Juniper SRX series

Discussion in 'Networking' started by oddball, Nov 1, 2018.

  1. oddball

    oddball Member

    Joined:
    May 18, 2018
    Messages:
    98
    Likes Received:
    28
    Anyone familiar with the Juniper SRXs? They're interesting machines: full-blown routers with a heavy dose of security features. For example, they can do stateful firewalling, IDS, UTM, etc.

    I purchased a cheap little SRX300 to get my feet wet. It can supposedly firewall 1Gbps line rate. It seems powerful for being a silent desktop unit.

    I'm looking for any advice on where to get started learning JunOS. I'm familiar with Cisco and Arista CLIs, and with some basic Linux and OpenBSD firewalling. At this point I just want to experiment with it, blow it away and then start over.

    Secondly, does anyone have any software images for this thing? I'd like to have a backup available if I mess it up too badly, and Juniper wants me to have an active support contract. The support is around $100, and I just can't justify paying support on a machine in my office that isn't even lab status yet; it's pre-lab.

    Any help and guidance is appreciated!
     
    #1
  2. aero

    aero Active Member

    Joined:
    Apr 27, 2016
    Messages:
    293
    Likes Received:
    50
    I used to love Juniper SRXs...for edge routing and firewall duties. However, they are not well known for being good at UTM. I'd no longer recommend them in general, instead opting for Fortigate firewalls (better UTM features, and bang for $). They are solid though.

    Junos, I would say, is about as dissimilar to Cisco CLI as you can get. It's a lot like Vyatta. The documentation is pretty good...just dive right in.
    Do take a look at this link describing the two forwarding modes of the SRX: "Juniper Networks - [SRX] How to change forwarding mode for IPv4 from 'flow based' to 'packet based'"
     
    #2
  3. oddball

    oddball Member

    Joined:
    May 18, 2018
    Messages:
    98
    Likes Received:
    28
    Awesome, this is what I was looking for. The forwarding modes are interesting.

    Flow mode looks good if I want to do IPsec tunnels and firewalling. But if this is going to be a router, packet mode is the way to go.
     
    #3
  4. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    298
    Likes Received:
    105
    Well, it's basically JunOS, and JunOS is basically a customized FreeBSD image with a new kernel and Juniper-specific userland utils. If you get access to a higher-spec Juniper MX or T-series router (the routing engine is x64 based) you would be able to download their JunOS image and install it on a FreeBSD VM (it does require you to hack up the installer script)...which is how JNCIA techs cut their teeth learning JunOS - that or hiring lab time. Tossing JunOS on something like that makes it an "olive" (nickname for an unofficial VMware x86/x64 based VM that runs JunOS derived from FreeBSD, tolerated within Juniper as long as it stays test-only).

    As for the SRX300, they are Cavium Octeon (MIPS64) multicore based, so setting up Olives for them will not work. Do you know which specific IOS image you are looking for?
     
    #4
  5. oddball

    oddball Member

    Joined:
    May 18, 2018
    Messages:
    98
    Likes Received:
    28
    @WANg

    JunOS is really interesting so far. Sort of reminds me of our Arista switches in that it's FreeBSD (Linux for Arista) with command extensions. In both cases you can escape to the shell and run OS level commands.

    I know there is a vSRX version on Juniper's website.

    I broke down and purchased a year's support for $50, so I should be able to grab images straight from their website once everything is activated.

    What are the different software trains? I have 15x49 on the switch. I also see a 16 and an 18, but from Googling, people recommend staying away from them. It seems strange to be that far back. Are those dev branches?
     
    #5
  6. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    874
    Likes Received:
    638
    Oops - PM'ed you earlier and just now see you purchased a contract - oh well, at least now you'll have backups :p $50 for a year is not a bad price at all.
     
    #6
  7. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    298
    Likes Received:
    105
    JunOS 15 x49 is considered "Telecom" quality (long-term support, five-nines operations), while the other chains are viewed as less mature. You generally do not put the latest release on, say, a core/operations switch unless absolutely necessary.
     
    #7
  8. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    298
    Likes Received:
    105
    Well, I used SRX100s and 200s as IPsec VPN endpoints to connect data centers up, but I don't remember the SRXs having much functionality for UTM duties. For UTM stuff I went with Astaro (sold to Sophos) or PulseSecure (it was the old Juniper MAG series spinoff) - I don't use them anymore (the CIO at my current gig is a big Cisco nerd), but they were decent enough. Juniper CLI does seem nicer compared to the older Cisco IOS stuff, with sane command completion and the ability to do config snapshots and automated rollbacks.
     
    #8
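    The two points raised in this thread so far, the flow/packet forwarding modes from the linked KB article and the config snapshot and rollback workflow mentioned just above, fit into one Junos session. The following is an added example, not posted by anyone in the thread and not Juniper's documentation: an SRX operator moves IPv6 forwarding to packet mode, pulls a narrow slice of IPv4 traffic out of the flow engine with a stateless filter, and commits the change with an automatic rollback timer so a mistake cannot lock them out. The hostname, interface, filter name, term name and prefix (srx300, ge-0/0/1, bypass-flow, route-only, 10.0.0.0/8) are constructed.

```junos
# Added example (not from the thread): safe forwarding-mode change on an SRX.
# Hostname, interface, filter/term names and the 10.0.0.0/8 prefix are constructed.

user@srx300> configure
Entering configuration mode

# IPv6 has a global mode knob. Junos warns at commit that this particular
# change only takes effect after a reboot.
[edit]
user@srx300# set security forwarding-options family inet6 mode packet-based

# IPv4 has no global packet-mode knob on the SRX. Traffic leaves the flow engine
# selectively, via a stateless firewall filter whose terminating action is
# packet-mode. Anything matched here skips zones, security policies and screens,
# so keep the match term narrow and deliberate; everything else stays stateful.
[edit]
user@srx300# set firewall family inet filter bypass-flow term route-only from source-address 10.0.0.0/8
user@srx300# set firewall family inet filter bypass-flow term route-only then packet-mode
user@srx300# set firewall family inet filter bypass-flow term default then accept
user@srx300# set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow

# Diff the candidate against the running config before activating anything.
[edit]
user@srx300# show | compare

# Parse and semantic check only; nothing is activated.
[edit]
user@srx300# commit check

# Activate, but revert automatically in 5 minutes unless a confirming commit
# follows. Losing management access after a forwarding-mode change is the
# classic failure mode this guards against.
[edit]
user@srx300# commit confirmed 5 comment "inet6 packet mode + selective IPv4 packet-mode filter"

# Management still reachable? Make it permanent:
[edit]
user@srx300# commit

# Not reachable, but console access works? rollback 1 is the configuration
# that was active before the confirmed commit:
[edit]
user@srx300# rollback 1
user@srx300# commit

# Junos retains the previous 49 committed configurations as snapshots:
user@srx300> show system commit
```

    The timer on `commit confirmed` defaults to 10 minutes if no value is given; 5 is enough to test reachability and still short enough that a forgotten confirmation does not leave a half-applied change running for long.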
  9. zer0sum

    zer0sum Active Member

    Joined:
    Mar 8, 2013
    Messages:
    189
    Likes Received:
    50
    Disclaimer: I work for Juniper :)

    The Juniper firewalls these days have really advanced UTM capabilities, and are just as capable as, if not more so than, equivalent firewalls from Palo Alto, Fortinet, etc. There has been a LOT of progress made in the last 2 years to build advanced features into them :)

    You can license them for all the L4-L7 stuff you'd expect, like AntiVirus, AntiSpam, Application control, SPI, DPI, Web and Content Filtering, Sandboxing both in the cloud with SkyATP and on-premise with JATP, etc., etc.

    I'm not going to bore you all with the details, so I'll just link to this instead: "UTM Feature Guide for Security Devices - TechLibrary - Juniper Networks"

    If anyone needs an image, or has any questions, let me know.
     
    #9
    oddball likes this.
  10. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    298
    Likes Received:
    105
    Is there such a thing as vSRX (something like a VMware virtual appliance that I can drop into ESXi)? I kinda want to play around with the newer SRX builds with the UTM entitlements, but hacking up an Olive using a FreeBSD VM was painful even in the JunOS 14 days, and that only worked on x86-based hardware like the T-series. If I remember correctly the SRX 100-300 machines are all Cavium Octeons, and I am not sure what hardware is in them these days...
     
    #10
  11. zer0sum

    zer0sum Active Member

    Joined:
    Mar 8, 2013
    Messages:
    189
    Likes Received:
    50
    Not only is there a vSRX that runs under VMware etc., but there is also a cSRX that runs as a Docker container :)

    vSRX info
    cSRX info

    vSRX is a simple VMware OVA file you can fire up and get running via the CLI or the J-Web GUI, but a lot of the more advanced features will require licensing.
     
    #11
  12. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    298
    Likes Received:
    105
    Oh yeah. Just found it on my Juniper.net login - I'll give the vSRX eval image a spin in my ESXi environment. That one should probably have the time-limited licenses for playing with the UTM features.
     
    #12
  13. audio catalyst

    Joined:
    Jan 4, 2014
    Messages:
    84
    Likes Received:
    11
    Disclaimer - NetScreen dude

    Can't believe you all killed ScreenOS :)
    Or even worse, didn't release it to the open-source community..

    Still outperforms the FortiOS and Palo Alto spin-offs ;)
     
    #13
  14. oddball

    oddball Member

    Joined:
    May 18, 2018
    Messages:
    98
    Likes Received:
    28
    Curious about cSRX. Is the purpose to firewall between containers and do east-west segregation? Or is it meant to be deployed on a container server without the need for specialized hardware?

    And in the second scenario what sort of bandwidth can it handle?

    And then beyond this, what's the interaction like? You deploy on Docker, then do you open a prompt on the image and now you're in JunOS?

    This is really interesting stuff.
     
    #14