Data Sheet SRX4600 SERVICES GATEWAY Description - Networktelecom


Data Sheet
SRX4600 SERVICES GATEWAY

Product Overview

The SRX4600 Services Gateway is a high-performance, next-generation firewall and hardware-accelerated security gateway offering up to 400 Gbps of firewall performance that supports the changing needs of cloud-enabled enterprise and service provider networks. Whether rolling out new services in an enterprise data center or campus, connecting to the cloud, complying with industry standards, deploying distributed security gateways, or offering high-scale multitenant security services, the SRX4600 helps organizations realize their business objectives while providing scalability, high availability, ease of management, secure connectivity, and advanced threat mitigation capabilities.

Product Description

The Juniper Networks SRX4600 Services Gateway protects mission-critical data center and campus networks for enterprises, mobile service providers, and cloud service providers. Designed for high-performance security services architectures, the SRX4600 protects key corporate IT assets as a next-generation firewall, acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience.

Integrating networking and security in a single platform, the SRX4600 features multiple high-speed interfaces, intrusion prevention, advanced threat protection, and authentication, along with high-performance IPsec VPN and Internet gateway capabilities. It also offers high scalability, high availability, robust protection, application visibility, user identification, and deep content inspection to provide unparalleled control over the security infrastructure.

The SRX4600 also acts as a central enforcement point in the Juniper Connected Security framework, leveraging strong automation and actionable intelligence to protect users in a multivendor network environment.

The SRX4600 is powered by Juniper Networks Junos operating system, the industry-leading OS that keeps the world’s largest mission-critical enterprise and service provider networks secure.

Architecture and Key Components

The SRX4600 hardware and software architecture provides cost-effective security in a small 1 U form factor. Purpose-built to protect network environments and provide Internet Mix (IMIX) firewall throughput of up to 75 Gbps, the SRX4600 incorporates multiple security services and networking functions on top of Junos OS. Best-in-class security and advanced threat mitigation capabilities on the SRX4600 are offered as 60 Gbps of next-generation firewall, 65 Gbps of intrusion prevention system (IPS), and up to 16 Gbps of IPsec VPN in data center, enterprise campus, and regional headquarter deployments with IMIX traffic patterns.

Table 1. SRX4600 Statistics¹

Performance (SRX4600)
Firewall throughput: 95 Gbps
Firewall throughput – IMIX with Express Path: 400 Gbps
Firewall throughput—IMIX: 75 Gbps
Firewall throughput with application security: 90 Gbps
IPsec VPN throughput—IMIX/1400 B: 16/55 Gbps
Intrusion prevention system (IPS): 65 Gbps
NGFW² throughput: 60 Gbps
Connections per second: 600,000
Maximum session: 60 million

¹ Performance, capacity, and features listed are based on systems running Junos OS 19.3R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
² Next-generation firewall (NGFW) is a combination of advanced features such as application security, IPS, and URLF in addition to the foundational services such as logging and stateful firewall.

The SRX4600 recognizes more than 3500 applications and nested applications in plain text or SSL-encrypted transactions. The firewall also integrates with Microsoft Active Directory and combines user information with application data to provide network-wide application and user visibility and control.

Features and Benefits

Table 2. SRX4600 Features and Benefits

Business Requirement: High performance
Feature/Solution: Up to 95 Gbps of firewall throughput (up to 75 Gbps of IMIX firewall throughput)
SRX4600 Advantages:
- Best suited for enterprise campus and data center edge deployments
- Ideal for secure router/VPN concentrator deployments at the head office
- Addresses diverse needs and scale for service provider deployments

Business Requirement: High-quality end-user experience
Feature/Solution: Application visibility and control
SRX4600 Advantages:
- Detects 3500 L3-L7 applications, including Web 2.0
- Controls and prioritizes traffic based on application and user role
- Inspects and detects applications inside SSL-encrypted traffic

Business Requirement: Advanced threat protection
Feature/Solution: IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance
SRX4600 Advantages:
- Provides real-time updates to IPS signatures and protects against exploits
- Implements industry-leading antivirus and URL filtering
- Delivers open threat intelligence platform that integrates with third-party feeds
- Protects against zero-day attacks
- Stops rogue and compromised devices from disseminating malware
- Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption

Business Requirement: Professional-grade networking services
Feature/Solution: Routing, secure wire
SRX4600 Advantages:
- Supports carrier-class advanced routing and quality of service (QoS)

Business Requirement: Highly secure
Feature/Solution: IPsec VPN, Remote access/SSL VPN
SRX4600 Advantages:
- Provides high-performance IPsec VPN with dedicated crypto engine
- Offers diverse VPN options for various network designs, including remote access and dynamic site-to-site communications
- Simplifies large VPN deployments with auto VPN
- Includes hardware-based crypto acceleration
- Secure and flexible remote access SSL VPN with Juniper Secure Connect

Business Requirement: Highly reliable
Feature/Solution: Chassis cluster, redundant power supplies
SRX4600 Advantages:
- Provides stateful configuration and session synchronization
- Supports active/active and active/backup deployment scenarios
- Offers highly available hardware with redundant power supply unit (PSU) and fans

Business Requirement: Easy to manage and scale
Feature/Solution: On-box GUI, Juniper Networks Junos Space Security Director
SRX4600 Advantages:
- Enables centralized management for autoprovisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
- Includes simple, easy-to-use on-box GUI for local management

Business Requirement: Low TCO
Feature/Solution: Junos OS
SRX4600 Advantages:
- Integrates routing and security in a single device
- Reduces OpEx with Junos OS automation capabilities

Software Specifications

Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomalies
- Unified Access Control (UAC)

Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
- Port Block Allocation method for CGNAT
- Deterministic NAT

VPN Features
- Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)
- Juniper Secure Connect: Remote access/SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-replay

- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs GRE, IP-in-IP, and MPLS

High Availability Features
- Virtual Router Redundancy Protocol (VRRP)—IPv4 and IPv6
- Stateful high availability:
  - HA clustering
  - Active/passive
  - Active/passive
  - Dual MACsec-enabled HA control ports (10GbE)
  - Dual MACsec-enabled HA fabric ports (10GbE)
  - Configuration synchronization
  - Firewall session synchronization
  - Device/link detection
  - Unified in-service software upgrade (unified ISSU)
- IP monitoring with route and interface failover

Application Security Services³
- Application visibility and control
- Application-based firewall
- Application QoS
- Advanced/application policy-based routing (APBR)
- Application Quality of Experience (AppQoE)
- Application-based multipath routing
- User-based firewall

Threat Defense and Intelligence Services³
- IPS
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- SSL proxy/inspection
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper ATP, a cloud-based SaaS offering, to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel to provide threat intelligence
- Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks

Routing Protocols
- IPv4, IPv6, static routes, RIP v1/v2
- OSPF/OSPF v3
- BGP with route reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
  - Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
  - Virtual routers
  - Policy-based routing, source-based routing
  - Equal-cost multipath (ECMP)

QoS Features
- Support for 802.1p, DiffServ code point (DSCP)
- Classification based on interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth

Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP monitoring
- Juniper flow monitoring (J-Flow)

Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP
- Smart image download
- Juniper CLI and Web UI
- Junos Space Security Director
- Python
- Junos OS events, commit, and OP scripts
- Application and bandwidth usage reporting
- Debug and troubleshooting tools

³ Offered as advanced security subscription license

Hardware Specifications

Table 3. SRX4600 Hardware

Application security performance in Gbps⁵: 90 Gbps
Total onboard I/O ports: Up to 24x1GbE/10GbE (SFP+)⁴; 4x40GbE/100GbE (QSFP28)
Recommended IPS in Gbps⁶: 65 Gbps
Next-generation firewall in Gbps⁶: 60 Gbps
Connections per second (CPS): 600,000
Maximum security policies: 80,000
Maximum concurrent sessions (IPv4 or IPv6): 60 million
Route table size (RIB/FIB) (IPv4 or IPv6⁷): 4 million/1.2 million
IPsec tunnels: 7500
Number of remote access/SSL VPN (concurrent) users: 7500
Out-of-Band (OOB) management ports: RJ-45 (1 Gbps)
Dedicated high availability (HA) ports: 2x1GbE/10GbE (SFP+) Control; 2x1GbE/10GbE (SFP+) Data
Console: RJ-45 (RS232)
USB 2.0 ports (Type A): 1

Memory and Storage
System memory (RAM): 256 GB
Secondary storage (SSD): 2x 1 TB M.2 SSD; Formatted as 960 GB

Dimensions and Power
Form factor: 1U
Size (WxHxD): 17.4 x 1.7 x 26.5 in (44.19 x 4.32 x 67.31 cm); With AC PEMs: 17.4 x 1.7 x 27.29 in (44.19 x 4.32 x 69.32 cm); With DC PEMs: 17.4 x 1.7 x 29.20 in (44.19 x 4.32 x 74.17 cm)
Weight (system and 2 power entry modules): With AC PEMs: 38 lb (17.24 kg), Shipping weight: 45.47 lb (20.62 kg); With DC PEMs: 40 lb (18.14 kg), Shipping weight: 47.47 lb (21.53 kg)
Redundant PSU: 1+1
Power supply: 2x 1600 W AC-DC PSU redundant; 2x 1100 W DC-DC PSU redundant
Average power consumption: 650 W
Average heat dissipation: 2218 BTU/hour
Maximum current consumption: 12 A (for 110 V AC power); 6 A (for 220 V AC power); 24 A (for -48 V DC power)

Precision Time Protocol Timing Ports
Time of day - RS-232 (EIA-23): 1xRJ-45
BITS clock: 1xRJ-48
10-MHz timing connector (GNSS): 1xInput (COAX); 1xOutput (COAX)
Pulse per second connection (1-PPS): 1xInput (COAX); 1xOutput (COAX)

Environmental and Regulatory Compliance
Acoustic noise level: 69 dBA at normal fan speed, 87 dBA at full fan speed
Airflow/cooling: Front to back
Operating temperature: 32° to 104° F (0° to 40° C)
Operating humidity: 5% to 90% noncondensing
Meantime between failures (MTBF): 112,000 hours
FCC classification: Class A
RoHS compliance: RoHS 2
NEBS compliance: Designed for NEBS Level 3

Performance
Routing/firewall (64 B packet size) throughput Gbps⁴: 16 Gbps
Routing/firewall (IMIX packet size) throughput Gbps⁴: 75 Gbps
Routing/firewall (1518 B packet size) throughput Gbps⁴: 95 Gbps
IPsec VPN (IMIX packet size) Gbps⁴: 16 Gbps
IPsec VPN (1400 B packet size) Gbps⁴: 55 Gbps

⁴ There are eight dedicated 1GbE/10GbE ports. The four 40GbE/100GbE ports can use breakout cables to create 4x1GbE/10GbE (SFP+) ports each, resulting in a total of 24x 1GbE/10GbE ports.
⁵ Throughput numbers based on UDP packets and RFC2544 test methodology
⁶ Throughput numbers based on HTTP traffic with 44 KB transaction size and up to the numbers captured here
⁷ IPv6 FIB scale is with 32 bit mask

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability.

For services information specific to SRX Series Services Gateways, please read the Firewall Conversion Service or the SRX Series QuickStart Service datasheets. For more details, please

Management (CLI, J-Web, SNMP, Telnet, SSH): Included
L2 transparent, secure wire: Included
Routing (RIP, OSPF, BGP, virtual router): Included
Multicast (IGMP, PIM, SSDP, DMVRP): Included
Packet mode: Included
Overlay (GRE, IP-IP): Included
Network services (J-Flow, DHCP, QoS, BFD): Included
Stateful firewall, screens, application-level gateways (ALGs): Included
NAT (static, SNAT, DNAT): Included
IPsec VPN (site-site VPN, auto VPN, group VPN): Included
Remote access/SSL VPN (concurrent users)⁷: Optional
Firewall policy enforcement (UAC, Aruba CPPM): Included
Chassis cluster, VRRP, unified ISSU: Included
Automation (Junos OS scripting, auto-installation): Included
General Packet Radio Service (GPRS)/GPRS tunneling protocol (GTP)/Stream Control Transmission Protocol (SCTP): Included
Application security (AppID, AppFW, AppQoS, AppQoE, AppRoute): Optional

⁷ Based on concurrent users; two free licenses included

Ordering Information

To order Juniper Networks SRX Series Services Gateways, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/.

Advanced Security Services Subscription Licenses

Product Number: Description
S-SRX4600-A1-1: SW, A1, IPS, AppSecure, content security, 1 year
S-SRX4600-A2-1: SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 1 year
S-SRX4600-A3-1: SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 1 year
S-SRX4600-A1-3: SW, A1, IPS, AppSecure, content security, 3 year
S-SRX4600-A2-3: SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 3 year
S-SRX4600-A3-3: SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 3 year
S-SRX4600-A1-5: SW, A1, IPS, AppSecure, content security, 5 year
S-SRX4600-A2-5: SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 5 year
S-SRX4600-A3-5: SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 5 year
S-SRX4600-P1-1: SW, P1, IPS, AppSecure, ATP, content security, 1 year
S-SRX4600-P2-1: SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 1 year
S-SRX4600-P3-1: SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 1 year
S-SRX4600-P1-3: SW, P1, IPS, AppSecure, ATP, content security, 3 year
S-SRX4600-P2-3: SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 3 year
S-SRX4600-P3-3: SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 3 year
S-SRX4600-P1-5: SW, P1, IPS, AppSecure, ATP, content security, 5 year
S-SRX4600-P2-5: SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 5 year
S-SRX4600-P3-5: SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 5 year

Base Systems

Product Number: Description
SRX4600-SYS-JBAC: SRX4600 Services Gateway includes hardware (4x100GbE, 8x10GbE, two AC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)
SRX4600-SYS-JBDC: SRX4600 Services Gateway includes hardware (4x100GbE, 8x10GbE, two DC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)

All systems include dual (redundant) AC or DC power supplies, five (4+1) redundant fans, country-specific power cords, dual (redundant) solid-state drives, rack mount kit, and core Junos OS software (stateful firewall, NAT, IPsec, and routing).

Service Spares

Product Number: Description
JNP-FAN-1RU: Universal fan, 1 U chassis
JNP-PWR1600-AC: Universal AC power supply, 1600 W
JNP-PWR1100-DC: Universal DC power supply, 1100 W
JNP-SSD-M2-1TB: Universal 1 TB SSD, in carrier, no Junos OS
SRX4600-4PST-RMK: Rack mount kit, 4-post adjustable for SRX4600

Remote Access/Juniper Secure Connect VPN Licenses

Product Number: Description
S-RA3-5CCU-S-1: SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-25CCU-S-1: SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-50CCU-S-1: SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-100CCU-S-1: SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-250CCU-S-1: SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-500CCU-S-1: SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-1: SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5KCCU-S-1: SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5CCU-S-3: SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-25CCU-S-3: SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-50CCU-S-3: SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-100CCU-S-3: SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-250CCU-S-3: SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-500CCU-S-3: SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-3: SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-5KCCU-S-3: SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 3 Year

About Juniper Networks

Juniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 1.408.745.2000
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: 31.0.207.125.700

Copyright 2020 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000628-012-EN Nov 2020
