New and Changed Features
This section describes new features as well as enhancements to existing features in Junos OS Release 18.1R1 for cSRX support.
- New Features in Junos OS Release 18.1R1 for cSRX
- cSRX Architecture Illustration
- Supported Features
- Changes in Behavior and Syntax
New Features in Junos OS Release 18.1R1 for cSRX
cSRX Container Firewall
- cSRX deployment in bare-metal Linux server—Starting in Junos OS Release 18.1R1, the cSRX Container Firewall is available as a containerized version of the SRX Series Services Gateway with a low memory footprint. cSRX runs as a single container on a Linux bare-metal server, which serves as the hosting platform for the Docker container environment. The cSRX container packages all of the dependent processes (daemons) and libraries needed to support the different Linux host distributions (Ubuntu, Red Hat Enterprise Linux, or CentOS). You use standard Docker commands to manage the cSRX container. cSRX provides advanced security services, including content security, AppSecure, and unified threat management in a container form factor.
- cSRX deployment in Contrail—Starting in Junos OS Release 18.1R1, the cSRX Container Firewall can be deployed on a Docker Engine compute node as a dedicated firewall in the Contrail Networking cloud environment to provide differentiated Layer 4 through 7 security services for multiple tenants as part of a service chain. With the Contrail orchestrator, cSRX is deployed as a large-scale security service and is configured to steer traffic from the vRouter with a vRouter interface (VIF). Traffic and health statistics are monitored by the Contrail service orchestrator. cSRX provides advanced security services, including content security, AppSecure, and unified threat management in a container form factor.
- cSRX: UTM support—Starting in Junos OS Release 18.1R1, the Junos OS SRX Series software provides support for all UTM functionality on the cSRX platform. This functionality includes features such as:
  - Antispam
  - Sophos Antivirus
  - Web filtering
  - Content filtering
- cSRX: User Firewall support—Starting in Junos OS Release 18.1R1, the Junos OS SRX Series software provides support for the user firewall functionality on the cSRX platform. This functionality includes features such as:
  - Policy enforcement with matching source identity criteria
  - Logging with source identity information
  - Integrated user firewall with Active Directory
  - Local authentication
  [See Authentication and Integrated User Firewalls Feature Guide for Security Devices.]
- cSRX: NAT support—Starting in Junos OS Release 18.1R1, the Junos OS SRX Series software provides support for all NAT functionality on the cSRX platform. This functionality includes features such as:
  - Source NAT
  - Destination NAT
  - Static NAT
  - Persistent NAT and NAT64
  - NAT hairpinning
  - NAT for multicast flows
  [See Network Address Translation Feature Guide for Security Devices.]
cSRX Architecture Illustration
cSRX Architecture
Figure 1 is a high-level illustration of the cSRX architecture and Figure 2 is a high-level illustration of a cSRX compute node in a Contrail Networking cloud environment.
For details about the cSRX architecture, see the Overview topic in cSRX Deployment Guide for Bare-Metal Linux Server and cSRX Deployment Guide for Contrail.
Figure 1: cSRX Architecture

Figure 2: cSRX Architecture in Contrail

Supported Features
The cSRX Container Firewall inherits many of the branch SRX Series Junos OS features. This topic outlines the SRX Series features supported by cSRX along with the features that are not applicable in a containerized environment.
SRX Series Features Supported on cSRX
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Table 1: SRX Series Features Supported on cSRX
Feature | Considerations |
---|---|
Application Firewall (AppFW) | |
Application Identification (AppID) | |
Application Tracking (AppTrack) | |
Basic firewall policy | |
Brute force attack mitigation | |
Central management | CLI only. No J-Web support. |
DDoS protection | |
DoS protection | |
Interfaces | Two revenue network interfaces (eth1 and eth2). |
Intrusion Detection and Prevention (IDP) | For SRX Series IPS configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series |
IPv4 and IPv6 | |
Jumbo frames | |
Malformed packet protection | |
Network Address Translation (NAT) | For SRX Series NAT configuration details, see: |
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding. |
SYN cookie protection | |
User Firewall | For SRX Series user firewall configuration details, see: |
Unified Threat Management (UTM) | For SRX Series UTM configuration details, see: Unified Threat Management Overview. For SRX Series UTM antispam configuration details, see: |
Zones and zone-based IP spoofing | |
SRX Series Features Not Supported on cSRX
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
Table 2: SRX Series Features Not Supported on cSRX
SRX Series Feature | |
---|---|
Application Layer Gateways | |
Avaya H.323 | |
Authentication with IC Series Devices | |
Layer 2 enforcement in UAC deployments Note: UAC-IDP and UAC-UTM also are not supported. | |
Class of Service | |
High-priority queue on SPC | |
Tunnels | |
Data Plane Security Log Messages (Stream Mode) | |
TLS protocol | |
Diagnostics Tools | |
Flow monitoring cflowd version 9 | |
Ping Ethernet (CFM) | |
Traceroute Ethernet (CFM) | |
DNS Proxy | |
Dynamic DNS | |
Ethernet Link Aggregation | |
LACP in standalone or chassis cluster mode | |
Layer 3 LAG on routed ports | |
Static LAG in standalone or chassis cluster mode | |
Ethernet Link Fault Management | |
Physical interface (encapsulations) | |
ethernet-ccc | |
extended-vlan-ccc | |
Interface family | |
ccc, tcc | |
ethernet-switching | |
Flow-Based and Packet-Based Processing | |
End-to-end packet debugging | |
Network processor bundling | |
Services offloading | |
Interfaces | |
Aggregated Ethernet interface | |
IEEE 802.1X dynamic VLAN assignment | |
IEEE 802.1X MAC bypass | |
IEEE 802.1X port-based authentication control with multisupplicant support | |
Interleaving using MLFR | |
PoE | |
PPP interface | |
PPPoE-based radio-to-router protocol | |
PPPoE interface | |
Promiscuous mode on interfaces | |
IP Security and VPNs | |
Acadia - Clientless VPN | |
DVPN | |
Hardware IPsec (bulk crypto) Cavium/RMI | |
IPsec tunnel termination in routing instances | |
Multicast for AutoVPN | |
Suite B implementation for IPsec VPN | |
IPv6 Support | |
DS-Lite concentrator (also known as AFTR) | |
DS-Lite initiator (also known as B4) | |
Log File Formats for System (Control Plane) Logs | |
Binary format (binary) | |
WELF | |
Miscellaneous | |
AppQoS | |
Chassis cluster | |
GPRS | |
Hardware acceleration | |
High availability | |
J-Web | |
Logical systems | |
MPLS | |
Outbound SSH | |
Remote instance access | |
RESTCONF | |
Sky ATP | |
SNMP | |
Spotlight Secure integration | |
USB modem | |
Wireless LAN | |
MPLS | |
CCC and TCC | |
Layer 2 VPNs for Ethernet connections | |
Network Address Translation | |
Maximize persistent NAT bindings | |
Packet Capture | |
Packet capture Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth). | |
Routing | |
BGP extensions for IPv6 | |
BGP Flowspec | |
BGP route reflector | |
Bidirectional Forwarding Detection (BFD) for BGP | |
CRTP | |
Switching | |
Layer 3 Q-in-Q VLAN tagging | |
Transparent Mode | |
UTM | |
Unified Threat Management | |
Express AV | |
Kaspersky AV | |
Upgrading and Rebooting | |
Autorecovery | |
Boot instance configuration | |
Boot instance recovery | |
Dual-root partitioning | |
OS rollback | |
User Interfaces | |
NSM | |
SRC application | |
Junos Space Virtual Director | |
Changes in Behavior and Syntax
This section lists the changes in behavior of cSRX features and changes in the syntax of Junos OS statements and commands in Junos OS Release 18.1 for cSRX.
For the most complete and latest information about changes in command behavior and syntax applicable to all SRX Series platforms in Junos OS Release 18.1R1, see Changes in Behavior and Syntax for SRX.