vSRX User Guide for Private and Public Cloud Platforms
Published
2021-03-25

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

vSRX User Guide for Private and Public Cloud Platforms
Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software you agree to the terms and conditions of that EULA.
About This Guide | iv

1 Overview
vSRX Overview | 2

2 Managing vSRX
vSRX Configuration and Management Tools | 7
Managing Security Policies for Virtual Machines Using Junos Space Security Director | 8
Configure a vSRX Chassis Cluster in Junos OS | 9
  Chassis Cluster Overview | 9
  Enable Chassis Cluster Formation | 10
  Chassis Cluster Quick Setup with J-Web | 11
  Manually Configure a Chassis Cluster with J-Web | 13

3 Supported vSRX Features
Junos OS Features Supported on vSRX | 21
Software Receive Side Scaling | 34
  Overview | 35
  Understanding Software Receive Side Scaling Configuration | 36
GTP Traffic with TEID Distribution and SWRSS | 37
  Overview GTP Traffic Distribution with TEID Distribution and SWRSS | 37
  Enabling GTP-U TEID Distribution with SWRSS for Asymmetric Fat Tunnels | 39

4 Monitoring and Troubleshooting
Monitoring | 43
Backup and Recovery | 44
Finding the Software Serial Number for vSRX | 45

About This Guide
Use this guide to understand the security features that are supported on vSRX instances.
CHAPTER 1
Overview
vSRX Overview | 2

vSRX Overview
SUMMARY
In this topic you learn about vSRX architecture and its benefits.
IN THIS SECTION
Benefits | 5
vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.
Figure 1 on page 3 shows the high-level architecture.
Figure 1: vSRX Architecture
vSRX includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.

Junos OS Release 18.4R1 supports a new software architecture, vSRX 3.0, that removes the dual-OS and nested-virtualization requirements of the existing vSRX architecture.

In the vSRX 3.0 architecture, FreeBSD 11.x is used as the guest OS, and the Routing Engine and Packet Forwarding Engine run on FreeBSD 11.x as a single virtual machine for improved performance and scalability. vSRX 3.0 uses DPDK to process the data packets in the data plane. A direct Junos upgrade from vSRX to vSRX 3.0 software is not supported.
vSRX 3.0 has the following enhancements compared to vSRX:
• Removed the restriction of requiring nested VM support in hypervisors.
• Removed the restriction of requiring ports connected to the control plane to have Promiscuous mode enabled.
• Improved boot time and enhanced responsiveness of the control plane during management operations.
• Improved live migration.
Figure 2 on page 4 shows the high-level architecture for vSRX 3.0
Figure 2: vSRX 3.0 Architecture
Benefits
vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:
• Stateful firewall protection at the tenant edge
• Faster deployment of virtual firewalls into new sites
• Ability to run on top of various hypervisors and public cloud infrastructures
• Full routing, VPN, core security, and networking capabilities
• Application security features (including IPS and App-Secure)
• Content security features (including Anti-Virus, Web Filtering, Anti-Spam, and Content Filtering)
• Centralized management with Junos Space Security Director and local management with J-Web Interface
• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration
|||
Release History Table

Release | Description
15.1X49-D70 | Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.
CHAPTER 2
Managing vSRX
vSRX Configuration and Management Tools | 7
Managing Security Policies for Virtual Machines Using Junos Space Security Director | 8
Configure a vSRX Chassis Cluster in Junos OS | 9
vSRX Configuration and Management Tools
SUMMARY
This topic provides an overview of the various tools available to configure and manage a vSRX VM once it has been successfully deployed.
IN THIS SECTION
Understanding the Junos OS CLI and Junos Scripts | 7
Understanding the J-Web Interface | 7
Understanding Junos Space Security Director | 7
Understanding the Junos OS CLI and Junos Scripts
Junos OS CLI is a Juniper Networks specific command shell that runs on top of a UNIX-based operating system kernel.

Built into Junos OS, Junos script automation is an onboard toolset available on all Junos OS platforms including routers, switches, and security devices running Junos OS (such as a vSRX instance).
You can use the Junos OS CLI and the Junos OS scripts to configure, manage, administer, and troubleshoot vSRX.
|
Understanding the J-Web Interface
The J-Web interface allows you to monitor, configure, troubleshoot, and manage vSRX instances by means of a Web browser. J-Web provides access to all the configuration statements supported by the vSRX instance.
Understanding Junos Space Security Director
As one of the Junos Space Network Management Platform applications, Junos Space Security Director helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. Security Director automates security provisioning of a vSRX instance through one centralized Web-based interface to help administrators manage all phases of the security policy life cycle more quickly and intuitively, from policy creation to remediation.
RELATED DOCUMENTATION
CLI User Interface Overview
J-Web Overview
Security Director
Mastering Junos Automation Programming
Spotlight Secure Threat Intelligence
Managing Security Policies for Virtual Machines Using Junos Space Security Director
SUMMARY
This topic provides you an overview of how you can manage security policies for VMs using Security Director.
Security Director is a Junos Space management application designed to enable quick, consistent, and accurate creation, maintenance, and application of network security policies for your security devices, including vSRX instances. With Security Director, you can configure security-related policy management including IPsec VPNs, firewall policies, NAT policies, IPS policies, and UTM policies, and push the configurations to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations; shared objects can be created and used across many security policies and devices. You can create these objects prior to creating security configurations.

When you finish creating and verifying your security configurations from Security Director, you can publish these configurations and keep them ready to be pushed to all security devices, including vSRX instances, from a single interface.
The Configure tab is the workspace where all of the security configuration happens. You can configure firewall, IPS, NAT, and UTM policies; assign policies to devices; create and apply policy schedules; create and manage VPNs; and create and manage all the shared objects needed for managing your network security.
RELATED DOCUMENTATION
Security Director
Configure a vSRX Chassis Cluster in Junos OS
IN THIS SECTION
Chassis Cluster Overview | 9
Enable Chassis Cluster Formation | 10
Chassis Cluster Quick Setup with J-Web | 11
Manually Configure a Chassis Cluster with J-Web | 13

Chassis Cluster Overview
Chassis cluster groups a pair of the same kind of vSRX instances into a cluster to provide network node redundancy. The vSRX instances in a chassis cluster must be running the same Junos OS release, and each instance becomes a node in the chassis cluster. You connect the control virtual interfaces on the respective nodes to form a control plane that synchronizes the configuration and Junos OS kernel state on both nodes in the cluster. The control link (a virtual network or vSwitch) facilitates the redundancy of interfaces and services. Similarly, you connect the data plane on the respective nodes over the fabric virtual interfaces to form a unified data plane. The fabric link (a virtual network or vSwitch) allows for the management of cross-node flow processing and for the management of session redundancy.

The control plane software operates in active/passive mode. When configured as a chassis cluster, one node acts as the primary and the other as the secondary to ensure stateful failover of processes and services in the event of a system or hardware failure on the primary. If the primary fails, the secondary takes over processing of control plane traffic.
NOTE: If you configure a chassis cluster across two hosts, disable igmp-snooping on the bridge that each host physical interface belongs to and that the control virtual NICs (vNICs) use. This ensures that the control link heartbeat is received by both nodes in the chassis cluster.

The chassis cluster data plane operates in active/active mode. In a chassis cluster, the data plane updates session information as traffic traverses either node, and it transmits information between the nodes over the fabric link to guarantee that established sessions are not dropped when a failover occurs. In active/active mode, traffic can enter the cluster on one node and exit from the other node.

Chassis cluster functionality includes:
• Resilient system architecture, with a single active control plane for the entire cluster and multiple Packet Forwarding Engines. This architecture presents a single device view of the cluster.
• Synchronization of configuration and dynamic runtime states between nodes within a cluster.
• Monitoring of physical interfaces, and failover if the failure parameters cross a configured threshold.
• Support for generic routing encapsulation (GRE) and IP-over-IP (IP-IP) tunnels used to route encapsulated IPv4 or IPv6 traffic by means of two internal interfaces, gr-0/0/0 and ip-0/0/0, respectively. Junos OS creates these interfaces at system startup and uses these interfaces only for processing GRE and IP-IP tunnels.
At any given instant, a cluster node can be in one of the following states: hold, primary, secondary-hold, secondary, ineligible, or disabled. Multiple event types, such as interface monitoring, Services Processing Unit (SPU) monitoring, failures, and manual failovers, can trigger a state transition.

Enable Chassis Cluster Formation
You create two vSRX instances to form a chassis cluster, and then you set the cluster ID and node ID on each instance to join the cluster. When a vSRX instance joins a cluster, it becomes a node of that cluster.
With the exception of unique node settings and management IP addresses, nodes in a cluster share the same configuration.

You can deploy up to 255 chassis clusters in a Layer 2 domain. Clusters and nodes are identified in the following ways:
• The cluster ID (a number from 1 to 255) identifies the cluster.
• The node ID (a number from 0 to 1) identifies the cluster node.
Generally, on SRX Series devices, the cluster ID and node ID are written into EEPROM. On the vSRX instance, vSRX stores and reads the IDs from boot/loader.conf and uses the IDs to initialize the chassis cluster during startup.

Prerequisites

Ensure that your vSRX instances comply with the following prerequisites before you enable chassis clustering:
• You have committed a basic configuration to both vSRX instances that form the chassis cluster. See Configure vSRX Using the CLI.
• Use show version in Junos OS to ensure that both vSRX instances have the same software version.
• Use show system license in Junos OS to ensure that both vSRX instances have the same licenses installed.
You must set the same chassis cluster ID on each vSRX node and reboot the vSRX VM to enable chassis cluster formation.
1. In operational command mode, set the chassis cluster ID and node number on vSRX node 0.

   user@vsrx0> set chassis cluster cluster-id number node 0 reboot

2. In operational command mode, set the chassis cluster ID and node number on vSRX node 1.

   user@vsrx1> set chassis cluster cluster-id number node 1 reboot
NOTE: The vSRX interface naming and mapping to vNICs changes when you enable chassis clustering. See Requirements for vSRX on KVM for a summary of interface names and mappings for a pair of vSRX VMs in a cluster (node 0 and node 1).
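The following pre-flight check is an added example (not Juniper's code) for the cluster formation steps above: it validates the cluster ID range the guide gives, confirms both nodes report the same release in their show version output, and emits the per-node command. The show version captures below are constructed samples, and only their Hostname and Junos lines are read.

```python
"""Pre-flight check before forming a vSRX chassis cluster (added example)."""
import re

# Constructed 'show version' captures from the two candidate nodes (not real output).
SHOW_VERSION_NODE0 = "Hostname: vsrx0\nModel: vsrx\nJunos: 18.4R1.8\n"
SHOW_VERSION_NODE1 = "Hostname: vsrx1\nModel: vsrx\nJunos: 18.4R1.8\n"


def parse_show_version(output: str) -> dict:
    """Return the Hostname and Junos release fields from 'show version' output."""
    fields = {}
    for key in ("Hostname", "Junos"):
        match = re.search(rf"^{key}:\s*(\S+)", output, re.MULTILINE)
        if match is None:
            raise ValueError(f"no '{key}:' line in show version output")
        fields[key] = match.group(1)
    return fields


def cluster_commands(cluster_id: int, node0_output: str, node1_output: str,
                     ids_in_use=frozenset()) -> dict:
    """Validate the guide's prerequisites and return, keyed by hostname, the
    operational-mode command that makes each instance node 0 or node 1.

    Checks: cluster ID is 1-255 and not already used in this Layer 2 domain,
    the two captures come from different hosts, and both run the same release.
    """
    if not 1 <= cluster_id <= 255:
        raise ValueError(f"cluster ID must be 1-255, got {cluster_id}")
    if cluster_id in ids_in_use:
        raise ValueError(f"cluster ID {cluster_id} is already used in this L2 domain")
    node0 = parse_show_version(node0_output)
    node1 = parse_show_version(node1_output)
    if node0["Hostname"] == node1["Hostname"]:
        raise ValueError("both captures come from the same host")
    if node0["Junos"] != node1["Junos"]:
        raise ValueError(f"release mismatch: {node0['Junos']} vs {node1['Junos']}")
    return {
        node0["Hostname"]: f"set chassis cluster cluster-id {cluster_id} node 0 reboot",
        node1["Hostname"]: f"set chassis cluster cluster-id {cluster_id} node 1 reboot",
    }


if __name__ == "__main__":
    for host, cmd in cluster_commands(1, SHOW_VERSION_NODE0, SHOW_VERSION_NODE1).items():
        print(f"user@{host}> {cmd}")
```

The license comparison the prerequisites also call for (show system license) is left to the operator, since its output layout is not covered by this guide.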
Chassis Cluster Quick Setup with J-Web
To configure chassis cluster from J-Web:
1. Enter the vSRX node 0 interface IP address in a Web browser.
2. Enter the vSRX username and password, and click Log In. The J-Web dashboard appears.