: 2
• Chassis HA control ports: 2 shared 1GbE
• Expansion slot: 1 single-wide SRX3000 IOC
• Power supply: AC or DC, one supplied, one optional redundant, hot-swappable
System Performance (maximum)
• Junos OS version tested: Junos OS 12.1X46
• Firewall performance (max): 10 Gbps
• Firewall performance (IMIX): 5 Gbps
• Firewall packets per second (64 bytes): 1.5 Mpps
• Maximum AES256+SHA-1 VPN performance: 4 Gbps
• Maximum 3DES+SHA-1 VPN performance: 4 Gbps
• Maximum IPS performance: 3 Gbps
• Maximum AppFW performance: 6.5 Gbps
• Maximum AppTrack performance: 6 Gbps
• Maximum concurrent sessions: 1.5 Million
• New sessions/second (sustained, tcp, 3way): 70,000
• Maximum security policies: 40,000
• Antivirus (Sophos AV) throughput: 1,290 Mbps
• Enhanced Web filter throughput: 4 Gbps
Dimensions (W x H x D) and Power:
• 17.5 x 5.25 x 13.8 in (44.5 x 13.3 x 35.05 cm)
• Rack mount: 3 RU
• Maximum power draw: 485 W (AC/DC power)
Weight:
• Base chassis: 29.3 lb (13.3 kg)
• Fully configured chassis: 42.5 lb (19.3 kg)
Source Power:
• Provisioning requirements:
• 100 to 127 VAC, 60 Hz, 13.0 A
• 200 to 240 VAC, 50 Hz, 2.5 A
Thermal:
• Thermal load: 1654 BTU/hr AC or DC power
Environmental Ranges:
• Non-operating storage temperature: -40° to 158° F (-40° to 70° C)
• Altitude: 10,000 ft (3,048 m)
• Operating temperature (long term): 41° to 104° F (5° to 40° C)
• Operating temperature (short term6): 23° to 131° F (-5° to 55° C)
• Humidity (long term): 5% to 85% noncondensing
• Humidity (short term2): 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air
Registration, Compliance, Certification
• SRX Series production employs a TL-9000 registered quality management system.
• 3GPP TS 20.0603 R6: version 6.21.0
R7: version 7.3.0
R8: version 8.3.0
• Safety certifications: Yes
• Electromagnetic Compatibility (EMC) certifications: Yes
• Designed for NEBS Level 3: Yes
• NIST FIPS-140-2 Level 2: Yes (with Junos 10.4R4)
• ISO Common Criteria NDPP+TFFW EP: Yes (with Junos OS 12.1x44)
• ICSA Network Firewall: Yes
• IPsec: Yes
• USGv6: Yes (with Junos OS 11.4R1
Consolidated Security Services
The SRX1400 consolidates multiple security services and networking functions into one physical appliance by tightly integrating the configuration, security policy, and device management of these services within Junos OS. All services are included in the Junos OS image, and all services are available when the OS is running. This means that no additional software components need to be installed, activated, or configured when more services are needed, thereby, greatly simplifying system administration and reducing costs. Services can be used (or not) depending on the rules in the security policy. Services available on the SRX1400 include:
• Stateful firewall
• Stateless firewall filter
• IPsec VPN
• Intrusion prevention system (IPS)
• Network address translation (NAT)
• User authentication and access control
• Virtualization
• Dynamic Routing
• IPv6
• Public key infrastructure (PKI) support
• Layer 2 (transparent) mode
• Layer 3 (route and/or NAT) mode
• IP address assignment
• Traffic management QoS
• HA
• Application Security
• Management
• Logging/monitoring
• Administration
• Stateful inspection of IPv4, IPv6, General Packet Radio Service tunneling protocol (GTP), and applications at layers 4-7
• SSL decryption
• IP and GTP IPS
• Denial of service/distributed denial of service (DoS/DDoS) protection, including protection from attacks on business and application logic
• Multiple (virtual) routing instances
• AppSecure (AppFW, AppTrack, AppQoS, and IPS)
• LSYS
• In-Service Software Upgrade (ISSU)4, In-Service Hardware Upgrade (ISHU)
• Streams Control Transmission Protocol (SCTP)
• Application-level gateways (ALGs)
2 Short term is not greater than 96 consecutive hours, and not greater than 15 days in one year
3 Exceptions:
- Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages
- Section 7.5B Mobile Station (MS) information change messages
- Section 7.3.12 Initiate secondary PDP context from gateway GSN (GGSN)
4 Please check the technical publication documents and release notes for the list of compatible features for ISSU.
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.
Ordering Information
Model Number
Description
SRX3000 Line Processing Cards Interoperable With SRX1400
SRX3K-SPC-1-10-40
SPC for SRX1400 and SRX3000 line, single
processor, 1 GHz processor, 4 GB memory/
CPU
SRX1K3K-NP-2XGESFPP
Network Processing and I/O Card for
SRX1400 and SRX3000 line
SRX3K-NPC
NPC for SRX1400 and SRX3000 line
Base System
SRX1400BASE-GE-AC
SRX1400 chassis, fan, Routing Engine,
GbE-System I/O card, AC power supply,
C13 power cord (no SPC, no NPC, no NSPC,
no IOC)
SRX1400BASE-XGE-AC
SRX1400 chassis, fan, Routing Engine,
10GbE-System I/O card, AC power supply,
C13 power cord (no SPC, no NPC, no NSPC,
no IOC)
SRX1400BASE-GE-DC
SRX1400 chassis, backplane, PSU,
GE-SYSIO (no NPC/SPC)
SRX1400BASE-XGE-DC
SRX1400 chassis, fan, Routing Engine,
10GbE-System I/O card, AC power supply,
C13 power cord (no SPC, no NPC, no NSPC,
no IOC)
Tray for SRX3000 Line Processing Cards
SRX1K3K-2CFM-TRAY
Double wide tray holder for two single wide
SRX3000 line modules
I/O Cards (IOCs)
SRX1K3K-NP-2XGESFPP
SRX1400 and SRX3000 line Network
Processing and I/O Card
SRX3K-16GE-SFP
16 x 1GbE SFP I/O card for SRX1400 and
SRX3000 line
SRX3K-16GE-TX
16 x 10/100/1000 copper I/O card for
SRX1400 and SRX3000 line
SRX3K-2XGE-XFP
2 x 10GbE XFP I/O card for SRX1400 and
SRX3000 line
1GbE Transceivers and Optic Modules
SRX-SFP-1GE-LH
SFP 1000BASE-LH gigabit Ethernet optic
module
SRX-SFP-1GE-LX
SFP 1000BASE-LX gigabit Ethernet optic
module
SRX-SFP-1GE-SX
SFP 1000BASE-SX gigabit Ethernet optic
module
SRX-SFP-1GE-T
SFP 1000BASE-T gigabit Ethernet module
(uses Cat 5 cable)
Network and Services Processing Cards5
SRX1K-NPCSPC-1-10-40
Network and Services Processing Card
(NSPC) for SRX1400, single processor,
1 GHz, 4 GB memory/CPU
5 Processing card(s) must be installed in the SRX1400 in order for proper operation. If
the SRX1400 NSPC is not installed, then separate SRX3000 line NPC and SPC cards
mounted on a double-wide tray must be installed in order for the SRX1400 system to
function properly.
Field Replaceable Units (FRU)
SRX1400-CHAS
SRX1400 chassis (includes back plane)
SRX1400-FAN
SRX1400 fan tray
SRX1400-FAN-BLANK
SRX1400 fan tray cover/door
SRX1400-FLTR
SRX1400 replacement fan filter
SRX1K-PWR-AC
AC power supply for SRX1400
SRX1K-PWR-DC
DC power supply for SRX1400
SRX1K-PWR-BLANK
Blank power supply cover for SRX1400
SRX1K-RE-12-10
Routing Engine with 1200 MHz processor
and 1 GB memory for SRX1400 (included in
base system)
SRX1K-SYSIO-GE
GE System I/O card with 6 x 10/100/1000
copper and 6 x GbE SFP for SRX1400
(included in GE base system)
SRX1K-SYSIO-XGE
XGE System I/O card with 3 x 10GbE SFP+,
6x10/100/1000 copper and 3xGE SFP for
SRX1400 (included in XGE base system)
10GbE Transceivers and Optic Modules
SFP+ Transceivers (for XGE Base System)
SRX-SFP-10GE-DAC-1M
SFP+ 10GbE direct attach copper (twinax
copper cable) 1 m
SRX-SFP-10GE-DAC-3M
SFP+ 10GbE direct attach copper (twinax
copper cable) 3 m
SRX-SFP-10GE-ER
SFP+ 10GbE ER optics, 1550 nm for 40 km
transmission
SRX-SFP-10GE-LR
SFP+ 10GbE LR optics, 1310 nm for 10 km
transmission
SRX-SFP-10GE-LRM
SFP+ 10GbE LRM optics, 1310 nm for 220 m
transmission
SRX-SFP-10GE-SR
SFP+ 10GbE SR optics, 850 nm for up to
300 m transmission
XFP Transceivers for 10GbE IOC
SRX-XFP-10GE-ER
10GbE 40 km single mode pluggable
interface
SRX-XFP-10GE-LR
10GbE XFP pluggable transceiver; single
mode 1310 nm 10 km reach
SRX-XFP-10GE-SR
10GbE short reach multimode pluggable
interface
C13 Straight Power Cables6
CBL-JX-PWR-UK
Power cord, AC, Great Britain and Ireland,
C19 at 70-80 mm, 13 A/250 V, 2.5 m
CBL-JX-PWR-US
Power cord, AC, Japan/US, NEMA 5-15 to
C19 at 70-80 mm, 15 A/125 V, 2.5 m
CBL-JX-PWR-AU
Power cord, AC, Australia/New Zealand,
C19 at 70-80 mm, 15 A/250 V, 2.5 m
CBL-JX-PWR-CH
Power cord, AC, China, C19, 16 A/250 V,
2.5 m
CBL-JX-PWR-EU
Power cord, AC, Continental Europe, C19,
16 A/250 V, 2.5 m
CBL-JX-PWR-IT
Power cord, AC, Italy, C19 at 70-80 mm,
16 A/250 V, 2.5 m
CBL-JX-PWR-JP
Power cord, AC, Japan, NEMA 6-20 to C19,
16 A/250 V, 2.5 m
6 AC power cord for appropriate region is included in base system.
UTM Subscription
SRX1400-CS-BUN-1
One year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX1400
SRX1400-CS-BUN-3
Three year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX1400
SRX1400-CS-BUN-5
Five year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX1400
SRX1400-S-AS-1
One year subscription for Juniper-Sophos
Anti-spam service on SRX1400
SRX1400-S-AS-3
Three year subscription for Juniper-Sophos
Anti-spam service on SRX1400
SRX1400-S-AS-5
Five year subscription for Juniper-Sophos
Anti-spam service on SRX1400
SRX1400-S-AV-1
One year subscription for Juniper-Sophos
AV service on SRX1400
SRX1400-S-AV-3
Three year subscription for Juniper-Sophos
AV service on SRX1400
SRX1400-S-AV-5
Five year subscription for Juniper-Sophos
AV service on SRX1400
SRX1400-W-EWF-1
One year subscription for Juniper-Websense
Enhanced Web Filtering service on SRX1
SRX1400-W-EWF-3
Three year subscription for Juniper-Websense
Enhanced Web Filtering service on SRX1400
SRX1400-W-EWF-5
Five year subscription for Juniper-Websense
Enhanced Web Filtering service on
SRX1400
AppSecure Subscription
SRX1400-APPSEC-A-1
One year subscription for Application
Security and IPS updates for SRX1400
SRX1400-APPSEC-A-3
Three year subscription for Application
Security and IPS updates for SRX1400
SRX1400-APPSECA-1-R
One year subscription renewal for
Application Security and IPS updates for
SRX1400
SRX1400-APPSEC-A3-R
Three year subscription renewal for
Application Security and IPS updates for
SRX1400
IDP Subscription
SRX1400-IDP
One year IDP signature subscription for SRX
1400
SRX1400-IDP-3
Three year IDP signature subscription for
SRX 1400
SRX1400-IDP-5
Five year IDP signature subscription for
SRX 1400
About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or +1.408.745.2000
Fax: +1.408.745.2100
APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701
www.juniper.net
Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos
and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their
respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000336-012-EN Oct 2015
Data Sheet
SRX1500 Services Gateway
Next-Generation Firewall for the Distributed Enterprise
Product Overview
The SRX1500 Services Gateway is a next-generation firewall and security services gateway offering outstanding protection, performance, scalability, availability, and security service integration. Designed for port density, a high-performance security services architecture, and seamless integration of networking and security in a single platform, the SRX1500 is best suited for client protection in enterprise campus, regional headquarters or cloud-based security solutions with a focus on application visibility and control, intrusion prevention, and advanced threat protection. The SRX1500 is powered by Junos OS, the industry-leading operating system that keeps the world’s largest and most mission-critical enterprise networks secure.
Product Description
The Juniper Networks® SRX1500 Services Gateway is a high-performance next-generation firewall and security services gateway that protects mission-critical enterprise campuses, regional headquarters, and data center networks. The SRX1500 is the only product in its class that not only provides best-in-class security and threat mitigation capabilities, but also integrates carrier-class routing and feature-rich switching in a single platform.
The SRX1500 delivers a next-generation security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services in an enterprise campus, connecting to the cloud, complying with industry standards, or achieving operational efficiency, the SRX1500 helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. The SRX1500 protects key corporate assets as a next-generation firewall, acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience.
A combination of new hardware and software architectures on the SRX1500 add significant performance improvements to a small 1 U form factor. The key to the SRX1500 hardware is the security flow accelerator, a programmable high-speed Layer 4 firewall chip, and a powerful x86-based security compute engine for advanced security services like application visibility, intrusion prevention, and threat mitigation capabilities. The SRX1500 software architecture leverages these programmable hardware components and virtualization to deliver high-speed firewall performance, application visibility, and intrusion prevention while lowering total cost of ownership (TCO).
The SRX1500 is purpose-built to protect 10GbE network environments, consolidating multiple security services and networking functions in a highly available appliance. It supports up to 9 Gbps of firewall performance, 3 Gbps of intrusion prevention, and 4 Gbps of IPsec VPN in enterprise campus, regional headquarters, and data center deployments.
SRX1500 Highlights
The SRX1500 Services Gateway delivers a full complement of next-generation firewall
capabilities that use advanced application identification and classification to enable
greater visibility, enforcement, control, and protection over the network. It provides detailed
analysis on application volume and usage, fine-grained application control policies to allow
or deny traffic based on dynamic application name or group names, and prioritization of
traffic based on application information and contexts.
The SRX1500 recognizes more than 3,500 applications and nested applications in plaintext or SSL encrypted transactions. The SRX1500 also integrates with Microsoft Active
Directory and combines user information with application data to provide network-wide
application and user visibility and control.
For the perimeter, the SRX1500 Services Gateway offers a comprehensive suite of application security services, threat defenses, and intelligence services to protect networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks Spotlight Secure offers adaptive threat protection against command and control (C&C)-related botnets and policy enforcement based on GeoIP. Integrating the Juniper Networks Sky Advanced Threat Protection solution, the SRX1500 detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.
The SRX1500 enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.
The SRX1500 Services Gateway runs Juniper Networks Junos® operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks around the world. The rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.
Features and Benefits
Business Requirement
Feature/Solution
SRX1500 Advantages
High performance
Up to 9 Gbps of firewall
performance
• Best suited for enterprise campus and data center edge deployments
• Addresses future needs for scale and feature capacity
High quality end-user
experience
Application visibility and
control
• Detects 3,500+ Layer 3-7 applications, including Web 2.0
• Controls and prioritizes traffic based on application and user role
• Inspects and detects applications inside the SSL encrypted traffic
Threat protection
Intrusion prevention system
(IPS), antivirus, anti-spam,
Spotlight Secure, Sky
Advanced Threat Prevention
• Provides real-time updates to IPS signatures and protects against exploits
• Implements industry-leading antivirus and URL filtering
• Delivers open threat intelligence platform that integrates with third-party feeds
• Protects against zero-day attacks
Professional-grade
networking services
Routing, switching, and secure
wire
• Supports carrier-class advanced routing, quality of service (QoS), and services
• Offers flexible deployment modes (L1/L2/L3)
Highly secure
IPsec VPN, secure boot
• Provides high-performance IPsec VPN with dedicated crypto engine
• Simplifies large VPN deployments with auto VPN and group VPN
• Verifies binaries that execute on the hardware with secure boot
High reliability
Chassis cluster,
redundant power supply
• Provides stateful configuration and session synchronization
• Supports active/active and active/backup deployment scenarios
• Offers highly available hardware with dual PSU, dual boot storage
Easy to manage and scale
On-box GUI, Security Director
• Enables centralized management for auto provisioning, firewall policy
management, Network Address Translation (NAT), and IPsec VPN
deployments
• Includes simple easy-to-use on-box GUI for local management
Lower TCO
Junos OS
• Integrates routing, switching, and security in a single device
• Reduces OpEx with Junos OS automation capabilities
Figure: SRX1500
SRX1500 Services Gateway Specifications
Software Specifications
Firewall Services
• Stateful and stateless firewall
• Zone-based firewall
• Screens and distributed denial of service (DDoS) protection
• Protection from protocol and traffic anomalies
• Unified Access Control (UAC)
Network Address Translation (NAT)
• Source NAT with Port Address Translation (PAT)
• Bidirectional 1:1 static NAT
• Destination NAT with PAT
• Persistent NAT
• IPv6 address translation
VPN Features
• Tunnels: Generic routing encapsulation (GRE), IP-IP, IPsec
• Site-site IPsec VPN, auto VPN, group VPN
• IPsec crypto algorithms: Data Encryption Standard (DES), triple DES (3DES), Advanced Encryption Standard (AES256)
• IPsec authentication algorithms: MD5, SHA-1, SHA-128, SHA-256
• Pre-shared key and public key infrastructure (PKI) (X.509)
• Perfect forward secrecy, anti-replay
• IPv4 and IPv6 IPsec VPN
• Multi-proxy ID for site-site VPN
• Internet Key Exchange (IKEv1, IKEv2), NAT-T
• Virtual router and quality-of-service (QoS) aware
• Standard-based dead peer detection (DPD) support
High Availability Features
• Virtual Router Redundancy Protocol (VRRP)
• Stateful high availability
-- Dual box clustering
-- Active/passive
-- Active/active
-- Configuration synchronization
-- Firewall session synchronization
-- Device/link detection
• IP monitoring with route and interface failover
Application Security Services
• Application visibility and control
• Application-based firewall
• Application QoS
• User-based firewall
• Intrusion prevention
• Antivirus
• Antispam
• Category/reputation-based URL filtering
• SSL inspection
Threat Defense and Intelligence Services
• Spotlight Secure threat intelligence
• Protection from botnets (command and control)
• Adaptive enforcement based on GeoIP
• Sky Advanced Threat Prevention to detect and block zero-day attacks
Routing Protocols
• IPv4, IPv6
• Static routes
• RIP v1/v2
• OSPF/OSPF v3
• BGP with Route Reflector
• IS-IS
• Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); Reverse Path Forwarding (RPF)
• Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
• Virtual routers
• Policy-based routing, source-based routing
• Equal-cost multipath (ECMP)
QoS Features
• Support for 802.1p, DiffServ code point (DSCP), EXP
• Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
• Marking, policing, and shaping
• Classification and scheduling
• Weighted random early detection (WRED)
• Guaranteed and maximum bandwidth
• Ingress traffic policing
• Virtual channels
Network Services
• Dynamic Host Configuration Protocol (DHCP) client/server/relay
• Domain Name System (DNS) proxy, dynamic DNS (DDNS)
• Juniper real-time performance monitoring (RPM) and IP monitoring
• Juniper flow monitoring (J-Flow)
Advanced Routing Services
• MPLS (RSVP, LDP)
• Circuit cross-connect (CCC), translational cross-connect (TCC)
• L2/L2 MPLS VPN, pseudowires
• Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
• MPLS traffic engineering and MPLS fast reroute
Management, Automation, Logging, and Reporting
• SSH, Telnet, SNMP
• Smart image download
• Juniper CLI and Web UI
• Juniper Networks Junos Space and Security Director
• Python
• Junos OS event, commit and OP scripts
• Application and bandwidth usage reporting
• Auto installation
• Debug and troubleshooting tools
Hardware Specifications
Specification
SRX1500
Connectivity
Total onboard ports
16x1GbE and 4x10GbE
Onboard RJ-45 ports
12x1GbE
Onboard small form-factor pluggable (SFP) transceiver ports
4x1GbE
Onboard SFP+ ports
4x10GbE
Out-of-Band (OOB) management ports
1x1GbE
Dedicated high availability (HA) ports
1x1GbE (SFP)
PIM slots
2
Console (RJ-45 + miniUSB)
1
USB 2.0 ports (type A)
1
Memory and Storage
System memory (RAM)
16 GB
Primary boot storage (mSATA)
16 GB
Secondary storage (SSD)
120 GB
Dimensions and Power
Form factor | 1U
Size (WxHxD) | 17.5 x 18.2 x 1.75 in (44.45 x 46.22 x 4.44 cm)
Weight (device and PSU) | 16.1 lb (7.30 kg)
Redundant PSU | 1+1
Power supply | AC/DC (external)
Average power consumption | 150 W
Average heat dissipation | 614 BTU / hour
Maximum current consumption | 8A (for AC PSU); 20A (for DC PSU)
Maximum inrush current | 50A by 1 AC cycle
Acoustic noise level | 66.5dBA
Airflow/cooling | Front to back
Operating temperature | 32° to 104° F (0° to 40° C)
Nonoperating temperature | 4° to 158° F (-20° to 70° C)
Operating humidity | 10% to 90% noncondensing
Nonoperating humidity | 5% to 95% noncondensing
Meantime between failures (MTBF) | 9.78 years (85,787 hours)
FCC classification | Class A
RoHS compliance | RoHS 2
Performance and Scale
Parameter | SRX1500
Routing/firewall (64 B packet size) Mpps [1] | 1.7
Routing/firewall (IMIX packet size) Gbps [1] | 5
Routing/firewall (1,518 B packet size) Gbps [1] | 9
IPsec VPN (IMIX packet size) Gbps [1] | 1.3
IPsec VPN (1,400 B packet size) Gbps [1] | 4
Application visibility and control in Gbps [2] | 5
Recommended IPS in Gbps [2] | 3
Next-generation firewall in Gbps [2] | 1.5
Route table size (RIB/FIB) (IPv4 or IPv6) | 2 million / 1 million
Maximum concurrent sessions (IPv4 or IPv6) | 2,000,000
Maximum security policies | 16,000
Connections per second | 50,000
NAT rules | 8,000
Media access control (MAC) table size | 64,000
IPsec VPN tunnels | 2,000
GRE tunnels | 2,000
Maximum security zones | 512
Maximum virtual router | 512
Maximum VLANs | 3,900
AppID sessions | 512,000
IPS sessions | 512,000
URL filtering sessions | 512,000
[1] Throughput numbers based on UDP packets and RFC2544 test methodology
[2] Throughput numbers based on HTTP traffic with 44 KB transaction size
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.
Ordering Information
To order Juniper Networks SRX Series Services Gateways, and for software licensing information, please visit the How to Buy page or refer to the SRX Series Ordering Guide.
About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or +1.408.745.2000
Fax: +1.408.745.2100
APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701
www.juniper.net
Copyright 2016 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos
and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their
respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000551-003-EN Apr 2016
Data Sheet
SRX3400 and SRX3600 Services Gateways
Product Overview
SRX Series Services Gateways are next-generation security platforms based on a revolutionary architecture offering outstanding protection, performance, scalability, availability, and security service integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series exceeds the security requirements of data center consolidation and services aggregation. The SRX Series is powered by Junos OS, the same industry-leading operating system platform that keeps the world’s largest networks available, manageable, and secure for the data center.
Product Description
Juniper Networks® SRX3400 Services Gateway and SRX3600 Services Gateway are next-generation security platforms that deliver outstanding protection, market-leading performance, scalability and service integration in a mid-sized form factor. These devices are ideally suited for medium to large enterprise, public sector and service provider networks, including:
• Enterprise server farms/data centers
• Mobile operator environments
• Aggregation of departmental or segmented security solutions
• Cloud and hosting provider data centers
• Managed services deployments
In terms of security, these platforms feature next-generation firewall services such as application security, Unified Threat Management (UTM) and Intrusion Prevention System (IPS). Integrated threat intelligence via Spotlight Secure offers adaptive threat protection against command and control (C&C) related botnets, and policy enforcement based on GeoIP and attacker fingerprinting technology (the latter for Web application protection)—all of which are based on Juniper provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats.
Based on an innovative mid-plane design and Juniper’s dynamic services architecture, the SRX3000 line resets the bar in price/performance for enterprise and service provider environments. Each services gateway can support near linear scalability with each additional Services Processing Card (SPC), enabling the SRX3600 to support up to 55 Gbps of firewall throughput. The SPCs are designed to support a wide range of services enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services in operation—maximizing hardware utilization.
Market leading flexibility and price/performance of the SRX3000 line comes from the modular architecture. Based on Juniper’s dynamic services architecture, the gateway can be equipped with a flexible number of I/O cards (IOCs), network processing cards (NPCs) and service processing cards (SPCs)—allowing the system to be configured to support the ideal balance of performance and port density enabling each deployment of the Juniper Networks SRX Series Services Gateways to be tailored to specific network requirements. With this flexibility, the SRX3600 can be configured to support more than 100 Gbps interfaces with choices of Gigabit Ethernet or 10-Gigabit Ethernet ports; firewall performance up to 55 Gbps; and services processing to match specific business needs.
The switch fabric employed in the SRX3000 line enables the scalability of SPCs, NPCs, and IOCs. Supporting up to 320 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility facilitates future expansion and growth of the network infrastructure, providing unrivaled investment protection.
The flexibility of the SRX3000 line extends beyond the innovation and proven benefit of the dynamic services architecture. Enabling the installation of SPCs on both the front and the back of the SRX3000 line, the mid-plane design delivers market-leading flexibility and scalability. By doubling the number of SPCs supported in half the rack space needed, the SRX3000 line offers not only underlying architectural innovation but also an innovative physical design.
The tight service integration on SRX Series Services Gateways is enabled by Juniper Networks Junos® operating system. By combining the routing heritage of Junos OS and the security heritage of ScreenOS®, the SRX Series Services Gateways are equipped with a robust list of features that include firewall, intrusion prevention system (IPS), VPN (IPsec), denial of service (DoS), application security, Network Address Translation (NAT), unified threat management (UTM), and quality of service (QoS). In addition, incorporating multiple networking and security services under a single OS greatly optimizes the flow of traffic through the platform. With Junos OS, the SRX Series enjoys the benefit of a single source OS and one architecture that is also available across Juniper’s carrier-class routers and switches.
SRX3600
The SRX3600 Services Gateway is a market-leading security solution supporting up to 55 Gbps firewall, 15 Gbps firewall and IPS, or 15 Gbps of IPsec VPN along with up to 270,000 new connections per second. Equipped with the full range of security services, the SRX3600 is ideally suited for securing medium to large enterprise data centers, hosted or co-located data centers, or securing next-generation enterprise services/applications. It can also be deployed to secure cloud provider infrastructures where multi-tenancy is a requirement or to secure mobile operator environments. The scalability and flexibility of the services gateway makes it ideal for consolidating legacy security appliances in densely populated data centers, and the service density makes it ideal for cloud or mobile providers.
SRX3400
The SRX3400 Services Gateway uses the same SPCs, IOCs and NPCs as the SRX3600 and can support up to 30 Gbps firewall, 8 Gbps firewall and IPS, or 8 Gbps of IPsec VPN, along with up to 150,000 new connections per second. The SRX3400 is ideally suited for securing and segmenting enterprise data centers/network infrastructure as well as aggregation of various security solutions. The capability to support unique security policies per zones and its ability to scale with the growth of the network makes the SRX3400 an ideal deployment for small to midsized server farms, hosting sites, or mobile operators.
SRX3000 Line Service Processing Cards*
As the “brains” behind the SRX3000 line, SPCs are designed to process all available services on the platform. By eliminating the need for dedicated hardware for specific services or capabilities, there are no instances in which any piece of hardware is taxed to the limit while other hardware sits idle. SPCs are designed to be pooled together, allowing the SRX3000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The same SPCs are supported on both the SRX3600 and SRX3400. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
SRX3000 Line I/O Cards*
In addition to supporting an ideal mix of built-in copper, small form-factor pluggable transceiver (SFP) and high availability (HA) ports, the SRX3000 line allows the greatest I/O port density of any comparable offering in the same class. Each services gateway in the SRX3000 line can be equipped with one or several IOCs, each supporting either 16-gigabit interfaces (16 x 1 copper or fiber Gigabit Ethernet), or 20-gigabit interfaces (2 x 10 Gigabit XFP Ethernet). With the flexibility to provide multiple IOCs, the SRX3000 line can be equipped to support an ideal balance between interfaces and processing capabilities. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
SRX3000 Line Network Processing Cards*
To ensure maximum processing performance and flexibility, the SRX3000 line utilizes NPCs to distribute inbound and outbound traffic to the appropriate SPCs and IOCs, apply QoS, and enforce DoS/distributed denial of service (DDoS) protections. The SRX3600 can be configured to support one to three NPCs, while the SRX3400 can be configured to support one or two NPCs. Providing additional NPCs to the SRX3000 line allows organizations to tailor the solution to fit their specific performance requirements. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
In addition, the SRX3000 line also has a new combination NPC/IOC card, NP-IOC. This card expands the gateway’s capacity by serving the two functions, network processing and input/output, with just one card in one slot. Like the other cards, this one supports in-service software upgrades; in addition, it supports in-service hardware upgrades. It is fully backward compatible with the current SRX3000 chassis and cards.
*The Juniper Networks SRX3000 line utilizes the same market leading, high-performance dynamic architecture as the SRX5000 line, but in a mid-plane form factor. The SRX3000 line SPCs, IOCs, and NPCs are based on a common form-factor module (CFM) design and are not compatible with the SRX5000 line. Likewise, all SRX5000 line modules are not compatible with the SRX3000 line.
Features and Benefits
Networking and Security
The SRX3000 line has been designed from the ground up to offer robust networking and security services.
Features
Feature Description
Benefits
Purpose-built platform
Built from the ground up on dedicated hardware—
designed for networking and security services.
Delivers unrivaled performance and flexibility to
protect high-speed network environments.
Scalable performance
Offers scalable processing based on the Dynamic
Services Architecture.
Provides a simple and cost-effective solution to
leverage new services with appropriate processing.
System and network resiliency
Provides carrier-class hardware design and
proven OS.
Offers reliability needed for any critical high-speed network deployments. Utilizes a unique
architectural design based on multiple processing
cores and a separation of the data and control
planes.
High availability (HA)
Active/passive and active/active HA configurations
using dedicated HA-control interfaces.
Achieve availability and resiliency necessary for
critical networks.
Interface flexibility
Offers flexible I/O options including on-board ports
and modular CFM I/O cards.
Offers flexible I/O configuration and independent
I/O scalability to meet the port density
requirements of multiple network environments.
Network segmentation
Provides security zones, VLANs, and virtual routers
that allow administrators to deploy security
policies to isolate guests and regional servers or
databases.
Features the capability to tailor unique security
and networking policies for various internal,
external, and DMZ subgroups.
Robust routing engine
Dedicated routing engine that provides physical
and logical separation to data and control planes.
Enables deployment of consolidated routing and
security devices, as well as ensuring the security
of routing infrastructure—all via a dedicated
management environment.
Threat intelligence
Integration with Spotlight Secure for application of
advanced threat detection technologies and feeds
for policy enforcement
Policy enforcement based on optimized and
up-to-date threat intelligence is automatically
syndicated across the firewall estate, enabling
higher security effectiveness and operational
efficiency.
Unified threat management
(UTM)
Strong UTM capabilities including IPS, antivirus,
antispam, Web and content filtering. Available
on-box with preinstalled, expanding, and adaptive
capabilities that are quickly activated for zero-day,
easy, and instant protection. Antivirus options are
available from Sophos and Kaspersky, Web filtering
from Websense, and antispam from Sophos.
Best-in-class UTM protection with strong,
high-performance content security leveraging
intelligence from multiple expert security
companies.
AppTrack
Detailed analysis on application volume/usage
throughout the network based on bytes, packets
and sessions.
Provides the ability to track application usage to
help identify high-risk applications and analyze
traffic patterns for improved network management
and control.
AppFirewall
Fine grained application control policies to allow or
deny traffic based on dynamic application name
or group names.
Enhances security policy creation and enforcement
based on applications and user roles rather than
traditional port and protocol analysis.
AppQoS
Leverage Juniper's rich QoS capabilities
Provides the ability to prioritize traffic as well as
limit and shape bandwidth based on application
information and contexts for improved application
and overall network performance.
Application signatures
Open signature library for identifying applications
and nested applications.
Applications are accurately identified and the
resulting information can be used for visibility,
enforcement, control and protection.
SSL Proxy (forward and reverse)
Performs SSL encryption and decryption between
the client and the server
Combined with application identification, provides
visibility and protection against threats embedded
in SSL encrypted traffic.
Intrusion Prevention System (IPS)
Detects known and unknown exploits and
anomalies in network traffic streams
Adds critical layer of protection beyond stateful
firewall, enabling detection of vulnerabilities in
network traffic and highly granular control over IPS
policy enforcement
Stateful GPRS and SCTP
inspection
Support for GPRS and SCTP firewall in mobile
operator networks.
Enables the SRX3000 line to provide stateful
firewall capabilities for protecting key GPRS nodes
within mobile operator networks.
Features
Feature Description
Benefits
User identity-based access
control enforcement
Secure access to data center resources via tight
integration of standards-based access control
capabilities of Juniper Pulse Access Control
Service and the SRX3000 line.
Enables agent-based and agentless identity
security services for enterprise data centers by
integrating the SRX3000 line with the standards-based access control capabilities of Juniper Pulse
Access Control Service. This integration enables
administrative flexibility to manage a variety
of user access, including corporate, guest, and
mobile.
NP-IOC
Like the other cards, this one supports in-service
software upgrades; in addition, it supports in-service hardware upgrades. It is fully backward
compatible with the current SRX3000 chassis and
cards.
Meets business requirements by expanding
gateway’s capacity and serving latency sensitive
applications such as high-speed financial trading
AutoVPN
One time hub configuration for site-to-site VPN for
all spokes, even newly added ones. Configuration
options include: routing, interfaces, IKE, and IPsec.
Enables IT administrative time and cost savings
with easy, no-touch deployment for IPsec VPN
networks.
IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
Features
Feature Description
Benefits
Stateful signature
inspection
Signatures are applied only to relevant portions of the
network traffic determined by the appropriate protocol
context.
Minimize false positives and offer flexible signature
development.
Protocol decodes
Enables most accurate detection and helps reduce
false positives.
Accuracy of signatures is improved through precise
contexts of protocols.
Signatures
There are more than 8,500 signatures for identifying
anomalies, attacks, spyware, and applications.
Attacks are accurately identified and attempts at
exploiting a known vulnerability are detected.
Traffic normalization
Reassembly, normalization, and protocol decoding are
provided.
Overcome attempts to bypass other IPS detections by
using obfuscation methods.
Zero-day protection
Protocol anomaly detection and same-day coverage for
newly found vulnerabilities are provided.
Your network is already protected against any new
exploits.
Recommended policy
Group of attack signatures are identified by Juniper
Networks Security Team as critical for the typical
enterprise to protect against.
Installation and maintenance are simplified while
ensuring the highest network security.
Active/active traffic
monitoring
IPS monitoring on active/active SRX3000 line chassis
clusters.
Support for active/active IPS monitoring including
advanced features such as in-service software upgrade.
Packet capture
IPS policy supports packet capture logging per rule.
Conduct further analysis of surrounding traffic and
determine further steps to protect target.
Additional UTM Capabilities
The UTM services offered on Juniper Networks SRX3000 include industry-leading antivirus, antispam, content filtering, and
additional content security services.
Features
Feature Description
Benefits
Antivirus
Antivirus includes reputation enhanced, cloud-based
antivirus capabilities that detect and block spyware,
adware, viruses, keyloggers, and other malware over
POP3, HTTP, SMTP, IMAP, and FTP protocols. This
service is provided in cooperation with Sophos Labs, a
dedicated security company.
Sophisticated protection from respected antivirus
experts against malware attacks that can lead to data
breaches and lost productivity.
Antispam
Multilayered spam protection, up-to-date phishing
URL detection, standards-based S/MIME, Open PGP
and TLS encryption, and MIME type and extension
blockers are provided in cooperation with Sophos Labs,
a dedicated security company.
Protection against advanced persistent threats
perpetrated through social networking attacks and the
latest phishing scams with sophisticated e-mail filtering
and content blockers.
Enhanced Web filtering
Enhanced Web filtering includes extensive category
granulation (95+ categories) and a real-time threat
score delivered with Websense, an expert Web security
provider.
Protection against lost productivity and the impact of
malicious URLs as well as helping to maintain network
bandwidth for business essential traffic.
Content filtering
Effective content filtering based on MIME type, file
extension, and protocol commands.
Protection against lost productivity and the impact of
extraneous or malicious content on the network to help
maintain bandwidth for business essential traffic.
Centralized Management
Juniper Networks Junos® Space Security Director delivers scalable and responsive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage all phases of the security policy lifecycle through a single Web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration.
Junos Space Security Director runs on the Junos Space Network Management Platform for highly extensible, network-wide management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.
SRX3400 Services Gateway
SRX3600 Services Gateway
Specifications
Specification | SRX3400 | SRX3600
Maximum Performance and Capacity [1]
Junos OS version tested | Junos OS 12.1X47 | Junos OS 12.1X47
Firewall performance (max) | 30 Gbps | 55 Gbps
Firewall performance (IMIX) | 10 Gbps | 20 Gbps
Maximum AES256+SHA-1 VPN performance | 8 Gbps | 15 Gbps
Maximum 3DES+SHA-1 VPN performance | 8 Gbps | 15 Gbps
Maximum IPS performance (NSS 4.2.1) | 8 Gbps | 15 Gbps
Maximum concurrent sessions | 2.25/3 million [2] | 2.25/6 million [2]
New sessions/second, (sustained, TCP, three-way) | 150,000 | 150,000/270,000 [2]
Maximum user supported | Unrestricted | Unrestricted
Latency | Sub-10 µs | Sub-10 µs
Network Connectivity
Fixed I/O | 8 10/100/1000 + 4 SFP | 8 10/100/1000 + 4 SFP
LAN interface options | 16 x 1 10/100/1000 copper; 16 x 1-Gigabit Ethernet SFP; 2 x 10-Gigabit Ethernet XFP | 16 x 1 10/100/1000 copper; 16 x 1-Gigabit Ethernet SFP; 2 x 10-Gigabit Ethernet XFP
Maximum available slots for IOCs | Four (front slots) | Six (front slots)
Processing Scalability
Maximum available slots for SPCs [3] | Up to four SPCs supported per chassis [4] (any slot) | Up to seven SPCs supported per chassis (any slot)
Maximum available slots for NPCs [3] | Up to two NPCs supported per chassis [4] (three rear slots) | Up to three NPCs supported per chassis (three rear-right slots)
[1] Performance, capacity, and features listed are based upon systems running Junos OS12.1.X44 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployment. For a complete list of supported Junos OS versions for the SRX Series Services Gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/).
[2] Additional Extreme License required for 3 million and 6 million sessions.
[3] Each SRX3000 line of Services Gateways employ multiple common form-factor module (CFM) expansion slots on the front and rear of the chassis to allow custom configurations of I/O and processing capacities based on customer requirements. SPCs and NPCs are supported on all available CFM slots. However, for proper system functionality and allowing for I/O expansion, the SRX3400 supports a maximum of up to four SPCs and two NPCs per chassis, and the SRX3600 supports a maximum of up to seven SPCs and three NPCs per chassis. Please refer to the respective hardware guides for more information on SPCs and NPCs as well as for guidelines on placements.
[4] Refer to user guide for guidelines when using DC power supplies.
Specification | SRX3400 | SRX3600
Firewall
Network attack detection | Yes | Yes
DoS and DDoS protection | Yes | Yes
TCP reassembly for fragmented packet protection | Yes | Yes
Brute-force attack mitigation | Yes | Yes
SYN cookie protection | Yes | Yes
Zone-based IP spoofing | Yes | Yes
Malformed packet protection | Yes | Yes
IPsec VPN
Site-to-site tunnels | 7,500 | 7,500
Tunnel interfaces | 7,500 | 7,500
DES (56-bit), 3DES (168-bit), and AES encryption | Yes | Yes
MD5 and SHA-1 authentication | Yes | Yes
Manual key, IKE, PKI (X.509) | Yes | Yes
Perfect forward secrecy (DH groups) | 1,2,6 | 1,2,6
Prevent replay attack | Yes | Yes
Remote access VPN | Yes | Yes
IPv4 and IPv6 VPN | Yes | Yes
Redundant VPN gateways | Yes | Yes
Intrusion Prevention System
Signatures based and customizable (via templates) | Yes | Yes
Active/active traffic monitoring | Yes | Yes
Stateful protocol signatures | Yes | Yes
Attack detection mechanisms | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification
Attack response mechanisms | Drop connection, close connection, session packet log, session summary, email, custom session | Drop connection, close connection, session packet log, session summary, email, custom session
Attack notification mechanisms | Structured system logging | Structured system logging
Worm protection | Yes | Yes
Simplified installation through recommended policies | Yes | Yes
Trojan protection | Yes | Yes
Spyware/adware/keylogger protection | Yes | Yes
Other malware protection | Yes | Yes
Application denial of service protection | Yes | Yes
Protection against attack proliferation from infected systems | Yes | Yes
Reconnaissance protection | Yes | Yes
Request and response-side attack protection | Yes | Yes
Compound attacks—combines stateful signatures and protocol anomalies | Yes | Yes
Create custom attack signatures | Yes | Yes
Access contexts for customization | 600+ | 600+
Attack editing (port range, other) | Yes | Yes
Stream signatures | Yes | Yes
Protocol thresholds | Yes | Yes
Stateful protocol signatures | Yes | Yes
Approximate number of attacks covered | 15,000+ | 15,000+
Detailed threat descriptions and remediation/patch info | Yes | Yes
Specification | SRX3400 | SRX3600
Create and enforce appropriate application-usage policies | Yes | Yes
Attacker and target audit trail and reporting | Yes | Yes
Frequency of updates | Daily and emergency | Daily and emergency
Unified Threat Management
Antivirus (Sophos AV) throughput | 2.5 Gbps | 4.5 Gbps
Enhanced Web filter throughput | 8 Gbps | 14 Gbps
GPRS Security
GPRS stateful firewall | Yes | Yes
Destination Network Address Translation
Destination NAT with PAT | Yes | Yes
Destination NAT within same subnet as ingress interface IP | Yes | Yes
Destination addresses and port numbers to one single address and a specific port number (M:1P) | Yes | Yes
Destination addresses to one single address (M:1) | Yes | Yes
Destination addresses to another range of addresses (M:M) | Yes | Yes
Source Network Address Translation
Static Source NAT – IP-shifting DIP | Yes | Yes
Source NAT with PAT – port-translated | Yes | Yes
Source NAT without PAT – fix-port | Yes | Yes
Source NAT – IP address persistency | Yes | Yes
Source pool grouping | Yes | Yes
Source pool utilization alarm | Yes | Yes
Source IP outside of the interface subnet | Yes | Yes
Interface source NAT – interface DIP | Yes | Yes
Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted | Yes | Yes
Symmetric NAT | Yes | Yes
Allocate multiple ranges in NAT pool | Yes | Yes
Proxy ARP for physical port | Yes | Yes
Source NAT with loopback grouping – DIP loopback grouping | Yes | Yes
User Authentication and Access Control
Built-in (internal) database | Yes | Yes
RADIUS accounting | Yes | Yes
Web-based authentication | Yes | Yes
UAC enforcement point | Yes | Yes
Public Key Infrastructure (PKI) Support
PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes
Automated certificate enrollment (SCEP) | Yes | Yes
Certificate authorities supported | Yes | Yes
Self-signed certificates | Yes | Yes
Virtualization
Maximum virtual firewalls with data plane traffic segregation (virtual routers (1,000) and zones (512)) | 512 | 512
Maximum virtual firewalls with data plane and administrative separation (logical systems) | 32 | 32
Additional off-platform virtual firewall option with Firefly (VM based) | Unlimited | Unlimited
Maximum number of L3 subinterfaces | 16,384 [5] | 16,384 [5]
Maximum number of VLANs | 4,096 | 4,096
SRX3400
SRX3600
BGP instances
1,000
1,000
BGP peers
2,000
BGP routes
1,000,000
1,000,0006
OSPF instances
256
256
OSPF routes
1,000,000
1,000,0006
RIP v1/v2 instances
50
50
RIP v2 table size
30,000
30,000
Dynamic routing
Yes
Yes
Static routes
Yes
Yes
Filter-based forwarding (FBF)
Yes
Yes
Equal-cost multipath (ECMP)
Yes
Yes
Reverse path forwarding (RPF)
Yes
Yes
Multicast
Yes
Yes
Firewall/stateless filters
Yes
Yes
VPN
Yes
Yes
Dual stack IPv4/IPv6 firewall
Yes
Yes
RIPng
Yes
Yes
BFD, BGP
Yes
Yes
ICMPv6
Yes
Yes
OSPFv3
Yes
Yes
Class of service
Yes
Yes
Layer 2 (transparent) mode
Yes
Yes
Layer 3 (route and/or NAT) mode
Yes
Yes
Static
Yes
Yes
Dynamic Host Configuration Protocol (DHCP)
Yes
Yes
Internal DHCP server
Yes
Yes
DHCP relay
Yes
Yes
Maximum bandwidth
Yes
Yes
RFC2474 IP DiffServ in IPv4
Yes
Yes
Filters for CoS
Yes
Yes
Classification
Yes
Yes
Scheduling
Yes
Yes
Shaping
Yes
Yes
Intelligent Drop Mechanisms (WRED)
Yes
Yes
Three-level scheduling
Yes
Yes
Weighted round-robin for each level of scheduling
Yes
Yes
Priority of routing protocols
Yes
Yes
Routing
2,000
6
6
IPv6
Mode of Operation
IP Address Assignment
Traffic Management QoS
⁵ Maximum number of supported L3 subinterfaces in HA configuration is 1,000.
⁶ Maximum number of BGP and OSPF routes recommended is 100,000.
SRX3400
SRX3600
Active/passive, active/active
Yes
Yes
Low impact chassis cluster upgrades
Yes
Yes
Configuration synchronization
Yes
Yes
Session synchronization for firewall and IPsec VPN
Yes
Yes
Session failover for routing change
Yes
Yes
Device failure detection
Yes
Yes
Link and upstream failure detection
Yes
Yes
Interface link aggregation/LACP
Yes
Yes
Redundant data and control links⁷
Yes
Yes
Yes
Yes
WebUI (HTTP and HTTPS)
Yes
Yes
Command-line interface (console)
Yes
Yes
Network and Security Manager version 2008.2 or later
Yes
Yes
Local administrator database support
Yes
Yes
External administrator database support
Yes
Yes
Restricted administrative networks
Yes
Yes
Root admin, admin, and read-only user levels
Yes
Yes
Software upgrades
Yes
Yes
Configuration rollback
Yes
Yes
Structured system log
Yes
Yes
SNMP (v2/v3)
Yes
Yes
Traceroute
Yes
Yes
Dimensions (W x H x D)
17.5 x 5.25 x 25.5 in
(44.5 x 13.3 x 64.8 cm)
17.5 x 8.75 x 25.5 in
(44.5 x 22.2 x 64.8 cm)
Weight
Chassis: 32.3 lb (14.7 kg)
Fully configured: 75 lb (34.1 kg)
Chassis: 43.6 lb (19.8 kg)
Fully configured: 115.7 lb (52.6 kg)
Power supply (AC)
100 to 240 VAC
100 to 240 VAC
Power supply (DC)
-40 to -72 VDC
-40 to -72 VDC
Maximum power draw
1,100 W (AC power)
1,050 W (DC power)
1,750 W (AC power)
1,850 W (DC power)
Power supply redundancy
1+1
2+1/2+2
Safety certifications
Yes
Yes
Electromagnetic compatibility (EMC) certifications
Yes
Yes
Designed for NEBS Level 3
Yes
Yes
NIST FIPS-140-2 Level 2
Yes (with Junos OS 10.4R4)
Yes (with Junos OS 10.4R4)
ISO Common Criteria NDPP+TFFW EP
Yes (with Junos OS 12.1x44)
Yes (with Junos OS 12.1x44)
ICSA Network Firewall
Yes
Yes
IPsec
Yes
Yes
USGv6
Yes (with Junos OS 11.4R1)
Yes (with Junos OS 11.4R1)
High Availability
In-Service Software Upgrade (ISSU)⁸
Management
Administration
Logging/Monitoring
Dimensions and Power
Certifications
⁷ To enable dual control links on the SRX3000 line, the SRX3K CRM module must be installed on each cluster member.
⁸ Please check the technical publication documents and release notes for the list of compatible features for ISSU.
SRX3400
SRX3600
R6: 3GPP TS 29.060 version 6.21.0
Yes
Yes
R7: 3GPP TS 29.060 version 7.3.0
Yes
Yes
R8: 3GPP TS 29.060 version 8.3.0
Yes
Yes
Operating temperature (long term)
41° to 104° F (5° to 40° C)
41° to 104° F (5° to 40° C)
Operating temperature (short term¹⁰)
23° to 131° F (-5° to 55° C)
23° to 131° F (-5° to 55° C)
Humidity (long term)
5% to 85% noncondensing
5% to 85% noncondensing
Humidity (short term¹⁰)
5% to 93% noncondensing but not to
exceed 0.026kg water/kg of dry air
5% to 93% noncondensing but not to
exceed 0.026kg water/kg of dry air
3GPP TS 20.060 Compliance⁹
Environmental
⁹ SRX3000 line gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX3000 line):
- Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages
- Section 7.5B Mobile Station (MS) info change messages
- Section 7.3.12 Initiate secondary PDP context from GGSN
¹⁰ Short term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a
faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required
levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.
Ordering Information
Model Number
Description
Base System
SRX3400BASE-AC
SRX3400 chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, AC PEM* no power cord - no SPC - no NPC
SRX3400BASE-DC2
SRX3400 chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, DC2 PEM no SPC - no NPC
SRX3600BASE-AC
SRX3600 chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, 2xAC PEM* no power cords - no SPC - no NPC
SRX3600BASE-DC2
SRX3600 chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, 2xDC PEM no SPC - no NPC
SRX3000 Line Components
SRX3K-SPC-1-10-40
SRX3000 line Services Processing Card with 1 GHz processor and 4 GB memory
SRX1K3K-NP-2XGESFPP
SRX3000 line Network Processing and I/O Card
SRX3K-NPC
SRX3000 line Network Processing Card
SRX3K-16GE-TX
16 x 1 10/100/1000 Copper CFM I/O Card for SRX3000 line
SRX3K-16GE-SFP
16 x 1 Gigabit SFP Ethernet I/O Card for SRX3000 line, no transceivers
SRX3K-2XGE-XFP
2 x 10 Gigabit XFP Ethernet I/O Card for SRX3000 line, no transceivers
SRX3K-CRM
Clustering module for the SRX3000 line to enable redundant control links in high-availability clusters
Transceivers
SRX-SFP-1GE-LH
Small form factor pluggable 1000BASE-LH
Gigabit Ethernet optic module
SRX-SFP-1GE-LX
Small form-factor pluggable 1000BASE-LX
Gigabit Ethernet optic module
SRX-SFP-1GE-SX
Small form-factor pluggable 1000BASE-SX
Gigabit Ethernet optic module
SRX-SFP-1GE-T
Small form-factor pluggable 1000BASE-T
Gigabit Ethernet module
SRX-XFP-10GE-SR
10-Gigabit Ethernet pluggable transceiver,
short reach multimode
SRX-XFP-10GE-LR
10-Gigabit Ethernet pluggable transceiver,
10 Km, single mode
SRX-XFP-10GE-ER
10-Gigabit Ethernet pluggable transceiver,
40 Km, single mode
Logical System License
SRX-3400-LSYS-1
1 incremental Logical Systems License for
SRX3400
SRX-3400-LSYS-5
5 incremental Logical Systems License for
SRX3400
SRX-3400-LSYS-25
25 incremental Logical Systems License for
SRX3400
SRX-3600-LSYS-1
1 incremental Logical Systems License for
SRX3600
SRX-3600-LSYS-5
5 incremental Logical Systems License for
SRX3600
SRX-3600-LSYS-25
25 incremental Logical Systems License for
SRX3600
AppSecure Subscription
SRX3400APPSEC-A-1
One year subscription for Application Security and IPS updates for SRX3400
SRX3400APPSEC-A-3
Three year subscription for Application Security and IPS updates for SRX3400
SRX3400APPSEC-A-5
Five year Subscription for Application Security and IPS updates for SRX3400
SRX3600APPSEC-A-1
One year subscription for Application Security and IPS updates for SRX3600
SRX3600APPSEC-A-3
Three year subscription for Application Security and IPS updates for SRX3600
SRX3600APPSEC-A-5
Five year Subscription for Application Security and IPS updates for SRX3600
Services Offload License
SRX3K-SVCSOFFLOAD-RTU
Services offload license for SRX3000 line; this is not an annual license subscription
IPS Subscription
SRX3K-IDP
One year IPS signature subscription for SRX3000 line
SRX3K-IDP-3
Three year IPS signature subscription for SRX3000 line
SRX3K-IDP-5
Five year IDP signature subscription for SRX 3000 line
UTM Subscription
SRX3400-CS-BUN-1
One year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3400
SRX3400-CS-BUN-3
Three year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3400
SRX3400-CS-BUN-5
Five year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3400
SRX3600-CS-BUN-1
One year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3600
SRX3600-CS-BUN-3
Three year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3600
SRX3600-CS-BUN-5
Five year subscription for AppSecure, IDP, EWF, AV and Anti-spam service on SRX3600
SRX3400-S-AS-1
One year subscription for Juniper-Sophos Anti-spam service on SRX3400
SRX3400-S-AS-3
Three year subscription for Juniper-Sophos Anti-spam service on SRX3400
SRX3400-S-AS-5
Five year subscription for Juniper-Sophos Anti-spam service on SRX3400
SRX3600-S-AS-1
One year subscription for Juniper-Sophos Anti-spam service on SRX3600
SRX3600-S-AS-3
Three year subscription for Juniper-Sophos Anti-spam service on SRX3600
SRX3600-S-AS-5
Five year subscription for Juniper-Sophos Anti-spam service on SRX3600
SRX3400-S-AV-1
One year subscription for Juniper-Sophos AV service on SRX3400
SRX3400-S-AV-3
Three year subscription for Juniper-Sophos AV service on SRX3400
SRX3400-S-AV-5
Five year subscription for Juniper-Sophos AV service on SRX3400
SRX3600-S-AV-1
One year subscription for Juniper-Sophos AV service on SRX3600
SRX3600-S-AV-3
Three year subscription for Juniper-Sophos AV service on SRX3600
SRX3600-S-AV-5
Five year subscription for Juniper-Sophos AV service on SRX3600
SRX3400-W-EWF-1
One year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3400
SRX3400-W-EWF-3
Three year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3400
SRX3400-W-EWF-5
Five year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3400
SRX3600-W-EWF-1
One year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3600
SRX3600-W-EWF-3
Three year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3600
SRX3600-W-EWF-5
Five year subscription for Juniper-Websense Enhanced Web Filtering service on SRX3600
Extreme LTU
SRX3K-EXTREMELTU
Expanded performance and capacity Extreme License for SRX3000 line
C19 Straight Power Cables
CBL-PWR-C19S132-UK
Power cord, AC, Great Britain & Ireland, C19 at 70-80 mm, 13 A/250 V, 2.5 mm, straight
CBL-PWR-C19S-151US15
Power cord, AC, Japan/US, NEMA 5-15 to C19 at 70-80 mm, 15 A/125 V, 2.5 m, straight
CBL-PWR-C19S152-AU
Power cord, AC, Australia/New Zealand, C19 at 70-80 mm, 15 A/250 V, 2.5 m, straight
CBL-PWR-C19S162-CH
Power cord, AC, China, C19, 16 A/250 V, 2.5 m, straight
CBL-PWR-C19S162-EU
Power cord, AC, Continental Europe, C19, 16 A/250 V, 2.5 m, RA
CBL-PWR-C19S162-IT
Power cord, AC, Italy, C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight
CBL-PWR-C19S162-JP
Power cord, AC, Japan, NEMA 6-20 to C19, 16 A/250 V, 2.5 m, straight
CBL-PWR-C19S162-JPL
Power cord, AC, Japan/US, C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight, locking plug
CBL-PWR-C19S162-US
Power cord, AC, Japan/US, NEMA 6-20 to C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight
CBL-PWR-C19S-162USL
Power cord, AC, US, NEMA L6-20 to C19, 16 A/250 V, 2.5 m, straight, locking plug
*AC power cords are not included. One C19-Straight cable with appropriate wall-plug for the
final destination of the system is required for each power supply.
About Juniper Networks
Juniper Networks is in the business of network innovation. From
devices to data centers, from consumers to cloud providers,
Juniper Networks delivers the software, silicon and systems that
transform the experience and economics of networking. The
company serves customers and partners worldwide. Additional
information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or +1.408.745.2000
Fax: +1.408.745.2100
APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701
www.juniper.net
Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos
and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their
respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000267-019-EN Oct 2014
Data Sheet
SRX5400, SRX5600,
and SRX5800
Services Gateways
Product Overview
SRX Series Services Gateways are next-generation intelligent security platforms based on a revolutionary architecture offering outstanding protection, performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system platform that keeps the world’s largest networks available, manageable, and secure for the data center.
Product Description
The Juniper Networks® SRX5400, SRX5600, and SRX5800 Services Gateways are next-generation intelligent security platforms that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:
• Cloud and hosting provider data centers
• Mobile operator environments
• Managed service providers
• Core service provider infrastructures
• Large enterprise data centers
Delivering the highest level of protection from Layer 3 to Layer 7, these platforms feature a carrier grade next generation firewall with advanced security services such as application security, Unified Threat Management (UTM), Intrusion Prevention System (IPS), and integrated threat intelligence services.
For advanced protection, the SRX Series now offers integrated threat intelligence services via
Spotlight Secure, Juniper’s open threat intelligence platform in the cloud. Spotlight Secure
delivers actionable security intelligence to SRX Series that enables advanced protection
against command and control (C&C) related botnets and web application threats, and in
addition allows policy enforcement based on GeoIP data—all based on Juniper provided
feeds. Customers may also leverage their own custom and third-party feeds for protection
from advanced malware and other threats unique to their business environment. This
advanced, customer relevant and consolidated threat intelligence service is delivered to the
SRX Series on premises from the cloud, and centrally managed by Junos Space/Security
Director for distributed enforcement by the SRX firewalls within seconds.
Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled
scalability and performance. Each services gateway can support near linear scalability, with
the addition of Services Processing Cards (SPCs) and Input/Output Cards (IOCs), enabling
a fully equipped SRX5800 to support up to 2 Tbps firewall throughput with Express Path
enabled—an industry first for firewall performance. The SPCs are designed to support
a wide range of services, enabling future support of new capabilities without the need
for service-specific hardware. Using SPCs on all services ensures that there are no idle
resources based on specific services being used—maximizing hardware utilization.
The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces.
The SRX5000 line employs a modular approach to interfaces, where each platform can be
equipped with a flexible number of IOCs that offer a wide range of connectivity options—
from 1GbE to 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the gateway can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. With this flexibility, the SRX5800 can be configured to support up to 22 100GbE ports, 44 40GbE ports, 220 10GbE ports, or 440 1GbE ports.
The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection.
The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), unified threat management (UTM), and quality of service (QoS). In addition to the benefit of individual services, the SRX5K series offers an ultra-low latency solution.
Junos OS also delivers carrier-class reliability (with six nines system availability), the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.
SRX5800
The SRX5800 Services Gateway is the market-leading security solution supporting up to 2 Tbps firewall throughput and latency as low as 7 microseconds with the Express Path™ capability. The SRX5800 also supports 100 Gbps IPS and 100 million concurrent sessions. Equipped with the full range of advanced security services, SRX5800 is ideally suited for securing large enterprise, hosted or co-located data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 makes it ideal for densely consolidated processing environments, and the service density make it ideal for cloud and managed service providers.
SRX5600
The SRX5600 Services Gateway uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput with Express Path, 76 million concurrent sessions and 50 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregation of various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure makes the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.
SRX5400
The SRX5400 Services Gateway uses the IOC2 and SPC2 and can support up to 480 Gbps firewall with Express Path, 28 million concurrent sessions and 22 Gbps IPS. The SRX5400 is a small footprint, high-performance gateway ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The capability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.
Service Processing Cards (SPC)
As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The same SPCs are supported on both SRX5600 and SRX5800 Services Gateways.
Juniper offers the SPC2, a newer SPC with superior performance and scale. The SPC2 also features in-service software and in-service hardware upgrades to ensure that security is always on. The SPC2 is supported on the SRX5400, SRX5600, and SRX5800 Services Gateways.
Input/Output Cards (IOCs)
To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities to meet the needs of the most demanding environments while ensuring investment protection.
Juniper offers the IOC2, a second-generation card with superior connectivity options. The IOC2 offers the industry’s first 100GbE as well as 40GbE and high-density 10GbE and 1GbE connectivity options. These options reduce the need for link aggregation when connecting high throughput switches to the firewall, as well as enabling increased throughput in the firewall itself. The IOC2 is supported on all three platforms in the SRX5000 line of services gateways.
The third generation of IOCs from Juniper, the IOC3, delivers the highest throughput levels yet, along with superior connectivity options including 100GbE, 40GbE and high-density 10GbE interfaces. The IOC3 operates with the Express Path optimization capability, delivering all the benefits of the IOC2 cards while enabling the firewalls to deliver higher levels of throughput—up to an industry-leading 2 Tbps on the SRX5800. The IOC3 cards are supported on the SRX5400, SRX5600 and SRX5800.
Enhanced System Control board (SCBE) and
Routing Engine (RE-1800X4)
The Routing-Engine RE-1800x4 is the latest in the family of routing
engines for the SRX5000 line with multi-core processor running
at 1800Mhz, and delivers improved performance, scalability and
reliability with 16G DRAM and 128G SSD. The Enhanced System
Control Board (SCBE) enables 120G per slot throughput with
intra- as well as inter-chassis high availability and redundancy.
Express Path
The IOC, IOC2 and IOC3 cards support the Express Path capability, which securely optimizes the SRX5000 line performance to improve IMIX bandwidth by identifying traffic flows that do not require additional inspection or deep processing. Configurable on a per-policy basis within the same line card, Express Path identifies and prioritizes active session flows to receive appropriate security treatment based on the type of traffic and the level of inspection required, assuring that security is maintained at all times while performance and latency needs are met. Express Path significantly reduces network latency and improves performance of selected traffic types, making it ideal for high-speed latency-sensitive applications. With Express Path, the SRX5000 Services Gateways deliver low latency and high throughput with six-nines reliability.
With Express Path, SRX5000 Services Gateways can support single, extremely high bandwidth flows of up to 40 Gbps and 100 Gbps, dramatically increasing the amount of secured traffic that can be exchanged for express downloads and frequent data transfers.
Features and Benefits
Networking and Security
Juniper Networks SRX5000 line has been designed from the ground up to offer robust networking and security services.
Feature
Feature Description
Benefits
Purpose-built platform
Built from the ground up on dedicated hardware
designed for networking and security services.
Delivers unrivaled performance and flexibility to
protect high-speed network environments.
Scalable performance
Offers scalable processing based on the Dynamic
Services Architecture.
Simple and cost-effective solution to leverage new
services with appropriate processing.
System and network
resiliency
Provides carrier-class hardware design and proven OS.
Offers the reliability needed for any critical high-speed
network deployments without service interruption.
Utilizes a unique architectural design based on
multiple processing cores and a separation of the data
and control planes.
High availability (HA)
Active/passive and active/active HA configurations
using dedicated high availability interfaces.
Achieve availability and resiliency necessary for critical
networks.
Interface flexibility
Offers flexible I/O options with modular cards based
on the Dynamic Services Architecture.
Offers flexible I/O configuration and independent I/O
scalability (options include 1, 10, 40, and 100GbE) to
meet the port density requirements of demanding
network environments.
Network segmentation
Security zones, virtual LANs (VLANs), and virtual
routers that allow administrators to deploy security
policies to isolate subnetworks and use overlapping IP
address ranges.
Features the capability to tailor unique security and
networking policies for various internal, external, and
demilitarized zone (DMZ) subgroups.
Robust routing engine
Dedicated routing engine that provides physical and
logical separation to data and control planes.
Enables deployment of consolidated routing and
security devices, as well as ensuring the security
of routing infrastructure—all via a dedicated
management environment.
Threat intelligence
Integration with Spotlight Secure for application of
advanced threat detection technologies and feeds for
policy enforcement.
Policy enforcement based on optimized and up-to-date threat intelligence is automatically syndicated
across the firewall estate, enabling higher security
effectiveness and operational efficiency.
AppTrack
Detailed analysis on application volume/usage
throughout the network based on bytes, packets and
sessions.
Provides the ability to track application usage to help
identify high-risk applications and analyze traffic
patterns for improved network management and
control.
AppFirewall
Fine grained application control policies to allow or
deny traffic based on dynamic application name or
group names.
Enhances security policy creation and enforcement
based on applications and user roles rather than
traditional port and protocol analysis.
AppQoS
Leverage Juniper’s rich QoS capabilities to prioritize
applications based on customers’ business and
bandwidth needs.
Provides the ability to prioritize traffic as well as
limit and shape bandwidth based on application
information and contexts for improved application and
overall network performance.
Application signatures
Open signature library for identifying applications
and nested applications with over 3000 application
signatures
Applications are accurately identified and the resulting
information can be used for visibility, enforcement,
control and protection.
SSL Proxy (forward and
reverse)
Performs SSL encryption and decryption between the
client and the server.
Combined with application identification, provides
visibility and protection against threats embedded in
SSL encrypted traffic.
Intrusion Prevention System
(IPS)
Detects known and unknown exploits and anomalies
in network traffic streams.
Adds critical layer of protection beyond stateful
firewall, enabling detection of vulnerabilities in
network traffic and highly granular control over IPS
policy enforcement.
Stateful GPRS and SCTP
inspection
Support for GPRS and SCTP firewall in mobile
operator networks.
Enables the SRX5000 line to provide stateful firewall
capabilities for protecting key GPRS nodes within
mobile operator networks.
User identity-based access
control enforcement
Secure access to data center resources via tight
integration of standards-based access control
capabilities of Juniper Networks Junos Pulse Access
Control Service and SRX5000 line.
Enables agent-based and agentless identity security
services for enterprise data centers by integrating
the SRX5000 line with the standards-based access
control capabilities of Junos Pulse Access Control
Service. This integration enables administrative
flexibility to manage a variety of user access, including
corporate, guest, and mobile.
Unified threat management
(UTM)
Strong UTM capabilities, including IPS, antivirus,
antispam, Web, and content filtering. Available on-box
with preinstalled, expanding and adaptive capabilities
that are quickly activated for zero-day, easy, and
instant protection. Antivirus options are available from
Sophos, Web filtering from Websense, and antispam
from Sophos.
Best-in-class UTM protection with strong, high-performance content security leveraging intelligence
from multiple expert security companies.
IOC2 supports 2 MICs
The first firewall I/O card in the industry to offer
100GbE connectivity. The card includes a choice of ten
10GbE, twenty 1 GbE, two 40GbE, or one 100GbE I/O
interfaces. Pairs well with SPC2s for maximized firewall
performance in any of the SRX5000 line of gateways.
Increases connectivity efficiency with high throughput
I/O interfaces. Reduces the need for link aggregation
to the firewall and enables higher firewall throughput.
IOC3*
The third-generation I/O card offers very high levels
of firewall throughput and low latency. The card
includes two board choices: six 40GbE interfaces
and 24 10GbE interfaces, or two 100GbE interfaces
and four 10GbE interfaces. The IOC3 pairs well with
SPC2 for maximum firewall performance in any of the
SRX5000 services gateways.
Vastly superior, top-of-the-line connectivity
efficiency and record-breaking high throughput I/O
interfaces. Reduces the need for link aggregation to
the firewall and enables very high firewall throughput
of up to 2 Tbps.
SPC2 card
Enables performance and scale with full, backwards
compatibility to SRX5000 chassis and cards. Like
current SPCs, these cards support in-service software
and in-service hardware upgrades
Delivers always-on security resiliency to meet your
growing network performance needs.
Express Path
An optional optimization capability (formerly
Services Offload) for the SRX5000 line that improves
throughput and lowers latency by identifying
and accelerating traffic flows that do not require
deep inspection. Provides support for single, high-bandwidth flows of 40 Gbps and 100 Gbps. Can be
configured on a per-policy basis.
Securely delivers extremely high levels of throughput,
making it the ideal solution for high-speed, latency-sensitive networks and applications, as well as high-performance compute networks.
AutoVPN
One time hub configuration for site-to-site VPN for all
spokes, even newly added ones. Configuration options
include: routing, interfaces, IKE, and IPsec.
Enables IT administrative time and cost savings with
easy, zero-touch deployment for IPsec VPN networks.
*Requires Junos 15.1x49-D10 or greater.
IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
| Feature | Feature Description | Benefits |
|---|---|---|
| Stateful signature inspection | Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. | Minimize false positives and offer flexible signature development. |
| Protocol decodes | Enables most accurate detection and helps reduce false positives. | Accuracy of signatures is improved through precise contexts of protocols. |
| Signatures | There are more than 8,500 signatures for identifying anomalies, attacks, spyware, and applications. | Attacks are accurately identified and attempts to exploit a known vulnerability are detected. |
| Traffic normalization | Reassembly, normalization, and protocol decoding are provided. | Overcome attempts to bypass other IPS detections by using obfuscation methods. |
| Zero-day protection | Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. | Your network is already protected against any new exploits. |
(See http://pathfinder.juniper.net/compliance for specific platform and release compliance.)
| Feature | Feature Description | Benefits |
|---|---|---|
| Recommended policy | A group of attack signatures is identified by the Juniper Networks Security Team as critical for the typical enterprise to protect against. | Installation and maintenance are simplified while ensuring the highest network security. |
| Active/active traffic monitoring | IPS monitoring on active/active SRX5000 line chassis clusters. | Support for active/active IPS monitoring including advanced features such as in-service software upgrade. |
| Packet capture | IPS policy supports packet capture logging per rule. | Conduct further analysis of surrounding traffic and determine further steps to protect target. |
Content Security UTM Capabilities
The UTM services offered on the SRX5000 line of gateways include industry-leading antivirus, antispam, content filtering, and
additional content security services.
| Feature | Feature Description | Benefits |
|---|---|---|
| Antivirus | Antivirus includes reputation-enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. | Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity. |
| Antispam | Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. | Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers. |
| Enhanced Web filtering | Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Websense, an expert Web security provider. | Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic. |
| Content filtering | Effective content filtering based on MIME type, file extension, and protocol commands. | Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic. |
Centralized Management
Juniper Networks Junos Space Security Director delivers scalable and responsive security management that improves the reach, ease,
and accuracy of security policy administration. It lets administrators manage all phases of the security policy lifecycle through a single
Web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall,
IPS, NAT, and VPN security management for intuitive and quick policy administration.
Junos Space Security Director runs on the Junos Space Network Management Platform for highly extensible, network-wide
management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.
SRX5400
Services Gateway
SRX5600
Services Gateway
SRX5800
Services Gateway
Specifications

Maximum Performance and Capacity¹

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Junos OS version tested | Junos OS 15.1x49 | Junos OS 15.1x49 | Junos OS 15.1x49 |
| Firewall performance, large packet (with Express Path) | 480 Gbps | 960 Gbps | 2 Tbps |
| Firewall performance, IMIX (with Express Path) | 468 Gbps | 936 Gbps | 2 Tbps |
| Firewall performance | 65 Gbps | 130 Gbps | 320 Gbps |
| Latency (with Express Path) | ~7-11 µsec | ~7-11 µsec | ~7-11 µsec |
| Maximum AES256+SHA-1 VPN performance | 35 Gbps | 100 Gbps | 200 Gbps |
| Maximum IPS performance | 22 Gbps | 50 Gbps | 100 Gbps |
| Maximum concurrent sessions² | 42 Million | 114 Million | 230 Million |
| New sessions/second (sustained, tcp, 3way)² | 420,000 | 1 Million | 2 Million |
| Maximum user supported | Unrestricted | Unrestricted | Unrestricted |

Network Connectivity

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Maximum available slots for IOCs | 2 | 5 | 11 |

| Option | Details |
|---|---|
| IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) | 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+ |
| IOC2 options (SRX5K-MPC) | Supports 2 pluggable MIC modules per card. MICs can be mixed from the following models: 20 x 1GbE SFP; 10 x 10GbE SFP+; 2 x 40GbE QSFP; 1 x 100GbE CFP |
| IOC options³ (SRX5K-40GE-SFP; SRX5K-4XGE-XFP) | 40 x 1GbE SFP or 4 x 10GbE XFP |
| Flex IOC options³ (SRX5K-FPC-IOC) | Supports 2 pluggable IOC modules per card. IOCs can be mixed from the following models: 16 x 1GbE RJ-45; 16 x 1GbE SFP; 4 x 10GbE XFP |

Processing Scalability

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Maximum available slots for SPCs | 2 | 5 | 11 |
| Services Process Card (SPC) options | SPC2: Quad CPU | SPC: Dual CPU; SPC2: Quad CPU | SPC: Dual CPU; SPC2: Quad CPU |

Firewall

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Network attack detection | Yes | Yes | Yes |
| DoS and DDoS protection | Yes | Yes | Yes |
| TCP reassembly for fragmented packet protection | Yes | Yes | Yes |
| Brute force attack mitigation | Yes | Yes | Yes |
| SYN cookie protection | Yes | Yes | Yes |
| Zone-based IP spoofing | Yes | Yes | Yes |
| Malformed packet protection | Yes | Yes | Yes |

IPsec VPN

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Site-to-site tunnels | 15,000 | 15,000 | 15,000 |
| Tunnel interfaces | 15,000 | 15,000 | 15,000 |
| DES (56-bit), 3DES (168-bit), and AES encryption | Yes | Yes | Yes |
| MD5 and SHA-1 authentication | Yes | Yes | Yes |

¹ Performance, capacity and features listed are based on systems running Junos OS 15.1x49 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
² Maximum concurrent sessions and new sessions/second improvements are a result of Junos 15.1X49-D30.
³ IOC and Flex IOC are not compatible with SRX5400E, SRX5600E, SRX5800E, SRX5400X, SRX5600X, and SRX5800E.
| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Manual key, IKE, PKI (X.509) | Yes | Yes | Yes |
| Perfect forward secrecy (DH groups) | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 |
| Prevent replay attack | Yes | Yes | Yes |
| IPv4 and IPv6 | Yes | Yes | Yes |
| Redundant VPN gateways | Yes | Yes | Yes |

Intrusion Prevention System (IPS)*

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Signatures based and customizable (via templates) | Yes | Yes | Yes |
| Active/active traffic monitoring | Yes | Yes | Yes |
| Stateful protocol signatures | Yes | Yes | Yes |
| Attack detection mechanisms | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification |
| Attack response mechanisms | Drop connection, close connection, session packet log, session summary, email | Drop connection, close connection, session packet log, session summary, email | Drop connection, close connection, session packet log, session summary, email |
| Attack notification mechanisms | Structured syslog | Structured syslog | Structured syslog |
| Worm protection | Yes | Yes | Yes |
| Simplified installation through recommended policies | Yes | Yes | Yes |
| Trojan protection | Yes | Yes | Yes |
| Spyware/adware/keylogger protection | Yes | Yes | Yes |
| Advanced malware protection | Yes | Yes | Yes |
| Protection against attack proliferation from infected systems | Yes | Yes | Yes |
| Reconnaissance protection | Yes | Yes | Yes |
| Request and response side attack protection | Yes | Yes | Yes |
| Compound attacks—combines stateful signatures and protocol anomalies | Yes | Yes | Yes |
| Create custom attack signatures | Yes | Yes | Yes |
| Access contexts for customization | 600+ | 600+ | 600+ |
| Attack editing (port range, other) | Yes | Yes | Yes |
| Stream signatures | Yes | Yes | Yes |
| Protocol thresholds | Yes | Yes | Yes |
| Stateful protocol signatures | Yes | Yes | Yes |
| Approximate number of attacks covered | 15,000+ | 15,000+ | 15,000+ |
| Detailed threat descriptions and remediation/patch info | Yes | Yes | Yes |
| Create and enforce appropriate application-usage policies | Yes | Yes | Yes |
| Attacker and target audit trail and reporting | Yes | Yes | Yes |
| Frequency of updates | Daily and emergency | Daily and emergency | Daily and emergency |

* Session capacity differs based on UTM/AppSecure/IPS features enabled.
UTM*

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Antivirus | Yes | Yes | Yes |
| Content filtering | Yes | Yes | Yes |
| Enhanced Web filtering | Yes | Yes | Yes |
| Redirect Web filtering | Yes | Yes | Yes |
| Antispam | Yes | Yes | Yes |

AppSecure*

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| AppTrack (application visibility and tracking) | Yes | Yes | Yes |
| AppFirewall (policy enforcement by application name) | Yes | Yes | Yes |
| AppQoS (network traffic prioritization by application name) | Yes | Yes | Yes |
| User-based application policy enforcement | Yes | Yes | Yes |

GPRS Security

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| GPRS stateful firewall | Yes | Yes | Yes |

Destination Network Address Translation

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Destination NAT with PAT | Yes | Yes | Yes |
| Destination NAT within same subnet as ingress interface IP | Yes | Yes | Yes |
| Destination addresses and port numbers to one single address and a specific port number (M:1P) | Yes | Yes | Yes |
| Destination addresses to one single address (M:1) | Yes | Yes | Yes |
| Destination addresses to another range of addresses (M:M) | Yes | Yes | Yes |

Source Network Address Translation

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Static Source NAT - IP-shifting DIP | Yes | Yes | Yes |
| Source NAT with PAT - port-translated | Yes | Yes | Yes |
| Source NAT without PAT - fix-port | Yes | Yes | Yes |
| Source NAT - IP address persistency | Yes | Yes | Yes |
| Source pool grouping | Yes | Yes | Yes |
| Source pool utilization alarm | Yes | Yes | Yes |
| Source IP outside of the interface subnet | Yes | Yes | Yes |
| Interface source NAT - interface DIP | Yes | Yes | Yes |
| Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted | Yes | Yes | Yes |
| Symmetric NAT | Yes | Yes | Yes |
| Allocate multiple ranges in NAT pool | Yes | Yes | Yes |
| Proxy ARP for physical port | Yes | Yes | Yes |
| Source NAT with loopback grouping - DIP with loopback grouping | Yes | Yes | Yes |

User Authentication and Access Control

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Built-in (internal) database | Yes | Yes | Yes |
| RADIUS accounting | Yes | Yes | Yes |
| Web-based authentication | Yes | Yes | Yes |

* Session capacity differs based on UTM/AppSecure/IPS features enabled.
Public Key Infrastructure (PKI) Support

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes | Yes |
| Automated certificate enrollment (SCEP) | Yes | Yes | Yes |
| Certificate authorities supported | Yes | Yes | Yes |
| Self-signed certificates | Yes | Yes | Yes |

Virtualization

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Maximum virtual firewalls with data plane traffic segregation (virtual routers) | 2,000 | 2,000 | 2,000 |
| Maximum security zones | 2,000 | 2,000 | 2,000 |
| Maximum virtual firewalls with data plane and administrative separation (logical systems) | 32 | 32 | 32 |
| Additional off-platform virtual firewall option with Firefly (VM based) | Unlimited | Unlimited | Unlimited |
| Maximum number of VLANs | 4,096 | 4,096 | 4,096 |

Routing

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| BGP instances | 1,000 | 1,000 | 1,000 |
| BGP peers | 2,000 | 2,000 | 2,000 |
| BGP routes | 1 Million⁴ | 1 Million⁴ | 1 Million⁴ |
| OSPF instances | 400 | 400 | 400 |
| OSPF routes | 1 Million⁴ | 1 Million⁴ | 1 Million⁴ |
| RIP v1/v2 instances | 50 | 50 | 50 |
| RIP v2 table size | 30,000 | 30,000 | 30,000 |
| Dynamic routing | Yes | Yes | Yes |
| Static routes | Yes | Yes | Yes |
| Source-based routing | Yes | Yes | Yes |
| Policy-based routing | Yes | Yes | Yes |
| Equal cost multipath (ECMP) | Yes | Yes | Yes |
| Reverse path forwarding (RPF) | Yes | Yes | Yes |
| Multicast | Yes | Yes | Yes |

IPv6

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Firewall/stateless filters | Yes | Yes | Yes |
| Dual stack IPv4/IPv6 firewall | Yes | Yes | Yes |
| RIPng | Yes | Yes | Yes |
| BFD, BGP | Yes | Yes | Yes |
| ICMPv6 | Yes | Yes | Yes |
| OSPFv3 | Yes | Yes | Yes |
| Class of service | Yes | Yes | Yes |

Mode of Operation

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Layer 2 (transparent) mode | Yes | Yes | Yes |
| Layer 3 (route and/or NAT) mode | Yes | Yes | Yes |

IP Address Assignment

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Static | Yes | Yes | Yes |
| Dynamic Host Configuration Protocol (DHCP) | Yes | Yes | Yes |
| Internal DHCP server | Yes | Yes | Yes |
| DHCP relay | Yes | Yes | Yes |

⁴ Maximum number of BGP and OSPF routes recommended is 100,000.
Traffic Management Quality of Service (QoS)

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Maximum bandwidth | Yes | Yes | Yes |
| RFC2474 IP Diffserv in IPv4 | Yes | Yes | Yes |
| Firewall filters for COS | Yes | Yes | Yes |
| Classification | Yes | Yes | Yes |
| Scheduling | Yes | Yes | Yes |
| Shaping | Yes | Yes | Yes |
| Intelligent Drop Mechanisms (WRED) | Yes | Yes | Yes |
| Three level scheduling | Yes | Yes | Yes |
| Weighted round robin for each level of scheduling | Yes | Yes | Yes |
| Priority of routing protocols | Yes | Yes | Yes |
| Traffic management/policing in hardware | Yes | Yes | Yes |

High Availability (HA)

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Active/passive, active/active | Yes | Yes | Yes |
| In-Service Software Upgrade (ISSU)⁵ | Yes | Yes | Yes |
| Configuration synchronization | Yes | Yes | Yes |
| Session synchronization for firewall and IPsec VPN | Yes | Yes | Yes |
| Session failover for routing change | Yes | Yes | Yes |
| Device failure detection | Yes | Yes | Yes |
| Link and upstream failure detection | Yes | Yes | Yes |
| Dual control links⁶ | No | Yes | Yes |
| Interface link aggregation/LACP | Yes | Yes | Yes |
| Redundant fabric links | Yes | Yes | Yes |

Management

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| WebUI (HTTP and HTTPS) | Yes | Yes | Yes |
| Command line interface (console, telnet, SSH) | Yes | Yes | Yes |
| Junos Space Security Director | Yes | Yes | Yes |

Administration

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Local administrator database support | Yes | Yes | Yes |
| External administrator database support | Yes | Yes | Yes |
| Restricted administrative networks | Yes | Yes | Yes |
| Root admin, admin, and read only user levels | Yes | Yes | Yes |
| Software upgrades | Yes | Yes | Yes |
| Configuration rollback | Yes | Yes | Yes |

Logging/Monitoring

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Structured syslog | Yes | Yes | Yes |
| SNMP (v2 and v3) | Yes | Yes | Yes |
| Traceroute | Yes | Yes | Yes |

⁵ Please consult the technical publication documents and release notes for a list of compatible ISSU features.
⁶ To enable dual control links on the SRX5000 line, two SRX5K-RE-13-20 modules must be installed on each cluster member.
3GPP TS 20.060 Compliance⁷

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| R6: 3GPP TS 29.060 version 6.21.0 | Yes | Yes | Yes |
| R7: 3GPP TS 29.060 version 7.3.0 | Yes | Yes | Yes |
| R8: 3GPP TS 29.060 version 8.3.0 | Yes | Yes | Yes |

Certifications

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Safety certifications | Yes | Yes | Yes |
| Electromagnetic Compatibility (EMC) certifications | Yes | Yes | Yes |
| RoHS2 Compliant (European Directive 2011/65/EU) | Yes | Yes | Yes |
| Designed for NEBS Level 3 | Yes | Yes | Yes |
| NIST FIPS-140-2 Level 2 | In progress | Yes (with Junos OS 10.4R4) | Yes (with Junos OS 10.4R4) |
| Common Criteria NDPP+TFFW EP + VPN EP | Yes (with Junos OS 12.1x46) | Yes (with Junos OS 12.1x46) | Yes (with Junos OS 12.1x46) |
| ICSA Network Firewall | Yes | Yes | Yes |
| ICSA IPsec | Yes | Yes | Yes |
| USGv6 | Yes (with Junos OS 12.1x46) | Yes (with Junos OS 12.1x46) | Yes (with Junos OS 12.1x46) |

Dimensions and Power

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Dimensions (W x H x D) | 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) | 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) | 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm) |
| Weight | Fully configured: 128 lb (58.1 kg) | Fully configured: 180 lb (81.7 kg) | Fully configured: 334 lb (151.6 kg) |
| Power supply (AC) | 100 to 240 VAC | 100 to 240 VAC | 200 to 240 VAC |
| Power supply (DC) | -40 to -60 VDC | -40 to -60 VDC | -40 to -60 VDC |
| Maximum power | 4,100 watts (AC high capacity) | 4,100 watts (AC high capacity) | 8,200 watts (AC high capacity) |
| Typical Power | 1540 watts | 2440 watts | 5015 watts |

Environmental

| Specification | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Operating temperature – long term | 41° to 104° F (5° to 40° C) | 41° to 104° F (5° to 40° C) | 41° to 104° F (5° to 40° C) |
| Operating temperature – short term⁸ | 23° to 131° F (-5° to 55° C) | 23° to 131° F (-5° to 55° C) | 23° to 131° F (-5° to 55° C) |
| Humidity – long term | 5% to 85% noncondensing | 5% to 85% noncondensing | 5% to 85% noncondensing |
| Humidity – short term⁸ | 5% to 93% noncondensing but not to exceed 0.026kg water/kg of dry air | 5% to 93% noncondensing but not to exceed 0.026kg water/kg of dry air | 5% to 93% noncondensing but not to exceed 0.026kg water/kg of dry air |

⁷ SRX5000 line of gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX5000 line):
- Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages
- Section 7.5B Mobile Station (MS) info change messages
- Section 7.3.12 Initiate secondary PDP context from GGSN
⁸ Short term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year.
Warranty
For warranty information, please visit www.juniper.net/support/warranty/.

Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services
that are designed to accelerate, extend, and optimize your
high-performance network. Our services allow you to maximize
operational efficiency while reducing costs and minimizing
risk, achieving a faster time to value for your network. Juniper
Networks ensures operational excellence by optimizing the
network to maintain required levels of performance, reliability,
and availability. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information
Model Number
Description
Base/Bundle
SRX5400BB-AC
SRX5400 base bundle includes Chassis,
Routing Engine (RE), SCB, two AC HC
power supplies, SRX5K-SPC-4-15-320,
SRX5K-MPC, and SRX-MIC-10XG-SFPP
SRX5400E-B1-AC†
SRX5400 Configuration 1 includes chassis,
standard midplane, SRX5K-RE-1800X4,
SRX5K-SCBE, 2xAC HC PEM, HC fan tray,
SRX5K-SPC-4-15-320, SRX5K-MPC, and
SRX-MIC-10XG-SFPP
SRX5400BB-DC
SRX5400 base bundle includes Chassis,
RE, SCB, two DC HC power supplies,
SRX5K-SPC-4-15-320, SRX5K-MPC, and
SRX-MIC-10XG-SFPP
† These products require Junos 12.1X47-D15 or greater.
Model Number
SRX5400E-B1-DC
†
Description
Model Number
SRX5400 Configuration 1 includes chassis,
standard midplane, SRX5K-RE-1800X4,
SRX5K-SCBE, 2xDC HC PEM, HC fan tray,
SRX5K-SPC-4-15-320, SRX5K-MPC, and
SRX-MIC-10XG-SFPP
SRX5600X-BASE :
SRX5600 Configuration includes chassis,
enhanced midplane, SRX5K-RE-1800X4,
SRX5K-SCB3, 2xHC PEM, HC fan tray
SRX5800BASE-HC-AC
AC SRX5800 chassis, includes RE, 2xSCB,
2 AC high capacity power supplies
SRX5800E-BASE-HCAC†
SRX5800 chassis includes standard
midplane, SRX5K-RE-1800X4, 2xSRX5K-SCBE, 2xAC HC PEM, 2X HC
fan tray
SRX5800BASE-HC-DC
DC SRX5800 chassis, includes RE, 2xSCB,
2x high capacity DC power supplies
SRX5800E-BASE-HCDC†
SRX5800 chassis includes standard
midplane, SRX5K-RE-1800X4, 2xSRX5K-SCBE, 2xDC HC PEM, 2X HC
fan tray
SRX5800X-BASE‡:
SRX5800 Configuration includes chassis,
enhanced midplane, SRX5K-RE-1800X4,
2xSRX5K-SCB3, 2xHC PEM, 2xHC fan tray
SRX5400B2-AC
SRX5400 bundle 2 includes Chassis,
RE, SCB, two AC HC power supplies, two
SRX5K-SPC-4-15-320, SRX5K-MPC, and
SRX-MIC-10XG-SFPP
SRX5400E-B2-AC†
SRX5400 Configuration 2 includes chassis,
standard midplane, SRX5K-RE-1800X4,
SRX5K-SCBE, 2xAC HC PEM, HC fan tray,
2xSRX5K-SPC-4-15-320, SRX5K-MPC,
and SRX-MIC-10XG-SFPP
SRX5400B2-DC
SRX5400E-B2-DC†
SRX5400E-B5-AC
SRX5400E-B5-DC
Description
‡
SRX5400 bundle 2 includes chassis, RE,
SCB, two DC HC power Supplies, two
SRX5K-SPC-4-15-320, SRX5K-MPC, and
SRX-MIC-10XG-SFPP
SRX5400 Configuration 2 includes chassis,
standard midplane, SRX5K-RE-1800X4,
SRX5K-SCBE, 2xDC HC PEM, HC fan tray,
2xSRX5K-SPC-4-15-320 , SRX5K-MPC,
and SRX-MIC-10XG-SFPP
SRX5400E cluster bundle (promotional
offer) includes 2xSRX5400E-B1-AC
(SCB2, RE2, 1xSPC2, 1xIOC2, 1x10GbE MIC,
2xAC PEMs), 4xSRX5600-PWR-2520AC-S (extra redundant AC PEMS), and
2xSRX5400-APPSEC-1 (1 year)
SRX5400E cluster bundle (promotional
offer) includes 2xSRX5400E-B1-DC
(SCB2, RE2, 1xSPC2, 1xIOC2, 1x10GbE MIC,
2xDC PEMs), 4xSRX5600-PWR-2400DC-S (extra redundant DC PEMS), and
2xSRX5400-APPSEC-1 (1 year)
SRX5000 Line Components
Compatible
Systems
SRX5K-SCB
SCB SRX5000 line
Switch Control Board
SRX5400
SRX5600
SRX5800
SRX5K-SCBE†
SRX5K Enhanced
Switch Control Board
SRX5400E
SRX5600E
SRX5800E
SRX5K-SCB3‡
SRX5000 SCB3
Switch Control Board
SRX5400X
SRX5600X
SRX5800X
SRX5K-RE-13-20
SRX5000 line Routing
Engine, 1.3 GHz,
2 GB DRAM
SRX5400
SRX5600
SRX5800
SRX5K-RE-1800X4†
SRX5K Route Engine,
1.8Ghz quad-core
Xeon, 16GB DRAM,
128GB SSD
SRX5400E
SRX5600E
SRX5800E
SRX5400X
SRX5600X
SRX5800X
SRX5400X-B1‡:
SRX5400 Configuration includes chassis,
enhanced midplane, SRX5K-RE-1800X4,
SRX5K-SCB3, 2xHC PEM, HC fan tray,
SRX5K-SPC-4-15-320, SRX5K-MPC, SRX-MIC-10XG-SFPP
SRX5400X-B2‡:
SRX5400 Configuration includes chassis,
enhanced midplane, SRX5K-RE-1800X4,
SRX5K-SCB3, 2xHC PEM, HC fan tray,
SRX5K-SPC-4-15-320, SRX5K-MPC3-40G10G
SRX5K-SPC-4-15-320
All models
SRX5400 Configuration includes chassis,
enhanced midplane, SRX5K-RE-1800X4,
SRX5K-SCB3, 2xHC PEM, HC fan tray,
SRX5K-SPC-4-15-320, SRX5K-MPC3-100G10G
SRX5000 line Next-Generation Service
Processing Card
(featuring 20 million
sessions)
SRX5K-SPC-2-10-40
SRX5000 line Service
Processing Card
SRX5600
SRX5800
SRX5K-4XGE-XFP
4x10 Gigabit XFP
Ethernet I/O Card for
the SRX5000 line, no
transceivers
SRX5600
SRX5800
SRX5K-40GE-SFP
40x1 Gigabit SFP
Ethernet I/O Card for
the SRX5000 line, no
transceivers
SRX5600
SRX5800
SRX5K-FPC-IOC
SRX5000 line Flex IOC
SRX5600
SRX5800
Supports 2 Flex
IOC modules
SRX-IOC-16GE-TX
SRX5000 line Flex IOC
16-port 10/100/1000
Ethernet module
Flex IOC module
for SRX5K-FPC-IOC
SRX5600
SRX5800
SRX-IOC-16GE-SFP
SRX5000 line Flex
IOC 16-port SFP
Ethernet module, no
transceivers
Flex IOC module
for SRX5K-FPC-IOC
SRX5600
SRX5800
SRX5400X-B3‡:
SRX5400X-B5-AC
SRX5400X-B5-DC
SRX5400X cluster bundle (promotional
offer) includes 2xSRX5400X-B1 (SCB3,
RE2, 1xSPC2, 1xIOC2, 1x10GbE MIC,
2xAC PEMs), 4xSRX5600-PWR-2520AC-S (extra redundant AC PEMS), and
2xSRX5400-APPSEC-1 (1 year)
SRX5400X cluster bundle (promotional
offer) includes 2xSRX5400X-B1 (SCB3,
RE2, 1xSPC2, 1xIOC2, 1x10GbE MIC,
2xDC PEMs), 4xSRX5600-PWR-2400DC-S (extra redundant DC PEMS), and
2xSRX5400-APPSEC-1 (1 year)
SRX5600BASE-HC-AC
AC SRX5600 chassis includes RE, SCB, 2
AC high capacity power supplies
SRX5600E-BASE-HCAC†
SRX5600 chassis includes standard
midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xAC HC PEM, HC fan tray
SRX5600BASE-HC-DC
DC SRX5600 chassis, includes RE, SCB, 2
DC high capacity power supplies
SRX5600E-BASE-HCDC†
SRX5600 chassis includes standard
midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xDC HC PEM, HC fan tray
† These products require Junos 12.1X47-D15 or greater.
Model Number
Description
SRX-IOC-4XGE-XFP
SRX5000 line Flex
IOC 4x10 Gigabit XFP
Ethernet module, no
transceivers
Flex IOC module
for SRX5K-FPC-IOC
SRX5600
SRX5800
SRX5K-IOC-BLANK
Blank Panel for
SRX5K-FPC-IOC
SRX5600
SRX5800
SRX-5K-BLANK
Blank Panel for SRX5K
All models
SRX5K-MPC3-100G10G‡
SRX5K IOC3,
2x100GbE and
4x10GbE port
SRX5400E
SRX5600E
SRX5800E
SRX5400X
SRX5600X
SRX5800X
SRX5K-MPC3-40G10G
‡
SRX5K IOC3, 6x40GbE
and 24x10GbE ports
SRX5400E
SRX5600E
SRX5800E
SRX5400X
SRX5600X
SRX5800X
Description
SRX-XFP-10GE-ER
10-Gigabit Ethernet
pluggable transceiver,
40 Km, single mode
SRX5K-4XGE-XFP
SRX-IOC-4XGE-XFP
SRX-SFP-10GE-LR
10GbE SFP+ optical
transceiver, LR
SRX5K-MPC
SRX5K-MPC3
SRX-SFP-10GE-SR
10GbE SFP+ optical
transceiver, SR
SRX5K-MPC
SRX5K-MPC3
SRX-CFP-100G-LR4
100GbE LR4 CFP
transceiver (IEEE
802.3ba) for SRX-MIC-1X100G-CFP
SRX5K-MPC
SRX-CFP-100G-SR10
100GbE SR10 CFP
transceiver, MMF,
100M, OM3 for SRX-MIC-1X100G-CFP
SRX5K-MPC
SRX-QSFP-40G-SR4
40GbE SR4 QSFP+
transceiver for SRX-MIC-2X40G-QSFP
SRX5400
SRX5K-MPC
SRX5K-MPC3
SRX5K-MPC
MPC for 100GbE,
40GbE, 10GbE and
1GbE MIC Interfaces
All models;
supports 2 MIC
modules
SRX-SFPP-10G-SR-ET
10GbE SR SFP+
transceiver, 200M ET
0-85
SRX5K-MPC
SRX5K-MPC3
SRX-MIC-1X100G-CFP
MIC with 1x100GbE
CFP Interface MIC
module for SRX5K-MPC
All models
SRX-SFPP-10G-LR
10GE SFP+ optical
transceiver, LR
SRX5K-MPC
SRX5K-MPC3
SRX-QSFP-40G-LR4
40GE QSFP+ optical
transceiver, LR
SRX5K-MPC
SRX5K-MPC3
SRX-MIC-2X40G-QSFP
MIC with 2x40GbE
QSFP+ Interfaces MIC
module for SRX5K-MPC
All models
CFP2-100GBASE-SR10
CFP2 100G optical
transceiver, SR
SRX5K-MPC3-100G10G
CFP2-100GBASE-LR4
SRX-MIC-10XG-SFPP
MIC with 10x10GbE
SFP+ Interfaces, MIC
module for SRX5K-MPC
All models
CFP2 100G optical
transceiver, LR
SRX5K-MPC3-100G10G
JNP-QSFP-40G-LX4
SRX5K-MPC,
SRX5K-MPC3-40G10G
MIC with 20x1GbE SFP
Interfaces, MIC module
for SRX5K-MPC
All models
QSFP+ 40GBASE-LX4
40G transceiver, 100m
(150m) with OM3
(OM4) duplex MMF
fiber
Small form factor
pluggable 1000BASE-LH Gigabit Ethernet
optic module
SRX-IOC-16GE-SFP
SRX5K-40GE-SFP
Small form-factor
pluggable 1000BASE-LX Gigabit Ethernet
Optic Module
SRX-MIC-20GE-SFP
SRX-IOC-16GE-SFP
SRX5K-40GE-SFP
SRX-MIC-20GE-SFP
AppSecure Subscription
Transceivers
SRX-SFP-1GE-LH
SRX-SFP-1GE-LX
SRX-SFP-1GE-SX
SRX-SFP-1GE-T
SRX-XFP-10GE-SR
SRX-XFP-10GE-LR
‡
Model Number
Small form-factor
pluggable 1000BASE-SX Gigabit Ethernet
Optic Module
SRX-MIC-20GE-SFP
SRX-IOC-16GE-SFP
SRX5K-40GE-SFP
Small form-factor pluggable
1000BASE-T Gigabit
Ethernet Module (uses
Cat 5 cable)
SRX-MIC-20GE-SFP
SRX-IOC-16GE-SFP
SRX5K-40GE-SFP
10-Gigabit Ethernet
pluggable transceiver,
short reach multimode
SRX5K-4XGE-XFP
SRX-IOC-4XGE-XFP
10-Gigabit Ethernet
pluggable transceiver,
10 Km, single mode
SRX5K-4XGE-XFP
SRX-IOC-4XGE-XFP
SRX5400-APPSEC-1
One year subscription for Application
Security and IPS updates for SRX5400,
SRX5400E
SRX5400-APPSEC-3
Three year subscription for Application
Security and IPS updates for SRX5400,
SRX5400E
SRX5400-APPSEC-5
Five year subscription for Application
Security and IPS updates for SRX5400,
SRX5400E
SRX5600-APPSEC-A-1
One year subscription for Application
Security and IPS updates for SRX5600,
SRX5600E
SRX5600-APPSEC-A-3
Three year subscription for Application
Security and IPS updates for SRX5600 ,
SRX5600E
SRX5600-APPSEC-A-5
Five year subscription for Application
Security and IPS updates for SRX5600,
SRX5600E
SRX5800-APPSEC-A-1
One year subscription for Application
Security and IPS updates for SRX5800,
SRX5800E
SRX5800-APPSEC-A-3
Three year subscription for Application
Security and IPS updates for SRX5800
SRX5800-APPSEC-A-5
Five year Subscription for Application
Security and IPS updates for SRX5800,
SRX5800E
Requires Junos 15.1X49-D10 or greater
Model Number
Description
IPS Subscription
SRX5K-IDP
One year IPS signature subscription for
SRX 5000 line
SRX5K-IDP-3
Three year IPS signature subscription for
SRX 5000 line
SRX5K-IDP-5
Five year IPS signature subscription for SRX
5000 line
Model Number
Description
Services Offload License*
Compatible
Systems**
SRX5K-SVCSOFFLOAD-RTU
SRX5400
SRX5600
SRX5800
Services offload
license for
SRX5000 line; this
is not an annual
license subscription
Logical Systems License
UTM Subscription
SRX5400-CS-BUN-1
One year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX5400, SRX5400E
SRX5400-CS-BUN-3
Three year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX5400, SRX5400E
SRX5400-CS-BUN-5
Five year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX5400, SRX5400E
SRX-5400-LSYS-1
1 incremental Logical Systems License for
SRX5400, SRX5400E
SRX-5400-LSYS-5
5 incremental Logical Systems License for
SRX5400, SRX5400E
SRX-5400-LSYS-25
25 incremental Logical Systems License
for SRX5400, SRX5400E
SRX-5600-LSYS-1
1 incremental Logical Systems License for
SRX5600
SRX-5600-LSYS-5
5 incremental Logical Systems License for
SRX5600, SRX5600E
SRX-5600-LSYS-25
25 incremental Logical Systems License
for SRX5600
SRX5400-S-AS-1
One year subscription for Juniper-Sophos Anti-spam service on SRX5400,
SRX5400E
SRX5400-S-AS-3
Three year subscription for Juniper-Sophos Anti-spam service on SRX5400,
SRX5400E
SRX-5800-LSYS-1
SRX5400-S-AS-5
Five year subscription for Juniper-Sophos Anti-spam service on SRX5400,
SRX5400E
1 incremental Logical Systems License for
SRX5800, SRX5800E
SRX-5800-LSYS-5
SRX5400-S-AV-1
One year subscription for Juniper-Sophos
AV service on SRX5400, SRX5400E
5 incremental Logical Systems License for
SRX5800, SRX5800E
SRX-5800-LSYS-25
SRX5400-S-AV-3
Three year subscription for Juniper-Sophos
AV service on SRX5400, SRX5400E
25 incremental Logical Systems License
for SRX5800, SRX5800E
Power Cords
SRX5400-S-AV-5
Five year subscription for Juniper-Sophos
AV service on SRX5400, SRX5400E
CBL-M-PWR-RA-AU
SRX5400-W-EWF-1
One year subscription for Juniper-Websense Enhanced Web Filtering service
on SRX5400, SRX5400E
AC power cord, Australia (SAA/3/15), C19,
15 A/250 V, 2.5 m, Right Angle
CBL-M-PWR-RA-CH
AC power cord, China (GB 2099.1-1996,
Angle), C19, 16 A/250 V, 2.5 m, Right Angle
SRX5400-W-EWF-3
Three year subscription for Juniper-Websense Enhanced Web Filtering service
on SRX5400, SRX5400E
CBL-M-PWR-RA-EU
AC power cord, Cont. Europe (VII), C19,
16 A/250 V, 2.5 m, Right Angle
SRX5400-W-EWF-5
Five year subscription for Juniper-Websense Enhanced Web Filtering service
on SRX5400, SRX5400E
CBL-M-PWR-RA-IT
AC power cord, Italy (I/3/16), C19,
16 A/250 V, 2.5 m, Right Angle
CBL-M-PWR-RA-JP
SRX5600-CS-BUN-1
One year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX5600, SRX5600E
AC power cord, Japan (NEMA LOCKING),
C19, 20 A/250 V, 2.5 m, Right Angle
CBL-M-PWR-RATWLK-US
AC power cord, US (NEMA LOCKING), C19,
20 A/250 V, 2.5 m, Right Angle
SRX5600-S-AS-1
One year subscription for Juniper-Sophos Anti-spam service on SRX5600,
SRX5600E
CBL-M-PWR-RA-UK
AC power cord, UK (BS89/13), C19,
13 A/250 V, 2.5 m, Right Angle
SRX5600-S-AV-1
One year subscription for Juniper-Sophos
AV service on SRX5600, SRX5600E
CBL-M-PWR-RA-US
AC power cord, USA/Canada (N6/20), C19,
20 A/250 V, 2.5 m, Right Angle
SRX5600-W-EWF-1
One year subscription for Juniper-Websense Enhanced Web Filtering service
on SRX5600, SRX5600E
CBL-PWR-RA-JP15
AC power cable, JIS 8303 15 A/125 V
2.5 m length for Japan, Right Angle
SRX5800-CS-BUN-1
One year subscription for AppSecure,
IDP, EWF, AV and Anti-spam service on
SRX5800, SRX5800E
CBL-PWR-RA-TWLKUS15
AC power cable, NEMA L5-15P (twist lock)
15 A/125 V 2.5 m length for U.S., Canada,
and Mexico, Right Angle
SRX5800-S-AS-1
One year subscription for Juniper-Sophos Anti-spam service on SRX5800,
SRX5800E
CBL-PWR-RA-US15
SRX5800-S-AV-1
One year subscription for Juniper-Sophos
AV service on SRX5800, SRX5800E
AC power cable, NEMA 5-15 15 A/125 V,
2.5 m length for North America, parts of
South America, parts of Central America,
parts of Africa, and parts of Asia, Right
Angle
SRX5800-W-EWF-1
One year subscription for Juniper-Websense Enhanced Web Filtering service
on SRX5800, SRX5800E
* In 12.3X48-D10, the Services Offload feature was renamed Express Path and is included
without requiring a license for Junos X48 releases and beyond. With the X48 release,
the Express Path feature is supported on all SRX5000 Services Gateways including
the SRX5400. For versions prior to the X48 release, the Services Offload license is still
required and supports only SRX5600 and SRX5800 products.
** Express Path is available on the SRX5400, SRX5600 and SRX5800 Services Gateways.
No separate license is required.
About Juniper Networks
Juniper Networks is in the business of network innovation. From
devices to data centers, from consumers to cloud providers,
Juniper Networks delivers the software, silicon and systems that
transform the experience and economics of networking. The
company serves customers and partners worldwide. Additional
information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701
Copyright 2016 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos
and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their
respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000254-029-EN Feb 2016