Data Sheet: SRX Series Services Gateways for the Branch
When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration are mirrored automatically so that firewall and VPN sessions remain active if one node fails. The branch SRX Series synchronizes both configuration and runtime information, so the following state is shared and survives a failover: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. With typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), by contrast, all dynamic flow and session information is lost and must be reestablished after a failover; some or all network sessions have to restart, depending on the convergence time of the links or nodes. By maintaining state, the SRX Series preserves not only the session but also the security decisions already made for it. In an unstable network, this active/active configuration also mitigates the effect of link flapping on session performance.
Session-Based Forwarding Without the Performance Hit
To optimize the throughput and latency of the combined router and firewall, Junos OS implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With Junos OS, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions need a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic compared with a classic router, which performs multiple table lookups: first to verify session information and then to find a next-hop route.
Figure 3 shows the session-based forwarding algorithm. When a new session is established, the session-based architecture within Junos OS verifies that the session is allowed by the forwarding policies. If the session is allowed, Junos OS looks up the next-hop route in the routing table. It then inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single table lookup in the session and forwarding table, and are forwarded to the egress interface.
Figure 2: High availability (four panels: Active/Standby in normal operation and after a failure; Active/Active in normal operation and after a failure; each panel shows a pair of SRX240 gateways between EX Series switches and the Internet)
Figure 3: Session-based forwarding algorithm (Ingress Interface; Session Initial Packet Processing; Security Policy Evaluation and Next-Hop Lookup; Table Update; Session and Forwarding Table; Forwarding for Permitted Traffic; Egress Interface; Disallowed by Policy: Dropped)
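As an added illustration (not Juniper's code and not how Junos OS is implemented internally), the following Python model walks the Figure 3 algorithm: the first packet of a flow goes through policy evaluation and a next-hop lookup, the result is installed in a session and forwarding table, later packets of the same flow need a single lookup, and a flow denied by policy is dropped without installing a session. The routing table, policy rules and packets are constructed sample data.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed routing table: (prefix, next hop, egress interface); longest prefix wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "203.0.113.1", "ge-0/0/0"),
    (ip_network("10.0.0.0/8"), "10.0.0.1", "ge-0/0/1"),
    (ip_network("10.1.0.0/16"), "10.1.0.1", "ge-0/0/2"),
]

# Constructed policy: ordered (src_net, dst_net, dst_port or None, action); first match wins.
POLICY = [
    (ip_network("192.168.1.0/24"), ip_network("10.1.0.0/16"), 443, "permit"),
    (ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0"), 80, "permit"),
    (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None, "deny"),  # default deny
]

FiveTuple = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto
NextHop = Tuple[str, str]                   # next-hop address, egress interface


class SessionForwarder:
    """Toy model of session-based forwarding: policy + next hop cached per session."""

    def __init__(self) -> None:
        self.sessions: Dict[FiveTuple, NextHop] = {}  # the session and forwarding table
        self.lookups = 0  # table lookups performed, to compare first packet vs. fast path

    def _policy_allows(self, src: str, dst: str, dport: int) -> bool:
        self.lookups += 1
        for s_net, d_net, port, action in POLICY:
            if ip_address(src) in s_net and ip_address(dst) in d_net and port in (None, dport):
                return action == "permit"
        return False  # no rule matched: treat as denied

    def _next_hop(self, dst: str) -> NextHop:
        self.lookups += 1
        best = max((r for r in ROUTES if ip_address(dst) in r[0]), key=lambda r: r[0].prefixlen)
        return best[1], best[2]

    def forward(self, pkt: FiveTuple) -> Optional[NextHop]:
        """Return (next hop, egress interface) for a forwarded packet, or None if dropped."""
        if pkt in self.sessions:          # established session: one lookup gives next hop
            self.lookups += 1
            return self.sessions[pkt]
        src, dst, _, dport, _ = pkt       # initial packet: full policy evaluation
        if not self._policy_allows(src, dst, dport):
            return None                   # disallowed by policy: dropped, no session installed
        entry = self._next_hop(dst)       # route lookup, then table update
        self.sessions[pkt] = entry
        return entry
```

The `lookups` counter makes the difference visible: the first packet of a permitted flow costs a policy lookup plus a route lookup, every later packet of that flow costs one session-table lookup.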