The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | v
Documentation and Release Notes | v
Documentation Conventions | v
Documentation Feedback | viii
Requesting Technical Support | viii
Self-Help Online Tools and Resources | ix
Creating a Service Request with JTAC | ix
1 VMWare NSX-T Integration
NSX Managers | 2
Understanding Juniper Connected Security for VMware NSX-T Integration | 2
VMware NSX-T Overview | 3
vSRX Integration with NSX-T Manager and Junos Space Security Director | 3
High-Level Workflow | 4
Before You Deploy vSRX in VMware NSX-T Environment | 5
About the NSX Managers Page | 7
Tasks You Can Perform | 8
Field Descriptions | 8
Downloading the SSH Key File | 9
Add the NSX Manager | 11
Registering Security Services | 13
Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment | 14
Create a Security Group | 15
Discover the NSX-T Manager and Register vSRX as a Security Service | 16
Deploy vSRX as a Security Service | 19
Verify vSRX Agent VM Deployment in Security Director | 20
Automatic Creation of Security Policy in the NSX-T Environment to Direct Traffic Through
the vSRX Agent VMs | 21
Delete the NSX-T Manager | 23
Delete NSX-T Manager Services | 24
About the vCenter Servers Page | 25
Tasks You Can Perform | 26
Field Descriptions | 26
About the Security Groups Page | 26
Tasks You Can Perform | 27
Field Descriptions | 27
View Members of a Security Group | 27
About the Virtual Machines Page | 28
Tasks You Can Perform | 28
Field Descriptions | 28
View Network Details of a Virtual Machine | 29
View Security Groups of a Virtual Machine | 30
Implement Threat Policy on VMWare NSX-T | 31
VMWare NSX-T Integration with Policy Enforcer and Sky ATP Overview | 31
Implementation of Infected Hosts Policy Overview | 32
Register NSX Micro Service as Policy Enforcer Connector Instance Overview | 33
Before You Begin | 33
Infected Hosts Workflow in VMware NSX-T | 33
Configure VMware NSX-T with Policy Enforcer | 36
Example: Create a Firewall Rule in VMware NSX-T Using SDSN_BLOCK Tag | 38
About the Documentation
IN THIS SECTION
Documentation and Release Notes | v
Documentation Conventions | v
Documentation Feedback | viii
Requesting Technical Support | viii
Use this guide to understand how the Juniper Networks vSRX Virtual Services Gateway integrates into the
VMware NSX-T environment as an advanced security service, with Junos Space Security Director as its
security manager. Policy Enforcer integrates with the VMware NSX-T solution to deliver an advanced
next-generation firewall feature set that uses vSRX for VMware microsegmentation deployments.
Documentation and Release Notes
To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page vi defines notice icons used in this guide.
Table 1: Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.
Table 2 on page vi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration
statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration
hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the
symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: In the braces example above, nexthop address; and retain; are leaf statements.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
  Networks TechLibrary site, and do one of the following:
  • Click the thumbs-up icon if the information on the page was helpful to you.
  • Click the thumbs-down icon if the information on the page was not helpful to you or if you have
    suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
  URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
  Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
  365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
VMWare NSX-T Integration
IN THIS CHAPTER
Understanding Juniper Connected Security for VMware NSX-T Integration | 2
Before You Deploy vSRX in VMware NSX-T Environment | 5
About the NSX Managers Page | 7
Downloading the SSH Key File | 9
Add the NSX Manager | 11
Registering Security Services | 13
Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment | 14
Delete the NSX-T Manager | 23
Delete NSX-T Manager Services | 24
About the vCenter Servers Page | 25
About the Security Groups Page | 26
View Members of a Security Group | 27
About the Virtual Machines Page | 28
View Network Details of a Virtual Machine | 29
View Security Groups of a Virtual Machine | 30
Implement Threat Policy on VMWare NSX-T | 31
Understanding Juniper Connected Security for VMware NSX-T Integration
IN THIS SECTION
VMware NSX-T Overview | 3
vSRX Integration with NSX-T Manager and Junos Space Security Director | 3
High-Level Workflow | 4
This section presents an overview of how the Juniper Networks vSRX Virtual Services Gateway integrates into
the VMware NSX-T environment as an advanced security service, with Junos Space Security Director as
its security manager.
VMware NSX-T Overview
VMware NSX-T is VMware’s network virtualization platform for the Software Defined Data Center (SDDC).
Like server virtualization, network virtualization de-couples the network functions from the physical devices.
VMware NSX-T is designed to address application frameworks and architectures that have heterogeneous
endpoints and technology stacks. VMware NSX-T is not directly coupled with vShpere and therefore it
supports various Hypervisors, Containers, BareMetal, and public clouds such as Amazon Web Service and
Azure. With VMware NSX-T, you can design hybrid cloud for organizations where critical data and services
are hosted within private cloud and web services or high availability application in Public clouds.
VMware NSX-T is the latest generation of VMware’s network virtualization product series. NSX-T is the
successor to NSX-V. NSX-T supports third-party Hypervisors and next generation overlay encapsulation
protocols such as Generic Network Virtualization Encapsulation (Geneve). NSX-T acts as a network
Hypervisor that allows software abstraction of various network services that include logical switch
(segments), logical routers (Tier-0 or Tier-1 Gateway), logical firewalls, logical load balancers, and logical
VPNs.
3
VMware NSX-T provides L2-L4 stateful firewall features, network segmentation, multitenancy support,
L2/L3 VPN, load balancing, DHCP, source and destination NAT, and many more services at the Edge Gateway.
VMware NSX-T also provides a framework for integrating advanced security services as North-South services
at the Edge Gateway.
Each virtual machine running in the NSX-T environment can be protected with a full stateful firewall engine
using very granular policies. Such policies can be application specific, including services. vSRX runs as a
service virtual machine and provides advanced L4 to L7 services.
vSRX Integration with NSX-T Manager and Junos Space Security Director
To deploy the advanced security features of the vSRX Virtual Services Gateway in the VMware NSX-T
environment, the Junos Space Security Director, vSRX, and NSX-T Manager operate together as a joint
solution to fully automate the provisioning and deployment of the vSRX to protect applications and data
from advanced cyberattacks.
Integration of the vSRX VM in the VMware NSX-T environment involves use with the following management
software:
• Junos Space Security Director—The centralized security management platform responsible for service
  registration and configuration of each vSRX instance. Security Director provides you with the ability
  to manage a distributed network of virtualized and physical firewalls from a single location. Security
  Director functions as the management interface between the NSX-T Manager and the vSRX Services
  Gateway, and manages the firewall policies on all vSRX instances.
• NSX-T Manager—The centralized network management component of VMware NSX-T.
The NSX-T Manager is added as a registered device in the Security Director and communication is
bidirectionally synchronized by the Junos Space Policy Enforcer between the two management platforms.
All shared objects (such as security groups) are synchronized between the NSX-T Manager and Security
Director. This includes the IP addresses of all VMs, including the vSRX agent VMs. Security Director creates
an address group for each security group synchronized from the NSX-T Manager, along with the addresses
of each member of the security group. The security groups discovered from the NSX-T Manager are
mapped to dynamic address groups (DAG) in Security Director. Policy Enforcer retains the mapping of all
IP addresses between security groups and dynamic address groups.
The vSRX Services Gateway is deployed as a partner service appliance in the VMware NSX-T environment.
Use the security policies to direct all VM traffic through the vSRX VM for L4 through L7 advanced security
analysis.
High-Level Workflow
Figure 1 on page 4 provides a high-level workflow of how the NSX-T Manager, Security Director, and
vSRX interact to deploy vSRX as a security service in the VMware NSX-T environment.
Figure 1: vSRX, Security Director, and VMware NSX-T Integration Workflow
[Figure 1 (g301445) shows the NSX-T Manager, Security Director/Policy Enforcer holding the vSRX OVF, the
NSX Edge Cluster, and the vSRX, with the interactions numbered 1 through 4 as described below.]
1. The Junos Space Security Director initiates communication with the NSX-T Manager. Security
   Director discovers, registers, and adds the NSX-T Manager as a device in its database. Security
   Director also deploys the vSRX instance from the .ovf file and registers it as a security service. The
   NSX-T Manager and its inventory of shared objects (for example, security groups) and addresses are
   then synchronized with Security Director. The registration process uses Policy Enforcer to enable
   bidirectional communication between Security Director and the NSX-T Manager.
2. The NSX-T Manager deploys the registered vSRX instance as a Juniper security service to the NSX
   Edge Cluster. The deployment is based on the vSRX .ovf file.
3. After the vSRX agent VM is provisioned as a security service, NSX-T Manager notifies Security Director
   by using REST API callbacks. Security Director pushes the initial boot configuration and Junos OS
   configuration policies to each vSRX agent VM to support the NSX-T security group. Security Director
   is aware of the NSX-T security groups and corresponding address groups, and all deployed vSRX agent
   VMs are automatically discovered.
   Security policies redirect relevant network traffic originating from the VMs in a specific security group
   to the Juniper security service vSRX agent VM for further analysis.
   Security Director dynamically synchronizes the object database to all vSRX agent VMs deployed
   in the NSX Edge Cluster. Security groups discovered from NSX-T Manager are mapped to a dynamic address
   group (DAG) in Security Director. Security Director manages the firewall policies on the vSRX agent
   VMs. Using Security Director, you create advanced security service policies (for example, an application
   firewall policy or an IPS policy) and then push those policies to the vSRX agent VMs.
4. The NSX-T Manager continues to send real-time updates on changes in the virtual environment to
   Security Director.
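The synchronization described in steps 1 through 4 is what makes NSX-T group membership usable in vSRX policy: each discovered security group becomes a dynamic address group, and every later change must be turned into a delta that is pushed to the agent VMs. The following Python script is an added example, not Juniper code, that models that behaviour. It maps discovered groups to DAGs, validates every member address before it can reach firewall policy, and computes the delta for a change event. The JSON shapes follow the NSX-T Policy API group and effective-member endpoints as an assumption, the sample data is constructed, and the DAG naming convention nsx_<group-id> is also an assumption, since the page does not document how Security Director names the address groups.

```python
"""Added example (not Juniper's code): map NSX-T security groups to Security
Director dynamic address groups (DAGs) and reconcile a change event.

Assumptions, because the page does not specify them:
- Group and member JSON mimic the NSX-T Policy API
  (GET /policy/api/v1/infra/domains/<domain>/groups and
   GET .../groups/<id>/members/ip-addresses); the data below is constructed.
- DAG names are derived as "nsx_" + group id; the real naming scheme used by
  Security Director is not documented on this page.
"""
import ipaddress
import json

# Constructed NSX-T snapshot: two groups and their effective IP members.
NSX_GROUPS_SNAPSHOT = json.loads("""
{"results": [
  {"id": "web-tier", "display_name": "Web Tier", "path": "/infra/domains/default/groups/web-tier"},
  {"id": "db-tier",  "display_name": "DB Tier",  "path": "/infra/domains/default/groups/db-tier"}
]}
""")
NSX_MEMBERS_SNAPSHOT = {
    "web-tier": {"results": ["10.10.1.11", "10.10.1.12", "10.10.1.0/24"]},
    "db-tier": {"results": ["10.10.2.21", "not-an-ip", "10.10.2.22"]},  # one bogus entry
}


def dag_name(group_id: str) -> str:
    """Name of the DAG that mirrors an NSX-T group (assumed convention)."""
    return f"nsx_{group_id}"


def normalize_members(raw):
    """Split member strings into (accepted, rejected).

    Accepted entries are canonical IPv4/IPv6 network strings (hosts become /32
    or /128).  Anything that does not parse is rejected rather than forwarded:
    a malformed entry would break the DAG commit on every vSRX agent VM, and
    data received from a peer management system is still untrusted input.
    """
    accepted, rejected = set(), []
    for m in raw:
        try:
            accepted.add(str(ipaddress.ip_network(m, strict=False)))
        except ValueError:
            rejected.append(m)
    return accepted, rejected


def build_dags(groups, members):
    """Snapshot -> ({dag_name: set(members)}, {dag_name: [rejected]}); models the
    initial synchronization in step 1.  Rejected members are kept for logging."""
    dags, rejected = {}, {}
    for g in groups["results"]:
        accepted, bad = normalize_members(members.get(g["id"], {}).get("results", []))
        dags[dag_name(g["id"])] = accepted
        if bad:
            rejected[dag_name(g["id"])] = bad
    return dags, rejected


def reconcile(current, update):
    """Delta between two DAG tables: what Policy Enforcer would push to the
    vSRX agent VMs when NSX-T reports a change (step 4).
    Returns (added, removed, deleted_dags)."""
    added, removed = {}, {}
    for name, members in update.items():
        old = current.get(name, set())
        if members - old:
            added[name] = members - old
        if old - members:
            removed[name] = old - members
    deleted = sorted(set(current) - set(update))
    return added, removed, deleted


def demo():
    """Initial sync, then a constructed change event: one VM joins web-tier,
    one leaves, and db-tier is deleted in NSX-T."""
    current, _ = build_dags(NSX_GROUPS_SNAPSHOT, NSX_MEMBERS_SNAPSHOT)
    changed_groups = {"results": [NSX_GROUPS_SNAPSHOT["results"][0]]}
    changed_members = {"web-tier": {"results": ["10.10.1.11", "10.10.1.13", "10.10.1.0/24"]}}
    new, _ = build_dags(changed_groups, changed_members)
    return reconcile(current, new)


if __name__ == "__main__":
    dags, rejected = build_dags(NSX_GROUPS_SNAPSHOT, NSX_MEMBERS_SNAPSHOT)
    for name in sorted(dags):
        print(name, sorted(dags[name]), "rejected:", rejected.get(name, []))
    added, removed, deleted = demo()
    print("added:", added, "removed:", removed, "deleted:", deleted)
```

The rejected list is the part worth keeping in a real integration: a group member that does not parse should be logged and alerted on, not silently dropped and not passed through, because the same data ends up in firewall match conditions on every agent VM.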
RELATED DOCUMENTATION
VMware NSX-T Data Sheet
Junos Space Security Director
vSRX
Before You Deploy vSRX in VMware NSX-T Environment
Before you begin deploying the vSRX Virtual Services Gateway as an advanced security service in VMware
NSX-T:
• Download the .ovf file of the vSRX software image from the Juniper Networks website and save it to the
  Policy Enforcer. The vSRX OVF URL automatically appears in the Register Security Service page of
  Security Director when you register the vSRX virtual machine (VM) as a Juniper security service on the
  NSX-T Manager.
• Obtain the Juniper SDSN for NSX license key (see Juniper SDSN for VMware NSX Licensing).
• Install the VMware vCenter Server on a Windows VM or physical server, or deploy the VMware vCenter
  Server Appliance. Connect to the vCenter Server from the vSphere Web Client. See the VMware
  documentation for details.
• Install NSX-T Manager. NSX-T Manager can be installed on ESXi or KVM servers. See the VMware
  documentation for details.
NOTE: Juniper Networks devices require a license to activate the feature. To understand more
about VMware NSX licensing, see Licenses for Network Management. Refer to the
Licensing Guide for general information about license management.
Table 3 on page 6 lists the system software requirement specifications for the components of a vSRX,
Security Director, and VMware NSX-T Manager.
Table 3: System Software Specifications for vSRX in VMware NSX Environment

Component | Specification
VMware ESXi Server | 6.5 and 6.7
VMware vCenter Server | 6.7 and 7.0
VMware NSX-T Manager | 3.0
Junos Space Security Director | 21.1 or later
Junos Space Policy Enforcer | 21.1 or later
vSRX | Junos OS Release vSRX 3.0 21.1 or later
Memory | 4 GB
Disk space | 16 GB (IDE or SCSI drives)
vCPUs | 2 vCPUs
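Because the .ovf package is downloaded from the Internet, stored on the Policy Enforcer, and then deployed automatically by NSX-T Manager without further operator review, it is worth checking the package before it is staged. The following Python script is an added example, not Juniper code: it verifies every file against the SHA256 entries of an OVF manifest and reads the descriptor's VirtualHardwareSection to confirm the image declares at least the Table 3 minimums (2 vCPUs, 4 GB memory, 16 GB disk). The descriptor, manifest and file contents are constructed for the example and do not reflect the real vSRX package; the resource-type codes (3 CPU, 4 memory, 17 disk) and "byte * 2^N" unit strings are standard DMTF OVF.

```python
"""Added example (not Juniper's code): pre-flight checks on a vSRX OVF package
before it is handed to Policy Enforcer.

 1. verify_manifest(): every "SHA256(<file>)= <hex>" line in the .mf manifest
    must match the file's digest (SHA1 entries are treated as failures).
 2. hardware_profile() / meets_minimums(): the VirtualHardwareSection of the
    descriptor must meet the Table 3 minimums (2 vCPUs, 4 GB memory, 16 GB disk).

The descriptor, manifest and file contents are constructed for this example;
the real vSRX package uses different file names and sizes.  Resource-type codes
(3 = CPU, 4 = memory, 17 = disk) and "byte * 2^N" units are standard DMTF OVF.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
RASD_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
MINIMUMS = {"vcpus": 2, "memory_mib": 4096, "disk_gib": 16}  # Table 3

# Constructed package: a stand-in disk image and a minimal descriptor.
FILES = {"vsrx.vmdk": b"FAKE-VMDK-CONTENT-FOR-EXAMPLE"}
FILES["vsrx.ovf"] = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:rasd="{RASD_NS}">
  <References><File ovf:href="vsrx.vmdk" ovf:id="file1" ovf:size="{len(FILES['vsrx.vmdk'])}"/></References>
  <DiskSection>
    <Disk ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:capacity="16" ovf:capacityAllocationUnits="byte * 2^30"/>
  </DiskSection>
  <VirtualSystem ovf:id="vSRX">
    <VirtualHardwareSection>
      <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>2</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
        <rasd:VirtualQuantity>4096</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>17</rasd:ResourceType><rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>""".encode()

# A manifest matching the constructed files (a real package ships it as <name>.mf).
MANIFEST = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in sorted(FILES.items()))

MANIFEST_RE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]+)\s*$")


def verify_manifest(manifest: str, files: dict) -> dict:
    """Return {file name: True/False} for every manifest entry.  A file that is
    missing, listed with SHA1 only, or whose digest differs fails."""
    results = {}
    for line in manifest.splitlines():
        m = MANIFEST_RE.match(line.strip())
        if not m:
            continue  # blank or unknown line; a stricter checker could reject it
        name, data = m["name"], files.get(m["name"])
        ok = data is not None and m["algo"] == "SHA256" and hashlib.sha256(data).hexdigest() == m["hex"].lower()
        results[name] = ok
    return results


def _unit_bytes(units: str) -> int:
    """Size of one allocation unit: DMTF 'byte * 2^N' (bare 'byte' means 1)."""
    m = re.fullmatch(r"byte(?:\s*\*\s*2\^(\d+))?", units.strip())
    if not m:
        raise ValueError(f"unsupported allocation unit: {units!r}")
    return 2 ** int(m.group(1) or 0)


def hardware_profile(ovf_xml: bytes) -> dict:
    """Sum the CPU, memory and disk declared in the descriptor's hardware section."""
    root = ET.fromstring(ovf_xml)
    disks_gib = {}  # diskId -> capacity in GiB, from DiskSection
    for d in root.iter(f"{{{OVF_NS}}}Disk"):
        units = d.get(f"{{{OVF_NS}}}capacityAllocationUnits", "byte")
        disks_gib[d.get(f"{{{OVF_NS}}}diskId")] = int(d.get(f"{{{OVF_NS}}}capacity")) * _unit_bytes(units) // 2**30
    profile = {"vcpus": 0, "memory_mib": 0, "disk_gib": 0}
    for item in root.iter(f"{{{OVF_NS}}}Item"):
        rtype = item.findtext(f"{{{RASD_NS}}}ResourceType")
        if rtype == "3":
            profile["vcpus"] += int(item.findtext(f"{{{RASD_NS}}}VirtualQuantity"))
        elif rtype == "4":
            units = item.findtext(f"{{{RASD_NS}}}AllocationUnits", "byte")
            qty = int(item.findtext(f"{{{RASD_NS}}}VirtualQuantity"))
            profile["memory_mib"] += qty * _unit_bytes(units) // 2**20
        elif rtype == "17":
            ref = item.findtext(f"{{{RASD_NS}}}HostResource", "")  # "ovf:/disk/<diskId>"
            profile["disk_gib"] += disks_gib.get(ref.rsplit("/", 1)[-1], 0)
    return profile


def meets_minimums(profile: dict, minimums: dict = MINIMUMS) -> dict:
    """Per-resource pass/fail against the Table 3 minimums."""
    return {k: profile[k] >= v for k, v in minimums.items()}


if __name__ == "__main__":
    print("manifest:", verify_manifest(MANIFEST, FILES))
    prof = hardware_profile(FILES["vsrx.ovf"])
    print("hardware:", prof, "ok:", meets_minimums(prof))
```

The manifest check only proves the files match the manifest that came with them; to anchor it to Juniper, compare the digests against the checksums published on the download page, and treat a package that ships SHA1-only manifest entries as something to re-verify out of band rather than accept.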