JUNOS® Software Feature Support Reference for SRX Series and J Series Devices Release 10.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Revision 01 Published: 2010-01-19

Junos Security Feature Support Guide


JUNOS Software Feature Support Reference for SRX Series and J Series Devices
Release 10.1
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.

Revision History
January 2010—Revision 01

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.


END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.


6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).


Table of Contents

Chapter 1 Overview

Chapter 2 Feature Support Tables

    Administrator Authentication
    Alarms
    Application Layer Gateways (ALG)
    Attack Detection and Prevention
    Autoinstallation
    Chassis Cluster
    Chassis Management
    Class of Service (CoS)
    Dynamic Host Configuration Protocol (DHCP)
    Diagnostics Tools
    File Management
    Firewall Authentication
    GPRS
    Flow-Based and Packet-Based Processing
    Infranet Authentication
    Integrated Convergence Services
    Interfaces
    Intrusion Detection and Prevention (IDP)
    IPsec
    Layer 2 Mode
    Management
    MPLS
    Multicast
    Multicast VPN
    Netscreen Remote
    Network Address Translation (NAT)
    Network Operations and Troubleshooting
    Packet Capture
    Power over Ethernet (PoE)
    Public Key Infrastructure (PKI)
    Real-Time Performance Monitoring (RPM) Probe
    Remote Device Access
    Routing
    Secure Web Access
    Security Policy
    Session Logging
    SNMP
    Stateless Firewall Filters
    System Log Files
    Transparent Mode
    Unified Threat Management (UTM)
    Upgrading and Rebooting
    USB Modem
    User Interfaces
    Voice Over Internet Protocol (VoIP) with Avaya
    Wireless LAN (WLAN)
    Zones Support
    J Series and SRX Series Documentation and Release Notes
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC


Chapter 1

Overview

This guide provides feature support information for SRX Series Services Gateways and J Series Services Routers and specifies which hardware devices support those features.

NOTE: The material in this guide consolidates and updates the support information previously located in the JUNOS Software Administration Guide, JUNOS Software Interfaces and Routing Configuration Guide, and JUNOS Software Security Configuration Guide.

Powered by JUNOS Software, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX240, SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks J Series Services Routers running JUNOS Software provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These devices also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.


Chapter 2

Feature Support Tables

This chapter provides an alphabetical list of all features supported by the SRX Series and J Series devices.

Administrator Authentication

JUNOS Software supports three methods of user authentication:

■ local password authentication

■ Remote Authentication Dial-In User Service (RADIUS)

■ Terminal Access Controller Access Control System Plus (TACACS+)

With local password authentication, you configure a password for each user allowed to log in to the device.

RADIUS and TACACS+ are authentication methods for validating users who attempt to access the device using Telnet. Both are distributed client/server systems—the RADIUS and TACACS+ clients run on the device, and the server runs on a remote network system.

Table 1 on page 3 lists the administrator authentication features that are supported on SRX Series and J Series devices. For more information about administrator authentication, see the JUNOS Software Administration Guide.

Table 1: Administrator Authentication Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Local authentication | Yes | Yes | Yes | Yes |
| RADIUS | Yes | Yes | Yes | Yes |
| TACACS+ | Yes | Yes | Yes | Yes |


Alarms

JUNOS Software supports three types of alarms:

■ Chassis alarms indicate a failure on the device or one of its components. Chassis alarms are preset and cannot be modified.

■ Interface alarms indicate a problem in the state of the physical links on fixed or installed PIMs. To enable interface alarms, you must configure them.

■ System alarms indicate a missing rescue configuration or software license, where valid. System alarms are preset and cannot be modified, although you can configure them to appear automatically in the J-Web or CLI display.

Table 2 on page 4 lists the alarm features that are supported on SRX Series and J Series devices. For more information about alarms, see the JUNOS Software Administration Guide.

Table 2: Alarm Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Chassis alarms | Yes | Yes | Yes | Yes |
| Interface alarms | Yes | Yes | Yes | Yes |
| System alarms | Yes | Yes | Yes | Yes |

Application Layer Gateways (ALG)

An ALG is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or File Transfer Protocol (FTP) on SRX Series and J Series devices running JUNOS Software. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the Juniper Networks device.

Table 3 on page 4 lists the ALG features that are supported on SRX Series and J Series devices. For more information about ALGs, see the JUNOS Software Security Configuration Guide.

Table 3: ALG Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Avaya H.323 ALG | Yes | Yes | No | Yes |
| Domain Name System (DNS) ALG | Yes | Yes | Yes | Yes |
| FTP ALG | Yes | Yes | Yes | Yes |
| H.323 ALG | Yes | Yes | No | Yes |
| Media Gateway Control Protocol (MGCP) ALG | Yes | Yes | No | Yes |
| Point-to-Point Tunneling Protocol (PPTP) ALG | Yes | Yes | Yes | Yes |
| Real-Time Streaming Protocol (RTSP) ALG | Yes | Yes | Yes | Yes |
| Sun remote procedure call (SUNRPC) ALG | Yes | Yes | Yes | Yes |
| Microsoft remote procedure call (MSRPC) ALG | Yes | Yes | Yes | Yes |
| Remote shell (RSH) ALG | Yes | Yes | Yes | Yes |
| Session Initiation Protocol (SIP) ALG | Yes | Yes | No | Yes |
| Skinny Call Control Protocol (SCCP) ALG | Yes | Yes | No | Yes |
| DNS Doctoring Support | Yes | Yes | Yes | Yes |
| Structured Query Language (SQL) ALG | Yes | Yes | Yes | Yes |
| TALK ALG | Yes | Yes | Yes | Yes |
| Trivial File Transfer Protocol (TFTP) ALG | Yes | Yes | Yes | Yes |
| DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering | No | No | SRX5600 and SRX5800 only | No |

Attack Detection and Prevention

Attack detection and prevention, also known as a stateful firewall, detects and prevents attacks in network traffic. An exploit can be either an information-gathering probe or an attack to compromise, disable, or harm a network or network resource.

Juniper Networks provides various detection methods and defense mechanisms at the zone and policy levels to combat exploits at all stages of their execution.

■ Screen options at the zone level

■ Firewall policies at the inter-, intra-, and super-zone policy levels (super-zone here means in global policies, where no security zones are referenced)


Table 4 on page 6 lists attack detection and prevention features (Screens) that are supported on SRX Series and J Series devices. For more information on IDP support, see “Intrusion Detection and Prevention (IDP)” on page 19.

For more information about attack detection and prevention, see the JUNOS Software Security Configuration Guide.

Table 4: Attack Detection and Prevention Support (Screens)

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Bad IP option | Yes | Yes | Yes | Yes |
| Block fragment traffic | Yes | Yes | Yes | Yes |
| FIN flag without ACK flag set protection | Yes | Yes | Yes | Yes |
| ICMP flood protection | Yes | Yes | Yes | Yes |
| ICMP fragment protection | Yes | Yes | Yes | Yes |
| IP address spoof | Yes | Yes | Yes | Yes |
| IP address sweep | Yes | Yes | Yes | Yes |
| IP record route option | Yes | Yes | Yes | Yes |
| IP security option | Yes | Yes | Yes | Yes |
| IP stream option | Yes | Yes | Yes | Yes |
| IP strict source route option | Yes | Yes | Yes | Yes |
| IP timestamp option | Yes | Yes | Yes | Yes |
| Land attack protection | Yes | Yes | Yes | Yes |
| Large size ICMP packet protection | Yes | Yes | Yes | Yes |
| Loose source route option | Yes | Yes | Yes | Yes |
| Ping of death attack protection | Yes | Yes | Yes | Yes |
| Port scan | Yes | Yes | Yes | Yes |
| Source IP based session limit | Yes | Yes | Yes | Yes |
| SYN-ACK-ACK proxy protection | Yes | Yes | Yes | Yes |
| SYN and FIN flags set protection | Yes | Yes | Yes | Yes |
| SYN flood protection | Yes | Yes | Yes | Yes |
| SYN fragment protection | Yes | Yes | Yes | Yes |
| Teardrop attack protection | Yes | Yes | Yes | Yes |
| TCP packet without flag set protection | Yes | Yes | Yes | Yes |
| Unknown protocol protection | Yes | Yes | Yes | Yes |
| UDP flood protection | Yes | Yes | Yes | Yes |
| WinNuke attack protection | Yes | Yes | Yes | Yes |

Autoinstallation

Autoinstallation provides automatic configuration for a new device that you connect to the network and turn on, or for a device configured for autoinstallation. The autoinstallation process begins anytime a device is powered on and cannot locate a valid configuration file in the CompactFlash card. Typically, a configuration file is unavailable when a device is powered on for the first time, or if the configuration file is deleted from the CompactFlash card. The autoinstallation feature enables you to deploy multiple devices from a central location in the network.

Table 5 on page 7 lists the autoinstallation support on SRX Series and J Series devices. For more information about autoinstallation, see the JUNOS Software Administration Guide.

Table 5: Autoinstallation Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Autoinstallation | Yes | Yes | No | Yes |

Chassis Cluster

Chassis clustering provides network node redundancy by grouping a pair of the same kind of supported SRX Series devices or J Series devices into a cluster. The devices must be running JUNOS Software.

Table 6 on page 8 lists chassis cluster features that are supported on SRX Series and J Series devices. For more information about chassis clusters, see the JUNOS Software Security Configuration Guide.


Table 6: Chassis Cluster Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Active/active chassis cluster (that is, cross-box data forwarding over the fabric interface) | Yes | Yes | Yes | Yes |
| Application Layer Gateways (ALGs) | SRX100 and SRX210 only | No | Yes | Yes |
| Chassis cluster formation | Yes | Yes | Yes | Yes |
| Control plane failover | Yes | Yes | Yes | Yes |
| Dampening time between back-to-back redundancy group failovers | Yes | Yes | Yes | Yes |
| Data plane failover | Yes | Yes | Yes | Yes |
| Dual control links | No | No | SRX5600 and SRX5800 only | No |
| JUNOS flow-based routing functionality | Yes | Yes | Yes | Yes |
| Low-impact cluster upgrade (ISSU light) | No | No | Yes | No |
| Redundancy group 0 (backup for Routing Engine) | Yes | Yes | Yes | Yes |
| Redundancy groups 1 through 128 | Yes | Yes | Yes | Yes |
| Redundant Ethernet interfaces | Yes | Yes | Yes | Yes |
| Redundant Ethernet interface link aggregation groups (LAGs) | No | No | Yes | No |
| Upstream device IP address monitoring | No | No | Yes | No |
| Upstream device IP address monitoring on a backup interface | No | No | Yes | No |


Chassis Management

The chassis properties include the status of hardware components on the device.

Table 7 on page 9 lists the chassis management support on SRX Series and J Series devices. For more information about chassis management, see the JUNOS Software Administration Guide.

Table 7: Chassis Management Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Chassis management | Yes | Yes | Yes | Yes |

Class of Service (CoS)

When a network experiences congestion and delay, some packets must be dropped. JUNOS Software CoS allows you to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. This allows packet loss to happen according to the rules you configure.

Table 8 on page 9 lists the CoS features that are supported on SRX Series and J Series devices. For more information about CoS, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 8: CoS Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Classifiers | Yes | Yes | Yes | Yes |
| Code-point aliases | Yes | Yes | Yes | Yes |
| Forwarding classes | Yes | Yes | Yes | Yes |
| Ingress interface policer | Yes | Yes | SRX5600 and SRX5800 only | Yes |
| Policing | Yes | Yes | Yes | Yes |
| Schedulers: Transmission Rate (no exact rate knob); Delay buffer size; Shaping rate; Red drop profiles | Yes | Yes | Yes | Yes |
| Simple filters | No | No | Yes | No |
| Transmission queues | Yes | Yes | Yes | Yes |
| Tunnels: IP to IP; IPsec; GRE | Yes | Yes | No | Yes |
| Virtual Channels | Yes | Yes | No | Yes |

Dynamic Host Configuration Protocol (DHCP)

DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own IP address, the IP address of a server host, and the name of a bootstrap file. DHCP servers can handle requests from BOOTP clients, but provide additional capabilities beyond BOOTP, such as the automatic allocation of reusable IP addresses and additional configuration options.

DHCP provides two primary functions:

■ Allocate temporary or permanent IP addresses to clients.

■ Store, manage, and provide client configuration parameters.

Table 9 on page 10 lists the DHCP features that are supported on SRX Series and J Series devices. For more information about DHCP, see the JUNOS Software Administration Guide.

Table 9: DHCP Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| DHCP client | Yes | Yes | Yes | Yes |
| DHCP relay agent | Yes | Yes | Yes | Yes |
| DHCP server | Yes | Yes | Yes | Yes |
| DHCP server address pools | Yes | Yes | Yes | Yes |
| DHCP server static mapping | Yes | Yes | Yes | Yes |

Diagnostics Tools

SRX Series and J Series devices support a suite of J-Web tools and CLI operational mode commands for evaluating system health and performance. Diagnostic tools and commands test the connectivity and reachability of hosts in the network.

Table 10 on page 11 lists the diagnostics tools features that are supported on SRX Series and J Series devices. For more information about diagnostics tools, see the JUNOS Software Administration Guide.

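Table 10: Diagnostics Tools Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| CLI terminal | Yes | Yes | Yes | Yes |
| J-Flow versions 5 and 8 | Yes | Yes | Yes | Yes |
| Ping host | Yes | Yes | Yes | Yes |
| Ping MPLS | Yes | Yes | No | Yes |
| Traceroute | Yes | Yes | Yes | Yes |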

File Management

You can use the J-Web interface to perform routine file management operations such as archiving log files and deleting unused log files, cleaning up temporary files and crash files, and downloading log files from the routing platform to your computer. You can also encrypt the configuration files with the CLI configuration editor to prevent unauthorized users from viewing sensitive configuration information.

Table 11 on page 12 lists the file management features that are supported on SRX Series and J Series devices. For more information about file management, see the JUNOS Software Administration Guide.


Table 11: File Management Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Clean up unnecessary files | Yes | Yes | Yes | Yes |
| Delete backup software image | Yes | Yes | Yes | Yes |
| Delete individual files | Yes | Yes | Yes | Yes |
| Download system files | Yes | Yes | Yes | Yes |
| Encrypt/decrypt configuration files | Yes | Yes | Yes | Yes |
| Manage account files | Yes | Yes | No | Yes |

Firewall Authentication

JUNOS Software supports the following two types of firewall user authentication:

■ Pass-through authentication—A host or a user from one zone tries to access resources on another zone. You must use an FTP, Telnet, or HTTP client to access the IP address of the protected resource and to get authenticated by the firewall. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.

■ Web authentication—Users try to connect, using HTTP, to an IP address on the device that is enabled for Web authentication; in this scenario, you do not use HTTP to get to the IP address of the protected resource. You are prompted for the username and password that are verified by the device. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.

Table 12 on page 12 lists firewall authentication features that are supported on SRX Series and J Series devices. For more information about firewall authentication, see the JUNOS Software Security Configuration Guide.

Table 12: Firewall Authentication Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| LDAP authentication server | Yes | Yes | Yes | Yes |
| Local authentication server | Yes | Yes | Yes | Yes |
| Pass-through authentication | Yes | Yes | Yes | Yes |
| RADIUS authentication server | Yes | Yes | Yes | Yes |
| SecurID authentication server | Yes | Yes | Yes | Yes |
| Web authentication | Yes | Yes | Yes | Yes |
| Layer 2 authentication | No | No | Yes | No |

GPRS

General Packet Radio Service (GPRS) networks connect to several external networks including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. GPRS network operators face the challenge of protecting their network while providing and controlling access to and from these external networks. Juniper Networks provides solutions to many of the security problems plaguing GPRS network operators.

In the GPRS architecture, the fundamental cause of security threats to an operator’s network is the inherent lack of security in GPRS tunneling protocol (GTP). GTP is the protocol used between GPRS support nodes (GSNs). Communication between different GPRS networks is not secure, because GTP does not provide any authentication, data integrity, or confidentiality protection. Implementing Internet Protocol security (IPsec) for connections between roaming partners, setting traffic rate limits, and using stateful inspection can eliminate a majority of the GTP’s security risks. Juniper Networks security devices mitigate a wide variety of attacks on the Gp, Gn, and Gi interfaces. The GTP firewall features in JUNOS Software address key security issues in mobile operators’ networks.

Table 12 on page 12 lists GPRS features that are supported on SRX Series and J Series devices. For more information about GPRS, see the JUNOS Software Security Configuration Guide.

Table 13: GPRS Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| GPRS | No | No | Yes | No |

Flow-Based and Packet-Based Processing

A packet undergoes flow-based processing after any packet-based filters and policers have been applied to it. A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS Software treats packets belonging to the same flow in the same manner.


A packet undergoes packet-based processing when it is dequeued from its input (ingress) interface and before it is enqueued on its output (egress) interface. Packet-based processing applies stateless firewall filters and class-of-service (CoS) features to discrete packets. You can apply a firewall filter to an ingress or egress interface, or to both.

Table 14 on page 14 lists flow-based and packet-based features that are supported on SRX Series and J Series devices. For more information about flow-based and packet-based processing, see the JUNOS Software Security Configuration Guide.

Table 14: Flow-based and Packet-Based Processing Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| End-to-end packet debugging | Yes | Yes | Yes | No |
| Flow-based processing | Yes | Yes | Yes | Yes |
| Network processor bundling | No | No | SRX5600 and SRX5800 only | No |
| Packet-based processing | Yes | Yes | No | Yes |
| Selective stateless packet-based services | Yes | Yes | No | Yes |

Infranet Authentication

A Unified Access Control (UAC) deployment uses infranet controllers, infranet enforcers, and infranet agents to secure a network and ensure that only qualified end users can access protected resources. An SRX Series or J Series device can act as an Infranet Enforcer in a UAC network. Specifically, it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from the Infranet Controller. When deployed in a UAC network, an SRX Series or J Series device is called a JUNOS Enforcer.

Table 15 on page 14 lists infranet authentication support on SRX Series and J Series devices. For more information about infranet authentication, see the JUNOS Software Security Configuration Guide.

Table 15: Infranet Authentication Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| JUNOS Enforcers in UAC deployments | Yes | Yes | Yes | Yes |


Integrated Convergence Services

Integrated Convergence Services optimizes and secures voice communication and applications running on Juniper Networks SRX Series Services Gateways. It integrates hardware and software on SRX Series devices to provide the following main features and functions:

■ A standards-based Session Initiation Protocol (SIP) media gateway (SRX Series MGW) that connects SIP and time-division multiplexing (TDM) networks so that calls can be made from and routed to local analog telephones, fax machines, legacy PBX (Key) systems, and SIP phones within the branch and across PSTN or SIP trunks.

Integrated Convergence Services hardware on SRX Series Services Gateways includes a digital signal processor (DSP), plain old telephone service (POTS) interfaces, and expansion cards to provide additional FXS and FXO interfaces, T1/E1 interfaces, and more.

■ A SIP survivable call server (SRX Series SCS) that provides local call handling and basic call routing for branch analog and IP phones when the centralized SIP call server, referred to as the peer call server, that provides them under normal conditions is unreachable. Supported features include class of restriction for stations, auto-attendant, call forwarding, call transfer, voicemail forwarding, three-way calls, and more.

■ Emergency call support with the ability to dedicate trunks for emergency calls or preempt existing calls to guarantee successful emergency call completion.

■ SIP trunking from the branch integrated natively into the device to provide a secure, robust, and reliable SIP-based solution, which includes optimized Quality of Service (QoS) and traffic engineering to route calls using the shortest path from the branch to the carrier POP.

Unlike traditional SIP architectures in which traffic is backhauled to headquarters, when a local SIP trunk is used, it serves as a circuit switch trunk replacement for TDM or analog PSTN lines from the branch. This solution results in large cost savings with dynamic pricing schemes made available by SIP trunking carriers.

Integrated Convergence Services is designed with an open and standards-based approach. It interoperates with leading voice and unified communications vendor partners. This approach provides customers with the flexibility to choose the best vendor for their unified communications requirements.

Table 16 on page 16 lists integrated convergence services support on SRX Series devices. For more information about integrated convergence services, see the JUNOS Software Integrated Convergence Services Configuration and Administration Guide.


Table 16: Integrated Convergence Services Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Integrated Convergence Services | SRX210 and SRX240 only | No | No | No |

Interfaces

All Juniper Networks devices use network interfaces to connect to other devices. A connection takes place along media-specific physical wires through a port on a Physical Interface Module (PIMs, uPIMS, ePIMs) installed in the J Series Services Router or an Input/Output Card (IOC) in the SRX Series Services Gateway. SRX100, SRX210, and SRX240 devices support mPIMs, while SRX650 devices support XPIMs, GPIMs, and XGPIMs. Each device interface has a unique name that follows a naming convention.

You must configure each network interface before it can operate on the device. Configuring an interface can define both the physical properties of the link and the logical properties of a logical interface on the link.

Table 17 on page 16 lists the interface features that are supported on SRX Series and J Series devices. For more information about interfaces, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 17: Interface Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| 10–Gigabit Ethernet interface | No | No | Yes | No |
| 3G wireless modem interface | SRX210 only | No | No | No |
| 3G wireless modem interface using the CX-111 external wireless bridge | Yes | Yes | No | Yes |
| Asymmetric digital subscriber line (ADSL) interface | SRX210 and SRX240 only | No | No | Yes |
| Channelized E1/T1 interface | No | No | No | Yes |
| Channelized ISDN PRI interface | No | No | No | Yes |
| Class-of-service support interface | No | No | No | Yes |
| Copper Gigabit Ethernet (10–Mbps, 100–Mbps, or 1000–Mbps port) | SRX210 and SRX240 only | Yes | Yes | No |
| Data over Cable System Interface Specifications (DOCSIS) Mini-PIM interface | SRX210 and SRX240 only | No | No | No |
| Discard interface | No | No | No | Yes |
| Ethernet interface | Yes | Yes | Yes | Yes |
| E3 interface | No | No | No | Yes |
| Fractional T1/E1 interface | SRX210 and SRX240 only | No | No | Yes |
| Fast Ethernet interface | Yes | Yes | Yes | Yes |
| Frame Relay interface | SRX210 and SRX240 only | Yes | No | Yes |
| Generic routing encapsulation (GRE) interface | Yes | Yes | No | Yes |
| Gigabit Ethernet interface | Yes | Yes | Yes | Yes |
| High-level Data Link Control (HDLC) interface | SRX210 and SRX240 only | Yes | No | No |
| Interleaving using MLFR | No | No | No | Yes |
| Internally configured interface used by the system as a control path between the WXC Integrated Services Module and the Routing Engine | No | No | No | Yes |
| Internally generated GRE interface | Yes | Yes | No | Yes |
| Internally generated link services interface | Yes | Yes | No | Yes |
| Internally generated IP-over-IP interface | Yes | Yes | No | Yes |
| Internally generated Protocol Independent Multicast de-encapsulation interface | Yes | No | Yes | Yes |
| Internally generated Protocol Independent Multicast encapsulation interface | Yes | Yes | Yes | Yes |
| IP-over-IP encapsulation interface | Yes | Yes | No | Yes |
| ISDN BRI interface | No | No | No | Yes |
| Link services interface | Yes | Yes | No | Yes |
| Link Fragment Interleaved | Yes | Yes | No | No |
| Loopback Interface | Yes | Yes | Yes | Yes |
| Management interface | Yes | Yes | Yes | Yes |
| Passive monitoring interface | Yes | Yes | No | Yes |
| Point-to-Point Protocol (PPP) interface | Yes | Yes | No | Yes |
| Point-to-Point Protocol over Ethernet (PPPoE) interface | SRX210 and SRX240 only | Yes | No | No |
| PPPoE-based radio-to-router protocol | Yes | Yes | Yes | Yes |
| Promiscuous mode on interfaces | No | No | Yes | No |
| Protocol Independent Multicast de-encapsulation interface | Yes | No | No | Yes |
| Protocol Independent Multicast encapsulation interface | Yes | No | No | Yes |
| Secure tunnel interface | Yes | Yes | Yes | Yes |
| Serial interface | SRX210 and SRX240 only | No | No | Yes |
| Symmetric high-speed DSL (SHDSL) interface | SRX210 and SRX240 only | No | No | Yes |
| Symmetric high-speed digital subscriber line (G.SHDSL) interface | SRX210 and SRX240 only | No | No | Yes |
| T3 interface | No | No | No | Yes |
| Universal serial bus (USB) model physical interface | Yes | No | No | Yes |
| VDSL interface | SRX210 and SRX240 | No | No | No |

Intrusion Detection and Prevention (IDP)

The JUNOS Software Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules to match traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.

Table 18 on page 19 lists IDP features that are supported on SRX Series and J Series devices. For more information about IDP, see the JUNOS Software Security Configuration Guide.

Table 18: IDP Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Application identification | Yes | Yes | Yes | Yes |
| Application-level distributed denial-of-service (DDoS) rulebase | No | No | Yes | No |
| Differentiated Services code point (DSCP) marking | Yes | Yes | Yes | Yes |
| Extended application identification | Yes | Yes | Yes | Yes |
| IDP in an active/active chassis cluster | No | No | Yes | No |
| IDP logging | Yes | Yes | Yes | Yes |
| IDP monitoring and debugging | Yes | Yes | Yes | Yes |
| IDP Policy | Yes | Yes | Yes | Yes |
| IDP signature database | Yes | Yes | Yes | Yes |
| IDP SSL Inspection | No | No | Yes | No |
| IDP and UAC coordinated threat control | No | No | Yes | No |
| Intrusion prevention system (IPS) rulebase | Yes | Yes | Yes | Yes |
| Performance and capacity tuning for IDP | No | No | Yes | No |
| SNMP MIB for IDP monitoring | Yes | Yes | Yes | Yes |

IPsec

IP Security (IPsec) is a suite of related protocols for cryptographically securing communications at the IP Layer. IPsec also provides methods for the manual and automatic negotiation of security associations (SAs) and key distribution, all the attributes for which are gathered in a Domain of Interpretation (DOI). The IPsec DOI is a document containing definitions for all the security parameters required for the successful negotiation of a VPN tunnel—essentially, all the attributes required for SA and IKE negotiations.

Table 19 on page 20 lists IPsec features that are supported on SRX Series and J Series devices. For more information about IPsec, see the JUNOS Software Security Configuration Guide.

Table 19: IPsec Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Antireplay (packet replay attack prevention) | Yes | Yes | Yes | Yes |
| Authentication Header (AH) protocol | Yes | Yes | Yes | Yes |
| Autokey management | Yes | Yes | Yes | Yes |
| Dead peer detection (DPD) | Yes | Yes | Yes | Yes |
| Dynamic IPsec VPNs | Yes | No | No | No |
| Encapsulating Security Payload (ESP) protocol | Yes | Yes | Yes | Yes |
| IKE phase 1 | Yes | Yes | Yes | Yes |
| IKE phase 2 | Yes | Yes | Yes | Yes |
| Manual key management | Yes | Yes | Yes | Yes |
| Policy-based and route-based VPNs | Yes | Yes | Yes | Yes |
| Tunnel mode | Yes | Yes | Yes | Yes |
| UAC L3 Enforcement | Yes | Yes | Yes | Yes |
| VPN monitoring | Yes | Yes | Yes | Yes |
| External extended authentication (Xauth) to a Radius server for remote access connections | Yes | Yes | Yes | Yes |

Layer 2 Mode

Ethernet frames can be forwarded from one LAN segment or VLAN to another by bridging or switching functions on Juniper Networks devices. Bridging and switching functions are performed in Layer 2 of the OSI reference model—the Data Link Layer. Though the terms bridging and switching are often used interchangeably, switching functions are typically performed in hardware in application-specific integrated circuits (ASICs) while bridging functions are usually performed in software.

Table 20 on page 21 lists the Layer 2 features that are supported on SRX Series and J Series devices. For more information about Layer 2 features, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 20: Layer 2 Mode Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| 802.1x port-based network authentication | Yes | Yes | No | Yes |
| Flexible Ethernet services | Yes | Yes | No | Yes |
| Generic VLAN registration protocol | Yes | Yes | No | Yes |
| IGMP snooping | Yes | Yes | No | Yes |
| Integrated routing and bridging (IRB) interface | Yes | Yes | Yes* | Yes |
| Integrated routing and bridging (IRB) | Yes | Yes | No* | Yes |
| Link aggregation | Yes | Yes | Yes | Yes |
| Spanning Tree protocols | Yes | Yes | Yes | Yes |
| Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol—Media Endpoint Discovery (LLDP-MED) | Yes | Yes | No | Yes |
| Q-in-Q tunneling | SRX210 and SRX240 only | Yes | No | Yes |
| VLAN retagging | No | No | Yes | No |
| VLANs | Yes | Yes | Yes | Yes |

* On SRX3400, SRX3600, SRX5600, and SRX5800 devices, we support an IRB interface where you can terminate management connections in transparent mode. However, you cannot route traffic on that interface or terminate IPsec VPNs.

Management

The Network Time Protocol (NTP) provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse network. NTP uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing, hierarchical primary-secondary configuration synchronizes local clocks within the subnet and to national time standards by means of wire or radio. The servers also can redistribute reference time using local routing algorithms and time daemons.

Table 21 on page 23 lists the management features that are supported on SRX Series and J Series devices. For more information about NTP, see the JUNOS Software System Basics Configuration Guide.


Table 21: Management Feature Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Network Time Protocol (NTP) | Yes | Yes | Yes | Yes |

MPLS

MPLS provides a framework for controlling traffic patterns across a network. The MPLS framework allows SRX Series and J Series devices to pass traffic through transit networks on paths that are independent of the individual routing protocols enabled throughout the network.

The MPLS framework supports traffic engineering and the creation of virtual private networks (VPNs). Traffic is engineered (controlled) primarily by the use of signaling protocols to establish label-switched paths (LSPs). VPN support includes Layer 2 and Layer 3 VPNs and Layer 2 circuits.

Table 22 on page 23 lists the MPLS features that are supported on SRX Series and J Series devices. For more information about MPLS, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 22: MPLS Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Circuit cross-connect (CCC) and translational cross-connect (TCC) | Yes | Yes | No | Yes |
| Connectionless Network Service (CLNS) | SRX240 only | Yes | No | Yes |
| Interprovider and carrier-of-carriers VPNs | Yes | Yes | No | Yes |
| Layer 2 VPNs for Ethernet connections | Yes | Yes | No | Yes |
| Layer 3 MPLS VPNs | Yes | Yes | No | Yes |
| LDP | Yes | Yes | No | Yes |
| MPLS virtual private networks (VPNs) with VPN routing and forwarding (VRF) tables on provider edge (PE) routers | Yes | Yes | No | Yes |
| Multicast VPNs | Yes | No | No | Yes |
| OSPF and IS-IS traffic engineering extensions | Yes | Yes | No | Yes |
| Point-to-multipoint connections (P2MP LSPs) | Yes | Yes | No | Yes |
| RSVP | Yes | Yes | No | Yes |
| Secondary and standby label-switched paths (LSPs) | Yes | Yes | No | Yes |
| Standards-based fast reroute | Yes | Yes | No | Yes |
| Virtual private LAN service (VPLS) | Yes | Yes | No | Yes |

Multicast

Multicast traffic lies between the extremes of unicast (one source, one destination) and broadcast (one source, all destinations). Multicast is a “one source, many destinations” method of traffic distribution, meaning that the destinations needing to receive the information from a particular source receive the traffic stream.

IP network destinations (clients) do not often communicate directly with sources (servers), so the routers between source and destination must be able to determine the topology of the network from the unicast or multicast perspective to avoid routing traffic haphazardly. The multicast router must find multicast sources on the network, send out copies of packets on several interfaces, prevent routing loops, connect interested destinations with the proper source, and keep the flow of unwanted packets to a minimum. Standard multicast routing protocols provide most of these capabilities.

Table 23 on page 24 lists the multicast features that are supported on SRX Series and J Series devices. For more information about multicasting, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 23: Multicasting Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Filtering PIM Register Messages | Yes | Yes | Yes | Yes |
| Internet Group Management Protocol (IGMP) | Yes | Yes | Yes | Yes |
| PIM RPF Routing Table | Yes | Yes | Yes | Yes |
| Primary routing mode: Dense mode; Sparse mode | Yes | Yes | Yes | Yes |
| Protocol Independent Multicast (PIM) Static RP | Yes | Yes | Yes | Yes |
| Session Announcement Protocol (SAP) | Yes | Yes | Yes | Yes |
| Session Description Protocol (SDP) | Yes | Yes | Yes | Yes |

Multicast VPN

MPLS multicast VPNs employ the intra-autonomous system (AS) next-generation (NGEN) BGP control plane and Protocol Independent Multicast (PIM) sparse mode as the data plane.

A multicast VPN is defined by two sets of sites, a sender site set and a receiver site set. These sites have the following properties:

■ Hosts within the sender site set can originate multicast traffic for receivers in the receiver site set.

■ Receivers outside the receiver site set should not be able to receive this traffic.

■ Hosts within the receiver site set can receive multicast traffic originated by any host in the sender site set.

■ Hosts within the receiver site set should not be able to receive multicast traffic originated by any host that is not in the sender site set.

Table 24 on page 25 lists the multicast VPN features that are supported on J Series devices. For more information about multicast VPN, see the JUNOS Software VPNs Configuration Guide.

Table 24: Multicast VPN Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Basic multicast features in C-instance | No | No | No | Yes |
| Multicast VPN membership discovery with BGP | No | No | No | Yes |
| P2MP OAM - P2MP LSP ping | No | No | No | Yes |
| Point-to-multipoint (P2MP) LSPs support | No | No | No | Yes |
| Reliable multicast VPN Routing Information Exchange | No | No | No | Yes |


Netscreen Remote

The Juniper Networks NetScreen-Remote VPN client is a virtual private network (VPN) client that you can install on a PC or laptop computer to send and receive secure communications over the Internet. NetScreen-Remote client is certified by the International Computer Security Association (ICSA) as an IPsec-compliant VPN solution.

Table 25 on page 26 lists the NetScreen-Remote support on SRX Series and J Series devices. For more information about Netscreen Remote, see the JUNOS Software Security Configuration Guide.

Table 25: NetScreen-Remote Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Netscreen Remote VPN Client | No | No | No | Yes |

Network Address Translation (NAT)

Network Address Translation (NAT) is a method by which IP addresses in a packet are mapped from one group to another and, optionally, port numbers in the packet are translated into different port numbers.

NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. Since then, NAT has been found to be a useful tool for firewalls, traffic redirect, load sharing, network migrations, and so on.

Table 26 on page 26 lists NAT features that are supported on SRX Series and J Series devices. For more information about NAT, see the JUNOS Software Security Configuration Guide.

Table 26: NAT Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
|---|---|---|---|---|
| Proxy Address Resolution Protocol (ARP) | Yes | Yes | Yes | Yes |
| Destination IP address translation | Yes | Yes | Yes | Yes |
| Disabling source NAT port randomization | Yes | Yes | Yes | Yes |
| Persistent NAT | Yes | Yes | Yes | Yes |
| Removing persistent NAT query bindings | Yes | Yes | Yes | Yes |
| Rule-based NAT | Yes | Yes | Yes | Yes |
| Static NAT | Yes | Yes | Yes | Yes |
| Source IP address translation | Yes | Yes | Yes | Yes |

Network Operations and Troubleshooting

You can use commit scripts, operation scripts, and event policies to automate network operations and troubleshooting tasks. You can use commit scripts to enforce custom configuration rules. Operation scripts allow you to automate network management and troubleshooting tasks. You can configure event policies that initiate self-diagnostic actions on the occurrence of specific events.

Table 27 on page 27 lists the network operations features that are supported on SRX Series and J Series devices. For more information about network operations, see the JUNOS Software Administration Guide.

Table 27: Network Operations and Troubleshooting Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Event policies | Yes | Yes | Yes | Yes |
| Event scripts | Yes | Yes | Yes | Yes |
| Extensible Stylesheet Language Transformations (XSLT) commit scripts | Yes | Yes | Yes | Yes |
| Operation scripts | Yes | Yes | Yes | Yes |

Packet Capture

Packet capture is a tool that helps you analyze network traffic and troubleshoot network problems. The packet capture tool captures real-time data packets, traveling over the network, for monitoring and logging.


Packets are captured as binary data, without modification. You can read the packet information offline with a packet analyzer such as Ethereal or tcpdump.

Table 28 on page 28 lists the packet capture support on SRX Series and J Series devices. For more information about packet capture, see the JUNOS Software Administration Guide.

Table 28: Packet Capture Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Packet capture | Yes | Yes | No | Yes |

Power over Ethernet (PoE)

PoE is the implementation of the IEEE 802.3 AF standard, which allows both data and electrical power to pass over a copper Ethernet LAN cable.

PoE ports transfer electrical power and data to remote devices over standard twisted-pair cable in an Ethernet network. PoE ports allow you to plug in devices that require both network connectivity and electrical power, such as VOIP and IP phones and wireless LAN access points.

Table 29 on page 28 lists the PoE support on SRX Series and J Series devices. For more information about PoE, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 29: PoE Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| IEEE 802.3 AF standard | SRX210, SRX210 (media gateway model), SRX210 (PoE model), and SRX240 | Yes | No | No |
| IEEE 802.3 AT (draft) standard | SRX210 and SRX240 only | Yes | No | No |
| IEEE legacy (pre-standards) | SRX210 and SRX240 only | Yes | No | No |

Public Key Infrastructure (PKI)

In PKI, a public-private key pair is used to encrypt and decrypt data. Data encrypted with a public key, which the owner makes available to the public, can be decrypted with the corresponding private key only, which the owner keeps secret and protected.


The reverse process is also useful: encrypting data with a private key and decrypting it with the corresponding public key. This process is known as creating a digital signature. A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority (CA).

Table 30 on page 29 lists the PKI features that are supported on SRX Series and J Series devices. For more information about PKI, see the JUNOS Software Security Configuration Guide.

Table 30: PKI Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Automated certificate enrollment using Simple Certificate Enrollment Protocol (SCEP) | Yes | Yes | No | Yes |
| Automatic generation of self-signed certificates | Yes | Yes | Yes | Yes |
| CRL update at user-specified interval | Yes | Yes | Yes | Yes |
| Distinguished Encoding Rules (DER), Privacy-Enhanced Mail (PEM), Public-Key Cryptography Standard 7 (PKCS7), and X509 certificate encoding | Yes | Yes | Yes | Yes |
| Entrust, Microsoft, and Verisign certificate authorities (CAs) | Yes | Yes | Yes | Yes |
| Internet Key Exchange (IKE) support | Yes | Yes | Yes | Yes |
| Manual installation of DER-encoded and PEM-encoded CRLs | Yes | Yes | Yes | Yes |
| Online certificate revocation list (CRL) retrieval through LDAP and HTTP | No | No | No | Yes |


Real-Time Performance Monitoring (RPM) Probe

The RPM feature allows network operators and their customers to accurately measure the performance between two network endpoints. With the RPM probe, you configure and send probes to a specified target and monitor the analyzed results to determine packet loss, round-trip time, and jitter.

Table 31 on page 30 lists the RPM probe support on SRX Series and J Series devices. For more information about RPM probe, see the JUNOS Software Administration Guide.

Table 31: RPM Probe Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| RPM probe | Yes | Yes | No | Yes |

Remote Device Access

You can use the CLI telnet command to open a Telnet session to a remote device.

Table 32 on page 30 lists the remote device access support on SRX Series and J Series devices. For more information about accessing remote devices, see the JUNOS Software Administration Guide.

Table 32: Remote Device Access Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Reverse Telnet | No | No | No | Yes |

Routing

Routing is the transmission of data packets from a source to a destination address. For packets to be correctly forwarded to the appropriate host address, the host must have a unique numeric identifier or IP address. The unique IP address of the destination host forms entries in the routing table. These entries are primarily responsible for determining the path that a packet traverses when transmitted from source to destination.

Table 33 on page 31 lists the routing features that are supported on SRX Series and J Series devices. For more information about routing, see the JUNOS Software Interfaces and Routing Configuration Guide.


Table 33: Routing Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| BGP | Yes | Yes | Yes | Yes |
| BGP extensions for IPv6 | Yes | Yes | No | Yes |
| Compressed Real-Time Transport Protocol (CRTP) | Yes | No | No | Yes |
| Internet Group Management Protocol (IGMP) | SRX210 and SRX240 only | Yes | Yes | Yes |
| IPv4 options and broadcast Internet diagrams | Yes | Yes | Yes | Yes |
| IPv6 routing, forwarding, global address configuration, and Internet Control Message Protocol (ICMP) | Yes | Yes | No | Yes |
| IS-IS | Yes | Yes | Yes | Yes |
| Multiple virtual routers | Yes | Yes | Yes | Yes |
| Neighbor Discovery Protocol and Secure Neighbor Discovery Protocol | Yes | Yes | No | Yes |
| OSPF v2 | Yes | Yes | Yes | Yes |
| OSPF v3 | Yes | Yes | No | Yes |
| RIP next generation (RIPng) | Yes | Yes | No | Yes |
| RIP v1, v2 | Yes | Yes | Yes | Yes |
| Static routing | Yes | Yes | Yes | Yes |
| Virtual Router Redundancy Protocol (VRRP) | Yes | Yes | Yes | Yes |

Secure Web Access

You can manage a Juniper Networks device remotely through the J-Web interface. To communicate with the device, the J-Web interface uses Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted between the Web browser and the device by means of HTTP is vulnerable to interception and attack. To enable secure Web access, the Juniper Networks devices support Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed.

Table 34 on page 32 lists the secure web access features that are supported on SRX Series and J Series devices. For more information about secure web access, see the JUNOS Software Administration Guide.


Table 34: Secure Web Access Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Certificate authorities (CAs) | Yes | Yes | Yes | Yes |
| Hypertext Transfer Protocol (HTTP) | Yes | Yes | Yes | Yes |

Security Policy

With the advent of the Internet, the need for a secure network has become vital for businesses with an Internet connection. Before a network can be secured for a business, a network security policy has to outline all the network resources within that business and identify the required security level for those resources. The network security policy also defines the security threats and the actions taken for such threats. JUNOS Software stateful firewall policy provides a set of tools to network administrators, enabling them to implement network security for their organizations.

Table 35 on page 32 lists the security policy features that are supported on SRX Series and J Series devices. For more information about security policies, see the JUNOS Software Security Configuration Guide.

Table 35: Security Policy Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Address books | Yes | Yes | Yes | Yes |
| Custom policy applications | Yes | Yes | Yes | Yes |
| Dynamic routing protocols predefined policy applications | Yes | Yes | Yes | Yes |
| Instant messaging predefined policy applications | Yes | Yes | Yes | Yes |
| Internet Control Message Protocol (ICMP) predefined policy application | Yes | Yes | Yes | Yes |
| Internet-related predefined policy applications | Yes | Yes | Yes | Yes |
| IP-related predefined policy applications | Yes | Yes | Yes | Yes |
| Mail predefined policy applications | Yes | Yes | Yes | Yes |
| Management predefined policy applications | Yes | Yes | Yes | Yes |
| Microsoft predefined policy applications | Yes | Yes | Yes | Yes |
| Miscellaneous predefined policy applications | Yes | Yes | Yes | Yes |
| Policy applications and application sets | Yes | Yes | Yes | Yes |
| Policy application timeouts | Yes | Yes | Yes | Yes |
| Schedulers | Yes | Yes | Yes | Yes |
| Security and tunnel predefined policy applications | Yes | Yes | Yes | Yes |
| Streaming video predefined policy applications | Yes | Yes | Yes | Yes |
| UNIX predefined policy applications | Yes | Yes | Yes | Yes |

Yes Yes Yes Sun remote procedure protocol (RPC) predefined policy applications

Session Logging

You can obtain information about the sessions and packet flows active on your device, including detailed information about specific sessions. (The SRX Series device also displays information about failed sessions.) You can display this information to observe activity and for debugging purposes.

Table 36 on page 33 lists the session logging features that are supported on SRX Series and J Series devices. For more information about session logging, see the JUNOS Software Security Configuration Guide.

Table 36: Session Logging Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Accelerating security and traffic logging | Yes | Yes | Yes | Yes |
| Getting information about sessions | Yes | Yes | Yes | Yes |
| Logging to a single server | Yes | Yes | Yes | Yes |
| Session logging with NAT information | Yes | Yes | Yes | Yes |

SNMP

SNMP enables the monitoring of network devices from a central location.


Use SNMP to determine where and when a network failure is occurring, and to gather statistics about network performance in order to evaluate the overall health of the network and identify bottlenecks.

Table 37 on page 34 lists the SNMP support on SRX Series and J Series devices. For more information about SNMP, see the JUNOS Software Administration Guide.

Table 37: SNMP Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| SNMP v1, v2, v3 | Yes | Yes | Yes | Yes |

Stateless Firewall Filters

A stateless firewall filter evaluates the contents of packets transiting the device from a source to a destination, or packets originating from, or destined for, the Routing Engine. Stateless firewall filters applied to the Routing Engine interface protect the processes and resources owned by the Routing Engine. A stateless firewall filter evaluates every packet, including fragmented packets.

A stateless firewall filter, often called a firewall filter or access control list (ACL), statically evaluates packet contents. In contrast, a stateful firewall filter uses connection state information derived from past communications and other applications to make dynamic control decisions.

Table 38 on page 34 lists the stateless firewall filters support on SRX Series and J Series devices. For more information about stateless firewall filters, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 38: Stateless Firewall Filters Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Stateless firewall filters (ACLs) | Yes | Yes | Yes | Yes |

System Log Files

JUNOS Software supports configuring and monitoring of system log messages (also called syslog messages). You can configure files to log system messages and also assign attributes, such as severity levels, to messages. The View Events page in the J-Web interface enables you to filter and view system log messages.


Table 39 on page 35 lists the system log files features that are supported on SRX Series and J Series devices. For more information about system log files, see the JUNOS Software Administration Guide.

Table 39: System Log Files Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Archiving system logs | Yes | Yes | Yes | Yes |
| Configuring system log messages | Yes | Yes | Yes | Yes |
| Disabling system logs | Yes | Yes | Yes | Yes |
| Filtering system log messages | Yes | Yes | Yes | Yes |
| Multiple system log servers (control-plane logs) | Yes | Yes | Yes | No |
| Sending system log messages to a file | Yes | Yes | Yes | Yes |
| Sending system log messages to a user terminal | Yes | Yes | Yes | Yes |
| Viewing data plane logs | Yes | Yes | Yes | Yes |
| Viewing system log messages | Yes | Yes | Yes | Yes |

Transparent Mode

In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the IP packet headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.

Table 40 on page 35 lists the transparent mode features that are supported on SRX Series devices. For more information about transparent mode features, see the JUNOS Software Interfaces and Routing Configuration Guide.

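Table 40: Transparent Mode Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Bridge domain and transparent mode | No | No | Yes | No |
| Chassis clusters | No | No | Yes | No |
| Class of service | No | No | Yes | No |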


Unified Threat Management (UTM)

UTM is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities.

Table 41 on page 36 lists the UTM features that are supported on SRX Series and J Series devices. For more information about UTM, see the JUNOS Software Security Configuration Guide.

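Table 41: UTM Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Antispam | Yes | Yes | No | Yes |
| Antivirus Express | Yes | Yes | No | Yes |
| Antivirus Full | Yes | Yes | No | Yes |
| Content Filtering | Yes | Yes | No | Yes |
| Web Filtering | Yes | Yes | No | Yes |
| WELF Support | Yes | Yes | No | Yes |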

Upgrading and Rebooting

J Series and SRX Series devices are delivered with JUNOS Software preinstalled. When you power on the device, it starts (boots) up using its primary boot device. These devices also support secondary boot devices allowing you to back up your primary boot device and configuration.

As new features and software fixes become available, you must upgrade your software to use them. Before an upgrade, we recommend that you back up your primary boot device.

You can configure the primary or secondary boot device with a “snapshot” of the current configuration, default factory configuration, or rescue configuration. You can also replicate the configuration for use on another device, or configure a boot device to receive core dumps for troubleshooting.

Table 42 on page 37 lists the upgrading and rebooting features that are supported on SRX Series and J Series devices. For more information about upgrading and rebooting, see the JUNOS Software Administration Guide.


Table 42: Upgrading and Rebooting Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Boot device configuration | Yes | Yes | Yes | Yes |
| Boot device recovery | Yes | Yes | Yes | Yes |
| Chassis components control | Yes | Yes | Yes | Yes |
| Chassis restart | Yes | Yes | Yes | Yes |
| Software upgrades and downgrades | Yes | Yes | Yes | Yes |

USB Modem

SRX Series supports the use of USB modems for remote management. You can use Telnet or SSH to connect to the device from a remote location through two modems over a telephone network. The USB modem is connected to the USB port on the device, and a second modem is connected to a remote management device such as a PC or laptop computer.

Table 43 on page 37 lists the USB modem support on SRX Series devices. For more information about USB modem, see the JUNOS Software Administration Guide.

Table 43: USB Modem Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| USB modem support | Yes | Yes | No | No |

User Interfaces

You can use two user interfaces to monitor, configure, troubleshoot, and manage your device—the J-Web interface and the command-line interface (CLI) for JUNOS Software.

Table 44 on page 38 lists the user interfaces features that are supported on SRX Series and J Series devices. For more information about user interfaces, see the JUNOS Software Administration Guide.


Table 44: User Interfaces Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Command-line interface (CLI) | Yes | Yes | Yes | Yes |
| J-Web user interface | Yes | Yes | Yes | Yes |
| JUNOScript | Yes | Yes | Yes | Yes |
| Network and Security Manager | Yes | Yes | Yes | Yes |
| Session and Resource Control (SRC) application | Yes | No | No | Yes |

Voice Over Internet Protocol (VoIP) with Avaya

J2320, J2350, J4350, and J6350 Services Routers support VoIP connectivity for branch offices with the Avaya IG550 Integrated Gateway. The Avaya IG550 Integrated Gateway consists of four VoIP modules—a TGM550 Telephony Gateway Module and three types of Telephony Interface Modules (TIMs).

Table 45 on page 38 lists the VoIP with Avaya features that are supported only on J Series devices. For more information about VoIP with Avaya, see the JUNOS Software Interfaces and Routing Configuration Guide.

Table 45: VoIP with Avaya Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Avaya Communication Manager | No | No | No | Yes |
| Avaya VoIP Modules: TGM550 Telephony Gateway Module; TIM508 Analog Telephony Interface Module; TIM510 E1/T1 Telephony Interface Module; TIM514 Analog Telephony Interface Module; TIM516 Analog Telephony Interface Module; TIM518 Analog Telephony Interface Module; TIM521 BRI Telephony Interface Module | No | No | No | Yes |
| Dynamic Call Admission Control | No | No | No | Yes |
| Media Gateway Controller | No | No | No | Yes |
| VoIP interfaces: Analog telephone or trunk port; T1 port; E1 port; ISDN BRI telephone or trunk port | No | No | No | Yes |

Wireless LAN (WLAN)

A WLAN implements a flexible data communication system that frequently augments rather than replaces a wired LAN within a building, which minimizes the need for wired connections.

Table 46 on page 39 lists the WLAN support on SRX Series and J Series devices. For more information about WLAN, see the JUNOS Software WLAN Configuration and Administration Guide.

Table 46: Wireless LAN Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Wireless LAN | SRX210 and SRX240 only | Yes | No | No |
| AX411 Access Point clustering | SRX210 and SRX240 only | Yes | No | No |

NOTE: The maximum number of AX411 Access Points supported on an SRX Series Services Gateway is device dependent. Please see the release notes.

Zones Support

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. On a single device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other.


JUNOS Software supports the following two types of zones:

■ Functional zones

■ Security zones

Table 47 on page 40 lists the zones support on SRX Series and J Series devices. For more information about user interfaces, see the JUNOS Software Security Configuration Guide.

Table 47: Zones Support

| Feature | SRX100, SRX210, SRX240 | SRX650 | SRX3400, SRX3600, SRX5600, SRX5800 | J Series |
| --- | --- | --- | --- | --- |
| Functional zone | Yes | Yes | Yes | Yes |
| Security zone | Yes | Yes | Yes | Yes |

J Series and SRX Series Documentation and Release Notes

For a list of related J Series documentation, see http://www.juniper.net/techpubs/software/junos-jseries/index-main.html.

For a list of related SRX Series documentation, see http://www.juniper.net/techpubs/hardware/srx-series-main.html.

If the information in the latest release notes differs from the information in the documentation, follow the JUNOS Software Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

■ JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/7100059-EN.pdf.

■ Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

■ JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.


Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

■ Find CSC offerings: http://www.juniper.net/customers/support/

■ Search for known bugs: http://www2.juniper.net/kb/

■ Find product documentation: http://www.juniper.net/techpubs/

■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

■ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

■ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

■ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

■ Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html
