vSRX Guide for AWS



Modified: 2017-09-01

Copyright © 2017, Juniper Networks, Inc.

Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, California 94089

USA

408-745-2000 www.juniper.net

Copyright © 2017 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/ . By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation (page ix)
  • Documentation and Release Notes (page ix)
  • Supported Platforms (page ix)
  • Documentation Conventions (page ix)
  • Documentation Feedback (page xi)
  • Requesting Technical Support (page xii)
      • Self-Help Online Tools and Resources (page xii)
      • Opening a Case with JTAC (page xii)

Chapter 1: Overview Information (page 15)
  • Understanding vSRX with AWS (page 15)
      • vSRX with AWS (page 15)
      • vSRX Benefits and Use Cases (page 16)
      • AWS Glossary (page 17)
  • System Requirements for vSRX on AWS (page 19)
      • System Requirements for AWS (page 19)
      • Best Practices Recommendations (page 19)
  • Interface Naming and Mapping (page 20)
  • vSRX Factory Default Settings (page 20)

Chapter 2: Installing vSRX in AWS (page 23)
  • Configuring an AWS Virtual Private Cloud for vSRX (page 23)
      • Step 1: Creating a VPC and Internet Gateway (page 24)
      • Step 2: Adding Subnets for vSRX (page 26)
      • Step 3: Adding Route Tables for vSRX (page 27)
      • Step 4: Adding Security Groups for vSRX (page 29)
  • Launching an Instance of vSRX (page 31)
      • Step 1: Creating an SSH Key Pair (page 31)
      • Step 2: Launching a vSRX Instance (page 33)
      • Step 3: Viewing the AWS System Logs (page 35)
      • Step 4: Adding Network Interfaces for vSRX (page 35)
      • Step 5: Allocating Elastic IP Addresses (page 37)
      • Step 6: Adding the vSRX Private Interfaces to the Route Tables (page 37)
      • Step 7: Rebooting the vSRX Instance (page 38)
      • Step 8: Logging in to a vSRX Instance (page 38)

Chapter 3: Configuring and Managing vSRX Basics (page 41)
  • Configuring vSRX Using the CLI (page 41)
      • Understanding vSRX Preconfiguration and Factory Default (page 41)
      • Adding a Basic vSRX Configuration (page 42)
      • Adding DNS Servers (page 43)
  • Configuring vSRX Using the J-Web Interface (page 43)
      • Accessing the J-Web Interface and Configuring vSRX (page 43)
      • Applying the Configuration (page 45)
  • Managing Security Policies for Virtual Machines Using Junos Space Security Director (page 46)
  • Removing a vSRX Instance on AWS (page 46)

Chapter 4: vSRX in AWS Use Cases (page 47)
  • Example: Configuring NAT for vSRX (page 47)
  • Example: Configuring VPN on vSRX Between VPCs in AWS (page 48)

Chapter 5: vSRX Licensing (page 53)
  • vSRX Feature Licenses Overview (page 53)
      • vSRX License Procurement and Renewal (page 53)
      • vSRX Evaluation License (page 54)
          • Product Evaluation License (page 55)
          • Advanced Security Features Evaluation License (page 55)
      • License Types (page 56)
      • Throughput (page 57)
      • License Duration (page 57)
      • Individual (à la carte) Feature Licenses (page 58)
      • Bundled Licenses (page 58)
      • Stacking Licenses (page 58)
      • vSRX License Keys Components (page 58)
      • License Management Fields Summary (page 59)
  • Managing Licenses for vSRX (page 61)
      • vSRX Evaluation License Installation Process (page 61)
      • Adding a New License Key with J-Web (page 62)
      • Adding a New License Key from the CLI (page 63)
      • Updating vSRX Licenses (page 64)
      • Deleting a License with J-Web (page 65)
      • Deleting a License with the CLI (page 66)
      • License Warning Messages (page 66)
  • vSRX License Model Numbers for AWS (page 67)

Chapter 6: Troubleshooting (page 71)
  • Finding the Software Serial Number for vSRX (page 71)

List of Figures

Chapter 2: Installing vSRX in AWS (page 23)
  • Figure 1: Example of vSRX Deployment (page 24)
  • Figure 2: Verify Region (page 32)
  • Figure 3: Disable Source/Dest. Check (page 36)

Chapter 5: vSRX Licensing (page 53)
  • Figure 4: Sample vSRX License SKU (page 57)
  • Figure 5: J-Web Licenses Window Showing Installed Licenses (page 59)
  • Figure 6: J-Web Licenses Window (page 62)
  • Figure 7: Add License Window (page 63)
  • Figure 8: License Details Window (page 63)
  • Figure 9: Deleting a License (page 65)
  • Figure 10: Delete Licenses Window (page 66)
  • Figure 11: J-Web Dashboard for License Expiry Warning (page 67)

List of Tables

Chapter 1: About the Documentation (page ix)
  • Table 1: Notice Icons (page x)
  • Table 2: Text and Syntax Conventions (page x)

Chapter 1: Overview Information (page 15)
  • Table 3: VPC Related Terminology (page 17)
  • Table 4: EC2 Related Terminology (page 18)
  • Table 5: System Requirements for vSRX (page 19)
  • Table 6: vSRX and AWS Interface Names (page 20)
  • Table 7: Factory-Default Settings for Security Policies (page 21)

Chapter 2: Installing vSRX in AWS (page 23)
  • Table 8: Supported AWS Instance Types for vSRX (page 33)
  • Table 9: AWS Instance Details (page 34)
  • Table 10: Network Interface Settings (page 36)
  • Table 11: Elastic IP Settings (page 37)
  • Table 12: Private Route Settings (page 38)

Chapter 3: Configuring and Managing vSRX Basics (page 41)
  • Table 13: Device Name and User Account Information (page 44)
  • Table 14: System Time Options (page 44)

Chapter 5: vSRX Licensing (page 53)
  • Table 15: vSRX Evaluation License Type (page 55)
  • Table 16: Summary of License Management Fields (page 60)
  • Table 17: vSRX Licensing Package Types (page 68)

About the Documentation

Documentation and Release Notes on page ix

Supported Platforms on page ix

Documentation Conventions on page ix

Documentation Feedback on page xi

Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/ .

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books .

Supported Platforms

For the features described in this document, the following platforms are supported:

• vSRX

Documentation Conventions

Table 1 on page x defines the notice icons used in this guide.

Table 1: Notice Icons

Icon (Meaning): Description
  • Informational note: Indicates important features or instructions.
  • Caution: Indicates a situation that might result in loss of data or hardware damage.
  • Warning: Alerts you to the risk of personal injury or death.
  • Laser warning: Alerts you to the risk of personal injury from a laser.
  • Tip: Indicates helpful information.
  • Best practice: Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
    In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html , simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/ .

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: http://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html .

CHAPTER 1

Overview Information

Understanding vSRX with AWS on page 15

System Requirements for vSRX on AWS on page 19

Interface Naming and Mapping on page 20

vSRX Factory Default Settings on page 20

Understanding vSRX with AWS

This section presents an overview of vSRX in Amazon Web Services (AWS) public clouds.

vSRX with AWS on page 15

vSRX Benefits and Use Cases on page 16

AWS Glossary on page 17

vSRX with AWS

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on Junos OS and delivers networking and security features similar to those available on SRX Series Services Gateways for the branch.

AWS provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform on which individuals and enterprises can host servers and services, either as a pay-as-you-go (PAYG) service or as bring-your-own-license (BYOL).

NOTE: vSRX PAYG images do not require any Juniper Networks licenses.

AWS Marketplace also enables you to discover and subscribe to software that supports regulated workloads through AWS Marketplace for AWS GovCloud (US).


Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

• vSRX Next-Generation Firewall Bundle 1—Includes standard (STD) features of core security, IPsec VPN, NAT, CoS, and routing services as well as the AppSecure features of AppID, AppFW, AppQoS, and AppTrack.

• vSRX Next-Generation Firewall Bundle 2—Includes the features in vSRX Next-Generation Firewall Bundle 1 and the UTM antivirus feature.

You can deploy vSRX in a virtual private cloud (VPC) hosted by AWS as an application instance in the AWS Elastic Compute Cloud (EC2). Each EC2 instance is deployed, accessed, and configured over the Internet using the AWS Management Console, and the capacity of each instance can be scaled up or down as needed.

NOTE: In the current release, each vSRX instance uses two vCPUs and 4 GB of memory, even if the instance type selected in AWS is different.

vSRX uses hardware assisted virtual machines (HVM) for high performance (enhanced networking), and supports the following deployments in AWS cloud environments:

• As a firewall between other EC2 instances on your VPC and the Internet

• As a VPN endpoint between your corporate network and your VPC

• As a firewall between EC2 instances on different subnets

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs.

vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

• Stateful firewall protection at the tenant edge

• Faster deployment of virtual firewalls into new sites

• Full routing, VPN, core security, and networking capabilities

• Application security features (including IPS and AppSecure)

• Content security features (including antivirus, Web filtering, antispam, and content filtering)

• Centralized management with Junos Space Security Director and local management with the J-Web interface

• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration


AWS Glossary

This section defines some common terms used in an AWS public cloud configuration. Table 3 on page 17 defines common terms used for Virtual Private Clouds (VPCs), and Table 4 on page 18 defines common terms for Elastic Compute Cloud (EC2) services.

Table 3: VPC Related Terminology

Internet gateways
  VPC components that allow communication between the instances in your VPC and the Internet.

IP addressing
  AWS uses three types of IP address:
  • Public IP address: An address assigned by AWS that is routable from the Internet. A public IP address is mapped to the primary private IP address of the interface by AWS NAT.
  • Private IP address: An address from the VPC CIDR range (RFC 1918 space) that is not publicly routable.
  • Elastic IP address: A static public IP address that you allocate to your account and can move between network interfaces. When an Elastic IP address is associated with an interface that has an auto-assigned public IP address, that public IP address is released, and a new one is assigned only after the Elastic IP address is disassociated from the interface.
  Each network interface can carry multiple private IP addresses. Interfaces in public subnets can additionally carry a public IP address and one Elastic IP address per private IP address; interfaces in private subnets carry private IP addresses and, optionally, an Elastic IP address per private IP address.
  You can assign static private IP addresses from the subnet range. AWS reserves the first four and the last IP address of every subnet: the network address, the VPC router at network+1 (the default gateway for the subnet), the DNS resolver at network+2, network+3 for future use, and the broadcast address. Static addresses must be chosen outside these five.

Network ACL
  AWS stateless virtual firewall that operates at the subnet level.

Route tables
  A set of routing rules that determines where network traffic is directed. Each subnet must be associated with a route table; subnets that are not explicitly associated with one use the main route table. You can create custom route tables in addition to the main table.

Subnet
  A range of addresses within the VPC CIDR block. EC2 instances receive their IP addresses from the subnet's pool. A VPC can contain two types of subnet:
  • Public subnets: Subnets whose route table has a route to the Internet gateway.
  • Private subnets: Subnets whose route table has no route to the Internet gateway.
  NOTE: With vSRX Network Address Translation (NAT), you can launch all customer instances in private subnets and connect only the vSRX interfaces to the Internet. This keeps your instances from being directly exposed to Internet traffic.

VPC
  Virtual private cloud: a logically isolated virtual network in AWS, defined by a CIDR block, in which you launch your EC2 instances.


Table 4: EC2 Related Terminology

Amazon Machine Image (AMI)
  Amazon image format that contains the information required to launch an EC2 instance, such as the template for the root volume, launch permissions, and the block device mapping.

Cluster networking
  Instances launched in a common cluster placement group. Instances within the cluster get high-bandwidth, low-latency networking between them.

Elastic Block Store (EBS)
  Persistent block storage that can be attached to an EC2 instance. Block storage volumes can be formatted and mounted on an instance. EBS-optimized instances provide dedicated throughput between Amazon EC2 and Amazon EBS.

Elastic Compute Cloud (EC2)
  Amazon Web Service that lets you launch and manage elastic virtual servers that run on the Amazon infrastructure.

Elastic IP
  A static public IP address designed for dynamic cloud computing. AWS maps it to the private IP address of the interface using NAT.

Enhanced networking
  Provides higher packet-per-second performance, lower latency, higher I/O performance, and lower CPU utilization than traditional implementations. vSRX uses enhanced networking with hardware virtual machine (HVM) Amazon Machine Images (AMIs).

Instance
  A virtual machine on EC2. Instances run under the Xen hypervisor in either paravirtual or HVM mode; vSRX requires HVM (see Table 5). EC2 provides a selection of instance types optimized for different use cases.

Key pairs
  Public-key cryptography used by AWS to secure login to an instance: AWS installs the public key on the instance, and you authenticate with the matching private key. Create key pairs in EC2 or import your own.
  NOTE: AWS does not accept DSA keys. Restrict the downloaded private key file (.pem) to mode 400 (owner read-only); ssh refuses to use a private key file that other users can read.

Network interfaces
  Virtual network interfaces that you can attach to an instance in the VPC. An Elastic Network Interface (ENI) can have a primary private IP address, multiple secondary private IP addresses, one Elastic IP address per private IP address, one public IP address, one or more security groups, one MAC address, and a source/destination check flag.
  NOTE: For vSRX instances, disable the source/destination check on every interface. With the check enabled, AWS drops any packet whose source or destination address is not the ENI's own address, which is exactly the transit traffic a firewall forwards.

Network MTU
  All Amazon instance types support an MTU of 1500. Some instance types also support jumbo frames (9001-byte MTU).
  NOTE: Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.

Security groups
  An AWS-provided stateful virtual firewall that is attached to an instance's network interfaces and controls the traffic for one or more instances. In a VPC, the security groups of an instance can be changed after launch. AWS evaluates the security group before a packet reaches vSRX.
  NOTE: Because vSRX manages your firewall settings, make sure there is no contradiction between the rule sets in your AWS security groups and the rule sets in your vSRX configuration. A flow that vSRX would permit but the security group drops never reaches vSRX, so it does not appear in vSRX session logs.


Release History Table

Release 15.1X49-D70: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

Related Documentation

• AWS Tutorials

• Getting Started with AWS

System Requirements for vSRX on AWS

System Requirements for AWS

Table 5 on page 19 lists the system requirements for a vSRX instance in an AWS environment.

Table 5: System Requirements for vSRX

Component: Specification
  • Hypervisor support: XEN-HVM
  • Memory: 4 GB
  • Disk space: 16 GB
  • vCPUs: 2
  • vNICs: Up to 8 (vNIC type SR-IOV)

Best Practices Recommendations

vSRX deployments can be complex, and there is a great deal of variability in the specifics of possible deployments. The following recommendations might apply to and improve performance and function in your particular circumstances:

• Disable the source/destination check for all vSRX interfaces; otherwise AWS drops the transit traffic that vSRX forwards.

• Restrict the private key file of your key pair to mode 400 (owner read-only).

• Ensure that there are no contradictions between your AWS security groups and your vSRX configuration; a flow the security group drops never reaches vSRX.

• Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.

• Use vSRX NAT to protect your EC2 instances from direct Internet traffic.
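The security-group recommendation above (and the NOTE under "Security groups" in Table 4) is easy to violate silently, because AWS evaluates the security group before the packet ever reaches vSRX. The following Python script is an added example, not part of the Juniper guide or of any Juniper tool: it takes a security-group description in the shape returned by `aws ec2 describe-security-groups` and a list of the inbound flows your vSRX policies are meant to permit, and reports every flow the security group would drop first. The group `sg-0example`, the policy names, the CIDRs and the port numbers are constructed sample data; the zone-to-interface mapping (one untrust ENI) is an assumption of the example.

```python
"""
Added example (not from the Juniper guide): detect contradictions between
the AWS security group on a vSRX interface and the vSRX security policies
that are meant to pass traffic through that interface.  AWS drops a packet
that the security group does not admit before vSRX sees it, so any port that
vSRX permits but the group blocks is black-holed without a vSRX log entry.
All data below is constructed for the example.
"""
import ipaddress

# Constructed: what `aws ec2 describe-security-groups` would return for the
# group attached to the untrust (Internet-facing) ENI of the vSRX.
UNTRUST_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: the intent of the vSRX policies whose from-zone is untrust,
# i.e. the inbound flows the firewall is expected to permit (and usually NAT).
VSRX_INBOUND_PERMITS = [
    {"policy": "web-in",   "proto": "tcp", "port": 443,  "src": "0.0.0.0/0"},
    {"policy": "alt-web",  "proto": "tcp", "port": 8443, "src": "0.0.0.0/0"},
    {"policy": "ike",      "proto": "udp", "port": 500,  "src": "0.0.0.0/0"},
    {"policy": "mgmt-ssh", "proto": "tcp", "port": 22,   "src": "198.51.100.0/24"},
]


def sg_allows(sg, proto, port, src):
    """True if some inbound rule of the security group admits the whole
    source range for this protocol/port.  AWS encodes "all protocols" as
    IpProtocol "-1", in which case the rule carries no port range."""
    want = ipaddress.ip_network(src)
    for rule in sg["IpPermissions"]:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] != "-1" and not (
                rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        # The rule must cover the entire source range the policy expects;
        # a partial overlap would still drop part of the legitimate traffic.
        for r in rule["IpRanges"]:
            if want.subnet_of(ipaddress.ip_network(r["CidrIp"])):
                return True
    return False


def find_contradictions(sg, permits):
    """One finding per vSRX permit that the security group would drop
    before vSRX could evaluate it, in the order the permits were given."""
    findings = []
    for p in permits:
        if not sg_allows(sg, p["proto"], p["port"], p["src"]):
            findings.append(
                f"policy {p['policy']}: {p['proto']}/{p['port']} from {p['src']} "
                f"is permitted by vSRX but not by {sg['GroupId']}")
    return findings


if __name__ == "__main__":
    for line in find_contradictions(UNTRUST_SG, VSRX_INBOUND_PERMITS):
        print(line)
```

Run against the sample data, the script flags `alt-web` (tcp/8443 has no security-group rule at all) and `mgmt-ssh` (the group admits tcp/22 only from 203.0.113.0/24, not from the 198.51.100.0/24 range the vSRX policy expects). Repeat the check for each vSRX interface with the group attached to that ENI; the reverse mismatch, a group that is wider than the vSRX policy, is not a hole because vSRX drops unmatched flows, but tightening it gives a second layer if a vSRX policy is later loosened by mistake.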


Interface Naming and Mapping

Table 6 on page 20 shows the vSRX and AWS interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 6: vSRX and AWS Interface Names

Interface Number   vSRX Interface   AWS Interface
1                  fxp0             eth0
2                  ge-0/0/0         eth1
3                  ge-0/0/1         eth2
4                  ge-0/0/2         eth3
5                  ge-0/0/3         eth4
6                  ge-0/0/4         eth5
7                  ge-0/0/5         eth6
8                  ge-0/0/6         eth7

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.

NOTE: Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
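The interface mapping in Table 6 and the routing-instance rule in the note above, as an added Python example (not code from the Juniper guide): it maps an AWS eth index to the vSRX interface name and scans Junos set statements to report any security zone whose interfaces sit in different routing instances, which is the misconfiguration the note warns about. The sample configuration and the routing-instance name vr-revenue are constructed for illustration.

```python
"""Interface mapping and zone/routing-instance consistency check for vSRX on AWS.

Added example; not code from the Juniper guide. The sample configuration and
the routing-instance name "vr-revenue" are constructed for illustration.
"""
import re
from collections import defaultdict

MAX_AWS_INTERFACES = 8  # eth0 through eth7 (Table 6)


def aws_to_vsrx(eth_index):
    """Return the vSRX name for AWS interface ethN: eth0 is fxp0 (management),
    every later interface ethN becomes revenue interface ge-0/0/(N-1)."""
    if not 0 <= eth_index < MAX_AWS_INTERFACES:
        raise ValueError(f"eth{eth_index}: AWS attaches at most {MAX_AWS_INTERFACES} interfaces")
    return "fxp0" if eth_index == 0 else f"ge-0/0/{eth_index - 1}"


ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def parse_set_config(text):
    """Collect zone -> logical interfaces and routing-instance -> logical
    interfaces from Junos 'set' statements; other statements are ignored."""
    zones, instances = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_IF.match(line):
            zones[m.group(1)].add(m.group(2))
        elif m := RI_IF.match(line):
            instances[m.group(1)].add(m.group(2))
    return dict(zones), dict(instances)


def routing_instance_of(ifl, instances):
    """An interface not placed in any routing instance lives in the default
    (inet.0) table, which is where fxp0 sits."""
    for name, ifls in instances.items():
        if ifl in ifls:
            return name
    return "default"


def check_zone_routing_instances(zones, instances):
    """Return (zone, sorted routing instances) for every zone whose interfaces
    are split across more than one routing instance; empty means consistent."""
    findings = []
    for zone, ifls in sorted(zones.items()):
        ris = {routing_instance_of(ifl, instances) for ifl in ifls}
        if len(ris) > 1:
            findings.append((zone, sorted(ris)))
    return findings


# Constructed sample: ge-0/0/2.0 was bound to zone trust but never moved into
# vr-revenue, so the trust zone straddles two routing instances.
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set routing-instances vr-revenue instance-type virtual-router
set routing-instances vr-revenue interface ge-0/0/0.0
set routing-instances vr-revenue interface ge-0/0/1.0
"""


def audit_sample():
    zones, instances = parse_set_config(SAMPLE_CONFIG)
    return check_zone_routing_instances(zones, instances)


if __name__ == "__main__":
    for n in range(MAX_AWS_INTERFACES):
        print(f"eth{n} -> {aws_to_vsrx(n)}")
    for zone, ris in audit_sample():
        print(f"zone {zone} spans routing instances {', '.join(ris)}")
```

Run the audit against the output of show configuration | display set before committing; a zone listed in the findings is the case the KB article describes.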

vSRX Factory Default Settings

vSRX requires the following basic configuration settings:

• Interfaces must be assigned IP addresses.

• Interfaces must be bound to zones.

• Policies must be configured between zones to permit or deny traffic.

Table 7 on page 21 lists the factory-default settings for the vSRX security policies.


Table 7: Factory-Default Settings for Security Policies

Source Zone   Destination Zone   Policy Action
trust         trust              permit
trust         untrust            permit

CAUTION: Do not use the load factory-default command on a vSRX AWS instance. The factory-default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance. See “Configuring vSRX Using the CLI” on page 41 for AWS preconfiguration details.


CHAPTER 2

Installing vSRX in AWS

Configuring an AWS Virtual Private Cloud for vSRX on page 23

Launching an Instance of vSRX on page 31

Configuring an AWS Virtual Private Cloud for vSRX

Before you begin, you need an Amazon Web Services (AWS) account and an Identity and Access Management (IAM) role, with all required permissions to access, create, modify, and delete AWS Elastic Compute Cloud (EC2), Simple Storage Service (S3), and Virtual Private Cloud (VPC) objects. You should also create access keys and corresponding secret access keys, X.509 certificates, and account identifiers. For a better understanding of AWS terminology and its use in vSRX AWS deployments, see “Understanding vSRX with AWS” on page 15.

Figure 1 on page 24 shows an example of how you can deploy vSRX to provide security for applications running in a private subnet of a VPC. The following procedures describe how to set up a VPC with its associated Internet gateway, subnets, route table, and security groups. You can then install an instance of vSRX in the VPC (see “Launching an Instance of vSRX” on page 31).


Figure 1: Example of vSRX Deployment

Use the following process to create and prepare a VPC for vSRX:

NOTE: To upgrade an existing vSRX instance, see Migration, Upgrade, and

Downgrade in the vSRX Release Notes.

Step 1: Creating a VPC and Internet Gateway on page 24

Step 2: Adding Subnets for vSRX on page 26

Step 3: Adding Route Tables for vSRX on page 27

Step 4: Adding Security Groups for vSRX on page 29

Step 1: Creating a VPC and Internet Gateway

Use the following procedure to create a VPC and an Internet gateway in AWS. If you already have a VPC and an Internet gateway, go to “Step 2: Adding Subnets for vSRX” on page 26.


1. Log in to the AWS Management Console and select Services > Networking > VPC.

2. In the VPC Dashboard, select Your VPCs in the left pane, and click Create VPC.

3. Specify a VPC name and a range of private IP addresses in Classless Interdomain Routing (CIDR) format. Leave Default as the Tenancy.

4. Click Yes, Create.


5. Select Internet Gateways in the left pane, and click Create Internet Gateway.

6. Specify a gateway name and click Yes, Create.

7. Select the gateway you just created and click Attach to VPC.

8. Select the new VPC, and click Yes, Attach.

Step 2: Adding Subnets for vSRX

In the VPC, public subnets have access to the Internet gateway, but private subnets do not. vSRX requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.


To create each vSRX subnet:

1. In the VPC Dashboard, select Subnets in the left pane, and click Create Subnet.

2. Specify a subnet name, select the VPC and availability zone, and specify the range of subnet IP addresses in CIDR format.

NOTE: All subnets for a vSRX instance must be in the same availability zone. Do not use No Preference for the availability zone.

3. Click Yes, Create.

Repeat these steps for each subnet you want to create and attach to the vSRX instance.

Step 3: Adding Route Tables for vSRX

A main route table is created for each VPC by default. We recommend that you create a custom route table for the public subnets and a separate route table for each private subnet. All subnets that are not associated with a custom route table are associated with the main route table.


To create the route tables:

1. In the VPC Dashboard, select Route Tables in the left pane, and click Create Route Table.

2. Specify a route table name, select the VPC, and click Yes, Create.

3. Repeat steps 1 and 2 to create all the route tables.

4. Select the route table you created for the public subnets and do the following:

a. Select the Routes tab below the list of route tables.

b. Click Edit and click Add another route.

c. Enter 0.0.0.0/0 as the destination, select your VPC internet gateway as the target, and click Save.

d. Select the Subnet Associations tab, and click Edit.

e. Select the check boxes for the public subnets, and click Save.

5. Select each route table you created for a private subnet and do the following:

a. Select the Subnet Associations tab, and click Edit.

b. Select the check box for one private subnet, and click Save.

Step 4: Adding Security Groups for vSRX

A default security group is created for each VPC. We recommend that you create a separate security group for the vSRX management interface (fxp0) and another security group for all other vSRX interfaces. The security groups are assigned when a vSRX instance is launched in the EC2 Dashboard, where you can also add and manage security groups.

To create the security groups:

1. In the VPC Dashboard, select Security Groups in the left pane, and click Create Security Group.

2. For the vSRX management interface, specify a security group name in the Name Tag field, edit the Group Name field (optional), enter a description of the group, and select the VPC.


3. Click Yes, Create.

4. Repeat Steps 1 through 3 to create a security group for the vSRX revenue interfaces.

5. Select the security group you created for the management interface and do the following:

a. Select the Inbound Rules tab below the list of security groups.

b. Click Edit and click Add another rule to create the following inbound rules:

Type              Protocol   Port    Source
Custom TCP rule   Default    20-21   Enter the source in CIDR address format for each rule (0.0.0.0/0 allows any source).
SSH (22)          Default    22
HTTP (80)         Default    80
HTTPS (443)       Default    443

c. Click Save.

d. Select the Outbound Rules tab to view the default rule that allows all outbound traffic. Use the default rule unless you need to restrict the outbound traffic.

6. Select the security group you created for all other vSRX interfaces and do the following:

NOTE: The inbound and outbound rules should allow all traffic to avoid conflicts with the security settings on vSRX.

a. Select the Inbound Rules tab below the list of security groups.

b. Click Edit and create the following inbound rule:

Type          Protocol   Port   Source
All Traffic   All        All    For webservers: 0.0.0.0/0. For VPN: the VPN CIDR block.

c. Click Save.

d. Keep the default rule in the Outbound Rules tab. The default rule allows all outbound traffic.
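A check of the two security groups created in Step 4, as an added Python example that is not part of the guide: it models the inbound rules from Steps 5b and 6b and reports management-plane ports that are open to any source (0.0.0.0/0) as well as a revenue-interface group that filters traffic AWS should leave to vSRX policy. The administrator range 203.0.113.0/24, the AWS "-1" protocol notation for all traffic, and the finding texts are assumptions.

```python
"""Audit the two AWS security groups the procedure creates for a vSRX instance.

Added example, not Juniper's code. The rule sets below are constructed to
mirror the guide's tables; the admin CIDR and the finding wording are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ALL = "-1"  # AWS notation for "all protocols"; port -1 stands for every port


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or ALL
    from_port: int
    to_port: int
    source: str     # CIDR block


def management_rules(admin_cidr):
    """Inbound rules from Step 5b for the fxp0 group: the custom TCP rule for
    ports 20-21, SSH (22), HTTP (80) and HTTPS (443)."""
    return [Rule("tcp", 20, 21, admin_cidr), Rule("tcp", 22, 22, admin_cidr),
            Rule("tcp", 80, 80, admin_cidr), Rule("tcp", 443, 443, admin_cidr)]


def revenue_rules(source_cidr="0.0.0.0/0"):
    """Step 6b for the revenue-interface group: all traffic, all ports,
    from 0.0.0.0/0 (webservers) or the VPN CIDR block."""
    return [Rule(ALL, -1, -1, source_cidr)]


def audit_management(rules):
    """Flag management-plane exposure: any rule whose source is the whole
    Internet (prefix length 0) and any rule that is not port-specific."""
    findings = []
    for r in rules:
        if ip_network(r.source).prefixlen == 0:
            findings.append(f"{r.protocol} {r.from_port}-{r.to_port}: reachable from any source ({r.source})")
        if r.protocol == ALL or r.from_port == -1:
            findings.append(f"{r.source}: management group admits every protocol/port")
    return findings


def audit_revenue(rules):
    """The guide wants this group to pass everything so that AWS does not
    silently drop traffic that vSRX policy was written to inspect."""
    passes_all = any(r.protocol == ALL and r.from_port == -1 for r in rules)
    return [] if passes_all else ["revenue group filters by protocol/port; AWS would shadow vSRX policy"]


def audit_groups(admin_cidr, vpn_cidr="0.0.0.0/0"):
    """Audit both groups as the procedure builds them and return the findings."""
    return {"management": audit_management(management_rules(admin_cidr)),
            "revenue": audit_revenue(revenue_rules(vpn_cidr))}


if __name__ == "__main__":
    # Constructed comparison: an operator's office range vs. the wide-open value.
    for cidr in ("203.0.113.0/24", "0.0.0.0/0"):
        print(cidr, audit_groups(cidr))
```

The same audit can be pointed at the rules the console shows after Step 6; a management finding means the group, not vSRX, is the first line of defence for SSH and J-Web, which is the contradiction the best-practice list says to avoid.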

Related Documentation

• IAM Roles for Amazon EC2

Launching an Instance of vSRX

The following procedures describe how to launch and configure a vSRX instance in the VPC:

Step 1: Creating an SSH Key Pair on page 31

Step 2: Launching a vSRX Instance on page 33

Step 3: Viewing the AWS System Logs on page 35

Step 4: Adding Network Interfaces for vSRX on page 35

Step 5: Allocating Elastic IP Addresses on page 37

Step 6: Adding the vSRX Private Interfaces to the Route Tables on page 37

Step 7: Rebooting the vSRX Instance on page 38

Step 8: Logging in to a vSRX Instance on page 38

Step 1: Creating an SSH Key Pair

An SSH key pair is required to remotely access a vSRX instance in AWS. You can create a new key pair in the EC2 Dashboard or import a key pair created by another tool.


To create an SSH key pair in AWS:

1. Log in to the AWS Management Console and select Services > Compute > EC2.

2. In the EC2 Dashboard, select Key Pairs in the left pane. Verify that the region name shown in the toolbar is the same as the region where you created the VPC.

Figure 2: Verify Region

3. Click Create Key Pair, specify a key pair name, and click Create.

4. The private key file is automatically downloaded. Move the downloaded private key file (<key-pair-name>.pem) to a secure location.

5. To use an SSH client on a Mac or Linux computer to connect to the vSRX instance, use the following command to set the permissions of the private key file so that only you can read it:

host# chmod 400 <key-pair-name>.pem


NOTE: Alternately, use Import Key Pair to import a different key pair you generated with a third-party tool.

Step 2: Launching a vSRX Instance

You can launch a vSRX instance based on any one of the hardware virtual machine (HVM) enhanced-networking enabled instance types in Table 8 on page 33. You can select an instance type with more than 2 virtual CPUs (vCPUs) for increased bandwidth (network performance) or more interfaces, but vSRX uses a maximum of 2 vCPUs.

Table 8: Supported AWS Instance Types for vSRX

Instance Type   vCPUs   Memory (GB)   Network Performance   Maximum Number of Interfaces   Maximum Number of IP Addresses per Interface
c3.xlarge       4       7.5           Moderate              4                              15
c3.2xlarge      8       15            n/r                   n/r                            n/r
c3.4xlarge      16      30            n/r                   n/r                            n/r
c3.8xlarge      32      60            n/r                   n/r                            n/r
c4.xlarge       4       7.5           n/r                   n/r                            n/r
c4.2xlarge      8       15            n/r                   n/r                            n/r
c4.4xlarge      16      30            n/r                   n/r                            n/r
c4.8xlarge      36      60            n/r                   n/r                            n/r
m4.xlarge       4       16            n/r                   n/r                            n/r
m4.2xlarge      8       32            n/r                   n/r                            n/r
m4.4xlarge      16      64            n/r                   n/r                            n/r
m4.10xlarge     40      160           n/r                   n/r                            n/r

n/r: the cell values for these three columns were scrambled in the source text and could not be recovered for this row.

To launch a vSRX instance in the VPC:

1. In the EC2 Dashboard, select Instances in the left pane.

2. Click Launch Instance, search for the vSRX AMI in AWS Marketplace, and click Select next to the vSRX AMI.


3. Select a supported instance type. See Table 8 on page 33 for details.

4. Click Next: Configure Instance Details, and specify the fields in Table 9 on page 34.

Table 9: AWS Instance Details

Field                           Setting
Network                         Select the VPC configured for vSRX.
Subnet                          Select the public subnet for the vSRX management interface (fxp0).
Auto-assign Public IP           Select Disable (you will assign an Elastic IP address later).
Placement group                 Use the default.
Shutdown behavior               Select Stop (the default).
Enable termination protection   Use your IT policy.
Monitoring                      n/r (setting not recoverable from the source text)
Network Interfaces              Use the default or assign a public IP address for the Primary IP field.

5. Click Next: Add Storage, and use the default settings or change the Volume Type and IOPS as needed.

6. Click Next: Tag Instance, and specify a name for the vSRX instance.

7. Click Next: Configure Security Group, select Select an existing security group, and select the security group created for the vSRX management interface (fxp0).


8. Click Review and Launch, review the settings for the vSRX instance, and click Launch.

9. Select the SSH key pair you created, select the acknowledgment check box, and click Launch Instance.

10. Click View Instances to display the Instances list in the EC2 Dashboard. It might take several minutes to launch a vSRX instance.

Step 3: Viewing the AWS System Logs

To debug launch time errors, you can view the AWS system logs, as follows:

1. In the EC2 Dashboard, select Instances.

2. Select the vSRX instance, and select Actions > Instance Settings > Get System Logs.

Step 4: Adding Network Interfaces for vSRX

AWS supports up to eight interfaces for an instance, depending on the AWS instance type selected. Use the following procedure for each of the revenue interfaces you want to add to vSRX (up to seven). The first revenue interface is ge-0/0/0, the second is ge-0/0/1, and so on (see “Interface Naming and Mapping” on page 20).

To add a vSRX revenue interface:

1. In the EC2 Dashboard, select Network Interfaces in the left pane, and click Create Network Interface.

2. Specify the interface settings as shown in Table 10 on page 36, and click Yes, Create.


Table 10: Network Interface Settings

Field             Setting
Description       Enter an interface description for each of the revenue interfaces.
Subnet            Select the public subnet created for the first revenue interface (ge-0/0/0) or the private subnet created for all the other revenue interfaces.
Private IP        Enter an IP address from the selected subnet or allow the address to be assigned automatically.
Security Groups   Select the security group created for the vSRX revenue interfaces.

3. Select the new interface, select Actions > Change Source/Dest. Check, select Disabled, and click Save.

Figure 3: Disable Source/Dest. Check


4. Select the new interface, select Attach, select the vSRX instance, and click Attach.

5. Click the pencil icon in the new interface Name column and give the interface a name (for example, ix-fxp0.0).

NOTE: For a private revenue interface (ge-0/0/1 through ge-0/0/7), make a note of the network name you created or the network interface ID. You will add the name or interface ID later to the route table created for the private subnet.

Step 5: Allocating Elastic IP Addresses

For public interfaces, AWS does a NAT translation of the public IP address to a private IP address. The public IP address is called an Elastic IP address. We recommend that you assign an Elastic IP address to the public vSRX interfaces (fxp0 and ge-0/0/0). Note that when a vSRX instance is restarted, the Elastic IPs are retained, but public subnet IPs are released.

To create and allocate Elastic IPs:

1. In the EC2 Dashboard, select Elastic IPs in the left pane, click Allocate New Address, and click Yes, Allocate. (If your account supports EC2-Classic, you must first select EC2-VPC from the Network platform list.)

2. Select the new Elastic IP address, and select Actions > Associate Address.

3. Specify the settings in Table 11 on page 37, and click Allocate.

Table 11: Elastic IP Settings

Field                Setting
Network Interface    Select the vSRX management interface (fxp0) or the first revenue interface (ge-0/0/0).
Private IP Address   Enter the private IP address to be associated with the Elastic IP address.

Step 6: Adding the vSRX Private Interfaces to the Route Tables

For each private revenue interface you created for vSRX, you must add the interface ID to the route table you created for the associated private subnet.

To add a private interface ID to a route table:

1. In the VPC Dashboard, select Route Tables in the left pane.

2. Select the route table you created for the private subnet.


3. Select the Routes tab below the list of route tables.

4. Click Edit and click Add another route.

5. Specify the settings in Table 12 on page 38, and click Save.

Table 12: Private Route Settings

Field         Setting
Destination   Enter 0.0.0.0/0 for Internet traffic.
Target        Type the network name or the network interface ID for the associated private subnet. The network interface must be in the private subnet shown in the Subnet Associations tab.

NOTE: Do not select the Internet gateway (igw-nnnnnnnn).

Repeat this procedure for each private network interface. You must reboot the vSRX instance to complete this configuration.

Step 7: Rebooting the vSRX Instance

To incorporate the interface changes and complete the EC2 configuration, you must reboot the vSRX instance. Interfaces attached while the vSRX instance is running do not take effect until the instance is rebooted.

NOTE: Always use AWS to reboot the vSRX instance. Do not use the vSRX CLI to reboot.

To reboot a vSRX instance:

1. In the EC2 Dashboard, select Instances in the left pane.

2. Select the vSRX instance, and select Actions > Instance State > Reboot.

It might take several minutes to reboot a vSRX instance.

Step 8: Logging in to a vSRX Instance

Use an SSH client to log in to a vSRX instance for the first time. To log in, specify the location where you saved the SSH key pair .pem file for the root user account, and the Elastic IP address assigned to the vSRX management interface (fxp0).

ssh -i <path>/<ssh-key-pair-name>.pem root@<fxp0-elastic-IP-address>

NOTE: Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.


If you do not have the key pair filename and Elastic IP address, use these steps to view the key pair name and Elastic IP for a vSRX instance:

1. In the EC2 Dashboard, select Instances.

2. Select the vSRX instance, and select eth0 in the Description tab to view the Elastic IP address for the fxp0 management interface.

3. Click Connect above the list of instances to view the SSH key pair filename.

To configure the basic settings for the vSRX instance, see “Configuring vSRX Using the CLI” on page 41.

NOTE: vSRX pay-as-you-go images do not require any separate licenses.


CHAPTER 3

Configuring and Managing vSRX Basics

Configuring vSRX Using the CLI on page 41

Configuring vSRX Using the J-Web Interface on page 43

Managing Security Policies for Virtual Machines Using Junos Space Security Director on page 46

Removing a vSRX Instance on AWS on page 46

Configuring vSRX Using the CLI

Understanding vSRX Preconfiguration and Factory Default on page 41

Adding a Basic vSRX Configuration on page 42

Adding DNS Servers on page 43

Understanding vSRX Preconfiguration and Factory Default

vSRX on AWS deploys with the following preconfiguration defaults:

• SSH access with the RSA key pair configured during the installation

• No password access allowed for SSH access

• The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:

set system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
set groups aws-group system services ssh no-passwords
set groups aws-group interfaces fxp0 unit 0 family inet address aws-ip-address
set groups aws-group routing-options static route 0.0.0.0/0 next-hop aws-ip-address
set apply-groups aws-group

For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:

set system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
set system services ssh no-passwords
set interfaces fxp0 unit 0 family inet address aws-ip-address
set routing-options static route 0.0.0.0/0 next-hop aws-ip-address

CAUTION: Do not use the load factory-default command on a vSRX AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.

Adding a Basic vSRX Configuration

You can either create a new configuration on vSRX or copy an existing configuration from another SRX or vSRX and load it onto your vSRX in AWS. Use the following steps to copy and load an existing configuration:

1. Saving a Configuration File

2. Loading a Configuration File

To configure a vSRX instance using the CLI:

1. Log in to the vSRX instance using SSH and start the CLI.

root@% cli
root@>

2. Enter configuration mode.

root@> configure
[edit]
root@#

3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).

root@# set system root-authentication plain-text-password
New password: password
Retype new password: password

4. Optionally, enable passwords for SSH if you want to create password access for additional users.

root@# delete system services ssh no-passwords

5. Configure the hostname.

root@# set system host-name host-name

6. For each vSRX revenue interface, assign the IP address defined in AWS. For example:

root@# set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24

For multiple private addresses, enter a set command for each address. Do not assign the Elastic IP address.

7. Specify a security zone for the public interface.

root@# set security zones security-zone untrust interfaces ge-0/0/0.0

8. Specify a security zone for the private interface.

root@# set security zones security-zone trust interfaces ge-0/0/1.0

9. Verify the configuration.

root@# commit check
configuration check succeeds

10. Commit the configuration to activate it on the device.

root@# commit
commit complete

11. Optionally, use the show command to display the configuration to verify that it is correct.

Adding DNS Servers

vSRX does not include any DNS servers in the default configuration. You might need DNS configured to deploy Layer 7 services, such as IPS, to pull down signature updates, for example. You can use your own external DNS server or use an AWS DNS server. If you enable DNS on your VPC, queries to the Amazon DNS server (169.254.169.253) or the reserved IP address at the base of the VPC network range plus two should succeed. See AWS - Using DNS with Your VPC for complete details.

Related Documentation

• CLI User Guide

• AWS - Using DNS with Your VPC

Configuring vSRX Using the J-Web Interface

Accessing the J-Web Interface and Configuring vSRX on page 43

Applying the Configuration on page 45

Accessing the J-Web Interface and Configuring vSRX

To configure vSRX using the J-Web Interface:

1. Enter the AWS Elastic IP address of the eth0 interface in the browser Address box.

2. Specify the username and password.

3. Click Log In, and select the Configuration Wizards tab from the left navigation panel. The J-Web Setup Wizard page opens.

4. Click Setup.

You can use the Setup wizard to configure a device or edit an existing configuration.

• Select Edit Existing Configuration if you have already configured the wizard using the factory mode.

• Select Create New Configuration to configure a device using the wizard.

The following configuration options are available in the guided setup:

• Basic

Select Basic to configure the device name and user account information as shown in Table 13 on page 44.

• Device name and user account information

Table 13: Device Name and User Account Information

Field             Description
Device name       Type the name of the device. For example: vSRX.
Root password     Create a default root user password.
Verify password   Verify the default root user password.
Operator          Add an optional administrative account in addition to the root account. User role options include:
                  • Superuser: This user has full system administration rights and can add, modify, and delete settings and users.
                  • Operator: This user can perform system operations such as a system reset but cannot change the configuration or add or modify users.
                  • Read only: This user can only access the system and view the configuration.
                  • Disabled: This user cannot access the system.

Select either Time Server or Manual. Table 14 on page 44 lists the system time options.

Table 14: System Time Options

Field                   Description
Time Server
  Host Name             Type the hostname of the time server. For example: ntp.example.com.
  IP                    Type the IP address of the time server in the IP address entry field. For example: 192.168.1.254.
                        NOTE: You can enter either the hostname or the IP address.
Manual
  Date                  Click the current date in the calendar.
  Time                  Set the hour, minute, and seconds. Choose AM or PM.
Time Zone (mandatory)
  Time Zone             Select the time zone from the list. For example: GMT Greenwich Mean Time GMT.

• Expert

Select Expert to configure the basic options as well as the following advanced options:

• Four or more internal zones

• Internal zone services

• Application of security policies between internal zones

Click Need Help for detailed configuration information.

You see a success message after the basic configuration is complete.

Applying the Configuration

To apply the configuration settings for vSRX:

1. Review and ensure that the configuration settings are correct, and click Next. The Commit Configuration page appears.

2. Click Apply Settings to apply the configuration changes to vSRX.

3. Check the connectivity to vSRX, because you might lose connectivity if you have changed the management zone IP. Click the URL for reconnection instructions on how to reconnect to the device.

4. Click Done to complete the setup.

After successful completion of the setup, you are redirected to the J-Web interface.

CAUTION: After you complete the initial setup, you can relaunch the J-Web Setup wizard by clicking Configuration > Setup. You can either edit an existing configuration or create a new configuration. If you create a new configuration, the current configuration in vSRX will be deleted.

Managing Security Policies for Virtual Machines Using Junos Space Security Director

Managing enterprise security policy has become extremely complex. The growth in network traffic, including mobile traffic and BYOD, and the emergence of cloud services, have combined into a new array of opportunities for malicious hackers.

Security management can become error-prone and time-consuming if management solutions are slow, difficult to use, or restricted in their granularity of control. Resulting misconfigurations can make the enterprise vulnerable to threats and noncompliant with regulations and policies.

As one of the Junos Space Management Applications, Junos Space Security Director helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. It automates security provisioning through one centralized Web-based interface to help administrators manage all phases of the security policy lifecycle more quickly and intuitively, from policy creation to remediation.

Related Documentation

• Security Director

Removing a vSRX Instance on AWS

To remove a vSRX instance on AWS:

1. Log in to the AWS Management Console and select Services > Compute > EC2 > Instances.

2. Select the vSRX instance and select Actions > Instance State > Terminate to remove the instance.

3. In the dialog box, expand the section and select Release associated Elastic IP.

4. Click Yes, Terminate.

NOTE: See AWS - Clean Up to remove any unused VPCs from AWS.

Related Documentation

• AWS - Clean Up

CHAPTER 4

vSRX in AWS Use Cases

Example: Configuring NAT for vSRX on page 47

Example: Configuring VPN on vSRX Between VPCs in AWS on page 48

Example: Configuring NAT for vSRX

This example shows how to configure vSRX to NAT all hosts behind the vSRX instance in the VPC to the IP address of the vSRX egress interface on the untrust zone. This configuration allows hosts behind vSRX in a cloud network to access the Internet.

Before You Begin on page 47

Overview on page 47

Configuration on page 47

Configuring NAT on page 47

Before You Begin

Ensure that you have installed and launched a vSRX instance in an AWS VPC.

Overview

A common cloud configuration includes hosts that you want to grant access to the Internet, but you do not want anyone from outside your cloud to get access to your hosts. You can use vSRX in an AWS VPC to NAT traffic inside the VPC from the public Internet.

Configuration

Configuring NAT

Step-by-Step Procedure

To configure NAT on the vSRX instance:

1. Log in to the vSRX console in configuration edit mode (see “Configuring vSRX Using the CLI” on page 41).

2. Set the IP addresses for vSRX revenue interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24

3. Set up the untrust security zone.

set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0

4. Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5. Set up the security policies.

set security policies from-zone trust to-zone untrust policy test match source-address any
set security policies from-zone trust to-zone untrust policy test match destination-address any
set security policies from-zone trust to-zone untrust policy test match application any
set security policies from-zone trust to-zone untrust policy test then permit

6. Configure NAT.

set security nat source rule-set SNAT_RuleSet from zone trust
set security nat source rule-set SNAT_RuleSet to zone untrust
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule match source-address 0.0.0.0/0
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule then source-nat interface
commit

Related Documentation

• vSRX Virtual Firewall-Based AWS Transit VPC

Example: Configuring VPN on vSRX Between VPCs in AWS

This example shows how to configure IPsec VPN between two instances of vSRX in AWS on different VPCs.

Before You Begin on page 48

Overview on page 49

vSRX1 VPN Configuration on page 49

Verification on page 51

Before You Begin

Ensure that you have installed and launched a vSRX instance in an AWS VPC.


See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.

Overview

You can use IPsec VPN to secure traffic between two VPCs in AWS using two vSRX instances.

vSRX1 VPN Configuration

Step-by-Step

Procedure

To configure IPsec VPN on vSRX1:

1.

Log in to the vSRX1 console in configuration edit mode (see “Configuring vSRX Using the CLI” on page 41).

2.

Set the IP addresses for vSRX1 revenue interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24

3.

Set up the untrust security zone.

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1

4.

Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5.

Configure IKE.

set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
set security ike proposal AWS_IKE_Proposal dh-group group2
set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
set security ike policy AWS-R mode aggressive
set security ike policy AWS-R proposals AWS_IKE_Proposal
set security ike policy AWS-R pre-shared-key ascii-text preshared-key
set security ike gateway AWS-R ike-policy AWS-R
set security ike gateway AWS-R address 198.51.100.10
set security ike gateway AWS-R local-identity user-at-hostname "[email protected]"
set security ike gateway AWS-R remote-identity user-at-hostname "[email protected]"
set security ike gateway AWS-R external-interface ge-0/0/0

NOTE: Replace the placeholder preshared-key with a long random secret and configure the identical value on vSRX2. Aggressive mode sends the IKE identities in the clear and exposes a hash of the pre-shared key to offline guessing by anyone who can observe the exchange, so use main mode unless the peer requires aggressive mode. DH group2 (1024-bit MODP) and SHA-1 for IPsec are legacy choices; pick stronger algorithms if both peers support them.


6.

Configure IPsec.

set security ipsec proposal AWS_IPSEC protocol esp
set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
set security ipsec vpn aws-aws bind-interface st0.1
set security ipsec vpn aws-aws ike gateway AWS-R
set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
set security ipsec vpn aws-aws establish-tunnels immediately

7.

Configure routing.

set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
set routing-instances aws interface st0.1
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances aws routing-options static route 10.20.20.0/24 next-hop st0.1
commit

vSRX2 VPN Configuration

Step-by-Step

Procedure

To configure IPsec VPN on vSRX2:

1.

Log in to the vSRX2 console in configuration edit mode (see “Configuring vSRX Using the CLI” on page 41).

2.

Set the IP addresses for the vSRX2 revenue interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
set interfaces st0 unit 1 family inet address 10.0.250.20/24

3.

Set up the untrust security zone.

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1

4.

Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5.

Configure IKE.

set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
set security ike proposal AWS_IKE_Proposal dh-group group2
set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
set security ike policy AWS-R mode aggressive
set security ike policy AWS-R proposals AWS_IKE_Proposal
set security ike policy AWS-R pre-shared-key ascii-text preshared-key
set security ike gateway AWS-R ike-policy AWS-R
set security ike gateway AWS-R address 203.0.113.10
set security ike gateway AWS-R local-identity user-at-hostname "[email protected]"
set security ike gateway AWS-R remote-identity user-at-hostname "[email protected]"
set security ike gateway AWS-R external-interface ge-0/0/0

6.

Configure IPsec.

set security ipsec proposal AWS_IPSEC protocol esp
set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
set security ipsec vpn aws-aws bind-interface st0.1
set security ipsec vpn aws-aws ike gateway AWS-R
set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
set security ipsec vpn aws-aws establish-tunnels immediately

7.

Configure routing.

set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
set routing-instances aws interface st0.1
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.1.0.1
set routing-instances aws routing-options static route 10.10.10.0/24 next-hop st0.1
commit

The default route on each vSRX must point at the VPC router of its own ge-0/0/0 subnet (10.0.0.1 for vSRX1 in 10.0.0.0/24, 10.1.0.1 for vSRX2 in 10.1.0.0/24); a next hop outside the connected subnet cannot be resolved and the tunnel never comes up.
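Both procedures above (the NAT use case and the VPN on vSRX1 and vSRX2) are typed in as flat set statements, where a mistyped hierarchy, an interface left out of its zone, or a default route pointing at another subnet's router is easy to miss before commit. The following Python script is an added example, not code from this guide or from Juniper: it lints a set-format configuration for exactly those mistakes. The sample configuration embedded in it is constructed for the example and deliberately flawed; the list of placeholder pre-shared keys and the wording of the findings are this example's own choices.

```python
"""Added example, not code from the Juniper guide: sanity checks for a
Junos 'set'-style configuration of the kind the NAT and VPN procedures
build.  The checks encode mistakes those procedures are prone to:

  * a revenue or tunnel interface that is configured but bound to no
    security zone (a zone-less st0 unit comes up but passes no traffic);
  * a static route whose next hop is not on any directly connected
    subnet (the default route must point at the router of the vSRX's own
    ge-0/0/0 subnet, such as 10.1.0.1 for 10.1.0.10/24);
  * a mistyped 'set security security-zone ...' statement (the correct
    hierarchy is 'set security zones security-zone ...');
  * IKE aggressive mode combined with a pre-shared key, and a placeholder
    pre-shared key left in place.

SAMPLE_CONFIG is constructed for this example and deliberately contains
each of these defects; it is not the configuration from the guide.
"""
import ipaddress
import re

SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
set interfaces st0 unit 1 family inet address 10.0.250.20/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security security-zone trust interfaces ge-0/0/1.0
set security ike policy AWS-R mode aggressive
set security ike policy AWS-R pre-shared-key ascii-text preshared-key
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances aws routing-options static route 10.10.10.0/24 next-hop st0.1
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone \S+ interfaces (\S+)$")
ROUTE_RE = re.compile(
    r"^set routing-instances \S+ routing-options static route (\S+) next-hop (\S+)$")
IKE_MODE_RE = re.compile(r"^set security ike policy \S+ mode (\S+)$")
PSK_RE = re.compile(r"^set security ike policy \S+ pre-shared-key ascii-text (\S+)$")
PLACEHOLDER_PSKS = {"preshared-key", "password", "changeme", "secret"}  # assumed list


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means no check fired."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    interfaces = {}   # logical interface name -> ipaddress.IPv4Interface
    zoned = set()     # logical interfaces bound to some security zone
    ike_mode = None
    psk = None

    for line in lines:
        if line.startswith("set security security-zone "):
            findings.append(f"malformed statement (missing 'zones'): {line}")
        m = ADDR_RE.match(line)
        if m:
            interfaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        m = ZONE_IF_RE.match(line)
        if m:
            zoned.add(m[1])
        m = IKE_MODE_RE.match(line)
        if m:
            ike_mode = m[1]
        m = PSK_RE.match(line)
        if m:
            psk = m[1]

    for name in sorted(interfaces):
        if name not in zoned:
            findings.append(f"interface {name} is not bound to any security zone")

    for line in lines:
        m = ROUTE_RE.match(line)
        if not m or not m[2][0].isdigit():   # interface next hops such as st0.1 are fine
            continue
        next_hop = ipaddress.ip_address(m[2])
        if not any(next_hop in ifc.network for ifc in interfaces.values()):
            findings.append(f"route {m[1]}: next-hop {next_hop} is not on a connected subnet")

    if ike_mode == "aggressive" and psk is not None:
        findings.append("IKE aggressive mode with a pre-shared key: use main mode")
    if psk in PLACEHOLDER_PSKS:
        findings.append("placeholder pre-shared key left in configuration")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it on the output of show configuration | display set from a staging instance before committing on the production vSRX. An empty result means none of the encoded checks fired, not that the configuration is correct; the checks are a floor, and you should extend them with the conventions of your own deployment.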

Verification

Verify Active VPN Tunnels

Purpose   Verify that the tunnel is up on both vSRX instances in AWS.

Action    root@> show security ipsec security-associations

  Total active tunnels: 1
  ID      Algorithm             SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1  de836105 1504/ unlim  -   root 4500  52.200.89.XXX
  >131074 ESP:aes-cbc-256/sha1  b349bc84 1504/ unlim  -   root 4500  52.200.89.XXX

Meaning   A healthy tunnel lists an inbound (<) and an outbound (>) SA with the same ID toward the peer's Elastic IP; if only one direction appears, the peer has not installed its half of the SA. Port 4500 indicates that NAT traversal is in use, which is expected because the vSRX's interface address is a private VPC address behind an Elastic IP.
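The Verification step reads the SA table by eye. The following Python script is an added example, not Juniper's code, that applies the same check mechanically: every tunnel ID must have both directions, the two SPIs must differ, the peer must be the expected gateway, and the remaining lifetime must not be about to run out. SAMPLE_OUTPUT is constructed in the format shown above with documentation peer addresses in place of real Elastic IPs; the 60-second lifetime floor is an assumption of this example.

```python
"""Added example, not code from the Juniper guide: check the output of
'show security ipsec security-associations' mechanically instead of by eye.
A healthy tunnel shows two SAs with the same ID, one inbound ('<') and one
outbound ('>'), with different SPIs, towards the expected peer, and with
lifetime remaining.  A single direction means the peer never installed its
half of the SA.  SAMPLE_OUTPUT is constructed in the format the guide
shows; the peer addresses are documentation addresses, not real EIPs.
"""
import re

SAMPLE_OUTPUT = """\
Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1 de836105 1504/ unlim -   root 4500  203.0.113.10
  >131074 ESP:aes-cbc-256/sha1 b349bc84 1504/ unlim -   root 4500  203.0.113.10
  <131075 ESP:aes-cbc-256/sha1 0a1b2c3d 12/ unlim   -   root 500   198.51.100.10
"""

# One SA row: direction, tunnel ID, algorithm, SPI, "sec/ kb" lifetime,
# Mon column (ignored), logical system, port, gateway.
SA_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life>\d+)/\s*(?P<kb>\S+)\s+\S+\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)


def parse_sas(output: str) -> dict:
    """Group SA rows by tunnel ID: {"131074": {"<": {...}, ">": {...}}}."""
    tunnels = {}
    for line in output.splitlines():
        m = SA_RE.match(line)
        if m:
            sa = m.groupdict()
            sa["life"] = int(sa["life"])
            tunnels.setdefault(sa["id"], {})[sa["dir"]] = sa
    return tunnels


def check_tunnels(output: str, expected_gateway: str, min_life: int = 60) -> list:
    """Return a list of problems; an empty list means every tunnel is healthy."""
    tunnels = parse_sas(output)
    if not tunnels:
        return ["no active IPsec SAs (tunnel is down)"]
    problems = []
    for tid, sas in sorted(tunnels.items()):
        if set(sas) != {"<", ">"}:
            problems.append(f"tunnel {tid}: only {''.join(sas)} direction present")
            continue
        if sas["<"]["spi"] == sas[">"]["spi"]:
            problems.append(f"tunnel {tid}: inbound and outbound SPIs are identical")
        for direction, sa in sas.items():
            if sa["gw"] != expected_gateway:
                problems.append(f"tunnel {tid}{direction}: unexpected peer {sa['gw']}")
            if sa["life"] < min_life:
                problems.append(f"tunnel {tid}{direction}: only {sa['life']}s of lifetime left")
    return problems


if __name__ == "__main__":
    # Port 4500 in the sample means NAT-T is in use, which is expected when the
    # vSRX's private address sits behind an AWS Elastic IP.
    for problem in check_tunnels(SAMPLE_OUTPUT, "203.0.113.10"):
        print(problem)
```

Run the check on each side with the other side's Elastic IP as expected_gateway; a half-installed tunnel (one direction only) on one vSRX usually pairs with a proposal or pre-shared-key mismatch reported in the IKE logs of the other.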

Related Documentation

• vSRX Virtual Firewall-Based AWS Transit VPC

• VPN Feature Guide for Security

• Application Firewall Overview

CHAPTER 5

vSRX Licensing

vSRX Feature Licenses Overview on page 53

Managing Licenses for vSRX on page 61

vSRX License Model Numbers for AWS on page 67

vSRX Feature Licenses Overview

Some Junos OS software features require a license to activate the feature.

To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

NOTE: If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses. For a vSRX on Microsoft Azure deployment, only the bring-your-own-license (BYOL) model is supported.

vSRX License Procurement and Renewal on page 53

vSRX Evaluation License on page 54

License Types on page 56

Throughput on page 57

License Duration on page 57

Individual (á la carte) Feature Licenses on page 58

Bundled Licenses on page 58

Stacking Licenses on page 58

vSRX License Keys Components on page 58

License Management Fields Summary on page 59

vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to a customer ID. If you did not order the licenses when you purchased your software application, contact your account team or Juniper Networks Customer Care for assistance.

Licenses can be procured from the Juniper Networks License Management System (LMS).

For license renewal, use the show system license command to find the Juniper vSRX software serial number that you use to renew a license.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent

NOTE: Do not use the show chassis hardware command to get the serial number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.

NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command. We recommend deleting existing licenses before performing a software downgrade.

vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with a 60-day product evaluation license and a 30-day advanced security features license, both of which allow you to use vSRX and licensed features for a specified period without having to install a license key.

Table 15 on page 55 lists vSRX evaluation license types.


Table 15: vSRX Evaluation License Types

License Package                                Type                                   Period    License Model Number
Trial license (temporary for evaluation only)  Product evaluation–Basic               60 days   -
                                               Product evaluation–Advanced features   30 days   -

Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an evaluation license for using vSRX. This product-unlocking license is required to use the basic functions of the vSRX, such as networking, routing, and basic security features (such as stateful firewall).

NOTE: The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (http://forums.juniper.net/) and view the Support topics under the vSRX category.

Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.

Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure. You can download the trial license for advanced security features from the vSRX Free Trial License Page .

The 30-day trial license period begins on the day you enable the enhanced security features after you install the 60-day product evaluation license for vSRX. To continue using vSRX features after the 30-day license period expires, you must purchase and install the license; otherwise, the features are disabled. If the license for advanced security features expires while the evaluation license (product unlocking license) is still valid, only the advanced security features that require a license are disabled.


NOTE: The UTM advanced features follow a slightly different trial license strategy. UTM does not require a separate 30-day trial license, only a 30-day grace period: once the 30-day advanced security features trial license expires, Juniper Networks supports a 30-day grace period during which you can continue using the UTM features.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.

License Types

Juniper Networks provides a variety of licenses for both basic firewall features and advanced security features for different throughputs and durations.

If you want to use vSRX to provide basic firewall features, you can use standard (basic) licenses. However, to use some of the more advanced security features, such as AppSecure, IDP, and UTM, you might need to purchase advanced features licenses.

The high-level categories for licenses are:

• Throughput–All licenses have an associated throughput. Throughput rates include 1 Gbps, 2 Gbps, and 4 Gbps on most platforms.

• Features–Licenses are available for different combinations of feature sets, from standard (STD) through Content Security Bundle (CS-B).

• Individual or bundled–Licenses can be individual (á la carte) licenses for a set of features, or can be bundled together to provide a broad range of features in one easy-to-maintain license.

• Duration–All licenses have an associated time duration. Basic licenses are sold as perpetual (never expire) or subscription based (1-year or 3-year duration); vSRX licenses on AWS and Azure are subscription based only.

• New or renewal–All subscription licenses are either new (first-time purchase) or renewals (extending the license duration when the initial new subscription license is about to expire).

Figure 4 on page 57 shows a sample license SKU and identifies how each field maps to these categories.


Figure 4: Sample vSRX License SKU

VSRX-10M-ASECB-3-R
 |    |    |  |  | |
 |    |    |  |  | New or renewal (R)
 |    |    |  |  Duration (3)
 |    |    |  Bundled or individual (B)
 |    |    Feature set (ASEC)
 |    Throughput (10M)
 Product (VSRX)

These categories of licenses can also be combined, or stacked, to provide more flexibility for your vSRX use cases.

Bandwidth or throughput license types allow you to use a single instance of the software for up to the maximum throughput specified in the license entitlement. Throughput can be combined on a single instance of the software so that the maximum throughput for that instance is the aggregate of all the throughput licenses assigned to that instance.

A throughput license cannot be split across multiple instances. Throughput is identified in the license entitlement in megabits per second (Mbps), or gigabits per second (Gbps).

For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features, you would purchase a 1G STD license and a 2G STD license and install both on the vSRX.

If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster, you could not use the same 2 Gbps license on both vSRX instances. You would need to purchase one set of licenses for each vSRX instance in the cluster.

All licenses can be perpetual or subscription based.

• Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support; you must purchase that separately. vSRX software releases such as vSRX for Azure or vSRX for AWS do not support perpetual licenses.

• Subscription license–A subscription license is an annual license that allows you to use the licensed software feature for the matching duration. Subscriptions might involve periodic downloads of content (such as IDP threat signature files). Subscription licenses start when you retrieve the license key, or 30 days after purchase if you have not retrieved the license key. At the end of the license period, you need to renew the license to continue using it.

NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install .


Individual (á la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired throughput rate. Beyond that, you can select from a range of individual feature licenses that provide additional security feature sets. The feature license must match the standard license rate.

NOTE: AWS and Microsoft Azure do not support individual licenses.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the following individual licenses:

• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.

• VSRX-CS-1G-1—Provides the advanced features.

Bundled Licenses

Bundled licenses simplify the license management by combining one or more individual licenses into a single bundled license. Instead of installing and managing a standard throughput license and one or more individual advanced feature licenses, you can purchase one of the bundle license options and manage one license instead.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes the STD throughput license. This means you only need to manage one license instead of two individual licenses.

Stacking Licenses

You can combine individual or bundled licenses to combine features or build up the overall supplied throughput for the vSRX instance.

For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of throughput for the vSRX instance. You can also combine individual licenses, such as Sophos antivirus (SAV) and Websense Enhanced Web Filtering (EWF), to get both sets of security features.

NOTE: Individual licenses require a STD license with the same throughput rate.

vSRX License Keys Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.


For example, in the following typical license key, the string E413XXXX57 is the license ID, and the trailing block of data is the license data:

E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff

cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa

aaaaaa bbbbbb cccccc dddddd eeeeee ffffff

cccccc bbbbbb dddddd aaaaaa ffffff

The license data conveys the customer ID and the software serial number (Juniper Networks support reference number) to the vSRX instance.

License Management Fields Summary

The Licenses window displays a summary of licensed features that are configured on the vSRX instance and a list of licenses that are installed on the vSRX instance.

To view the license details, select Maintain>Licenses in the J-Web user interface. The Licenses window appears as shown in Figure 5 on page 59.

Figure 5: J-Web Licenses Window Showing Installed Licenses

You can also view the details of a license in the CLI using the show system license command. The following sample shows details of an evaluation license in the CLI:

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               0            1           0    2016-04-15 08:00:00 CST
  appid-sig                             0            1           0    2016-04-15 08:00:00 CST
  av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
  wf_key_websense_ewf                   0            1           0    2016-04-15 08:00:00 CST
  Virtual Appliance                     1            1           0    2016-04-25 08:00:00 CST

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

The information on the license management page is summarized in Table 16 on page 60.

Table 16: Summary of License Management Fields

Field Name                Definition

Feature Summary
  Feature                 Name of the licensed feature:
                          Features—Software feature licenses.
                          All features—All-inclusive licenses.
  Licenses Used           Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.
  Licenses Installed      Number of licenses installed on the vSRX instance for the particular feature.
  Licenses Needed         Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: if a feature is configured and the license for that feature is not installed, a license is needed.
  Licenses expires on     Date the license expires.

Installed Licenses
  ID                      Unique alphanumeric ID of the license.
  State                   Valid—The installed license key is valid.
                          Invalid—The installed license key is not valid.
  Version                 Numeric version number of the license key.
  Group                   If the license defines a group license, this field displays the group definition.
                          NOTE: Because group licenses are currently unsupported, this field is always blank.
  Enabled Features        Name of the feature that is enabled with the particular license.
  Expiration              Date the license expires.
  Software serial number  The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.
  Customer ID             ID that identifies the registered user.

Managing Licenses for vSRX

Before you begin, ensure that you have retrieved the license key from the Juniper License Management System (LMS).

This section includes the following topics:

vSRX Evaluation License Installation Process on page 61

Adding a New License Key with J-Web on page 62

Adding a New License Key from the CLI on page 63

Updating vSRX Licenses on page 64

Deleting a License with J-Web on page 65

Deleting a License with the CLI on page 66

License Warning Messages on page 66

vSRX Evaluation License Installation Process

Juniper Networks provides a 60-day evaluation license for vSRX standard features. When you download and install the vSRX image, you are entitled to use this evaluation license for 60 days as a trial. In addition to the 60-day vSRX evaluation license, there is a 30-day advanced security features trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure.

You can download the 30-day advanced security feature trial license from the vSRX Free Trial License Page.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.

Installation of the advanced security feature trial license is similar to the regular license installation performed from the CLI (see “Adding a New License Key from the CLI” on page 63).

Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.

NOTE: The 30-day evaluation license period begins on the day you enable enhanced security features after installing evaluation licenses.

To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install the license. Otherwise, the features are disabled.

For details about the 60- and 30-day license evaluation periods for the vSRX, see “vSRX Feature Licenses Overview” on page 53.

Adding a New License Key with J-Web

To install a license using the J-Web interface:

1.

Select Maintain>Licenses on the J-Web user interface. The Licenses window is displayed as shown in Figure 6 on page 62.

Figure 6: J-Web Licenses Window


2.

Under Installed Licenses, click Add. The Add License window is displayed as shown in Figure 7 on page 63.


Figure 7: Add License Window


3.

Do one of the following, using a blank line to separate multiple license keys:

• Enter the full URL to the destination file containing the license key in the License File URL box.

• Paste the license key text, in plaintext format, in the License Key Text box.

4.

Click OK to add the license key. The License Details window is displayed as shown in Figure 8 on page 63.

Figure 8: License Details Window

The license key is installed and activated on the vSRX instance.

Adding a New License Key from the CLI

You can add a license key from a local file, from a remote URL, or from the terminal.

To install a license from the CLI:

1.

Use the request system license add operational mode command to either add the license from a local file or remote URL that contains the license key, or to manually paste the license key in the terminal.

user@vsrx> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
 cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
 cccccc bbbbbb dddddd aaaaaa ffffff

E413XXXX57: successfully added
add license complete (no errors)

NOTE: You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.

2.

Optionally, use the show system license command to view details of the licenses.

root@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed: none

In this sample output the feature is configured but no license is installed (Licenses needed is 1 and Expiry is invalid). After a successful add, the feature shows Licenses needed 0 with an expiry date or permanent under Expiry, and the license key is installed and activated on the vSRX instance.

Updating vSRX Licenses

You can update the vSRX licenses using either of the following two methods:

• Automatic license update using the CLI

• Manual license update using the CLI

As a prerequisite, you must install at least one valid license key on your vSRX instance for required features. License auto-update is performed based on the valid software serial number and customer ID embedded in the license key.

To enable automatic license updates from the CLI:

1.

Contact your account team or Juniper Networks Customer Care to extend the validity period of existing license keys and obtain the URL for a valid update server.

2.

Once you have successfully extended your license key and received the update server URL, configure the auto-update parameter in configuration mode:

user@host# set system license autoupdate url https://ae1.juniper.net/

3.

Configure renew options (if required) and commit the configuration. The following sample allows vSRX to contact the license server 30 days before the current license expires and to send an automatic update request every 6 hours.

user@host# set system license renew before-expiration 30
user@host# set system license renew interval 6

To manually update the licenses from the CLI:

1.

Use the following command to update the license keys manually:

user@host> request system license update <url.of.license.server>

This command sends a license update request to the license server immediately.

NOTE: The request system license update command will always use the default Juniper license server: https://ae1.juniper.net

2.

Check the status of the license by entering the show system license command.

Deleting a License with J-Web

To delete a license using the J-Web interface:

1.

Select Maintain>Licenses.

2.

Select the check box of the license or licenses you want to delete as shown in

Figure 9 on page 65

.

Figure 9: Deleting a License

3.

Click Delete.

4.

Click OK to confirm your deletion as shown in

Figure 10 on page 66

.


Figure 10: Delete Licenses Window

The license you deleted is removed.

Deleting a License with the CLI

To delete a license using the CLI:

1.

From operational mode, for each license, enter the following command and specify the license ID. You can delete only one license at a time.

user@host> request system license delete <license-key-identifier>

Or you can use the following command to delete all installed licenses.

user@host> request system license delete all

2.

Type yes when you are prompted to confirm the deletion.

Delete license JUNOS606279 ? [yes,no] (no)

The license you deleted is removed.

License Warning Messages

You must purchase a new license or renew your existing subscription-based license to have a seamless transition from the old license to the new one.

The following conditions occur when a license expires on vSRX:

• Evaluation license for the core expires—Packet forwarding on vSRX is disabled. However, you can manage vSRX through the fxp0 management interface, and the CLI configuration is preserved.

• Subscription-based licenses for advanced security features expire but subscription-based licenses for core services are active—A 30-day grace period begins, allowing the user to continue using advanced security features. After the grace period, advanced security features are disabled. Basic features are always available in the vSRX. After subscription-based licenses for core services expire, a warning message is displayed to notify the user, but basic features will remain preserved for the user.

• Subscription-based license for core features expires but subscription-based license for advanced security features is active—A warning message is displayed to notify the user. However, you can continue to use the basic features on the vSRX. Advanced security features are disabled when the subscription-based license for advanced security features expires, but basic features will remain preserved for the user.


NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.

To use features that require a license, you must install and configure a license. After the license expires, warning messages are displayed in the system log and on the J-Web dashboard.

When a license expires, the System Alarms section of the J-Web dashboard displays a message stating that the license has expired as shown in Figure 11 on page 67.

Figure 11: J-Web Dashboard for License Expiry Warning

When a license expires, the following message appears when you log in:

Virtual Appliance License is invalid

vSRX License Model Numbers for AWS

The licenses used by all Juniper Networks instances are based on SKUs, which represent lists of features. Each license includes a list of features that the license enables along with information about those features.

For information about purchasing software licenses, contact your Juniper Networks sales representative at http://www.juniper.net/in/en/contact-us/ .

vSRX licenses are based on application packages and processing capacity.

vSRX provides bandwidth in the following capacities (throughput per instance): 1 Gbps, 2 Gbps, and 4 Gbps. Each of these bandwidth tiers is offered with three different packages.

Table 17 on page 68 describes the features available with the various license packages.


Table 17: vSRX Licensing Package Types

License Type: STD

Description: Includes the following features:

• Core security—firewall, ALG, screens, user firewall
• IPsec VPN (site-to-site VPN)
• NAT
• CoS
• Routing services—BGP, OSPF, DHCP, J-Flow, IPv4
• Foundation—Static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics

License Model Number: These Standard (STD) bandwidth SKUs are available for vSRX:

• VSRX-1G-STD-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-STD-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-STD-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-STD-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-STD-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-STD-3-AWS—4 Gbps throughput (3-year subscription)

License Type: ASCB

Description: Includes all STD features bundled with the following additional AppSecure features:

• AppID
• AppFW
• AppQoS
• AppTrack

License Model Number: These AppSecure Bundled (ASCB) bandwidth SKUs are available for vSRX:

• VSRX-1G-ASCB-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-ASCB-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-ASCB-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-ASCB-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-ASCB-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-ASCB-3-AWS—4 Gbps throughput (3-year subscription)

License Type: CS-B

Description: Includes all STD features bundled with ASCB features and the addition of UTM antivirus.

License Model Number: These Content Security bundled (CS-B) bandwidth SKUs are available for vSRX:

• VSRX-1G-CS-B-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-CS-B-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-CS-B-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-CS-B-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-CS-B-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-CS-B-3-AWS—4 Gbps throughput (3-year subscription)


NOTE: License stacking is allowed. So, for example, to license 3 Gbps of throughput for the standard (STD) feature set for 1 year, use a VSRX-1G-STD-1-AWS license and a VSRX-2G-STD-1-AWS license.


CHAPTER 6

Troubleshooting

Finding the Software Serial Number for vSRX on page 71

Finding the Software Serial Number for vSRX

You need the software serial number to open a support case or to renew a vSRX license.

1. Use the show system license command to find the vSRX software serial number.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
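Added example, not part of this guide or of Junos OS: a small Python parser for the show system license output above that pulls out each license identifier, software serial number and customer ID (the values needed for a support case or renewal), and, following the License Warning Messages section, flags a count-down core license that is close to expiry, since packet forwarding stops once that license lapses. The sample output is constructed from the format shown here, and the 30-day threshold is an assumption you would tune to your renewal lead time.

```python
import re

# Constructed sample, modelled on the "show system license" output shown in this guide.
SAMPLE_OUTPUT = """\
License usage:
                             Licenses   Licenses   Licenses   Expiry
  Feature name                   used  installed     needed
  Virtual Appliance                 1          1          0   58 days

Licenses installed:
  License identifier: E420588955
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days
  License identifier: JUNOS657051
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
"""

def parse_licenses(text):
    """Return one dict per 'License identifier' block: id, serial, customer, permanent."""
    licenses, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("License identifier:"):
            cur = {"id": line.split(":", 1)[1].strip(), "serial": "",
                   "customer": "", "permanent": False}
            licenses.append(cur)
        elif cur is not None and line.startswith("Software Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Customer ID:"):
            cur["customer"] = line.split(":", 1)[1].strip()
        elif cur is not None and line == "permanent":
            cur["permanent"] = True
    return licenses

def days_until_expiry(text):
    """Days left in the 'Virtual Appliance' usage row, or None if no count-down is shown."""
    m = re.search(r"^\s*Virtual Appliance(?:\s+\d+){3}\s+(\d+) days", text, re.M)
    return int(m.group(1)) if m else None

def expiry_warning(text, threshold_days=30):
    """Warn when the core license is close to expiry (forwarding stops when it lapses)."""
    days = days_until_expiry(text)
    return f"vSRX Virtual Appliance license expires in {days} days" if days is not None and days <= threshold_days else None
```

On a live system, feed the function the text returned by the CLI (for example via a NETCONF or SSH session you already use for monitoring) and route a non-None warning into your alerting pipeline.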
