A bunch of Juniper SRX300 firewalls dumped cheap

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

tp1

Member
Feb 5, 2016
32
11
8
43
Does JuniperCare include IDS updates?
Oh and this is sort of rogue, but on one of these boxes you can find a reseller online who will sell you JuniperCare for $50/yr. Just don't ever mention you purchased it on eBay, give them the serial and no questions asked you'll be able to get software updates and can even RMA one of these. If you try to talk to Juniper directly they'll give you the "we don't certify eBay machines" but I've found resellers don't care, and Juniper doesn't care as long as it comes through a reseller.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
After having won one on eBay, I did a bit of research into what it requires to get updates and use the device. It seems like Juniper really doesn't want us to reuse and resell these devices.

My understanding is that you also need a JSB, JSB-L or JSE license to be allowed to use the software.

So in reality if you buy a SRX300 from new, you should purchase a license with it.
Juniper has SKUs like srx300-sys-jb that include the device and a jsb license.

Of course, the question is in this case, if what we buy from the seller on eBay somehow includes a JSB, JSB-L or JSE license? Is it even possible to transfer ownership of one of these licenses?

On top of all that, you of course still need the core support license to get firmware updates.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
Does JuniperCare include IDS updates?
My understanding is that Juniper do not care enough about IDS-only to sell it as a service, but given that you need a subscription for IPS signatures, I can only assume that you do not get IDS signatures with juniper care / core service license.

What I would be interested in knowing, is whether it is possible to use the IPS-engine in IDS mode only, and if you can install your own signatures in it (possibly sourced from Cisco/Talos/Snort VRT/whatever or Emerging Threats)
 

747builder

Active Member
Dec 17, 2017
112
58
28
After having won one on eBay, I did a bit of research into what it requires to get updates and use the device. It seems like Juniper really doesn't want us to reuse and resell these devices.

My understanding is that you also need a JSB, JSB-L or JSE license to be allowed to use the software.

So in reality if you buy a SRX300 from new, you should purchase a license with it.
Juniper has SKUs like srx300-sys-jb that include the device and a jsb license.

Of course, the question is in this case, if what we buy from the seller on eBay somehow includes a JSB, JSB-L or JSE license? Is it even possible to transfer ownership of one of these licenses?

On top of all that, you of course still need the core support license to get firmware updates.
you need a support contract for firmware updates. generally the JSB/JSE are honor based but could be enforced anyday with a updated firmware.
 
Last edited:

747builder

Active Member
Dec 17, 2017
112
58
28
My understanding is that Juniper do not care enough about IDS-only to sell it as a service, but given that you need a subscription for IPS signatures, I can only assume that you do not get IDS signatures with juniper care / core service license.

What I would be interested in knowing, is whether it is possible to use the IPS-engine in IDS mode only, and if you can install your own signatures in it (possibly sourced from Cisco/Talos/Snort VRT/whatever or Emerging Threats)
i have no clue. i dont use mine for IPS/IDS. i have a opnsense box stacked behind the SRX to do all that.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
you need a support contract for firmware updates. generally the JSB/JSE are honor based but could be enforced anyway.
Yeah that is what I read too, I was thinking about buying a JSB-L license as it doesn't cost too much anyway just to be on the safe side, I don't like the thought that the device may stop working after some software update (and not updating doesn't work for me either).

Of course if the device somehow comes with a JSB license (and there was a way to determine it), that would be great.
 

747builder

Active Member
Dec 17, 2017
112
58
28
Yeah that is what I read too, I was thinking about buying a JSB-L license as it doesn't cost too much anyway just to be on the safe side, I don't like the thought that the device may stop working after some software update (and not updating doesn't work for me either).

Of course if the device somehow comes with a JSB license (and there was a way to determine it), that would be great.
Licensing on the SRX300 series is unclear from the very begining BUT with that said, the hardware is ONLY the hardware and your SUPPOSED to buy a license from juniper to be legal software wise.

of interesting note, the SRX300 and SRX320 are the same motherboard with just the Mini-PIM slots on the 320 and a few fans.

AND anybody looking for the rackmount kit, BEWARE, there are 2 different ones , one has the tray to hold the power supply and other one DOESNT.
 
  • Like
Reactions: T_Minus

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
7,659
2,068
113
Licensing on the SRX300 series is unclear from the very begining BUT with that said, the hardware is ONLY the hardware and your SUPPOSED to buy a license from juniper to be legal software wise.

of interesting note, the SRX300 and SRX320 are the same motherboard with just the Mini-PIM slots on the 320 and a few fans.

AND anybody looking for the rackmount kit, BEWARE, there are 2 different ones , one has the tray to hold the power supply and other one DOESNT.
Which rackmount kit do you suggest \ model that holds it?

I've got a couple coming, and if they work as expected they'll need racked if it's not overpriced vs. sticking them ona shelf :D
 

747builder

Active Member
Dec 17, 2017
112
58
28
Which rackmount kit do you suggest \ model that holds it?

I've got a couple coming, and if they work as expected they'll need racked if it's not overpriced vs. sticking them ona shelf :D
Model numbers are:
SRX300-RMK0 is 1u rackmount with the tray for the power supply to sit on.
SRX300-RMK1 is 1u rackmount with NO tray for the power supply to sit on.

NEITHER are cheap.
 
  • Like
Reactions: T_Minus

747builder

Active Member
Dec 17, 2017
112
58
28
So are these usable at home or not really?
absolutely. ive been running the srx300 at home since they came out. dead silent since they have NO fan but i run a computer fan across it in the summer time to keep it cooler.

and i ran the srx240 before the 300...
 
  • Like
Reactions: Samir

oddball

Active Member
May 18, 2018
206
121
43
42
These are extremely usable at home. It's an enterprise router/firewall that's completely silent and can do 1Gbps line-rate (with the caveat of 1500 sized packets).

In terms of licensing. I'm not really sure how they will enforce it. I purchased a JSB license for one after-market, it was ~$100. You plug it into the license activation tool online. It says "thanks" and then gives you a message that there is nothing to install on the device itself.

The device appears no different with or without the license. If you go digging on Google there are a lot of people who report the same thing. When you do "show system licenses" all it shows are additional entitlements, such as IPS, IDS, Web Filtering. In Junipers docs those are the only licensed features on the box that can be enabled.

I have a SRX345 with the JSE license, and I can't find anything on-box that looks any different than one of my hardware licensed SRX300's without a base license.

If you buy the Juniper Care on the hardware you get the software downloads, I believe it's $50/yr for the Juniper Care. That's really cheap to get full software updates in my mind.

You can purchase an IDS license for $200 at CDW if you want the updates for a year, again, fairly reasonable depending on the situation.

If you sign up with Juniper you can view the serial number lookup tool. I've pushed a few serials from the boxes I received from eBay through there. One is still so new it has the manufacturer's warranty on it for another month, it was clearly a test unit. Another had the service contract expire the month it appeared on eBay.
 
  • Like
Reactions: Samir

PigLover

Moderator
Jan 26, 2011
3,190
1,549
113
The feature licenses are enforced on the larger model SRX, but I believe it was removed on the small boxes because managing licenses at the large number of enterprise endpoints they market this too was considered too complicated.
 
  • Like
Reactions: T_Minus

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,350
1,502
113
49
HSV and SFO
These are extremely usable at home. It's an enterprise router/firewall that's completely silent and can do 1Gbps line-rate (with the caveat of 1500 sized packets).

In terms of licensing. I'm not really sure how they will enforce it. I purchased a JSB license for one after-market, it was ~$100. You plug it into the license activation tool online. It says "thanks" and then gives you a message that there is nothing to install on the device itself.

The device appears no different with or without the license. If you go digging on Google there are a lot of people who report the same thing. When you do "show system licenses" all it shows are additional entitlements, such as IPS, IDS, Web Filtering. In Junipers docs those are the only licensed features on the box that can be enabled.

I have a SRX345 with the JSE license, and I can't find anything on-box that looks any different than one of my hardware licensed SRX300's without a base license.

If you buy the Juniper Care on the hardware you get the software downloads, I believe it's $50/yr for the Juniper Care. That's really cheap to get full software updates in my mind.

You can purchase an IDS license for $200 at CDW if you want the updates for a year, again, fairly reasonable depending on the situation.

If you sign up with Juniper you can view the serial number lookup tool. I've pushed a few serials from the boxes I received from eBay through there. One is still so new it has the manufacturer's warranty on it for another month, it was clearly a test unit. Another had the service contract expire the month it appeared on eBay.
Really great information for us considering these boxes. Thank you. :)
 

747builder

Active Member
Dec 17, 2017
112
58
28
The feature licenses are enforced on the larger model SRX, but I believe it was removed on the small boxes because managing licenses at the large number of enterprise endpoints they market this too was considered too complicated.
I haven't even seen it enforced on the higher end SRX's either in the consulting work that I do.
the VAR is supposed to bundle the licenses with the hardware but I dont see too much of that these days, and CDW is beyond overpriced