User Logical Systems Overview
A user logical system enables you to configure zones, security policies, logical interfaces and security resources assigned to its own user logical system. For more information, see the following topics:
User Logical Systems Configuration Overview
When the primary administrator creates a user logical system, he assigns a user logical system administrator to manage it. A user logical system can have multiple user logical system administrators.
As a user logical system administrator, you can access and view resources in your user logical system but not those of other user logical systems or the primary logical system. You can configure resources allocated to your user logical system, but you cannot modify the numbers of allocated resources.
The following procedure lists the tasks that the user logical system administrator performs to configure resources in the user logical system:
Log in to the user logical system with the login and password configured by the primary administrator:
SSH to the management IP address configured on the device. Log in to the user logical system with the administrator login and password provided by the primary administrator.
You enter a UNIX shell in the user logical system configured by the primary administrator.
Starting in Junos OS Release 20.1R1, On SRX5400, SRX5600, and SRX5800 Series devices, Trusted Platform Module (TPM) supports only with SRX5K-RE3-128G Routing Engine (RE3). The TPM chip enables by default. To use the TPM functionality in logical systems, you must configure Master-Encryption-key (MEK) at the root logical system only, and the user logical systems will inherit the same MEK to encrypt configuration hash and public key infrastructure (PKI) key-pairs. For more information on TPM, see Using Trusted Platform Module to Bind Secrets on SRX Series Devices.
The presence of the > prompt indicates the CLI has started. The prompt is preceded by a string that contains your username, the hostname of the router, and the name of the user logical system. When the CLI starts, you are at the top level in operational mode. You enter configuration mode by entering the configure operational mode command. The CLI prompt changes from user@host: logical-system> to user@host: logical-system#.
To exit the CLI and return to the UNIX shell, enter the quit command.
Configure the logical interfaces assigned to the user logical system by the primary administrator. Configure one or more routing instances and the routing protocols and options within each instance. See Example: Configuring Interfaces and Routing Instances for a User Logical Systems.
Configure security resources for the user logical system:
Create zones for the user logical system and bind the logical interfaces to the zones. Address books can be created that are attached to zones for use in policies. See Example: Configuring Security Zones for a User Logical Systems.
Configure screen options at the zone level. See Example: Configuring Screen Options for a User Logical Systems.
Configure security policies between zones in the user logical system. See Example: Configuring Security Policies in a User Logical Systems.
Custom applications or application sets can be created for specific types of traffic. To create a custom application, use the
application
configuration statement at the [edit applications
] hierarchy level. To create an application set, use theapplication-set
configuration statement at the [edit applications
] hierarchy level.Configure firewall authentication. The primary administrator creates access profiles in the primary logical system. See Example: Configuring Access Profiles (Primary Administrators Only).
The user logical system administrator then configures a security policy that specifies firewall authentication for matching traffic and configures the type of authentication (pass-through or Web authentication), default access profile, and success banner. See Example: Configuring Firewall Authentication for a User Logical System.
Configure a route-based VPN tunnel to secure traffic between a user logical system and a remote site. The primary administrator assigns a secure tunnel interface to the user logical system and configures IKE and IPsec SAs for the VPN tunnel. See Example: Configuring IKE and IPsec SAs for a VPN Tunnel (Primary Administrators Only).
The user logical system administrator then configures a route-based VPN tunnel. See Example: Configuring a Route-Based VPN Tunnel in a User Logical Systems.
Configure Network Address Translation (NAT). See Example: Configuring Network Address Translation for a User Logical Systems.
Configure and assigning a predefined IDP policy to the user logical system. The primary administrator configures IDP policies at the root level and specifies an IDP policy in the security profile that is bound to a logical system. See Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System.
The user logical system administrator then enables IDP in a security policy. See Example: Enabling IDP in a User Logical System Security Policy.
Configure and enable an IDP policy at the user logical system. See Example: Configuring an IDP Policy for a User Logical System
Display or clear application system cache (ASC) entries. See Understanding Logical Systems Application Identification Services.
Configure application firewall services on a user logical system. See Understanding Logical Systems Application Firewall Services and Example: Configuring Application Firewall Services for a User Logical System.
Configure the AppTrack application tracking tool. See Example: Configuring AppTrack for a User Logical Systems.
See Also
Understanding User Logical Systems and the User Logical System Administrator Role
Logical systems allow a primary administrator to partition an SRX Series Firewall into discrete contexts called user logical systems. User logical systems are self-contained, private contexts, separate both from one another and from the primary logical system. A user logical system has its own security, networking, logical interfaces, routing configurations, and one or more user logical system administrators.
When the primary administrator creates a user logical system, he assigns one or more user logical system administrators to manage it. A user logical system administrator has a view of the device that is limited to his logical system. Although a user logical system is managed by a user logical system administrator, the primary administrator has a global view of the device and access to all user logical systems. If necessary, the primary administrator can manage any user logical system on the device.
The role and responsibilities of a user logical system administrator differ from those of the primary administrator. As a user logical system administrator, you can access, configure, and view the configuration for your user logical system resources, but not those of other user logical systems or the primary logical system.
As a user logical system administrator, you can:
Configure zones, address books, security policies, user lists, custom services, and so forth, for your user logical system environment, based on the resources allocated to it.
For example, if the primary administrator allocates 40 zones to your user logical system, you can configure and administer those zones, but you cannot change the allocated number.
Configure routing instances and assign allotted interfaces to them. Create static routes and add them to your routing instances. Configure routing protocols.
Configure, enable, and monitor application firewall policy on your user logical system.
Configure AppTrack.
View all assigned logical interfaces and configure their attributes. The attributes that you configure for logical interfaces for your user logical system cannot be seen by other user logical system administrators.
Run operational commands for your user logical system.