vSRX Guide for AWS
Modified: 2017-09-01
Copyright © 2017, Juniper Networks, Inc.
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Copyright © 2017 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents

About the Documentation (page ix)
  Documentation and Release Notes (page ix)
  Supported Platforms (page ix)
  Documentation Conventions (page ix)
  Documentation Feedback (page xi)
  Requesting Technical Support (page xii)
    Self-Help Online Tools and Resources (page xii)
    Opening a Case with JTAC (page xii)

Chapter 1: Overview Information (page 15)
  Understanding vSRX with AWS (page 15)
    vSRX with AWS (page 15)
    vSRX Benefits and Use Cases (page 16)
    AWS Glossary (page 17)
  System Requirements for vSRX on AWS (page 19)
    System Requirements for AWS (page 19)
    Best Practices Recommendations (page 19)
  Interface Naming and Mapping (page 20)
  vSRX Factory Default Settings (page 20)

Chapter 2: Installing vSRX in AWS (page 23)
  Configuring an AWS Virtual Private Cloud for vSRX (page 23)
    Step 1: Creating a VPC and Internet Gateway (page 24)
    Step 2: Adding Subnets for vSRX (page 26)
    Step 3: Adding Route Tables for vSRX (page 27)
    Step 4: Adding Security Groups for vSRX (page 29)
  Launching an Instance of vSRX (page 31)
    Step 1: Creating an SSH Key Pair (page 31)
    Step 2: Launching a vSRX Instance (page 33)
    Step 3: Viewing the AWS System Logs (page 35)
    Step 4: Adding Network Interfaces for vSRX (page 35)
    Step 5: Allocating Elastic IP Addresses (page 37)
    Step 6: Adding the vSRX Private Interfaces to the Route Tables (page 37)
    Step 7: Rebooting the vSRX Instance (page 38)
    Step 8: Logging in to a vSRX Instance (page 38)

Chapter 3: Configuring and Managing vSRX Basics (page 41)
  Configuring vSRX Using the CLI (page 41)
    Understanding vSRX Preconfiguration and Factory Default (page 41)
    Adding a Basic vSRX Configuration (page 42)
    Adding DNS Servers (page 43)
  Configuring vSRX Using the J-Web Interface (page 43)
    Accessing the J-Web Interface and Configuring vSRX (page 43)
    Applying the Configuration (page 45)
  Managing Security Policies for Virtual Machines Using Junos Space Security Director (page 46)
  Removing a vSRX Instance on AWS (page 46)

Chapter 4: vSRX in AWS Use Cases (page 47)
  Example: Configuring NAT for vSRX (page 47)
  Example: Configuring VPN on vSRX Between VPCs in AWS (page 48)

Chapter 5: vSRX Licensing (page 53)
  vSRX Feature Licenses Overview (page 53)
    vSRX License Procurement and Renewal (page 53)
    vSRX Evaluation License (page 54)
      Product Evaluation License (page 55)
      Advanced Security Features Evaluation License (page 55)
    License Types (page 56)
    Throughput (page 57)
    License Duration (page 57)
    Individual (á la carte) Feature Licenses (page 58)
    Bundled Licenses (page 58)
    Stacking Licenses (page 58)
    vSRX License Keys Components (page 58)
    License Management Fields Summary (page 59)
  Managing Licenses for vSRX (page 61)
    vSRX Evaluation License Installation Process (page 61)
    Adding a New License Key with J-Web (page 62)
    Adding a New License Key from the CLI (page 63)
    Updating vSRX Licenses (page 64)
    Deleting a License with J-Web (page 65)
    Deleting a License with the CLI (page 66)
    License Warning Messages (page 66)
  vSRX License Model Numbers for AWS (page 67)

Chapter 6: Troubleshooting (page 71)
  Finding the Software Serial Number for vSRX (page 71)
List of Figures

Chapter 2: Installing vSRX in AWS (page 23)
  Figure 1: Example of vSRX Deployment (page 24)
  Figure 2: Verify Region (page 32)
  Figure 3: Disable Source/Dest. Check (page 36)

Chapter 5: vSRX Licensing (page 53)
  Figure 4: Sample vSRX License SKU (page 57)
  Figure 5: J-Web Licenses Window Showing Installed Licenses (page 59)
  Figure 6: J-Web Licenses Window (page 62)
  Figure 7: Add License Window (page 63)
  Figure 8: License Details Window (page 63)
  Figure 9: Deleting a License (page 65)
  Figure 10: Delete Licenses Window (page 66)
  Figure 11: J-Web Dashboard for License Expiry Warning (page 67)
List of Tables

About the Documentation (page ix)
  Table 1: Notice Icons (page x)
  Table 2: Text and Syntax Conventions (page x)

Chapter 1: Overview Information (page 15)
  Table 3: VPC Related Terminology (page 17)
  Table 4: EC2 Related Terminology (page 18)
  Table 5: System Requirements for vSRX (page 19)
  Table 6: vSRX and AWS Interface Names (page 20)
  Table 7: Factory-Default Settings for Security Policies (page 21)

Chapter 2: Installing vSRX in AWS (page 23)
  Table 8: Supported AWS Instance Types for vSRX (page 33)
  Table 9: AWS Instance Details (page 34)
  Table 10: Network Interface Settings (page 36)
  Table 11: Elastic IP Settings (page 37)
  Table 12: Private Route Settings (page 38)

Chapter 3: Configuring and Managing vSRX Basics (page 41)
  Table 13: Device Name and User Account Information (page 44)
  Table 14: System Time Options (page 44)

Chapter 5: vSRX Licensing (page 53)
  Table 15: vSRX Evaluation License Type (page 55)
  Table 16: Summary of License Management Fields (page 60)
  Table 17: vSRX Licensing Package Types (page 68)
About the Documentation

• Documentation and Release Notes on page ix
• Supported Platforms on page ix
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xii
Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.
Supported Platforms

For the features described in this document, the following platforms are supported:
• vSRX
Documentation Conventions Table 1 on page x defines notice icons used in this guide.
Table 1: Notice Icons

Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page x defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Example: broadcast | multicast
           (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example (for both indention/braces and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: http://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
CHAPTER 1

Overview Information

• Understanding vSRX with AWS on page 15
• System Requirements for vSRX on AWS on page 19
• Interface Naming and Mapping on page 20
• vSRX Factory Default Settings on page 20
Understanding vSRX with AWS

This section presents an overview of vSRX in Amazon Web Services (AWS) public clouds.

• vSRX with AWS on page 15
• vSRX Benefits and Use Cases on page 16
• AWS Glossary on page 17
vSRX with AWS

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on Junos OS and delivers networking and security features similar to those available on SRX Series Services Gateways for the branch.

AWS provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform where individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) service or bring-your-own-license (BYOL).
NOTE: vSRX PAYG images do not require any Juniper Networks licenses.
AWS Marketplace also enables you to discover and subscribe to software that supports regulated workloads through AWS Marketplace for AWS GovCloud (US).
Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

• vSRX Next-Generation Firewall Bundle 1—Includes standard (STD) features of core security, IPsec VPN, NAT, CoS, and routing services as well as the AppSecure features of AppID, AppFW, AppQoS, and AppTrack.
• vSRX Next-Generation Firewall Bundle 2—Includes the features in vSRX Next-Generation Firewall Bundle 1 and the UTM antivirus feature.
You can deploy vSRX in a virtual private cloud (VPC) hosted by AWS as an application instance in the AWS Elastic Compute Cloud (EC2). Each EC2 instance is deployed, accessed, and configured over the Internet using the AWS Management Console, and the capacity of each instance can be scaled up or down as needed.
NOTE: In the current release, each vSRX instance uses two vCPUs and 4 GB of memory, even if the instance type selected in AWS is different.
vSRX uses hardware assisted virtual machines (HVM) for high performance (enhanced networking), and supports the following deployments in AWS cloud environments:

• As a firewall between other EC2 instances on your VPC and the Internet
• As a VPN endpoint between your corporate network and your VPC
• As a firewall between EC2 instances on different subnets
vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments. Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

• Stateful firewall protection at the tenant edge
• Faster deployment of virtual firewalls into new sites
• Full routing, VPN, core security, and networking capabilities
• Application security features (including IPS and App-Secure)
• Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)
• Centralized management with Junos Space Security Director and local management with J-Web Interface
• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration
AWS Glossary This section defines some common terms used in an AWS public cloud configuration. Table 3 on page 17 defines common terms used for Virtual Private Clouds (VPCs) and Table 4 on page 18 defines common terms for Elastic Compute Cloud (EC2) services.
Table 3: VPC Related Terminology

Internet gateways
  VPC components that allow communications between your instances in the VPC and the Internet.

IP addressing
  AWS includes three types of IP address:
  • Public IP address–Addresses obtained from a public subnet that is publicly routable from the Internet. Public IP addresses are mapped to primary private IP addresses through AWS NAT.
  • Private IP address–IP addresses in the VPC Classless Interdomain Routing (CIDR) range, as specified in RFC 1918, that are not publicly routable.
  • Elastic IP address–A static IP address designed for dynamic cloud computing. When an Elastic IP address is associated with a public IP network interface, the public IP address associated with it is released until the Elastic IP address is disassociated from the network interface.
  Each network interface can be associated with multiple private IP addresses. Public subnets can have multiple private IP addresses, public addresses, and Elastic IP addresses associated with the private IP address of the network interface. Private subnets can have multiple private IP addresses and Elastic IP address associated with each private IP address. You can assign static private IP addresses in the subnet. The first five IP addresses and the last IP address in the subnet are reserved for VPC networking and routing. The first IP address is the gateway for the subnet.

Network ACL
  AWS stateless virtual firewall operating at the subnet level.

Route tables
  A set of routing rules used to determine where the network traffic is directed. Each subnet needs to be associated with a route table. Subnets not explicitly associated with a route table are associated with the main route table. Custom route tables can be created other than the default table.

Subnet
  A virtual addressing space in the VPC CIDR block. The IP addresses for the EC2 instances are allocated from the subnet pool of IP addresses. You can create two types of subnets in the VPC:
  • Public subnets–Subnets that have traffic connections to the Internet gateway.
  • Private subnets–Subnets that do not have connections to the Internet gateway.
  NOTE: With vSRX Network Address Translation (NAT), you can launch all customer instances in private subnets and connect vSRX interfaces to the Internet. This protects your instances from being directly exposed to Internet traffic.

VPC
  Virtual private cloud.
Table 4: EC2 Related Terminology

Amazon Machine Image (AMI)
  Amazon image format that contains the information, such as the template for root volume, launch permissions, and block device mapping, that is required to launch an EC2 instance.

Cluster networking
  Instances launched in a common cluster placement group. Instances within the cluster have networks with high bandwidth and low latency.

Elastic Block Store (EBS)
  Persistent block storage that can be attached to an EC2 instance. Block storage volumes can be formatted and mounted on an instance. EBS optimized instances provide dedicated throughput between Amazon EC2 and Amazon EBS.

Elastic Compute Cloud (EC2)
  Amazon Web service that enables launch and management of elastic virtual servers or computers that run on the Amazon infrastructure.

Elastic IP
  A static IP designed for dynamic cloud computing. The public IP is mapped to the private subnet IP using NAT.

Enhanced networking
  Provides high packet per second performance, low latency, higher I/O performance, and lower CPU utilization compared to traditional implementations. vSRX leverages this networking with hardware virtualized machine (HVM) Amazon Machine Images (AMIs).

Instance
  A virtual machine or server on EC2 that uses XEN or XEN-HVM hypervisor types. EC2 provides a selection of instances optimized for different use cases.

Key pairs
  Public key cryptography used by AWS to encrypt and decrypt login information. Create these key pairs using AWS-EC2 or import your own key pairs.
  NOTE: AWS does not accept DSA. Limit the public key access permissions to 400.

Network interfaces
  Virtual network interfaces that you can attach to an instance in the VPC. An Elastic Network Interface (ENI) can have a primary private IP address, multiple secondary IP addresses, one Elastic IP address per private IP address, one public IP address, one or more security groups, one MAC address, and a source/destination check flag.
  NOTE: For vSRX instances, disable the source/destination check for all interfaces.

Network MTU
  All Amazon instance types support an MTU of 1500. Some instance types support jumbo frames (9100 MTU).
  NOTE: Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.

Security groups
  An AWS-provided virtual firewall that controls the traffic for one or more instances. Security groups can be associated with an instance only at launch time.
  NOTE: Because vSRX manages your firewall settings, we recommend that you ensure there is no contradiction between rule sets in AWS security groups and rule sets in your vSRX configuration.
Release History Table

Release        Description
15.1X49-D70    Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

Related Documentation

• AWS Tutorials
• Getting Started with AWS
System Requirements for vSRX on AWS

System Requirements for AWS

Table 5 on page 19 lists the system requirements for a vSRX instance in an AWS environment.

Table 5: System Requirements for vSRX

Component            Specification
Hypervisor support   XEN-HVM
Memory               4 GB
Disk space           16 GB
vCPUs                2
vNICs                Up to 8
vNIC type            SR-IOV
Best Practices Recommendations

vSRX deployments can be complex, and there is a great deal of variability in the specifics of possible deployments. The following recommendations might apply to and improve performance and function in your particular circumstances:

• Disable the source/destination check for all vSRX interfaces.
• Limit public key access permissions to 400 for key pairs.
• Ensure that there are no contradictions between AWS security groups and your vSRX configuration.
• Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.
• Use vSRX NAT to protect your EC2 instances from direct Internet traffic.
Interface Naming and Mapping

Table 6 on page 20 shows the vSRX and AWS interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 6: vSRX and AWS Interface Names

Interface Number   vSRX Interface   AWS Interface
1                  fxp0             eth0
2                  ge-0/0/0         eth1
3                  ge-0/0/1         eth2
4                  ge-0/0/2         eth3
5                  ge-0/0/3         eth4
6                  ge-0/0/4         eth5
7                  ge-0/0/5         eth6
8                  ge-0/0/6         eth7
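The following audit script is added here as an example and is not part of the guide or a Juniper tool. It applies the Best Practices Recommendations (source/destination check, key file permissions, jumbo-frame instance types, vNIC limit) and the Table 6 mapping to instance and network-interface records; the records are constructed for the example in the field layout that boto3 returns for describe_instances and describe_network_interfaces (an assumption), and no AWS API is called.

```python
"""Offline audit of a vSRX-on-AWS deployment against the best practices and the
Table 6 interface mapping. The records below are constructed for this example;
their field names follow the shape of boto3 describe_instances() and
describe_network_interfaces() output (an assumption). No AWS API is called."""
import os
import stat
import tempfile

MAX_VNICS = 8  # vSRX on AWS supports up to 8 vNICs (Table 5)

# Instance families the guide names for vSRX with jumbo frames (9100 MTU).
JUMBO_FRAME_FAMILIES = {"c3", "c4", "cc2", "m3", "m4", "t2"}

# Constructed records; the identifiers are placeholders, not real AWS resources.
SAMPLE_INSTANCE = {"InstanceId": "i-EXAMPLE", "InstanceType": "c4.xlarge"}
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-EXAMPLE-mgmt", "Attachment": {"DeviceIndex": 0}, "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-EXAMPLE-pub", "Attachment": {"DeviceIndex": 1}, "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-EXAMPLE-priv", "Attachment": {"DeviceIndex": 2}, "SourceDestCheck": True},
]


def vsrx_interface_name(device_index):
    """Table 6: AWS eth0 is the vSRX management port fxp0; eth<n> is ge-0/0/<n-1>."""
    if not 0 <= device_index < MAX_VNICS:
        raise ValueError("device index %d is outside the 0..%d range vSRX supports"
                         % (device_index, MAX_VNICS - 1))
    return "fxp0" if device_index == 0 else "ge-0/0/%d" % (device_index - 1)


def audit_instance(instance, enis, jumbo_frames=False):
    """Return a list of findings; an empty list means the records follow the guide."""
    findings = []
    family = instance["InstanceType"].split(".")[0].lower()
    if jumbo_frames and family not in JUMBO_FRAME_FAMILIES:
        findings.append("instance type %s is not one of the jumbo-frame types "
                        "(C3, C4, CC2, M3, M4, T2)" % instance["InstanceType"])
    if len(enis) > MAX_VNICS:
        findings.append("%d network interfaces attached; vSRX supports at most %d"
                        % (len(enis), MAX_VNICS))
    for eni in sorted(enis, key=lambda e: e["Attachment"]["DeviceIndex"]):
        idx = eni["Attachment"]["DeviceIndex"]
        name = vsrx_interface_name(idx)
        # The guide requires the source/destination check to be off on every vSRX
        # interface; with it on, AWS discards the transit traffic the firewall forwards.
        if eni["SourceDestCheck"]:
            findings.append("source/destination check is enabled on %s (eth%d, %s)"
                            % (name, idx, eni["NetworkInterfaceId"]))
    return findings


def key_file_mode_ok(path):
    """Best practice: the key pair's private key file is limited to mode 400."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o400


def demo_key_file_modes():
    """Create a throwaway key file and check it with a lax and then a strict mode."""
    fd, path = tempfile.mkstemp(prefix="vsrx-key-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        lax = key_file_mode_ok(path)
        os.chmod(path, 0o400)
        strict = key_file_mode_ok(path)
    finally:
        os.chmod(path, 0o600)  # restore write permission before deleting
        os.remove(path)
    return lax, strict


if __name__ == "__main__":
    for finding in audit_instance(SAMPLE_INSTANCE, SAMPLE_ENIS, jumbo_frames=True):
        print("FINDING:", finding)
    print("key file check (lax, strict):", demo_key_file_modes())
```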
We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.
NOTE: Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
vSRX Factory Default Settings

vSRX requires the following basic configuration settings:
• Interfaces must be assigned IP addresses.
• Interfaces must be bound to zones.
• Policies must be configured between zones to permit or deny traffic.

Table 7 on page 21 lists the factory-default settings for the vSRX security policies.

Table 7: Factory-Default Settings for Security Policies

Source Zone   Destination Zone   Policy Action
trust         untrust            permit
trust         trust              permit

CAUTION: Do not use the load factory-default command on a vSRX AWS instance. The factory-default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance. See “Configuring vSRX Using the CLI” on page 41 for AWS preconfiguration details.
CHAPTER 2

Installing vSRX in AWS
• Configuring an AWS Virtual Private Cloud for vSRX on page 23
• Launching an Instance of vSRX on page 31
Configuring an AWS Virtual Private Cloud for vSRX

Before you begin, you need an Amazon Web Services (AWS) account and an Identity and Access Management (IAM) role, with all required permissions to access, create, modify, and delete AWS Elastic Compute Cloud (EC2), Simple Storage Service (S3), and Virtual Private Cloud (VPC) objects. You should also create access keys and corresponding secret access keys, X.509 certificates, and account identifiers. For a better understanding of AWS terminology and its use in vSRX AWS deployments, see “Understanding vSRX with AWS” on page 15.

Figure 1 on page 24 shows an example of how you can deploy vSRX to provide security for applications running in a private subnet of a VPC. The following procedures describe how to set up a VPC with its associated Internet gateway, subnets, route table, and security groups. You can then install an instance of vSRX in the VPC (see “Launching an Instance of vSRX” on page 31).

Figure 1: Example of vSRX Deployment
Use the following process to create and prepare a VPC for vSRX:

NOTE: To upgrade an existing vSRX instance, see Migration, Upgrade, and Downgrade in the vSRX Release Notes.

• Step 1: Creating a VPC and Internet Gateway on page 24
• Step 2: Adding Subnets for vSRX on page 26
• Step 3: Adding Route Tables for vSRX on page 27
• Step 4: Adding Security Groups for vSRX on page 29

Step 1: Creating a VPC and Internet Gateway

Use the following procedure to create a VPC and an Internet gateway in AWS. If you already have a VPC and an Internet gateway, go to “Step 2: Adding Subnets for vSRX” on page 26.
1. Log in to the AWS Management Console and select Services > Networking > VPC.
2. In the VPC Dashboard, select Your VPCs in the left pane, and click Create VPC.
3. Specify a VPC name and a range of private IP addresses in Classless Interdomain Routing (CIDR) format. Leave Default as the Tenancy.
4. Click Yes, Create.
5. Select Internet Gateways in the left pane, and click Create Internet Gateway.
6. Specify a gateway name and click Yes, Create.
7. Select the gateway you just created and click Attach to VPC.
8. Select the new VPC, and click Yes, Attach.

Step 2: Adding Subnets for vSRX

In the VPC, public subnets have access to the Internet gateway, but private subnets do not. vSRX requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.
To create each vSRX subnet:
1. In the VPC Dashboard, select Subnets in the left pane, and click Create Subnet.
2. Specify a subnet name, select the VPC and availability zone, and specify the range of subnet IP addresses in CIDR format.

NOTE: All subnets for a vSRX instance must be in the same availability zone. Do not use No Preference for the availability zone.

3. Click Yes, Create.

Repeat these steps for each subnet you want to create and attach to the vSRX instance.

Step 3: Adding Route Tables for vSRX

A main route table is created for each VPC by default. We recommend that you create a custom route table for the public subnets and a separate route table for each private subnet. All subnets that are not associated with a custom route table are associated with the main route table.
To create the route tables:
1. In the VPC Dashboard, select Route Tables in the left pane, and click Create Route Table.
2. Specify a route table name, select the VPC, and click Yes, Create.
3. Repeat steps 1 and 2 to create all the route tables.
4. Select the route table you created for the public subnets and do the following:
   a. Select the Routes tab below the list of route tables.
   b. Click Edit and click Add another route.
   c. Enter 0.0.0.0/0 as the destination, select your VPC internet gateway as the target, and click Save.
   d. Select the Subnet Associations tab, and click Edit.
   e. Select the check boxes for the public subnets, and click Save.
5. Select each route table you created for a private subnet and do the following:
   a. Select the Subnet Associations tab, and click Edit.
   b. Select the check box for one private subnet, and click Save.
Step 4: Adding Security Groups for vSRX

A default security group is created for each VPC. We recommend that you create a separate security group for the vSRX management interface (fxp0) and another security group for all other vSRX interfaces. The security groups are assigned when a vSRX instance is launched in the EC2 Dashboard, where you can also add and manage security groups.

To create the security groups:
1. In the VPC Dashboard, select Security Groups in the left pane, and click Create Security Group.
2. For the vSRX management interface, specify a security group name in the Name Tag field, edit the Group Name field (optional), enter a description of the group, and select the VPC.
3. Click Yes, Create.
4. Repeat Steps 1 through 3 to create a security group for the vSRX revenue interfaces.
5. Select the security group you created for the management interface and do the following:
   a. Select the Inbound Rules tab below the list of security groups.
   b. Click Edit and click Add another rule to create the following inbound rules:

      Type              Protocol   Port      Source
      Custom TCP rule   Default    20-21     Enter CIDR address format for each rule (0.0.0.0/0 allows any source).
      SSH (22)          Default    Default
      HTTP (80)         Default    Default
      HTTPS (443)       Default    Default

   c. Click Save.
   d. Select the Outbound Rules tab to view the default rule that allows all outbound traffic. Use the default rule unless you need to restrict the outbound traffic.
6. Select the security group you created for all other vSRX interfaces and do the following:

   NOTE: The inbound and outbound rules should allow all traffic to avoid conflicts with the security settings on vSRX.

   a. Select the Inbound Rules tab below the list of security groups.
   b. Click Edit and create the following inbound rule:

      Type          Protocol   Port   Source
      All Traffic   All        All    • For webservers: 0.0.0.0/0
                                      • For VPN: the VPN CIDR block

   c. Click Save.
   d. Keep the default rule in the Outbound Rules tab. The default rule allows all outbound traffic.
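The two security groups above encode a split that is easy to get wrong later: the management group is the only place that should restrict sources and ports, while the revenue group must pass everything so that filtering happens once, in the vSRX security policy (the best-practice item about contradictions between security groups and the vSRX configuration). The following checker, added here as an example and not code from the Juniper guide, audits both groups from dicts shaped like the `SecurityGroups` entries that boto3 `describe_security_groups()` returns. The group IDs, names and CIDRs are constructed sample data, and the administrative network `203.0.113.0/24` is an assumed value.

```python
"""Audit vSRX security groups from describe_security_groups()-shaped dicts.

Added example, not part of the Juniper guide. All IDs, names and CIDRs are
constructed sample data; ADMIN_CIDRS is an assumed administrative network.
"""
from ipaddress import ip_network

# TCP port ranges the guide opens on the management (fxp0) security group.
MGMT_TCP_RULES = {(20, 21), (22, 22), (80, 80), (443, 443)}


def _port_range(perm):
    """(from, to) for one IpPermission entry; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _sources(perm):
    """IPv4 CIDR sources of one IpPermission entry."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])]


def audit_management_group(sg, admin_cidrs):
    """Findings for the fxp0 group: the guide notes that 0.0.0.0/0 admits any
    source, so each source must fall inside an administrative CIDR, and only
    the TCP ports the guide lists (20-21, 22, 80, 443) should be open."""
    allowed = [ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in sg["IpPermissions"]:
        lo, hi = _port_range(perm)
        if perm["IpProtocol"] != "tcp" or (lo, hi) not in MGMT_TCP_RULES:
            findings.append(f"{sg['GroupId']}: unexpected rule {perm['IpProtocol']} {lo}-{hi}")
        for cidr in _sources(perm):
            if not any(ip_network(cidr).subnet_of(a) for a in allowed):
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {lo}-{hi} open to {cidr}")
    return findings


def audit_revenue_group(sg):
    """Findings for the revenue-interface group: the guide wants it to pass all
    traffic so that the vSRX policy is the single filter; a port- or
    protocol-specific rule here silently filters ahead of that policy."""
    findings = []
    passes_all = False
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] == "-1":
            passes_all = True
        else:
            lo, hi = _port_range(perm)
            findings.append(f"{sg['GroupId']}: port-specific rule {perm['IpProtocol']} "
                            f"{lo}-{hi} filters ahead of the vSRX policy")
    if not passes_all:
        findings.append(f"{sg['GroupId']}: no 'All traffic' inbound rule")
    return findings


# Constructed sample data in the shape of describe_security_groups() output.
ADMIN_CIDRS = ["203.0.113.0/24"]  # assumed administrative network
SAMPLE_MGMT_SG = {
    "GroupId": "sg-mgmt-example",
    "GroupName": "vsrx-mgmt",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # any source: flagged
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},       # not a vSRX port: flagged
    ],
}
SAMPLE_REVENUE_SG = {
    "GroupId": "sg-revenue-example",
    "GroupName": "vsrx-revenue",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for line in audit_management_group(SAMPLE_MGMT_SG, ADMIN_CIDRS):
        print(line)
    for line in audit_revenue_group(SAMPLE_REVENUE_SG):
        print(line)
```

With real data, feed the output of `describe_security_groups(GroupIds=[...])` in place of the sample dicts; the checks depend only on the `IpPermissions` structure.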
Related Documentation
• IAM Roles for Amazon EC2
Launching an Instance of vSRX

The following procedures describe how to launch and configure a vSRX instance in the VPC:
• Step 1: Creating an SSH Key Pair on page 31
• Step 2: Launching a vSRX Instance on page 33
• Step 3: Viewing the AWS System Logs on page 35
• Step 4: Adding Network Interfaces for vSRX on page 35
• Step 5: Allocating Elastic IP Addresses on page 37
• Step 6: Adding the vSRX Private Interfaces to the Route Tables on page 37
• Step 7: Rebooting the vSRX Instance on page 38
• Step 8: Logging in to a vSRX Instance on page 38

Step 1: Creating an SSH Key Pair

An SSH key pair is required to remotely access a vSRX instance in AWS. You can create a new key pair in the EC2 Dashboard or import a key pair created by another tool.
To create an SSH key pair in AWS:
1. Log in to the AWS Management Console and select Services > Compute > EC2.
2. In the EC2 Dashboard, select Key Pairs in the left pane. Verify that the region name shown in the toolbar is the same as the region where you created the VPC.

   Figure 2: Verify Region

3. Click Create Key Pair, specify a key pair name, and click Create.
4. The private key file is automatically downloaded. Move the downloaded private key file (.pem) to a secure location.
5. To use an SSH client on a Mac or Linux computer to connect to the vSRX instance, use the following command to set the permissions of the private key file so that only you can read it:
   host# chmod 400 .pem

NOTE: Alternately, use Import Key Pair to import a different key pair you generated with a third-party tool.
Step 2: Launching a vSRX Instance

You can launch a vSRX instance based on any one of the hardware virtual machine (HVM) enhanced-networking enabled instance types in Table 8 on page 33. You can select an instance type with more than 2 virtual CPUs (vCPUs) for increased bandwidth (network performance) or more interfaces, but vSRX uses a maximum of 2 vCPUs.

Table 8: Supported AWS Instance Types for vSRX

Instance Type   vCPUs   Memory (GB)   Network Performance   Maximum Number of Interfaces   Maximum Number of IP Addresses per Interface
c3.xlarge       4       7.5           Moderate              4                              15
c3.2xlarge      8       15            High                  4                              15
c3.4xlarge      16      30            High                  8                              30
c3.8xlarge      32      60            10 Gbps               8                              30
c4.xlarge       4       7.5           Moderate              4                              15
c4.2xlarge      8       15            High                  8                              30
c4.4xlarge      16      30            High                  8                              30
c4.8xlarge      36      60            10 Gbps               8                              30
m4.xlarge       4       16            High                  4                              15
m4.2xlarge      8       32            High                  4                              15
m4.4xlarge      16      64            High                  8                              30
m4.10xlarge     40      160           10 Gbps               8                              30
To launch a vSRX instance in the VPC:
1. In the EC2 Dashboard, select Instances in the left pane.
2. Click Launch Instance, search for the vSRX AMI in AWS Marketplace, and click Select next to the vSRX AMI.
3. Select a supported instance type. See Table 8 on page 33 for details.
4. Click Next: Configure Instance Details, and specify the fields in Table 9 on page 34.

   Table 9: AWS Instance Details

   Field                           Setting
   Network                         Select the VPC configured for vSRX.
   Subnet                          Select the public subnet for the vSRX management interface (fxp0).
   Auto-assign Public IP           Select Disable (you will assign an Elastic IP address later).
   Placement group                 Use the default.
   Shutdown behavior               Select Stop (the default).
   Enable termination protection   Use your IT policy.
   Monitoring                      Use your IT policy.
   Network Interfaces              Use the default or assign a public IP address for the Primary IP field.

5. Click Next: Add Storage, and use the default settings or change the Volume Type and IOPS as needed.
6. Click Next: Tag Instance, and specify a name for the vSRX instance.
7. Click Next: Configure Security Group, select Select an existing security group, and select the security group created for the vSRX management interface (fxp0).
8. Click Review and Launch, review the settings for the vSRX instance, and click Launch.
9. Select the SSH key pair you created, select the acknowledgment check box, and click Launch Instance.
10. Click View Instances to display the Instances list in the EC2 Dashboard. It might take several minutes to launch a vSRX instance.
Step 3: Viewing the AWS System Logs

To debug launch time errors, you can view the AWS system logs, as follows:
1. In the EC2 Dashboard, select Instances.
2. Select the vSRX instance, and select Actions > Instance Settings > Get System Logs.

Step 4: Adding Network Interfaces for vSRX

AWS supports up to eight interfaces for an instance, depending on the AWS instance type selected. Use the following procedure for each of the revenue interfaces you want to add to vSRX (up to seven). The first revenue interface is ge-0/0/0, the second is ge-0/0/1, and so on (see “Interface Naming and Mapping” on page 20).

To add a vSRX revenue interface:
1. In the EC2 Dashboard, select Network Interfaces in the left pane, and click Create Network Interface.
2. Specify the interface settings as shown in Table 10 on page 36, and click Yes, Create.

   Table 10: Network Interface Settings

   Field             Setting
   Description       Enter an interface description for each of the revenue interfaces.
   Subnet            Select the public subnet created for the first revenue interface (ge-0/0/0) or the private subnet created for all the other revenue interfaces.
   Private IP        Enter an IP address from the selected subnet or allow the address to be assigned automatically.
   Security Groups   Select the security group created for the vSRX revenue interfaces.

3. Select the new interface, select Actions > Change Source/Dest. Check, select Disabled, and click Save.

   Figure 3: Disable Source/Dest. Check

4. Select the new interface, select Attach, select the vSRX instance, and click Attach.
5. Click the pencil icon in the new interface Name column and give the interface a name (for example, ix-fxp0.0).

NOTE: For a private revenue interface (ge-0/0/1 through ge-0/0/7), make a note of the network name you created or the network interface ID. You will add the name or interface ID later to the route table created for the private subnet.
Step 5: Allocating Elastic IP Addresses

For public interfaces, AWS does a NAT translation of the public IP address to a private IP address. The public IP address is called an Elastic IP address. We recommend that you assign an Elastic IP address to the public vSRX interfaces (fxp0 and ge-0/0/0). Note that when a vSRX instance is restarted, the Elastic IPs are retained, but public subnet IPs are released.

To create and allocate Elastic IPs:
1. In the EC2 Dashboard, select Elastic IPs in the left pane, click Allocate New Address, and click Yes, Allocate. (If your account supports EC2-Classic, you must first select EC2-VPC from the Network platform list.)
2. Select the new Elastic IP address, and select Actions > Associate Address.
3. Specify the settings in Table 11 on page 37, and click Allocate.

   Table 11: Elastic IP Settings

   Field                Setting
   Network Interface    Select the vSRX management interface (fxp0) or the first revenue interface (ge-0/0/0).
   Private IP Address   Enter the private IP address to be associated with the Elastic IP address.

Step 6: Adding the vSRX Private Interfaces to the Route Tables

For each private revenue interface you created for vSRX, you must add the interface ID to the route table you created for the associated private subnet.

To add a private interface ID to a route table:
1. In the VPC Dashboard, select Route Tables in the left pane.
2. Select the route table you created for the private subnet.
3. Select the Routes tab below the list of route tables.
4. Click Edit and click Add another route.
5. Specify the settings in Table 12 on page 38, and click Save.

   Table 12: Private Route Settings

   Field         Setting
   Destination   Enter 0.0.0.0/0 for Internet traffic.
   Target        Type the network name or the network interface ID for the associated private subnet. The network interface must be in the private subnet shown in the Subnet Associations tab. NOTE: Do not select the Internet gateway (igw-nnnnnnnn).

Repeat this procedure for each private network interface. You must reboot the vSRX instance to complete this configuration.
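Steps 3 through 6 together decide whether private-subnet traffic actually traverses vSRX: the source/destination check must be off on every vSRX interface, the public route table must default to the Internet gateway, and each private route table must default to a vSRX private interface, never to the igw. A private subnet whose default route still points at the Internet gateway bypasses the firewall entirely without any error in the console. The following audit, added here as an example and not code from the Juniper guide, checks all three conditions on dicts shaped like boto3 `describe_route_tables()["RouteTables"]` and `describe_network_interfaces()["NetworkInterfaces"]` output; it also derives the vSRX interface name from the AWS device index using the mapping in Table 6. Every ID and CIDR below is a constructed sample value in AWS format.

```python
"""Audit the VPC routing and interface settings the guide's Steps 3-6 set up.

Added example, not part of the Juniper guide. Input dicts follow the shape of
boto3 describe_route_tables() and describe_network_interfaces() output; every
ID and CIDR below is a constructed sample value.
"""


def vsrx_interface_name(device_index):
    """AWS device index N is ethN; per Table 6, eth0 is fxp0 and ethN is ge-0/0/(N-1)."""
    return "fxp0" if device_index == 0 else f"ge-0/0/{device_index - 1}"


def default_route(rt):
    """The 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit_vsrx_vpc(route_tables, interfaces, public_subnet_ids):
    """Return findings for: vSRX interfaces with source/dest check still on,
    public subnets whose default route is not the Internet gateway, and private
    subnets whose default route is not a vSRX private interface."""
    findings = []
    private_enis = set()
    for eni in interfaces:
        eni_id = eni["NetworkInterfaceId"]
        name = vsrx_interface_name(eni["Attachment"]["DeviceIndex"])
        if eni["SourceDestCheck"]:
            findings.append(f"{eni_id} ({name}): source/dest check is still enabled")
        if eni["SubnetId"] not in public_subnet_ids:
            private_enis.add(eni_id)
    for rt in route_tables:
        route = default_route(rt)
        gateway = route.get("GatewayId", "") if route else ""
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet is None:  # the main-table association carries no subnet
                continue
            if subnet in public_subnet_ids:
                if not gateway.startswith("igw-"):
                    findings.append(f"{subnet}: public subnet default route does not use the Internet gateway")
            elif gateway.startswith("igw-"):
                findings.append(f"{subnet}: private subnet default route points at the Internet gateway, bypassing vSRX")
            elif route is None or route.get("NetworkInterfaceId") not in private_enis:
                findings.append(f"{subnet}: private subnet default route does not target a vSRX private interface")
    return findings


# Constructed sample data: two public subnets (fxp0 and ge-0/0/0), two private subnets.
PUBLIC_SUBNETS = {"subnet-pub-mgmt", "subnet-pub-data"}
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-fxp0-example", "SubnetId": "subnet-pub-mgmt",
     "SourceDestCheck": False, "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-ge000-example", "SubnetId": "subnet-pub-data",
     "SourceDestCheck": False, "Attachment": {"DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-ge001-example", "SubnetId": "subnet-priv-a",
     "SourceDestCheck": True, "Attachment": {"DeviceIndex": 2}},   # Step 4.3 skipped: flagged
    {"NetworkInterfaceId": "eni-ge002-example", "SubnetId": "subnet-priv-b",
     "SourceDestCheck": False, "Attachment": {"DeviceIndex": 3}},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
     "Associations": [{"SubnetId": "subnet-pub-mgmt"}, {"SubnetId": "subnet-pub-data"}]},
    {"RouteTableId": "rtb-priv-a-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-ge001-example"}],
     "Associations": [{"SubnetId": "subnet-priv-a"}]},
    {"RouteTableId": "rtb-priv-b-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],   # wrong target
     "Associations": [{"SubnetId": "subnet-priv-b"}]},
]

if __name__ == "__main__":
    for line in audit_vsrx_vpc(SAMPLE_ROUTE_TABLES, SAMPLE_INTERFACES, PUBLIC_SUBNETS):
        print(line)
```

Run it after Step 6 and before the reboot in Step 7; with live data, pass the VPC's route tables and the vSRX instance's network interfaces in place of the sample lists.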
Step 7: Rebooting the vSRX Instance

To incorporate the interface changes and complete the EC2 configuration, you must reboot the vSRX instance. Interfaces attached while the vSRX instance is running do not take effect until the instance is rebooted.

NOTE: Always use AWS to reboot the vSRX instance. Do not use the vSRX CLI to reboot.

To reboot a vSRX instance:
1. In the EC2 Dashboard, select Instances in the left pane.
2. Select the vSRX instance, and select Actions > Instance State > Reboot.

It might take several minutes to reboot a vSRX instance.

Step 8: Logging in to a vSRX Instance

Use an SSH client to log in to a vSRX instance for the first time. To log in, specify the location where you saved the SSH key pair .pem file for the root user account, and the Elastic IP address assigned to the vSRX management interface (fxp0).
   ssh -i /.pem root@

NOTE: Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.

If you do not have the key pair filename and Elastic IP address, use these steps to view the key pair name and Elastic IP for a vSRX instance:
1. In the EC2 Dashboard, select Instances.
2. Select the vSRX instance, and select eth0 in the Description tab to view the Elastic IP address for the fxp0 management interface.
3. Click Connect above the list of instances to view the SSH key pair filename.

To configure the basic settings for the vSRX instance, see “Configuring vSRX Using the CLI” on page 41.

NOTE: vSRX pay-as-you-go images do not require any separate licenses.
CHAPTER 3

Configuring and Managing vSRX Basics
• Configuring vSRX Using the CLI on page 41
• Configuring vSRX Using the J-Web Interface on page 43
• Managing Security Policies for Virtual Machines Using Junos Space Security Director on page 46
• Removing a vSRX Instance on AWS on page 46

Configuring vSRX Using the CLI
• Understanding vSRX Preconfiguration and Factory Default on page 41
• Adding a Basic vSRX Configuration on page 42
• Adding DNS Servers on page 43
Understanding vSRX Preconfiguration and Factory Default

vSRX on AWS deploys with the following preconfiguration defaults:
• SSH access with the RSA key pair configured during the installation
• No password access allowed for SSH access
• The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:

   set system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
   set groups aws-group system services ssh no-passwords
   set groups aws-group interfaces fxp0 unit 0 family inet address aws-ip-address
   set groups aws-group routing-options static route 0.0.0.0/0 next-hop aws-ip-address
   set apply-groups aws-group

For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:

   set system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
   set system services ssh no-passwords
   set interfaces fxp0 unit 0 family inet address aws-ip-address
   set routing-options static route 0.0.0.0/0 next-hop aws-ip-address

CAUTION: Do not use the load factory-default command on a vSRX AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.
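The lockout the CAUTION describes also happens when a configuration copied from another SRX (the workflow in the next section) is loaded and committed without the aws-group statements, since the root SSH key, the fxp0 address and the default route all live in that preconfiguration. The following pre-commit guard, added here as an example and not code from the Juniper guide, parses a set-format configuration, honours `delete` lines, and reports which of the 15.1X49-D80 / 17.3R1 preconfiguration statements shown above are absent. The two sample configurations are constructed, and the key, hash and address values in them are placeholders.

```python
"""Pre-commit guard: verify a set-format Junos configuration still carries the
AWS preconfiguration statements the guide shows for 15.1X49-D80 and later.

Added example, not part of the Juniper guide. The sample configurations are
constructed; key, hash and address values are placeholders.
"""
import shlex

# Statement prefixes from the guide's D80/17.3R1 preconfiguration; the trailing
# values (key material, addresses) are deployment-specific and not compared.
REQUIRED_AWS_PRECONFIG = [
    "system root-authentication ssh-rsa",
    "groups aws-group system services ssh no-passwords",
    "groups aws-group interfaces fxp0 unit 0 family inet address",
    "groups aws-group routing-options static route 0.0.0.0/0 next-hop",
    "apply-groups aws-group",
]


def _covers(statement, prefix):
    """True when a statement equals the prefix or extends it by further tokens."""
    return statement == prefix or statement.startswith(prefix + " ")


def parse_set_config(text):
    """Return the statement paths left after applying 'set' and 'delete' lines
    in order. Quoted values (such as an ssh-rsa key with a comment) stay one token."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb, path = tokens[0], " ".join(tokens[1:])
        if verb == "set":
            statements.append(path)
        elif verb == "delete":
            statements = [s for s in statements if not _covers(s, path)]
    return statements


def missing_preconfig(statements, required=REQUIRED_AWS_PRECONFIG):
    """Required preconfiguration prefixes that no statement covers."""
    return [p for p in required if not any(_covers(s, p) for s in statements)]


# Constructed: a configuration that keeps the AWS preconfiguration intact.
SAFE_CONFIG = """
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER admin@example"
set groups aws-group system services ssh no-passwords
set groups aws-group interfaces fxp0 unit 0 family inet address 10.0.1.10/24
set groups aws-group routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set apply-groups aws-group
set system host-name vsrx-aws-1
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
"""

# Constructed: a configuration copied from a non-AWS SRX. It replaces the root
# SSH key with a password hash and drops aws-group, so committing it would
# leave fxp0 unaddressed and unreachable.
UNSAFE_CONFIG = """
set system host-name branch-srx
set system root-authentication encrypted-password "PLACEHOLDER-HASH"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
set apply-groups aws-group
delete apply-groups aws-group
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        gaps = missing_preconfig(parse_set_config(cfg))
        print(label, "OK" if not gaps else "missing: " + "; ".join(gaps))
```

Run the guard over the candidate configuration (for example the output of `show configuration | display set` on the source device, plus your edits) before the `commit` in the procedure that follows; an empty result means the statements the guide lists are all still present.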
Adding a Basic vSRX Configuration

You can either create a new configuration on vSRX or copy an existing configuration from another SRX or vSRX and load it onto your vSRX in AWS. Use the following steps to copy and load an existing configuration:
1. Saving a Configuration File
2. Loading a Configuration File

To configure a vSRX instance using the CLI:
1. Log in to the vSRX instance using SSH and start the CLI.
   root@% cli
   root@>
2. Enter configuration mode.
   root@> configure
   [edit]
   root@#
3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
   root@# set system root-authentication plain-text-password
   New password: password
   Retype new password: password
4. Optionally, enable passwords for SSH if you want to create password access for additional users.
   root@# delete system services ssh no-passwords
5. Configure the hostname.
   root@# set system host-name host-name
6. For each vSRX revenue interface, assign the IP address defined in AWS. For example:
   root@# set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
   For multiple private addresses, enter a set command for each address. Do not assign the Elastic IP address.
7. Specify a security zone for the public interface.
   root@# set security zones security-zone untrust interfaces ge-0/0/0.0
8. Specify a security zone for the private interface.
   root@# set security zones security-zone trust interfaces ge-0/0/1.0
9. Verify the configuration.
   root@# commit check
   configuration check succeeds
10. Commit the configuration to activate it on the device.
   root@# commit
   commit complete
11. Optionally, use the show command to display the configuration to verify that it is correct.
Adding DNS Servers

vSRX does not include any DNS servers in the default configuration. You might need DNS configured to deploy Layer 7 services, such as IPS, to pull down signature updates, for example. You can use your own external DNS server or use an AWS DNS server. If you enable DNS on your VPC, queries to the Amazon DNS server (169.254.169.253) or the reserved IP address at the base of the VPC network range plus two should succeed. See AWS - Using DNS with Your VPC for complete details.

Related Documentation
• CLI User Guide
• AWS - Using DNS with Your VPC
Configuring vSRX Using the J-Web Interface
• Accessing the J-Web Interface and Configuring vSRX on page 43
• Applying the Configuration on page 45

Accessing the J-Web Interface and Configuring vSRX

To configure vSRX using the J-Web Interface:
1. Enter the AWS Elastic IP address of the eth0 interface in the browser Address box.
2. Specify the username and password.
3. Click Log In, and select the Configuration Wizards tab from the left navigation panel. The J-Web Setup Wizard page opens.
4. Click Setup.

You can use the Setup wizard to configure a device or edit an existing configuration.
• Select Edit Existing Configuration if you have already configured the wizard using the factory mode.
• Select Create New Configuration to configure a device using the wizard. The following configuration options are available in the guided setup:
  • Basic: Select Basic to configure the device name and user account information as shown in Table 13 on page 44.
    • Device name and user account information

      Table 13: Device Name and User Account Information

      Field             Description
      Device name       Type the name of the device. For example: vSRX.
      Root password     Create a default root user password.
      Verify password   Verify the default root user password.
      Operator          Add an optional administrative account in addition to the root account. User role options include:
                        • Superuser: This user has full system administration rights and can add, modify, and delete settings and users.
                        • Operator: This user can perform system operations such as a system reset but cannot change the configuration or add or modify users.
                        • Read only: This user can only access the system and view the configuration.
                        • Disabled: This user cannot access the system.

    • System time: Select either Time Server or Manual. Table 14 on page 44 lists the system time options.
      Table 14: System Time Options

      Field                   Description
      Time Server
        Host Name             Type the hostname of the time server. For example: ntp.example.com.
        IP                    Type the IP address of the time server in the IP address entry field. For example: 192.168.1.254.
                              NOTE: You can enter either the hostname or the IP address.
      Manual
        Date                  Click the current date in the calendar.
        Time                  Set the hour, minute, and seconds. Choose AM or PM.
      Time Zone (mandatory)
        Time Zone             Select the time zone from the list. For example: GMT Greenwich Mean Time GMT.
  • Expert: Select Expert to configure the basic options as well as the following advanced options:
    • Four or more internal zones
    • Internal zone services
    • Application of security policies between internal zones

Click Need Help for detailed configuration information. You see a success message after the basic configuration is complete.
Applying the Configuration

To apply the configuration settings for vSRX:
1. Review and ensure that the configuration settings are correct, and click Next. The Commit Configuration page appears.
2. Click Apply Settings to apply the configuration changes to vSRX.
3. Check the connectivity to vSRX, because you might lose connectivity if you have changed the management zone IP. Click the URL for reconnection instructions on how to reconnect to the device.
4. Click Done to complete the setup.

After successful completion of the setup, you are redirected to the J-Web interface.

CAUTION: After you complete the initial setup, you can relaunch the J-Web Setup wizard by clicking Configuration>Setup. You can either edit an existing configuration or create a new configuration. If you create a new configuration, the current configuration in vSRX will be deleted.
Managing Security Policies for Virtual Machines Using Junos Space Security Director

Managing enterprise security policy has become extremely complex. The growth in network traffic, including mobile traffic and BYOD, and the emergence of cloud services, have combined into a new array of opportunities for malicious hackers. Security management can become error-prone and time-consuming if management solutions are slow, difficult to use, or restricted in their granularity of control. Resulting misconfigurations can make the enterprise vulnerable to threats and noncompliant with regulations and policies. As one of the Junos Space Management Applications, Junos Space Security Director helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. It automates security provisioning through one centralized Web-based interface to help administrators manage all phases of the security policy lifecycle more quickly and intuitively, from policy creation to remediation.

Related Documentation
• Security Director
Removing a vSRX Instance on AWS

To remove a vSRX instance on AWS:
1. Log in to the AWS Management Console and select Services > Compute > EC2 > Instances.
2. Select the vSRX instance and select Actions > Instance State > Terminate to remove the instance.
3. In the dialog box, expand the section and select Release associated Elastic IP.
4. Click Yes, Terminate.

NOTE: See AWS - Clean Up to remove any unused VPCs from AWS.

Related Documentation
• AWS - Clean Up
CHAPTER 4

vSRX in AWS Use Cases
• Example: Configuring NAT for vSRX on page 47
• Example: Configuring VPN on vSRX Between VPCs in AWS on page 48
Example: Configuring NAT for vSRX

This example shows how to configure vSRX to NAT all hosts behind the vSRX instance in the VPC to the IP address of the vSRX egress interface on the untrust zone. This configuration allows hosts behind vSRX in a cloud network to access the Internet.
• Before You Begin on page 47
• Overview on page 47
• Configuration on page 47
• Configuring NAT on page 47

Before You Begin

Ensure that you have installed and launched a vSRX instance in an AWS VPC.

Overview

A common cloud configuration includes hosts that you want to grant access to the Internet, but you do not want anyone from outside your cloud to get access to your hosts. You can use vSRX in an AWS VPC to NAT traffic inside the VPC from the public Internet.

Configuration

Configuring NAT

Step-by-Step Procedure
To configure NAT on the vSRX instance:
1. Log in to the vSRX console in configuration edit mode (see “Configuring vSRX Using the CLI” on page 41).
2. Set the IP addresses for vSRX revenue interfaces.
   set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
   set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24
3. Set up the untrust security zone.
   set security zones security-zone untrust host-inbound-traffic system-services https
   set security zones security-zone untrust host-inbound-traffic system-services ssh
   set security zones security-zone untrust interfaces ge-0/0/0.0
4. Set up the trust security zone.
   set security zones security-zone trust host-inbound-traffic system-services https
   set security zones security-zone trust host-inbound-traffic system-services ssh
   set security zones security-zone trust host-inbound-traffic system-services ping
   set security zones security-zone trust interfaces ge-0/0/1.0
5. Set up the security policies.
   set security policies from-zone trust to-zone untrust policy test match source-address any
   set security policies from-zone trust to-zone untrust policy test match destination-address any
   set security policies from-zone trust to-zone untrust policy test match application any
   set security policies from-zone trust to-zone untrust policy test then permit
6. Configure NAT.
   set security nat source rule-set SNAT_RuleSet from zone trust
   set security nat source rule-set SNAT_RuleSet to zone untrust
   set security nat source rule-set SNAT_RuleSet rule SNAT_Rule match source-address 0.0.0.0/0
   set security nat source rule-set SNAT_RuleSet rule SNAT_Rule then source-nat interface
   commit
Related Documentation
• vSRX Virtual Firewall-Based AWS Transit VPC

Example: Configuring VPN on vSRX Between VPCs in AWS

This example shows how to configure IPsec VPN between two instances of vSRX in AWS on different VPCs.
• Before You Begin on page 48
• Overview on page 49
• vSRX1 VPN Configuration on page 49
• Verification on page 51

Before You Begin

Ensure that you have installed and launched a vSRX instance in an AWS VPC.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.

Overview

You can use IPsec VPN to secure traffic between two VPCs in AWS using two vSRX instances.

vSRX1 VPN Configuration

Step-by-Step Procedure
To configure IPsec VPN on vSRX1: 1.
Log in to the vSRX1 console in configuration edit mode (See “Configuring vSRX Using the CLI” on page 41.
2.
Set the IP addresses for vSRX1 revenue interfaces. set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
3. Set up the untrust security zone.

  set security zones security-zone untrust screen untrust-screen
  set security zones security-zone untrust host-inbound-traffic system-services https
  set security zones security-zone untrust host-inbound-traffic system-services ssh
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set security zones security-zone untrust interfaces st0.1
4. Set up the trust security zone.

  set security zones security-zone trust host-inbound-traffic system-services https
  set security zones security-zone trust host-inbound-traffic system-services ssh
  set security zones security-zone trust host-inbound-traffic system-services ping
  set security zones security-zone trust interfaces ge-0/0/1.0
5. Configure IKE.

  set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
  set security ike proposal AWS_IKE_Proposal dh-group group2
  set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
  set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
  set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
  set security ike policy AWS-R mode aggressive
  set security ike policy AWS-R proposals AWS_IKE_Proposal
  set security ike policy AWS-R pre-shared-key ascii-text preshared-key
  set security ike gateway AWS-R ike-policy AWS-R
  set security ike gateway AWS-R address 198.51.100.10
  set security ike gateway AWS-R local-identity user-at-hostname "[email protected]"
  set security ike gateway AWS-R remote-identity user-at-hostname "[email protected]"
  set security ike gateway AWS-R external-interface ge-0/0/0
6. Configure IPsec.

  set security ipsec proposal AWS_IPSEC protocol esp
  set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
  set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
  set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
  set security ipsec vpn aws-aws bind-interface st0.1
  set security ipsec vpn aws-aws ike gateway AWS-R
  set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
  set security ipsec vpn aws-aws establish-tunnels immediately
7. Configure routing.

  set routing-instances aws instance-type virtual-router
  set routing-instances aws interface ge-0/0/0.0
  set routing-instances aws interface ge-0/0/1.0
  set routing-instances aws interface st0.1
  set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
  set routing-instances aws routing-options static route 10.20.20.0/24 next-hop st0.1
  commit
vSRX2 VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX2:

1. Log in to the vSRX2 console in configuration edit mode (see “Configuring vSRX Using the CLI” on page 41).
2. Set the IP addresses for the vSRX2 revenue interfaces.

  set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
  set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
  set interfaces st0 unit 1 family inet address 10.0.250.20/24
3. Set up the untrust security zone.

  set security zones security-zone untrust screen untrust-screen
  set security zones security-zone untrust host-inbound-traffic system-services https
  set security zones security-zone untrust host-inbound-traffic system-services ssh
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set security zones security-zone untrust interfaces st0.1
4. Set up the trust security zone.

  set security zones security-zone trust host-inbound-traffic system-services https
  set security zones security-zone trust host-inbound-traffic system-services ssh
  set security zones security-zone trust host-inbound-traffic system-services ping
  set security zones security-zone trust interfaces ge-0/0/1.0
5. Configure IKE.

  set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
  set security ike proposal AWS_IKE_Proposal dh-group group2
  set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
  set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
  set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
  set security ike policy AWS-R mode aggressive
  set security ike policy AWS-R proposals AWS_IKE_Proposal
  set security ike policy AWS-R pre-shared-key ascii-text preshared-key
  set security ike gateway AWS-R ike-policy AWS-R
  set security ike gateway AWS-R address 203.0.113.10
  set security ike gateway AWS-R local-identity user-at-hostname "[email protected]"
  set security ike gateway AWS-R remote-identity user-at-hostname "[email protected]"
  set security ike gateway AWS-R external-interface ge-0/0/0
6. Configure IPsec.

  set security ipsec proposal AWS_IPSEC protocol esp
  set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
  set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
  set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
  set security ipsec vpn aws-aws bind-interface st0.1
  set security ipsec vpn aws-aws ike gateway AWS-R
  set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
  set security ipsec vpn aws-aws establish-tunnels immediately
7. Configure routing.

  set routing-instances aws instance-type virtual-router
  set routing-instances aws interface ge-0/0/0.0
  set routing-instances aws interface ge-0/0/1.0
  set routing-instances aws interface st0.1
  set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
  set routing-instances aws routing-options static route 10.10.10.0/24 next-hop st0.1
  commit
Verification

Verify Active VPN Tunnels

Purpose

Verify that the tunnel is up on both vSRX instances in AWS.

Action

  root@> show security ipsec security-associations
  Total active tunnels: 1
    ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
    <131074 ESP:aes-cbc-256/sha1 de836105 1504/ unlim - root 4500 52.200.89.XXX
    >131074 ESP:aes-cbc-256/sha1 b349bc84 1504/ unlim - root 4500 52.200.89.XXX

Related Documentation
• vSRX Virtual Firewall-Based AWS Transit VPC
• VPN Feature Guide for Security
• Application Firewall Overview
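The verification step above is a manual read of the security-associations table. The following script is an added example, not part of the Juniper guide, that turns it into a check a monitoring job can run: it parses the output of show security ipsec security-associations and reports when a tunnel lacks either its inbound (<) or outbound (>) SA, when an SA terminates at a gateway other than the configured peer, or when the negotiated algorithms are not the aes-256-cbc/sha1 pair the example configures. The sample output is constructed in the shape of the guide's output; the SPIs are the guide's illustrative values and the gateway address is a placeholder.

```python
"""Health check for 'show security ipsec security-associations' output.
Added example, not from the guide; SA_OUTPUT is constructed (placeholder gateway)."""
import re

SA_OUTPUT = """\
Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1 de836105 1504/ unlim - root 4500 203.0.113.10
  >131074 ESP:aes-cbc-256/sha1 b349bc84 1504/ unlim - root 4500 203.0.113.10
"""

# direction, tunnel id, algorithm, SPI, life seconds, life kb, monitor, lsys, port, gateway
SA_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_sas(text):
    """One dict per SA row; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({"dir": "in" if m.group(1) == "<" else "out", "id": int(m.group(2)),
                        "alg": m.group(3), "spi": m.group(4), "life_sec": int(m.group(5)),
                        "port": int(m.group(9)), "gateway": m.group(10)})
    return sas


def tunnel_problems(text, expected_gateway, expected_alg="ESP:aes-cbc-256/sha1"):
    """Empty list means every tunnel has an inbound and an outbound SA to the expected
    peer using the expected algorithms; otherwise one message per problem."""
    sas = parse_sas(text)
    if not sas:
        return ["no active security associations"]
    problems, dirs = [], {}
    for sa in sas:
        dirs.setdefault(sa["id"], set()).add(sa["dir"])
        if sa["gateway"] != expected_gateway:
            problems.append(f"SA {sa['spi']} is to {sa['gateway']}, expected {expected_gateway}")
        if sa["alg"] != expected_alg:
            problems.append(f"SA {sa['spi']} negotiated {sa['alg']}, expected {expected_alg}")
    for tid, d in dirs.items():
        if d != {"in", "out"}:
            problems.append(f"tunnel {tid}: only {sorted(d)} SA present")
    return problems
```

Port 4500 in the output means IKE detected NAT between the peers and switched to NAT traversal (UDP 4500), which is expected in AWS because each instance sits behind a one-to-one NAT to its Elastic IP; the check therefore does not treat it as a problem.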
CHAPTER 5

vSRX Licensing

• vSRX Feature Licenses Overview on page 53
• Managing Licenses for vSRX on page 61
• vSRX License Model Numbers for AWS on page 67
vSRX Feature Licenses Overview

Some Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.
NOTE: If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses. For a vSRX on Microsoft Azure deployment, only the build-your-own-license (BYOL) model is supported.
• vSRX License Procurement and Renewal on page 53
• vSRX Evaluation License on page 54
• License Types on page 56
• Throughput on page 57
• License Duration on page 57
• Individual (á la carte) Feature Licenses on page 58
• Bundled Licenses on page 58
• Stacking Licenses on page 58
• vSRX License Keys Components on page 58
• License Management Fields Summary on page 59
vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to a customer ID. If you did not order the licenses when you purchased your software application, contact your account team or Juniper Networks Customer Care for assistance. Licenses can be procured from the Juniper Networks License Management System (LMS). For license renewal, use the show system license command to find the Juniper vSRX software serial number that you use to renew a license.

  vsrx> show system license
  License usage:
                                   Licenses     Licenses    Licenses    Expiry
    Feature name                       used    installed      needed
    Virtual Appliance                     1            1           0    58 days

  Licenses installed:
    License identifier: E420588955
    License version: 4
    Software Serial Number: 20150625
    Customer ID: vSRX-JuniperEval
    Features:
      Virtual Appliance - Virtual Appliance
        count-down, Original validity: 60 days

    License identifier: JUNOS657051
    License version: 4
    Software Serial Number: 9XXXXAXXXXXXX9
    Customer ID: MyCompany
    Features:
      Virtual Appliance - Virtual Appliance
        permanent
NOTE: Do not use the show chassis hardware command to get the serial number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.
NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command. We recommend deleting existing licenses before performing a software downgrade.
vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with a 60-day product evaluation license and a 30-day advanced security features license, both of which allow you to use vSRX and licensed features for a specified period without having to install a license key. Table 15 on page 55 lists vSRX evaluation license types.
Table 15: vSRX Evaluation License Type

License Package                                 Type                                    Period    License Model Number
Trial license (temporary for evaluation only)   Product evaluation–Basic                60 days   -
                                                Product evaluation–Advanced features    30 days   -
Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an evaluation license for using vSRX. This product-unlocking license is required to use the basic functions of the vSRX, such as networking, routing, and basic security features (such as stateful firewall).
NOTE: The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (http://forums.juniper.net/) and view the Support topics under the vSRX category.
Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.
Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure. You can download the trial license for advanced security features from the vSRX Free Trial License Page. The 30-day trial license period begins on the day you enable the enhanced security features after you install the 60-day product evaluation license for vSRX. To continue using vSRX features after the 30-day license period expires, you must purchase and install the license; otherwise, the features are disabled. If the license for advanced security features expires while the evaluation license (product unlocking license) is still valid, only the advanced security features that require a license are disabled.
NOTE: The UTM advanced features have a slightly different trial license strategy. UTM does not require a 30-day trial license but only a 30-day grace period. Once the 30-day advanced security features trial license expires, Juniper Networks supports a 30-day grace period for you to continue using UTM features. The 30-day grace period goes into effect after the 30-day trial license expires.
There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.
License Types

Juniper Networks provides a variety of licenses for both basic firewall features and advanced security features for different throughputs and durations. If you want to use vSRX to provide basic firewall features, you can use standard (basic) licenses. However, to use some of the more advanced security features, such as AppSecure, IDP, and UTM, you might need to purchase advanced features licenses. The high-level categories for licenses are:

• Throughput–All licenses have an associated throughput. Throughput rates include 1 Gbps, 2 Gbps, and 4 Gbps on most platforms.
• Features–Licenses are available for different combinations of feature sets, from standard (STD) through Content Security Bundle (CS-B).
• Individual or bundled–Licenses can be individual (á la carte) licenses for a set of features, or can be bundled together to provide a broad range of features in one easy license to maintain.
• Duration–All licenses have an associated time duration. You can purchase basic licenses as perpetual (never expire) or subscription based (1-year or 3-year duration). All vSRX licenses are subscription based.
• New or renewal–All subscription licenses are either new (first-time purchase) or renewals (extending the license duration when the initial new subscription license is about to expire).
Figure 4 on page 57 shows a sample license SKU and identifies how each field maps to these categories.
Figure 4: Sample vSRX License SKU (sample SKU VSRX-10M-ASECB-3-R, with callouts for Product, Throughput, Feature set, Bundled or individual, Duration, and New or renewal)

These categories of licenses can also be combined, or stacked, to provide more flexibility for your vSRX use cases.
Throughput

Bandwidth or throughput license types allow you to use a single instance of the software for up to the maximum throughput specified in the license entitlement. Throughput can be combined on a single instance of the software so that the maximum throughput for that instance is the aggregate of all the throughput licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput is identified in the license entitlement in megabits per second (Mbps), or gigabits per second (Gbps). For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features, you would purchase a 1G STD license and a 2G STD license and install both on the vSRX. If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster, you could not use the same 2 Gbps license on both vSRX instances. You would need to purchase one set of licenses for each vSRX instance in the cluster.
License Duration

All licenses can be perpetual or subscription based.

• Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support; you must purchase that separately. vSRX software releases such as vSRX for Azure or vSRX for AWS do not support perpetual licenses.
• Subscription license–A subscription license is an annual license that allows you to use the licensed software feature for the matching duration. Subscriptions might involve periodic downloads of content (such as for IDP threat signature files). Subscription licenses start when you retrieve the license key or 30 days after purchase if you have not retrieved the license key. At the end of the license period, you need to renew the license to continue using it.
NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.
Individual (á la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired throughput rate. Beyond that, you can select from a range of individual feature licenses that provide additional security feature sets. The feature license must match the standard license rate.
NOTE: AWS and Microsoft Azure do not support individual licenses.
For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the following individual licenses:

• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.
• VSRX-CS-1G-1—Provides the advanced features.
Bundled Licenses

Bundled licenses simplify the license management by combining one or more individual licenses into a single bundled license. Instead of installing and managing a standard throughput license and one or more individual advanced feature licenses, you can purchase one of the bundle license options and manage one license instead. For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes the STD throughput license. This means you only need to manage one license instead of two individual licenses.
Stacking Licenses

You can combine individual or bundled licenses to combine features or build up the overall supplied throughput for the vSRX instance. For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of throughput for the vSRX instance. You can also combine individual licenses, such as Sophos antivirus (SAV) and Websense Enhanced Web Filtering (EWF) to get both sets of security features.
NOTE: Individual licenses require a STD license with the same throughput rate.
vSRX License Keys Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.
• License data—Block of binary data that defines and stores all license key objects.
For example, in the following typical license key, the string E413XXXX57 is the license ID, and the trailing block of data is the license data:
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff
The license data conveys the customer ID and the software serial number (Juniper Networks support reference number) to the vSRX instance.
License Management Fields Summary

The Licenses window displays a summary of licensed features that are configured on the vSRX instance and a list of licenses that are installed on the vSRX instance. To view the license details, select Maintain>Licenses in the J-Web user interface. The Licenses window appears as shown in Figure 5 on page 59.
Figure 5: J-Web Licenses Window Showing Installed Licenses
You can also view the details of a license in the CLI using the show system license command. The following sample shows details of an evaluation license in the CLI:

  License usage:
                                   Licenses     Licenses    Licenses    Expiry
    Feature name                       used    installed      needed
    anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
    idp-sig                               0            1           0    2016-04-15 08:00:00 CST
    appid-sig                             0            1           0    2016-04-15 08:00:00 CST
    av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
    wf_key_websense_ewf                   0            1           0    2016-04-15 08:00:00 CST
    Virtual Appliance                     1            1           0    2016-04-25 08:00:00 CST

  Licenses installed:
    License identifier: E420588955
    License version: 4
    Software Serial Number: 20150625
    Customer ID: vSRX-JuniperEval
    Features:
      Virtual Appliance - Virtual Appliance
        count-down, Original validity: 60 days
The information on the license management page is summarized in Table 16 on page 60.
Table 16: Summary of License Management Fields

Feature Summary

  Feature
    Name of the licensed feature:
    • Features—Software feature licenses.
    • All features—All-inclusive licenses.

  Licenses Used
    Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.

  Licenses Installed
    Number of licenses installed on the vSRX instance for the particular feature.

  Licenses Needed
    Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: If a feature is configured and the license for that feature is not installed, a license is needed.

  Licenses expires on
    Date the license expires.

Installed Licenses

  ID
    Unique alphanumeric ID of the license.

  State
    Valid—The installed license key is valid.
    Invalid—The installed license key is not valid.

  Version
    Numeric version number of the license key.

  Group
    If the license defines a group license, this field displays the group definition.
    NOTE: Because group licenses are currently unsupported, this field is always blank.

  Enabled Features
    Name of the feature that is enabled with the particular license.

  Expiration
    Date the license expires.

  Software serial number
    The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.

  Customer ID
    ID that identifies the registered user.
Managing Licenses for vSRX

Before you begin, ensure that you have retrieved the license key from the Juniper License Management System (LMS). This section includes the following topics:

• vSRX Evaluation License Installation Process on page 61
• Adding a New License Key with J-Web on page 62
• Adding a New License Key from the CLI on page 63
• Updating vSRX Licenses on page 64
• Deleting a License with J-Web on page 65
• Deleting a License with the CLI on page 66
• License Warning Messages on page 66
vSRX Evaluation License Installation Process

Juniper Networks provides a 60-day evaluation license for vSRX standard features. When you download and install the vSRX image, you are entitled to use this evaluation license for 60 days as a trial. In addition to the 60-day vSRX evaluation license, there is a 30-day advanced security features trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure. You can download the 30-day advanced security feature trial license from the vSRX Free Trial License Page. There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.
Installation of the advanced security feature trial license is similar to the regular license installation performed from the CLI (see “Adding a New License Key from the CLI” on page 63). Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.
NOTE: The 30-day evaluation license period begins on the day you enable enhanced security features after installing evaluation licenses. To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install the license. Otherwise, the features are disabled.
For details about the 60- and 30-day license evaluation periods for the vSRX, see “vSRX Feature Licenses Overview” on page 53.
Adding a New License Key with J-Web

To install a license using the J-Web interface:

1. Select Maintain>Licenses on the J-Web user interface. The Licenses window is displayed as shown in Figure 6 on page 62.
Figure 6: J-Web Licenses Window
2. Under Installed Licenses, click Add. The Add License window is displayed as shown in Figure 7 on page 63.
Figure 7: Add License Window
3. Do one of the following, using a blank line to separate multiple license keys:

   • Enter the full URL to the destination file containing the license key in the License File URL box.
   • Paste the license key text, in plaintext format, in the License Key Text box.
4. Click OK to add the license key. The License Details window is displayed as shown in Figure 8 on page 63.
Figure 8: License Details Window
The license key is installed and activated on the vSRX instance.
Adding a New License Key from the CLI

You can add a license key from a local file, from a remote URL, or from the terminal. To install a license from the CLI:

1. Use the request system license add operational mode command to either add the license from a local file or remote URL that contains the license key, or to manually paste the license key in the terminal.

  user@vsrx> request system license add terminal
  [Type ^D at a new line to end input,
   enter blank line between each license key]
  E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

  E413XXXX57: successfully added
  add license complete (no errors)
NOTE: You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.
2. Optionally, use the show system license command to view details of the licenses.

  root@host> show system license
  License usage:
                                   Licenses     Licenses    Licenses    Expiry
    Feature name                       used    installed      needed
    wf_key_websense_ewf                   1            0           1    invalid

  Licenses installed: none
The license key is installed and activated on the vSRX instance.
Updating vSRX Licenses

You can update the vSRX licenses using either of the following two methods:

• Automatic license update using the CLI
• Manual license update using the CLI

As a prerequisite, you must install at least one valid license key on your vSRX instance for required features. License auto-update is performed based on the valid software serial number and customer ID embedded in the license key.

To enable automatic license updates from the CLI:

1. Contact your account team or Juniper Networks Customer Care to extend the validity period of existing license keys and obtain the URL for a valid update server.
2. Once you have successfully extended your license key and received the update server URL, configure the auto-update parameter:

  user@host# set system license autoupdate url https://ae1.juniper.net/
3. Configure renew options (if required). The following sample allows vSRX to contact the license server 30 days before the current license expires and sends an automatic update request every 6 hours.

  user@host# set system license renew before-expiration 30
  user@host# set system license renew interval 6
To manually update the licenses from the CLI:

1. Use the following command to update the license keys manually:

  user@host> request system license update
This command sends a license update request to the license server immediately.
NOTE: The request system license update command will always use the default Juniper license server: https://ae1.juniper.net
2. Check the status of the license by entering the show system license command.
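Whether the update is automatic or manual, the state to act on is the License usage table that show system license prints. The following script is an added example, not part of the Juniper guide: it parses that table and reports the three conditions this chapter describes, a configured feature with no license installed (Licenses needed above zero), an expired license, and a license inside the 30-day window in which vSRX starts showing expiry warnings (the same 30 days the renew before-expiration sample uses). The sample output is constructed in the shape of the guide's CLI output; the feature names are the guide's, the counts and dates are made up, and the 20-day count-down row stands in for an evaluation license.

```python
"""Flag missing, expired and soon-to-expire licenses from 'show system license'.
Added example, not from the guide. SAMPLE is constructed: feature names from the
guide, counts and dates made up."""
import re
from datetime import date, timedelta

SAMPLE = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               1            1           0    2016-04-15 08:00:00 CST
  appid-sig                             1            3           0    2016-07-29 08:00:00 CST
  av_key_sophos_engine                  1            1           0    2016-03-20 08:00:00 CST
  wf_key_websense_ewf                   1            0           1    invalid
  Virtual Appliance                     1            1           0    20 days

Licenses installed:
  License identifier: E420588955
  License version: 4
"""

# feature name, used, installed, needed, expiry ("YYYY-MM-DD hh:mm:ss TZ", "N days",
# "invalid" or "permanent"); header lines carry no digits and never match
ROW = re.compile(r"^\s*(\S.*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_license_usage(text):
    """Rows of the 'License usage:' table as dicts; stops at 'Licenses installed:'."""
    rows, in_usage = [], False
    for line in text.splitlines():
        if line.startswith("License usage:"):
            in_usage = True
            continue
        if line.startswith("Licenses installed:"):
            break
        m = ROW.match(line) if in_usage else None
        if m:
            rows.append({"feature": m.group(1), "used": int(m.group(2)),
                         "installed": int(m.group(3)), "needed": int(m.group(4)),
                         "expiry": m.group(5)})
    return rows


def expiry_date(expiry, today):
    """Expiry column as a date; None when there is no date to track (permanent/invalid)."""
    if expiry in ("permanent", "invalid"):
        return None
    m = re.fullmatch(r"(\d+) days?", expiry)
    if m:  # count-down licenses such as the evaluation license
        return today + timedelta(days=int(m.group(1)))
    return date.fromisoformat(expiry.split()[0])


def license_findings(text, today, warn_days=30):
    """(severity, message) pairs; warn_days mirrors the guide's 30-day expiry warning window."""
    findings = []
    for r in parse_license_usage(text):
        if r["needed"] > 0:
            findings.append(("ERROR", f"{r['feature']}: configured but {r['needed']} license(s) missing"))
        exp = expiry_date(r["expiry"], today)
        if exp is None:
            continue
        left = (exp - today).days
        if left < 0:
            findings.append(("ERROR", f"{r['feature']}: license expired on {exp}"))
        elif left <= warn_days:
            findings.append(("WARN", f"{r['feature']}: license expires in {left} days ({exp})"))
    return findings


def sample_findings():
    """Run the check on the constructed sample as of a fixed day (2016-04-01)."""
    return license_findings(SAMPLE, date(2016, 4, 1))
```

In practice the text comes from `show system license` over NETCONF or SSH and today's date from the monitoring host; an ERROR for a feature with licenses needed above zero is the CLI-visible counterpart of the "License is invalid" login message this chapter describes.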
Deleting a License with J-Web

To delete a license using the J-Web interface:

1. Select Maintain>Licenses.

2. Select the check box of the license or licenses you want to delete as shown in Figure 9 on page 65.
Figure 9: Deleting a License
3. Click Delete.
4. Click OK to confirm your deletion as shown in Figure 10 on page 66.
Figure 10: Delete Licenses Window
The license you deleted is removed.
Deleting a License with the CLI

To delete a license using the CLI:

1. From operational mode, for each license, enter the following command and specify the license ID. You can delete only one license at a time.

  user@host> request system license delete <license-id>
Or you can use the following command to delete all installed licenses. user@host> request system license delete all
2. Type yes when you are prompted to confirm the deletion. Delete license JUNOS606279 ? [yes,no] (no)
The license you deleted is removed.
License Warning Messages

You must purchase a new license or renew your existing subscription-based license to have a seamless transition from the old license to the new one. The following conditions occur when a license expires on vSRX:

• Evaluation license for the core expires—Packet forwarding on vSRX is disabled. However, you can manage vSRX through the fxp0 management interface, and the CLI configuration is preserved.
• Subscription-based licenses for advanced security features expire but subscription-based licenses for core services are active—A 30-day grace period begins, allowing the user to continue using advanced security features. After the grace period, advanced security features are disabled. Basic features are always available in the vSRX. After subscription-based licenses for core services expire, a warning message is displayed to notify the user, but basic features will remain preserved for the user.
• Subscription-based license for core features expires but subscription-based license for advanced security features is active—A warning message is displayed to notify the user. However, you can continue to use the basic features on the vSRX. Advanced security features are disabled when the subscription-based license for advanced security features expires, but basic features will remain preserved for the user.
NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.
To use features that require a license, you must install and configure a license. After the license expires, warning messages are displayed in the system log and on the J-Web dashboard. When a license expires, the System Alarms section of the J-Web dashboard displays a message stating that the license has expired as shown in Figure 11 on page 67.
Figure 11: J-Web Dashboard for License Expiry Warning
When a license expires, the following message appears when you log in:

  Virtual Appliance License is invalid
vSRX License Model Numbers for AWS

The licenses used by all Juniper Networks instances are based on SKUs, which represent lists of features. Each license includes a list of features that the license enables along with information about those features. For information about purchasing software licenses, contact your Juniper Networks sales representative at http://www.juniper.net/in/en/contact-us/. vSRX licenses are based on application packages and processing capacity. vSRX provides bandwidth in the following capacities (throughput per instance): 1 Gbps, 2 Gbps, and 4 Gbps. Each of these bandwidth tiers is offered with three different packages. Table 17 on page 68 describes the features available with the various license packages.
Table 17: vSRX Licensing Package Types

License Type: STD
Description: Includes the following features:
• Core security—firewall, ALG, screens, user firewall
• IPsec VPN (site-to-site VPN)
• NAT
• CoS
• Routing services—BGP, OSPF, DHCP, J-Flow, IPv4
• Foundation—Static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics
License Model Number: These Standard (STD) bandwidth SKUs are available for vSRX:
• VSRX-1G-STD-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-STD-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-STD-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-STD-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-STD-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-STD-3-AWS—4 Gbps throughput (3-year subscription)

License Type: ASCB
Description: Includes all STD features bundled with the following additional AppSecure features:
• AppID
• AppFW
• AppQoS
• AppTrack
License Model Number: These AppSecure Bundled (ASCB) bandwidth SKUs are available for vSRX:
• VSRX-1G-ASCB-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-ASCB-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-ASCB-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-ASCB-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-ASCB-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-ASCB-3-AWS—4 Gbps throughput (3-year subscription)

License Type: CS-B
Description: Includes all STD features bundled with ASCB features and the addition of UTM antivirus.
License Model Number: These Content Security bundled (CS-B) bandwidth SKUs are available for vSRX:
• VSRX-1G-CS-B-1-AWS—1 Gbps throughput (1-year subscription)
• VSRX-1G-CS-B-3-AWS—1 Gbps throughput (3-year subscription)
• VSRX-2G-CS-B-1-AWS—2 Gbps throughput (1-year subscription)
• VSRX-2G-CS-B-3-AWS—2 Gbps throughput (3-year subscription)
• VSRX-4G-CS-B-1-AWS—4 Gbps throughput (1-year subscription)
• VSRX-4G-CS-B-3-AWS—4 Gbps throughput (3-year subscription)
NOTE: License stacking is allowed. So, for example, to license 3 Gbps of throughput for the standard (STD) feature set for 1 year, use a VSRX-1G-STD-1-AWS license together with a VSRX-2G-STD-1-AWS license.
CHAPTER 6
Troubleshooting
• Finding the Software Serial Number for vSRX on page 71
Finding the Software Serial Number for vSRX
You need the software serial number to open a support case or to renew a vSRX license.
1. Use the show system license command to find the vSRX software serial number.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
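As an added example that is not part of this guide, the following Python parser turns the show system license output above into structured data: the License usage rows (with the Expiry column converted to a day count) and the Licenses installed blocks (identifier, serial number, customer, validity), then flags features that are short of licenses or counting down inside a renewal window and returns the serial numbers of the count-down licenses to quote when renewing. The sample text is the output shown above embedded as a constant; the function names, the 30-day default (chosen to match the grace period described in the licensing chapter), and the assumption that the table columns keep the spacing shown are all this example's own.

```python
import re
# Constructed sample: the "show system license" output from the step above, minus the CLI prompt.
SAMPLE = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
"""
USAGE_RE = re.compile(r"^  (\S.*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")  # one "License usage" row
FIELD_RE = re.compile(r"^  (License identifier|Software Serial Number|Customer ID): (.+)$")

def parse(text):
    """Return ({feature: (used, installed, needed, days_left)}, [license dicts]); days_left is None unless counting down."""
    usage, licenses, cur = {}, [], None
    for line in text.splitlines():
        u, f = USAGE_RE.match(line), FIELD_RE.match(line)
        if u:
            days = re.match(r"(\d+) day", u.group(5))
            usage[u.group(1)] = tuple(map(int, u.group(2, 3, 4))) + (int(days.group(1)) if days else None,)
        elif f and f.group(1) == "License identifier":   # starts a new license block
            cur = {"identifier": f.group(2)}
            licenses.append(cur)
        elif f:
            cur[f.group(1)] = f.group(2)
        elif cur and line.startswith("      "):          # validity line under "Features:"
            cur["validity"] = line.strip()
    return usage, licenses

def expiring(text, warn_days=30):
    """Features short of licenses or counting down within warn_days, plus the serials to quote when renewing."""
    usage, licenses = parse(text)
    alerts = [f for f, (_, _, needed, days) in usage.items() if needed or (days is not None and days <= warn_days)]
    return alerts, [l["Software Serial Number"] for l in licenses if "count-down" in l.get("validity", "")]
```

Feed it the captured output of the command (for example, collected over NETCONF or SSH by a monitoring job) and alert on a non-empty first element of the returned pair.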