SRX办事处系列分支网关(精)

行业领导者瞻博网络[NASDAQ:JNPR]成立于1996年，总部位于美国加利福尼亚州桑尼维尔，目前在全球近50个国家和地区设有办事处。

自成立之初，公司就一直帮助客户不断超越网络用户和终端数量飞速增长所引发的需求，同时满足对高性能、可靠性和绝对安全性的业务要求。

凭借我们在架构、芯片设计方面的核心能力，以及拥有业界唯一的电信级专用“纯IP”模块化网络操作系统“JUNOS® 软件”，瞻博网络一直保持着行业领先地位。

瞻博网络提供广泛的产品组合，涵盖了路由、交换、安全、应用加速、身份识别策略和控制以及管理等方面，旨在为客户提供无与伦比的性能、更出色的选择和灵活性，同时帮助降低总体拥有成本。

在每个涉入领域，瞻博网络的市场份额均位居前三甲，同时，也创造了很多个第一：第一个基于ASIC的路由器平台；第一个基于ASIC的防火墙；第一个入侵检测与防护（IDP）产品，以及最全面且最具远见的SSL VPN 产品。

企业愿景瞻博网络基于“连接一切，人人有能 (connecting everything and empowering everyone)”的理念，从根本上采用有别于竞争对手的方法来构建网络，致力于提供解决最棘手、最复杂的网络问题的解决方案，以实现“连接一切”的承诺。

背景Pradeep Sindhu在Xerox PARC的计算机科学实验室工作的11年中注意到了互联网的爆炸式增长和其重要性。

Sindhu也发现路由器的巨大潜力。

就这样，瞻博网络于1996年2月6日在加利福尼亚州成立了。

与很多新创立的公司不同，瞻博网络并没有从简单的问题着手，而是一开始就确定了它的标志性行事作风：应对最棘手的问题立即解决。

公司的首款产品，创新型M40路由器于1998年9月发售。

M40远远超越了市场上的所有其它路由产品，确立了瞻博网络在硬件市场上的创新型厂商的重要地位。

在开发M40的期间，瞻博网络开发了JUNOS软件。

该软件后来成为公司的主要优势，并为未来的一切创新奠定了强大的基础。

DATASHEETProduct DescriptionThe Juniper Networks ® SRX Series Services Gateways for the branch joins Juniper Networks SRX Series for the data center, EX Series Ethernet Switches, M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers. This provides a single Juniper Networks Junos ® operating system-based portfolio of unprecedented scale. With Junos OS, enterprises and service providers can lower deployment and operational costs across their entire distributed workforce.• SRX Series for the branch runs Junos OS, the proven operating system that is used by core Internet routers in all of the top 100 service providers around the world. The rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.• SRX Series for the branch provides perimeter security, content security, access control, and network-wide threat visibility and control. Using zones and policies, network administrators can configure and deploy branch SRX Series gateways quickly and securely. The SRX Series also includes wizards for firewall, IPsec VPN, NAT, and initial setup to simplify configurations out of the box.• Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, SRX Series for the branch offers a complete suite of Unified Threat Management (UTM) services consisting of: intrusion prevention system (IPS), on-box and cloud-based antivirus, antispam, Web filtering, and data loss prevention to protect your network from the latest content-borne threats. Select SRX Series models feature Content Security Accelerator for high-performance IPS and antivirus scanning. The branch SRX Series integrates with other Juniper security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.• SRX Series for the branch are secure routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allow configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, DOCSIS3, Wi-Fi, and 3G/4G/LTE wireless are all available options for WAN or Internet connectivity to securely link your sites. Multiple form factors allow you to make cost-effective choices for mission-critical deployments. Managing the network is easy using the proven Junos OS command-line interface (CLI), scripting capabilities, a simple-to-use Web-based GUI, or Network and Security Manager (NSM) for large scale deployments.Product OverviewJuniper Networks SRX Series Services Gateways for the branch are secure routers that provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All SRX Series Services Gateways, including products scaled for the branch, campus, and data center applications, are powered by Juniper Networks Junos OS—the proven operating system that provides unmatched consistency, better performance with services, and superior infrastructure protection at a lower total cost of ownership.SRX SERIES SERVICES GATEWAYS FOR THE BRANCHSRX100, SRX210, SRX220, SRX240 AND SRX650Architecture and Key ComponentsKey Hardware Features of the Branch SRX Series Productsnetwork DeploymentsThe SRX Series Services Gateways for the branch are deployed at remote and branch locations in the network to provide all-in-one secure WAN connectivity, IP telephony, and connection to local PCs and servers via integrated Ethernet switching.Features and Benefitssecure routingShould you use a router and a firewall to secure your network? By building the branch SRX Series with best-in-class routing, switching and firewall capabilities in one product, enterprises don’t have to make that choice. Why forward traffic if it’s not legitimate?SRX Series for the branch checks the traffic to see if it is legitimate and permitted, and only forwards it on when it is. This reduces the load on the network, allocates bandwidth for all other mission-critical applications, and secures the network from malicious users.The main purpose of a secure router is to provide firewall protection and apply policies. The firewall (zone) functionality inspects traffic flows and state to ensure that originating and returning information in a session is expected and permitted fora particular zone. The security policy determines if the sessioncan originate in one zone and traverse to another zone. This architectural choice receives packets from a wide variety of clients and servers and keeps track of every session, of every application, and of every user. It allows the enterprise to make sure that only legitimate traffic is on its network and that traffic is flowing in the expected direction.Figure 1: Firewalls, zones, and policiesFigure 2: High availabilityTo ease the configuration of a firewall, SRX Series for the branch uses two features—“zones” and “policies.” While these can be user-defined, the default shipping configuration contains, at a minimum, a “trust” and “untrust” zone. The trust zone is used for configuration and attaching the internal LAN to the branch SRX Series. The untrust zone is commonly used for the WAN or untrusted Internet interface. To simplify installation and make configuration easier, a default policy is in place that allows traffic originating from the trust zone to flow to the untrust zone. This policy blocks all traffic originating from the untrust zone to the trust zone. A traditional router forwards all traffic without regard to a firewall (session awareness) or policy (origination and destination of a session).By using the Web interface or CLI, enterprises can create a series of security policies that will control the traffic from within and in between zones by defining policies. At the broadest level, all types of traffic can be allowed from any source in security zones to any destination in all other zones without any scheduling restrictions. At the narrowest level, policies can be created that allow only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled time period.High AvailabilityJunos OS Services Redundancy Protocol (JSRP) is a core feature of the SRX Series for the branch. JSRP enables a pair of SRX Series systems to be easily integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. With link redundancy, Juniper Networks can address many common causes of system failures, such as a physical port going bad or a cable getting disconnected, to ensure that a connection is available without having to fail over the entire system. This is consistent with a typical active/standby nature of routing resiliency protocols.When SRX Series Services Gateways for the branch areconfigured as an active/active HA pair, traffic and configuration is mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series synchronizes both configuration and runtime information. As a result, during failover, synchronization of the following information is shared: connection/session state and flow information, IPSec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. InHigh AvailabilityActive /StandbyActiveActive /StandbyActive /ActiveActiveActive /Activecontrast to the typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), all dynamic flow and session information is lost and must be reestablished in the event of a failover. Some or all network sessions will have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is kept intact. In an unstable network, this active/active configuration also mitigates link flapping affecting session performance.session-Based Forwarding Without the Performance Hit In order to optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added tothe forwarding table along with a pointer to the next-hop route. Established sessions have a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route. Figure 3 shows the session-based forwarding algorithm. When a new session is established, the session-based architecture within Junos OS verifies that the session is allowed by the forwarding policies. If the session is allowed, Junos OS will look up the next-hop route in the routing table. It then inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single table lookup in the session and forwarding table, and are forwarded to the egress interface.Figure 3: Session-based forwarding algorithmPolicy: DroppedFigure 4: The distributed enterprisesrX100srX220 srX240specificationsProtocols• IPv4, IPv6, ISO Connectionless Network Service (CLNS) routing and Multicast• Static routes• RIPv2 +v1• OSPF/OSPFv3• BGP• BGP Router Reflector3• IS-IS• Multicast (Internet Group Management Protocol (IGMPv1/2/3), PIM-SM/DM, Session Description Protocol (SDP), DistanceVector Multicast Routing Protocol (DVMRP), source-specific), MSDP• MPLS (RSVP, LDP)5iP Address Management• Static• Dynamic Host Configuration Protocol (DHCP)(client and server)• DHCP relayencapsulations• Ethernet (MAC and VLAN tagged)• Point-to-Point Protocol (PPP) (synchronous)– Multilink Point-to-Point Protocol (MLPPP)• Frame Relay– Multilink Frame Relay (MLFR) (FRF.15, FRF.16), FRF.12, LFI • High-Level Data Link Control (HDLC)• Serial (RS-232, RS-449, X.21, V.35, EIA-530)• 802.1q VLAN support• Point-to-Point Protocol over Ethernet (PPPoE)switching• 802.1D, RSTP, MSTP, 802.3adtraffic Management• 802.1p, DSCP, EXP• Marking, policing, and shaping• Class-based queuing with prioritization• Weighted random early detection (WRED)• Queuing based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multi-field (MF) filterssecurity• Firewall, zones, screens, policies• Stateful firewall, stateless filters• Screens denial of service (DoS) and provides distributed denial of service (DDoS) protection (anomaly-based)• Prevent replay attack; Anti-Replay• Unified Access Control• UTM1 (SRX220, SRX650 and high memory versions of SRX240, SRX210, and SRX100 only)– Antivirus1, antispam1, Web filtering1, IPS1– C ontent Security Accelerator in SRX210 high memory, SRX220 high memory, SRX240 high memory, and SRX6501– E xpressAV option in SRX210 high memory, SRX220 highmemory, SRX240 high memory, and SRX6501– Content filteringVPn• Tunnels (GRE, IP-IP, IPsec)• IPsec, Data Encryption Standard (DES) (56-bit), triple Data Encryption Standard (3DES) (168-bit), Advanced Encryption Standard (AES) (128-bit+) encryption• Message Digest 5 (MD5),SHA-1 , SHA-128, SHA-256 authentication• Access Manager: Dynamic VPN Client. Browser-based remote access feature requiring a license.Multimedia transport• Compressed Real-Time Transport Protocol (CRTP)High Availability• VRRP• JSRP• Stateful failover and dual box clustering• SRX650:– Redundant power (optional)– GPIM hot swap on SRX650– Future internal failover and SRE hot swap (OIR)• Backup link via 3G wireless or other WANiPv65• OSPFv3• RIPng• IPv6 Multicast Listener Discovery (MLD)• BGP• ISISWireless• CX111 Cellular 3G/4G/LTE Broadband Data Bridge supported on all branch SRX Series devices• 3G ExpressCards supported on SRX210 with built-in ExpressCard slot• AX411 Wireless LAN (Wi-Fi 802.11 a/b/g/n) Access Point supported on all6 branch SRX Series devices• WLA Series Wireless LAN Access Points and WLC Series Wireless LAN Controllers are supported on branch SRX Series devicessrX650srX210sLA, Measurement, and Monitoring• Real-time performance monitoring (RPM)• Sessions, packets, and bandwidth usage• Juniper J-Flow monitoring and accounting servicesLogging• Syslog• Traceroute• Extensive control- and data-plane structured and unstructured syslogAdministration• Juniper Networks Network and Security Manager support (NSM)• Juniper Networks STRM Series Security Threat Response Managers support• Juniper Networks Advanced Insight Solutions support• External administrator database (RADIUS, LDAP, SecureID)• Auto-configuration • Configuration rollback• Rescue configuration with button • Commit confirm for changes • Auto-record for diagnostics • Junos OS upgrade with button • Software upgrades• Juniper J-Web, USB, HTTP, FTP, SSHCertifications• Common Criteria (CC) EAL3• FIPS-140 Level 2• Supported hardware versions of the FIPS 140-2•Gateways: SRX100B, SRX210B, SRX240B and SRX650-BASE-SRE6-645AP with JNPR-FIPS-TAMPER-LBLS -Roles, Services, and Authentication: Level 3 -EMI/EMC: Level 3-Design Assurance: Level 3-FIPS-approved algorithms: Triple-DES; AES; DSA; SHS; -RNG; RSA; HMAC• NEBS Compliance for SRX240, SRX650• Department of Defense (DoD) Certification for SRX Series Services Gateways, including testing and certification by the Department of Defense Joint Interoperability Test Command (JITC) for interoperability with DoD networks and addition of the SRX Series Services Gateways to the Unified Capabilities Approved Product List (UC APL)• DOCSIS3 mini-PIM certification by CableLabsJunos OS version testedJunos OS 10.4Junos OS 11.1Junos OS 10.4Junos OS 10.4Junos OS 10.4specifications (continued)BGP instances51016206410*There are several models available for the SRX210. Please contact your Juniper or partner account representative for more information.1. Unified Threat Management—antivirus, antispam, Web filtering, and IPS require a subscription license and the high memory system option to use the feature. UTM is not supported on the low memory version. Please see the ordering section for options. Content Filtering and UAC are part of the base software with no additional license.2. SRX100B installed with 1 GB DRAM, with 512 MB accessible. Optional upgrade to 1 GB DRAM is available with purchase of memory software license key.3. BGP Route Reflector supported on SRX650. See ordering section for more information.4. 3G USB modem support planned for availability Q4 2011.5. Supported in packet mode with services.6. SRX100 supports AX411 in 2H 2011.7. When UTM is enabled capacities supported are low memory specifications, on high memory system options.8. When UTM is enabled concurrent sessions supported is 50% 0f value shown. 9. SRX650 supports a single Services and Routing Engine (SRE).10. SRX210H-POE is Class A.Juniper networks services and supportJuniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services.Ordering informationSRX650-BASE-SRE6-645APSRX650 Services Gateway with 1 ServicesRouting Engine (SRE), 4 x 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, fan tray, 645 W AC PoE power supply unit for SRX650. Provides 397 W system power @ 12 V and 247 W PoE power @ 50 VDC. Works with 90-250 VAC input. Includes power cord and rack mount kit.srX650 interface ModulesProduct Comparison (continued)SRX650-K-AV One year subscription for Juniper-KasperskyAbout Juniper networksJuniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at .1000281-013-EN Aug 2011Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.eMeA Headquarters Juniper Networks Ireland Airside Business ParkSwords, County Dublin, Ireland Phone: 35.31.8903.600 EMEA Sales: 00800.4586.4737 Fax: 35.31.8903.601APAC HeadquartersJuniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King’s RoadTaikoo Shing, Hong Kong Phone: 852.2332.3636 Fax: 852.2574.7803Corporate and sales Headquarters Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100 Printed on recycled paperTo purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.。

Data SheetTable 1. SRX4100 and SRX4200 Statistics¹The SRX4100 and SRX4200 recognize more than 4,275 applications and nested applications in plain-text or SSL-encrypted transactions. The firewalls also integrate with Microsoft Active Directory and combine user information with application data to provide network-wide application and user visibility and control.Features and BenefitsTable 2. SRX4100 and SRX4200 Features and BenefitsSRX4100 and SRX4200 Services Gateways Specifications Software SpecificationsFirewall Services•Stateful and stateless firewall•Zone-based firewall•Screens and distributed denial of service (DDoS) protection •Protection from protocol and traffic anomalies•Unified Access Control (UAC)Network Address Translation (NAT)•Source NAT with Port Address T ranslation (PAT)•Bidirectional 1:1 static NAT•Destination NAT with PAT•Persistent NAT•IPv6 address translationVPN Features•Tunnels: Site-to-site, hub and spoke, dynamic endpoint,AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)•Juniper Secure Connect: Remote access/SSL VPN •Configuration payload: Yes•IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B•IKE authentication algorithms: MD5, SHA-1, SHA-128,SHA-256, SHA-384•Authentication: Pre-shared key and public key infrastructure(PKI) (X.509)•IPsec (Internet Protocol Security): Authentication Header(AH) / Encapsulating Security Payload (ESP) protocol •IPsec Authentication Algorithms: hmac-md5, hmac-sha-196,hmac-sha-256•IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC,AEC-CBC, AES-GCM, Suite B•Perfect forward secrecy, anti-reply•Internet Key Exchange: IKEv1, IKEv2•Monitoring: Standard-based dead peer detection (DPD)support, VPN monitoring•VPNs GRE, IP-in-IP, and MPLS High Availability Features•Virtual Router Redundancy Protocol (VRRP) – IPv4 and IPv6•Stateful high availability:-Dual box clustering-Active/passive-Active/active-Configuration synchronization-Firewall session synchronization-Device/link detection-In-Service Software Upgrade (ISSU)•IP monitoring with route and interface failoverApplication Security Services3•Application visibility and control•Application-based firewall•Application QoS•Advanced/application policy-based routing (APBR)•Application Quality of Experience (AppQoE)•Application-based multipath routing•User-based firewallThreat Defense and Intelligence Services3•Intrusion prevention system•Antivirus•Antispam•Category/reputation-based URL filtering•SSL proxy/inspection•Protection from botnets (command and control)•Adaptive enforcement based on GeoIP•Juniper Advanced Threat Prevention, a cloud-based SaaSoffering, to detect and block zero-day attacks•Adaptive Threat Profiling•Encrypted T raffic Insights•SecIntel to provide threat intelligence•Juniper ATP Appliance, a distributed, on-premises advancedthreat prevention solution to detect and block zero-day attacks Offered as advanced security subscription license.Routing Protocols•IPv4, IPv6, static routes, RIP v1/v2•OSPF/OSPF v3•BGP with route reflector•IS-IS•Multicast: Internet Group Management Protocol (IGMP) v1/v2;Protocol Independent Multicast (PIM) sparse mode (SM)/source-specific multicast (SSM); Session Description Protocol(SDP); Distance Vector Multicast Routing Protocol (DVMRP);Multicast Source Discovery Protocol (MSDP); reverse pathforwarding (RPF)•Encapsulation: VLAN, Point-to-Point Protocol over Ethernet(PPPoE)•Virtual routers•Policy-based routing, source-based routing•Equal-cost multipath (ECMP)QoS Features•Support for 802.1p, DiffServ code point (DSCP), EXP •Classification based on VLAN, data-link connection identifier(DLCI), interface, bundles, or multifield filters•Marking, policing, and shaping•Classification and scheduling•Weighted random early detection (WRED)•Guaranteed and maximum bandwidth•Ingress traffic policing•Virtual channels Network Services•Dynamic Host Configuration Protocol (DHCP) client/server/relay•Domain Name System (DNS) proxy, dynamic DNS (DDNS)•Juniper real-time performance monitoring (RPM) and IPmonitoring•Juniper flow monitoring (J-Flow)Advanced Routing Services•Packet Mode•MPLS (RSVP, LDP)•Circuit cross-connect (CCC), translational cross-connect (TCC)•L2/L2 MPLS VPN, pseudo-wires•Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)•MPLS traffic engineering and MPLS fast re-routeManagement, Automation, Logging, and Reporting•SSH, T elnet, SNMP•Smart image download•Juniper CLI and Web UI•Juniper Networks Junos Space Security Director•Python•Junos events, commit and OP scripts•Application and bandwidth usage reporting•Debug and troubleshooting toolsHardware SpecificationsTable 3. SRX4100 and SRX4200 Hardware SpecificationsJuniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https:///us/en/products.html.Ordering InformationT o order Juniper Networks SRX Series Services Gateways, and to access software licensing information, please visit the How to Buy page at https:///us/en/how-to-buy/form.html.Base System AccessoriesSRX4100 Performance Upgrade License Advanced Security Services Subscription LicensesRemote Access/Juniper Secure Connect VPN LicensesAbout Juniper NetworksAt Juniper Networks, we are dedicated to dramatically simplifyingnetwork operations and driving superior experiences for end users.Our solutions deliver industry-leading insight, automation, securityand AI to drive real business results. We believe that poweringconnections will bring us closer together while empowering us all tosolve the world’s greatest challenges of well-being, sustainabilityand equality.Corporate and Sales HeadquartersJuniper Networks, Inc.1133 Innovation WaySunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or +1.408.745.2000APAC and EMEA HeadquartersJuniper Networks International B.V.Boeing Avenue 240 1119 PZ Schiphol-RijkAmsterdam, The NetherlandsPhone: +31.207.125.700Copyright 2022 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no。

前言、版本说明 (2)一、界面菜单管理 (4)2、WEB管理界面 (4)（1）Web管理界面需要浏览器支持Flash控件。

(4)（2）输入用户名密码登陆： (4)（3）仪表盘首页 (5)3、菜单目录 (7)二、接口配置 (12)1、接口静态IP (12)2、PPPoE (13)3、DHCP (14)三、路由配置 (16)1、静态路由 (16)2、动态路由 (16)四、区域设置Zone (18)五、策略配置 (20)1、策略元素定义 (20)2、防火墙策略配置 (22)3、安全防护策略 (25)六、地址转换 (26)1、源地址转换-建立地址池 (26)2、源地址转换规则设置 (27)七、VPN配置 (30)1、建立第一阶段加密建议IKE Proposal (Phase 1) (或者用默认提议) (30)2、建立第一阶段IKE策略 (31)3、建立第一阶段IKE Gateway (32)4、建立第二阶段加密提议IKE Proposal (Phase 2) (或者用默认提议) (33)5、建立第一阶段IKE策略 (34)6、建立VPN策略 (35)八、Screen防攻击 (38)九、双机 (39)十、故障诊断 (39)前言、版本说明产品：Juniper SRX240 SH版本：JUNOS Software Release [9.6R1.13]注：测试推荐使用此版本。

此版本对浏览速度、保存速度提高了一些，并且CPU占用率明显下降很多。

9.5R2.7版本（CPU持续保持在60%以上，甚至90%）9.6R1.13版本（对菜单操作或者保存配置时，仍会提升一部分CPU）一、界面菜单管理1、管理方式JuniperSRX系列防火墙出厂默认状态下，登陆用户名为root密码为空，所有接口都已开启Web管理，但无接口地址。

终端连接防火墙后，输入用户名(root)、密码(空)，显示如下：root@srx240-1%输入cli命令进入JUNOS访问模式：root@srx240-1% cliroot@srx240-1>输入configure进入JUNOS配置模式：root@srx240-1% cliroot@srx240-1> configureEntering configuration mode[edit]root@srx240-1#防火墙至少要进行以下配置才可以正常使用：(1)设置root密码（否则无法保存配置）(2)开启ssh/telnet/http服务(3)添加用户（root权限不能作为远程telnet帐户，可以使用SHH方式）(4)分配新的用户权限2、WEB管理界面（1）Web管理界面需要浏览器支持Flash控件。

The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Junos®Space Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each services gateway can support near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 1.2 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization.The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the gateway can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables realizationof maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection.The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Seriesis equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), unified threat management (UTM), quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution.Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800The SRX5800 Services Gateway is the market-leading security solution supporting up to 1.2 Tbps firewall throughput and latency as low as 32 microseconds for stateful firewall. The SRX5800 also supports 1 Tbps IPS and 395 million concurrent sessions. Equipped with the full range of advanced security services, the SRX5800 is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600The SRX5600 Services Gateway uses the same SPCs and IOCsas the SRX5800 and can support up to 570 IMIX Gbps firewall throughput, 180 million concurrent sessions, and 460 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregation of various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments. SRX5400The SRX5400 Services Gateway uses the same SPCs and IOCs as the SRX5800 and can support up to 285 Gbps IMIX firewall, 90 million concurrent sessions, and 230 Gbps IPS. The SRX5400 is a small footprint, high-performance gateway ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments. Service Processing Cards (SPC)As the “brains” behind the SRX5000 line, SPCs are designedto process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxedto the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Services Gateways.I/O Cards (IOCs)To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. Juniper offers the IOC2, a second-generation card with superior connectivity options. The IOC2 offers 100GbE as well as 40GbE and high-density 10GbE and 1GbE connectivity options. These options reduce the need for link aggregation when connecting high throughput switches to the firewall, as well as enabling increased throughput in the firewall itself. The IOC2 is supported on all three platforms in the SRX5000 line of services gateways.The third generation of IOCs from Juniper, the IOC3, delivers the highest throughput levels yet, along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC2 or IOC3 operates with the Express Path optimization capability, delivering higher levels of throughput—up to an industry-leading 2 Tbps on the SRX5800. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800.Routing Engine (RE2) and Enhanced System Control Board (SCB3)The SRX5K-RE-1800X4 Routing Engine (RE2) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 1800 MHz. It delivers improved performance, scalability, and reliability with 16 GB DRAM and 128 GB solid-state drive (SSD). The SRX5K-SCB3 Enhanced System Control Board (SCB3) enables 240 Gbps per slot throughput with intra as well as interchassis high availability and redundancy.Features and BenefitsNetworking and SecurityThe Juniper Networks SRX5000 line of Services Gateways has been designed from the ground up to offer robust networking andsecurity services.*Requires Junos OS 15.1x49-D10 or greater.**Requires Junos OS 18.2R1-S1 or greater.IPS CapabilitiesJuniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Content Security UTM CapabilitiesThe UTM services offered on the SRX5000 line of Services Gateways include industry-leading antivirus, antispam, content filtering,and additional content security services.Advanced Threat PreventionAdvanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper Sky ATP, a SaaS-based service, and the Juniper ATP Appliance, anon-premises solution.More information about Juniper Sky ATP can be found at /us/en/products-services/security/sky-advanced-threat-prevention/. Additional information about the Juniper ATP Appliance can be found at /us/en/products-services/ security/advanced-threat-prevention-appliance/.Centralized ManagementJuniper Networks Junos Space Security Director delivers scalable and responsive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage all phases of the security policy life cycle through a single web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration. Security Director runs on the Junos Space Network Management Platform for highly extensible, network-wide management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.Specifications1SRX5600Services GatewaySRX5800Services GatewaySRX5400Services Gateway Performance, capacity and features listed are based on systems running Junos OS 18.2R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.Firewall* Session capacity differs based on UTM/AppSecure/IPS features enabled.* Session capacity differs based on UTM/AppSecure/IPS features enabled.Maximum number of BGP and OSPF routes recommended is 100,000.Please consult the technical publication documents and release notes for a list of compatible ISSU features.T o enable dual control links on the SRX5000 line, two SRX5K-RE-1800X4 modules must be installed on each cluster member.SRX5000 line of gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX5000 line): - Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages- Section 7.5B Mobile Station (MS) info change messages- Section 7.3.12 Initiate secondary PDP context from GGSNShort term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year.WarrantyFor warranty information, please visit /support/warranty/.Juniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize yourhigh-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services .Ordering Information*These products require Junos OS 12.1X47-D15 or greater.**Requires Junos OS 15.1X49-D10 or greater.Corporate and Sales Headquarters Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or +Copyright 2019 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.APAC and EMEA Headquarters Juniper Networks International B.V.Boeing Avenue 2401119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: +31.0.207.125.700EXPLORE JUNIPERAbout Juniper NetworksJuniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.* I n 12.3X48-D10, the Services Offload feature was renamed Express Path and is included withoutrequiring a license for Junos OS X48 releases and beyond. With the X48 release, the Express Path feature is supported on all SRX5000 Services Gateways including the SRX5400. For versions prior to the X48 release, the Services Offload license is still required and supports only SRX5600 and SRX5800 products. Express Path is available on the SRX5400, SRX5600, and SRX5800 Services Gateways. No separate license required.。

SRX Series Services Gateway Transceiver ReferenceApril2016Contents SRX Series Services Gateway Transceivers (2)SRX Series Services Gateway Transceiver Interfaces (9)Installing Transceivers (13)Documentation and Release Notes (14)Requesting T echnical Support (14)Self-Help Online T ools and Resources (15)Opening a Case with JTAC (15)Revision History (15)SRX Series Services Gateway TransceiversYou can install transceivers of the following types in sockets in various cards or modules in SRX Series Services Gateways:•Small form-factor pluggable (SFP)•Enhanced small form-factor pluggable (SFP+)•10-Gigabit SFP (XFP)•100-Gbps form-factor pluggable (CFP)•Quad 40-Gbps form-factor pluggable plus (QSFP+)This guide describes all of the transceivers applicable to the SRX Series Services Gateways.The transceiver types are not interchangeable,with one exception:SFP+transceivers can be used in SFP interfaces.However,an SFP+transceiver installed in an SFP interface will be limited to the 1Gbps maximum data rate of the interface in which it isinstalled.NOTE:Modular Interface Cards (MICs)with SFP interfaces do not support SFP+transceivers.WARNING:Do not look directly into a fiber-optic transceiver or into the ends of fiber-optic cables.Fiber-optic transceivers and fiber-optic cable connected to a transceiver emit laser light that can damage youreyes.WARNING:Do not leave a fiber-optic transceiver uncovered except when inserting or removing cable.The safety cap keeps the port clean and prevents accidental exposure to laserlight.CAUTION:Avoid bending fiber-optic cable tighter than its minimum bend radius.An arc smaller than a few inches in diameter can damage the cable and cause problems that are difficult todiagnose.CAUTION:If you are having a problem running a Juniper Networks device that is using a third-party optic or cable,the Juniper Networks Technical Assistance Center (JTAC)can help you diagnose the source of the problem.Your JTAC engineer might recommend that you check the third-party optic or cable and potentially replace it with an equivalent Juniper Networks optic or cable that is qualified for the device.SRX Series Services Gateway Transceiver ReferenceT able 1on page 3describes the SFP transceivers applicable to SRX Series Services Gateway SFP interfaces.Table 1:SFP Gigabit Ethernet Transceivers2km62.5/125µm LCMMF1300100BASE-FXSFP 100BASE-FX Fast Ethernet optic moduleSRX-SFP-FE-FX2km50/125µm70km9/125µm LC SMF 15501000BASE-ZX SFP1000BASE-LH Gigabit Ethernet optic module SRX-SFP-1GE-LH70km9/125µm LC SMF 15501000BASE-ZX SFP1000BASE-LH Gigabit Ethernet optic module,extended temperature range (see note below)SRX-SFP-1GE-LH-ET 10km 9/125µm LC SMF 13101000BASE-LX SFP1000BASE-LH Gigabit Ethernet optic moduleSRX-SFP-1GE-LX 550m50/125µm LCMMF550m62.5/125µm10km 9/125µm LC SMF 13101000BASE-LX SFP1000BASE-LH Gigabit Ethernet optic module,extended temperature range (see note below)SRX-SFP-1GE-LX-ET550m50/125µm LCMMF550m62.5/125µm550m50/125µm LCMMF 8501000BASE-SX SFP1000BASE-SX Gigabit Ethernet optic moduleSRX-SFP-1GE-SX 275m62.5/125µmSRX Series Services Gateway TransceiversTable 1:SFP Gigabit Ethernet Transceivers (continued)550m50/125µm LCMMF8501000BASE-SXSFP1000BASE-SX Gigabit Ethernet optic module,extended temperature range (see note below)SRX-SFP-1GE-SX-ET275m62.5/125µm100m4twisted pair,category 5shieldedRJ-45Copper 1000BASE-T SFP1000BASE-T Gigabit Ethernet module (uses Cat 5cable)SRX-SFP-1GE-T 100m4twisted pair,category 5shieldedRJ-45Copper 1000BASE-T 1000BASE-T Gigabit Ethernet module (uses Cat 5cable),extendedtemperture range SRX-SFP-1GE-T-ET 20km9/125µm LC SMF(single-strand fiber)15501310100BASE-BX-U 100BASE-BX Fast Ethernet optic module SFP-FE20KT13R15EX-SFP-FE20KT13R1520km9/125µm LC SMF(single-strand fiber)131********BASE-BX-D 100BASE-BX Fast Ethernet optic module SFP-FE20KT15R13EX-SFP-FE20KT15R1310km9/125µm LC SMF(single-strand fiber)149013101000BASE-BX-U 1000BASE-BX10optic moduleSFP-GE10KT13R14EX-SFP-GE10KT13R1410km9/125µm LC SMF(single-strand fiber)155013101000BASE-BX-U 1000BASE-BX10optic moduleSFP-GE10KT13R15EX-SFP-GE10KT13R1510km9/125µm LC SMF(single-strand fiber)131014901000BASE-BX-D 1000BASE-BX10optic moduleSFP-GE10KT14R13EX-SFP-GE10KT14R1310km9/125µm LC SMF(single-strand fiber)131015501000BASE-BX-D 1000BASE-BX10optic moduleSFP-GE10KT15R13EX-SFP-GE10KT15R1340km9/125µm LC SMF(single-strand fiber)155013101000BASE-BX-U 1000BASE-BX optic moduleSFP-GE40KT13R15EX-SFP-GE40KT13R15SRX Series Services Gateway Transceiver ReferenceTable 1:SFP Gigabit Ethernet Transceivers (continued)Max.Core and SizeMediaλ (nm)ModelRXTX40km9/125µmLCSMF(single-strand fiber)131015501000BASE-BX-D1000BASE-BX optic moduleSFP-GE40KT15R13EX-SFP-GE40KT15R13NOTE:For SRX3400and SRX3600Services Gateways to meet NEBS and ETSI standards,all transceivers installed in the services gateway must be of extended temperature (ET)type.T able 2on page 5describes the SFP+10-Gigabit Ethernet transceivers applicable to SRX Series Services Gateway SFP and SFP+interfaces.Table 2:SFP+10-Gigabit Ethernet TransceiversMax.Core and SizeMediaλ (nm)SKURX TX40km9/125µmLCSMF155010GBASE-ERSFP+10-Gigabit Ethernet optic module.Meets extended temperature rangerequirements (see note below)SRX-SFP-10GE-ER10km9/125µm LC SMF 131010GBASE-LR SFP+10-Gigabit Ethernet optic module.Meets extended temperature rangerequirements (see note below)SRX-SFP-10GE-LR EX-SFP-10GE-LR300m (OM3)400m (OM4)50/125µm LCMMF 85010GBASE-SR SFP+10-Gigabit Ethernet optic moduleSRX-SFP-10GE-SR EX-SFP-10GE-SR33m62.5/125µmSRX Series Services Gateway TransceiversTable 2:SFP+10-Gigabit Ethernet Transceivers (continued)Max.Core and SizeMediaλ (nm)SKURX TX220m50/125µm LCMMF126010GBASE-LRMSFP+10GBase-LRM 10-Gigabit Ethernet optic moduleSFPP-10GE-LRM220m62.5/125µm300m50/125µmLCMMF 85010GBASE-SR SFP+10-Gigabit Ethernet optic moduleSRX-SFPP-10G-SR-ET10km9/125µm LC SMF 131010GBASE-LR SFP+10-Gigabit Ethernet optic moduleSRX-SFPP-10G-LR NOTE:For SRX3400and SRX3600Services Gateways to meet NEBS and ETSI standards,all transceivers installed in the services gateway must be of extended temperature (ET)type.T able 3on page 6describes the SFP+10-Gigabit Ethernet,Direct Attach Cables (DAC)transceivers applicable to SRX Series Services Gateway SFP+interfaces.Table 3:SFP+10-Gigabit Ethernet DAC TransceiversMax.Core and SizeMediaλ (nm)SKURX TX 1mSFP+passive Twinaxcopper cable assembly Direct Attached 30AWG10GBASE-DAC10-Gbps full-duplex serialtransmissionSRX-SFP-10GE-DAC-1M EX-SFPP-10GE-DAC-1M3mSFP+passive Twinaxcopper cable assembly Direct Attached 30AWG10GBASE-DAC10-Gbps full-duplex serialtransmissionSRX-SFP-10GE-DAC-3M EX-SFP-10GE-DAC-3M5mSFP+passive Twinaxcopper cable assemblyDirect Attached 24AWG10GBASE-DAC10-Gbps full-duplex serialtransmissionEX-SFP-10GE-DAC-5MSRX Series Services Gateway Transceiver ReferenceTable 3:SFP+10-Gigabit Ethernet DAC Transceivers (continued)7mSFP+passive Twinaxcopper cable assemblyDirect Attached 24AWG10GBASE-DAC10-Gbps full-duplex serialtransmissionEX-SFP-10GE-DAC-7MT able 4on page 7describes the XFP 10-Gigabit Ethernet transceivers applicable to SRX Series Services Gateway XFP interfaces.Table 4:XFP 10-Gigabit Ethernet Transceivers40km9/125µmLCSMF155010GBASE-ER10-Gigabit Ethernet single-mode optic moduleSRX-XFP-10GE-ER40km9/125µm LC SMF 155010GBASE-ER 10-Gigabit Ethernet single-mode optic module,extended temperature range (see note below)SRX-XFP-10GE-ER-ET 10km9/125µm LC SMF 131010GBASE-LR 10-Gigabit Ethernet single-mode optic moduleSRX-XFP-10GE-LR 10km9/125µm LC SMF 131010GBASE-LR 10-Gigabit Ethernet single-mode optic module,extended temperature range (see note below)SRX-XFP-10GE-LR-ET 10km9/125µm LC SMF 85010GBASE-SR 10-Gigabit Ethernet short-reachmultimode optic moduleSRX-XFP-10GE-SR 10km9/125µm LC SMF 85010GBASE-SR 10-Gigabit Ethernet short-reachmultimode optic module,extended temperature range (see note below)SRX-XFP-10GE-SR-ET SRX Series Services Gateway TransceiversNOTE:For SRX3400and SRX3600Services Gateways to meet NEBS and ETSI standards,all transceivers installed in the services gateway must be of extended temperature (ET)type.T able 5on page 8describes the CFP 100-Gigabit Ethernet transceivers applicable to SRX Series Services Gateway CFP interfaces.Table 5:CFP 100-Gigabit Ethernet TransceiversMax.Mediaλ (nm)SKURX TX10kmDual SCSMF1310100GBASE-LR4100-Gigabit Ethernet single-mode optic module SRX-CFP-100G-LR4100m (OM3)150m (OM4)Ribbon cable,24multimode fibersMMF850100GBASE-SR10100-Gigabit Ethernet single-mode optic moduleSRX-CFP-100G-SR10100m24-fiber MPO MMF860860100GBASE-SR10100-Gigabit Ethernet CFP2-100GBA SE-SR1010kmLCSMF 131********GBASE-LR4100-Gigabit EthernetCFP2-100GBASE-LR4T able 6on page 8describes the QSFP+40-Gigabit Ethernet transceivers applicable to SRX Series Services Gateway QSFP+interfaces.Table 6:QSFP+40-Gigabit Ethernet TransceiversMax.C onnect orMediaλ (nm)SKURX TX100m (OM3)150m (OM4)OM3,OM4,12fiber MPOconnector MMF85040GBASE-SR440-Gigabit Ethernet single-mode optic moduleSRX-QSFP-40G-SR410kmLCSMF131040GBASE-LR440-Gigabit Ethernet single-mode optic module SRX-QSFP-40G-LR4150m (OM3)OM4duplex MMFMMF131040GBASE-LX440-Gigabit Ethernet pluggableJNP-QSFP-40G-LX4SRX Series Services Gateway Transceiver ReferenceSRX Series Services Gateway Transceiver InterfacesT able 7on page 9,T able 8on page 9,T able 9on page 9,and T able 10on page 10show the different types of transceiver interfaces available on the various types of SRX Series Services Gateways.Table 7:SRX210,SRX220,and SRX240Services Gateway Transceiver Interface Types11-Port SFP Mini-PIM (not supported on SRX220)SRX-MP-1SFPSFP11-Port Gigabit Ethernet SFP Mini-PIMSRX-MP-1SFP-GE SFP Table 8:SRX550and SRX650Services Gateway Transceiver Interface Types11-Port Gigabit Ethernet SFP Mini-PIM SRX-MP-1SFP-GE (SRX550only)SFP88-Port Gigabit Ethernet SFP XPIM SRX-GP-8SFP22-Port 10-Gigabit Ethernet XPIMSRX-GP-2XE-SFPP-TXSFP+Table 9:SRX1400,SRX3400,and SRX3600Services Gateway Transceiver Interface Types16IOC SRX3K-16GE-SFPSFP6SYSIOC SRX1K-SYSIO-GE (SRX1400only)2NP-IOC SRX1K3K-NP-2XGE-SFPPSFP+3SYSIOC SRX1K-SYSIO-XGE (SRX1400only)2IOCSRX3K-2XGE-XFPXFP SRX Series Services Gateway Transceiver InterfacesTable 10:SRX5400,SRX5600,and SRX5800Services Gateway Transceiver Interface Types40IOCSRX5K-40GE-SFP SFP16Flex IOC Port Module SRX-IOC-16GE-SFP 2SPC SRX5K-SPC-2-10-402SPC SRX5K-SPC-4-15-32020MIC SRX-MIC-20GE-SFP10MIC SRX-MIC-10XG-SFPP SFP+4IOCSRX5K-4XGE-XFP XFP4Flex IOC Port Module SRX-IOC-4XGE-XFP1MIC SRX-MIC-1X100G-CFP CFP 2MICSRX-MIC-2X40G-QSFPQSFP+The following is a list of transceivers supported on the SRX300Series,SRX550High Memory,and SRX1500Services Gateways.√√√SRX-SFP-1GE-LH √√√SRX-SFP-1GE-LX √√√SRX-SFP-1GE-SX √√√SRX-SFP-1GE-T √√SRX-SFP-FE-FX √EX-SFP-10GE-LR √EX-SFP-10GE-SR √√EX-SFP-FE20KT13R15√√EX-SFP-FE20KT15R13SRX Series Services Gateway Transceiver Reference√√EX-SFP-GE10KT13R14√√EX-SFP-GE10KT13R15√√EX-SFP-GE10KT14R13√√EX-SFP-GE10KT15R13√√EX-SFP-GE40KT13R15√√EX-SFP-GE40KT15R13√EX-SFPP-10GE-DAC-1M√EX-SFPP-10GE-DAC-3M The following is a list of all the cards and supported transceivers for the SRX1400ServicesGateway.SRX Series Services Gateway Transceiver InterfacesThe following is a list of all the cards and supported transceivers for the SRX3400andSRX3600ServicesGateways.SRX Series Services Gateway Transceiver ReferenceFollowing is a list of transceivers supported on all cards,along with the Junos OS releasein which they were introduced,for the SRX5000line of ServicesGateways.Installing TransceiversTransceivers are hot-insertable and hot-removable.Removing a transceiver does notinterrupt the functioning of the card or module.T o install a transceiver:1.Attach an ESD grounding strap to your bare wrist,and connect the strap to one of theESD points on the chassis.2.T ake each transceiver to be installed out of its electrostatic bag,and identify thesocket on the card or module where you will installit.WARNING:Do not leave a fiber-optic transceiver uncovered except wheninserting or removing cable.The safety cap keeps the port clean andprevents accidental exposure to laser light.Installing TransceiversSRX Series Services Gateway Transceiver Reference3.For each fiber interface transceiver,verify that the interface port is covered by a rubbersafety cap.If it is not,cover the interface port with a safety cap.The safety cap preventsthe release of laser light that can damage your eyes.4.Carefully align the transceiver with the socket in the services gateway card or module.The connector should face the socket.5.Slide the transceiver into the socket until the connector is seated in the componentslot.If you are unable to fully insert the transceiver,make sure the connector is orientedcorrectly.See the hardware documentation for your services gateway for moreinformation about LEDs.6.Close the ejector handle of the transceiver.7.Remove the rubber safety caps from both the transceiver and from the end of thecable.Insert the cable into the transceiver.8.Verify that the status LEDs on the component faceplate indicate that the transceiveris functioning correctly.Documentation and Release NotesT o obtain the most current version of all Juniper Networks®technical documentation,see the product documentation page on the Juniper Networks website at/techpubs/.If the information in the latest release notes differs from the information in thedocumentation,follow the product Release Notes.Juniper Networks Books publishes books by Juniper Networks engineers and subjectmatter experts.These books go beyond the technical documentation to explore thenuances of network architecture,deployment,and administration.The current list canbe viewed at /books.Requesting Technical SupportT echnical product support is available through the Juniper Networks T echnical AssistanceCenter(JTAC).If you are a customer with an active J-Care or Partner Support Servicesupport contract,or are covered under warranty,and need postsales technical support,you can access our tools and resources online or open a case with JTAC.•JTAC policies—For a complete understanding of our JTAC procedures and policies,review the JTAC User Guide located at/us/en/local/pdf/resource-guides/7100059-en.pdf.•Product warranties—For product warranty information,visit/support/warranty/.•JTAC Hours of Operation—The JTAC centers have resources available24hours a day,7days a week,365days a year.Requesting T echnical SupportSelf-Help Online Tools and ResourcesFor quick and easy problem resolution,Juniper Networks has designed an onlineself-service portal called the Customer Support Center(CSC)that provides you with thefollowing features:•Find CSC offerings:/customers/support/•Find product documentation:/techpubs/•Find solutions and answer questions using our Knowledge Base:/•Download the latest versions of software and review release notes:/customers/csc/software/•Search technical bulletins for relevant hardware and software notifications:https:///alerts/•Join and participate in the Juniper Networks Community Forum:/company/communities/•Open a case online in the CSC Case Management tool:/cm/T o verify service entitlement by product serial number,use our Serial Number Entitlement(SNE)T ool:https:///SerialNumberEntitlementSearch/Opening a Case with JTACYou can open a case with JTAC on the Web or by telephone.•Use the Case Management tool in the CSC at /cm/.•Call1-888-314-JTAC(1-888-314-5822toll-free in the USA,Canada,and Mexico).For international or direct-dial options in countries without toll-free numbers,visit us at/support/requesting-support.htmlRevision HistoryJune2015—Added information about DAC and CFP2optics.August2015—Updated core and cladding size for SRX-SFP-FE-FX.October2015—Added information about DAC optics.November2015—Added OM4detail for SRX-SFP-10GE-SR.April2016—Added transceiver support information for the SRX300Series,SRX550HighMemory,and SRX1500Services Gateways.SRX Series Services Gateway Transceiver ReferenceCopyright©2016,Juniper Networks,Inc.All rights reserved.Juniper Networks,Junos,Steel-Belted Radius,NetScreen,and ScreenOS are registered trademarks of Juniper Networks,Inc.in the United States and other countries.The Juniper Networks Logo,the Junos logo,and JunosE are trademarks of Juniper Networks,Inc.All other trademarks,service marks,registered trademarks,or registered service marks are the property of their respective owners.Juniper Networks assumes no responsibility for any inaccuracies in this document.Juniper Networks reserves the right to change,modify, transfer,or otherwise revise this publication without notice.。

Quick Start GuideMount the SD-WAN Edge CPE1.Attach the brackets to the SD-WAN Edge CPE.e the screws and cage nuts supplied with the rack to securethe SD-WAN Edge CPE in the rack.Ground the SD-WAN Edge CPE1.Ensure the rack on which the SD-WAN Edge CPE is to bemounted is properly grounded and in compliance withinternational and local standards. Verify that there is a good electrical connection to the grounding point on the rack. (no paint or isolating surface treatment)2.Attach a lug (not provided) to a #18 AWG minimum groundingwire (not provided), and connect it to the grounding point on the device’s rear panel. Then connect the other end of the wire to rack ground.Connect Power1.Plug the power cord into a 100-240 VAC, 50-60 Hz AC powersource.2.Insert the other end of the power cord directly into the AC inputsocket on the back of the device.Caution: Risk of explosion if battery is replaced by anincorrect type. Dispose of used batteries according to the manufacturer’s instructions.Attention: Risque d’explosion si la batterie est remplacée par un type incorrect. Éliminez les piles usagées conformément auxinstructions.12121Caution: The earth connection must not be removed unlessall supply connections have been disconnected.Attention: Le raccordement à la terre ne doit pas être retiré sauf si toutes les connexions d’alimentation ont été débranchées.Caution: The device must be installed in a restricted-accesslocation. It should have a separate protective earthing terminal on the chassis that must be permanently connected to earth to adequately ground the chassis and protect the operator from electrical hazards.Attention: L'appareil doit être installé dans un emplacement à accès restreint. Il doit comporter une borne de terre de protection distincte sur le châssis, qui doit être connectée en permanence à la terre pour assurer une mise à la terre adéquate du châssis et protéger l'opérateur des risques électriques.Caution: Use the AC power cord supplied with the device .For International use, you may need to change the AC line cord. You must use line cord sets that have been approved for the socket type in your country.Attention: Utilisez le cordon d’alimentation secteur fourniavec l’appareil. Pour une utilisation internationale, vous devrez peut-être changer le cordon d’alimentation secteur. Vous devez utiliser des jeux de cordons d’alimentation qui ont étéapprouvés pour le type de prise dans votre pays.321SD-WAN Edge CPESDW1001.SDW100 SD-WAN Edge CPE2.Rack Mounting Kit—2 brackets and 8 screws3.Power cord—either Japan, US, Continental Europe or UK4.Console cable—RJ-45 to DB-95.Documentation—Quick Start Guide (this document)25143Package ContentsCheck the System LEDs1.Verify basic operation by checking the system LEDs. Whenoperating normally, the Power LED should be on green and the Status LED should be either on blue or blinking when the device is booting up.Connect Network Cables1.For the 1000BASE-T RJ-45 ports, connect 100-ohm Category 5,5e or better twisted-pair cable.2.For the SFP slots, first install SFP transceivers and then connectfiber optic cabling to the transceiver ports.The following transceivers are supported:⏹1000BASE-SX (ET4201-SX)⏹1000BASE-LX (ET4201-LX)⏹1000BASE-ZX (ET4201-ZX)⏹1000BASE-LHX (ET4201-LHX)3.As connections are made, check the port status LEDs to be surethe links are valid.⏹On/Blinking Green — Port has a valid link. Blinking indicates network activity.Make Initial Configuration Changes1.Connect a PC to one of the SD-WAN Edge CPE’s LAN ports.2.Log in to the web interface using the default management IPaddress 192.168.100.1 (there is no user name or password).3.Configure the Barrista controller IP address and port throughone of the following methods.⏹DHCP: Automatic configuration.⏹Static: Manually set the IP address, subnet mask, default gateway, and DNS servers.⏹PPPoE: Set the PPPoE username and password.4.Click “Save” to confirm the configuration and enable the SD-WAN Edge CPE to communicate with the Barrista controller.Hardware Specifications41153126Chassis Size (WxDxH)42.6 x 27.0 x 4.4 cm (16.8 x 10.6 x 1.7 in.)Weight 2.64 kg (5.81 lb)Temperature Operating: 0 °C to 40 °C (32 °F to 104 °F)Storage: -20 °C to 70 °C (-4 °F to 158 °F)Humidity Operating: 10% to 90% (non-condensing)InterfacesNetwork Ports 3-10: RJ-45 10/100/1000BASE-TPorts 1-2 RJ-45 10/100/1000BASE-T or SFP USB 1 USB 3.0ConsoleRS-232 serial, RJ-45 portPower AC Input100-240 VAC 50-60 Hz 2.5 APower Consumption 65 Watts Maximum Maximum Current0.9 ARegulatory Compliances EmissionsCE MarkEN 55032, Class A EN 61000-3-2, Class A EN 61000-3-3FCC Class A CNS 1343847 CPR FCC Part 15:2016, Subpart B, Class A ANSI C63.4:2014CISPR 32.2015 + COR1:2016, Class A AS/NZS CISPR 32:2015, Class ACanada Std. ICES-003:2016 Issue 6, Class A Immunity IEC 61000-4-2/3/4/5/6/8/11SafetyUL 62368-1 & CAN/CSA C22.2 No. 62368-1-14CB IEC/EN 60950-1 & IEC/EN 62368-1 2nd. BSMI Safety Standard CNS14336-1Taiwan RoHSCNS 15663Safety and Regulatory InformationFCC Class AThis equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.You are cautioned that changes or modifications not expressly approved by the party responsible for compliance could void your authority to operate the equipment.You may use unshielded twisted-pair (UTP) for RJ-45 connections - Category 3 or better for 10 Mbps connections, Category 5 or better for 100 Mbps connections, Category 5, 5e, or 6 for 1000 Mbps connections. For fiber optic connections, you may use 50/125 or 62.5/ 125 micron multimode fiber or 9/125 micron single-mode fiber.CE MarkCE Mark Declaration of Conformance for EMI and Safety (EEC)This information technology equipment complies with the requirements of the Council Directive 2014/30/EU on the Approximation of the laws of the Member States relating to Electromagnetic Compatibility and 2014/ 35/EU for electrical equipment used within certain voltage limits. For the evaluation of the compliance with these Directives, the following standards were applied:RFI Emission:⏹Limit according to EN 55032:2012+AC:2013, Class A⏹Limit for harmonic current emission according to EN 61000-3-2:2014, Class A⏹Limitation of voltage fluctuation and flicker in low-voltage supplysystem according to EN 61000-3-3:2013Immunity:⏹Product family standard according to EN 55024:2010⏹Electrostatic Discharge according to IEC 61000-4-2:2008⏹Radio-frequency electromagnetic field according to IEC 61000-4-3:2010⏹Electrical fast transient/burst according to IEC 61000-4-4:2012⏹Surge immunity test according to IEC 61000-4-5:2014⏹Immunity to conducted disturbances, Induced by radio-frequencyfields: IEC 61000-4-6:2013⏹Power frequency magnetic field immunity test according to IEC61000-4-8:2009⏹Voltage dips, short interruptions and voltage variations immunity testaccording to IEC 61000-4-11:2004LVD:⏹EN 62368-1:2014/A11: 2017The Declaration of Conformity (DoC) can be obtained from -> support -> download.Japan - VCCI Class ALaser SafetyWarning: Fiber Optic Port Safety:Avertissment: Ports pour fibres optiques - sécurité sur le plan optique: Warnhinweis: Faseroptikanschlüsse - Optische Sicherheit:Battery SafetyPower Cord SafetyPlease read the following safety information carefully before installing the device:Warning:Installation and removal of the unit must be carried out by qualified personnel only.⏹The unit must be connected to an earthed (grounded) outlet tocomply with international safety standards.⏹Do not connect the unit to an A.C. outlet (power supply) without anearth (ground) connection.⏹The appliance coupler (the connector to the unit and not the wallplug) must have a configuration for mating with an EN 60320/IEC 320 appliance inlet.⏹The socket outlet must be near to the unit and easily accessible. Youcan only remove power from the unit by disconnecting the powercord from the outlet.⏹This unit operates under SELV (Safety Extra Low Voltage) conditionsaccording to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELVconditions.When using a fiber optic port, never look at thetransmit laser while it is powered on. Also, never lookdirectly at the fiber TX port and fiber cable ends whenthey are powered on.Ne regardez jamais le laser tant qu'il est sous tension.Ne regardez jamais directement le port TX(Transmission) à fibres optiques et les embouts decâbles à fibres optiques tant qu'ils sont sous tension.Niemals ein Übertragungslaser betrachten, währenddieses eingeschaltet ist. Niemals direkt auf den Faser-TX-Anschluß und auf die Faserkabelenden schauen,während diese eingeschaltet sind.Warning: If your device uses a lithium battery, do not attemptto replace the battery yourself. Return the device to themanufacturer for battery replacement.Avertissement: Si votre appareil utilise une batterie aulithium, n’essayez pas de remplacer la batterie vous-même.Renvoyez l’appareil au fabricant pour le remplacement de labatterie.If the device contains lithium batteries that are encased in asealed chassis, do not attempt to open the sealed chassis underany circumstances.Si l’appareil contient des piles au lithium logées dans unchâssis scellé, n’essayez en aucun cas d’ouvrir le châssis scellé.Risk of explosion if the battery is replaced by an incorrect type.Dispose of used batteries according to the instructions.Risque d’explosion si la batterie est remplacée par un typeincorrect. Éliminez les piles usagées conformément auxinstructions.CLASS ILASER DEVICEDISPOSITIF LASERDE CLASSE ILASERGERDER KLASSE IÄTFrance and Peru onlyThis unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labeled Neutral, connected directly to earth (ground).† Impédance à la terreImportant! Before making connections, make sure you have the correct cord set. Check it (read the label on the cable) against the following:Veuillez lire à fond l’information de la sécurité suivante avant d’installer l’appareil:Avertissement: L’installation et la dépose de ce groupe doivent être confiés à un personnel qualifié.⏹Ne branchez pas votre appareil sur une prise secteur (alimentationélectrique) lorsqu’il n’y a pas de connexion de mise à la terre (mise à la masse).⏹Vous devez raccorder ce groupe à une sortie mise à la terre (mise àla masse) afin de respecter les normes internationales de sécurité.⏹Le coupleur d’appareil (le connecteur du groupe et non pas la prisemurale) doit respecter une configuration qui permet unbranchement sur une entrée d’appareil EN 60320/IEC 320.⏹La prise secteur doit se trouver à proximité de l’appareil et son accèsdoit être facile. Vous ne pouvez mettre l’appareil hors circuit qu’en débranchant son cordon électrique au niveau de cette prise.⏹L’appareil fonctionne à une tension extrêmement basse de sécuritéqui est conforme à la norme IEC 60950. Ces conditions ne sontmaintenues que si l’équipement auquel il est raccordé fonctionne dans les mêmes conditions.France et Pérou uniquement:Ce groupe ne peut pas être alimenté par un dispositif à impédance à la terre. Si vos alimentations sont du type impédance à la terre, ce groupe doit être alimenté par une tension de 230 V (2 P+T) par le biais d’un transformateur d’isolement à rapport 1:1, avec un point secondaire de connexion portant l’appellation Neutre et avec raccordement direct à la terre (masse).Bitte unbedingt vor dem Einbauen des Geräts die folgenden Sicherheitsanweisungen durchlesen:Warnung: Die Installation und der Ausbau des Geräts darf nur durch Fachpersonal erfolgen.⏹Das Gerät sollte nicht an eine ungeerdete Wechselstromsteckdoseangeschlossen werden.⏹Das Gerät muß an eine geerdete Steckdose angeschlossen werden,welche die internationalen Sicherheitsnormen erfüllt.⏹Der Gerätestecker (der Anschluß an das Gerät, nicht derWandsteckdosenstecker) muß einen gemäß EN 60320/IEC 320konfigurierten Geräteeingang haben.⏹Die Netzsteckdose muß in der Nähe des Geräts und leichtzugänglich sein. Die Stromversorgung des Geräts kann nur durch Herausziehen des Gerätenetzkabels aus der Netzsteckdoseunterbrochen werden.⏹Der Betrieb dieses Geräts erfolgt unter den SELV-Bedingungen(Sicherheitskleinstspannung) gemäß IEC 60950. Diese Bedingungen sind nur gegeben, wenn auch die an das Gerät angeschlossenen Geräte unter SELV-Bedingungen betrieben werden.电源线安全安装交换机前，请仔细阅读以下安全信息。

Data Sheet攻击缓解：入侵防御系统瞻博网络的入侵防御系统 (IPS) 已与瞻博网络的 NGFW 紧密集成，可减少威胁并防范各种攻击和漏洞。

与瞻博网络 Sky™ Advanced Threat Prevention (Sky ATP) 结合后，IPS 可对已知和未知的威胁提供全面的防御，在零日攻击袭击网络之前就开始防范。

该解决方案会持续监控对新近发现漏洞的新攻击，不断更新对新网络攻击方法的网络防护。

经由网络，针对客户端和服务器系统上的漏洞发起的攻击在造成任何损坏之前就会被阻止。

未知恶意软件：瞻博网络 Sky ATP瞻博网络 Sky ATP 是基于云的服务，可以提供全面的高级恶意软件防护。

通过与 SRX 系列防火墙集成，瞻博网络 Sky ATP 可提供动态反恶意软件解决方案来适应不断变化的威胁环境。

该解决方案提供基于云的服务来通过强大的机器学习算法动态分析 Web 和电子邮件文件，从而迅速识别新的、未知的恶意软件。

一旦得出结论，相关决策就会发送至 SRX 系列 NGFW，以供实施。

瞻博网络 Sky ATP 支持所有主流文件类型，包括Microsoft（.docx、.xls和 .ppt）、pdf 和 Android 应用程序 (APK)。

阻止已知威胁：反恶意软件保护来自多种攻击途径的恶意活动在持续激增，这种情况下，企业外围就成为了阻拦威胁进入网络的第一道防线。

反恶意软件保护将基于云的声誉情报与 SRX 系列 NGFW 的本机处理相结合，提供轻便快捷的安全保护。

其成果则是能够抵御众多已知威胁的高效外围防御，而且不会降低用户或业务的速度。

浏览防御：恶意 URL 过滤钓鱼攻击是一种流行的攻击方法，通常会导致企业内部出现严重漏洞。

毫无戒备的用户单击恶意 URL 后，就会安装利用漏洞的根程序病毒包，而此病毒包作为高级持续攻击的前导，为有价值的企业数据遭窃取创造了条件。

攻击者通常会破坏热门网站，引诱用户无意中提供其用户密码。