SRX4600 Firewall Datasheet

Product Overview

The SRX4600 is a high-performance, next-generation firewall and hardware-accelerated security gateway offering up to 400 Gbps of firewall performance that supports the changing needs of cloud-enabled enterprise and service provider networks. The SRX4600 allows organizations to roll out new services in an enterprise data center or campus, connect to the cloud, comply with industry standards, deploy distributed security gateways, or offer high-scale multitenant security services. The SRX4600 helps organizations realize their business objectives while providing scalability, high availability, ease of management, secure connectivity, and advanced threat mitigation capabilities.

Product Description

The SRX4600 Firewall protects mission-critical data center and campus networks for enterprises, mobile service providers, and cloud service providers. Designed for high-performance security services architectures, the SRX4600 protects critical corporate IT assets as a next-generation firewall (NGFW), acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience.

Integrating networking and security in a single platform, the SRX4600 features multiple high-speed interfaces, intrusion prevention, advanced threat protection, and authentication, along with high-performance IPsec VPN and Internet gateway capabilities. It also offers high scalability, high availability, robust protection, application visibility, user identification, and deep content inspection to provide unparalleled control over the security infrastructure.

The SRX4600 also acts as a central enforcement point, leveraging vital automation and actionable intelligence to protect users in a multivendor network environment. The SRX4600 also delivers fully automated SD-WAN to both enterprises and service providers. Due to its high performance and scale, the SRX4600 acts as a VPN hub and terminates VPN/secure overlay connections in various SD-WAN topologies.

The SRX4600 is powered by Juniper Networks Junos^® operating system, the industry-leading OS that keeps the world’s largest mission-critical enterprise and service provider networks secure.

Architecture and Key Components

The SRX4600 hardware and software architecture provides cost-effective security in a small 1 U form factor. Purpose-built to protect network environments and provide Internet Mix (IMIX) firewall throughput up to 400 Gbps, the SRX4600 incorporates multiple security services and networking functions on top of Junos OS. Best-in-class security and advanced threat mitigation capabilities on the SRX4600 are offered as 33 Gbps of NGFW, 45.4 Gbps of intrusion prevention system (IPS), and up to 44 Gbps of IPsec VPN in data center, enterprise campus, and regional headquarter deployments with IMIX traffic patterns.

Table 1. SRX4600 Statistics¹

¹ Performance, capacity, and features listed are based on systems running Junos OS 21.3R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
² Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
³ Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
Performance	SRX4600
Firewall throughput—IMIX	400 Gbps/400 Gbps
Firewall throughput with application security	90 Gbps
IPsec VPN throughput—IMIX/1400 B	44/70 Gbps
Intrusion prevention system (IPS)	45.4 Gbps
Next-Generation Datacenter Firewall² throughput	33 Gbps
Secure Web Access Firewall³ throughput	22.6 Gbps
Connections per second	600,000
Maximum session 60	60 million

The SRX4600 recognizes more than 4,275 applications and nested applications in plain text or SSL-encrypted transactions. The firewall also integrates with Microsoft Active Directory and combines user information with application data to provide network-wide application and user visibility and control.

Features and Benefits

Table 2. SRX4600 Features and Benefits

Business Requirement	Feature/Solution	SRX4600 Advantages
High performance	Up to 400 Gbps of IMIX firewall throughput	Best suited for enterprise campus and data center edge deployments Ideal for secure router/VPN concentrator deployments at the head office Addresses diverse needs and scales for service provider deployments
High-quality end-user experience	Application visibility and control	Detects 4,275 L3-L7 applications, including Web 2.0 Controls and prioritizes traffic based on application and use role Inspects and detects applications inside SSL-encrypted traffic
Advanced threat protection	IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance	Provides real-time updates to IPS signatures and protects against exploits Implements industry-leading antivirus and URL filtering Delivers open threat intelligence platform that integrates with third-party feeds Protects against zero-day attacks Stops rogue and compromised devices to disseminate malware Restores visibility lost due to encryption, without the heavy burden of full TLS/SSL decryption
Professional-grade networking services	Routing, secure wire	Supports carrier-class advanced routing and quality of service (QoS)
Highly secure	IPsec VPN, Remote access/SSL VPN	Provides high-performance IPsec VPN with dedicated crypto engine Offers diverse VPN options for various network designs, including remote access and dynamic site-to-site communications Simplifies large VPN deployments with auto VPN Includes hardware-based crypto acceleration Secure and flexible remote access SSL VPN with Juniper Secure Connect
Highly reliable	Chassis cluster, redundant power supplies	Provides stateful configuration and session synchronization Supports active/active and active/backup deployment scenarios Offers highly available hardware with redundant power supply unit (PSU) and fans
Easy to manage and scale	On-box GUI, Juniper Networks Security Director	Enables centralized management for autoprovisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments Includes simple, easy-to-use on-box GUI for local management
Low TCO	Junos OS	Integrates routing and security in a single device Reduces OpEx with Junos OS automation capabilities

Software Specifications

Firewall Services

Stateful and stateless firewall
Zone-based firewall
Screens and distributed denial of service (DDoS) protection
Protection from protocol and traffic anomalies
Unified Access Control (UAC)

Network Address Translation (NAT)

Source NAT with Port Address Translation (PAT)
Bidirectional 1:1 static NAT
Destination NAT with PAT
Persistent NAT
IPv6 address translation
Port Block Allocation method for CGNAT
Deterministic NAT

VPN Features

Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)
Juniper Secure Connect: Remote access/SSL VPN
Configuration payload: Yes
IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B
Perfect forward secrecy, anti-reply
Internet Key Exchange: IKEv1, IKEv2
Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
VPNs GRE, IP-in-IP, and MPLS

High Availability Features

Virtual Router Redundancy Protocol (VRRP)—IPv4 and IPv6
Stateful high availability:
- HA clustering
  - Active/active
  - Active/passive
  - Dual MACsec-enabled HA control ports (10GbE)
  - Dual MACsec-enabled HA fabric ports (10GbE)
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- Unified in-service software upgrade (unified ISSU)
IP monitoring with route and interface failover

Application Security Services³

Application visibility and control
Application-based firewall
Application QoS
Advanced/application policy-based routing (APBR)
Application Quality of Experience (AppQoE)
Application-based multipath routing
User-based firewall

Threat Defense and Intelligence Services³

IPS
Antivirus
Antispam
Category/reputation-based URL filtering
SSL proxy/inspection
Protection from botnets (command and control)
Adaptive enforcement based on GeoIP
Juniper ATP, a cloud-based SaaS offering, to detect and block zero-day attacks
Adaptive Threat Profiling
Encrypted Traffic Insights
SecIntel to provide threat intelligence
Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks

Routing Protocols

IPv4, IPv6, static routes, RIP v1/v2
OSPF/OSPF v3
BGP with route reflector
IS-IS
Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)

QoS Features

Support for 802.1p, DiffServ code point (DSCP)
Classification based on interface, bundles, or multifield filters
Marking, policing, and shaping
Classification and scheduling
Weighted random early detection (WRED)
Guaranteed and maximum bandwidth

Network Services

Dynamic Host Configuration Protocol (DHCP) client/server/relay
Domain Name System (DNS) proxy, dynamic DNS (DDNS)
Juniper real-time performance monitoring (RPM) and IP monitoring
Juniper flow monitoring (J-Flow)

Management, Automation, Logging, and Reporting

SSH, Telnet, SNMP
Smart image download
Juniper CLI and Web UI
Security Director
Python
Junos OS events, commit, and OP scripts
Application and bandwidth usage reporting
Debug and troubleshooting tools

³Offered as advanced security subscription license

Hardware Specifications

Table 3. SRX4600 Hardware Specifications

⁴There are eight dedicated 1GbE/10GbE ports. The four 40GbE/100GbE ports can use breakout cables to create 4x1GbE/10GbE (SFP+) ports each, resulting in a total of 24x 1GbE/10GbE ports.
⁵ Throughput numbers based on UDP packets and RFC2544 test methodology.
⁶ Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
⁷ Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
⁸ IPv6 FIB scale is with 32-bit mask.

Specification	SRX4600
Total onboard I/O ports	Up to 24x1GbE/10GbE (SFP+)⁴ 4x40GbE/100GbE (QSFP28)
Out-of-Band (OOB) management ports	RJ-45 (1 Gbps)
Dedicated high availability (HA) ports	2x1GbE/10GbE (SFP+) Control 2x1GbE/10GbE (SFP+) Data
Console	RJ-45 (RS232)
USB 2.0 ports (Type A)	1
Memory and Storage
System memory (RAM)	256 GB
Secondary storage (SSD)	2x 1 TB M.2 SSD
Dimensions and Power
Form factor	1 U
Size (WxHxD)	17.4 x 1.7 x 26.5 in (44.19 x 4.32 x 67.31 cm) With AC PEMs: 17.4 x 1.7 x 27.29 in (44.19 x 4.32 x 69.32 cm) With DC PEMs: 17.4 x 1.7 x 29.20 in (44.19 x 4.32 x 74.17 cm)
Weight (system and 2 power entry modules)	With AC PEMs: 38 lb (17.24 kg) Shipping weight: 45.47 lb (20.62 kg) With DC PEMs: 40 lb (18.14 kg) Shipping weight: 47.47 lb (21.53 kg)
Redundant PSU	1+1
Power supply	2x 1600 W AC-DC PSU redundant 2x 1100 W DC-DC PSU redundant
Average power consumption	650 W
Average heat dissipation	2218 BTU/hour
Maximum current consumption	12 A (for 110 V AC power) 6 A (for 220 V AC power) 24 A (for -48 V DC power)
Precision Time Protocol Timing Ports
Time of day – RS-232 (EIA-23)	1xRJ-45
BITS clock	1xRJ-48
10-MHz timing connector (GNSS)	1xInput (COAX) 1xOutput (COAX)
Pulse per second connection (1-PPS)	1xInput (COAX) 1xOutput (COAX)
Environmental and Regulatory Compliance
Acoustic noise level	69 dBA at normal fan speed,87 dBA at full fan speed
Airflow/cooling	Front to back
Operating temperature	32° to 104° F (0° to 40° C)
Operating humidity	5% to 90% noncondensing
Meantime between failures (MTBF)111,626 hours (12.75 years)	111,626 hours (12.75 years)
FCC classification	Class A
RoHS compliance	RoHS 2
NEBS compliance	Designed for NEBS Level 3
Performance
Routing/firewall (64 B packet size) throughput Gbps⁴	104 Gbps
Routing/firewall (IMIX packet size) throughput Gbps⁴	400 Gbps
Routing/firewall (1518 B packet size) throughput Gbps⁴	400 Gbps
IPsec VPN (IMIX packet size) Gbps⁴	44.4 Gbps
IPsec VPN (1400 B packet size) Gbps⁴	69.6 Gbps
Application security performance in Gbps⁵	75.5 Gbps
Recommended IPS in Gbps⁶	45.5 Gbps
Next-generation firewall in Gbps⁶	33 Gbps
Secure Web Access firewall in Gbps ⁷	22.6 Gbps
Connections per second (CPS)	600,000
Maximum security policies	80,000
Maximum concurrent sessions (IPv4 or IPv6)	60 million
Route table size (RIB/FIB) (IPv4 or IPv6⁸)	4 million/1.2 million
IPsec tunnels	7500
Number of remote access/SSL VPN (concurrent) users	7500

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For services specific information specific to SRX Series Firewalls, please read the Firewall Conversion Service or the SRX Series QuickStart Service datasheets. For more details, please visit https://www.juniper.net/us/en/products.html.

Ordering Information

To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html.

⁷ Based on concurrent users; two free licenses included
Description	SRX4600-SYS-JB
Hardware	Included
Management (CLI, J-Web, SNMP, Telnet, SSH)	Included
L2 transparent, secure wire	Included
Routing (RIP, OSPF, BGP, virtual router)	Included
Multicast (IGMP, PIM, SSDP, DMVRP)	Included
Packet mode	Included
Overlay (GRE, IP-IP)	Included
Network services (J-Flow, DHCP, QoS, BFD)	Included
Stateful firewall, screens, application-level gateways (ALGs)	Included
NAT (static, SNAT, DNAT)	Included
IPsec VPN (site-site VPN, auto VPN, group VPN)	Included
Remote access/SSL VPN (concurrent users)⁷	Optional
Firewall policy enforcement (UAC, Aruba CPPM)	Included
Chassis cluster, VRRP, unified ISSU	Included
Automation (Junos OS scripting, auto-installation)	Included
General Packet Radio Service (GPRS)/GPRS tunneling protocol (GTP)/Stream Control Transmission Protocol (SCTP)	Included
Application security (AppID, AppFW, AppQoS, AppQoE, AppRoute)	Optional

Base Systems

Product Number	Description
SRX4600-SYS-JB-AC	SRX4600 Firewall includes hardware (4x100GbE, 8x10GbE, two AC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)
SRX4600-SYS-JB-DC	SRX4600 Firewall includes hardware (4x100GbE, 8x10GbE, two DC power supply units, five fan trays, cables, and rack mount kit) and Junos Software Base (Firewall, NAT, IPsec, routing, MPLS)

All systems include dual (redundant) AC or DC power supplies, five (4+1) redundant fans, country-specific power cords, dual (redundant) solid-state drives, rack mount kit, and core Junos OS software (stateful firewall, NAT, IPsec, and routing).

Advanced Security Services Subscription Licenses

Product Number	Description
S-SRX4600-A1-1	SW, A1, IPS, AppSecure, content security, 1 year
S-SRX4600-A2-1	SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 1 year
S-SRX4600-A3-1	SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 1 year
S-SRX4600-A1-3	SW, A1, IPS, AppSecure, content security, 3 year
S-SRX4600-A2-3	SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 3 year
S-SRX4600-A3-3	SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 3 year
S-SRX4600-A1-5	SW, A1, IPS, AppSecure, content security, 5 year
S-SRX4600-A2-5	SW, A2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, content security, 5 year
S-SRX4600-A3-5	SW, A3, IPS, AppSecure, URL filtering, on box anti-virus, content security, 5 year
S-SRX4600-P1-1	SW, P1, IPS, AppSecure, ATP, content security, 1 year
S-SRX4600-P2-1	SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 1 year
S-SRX4600-P3-1	SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 1 year
S-SRX4600-P1-3	SW, P1, IPS, AppSecure, ATP, content security, 3 year
S-SRX4600-P2-3	SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 3 year
S-SRX4600-P3-3	SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 3 year
S-SRX4600-P1-5	SW, P1, IPS, AppSecure, ATP, content security, 5 year
S-SRX4600-P2-5	SW, P2, IPS, AppSecure, URL filtering, cloud anti-virus/anti-spam, ATP, content security, 5 year
S-SRX4600-P3-5	SW, P3, IPS, AppSecure, URL filtering, on box anti-virus, ATP, content security, 5 year

Service Spares

Product Number	Description
JNP-FAN-1RU	Universal fan, 1 U chassis
JNP-PWR1600-AC	Universal AC power supply, 1600 W
JNP-PWR1100-DC	Universal DC power supply, 1100 W
JNP-SSD-M2-1TB	Universal 1 TB SSD, in carrier, no Junos OS
SRX4600-4PST-RMK	Rack mount kit, 4-post adjustable for SRX4600

Remote Access/Juniper Secure Connect VPN Licenses

Product Number	Description
S-RA3-5CCU-S-1	SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-25CCU-S-1	SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-50CCU-S-1	SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-100CCU-S-1	SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-250CCU-S-1	SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-500CCU-S-1	SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-1	SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5KCCU-S-1	SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 1 Year
S-RA3-5CCU-S-3	SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-25CCU-S-3	SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-50CCU-S-3	SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-100CCU-S-3	SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-250CCU-S-3	SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-500CCU-S-3	SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-1KCCU-S-3	SW, Remote Access VPN - Juniper, 1000 Concurrent Users, Standard, with SW support, 3 Year
S-RA3-5KCCU-S-3	SW, Remote Access VPN - Juniper, 5000 Concurrent Users, Standard, with SW support, 3 Year

About Juniper Networks

At Juniper Networks, we are dedicated to dramatically simplifying network operations and driving superior experiences for end users. Our solutions deliver industry-leading insight, automation, security and AI to drive real business results. We believe that powering connections will bring us closer together while empowering us all to solve the world’s greatest challenges of well-being, sustainability and equality.

1000628 - 021 - EN SEPT 2022