Understand vSRX Virtual Firewall with VMware
This section presents an overview of vSRX Virtual Firewall on VMware.
vSRX Virtual Firewall Overview
vSRX Virtual Firewall is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX Virtual Firewall runs as a virtual machine (VM) on a standard x86 server. vSRX Virtual Firewall is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Firewalls.
The vSRX Virtual Firewall provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and Content Security features including Enhanced Web Filtering and Anti-Virus. Combined with ATP Cloud, the vSRX Virtual Firewall offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.
Figure 1 shows the high-level architecture.
![vSRX Virtual Firewall Architecture](../../images/g004195.png)
vSRX Virtual Firewall includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX Virtual Firewall uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX Virtual Firewall supports scaling vCPUs and GB virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.
Junos OS Release 18.4R1 supports a new software architecture, vSRX Virtual Firewall 3.0, that removes the dual-OS and nested virtualization requirements of the existing vSRX Virtual Firewall architecture.
In the vSRX Virtual Firewall 3.0 architecture, FreeBSD 11.x is used as the guest OS, and the Routing Engine and Packet Forwarding Engine run on FreeBSD 11.x as a single virtual machine for improved performance and scalability. vSRX Virtual Firewall 3.0 uses DPDK to process the data packets in the data plane. A direct Junos upgrade from vSRX Virtual Firewall to vSRX Virtual Firewall 3.0 software is not supported.
vSRX Virtual Firewall 3.0 has the following enhancements compared to vSRX Virtual Firewall:
- Removed the restriction of requiring nested VM support in hypervisors.
- Removed the restriction of requiring ports connected to the control plane to have promiscuous mode enabled.
- Improved boot time and enhanced responsiveness of the control plane during management operations.
- Improved live migration.

Figure 2 shows the high-level software architecture for vSRX Virtual Firewall 3.0.
![vSRX Virtual Firewall 3.0 Architecture](../../images/g300161.png)
vSRX Virtual Firewall Benefits and Use Cases
vSRX Virtual Firewall on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX Virtual Firewall is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX Virtual Firewall in a virtualized private or public cloud multitenant environment include:
- Stateful firewall protection at the tenant edge
- Faster deployment of virtual firewalls into new sites
- Ability to run on top of various hypervisors and public cloud infrastructures
- Full routing, VPN, core security, and networking capabilities
- Application security features (including IPS and App-Secure)
- Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)
- Centralized management with Junos Space Security Director and local management with J-Web Interface
- Juniper Networks Juniper Advanced Threat Prevention Cloud (ATP Cloud) integration

vSRX Virtual Firewall on VMware ESXi Deployment
VMware vSphere is a virtualization environment for systems supporting the x86 architecture. VMware ESXi® is the hypervisor used to create and run virtual machines (VMs) and virtual appliances on a host machine. The VMware vCenter Server® is a service that manages the resources of multiple ESXi hosts.
The VMware vSphere Web Client is used to deploy the vSRX Virtual Firewall VM.
Figure 3 shows an example of how vSRX Virtual Firewall can be deployed to provide security for applications running on one or more virtual machines. The vSRX Virtual Firewall virtual switch has a connection to a physical adapter (the uplink) so that all application traffic flows through the vSRX Virtual Firewall VM to the external network.
![Example of vSRX Virtual Firewall Deployment](../../images/s018393.png)
vSRX Virtual Firewall Scale Up Performance
Table 1 shows the vSRX Virtual Firewall scale up performance based on the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM. The table outlines the Junos OS release in which a particular software specification for deploying vSRX Virtual Firewall on VMware was introduced. You will need to download a specific Junos OS release to take advantage of certain scale up performance features.
vCPUs | vRAM | NICs | Junos OS Release Introduced |
---|---|---|---|
2 vCPUs | 4 GB | | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 |
5 vCPUs | 8 GB | | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1 |
9 vCPUs | 16 GB | Note: SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX Virtual Firewall to 9 vCPUs and 16 GB vRAM. | Junos OS Release 18.4R1 |
17 vCPUs | 32 GB | Note: SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX Virtual Firewall to 17 vCPUs and 32 GB vRAM. | Junos OS Release 18.4R1 |
1 vCPU | 4 GB | SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. | Junos OS Release 21.2R1 |
4 vCPUs | 8 GB | SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. | Junos OS Release 21.2R1 |
8 vCPUs | 16 GB | SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. | Junos OS Release 21.2R1 |
16 vCPUs | 32 GB | SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. | Junos OS Release 21.2R1 |
You can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. The multi-core vSRX Virtual Firewall automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX Virtual Firewall VM do not match what is currently available, the vSRX Virtual Firewall scales down to the closest supported value for the instance. For example, if a vSRX Virtual Firewall VM has 3 vCPUs and 8 GB of vRAM, vSRX Virtual Firewall boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX Virtual Firewall instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX Virtual Firewall instance to a smaller setting.
The number of RSS queues typically matches the number of data plane vCPUs of a vSRX Virtual Firewall instance. For example, a vSRX Virtual Firewall with 4 data plane vCPUs should have 4 RSS queues.
vSRX Virtual Firewall Session Capacity Increase
The vSRX Virtual Firewall solution is optimized to increase the session numbers by increasing the memory.
With the ability to increase the session numbers by increasing the memory, you can enable vSRX Virtual Firewall to:
- Provide highly scalable, flexible and high-performance security at strategic locations in the mobile network.
- Deliver the performance that service providers require to scale and protect their networks.

Run the `show security flow session summary | grep maximum` command to view the maximum number of sessions.
Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.
Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.
Table 2 lists the flow session capacity.
vCPUs | Memory | Flow Session Capacity |
---|---|---|
2 | 4 GB | 0.5 M |
2 | 6 GB | 1 M |
2/5 | 8 GB | 2 M |
2/5 | 10 GB | 2 M |
2/5 | 12 GB | 2.5 M |
2/5 | 14 GB | 3 M |
2/5/9 | 16 GB | 4 M |
2/5/9 | 20 GB | 6 M |
2/5/9 | 24 GB | 8 M |
2/5/9 | 28 GB | 10 M |
2/5/9/17 | 32 GB | 12 M |
2/5/9/17 | 40 GB | 16 M |
2/5/9/17 | 48 GB | 20 M |
2/5/9/17 | 56 GB | 24 M |
2/5/9/17 | 64 GB | 28 M |
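
The scale-down rule and Table 2 can be combined into a pre-deployment sizing check. The following is an added example, not Juniper code: it assumes "closest supported value" means the largest tier listed in Table 2 that does not exceed the allocation (as in the 3 vCPU example above), and the VM names in the inventory are constructed.

```python
# Added example: sizing audit built from Table 2 on this page.
# Assumption: a VM lands on the largest Table 2 row/tier that does not
# exceed its allocation (consistent with the 3 vCPU -> 2 vCPU example).
from bisect import bisect_right

# Table 2 rows: (memory GB, vCPU tiers listed for the row, flow sessions in millions)
TABLE2 = [
    (4, (2,), 0.5), (6, (2,), 1), (8, (2, 5), 2), (10, (2, 5), 2),
    (12, (2, 5), 2.5), (14, (2, 5), 3), (16, (2, 5, 9), 4),
    (20, (2, 5, 9), 6), (24, (2, 5, 9), 8), (28, (2, 5, 9), 10),
    (32, (2, 5, 9, 17), 12), (40, (2, 5, 9, 17), 16),
    (48, (2, 5, 9, 17), 20), (56, (2, 5, 9, 17), 24),
    (64, (2, 5, 9, 17), 28),
]
MEM_STEPS = [row[0] for row in TABLE2]

def effective_size(vcpus, vram_gb):
    """Return the Table 2 row an allocation maps to, or None if below the smallest row."""
    idx = bisect_right(MEM_STEPS, vram_gb) - 1      # largest memory row <= vRAM
    if idx < 0:
        return None
    mem, tiers, sessions_m = TABLE2[idx]
    usable = [t for t in tiers if t <= vcpus]       # tiers the vCPU count can satisfy
    if not usable:
        return None
    eff = max(usable)
    return {"vcpus": eff, "table_memory_gb": mem,
            "flow_sessions_millions": sessions_m, "unused_vcpus": vcpus - eff}

def audit(inventory):
    """Flag allocations that are below Table 2 or leave vCPUs unused after scale-down."""
    findings = []
    for name, vcpus, vram in inventory:
        size = effective_size(vcpus, vram)
        if size is None:
            findings.append((name, "below smallest Table 2 row"))
        elif size["unused_vcpus"]:
            findings.append((name, f"scales down to {size['vcpus']} vCPUs, "
                                   f"{size['flow_sessions_millions']} M sessions"))
    return findings

if __name__ == "__main__":
    # Constructed inventory: (VM name, allocated vCPUs, allocated vRAM in GB)
    for finding in audit([("fw-a", 3, 8), ("fw-b", 5, 8), ("fw-c", 17, 16), ("fw-d", 1, 4)]):
        print(finding)
```

Compare the session figure this reports with the value returned by `show security flow session summary | grep maximum` on the running instance.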
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.