Software Licenses for SRX Series Firewalls
SRX Series Firewalls support subscription and perpetual licenses.
SRX Series Firewalls offer the following license bundles:
You can choose the license bundle based on your use case and feature requirements.
SRX Series Firewalls | Use Case | License Bundles |
---|---|---|
SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 | Data center security or SD-WAN, and Next-generation firewall with Cloud or On-box based antivirus and antispam, ATP Cloud with SecIntel | |
SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, and SRX4600 | Edge Protection with ATP Cloud Data Protection with Content Security | |
Go through the following tables:
SKU | SKU Character Description |
---|---|
S-SRX3XX/SRX1500/SRX1600/SRX2300/SRX4XXX/SRX5XXX-A1/A2/A3/P1/P2/P3-1/3/5 | S—Software; SRX3XX/SRX1500/SRX1600/SRX2300/SRX4XXX/SRX5XXX—Product name; A1—Advanced 1; A2—Advanced 2; A3—Advanced 3; P1—Premium 1; P2—Premium 2; P3—Premium 3; 1/3/5—Subscription term 1, 3, or 5 years |
SRX1500DP/EP/SRX1600DP/EP/SRX2300DP/EP/SRX4100DP/EP/SRX4200DP/EP/SRX4300DP/EP/SRX4600DP/EP-A1/A2/P1/P2-1/3/5 | S—Software; SRX1500/SRX1600/SRX2300/SRX4XXX—Product name; DP—Data center protection security; EP—Enterprise edge protection security; A1—Advanced 1; A2—Advanced 2; P1—Premium 1; P2—Premium 2; 1/3/5—Subscription term 1, 3, or 5 years |
Features Bundle Licenses | SRX Series Firewalls | Use Case |
---|---|---|
IDP, Application Security*, URL filtering, On-box antivirus, and ATP Cloud | Premium 3 | Next-generation firewall or ATP Cloud with SecIntel |
IDP, Application Security*, URL filtering, Cloud antivirus and antispam, and ATP Cloud | Premium 2 | Next-generation firewall or ATP Cloud with SecIntel |
IDP, Application Security*, and ATP Cloud | Premium 1 | Data center security or SD-WAN or ATP Cloud with SecIntel |
SecIntel, IDP, Application Security*, URL filtering, On-box antivirus and antispam | Advanced 3 | Next-generation firewall with On-box antivirus |
SecIntel, IDP, Application Security*, URL filtering, Cloud antivirus and antispam | Advanced 2 | Next-generation firewall with Cloud based antivirus and antispam |
SecIntel, IDP, and Application Security* | Advanced 1 | Data center security or SD-WAN |
Junos Base JSB (routing, firewall, switching, NAT, VPN, and MPLS) | Standard (includes hardware) | Basic firewall and secure branch routers |
Features Bundle Licenses | SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, and SRX4600 | Use Case |
---|---|---|
Includes Advanced 2 features, ATP Cloud, Adaptive Threat Profiling, Encrypted Traffic Insights, DNS Security, and IoT | EP Premium 2 | EP with ATP Cloud |
Includes Advanced 1 features, ATP Cloud, Adaptive Threat Profiling, Encrypted Traffic Insights, DNS Security, and IoT | DP Premium 1 | DP with ATP Cloud |
Includes Advanced 1 features, NextGen URL Filtering | EP Advanced 2 | Edge Protection (EP) |
Application Security, IPS, AI-Predictive Threat with Antivirus, SecIntel, and Juniper Security Director Cloud | DP Advanced 1 | Data Protection (DP) |
*Application Security includes application visibility and control through unified policy for next-gen firewall capabilities, and also enables SD-WAN capabilities with Advanced policy-based routing (APBR) and Application Quality of Experience (AppQoE).
SD-WAN Software Subscription license includes features supported in Junos OS.
SRX Series Firewalls | Premium 1 | Premium 2 | Premium 3 | Advanced 1 | Advanced 2 | Advanced 3 | Standard |
---|---|---|---|---|---|---|---|
SRX300, SRX320 | Supported | Not Supported | Not Supported | Supported | Supported | Not Supported | Supported |
SRX340, SRX345, SRX380 | Supported | Supported | Not Supported | Supported | Supported | Not Supported | Supported |
SRX1600, SRX2300, and SRX4300 | Supported | Supported | Not Applicable | Supported | Supported | Not Applicable | Supported |
SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800 | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
Subscription Licenses | SRX300, SRX320, SRX340, SRX345, and SRX380 | SRX1500 | SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, and SRX4600 | SRX4100, SRX4200, and SRX4600 | SRX5400, SRX5600, and SRX5800 |
---|---|---|---|---|---|
Premium 3 | Not Applicable | S-SRX1500-P3-1/3/5 | Not Applicable | S-SRX4XXX-P3-1/3/5 | S-SRX5XXX-P3-1/3/5 |
Premium 2 | S-SRX3XX-P2-1/3/5 | S-SRX1500-P2-1/3/5 | S-SRX1X00EP/SRX2300EP/SRX4X00EP-P2-1/3/5 | S-SRX4XXX-P2-1/3/5 | S-SRX5XXX-P2-1/3/5 |
Premium 1 | S-SRX3XX-P1-1/3/5 | S-SRX1500-P1-1/3/5 | S-SRX1X00DP/SRX2300DP/SRX4X00DP-P1-1/3/5 | S-SRX4XXX-P1-1/3/5 | S-SRX5XXX-P1-1/3/5 |
Advanced 3 | Not Applicable | S-SRX1500-A3-1/3/5 | Not Applicable | S-SR4XXX-A3-1/3/5 | S-SR5XXX-A3-1/3/5 |
Advanced 2 | S-SRX3XX-A2-1/3/5 | S-SRX1500-A2-1/3/5 | S-SRX1X00EP/SRX2300EP/SRX4X00EP-A2-1/3/5 | S-SRX4XXX-A2-1/3/5 | S-SRX5XXX-A2-1/3/5 |
Advanced 1 | S-SRX3XX-A1-1/3/5 | S-SRX1500-A1-1/3/5 | S-SRX1X00DP/SRX2300DP/SRX4X00DP-A1-1/3/5 | S-SRX4XXX-A1-1/3/5 | S-SRX5XXX-A1-1/3/5 |
- Legacy Software Licenses for SRX Series Firewalls
- Understanding Chassis Cluster Licensing Requirements
- Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Firewall Devices
- Understanding Content Security Licensing
- Installing and Verifying Licenses for an Application Signature Package
Legacy Software Licenses for SRX Series Firewalls
Each feature license is tied to exactly one software feature, and the license is valid for one device. You can use the license to activate the specified advanced software features on a single device. Platform support depends on the Junos OS release in your installation.
To understand more about Junos OS Software Licensing, see the Juniper Licensing Guide. Please refer to the product Data Sheets accessible from Products & Services for details, or contact your Juniper Account Team or Juniper Partner.
Individual licenses for ATP Cloud, SecIntel, and Enhanced Web Filtering are available. This is not a complete list of licenses. For the most up-to-date license models available, contact your Juniper Networks representative for license information.
Features with Licenses | SRX300 | SRX320 | SRX340 | SRX345 | SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 |
---|---|---|---|---|---|
Enhanced Web Filtering | Supported | Supported | Supported | Supported | Supported |
Intrusion Detection and Prevention | Supported | Supported | Supported | Supported | Supported on SRX5400, SRX5600, and SRX5800 |
Intrusion Prevention Signature | Not supported | Not supported | Not supported | Not supported | Supported on SRX1500, SRX4100, SRX4200, and SRX4600 |
Juniper Advanced Threat Prevention Cloud | Supported | Supported | Supported | Supported | Supported |
SecIntel | Supported | Supported | Supported | Supported | Supported |
Remote Access (5, 10, 25, 50, 100, 150, 250, 500, 1000, 2000, 5000, and 10K Concurrent users, NCP) | Not supported | Not supported | Not supported | Not supported | Supported |
Logical System License (1, 5, and 25 Incremental) | Not supported | Not supported | Not supported | Not supported | Supported |
SRX4100 supports enhanced performance (upgrade to firewall IMIX performance up to 20G IMIX to the base 20G IMIX firewall throughput supported and application security)
Understanding Chassis Cluster Licensing Requirements
No separate license is required for chassis cluster. However, some Junos OS software features require a license to activate the feature. To configure and use a licensed feature in a chassis cluster setup, you must purchase one license per feature per device, and the license must be installed on both nodes of the chassis cluster. Both devices that are going to form a chassis cluster must have valid, identical feature licenses installed on them. If the two devices do not have an identical set of licenses, then after a failover a feature that is not licensed on both devices might not work, or the configuration might not synchronize in chassis cluster formation. Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. For example, Intrusion Detection and Prevention (IDP) is a licensed feature, and the license for this specific feature is tied to the serial number of the device.
For information about how to purchase software licenses, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/.
Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Firewall Devices
This topic provides licensing information for SRX Series Firewalls running logical systems and tenant systems.
Starting in Junos OS Releases 20.3R3, 20.4R2, 21.1R2, and 21.2R1, you can use the features for logical systems and tenant systems without a license.
Starting in Junos OS Release 18.3R1, an SRX Series Firewall running logical systems or tenant systems includes three licenses by default: one license for the primary logical system and two licenses for user-defined logical systems or tenant systems. The system does not allow you to configure additional logical systems or tenant systems if the number of logical systems and tenant systems exceeds the number of available licenses. In earlier releases, the system allowed you to configure an additional logical system even if the number of logical systems exceeded the number of available licenses, but displayed a warning message that non-licensed logical systems do not pass traffic. You can purchase licenses for additional logical systems and tenant systems that you intend to create. If you intend to configure an interconnect logical system or interconnect tenant system to use as a switch, it also requires separate licenses.
We enforce that you do not configure more logical systems or tenant systems than the number of licenses you have purchased. If the number of logical systems or tenant systems that you attempt to configure exceeds the number of licenses that you have purchased, then the system displays an error message similar to the following:
user@host# commit
error: 2 more multitenancy license(s) are needed!
error: configuration check-out failed
You can use the show system license status all-logical-systems-tenants or show system license usage commands to view the active logical systems and tenant systems on the device.
user@host> show system license status all-logical-systems-tenants
logical system name    license status
root-logical-system    enabled
LSYS2                  enabled
LSYS0                  enabled
LSYS11                 enabled
LSYS12                 enabled
LSYS23                 enabled
TSYS1                  enabled
TSYS2                  enabled
TSYS3                  enabled

user@host> show system license usage
                    Licenses   Licenses   Licenses   Expiry
Feature name            used  installed     needed
logical-system             9         11          0   2019-05-18 08:00:00 CST
When you use SRX Series Firewalls running logical systems or tenant systems in a chassis cluster, you must purchase and install the same number of licenses for each node in the chassis cluster. Logical systems or tenant systems licenses pertain to a single chassis, or node, within a chassis cluster and not to the cluster collectively.
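The per-node requirement above, together with the earlier chassis cluster requirement that both nodes carry identical feature licenses, can be checked before a failover by comparing `show system license usage` captured from each node. This is an added example, not Juniper code: the two captures are constructed samples, and the row layout is assumed to match the output shown on this page.

```python
import re
from datetime import datetime

# Row layout of `show system license usage`: name, used, installed, needed, expiry.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
DATE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_usage(text):
    """Map feature name -> installed/needed counts and expiry string."""
    rows = {}
    for m in filter(None, map(ROW.match, text.splitlines())):  # headers never match
        name, _used, installed, needed, expiry = m.groups()
        rows[name] = {"installed": int(installed), "needed": int(needed), "expiry": expiry}
    return rows

def expired(expiry, now):
    """True for a dated expiry in the past; 'permanent' carries no date."""
    m = DATE.match(expiry)  # timezone suffix ignored: treated as device-local time
    return bool(m) and datetime.strptime(m.group(), "%Y-%m-%d %H:%M:%S") < now

def cluster_findings(node0_text, node1_text, now):
    """List every licensing gap between the two chassis cluster nodes."""
    nodes = {"node0": parse_usage(node0_text), "node1": parse_usage(node1_text)}
    findings = []
    for feature in sorted(set(nodes["node0"]) | set(nodes["node1"])):
        counts = {n: rows.get(feature, {}).get("installed", 0) for n, rows in nodes.items()}
        for node, rows in nodes.items():
            if counts[node] == 0:
                findings.append(f"{feature}: not licensed on {node}")
                continue
            if rows[feature]["needed"] > 0:
                findings.append(f"{feature}: {node} needs {rows[feature]['needed']} more")
            if expired(rows[feature]["expiry"], now):
                findings.append(f"{feature}: expired on {node} ({rows[feature]['expiry']})")
        if 0 not in counts.values() and counts["node0"] != counts["node1"]:
            findings.append(f"{feature}: installed counts differ {counts}")
    return findings

# Constructed sample captures, one per node (not output from a real device).
NODE0 = """  Feature name           used installed    needed  Expiry
  appid-sig                 1         1         0  2030-01-01 08:00:00 CST
  logical-system            9        11         0  2019-05-18 08:00:00 CST
"""
NODE1 = """  Feature name           used installed    needed  Expiry
  logical-system            9         5         4  permanent
"""

if __name__ == "__main__":
    print("\n".join(cluster_findings(NODE0, NODE1, datetime(2025, 1, 1))))
```

An empty result means both nodes report the same installed counts, nothing outstanding in the needed column, and no dated license past its expiry.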
Understanding Content Security Licensing
The majority of Content Security features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs. You redeem your license by entering your authorization code and chassis serial number into the Customer Service license portal interface. Once your entitlement is generated, you can use the CLI from your device to send a license update request to the license portal. The license portal then sends your subscription license directly to the device.
Content Security requires 1 GB of memory.
Content Security Feature | Requires License |
---|---|
Antispam | Yes |
Antivirus: sophos | Yes |
Content Filtering | No |
Web Filtering: integrated | Yes |
Web Filtering: redirect | No |
Web Filtering: local | No |
Web Filtering: enhanced | Yes |
License enforcement is supported on all SRX Series Firewalls. Licensed features, including antivirus or Enhanced Web Filtering, will not function until a license has been installed. The license must be installed after installing or upgrading to a new Junos OS Release version. Unlicensed features such as Content Security blocklists and allowlists will continue to function without a license.
Installing and Verifying Licenses for an Application Signature Package
The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content.
Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. These instructions assume that you already have the license. If you did not order the license during the purchase of the device, contact your account team or Juniper customer care for assistance. For more information, refer to the Knowledge Base article KB9731 at https://kb.juniper.net/InfoCenter/index?page=home.
Junos Software Base (JSB) package does not include application signatures. Please refer to the product Data Sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper Partner.
You can install the license on the SRX Series Firewall devices using either the automatic method or manual method as follows:
- Install your license automatically on the device.
  To install or update your license automatically, your device must be connected to the Internet.
  user@host> request system license update
  Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.
- Install the licenses manually on the device.
  user@host> request system license add terminal
  [Type ^D at a new line to end input, enter blank line between each license key]
  Paste the license key and press Enter to continue.
- Verify the license is installed on your device.
  Use the show system license command to view license usage, as shown in the following example:
  License usage:
                      Licenses   Licenses   Licenses   Expiry
  Feature name            used  installed     needed
  logical-system             4          1          3   permanent

  License identifier: JUNOSXXXXXX
  License version: 2
  Valid for device: AA4XXXX005
  Features:
    appid-sig - APPID Signature
      date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8
The output sample is truncated to display only license usage details.