High Availability - Juniper SRX100 Datasheet

SRX Series Services Gateways for the Branch

To ease the configuration of a firewall, SRX Series for the branch
uses two features—"zones" and "policies." While these can be
user defined, the default shipping configuration contains, at a
minimum, a trust and an untrust zone. The trust zone is used for
configuration and attaching the LAN to the branch SRX Series. The
untrust zone is used for the WAN or Internet interface. To simplify
installation and make configuration easier, a default policy is in
place that allows traffic originating from the trust zone to flow to
the untrust zone. This policy blocks ALL traffic originating from
the untrust zone to the trust zone. A traditional router forwards all
traffic without regard to a firewall (session awareness) or policy
(origination and destination of a session).

By using the Web interface or CLI, enterprises can create a series
of security policies that control the traffic within and
between zones. At the broadest level, all types
of traffic can be allowed from any source in security zones to any
destination in all other zones without any scheduling restrictions.
At the narrowest level, policies can be created that allow only one
kind of traffic between a specified host in one zone and another
specified host in another zone during a scheduled time period.
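
The two extremes described above, written as Junos `set` commands. This is an added example, not part of the datasheet: the policy names, address-book entries, documentation-range addresses and schedule are constructed, and the zone-attached address-book form shown is an assumption that depends on the Junos release (later releases use a global address book instead).

```junos
# Broadest level: any source in trust to any destination in untrust,
# any application, no schedule (the shape of the default shipping policy).
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

# Anything no policy matches is dropped; this is what keeps
# untrust-originated sessions out of the trust zone.
set security policies default-policy deny-all

# Narrowest level: one host, one destination, one application, one time window.
# Constructed names and addresses (RFC 5737 documentation ranges).
set security zones security-zone trust address-book address branch-pc 192.0.2.10/32
set security zones security-zone untrust address-book address partner-portal 198.51.100.25/32
set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 18:00:00

set security policies from-zone trust to-zone untrust policy pc-to-portal match source-address branch-pc
set security policies from-zone trust to-zone untrust policy pc-to-portal match destination-address partner-portal
set security policies from-zone trust to-zone untrust policy pc-to-portal match application junos-https
set security policies from-zone trust to-zone untrust policy pc-to-portal then permit
set security policies from-zone trust to-zone untrust policy pc-to-portal then log session-close
set security policies from-zone trust to-zone untrust policy pc-to-portal scheduler-name business-hours

# Policies are evaluated top-down and the first match wins, so the narrow
# policy only restricts traffic once the broad permit is removed.
delete security policies from-zone trust to-zone untrust policy trust-to-untrust
```

Outside the scheduled window the `pc-to-portal` policy is inactive, so its traffic falls through to `default-policy deny-all`.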

[Figure 2: High availability. Panels: Active/Standby and Active/Active, each showing SRX240 devices between the Internet and EX Series switches, with failure cases.]

High Availability
Junos OS Services Redundancy Protocol (JSRP) is a core feature
of the SRX Series for the branch. JSRP enables a pair of security
systems to be easily integrated into a high availability network
architecture, with redundant physical connections between the
systems and the adjacent network switches. With link redundancy,
Juniper Networks can address many common causes of system
failures, such as a physical port going bad or a cable getting
disconnected, to ensure that a connection is available, without
having to fail over the entire system. This is consistent with a
typical active/standby nature of routing resiliency protocols.
When SRX Series Services Gateways for the branch are configured
as an active/active pair, traffic and configuration are mirrored
automatically to provide active firewall and VPN session
maintenance in case of a failure. The branch SRX Series now
synchronizes both configuration and runtime information. As a
result, the following information is synchronized and available
during failover: connection/session state and flow information, IPsec
security associations, Network Address Translation (NAT) traffic,
address book information, configuration changes, and more. In

This manual is also suitable for: SRX240, SRX650, SRX 210