vSRX VNF Configuration Settings
You can configure the vSRX VNF from Configuration > Network Services > Service Name > Overview > Service Configuration. Your service provider usually configures base settings for the virtual machine (VM) in which the virtualized network function (VNF) resides and you configure settings for the service, such as policies.
Note: A vSRX firewall virtualized network function (VNF) is always part of a service chain for a network service on a CPE device.
Use the information in the following tables to provide values for the available settings:
- Table 1 shows the settings you can configure for the virtual machine (VM) that contains the VNF.
Note: Your service provider usually configures the base settings and you should not need to change them.
- Table 2 shows the firewall settings you can configure.
- Table 3 shows the network address translation (NAT) settings you can configure.
- Table 4 shows the unified threat management (UTM) settings you can configure.
Table 1: Fields for the vSRX Base Settings
Field | Description |
---|---|
Host Name | For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no limit on the number of characters and accepts letters, numbers, and symbols. For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting. Example: vm-vsrx |
Loopback Address | Specify an IPv4 loopback address for the management interface of the VM. Example: 192.0.2.25 |
DNS Servers | Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers. Example: 192.0.2.35 |
NTP Servers | Specify the FQDNs or IP addresses of one or more NTP servers. Example: 192.0.2.45 |
Syslog Servers | Specify the FQDNs or IP addresses of one or more system log servers. Example: 192.0.2.55 |
Enable Re-filter | Select True to enable a stateless firewall filter that protects the Routing Engine from denial-of-service (DoS) attacks, or False to disable the filter, which leaves the Routing Engine exposed to DoS attacks. Example: True |
Enable Default Screens | For a cloud site, select True to enable the default screens security profile for the destination zone or False to disable default screening. You cannot configure this setting for an on-premise site. Example: False |
Time Zone | Specify the time zone for the VM. Example: UTC |
Right Interface | Specify the identifier of the VM interface that transmits data. For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting. Example: ge-0/0/1 |
Left Interface | Specify the identifier of the VM interface that receives data. For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting. Example: ge-0/0/0 |
SNMP Prefix List | If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for SNMP operations when it discovers the vSRX VNF. Example: 10.0.2.0/24 |
Ping Prefix List | If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for ping operations when it discovers the vSRX VNF. Example: 10.0.2.1/24 |
Space Servers | If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the Junos Space Virtual Appliances. Example: 10.0.2.50 |
Table 2: Fields for the vSRX Firewall Settings
Field | Description |
---|---|
Policy Name | Specify the name of the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols. Example: policy-1 |
Source Zone | Select the security zone from which packets originate. Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context. Example: left |
Destination Zone | Select the security zone to which packets are delivered. Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context. Example: right |
Source Address | Specify the source IP address prefixes that the network service uses as match criteria for incoming traffic. To add source addresses: Example: 10.0.2.30 |
Destination Address | Specify the destination IP address prefixes that the network service uses as match criteria for outgoing traffic. To add a destination address: Example: 192.0.2.0/24 |
Action | Select permit to transmit packets that match the rule or deny to drop packets that match the rule. Example: permit |
Application | Specify the applications to which the policy applies. The applications are based on protocols and ports. To specify applications: Example: |
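The following Python sketch is an added example, not part of the original documentation or of Juniper's software. It models how the Table 2 fields combine into one match: the context (source zone and destination zone), the address prefixes, and the application together select a flow, and the action decides it. The in-order, first-match evaluation, the deny result when no policy matches, the (protocol, port) encoding of applications, and policy-2 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    source_zone: str
    destination_zone: str
    source_addresses: tuple        # IP prefixes or single addresses
    destination_addresses: tuple
    applications: tuple            # (protocol, port) pairs: hypothetical encoding
    action: str                    # "permit" or "deny"

def _matches(address, prefixes):
    """True if address falls inside any of the configured prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def evaluate(policies, src_zone, dst_zone, src_ip, dst_ip, protocol, port):
    """Return (action, policy name) for a new flow.

    Assumptions: policies are checked in list order, the first match wins,
    and a flow that matches no policy in its context is denied.
    """
    for p in policies:
        if (p.source_zone, p.destination_zone) != (src_zone, dst_zone):
            continue                      # policy belongs to a different context
        if not _matches(src_ip, p.source_addresses):
            continue
        if not _matches(dst_ip, p.destination_addresses):
            continue
        if (protocol, port) not in p.applications:
            continue
        return p.action, p.name
    return "deny", None

# Constructed sample policies; policy-1 reuses the example values from Table 2.
POLICIES = [
    Policy("policy-1", "left", "right", ("10.0.2.30",), ("192.0.2.0/24",),
           (("tcp", 443),), "permit"),
    Policy("policy-2", "left", "right", ("10.0.2.0/24",), ("192.0.2.0/24",),
           (("tcp", 22),), "deny"),
]

if __name__ == "__main__":
    for flow in [("left", "right", "10.0.2.30", "192.0.2.10", "tcp", 443),
                 ("left", "right", "10.0.2.31", "192.0.2.10", "tcp", 443),
                 ("right", "left", "192.0.2.10", "10.0.2.30", "tcp", 443)]:
        print(flow, "->", evaluate(POLICIES, *flow))
```

A flow opened in the reverse context (right to left) matches neither policy, which shows why each direction needs its own rule when sessions can start from both zones.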
Table 3: Fields for the vSRX NAT Settings
Field | Guidelines |
---|---|
NAT Source Name | Specify the source IP address of packets that the policy rules match. Example: 10.0.2.2/24 |
NAT Destination Name | Specify the destination IP address of packets that the policy rules match. Example: 10.0.2.3/24 |
NAT policy settings | For information about the following policy settings, see the firewall policy settings in Table 2. |
Table 4: Fields for the vSRX UTM Settings
Field | Description |
---|---|
Antivirus | Select True to check for viruses in application layer traffic against a virus signature database. Select False to disable checking for viruses. Example: True |
Antispam | Select True to block spam e-mails or False to allow spam e-mails. Example: True |
Antispam Black List | Specify an address blacklist for local spam filtering. Blacklists contain e-mail addresses from which you do not want to receive messages. Note: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked. Example: john@example.net |
Antispam White List | Specify an address whitelist for local spam filtering. Whitelists contain e-mail addresses from which you want to receive messages. Note: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked. Example: user@example.net |
Antispam Action | Select the antispam action that you want the device to take when it detects spam: Example: block |
Content Filter | Select True to block different types of traffic based on the MIME type, file extension, protocol command, and embedded object type or False to permit these types of traffic. Example: True |
Content Filter Extensions | Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3 connections. Example: exe, pdf, js |
Content Filter Mime | Specify the MIME types to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3 connections. Example: application, exe |
Content Filter Protocol Commands | Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based on these commands. Example: put, mput |
Content Filter Content Type | Press and hold the Ctrl key and click one or more of the following types of content to specify filtering of traffic that is supported only for HTTP and is not covered by file extensions or MIME types: Example: activex, exe |
Content Filter Apply To | Press and hold the Ctrl key and click one or more of the following protocols in the drop-down list to specify filtering of traffic associated with these protocols: Example: http, ftp |
Webfilter | Select True to prevent access to specific websites and embedded object types or False to permit access to all websites. Example: True |
Web Filter Black List | Specify URLs to create a blacklist of websites to block. Note: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action. Example: |
Web Filter White List | Specify URLs to create a whitelist of websites that users can always access. With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL. The network service then looks up the URL to determine whether it is in the whitelist or blacklist based on its user-defined category. Note: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action. Example: www.example3.net |
Policy settings | For information about the following policy settings, see the firewall policy settings in Table 2. |