


Juniper Networks SRX220 Services Gateway for the Branch

Uses Dynamic Services Architecture provided by Junos to scale integrated security and network capabilities


Juniper Networks Products
SRX Series Services Gateways
SRX220 Services Gateway with 8 x GE ports, 2xmini-PIM slots, and high memory (1GB RAM, 1GB FLASH)
- External power supply and cord included.
#SRX220H
List Price: $2,199.00
SRX220 Services Gateway with 8 x GE ports, 2xmini-PIM slots, and high memory (1GB RAM, 1GB FLASH) w/ 8 Ports POE (120W)
- External power supply and cord included.
#SRX220H-POE
List Price: $2,699.00


SRX220 Overview:

The SRX220 Services Gateway is a secure router that supports up to 950 Mbps firewall, 100 Mbps IPSec VPN, and 100 Mbps IPS. Additional security features include Unified Threat Management (UTM), which consists of: IPS, antispam, antivirus, and Web filtering. The SRX220 Services Gateway is ideally suited for securing small to medium distributed enterprise locations.

Key Hardware Features:

  • 8 10/100/1000 Ethernet LAN ports, 2 Mini-PIM slots
  • Factory option of 8 PoE ports; PoE+ 802.3at, backwards compatible with 802.3af
  • Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, DOCSIS3, and Ethernet SFP
  • Content Security Accelerator hardware for faster performance of IPS and ExpressAV
  • Full UTM [1]: antivirus [1], antispam [1], Web filtering [1], intrusion prevention system [1] (with high memory version)
  • Unified Access Control and content filtering
  • 1 GB DRAM, 1 GB flash default

Juniper Networks SRX Series Services Gateways for the branch are secure routers that provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All SRX Series Services Gateways, including products scaled for the branch, campus, and data center applications, are powered by Juniper Networks Junos OS—the proven operating system that provides unmatched consistency, better performance with services, and superior infrastructure protection at a lower total cost of ownership.

The Juniper Networks® SRX Series Services Gateways for the branch join Juniper Networks SRX Series for the high end, EX Series Ethernet Switches, M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers. This provides a single Juniper Networks Junos® operating system-based portfolio of unprecedented scale. With Junos OS, enterprises and service providers can lower deployment and operational costs across their entire distributed workforce.

  • SRX Series for the branch runs Junos OS, the proven operating system that is used by core Internet routers in all of the top 100 service providers around the world. The rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.

  • SRX Series Services Gateways for the branch provide perimeter security, content security, access control, and network-wide threat visibility and control. By using zones and policies, even new network administrators can configure and deploy an SRX Series gateway for the branch quickly and securely. In addition, the SRX Series now includes wizards for firewall, IPsec VPN, NAT, and initial setup to help get your SRX Series gateway configured, secure, and running right out of the box.

  • Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, SRX Series for the branch offers a complete suite of Unified Threat Management (UTM) services consisting of: intrusion prevention system (IPS), antivirus, antispam, Web filtering, and data loss prevention via content filtering to protect your network from the latest content-borne threats. Select models feature Content Security Accelerator for high-performance IPS and antivirus performance. The branch SRX Series integrates with other Juniper security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

  • SRX Series for the branch are secure routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allows configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, DOCSIS3, Wi-Fi, and 3G/4G wireless are all available options for WAN or Internet connectivity to securely link your sites. Multiple form factors allow you to make cost-effective choices for mission-critical deployments. Managing the network is easy using the proven Junos OS command-line interface (CLI), Space, scripting capabilities, a simple-to-use Web-based GUI, or NSM.


1. Unified Threat Management—antivirus, antispam, Web filtering, and IPS require a subscription license and the high memory system option to use the feature. UTM is not supported on the low memory version. Please see the ordering section for options. Content Filtering and UAC are part of the base software with no additional license.

Features & Benefits:

Secure Routing

Figure: Firewalls, zones, and policies

Should you use a router and a firewall to secure your network? By building the branch SRX Series with best-in-class routing and firewall capabilities in one product, enterprises don’t have to make that choice. Why forward traffic if it’s not legitimate?

SRX Series for the branch checks the traffic to see if it is legitimate, and only forwards it on when it is. This reduces the load on the network, allocates bandwidth for all other mission-critical applications, and secures the network from hacking.

The main purpose of a secure router is to provide firewall protection and apply policies. The firewall (zone) functionality inspects traffic flows and state to ensure that originating and returning information in a session is expected and permitted for a particular zone. The security policy determines if the session can originate in one zone and traverse to another zone. This architectural choice receives packets from a wide variety of clients and servers and keeps track of every session, of every application, and of every user. It allows the enterprise to make sure that only legitimate traffic is on its network and that traffic is flowing in the expected direction.

To ease the configuration of a firewall, SRX Series for the branch uses two features—“zones” and “policies.” While these can be user-defined, the default shipping configuration contains, at a minimum, a trust and untrust zone. The trust zone is used for configuration and attaching the internal LAN to the branch SRX Series. The untrust zone is used for the WAN or untrusted Internet interface. To simplify installation and make configuration easier, a default policy is in place that allows traffic originating from the trust zone to flow to the untrust zone. This policy blocks all traffic originating from the untrust zone to the trust zone. A traditional router forwards all traffic without regard to a firewall (session awareness) or policy (origination and destination of a session).

By using the Web interface or CLI, enterprises can create a series of security policies that will control the traffic from within and in between zones by defining policies. At the broadest level, all types of traffic can be allowed from any source in security zones to any destination in all other zones without any scheduling restrictions. At the narrowest level, policies can be created that allow only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled time period.

High Availability

Junos OS Services Redundancy Protocol (JSRP) is a core feature of the SRX Series for the branch. JSRP enables a pair of SRX Series systems to be easily integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. With link redundancy, Juniper Networks can address many common causes of system failures, such as a physical port going bad or a cable getting disconnected, to ensure that a connection is available without having to fail over the entire system. This is consistent with a typical active/standby nature of routing resiliency protocols.

When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration will be mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series will now synchronize both configuration and runtime information. As a result, the following information is synchronized and shared during failover: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. In contrast, with typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), all dynamic flow and session information is lost and must be reestablished in the event of a failover. Some or all network sessions will have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is intact. In an unstable network, this active/active configuration also mitigates link flapping affecting session performance.

Session-Based Forwarding Without the Performance Hit

In order to optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions have a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route.

The session-based forwarding algorithm works as follows. When a new session is established, the session-based architecture within Junos OS verifies that the session is allowed by the forwarding policies. If the session is allowed, Junos OS will look up the next-hop route in the routing table. It then inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single table lookup in the session and forwarding table, and are forwarded to the egress interface.

Session-based forwarding algorithm
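
The first-packet and fast-path behaviour described above, combined with the default trust/untrust policy from the Secure Routing section, as a small Python model. This is an added illustration, not Juniper code: the `Gateway` class, interface names and addresses are constructed, and resolving the route before the policy (to learn the destination zone) is a simplification of this sketch.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        # Session key includes the ingress interface, so a packet that
        # arrives on an unexpected interface never matches a session.
        return (self.in_if, self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class Gateway:
    zones: dict      # interface name -> zone name
    routes: list     # [(ip_network, egress interface)]
    policies: dict   # (from_zone, to_zone) -> "permit" | "deny"
    sessions: dict = field(default_factory=dict)  # session key -> egress interface
    stats: dict = field(
        default_factory=lambda: {"session": 0, "route": 0, "policy": 0})

    def route_lookup(self, ip):
        """Longest-prefix match; returns the egress interface or None."""
        self.stats["route"] += 1
        addr = ipaddress.ip_address(ip)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, pkt):
        # Fast path: one lookup answers both "is it permitted?" and "where to?".
        self.stats["session"] += 1
        egress = self.sessions.get(pkt.key())
        if egress is not None:
            return ("forward", egress, "fast-path")

        # First packet of a session: route lookup, then zone-to-zone policy.
        egress = self.route_lookup(pkt.dst)
        if egress is None:
            return ("drop", None, "no-route")
        self.stats["policy"] += 1
        zone_pair = (self.zones[pkt.in_if], self.zones[egress])
        if self.policies.get(zone_pair, "deny") != "permit":
            return ("drop", None, "policy-deny")

        # Install the session in both directions so that return traffic is
        # matched by state and never evaluated against untrust -> trust.
        self.sessions[pkt.key()] = egress
        reverse = (egress, pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        self.sessions[reverse] = pkt.in_if
        return ("forward", egress, "first-packet")


def run_demo():
    """Constructed two-zone branch: LAN on ge-0/0/1, Internet on ge-0/0/0."""
    gw = Gateway(
        zones={"ge-0/0/0": "untrust", "ge-0/0/1": "trust"},
        routes=[
            (ipaddress.ip_network("192.168.1.0/24"), "ge-0/0/1"),
            (ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/0"),
        ],
        # Default shipping behaviour described on the page.
        policies={("trust", "untrust"): "permit", ("untrust", "trust"): "deny"},
    )
    outbound = Packet("ge-0/0/1", "192.168.1.10", 40000, "198.51.100.10", 443)
    reply = Packet("ge-0/0/0", "198.51.100.10", 443, "192.168.1.10", 40000)
    unsolicited = Packet("ge-0/0/0", "203.0.113.5", 5555, "192.168.1.10", 22)
    results = [gw.forward(p) for p in (outbound, outbound, reply, unsolicited)]
    return results, gw.stats, len(gw.sessions)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Four packets cost four session lookups but only two route and two policy evaluations; the reply is forwarded on state alone, while the unsolicited inbound packet is dropped by policy and leaves no session behind.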

Network Deployments:

The SRX Series Services Gateways for the branch are deployed at remote and branch locations in the network to provide all-in-one secure WAN connectivity, IP telephony, and connection to local PCs and servers via integrated Ethernet switching.

Distributed Enterprise Deployments

Figure: SRX Series distributed enterprise deployments

Technical Specifications:


| Model | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
|---|---|---|---|---|---|
| Maximum Layer 3 Performance and Capacity | | | | | |
| Junos OS version tested | Junos OS 10.4 | Junos OS 10.4 | Junos OS 10.4 | Junos OS 10.4 | Junos OS 10.4 |
| Firewall performance (large packets) | 700 Mbps | 750 Mbps | 950 Mbps | 1.5 Gbps | 7 Gbps |
| Firewall performance (IMIX) | 200 Mbps | 250 Mbps | 300 Mbps | 500 Mbps | 2.5 Gbps |
| Firewall + routing PPS (64 Byte) | 70 Kpps | 70 Kpps | 125 Kpps | 200 Kpps | 850 Kpps |
| AES256+SHA-1/3DES+SHA-1 VPN performance | 65 Mbps | 65 Mbps | 100 Mbps | 300 Mbps | 1.5 Gbps |
| IPsec VPN Tunnels | 128 | 256 | 512 | 1,000 | 3,000 |
| IPS (intrusion prevention system) | 60 Mbps | 60 Mbps | 100 Mbps | 230 Mbps | 1 Gbps |
| Antivirus | 25 Mbps | 30 Mbps | 34 Mbps | 85 Mbps | 350 Mbps |
| Connections per second | 1,800 | 1,800 | 2,800 | 9,000 | 35,000 |
| Maximum concurrent sessions | 16 K/32 K [7] | 32 K/64 K [7] | 96 K | 64 K/128 K [7] | 512 K [8] |
| DRAM options | 512 MB [2]/1 GB DRAM | 512 MB/1 GB DRAM | 1 GB DRAM | 512 MB/1 GB DRAM | 2 GB DRAM |
| Maximum security policies | 384 | 512 | 2,048 | 4,096 | 8,192 |
| Maximum users supported | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted |
| Network Connectivity | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Fixed I/O | 8 x 10/100 | 2 x 10/100/1000BASE-T + 6 x 10/100 | 8 x 10/100/1000BASE-T | 16 x 10/100/1000BASE-T | 4 x 10/100/1000BASE-T |
| I/O slots | N/A | 1 x SRX Series Mini-PIM | 2 x SRX Series Mini-PIM | 4 x SRX Series Mini-PIM | 8 x GPIM or multiple GPIM and XPIM combinations |
| Services and Routing Engine slots | No | No | No | No | 2 [9] |
| ExpressCard slot (3G WAN) | No | Yes | No | No | No |
| WAN/LAN interface options | N/A | See ordering information | See ordering information | See ordering information | See ordering information |
| Optional maximum number of PoE ports | N/A | Up to 4 ports of 802.3af with maximum 50 W | Up to 8 ports of 802.3af/at with maximum 120 W | Up to 16 ports of 802.3af/at with maximum 150 W | Up to 48 ports of 802.3af/at with maximum 247 W |
| USB | 1 | 2 | 2 | 2 | 2 per SRE |
| Flash/Memory | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Memory min and max (DRAM) | 512 MB (Accessible), 1 GB [2] | 512 MB, 1 GB | 1 GB | 512 MB, 1 GB | 2 GB |
| Memory slots | Fixed memory | Fixed memory | Fixed memory | Fixed memory | 4 DIMM |
| Flash memory | 1 GB | 1 GB | 1 GB | 1 GB | 2 GB CF internal on SRE, External slot empty, up to 2 GB CF supported |
| USB port for external storage | Yes | Yes | Yes | Yes | Yes |
| Dimensions | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Dimensions (W x H x D) | 8.5 x 1.4 x 5.8 in (21.6 x 3.6 x 14.7 cm) | 11.02 x 1.73 x 7.12 in (28.0 x 4.4 x 18.1 cm) | 14.31 x 1.73 x 7.11 in (36.3 x 4.4 x 18.1 cm) | 17.5 x 1.75 x 15.1 in (44.4 x 4.4 x 38.5 cm) | 17.5 x 3.5 x 18.2 in (44.4 x 8.8 x 46.2 cm) |
| Weight (device and power supply) | 2.5 lb (1.1 kg) | 3.3 lb (1.5 kg) non-PoE / 4.4 lb (2 kg) PoE, no interface modules | 3.43 lb (1.56 kg) non-PoE, no interface modules | 11.2 lb (5.1 kg) non-PoE / 12.3 lb (5.6 kg) PoE, no interface modules | 24.9 lb (11.3 kg), no interface modules, 1 power supply |
| Rack mountable | Yes, 1 RU | Yes, 1 RU | Yes, 1 RU | Yes, 1 RU | Yes, 2 RU |
| Power | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Power supply (AC) | 100-240 VAC, 30 W | 100–240 VAC, 60 W Non-PoE / 150 W PoE | 100–240 VAC, 60 W Non-PoE / 200 W PoE | 100–240 VAC, 150 W Non-PoE / 350 W PoE | 100–240 VAC, single 645 W or dual 645 W |
| Maximum PoE power | N/A | 50 W | 120 W | 150 W | 247 W redundant, or 494 W nonredundant |
| Average power consumption | 10 W | 27 W (LM), 28 W (HM), 84 W (PoE) | 28 W (LM) | 61 W (LM), 65 W (HM), 179 W (PoE) | 122 W |
| Input frequency | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz | 50-60 Hz |
| Maximum current consumption | 0.25 A @ 100 VAC | 0.41 A @ 100 VAC (LM), 0.44 A @ 100 VAC (HM), 1.13 A @ 100 VAC (PoE) | 0.44 A @ 100 VAC (HM) | 1.0 A @ 100 VAC (LM), 1.1 A @ 100 VAC (HM), 3.0 A @ 100 VAC (PoE) | 5.3 A @ 100 VAC with single PSU with PoE, 8.3 A @ 100 VAC with dual PSU with PoE |
| Maximum inrush current | 60 A | 80 A for LM/HM, 60 A for PoE | 80 A for HM | 40 A for LM/HM, 45 A for PoE | 45 A for ½ cycle |
| Average heat dissipation | 35 BTU/hr | 92 BTU/hr (SRX210B), 95 BTU/hr (SRX210H), 116 BTU/hr (SRX210H-PoE) | 126 BTU/hour (SRX220H) | 208 BTU/Hr (SRX240B), 222 BTU/Hr (SRX240H), 249 BTU/Hr (SRX240H-PoE) | 319 BTU/Hr |
| Maximum heat dissipation | 80 BTU/hr | 120 BTU/hr (SRX210B), 126 BTU/hr (SRX210H), 157 BTU/hr (SRX210H-PoE) | 126 BTU/hour (SRX220H) | 344 BTU/Hr (SRX240B), 369 BTU/Hr (SRX240H), 413 BTU/Hr (SRX240H-PoE) | 699 BTU/Hr |
| Redundant power supply (hot swappable) | No | No | No | No | Yes (up to maximum capacity of single PSU) |
| Acoustic noise level (Per ISO 7779 Standard) | 0 dB (fanless) | 29.1 dB | 51.1 dB | 54.1 dB | 60.9 dB |
| Environment | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Operational temperature | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) |
| Nonoperational temperature | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) | 4° to 158° F (-20° to 70° C) |
| Humidity | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing |
| Mean time between failures (Telcordia model) | 24.8 years (SRX100B), 24.8 years (SRX100H) | 15.2 years (SRX210B), 14.3 years (SRX210H), 10.4 years (SRX210H-PoE) | 14.3 years (SRX220H), 10.4 years (SRX220H-PoE) | 15.2 years (SRX240B), 14.3 years (SRX240H), 10.4 years (SRX240H-PoE) | 9.6 years with redundant power |


Additional Specification Features:

Protocols
  • IPv4, IPv6, ISO Connectionless Network Service (CLNS)

Routing and Multicast

  • Static routes
  • RIPv2 +v1
  • OSPF/OSPFv3
  • BGP
  • BGP Route Reflector [3]
  • IS-IS
  • Multicast (Internet Group Management Protocol (IGMPv3), PIM, Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), source-specific), MSDP [4]
  • MPLS (RSVP, LDP) [5]

IP Address Management

  • Static
  • Dynamic Host Configuration Protocol (DHCP) (client and server)
  • DHCP relay

Encapsulations

  • Ethernet (MAC and tagged)
  • Point-to-Point Protocol (PPP) (synchronous)
    • Multilink Point-to-Point Protocol (MLPPP)
  • Frame Relay
    • Multilink Frame Relay (MLFR) (FRF.15, FRF.16)
  • High-Level Data Link Control (HDLC)
  • Serial (RS-232, RS-449, X.21, V.35, EIA-530)
  • 802.1q VLAN support
  • Point-to-Point Protocol over Ethernet (PPPoE)

Traffic Management

  • Marking, policing, and shaping
  • Class-based queuing with prioritization
  • Weighted random early detection (WRED)
  • Queuing based on VLAN, data-link connection identifier (DLCI), interface, bundles, or filters

Security

  • Firewall, zones, screens, policies
  • Stateful firewall, stateless filters
  • Denial of service (DoS) and distributed denial of service (DDoS) protection (anomaly-based)
  • Prevent replay attack; Anti-Replay
  • Unified Access Control
  • UTM [1] (SRX650 and high memory versions of SRX240, SRX210, SRX220, and SRX100 only)
    • Antivirus [1], antispam [1], Web filtering [1], IPS [1]
    • Content Security Accelerator in SRX210 high memory, SRX220 high memory, SRX240 high memory, and SRX650 [1]
    • ExpressAV option in SRX210 high memory, SRX220 high memory, SRX240 high memory, and SRX650 [1]
    • Content filtering

VPN

  • Tunnels (generic routing encapsulation, IP-IP, IPsec)
  • IPsec, Data Encryption Standard (DES) (56-bit), triple Data Encryption Standard (3DES) (168-bit), Advanced Encryption Standard (AES) (256-bit+) encryption
  • Message Digest 5 (MD5) and SHA-1, SHA-128, SHA-256 authentication
  • Access Manager: Dynamic VPN Client. Browser-based remote access feature requiring a license.

Voice Transport

  • FRF.12
  • Link fragmentation and interleaving (LFI)
  • Compressed Real-Time Transport Protocol (CRTP)

High Availability

  • VRRP
  • Stateful failover and dual box clustering via JSRP
  • SRX650:
    • Redundant power (optional)
    • Future GPIM hot swap (online insertion and removal, OIR)
    • Future internal failover and SRE hot swap (OIR)
  • Backup link via 3G wireless or other WAN

IPv6 [5]

  • OSPFv3
  • IPv6 Multicast Listener Discovery (MLD)
  • BGP
  • Quality of service (QoS)

Wireless

  • CX111 Cellular Broadband Data Bridge supported on all branch SRX Series devices
  • 3G ExpressCards supported on SRX210 with built-in ExpressCard slot
  • AX411 Wireless LAN (WLAN) Access Point supported on all [6] branch SRX Series devices

SLA and Measurement

  • Real-time performance monitoring (RPM)
  • Sessions, packets, bandwidth usage
  • J-Flow flow monitoring and accounting services

Logging and Monitoring

  • Syslog
  • Traceroute

Administration

  • Juniper Networks Network and Security Manager support
  • Juniper Networks STRM Series Security Threat Response Managers support
  • Juniper Networks Advanced Insight Solutions support
  • External administrator database (RADIUS, LDAP, SecurID)
  • Auto configuration
  • Configuration rollback
  • Rescue configuration with button
  • Commit confirm for changes
  • Auto record for diagnostics
  • Software upgrades
  • J-Web

Certifications

  • FIPS 140-2 Level 2
  • Supported hardware versions of the FIPS 140-2 Gateways: SRX100B, SRX210B, SRX240B and SRX650-BASE-SRE6-645AP with JNPR-FIPS-TAMPER-LBLS
    • Roles, Services, and Authentication: Level 3
    • EMI/EMC: Level 3
    • Design Assurance: Level 3
    • FIPS-approved algorithms: Triple-DES; AES; DSA; SHS; RNG; RSA; HMAC

1. Unified Threat Management—antivirus, antispam, Web filtering, and IPS require a subscription license and the high memory system option to use the feature. UTM is not supported on the low memory version. Please see the ordering section for options. Content Filtering and UAC are part of the base software with no additional license.
2. SRX100B installed with 1 GB DRAM, with 512 MB accessible. Optional upgrade to 1 GB DRAM is available with purchase of memory software license key.
3. BGP Route Reflector supported on SRX650. See ordering section for more information.
4. Multicast features in SRX240 and SRX650 are supported as of the 9.6 release.
5. Supported in 9.5 in packet mode without services.
6. SRX100 and SRX220 support AX411 in 1H 2011.
7. When UTM is enabled, the capacities supported on high memory system options are the low memory specifications.
8. When UTM is enabled, concurrent sessions supported is 50% of value shown.
9. SRX650 supports a single Services and Routing Engine (SRE).
10. SRX210H-POE is Class A.

Additional Features and Comparison:

| Model | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
|---|---|---|---|---|---|
| Routing | | | | | |
| BGP instances | 5 | 10 | 16 | 20 | 64 |
| BGP peers | 8 | 16 | 16 | 32 | 256 |
| BGP routes | 4 K/8 K | 8 K/16 K | 32 K | 32 K/64 K | 800 K |
| OSPF instances | 4 | 10 | 16 | 20 | 64 |
| OSPF routes | 4 K/8 K | 8 K/16 K | 32 K | 32 K/64 K | 800 K |
| RIP v1 / v2 instances | 4 | 10 | 16 | 20 | 64 |
| RIP v2 routes | 4 K/8 K | 8 K/16 K | 32 K | 32 K/64 K | 800 K |
| Source-based routing | 4 K/8 K | 8 K/16 K | 32 K | 32 K/64 K | 800 K |
| Policy-based routing | Yes | Yes | Yes | Yes | Yes |
| Equal-cost multipath (ECMP) | Yes | Yes | Yes | Yes | Yes |
| Reverse path forwarding (RPF) | Yes | Yes | Yes | Yes | Yes |
| RIP v1 / v2 instances | Yes | Yes | Yes | Yes | Yes |
| MPLS [5] | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Layer 2 VPN (VPLS) | Yes | Yes | Yes | Yes | Yes |
| Layer 3 VPN | Yes | Yes | Yes | Yes | Yes |
| LDP | Yes | Yes | Yes | Yes | Yes |
| RSVP | Yes | Yes | Yes | Yes | Yes |
| Circuit Cross-connect (CCC) | Yes | Yes | Yes | Yes | Yes |
| Translational Cross-connect (TCC) | Yes | Yes | Yes | Yes | Yes |
| Multicast [4] | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| IGMP (v1, v2, v3) | Yes | Yes | Yes | Yes | Yes |
| PIM sparse mode (SM) | Yes | Yes | Yes | Yes | Yes |
| PIM dense mode (DM) | Yes | Yes | Yes | Yes | Yes |
| PIM source-specific multicast (SSM) | Yes | Yes | Yes | Yes | Yes |
| Multicast inside IPsec tunnel | Yes | Yes | Yes | Yes | Yes |
| IPsec VPN | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Concurrent VPN tunnels | 128 | 256 | 512 | 1,000 | 3,000 |
| Tunnel interfaces | 10 | 64 | 64 | 125 | 512 |
| DES (56-bit), 3DES (168-bit) and AES (256-bit) | Yes | Yes | Yes | Yes | Yes |
| MD-5 and SHA-1 authentication | Yes | Yes | Yes | Yes | Yes |
| Manual key, IKE, PKI (X.509) | Yes | Yes | Yes | Yes | Yes |
| Perfect forward secrecy (DH Groups) | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 |
| Prevent replay attack | Yes | Yes | Yes | Yes | Yes |
| Dynamic remote access VPN | Yes | Yes | Yes | Yes | Yes |
| IPsec NAT traversal | Yes | Yes | Yes | Yes | Yes |
| Redundant VPN gateways | Yes | Yes | Yes | Yes | Yes |
| User Authentication and Access Control | | | | | |
| Third-party user authentication | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP |
| RADIUS accounting | Yes | Yes | Yes | Yes | Yes |
| XAUTH VPN, Web-based, 802.X authentication | Yes | Yes | Yes | Yes | Yes |
| PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes | Yes | Yes | Yes |
| Certificate Authorities supported | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI |
| Virtualization | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Maximum number of security zones | 10 | 12 | 24 | 32 | 128 |
| Maximum number of virtual routers | 3 | 10 | 15 | 20 | 60 |
| Maximum number of VLANs | 16 | 64 | 128 | 512 | 4,096 |
| Encapsulations | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| PPP/MLPPP | N/A | Yes | Yes | Yes | Yes |
| MLPPP maximum physical interfaces | N/A | 1 | 2 | 4 | 12 |
| Frame Relay | N/A | Yes | Yes | Yes | Yes |
| MLFR (FRF.15, FRF.16) | N/A | Yes | Yes | Yes | Yes |
| MLFR maximum physical interfaces | N/A | 1 | 2 | 4 | 12 |
| HDLC | N/A | Yes | Yes | Yes | Yes |
| Address Translation | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Source NAT with Port Address Translation (PAT) | Yes | Yes | Yes | Yes | Yes |
| Static NAT | Yes | Yes | Yes | Yes | Yes |
| Destination NAT with PAT | Yes | Yes | Yes | Yes | Yes |
| IP Address Assignment | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Static | Yes | Yes | Yes | Yes | Yes |
| DHCP, PPPoE client | Yes | Yes | Yes | Yes | Yes |
| Internal DHCP servers (PPP) | Yes | Yes | Yes | Yes | Yes |
| DHCP relay | Yes | Yes | Yes | Yes | Yes |
| L2 Switching | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| VLAN 802.1Q | Yes | Yes | Yes | Yes | Yes |
| Link Aggregation 802.3ad/LACP | Yes | Yes | Yes | Yes | Yes |
| Jumbo Frame (9216 Byte) | No | Yes | Yes | Yes | Yes |
| Spanning Tree Protocol (STP) 802.1D, RSTP 802.1w, MSTP 802.1s | Yes | Yes | Yes | Yes | Yes |
| Authentication 802.1x Port-based and multiple supplicant | Yes | Yes | Yes | Yes | Yes |
| Traffic Management Quality of Service (QoS) | | | | | |
| Guaranteed bandwidth | Yes | Yes | Yes | Yes | Yes |
| Maximum bandwidth | Yes | Yes | Yes | Yes | Yes |
| Ingress traffic policing | Yes | Yes | Yes | Yes | Yes |
| Priority-bandwidth utilization | Yes | Yes | Yes | Yes | Yes |
| DiffServ marking | Yes | Yes | Yes | Yes | Yes |
| High Availability | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Active/active—L3 mode | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Active/passive—L3 mode | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Configuration synchronization | Yes | Yes | Yes | Yes [9] | Yes [3] |
| VRRP | Yes | Yes | Yes | Yes | Yes |
| Session synchronization for firewall and VPN | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Session failover for routing change | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Device failure detection | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Link failure detection | Yes | Yes | Yes | Yes [9] | Yes [3] |
| Firewall | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Network attack detection | Yes | Yes | Yes | Yes | Yes |
| DoS and DDoS protection | Yes | Yes | Yes | Yes | Yes |
| TCP reassembly for fragmented packet protection | Yes | Yes | Yes | Yes | Yes |
| Brute force attack mitigation | Yes | Yes | Yes | Yes | Yes |
| SYN cookie protection | Yes | Yes | Yes | Yes | Yes |
| Zone-based IP spoofing | Yes | Yes | Yes | Yes | Yes |
| Malformed packet protection | Yes | Yes | Yes | Yes | Yes |
| Unified Threat Management [1] | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Intrusion Prevention System (IPS) | Yes [10] | Yes | Yes | Yes | Yes |
| Protocol anomaly detection | Yes [10] | Yes | Yes | Yes | Yes |
| Stateful protocol signatures | Yes [10] | Yes | Yes | Yes | Yes |
| Intrusion prevention system (IPS) attack pattern obfuscation | Yes [10] | Yes | Yes | Yes | Yes |
| Customer signatures creation | Yes [10] | Yes | Yes | Yes | Yes |
| Frequency of updates | Daily and emergency [10] | Daily and emergency | Daily and emergency | Daily and emergency | Daily and emergency |
| Antivirus | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Express AV (packet-based AV) | No | Yes | Yes | Yes | Yes |
| File-based antivirus | Yes | Yes | Yes | Yes | Yes |
| Signature database | Yes | Yes | Yes | Yes | Yes |
| Protocols scanned | POP3, HTTP, SMTP, IMAP, FTP | POP3, HTTP, SMTP, IMAP, FTP | POP3, HTTP, SMTP, IMAP, FTP | POP3, HTTP, SMTP, IMAP, FTP | POP3, HTTP, SMTP, IMAP, FTP |
| Antispyware | Yes | Yes | Yes | Yes | Yes |
| Anti-adware | Yes | Yes | Yes | Yes | Yes |
| Antikeylogger | Yes | Yes | Yes | Yes | Yes |
| Antispam | Yes | Yes | Yes | Yes | Yes |
| Integrated Web filtering | Yes | Yes | Yes | Yes | Yes |
| Redirect Web filtering | Yes | Yes | Yes | Yes | Yes |
| Content filtering | Yes | Yes | Yes | Yes | Yes |
| Based on MIME type, file extension, and protocol commands | Yes | Yes | Yes | Yes | Yes |
| System Management | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| Web UI | Yes | Yes | Yes | Yes | Yes |
| Command-line interface | Yes | Yes | Yes | Yes | Yes |
| Network and Security Manager (NSM) | Yes | Yes | Yes | Yes | Yes |
| STRM Series | Yes | Yes | Yes | Yes | Yes |
| Wireless | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| CX111 3G Bridge support | Yes | Yes | Yes | Yes | Yes |
| Internal 3G ExpressCard slot support | No | Yes | Yes | No | Yes |
| Max WLAN access points supported | 4 | 4 | 4 | 4 | 4 |
| Certifications | SRX100 | SRX210 | SRX220 | SRX240 | SRX650 |
| USA | | | | | |
| Safety certifications | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1 | UL 60950-1 |
| EMC certifications | FCC Class B | FCC Class B [10] | FCC Class A | FCC Class A | FCC Class A |
| Network homologation | TIA-968 | TIA-968 | TIA-968 | TIA-968 | TIA-966 |
| Canada | | | | | |
| Safety certifications | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 | CSA 60950-1 |
| EMC certifications | ICES Class B | ICES Class B [10] | ICES Class A | ICES Class A | ICES Class A |
| Network homologation | CS-03 | CS-03 | CS-03 | CS-03 | CS-03 |
| European Union | | | | | |
| Safety certifications | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1 | EN 60950-1 |
| EMC certifications | EN 55022 Class B, EN 300 386 | EN 55022 Class B [10], EN 300 386 | EN 55022 Class A, EN 300 386 | EN 55022 Class A, EN 300 386 | EN 55022 Class A, EN 300 386 |
| Network homologation | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, CTR 21, DoC | CTR 12/13, DoC |
| Japan | | | | | |
| Safety certifications | CB Scheme | CB Scheme | CB Scheme | CB Scheme | CB Scheme |
| EMC certifications | VCCI Class B | VCCI Class B [10] | VCCI Class A | VCCI Class A | VCCI Class A |
| Network homologation | Certificate for Technical Conditions | Certificate for Technical Conditions | Certificate for Technical Conditions | Certificate for Technical Conditions | Certificate for Technical Conditions |
| Australia | | | | | |
| Safety certifications | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 |
| EMC certifications | AS/NZS CISPR22 Class B | AS/NZS CISPR22 Class B [10] | AS/NZS CISPR22 Class A | AS/NZS CISPR22 Class A | AS/NZS CISPR22 Class A |
| Network homologation | AS/ACIF S 002, S 016, S 043.1, S043.2 | AS/ACIF S 002, S 016, S 043.1, S043.2 | AS/ACIF S 002, S 016, S 043.1, S043.2 | AS/ACIF S 002, S 016, S 043.1, S043.2 | AS/ACIF S 016 |
| New Zealand | | | | | |
| Safety certifications | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 | AS/NZS 60950-1 |
| EMC certifications | AS/NZS CISPR22 Class B | AS/NZS CISPR22 Class B [10] | AS/NZS CISPR22 Class A | AS/NZS CISPR22 Class A | AS/NZS CISPR22 Class A |
| Network homologation | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217, PTC 273 | PTC 217 |


 

Juniper Networks Licenses
Dynamic VPN Client
Dynamic VPN Service: 5 Simultaneous Users #SRX-RAC-5-LTU
List Price: $200.00
Dynamic VPN Service: 10 Simultaneous Users #SRX-RAC-10-LTU
List Price: $400.00
Dynamic VPN Service: 25 Simultaneous Users #SRX-RAC-25-LTU
List Price: $1,000.00
Juniper Networks Accessories
Interface Modules
1-Port ADSL2+ Mini-PIM supporting ADSL/ADSL2/ADSL2+ Annex A #SRX-MP-1ADSL2-A
List Price: $600.00
1-Port ADSL2+ Mini-PIM supporting ADSL/ADSL2/ADSL2+ Annex B #SRX-MP-1ADSL2-B
List Price: $600.00
1-Port Docsis 3.0 Cable Modem Mini-PIM for SRX. Backward compatible with Docsis 2.0 and 1.1 #SRX-MP-1DOCSIS3
List Price: $750.00
1-Port Sync Serial Mini-PIM for SRX #SRX-MP-1SERIAL
List Price: $400.00
1-Port SFP GE Mini-PIM for SRX with GE backplane support #SRX-MP-1SFP-GE
List Price: $1,000.00
1-Port T1/E1 Mini-PIM for SRX #SRX-MP-1T1E1
List Price: $700.00
1-Port VDSL2 Mini-PIM supporting Annex A, with fallback to ADSL2/ADSL2+ #SRX-MP-1VDSL2-A
List Price: $750.00
8-wire (4-pair) G.SHDSL Mini-PIM for SRX #SRX-MP-8GSHDSL
List Price: $1,050.00
Accessories
Spare SRX220 Switching Power Supply with US Power Cable, 200W (POE) #SRX220-PWR-200W-US
List Price: $300.00
Spare SRX220 Switching Power Supply with US Power Cable, 60W (non-POE) #SRX220-PWR-60W-US
List Price: $100.00
SRX220 Rack mount kit for 19" rack #SRX220-RMK
List Price: $150.00