Security Profiles for Logical Systems
Security profiles for logical systems allow you to allocate resources. A security profile specifies the number of resources to allocate to the logical system to which it is bound. All system resources are allocated to the primary logical system, and the primary administrator allocates them to user logical systems using security profiles. For more information, see the following topics:
Understanding Logical Systems Security Profiles (Primary Administrators Only)
Logical systems allow you to virtually divide a supported SRX Series Firewall into multiple devices, isolating one from another, securing them from intrusion and attacks, and protecting them from faulty conditions outside their own contexts. To protect logical systems, security resources are configured in a manner similar to how they are configured for a discrete device. However, as the primary administrator, you must allocate the kinds and amounts of security resources to logical systems. The user logical system administrator then configures those resources within his or her own logical system.
An SRX Series Firewall running logical systems can be partitioned into user logical systems, an interconnect logical system, if desired, and the default primary logical system. When the system is initialized, the primary logical system is created at the root level. All system resources are assigned to it, effectively creating a default primary logical system security profile. To distribute security resources across logical systems, the primary administrator creates security profiles that specify the kinds and amounts of resources to be allocated to a logical system that the security profile is bound to. Only the primary administrator can configure security profiles and bind them to logical systems. The user logical system administrator configures these resources for his or her logical system.
Logical systems are defined largely by the resources allocated to them, including security components, interfaces, routing instances, static routes, and dynamic routing protocols. When the primary administrator configures a user logical system, he binds a security profile to it. Any attempt to commit a configuration for a user logical system without a security profile bound to it will fail.
This topic includes the following sections:
- Logical Systems Security Profiles
- How the System Assesses Resources Assignment and Use Across Logical Systems
- Cases: Assessments of Reserved Resources Assigned Through Security Profiles
Logical Systems Security Profiles
As primary administrator, you can configure a single security profile to assign resources to a specific logical system, use the same security profile for more than one logical system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series Firewall running logical systems. When you reach the limit, you must delete a security profile and commit the configuration change before you can create and commit another security profile. In many cases fewer security profiles are needed because you might bind a single security profile to more than one logical system.
Security profiles allow you to:
- Share the device's resources, including policies, zones, addresses and address books, flow sessions, and various forms of NAT, among all logical systems appropriately. You can dedicate various amounts of a resource to the logical systems and allow them to compete for use of the free resources.
- Protect against one logical system exhausting a resource that is required at the same time by other logical systems. Security profiles protect critical system resources and maintain a fair level of performance among user logical systems when the device is experiencing heavy traffic flow. They defend against one user logical system dominating the use of resources and depriving other user logical systems of them.
- Configure the device in a scalable way to allow for future creation of additional user logical systems.
You must delete a logical system’s security profile before you delete that logical system.
How the System Assesses Resources Assignment and Use Across Logical Systems
To provision a logical system with security resources, you, as a primary administrator, configure a security profile that specifies for each resource:
- A reserved quota that guarantees that the specified resource amount is always available to the logical system.
- A maximum allowed quota. If a logical system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available—that is, if they are not allocated to other logical systems. The maximum allowed quota specifies the portion of the free global resources that the logical system can use. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. Logical systems must compete for global resources.
If a reserved quota is not configured for a resource, the default value is 0. If a maximum allowed quota is not configured for a resource, the default value is the global system quota for the resource (global system quotas are platform-dependent). The primary administrator must configure appropriate maximum allowed quota values in the security profiles so that the maximum resource usage of a specific logical system does not negatively impact other logical systems configured on the device.
The system maintains a count of all allocated resources that are reserved, used, and made available again when a logical system is deleted. This count determines whether resources are available to use for new logical systems or to increase the amount of the resources allocated to existing logical systems through their security profiles.
When a user logical system is deleted, its reserved resource allocations are released for use by other logical systems.
Resources configured in security profiles are characterized as static modular resources or dynamic resources. For static resources, we recommend setting a maximum quota for a resource equal or close to the amount specified as its reserved quota, to allow for scalable configuration of logical systems. A high maximum quota for a resource might give a logical system greater flexibility through access to a larger amount of that resource, but it would constrain the amount available to allocate to a new user logical system.
The difference between reserved and maximum allowed amounts for a dynamic resource is not important because dynamic resources are aged out and do not deplete the pool available for assignment to other logical systems.
The following resources can be specified in a security profile:
- Security policies, including schedulers
- Security zones
- Addresses and address books for security policies
- Application firewall rule sets
- Application firewall rules
- Firewall authentication
- Flow sessions and gates
- NAT, including:
  - Cone NAT bindings
  - NAT destination rule
  - NAT destination pool
  - NAT IP address in source pool without Port Address Translation (PAT)
    Note: IPv6 addresses in IPv6 source pools without PAT are not included in security profiles.
  - NAT IP address in source pool with PAT
  - NAT port overloading
  - NAT source pool
  - NAT source rule
  - NAT static rule
All resources except flow sessions are static.
You can modify a logical system security profile dynamically while the security profile is assigned to other logical systems. However, to ensure that the system resource quota is not exceeded, the system takes the following actions:
- If a static quota is changed, system daemons that maintain logical system counts for resources specified in security profiles revalidate the security profile. This check totals the resources assigned across all logical systems to determine whether the allocated resources, including their increased amounts, are available.
  These quota checks are the same checks that the system performs when you add a new user logical system and bind a security profile to it. They are also performed when you bind a different security profile to an existing user logical system (or to the primary logical system) in place of the one presently assigned.
- If a dynamic quota is changed, no check is performed, but the new quota is imposed on future resource usage.
Cases: Assessments of Reserved Resources Assigned Through Security Profiles
To understand how the system assesses allocation of reserved resources through security profiles, consider the following three cases that address allocation of one resource, zones. To keep the example simple, 10 zones are allocated in security-profile-1: 4 reserved zones and 6 maximum zones. This example assumes that the full maximum amount specified, six zones, is available for the user logical systems. The system maximum number of zones is 10.
These cases address configuration across logical systems. They test to see whether a configuration will succeed or fail when it is committed based on allocation of zones.
Table 1 shows the security profiles and their zone allocations.
Table 1: Two Security Profiles Used in the Configuration Cases

| Security profile | Reserved zones | Maximum zones | Note |
|---|---|---|---|
| security-profile-1 | 4 | 6 | Later the primary administrator dynamically increases the reserved zone count specified in this profile. |
| primary-logical-system-profile | | | |
Table 2 shows three cases that illustrate how the system assesses reserved resources for zones across logical systems based on security profile configurations.
The configuration for the first case succeeds because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 8, which is less than the system maximum resource quota.
The configuration for the second case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.
The configuration for the third case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.
Table 2: Reserved Resource Quota Checks Across Logical Systems

| Case | Result | Reserved zone assessment |
|---|---|---|
| Example 1 | Succeeds | This configuration is within bounds: 4+4+0=8, maximum capacity = 10. |
| Example 2 | Fails | This configuration is out of bounds: 4+4+4=12, maximum capacity = 10. |
| Example 3 | Fails | This configuration is out of bounds: 6+6=12, maximum capacity = 10. The primary administrator modifies the reserved zones quota in security-profile-1, increasing the count to 6. |
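As an added example (not Juniper code or the device's own logic), the following Python script models the commit-time reserved-quota check described in this section: it parses `set system security-profile` lines, adds up the reserved quota of every logical system bound to a profile, resource by resource, and compares the total with a platform quota, also flagging a profile whose reserved quota exceeds its maximum. The platform quota table, the logical system names ls-1 to ls-3, and the 0 reserved zones given to primary-logical-system-profile (taken from the 4+4+0 sum in the cases above) are assumptions.

```python
"""Off-box pre-check of SRX logical-system security profiles.

Added example, not Juniper code. It models the reserved-quota check this
page describes: across every logical system bound to a profile, the summed
reserved quota per resource must stay within the platform's global quota.
Platform quotas below are constructed values; real ones are platform-dependent.
"""
import re
from collections import defaultdict

# Constructed platform limits (assumption; the page's zone example uses 10).
PLATFORM_QUOTA = {"zone": 10, "policy": 100, "flow-session": 8000}

SET_RE = re.compile(
    r"^set system security-profile (?P<profile>\S+) "
    r"(?:(?P<resource>[\w-]+) (?P<kind>reserved|maximum) (?P<value>\d+)"
    r"|logical-system (?P<lsys>\S+)"
    r"|(?P<root>root-logical-system)"
    r"|(?P<flag>idp))$"
)


def parse_profiles(config_text):
    """Parse `set system security-profile ...` lines.

    Returns (quotas, bindings):
      quotas[profile][resource] -> {"reserved": n, "maximum": n} (keys optional)
      bindings[logical_system] -> profile  (the root logical system is keyed "root")
    A later line overrides an earlier one, as a later `set` does in the CLI.
    """
    quotas = defaultdict(lambda: defaultdict(dict))
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        profile = quotas[m["profile"]]  # touch it so bind-only profiles exist
        if m["resource"]:
            profile[m["resource"]][m["kind"]] = int(m["value"])
        elif m["lsys"]:
            bindings[m["lsys"]] = m["profile"]
        elif m["root"]:
            bindings["root"] = m["profile"]
        # "idp" is an on/off flag with no quota, so there is nothing to record.
    return quotas, bindings


def assess(quotas, bindings, platform=PLATFORM_QUOTA):
    """Return the problems a commit would hit; an empty list means it passes."""
    problems = []
    # Per-profile sanity: reserved <= maximum <= platform quota.
    for name, resources in quotas.items():
        for res, q in resources.items():
            reserved = q.get("reserved", 0)                # unset reserved defaults to 0
            maximum = q.get("maximum", platform.get(res))  # unset maximum defaults to the global quota
            if maximum is not None and reserved > maximum:
                problems.append(f"{name}/{res}: reserved {reserved} > maximum {maximum}")
            if res in platform and maximum > platform[res]:
                problems.append(f"{name}/{res}: maximum {maximum} > platform quota {platform[res]}")
    # Cross-logical-system check: a profile bound to N logical systems counts N times.
    totals = defaultdict(int)
    for profile in bindings.values():
        for res, q in quotas.get(profile, {}).items():
            totals[res] += q.get("reserved", 0)
    for res, total in totals.items():
        if res in platform and total > platform[res]:
            problems.append(f"{res}: cumulative reserved {total} > platform quota {platform[res]}")
    return problems


def zone_cases():
    """The three zone cases from this page, run through the check."""
    # Constructed input: ls-1..ls-3 and the primary profile's 0 reserved zones are assumptions.
    base = """
set system security-profile security-profile-1 zone reserved 4
set system security-profile security-profile-1 zone maximum 6
set system security-profile primary-logical-system-profile zone reserved 0
set system security-profile primary-logical-system-profile zone maximum 6
set system security-profile primary-logical-system-profile root-logical-system
set system security-profile security-profile-1 logical-system ls-1
set system security-profile security-profile-1 logical-system ls-2
"""
    cases = {
        "case1": base,  # 4+4+0 = 8 <= 10: succeeds
        "case2": base + "set system security-profile security-profile-1 logical-system ls-3\n",  # 4+4+4 = 12: fails
        "case3": base + "set system security-profile security-profile-1 zone reserved 6\n",  # 6+6+0 = 12: fails
    }
    return {label: assess(*parse_profiles(text)) for label, text in cases.items()}


if __name__ == "__main__":
    for label, problems in zone_cases().items():
        print(label, "succeeds" if not problems else "fails: " + "; ".join(problems))
```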
Example: Configuring Logical Systems Security Profiles (Primary Administrators Only)
This example shows how a primary administrator configures three logical system security profiles to assign to user logical systems and the primary logical system to provision them with security resources.
Requirements
The example uses an SRX5600 device running Junos OS with logical systems.
Before you begin, read SRX Series Logical Systems Primary Administrator Configuration Tasks Overview to understand how this task fits into the overall configuration process.
Overview
This example shows how to configure security profiles for the following logical systems:
- The root-logical-system logical system. The security profile primary-profile is assigned to the primary, or root, logical system.
- The ls-product-design logical system. The security profile ls-design-profile is assigned to the logical system.
- The ls-marketing-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.
- The ls-accounting-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.
- The interconnect-logical-system, if you use one. You must assign a dummy, or null, security profile to it.
Topology
This configuration relies on the deployment shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
Configuration
Configuring Logical System Security Profiles
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
```
set system security-profile master-profile policy maximum 65
set system security-profile master-profile policy reserved 60
set system security-profile master-profile zone maximum 22
set system security-profile master-profile zone reserved 17
set system security-profile master-profile flow-session maximum 3000
set system security-profile master-profile flow-session reserved 2100
set system security-profile master-profile icap-redirect-profile maximum 64
set system security-profile master-profile icap-redirect-profile reserved 30
set system security-profile master-profile nat-nopat-address maximum 115
set system security-profile master-profile nat-nopat-address reserved 100
set system security-profile master-profile nat-static-rule maximum 125
set system security-profile master-profile nat-static-rule reserved 100
set system security-profile master-profile idp
set system security-profile master-profile root-logical-system
set system security-profile ls-accnt-mrkt-profile policy maximum 65
set system security-profile ls-accnt-mrkt-profile policy reserved 60
set system security-profile ls-accnt-mrkt-profile zone maximum 22
set system security-profile ls-accnt-mrkt-profile zone reserved 17
set system security-profile ls-accnt-mrkt-profile flow-session maximum 2500
set system security-profile ls-accnt-mrkt-profile flow-session reserved 2000
set system security-profile ls-accnt-mrkt-profile icap-redirect-profile maximum 64
set system security-profile ls-accnt-mrkt-profile icap-redirect-profile reserved 30
set system security-profile ls-accnt-mrkt-profile nat-nopat-address maximum 125
set system security-profile ls-accnt-mrkt-profile nat-nopat-address reserved 100
set system security-profile ls-accnt-mrkt-profile nat-static-rule maximum 125
set system security-profile ls-accnt-mrkt-profile nat-static-rule reserved 100
set system security-profile ls-accnt-mrkt-profile logical-system ls-marketing-dept
set system security-profile ls-accnt-mrkt-profile logical-system ls-accounting-dept
set system security-profile ls-design-profile policy maximum 50
set system security-profile ls-design-profile policy reserved 40
set system security-profile ls-design-profile zone maximum 10
set system security-profile ls-design-profile zone reserved 5
set system security-profile ls-design-profile flow-session maximum 2500
set system security-profile ls-design-profile flow-session reserved 2000
set system security-profile ls-design-profile icap-redirect-profile maximum 64
set system security-profile ls-design-profile icap-redirect-profile reserved 30
set system security-profile ls-design-profile nat-nopat-address maximum 120
set system security-profile ls-design-profile nat-nopat-address reserved 100
set system security-profile ls-design-profile nat-static-rule maximum 125
set system security-profile ls-design-profile nat-static-rule reserved 100
set system security-profile ls-design-profile logical-system ls-product-design
set system security-profile interconnect-profile logical-system interconnect-logical-system
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Create three security profiles.
Create the first security profile.
Step-by-Step Procedure
Specify the number of maximum and reserved policies.
```
[edit system security-profile]
user@host# set master-profile policy maximum 65 reserved 60
```
Specify the number of maximum and reserved zones.
```
[edit system security-profile]
user@host# set master-profile zone maximum 22 reserved 17
```
Specify the number of maximum and reserved sessions.
```
[edit system security-profile]
user@host# set master-profile flow-session maximum 3000 reserved 2100
```
Specify the number of maximum and reserved ICAP redirect profiles.
```
[edit system security-profile]
user@host# set master-profile icap-redirect-profile maximum 64 reserved 30
```
Specify the number of maximum and reserved source NAT no-PAT addresses and static NAT rules.
```
[edit system security-profile]
user@host# set master-profile nat-nopat-address maximum 115 reserved 100
user@host# set master-profile nat-static-rule maximum 125 reserved 100
```
Enable intrusion detection and prevention (IDP). You can enable IDP only for the primary (root) logical system.
```
[edit system security-profile]
user@host# set master-profile idp
```
Bind the security profile to the logical system.
```
[edit system security-profile]
user@host# set master-profile root-logical-system
```
Create the second security profile.
Step-by-Step Procedure
Specify the number of maximum and reserved policies.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile policy maximum 65 reserved 60
```
Specify the number of maximum and reserved zones.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile zone maximum 22 reserved 17
```
Specify the number of maximum and reserved sessions.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile flow-session maximum 2500 reserved 2000
```
Specify the number of maximum and reserved ICAP redirect profiles.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile icap-redirect-profile maximum 64 reserved 30
```
Specify the number of maximum and reserved source NAT no-PAT addresses.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile nat-nopat-address maximum 125 reserved 100
```
Specify the number of maximum and reserved static NAT rules.
```
[edit system security-profile]
user@host# set ls-accnt-mrkt-profile nat-static-rule maximum 125 reserved 100
```
Bind the security profile to two logical systems.
```
[edit system]
user@host# set security-profile ls-accnt-mrkt-profile logical-system ls-marketing-dept
user@host# set security-profile ls-accnt-mrkt-profile logical-system ls-accounting-dept
```
Create the third security profile.
Step-by-Step Procedure
Specify the number of maximum and reserved policies.
```
[edit system security-profile]
user@host# set ls-design-profile policy maximum 50 reserved 40
```
Specify the number of maximum and reserved zones.
```
[edit system security-profile]
user@host# set ls-design-profile zone maximum 10 reserved 5
```
Specify the number of maximum and reserved sessions.
```
[edit system security-profile]
user@host# set ls-design-profile flow-session maximum 2500 reserved 2000
```
Specify the number of maximum and reserved ICAP redirect profiles.
```
[edit system security-profile]
user@host# set ls-design-profile icap-redirect-profile maximum 64 reserved 30
```
Specify the number of maximum and reserved source NAT no-PAT addresses and static NAT rules.
```
[edit system security-profile]
user@host# set ls-design-profile nat-nopat-address maximum 120 reserved 100
user@host# set ls-design-profile nat-static-rule maximum 125 reserved 100
```
Bind the security profile to a logical system.
```
[edit]
user@host# set system security-profile ls-design-profile logical-system ls-product-design
```
Bind a null security profile to the interconnect logical system.
```
[edit]
user@host# set system security-profile interconnect-profile logical-system interconnect-logical-system
```
Results
From configuration mode, confirm your configuration by entering the show system security-profile command to see all security profiles configured. To see individual security profiles, enter the show system security-profile master-profile, show system security-profile ls-accnt-mrkt-profile, and show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
user@host# show system security-profile
interconnect-profile {
    logical-system interconnect-logical-system;
}
ls-accnt-mrkt-profile {
    policy {
        maximum 65;
        reserved 60;
    }
    zone {
        maximum 22;
        reserved 17;
    }
    flow-session {
        maximum 2500;
        reserved 2000;
    }
    icap-redirect-profile {
        maximum 64;
        reserved 30;
    }
    nat-nopat-address {
        maximum 125;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    logical-system [ ls-marketing-dept ls-accounting-dept ];
}
ls-design-profile {
    policy {
        maximum 50;
        reserved 40;
    }
    zone {
        maximum 10;
        reserved 5;
    }
    flow-session {
        maximum 2500;
        reserved 2000;
    }
    icap-redirect-profile {
        maximum 64;
        reserved 30;
    }
    nat-nopat-address {
        maximum 120;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    logical-system ls-product-design;
}
master-profile {
    policy {
        maximum 65;
        reserved 60;
    }
    zone {
        maximum 22;
        reserved 17;
    }
    flow-session {
        maximum 3000;
        reserved 2100;
    }
    icap-redirect-profile {
        maximum 64;
        reserved 30;
    }
    nat-nopat-address {
        maximum 115;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    root-logical-system;
}
```
```
user@host# show system security-profile master-profile
policy {
    maximum 65;
    reserved 60;
}
zone {
    maximum 22;
    reserved 17;
}
flow-session {
    maximum 3000;
    reserved 2100;
}
icap-redirect-profile {
    maximum 64;
    reserved 30;
}
nat-nopat-address {
    maximum 115;
    reserved 100;
}
nat-static-rule {
    maximum 125;
    reserved 100;
}
root-logical-system;
```
```
user@host# show system security-profile ls-accnt-mrkt-profile
policy {
    maximum 65;
    reserved 60;
}
zone {
    maximum 22;
    reserved 17;
}
flow-session {
    maximum 2500;
    reserved 2000;
}
icap-redirect-profile {
    maximum 64;
    reserved 30;
}
nat-nopat-address {
    maximum 125;
    reserved 100;
}
nat-static-rule {
    maximum 125;
    reserved 100;
}
logical-system [ ls-accounting-dept ls-marketing-dept ];
```
```
user@host# show system security-profile ls-design-profile
policy {
    maximum 50;
    reserved 40;
}
zone {
    maximum 10;
    reserved 5;
}
flow-session {
    maximum 2500;
    reserved 2000;
}
icap-redirect-profile {
    maximum 64;
    reserved 30;
}
nat-nopat-address {
    maximum 120;
    reserved 100;
}
nat-static-rule {
    maximum 125;
    reserved 100;
}
logical-system ls-product-design;
```
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the security resources that you allocated for logical systems have been assigned to them, follow this procedure for each logical system and for all its resources.
Verifying That Security Profile Resources Are Effectively Allocated for Logical Systems
Purpose
Verify security resources for each logical system. Follow this process for all configured logical systems.
Action
1. Use SSH to log in to each user logical system as its user logical system administrator. Run SSH, specifying the IP address of your SRX Series Firewall, and enter the login ID and password for one of the user logical systems that you created.
```
login: lsmarketingadmin1
password: Talk2345
lsmarketingadmin1@host:ls-marketing-dept>
```
2. Enter the following statement to identify the resources configured for the profile.
```
lsmarketingadmin1@host:ls-marketing-dept> show system security-profile ?
```
3. Enter the following command at the resulting prompt. Do this for each feature configured for the profile.
```
lsmarketingadmin1@host:ls-marketing-dept> show system security-profile zone detail
logical system name : ls-marketing-dept
security profile name : ls-accnt-mrkt-profile
used amount : 0
reserved amount : 17
maximum quota : 22
```
Example: Configuring User Logical Systems Security Profiles
In this example, you configure a user logical system security profile and the security features of the user logical system. The example also shows the information about the resources allocated to the logical system in its security profile.
SRX4100 and SRX4200 devices support logical systems in both transparent and route mode.
SRX4600 devices support logical systems in route mode only.
Layer 2 cross-logical-system traffic is not supported.
Requirements
This example uses SRX4100 and SRX4200 devices running Junos OS with logical systems.
Before you begin:
Understand the logical system configuration process. See User Logical Systems Configuration Overview to understand how this task fits into the overall configuration process.
Overview
Logical systems allow a primary administrator to partition an SRX Series Firewall into discrete contexts called user logical systems. User logical systems are self-contained, private contexts, separate both from one another and from the primary logical system. A user logical system has its own security, networking, logical interfaces, routing configurations, and one or more user logical system administrators.
In this example, you configure security features for a user logical system. The user logical system administrator then uses the show ethernet-switching table command to display information for that user logical system; Table 3 describes the fields in its output.

Table 3: Fields in the show ethernet-switching table Output

| Field Name | Field Description |
|---|---|
| MAC flags | Status of MAC address learning properties for each interface. |
| Ethernet switching table | For learned entries, the time at which the entry was added to the Ethernet switching table. |
| Logical system | Name of the logical system. |
| Routing instance | Name of the routing instance. |
| VLAN name | Name of the VLAN. |
| MAC address | MAC address or addresses learned on a logical interface. |
| Age | This field is not supported. |
| Logical interface | Name of the logical interface. |
| RTR ID | ID of the routing device. |
| NH Index | Software index of the next hop that is used to route the traffic for a given prefix. |
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
```
set system security-profile security-profile-name logical-system logical-system-name
set logical-systems logical-system-name interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set logical-systems logical-system-name interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VLAN100
set logical-systems logical-system-name interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
set logical-systems logical-system-name interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members VLAN100
set logical-systems logical-system-name interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set logical-systems logical-system-name interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members VLAN100
set logical-systems logical-system-name interfaces xe-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set logical-systems logical-system-name interfaces xe-0/0/3 unit 0 family ethernet-switching vlan members VLAN100
set logical-systems logical-system-name interfaces irb unit 22 family inet address 10.11.11.150/24
set logical-systems logical-system-name security policies default-policy permit-all
set logical-systems logical-system-name security zones security-zone trust host-inbound-traffic system-services all
set logical-systems logical-system-name security zones security-zone trust host-inbound-traffic protocols all
set logical-systems logical-system-name security zones security-zone trust interfaces xe-0/0/2.0
set logical-systems logical-system-name security zones security-zone untrust host-inbound-traffic system-services all
set logical-systems logical-system-name security zones security-zone untrust host-inbound-traffic protocols all
set logical-systems logical-system-name security zones security-zone untrust interfaces xe-0/0/3.0
set logical-systems logical-system-name vlans VLAN100 vlan-id 100
set logical-systems logical-system-name vlans VLAN100 l3-interface irb.22
```
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure user logical systems security profiles:
Log in to the user logical system as the logical system administrator and enter configuration mode.
```
admin@host> configure
[edit]
admin@host#
```
Configure a security profile and assign it to a logical system.
```
[edit]
admin@host# set system security-profile security-profile-name logical-system logical-system-name
```
Set the interfaces to the appropriate interface modes and specify that the logical interface that will receive the untagged data packets is a member of the native VLAN.
```
[edit]
admin@host# set logical-systems logical-system-name interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
admin@host# set logical-systems logical-system-name interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VLAN100
admin@host# set logical-systems logical-system-name interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
admin@host# set logical-systems logical-system-name interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members VLAN100
admin@host# set logical-systems logical-system-name interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
admin@host# set logical-systems logical-system-name interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members VLAN100
admin@host# set logical-systems logical-system-name interfaces xe-0/0/3 unit 0 family ethernet-switching interface-mode trunk
admin@host# set logical-systems logical-system-name interfaces xe-0/0/3 unit 0 family ethernet-switching vlan members VLAN100
```
Create the IRB interface and assign it an address in the subnet.
```
[edit logical-systems logical-system-name]
admin@host# set interfaces irb unit 22 family inet address 10.11.11.150/24
```
Create the security policy to permit traffic from the trust zone to the untrust zone and assign interfaces to each zone.
```
[edit logical-systems logical-system-name]
admin@host# set security policies default-policy permit-all
admin@host# set security zones security-zone trust host-inbound-traffic system-services all
admin@host# set security zones security-zone trust host-inbound-traffic protocols all
admin@host# set security zones security-zone trust interfaces xe-0/0/2.0
admin@host# set security zones security-zone untrust host-inbound-traffic system-services all
admin@host# set security zones security-zone untrust host-inbound-traffic protocols all
admin@host# set security zones security-zone untrust interfaces xe-0/0/3.0
```
Associate an IRB interface with the VLAN.
```
[edit]
admin@host# set logical-systems logical-system-name vlans VLAN100 vlan-id 100
admin@host# set logical-systems logical-system-name vlans VLAN100 l3-interface irb.22
```
Results
From configuration mode, confirm your configuration by entering the show ethernet-switching table command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
admin@host# show ethernet-switching table
ethernet-switching table {
    filter;
    inner-vlan;
    inter-switch-link;
    interface-mode;
    policer;
    recovery-timeout;
    storm-control;
    vlan;
    vlan-auto-sense;
    vlan-rewrite;
}
```
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying User Logical Systems Security Profiles Configuration
Purpose
Verify security policies information.
Action
From operational mode, enter the show ethernet-switching table command.
```
admin@host> show ethernet-switching table
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)

Ethernet switching table : 1 entries, 1 learned
Logical system : LD2
Routing instance : default
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    VLAN100             d4:04:ff:89:fd:30   D           -      xe-0/0/2.0             0         0
```
Example: Configuring Security Log Stream for Logical Systems
This example shows how to configure a security profile that allocates security log streams to a logical system.
Requirements
This example uses the SRX Series Firewalls running Junos OS with logical systems.
Before you begin:
Read SRX Series Logical Systems Primary Administrator Configuration Tasks Overview to understand how this task fits into the overall configuration process.
See Example: Configuring Logical Systems Security Profiles (Primary Administrators Only).
Overview
As primary administrator, you can configure a single security profile to assign resources to a specific logical system. You can use the same security profile for more than one logical system, or use a mix of both methods. The set logical-system LSYS1 security log command is introduced for logging support on SRX Series Firewalls.
Configuration
Configuring Logical System Security Profiles
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system security-profile p1 security-log-stream-number reserved 1
set system security-profile p1 security-log-stream-number maximum 2
set system security-profile p1 logical-system LSYS1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Configure a security profile and specify the maximum and reserved number of security log streams.
[edit system]
user@host# set security-profile p1 security-log-stream-number reserved 1
user@host# set security-profile p1 security-log-stream-number maximum 2
Assign the configured security profile to LSYS1.
user@host# set security-profile p1 logical-system LSYS1
Results
From configuration mode, confirm your configuration by entering the show system security-profile command to see all security profiles configured.
[edit]
user@host# show system security-profile
p1 {
    security-log-stream-number {
        maximum 2;
        reserved 1;
    }
    logical-system LSYS1;
}
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Security Profile Resources for Logical Systems
- Verifying security-log-stream-number for logical-systems
- Verifying security-log-stream-number summary for logical-systems
- Verifying security-log-stream-number detail for logical-systems
Verifying Security Profile Resources for Logical Systems
Purpose
Verify the security resources for each logical system.
Action
From operational mode, enter the show system security-profile all-resource, show system security-profile security-log-stream-number logical-system all, show system security-profile security-log-stream-number summary, or show system security-profile security-log-stream-number detail logical-system all command to see the output:
show system security-profile all-resource
user@host> show system security-profile all-resource
resource                        usage    reserved   maximum
[logical system name: root-logical-system]
[security profile name: Default-Profile]
address-book                    0        0          512
auth-entry                      0        0          2147483647
cpu on CP                       0.00%    1.00%      80.00%
cpu on SPU                      0.00%    1.00%      80.00%
flow-gate                       0        0          524288
flow-session                    2        0          6291456
nat-cone-binding                0        0          65536
nat-destination-pool            0        0          4096
nat-destination-rule            0        0          8192
nat-nopat-address               0        0          1048576
nat-pat-address                 0        0          2048
nat-port-ol-ipnumber            0        0          4
nat-rule-referenced-prefix      0        0          1048576
nat-source-pool                 0        0          2048
nat-source-rule                 0        0          8192
nat-static-rule                 0        0          20480
policy                          0        0          40000
policy-with-count               0        0          1024
scheduler                       0        0          64
zone                            0        0          512
Meaning
The sample output displays information about the resources allocated to the logical system in a security profile. For each resource specified, the number used by the logical system and the configured maximum and reserved values are displayed.
Verifying security-log-stream-number for logical-systems
Purpose
Verify the security-log-stream-number for each logical system.
Action
From operational mode, enter the show system security-profile security-log-stream-number logical-system all command to see the output:
show system security-profile security-log-stream-number logical-system all
user@host> show system security-profile security-log-stream-number logical-system all
logical system name      security profile name    usage    reserved    maximum
root-logical-system      Default-Profile          1        0           3
LSYS1                    sp1                      0        1           3
LSYS2                    sp2                      1        0           3
Meaning
The sample output displays, for each logical system, the name of the security profile bound to it and the security log stream resource allocated through that profile. For each logical system, the number of streams in use and the configured reserved and maximum values are displayed.
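Because usage above the reserved count is served from the shared global pool, an operator will usually want to watch which logical systems are consuming shared log streams and which are close to their maximum. The following parser and check are an added example and not Juniper code; the sample output is constructed to match the table shown above, and the global quota value is passed in from the summary output.

```python
"""Parse 'show system security-profile security-log-stream-number logical-system all'
output and flag logical systems that are near their maximum quota or whose
reserved totals exceed the global quota. Added example, not Juniper's code."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, shaped like the CLI output on this page.
SAMPLE_OUTPUT = """\
logical system name security profile name usage reserved maximum
root-logical-system Default-Profile 1 0 3
LSYS1 sp1 0 1 3
LSYS2 sp2 1 0 3
"""

# One data row: lsys name, profile name, then three integer columns.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class StreamQuota:
    lsys: str
    profile: str
    usage: int
    reserved: int
    maximum: int

    @property
    def headroom(self) -> int:
        return self.maximum - self.usage

    @property
    def draws_from_shared_pool(self) -> bool:
        # Streams beyond the reserved count come from the global pool.
        return self.usage > self.reserved


def parse_stream_quotas(text: str) -> List[StreamQuota]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and command lines do not match the 5-column shape
            lsys, profile, usage, reserved, maximum = m.groups()
            rows.append(StreamQuota(lsys, profile, int(usage), int(reserved), int(maximum)))
    return rows


def check_quotas(rows: List[StreamQuota], global_maximum: int, warn_at_headroom: int = 1) -> List[str]:
    """Warn on logical systems with little headroom and on over-committed reservations."""
    warnings = [f"{r.lsys}: {r.usage}/{r.maximum} streams used, {r.headroom} left"
                for r in rows if r.headroom <= warn_at_headroom]
    total_reserved = sum(r.reserved for r in rows)
    if total_reserved > global_maximum:
        warnings.append(f"reserved total {total_reserved} exceeds global quota {global_maximum}")
    return warnings
```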
Verifying security-log-stream-number summary for logical-systems
Purpose
Verify the security-log-stream-number summary.
Action
From operational mode, enter the show system security-profile security-log-stream-number summary command to see the output:
show system security-profile security-log-stream-number summary
user@host> show system security-profile security-log-stream-number summary
global used amount       : 0
global maximum quota     : 32
global available amount  : 32
total logical systems    : 1
total security profiles  : 0
heaviest usage / user    : 0 / root-logical-system
lightest usage / user    : 0 / root-logical-system
Meaning
The sample output displays the summary information about the resource for all logical systems.
Verifying security-log-stream-number detail for logical-systems
Purpose
Verify the security-log-stream-number detail.
Action
From operational mode, enter the show system security-profile security-log-stream-number detail logical-system all command to see the output:
show system security-profile security-log-stream-number detail logical-system all
user@host> show system security-profile security-log-stream-number detail logical-system all
logical system name    : root-logical-system
security profile name  : Default-Profile
used amount            : 0
reserved amount        : 0
maximum quota          : 8

logical system name    : lsys0
security profile name  : lsys_profile
used amount            : 0
reserved amount        : 0
maximum quota          : 8

logical system name    : lsys1
security profile name  : lsys_profile
used amount            : 0
reserved amount        : 0
maximum quota          : 8

logical system name    : lsys2
security profile name  : lsys_profile
used amount            : 0
reserved amount        : 0
maximum quota          : 8
Meaning
The sample output displays the detailed level of output for all logical systems.