Juniper SRX Series FAQ
Juniper provides wealth of information regarding their SRX Services Gateway, here are some of the most commonly asked question from our customers who inquire about the Juniper SRX Series.
Question: Does the SRX series supports Layer2 / transparent firewalling?
Answer: Yes the SRX series supports Layer 2 / Transparent Firewall in all models (Branch and Enterprise models).
Question: Are there any additional interfaces / software features / costs needed for failover/HA support?
Answer: While high-availability comes at no additional cost, some additional software features such as Web-sense filtering, and third-party AV/AS Software require licenses. In addition, some functionality is not available to some base memory models and require memory upgrade (Done via software unlock). Additional interfaces are available on certain models.
Question: Is there any impact on the performance if we apply large policy rules. Are the policy rules processed in hardware?
Answer: The bigger firewalls can off-load policy processes onto service cards, while the low end models without slot for additional cards process policy within its CPU. However, Juniper’s SRX series like their other products separates its forwarding plane (PFE) and its control plane (SRE) which means that unless a packets triggers a policy, it will be forwarded without further processing.
Question: What are the upgrade options for the SRX Series branch models (in terms of CPU/memory)?
Answer: The smaller fixed-configuration branch models usually comes in a Base-Memory Model and a High-Memory Model. Both models carries the same amount of memory but the Base-Memory models’ additional memory are locked with options to upgrade via license. the SRX550 and SRX650 do not have any memory or CPU upgrade options.
Question: Does SRX supports hot-swappable modules and if yes which ones?
Answer: Samll fix-configuration platform such as the SRX2xx series have slots for Mini-PIM which are not hot-swappable. They range from 1 to 4 slot. SRX550 and SRX650 have slots for GPIM which are hot-swappable.
Question: In failover/HA configuration does the system supports non-stop upgrades of software and hardware (upgrade secondary, fail-over, upgrade primary, fail-back).
Answer: ISSU is only available in Enterprise models and not available to Branch models even in HA/Cluster Mode. However, Juniper offers configuration that can minimize your down-time for Branch model upgrades.
Question: Does the system supports hardware accelerated VPN and/or IDS/IPS modules; if so does this impact the performance of the device?
Answer: IDS/IPS are available to only High-Memory models of the lower-end Branch models. In addition, IDP Signature Update is a subscription based services. Juniper provides performance metrics for each feature. For indepth information, click here.
Quick Comparison Chart of Juniper SRX Branch Performance
Models | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
Firewall (Large Pkts) | 700 Mbps | 700 Mbps | 850 Mbps | 950 Mbps | 1.8 Gbps | 5.5 Gbps | 7 Gbps |
Firewall IMIX | 200 Mbps | 200 Mbps | 250 Mbps | 300 Mbps | 600 Mbps | 1.7 Gbps | 2.5 Gbps |
Firewall + routing PPS (64Byte) | 70 Kpps | 70 Kpps | 95 Kpps | 125 Kpps | 200 Kpps | 700 Kpps | 850 Kpps |
Firewall HTTP | 100 Mbps | 100 Mbps | 290 Mbps | 350 Mbps | 830 Mbps | 1.5 Gbps | 2 Gbps |
IPsec VPN Throughput (Large Pkts) | 65 Mbps | 65 Mbps | 85 Mbps | 100 Mbps | 300 Mbps | 1.0 Gbps | 1.5 Gbps |
IPS | 60 Mbps | 60 Mbps | 85 Mbps | 100 Mbps | 230 Mbps | 800 Mbps | 1 Gbps |