SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  JUNOS on SRX

    Posted 09-12-2008 12:54

    JUNOS provides amazing capabilities for any platform that runs it. Managing the platform is the same as any other JUNOS-based platform. Those familiar with the JUNOS platform can use their existing skill set on the newest platform. Those not familiar with JUNOS can get started with the book "JUNOS Enterprise Routing".


    The SRX provides a new configuration section, “security”. In this section are services such as firewall policies, NAT, and IPS services. This uses familiar ideas such as zones, screens and virtual routers from ScreenOS. For those familiar with ScreenOS, this can simplify the transition to JUNOS.


    #firewalls
    #SRX
    #JUNOS


  • 2.  RE: JUNOS on SRX

    Posted 09-16-2008 12:11

    Can you give me a pointer to the configuration security section manual?

     

    Thanks in advance

     

    *am*



  • 3.  RE: JUNOS on SRX

    Posted 09-17-2008 15:59

    You can take a look at the JUNOS with enhanced services documentation for the J-Series.  

     

    http://www.juniper.net/techpubs/software/junos-es/junos-es92/index.html

     

    There are some differences for now (no next-gen NAT or IPS).  However, you can take a look at how policies and screens are configured.  My guess is that IPSEC will configure the same when supported on SRX with JUNOS 9.3.

     

    Also, the ScreenOS to JUNOS for Security Platforms CBT is helpful.  It is J-series centric but much will apply to SRX.  Ultimately, we will see fewer and fewer differences.

     

    http://www.juniper.net/training/elearning/junos_security.html 



  • 4.  RE: JUNOS on SRX

    Posted 09-16-2008 16:34
    The official documentation has not been posted yet. As soon as it is I will add the link here.


  • 5.  RE: JUNOS on SRX

    Posted 09-17-2008 12:42
    Is this going to support Virtual Systems and MPLS for firewall and IPS features?


  • 6.  RE: JUNOS on SRX

    Posted 09-17-2008 12:57

    Hi,

     

    It supports IPS, see this thread 

     

    http://forums.juniper.net/jnet/board/message?board.id=srx&thread.id=3

     

    Virtual Systems aren't supported in the first release of code; don't know if this is on the roadmap.

     

    Don't know if MPLS is supported.

     

    Regards

     

    Andy



  • 7.  RE: JUNOS on SRX
    Best Answer

    Posted 09-17-2008 13:13

    Not yet.  Although SRX shares the common JUNOS code base, the traditional MPLS feature set requires hardware support in the PFE of a given platform.  MPLS PFE support is not available for SRX.  Even if the PFE were ready, we would need to figure out the implementation specifics that are required.  Typically, M/T customers want to enable a stateful firewall for L3VPN customers that terminate IP traffic.  Is this the functionality you are asking about?  

     

    The concept of VSYS is implemented differently in JUNOS.  Logical Routers [edit logical-routers] has been in JUNOS for quite some time.  It has even been enhanced with JCS to support hardware logical routers so that T-series routers can support dedicated Routing Engines for Logical Routers.  However, at least for now, Logical Routers have not been adapted for the SRX platform.  My guess is that changes will be required to provide equivalent VSYS functionality.

     

    FYI - Your Juniper SE can get you all of the roadmap info.  It will help better answer your question. 🙂 

      

    Message Edited by jnprbill on 09-17-2008 01:14 PM


  • 8.  RE: JUNOS on SRX

    Posted 09-17-2008 13:29

    Thanks for the responses!  I'm interested in the ability to delegate different management of firewalls to different department admins like I can in larger ScreenOS platforms.

     

    On a side note, can the SRX support transparent mode at this point?  

     

    I'll definitely check with my SE for a roadmap.

     

    Thanks much! 



  • 9.  RE: JUNOS on SRX

    Posted 09-17-2008 16:01

    Yeah, it sounds like LRs will be what you need.  You just need to find out what JUNOS release will support them on the security platforms.  They should be renamed to Logical Systems by the time it is supported on SRX.

     

    No transparent mode right now.  Also, L2 switching and L2 control plane are not supported right now, as they are on the MX, J, and EX-series.  Beyond Transparent Mode, I expect the high GigE port density of the SRX may drive requests for logical numbered VLAN interfaces and bridge groups so that multiple GigE ports can be unnumbered and be part of the same bridge domain.

     

    Although most of my responses today have been "roadmap", the roadmap is very strong and adds new features with a schedule that permits the aggressive testing that people come to expect from JUNOS.   More important, security customers now get 4 releases per year.  It's predictable and makes waiting easier when you can get new features every single quarter.  



  • 10.  RE: JUNOS on SRX

    Posted 09-20-2008 05:54

    Hi

     

    Does SRX support content filtering and L4 load balancing?

     

    Regards



  • 11.  RE: JUNOS on SRX

    Posted 09-20-2008 13:46

    No L4 load balancing.  ScreenOS and JUNOS have never had a L4 load balancer feature set.  (The former Redline product renamed Juniper DX had load balancing features but they were never ported.)

     

    On the topic of URL content filtering, Juniper has traditionally only offered this feature on the branch office firewalls where throughput requirements are smaller (DSL, T1, to 100Mb/s Internet connections).  SRX is not any different (so far).  In terms of high-end firewalls, most Enterprises tend to use a full featured proxy with content filtering or ICAP redirection to a content filtering server that is out-of-band (ICAP is supported on the Juniper ISG 2000 firewall).  My theory is that local firewall content filtering is generally CPU intensive and the high-end firewalls of yesterday would not keep up.  SRX could certainly change the landscape with the scalable SPC architecture.  I would have your Juniper Account Team drive this feature request to product management, if not already on the roadmap.

     



  • 12.  RE: JUNOS on SRX

    Posted 08-29-2012 09:09

    I have a question regarding IPSEC licensing.

     

    Is a license needed to be able to work with IPSEC?

     

    Currently I am just doing a very simple test between two SRX3400 with a Cisco Router in the middle but the IPSEC is not working yet.

     

    If you need config files to analyze, let me know.

     

    Thanks in advance,

    JuniperKike