-
Product Overview
The SRX1500 is a next-generation firewall and security services gateway offering outstanding protection, performance, scalability, availability, and security service integration. Designed for port density, a high-performance security services architecture, and seamless integration of networking and security in a single platform, the SRX1500 is best suited for client protection in enterprise campus, regional headquarters, or cloud-based security solutions with a focus on application visibility and control, intrusion prevention, and advanced threat protection. The SRX1500 is powered by Junos OS, the industry-leading operating system that keeps the world’s largest and most mission-critical enterprise networks secure.Product Description
The Juniper Networks® SRX1500 is a high-peformance next-generation firewall and security services gateway that protects mission-critical networks at campuses and regional headquarters. The SRX1500 provides best-in-class security and threat detection and mitigation capabilities, integrating carrier-class routing and feature-rich switching in a single platform. The SRX1500 delivers a next-generation security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services in an enterprise campus, connecting to the cloud, complying with industry standards, or achieving operational efficiency, the SRX1500 helps organizations realize their business objectives while providing scalable, easy-to-manage, secure connectivity and advanced threat detection and mitigation capabilities. The SRX1500 protects critical corporate assets as a next-generation firewall, acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience. A combination of hardware and software architectures on the SRX1500 add significant performance improvements to a small 1 U form factor. The key to the SRX1500 hardware is the security flow accelerator, a programmable high-speed Layer 4 firewall chip, and a robust x86-based security compute engine for advanced security services like application visibility, intrusion prevention, and threat mitigation capabilities. The SRX1500 software architecture leverages these programmable hardware components and virtualization to deliver high-speed firewall performance, application visibility, and intrusion prevention while lowering total cost of ownership (TCO). The SRX1500 is purpose-built to protect 10GbE network environments, consolidating multiple security services and networking functions in a highly available appliance. It supports up to 9.2 Gbps of firewall performance, 3.3 Gbps of intrusion prevention, and 4.5 Gbps of IPsec VPN in enterprise campus, regional headquarters, and data center deployments.SRX1500 Highlights
The SRX1500 delivers a full complement of next-generation firewall capabilities that use advanced application identification and classification to enable greater visibility, enforcement, control, and protection over the network. It provides a detailed analysis of application volume and usage, fine-grained application control policies to allow or deny traffic based on dynamic application name or group names, and prioritization of traffic based on application information and context. The SRX1500 recognizes more than 4,275 applications and nested applications in plain-text or SSL encrypted transactions. The SRX1500 also integrates with Microsoft Active Directory and combines user information with application data to provide network-wide application and user visibility and control.For the perimeter, the SRX1500 Firewall offers a comprehensive suite of application security services, threat defenses, and intelligence services to protect networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks ATP Cloud offers adaptive threat protection against command and control (C&C)-related botnets and policy enforcement based on GeoIP. Integrating the Juniper Networks Advanced Threat Prevention Cloud solution, or working with the Juniper Networks ATP Appliance, the SRX1500 detects and enforces automated protection against known malware and zero-day threats with an extremely high degree of accuracy. The SRX1500 enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management. The SRX1500 delivers fully automated SD-WAN to both enterprises and service providers. A Zero-Touch Provisioning (ZTP) capability simplifies branch network connectivity for initial deployment and ongoing management. Due to its high performance and scale, the SRX1500 acts as a VPN hub and terminates VPN/secure overlay connections in the various SD-WAN topologies. The SRX1500 Firewall runs Juniper Networks Junos® operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks worldwide. These rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.Features and Benefits
Business Requirement Feature/Solution SRX1500 Advantages High performance Up to 9 Gbps of firewall performance - Best suited for enterprise campus and data center edge deployments
- Addresses future needs for scale and feature capacity
High quality end-user experience Application visibility and control - Detects 4,275 Layer 3-7 applications, including Web 2.0
- Controls and prioritizes traffic based on application and user role
- Inspects and detects applications inside the SSL encrypted traffic
Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Restores visibility lost due to encryption, without the heavy burden of full TLS/SSL decryption
Professional-grade networking services Routing, switching, and secure wire - Supports carrier-class advanced routing, quality of service (QoS), and services
- Offers flexible deployment modes (L1/L2/L3)
Highly secure IPsec VPN, remote access/SSL VPN, secure boot - Provides high-performance IPsec VPN with dedicated crypto engine
- Simplifies large VPN deployments with auto VPN and group VPN
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
- Verifies binaries that execute on the hardware with secure boot
High reliability Chassis cluster, redundant power supply - Provides stateful configuration and session synchronization
- Supports active/active and active/backup deployment scenarios
- Offers highly available hardware with dual PSU, redundant fans
Easy to manage and scale On-box GUI, Security Director - Enables centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
- Includes simple easy-to-use on-box GUI for local management
Lower TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces OpEx with Junos OS automation capabilities
SRX1500 Firewall Specifications
Software Specifications
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomalies
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
- Juniper Secure Connect: Remote access/SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH)/Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
High Availability Features
- Virtual Router Redundancy Protocol (VRRP)
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Service Software Upgrade (ISSU)
- IP monitoring with route and interface failover
Application Security Services1
- Application visibility and control
- Application-based firewall
- Application QoS
- Advanced/application policy-based routing (APBR)
- Application Quality of Experience (AppQoE)
- Application-based multipath routing
Threat Defense and Intelligence Services1
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention, a cloud-based SaaS offering, to detect and block zero-day attacks
- Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
Routing Protocols
- IPv4, IPv6
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with Route Reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Switching Features
- ASIC-based Layer 2 forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- LLDP and LLDP-MED
- STP, RSTP, MSTP
- MVRP
- 802.1X authentication
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP monitoring
- Juniper flow monitoring (J-Flow)
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
Advanced Routing Services
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L2 MPLS VPN, pseudo-wires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Juniper Networks Junos Space and Security Director
- Python
- Junos OS event, commit and OP scripts
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
Hardware Specifications
2Performance numbers based on UDP packets and RFC2544 test methodology. 3Performance numbers based on HTTP traffic with 44 KB transaction size. 4Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions 5Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions -
Product Overview
The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).Product Description
Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:- SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20Gbps firewall and 4.4 Gbps IPSec VPN in a single, consolidated, cost-effective networking and security platform.
SRX300 Highlights
The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:- Ethernet, T1/E1, ADSL2/2+, and VDSL
- 3G/4G LTE wireless
- 802.11ac Wave 2 Wi-Fi
Mist AI
WAN Assurance
Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.- SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
- Insights derived from SRX Series SD-WAN gateway telemetry data allows WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
- The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
- Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
Simplifying Branch Deployments (Secure Connectivity/SD-WAN)
The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.- A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
- SRX300 firewalls offer best-in-class secure connectivity.
- The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
- Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
Comprehensive Security Suite
The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.Industry-Certified Junos Operating System
SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.Features and Benefits
Business Requirement Feature/Solution SRX300 Advantages High performance Up to 20 Gbps of routing and firewall performance - Best suited for small, medium and large branch office deployments
- Addresses future needs for scale and feature capacity
Business continuity Stateful high availability (HA), IP monitoring - Uses stateful HA to synchronize configuration and firewall sessions
- Supports multiple WAN interface with dial-on-demand backup
- Route/link failover based on real-time link performance
SD-WAN Better end-user application and cloud experience and lower operational costs - ZTP simplifies remote device provisioning
- Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
- Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
- Controls and prioritizes traffic based on application and user role
End-user experience WAN assurance - Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
- Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
Highly secure IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec) - Creates secure, reliable, and fast overlay link over public internet
- Employs anti-counterfeit features to protect from unauthorized hardware spares
- Includes high-performance CPU with built-in hardware to assist IPsec acceleration
- Provides TPM-based protection of device secrets such as passwords and certificates
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds - Provides real-time updates to IPS signatures and protects against exploits
- Protects from zero-day attacks
- Implements industry-leading antivirus and URL filtering
- Integrates open threat intelligence platform with third-party feeds
- Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
Application visibility On-box GUI, Security Director - Detects 4,275 Layer 3-7 applications, including Web 2.0
- Inspects and detects applications inside the SSL encrypted traffic
Easy to manage and scale On-box GUI, Security Director - Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
Minimize TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces operation expense with Junos automation capabilities
SRX300 Specifications
Software Specifications
Routing Protocols
- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with Route Reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Switching Features
- ASIC-based Layer 2 Forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- LLDP and LLDP-MED
- STP, RSTP, MSTP
- MVRP
- 802.1X authentication
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection (Forward-proxy)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
- Juniper Secure Connect: Remote access / SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP-monitoring
- Juniper flow monitoring (J-Flow)1
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
High Availability Features
- Virtual Router Redundancy Protocol (VRRP)
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Band Cluster Upgrade (ICU)
- Dial on-demand backup interfaces
- IP monitoring with route and interface failover
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Mist AI
- Simplified management
- WAN Assurance
- Junos Space and Security Director
- Python
- Junos OS event, commit, and OP script
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
- Zero-Touch Provisioning with Contrail Service Orchestration
Advanced Routing Services
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L3 MPLS VPN, pseudowires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
Application Security Services1
- Application visibility and control
- Application-based firewall
- Application QoS
- Application-based advanced policy-based routing
- Application quality of experience (AppQoE)
Enhanced SD-WAN Services
- Application-based advanced policy-based routing (APBR)
- Application-based link monitoring and switchover with Application quality of experience (AppQoE)
Threat Defense and Intelligence Services1
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
Hardware Specifications
2SRX320 with PoE+ ports available as a separate SKU: SRX320-POE. 3SRX345 with dual AC PSU model. 4SRX320 non PoE model. 5SRX320-POE with 6 ports PoE+ model. 6SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria). 7As per GR63 Issue 4 (2012) test criteria. Specification SRX300 SRX320 SRX340 SRX345 SRX380 Connectivity Total onboard ports 8x1GbE 8x1GbE 16x1GbE 16x1GbE 20 (16x1GbE, 4x10GbE) Onboard RJ-45 ports 6x1GbE 6x1GbE 8x1GbE 8x1GbE 16x1GbE Onboard small form-factor pluggable (SFP) transceiver ports 2x1GbE 2x1GbE 8x1GbE 8x1GbE 4x10GbE SFP+ MACsec-capable ports 2x1GbE 2x1GbE 16x1GbE 16x1GbE 16x1GbE 4x10GbE Out-of-band (OOB) management ports 0 0 1x1GbE 1x1GbE 1x1GbE Mini PIM (WAN) slots 0 2 4 4 4 Console (RJ-45 + miniUSB) 1 1 1 1 1 USB 3.0 ports (type A) 1 1 1 1 1 PoE+ ports N/A 62 0 0 16 Memory and Storage System memory (RAM) 4 GB 4 GB 4 GB 4 GB 4GB Storage 8 GB 8 GB 8 GB 8 GB 100GB SSD SSD slots 0 0 1 1 1 Dimensions and Power Form factor Desktop Desktop 1 U 1 U 1U Size (WxHxD) 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)3 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm) Weight (device and PSU) 4.38 lb (1.98 kg) 3.28 lb (1.51 kg)4 / 3.4 lb (1.55 kb)5 10.80 lb (4.90 kg) 10.80 lb (4.90 kg) / 11.02 lb (5 kg)6 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU Redundant PSU No No No No Yes Power supply AC (external) AC (external) AC (internal) AC (internal) / DC (internal)6 1+1 hot-swappable AC PSU Rated DC voltage range N/A N/A N/A -48 to -60 VDC (with -15% and +20% tolerance) NA Rated DC operating voltage range N/A N/A N/A -40.8 VDC to -72 VDC6 N/A Maximum PoE power N/A 180 W5 N/A N/A 480W Average power consumption 24.9 W 46 W4/221 W5 122 W 122 W 150 W (without PoE) 510 W (with PoE) Average heat dissipation 85 BTU/h 157 BTU/h4/755 BTU/h5 420 BTU/h 420 BTU/h 511.5 BTU/hr (without PoE) Maximum current consumption 0.346 A 0.634 A4/2.755 A5 1.496 A 1.496 A / 6A @ -48 VDC6 1.79A/7.32A Acoustic noise level 0dB (fanless) 37 dBA4/40 dBA5 45.5 dBA 45.5 dBA < 50dBA @ room temperature 27C Airflow/cooling Fanless Front to back Front to back Front to back Front to back Environmental, Compliance, and Safety Certification Operational temperature -4° to 140° F (-20° to 60° C)7 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) -22° to 131° F (-30° to 55° C) for SRX345-DC 32° to 104° F (0° to 40° C) with MPIMs32° to 122° F (0° to 50° C) without MPIMs Nonoperational temperature -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -22° to 158° F (-30° to 70° C) for SRX345-DC -4° to 158° F (-20° to 70° C) Operating humidity 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing Nonoperating humidity 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing Meantime between failures (MTBF) 44.5 years 32.5 years4/ 26 years5 27 years 27.4 years 28.1 years FCC classification Class A Class A Class A Class A Class A RoHS compliance RoHS 2 RoHS 2 RoHS 2 RoHS 2 RoHS 2 FIPS 140-2 Level 2 (Junos 15.1X49-D60) Level 1 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) N/A Common Criteria certification NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) N/A Performance and Scale
8Throughput numbers based on UDP packets and RFC2544 test methodology. 9Throughput numbers based on HTTP traffic with 44 KB transaction size. 10Route scaling numbers are with enhanced route-scale features turned on. 11Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions 12Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions -
Product Overview
The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).Product Description
Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:- SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20Gbps firewall and 4.4 Gbps IPSec VPN in a single, consolidated, cost-effective networking and security platform.
SRX300 Highlights
The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:- Ethernet, T1/E1, ADSL2/2+, and VDSL
- 3G/4G LTE wireless
- 802.11ac Wave 2 Wi-Fi
Mist AI
WAN Assurance
Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.- SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
- Insights derived from SRX Series SD-WAN gateway telemetry data allows WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
- The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
- Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
Simplifying Branch Deployments (Secure Connectivity/SD-WAN)
The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.- A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
- SRX300 firewalls offer best-in-class secure connectivity.
- The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
- Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
Comprehensive Security Suite
The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.Industry-Certified Junos Operating System
SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.Features and Benefits
Business Requirement Feature/Solution SRX300 Advantages High performance Up to 20 Gbps of routing and firewall performance - Best suited for small, medium and large branch office deployments
- Addresses future needs for scale and feature capacity
Business continuity Stateful high availability (HA), IP monitoring - Uses stateful HA to synchronize configuration and firewall sessions
- Supports multiple WAN interface with dial-on-demand backup
- Route/link failover based on real-time link performance
SD-WAN Better end-user application and cloud experience and lower operational costs - ZTP simplifies remote device provisioning
- Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
- Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
- Controls and prioritizes traffic based on application and user role
End-user experience WAN assurance - Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
- Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
Highly secure IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec) - Creates secure, reliable, and fast overlay link over public internet
- Employs anti-counterfeit features to protect from unauthorized hardware spares
- Includes high-performance CPU with built-in hardware to assist IPsec acceleration
- Provides TPM-based protection of device secrets such as passwords and certificates
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds - Provides real-time updates to IPS signatures and protects against exploits
- Protects from zero-day attacks
- Implements industry-leading antivirus and URL filtering
- Integrates open threat intelligence platform with third-party feeds
- Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
Application visibility On-box GUI, Security Director - Detects 4,275 Layer 3-7 applications, including Web 2.0
- Inspects and detects applications inside the SSL encrypted traffic
Easy to manage and scale On-box GUI, Security Director - Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
Minimize TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces operation expense with Junos automation capabilities
SRX300 Specifications
Software Specifications
Routing Protocols
- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with Route Reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Switching Features
- ASIC-based Layer 2 Forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- LLDP and LLDP-MED
- STP, RSTP, MSTP
- MVRP
- 802.1X authentication
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection (Forward-proxy)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
- Juniper Secure Connect: Remote access / SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP-monitoring
- Juniper flow monitoring (J-Flow)1
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
High Availability Features
- Virtual Router Redundancy Protocol (VRRP)
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Band Cluster Upgrade (ICU)
- Dial on-demand backup interfaces
- IP monitoring with route and interface failover
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Mist AI
- Simplified management
- WAN Assurance
- Junos Space and Security Director
- Python
- Junos OS event, commit, and OP script
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
- Zero-Touch Provisioning with Contrail Service Orchestration
Advanced Routing Services
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L3 MPLS VPN, pseudowires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
Application Security Services1
- Application visibility and control
- Application-based firewall
- Application QoS
- Application-based advanced policy-based routing
- Application quality of experience (AppQoE)
Enhanced SD-WAN Services
- Application-based advanced policy-based routing (APBR)
- Application-based link monitoring and switchover with Application quality of experience (AppQoE)
Threat Defense and Intelligence Services1
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
Hardware Specifications
2SRX320 with PoE+ ports available as a separate SKU: SRX320-POE. 3SRX345 with dual AC PSU model. 4SRX320 non PoE model. 5SRX320-POE with 6 ports PoE+ model. 6SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria). 7As per GR63 Issue 4 (2012) test criteria. Specification SRX300 SRX320 SRX340 SRX345 SRX380 Connectivity Total onboard ports 8x1GbE 8x1GbE 16x1GbE 16x1GbE 20 (16x1GbE, 4x10GbE) Onboard RJ-45 ports 6x1GbE 6x1GbE 8x1GbE 8x1GbE 16x1GbE Onboard small form-factor pluggable (SFP) transceiver ports 2x1GbE 2x1GbE 8x1GbE 8x1GbE 4x10GbE SFP+ MACsec-capable ports 2x1GbE 2x1GbE 16x1GbE 16x1GbE 16x1GbE 4x10GbE Out-of-band (OOB) management ports 0 0 1x1GbE 1x1GbE 1x1GbE Mini PIM (WAN) slots 0 2 4 4 4 Console (RJ-45 + miniUSB) 1 1 1 1 1 USB 3.0 ports (type A) 1 1 1 1 1 PoE+ ports N/A 62 0 0 16 Memory and Storage System memory (RAM) 4 GB 4 GB 4 GB 4 GB 4GB Storage 8 GB 8 GB 8 GB 8 GB 100GB SSD SSD slots 0 0 1 1 1 Dimensions and Power Form factor Desktop Desktop 1 U 1 U 1U Size (WxHxD) 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)3 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm) Weight (device and PSU) 4.38 lb (1.98 kg) 3.28 lb (1.51 kg)4 / 3.4 lb (1.55 kb)5 10.80 lb (4.90 kg) 10.80 lb (4.90 kg) / 11.02 lb (5 kg)6 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU Redundant PSU No No No No Yes Power supply AC (external) AC (external) AC (internal) AC (internal) / DC (internal)6 1+1 hot-swappable AC PSU Rated DC voltage range N/A N/A N/A -48 to -60 VDC (with -15% and +20% tolerance) NA Rated DC operating voltage range N/A N/A N/A -40.8 VDC to -72 VDC6 N/A Maximum PoE power N/A 180 W5 N/A N/A 480W Average power consumption 24.9 W 46 W4/221 W5 122 W 122 W 150 W (without PoE) 510 W (with PoE) Average heat dissipation 85 BTU/h 157 BTU/h4/755 BTU/h5 420 BTU/h 420 BTU/h 511.5 BTU/hr (without PoE) Maximum current consumption 0.346 A 0.634 A4/2.755 A5 1.496 A 1.496 A / 6A @ -48 VDC6 1.79A/7.32A Acoustic noise level 0dB (fanless) 37 dBA4/40 dBA5 45.5 dBA 45.5 dBA < 50dBA @ room temperature 27C Airflow/cooling Fanless Front to back Front to back Front to back Front to back Environmental, Compliance, and Safety Certification Operational temperature -4° to 140° F (-20° to 60° C)7 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) -22° to 131° F (-30° to 55° C) for SRX345-DC 32° to 104° F (0° to 40° C) with MPIMs32° to 122° F (0° to 50° C) without MPIMs Nonoperational temperature -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -22° to 158° F (-30° to 70° C) for SRX345-DC -4° to 158° F (-20° to 70° C) Operating humidity 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing Nonoperating humidity 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing Meantime between failures (MTBF) 44.5 years 32.5 years4/ 26 years5 27 years 27.4 years 28.1 years FCC classification Class A Class A Class A Class A Class A RoHS compliance RoHS 2 RoHS 2 RoHS 2 RoHS 2 RoHS 2 FIPS 140-2 Level 2 (Junos 15.1X49-D60) Level 1 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) N/A Common Criteria certification NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) N/A Performance and Scale
8Throughput numbers based on UDP packets and RFC2544 test methodology. 9Throughput numbers based on HTTP traffic with 44 KB transaction size. 10Route scaling numbers are with enhanced route-scale features turned on. 11Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions 12Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions Parameter SRX300 SRX320 SRX340 SRX345 SRX380 Routing with packet mode (64 B packet size) in Kpps8 300 300 550 750 1700 Routing with packet mode (IMIX packet size) in Mbps8 800 800 1,600 2,300 5000 Routing with packet mode (1,518 B packet size in Mbps8 1,500 1,500 3,000 5,500 10,000 Stateful firewall (64 B packet size) in Kpps8 200 200 350 550 1700 Stateful firewall (IMIX packet size) in Mbps8 600 600 1,100 1,500 6,500 Stateful firewall (1,518 B packet size) in Mbps8 1,900 1,900 4,700 5,000 20,000 IPsec VPN (IMIX packet size) in Mbps8 116 116 239 325 1400 IPsec VPN (1,400 B packet size) in Mbps8 336 336 733 977 4,400 Application visibility and control in Mbps9 500 500 1,000 1,700 6,000 Recommended IPS in Mbps9 200 200 400 600 2,000 Next-generation firewall in Mbps11 226 226 420 430 2,500 Secure Web Access firewall in Mbps12 171 171 280 295 1,800 Route table size (RIB/FIB) (IPv4 or IPv6) 256,000/256,000 256,000/256,000 1 million/600,00010 1 million/600,00010 1 million/600,00010 Maximum concurrent sessions (IPv4 or IPv6) 64,000 64,000 256,000 375,000 380,000 Maximum security policies 1,000 1,000 2,000 4,000 4,000 Connections per second 5,000 5,000 10,000 15,000 50,000 NAT rules 1,000 1,000 2,000 2,000 3,000 MAC table size 15,000 15,000 15,000 15,000 16,000 IPsec VPN tunnels 256 256 1,024 2,048 2,048 Number of remote access/SSL VPN (concurrent) users 25 50 150 250 500 GRE tunnels 256 256 512 1,024 2,048 Maximum number of security zones 16 16 64 64 128 Maximum number of virtual routers 32 32 64 128 128 Maximum number of VLANs 1,000 1,000 2,000 3,000 3,000 AppID sessions 16,000 16,000 64,000 64,000 64,000 IPS sessions 16,000 16,000 64,000 64,000 64,000 URLF sessions 16,000 16,000 64,000 64,000 64,000 WAN and Wi-Fi Interface Support Matrix
WAN and Wi-Fi Interface SRX300 SRX320 SRX340 SRX345 SRX380 1 port T1/E1 MPIM (SRX-MP-1T1E1-R) No Yes Yes Yes Yes 1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) No Yes Yes Yes Yes 4G / LTE MPIM (SRX-MP-LTE-AA and SRX-MP-LTE-AE) No Yes Yes Yes Yes 802.11ac Wave 2 Wi-Fi MPIM No Yes Yes Yes Yes WAN and Wi-Fi Interface Module Performance Data
Interface Module Description Performance 4G/LTE Dual SIM 4G/LTE-A CAT 6 Up to 300 Mbps download and 50 Mbps upload Wi-Fi MPIM Dual band 802.11 a/b/g/n/ac Wave 2 (2x2 MIMO) Up to 866 Mbps at 5GHz / 300 Mbps at 2.4GHz Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.Ordering Information
To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html11 Based on concurrent users; two free licenses included SRXnnn-SYS-JB Hardware Included Management (CLI, JWEB, SNMP, Telnet, SSH) Included Ethernet switching (L2 Forwarding, IRB, LACP etc) Included L2 Transparent, Secure Wire Included Routing (RIP, OSPF, BGP, Virtual router) Included Multicast (IGMP, PIM, SSDP, DMVRP) Included Packet Mode Included Overlay (GRE, IP-IP) Included Network Services (J-Flow, DHCP, QOS, BFD) Included Stateful Firewall, Screens, ALGs Included NAT (static, SNAT, DNAT) Included IPSec VPN (Site-to-Site VPN, Auto VPN, Group VPN) Included Firewall policy enforcement (UAC, Aruba CPPM) Included Remote Access/SSL VPN (concurrent users)11 Optional Chassis Cluster, VRRP, ISSU/ICU Included Automation (Junos scripting, auto-installation) Included MPLS, LDP, RSVP, L3 VPN, pseudo-wires, VPLS Included Base System Model Numbers
Product Number Description SRX300-SYS-JB SRX300 Firewalls includes hardware (8GbE, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX320-SYS-JB SRX320 Firewalls includes hardware (8GbE, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX320-SYS-JB-P SRX320 Firewalls includes hardware (8GbE, 6-port POE+, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX340-SYS-JB SRX340 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB-2AC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, dual AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB-DC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, single DC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX380-P-SYS-JB-AC SRX380 Firewalls includes hardware (16GbE PoE+, 4x10GbE, 4x MPIM slots, 4GB RAM, 100GB SSD, single AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) Software Licenses
12The S-SRXnnn-P2-1/3/5 year SKUs are only available for the SRX340, SRX345, and SRX380 models. Product Number Description S-SRXnnn-A1-1 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 1-year subscription (example: S-SRX380-A1-1) S-SRXnnn-A1-3 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 3-year subscription (example: S-SRX380-A1-3) S-SRXnnn-A1-5 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 5-year subscription (example: S-SRX380-A1-5] S-SRXnnn-P1-1 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 1-year subscription (example: S-SRX380-P1-1) S-SRXnnn-P1-3 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 3-year subscription (example: S-SRX380-P1-3) S-SRXnnn-P1-5 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 5-year subscription (example: S-SRX380-P1-5) S-SRXnnn-A2-1 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 1-year subscription (example: S-SRX380-A2-1) S-SRXnnn-A2-3 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 3-year subscription (example: S-SRX380-A2-3) S-SRXnnn-A2-5 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 5-year subscription (example: S-SRX380-A2-5) S-SRXnnn-P2-112 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 1-year subscription (example: S-SRX380-P2-1) S-SRXnnn-P2-312 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 3-year subscription (example: S-SRX380-P2-3) S-SRXnnn-P2-512 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 5-year subscription (example: S-SRX380-P2-5) Remote Access/Juniper Secure Connect VPN Licenses
Product Number Description S-RA3-SRX300-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX320-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX340-S-1 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX345-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX380-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX300-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX320-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX340-S-3 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX345-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX380-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year Interface Modules
Product Number Description SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. ROHS complaint SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL / ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. ROHS complaint SRX-MP-LTE-AA 4G / LTE MPIM support 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M SRX-MP-LTE-AE 4G / LTE MPIM support 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for U.S. regulatory bands only. SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for worldwide regulatory bands (excluding U.S. and Israel). SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for Israel regulatory bands only. SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms Accessories
Product Number Description SRX300-RMK0 SRX300 rack mount kit with adaptor tray SRX300-RMK1 SRX300 rack mount kit without adaptor tray SRX300-WALL-KIT0 SRX300 wall mount kit with brackets SRX320-P-RMK0 SRX320-POE rack mount kit with adaptor tray SRX320-P-RMK1 SRX300-POE rack mount kit without adaptor tray SRX320-RMK0 SRX320 rack mount kit with adaptor tray SRX320-RMK1 SRX320 rack mount kit without adaptor tray SRX320-WALL-KIT0 SRX320 wall mount kit with brackets SRX34X-RMK SRX340 and SRX345 rack mount kit EX-4PST-RMK SRX380 rack mount kit JSU-SSD-MLC-100 Juniper Storage Unit, SSD, MLC, 100GB JPSU-600-AC-AFO SRX380 600W AC PSU, front-to-back -
Product Overview
The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).Product Description
Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:- SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
- SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20Gbps firewall and 4.4 Gbps IPSec VPN in a single, consolidated, cost-effective networking and security platform.
SRX300 Highlights
The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:- Ethernet, T1/E1, ADSL2/2+, and VDSL
- 3G/4G LTE wireless
- 802.11ac Wave 2 Wi-Fi
Mist AI
WAN Assurance
Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.- SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
- Insights derived from SRX Series SD-WAN gateway telemetry data allows WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
- The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
- Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
Simplifying Branch Deployments (Secure Connectivity/SD-WAN)
The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.- A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
- SRX300 firewalls offer best-in-class secure connectivity.
- The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
- Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
Comprehensive Security Suite
The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.Industry-Certified Junos Operating System
SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.Features and Benefits
Business Requirement Feature/Solution SRX300 Advantages High performance Up to 20 Gbps of routing and firewall performance - Best suited for small, medium and large branch office deployments
- Addresses future needs for scale and feature capacity
Business continuity Stateful high availability (HA), IP monitoring - Uses stateful HA to synchronize configuration and firewall sessions
- Supports multiple WAN interface with dial-on-demand backup
- Route/link failover based on real-time link performance
SD-WAN Better end-user application and cloud experience and lower operational costs - ZTP simplifies remote device provisioning
- Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
- Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
- Controls and prioritizes traffic based on application and user role
End-user experience WAN assurance - Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
- Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
Highly secure IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec) - Creates secure, reliable, and fast overlay link over public internet
- Employs anti-counterfeit features to protect from unauthorized hardware spares
- Includes high-performance CPU with built-in hardware to assist IPsec acceleration
- Provides TPM-based protection of device secrets such as passwords and certificates
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds - Provides real-time updates to IPS signatures and protects against exploits
- Protects from zero-day attacks
- Implements industry-leading antivirus and URL filtering
- Integrates open threat intelligence platform with third-party feeds
- Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
Application visibility On-box GUI, Security Director - Detects 4,275 Layer 3-7 applications, including Web 2.0
- Inspects and detects applications inside the SSL encrypted traffic
Easy to manage and scale On-box GUI, Security Director - Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
Minimize TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces operation expense with Junos automation capabilities
SRX300 Specifications
Software Specifications
Routing Protocols
- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with Route Reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Switching Features
- ASIC-based Layer 2 Forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- LLDP and LLDP-MED
- STP, RSTP, MSTP
- MVRP
- 802.1X authentication
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection (Forward-proxy)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
- Juniper Secure Connect: Remote access / SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP-monitoring
- Juniper flow monitoring (J-Flow)1
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
High Availability Features
- Virtual Router Redundancy Protocol (VRRP)
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Band Cluster Upgrade (ICU)
- Dial on-demand backup interfaces
- IP monitoring with route and interface failover
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Mist AI
- Simplified management
- WAN Assurance
- Junos Space and Security Director
- Python
- Junos OS event, commit, and OP script
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
- Zero-Touch Provisioning with Contrail Service Orchestration
Advanced Routing Services
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L3 MPLS VPN, pseudowires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
Application Security Services1
- Application visibility and control
- Application-based firewall
- Application QoS
- Application-based advanced policy-based routing
- Application quality of experience (AppQoE)
Enhanced SD-WAN Services
- Application-based advanced policy-based routing (APBR)
- Application-based link monitoring and switchover with Application quality of experience (AppQoE)
Threat Defense and Intelligence Services1
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
Hardware Specifications
2SRX320 with PoE+ ports available as a separate SKU: SRX320-POE. 3SRX345 with dual AC PSU model. 4SRX320 non PoE model. 5SRX320-POE with 6 ports PoE+ model. 6SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria). 7As per GR63 Issue 4 (2012) test criteria. Specification SRX300 SRX320 SRX340 SRX345 SRX380 Connectivity Total onboard ports 8x1GbE 8x1GbE 16x1GbE 16x1GbE 20 (16x1GbE, 4x10GbE) Onboard RJ-45 ports 6x1GbE 6x1GbE 8x1GbE 8x1GbE 16x1GbE Onboard small form-factor pluggable (SFP) transceiver ports 2x1GbE 2x1GbE 8x1GbE 8x1GbE 4x10GbE SFP+ MACsec-capable ports 2x1GbE 2x1GbE 16x1GbE 16x1GbE 16x1GbE 4x10GbE Out-of-band (OOB) management ports 0 0 1x1GbE 1x1GbE 1x1GbE Mini PIM (WAN) slots 0 2 4 4 4 Console (RJ-45 + miniUSB) 1 1 1 1 1 USB 3.0 ports (type A) 1 1 1 1 1 PoE+ ports N/A 62 0 0 16 Memory and Storage System memory (RAM) 4 GB 4 GB 4 GB 4 GB 4GB Storage 8 GB 8 GB 8 GB 8 GB 100GB SSD SSD slots 0 0 1 1 1 Dimensions and Power Form factor Desktop Desktop 1 U 1 U 1U Size (WxHxD) 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)3 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm) Weight (device and PSU) 4.38 lb (1.98 kg) 3.28 lb (1.51 kg)4 / 3.4 lb (1.55 kb)5 10.80 lb (4.90 kg) 10.80 lb (4.90 kg) / 11.02 lb (5 kg)6 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU Redundant PSU No No No No Yes Power supply AC (external) AC (external) AC (internal) AC (internal) / DC (internal)6 1+1 hot-swappable AC PSU Rated DC voltage range N/A N/A N/A -48 to -60 VDC (with -15% and +20% tolerance) NA Rated DC operating voltage range N/A N/A N/A -40.8 VDC to -72 VDC6 N/A Maximum PoE power N/A 180 W5 N/A N/A 480W Average power consumption 24.9 W 46 W4/221 W5 122 W 122 W 150 W (without PoE) 510 W (with PoE) Average heat dissipation 85 BTU/h 157 BTU/h4/755 BTU/h5 420 BTU/h 420 BTU/h 511.5 BTU/hr (without PoE) Maximum current consumption 0.346 A 0.634 A4/2.755 A5 1.496 A 1.496 A / 6A @ -48 VDC6 1.79A/7.32A Acoustic noise level 0dB (fanless) 37 dBA4/40 dBA5 45.5 dBA 45.5 dBA < 50dBA @ room temperature 27C Airflow/cooling Fanless Front to back Front to back Front to back Front to back Environmental, Compliance, and Safety Certification Operational temperature -4° to 140° F (-20° to 60° C)7 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) -22° to 131° F (-30° to 55° C) for SRX345-DC 32° to 104° F (0° to 40° C) with MPIMs32° to 122° F (0° to 50° C) without MPIMs Nonoperational temperature -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -22° to 158° F (-30° to 70° C) for SRX345-DC -4° to 158° F (-20° to 70° C) Operating humidity 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing 10% to 90% noncondensing Nonoperating humidity 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing 5% to 95% noncondensing Meantime between failures (MTBF) 44.5 years 32.5 years4/ 26 years5 27 years 27.4 years 28.1 years FCC classification Class A Class A Class A Class A Class A RoHS compliance RoHS 2 RoHS 2 RoHS 2 RoHS 2 RoHS 2 FIPS 140-2 Level 2 (Junos 15.1X49-D60) Level 1 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) N/A Common Criteria certification NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) N/A Performance and Scale
8Throughput numbers based on UDP packets and RFC2544 test methodology. 9Throughput numbers based on HTTP traffic with 44 KB transaction size. 10Route scaling numbers are with enhanced route-scale features turned on. 11Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions 12Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions Parameter SRX300 SRX320 SRX340 SRX345 SRX380 Routing with packet mode (64 B packet size) in Kpps8 300 300 550 750 1700 Routing with packet mode (IMIX packet size) in Mbps8 800 800 1,600 2,300 5000 Routing with packet mode (1,518 B packet size in Mbps8 1,500 1,500 3,000 5,500 10,000 Stateful firewall (64 B packet size) in Kpps8 200 200 350 550 1700 Stateful firewall (IMIX packet size) in Mbps8 600 600 1,100 1,500 6,500 Stateful firewall (1,518 B packet size) in Mbps8 1,900 1,900 4,700 5,000 20,000 IPsec VPN (IMIX packet size) in Mbps8 116 116 239 325 1400 IPsec VPN (1,400 B packet size) in Mbps8 336 336 733 977 4,400 Application visibility and control in Mbps9 500 500 1,000 1,700 6,000 Recommended IPS in Mbps9 200 200 400 600 2,000 Next-generation firewall in Mbps11 226 226 420 430 2,500 Secure Web Access firewall in Mbps12 171 171 280 295 1,800 Route table size (RIB/FIB) (IPv4 or IPv6) 256,000/256,000 256,000/256,000 1 million/600,00010 1 million/600,00010 1 million/600,00010 Maximum concurrent sessions (IPv4 or IPv6) 64,000 64,000 256,000 375,000 380,000 Maximum security policies 1,000 1,000 2,000 4,000 4,000 Connections per second 5,000 5,000 10,000 15,000 50,000 NAT rules 1,000 1,000 2,000 2,000 3,000 MAC table size 15,000 15,000 15,000 15,000 16,000 IPsec VPN tunnels 256 256 1,024 2,048 2,048 Number of remote access/SSL VPN (concurrent) users 25 50 150 250 500 GRE tunnels 256 256 512 1,024 2,048 Maximum number of security zones 16 16 64 64 128 Maximum number of virtual routers 32 32 64 128 128 Maximum number of VLANs 1,000 1,000 2,000 3,000 3,000 AppID sessions 16,000 16,000 64,000 64,000 64,000 IPS sessions 16,000 16,000 64,000 64,000 64,000 URLF sessions 16,000 16,000 64,000 64,000 64,000 WAN and Wi-Fi Interface Support Matrix
WAN and Wi-Fi Interface SRX300 SRX320 SRX340 SRX345 SRX380 1 port T1/E1 MPIM (SRX-MP-1T1E1-R) No Yes Yes Yes Yes 1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) No Yes Yes Yes Yes 4G / LTE MPIM (SRX-MP-LTE-AA and SRX-MP-LTE-AE) No Yes Yes Yes Yes 802.11ac Wave 2 Wi-Fi MPIM No Yes Yes Yes Yes WAN and Wi-Fi Interface Module Performance Data
Interface Module Description Performance 4G/LTE Dual SIM 4G/LTE-A CAT 6 Up to 300 Mbps download and 50 Mbps upload Wi-Fi MPIM Dual band 802.11 a/b/g/n/ac Wave 2 (2x2 MIMO) Up to 866 Mbps at 5GHz / 300 Mbps at 2.4GHz Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.Ordering Information
To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html11 Based on concurrent users; two free licenses included SRXnnn-SYS-JB Hardware Included Management (CLI, JWEB, SNMP, Telnet, SSH) Included Ethernet switching (L2 Forwarding, IRB, LACP etc) Included L2 Transparent, Secure Wire Included Routing (RIP, OSPF, BGP, Virtual router) Included Multicast (IGMP, PIM, SSDP, DMVRP) Included Packet Mode Included Overlay (GRE, IP-IP) Included Network Services (J-Flow, DHCP, QOS, BFD) Included Stateful Firewall, Screens, ALGs Included NAT (static, SNAT, DNAT) Included IPSec VPN (Site-to-Site VPN, Auto VPN, Group VPN) Included Firewall policy enforcement (UAC, Aruba CPPM) Included Remote Access/SSL VPN (concurrent users)11 Optional Chassis Cluster, VRRP, ISSU/ICU Included Automation (Junos scripting, auto-installation) Included MPLS, LDP, RSVP, L3 VPN, pseudo-wires, VPLS Included Base System Model Numbers
Product Number Description SRX300-SYS-JB SRX300 Firewalls includes hardware (8GbE, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX320-SYS-JB SRX320 Firewalls includes hardware (8GbE, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX320-SYS-JB-P SRX320 Firewalls includes hardware (8GbE, 6-port POE+, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included. SRX340-SYS-JB SRX340 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB-2AC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, dual AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX345-SYS-JB-DC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, single DC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) SRX380-P-SYS-JB-AC SRX380 Firewalls includes hardware (16GbE PoE+, 4x10GbE, 4x MPIM slots, 4GB RAM, 100GB SSD, single AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching) Software Licenses
12The S-SRXnnn-P2-1/3/5 year SKUs are only available for the SRX340, SRX345, and SRX380 models. Product Number Description S-SRXnnn-A1-1 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 1-year subscription (example: S-SRX380-A1-1) S-SRXnnn-A1-3 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 3-year subscription (example: S-SRX380-A1-3) S-SRXnnn-A1-5 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 5-year subscription (example: S-SRX380-A1-5] S-SRXnnn-P1-1 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 1-year subscription (example: S-SRX380-P1-1) S-SRXnnn-P1-3 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 3-year subscription (example: S-SRX380-P1-3) S-SRXnnn-P1-5 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 5-year subscription (example: S-SRX380-P1-5) S-SRXnnn-A2-1 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 1-year subscription (example: S-SRX380-A2-1) S-SRXnnn-A2-3 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 3-year subscription (example: S-SRX380-A2-3) S-SRXnnn-A2-5 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 5-year subscription (example: S-SRX380-A2-5) S-SRXnnn-P2-112 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 1-year subscription (example: S-SRX380-P2-1) S-SRXnnn-P2-312 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 3-year subscription (example: S-SRX380-P2-3) S-SRXnnn-P2-512 SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 5-year subscription (example: S-SRX380-P2-5) Remote Access/Juniper Secure Connect VPN Licenses
Product Number Description S-RA3-SRX300-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX320-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX340-S-1 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX345-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX380-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year S-RA3-SRX300-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX320-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX340-S-3 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX345-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year S-RA3-SRX380-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year Interface Modules
Product Number Description SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. ROHS complaint SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL / ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. ROHS complaint SRX-MP-LTE-AA 4G / LTE MPIM support 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M SRX-MP-LTE-AE 4G / LTE MPIM support 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for U.S. regulatory bands only. SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for worldwide regulatory bands (excluding U.S. and Israel). SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for Israel regulatory bands only. SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms Accessories
Product Number Description SRX300-RMK0 SRX300 rack mount kit with adaptor tray SRX300-RMK1 SRX300 rack mount kit without adaptor tray SRX300-WALL-KIT0 SRX300 wall mount kit with brackets SRX320-P-RMK0 SRX320-POE rack mount kit with adaptor tray SRX320-P-RMK1 SRX300-POE rack mount kit without adaptor tray SRX320-RMK0 SRX320 rack mount kit with adaptor tray SRX320-RMK1 SRX320 rack mount kit without adaptor tray SRX320-WALL-KIT0 SRX320 wall mount kit with brackets SRX34X-RMK SRX340 and SRX345 rack mount kit EX-4PST-RMK SRX380 rack mount kit JSU-SSD-MLC-100 Juniper Storage Unit, SSD, MLC, 100GB JPSU-600-AC-AFO SRX380 600W AC PSU, front-to-back -
SRX380 Overview:
The SRX300 line of services gateways combines security, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for costeffective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).Product Description
Juniper Networks SRX300 line of services gateways delivers a next-generation networking and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of four models:- SRX300: Securing small branch or retail offices, the SRX300 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 3 Gbps firewall and 600 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 800 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
- SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor.
Highlights
The SRX300 line of services gateways consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:- Ethernet, T1/E1, ADSL2/2+, and VDSL
- 3G/4G LTE wireless
- 802.11ac Wave 2 Wi-Fi
Mist AI
WAN Assurance Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Services Gateways, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.- SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
- Insights derived from SRX Series SD-WAN gateway telemetry data allows WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
- The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
- Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
- A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
- SRX300 firewalls offer best-in-class secure connectivity.
- The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
- Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
Comprehensive Security Suite
The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.Industry-Certified Junos Operating System
SRX300 Services Gateways run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.Features & Benefits:
Business Requirement Feature/Solution SRX300 Advantages High performance Up to 5 Gbps of routing and firewall performance - Best suited for small, medium and large branch office deployments
- Addresses future needs for scale and feature capacity
Business continuity Stateful high availability (HA), IP monitoring - Uses stateful HA to synchronize configuration and firewall sessions
- Supports multiple WAN interface with dial-on-demand backup
- Route/link failover based on real-time link performance
SD-WAN Better end-user application and cloud experience and lower operational costs - ZTP simplifies remote device provisioning
- Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
- Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
- Controls and prioritizes traffic based on application and user role
End-user experience WAN assurance - Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
- Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
Highly secure IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec) - Creates secure, reliable, and fast overlay link over public internet
- Employs anti-counterfeit features to protect from unauthorized hardware spares
- Includes high-performance CPU with built-in hardware to assist IPsec acceleration
- Provides TPM-based protection of device secrets such as passwords and certificates
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds - Provides real-time updates to IPS signatures and protects against exploits
- Protects from zero-day attacks
- Implements industry-leading antivirus and URL filtering
- Integrates open threat intelligence platform with third-party feeds
- Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
Application visibility On-box GUI, Security Director - Detects 3500+ Layer 3-7 applications, including Web 2.0
- Inspects and detects applications inside the SSL encrypted traffic
Easy to manage and scale On-box GUI, Security Director - Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
Minimize TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces operation expense with Junos automation capabilities
Technical Specifications:
Model: SRX300 SRX320 SRX340 SRX345 SRX380 Connectivity Total onboard ports 8x1GbE 8x1GbE 16x1GbE 16x1GbE 20 (16x1GbE, 4x10GbE) Onboard RJ-45 ports 6x1GbE 6x1GbE 8x1GbE 8x1GbE 16x1GbE Onboard small form-factor pluggable (SFP) transceiver ports 2x1GbE 2x1GbE 8x1GbE 8x1GbE 4x10GbE SFP+ MACsec-capable ports 2x1GbE 2x1GbE 16x1GbE 16x1GbE 16x1GbE 4x10GbE Out-of-Band (OOB) management ports 0 0 1x1GbE 1x1GbE 1x1GbE Mini PIM (WAN) slots 0 2 4 4 4 Console (RJ-45 + miniUSB) 1 1 1 1 1 USB 3.0 ports (type A) 1 1 1 1 1 Optional PoE+ ports N/A 61 0 0 16 Memory and Storage System memory (RAM) 4 GB 4 GB 4 GB 4 GB 4GB Storage (flash) 8 GB 8 GB 8 GB 8 GB 100GB SSD SSD slots 0 0 1 1 1 Dimensions and Power SRX300 SRX320 SRX340 SRX345 SRX380 Form factor Desktop Desktop 1U 1U 1U Size (WxHxD) 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)2 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm) Weight (device and PSU) 4.38 lb (1.98 kg) 3.28 lb (1.51 kg)3 / 3.4 lb (1.55 kb)4 10.80 lb (4.90 kg) 10.80 lb (4.90 kg) / 11.02 lb (5 kg)5 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU Redundant PSU No No No Yes Yes Power supply AC (external) AC (external) AC (external) AC (internal) / DC (internal)5 1+1 hot-swappable AC PSU DC Input N/A N/A N/A -40.8 VDC to -72 VDC5 N/A Maximum PoE power N/A 180 W4 N/A N/A 480W Average power consumption 15.4 W 27 W3 / 112 W4 122 W 122 W 150 W (without PoE) 510 W (with PoE) Average heat dissipation 85 BTU/h 157 BTU/h3 / 755 BTU/h4 420 BTU/h 420 BTU/h 511.5 BTU/hr (without PoE) Maximum current consumption 0.346 A 0.634 A3 / 2.755 A4 1.496 A 1.496 A / 6A @ -48 VDC5 1.79A/7.32A Acoustic noise level 0dB (fanless) 37 dBA3 / 40 dBA4 45.5 dBA 45.5 dBA < 50dBA @ room temperature 27C Airflow/cooling Fanless Front to back Front to back Front to back Front to back Environmental, Compliance, and Safety Certification SRX300 SRX320 SRX340 SRX345 SRX380 Operating temperature 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) -22° to 131° F (-30° to 55° C) for SRX345-DC 32° to 104° F (0° to 40° C) with MPIMs 32° to 122° F (0° to 50° C) without MPIMs Nonoperating temperature 4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -22° to 158° F (-30° to 70° C) for SRX345-DC -4° to 158° F (-20° to 70° C) Operating humidity 10% to 90% noncondensing Nonoperating humidity 5% to 95% noncondensing Meantime between failures (MTBF) 44.5 years 32.5 years3 / 26 years4 27 years 27.4 years 28.1 years FCC classification Class A Class A Class A Class A Class A RoHS compliance RoHS 2 RoHS 2 RoHS 2 RoHS 2 RoHS 2 FIPS 140-2 Level 2 (Junos 15.1X49-D60) Level 1 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) N/A Common Criteria certification NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) N/A Performance and Scale SRX300 SRX320 SRX340 SRX345 SRX380 Routing with packet mode (64 B packet size) in Kpps7 300 300 550 750 1,700 Routing with packet mode (IMIX packet size) in Mbps7 800 800 1,600 2,300 5,000 Routing with packet mode (1,518 B packet size in Mbps7 1,500 1,500 3,000 5,500 10,000 Stateful firewall (64 B packet size) in Kpps7 200 200 350 550 1,700 Stateful firewall (IMIX packet size) in Mbps7 500 500 1,100 1,700 4,000 Stateful firewall (1,518 B packet size) in Mbps7 1,000 1,000 3,000 5,000 10,000 IPsec VPN (IMIX packet size) in Mbps7 100 100 200 300 1,000 IPsec VPN (1,400 B packet size) in Mbps7 300 300 600 800 3,500 Application visibility and control in Mbps8 500 500 1,000 1,700 6,000 Recommended IPS in Mbps8 200 200 400 600 2,000 Next-generation firewall in Mbps8 100 100 200 300 1,000 Route table size (RIB/FIB) (IPv4 or IPv6) 256,000/256,000 256,000/256,000 1 million/600,0009 1 million/600,0009 1 million/600,0009 Maximum concurrent sessions (IPv4 or IPv6) 64,000 64,000 256,000 375,000 380,000 Maximum security policies 1,000 1,000 2,000 4,000 4,000 Connections per second 5,000 5,000 10,000 15,000 50,000 NAT rules 1,000 1,000 2,000 2,000 3,000 MAC table size 15,000 15,000 15,000 15,000 16,000 IPsec VPN tunnels 256 256 1,024 2,048 2,048 Number of remote access uses 25 50 150 250 500 GRE tunnels 256 256 512 1,024 2,048 Maximum number of security zones 16 16 64 64 128 Maximum number of virtual routers 32 32 64 128 128 Maximum number of VLANs 1,000 1,000 2,000 3,000 3,000 AppID sessions 16,000 16,000 64,000 64,000 64,000 IPS sessions 16,000 16,000 64,000 64,000 64,000 URLF sessions 16,000 16,000 64,000 64,000 64,000 WAN Interface SRX300 SRX320 SRX340 SRX345 SRX380 1 port T1/E1 MPIM (SRX-MP-1T1E1-R) No Yes Yes Yes Yes 1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) No Yes Yes Yes Yes 1 port serial MPIM (SRX-MP-1SERIAL-R) No Yes Yes Yes Yes 4G / LTE MPIM (SRX-MP-LTE-AA & SRX-MP-LTE-AE) No Yes Yes Yes Yes Additional Specification Features:
Routing Protocols- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with Route Reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
- ASIC-based Layer 2 Forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- LLDP and LLDP-MED
- STP, RSTP, MSTP
- MVRP
- 802.1X authentication
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection (Forward-proxy)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
- Tunnels: Generic routing encapsulation (GRE)3, IP-IP3, IPsec
- Juniper Secure Connect: Remote access / SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
Network Services- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP-monitoring
- Juniper flow monitoring (J-Flow)
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
- Virtual Router Redundancy Protocol (VRRP)10
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Band Cluster Upgrade (ICU)
- Dial on-demand backup interfaces
- IP monitoring with route and interface failover
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Mist AI
- Simplified management
- WAN Assurance
- Junos Space and Security Director
- Python
- Junos OS event, commit, and OP script
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
- Zero-Touch Provisioning with Contrail Service Orchestration
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L3 MPLS VPN, pseudowires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
- Application visibility and control
- Application-based firewall
- Application QoS
- Application-based advanced policy-based routing
- Application quality of experience (AppQoE)
- Application-based advanced policy-based routing (APBR)
- Application-based link monitoring and switchover with Application quality of experience (AppQoE)
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
1 SRX320 with PoE+ ports available as a separate SKU: SRX320-POE. 2 3SRX345 with dual AC PSU model. 3 4SRX320 non PoE model. 4 5SRX320-POE with 6 ports PoE+ model. 5 6SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria). 6 7As per GR63 Issue 4 (2012) test criteria. 7 Throughput numbers based on UDP packets and RFC2544 test methodology. 8 9Throughput numbers based on HTTP traffic with 44 KB transaction size. 9 10Route scaling numbers are with enhanced route-scale features turned on. 10 Offered as advanced security services subscription licenses.
Documentation:
Download the Juniper Networks SRX300 Line of Services Gateways Datasheet (PDF). -
Product Overview
The SRX4100 and SRX4200 Firewalls offer outstanding protection, performance, scalability, availability, and integrated security services. Designed for high-performance security services architectures and seamless integration of networking and security in a single platform, the SRX4100 and SRX4200 are best suited for enterprise data centers, campuses, and regional headquarters, with a focus on application visibility and control, intrusion prevention, advanced threat protection, authentication, confidentiality of information, and integrated cloud-based security. Both devices are powered by Junos OS, the industry-leading operating system that keeps the world’s largest mission-critical enterprise networks secure.Product Description
The Juniper Networks® SRX4100 and SRX4200 Firewalls are high-performance, next-generation firewalls and hardware-accelerated security services gateways that protect mission-critical data center networks, enterprise campuses, and regional headquarters. The SRX4100 and SRX4200 provide best-in-class security and advanced threat mitigation capabilities and integrate carrier-class routing. The SRX4100 and SRX4200 deliver fully automated SD-WAN to both enterprises and service providers. Their high performance and scale allow the SRX4100 and SRX4200 to act as VPN hubs, terminating VPN/secure overlay connections in various SD-WAN topologies. The SRX4100 and SRX4200 deliver a next-generation security solution that supports the changing needs of cloud-enabled enterprise networks, helping organizations realize their business objectives whether rolling out new services in an enterprise data center or campus, or connecting to the cloud. The SRX4100 and SRX4200 comply with industry standards, delivering the scalability, ease of management, secure connectivity, and advanced threat mitigation capabilities businesses need. The SRX4100 and SRX4200 protect critical corporate assets such as next-generation firewalls, act as enforcement points for cloud-based security solutions, and provide application visibility and control to improve the user and application experience.Architecture and Key Components
The SRX4100 and SRX4200 hardware and software architecture provides cost-effective security performance in a small 1 U form factor. Purpose-built to protect up to 40 Gbps Internet Mix (IMIX) firewall throughput network environments, the SRX4100 and SRX4200 incorporate multiple security services and networking functions on top of the industry-leading Juniper Networks Junos® operating system. The SRX4100 supports up to 22 Gbps (IMIX) of firewall performance, 9 Gbps of next- generation firewall (application security, intrusion prevention, and logging), and 14.8 Gbps of IPsec VPN in data center, enterprise campus, and regional headquarter deployments with IMIX traffic patterns. The SRX4200 supports up to 44 Gbps of firewall performance, 18 Gbps of next-generation firewall, and up to 29.6 Gbps of IPsec VPN in data center, enterprise campus, and regional headquarter deployments with IMIX traffic patterns.Table 1. SRX4100 and SRX4200 Statistics¹1Performance, capacity and features listed are based on systems running Junos OS 21.4R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. 2Next-Generation Datacenter Firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions 3Secure Web Access Firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions SRX4100 SRX4200 Firewall throughput 40 Gbps 80 Gbps Firewall throughput—IMIX 22 Gbps 44 Gbps Firewall throughput with application security 19.9 Gbps 39.8 Gbps IPsec VPN throughput-IMIX 14.8 Gbps 29.6 Gbps Intrusion prevention 13.9 Gbps 27.7 Gbps NGFW2 throughput 9 Gbps 18 Gbps Secure Web Access3 throughput 6.7 Gbps 13.3 Gbps Connections per second 250000 500000 Maximum session 5 million 10 million The SRX4100 and SRX4200 recognize more than 4,275 applications and nested applications in plain-text or SSL-encrypted transactions. The firewalls also integrate with Microsoft Active Directory and combine user information with application data to provide network-wide application and user visibility and control.Features and Benefits
Table 2. SRX4100 and SRX4200 Features and BenefitsBusiness Requirement Feature/Solution SRX4100/SRX4200 Advantages High performance Up to 80 Gbps of firewall throughput (up to 40 Gbps of IMIX firewall throughput) - Best suited for enterprise campus and data center edge deployments
- Ideal for secure router deployments at the head office
- Addresses future needs for scale and feature capacity
High-quality end-user experience Application visibility and control - Detects 3,500+ L3-L7 applications, including Web 2.0
- Controls and prioritizes traffic based on application and use role
- Inspects and detects applications inside SSL-encrypted traffic
Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Restores visibility lost due to encryption, without the heavy burden of full TLS/SSL decryption
Professional-grade networking services Routing, secure wire - Supports carrier-class advanced routing and quality of service (QoS)
Highly secure IPsec VPN, Remote Access/SSL VPN - Provides high-performance IPsec VPN with dedicated crypto engine
- Offers diverse VPN options for various network designs, including remote access and dynamic site-to-site communications
- Simplifies large VPN deployments with auto VPN
- Includes hardware-based crypto acceleration
- Secure and flexible remote access SSL VPN with Juniper Secure Connect
Highly reliable Chassis cluster, redundant power supplies - Provides stateful configuration and session synchronization
- Supports active/active and active/backup deployment scenarios
- Offers highly available hardware with redundant power supply unit (PSU) and redundant fans
- Delivers dedicated control and fabric link with seamless high availability
Easy to manage and scale On-box GUI, Junos Space Security Director - Enables centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
- Includes simple, easy-to-use on-box GUI for local management
Low TCO Junos OS - Integrates routing and security in a single device
- Reduces OpEx with Junos OS automation capabilities
SRX4100 and SRX4200 Firewalls Specifications
Software Specifications
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomalies
- Unified Access Control (UAC)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)
- Juniper Secure Connect: Remote access/SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
High Availability Features
- Virtual Router Redundancy Protocol (VRRP) – IPv4 and IPv6
- Stateful high availability:
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Service Software Upgrade (ISSU)
- IP monitoring with route and interface failover
Application Security Services3
- Application visibility and control
- Application-based firewall
- Application QoS
- Advanced/application policy-based routing (APBR)
- Application Quality of Experience (AppQoE)
- Application-based multipath routing
- User-based firewall
Threat Defense and Intelligence Services3
- Intrusion prevention system
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- SSL proxy/inspection
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention, a cloud-based SaaS offering, to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
- Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks
Routing Protocols
- IPv4, IPv6, static routes, RIP v1/v2
- OSPF/OSPF v3
- BGP with route reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP monitoring
- Juniper flow monitoring (J-Flow)
Advanced Routing Services
- Packet Mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L2 MPLS VPN, pseudo-wires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast re-route
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Juniper Networks Junos Space Security Director
- Python
- Junos events, commit and OP scripts
- Application and bandwidth usage reporting
- Debug and troubleshooting tools
Hardware Specifications
Table 3. SRX4100 and SRX4200 Hardware Specifications4Throughput numbers based on UDP packets and RFC2544 test methodology 5Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. 6Next-Generation Datacenter Firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions. 7Secure Web Access Firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions -
Product Overview
The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.Product Description
The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:- Cloud and hosting provider data centers
- Mobile operator environments
- Managed service providers
- Core service provider infrastructures
- Large enterprise data centers
Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization. The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection. The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800
The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.SRX5400
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.Service Processing Cards (SPCs)
As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.I/O Cards (IOCs)
To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.Routing Engine (RE3) and Enhanced System Control Board (SCB4)
The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.Features and Benefits
Networking and Security
The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.Feature Feature Description Benefits Purpose-built platform Built from the ground up on dedicated hardware designed for networking and security services. Delivers unrivaled performance and flexibility to protect high-speed network environments. Scalable performance Offers scalable processing based on Juniper’s Dynamic Services Architecture. Offers a simple and cost-effective solution to leverage new services with appropriate processing. System and network resiliency Provides carrier-class hardware design and proven OS. Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes. High availability (HA) Active/passive and active/active HA configurations use dedicated HA interfaces. Achieves availability and resiliency necessary for critical networks. Interface flexibility Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments. Network segmentation Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups. Robust Routing Engine Dedicated RE provides physical and logical separation to data and control planes. Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment. Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance. - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Stops rogue and compromised devices to disseminate malware
- Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
AppTrack Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control. AppFirewall Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis. AppQoS Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance. Application signatures Open signature library for identifying applications and nested applications with more than 3000 application signatures. Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection. SSL proxy (forward and reverse) Performs SSL encryption and decryption between the client and the server. Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic. Stateful GTP and SCTP inspection Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks. IOC3 The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled. IOC4 The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card. SPC3 card Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. Delivers always-on security resiliency to meet your growing network performance needs. AutoVPN One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks. Remote access/SSL VPN Secure and flexible remote access SSL VPN with Juniper Secure Connect. Extends secure access to corporate resources from anywhere. Multitenancy Offers logical, large-scale segmentation and separation of security functions and features. Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls. IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Feature Feature Description Benefits Stateful signature inspection Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. This minimizes false positives and offers flexible signature development. Protocol decodes This feature enables highly accurate detection and helps reduce false positives. Accuracy of signatures is improved through precise contexts of protocols. Signatures There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. Attacks are accurately identified and attempts to exploit a known vulnerability are detected. Traffic normalization Reassembly, normalization, and protocol decoding are provided. Overcome attempts to bypass other IPS detections by using obfuscation methods. Zero-day protection Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. Your network is already protected against any new exploits. Recommended policy Group of attack signatures are identified by Juniper Networks Security Team as critical for the typical enterprise to protect against. Installation and maintenance are simplified while ensuring the highest network security. Active/active traffic monitoring IPS monitoring on active/active SRX5000 line chassis clusters is provided. Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade. Packet capture IPS policy supports packet capture logging per rule. Conduct further analysis of surrounding traffic and determine further steps to protect target. Content Security Capabilities
The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.Feature Feature Description Benefits Antivirus Antivirus includes reputation enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3 HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity. Antispam Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers. Enhanced Web filtering Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic. Content filtering Effective content filtering is based on MIME type, file extension, and protocol commands. Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic. Advanced Threat Prevention
Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.Feature Feature Description Benefits Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities. Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks. Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption. HTTP, HTTPs, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic. Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience. More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.Centralized Management
Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance, reduces risk while enabling users to diagnose, and it resolves problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.Specifications
Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.SRX5400 SRX5600 SRX5800 Maximum Performance and Capacity1 Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2 Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps Next-Generation Datacenter Firewall Performance2 136 Gbps 194 Gbps 504 Gbps Secure Web Access Firewall Performance3 75 Gbps 107 Gbps 277 Gbps Latency (stateful firewall) ~11µsec ~11µsec ~11µsec IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps Maximum concurrent sessions 91 Million 182 Million 338 Million New sessions/second (sustained, tcp, 3way, firewall NAT) 1.7/1 million 3.4/2 Million 6.3/4 Million Maximum users supported Unrestricted Unrestricted Unrestricted Network Connectivity IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+ Firewall Network attack detection Yes Yes Yes DoS and distributed denial of service (DDoS) protection Yes Yes Yes TCP reassembly for fragmented packet protection Yes Yes Yes Brute force attack mitigation Yes Yes Yes SYN cookie protection Yes Yes Yes Zone-based IP spoofing Yes Yes Yes Malformed packet protection Yes Yes Yes IPsec VPN Site-to-site tunnels 15,000 15,000 15,000 Tunnel interfaces 15,000 15,000 15,000 Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000 Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack) Internet Key Exchange IKEv1, IKEv2 Configuration Payload Yes Yes Yes IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512 IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Authentication Pre-shared key and public key infrastructure (PKI X.509) IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol Perfect forward secrecy Yes IPsec Authentication Algorithms hmac-md5, hmac-sha-196, hmac-sha-256, hmac-sha-384, hmac-sha-512 IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Monitoring Standard-based Dead peer detection (DPD), VPN monitoring Prevent replay attack Yes Yes Yes VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes Redundant VPN gateways Yes Yes Yes Intrusion Prevention System (IPS) Signature-based and customizable (via templates) Yes Yes Yes Active/active traffic monitoring Yes Yes Yes Stateful protocol signatures Yes Yes Yes Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Attack notification mechanisms Structured system logging Structured system logging Structured system logging Worm protection Yes Yes Yes Simplified installation through recommended policies Yes Yes Yes Trojan protection Yes Yes Yes Spyware/adware/keylogger protection Yes Yes Yes Advanced malware protection Yes Yes Yes Protection against attack proliferation from infected systems Yes Yes Yes Reconnaissance protection Yes Yes Yes Request and response side attack protection Yes Yes Yes Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes Custom attack signatures creation Yes Yes Yes Contexts accessible for customization 600+ 600+ 600+ Attack editing (port range, other) Yes Yes Yes Stream signatures Yes Yes Yes Protocol thresholds Yes Yes Yes Stateful protocol signatures Yes Yes Yes Frequency of updates Daily and emergency Daily and emergency Daily and emergency Content Security Antivirus Yes Yes Yes Content filtering Yes Yes Yes Enhanced Web filtering Yes Yes Yes Redirect Web filtering Yes Yes Yes Antispam Yes Yes Yes AppSecure AppTrack (application visibility and tracking) Yes Yes Yes AppFirewall (policy enforcement by application name) Yes Yes Yes AppQoS (network traffic prioritization by application name) Yes Yes Yes User-based application policy enforcement Yes Yes Yes GPRS Security GPRS stateful firewall Yes Yes Yes Destination Network Address Translation Destination NAT with Port Address Translation (PAT) Yes Yes Yes Destination NAT within same subnet as ingress interface IP Yes Yes Yes Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes Destination addresses to one single address (M:1) Yes Yes Yes Destination addresses to another range of addresses (M:M) Yes Yes Yes Source Network Address Translation Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes Source NAT with PAT—port translated Yes Yes Yes Source NAT without PAT—fix port Yes Yes Yes Source NAT—IP address persistency Yes Yes Yes Source pool grouping Yes Yes Yes Source pool utilization alarm Yes Yes Yes Source IP outside of the interface subnet Yes Yes Yes Interface source NAT—interface DIP Yes Yes Yes Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes Symmetric NAT Yes Yes Yes Allocate multiple ranges in NAT pool Yes Yes Yes Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes User Authentication and Access Control Built-in (internal) database Yes Yes Yes RADIUS accounting Yes Yes Yes Web-based authentication Yes Yes Yes Public Key Infrastructure (PKI) Support PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes Automated certificate enrollment (SCEP) Yes Yes Yes Certificate authorities supported Yes Yes Yes Self-signed certificates Yes Yes Yes Virtualization Maximum custom routing instances with data plane separation 2000 2000 2000 Maximum security zones 2000 2000 2000 Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500 Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited Maximum number of VLANs 4096 4096 4096 Routing BGP instances 1000 1000 1000 BGP peers 2000 2000 2000 BGP routes 1 Million 1 Million 1 Million OSPF instances 400 400 400 OSPF routes 1 Million 1 Million 1 Million RIP v1/v2 instances 50 50 50 RIP v2 table size 30,000 30,000 30,000 Dynamic routing Yes Yes Yes Static routes Yes Yes Yes Source-based routing Yes Yes Yes Policy-based routing Yes Yes Yes Equal cost multipath (ECMP) Yes Yes Yes Reverse path forwarding (RPF) Yes Yes Yes Multicast Yes Yes Yes IPv6 Firewall/stateless filters Yes Yes Yes Dual-stack IPv4/IPv6 firewall Yes Yes Yes RIPng Yes Yes Yes BFD, BGP Yes Yes Yes ICMPv6 Yes Yes Yes OSPFv3 Yes Yes Yes Class of service (CoS) Yes Yes Yes Mode of Operation Layer 2 (transparent) mode Yes Yes Yes Layer 3 (route and/or NAT) mode Yes Yes Yes IP Address Assignment Static Yes Yes Yes Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes Internal DHCP server Yes Yes Yes DHCP relay Yes Yes Yes Traffic Management Quality of Service (QoS) Maximum bandwidth Yes Yes Yes RFC2474 IP Diffserv in IPv4 Yes Yes Yes Firewall filters for CoS Yes Yes Yes Classification Yes Yes Yes Scheduling Yes Yes Yes Shaping Yes Yes Yes Intelligent Drop Mechanisms (WRED) Yes Yes Yes Three-level scheduling Yes Yes Yes Weighted round robin for each level of scheduling Yes Yes Yes Priority of routing protocols Yes Yes Yes Traffic management/policing in hardware Yes Yes Yes High Availability (HA) Active/passive, active/active Yes Yes Yes Unified in-service software upgrade (unified ISSU) Yes Yes Yes Configuration synchronization Yes Yes Yes Session synchronization for firewall and IPsec VPN Yes Yes Yes Session failover for routing change Yes Yes Yes Device failure detection Yes Yes Yes Link and upstream failure detection Yes Yes Yes Dual control links Yes Yes Yes Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes Redundant fabric links Yes Yes Yes Management WebUI (HTTP and HTTPS) Yes Yes Yes Command line interface (console, telnet, SSH) Yes Yes Yes Junos Space Security Director Yes Yes Yes Administration Local administrator database support Yes Yes Yes External administrator database support Yes Yes Yes Restricted administrative networks Yes Yes Yes Root admin, admin, and read-only user levels Yes Yes Yes Software upgrades Yes Yes Yes Configuration rollback Yes Yes Yes Logging/Monitoring Structured syslog Yes Yes Yes SNMP (v2 and v3) Yes Yes Yes Traceroute Yes Yes Yes Certifications Safety certifications Yes Yes Yes Electromagnetic Compatibility (EMC) certifications Yes Yes Yes RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes NIST FIPS-140-2 Level 2 Yes Yes Yes Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes USGv6 Yes Yes Yes Dimensions and Power Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm) Weight Fully configured 128 lb (58.1 kg) Fully Configured: 180 lb (81.7 kg) Fully Configured: 334 lb (151.6 kg) Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity) Typical Power 1540 watts 2440 watts 5015 watts Environmental Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 1 Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. 2Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions. 3Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions. -
Product Overview
The SRX550M Firewall combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for secure, cost-effective connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership.Product Description
Juniper Networks® SRX550M Firewall delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX550M helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall (NGFW) and advanced security also make it easier to detect and proactively mitigate threats to improve the user and application experience.Architecture and Key Components
The SRX550M Firewall is a secure router that brings high performance and proven deployment capabilities to enterprises building a worldwide network composed of thousands of remote sites. WAN or Internet connectivity module options include:- Ethernet, serial, T1/E1, ADSL2/2+, and VDSL
- 3G/4G LTE wireless
- 802.11ac Wave 2 Wi-Fi
Mist AI
WAN Assurance
Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.- SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
- Insights derived from SRX Series SD-WAN gateway telemetry data allows WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
- The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
- Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
Simplifying Branch Deployments (Secure Connectivity/SD-WAN)
The SRX550M line delivers fully automated SD-WAN to both enterprises and service providers.- A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
- SRX550M firewalls offer best-in-class secure connectivity.
- The SRX550M firewall efficiently utilizes multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
- Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
Comprehensive Security Suite
At the perimeter, the SRX550M offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls and cloud-based antivirus, antispam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Advanced Threat Protection solution, the SRX550M detects and enforces automated protection against known malware and zero-day threats with a high degree of accuracy.Industry-Certified Junos Operating System
SRX550M Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX550M enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.Features and Benefits
Business Requirement Feature/Solution SRX550M Advantages High performance Up to 7 Gbps of routing and firewall performance - Meets the needs of small, medium, and large branch office deployments
- Addresses future needs for scale and feature capacity
Business continuity Stateful high availability (HA), IP monitoring - Uses stateful HA to synchronize configuration and firewall sessions
- Supports multiple WAN interface with dial-on-demand backup
- Performs route/link failover based on real-time link performance
SD-WAN Better end-user application and cloud experience and lower operational costs - ZTP simplifies remote device provisioning
- Orchestrates business intent policies across the enterprise WAN via centralized or local advanced policy-based routing (APBR)
- Measures application service-level agreements (SLAs) and improves end-user experience through application quality of experience (AppQoE)
- Detects 4,275 Layer 3-7 applications, including Web 2.0
- Inspects and detects applications in SSL-encrypted traffic
- Controls and prioritizes traffic based on application and user role
End-user experience WAN assurance - Provides AI-powered automation and service levels that complement the Juniper secure SD-WAN solution
- Provides visibility and insights into users, applications, WAN links, controls, and data plane CPU for proactive remediation
High security IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec) - Creates secure, reliable, and fast overlay link over public Internet
- Employs anti-counterfeit features to defend against unauthorized hardware spares
- Includes high-performance CPU with built-in hardware assist IPsec acceleration
- Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
Threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Protects against zero-day attacks
- Integrates open threat intelligence platform with third-party feeds
- Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
Easy management and scale On-box GUI, Security Director - Includes centralized management for autoprovisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
- Includes simple, easy-to-use on-box GUI for local management
Minimal TCO Junos OS - Integrates routing, switching, and security in a single device
- Reduces operational expense with Junos OS automation capabilities
SRX550M Specifications
Software Specifications
Routing Protocols
- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- BGP with route reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Switching Features
- ASIC-based Layer 2 forwarding
- MAC address learning
- VLAN addressing and integrated routing and bridging (IRB) support
- Link aggregation and LACP
- Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED)
- Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP)
- Multiple VLAN Registration Protocol (MVRP)
- 802.1X authentication
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba Clear Pass Policy Manager
- User role-based firewall
- SSL Inspection (forward-proxy)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
- Juniper Secure Connect: Remote access/SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH)/Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-reply
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP-monitoring
- Juniper flow monitoring (J-Flow)
- Bidirectional Forwarding Detection (BFD)
- Two-Way Active Measurement Protocol (TWAMP)
- IEEE 802.3ah Link Fault Management (LFM)
- IEEE 802.1ag Connectivity Fault Management (CFM)
High Availability Features
- Virtual Router Redundancy Protocol (VRRP)
- Stateful high availability
- Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Band Cluster Upgrade (ICU)
- Dial on-demand backup interfaces
- IP monitoring with route and interface failover
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Mist AI
- Simplified management
- WAN Assurance
- Junos Space and Security Director
- Python, PyEz, and Ansible modules
- Junos OS event, commit, and OP script
- Application and bandwidth usage reporting
- Auto installation
- Debug and troubleshooting tools
- ZTP with Contrail Service Orchestration
Advanced Routing Services
- Packet mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L3 MPLS VPN, pseudowires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast reroute
Application Security Services1
- Application visibility and control
- Application-based firewall
- Application QoS
Enhanced SD-WAN Services
- Application-based advanced policy-based routing (APBR)
- Application quality of experience (AppQoE)
- Application-based link monitoring and switchover with AppQoE
Threat Defense and Intelligence Services1
- Intrusion prevention system (IPS)
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- Juniper SecIntel to provide threat intelligence
Hardware Specifications
Network Connectivity
- Fixed I/O: 6 x 10/100/1000 BASE-T + 4 small form-factor pluggable transceivers (SFP transceivers)
- I/O slots: 2 x SRX Series Mini-PIM, 6 x Gigabit-Backplane Physical Interface Module (GPIM) or multiple GPIM and XPIM combinations
- Services and Routing Engine slots: No
- WAN/LAN interface options: See ordering information
- Maximum number of PoE ports (PoE optional on some SRX Series models): Up to 40 ports of 802.3af/at with maximum 247 W
- USB: 2
Flash and Memory
- Memory (DRAM): 4 GB
- Memory slots: 2 DIMM
- Flash memory: 8 GB, CF internal
- USB port for external storage: Yes
Dimensions and Power
- Dimensions (W x H x D): 17.5 x 3.5 x 18.2 in (44.4 x 8.8 x 46.2 cm)
- Weight (device and power supply): 21.96 lb (9.96 kg) (no interface modules, 1 power supply)
- Rack-mountable: Yes, 2 U
- Power supply (AC): 100-240 VAC, single 645 W or dual 645 W
- Maximum PoE power: 247 W redundant, or 494 W non-redundant
- Average power consumption: 85 W
- Input frequency: 50-60 Hz
- Maximum current consumption: 7.5 A @ 100 VAC with single PSU with PoE, 10.5 A @ 100 VAC with dual PSU with PoE
- Maximum inrush current: 45 A for half-cycle
- Average heat dissipation: 238 BTU/hr
- Maximum heat dissipation: 1449 BTU/hr
- Redundant power supply (hot swappable): Yes (up to maximum capacity of single PSU)
- Acoustic noise level (per ISO 7779 Standard): 51.8 dB
Environmental, Compliance, and Safety Certification
- Operational temperature: 32° to 104° F (0° to 40° C)
- Nonoperational temperature: 4° to 158° F, (-20° to 70° C)
- Humidity (operating): 10% to 90% noncondensing
- Humidity (nonoperating): 5% to 95% noncondensing
- Mean time between failures (Telcordia model): 9.6 years with redundant power
- FCC classification: Class A
- RoHS compliance: Yes
Performance and Scale
- Firewall performance (large packets)2: 7 Gbps
- Firewall performance (IMIX)2: 2 Gbps
- Firewall + routing pps (64 Byte)2: 700 Kpps
- Firewall performance (HTTP)3: 2 Gbps
- IPsec VPN throughput (large packets): 1.0 Gbps
- IPsec VPN tunnels: 2000
- Application firewall4: 2.0 Gbps
- Intrusion prevention system (IPS)3: 800 Mbps
- Antivirus: 300 Mbps (Sophos antivirus)
- Connections per second: 27,000
- Maximum concurrent sessions: 375,000
- Maximum security policies: 8000
- Maximum users supported: Unrestricted
- Route table size (RIB/FIB) (IPv4 or IPv6): 1.5 million/750,000
- NAT rules: 6144
- MAC table size: 15,000
- Number of remote access/SSL VPN (concurrent) users: 500
- GRE tunnels: 1500
- Maximum number of security zones: 96
- Maximum number of virtual routers: 128
- Maximum number of VLANs: 3967
- AppID sessions: 65,000
- IPS sessions: 64,000
- URL filtering (URLF) sessions: 64,000
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.Ordering Information
To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html.Product Number Description SRX550M Base System SRX550-645AP-M SRX550M Firewall with 4 GB DRAM and 8 GB CF, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4GbE SFP ports, dual PS slots, and fans; ships with one 645 W AC power supply with 247 W PoE power (power cord and rack-mount kit included) SRX550-645DP-M SRX550M Firewall with 4 GB DRAM and 8 GB CF, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4GbE SFP ports, dual PS slots, and fans; ships with one 645 W DC power supply with 247 W PoE power (no power cord or rack-mount kit included) SRX550M Power Supplies and Accessories SRX600-PWR-645AC-POE Spare 645 W AC PoE power supply unit for SRX550M systems; one is included in SRX550M base system (SRX550M-645AC) SRX600-PWR-645DC-POE 645 W DC source power supply for SRX550M provides 397 W system power @ 12 V and 248 W PoE power @ 50 VDC; works with 43-56 VDC input; no power cord SRX550-CHAS-M SRX550M Firewall, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, and fans (power supply not included) SRX550M Software Licenses SRX550-IDP One-year subscription for intrusion detection and prevention (IDP) updates on SRX550M SRX550-S2-AS One-year subscription for Juniper-Sophos antispam updates on SRX550M SRX550-W-EWF One-year subscription for Juniper Web filtering updates on SRX550M SRX550-S-SMB4-CS One-year security subscription for enterprise; includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M SRX550-ATP-1 One-year subscription for Advanced Threat Prevention Cloud for SRX550M SRX550-S-AV-3 Three-year subscription for Juniper-Sophos antivirus updates on SRX550M SRX550-IDP-3 Three-year subscription for IDP updates on SRX550M SRX550-S2-AS-3 Three-year subscription for Juniper-Sophos antispam updates on SRX550M SRX550-W-EWF-3 Three-year subscription for Juniper Web filtering updates on SRX550M SRX550-S-SMB4-CS-3 Three-year subscription for enterprise-includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M SRX550-ATP-3 Three-year subscription for Advanced Threat Prevention Cloud for SRX550M SRX550-IDP-5 Five-year license for IDP updates on SRX550M SRX550-W-EWF-5 Five-year subscription for Juniper Web filtering updates on SRX550M SRX550-S-SMB4-CS-5 Five year security subscription for enterprise; includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M SRX550-APPSEC-A-1 One-year subscription for Application Security and IPS updates for SRX550M SRX550-APPSEC-A-3 Three-year subscription for Application Security and IPS updates for SRX550M SRX550-APPSEC-A-5 Five-year subscription for Application Security and IPS updates for SRX550M SRX550-ATP-5 Five-year subscription for Advanced Threat Prevention Cloud for SRX550 Remote Access/Juniper Secure Connect VPN Licenses S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year Interface Modules SRX-GP-16GE-POE 16-port 10/100/1000BASE-T PoE XPIM SRX-GP-8SFP 8-port GbE copper, fiber SFP XPIM SRX-GP-DUAL-T1-E1 Dual T1/E1 GPIM SRX-GP-QUAD-T1-E1 Quad T1/E1 GPIM SRX-GP-1DS3-E3 1-port clear channel DS3/E3 GPIM single GPIM slot SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL/ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant SRX-MP-1SERIAL-R 1 port Synchronous Serial, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant SRX-MP-LTE-AA 4G/LTE MPIM support for 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia); supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls SRX-MP-LTE-AE 4G/LTE MPIM support for 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA); supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for U.S. regulatory bands only SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for worldwide regulatory bands (excluding U.S. and Israel) SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for Israel regulatory bands only SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms -
Product Overview
The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.Product Description
The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:- Cloud and hosting provider data centers
- Mobile operator environments
- Managed service providers
- Core service provider infrastructures
- Large enterprise data centers
Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization. The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection. The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800
The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.SRX5400
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.Service Processing Cards (SPCs)
As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.I/O Cards (IOCs)
To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.Routing Engine (RE3) and Enhanced System Control Board (SCB4)
The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.Features and Benefits
Networking and Security
The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.Feature Feature Description Benefits Purpose-built platform Built from the ground up on dedicated hardware designed for networking and security services. Delivers unrivaled performance and flexibility to protect high-speed network environments. Scalable performance Offers scalable processing based on Juniper’s Dynamic Services Architecture. Offers a simple and cost-effective solution to leverage new services with appropriate processing. System and network resiliency Provides carrier-class hardware design and proven OS. Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes. High availability (HA) Active/passive and active/active HA configurations use dedicated HA interfaces. Achieves availability and resiliency necessary for critical networks. Interface flexibility Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments. Network segmentation Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups. Robust Routing Engine Dedicated RE provides physical and logical separation to data and control planes. Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment. Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance. - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Stops rogue and compromised devices to disseminate malware
- Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
AppTrack Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control. AppFirewall Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis. AppQoS Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance. Application signatures Open signature library for identifying applications and nested applications with more than 3000 application signatures. Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection. SSL proxy (forward and reverse) Performs SSL encryption and decryption between the client and the server. Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic. Stateful GTP and SCTP inspection Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks. IOC3 The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled. IOC4 The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card. SPC3 card Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. Delivers always-on security resiliency to meet your growing network performance needs. AutoVPN One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks. Remote access/SSL VPN Secure and flexible remote access SSL VPN with Juniper Secure Connect. Extends secure access to corporate resources from anywhere. Multitenancy Offers logical, large-scale segmentation and separation of security functions and features. Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls. IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Feature Feature Description Benefits Stateful signature inspection Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. This minimizes false positives and offers flexible signature development. Protocol decodes This feature enables highly accurate detection and helps reduce false positives. Accuracy of signatures is improved through precise contexts of protocols. Signatures There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. Attacks are accurately identified and attempts to exploit a known vulnerability are detected. Traffic normalization Reassembly, normalization, and protocol decoding are provided. Overcome attempts to bypass other IPS detections by using obfuscation methods. Zero-day protection Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. Your network is already protected against any new exploits. Recommended policy Group of attack signatures are identified by Juniper Networks Security Team as critical for the typical enterprise to protect against. Installation and maintenance are simplified while ensuring the highest network security. Active/active traffic monitoring IPS monitoring on active/active SRX5000 line chassis clusters is provided. Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade. Packet capture IPS policy supports packet capture logging per rule. Conduct further analysis of surrounding traffic and determine further steps to protect target. Content Security Capabilities
The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.Feature Feature Description Benefits Antivirus Antivirus includes reputation enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3 HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity. Antispam Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers. Enhanced Web filtering Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic. Content filtering Effective content filtering is based on MIME type, file extension, and protocol commands. Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic. Advanced Threat Prevention
Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.Feature Feature Description Benefits Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities. Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks. Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption. HTTP, HTTPs, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic. Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience. More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.Centralized Management
Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance, reduces risk while enabling users to diagnose, and it resolves problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.Specifications
Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.SRX5400 SRX5600 SRX5800 Maximum Performance and Capacity1 Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2 Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps Next-Generation Datacenter Firewall Performance2 136 Gbps 194 Gbps 504 Gbps Secure Web Access Firewall Performance3 75 Gbps 107 Gbps 277 Gbps Latency (stateful firewall) ~11µsec ~11µsec ~11µsec IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps Maximum concurrent sessions 91 Million 182 Million 338 Million New sessions/second (sustained, tcp, 3way, firewall NAT) 1.7/1 million 3.4/2 Million 6.3/4 Million Maximum users supported Unrestricted Unrestricted Unrestricted Network Connectivity IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+ Firewall Network attack detection Yes Yes Yes DoS and distributed denial of service (DDoS) protection Yes Yes Yes TCP reassembly for fragmented packet protection Yes Yes Yes Brute force attack mitigation Yes Yes Yes SYN cookie protection Yes Yes Yes Zone-based IP spoofing Yes Yes Yes Malformed packet protection Yes Yes Yes IPsec VPN Site-to-site tunnels 15,000 15,000 15,000 Tunnel interfaces 15,000 15,000 15,000 Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000 Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack) Internet Key Exchange IKEv1, IKEv2 Configuration Payload Yes Yes Yes IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512 IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Authentication Pre-shared key and public key infrastructure (PKI X.509) IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol Perfect forward secrecy Yes IPsec Authentication Algorithms hmac-md5, hmac-sha-196, hmac-sha-256, hmac-sha-384, hmac-sha-512 IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Monitoring Standard-based Dead peer detection (DPD), VPN monitoring Prevent replay attack Yes Yes Yes VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes Redundant VPN gateways Yes Yes Yes Intrusion Prevention System (IPS) Signature-based and customizable (via templates) Yes Yes Yes Active/active traffic monitoring Yes Yes Yes Stateful protocol signatures Yes Yes Yes Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Attack notification mechanisms Structured system logging Structured system logging Structured system logging Worm protection Yes Yes Yes Simplified installation through recommended policies Yes Yes Yes Trojan protection Yes Yes Yes Spyware/adware/keylogger protection Yes Yes Yes Advanced malware protection Yes Yes Yes Protection against attack proliferation from infected systems Yes Yes Yes Reconnaissance protection Yes Yes Yes Request and response side attack protection Yes Yes Yes Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes Custom attack signatures creation Yes Yes Yes Contexts accessible for customization 600+ 600+ 600+ Attack editing (port range, other) Yes Yes Yes Stream signatures Yes Yes Yes Protocol thresholds Yes Yes Yes Stateful protocol signatures Yes Yes Yes Frequency of updates Daily and emergency Daily and emergency Daily and emergency Content Security Antivirus Yes Yes Yes Content filtering Yes Yes Yes Enhanced Web filtering Yes Yes Yes Redirect Web filtering Yes Yes Yes Antispam Yes Yes Yes AppSecure AppTrack (application visibility and tracking) Yes Yes Yes AppFirewall (policy enforcement by application name) Yes Yes Yes AppQoS (network traffic prioritization by application name) Yes Yes Yes User-based application policy enforcement Yes Yes Yes GPRS Security GPRS stateful firewall Yes Yes Yes Destination Network Address Translation Destination NAT with Port Address Translation (PAT) Yes Yes Yes Destination NAT within same subnet as ingress interface IP Yes Yes Yes Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes Destination addresses to one single address (M:1) Yes Yes Yes Destination addresses to another range of addresses (M:M) Yes Yes Yes Source Network Address Translation Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes Source NAT with PAT—port translated Yes Yes Yes Source NAT without PAT—fix port Yes Yes Yes Source NAT—IP address persistency Yes Yes Yes Source pool grouping Yes Yes Yes Source pool utilization alarm Yes Yes Yes Source IP outside of the interface subnet Yes Yes Yes Interface source NAT—interface DIP Yes Yes Yes Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes Symmetric NAT Yes Yes Yes Allocate multiple ranges in NAT pool Yes Yes Yes Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes User Authentication and Access Control Built-in (internal) database Yes Yes Yes RADIUS accounting Yes Yes Yes Web-based authentication Yes Yes Yes Public Key Infrastructure (PKI) Support PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes Automated certificate enrollment (SCEP) Yes Yes Yes Certificate authorities supported Yes Yes Yes Self-signed certificates Yes Yes Yes Virtualization Maximum custom routing instances with data plane separation 2000 2000 2000 Maximum security zones 2000 2000 2000 Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500 Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited Maximum number of VLANs 4096 4096 4096 Routing BGP instances 1000 1000 1000 BGP peers 2000 2000 2000 BGP routes 1 Million 1 Million 1 Million OSPF instances 400 400 400 OSPF routes 1 Million 1 Million 1 Million RIP v1/v2 instances 50 50 50 RIP v2 table size 30,000 30,000 30,000 Dynamic routing Yes Yes Yes Static routes Yes Yes Yes Source-based routing Yes Yes Yes Policy-based routing Yes Yes Yes Equal cost multipath (ECMP) Yes Yes Yes Reverse path forwarding (RPF) Yes Yes Yes Multicast Yes Yes Yes IPv6 Firewall/stateless filters Yes Yes Yes Dual-stack IPv4/IPv6 firewall Yes Yes Yes RIPng Yes Yes Yes BFD, BGP Yes Yes Yes ICMPv6 Yes Yes Yes OSPFv3 Yes Yes Yes Class of service (CoS) Yes Yes Yes Mode of Operation Layer 2 (transparent) mode Yes Yes Yes Layer 3 (route and/or NAT) mode Yes Yes Yes IP Address Assignment Static Yes Yes Yes Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes Internal DHCP server Yes Yes Yes DHCP relay Yes Yes Yes Traffic Management Quality of Service (QoS) Maximum bandwidth Yes Yes Yes RFC2474 IP Diffserv in IPv4 Yes Yes Yes Firewall filters for CoS Yes Yes Yes Classification Yes Yes Yes Scheduling Yes Yes Yes Shaping Yes Yes Yes Intelligent Drop Mechanisms (WRED) Yes Yes Yes Three-level scheduling Yes Yes Yes Weighted round robin for each level of scheduling Yes Yes Yes Priority of routing protocols Yes Yes Yes Traffic management/policing in hardware Yes Yes Yes High Availability (HA) Active/passive, active/active Yes Yes Yes Unified in-service software upgrade (unified ISSU) Yes Yes Yes Configuration synchronization Yes Yes Yes Session synchronization for firewall and IPsec VPN Yes Yes Yes Session failover for routing change Yes Yes Yes Device failure detection Yes Yes Yes Link and upstream failure detection Yes Yes Yes Dual control links Yes Yes Yes Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes Redundant fabric links Yes Yes Yes Management WebUI (HTTP and HTTPS) Yes Yes Yes Command line interface (console, telnet, SSH) Yes Yes Yes Junos Space Security Director Yes Yes Yes Administration Local administrator database support Yes Yes Yes External administrator database support Yes Yes Yes Restricted administrative networks Yes Yes Yes Root admin, admin, and read-only user levels Yes Yes Yes Software upgrades Yes Yes Yes Configuration rollback Yes Yes Yes Logging/Monitoring Structured syslog Yes Yes Yes SNMP (v2 and v3) Yes Yes Yes Traceroute Yes Yes Yes Certifications Safety certifications Yes Yes Yes Electromagnetic Compatibility (EMC) certifications Yes Yes Yes RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes NIST FIPS-140-2 Level 2 Yes Yes Yes Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes USGv6 Yes Yes Yes Dimensions and Power Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm) Weight Fully configured 128 lb (58.1 kg) Fully Configured: 180 lb (81.7 kg) Fully Configured: 334 lb (151.6 kg) Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity) Typical Power 1540 watts 2440 watts 5015 watts Environmental Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 1 Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. 2Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions. 3Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions. -
Product Overview
The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.Product Description
The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:- Cloud and hosting provider data centers
- Mobile operator environments
- Managed service providers
- Core service provider infrastructures
- Large enterprise data centers
Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization. The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection. The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800
The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.SRX5400
The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.Service Processing Cards (SPCs)
As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.I/O Cards (IOCs)
To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.Routing Engine (RE3) and Enhanced System Control Board (SCB4)
The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.Features and Benefits
Networking and Security
The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.Feature Feature Description Benefits Purpose-built platform Built from the ground up on dedicated hardware designed for networking and security services. Delivers unrivaled performance and flexibility to protect high-speed network environments. Scalable performance Offers scalable processing based on Juniper’s Dynamic Services Architecture. Offers a simple and cost-effective solution to leverage new services with appropriate processing. System and network resiliency Provides carrier-class hardware design and proven OS. Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes. High availability (HA) Active/passive and active/active HA configurations use dedicated HA interfaces. Achieves availability and resiliency necessary for critical networks. Interface flexibility Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments. Network segmentation Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups. Robust Routing Engine Dedicated RE provides physical and logical separation to data and control planes. Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment. Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance. - Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Stops rogue and compromised devices to disseminate malware
- Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
AppTrack Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control. AppFirewall Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis. AppQoS Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance. Application signatures Open signature library for identifying applications and nested applications with more than 3000 application signatures. Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection. SSL proxy (forward and reverse) Performs SSL encryption and decryption between the client and the server. Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic. Stateful GTP and SCTP inspection Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks. IOC3 The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled. IOC4 The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card. SPC3 card Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. Delivers always-on security resiliency to meet your growing network performance needs. AutoVPN One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks. Remote access/SSL VPN Secure and flexible remote access SSL VPN with Juniper Secure Connect. Extends secure access to corporate resources from anywhere. Multitenancy Offers logical, large-scale segmentation and separation of security functions and features. Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls. IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Feature Feature Description Benefits Stateful signature inspection Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. This minimizes false positives and offers flexible signature development. Protocol decodes This feature enables highly accurate detection and helps reduce false positives. Accuracy of signatures is improved through precise contexts of protocols. Signatures There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. Attacks are accurately identified and attempts to exploit a known vulnerability are detected. Traffic normalization Reassembly, normalization, and protocol decoding are provided. Overcome attempts to bypass other IPS detections by using obfuscation methods. Zero-day protection Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. Your network is already protected against any new exploits. Recommended policy Group of attack signatures are identified by Juniper Networks Security Team as critical for the typical enterprise to protect against. Installation and maintenance are simplified while ensuring the highest network security. Active/active traffic monitoring IPS monitoring on active/active SRX5000 line chassis clusters is provided. Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade. Packet capture IPS policy supports packet capture logging per rule. Conduct further analysis of surrounding traffic and determine further steps to protect target. Content Security Capabilities
The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.Feature Feature Description Benefits Antivirus Antivirus includes reputation enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3 HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity. Antispam Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers. Enhanced Web filtering Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic. Content filtering Effective content filtering is based on MIME type, file extension, and protocol commands. Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic. Advanced Threat Prevention
Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.Feature Feature Description Benefits Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities. Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks. Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption. HTTP, HTTPs, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic. Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience. More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.Centralized Management
Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance, reduces risk while enabling users to diagnose, and it resolves problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.Specifications
Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.SRX5400 SRX5600 SRX5800 Maximum Performance and Capacity1 Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2 Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps Next-Generation Datacenter Firewall Performance2 136 Gbps 194 Gbps 504 Gbps Secure Web Access Firewall Performance3 75 Gbps 107 Gbps 277 Gbps Latency (stateful firewall) ~11µsec ~11µsec ~11µsec IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps Maximum concurrent sessions 91 Million 182 Million 338 Million New sessions/second (sustained, tcp, 3way, firewall NAT) 1.7/1 million 3.4/2 Million 6.3/4 Million Maximum users supported Unrestricted Unrestricted Unrestricted Network Connectivity IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+ Firewall Network attack detection Yes Yes Yes DoS and distributed denial of service (DDoS) protection Yes Yes Yes TCP reassembly for fragmented packet protection Yes Yes Yes Brute force attack mitigation Yes Yes Yes SYN cookie protection Yes Yes Yes Zone-based IP spoofing Yes Yes Yes Malformed packet protection Yes Yes Yes IPsec VPN Site-to-site tunnels 15,000 15,000 15,000 Tunnel interfaces 15,000 15,000 15,000 Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000 Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack) Internet Key Exchange IKEv1, IKEv2 Configuration Payload Yes Yes Yes IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512 IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Authentication Pre-shared key and public key infrastructure (PKI X.509) IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol Perfect forward secrecy Yes IPsec Authentication Algorithms hmac-md5, hmac-sha-196, hmac-sha-256, hmac-sha-384, hmac-sha-512 IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB Monitoring Standard-based Dead peer detection (DPD), VPN monitoring Prevent replay attack Yes Yes Yes VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes Redundant VPN gateways Yes Yes Yes Intrusion Prevention System (IPS) Signature-based and customizable (via templates) Yes Yes Yes Active/active traffic monitoring Yes Yes Yes Stateful protocol signatures Yes Yes Yes Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Attack notification mechanisms Structured system logging Structured system logging Structured system logging Worm protection Yes Yes Yes Simplified installation through recommended policies Yes Yes Yes Trojan protection Yes Yes Yes Spyware/adware/keylogger protection Yes Yes Yes Advanced malware protection Yes Yes Yes Protection against attack proliferation from infected systems Yes Yes Yes Reconnaissance protection Yes Yes Yes Request and response side attack protection Yes Yes Yes Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes Custom attack signatures creation Yes Yes Yes Contexts accessible for customization 600+ 600+ 600+ Attack editing (port range, other) Yes Yes Yes Stream signatures Yes Yes Yes Protocol thresholds Yes Yes Yes Stateful protocol signatures Yes Yes Yes Frequency of updates Daily and emergency Daily and emergency Daily and emergency Content Security Antivirus Yes Yes Yes Content filtering Yes Yes Yes Enhanced Web filtering Yes Yes Yes Redirect Web filtering Yes Yes Yes Antispam Yes Yes Yes AppSecure AppTrack (application visibility and tracking) Yes Yes Yes AppFirewall (policy enforcement by application name) Yes Yes Yes AppQoS (network traffic prioritization by application name) Yes Yes Yes User-based application policy enforcement Yes Yes Yes GPRS Security GPRS stateful firewall Yes Yes Yes Destination Network Address Translation Destination NAT with Port Address Translation (PAT) Yes Yes Yes Destination NAT within same subnet as ingress interface IP Yes Yes Yes Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes Destination addresses to one single address (M:1) Yes Yes Yes Destination addresses to another range of addresses (M:M) Yes Yes Yes Source Network Address Translation Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes Source NAT with PAT—port translated Yes Yes Yes Source NAT without PAT—fix port Yes Yes Yes Source NAT—IP address persistency Yes Yes Yes Source pool grouping Yes Yes Yes Source pool utilization alarm Yes Yes Yes Source IP outside of the interface subnet Yes Yes Yes Interface source NAT—interface DIP Yes Yes Yes Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes Symmetric NAT Yes Yes Yes Allocate multiple ranges in NAT pool Yes Yes Yes Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes User Authentication and Access Control Built-in (internal) database Yes Yes Yes RADIUS accounting Yes Yes Yes Web-based authentication Yes Yes Yes Public Key Infrastructure (PKI) Support PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes Automated certificate enrollment (SCEP) Yes Yes Yes Certificate authorities supported Yes Yes Yes Self-signed certificates Yes Yes Yes Virtualization Maximum custom routing instances with data plane separation 2000 2000 2000 Maximum security zones 2000 2000 2000 Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500 Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited Maximum number of VLANs 4096 4096 4096 Routing BGP instances 1000 1000 1000 BGP peers 2000 2000 2000 BGP routes 1 Million 1 Million 1 Million OSPF instances 400 400 400 OSPF routes 1 Million 1 Million 1 Million RIP v1/v2 instances 50 50 50 RIP v2 table size 30,000 30,000 30,000 Dynamic routing Yes Yes Yes Static routes Yes Yes Yes Source-based routing Yes Yes Yes Policy-based routing Yes Yes Yes Equal cost multipath (ECMP) Yes Yes Yes Reverse path forwarding (RPF) Yes Yes Yes Multicast Yes Yes Yes IPv6 Firewall/stateless filters Yes Yes Yes Dual-stack IPv4/IPv6 firewall Yes Yes Yes RIPng Yes Yes Yes BFD, BGP Yes Yes Yes ICMPv6 Yes Yes Yes OSPFv3 Yes Yes Yes Class of service (CoS) Yes Yes Yes Mode of Operation Layer 2 (transparent) mode Yes Yes Yes Layer 3 (route and/or NAT) mode Yes Yes Yes IP Address Assignment Static Yes Yes Yes Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes Internal DHCP server Yes Yes Yes DHCP relay Yes Yes Yes Traffic Management Quality of Service (QoS) Maximum bandwidth Yes Yes Yes RFC2474 IP Diffserv in IPv4 Yes Yes Yes Firewall filters for CoS Yes Yes Yes Classification Yes Yes Yes Scheduling Yes Yes Yes Shaping Yes Yes Yes Intelligent Drop Mechanisms (WRED) Yes Yes Yes Three-level scheduling Yes Yes Yes Weighted round robin for each level of scheduling Yes Yes Yes Priority of routing protocols Yes Yes Yes Traffic management/policing in hardware Yes Yes Yes High Availability (HA) Active/passive, active/active Yes Yes Yes Unified in-service software upgrade (unified ISSU) Yes Yes Yes Configuration synchronization Yes Yes Yes Session synchronization for firewall and IPsec VPN Yes Yes Yes Session failover for routing change Yes Yes Yes Device failure detection Yes Yes Yes Link and upstream failure detection Yes Yes Yes Dual control links Yes Yes Yes Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes Redundant fabric links Yes Yes Yes Management WebUI (HTTP and HTTPS) Yes Yes Yes Command line interface (console, telnet, SSH) Yes Yes Yes Junos Space Security Director Yes Yes Yes Administration Local administrator database support Yes Yes Yes External administrator database support Yes Yes Yes Restricted administrative networks Yes Yes Yes Root admin, admin, and read-only user levels Yes Yes Yes Software upgrades Yes Yes Yes Configuration rollback Yes Yes Yes Logging/Monitoring Structured syslog Yes Yes Yes SNMP (v2 and v3) Yes Yes Yes Traceroute Yes Yes Yes Certifications Safety certifications Yes Yes Yes Electromagnetic Compatibility (EMC) certifications Yes Yes Yes RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes NIST FIPS-140-2 Level 2 Yes Yes Yes Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes USGv6 Yes Yes Yes Dimensions and Power Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm) Weight Fully configured 128 lb (58.1 kg) Fully Configured: 180 lb (81.7 kg) Fully Configured: 334 lb (151.6 kg) Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity) Typical Power 1540 watts 2440 watts 5015 watts Environmental Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 1 Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. 2Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions. 3Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions. -
Product Overview
Juniper Networks PTX10000 modular routers were specifically designed to meet new service level agreements in the cloud era. As cloud and 5G trends accelerate network transformation, core and peering networks face exponential traffic growth due to the massive increase in the number of connected devices, presenting operators with the same challenges but at a faster rate. Leading the 400G transition, these modular routers set new benchmarks of scale, flexibility, and reliability with high-performance custom silicon. These platforms share a common set of components and full feature sets, with various 400GbE-capable line cards available to satisfy specific core, peering, data center, and metro-core deployments in the most demanding environments.Product Description
Increasingly sophisticated network operators and users seek highly responsive and customizable cloud-like online experiences and services that align with their unique needs and interests, creating more traffic that consumes increasing amounts of network bandwidth. The demands of the increased network traffic are driving the creation of new core and peering architectures. Cloud routing allows for more centralized, interconnected cores to help operators scale their networks to meet new service-level agreements. Competing with the ability to rapidly expand capacity is the need to reduce operational costs; providers are under enormous pressure to lower margins and compete with new entrants and disruptors that do not have legacy networks to maintain. There is immense pressure on core and peering routers to simultaneously address:- Scale: Providers may offer backbone connectivity that requires a large number of label-switched paths (LSPs). If they are using Segment Routing or RSVP to take advantage of the traffic engineering (SR-TE/RSVP-TE) functionality, the control plane signaling path must be able to scale in step with the growth of LSPs. This ability to scale is needed for both the primary and backup paths to support redundancy mechanisms like fast re-route (FRR). Today, the total number needed for backbone connectivity is a few million. This type of scaling challenge will be felt by operators who are trying to diversify their portfolios by adding a broader scope of connectivity options; for example, a data center operator who wants to provide cloud connectivity or VPN services to enterprise customers, or an operator of private line service who wants to add a collocation service to its offering.
- Operational Flexibility: Virtualized services and the explosion of cloud-based applications are creating increasingly erratic traffic patterns. To handle this unpredictability, service providers need architectures that are flexible and dynamic across all layers. Operators today rely on the flexibility and capacity of IP filters to mitigate the impact of increasing denial-of-service (DoS) attacks.
- Investment Protection: Ensuring operators are investing in platforms designed to last has become imperative to leveraging the next generation of ASIC improvements the industry is offering. The risk of packet drops from rip-and-replace strategies to yearly silicon upgrades severely impacts the reliability of future upgrades.
In order to address these challenges, network operators need a router that delivers scalability, flexibility, and reliability to the network. Juniper Networks® PTX Series Routers takes high-performance networking to the next level, easily fitting into both cloud- and service-providers networks across core, peering, data center spice, data center edge, and infrastructure edge routing. (Figure 1). The PTX Series Routers are powered by Juniper’s custom Express family ASICs, supporting 400GbE architectures and delivering predictable IP/MPLS packet performance and functionality, eliminating the complex packet profiles found in elaborate, over-engineered network processing units deployed in other core routers. The PTX Series Routers bring physical and virtual innovations to the cloud and service provider networks. These next-generation routers help network operators achieve their business goals while effectively handling current and future traffic demands through automation, optimization, and programmability. The PTX Series Routers combines the best of Juniper’s Express ASICs with the reliability and familiarity of Junos® OS. The PTX Series Routers are comprised of feature-rich, 400G-optimized fixed and modular platforms.PTX10004, PTX10008, PTX10016 Hardware
The PTX10004 (4-slot), PTX10008 (8-slot), and PTX10016 (16-slot) modular routers utilize Juniper’s Express4 ASIC powered line cards to support deep buffers, flexible packet filtering, and bandwidth demanding core and peering architectures.Table 1. PTX10004, PTX10008, PTX100016 Modular Chassis OptionsRouter Bandwidth Height 3T (30 x 100GbE; 144 x 10GbE) 4.8T (4 x 400GbE; 48 x 100GbE) 14.4T (36 x 400GbE; 144 x 100GbE) PTX10004 - 19.2T 57.6T 4 slots/7 RU PTX10008 24T 38.4T 115.2T 8 slots/13 RU PTX10016 48T 76.8T 230.4T 16 slots/21 RU The PTX10004, PTX10008, and PTX10016 are cloud-optimized to support the transition and expansion of 400GbE networks. These high density routers are designed for today’s space- and power-constrained facilities, supporting 400GbE architectures with inline Media Access Control Security (MACsec) on all ports for uncompromised security. PTX LC1201 and LC1202 line cards offer native SFP+ transceiver support through QSFP adapter, MAM1Q00A-QSA. This option enables deployments where 10GE connectivity over more than 10KM single mode fiber links is required. These modular routers enable network operators to build core architectures that optimize label-switching router (LSR), Internet backbone, peering, and optical convergence applications. As a result, operators can—for the first time—match traffic demands with enhanced core router performance and flexible deployments. With its ultra-optimized and compact form factor, the PTX10000 line is ideal for peering, collocation, and central office locations where space and power are at a premium.Silicon Innovations with Express Family ASICs
Continuous innovations in silicon enable the PTX10000 modular routers to accommodate scale-up and scale-out architectures with smooth migration paths as traffic patterns change. Juniper’s custom Express silicon allows adaptive load balancing, data structure sharing, and better resource utilization, as well as supporting value-added resources for additional filtering flexibility—all while lowering cost per bit. The PTX10004, PTX10008, and PTX10016 are powered by the highly scalable Juniper Express4 silicon, the industry’s first inline MACsec for 400GbE chip to support universal multirate QSFP56-DD. The Juniper Express4 silicon delivers consistently low latency, 8M counters, 256 Advanced Encryption Standard (AES) MACsec encryption supported on all ports, and wire-rate packet performance for IP traffic without sacrificing the optimized system power profile. Preserving the spirit of the Junos Express silicon family, Juniper Express4 silicon is the first purpose-built telecommunications silicon to incorporate a 3D memory architecture into the base design, offering the industry’s highest packet performance per gigabit in the fewest rack units. It also provides dynamic table memory allocation for massive IP routing scale while delivering tremendous power efficiency gains at 0.14 watts/gigabit. The ability to address a provider’s core networking requirements— scale, operational flexibility, and SDN control— begins with the silicon. With the PTX10000 line, operators can now deploy a core architecture with full Juniper Paragon Automation suite.Architecture and Key Components
The PTX10000 line of Packet Transport Routers features a number of key architectural elements. Dual redundant routing engines (REs) on the PTX10004, PTX10008, and PTX10016 run the Juniper Networks Junos operating system, where they manage all routing protocol processes, router interface control, and control plane functions such as chassis component, system management, and user access to the router. In addition, unique cryptographic digital identity has been added to the Trusted Platform Module (TPM 2.0), which is embedded in the latest generation of REs. This addition enables device attestation and enhances security. REs’ processes interact with the Packet Forwarding Engine (PFE) on the line cards via dedicated high- bandwidth management channels, providing a clean separation of the control and forwarding planes. The PTX10004, PTX10008, and PTX10016 Express-based line cards currently support 10GbE, 25GbE, 40GbE, 100GbE, and 400GbE interfaces. The horizontal line cards in the front of the chassis connect directly to the vertical switch fabric cards in the rear of the chassis via orthogonal interconnects without requiring a midplane. This provides unparalleled investment protection by ensuring a smooth upgrade path to higher speed switch fabric cards as they become available. The midplane-less design improves airflow with a front-to-back design and enables limitless scale. To maintain uninterrupted operation, the PTX10000 modular chassis fan trays cool the line cards and REs with redundant, variable-speed fans. In addition, the PTX10000 line power supplies convert building power to the internal voltage required by the system. All PTX10000 line components are hot-swappable, and all central functions are available in redundant configurations, providing high operational availability by allowing continuous system operation during maintenance or repairs.PTX10000 Line: Shared Hardware Components
Key hardware components of the PTX10004, PTX10008, and PTX10016 modular routers include the switch fabrics, REs, and line cards.Table 2: Shared Components Across PTX Modular ChassisPTX10004, PTX10008, PTX10016 Switch Fabrics - SF (3 Tbps/slot, Express2)
- SF3 (14.4Tbps/slot, Express4)
Routing Engines - JNP10K-RE0: The first-generation RE0 RE features a quad-core 2.5 GHz Intel processor with 32 GB memory and 2x50 GB solid-state drive (SSD) storage.
- JNP10K-RE1: The second-generation RE1 RE features a 10-core 2.2 GHz Intel processor with memory options of 64 GB or 128 GB and 2x200 GB solid-state drive (SSD) storage.
Table 3: Express-based Line CardsLine card Bandwidth Silicon 100GbE Ports 400GbE Ports PTX10K-LC1201-36CD (JNP10K-LC1201): 14.4 Tbps Express4 144 36 QSFP56-DD/ QSFP56/QSFP28-DD/QSFP28/QSFP+ PTX10K-LC1202-36MR (JNP10K-LC1202): 4.8 Tbps Express4 32 4 QSFP56-DD and QSFP28 PTX10K-LC1101 (JNP10K-LC1101): 3 Tbps Express2 30 - QSFP28/QSFP+. PTX10K-LC1102 (JNP10K-LC1102): 1.4 Tbps Express2 12 - QSFP28/QSFP+. PTX10K-LC1104 (JNP10K-LC1104): 1.2 Tbps Express2 6 - DWDM PTX10K-LC1105 (JNP10K-LC1105): 3 Tbps Express2 30 - QSFP28/QSFP+. The line cards also supports native MACsec without compromising throughput on any supported interface rate up to 400GbE, providing point-to-point security on Ethernet links. MACsec blocks security threats such as DoS, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks while securing links for most traffic frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and others. All ports can support 400GbE ZR and ZR+ optics, making it ready for full packet/optical convergence without compromising density.Power
The PTX10004 has three power supply slots, the PTX10008 offers six power supply slots, and the PTX10016 has 10 power supply slots, providing complete flexibility for provisioning and redundancy. Each power supply has its own internal fan for cooling. The PTX10000 line supports both AC and DC power supplies; however, AC and DC supplies cannot be mixed in the same chassis. Two generations of power supplies exist: the first generation is designed to support Express2 line cards, while the second generation is designed to support both Express2 and Express4 line cards.. The first generation of AC power supplies on the PTX10000 line routers accept 200 to 240 volts alternating current (VAC) input, delivering 2700 watts of power to the chassis. The first generation of DC power supplies accept -40 to -72 volts direct current (VDC) input, delivering 2500 watts of power to the chassis. Each AC and DC power supply has two inputs for feed redundancy. Second-generation AC power supplies (AC2) on the PTX10000 line routers are high-capacity, high-line models designed to support either AC or DC systems in either a low-power or high-power mode. The power supply takes AC input and provides DC output of 12.3 VDC, delivering 5000 watts with a single feed and 5500 watts with a dual feed. For AC systems, the operating input is 180 to 305 VAC; for DC systems, the operating input is190 to 410 VDC. Second-generation DC power supplies (DC2) provide two power supplies in a single housing that accepts either 60 A or 80 A using four redundant input power feeds.Cooling
The PTX10000 line supports front-to-back cooling with air drawn in through the perforations on the REs and the line cards in the front of the platform. The fan trays are in front of the fabric cards and are accessible from the rear of the chassis. Hot air exhausts through the rear of the chassis.Chassis Management
The PTX10000 line delivers powerful Junos OS chassis management that allows environmental monitoring and field-replaceable unit (FRU) control. Chassis management provides a faster primary switchover, enhanced power budgeting with a modular power management, reduced power consumption for partially populated systems, granular control over FRU power-on, adaptive cooling, and CPU leveling during monitoring intervals.Simplified Management
The PTX10000 line routers simplify management based on the elegance and simplicity of the Junos OS. Management applications can receive streaming telemetry data to provide robust protocol analytics for an SDN environment. Junos OS enables resilience by design, operational consistency, and the versatility needed to evolve your network.SONiC Support on the PTX10008
The PTX10008 supports Juniper’s SONiC implementation, delivering best-of-breed hardware for cloud operators while taking advantage of the flexibility of SONiC’s open and disaggregated architecture. The SONiC-enabled PTX10008 plugs seamlessly into a unified SONiC network infrastructure, leveraging the existing PTX10008 hardware. The Juniper-provided SONiC image, installed on the hardware at the factory, includes the platform device drivers and Juniper's Hardware Abstraction Layer (HAL), including Juniper's implementation of the Switch Abstraction Interface (SAI) for the Express4 ASIC and the line card PFE software. As a modular and dense multi-PFE 400GbE/100GbE platform, the PTX10008 is perfectly suited for large spine layer applications in data center IP fabrics. Juniper complements the SONiC OS with the containerized Routing Protocol Daemon (cRPD), a full-function routing and management stack packaged as a container. This ensures a consistent end-to-end routing experience across different tiers in the data center. In addition, the cRPD enables high-performance telemetry, automation, and programmability in a lightweight deployment. For features available with SONiC, please refer to the SONiC deployment guide.Features and Benefits
Table 1 summarizes the features available on the PTX10004, PTX10008, and PTX10016 routers.Table 1. PTX10000 Line Features and BenefitsFeature Feature Description Benefits System capacity The four-slot PTX10004 scales to 57.6 Tbps in a single chassis, supporting up to 576 10GbE, 576 25GbE, 144 40GbE, 576 100GbE, or 144 400GbE interfaces. The PTX10008 scales to 115.2 Tbps in a single chassis, supporting up to 1152 10GbE, 1152 25GbE, 288 40GbE, 1152 100GbE, or 288 400GbE interfaces. The PTX10016 has 16 slots, each supporting 3 Tbps (6 Tbps half-duplex). A fully equipped PTX10016 can support 2304 10GbE, 576 40GbE, or 480 100GbE interfaces. The PTX10000 line gives network operators the performance and scalability needed to outpace increased traffic demands. Packet performance Groundbreaking Juniper silicon innovation powers the PTX10000 line routers with unparalleled packet processing for both full IP and MPLS functionality, thereby leveraging revolutionary 3D memory architecture. Exceptional packet processing capabilities help alleviate the challenge of scaling the network as traffic increases while optimizing IP/MPLS transit functionality around superior performance and elegant deployability. Full-scale IP and MPLS routing The PTX10000 line of routers features a rich set of IP/MPLS services, consistent low latency, and wire-rate forwarding at scale while providing the reliability needed to meet strict SLAs. Supports peering applications with more than 2 million IPv4 routes and 30 million routing information base (RIB) routing tables, 3000 OSPF adjacencies, and 4000 BGP sessions required to match expanding traffic demands. Segment Routing (SR) Junos OS supports Segment Routing, which provides the ability for a trusted source node to specify a forwarding path, other than the normal shortest path, that a particular packet will traverse. Enables traffic engineering at scale, link protection using topology-independent loop-free alternates (TI-LFA) implementation, VPN traffic steering, egress peering engineering, and path verification. High availability (HA) hardware The PTX10000 line is engineered with full hardware redundancy for cooling, power supply, REs, and switch fabric. High availability (HA) is a critical requirement for maintaining an always-on infrastructure base to meet stringent SLAs across the core. High availability software The PTX10000 line features a resilient operating system that supports HA features such as graceful RE switchover (GRES) and nonstop active routing (NSR) for high availability. PTX Series routers support 48 ms redundancy switchover under load. Junos OS supports HA features that allow software upgrades and changes without disrupting network traffic. Specifications
Table 2. PTX10000 Line Specifications*These numbers are power supply ratings. Actual power usage is much lower. **Assuming a max of 14W optics if fully populated and no air filter. Feature Specifications PTX10004 Physical dimensions (W x H x D) 17.4 x 12.2 x 35 in. (44.2 x 33 x 88.9 cm); 42.2 in. (107.7 cm) depth with EMI door Maximum weight 271.2 lb (116.7 kg) Mounting Front rack mount Power system rating* 200-240 VAC/50-60 Hz -48 VDC @ 60 A Typical power consumption 10.3 kW with Express4 line cards, fully loaded Operating temperature** 32° to 115° F (0° to 46° C) at sea level PTX10008 Physical dimensions (W x H x D) 17.4 x 22.55 x 32 in.(44.2 x 57.76 x 81.28 cm); 39.37 in. (100 cm) depth with EMI door Maximum weight 493 lb (223.62 kg) Mounting Front rack mount Power system rating* 200-240 VAC / 50-60 Hz -48 VDC @ 60 A Typical power consumption 17.3 kW with Express4 line cards, fully loaded Operating temperature 32° to 115° F (0° to 46° C) at sea level PTX10016 Physical dimensions (W x H x D) 17.4 x 36.65 x 35 in(44.2 x 93.09 x 88.90 cm); 42.40 in (107.7 cm) depth with EMI door Maximum weight 596 lb (270 kg) Mounting Front rack mount Power system rating* 200-240 VAC / 50-60 Hz -48 VDC @ 60 A Typical power consumption 18 kW with Express2 line cards, fully loaded Operating temperature 32° to 115° F (0° to 46° C) at sea level Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.PTX10000 Line Ordering Information
For more information, please contact your Juniper Networks representative.Product Number Description PTX10004 Premium and Base Units PTX10004-PREM3 PTX10004 redundant 4-slot chassis for 57.6Tbps. Includes 2 REs, 3 AC/HVDC or DC power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10004-PREM2 PTX10004 redundant 4-slot chassis. Includes 2 REs, 3 AC/HVDC or DC power supplies, 2 fan trays, 2 fan tray controllers, and 4 switch fabric cards. PTX10004-BASE3 PTX10004 base 4-slot chassis. Includes 1 RE, 3 AC/HVDC or DC power supplies, 2 fan trays, 2 fan tray controllers, and 3 switch fabric cards. PTX10008 Premium and Base Units PTX10008-PREM3 PTX10008 redundant 8-slot chassis for 115.2Tbps. Includes 2 REs, 6 power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10008-PREM2 PTX10008 redundant 8-slot chassis. Includes 2 REs, 6 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 4 switch fabric cards PTX10008-BASE3 PTX10008 base 8-slot chassis. Includes 1 RE, 6 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 3 switch fabric cards PTX10008-PREMIUM PTX10008 redundant 8-slot chassis [JNP10008]. Includes 2 REs, 6 power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10008-BASE PTX10008 8-slot chassis [JNP10008]. Includes 1 RE, 3 power supplies, 2 fan trays, 2 fan tray controllers, and 5 switch fabric cards. PTX10008-PREM3-SON PTX10008 8-slot chassis for 14.4T LC, including 1 RE running SONiC, 6 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10008-PREM2-SON PTX10008 8-slot chassis for 14.4T LC, including 1 RE running SONiC, 6 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 4 switch fabric cards. PTX10008-BASE3-SON PTX10008 8-slot chassis for 14.4T LC, including 1 RE running SONiC, 6 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 3 switch fabric cards. PTX10016 Premium and Base Units PTX10016-PREM3 PTX10008 redundant 16-slot chassis for 230.4Tbps. Includes 2 REs, 10 power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10016-PREM2 PTX10008 redundant 16-slot chassis. Includes 2 REs, 10 AC/ HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 4 switch fabric cards. PTX10016-BASE3 PTX10008 base 16-slot chassis. Includes 1 RE, 10 AC/HVDC/DC power supplies, 2 fan trays, 2 fan tray controllers, and 3 switch fabric cards. PTX10016-BASE PTX10016 16-slot chassis [JNP10016]. Includes 1 RE, 5 power supplies, 2 fan trays, 2 fan tray controllers, and 5 switch fabric cards. PTX10016-PREMIUM PTX10016 redundant 16-slot chassis [JNP10016]. Includes 2 REs, 10 power supplies, 2 fan trays, 2 fan tray controllers, and 6 switch fabric cards. PTX10000 Routing Engines JNP10K-RE0-BB PTX10000/JNP10000 RE X4, base bundle JNP10K-RE0-R PTX10000/JNP10000 RE X4, redundant JNP10K-RE0 PTX10000/JNP10000 RE X4 JNP10K-RE1-BB PTX10000/JNP10000 RE X8, base bundle JNP10K-RE1-R PTX10000/JNP10000 RE X8, redundant JNP10K-RE1 PTX10000/JNP10000 RE X8 JNP10K-RE1-E-BB PTX10000/JNP10000 RE X8 with Junos Evolved, base bundle JNP10K-RE1-E-R PTX10000/JNP10000 RE X8 with Junos Evolved, redundant JNP10K-RE1-E PTX10000/JNP10000 RE X8 with Junos Evolved JNP10K-RE1-S128-BB JNP10000 RE with SONiC, base bundle JNP10K-RE1-S128 JNP10000 RE with SONiC PTX10004 Switch Fabric JNP10004-SF3-BB PTX10004/JNP10004 switch fabric card supporting up to 14.4 Tbps LC, base bundle JNP10004-SF3-R PTX10004/JNP10004 switch fabric card supporting up to 14.4 Tbps LC, redundant JNP10004-SF3 PTX10004/JNP10004 switch fabric card supporting up to 14.4 Tbps LC PTX10008 Switch Fabric JNP10008-SF3-BB PTX10008/JNP10008 switch fabric card supporting up to 14.4 Tbps LC, base bundle JNP10008-SF3-R PTX10008/JNP10008 switch fabric card supporting up to 14.4 Tbps LC, redundant JNP10008-SF3 PTX10008/JNP10008 switch fabric card supporting up to 14.4 Tbps LC JNP10008-SF-BB PTX10008/JNP10008 switch fabric card, base bundle JNP10008-SF-R PTX10008/JNP10008 switch fabric card, redundant JNP10008-SF PTX10008/JNP10008 switch fabric card PTX10016 Switch Fabric JNP10016-SF3-BB PTX10016/JNP10016 switch fabric card supporting up to 14.4 Tbps LC, base bundle JNP10016-SF3-R PTX10016/JNP10016 switch fabric card supporting up to 14.4 Tbps LC, redundant JNP10016-SF3 PTX10016/JNP10016 switch fabric card supporting up to 14.4 Tbps LC JNP10016-SF-BB PTX10016/JNP10016 switch fabric card, base JNP10016-SF-R PTX10016/JNP10016 switch fabric card, redundant JNP10016-SF PTX10016/JNP10016 switch fabric card, base bundle PTX10000 Express4 Line Cards PTX10K-LC1201-36CD 36x400GbE/36x200GbE/36x100GbE/36x40GbE line card [JNP10K-LC1201] PTX10K-LC1202-36MR 4x400GbE and 32x100GbE [JNP10K-LC1202] S-PTX10K-144C-A1-3 SW, PTX10000 14.4T RTU Adv1 Lic, 3-year term, with SW support S-PTX10K-144C-A2-3 SW, PTX10000 14.4T RTU Adv2 Lic, 3-year term, with SW support S-PTX10K-144C-P1-3 SW, PTX10000 14.4T RTU Prem1 Lic, 3-year term, with SW support S-PTX10K-144C-P2-3 SW, PTX10000 14.4T RTU Prem2 Lic, 3-year term, with SW support S-PTX10K-144C-A1-5 SW, PTX10000 14.4T RTU Adv1 Lic, 5-year term, with SW support S-PTX10K-144C-A2-5 SW, PTX10000 14.4T RTU Adv2 Lic, 5-year term, with SW support S-PTX10K-144C-P1-5 SW, PTX10000 14.4T RTU Prem1 Lic, 5-year term, with SW support S-PTX10K-144C-P2-5 SW, PTX10000 14.4T RTU Prem2 Lic, 5-year term, with SW support S-PTX10K-144C-A1-P SW, PTX10K, 14.4T, Adv1, without SW support, perpetual S-PTX10K-144C-A2-P SW, PTX10K, 14.4T, Adv2, without SW support, perpetual S-PTX10K-144C-P1-P SW, PTX10K, 14.4T, Pre1, without SW support, perpetual S-PTX10K-144C-P2-P SW, PTX10K, 14.4T, Pre2, without SW support, perpetual S-PTX10K-48C-A1-3 SW, PTX10K, 4.8T, Advanced 1, with SW support, 3 year S-PTX10K-48C-A2-3 SW, PTX10K, 4.8T, Advanced 2, with SW support, 3 year S-PTX10K-48C-P1-3 SW, PTX10K, 4.8T, Premium 1, with SW support, 3 year S-PTX10K-48C-P2-3 SW, PTX10K, 4.8T, Premium 2, with SW support, 3 year S-PTX10K-48C-A1-5 SW, PTX10K, 4.8T, Advanced 1, with SW support, 5 year S-PTX10K-48C-A2-5 SW, PTX10K, 4.8T, Advanced 2, with SW support, 5 year S-PTX10K-48C-P1-5 SW, PTX10K, 4.8T, Premium 1, with SW support, 5 year S-PTX10K-48C-P2-5 SW, PTX10K, 4.8T, Premium 2, with SW support, 5 year S-PTX10K-48C-A1-P SW, PTX10K, 4.8T, Adv1, without SW support, perpetual S-PTX10K-48C-A2-P SW, PTX10K, 4.8T, Adv2, without SW support, perpetual S-PTX10K-48C-P1-P SW, PTX10K, 4.8T, Pre1, without SW support, perpetual S-PTX10K-48C-P2-P SW, PTX10K, 4.8T, Pre2, without SW support, perpetual PTX10000 Express2 Line Cards PTX10K-LC110 30x100GbE/30x40GbE line card [JNP10K-LC1101] PTX10K-LC1101-IR 30x100GbE/30x40GbE line card [JNP10K-LC1101], IR mode PTX10K-LC1101-R 30x100GbE/30x40GbE line card [JNP10K-LC1101], R mode PTX10K-LC1102 36X40GbE/12X100GbE line card [JNP10K-LC1102] PTX10K-LC1102-IR 36X40GbE/12X100GbE line card [JNP10K-LC1102], IR mode PTX10K-LC1102-R 36X40GbE/12X100GbE line card [JNP10K-LC1102], R mode PTX10K-LC1104 6x100GbE/150GbE/200GbE DWDM line card with MACsec [JNP10K-LC1104] PTX10K-LC1105 30x100GbE/30x40GbE line card with MACsec [JNP10K-LC1105] PTX10K-LC1105-IR 30x100GbE/30x40GbE line card with MACsec [JNP10K-LC1105], IR mode PTX10K-LC1105-R 30x100GbE/30x40GbE line card with MACsec [JNP10K-LC1105], R mode PTX10004 Fan Tray and Controller JNP10004-FAN2-BB JNP10004 fan, Gen2, base bundle JNP10004-FAN2 JNP10004 fan, Gen2 JNP10004-FTC2-BB JNP10004 fan tray controller, Gen2, base bundle JNP10004-FTC2 JNP10004 fan tray controller, Gen2 PTX10008 Fan Tray and Controller JNP10008-FAN-BB PTX10008/JNP10008 fan, base bundle JNP10008-FAN PTX10008/JNP10008 fan JNP10008FANCTRL-BB PTX10008/JNP10008 fan tray controller, base bundle JNP10008-FAN-CTRL PTX10008/JNP10008 fan tray controller JNP10008-FAN2-BB JNP10008 fan, Gen2, base bundle JNP10008-FAN2 JNP10008 fan, Gen2 JNP10008-FTC2-BB JNP10008 fan tray controller, Gen2, base bundle JNP10008-FTC2 JNP10008 fan tray controller, Gen2 PTX10016 Fan Tray and Controller JNP10016-FAN-BB PTX10016/JNP10016 fan, base bundle JNP10016-FAN PTX10016/JNP10016 fan JNP10016FANCTRL-BB PTX10016/JNP10016 fan tray controller, base bundle JNP10016-FAN-CTRL PTX10016/JNP10016 fan tray controller JNP10016-FAN2-BB JNP10016 fan, Gen2, base bundle JNP10016-FAN2 JNP10016 fan, Gen2 JNP10016-FTC2-BB JNP10016 fan tray controller, Gen2, base bundle JNP10016-FTC2 JNP10016 fan tray controller, Gen2 PTX10000 Power Cables CBL-PWR2-L6-30P Power cord, JNP10000 AC2 L6-30P CBL-PWR2-L6-30P-RA Power cord, JNP10000 AC2 RA L6-30P CBL-PWR2-330P6W Power cord, JNP10000 AC2 IEC309-330P6W CBL-PWR2-330P6W-RA Power cord, JNP10000 AC2 RA IEC309-330P6W CBL-PWR2-332P6W Power cord, JNP10000 AC2 IEC309-332P6W CBL-PWR2-332P6W-RA Power cord, JNP10000 AC2 RA IEC309-332P6W PTX10000 Power Modules JNP10K-PWR-AC2-BB JNP10000 5000 watts AC/HVDC power supply base bundle JNP10K-PWR-AC2-R JNP10000 5000 watts AC/HVDC power supply redundant JNP10K-PWR-AC2 JNP10000 5000 watts AC/HVDC power supply JNP10K-PWR-DC2-BB JNP10000 5000 watts DC power supply base bundle JNP10K-PWR-DC2-R JNP10000 5000 watts DC power supply redundant JNP10K-PWR-DC2 JNP10000 5000 watts DC power supply JNP10K-PWR-AC-BB PTX10000/JNP10000 2700 W AC power supply, base bundle JNP10K-PWR-AC-R PTX10000/JNP10000 2700 W AC power supply, redundant JNP10K-PWR-AC PTX10000/JNP10000 2700 W AC power supply JNP10K-PWR-DC-BB PTX10000/JNP10000 2500 W DC power supply, base bundle JNP10K-PWR-DC-R PTX10000/JNP10000 2500 W DC power supply,redundant JNP10K-PWR-DC PTX10000/JNP10000 2500 W DC power supply PTX10004 Front Panels JNP10004-FRPNL-BB PTX10004/JNP10004 front panel, base bundle JNP10004-FRNT-PNL PTX10004/JNP10004 front panel JNP10004-FRPNL1-BB PTX10004/JNP10004 front panel with filter, base bundle JNP10004-FRPNL1 PTX10004/JNP10004 front panel with filter JNP10004-FLTR PTX10004/JNP10004 replaceable filter PTX10008 Front Panels JNP10008-FRPNL-BB PTX10008/JNP10008 front panel, base bundle JNP10008-FRNT-PNL PTX10008/JNP10008 front panel JNP10008-FRPNL1-BB PTX10008/JNP10008 front panel with filter, base bundle JNP10008-FRPNL1 PTX10008/JNP10008 front panel with filter JNP10008-FLTR PTX10008/JNP10008 replaceable filter PTX10016 Front Panels JNP10008-FLTR PTX10008/JNP10008 replaceable filter JNP10016-FRPNL-BB PTX10016/JNP10016 front panel, base bundle JNP10016-FRNT-PNL PTX10016/JNP10016 front panel JNP10016-FRPNL1-BB PTX10016/JNP10016 front panel with filter, base bundle JNP10016-FRPNL1 PTX10016/JNP10016 front panel with filter JNP10016-FLTR PTX10016/JNP10016 replaceable filter -
Product Overview
Changing market dynamics have intensified the challenge of accommodating growth with traditional products and architectures. Juniper’s secure and automated solutions help cloud-based networks quickly react to these evolving conditions, accelerating service delivery with world-class products and innovative architectural components. PTX Series Fixed Configuration Routers with custom Express3 and Express4 silicon are an integral part of this solution, delivering a massively scalable and efficient core architecture across space- and power-constrained cloud provider, service provider, and enterprise networks, reducing TCO with innovative, highly flexible, high-performance platforms built for the most demanding environments.Product Description
The Juniper Networks® PTX Series Packet Transport Routers transform the core network with physical and virtual innovations that deliver unprecedented scale at the lowest cost per bit. Four fixed-configuration platforms are available: the PTX1000 Packet Transport Router, the industry’s first 2 U packet transport routing device; the PTX10001-36MR Packet Transport Router, a compact, power-optimized 400GbE platform based on custom Express4 silicon; the PTX10002 Packet Transport Router, a second-generation device that doubles the density of the PTX1000 with Juniper Networks Express3™ silicon; and the PTX10003, the industry’s first 3U 400-GbE enabled packet transport routing device. These transport routers give cloud and communication providers the freedom to develop and deliver new virtualized services anywhere in the network with elastic architectures and precise traffic controls, without compromising the service experience.The Evolving Landscape
New traffic dynamics such as mobility, video, and cloud-based services are transforming traditional network patterns and topologies. Stratified, statically designed, and manually operated networks must evolve to support the constantly growing volumes of traffic quickly and economically. Many operators have seen their profits stagnate and TCO grow under the burden that these growing traffic volumes are imposing. Cloud and service providers need to become more agile in order to optimize their existing network resources, shorten planning cycles, and remove rigid network layers. Operators are facing the following challenges under the current environment:- Static scale: The cloud and communication providers’ backbone handles the full weight of network traffic. Therefore, it is paramount that core networks are inherently designed for scalability and efficiency. The 400GbE-capable platforms, 100/400GbE inline MACsec, silicon, system, and SDN innovations for the core empower network operators to scale faster than the traffic in an elegant, elastic, redundant package—without requiring forklift upgrades.
- Static architecture: Virtualized services and the explosion of cloud-based applications are creating increasingly unpredictable traffic patterns. To handle this unpredictability, service providers need a dynamic, scale-out architecture across all layers to create programmable, traffic-optimized networks that support any service, anywhere.
- Power costs: For cloud and communication providers, the operational cost of transmitting a packet through the core is less than the cost of the power required to move that packet. In fact, projections suggest that over a few short years, the total power draw will exceed the cost of deploying the entire network infrastructure. Efficient power utilization by the core router requires a holistic ground-up engineering approach.
- Facility limitations: Service providers cannot grow their facilities exponentially forever. They need innovations that provide a low-touch deployment model optimized around space availability, facility power requirements, and floor weight thresholds. Transport-oriented central office locations have the added burden of meeting European Telecommunications Standards Institute (ETSI) standard depth. Any transit router innovation must operate within these constraints.
Architecture and Key Components
The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 fixed-configuration packet transport routers bring physical and virtual innovation to the cloud and service provider core networks, addressing concerns about operational expenditures while scaling organically to keep pace with growing traffic demands with the following features:- Core routing: The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 employ a massively scalable yet compact 1, 2, or 3 U form factor with secure connectivity and high flexibility.
- Peering: The PTX Series fixed platforms are perfect for scale-out peering in space- and power-constrained environments with full traffic visibility and L3 services.
- LSR: The PTX Series fixed platforms provide 2.88 Tbps to 16 Tbps aggregate capacity for multi-plane core networks as an LSR router. They can also be positioned as an LSR fabric node in spine-leaf architectures for increased scale and reduced blast radius.
- CDN Gateway: The compact PTX Series offers high routing scale in a 1, 2, or 3 U fixed form factor for full traffic statistics visibility and deep buffers.
- Data Center Interconnect (DCI): The PTX10001-36MR and PTX10003 offer secure inline MACsec with no compromise in throughput or latency, and an extended range enabled by 400GbE ZR / ZR+.
Innovations in Silicon
Physical innovations at the core silicon level enable the PTX Series fixed-configuration routers to reduce OpEx and accommodate scale-out architectures with smooth migration paths as traffic patterns change.Express3 and Express-Based Silicon
The PTX1000 and PTX10002 are powered by Express3 silicon, delivering predictable IP/MPLS packet performance and functionality. The PTX10003 is powered by functionally equivalent Express3 Silicon to support high-density 100/200/400GbE interfaces and inline MACsec with no performance penalty while delivering the same IP/MPLS functionality. Express3 silicon eliminates the complex sawtooth packet profile found in elaborate, over-engineered network processing units (NPUs) deployed in other core routers. This delivers the peering scale required to match expanding traffic demands. These devices build upon the Juniper Networks Junos® Express silicon concepts of low consistent latency and wire-rate packet performance for both IP traffic and MPLS transport, without sacrificing the optimized system power profile. These concepts are incorporated into the PTX Series design along with full IP functionality, preserving the spirit of the original Junos Express chipset. The Express3 silicon is the first purpose-built telecommunications silicon to engineer a 3D memory architecture into the base design for more than 1.6 billion filter operations per second, dynamic table memory allocation for mammoth IP routing scale, and enormous power efficiency gains. The PTX10003 supports inline MACsec on all interfaces using 10/40/100GbE.Express4 Silicon
The PTX10001-36MR is powered by the highly scalable, next-generation ASIC in the Express silicon family, Juniper Express4 silicon—the industry’s first inline MACsec for 400GbE chips that supports universal multirate QSFP56-DD. Juniper Express4 silicon delivers consistently low latency, 8m counters, 256 AES MACsec encryption supported on all ports, and wire-rate packet performance for IP traffic without sacrificing the optimized system power profile. Preserving the spirit of the Junos Express silicon family, Juniper Express4 silicon is the first purpose-built telecommunications silicon to incorporate a 3D memory architecture into the base design, offering the industry’s highest packet performance per gigabit in the fewest rack units. It also provides dynamic table memory allocation for massive IP routing scale while delivering tremendous power efficiency gains at 0.14 Watts/Gig. The ability to address a provider’s core networking requirements—scale, operational flexibility, and SDN control—begins with the silicon. With the PTX Series fixed-configuration routers, operators can now deploy a core architecture with SDN control. Combining Juniper Networks NorthStar Controller with a robust full-featured Internet backbone router, and a regional IP/MPLS core router with integrated 100GbE coherent transport for superior performance, operators can tune their network infrastructure through proactive monitoring and what-if planning capabilities. The NorthStar Controller dynamically creates explicit routing paths using a global view based on user-defined constraints to create a fully autonomous operation. Scale is one of the guiding design principles for the PTX Series routers, allowing network operators to smoothly handle increased traffic demands. The PTX Series fixed-configuration routers simplify network engineering challenges with predictable system latency, improving the overall service experience by delivering best-in-class resiliency to help providers meet strict customer service-level agreements (SLAs). Operational efficiency is another design attribute for the PTX Series routers, focusing on power, space, and weight—fundamental concerns that affect network operators’ operational budgets. Juniper has designed the PTX Series to fit the requirements of current and future data center facilities. SDN programmability brings virtual innovations to the service provider core, while the NorthStar Controller offers an open, standards-based solution that optimizes both the IP layer and the transport layer with precise SDN control, allowing network operators to fully automate and scale their operations with ease.PTX1000, PTX10002, and PTX10003 Fixed-Configuration Packet Transport Routers
PTX1000
The PTX1000, with its rich IP/MPLS feature set, lets service providers organically distribute peering points throughout the network without sacrificing performance and deployability—the main contributors to eroding TCO for service providers when peering. The PTX1000 expands the applications scope that the PTX Series architecture addresses, enabling service providers to implement a distributed core architecture for interconnecting growing cloud services. Service providers can distribute peering points to match traffic demand with an optimized core router without sacrificing performance or deployability. The PTX1000 is a first-generation fixed-configuration core router, providing up to 3 million FIB and 10+ million routing information base (RIB) in a 2 U footprint, making it easily deployable in space-constrained Internet exchange locations, remote central offices, and embedded peering points anywhere in the network, including cloud-hosted services. The PTX1000 operates at 2.88 Tbps in a fixed core router configuration and supports flexible interface configuration options, including 288 10GbE ports via a quad small form-factor pluggable plus transceiver (QSFP+) breakout, 72 40GbE ports via QSFP+, and 24 100GbE ports via QSFP28.PTX10001-36MR
The PTX10001-36MR features a compact, 1 U form factor that is easy to deploy in space- and power-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud- hosted services. The PTX10001-36MR is particularly suited for power-constrained environments, providing unprecedented power efficiency of 0.14 watts/Gbps. It offers up to 4 million IPv4 FIB, deep buffers, and integrated 100GbE and 400GbE MACsec capabilities. The PTX10001-36MR operates at 9.6 Tbps in a fixed core router configuration with 36 multi-rate ports—24 400GbE (QSFP56-DD) ports and 12 100GbE (QSFP28) ports to facilitate the migration from 100GbE to 400GbE deployments. The PTX10001-36MR features flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 120 10GbE ports with QSFP+ breakout, 60 100GbE ports with QSFP28-DD (24x2) and QSFP28 (12), 108 100GbE ports with QSFP56-DD breakout (24x4) and QSFP28 (12), and 24 400GbE ports with QSFP56-DD. PTX10001-36MR supports MACSec on all ports, regardless of the port speed.PTX10002
The PTX10002 is a second-generation PTX Series fixed-configuration core router featuring a compact, 2 U form factor that is easy to deploy in space-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud-hosted services. The PTX10002 operates at 6 Tbps in a fixed core router configuration. It supports flexible interface configuration options, offering 60 physical quad small form-factor pluggable 28 (QSFP28) 100GbE ports, 60 QSFP+ 40GbE ports, and 192 10GbE ports via QSFP+ breakout cables.PTX10003
The PTX10003 is a fixed-configuration core router featuring a compact, 3 U form factor that is easy to deploy in space-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud-hosted services. It offers up to 4 million FIB, deep buffers, and integrated 100GbE MACsec capabilities. The PTX10003 uniquely addresses power-constrained environments by providing unprecedented power efficiency of 0.2 watts/Gbps. Two versions of the PTX10003 are available, supporting 8 Tbps and 16 Tbps respectively in a 3 U footprint. Operating in a fixed core router configuration, the 8 Tbps model features flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 160 (QSFP+) 10GbE ports, 80 (QSFP28) 100GbE ports, 32 (QSFP28-DD) 200GbE ports, and 16 (QSFP56-DD) 400GbE ports. The 16 Tbps model also offers universal multi-rate QSFP-DD for 100GbE/400GbE to support 320 (QSFP+) 10GbE ports, 160 (QSFP28) 100GbE ports, 64 (QSFP28-DD) 200GbE ports, and 32 (QSFP56-DD) 400GbE ports. PTX10001-36MR and PTX10003 routers offer native SFP+ transceiver support through QSFP adapter, MAM1Q00A-QSA . This option enables deployments where 10GE connectivity over more than 10KM single mode fiber links is required.Features and Benefits
Performance is one of the guiding design principles for the PTX Series Packet Transport Routers. This focus empowers cloud and service providers with superior scale to match increased traffic levels and network engineering challenges with predictable system latency to improve the overall service experience, deliver best-in-class resiliency, and ensure that services meet strict customer SLAs. Deployability is the other guiding design principle for the PTX Series routers, focusing on power, space, and weight—fundamental concerns that impact service providers’ operational budget with respect to growing traffic. Infinite programmability with automation and telemetry brings virtual innovations to the cloud and service provider core, while the NorthStar Controller is an open, standards-based solution that optimizes both the IP layer and the transport layer with precise SDN control, allowing service providers to automate and scale operations with efficiency, simplicity, and security. One Junos Experience delivers operational consistency and uniformity across PTX Series platforms and solutions. The most modern OS on the market, Junos Evolved, is designed from the ground up for reliability, resiliency, velocity, and integration simplicity. Table 1 summarizes the features available on the fixed-configuration PTX Series Packet Transport Routers.Table 1. Fixed-Configuration PTX Series Features and BenefitsFeature Feature Description Benefit System capacity The PTX1000 scales to 3 Tbps in a single chassis, breaking out into 288 10GbE, 72 40GbE, and 24 100GbE interfaces. The PTX10001-36MR scales to 9.6 Tbps in a single chassis, featuring flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 120 10GbE ports with QSFP+ breakout, 60 100GbE ports with QSFP28-DD (24x2) and QSFP28 (12), 108 100GbE ports with QSFP56-DD breakout (24x4) and QSFP28 (12), and 24 400GbE ports with QSFP56-DD. The PTX10002 scales to 6 Tbps in a single chassis, breaking out into 192 10GbE, 60 40GbE, and 60 100GbE interfaces. The PTX10003 8 Tbps model scales to 8 Tbps is a single chassis, breaking out into 160 10GbE, 80 100GbE, 32 200GbE, and 16 400GbE interfaces. The PTX10003 16 Tbps model scales to 16 Tbps in a single chassis, breaking out into 320 10GbE, 160 100GbE, 64 200GbE, and 32 400GbE interfaces. The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 give cloud and service providers the performance and scalability needed to outpace growing traffic demands. High availability (HA) hardware The PTX1000, PTX10001-36MR, PTX10002 and PTX10003 are built with hardware redundancy for cooling, power supplies, and forwarding. HA is critical for service providers to maintain an always-on infrastructure base and meet stringent SLAs across the core. Packet performance The PTX1000 and PTX10002 include groundbreaking Express3 silicon, empowering them with unparalleled packet processing for both full IP functionality and MPLS transport, leveraging a revolutionary 3D memory architecture. The PTX10003 uses a newer version of Express3 silicon that delivers inline MACsec on all ports and dense 100/400GbE. The PTX10001-36MR uses the next generation of Express, Express4 silicon, that delivers 100/400GbE inline MACsec on all ports for dense 400GbE architectures. Exceptional packet processing capabilities help alleviate the challenge of scaling the network as traffic levels increase while optimizing IP/MPLS transit functionality around superior performance and elegant deployability. Ultra-compact 1 U, 2 U and 3 U form factor With cutting-edge innovation in power and cooling technology, the PTX fixed-configuration core routers provide compact, power-optimized scale and efficiency. The PTX1000 provides 2.88 Tbps of capacity in a 2 U form factor; the PTX10001-36MR provides 9.6 Tbps in a 1 U form factor; the PTX10002 provides 6 Tbps of capacity in a 2 U form factor; the PTX10003 provides up to 16 Tbps of capacity in a 3 U form factor. Space efficiency is a critical requirement for peering Internet exchange points, peering collocations, central offices, and regional networks, especially in emerging markets. Security The PTX Series Packet Transport routers use a combination of hardware-based mechanisms like MACsec and software-based features like firewall filters and DDoS to provide scalable security. 100GbE and 400GbE inline MACsec is supported on all ports with no compromise in latency. Inline data plane MACsec security with no throughput or latency penalties in addition to control plane security with DDoS. PTX Series Fixed-Configuration Routers Specifications
Hardware PTX1000 PTX10001-36MR PTX10002 PTX10003 (8T) PTX10003 (16T) System throughput 3 Tbps 9.6 Tbps 6 Tbps 8 Tbps 16 Tbps Forwarding capacity Up to 2 Bpps Up to 6 Bpps Up to 4 Bpps Up to 5.3 Bpps Up to 10.6 Bpps Max. 10GbE port density 288 120 192 160 320 Max. 40GbE port density 72 30 60 40 80 Max. 100GbE port density 24 108 60 80 160 Max 200GbE port density - 48 - 32 64 Max 400GbE port density - 24 - 16 32 Dimension (WxHxD) 17.4 x 3.46 x 31 in (44.2 x 8.8 x 78.7 cm) 17.3 x 1.75 x 25.5 in (44 x 4.45 x 64.8 cm) 17.4 x 3.46 x 31 in (44.2 x 8.8 x 78.7 cm) 17.4 x 5.25 x 31 in (44.2 x 13.3 x 78.7 cm) 17.4 x 5.25 x 31 in (44.2 x 13.3 x 78.7 cm) Rack units 2 U 1 U 2 U 3 U 3 U Weight 68 lb (31 kg) 39.7 lb (18 kg) 68 lb (31 kg) 88 lb (40 kg) 110 lb (50 kg) CPU Intel Quad Core Ivy Bridge 2.5 GHz CPU Intel Xeon 12-Core 2.1 GHz CPU Intel Quad Core Ivy Bridge 2.5 GHz CPU Intel Broadwell CPU with 12 Cores Intel Broadwell CPU with 12 Cores RAM 32 Gb SDRAM 64 Gb SDRAM 32 Gb SDRAM 64 Gb SDRAM 64 Gb SDRAM SSD 64 GBx2 200 GBx2 64 GBx2 200 GBx2 200 GBx2 Maximum power draw 1425 W (AC, DC), 4862 BTU/hr 2164 W (AC, DC), 7384 BTU/hr 2425 W (AC, DC), 8274 BTU/hr ~2500 W (AC,DC), 8525 BTU/hr ~4000 W (AC.DC), 13640 BTU/hr Typical power draw 1050 W (AC, DC), 3583 BTU/hr 1300 W (AC, DC), 4436 BTU/hr 1850 W (AC, DC), 6312 BTU/hr ~1600 W (AC,DC), 5456 BTU/hr ~3100W (AC,DC), 10571 BTU/hr Power supply 4x1600 watts (AC/DC) 2x3000 watts (AC/DC) 4x1600 watts (AC/DC) 2x3000 watts (AC/DC) 4x3000 watts (AC/DC) Cooling (front-to-back fan) 3 hot-swappable redundant fans 6 hot-swappable redundant fans 3 hot-swappable redundant fans 3 hot-swappable redundant fans 5 hot-swappable redundant fans Packet buffer 24 Gb 24 Gb 24 Gb 64 Gb 128 Gb Latency 2.5 µs within Packet Forwarding Engine (PFE), 5 µs between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs Power Efficiency (watts/Gbps) 0.4 0.14 0.3 0.2 0.2 PTX1000, PTX10002, and PTX10003 Software Feature Table
Feature PTX1000 PTX10001-36MR PTX10002 PTX10003 (8/16 Tbps) MPLS-TE Yes Yes Yes Yes MPLS LSR Yes Yes Yes Yes Firewall filters ACL Yes Yes Yes Yes SPRINGv4 Yes Yes Yes Yes DDoS control plane Yes Yes Yes Yes JFlow/SFlow Yes Yes Yes Yes BGP FlowSpec, EPE, URPF, L3VPN Yes Yes Yes Yes Integrated routing and bridging (IRB) Yes Yes Yes Yes Telemetry, NETCONF/YANG Yes Yes Yes Yes Zero Touch Provisioning (ZTP) Yes Yes Yes Yes PCEP, BGP-LS Yes Yes Yes Yes Fast restoration Yes Yes Yes Yes Operation, Administration, and Maintenance (OAM) Yes Yes Yes Yes Management Interfaces
- 1 small form-factor pluggable transceiver (SFP/SFP+) port or Precision Time Protocol (PTP) Grandmaster
- Fiber (SFP) or 10/100/1000BASE-T (RJ-45) Ethernet management port
- SMB in, SMB out, 10 MHz in, 10 MHz out
- One console port
- USB 2.0 storage interface
Environmental Ranges
- Operating temperature: 32° to 115° F (0° to 46° C) at sea level
- Storage temperature: -40° to 158° F (-40° to 70° C)
- Operating altitude: Up to 10,000 ft. (3048 m)
- Relative humidity operating: 5 to 90% (noncondensing)
- Relative humidity nonoperating: 5 to 95% (noncondensing)
- Seismic: Designed to meet GR-63, Zone 4 earthquake requirements
Safety and Compliance
Safety
- CAN/CSA-C22.2 No. 60950-1 Information Technology Equipment—Safety
- UL 60950-1 Information Technology Equipment—Safety
- EN 60950-1 Information Technology Equipment—Safety
- IEC 60950-1 Information Technology Equipment—Safety (all country deviations)
- EN 60825-1 Safety of Laser Products—Part 1: Equipment Classification
Electromagnetic Compatibility
- 47CFR Part 15, (FCC) Class A
- ICES-003 Class A
- EN 55022 Class A
- CISPR 22 Class A
- EN 55024
- CISPR 24
- EN 300 386
- VCCI Class A
- AS/NZA CISPR22 Class A
- KN22 Class A
- CNS 13438 Class A
- EN 61000-3-2
- EN 61000-3-3
- ETSI
- ETSI EN 300 019: Environmental Conditions & Environmental Tests for Telecommunications Equipment
- ETSI EN 300 019-2-1 (2000)—Storage
- ETSI EN 300 019-2-2 (1999)—Transportation
- ETSI EN 300 019-2-3 (2003)—Stationary Use at Weather-protected Locations
- ETS 300753 (1997)—Acoustic noise emitted by telecommunications equipment
Environmental Compliance
Restriction of Hazardous Substances (ROHS) 6/6 Silver PSU Efficiency Recycled material Waste Electronics and Electrical Equipment (WEEE) Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) China Restriction of Hazardous Substances (ROHS)Telco
- Common Language Equipment Identifier (CLEI) code
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.Automated Support and Prevention
Juniper’s Automated Support and Prevention consists of an ecosystem of tools, applications, and systems targeted towards simplifying and streamlining operations, delivering operational efficiency, reducing downtime, and increasing your network’s ROI running Juniper Networks Junos operating system. Automated Support and Prevention brings operational efficiency by automating several time-consuming tasks such as incident management, inventory management, proactive bug notification, and on-demand EOL/EOS/EOE reports. The Junos Space® Service Now and Service Insight service automation tools are standard entitlements of all Juniper Care contracts.Warranty
For warranty information, please visit https://support.juniper.net/support/warranty/Ordering Information
Product Number Description PTX1000 PTX1K-72Q-AC PTX1000 base system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC PTX1000 base system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-AC-IR PTX1000 LSR/peering system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC-IR PTX1000 LSR/peering system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-AC-R PTX1000 full IP system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC-R PTX1000 full IP system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC PTX1000 base system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC PTX1000 base system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC-IR PTX1000 LSR/peering system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC-IR PTX1000 LSR/peering system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC-R PTX1000 full IP system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC-R PTX1000 full IP system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC PTX1000 base system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC PTX1000 base system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC-IR PTX1000 LSR/peering system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC-IR PTX1000 LSR/peering system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC-R PTX1000 full IP system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC-R PTX1000 full IP system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays S-PTX1K-72Q-SCA-UP PTX1000 scale-up software license to upgrade 72 port system (base to LSR or LSR to full IP) S-PTX1K-36Q-SCA-UP PTX1000 scale-up software license to upgrade 36 port system (base to LSR or LSR to full IP) S-PTX1K-18Q-SCA-UP PTX1000 scale-up software license to upgrade 18 port system (base to LSR or LSR to full IP) S-PTX1K-UPG-18Q PTX1000 software license to add 18 more ports to base system S-PTX1K-UPG-18Q-IR PTX1000 software license to add 18 more ports to LSR/peering system S-PTX1K-UPG-18Q-R PTX1000 software license to add 18 more ports to full IP system JPSU-1600W-AC-AFO PTX1000 1600 W AC power supply JPSU-1600W-DC-AFO PTX1000 1600 W DC power supply PTX1000-FAN-S PTX1000 fan JNP-3000W-DC-AFO DC power supply for JNP10003-160C and JNP10003-80C fixed platforms PTX10001-36MR PTX10001-36MR-AC PTX10001 36 QSFP56-DD / QSFP28 multi-rate port base system with redundant AC Power supplies, FAN trays, Junos Evolved PTX10001-36MR-DC PTX10001 36 QSFP56-DD / QSFP28 multi-rate port base system with redundant DC Power supplies, FAN trays, Junos Evolved JNP-FAN2-1RU Fan Tray for JNP10001-36MR platform JNP10001-36MR JNP10001 chassis with 36 QSFP56-DD / QSFP28 multi-rate ports, no power supplies or fans JNP-3000W-AC-AFO AC power supply for JNP10001-36MR fixed platform JNP-3000W-DC-AFO DC power supply for JNP10001-36MR fixed platform S-PTX10K-108C-A1-P SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, without SW support, Perpetual S-PTX10K-108C-A2-P SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, without SW support, Perpetual S-PTX10K-108C-P1-P SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, without SW support, Perpetual S-PTX10K-108C-P2-P SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, without SW support, Perpetual S-PTX10K-108C-A1-5 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, with SW support, 5 Years S-PTX10K-108C-A2-5 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, with SW support, 5 Years S-PTX10K-108C-P1-5 SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, with SW support, 5 Years S-PTX10K-108C-P2-5 SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, with SW support, 5 Years S-PTX10K-108C-A1-3 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, with SW support, 3 Years S-PTX10K-108C-A2-3 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, with SW support, 3 Years S-PTX10K-108C-P1-3 SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, with SW support, 3 Years S-PTX10K-108C-P2-3 SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, with SW support, 3 Years S-PTX10K100GMSEC-P SW, PTX10K 100G MACsec License SKU, w/out Customer Support, must purchase CS SKU separately, Perpetual S-PTX10K400GMSEC-P SW, PTX10K 400G MACsec License SKU, w/out Customer Support, must purchase CS SKU separately, Perpetual PTX10002 PTX10002-60C-AC PTX10002 base system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC PTX10002 base system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-AC-IR PTX10002 LSR/peering system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC-IR PTX10002 LSR/peering system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-AC-R PTX10002 full IP system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC-R PTX10002 full IP system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-AC PTX10002 base system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DC PTX10002 base system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-ACIR PTX10002 LSR/peering system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DCIR PTX10002 LSR/peering system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-AC-R PTX10002 full IP system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DC-R PTX10002 full IP system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays JPSU-1600W-AC-AFO PTX1000 1600 W AC power supply JPSU-1600W-DC-AFO PTX1000 1600 W DC power supply JNP10002-FAN1 PTX10002 fan S-PTX10K2-60C-S-UP PTX10002 scale-up software license to upgrade 60-port system (base to LSR or LSR to full IP) S-PTX10K2-30C-S-UP PTX10002 scale-up software license to upgrade 30-port system (base to LSR or LSR to full IP) S-PTX10K2-15C-S-UP PTX10002 scale-up software license to upgrade 15-port system (base to LSR or LSR to full IP) S-PTX10K2-U-15C PTX10002 software license to add 15 more ports to base system S-PTX10K2-U-15C-IR PTX10002 software license to add 15 more ports to LSR/peering system S-PTX10K2-U-15C-R PTX10002 software license to add 15 more ports to full IP system PTX10003 PTX10003-160C-AC PTX10003-160C base system with 160 100GbE ports or 32 400GbE ports, 4 3000W AC power supplies, 4 power cables, and 5 fan trays, with standard tier right-to-use license PTX10003-160C-DC PTX10003-160C base system with 160 100GbE ports or 32 400GbE ports, 4 3000W DC power supplies, and 5 fan trays, with standard tier right-to-use license PTX10003-80C-AC PTX10003-80C base system with 80 100GbE ports or 16 400GbE ports, 2 3000W AC power supplies, 2 power cables, and 3 fan trays, with standard tier right-to-use license PTX10003-80C-DC PTX10003-80C base system with 80 100GbE ports or 16 400GbE ports, 2 3000W DC power supplies, and 3 fan trays, with standard tier right-to-use license S-PTX10K3-16T-A1-P 16T PTX10003 Advanced1 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-A2-P 16T PTX10003 Advanced2 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-P1-P 16T PTX10003 Premium1 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-P2-P 16T PTX10003 Premium2 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-A1-5 16T PTX10003 Advanced1 tier right-to-use license, 5-year term, with SW support S-PTX10K3-16T-A2-5 16T PTX10003 Advanced2 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-P1-5 16T PTX10003 Premium1 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-P2-5 16T PTX10003 Premium2 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-A1-3 16T PTX10003 Advanced1 tier right-to-use license, 3-year term, with SW support S-PTX10K3-16T-A2-3 16T PTX10003 Advanced2 tier right-to-use license, 3-year term, with software support S-PTX10K3-16T-P1-3 16T PTX10003 Premium1 tier right-to-use license, 3-year term, with software support S-PTX10K3-16T-P2-3 16T PTX10003 Premium2 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-A1-P 8T PTX10003 Advanced1 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-A2-P 8T PTX10003 Advanced2 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-P1-P 8T PTX10003 Premium1 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-P2-P 8T PTX10003 Premium2 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-A1-5 8T PTX10003 Advanced1 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-A2-5 8T PTX10003 Advanced2 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-P1-5 8T PTX10003 Premium1 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-P2-5 8T PTX10003 Premium2 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-A1-3 8T PTX10003 Advanced1 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-A2-3 8T PTX10003 Advanced2 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-P1-3 8T PTX10003 Premium1 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-P2-3 8T PTX10003 Premium2 tier right-to-use license, 3-year term, with software support JNP10003-160C-CHAS JNP10003-160C spare chassis with 160 100GbE ports or 32 400GbE ports JNP10003-80C-CHAS JNP10003-80C spare chassis with 80 100GbE ports or 16 400GbE ports JNP10003-FAN Fan tray for 3RU 8T and 16T fixed platforms JNP-3000W-AC-AFO AC power supply for JNP10003-160C and JNP10003-80C fixed platforms -
Product Overview
Changing market dynamics have intensified the challenge of accommodating growth with traditional products and architectures. Juniper’s secure and automated solutions help cloud-based networks quickly react to these evolving conditions, accelerating service delivery with world-class products and innovative architectural components. PTX Series Fixed Configuration Routers with custom Express3 and Express4 silicon are an integral part of this solution, delivering a massively scalable and efficient core architecture across space- and power-constrained cloud provider, service provider, and enterprise networks, reducing TCO with innovative, highly flexible, high-performance platforms built for the most demanding environments.Product Description
The Juniper Networks® PTX Series Packet Transport Routers transform the core network with physical and virtual innovations that deliver unprecedented scale at the lowest cost per bit. Four fixed-configuration platforms are available: the PTX1000 Packet Transport Router, the industry’s first 2 U packet transport routing device; the PTX10001-36MR Packet Transport Router, a compact, power-optimized 400GbE platform based on custom Express4 silicon; the PTX10002 Packet Transport Router, a second-generation device that doubles the density of the PTX1000 with Juniper Networks Express3™ silicon; and the PTX10003, the industry’s first 3U 400-GbE enabled packet transport routing device. These transport routers give cloud and communication providers the freedom to develop and deliver new virtualized services anywhere in the network with elastic architectures and precise traffic controls, without compromising the service experience.The Evolving Landscape
New traffic dynamics such as mobility, video, and cloud-based services are transforming traditional network patterns and topologies. Stratified, statically designed, and manually operated networks must evolve to support the constantly growing volumes of traffic quickly and economically. Many operators have seen their profits stagnate and TCO grow under the burden that these growing traffic volumes are imposing. Cloud and service providers need to become more agile in order to optimize their existing network resources, shorten planning cycles, and remove rigid network layers. Operators are facing the following challenges under the current environment:- Static scale: The cloud and communication providers’ backbone handles the full weight of network traffic. Therefore, it is paramount that core networks are inherently designed for scalability and efficiency. The 400GbE-capable platforms, 100/400GbE inline MACsec, silicon, system, and SDN innovations for the core empower network operators to scale faster than the traffic in an elegant, elastic, redundant package—without requiring forklift upgrades.
- Static architecture: Virtualized services and the explosion of cloud-based applications are creating increasingly unpredictable traffic patterns. To handle this unpredictability, service providers need a dynamic, scale-out architecture across all layers to create programmable, traffic-optimized networks that support any service, anywhere.
- Power costs: For cloud and communication providers, the operational cost of transmitting a packet through the core is less than the cost of the power required to move that packet. In fact, projections suggest that over a few short years, the total power draw will exceed the cost of deploying the entire network infrastructure. Efficient power utilization by the core router requires a holistic ground-up engineering approach.
- Facility limitations: Service providers cannot grow their facilities exponentially forever. They need innovations that provide a low-touch deployment model optimized around space availability, facility power requirements, and floor weight thresholds. Transport-oriented central office locations have the added burden of meeting European Telecommunications Standards Institute (ETSI) standard depth. Any transit router innovation must operate within these constraints.
Architecture and Key Components
The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 fixed-configuration packet transport routers bring physical and virtual innovation to the cloud and service provider core networks, addressing concerns about operational expenditures while scaling organically to keep pace with growing traffic demands with the following features:- Core routing: The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 employ a massively scalable yet compact 1, 2, or 3 U form factor with secure connectivity and high flexibility.
- Peering: The PTX Series fixed platforms are perfect for scale-out peering in space- and power-constrained environments with full traffic visibility and L3 services.
- LSR: The PTX Series fixed platforms provide 2.88 Tbps to 16 Tbps aggregate capacity for multi-plane core networks as an LSR router. They can also be positioned as an LSR fabric node in spine-leaf architectures for increased scale and reduced blast radius.
- CDN Gateway: The compact PTX Series offers high routing scale in a 1, 2, or 3 U fixed form factor for full traffic statistics visibility and deep buffers.
- Data Center Interconnect (DCI): The PTX10001-36MR and PTX10003 offer secure inline MACsec with no compromise in throughput or latency, and an extended range enabled by 400GbE ZR / ZR+.
Innovations in Silicon
Physical innovations at the core silicon level enable the PTX Series fixed-configuration routers to reduce OpEx and accommodate scale-out architectures with smooth migration paths as traffic patterns change.Express3 and Express-Based Silicon
The PTX1000 and PTX10002 are powered by Express3 silicon, delivering predictable IP/MPLS packet performance and functionality. The PTX10003 is powered by functionally equivalent Express3 Silicon to support high-density 100/200/400GbE interfaces and inline MACsec with no performance penalty while delivering the same IP/MPLS functionality. Express3 silicon eliminates the complex sawtooth packet profile found in elaborate, over-engineered network processing units (NPUs) deployed in other core routers. This delivers the peering scale required to match expanding traffic demands. These devices build upon the Juniper Networks Junos® Express silicon concepts of low consistent latency and wire-rate packet performance for both IP traffic and MPLS transport, without sacrificing the optimized system power profile. These concepts are incorporated into the PTX Series design along with full IP functionality, preserving the spirit of the original Junos Express chipset. The Express3 silicon is the first purpose-built telecommunications silicon to engineer a 3D memory architecture into the base design for more than 1.6 billion filter operations per second, dynamic table memory allocation for mammoth IP routing scale, and enormous power efficiency gains. The PTX10003 supports inline MACsec on all interfaces using 10/40/100GbE.Express4 Silicon
The PTX10001-36MR is powered by the highly scalable, next-generation ASIC in the Express silicon family, Juniper Express4 silicon—the industry’s first inline MACsec for 400GbE chips that supports universal multirate QSFP56-DD. Juniper Express4 silicon delivers consistently low latency, 8m counters, 256 AES MACsec encryption supported on all ports, and wire-rate packet performance for IP traffic without sacrificing the optimized system power profile. Preserving the spirit of the Junos Express silicon family, Juniper Express4 silicon is the first purpose-built telecommunications silicon to incorporate a 3D memory architecture into the base design, offering the industry’s highest packet performance per gigabit in the fewest rack units. It also provides dynamic table memory allocation for massive IP routing scale while delivering tremendous power efficiency gains at 0.14 Watts/Gig. The ability to address a provider’s core networking requirements—scale, operational flexibility, and SDN control—begins with the silicon. With the PTX Series fixed-configuration routers, operators can now deploy a core architecture with SDN control. Combining Juniper Networks NorthStar Controller with a robust full-featured Internet backbone router, and a regional IP/MPLS core router with integrated 100GbE coherent transport for superior performance, operators can tune their network infrastructure through proactive monitoring and what-if planning capabilities. The NorthStar Controller dynamically creates explicit routing paths using a global view based on user-defined constraints to create a fully autonomous operation. Scale is one of the guiding design principles for the PTX Series routers, allowing network operators to smoothly handle increased traffic demands. The PTX Series fixed-configuration routers simplify network engineering challenges with predictable system latency, improving the overall service experience by delivering best-in-class resiliency to help providers meet strict customer service-level agreements (SLAs). Operational efficiency is another design attribute for the PTX Series routers, focusing on power, space, and weight—fundamental concerns that affect network operators’ operational budgets. Juniper has designed the PTX Series to fit the requirements of current and future data center facilities. SDN programmability brings virtual innovations to the service provider core, while the NorthStar Controller offers an open, standards-based solution that optimizes both the IP layer and the transport layer with precise SDN control, allowing network operators to fully automate and scale their operations with ease.PTX1000, PTX10002, and PTX10003 Fixed-Configuration Packet Transport Routers
PTX1000
The PTX1000, with its rich IP/MPLS feature set, lets service providers organically distribute peering points throughout the network without sacrificing performance and deployability—the main contributors to eroding TCO for service providers when peering. The PTX1000 expands the applications scope that the PTX Series architecture addresses, enabling service providers to implement a distributed core architecture for interconnecting growing cloud services. Service providers can distribute peering points to match traffic demand with an optimized core router without sacrificing performance or deployability. The PTX1000 is a first-generation fixed-configuration core router, providing up to 3 million FIB and 10+ million routing information base (RIB) in a 2 U footprint, making it easily deployable in space-constrained Internet exchange locations, remote central offices, and embedded peering points anywhere in the network, including cloud-hosted services. The PTX1000 operates at 2.88 Tbps in a fixed core router configuration and supports flexible interface configuration options, including 288 10GbE ports via a quad small form-factor pluggable plus transceiver (QSFP+) breakout, 72 40GbE ports via QSFP+, and 24 100GbE ports via QSFP28.PTX10001-36MR
The PTX10001-36MR features a compact, 1 U form factor that is easy to deploy in space- and power-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud- hosted services. The PTX10001-36MR is particularly suited for power-constrained environments, providing unprecedented power efficiency of 0.14 watts/Gbps. It offers up to 4 million IPv4 FIB, deep buffers, and integrated 100GbE and 400GbE MACsec capabilities. The PTX10001-36MR operates at 9.6 Tbps in a fixed core router configuration with 36 multi-rate ports—24 400GbE (QSFP56-DD) ports and 12 100GbE (QSFP28) ports to facilitate the migration from 100GbE to 400GbE deployments. The PTX10001-36MR features flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 120 10GbE ports with QSFP+ breakout, 60 100GbE ports with QSFP28-DD (24x2) and QSFP28 (12), 108 100GbE ports with QSFP56-DD breakout (24x4) and QSFP28 (12), and 24 400GbE ports with QSFP56-DD. PTX10001-36MR supports MACSec on all ports, regardless of the port speed.PTX10002
The PTX10002 is a second-generation PTX Series fixed-configuration core router featuring a compact, 2 U form factor that is easy to deploy in space-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud-hosted services. The PTX10002 operates at 6 Tbps in a fixed core router configuration. It supports flexible interface configuration options, offering 60 physical quad small form-factor pluggable 28 (QSFP28) 100GbE ports, 60 QSFP+ 40GbE ports, and 192 10GbE ports via QSFP+ breakout cables.PTX10003
The PTX10003 is a fixed-configuration core router featuring a compact, 3 U form factor that is easy to deploy in space-constrained Internet exchange locations, remote central offices, and embedded peering points throughout the network, including cloud-hosted services. It offers up to 4 million FIB, deep buffers, and integrated 100GbE MACsec capabilities. The PTX10003 uniquely addresses power-constrained environments by providing unprecedented power efficiency of 0.2 watts/Gbps. Two versions of the PTX10003 are available, supporting 8 Tbps and 16 Tbps respectively in a 3 U footprint. Operating in a fixed core router configuration, the 8 Tbps model features flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 160 (QSFP+) 10GbE ports, 80 (QSFP28) 100GbE ports, 32 (QSFP28-DD) 200GbE ports, and 16 (QSFP56-DD) 400GbE ports. The 16 Tbps model also offers universal multi-rate QSFP-DD for 100GbE/400GbE to support 320 (QSFP+) 10GbE ports, 160 (QSFP28) 100GbE ports, 64 (QSFP28-DD) 200GbE ports, and 32 (QSFP56-DD) 400GbE ports. PTX10001-36MR and PTX10003 routers offer native SFP+ transceiver support through QSFP adapter, MAM1Q00A-QSA . This option enables deployments where 10GE connectivity over more than 10KM single mode fiber links is required.Features and Benefits
Performance is one of the guiding design principles for the PTX Series Packet Transport Routers. This focus empowers cloud and service providers with superior scale to match increased traffic levels and network engineering challenges with predictable system latency to improve the overall service experience, deliver best-in-class resiliency, and ensure that services meet strict customer SLAs. Deployability is the other guiding design principle for the PTX Series routers, focusing on power, space, and weight—fundamental concerns that impact service providers’ operational budget with respect to growing traffic. Infinite programmability with automation and telemetry brings virtual innovations to the cloud and service provider core, while the NorthStar Controller is an open, standards-based solution that optimizes both the IP layer and the transport layer with precise SDN control, allowing service providers to automate and scale operations with efficiency, simplicity, and security. One Junos Experience delivers operational consistency and uniformity across PTX Series platforms and solutions. The most modern OS on the market, Junos Evolved, is designed from the ground up for reliability, resiliency, velocity, and integration simplicity. Table 1 summarizes the features available on the fixed-configuration PTX Series Packet Transport Routers.Table 1. Fixed-Configuration PTX Series Features and BenefitsFeature Feature Description Benefit System capacity The PTX1000 scales to 3 Tbps in a single chassis, breaking out into 288 10GbE, 72 40GbE, and 24 100GbE interfaces. The PTX10001-36MR scales to 9.6 Tbps in a single chassis, featuring flexible interface configuration options with universal multi-rate QSFP-DD for 100GbE/400GbE to support 120 10GbE ports with QSFP+ breakout, 60 100GbE ports with QSFP28-DD (24x2) and QSFP28 (12), 108 100GbE ports with QSFP56-DD breakout (24x4) and QSFP28 (12), and 24 400GbE ports with QSFP56-DD. The PTX10002 scales to 6 Tbps in a single chassis, breaking out into 192 10GbE, 60 40GbE, and 60 100GbE interfaces. The PTX10003 8 Tbps model scales to 8 Tbps is a single chassis, breaking out into 160 10GbE, 80 100GbE, 32 200GbE, and 16 400GbE interfaces. The PTX10003 16 Tbps model scales to 16 Tbps in a single chassis, breaking out into 320 10GbE, 160 100GbE, 64 200GbE, and 32 400GbE interfaces. The PTX1000, PTX10001-36MR, PTX10002, and PTX10003 give cloud and service providers the performance and scalability needed to outpace growing traffic demands. High availability (HA) hardware The PTX1000, PTX10001-36MR, PTX10002 and PTX10003 are built with hardware redundancy for cooling, power supplies, and forwarding. HA is critical for service providers to maintain an always-on infrastructure base and meet stringent SLAs across the core. Packet performance The PTX1000 and PTX10002 include groundbreaking Express3 silicon, empowering them with unparalleled packet processing for both full IP functionality and MPLS transport, leveraging a revolutionary 3D memory architecture. The PTX10003 uses a newer version of Express3 silicon that delivers inline MACsec on all ports and dense 100/400GbE. The PTX10001-36MR uses the next generation of Express, Express4 silicon, that delivers 100/400GbE inline MACsec on all ports for dense 400GbE architectures. Exceptional packet processing capabilities help alleviate the challenge of scaling the network as traffic levels increase while optimizing IP/MPLS transit functionality around superior performance and elegant deployability. Ultra-compact 1 U, 2 U and 3 U form factor With cutting-edge innovation in power and cooling technology, the PTX fixed-configuration core routers provide compact, power-optimized scale and efficiency. The PTX1000 provides 2.88 Tbps of capacity in a 2 U form factor; the PTX10001-36MR provides 9.6 Tbps in a 1 U form factor; the PTX10002 provides 6 Tbps of capacity in a 2 U form factor; the PTX10003 provides up to 16 Tbps of capacity in a 3 U form factor. Space efficiency is a critical requirement for peering Internet exchange points, peering collocations, central offices, and regional networks, especially in emerging markets. Security The PTX Series Packet Transport routers use a combination of hardware-based mechanisms like MACsec and software-based features like firewall filters and DDoS to provide scalable security. 100GbE and 400GbE inline MACsec is supported on all ports with no compromise in latency. Inline data plane MACsec security with no throughput or latency penalties in addition to control plane security with DDoS. PTX Series Fixed-Configuration Routers Specifications
Hardware PTX1000 PTX10001-36MR PTX10002 PTX10003 (8T) PTX10003 (16T) System throughput 3 Tbps 9.6 Tbps 6 Tbps 8 Tbps 16 Tbps Forwarding capacity Up to 2 Bpps Up to 6 Bpps Up to 4 Bpps Up to 5.3 Bpps Up to 10.6 Bpps Max. 10GbE port density 288 120 192 160 320 Max. 40GbE port density 72 30 60 40 80 Max. 100GbE port density 24 108 60 80 160 Max 200GbE port density - 48 - 32 64 Max 400GbE port density - 24 - 16 32 Dimension (WxHxD) 17.4 x 3.46 x 31 in (44.2 x 8.8 x 78.7 cm) 17.3 x 1.75 x 25.5 in (44 x 4.45 x 64.8 cm) 17.4 x 3.46 x 31 in (44.2 x 8.8 x 78.7 cm) 17.4 x 5.25 x 31 in (44.2 x 13.3 x 78.7 cm) 17.4 x 5.25 x 31 in (44.2 x 13.3 x 78.7 cm) Rack units 2 U 1 U 2 U 3 U 3 U Weight 68 lb (31 kg) 39.7 lb (18 kg) 68 lb (31 kg) 88 lb (40 kg) 110 lb (50 kg) CPU Intel Quad Core Ivy Bridge 2.5 GHz CPU Intel Xeon 12-Core 2.1 GHz CPU Intel Quad Core Ivy Bridge 2.5 GHz CPU Intel Broadwell CPU with 12 Cores Intel Broadwell CPU with 12 Cores RAM 32 Gb SDRAM 64 Gb SDRAM 32 Gb SDRAM 64 Gb SDRAM 64 Gb SDRAM SSD 64 GBx2 200 GBx2 64 GBx2 200 GBx2 200 GBx2 Maximum power draw 1425 W (AC, DC), 4862 BTU/hr 2164 W (AC, DC), 7384 BTU/hr 2425 W (AC, DC), 8274 BTU/hr ~2500 W (AC,DC), 8525 BTU/hr ~4000 W (AC.DC), 13640 BTU/hr Typical power draw 1050 W (AC, DC), 3583 BTU/hr 1300 W (AC, DC), 4436 BTU/hr 1850 W (AC, DC), 6312 BTU/hr ~1600 W (AC,DC), 5456 BTU/hr ~3100W (AC,DC), 10571 BTU/hr Power supply 4x1600 watts (AC/DC) 2x3000 watts (AC/DC) 4x1600 watts (AC/DC) 2x3000 watts (AC/DC) 4x3000 watts (AC/DC) Cooling (front-to-back fan) 3 hot-swappable redundant fans 6 hot-swappable redundant fans 3 hot-swappable redundant fans 3 hot-swappable redundant fans 5 hot-swappable redundant fans Packet buffer 24 Gb 24 Gb 24 Gb 64 Gb 128 Gb Latency 2.5 µs within Packet Forwarding Engine (PFE), 5 µs between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs 2.5 µs within PFE, 5 us between PFEs Power Efficiency (watts/Gbps) 0.4 0.14 0.3 0.2 0.2 PTX1000, PTX10002, and PTX10003 Software Feature Table
Feature PTX1000 PTX10001-36MR PTX10002 PTX10003 (8/16 Tbps) MPLS-TE Yes Yes Yes Yes MPLS LSR Yes Yes Yes Yes Firewall filters ACL Yes Yes Yes Yes SPRINGv4 Yes Yes Yes Yes DDoS control plane Yes Yes Yes Yes JFlow/SFlow Yes Yes Yes Yes BGP FlowSpec, EPE, URPF, L3VPN Yes Yes Yes Yes Integrated routing and bridging (IRB) Yes Yes Yes Yes Telemetry, NETCONF/YANG Yes Yes Yes Yes Zero Touch Provisioning (ZTP) Yes Yes Yes Yes PCEP, BGP-LS Yes Yes Yes Yes Fast restoration Yes Yes Yes Yes Operation, Administration, and Maintenance (OAM) Yes Yes Yes Yes Management Interfaces
- 1 small form-factor pluggable transceiver (SFP/SFP+) port or Precision Time Protocol (PTP) Grandmaster
- Fiber (SFP) or 10/100/1000BASE-T (RJ-45) Ethernet management port
- SMB in, SMB out, 10 MHz in, 10 MHz out
- One console port
- USB 2.0 storage interface
Environmental Ranges
- Operating temperature: 32° to 115° F (0° to 46° C) at sea level
- Storage temperature: -40° to 158° F (-40° to 70° C)
- Operating altitude: Up to 10,000 ft. (3048 m)
- Relative humidity operating: 5 to 90% (noncondensing)
- Relative humidity nonoperating: 5 to 95% (noncondensing)
- Seismic: Designed to meet GR-63, Zone 4 earthquake requirements
Safety and Compliance
Safety
- CAN/CSA-C22.2 No. 60950-1 Information Technology Equipment—Safety
- UL 60950-1 Information Technology Equipment—Safety
- EN 60950-1 Information Technology Equipment—Safety
- IEC 60950-1 Information Technology Equipment—Safety (all country deviations)
- EN 60825-1 Safety of Laser Products—Part 1: Equipment Classification
Electromagnetic Compatibility
- 47CFR Part 15, (FCC) Class A
- ICES-003 Class A
- EN 55022 Class A
- CISPR 22 Class A
- EN 55024
- CISPR 24
- EN 300 386
- VCCI Class A
- AS/NZA CISPR22 Class A
- KN22 Class A
- CNS 13438 Class A
- EN 61000-3-2
- EN 61000-3-3
- ETSI
- ETSI EN 300 019: Environmental Conditions & Environmental Tests for Telecommunications Equipment
- ETSI EN 300 019-2-1 (2000)—Storage
- ETSI EN 300 019-2-2 (1999)—Transportation
- ETSI EN 300 019-2-3 (2003)—Stationary Use at Weather-protected Locations
- ETS 300753 (1997)—Acoustic noise emitted by telecommunications equipment
Environmental Compliance
Restriction of Hazardous Substances (ROHS) 6/6 Silver PSU Efficiency Recycled material Waste Electronics and Electrical Equipment (WEEE) Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) China Restriction of Hazardous Substances (ROHS)Telco
- Common Language Equipment Identifier (CLEI) code
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.Automated Support and Prevention
Juniper’s Automated Support and Prevention consists of an ecosystem of tools, applications, and systems targeted towards simplifying and streamlining operations, delivering operational efficiency, reducing downtime, and increasing your network’s ROI running Juniper Networks Junos operating system. Automated Support and Prevention brings operational efficiency by automating several time-consuming tasks such as incident management, inventory management, proactive bug notification, and on-demand EOL/EOS/EOE reports. The Junos Space® Service Now and Service Insight service automation tools are standard entitlements of all Juniper Care contracts.Warranty
For warranty information, please visit https://support.juniper.net/support/warranty/Ordering Information
Product Number Description PTX1000 PTX1K-72Q-AC PTX1000 base system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC PTX1000 base system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-AC-IR PTX1000 LSR/peering system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC-IR PTX1000 LSR/peering system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-AC-R PTX1000 full IP system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-72Q-DC-R PTX1000 full IP system with 24-port 100GbE QSFP28/72-port 40GbE QSFP+/288-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC PTX1000 base system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC PTX1000 base system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC-IR PTX1000 LSR/peering system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC-IR PTX1000 LSR/peering system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-AC-R PTX1000 full IP system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-36Q-DC-R PTX1000 full IP system with 12-port 100GbE QSFP28/36-port 40GbE QSFP+/144-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC PTX1000 base system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC PTX1000 base system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC-IR PTX1000 LSR/peering system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC-IR PTX1000 LSR/peering system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-AC-R PTX1000 full IP system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX1K-18Q-DC-R PTX1000 full IP system with 6-port 100GbE QSFP28/18-port 40GbE QSFP+/72-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays S-PTX1K-72Q-SCA-UP PTX1000 scale-up software license to upgrade 72 port system (base to LSR or LSR to full IP) S-PTX1K-36Q-SCA-UP PTX1000 scale-up software license to upgrade 36 port system (base to LSR or LSR to full IP) S-PTX1K-18Q-SCA-UP PTX1000 scale-up software license to upgrade 18 port system (base to LSR or LSR to full IP) S-PTX1K-UPG-18Q PTX1000 software license to add 18 more ports to base system S-PTX1K-UPG-18Q-IR PTX1000 software license to add 18 more ports to LSR/peering system S-PTX1K-UPG-18Q-R PTX1000 software license to add 18 more ports to full IP system JPSU-1600W-AC-AFO PTX1000 1600 W AC power supply JPSU-1600W-DC-AFO PTX1000 1600 W DC power supply PTX1000-FAN-S PTX1000 fan JNP-3000W-DC-AFO DC power supply for JNP10003-160C and JNP10003-80C fixed platforms PTX10001-36MR PTX10001-36MR-AC PTX10001 36 QSFP56-DD / QSFP28 multi-rate port base system with redundant AC Power supplies, FAN trays, Junos Evolved PTX10001-36MR-DC PTX10001 36 QSFP56-DD / QSFP28 multi-rate port base system with redundant DC Power supplies, FAN trays, Junos Evolved JNP-FAN2-1RU Fan Tray for JNP10001-36MR platform JNP10001-36MR JNP10001 chassis with 36 QSFP56-DD / QSFP28 multi-rate ports, no power supplies or fans JNP-3000W-AC-AFO AC power supply for JNP10001-36MR fixed platform JNP-3000W-DC-AFO DC power supply for JNP10001-36MR fixed platform S-PTX10K-108C-A1-P SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, without SW support, Perpetual S-PTX10K-108C-A2-P SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, without SW support, Perpetual S-PTX10K-108C-P1-P SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, without SW support, Perpetual S-PTX10K-108C-P2-P SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, without SW support, Perpetual S-PTX10K-108C-A1-5 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, with SW support, 5 Years S-PTX10K-108C-A2-5 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, with SW support, 5 Years S-PTX10K-108C-P1-5 SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, with SW support, 5 Years S-PTX10K-108C-P2-5 SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, with SW support, 5 Years S-PTX10K-108C-A1-3 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced1 tier, with SW support, 3 Years S-PTX10K-108C-A2-3 SW, PTX10K fixed platform, 10.8T, right-to-use Advanced2 tier, with SW support, 3 Years S-PTX10K-108C-P1-3 SW, PTX10K fixed platform, 10.8T, right-to-use Premium1 tier, with SW support, 3 Years S-PTX10K-108C-P2-3 SW, PTX10K fixed platform, 10.8T, right-to-use Premium2 tier, with SW support, 3 Years S-PTX10K100GMSEC-P SW, PTX10K 100G MACsec License SKU, w/out Customer Support, must purchase CS SKU separately, Perpetual S-PTX10K400GMSEC-P SW, PTX10K 400G MACsec License SKU, w/out Customer Support, must purchase CS SKU separately, Perpetual PTX10002 PTX10002-60C-AC PTX10002 base system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC PTX10002 base system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-AC-IR PTX10002 LSR/peering system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC-IR PTX10002 LSR/peering system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-AC-R PTX10002 full IP system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10002-60C-DC-R PTX10002 full IP system with 60-port 100GbE QSFP28/60-port 40GbE QSFP+/192-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-AC PTX10002 base system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DC PTX10002 base system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-ACIR PTX10002 LSR/peering system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DCIR PTX10002 LSR/peering system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-AC-R PTX10002 full IP system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W AC power supplies, 4 power cables, and 3 fan trays PTX10K2-60C-H-DC-R PTX10002 full IP system with 30-port 100GbE QSFP28/30-port 40GbE QSFP+/96-port 10GbE SFP+ with 4 1600 W DC power supplies, 4 power cables, and 3 fan trays JPSU-1600W-AC-AFO PTX1000 1600 W AC power supply JPSU-1600W-DC-AFO PTX1000 1600 W DC power supply JNP10002-FAN1 PTX10002 fan S-PTX10K2-60C-S-UP PTX10002 scale-up software license to upgrade 60-port system (base to LSR or LSR to full IP) S-PTX10K2-30C-S-UP PTX10002 scale-up software license to upgrade 30-port system (base to LSR or LSR to full IP) S-PTX10K2-15C-S-UP PTX10002 scale-up software license to upgrade 15-port system (base to LSR or LSR to full IP) S-PTX10K2-U-15C PTX10002 software license to add 15 more ports to base system S-PTX10K2-U-15C-IR PTX10002 software license to add 15 more ports to LSR/peering system S-PTX10K2-U-15C-R PTX10002 software license to add 15 more ports to full IP system PTX10003 PTX10003-160C-AC PTX10003-160C base system with 160 100GbE ports or 32 400GbE ports, 4 3000W AC power supplies, 4 power cables, and 5 fan trays, with standard tier right-to-use license PTX10003-160C-DC PTX10003-160C base system with 160 100GbE ports or 32 400GbE ports, 4 3000W DC power supplies, and 5 fan trays, with standard tier right-to-use license PTX10003-80C-AC PTX10003-80C base system with 80 100GbE ports or 16 400GbE ports, 2 3000W AC power supplies, 2 power cables, and 3 fan trays, with standard tier right-to-use license PTX10003-80C-DC PTX10003-80C base system with 80 100GbE ports or 16 400GbE ports, 2 3000W DC power supplies, and 3 fan trays, with standard tier right-to-use license S-PTX10K3-16T-A1-P 16T PTX10003 Advanced1 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-A2-P 16T PTX10003 Advanced2 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-P1-P 16T PTX10003 Premium1 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-P2-P 16T PTX10003 Premium2 tier right-to-use license, perpetual, without SW support S-PTX10K3-16T-A1-5 16T PTX10003 Advanced1 tier right-to-use license, 5-year term, with SW support S-PTX10K3-16T-A2-5 16T PTX10003 Advanced2 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-P1-5 16T PTX10003 Premium1 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-P2-5 16T PTX10003 Premium2 tier right-to-use license, 5-year term, with software support S-PTX10K3-16T-A1-3 16T PTX10003 Advanced1 tier right-to-use license, 3-year term, with SW support S-PTX10K3-16T-A2-3 16T PTX10003 Advanced2 tier right-to-use license, 3-year term, with software support S-PTX10K3-16T-P1-3 16T PTX10003 Premium1 tier right-to-use license, 3-year term, with software support S-PTX10K3-16T-P2-3 16T PTX10003 Premium2 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-A1-P 8T PTX10003 Advanced1 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-A2-P 8T PTX10003 Advanced2 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-P1-P 8T PTX10003 Premium1 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-P2-P 8T PTX10003 Premium2 tier right-to-use license, perpetual, without SW support S-PTX10K3-8T-A1-5 8T PTX10003 Advanced1 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-A2-5 8T PTX10003 Advanced2 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-P1-5 8T PTX10003 Premium1 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-P2-5 8T PTX10003 Premium2 tier right-to-use license, 5-year term, with software support S-PTX10K3-8T-A1-3 8T PTX10003 Advanced1 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-A2-3 8T PTX10003 Advanced2 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-P1-3 8T PTX10003 Premium1 tier right-to-use license, 3-year term, with software support S-PTX10K3-8T-P2-3 8T PTX10003 Premium2 tier right-to-use license, 3-year term, with software support JNP10003-160C-CHAS JNP10003-160C spare chassis with 160 100GbE ports or 32 400GbE ports JNP10003-80C-CHAS JNP10003-80C spare chassis with 80 100GbE ports or 16 400GbE ports JNP10003-FAN Fan tray for 3RU 8T and 16T fixed platforms JNP-3000W-AC-AFO AC power supply for JNP10003-160C and JNP10003-80C fixed platforms