vSRX Virtual Firewall Overview
SUMMARY: In this topic you learn about vSRX Virtual Firewall architecture and its benefits.
vSRX Virtual Firewall is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX Virtual Firewall runs as a virtual machine (VM) on a standard x86 server. vSRX Virtual Firewall is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Firewalls.
The vSRX Virtual Firewall provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and Content Security features including Enhanced Web Filtering and Anti-Virus. Combined with ATP Cloud, the vSRX Virtual Firewall offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.
Figure 1 shows the high-level architecture.
vSRX Virtual Firewall includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX Virtual Firewall uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX Virtual Firewall supports scaling vCPUs and virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.
Junos OS runs inside the vSRX Virtual Firewall VM. Junos OS does not have direct access to the physical NIC; it has only the virtual NIC access provided by the hypervisor, which might be shared with other VMs running on the same host machine. This virtual access comes with certain restrictions. In particular, rewriting MAC addresses from the guest requires the host to place the virtual function in a special mode called trust mode, and enabling that mode might not be feasible because of possible security issues. To enable the RETH (redundant Ethernet) model to work in such environments, the MAC rewrite behavior is modified: instead of copying the parent's virtual MAC address to the child interfaces, the children's physical MAC addresses are kept intact, and the physical MAC address of the child belonging to the active node of the cluster is copied to the current MAC of the reth interface. This way, MAC rewrite access is not required when trust mode is disabled.
Setting trust mode for VFs (virtual functions) enables the host to change the MAC address of the guest at run time. This helps vSRX Virtual Firewall interfaces discover multiple IPv6 neighbours and perform better under scaling conditions; otherwise, ND learning on vSRX Virtual Firewall interfaces is limited to only 10 IPv6 neighbours. On a Linux host, enable VF trust mode by running the following command on the host machine:
ip link set dev enp134s0f1 vf 0 trust on
Verify the configuration:
user@host:~# ip link
enp134s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq portid 3cfdfed48ad9 state UP mode DEFAULT group default qlen 1000
    link/ether 3c:fd:fe:d4:8a:d9 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust on
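Because trust mode lets a VF's MAC be changed at run time, a host administrator will want to audit which VFs carry it. The following POSIX shell functions are an added example (not code from this Juniper page) that parse `ip link` output and report each VF's trust and spoof-checking state; the sample output is constructed to mirror the format shown above, and vf 1 and vf 2 are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the Juniper page): audit SR-IOV VF trust state
# from `ip link` output. The sample below is constructed to mirror the
# output format shown above; vf 1 and vf 2 are invented for illustration.
SAMPLE_IP_LINK='enp134s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq portid 3cfdfed48ad9 state UP mode DEFAULT group default qlen 1000
    link/ether 3c:fd:fe:d4:8a:d9 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust on
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto, trust on'

# Print one line per VF: "vf=<n> trust=<on|off> spoof=<on|off>".
# Handles the "vf N MAC ..." format above and the newer "vf N link/ether ..." format.
vf_states() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*vf [0-9]+/ {
            trust = "unknown"; spoof = "unknown"
            if (match($0, /trust (on|off)/))
                trust = substr($0, RSTART + 6, RLENGTH - 6)
            if (match($0, /spoof checking (on|off)/))
                spoof = substr($0, RSTART + 15, RLENGTH - 15)
            printf "vf=%s trust=%s spoof=%s\n", $2, trust, spoof
        }'
}

# Trust state ("on"/"off") of one VF, or nothing if that VF is absent.
# usage: vf_trust "<ip link output>" <vf-index>
vf_trust() {
    vf_states "$1" | awk -v want="vf=$2" \
        '$1 == want { sub(/^trust=/, "", $2); print $2; exit }'
}

# Indices of VFs with trust on: their MAC can be changed at run time, so a
# host audit should reconcile this list against the VFs intended for vSRX.
trusted_vfs() {
    vf_states "$1" | awk '$2 == "trust=on" { sub(/^vf=/, "", $1); print $1 }'
}

# On a real host, feed live output instead of the sample, e.g.:
#   trusted_vfs "$(ip link show dev enp134s0f1)"
vf_states "$SAMPLE_IP_LINK"
```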
Benefits
vSRX Virtual Firewall on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX Virtual Firewall is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX Virtual Firewall in a virtualized private or public cloud multitenant environment include:
Stateful firewall protection at the tenant edge
Faster deployment of virtual firewalls into new sites
Ability to run on top of various hypervisors and public cloud infrastructures
Full routing, VPN, core security, and networking capabilities
Application security features (including IPS and App-Secure)
Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)
Centralized management with Junos Space Security Director and local management with J-Web Interface
Juniper Advanced Threat Prevention Cloud (ATP Cloud) integration
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.