A firewall analyzer built for Juniper SRX and Junos.
SAMURAI is a self-hosted Juniper firewall analyzer that reads Juniper SRX (Junos OS) configuration state directly: zone-based security policies, source and destination NAT, the address book, applications, security zones, and IPsec VPNs. It is a configuration analyzer, not a log analyzer: you see the rules themselves and every change to them, attributed to the admin who made it, in the same dashboard as your Palo Alto, FortiGate, and Cisco estate.
Updated July 2026
What it analyzes
Zone-based security policies
Browse and search Junos security policies by from-zone, to-zone, source, destination, application, and action, with server-side filtering across the whole SRX estate.
Source, destination & static NAT
Junos NAT rule sets with address-book entries resolved to real prefixes, so you read the translation, not a pool name you have to chase.
Address book, resolved
Address sets and application sets expanded recursively at sync time, so you see "HTTPS (tcp/443)" and the real prefixes behind every group.
Security zones & interfaces
Zone-to-interface bindings in one view, so you can see which interfaces a policy actually governs.
IPsec VPN visibility
IKE gateways, IPsec VPNs, and the security policies that permit tunnel traffic, side by side.
Change tracking with attribution
Every Junos configuration change detected, diffed, and attributed to the admin who committed it, alongside your other vendors on one timeline.
More than a single-vendor SRX tool
Junos Space Security Director manages Juniper policy well, within the Juniper estate. SAMURAI takes a different angle: it reads SRX configuration state and puts it on the same dashboard as your Palo Alto, FortiGate, and Cisco firewalls, plus the routers, switches, and ACI fabrics around them, with effective-access, rule hygiene, and per-rule risk scoring on top.
Scope
SAMURAI
Juniper SRX plus Palo Alto, FortiGate, Cisco FMC, routers, switches, and ACI: one multi-vendor view
Single-vendor managers
Juniper-only policy management
Deployment
SAMURAI
Single Docker container, self-hosted, air-gap friendly, serving data in about five minutes
Single-vendor managers
Dedicated management appliance or VM
Analysis
SAMURAI
Effective access, shadowed/redundant/overly-broad detection, and per-rule risk scoring across vendors
Single-vendor managers
Policy authoring and push within one vendor
Change visibility
SAMURAI
Cross-vendor change timeline with commit attribution
Single-vendor managers
Juniper commit history in isolation
We'd rather be honest: for authoring and pushing Junos policy, Security Director is the specialist. SAMURAI does not push configuration. It reads SRX state, analyzes it (effective access, hygiene, risk), and shows it beside every other vendor with change attribution, self-hosted. That whole-network view is what SAMURAI is built for.
Frequently asked questions
Which Juniper devices does SAMURAI support?
Juniper SRX series firewalls running Junos OS. SAMURAI reads their configuration state, zone-based security policies, NAT, address book, applications, security zones, and IPsec VPNs, alongside your Palo Alto, FortiGate, and Cisco FMC firewalls.
Is SAMURAI a Juniper log analyzer?
No. SAMURAI is a Juniper configuration analyzer, not a log analyzer. It reads policy and configuration state from each SRX rather than parsing traffic logs or syslog, so you analyze the rules themselves and every change to them. SAMURAI can forward its own events as RFC5424 syslog, but SRX traffic-log analytics is not its focus.
How does SAMURAI read the SRX configuration?
Over Junos native interfaces, reading the structured configuration the device already exposes, read-only. SAMURAI does not modify or push Junos configuration; it syncs state continuously and diffs it.
Can it resolve address sets and applications?
Yes. Address sets and application sets are expanded recursively at sync time, so a policy shows real prefixes and "HTTPS (tcp/443)" rather than a group name you have to look up.
Does it work across Juniper and other vendors at once?
Yes, that is the point. SRX policies sit in the same searchable dashboard and change timeline as Palo Alto, FortiGate, and Cisco FMC, with path tracing across the routers, switches, and ACI fabrics between them.
Is there a free option?
Yes. A free test license ships with the SAMURAI Docker image on Docker Hub, no email required, so you can analyze your own SRX firewalls before talking to anyone. Production use is licensed per deployment, sized by device count.
Can SAMURAI run air-gapped?
Yes. It ships as a self-contained Docker image with no telemetry. Nothing leaves your perimeter.