6. SRX Series Services Gateways for Branch
All-in-one routing, switching and security in a single platform
Security at every layer with MACsec, IPSec and application security
Best end-user application experience and operational efficiency
7. SRX3xx Portfolio Summary
*Performance numbers for the IMIX packet size
**NGFW = IPS + AppFW + External Logging

                  SRX300      SRX320      SRX340      SRX345
App Firewall*     500 Mbps    1 Gbps      2 Gbps      3 Gbps
Routing*          500 Mbps    1 Gbps      1.7 Gbps    2.5 Gbps
IPSec VPN*        100 Mbps    200 Mbps    300 Mbps    350 Mbps
NGFW**            100 Mbps    200 Mbps    300 Mbps    350 Mbps

SRX300: Retail Office, up to 50 users
SRX320: Small Branch, up to 50 users
SRX340: Mid Branch, up to 100 users
SRX345: Mid-Large Branch, up to 200 users
SRX550: Large Branch, up to 500 users
8. SRX1500 Services Gateway
Specification SRX1500
RAM / storage 16GB / 16GB
On-board 1G ports 16xGE (w 4x SFP)
On-board 10G ports 4x SFP+
OOB Management port 1x GE
Acoustics 66 dBA
SSD Storage 120G
Power Supply 1+1 400W PSU
Forwarding capacity 1.8 Mpps
Routing / firewall 5 Gbps
IPSec VPN (IMIX) 1.2 Gbps
IPS 3.5 Gbps
NGFW 1 Gbps
Concurrent sessions 2,000,000
• SRX1500 is a high-performance, cost-effective and highly available next-generation firewall
• Provides outstanding protection with Sky ATP
• Integrates networking & security in a single platform
• High port density and small form factor
• Targeted for
  – Enterprise Campus Edge
  – Data Center Edge
  – Branch Router
9. SRX5400
• Ideal for medium to large enterprises and Service Provider networks
• Software Security Services
  – AppSecure and IPS
  – AV and web filtering
• Next-generation, high-performance line cards

Specification SRX5400
On-board Ports 100GE-CFP/CFP2, 40GE-QSFPP, 10GE-SFPP/XFP, 1GE-SFP
JUNOS Software Version Support JUNOS 15.1X49-D10
Firewall Performance (w/ Express Path) 65 Gbps (480 Gbps)
Firewall Performance IMIX (w/ Express Path) 32 Gbps (450 Gbps)
Firewall Performance, Firewall + Routing PPS 64 byte (w/ Express Path) 8 Mpps (98 Mpps)
VPN Performance – AES256+SHA-1 35 Gbps
AppSecure 42 Gbps
Intrusion Prevention System 22 Gbps
Connections Per Second (CPS) 450 K
Maximum Concurrent Sessions 42 M
High Availability A/A or A/P
12. Next-Gen Firewall Features on SRX
Application Reporting
Application Firewalling
Geo-IP
C&C & Reputation Filtering
User Firewalling
Intrusion Prevention
Web Filtering
Anti-Virus
Anti-Spam
Content Filtering
SSL Inspection
Cloud-based Anti-malware
13. What is Sky Advanced Threat Prevention
[Diagram: the customer SRX sends objects to the Juniper Cloud (Sky Advanced Threat Prevention), where they go through static analysis and a sandbox with deception]
1. SRX extracts potentially malicious objects and files and sends them to the cloud for analysis
2. Known malicious files are quickly identified and dropped before they can infect a host
3. Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps
4. Correlation between newly identified malware and known C&C sites aids analysis
5. SRX blocks known malicious file downloads and outbound C&C traffic
14. The ATP verdict chain
Staged analysis: combining rapid response and deep analysis
[Diagram: a suspect file passing through stages 1 to 4 below]
Suspect files enter the analysis chain in the cloud:
1. Cache lookup (~1 second): files we’ve seen before are identified and a verdict immediately goes back to the SRX
2. Anti-virus scanning (~5 seconds): multiple AV engines return a verdict, which is then cached for future reference
3. Static analysis (~30 seconds): the static analysis engine does a deeper inspection, with the verdict again cached for future reference
4. Dynamic analysis (~7 minutes): dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware
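An added illustration of the staged verdict chain on this slide and the extract-and-cache flow on the previous one; this is example code, not Juniper's, and the SHA-256 cache key, the stage stand-ins and the sample files are all constructed assumptions. Each stage may return a verdict or defer to the next, deeper (and slower) stage, and any verdict is cached so a repeat of the same file is answered at the cache step.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# An analyser returns "clean" or "malicious", or None to defer to the next stage.
Analyser = Callable[[bytes], Optional[str]]

@dataclass
class StagedVerdictChain:
    # Stages in order: (name, approximate cost in seconds, analyser).
    stages: List[Tuple[str, float, Analyser]]
    # sha256 hex digest -> (verdict, stage that produced it); assumed cache key.
    cache: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def analyse(self, data: bytes) -> Tuple[str, str, float]:
        """Return (verdict, deciding stage, approximate seconds spent)."""
        digest = hashlib.sha256(data).hexdigest()
        elapsed = 1.0  # the cache lookup itself, ~1 s on the slide
        if digest in self.cache:  # seen before: verdict goes straight back
            return self.cache[digest][0], "cache", elapsed
        for name, cost, analyser in self.stages:
            elapsed += cost
            verdict = analyser(data)
            if verdict is not None:
                self.cache[digest] = (verdict, name)  # cached for future reference
                return verdict, name, elapsed
        return "unknown", "none", elapsed  # nothing conclusive: not cached

# Constructed stand-ins for the real engines (signatures, static rules, sandbox).
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00 known-sample").hexdigest()}

def av_scan(data: bytes) -> Optional[str]:
    # Signature hit is conclusive; no hit says nothing, so defer.
    return "malicious" if hashlib.sha256(data).hexdigest() in KNOWN_BAD else None

def static_analysis(data: bytes) -> Optional[str]:
    if not data.startswith(b"MZ"):
        return "clean"  # not an executable: nothing to detonate
    return "malicious" if b"suspicious-api-string" in data else None

def dynamic_analysis(data: bytes) -> Optional[str]:
    # Stand-in for sandbox detonation: a constructed behaviour marker.
    return "malicious" if b"beacon-marker" in data else "clean"

def build_chain() -> StagedVerdictChain:
    return StagedVerdictChain([
        ("anti-virus", 5.0, av_scan),
        ("static", 30.0, static_analysis),
        ("dynamic", 420.0, dynamic_analysis),
    ])
```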
15. SRX User Identity RESTful API (12.3X48-D30)
• Built for Aruba ClearPass integration but can be used by 3rd parties
• Endpoint: https://srxhostname/api/userfw/v1/
• Posture states: Healthy(0), Checkup(10), Transition(15), Quarantine(20), Infected(30), Unknown(100)
• Identity sources: “Aruba ClearPass”, “UAC”, “Active Directory”
• IPv4 & IPv6 support
• Standard XML DateTime format (ISO8601)
• Operations: logon, logoff or posture-update for logon, role-list is a must for logoff
• Role list: maximum 200 roles, each up to 64 characters
17. SSL Forward Proxy and UTM
• 12.3X48-D25 and 15.1X49-D40 support UTM with SSL Proxy
• No configuration changes on the UTM side; an ssl-proxy profile must be applied in the security policy alongside the UTM policy:
[…]policy trust-to-untrust match source-address any
[…]policy trust-to-untrust match destination-address any
[…]policy trust-to-untrust match application junos-any
[…]policy trust-to-untrust then permit application-services ssl-proxy profile-name ssl-inspection-p
[…]policy trust-to-untrust then permit application-services utm-policy junos-av-policy
[…]policy trust-to-untrust then permit application-services application-firewall rule-set block-app
[…]policy trust-to-untrust then log session-close
18. Juniper site-to-site VPN solutions update

Use Case: Auto VPN
• Network Topology: Large Scale Hub and Spoke; Cluster Hub/Spoke
• Failover Redundancy: Active-Passive; Active-Backup
• Traffic Steering: Traffic Selector with Static Routes – higher scalability; Dynamic Routing
• Tunnel Technology: Tunnel Based VPN; St0 P2P with Traffic Selector; St0 P2MP with Routing; IKEv1 and IKEv2
• Performance / Scalability: Up to 1 Gbps / 3 Gbps and 2000 tunnels - SRX1500; 15K tunnels with TS

Use Case: Auto + AD VPN
• Network Topology: On Demand Spoke to Spoke; Dynamic Any-to-Any
• Failover Redundancy: Cluster Hub; Cluster Spokes (Hierarchy)
• Traffic Steering: Traffic Selector with Static Routes – higher scalability; Dynamic Routing - OSPF
• Tunnel Technology: Dynamic Spoke to Spoke Tunnel; IKEv2
• Performance / Scalability: 256 shortcut tunnels - SRX550M; 512 shortcut tunnels - SRX650 and above

Use Case: Group VPN
• Network Topology: Any-to-Any; Full Mesh
• Failover Redundancy: Server Cluster for Key Server protection; up to 4 servers in the same cluster
• Traffic Steering: No overlay routing; Advanced QoS for encrypted traffic
• Tunnel Technology: Tunnel-less VPN; Group Protection; IKEv1
• Performance / Scalability: 4000 group members per server; 16K per cluster
23. Software Defined Secure Network Vision
• Detection: unify and rate threat intelligence from multiple sources
• Policy: create and centrally manage security policy through a user-intent based system
• Enforcement: enforce policy in near real time across the network, with the ability to adapt to network changes

Business Needs: Users & Roles; Departments & Sites; Devices; Applications
IT View: Switch Ports, VLANs, ACLs; IPs/Subnets, VRFs, ACLs; Firewall Zones, Rules, Users & Apps, Threats, Location