Requirements for cSRX Container Firewall
This section presents an overview of requirements for deploying a cSRX Container Firewall instance and the Junos OS feature support on cSRX.
Supported SRX Series Firewall Features on cSRX Container Firewall
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Feature | Considerations
---|---
Application Firewall (AppFW) |
Application Identification (AppID) |
Application Tracking (AppTrack) |
Basic firewall policy |
Brute force attack mitigation |
Central management | CLI only. No J-Web support.
DDoS protection |
DoS protection |
Interfaces | A cSRX container supports 17 interfaces.
Intrusion Detection and Prevention (IDP) | For SRX Series Firewall IPS configuration details, see Understanding Intrusion Detection and Prevention for SRX Series Firewall.
IPv4 and IPv6 |
Jumbo frames |
Malformed packet protection |
Network Address Translation (NAT) | All NAT functionality of the SRX Series platform is supported on cSRX. For configuration details, see the SRX Series Firewall NAT documentation.
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through Layer 3 forwarding functions: secure-wire forwarding or static routing forwarding.
SYN cookie protection |
System Logs and Real-Time Logs | Starting in Junos OS Release 20.1R1, you can monitor traffic using system logs and RTlogs.
User Firewall | All user firewall functionality of the SRX Series platform is supported on cSRX. For configuration details, see the SRX Series Firewall user firewall documentation.
Content Security | All Content Security functionality of the SRX Series platform is supported on cSRX. For configuration details, see the SRX Series Firewall Content Security and Content Security antispam documentation.
Zones and zone-based IP spoofing |
ATP Cloud |
SSL Proxy |
Security Intelligence (SecIntel), Domain Name System (DNS), and ETI | See Security Intelligence Overview.
Juniper Identity Management Service (JIMS) |
Table 2 lists IPsec VPN feature support on cSRX.

Feature category | Feature | Supported on cSRX
---|---|---
IKE Features | Pre-shared key | Yes
 | Certificate authentication | Yes
 | IKEv1 (main mode/aggressive mode) | No
 | IKEv2 | Yes
 | Route-based VPN | Yes
 | Site-to-site VPN | Yes
 | Auto VPN | Yes
 | Dynamic endpoint VPN | Yes
 | Point-to-point tunnel interfaces | Yes
 | Point-to-multipoint tunnel interfaces | No
 | Numbered tunnel interfaces | No
 | Unnumbered tunnel interface | Yes
 | Hub-and-spoke scenario for site-to-site VPNs | Yes
 | Unicast static and dynamic (RIP, OSPF, BGP) routing over st0 interface | No
 | Virtual router | No
 | IKED crash recovery | Yes
 | Chassis Cluster | No
 | HA Link Encryption | No
 | Local address selection | Yes
 | Loopback address termination | No
 | DNS name as IKE gateway address | Yes
 | NAT-Traversal (NAT-T) for IPv4 IKE peers | Yes
 | Dead Peer Detection (DPD) | Yes
 | Generic proposals and policies for IPv4 and IPv6 | Yes
 | General IKE ID | Yes
 | Single proxy ID pairs | No
 | Multiple traffic selector pairs | Yes
 | Dual-stack (parallel IPv4 and IPv6 tunnels) over a single physical interface | Yes
 | Authentication algorithms: md5, sha1, sha-256, sha-384, sha-512 | Yes
 | Encryption algorithms: des-cbc, 3des-cbc, aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm | Yes
 | IKE proposal sets: basic, compatible, standard, prime-128, prime-256, suiteb-gcm-128, suiteb-gcm-256 | Yes
 | DH groups: 1, 2, 5, 14, 15, 16, 19, 20, 21, 24 | Yes
 | Local identity: distinguished-name, hostname, IPv4/IPv6 address, user-at-hostname, key-id | Yes
 | Remote identity: distinguished-name, hostname, IPv4/IPv6 address, user-at-hostname, key-id | Yes
 | IKE reauthentication (initiator and responder) | Yes
 | Configuration payload | No
 | EAP | No
 | Remote access (NCP/licensing) | No
 | Tunnel establishment: immediately, on-traffic, responder-only and responder-only-no-rekey modes | Yes
 | Distribution profile | No
 | Tunnel redistribution | No
 | IKEv2 fragmentation | Yes
 | SNMP MIB | No
 | Statistics, logs, per-tunnel debugging | Yes
 | IKE termination on lo0 interface | No
IPsec and Dataplane Features | ESP and AH tunnel modes | Yes
 | Extended sequence number | Yes
 | Lifetime of IKE or IPsec SA, in seconds | Yes
 | Encryption algorithms: des-cbc, 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-gcm-128, aes-gcm-256 | Yes
 | Authentication algorithms: hmac-sha1-96, hmac-md5-96, hmac-sha-256-128, hmac-sha-384, hmac-sha-512 | Yes
 | Don't Fragment bit | Yes
 | IPv6 extension headers | Yes
 | IPsec fragmentation and reassembly | Yes
 | Session affinity | No
 | Power mode IPsec | Yes
 | Configurable anti-replay window | Yes
 | DSCP copy | Yes
 | Configurable delayed installation of rekeyed outbound SAs | Yes
 | CoS on st0 | No
SRX Series Firewall Features Not Supported on cSRX Container Firewall
Table 3 lists SRX Series Firewall features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
SRX Series Firewall Feature | cSRX Container Firewall Notes
---|---
Application Layer Gateways | Avaya H.323
Authentication with IC Series Devices | Layer 2 enforcement in UAC deployments. Note: UAC-IDP and UAC-Content Security are also not supported.
Class of Service | High-priority queue on SPC
 | Tunnels
Data Plane Security Log Messages (Stream Mode) | TLS protocol
Diagnostics Tools | Flow monitoring cflowd version 9
 | Ping Ethernet (CFM)
 | Traceroute Ethernet (CFM)
DNS Proxy | Dynamic DNS
Ethernet Link Aggregation | LACP in standalone or chassis cluster mode
 | Layer 3 LAG on routed ports
 | Static LAG in standalone or chassis cluster mode
Ethernet Link Fault Management | Physical interface (encapsulations)
 | Interface family
Flow-Based and Packet-Based Processing | End-to-end packet debugging
 | Network processor bundling
 | Services offloading
Interfaces | Aggregated Ethernet interface
 | IEEE 802.1X dynamic VLAN assignment
 | IEEE 802.1X MAC bypass
 | IEEE 802.1X port-based authentication control with multisupplicant support
 | Interleaving using MLFR
 | PoE
 | PPP interface
 | PPPoE-based radio-to-router protocol
 | PPPoE interface
 | Promiscuous mode on interfaces
VPNs | Acadia clientless VPN
 | DVPN
 | Multicast for AutoVPN
IPv6 Support | DS-Lite concentrator (also known as AFTR)
 | DS-Lite initiator (also known as B4)
Log File Formats for System (Control Plane) Logs | Binary format (binary)
 | WELF
Miscellaneous | AppQoS
 | Chassis cluster
 | GPRS
 | Hardware acceleration
 | High availability
 | J-Web
 | Logical systems
 | MPLS
 | Outbound SSH
 | Remote instance access
 | RESTCONF
 | SNMP
 | Spotlight Secure integration
 | USB modem
 | Wireless LAN
MPLS | CCC and TCC
 | Layer 2 VPNs for Ethernet connections
Network Address Translation | Maximize persistent NAT bindings
Packet Capture | Packet capture. Note: Supported only on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth).
Routing | BGP extensions for IPv6
 | BGP Flowspec
 | BGP route reflector
 | Bidirectional Forwarding Detection (BFD) for BGP
 | CRTP
Switching | Layer 3 Q-in-Q VLAN tagging
Unsupported System Logs and Real-Time Log Functions | cSRX does not support all the log functions supported on other SRX Series Firewalls or vSRX Virtual Firewall instances, due to limited CPU power and disk capacity.
Transparent Mode | Content Security
Content Security | Express AV
 | Kaspersky AV
Upgrading and Rebooting | Autorecovery
 | Boot instance configuration
 | Boot instance recovery
 | Dual-root partitioning
 | OS rollback
User Interfaces | NSM
 | SRC application
 | Junos Space Virtual Director
Multinode High Availability | Not supported
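The following is an added example, not from the Juniper documentation, of a cSRX logging configuration that stays inside the limits listed above: data-plane RT logs are streamed as structured syslog over UDP (stream-mode TLS transport is listed as unsupported), control-plane logs use plain syslog rather than the unsupported binary or WELF formats, and session logging is enabled per policy so that there is something to stream. The collector address, source address, and zone and policy names are assumptions.

```junos
# Added example (not from the Juniper documentation). Assumed: log collector at
# 10.10.0.50, cSRX trust-side address 10.10.0.1; zone and policy names are placeholders.

# Stream-mode data-plane logging in sd-syslog format over UDP/514.
# The TLS stream transport, binary format and WELF format listed as
# unsupported on cSRX are not used.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.0.1
set security log stream RTLOG-COLLECTOR category all
set security log stream RTLOG-COLLECTOR host 10.10.0.50
set security log stream RTLOG-COLLECTOR host port 514

# Per-policy session logging produces the RT_FLOW session-init/session-close
# events that the stream carries (Junos OS Release 20.1R1 or later on cSRX).
set security policies from-zone trust to-zone untrust policy ALLOW-OUT match source-address any
set security policies from-zone trust to-zone untrust policy ALLOW-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-OUT match application any
set security policies from-zone trust to-zone untrust policy ALLOW-OUT then permit
set security policies from-zone trust to-zone untrust policy ALLOW-OUT then log session-init
set security policies from-zone trust to-zone untrust policy ALLOW-OUT then log session-close

# Control-plane system logs to the same collector, structured-data syslog
# (text, not binary), so the same parser handles both feeds.
set system syslog host 10.10.0.50 any notice
set system syslog host 10.10.0.50 structured-data
```

Because the collector link is unauthenticated UDP, keep the collector on a network reachable only from the cSRX pod or host network (for example, a dedicated logging VLAN or a cluster-internal service) rather than relying on transport security that cSRX does not provide.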
Supported NICs and Interfaces on cSRX Container Firewall

NICs and Interfaces | Specification | Supported Junos OS Release
---|---|---
cSRX DPDK driver supports the following NICs | SR-IOV over Intel 82599 series | Junos OS Release 23.2R1
 | SR-IOV over Intel X710/XL710 series |
 | PCI pass-through over Intel 82599 series |
 | PCI pass-through over Intel X710/XL710 series |
 | Intel | Junos OS Release 24.4R1
Veth driver modes | |
cSRX poll mode supports the following interface types | Kernel bridge interfaces |
DPDK 23.11 version | cSRX flavors supported | Junos OS Release 24.4R1
Operating System (OS) Supported | |