SRX Quick Start June 2013

(1)

SRX QUICK START TRAINING

George Kaminski

(2)

Chapter 1: Course Introduction

(3)

INTRODUCTIONS

Before we get started…

 What is your name?

 Where do you work?

 What is your primary role in your

organization?

 What kind of network experience

do you have?

 What is the most important thing for

(4)

COURSE CONTENTS

PREREQUISITES

The prerequisites for this course are the following:

 Basic networking knowledge

 Understanding of the OSI model and TCP/IP

 Basic familiarity with the use and deployment of Firewalls, IPSec

(6)

COURSE ADMINISTRATION

The basics:

 Sign-in sheet  Schedule  Class times  Breaks  Lunch

 Break and restroom facilities

 Fire and safety procedures

 Communications

 Telephones and wireless devices

(7)

EDUCATION MATERIALS

Available materials for classroom-based

and instructor-led online classes:

 Lecture material

 Lab guide

 Lab equipment

Self-paced online courses also available

(8)

ADDITIONAL RESOURCES

For those who want more:

 Juniper Networks Technical Assistance Center (JTAC)

 http://www.juniper.net/support/requesting-support.html

 Juniper Networks books

 http://www.juniper.net/training/jnbooks/

 Hardware and software technical

documentation

 Online: http://www.juniper.net/techpubs/

 Image files for offline viewing:

http://www.juniper.net/techpubs/resources/cdrom.html

 Certification resources

(9)

SATISFACTION FEEDBACK

To receive your certificate, you must complete the survey

 Either you will receive a survey to complete at the end of class, or we

will e-mail it to you within two weeks

 Completed surveys help us serve you better!

Class Feedback

(10)

JUNIPER NETWORKS EDUCATION SERVICES

CURRICULUM

Formats:

 Classroom-based instructor-led technical courses

 Online instructor-led technical courses

 Hardware installation eLearning courses as well as technical

eLearning courses

Courses:

(11)

JUNIPER NETWORKS CERTIFICATION PROGRAM

Why earn a Juniper Networks certification?

 Juniper Networks certification makes you stand out

 Unleash your creativity across the entire network

 Set yourself apart from your peers

 Capitalize on the promise of the New Network

 Develop and deploy the services you need

 Lead the way and increase your value

 Unique benefits for certified individuals

(12)

(13)

CERTIFICATION PREPARATION

Training and study resources:

 Juniper Networks Certification Program website:

www.juniper.net/certification

 Education Services training classes:

www.juniper.net/training

 Juniper Networks documentation and white papers:

www.juniper.net/techpubs

Community:

 J-Net: http://forums.juniper.net/t5/Training-Certification-and/ bd-p/Training_and_Certification  Twitter: @JuniperCertify

(14)

FIND US ONLINE

http://www.juniper.net/jnet

http://www.juniper.net/facebook

http://www.juniper.net/youtube

http://www.juniper.net/twitter

(15)

Chapter 2: Junos OS Overview

(16)

MOVING FROM CISCO IOS TO JUNOS OS

Moving checklist:

 Call realtor  Change address  Change utilities  Gas  Electric  Garbage  Find movers  Pack

No matter the cause of the move, once the move is complete, what a difference the new place makes in your life!

(17)

JUNOS OS:

THE POWER OF ONE OPERATING SYSTEM

Deployed since 1998

 First high-performance network operating system

 14+ years of innovation and development

 Runs routing, switching, and security platforms

 Reduces complexity, achieves operational excellence

 Evolutionary architecture expands to new services and extends to

new platforms for tomorrow

It is time for a new network

 Top 130 global service providers

 96 of the Global Fortune 100

 Hundreds of federal, state, and local government agencies and higher

(18)

THE POWER OF ONE JUNOS

SECURITY ROUTERS J Series M Series T Series SWITCHES MX Series SRX Series  Reduces time/effort to operate network infrastructure  Simplifies management

One OS One Release Train

 Delivers new

functionality stably

 Reduces OPEX

One Architecture  Ensures available &

scalable software for growing needs

 Reduces TCO

EX Series

(19)

JUNOS OS MODULAR ARCHITECTURE

Independent modules

 Protected memory for stability

 No overwrites

 Contain faults and enable

rapid isolation

 Well-defined interfaces for

expansion of functions/ platforms

Kernel

 Controls the modules

 Manages communication

between the modules and to the PFE

Kernel Control P lane

...

Mo d u le n In ter face s M an ag e men t R o u ti n g

(20)

JUNOS OS SEPARATE CONTROL AND FORWARDING

Supports scale for high-performance

Assures performance of each plane

Enhances resiliency

Provides options for

redundancy

Data P lane

Routing

Engine

Packet Forwarding

Engine

Contr ol P lane

(21)

JUNOS OS: THE FOUNDATION OF

HIGH-PERFORMANCE NETWORKS

routing switching security services Data center Headquarters Campus Branch

(22)

Chapter 3: Branch SRX Overview

(23)

BRANCH SRX SOLVES CUSTOMER CHALLENGES

Easy to manage all aspects with Junos, a single OS platform Easy to activate new

security service in UTM when needed to address new concerns

Lower TCO and high performance allows IT to do more with less

All-in-One _PerformanceBest Price/

Next Gen Firewall VPN IPS, AppSecure Anti-Virus Anti-Spam Web filtering Routing / WAN UT M

WLAN, LAN, Switching

Unified Management

(24)

BRANCH SRX SERIES GATEWAYS

Delivering “No-Compromise” Services with Scale & Performance

Small Office Small to Medium Office Large Branch/ Regional Office SRX220 + 2 WAN slots, 8 x GigE, PoE 1 GB DRAM SRX240 SRX650

+ More LAN slots, Dual P/S, + Hot Swap I/O

2 GB DRAM SRX110 SRX100 SRX210 WAN slot, 2 x GigE, PoE, 1 GB DRAM

Hardware Platforms Scale from 1G to 10G

Junos Software across Security, Routing and Switching

Fixed Config 8 x FE1 1 GB DRAM Fixed Config VDSL2 WAN 8 x FE1 1 GB DRAM SRX550 12.1 + 4 WAN slots, 16 x GigE, PoE 2 GB DRAM 2mPIM+6GPIM WAN slots, 10 x GigE,

PoE, Dual P/S 2 GB DRAM

(25)

Multi-services Gateway

BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS

Secure Router NGFW UTM

 Routing and WAN Interfaces  Firewall, VPN, NAT  In-line IPS  High availability  Transparent mode  Ease of use  Best-of-breed Anti-Virus, Anti-Spam, Web filtering  Cloud based AV - Sophos  In-line IPS

 AppSecure  Next generation firewall

(AppSecure)  In-line IPS

 Application visibility,

tracking and enforcement  User-role based policies

(26)

BRANCH SRX SERVICES GATEWAYS

Highly configurable

 Fixed & modular form factors

 WAN, WLAN, and LAN interfaces

Extensive integration

 Routing and switching capabilities

 Unmatched core and UTM security

Exceptional performance

 Magnitude greater performance

 HW Content Security Acceleration

 Control & data plane separation, redundant processing and power

Model Configuration Content SEC H/W Acceleration FW/IPS Performance SRX100/ SRX110 Fixed No 700/60 Mbps

SRX210E 1 mini PIM

slot Optional 850/85 Mbps SRX220 2 mini PIM slots Standard 950/100 Mbps SRX240 4 mini PIM slots Optional 1800/230 Mbps SRX550 2 mini PIM,

6 GPIM slots Standard 5500/800 Mbps SRX650 8 GPIM slots Standard 7000/900 Mbps Highly configurable

Extensive integration

Exceptional performance and availability

• Fixed and modular form factors • Choice of WAN – DSL, T1 / E1, DS3 • Wireless WAN and LAN

• On-board modular switching

 Full suite of JUNOS routing and switching capabilities

 Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS

 Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS

 Control & data plane separation, redundant processing and power

(27)

BRANCH SRX PHYSICAL INTERFACES

MPIMs  T1/E1  Serial  1XGE SFP  ADSL  G.SHDSL  VDSL2  Docsis3.0 Wireless LAN  AX411 dual-radio AP  WLA  WLC2 GPIMs  16XGE  24XGE  4XT1E1  2XT1E1  2x10GE SFP+/Copper  1xDS3  8xSFP  8xSerial Wireless WAN  EVDO/HSPA/WI MAX/LTE

Supported across all Branch SRX platforms Supported on

SRX210/220/240/550

Supported on SRX550/650

(28)

NEW PIMS FOR SRX550 AND SRX650

8 Port Serial GPIM (12.1R2)

• Synchronous speeds of 8 Mbps • Interface types supported

• V.35, X.21, EIA/TIA-449 • EIA/TIA-232, EIA/TIA-530 • EIA/TIA-530A

• Line Coding : NRZ, NRZI • Uses 8 port smart connector

8 Port SFP XPIM (1Q2013)

• Line rate switching between ports • Supported SFPs

• LX, SX, BX

• T or Copper SFPs

• Full set of L2 switching features • Jumbo frame support – 9192B

JAN 2013 MAY 2012

(29)

BRANCH SRX FEATURES MATRIX

Security  Firewall  VPN  IPS  AppSecure  Antivirus

 Enhanced Web filtering  Antispam

Wireless LAN and 3G/4G WAN

 802.11n

 3G/4G WiMax & LTE

Routing & Switching

 RIP, OSPF, BGP, Multicast, IPv6  MPLS; Full BGP table  J Flow, RPM  L2 Switching  POE Options Physical Interfaces

 T1/E1, Serial, DS3/E3  VDSL, ADSL, G.SHDSL  DOCSIS Cable Modem  Ethernet 10/100/1000

(30)

SRX100

Features SRX100

On-board Ethernet 8 x FE Power over Ethernet (802.3af, 802.3at) None

WAN slots None

USB ports 1

Content Security Accelerator—ExpressAV

and Intrusion Detection and Prevention No JUNOS Software version support JUNOS 11.1 Firewall performance (Large Packets) 700 Mbps Firewall performance (IMIX) 200 Mbps Firewall performance

(Firewall + Routing PPS 64byte) 70 Kpps VPN Performance—AES256+SHA-1

3DES+SHA 1 65 Mbps

IPS performance 60 Mbps Connections Per Second (CPS) 2K CPS Maximum Concurrent Sessions

(512MB/1GB RAM) 16 K / 32K Antivirus performance 25Mbps AppSecure Throughput (HTTP) 90Mbps High Availability N/A

Ideal for small sites and managed telecommuters

Full security features  Firewall and VPN

 UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

 UTM requires high memory version

(31)

SRX110 – IDEAL SOLUTION FOR SMALL BRANCH

Features SRX 110

On-board Ethernet 8 x FE

Primary WAN VDSL2 with

ADSL2 Fallback

Backup WAN USB Port for 3G/4G Modem Additional USB ports One (total 2) Content Security Accelerator—ExpressAV

and Intrusion Detection and Prevention No Firewall performance (Large Packets) 700 Mbps Firewall performance (IMIX) 200 Mbps Firewall performance

(Firewall + Routing PPS 64byte) 65 Kpps VPN Performance

(AES256+SHA1 / 3DES+SHA1) 65 Mbps IPS performance 60 Mbps Connections Per Second (CPS) 2K CPS Maximum Concurrent Sessions 16 K / 32K Antivirus performance 25Mbps AppSecure Throughput (HTTP) 90 Mbps High Availability N/A

Additional USB port

Front

Back

Designed for flexibility, investment protection, and lowest total cost of ownership (TCO).

Primary WAN VDSL

Backup 3G WAN

(32)

Ideal for small branches

Full security features

 Firewall and VPN

 UTM: IPS, AppSecure, antivirus,

web-filtering, and anti-spam

 UTM requires high memory

version

SRX210E

Features SRX210E

On-board Ethernet 2 x GE + 6 x FE

Power over Ethernet (802.3af, 802.3at) 4 ports, 50 W total

WAN slots 1 x mini PIM

USB ports (flash) 2

and Intrusion Detection and Prevention Yes JUNOS Software version support JUNOS 11.1

Firewall performance (Large Packets) 850 Mbps

Firewall performance (IMIX) 250 Mbps

Firewall performance

(Firewall + Routing PPS 64byte) 95 Kpps IPSec VPN Throughput 85 Mbps

IPS performance 85 Mbps

Connections Per Second (CPS) 2,200 CPS

Maximum Concurrent Sessions

(512MB/1GB RAM) 32K / 64K Antivirus performance 25 Mbps

AppSecure Throughput (HTTP) 250 Mbps

(33)

SRX220

On-board Ethernet 18x GE

Power over Ethernet (802.3af, 802.3at) 8 ports GE, 120 W

Firewall performance (Large Packets) 950 Gbps

3DES+SHA-1 100 Mbps

IPS Performance 100 Mbps

Connections Per Second (CPS) 3K CPS

(512MB/1GB RAM) 96K

Antivirus performance 34 Mbps

High Availability A/A or A/P

Ideal for small and medium

branches

Full security features

 UTM: IPS, AppSecure,

antivirus, web-filtering, and anti-spam

(34)

SRX240 - NOW WITH 2G MEMORY

On-board Ethernet 16 x GE

and Intrusion Detection and Prevention Yes JUNOS Software version support JUNOS 11.4R5

Firewall performance (Large Packets) 1.8 Gbps

3DES+SHA-1 300 Mbps

Maximum Concurrent Sessions (1GB

RAM/2GB RAM) 128K / 256K Antivirus performance 85 Mbps

New SKUs for SRX240 provide additional memory

 SRX240B2 – 1GB DRAM, 2GB Flash

 SRX240H2 – 2GB DRAM, 2GB

Flash

No changes in price, hardware architecture or security services Improved scalability for services

(35)

SRX550 SERVICES GATEWAY - NEW

Routing Performance 700 Kpps

Firewall Performance

1.7 Gbps (IMIX) 5.5 Gbps (Large

packets) AV & IDP HW Acceleration Yes

IPSec Performance 1 Gbps

“No-Compromise Services” with scale and performance

for the medium to large branch

Advanced Security

 UTM: IPS, antivirus, enhanced web-filtering, anti-spam

 Application visibility, tracking & enforcement

High Density Switching

 10 x GE on board (6 Copper, 4 SFP)

 Modular switching with POE

• Comprehensive Routing

 Wide range of WAN options: 3G/LTE, T1/E1/DS3/E3, xDSL, Nx1GE, 10 GE

 L2/L3 VPN, MPLS, VPLS, IPv6, v4

Business Continuity, Resiliency

 HA cluster (A/A or A/P)

 WAN backup and redundancy

 Control plane, data plane separation

 GPIM Online-Insertion-Removal*

 Optional redundant power supplies (AC and DC)

(36)

SRX550

On-board Ethernet 10 x GE (6 Copper,

4SFP)

WAN slots 2 mPIM, 6 x GPIM

Firewall performance (IMIX) 1.7 Gbps

3DES+SHA-1 1.0 Gbps

Maximum Concurrent Sessions (2 GB RAM) 375 K

AppSecure Throughput (HTTP) 1.5 Gbps

Ideal for enterprise medium to large branch

Ideal office-in-a-box solution for managed services or commercial business

SRX550 offers:

 Comprehensive Routing and Security Services

 High density on-board and modular switch ports, Copper and SFP

 Application Awareness and Control

 Business Continuity and Resiliency

(37)

SRX650

On-board Ethernet 4 x GE

Power over Ethernet (802.3af, 802.3at) 48 ports GE, 250W

or 500 W

WAN slots 8 x GPIM

USB ports (flash) 2 per processor

Firewall performance (IMIX) 2.5 Gbps

3DES+SHA-1 1.5 Gbps

IPS Performance 1 Gbps

(512MB/1GB RAM) 512 K

AppSecure Throughput (HTTP) 1.9 Gbps

High Availability A/A or A/P Hot swap GPIMs, Dual power

Ideal for regional sites and large branches

Full security features

 UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

Modular

 LAN switching

 Services Routing Processors with optional redundancy

 Power supplies with optional redundancy (at FRS)

(38)

(39)

JUNIPER’S WIRELESS WAN SOLUTION – CX111

Best signal

 Get the 3G antenna out of the wiring closet to optimize reception*

More choices

 Choose 3G/LTE USB modem or standalone 3G bridge

 Choose from 90+ modems from every major manufacturer*

Higher reliability

 Tightly coupled system speeds wired to wireless failover

 Redundant radio hardware and provider diversity* Di rect Pl ug -i n USB Modem s upport

Carrier’s 3G/4G LTE Network

* Requires bridge solution

Bri

(40)

3G/4G WIRELESS WAN UPDATE

 ExpressCards form factor obsolete  GSM/HSPA+ Modem supported now  Secure Modem / Modem Cap

1H 2012

 4G LTE modem support Mid 2012  No USB 3G support on

220/240/550/650

Integrated Small Package for 3G: Now with USB modem support

 Worldwide 90+ Modems supported  LTE supported now

 CX111 supports SNMP based mgmt  Junos CLI based management in

11.4R2 Q1 2012

CX111 Bridge

Direct plug-in USB Modem Support for SRX100, 110 and 210E

CX111 3G/4G Bridge for **all** SRX, other platforms

(41)

BRANCH SRX

ADVANCED SECURITY PLATFORM

Block access to unapproved sites Real time threat score for each URL

Enhanced Web Filtering

Antivirus Stops viruses, file-based trojans or spread of

spyware, adware, keyloggers

Antispam IPS

Firewall, VPN, Unified Access Control SRX Series blocks transmission of files for Data Loss Prevention

Content Filtering Internal Threats External Threats INTERNET

IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans

AppSecure with User Role FW

Core Security

Application level visibility and classification Application security policies tied to user roles

(42)

J-WEB WIZARDS

VPN

Configuration Wizards

Initial Device Setup Firewall NAT 1 2 3 4

JavaScript and XML based with all activity executed by browser

Provides a responsive user experience

 Complete Wizard UI is loaded after hitting launch button

 Single commit

Reduces configuration time

(43)

NEW STARTUP WIZARD

New Startup Wizard that

simplifies user configuration

and reduces time to setup

device

 Guided setup (step by step)

 ‘Basic’ & ‘Expert’ Modes

 Security topology (zones), security policy and license configuration

 NAT

 Remote/Dynamic VPN

 Confirm and Apply

(Commit, Import, Export)

Available on all

Branch SRX platforms

(44)

BRANCH SRX CERTIFICATIONS - UPDATE

Branch SRX leading the industry in most stringest certifications for enterprise firewall

Common Criteria CC EAL4

Department of Defense (DoD) certification

 Testing and certification by DoD JITC for interoperability with DoD networks  Addition to Unified Capabilities Approved Product List (UC APL)

 Branch SRX certified as both router and firewall – this is a first for any vendor!

ICSA – Corporate Firewall and IPSec 1.3 USGv6 – Firewall Profile

(45)

Chapter 4: High-End SRX Overview

(46)

High End SRX Platforms

High-Speed Fabric Technology

 Expandable chassis  Linear scalability

 Processing and I/O pools  Industry’s top performance

Carrier-Class Reliability

Separation of control and data planes

Redundant everything Proven operating system

SRX Services Gateways

 DYNAMIC SERVICES ARCHITECTURE™ (DSA)

 Scales performance, capacity and service density  World’s fastest firewall and IPS

 The power of one OS, one release train

(47)

NS-5400

ISG2000

3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess,

175kcps

5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess,

175kcps 8U, 6 slot, 2RE*, 1+1 SCB,

2+2 PS, 60/15/15G, 9M sess, 350kcps

16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G,

10M sess, 350kcps

3U, 3 CFM, 12GE or 3XGE+9GE , 1+1 PS, 10/2/2G, .5M sess [at FRS], 45kcps NS-5200 ISG1000 SRX3600 SRX5800 SRX5600 SRX3400 SRX1400

Note *: Redundant REs not currently supported

SRX / HE DATA CENTER SERVICES PLATFORMS

Next-Gen Security Systems

Scalable Performance

Rich Standard Services

•Firewall •VPN •IPS •Full Routing •QoS •Application Security

•Role Based Firewall

• Extensible Security Services

(48)

HIGH-END SRX COMPONENTS

I/O Cards (IOC)

 Provide Ethernet interfaces that connect the services gateway to

your network

Network Processing Unit (NPC)

 Network Processing Cards (NPCs) receive inbound traffic from I/O

cards (IOCs) and direct it to the appropriate Services Processing Card (SPC) for processing

 In simple terms, think of it as a session load balancer

Services Processing Card (SPC)

 Provide the processing capacity to run integrated services such as

(49)

HIGH-END COMPONENTS CONTINUED

Routing Engine (RE)

 Runs the Junos operating system (Junos OS)

 Including software processes that maintain the routing tables, manage the routing protocols used on the services gateway, control the services gateway interfaces, control some chassis components, and provide the interface for system management and user access to the services

gateway

Switch Fabric Board (SFB)

 Powers on and powers off IOCs and SPCs

 Controls clocking, system resets, and booting

 Monitors and controls system functions, including fan speed, board

power status, and the system front panel

 Provides interconnections to all the IOCs within the chassis

through the switch fabrics integrated into the SCB

(50)

HIGH-END COMPONENTS CONTINUED

Network Processing I/O Cards (NP-IOCs)

 Special IOCs designed specifically for low-latency applications

 Each NP-IOC has its own network processing unit (NPU), so that

traffic traversing the NP-IOC does not have to traverse the services gateway bus to a remote network processing card (NPC)

(51)

51 Copyright © 2013 Juniper Networks, Inc. www.juniper.net  Flow Lookup Classification DoS/DDoS Policing  Ingress Packet  Egress Packet  Services FW/VPN/IDP NAT/Routing  QoS/Shaping Fabr ic Fabric Integrated in SRX5000 IOC Oversubscription Control 1.5

DYNAMIC SERVICES ARCHITECTURE

SRX SERIES FULLY INTEGRATED PACKET FLOW

I/O Card Network Processing Card Services Processing Cards

(52)

HIGH-END SRX SCALING AND PLANNING

The number of NPC and SPC resources dictates the High-End

SRX throughput and performance, i.e. number of IPSec tunnels,

IDP performance, number of FW sessions, etc.

 Generally speaking it is the SPC’s that make the real difference in

terms of performance

Juniper Networks Systems Engineers and Partner SE’s can

assist with sizing guidelines for a given desired performance

profile and application

(53)

 3 RU

 Modular chassis

– 3 expansion slots

Compact form factor modules shared with SRX3000

– Junos Software

 Massive scale

– Up to 45,000 new, sustained connections per second (CPS)

– Up to .5 million sessions [at FRS]

 High performance

– Up to 10 Gbps firewall

– Up to 2 Gbps IPS

– Up to 2 Gbps IPSec VPN

 High availability

– Redundant power and fans

– Chassis Clustering (Q2 2011)

– Modular Junos Software

– Shared HA-control ports

– High availability

 SRX3000 technology

– Common sparing possible

SRX1400

Management Module (RE) Expansion Slot (IOC) 12 on-board ports: 1400GE: 6+4+2 GE 1400XGE: 3 XGE plus 6+1+2 GE

Power supply FRU Redundant power supply (optional) Fan tray (rear) Expansion Slots (NSPC or SPC+NPC) Slot guide

(54)

SRX 3400

 3 RU

 Modular chassis

– 7 expansion slots (4 front and 3 rear)

– Compact form factor modules for I/O and service processing

– Dual, hot swappable management modules

– Junos Software

 Massive scale

– Up to 175,000 new, sustained connections per second (CPS)

– Up to 2.25 million sessions  High performance – Up to 20 Gbps firewall – Up to 6 Gbps IPS – Up to 6 Gbps IPSec VPN  High availability

– Redundant power and fans

– Redundant management

SRX3400 Front View SRX3400 Rear View Routing Engine Expansion Slot (IOC/SPC) Power supply FRU 12 on-board GbE ports USB Expansion Slot (SPC/NPC) Redundant power supply (optional) 16 x 10/100/1000 I/O card Fan tray 16 x GbE SFP I/O card Expansion Slot (SPC/NPC) Redundant Routing Engine (future) or SCM 2 x 10 GigE I/O card Front slot guide Rear slot guide Fan tray door Switch Fabric Board (SFB)

(55)

 5 RU

 Modular chassis

– 12 expansion slots (6 front and 6 rear)

– Compact form factor modules for I/O and service processing

– Dual, hot swappable management modules

– Junos Software

 Massive scale

– Up to 175,000 new, sustained connections per second (CPS) – Up to 2.25 million sessions  High performance – Up to 30 Gbps firewall – Up to 10 Gbps IPS – Up to 10 Gbps IPSec VPN  High availability

– Redundant power and fans – Redundant management – Modular Junos Software

Routing Engine Expansion slot (IOC/SPC) Power supplies FRU 12 on-board GigE ports USB Redundant Routing Engine (future) or SCM Redundant power supplies (optional) 16 x 10/100/1000 I/O card Fan tray 16 x GbE SFP I/O card Expansion slot (SPC) SRX3600 Front View SRX3600 Rear View 2 x 10 GigE I/O card Switch Fabric Board (SFB) Fan tray door Expansion slot (SPC/NPC) Front slot guide Rear slot guide

SRX3600:

(56)

IOC 2x10GE Switch Fabric Board (SFB) Routing Engine (RE) Fan tray door Air Intake Services Processing Card (SPC) IOC 16xCopper IOC 16xSFP Front Slot guide Rear Slot guide Services Processing Cards (SPC) Network Processing Cards (NPC) [or SPCs] Dual-height SFB option cover (SRX3600 only / future)

3600 COMPONENT REVIEW

(57)

SRX3000 CARDS

Switch Fabric Board (SFB)

 High speed switch fabric (320Gbps)

 Includes virtual IOC (8x10/100/1000 + 4xSFP), HA-control (2xSFP: SX, LX, LH, T) and system interface (CRAFT)

Network Processing Card (NPC)

 Single Network Processor (NP) subsystem - 10Gig throughput Services Processing Card (SPC)

 Single HD-CPU subsystem (SPU) / 10Gig throughput Routing Engine (RE)

 1.2Ghz processor /w 1GB memory

 Complete separation of control / data planes

 Includes CPP (central PFE controller) and CB (control board) Clustering Module (SCM)

 Independent control-plane GigE switch to enable second HA-control link  Requires Junos 10.2

I/O Cards (IOC)  3 versions:

 2-port 10GE-XFP (SR, LR, ER)

 16-port GE-SFP (SX, LX, LH, T [10/100/1000])

 16-port 10/100/1000 Copper

 10Gig full-duplex throughput (oversubscribed)

(58)

SRX5600: PRODUCT OVERVIEW

 8 RU

 Modular chassis

– Horizontal design – 6 expansion slots

– Modules for flexible I/O and service processing

– Junos software

 Massive scale

– Up to 350,000 new & sustained connections per second (CPS) – Up to 9 million sessions  High performance – Up to 60 Gbps firewall – Up to 15 Gbps IPS – Up to 15 Gbps IPSec VPN  High availability – Redundant management modules

– Redundant switching fabrics – Redundant fans & power

supplies

Expansion slot (fits any module) Control Panel

Upper fan tray

Services Processing Card Switch Control Boards (SCBs) 40 x GbE IOC Management Module Power supplies FRU SRX5600 Front View SRX5600 Rear View

(59)

SRX5800: PRODUCT OVERVIEW

Control Panel

Air intake Lower fan tray

Upper fan tray Services Processing Card 4 x 10GbE I/O Card 40 x GbE I/O Card  16 RU  Modular chassis – Vertical design – 12 expansion slots

– Modules for flexible I/O and service processing

– Junos software

 Massive Scale

– Up to 350,000 new & sustained connections per second (CPS) – Up to 10 million sessions  High performance – Up to 120 Gbps firewall – Up to 30 Gbps IPS – Up to 30 Gbps IPSec VPN  High availability – Redundant management modules

– Redundant switching fabrics – Redundant fans & power

supplies

Management module Switch Control Boards (SCBs)

Expansion slots (fits any module)

SRX5800 Front View

SRX5800 Rear View

Power supplies FRU

(60)

SRX QUICK START TRAINING

(61)

SRX SERIES—FIREWALL, ZONES, AND

POLICIES

ZONE “UNTRUST” Originating Zone SRX ZONE “TRUST2” ZONE “TRUST”

Default Policy—Deny All Default Policy—Allow All

INTERNET

(62)

NEXTGEN DATA PLANE (FLOW THREAD)

Per Packet Filter Per Packet Policer Per Packet Shaper Per Packet Filter

JUNOS Flow Module

Forwarding Lookup

Dest

NAT Route Zones Policy

Reverse Static NAT Services ALG Session Screens Static NAT Source NAT Match Session? NO YES

Screens TCP NAT Services ALG YES

1) Pull Packet from Queue 2) Police Packet

3) Filter Packet 4) Session Lookup

5a) No Existing Session • FW Screen Check

• Static & Destination NAT • Route Lookup

• Destination Zone Lookup • Policy Lookup

• Reverse Static & Source NAT • Setup ALG Vector

• Install Session 5b) Established Session • FW Screen Check • TCP Checks • NAT Translation • ALG Processing 6) Filter Packet 7) Shape Packet 8) Transmit Packet

(63)

FIREWALL FILTERS

Stateless Filters

Applied to interfaces, can mitigate known

un-wanted traffic before policy lookup

Common to MX, EE, SRX Junos

edit firewall filter SRX_Protection

juniper@SRX5800# set term in-ssh from source-address 10.1.20.1/24 juniper@SRX5800# set term in-ssh from protocol tcp

juniper@SRX5800# set term in-ssh from destination-port ssh juniper@SRX5800# set term in-ssh then accept

Retail _Branch

Regional

Small Office

INTERNET

(64)

APPLICATION LAYER GATEWAYS (ALG)

Advanced inspection of dynamic

applications

Can detect negotiated ports and perform

statefull inspection on dynamic

applications (FTP, SIP, SCCP,

H323,MGCP etc)

Automatically utilized when application is

referenced within the security policy

Retail _Branch Regional Small Office FTP TCP 21 PASV PORT FTP TCP 14599

(65)

SCREENS

Screens are used to mitigate

known malicious activities

such as DOS, DDOS,

Reconnaissance

Applied on Zone basis, default

screen can be applied to

“untrust” interface

Uses thresholds and

parameters to determine

traffic flows into zone

Can Drop Traffic or act as a

Proxy for TCP Connections

Retail _Branch Regional Small Office INTERNET TCP SYN TCP SYN TCP SYN ICMP Sweep

(66)

SCREENS

Regional

INTERNET

TCP SYN TCP SYN

TCP SYN ICMP Sweep juniper@SRX5800# show security screen ids-option untrusted-internet

icmp { ip-sweep threshold 1000000; fragment; large; } ip bad-option; record-route-option; timestamp-option; security-option; stream-option; spoofing; source-route-option; Loose-source-route-option; strict-source-route-option; unknown-protocol; } tcp { syn-fin; fin-no-ack; tcp-no-flag; syn-frag; port-scan threshold 1000000;

(67)

FROM THE OVERALL ARCHITECTURE PERSPECTIVE -

BEST PRACTICES STEPS

Step1 - Establish a baseline

Step 2- Build the First Line of Defense

 Police traffic close to source or at ingress into aggregation network elements, e.g. ingress into a FW

Step 3 – Build the Second Line of

Defense

 SCREENs

 IDP

 Application-level IDP

 Application Firewall

Step 4 – Build the Third Line of

Defense

 Traffic shape at the egress of a FW

Assures legitimate traffic is not impacted

Throttles all the traffic, minimizing the impact of attacks on intermediate

network elements

Eliminates all the recognized “bad” traffic

Throttles the remainder of the traffic, which includes legitimate and non-recognized “bad” traffic

(68)

CONTRASTING SCREENS AND IDP

SCREENs

 Protect from the outer layer perspective

 Are executed prior to any route look up or security policy look up

IDP

 Provides deeper packet examination

 Detects protocol anomaly

 Evoked after route and/or security policy look up

(69)

PROTECTING FROM A FIREWALL PERSPECTIVE

SCREENs Ingress Policers

& Firewall filters

L3/L4/L5 IDP Traffic Exiting SRX FW SRX FW Traffic Entering SRX FW Steps 2, 3, & 4 L4-7 IPS Statefull FW Egress Traffic Shaping

(70)

ROUTING & SWITCHING

SRX can act as a full router, supporting IPV4, IPV6, L2/L3 MPLS

Supports IPV4 RIP, OSPF, IS-IS & BGP

Layer 2 switching supported on Branch SRX, not supported on HE SRX Onboard Ethernet ports on the SRX100, SRX210, and SRX240 devices

Multiport Gigabit Ethernet XPIM on the SRX650 device

Support of Virtual Routers and Logical Tunnel Interfaces Supports full Junos COS – 8 Queues per port

Can also run in Transparent FW mode, supporting Layer2 bridged FW security

(71)

SRX PACKET FLOW

Branch SRX has 2 modes of Operation

Packet Mode: Can be run in packet mode to operate like a

traditional router, mode used to support MPLS,

VPLS

Flow Mode: Flow mode ensure Fast-Path Lookup, default

action of Branch SRX devices.

Mixed Mode: Brach SRX can also act in Mixed Mode

supporting both Flow and Branch based

connections

(72)

SRX HIGH AVAILABILITY

Features

 Stateful fail-over

 Active/Backup Control Plane

 Active/Active Data Plane

 Single System View

Benefits

 Maintains connection persistence & improves

system resiliency for services

 Load sharing across systems

 Optimized for complex routing environments

(73)

TWO CHASSIS CONNECTED TOGETHER

Control Plane (fxp1) Connection SPC-to-SPC

Data Plane (fab1) Connection

IOC to IOC Control Plane (fxp1)

Fe-0/0/7

Data Plane (fab1) IOC to IOC

(74)

INTERFACE NUMBERING

Interfaces are numbered “Hobson” style

Node0 (0-11) Node1 (12-23) ge-1/0/0 ge-13/0/0 slot 0 RE 0 slot 12 slot 23 RE 1

(75)

CHASSIS CLUSTER INTERFACES

Fxp1 - Control Plane interface

- Dedicated Interface dependant on Model - Dual Control Plane support on HE

- Synchronizes Configuration & Keepalives Fab0/1 - Data fabric interface

- Can be 1G or 10G dependant on Model

- Synchronizes Session information over RTO’s - Can be used for forward “Z” path traffic

Redundancy Group (RG)

Logical Grouping of Interfaces. SRX with Highest Metric (255) is master for each RG. Failure of interfaces decrements total

RETH

redundant Ethernet, virtual IP and MAC for associated VLAN, member of redundancy group

(76)

CHASSIS CLUSTER DEPLOYMENTS

ACTIVE/PASSIVE

Active Control Plane

Active Redundancy Group 1 Active Redundancy Group 2

(77)

CHASSIS CLUSTER DEPLOYMENTS

ACTIVE/ACTIVE

Active Control Plane

Active Redundancy Group 1 Active Redundancy Group 2

(78)

APPLICATION VISIBILITY AND CONTROL IS EASY WITH

APPSECURE

Application Awareness and Classification Engine

Application View Application Enforcement by User Role Threat Mitigation IPS What application? What user? User location? User device?

(79)

Allows different users to have different application policies based on their role and group

….NOW WITH USER ROLE FIREWALL

Marketing Sales CEO  No apps blocked  Anti-virus applied  P2P apps blocked  Youtube allowed  Anti-virus applied  P2P, Youtube blocked  Anti-virus applied Branch SRX  WF profile A  WF profile B  WF profile C 12.1 MAG/UAC

(80)

Windows ADs

USER-ROLE FIREWALL FOR ACTIVE DIRECTORY

Client

SRX Series Junos Pulse MAG/IC Series

Corporate Data Center

Apps Data Finance Video Internet 1 2 3 4 5 2 3 4 5

1 Doman user logins into domain

from domain member device

Unauthenticated Client tries to access resource through SRX, and dropped

SRX redirects client to IC for authentication process using Kerberos

Upon successful authentication and identification of user, IC gets AD group membership using LDAP and maps to Roles and sends info to SRX

Client device passes traffic through SRX per corresponding policy enforcement controls based on User/Role

(81)

COMPREHENSIVE USER POLICY ENFORCEMENT

 Host checker

 Coordinated Threat Control  SSL tunneling

 End-to-End Security Policy enforcement by user role and group

 Windows XP, Windows Vista and Windows 7

 MacOS support  Linux/Solaris support  Thin clients can be

supported using the local web portal

 Broad range of Smartphone OS – iOS, Android, others  Agent-based deployment

can provide advanced functionalities

 Agentless access can be used for unintrusive, transparent user experience

 Local web portal can be used for guest access or as a fallback mechanism

Flexibility

_{Rich OS Support}

Advanced Services

Standard Server Hardware

(82)

Monitor & Track Applications AppTrack

APPLICATION VISIBILITY FOR INFORMED RISK

ANALYSIS

View application by protocol, Web

application, and utilization

Analyze usage and trends

Log and report across security solutions and systems

Customize application monitoring

Web 2.0 application visibility

Application usage monitoring

Scalable, flexible logging & reporting

(83)

Control & Enforce Web 2.0 Apps AppFW

APPSECURE: BEYOND JUST FIREWALL OR

APPLICATION CONTROL

Inspect ports and protocols

Control nested apps, chat, file

sharing and other Web 2.0 activities

Dynamic application security

Web 2.0 policy enforcement

Threat detection & prevention

HTTP Uncover tunneled apps

(84)

Monitor & Mitigate Custom Attacks IPS

IPS FOR CUSTOMIZABLE PROTECTION

Detect and monitor suspicious

behavior

Address vulnerabilities instead of

ever-changing exploits of the vulnerability

On-going threat protection

Mobile traffic monitoring

Custom attack mitigation

Tune open signatures to detect and

mitigate tailored attacks

Uncover attacks exploiting encrypted

methods Exploits VULNERABILITY AppSecure IPS Other IPS’s

(85)

ENHANCED WEB FILTERING

SRX

Internal network

“In the Cloud”

Categorization Server

 Continuous updates  Large number of URLs  Category granularity  Real time threat score

 Productivity  Performance  Security

(86)

CUSTOMER CHOICE FOR ANTIVIRUS

On-box option: Kaspersky Cloud-based option:

Sophos

Juniper is the only vendor offering customers a choice between two market proven antivirus solutions.

(87)

CLOUD BASED AV SERVICE: SOPHOS LIVE

PROTECTION ANTI-MALWARE FOR JUNIPER SRX

 Cloud-based intelligence

delivers high performance malware protection

 Effective, instant protection

against malware and infected web sites

 Target customers that want

the performance and ease of a cloud-based antivirus solution

(88)

ANTI-SPAM

DMZ

Web Proxy Email Server

TRUST

SRX receives email destined for email server in DMZ or TRUST zone and looks up local white/black list to check local entries. Finds no entry and sends address of remote email server or source to in-the-cloud anti-spam service

1

Host

Remote Email Server SRX tags email as

***SPAM*** or is allowed through. Email server can then use tag to make supplementary decisions

3

2 Service checks host address against constantly updated list and returns a block, permit or log-and permit message to the SRX Internet

(89)

SRX210

REMOTE ACCESS VPN

Dynamic VPN Service – Access Manager Client

 Clientless – dynamic IPSEC client

automatically downloaded

 Simultaneous tunnel enforcement

 Automatic client upgrade capabilities

 Self-provisioning

 IPSec with TCP-based fallback for NAT traversal

 Windows platform support—XP,

Vista, Win 2000, and Windows 7, Windows 10 Wired Wireless 3G/4G Wireless INTERNET

(90)

WLM – Management and Access Tools

RingMaster WLM - Appliance SmartPass

JUNIPER WIRELESS - COMPLETE WLAN SOLUTION

WLA/WLC PRODUCTS SUITE

WLC – Controllers Simple - Secure - Mobile

WLA – Access Points

Plan Config Monitor Trouble shoot Report

(91)

APPSECURE SOFTWARE SERVICE SUITE

Understand security risks

Address new user behaviors

Application Intelligence and Security In Branch

 Subscription service includes all modules and updates  Juniper Security Lab provides 900+ application signatures

AppTrack AppQoS AppDoS IPS

Block access to risky apps Allows user tailored policies Prioritize important apps

Rate limit less important apps

Protect apps from bot attacks

Allow legitimate user traffic

Remediate security threats

Stay current with daily signatures

2H 2013

(92)

APPLICATION SECURITY AVAILABILITY

High End SRX Branch SRX



2H2013



AppTrack AppFW AppQoS AppDoS



IPS



(93)

LOGICAL SYSTEMS (LSYS)

HIGH-END SRX ONLY

Virtualization of many aspects of Junos, especially security

policies and enforcement options within a single HE SRX

“Complete” separation of a single device into unique virtual

instances, including:

 Administrative separation – users in one LSYS have no visibility

into or knowledge of any other LSYS instances that may be running on the box

 Traffic Separation – network traffic for a given LSYS cannot cross

into another LSYS unless security and routing policies are configured to allow it

 Resource separation – resources such as sessions, policies,

zones, and virtual routers can be budgeted between the various LSYS instances

An evolution of ScreenOS’s VSYS concept

(94)

SERVICES OFFLOAD: A.K.A. LOW LATENCY FIREWALL

HIGH-END SRX ONLY

Allows both latency-sensitive and normal traffic to be mixed on the same platform

When configured with ‘services offload’, SPC will push policy to NPC, and further processing is handled directly by NPC

Available as of Junos 11.4

Supports FW, NAT, NPU screens, and QoS No support for services that require an SPC

 Fragmented packets  IPS  Inter-LSYS traffic

SPC SPC SPC SPC PHY NPC NP PHY NPC NP PHY NPC NP PHY NPC

(95)

JUNOS SPACE

APPLICATIONS

Juniper Applications 3rd_{Party Applications}

Network Activate, ● Transport Activate ● QoS Design ● Ethernet

Design ● Security Design ● Virtual Control ● Service Now

OSS ● BSS ● Green/Energy ● End-user Forensics Adapters (MTOSI, OneAPI) ● … others

Device Management Interface (DMI) RESTful Web Service API

JUNOS SPACE PLATFORM

Network Widgets Infrastructure Widgets

Open Network Application Platform

Network Application

Platform

 Open, extensible, standards-based (SOA)

 Abstractions for generic service definitions

 Purpose-built for network orchestration and automation  Carrier-grade scale

 Transparent communication with all Junos devices (any device, any OS version) – total management of Juniper infrastructure

 Easy integration with OSS via NBI/SDK

(96)

SECURITY THREAT RESPONSE MANAGER (STRM)

STRM supports SRX Series

 Intrusion Prevention System (IPS) and AppSecure

 220+ out-of-the box report templates

 Fully customizable reporting engine:

creating, branding and scheduling delivery of reports

 Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA

 Reports based on control frameworks: NIST, ISO and CoBIT

(97)

JUNOS SCRIPTS

Configuration Automation - Instructs Junos during the

commit process

Options to provide warnings, post log messages, automatically fail the commit, or change the

configuration

Operations Automation - Instructs Junos as prompted by the

command-line and other scripts:

Create custom operational commands for specific user and environment needs

Event Automation - Instructs Junos of actions to take in

response to events:

Gather relevant troubleshooting information and correlate events from the first leading indicators

(98)

(99)

Chapter 6: Junos OS Command Line Interface (CLI) Introduction

(100)

MULTIPLE WAYS TO MANAGE!

JUNOS CLI  Telnet, SSH  Commit model  JUNOScript: Automated Configuration, Operations J-Web

 Quick Setup with Templates  Dashboard View

 Performance Monitoring

Security Director

 Manage multiple devices  Global, group and device

(101)

CONFIGURATION HISTORY

Active configuration stored in /config/juniper.conf.gz Rollback files stored in

/config/juniper.conf.n.gz (n=1–3) /var/db/config/juniper.conf.n.gz (n=4–49) commit rollback n Candidate Configuration Active Configuration

1

2 ...

0

49

configure

(102)

JUNOS OS CONFIGURATION PROCESS

Separation of configuration edit and activation

 Validation checks

 Version control

 Automated rollback

Convenient deployment of standard configurations and policy

language across the network

Load commit confirmed candidate configuration commit validations commit commit scripts validated

(103)

JUNOS OS CONFIGURATION PROCESS (CONT’D)

Basic steps in the configuration process

1. Enter changes in the candidate

2. Commit the candidate

3. Candidate becomes active

Load commit confirmed 1 2 3 candidate configuration active configuration ro llb ack commit validations commit commit scripts validated configuration 1 49

(104)

THE RESCUE CONFIGURATION

A rescue configuration is designed to restore basic connectivity in the event of configuration problems

 Contents are user defined

 Include a root password!

 By default, there is no rescue configuration

 Can be saved using J-Web or the CLI

 Once saved, the rescue configuration can be activated with the CLI or a momentary push of the recessed CONFIG button

(105)

CLI MODES AND FEATURE OVERVIEW

CLI operational mode:

 Editing command lines

 Command completion and history

 Context-sensitive and documentation-based help

 UNIX-style pipes

CLI configuration mode:

 Object-oriented hierarchy

 Jumping between levels

 Candidate configuration with sanity checking

 Automatic rollback capability

 Showing portions of configuration while configuring

 Saving, loading, and deleting configuration files

(106)

CLI MODES

Operational mode:

 Monitor and troubleshoot the software, network connectivity, and

router hardware

Configuration mode:

 Configure the router, including interfaces, general routing

information, routing protocols, user access, and system hardware properties

user@host>

user@host

#

[edit]

The > character identifies operational mode

The # character identifies configuration mode

(107)

host (ttyd0) login: root Password:

--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC root@host% cli

root@host>



When logging in:

–

Nonroot users are placed into the CLI automatically

host (ttyd0) login: user Password:

--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC user@host>

–

The root user must start the CLI from the shell

 Do not forget to exit root shell after logging out of the CLI!

Shell Prompt

CLI Prompt

(108)

CLI OPERATIONAL MODE



Execute commands (mainly) from the default CLI

level (user@host>)

–

Can execute from configuration mode with the

run

command

–

Hierarchy of commands

–

Example:

show ospf neighbor

Less Specific

More Specific

database interface route statistics chassis configuration

configure file help monitor etc.

neighbor bgp

clear set show

ospf rip route version etc.

(109)



EMACS-style editing sequences are supported

 The default VT100 terminal type also supports cursor positioning with the arrow keys

EDITING COMMAND LINES

user@host> show interfaces

• Ctrl+b

• Ctrl+a

• Ctrl+f

• Ctrl+e

Cursor position Keyboard

SRX Quick Start June 2013

SRX QUICK START TRAINING

INTRODUCTIONS

Before we get started…

COURSE CONTENTS

Contents:

PREREQUISITES

The prerequisites for this course are the following:

COURSE ADMINISTRATION

The basics:

EDUCATION MATERIALS

Available materials for classroom-based

and instructor-led online classes:

Self-paced online courses also available

ADDITIONAL RESOURCES

For those who want more:

SATISFACTION FEEDBACK

To receive your certificate, you must complete the survey

JUNIPER NETWORKS EDUCATION SERVICES

CURRICULUM

Formats:

Courses:

JUNIPER NETWORKS CERTIFICATION PROGRAM

Why earn a Juniper Networks certification?

CERTIFICATION PREPARATION

Training and study resources:

Community:

FIND US ONLINE

http://www.juniper.net/jnet

http://www.juniper.net/facebook

http://www.juniper.net/youtube

http://www.juniper.net/twitter

MOVING FROM CISCO IOS TO JUNOS OS

Moving checklist:

JUNOS OS:

THE POWER OF ONE OPERATING SYSTEM

Deployed since 1998

It is time for a new network

THE POWER OF ONE JUNOS

JUNOS OS MODULAR ARCHITECTURE

Independent modules

Kernel

...

JUNOS OS SEPARATE CONTROL AND FORWARDING

Supports scale for high-performance

Assures performance of each plane

Enhances resiliency

Provides options for

redundancy

Routing

Engine

Packet Forwarding

Engine

JUNOS OS: THE FOUNDATION OF

HIGH-PERFORMANCE NETWORKS

BRANCH SRX SOLVES CUSTOMER CHALLENGES

BRANCH SRX SERIES GATEWAYS

BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS

BRANCH SRX SERVICES GATEWAYS

Highly configurable

Extensive integration

Exceptional performance

BRANCH SRX PHYSICAL INTERFACES

NEW PIMS FOR SRX550 AND SRX650

BRANCH SRX FEATURES MATRIX

SRX100

SRX110 – IDEAL SOLUTION FOR SMALL BRANCH

Ideal for small branches

Full security features

SRX210E

SRX220

Ideal for small and medium

branches

Full security features

SRX240 - NOW WITH 2G MEMORY

SRX550 SERVICES GATEWAY - NEW

“No-Compromise Services” with scale and performance

for the medium to large branch

SRX550

SRX650