Juniper Logical Systems, Tenant Systems User Manual
Junos® OS
Logical Systems and Tenant Systems User Guide for Security Devices
Published
2021-04-18
ii
Juniper Networks, Inc. 1133 nn v n Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their r s c v owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this b c n without n c
Junos® OS Logical Systems and Tenant Systems User Guide for Security Devices
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The n rm n in this document is current as of the date on the page.
YEAR 2000 NOTICE
Juniper Networks hardware and s ftw r products are Year 2000 compliant. Junos OS has no known m r
m ns through the year 2038. However, the NTP c n is known to have some c y in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical |
c m n |
n consists of (or is intended for use |
||||||
with) Juniper Networks s ftw r |
Use of such s |
ftw r |
is subject to the terms and c n |
ns of the End User License |
||||
Agreement ("EULA") posted at |
s s |
r |
n r n |
s |
r |
. By downloading, installing or using such |
||
s ftw r you agree to the terms and c n |
ns of that EULA. |
|
|
|
|
|||
iii
Table of Contents
1
2
About This Guide | xxiv
Overview
Logical Systems and Tenant Systems Overview | 2
Logical Systems
Logical Systems Overview | 5
Understanding Logical Systems for SRX Series Services Gateways | 5
Features and m ns of Logical Systems | 8
Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices | 10
Understanding the Interconnect Logical System and Logical Tunnel Interfaces | 11
Understanding Packet Flow in Logical Systems for SRX Series Devices | 12
Logical Systems and Tenant Systems support for VSRX and VSRX 3.0 Instances | 21
Primary Logical Systems Overview | 23
Understanding the Primary Logical Systems and the Primary Administrator Role | 23 |
||
SRX Series Logical Systems Primary Administrator C n |
r |
n Tasks Overview | 25 |
Example: C |
n |
r n M |
VPLS Switches and LT Interfaces for Logical Systems | 27 |
||
|
Requirements | 28 |
|
|||
|
Overview | 28 |
|
|||
|
C |
n |
r |
n | 31 |
|
|
V |
r c |
|
n | 48 |
|
|
|
|
|
|
|
User Logical Systems Overview | 51
User Logical Systems C n r n Overview | 51
Understanding User Logical Systems and the User Logical System Administrator Role | 53
S n Up a Logical System | 54
Example: C n r n Root Password for Logical Systems | 55
Requirements | 55
iv
|
Overview | 55 |
|
|
|
|
|
|||
|
C n |
r |
n | |
56 |
|
|
|
|
|
Example: Cr |
n User Logical Systems, Their Administrators, Their Users, and an Interconnect |
||||||||
|
Logical System | 56 |
|
|
|
|
||||
|
Requirements | |
57 |
|
|
|
|
|||
|
|
|
|
|
|||||
|
Overview | 57 |
|
|
|
|
|
|||
|
C n |
r |
n | |
60 |
|
|
|
|
|
|
V r c |
|
n | 68 |
|
|
|
|
||
Security |
r |
s for Logical Systems | 70 |
|
|
|
||||
Understanding Logical Systems Security r |
s (Primary Administrators Only) | 71 |
||||||||
Example: C |
n |
r n |
Logical Systems Security |
r |
s (Primary Administrators Only) | 78 |
||||
|
Requirements | |
78 |
|
|
|
|
|||
|
|
|
|
|
|||||
|
Overview | 78 |
|
|
|
|
|
|||
|
C n |
r |
n | |
79 |
|
|
|
|
|
|
V r c |
|
n | 88 |
|
|
|
|
||
Example: C |
n |
r n |
User Logical Systems Security |
r |
s | 90 |
||||
|
Requirements | |
90 |
|
|
|
|
|||
|
|
|
|
|
|||||
|
Overview | 90 |
|
|
|
|
|
|||
|
C n |
r |
n | |
92 |
|
|
|
|
|
|
V r c |
|
n | 96 |
|
|
|
|
||
Example: C |
n |
r n |
Security log stream for Logical Systems | 97 |
||||||
|
Requirements | |
97 |
|
|
|
|
|||
|
|
|
|
|
|||||
|
Overview | 97 |
|
|
|
|
|
|||
|
C n |
r |
n | |
97 |
|
|
|
|
|
|
V r c |
|
n | 99 |
|
|
|
|
||
CPU |
c |
n for Logical Systems | 103 |
|
|
|
||||
Understanding CPU |
c |
n and Control | 103 |
|
|
|||||
Example: C |
n |
r n |
CPU |
z n (Primary Administrators Only) | 108 |
|||||
|
Requirements | |
108 |
|
|
|
|
|||
|
|
|
|
|
|||||
|
Overview | 109 |
|
|
|
|
||||
|
C n |
r |
n | |
109 |
|
|
|
|
|
|
V r c |
|
n | 112 |
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
v
Rn and Interfaces for Primary Logical Systems | 113
Understanding Logical Systems Interfaces and R n Instances | 113
Example: C n r n Interfaces, R n Instances, and S c Routes for the Primary and Interconnect Logical Systems and Logical Tunnel Interfaces for the User Logical Systems (Primary Administrators Only) | 115
|
Requirements | 115 |
||
|
Overview | 115 |
||
|
C n |
r |
n | 118 |
|
V r |
c |
n | 125 |
Example: C n |
r n OSPF R n Protocol for the Primary Logical Systems | 126 |
||
|
Requirements | 126 |
||
|
|||
|
Overview | 127 |
||
|
C n |
r |
n | 127 |
|
V r |
c |
n | 130 |
|
|
|
|
Rn Interfaces, and NAT for User Logical Systems | 132
Understanding Logical Systems Network Address |
r ns |
n | 132 |
||||
Example: C |
n |
r n Network Address |
r ns |
n for a User Logical Systems | 133 |
||
|
Requirements | 134 |
|
|
|
||
|
|
|
|
|||
|
Overview | 134 |
|
|
|
||
|
C n |
r |
n | 135 |
|
|
|
|
V r c |
|
n | 137 |
|
|
|
Example: C |
n |
r n Interfaces and R |
n Instances for a User Logical Systems | 138 |
|||
|
Requirements | 138 |
|
|
|
||
|
|
|
|
|||
|
Overview | 138 |
|
|
|
||
|
C n |
r |
n | 139 |
|
|
|
Example: C |
n |
r n OSPF R n Protocol for a User Logical Systems | 142 |
||||
|
Requirements | 142 |
|
|
|
||
|
|
|
|
|||
|
Overview | 142 |
|
|
|
||
|
C n |
r |
n | 143 |
|
|
|
|
V r c |
|
n | 146 |
|
|
|
|
|
|
|
|
|
|
Security Zones in Logical Systems | 148
Understanding Logical Systems Zones | 148
vi
Example: C |
n |
r n User Logical Systems | 149 |
|
|||||
|
Requirements | 150 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 150 |
|
|
|
|
|||
|
C n |
|
r |
n | 154 |
|
|
|
|
|
V r |
c |
|
n | 166 |
|
|
|
|
Example: C |
n |
r n Security Zones for a User Logical Systems | 167 |
||||||
|
Requirements | 167 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 167 |
|
|
|
|
|||
|
C n |
|
r |
n | 168 |
|
|
|
|
User |
n |
c |
n for Logical Systems | 172 |
|
||||
Example: C |
n |
r n Access r |
s (Primary Administrators Only) | 172 |
|||||
|
Requirements | 172 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 173 |
|
|
|
|
|||
|
C n |
|
r |
n | 173 |
|
|
|
|
Example: C |
n |
r n Security Features for the Primary Logical Systems | 176 |
||||||
|
Requirements | 176 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 176 |
|
|
|
|
|||
|
C n |
|
r |
n | 178 |
|
|
|
|
|
V r |
c |
|
n | 184 |
|
|
|
|
Understanding Logical System Firewall |
n |
c |
n | 184 |
|||||
Example: C |
n |
r n Firewall |
n c |
n for a User Logical System | 186 |
||||
|
Requirements | 186 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 187 |
|
|
|
|
|||
|
C n |
|
r |
n | 188 |
|
|
|
|
|
V r |
c |
|
n | 191 |
|
|
|
|
Understanding Integrated User Firewall support in a Logical System | 192 |
||||||||
Example: C |
n |
r n Integrated User Firewall |
n |
c n Management for a User Logical |
||||
|
System | 194 |
|
|
|
|
|||
|
Requirements | 194 |
|
|
|
|
|||
|
|
|
|
|
||||
|
Overview | 195 |
|
|
|
|
|||
|
C n |
|
r |
n | 195 |
|
|
|
|
|
V r |
c |
|
n | 201 |
|
|
|
|
|
|
|
|
|
|
|
|
|
vii
Example: C |
n |
r Integrated User Firewall in Customized Model for Logical System | 204 |
||
|
Requirements | 204 |
|||
|
Overview | 205 |
|||
|
C |
n |
r |
n | 205 |
|
V |
r c |
|
n | 209 |
|
|
|
|
|
Security Policies for Logical Systems | 212
Understanding Logical Systems Security Policies | 213
Example: C |
n |
r n Security Policies in a User Logical Systems | 215 |
||||
|
Requirements | 215 |
|
|
|||
|
|
|
||||
|
Overview | 216 |
|
|
|||
|
C n |
r |
n | 217 |
|
|
|
|
V r |
c |
|
n | 219 |
|
|
C n |
r n |
Dynamic Address for Logical Systems | 220 |
||||
Screen |
ns for User Logical Systems | 222 |
|||||
Understanding Logical Systems Screen |
ns | 222 |
|||||
Example: C |
n |
r n Screen |
ns for a User Logical Systems | 223 |
|||
|
Requirements | 223 |
|
|
|||
|
|
|
||||
|
Overview | 223 |
|
|
|||
|
C n |
r |
n | 224 |
|
|
|
|
|
|
|
|
|
|
Secure Wire for Logical Systems | 226
Secure Wire for Logical Systems Overview | 227
Example: C |
n |
r Secure Wire for User Logical Systems | 228 |
||
|
Requirements | 229 |
|||
|
Overview | 229 |
|||
|
C |
n |
r |
n | 229 |
|
V |
r c |
|
n | 231 |
|
|
|
|
|
VPNs in Logical Systems | 232
Understanding Route-Based VPN Tunnels in Logical Systems | 233
Example: C n r n IKE and IPsec SAs for a VPN Tunnel (Primary Administrators Only) | 234
Requirements | 235
Overview | 235
viii
|
C n |
r |
n | 237 |
|
V r |
c |
n | 242 |
Example: C n |
r n a Route-Based VPN Tunnel in a User Logical Systems | 245 |
||
|
Requirements | 245 |
||
|
|||
|
Overview | 245 |
||
|
C n |
r |
n | 246 |
|
V r |
c |
n | 249 |
|
|
|
|
UTM for Logical Systems | 250
Understanding UTM Features in Logical Systems | 251
Example: C n r n UTM for the Primary Logical System | 252
|
Requirements | 252 |
||
|
Overview | 252 |
||
|
C n |
r |
n | 254 |
|
V r |
c |
n | 258 |
Example: C n |
r n UTM for a User Logical System | 262 |
||
|
Requirements | 262 |
||
|
|||
|
Overview | 263 |
||
|
C n |
r |
n | 265 |
|
V r |
c |
n | 270 |
|
|
|
|
IDP for Logical Systems | 273
IDP in Logical Systems Overview | 274
Understanding IDP Features in Logical Systems | 276
Example: C |
n |
r n an IDP Policy for the Primary Logical Systems | 280 |
||
|
Requirements | 280 |
|
||
|
|
|||
|
Overview | 280 |
|
||
|
C n |
r |
n | 282 |
|
|
V r c |
|
n | 288 |
|
Example: C |
n |
r n and Assigning a r |
n IDP Policy for a User Logical System | 289 |
|
|
Requirements | 289 |
|
||
|
|
|||
|
Overview | 290 |
|
||
|
C n |
r |
n | 290 |
|
|
V r c |
|
n | 291 |
|
|
|
|
|
|
ix
Example: Enabling IDP in a User Logical System Security Policy | 292
|
Requirements | 292 |
||||
|
Overview | 293 |
|
|||
|
C n |
r |
|
n | 293 |
|
|
V r |
c |
n | 295 |
||
Example: C n |
|
r n |
an IDP Policy for a User Logical System | 296 |
||
|
Requirements | 296 |
||||
|
|||||
|
Overview | 297 |
|
|||
|
C n |
r |
|
n | 297 |
|
|
V r |
c |
n | 303 |
||
ALG for Logical Systems | 305 |
|||||
Understanding |
c |
n Layer Gateway (ALG) in Logical Systems | 305 |
|||
Enabling and Disabling ALG for Logical System | 306
Example: Enabling FTP ALG in a Logical System | 312
Requirements | 312
Overview | 312
C |
n |
r |
n | 312 |
V |
r |
c |
n | 319 |
DHCP for Logical Systems | 323
Understanding DHCP Support for Logical Systems | 324
Minimum DHCPv6 Relay Agent C n r |
n for Logical Systems | 324 |
|||
Example: C |
n |
r n the DHCPv6 Client for Logical Systems | 326 |
||
|
Requirements | 326 |
|
||
|
|
|||
|
Overview | 326 |
|
||
|
C n |
r |
n | 327 |
|
|
V r c |
|
n | 331 |
|
Example: C |
n |
r n the DHCPv6 Server |
ns for Logical Systems | 334 |
|
|
Requirements | 334 |
|
||
|
|
|||
|
Overview | 334 |
|
||
|
C n |
r |
n | 335 |
|
|
V r c |
|
n | 338 |
|
|
|
|
|
|
x
cn Security in Logical Systems | 339
Understanding Logical Systems |
c |
n n c n Services | 340 |
||||
Understanding Logical Systems |
c |
n Firewall Services | 341 |
||||
Example: C |
n |
r n |
c |
n Firewall Services for a Primary Logical Systems | 342 |
||
|
Requirements | 343 |
|
|
|||
|
|
|
||||
|
Overview | 343 |
|
|
|
||
|
C n |
r |
n | 344 |
|
|
|
|
V r c |
|
n | 347 |
|
|
|
Understanding Logical Systems |
c |
n Tracking Services | 348 |
||||
Example: C |
n |
r n |
c |
n Firewall Services for a User Logical System | 349 |
||
|
Requirements | 350 |
|
|
|||
|
|
|
||||
|
Overview | 350 |
|
|
|
||
|
C n |
r |
n | 351 |
|
|
|
|
V r c |
|
n | 354 |
|
|
|
Example: C |
n |
r n |
AppTrack for a User Logical Systems | 355 |
|||
|
Requirements | 356 |
|
|
|||
|
|
|
||||
|
Overview | 356 |
|
|
|
||
|
C n |
r |
n | 356 |
|
|
|
|
V r c |
|
n | 358 |
|
|
|
|
|
|
|
|
|
|
IPv6 for Logical Systems | 360
IPv6 Addresses in Logical Systems Overview | 360
Understanding IPv6 Dual-Stack Lite in Logical Systems | 361
Example: C n |
r n IPv6 for the Primary, Interconnect, and User Logical Systems (Primary |
Administrators Only) | 363 |
|
|
Requirements | 363 |
||
|
Overview | 363 |
||
|
C n |
r |
n | 366 |
|
V r c |
|
n | 373 |
Example: C |
n |
r n IPv6 Zones for a User Logical Systems | 374 |
|
Requirements | 374
Overview | 374
xi
|
C n |
r |
n | 375 |
Example: C |
n |
r n IPv6 Security Policies for a User Logical Systems | 379 |
|
|
Requirements | 379 |
||
|
Overview | 380 |
||
|
C n |
r |
n | 381 |
|
V r |
c |
n | 383 |
Example: C n |
r n IPv6 Dual-Stack Lite for a User Logical Systems | 384 |
||
|
Requirements | 384 |
||
|
|||
|
Overview | 385 |
||
|
C n |
r |
n | 385 |
|
V r |
c |
n | 386 |
|
|
|
|
SSL Proxy for Logical Systems | 388
Understanding SSL Forward and Reverse Proxy for Logical Systems | 388
Example: C |
n |
r n SSL Forward and Reverse Proxy for Logical Systems | 389 |
||
|
Requirements | 389 |
|||
|
Overview | 389 |
|||
|
C |
n |
r |
n | 389 |
|
V |
r c |
|
n | 392 |
|
|
|
|
|
ICAP Redirects for Logical Systems | 394
ICAP Redirect Support for Logical Systems | 394
Example: C |
n |
r n ICAP Redirect Service on SRX Devices | 395 |
||
|
Requirements | 396 |
|||
|
Overview | 396 |
|||
|
C |
n |
r |
n | 397 |
|
V |
r c |
|
n | 401 |
|
|
|
|
|
AppQoS for Logical Systems | 403
cn Quality of Service Support for Logical Systems Overview | 403
Example: C |
n |
r |
c n Quality of Service for Logical Systems | 404 |
||
|
Requirements | 404 |
|
|||
|
Overview | 405 |
|
|||
|
C |
n |
r |
n | 405 |
|
|
V |
r c |
|
n | 409 |
|
|
|
|
|
|
|
xii
Logical Systems in a Chassis Cluster | 410
Understanding Logical Systems in the Context of Chassis Cluster | 411
Example: C |
n |
r n Logical Systems in an |
c |
v |
ss v Chassis Cluster (Primary |
|
|
Administrators Only) | 412 |
|
|
|
||
|
Requirements | 412 |
|
|
|
||
|
|
|
|
|||
|
Overview | 413 |
|
|
|
||
|
C n |
r |
n | 417 |
|
|
|
|
V r c |
|
n | 449 |
|
|
|
Example: C |
n |
r n Logical Systems in an |
c |
v |
ss v Chassis Cluster (IPv6) (Primary |
|
|
Administrators Only) | 458 |
|
|
|
||
|
Requirements | 458 |
|
|
|
||
|
|
|
|
|||
|
Overview | 459 |
|
|
|
||
|
C n |
r |
n | 463 |
|
|
|
|
V r c |
|
n | 495 |
|
|
|
|
|
|
|
|
|
|
Flow Trace for Logical Systems | 504
Flow Trace Support for Logical Systems Overview | 505
C n r Flow Trace Support for Logical Systems | 505
Example: |
n a Logical System | 507 |
Requirements | 507
Overview | 507
C |
n |
r |
n | 508 |
V |
r |
c |
n | 511 |
rb s n Logical Systems | 512
Understanding Security Logs and Logical Systems | 512
C n r n On-Box R r n for logical Systems | 514
Example: C n r Security Log for Logical Systems | 515
Requirements | 516
Overview | 516
C |
n |
r |
n | 516 |
V |
r |
c |
n | 520 |
xiii
C |
n |
r n |
On-Box Binary Security Log Files for Logical System | 521 |
C |
n |
r n |
B x Binary Security Log Files for Logical System | 523 |
Understanding Data Path Debugging for Logical Systems | 524
Performing Tracing for Logical Systems (Primary Administrators Only) | 524
r b s |
n DNS Name R s |
n in Logical System Security Policies (Primary |
Administrators Only) | 531 |
|
|
3Tenant Systems
Tenant Systems Overview | 534
Understanding Tenant Systems | 534
Tenant System C n |
r |
n Overview | 541 |
|
|||||
Example: Cr |
|
n Tenant Systems, Tenant System Administrators, and an Interconnect VPLS |
||||||
|
Switch | 543 |
|
|
|
|
|||
|
Requirements | 544 |
|
|
|
||||
|
|
|
|
|||||
|
Overview | 544 |
|
|
|
|
|||
|
C n |
r |
|
n | 545 |
|
|
|
|
|
V r |
c |
n | 555 |
|
|
|
||
C n r n a R |
n |
Instance for a Tenant System | 557 |
||||||
Example: C n |
|
r n |
Tenant Systems | 559 |
|
|
|||
|
Requirements | 559 |
|
|
|
||||
|
|
|
|
|||||
|
Overview | 559 |
|
|
|
|
|||
|
C n |
r |
|
n | 560 |
|
|
|
|
|
V r |
c |
n | 563 |
|
|
|
||
Understanding R |
n and Interfaces for Tenant Systems | 564 |
|||||||
|
Example: C |
n |
r n |
R n and Interfaces for Tenant Systems | 565 |
||||
|
||||||||
Understanding Tenant System Security r |
s (Primary Administrators Only) | 572 |
|||||||
Example: C n |
|
r n |
Tenant Systems Security r |
s (Primary Administrators Only) | 578 |
||||
|
Requirements | 578 |
|
|
|
||||
|
|
|
|
|||||
|
Overview | 579 |
|
|
|
|
|||
|
C n |
r |
|
n | 579 |
|
|
|
|
|
V r |
c |
n | 589 |
|
|
|
||
|
|
|
|
|
|
|
|
|
xiv
Security Zones for Tenant Systems | 591
Understanding Zones for Tenant Systems | 591 |
|||
Example: C |
n |
r n Zones in the Tenant System | 592 |
|
|
Requirements | 593 |
||
|
|||
|
Overview | 593 |
||
|
C n |
r |
n | 593 |
|
V r c |
|
n | 595 |
|
|
|
|
Flow for Tenant Systems | 597
Session Cr |
|
n for Devices Running Tenant Systems | 597 |
|
||
C |
n |
r n |
Logical Systems and Tenant Systems Interconnect with M |
VPLS Switches | 603 |
|
|
Requirements | 604 |
|
|||
|
|
||||
|
Overview | 604 |
|
|||
|
C n |
r |
n | 605 |
|
|
|
V r |
c |
|
n | 613 |
|
C |
n |
r n |
tenant systems Interconnect with Logical Tunnel Interface point-to-point |
||
|
c nn c |
|
n | 615 |
|
|
|
Requirements | 615 |
|
|||
|
|
||||
|
Overview | 615 |
|
|||
|
C n |
r |
n | 616 |
|
|
|
V r |
c |
|
n | 624 |
|
C |
n |
r n |
Logical System and Tenant System Interconnect with a Logical Tunnel Interface |
||
|
point-to-point c nn c n | 625 |
|
|||
|
Requirements | 625 |
|
|||
|
|
||||
|
Overview | 625 |
|
|||
|
C n |
r |
n | 626 |
|
|
|
V r |
c |
|
n | 631 |
|
|
|
|
|
|
|
Flow Trace for Tenant Systems | 633
Flow Trace Support for Tenant Systems Overview | 634
C n r Flow Trace Support for Tenant Systems | 634
Firewall |
n c |
n for Tenant Systems | 636 |
Understanding Tenant System Firewall |
n c |
n | 636 |
xv
C n |
r n |
Firewall |
n c n for a Tenant System | 639 |
||
|
Requirements | 639 |
||||
|
|||||
|
Overview | 640 |
|
|||
|
C n |
r |
n | 642 |
||
|
V r |
c |
|
n | 653 |
|
Understanding Integrated User Firewall Support in a Tenant System | 654 |
|||||
Example: C |
n |
r n |
Integrated User Firewall n c n Management for a Tenant System | 656 |
||
|
Requirements | 656 |
||||
|
|||||
|
Overview | 657 |
|
|||
|
C n |
r |
n | 657 |
||
|
V r |
c |
|
n | 663 |
|
Example: C |
n |
r Integrated User Firewall in Customized Model for Tenant System | 665 |
|||
|
Requirements | 666 |
||||
|
|||||
|
Overview | 666 |
|
|||
|
C n |
r |
n | 667 |
||
|
V r |
c |
|
n | 670 |
|
|
|
|
|
|
|
Security Policies for Tenant Systems | 673
Understanding Security Policies for Tenant Systems | 674
Example: C |
n |
r n Security Policies in the Tenant System | 676 |
||||
|
Requirements | 676 |
|
|
|||
|
|
|
||||
|
Overview | 676 |
|
|
|||
|
C n |
r |
n | 677 |
|
|
|
|
V r |
c |
|
n | 680 |
|
|
C n |
r n |
Dynamic Address for Tenant Systems | 681 |
||||
Screen |
ns for Tenant Systems | 684 |
|
||||
Understanding Tenant System Screen |
ns | 684 |
|||||
Example: C |
n |
r n Screen |
ns for a Tenant System | 684 |
|||
|
Requirements | 685 |
|
|
|||
|
|
|
||||
|
Overview | 685 |
|
|
|||
|
C n |
r |
n | 685 |
|
|
|
|
V r |
c |
|
n | 690 |
|
|
|
|
|
|
|
|
|
xvi
NAT for Tenant Systems | 692
Understanding Network Address r ns |
n for Tenant systems | 692 |
||||
Example: C |
n |
r n Network Address |
r ns |
n for the Tenant Systems | 693 |
|
|
Requirements | 693 |
|
|
||
|
|
|
|||
|
Overview | 694 |
|
|
||
|
C n |
r |
n | 694 |
|
|
|
V r c |
|
n | 699 |
|
|
|
|
|
|
|
|
UTM for Tenant Systems | 702
Understanding UTM Features in Tenant Systems | 703
Example: C n |
r n UTM for the Tenant System | 704 |
|||
|
Requirements | 704 |
|||
|
Overview | 704 |
|||
|
C |
n |
r |
n | 705 |
|
V |
r |
c |
n | 709 |
|
|
|
|
|
IDP for Tenant Systems | 710
Understanding IDP for Tenant Systems | 710
Understanding IDP Features in Tenant Systems | 712
Example: C |
n |
r n IDP Policies and |
c s for Tenant Systems | 714 |
||
|
Requirements | 714 |
|
|||
|
Overview | 715 |
|
|||
|
C |
n |
r |
n | 715 |
|
|
V |
r c |
|
n | 729 |
|
|
|
|
|
|
|
ALG for Tenant Systems | 733
Understanding ALG Support for Tenant System | 733
Enabling and Disabling ALG for Tenant System | 734
Example: C n |
r n ALG in Tenant System | 739 |
|||
|
Requirements | 740 |
|||
|
Overview | 740 |
|||
|
C |
n |
r |
n | 740 |
|
V |
r |
c |
n | 745 |
|
|
|
|
|
DHCP for Tenant Systems | 747
xvii
Understanding DHCP support for Tenant Systems | 747
Minimum DHCPv6 Relay Agent C n r n for Tenant Systems | 747
Example: C n |
r n a DHCPv6 Client for Tenant Systems | 749 |
|||
|
Requirements | 749 |
|||
|
Overview | 749 |
|||
|
C |
n |
r |
n | 750 |
|
V |
r |
c |
n | 754 |
|
|
|
|
|
Security Log for Tenant Systems | 757
Understanding of Security Log for Tenant Systems | 757
Example: C |
n |
r Security Log for Tenant Systems | 759 |
||
|
Requirements | 759 |
|||
|
||||
|
Overview | 760 |
|||
|
C |
n |
r |
n | 760 |
|
V |
r c |
|
n | 764 |
|
|
|
|
|
Understanding On-Box R |
r |
n for Tenant Systems | 764 |
|||
C n |
r n |
On-Box R r |
n |
for Tenant Systems | 765 |
|
Understanding On-Box and |
|
B x Logging for Tenant System | 766 |
|||
C |
n |
r n |
On-Box Binary Security Log Files for Tenant System | 767 |
||
C |
n |
r n |
B x Binary Security Log Files for Tenant System | 769 |
||
AppQoS for Tenant Systems | 770
cn Quality of Service for Tenant Systems Overview | 770
Example: C |
n |
r |
c n Quality of Service for Tenant Systems | 771 |
||
|
Requirements | 772 |
|
|||
|
Overview | 772 |
|
|||
|
C |
n |
r |
n | 772 |
|
|
V |
r c |
|
n | 776 |
|
|
|
|
|
|
|
cn Security for Tenant Systems | 778
|
|
|
c |
n n c n Services for Tenant Systems Overview | 778 |
4 |
C n |
r |
n Statements |
|
address-book (System) | 783
xviii
address-name | 785 |
|
|
|
||||||
n |
s |
m |
| 787 |
|
|
|
|
||
n |
v r |
s |
| 789 |
|
|
|
|
||
auth-entry | 793 |
|
|
|
|
|||||
c n |
n |
y | 795 |
|
|
|
||||
c |
n |
n |
|
r n |
(Logical System Security Feature r |
) | 796 |
|||
cpu | 799 |
|
|
|
|
|
|
|||
s |
|
s |
ftw r |
n |
r | 801 |
|
|
|
|
dynamic-address | 803 |
|
|
|
||||||
r w |
|
n |
c |
n (tenants) | 805 |
|
||||
w b |
|
|
n c |
|
n | 808 |
|
|
|
|
pass-through | 810 |
|
|
|
||||||
fl |
w |
|
|
| 812 |
|
|
|
|
|
fl |
w s ss |
n | 814 |
|
|
|
||||
idp (logical-systems) | 816 |
|
|
|
||||||
idp-policy | 818 |
|
|
|
|
|||||
log (Security) | 819 |
|
|
|
||||||
log (Logical Systems and Tenant Systems) | 825 |
|
||||||||
logical-system (System Security |
r |
) | 829 |
|
||||||
|
c |
|
m n |
|
n y m n |
m n |
| 830 |
|
|
logical-systems (All) | 833 |
|
|
|
||||||
nat | 835 |
|
|
|
|
|
|
|||
nat-cone-binding | 841 |
|
|
|
||||||
n |
|
s |
n |
n |
|
| 843 |
|
|
|
n |
|
s |
n |
n r |
| 845 |
|
|
|
|
xix
nat-interface-port-ol (System) | 847
nat-nopat-address | 849 |
|
|||||
nat-pat-address | 851 |
|
|
||||
nat-pat-portnum | 853 |
|
|
||||
nat-port-ol-ipnumber | 855 |
|
|||||
n |
r |
r |
r nc |
r |
x (System) | 857 |
|
nat-source-pool | 859 |
|
|
||||
nat-source-rule | 861 |
|
|
||||
n |
s |
c r |
| 863 |
|
|
|
policy (System Security |
r |
) | 866 |
||||
policy-with-count | 868 |
|
|
||||
r| 870
protocols (Tenant Systems) | 872 |
|
|||||
purging | 873 |
|
|
||||
r |
|
|
|
n c |
n | 875 |
|
root-logical-system | 877 |
|
|||||
root-streaming | 878 |
|
|||||
secure-wire (System Security r |
) | 881 |
|||||
scheduler (System Security r |
) | 883 |
|||||
screen |
|
| 885 |
|
|
||
s |
c |
r |
y |
r |
| 891 |
|
s |
c |
r |
y |
r |
r s rc s | 896 |
|
stream (Logical Systems and Tenant Systems) | 898 s ftw r s | 901
url | 903
xx
w b |
r n (Logical System Security Feature r |
) | 904 |
|
zone (System Security r |
) | 909 |
|
|
5 |
r |
n Commands |
|
|
|
|
|
|
|
clear class-of-service |
c |
n |
r |
c c |
n r |
counter | 916 |
|
|
clear class-of-service |
c |
n |
r |
c c |
n r |
rate-limiters | 918 |
|
|
clear class-of-service |
c |
n |
r |
c c |
n r |
s s cs rule | 920 |
|
clear security |
c |
n |
r |
w |
rule-set s |
s |
cs logical-system | 922 |
|
clear security dns-cache | 924 |
|
|
|
|
||||
clear security |
r w |
|
n |
c |
n users | 926 |
|||
clear security |
r w |
|
n |
c |
n history | 929 |
|||
clear security idp |
c table | 932 |
|
|
|
||||
clear security idp counters ips | 933 |
|
|
|
|||||
clear security idp counters pdf-decoder | 935 |
|
|
||||||
clear security idp counters ss |
ns |
c |
n | 937 |
|
||||
clear security idp counters memory | 939 |
|
|
||||||
clear security idp counters memory | 941 |
|
|
||||||
clear security idp counters tcp-reassembler | 942 |
||||||||
clear security idp counters |
|
c |
n |
n |
c |
n | 944 |
||
clear security idp counters |
c |
n | 946 |
|
|
||||
clear security idp counters dfa | 948 |
|
|
|
|||||
clear security idp counters fl |
w | 949 |
|
|
|
||||
clear security idp counters log | 951 |
|
|
|
|||||
clear security idp counters |
|
|
c |
r | 953 |
|
|||
clear security idp counters packet-log | 954 |
|
|
||||||
clear security idp counters packet | 956 |
|
|
||||||
xxi
clear security idp counters policy-manager | 958
clear security fl |
|
w session tenant | 960 |
|
|
||||
clear services s r |
n |
c |
n |
c |
m n |
n y m n m n counters | 962 |
||
request security datapath-debug capture start | 964 |
||||||||
request security datapath-debug capture stop | 965 |
||||||||
set chassis cluster cluster-id node node-number reboot | 967 |
||||||||
show chassis cluster status | 969 |
|
|
|
|||||
show class-of-service |
|
c |
n |
r c c |
n r |
rate-limiters | 974 |
||
show log | 986 |
|
|
|
|
|
|
|
|
show route tenant | 994 |
|
|
|
|
|
|||
show security |
|
c |
n |
r w |
rule-set | 997 |
|||
show security |
|
c |
n |
r w |
rule-set logical-system | 1003 |
|||
show security |
|
c |
n |
r c |
n |
counters | 1007 |
||
show security alg status logical-system | 1010 |
|
|||||||
show security datapath-debug capture | 1015 |
|
|||||||
show security datapath-debug counter | 1017 |
|
|||||||
show security dns-cache |
| 1019 |
|
|
|
||||
show security dynamic-address | 1021 |
|
|
||||||
show security |
r w |
|
n |
c |
n history | 1032 |
|||
show security |
r w |
|
n |
c |
n users | 1036 |
|||
show security fl |
w session | 1041 |
|
|
|||||
show security fl |
w session tenant | 1054 |
|
|
|||||
show security idp logical system | 1058 |
|
|
||||||
show security idp |
c table | 1059 |
|
|
|||||
show security idp counters c |
n | 1062 |
|
|
|||||
xxii
show security idp counters |
|
c |
n |
n |
c |
n | 1066 |
|||
show security idp counters memory | 1073 |
|
|
|||||||
show security idp counters ss |
ns |
c |
n | 1077 |
|
|||||
show security idp counters pdf-decoder | 1082 |
|
||||||||
show security idp counters log | 1086 |
|
|
|
||||||
show security idp counters ips | 1093 |
|
|
|
||||||
show security idp counters dfa | 1102 |
|
|
|
||||||
show security idp counters fl |
w | 1105 |
|
|
||||||
show security idp counters |
|
|
c |
r | 1120 |
|
||||
show security idp counters packet-log | 1124 |
|
||||||||
show security idp counters packet | 1128 |
|
|
|||||||
show security idp counters policy-manager | 1136 |
|||||||||
show security idp counters tcp-reassembler | 1139 |
|||||||||
show security idp logical-system |
cy |
ss |
c |
n | 1147 |
|||||
show security idp policies | 1149 |
|
|
|
|
|||||
show security idp policy-commit-status | 1151 |
|
||||||||
show security idp policy-templates-list | 1154 |
|
||||||||
show security idp security-package-version | 1156 |
|||||||||
show security ike s |
c |
r |
y |
ss |
c |
ns | 1159 |
|
||
show security ipsec s |
c |
r |
y |
ss c |
|
ns | 1178 |
|
||
show security log report | 1213 |
|
|
|
|
|||||
show security match-policies | 1216 |
|
|
|
||||||
show security nat |
s |
n |
|
n rule | 1225 |
|
|
|||
show security nat |
s |
n |
|
n summary | 1231 |
|
||||
show security nat source rule | 1235
xxiii
show security nat source summary | 1242 |
|
|
|
|||||||
show security nat s |
|
c rule | 1246 |
|
|
|
|
||||
show security policies | 1253 |
|
|
|
|
||||||
show security screen s |
|
s |
cs | 1275 |
|
|
|
||||
show services |
s r |
|
n |
c |
n |
n c |
n |
b |
| 1291 |
|
show services |
s r |
|
n |
c |
n |
c |
m n |
n |
y m n m n | 1315 |
|
show system s c r |
y |
r |
|
| 1319 |
|
|
|
|
||
show system s c |
r |
y |
r |
|
secure-wire | 1328 |
|
|
|||
show system s c |
r |
y |
r |
|
scheduler | 1333 |
|
|
|||
show system s c |
r |
y |
r |
|
security-log-stream-number detail | 1338 |
|||||
show system s c |
r |
y |
r |
|
security-log-stream-number | 1342 |
|||||
show system s c |
r |
y |
r |
|
security-log-stream-number summary | 1346 |
|||||
show security s |
ftw r |
s | 1349 |
|
|
|
|
||||
show security s |
ftw r |
s map-e c n |
n |
y status | 1352 |
||||||
show security s ftw r |
s map-e domain | 1353 |
|
|
|||||||
show security zones | 1356 |
|
|
|
|
|
|||||
xxiv
About This Guide
Use this guide to c n r logical systems and tenant Systems in Junos OS on the SRX Series devices to r n a single device into m domains to perform security and r n nc ns
1
CHAPTER
Overview
Logical Systems and Tenant Systems Overview | 2
2
Logical Systems and Tenant Systems Overview
With the Junos |
r n system (Junos OS) on SRX Series device, you can |
r |
n a single security |
||||||
device into m |
logical devices that can perform independent tasks. Because logical systems |
||||||||
perform a subset of the tasks once handled by the main device, logical systems |
r an |
c v way to |
|||||||
maximize the use of a single security |
rm |
|
|
|
|
|
|
|
|
A complex network design requires m |
layers of switches, routers, and security devices, which |
||||||||
might lead to challenges in maintenance, c n |
r |
n and |
r |
n To reduce such complexity, |
|||||
Juniper Networks supports logical systems. Logical systems perform a subset of the c |
ns of the main |
||||||||
device and have their own unique r |
n tables, interfaces, policies, and r |
n |
instances. |
||||||
For SRX Series devices, you can r |
n a single device into following secure contexts: |
|
|||||||
•Logical systems
•Tenant systems
Each logical system has its own discrete m n s r v domain, logical interfaces, r |
n instances, |
|
security r w |
and other security features. A tenant system provides logical r |
n n of the SRX |
device into m |
domains similar to logical systems and provides high scalability. |
|
2
CHAPTER
Logical Systems
Logical Systems Overview | 5
Primary Logical Systems Overview | 23
User Logical Systems Overview | 51
Sn Up a Logical System | 54
Security |
r |
s for Logical Systems | 70 |
|
CPU |
|
c |
n for Logical Systems | 103 |
R |
n |
and Interfaces for Primary Logical Systems | 113 |
|
R |
n |
Interfaces, and NAT for User Logical Systems | 132 |
|
Security Zones in Logical Systems | 148 |
|||
User |
|
n |
c n for Logical Systems | 172 |
Security Policies for Logical Systems | 212 |
|||
Screen |
|
ns for User Logical Systems | 222 |
|
Secure Wire for Logical Systems | 226 |
|||
VPNs in Logical Systems | 232 |
|||
UTM for Logical Systems | 250 |
|||
IDP for Logical Systems | 273 |
|||
ALG for Logical Systems | 305 |
|||
DHCP for Logical Systems | 323 |
|||
|
c |
n Security in Logical Systems | 339 |
|
IPv6 for Logical Systems | 360
SSL Proxy for Logical Systems | 388
ICAP Redirects for Logical Systems | 394
AppQoS for Logical Systems | 403
Logical Systems in a Chassis Cluster | 410
Flow Trace for Logical Systems | 504
Example: |
n a Logical System | 507 |
r b s |
n Logical Systems | 512 |
|
|
5
Logical Systems Overview
IN THIS SECTION
Understanding Logical Systems for SRX Series Services Gateways | 5
Features and m ns of Logical Systems | 8
Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices | 10
Understanding the Interconnect Logical System and Logical Tunnel Interfaces | 11
Understanding Packet Flow in Logical Systems for SRX Series Devices | 12
Logical Systems and Tenant Systems support for VSRX and VSRX 3.0 Instances | 21
Logical systems enable you to |
r |
n a single device into m |
secure contexts that perform |
independent tasks. For more n |
rm |
n see the following topics: |
|
Understanding Logical Systems for SRX Series Services Gateways
Logical systems for SRX Series devices enable you to |
r |
n a single device into secure contexts. Each |
|||
logical system has its own discrete |
m n s r v domain, logical interfaces, r |
n |
instances, security |
||
r w and other security features. By transforming an SRX Series device into a m |
n n logical |
||||
systems device, you can give various departments, r |
n z |
ns customers, and partners—depending |
|||
on your environment—private use of |
r ns of its resources and a private view of the device. Using |
||||
logical systems, you can share system and underlying physical machine resources among discrete user logical systems and the primary logical system.
The top part of Figure 1 on page 6 shows the three main c n r |
n components of a logical |
|
system. The lower part of the |
r shows a single device with a primary logical system and discrete |
|
user logical systems. |
|
|
Logical systems include both primary and user logical systems and their administrators. The roles and r s ns b s of the primary administrator and those of a user logical system administrator r
6
greatly. This |
r n |
n of privileges and r s ns b |
s is considered role-based m n s r |
n and |
control. |
|
|
|
|
Figure 1: Understanding Logical Systems
Logical systems on SRX Series devices |
r many b n s allowing you to: |
Loading...