
SRX4300 FIREWALL DATASHEET

Product Description
Juniper Networks® SRX4300 Firewall is a high-performance, next-generation firewall
(NGFW) designed to safeguard your enterprise campus, data center edge, and core. It also
supports roaming and SD-WAN secure hub firewall use cases. Combining carrier-grade
routing with state-of-the-art switching, this platform delivers robust security, effective
threat detection, and comprehensive automation and mitigation capabilities.

Product Overview

As data centers evolve from traditional architecture to distributed, the firewall’s role
needs to expand. Rather than being a perimeter technology, firewalls need to be part of a
security fabric woven throughout the network. A security fabric ensures that security is
maintained at every point of connection. Juniper Networks SRX4300 next-generation firewall
is integral to this new architecture, and it empowers organizations to operationalize
security across their networks. This 1U, power-efficient firewall features built-in
zero-trust, Ethernet VPN-Virtual Extensible LAN (EVPN-VXLAN) fabric integration and
AI-Predictive Threat Prevention to secure your network. The SRX4300 delivers
next-generation firewall throughput of 45 Gbps per rack unit and supports multiple 100 Gbps
interfaces with wire speed MACsec.

Figure 1: Juniper SRX Firewalls have achieved the highest scores in security effectiveness by CyberRatings and NetSecOpen

SRX4300 delivers NGFW features that support the changing needs of cloud-enabled
enterprise networks and data centers. Whether rolling out new services within an
enterprise campus, connecting to the cloud seamlessly, complying with industry standards,
or achieving operational efficiency, the SRX4300 empowers organizations to operationalize
zero-trust principles at scale while realizing their business objectives. The SRX4300
protects critical corporate assets with features such as intrusion prevention system (IPS),
follow-the-user and follow-the-application access policies, and Juniper’s AI-Predictive
Threat Prevention. Furthermore, SRX4300 works with Juniper’s cloud security solutions to
secure hybrid-cloud environments with networkwide visibility and control, providing
consistently secure on-premises and cloud environments.

As network architectures become more distributed and decentralized, Juniper Networks
SRX Series Firewalls ensure seamless integration with other Juniper and third-party
networking platforms, and facilitate architectural transformation. At the same time, the
NGFWs facilitate architectural transformation, taking organizations from on-premises to
hybrid cloud environments seamlessly and cost effectively. SRX Series Firewalls are the first
to implement industry-standard Ethernet VPN (EVPN) type 5 and Virtual Extensible LAN
(VXLAN) protocols within data center environments, enabling the SRX4300 to act as a
secure, fabric aware leaf in the data center spine-leaf architecture.

The SRX4300 participates in the industry-first Connected Security Distributed Services
Architecture, enabling organizations to scale both horizontally and elastically, and it
simplifies operational management of large-scale firewall networks. With this architecture,
several SRX4300 platforms can work together as a single large logical firewall to provide
security at higher performance and scale.
The SRX4300 is powered by Junos® operating system, the OS that underpins and helps
secure the world’s largest mission-critical enterprise and service provider networks. It is
managed by Juniper Security Director Cloud, Juniper’s unified management experience that
connects the organization’s current deployments with future architectural rollouts. Security
Director Cloud uses a single policy framework enabling consistent security policies across
any environment and expanding zero trust to all parts of the network from the edge into the
data center. This provides unbroken visibility, policy configuration, administration, and
collective threat intelligence all in one place.

Architecture and Key Components

The SRX4300 hardware and software architecture provides cost-effective security in a
compact, scalable 1U form factor. Purpose-built to protect network environments and provide
Internet Mix (IMIX) firewall throughput of up to 50 Gbps, the SRX4300 incorporates multiple
security services and networking functions on top of Junos OS, providing highly customizable
threat protection, automation, and integration capabilities. Best-in-class advanced security
capabilities on the SRX4300 are offered as 45 Gbps of NGFW, 45 Gbps of IPS, and up to
30 Gbps of IPsec VPN in the data center, enterprise campus, and regional headquarters
deployments with IMIX traffic patterns.

Built-in Zero Trust

To increase trust and streamline operations, the SRX4300 features several built-in zero
trust device capabilities, including an embedded Trusted Platform Module (TPM) 2.0 and
cryptographically signed device ID. The SRX4300 supports RFC compliant Secure Zero Touch
Provisioning (sZTP) to deploy products in your network efficiently, expediently, and
remotely. Additionally, the SRX4300 supports MACsec at wire speed, ensuring data integrity
and confidentiality.

Connected Security Distributed Services Architecture

The SRX4300 is part of Juniper’s Connected Security Distributed Services Architecture which
revolutionizes data center security. With Juniper’s Connected Security Distributed Services
Architecture, firewall performance can scale horizontally by interconnecting traffic
forwarding and security services across multiple geographic locations. Juniper’s solution
also provides automated failover and backup nodes for both forwarding and inspection
components. In addition to redundancy and load balancing, Juniper’s Connected Security
Distributed Services Architecture simplifies how large-scale data center firewall networks
are managed and operated. Regardless of how many firewall engines across the various form
factors (physical, virtual, containerized) are added, they can all be managed as one logical
unit. This centralized management eliminates the complexity that has been an unintended
consequence of a traditional scale-out approach.

Features and Benefits


Business Requirement: High performance
Feature/Solution: Hardware accelerated encryption/decryption
SRX4300 Advantages:
• Offloads CPU intensive encryption/decryption tasks
• Improves performance for SSL and IPsec

Business Requirement: High-quality, end-user experience
Feature/Solution: Application visibility and control
SRX4300 Advantages:
• Updates application continuously and decodes custom applications
• Controls and prioritizes traffic based on application and user role
• Inspects and detects applications inside SSL-encrypted traffic, including Web and SaaS

Business Requirement: Advanced threat protection
Feature/Solution: NGFW Services: IPS, antivirus, antispam, Web filtering; Juniper Advanced Threat Prevention Cloud: sandboxing, Encrypted Traffic Insights, SecIntel threat intelligence feeds
SRX4300 Advantages:
• Prevents exploits with 99.9% effectiveness²; signatures update in real time
• Protects against known malware and malicious Web and DNS traffic
• Sandboxing for unknown malware across multiple OS types, including iOS, Windows, Android, and CentOS
• Delivers threat intelligence in an open platform to accommodate for third-party and custom threat feeds
• Detects threats hidden inside encrypted traffic without decrypting

Business Requirement: Zero-day protection
Feature/Solution: Juniper’s AI-Predictive Threat Prevention
SRX4300 Advantages:
• Predicts and prevents malware at line rate by using AI to effectively identify threats from packet snippets
• Eliminates patient-zero infections
• Auto-generates protective signatures that remain active for the full attack lifecycle, keeping the network safe from subsequent attacks

Business Requirement: Secure data transactions
Feature/Solution: Juniper Secure Connect: IPsec VPN, remote access/SSL VPN
SRX4300 Advantages:
• Provides high-performance IPsec VPN with dedicated crypto engine
• Offers diverse VPN options for various network designs, including remote access and dynamic site-to-site communications
• Simplifies large VPN deployments with auto-VPN
• Includes hardware-based crypto acceleration
• Secure and flexible remote access SSL VPN

Business Requirement: Advanced networking services
Feature/Solution: Routing, secure wire
SRX4300 Advantages:
• Supports carrier-class advanced routing and quality of service (QoS)

Business Requirement: Security embedded into the data center fabric
Feature/Solution: EVPN-VXLAN (EVPN Type 5 route)
SRX4300 Advantages:
• Enhances tunnel inspection for VXLAN encapsulated traffic with Layer 4-7 security services
• Eases operations with Type 5 support through BGP
• Does not require decapsulation for EVPN-VXLAN traffic

Business Requirement: Reliability
Feature/Solution: Chassis cluster, redundant power supplies
SRX4300 Advantages:
• Provides stateful configuration and session state synchronization
• Supports active/active and active/backup deployment scenarios
• Offers highly available hardware with redundant power supply unit (PSU) and fans

Business Requirement: Easy to manage and scale
Feature/Solution: Juniper Security Director Cloud, on-box GUI
SRX4300 Advantages:
• Provides centralized management via Juniper’s unified management experience, including zero-touch provisioning (ZTP), unbroken visibility, intelligent rule placement, and simplified policy configuration and automation
• Supports Network Address Translation (NAT), and automated IPsec VPN deployments via wizards
• Supports on-box GUI

Business Requirement: Built-in zero trust capabilities
Feature/Solution: DevID with TPM 2.0 Module
SRX4300 Advantages:
• Verifies the device’s trust posture easily
• Provides cryptographically signed device ID that supports RFC-compliant sZTP for hardware and software attestation
• Mitigates the risks of supply chain attacks

Business Requirement: Low TCO
Feature/Solution: Junos OS
SRX4300 Advantages:
• Integrates routing and security capabilities into a single device
• Reduces OpEx with Junos OS automation capabilities
• Automated integration with other devices running Junos OS, such as Juniper MX, PTX, and ACX routers, EX and QFX switches, and Cloud-Native Contrail Networking (CN2)

² Exploit block rate results tested by CyberRatings’ 2023 Enterprise Firewall test report

Figure 2: SRX4300 firewall

Software Specifications
Firewall Services

• Stateful firewall services
• Zone-based firewall
• Screens and distributed denial of service (DDoS) protection
• Protection from protocol and traffic anomalies
• Unified Access Control (UAC)
• Integration with Juniper Mist™ Access Assurance

Carrier-Grade Network Address Translation (CGNAT)

• Carrier-grade Network Address Translation (Large-scale NAT)
• IPv4 and IPv6 address translation NAT44, NAPT44, NAT66, NAPT66, NAT64, NAT46
• Static and dynamic 1-1 translation
• Source NAT with Port Address Translation (PAT)
• Destination NAT with Port Address Translation (PAT)
• Persistent NAT (EIM/EIF)
• Port Block Allocation (PBA)
• Deterministic NAT (DetNAT)
• Port overload
• Twice-NAT44
• DS-lite and Port Control Protocol (PCP)

VPN Features

• Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
• Juniper Secure Connect: Remote access/SSL VPN
• Configuration payload: Yes
• IKE encryption algorithms: Prime, 3DES-CBC, AES-CBC, AES-GCM, Suite B
• Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
• IPsec: Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
• IPsec authentication algorithms: hmac-md5, hmac-sha1-96, hmac-sha-256
• IPsec encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, Suite B
• Perfect forward secrecy, anti-replay
• Internet Key Exchange: IKEv1, IKEv2
• Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
• VPNs GRE, IP-in-IP, and MPLS


High Availability Features

• Virtual Router Redundancy Protocol (VRRP): IPv4 and IPv6
• Stateful high availability: Dual box clustering
  - Active/passive
  - Active/active
  - Configuration synchronization
  - Firewall session synchronization
  - Device/link detection
  - In-Service Software Upgrade (ISSU)
  - IP monitoring with route and interface failover
  - BFD monitoring
• Chassis cluster HA and Multinode HA (MNHA)

Application Security Services (offered as advanced security subscription license)

• Application visibility and control
• Application QoS
• Advanced/application policy-based routing (APBR)
• Application Quality of Experience (AppQoE)
• Application-based multipath routing
• User-based firewall

Threat Defense and Intelligence Services (offered as advanced security subscription license)

• Intrusion prevention system
• AI-Predictive Threat Prevention
• Antivirus
• Antispam
• Category/reputation-based URL filtering
• SSL proxy/inspection
• Protection from botnets (command and control)
• Adaptive enforcement based on GeoIP
• Juniper Advanced Threat Prevention, a cloud-based SaaS offering, to detect and block zero-day attacks
• Adaptive Threat Profiling
• Encrypted Traffic Insights
• SecIntel threat intelligence
• Juniper ATP virtual appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks

Routing Protocols

• IPv4, IPv6, static routes, RIP v1/v2
• OSPF/OSPF v3
• BGP with route reflector
• IS-IS
• Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
• Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
• Virtual routers
• Policy-based routing, source-based routing
• EVPN-VXLAN (EVPN Type 5 route)
• Equal-cost multipath (ECMP)

QoS Features

• Support for 802.1p, DiffServ code point (DSCP), EXP
• Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
• Marking, policing, and shaping
• Classification and scheduling
• Weighted random early detection (WRED)
• Guaranteed and maximum bandwidth
• Ingress traffic policing
• Virtual channels

Network Services

• Dynamic Host Configuration Protocol (DHCP) client/server/relay
• Domain Name System (DNS) proxy, dynamic DNS (DDNS)
• Juniper real-time performance monitoring (RPM) and IP monitoring
• Juniper flow monitoring (J-Flow)

Advanced Routing Services

• MPLS (RSVP, LDP)
• Circuit cross-connect (CCC), translational cross-connect (TCC)
• L2/L2 MPLS VPN, pseudo-wires
• Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
• MPLS traffic engineering and MPLS fast re-route

Management, Automation, Logging, and Reporting

• SSH, Telnet, SNMP-MIBs, Traps
• Smart image download
• Juniper CLI and Web UI, NetCONF, XML APIs, RMON
• Juniper Networks Security Director Cloud


• Python
• Junos events, commit and OP scripts
• Application and bandwidth usage reporting
• Debug and troubleshooting tools

Hardware Specifications

Table 3. SRX4300 Hardware Specifications

Specifications: SRX4300

Connectivity
Onboard ports: 8 x 1 GbE/2.5 GbE/5 GbE/10 GbE BASE-T
Onboard small form-factor pluggable plus (SFP+) transceiver ports:
  8 x 1 GbE/10 GbE SFP+
  4 x 1 GbE/10 GbE/25 GbE SFP28
  6 x 40 GbE/100 GbE QSFP28
Out-of-Band (OOB) management ports: 1 x 1 GbE G (RJ-45)
Dedicated high availability (HA) ports: 2 x 1 GbE SFP
Console: 1 (RJ-45)
USB 3.0 ports (Type A): 1

Storage
Storage (SSD): 1 x 120 GB (primary), 1 x 960 GB (secondary + logging disk)

Dimensions and Power
Form factor: 1U
Size (W x H x D): 17.28 x 1.74 x 18.20 in (43.89 x 4.42 x 46.23 cm)
Weight (device and PSU):
  Chassis with two AC PSU: 20.2 lb (9.2 kg)
  Chassis with two DC PSU: 20.5 lb (9.3 kg)
  Chassis with package: 36.6 lb (16.6 kg)
Redundant PSU: 1+1
Power supply:
  2 x 850W AC PSU redundant
  2 x 850 W DC PSU redundant
Average heat dissipation:
  1 x DC PSU (40V): 1221.5 BTU/h
  2 x DC PSU (40V): 1224.9 BTU/h
  1 x AC PSU (110V): 1206.2 BTU/h
  1 x AC PSU (230V): 1175.5 BTU/h
  2 x AC PSU (110V): 1228.4 BTU/h
  2 x AC PSU (230V): 1206.2 BTU/h
Maximum current consumption:
  4.67 A (for 110 V AC PSM)
  2.188 A (for 230 V AC PSM)
  11.53 A (for -40 V DC Power)
Maximum inrush current:
  40 A for 1 cycle of AC (AC PSM)
  40 A-pk (DC PSM)

Environment and Regulatory Compliance
Airflow/cooling: Front to back
Operating temperature: 32° to 104° F (0° to 40° C at 6000 ft altitude)
Operating humidity: 5% to 90% non-condensing
Mean time between failures (MTBF): Over 100,000 hours (12 years)
FCC classification: Class A
RoHS compliance: RoHS 6

Performance and Scale
Firewall throughput³ (IMIX): 50 Gbps
Firewall throughput³ (1518B): 90 Gbps
IPsec VPN throughput³ (IMIX): 30 Gbps
IPsec VPN throughput³ (1400B): 75 Gbps
Application security performance (TPS#): 60 Gbps
Next-generation firewall (TPS)⁴: 45 Gbps
Secure Web Access Firewall (CPS**): 45 Gbps
Advanced Threat (CPS**)⁶: 15 Gbps
Connections per second (64B): 550,000
Maximum concurrent sessions (IPv4 or IPv6): 10 Million
Route table size (RIB/FIB) (IPv4): 2 Million/1 Million
IPsec VPN tunnels: 8,000

³ Throughput numbers based on UDP packets and RFC2544 test methodology
⁴ Next-generation firewall performance is measured with firewall, application security, and IPS enabled
⁵ Secure Web Access firewall performance is measured with firewall, application security, IPS, SecIntel, and URL filtering enabled
⁶ Advanced Threat performance is measured with Firewall, Application Security, IPS, SecIntel, URL Filtering and Malware Protection enabled
# TPS Method: Throughput performance of average HTTP sessions
** CPS Method: Short-lived sessions

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services designed to accelerate,
extend, and optimize your high-performance network. Our services allow you to maximize
operational efficiency while reducing costs and minimizing risk, achieving a faster time to
value. Juniper Networks ensures operational excellence by optimizing the network to maintain
required levels of performance, reliability, and availability. For more details, please
visit https://www.juniper.net/us/en/products.html.

Ordering Information

To order Juniper Networks SRX Series Firewalls, and to access software licensing
information, please visit the How to Buy page at
https://www.juniper.net/us/en/how-to-buy/form.html.

About Juniper Networks

At Juniper Networks, we are dedicated to dramatically simplifying network operations and
driving superior experiences for end users. Our solutions deliver industry-leading insight,
automation, security and AI to drive real business results. We believe that powering
connections will bring us closer together while empowering us all to solve the world’s
greatest challenges of well-being, sustainability and equality.


Statement of Product Direction


The information on this page may contain Juniper's development
and plans for future products, features, or enhancements (“SOPD
Information”). SOPD Information is subject to change at any time,
without notice. Juniper provides no assurances, and assumes no
responsibility, that future products, features, or enhancements will
be introduced. In no event should any purchase decision be based
upon reliance of timeframes or specifics outlined as part of SOPD
Information, because Juniper may delay or never introduce the
future products, features, or enhancements.
Any SOPD Information within, or referenced or obtained from, this
website by any person does not give rise to any reliance claim, or
any estoppel, against Juniper in connection with, or arising out of,
any representations set forth in the SOPD Information. Juniper is
not liable for any loss or damage (howsoever incurred) by any
person in connection with, or arising out of, any representations set
forth in the SOPD Information.

Corporate and Sales Headquarters

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
www.juniper.net

APAC and EMEA Headquarters

Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.207.125.700

Copyright 2023 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no
responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000779-003-EN Dec 2023