Juniper SRX update
Karel Hendrych, khe@juniper.net, Consulting Engineer
Platform Updates: Virtual

vSRX - Industry’s Fastest Virtual Firewall
• 18G FW Large packet (1514B), 4G FW Imix
• 2 vCPU (cores), Lowest TCO
• Highest Perf/Core
• ~80G FW (8 instances) Large packet per server
  – VMware 5.5 + SR-IOV, 8 vSRX instances on a 2.4GHz Dell server
  – VMware 5.5 + SR-IOV, 1 vSRX instance on a 3.4GHz Dell server
100G vSRX just got announced!
[vSRX architecture diagram: the vSRX VM (Junos Control Plane JCP/vRE with MGD and RPD; Junos Kernel; Adv Services + Flow Processing + Packet FWD (JEXEC)) runs on Juniper Linux as guest OS over QEMU/KVM or VMware hypervisors, on physical x86 CPU, memory and storage, with SR-IOV]
FEATURE PARITY TO FFP (Including Firewall, AppSecure, UTM/IDP, VPN, NAT, Routing, HA Cluster, etc.)

vSRX 2.0 (15.1X49)

PLATFORMS
• VMware 5.1, 5.5, 6.0
• Ubuntu 14.04 (KVM)
• CentOS 7.0 (KVM)
• Contrail 2.2

CHANGES
• Name change to vSRX
• Junos Version change to 15.1
• DPDK
• SR-IOV
• VMXNET3 and VirtIO (Driver updates)
• Linux Base OS
• 64Bit Flowd
• Dedicated management I/F
• SCSI Support
• SNMP enhancements
• VMTools
• Min 4G vRAM and 8G HD
Platform Updates: Physical

SRX Series Services Gateways for Branch
• All-in-one routing, switching and security in a single platform
• Security at every layer with MACsec, IPsec and application security
• Best end-user application experience and operational efficiency
SRX3xx Portfolio Summary

                 SRX300     SRX320     SRX340     SRX345
Routing*         500 Mbps   1 Gbps     2 Gbps     3 Gbps
App Firewall*    500 Mbps   1 Gbps     1.7 Gbps   2.5 Gbps
IPSec VPN*       100 Mbps   200 Mbps   300 Mbps   350 Mbps
NGFW**           100 Mbps   200 Mbps   300 Mbps   350 Mbps

*Performance numbers for the IMIX packet size
**NGFW = IPS + AppFW + External Logging

Target deployments:
• SRX300 – Retail Office, up to 50 users
• SRX320 – Small Branch, up to 50 users
• SRX340 – Mid Branch, up to 100 users
• SRX345 – Mid-Large Branch, up to 200 users
• SRX550 – Large Branch, up to 500 users
SRX1500 Services Gateway

Specification            SRX1500
RAM / storage            16GB / 16GB
On-board 1G ports        16xGE (w 4x SFP)
On-board 10G ports       4x SFP+
OOB Management port      1x GE
Acoustics                66 dBA
SSD Storage              120G
Power Supply             1+1 400W PSU
Forwarding capacity      1.8 Mpps
Routing / firewall       5 Gbps
IPSec VPN (IMIX)         1.2 Gbps
IPS                      3.5 Gbps
NGFW                     1 Gbps
Concurrent sessions      2,000,000

• SRX1500 is a high-performance, cost-effective and highly available next generation firewall
• Provides outstanding protection with Sky ATP
• Integrates networking & security in a single platform
• High port density and small form factor
• Targeted for:
  – Enterprise Campus Edge
  – Data Center Edge
  – Branch Router
SRX5400
• Ideal for medium to large enterprises and Service Provider networks
• Software Security Services
  – AppSecure and IPS
  – AV and web filtering
• Next-generation, high-performance line cards

Specification                                                         SRX5400
On-board Ports                                                        100GE-CFP/CFP2, 40GE-QSFPP, 10GE-SFPP/XFP, 1GE-SFP
JUNOS Software Version Support                                        JUNOS 15.1X49-D10
Firewall Performance (w/ Express Path)                                65 Gbps (480 Gbps)
Firewall Performance IMIX (w/ Express Path)                           32 Gbps (450 Gbps)
Firewall Performance, Firewall + Routing PPS 64byte (w/ Express Path) 8 Mpps (98 Mpps)
VPN Performance – AES256+SHA-1                                        35 Gbps
AppSecure                                                             42 Gbps
Intrusion Prevention System                                           22 Gbps
Connections Per Second (CPS)                                          450 K
Maximum Concurrent Sessions                                           42 M
High Availability                                                     A/A or A/P
SRX5k CPS with CP-lite, scaling up to 250M sessions!

[Chart: TCP CPS in KCPS at the chart’s x-axis points 1, 4, 7, 10 and 11]
             1      4      7      10     11
X49-D10     213    420    420    420    420
CP-Lite     230   1060   1815   2240   2500
Software update

Next-Gen Firewall Features on SRX
• Application Reporting
• Application Firewalling
• Geo-IP
• C&C & Reputation Filtering
• User Firewalling
• Intrusion Prevention
• Web Filtering
• Anti-Virus
• Anti-Spam
• Content Filtering
• SSL Inspection
• Cloud-based Anti-malware
What is Sky Advanced Threat Prevention

[Diagram: Customer SRX exchanging objects and verdicts with the Sky Advanced Threat Prevention Cloud in the Juniper Cloud (ATP, Static Analysis, Sandbox w/ Deception)]

1. SRX extracts potentially malicious objects and files and sends them to the cloud for analysis
2. Known malicious files are quickly identified and dropped before they can infect a host
3. Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps
4. Correlation between newly identified malware and known C&C sites aids analysis
5. SRX blocks known malicious file downloads and outbound C&C traffic
The ATP verdict chain
Staged analysis: combining rapid response and deep analysis

Suspect files enter the analysis chain in the cloud:
1. Cache lookup (~1 second): files we’ve seen before are identified and a verdict immediately goes back to the SRX
2. Anti-virus scanning (~5 seconds): multiple AV engines return a verdict, which is then cached for future reference
3. Static analysis (~30 seconds): the static analysis engine does a deeper inspection, with the verdict again cached for future reference
4. Dynamic analysis (~7 minutes): dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware
SRX User Identity Restful API (12.3X48-D30)
• Built for Aruba ClearPass integration but can be used by 3rd parties
• https://srxhostname/api/userfw/v1/
• Posture states: Healthy(0), Checkup(10), Transition(15), Quarantine(20), Infected(30), Unknown(100)
• Identity sources: “Aruba ClearPass”, “UAC”, “Active Directory”
• IPv4 & IPv6 support
• Standard XML DateTime format (ISO8601)
• Operations: logon, logoff or posture-update; for logon, role-list is a must, for logoff
• A list of roles, maximum 200, each up to 64 characters
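Client-side checks for an entry before it is posted to the User Identity API, as an added example that is not Juniper code: it enforces the posture names and codes, identity sources, operations, IPv4/IPv6 addresses, ISO8601 timestamps and the 200 roles x 64 characters limit stated above. The JSON body layout and the field names (ip, operation, source, posture, role-list, timestamp) are assumptions; only the base URL and the limits come from the slide.

```python
"""Client-side checks for an SRX User Identity (userfw/v1) entry."""
import ipaddress
import json
from datetime import datetime

# Posture codes, identity sources, operations and size limits from the slide.
POSTURE_CODES = {"Healthy": 0, "Checkup": 10, "Transition": 15,
                 "Quarantine": 20, "Infected": 30, "Unknown": 100}
SOURCES = {"Aruba ClearPass", "UAC", "Active Directory"}
OPERATIONS = {"logon", "logoff", "posture-update"}
MAX_ROLES, MAX_ROLE_LEN = 200, 64


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    try:
        ipaddress.ip_address(entry.get("ip", ""))  # IPv4 and IPv6 both allowed
    except ValueError:
        problems.append("ip: not a valid IPv4/IPv6 address")
    op = entry.get("operation")
    if op not in OPERATIONS:
        problems.append("operation: must be logon, logoff or posture-update")
    if entry.get("source") not in SOURCES:
        problems.append("source: unknown identity source")
    if entry.get("posture") not in POSTURE_CODES:
        problems.append("posture: unknown posture name")
    roles = entry.get("role-list", [])
    if len(roles) > MAX_ROLES:
        problems.append("role-list: more than %d roles" % MAX_ROLES)
    if any(len(r) > MAX_ROLE_LEN for r in roles):
        problems.append("role-list: role longer than %d characters" % MAX_ROLE_LEN)
    # Assumption: the slide marks role-list as a must for logon/logoff entries.
    if op in ("logon", "logoff") and not roles:
        problems.append("role-list: required for %s" % op)
    try:  # ISO8601 DateTime; a trailing Z is accepted as UTC
        datetime.fromisoformat(entry.get("timestamp", "").replace("Z", "+00:00"))
    except ValueError:
        problems.append("timestamp: not an ISO8601 DateTime")
    return problems


def build_request(srx_host, entry):
    """Return (url, json_body) for a valid entry; raise ValueError otherwise."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    url = "https://%s/api/userfw/v1/" % srx_host  # base URL from the slide
    # Assumed JSON layout (the slide does not show the body); send the numeric posture code.
    body = dict(entry, posture=POSTURE_CODES[entry["posture"]])
    return url, json.dumps(body, sort_keys=True)
```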
Custom AppID Signature (15.1X49-D40)
• Types of custom signatures:
  – ICMP-based
  – L3/L4 based
  – Layer 7-based, with the following contexts:
    http-get-url-parsed-param-parsed
    http-header-content-type
    http-header-cookie
    http-header-host
    http-header-user-agent
    http-post-url-parsed-param-parsed
    http-post-variable-parsed
    http-url-parsed
    http-url-parsed-param-parsed
    ssl-server-name
    stream
SSL Forward Proxy and UTM
• 12.3X48-D25 and 15.1X49-D40 support UTM with SSL Proxy
• No configuration changes on the UTM side; an ssl-proxy profile must be applied in the same policy:
  […]policy trust-to-untrust match source-address any
  […]policy trust-to-untrust match destination-address any
  […]policy trust-to-untrust match application junos-any
  […]policy trust-to-untrust then permit application-services ssl-proxy profile-name ssl-inspection-p
  […]policy trust-to-untrust then permit application-services utm-policy junos-av-policy
  […]policy trust-to-untrust then permit application-services application-firewall rule-set block-app
  […]policy trust-to-untrust then log session-close
Juniper site to site VPN Solutions update

Use Case: Auto VPN
• Network Topology / Failover Redundancy / Traffic Steering:
  – Large Scale of Hub and Spoke
  – Cluster Hub/Spoke
  – Active-Passive
  – Active-Backup
  – Traffic Selector with Static Routes – Higher scalability
  – Dynamic Routing
• Tunnel Technology:
  – Tunnel Based VPN
  – St0 P2P with Traffic Selector
  – St0 P2MP with Routing
  – IKEv1 and IKEv2
• Performance / Scalability:
  – Up to 1 Gbps / 3 Gbps and 2000 Tunnels - SRX1500
  – 15K Tunnels with TS

Use Case: Auto + AD VPN
• Network Topology / Failover Redundancy / Traffic Steering:
  – On Demand Spoke to Spoke
  – Dynamic Any-to-Any
  – Cluster Hub
  – Cluster Spokes (Hierarchy)
  – Traffic Selector with Static Routes – Higher scalability
  – Dynamic Routing - OSPF
• Tunnel Technology:
  – Dynamic Spoke to Spoke Tunnel
  – IKEv2
• Performance / Scalability:
  – 256 shortcut tunnels - SRX550M
  – 512 shortcut tunnels - SRX650 and above

Use Case: Group VPN
• Network Topology / Failover Redundancy / Traffic Steering:
  – Any-to-Any
  – Full Mesh
  – Server Cluster for Key Server protection
  – Up to 4 servers in the same cluster
  – No overlay routing
  – Advanced QoS for encrypted traffic
• Tunnel Technology:
  – Tunnel-less VPN
  – Group Protection
  – IKEv1
• Performance / Scalability:
  – 4000 group members per server
  – 16K per cluster
Management

Junos Space Security Director 2.0
https://www.youtube.com/watch?v=IN0g7SUfFQ0
Graphical, Intuitive, Network Wide Visibility …smarter and faster
Views: Firewall Policy, Threat Map, Events and Logs, Application Visibility, Dashboard
Future

Software Defined Secure Network Vision
• Detection: unify and rate threat intelligence from multiple sources
• Policy: create and centrally manage security policy through a user-intent based system
• Enforcement: enforce policy in near real time across the network; ability to adapt to network changes

Business Needs view: Users & Roles, Departments & Sites, Devices, Applications
IT View: Switch Ports, VLANs, ACLs, IPs/Subnets, VRFs, ACLs, Firewall Zones, Rules, Users & Apps, Threats, Location
Thanks!

Next Generation Security Solution
