`
`Case 3:17-cv-05659-WHA Document 88-11 Filed 05/18/18 Page 1 of 20
`
`EXHIBIT 13
`
`
`
`SRX Series Services
`Gateways for the Branch
`
`SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650
`
`Product Overview
`
SRX Series Services Gateways for the branch are next-generation security gateways that provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and next generation firewall capabilities in a single device, enterprises can protect their resources as well as economically deliver new services, safe connectivity, and a satisfying end-user experience. All SRX Series Services Gateways, including products scaled for Enterprise branch, Enterprise edge, and Data Center applications, are powered by Junos OS—the proven operating system that provides unmatched consistency, better performance with services, and superior infrastructure protection at a lower total cost of ownership.
`
`Product Description
`The Juniper Networks® SRX Series Services Gateways for the branch combine next
`generation firewall and unified threat management (UTM) services with routing and
`switching in a single, high-performance, cost-effective network device.
`
`• SRX Series for the branch runs Juniper Networks Junos® operating system, the proven
`OS that is used by core Internet routers in all of the top 100 service providers around the
`world. The rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and
`multicast have been proven in over 15 years of worldwide deployments.
`
`• SRX Series for the branch provides perimeter security, content security, application
`visibility, tracking and policy enforcement, user role-based control, threat intelligence
`through integration with Juniper Networks Spotlight Secure*, and network-wide threat
`visibility and control. Using zones and policies, network administrators can configure
`and deploy branch SRX Series gateways quickly and securely. Policy-based VPNs
`support more complex security architectures that require dynamic addressing and
`split tunneling. The SRX Series also includes wizards for firewall, IPsec VPN, Network
`Address Translation (NAT), and initial setup to simplify configurations out of the box.
`
`• For content security, SRX Series for the branch offers a complete suite of next
`generation firewall, unified threat management (UTM) and threat intelligence
`services consisting of: intrusion prevention system (IPS), application security
`(AppSecure), user role-based firewall controls, on-box and cloud-based antivirus,
`antispam, and enhanced Web filtering to protect your network from the latest
`content-borne threats. Integrated threat intelligence via Spotlight Secure offers
`adaptive threat protection against command and control (C&C) related botnets and
`policy enforcement based on GeoIP and attacker fingerprinting technology (the latter
`for Web application protection)—all of which are based on Juniper provided feeds.
`Customers may also leverage their own custom and third-party feeds for protection
`from advanced malware and other threats. The branch SRX Series integrates with
`other Juniper security products to deliver enterprise-wide unified access control
`(UAC) and adaptive threat management.
`
`• SRX Series for the branch are secure routers that bring high performance and proven
`deployment capabilities to enterprises that need to build a worldwide network of
`thousands of sites. The wide variety of options allow configuration of performance,
`functionality, and price scaled to support from a handful to thousands of users.
`Ethernet, serial, T1/E1, DS3/E3, xDSL, Wi-Fi, and 3G/4G LTE wireless are all available
`options for WAN or Internet connectivity to securely link your sites. Multiple form factors
`allow you to make cost-effective choices for mission-critical deployments. Managing
`the network is easy using the proven Junos OS command-line interface (CLI), scripting
`capabilities, a simple-to-use Web-based GUI, or Juniper Networks Junos® Space
`Security Director for centralized management.
`
`*Available on SRX550 and higher devices
`
`Data Sheet
`Architecture and Key Components
`Key Hardware Features of the Branch SRX Series Products
`
SRX100 Services Gateway
• Eight 10/100 Ethernet LAN ports and 1 USB port (support for 3G USB)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, AppSecure¹
• 2 GB DRAM, 2 GB flash default

SRX110 Services Gateway
• VDSL/ADSL2+ and Ethernet WAN interfaces
• Eight 10/100 Ethernet LAN ports and two USB ports (support for 3G USB)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, intrusion prevention system¹, AppSecure¹
• Unified Access Control (UAC) and content filtering
• 2 GB DRAM, 2 GB CF default

SRX210 Services Gateway
• Two 10/100/1000 Ethernet and 6 10/100 Ethernet LAN ports, 1 Mini-PIM slot, and 2 USB ports (support for 3G USB)
• Factory option of 4 dynamic Power over Ethernet (PoE) ports 802.3af
• Support for T1/E1, serial, ADSL/2/2+, VDSL, G.SHDSL, and Ethernet small form-factor pluggable transceiver (SFP)
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV (with high memory version)
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• 2 GB DRAM, 2 GB flash default

SRX220 Services Gateway
• Eight 10/100/1000 Ethernet LAN ports, 2 Mini-PIM slots
• Factory option of 8 PoE ports; PoE+ 802.3at, backwards compatible with 802.3af
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, and Ethernet SFP
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall and AppSecure¹
• 2 GB DRAM, 2 GB CF default

SRX240 Services Gateway
• 16 10/100/1000 Ethernet LAN ports, 4 Mini-PIM slots
• Factory option of 16 PoE ports; PoE+ 802.3at, backwards compatible with 802.3af
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, and Ethernet SFP
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, AppSecure¹

SRX550 Services Gateway
• Ten fixed Ethernet ports (6 10/100/1000 copper, 4 SFP), 2 Mini-PIM slots, 6 GPIM slots or multiple GPIM and XPIM combinations
• Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, DS3/E3, Gigabit Ethernet ports; supports up to 52 Ethernet ports including SFP; 40 switch ports with optional PoE including 802.3at, PoE+, backwards compatible with 802.3af (or 50 non-PoE 10/100/1000 copper ports)
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• Threat intelligence for protection from command and control (C&C) botnets, Web application threats, and advanced malware, and policy enforcement based on GeoIP data
• 2 GB DRAM default, 2 GB compact flash default (SRX550)
• 4 GB DRAM default, 8 GB compact flash default (SRX550 High Memory)
• Optional redundant AC power; standard AC power supply that is PoE-ready; PoE power up to 250 watts single power supply or 500 watts dual power supply

SRX650 Services Gateway
• Four fixed ports 10/100/1000 Ethernet LAN ports, 8 GPIM slots or multiple GPIM and XPIM combinations
• Support for T1, E1, DS3/E3, Ethernet ports; supports up to 52 Ethernet ports including SFP; 48 switch ports with optional PoE including 802.3at, PoE+, backwards compatible with 802.3af (or 52 non-PoE 10/100/1000 copper ports)
• Content Security Accelerator hardware for faster performance of IPS and ExpressAV
• Full UTM¹; antivirus¹, antispam¹, enhanced Web filtering¹, and content filtering
• Intrusion prevention system¹, User role-based firewall, and AppSecure¹
• Threat intelligence for protection from command and control (C&C) botnets, Web application threats, and advanced malware, and policy enforcement based on GeoIP data
• Modular Services and Routing Engine; future internal failover and hot-swap
• 2 GB DRAM default, 2 GB compact flash default, external compact flash slot for additional storage
• Optional redundant AC power; standard AC power supply that is PoE-ready; PoE power up to 250 watts single power supply or 500 watts dual power supply

Network Deployments

The SRX Series Services Gateways for the branch are deployed at remote, branch and Enterprise edge locations in the network to provide all-in-one secure WAN connectivity, and connection to local PCs and servers via integrated Ethernet switching.

¹ Unified Threat Management—antivirus, antispam, Web filtering, AppSecure, and IPS require a subscription license option to use the feature. UTM is not supported on the low memory version. Please see the ordering section for options. Content Filtering and UAC are part of the base software with no additional license.
`
`
`Features and Benefits
`Next Generation Firewall
`
SRX Series Services Gateways deliver next generation firewall protection with application awareness and extensive user role-based control options plus best-of-breed UTM to protect and control your business assets. Next generation firewalls are able to perform full packet inspection and can apply security policies based on layer 7 information. This means you can create security policies based on the application running across your network, the user who is receiving or sending network traffic or the content that is traveling across your network to protect your environment against threats, manage how your network bandwidth is allocated, and control who has access to what.

Figure 1: Firewalls, zones, and policies (diagram labels: “Untrust” Zone, Internet, “Trust” Zone, Intranet, “Guest” Zone, “DMZ” Zone)
`
`AppSecure
`
AppSecure is a suite of application security capabilities for Juniper Networks SRX Series Services Gateways that identifies applications for greater visibility, enforcement, control, and protection of the network.
`
`Intrusion Prevention
`
`The intrusion prevention system (IPS) understands application
`behaviors and weaknesses to prevent application-borne security
`threats that are difficult to detect and stop.
`
`Unified Threat Management (UTM)
`
`SRX Series can include comprehensive content security against
`malware, viruses, phishing attacks, intrusions, spam and other
`threats with unified threat management (UTM). Get a best-
`of-breed solution with anti-virus, anti-spam, web filtering and
`content filtering at a great value by easily adding these services
`to your SRX Series Services Gateway. Cloud-based and on-box
`solutions are both available.
`
`User Firewall
`
`Juniper offers a range of user role-based firewall control solutions
`that support dynamic security policies. User role-based firewall
`capabilities are integrated with the SRX Series Services Gateways
`for standard next generation firewall controls. More extensive,
`scalable, granular access controls for creating dynamic policies
`are available through the integration of SRX with a Juniper
`Unified Access Control solution.
`
`Adaptive Threat Intelligence
`
`To address the evolving threat landscape that has made it
`imperative to integrate external threat intelligence into the
`firewall for thwarting advanced malware and other threats, some
`SRX Series Services Gateways include threat intelligence via
`integration with Spotlight Secure. The Spotlight Secure threat
`intelligence platform aggregates threat feeds from multiple
`sources to deliver open, consolidated, actionable intelligence to
`SRX Series Services Gateways across the organization for policy
`enforcement. These sources include Juniper threat feeds, third
`party threat feeds and threat detection technologies that the
`customer can deploy.
`
`Administrators are able to define enforcement policies from all
`feeds via a single, centralized management point, Junos Space
`Security Director.
`
`Secure Routing
`
`Many organizations use both a router and a firewall/VPN at their
`network edge to fulfill their networking and security needs. For
`many organizations, the SRX Series for the branch can fulfill
`both roles with one solution. Juniper built best-in-class routing,
`switching and firewall capabilities into one product.
`
`SRX Series for the branch checks the traffic to see if it is
`legitimate and permissible, and only forwards it on when it is.
`This reduces the load on the network, allocates bandwidth for all
`other mission-critical applications, and secures the network from
`malicious users.
`
`The main purpose of a secure router is to provide firewall
`protection and apply policies. The firewall (zone) functionality
`inspects traffic flows and state to ensure that originating and
`returning information in a session is expected and permitted for
`a particular zone. The security policy determines if the session
`can originate in one zone and traverse to another zone. Due to
`the architecture, SRX Series receives packets from a wide variety
`of clients and servers and keeps track of every session, of every
`application, and of every user. This allows the enterprise to make
`sure that only legitimate traffic is on its network and that traffic is
`flowing in the expected direction.
`
`High Availability
`Junos Services Redundancy Protocol (JSRP) is a core feature
`of the SRX Series for the branch. JSRP enables a pair of SRX
`Series systems to be easily integrated into a high availability
`network architecture, with redundant physical connections
`between the systems and the adjacent network switches. With
`link redundancy, Juniper Networks can address many common
`causes of system failures, such as a physical port going bad
`or a cable getting disconnected, to ensure that a connection
`is available without having to fail over the entire system. This
`is consistent with a typical active/standby nature of routing
`resiliency protocols.
`
`
Figure 2: High availability (diagram panels labeled Active/Standby and Active/Active; labels: Internet, SRX240, EX Series; node states shown: Active, Standby, Failure)
`
When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration are mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series synchronizes both configuration and runtime information. As a result, the following information is shared across a failover: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. By contrast, with typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), all dynamic flow and session information is lost and must be reestablished in the event of a failover, and some or all network sessions will have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is kept intact. In an unstable network, this active/active configuration also mitigates the effect of link flapping on session performance.
`
Session-Based Forwarding Without the Performance Hit

In order to optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions have a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route.
`
`Figure 3 shows the session-based forwarding algorithm. When a
`new session is established, the session-based architecture within
`Junos OS verifies that the session is allowed by the forwarding
`policies. If the session is allowed, Junos OS will look up the next-
`hop route in the routing table. It then inserts the session and the
`next-hop route into the session and forwarding table and forwards
`the packet. Subsequent packets for the established session
`require a single table lookup in the session and forwarding table,
`and are forwarded to the egress interface.
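
The session-based forwarding and zone policy behaviour described above, as an added Python sketch (not Juniper code and not part of the original data sheet). Interface names, addresses, routes and policies are constructed sample data; unlike the order given in the text, this model resolves the route before the policy check so that the destination zone is known.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional, Tuple

# Constructed sample data (interface names, prefixes and policies are illustrative).
ZONES = {"ge-0/0/0": "untrust", "ge-0/0/1": "trust", "ge-0/0/2": "dmz"}
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/0"),
    (ipaddress.ip_network("10.1.0.0/16"), "ge-0/0/1"),
    (ipaddress.ip_network("10.2.0.0/24"), "ge-0/0/2"),
]
# Permitted (from_zone, to_zone, protocol, destination port); anything else is denied.
POLICIES = {("trust", "untrust", "tcp", 443), ("untrust", "dmz", "tcp", 443)}


class Packet(NamedTuple):
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self):
        # Combined session and forwarding table: flow key -> egress interface.
        self.sessions = {}
        self.stats = Counter()

    def _route_lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over ROUTES; returns the egress interface."""
        self.stats["route_lookups"] += 1
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, ifname) for net, ifname in ROUTES if addr in net]
        return max(matches)[1] if matches else None

    def process(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        in_zone = ZONES[pkt.in_if]
        # The ingress zone is part of the key, so a packet that copies a
        # session's addresses and ports but arrives from another zone misses.
        key = (in_zone, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

        # Established session: one lookup authorizes the packet and yields the next hop.
        egress = self.sessions.get(key)
        if egress is not None:
            self.stats["session_hits"] += 1
            return ("forward", egress)

        # First packet of a flow: find the egress zone, then evaluate zone policy.
        egress = self._route_lookup(pkt.dst)
        if egress is None:
            return ("drop", None)
        out_zone = ZONES[egress]
        self.stats["policy_evals"] += 1
        if (in_zone, out_zone, pkt.proto, pkt.dport) not in POLICIES:
            return ("drop", None)

        # Table update: install the forward entry and the expected return direction.
        self.sessions[key] = egress
        reverse = (out_zone, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[reverse] = pkt.in_if
        return ("forward", egress)


def run_demo():
    gw = Gateway()
    client_out = Packet("ge-0/0/1", "tcp", "10.1.0.5", 51000, "198.51.100.10", 443)
    reply = Packet("ge-0/0/0", "tcp", "198.51.100.10", 443, "10.1.0.5", 51000)
    # Inbound connection with no session and no permitting policy.
    unsolicited = Packet("ge-0/0/0", "tcp", "203.0.113.9", 40000, "10.1.0.5", 22)
    # Same addresses and ports as the reply, but arriving on the DMZ interface.
    wrong_zone_reply = reply._replace(in_if="ge-0/0/2")
    packets = (client_out, client_out, reply, unsolicited, wrong_zone_reply)
    results = [gw.process(p) for p in packets]
    return results, dict(gw.stats)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Only the first packet of the permitted flow and the two rejected packets reach policy evaluation; the repeated outbound packet and the reply are forwarded from the session table alone.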
`
Figure 3: Session-based forwarding algorithm (diagram labels: Ingress Interface; Session Initial Packet Processing; Security Policy Evaluation and Next-Hop Lookup; Disallowed by Policy: Dropped; Table Update; Session and Forwarding Table; Forwarding for Permitted Traffic; Egress Interface)
`
`
Figure 4: The distributed enterprise (site labels: Small Office; Large HA Office; Mid-sized HA Branch; Small, Link HA Branch; Small Branch with Cellular Backup; Private Data Center; connectivity labels: Internet, Private WAN, 3G Connectivity, 4G LTE, VDSL, T1/E1, DS3/E3, SFP)

SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
`
`
Specifications

Protocols
• IPv4, IPv6, ISO Connectionless Network Service (CLNS)

Routing and Multicast
• Static routes
• RIPv2 +v1
• OSPF/OSPFv3
• BGP
• BGP Route Reflector¹
• IS-IS
• Multicast (Internet Group Management Protocol (IGMPv1/2/3), PIM-SM/DM/SSM, Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), source-specific, Multicast inside IPsec tunnel), MSDP
• MPLS (RSVP, LDP, Circuit Cross-connect (CCC), Translational Cross-connect (TCC), Layer 2 VPN (VPLS), Layer 3 VPN, VPLS, NGMVPN)

IP Address Management
• Static
• DHCP, PPPoE client
• Internal DHCP server, DHCP Relay

Address Translation
• Source NAT with Port Address Translation (PAT)
• Static NAT
• Destination NAT with PAT
• Persistent NAT, NAT64

Encapsulations
• Ethernet (MAC and VLAN tagged)
• Point-to-Point Protocol (PPP) (synchronous)
 - Multilink Point-to-Point Protocol (MLPPP)
• Frame Relay
 - Multilink Frame Relay (MLFR) (FRF.15, FRF.16), FRF.12, LFI
• High-Level Data Link Control (HDLC)
• Serial (RS-232, RS-449, X.21, V.35, EIA-530)
• 802.1q VLAN support
• Point-to-Point Protocol over Ethernet (PPPoE)

L2 Switching²
• 802.1Q, 802.1D, RSTP, MSTP, 802.3ad (LACP)
• 802.1x, LLDP, 802.1ad (Q-in-Q), IGMP Snooping
• Layer 2 switching with high availability

Traffic Management Quality of Service (QoS)
• 802.1p, DSCP, EXP
• Marking, policing, and shaping
• Class-based queuing with prioritization
• Weighted random early detection (WRED)
• Queuing based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multi-field (MF) filters
• Guaranteed bandwidth
• Maximum bandwidth
• Ingress traffic policing
• Priority-bandwidth utilization
• DiffServ marking
• Virtual channels

Security

Firewall
• Firewall, zones, screens, policies
• Stateful firewall, stateless filters
• Network attack detection
• Screens denial of service (DoS) and provides distributed denial of service (DDoS) protection (anomaly-based)
• Prevent replay attack; Anti-Replay
• Unified Access Control
 - TCP reassembly for fragmented packet protection
 - Brute force attack mitigation
 - SYN cookie protection
 - Zone-based IP spoofing
 - Malformed packet protection

NGFW/UTM³
• Intrusion Prevention System (IPS)
 - Protocol anomaly detection
 - Stateful protocol signatures
 - Intrusion prevention system (IPS) attack pattern obfuscation
 - User role-based policies
• Customer signatures creation
• Multiple times a week and emergency updates
• AppSecure
 - AppTrack (application visibility and tracking)
 - AppFirewall (policy enforcement by application name)
 - Custom signatures
 - AppQoS (network traffic prioritization and bandwidth management)
 - Dynamic signature updates
 - User-based application policy enforcement
• Antivirus
 - Express AV (stream-based AV, not available on SRX100 and SRX110)
 - File-based antivirus
• Signature database
• Protocols scanned: POP3, HTTP, SMTP, IMAP, FTP

¹ BGP Route Reflector supported on SRX550 and SRX650. See ordering section for more information.
² As of Junos 15.1X49-D40, the SRX550 High Memory unit does not support xSTP, LLDP, 802.1x, Q-in-Q, IGMP Snooping and L2 switching with HA.
³ Unified Threat Management – antivirus, antispam, Web filtering, AppSecure, and IPS require individual subscription license. UTM is not supported on the low memory version. Please see the ordering section for options.
`
`
• Antispyware
• Anti-adware
• Antikeylogger
 - Cloud-based antivirus
• Antispam
• Integrated enhanced Web filtering
 - Category granularity (90+ categories)
 - Real time threat score
• Redirect Web filtering
• Content Security Accelerator in SRX210 high memory, SRX220, SRX240, SRX550, and SRX650⁴
• ExpressAV option in SRX210 high memory, SRX220 high memory, SRX240, SRX550, and SRX650⁴
• Content filtering
 - Based on MIME type, file extension, and protocol commands

VPN
• Auto VPN (Zero Touch Hub)
• Tunnels (GRE, IP-IP, IPsec)
• IPsec, Data Encryption Standard (DES) (56-bit), triple Data Encryption Standard (3DES) (168-bit), Advanced Encryption Standard (AES) (128-bit+) encryption
• Message Digest 5 (MD5), SHA-1, SHA-128, SHA-256 authentication
• Junos Pulse Dynamic VPN client; browser-based remote access feature requiring a license
• IPv4 and IPv6 VPN
• Multi-Proxy ID for site-to-site VPN

Multimedia Transport
• Compressed Real-Time Transport Protocol (CRTP)

High Availability
• VRRP
• JSRP
• Stateful failover and dual box clustering
• SRX550/SRX650:
 - Redundant power (optional)
 - GPIM hot swap
 - Future internal failover and SRE hot swap (OIR) on SRX650
• Backup link via 3G/4G LTE wireless or other WAN
• Active/active—L3 mode⁵
• Active/passive—L3 mode⁵
• Configuration synchronization⁵
• Session synchronization for firewall and VPN⁵
• Session failover for routing change⁵
• Device failure detection⁵
• Link failure detection⁵
• IP Monitoring with route and interface failover

IPv6
• OSPFv3
• RIPng
• IPv6 Multicast Listener Discovery (MLD)
• BGP
• ISIS

Wireless
• CX111 Cellular 3G/4G/LTE Broadband Data Bridge supported on all branch SRX Series devices
• 3G USB modem support for SRX100, SRX110, and SRX210

SLA, Measurement, and Monitoring
• Real-time performance monitoring (RPM)
• Sessions, packets, and bandwidth usage
• Juniper J-Flow monitoring and accounting services
• IP Monitoring

Logging
• Syslog
• Traceroute
• Extensive control- and data-plane structured and unstructured syslog

Administration
• Juniper Networks Network and Security Manager support (NSM)
• Juniper Networks Junos Space Security Director support
• Juniper Networks STRM Series Security Threat Response Managers support
• Juniper Networks Advanced Insight Solutions support
• External administrator database (RADIUS, LDAP, SecureID)
• Auto-configuration
• Configuration rollback
• Rescue configuration with button
• Commit confirm for changes
• Auto-record for diagnostics
• Software upgrades (USB upgrade option)
• Juniper Networks J-Web
• Command-line interface
• Smart image download

Certifications
• NEBS Compliance for SRX240, SRX650⁶
• Department of Defense (DoD) Certification for SRX Series Services Gateways, including testing and certification by the Department of Defense Joint Interoperability Test Command (JITC) for interoperability with DoD networks and addition of the SRX Series Services Gateways to the Unified Capabilities Approved Product List (UC APL)

⁴ Unified Threat Management – antivirus, antispam, Web filtering, AppSecure and IPS require individual subscription license. UTM is not supported on the low memory version. Please see the ordering section for options.
⁵ SRX100B installed with 1 GB DRAM, with 512 MB accessible. Optional upgrade to 1 GB DRAM is available with purchase of memory software license key.
⁶ Coming soon for SRX110 and SRX550.
`
`
Product Comparison

| Maximum Performance and Capacity | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Junos OS version tested | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 12.1X44-D15 | Junos OS 11.4R5 | Junos OS 12.1/15.1⁷ | Junos OS 11.4R5 |
| Firewall performance (large packets) | 700 Mbps | 700 Mbps | 850 Mbps | 950 Mbps | 1.8 Gbps | 7 Gbps | 7 Gbps |
| Firewall performance (IMIX) | 200 Mbps | 200 Mbps | 250 Mbps | 300 Mbps | 600 Mbps | 2 Gbps | 2.5 Gbps |
| Firewall + routing PPS (64 Byte) | 70 Kpps | 70 Kpps | 95 Kpps | 125 Kpps | 200 Kpps | 700 Kpps | 850 Kpps |
| Firewall performance⁸ (HTTP) | 100 Mbps | 100 Mbps | 290 Mbps | 350 Mbps | 830 Mbps | 2 Gbps | 2 Gbps |
| IPsec VPN throughput (large packets) | 65 Mbps | 65 Mbps | 85 Mbps | 100 Mbps | 300 Mbps | 1.0 Gbps | 1.5 Gbps |
| IPsec VPN tunnels | 128 | 128 | 256 | 512 | 1,000 | 2,000 | 3,000 |
| AppSecure firewall throughput⁸ | 90 Mbps | 90 Mbps | 250 Mbps | 300 Mbps | 750 Mbps | 2.0 Gbps | 1.9 Gbps |
| IPS (intrusion prevention system) | 75 Mbps⁹ | 75 Mbps | 65 Mbps | 80 Mbps | 230 Mbps | 800 Mbps | 1 Gbps |
| Antivirus | 25 Mbps (Sophos AV) | 25 Mbps (Sophos AV) | 30 Mbps (Sophos AV) | 35 Mbps (Sophos AV) | 85 Mbps (Sophos AV) | 300 Mbps (Sophos AV) | 350 Mbps (Sophos AV) |
| Connections per second | 1,800 | 1,800 | 2,200 | 2,800 | 8,500 | 27,000 | 35,000 |
| Maximum concurrent sessions | 32 K⁷ | 32 K⁷ | 64 K⁷ | 96 K⁷ | 256 K⁷ | 375 K | 512 K |
| DRAM options | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB DRAM | 2 GB/4 GB⁷ DRAM | 2 GB DRAM |
| Maximum security policies | 384 | 384 | 512 | 2,048 | 4,096 | 8,000 | 8,192 |
| Maximum users supported | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted |

| Network Connectivity | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Fixed I/O | 8 x 10/100 | 8 x 10/100, VDSL/ADSL2+ WAN (Annex A or B) | 2 x 10/100/1000 BASE-T + 6 x 10/100 | 8 x 10/100/1000 BASE-T | 16 x 10/100/1000 BASE-T | 6 x 10/100/1000 BASE-T + 4 SFP | 4 x 10/100/1000 BASE-T |
| I/O slots | N/A | N/A | 1 x SRX Series Mini-PIM | 2 x SRX Series Mini-PIM | 4 x SRX Series Mini-PIM | 2 x SRX Series Mini-PIM, 6 x GPIM or multiple GPIM and XPIM combinations | 8 x GPIM or multiple GPIM and XPIM combinations |
| Services and Routing Engine slots | No | No | No | No | No | No | 2¹⁰ |
| WAN/LAN interface options | N/A | N/A | See ordering information | See ordering information | See ordering information | See ordering information | See ordering information |
| Maximum number of PoE ports (PoE optional on some SRX Series models) | N/A | N/A | Up to 4 ports of 802.3af with maximum 50 W | Up to 8 ports of 802.3af/at with maximum 120 W | Up to 16 ports of 802.3af/at with maximum 150 W | Up to 40 ports of 802.3af/at with maximum 247 W | Up to 48 ports of 802.3af/at with maximum 247 W |
| USB | 1 | 2 | 2 | 2 | 2 | 2 | 2 per SRE |

⁷ Based on 2 GbE memory models, which require Junos OS 12.1X44-D15 (exception: Junos OS 11.4r5 for SRX240 only).
⁸ Throughput numbers based on HTTP traffic with 44 kilobyte transaction size.
⁹ Use software based IPS engine which has higher performance and less capacity
¹⁰ SRX650 supports a single Services and Routing Engine (SRE) as of software release 11.4.
`
`
| Routing | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Routing (Packet Mode) PPS | 100Kpps | 100Kpps | 150Kpps | 200Kpps | 300Kpps | 1000Kpps | 1000Kpps |
| BGP instances | 5 | 5 | 10 | 16 | 20 | 56 | 64 |
| BGP peers | 8 | 8 | 16 | 16 | 32 | 192 | 256 |
| BGP routes | 8 K | 8 K | 16 K | 32 K | 600 K | 712 K | 800 K |
| OSPF instances | 4 | 4 | 10 | 16 | 20 | 56 | 64 |
| OSPF routes | 8 K | 8 K | 16 K | 32 K | 200 K | 200 K | 200 K |
| RIP v1 / v2 instances | 4 | 4 | 10 | 16 | 20 | 56 | 64 |
| RIP v2 routes | 8 K | 8 K | 16 K | 32 K | 32 K | 32 K | 32 K |
| Static routes | 8 K | 8 K | 16 K | 32 K | 100 K | 100 K | 100 K |
| Source-based routing | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Policy-based routing | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Equal-cost multipath (ECMP) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Reverse path forwarding (RPF) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

| IPsec VPN | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Concurrent VPN tunnels | 128 | 128 | 256 | 512 | 1,000 | 2,000 | 3,000 |
| Tunnel interfaces | 10 | 10 | 64 | 64 | 128 | 456 | 512 |
| DES (56-bit), 3DES (168-bit) and AES (256-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MD-5, SHA-1 and SHA-2 authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Manual key, Internet Key Exchange (IKE v1+v2), public key infrastructure (PKI) (X.509) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Perfect forward secrecy (DH Groups) | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 | 1, 2, 5 |
| Prevent replay attack | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamic remote access VPN | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IPsec NAT traversal | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Redundant VPN gateways | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Number of remote access users | 25 users | 25 users | 50 users | 150 users | 250 users | 500 users | 500 users |

| User Authentication and Access Control | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Third-party user authentication | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP | RADIUS, RSA SecureID, LDAP |
| RADIUS accounting | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| XAUTH VPN, Web-based, 802.X authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Certificate Authorities supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

| Virtualization | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Maximum number of security zones | 10 | 10 | 12 | 24 | 64 | 96 | 128 |
| Maximum number of virtual routers | 3 | 3 | 10 | 15 | 64 | 128 | 128 |
| Maximum number of VLANs | 16 | 16 | 64 | 128 | 2,000 | 3,967 | 3,967 |
`
`
| Encapsulations | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| PPP/MLPPP | N/A | N/A | Yes | Yes | Yes | Yes | Yes |
| PPPoE | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| PPPoA | N/A | Yes | Yes | Yes | Yes | Yes | Yes |
| MLPPP maximum physical interfaces | N/A | N/A | 1 | 2 | 4 | 12 | 12 |
| Frame Relay | N/A | N/A | Yes | Yes | Yes | Yes | Yes |
| MLFR (FRF.15, FRF.16) | N/A | N/A | Yes | Yes | Yes | Yes | Yes |
| MLFR maximum physical interfaces | N/A | N/A | 1 | 2 | 4 | 12 | 12 |
| HDLC | N/A | N/A | Yes | Yes | Yes | Yes | Yes |

| Wireless | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| CX111 3G/4G LTE Bridge support | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Junos/SRX Series management of CX111 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

| Flash and Memory | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX550 | SRX650 |
|---|---|---|---|---|---|---|---|
| Memory (DRAM) | 2 GB (SRX100H2) | 2 GB (SRX110H2) | 2 GB (SRX210HE2) | 2 GB (SRX220H2) | 2 GB (SRX240H2) | 2 GB/4 GB¹¹ | 2 GB (SRX650) |

Memory slots

Flash memory