Working with the vSRX Virtual Firewall Default Configurations
Understanding the vSRX Virtual Firewall default configuration
IBM Cloud™ Juniper vSRX Virtual Firewall devices come with the following default configuration:
SSH and Ping are permitted on both vSRX Virtual Firewall public and private gateway IP addresses
Juniper Web Management (J-Web) UI access is permitted on HTTPS port 8443 for both public and private gateway IP addresses
An address-set SERVICE is predefined for IBM service networks
Two security zones: SL-PRIVATE and SL-PUBLIC are predefined.
Access from the zone SL-PRIVATE to all services provided by IBM and to the address-set SERVICE is permitted
All other network accesses are denied
Two redundancy groups are configured, as shown below:

Redundancy group | Redundancy group function
---|---
redundancy-group 0 | Redundancy group for control plane
redundancy-group 1 | Redundancy group for data plane
Priority in the redundancy group decides which vSRX Virtual Firewall node is active. By default, node 0 is active for both control plane and data plane.
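The defaults listed above are the baseline a configuration import should not silently loosen. The following script is an added example, not IBM Cloud or Juniper code: it reads a set-mode export (the `show configuration | display set` form used later on this page) and reports deviations from the documented posture, namely a missing zone, host-inbound services other than SSH, ping and HTTPS, a missing SERVICE address-set, the global default policy, and any security policy that permits traffic from SL-PUBLIC. The sample lines are constructed; the Junos stanza names are standard, but the exact configuration IBM ships is an assumption.

```python
"""Audit a saved set-mode export against the vSRX defaults described above.

Added example, not IBM Cloud or Juniper code. The sample lines are
constructed to resemble `show configuration | display set` output; the
stanza names (security zones, host-inbound-traffic, address-book,
policies, default-policy) are standard Junos syntax, but the exact
default configuration shipped by IBM is an assumption.
"""
from collections import defaultdict

# Constructed sample: the documented default posture plus one policy
# (OPEN-ALL) that a careless import could introduce.
SAMPLE_EXPORT = """\
set security zones security-zone SL-PRIVATE host-inbound-traffic system-services ssh
set security zones security-zone SL-PRIVATE host-inbound-traffic system-services ping
set security zones security-zone SL-PUBLIC host-inbound-traffic system-services ssh
set security zones security-zone SL-PUBLIC host-inbound-traffic system-services ping
set security zones security-zone SL-PUBLIC host-inbound-traffic system-services https
set security address-book global address-set SERVICE address IBM-SERVICE-NET-1
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy ALLOW-SERVICE match source-address any
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy ALLOW-SERVICE match destination-address SERVICE
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy ALLOW-SERVICE then permit
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy OPEN-ALL match source-address any
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy OPEN-ALL match destination-address any
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy OPEN-ALL match application any
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy OPEN-ALL then permit
set security policies default-policy deny-all
"""

EXPECTED_ZONES = {"SL-PRIVATE", "SL-PUBLIC"}
# The page permits SSH, ping and J-Web (HTTPS) on the gateway addresses.
ALLOWED_INBOUND = {"ssh", "ping", "https"}


def set_lines(text):
    """Yield the tokens after `set` for every set-mode line; skip the rest."""
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "set":
            yield tokens[1:]


def audit(text):
    """Compare an export with the documented defaults and return findings."""
    zones, inbound = set(), defaultdict(set)
    has_service_set, default_policy = False, None
    policies = defaultdict(dict)  # (from-zone, to-zone, name) -> details

    for t in set_lines(text):
        if t[:3] == ["security", "zones", "security-zone"]:
            zones.add(t[3])
            if "system-services" in t:
                inbound[t[3]].add(t[t.index("system-services") + 1])
        elif t[:2] == ["security", "address-book"] and "address-set" in t:
            has_service_set |= t[t.index("address-set") + 1] == "SERVICE"
        elif t[:3] == ["security", "policies", "default-policy"]:
            default_policy = t[3]
        elif t[:3] == ["security", "policies", "from-zone"]:
            pol = policies[(t[3], t[5], t[7])]
            if t[8] == "then":
                # "then permit" may be followed by other "then" lines (e.g. log)
                pol["permit"] = pol.get("permit", False) or t[9] == "permit"
            elif t[8] == "match":
                pol.setdefault("match", {})[t[9]] = t[10]

    # Anything permitted *from* SL-PUBLIC goes beyond "all other access denied".
    public_permits = []
    for (frm, to, name), pol in policies.items():
        if frm == "SL-PUBLIC" and pol.get("permit"):
            m = pol.get("match", {})
            public_permits.append(
                f"{frm}->{to} policy {name} permits "
                f"{m.get('source-address')} to {m.get('destination-address')}")

    return {
        "missing_zones": sorted(EXPECTED_ZONES - zones),
        "unexpected_inbound": {z: sorted(s - ALLOWED_INBOUND)
                               for z, s in inbound.items() if s - ALLOWED_INBOUND},
        "service_address_set": has_service_set,
        "default_policy": default_policy,
        "public_permits": public_permits,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against the file you exported before the upgrade and again against `show configuration | display set` after the import; a new entry in `public_permits`, an extra inbound service, or a `default_policy` other than `deny-all` is what to look at before committing.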
Importing and Exporting a vSRX Virtual Firewall Configuration
The IBM Cloud™ Juniper vSRX Virtual Firewall upgrade process preserves the original configuration of the vSRX Virtual Firewall throughout the entire process, as long as the required reloads are done one at a time. However, it is still strongly recommended to export and back up your vSRX Virtual Firewall configuration settings before starting the upgrade.
After the upgrade process completes for standalone servers, you should import the original configuration you saved if you want to restore it. For High Availability configurations, you should restore the configuration manually from your exported file only if the upgrade fails or if moving between architectures. For more information on migrating 1G configurations from the legacy architecture to the current architecture, see Migrating legacy configurations to the current vSRX architecture.
Considerations
The upgrade process for Standalone and High Availability (HA) deployments is different. See Upgrading the vSRX.
The J-Web interface allows you to display, edit, and upload the current configuration quickly and easily without using the Junos OS CLI. See J-Web for SRX Series Documentation for more details.
An upgrade from the vSRX Virtual Firewall 15.1 release to a newer vSRX Virtual Firewall release, such as 19.4, results in changes to the vSRX Virtual Firewall interface mappings in the configuration file. As a result, when importing your original vSRX Virtual Firewall settings, make sure that the new “interfaces” section is not modified. There are two ways of doing this: either import the sub-sections other than the “interfaces” section, or import the entire configuration and then manually restore the 19.4 SR-IOV interfaces.
The new vSRX Virtual Firewall default interface configuration for both the Linux Bridge and SR-IOV must be preserved after the import of their configurations. For example, for SR-IOV the GE interfaces have specific mappings to the host that must be preserved to enable SR-IOV. These interfaces are found in the CLI using the command show configuration interfaces. See the vSRX default configurations section for more information on SR-IOV mappings. See Migrating legacy configurations to the current vSRX architecture for details on migrating 1G configurations from the legacy architecture to the current architecture.
If you prefer using the Junos OS CLI, the following sections describe different methods to export and import your configuration settings, depending on whether you want to export or import the entire configuration or just part of it. To manage the configuration settings, enter CLI mode, then run the command configure to enter configuration mode. To commit your changes, run the command commit.
Exporting part of the vSRX Virtual Firewall configuration
To export only part of the vSRX Virtual Firewall configuration:
Enter configuration mode and make sure you are at the top of the configuration tree: run edit, then top.
Run the show <section> command to get the current configuration, enclosed in braces. For example, run show interfaces to display the configuration of all interfaces. Or, if you prefer to display the output in set mode, run show <section> | display set. The output should be similar to the following:

```
# show interfaces | display set
set interfaces ge-0/0/0 description PRIVATE_VLANs
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 925
set interfaces ge-0/0/0 mtu 9000
...
[edit]
```

Tip: Set mode displays the configuration as a series of configuration mode commands required to re-create the configuration. This is useful if you are not familiar with how to use configuration mode commands or if you want to cut, paste, and edit the displayed configuration.
Copy and save the output into your local workspace for later use.
Importing the entire vSRX Virtual Firewall configuration
The new vSRX Virtual Firewall default interface configuration for both the Linux Bridge and SR-IOV must be preserved after the import of their configurations. For example, for SR-IOV the GE interfaces have specific mappings to the host that must be preserved to enable SR-IOV. These interfaces are found in the CLI using the show configuration interfaces command. For more information on SR-IOV mappings, see vSRX default configuration.
To import the entire vSRX Virtual Firewall configuration:
After upgrading the vSRX Virtual Firewall, copy the configuration file you saved earlier back to the /var/tmp folder.
In configuration mode, run load override /var/tmp/backup.txt to replace the entire current configuration with the contents of the file you saved in the /var/tmp folder.
Importing part of the vSRX Virtual Firewall configuration
To import only part of the vSRX Virtual Firewall configuration:
From configuration mode, run edit <section> to go to the configuration tree level that you want.
Copy the configuration settings you saved earlier and run the command load merge terminal relative to merge them with the current configuration.
Paste the content, press Enter to go to a new line, then type Control + D to end the input.
The output should be similar to the following:

```
# load merge terminal relative
[Type ^D at a new line to end input]
family inet {
    filter {
        input PROTECT-IN;
    }
}
load complete
[edit interfaces lo0 unit 0]
```
Alternatively, you can also:
Replace the configuration instead of merging it, by deleting the configuration first with the command delete under this configuration tree level and then performing a load merge terminal relative to copy and paste your previous configuration.
Edit the configuration in set mode, by running load set terminal instead of load merge terminal relative. Then copy and paste the content you saved in set mode.
Note: Ensure that you always run load set terminal at the top of the configuration tree.
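The Considerations section above recommends importing the sub-sections other than “interfaces” so that the post-upgrade interface mappings stay untouched, and the note above says set-mode input must be loaded at the top of the tree. The following script is an added example, not IBM Cloud or Juniper code, that prepares a saved set-mode export for exactly that: it groups the lines by top-level hierarchy, returns everything except the interfaces hierarchy as `load set terminal` input, and lists the interface names (such as `ge-0/0/0.925` in a security zone) that the remaining lines still reference but that the upgraded device's `show configuration interfaces | display set` output does not define, since a load of such lines would fail or bind a zone to the wrong interface. All sample lines are constructed; the interface-name pattern is an assumption that covers the common Junos forms.

```python
"""Prepare a set-mode export for partial import on an upgraded vSRX.

Added example, not IBM Cloud or Juniper code. SAMPLE_EXPORT stands in for
the file saved before the upgrade and NEW_INTERFACES for the upgraded
device's `show configuration interfaces | display set`; both are constructed.
"""
import re
from collections import OrderedDict

# Constructed pre-upgrade export (what was saved to the local workspace).
SAMPLE_EXPORT = """\
set system host-name vsrx-example
set interfaces ge-0/0/0 description PRIVATE_VLANs
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 925
set interfaces ge-0/0/0 mtu 9000
set interfaces lo0 unit 0 family inet filter input PROTECT-IN
deactivate interfaces ge-0/0/1
set security zones security-zone SL-PRIVATE interfaces ge-0/0/0.925
set security zones security-zone SL-PUBLIC interfaces ge-0/0/1.0
set security policies default-policy deny-all
"""

# Constructed post-upgrade interface section (must be preserved as-is).
NEW_INTERFACES = """\
set interfaces ge-0/0/0 description PRIVATE_VLANs
set interfaces ge-0/0/0 unit 925 vlan-id 925
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
"""

PREFIXES = ("set", "deactivate", "delete")
# Assumed interface-name pattern: ge-0/0/0, ge-0/0/0.925, lo0, lo0.0, fxp0.
IFACE_RE = re.compile(r"^(?:[a-z]+-\d+/\d+/\d+|lo0|fxp0)(?:\.\d+)?$")


def split_by_hierarchy(text):
    """Group set-mode lines by top-level hierarchy, preserving file order."""
    groups = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] not in PREFIXES or len(tokens) < 2:
            raise ValueError(f"not a set-mode line: {line!r}")
        groups.setdefault(tokens[1], []).append(line)
    return groups


def lines_for_import(text, exclude=("interfaces",)):
    """Lines to paste into `load set terminal` at the top of the tree."""
    return [line for hier, lines in split_by_hierarchy(text).items()
            if hier not in exclude for line in lines]


def referenced_interfaces(text):
    """Interface names used outside the interfaces hierarchy (zones, etc.)."""
    refs = set()
    for hier, lines in split_by_hierarchy(text).items():
        if hier == "interfaces":
            continue
        for line in lines:
            tokens = line.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok in ("interfaces", "interface") and IFACE_RE.match(tokens[i + 1]):
                    refs.add(tokens[i + 1])
    return refs


def defined_interfaces(interfaces_text):
    """Physical and logical (name.unit) interfaces defined in an export."""
    defined = set()
    for line in split_by_hierarchy(interfaces_text).get("interfaces", []):
        tokens = line.split()  # set interfaces <name> [unit <n> ...]
        defined.add(tokens[2])
        if len(tokens) > 4 and tokens[3] == "unit":
            defined.add(f"{tokens[2]}.{tokens[4]}")
    return defined


def dangling_references(export_text, new_interfaces_text):
    """Referenced interfaces that the upgraded device does not define."""
    return sorted(referenced_interfaces(export_text)
                  - defined_interfaces(new_interfaces_text))


if __name__ == "__main__":
    print("\n".join(lines_for_import(SAMPLE_EXPORT)))
    print("dangling:", dangling_references(SAMPLE_EXPORT, NEW_INTERFACES))
```

Resolve every dangling reference (rename the zone binding to the interface the new mapping actually uses) before pasting the output into load set terminal at the top of the tree, then run commit check before commit.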