Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation vSRX vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms vSRX Virtual Firewall Deployment for AWS Configure and Manage Virtual Firewall in AWS

vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms

keyboard_arrow_up
close
keyboard_arrow_left
vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Centralized Monitoring and Troubleshooting using AWS Features

date_range 27-May-23
arrow_backward
arrow_forward

This topic provides you details on how you can perform monitoring and troubleshooting of your vSRX Virtual Firewall instances on the AWS console by integrating vSRX Virtual Firewall with CloudWatch, IAM, and Security Hub.

Understanding Centralized Monitoring Using Cloudwatch

AWS provides a comprehensive view of various metrics, logs, security events from third-party services across AWS accounts. With the support of CloudWatch, vSRX Virtual Firewall can publish native metrics and logs to cloud, which you can use to monitor vSRX Virtual Firewall running status. Security Hub is the single place that aggregates, organizes and prioritizes security alerts.

The CloudWatch logs agent provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. The agent pushes log data to CloudWatch Logs.

The cloudagent daemon that runs on the vSRX Virtual Firewall allows integration of AWS CloudWatch and Security Hub. The cloudagent:

  • Collects device metrics and send metrics to AWS CloudWatch

  • Collects system and security logs and sends the logs to AWS CloudWatchLog

    Any event type (component or log level) that can be collected by the cloudagent under vSRX Virtual Firewall event log mode is supported for CloudWatch log collection. Events supported for CloudWatchLog are:

    • System activities such as Interfaces status (up/down), configuration changes, user login logout and so on.

    • Security events such as IDP, ATP Cloud, and security logs such as Content Security logs, and Screen, ATP Cloud and so on.

  • Collects security alerts and import those alerts to Security Hub in security finding format.

    To import security events to Security Hub, you need to configure CloudWatch log collection and import the security events based on the log messages.

    Security Hub collects security data from across AWS accounts, services, and supported third-party partners and helps you analyze your security trends and identify the highest priority security issues. After the AWS security hub support is added on vSRX Virtual Firewall, it helps administrator reduces the effort of collecting and prioritizing security findings across accounts. With the help of Security hub, you can run automated, continuous account-level configuration and compliance checks based on vSRX Virtual Firewall security output.

For the list of events and metrics that are imported, see Table 1 and Table 2.

For more information on the events and their purpose, see Juniper System Log Explorer.

Table 1: Events Imported to Security Hub

Metric

Description

AV_MANY_MSGS_NOT_SCANNED_MT

Skip antivirus scanning due to excessive traffic

WEBFILTER_URL_BLOCKED

Web request blocked

AAMW_CONTENT_FALLBACK_LOG

AAMW content fallback info

AV_MANY_MSGS_DROPPED_MT

Drop the received file due to excessive traffic

PFE_SCREEN_MT_CFG_ERROR

screen config failure

WEBFILTER_URL_REDIRECTED

Web request redirected

AV_FILE_NOT_SCANNED_PASSED_MT

The antivirus scanner passed the received traffic without scanning because of exceeding the maximum content size

RT_SCREEN_TCP_SRC_IP

TCP source IP attack

RT_SCREEN_SESSION_LIMIT

Session limit

SECINTEL_ACTION_LOG

Secintel action info

IDP_APPDDOS_APP_STATE_EVENT

IDP: DDOS application state transition event

AAMW_HOST_INFECTED_EVENT_LOG

AAMW cloud host status event info

IDP_ATTACK_LOG_EVENT

IDP attack log

IDP_SESSION_LOG_EVENT

IDP session event log

AAMW_MALWARE_EVENT_LOG

AAMW cloud malware event info

WEBFILTER_URL_PERMITTED

Web request permitted

IDP_PACKET_CAPTURE_LOG_EVENT

IDP packet captutre event log

RT_SCREEN_WHITE_LIST

Screen white list

RT_SCREEN_IP

IP attack

AAMW_SMTP_ACTION_LOG

AAMW SMTP action info

RT_SCREEN_TCP_DST_IP

TCP destination IP attack

IDP_APPDDOS_APP_ATTACK_EVENT

IDP: DDOS attack on application

RT_SCREEN_ICMP

ICMP attack

IDP_TCP_ERROR_LOG_EVENT

IDP TCP error log

AV_FILE_NOT_SCANNED_DROPPED_MT

The antivirus scanner dropped the received traffic without scanning because of exceeding the maximum content size

AAMW_ACTION_LOG

 AAMW action info

PFE_SCREEN_MT_ZONE_BINDING_ERROR

screen config failure

AV_VIRUS_DETECTED_MT

The antivirus scanner detected a virus

PFE_SCREEN_MT_CFG_EVENT

screen config

RT_SCREEN_TCP

TCP attack

RT_SCREEN_UDP

UDP attack

AV_SCANNER_DROP_FILE_MT

The antivirus scanner dropped the received traffic because of an internal error

AAMW_IMAP_ACTION_LOG

AAMW IMAP action info

AV_SCANNER_ERROR_SKIPPED_MT

Skip antivirus scanning due to an internal error

AV_MEMORY_INSUFFICIENT_MT

The DRAM size is too small to support antivirus

Table 2: Supported vSRX Virtual Firewall Metrics Published on CloudWatch by Coudagent

Metric

Unit

Description

ControlPlaneCPUUtil

Percent

Utilization of the CPU on which control plane tasks are running

DataPlaneCPUUtil

Percent

Utilization of each CPU on which data plane tasks are running

DiskUtil

Percent

Disk storage utilization

ControlPlaneMemoryUtil

Percent

Memory utilization of control plane tasks

DataPlaneMemoryUtil

Percent

Memory utilization of data plane task

FlowSessionInUse

Count

Monitors the number of flow session in use, including all those sessions are allocated in valid, invalid, pending and other states.

FlowSessionUtil

Percent

Flow session utilization

RunningProcesses

Count

Number of processes in running state.

Ge00XInputKBPS

Kilobits/Second

Interfaces input statistics on Kilobits per second. Each GE interface will be monitored separately.

Ge00XInputPPS

Count/Second

Interfaces input statistics on packets per second. Each GE interface will be monitored separately.

Ge00XOutputKBPS

Kilobits/Second

Interfaces output statistics on Kilobits per second. Each GE interface will be monitored separately.

Ge00XOutputPPS

Count/Second

Interfaces output statistics on packets per second. Each GE interface will be monitored separately.

Besides the agent running in vSRX Virtual Firewall, you must configure the AWS console to enable CloudWatch and Security Hub service for vSRX Virtual Firewall, including:

  • Grant privileges for vSRX Virtual Firewall to post data to CloudWatch and Security Hub

  • Create a role with corresponding permission in AWS Identity and Access Management (IAM) console

  • Attach the role to vSRX Virtual Firewall instances in AWS EC2 console

  • Configure CloudWatch dashboard to display metric items with chart widget

Figure 1 shows how a cloudagent collects data from vSRX Virtual Firewall and posts to AWS services.

Figure 1: Integration of AWS Cloudwatch on vSRX Virtual Firewall 3.0Integration of AWS Cloudwatch on vSRX Virtual Firewall 3.0

Benefits

  • Observability of events and data on a single platform across applications and infrastructure

  • Easiest way to collect metric in AWS and on-premises

  • Improve operational performance and resource optimization

  • Get operational visibility and insight

  • Derive actionable insights from logs

CloudWatch Overview

Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your vSRX Virtual Firewall 3.0 instances running smoothly.

CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards so you can get a unified view of your AWS resources, applications, and services that run in AWS and on-premises. You can correlate your metrics and logs to better understand the health and performance of your resources. You can also create alarms based on metric value thresholds you specify, or that can watch for anomalous metric behavior based on machine learning algorithms. To take action quickly, you can set up automated actions to notify you if an alarm is triggered and automatically start auto scaling, for example, to help reduce mean-time-to-resolution. You can also dive deep and analyze your metrics, logs, and traces, to better understand how to improve application performance.

Security Hub Overview

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. Security Hub is the single place that aggregates, organizes, and prioritizes security alerts. vSRX Virtual Firewall supports Security Hub with authentication to post security finding data to Security Hub.

Various security alerts from your vSRX Virtual Firewall instances are collected by Security Hub. With the integration of Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from your vSRX Virtual Firewall instances. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and Juniper standards. Enable Security Hub using the management console and once enabled, Security Hub will begin aggregating and prioritizing the findings.

Identity and Access Management Console

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM is a feature of your AWS account offered at no additional charge.

Integration of vSRX Virtual Firewall with AWS Monitoring and Troubleshooting Features

This topic provides details on how to integrate CloudWatch and Security Hub with vSRX Virtual Firewall 3.0 for centralized monitoring and troubleshooting on the AWS console.

Grant Permission for vSRX Virtual Firewall to access AWS CloudWatch and Security Hub

This section provides you details on how to enable access on vSRX Virtual Firewall instances to interact with AWS CloudWatch and Security Hub.

  1. Create an IAM role using AWS IAM console.

    Login to AWS IAM console, create IAM role and attach the role to vSRX Virtual Firewall instances to grant those permissions. You must create an IAM role before you can launch an instance with that role or attach it to an instance. For more information, see IAM Roles for Amazon EC2.

  2. Configure an IAM role role on the AWS console and attach the role to vSRX Virtual Firewall instance. After you create and IAM role, the role can be viewed on IAM console and edited as necessary.
  3. To launch an instance with an IAM role or to attach or replace an IAM role for an existing instance, permissions have to be granted to pass the role to the instance. AWS has to grant permission to pass an IAM role to an instance. For more information, see Granting an IAM User Permission to Pass an IAM Role to an Instance.
  4. Attach an IAM role to vSRX Virtual Firewall instances by selecting a IAM role and the vSRX Virtual Firewall instance ID under the Attach/Replace IAM Role tab on the AWS console as shown in Figure 2. With the created role, you can enable CloudWatch and Security Hub access for vSRX Virtual Firewall instance by attaching the role.
    Figure 2: Attach or Replace IAM Role to the vSRX Virtual Firewall Instances Attach or Replace IAM Role to the vSRX Virtual Firewall Instances

Enable Monitoring of vSRX Virtual Firewall Instances with AWS CloudWatch Metric

This procedure provides us steps to enable monitoring of vSRX Virtual Firewall with AWS CloudWatch Metric.

Metric is data about the performance of the system. By enabling CloudWatch Metric monitoring, you can monitor some resources of vSRX Virtual Firewall instances.

  1. Enable CloudWatch and Security Hub using the AWS console.
  2. Configure CloudWatch metric in the Cloudwatch agent.

    To enable CloudWatch metric monitoring, you need to configure metric namespace and collection interval on the instance by executing the # set security cloud aws cloudwatch metric namespace <namespace> collect-interval <integer> command.

    A namespace is a container for CloudWatch metrics. Metric in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics. Different vSRX Virtual Firewall instances can use same CloudWatch metric namespace. Metric from different vSRX Virtual Firewall instances can be differentiated by dimensional data (instances id/name) in metric value.

    Collection interval is the frequency at which the firewall publishes the metrics to CloudWatch. The value can be set between 1 minute and 60 minutes. The default value is 3 minutes.

    Once the Cloudwatch metric monitoring is enabled, the cloudagent running on vSRX Virtual Firewall collects all the required metric and publishes the metric data on the Cloudwatch.

    Once monitoring is enabled you can view CloudWatch Metric. CloudWatch metric can be graphed after cloudagent starts to collect and post metric data to the cloud. By selecting the metric namespaces created from vSRX Virtual Firewall on AWS CloudWatch console, administrator can check and display all metric data. Check AWS CloudWatch guide for how to filter and display on those collected metric.

  3. View the Cloudwatch metric data. CloudWatch metrics can be graphed after cloudagent starts to collect and post metric data to cloud.
  4. Configure CloudWatch dashboard to display metric items with chart widget.

    Amazon CloudWatch dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different regions. You can manually create a dashboard for the vSRX Virtual Firewall under monitoring.

Collect, Store, and View vSRX Virtual Firewall Logs to AWS CloudWatch

CloudWatch Logs are used to monitor, store, and access log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources. For a vSRX Virtual Firewall instance, cloudagent collects both system and security logs and then post these logs to CloudWatchLog. The log collection in cloudagent will cache logs in a time window and post them to CloudWatchLog in a batch.

This procedure provides you details on how to enable and configure CloudWatch Logs on vSRX Virtual Firewall

  1. To enable log collection for CloudWatchLog, you need to configure a log group, collect interval and from which file to collect log messages on the device.
    content_copy zoom_out_map
    # set security cloud aws cloudwatch log group vsrx-group
# set security cloud aws cloudwatch log file mylog collect-interval 2
# set security cloud aws cloudwatch log file syslog collect-interval 1

    A log stream is a sequence of log events that share the same source. Each separate source of logs into CloudWatch Logs makes up a separate log stream. For log collection, one vSRX Virtual Firewall will post logs as a dedicated stream which means vSRX Virtual Firewall will automatically create a log stream in the destination log group.

    A log group is a group of log streams that share the same retention, monitoring, and access control settings. By defining the log groups on the vSRX Virtual Firewall instance, yiu can specify which streams are placed into which group.

    Collection interval is the frequency at which the firewall publishes logs to CloudWatchLog. The value can be set between 1 minute and 60 minutes. The default value is 3 minutes.

    Three vSRX Virtual Firewall log files can be collected in CloudWatch simultaneously per vSRX Virtual Firewall instance. Each log file will create a corresponding a log stream in Cloudwatch. The log stream will be named under log group with convention <vsrx_instance_id> <log_file_name>.

    After you enable CloudWatch logging in the cloudagent on vSRX Virtual Firewall instances, you need to configure syslog message file.

  2. Configure the syslog message file.

    Any filters can be applied based on vSRX Virtual Firewall syslog filtering. It provides the capability to define which log messages will be sent to CloudWatchLogs. For example, the below configuration means system will log any error messages to the syslog file under the /var/log and cloudagent will collect the messages from /var/log/syslog and post the messages to CloudWatchLogs.

    content_copy zoom_out_map
    # set security cloud aws cloudwatch log file syslog collect-interval 1
# set system syslog file syslog any error
  3. View and search vSRX Virtual Firewall logs on CloudWatchLog console. Log groups and stream will be created automatically after configured on vSRX Virtual Firewall instances.

    Select the log group and stream to check and search those logs sent to CloudWatch from the vSRX Virtual Firewall instance.

Enable and Configure Security Hub on vSRX Virtual Firewall

To import security events to AWS Security Hub, you need to configure CloudWatch log collection and then import the security events based on the log messages.

For example:

# set security cloud aws cloudwatch log group vsrx-group

# set security cloud aws cloudwatch log file mylog security-hub-import

# set security cloud aws cloudwatch log file mylog collect-interval 1

# set system syslog file mylog any any

# set system syslog file mylog structured-data

In the above configuration you are configuring CloudWatch log collection on file mylog under /var/log directory and any security events in the log file will be imported from the vSRX Virtual Firewall to Security Hub in the AWS security finding format.

Note:

The security-hub-import option is only supported on log files with structured-data format. Which means if a message is logged with plain text format, security events in log messages cannot be converted to AWS security finding and imported to Security Hub.

You can view the security findings posted from vSRX Virtual Firewall on the Security Hub console.

arrow_backward PREVIOUS Multi-Core Scaling Support on AWS with SWRSS and ENA
NEXT arrow_forward Deploying vSRX Virtual Firewall 3.0 for Securing Data using AWS KMS
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top