Requirements for cSRX Container Firewall

This section presents an overview of requirements for deploying a cSRX Container Firewall instance and the Junos OS feature support on cSRX.

Supported SRX Series Firewall Features on cSRX Container Firewall

Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.

To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.

Table 1: SRX Series Firewall Features Supported on cSRX Container Firewall

Feature | Considerations
Application Firewall (AppFW) | Application Firewall Overview
Application Identification (AppID) | Understanding Application Identification Techniques
Application Tracking (AppTrack) | Understanding AppTrack
Basic firewall policy | Understanding Security Basics
Brute force attack mitigation | Intrusion Detection and Prevention User Guide
Central management | CLI only. No J-Web support.
DDoS protection | DoS Attack Overview
DoS protection | DoS Attack Overview
Interfaces | A cSRX container supports 17 interfaces: 1 out-of-band management interface (eth0) and 16 in-band interfaces (ge-0/0/0 to ge-0/0/15). See Network Interfaces.
Intrusion Detection and Prevention (IDP) | For SRX Series Firewall IPS configuration details, see Understanding Intrusion Detection and Prevention for SRX Series Firewall.
IPv4 and IPv6 | Understanding IPv4 Addressing; Understanding IPv6 Address Space
Jumbo frames | Understanding Jumbo Frames Support for Ethernet Interfaces
Malformed packet protection | Understanding IDS Screens for Network Attack Protection
Network Address Translation (NAT) | Includes support for all NAT functionality on the cSRX platform, such as source NAT, destination NAT, static NAT, persistent NAT and NAT64, NAT hairpinning, and NAT for multicast flows. For SRX Series Firewall NAT configuration details, see Introduction to NAT.
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding.
SYN cookie protection | Understanding SYN Cookie Protection
System Logs and Real-Time Logs | Starting in Junos OS Release 20.1R1, you can monitor traffic using system logs and RTlogs.
User Firewall | Includes support for all user firewall functionality on the cSRX platform, such as policy enforcement with matching source identity criteria, logging with source identity information, integrated user firewall with Active Directory, and local authentication. For SRX Series Firewall user firewall configuration details, see Overview of Integrated User Firewall.
Content Security | Includes support for all Content Security functionality on the cSRX platform, such as antispam, Sophos Antivirus, Web filtering, and content filtering. For SRX Series Firewall Content Security configuration details, see Unified Threat Management Overview. For SRX Series Firewall Content Security antispam configuration details, see Antispam Filtering Overview.
Zones and zone-based IP spoofing | Understanding IP Spoofing
ATP Cloud | Juniper Advanced Threat Prevention Cloud (ATP Cloud)
SSL Proxy | SSL Proxy
Security Intelligence (SecIntel), Domain Name System (DNS), and ETI | Security Intelligence Overview; Understanding and Configuring DNS
Security Director |
Juniper Identity Management Service (JIMS) | Juniper Identity Management Service User Guide
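The following configuration is an added example, not configuration from the Juniper page or from Juniper, showing how several Table 1 features fit together on one cSRX: two of the in-band interfaces (ge-0/0/0 and ge-0/0/1, names taken from the Interfaces row), security zones with a zone-based IP-spoofing screen, SYN cookie protection, a basic trust-to-untrust policy, interface-based source NAT, and stream-mode security logging to a remote collector. All addresses and all zone, policy, rule and stream names are constructed placeholders. The collector transport is plain UDP syslog because the page lists TLS transport and on-box logging as unsupported on cSRX. Lines beginning with # are annotations, not part of the configuration.

```junos
# Added example (not from the Juniper page). Interface names are the cSRX
# in-band names from Table 1; addresses and object names are constructed.

# Two of the 16 in-band interfaces (ge-0/0/0 to ge-0/0/15)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24

# Basic Layer 3 forwarding: default route toward the untrust side
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Zone-based IP spoofing check plus a SYN flood screen on the untrust zone
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen tcp syn-flood
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping

# SYN cookie protection (Table 1 row "SYN cookie protection")
set security flow syn-flood-protection-mode syn-cookie

# Basic firewall policy: trust -> untrust, logged at session close
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# Source NAT to the egress interface address
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-all match source-address 192.0.2.0/24
set security nat source rule-set trust-to-untrust rule snat-all then source-nat interface

# Stream-mode security logs to a remote collector over UDP syslog
# (the page lists TLS transport and on-box logging as unsupported on cSRX)
set security log mode stream
set security log format sd-syslog
set security log source-address 203.0.113.2
set security log stream collector host 198.51.100.20
set security log stream collector host port 514
```

Paste the set commands with `load set terminal` and run `commit check` before `commit`. After traffic flows, `show security flow session` and `show security nat source rule all` confirm that sessions are created and that the NAT rule is being hit, and the collector should receive RT_FLOW session-close records for the logged policy.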

Table 2: IKE and IPsec features

Feature | Supported on cSRX
IKE Features |
Pre-shared key | Yes
Certificate authentication | Yes
IKEv1 (main mode/aggressive mode) | No
IKEv2 | Yes
Route-based VPN | Yes
Site-to-site VPN | Yes
Auto VPN | Yes
Dynamic endpoint VPN | Yes
Point-to-point tunnel interfaces | Yes
Point-to-multipoint tunnel interfaces | No
Numbered tunnel interfaces | No
Unnumbered tunnel interface | Yes
Hub-and-spoke scenario for site-to-site VPNs | Yes
Unicast static and dynamic (RIP, OSPF, BGP) routing over st0 interface | No
Virtual router | No
IKED crash recovery | Yes
Chassis Cluster | No
HA Link Encryption | No
Local address selection | Yes
Loopback address termination | No
DNS name as IKE gateway address | Yes
NAT-Traversal (NAT-T) for IPv4 IKE peers | Yes
Dead Peer Detection (DPD) | Yes
Generic proposals and policies for IPv4 and IPv6 | Yes
General IKE ID | Yes
Single proxy ID pairs | No
Multiple traffic selector pairs | Yes
Dual-stack (parallel IPv4 and IPv6 tunnels) over a single physical interface | Yes
Authentication Algorithms - md5, sha1, sha-256, sha-384, sha-512 | Yes
Encryption Algorithms - des-cbc, 3des-cbc, aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm | Yes
IKE Proposal Sets - basic, compatible, standard, prime-128, prime-256, suiteb-gcm-128, suiteb-gcm-256 | Yes
DH groups - 1, 2, 5, 14, 15, 16, 19, 20, 21, 24 | Yes
Local Identity - distinguished-name, hostname, ipv4/v6 address, user-at-hostname, key-id | Yes
Remote Identity - distinguished-name, hostname, ipv4/v6 address, user-at-hostname, key-id | Yes
IKE Reauthentication (initiator and responder) | Yes
Configuration payload | No
EAP | No
Remote Access - NCP/Licensing | No
Tunnel establishment - immediately, on-traffic, responder-only and responder-only-no-rekey mode | Yes
Distribution-Profile | No
Tunnel re-distribution | No
IKEv2 Fragmentation | Yes
SNMP MIB | No
Statistics, logs, per-tunnel debugging | Yes
IKE termination on lo0 interface | No
IPsec and Dataplane Features |
ESP and AH tunnel modes | Yes
Extended sequence number | Yes
Lifetime of IKE or IPsec SA, in seconds | Yes
Encryption Algorithms - des-cbc, 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-gcm-128, aes-gcm-256 | Yes
Authentication-algorithm - hmac-sha1-96, hmac-md5-96, hmac-sha-256-128, hmac-sha-384, hmac-sha-512 | Yes
Don't Fragment bit | Yes
IPv6 extension headers | Yes
IPsec fragmentation and reassembly | Yes
Session affinity | No
Power mode IPsec | Yes
Configurable anti-replay window | Yes
DSCP Copy | Yes
Configurable delay installation of rekeyed outbound SAs | Yes
CoS on st0 | No

SRX Series Firewall Features Not Supported on cSRX Container Firewall

Table 3 lists SRX Series Firewall features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.

Table 3: SRX Series Firewall Features Not Supported on cSRX Container Firewall

Columns: SRX Series Firewall Feature | cSRX Container Firewall | Notes

Application Layer Gateways
  • Avaya H.323

Authentication with IC Series Devices
  • Layer 2 enforcement in UAC deployments
  Note: UAC-IDP and UAC-Content Security also are not supported.

Class of Service
  • High-priority queue on SPC
  • Tunnels

Data Plane Security Log Messages (Stream Mode)
  • TLS protocol

Diagnostics Tools
  • Flow monitoring cflowd version 9
  • Ping Ethernet (CFM)
  • Traceroute Ethernet (CFM)

DNS Proxy
  • Dynamic DNS

Ethernet Link Aggregation
  • LACP in standalone or chassis cluster mode
  • Layer 3 LAG on routed ports
  • Static LAG in standalone or chassis cluster mode

Ethernet Link Fault Management
  • Physical interface (encapsulations): ethernet-ccc, ethernet-tcc, extended-vlan-ccc, extended-vlan-tcc
  • Interface family: ccc, tcc, ethernet-switching

Flow-Based and Packet-Based Processing
  • End-to-end packet debugging
  • Network processor bundling
  • Services offloading

Interfaces
  • Aggregated Ethernet interface
  • IEEE 802.1X dynamic VLAN assignment
  • IEEE 802.1X MAC bypass
  • IEEE 802.1X port-based authentication control with multisupplicant support
  • Interleaving using MLFR
  • PoE
  • PPP interface
  • PPPoE-based radio-to-router protocol
  • PPPoE interface
  • Promiscuous mode on interfaces

VPNs
  • Acadia - Clientless VPN
  • DVPN
  • Multicast for AutoVPN

IPv6 Support
  • DS-Lite concentrator (also known as AFTR)
  • DS-Lite initiator (also known as B4)

Log File Formats for System (Control Plane) Logs
  • Binary format (binary)
  • WELF

Miscellaneous
  • AppQoS
  • Chassis cluster
  • GPRS
  • Hardware acceleration
  • High availability
  • J-Web
  • Logical systems
  • MPLS
  • Outbound SSH
  • Remote instance access
  • RESTCONF
  • SNMP
  • Spotlight Secure integration
  • USB modem
  • Wireless LAN

MPLS
  • CCC and TCC
  • Layer 2 VPNs for Ethernet connections

Network Address Translation
  • Maximize persistent NAT bindings

Packet Capture
  • Packet capture
  Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth).

Routing
  • BGP extensions for IPv6
  • BGP Flowspec
  • BGP route reflector
  • Bidirectional Forwarding Detection (BFD) for BGP
  • CRTP

Switching
  • Layer 3 Q-in-Q VLAN tagging

Unsupported System Logs and Real-Time Log Functions
  cSRX does not support all the log functions supported on other SRX Series Firewalls or vSRX Virtual Firewall instances, because of its limited CPU power and disk capacity. Unsupported system logs and real-time log functions on cSRX are:
  • The binary log
  • On-box logs (the LLMD daemon is not ported)
  • On-box reports (the LLMD daemon is not ported)
  • TLS transport for sending stream-mode security logs to a remote log server
  • LSYS and tenant-related functions

Transparent Mode

Content Security
  • Content Security
  • Express AV
  • Kaspersky AV

Upgrading and Rebooting
  • Autorecovery
  • Boot instance configuration
  • Boot instance recovery
  • Dual-root partitioning
  • OS rollback

User Interfaces
  • NSM
  • SRC application
  • Junos Space Virtual Director

Multinode High Availability
  Not supported

Supported NICs and Interfaces on cSRX Container Firewall

Table 4: NIC and Interface Support on cSRX

Columns: NICs and Interfaces | Specification | Release Introduced

cSRX DPDK driver supports the following NICs:
  • SR-IOV over Intel 82599 series (Release Introduced: Junos OS Release 23.2R1)
  • SR-IOV over Intel X710/XL710
  • PCI passthrough over Intel 82599 series
  • PCI passthrough over Intel X710/XL710 series

cSRX poll mode supports the following interface types:
  • Kernel bridge interfaces