Setting Up Multiple VLANs in the Juniper SRX

By default, the Juniper SRX100 and SRX210 set up fe-0/0/0 as your Internet connection interface and the rest of the interfaces (fe-0/0/1 – fe-0/0/7 on the SRX100) as switching ports on a single vLAN.  It is not uncommon for a network to require more than one vLAN for either political or technical reasons.  For my home, in which I am using an SRX100, my reason is that I want my family computers on one vLAN and my Dell T310 server with all my test virtual machines on other vLANs.  This way, issues such as my test Small Business Server 2003 machine, with its own DHCP server, will not interfere with the other computers which belong to my family (my wife has a mini-laptop, and we also have an Xbox).  Furthermore, I could go further by setting up a Windows Server 2012 Essentials machine with its own DHCP server as well, and it would interfere with neither the SBS 2003 virtual machine nor the family machines.  As long as everyone is on their own vLAN, all should be well.

First, type in edit interfaces vlan in the SRX to get to the vLAN interface.  Remember that each physical interface can have many logical interfaces.  Obviously, the vlan interface is not a physical interface (it doesn’t represent a physical interface on the front of the machine), yet the same rule applies nonetheless.  Type the following to create three more logical units, one per new vLAN, on this interface:

set unit 1 family inet address 192.168.5.1/24

set unit 2 family inet address 192.168.10.1/24

set unit 3 family inet address 192.168.15.1/24

When you type show you should see the following for the current config of your vlan interface (note that unit 0 is the default that was already there):

image

Now, we need to go to the actual vlan settings of the SRX.  Type top to get out of interfaces and back to the top of the configuration tree, then type edit vlans.  Type the following three set commands to create new vlans, each tied to one of the logical units we just created on the vlan interface:

set vlan-trust2 vlan-id 4 l3-interface vlan.1

set vlan-trust3 vlan-id 5 l3-interface vlan.2

set vlan-trust4 vlan-id 6 l3-interface vlan.3

If you type show your configuration for vlans should now look like this:

image

Now we must set three interfaces to our new vlans – one to each vlan.  Type top to go to the top of the configuration tree and then type edit interfaces to get back in to the interface list.  For my configuration, I’m going to assign fe-0/0/7 to my fourth vlan, fe-0/0/6 to my third vlan, and fe-0/0/5 to my second vlan.  Type the following:

delete fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust4

delete fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust3

delete fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust2

Our last step is to configure DHCP for one of the vlans.  I need DHCP for only one of the vlans, as the other two will have a server such as Windows Server 2012 Essentials as the DHCP server.  Type top to make sure you are at the top of the configuration tree.  Then type edit system services dhcp.

Type the following commands to create a new DHCP scope and assign it to the last vlan:

delete router

set pool 192.168.1.0/24 router 192.168.1.1

set pool 192.168.15.0/24 address-range low 192.168.15.10 high 192.168.15.254

set pool 192.168.15.0/24 router 192.168.15.1

set pool 192.168.15.0/24 propagate-settings fe-0/0/0

Notice we had to delete the original router entry since it was outside the scope of any given pool and, therefore, would have propagated that router setting out to all DHCP scopes.  If you received an error typing that delete command, don’t worry; just type show to see where the router entry is.  If it is already in the first pool, then skip that command and finish setting up the second pool.  After typing show, your DHCP configuration should look like this:

image

Once you are done with that, do a commit confirmed 5, which will commit your settings but give you 5 minutes to type commit again before rolling you back.  This way, if a mistake is made, you will get back to your last known good configuration and can try again.  While waiting your 5 minutes, be sure to connect a computer to the other interfaces on the device to see if they get connectivity.  For those interfaces without DHCP, you’ll need to statically assign an IP address.  Once you verify all is well, type commit again to make the changes permanent before you are rolled back.

We now have three new vLANs on our SRX, four in total: one vLAN with interfaces fe-0/0/1 through fe-0/0/4 with DHCP, one at fe-0/0/5 without DHCP, one at fe-0/0/6 without DHCP, and one at fe-0/0/7 with DHCP.  The table below summarizes.

vLAN   Interface   IP Address        DHCP
0      fe-0/0/1    192.168.1.0/24    Yes
       fe-0/0/2    192.168.1.0/24
       fe-0/0/3    192.168.1.0/24
       fe-0/0/4    192.168.1.0/24
1      fe-0/0/5    192.168.5.0/24    No
2      fe-0/0/6    192.168.10.0/24   No
3      fe-0/0/7    192.168.15.0/24   Yes

As far as security goes, all the vLANs belong to the trust zone and follow all the policies of that zone.  Later on we will look at putting vLANs into their own zones so we can have more granular control over security.
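As an added example that is not part of the original post, and that goes one step past it, here is how the three new logical units vlan.1, vlan.2 and vlan.3 created above can each be placed in a zone of their own, with Internet access and source NAT but no traffic between them unless a policy permits it.  It assumes the factory untrust zone still holds fe-0/0/0 and that only vlan.3 gets DHCP from the SRX; the zone, policy and rule-set names are made up, and lines beginning with # are commentary rather than commands.

```junos
# Added example, not from the original post. Assumes vlan.1 (192.168.5.0/24),
# vlan.2 (192.168.10.0/24) and vlan.3 (192.168.15.0/24) exist as created above.

# One zone per VLAN. host-inbound-traffic is what hosts in the zone may send to the
# SRX itself; only vlan.3 gets dhcp because the SRX serves DHCP on that subnet alone.
set security zones security-zone zone5 interfaces vlan.1
set security zones security-zone zone5 host-inbound-traffic system-services ping
set security zones security-zone zone10 interfaces vlan.2
set security zones security-zone zone10 host-inbound-traffic system-services ping
set security zones security-zone zone15 interfaces vlan.3
set security zones security-zone zone15 host-inbound-traffic system-services ping
set security zones security-zone zone15 host-inbound-traffic system-services dhcp

# Internet access for each zone, mirroring the default trust-to-untrust policy.
set security policies from-zone zone5 to-zone untrust policy zone5-out match source-address any
set security policies from-zone zone5 to-zone untrust policy zone5-out match destination-address any
set security policies from-zone zone5 to-zone untrust policy zone5-out match application any
set security policies from-zone zone5 to-zone untrust policy zone5-out then permit
set security policies from-zone zone10 to-zone untrust policy zone10-out match source-address any
set security policies from-zone zone10 to-zone untrust policy zone10-out match destination-address any
set security policies from-zone zone10 to-zone untrust policy zone10-out match application any
set security policies from-zone zone10 to-zone untrust policy zone10-out then permit
set security policies from-zone zone15 to-zone untrust policy zone15-out match source-address any
set security policies from-zone zone15 to-zone untrust policy zone15-out match destination-address any
set security policies from-zone zone15 to-zone untrust policy zone15-out match application any
set security policies from-zone zone15 to-zone untrust policy zone15-out then permit

# Source NAT for the new zones, the same interface-based translation the default rule-set uses.
set security nat source rule-set vlans-to-untrust from zone [ zone5 zone10 zone15 ]
set security nat source rule-set vlans-to-untrust to zone untrust
set security nat source rule-set vlans-to-untrust rule vlans-out match source-address 0.0.0.0/0
set security nat source rule-set vlans-to-untrust rule vlans-out then source-nat interface

# No policy exists between zone5, zone10 and zone15, so traffic between the VLANs is
# dropped by default. Open only what is needed, for example ping from zone5 to zone15.
set security policies from-zone zone5 to-zone zone15 policy zone5-ping-zone15 match source-address any
set security policies from-zone zone5 to-zone zone15 policy zone5-ping-zone15 match destination-address any
set security policies from-zone zone5 to-zone zone15 policy zone5-ping-zone15 match application junos-ping
set security policies from-zone zone5 to-zone zone15 policy zone5-ping-zone15 then permit

# Review and syntax-check the candidate configuration, then commit with the same safety net as above.
show | compare
commit check
commit confirmed 5
```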

JamesNT

Exploring the Juniper SRX Default Configuration

In Part III of our quick start series, we went through the Juniper set up screens to set some initial configuration settings for our new device.  Today, we are going to use the CLI to explore the default configuration given to us by those initial configurations.

To access the SRX CLI, you need Telnet.  Please note that on Windows 7 and Windows Server 2008 R2 the Telnet client is not installed by default.  You may follow these instructions to install Telnet.

Once you have Telnet installed, open a command prompt and type TELNET 192.168.1.1.

image

Once you hit enter, you will be presented with a username prompt.  Use the Administrator account that we created in Part III of the Quick Start series to log in.  Note that both user names and passwords are CASE SENSITIVE.  Once logged in, you’ll see a prompt like this.

image

At the command prompt, type the word configure and press Enter to enter configuration mode.  There are two modes to the SRX, and we will investigate them both in future posts.  Suffice to say the mode you enter into when first logging on is Operational Mode, used for monitoring and the like.  Configuration Mode is where you configure the device.  Your prompt should now look like this.

image

Notice that the prompt changed from using a “>” symbol to using a “#” symbol.  The “#” symbol means you are in configuration mode.  The “>” means Operational Mode. 

In Configuration Mode, there are certain commands you use to navigate the configuration tree.  The following shows most, but not all, of the configuration tree:

image

We will be investigating many of the parts of the configuration tree in future posts.  To navigate the tree, there are a few commands to know.

show – shows the configuration of the part of the tree you are at.  If you are at the configuration root, the show command will show you the entire tree which can take a long time if there are lots of things configured.  If, however, you have navigated to, say, System | Name-server then the show command will show you only what is in that section.  If there is more information to show than what your window will allow, the show command will fill the window and stop until you press the spacebar for the next page.  The percentage you have seen thus far is shown at the bottom.

image

edit – use this command to tell the CLI what part of the tree you wish to edit.  For example, if you type edit system then you will enter the system stanza of the tree.  Do notice that the prompt tells you where you are.

image

up – use this command to navigate up levels of the tree.  edit brings you down to levels you specify, up brings you up the next level above where you are.

image

top – if you want to go straight up to the configuration root, use top.

Now that we know how to move around a bit, let’s take a look at certain parts of the tree, called Stanzas.  First, type the word top to make sure you are at the top of the configuration root in case you have been playing around.  Next, type the following:

edit system name-server

This will place you in the System part of the tree in the name-server stanza.  Now type show.

image

You should see the IP addresses of the name servers you typed in while following along in Part III of the quick intro.  Type top to go back to the top of the configuration tree (refer to the diagram above when needed).

Now type the following commands:

edit interfaces fe-0/0/0
show

If you are using the SRX210, replace the fe with ge.  Otherwise, you should see this:

image

Notice where the arrow is pointing.  If in the initial configuration screen you unchecked the DHCP box and entered a static IP, that IP is here.  Otherwise, you’ll see DHCP.  This interface is the one that should be plugged in to your ISP.  In my case, it is plugged into my Linksys router which allows my other computers to get on the Internet as well.  Later on, we are going to make some configuration changes to make the SRX my router for my network and we will remove the cheap Linksys.  Type up to go up one level and then type show:

image

Notice that we are now looking at all the interfaces.  The show command, as I mentioned earlier, shows you everything at the current position of the tree, including sub-branches of that position.  Since we are at the interface level, it is showing us all the interfaces along with their configurations.  Notice you have the —(more)— at the bottom for scrolling.  Use the space bar to scroll on down.

Notice also that while fe-0/0/0 is assigned a static IP address, or DHCP depending on your choice in the initial configuration screen, the other interfaces are all assigned to a VLAN.  You also have interface lo0 which is, of course, the loopback adapter.  At the bottom, you should see the interface for the VLAN and the IP address it is assigned which is the IP address range of your internal network with the SRX.

image

Let’s take a look at the VLAN itself.  Type top to get to the configuration root.  Then type:

edit vlans
show

Notice we have a Virtual LAN called “vlan-trust” defined and that the interface we saw above is assigned to it.  Also, notice the shorthand for which unit to refer to.  Instead of typing the name of the VLAN then the name of the unit, we just do vlan.0 where the zero is the unit.  If you have more units, such as 10, 11, and 12, you could do vlan.10, vlan.11, vlan.12, etc. 

image

So what we have is a logical interface that defines the IP address range of the VLAN, which is assigned to the VLAN itself, which is in turn assigned to the other interfaces (except fe-0/0/0).  This allows us a great deal of flexibility.  Think about it.  You could literally have each port on the front of the SRX assigned to a completely independent VLAN.  Let us continue.  Type top to get to the configuration root again.  Now type the following:

edit security zones
show

We are now looking at the default zones created by the SRX.  One is called trust and the other is called untrust.  Typically, trust is your internal LAN and untrust is the Internet.  Notice what we are doing:

  • For inbound traffic to the trust zone, we are pretty much allowing everything to go to the SRX.  All protocols.  And we assigned our VLAN, vlan.0, to this zone.
  • For the untrust zone, we assigned fe-0/0/0 and notice that we allow only dhcp and tftp.  Normally I remove these.  Do keep in mind that if you remove DHCP and you chose DHCP as the way for fe-0/0/0 to get IP address from the ISP, you will no longer be able to get on the Internet should your ISP change IP addresses on you (assuming you don’t have a static address).

This all should make sense.  fe-0/0/0 is plugged into our Internet connection and our vlan.0 is our internal network as we examined earlier.  Although, in a true production environment we may place more limitations than this even on the Internal network instead of just allowing everything.

image

At the CLI prompt, type up to go up one level, then type edit policies, then type show.

We are now looking at our one and only default security policy.  It should be pretty straightforward.  We have one policy called “trust-to-untrust” that pretty much allows anything from the internal network to go out to the Internet.  Since there is no policy allowing traffic from the Internet to the internal LAN, anything from the Internet is blocked.

image

Type up one more time, then type edit nat, then type show.  We are now looking at our Network Address Translation (NAT) configuration.  We have one rule translating addresses for traffic that goes out, regardless of source IP address.  We do not translate any traffic coming to us since, thanks to our policy, we have no traffic coming in.

image

So what we have is this:

image

This is straight from the book I recommend on my Books I’m Reading page for learning the Juniper SRX Security Services Gateway.  This diagram gives a decent idea of how traffic is processed by the SRX. 

And this is the default configuration you are given after completing the initial setup wizard. 

To exit the CLI of the Juniper SRX, type the exit command until your telnet session is closed.

Next up, we are going to add some VLANs and assign other ports to them.  In my home network, I have my wife’s computer which will go on one VLAN, my computer which will go on another, and a Dell PowerEdge T310 server running several virtual machines that will all be on yet another VLAN.

Do keep in mind that my quick overviews and instructions on how to perform certain tasks are meant to show you how I’m using the SRX.  If you really wish to learn the device properly, I recommend the book Junos Security, found here at Amazon.com in paperback, or you can go with the Kindle edition.

JamesNT

Quick Intro to the Juniper SRX Series Security Services Gateway Part V

This will be the last part of our Quick Intro series.  Further posts on the Juniper SRX will be more about doing actual configurations.  Be sure to read up on Part I, Part II, Part III, and Part IV.

In this part, we will discuss a feature of the Juniper SRX that seems to be unique amongst security devices made by its worthy competitors such as Cisco.  This feature is the concept of the Zone.

According to the documentation, “a zone is a logical construct that is applied to an interface and is used as a building block for security policies. . .”  In most devices, security policies allow traffic to go from point A to point B, such as from the local area network to the Internet, or vice versa.  Adding a Zone creates a new dimension in that it simplifies management.  You can have multiple logical interfaces that require similar security grouped into one Zone.

Zones are where you see default names like “Trust,” “Untrust,” and “DMZ” scattered throughout the Juniper documentation.  In earlier products, those were the default zones.  Starting with the SRX, you can rename your zones to what you want and have as many zones as you want.

As we mentioned earlier, logical interfaces are added to a zone.  We also know that each physical interface can have many logical interfaces, called Units.  So with this much granularity, one physical interface can handle traffic, at the same time, for a wide variety of purposes.  You can have physical interface fe-0/0/3 handle traffic for 5 different VLANs, each VLAN belonging to a different zone.  Just remember that a logical interface can be a member of only one zone.

The following is an example of the default zones that come with the SRX once you do the initial configuration:

security-zone trust {
     host-inbound-traffic {
          system-services {
               all;
          }
          protocols {
               all;
          }
     }
     interfaces {
          vlan.0;
     }
}

Notice that we have created a security zone called “trust”.  For inbound traffic, we are allowing everything, as the keyword “all” indicates, to pass to the SRX.  We are also allowing all protocols.  And we are binding this zone to the vlan.0 interface.  Note that physical interfaces fe-0/0/1 through fe-0/0/7 were assigned to the VLAN as switching interfaces.  What this means is that ports 1 – 7 on the front of the device are all going to behave like a regular network switch and allow all traffic to pass through them as long as that traffic is on the same VLAN.  Of course, this begs the question:  What about Internet traffic?

security-zone untrust {
     interfaces {
          fe-0/0/0 {
               host-inbound-traffic {
                    system-services {
                         dhcp;
                         tftp;
                    }
               }
          }
     }
}

Notice that we have another zone called “untrust.”  Appropriate name, given that we are allowing Internet traffic.  Notice that, in contrast to the “trust” zone, we are not allowing anywhere near as much latitude.  We allow only dhcp and tftp to pass through this zone straight to the physical interface fe-0/0/0.  So, yes, we can bind a physical interface to a zone, not just a logical one.  And we can severely restrict traffic.  DHCP is allowed, of course, in the event that we do not have a static IP address from our ISP.  I’m not sure why the default configuration allows tftp.  I typically remove that.  Do keep in mind that the host-inbound-traffic part of a zone is the traffic that goes to the SRX itself, not what is passed from one host to the next.  Security Policies are used to govern traffic from one host to the next.  We’ll talk about those later.
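An added example, not from the post, showing the factory trust zone above beside a version that lists only the services the SRX actually needs to answer from the inside, and that drops tftp from untrust as suggested.  It assumes ssh as the management path (telnet can be added the same way if you follow the earlier posts) and that the SRX is still the DHCP server on vlan.0; lines beginning with # are commentary rather than commands.

```junos
# Added example, not part of the original post. host-inbound-traffic controls what
# hosts in a zone may send to the SRX itself; it has no effect on traffic forwarded
# between hosts, which security policies govern.

# Before: the factory default rendered in set form. Every service and routing
# protocol the SRX runs is reachable from any host on vlan.0.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0

# After: name the services explicitly. Anything not listed (telnet, tftp, http,
# snmp, and so on) is refused by the SRX even when it comes from the inside.
delete security zones security-zone trust host-inbound-traffic
set security zones security-zone trust host-inbound-traffic system-services ping
# dhcp: the SRX hands out addresses on vlan.0
set security zones security-zone trust host-inbound-traffic system-services dhcp
# ssh: management; add telnet the same way only if you still rely on it
set security zones security-zone trust host-inbound-traffic system-services ssh
# https: J-Web; leave it out if you never use the web interface
set security zones security-zone trust host-inbound-traffic system-services https

# Untrust: keep dhcp (needed when the ISP assigns the address) and drop tftp,
# leaving nothing else addressed to the SRX from the Internet side.
delete security zones security-zone untrust interfaces fe-0/0/0 host-inbound-traffic system-services tftp

# Review the candidate zones stanza, syntax-check it, then commit with a safety net.
show security zones
commit check
commit confirmed 5
```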

In wrapping this up, we can have a physical interface bound directly to a zone, or to any number of logical interfaces that can then be bound to zones.  Zones then have Security Policies.  Obviously, we would bind interfaces, physical or logical, that have like security requirements to one particular zone.  Take a few moments to think about this arrangement and I do believe we can see how we can handle traffic in a very large number of ways.  Also, do keep in mind that all of this ability is available even on the low end SRX100, which is only a few hundred bucks.  You do not have to purchase a $5000 device to obtain what we have talked about thus far.

There is much more to discuss regarding zones, but this is only a quick intro.  As time moves on and I begin configuring the device, more will be explained in higher detail.

James

Quick Intro to the Juniper SRX Series Security Services Gateway Part IV

In Part III of our Quick Intro Series (don’t forget Part I and Part II), we discussed getting the SRX up quickly as a basic router.  We did, unfortunately, skip over some pretty important details along the way such as interfaces and things like that.  In this fourth part of our series, we’ll look at some of the other details of the SRX Series Gateway and introduce some additional terms one must know.

One of the things I mentioned in Part III when setting up the SRX for first use was the setting for fe-0/0/0.  Well, what is fe-0/0/0?  Let’s take a look at the ports on the front of the machine:

The first ethernet-looking slot you see is the console slot that you can use a console cable to connect with and communicate with the device using Hyper Terminal.  The actual ethernet slots are the ones out to the right of the console slot and they are labeled 00 – 07.  For the Juniper SRX, the slots – interfaces as they will be called from now on – are represented by a naming scheme that describes them in detail.  The following breaks it down:

fe-0/0/0 – the fe prefix is the media type

fe-0/0/0 – the first number is the Flexible PIC Concentrator number

fe-0/0/0 – the second number is the Physical Interface Card number

fe-0/0/0 – the third number is the port number

Obviously, for a device as small as the SRX100, we will never have to worry about the Flexible PIC number or the Physical Interface Card number ever getting above zero.  On the larger datacenter devices which may have rows and rows of interfaces, I’m pretty sure things get interesting real fast.  Let’s take a quick look at media types – the prefix of the interface name:

fe – Fast Ethernet 10/100

ge – Gigabit Ethernet 10/100/1000

xe – 10 Gigabit Ethernet

t1 – T1

The media type tells what kind of interface it is.  The SRX100 is fe only, which means all interfaces are 10/100 only.  The SRX210 has two Gigabit Ethernet interfaces (ge) and the rest are Fast Ethernet (fe).  Obviously, you’ll need to go to the higher end models to get the higher end interfaces.  I’ll not be covering all that here since my concentration is mostly going to be on the SRX100 and SRX210 for the branch office (I do not work at a large school/corporation etc. that will utilize one of the bigger models – that and I could only afford an SRX100 for my house.)

Each physical interface can have many logical interfaces applied to it.  A Logical Interface is an entity with a protocol or suite of protocols, and perhaps a network address, assigned to it.  The Logical Interface is known as a Unit.  A Unit contains protocol definition and each physical interface can have up to 16,000 Units applied to it.  Each Unit has a Family.  A Family is a protocol configuration (Family of protocols).  Here are some examples of Families:

inet – IPv4 network

inet6 – IPv6 network

ethernet-switching – switching protocol if you want this physical interface to just be used in a switch

PPPoE – Protocol used by DSL providers

Here are some examples of Logical Interface configurations:

First physical interface set with a static IP address:

fe-0/0/0 {
     unit 0 {
          family inet {
               address 192.168.30.50/24;
          }
     }
}

This would be a typical configuration used to set this Interface up to work with a static IP address assigned by your ISP.

fe-0/0/2 {
     unit 0 {
          family ethernet-switching {
               vlan {
                    members vlan-trust;
               }
          }
     }
}

In this example, we have set another interface up as a switching port on a Virtual LAN called “trust”.  You will see the words “trust” and “untrust” used quite a bit in the SRX documentation.  While you may name a VLAN or security zone anything you wish, “trust” and “untrust” are typically used to represent your local area network and Internet connection, respectively.

We now know that each port, or slot, on the front of the SRX is called an Interface.  We now also know that we can assign Logical Interfaces to Physical Interfaces.  Logical Interfaces include protocol families such as IP settings for different media or to merely have the port act as a switch.  For example, you could assign the necessary protocols, such as a static IP or DHCP if you don’t have a static IP, to your fe-0/0/0 for connection to your ISP and then have fe-0/0/1 – fe-0/0/7 set up as switching ports so you can plug your computers into those interfaces.  Below is how this typical configuration would look in the command line interface of the SRX:

image

Notice that, in the above example, fe-0/0/1 – fe-0/0/7 are all members of a vlan called trust.  You could assign each interface to a different vlan (trust1, trust2, trust3, etc.) with DHCP as a service for each one, thereby placing every device connected to those interfaces on its own subnet.  Believe me, the fun don’t stop there!  I’ll have examples in future posts.
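As an added example (not from the post) of what a Unit buys you, here is one physical port carrying several logical interfaces at the same time.  It assumes fe-0/0/3 is taken out of its factory switching role and faces an 802.1Q-tagged link such as a VLAN-aware switch or a hypervisor trunk; the VLAN ids, addresses and zone names are made up, and lines beginning with # are commentary rather than commands.

```junos
# Added example, not from the original post. Assumes fe-0/0/3 connects to a
# tagged (802.1Q) link; VLAN ids, addresses and zone names are invented.

# The factory unit 0 is a family ethernet-switching member of vlan-trust. A routed,
# tagged port cannot keep that unit, so remove it first.
delete interfaces fe-0/0/3 unit 0

# Enable tagging on the physical interface, then add one unit per VLAN. The unit
# number is arbitrary; matching it to the vlan-id just keeps the config readable.
set interfaces fe-0/0/3 vlan-tagging
set interfaces fe-0/0/3 unit 10 vlan-id 10
set interfaces fe-0/0/3 unit 10 family inet address 10.10.10.1/24
set interfaces fe-0/0/3 unit 11 vlan-id 11
set interfaces fe-0/0/3 unit 11 family inet address 10.10.11.1/24
set interfaces fe-0/0/3 unit 12 vlan-id 12
set interfaces fe-0/0/3 unit 12 family inet address 10.10.12.1/24

# Each logical interface is referred to as fe-0/0/3.10, fe-0/0/3.11 and fe-0/0/3.12
# and, as Part V of this series explains, may belong to exactly one security zone.
# Until a unit is in a zone and a policy permits it, the SRX forwards nothing for it.
set security zones security-zone lab10 interfaces fe-0/0/3.10
set security zones security-zone lab11 interfaces fe-0/0/3.11
set security zones security-zone lab12 interfaces fe-0/0/3.12

# Review the candidate interface stanza and syntax-check before committing.
show interfaces fe-0/0/3
commit check
```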

In our next blog post, we will cover the concept of Zones in the SRX which will end our Quick Intro series to the Juniper SRX.  Further blog posts will cover more in-depth topics.

James

Quick Intro to the Juniper SRX Series Security Services Gateway Part III

If you haven’t already, be sure to check out Part I and Part II.

In this third installment, we’ll look at what you will find when you first turn on the Juniper SRX Series Security Services Gateway and to get you through some initial configuration.  Be reminded that, as we discussed in one of the previous articles, the SRX I’m using was sold by Dell with the Dell Logo on the device and in the software.  Dell once sold the SRX as the PowerConnect J-SRX Series.  Therefore, while I fully expect there to be some differences between what I have and what you have (one not sold by Dell), I do expect them to be minimal. 

When you first power on the SRX, the first port is usually defaulted to be the port you connect to your ISP.  The other ports are arranged into switching ports all on the same vLAN.  DHCP is turned on and will start giving out IP addresses in the 192.168.1.x range.  As you may have guessed by now, the default IP address of the SRX is 192.168.1.1.

While I did mention that we will not be concerned with the Graphical User Interface of the SRX, it is the fastest way to get the machine initially configured.  If you are going to use Internet Explorer, be sure to put the address 192.168.1.1 in your trusted sites and make certain the trusted sites security setting is set to low.  Otherwise, much of the SRX website (referred to by Juniper as J-Web) will not work.  Below is the initial logon screen.

image

Do remember that you will not see the Dell logo or references to Dell if your SRX is not branded by and resold by Dell.  The default username is root and the default password is blank.  The root user is the super user of the SRX, and that shows off the SRX’s Unix heritage.  Once you log on the first time, you’ll see the initial setup screen.

image

From here you can fill in some basic information to get the device working.  Here are the values I’m entering:

  • Host Name:  I set this to “Juniper”.  You may call the device anything you wish to distinguish it on your network.
  • Domain Name:  I leave this blank.
  • Root Password:  Of course, having a blank password is NEVER a good idea.  There are no restrictions on the password, so it is your responsibility to choose something strong.
  • Verify Root Password:  What it says.
  • DNS Name Servers:  Replace these with the ones assigned by your ISP.
  • Domain Search:  Leave blank
  • Default Gateway:  Provided by your ISP.
  • Loopback Address:  Leave Blank
  • fe-0/0/0.0 Address:  If you have an SRX210, this field may read ge-0/0/0.0 Address depending on what kind of interface you have.  If you are going to get addresses assigned by your ISP via DHCP, leave this field blank.  Otherwise, fill in your static IP address here.
  • Enable DHCP on fe-0/0/0.0:  If you have an SRX210, this field may refer to ge-0/0/0.0 instead, depending on what kind of interface you have.  If you are going to get addresses assigned by your ISP via DHCP, check this box.  Otherwise, make sure it is unchecked.
  • Time Zone:  Pretty obvious, though I have never cared for this particular way of choosing time zones.  Why can’t people just use Eastern Standard, Pacific, Central, Mountain, etc.?  Finding the closest city that matches yours is a pain sometimes.
  • NTP Servers:  Fill these in if you so desire.
  • Allow Telnet Access:  Make sure this is checked.  The majority of examples I give will be using Telnet as the way to connect to the device.
  • Allow JUNOScript over Clear-Text Access:  Uncheck this.
  • Allow SSH Access:  Make sure this is checked.  We may use it later.

Now click Apply and wait for a few moments.  Once you are done, you’ll see a dashboard like this one:

image

This dashboard is fairly useful if you want to get a quick estimate of machine condition.  The first thing we need to do is create a new user to use other than the all powerful root.  Go ahead and click on the CONFIGURE tab at the top, then on the left menu that appears click on SYSTEM PROPERTIES and under that click USER MANAGEMENT.  You should now see something like this:

image

In the upper-right hand corner, click the Edit button.  In the new window that appears, click Add.  In the Add-User field, fill out the User Name, Full Name, Password, and Confirm Password fields.  Choose Super-User as the login class.  Don’t worry about the User ID field as it is not required.  Your entry should look something like this:

image

Notice I called my new user Administrator.  First, I’m a Windows guy.  Get used to it.  Second, usernames are Case Sensitive.  Keep that in mind regarding the SRX.  Go ahead and click OK all the way out until you see the SRX validate your settings and then the prompt telling you that you have to commit your changes.  You’ll find the Commit Options button at the top under the Troubleshoot tab.  On that menu, click Commit.  You’ll then see a Configuration Delivery progress window appear.  Once that window goes away, you’ll see the user you just created.

image

You can go ahead and close the J-Web user interface.  It is doubtful we will ever use it again.  You can probably see why just by the “clunky” feel it has.

Once you are done with these initial settings, you should now have Internet access with your new SRX.  In the next post, I’ll go over the default security settings the SRX puts in place for you.  After that, another brief technical overview on interface types and things like that.  We will then be done with our quick intro series on the Juniper SRX Series Security Services Gateway and will be ready for more serious material.

James

Quick Intro to the Juniper SRX Series Security Services Gateway Part II

In this second installment of our quick intro (see Part I), I thought I would cover some of the performance features of the SRX.  On this blog, I will be speaking primarily about the SRX 100 and SRX 210.  For obvious financial reasons, I will not be covering information on the higher models, as I doubt I’ll be working on one of those any time soon.  Fortunately, one of the best features of the SRX series is that, unlike other platforms, the base functionality remains the same despite going to a higher model (e.g. SRX 500 or something).  This means that setting up, for example, an IPSEC VPN on a higher end SRX is the exact same as it would be for a 100 or a 210.  This is a tremendous advantage over competing platforms that require you to learn an entirely new interface (GUI or command line) the higher up their line you go.

Anyway, let’s get on with the performance metrics.

For the SRX 100:

Service                       Capacity
Connections Per Second        2,000
Max Firewall Throughput       650 Mbps
Max IPS Throughput            60 Mbps
Max VPN Throughput            65 Mbps
Max Anti-virus Throughput     25 Mbps
Max Concurrent Connections    16K (512MB) | 32K (1GB) **
Max Firewall Policies         384
Max Concurrent Users          Unlimited
Max IPSEC VPN Connections     128

For the SRX 210, we see about a 10% performance increase.

Service                       Capacity
Connections Per Second        2,000
Max Firewall Throughput       750 Mbps
Max IPS Throughput            80 Mbps
Max VPN Throughput            75 Mbps
Max Anti-virus Throughput     30 Mbps
Max Concurrent Connections    32K (512MB) | 64K (1GB) **
Max Firewall Policies         512
Max Concurrent Users          Unlimited
Max IPSEC VPN Connections     256

** All SRX models come in at least two modes:  Standard and High Memory.  The SRX 100 and SRX 210 both come standard with 512MB of RAM.  High memory mode gives them 1GB of RAM.  In order to use any of the Unified Threat Management (UTM) features (e. g. anti-virus, etc.) you MUST have the high memory mode model.  Furthermore, the SRX 100 can be upgraded from 512MB to 1GB by purchasing an unlock key; however, all other models are hardware locked – meaning they cannot be upgraded.  Therefore, it is the recommendation of this blog author that you always purchase the high memory mode model.  It may cost a few more bucks, but you always have the option of purchasing the UTM features later if you wish.  If you get the standard mode model, you cannot upgrade (unless it is the SRX 100) and you cannot use any of the UTM stuff.  I’ll be covering UTM in a later post.

Getting past that, those performance numbers aren’t bad.  Especially considering the high memory mode SRX 100 is $664.99 and the high memory mode SRX 210 is $944.99 from CDW according to the website as of today’s date. 

Speaking of the SRX 210, you can get additional features such as two Power Over Ethernet ports, but I’ll cover additional features in part three.

James

Quick Intro to the Juniper SRX Series Security Services Gateway

I’ve been using the Juniper SRX for a few months now and I have to say I like it.  They are FAST, cost effective, and get things done.  However, make no mistake that they do have a high learning curve.  Don’t think you’re going to jump into learning these things super fast like you did your Cisco or whatever counterpart.  For one thing, pretty much everything is done via command line.  Sure, they do have a graphical user interface, but no one uses it and the documentation doesn’t reference it that much.  In fact, in this blog I won’t even be covering the user interface.  We’ll be using command line only.

Here is a quick pic of the Juniper SRX Series Security Services Gateway, specifically the SRX 100:

image

This unit is a bit larger than my hand.  The higher end of the series can be the size of a small refrigerator.  Notice that it has the Dell logo on it.  For a time, Dell contracted with Juniper to sell the SRX under the PowerConnect name as the PowerConnect J-SRX Series.  The devices are still Juniper through and through; the only thing Dell did was paint the front of the box black and put their name on it.  Unfortunately, the relationship between Dell and Juniper has dissolved because of Dell acquiring SonicWall, so Dell no longer sells Juniper products.  Bummer.  Maybe what I have will be a collector’s item one day.

As we move forward, I’ll be covering the things I have learned about these cool devices.  While I’m certain most of you already have some type of solution in place for your security needs, who knows, it might be nice to know there is another option out there.

James