Juniper vSRX Virtual Firewall Deployment Instruction Manual Product Information

June 1, 2024

vSRX Virtual Firewall Deployment


Product Information

Specifications

  • Product Name: vSRX Virtual Firewall

  • Deployment Guide for Private and Public Cloud Platforms

  • Publisher: Juniper Networks, Inc.

  • Published Date: 2023-11-09

  • Location: 1133 Innovation Way Sunnyvale, California 94089
    USA

  • Contact: 408-745-2000

  • Website: www.juniper.net

Product Usage Instructions

Overview

The vSRX Virtual Firewall provides security features for
virtualized environments. Follow the steps below to deploy and
manage the virtual firewall.

Installation

  1. Prepare Your Server for vSRX Virtual Firewall Installation:

     • Enable Nested Virtualization

     • Upgrade the Linux Kernel on Ubuntu

  2. Install vSRX Virtual Firewall with KVM:

     • Using virt-manager or virt-install

Configuration

  1. Load an Initial Configuration on a vSRX Virtual Firewall with
    KVM

  2. Create a vSRX Virtual Firewall Bootstrap ISO Image

  3. Provision vSRX Virtual Firewall with an ISO Bootstrap Image on
    KVM

Management

  1. Configure vSRX Virtual Firewall Using the CLI

  2. Connect to the vSRX Virtual Firewall Management Console on
    KVM

  3. Add a Virtual Network to a vSRX Virtual Firewall VM with
    KVM

  4. Add a Virtio Virtual Interface to a vSRX Virtual Firewall VM
    with KVM

SR-IOV and PCI Support

Details on configuring SR-IOV interfaces and limitations.

Frequently Asked Questions (FAQ)

Q: Is the vSRX Virtual Firewall compatible with all cloud platforms?

A: The vSRX Virtual Firewall is designed to work with both
private and public cloud platforms. However, specific requirements
may vary.

Q: Can I automate the initialization of vSRX Virtual Firewall instances in an OpenStack environment?

A: Yes, you can use Cloud-Init in an OpenStack Environment to
automate the initialization of vSRX Virtual Firewall instances.


vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms
Published
2023-11-09

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About This Guide | xvii

PART 1: vSRX Virtual Firewall Deployment for KVM

Overview | 2
Understand vSRX Virtual Firewall with KVM | 2
Requirements for vSRX Virtual Firewall on KVM | 7
Install vSRX Virtual Firewall in KVM | 19
Prepare Your Server for vSRX Virtual Firewall Installation | 19
Enable Nested Virtualization | 19
Upgrade the Linux Kernel on Ubuntu | 21
Install vSRX Virtual Firewall with KVM | 21
Install vSRX Virtual Firewall with virt-manager | 22
Install vSRX Virtual Firewall with virt-install | 24
Example: Install and Launch vSRX Virtual Firewall on Ubuntu | 27
Requirements | 28
Overview | 28
Quick Configuration – Install and Launch a vSRX Virtual Firewall VM on Ubuntu | 29 | 32
Step by Step Configuration | 32
Load an Initial Configuration on a vSRX Virtual Firewall with KVM | 45
Create a vSRX Virtual Firewall Bootstrap ISO Image | 46
Provision vSRX Virtual Firewall with an ISO Bootstrap Image on KVM | 47
Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances | 48
Perform Automatic Setup of a vSRX Virtual Firewall Instance Using an OpenStack Command-Line Interface | 52
Perform Automatic Setup of a vSRX Virtual Firewall Instance from the OpenStack Dashboard (Horizon) | 54
vSRX Virtual Firewall VM Management with KVM | 62
Configure vSRX Virtual Firewall Using the CLI | 62
Connect to the vSRX Virtual Firewall Management Console on KVM | 64
Add a Virtual Network to a vSRX Virtual Firewall VM with KVM | 65
Add a Virtio Virtual Interface to a vSRX Virtual Firewall VM with KVM | 67
SR-IOV and PCI | 69
SR-IOV Overview | 69
SR-IOV HA Support with Trust Mode Disabled (KVM only) | 70
Understand SR-IOV HA Support with Trust Mode Disabled (KVM only) | 70
Configure SR-IOV support with Trust Mode Disabled (KVM only) | 72
Limitations | 73
Configure an SR-IOV Interface on KVM | 74
Upgrade a Multi-core vSRX Virtual Firewall | 78
Configure the Queue Value for vSRX Virtual Firewall VM with KVM | 78
Shutdown the vSRX Virtual Firewall Instance with virt-manager | 79
Upgrade vSRX Virtual Firewall with virt-manager | 79
Monitor the vSRX Virtual Firewall VM in KVM | 81
Manage the vSRX Virtual Firewall Instance on KVM | 82
Power On the vSRX Virtual Firewall Instance with virt-manager | 82
Power On the vSRX Virtual Firewall Instance with virsh | 82
Pause the vSRX Virtual Firewall Instance with virt-manager | 83
Pause the vSRX Virtual Firewall Instance with virsh | 83
Rebooting the vSRX Virtual Firewall Instance with virt-manager | 83
Reboot the vSRX Virtual Firewall Instance with virsh | 83
Power Off the vSRX Virtual Firewall Instance with virt-manager | 84
Power Off the vSRX Virtual Firewall Instance with virsh | 84
Shutdown the vSRX Virtual Firewall Instance with virt-manager | 85
Shutdown the vSRX Virtual Firewall Instance with virsh | 85
Remove the vSRX Virtual Firewall Instance with virsh | 86
Recover the Root Password for vSRX Virtual Firewall in a KVM Environment | 87
Configure vSRX Virtual Firewall Chassis Clusters on KVM | 89
vSRX Virtual Firewall Cluster Staging and Provisioning for KVM | 89
Chassis Cluster Provisioning on vSRX Virtual Firewall | 89
Creating the Chassis Cluster Virtual Networks with virt-manager | 91
Creating the Chassis Cluster Virtual Networks with virsh | 91
Configuring the Control and Fabric Interfaces with virt-manager | 93
Configuring the Control and Fabric Interfaces with virsh | 93
Configuring Chassis Cluster Fabric Ports | 93
Configure a vSRX Virtual Firewall Chassis Cluster in Junos OS | 94
Chassis Cluster Overview | 95
Enable Chassis Cluster Formation | 96
Chassis Cluster Quick Setup with J-Web | 97
Manually Configure a Chassis Cluster with J-Web | 98
Verify the Chassis Cluster Configuration | 105

PART 2: vSRX Virtual Firewall Deployment for VMware

Overview | 107
Understand vSRX Virtual Firewall with VMware | 107
Requirements for vSRX Virtual Firewall on VMware | 115
Install vSRX Virtual Firewall in VMware | 124
Install vSRX Virtual Firewall with VMware vSphere Web Client | 124
Load an Initial Configuration on a vSRX Virtual Firewall with VMware | 128
Create a vSRX Virtual Firewall Bootstrap ISO Image | 132
Upload an ISO Image to a VMWare Datastore | 133
Provision vSRX Virtual Firewall with an ISO Bootstrap Image on VMWare | 134
Validate the vSRX Virtual Firewall .ova File for VMware | 135
vSRX Virtual Firewall VM Management with VMware | 139
Add vSRX Virtual Firewall Interfaces | 139
Add SR-IOV Interfaces | 140
Add VMXNET 3 Interfaces | 142
Upgrade a Multicore vSRX Virtual Firewall with VMware | 142
Power Down vSRX Virtual Firewall VM with VMware vSphere Web Client | 143
Upgrade a Multicore vSRX Virtual Firewall with VMware vSphere Web Client | 143
Optimize Performance of vSRX Virtual Firewall | 144
Automate the Initialization of vSRX Virtual Firewall 3.0 Instances on VMware Hypervisor using VMware Tools | 145
Overview | 145
Provision VMware Tools for Autoconfiguration | 146
Configure vSRX Virtual Firewall Chassis Clusters in VMware | 150
vSRX Virtual Firewall Cluster Staging and Provisioning for VMware | 150
Deploying the VMs and Additional Network Interfaces | 150
Creating the Control Link Connection Using VMware | 151
Creating the Fabric Link Connection Using VMware | 155
Creating the Data Interfaces Using VMware | 158
Prestaging the Configuration from the Console | 159
Connecting and Installing the Staging Configuration | 160
Configure a vSRX Virtual Firewall Chassis Cluster in Junos OS | 161
Chassis Cluster Overview | 161
Enable Chassis Cluster Formation | 162
Chassis Cluster Quick Setup with J-Web | 167
Manually Configure a Chassis Cluster with J-Web | 168
Deploy vSRX Virtual Firewall Chassis Cluster Nodes Across Different ESXi Hosts Using dvSwitch | 174

PART 3: vSRX Virtual Firewall Deployment for Microsoft Hyper-V

Overview | 179
Understand vSRX Virtual Firewall with Microsoft Hyper-V | 179
Requirements for vSRX Virtual Firewall on Microsoft Hyper-V | 181
Install vSRX Virtual Firewall in Microsoft Hyper-V | 188
Prepare for vSRX Virtual Firewall Deployment in Microsoft Hyper-V | 188
Deploy vSRX Virtual Firewall in a Hyper-V Host Using the Hyper-V Manager | 189
Deploy vSRX Virtual Firewall in a Hyper-V Host Using Windows PowerShell | 200
vSRX Virtual Firewall VM Management with Microsoft Hyper-V | 205
Configure vSRX Virtual Firewall Using the CLI | 205
Configure vSRX Virtual Firewall Using the J-Web Interface | 207
Access the J-Web Interface and Configuring vSRX Virtual Firewall | 207
Apply the Configuration | 210
Add vSRX Virtual Firewall Feature Licenses | 210
Add vSRX Virtual Firewall Interfaces | 211
Add Virtual Switches | 212
Configure the vSRX Virtual Firewall to Use a VLAN | 219
Power Down a vSRX Virtual Firewall VM with Hyper-V | 221
Configure vSRX Virtual Firewall Chassis Clusters | 222
vSRX Virtual Firewall Cluster Staging and Provisioning in Hyper-V | 222
Deploying the VMs and Additional Network Adapters in Hyper-V | 223
Creating the Control Link Connection in Hyper-V | 223
Creating the Fabric Link Connection in Hyper-V | 226
Creating the Data Interfaces Using Hyper-V | 227
Prestaging the Configuration from the Console | 228
Connecting and Installing the Staging Configuration | 229
Configure a vSRX Virtual Firewall Chassis Cluster in Junos OS | 230
Chassis Cluster Overview | 230
Enable Chassis Cluster Formation | 231
Chassis Cluster Quick Setup with J-Web | 237
Manually Configure a Chassis Cluster with J-Web | 237

PART 4: vSRX Virtual Firewall Deployment for Contrail

Overview of vSRX Virtual Firewall Service Chains in Contrail | 245
Understand vSRX Virtual Firewall with Contrail | 245
Requirements for vSRX Virtual Firewall on Contrail | 247
Overview of Service Chains with vSRX Virtual Firewall | 256
Spawn vSRX Virtual Firewall in a Contrail Service Chain | 259
Create a Service Template | 259
Create Left and Right Virtual Networks | 262
Create a vSRX Virtual Firewall Service Instance | 263
Create a Network Policy | 263
Add a Network Policy to a Virtual Network | 264
Install vSRX Virtual Firewall in Contrail | 267
Enable Nested Virtualization | 267
Create an Image Flavor with OpenStack | 269
Create an Image Flavor for vSRX Virtual Firewall with Horizon | 269
Create an Image Flavor for vSRX Virtual Firewall with the Nova CLI | 272
Upload the vSRX Virtual Firewall Image | 273
Upload the vSRX Virtual Firewall Image with OpenStack Horizon | 273
Upload the vSRX Virtual Firewall Image with the OpenStack Glance CLI | 276
Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances | 277
Perform Automatic Setup of a vSRX Virtual Firewall Instance Using an OpenStack Command-Line Interface | 280
Perform Automatic Setup of a vSRX Virtual Firewall Instance from the OpenStack Dashboard (Horizon) | 282
vSRX Virtual Firewall VM Management with Contrail | 291
Connect to the vSRX Virtual Firewall Management Console | 291
Connect to the vSRX Virtual Firewall Management Console with Horizon | 291
Connect to the vSRX Virtual Firewall Management Console with Contrail | 291
Manage the vSRX Virtual Firewall VM | 292
Power On the VM from OpenStack | 292
Pause the VM | 293
Restart the VM | 293
Power Off the VM from OpenStack | 293
Delete the vSRX Virtual Firewall VM from Contrail | 293
Upgrade Multicore vSRX Virtual Firewall with Contrail | 294
Configure Multi-queue Virtio Interface for vSRX Virtual Firewall VM with OpenStack | 294
Modify an Image Flavor for vSRX Virtual Firewall with the Dashboard | 295
Update a Service Template | 296
Monitor vSRX Virtual Firewall with Contrail | 297

PART 5: vSRX Virtual Firewall Deployment for Nutanix

Overview | 299
Understand vSRX Virtual Firewall Deployment with Nutanix | 299
Nutanix Platform Overview | 299
vSRX Virtual Firewall Deployment with Nutanix Overview | 302
Understand vSRX Virtual Firewall Deployment with Nutanix AHV | 304
Sample vSRX Virtual Firewall Deployment Using Nutanix AHV | 306
Requirements for vSRX Virtual Firewall on Nutanix | 307
System Requirements for Nutanix | 307
Reference Requirements | 310
Install vSRX Virtual Firewall in Nutanix | 312
Launch and Deploy vSRX Virtual Firewall in Nutanix AHV Cluster | 312
Log In to Nutanix Setup | 312
Adding a vSRX Virtual Firewall Image | 314
Network Creation | 314
Create and Deploy a vSRX Virtual Firewall VM | 315
Power on the vSRX Virtual Firewall VMs | 322
Launch vSRX Virtual Firewall VM Console | 323
Upgrade the Junos OS for vSRX Virtual Firewall Software Release | 324

PART 6: vSRX Virtual Firewall Deployment for AWS

Overview | 326
Understand vSRX Virtual Firewall with AWS | 326
Requirements for vSRX Virtual Firewall on AWS | 332
Configure and Manage Virtual Firewall in AWS | 337
Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall | 337
Step 1: Create an Amazon VPC and Internet Gateway | 338
Step 2: Add Subnets for vSRX Virtual Firewall | 340
Step 3: Attach an interface to a Subnet | 341
Step 4: Add Route Tables for vSRX Virtual Firewall | 344
Step 5: Add Security Groups for vSRX Virtual Firewall | 345
Launch a vSRX Virtual Firewall Instance on an Amazon Virtual Private Cloud | 348
Step 1: Create an SSH Key Pair | 348
Step 2: Launch a vSRX Virtual Firewall Instance | 350
Step 3: View the AWS System Logs | 354
Step 4: Add Network Interfaces for vSRX Virtual Firewall | 354
Step 5: Allocate Elastic IP Addresses | 356
Step 6: Add the vSRX Virtual Firewall Private Interfaces to the Route Tables | 356
Step 7: Reboot the vSRX Virtual Firewall Instance | 357
Step 8: Log in to a vSRX Virtual Firewall Instance | 357
Enroll a vSRX Virtual Firewall on AWS with Juniper ATP Cloud | 359
Using Cloud-Init to Automate the Initialization of vSRX Virtual Firewall Instances in AWS | 364
AWS Elastic Load Balancing and Elastic Network Adapter | 366
Overview of AWS Elastic Load Balancing | 367
Overview of Application Load Balancer | 369
Deployment of AWS Application Load Balancer | 370
Invoking Cloud Formation Template (CFT) Stack Creation for vSRX Virtual Firewall Behind AWS Application Load Balancer Deployment | 374
Overview of AWS Elastic Network Adapter (ENA) for vSRX Virtual Firewall Instances | 383
Multi-Core Scaling Support on AWS with SWRSS and ENA | 384
Centralized Monitoring and Troubleshooting using AWS Features | 385
Understanding Centralized Monitoring Using Cloudwatch | 385
Integration of vSRX Virtual Firewall with AWS Monitoring and Troubleshooting Features | 393
Grant Permission for vSRX Virtual Firewall to access AWS CloudWatch and Security Hub | 393
Enable Monitoring of vSRX Virtual Firewall Instances with AWS CloudWatch Metric | 395
Collect, Store, and View vSRX Virtual Firewall Logs to AWS CloudWatch | 396
Enable and Configure Security Hub on vSRX Virtual Firewall | 397
Deploying vSRX Virtual Firewall 3.0 for Securing Data using AWS KMS | 398
Integrate AWS KMS with vSRX Virtual Firewall 3.0 | 398
AWS Cloud Formation Templates | 402
Configure vSRX Virtual Firewall Using the CLI | 406
Understand vSRX Virtual Firewall on AWS Preconfiguration and Factory Defaults | 406
Add a Basic vSRX Virtual Firewall Configuration | 407
Add DNS Servers | 410
Add vSRX Virtual Firewall Feature Licenses | 410
Configure vSRX Virtual Firewall Using the J-Web Interface | 411
Access the J-Web Interface and Configure vSRX Virtual Firewall | 411
Apply the Configuration Settings for vSRX Virtual Firewall | 413
Add vSRX Virtual Firewall Feature Licenses | 414
Upgrade Junos OS Software on a vSRX Virtual Firewall Instance | 414
Upgrade the Junos OS for vSRX Virtual Firewall Software Release | 414
Replace the vSRX Virtual Firewall Instance on AWS | 415
Remove a vSRX Virtual Firewall Instance on AWS | 416
Geneve Flow Infrastructure on vSRX Virtual Firewall 3.0 | 416
Overview | 417
Enable Security Policies for Geneve Packet Flow Tunnel Inspection | 418
Requirements | 419
Overview | 419
Configuration (vSRX Virtual Firewall 3.0 as Tunnel Endpoint) | 419
Configuration (vSRX Virtual Firewall 3.0 as Transit Router) | 426
AWS Gateway Load Balancing with Geneve | 433
Overview of AWS Gateway Load Balancer | 433
AWS GWLB with Geneve vSRX Virtual Firewall 3.0 Deployment | 435
Virtual Firewall in AWS Use Cases | 437
Example: Configuring NAT for vSRX Virtual Firewall | 437
Before You Begin | 437
Overview | 437
Configuration | 438
Configuring NAT | 438
Example: Configure VPN on vSRX Virtual Firewall Between Amazon VPCs | 439
Before You Begin | 440
Overview | 440
vSRX1 VPN Configuration | 440
Verification | 444
Example: Configure Juniper ATP Cloud for vSRX Virtual Firewall | 445
Before You Begin | 445
Overview | 445
Juniper ATP Cloud Configuration | 445

PART 7: vSRX Virtual Firewall Deployment for Microsoft Azure

Overview | 449
Understand vSRX Virtual Firewall with Microsoft Azure Cloud | 449
Requirements for vSRX Virtual Firewall on Microsoft Azure | 453
Deploy vSRX Virtual Firewall from the Azure Portal | 461
Before You Deploy vSRX Virtual Firewall from the Azure Portal | 461
Create a Resource Group | 462
Create a Storage Account | 466
Create a Virtual Network | 471
Deploy the vSRX Virtual Firewall Image from Azure Marketplace | 476
Deploy the vSRX Virtual Firewall Image | 476
Verify Deployment of vSRX Virtual Firewall to Microsoft Azure | 489
Log In to a vSRX Virtual Firewall VM | 490
Deploy vSRX Virtual Firewall from the Azure CLI | 493
Before You Deploy vSRX Virtual Firewall Using the Azure CLI | 493
Deploy vSRX Virtual Firewall from the Azure CLI | 495
Install the Microsoft Azure CLI | 496
Download the vSRX Virtual Firewall Deployment Tools | 497
Change Parameter Values in the vSRX Virtual Firewall.parameter.json File | 498
Deploy the vSRX Virtual Firewall Using the Shell Script | 502
Verify Deployment of vSRX Virtual Firewall to Microsoft Azure | 504
Log In to a vSRX Virtual Firewall Instance | 507
Configure and Manage vSRX Virtual Firewall for Microsoft Azure | 509
Configure vSRX Virtual Firewall Using the CLI | 509
Configure vSRX Virtual Firewall Using the J-Web Interface | 511
Access the J-Web Interface and Configuring vSRX Virtual Firewall | 512
Apply the Configuration | 514
Add vSRX Virtual Firewall Feature Licenses | 515
Remove a vSRX Virtual Firewall Instance from Microsoft Azure | 515
Upgrade Junos OS Software on a vSRX Virtual Firewall Instance | 515
Upgrade the Junos OS for vSRX Virtual Firewall Software Release | 516
Replace the vSRX Virtual Firewall Instance on Azure | 516
Configure Azure Features on vSRX Virtual Firewall and Use Cases | 518
Deployment of Microsoft Azure Hardware Security Module on vSRX Virtual Firewall 3.0 | 518
Microsoft Azure Key Vault Hardware Security Module Integration Overview | 519
Configure Microsoft Azure Key Vault HSM on vSRX Virtual Firewall 3.0 | 520
Change the Master Encryption Password | 524
Verify the Status of the HSM | 524
request security hsm master-encryption-password | 525
show security hsm status | 526
Understanding VPN Functionality with Microsoft Azure Key Vault HSM Service | 529
CLI Behavior With and Without HSM | 533
request security pki local-certificate enroll scep | 534
Example: Configure an IPsec VPN Between Two vSRX Virtual Firewall Instances | 538
Before You Begin | 538
Overview | 538
vSRX Virtual Firewall IPsec VPN Configuration | 539
Verification | 542
Example: Configure an IPsec VPN Between a vSRX Virtual Firewall and Virtual Network Gateway in Microsoft Azure | 543
Before You Begin | 544
Overview | 544
vSRX Virtual Firewall IPsec VPN Configuration | 544
Microsoft Azure Virtual Network Gateway Configuration | 546
Example: Configure Juniper ATP Cloud for vSRX Virtual Firewall | 548
Before You Begin | 548
Overview | 548
Juniper ATP Cloud Configuration | 548

PART 8: vSRX Virtual Firewall Deployment for Google Cloud Platform

Overview | 552
Understand vSRX Virtual Firewall Deployment with Google Cloud | 552
Understand vSRX Virtual Firewall Deployment with Google Cloud Platform | 552
Requirements for vSRX Virtual Firewall on Google Cloud Platform | 555
Google Compute Engine Instance Types | 555
vSRX Virtual Firewall Support for Google Cloud | 556
vSRX Virtual Firewall Specifications for GCP | 557
Install vSRX Virtual Firewall in Google Cloud | 560
Prepare to setup vSRX Virtual Firewall Deployment on GCP | 560
Step 1: Google Cloud Platform Account Planning | 562
Step 2: Define Network Attributes and Generate SSH Key Pair for Authentication | 563
Step 3: Plan Google Virtual Private Cloud (VPC) Network | 565
Deploy vSRX Virtual Firewall in Google Cloud Platform | 566
Deploy the vSRX Virtual Firewall from Marketplace Launcher | 566
Deploy the vSRX Virtual Firewall Instance from GCP Portal Using Custom Private Image | 574
Upload vSRX Virtual Firewall Image to Google Cloud Storage | 574
Create vSRX Virtual Firewall Image | 576
Deploy the vSRX Virtual Firewall from GCP Portal | 578
Deploy the vSRX Virtual Firewall Using Cloud-init | 580
Upgrade the Junos OS for vSRX Virtual Firewall Software Release | 583
Secure Data with vSRX Virtual Firewall 3.0 Using GCP KMS (HSM) | 584
Overview | 584
Integrate GCP KMS with vSRX Virtual Firewall 3.0 | 586
Verify the Status of the HSM | 589
show security hsm status | 590 | 592
request security hsm master-encryption-password | 592

PART 9: vSRX Virtual Firewall Deployment for IBM Cloud

Overview | 595
vSRX Virtual Firewall Overview | 595
Getting Started with Juniper vSRX Virtual Firewall on IBM Cloud | 598
Overview of vSRX Virtual Firewall in IBM Cloud | 598
Choosing a vSRX Virtual Firewall license | 600
Ordering a vSRX Virtual Firewall | 602
Junos OS Features Supported on vSRX Virtual Firewall | 604
Installing and Configuring vSRX Virtual Firewall in IBM | 618
Performing vSRX Virtual Firewall Basics in IBM Cloud | 618
Viewing all gateway appliances | 619
Viewing gateway appliance details | 619
Renaming a gateway appliance | 619
Canceling a gateway appliance | 620
Performing additional vSRX Virtual Firewall tasks | 620
vSRX Virtual Firewall Readiness Checks in IBM Cloud | 623
Checking vSRX Virtual Firewall readiness | 623
Readiness status | 624
Correcting readiness errors | 624
Managing VLANs with a gateway appliance | 626
Associating a VLAN to a gateway appliance | 626
Routing an associated VLAN | 626
Bypassing gateway appliance routing for a VLAN | 627
Disassociating a VLAN from a gateway appliance | 627
Working with the vSRX Virtual Firewall Default Configurations | 628
Understanding the vSRX Virtual Firewall default configuration | 628
Importing and Exporting a vSRX Virtual Firewall Configuration | 629
Exporting part of the vSRX Virtual Firewall configuration | 630
Importing the entire vSRX Virtual Firewall configuration | 631
Importing part of the vSRX Virtual Firewall configuration | 631
Migrating Legacy Configurations to the Current vSRX Virtual Firewall Architecture | 633
Migrating 1G vSRX Virtual Firewall Standalone Configurations | 633
Migrating 1G vSRX Virtual Firewall High Availability configurations | 641
Allowing SSH and Ping to a Public Subnet | 642
Allowing SSH and Ping to a Public Subnet | 642
Performing vSRX Virtual Firewall Advanced Tasks in IBM Cloud | 643
Working with Firewalls | 643
Zone Policies | 644
Firewall Filters | 645
Working with sNAT | 645
Working with Failover | 645
Working with Routing | 647
Working with VPN | 648
Securing the Host Operating System | 654
Configuring the Management Interfaces | 656
Upgrading the vSRX Virtual Firewall in IBM Cloud | 657
Upgrading | 657
General Upgrade Considerations | 660
Upgrading using OS Reload | 663
Rollback Options | 664
Unsupported Upgrades | 664
Managing vSRX Virtual Firewall in IBM Cloud | 666
vSRX Virtual Firewall Configuration and Management Tools | 666
Managing Security Policies for Virtual Machines Using Junos Space Security Director | 667
Monitoring and Troubleshooting | 669
Technical Support | 669

PART 10: vSRX Virtual Firewall Deployment for OCI

Overview | 671
Understanding vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure | 671
Overview of Oracle VM Architecture | 671
vSRX Virtual Firewall with Oracle Cloud Infrastructure | 672
OCI Glossary | 672
Requirements for vSRX Virtual Firewall on Oracle Cloud Infrastructure | 673
Minimum System Requirements for OCI | 674
vSRX Virtual Firewall Default Settings with OCI | 675
Best Practices for Deploying vSRX Virtual Firewall | 675
Installing vSRX Virtual Firewall in OCI | 676
vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure | 676
Overview | 676
Launch vSRX Virtual Firewall Instances in the OCI | 678
Upgrade the Junos OS for vSRX Virtual Firewall Software Release | 692
vSRX Virtual Firewall Licensing | 693
Licenses for vSRX Virtual Firewall | 693

About This Guide
vSRX Virtual Firewall is the virtualized form of the Juniper Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south traffic. This guide provides you details on deployment of vSRX Virtual Firewall on various private and public cloud platforms.

PART 1
vSRX Virtual Firewall Deployment for KVM
Overview | 2
Install vSRX Virtual Firewall in KVM | 19
vSRX Virtual Firewall VM Management with KVM | 62
Configure vSRX Virtual Firewall Chassis Clusters on KVM | 89

CHAPTER 1
Overview
IN THIS CHAPTER
Understand vSRX Virtual Firewall with KVM | 2
Requirements for vSRX Virtual Firewall on KVM | 7

Understand vSRX Virtual Firewall with KVM
IN THIS SECTION
vSRX Virtual Firewall on KVM | 2
vSRX Virtual Firewall Scale Up Performance | 3

This section presents an overview of vSRX Virtual Firewall on KVM.

vSRX Virtual Firewall on KVM
The Linux kernel uses the kernel-based virtual machine (KVM) as a virtualization infrastructure. KVM is open source software that you can use to create multiple virtual machines (VMs) and to install security and networking appliances. The basic components of KVM include:
· A loadable kernel module included in the Linux kernel that provides the basic virtualization infrastructure
· A processor-specific module
When loaded into the Linux kernel, the KVM software acts as a hypervisor. KVM supports multitenancy and allows you to run multiple vSRX Virtual Firewall VMs on the host OS. KVM manages and shares the system resources between the host OS and the multiple vSRX Virtual Firewall VMs.

NOTE: vSRX Virtual Firewall requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor.

Figure 1 on page 3 illustrates the basic structure of a vSRX Virtual Firewall VM on an Ubuntu server.

Figure 1: vSRX Virtual Firewall VM on Ubuntu

vSRX Virtual Firewall Scale Up Performance

Table 1 on page 3 shows the vSRX Virtual Firewall scale up performance when deployed on KVM, based on the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM, along with the Junos OS release in which a particular vSRX Virtual Firewall software specification was introduced.

Table 1: vSRX Virtual Firewall Scale Up Performance

| vCPUs | vRAM | NICs | Release Introduced |
|---|---|---|---|
| 2 vCPUs | 4 GB | Virtio; SR-IOV (Intel 82599, X520/540) | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 |
| 5 vCPUs | 8 GB | Virtio; SR-IOV (Intel 82599, X520/540) | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1 |
| 5 vCPUs | 8 GB | SR-IOV (Intel X710/XL710) | Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1 |
| 1 vCPU | 4 GB | SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters | Junos OS Release 21.2R1 |
| 4 vCPUs | 8 GB | SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters | Junos OS Release 21.2R1 |
| 8 vCPUs | 16 GB | SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters | Junos OS Release 21.2R1 |
| 16 vCPUs | 32 GB | SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters | Junos OS Release 21.2R1 |

You can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. The multi-core vSRX Virtual Firewall automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX Virtual Firewall VM do not match what is currently available, the vSRX Virtual Firewall scales down to the closest supported value for the instance. For example, if a vSRX Virtual Firewall VM has 3 vCPUs and 8 GB of vRAM, vSRX Virtual Firewall boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX Virtual Firewall instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX Virtual Firewall instance to a smaller setting.

NOTE: The number of RSS queues typically matches the number of data plane vCPUs of a vSRX Virtual Firewall instance. For example, a vSRX Virtual Firewall with 4 data plane vCPUs should have 4 RSS queues.

vSRX Virtual Firewall Session Capacity Increase
The vSRX Virtual Firewall solution is optimized to increase the number of sessions by increasing the memory.
With the ability to increase the number of sessions by increasing the memory, you can enable vSRX Virtual Firewall to:
· Provide highly scalable, flexible, and high-performance security at strategic locations in the mobile network.
· Deliver the performance that service providers require to scale and protect their networks.
Run the show security flow session summary | grep maximum command to view the maximum number of sessions.
Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.
Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.

NOTE: A maximum of 28M sessions is supported on vSRX Virtual Firewall 3.0. You can deploy vSRX Virtual Firewall 3.0 with more than 64 GB of memory, but the maximum number of flow sessions is still 28M.

Table 2 on page 5 lists the flow session capacity.

Table 2: vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 Flow Session Capacity Details

| vCPUs | Memory | Flow Session Capacity |
|---|---|---|
| 2 | 4 GB | 0.5 M |
| 2 | 6 GB | 1 M |
| 2/5 | 8 GB | 2 M |
| 2/5 | 10 GB | 2 M |
| 2/5 | 12 GB | 2.5 M |
| 2/5 | 14 GB | 3 M |
| 2/5/9 | 16 GB | 4 M |
| 2/5/9 | 20 GB | 6 M |
| 2/5/9 | 24 GB | 8 M |
| 2/5/9 | 28 GB | 10 M |
| 2/5/9/17 | 32 GB | 12 M |
| 2/5/9/17 | 40 GB | 16 M |
| 2/5/9/17 | 48 GB | 20 M |
| 2/5/9/17 | 56 GB | 24 M |
| 2/5/9/17 | 64 GB | 28 M |

7

Release History Table

Release   Description
19.2R1    Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.
18.4R1    Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.

RELATED DOCUMENTATION
Requirements for vSRX Virtual Firewall on KVM | 7
Upgrade a Multi-core vSRX Virtual Firewall | 78
Install vSRX Virtual Firewall with KVM | 21

Requirements for vSRX Virtual Firewall on KVM
IN THIS SECTION
Software Specifications | 7
Hardware Specifications | 13
Best Practices for Improving vSRX Virtual Firewall Performance | 14
Interface Mapping for vSRX Virtual Firewall on KVM | 16
vSRX Virtual Firewall Default Settings on KVM | 18

This section presents an overview of the requirements for deploying a vSRX Virtual Firewall instance on KVM.
Software Specifications
Table 3 on page 8 lists the system software requirements for deploying vSRX Virtual Firewall in a KVM environment. The table also gives the Junos OS release in which each software specification for deploying vSRX Virtual Firewall on KVM was introduced; you need to download the corresponding Junos OS release to take advantage of a particular feature.


CAUTION: A Page Modification Logging (PML) issue related to the KVM host kernel might prevent the vSRX Virtual Firewall from successfully booting. If you experience this behavior with the vSRX Virtual Firewall, we recommend that you disable the PML at the host kernel level. See Prepare Your Server for vSRX Installation for details about disabling the PML as part of enabling nested virtualization.

Table 3: Feature Support on vSRX Virtual Firewall

Features | Specification | Junos OS Release Introduced

vCPUs/Memory | 2 vCPU / 4 GB RAM | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 (vSRX Virtual Firewall)
vCPUs/Memory | 5 vCPU / 8 GB RAM | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1 (vSRX Virtual Firewall)
vCPUs/Memory | 9 vCPU / 16 GB RAM | Junos OS Release 18.4R1 (vSRX Virtual Firewall); Junos OS Release 19.1R1 (vSRX Virtual Firewall 3.0)
vCPUs/Memory | 17 vCPU / 32 GB RAM | Junos OS Release 18.4R1 (vSRX Virtual Firewall); Junos OS Release 19.1R1 (vSRX Virtual Firewall 3.0)
Flexible flow session capacity scaling by an additional vRAM | NA | Junos OS Release 19.1R1 (vSRX Virtual Firewall); Junos OS Release 19.2R1 (vSRX Virtual Firewall 3.0)
Multicore scaling support (Software RSS) | NA | Junos OS Release 19.3R1 (vSRX Virtual Firewall 3.0 only)
Reserve additional vCPU cores for the Routing Engine (vSRX Virtual Firewall and vSRX Virtual Firewall 3.0) | NA |
Virtio (virtio-net, vhost-net) (vSRX Virtual Firewall and vSRX Virtual Firewall 3.0) | NA |

Supported Hypervisors
Linux KVM Hypervisor support | Ubuntu 14.04.5, 16.04, and 16.10 | Junos OS Release 18.4R1
Linux KVM Hypervisor support | Ubuntu 18.04 and 20.04 | Junos OS Release 20.4R1
Linux KVM Hypervisor support | Red Hat Enterprise Linux (RHEL) 7.3 | Junos OS Release 18.4R1
Linux KVM Hypervisor support | Red Hat Enterprise Linux (RHEL) 7.6 and 7.7 | Junos OS Release 19.2R1
Linux KVM Hypervisor support | Red Hat Enterprise Linux (RHEL) 8.2 | Junos OS Release 20.4R1
Linux KVM Hypervisor support | CentOS 7.1, 7.2, 7.6, and 7.7 | Junos OS Release 19.2R1

Other Features
Cloud-init | NA |
Powermode IPSec (PMI) | NA |
Chassis cluster | NA |
GTP TEID based session distribution using Software RSS | NA | Yes (Junos OS Release 19.3R1 onwards)
On-device antivirus scan engine (Avira) | NA | Yes (Junos OS Release 19.4R1 onwards)
LLDP | NA | Yes (Junos OS Release 21.1R1 onwards)
Junos Telemetry Interface | NA | Yes (Junos OS Release 20.3R1 onwards)

System Requirements
Hardware acceleration/enabled VMX CPU flag in the hypervisor | NA |
Disk space | 16 GB (IDE or SCSI drives) (vSRX Virtual Firewall); 18 GB (vSRX Virtual Firewall 3.0) | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1


Table 4: vNIC Support on vSRX Virtual Firewall

vNICs | Release Introduced
Virtio SA and HA |
SR-IOV SA and HA over Intel 82599/X520 series | Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1
SR-IOV SA and HA over Intel X710/XL710/XXV710 series | Junos OS Release 15.1X49-D90
SR-IOV SA over Intel E810 series | Junos OS Release 18.1R1
SR-IOV HA over Intel E810 series | Junos OS Release 18.1R1
SR-IOV SA and HA over Mellanox ConnectX-3 | Not supported
SR-IOV SA and HA over Mellanox ConnectX-4/5/6 (MLX5 driver only) | Junos OS Release 18.1R1 (vSRX Virtual Firewall); Junos OS Release 21.2R1 onwards on vSRX Virtual Firewall 3.0
PCI passthrough over Intel 82599/X520 series | Not supported
PCI passthrough over Intel X710/XL710 series | Not supported
Data Plane Development Kit (DPDK) version 17.05 | Junos OS Release 18.2R1
Data Plane Development Kit (DPDK) version 18.11 | Junos OS Release 19.4R1
  Starting in Junos OS Release 19.4R1, DPDK version 18.11 is supported on vSRX Virtual Firewall. With this feature the Mellanox Connect Network Interface Card (NIC) on vSRX Virtual Firewall now supports OSPF Multicast and VLANs.
Data Plane Development Kit (DPDK) version 20.11 | Junos OS Release 21.2R1
  Starting in Junos OS Release 21.2R1, we've upgraded the Data Plane Development Kit (DPDK) from version 18.11 to version 20.11. The new version supports the ICE Poll Mode Driver (PMD), which enables physical Intel E810 series 100G NIC support on vSRX Virtual Firewall 3.0.


NOTE: A vSRX Virtual Firewall on KVM deployment requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor. You can verify CPU compatibility here: http://www.linux-kvm.org/page/Processor_support

Table 3 and Table 4 list the specifications of the vSRX Virtual Firewall VM.
Starting in Junos OS Release 19.1R1, the vSRX Virtual Firewall instance supports a guest OS using 9 or 17 vCPUs with single-root I/O virtualization (SR-IOV) over Intel X710/XL710 on the Linux KVM hypervisor for improved scalability and performance.

KVM Kernel Recommendations for vSRX Virtual Firewall
Table 5 on page 12 lists the recommended Linux kernel version for your Linux host OS when deploying vSRX Virtual Firewall on KVM. The table outlines the Junos OS release in which support for a particular Linux kernel version was introduced.
Table 5: Kernel Recommendations for KVM

Linux Distribution | Linux Kernel Version | Supported Junos OS Release
CentOS | 3.10.0.229 (Upgrade the Linux kernel to capture the recommended version.) | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 or later release
Ubuntu | 3.16 | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 or later release
Ubuntu | 4.4 | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 or later release
Ubuntu | 18.04 | Junos OS Release 20.4R1 or later release
Ubuntu | 20.04 | Junos OS Release 20.4R1 or later release
RHEL | 3.10 | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 or later release


Additional Linux Packages for vSRX Virtual Firewall on KVM
Table 6 on page 13 lists the additional packages you need on your Linux host OS to run vSRX Virtual Firewall on KVM. See your host OS documentation for how to install these packages if they are not present on your server.
Table 6: Additional Linux Packages for KVM

Package | Version | Download Link
libvirt | 0.10.0 | libvirt download
virt-manager (Recommended) | 0.10.0 | virt-manager download

Hardware Specifications

Table 7 on page 13 lists the hardware specifications for the host machine that runs the vSRX Virtual Firewall VM.
Table 7: Hardware Specifications for the Host Machine

Component | Specification
Host processor type | Intel x86_64 multi-core CPU
  NOTE: DPDK requires Intel Virtualization VT-x/VT-d support in the CPU. See About Intel Virtualization Technology.
Physical NIC support for vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 | Virtio; SR-IOV (Intel X710/XL710, X520/540, 82599); SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN)
  NOTE: If using SR-IOV with either the Mellanox ConnectX-3 or ConnectX-4 Family Adapters, install the latest MLNX_OFED Linux driver on the Linux host if necessary. See Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED).
  NOTE: You must enable the Intel VT-d extensions to provide hardware support for directly assigning physical devices per guest. See Configure SR-IOV and PCI on KVM.
Physical NIC support for vSRX Virtual Firewall 3.0 | SR-IOV on Intel X710/XL710/XXV710, and Intel E810.

Best Practices for Improving vSRX Virtual Firewall Performance
Review the following practices to improve vSRX Virtual Firewall performance.
NUMA Nodes
The x86 server architecture consists of multiple sockets and multiple cores within a socket. Each socket has memory that is used to store packets during I/O transfers from the NIC to the host. To efficiently read packets from memory, guest applications and associated peripherals (such as the NIC) should reside within a single socket. A penalty is associated with spanning CPU sockets for memory accesses, which might result in nondeterministic performance. For vSRX Virtual Firewall, we recommend that all vCPUs for the vSRX Virtual Firewall VM are in the same physical non-uniform memory access (NUMA) node for optimal performance.
CAUTION: The Packet Forwarding Engine (PFE) on the vSRX Virtual Firewall will become unresponsive if the NUMA nodes topology is configured in the hypervisor to spread the instance’s vCPUs across multiple host NUMA nodes. vSRX Virtual Firewall requires that you ensure that all vCPUs reside on the same NUMA node.


We recommend that you bind the vSRX Virtual Firewall instance with a specific NUMA node by setting NUMA node affinity. NUMA node affinity constrains the vSRX Virtual Firewall VM resource scheduling to only the specified NUMA node.
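As an added example (not from the Juniper guide), the following POSIX shell script turns the affinity recommendation above into a reviewable pinning plan: it reads lscpu -p=CPU,NODE output, collects the host CPUs that belong to one NUMA node, and prints the virsh numatune and virsh vcpupin commands that confine the VM's memory and every vCPU to that node. The VM name vsrx, NUMA node 0 and the 2-vCPU size are assumptions, and the lscpu sample is constructed.

```sh
#!/bin/sh
# Added example, not from the Juniper guide: build a NUMA pinning plan for a
# vSRX VM from `lscpu -p=CPU,NODE` output. The VM name "vsrx", NUMA node 0,
# the 2-vCPU size and the sample lscpu output below are all assumptions.

# Constructed sample of `lscpu -p=CPU,NODE` for a two-node host (4 CPUs per node).
SAMPLE_LSCPU='# The following is the parsable format, which can be fed to other
# programs. Each different item in every column has an unique ID
# starting usually from zero.
# CPU,Node
0,0
1,0
2,0
3,0
4,1
5,1
6,1
7,1'

# cpus_on_node NODE   (reads lscpu -p=CPU,NODE output on stdin)
# Prints the comma-separated host CPU ids that belong to NODE, e.g. "0,1,2,3".
cpus_on_node() {
    awk -F, -v node="$1" '
        /^#/ { next }                                   # skip lscpu header comments
        $2 == node { out = out (out == "" ? "" : ",") $1 }
        END { print out }'
}

# pin_plan VM NODE VCPUS   (reads lscpu -p=CPU,NODE output on stdin)
# Prints the virsh commands that keep the guest memory (numatune) and every
# vCPU (vcpupin) on NODE, persisted in the domain definition with --config.
# The commands are printed rather than executed so the plan can be reviewed.
pin_plan() {
    vm=$1; node=$2; vcpus=$3
    cpus=$(cpus_on_node "$node")
    if [ -z "$cpus" ]; then
        echo "pin_plan: no CPUs found on NUMA node $node" >&2
        return 1
    fi
    echo "virsh numatune $vm --nodeset $node --mode strict --config"
    i=0
    while [ "$i" -lt "$vcpus" ]; do
        echo "virsh vcpupin $vm $i $cpus --config"
        i=$((i + 1))
    done
}

# On a real host:  lscpu -p=CPU,NODE | pin_plan vsrx 0 2 | sh
# Here the constructed sample stands in for lscpu.
printf '%s\n' "$SAMPLE_LSCPU" | pin_plan vsrx 0 2
```

After the printed commands have been applied, virsh vcpuinfo vsrx reports the CPU affinity of each vCPU and virsh numatune vsrx reports the node set; checking both before the instance is started is what catches a vCPU that was left free to migrate to the other socket.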
Mapping Virtual Interfaces to a vSRX Virtual Firewall VM
To determine which virtual interfaces on your Linux host OS map to a vSRX Virtual Firewall VM:
1. Use the virsh list command on your Linux host OS to list the running VMs.

hostOS# virsh list
 Id    Name        State
----------------------------------------------------
 9     centos1     running
 15    centos2     running
 16    centos3     running
 48    vsrx        running
 50    1117-2      running
 51    1117-3      running

2. Use the virsh domiflist vsrx-name command to list the virtual interfaces on that vSRX Virtual Firewall VM.

hostOS# virsh domiflist vsrx
 Interface  Type    Source     Model   MAC
-------------------------------------------------------
 vnet1      bridge  brem2      virtio  52:54:00:8f:75:a5
 vnet2      bridge  br1        virtio  52:54:00:12:37:62
 vnet3      bridge  brconnect  virtio  52:54:00:b2:cd:f4

NOTE: The first virtual interface maps to the fxp0 interface in Junos OS.

Interface Mapping for vSRX Virtual Firewall on KVM

Each network adapter defined for a vSRX Virtual Firewall is mapped to a specific interface, depending on whether the vSRX Virtual Firewall instance is a standalone VM or one of a cluster pair for high availability. The interface names and mappings in vSRX Virtual Firewall are shown in Table 8 on page 16 and Table 9 on page 17.
Note the following:
· In standalone mode:
· fxp0 is the out-of-band management interface.
· ge-0/0/0 is the first traffic (revenue) interface.
· In cluster mode:
· fxp0 is the out-of-band management interface.
· em0 is the cluster control link for both nodes.
· Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0 for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.
Table 8 on page 16 shows the interface names and mappings for a standalone vSRX Virtual Firewall VM.
Table 8: Interface Names for a Standalone vSRX Virtual Firewall VM

Network Adapter | Interface Name in Junos OS for vSRX Virtual Firewall
1 | fxp0
2 | ge-0/0/0
3 | ge-0/0/1
4 | ge-0/0/2
5 | ge-0/0/3
6 | ge-0/0/4
7 | ge-0/0/5
8 | ge-0/0/6


Table 9 on page 17 shows the interface names and mappings for a pair of vSRX Virtual Firewall VMs in a cluster (node 0 and node 1).
Table 9: Interface Names for a vSRX Virtual Firewall Cluster Pair

Network Adapter | Interface Name in Junos OS for vSRX Virtual Firewall
1 | fxp0 (node 0 and 1)
2 | em0 (node 0 and 1)
3 | ge-0/0/0 (node 0); ge-7/0/0 (node 1)
4 | ge-0/0/1 (node 0); ge-7/0/1 (node 1)
5 | ge-0/0/2 (node 0); ge-7/0/2 (node 1)
6 | ge-0/0/3 (node 0); ge-7/0/3 (node 1)
7 | ge-0/0/4 (node 0); ge-7/0/4 (node 1)
8 | ge-0/0/5 (node 0); ge-7/0/5 (node 1)
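The mapping in Table 8 and Table 9 is easy to get wrong by hand once a VM carries several vNICs, so here is an added example (not from the Juniper guide) that applies it: a POSIX shell script that reads virsh domiflist output and prints, for each adapter in order, the Junos OS interface name and MAC address, for a standalone VM or for either node of a cluster pair. The domiflist sample is the one shown above under Mapping Virtual Interfaces; the script itself is mine, not Juniper's.

```sh
#!/bin/sh
# Added example, not from the Juniper guide: map the vNICs reported by
# `virsh domiflist` to Junos OS interface names using Table 8 (standalone)
# and Table 9 (cluster). The sample output below is the one shown earlier
# in this section for the VM named "vsrx".

SAMPLE_DOMIFLIST=' Interface  Type    Source     Model   MAC
-------------------------------------------------------
 vnet1      bridge  brem2      virtio  52:54:00:8f:75:a5
 vnet2      bridge  br1        virtio  52:54:00:12:37:62
 vnet3      bridge  brconnect  virtio  52:54:00:b2:cd:f4'

# junos_ifname MODE ADAPTER [NODE]
# MODE is "standalone" or "cluster"; ADAPTER is the 1-based adapter number in
# the order libvirt presents the vNICs; NODE (0 or 1) applies to cluster mode.
junos_ifname() {
    m=$1; a=$2; nd=${3:-0}
    case $m in
    standalone)
        if [ "$a" -eq 1 ]; then echo fxp0               # adapter 1: management
        else echo "ge-0/0/$((a - 2))"; fi ;;            # adapter 2 is ge-0/0/0
    cluster)
        if   [ "$a" -eq 1 ]; then echo fxp0             # adapter 1: management
        elif [ "$a" -eq 2 ]; then echo em0              # adapter 2: control link
        elif [ "$nd" -eq 0 ]; then echo "ge-0/0/$((a - 3))"   # node 0: slot 0
        else echo "ge-7/0/$((a - 3))"; fi ;;                  # node 1: slot 7
    *)
        echo "junos_ifname: unknown mode '$m'" >&2; return 1 ;;
    esac
}

# map_ifaces MODE [NODE]   (reads `virsh domiflist <vm>` output on stdin)
# Prints one line per vNIC: "<host interface> <Junos interface> <MAC>".
map_ifaces() {
    mode=$1; node=${2:-0}; n=0
    while read -r iface type source model mac; do
        case $iface in
        Interface|-*|'') continue ;;                    # header, rule, blank lines
        esac
        n=$((n + 1))
        echo "$iface $(junos_ifname "$mode" "$n" "$node") $mac"
    done
}

# On a live host:  virsh domiflist vsrx | map_ifaces standalone
printf '%s\n' "$SAMPLE_DOMIFLIST" | map_ifaces standalone
printf '%s\n' "$SAMPLE_DOMIFLIST" | map_ifaces cluster 1
```

The order libvirt lists the vNICs in is the order the guest enumerates them, which is why the script counts adapters rather than trusting the vnetN number; comparing its output with show interfaces terse on the vSRX is the quickest way to confirm that fxp0 really is on the management bridge and no revenue interface ended up there.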

vSRX Virtual Firewall Default Settings on KVM

vSRX Virtual Firewall requires the following basic configuration settings:
· Interfaces must be assigned IP addresses.
· Interfaces must be bound to zones.
· Policies must be configured between zones to permit or deny traffic.
Table 10 on page 18 lists the factory-default settings for security policies on the vSRX Virtual Firewall.
Table 10: Factory Default Settings for Security Policies

Source Zone | Destination Zone | Policy Action
trust | untrust | permit
trust | trust | permit
untrust | trust | deny

RELATED DOCUMENTATION
About Intel Virtualization Technology
DPDK Release Notes

CHAPTER 2
Install vSRX Virtual Firewall in KVM
IN THIS CHAPTER
Prepare Your Server for vSRX Virtual Firewall Installation | 19
Install vSRX Virtual Firewall with KVM | 21
Example: Install and Launch vSRX Virtual Firewall on Ubuntu | 27
Load an Initial Configuration on a vSRX Virtual Firewall with KVM | 45
Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances | 48
Prepare Your Server for vSRX Virtual Firewall Installation
IN THIS SECTION
Enable Nested Virtualization | 19
Upgrade the Linux Kernel on Ubuntu | 21
Enable Nested Virtualization
We recommend that you enable nested virtualization on your host OS or OpenStack compute node. Nested virtualization is enabled by default on Ubuntu but is disabled by default on CentOS. Use the following command to determine whether nested virtualization is enabled on your host OS. The result should be Y.
hostOS# cat /sys/module/kvm_intel/parameters/nested
Y

NOTE: APIC virtualization (APICv) does not work well with nested VMs such as those used with KVM. On Intel CPUs that support APICv (typically v2 models, for example E5 v2 and E7 v2), you must disable APICv on the host server before deploying vSRX Virtual Firewall.
To enable nested virtualization on the host OS:
1. Depending on your host operating system, perform the following:
· On CentOS, open the /etc/modprobe.d/dist.conf file in your default editor.
hostOS# vi /etc/modprobe.d/dist.conf
· On Ubuntu, open the /etc/modprobe.d/qemu-system-x86.conf file in your default editor.
hostOS# vi /etc/modprobe.d/qemu-system-x86.conf
2. Add the following line to the file:
options kvm-intel nested=y enable_apicv=n
NOTE: A Page Modification Logging (PML) issue related to the KVM host kernel might prevent the vSRX Virtual Firewall from successfully booting. We recommend that you add the following line to the file instead of the line listed in Step 2:
options kvm-intel nested=y enable_apicv=n pml=n
3. Save the file and reboot the host OS.
4. (Optional) After the reboot, verify that nested virtualization is enabled.
hostOS# cat /sys/module/kvm_intel/parameters/nested
Y
5. On Intel CPUs that support APICv (for example, E5 v2 and E7 v2), disable APICv on the host OS.
root@host# sudo rmmod kvm-intel
root@host# sudo sh -c "echo 'options kvm-intel enable_apicv=n' >> /etc/modprobe.d/dist.conf"
root@host# sudo modprobe kvm-intel
6. Optionally, verify that APICv is now disabled.
root@host# cat /sys/module/kvm_intel/parameters/enable_apicv
N
Upgrade the Linux Kernel on Ubuntu
To upgrade to the latest stable Linux kernel on Ubuntu:
1. Get and install the available updated kernel.
hostOS:$ sudo apt-get install linux-image-generic-lts-utopic
2. Reboot the host OS.
hostOS:$ reboot
3. Optionally, type uname -a in a terminal on your host OS to verify that the host OS is using the latest kernel version.
hostOS:$ uname -a
3.16.0-48-generic
Install vSRX Virtual Firewall with KVM
IN THIS SECTION
Install vSRX Virtual Firewall with virt-manager | 22
Install vSRX Virtual Firewall with virt-install | 24

You use virt-manager or virt-install to install vSRX Virtual Firewall VMs. See your host OS documentation for complete details on these packages.
NOTE: To upgrade an existing vSRX Virtual Firewall instance, see Migration, Upgrade, and Downgrade in the vSRX Virtual Firewall Release Notes.
Install vSRX Virtual Firewall with virt-manager
Ensure that you have already installed KVM, qemu, virt-manager, and libvirt on your host OS. You must also configure the required virtual networks and storage pool in the host OS for the vSRX Virtual Firewall VM. See your host OS documentation for details.
You can install and launch vSRX Virtual Firewall with the KVM virt-manager GUI package. To install vSRX Virtual Firewall with virt-manager:
1. Download the vSRX Virtual Firewall QCOW2 image from the Juniper software download site.
2. On your host OS, type virt-manager. The Virtual Machine Manager appears. See Figure 2 on page 22.
NOTE: You must have admin rights on the host OS to use virt-manager.
Figure 2: virt-manager
3. Click Create a new virtual machine as seen in Figure 3 on page 23. The New VM wizard appears.
Figure 3: Create a New Virtual Machine
4. Select Import existing disk image, and click Forward.
5. Browse to the location of the downloaded vSRX Virtual Firewall QCOW2 image and select the vSRX Virtual Firewall image.
6. Select Linux from the OS type list and select Show all OS options from the Version list.
7. Select Red Hat Enterprise Linux 7 from the expanded Version list and click Forward.
8. Set the RAM to 4096 MB and set CPUs to 2. Click Forward.
9. Set the disk image size to 16 GB and click Forward.
10. Name the vSRX Virtual Firewall VM, and select Customize this configuration before install to change parameters before you create and launch the VM. Click Finish. The Configuration dialog box appears.
11. Select Processor and expand the Configuration list.
12. Select Copy Host CPU Configuration.
13. Set CPU Feature invtsc to disabled on CPUs that support that feature. Set vmx to require for optimal throughput. You can optionally set aes to require for improved cryptographic throughput.
NOTE: If the CPU feature option is not present in your version of virt-manager, you need to start and stop the VM once, and then edit the vSRX Virtual Firewall VM XML file, typically found in the /etc/libvirt/qemu directory on your host OS. Use virsh edit to edit the VM XML file and configure <feature policy='require' name='vmx'/> under the <cpu> element. Also add <feature policy='disable' name='invtsc'/> if your host OS supports this CPU flag. Use the virsh capabilities command on your host OS to list the host OS and CPU virtualization capabilities. The following example shows the relevant portion of the vSRX Virtual Firewall XML file on a CentOS host:

<cpu mode='custom' match='exact'>
  <model>SandyBridge</model>
  <vendor>Intel</vendor>
  <feature policy='require' name='vmx'/>
  <feature policy='disable' name='invtsc'/>
</cpu>

14. Select the disk and expand Advanced Options.
15. Select IDE from the Disk bus list.
16. Select the NIC, and select virtio from the Device model field. This first NIC is the fxp0 (management) interface for vSRX Virtual Firewall.
17. Click Add Hardware to add more virtual networks, and select virtio from the Device model list.
18. Click Apply, and click x to close the dialog box.
19. Click Begin Installation. The VM manager creates and launches the vSRX Virtual Firewall VM.
NOTE: The default vSRX Virtual Firewall VM login ID is root with no password. By default, if a DHCP server is on the network, it assigns an IP address to the vSRX Virtual Firewall VM.
Install vSRX Virtual Firewall with virt-install
Ensure that you have already installed KVM, qemu, virt-install, and libvirt on your host OS. You must also configure the required virtual networks and storage pool in the host OS for the vSRX Virtual Firewall VM. See your host OS documentation for details.

NOTE: You must have root access on the host OS to use the virt-install command.

The virt-install and virsh tools are CLI alternatives to installing and managing vSRX Virtual Firewall VMs on a Linux host. To install vSRX Virtual Firewall with virt-install:
1. Download the vSRX Virtual Firewall QCOW2 image from the Juniper software download site.
2. On your host OS, use the virt-install command with the mandatory options listed in Table 11 on page 25.
NOTE: See the official virt-install documentation for a complete description of available options.

Table 11: virt-install Options

Command Option | Description
--name name | Name the vSRX Virtual Firewall VM.
--ram megabytes | Allocate RAM for the VM, in megabytes.
--cpu cpu-model,cpu-flags | Enable the vmx feature for optimal throughput. You can also enable aes for improved cryptographic throughput. NOTE: CPU flag support depends on your host OS and CPU. Use virsh capabilities to list the virtualization capabilities of your host OS and CPU.
--vcpus number | Allocate the number of vCPUs for the vSRX Virtual Firewall VM.
--disk path | Specify disk storage media and size for the VM. Include the following options: size=gigabytes, device=disk, bus=ide, format=qcow2
--os-type os-type --os-variant os-variant | Configure the guest OS type and variant.
--import | Create and boot the vSRX Virtual Firewall VM from an existing image.

The following example creates a vSRX Virtual Firewall VM with 4096 MB RAM, 2 vCPUs, and disk storage up to 16 GB:
hostOS# virt-install --name vSRXVM --ram 4096 --cpu SandyBridge,+vmx,-invtsc --vcpus=2 --arch=x86_64 --disk path=/mnt/vsrx.qcow2,size=16,device=disk,bus=ide,format=qcow2 --os-type linux --os-variant rhel7 --import
The following example shows the relevant portion of the vSRX Virtual Firewall XML file on a CentOS host:

<cpu mode='custom' match='exact'>
  <model>SandyBridge</model>
  <vendor>Intel</vendor>
  <feature policy='require' name='vmx'/>
  <feature policy='disable' name='invtsc'/>
</cpu>
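Because a vSRX instance silently boots at the largest supported size that fits the resources it was given (the scale-down behaviour described at the start of this chapter), it is worth checking the requested --vcpus and --ram against the sizes in Table 3 before running virt-install. The following POSIX shell script is an added example, not part of the Juniper guide: vsrx_profile applies that scale-down rule, and virt_install_cmd prints the guide's virt-install command for the requested size and warns when some vCPUs would go unused. The VM name, image path and the SandyBridge CPU model are taken from the example command above; the four size thresholds are the ones in Table 3.

```sh
#!/bin/sh
# Added example, not from the Juniper guide: check a requested vCPU/RAM size
# against the supported vSRX sizes (Table 3) and print the guide's virt-install
# command for it. The VM name, image path and CPU model are assumptions taken
# from the example command in the guide.

# Supported sizes, largest first: "<vCPUs> <minimum RAM in MB>"
VSRX_PROFILES='17 32768
9 16384
5 8192
2 4096'

# vsrx_profile VCPUS RAM_MB
# Prints "<vcpus> <ram_mb>" of the size the instance would actually boot at: the
# largest profile whose vCPU and RAM minimums are both met (more RAM than the
# minimum is fine; it only raises the flow session capacity, see Table 2).
# Prints nothing and returns 1 when even the 2 vCPU / 4096 MB minimum is not met.
vsrx_profile() {
    result=$(echo "$VSRX_PROFILES" | while read -r pv pm; do
        if [ "$1" -ge "$pv" ] && [ "$2" -ge "$pm" ]; then
            echo "$pv $pm"
            break
        fi
    done)
    [ -n "$result" ] && echo "$result"
}

# virt_install_cmd NAME IMAGE VCPUS RAM_MB
# Prints the virt-install command; warns on stderr when some of the requested
# vCPUs would be ignored because the size is not a supported profile.
virt_install_cmd() {
    name=$1; image=$2; vcpus=$3; ram=$4
    eff=$(vsrx_profile "$vcpus" "$ram") || {
        echo "virt_install_cmd: $vcpus vCPU / $ram MB is below the 2 vCPU / 4096 MB minimum" >&2
        return 1
    }
    eff_vcpus=${eff% *}
    if [ "$eff_vcpus" -ne "$vcpus" ]; then
        echo "warning: $vcpus vCPU / $ram MB is not a supported size; vSRX boots at the $eff_vcpus vCPU size" >&2
    fi
    printf 'virt-install --name %s --ram %s --cpu SandyBridge,+vmx,-invtsc --vcpus=%s --arch=x86_64 --disk path=%s,size=16,device=disk,bus=ide,format=qcow2 --os-type linux --os-variant rhel7 --import\n' \
        "$name" "$ram" "$vcpus" "$image"
}

# Supported size: prints the command with no warning.
virt_install_cmd vSRXVM /mnt/vsrx.qcow2 2 4096
# 3 vCPU / 8 GB, the guide's own example of a mismatch: warns, boots as 2 vCPU.
virt_install_cmd vSRXVM /mnt/vsrx.qcow2 3 8192
```

Piping the printed command into sh runs it unchanged; keeping the check separate from the run is deliberate, so that a size typo is caught in review rather than discovered later as a 2-vCPU firewall that was paid for as a 5-vCPU one.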

NOTE: The default vSRX Virtual Firewall VM login ID is root with no password. By default, if a DHCP server is on the network, it assigns an IP address to the vSRX Virtual Firewall VM.

RELATED DOCUMENTATION
Installing a virtual machine using virt-install
Migration, Upgrade, and Downgrade
Linux CPU Flags

Example: Install and Launch vSRX Virtual Firewall on Ubuntu
IN THIS SECTION
Requirements | 28
Overview | 28
Quick Configuration – Install and Launch a vSRX Virtual Firewall VM on Ubuntu | 29
Step by Step Configuration | 32

This example shows how to install and launch a vSRX Virtual Firewall instance on an Ubuntu server with KVM.
Requirements
This example uses the following hardware and software components:
· Generic x86 server
· Junos OS Release 15.1X49-D20 for vSRX Virtual Firewall
· Ubuntu version 14.04.2
Before you begin:
· This example assumes a fresh install of the Ubuntu server software.
· Ensure that your host OS meets the requirements specified in Requirements for vSRX on KVM.
Overview
This example shows how to set up your Ubuntu host server and install and launch a vSRX Virtual Firewall VM. Figure 4 on page 28 shows the basic structure of a vSRX Virtual Firewall VM on an Ubuntu server.
Figure 4: vSRX Virtual Firewall VM on Ubuntu
NOTE: This example uses static IP addresses. If you are configuring the vSRX Virtual Firewall instance in an NFV environment, you should use DHCP.

Quick Configuration – Install and Launch a vSRX Virtual Firewall VM on Ubuntu
IN THIS SECTION
CLI Quick Configuration | 29
Procedure | 29
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and copy and paste the commands into the Ubuntu server terminal or vSRX Virtual Firewall console as specified.
Procedure
Step-by-Step Procedure
1. If the default virtual network does not already exist, copy the following commands and paste them into the Ubuntu server terminal to create the default virtual network.
cat << EOF > /etc/libvirt/qemu/networks/default.xml
<network>
  <name>default</name>
  ...
</network>
EOF
virsh net-define /etc/libvirt/qemu/networks/default.xml
virsh net-start default
virsh net-autostart default
2. Create the left, or trusted, virtual network on the Ubuntu server.
cat << EOF > /etc/libvirt/qemu/networks/testleftnetwork.xml
<network>
  <name>TestLeft</name>
  ...
</network>
EOF
virsh net-define /etc/libvirt/qemu/networks/testleftnetwork.xml
virsh net-start TestLeft
virsh net-autostart TestLeft
3. Create the right, or untrusted, virtual network on the Ubuntu server.
cat << EOF > /etc/libvirt/qemu/networks/testrightnetwork.xml
<network>
  <name>TestRight</name>
  ...
</network>
EOF
virsh net-define /etc/libvirt/qemu/networks/testrightnetwork.xml
virsh net-start TestRight
virsh net-autostart TestRight
4. Download the vSRX Virtual Firewall KVM image from the Juniper Networks website at https://www.juniper.net/support/downloads/?p=vsrx#sw.
5. Copy the following commands and modify the cpu parameter and flags to match your Ubuntu server CPU. Paste the resulting commands into the Ubuntu server terminal to copy the image to a mount point and create the vSRX Virtual Firewall VM.
cp junos-vsrx-vmdisk-15.1X49-D20.2.qcow2 /mnt/vsrx20one.qcow2
virt-install --name vSRX20One --ram 4096 --cpu SandyBridge,+vmx,-invtsc --vcpus=2 --arch=x86_64 --disk path=/mnt/vsrx20one.qcow2,size=16,device=disk,bus=ide,format=qcow2 --os-type linux --os-variant rhel7 --import --network=network:default,model=virtio --network=network:TestLeft,model=virtio --network=network:TestRight,model=virtio
NOTE: The CPU model and flags in the virt-install command might vary based on the CPU and features in the Ubuntu server.
6. To set the root password on the vSRX Virtual Firewall VM, copy and paste the command into the vSRX Virtual Firewall CLI at the [edit] hierarchy level.
set system root-authentication plain-text-password
7. To create a base configuration on the vSRX Virtual Firewall VM, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the vSRX Virtual Firewall CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces fxp0 unit 0 family inet dhcp-client
set interfaces ge-0/0/0 unit 0 family inet address 192.168.123.254/24
set interfaces ge-0/0/1 unit 0 family inet dhcp-client
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set routing-instances CUSTOMER-VR instance-type virtual-router
set routing-instances CUSTOMER-VR interface ge-0/0/0.0
set routing-instances CUSTOMER-VR interface ge-0/0/1.0
set security nat source rule-set source-nat from zone trust
set security nat source rule-set source-nat to zone untrust
set security nat source rule-set source-nat rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set source-nat rule nat1 then source-nat interface
Step by Step Configuration
IN THIS SECTION
Add Virtual Networks | 33
Verify the Virtual Networks | 36
Download and Install the vSRX Virtual Firewall Image | 37
Verify the vSRX Virtual Firewall Installation | 37
Create a Base Configuration on the vSRX Virtual Firewall Instance | 40
Verify the Basic Configuration on the vSRX Virtual Firewall Instance | 43
Use the following sections for a more detailed set of procedures to install and launch a vSRX Virtual Firewall VM.

Add Virtual Networks
Step-by-Step Procedure
You need to create virtual networks on the Ubuntu server to provide network connectivity to interfaces on the vSRX Virtual Firewall VM. Copy and paste these commands into a terminal on the Ubuntu server. This example uses three virtual networks:
· default: Connects the fxp0 management interface.
NOTE: The default virtual network should already exist on the Ubuntu server. Use the virsh net-list command to verify that the default network is present and active.
· TestLeft: Connects the ge-0/0/0 interface to the trusted zone.
· TestRight: Connects the ge-0/0/1 interface to the untrusted zone.
1. If the default network does not exist, follow these steps:
a. Open a text editor on the Ubuntu server and create the default network XML (default.xml) file.
emacs /etc/libvirt/qemu/networks/default.xml
b. Set the forward mode to nat, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.
NOTE: Use the XML format specified by libvirt.
<network>
  <name>default</name>
  ...
</network>
c. Define and start the default virtual network, based on the default.xml file you created.
virsh net-define /etc/libvirt/qemu/networks/default.xml
virsh net-start default
virsh net-autostart default
2. Remove any previously configured TestLeft virtual network.
virsh net-destroy TestLeft
virsh net-undefine TestLeft
3. Remove any previously configured TestRight virtual network.
virsh net-destroy TestRight
virsh net-undefine TestRight
4. Open a text editor on the Ubuntu server and create the TestLeft network XML (testleftnetwork.xml) file.
emacs /etc/libvirt/qemu/networks/testleftnetwork.xml
5. Set the forward mode to route, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.
NOTE: Use the XML format specified by libvirt.
<network>
  <name>TestLeft</name>
  ...
</network>
6. Open a text editor on the Ubuntu server and create the TestRight network XML (testrightnetwork.xml) file.
emacs /etc/libvirt/qemu/networks/testrightnetwork.xml
7. Set the forward mode to nat, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.
NOTE: Use the XML format specified by libvirt.
<network>
  <name>TestRight</name>
  ...
</network>
8. Define and start the TestLeft virtual network, based on the testleftnetwork.xml file you created.
virsh net-define /etc/libvirt/qemu/networks/testleftnetwork.xml
virsh net-start TestLeft
virsh net-autostart TestLeft
9. Define and start the TestRight virtual network, based on the testrightnetwork.xml file you created.
virsh net-define /etc/libvirt/qemu/networks/testrightnetwork.xml
virsh net-start TestRight
virsh net-autostart TestRight
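The XML bodies of the three network files are not reproduced above, so here is an added example (not from the Juniper guide) that generates them and serves both the quick configuration and the step-by-step procedure: a POSIX shell script whose net_xml function prints a libvirt network definition with the forward mode, bridge, host address and netmask, and DHCP range named in steps 1b, 5 and 7, and whose define_net function performs the net-define, net-start and net-autostart steps. The only address taken from the guide is the TestLeft subnet 192.168.123.0/24 (ge-0/0/0 is 192.168.123.254); the bridge names virbr0, virbr1 and virbr2, the host addresses, the DHCP ranges and the TestRight subnet 192.168.124.0/24 are assumptions.

```sh
#!/bin/sh
# Added example, not from the Juniper guide: generate the three libvirt network
# definitions used in this example (default, TestLeft, TestRight) and define,
# start and autostart them. The bridge names, host-side addresses, DHCP ranges
# and the TestRight subnet are assumptions; only 192.168.123.0/24 (TestLeft,
# where the vSRX ge-0/0/0 is 192.168.123.254) comes from the guide.

NETDIR=${NETDIR:-/etc/libvirt/qemu/networks}

# net_xml NAME BRIDGE FORWARD_MODE ADDRESS NETMASK DHCP_START DHCP_END
# Prints a libvirt <network> definition: forward mode (nat or route), a bridge
# interface, the host address/netmask on that bridge, and a DHCP pool.
net_xml() {
    cat <<EOF
<network>
  <name>$1</name>
  <forward mode='$3'/>
  <bridge name='$2' stp='on' delay='0'/>
  <ip address='$4' netmask='$5'>
    <dhcp>
      <range start='$6' end='$7'/>
    </dhcp>
  </ip>
</network>
EOF
}

# define_net NAME XMLFILE
# Removes any stale definition of NAME, then defines, starts and autostarts it.
define_net() {
    virsh net-destroy "$1" >/dev/null 2>&1 || true    # ignore "network is not active"
    virsh net-undefine "$1" >/dev/null 2>&1 || true   # ignore "network not found"
    virsh net-define "$2" && virsh net-start "$1" && virsh net-autostart "$1"
}

# write_networks: one file per network in NETDIR. The DHCP pools stop at .100
# so the static ge-0/0/0 address (.254 on TestLeft) can never be leased out.
write_networks() {
    net_xml default   virbr0 nat   192.168.122.1 255.255.255.0 192.168.122.2 192.168.122.100 > "$NETDIR/default.xml"
    net_xml TestLeft  virbr1 route 192.168.123.1 255.255.255.0 192.168.123.2 192.168.123.100 > "$NETDIR/testleftnetwork.xml"
    net_xml TestRight virbr2 nat   192.168.124.1 255.255.255.0 192.168.124.2 192.168.124.100 > "$NETDIR/testrightnetwork.xml"
}

# Run as root on the KVM host:  sh networks.sh apply
# Without the argument only the functions are defined, so net_xml output can be
# inspected first. The default network is created only when it is missing,
# matching step 1 of the procedure; TestLeft and TestRight are always replaced.
if [ "${1:-}" = apply ]; then
    write_networks
    if ! virsh net-info default >/dev/null 2>&1; then
        define_net default "$NETDIR/default.xml"
    fi
    define_net TestLeft  "$NETDIR/testleftnetwork.xml"
    define_net TestRight "$NETDIR/testrightnetwork.xml"
    virsh net-list --all
fi
```

Keeping TestLeft in route mode and TestRight in nat mode, as the steps specify, is what makes the source NAT in the vSRX base configuration observable: traffic from the trusted side leaves the vSRX with its ge-0/0/1 address, and only then is it NATed again by the host on virbr2.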

Verify the Virtual Networks
Purpose
Verify the new virtual network configuration on the Ubuntu server.
Action
Use the virsh net-list command on the Ubuntu server to verify that the new virtual networks are active and are set to autostart on reboot.
virsh net-list
 Name        State    Autostart   Persistent
----------------------------------------------------------
 default     active   yes         yes
 TestLeft    active   yes         yes
 TestRight   active   yes         yes

Download and Install the vSRX Virtual Firewall Image
Step-by-Step Procedure
To download and install the vSRX Virtual Firewall image on the Ubuntu server:
1. Download the vSRX Virtual Firewall KVM image from the Juniper Networks website: https://www.juniper.net/support/downloads/?p=vsrx#sw
2. Copy the vSRX Virtual Firewall image to an appropriate mount point.
hostOS# cp junos-vsrx-vmdisk-15.1X49-D20.2.qcow2 /mnt/vsrx20one.qcow2
3. Use the virt-install command to create a vSRX Virtual Firewall VM. Modify the cpu parameter and flags to match your Ubuntu server CPU.
hostOS# virt-install --name vSRX20One --ram 4096 --cpu SandyBridge,+vmx,-invtsc --vcpus=2 --arch=x86_64 --disk path=/mnt/vsrx20one.qcow2,size=16,device=disk,bus=ide,format=qcow2 --os-type linux --os-variant rhel7 --import --network=network:default,model=virtio --network=network:TestLeft,model=virtio --network=network:TestRight,model=virtio
NOTE: The CPU model and flags in the virt-install command might vary based on the CPU and features in the Ubuntu server.
Verify the vSRX Virtual Firewall Installation

Purpose

Verify the vSRX Virtual Firewall installation.

Action

1. Use the virsh console command on the Ubuntu server to access the vSRX Virtual Firewall console and watch the progress of the installation. The installation can take several minutes to complete.

hostOS# virsh console vSRX20One
Starting install...
ERROR internal error: process exited while connecting to monitor: libust[11994/11994]: Warning: HOME environment variable not set. Disabling LTTng-UST per-user tracing. (in setup_local_apps() at lttng-ust-comm.c:305)
libust[11994/11995]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)
libust[11994/11995]: Error: Error opening shm /lttng-ust-wait-5 (in get_wait_shm() at lttng-ust-comm.c:886)
Booting `Juniper Linux'
Loading Linux ...
Consoles: serial port
BIOS drive C: is disk0
BIOS drive D: is disk1
BIOS drive E: is disk2
BIOS drive F: is disk3
BIOS 639kB/999416kB available memory

FreeBSD/i386 bootstrap loader, Revision 1.2
(builder@example.com, Thu Jul 30 23:20:10 UTC 2015)
Loading /boot/defaults/loader.conf
/kernel text=0xa3a2c0 data=0x6219c+0x11f8e0 syms=[0x4+0xb2ed0+0x4+0x1061bb]
/boot/modules/libmbpool.ko text=0xce8 data=0x114
/boot/modules/if_em_vsrx.ko text=0x184c4 data=0x7fc+0x20
/boot/modules/virtio.ko text=0x2168 data=0x208 syms=[0x4+0x7e0+0x4+0x972]
/boot/modules/virtio_pci.ko text=0x2de8 data=0x200+0x8 syms=[0x4+0x8f0+0x4+0xb22]
/boot/modules/virtio_blk.ko text=0x299c data=0x1dc+0xc syms=[0x4+0x960+0x4+0xa0f]
/boot/modules/if_vtnet.ko text=0x5ff0 data=0x360+0x10 syms=[0x4+0xdf0+0x4+0xf19]
/boot/modules/pci_hgcomm.ko text=0x12fc data=0x1a4+0x44 syms=[0x4+0x560+0x4+0x61d]
/boot/modules/chassis.ko text=0x9bc data=0x1d0+0x10 syms=[0x4+0x390+0x4+0x399]
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...
platform_early_bootinit: Early Boot Initialization
GDB: debug ports: sio
GDB: current port: sio
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2015, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
JUNOS 15.1X49-D15.4 #0: 2015-07-31 02:20:21 UTC

The machine id is empty. Cleaning up ...
Thu Aug 27 12:06:22 UTC 2015
Aug 27 12:06:22 init: exec_command: /usr/sbin/dhcpd (PID 1422) started
Aug 27 12:06:22 init: dhcp (PID 1422) started
Aug 27 12:06:23 init: exec_command: /usr/sbin/pppd (PID 1428) started

Amnesiac (ttyd0)

login:
2. On the vSRX Virtual Firewall console, log in and verify the vSRX Virtual Firewall version installed.

login: root
--- JUNOS 15.1X49-D15.4 built 2015-07-31 02:20:21 UTC
root@% cli
root>
root> show version
Model: vSRX
Junos: 15.1X49-D15.4
JUNOS Software Release [15.1X49-D15.4]

Create a Base Configuration on the vSRX Virtual Firewall Instance

Step-by-Step Procedure

To configure a base setup on the vSRX Virtual Firewall instance, enter the following steps in edit mode:

1. Create a root password.

[edit]
set system root-authentication plain-text-password
2. Set the IP address family for the management interface, and enable the DHCP client for this interface.

set interfaces fxp0 unit 0 family inet dhcp-client

3. Set the IP address for the ge-0/0/0.0 interface.

set interfaces ge-0/0/0 unit 0 family inet address 192.168.123.254/24

4. Set the IP address family for the ge-0/0/1.0 interface, and enable the DHCP client for this interface.

set interfaces ge-0/0/1 unit 0 family inet dhcp-client

5. Add the ge-0/0/0.0 interface to the trust security zone and allow all system services as inbound traffic on that interface.

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

6. Add the ge-0/0/1.0 interface to the untrust security zone and allow only the DHCP system service as inbound traffic on that interface.

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

7. Create a virtual router routing instance and add the two interfaces to that routing instance.

set routing-instances CUSTOMER-VR instance-type virtual-router
set routing-instances CUSTOMER-VR interface ge-0/0/0.0
set routing-instances CUSTOMER-VR interface ge-0/0/1.0

8. Create a source NAT rule set.

set security nat source rule-set source-nat from zone trust
set security nat source rule-set source-nat to zone untrust

9. Configure a rule that matches packets and translates the source address to the address of the egress interface.

set security nat source rule-set source-nat rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set source-nat rule nat1 then source-nat interface
Results
From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
show interfaces
From configuration mode, confirm your security policies by entering the show security policies command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
show security policies
from-zone trust to-zone trust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone untrust {
    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
NOTE: As a final step, exit configuration mode and use the request system reboot command to reboot the vSRX Virtual Firewall VM. You can use the virsh console command on the Ubuntu server to reconnect to the vSRX Virtual Firewall after reboot.
Verify the Basic Configuration on the vSRX Virtual Firewall Instance
Purpose
Verify the basic configuration on the vSRX Virtual Firewall instance.

Action

Verify that the ge-0/0/0.0 interface has an assigned IP address from the TestLeft network DHCP address range, and that the ge-0/0/1.0 interface has an assigned IP address from the TestRight network DHCP address range.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.123.254/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.124.238/24
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     128.0.0.1/2
em1                     up    up
em1.32768               up    up   inet     192.168.1.2/24
em2                     up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.2.1/24
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

RELATED DOCUMENTATION

libvirt Network XML Format
libvirt Command Reference
Load an Initial Configuration on a vSRX Virtual Firewall with KVM
IN THIS SECTION

Create a vSRX Virtual Firewall Bootstrap ISO Image | 46
Provision vSRX Virtual Firewall with an ISO Bootstrap Image on KVM | 47

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can use a mounted ISO image to pass the initial startup Junos OS configuration to a vSRX Virtual Firewall VM. This ISO image contains a file in the root directory called juniper.conf. This file uses the standard Junos OS command syntax to define configuration details, such as root password, management IP address, default gateway, and other configuration statements. The process to bootstrap a vSRX Virtual Firewall VM with an ISO configuration image is as follows:
NOTE: SNMPv3 configuration is not supported when provisioning the vSRX Virtual Firewall platforms with an ISO bootstrap image.
1. Create the juniper.conf configuration file with your Junos OS configuration.

2. Create an ISO image that includes the juniper.conf file.

3. Mount the ISO image to the vSRX Virtual Firewall VM.

4. Boot or reboot the vSRX Virtual Firewall VM. vSRX Virtual Firewall will boot using the juniper.conf file included in the mounted ISO image.

5. Unmount the ISO image from the vSRX Virtual Firewall VM.
NOTE: If you do not unmount the ISO image after the initial boot or reboot, all subsequent configuration changes to the vSRX Virtual Firewall are overwritten by the ISO image on the next reboot.
Create a vSRX Virtual Firewall Bootstrap ISO Image
This task uses a Linux system to create the ISO image.

To create a vSRX Virtual Firewall bootstrap ISO image:

1. Create a configuration file in plaintext with the Junos OS command syntax and save it in a file called juniper.conf.

2. Create a new directory.
hostOS$ mkdir iso_dir
3. Copy juniper.conf to the new ISO directory.
hostOS$ cp juniper.conf iso_dir
NOTE: The juniper.conf file must contain the full vSRX Virtual Firewall configuration. The ISO bootstrap process overwrites any existing vSRX Virtual Firewall configuration.

4. Use the Linux mkisofs command to create the ISO image.

hostOS$ mkisofs -l -o test.iso iso_dir
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
175 extents written (0 MB)
NOTE: The -l option allows for a long filename.
Provision vSRX Virtual Firewall with an ISO Bootstrap Image on KVM
To provision a vSRX Virtual Firewall VM from an ISO bootstrap image:

1. Use the virsh edit command on the KVM host server where the vSRX Virtual Firewall VM resides to add the bootstrap ISO image as a disk device.

2. Boot or reboot the vSRX Virtual Firewall VM.

user@host# virsh start ixvSRX
Connected to domain ixvSRX
3. Optionally, use the virsh domblklist Linux command to verify that the bootstrap ISO image is part of the VM.

hostOS# virsh domblklist ixvSRX
Target     Source
------------------------------------------------
hda        /home/test/vsrx209.qcow2
hdc        /home/test/test.iso

4. Verify the configuration, then power down the vSRX Virtual Firewall VM to remove the ISO image.

5. Use the virsh edit command on the KVM host server to remove the ISO image XML statements added in step 1, and then reboot the vSRX Virtual Firewall VM.
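The two procedures above (build the ISO, attach it, verify with virsh domblklist, then remove it so the ISO does not overwrite later configuration on every reboot) can be chained in one script; the following is an added example, not Juniper's code, and it uses virsh attach-disk/detach-disk with --config in place of the guide's virsh edit step. The domain name ixvSRX, target device hdc, ISO path test.iso and the staging directory iso_dir are assumptions taken from the guide's sample output.

```shell
#!/bin/sh
# Added example: stage juniper.conf, build the bootstrap ISO, attach it as a
# read-only CD-ROM, confirm it is listed by domblklist, and detach it after
# the first boot has consumed the configuration.
set -eu

# Pick whichever ISO 9660 writer is installed; genisoimage and xorrisofs
# accept the same -l/-o options as mkisofs. Prints the tool name.
iso_tool() {
    for t in mkisofs genisoimage xorrisofs; do
        if command -v "$t" >/dev/null 2>&1; then echo "$t"; return 0; fi
    done
    echo "no mkisofs/genisoimage/xorrisofs found" >&2
    return 1
}

# Copy CONF to DIR/juniper.conf (the file name the VM looks for in the ISO
# root) and write ISO with long file names enabled (-l). Prints the ISO path.
build_iso() {
    conf=$1 iso=$2 dir=${3:-iso_dir}
    [ -s "$conf" ] || { echo "$conf is missing or empty" >&2; return 1; }
    mkdir -p "$dir"
    cp "$conf" "$dir/juniper.conf"
    tool=$(iso_tool) || return 1
    "$tool" -l -o "$iso" "$dir" >/dev/null 2>&1
    printf '%s\n' "$iso"
}

# Read `virsh domblklist` output on stdin and print the target device whose
# source is ISO (hdc in the guide's output); exit 1 if the ISO is not attached.
iso_target() {
    awk -v iso="$1" 'NR > 2 && $2 == iso { print $1; found = 1 } END { exit !found }'
}

# Attach ISO to DOMAIN as a read-only IDE CD-ROM on DEV and persist the change
# in the domain definition (--config), as editing the XML by hand would.
attach_iso() {
    domain=$1 iso=$2 dev=${3:-hdc}
    virsh attach-disk "$domain" "$iso" "$dev" --type cdrom --mode readonly --config
}

# Remove the ISO from the domain definition once the bootstrap configuration
# has been applied; left attached, it overwrites the config on every reboot.
detach_iso() {
    domain=$1 dev=${2:-hdc}
    virsh detach-disk "$domain" "$dev" --config
}

# Full sequence for a powered-off domain: attach, boot, wait until the
# operator has verified the configuration and powered the VM off, detach.
bootstrap() {
    domain=$1 conf=$2 iso=$3
    iso=$(build_iso "$conf" "$iso")
    attach_iso "$domain" "$iso"
    virsh domblklist "$domain" | iso_target "$iso" >/dev/null
    virsh start "$domain"
    echo "Verify the configuration on the console, then power the VM off:"
    echo "  virsh console $domain   ->   request system power-off"
    while virsh domstate "$domain" | grep -q running; do sleep 5; done
    detach_iso "$domain"
}

if [ "${1:-}" = "--run" ]; then
    bootstrap "${2:-ixvSRX}" "${3:-juniper.conf}" "${4:-test.iso}"
fi
```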

Release History Table

Release        Description
15.1X49-D80    Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can use a mounted ISO image to pass the initial startup Junos OS configuration to a vSRX Virtual Firewall VM. This ISO image contains a file in the root directory called juniper.conf. This file uses the standard Junos OS command syntax to define configuration details, such as root password, management IP address, default gateway, and other configuration statements.

RELATED DOCUMENTATION

Linux mkisofs command
Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances
IN THIS SECTION

Perform Automatic Setup of a vSRX Virtual Firewall Instance Using an OpenStack Command-Line Interface | 52
Perform Automatic Setup of a vSRX Virtual Firewall Instance from the OpenStack Dashboard (Horizon) | 54
Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall image to help simplify configuring new vSRX Virtual Firewall instances operating in an OpenStack environment according to a specified userdata file. Cloud-init is performed during the first-time boot of a vSRX Virtual Firewall instance.
Cloud-init is an OpenStack software package for automating the initialization of a cloud instance at boot-up. It is available in Ubuntu and most major Linux and FreeBSD operating systems. Cloud-init is designed to support multiple different cloud providers so that the same virtual machine (VM) image can be directly used in multiple hypervisors and cloud instances without any modification. Cloud-init support in a VM instance runs at boot time (first-time boot) and initializes the VM instance according to the specified user-data file.
A user-data file is a special key in the metadata service that contains a file that cloud-aware applications in the VM instance can access upon a first-time boot. In this case, it is the validated Junos OS configuration file that you intend to upload to a vSRX Virtual Firewall instance as the active configuration. This file uses the standard Junos OS command syntax to define configuration details, such as root password, management IP address, default gateway, and other configuration statements.
When you create a vSRX Virtual Firewall instance, you can use cloud-init with a validated Junos OS configuration file (juniper.conf) to automate the initialization of new vSRX Virtual Firewall instances. The user-data file uses the standard Junos OS syntax to define all the configuration details for your vSRX Virtual Firewall instance. The default Junos OS configuration is replaced during the vSRX Virtual Firewall instance launch with a validated Junos OS configuration that you supply in the form of a user-data file.
NOTE: If using a release earlier than Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, the user-data configuration file cannot exceed 16 KB. If your user-data file exceeds this limit, you must compress the file using gzip and use the compressed file. For example, the gzip junos.conf command results in the junos.conf.gz file. Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, if using a configuration drive data source in an OpenStack environment, the user-data configuration file size can be up to 64 MB.
The configuration must be validated and include details for the fxp0 interface, login, and authentication. It must also have a default route for traffic on fxp0. If any of this information is missing or incorrect, the instance is inaccessible and you must launch a new one.

WARNING: Ensure that the user-data configuration file is not configured to perform autoinstallation on interfaces using Dynamic Host Configuration Protocol (DHCP) to assign an IP address to the vSRX Virtual Firewall. Autoinstallation with DHCP will result in a “commit fail” for the user-data configuration file.
Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, the cloud-init functionality in vSRX Virtual Firewall has been extended to support the use of a configuration drive data source in an OpenStack environment. The configuration drive uses the user-data attribute to pass a validated Junos OS configuration file to the vSRX Virtual Firewall instance. The user-data can be plain text or MIME file type text/plain. The configuration drive is typically used in conjunction with the Compute service, and is present to the instance as a disk partition labeled config-2. The configuration drive has a maximum size of 64 MB, and must be formatted with either the vfat or ISO 9660 filesystem.
The configuration drive data source also provides the flexibility to add more than one file that can be used for configuration. A typical use case would be to add a Day0 configuration file and a license file. In this case, there are two methods that can be employed to use a configuration drive data source with a vSRX Virtual Firewall instance:
· User-data (Junos OS configuration file) alone. This approach uses the user-data attribute to pass the Junos OS configuration file to each vSRX Virtual Firewall instance. The user-data can be plain text or MIME file type text/plain.

· Junos OS configuration file and license file. This approach uses the configuration drive data source to send the Junos OS configuration and license file(s) to each vSRX Virtual Firewall instance.

NOTE: If a license file is to be configured in vSRX Virtual Firewall, it is recommended to use the --file option rather than the user-data option to provide the flexibility to configure files larger than the 16 KB limit of user-data.
To use a configuration drive data source to send Junos OS configuration and license file(s) to a vSRX Virtual Firewall instance, the files need to be sent in a specific folder structure. In this application, the folder structure of the configuration drive data source in vSRX Virtual Firewall is as follows:

- OpenStack
  - latest
    - junos-config
      - configuration.txt
    - junos-license
      - License_file_name.lic
      - License_file_name.lic

/OpenStack/latest/junos-config/configuration.txt
/OpenStack/latest/junos-license/license.lic

Before you begin:

· Create a configuration file with the Junos OS command syntax and save it. The configuration file can be plain text or MIME file type text/plain. The string #junos-config must be the first line of the user-data configuration file, before the Junos OS configuration.
NOTE: The #junos-config string is mandatory in the user-data configuration file; if it is not included, the configuration will not be applied to the vSRX Virtual Firewall instance as the active configuration.
· Determine the name for the vSRX Virtual Firewall instance you want to initialize with a validated Junos OS configuration file.
· Determine the flavor for your vSRX Virtual Firewall instance, which defines the compute, memory, and storage capacity of the vSRX Virtual Firewall instance.
· Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, if using a configuration drive, ensure that the following criteria are met to enable cloud-init support for a configuration drive in OpenStack:

  · The configuration drive must be formatted with either the vfat or iso9660 filesystem.

  NOTE: The default format of a configuration drive is an ISO 9660 file system. To explicitly specify the ISO 9660/vfat format, add the config_drive_format=iso9660/vfat line to the nova.conf file.

  · The configuration drive must have a filesystem label of config-2.

  · The folder size must be no greater than 64 MB.
Depending on your OpenStack environment, you can use either an OpenStack command-line interface (such as nova boot or openstack server create) or the OpenStack Dashboard (“Horizon”) to launch and initialize a vSRX Virtual Firewall instance.

Perform Automatic Setup of a vSRX Virtual Firewall Instance Using an OpenStack Command-Line Interface
You can launch and manage a vSRX Virtual Firewall instance using either the nova boot or openstack server create commands, which includes the use of a validated Junos OS configuration user-data file from your local directory to initialize the active configuration of the target vSRX Virtual Firewall instance.
To initiate the automatic setup of a vSRX Virtual Firewall instance from an OpenStack command-line client:
1. If you have not done so already, create a configuration file with the Junos OS command syntax and save the file. The configuration file can be plain text or MIME file type text/plain. The user-data configuration file must contain the full vSRX Virtual Firewall configuration that is to be used as the active configuration on each vSRX Virtual Firewall instance, and the string #junos-config must be the first line of the user-data configuration file, before the Junos OS configuration.
NOTE: The #junos-config string is mandatory in the user-data configuration file; if it is not included, the configuration will not be applied to the vSRX Virtual Firewall instance as the active configuration.
2. Copy the Junos OS configuration file to an accessible location from where it can be retrieved to launch the vSRX Virtual Firewall instance.
3. Depending on your OpenStack environment, use the nova boot or openstack server create command to launch the vSRX Virtual Firewall instance with a validated Junos OS configuration file as the specified user-data.
NOTE: You can also use the nova boot equivalent in an Orchestration service such as HEAT.
For example:

· nova boot --user-data </path/to/vsrx_configuration.txt> --image vSRX_image --flavor vSRX_flavor_instance

· openstack server create --user-data </path/to/vsrx_configuration.txt> --image vSRX_image --flavor vSRX_flavor_instance

Where:

--user-data </path/to/vsrx_configuration.txt> specifies the location of the Junos OS configuration file. The user-data configuration file size is limited to approximately 16,384 bytes.

--image vSRX_image identifies the name of a unique vSRX Virtual Firewall image.

--flavor vSRX_flavor_instance identifies the vSRX Virtual Firewall flavor (ID or name).

Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, to enable the use of a configuration drive for a specific request in the OpenStack compute environment, include the --config-drive true parameter in the nova boot or openstack server create command.

NOTE: It is possible to enable the configuration drive automatically on all instances by configuring the OpenStack Compute service to always create a configuration drive. To do this, specify the force_config_drive=True option in the nova.conf file.

For example, to use the user-data attribute to pass the Junos OS configuration to each vSRX Virtual Firewall instance:

nova boot --config-drive true --flavor vSRX_flavor_instance --image vSRX_image --user-data </path/to/vsrx_configuration.txt>

Where:

--user-data </path/to/vsrx_configuration.txt> specifies the location of the Junos OS configuration file. The user-data configuration file size is limited to approximately 64 MB.

--image vSRX_image identifies the name of a unique vSRX Virtual Firewall image.

--flavor vSRX_flavor_instance identifies the vSRX Virtual Firewall flavor (ID or name).

For example, to specify the configuration drive with multiple files (Junos OS configuration file and license file):

nova boot --config-drive true --flavor vSRX_flavor_instance --image vSRX_image [--file /config/junos-config/configuration.txt=/path/to/file] [--file /config/junos-license/license.lic=/path/to/license]

Where:

[--file /config/junos-config/configuration.txt=/path/to/file] specifies the location of the Junos OS configuration file.

[--file /config/junos-license/license.lic=/path/to/license] specifies the location of the license file.

--image vSRX_image identifies the name of a unique vSRX Virtual Firewall image.

--flavor vSRX_flavor_instance identifies the vSRX Virtual Firewall flavor (ID or name).

4. Boot or reboot the vSRX Virtual Firewall instance. During the initial boot-up sequence, the vSRX Virtual Firewall instance processes the cloud-init request.

NOTE: The boot time for the vSRX Virtual Firewall instance might increase with the use of the cloud-init package. This additional time in the initial boot sequence is due to the operations performed by the cloud-init package. During this operation, the cloud-init package halts the boot sequence and performs a lookup for the configuration data in each data source identified in the cloud.cfg. The time required to look up and populate the cloud data is directly proportional to the number of data sources defined. In the absence of a data source, the lookup process continues until it reaches a predefined timeout of 30 seconds for each data source.
5. When the initial boot-up sequence resumes, the user-data file replaces the original factory-default Junos OS configuration loaded on the vSRX Virtual Firewall instance. If the commit succeeds, the factory-default configuration will be permanently replaced. If the configuration is not supported or cannot be applied to the vSRX Virtual Firewall instance, the vSRX Virtual Firewall will boot using the default Junos OS configuration.
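Because a user-data file that fails commit leaves the instance unreachable and forces a relaunch, it is worth checking the file against the requirements stated in this section before passing it to nova boot or openstack server create. The following pre-flight check is an added example, not part of the Juniper guide; it assumes hierarchical Junos syntax, the sample configuration it writes is constructed for the example (its encrypted-password value is a placeholder, not a real hash), and the instance name vsrx1 in the generated command is an assumption.

```shell
#!/bin/sh
# Added example: validate a cloud-init user-data file for vSRX (marker line,
# fxp0, authentication, default route, no DHCP autoinstallation, size limit)
# and print the matching openstack server create command.
set -eu

# Write a constructed minimal user-data file to FILE (example data only).
write_sample() {
    cat > "$1" <<'EOF'
#junos-config
system {
    host-name vsrx-test;
    root-authentication {
        /* placeholder value for the example, not a real password hash */
        encrypted-password "$6$PLACEHOLDER-NOT-A-REAL-HASH";
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 192.0.2.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.0.2.1;
    }
}
EOF
}

# check_userdata FILE [MODE]  MODE: metadata (16 KB limit, the default) or
# configdrive (64 MB limit). Prints every problem found; returns 1 if any.
check_userdata() {
    f=$1 mode=${2:-metadata}
    rc=0
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # The marker must be the very first line or the configuration is not applied.
    [ "$(head -n 1 "$f")" = "#junos-config" ] || { echo "$f: first line must be #junos-config"; rc=1; }
    # Without fxp0, authentication and a default route the instance is inaccessible.
    grep -q 'fxp0' "$f"                || { echo "$f: no fxp0 management interface"; rc=1; }
    grep -q 'root-authentication' "$f" || { echo "$f: no root-authentication"; rc=1; }
    grep -q 'route 0\.0\.0\.0/0' "$f"  || { echo "$f: no default route"; rc=1; }
    # DHCP autoinstallation makes the user-data commit fail.
    if grep -q 'autoinstallation' "$f"; then echo "$f: remove autoinstallation"; rc=1; fi
    size=$(wc -c < "$f" | tr -d ' ')
    case "$mode" in
        metadata)    limit=16384 ;;
        configdrive) limit=$((64 * 1024 * 1024)) ;;
        *) echo "$f: unknown mode $mode"; return 1 ;;
    esac
    if [ "$size" -gt "$limit" ]; then
        if [ "$mode" = metadata ]; then
            # Over 16 KB the guide says to gzip the file and pass the .gz instead.
            echo "$f: $size bytes exceeds 16 KB; compressing to $f.gz"
            gzip -c "$f" > "$f.gz"
        else
            echo "$f: $size bytes exceeds the 64 MB configuration drive limit"; rc=1
        fi
    fi
    return $rc
}

# boot_cmd FILE IMAGE FLAVOR [MODE]: print the launch command for a checked
# file, switching to FILE.gz when check_userdata had to compress it.
boot_cmd() {
    f=$1 image=$2 flavor=$3 mode=${4:-metadata}
    [ "$mode" = metadata ] && [ -f "$f.gz" ] && f="$f.gz"
    drive=""
    [ "$mode" = configdrive ] && drive="--config-drive true "
    printf 'openstack server create %s--image %s --flavor %s --user-data %s vsrx1\n' \
        "$drive" "$image" "$flavor" "$f"
}
```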
SEE ALSO

Cloud-Init Documentation
OpenStack command-line clients
Compute service (nova) command-line client
Openstack Server Create
Enabling the configuration drive (configdrive)
Instances
Perform Automatic Setup of a vSRX Virtual Firewall Instance from the OpenStack Dashboard (Horizon)
Horizon is the canonical implementation of the OpenStack Dashboard. It provides a Web-based user interface to OpenStack services including Nova, Swift, Keystone, and so on. You can launch and manage a vSRX Virtual Firewall instance from the OpenStack Dashboard, which includes the use of a validated Junos OS configuration user-data file from your local directory to initialize the active configuration of the target vSRX Virtual Firewall instance.
To initiate the automatic setup of a vSRX Virtual Firewall instance from the OpenStack Dashboard:
1. If you have not done so already, create a configuration file with the Junos OS command syntax and save the file. The configuration file can be plain text or MIME file type text/plain. The user-data configuration file must contain the full vSRX Virtual Firewall configuration that is to be used as the active configuration on each vSRX Virtual Firewall instance, and the string #junos-config must be the first line of the user-data configuration file, before the Junos OS configuration.
NOTE: The #junos-config string is mandatory in the user-data configuration file; if it is not included, the configuration will not be applied to the vSRX Virtual Firewall instance as the active configuration.
2. Copy the Junos OS configuration file to an accessible location from where it can be retrieved to launch the vSRX Virtual Firewall instance.
3. Log in to the OpenStack Dashboard using your login credentials and then select the appropriate project from the drop-down menu at the top left.
4. On the Project tab, click the Compute tab and select Instances. The dashboard shows the various instances with its image name, its private and floating IP addresses, size, status, availability zone, task, power state, and so on.
5. Click Launch Instance. The Launch Instance dialog box appears.

6. From the Details tab (see Figure 5 on page 55), enter an instance name for the vSRX Virtual Firewall VM along with the associated availability zone (for example, Nova) and then click Next. We recommend that you keep this name the same as the hostname assigned to the vSRX Virtual Firewall VM.

Figure 5: Launch Instance Details Tab

7. From the Source tab (see Figure 6 on page 56), select a vSRX Virtual Firewall VM image source file from the Available list and then click + (plus sign). The selected vSRX Virtual Firewall image appears under Allocated. Click Next.

Figure 6: Launch Instance Source Tab

8. From the Flavor tab (see Figure 7 on page 57), select a vSRX Virtual Firewall instance with a specific compute, memory, and storage capacity from the Available list and then click + (plus sign). The selected vSRX Virtual Firewall flavor appears under Allocated. Click Next.

Figure 7: Launch Instance Flavor Tab

9. From the Networks tab (see Figure 8 on page 58), select the specific network of the vSRX Virtual Firewall instance from the Available list and then click + (plus sign). The selected network appears under Allocated. Click Next.

NOTE: Do not update any parameters in the Network Ports, Security Groups, or Key Pair tabs in the Launch Instance dialog box.

Figure 8: Launch Instance Networks Tab

10. From the Configuration tab (see Figure 9 on page 59), click Browse and navigate to the location of the validated Junos OS configuration file in your local directory that you want to use as the user-data file. Click Next.

Figure 9: Launch Instance Configuration Tab

11. Confirm that the loaded Junos OS configuration contains the #junos-config string in the first line of the user-data configuration file (see Figure 10 on page 60) and then click Next.

NOTE: Do not update any parameters in the Metadata tab of the Launch Instance dialog box.

Figure 10: Launch Instance Configuration Tab with Loaded Junos OS Configuration

12. Click Launch Instance. During the initial boot-up sequence, the vSRX Virtual Firewall instance processes the cloud-init request.

NOTE: The boot time for the vSRX Virtual Firewall instance might increase with the use of the cloud-init package. This additional time in the initial boot sequence is due to the operations performed by the cloud-init package. During this operation, the cloud-init package halts the boot sequence and performs a lookup for the configuration data in each data source identified in the cloud.cfg. The time required to look up and populate the cloud data is directly proportional to the number of data sources defined. In the absence of a data source, the lookup process continues until it reaches a predefined timeout of 30 seconds for each data source.

13. When the initial boot-up sequence resumes, the user-data file replaces the original factory-default Junos OS configuration loaded on the vSRX Virtual Firewall instance. If the commit succeeds, the factory-default configuration will be permanently replaced. If the configuration is not supported or cannot be applied to the vSRX Virtual Firewall instance, the vSRX Virtual Firewall will boot using the default Junos OS configuration.

SEE ALSO

Cloud-Init Documentation
OpenStack Dashboard
Launch and Manage Instances
Horizon: The OpenStack Dashboard Project

Release History Table

Release         Description
15.1X49-D130    Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, the cloud-init functionality in vSRX Virtual Firewall has been extended to support the use of a configuration drive data source in an OpenStack environment. The configuration drive uses the user-data attribute to pass a validated Junos OS configuration file to the vSRX Virtual Firewall instance.
15.1X49-D100    Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall image to help simplify configuring new vSRX Virtual Firewall instances operating in an OpenStack environment according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX Virtual Firewall instance.
CHAPTER 3
vSRX Virtual Firewall VM Management with KVM
IN THIS CHAPTER

Configure vSRX Virtual Firewall Using the CLI | 62
Connect to the vSRX Virtual Firewall Management Console on KVM | 64
Add a Virtual Network to a vSRX Virtual Firewall VM with KVM | 65
Add a Virtio Virtual Interface to a vSRX Virtual Firewall VM with KVM | 67
SR-IOV and PCI | 69
Upgrade a Multi-core vSRX Virtual Firewall | 78
Monitor the vSRX Virtual Firewall VM in KVM | 81
Manage the vSRX Virtual Firewall Instance on KVM | 82
Recover the Root Password for vSRX Virtual Firewall in a KVM Environment | 87
Configure vSRX Virtual Firewall Using the CLI
To configure the vSRX Virtual Firewall instance using the CLI:

1. Verify that the vSRX Virtual Firewall is powered on.

2. Log in as the root user. There is no password.

3. Start the CLI.

root# cli
root@>

4. Enter configuration mode.

configure
[edit]
root@#

5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).

[edit]
root@# set system root-authentication plain-text-password
New password: password
Retype new password: password

6. Configure the hostname.

[edit]
root@# set system host-name host-name

7. Configure the management interface.

[edit]
root@# set interfaces fxp0 unit 0 family inet dhcp-client

8. Configure the traffic interfaces.

[edit]
root@# set interfaces ge-0/0/0 unit 0 family inet dhcp-client

9. Configure basic security zones and bind them to traffic interfaces.

[edit]
root@# set security zones security-zone trust interfaces ge-0/0/0.0

10. Verify the configuration.

[edit]
root@# commit check
configuration check succeeds

11. Commit the configuration to activate it on the vSRX Virtual Firewall instance.

[edit]
root@# commit
commit complete

12. Optionally, use the show command to display the configuration to verify that it is correct.
NOTE: Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature. See Managing Licenses for vSRX for details.
RELATED DOCUMENTATION
CLI User Guide
Connect to the vSRX Virtual Firewall Management Console on KVM
Ensure that you have the virt-manager package or virsh installed on your host OS.

To connect to the vSRX Virtual Firewall management console using virt-manager:

1. Launch virt-manager.

2. Highlight the vSRX Virtual Firewall VM you want to connect to from the list of VMs displayed.

3. Click Open.

4. Select View>Text Consoles>Serial 1. The vSRX Virtual Firewall console appears.

To connect to the vSRX Virtual Firewall VM with virsh:

1. Use the virsh console command on the Linux host OS.

user@host# virsh console vSRX-kvm-2
Connected to domain vSRX-kvm-2

2. The vSRX Virtual Firewall console appears.
Add a Virtual Network to a vSRX Virtual Firewall VM with KVM
You can extend an existing vSRX Virtual Firewall VM to use additional virtual networks.

To create a virtual network with virt-manager:

1. Launch virt-manager and select Edit>Connection Details. The Connection details dialog box appears.

2. Select Virtual Networks. The list of existing virtual networks appears.

3. Click + to create a new virtual network for the control link. The Create a new virtual network wizard appears.

4. Set the subnet for this virtual network and click Forward.

5. Optionally, select Enable DHCP and click Forward.

6. Select the network type from the list and click Forward.

7. Verify the settings and click Finish to create the virtual network.

To create a virtual network with virsh:

1. On the host OS, create an XML file that defines the new virtual network and load it with the virsh net-define command. Include the XML fields described in Table 12 on page 66 to define this network.

NOTE: See the official virsh documentation for a complete description of available options, including how to configure IPv6 networks.

Table 12: virsh net-define XML Fields

Field                                           Description

<network> ... </network>                        XML wrapper element that defines a virtual network.

<name>net-name</name>                           Specify the virtual network name.

<bridge name="bridge-name"/>                    Specify the name of the host bridge used for this virtual network.

<forward mode="mode"/>                          Specify nat or route (routed mode). Omit the <forward> element for isolated mode.

<ip address="ip-address" netmask="netmask">     Specify the IP address and subnet mask used by this virtual network, along with the DHCP address range.
  <dhcp><range start="start" end="end"/></dhcp>
</ip>

The following example shows a sample XML file that defines a new virtual network named mgmt.

2. Use the virsh net-start command in the host OS to start the new virtual network.

hostOS# virsh net-start mgmt

3. Use the virsh net-autostart command in the host OS to automatically start the new virtual network when the host OS boots.

hostOS# virsh net-autostart mgmt

4. Optionally, use the virsh net-list --all command in the host OS to verify the new virtual network.

hostOS# virsh net-list --all
 Name       State    Autostart   Persistent
--------------------------------------------
 mgmt       active   yes         yes
 default    active   yes         yes
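The XML body for the mgmt network above is most useful when it is generated and checked rather than typed by hand. The following Python is an added example, not code from the Juniper guide or from libvirt: it assembles a <network> definition with the Table 12 fields (the bridge name virbr-mgmt, the 192.0.2.0/24 subnet, and the DHCP bounds are constructed values) and refuses a DHCP range that falls outside the subnet. Pass the resulting string to a file and load it with virsh net-define.

```python
"""Build and sanity-check a libvirt <network> definition for virsh net-define.

Added example with constructed values; not part of the vSRX guide.
"""
import ipaddress
import xml.etree.ElementTree as ET


def build_network_xml(name, bridge, cidr, dhcp_start, dhcp_end, mode="nat"):
    """Return the <network> XML string.

    mode: "nat", "route" (the libvirt spelling of routed mode), or None for
    an isolated network, which has no <forward> element at all.
    """
    net = ipaddress.ip_network(cidr)
    # The host side of the bridge takes the first usable address (assumption).
    host_addr = net.network_address + 1
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    for a in (start, end):
        if a not in net:
            raise ValueError(f"DHCP bound {a} is outside {cidr}")
    if start > end:
        raise ValueError("DHCP range start is after its end")
    if mode is not None and mode not in ("nat", "route"):
        raise ValueError("forward mode must be nat or route")

    root = ET.Element("network")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "bridge", name=bridge)
    if mode is not None:
        ET.SubElement(root, "forward", mode=mode)
    ip = ET.SubElement(root, "ip", address=str(host_addr), netmask=str(net.netmask))
    dhcp = ET.SubElement(ip, "dhcp")
    ET.SubElement(dhcp, "range", start=str(start), end=str(end))
    return ET.tostring(root, encoding="unicode")


def parse_network_xml(xml_text):
    """Read the definition back so a reviewer can diff intent against the file."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    ip = root.find("ip")
    rng = ip.find("dhcp/range")
    return {
        "name": root.findtext("name"),
        "bridge": root.find("bridge").get("name"),
        "mode": fwd.get("mode") if fwd is not None else "isolated",
        "address": ip.get("address"),
        "netmask": ip.get("netmask"),
        "dhcp": (rng.get("start"), rng.get("end")),
    }


if __name__ == "__main__":
    print(build_network_xml("mgmt", "virbr-mgmt", "192.0.2.0/24",
                            "192.0.2.100", "192.0.2.200"))
```

A NAT-mode network keeps the fxp0 management interface off the physical LAN, reachable only from the host; use route mode only when the management subnet is meant to be reachable from elsewhere.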

RELATED DOCUMENTATION
virt tools
Add a Virtio Virtual Interface to a vSRX Virtual Firewall VM with KVM
You can add additional virtio virtual interfaces to an existing vSRX Virtual Firewall VM with KVM.

To add additional virtio virtual interfaces to a vSRX Virtual Firewall VM using virt-manager:

1. In virt-manager, double-click the vSRX Virtual Firewall VM and select View>Details. The vSRX Virtual Firewall Virtual Machine details dialog box appears.

2. Click Add Hardware. The Add Hardware dialog box appears.

3. Select Network from the left navigation panel.

4. Select the host device or virtual network on which you want this new virtual interface from the Network source list.

5. Select virtio from the Device model list and click Finish.

6. From the vSRX Virtual Firewall console, reboot the vSRX Virtual Firewall instance.

vsrx> request system reboot

vSRX Virtual Firewall reboots both Junos OS and the vSRX Virtual Firewall guest VM.
NOTE: DPDK places a limit of 64 MAC addresses on the Virtio NIC type. When deploying a protocol that generates an additional MAC address, for example VRRP, you must ensure that no more than 64 sub-interfaces are configured per Virtio NIC to avoid traffic loss.
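The 64-address limit in the note is easy to exceed once a virtio port carries many VLAN units and VRRP groups. The following Python is an added example, not code from the Juniper guide: it scans a Junos configuration in set format and reports any ge- interface whose logical units plus VRRP groups exceed the budget. Counting each unit and each VRRP group as one potential MAC consumer is this example's conservative reading of the note, and the sample configuration is constructed.

```python
"""Flag virtio NICs whose unit/VRRP count exceeds the 64-MAC DPDK limit.

Added example with a constructed set-format config; not from the vSRX guide.
"""
import re
from collections import defaultdict

MAX_MACS_PER_VIRTIO_NIC = 64  # limit stated in the note above

UNIT_RE = re.compile(r"^set interfaces (ge-\d+/\d+/\d+) unit (\d+)\b(.*)$")
VRRP_RE = re.compile(r"family inet address \S+ vrrp-group (\d+)")


def virtio_mac_demand(config_lines):
    """Return {interface: (unit_count, vrrp_group_count)}."""
    units = defaultdict(set)
    vrrp = defaultdict(set)
    for line in config_lines:
        m = UNIT_RE.match(line.strip())
        if not m:
            continue
        ifd, unit, rest = m.group(1), int(m.group(2)), m.group(3)
        units[ifd].add(unit)
        v = VRRP_RE.search(rest)
        if v:
            vrrp[ifd].add((unit, int(v.group(1))))
    return {ifd: (len(units[ifd]), len(vrrp[ifd])) for ifd in units}


def over_limit(config_lines, limit=MAX_MACS_PER_VIRTIO_NIC):
    """Interfaces whose units plus VRRP groups exceed the per-NIC MAC budget."""
    return sorted(ifd for ifd, (u, v) in virtio_mac_demand(config_lines).items()
                  if u + v > limit)


def sample_config():
    """Constructed config: ge-0/0/0 carries 70 VLAN units (too many);
    ge-0/0/1 carries 60 units and 3 VRRP groups (63, within budget)."""
    lines = ["set interfaces ge-0/0/0 vlan-tagging",
             "set interfaces ge-0/0/1 vlan-tagging"]
    for unit in range(70):
        lines.append(f"set interfaces ge-0/0/0 unit {unit} vlan-id {unit + 100}")
        lines.append(f"set interfaces ge-0/0/0 unit {unit} family inet address 10.{unit}.0.1/24")
    for unit in range(60):
        lines.append(f"set interfaces ge-0/0/1 unit {unit} vlan-id {unit + 200}")
        lines.append(f"set interfaces ge-0/0/1 unit {unit} family inet address 172.20.{unit}.1/24")
    for unit in range(3):
        lines.append(f"set interfaces ge-0/0/1 unit {unit} family inet address "
                     f"172.16.{unit}.2/24 vrrp-group {unit} virtual-address 172.16.{unit}.1")
    return lines


if __name__ == "__main__":
    for ifd, (u, v) in sorted(virtio_mac_demand(sample_config()).items()):
        print(f"{ifd}: {u} units, {v} VRRP groups")
    print("over limit:", over_limit(sample_config()))
```

Run it against the output of show configuration | display set taken from the instance; anything it lists is a port on which traffic loss should be expected until units are moved to another virtio NIC or to an SR-IOV VF.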
To add additional virtio virtual interfaces to a vSRX Virtual Firewall VM using virsh:

1. Use the virsh attach-interface command on the host OS with the mandatory options listed in Table 13 on page 68.

NOTE: See the official virsh documentation for a complete description of available options.

Table 13: virsh attach-interface Options

Command Option        Description

--domain name         Specify the name of the guest VM.

--type                Specify the host OS connection type as bridge or network.

--source interface    Specify the physical or logical interface on the host OS to associate with this vNIC.

--target vnic         Specify the name for the new vNIC.

--model               Specify the vNIC model.

The following example creates a new virtio vNIC from the host OS virbr0 bridge.

user@host# virsh attach-interface --domain vsrxVM --type bridge --source virbr0 --target vsrxmgmt --model virtio
Interface attached successfully

user@host# virsh dumpxml vsrxVM

2. From the vSRX Virtual Firewall console, reboot the vSRX Virtual Firewall instance.

vsrx> request system reboot

vSRX Virtual Firewall reboots both Junos OS and the vSRX Virtual Firewall guest VM.

RELATED DOCUMENTATION
virt tools

SR-IOV and PCI

IN THIS SECTION
SR-IOV Overview | 69
SR-IOV HA Support with Trust Mode Disabled (KVM only) | 70
Configure an SR-IOV Interface on KVM | 74

This section includes the following topics on SR-IOV for a vSRX Virtual Firewall instance deployed on KVM:

SR-IOV Overview

vSRX Virtual Firewall on KVM supports single-root I/O virtualization (SR-IOV) interface types. SR-IOV is a standard that allows a single physical NIC to present itself as multiple vNICs, or virtual functions (VFs), that a virtual machine (VM) can attach to. SR-IOV combines with other virtualization technologies, such as Intel VT-d, to improve the I/O performance of the VM. SR-IOV allows each VM to have direct access to packets queued up for the VFs attached to the VM. You use SR-IOV when you need I/O performance that approaches that of the physical bare metal interfaces.

In deployments using SR-IOV interfaces, packets are dropped when a MAC address is assigned to a vSRX Virtual Firewall Junos OS interface. This issue occurs because SR-IOV does not allow MAC address changes in either the PF or the VF.

NOTE: SR-IOV in KVM does not remap interface numbers. The interface sequence in the vSRX Virtual Firewall VM XML file matches the interface sequence shown in the Junos OS CLI on the vSRX Virtual Firewall instance.

SR-IOV uses two PCI functions:

· Physical Functions (PFs): Full PCIe devices that include SR-IOV capabilities. Physical Functions are discovered, managed, and configured as normal PCI devices. Physical Functions configure and manage the SR-IOV functionality by assigning Virtual Functions. When SR-IOV is disabled, the host creates a single PF on one physical NIC.

· Virtual Functions (VFs): Simple PCIe functions that only process I/O. Each Virtual Function is derived from a Physical Function. The number of Virtual Functions a device may have is limited by the device hardware. A single Ethernet port, the Physical Device, may map to many Virtual Functions that can be shared to guests. When SR-IOV is enabled, the host creates a single PF and multiple VFs on one physical NIC. The number of VFs depends on the configuration and driver support.
SR-IOV HA Support with Trust Mode Disabled (KVM only)
IN THIS SECTION
Understand SR-IOV HA Support with Trust Mode Disabled (KVM only) | 70
Configure SR-IOV support with Trust Mode Disabled (KVM only) | 72
Limitations | 73
Understand SR-IOV HA Support with Trust Mode Disabled (KVM only)
A Redundant Ethernet Interface (RETH) is a virtual interface consisting of an equal number of member interfaces from each participating node of an SRX cluster. All logical configurations such as IP address, QoS, zones, and VPNs are bound to this interface. Physical properties are applied to the member or child interfaces. A RETH interface has a virtual MAC address which is calculated using the cluster ID. RETH has been implemented as an aggregated interface/LAG in Junos OS. For a LAG, the parent (logical) IFD's MAC address is copied to each of the child interfaces. When you configure the child interface under the RETH interface, the RETH interface's virtual MAC overwrites the current MAC address field of the child physical interface. This also requires the virtual MAC address to be programmed on the corresponding NIC.
Junos OS runs as a VM on vSRX Virtual Firewall. Junos OS does not have direct access to the NIC and only has a virtual NIC access provided by the hypervisor which might be shared with other VMs running on the same host machine. This virtual access comes with certain restrictions such as a special mode called trust mode, which is required to program a virtual MAC address on the NIC. During deployments, providing the trust mode access might not be feasible because of possible security issues. To enable RETH model to work in such environments, MAC rewrite behavior is modified. Instead of copying the parent virtual MAC address to the children, we keep the children’s physical MAC address intact and copy the physical MAC address of the child belonging to the active node of the cluster to the current MAC of the reth interface. This way, MAC rewrite access is not required when trust mode is disabled.
In case of vSRX Virtual Firewall, the DPDK reads the physical MAC address provided by the hypervisor and shares it with the Junos OS control plane. In standalone mode, this physical MAC address is programmed on the physical IFDs. But the support for the same is unavailable in cluster mode, because of which the MAC address for the physical interface is taken from the Juniper reserved MAC pool. In an environment where trust mode is not feasible, the hypervisor is unable to provide the physical MAC address.
To overcome this problem, we have added support to use the hypervisor provided physical MAC address instead of allocating it from the reserved MAC pool. See “Configure SR-IOV support with Trust Mode Disabled (KVM only)” on page 72.

Figure 11: Copying MAC address from active child interface to parent RETH

Configure SR-IOV support with Trust Mode Disabled (KVM only)

Starting in Junos OS Release 19.4R1, SR-IOV HA is supported with trust mode disabled. You can enable this mode by configuring the use-active-child-mac-on-reth and use-actual-mac-on-physical-interfaces configuration statements at the [edit chassis cluster] hierarchy level. If you configure these statements in a cluster, the hypervisor assigns the child physical interface's MAC address, and the parent RETH interface's MAC address is overwritten by the active child physical interface's MAC address.

NOTE: You can configure SR-IOV with trust mode disabled only if the revenue interfaces are SR-IOV. The fabric interfaces or links cannot use SR-IOV with trust mode disabled when the actual MAC addresses of the physical interfaces are configured. You need to reboot the vSRX Virtual Firewall instance to enable this mode, and both nodes in the cluster need to be rebooted for the statements to take effect. You need to configure the use-active-child-mac-on-reth and use-actual-mac-on-physical-interfaces statements together to enable this feature.

SEE ALSO
use-active-child-mac-on-reth
use-actual-mac-on-physical-interfaces
Limitations
SR-IOV HA support with trust mode disabled on KVM has the following limitations:
· SR-IOV HA support with trust mode disabled is only supported on KVM-based systems.

· A reth interface can have at most one port as a member on each vSRX Virtual Firewall cluster node.

· You cannot use the security nat proxy-arp feature for NAT pools because no G-ARP is sent out on failover for the IP addresses in NAT pools. Instead, you can set the routes to the NAT pool range in the upstream router to point to the vSRX Virtual Firewall reth interface's IP address as the next hop. Or, if directly connected hosts need to access the NAT pool addresses, these NAT pool addresses can be configured for proxy ARP under the reth interface.

· If the reth interface is configured with many VLANs, it might take some time to send all the G-ARPs on a failover. This might lead to a noticeable interruption in traffic.

· A dataplane failover results in a change of the MAC address of the reth interface. Therefore the failover is not transparent to directly connected neighboring Layer 3 devices (routers or servers). The vSRX Virtual Firewall reth IP address must be mapped to a new MAC address in the ARP table on the neighboring devices. vSRX Virtual Firewall sends out a G-ARP to help these devices update. If a neighboring device does not act on the G-ARP received from the vSRX Virtual Firewall or responds slowly, traffic might be interrupted until that device updates its ARP table correctly.
· The following vSRX Virtual Firewall features are not supported in deployments that use SR-IOV interfaces. These limitations apply in deployments where the PF drivers cannot be updated or controlled; they do not apply when vSRX Virtual Firewall is deployed on supported Juniper Networks devices.

  · High availability (HA)
  · IRB interfaces
  · IPv6 addressing
  · Jumbo frames
  · Layer 2 support
  · Multicast with other features such as OSPF and IPv6
  · Packet mode
Configure an SR-IOV Interface on KVM
If you have a physical NIC that supports SR-IOV, you can attach SR-IOV-enabled vNICs or virtual functions (VFs) to the vSRX Virtual Firewall instance to improve performance. We recommend that if you use SR-IOV, all revenue ports are configured as SR-IOV.
Note the following about SR-IOV support for vSRX Virtual Firewall on KVM:
· Starting in Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1, a vSRX Virtual Firewall instance deployed on KVM supports SR-IOV on an Intel X710/XL710 NIC in addition to Intel 82599 or X520/540.
· Starting in Junos OS Release 18.1R1, a vSRX Virtual Firewall instance deployed on KVM supports SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 Family Adapters.
NOTE: See the vSRX Virtual Firewall Performance Scale Up discussion in Understand vSRX with KVM for the vSRX Virtual Firewall scale up performance when deployed on KVM, based on vNIC and the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM.
Before you can attach an SR-IOV enabled VF to the vSRX Virtual Firewall instance, you must complete the following tasks:

· Insert an SR-IOV-capable physical network adapter in the host server.

· Enable the Intel VT-d CPU virtualization extensions in the BIOS on your host server. The Intel VT-d extensions provide hardware support for directly assigning physical devices to a guest. Verify the process with the vendor because different systems have different methods to enable VT-d.

· Ensure that SR-IOV is enabled at the system/server BIOS level by going into the BIOS settings during the host server boot-up sequence to confirm the SR-IOV setting. Different server manufacturers have different naming conventions for the BIOS parameter used to enable SR-IOV at the BIOS level. For example, for a Dell server ensure that the SR-IOV Global Enable option is set to Enabled.

NOTE: We recommend that you use virt-manager to configure SR-IOV interfaces. See the virsh attach-device command documentation if you want to learn how to add a PCI host device to a VM with the virsh CLI commands. Also, you must configure the interfaces in the order of 1G, 10G, 40G, and 100G. If this order is not followed, then you need to reset the network adapters.

To add an SR-IOV VF to a vSRX Virtual Firewall VM using the virt-manager graphical interface:

1. In the Junos OS CLI, shut down the vSRX Virtual Firewall VM if it is running.

vsrx> request system power-off

2. In virt-manager, double-click the vSRX Virtual Firewall VM and select View>Details. The vSRX Virtual Firewall Virtual Machine details dialog box appears.

3. Select the Hardware tab, then click Add Hardware. The Add Hardware dialog box appears.

4. Select PCI Host Device from the Hardware list on the left.

5. Select the SR-IOV VF for this new virtual interface from the host device list.

6. Click Finish to add the new device. The setup is complete and the vSRX Virtual Firewall VM now has direct access to the device.

7. From the virt-manager icon bar at the upper-left side of the window, click the Power On arrow. The vSRX Virtual Firewall VM starts. Once the vSRX Virtual Firewall is powered on, the Running status is displayed in the window. You can connect to the management console to watch the boot-up sequence.

NOTE: After the boot starts, you need to select View>Text Consoles>Serial 1 in virt-manager to connect to the vSRX Virtual Firewall console.
To add an SR-IOV VF to a vSRX Virtual Firewall VM using virsh CLI commands:

1. Define four virtual functions for the eno2 interface by writing the number 4 to its sriov_numvfs file, then read the file back to confirm.

root@LabHost:~# echo 4 > /sys/class/net/eno2/device/sriov_numvfs
root@LabHost:~# more /sys/class/net/eno2/device/sriov_numvfs

2. Identify the device. Identify the PCI device designated for assignment to the virtual machine. Use the lspci command to list the available PCI devices; you can refine the output of lspci with grep. Use the lspci output to find the VF number that corresponds to the VF ID.

root@kvmsrv:~# lspci | grep Ether
......
83:00.0 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 02) - Physical Function
83:00.1 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 02) - Physical Function
83:02.0 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.1 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.2 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.3 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.4 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.5 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.6 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.7 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.0 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.1 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.2 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.3 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.4 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.5 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.6 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:0a.7 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
.........

3. Add the SR-IOV device assignment to the vSRX Virtual Firewall XML profile on KVM and review the device information. The driver can be either vfio or kvm, depending on the KVM server OS/kernel version and its drivers for virtualization support. The address type references the unique PCI slot number for each SR-IOV VF (Virtual Function). Information on the domain, bus, and function is available from the output of the virsh nodedev-dumpxml command.

4. Add the PCI device in the edit settings and select the VF according to the VF number.

NOTE: This operation should be done when the VM is powered off. Also, do not clone VMs with PCI devices, because cloning might lead to VF or MAC conflicts.

5. Start the VM with the virsh start vm-name command.
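Steps 2 through 4 above turn an lspci line into a <hostdev> device assignment, and the note warns about VF conflicts between cloned VMs. The following Python is an added example, not code from the Juniper guide or from libvirt: it parses lspci output (the sample is a trimmed copy of the listing shown above), emits the <hostdev> element for one VF in the form virsh attach-device accepts, and checks a set of domain XML documents for the same VF assigned twice. Treating lspci order as VF order is this example's assumption; the authoritative mapping is the virtfnN links under the PF's sysfs directory.

```python
"""Turn lspci VF listings into libvirt <hostdev> assignments and detect
VFs assigned to more than one domain.

Added example; the sample lspci text is constructed from the listing above.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_LSPCI = """\
83:00.0 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 02) - Physical Function
83:00.1 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 02) - Physical Function
83:02.0 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.1 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.2 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
83:02.3 Ethernet controller: Intel Corporation Ethernet Virtual Function 700 Series (rev 02)
"""

# lspci prints [domain:]bus:slot.function followed by the description.
BDF_RE = re.compile(r"^(?:([0-9a-f]{4}):)?([0-9a-f]{2}):([0-9a-f]{2})\.([0-7])\s+(.*)$")


def parse_lspci(text):
    """Yield (domain, bus, slot, function, description) tuples."""
    for line in text.splitlines():
        m = BDF_RE.match(line.strip())
        if m:
            dom, bus, slot, fn, desc = m.groups()
            yield (int(dom or "0", 16), int(bus, 16), int(slot, 16), int(fn, 16), desc)


def virtual_functions(text):
    """SR-IOV VFs in lspci order (assumed to be VF 0, VF 1, ... on the PF)."""
    return [dev for dev in parse_lspci(text) if "Virtual Function" in dev[4]]


def hostdev_xml(dev, driver="vfio"):
    """<hostdev> element assigning one VF; driver is vfio or kvm as in step 3."""
    if driver not in ("vfio", "kvm"):
        raise ValueError("driver must be vfio or kvm")
    dom, bus, slot, fn, _ = dev
    host = ET.Element("hostdev", mode="subsystem", type="pci", managed="yes")
    ET.SubElement(host, "driver", name=driver)
    src = ET.SubElement(host, "source")
    ET.SubElement(src, "address", domain=f"0x{dom:04x}", bus=f"0x{bus:02x}",
                  slot=f"0x{slot:02x}", function=f"0x{fn:x}")
    return ET.tostring(host, encoding="unicode")


def hostdev_address(xml_text):
    """(domain, bus, slot, function) read back from a <hostdev> string."""
    a = ET.fromstring(xml_text).find("source/address")
    return tuple(int(a.get(k), 16) for k in ("domain", "bus", "slot", "function"))


def vf_conflicts(domain_xmls):
    """VF addresses present in more than one domain XML (the cloning hazard
    from the note above). domain_xmls maps VM name -> virsh dumpxml output."""
    owner, dup = {}, set()
    for name, xml_text in domain_xmls.items():
        root = ET.fromstring(xml_text)
        for a in root.iterfind("devices/hostdev/source/address"):
            key = tuple(int(a.get(k), 16) for k in ("domain", "bus", "slot", "function"))
            if key in owner and owner[key] != name:
                dup.add(key)
            owner.setdefault(key, name)
    return sorted(dup)


if __name__ == "__main__":
    for vf in virtual_functions(SAMPLE_LSPCI):
        print(hostdev_xml(vf))
```

Feed vf_conflicts the virsh dumpxml output of every defined domain on the host before starting a new VM; a non-empty result means two guests would contend for one VF.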

Release History Table

Release         Description

18.1R1          Starting in Junos OS Release 18.1R1, a vSRX Virtual Firewall instance deployed on KVM supports SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 Family Adapters.

15.1X49-D90     Starting in Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1, a vSRX Virtual Firewall instance deployed on KVM supports SR-IOV on an Intel X710/XL710 NIC in addition to Intel 82599 or X520/540.

RELATED DOCUMENTATION
Requirements for vSRX Virtual Firewall on KVM | 7
Intel SR-IOV Explanation
PCI-SIG SR-IOV Primer
SR-IOV Intel - SR-IOV Configuration Guide
Red Hat - SR-IOV - PCI Devices

Upgrade a Multi-core vSRX Virtual Firewall

IN THIS SECTION
Configure the Queue Value for vSRX Virtual Firewall VM with KVM | 78
Shutdown the vSRX Virtual Firewall Instance with virt-manager | 79
Upgrade vSRX Virtual Firewall with virt-manager | 79

Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, you can use virt-manager to scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs or the amount of vRAM allocated to the vSRX Virtual Firewall. See Requirements for vSRX on KVM for the software requirement specifications for a vSRX Virtual Firewall VM. See your host OS documentation for complete details on the virt-manager package.
NOTE: You cannot scale down the number of vCPUs or decrease the amount of vRAM for an existing vSRX Virtual Firewall VM.
Configure the Queue Value for vSRX Virtual Firewall VM with KVM
Before you plan to scale up vSRX Virtual Firewall performance, modify the vSRX Virtual Firewall VM XML file to configure network multi-queuing as a means to support an increased number of dataplane vCPUs for the vSRX Virtual Firewall VM. This setting updates the libvirt driver to enable multi-queue virtio-net so that network performance can scale as the number of dataplane vCPUs increases.

Multiqueue virtio is an approach that enables the processing of packet sending and receiving to be scaled to the number of available virtual CPUs (vCPUs) of a guest, through the use of multiple queues. The configuration of multi-queue virtio-net, however, can only be performed in the XML file. OpenStack does not support multi-queue.

To update the queue, at the <driver name='vhost' queues='x'/> line in the vSRX Virtual Firewall VM XML file, match the number of queues with the number of dataplane vCPUs you plan to configure for the vSRX Virtual Firewall VM. The default is 4 dataplane vCPUs, but you can scale that number to 4, 8, or 16 vCPUs.

The following XML file example configures 8 queues for a vSRX Virtual Firewall VM with 8 dataplane vCPUs:
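Editing the queues attribute by hand on every virtio interface of a domain is error-prone, and a mismatch between queues and dataplane vCPUs silently caps throughput. The following Python is an added example, not code from the Juniper guide or from libvirt: it takes a domain XML document (the sample, with bridges virbr0 and virbr1, is constructed), sets <driver name='vhost' queues='N'/> on each virtio-model interface to the dataplane vCPU count, leaves SR-IOV hostdev interfaces alone, and reports interfaces whose queue count does not match. The accepted dataplane vCPU values are the 4, 8, and 16 named in the text above.

```python
"""Set and audit multi-queue virtio-net queues in a libvirt domain XML.

Added example; the domain XML below is constructed, not a vSRX profile.
"""
import xml.etree.ElementTree as ET

SUPPORTED_DATAPLANE_VCPUS = (4, 8, 16)  # values the text above allows

SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>vsrx-example</name>
  <devices>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='virbr1'/>
      <model type='virtio'/>
      <driver name='vhost' queues='4'/>
    </interface>
    <interface type='hostdev' managed='yes'>
      <source><address type='pci' domain='0x0000' bus='0x83' slot='0x02' function='0x0'/></source>
    </interface>
  </devices>
</domain>
"""


def _virtio_interfaces(root):
    for iface in root.iterfind("devices/interface"):
        model = iface.find("model")
        if model is not None and model.get("type") == "virtio":
            yield iface


def set_virtio_queues(domain_xml, dataplane_vcpus):
    """Return domain XML with <driver name='vhost' queues='N'/> on every
    virtio-model interface; hostdev (SR-IOV) interfaces are left untouched."""
    if dataplane_vcpus not in SUPPORTED_DATAPLANE_VCPUS:
        raise ValueError(f"dataplane vCPUs must be one of {SUPPORTED_DATAPLANE_VCPUS}")
    root = ET.fromstring(domain_xml)
    for iface in _virtio_interfaces(root):
        drv = iface.find("driver")
        if drv is None:
            drv = ET.SubElement(iface, "driver")
        drv.set("name", "vhost")
        drv.set("queues", str(dataplane_vcpus))
    return ET.tostring(root, encoding="unicode")


def queue_counts(domain_xml):
    """[(source name, queues)] per virtio interface; None when no queues set."""
    root = ET.fromstring(domain_xml)
    out = []
    for iface in _virtio_interfaces(root):
        src = iface.find("source")
        name = src.get("bridge") or src.get("network") or "?"
        drv = iface.find("driver")
        queues = int(drv.get("queues")) if drv is not None and drv.get("queues") else None
        out.append((name, queues))
    return out


def mismatched_interfaces(domain_xml, dataplane_vcpus):
    """Virtio interfaces whose queue count differs from the dataplane vCPUs."""
    return [name for name, q in queue_counts(domain_xml) if q != dataplane_vcpus]


if __name__ == "__main__":
    print(set_virtio_queues(SAMPLE_DOMAIN_XML, 8))
```

Run queue_counts against virsh dumpxml output after editing: every virtio interface should report the same number you plan to use for dataplane vCPUs, and the VM must be fully shut down (next section) before the edited XML is defined.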

Shutdown the vSRX Virtual Firewall Instance with virt-manager

In situations where you want to edit and modify the vSRX Virtual Firewall VM XML file, you need to completely shut down vSRX Virtual Firewall and the associated VM.

To gracefully shut down the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to power off.

3. Select Open to open a console window to the vSRX Virtual Firewall instance.

4. From the vSRX Virtual Firewall console, power off the vSRX Virtual Firewall instance.

vsrx> request system power-off

5. From virt-manager, select Shut Down to completely shut down the VM so you can edit the XML file.

NOTE: Do not use Force Reset or Force Off on any active VM, as it may create file corruptions.

Upgrade vSRX Virtual Firewall with virt-manager

You must shut down the vSRX Virtual Firewall VM before you can update vCPU or vRAM values for the VM. You can upgrade and launch vSRX Virtual Firewall with the KVM virt-manager GUI package.

To scale up a vSRX Virtual Firewall VM with virt-manager to a higher number of vCPUs or to an increased amount of vRAM:

1. On your host OS, type virt-manager. The Virtual Machine Manager appears. See Figure 12 on page 80.

NOTE: You must have admin rights on the host OS to use virt-manager.

Figure 12: virt-manager

2. Select Open to open the powered down vSRX Virtual Firewall VM and select Edit Hardware Details to open the virtual machine details window.

3. Select Processor and set the number of vCPUs. Click Apply.

4. Select Memory and set the vRAM to the desired size. Click Apply.

5. Click Power On. The VM manager launches the vSRX Virtual Firewall VM with the new vCPU and vRAM settings.

NOTE: vSRX Virtual Firewall scales down to the closest supported value if the vCPU or vRAM settings do not match what is currently available.

Release History Table

Release         Description

15.1X49-D70     Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, you can use virt-manager to scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs or the amount of vRAM allocated to the vSRX Virtual Firewall.

RELATED DOCUMENTATION
Understand vSRX Virtual Firewall with KVM | 2
Requirements for vSRX Virtual Firewall on KVM | 7
Installing a virtual machine using virt-install

Monitor the vSRX Virtual Firewall VM in KVM

You can monitor the overall state of the vSRX Virtual Firewall VM with virt-manager or virsh.

To monitor the vSRX Virtual Firewall VM with virt-manager:

1. From the virt-manager GUI, select the vSRX Virtual Firewall VM you want to monitor.

2. Select View>Graph and select the statistics you want to monitor. Options include CPU, memory, disk I/O, and network interface statistics. The window updates with thumbnail graphs for the statistics you selected.

3. Optionally, double-click on the thumbnail graph to expand the view.

To monitor the vSRX Virtual Firewall VM with virsh, use the commands listed in Table 14 on page 81.

Table 14: virsh Monitor Commands

Command                                   Description

virsh cpu-stats vm-name                   Lists the CPU statistics for the VM.

virsh domifstat vm-name interface-name    Displays the vNIC statistics for the VM.

virsh dommemstat vm-name                  Displays memory statistics for the VM.

virsh vcpuinfo vm-name                    Displays vCPU details for the VM.

virsh nodecpustats                        Displays CPU statistics for the host OS.

RELATED DOCUMENTATION
virt tools

Manage the vSRX Virtual Firewall Instance on KVM

IN THIS SECTION
Power On the vSRX Virtual Firewall Instance with virt-manager | 82
Power On the vSRX Virtual Firewall Instance with virsh | 82
Pause the vSRX Virtual Firewall Instance with virt-manager | 83
Pause the vSRX Virtual Firewall Instance with virsh | 83
Rebooting the vSRX Virtual Firewall Instance with virt-manager | 83
Reboot the vSRX Virtual Firewall Instance with virsh | 83
Power Off the vSRX Virtual Firewall Instance with virt-manager | 84
Power Off the vSRX Virtual Firewall Instance with virsh | 84
Shutdown the vSRX Virtual Firewall Instance with virt-manager | 85
Shutdown the vSRX Virtual Firewall Instance with virsh | 85
Remove the vSRX Virtual Firewall Instance with virsh | 86
Each vSRX Virtual Firewall instance is an independent VM that you can power on, pause, or shut down. You can manage the vSRX Virtual Firewall VM with multiple tools, including virt-manager and virsh.
Power On the vSRX Virtual Firewall Instance with virt-manager
To power on the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to power on.

3. From the icon bar, select the power on arrow. The vSRX Virtual Firewall VM starts. You can connect to the management console to watch the boot-up sequence.

NOTE: After the boot starts, you need to select View>Text Consoles>Serial 1 in virt-manager to connect to the vSRX Virtual Firewall console.
Power On the vSRX Virtual Firewall Instance with virsh
To power on the vSRX Virtual Firewall instance with virsh, use the virsh start command on the host OS to start a vSRX Virtual Firewall VM.

user@host# virsh start vSRX-kvm-2
Domain vSRX-kvm-2 started
Pause the vSRX Virtual Firewall Instance with virt-manager
To pause the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to pause.

3. From the icon bar, select the pause icon. The vSRX Virtual Firewall VM pauses.

Pause the vSRX Virtual Firewall Instance with virsh

To pause the vSRX Virtual Firewall instance with virsh, use the virsh suspend command on the host OS to pause a vSRX Virtual Firewall VM.

user@host# virsh suspend vSRX-kvm-2
Domain vSRX-kvm-2 suspended
Rebooting the vSRX Virtual Firewall Instance with virt-manager
To reboot the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to reboot.

3. Select Open to open a console window to the vSRX Virtual Firewall instance.

4. From the vSRX Virtual Firewall console, reboot the vSRX Virtual Firewall instance.

vsrx> request system reboot

vSRX Virtual Firewall reboots both Junos OS and the vSRX Virtual Firewall guest VM.
Reboot the vSRX Virtual Firewall Instance with virsh
To reboot the vSRX Virtual Firewall VM with virsh:

1. Use the virsh console command on the host OS to connect to the vSRX Virtual Firewall VM.

2. On the vSRX Virtual Firewall console, use the request system reboot command to reboot Junos OS and the vSRX Virtual Firewall VM.

user@host# virsh console vSRX-kvm-2
Connected to domain vSRX-kvm-2

vsrx> request system reboot
Power Off the vSRX Virtual Firewall Instance with virt-manager
To power off the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to power off.

3. Select Open to open a console window to the vSRX Virtual Firewall instance.

4. From the vSRX Virtual Firewall console, power off the vSRX Virtual Firewall instance.

vsrx> request system power-off

vSRX Virtual Firewall powers off both Junos OS and the guest VM.
Power Off the vSRX Virtual Firewall Instance with virsh
To power off the vSRX Virtual Firewall instance with virsh:

1. Use the virsh console command on the host OS to connect to the vSRX Virtual Firewall VM.

2. On the vSRX Virtual Firewall console, use the request system power-off command to power off Junos OS and the vSRX Virtual Firewall VM.

user@host# virsh console vSRX-kvm-2
Connected to domain vSRX-kvm-2

vsrx> request system power-off
Shutdown the vSRX Virtual Firewall Instance with virt-manager
In situations where you want to edit and modify the vSRX Virtual Firewall VM XML file, you need to completely shut down vSRX Virtual Firewall and the associated VM.

To gracefully shut down the vSRX Virtual Firewall instance with virt-manager:

1. Launch virt-manager.

2. Check the vSRX Virtual Firewall instance you want to power off.

3. Select Open to open a console window to the vSRX Virtual Firewall instance.

4. From the vSRX Virtual Firewall console, power off the vSRX Virtual Firewall instance.

vsrx> request system power-off

5. From virt-
