
Juniper Mist WAN Assurance Platform Considerations

Juniper’s AI-driven SD-WAN solution with Juniper Mist WAN Assurance is a complete logical SD-WAN abstraction of the Transport layer that simplifies your network. Before you deploy, you need to know which Juniper platform you will use with Juniper Mist WAN Assurance. The Juniper Networks® SRX Series Firewalls and the Juniper Networks® SSR Series Router (Session Smart™ Router) feed real-time statistics for monitoring and troubleshooting analysis. In the Mist portal (the portal), you can then deploy, monitor, optimize, and troubleshoot Mist devices across the LAN, wireless LAN (WLAN), and SD-WAN infrastructure through a unified dashboard. Both platforms create and manage a secure SD-WAN by creating an overlay across the WAN. However, the two platforms approach the challenge differently.

This is why understanding your Juniper Mist WAN Assurance platform matters. Each solution uniquely solves the Transport Layer network's complexity, monitoring issues, and expense issues. The Juniper Networks SRX Series Firewall and WAN Assurance are ideal for your current SRX Series deployments. The SRX Series becomes a full Juniper AI-driven SD-WAN device with Juniper Mist WAN Assurance that uses traditional IPsec tunnels for secure and predictable connectivity across your overlay network. Alternatively, you can use Juniper Mist WAN Assurance to deploy the proprietary Secure Vector Routing (SVR) technology on Session Smart™ Routers in the following scenarios:

  • You are migrating from the Conductor-managed Session Smart™ Router to Juniper Mist WAN Assurance
  • You want to use the Session Smart™ solution in Mist

SRX Series in Juniper Mist WAN Assurance

The Juniper Networks® SRX Series is a hardware-based firewall and security platform that is a powerful routing solution in Juniper Mist WAN Assurance. The SRX Series helps protect your enterprise network against distinct cyber threats. The SRX Series provides the following benefits:

  • Comprehensive security features
  • The ability to be configured to create secure VPNs
  • Deployment capabilities for enterprises that need a worldwide network
  • Advanced analytics and reporting

The SRX Series' comprehensive security features include the following:

  • Intrusion prevention
  • Anti-virus monitoring
  • Anti-spam filtering
  • Web filtering

When you deploy the SRX Series as a router in Juniper Mist WAN Assurance, you’ll use the SRX Series’ ability to create secure IPsec tunnels. Those tunnels between various locations build the SD-WAN across an overlay network for secure connectivity. The SRX Series runs the Juniper Networks Junos® operating system (Junos OS) to send and route traffic via IPv4 or IPv6, OSPF, BGP, and multicast across multiple interfaces. The SRX Series monitors these connections and provides advanced analytics and reporting capabilities in Juniper Mist WAN Assurance. This telemetry gives you greater visibility into network activity and security threats. In addition to its security features, the SRX Series in Juniper Mist WAN Assurance gives you high network availability and scalability. Because the SRX Series is versatile, you can automate zero-touch provisioning (ZTP) and agile security operations that support Python scripts. Using these tools, you can script and orchestrate network events to simplify network operations.

If you are upgrading to Juniper Mist WAN Assurance on your existing SRX Series, you’re no longer authoring multiple policies and filters to ensure that routing behaves as expected. Using the SRX as a router before Mist required many lines of code to ensure the desired behavior. This is no longer the case with the intent-driven model of Juniper Mist WAN Assurance. Mist AI automatically generates the requisite routing policies and filters for destinations with a few simple clicks.

  1. First, you identify which source (Network) goes to which destination (Application).
  2. Next, you choose how that traffic egresses your device and on which interface (Traffic Steering).
  3. Finally, express how the source of traffic gets to the destination using the intent-driven model in Mist AI (Application Policy).

With this simple expression, WAN Assurance generates your routing rules and policies for you.

As a security-based product, the SRX Series router lets you control connections across multiple network interfaces. You can control connections while managing and securing Multi-Protocol Label Switched (MPLS), broadband, and 4G LTE wireless links. These links span supported legacy interfaces, and you can expand the SRX Series router interfaces with WAN modules. These flexible, redundant WAN modules include T1/E1, ADSL2/2+, VDSL2, and 3G/4G LTE options.

With Juniper Mist WAN Assurance, the SRX Series is more than just a firewall. You gain application-based context across the WAN for liveness, path quality, and utilization. This visibility means faster diagnostics without sifting through hours of packet captures, shortening WAN mean time to repair (MTTR). The SRX Series also provides network segmentation. Segmentation enables you to tailor security and management policies based on zones, VLANs, and IPsec VPNs. Segmentation also enables virtual routers to create internal, external, and DMZ subgroups.

Finally, the SRX Series router in Juniper Mist WAN Assurance provides ZTP to simplify initial deployments in branches where IT resources may be limited or unavailable. You can deploy your organization with thousands of configured devices in hours, not weeks, using templates, variables, and scaling with Juniper Mist WAN Assurance.

Important points to note, in no particular order, when routing with the SRX Series in WAN Assurance:

Interface Assignment in Juniper Mist WAN Assurance

  • Spokes initiate the conversation to the hub via secure IPsec tunnels to create the SD-WAN overlay.
  • LAN and WAN configurations on the device itself configure the interfaces and security zones as follows:
    • For the LAN, Mist derives the zone's name from the specified network's name.
    • For the WAN, Mist derives the zone's name from the WAN's name.
    • The WAN interfaces become the connection across the SD-WAN.

Juniper Mist WAN Assurance Networks

  • WAN Assurance Networks define the Address Books for the SRX Series used as the source in Security Policies and APBR Policy.

Juniper Mist WAN Assurance Applications

The WAN Assurance Application determines the destination used in a Security Policy as follows:

  • Custom Apps are defined by a Layer 3/Layer 4 IP address and port.
  • Apps use the on-box SRX Layer 7 AppID engine.
  • URL Categories are Forcepoint URL categories.

Juniper Mist WAN Assurance Traffic Steering

  • WAN Assurance Traffic Steering configures Forwarding-type Routing Instances and the relevant routing policy to import routes.

Juniper Mist WAN Assurance Application Policy

  • WAN Assurance Application Policy configures the SRX Series security policy.
  • Application Policy also configures the APBR based on the Traffic Steering and NAT based on your WAN configuration.

Session Smart™ Router in WAN Assurance

Juniper® SD-WAN driven by Mist AI™, combined with Juniper® Session Smart™ Routers deployed in Juniper Mist™ WAN Assurance, provides several benefits. These benefits include a patented, tunnel-free approach that offers network insights, anomaly detection, and automated troubleshooting. Mist WAN Assurance comes with zero-trust security, zero-touch provisioning (ZTP), and WAN Assurance telemetry-based insights. The Mist portal showcases metrics like liveness, jitter, latency, loss, or mean opinion score (MOS) for critical applications and traffic. By monitoring these metrics, the Session Smart Router implements stateful failovers in real time. When links do not meet the Session Smart service-level agreement (SLA), the whole session fails over in a stateful transition to a better-performing path with minimal interruption to the service. Regardless of transport, this stateful failover for critical applications is imperceptible to the user.

Benefits of the Session Smart™ Router

With the Session Smart Router, you experience zero-trust, service-based, dynamic next-hop routing via a patented and unique approach to routing called secure vector routing (SVR). This type of routing doesn’t consist of simple IPsec tunnels to create an overlay network. Using SVR, the Session Smart Router builds routes by checking the request's source and destination. The Session Smart Router constructs a list of next hops through a proprietary conversation between peers over Bidirectional Forwarding Detection (BFD) on port 1280. That Session Smart™ Routing conversation includes the Session Smart Router’s unique implementation of bidirectional forwarding detection for liveness and path health to peer Session Smart Routers. The conversation also consists of a metadata exchange between routers to better inform them of routing variables. These variables include source and destination, session counts, path and router health, and metrics for path selection.

A Session Smart™ AI-driven SD-WAN solution

Juniper Mist WAN Assurance and the Juniper Session Smart Router build a complete, software-defined WAN (SD-WAN) solution. The Mist AI dashboard replaces the Conductor (for those familiar with Juniper® Session Smart™ Conductor-based deployments). Mist manages all the Session Smart global data for you. Newly spun-up Session Smart Routers are automatically configured with pushed-down organization-wide information. Finally, in WAN Assurance, routing policies are simplified with the intent-driven policies within Mist AI. You no longer map PCI addresses, establish services, or tag network interfaces to tenants. In addition, Mist AI ensures that all the proprietary SVR occurs seamlessly, without the heavy up-front configuration of the Conductor deployment. Mist WAN Assurance removes pain points and keyboard time. Tasks such as configuring multiple sites, monitoring a whole network, and resolving issues are simplified.

Comparison: Session Smart™ Conductor Deployment

Session Smart Routers are managed by the Session Smart Conductor for air gap or on-premises needs. But when connectivity to the cloud is possible, you can leverage all the benefits of Juniper’s AI-driven SD-WAN solution. You cannot manage a Conductor-based Session Smart Router with the Mist Cloud. There is the option for telemetry, where Mist monitors the Session Smart BFD communication. However, there are no Juniper AI-driven SD-WAN benefits with this option. So, what’s different when using a Mist-managed Session Smart Router SD-WAN deployment? Unlike the configuration for the Conductor, there’s no need to express individual interface addresses and values.

The Session Smart Overlay

The whole point of SD-WAN is the abstraction of the Transport Layer to simplify troubleshooting and maximize connectivity across interfaces. In Mist, you don’t need to spend hours on configuration as you would with a Conductor-managed Session Smart Router. But, in the background, Mist still configures the Session Smart values of Services, Tenants, Peers, and Neighborhoods to leverage the benefits of the tunnel-free Secure Vector Routing. The Conductor-based lexicon is translated on-box from a REST call in JSON that is pushed down from the Mist cloud to the WAN Assurance device.

The Session Smart Router in WAN Assurance functions as follows:

  • The Session Smart Router is, first and foremost, a router and will use the most specific matches for addresses.
  • Spokes initiate the conversation to the hub via Secure Vector Routes between Session Smart peers to create the SD-WAN overlay.

Juniper Mist WAN Assurance Networks

  • WAN Assurance Networks define the Tenant (source) of the request for SVR. (This is the “Who.”)

Juniper Mist WAN Assurance Applications

  • WAN Assurance Applications determine the Service (destination) used in SVR. (This is the “What.”)
  • Services can be a custom set of ports, protocols, prefixes, custom domains, or app names from the built-in AppID library.
    • Custom Apps are defined with a set of ports, protocols, and prefixes, which translates directly to a Service around which the policy revolves.

Juniper Mist WAN Assurance Traffic Steering

  • WAN Assurance Traffic Steering encompasses the policies that wrap around the Service-centric Conductor data model in the background. (This is the “How.”)

Juniper Mist WAN Assurance Application Policy

  • WAN Assurance Application Policy is the source of the Mist intent-driven model.
  • Application Policy configures the “Who,” “What” and “How” to generate the Service Routes for the next hops to peer Session Smart routers based on your WAN configuration.
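
The "Who," "What," and "How" resolution described above, as an added conceptual model for reviewing intent before deployment (not Juniper code and not the Mist API). All class names, network names, and prefixes are hypothetical, and returning "deny" when no Application Policy matches is an assumption of this sketch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:          # the "Who": Tenant (source)
    name: str
    prefix: str

@dataclass(frozen=True)
class Application:      # the "What": Service (destination), Custom App style
    name: str
    prefix: str
    protocol: str
    ports: range

@dataclass(frozen=True)
class Policy:           # Application Policy: binds Who + What to a "How"
    network: str
    application: str
    steering: str       # name of a Traffic Steering path

def most_specific(items, addr):
    """Return the item whose prefix contains addr with the longest mask, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [i for i in items if ip in ipaddress.ip_network(i.prefix)]
    return max(hits, key=lambda i: ipaddress.ip_network(i.prefix).prefixlen, default=None)

def resolve(flow, networks, apps, policies):
    """Map (src, dst, proto, port) to a steering path name, or 'deny' (assumed default)."""
    src, dst, proto, port = flow
    who = most_specific(networks, src)
    what = most_specific([a for a in apps if a.protocol == proto and port in a.ports], dst)
    if who is None or what is None:
        return "deny"
    for p in policies:
        if p.network == who.name and p.application == what.name:
            return p.steering
    return "deny"

# Constructed sample intent: "guest" is a more specific prefix inside "corp".
NETWORKS = [Network("corp", "10.0.0.0/8"), Network("guest", "10.99.0.0/16")]
APPS = [Application("erp", "172.16.10.0/24", "tcp", range(443, 444)),
        Application("any-web", "0.0.0.0/0", "tcp", range(443, 444))]
POLICIES = [Policy("corp", "erp", "overlay-to-hub"),
            Policy("corp", "any-web", "local-breakout"),
            Policy("guest", "any-web", "local-breakout")]

if __name__ == "__main__":
    for f in [("10.1.2.3", "172.16.10.5", "tcp", 443), ("10.99.1.1", "172.16.10.5", "tcp", 443)]:
        print(f, "->", resolve(f, NETWORKS, APPS, POLICIES))
```

Because the source is resolved by most-specific match, a guest address inside the corporate supernet is treated as "guest" and does not inherit the corporate policy toward the ERP service.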
