Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation vSRX vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms vSRX Virtual Firewall Deployment for IBM Cloud Installing and Configuring vSRX Virtual Firewall in IBM

vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms

keyboard_arrow_up
close
keyboard_arrow_left
vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Working with the vSRX Virtual Firewall Default Configurations

date_range 27-May-23
arrow_backward
arrow_forward

Understanding the vSRX Virtual Firewall default configuration

IBM Cloud™ Juniper vSRX Virtual Firewall devices come with following default configuration:

  • SSH and Ping are permitted on both vSRX Virtual Firewall public and private gateway IP addresses

  • Juniper Web Management (J-Web) UI access is permitted on HTTPS port 8443 for both public and private gateway IP addresses

  • An address-set SERVICE is predefined for IBM service networks

  • Two security zones: SL-PRIVATE and SL-PUBLIC are predefined.

  • Access from the zone SL-PRIVATE to all services is provided by IBM and address-set SERVICE is permitted

  • All other network accesses are denied

Two redundancy groups are configured are illustrated below:

Redundancy group

Redundancy group function

redundancy-group 0

Redundancy group for control plane

redundancy-group 1

Redundancy group for data plane

Priority in the redundancy group decides which vSRX Virtual Firewall node is active. By default, node 0 is active for both control plane and data plane.

Reference Default Configuration Samples

Importing and Exporting a vSRX Virtual Firewall Configuration

The IBM Cloud™ Juniper vSRX Virtual Firewall upgrade process preserves the original configuration of the vSRX Virtual Firewall throughout the entire process, as long as the required reloads are done one at a time. However, it is still strongly recommended to export and backup your vSRX Virtual Firewall configuration settings before starting the upgrade.

After the upgrade process completes for stand alone servers, you should import the original configuration you saved if you want to restore it. For High Availability configurations, you should restore the configuration manually from your exported file only if the upgrade fails or if moving between architectures. For more information on migrating 1G configurations from the legacy architecture to the current architecture, see Migrating legacy configurations to the current vSRX architecture.

Considerations

  • The upgrade process for Standalone and High Availability (HA) are different. See Upgrading the vSRX.

  • The J-Web interface allows you to display, edit, and upload the current configuration quickly and easily without using the Junos OS CLI. See J-Web for SRX Series Documentation for more details.

  • An upgrade from the vSRX Virtual Firewall 15.1 release to a newer vSRX Virtual Firewall release, such as 19.4, results in changes to the vSRX Virtual Firewall interface mappings in the configuration file. As a result, when importing your original vSRX Virtual Firewall settings, make sure that the new “interfaces” section is not modified. There are two ways of doing this: Either import sub-sections other than the “interfaces” section, or import the entire configuration and manually restore the 19.4 SR-IOV interfaces.

The new vSRX Virtual Firewall default interface configuration for both the Linux Bridge and SR-IOV must be preserved after the import of their configurations. For example, for SR-IOV the GE interfaces have specific mappings to the host that must be preserved to enable SR-IOV. These interfaces are found in the CLI using the command show configuration interfaces. See vSRX default configurations section for more information on SR-IOV mappings. See Migrating legacy configurations to the current vSRX architecture for details on migrating 1G configurations from the legacy architecture to the current architecture.

If you prefer using the Junos OS CLI, the following contents provide different methods to export and import your configuration settings, depending on whether you want to export or import the entire configuration or just part of it. To manage the configuration settings, enter CLI mode, then run the command configure to enter configuration mode. Then to commit your changes, run the command commit.

Exporting part of the vSRX Virtual Firewall configuration

To export only part of the vSRX Virtual Firewall configuration:

  1. Enter configuration mode and ensure you are at the top of the configuration tree: edit then top

  2. Then run the show <section> command to get the current configuration, enclosed in braces.

    For example, you can run show interfaces to show all the interfaces configuration. Or, if you prefer to display the output in set mode, run the show <section> | display set command.

    The output should be similar to the following:

    content_copy zoom_out_map
    # show interfaces | display set
set interfaces ge-0/0/0 description PRIVATE_VLANs
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 925
set interfaces ge-0/0/0 mtu 9000
...

[edit]
    Tip:

    Set mode displays the configuration as a series of configuration mode commands required to re-create the configuration. This is useful if you are not familiar with how to use configuration mode commands or if you want to cut, paste, and edit the displayed configuration.

  3. Copy and save the output into your local workspace for later use.

Importing the entire vSRX Virtual Firewall configuration

The new vSRX Virtual Firewall default interface configuration for both the Linux Bridge and SR-IOV must be preserved after the import of their configurations. For example, for SR-IOV the GE interfaces have specific mappings to the host that must be preserved to enable SR-IOV. These interfaces are found in the CLI using the show configuration interfaces command. For more information on SR-IOV mappings, see vSRX default configuration.

To import the entire vSRX Virtual Firewall configuration:

  1. After upgrading the vSRX Virtual Firewall, copy the config file you saved earlier back to the /var/tmp folder.

  2. Run load override /var/tmp/backup.txt under the configuration mode to replace the entire current configuration with the content that you saved under the /var/tmp folder.

Importing part of the vSRX Virtual Firewall configuration

The new vSRX Virtual Firewall default interface configuration for both the Linux Bridge and SR-IOV must be preserved after the import of their configurations. For example, for SR-IOV the GE interfaces have specific mappings to the host that must be preserved to enable SR-IOV. These interfaces are found in the CLI using the show configuration interfaces command. For more information on SR-IOV mappings, see vSRX default configuration.

To import only part of the vSRX Virtual Firewall configuration:

  1. From the configuration mode, run edit <section> to go to the configuration tree level that you want.

  2. Copy the configuration settings you have saved and run the command load merge terminal relative to merge the configuration with the current one.

  3. Paste the content, hit Enter to go to a new line, then type Control + D to end the input.

    The output should be similar to the following:

    content_copy zoom_out_map
    # load merge terminal relative
[Type ^D at a new line to end input]
family inet {
           filter {
               input PROTECT-IN;
           }
       }
load complete

[edit interfaces lo0 unit 0]

Alternatively, you can also:

  1. Replace the configuration instead of merging it, by deleting the configuration first with the command delete under this configuration tree level and then performing a load merge terminal relative to copy and paste your previous configuration.

  2. Edit the configuration in set mode, by running load set terminal instead of load merge terminal relative. Then copy and paste the content you saved in set mode.

    Note:

    Ensure that you always run the load set terminal at the top.

arrow_backward PREVIOUS Managing VLANs with a gateway appliance
NEXT arrow_forward Migrating Legacy Configurations to the Current vSRX Virtual Firewall Architecture
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top