vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure

30-Jul-24

The topics in this section help you launch vSRX Virtual Firewall instances in Oracle Cloud Infrastructure.

Overview

This topic provides an overview of, and the prerequisites for, deploying vSRX Virtual Firewall in Oracle Cloud Infrastructure (OCI). vSRX Virtual Firewall provides security and networking services for virtualized private or public Oracle Cloud environments.

Starting in Junos OS Release 20.4R2, vSRX Virtual Firewall 3.0 is available for OCI deployments.

Note:

The vSRX Virtual Firewall 3.0 image is not available in the OCI Marketplace. You must download the vSRX Virtual Firewall 3.0 software from Juniper Support Downloads and upload it into an OCI compartment.

Prerequisites

  • Ensure you have the proper accounts and permissions before you attempt to deploy the vSRX Virtual Firewall in OCI.

  • Copy the .oci image to an object storage compartment in your OCI account.

    An example file name is junos-vsrx3-x86-64-xxxx.oci. After you purchase the vSRX Virtual Firewall 3.0 software, you can download it from the Juniper Support page.

    Note:

    The .oci image extension is used for vSRX Virtual Firewall images that are to be deployed in OCI. When a qcow2 image is deployed on OCI, the default emulation selected for the vNIC is e1000. The .oci images of the vSRX Virtual Firewall carry the metadata needed to set the emulation type to virtio when the vSRX Virtual Firewall is deployed, which gives better throughput.

  • Create Virtual Network subnets for your deployment.

For better understanding of Oracle terminologies and their use in vSRX Virtual Firewall 3.0 deployments, see Understanding vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure.

Example Topology

A common cloud configuration includes hosts that you want to grant access to the Internet, while not allowing anyone from outside your cloud to reach those hosts. You can use vSRX Virtual Firewall in OCI to NAT traffic inside OCI from the public Internet.

The diagram shows an example VCN with three subnets:

  • Public (10.0.1.0/24), for management interfaces with access to the internet through an internet gateway

  • Public (10.0.2.0/24), for revenue (data) interfaces with access to the internet through an internet gateway

  • Private (10.0.3.0/24), a private subnet with no access to the internet

The following topology is used as an example for this deployment.

Figure 1: Example VCN for vSRX Virtual Firewall Deployment in OCI

Launch vSRX Virtual Firewall Instances in the OCI

This topic provides details on how you can launch vSRX Virtual Firewall instances in the OCI.

  1. Log in to the OCI Management Console. The Console is an intuitive, graphical interface that lets you create and manage your instances, cloud networks, and storage volumes, as well as your users and permissions. After you sign in, the console home page is displayed.
  2. Choose a compartment for your resources.

    Compartments help you organize and control access to your resources. A compartment is a collection of related resources (such as cloud networks, compute instances, or block volumes) that can be accessed only by those groups that have been given permission by an administrator in your organization. For example, one compartment could contain all the servers and storage volumes that make up the production version of your company's Human Resources system. Only users with permission to that compartment can manage those servers and volumes.

    • Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    • Select the Sandbox compartment (or the compartment designated by your administrator) from the list on the left. If the Sandbox compartment does not exist, you can create one. For more information, see Creating a Compartment.

  3. Load the .oci image onto the OCI platform.
    1. From the main menu click Object Storage.

      Figure 2: Object Storage
    2. Select the compartment in which you want to create the bucket. If you already have a bucket, click its name; otherwise, create a bucket.

      Figure 3: Create Bucket
    3. Then click Upload Objects.

      Provide the required information when a pop-up window appears.

      Figure 4: Upload Objects

      View Object Details: After the .oci image is uploaded, right-click the object and select View Object Details.

      Figure 5: View Object Details
      Note:

      The object details include a URL path for the object (its OCI ID), which you use when importing the image.

  4. Create a virtual cloud network (VCN) with subnets. A single VCN can contain multiple subnets.

    You will then launch your instance into one of the subnets of your VCN and connect to it.

    Note:

    Ensure that the Sandbox compartment (or the compartment designated for you) is selected in the Compartment list on the left.

    1. Open the Navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    2. Click Create VCN and enter the data for VCN Name, Compartment, select an IPv4 VCN CIDR Block, Public Subnet CIDR Block. Accept the defaults for any other fields and click Create VCN.

    Figure 6: Create Virtual Cloud Network
    Figure 7: CIDR Block

    The cloud network created will have resources such as an Internet gateway and a NAT gateway, a service gateway with access to the Oracle Services Network, a regional public subnet with access to the internet gateway, and a regional private subnet with access to the NAT gateway and service gateway.

  5. Create subnets for the vSRX Virtual Firewall VCN you created.

    vSRX Virtual Firewall requires two public subnets and one or more private subnets for each individual instance group. One public subnet is for the management interface (fxp0), and the other is for a revenue (data) interface. The private subnets, connected to the other vSRX Virtual Firewall interfaces, ensure that all traffic between applications on the private subnets and the internet must pass through the vSRX Virtual Firewall instance.

    1. Configure the Public Subnet (Management Interface)

      To create this public subnet, click Create Subnet and define a route rule for the route table Default Route Table in which the internet gateway is configured as the route target for all traffic (0.0.0.0/0) as shown below.

      Figure 8: Route Rules

      For details about how to create subnets, see VCNs and Subnets.

      For the subnet's security list Default Security List, create an egress rule to allow traffic to all destinations. Create ingress rules that allow access on TCP port 22 from the public internet and on TCP port 80/443 for accessing the web application from the public internet as shown below.

      Figure 9: Stateful Rules (Default Security List)
    2. Configure the Public Subnet (Revenue Interface)

      Create this public subnet, and define a route rule for the route table Public RT in which the internet gateway is configured as the route target for all traffic (0.0.0.0/0).

      For the subnet's security list Public Subnet SL, create an egress rule to allow traffic to all destinations. Create ingress rules that allow access on TCP port 80/443 for accessing the web application from the public internet and on ICMP if needed to check the connectivity as shown below.

      Figure 10: Stateful Rules (Public Subnet Security List)
    3. Configure the Private Subnet

      Create this private subnet, and define a route rule for the route table Private RT in which the vSRX Virtual Firewall second vNIC’s private IP address (10.0.3.3) is configured as the route target for all traffic 0.0.0.0/0.

      Note:

      Configure the route rule after you create and attach the secondary VNICs.

  6. Create an Internet Gateway. To create an internet gateway, click Internet Gateways and set up an internet gateway so that the vSRX Virtual Firewall is reachable from outside.
    Figure 11: Internet Gateway
  7. Configure the security list to enable SSH access. Select the default security list and add Ingress Rules, such as an ICMP rule to allow ping, with the source CIDR set to any (0.0.0.0/0).
    Figure 12: Security List Information
  8. Create your vSRX Virtual Firewall instance in the VCN you created.
    1. Open the navigation menu. Under Core Infrastructure, select Compute and click Instances, and then click on Create Instance.

    2. Figure 13: Create Compute Instance
    3. On the Create Instance page, enter the name of your instance.

    4. Choose an operating system or image source: Click Change Image and then click Image Source to select the image that you want to use. Select Custom Images, choose the OCI vSRX Virtual Firewall image you want from the compartment, and then click Select Image.

      Instance type – Virtual Machine.

    5. Choose Instance Shape: Click Change Shape to select a standard predefined OCI shape. Select VM.Standard2.4, which has 4 NICs and 4 OCPUs, and click Select Shape.

      Note:

      vSRX Virtual Firewall needs a minimum of 2 vCPUs to launch.

    6. Under the Networking tab, select the virtual cloud network compartment, the virtual cloud network, the subnet compartment, and the subnet.

    7. To create a public IP address for the instance, select the Assign a public IPv4 address option.

      Note:

      Accept default options for Availability Domain, Instance Type, and Instance Shape.

    8. Add SSH keys: Under the Add SSH keys tab, either select the Paste public keys option and paste the public SSH key that you generated, or create a new SSH key to access the vSRX Virtual Firewall. Then click Create.

    After a few minutes, you can SSH to the instance using the public IP address allocated to it (displayed on the instance details page). Reboot the instance after adding interfaces.

    The instance is displayed in the Console in a provisioning state. Expect provisioning to take several minutes before the status updates to Running. Do not refresh the page. After the instance is running, allow another few minutes for the operating system to boot before you attempt to connect. When you are ready to connect to the instance, make a note of both the public IP address and the initial password.

    After the instance is provisioned, details about it appear in the instance list as shown below.

    Figure 14: vSRX Virtual Firewall Instance Launched in OCI
    Note:

    The default user name for the vSRX Virtual Firewall instance is oci-user. For example, to log in to the vSRX Virtual Firewall using SSH:

    user@host % ssh -i <private-key> oci-user@<vsrx-ip-address>
    The authenticity of host 'vsrx-ip-address (vsrx-ip-address)' can't be established.
    ECDSA key fingerprint is SHA256:z4X9YoWseVnKIeXh1kcpsVmAxTv1/E5lOQ51MU0N66g.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added 'vsrx-ip-address' (ECDSA) to the list of known hosts.
    --- JUNOS 20.4R2.7 Kernel 64-bit XEN JNPR-11.0-20210220.a5d6a89_buil
    oci-user> 
    
    
    oci-user> show version 
    Model: vSRX
    Junos: 20.4R2.7
  9. Adding interfaces for traffic.

    Network interfaces need to be added after the instance has been created.

    1. Click Attached VNICs and select Create VNIC (ge-0/0/0 for the public subnet and ge-0/0/1 for the private subnet). Select the subnet that you created and click Save Changes to add the VNICs to the instance.

      Note:

      Order of attaching network interfaces is important. You must map the first network interface to fxp0, then the second interface to ge-0/0/0, then to ge-0/0/1 and so on.

      Figure 15: Attached VNICs
  10. Connect to the launched vSRX Virtual Firewall instance. Open your SSH client to access the launched vSRX Virtual Firewall instance. At first boot you can access the vSRX Virtual Firewall only over SSH. The vSRX Virtual Firewall boots with the default OCI configuration. Use your private key to SSH to the vSRX Virtual Firewall instance.
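The security lists described in steps 5 and 7 (egress to all destinations; ingress TCP 22 and TCP 80/443 from the public internet on the management subnet, TCP 80/443 and ICMP on the revenue subnet) can be expressed as data and checked before they are applied. The following is an added example, not Juniper's or Oracle's code. The field names follow the OCI REST API SecurityList schema, so the rule lists serialize to the JSON that `oci network security-list create --ingress-security-rules` / `--egress-security-rules` accept; the `admin_cidr` parameter and the `audit_security_list` helper are assumptions added for illustration.

```python
"""Security lists for the vSRX management and revenue subnets (added example,
not Juniper's or Oracle's code). Rule values follow the deployment steps;
field names follow the OCI REST API SecurityList schema. `admin_cidr` and
`audit_security_list` are illustrative additions.
"""
import ipaddress
import json

PROTO_ICMP = "1"   # OCI expresses protocols as IANA numbers ("all", "1", "6", "17")
PROTO_TCP = "6"
INTERNET = "0.0.0.0/0"


def tcp_ingress(source_cidr, port_min, port_max=None):
    """Stateful ingress rule allowing a TCP destination port range from source_cidr."""
    port_max = port_min if port_max is None else port_max
    return {
        "protocol": PROTO_TCP,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port_min, "max": port_max}},
    }


def icmp_ingress(source_cidr):
    """Stateful ingress rule allowing ICMP (for ping) from source_cidr."""
    return {"protocol": PROTO_ICMP, "source": source_cidr,
            "sourceType": "CIDR_BLOCK", "isStateless": False}


# Egress rule to all destinations, shared by both subnets.
EGRESS_ALL = [{"protocol": "all", "destination": INTERNET,
               "destinationType": "CIDR_BLOCK", "isStateless": False}]


def management_security_list(admin_cidr=INTERNET):
    """Default Security List for the management subnet (fxp0): SSH, HTTP, HTTPS."""
    return {
        "displayName": "Default Security List",
        "ingressSecurityRules": [
            tcp_ingress(admin_cidr, 22),
            tcp_ingress(INTERNET, 80),
            tcp_ingress(INTERNET, 443),
        ],
        "egressSecurityRules": EGRESS_ALL,
    }


def revenue_security_list():
    """Public Subnet SL for the revenue interface: HTTP, HTTPS and ICMP."""
    return {
        "displayName": "Public Subnet SL",
        "ingressSecurityRules": [
            tcp_ingress(INTERNET, 80),
            tcp_ingress(INTERNET, 443),
            icmp_ingress(INTERNET),
        ],
        "egressSecurityRules": EGRESS_ALL,
    }


def audit_security_list(sl, admin_ports=(22,)):
    """Return a finding for each administrative TCP port reachable from a /0 source.

    A /0 source is the whole internet; management ports are normally limited
    to the operator's own address range instead.
    """
    findings = []
    for rule in sl["ingressSecurityRules"]:
        if rule["protocol"] != PROTO_TCP:
            continue
        if ipaddress.ip_network(rule["source"]).prefixlen != 0:
            continue
        span = rule["tcpOptions"]["destinationPortRange"]
        for port in admin_ports:
            if span["min"] <= port <= span["max"]:
                findings.append(f"{sl['displayName']}: TCP/{port} open to {rule['source']}")
    return findings


def as_cli_json(sl, key):
    """Serialize one rule list as the OCI CLI expects for --ingress/--egress-security-rules."""
    return json.dumps(sl[key])


if __name__ == "__main__":
    for sl in (management_security_list(), revenue_security_list()):
        print(sl["displayName"], audit_security_list(sl) or "no findings")
    print(as_cli_json(management_security_list("203.0.113.0/24"), "ingressSecurityRules"))
```

Running the block flags the management list exactly as the steps describe it (SSH open to 0.0.0.0/0) and reports no findings once `admin_cidr` is narrowed to an operator range such as the constructed 203.0.113.0/24; the revenue list never exposes an administrative port, so it passes as written.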
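Step 9 makes the attachment order of the VNICs significant (first VNIC is fxp0, second is ge-0/0/0, third is ge-0/0/1, and so on), and step 5.3 points the private subnet's default route at the private IP of the vSRX interface in that subnet. The following added example (not Juniper's or Oracle's code) derives both from VNIC data. `SAMPLE_VNICS` is constructed sample data in the shape of the OCI Vnic/VnicAttachment objects (`nicIndex`, `privateIp`, `skipSourceDestCheck`); the helper names are assumptions. It also reports when skip source/destination check is still off on the route-target VNIC, because OCI only lets a VNIC forward traffic for other hosts when that flag is enabled.

```python
"""Map OCI VNIC attachments to vSRX interface names and derive the private
subnet's default-route target (added example, not Juniper's or Oracle's code).
SAMPLE_VNICS is constructed data in the shape of OCI Vnic/VnicAttachment
objects; helper names are assumptions.
"""
import ipaddress

# Constructed sample, deliberately listed out of attachment order to show
# that the mapping must sort by nicIndex rather than trust list order.
SAMPLE_VNICS = [
    {"nicIndex": 2, "privateIp": "10.0.3.3", "skipSourceDestCheck": False},  # private subnet
    {"nicIndex": 0, "privateIp": "10.0.1.5", "skipSourceDestCheck": False},  # management
    {"nicIndex": 1, "privateIp": "10.0.2.7", "skipSourceDestCheck": True},   # revenue
]


def junos_interface_name(nic_index):
    """VNIC 0 is fxp0 (management); VNIC n >= 1 is ge-0/0/(n-1)."""
    if nic_index < 0:
        raise ValueError("nicIndex must be non-negative")
    return "fxp0" if nic_index == 0 else f"ge-0/0/{nic_index - 1}"


def interface_map(vnics):
    """Return {junos_name: vnic} in attachment order, rejecting gaps in nicIndex."""
    ordered = sorted(vnics, key=lambda v: v["nicIndex"])
    indexes = [v["nicIndex"] for v in ordered]
    if indexes != list(range(len(ordered))):
        raise ValueError(f"VNIC indexes {indexes} are not contiguous from 0; "
                         "attach interfaces in order")
    return {junos_interface_name(v["nicIndex"]): v for v in ordered}


def private_route_target(vnics, private_cidr="10.0.3.0/24"):
    """Pick the vSRX data VNIC inside private_cidr as the 0.0.0.0/0 route target.

    Returns (junos_interface, private_ip, warnings). A VNIC can only forward
    traffic for other hosts in OCI when skip source/destination check is
    enabled on it, so a missing flag is returned as a warning.
    """
    net = ipaddress.ip_network(private_cidr)
    for name, vnic in interface_map(vnics).items():
        if name == "fxp0":  # never route data traffic via the management interface
            continue
        if ipaddress.ip_address(vnic["privateIp"]) in net:
            warnings = []
            if not vnic["skipSourceDestCheck"]:
                warnings.append(f"{name} ({vnic['privateIp']}): enable skip "
                                "source/destination check before using it as a route target")
            return name, vnic["privateIp"], warnings
    raise LookupError(f"no vSRX data interface in {private_cidr}")


if __name__ == "__main__":
    for name, vnic in interface_map(SAMPLE_VNICS).items():
        print(f"{name:10} {vnic['privateIp']}")
    iface, ip, warns = private_route_target(SAMPLE_VNICS)
    print(f"Private RT: 0.0.0.0/0 -> {ip} ({iface})")
    for w in warns:
        print("WARNING:", w)
```

With the sample data the private route target resolves to 10.0.3.3 on ge-0/0/1, matching the Private RT rule in step 5.3, and the missing skip source/destination check on that VNIC is reported before the route is created. An attachment list with a gap (for example indexes 0 and 2 only) is rejected, which is the condition the note in step 9 warns about.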