Juniper SRX series


oddball

Active Member
May 18, 2018
206
121
43
42
Anyone familiar with the Juniper SRXs? They're interesting machines; they're full-blown routers with a heavy dose of security features. For example, they can do stateful firewalling, IDS, UTM, etc.

I purchased a cheap little SRX300 to get my feet wet. It can supposedly firewall at 1Gbps line rate. It seems powerful for being a silent desktop unit.

I'm looking for any advice on where to get started learning JunOS. I'm familiar with Cisco and Arista CLIs, and with some basic Linux and OpenBSD firewalling. At this point I just want to experiment with it, blow it away, and then start over.

Secondly, does anyone have any software images for this thing? I'd like to have a backup available if I mess it up too badly, and Juniper wants me to have an active support contract. The support is around $100, and I just can't justify paying for support on a machine in my office that isn't even lab status yet; it's pre-lab.

Any help and guidance is appreciated!
 

aero

Active Member
Apr 27, 2016
346
86
28
54
I used to love Juniper SRXs... for edge routing and firewall duties. However, they are not well known for being good at UTM. I'd no longer recommend them in general, instead opting for FortiGate firewalls (better UTM features and bang for the buck). They are solid though.

Junos, I would say, is about as dissimilar to Cisco CLI as you can get. It's a lot like Vyatta. The documentation is pretty good... just dive right in.
Do take a look at this link describing the two forwarding modes of the SRX: Juniper Networks - [SRX] How to change forwarding mode for IPv4 from 'flow based' to 'packet based'
 

oddball

Active Member
May 18, 2018
206
121
43
42
Awesome, this is what I was looking for. The forwarding modes are interesting.

Flow mode looks good if I want to do IPsec tunnels and firewalling. But if this is going to be a router, packet mode is the way to go.
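As an added example (not from this thread and not from Juniper's documentation), here are the two modes oddball is weighing, side by side in Junos configuration syntax. IPv4 traffic from one subnet on one interface is pushed to packet mode through a firewall filter whose term uses the packet-mode action; everything else on the box stays flow-based, and IPv6 is switched globally under security forwarding-options. The interface name, the filter and term names, and the 192.0.2.0/24 addresses are assumptions.

```junos
/* Added example: selective packet mode for IPv4 on one interface.
   Interface, filter and address values are assumptions. */
firewall {
    family inet {
        filter bypass-flow-v4 {
            /* Packets matching this term skip the stateful flow engine:
               no session-table entry, and no security-policy, NAT,
               IPsec or UTM processing for that traffic. */
            term transit-only {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* Everything else remains flow-based and is fully inspected. */
            term keep-flow {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-v4;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                /* Global switch for IPv6; a reboot is needed before it applies. */
                mode packet-based;
            }
        }
    }
}
```

The trade-off is exactly the one oddball describes: whatever the filter sends to packet mode is routed at speed but is invisible to the session table, so security policies and IPsec no longer apply to it. Keep the filter narrow, put it only on interfaces that carry pure transit traffic, and confirm the result with `show security flow status`, which reports the current IPv4 and IPv6 forwarding modes.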
 

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> Anyone familiar with the Juniper SRXs? They're interesting machines; they're full-blown routers with a heavy dose of security features. For example, they can do stateful firewalling, IDS, UTM, etc.
>
> I purchased a cheap little SRX300 to get my feet wet. It can supposedly firewall at 1Gbps line rate. It seems powerful for being a silent desktop unit.
>
> I'm looking for any advice on where to get started learning JunOS. I'm familiar with Cisco and Arista CLIs, and with some basic Linux and OpenBSD firewalling. At this point I just want to experiment with it, blow it away, and then start over.
>
> Secondly, does anyone have any software images for this thing? I'd like to have a backup available if I mess it up too badly, and Juniper wants me to have an active support contract. The support is around $100, and I just can't justify paying for support on a machine in my office that isn't even lab status yet; it's pre-lab.
>
> Any help and guidance is appreciated!
Well, it's basically JunOS, and JunOS is basically a customized FreeBSD image with a new kernel and Juniper-specific userland utils. If you get access to a higher-spec Juniper MX or T-series router (the routing engine is x64-based), you would be able to download their JunOS image and install it on a FreeBSD VM (it does require you to hack up the installer script)... which is how JNCIA techs cut their teeth learning JunOS, that or hiring lab time. Tossing JunOS on something like that makes it an "olive" (nickname for an unofficial VMware x86/x64-based VM that runs JunOS derived from FreeBSD, tolerated within Juniper as long as it stays test-only).

As for the SRX300, they are Cavium Octeon (MIPS64) multicore-based, so setting up Olives for them will not work. Do you know which specific IOS image you are looking for?
 

oddball

Active Member
May 18, 2018
206
121
43
42
@WANg

JunOS is really interesting so far. Sort of reminds me of our Arista switches in that it's FreeBSD (Linux for Arista) with command extensions. In both cases you can escape to the shell and run OS-level commands.

I know there is a vSRX version on Juniper's website.

I broke down and purchased a year's support for $50, so I should be able to grab images straight from their website once everything is activated.

What are the different software trains? I have 15x49 on the switch. But I see a 16 and an 18, and from Googling, people recommend staying away from them. It seems strange to be that far back. Are those dev branches?
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,728
3,076
113
33
fohdeesha.com
Oops, PM'ed you earlier and just now see you purchased a contract. Oh well, at least now you'll have backups :p $50 for a year is not a bad price at all.
 

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> @WANg
>
> JunOS is really interesting so far. Sort of reminds me of our Arista switches in that it's FreeBSD (Linux for Arista) with command extensions. In both cases you can escape to the shell and run OS-level commands.
>
> I know there is a vSRX version on Juniper's website.
>
> I broke down and purchased a year's support for $50, so I should be able to grab images straight from their website once everything is activated.
>
> What are the different software trains? I have 15x49 on the switch. But I see a 16 and an 18, and from Googling, people recommend staying away from them. It seems strange to be that far back. Are those dev branches?

JunOS 15x49 is considered "Telecom" quality (long-term support, five-nines operation), while the other chains are viewed as less mature. You generally do not put the latest release on, say, a core/operations switch unless absolutely necessary.
 

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> I used to love Juniper SRXs... for edge routing and firewall duties. However, they are not well known for being good at UTM. I'd no longer recommend them in general, instead opting for FortiGate firewalls (better UTM features and bang for the buck). They are solid though.
>
> Junos, I would say, is about as dissimilar to Cisco CLI as you can get. It's a lot like Vyatta. The documentation is pretty good... just dive right in.
> Do take a look at this link describing the two forwarding modes of the SRX: Juniper Networks - [SRX] How to change forwarding mode for IPv4 from 'flow based' to 'packet based'

Well, I used SRX100s and 200s as IPsec VPN endpoints to connect data centers, but I don't remember the SRXs having much functionality for UTM duties. For UTM stuff I went with Astaro (sold to Sophos) or Pulse Secure (it was the old Juniper MAG series spinoff). I don't use them anymore (the CIO at my current gig is a big Cisco nerd), but they were decent enough. The Juniper CLI does seem nicer compared to the older Cisco IOS stuff, with sane command completion and the ability to do config snapshots and automated rollbacks.
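An added example of the config-snapshot and automated-rollback workflow WANg refers to, written as a Junos CLI session. It is not from the thread; the hostname, the zone names and the allow-web policy are assumptions, and the lines beginning with ## are explanatory notes rather than CLI input.

```junos
user@srx300> configure
## Build a change in the candidate configuration (nothing is live yet).
user@srx300# set security policies from-zone trust to-zone untrust policy allow-web match source-address any
user@srx300# set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
user@srx300# set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
user@srx300# set security policies from-zone trust to-zone untrust policy allow-web then permit
## Review the diff between the candidate and the running configuration.
user@srx300# show | compare
## Activate it, but have Junos roll back automatically after 5 minutes
## unless a plain commit follows (protects against locking yourself out).
user@srx300# commit confirmed 5
## ... verify management access and tunnels still work, then make it permanent.
user@srx300# commit
## To undo instead: load the previously committed snapshot and activate it.
user@srx300# rollback 1
user@srx300# commit
## Junos keeps numbered snapshots of earlier commits; list them with:
user@srx300# run show system commit
```

The `commit confirmed` step is the part worth building a habit around on a firewall: a policy or interface change that cuts off your own management session is reverted by the device itself, without a console trip. `rollback 0` discards an uncommitted candidate; `rollback 1` and higher reach back through the commit history shown by `show system commit`.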
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Disclaimer: I work for Juniper :)

The Juniper firewalls these days have really advanced UTM capabilities, and are just as capable as, or even more so than, equivalent firewalls from Palo Alto, Fortinet, etc. There has been a LOT of progress made in the last 2 years to build advanced features into them :)

You can license them for all the L4-L7 stuff you'd expect, like AntiVirus, AntiSpam, application control, SPI, DPI, web and content filtering, sandboxing both in the cloud with SkyATP and on-premise with JATP, etc., etc.

I'm not going to bore you all with the details, so I'll just link to this instead: UTM Feature Guide for Security Devices - TechLibrary - Juniper Networks

If anyone needs an image or has any questions, let me know.
 

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> Disclaimer: I work for Juniper :)
>
> The Juniper firewalls these days have really advanced UTM capabilities, and are just as capable as, or even more so than, equivalent firewalls from Palo Alto, Fortinet, etc. There has been a LOT of progress made in the last 2 years to build advanced features into them :)
>
> You can license them for all the L4-L7 stuff you'd expect, like AntiVirus, AntiSpam, application control, SPI, DPI, web and content filtering, sandboxing both in the cloud with SkyATP and on-premise with JATP, etc., etc.
>
> I'm not going to bore you all with the details, so I'll just link to this instead: UTM Feature Guide for Security Devices - TechLibrary - Juniper Networks
>
> If anyone needs an image or has any questions, let me know.

Is there such a thing as vSRX (something like a VMware virtual appliance that I can drop into ESXi)? I kinda want to play around with the newer SRX builds with the UTM entitlements, but hacking up an Olive using a FreeBSD VM is painful even in the JunOS 14 days, and that only works on x86-based hardware like the T-series. If I remember correctly the SRX 100-300 machines are all Cavium Octeons, and I am not sure what hardware is in them these days...
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
> Is there such a thing as vSRX (something like a VMware virtual appliance that I can drop into ESXi)? I kinda want to play around with the newer SRX builds with the UTM entitlements, but hacking up an Olive using a FreeBSD VM is painful even in the JunOS 14 days, and that only works on x86-based hardware like the T-series. If I remember correctly the SRX 100-300 machines are all Cavium Octeons, and I am not sure what hardware is in them these days...

Not only is there a vSRX that runs under VMware etc., but there is also a cSRX that runs as a Docker container :)

vSRX info
cSRX info

vSRX is a simple VMware OVA file you can fire up and get running via the CLI or the J-Web GUI, but a lot of the more advanced features will require licensing.
 

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> Not only is there a vSRX that runs under VMware etc., but there is also a cSRX that runs as a Docker container :)
>
> vSRX info
> cSRX info
>
> vSRX is a simple VMware OVA file you can fire up and get running via the CLI or the J-Web GUI, but a lot of the more advanced features will require licensing.

Oh yeah. Just found it on my Juniper.net login. I'll give the vSRX eval image a spin in my ESXi environment. That one should probably have the time-limited licenses for playing with the UTM features.
 
Jan 4, 2014
89
13
8
> Disclaimer: I work for Juniper :)
>
> The Juniper firewalls these days have really advanced UTM capabilities, and are just as capable as, or even more so than, equivalent firewalls from Palo Alto, Fortinet, etc. There has been a LOT of progress made in the last 2 years to build advanced features into them :)
>
> You can license them for all the L4-L7 stuff you'd expect, like AntiVirus, AntiSpam, application control, SPI, DPI, web and content filtering, sandboxing both in the cloud with SkyATP and on-premise with JATP, etc., etc.
>
> I'm not going to bore you all with the details, so I'll just link to this instead: UTM Feature Guide for Security Devices - TechLibrary - Juniper Networks
>
> If anyone needs an image or has any questions, let me know.

Disclaimer: NetScreen dude

Can't believe you all killed ScreenOS :)
Or even worse, didn't release it to the open-source community..

It still outperforms the FortiOS and Palo Alto spin-offs ;)
 

oddball

Active Member
May 18, 2018
206
121
43
42
> Disclaimer: I work for Juniper :)
>
> The Juniper firewalls these days have really advanced UTM capabilities, and are just as capable as, or even more so than, equivalent firewalls from Palo Alto, Fortinet, etc. There has been a LOT of progress made in the last 2 years to build advanced features into them :)
>
> You can license them for all the L4-L7 stuff you'd expect, like AntiVirus, AntiSpam, application control, SPI, DPI, web and content filtering, sandboxing both in the cloud with SkyATP and on-premise with JATP, etc., etc.
>
> I'm not going to bore you all with the details, so I'll just link to this instead: UTM Feature Guide for Security Devices - TechLibrary - Juniper Networks
>
> If anyone needs an image or has any questions, let me know.

Curious about cSRX. Is the purpose to firewall between containers and do east-west segregation? Or is it meant to be deployed on a container server without the need for specialized hardware?

And in the second scenario, what sort of bandwidth can it handle?

And then beyond this, what's the interaction like? You deploy on Docker, then do you open a prompt on the image and now you're in JunOS?

This is really interesting stuff.