vSRX Deployment Guide for Microsoft Azure Cloud
Modified: 2018-04-13
Copyright © 2018, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
vSRX Deployment Guide for Microsoft Azure Cloud
Copyright © 2018 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through theyear 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Understanding vSRX with Microsoft Azure Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . 17
vSRX Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
vSRX Benefits and Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
vSRX with Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Requirements for vSRX on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
System Requirements for vSRX on Microsoft Azure Cloud . . . . . . . . . . . . . . . 21
Network Requirements for vSRX on Microsoft Azure Cloud . . . . . . . . . . . . . . 23
Interface Mapping for vSRX on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . 23
vSRX Default Settings on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Best Practices for Improving vSRX Performance . . . . . . . . . . . . . . . . . . . . . . . 24
Junos OS Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
SRX Series Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2 Installing vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Before You Deploy vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Creating a Resource Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Creating a Storage Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Creating a Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace . . . . . . . . . . . . . . . . . . 45
Deploying the vSRX Using the Security Gateway Solution Template . . . . . . 46
Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . 58
Logging In to a vSRX VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Deploying the vSRX Image from Azure Marketplace . . . . . . . . . . . . . . . . . . . . . . . 60
Deploying the vSRX Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . 71
Logging In to a vSRX VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Chapter 3 Installing vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Before You Deploy vSRX Using the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Deploying vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Installing the Microsoft Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Downloading the vSRX Deployment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Changing Parameter Values in the vsrx.parameter.json File . . . . . . . . . . . . . . 80
Deploying the vSRX Using the Shell Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . 84
Logging In to a vSRX Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
vSRX Configuration and Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Understanding the Junos OS CLI and Junos Scripts . . . . . . . . . . . . . . . . . . . . 89
Understanding the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Understanding Junos Space Security Director . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring vSRX Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring vSRX Using the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Accessing the J-Web Interface and Configuring vSRX . . . . . . . . . . . . . . . . . . 92
Applying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Adding vSRX Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Managing Security Policies for Virtual Machines Using Junos Space Security Director . . . . . . . . . . . . . . . . . . 95
Removing a vSRX Instance from Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . 95
Chapter 5 vSRX in Microsoft Azure Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Example: Configuring an IPsec VPN Between Two vSRX Instances . . . . . . . . . . . 97
Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure . . . . . . . . . . . . . . . . . . 101
Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
vSRX Feature Licenses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
vSRX License Procurement and Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
vSRX Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Product Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Advanced Security Features Evaluation License . . . . . . . . . . . . . . . . . . . 107
License Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Throughput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
License Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Individual (á la carte) Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Bundled Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Stacking Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
vSRX License Keys Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
License Management Fields Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Managing Licenses for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
vSRX Evaluation License Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . 113
Adding a New License Key with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding a New License Key from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Updating vSRX Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Deleting a License with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Deleting a License with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
License Warning Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
vSRX License Model Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Chapter 7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Finding the Software Serial Number for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
List of Figures
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 1: vSRX Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 2: vSRX Deployed to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 2 Installing vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 3: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 4: Resource Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 5: Creating a Resource Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 6: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Figure 7: Azure Portal Storage Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Figure 8: Creating a Storage Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Figure 9: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 10: Azure Portal Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 11: Creating a Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 12: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Figure 13: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace . . . . . . . . . . . . . . . . . . 47
Figure 14: Creating vSRX VM Using Security Gateway Solution Template . . . . . . 48
Figure 15: Create vSRX Security Gateway - Basics . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 16: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for SSD . . . . . . . . . . . . . . . . . . 50
Figure 17: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for HDD . . . . . . . . . . . . . . . . . . 51
Figure 18: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account . . . . . . . . . . . . . . . . . . 52
Figure 19: Create vSRX VM Gateway - Network Settings - Create Virtual Network . . . . . . . . . . . . . . . . . . 53
Figure 20: Create vSRX VM Gateway - Network Settings - Subnets . . . . . . . . . . . 54
Figure 21: Create vSRX VM Gateway - Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 22: Create vSRX VM Gateway - Purchase . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 23: vSRX VM Deployment Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 24: Microsoft Azure Resource Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 25: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . . 59
Figure 26: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 27: Locating the vSRX VM Image in the Azure Marketplace . . . . . . . . . . . . 62
Figure 28: Initiating vSRX VM Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 29: Create Virtual Machine - Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Figure 30: Create Virtual Machine - Choose a Size . . . . . . . . . . . . . . . . . . . . . . . . . 66
Figure 31: Create Virtual Machine - Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 32: Create Virtual Machine - Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Figure 33: Create Virtual Machine - Purchase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 34: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . . 72
Chapter 3 Installing vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Figure 35: Microsoft Azure Resource Groups Page Example . . . . . . . . . . . . . . . . . 84
Figure 36: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . 85
Figure 37: Microsoft Azure Virtual Machines Page Example . . . . . . . . . . . . . . . . . . 85
Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Figure 38: Sample vSRX License SKU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Figure 39: J-Web Licenses Window Showing Installed Licenses . . . . . . . . . . . . . . 111
Figure 40: J-Web Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Figure 41: Add License Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Figure 42: License Details Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Figure 43: Deleting a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Figure 44: Delete Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 45: J-Web Dashboard for License Expiry Warning . . . . . . . . . . . . . . . . . . . . 119
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 3: System Requirements for vSRX in Microsoft Azure - Standard_DS3_v2 VM . . . . . . . . . . . . . . . . . . 22
Table 4: System Requirements for vSRX in Microsoft Azure - Standard_D4_v2 VM . . . . . . . . . . . . . . . . . . 22
Table 5: vSRX and Microsoft Azure Interface Names . . . . . . . . . . . . . . . . . . . . . . . 23
Table 6: Factory-Default Settings for Security Policies . . . . . . . . . . . . . . . . . . . . . 24
Table 7: vSRX Feature Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 8: SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . 26
Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 9: Instance Name and User Account Information . . . . . . . . . . . . . . . . . . . . 93
Table 10: System Time Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Table 11: vSRX Evaluation License Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Table 12: Summary of License Management Fields . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 13: vSRX Licensing Package Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
About the Documentation
• Documentation and Release Notes on page xi
• Supported Platforms on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiv
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at https://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• vSRX
Documentation Conventions
Table 1 on page xii defines notice icons used in this guide.
Table 1: Notice Icons
Icon / Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Description. Examples.

Bold text like this: Represents text that you type. Example: To enter configuration mode, type the configure command:
user@host> configure

Fixed-width text like this: Represents output that appears on the terminal screen. Example:
user@host> show chassis alarms
No alarms currently active

Italic text like this: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles. Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements. Example: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

< > (angle brackets): Encloses optional keywords or variables. Example:
stub <default-metric metric>;

| (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. Examples:
broadcast | multicast
(string1 | string2 | string3)

# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies. Example:
rsvp { # Required for dynamic MPLS only

[ ] (square brackets): Encloses a variable for which you can substitute one or more values. Example:
community name members [ community-ids ]

Indention and braces ( { } ): Identifies a level in the configuration hierarchy.
; (semicolon): Identifies a leaf statement at a configuration hierarchy level.
Example for both:
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

GUI Conventions

Bold text like this: Represents graphical user interface (GUI) items you click or select. Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

> (bold right angle bracket): Separates levels in a hierarchy of menu selections. Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at https://www.juniper.net/documentation/index.html, simply click the stars to rate the
content, and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
https://www.juniper.net/documentation/feedback/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://www.juniper.net/support/requesting-support.html.
CHAPTER 1
Overview
• Understanding vSRX with Microsoft Azure Cloud on page 17
• Requirements for vSRX on Microsoft Azure on page 21
• Junos OS Features Supported on vSRX on page 25
Understanding vSRX with Microsoft Azure Cloud
This section presents an overview of vSRX as deployed in the Microsoft Azure cloud.
• vSRX Overview on page 17
• vSRX Benefits and Use Cases on page 18
• vSRX with Microsoft Azure on page 19
vSRX Overview
vSRX is a virtual security appliance that provides security and networking services at the
perimeter or edge in virtualized private or public cloud environments. vSRX runs as a
virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating
system (Junos OS) and delivers networking and security features similar to those available
on the software releases for the SRX Series Services Gateways.
The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution,
including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services
such as Application Security, intrusion detection and prevention (IPS), and UTM features
including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX
offers a cloud-based advanced anti-malware service with dynamic analysis to protect
against sophisticated malware, and provides built-in machine learning to improve verdict
efficacy and decrease time to remediation.
Figure 1 on page 18 shows the high-level architecture for vSRX.
Figure 1: vSRX Architecture
[Figure: the vSRX VM runs on a Juniper Linux guest OS over QEMU/KVM, with a Junos control plane (JCP / vRE: Routing Protocol Daemon (RPD), Management Daemon (MGD), Junos kernel), advanced services, flow processing, packet forwarding (JEXEC), the Data Plane Development Kit (DPDK), and storage and memory resources. The VM runs on physical x86 under hypervisors/cloud environments: Microsoft Hyper-V, VMware, KVM (Kernel-based Virtual Machines), AWS (Amazon Web Services), Microsoft Azure Cloud deployment, and Contrail Cloud deployment.]
vSRX Benefits and Use Cases
vSRX on standard x86 servers enables you to quickly introduce new services, deliver
customized services to customers, and scale security services based on dynamic needs.
vSRX is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX in a virtualized private or public cloud multitenant
environment include:
• Stateful firewall protection at the tenant edge
• Faster deployment of virtual firewalls into new sites
• Full routing, VPN, core security, and networking capabilities
• Application security features (including IPS and App-Secure)
• Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content
Filtering)
• Centralized management with Junos Space Security Director and local management
with J-Web Interface
• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration
vSRX with Microsoft Azure
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy
the vSRX to the Microsoft Azure Cloud. Microsoft Azure is Microsoft's application platform
for the public cloud. It is an open, flexible, enterprise-grade cloud computing platform
for building, deploying, and managing applications and services through a global network
of Microsoft-managed data centers. It provides Software as a Service (SaaS), Platform
as a Service (PaaS), and Infrastructure as a Service (IaaS) services. You place your virtual
machines (VMs) onto Azure virtual networks, where the distributed and virtual networks
in Azure help ensure that your private network traffic is logically isolated from traffic on
other Azure virtual networks.
You can add a vSRX virtual security appliance to provide networking security features
as an application instance within an Azure virtual network. The vSRX protects the
workloads that run within the virtual network on the Microsoft Azure Cloud.
You can deploy the vSRX VM in Azure using the following deployment methods:
• Azure Marketplace—Deploy the vSRX VM from the Azure Marketplace. The Azure
Marketplace provides you with different methods to deploy a vSRX VM in your virtual
network. You can choose a customized solution template offered by Juniper Networks
to automate the vSRX VM deployment based on specific use cases (for example, a
security gateway). A solution template automates the dependencies associated with
specific deployment use cases, such as VM settings, virtual network settings (such as
multiple subnets for the management interface (fxp0) and two revenue (data)
interfaces), and so on. Or, you can select the vSRX VM image and define the deployment
settings and dependencies based on your specific networking requirements. Starting
in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX to Microsoft Azure
Cloud from the Azure Marketplace.
Azure Marketplace also enables you to discover and subscribe to software that supports
regulated workloads through Azure Marketplace for Azure Government Cloud (US).
• Azure CLI—Deploy the vSRX VM from the Azure CLI. You can customize the vSRX VM
deployment settings and dependencies based on your network requirements in
Microsoft Azure Cloud. To help automate and simplify the deployment of the vSRX
VM in the Microsoft Azure virtual network, Juniper Networks provides a series of scripts,
Azure Resource Manager (ARM) templates and parameter files, and configuration files
in a GitHub repository.
NOTE: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to Microsoft Azure Cloud from the Azure CLI.
In Microsoft Azure, you can host servers and services on the cloud as a pay-as-you-go
(PAYG) or bring-your-own-license (BYOL) service.
NOTE: vSRX PAYG images do not require any Juniper Networks licenses.
Starting in Junos OS Release 15.1X49-D120, vSRX on Microsoft Azure Cloud supports the vSRX Premium-Next Generation Firewall with Anti-Virus Protection bundle for PAYG, available as 1-hour or 1-year subscriptions. This bundle includes:
• Standard (STD) features of core security, including core firewall, IPsec VPN, NAT, CoS,
and routing services.
• Advanced Layer 4 through 7 security services such as AppSecure features of AppID,
AppFW, AppQoS, and AppTrack, IPS and rich routing capabilities, including the UTM
antivirus feature.
Figure 2 on page 20 illustrates the deployment of a vSRX in Microsoft Azure.
In Microsoft Azure, public subnets have access to the Internet gateway, but private
subnets do not. vSRX requires two public subnets and one or more private subnets for
each individual instance group. The public subnets consist of one for the management
interface (fxp0) and one for a revenue (data) interface. The private subnets, connected
to the other vSRX interfaces, ensure that all traffic between applications on the private
subnets and the Internet must pass through the vSRX instance.
Figure 2: vSRX Deployed to Microsoft Azure
[Figure: Microsoft Azure Cloud. The Internet connects through an Internet Gateway to two public subnets on the vSRX: the Management Subnet (fxp0, public IP, security group "Management: Allow - 443/22") and the Public Access Subnet (ge-0/0/0, public IP, security group "Revenue: Allow All Traffic"). The vSRX interface ge-0/0/1 attaches to the Private Subnet, with one private subnet for each private network.]
For a glossary of Microsoft Azure terms see Microsoft Azure glossary.
Release History Table

Release         Description
15.1X49-D91     Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX to Microsoft Azure Cloud from the Azure Marketplace.
15.1X49-D80     Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.
15.1X49-D80     Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to Microsoft Azure Cloud from the Azure CLI.
15.1X49-D120    Starting in Junos OS Release 15.1X49-D120, vSRX on Microsoft Azure Cloud supports the vSRX Premium-Next Generation Firewall with Anti-Virus Protection bundle for PAYG, available as 1-hour or 1-year subscriptions.
Related Documentation
• Microsoft Azure
• Azure Virtual Networks
• Microsoft Azure portal overview
Requirements for vSRX on Microsoft Azure
This section presents an overview of requirements for deploying a vSRX instance on
Microsoft Azure Cloud.
• System Requirements for vSRX on Microsoft Azure Cloud on page 21
• Network Requirements for vSRX on Microsoft Azure Cloud on page 23
• Interface Mapping for vSRX on Microsoft Azure on page 23
• vSRX Default Settings on Microsoft Azure on page 24
• Best Practices for Improving vSRX Performance on page 24
System Requirements for vSRX on Microsoft Azure Cloud
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy
the vSRX to the Microsoft Azure Cloud. Microsoft Azure supports a wide variety of sizes
and options for deployed Azure virtual machines (VMs).
For the vSRX deployment in Microsoft Azure, we recommend D-series VMs. The D-series VMs provided from Microsoft Azure are ideal for applications that demand faster CPUs and better local disk performance, or have higher memory demands. Of the available D-series VMs, we recommend that you select DS3_v2 Standard or D4_V2 Standard for the vSRX VM deployment in Microsoft Azure.
There are two performance tiers for storage in Microsoft Azure Cloud that you can choose from when creating your disks -- Standard Storage and Premium Storage. Premium Storage is backed by SSDs, and delivers high-performance, low-latency disk support for VMs running I/O-intensive workloads. Standard Storage is backed by HDDs, and delivers
cost-effective storage. For background details, see About disks storage for Azure Windows VMs.
• For the SSD supported disk type, use DS3_v2 Standard for the vSRX VM deployment
in Microsoft Azure.
• For the HDD supported disk type, you can choose either DS3_v2 Standard or D4_V2
Standard for the vSRX VM deployment.
Table 3 on page 22 outlines the recommended system requirements for a vSRX instance,
Standard_DS3_v2 size VM.
Table 3: System Requirements for vSRX in Microsoft Azure - Standard_DS3_v2 VM

Component                                                                          Specification
Size                                                                               Standard_DS3_v2
CPU cores                                                                          4
Memory                                                                             14 GB
Maximum number of data disks                                                       8
Maximum cached and local disk storage throughput: IOPS/MBps (cache size in GB)     16,000/128 (172)
Maximum uncached disk throughput: IOPS/MBps                                        12,800/192
Maximum number of NICs/network bandwidth                                           4 / high
Table 4 on page 22 outlines the recommended system requirements for a vSRX instance, Standard_D4_v2 size VM.
Table 4: System Requirements for vSRX in Microsoft Azure - Standard_D4_v2 VM

Component                                              Specification
Size                                                   Standard_D4_v2
CPU cores                                              8
Memory                                                 28 GB
Maximum number of data disks                           16
Maximum local disk storage throughput: IOPS/MBps       24000/375/187
Maximum data disk throughput: IOPS                     16/16x500
Maximum number of NICs/network bandwidth               8 / high
NOTE: The vSRX does not provide support for a high-availability configuration in Microsoft Azure. In addition, the vSRX does not support Layer 2 transparent mode in Microsoft Azure.
Network Requirements for vSRX on Microsoft Azure Cloud
When you deploy a vSRX VM in a Microsoft Azure virtual network, note the following
specifics of the deployment configuration:
• A dual public IP network configuration is a requirement for vSRX VM network connectivity; the vSRX VM requires two public subnets and one or more private subnets for each instance group.
• The public subnets required by the vSRX VM consist of one subnet for the out-of-band management interface (fxp0) for management access and another for the two revenue (data) interfaces. By default, one interface is assigned to the untrust security zone and the other to the trust security zone on the vSRX VM.
• In the Microsoft Azure deployment of the vSRX VM, the vSRX supports the management interface (fxp0) and the two revenue (data) interfaces (port ge-0/0/0 and ge-0/0/1), which includes public IP address mapping and data traffic forwarding to and from the vSRX VM.
Interface Mapping for vSRX on Microsoft Azure
Table 5 on page 23 lists the vSRX and Microsoft Azure interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 5: vSRX and Microsoft Azure Interface Names

Interface Number    vSRX Interface    Microsoft Azure Interface
1                   fxp0              eth0
2                   ge-0/0/0          eth1
3                   ge-0/0/1          eth2
4                   ge-0/0/2          eth3
We recommend putting revenue interfaces in routing instances as a best practice to
avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by
default. With fxp0 as part of the default routing table, there might be two default routes
needed: one for the fxp0 interface for external management access, and the other for
the revenue interfaces for traffic access. Putting the revenue interfaces in a separate
routing instance avoids this situation of two default routes in a single routing instance.
Ensure that interfaces belonging to the same security zone are in the same routing
instance.
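The two rules above (keep revenue interfaces out of the default instance that holds fxp0, and keep every interface of a zone in one routing instance) can be checked mechanically against a set-style configuration before it is committed. The following is an added example written for this guide, not Juniper code; the two configurations it parses are constructed, and the interface addresses, the routing-instance name "revenue" and the zone names are assumptions for illustration.

```python
"""Check a vSRX set-style configuration for the two routing-instance rules:
(1) interfaces bound to a security zone (the revenue interfaces) must not share the
default routing instance (inet.0) with fxp0, and (2) all interfaces of one security
zone must be in the same routing instance. Added example; the configs are constructed."""
import re
from collections import defaultdict

ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
DEFAULT_RI = "default (inet.0)"   # where fxp0 and any unassigned interface live

# Constructed layout that follows the recommendation: both revenue interfaces in a
# virtual router with its own default route, fxp0 alone in inet.0.
RECOMMENDED = """\
set interfaces fxp0 unit 0 family inet address 10.0.0.4/24
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.4/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances revenue instance-type virtual-router
set routing-instances revenue interface ge-0/0/0.0
set routing-instances revenue interface ge-0/0/1.0
set routing-instances revenue routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
"""

# Constructed layout that breaks both rules: ge-0/0/0.0 and ge-0/0/2.0 stay in inet.0
# next to fxp0, and the trust zone spans inet.0 and the "revenue" instance.
PROBLEMATIC = """\
set interfaces fxp0 unit 0 family inet address 10.0.0.4/24
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.4/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.4/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances revenue instance-type virtual-router
set routing-instances revenue interface ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
"""


def parse_set_config(config_text):
    """Return (zone -> set of interfaces, interface -> routing-instance name)."""
    zone_ifaces = defaultdict(set)
    instance_of = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ZONE_IF_RE.match(line)
        if m:
            zone_ifaces[m.group(1)].add(m.group(2))
            continue
        m = RI_IF_RE.match(line)
        if m:
            instance_of[m.group(2)] = m.group(1)
    return dict(zone_ifaces), instance_of


def check_routing_instances(config_text):
    """Return a list of findings; an empty list means both rules hold."""
    zone_ifaces, instance_of = parse_set_config(config_text)
    findings = []
    for zone in sorted(zone_ifaces):
        ifaces = sorted(zone_ifaces[zone])
        placement = {iface: instance_of.get(iface, DEFAULT_RI) for iface in ifaces}
        # Rule 1: a revenue interface in inet.0 competes with fxp0 for the default route.
        for iface in ifaces:
            if placement[iface] == DEFAULT_RI:
                findings.append(f"{iface} (zone {zone}) shares the default routing instance with fxp0")
        # Rule 2: one zone must not straddle two routing instances.
        instances = sorted(set(placement.values()))
        if len(instances) > 1:
            findings.append(f"zone {zone} spans routing instances {instances}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("problematic", PROBLEMATIC)):
        print(label, check_routing_instances(cfg) or "OK")
```

Run it against a `show configuration | display set` dump; every finding names the interface or zone to move. The parser only looks at `routing-instances ... interface` and `security-zone ... interfaces` statements, so it is independent of how the rest of the configuration is laid out.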
Related Documentation
• KB Article - Interface must be in the same routing instance as the other interfaces in the zone
vSRX Default Settings on Microsoft Azure
vSRX requires the following basic configuration settings:
• Interfaces must be assigned IP addresses.
• Interfaces must be bound to zones.
• Policies must be configured between zones to permit or deny traffic.
Table 6 on page 24 lists the factory-default settings for security policies on the vSRX.

Table 6: Factory-Default Settings for Security Policies

Source Zone    Destination Zone    Policy Action
trust          untrust             permit
trust          trust               permit
CAUTION: Do not use the load factory-default command on the vSRX instance in Microsoft Azure. The factory-default configuration removes the “azure-provision” preconfiguration. This group contains critical system-level settings and route information for the vSRX. A misconfiguration in the group “azure-provision” may result in the possible loss of connectivity to vSRX from Microsoft Azure. If you must revert to factory default, ensure that you first manually reconfigure the Microsoft Azure preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.
We strongly recommend that when you commit a configuration, you perform an explicit commit confirmed to avoid the possibility of losing connectivity to vSRX. Once you have verified that the change works correctly, you can keep the new configuration active by entering the commit command within 10 minutes. Without the timely second confirm, configuration changes will be rolled back. See “Configuring vSRX Using the CLI” on page 90 for preconfiguration details.
Best Practices for Improving vSRX Performance
Review the following deployment practices to improve vSRX performance:
• Disable the source/destination check for all vSRX interfaces.
• Limit public key access permissions to 400 for key pairs.
• Ensure that there are no contradictions between Microsoft Azure security groups and
your vSRX configuration.
• Use vSRX NAT to protect your instances from direct Internet traffic.
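One way to catch a contradiction between an Azure network security group and the vSRX configuration is to evaluate the NSG the way Azure does (ascending priority, first match wins, built-in DenyAllInbound last) and compare the result with what the management subnet is meant to admit, which Figure 2 shows as TCP 443 and 22 for fxp0. The block below is an added example, not Juniper code or the guide's tooling. The rule dictionaries use the field names of the ARM `securityRules` property; the rule sets, the probed ports and the source prefix 203.0.113.0/24 are constructed.

```python
"""Evaluate inbound NSG rules by priority and report management-subnet ports that are
reachable beyond the TCP 22/443 allow list. Added example; rule sets are constructed.
The built-in AllowVnetInBound and AllowAzureLoadBalancerInBound defaults are omitted
because the probes model traffic arriving from the Internet."""

MGMT_NSG_OK = [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22", "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "allow-https", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443", "sourceAddressPrefix": "203.0.113.0/24"},
]

# Same rules plus a catch-all that silently widens management access.
MGMT_NSG_WEAK = MGMT_NSG_OK + [
    {"name": "allow-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*"},
]

# Constructed probe set: the two expected management ports plus common extras.
PROBES = [("tcp", p) for p in (21, 22, 23, 80, 443, 830, 3389, 8080)] + [("udp", 161)]


def port_matches(port_range, port):
    """Azure port ranges are '*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(x) for x in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def inbound_decision(rules, protocol, port):
    """Return (access, rule name) from the first matching inbound rule by priority,
    falling through to Azure's built-in DenyAllInbound rule (priority 65500)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        proto_ok = rule["protocol"] == "*" or rule["protocol"].lower() == protocol.lower()
        if proto_ok and port_matches(rule["destinationPortRange"], port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInbound"


def unexpected_open_ports(rules, allowed=frozenset({("tcp", 22), ("tcp", 443)})):
    """List (protocol, port, rule) for probes that are allowed but not on the allow list."""
    hits = []
    for protocol, port in PROBES:
        access, name = inbound_decision(rules, protocol, port)
        if access == "Allow" and (protocol, port) not in allowed:
            hits.append((protocol, port, name))
    return hits


def unrestricted_sources(rules):
    """Names of inbound Allow rules that accept any source ('*' or the Internet tag)."""
    return [r["name"] for r in sorted(rules, key=lambda r: r["priority"])
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet")]


if __name__ == "__main__":
    for label, rules in (("ok", MGMT_NSG_OK), ("weak", MGMT_NSG_WEAK)):
        print(label, unexpected_open_ports(rules), unrestricted_sources(rules))
```

The same evaluation applied to the revenue subnet's NSG ("Allow All Traffic" in Figure 2) will naturally report every probe as open; that is the intended state there, because the vSRX policies, not the NSG, enforce the revenue-side filtering.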
Release History Table

Release        Description
15.1X49-D80    Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.

Related Documentation
• Sizes for Windows Virtual Machines in Azure
Junos OS Features Supported on vSRX
This section presents an overview of the Junos OS features on vSRX. It includes
• SRX Series Features Supported on vSRX on page 25
• SRX Series Features Not Supported on vSRX on page 26
SRX Series Features Supported on vSRX
vSRX inherits most of the branch SRX Series features with the following considerations
shown in Table 7 on page 25.
To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer here:
Feature Explorer: vSRX
Table 7: vSRX Feature Considerations

Chassis cluster
  Generally, on SRX Series instances, the cluster ID and node ID are written into EEPROM. For the vSRX VM, the IDs are saved in boot/loader.conf and read during initialization.

IDP
  The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key.
  For SRX Series IDP configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series
  In J-Web, use the following steps to add or edit an IPS rule:
  1. Click Security>IDP>Policy>Add.
  2. In the Add IPS Rule window, select All instead of Any for the Direction field to list all the FTP attacks.

ISSU
  ISSU is not supported on vSRX.

Transparent mode
  The known behaviors for transparent mode support on vSRX are:
  • The default MAC learning table size is restricted to 16,383 entries.
  • VMware vSwitch does not support MAC learning. It also floods traffic to the secondary node. The traffic is silently dropped by the flow on the secondary node.
  For information on configuring transparent mode vSRX, see: Layer 2 Bridging and Transparent Mode Overview

UTM
  The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key.
  For SRX Series UTM configuration details, see: Unified Threat Management Overview
  For SRX Series UTM antispam configuration details, see: Antispam Filtering Overview
SRX Series Features Not Supported on vSRX
vSRX inherits many features from the SRX Series device product line. Table 8 on page 26
lists SRX Series features that are not applicable in a virtualized environment, that are
not currently supported, or that have qualified support on vSRX.
Table 8: SRX Series Features Not Supported on vSRX

SRX Series Feature                                                              vSRX Notes

Application Layer Gateways
  Avaya H.323                                                                   Not supported

Authentication with IC Series Devices
  Layer 2 enforcement in UAC deployments                                        Not supported. NOTE: UAC-IDP and UAC-UTM also are not supported.

Chassis Cluster Support
  NOTE: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in VMware, KVM, and Windows Hyper-V Server 2016.
  Chassis cluster for VirtIO driver                                             Only supported with KVM. NOTE: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces.
  Dual control links                                                            Not supported
  In-band and low-impact cluster upgrades                                       Not supported
  LAG and LACP (Layer 2 and Layer 3)                                            Not supported
  Layer 2 Ethernet switching                                                    Not supported
  Low-latency firewall                                                          Not supported
  PPPoE over redundant Ethernet interface                                       Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over a redundant Ethernet interface (PPPoE).
  SR-IOV interfaces                                                             Not supported (see the Known Behavior section of the vSRX Release Notes for more information about SR-IOV limitations).

Class of Service
  High-priority queue on SPC                                                    Not supported
  Tunnels                                                                       Only GRE and IP-IP tunnels supported. NOTE: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and Multicast.

Data Plane Security Log Messages (Stream Mode)
  TLS protocol                                                                  Not supported

Diagnostics Tools
  Flow monitoring cflowd version 9                                              Not supported. NOTE: Starting in Junos OS Release 15.1X49-D80, the vSRX supports J-Flow version 9 flow monitoring on a chassis cluster.
  Ping Ethernet (CFM)                                                           Not supported
  Traceroute Ethernet (CFM)                                                     Not supported

DNS Proxy
  Dynamic DNS                                                                   Not supported

Ethernet Link Aggregation
  LACP in standalone or chassis cluster mode                                    Not supported
  Layer 3 LAG on routed ports                                                   Not supported
  Static LAG in standalone or chassis cluster mode                              Not supported

Ethernet Link Fault Management
  Physical interface (encapsulations)
    ethernet-ccc, ethernet-tcc                                                  Not supported
    extended-vlan-ccc, extended-vlan-tcc                                        Not supported
  Interface family
    ccc, tcc                                                                    Not supported
    ethernet-switching                                                          Not supported

Flow-Based and Packet-Based Processing
  End-to-end packet debugging                                                   Not supported
  Network processor bundling                                                    Not supported
  Services offloading                                                           Not supported

Interfaces
  Aggregated Ethernet interface                                                 Not supported
  IEEE 802.1X dynamic VLAN assignment                                           Not supported
  IEEE 802.1X MAC bypass                                                        Not supported
  IEEE 802.1X port-based authentication control with multisupplicant support    Not supported
  Interleaving using MLFR                                                       Not supported
  PoE                                                                           Not supported
  PPP interface                                                                 Not supported
  PPPoE-based radio-to-router protocol                                          Not supported
  PPPoE interface                                                               Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.
  Promiscuous mode on interfaces                                                Only supported if enabled on the hypervisor

IP Security and VPNs
  Acadia - Clientless VPN                                                       Not supported
  DVPN                                                                          Not supported
  Hardware IPsec (bulk crypto) Cavium/RMI                                       Not supported
  IPsec tunnel termination in routing instances                                 Supported on virtual router only
  Multicast for AutoVPN                                                         Not supported

IPv6 Support
  DS-Lite concentrator (aka AFTR)                                               Not supported
  DS-Lite initiator (aka B4)                                                    Not supported

J-Web
  Enhanced routing configuration                                                Not supported
  New Setup Wizard (for new configurations)                                     Not supported
  PPPoE Wizard                                                                  Not supported
  Remote VPN Wizard                                                             Not supported
  Rescue link on dashboard                                                      Not supported
  UTM configuration for Kaspersky antivirus and the default Web filtering profile    Not supported

Log File Formats for System (Control Plane) Logs
  Binary format (binary)                                                        Not supported
  WELF                                                                          Not supported

Miscellaneous
  GPRS                                                                          Not supported. NOTE: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the vSRX supports GPRS.
  Hardware acceleration                                                         Not supported
  Logical systems                                                               Not supported
  Outbound SSH                                                                  Not supported
  Remote instance access                                                        Not supported
  USB modem                                                                     Not supported
  Wireless LAN                                                                  Not supported

MPLS
  CCC and TCC                                                                   Not supported
  Layer 2 VPNs for Ethernet connections                                         Only if promiscuous mode is enabled on the hypervisor

Network Address Translation
  Maximize persistent NAT bindings                                              Not supported

Packet Capture
  Packet capture                                                                Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth).

Routing
  BGP extensions for IPv6                                                       Not supported
  BGP Flowspec                                                                  Not supported
  BGP route reflector                                                           Not supported
  Bidirectional Forwarding Detection (BFD) for BGP                              Not supported
  CRTP                                                                          Not supported

Switching
  Layer 3 Q-in-Q VLAN tagging                                                   Not supported

Transparent Mode
  UTM                                                                           Not supported

Unified Threat Management
  Express AV                                                                    Not supported
  Kaspersky AV                                                                  Not supported

Upgrading and Rebooting
  Autorecovery                                                                  Not supported
  Boot instance configuration                                                   Not supported
  Boot instance recovery                                                        Not supported
  Dual-root partitioning                                                        Not supported
  OS rollback                                                                   Not supported

User Interfaces
  NSM                                                                           Not supported
  SRC application                                                               Not supported
  Junos Space Virtual Director                                                  Only supported with VMware
CHAPTER 2
Installing vSRX from the Azure Portal
• Before You Deploy vSRX from the Azure Portal on page 33
• Creating a Resource Group on page 34
• Creating a Storage Account on page 38
• Creating a Virtual Network on page 41
• Deploying the vSRX Using the Security Gateway Solution Template from Azure
Marketplace on page 45
• Deploying the vSRX Image from Azure Marketplace on page 60
Before You Deploy vSRX from the Azure Portal
You can deploy a vSRX virtual security appliance and its advanced security features in your virtual network directly from the Azure portal. This method provides a browser-based user interface for creating and configuring virtual machines and all related resources.
The Azure Marketplace provides you with different methods to deploy a vSRX virtual machine (VM) in a virtual network. You can choose a customized solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX deployment based on a specific use case (for example, a security gateway).
Solution templates allow the bundling of multiple Azure services and a software image into a template that enables you to quickly deploy a preconfigured solution. You access vSRX solution templates from the Azure Marketplace to simplify the end-to-end configuration steps involved in deploying a vSRX VM in your Azure virtual network. A solution template automates the dependencies associated with specific deployment use cases, such as VM settings, virtual network settings (such as multiple subnets for the management interface (fxp0) and two revenue (data) interfaces), and so on.
A vSRX solution template is based on a custom Microsoft Azure Resource Manager (ARM) template. The ARM template consists of JavaScript Object Notation (JSON) expressions that construct specific values for your vSRX deployment. To integrate with the Azure portal, each solution template uses mainTemplate.json and createUiDefinition.json files to define the components of the customized solution template for vSRX VM deployment.
You also have the option to select the vSRX image from Azure Marketplace and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud. This deployment approach might be required if you have a vSRX VM deployment scenario that is outside of the use cases offered in the vSRX VM solution templates available from Juniper Networks.
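Because an ARM template is JSON whose values are built from `parameters('...')` expressions, a customized template and its parameters file can drift apart: a reference to a parameter nobody declared, a required (no `defaultValue`) parameter that the file does not supply, or a stray value in the file. The block below is an added example, not Juniper's tooling and not the real mainTemplate.json; the two documents are constructed miniatures in the layout of an ARM template and its parameters file, and the parameter names in them are assumptions.

```python
"""Cross-check an ARM template against a parameters file: every parameters('x')
reference must be declared, every declared parameter without a defaultValue must be
supplied, and the file must not supply undeclared names. Added example; both JSON
documents are constructed miniatures, not the solution template's real files."""
import json
import re

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

MAIN_TEMPLATE_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {"type": "string"},
    "vmSize": {"type": "string", "defaultValue": "Standard_DS3_v2"},
    "adminUsername": {"type": "string"},
    "sshPublicKey": {"type": "securestring"}
  },
  "variables": {"mgmtNicName": "[concat(parameters('vmName'), '-fxp0')]"},
  "resources": [{
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "2017-03-30",
    "name": "[parameters('vmName')]",
    "properties": {
      "hardwareProfile": {"vmSize": "[parameters('vmSize')]"},
      "osProfile": {
        "computerName": "[parameters('vmName')]",
        "adminUsername": "[parameters('adminUsername')]",
        "linuxConfiguration": {"disablePasswordAuthentication": true,
          "ssh": {"publicKeys": [{"keyData": "[parameters('sshPublicKey')]"}]}}
      },
      "storageProfile": {"imageReference": {"sku": "[parameters('imageSku')]"}}
    }
  }]
}"""

# Constructed parameters file: leaves out sshPublicKey and adds an unknown name.
PARAMETERS_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {"value": "vsrx-gw"},
    "adminUsername": {"value": "azureuser"},
    "extraParam": {"value": 1}
  }
}"""


def iter_strings(node):
    """Yield every string value anywhere inside a parsed JSON document."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)
    elif isinstance(node, str):
        yield node


def cross_check(template_text, parameters_text):
    """Return {'undeclared': [...], 'missing': [...], 'unknown': [...]} (all sorted)."""
    template = json.loads(template_text)
    supplied = set(json.loads(parameters_text).get("parameters", {}))
    declared = template.get("parameters", {})
    declared_names = set(declared)
    # Collect references from everything except the parameter declarations themselves.
    body = {k: v for k, v in template.items() if k != "parameters"}
    referenced = set()
    for text in iter_strings(body):
        referenced.update(PARAM_REF.findall(text))
    required = {name for name, spec in declared.items() if "defaultValue" not in spec}
    return {
        "undeclared": sorted(referenced - declared_names),
        "missing": sorted(required - supplied),
        "unknown": sorted(supplied - declared_names),
    }


if __name__ == "__main__":
    print(cross_check(MAIN_TEMPLATE_JSON, PARAMETERS_JSON))
```

Run with the real `mainTemplate.json` and parameters file as text; an empty result for all three keys is the state to reach before starting the deployment, since a missing `securestring` such as the SSH key would otherwise be prompted for or fail at validation time.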
Before you deploy the vSRX virtual security appliance from the Azure Marketplace:
• Review the requirements for deploying a vSRX VM in Microsoft Azure Cloud in
“Requirements for vSRX on Microsoft Azure” on page 21.
• Obtain an account for and a subscription to Microsoft Azure (see Microsoft Azure).
• Use your Microsoft account username and password to log into the Microsoft Azure portal.
• Purchase a vSRX license or request an evaluation license. Licenses can be procured
from the Juniper Networks License Management System (LMS).
• Ensure that your Azure subscription includes the following for your vSRX VM:
• Resource group, as described in “Creating a Resource Group” on page 34.
• Storage account, as described in “Creating a Storage Account” on page 38.
• Virtual network, as described in “Creating a Virtual Network” on page 41.
Related Documentation
• Microsoft Azure portal
• Microsoft Azure portal overview
Creating a Resource Group
A resource group contains the resources required to successfully deploy a vSRX VM in
Azure. It is a container that holds related resources for an Azure solution. In Azure, you
logically group related resources such as storage accounts, virtual networks, and virtual
machines (VMs) to deploy, manage, andmaintain them as a single entity.
If you do not have an existing resource group in your subscription, then follow the steps
outlined in this procedure.
To create a resource group in Azure:
1. Log in to the Microsoft Azure portal using your Microsoft account username and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.
Figure 3: Microsoft Azure Portal Dashboard
2. Click Resource groups from the menu of services to access the Resource Groups blade (see Figure 4 on page 36). You will see all the resource groups in your subscription listed in the blade.
Figure 4: Resource Groups
3. Click Add (+) to create a new resource group. The Create Resource Group blade appears (see Figure 5 on page 37).
Figure 5: Creating a Resource Group
4. Provide the following information for the new resource group.

Resource Group Name
  Enter a unique name for your new resource group. A resource group name can include alphanumeric characters, periods (.), underscores (_), hyphens (-), and parentheses (), but the name cannot end with a period.
Subscription
  Select your Microsoft Azure subscription.
Resource Group Location
  Select the location of the Microsoft Azure data center from which you intend to deploy the vSRX VM. Specify a location where the majority of your resources will reside. Typically, select the location that is closest to your physical location.
5. Click Create. The resource group might take a few seconds to create. Once it is created, you see the resource group on the Azure portal dashboard.
Related Documentation
• Azure Resource Manager overview
• Deploy resources with Resource Manager templates and Azure portal
• Manage Azure resources through portal
Creating a Storage Account
An Azure storage account provides a unique namespace to store and access your Azure
storage data objects. All objects in a storage account are billed together as a group. By
default, the data in your account is available only to the account owner.
If you do not have an existing storage account in your subscription, follow the steps
outlined in this procedure.
To create a storage account in Azure:
1. Log in to the Microsoft Azure portal using your Microsoft account username and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.
Figure 6: Microsoft Azure Portal Dashboard
2. Click Storage Accounts from the menu of services to access the Storage Accounts blade (see Figure 7 on page 39).
Figure 7: Azure Portal Storage Accounts
3. Click Add (+) to create a new storage account. The Create Storage Account blade
appears (see Figure 8 on page 40).
Figure 8: Creating a Storage Account
4. Provide the following information for the new storage account.

Name
  Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters.
Deployment Model
  Select Resource Manager as the deployment model.
Account Kind
  Select the type of storage account: General purpose or Blob storage. The default is General purpose.
  • If General Purpose was selected, then specify the performance tier: Standard or Premium. The default is Standard.
  • If Blob storage was selected, then specify the access tier: Hot or Cool. The default is Hot.
Performance
  Select the type of performance: Standard or Premium. The default is Standard.
Replication
  Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS.
Storage Service Encryption
  Enable or disable this option to protect your data at rest. Azure Storage encrypts data as written in an Azure datacenter, and decrypts that data once it is accessed. The default is Disabled.
Secure Transfer Required
  Enable or disable this option to enhance the security of your storage account by allowing requests to the storage account by HTTPS only. The default is Disabled.
Subscription
  Select your Microsoft Azure subscription.
Resource Group
  Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).
Location
  Select the Azure data center geographic region in which you are deploying the vSRX VM. Typically, select the location that is closest to your physical location.
5. Click Create. The storage account might take a few seconds to create. Once it is
created, you see the storage account on the Azure portal dashboard.
Related Documentation
• Introduction to Microsoft Azure Storage
• About Azure storage accounts
Creating a Virtual Network
The Azure Virtual Network service enables you to securely connect Azure resources to each other with virtual networks. A virtual network is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can also connect virtual networks to your on-premises network.
If you do not have an existing Azure virtual network, follow the steps outlined in this
procedure.
To create an Azure virtual network:
1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.
Figure 9: Microsoft Azure Portal Dashboard
2. Click Virtual Networks from the menu of services to access the Virtual Networks blade (see Figure 10 on page 43).
Figure 10: Azure Portal Virtual Networks
3. Click Add (+) to create a new virtual network. The Create Virtual Network blade appears (see Figure 11 on page 44).
Figure 11: Creating a Virtual Network
4. Provide the following information for the new virtual network.

Name
  Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens.
Address Space
  Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/24.
  NOTE: Ensure that the address space does not overlap with an existing network.
Subnet name
  Enter a unique name for the subnet of the Azure virtual network. The subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens.
Subnet Address Range
  Enter a network subnet address range in CIDR notation. It must be contained by the address space of the virtual network, as defined in the Address Space field. Subnet address ranges cannot overlap one another. By default, the address range is 10.0.0.0/24.
  The subnet is a range of IP addresses in your virtual network to isolate VMs. Public subnets have access to the Internet gateway, but private subnets do not.
  NOTE: The address range of a subnet that is already in use cannot be edited.
Subscription
  Select your Microsoft Azure subscription.
Resource Group
  Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).
Location
  Select the Azure data center geographic region in which you are deploying the vSRX VM. Typically, select the location that is closest to your physical location.
5. Click Create. The virtual network might take a few seconds to create. Once it is created, you will see the virtual network on the Azure portal dashboard.
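The address-space and subnet rules in the table above (each subnet contained by the address space, no overlap between subnets) and the vSRX requirement of a management subnet, a public data subnet and at least one private subnet can be checked on paper before anything is created in the portal. The block below is an added example, not from the guide; the 10.0.0.0/16 address space and the subnet names and ranges are constructed, and the five-addresses-per-subnet reservation is Azure behaviour known to the editor rather than a figure from this guide.

```python
"""Validate a planned Azure virtual network layout for a vSRX VM: subnets inside the
address space, no overlaps, and one management, one public and >= 1 private subnet.
Added example; addresses are constructed. Azure reserves five addresses per subnet
(network address, three platform addresses, broadcast), hence the usable-host helper."""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
ADDRESS_SPACE = "10.0.0.0/16"

# Constructed layouts: one valid, one with an overlap and an out-of-space subnet.
PLANNED_OK = {"mgmt": "10.0.0.0/24", "public": "10.0.1.0/24", "private-app": "10.0.2.0/24"}
PLANNED_BAD = {"mgmt": "10.0.0.0/24", "public": "10.0.0.128/25", "private-app": "10.1.0.0/24"}
ROLES = {"mgmt": "management", "public": "public", "private-app": "private"}


def validate_vnet(address_space, subnets):
    """subnets: {name: cidr}. Return a list of problems; empty means the layout is valid."""
    problems = []
    space = ipaddress.ip_network(address_space, strict=True)   # rejects host bits set
    nets = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if nets[name].version != space.version or not nets[name].subnet_of(space):
            problems.append(f"{name}: {cidr} is outside the address space {space}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def usable_hosts(cidr):
    """Addresses left for VMs after Azure's per-subnet reservation."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_vsrx_roles(roles):
    """roles: {subnet name: 'management' | 'public' | 'private'}."""
    counts = {r: sum(1 for v in roles.values() if v == r)
              for r in ("management", "public", "private")}
    problems = []
    if counts["management"] != 1:
        problems.append(f"expected exactly one management subnet (fxp0), found {counts['management']}")
    if counts["public"] != 1:
        problems.append(f"expected exactly one public data subnet, found {counts['public']}")
    if counts["private"] < 1:
        problems.append("expected at least one private subnet")
    return problems


if __name__ == "__main__":
    for label, plan in (("ok", PLANNED_OK), ("bad", PLANNED_BAD)):
        print(label, validate_vnet(ADDRESS_SPACE, plan) or "layout valid")
    print("roles", check_vsrx_roles(ROLES) or "OK")
    print("usable hosts in a /24:", usable_hosts("10.0.0.0/24"))
```

`usable_hosts` is the reason a /29 management subnet is tight: 8 addresses minus the 5 reserved leaves 3, of which the vSRX fxp0 address takes one.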
Related Documentation
• Virtual networks and Windows virtual machines in Azure
• Create a virtual network
• Create, change, or delete network interfaces
• Create a VM (Classic) with multiple NICs
Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace
Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.
You use the security gateway solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX VM deployment. This solution template simplifies the configuration details of the vSRX VM through a customized deployment use case. The solution template defines subnets for the management network (fxp0), the trust security zone (ge-0/0/1.0), and the untrust security zone (ge-0/0/0.0) on the vSRX VM.
NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).
If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.
Use the following procedures to deploy a vSRX VM using the Security Gateway solution
template:
• Deploying the vSRX Using the Security Gateway Solution Template on page 46
• Verifying Deployment of vSRX to Microsoft Azure on page 58
• Logging In to a vSRX VM on page 59
Deploying the vSRX Using the Security Gateway Solution Template
To deploy a vSRX VM into an Azure virtual network using the Security Gateway solution
template from Azure Marketplace:
1. Log in to the Microsoft Azure portal using your Microsoft account user name and
password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You
will see a unified dashboard for all your assets in Azure. Verify that the dashboard
includes all subscriptions to which you currently have access, and all resource groups
and associated resources.
Figure 12: Microsoft Azure Portal Dashboard
2. Click Marketplace from the dashboard to access the Azure Marketplace, and then
click Everything (or click New > Everything). Enter vsrx to search for the vSRX Security
Gateway solution template in the Azure Marketplace (see Figure 13 on page 47). The
vSRX image is available as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL)
service.
vSRX Deployment Guide for Microsoft Azure Cloud
Figure 13: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace
3. Select the vSRX Security Gateway image from the list and then click Create to initiate
the vSRX VM deployment process (see Figure 14 on page 48).
Figure 14: Creating vSRX VM Using Security Gateway Solution Template
4. From the Create vSRX Security Gateway blade, in 1 Basics (see Figure 15 on page 49),
enter the initial VM setup information (such as VM login credentials, Azure subscription
plan, resource group, and geographic location), and then click OK.
Figure 15: Create vSRX Security Gateway - Basics
Admin Username: Enter an administrator username to access the vSRX VM. The username cannot contain uppercase characters or special characters, and cannot start with a “$” or “-” character.
Authentication type: Select the required method of authentication to access the vSRX VM: Password or SSH public key. Select Password as the type of authentication and then enter (and confirm) your password.
NOTE: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM.
Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method.
Admin User Password: Enter an appropriate root password used to access the vSRX VM. The password must be between 12 and 72 characters.
Subscription: Select your Microsoft Azure subscription.
Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34). Note that the resource group must be empty.
Location: Select the Azure geographic region in which you are deploying the vSRX VM.
5. From the Create vSRX Security Gateway blade, 2 Virtual Machine Settings:
• Specify a vSRX VM name in the vSRX host name field. The vSRX VM name must be
between 4 and 25 characters, and can contain only lowercase letters and numbers.
• Click VM size, and then click the right arrow to access the Choose a Size blade (see
Figure 16 on page 50).
NOTE: See “Requirements for vSRX on Microsoft Azure” on page 21 for the recommended system requirements for a vSRX instance in Microsoft Azure.
There are two performance tiers for storage in Microsoft Azure Cloud that you can
choose from when creating your disks: Standard Storage and Premium Storage.
Premium Storage is backed by SSDs, and delivers high-performance, low-latency
disk support for VMs running I/O-intensive workloads. Standard Storage is backed
by HDDs, and delivers cost-effective storage.
• For the SSD supported disk type, DS3_v2 Standard is used for the vSRX VM
deployment. Select DS3_v2 Standard as the vSRX VM size, and then click Select.
Figure 16: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for SSD
• For the HDD supported disk type, you can choose either DS3_v2 Standard or
D4_V2 Standard for the vSRX VM deployment. Choose the vSRX VM size, and
then click Select.
Figure 17: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for HDD
• Click New Storage Account Name, and then click the right arrow to access the Create
Storage Account blade (see Figure 18 on page 52). Enter information for the new
vSRX storage account in your Azure subscription, and then click OK.
Figure 18: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account
Name: Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters.
Performance: Select the type of performance: Standard or Premium. The default is Standard.
Replication: Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS.
Click OK when you complete selecting the vSRX VM size and, if necessary, a storage
account for your Azure subscription.
6. From the Create vSRX Security Gateway blade, 3 Network Settings:
• Click Virtual network, and then click the right arrow to access the Create Virtual
Network blade (see Figure 19 on page 53). Enter information for the new vSRX virtual
network in your Azure subscription, and then click OK.
Figure 19: Create vSRX VM Gateway - Network Settings - Create Virtual Network
Name: Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
Address Space: Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/16.
NOTE: Ensure that the address space does not overlap with an existing network.
• Click Subnets, and then click the right arrow to access the Subnets blade (see
Figure 20 on page 54). Enter information for the vSRX VM subnets, and then click
OK.
Figure 20: Create vSRX VM Gateway - Network Settings - Subnets
Management Subnet Name: Enter a unique name for the management subnet of the Azure virtual network. The management subnet is used by the management interface (fxp0) of the vSRX VM.
The management subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
Management Subnet Address Prefix: The management subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.0.0/24.
NOTE: The address range of a subnet that is already in use cannot be edited.
Untrust Subnet Name: Enter a unique name for the untrust subnet (the public subnet) of the Azure virtual network. The untrust subnet is used by the revenue (data) interface of the vSRX VM and connects to the Internet.
The untrust subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
Untrust Subnet Address Prefix: The untrust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.1.0/24.
NOTE: The address range of a subnet that is already in use cannot be edited.
Trust Subnet Name: Enter a unique name for the trust subnet (the private subnet) of the Azure virtual network. The trust subnet connects to a network segment that uses private IP addresses.
The trust subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
Trust Subnet Address Prefix: The trust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.2.0/24.
NOTE: The address range of a subnet that is already in use cannot be edited.
Click OK when you complete specifying the information for the vSRX VM subnets (the
management, trust, and untrust subnets), and if necessary, creating a virtual network
for your Azure subscription.
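The containment, non-overlap, and naming rules stated for the management, untrust, and trust subnets above can be checked before you click OK. The following Python example is added here and is not Juniper's code or part of this guide; it validates constructed subnet plans (the names and prefixes are made up, using the table's default prefixes inside a /16 that holds them) against exactly those rules.

```python
"""Check a vSRX Security Gateway network plan against the rules in the Network
Settings tables: the three subnets (management/fxp0, untrust/ge-0/0/0.0,
trust/ge-0/0/1.0) must each be contained by the virtual network address space,
must not overlap one another, and must follow the subnet naming rule.
Constructed example, not Juniper's code; the sample plans below are made up."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Naming rule from the tables: begin with a letter or number, end with a letter,
# number, or underscore, and contain only letters, numbers, underscores,
# periods, or hyphens.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9_])?$")
ROLES = ("management", "untrust", "trust")


@dataclass(frozen=True)
class NetworkPlan:
    vnet_name: str
    address_space: str                    # CIDR, for example 10.1.0.0/16
    subnets: Dict[str, Tuple[str, str]]   # role -> (subnet name, CIDR prefix)


def check_name(kind: str, name: str, errors: List[str]) -> None:
    if not NAME_RE.match(name):
        errors.append(f"{kind} name {name!r} violates the naming rule")


def validate_plan(plan: NetworkPlan) -> List[str]:
    """Return every rule violation found; an empty list means the plan is acceptable."""
    errors: List[str] = []
    check_name("virtual network", plan.vnet_name, errors)
    try:
        vnet = ipaddress.ip_network(plan.address_space, strict=True)
    except ValueError as exc:
        return [f"address space {plan.address_space!r} is not valid CIDR: {exc}"]

    accepted = []  # (role, network) pairs that parsed, for the overlap check
    for role in ROLES:
        if role not in plan.subnets:
            errors.append(f"{role} subnet is missing")
            continue
        name, prefix = plan.subnets[role]
        check_name(f"{role} subnet", name, errors)
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            errors.append(f"{role} subnet prefix {prefix!r} is not valid CIDR: {exc}")
            continue
        # Containment: the subnet must sit inside the virtual network address space.
        if net.version != vnet.version or not net.subnet_of(vnet):
            errors.append(f"{role} subnet {net} is not contained by address space {vnet}")
        # Non-overlap: compare against every subnet accepted so far.
        for other_role, other in accepted:
            if net.overlaps(other):
                errors.append(f"{role} subnet {net} overlaps {other_role} subnet {other}")
        accepted.append((role, net))
    return errors


# Constructed plan: the table's default subnet prefixes inside a /16 that holds them.
PLAN_DEFAULTS = NetworkPlan("vsrx-vnet", "10.1.0.0/16", {
    "management": ("vsrx-mgmt", "10.1.0.0/24"),
    "untrust": ("vsrx-untrust", "10.1.1.0/24"),
    "trust": ("vsrx-trust", "10.1.2.0/24"),
})

# Constructed mistake: a /23 management subnet swallows the untrust /24.
PLAN_OVERLAP = NetworkPlan("vsrx-vnet", "10.1.0.0/16", {
    "management": ("vsrx-mgmt", "10.1.0.0/23"),
    "untrust": ("vsrx-untrust", "10.1.1.0/24"),
    "trust": ("vsrx-trust", "10.1.2.0/24"),
})

# Constructed mistake: an address space that contains none of the subnets.
PLAN_OUTSIDE = NetworkPlan("vsrx-vnet", "172.16.0.0/16", PLAN_DEFAULTS.subnets)

if __name__ == "__main__":
    for label, plan in (("defaults", PLAN_DEFAULTS), ("overlap", PLAN_OVERLAP),
                        ("outside", PLAN_OUTSIDE)):
        print(label, validate_plan(plan) or "OK")
```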
7. From the Create vSRX Security Gateway blade, 4 Summary, review the configuration
settings (see Figure 21 on page 56). If you are satisfied with the configuration settings,
click OK.
Figure 21: Create vSRX VM Gateway - Summary
8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms
of use (see Figure 22 on page 57). If you are satisfied with the offer details and terms
of use, click Purchase.
Figure 22: Create vSRX VM Gateway - Purchase
9. You return to the Azure portal dashboard, and the dashboard displays the deployment
status of the vSRX VM (see Figure 23 on page 57).
Figure 23: vSRX VM Deployment Status
Verifying Deployment of vSRX to Microsoft Azure
After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under
Resource Groups. The corresponding cloud service and storage account also are created
and listed. Both the vSRX VM and the cloud service are started automatically and their
status is listed as Running.
To verify the deployment of the vSRX instance to Microsoft Azure:
1. To view the vSRX resource group and its resources after deployment is completed,
from the right-hand menu, click Resource groups to access the Resource Groups page.
Figure 24 on page 58 shows an example of the Resource Groups page in the Microsoft
Azure portal.
Figure 24: Microsoft Azure Resource Groups Page
2. To view details of the vSRX VM associated with the resource group, click the name
of the vSRX VM. Observe that the status is Running.
NOTE: You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.
Figure 25 on page 59 shows an example of a Resource groups vSRX VM in the Microsoft
Azure portal.
Figure 25: Microsoft Azure Resource Groups VM Example
Logging In to a vSRX VM
After vSRX deployment is completed, the vSRX VM is automatically powered on and
launched. At this point you can use an SSH client to log in to the vSRX VM.
NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.
To log in to the vSRX VM:
1. From the Azure portal, click Resource groups from the menu of services on the
dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX
VM from the Settings blade.
2. Use an SSH client to log in to a vSRX VM.
3. At the prompt, enter the following login credentials:
NOTE: The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration. After initially logging in to the vSRX, you can configure SSH public and private key authentication.
# ssh <username@vsrx_vm_ipaddress>
The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>
4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI”
on page 90).
Release History Table
15.1X49-D100: Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.
Related Documentation
• How to Deploy in Microsoft Azure using Azure Portal and Template
• Microsoft Azure portal overview
Deploying the vSRX Image from Azure Marketplace
Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual
security appliance in your Azure virtual network by selecting the vSRX image from Azure
Marketplace and customizing the vSRX VM deployment settings and dependencies
based on your network requirements in Microsoft Azure Cloud.
This deployment approach might be needed if you have a vSRX VM deployment scenario
that is outside of the use cases offered in the vSRX VM solution templates available from
Juniper Networks.
NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).
If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.
Use the following procedures to deploy and configure a vSRX VM into an Azure virtual
network from the Azure portal.
• Deploying the vSRX Image on page 61
• Verifying Deployment of vSRX to Microsoft Azure on page 71
• Logging In to a vSRX VM on page 72
Deploying the vSRX Image
To deploy and configure a vSRX VM into an Azure virtual network using the vSRX image
from Azure Marketplace:
1. Log in to the Microsoft Azure portal using your Microsoft account user name and
password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You
will see a unified dashboard for all your assets in Azure. Verify that the dashboard
includes all subscriptions to which you currently have access, and all resource groups
and associated resources.
Figure 26: Microsoft Azure Portal Dashboard
2. Click Marketplace from the dashboard to access the Azure Marketplace, and then
click Everything (or click New > Everything). Enter vsrx to search for the available
Juniper Networks vSRX VM images in the Azure Marketplace (see Figure 27 on page 62).
The vSRX image is available as a pay-as-you-go (PAYG) or bring-your-own-license
(BYOL) service.
Figure 27: Locating the vSRX VM Image in the Azure Marketplace
3. Select the vSRX VM image from the list and then click Create to initiate the vSRX VM
deployment process (see Figure 28 on page 63).
Figure 28: Initiating vSRX VM Deployment
4. From the Create Virtual Machine blade, 1 Basics, configure the following parameters
(see Figure 29 on page 64).
Figure 29: Create Virtual Machine - Basics
Name: Specify a name for your vSRX VM. Your vSRX VM name cannot contain non-ASCII or special characters.
VM Disk Type: Specify the disk type to use for the vSRX VM: SSD or HDD. The default is SSD.
User name: Enter a username to access the vSRX VM. The username cannot contain uppercase characters or special characters, and cannot start with a “$” or “-” character.
Authentication type: Select the required method of authentication to access the vSRX VM: Password or SSH public key. Select Password as the type of authentication and then enter (and confirm) your password.
NOTE: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM.
Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method.
Password: Enter an appropriate root password used to access the vSRX VM.
Subscription: Select your Microsoft Azure subscription.
Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).
Location: Select the Azure geographic region in which you are deploying the vSRX VM.
Click OK.
5. From the Create Virtual Machine blade, 2 Size, select DS3_v2 Standard as the vSRX
VM size (see Figure 30 on page 66). Click Select.
DS3_v2 Standard is used for a vSRX VM deployment. See “Requirements for vSRX on
Microsoft Azure” on page 21 for the recommended system requirements for a vSRX
instance in Microsoft Azure.
Figure 30: Create Virtual Machine - Choose a Size
6. From the Create Virtual Machine blade, 3 Settings, configure the following parameters
to define the storage, networking, and monitoring settings for the vSRX VM (see
Figure 31 on page 67). Click OK when completed.
Figure 31: Create Virtual Machine - Settings
Storage
Use Managed Disks: Specify whether you want Azure to automatically manage the availability of disks to provide data redundancy and fault tolerance without you creating and managing a storage account. Click No.
Storage Account: If you need to change the storage account for the vSRX VM, click the right arrow to access the Choose Storage Account blade. Select an existing storage account for the vSRX VM, or click Create new (+) to create a new one. See “Creating a Storage Account” on page 38 for details about creating a new storage account.
Network
Virtual Network: If you need to change the virtual network for the vSRX VM, click the right arrow to access the Choose Virtual Network blade. Select an existing virtual network for the vSRX VM, or click Create new (+) to create a new one. See “Creating a Virtual Network” on page 41 for details about creating a new virtual network.
Subnet: Enter a subnet, which is a range of IP addresses in your virtual network used to isolate VMs. Public subnets have access to the Internet gateway, but private subnets do not.
A vSRX VM requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and another for the two revenue (data) interfaces. The private subnets, connected to other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.
To modify the subnet for the virtual network, click the right arrow to access the Create Subnet blade. Configure the following parameters:
• Subnet name—A unique name for the subnet in the Azure virtual network.
• Subnet address range—The subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.0.0.0/24.
NOTE: The address range of a subnet that is already in use cannot be edited.
Public IP address: Specify the public IP address that allows communication to the vSRX VM from outside the Azure virtual network. To modify the public IP address for the vSRX VM, click the right arrow to access the Choose Public IP Address blade. Select a public IP address in your Azure subscription and location, or click Create new (+) to create a new one. Configure the following parameters:
• Name—A unique name for the public IP address.
• Assignment—There are two methods in which an IP address is allocated to a public IP resource: dynamic or static. By default, public IP addresses are dynamic, meaning an IP address is not allocated at the time of the resource's creation. Instead, the public IP address is allocated when you start (or create) the resource. The IP address associated with the resource may change when the vSRX VM is deleted.
To guarantee that the vSRX VM always uses the same public IP address, we recommend that you assign a static public IP address.
Network security group: Specify a network security group, which is a set of firewall rules that control traffic to and from the vSRX VM. Each network security group can contain multiple inbound and outbound security rules that enable you to filter traffic by source and destination IP address, port, and protocol. You can apply a network security group to each NIC in the VM.
To modify the network security group for the vSRX VM to filter traffic, click the right arrow to access the Choose Network Security blade. Select a network security group in your Azure subscription and location, or click Create new (+) to create a new one. Configure the following parameters:
• Name—A unique name for the network security group.
• Inbound rules—You can add one or more inbound security rules to allow or deny traffic to the vSRX VM.
• Outbound rules—You can add one or more outbound security rules to allow or deny traffic originating from the vSRX VM.
Extensions
Extensions: No extensions are used for the vSRX VM.
High Availability
Availability Set: Configure two or more VMs in an availability set to provide redundancy to an application.
NOTE: Availability Set should be set to None for the vSRX VM. Availability Set is not used for the vSRX VM in Azure because chassis clustering is not supported by the vSRX at this time.
Monitoring
Boot Diagnostics: Enables or disables the capturing of serial console output and screenshots of the VM running on the host to help diagnose start-up issues. The default is Enabled.
Guest OS Diagnostics: Enables or disables the ability to obtain metrics every minute for the VM. Choices are Disabled or Enabled. The default is Disabled.
Diagnostics Storage Account: Click the right arrow to view the details of the diagnostics storage account. This field is automatically filled in with the name of the diagnostics storage account from which you can analyze a set of metrics with your own tools.
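The Network security group parameter above lists what a rule can match (inbound or outbound, source and destination address, port, protocol) but not how Azure orders rules on a NIC. The following Python example is added here and is not Juniper's or Microsoft's code; it models inbound evaluation as Azure documents it (ascending priority, first match decides, platform default rules last) and contrasts an SSH rule for the fxp0 management NIC that is open to any source with one limited to an administrator prefix. All rule names, prefixes, and flows are constructed, and the default rule set is simplified as noted in the comments.

```python
"""Evaluate inbound network security group (NSG) rules for a vSRX NIC the way
Azure applies them: rules are checked in ascending priority order and the first
match decides, with the platform default rules closing the list. Constructed
example, not Juniper's or Microsoft's code; rule sets, prefixes and flows are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # user rules 100-4096; lower numbers are evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", or "*"
    source: str       # CIDR prefix, "*" for any, or the "VirtualNetwork" tag
    dest_port: str    # "22", a range such as "1024-65535", or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int
    vnet: str = "10.1.0.0/16"   # address space behind the "VirtualNetwork" tag


# Azure's built-in inbound defaults, simplified: traffic from inside the virtual
# network is allowed, and anything that matched nothing above is denied. (The real
# default set also allows the Azure load balancer probe source; omitted here.)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", ANY, "VirtualNetwork", ANY),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY, ANY),
]


def port_matches(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def source_matches(spec: str, flow: Flow) -> bool:
    if spec == ANY:
        return True
    src = ipaddress.ip_address(flow.src_ip)
    prefix = flow.vnet if spec == "VirtualNetwork" else spec
    return src in ipaddress.ip_network(prefix)


def evaluate(rules: List[Rule], flow: Flow) -> Rule:
    """Return the first rule, by priority, that matches the flow (defaults included)."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in (ANY, flow.protocol):
            continue
        if not port_matches(rule.dest_port, flow.dest_port):
            continue
        if not source_matches(rule.source, flow):
            continue
        return rule
    raise RuntimeError("DenyAllInBound always matches")  # not reachable


def decision(rules: List[Rule], flow: Flow) -> str:
    """Return "Allow" or "Deny" for the flow under the given NSG."""
    return evaluate(rules, flow).access


# Weak setting for the management (fxp0) NIC: SSH reachable from any source.
MGMT_NSG_OPEN = [Rule("ssh-any", 100, "Allow", "Tcp", ANY, "22")]

# Corrected setting: SSH only from the administrators' prefix (constructed value);
# every other inbound flow from outside the virtual network falls to DenyAllInBound.
MGMT_NSG_RESTRICTED = [Rule("ssh-admins", 100, "Allow", "Tcp", "203.0.113.0/24", "22")]

if __name__ == "__main__":
    internet_ssh = Flow("198.51.100.7", "Tcp", 22)
    for label, nsg in (("open", MGMT_NSG_OPEN), ("restricted", MGMT_NSG_RESTRICTED)):
        hit = evaluate(nsg, internet_ssh)
        print(f"{label}: Internet SSH -> {hit.access} by {hit.name}")
```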
7. From the Create Virtual Machine blade, 4 Summary, review the configuration settings
(see Figure 32 on page 70). If you are satisfied with the configuration settings, click
OK.
Figure 32: Create Virtual Machine - Summary
8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms
of use (see Figure 22 on page 57). If you are satisfied with the offer details and terms
of use, click Purchase.
Figure 33: Create Virtual Machine - Purchase
You return to the Azure portal dashboard, and the dashboard displays the deployment
status of the vSRX VM.
Verifying Deployment of vSRX to Microsoft Azure
After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under
Resource Groups. The corresponding cloud service and storage account also are created
and listed. Both the vSRX VM and the cloud service are started automatically and their
status is listed as Running.
To verify the deployment of the vSRX instance to Microsoft Azure:
1. To view the vSRX resource group and its resources after deployment is completed,
from the right-hand menu, click Resource groups to access the Resource Groups page.
2. To view details of the vSRX VM associated with the resource group, click the name
of the vSRX VM. Observe that the status is Running.
NOTE: You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.
Figure 25 on page 59 shows an example of a Resource groups vSRX VM in the Microsoft
Azure portal.
Figure 34: Microsoft Azure Resource Groups VM Example
Logging In to a vSRX VM
After vSRX deployment is completed, the vSRX VM is automatically powered on and
launched. At this point you can use an SSH client to log in to the vSRX VM.
NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.
To log in to the vSRX VM:
1. From the Azure portal, click Resource groups from the menu of services on the
dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX
VM from the Settings blade.
2. Use an SSH client to log in to a vSRX VM.
3. At the prompt, enter the following login credentials:
NOTE: The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration (see “Deploying the vSRX Image” on page 61). After initially logging in to the vSRX, you can configure SSH public and private key authentication.
# ssh <username@vsrx_vm_ipaddress>
The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>
4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI”
on page 90).
Release History Table
15.1X49-D91: Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network by selecting the vSRX image from Azure Marketplace and customizing the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
Related Documentation
• How to Deploy in Microsoft Azure using Azure Portal and Template
• Microsoft Azure portal overview
• Virtual networks and Windows virtual machines in Azure
• Create, change, or delete network interfaces
• Create a VM (Classic) with multiple NICs
CHAPTER 3
Installing vSRX from the Azure CLI
• Before You Deploy vSRX Using the Azure CLI on page 75
• Deploying vSRX from the Azure CLI on page 77
Before You Deploy vSRX Using the Azure CLI
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy
the vSRX from the Azure CLI and customize the vSRX VM deployment settings and
dependencies based on your network requirements in Microsoft Azure Cloud.
To help automate and simplify the deployment of the vSRX in the Microsoft Azure virtual
network, Juniper Networks provides a series of scripts, Azure Resource Manager (ARM)
templates and parameter files, and configuration files in the GitHub repository
https://github.com/Juniper/vSRX-Azure. The ARM template includes resource parameters
that enable you to customize your vSRX VM deployment, such as login credentials,
network interfaces, and storage container name. The template consists of JavaScript
Object Notation (JSON) expressions for your vSRX deployment.
The vSRX deployment files in the GitHub repository include:
• The deploy-azure-vsrx.sh shell script to automate the deployment and configuration
of the vSRX virtual machine (VM).
• The vsrx.json template file to define the components of the Azure resource group and
virtual hardware settings (VM size, interface number and network) of the vSRX VM.
• The vsrx.parameters.json parameter file to identify the network interface parameters
used to deploy the vSRX VM in Azure.
Before you deploy the vSRX virtual security appliance from the Azure CLI:
• Review the requirements for deploying a vSRX VM in Microsoft Azure Cloud in
“Requirements for vSRX on Microsoft Azure” on page 21.
• Obtain an account for and a subscription to Microsoft Azure (see Microsoft Azure).
• From the Azure portal, you must first manually deploy the vSRX image (only once) by
using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation
Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can
deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment
tool uses the vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your
Microsoft account username and password to log in to the Microsoft Azure portal.
NOTE: You will encounter a MarketplacePurchaseEligibilityFailed error if you do
not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.
• Install Azure command line interface (Azure CLI) 1.0 and enable Azure Resource
Management (ARM) mode (see Install the Azure CLI).
NOTE: The vSRX for Azure deployment shell script deploy-azure-vsrx.sh is
written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.
• Purchase a vSRX license or request an evaluation license. Licenses can be procured
from the Juniper Networks License Management System (LMS).
NOTE: Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.
When you deploy a vSRX VM in an Azure virtual network, note the following specifics of
the deployment configuration:
• Use your Microsoft account username and password to log in to the Microsoft Azure
portal.
• Ensure that your Azure subscription includes the following for your vSRX VM:
• Resource group, as described in “Creating a Resource Group” on page 34.
• Storage account, as described in “Creating a Storage Account” on page 38.
• Virtual network, as described in “Creating a Virtual Network” on page 41.
vSRX deployment from the Azure CLI is described in detail in “Deploying vSRX from the
Azure CLI” on page 77.
Release History Table
15.1X49-D80: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
Related Documentation
• Azure Resource Manager overview
• Deploy resources with Resource Manager templates and Azure CLI
Deploying vSRX from the Azure CLI
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy
the vSRX from the Azure CLI and customize the vSRX VM deployment settings and
dependencies based on your network requirements in Microsoft Azure Cloud.
Use the following procedure to deploy and configure vSRX as a virtual security appliance
in a Microsoft Azure virtual network from the Azure CLI. In this procedure, you use the
Azure CLI running in Azure Resource Manager (ARM) mode.
NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).
If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.
NOTE: From the Azure portal, you must first manually deploy the vSRX image (only once) by using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment tool uses the vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your Microsoft account username and password to log into the Microsoft Azure portal.
You will encounter a MarketplacePurchaseEligibilityFailed error if you do not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.
• Installing the Microsoft Azure CLI on page 78
• Downloading the vSRX Deployment Tools on page 79
• Changing Parameter Values in the vsrx.parameter.json File on page 80
• Deploying the vSRX Using the Shell Script on page 82
• Verifying Deployment of vSRX to Microsoft Azure on page 84
• Logging In to a vSRX Instance on page 85
Installing the Microsoft Azure CLI
To install and log in to the Microsoft Azure CLI:
1. Install the Microsoft Azure CLI 1.0 as outlined in Install the Azure CLI. You have several
options to install the Azure CLI package for either the Linux or Mac OS; be sure to
select the correct installation package.
NOTE: The vSRX for Azure deployment shell script deploy-azure-vsrx.sh is written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.
NOTE: Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.
2. Log into the Azure CLI.
> azure login
3. At the prompt, copy the code that appears in the command output.
Executing command login
To sign in, use a web browser to open the page http://aka.ms/devicelogin. Enter the code XXXXXXXXX to authenticate
4. Open a Web browser to http://aka.ms/devicelogin, enter the code, and then click
Continue. Enter your Microsoft Azure username and password credentials. When the
process completes, the command shell completes the login process.
Added subscription Microsoft Azure Enterprise
To sign in, use a web browser to open the page http://aka.ms/devicelogin
login command OK
NOTE: If you have multiple Azure subscriptions, connecting to Azure grants access to all subscriptions associated with your credentials. One subscription is selected as the default and used by the Azure CLI when performing operations. You can view the subscriptions, including the current default subscription, using the azure account list command.
5. Ensure that the Azure CLI is in Azure Resource Manager (ARM) mode.
> azure config mode arm
NOTE: When the Azure CLI is initially installed, the CLI is in ARM mode.
Downloading the vSRX Deployment Tools
Juniper Networks provides a set of scripts, templates, parameter files, and configuration
files in Juniper’s GitHub repository. These tools are intended to help simplify the
deployment of the vSRX to Azure when using the Azure CLI.
NOTE: For background information on the scripts, templates, parameter files, and configuration files, see “Before You Deploy vSRX Using the Azure CLI” on page 75.
To download the vSRX deployment tools:
1. Access GitHub by using the following link: https://github.com/Juniper/vSRX-Azure.
2. Click Clone or download to download to your computer the vSRX-Azure-master.zip file
from GitHub containing all files and directories from vSRX-Azure. The
vSRX-Azure-master directory includes the following directories and files:
vSRX-Azure-master
  README.md
  LICENSE
  sample-templates
    arm-templates-tool
      README.md
      deploy-azure-vsrx.sh
      templates
        app-vm
          vm.json
          vm.parameters.json
        vsrx-gateway
          vsrx.json
          vsrx.parameters.json
      utils
        decode_param_file.py
        gen_param_file.py
        gen_template_file.py
    simple-vsrx-demo
      README.md
      vsrx.json
      vsrx.parameters.json
  marketplace-solution-templates
    vpn-gateway
      createUiDefinition.json
      mainTemplate.json
      vSRX-password.json
      vSRX-sshPublicKey.json
3. Extract the compressed vSRX-Azure-master.zip file to a location on your computer.
Changing Parameter Values in the vsrx.parameter.json File
In the vsrx.parameters.json file, you need to modify parameter values specific to your
vSRX deployment in Microsoft Azure. These parameters are used as part of the automatic
deployment performed by the deploy-azure-vsrx.sh script.
Keep in mind that by default vSRX uses fxp0 as the egress interface to the Internet. For
features requiring Internet connections that use a revenue port (such as VPN, UTM, and
so on), routing instances are required to isolate the traffic between the management
network and the revenue network.
To change parameter values in the vsrx.parameters.json file:
1. Open the vsrx.parameters.json file with a text editor.
2. Modify the values in the vsrx.parameters.json file based on the specifics of your vSRX
deployment. As an example, the following table outlines the parameters in the
vsrx.parameters.json file found in
sample-templates\arm-templates-tool\templates\vsrx-gateway that might require
modification.
CAUTION: It is critical that you change the vsrx-username and vsrx-password login credentials listed in the vsrx.parameters.json file before you launch the vSRX instance and log in for the first time. Note that you cannot reset login credentials for the vSRX using the Microsoft Azure portal or the Azure CLI.
Parameter (Default Value): Comment

storageAccountName (juniperstore01): Must be unique for each deployment.
storageContainerName (vhds): Name of the Microsoft Azure storage container (VHDs).
vsrx-name (vsrx-gw): Specifies the vSRX hostname.
vsrx-addr-ge-0-0-0 (192.168.10.20): IP address of vSRX interface ge-0/0/0.0.
vsrx-addr-ge-0-0-1 (192.168.20.20): IP address of vSRX interface ge-0/0/1.0.
vsrx-username (demo): Change to an appropriate username for the login credentials used to access the vSRX.
vsrx-password (Demo123456): Change to an appropriate password for the login credentials used to access the vSRX.
vsrx-sshkey (ssh-rsa placeholder): Specifies the root authentication password for the vSRX VM by entering an SSH public key string (RSA or DSA). By default, the deploy-azure-vsrx.sh deployment script selects the password authentication method, unless -p, followed by the SSH RSA public key file (id_rsa.pub by default), is specified. NOTE: Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.
vsrx-disk (placeholder): The source image to create the vSRX instance. By default, the deploy-azure-vsrx.sh script uses the vSRX Next Generation Firewall (BYOL) SKU in the Azure Marketplace as the source image to deploy the vSRX instance, unless -i is used to explicitly specify the vSRX instance image location.
vnet-prefix (192.168.0.0/16): IP address prefix of the virtual network.
vnet-mgt-subnet-basename (mgt-subnet): Name of the management network connected to fxp0.
vnet-mgt-subnet-prefix (192.168.0.0/24): IP address prefix of the management network connected to fxp0.
vnet-trust-subnet-basename (trust-subnet): Name of the network connected to the trust security zone: ge-0/0/1.0 on the vSRX.
vnet-trust-subnet-prefix (192.168.20.0/24): IP address prefix of the network connected to the trust security zone: ge-0/0/1.0 on the vSRX.
vnet-untrust-subnet-basename (untrust-subnet): Name of the network connected to the untrust security zone: ge-0/0/0.0 on the vSRX.
vnet-untrust-subnet-prefix (192.168.10.0/24): IP address prefix of the network connected to the untrust security zone: ge-0/0/0.0 on the vSRX.
3. Save your changes to the vsrx.parameters.json file.
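Before handing the edited file to the deploy script, it is worth checking it mechanically rather than by eye: the login credentials must differ from the documented defaults, the three subnet prefixes must sit inside vnet-prefix without overlapping, and each ge-0/0/x address must fall inside the subnet its zone is attached to. The following Python script is an added example written for this guide; it is not part of the Juniper vSRX-Azure repository. It assumes the standard ARM parameter-file layout ({"parameters": {name: {"value": ...}}}) and builds a constructed sample from the default values in the table above.

```python
"""Preflight checks for vsrx.parameters.json before running deploy-azure-vsrx.sh (added example)."""
import copy
import ipaddress
import json
import re
import sys

# Defaults from the parameter table; leaving them in place is the failure mode the CAUTION describes.
DEFAULT_CREDENTIALS = {"vsrx-username": "demo", "vsrx-password": "Demo123456"}
SSHKEY_PLACEHOLDER = "ssh-rsa placeholder"
# Azure storage account names: 3 to 24 lowercase letters and digits, globally unique.
STORAGE_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Which vSRX interface address must live inside which subnet prefix (untrust = ge-0/0/0, trust = ge-0/0/1).
ADDRESS_TO_SUBNET = {
    "vsrx-addr-ge-0-0-0": "vnet-untrust-subnet-prefix",
    "vsrx-addr-ge-0-0-1": "vnet-trust-subnet-prefix",
}
SUBNET_KEYS = ("vnet-mgt-subnet-prefix", "vnet-trust-subnet-prefix", "vnet-untrust-subnet-prefix")

# Constructed sample mirroring the documented defaults; not a file from the Juniper repository.
SAMPLE_DEFAULTS = {
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": {"value": "juniperstore01"},
        "storageContainerName": {"value": "vhds"},
        "vsrx-name": {"value": "vsrx-gw"},
        "vsrx-addr-ge-0-0-0": {"value": "192.168.10.20"},
        "vsrx-addr-ge-0-0-1": {"value": "192.168.20.20"},
        "vsrx-username": {"value": "demo"},
        "vsrx-password": {"value": "Demo123456"},
        "vsrx-sshkey": {"value": "ssh-rsa placeholder"},
        "vsrx-disk": {"value": "placeholder"},
        "vnet-prefix": {"value": "192.168.0.0/16"},
        "vnet-mgt-subnet-basename": {"value": "mgt-subnet"},
        "vnet-mgt-subnet-prefix": {"value": "192.168.0.0/24"},
        "vnet-trust-subnet-basename": {"value": "trust-subnet"},
        "vnet-trust-subnet-prefix": {"value": "192.168.20.0/24"},
        "vnet-untrust-subnet-basename": {"value": "untrust-subnet"},
        "vnet-untrust-subnet-prefix": {"value": "192.168.10.0/24"},
    },
}


def flatten(doc):
    """Reduce the assumed ARM layout {"parameters": {name: {"value": v}}} to a plain {name: v} dict."""
    return {name: entry.get("value") for name, entry in doc.get("parameters", {}).items()}


def with_overrides(doc, overrides):
    """Return a copy of doc with the given parameter values replaced (used to show a clean file passing)."""
    out = copy.deepcopy(doc)
    for name, value in overrides.items():
        out["parameters"][name] = {"value": value}
    return out


def check_parameters(doc):
    """Return a list of findings; an empty list means every check passed."""
    p = flatten(doc)
    findings = []

    for name, default in DEFAULT_CREDENTIALS.items():
        if p.get(name) == default:
            findings.append(f"{name} still has the documented default value; change it before deploying")

    sshkey = p.get("vsrx-sshkey", SSHKEY_PLACEHOLDER)
    if sshkey != SSHKEY_PLACEHOLDER and not str(sshkey).startswith(("ssh-rsa ", "ssh-dss ")):
        findings.append("vsrx-sshkey is set but is not an RSA or DSA public key string")

    if not STORAGE_ACCOUNT_RE.match(str(p.get("storageAccountName", ""))):
        findings.append("storageAccountName must be 3-24 lowercase letters and digits")

    try:
        vnet = ipaddress.ip_network(p["vnet-prefix"])
        subnets = {k: ipaddress.ip_network(p[k]) for k in SUBNET_KEYS}
    except (KeyError, ValueError) as exc:
        findings.append(f"network prefix missing or malformed: {exc}")
        return findings

    for key, net in subnets.items():
        if not net.subnet_of(vnet):
            findings.append(f"{key} {net} is not inside vnet-prefix {vnet}")
    keys = list(subnets)
    for i, first in enumerate(keys):
        for second in keys[i + 1:]:
            if subnets[first].overlaps(subnets[second]):
                findings.append(f"{first} and {second} overlap")

    for addr_key, subnet_key in ADDRESS_TO_SUBNET.items():
        try:
            addr = ipaddress.ip_address(p[addr_key])
        except (KeyError, ValueError):
            findings.append(f"{addr_key} is missing or not a valid IP address")
            continue
        if addr not in subnets[subnet_key]:
            findings.append(f"{addr_key} {addr} is outside {subnet_key} {subnets[subnet_key]}")
    return findings


if __name__ == "__main__":
    # Pass the path of a real vsrx.parameters.json; with no argument the constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_DEFAULTS
    problems = check_parameters(doc)
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
```

Run against the unmodified defaults the script reports exactly the two credential findings; once vsrx-username and vsrx-password are changed it reports nothing, and moving an interface address into the wrong subnet is caught before the deployment is created.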
Deploying the vSRX Using the Shell Script
The deploy-azure-vsrx.sh shell script deploys the vSRX virtual machine in a resource
group that is based on your Azure Cloud geographic location. The script uses the storage
account and network values defined in the vsrx.parameters.json file.
To deploy vSRX to the Azure virtual network:
1. At the bash prompt in the Azure CLI, run the deploy-azure-vsrx.sh script. By default,
the script deploys the vSRX VM using the vSRX Next Generation Firewall (BYOL) SKU
as the source image from the Azure Marketplace. The following information is read
from the vsrx.json file as part of the deployment:
• VM Size: Standard_D3_v2
• Publisher: Juniper Networks
• SKU: vsrx-byol-azure-image
• Offering: vsrx-next-generation-firewall
The following is an example of the command syntax. In this example, the script uses
the vSRX image to deploy the vSRX VM in resource group “example_rg” at the Azure
location “westus.” The storage account and network values are defined in the
vsrx.parameters.json file.
> ./deploy-azure-vsrx.sh -g example_rg -l westus \
    -f vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.json \
    -e vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.parameters.json
NOTE: When you specify the vSRX source image URL with the option -i, the script copies the vSRX source image to create the virtual hard disk file and sets the vsrx-disk parameter in vsrx.parameters.json to this value.
The default parameter values in the command syntax include:
• example_rg is the resource group name (-g).
• westus is the Azure location (-l).
• vsrx.json in the folder
vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the
default Azure template file (-f).
• vsrx.parameters.json in the folder
vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the
default parameter file (-e).
2. Monitor the stages of deployment of vSRX to Microsoft Azure as they occur on screen.
Deployment encompasses operations such as creating a resource group, a storage
account, and a template group (including configuration parameters).
NOTE: Creation of the storage account can take approximately 3 to 5 minutes on average. However, in some cases, it might take as long as 15 to 20 minutes.
arm-templates-tool ./deploy-azure-vsrx.sh
Use default resource group name 'vsrx'
info: Executing command config mode
info: New mode is arm
info: config mode command OK
info: Executing command group create
+ Getting resource group vsrx
+ Creating resource group vsrx
info: Created resource group vsrx
data: Id: /subscriptions/1c3367ba-71fc-48df-898a-d9eab4f1d673/resourceGroups/vsrx
data: Name: vsrx
data: Location: westus
data: Provisioning State: Succeeded
data: Tags: null
data:
info: group create command OK
info: Executing command storage account create
…
data: DeploymentName : deployvsrx
data: ResourceGroupName : vsrx
data: ProvisioningState : Succeeded
data: Timestamp : Thu Jul 20 2017 12:31:45 GMT+0800 (CST)
data: Mode : Incremental
data: CorrelationId : a99b89f8-5919-4dbc-b8a5-6d76b30fcb67
data: DeploymentParameters :
data: Name                          Type          Value
data: ----------------------------  ------------  -------------------
data: storageAccountName            String        jnprsa01
data: storageContainerName          String        vhds
data: vsrx-name                     String        vsrx-test01
data: vsrx-addr-ge-0-0-0            String        192.168.10.20
data: vsrx-addr-ge-0-0-1            String        192.168.20.20
data: vsrx-username                 String        demo
data: vsrx-password                 SecureString  undefined
data: vsrx-sshkey                   String        ssh-rsa placeholder
data: vsrx-disk                     String        placeholder
data: vnet-prefix                   String        192.168.0.0/16
data: vnet-mgt-subnet-basename      String        mgt-subnet
data: vnet-mgt-subnet-prefix        String        192.168.0.0/24
data: vnet-trust-subnet-basename    String        trust-subnet
data: vnet-trust-subnet-prefix      String        192.168.20.0/24
data: vnet-untrust-subnet-basename  String        untrust-subnet
data: vnet-untrust-subnet-prefix    String        192.168.10.0/24
info: group deployment create command OK
When the deployment process completes, you will see the message “info: group
deployment create command OK”.
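When the script is run from automation rather than watched on screen, the same text is what has to be checked: the ProvisioningState line, the closing "command OK" line, and the DeploymentParameters table, in which the password is reported as SecureString with the value withheld ("undefined") while every other parameter is echoed in clear. The parser below is an added example for this guide, not part of the Juniper tooling; it assumes the Azure CLI 1.0 "data:" line layout shown above and runs over a constructed, shortened copy of that output.

```python
"""Parse Azure CLI 1.0 'group deployment create' output into a checkable report (added example)."""
import re

# "data: ProvisioningState : Succeeded" style summary lines (note the space before the colon).
SUMMARY_RE = re.compile(r"^data:\s+(\w+)\s+:\s*(.*)$")
# "data: <name> <Type> <value>" rows of the DeploymentParameters table; the value may contain spaces.
PARAM_RE = re.compile(r"^data:\s+(\S+)\s+(SecureString|String|Int|Bool|Object|Array)\s+(.*)$")
OK_MARKER = "group deployment create command OK"

# Constructed, shortened copy of the deployment output shown in this section.
SAMPLE_OUTPUT = """\
info: Executing command group deployment create
data: DeploymentName : deployvsrx
data: ResourceGroupName : vsrx
data: ProvisioningState : Succeeded
data: Mode : Incremental
data: DeploymentParameters :
data: Name                          Type          Value
data: ----------------------------  ------------  -------------------
data: storageAccountName            String        jnprsa01
data: vsrx-name                     String        vsrx-test01
data: vsrx-username                 String        demo
data: vsrx-password                 SecureString  undefined
data: vsrx-sshkey                   String        ssh-rsa placeholder
data: vnet-prefix                   String        192.168.0.0/16
info: group deployment create command OK
"""


def parse_deployment_output(text):
    """Return {"summary": {...}, "parameters": {name: (type, value)}, "command_ok": bool}."""
    report = {"summary": {}, "parameters": {}, "command_ok": False}
    in_params = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("info:") and line.endswith(OK_MARKER):
            report["command_ok"] = True
            continue
        if in_params:
            m = PARAM_RE.match(line)  # header and dashes rows do not match and are skipped
            if m:
                report["parameters"][m.group(1)] = (m.group(2), m.group(3).strip())
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group(1)] = m.group(2).strip()
            in_params = m.group(1) == "DeploymentParameters"
    return report


def deployment_succeeded(report):
    """True only if the CLI closed the command cleanly and ARM reports the deployment as Succeeded."""
    return report["command_ok"] and report["summary"].get("ProvisioningState") == "Succeeded"


def echoed_secrets(report):
    """Parameters whose name suggests a secret but which ARM echoed as a plain String."""
    return [name for name, (ptype, _value) in report["parameters"].items()
            if "password" in name.lower() and ptype != "SecureString"]


if __name__ == "__main__":
    rpt = parse_deployment_output(SAMPLE_OUTPUT)
    print("succeeded:", deployment_succeeded(rpt))
    print("parameters:", len(rpt["parameters"]), "echoed secrets:", echoed_secrets(rpt))
```

A deployment whose ProvisioningState is anything other than Succeeded, or whose output stops before the closing "command OK" line, is reported as failed, which is the condition a wrapper script should gate on before proceeding to log in to the new instance.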
Verifying Deployment of vSRX to Microsoft Azure
To verify the deployment of the vSRX instance to Microsoft Azure:
1. Open a Web browser to https://portal.azure.com/ and log in to the Microsoft Azure
portal using your login credentials. The Dashboard view appears in the Azure portal.
You will see a unified dashboard for all your assets in Azure. Verify that the Dashboard
includes all subscriptions to which you currently have access, and all resource groups
and associated resources.
2. To view the vSRX resource group and its resources after deployment is completed,
from the right-hand menu, click Resource groups to access the Resource Groups page.
Figure 24 on page 58 shows an example of the Resource groups page in the Microsoft
Azure portal.
Figure 35: Microsoft Azure Resource Groups Page Example
3. To view details of the vSRX VM associated with the resource group, click the name
of the vSRX.
Figure 25 on page 59 shows an example of the Resource groups VM in the Microsoft
Azure portal.
Figure 36: Microsoft Azure Resource Groups VM Example
4. To see a summary view of the VMs in your subscription, including the newly deployed
vSRX, click the Virtual Machines icon in the left pane. On the Virtual machines page,
check the vSRX VM status after deployment is completed. Observe that the status is
Running.
NOTE: You can stop, start, restart, and delete a VM from the Virtual machines page in the Microsoft Azure portal.
Figure 37 on page 85 shows an example of the Microsoft Azure Virtual machines page.
Figure 37: Microsoft Azure Virtual Machines Page Example
Logging In to a vSRX Instance
After vSRX deployment is completed, the vSRX instance is automatically powered on
and launched. At this point you can use an SSH client to log in to the vSRX instance.
NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.
To log in to the vSRX VM:
1. From the Azure portal, click Resource groups from the menu of services on the
dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX
VM from the Settings blade.
2. Use an SSH client to log in to a vSRX instance.
3. At the prompt, enter the following login credentials:
NOTE: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported. Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.
The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined in the vsrx.parameters.json file (see “Changing Parameter Values in the vsrx.parameter.json File” on page 80). After initially logging in to the vSRX, you can configure SSH public and private key authentication.
# ssh <username@vsrx_vm_ipaddress>
The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>
4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI”
on page 90).
Release History Table

Release: 15.1X49-D80
Description: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

Release: 15.1X49-D80
Description: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported.

Release: 15.1X49-D100
Description: Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.

Related Documentation

• Connect from Microsoft Azure CLI
CHAPTER 4
Configuring and Managing vSRX
• vSRX Configuration and Management Tools on page 89
• Configuring vSRX Using the CLI on page 90
• Configuring vSRX Using the J-Web Interface on page 92
• Managing Security Policies for Virtual Machines Using Junos Space Security
Director on page 95
• Removing a vSRX Instance from Microsoft Azure on page 95
vSRX Configuration and Management Tools
This chapter is an overview of the various tools available to configure and manage a
vSRX VM once it has been successfully deployed.
• Understanding the Junos OS CLI and Junos Scripts on page 89
• Understanding the J-Web Interface on page 89
• Understanding Junos Space Security Director on page 90
Understanding the Junos OS CLI and Junos Scripts
The Junos operating system command-line interface (Junos OS CLI) is a Juniper Networks
specific command shell that runs on top of a UNIX-based operating system kernel.
Built into Junos OS, Junos script automation is an onboard toolset available on all Junos
OS platforms, including routers, switches, and security devices running Junos OS (such
as a vSRX instance).
You can use Junos OS CLI and the Junos OS scripts to configure, manage, administer,
and troubleshoot vSRX.
Understanding the J-Web Interface
The J-Web interface allows you to monitor, configure, troubleshoot, and manage vSRX
instances by means of a Web browser. J-Web provides access to all the configuration
statements supported by the vSRX instance.
You can use J-Web to configure, manage, administer, and troubleshoot vSRX.
Understanding Junos Space Security Director
As one of the Junos Space Network Management Platform applications, Junos Space
Security Director helps organizations improve the reach, ease, and accuracy of security
policy administration with a scalable, GUI-based management tool. Security Director
automates security provisioning of a vSRX instance through one centralized Web-based
interface to help administrators manage all phases of security policy life cycle more
quickly and intuitively, from policy creation to remediation.
Related Documentation
• CLI User Interface Overview
• J-Web Overview
• Security Director
• Mastering Junos Automation Programming
• Spotlight Secure Threat Intelligence
Configuring vSRX Using the CLI
To configure the instance using the CLI:
1. Verify that the instance is powered on.
2. Log in using the username and password credentials for your vSRX VM deployment
in Microsoft Azure.
3. Start the CLI.
root# cli
root@>
4. Enter configuration mode.
root@> configure
[edit]
root@#
5. Set the root authentication password by entering a cleartext password, an encrypted
password, or an SSH public key string (DSA or RSA).
[edit]
root@# set system root-authentication plain-text-password
New password: password
Retype new password: password
6. Configure the traffic interfaces.
[edit]
root@# set interfaces ge-0/0/0 unit 0 family inet address assigned_ip/netmask
root@# set interfaces ge-0/0/1 unit 0 family inet address assigned_ip/netmask
NOTE: Configuration of the management interface fxp0 for the vSRX is not necessary because it is configured during vSRX VM deployment from Azure (Azure portal or Azure CLI deployment methods). Microsoft Azure performs its own IP address mapping for the VM management interface. Do not change the configuration for interface fxp0 and the default routing table or you will lose connectivity.
7. Configure routing interfaces to isolate management network and traffic network.
[edit]
root@# set routing-instances vsrx-vr1 instance-type virtual-router
root@# set routing-instances vsrx-vr1 interface ge-0/0/0.0
root@# set routing-instances vsrx-vr1 interface ge-0/0/1.0
root@# set routing-instances vsrx-vr1 routing-options
8. Verify the configuration changes.
[edit]
root@# commit check
configuration check succeeds
9. Commit the current configuration to make it permanent and to avoid the possibility
of losing connectivity to the vSRX.
[edit]
root@# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 10 minutes
10. Commit the configuration to activate it on the instance.
[edit]
root@# commit
commit complete
11. Optionally, use the show command to display the configuration to verify that it is
correct.
NOTE: Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.
See “Managing Licenses for vSRX” on page 113 for details.
Related Documentation
• Example: Configuring an IPsec VPN Between Two vSRX Instances on page 97
• Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in
Microsoft Azure on page 101
• Junos OS for SRX Series
• CLI User Guide
Configuring vSRX Using the J-Web Interface
• Accessing the J-Web Interface and Configuring vSRX on page 92
• Applying the Configuration on page 94
• Adding vSRX Feature Licenses on page 95
Accessing the J-Web Interface and Configuring vSRX
Use the Junos OS CLI to configure, at a minimum, the following parameters before you
can access a vSRX VM using J-Web:
CAUTION: Do not change the configuration for interface fxp0 and the default routing table or you will lose connectivity to the vSRX in the Microsoft Azure deployment.
To configure vSRX using the J-Web Interface:
1. Launch a Web browser from the management instance.
2. Enter the vSRX fxp0 interface IP address in the Address box.
3. Specify the username and password.
4. Click Log In, and select the Configuration Wizards tab from the left navigation panel.
The J-Web Setup wizard page opens.
5. Click Setup.
You can use the Setup wizard to configure the vSRX VM or edit an existing
configuration.
• Select Edit Existing Configuration if you have already configured the wizard using
the factory mode.
• Select Create New Configuration to configure the vSRX VM using the wizard.
The following configuration options are available in the guided setup:
• Basic
Select basic to configure the vSRX VM name and user account information as
shown in Table 9 on page 93.
• Instance name and user account information

Table 9: Instance Name and User Account Information

Field: Description

Instance name: Type the name of the instance. For example: vSRX.
Root password: Create a default root user password.
Verify password: Verify the default root user password.
Operator: Add an optional administrative account in addition to the root account. User role options include:
  • SuperUser: This user has full system administration rights and can add, modify, and delete settings and users.
  • Operator: This user can perform system operations such as a system reset but cannot change the configuration or add or modify users.
  • Read only: This user can only access the system and view the configuration.
  • Disabled: This user cannot access the system.
• Select either Time Server or Manual. Table 10 on page 93 lists the system time
options.

Table 10: System Time Options

Field: Description

Time Server
  Host Name: Type the hostname of the time server. For example: ntp.example.com.
  IP: Type the IP address of the time server in the IP address entry field. For example: 192.0.2.254.
  NOTE: You can enter either the hostname or the IP address.
Manual
  Date: Click the current date in the calendar.
  Time: Set the hour, minute, and seconds. Choose AM or PM.
Time Zone (mandatory)
  Time Zone: Select the time zone from the list. For example: GMT Greenwich Mean Time GMT.
• Expert
Select Expert to configure the basic options as well as the following advanced
options:
• Four or more internal zones
• Internal zone services
• Application of security policies between internal zones
Click the Need Help icon for detailed configuration information.
You see a success message after the basic configuration is complete.
Applying the Configuration
To apply the configuration settings for vSRX:
1. Review and ensure that the configuration settings are correct, and click Next. The
Commit Configuration page appears.
2. Click Apply Settings to apply the configuration changes to vSRX.
3. Check the connectivity to vSRX, as you might lose connectivity if you have changed
the management zone IP. Click the URL for reconnection instructions on how to
reconnect to the instance.
4. Click Done to complete the setup.
After successful completion of the setup, you are redirected to the J-Web interface.
CAUTION: After you complete the initial setup, you can relaunch the J-Web Setup wizard by clicking Configuration>Setup. You can either edit an existing configuration or create a new configuration. If you create a new configuration, the current configuration in vSRX will be deleted.
Adding vSRX Feature Licenses
Certain Junos OS software features require a license to activate the feature. To enable
a licensed feature, you need to purchase, install, manage, and verify a license key that
corresponds to each licensed feature. To conform to software feature licensing
requirements, you must purchase one license per feature per instance. The presence of
the appropriate software unlocking key on your virtual instance allows you to configure
and use the licensed feature.
See “Managing Licenses for vSRX” on page 113 for details.
Managing Security Policies for Virtual Machines Using Junos Space Security Director
Security Director is a Junos Space management application designed to enable quick,
consistent, and accurate creation, maintenance, and application of network security
policies for your security devices, including vSRX instances. With Security Director, you
can configure security-related policy management, including IPsec VPNs, firewall policies,
NAT policies, IPS policies, and UTM policies, and push the configurations to your security
devices. These configurations use objects such as addresses, services, NAT pools,
application signatures, policy profiles, VPN profiles, template definitions, and templates.
These objects can be shared across multiple security configurations; shared objects can
be created and used across many security policies and devices. You can create these
objects prior to creating security configurations.
When you finish creating and verifying your security configurations from Security Director,
you can publish these configurations and keep them ready to be pushed to all security
devices, including vSRX instances, from a single interface.
The Configure tab is the workspace where all of the security configuration happens. You
can configure firewall, IPS, NAT, and UTM policies, assign policies to devices, create and
apply policy schedules, create and manage VPNs, and create and manage all of the
shared objects needed for managing your network security.
Related Documentation
• Security Director
Removing a vSRX Instance from Microsoft Azure
To remove a vSRX instance from Microsoft Azure:
1. Log in to the Azure Portal.
2. In the left pane of the Azure Portal, click the Virtual Machines icon.
3. In the right pane, select the vSRX instance you want to remove, then click Delete to
delete it.
NOTE: You can delete a VM while it is running. If desired, you can stop the vSRX instance before deleting it.
4. To delete the disks attached to the deleted vSRX virtual machine, click Delete and
then select Delete the Associated VHD.
5. To delete the related cloud service for the deleted vSRX virtual machine, access the
Cloud Service tab and click Delete to remove the related cloud services.
CHAPTER 5
vSRX in Microsoft Azure Use Cases
• Example: Configuring an IPsec VPN Between Two vSRX Instances on page 97
• Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in
Microsoft Azure on page 101
Example: Configuring an IPsec VPN Between Two vSRX Instances
This example shows how to configure an IPsec VPN between two instances of vSRX in
Microsoft Azure.
• Before You Begin on page 97
• Overview on page 97
• vSRX IPsec VPN Configuration on page 97
• Verification on page 100
Before You Begin
Ensure that you have installed and launched a vSRX instance in a Microsoft Azure virtual
network.
See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel
that is down or not active for additional information.
Overview
You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure using
two vSRX instances.
vSRX IPsec VPN Configuration
vSRX1 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX1:
1. Log in to the vSRX1 in configuration edit mode (see “Configuring vSRX Using the
CLI” on page 90).
2. Set the IP addresses for vSRX1 interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24
3. Set up the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
4. Set up the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
5. Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-proposalA lifetime-seconds 1800
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 198.51.100.10
set security ike gateway gw-siteB local-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB remote-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB external-interface ge-0/0/0.0
NOTE: Be sure to replace 198.51.100.10 in this example with the correct
public IP address.
6. Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
7. Configure routing.
set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1
commit
vSRX2 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX2:
1. Log in to the vSRX2 in configuration edit mode (see “Configuring vSRX Using the
CLI” on page 90).
2. Set the IP addresses for the vSRX2 interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
set interfaces st0 unit 1 family inet address 10.0.250.20/24
3. Set up the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
4. Set up the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
5. Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-proposalA lifetime-seconds 1800
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 203.0.113.10
set security ike gateway gw-siteB local-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB remote-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB external-interface ge-0/0/0.0
NOTE: Be sure to replace 203.0.113.10 in this example with the correct
public IP address. Also note that the SiteB local-identity and remote-identity must be the mirror image of the SiteA local-identity and remote-identity: the SiteB local-identity is the SiteA remote-identity, and the SiteB remote-identity is the SiteA local-identity.
6. Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
7. Configure routing. On vSRX2 the default route points to the gateway of its own untrust subnet (10.1.0.1 is assumed here, following the 10.0.0.1 convention used for vSRX1), and the tunnel route covers the site A trust network 10.10.10.0/24.
set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.1.0.1
set routing-instances siteA-vr1 routing-options static route 10.10.10.0/24 next-hop st0.1
commit
Verification
Verify Active VPN Tunnels
Purpose
Verify that the tunnel is up on both vSRX instances.
Action
root@> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm              SPI       Life:sec/kb   Mon  lsys  Port  Gateway
<131074  ESP:aes-cbc-256/sha1   de836105  1504/ unlim   -    root  4500  52.200.89.XXX
>131074  ESP:aes-cbc-256/sha1   b349bc84  1504/ unlim   -    root  4500  52.200.89.XXX
Related Documentation
• IPsec VPN Overview
• Application Firewall Overview
Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure
This example shows how to configure an IPsec VPN between a vSRX instance and a
virtual network gateway in Microsoft Azure.
• Before You Begin on page 101
• Overview on page 101
• vSRX IPsec VPN Configuration on page 101
• Microsoft Azure Virtual Network Gateway Configuration on page 103
• Verification on page 103
Before You Begin
Ensure that you have installed and launched a vSRX instance in Microsoft Azure virtual
network.
See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel
that is down or not active for additional information.
Overview
You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure, with
one vSRX protecting one VNet and the Azure virtual network gateway protecting the
other VNet.
vSRX IPsec VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX:
1. Log in to the vSRX in configuration edit mode (see “Configuring vSRX Using the CLI”
on page 90).
2. Set the IP addresses for vSRX interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24
3. Set up the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
4. Set up the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
5. Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode main
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 52.175.210.65
set security ike gateway gw-siteB version v2-only
set security ike gateway gw-siteB external-interface ge-0/0/0.0
NOTE: Be sure to replace 52.175.210.65 in this example with the correct
public IP address.
6. Configure IPsec.
The following example illustrates a vSRX IPsec configuration using the CBC
encryption algorithm:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
If required, you can use AES-GCM as the encryption algorithm in the vSRX IPsec
configuration instead of CBC:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
7. Configure routing.
set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1
commit
Microsoft Azure Virtual Network Gateway Configuration
Step-by-Step Procedure
To configure the Microsoft Azure virtual network gateway, refer to the following Microsoft
Azure procedure:
Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections
Ensure that the IPsec and IKE parameters on the Microsoft Azure virtual network gateway
(encryption and integrity algorithms, Diffie-Hellman group, and SA lifetimes) match the
vSRX IPsec and IKE parameters when the site-to-site VPN connection is formed.
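The mirrored-identity rule in the vSRX2 procedure and the parameter-match requirement above are both mechanical checks. The following Python script is an added example, not from the Juniper guide: it parses the Junos set commands of this chapter into a parameter dict, compares two vSRX sides with each other, and compares one side with an Azure IPsec/IKE policy written as a dict keyed by Azure's IpsecPolicy property names. The sample configurations, identities and pre-shared key are constructed.

```python
"""Added example (not from the Juniper guide): reduce the Junos 'set security ike/ipsec'
commands of this chapter to a parameter dict, then check that two vSRX peers mirror each
other and that a vSRX side matches an Azure IpsecPolicy-style dict. The configurations,
identities and pre-shared key below are constructed samples."""
import shlex

IKE_KEYS = {"dh-group": "dh-group", "authentication-algorithm": "ike-integrity",
            "encryption-algorithm": "ike-encryption", "lifetime-seconds": "ike-lifetime"}
IPSEC_KEYS = {"protocol": "ipsec-protocol", "authentication-algorithm": "ipsec-integrity",
              "encryption-algorithm": "ipsec-encryption", "lifetime-seconds": "ipsec-lifetime",
              "lifetime-kilobytes": "ipsec-lifetime-kb"}
PEER_KEYS = tuple(IKE_KEYS.values()) + tuple(IPSEC_KEYS.values()) + ("ike-mode", "psk")
JUNOS_TO_AZURE = {"aes-256-cbc": "AES256", "aes-256-gcm": "GCMAES256",  # Junos name -> Azure value
                  "sha-256": "SHA256", "hmac-sha1-96": "SHA1", "group2": "DHGroup2"}

def parse_junos_set(config: str) -> dict:
    """Flatten one vSRX's VPN-relevant 'set' commands into a parameter dict."""
    params = {}
    for raw in config.splitlines():
        tok = shlex.split(raw)                   # also strips the quotes around identities
        if len(tok) < 7 or tok[:2] != ["set", "security"]:
            continue
        section, keyword, value = tok[2:4], tok[5], tok[6]
        last = tok[7] if len(tok) > 7 else None  # value of two-word keywords, e.g. 'ascii-text <key>'
        if section == ["ike", "proposal"] and keyword in IKE_KEYS:
            params[IKE_KEYS[keyword]] = value
        elif section == ["ipsec", "proposal"] and keyword in IPSEC_KEYS:
            params[IPSEC_KEYS[keyword]] = value
        elif section == ["ike", "policy"] and keyword == "mode":
            params["ike-mode"] = value
        elif section == ["ike", "policy"] and keyword == "pre-shared-key":
            params["psk"] = last
        elif section == ["ike", "gateway"] and keyword in ("local-identity", "remote-identity"):
            params[keyword] = last               # 'local-identity user-at-hostname "<id>"'
        elif section == ["ike", "gateway"] and keyword in ("address", "version"):
            params[keyword] = value
    return params

def mirror_problems(side_a: dict, side_b: dict) -> list:
    """Mismatches between two vSRX peers; an empty list means they are consistent."""
    problems = [f"{k}: {side_a.get(k)!r} vs {side_b.get(k)!r}"
                for k in PEER_KEYS if side_a.get(k) != side_b.get(k)]
    # Identities are mirrored: A's local-identity is B's remote-identity and vice versa.
    if side_a.get("local-identity") != side_b.get("remote-identity"):
        problems.append("side A local-identity is not side B remote-identity")
    if side_a.get("remote-identity") != side_b.get("local-identity"):
        problems.append("side A remote-identity is not side B local-identity")
    return problems

def azure_problems(vsrx: dict, azure: dict) -> list:
    """Mismatches between a vSRX side and an Azure IpsecPolicy-style dict."""
    # AES-GCM is a combined mode: Junos sets no separate integrity algorithm,
    # while Azure expects ipsecIntegrity to repeat the GCM value.
    ipsec_integrity = vsrx.get("ipsec-integrity", vsrx.get("ipsec-encryption"))
    want = {"ikeEncryption": JUNOS_TO_AZURE.get(vsrx.get("ike-encryption")),
            "ikeIntegrity": JUNOS_TO_AZURE.get(vsrx.get("ike-integrity")),
            "dhGroup": JUNOS_TO_AZURE.get(vsrx.get("dh-group")),
            "ipsecEncryption": JUNOS_TO_AZURE.get(vsrx.get("ipsec-encryption")),
            "ipsecIntegrity": JUNOS_TO_AZURE.get(ipsec_integrity),
            "pfsGroup": "None",                  # this guide configures no perfect-forward-secrecy
            "saLifeTimeSeconds": int(vsrx["ipsec-lifetime"]) if "ipsec-lifetime" in vsrx else None,
            "saDataSizeKilobytes": int(vsrx["ipsec-lifetime-kb"]) if "ipsec-lifetime-kb" in vsrx else None}
    problems = [f"{k}: vSRX implies {v!r}, Azure policy has {azure.get(k)!r}"
                for k, v in want.items() if v is not None and azure.get(k) != v]
    if vsrx.get("version") != "v2-only":
        problems.append("version: the Azure-facing gateway in this guide is set to 'version v2-only'")
    return problems

# Constructed sample: proposal and policy lines shared by vSRX1 and vSRX2.
SHARED = """
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA pre-shared-key ascii-text EXAMPLE-PSK
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
"""
VSRX1 = SHARED + """
set security ike gateway gw-siteB address 198.51.100.10
set security ike gateway gw-siteB local-identity user-at-hostname "siteA@example.com"
set security ike gateway gw-siteB remote-identity user-at-hostname "siteB@example.com"
"""
# vSRX2 is the mirror image: the peer address changes and the two identities swap places.
VSRX2 = (VSRX1.replace("198.51.100.10", "203.0.113.10").replace("siteA@", "tmp@")
         .replace("siteB@", "siteA@").replace("tmp@", "siteB@"))
# Constructed sample: the AES-GCM variant of the Azure-facing vSRX and a matching Azure policy.
VSRX_AZURE = """
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode main
set security ike gateway gw-siteB version v2-only
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
"""
AZURE_POLICY = {"ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup2",
                "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "None",
                "saLifeTimeSeconds": 7200, "saDataSizeKilobytes": 102400000}
```

Run `mirror_problems(parse_junos_set(VSRX1), parse_junos_set(VSRX2))` and `azure_problems(parse_junos_set(VSRX_AZURE), AZURE_POLICY)`; both return an empty list for the samples, and each returned string names the first parameter that would stop the tunnel from coming up.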
Verification
Verify Active VPN Tunnels
Purpose
Verify that the tunnel is up between the vSRX instance and the Azure virtual network
gateway.
Action
root@> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8290401  UP     b1adf15fc3dfe0b0  89cc2a12cb7e3cd7  IKEv2  52.175.210.65

root@> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm              SPI       Life:sec/kb      Mon  lsys  Port  Gateway
<131073  ESP:aes-gcm-256/None   c0e154e2  5567/ 102399997  -    root  4500  52.175.210.65
>131073  ESP:aes-gcm-256/None   383bd606  5567/ 102399997  -    root  4500  52.175.210.65
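The two Action listings above are normally read by eye. As an added example that is not part of the Juniper guide, the following Python script parses both listings and reports what a practitioner checks: an IKE SA in state UP with the expected peer, an inbound and an outbound IPsec SA for that peer, the negotiated ESP algorithm as intended, and SA lifetime not about to run out. The sample output is constructed after the listings above.

```python
"""Added example (not from the Juniper guide): parse the 'show security ike security-associations'
and 'show security ipsec security-associations' listings from the Verification steps and turn the
eyeball check into assertions. The sample output below is constructed after the guide's listings."""
import re
from collections import defaultdict

# Index, State, Initiator cookie, Responder cookie, Mode, Remote Address
IKE_SA = re.compile(r"^\s*(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]+)\s+"
                    r"(?P<rcookie>[0-9a-f]+)\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$")
# <ID inbound or >ID outbound, ESP:<enc>/<auth>, SPI, Life sec/kb, Mon, lsys, Port, Gateway
IPSEC_SA = re.compile(r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
                      r"(?P<spi>[0-9a-f]+)\s+(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+"
                      r"(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s*$")


def parse_ike_sas(output: str) -> list:
    """One dict per IKE SA row; header and blank lines do not match the pattern."""
    return [m.groupdict() for m in map(IKE_SA.match, output.splitlines()) if m]


def parse_ipsec_sas(output: str) -> dict:
    """IPsec SAs grouped by tunnel ID and direction: {131073: {'<': {...}, '>': {...}}}."""
    tunnels = defaultdict(dict)
    for m in map(IPSEC_SA.match, output.splitlines()):
        if m:
            tunnels[int(m["id"])][m["dir"]] = m.groupdict()
    return dict(tunnels)


def tunnel_problems(ike_out: str, ipsec_out: str, peer: str, expected_enc: str,
                    min_life_sec: int = 120) -> list:
    """Findings that mean the VPN to 'peer' is not up as intended; an empty list is healthy."""
    problems = []
    ike = [sa for sa in parse_ike_sas(ike_out) if sa["remote"] == peer]
    if not ike:
        problems.append(f"no IKE SA with {peer}")
    elif ike[0]["state"] != "UP":
        problems.append(f"IKE SA with {peer} is {ike[0]['state']}")
    tunnels = {tid: dirs for tid, dirs in parse_ipsec_sas(ipsec_out).items()
               if any(sa["gw"] == peer for sa in dirs.values())}
    if not tunnels:
        problems.append(f"no IPsec SA with {peer}")
    for tid, dirs in tunnels.items():
        if set(dirs) != {"<", ">"}:               # a healthy tunnel has an inbound and an outbound SA
            problems.append(f"tunnel {tid}: only {''.join(dirs)} direction installed (half-open)")
        for sa in dirs.values():
            if sa["enc"] != expected_enc:
                problems.append(f"tunnel {tid}: negotiated {sa['enc']}, expected {expected_enc}")
            if int(sa["sec"]) < min_life_sec:
                problems.append(f"tunnel {tid}: SA {sa['spi']} rekeys in {sa['sec']}s")
    return list(dict.fromkeys(problems))         # drop duplicates from the two directions


# Constructed sample output, patterned on the listings above (cookies/SPIs as printed there).
IKE_OUT = """\
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8290401  UP     b1adf15fc3dfe0b0  89cc2a12cb7e3cd7  IKEv2  52.175.210.65
"""
IPSEC_OUT = """\
Total active tunnels: 1
  ID       Algorithm              SPI       Life:sec/kb      Mon  lsys  Port  Gateway
  <131073  ESP:aes-gcm-256/None   c0e154e2  5567/ 102399997  -    root  4500  52.175.210.65
  >131073  ESP:aes-gcm-256/None   383bd606  5567/ 102399997  -    root  4500  52.175.210.65
"""

if __name__ == "__main__":
    print(tunnel_problems(IKE_OUT, IPSEC_OUT, "52.175.210.65", "aes-gcm-256") or "VPN healthy")
```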
Related Documentation
• IPsec VPN Overview
• Application Firewall Overview
CHAPTER 6
vSRX Licensing
• vSRX Feature Licenses Overview on page 105
• Managing Licenses for vSRX on page 113
• vSRX License Model Numbers on page 119
vSRX Feature Licenses Overview
Some Junos OS software features require a license to activate the feature.
To enable a licensed feature, you need to purchase, install, manage, and verify a license
key that corresponds to each licensed feature. To conform to software feature licensing
requirements, you must purchase one license per feature per instance. The presence of
the appropriate software unlocking key on your virtual instance allows you to configure
and use the licensed feature.
NOTE: If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses.
• vSRX License Procurement and Renewal on page 105
• vSRX Evaluation License on page 106
• License Types on page 108
• Throughput on page 109
• License Duration on page 109
• Individual (á la carte) Feature Licenses on page 110
• Bundled Licenses on page 110
• Stacking Licenses on page 110
• vSRX License Keys Components on page 110
• License Management Fields Summary on page 111
vSRX License Procurement and Renewal
Licenses are usually ordered when the software application is purchased, and this
information is bound to a customer ID. If you did not order the licenses when you purchased
your software application, contact your account team or Juniper Networks Customer
Care for assistance.
Licenses can be procured from the Juniper Networks License Management System (LMS).
For license renewal, use the show system license command to find the Juniper vSRX
software serial number that you use to renew a license.
vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
NOTE: Do not use the show chassis hardware command to get the serial
number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.
NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command.
We recommend deleting existing licenses before performing a software downgrade.
vSRX Evaluation License
To speed deployment of licensed features, the vSRX software image provides you with
a 60-day product evaluation license and a 30-day advanced security features license,
both of which allow you to use vSRX and licensed features for a specified period without
having to install a license key.
Table 11 on page 107 lists vSRX evaluation license types.
Table 11: vSRX Evaluation License Type

License Package                                   Type                                      Period    License Model Number
Trial license (temporary for evaluation only)     Product evaluation – Basic                60 days   -
                                                  Product evaluation – Advanced features    30 days   -
Product Evaluation License
The vSRX software image includes a 60-day trial license. When you download and install
the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an
evaluation license for using vSRX. This product-unlocking license is required to use the
basic functions of the vSRX, such as networking, routing, and basic security features
(such as stateful firewall).
NOTE: The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (https://forums.juniper.net/) and view the Support topics under the vSRX category.
Within 30 days of the license expiration date, a license expiration warning appears each
time you log in to the vSRX instance. After the product evaluation license expires, you
will not be able to use the vSRX; it will be disabled and flow configuration options will
not work (the vSRX will stop forwarding traffic). At this point, only management interfaces
and CLI configurations are preserved.
Advanced Security Features Evaluation License
The advanced security features license is a 30-day trial license for vSRX that is required
for advanced security features such as UTM, IDP, and AppSecure. You can download the
trial license for advanced security features from the vSRX Free Trial License Page.
The 30-day trial license period begins on the day you enable the enhanced security
features after you install the 60-day product evaluation license for vSRX. To continue
using vSRX features after the 30-day license period expires, you must purchase and
install the license; otherwise, the features are disabled. If the license for advanced security
features expires while the evaluation license (product unlocking license) is still valid, only
the advanced security features that require a license are disabled.
NOTE: The UTM advanced features have a slightly different trial license strategy. UTM does not require a 30-day trial license but only a 30-day grace period. Once the 30-day advanced security features trial license expires, Juniper Networks supports a 30-day grace period for you to continue using UTM features. The 30-day grace period goes into effect after the 30-day trial license expires.
There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention
(ATP). This is a second license that you can apply for a 30-day period in addition to the
advanced security features license for vSRX to enable the Sky ATP features. You can
download the Sky ATP trial license from the vSRX Free Trial License Page.
License Types
Juniper Networks provides a variety of licenses for both basic firewall features and
advanced security features for different throughputs and durations.
If you want to use vSRX to provide basic firewall features, you can use standard (basic)
licenses. However, to use some of the more advanced security features, such as
AppSecure, IDP, and UTM, you might need to purchase advanced features licenses.
The high-level categories for licenses are:
• Throughput–All licenses have an associated throughput. Throughput rates include 1
Gbps, 2 Gbps, and 4 Gbps on most platforms.
• Features–Licenses are available for different combinations of feature sets, from
standard (STD) through Content Security Bundle (CS-B).
• Individual or bundled–Licenses can be individual (á la carte) licenses for a set of
features, or can be bundled together to provide a broad range of features in one easy
license to maintain.
• Duration–All licenses have an associated time duration. You can purchase basic licenses
as perpetual (never expire) or subscription based (1-year or 3-year duration). All vSRX
licenses are subscription based.
• New or renewal–All subscription licenses are either new (first-time purchase) or
renewals (extending the license duration when the initial new subscription license is
about to expire).
Figure 38 on page 109 shows a sample license SKU and identifies how each field maps
to these categories.
Figure 38: Sample vSRX License SKU. The SKU VSRX-10M-ASECB-3-R is annotated with the fields Product, Throughput, Feature set, Duration, New or renewal, and Bundled or individual.
These categories of licenses can also be combined, or stacked, to provide more flexibility
for your vSRX use cases.
Throughput
Bandwidth or throughput license types allow you to use a single instance of the software
for up to the maximum throughput specified in the license entitlement. Throughput can
be combined on a single instance of the software so that the maximum throughput for
that instance is the aggregate of all the throughput licenses assigned to that instance.
A throughput license cannot be split across multiple instances. Throughput is identified
in the license entitlement in megabits per second (Mbps) or gigabits per second (Gbps).
For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features,
you would purchase a 1G STD license and a 2G STD license and install both on the vSRX.
If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster,
you could not use the same 2 Gbps license on both vSRX instances. You would need to
purchase one set of licenses for each vSRX instance in the cluster.
License Duration
All licenses can be perpetual or subscription based.
• Perpetual license–A perpetual license allows you to use the licensed software
indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not
include maintenance and upgrade support, which you must purchase separately. vSRX
software releases such as vSRX for AWS do not support perpetual licenses.
• Subscription license–A subscription license is an annual license that allows you to use
the licensed software feature for the matching duration. Subscriptions might involve
periodic downloads of content (such as for IDP threat signature files). Subscription
licenses start when you retrieve the license key or 30 days after purchase if you have
not retrieved the license key. At the end of the license period, you need to renew the
license to continue using it.
NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.
Individual (á la carte) Feature Licenses
Every vSRX instance requires at least one standard license to support the desired
throughput rate. Beyond that, you can select from a range of individual feature licenses
that provide additional security feature sets. The feature license must match the standard
license rate.
NOTE: AWS does not support individual licenses.
For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput
for a year, you could purchase the following individual licenses:
• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.
• VSRX-CS-1G-1—Provides the advanced features.
Bundled Licenses
Bundled licenses simplify the license management by combining one or more individual
licenses into a single bundled license. Instead of installing and managing a standard
throughput license and one or more individual advanced feature licenses, you can purchase
one of the bundle license options and manage one license instead.
For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput
for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes
the STD throughput license. This means you only need to manage one license instead
of two individual licenses.
Stacking Licenses
You can combine individual or bundled licenses to combine features or build up the
overall supplied throughput for the vSRX instance.
For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of
throughput for the vSRX instance. You can also combine individual licenses, such as
Sophos antivirus (SAV) and Websense Enhanced Web Filtering (EWF) to get both sets
of security features.
NOTE: Individual licenses require a STD license with the same throughput rate.
vSRX License Keys Components
A license key consists of two parts:
• License ID—Alphanumeric string that uniquely identifies the license key. When a license
is generated, it is given a license ID.
• License data—Block of binary data that defines and stores all license key objects.
For example, in the following typical license key, the string E413XXXX57 is the license ID,
and the trailing block of data is the license data:
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff
The license data conveys the customer ID and the software serial number (Juniper
Networks support reference number) to the vSRX instance.
License Management Fields Summary
The Licenses window displays a summary of licensed features that are configured on
the vSRX instance and a list of licenses that are installed on the vSRX instance.
To view the license details, select Maintain > Licenses in the J-Web user interface. The
Licenses window appears as shown in Figure 39 on page 111.
Figure 39: J-Web Licenses Window Showing Installed Licenses
You can also view the details of a license in the CLI using the show system license
command. The following sample shows details of an evaluation license in the CLI:
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               0            1           0    2016-04-15 08:00:00 CST
  appid-sig                             0            1           0    2016-04-15 08:00:00 CST
  av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
  wf_key_websense_ewf                   0            1           0    2016-04-15 08:00:00 CST
  Virtual Appliance                     1            1           0    2016-04-25 08:00:00 CST

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days
The information on the licensemanagement page is summarized in Table 12 on page 112.
Table 12: Summary of License Management Fields

Field Name: Definition

Feature Summary

Feature: Name of the licensed feature:
  • Features—Software feature licenses.
  • All features—All-inclusive licenses.
Licenses Used: Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.
Licenses Installed: Number of licenses installed on the vSRX instance for the particular feature.
Licenses Needed: Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: if a feature is configured and the license for that feature is not installed, a license is needed.
Licenses expires on: Date the license expires.

Installed Licenses

ID: Unique alphanumeric ID of the license.
State: Valid—The installed license key is valid. Invalid—The installed license key is not valid.
Version: Numeric version number of the license key.
Group: If the license defines a group license, this field displays the group definition. NOTE: Because group licenses are currently unsupported, this field is always blank.
Enabled Features: Name of the feature that is enabled with the particular license.
Expiration: Date the license expires.
Software serial number: The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.
Customer ID: ID that identifies the registered user.
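As an added example that is not part of the Juniper guide, the following Python script parses the License usage table of show system license using the field meanings in Table 12 and reports features that are configured without a license (Licenses needed greater than 0), invalid installed licenses, and licenses that fall inside the 30-day expiration warning window described earlier in this chapter. The sample output and the fixed "today" date are constructed.

```python
"""Added example (not from the Juniper guide): parse the 'License usage' table of
'show system license' (columns as described in Table 12) and report features configured
without a license, invalid installed licenses, and licenses inside the 30-day expiry
warning window. The sample output below is constructed after this chapter's listings."""
import re
from datetime import date, datetime, timedelta

# Feature name, Licenses used, Licenses installed, Licenses needed, Expiry
# (Expiry is a timestamp, an 'N days' countdown, 'permanent' or 'invalid').
USAGE_ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+"
                       r"(?P<needed>\d+)\s+(?P<expiry>\S.*?)\s*$")


def parse_license_usage(output: str) -> list:
    """One dict per feature row of the usage table; parsing stops at 'Licenses installed'."""
    rows = []
    for line in output.splitlines():
        if line.strip().startswith("Licenses installed"):
            break
        m = USAGE_ROW.match(line)            # header lines have no numeric columns and are skipped
        if m:
            rows.append({**m.groupdict(), "used": int(m["used"]),
                         "installed": int(m["installed"]), "needed": int(m["needed"])})
    return rows


def expiry_date(expiry: str, today: date):
    """Expiry column as a date; None for 'permanent', 'invalid' or anything unrecognised."""
    if re.match(r"\d{4}-\d{2}-\d{2}", expiry):
        return datetime.strptime(expiry[:10], "%Y-%m-%d").date()
    m = re.match(r"(\d+) days?", expiry)        # the evaluation license prints a countdown
    return today + timedelta(days=int(m[1])) if m else None


def license_findings(output: str, today: date, warn_days: int = 30) -> list:
    """Rows that need action: unlicensed-but-configured features and imminent expiries."""
    findings = []
    for row in parse_license_usage(output):
        name = row["name"]
        if row["needed"] > 0:                      # configured feature without a license
            findings.append(f"{name}: configured but {row['needed']} license(s) missing")
        if row["expiry"] == "invalid" and row["installed"] > 0:
            findings.append(f"{name}: installed license is invalid")
        due = expiry_date(row["expiry"], today)
        if due is not None and (due - today).days <= warn_days:
            findings.append(f"{name}: expires {due.isoformat()} ({(due - today).days} days)")
    return findings


# Constructed sample, patterned on the show system license listings in this chapter.
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               0            1           0    2016-04-15 08:00:00 CST
  av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
  wf_key_websense_ewf                   1            0           1    invalid
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
"""
SAMPLE_TODAY = date(2016, 3, 20)   # constructed 'today' so the findings are reproducible

if __name__ == "__main__":
    for finding in license_findings(SAMPLE_OUTPUT, SAMPLE_TODAY):
        print(finding)
```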
Managing Licenses for vSRX
Before you begin, ensure that you have retrieved the license key from the Juniper License
Management System (LMS).
This section includes the following topics:
• vSRX Evaluation License Installation Process on page 113
• Adding a New License Key with J-Web on page 114
• Adding a New License Key from the CLI on page 115
• Updating vSRX Licenses on page 116
• Deleting a License with J-Web on page 117
• Deleting a License with the CLI on page 118
• LicenseWarning Messages on page 118
vSRX Evaluation License Installation Process
Juniper Networks provides a 60-day evaluation license for vSRX standard features. When
you download and install the vSRX image, you are entitled to use this evaluation license
for 60 days as a trial. In addition to the 60-day vSRX evaluation license, there is a 30-day
advanced security features trial license for vSRX that is required for advanced security
features such as UTM, IDP, and AppSecure.
You can download the 30-day advanced security feature trial license from the vSRX Free
Trial License Page.
There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention
(ATP). This is a second license that you can apply for a 30-day period in addition to the
advanced security features license for vSRX to enable the Sky ATP features. You can
download the Sky ATP trial license from the vSRX Free Trial License Page.
Installation of the advanced security feature trial license is similar to the regular license
installation performed from the CLI (see “Adding a New License Key from the CLI” on
page 115).
Within 30 days of the license expiration date, a license expiration warning appears each
time you log in to the vSRX instance. After the product evaluation license expires, you
will not be able to use the vSRX; it will be disabled and flow configuration options will
not work (the vSRX will stop forwarding traffic). At this point, only management interfaces
and CLI configurations are preserved.
NOTE: The 30-day evaluation license period begins on the day you enable enhanced security features after installing evaluation licenses.
To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install the license. Otherwise, the features are disabled.
For details about the 60- and 30-day license evaluation periods for the vSRX see “vSRX
Feature Licenses Overview” on page 105.
Adding a New License Key with J-Web
To install a license using the J-Web interface:
1. Select Maintain > Licenses on the J-Web user interface. The Licenses window is
displayed as shown in Figure 40 on page 114.
Figure 40: J-Web Licenses Window
2. Under Installed Licenses, click Add. The Add License window is displayed as shown
in Figure 41 on page 115.
Figure 41: Add License Window
3. Do one of the following, using a blank line to separate multiple license keys:
• Enter the full URL to the destination file containing the license key in the License
File URL box.
• Paste the license key text, in plaintext format, in the License Key Text box.
4. Click OK to add the license key. The License Details window is displayed as shown in
Figure 42 on page 115.
Figure 42: License Details Window
The license key is installed and activated on the vSRX instance.
Adding a New License Key from the CLI
You can add a license key from a local file, from a remote URL, or from the terminal.
To install a license from the CLI:
1. Use the request system license add operational mode command to either add the
license from a local file or remote URL that contains the license key, or to manually
paste the license key in the terminal.
user@vsrx> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff
E413XXXX57: successfully added
add license complete (no errors)
NOTE: You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.
2. Optionally, use the show system license command to view details of the licenses.
root@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed: none
The license key is installed and activated on the vSRX instance.
Updating vSRX Licenses
You can update the vSRX licenses using either of the following two methods:
• Automatic license update using the CLI
• Manual license update using the CLI
As a prerequisite, you must install at least one valid license key on your vSRX instance
for required features. Automatic license updates as well as manual license updates are
performed based on a valid software serial number and customer ID embedded in the
license key.
To enable automatic license updates from the CLI:
1. Contact your account team or Juniper Networks Customer Care to extend the validity
period of existing license keys and obtain the URL for a valid update server.
2. Once you have successfully extended your license key and received the update server
URL, configure the auto-update parameter:
user@host> set system license autoupdate url https://ae1.juniper.net/
3. Configure renew options (if required). The following sample allows vSRX to contact
the license server 30 days before the current license expires and sends an automatic
update request every 6 hours.
Copyright © 2018, Juniper Networks, Inc.116
vSRX Deployment Guide for Microsoft Azure Cloud
user@host> set system license renew before-expiration 30user@host> set system license renew interval 6
To manually update the licenses from the CLI:
1. Use the following command to update the license keys manually:
user@host> request system license update
This command sends a license update request to the license server immediately.
NOTE: The request system license update command takes no server argument; it always
uses the default Juniper license server: https://ae1.juniper.net
2. Check the status of the license by entering the show system license command.
Deleting a License with J-Web
To delete a license using the J-Web interface:
1. Select Maintain > Licenses.
2. Select the check box of the license or licenses you want to delete as shown in
Figure 43 on page 117.
Figure 43: Deleting a License
3. Click Delete.
4. Click OK to confirm your deletion as shown in Figure 44 on page 118.
Figure 44: Delete Licenses Window
The license you deleted is removed.
Deleting a License with the CLI
To delete a license using the CLI:
1. From operational mode, for each license, enter the following command and specify
the license ID. You can delete only one license at a time.
user@host> request system license delete <license-key-identifier>
Or you can use the following command to delete all installed licenses.
user@host> request system license delete all
2. Type yes when you are prompted to confirm the deletion.
Delete license JUNOS606279 ? [yes,no] (no)
The license you deleted is removed.
License Warning Messages
You must purchase a new license or renew your existing subscription-based license to
have a seamless transition from the old license to the new one.
The following conditions occur when a license expires on vSRX:
• Evaluation license for the core expires: Packet forwarding on vSRX is disabled. However,
you can manage vSRX through the fxp0 management interface, and the CLI
configuration is preserved.
• Subscription-based licenses for advanced security features expire but
subscription-based licenses for core services are active: A 30-day grace period begins,
allowing the user to continue using advanced security features. After the grace period,
advanced security features are disabled. Basic features are always available in the
vSRX. After subscription-based licenses for core services expire, a warning message
is displayed to notify the user, but basic features remain available to the user.
• Subscription-based license for core features expires but subscription-based license
for advanced security features is active: A warning message is displayed to notify the
user. However, you can continue to use the basic features on the vSRX. Advanced
security features are disabled when the subscription-based license for advanced
security features expires, but basic features remain available to the user.
Because an expired core license stops packet forwarding, treat license expiry as an availability risk: track the Expiry column of show system license and the system-log warnings, and renew well before the expiry date.
NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.
To use features that require a license, you must install and configure a license. After the
license expires, warning messages are displayed in the system log and on the J-Web
dashboard.
When a license expires, the System Alarms section of the J-Web dashboard displays a
message stating that the license has expired as shown in Figure 45 on page 119.
Figure 45: J-Web Dashboard for License Expiry Warning
When a license expires, the following message appears when you log in:
Virtual Appliance License is invalid
vSRX License Model Numbers
The licenses used by all Juniper Networks instances are based on SKUs, which represent
lists of features. Each license includes a list of features that the license enables along
with information about those features.
For information about purchasing software licenses, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.
vSRX licenses are based on application packages and processing capacity.
vSRX provides bandwidth in the following capacities (throughput per instance): 1 Gbps,
2 Gbps, and 4 Gbps. Each of these bandwidth tiers is offered with three different packages.
Table 13 on page 120 describes the features available with the various license packages.
Table 13: vSRX Licensing Package Types

License Type: STD
License Model Number: These Standard (STD) bandwidth SKUs are available for vSRX:
• VSRX-1G-STD-CLD-1: 1-Gbps throughput (1-year subscription)
• VSRX-1G-STD-CLD-3: 1-Gbps throughput (3-year subscription)
• VSRX-2G-STD-CLD-1: 2-Gbps throughput (1-year subscription)
• VSRX-2G-STD-CLD-3: 2-Gbps throughput (3-year subscription)
• VSRX-4G-STD-CLD-1: 4-Gbps throughput (1-year subscription)
• VSRX-4G-STD-CLD-3: 4-Gbps throughput (3-year subscription)
Description: Includes the following features:
• Core security: firewall, ALG, screens, user firewall
• IPsec VPN (site-to-site VPN)
• NAT
• CoS
• Routing services: BGP, OSPF, DHCP, J-Flow, IPv4
• Foundation: static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics

License Type: ASB
License Model Number: These App Security Bundled (ASB) bandwidth SKUs are available for vSRX:
• VSRX-1G-ASB-CLD-1: 1-Gbps throughput (1-year subscription)
• VSRX-1G-ASB-CLD-3: 1-Gbps throughput (3-year subscription)
• VSRX-2G-ASB-CLD-1: 2-Gbps throughput (1-year subscription)
• VSRX-2G-ASB-CLD-3: 2-Gbps throughput (3-year subscription)
• VSRX-4G-ASB-CLD-1: 4-Gbps throughput (1-year subscription)
• VSRX-4G-ASB-CLD-3: 4-Gbps throughput (3-year subscription)
Description: Includes all STD features bundled with IPS and AppSecure signatures, along with the following features:
• AppID
• AppFW
• AppQoS
• AppTrack

License Type: CSB
License Model Number: These Content Security Bundled (CSB) bandwidth SKUs are available for vSRX:
• VSRX-1G-CSB-CLD-1: 1-Gbps throughput (1-year subscription)
• VSRX-1G-CSB-CLD-3: 1-Gbps throughput (3-year subscription)
• VSRX-2G-CSB-CLD-1: 2-Gbps throughput (1-year subscription)
• VSRX-2G-CSB-CLD-3: 2-Gbps throughput (3-year subscription)
• VSRX-4G-CSB-CLD-1: 4-Gbps throughput (1-year subscription)
• VSRX-4G-CSB-CLD-3: 4-Gbps throughput (3-year subscription)
Description: Includes all STD features, along with the features bundled with ASB, and adds the following UTM features:
• Antivirus
• Content filtering
• Web filtering
NOTE: License stacking is allowed. So, for example, to license 3 Gbps of throughput for the standard (STD) feature set for 1 year, use a VSRX-1G-STD-CLD-1 license and a VSRX-2G-STD-CLD-1 license.
CHAPTER 7
Troubleshooting
• Finding the Software Serial Number for vSRX on page 123
Finding the Software Serial Number for vSRX
You need the software serial number to open a support case or to renew a vSRX license.
1. Use the show system license command to find the vSRX software serial number.
vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
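The following Python script is an added example; it is not code from the Juniper guide. It parses the text output of show system license in the layout shown above (the same layout the licensing chapter shows after a key is added), returns the Software Serial Number of each installed key, and flags the conditions the License Warning Messages section describes: a feature with licenses needed but none installed, an Expiry of invalid, and a key that expires within a warning window. The sample output embedded in the script is constructed from the guide's examples; the function names, the dataclasses and the 30-day default threshold are the example's own choices, and the script assumes the command output was captured as plain text (for instance with show system license | no-more over an SSH session).

```python
"""Parse Junos `show system license` text output and flag licensing problems.
Added example, not code from the Juniper guide; SAMPLE_OUTPUT is a constructed
sample in the layout the guide shows (two keys, one feature left unlicensed)."""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed:
  License identifier: E420588955
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
"""

# A usage row: feature name (may contain spaces), three integer counters, expiry
# text. The two header lines have no integer columns and therefore never match.
USAGE_ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<used>\d+)\s+(?P<installed>\d+)"
                       r"\s+(?P<needed>\d+)\s+(?P<expiry>\S.*?)\s*$")

@dataclass
class FeatureUsage:
    name: str
    used: int
    installed: int
    needed: int
    expiry: str  # raw text: "58 days", "permanent", "invalid", ...

    def days_left(self) -> "int | None":
        """Days until expiry; None for permanent keys and for the 'invalid' marker."""
        m = re.fullmatch(r"(\d+) days?", self.expiry.strip())
        return int(m.group(1)) if m else None

@dataclass
class InstalledLicense:
    identifier: str
    serial_number: str
    features: str

def parse_usage(text: str) -> "list[FeatureUsage]":
    """Rows of the 'License usage:' table."""
    rows, in_usage = [], False
    for line in text.splitlines():
        if line.startswith("License usage:"):
            in_usage = True
        elif line.startswith("Licenses installed:"):
            break
        elif in_usage and (m := USAGE_ROW.match(line)):
            rows.append(FeatureUsage(m["name"], int(m["used"]), int(m["installed"]),
                                     int(m["needed"]), m["expiry"]))
    return rows

def parse_installed(text: str) -> "list[InstalledLicense]":
    """Entries of the 'Licenses installed:' list; 'none' gives an empty list."""
    _, sep, tail = text.partition("Licenses installed:")
    if not sep or tail.strip().startswith("none"):
        return []
    result = []
    for chunk in re.split(r"(?m)^\s*License identifier:", tail)[1:]:
        block = "License identifier:" + chunk
        # "Label: value" lines of this key; 'Features:' has no value and is skipped.
        fields = dict(re.findall(r"^\s*([A-Za-z ]+): (.*)$", block, re.M))
        # Feature lines run from 'Features:' to the next blank line.
        feat = re.search(r"^\s*Features:[ \t]*\n((?:.+\n?)*)", block, re.M)
        result.append(InstalledLicense(fields["License identifier"],
                                       fields.get("Software Serial Number", ""),
                                       " ".join(feat.group(1).split()) if feat else ""))
    return result

def software_serial_numbers(text: str) -> "dict[str, str]":
    """License identifier -> Software Serial Number (what a support case asks for)."""
    return {lic.identifier: lic.serial_number for lic in parse_installed(text)}

def findings(text: str, warn_days: int = 30) -> "list[str]":
    """Conditions to act on before an expired core license stops forwarding."""
    out = []
    for f in parse_usage(text):
        if f.needed > 0:
            out.append(f"{f.name}: {f.needed} license(s) needed, {f.installed} installed")
        if f.expiry.strip() == "invalid":
            out.append(f"{f.name}: license reported invalid")
        days = f.days_left()
        if days is not None and days <= warn_days:
            out.append(f"{f.name}: expires in {days} days")
    return out

if __name__ == "__main__":
    print(software_serial_numbers(SAMPLE_OUTPUT), *findings(SAMPLE_OUTPUT, 60), sep="\n")
```

Replace SAMPLE_OUTPUT with the captured output of a real instance: findings(text, 60) lists what needs action with a 60-day window (the same lead time as a 30-day renew before-expiration setting plus a margin), and software_serial_numbers(text) gives the identifier and serial number to quote when opening a support case or renewing.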