
vSRX Deployment Guide for Microsoft Hyper-V

Modified: 2018-04-13

Copyright © 2018, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

vSRX Deployment Guide for Microsoft Hyper-V
Copyright © 2018 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Understanding vSRX with Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

vSRX Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

vSRX Benefits and Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

vSRX in Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Requirements for vSRX on Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Best Practices for Improving vSRX Performance . . . . . . . . . . . . . . . . . . . . . . . 19

NUMA Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Interface Mapping for vSRX on Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . 20

vSRX Default Settings on Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Junos OS Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

SRX Series Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 2 Installing vSRX in Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Preparing for vSRX Deployment in Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . 31

Deploying vSRX in a Hyper-V Host Using the Hyper-V Manager . . . . . . . . . . . . . . 32

Deploying vSRX in a Hyper-V Host Using Windows PowerShell . . . . . . . . . . . . . . 43

Chapter 3 vSRX VM Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Adding vSRX Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Adding Virtual Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Configuring the vSRX to Use a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Powering Down a vSRX VM with Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

vSRX Configuration and Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Understanding the Junos OS CLI and Junos Scripts . . . . . . . . . . . . . . . . . . . . 59

Understanding the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59


Understanding Junos Space Security Director . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring vSRX Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring vSRX Using the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Accessing the J-Web Interface and Configuring vSRX . . . . . . . . . . . . . . . . . . 62

Applying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Adding vSRX Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Managing Security Policies for Virtual Machines Using Junos Space Security Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Chapter 5 Configuring vSRX Chassis Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Configuring a vSRX Chassis Cluster in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chassis Cluster Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Enabling Chassis Cluster Formation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Chassis Cluster Quick Setup with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Manually Configuring a Chassis Cluster with J-Web . . . . . . . . . . . . . . . . . . . . 69

vSRX Cluster Staging and Provisioning in Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . 75

Deploying the VMs and Additional Network Adapters in Hyper-V . . . . . . . . . 75

Creating the Control Link Connection in Hyper-V . . . . . . . . . . . . . . . . . . . . . . 76

Creating the Fabric Link Connection in Hyper-V . . . . . . . . . . . . . . . . . . . . . . . 79

Creating the Data Interfaces Using Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Prestaging the Configuration from the Console . . . . . . . . . . . . . . . . . . . . . . . . 81

Connecting and Installing the Staging Configuration . . . . . . . . . . . . . . . . . . . 82

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

vSRX Feature Licenses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

vSRX License Procurement and Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

vSRX Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Product Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Advanced Security Features Evaluation License . . . . . . . . . . . . . . . . . . . 87

License Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Throughput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

License Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Individual (à la carte) Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Bundled Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Stacking Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

vSRX License Keys Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

License Management Fields Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Managing Licenses for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

vSRX Evaluation License Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . 93

Adding a New License Key with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Adding a New License Key from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Updating vSRX Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Deleting a License with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Deleting a License with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

License Warning Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

vSRX License Model Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Chapter 7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Finding the Software Serial Number for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111


List of Figures

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Figure 1: vSRX Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Figure 2: vSRX Deployment in Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 2 Installing vSRX in Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Figure 3: Example of vSRX Deployment in Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . 32

Figure 4: Specify Name and Location Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Figure 5: Specify Generation Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 6: Assign Memory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 7: Configure Networking Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 8: Connect Virtual Hard Disk Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 9: Summary Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 10: Processor Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 11: Network Adapter Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 12: Network Adapter Advanced Features Pane . . . . . . . . . . . . . . . . . . . . . . 42

Chapter 3 vSRX VM Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Figure 13: Create Virtual Switch Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Figure 14: Virtual Switch Properties Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Figure 15: Adding Virtual Switch to Network Adapter Example . . . . . . . . . . . . . . . 53

Figure 16: Network Adapter Enable MAC Address Spoofing Example . . . . . . . . . . 54

Figure 17: Enable VLAN Identification Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 5 Configuring vSRX Chassis Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 18: Create Virtual Switch Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Figure 19: Virtual Switch Properties Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Figure 20: Adding Virtual Switch to Network Adapter Pane Example . . . . . . . . . . 79

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Figure 21: Sample vSRX License SKU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Figure 22: J-Web Licenses Window Showing Installed Licenses . . . . . . . . . . . . . . . 91

Figure 23: J-Web Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Figure 24: Add License Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Figure 25: License Details Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Figure 26: Deleting a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Figure 27: Delete Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Figure 28: J-Web Dashboard for License Expiry Warning . . . . . . . . . . . . . . . . . . . . 99


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 3: Specifications for vSRX for Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . 18

Table 4: Hardware Specifications for the Host Machine . . . . . . . . . . . . . . . . . . . . . 19

Table 5: Interface Names for a Standalone vSRX VM . . . . . . . . . . . . . . . . . . . . . . 20

Table 6: Interface Names for a vSRX Cluster Pair . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Table 7: Factory Default Settings for Security Policies . . . . . . . . . . . . . . . . . . . . . . 22

Table 8: vSRX Feature Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Table 9: SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . 24

Chapter 2 Installing vSRX in Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 10: New-VM Command Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 11: Instance Name and User Account Information . . . . . . . . . . . . . . . . . . . . 63

Table 12: System Time Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Chapter 5 Configuring vSRX Chassis Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Table 13: Chassis Cluster Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Table 14: Edit Node Setting Configuration Details . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Table 15: Add HA Cluster Interface Configuration Details . . . . . . . . . . . . . . . . . . . . 73

Table 16: Add Redundancy Groups Configuration Details . . . . . . . . . . . . . . . . . . . 74

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Table 17: vSRX Evaluation License Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Table 18: Summary of License Management Fields . . . . . . . . . . . . . . . . . . . . . . . . 92

Table 19: vSRX Licensing Package Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Table 20: Secure Cloud Connect (SCC) vSRX Bandwidth Licenses . . . . . . . . . . . 102

Table 21: Standard (STD) vSRX Bandwidth Licenses . . . . . . . . . . . . . . . . . . . . . . 103

Table 22: vSRX AppSecure and IPS Bundled (ASCB and ASECB) Bandwidth Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Table 23: Individual vSRX AppSecure and IPS Subscription Licenses . . . . . . . . . 105

Table 24: vSRX Content Security Bundled (CS-B) Bandwidth Licenses . . . . . . . 106

Table 25: vSRX Individual Content Security (CS) Subscription Licenses . . . . . . . 107

Table 26: vSRX Individual Sophos Antivirus (S-AV) Bandwidth Licenses . . . . . . 108

Table 27: vSRX Individual Enhanced Web Filtering (W-EWF) Bandwidth Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109


About the Documentation

• Documentation and Release Notes on page ix

• Supported Platforms on page ix

• Documentation Conventions on page ix

• Documentation Feedback on page xi

• Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• vSRX

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.


Table 1: Notice Icons

Icon meaning: Description

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (braces and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at https://www.juniper.net/documentation/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/documentation/feedback/.


• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).


For international or direct-dial options in countries without toll-free numbers, see https://www.juniper.net/support/requesting-support.html.


CHAPTER 1

Overview

• Understanding vSRX with Microsoft Hyper-V on page 15

• Requirements for vSRX on Microsoft Hyper-V on page 18

• Junos OS Features Supported on vSRX on page 22

Understanding vSRX with Microsoft Hyper-V

This section presents an overview of vSRX as deployed in Microsoft Hyper-V.

• vSRX Overview on page 15

• vSRX Benefits and Use Cases on page 16

• vSRX in Microsoft Hyper-V on page 17

vSRX Overview

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.

Figure 1 on page 16 shows the high-level architecture for vSRX.


Figure 1: vSRX Architecture

[Figure: a vSRX VM on a physical x86 host under one of the supported hypervisors or cloud environments (Microsoft Hyper-V, VMware, KVM (Kernel-based Virtual Machines), AWS (Amazon Web Services), Microsoft Azure Cloud deployment, Contrail Cloud deployment). Inside the VM, the Juniper Linux guest OS runs the Junos control plane (JCP / vRE), consisting of the routing protocol daemon (RPD), the management daemon (MGD) and the Junos kernel on QEMU/KVM, next to the data plane components: advanced services, flow processing, packet forwarding (JEXEC) and DPDK (Data Plane Development Kit), together with the VM's storage and memory.]

vSRX includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE.

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

• Stateful firewall protection at the tenant edge

• Faster deployment of virtual firewalls into new sites

• Ability to run on top of various hypervisors and public cloud infrastructures

• Full routing, VPN, core security, and networking capabilities

• Application security features (including IPS and App-Secure)

• Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)

• High Availability (HA) support for chassis clustering


• Centralized management with Junos Space Security Director and local management with J-Web Interface

• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration

vSRX in Microsoft Hyper-V

Microsoft Hyper-V is a hypervisor-based virtualization technology. It provides software infrastructure and basic management tools that you can use to create and manage a virtualized server computing environment. This virtualized environment can be used to address a variety of business goals aimed at improving efficiency and reducing costs. Hyper-V works on x86- and x64-based systems running Windows.

You deploy a vSRX virtual security appliance on a Microsoft Hyper-V server to provide networking security features for the virtualized server computing environment. Hyper-V implements isolation of virtual machines in terms of a partition. The vSRX virtual machine runs in Microsoft Hyper-V as a child partition.

Note the following for deploying vSRX on a Microsoft Hyper-V server:

• Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.

• Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Figure 2 on page 17 illustrates the deployment of a vSRX in a Hyper-V environment to provide security for applications running on one or more virtual machines.

Figure 2: vSRX Deployment in Hyper-V


Release History Table

Release: 15.1X49-D80
Description: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.

Release: 15.1X49-D100
Description: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Related Documentation

• Hyper-V on Windows Server 2016

• Microsoft Hyper-V Overview

• Microsoft Hyper-V

Requirements for vSRX on Microsoft Hyper-V

This section presents an overview of requirements for deploying a vSRX instance on Microsoft Hyper-V.

• Software Requirements on page 18

• Hardware Requirements on page 19

• Best Practices for Improving vSRX Performance on page 19

• Interface Mapping for vSRX on Microsoft Hyper-V on page 20

• vSRX Default Settings on Microsoft Hyper-V on page 21

Software Requirements

Table 3 on page 18 lists the software requirements for the vSRX instance on Microsoft Hyper-V.

NOTE: Only the vSRX small flavor is supported on Microsoft Hyper-V.

Table 3: Specifications for vSRX for Microsoft Hyper-V

Component: Hypervisor support
Specification:
• Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.
• Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Component: Memory
Specification: 4 GB

Component: Disk space
Specification: 16 GB (IDE or SCSI drives)

Component: vCPUs
Specification: 2

Component: Virtual network adapters
Specification: 8 Hyper-V specific network adapters

Hardware Requirements

Table 4 on page 19 lists the hardware specifications for the host machine that runs the vSRX VM.

Table 4: Hardware Specifications for the Host Machine

Component | Specification
--------- | -------------
Host memory size | Minimum 4 GB
Host processor type | x86 or x64-based multicore processor. NOTE: DPDK requires Intel Virtualization VT-x/VT-d support in the CPU. See About Intel Virtualization Technology.
Ethernet adapter | Gigabit (10/100/1000baseT). Emulates the multiport DEC 21140 10/100TX 100 MB Ethernet network adapter with one to four network connections.

Best Practices for Improving vSRX Performance

Review the following practices to improve vSRX performance.

NUMA Nodes

The x86 server architecture consists of multiple sockets and multiple cores within a socket. Each socket also has memory that is used to store packets during I/O transfers from the NIC to the host. To efficiently read packets from memory, guest applications and associated peripherals (such as the NIC) should reside within a single socket. A penalty is associated with spanning CPU sockets for memory accesses, which might result in nondeterministic performance. For vSRX, we recommend that all vCPUs for the vSRX VM are in the same physical non-uniform memory access (NUMA) node for optimal performance.

CAUTION: The Packet Forwarding Engine (PFE) on the vSRX will become unresponsive if the NUMA nodes topology is configured in the hypervisor to spread the instance's vCPUs across multiple host NUMA nodes. vSRX requires that you ensure that all vCPUs reside on the same NUMA node.

We recommend that you bind the vSRX instance with a specific NUMA node by setting NUMA node affinity. NUMA node affinity constrains the vSRX VM resource scheduling to only the specified NUMA node.
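A pre-flight check of the Hyper-V host against the requirements in Tables 3 and 4 and the NUMA caution above, written as an added example (not code from the Juniper guide). It uses the Hyper-V module cmdlets Get-VMHost and Get-VMHostNumaNode; the assumption that Get-VMHostNumaNode reports MemoryAvailable in MB and one ProcessorsAvailability entry per logical processor, and the drive letter that will hold the VHD, are labelled in the code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Juniper guide): check a Hyper-V host against the vSRX
# small-flavor requirements (2 vCPUs, 4 GB memory, 16 GB disk) and the NUMA caution.
# Run in an elevated PowerShell session on the Hyper-V host.
function Test-VsrxHostReadiness {
    [CmdletBinding()]
    param(
        [int]$VCpus = 2,             # Table 3: vCPUs
        [long]$MemoryBytes = 4GB,    # Table 3: memory
        [long]$DiskBytes = 16GB,     # Table 3: disk space for the VHD
        [string]$VhdDrive = 'C'      # assumed: drive that will hold the vSRX VHD
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $vmHost = Get-VMHost

    # Table 4: host memory and processors. We only flag hosts that cannot even cover
    # the VM's own allocation; the host needs headroom for itself on top of this.
    if ($vmHost.MemoryCapacity -lt $MemoryBytes) {
        $findings.Add(("host has {0:N1} GB RAM, vSRX needs {1} GB" -f
            ($vmHost.MemoryCapacity / 1GB), ($MemoryBytes / 1GB)))
    }
    if ($vmHost.LogicalProcessorCount -lt $VCpus) {
        $findings.Add("host exposes $($vmHost.LogicalProcessorCount) logical processors, vSRX needs $VCpus")
    }

    # Table 3: 16 GB for the VHD. Get-PSDrive needs no Storage module.
    $free = (Get-PSDrive -Name $VhdDrive -PSProvider FileSystem).Free
    if ($free -lt $DiskBytes) {
        $findings.Add(("{0}: has {1:N1} GB free, the vSRX VHD needs {2} GB" -f
            $VhdDrive, ($free / 1GB), ($DiskBytes / 1GB)))
    }

    # NUMA caution: the PFE hangs if the vCPUs are spread across host NUMA nodes.
    # Hyper-V has no per-VM node pin; the host-wide control is NUMA spanning. With
    # spanning disabled, Hyper-V only starts a VM whose vCPUs and memory fit inside
    # one node, which is the constraint the guide asks for. Flag spanning on a
    # multi-node host and confirm that at least one node can hold the VM.
    # Assumption: MemoryAvailable is in MB; ProcessorsAvailability has one entry per
    # logical processor in the node.
    $nodes = @(Get-VMHostNumaNode)
    if ($nodes.Count -gt 1) {
        if ($vmHost.NumaSpanningEnabled) {
            $findings.Add("NUMA spanning is enabled on a $($nodes.Count)-node host; run " +
                "'Set-VMHost -NumaSpanningEnabled `$false' and restart the vmms service " +
                "so the vSRX cannot straddle nodes")
        }
        $fits = $nodes | Where-Object {
            @($_.ProcessorsAvailability).Count -ge $VCpus -and
            ($_.MemoryAvailable * 1MB) -ge $MemoryBytes
        }
        if (-not $fits) {
            $findings.Add("no single NUMA node currently has $VCpus free logical processors and $($MemoryBytes / 1GB) GB free")
        }
    }

    # One object per run, so the verdict can be piped, logged or asserted on.
    [pscustomobject]@{
        Ready        = ($findings.Count -eq 0)
        NumaNodes    = $nodes.Count
        NumaSpanning = [bool]$vmHost.NumaSpanningEnabled
        Findings     = $findings.ToArray()
    }
}

# Usage: print the verdict and one line per finding.
Test-VsrxHostReadiness | Format-List
```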


Interface Mapping for vSRX on Microsoft Hyper-V

Each network adapter defined for a vSRX is mapped to a specific interface, depending on whether the vSRX instance is a standalone VM or one of a cluster pair for high availability.

NOTE: Starting in Junos OS Release 15.1X49-D100 for vSRX, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016.

Note the following:

• In standalone mode:

• fxp0 is the out-of-band management interface.

• ge-0/0/0 is the first traffic (revenue) interface.

• In cluster mode:

• fxp0 is the out-of-band management interface.

• em0 is the cluster control link for both nodes.

• Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0 for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.

Table 5 on page 20 shows the interface names and mappings for a standalone vSRX VM.

Table 5: Interface Names for a Standalone vSRX VM

Network Adapter | Interface Name in Junos OS
--------------- | --------------------------
1 | fxp0
2 | ge-0/0/0
3 | ge-0/0/1
4 | ge-0/0/2
5 | ge-0/0/3
6 | ge-0/0/4
7 | ge-0/0/5
8 | ge-0/0/6


Table 6 on page 21 shows the interface names and mappings for a pair of vSRX VMs in a cluster (node 0 and node 1).

Table 6: Interface Names for a vSRX Cluster Pair

Network Adapter | Interface Name in Junos OS
--------------- | --------------------------
1 | fxp0 (node 0 and 1)
2 | em0 (node 0 and 1)
3 | ge-0/0/0 (node 0), ge-7/0/0 (node 1)
4 | ge-0/0/1 (node 0), ge-7/0/1 (node 1)
5 | ge-0/0/2 (node 0), ge-7/0/2 (node 1)
6 | ge-0/0/3 (node 0), ge-7/0/3 (node 1)
7 | ge-0/0/4 (node 0), ge-7/0/4 (node 1)
8 | ge-0/0/5 (node 0), ge-7/0/5 (node 1)

Release History Table

Release | Description
------- | -----------
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 for vSRX, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016.

Related Documentation

• KB Article - Interface must be in the same routing instance as the other interfaces in the zone

vSRX Default Settings on Microsoft Hyper-V

vSRX requires the following basic configuration settings:

• Interfaces must be assigned IP addresses.

• Interfaces must be bound to zones.

• Policies must be configured between zones to permit or deny traffic.

Table 7 on page 22 lists the factory-default settings for security policies on the vSRX.


Table 7: Factory Default Settings for Security Policies

Source Zone | Destination Zone | Policy Action
----------- | ---------------- | -------------
trust | untrust | permit
trust | trust | permit
untrust | trust | deny

Release History Table

Release | Description
------- | -----------
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 for vSRX, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016.

Related Documentation

• About Intel Virtualization Technology

• DPDK Release Notes

Junos OS Features Supported on vSRX

This section presents an overview of the Junos OS features on vSRX. It includes:

• SRX Series Features Supported on vSRX on page 22

• SRX Series Features Not Supported on vSRX on page 23

SRX Series Features Supported on vSRX

vSRX inherits most of the branch SRX Series features with the following considerations shown in Table 8 on page 23.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer here:

Feature Explorer: vSRX


Table 8: vSRX Feature Considerations

Feature: Chassis cluster
Description: Generally, on SRX Series instances, the cluster ID and node ID are written into EEPROM. For the vSRX VM, the IDs are saved in boot/loader.conf and read during initialization.

Feature: IDP
Description: The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key.
For SRX Series IDP configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series
In J-Web, use the following steps to add or edit an IPS rule:
1. Click Security > IDP > Policy > Add.
2. In the Add IPS Rule window, select All instead of Any for the Direction field to list all the FTP attacks.

Feature: ISSU
Description: ISSU is not supported on vSRX.

Feature: Transparent mode
Description: The known behaviors for transparent mode support on vSRX are:
• The default MAC learning table size is restricted to 16,383 entries.
• VMware vSwitch does not support MAC learning. It also floods traffic to the secondary node. The traffic is silently dropped by the flow on the secondary node.
For information on configuring transparent mode vSRX, see: Layer 2 Bridging and Transparent Mode Overview

Feature: UTM
Description: The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key.
For SRX Series UTM configuration details, see: Unified Threat Management Overview
For SRX Series UTM antispam configuration details, see: Antispam Filtering Overview

SRX Series Features Not Supported on vSRX

vSRX inherits many features from the SRX Series device product line. Table 9 on page 24 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX.


Table 9: SRX Series Features Not Supported on vSRX

SRX Series Feature | vSRX Notes
------------------ | ----------

Application Layer Gateways
Avaya H.323 | Not supported

Authentication with IC Series Devices
Layer 2 enforcement in UAC deployments | Not supported. NOTE: UAC-IDP and UAC-UTM also are not supported.

Chassis Cluster Support
NOTE: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in VMware, KVM, and Windows Hyper-V Server 2016.
Chassis cluster for VirtIO driver | Only supported with KVM. NOTE: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces.
Dual control links | Not supported
In-band and low-impact cluster upgrades | Not supported
LAG and LACP (Layer 2 and Layer 3) | Not supported
Layer 2 Ethernet switching | Not supported
Low-latency firewall | Not supported
PPPoE over redundant Ethernet interface | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over a redundant Ethernet interface (PPPoE).
SR-IOV interfaces | Not supported (see the Known Behavior section of the vSRX Release Notes for more information about SR-IOV limitations).

Class of Service
High-priority queue on SPC | Not supported
Tunnels | Only GRE and IP-IP tunnels supported. NOTE: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and Multicast.

Data Plane Security Log Messages (Stream Mode)
TLS protocol | Not supported

Diagnostics Tools
Flow monitoring cflowd version 9 | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D80, the vSRX supports J-Flow version 9 flow monitoring on a chassis cluster.
Ping Ethernet (CFM) | Not supported
Traceroute Ethernet (CFM) | Not supported

DNS Proxy
Dynamic DNS | Not supported

Ethernet Link Aggregation
LACP in standalone or chassis cluster mode | Not supported
Layer 3 LAG on routed ports | Not supported
Static LAG in standalone or chassis cluster mode | Not supported

Ethernet Link Fault Management
Physical interface (encapsulations):
ethernet-ccc, ethernet-tcc | Not supported
extended-vlan-ccc, extended-vlan-tcc | Not supported
Interface family:
ccc, tcc | Not supported
ethernet-switching | Not supported

Flow-Based and Packet-Based Processing
End-to-end packet debugging | Not supported
Network processor bundling | Not supported
Services offloading | Not supported

Interfaces
Aggregated Ethernet interface | Not supported
IEEE 802.1X dynamic VLAN assignment | Not supported
IEEE 802.1X MAC bypass | Not supported
IEEE 802.1X port-based authentication control with multisupplicant support | Not supported
Interleaving using MLFR | Not supported
PoE | Not supported
PPP interface | Not supported
PPPoE-based radio-to-router protocol | Not supported
PPPoE interface | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.
Promiscuous mode on interfaces | Only supported if enabled on the hypervisor

IP Security and VPNs
Acadia - Clientless VPN | Not supported
DVPN | Not supported
Hardware IPsec (bulk crypto) Cavium/RMI | Not supported
IPsec tunnel termination in routing instances | Supported on virtual router only
Multicast for AutoVPN | Not supported

IPv6 Support
DS-Lite concentrator (aka AFTR) | Not supported
DS-Lite initiator (aka B4) | Not supported

J-Web
Enhanced routing configuration | Not supported
New Setup Wizard (for new configurations) | Not supported
PPPoE Wizard | Not supported
Remote VPN Wizard | Not supported
Rescue link on dashboard | Not supported
UTM configuration for Kaspersky antivirus and the default Web filtering profile | Not supported

Log File Formats for System (Control Plane) Logs
Binary format (binary) | Not supported
WELF | Not supported

Miscellaneous
GPRS | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the vSRX supports GPRS.
Hardware acceleration | Not supported
Logical systems | Not supported
Outbound SSH | Not supported
Remote instance access | Not supported
USB modem | Not supported
Wireless LAN | Not supported

MPLS
CCC and TCC | Not supported
Layer 2 VPNs for Ethernet connections | Only if promiscuous mode is enabled on the hypervisor

Network Address Translation
Maximize persistent NAT bindings | Not supported

Packet Capture
Packet capture | Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth).

Routing
BGP extensions for IPv6 | Not supported
BGP Flowspec | Not supported
BGP route reflector | Not supported
Bidirectional Forwarding Detection (BFD) for BGP | Not supported
CRTP | Not supported

Switching
Layer 3 Q-in-Q VLAN tagging | Not supported

Transparent Mode
UTM | Not supported

Unified Threat Management
Express AV | Not supported
Kaspersky AV | Not supported

Upgrading and Rebooting
Autorecovery | Not supported
Boot instance configuration | Not supported
Boot instance recovery | Not supported
Dual-root partitioning | Not supported
OS rollback | Not supported

User Interfaces
NSM | Not supported
SRC application | Not supported
Junos Space Virtual Director | Only supported with VMware


CHAPTER 2

Installing vSRX in Microsoft Hyper-V

• Preparing for vSRX Deployment in Microsoft Hyper-V on page 31

• Deploying vSRX in a Hyper-V Host Using the Hyper-V Manager on page 32

• Deploying vSRX in a Hyper-V Host Using Windows PowerShell on page 43

Preparing for vSRX Deployment in Microsoft Hyper-V

Note the following guidelines when deploying vSRX on a Microsoft Hyper-V server:

• Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.

• Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

• Ensure that the host CPU supports a 64-bit x86 Intel processor and is running Windows.

• Ensure that you have a user account with administrator permissions to enable the computer to deploy a vSRX virtual machine (VM) using either Microsoft Hyper-V Manager or Windows PowerShell.

• Create the virtual switches on the Hyper-V host computer necessary to support the fxp0 (out-of-band management) interface and the traffic (revenue) interface supported by the vSRX VM. You create virtual switches using either the Microsoft Hyper-V Manager or Windows PowerShell. See “Adding vSRX Interfaces” on page 47 for details on adding virtual switches for the vSRX VM using the Virtual Switch Manager.

Figure 2 on page 17 illustrates the deployment of a vSRX in a Hyper-V environment to provide security for applications running on one or more virtual machines.


Figure 3: Example of vSRX Deployment in Hyper-V

Release History Table

Release | Description
------- | -----------
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Related Documentation

• Install Hyper-V and Create a Virtual Machine

• Create a Virtual Machine in Hyper-V

• Create a Virtual Switch for Hyper-V Virtual Machines

• Hyper-V Virtual Switch

Deploying vSRX in a Hyper-V Host Using the Hyper-V Manager

Use this procedure to deploy and configure the vSRX as a virtual security appliance in the Hyper-V environment using Hyper-V Manager.

Note the following for deploying vSRX on a Microsoft Hyper-V server:

• Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.

• Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

NOTE: To upgrade an existing vSRX instance, see Migration, Upgrade, and Downgrade in the vSRX Release Notes.


To deploy vSRX using Hyper-V Manager:

1. Download the vSRX software image for Microsoft Hyper-V from the Juniper Networks website. The vSRX disk image supported by Microsoft Hyper-V is a virtual hard disk (VHD) format file.

CAUTION: Do not change the file name of the downloaded software image or the installation will fail.

2. Log onto your Hyper-V host computer using the Administrator account.

3. Open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager. The welcome page for Hyper-V appears the first time that you open Hyper-V Manager.

4. Create a virtual machine by selecting Action > New > Virtual Machine. The Before You Begin screen appears for the New Virtual Machine Wizard. Click Next to move through each page of the wizard, or you can click the name of a page in the left pane to move directly to that page.

5. From the Specify Name and Location page (see Figure 4 on page 34), enter a name and location for the vSRX VM that you are creating and then click Next. We recommend that you keep this name the same as the hostname you intend to assign to the vSRX VM.


Figure 4: Specify Name and Location Page

6. From the Specify Generation page (see Figure 5 on page 35), keep the default setting of Generation 1 as the generation of the vSRX VM and then click Next.


Figure 5: Specify Generation Page

7. From the Assign Memory page (see Figure 6 on page 36), enter 4096 MB as the amount of startup memory to assign to the vSRX VM. Leave Use Dynamic Memory for this virtual machine clear. Click Next.


Figure 6: Assign Memory Page

8. From the Configure Networking page (see Figure 7 on page 37), select a virtual switch from a list of existing virtual switches on the Hyper-V host computer to connect to the vSRX management interface. The default is Not connected. Click Next.

NOTE: See “Adding vSRX Interfaces” on page 47 for the procedure on adding virtual switches for the vSRX VM using the Virtual Switch Manager.


Figure 7: Configure Networking Page

9. From the Connect Virtual Hard Disk page (see Figure 8 on page 38), click Use an existing virtual hard disk and browse to the location of the vSRX virtual hard disk (VHD) file (downloaded in Step 1). Click Next.


Figure 8: Connect Virtual Hard Disk Page

10. After you have finished configuring the new virtual machine, verify your selections in the Summary page (see Figure 9 on page 39) and then click Finish to complete the installation.


Figure 9: Summary Page

11. Right-click the vSRX VM and select Settings from the context menu.

12. From the Settings dialog box, under the Hardware section, select Processor. The Processor pane appears (see Figure 10 on page 40). Enter 2 in the Number of virtual processors field (the default is 1).


Figure 10: Processor Pane

13. From the Settings dialog box, under the Hardware section, select Network Adapter. The Network Adapter pane appears (see Figure 11 on page 41).

From the Virtual switch drop-down list, select a virtual switch to assign to a network adapter to be used by the vSRX VM (see “Adding vSRX Interfaces” on page 47 for details on adding virtual switches). Each network adapter that is defined for a vSRX is mapped to a specific interface. See “Requirements for vSRX on Microsoft Hyper-V” on page 18 for a summary of interface names and mappings for a vSRX VM.

NOTE: If you need to add a network adapter to assign to a virtual switch, click Add Hardware > Network Adapter > Add.


Figure 11: Network Adapter Pane

14. Enable the MAC address spoofing function for the vSRX VM if a network adapter is to be used as an interface for Layer 2 mode support on the vSRX. From the Network Adapter pane select Advanced Features. The Advanced Features pane appears (see Figure 12 on page 42). Click the Enable MAC address spoofing check box.

MAC address spoofing allows each network adapter to change its source MAC address for outgoing packets to one that is not assigned to them. Enabling MAC address spoofing ensures those packets are not dropped by the network adapter if the source MAC address fails to match the outgoing interface MAC address.

Click OK when you complete your vSRX VM selections.


Figure 12: Network Adapter Advanced Features Pane

15. Before you power on the vSRX instance we recommend that you enable nested virtualization for the vSRX VM. Nested virtualization allows you to run Hyper-V inside of a Hyper-V virtual machine. This procedure can only be performed in the Hyper-V environment using Windows PowerShell (see “Deploying vSRX in a Hyper-V Host Using Windows PowerShell” on page 43, Step 8). You cannot enable nested virtualization from the Hyper-V Manager.

NOTE: Nested virtualization can only be configured on a host running Microsoft Hyper-V Server 2016. In addition, Dynamic Memory must be disabled on the virtual machine containing the nested instance of Hyper-V.


16. Launch and power on the vSRX instance in the Hyper-V Manager by selecting the vSRX VM from the list of virtual machines. Right-click and select Start from the context menu (or select Action > Start).

17. Configure the basic settings for the vSRX (see “Configuring vSRX Using the CLI” on page 60).

Release History Table

Release | Description
------- | -----------
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Related Documentation

• Install Hyper-V and Create a Virtual Machine

• Create a Virtual Machine in Hyper-V

• Virtual Machine Settings in Hyper-V Manager Explained

Deploying vSRX in a Hyper-V Host Using Windows PowerShell

Use this procedure to deploy and configure the vSRX as a virtual security appliance in the Hyper-V environment using Windows PowerShell.

Note the following for deploying vSRX on a Microsoft Hyper-V server:

• Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.

• Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

NOTE: To upgrade an existing vSRX instance, see Migration, Upgrade, and Downgrade in the vSRX Release Notes.


To deploy vSRX using Windows PowerShell:

1. Download the vSRX software image for Microsoft Hyper-V from the Juniper Networks website. The vSRX disk image supported by Microsoft Hyper-V is a virtual hard disk (VHD) format file.

CAUTION: Do not change the file name of the downloaded software image or the installation will fail.

2. On the Windows desktop, click the Start button and type Windows PowerShell.

3. Right-click Windows PowerShell and select Run as administrator.

4. Run the following command to enable Hyper-V using PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

5. Enter the New-VM command to create the vSRX VM. The command syntax is as follows:

PS C:\Users\Administrator> New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath <VHDPath> -Path <Path> -Generation <Generation> -SwitchName <SwitchName>

See Table 10 on page 44 for a summary of the parameters in the New-VM command.

Table 10: New-VM Command Parameters

Parameter | Description
--------- | -----------
-Name | Specify a name for the vSRX VM that you are creating. We recommend keeping this name the same as the hostname you intend to give to the vSRX VM.
-MemoryStartupBytes | Enter 4GB as the amount of startup memory to assign to the vSRX VM.
-BootDevice | Enter VHD as the device that the vSRX VM boots to when it starts.
-VHDPath | Specify the location of the vSRX virtual hard disk (VHD) file that you want to deploy.
-Path | Specify the location to store the vSRX VM configuration files.
-Generation | Enter 1 to create a generation 1 virtual machine for the vSRX.
-SwitchName | Specify the name of the virtual switch that you want the vSRX VM to assign to a network adapter used by the vSRX VM. Each network adapter that is defined for a vSRX is mapped to a specific interface. See “Requirements for vSRX on Microsoft Hyper-V” on page 18 for a summary of interface names and mappings for a vSRX VM. NOTE: To locate the name of a previously created virtual switch, use the Get-VMSwitch command. See “Adding vSRX Interfaces” on page 47 for the procedure on adding virtual switches for the vSRX VM using the Virtual Switch Manager.

The following is an example of the New-VM command syntax for creating a vSRX VM:

PS C:\Users\Administrator> New-VM -Name vSRX_0109 -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath C:\Users\Public\Documents\Hyper-V\vsrx-0109-powershell\vsrx\media-vsrx-vmdisk-151X49D80.hyper-v.vhd -Path 'C:\Users\Public\Documents\Hyper-V\vsrx-0109\' -Generation 1 -SwitchName test

6. Set the number of processors for the newly created vSRX VM by entering the Set-VMProcessor command. Specify -Count 2 for the number of processors. For example:

PS C:\Users\Administrator> Set-VMProcessor -VMName <vSRXName> -Count 2

7. Verify the newly created vSRX VM by entering the Get-VM command. For example:

PS C:\Users\Administrator> Get-VM -Name <vSRXName>

The output for the command is as follows:

Name      State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
vSRX_0109 Off   0           0                 00:00:00 Operating normally 8.0

8. Enable the MAC address spoofing function for the vSRX VM if a network adapter is to be used as an interface for Layer 2 mode support on the vSRX. MAC address spoofing allows the vSRX VM's network adapter to change its source MAC address for outgoing packets to one that is not assigned to them. Enabling MAC address spoofing ensures those packets are not dropped by the network adapter if the source MAC address fails to match the outgoing interface MAC address.

The command syntax is as follows:

PS C:\Users\Administrator> Set-VMNetworkAdapter -VMName <vSRXName> -ComputerName <HyperVHostName> -Name <NetworkAdapterName> -MacAddressSpoofing On

Verify that MacAddressSpoofing is On.


PS C:\Users\Administrator> Get-VMNetworkAdapter -VMName <vSRXName> -ComputerName <HyperVHostName> | fl name,macaddressspoofing

The output for the command is as follows:

Name               : vSRX_0109
MacAddressSpoofing : On

9. Enable nested virtualization for the vSRX VM by using the Set-VMProcessor command, where VMName is the name of the vSRX VM you created. By default, the virtualization extensions are disabled for each VM. Nested virtualization allows you to run Hyper-V inside of a Hyper-V virtual machine. For example:

PS C:\Users\Administrator> Set-VMProcessor -VMName vSRX_0109 -ExposeVirtualizationExtensions $true

NOTE: Nested virtualization can only be configured on a host running Microsoft Hyper-V Server 2016. In addition, Dynamic Memory must be disabled on the virtual machine containing the nested instance of Hyper-V.

10. Launch and power on the vSRX VM by using the Start-VM command, where Name is the name of the vSRX VM you created. For example:

PS C:\Users\Administrator> Start-VM -Name vSRX_0109

11. Configure the basic settings for the vSRX (see “Configuring vSRX Using the CLI” on page 60).
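The PowerShell procedure above as one script, written as an added example (not code from the Juniper guide). It also applies the adapter-to-interface mapping from Tables 5 and 6 and the Dynamic Memory and Hyper-V Server 2016 conditions from the notes; the VM name, paths and switch names are placeholders, and Set-VMMemory, Add-VMNetworkAdapter and Rename-VMNetworkAdapter are standard Hyper-V module cmdlets the guide does not show.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Juniper guide): deploy a vSRX on Hyper-V with the cmdlets
# used in steps 5 to 10 above, creating all eight adapters in the order of Table 5
# (standalone) or Table 6 (cluster node) and naming each after the Junos interface it
# will become. All names, paths and switch names below are placeholders.
param(
    [string]$VMName = 'vSRX_0109',                                  # keep equal to the vSRX hostname
    [string]$VhdPath = 'C:\Hyper-V\vsrx\media-vsrx-vmdisk.hyper-v.vhd',  # downloaded VHD, file name unchanged
    [string]$VMPath = 'C:\Hyper-V\vsrx_0109',                       # VM configuration files
    [string]$MgmtSwitch = 'vsrx-mgmt',                              # External vSwitch for fxp0
    [string]$ControlSwitch = 'vsrx-control',                        # Private vSwitch for em0 (cluster only)
    [string[]]$TrafficSwitches = @('vsrx-trust', 'vsrx-untrust'),   # vSwitches for ge-0/0/0, ge-0/0/1, ...
    [switch]$ClusterNode,   # Table 6 layout: adapter 2 becomes em0
    [switch]$Layer2,        # enable MAC address spoofing on revenue ports (Layer 2 mode only)
    [switch]$Nested,        # expose VT-x to the guest (Hyper-V Server 2016 only)
    [switch]$Start
)
$ErrorActionPreference = 'Stop'

# Adapter N -> Junos interface from Table 5 / Table 6 (node 0 names; node 1 uses ge-7/0/x).
function Get-VsrxAdapterNames([bool]$Cluster) {
    $names = @('fxp0')
    if ($Cluster) { $names += 'em0' }
    $firstGe = $names.Count                      # zero-based adapter index of ge-0/0/0
    for ($i = $firstGe; $i -lt 8; $i++) { $names += "ge-0/0/$($i - $firstGe)" }
    return $names                                # eight entries, the Hyper-V maximum
}

# Pre-checks: the VHD exists and every switch we will attach to was created already
# (see "Adding vSRX Interfaces"); failing here is cheaper than a half-built VM.
if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }
$required = @($MgmtSwitch) + $TrafficSwitches
if ($ClusterNode) { $required += $ControlSwitch }
foreach ($sw in $required) {
    if (-not (Get-VMSwitch -Name $sw -ErrorAction SilentlyContinue)) {
        throw "virtual switch '$sw' does not exist; create it first"
    }
}

# Step 5: generation 1, 4 GB startup memory, boot from the VHD, adapter 1 on the mgmt switch.
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 4GB -BootDevice VHD `
       -VHDPath $VhdPath -Path $VMPath -SwitchName $MgmtSwitch | Out-Null
# Step 6: two vCPUs. Dynamic Memory stays off, as the Manager procedure leaves it clear
# and nested virtualization requires it disabled.
Set-VMProcessor -VMName $VMName -Count 2
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false

# Adapters: New-VM created the first one as 'Network Adapter'. Rename it fxp0 and add
# the remaining seven in table order, so adapter numbers match the Junos names.
$names = Get-VsrxAdapterNames -Cluster $ClusterNode.IsPresent
Rename-VMNetworkAdapter -VMName $VMName -Name 'Network Adapter' -NewName $names[0]
$geIndex = 0
for ($n = 1; $n -lt $names.Count; $n++) {
    $name = $names[$n]
    $swName = $null
    if ($name -eq 'em0') { $swName = $ControlSwitch }
    elseif ($geIndex -lt $TrafficSwitches.Count) { $swName = $TrafficSwitches[$geIndex]; $geIndex++ }
    if ($swName) { Add-VMNetworkAdapter -VMName $VMName -Name $name -SwitchName $swName }
    else         { Add-VMNetworkAdapter -VMName $VMName -Name $name }   # left 'Not connected'
    # Step 8: MAC address spoofing only where Layer 2 mode needs it; fxp0 and em0 stay Off.
    if ($Layer2 -and $name -like 'ge-*') {
        Set-VMNetworkAdapter -VMName $VMName -Name $name -MacAddressSpoofing On
    }
}

# Step 9: nested virtualization needs a Hyper-V Server 2016 host (Windows 10.0 kernel).
if ($Nested) {
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion.Major -lt 10) { throw "nested virtualization needs Hyper-V Server 2016; host runs $osVersion" }
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
}

# Steps 7 and 8: verify the VM and its adapters before powering on.
Get-VM -Name $VMName |
    Select-Object Name, State, Generation, ProcessorCount, @{n = 'MemoryGB'; e = { $_.MemoryStartup / 1GB }} |
    Format-List
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, MacAddressSpoofing | Format-Table -AutoSize

# Step 10: power on, then continue with "Configuring vSRX Using the CLI".
if ($Start) { Start-VM -Name $VMName }
```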

Release History Table

Release | Description
------- | -----------
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX only on Microsoft Hyper-V Server 2012 R2 or 2012.
15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX on Microsoft Hyper-V Server 2016.

Related Documentation

• Hyper-V Module for Windows PowerShell

• Create a Virtual Machine in Hyper-V

• Run Hyper-V in a Virtual Machine with Nested Virtualization


CHAPTER 3

vSRX VM Management

• Adding vSRX Interfaces on page 47

• Powering Down a vSRX VM with Hyper-V on page 56

Adding vSRX Interfaces

The Hyper-V virtual switch is a software-based Layer 2 Ethernet network switch that connects VMs to either physical or virtual networks. A virtual switch can be configured from Hyper-V Manager or Windows PowerShell. The Hyper-V host uses the virtual switches to connect virtual machines to the internet through the host computer's network connection. You configure networking for the vSRX by adding, removing, and modifying its associated network adapters in the Hyper-V host as necessary.

NOTE: To perform this procedure, you must have appropriate permissions. Contact your Virtual Server administrator to request the proper permissions to add a virtual switch and network adapter.

For the vSRX VM, you pair a network adapter with a virtual switch for the vSRX to receive and transmit traffic. You map network adapters to the specific vSRX interfaces: Network adapter 1 is mapped to the fxp0 (out-of-band management) interface, network adapter 2 is mapped to the ge-0/0/0 (revenue) interface, network adapter 3 is mapped to ge-0/0/1, and so on (see “Requirements for vSRX on Microsoft Hyper-V” on page 18). Hyper-V supports a maximum of eight network adapters.

NOTE: When adding virtual switches, there are no limits imposed by Hyper-V. The practical limit depends on the available computing resources.

This section includes the following topics on adding vSRX interfaces in Hyper-V:

• Adding Virtual Switches on page 48

• Configuring the vSRX to Use a VLAN on page 55


Adding Virtual Switches

To add virtual switches for the vSRX VM using the Virtual Switch Manager in the Hyper-V Manager:

1. Open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

2. Select Action > Virtual Switch Manager. The Virtual Switch Manager appears.

3. Under the Virtual Switches section, select New virtual network switch. The Create Virtual Switch pane appears (see Figure 13 on page 49).


Figure 13: Create Virtual Switch Pane

4. Choose the type of virtual switch to create:

• External—Gives virtual machines access to a physical network to communicate with servers and clients on an external network. It allows virtual machines on the same Hyper-V server to communicate with each other.

49Copyright © 2018, Juniper Networks, Inc.

Chapter 3: vSRX VMManagement

• Internal—Allows communication between virtual machines on the same Hyper-V

server, and between the virtual machines and themanagement host operating

system.

• Private—AllowscommunicationonlybetweenvirtualmachinesonthesameHyper-V

server. A private network is isolated fromall external network traffic on the Hyper-V

server. This type of network is useful when youmust create an isolated networking

environment, like an isolated test domain.

In most cases when adding a vSRX network adapter, select External as the type of

virtual switch. Internal andprivate virtual switchesare intended to keepnetwork traffic

within the Hyper-V server.

NOTE: For the fxp0 (out-of-bandmanagement) interface, connect it toExternal virtual switch, which could connect to an external network.

For thege-0/0/0(revenueport) interface, if onlycommunicationbetweenVMs in thesameHyper-Vserver isneeded, InternalorPrivatevirtual switchshould be sufficient. However, if communication between the VM and anexternal network is needed, connect it to External virtual switch.

5. Select Create Virtual Switch. The Virtual Switch Properties pane appears (see

Figure 14 on page 51).

Copyright © 2018, Juniper Networks, Inc.50

vSRX Deployment Guide for Microsoft Hyper-V

Figure 14: Virtual Switch Properties Pane

6. Specify a name for the virtual switch.

7. Choose the physical network interface card b(NIC) that you want to use (only a

requirement when you select External).

8. Isolate network traffic from themanagementHyper-V host operating systemor other

virtual machines that share the same virtual switch by selecting Enable virtual LAN

51Copyright © 2018, Juniper Networks, Inc.

Chapter 3: vSRX VMManagement

identification. You can change the VLAN ID to any number or leave the default. See

“Configuring the vSRX to Use a VLAN” on page 55 for details.

9. ClickOK, then click Yes to apply networking changes and to close the Virtual Switch

Manager window.

10. If necessary, repeat Steps 3 through 9 to add additional network adapters for use by

the vSRX VM.

11. Right-click thevSRXVMandselectSettings fromthecontextmenu.FromtheSettings

dialog box, under the Hardware section, click Network Adapter. The Network Adapter

pane appears (see Figure 15 on page 53).

12. From the Virtual switch drop-down list, select the virtual switch that you want to

assign to this network adapter. See “Requirements for vSRX on Microsoft Hyper-V”

on page 18 for a summary of interface names andmappings for a vSRX VM.

Copyright © 2018, Juniper Networks, Inc.52

vSRX Deployment Guide for Microsoft Hyper-V

Figure 15: Adding Virtual Switch to Network Adapter Example

13. If a network adapter is to be used as an interface for Layer 2 mode support on the

vSRX, then from the Network Adapter pane select Advanced Features. Select the

EnableMACaddressspoofing checkbox to enable theMACaddress spoofing function

for the network adapter (see Figure 16 on page 54).

MACaddress spoofingallowseachnetworkadapter to change its sourceMACaddress

for outgoing packets to one that is not assigned to them. Enabling MAC address

spoofing ensures those packets are not dropped by the network adapter if the source

MAC address fails to match the outgoing interface MAC address.

53Copyright © 2018, Juniper Networks, Inc.

Chapter 3: vSRX VMManagement

Figure 16: Network Adapter Enable MAC Address Spoofing Example

14. Click Apply andOK to save the changes in the Settings dialog box.

15. Launch and power on the vSRX instance in the Hyper-V Manager by selecting the

vSRX VM from the list of virtual machines, and then right-click and select Start from

the context menu (or select Action > Start).
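The same procedure can be driven from the Hyper-V PowerShell module on the host instead of the Hyper-V Manager GUI. The script below is an added example and is not part of the Juniper guide: it creates the two switch types, shuts the VM down cleanly before touching its settings (as the guide requires), pairs adapter 1 with the management switch and adapter 2 with the revenue switch, enables MAC address spoofing only where Layer 2 mode needs it, and prints the result for review. The VM name vsrx-01, the host NIC name Ethernet 2 and the two switch names are assumptions; the script also assumes the VM already has at least two network adapters, listed in the same slot order the guide's interface mapping uses (adapter 1 for fxp0, adapter 2 for ge-0/0/0).

```powershell
# Added example, not Juniper's code. Assumed names: VM 'vsrx-01', host NIC 'Ethernet 2',
# switches 'vsrx-mgmt-ext' (External, for fxp0) and 'vsrx-rev-int' (Internal, for ge-0/0/0).
#Requires -Modules Hyper-V
[CmdletBinding()]
param(
    [string]$VMName        = 'vsrx-01',
    [string]$PhysicalNic   = 'Ethernet 2',
    [string]$MgmtSwitch    = 'vsrx-mgmt-ext',
    [string]$RevenueSwitch = 'vsrx-rev-int'
)
$ErrorActionPreference = 'Stop'

# Steps 3-9: create a switch of the requested type, or reuse one with that name so the
# script can be rerun safely. Only an External switch is bound to a physical NIC.
function New-VsrxSwitchIfMissing {
    param(
        [string]$Name,
        [ValidateSet('External', 'Internal', 'Private')][string]$Type,
        [string]$NetAdapterName
    )
    $sw = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue
    if ($sw) { return $sw }
    if ($Type -eq 'External') {
        return New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName
    }
    return New-VMSwitch -Name $Name -SwitchType $Type
}

$null = New-VsrxSwitchIfMissing -Name $MgmtSwitch    -Type External -NetAdapterName $PhysicalNic
$null = New-VsrxSwitchIfMissing -Name $RevenueSwitch -Type Internal

# The guide requires a graceful shutdown before VM settings are changed (see "Powering Down
# a vSRX VM with Hyper-V"): Stop-VM asks the guest to shut down in an orderly way.
if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName }

# Steps 11-12: pair adapters with switches. Adapters are returned in the order shown in the
# VM's Settings dialog, which is the order the vSRX maps them: 1 = fxp0, 2 = ge-0/0/0, ...
$adapters = @(Get-VMNetworkAdapter -VMName $VMName)
if ($adapters.Count -lt 2) { throw "$VMName needs at least two network adapters (fxp0 and ge-0/0/0)" }
if ($adapters.Count -gt 8) { throw "Hyper-V supports at most eight network adapters per VM" }

Connect-VMNetworkAdapter -VMNetworkAdapter $adapters[0] -SwitchName $MgmtSwitch     # fxp0
Connect-VMNetworkAdapter -VMNetworkAdapter $adapters[1] -SwitchName $RevenueSwitch  # ge-0/0/0

# Step 13: let the revenue adapter send frames whose source MAC is not its own, which the
# vSRX needs in Layer 2 mode. Leave it off on the management adapter, which never rewrites
# source MACs, so the host keeps dropping such frames there.
Set-VMNetworkAdapter -VMNetworkAdapter $adapters[1] -MacAddressSpoofing On
Set-VMNetworkAdapter -VMNetworkAdapter $adapters[0] -MacAddressSpoofing Off

# Steps 14-15: settings made through the cmdlets take effect immediately; power the VM on.
Start-VM -Name $VMName

# Review the result, one row per adapter in slot order.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, MacAddressSpoofing, MacAddress |
    Format-Table -AutoSize
```

Hyper-V names every synthetic adapter "Network Adapter" by default, so the script relies on position rather than name; if you prefer to address adapters by name, rename them first with Rename-VMNetworkAdapter and select them with the -Name parameter of Get-VMNetworkAdapter.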

See Also

• Create a Virtual Switch for Hyper-V Virtual Machines

• Create a Virtual Network

Configuring the vSRX to Use a VLAN

Hyper-V supports the configuration of VLANs on a network adapter in the host computer. For each network adapter that you configure for the vSRX VM, if required, you can add a VLAN identifier to specify the VLAN that the vSRX VM will use for all network communications through the network adapter.

By default, Hyper-V enables trunk mode for a VLAN. Trunk mode allows multiple VLAN IDs to share a connection between the physical network adapter and the physical network. To give the vSRX VM external access on the virtual network in multiple VLANs, you will need to configure the port on the physical network to be in trunk mode. You will also need to know the specific VLANs that are used and all of the VLAN IDs used by the virtual machines that the virtual network supports.

To utilize a Hyper-V VLAN, ensure that you are using a physical network adapter that supports 802.1q VLAN tagging. By default, the virtual network adapter in Hyper-V is in untagged mode and you might need to enable the feature on a virtual network adapter.

NOTE: By using Windows PowerShell, you can determine the mode of the vNIC (Get-VMNetworkAdapterVlan command) and change the mode of the vNIC (Set-VMNetworkAdapterVlan command). See Get-VMNetworkAdapterVlan and Set-VMNetworkAdapterVlan for details on both Windows PowerShell virtual network adapter commands.

To add a VLAN for a vSRX VM virtual network adapter:

1. Open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

2. Right-click the vSRX VM and select Settings from the context menu.

3. From the Settings dialog box, under the Hardware section, select the network adapter connected to the external virtual network. The Network Adapter pane appears.

4. Select Enable virtual LAN identification, and then enter the VLAN ID you intend to use (see Figure 17 on page 56). You can change the VLAN ID to any number or leave the default. This is the VLAN identification number that the vSRX will use for all network communication through this network adapter.

Figure 17: Enable VLAN Identification Example

5. Click OK, and then click Yes to apply networking changes.

6. If necessary, repeat Steps 3 through 5 to add VLAN identification to additional network adapters in use by the vSRX VM.
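The PowerShell route mentioned in the note above, as an added example that is not part of the Juniper guide: the script reads the adapter's current VLAN mode with Get-VMNetworkAdapterVlan, applies either the single VLAN ID of step 4 (access mode, which is what "Enable virtual LAN identification" does in the GUI) or a trunk with an allowed-VLAN list, and reads the mode back as a check that the change took. The VM name vsrx-01, the VLAN IDs, and the choice of adapter slot 2 (the one the guide maps to ge-0/0/0) are assumptions.

```powershell
# Added example, not Juniper's code. Assumed: VM 'vsrx-01'; adapter slot 2 is the revenue
# adapter (ge-0/0/0); VLAN 100 as the access (or native) VLAN; -TrunkVlans selects trunk mode.
#Requires -Modules Hyper-V
[CmdletBinding()]
param(
    [string]$VMName    = 'vsrx-01',
    [int]$VlanId       = 100,   # access VLAN, or native VLAN when trunking
    [int[]]$TrunkVlans = @(),   # non-empty (for example 100,200): trunk mode instead of access
    [int]$Slot         = 2      # 1-based adapter slot; slot 2 maps to ge-0/0/0
)
$ErrorActionPreference = 'Stop'

# 802.1Q VLAN IDs run from 1 to 4094; reject anything else before touching the adapter.
function Test-VlanId {
    param([int]$Id)
    return ($Id -ge 1 -and $Id -le 4094)
}
foreach ($id in (@($VlanId) + $TrunkVlans)) {
    if (-not (Test-VlanId $id)) { throw "VLAN ID $id is outside 1-4094" }
}

$adapters = @(Get-VMNetworkAdapter -VMName $VMName)
if ($adapters.Count -lt $Slot) { throw "$VMName has no adapter in slot $Slot" }
$adapter = $adapters[$Slot - 1]

# Before the change. A fresh Hyper-V adapter reports OperationMode 'Untagged', the untagged
# default the guide describes.
$before = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
"{0} before: mode={1} access={2}" -f $adapter.Name, $before.OperationMode, $before.AccessVlanId

if ($TrunkVlans.Count -gt 0) {
    # Trunk mode: several VLAN IDs share the link. The physical switch port behind the
    # External switch must be a trunk as well, as the guide notes.
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Trunk `
        -AllowedVlanIdList ($TrunkVlans -join ',') -NativeVlanId $VlanId
} else {
    # Access mode: every frame from this adapter is tagged with one VLAN ID, which is
    # step 4 of the procedure (Enable virtual LAN identification plus a VLAN ID).
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Access -VlanId $VlanId
}

# After the change: confirm the mode and IDs that actually applied.
$after = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
"{0} after: mode={1} access={2} native={3} allowed={4}" -f `
    $adapter.Name, $after.OperationMode, $after.AccessVlanId, $after.NativeVlanId, $after.AllowedVlanIdList
```

Run it once without -TrunkVlans to reproduce the GUI steps, and with -TrunkVlans 100,200 to see the trunk variant the section describes; in both cases the "after" line is the check that the adapter is no longer untagged.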

See Also

• Hyper-V: Configure VLANs and VLAN Tagging

• Understanding Hyper-V VLANs

Powering Down a vSRX VM with Hyper-V

In situations where you need to modify the vSRX VM settings from Hyper-V, you must first perform a graceful shutdown of the vSRX VM using the Shut Down command. The vSRX VM performs an orderly closing of all programs and attempts to shut off power to avoid data loss.

NOTE: If you are using Microsoft PowerShell, use the Stop-VM command to perform a graceful shutdown of the vSRX VM.

To gracefully shut down the vSRX instance on the Hyper-V host computer:

1. Log on to your Hyper-V host computer using the Administrator account.

2. Open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

3. Power down the vSRX instance in the Hyper-V Manager by selecting the vSRX VM from the list of virtual machines, and then right-click and select Shut Down from the context menu (or select Action > Shut Down).

4. Power on the vSRX instance in the Hyper-V Manager by selecting the vSRX VM from the list of virtual machines, and then right-click and select Start from the context menu (or select Action > Start).

NOTE: If you are using Microsoft PowerShell, use the Start-VM command to start the vSRX VM.

CHAPTER 4

Configuring and Managing vSRX

• vSRX Configuration and Management Tools on page 59

• Configuring vSRX Using the CLI on page 60

• Configuring vSRX Using the J-Web Interface on page 61

• Managing Security Policies for Virtual Machines Using Junos Space Security Director on page 65

vSRX Configuration and Management Tools

This chapter is an overview of the various tools available to configure and manage a vSRX VM once it has been successfully deployed.

• Understanding the Junos OS CLI and Junos Scripts on page 59

• Understanding the J-Web Interface on page 59

• Understanding Junos Space Security Director on page 60

Understanding the Junos OS CLI and Junos Scripts

The Junos operating system command-line interface (Junos OS CLI) is a Juniper Networks-specific command shell that runs on top of a UNIX-based operating system kernel.

Built into Junos OS, Junos script automation is an onboard toolset available on all Junos OS platforms, including routers, switches, and security devices running Junos OS (such as a vSRX instance).

You can use the Junos OS CLI and Junos OS scripts to configure, manage, administer, and troubleshoot vSRX.

Understanding the J-Web Interface

The J-Web interface allows you to monitor, configure, troubleshoot, and manage vSRX instances by means of a Web browser. J-Web provides access to all the configuration statements supported by the vSRX instance.

You can use J-Web to configure, manage, administer, and troubleshoot vSRX.

Understanding Junos Space Security Director

As one of the Junos Space Network Management Platform applications, Junos Space Security Director helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. Security Director automates security provisioning of a vSRX instance through one centralized Web-based interface to help administrators manage all phases of the security policy life cycle more quickly and intuitively, from policy creation to remediation.

Related Documentation

• CLI User Interface Overview

• J-Web Overview

• Security Director

• Mastering Junos Automation Programming

• Spotlight Secure Threat Intelligence

Configuring vSRX Using the CLI

To configure the instance using the CLI:

1. Verify that the vSRX instance is powered on.

2. Log in as the root user (whose username is root). There is no password.

3. Start the CLI.

   root# cli
   root@>

4. Enter configuration mode.

   root@> configure
   [edit]
   root@#

5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA). The following is an example of a plain-text password. The CLI prompts you for the password and then encrypts it.

   [edit]
   root@# set system root-authentication plain-text-password
   New password: password
   Retype new password: password

6. Configure the hostname.

   [edit]
   root@# set system host-name host-name

7. Configure the management interface.

   [edit]
   root@# set interfaces fxp0 unit 0 family inet dhcp-client

8. Configure the traffic interfaces.

   [edit]
   root@# set interfaces ge-0/0/0 unit 0 family inet dhcp-client

9. Configure basic security zones and bind them to traffic interfaces.

   [edit]
   root@# set security zones security-zone trust interfaces ge-0/0/0.0

10. Verify the configuration changes.

   [edit]
   root@# commit check
   configuration check succeeds

11. Commit the configuration to activate it on the instance.

   [edit]
   root@# commit
   commit complete

NOTE: Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See “Managing Licenses for vSRX” on page 93 for details.

Related Documentation

• CLI User Guide

• Junos OS for SRX Series

Configuring vSRX Using the J-Web Interface

• Accessing the J-Web Interface and Configuring vSRX on page 62

• Applying the Configuration on page 64

• Adding vSRX Feature Licenses on page 64

Accessing the J-Web Interface and Configuring vSRX

To configure vSRX using the J-Web Interface:

1. Launch the J-Web interface from a Web browser.

NOTE: You will be prompted to accept a system-generated certificate to access a vSRX VM using the J-Web interface.

2. Enter the vSRX out-of-band management (fxp0) interface IP address in the Address box.

3. Specify the username and password.

4. Click Log In, and select the Configuration Wizards tab from the left navigation panel. The J-Web Setup wizard page opens.

5. Click Setup.

You can use the Setup wizard to configure the vSRX VM or edit an existing configuration.

• Select Edit Existing Configuration if you have already configured the wizard using the factory mode.

• Select Create New Configuration to configure the vSRX VM using the wizard.

The following configuration options are available in the guided setup:

• Basic

Select Basic to configure the vSRX VM name and user account information as shown in Table 11 on page 63.

• Instance name and user account information

Table 11: Instance Name and User Account Information

Field: Description

Instance name: Type the name of the vSRX instance.

Root password: Create a default root user password.

Verify password: Verify the default root user password.

Operator: Add an optional administrative account in addition to the root account. User role options include:

  • SuperUser: This user has full system administration rights and can add, modify, and delete settings and users.

  • Operator: This user can perform system operations such as a system reset but cannot change the configuration or add or modify users.

  • Read only: This user can only access the system and view the configuration.

  • Disabled: This user cannot access the system.

• Select either Time Server or Manual. Table 12 on page 63 lists the system time options.

Table 12: System Time Options

Field: Description

Time Server

  Host Name: Type the hostname of the time server. For example: ntp.example.com.

  IP: Type the IP address of the time server in the IP address entry field. For example: 192.0.2.254.

  NOTE: You can enter either the hostname or the IP address.

Manual

  Date: Click the current date in the calendar.

  Time: Set the hour, minute, and seconds. Choose AM or PM.

Time Zone (mandatory)

  Time Zone: Select the time zone from the list. For example: GMT Greenwich Mean Time GMT.

• Expert

Select Expert to configure the basic options as well as the following advanced options:

• Four or more internal zones

• Internal zone services

• Application of security policies between internal zones

Click the Need Help icon for detailed configuration information.

You see a success message after the basic configuration is complete.

Applying the Configuration

To apply the configuration settings for vSRX:

1. Review and ensure that the configuration settings are correct, and click Next. The Commit Configuration page appears.

2. Click Apply Settings to apply the configuration changes to vSRX.

3. Check the connectivity to vSRX, as you might lose connectivity if you have changed the management zone IP. Click the URL for reconnection instructions on how to reconnect to the instance.

4. Click Done to complete the setup.

After successful completion of the setup, you are redirected to the J-Web interface.

CAUTION: After you complete the initial setup, you can relaunch the J-Web Setup wizard by clicking Configuration > Setup. You can either edit an existing configuration or create a new configuration. If you create a new configuration, the current configuration in vSRX will be deleted.

Adding vSRX Feature Licenses

Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See “Managing Licenses for vSRX” on page 93 for details.

Managing Security Policies for Virtual Machines Using Junos Space Security Director

Security Director is a Junos Space management application designed to enable quick, consistent, and accurate creation, maintenance, and application of network security policies for your security devices, including vSRX instances. With Security Director, you can configure security-related policy management, including IPsec VPNs, firewall policies, NAT policies, IPS policies, and UTM policies, and push the configurations to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations; shared objects can be created and used across many security policies and devices. You can create these objects prior to creating security configurations.

When you finish creating and verifying your security configurations from Security Director, you can publish these configurations and keep them ready to be pushed to all security devices, including vSRX instances, from a single interface.

The Configure tab is the workspace where all of the security configuration happens. You can configure firewall, IPS, NAT, and UTM policies, assign policies to devices, create and apply policy schedules, create and manage VPNs, and create and manage all of the shared objects needed for managing your network security.

Related Documentation

• Security Director

CHAPTER 5

Configuring vSRX Chassis Clusters

• Configuring a vSRX Chassis Cluster in Junos OS on page 67

• vSRX Cluster Staging and Provisioning in Hyper-V on page 75

Configuring a vSRX Chassis Cluster in Junos OS

• Chassis Cluster Overview on page 67

• Enabling Chassis Cluster Formation on page 68

• Chassis Cluster Quick Setup with J-Web on page 69

• Manually Configuring a Chassis Cluster with J-Web on page 69

Chassis Cluster Overview

Chassis cluster groups a pair of the same kind of vSRX instances into a cluster to provide network node redundancy. The devices must be running the same Junos OS release. You connect the control virtual interfaces on the respective nodes to form a control plane that synchronizes the configuration and Junos OS kernel state. The control link (a virtual network or vSwitch) facilitates the redundancy of interfaces and services. Similarly, you connect the data plane on the respective nodes over the fabric virtual interfaces to form a unified data plane. The fabric link (a virtual network or vSwitch) allows for the management of cross-node flow processing and for the management of session redundancy.

The control plane software operates in active/passive mode. When configured as a chassis cluster, one node acts as the primary device and the other as the secondary device to ensure stateful failover of processes and services in the event of a system or hardware failure on the primary device. If the primary device fails, the secondary device takes over processing of control plane traffic.

NOTE: If you configure a chassis cluster on vSRX nodes across two physical hosts, disable igmp-snooping on the bridge that each host physical interface belongs to that the control vNICs use. This ensures that the control link heartbeat is received by both nodes in the chassis cluster.

The chassis cluster data plane operates in active/active mode. In a chassis cluster, the data plane updates session information as traffic traverses either device, and it transmits information between the nodes over the fabric link to guarantee that established sessions are not dropped when a failover occurs. In active/active mode, traffic can enter the cluster on one node and exit from the other node.

Chassis cluster functionality includes:

• Resilient system architecture, with a single active control plane for the entire cluster and multiple Packet Forwarding Engines. This architecture presents a single device view of the cluster.

• Synchronization of configuration and dynamic runtime states between nodes within a cluster.

• Monitoring of physical interfaces, and failover if the failure parameters cross a configured threshold.

• Support for generic routing encapsulation (GRE) and IP-over-IP (IP-IP) tunnels used to route encapsulated IPv4 or IPv6 traffic by means of two internal interfaces, gr-0/0/0 and ip-0/0/0, respectively. Junos OS creates these interfaces at system startup and uses these interfaces only for processing GRE and IP-IP tunnels.

At any given instant, a cluster node can be in one of the following states: hold, primary, secondary-hold, secondary, ineligible, or disabled. Multiple event types, such as interface monitoring, Services Processing Unit (SPU) monitoring, failures, and manual failovers, can trigger a state transition.

Prerequisites

Ensure that your vSRX instances comply with the following prerequisites before you enable chassis clustering:

• Use show version in Junos OS to ensure that both vSRX instances have the same software version.

• Use show system license in Junos OS to ensure that both vSRX instances have the same licenses installed.

Enabling Chassis Cluster Formation

You create two vSRX instances to form a chassis cluster, and then you set the cluster ID and node ID on each instance to join the cluster. When a vSRX VM joins a cluster, it becomes a node of that cluster. With the exception of unique node settings and management IP addresses, nodes in a cluster share the same configuration.

You can deploy up to 255 chassis clusters in a Layer 2 domain. Clusters and nodes are identified in the following ways:

• The cluster ID (a number from 1 to 255) identifies the cluster.

• The node ID (a number from 0 to 1) identifies the cluster node.

On SRX Series devices, the cluster ID and node ID are written into EEPROM. On the vSRX VM, vSRX stores and reads the IDs from boot/loader.conf and uses the IDs to initialize the chassis cluster during startup.

The chassis cluster formation commands for node 0 and node 1 are as follows:

• On vSRX node 0:

   user@vsrx0> set chassis cluster cluster-id number node 0 reboot

• On vSRX node 1:

   user@vsrx1> set chassis cluster cluster-id number node 1 reboot

NOTE: Use the same cluster ID number for each node in the cluster.

NOTE: The vSRX interface naming and mapping to vNICs changes when you enable chassis clustering.

After reboot, on node 0, configure the fabric (data) ports of the cluster that are used to pass real-time objects (RTOs):

   user@vsrx0# set interfaces fab0 fabric-options member-interfaces ge-0/0/0
   user@vsrx0# set interfaces fab1 fabric-options member-interfaces ge-7/0/0

Chassis Cluster Quick Setup with J-Web

To configure chassis cluster from J-Web:

1. Enter the vSRX node 0 interface IP address in a Web browser.

2. Enter the vSRX username and password, and click Log In. The J-Web dashboard appears.

3. Click Configuration Wizards > Chassis Cluster from the left panel. The Chassis Cluster Setup wizard appears. Follow the steps in the setup wizard to configure the cluster ID and the two nodes in the cluster, and to verify connectivity.

NOTE: Use the built-in Help icon in J-Web for further details on the Chassis Cluster Setup wizard.

Manually Configuring a Chassis Cluster with J-Web

You can use the J-Web interface to configure the primary node 0 vSRX instance in the cluster. Once you have set the cluster and node IDs and rebooted each vSRX, the following configuration will automatically be synced to the secondary node 1 vSRX instance.

Select Configure > Chassis Cluster > Cluster Configuration. The Chassis Cluster configuration page appears.

Table 13 on page 71 explains the contents of the HA Cluster Settings tab.

Table 14 on page 72 explains how to edit the Node Settings tab.

Table 15 on page 73 explains how to add or edit the HA Cluster Interfaces table.

Table 16 on page 74 explains how to add or edit the HA Cluster Redundancy Groups table.

Table 13: Chassis Cluster Configuration Page

Field: Function

Node Settings

  Node ID: Displays the node ID.

  Cluster ID: Displays the cluster ID configured for the node.

  Host Name: Displays the name of the node.

  Backup Router: Displays the router used as a gateway while the Routing Engine is in secondary state for redundancy-group 0 in a chassis cluster.

  Management Interface: Displays the management interface of the node.

  IP Address: Displays the management IP address of the node.

  Status: Displays the state of the redundancy group.

    • Primary–Redundancy group is active.

    • Secondary–Redundancy group is passive.

Chassis Cluster > HA Cluster Settings > Interfaces

  Name: Displays the physical interface name.

  Member Interfaces/IP Address: Displays the member interface name or IP address configured for an interface.

  Redundancy Group: Displays the redundancy group.

Chassis Cluster > HA Cluster Settings > Redundancy Group

  Group: Displays the redundancy group identification number.

  Preempt: Displays the selected preempt option.

    • True–Mastership can be preempted based on priority.

    • False–Mastership cannot be preempted based on priority.

  Gratuitous ARP Count: Displays the number of gratuitous Address Resolution Protocol (ARP) requests that a newly elected primary device in a chassis cluster sends out to announce its presence to the other network devices.

  Node Priority: Displays the assigned priority for the redundancy group on that node. The eligible node with the highest priority is elected as primary for the redundant group.

Table 14: Edit Node Setting Configuration Details

Field: Function. Action.

Node Settings

  Host Name: Specifies the name of the host. Action: Enter the name of the host.

  Backup Router: Displays the device used as a gateway while the Routing Engine is in the secondary state for redundancy-group 0 in a chassis cluster. Action: Enter the IP address of the backup router.

Destination

  IP: Adds the destination address. Action: Click Add.

  Delete: Deletes the destination address. Action: Click Delete.

Interface

  Interface: Specifies the interfaces available for the router. NOTE: Allows you to add and edit two interfaces for each fabric link. Action: Select an option.

  IP: Specifies the interface IP address. Action: Enter the interface IP address.

  Add: Adds the interface. Action: Click Add.

  Delete: Deletes the interface. Action: Click Delete.

Table 15: Add HA Cluster Interface Configuration Details

Field: Function. Action.

Fabric Link > Fabric Link 0 (fab0)

  Interface: Specifies fabric link 0. Action: Enter the interface IP for fabric link 0.

  Add: Adds fabric interface 0. Action: Click Add.

  Delete: Deletes fabric interface 0. Action: Click Delete.

Fabric Link > Fabric Link 1 (fab1)

  Interface: Specifies fabric link 1. Action: Enter the interface IP for fabric link 1.

  Add: Adds fabric interface 1. Action: Click Add.

  Delete: Deletes fabric interface 1. Action: Click Delete.

Redundant Ethernet

  Interface: Specifies a logical interface consisting of two physical Ethernet interfaces, one on each chassis. Action: Enter the logical interface.

  IP: Specifies a redundant Ethernet IP address. Action: Enter a redundant Ethernet IP address.

  Redundancy Group: Specifies the redundancy group ID number in the chassis cluster. Action: Select a redundancy group from the list.

  Add: Adds a redundant Ethernet IP address. Action: Click Add.

  Delete: Deletes a redundant Ethernet IP address. Action: Click Delete.

Table 16: Add Redundancy Groups Configuration Details

Field: Function. Action.

  Redundancy Group: Specifies the redundancy group name. Action: Enter the redundancy group name.

  Allow preemption of primaryship: Allows a node with a better priority to initiate a failover for a redundancy group. NOTE: By default, this feature is disabled. When disabled, a node with a better priority does not initiate a redundancy group failover (unless some other factor, such as faulty network connectivity identified for monitored interfaces, causes a failover). Action: –

  Gratuitous ARP Count: Specifies the number of gratuitous Address Resolution Protocol requests that a newly elected primary sends out on the active redundant Ethernet interface child links to notify network devices of a change in mastership on the redundant Ethernet interface links. Action: Enter a value from 1 to 16. The default is 4.

  node0 priority: Specifies the priority value of node0 for a redundancy group. Action: Enter the node priority number as 0.

  node1 priority: Specifies the priority value of node1 for a redundancy group. Action: Select the node priority number as 1.

Interface Monitor

  Interface: Specifies the number of redundant Ethernet interfaces to be created for the cluster. Action: Select an interface from the list.

  Weight: Specifies the weight for the interface to be monitored. Action: Enter a value from 1 to 125.

  Add: Adds interfaces to be monitored by the redundancy group along with their respective weights. Action: Click Add.

  Delete: Deletes interfaces to be monitored by the redundancy group along with their respective weights. Action: Select the interface from the configured list and click Delete.

IP Monitoring

  Weight: Specifies the global weight for IP monitoring. Action: Enter a value from 0 to 255.

  Threshold: Specifies the global threshold for IP monitoring. Action: Enter a value from 0 to 255.

  Retry Count: Specifies the number of retries needed to declare reachability failure. Action: Enter a value from 5 to 15.

  Retry Interval: Specifies the time interval in seconds between retries. Action: Enter a value from 1 to 30.

IPv4 Addresses to Be Monitored

  IP: Specifies the IPv4 addresses to be monitored for reachability. Action: Enter the IPv4 addresses.

  Weight: Specifies the weight for the redundancy group interface to be monitored. Action: Enter the weight.

  Interface: Specifies the logical interface through which to monitor this IP address. Action: Enter the logical interface address.

  Secondary IP address: Specifies the source address for monitoring packets on a secondary link. Action: Enter the secondary IP address.

  Add: Adds the IPv4 address to be monitored. Action: Click Add.

  Delete: Deletes the IPv4 address to be monitored. Action: Select the IPv4 address from the list and click Delete.

See Also

• Chassis Cluster Feature Guide for Security Devices

vSRX Cluster Staging and Provisioning in Hyper-V

StagingandprovisioningavSRXclusteronaHyper-Vhostcomputer includes the following

tasks:

NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release17.4R1, support for chassis clustering to provide network node redundancy isonly available onWindows Hyper-V Server 2016.

• Deploying the VMs and Additional Network Adapters in Hyper-V on page 75

• Creating the Control Link Connection in Hyper-V on page 76

• Creating the Fabric Link Connection in Hyper-V on page 79

• Creating the Data Interfaces Using Hyper-V on page 80

• Prestaging the Configuration from the Console on page 81

• Connecting and Installing the Staging Configuration on page 82

Deploying the VMs and Additional Network Adapters in Hyper-V

The vSRX cluster uses three interfaces exclusively for clustering (the first two are predefined):

• Out-of-band management interface (fxp0).

• Cluster control link (em0).

• Cluster fabric links (fab0 and fab1). For example, you can specify ge-0/0/0 as fab0 on node0 and ge-7/0/0 as fab1 on node1.


A cluster requires three interfaces (two for the cluster and one for management) and additional interfaces to forward data. This section outlines how to create the control link and fabric link connections, and to map all data interfaces to network adapters.

NOTE: For an overview of the procedure to add virtual switches and map the virtual switch to a network adapter, see “Adding vSRX Interfaces” on page 47.

Creating the Control Link Connection in Hyper-V

To connect the control interface through the control link virtual switch using Hyper-V Manager:

1. Open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

2. From the Hyper-V Manager, select Action > Virtual Switch Manager. The Virtual Switch Manager appears.

3. Under the Virtual Switches section, select New virtual network switch. The Create Virtual Switch pane appears (see Figure 18 on page 77).


Figure 18: Create Virtual Switch Pane

4. Select Internal as the type of virtual switch. Internal allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management host operating system.

5. Select Create Virtual Switch. The Virtual Switch Properties page appears (see Figure 19 on page 78).


Figure 19: Virtual Switch Properties Pane

6. Specify a name for the control link virtual switch. Leave the other virtual switch properties at their default settings.

7. Click OK and then click Yes to apply networking changes and to close the Virtual Switch Manager window.

8. Right-click the vSRX VM and select Settings from the context menu. From the Settings dialog for the vSRX VM, in the Hardware section, click Network Adapter. The Network Adapter pane appears (see Figure 20 on page 79). Assign network adapter 2 as the control link (em0) virtual switch.


Figure 20: Adding Virtual Switch to Network Adapter Pane Example

9. From the Virtual switch drop-down, assign ctrl_link to the control link virtual switch.

10. From the Network Adapter pane, select Advanced Features. Select the Enable MAC address spoofing check box to enable the MAC address spoofing function for the network adapter. MAC address spoofing is a requirement for the control link interface included in the redundancy groups.

11. Click OK and then click Yes to apply network adapter changes.

Creating the Fabric Link Connection in Hyper-V

To connect the fabric interface through the fabric link virtual switch using Hyper-V Manager:

1. If necessary, open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

2. From the Hyper-V Manager, select Action > Virtual Switch Manager. The Virtual Switch Manager appears.


3. Under the Virtual Switches section, select New virtual network switch. The Create Virtual Switch pane appears (see Figure 18 on page 77).

4. Select Internal as the type of virtual switch. Internal allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management host operating system.

5. Select Create Virtual Switch. The Virtual Switch Properties page appears (see Figure 19 on page 78).

6. Specify a name for the fabric link virtual switch. Leave the other virtual switch properties at their default settings.

7. Click OK and then click Yes to apply networking changes and to close the Virtual Switch Manager window.

8. Right-click the vSRX VM and select Settings from the context menu. From the Settings dialog for the vSRX VM, in the Hardware section, click Network Adapter to access the Network Adapter pane. The Network Adapter pane appears (see Figure 20 on page 79). Assign network adapter 3 as the fabric link (fab0 or fab1) virtual switch.

9. From the Virtual switch drop-down, assign fab0 or fab1 to the fabric link virtual switch.

10. From the Network Adapter pane, select Advanced Features. Select the Enable MAC address spoofing check box to enable the MAC address spoofing function for the network adapter. MAC address spoofing is a requirement for the fabric link interface included in the redundancy groups.

11. Click OK and then click Yes to apply network adapter changes.

Creating the Data Interfaces Using Hyper-V

To map all data interfaces to the desired network adapters:

1. If necessary, open the Hyper-V Manager by selecting Start > Administrative Tools > Hyper-V Manager.

2. From the Hyper-V Manager, select Action > Virtual Switch Manager. The Virtual Switch Manager appears.

3. Under the Virtual Switches section, select New virtual network switch. The Create Virtual Switch pane appears (see Figure 18 on page 77).


4. Select Internal as the type of virtual switch. Internal allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management host operating system.

5. Select Create Virtual Switch. The Virtual Switch Properties page appears (see Figure 19 on page 78).

6. Specify a name for the data interface virtual switch. Leave the other virtual switch properties at their default settings.

7. Click OK and then click Yes to apply networking changes and to close the Virtual Switch Manager window.

8. Right-click the vSRX VM and select Settings from the context menu. From the Settings dialog for the vSRX VM, in the Hardware section, click Network Adapter to access the Network Adapter pane. The Network Adapter pane appears (see Figure 20 on page 79). Assign network adapter 3 as the data interface (fab 0 or fab 1) virtual switch.

9. From the Virtual switch drop-down, assign the data interface to the virtual switch.

10. From the Network Adapter pane, select Advanced Features. Select the Enable MAC address spoofing check box to enable the MAC address spoofing function for the network adapter. MAC address spoofing is a requirement for the data interfaces included in the redundancy groups.

11. Click OK and then click Yes to apply network adapter changes. The data interface will be connected through the data virtual switch.
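The control link, fabric link and data interface procedures above can also be scripted from the Hyper-V host. The following PowerShell is an added example, not code from the Juniper guide; it assumes the Hyper-V PowerShell module, VM names vsrx-node0 and vsrx-node1 (the hostnames used in the staging configuration later in this chapter), switch names ctrl_link, fab_link, data_sw1 and data_sw2 chosen here, and that adapter 1 is fxp0, adapter 2 is em0, adapter 3 is the fabric link and adapters 4 and 5 are data interfaces.

```powershell
#Requires -Modules Hyper-V
# Added example, not part of the Juniper guide. Scripts the Hyper-V Manager steps
# above: create Internal virtual switches, attach them to the vSRX VM adapters,
# and enable MAC address spoofing on every adapter used by a redundancy group.
# Assumed layout (adapter positions as listed in the VM Settings dialog):
#   adapter 1 = fxp0 (management, already connected), adapter 2 = em0 (control link),
#   adapter 3 = fab0/fab1 (fabric link), adapters 4 and 5 = data interfaces.
# VM and switch names below are assumptions, not values from the guide.

$VMNames     = @('vsrx-node0', 'vsrx-node1')
$AdapterPlan = [ordered]@{
    2 = 'ctrl_link'   # control link (em0)
    3 = 'fab_link'    # fabric link (fab0 on node0, fab1 on node1)
    4 = 'data_sw1'    # first data interface
    5 = 'data_sw2'    # second data interface
}

function Initialize-InternalSwitch {
    param([Parameter(Mandatory)][string]$Name)
    # Internal switch: VM-to-VM and VM-to-host traffic on this Hyper-V server only (step 4 above).
    $sw = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue
    if (-not $sw) {
        $sw = New-VMSwitch -Name $Name -SwitchType Internal
    }
    return $sw
}

function Connect-ClusterAdapter {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][int]$Position,      # 1-based adapter position
        [Parameter(Mandatory)][string]$SwitchName
    )
    # Add adapters until the requested position exists, then connect that one.
    $nics = @(Get-VMNetworkAdapter -VMName $VMName)
    while ($nics.Count -lt $Position) {
        Add-VMNetworkAdapter -VMName $VMName -Name ("Network Adapter {0}" -f ($nics.Count + 1)) | Out-Null
        $nics = @(Get-VMNetworkAdapter -VMName $VMName)
    }
    $nic = $nics[$Position - 1]
    Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $SwitchName
    # Step 10 above: MAC address spoofing is required on the cluster-link and data
    # adapters that belong to redundancy groups, because reth child interfaces
    # transmit with the redundancy group's virtual MAC rather than the adapter's own.
    Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing On
}

foreach ($switch in ($AdapterPlan.Values | Select-Object -Unique)) {
    Initialize-InternalSwitch -Name $switch | Out-Null
}

foreach ($vm in $VMNames) {
    if ((Get-VM -Name $vm).State -ne 'Off') {
        throw "VM $vm must be powered off before its adapters are reassigned."
    }
    foreach ($entry in $AdapterPlan.GetEnumerator()) {
        Connect-ClusterAdapter -VMName $vm -Position $entry.Key -SwitchName $entry.Value
    }
    # Verification: each adapter, its switch and the spoofing setting, as the
    # Network Adapter pane in the guide would show them.
    Get-VMNetworkAdapter -VMName $vm |
        Select-Object VMName, Name, SwitchName, MacAddressSpoofing |
        Format-Table -AutoSize
}
```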

Prestaging the Configuration from the Console

The following procedure explains the configuration commands required to set up the vSRX chassis cluster. The procedure powers up both nodes, adds the configuration to the cluster, and allows SSH remote access.

1. Log in as the root user. There is no password.

2. Start the CLI.

root# cli
root@>

3. Enter configuration mode.

root@> configure
[edit]
root@#


4. Copy the following commands and paste them into the CLI:

set groups node0 interfaces fxp0 unit 0 family inet address 192.168.42.81/24
set groups node0 system hostname vsrx-node0
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.42.82/24
set groups node1 system hostname vsrx-node1
set apply-groups "${node}"

5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).

root@# set system root-authentication plain-text-password
New password: password
Retype new password: password
set system root-authentication encrypted-password "$ABC123"

6. To enable SSH remote access:

user@host# set system services ssh

7. To enable IPv6:

user@host# set security forwarding-options family inet6 mode flow-based

This step is optional and requires a system reboot.

8. Commit the configuration to activate it on the device.

user@host# commit
commit complete

9. When you have finished configuring the device, exit configuration mode.

user@host# exit

Connecting and Installing the Staging Configuration

After the vSRX cluster initial setup, set the cluster ID and the node ID, as described in “Configuring a vSRX Chassis Cluster in Junos OS” on page 67.

After reboot, the two nodes are reachable on interface fxp0 with SSH. If the configuration is operational, the show chassis cluster status command displays output similar to the following sample output.

vsrx> show chassis cluster status
Cluster ID: 1
Node   Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0   100   secondary   no   no
    node1   150   primary     no   no

Redundancy group: 1 , Failover count: 1
    node0   100   secondary   no   no
    node1   150   primary     no   no

A cluster is healthy when the primary and secondary nodes are present and both have a priority greater than 0.
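A check that applies this health rule to the command output, as an added example that is not part of the Juniper guide; $SampleStatus is constructed from the sample above, and on a live cluster the text would come from an SSH session to fxp0.

```powershell
# Added example, not part of the Juniper guide: parse "show chassis cluster status"
# and apply the health rule stated above (a primary and a secondary node present,
# both with priority > 0). $SampleStatus is constructed from the sample output.

$SampleStatus = @'
Cluster ID: 1
Node   Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0   100   secondary   no   no
    node1   150   primary     no   no

Redundancy group: 1 , Failover count: 1
    node0   100   secondary   no   no
    node1   150   primary     no   no
'@

function ConvertFrom-ClusterStatus {
    # Emits one object per node per redundancy group.
    param([Parameter(Mandatory)][string]$StatusText)
    $group = $null
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*Redundancy group:\s*(\d+)') {
            $group = [int]$Matches[1]
            continue
        }
        # Node rows: name, priority, status, preempt, manual failover.
        if ($null -ne $group -and $line -match '^\s*(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)') {
            [pscustomobject]@{
                RedundancyGroup = $group
                Node            = $Matches[1]
                Priority        = [int]$Matches[2]
                Status          = $Matches[3]
                Preempt         = $Matches[4]
                ManualFailover  = $Matches[5]
            }
        }
    }
}

function Test-ClusterHealth {
    # One result per redundancy group; Healthy follows the guide's rule and
    # Reason explains a failure (missing role, priority 0, or an unexpected state).
    param([Parameter(Mandatory)][string]$StatusText)
    $rows = @(ConvertFrom-ClusterStatus -StatusText $StatusText)
    if ($rows.Count -eq 0) { throw 'No redundancy group rows found in status output.' }
    foreach ($rg in ($rows | Select-Object -ExpandProperty RedundancyGroup -Unique)) {
        $members   = @($rows | Where-Object RedundancyGroup -eq $rg)
        $primary   = @($members | Where-Object Status -eq 'primary')
        $secondary = @($members | Where-Object Status -eq 'secondary')
        $zeroPrio  = @($members | Where-Object Priority -le 0)
        $reasons = @()
        if ($primary.Count -ne 1)   { $reasons += "expected 1 primary, found $($primary.Count)" }
        if ($secondary.Count -ne 1) { $reasons += "expected 1 secondary, found $($secondary.Count)" }
        if ($zeroPrio.Count -gt 0)  { $reasons += ('priority 0 on ' + ($zeroPrio.Node -join ', ')) }
        [pscustomobject]@{
            RedundancyGroup = $rg
            Healthy         = ($reasons.Count -eq 0)
            Reason          = ($reasons -join '; ')
        }
    }
}

Test-ClusterHealth -StatusText $SampleStatus | Format-Table -AutoSize
```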

Release History Table

Release: 15.1X49-D100
Description: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, support for chassis clustering to provide network node redundancy is only available on Windows Hyper-V Server 2016.


CHAPTER 6

vSRX Licensing

• vSRX Feature Licenses Overview on page 85

• Managing Licenses for vSRX on page 93

• vSRX License Model Numbers on page 99

vSRX Feature Licenses Overview

Some Junos OS software features require a license to activate the feature.

To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

NOTE: If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses.

• vSRX License Procurement and Renewal on page 85

• vSRX Evaluation License on page 86

• License Types on page 88

• Throughput on page 89

• License Duration on page 89

• Individual (à la carte) Feature Licenses on page 90

• Bundled Licenses on page 90

• Stacking Licenses on page 90

• vSRX License Keys Components on page 90

• License Management Fields Summary on page 91

vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to a customer ID. If you did not order the licenses when you purchased your software application, contact your account team or Juniper Networks Customer Care for assistance.

Licenses can be procured from the Juniper Networks License Management System (LMS).

For license renewal, use the show system license command to find the Juniper vSRX software serial number that you use to renew a license.

vsrx> show system license
License usage:
                       Licenses   Licenses   Licenses   Expiry
  Feature name         used       installed  needed
  Virtual Appliance    1          1          0          58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent

NOTE: Do not use the show chassis hardware command to get the serial number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.

NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command. We recommend deleting existing licenses before performing a software downgrade.

vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with a 60-day product evaluation license and a 30-day advanced security features license, both of which allow you to use vSRX and licensed features for a specified period without having to install a license key.

Table 17 on page 87 lists vSRX evaluation license types.


Table 17: vSRX Evaluation License Type

License Package: Trial license (temporary for evaluation only)

  Type: Product evaluation – Basic
  Period: 60 days
  License Model Number: –

  Type: Product evaluation – Advanced features
  Period: 30 days
  License Model Number: –

Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an evaluation license for using vSRX. This product-unlocking license is required to use the basic functions of the vSRX, such as networking, routing, and basic security features (such as stateful firewall).

NOTE: The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (https://forums.juniper.net/) and view the Support topics under the vSRX category.

Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.

Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure. You can download the trial license for advanced security features from the vSRX Free Trial License Page.

The 30-day trial license period begins on the day you enable the enhanced security features after you install the 60-day product evaluation license for vSRX. To continue using vSRX features after the 30-day license period expires, you must purchase and install the license; otherwise, the features are disabled. If the license for advanced security features expires while the evaluation license (product unlocking license) is still valid, only the advanced security features that require a license are disabled.

NOTE: The UTM advanced features have a slightly different trial license strategy. UTM does not require a 30-day trial license but only a 30-day grace period. Once the 30-day advanced security features trial license expires, Juniper Networks supports a 30-day grace period for you to continue using UTM features. The 30-day grace period goes into effect after the 30-day trial license expires.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.

License Types

Juniper Networks provides a variety of licenses for both basic firewall features and advanced security features for different throughputs and durations.

If you want to use vSRX to provide basic firewall features, you can use standard (basic) licenses. However, to use some of the more advanced security features, such as AppSecure, IDP, and UTM, you might need to purchase advanced features licenses.

The high-level categories for licenses are:

• Throughput–All licenses have an associated throughput. Throughput rates include 1 Gbps, 2 Gbps, and 4 Gbps on most platforms.

• Features–Licenses are available for different combinations of feature sets, from standard (STD) through Content Security Bundle (CS-B).

• Individual or bundled–Licenses can be individual (à la carte) licenses for a set of features, or can be bundled together to provide a broad range of features in one easy license to maintain.

• Duration–All licenses have an associated time duration. You can purchase basic licenses as perpetual (never expire) or subscription based (1-year or 3-year duration). All vSRX licenses are subscription based.

• New or renewal–All subscription licenses are either new (first-time purchase) or renewals (extending the license duration when the initial new subscription license is about to expire).

Figure 21 on page 89 shows a sample license SKU and identifies how each field maps to these categories.


Figure 21: Sample vSRX License SKU

[Figure: the sample SKU VSRX-10M-ASECB-3-R annotated with its fields: Product, Throughput, Feature set, Bundled or individual, Duration, New or renewal]

These categories of licenses can also be combined, or stacked, to provide more flexibility for your vSRX use cases.

Throughput

Bandwidth or throughput license types allow you to use a single instance of the software for up to the maximum throughput specified in the license entitlement. Throughput can be combined on a single instance of the software so that the maximum throughput for that instance is the aggregate of all the throughput licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput is identified in the license entitlement in megabits per second (Mbps), or gigabits per second (Gbps).

For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features, you would purchase a 1G STD license and a 2G STD license and install both on the vSRX. If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster, you could not use the same 2 Gbps license on both vSRX instances. You would need to purchase one set of licenses for each vSRX instance in the cluster.

License Duration

All licenses can be perpetual or subscription based.

• Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support; you must purchase that separately. vSRX software releases such as vSRX for AWS do not support perpetual licenses.

• Subscription license–A subscription license is an annual license that allows you to use the licensed software feature for the matching duration. Subscriptions might involve periodic downloads of content (such as for IDP threat signature files). Subscription licenses start when you retrieve the license key or 30 days after purchase if you have not retrieved the license key. At the end of the license period, you need to renew the license to continue using it.

NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.


Individual (à la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired throughput rate. Beyond that, you can select from a range of individual feature licenses that provide additional security feature sets. The feature license must match the standard license rate.

NOTE: AWS does not support individual licenses.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the following individual licenses:

• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.

• VSRX-CS-1G-1—Provides the advanced features.

Bundled Licenses

Bundled licenses simplify the license management by combining one or more individual licenses into a single bundled license. Instead of installing and managing a standard throughput license and one or more individual advanced feature licenses, you can purchase one of the bundle license options and manage one license instead.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes the STD throughput license. This means you only need to manage one license instead of two individual licenses.

Stacking Licenses

You can combine individual or bundled licenses to combine features or build up the overall supplied throughput for the vSRX instance.

For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of throughput for the vSRX instance. You can also combine individual licenses, such as Sophos antivirus (SAV) and Websense Enhanced Web Filtering (EWF), to get both sets of security features.

NOTE: Individual licenses require a STD license with the same throughput rate.

vSRX License Keys Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.


For example, in the following typical license key, the string E413XXXX57 is the license ID, and the trailing block of data is the license data:

E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

The license data conveys the customer ID and the software serial number (Juniper Networks support reference number) to the vSRX instance.

License Management Fields Summary

The Licenses window displays a summary of licensed features that are configured on the vSRX instance and a list of licenses that are installed on the vSRX instance.

To view the license details, select Maintain > Licenses in the J-Web user interface. The Licenses window appears as shown in Figure 22 on page 91.

Figure 22: J-Web Licenses Window Showing Installed Licenses

You can also view the details of a license in the CLI using the show system license command. The following sample shows details of an evaluation license in the CLI:

License usage:
                         Licenses   Licenses   Licenses   Expiry
  Feature name           used       installed  needed
  anti_spam_key_sbl      0          1          0          2016-04-15 08:00:00 CST
  idp-sig                0          1          0          2016-04-15 08:00:00 CST
  appid-sig              0          1          0          2016-04-15 08:00:00 CST
  av_key_sophos_engine   0          3          0          2016-07-29 08:00:00 CST
  wf_key_websense_ewf    0          1          0          2016-04-15 08:00:00 CST
  Virtual Appliance      1          1          0          2016-04-25 08:00:00 CST

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

The information on the license management page is summarized in Table 18 on page 92.

Table 18: Summary of License Management Fields

Feature Summary

Field Name: Feature
Definition: Name of the licensed feature:
• Features—Software feature licenses.
• All features—All-inclusive licenses.

Field Name: Licenses Used
Definition: Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.

Field Name: Licenses Installed
Definition: Number of licenses installed on the vSRX instance for the particular feature.

Field Name: Licenses Needed
Definition: Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: If a feature is configured and the license for that feature is not installed, a license is needed.

Field Name: Licenses expires on
Definition: Date the license expires.

Installed Licenses

Field Name: ID
Definition: Unique alphanumeric ID of the license.

Field Name: State
Definition: Valid—The installed license key is valid. Invalid—The installed license key is not valid.

Field Name: Version
Definition: Numeric version number of the license key.

Field Name: Group
Definition: If the license defines a group license, this field displays the group definition.
NOTE: Because group licenses are currently unsupported, this field is always blank.


Table 18: Summary of License Management Fields (continued)

Field Name: Enabled Features
Definition: Name of the feature that is enabled with the particular license.

Field Name: Expiration
Definition: Date the license expires.

Field Name: Software serial number
Definition: The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.

Field Name: Customer ID
Definition: ID that identifies the registered user.
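A script that reads the License usage table through the fields defined in Table 18 and raises the conditions this chapter warns about (licenses needed, an invalid or expired entry, expiry within the 30-day login-warning window), as an added example that is not from the Juniper guide; $SampleOutput is constructed from the outputs shown in this chapter and the reference date is a parameter so the run is reproducible.

```powershell
# Added example, not part of the Juniper guide: parse the "License usage" table of
# "show system license" (fields as defined in Table 18) and report features that
# need a license, carry an invalid expiry, have expired, or expire within the
# 30-day window in which the guide says the login warning appears.
# $SampleOutput is constructed from the sample outputs shown in this chapter.

$SampleOutput = @'
License usage:
                       Licenses   Licenses   Licenses   Expiry
  Feature name         used       installed  needed
  idp-sig              0          1          0          2016-04-15 08:00:00 CST
  av_key_sophos_engine 0          3          0          2016-07-29 08:00:00 CST
  wf_key_websense_ewf  1          0          1          invalid
  Virtual Appliance    1          1          0          58 days

Licenses installed:
  License identifier: E420588955
'@

function ConvertFrom-LicenseUsage {
    param([Parameter(Mandatory)][string]$Text)
    $inUsage = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*License usage:')      { $inUsage = $true;  continue }
        if ($line -match '^\s*Licenses installed:') { $inUsage = $false; continue }
        # The feature name may contain spaces ("Virtual Appliance"), so it is matched
        # lazily up to the three numeric columns; the remainder of the line is the expiry.
        if ($inUsage -and $line -match '^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$') {
            [pscustomobject]@{
                Feature   = $Matches[1]
                Used      = [int]$Matches[2]
                Installed = [int]$Matches[3]
                Needed    = [int]$Matches[4]
                Expiry    = $Matches[5]
            }
        }
    }
}

function Get-LicenseAlerts {
    # $Now is a parameter so the check is reproducible against sample output.
    param(
        [Parameter(Mandatory)][string]$Text,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30
    )
    foreach ($row in (ConvertFrom-LicenseUsage -Text $Text)) {
        $daysLeft = $null
        switch -Regex ($row.Expiry) {
            '^(\d+) days$' { $daysLeft = [int]$Matches[1] }
            '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})' {
                # Time zone suffix (e.g. CST) is dropped; the date is compared as given.
                $exp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
                $daysLeft = [int][math]::Floor(($exp - $Now).TotalDays)
            }
            '^permanent$' { $daysLeft = [int]::MaxValue }
        }
        $problems = @()
        if ($row.Needed -gt 0)           { $problems += "needs $($row.Needed) license(s), $($row.Installed) installed" }
        if ($null -eq $daysLeft)         { $problems += "expiry '$($row.Expiry)' is not a valid date" }
        elseif ($daysLeft -lt 0)         { $problems += 'expired' }
        elseif ($daysLeft -le $WarnDays) { $problems += "expires in $daysLeft day(s)" }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Feature = $row.Feature; Used = $row.Used; Alert = ($problems -join '; ') }
        }
    }
}

Get-LicenseAlerts -Text $SampleOutput -Now ([datetime]'2016-04-01') | Format-Table -AutoSize
```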

Managing Licenses for vSRX

Before you begin, ensure that you have retrieved the license key from the Juniper License Management System (LMS).

This section includes the following topics:

• vSRX Evaluation License Installation Process on page 93

• Adding a New License Key with J-Web on page 94

• Adding a New License Key from the CLI on page 95

• Updating vSRX Licenses on page 96

• Deleting a License with J-Web on page 97

• Deleting a License with the CLI on page 98

• License Warning Messages on page 98

vSRX Evaluation License Installation Process

Juniper Networks provides a 60-day evaluation license for vSRX standard features. When you download and install the vSRX image, you are entitled to use this evaluation license for 60 days as a trial. In addition to the 60-day vSRX evaluation license, there is a 30-day advanced security features trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure.

You can download the 30-day advanced security feature trial license from the vSRX Free Trial License Page.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.

Installation of the advanced security feature trial license is similar to the regular license installation performed from the CLI (see “Adding a New License Key from the CLI” on page 95).

Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.

NOTE: The 30-day evaluation license period begins on the day you enable enhanced security features after installing evaluation licenses. To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install the license. Otherwise, the features are disabled.

For details about the 60- and 30-day license evaluation periods for the vSRX, see “vSRX Feature Licenses Overview” on page 85.

Adding a New License Key with J-Web

To install a license using the J-Web interface:

1. Select Maintain > Licenses on the J-Web user interface. The Licenses window is displayed as shown in Figure 23 on page 94.

Figure 23: J-Web Licenses Window

2. Under Installed Licenses, click Add. The Add License window is displayed as shown in Figure 24 on page 95.

Figure 24: Add License Window

3. Do one of the following, using a blank line to separate multiple license keys:

• Enter the full URL to the destination file containing the license key in the License File URL box.

• Paste the license key text, in plaintext format, in the License Key Text box.

4. Click OK to add the license key. The License Details window is displayed as shown in Figure 25 on page 95.

Figure 25: License Details Window

The license key is installed and activated on the vSRX instance.

Adding a New License Key from the CLI

You can add a license key from a local file, from a remote URL, or from the terminal.

To install a license from the CLI:

1. Use the request system license add operational mode command to either add the license from a local file or remote URL that contains the license key, or to manually paste the license key in the terminal.

user@vsrx> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

E413XXXX57: successfully added
add license complete (no errors)

NOTE: You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.

2. Optionally, use the show system license command to view details of the licenses.

root@host> show system license
License usage:
                         Licenses   Licenses   Licenses   Expiry
  Feature name           used       installed  needed
  wf_key_websense_ewf    1          0          1          invalid

Licenses installed: none

The license key is installed and activated on the vSRX instance.

Updating vSRX Licenses

You can update the vSRX licenses using either of the following two methods:

• Automatic license update using the CLI

• Manual license update using the CLI

As a prerequisite, you must install at least one valid license key on your vSRX instance for required features. Automatic license updates as well as manual license updates are performed based on a valid software serial number and customer ID embedded in the license key.

To enable automatic license updates from the CLI:

1. Contact your account team or Juniper Networks Customer Care to extend the validity period of existing license keys and obtain the URL for a valid update server.

2. Once you have successfully extended your license key and received the update server URL, configure the auto-update parameter in configuration mode:

user@host# set system license autoupdate url https://ae1.juniper.net/

3. Configure renew options (if required). The following sample allows vSRX to contact the license server 30 days before the current license expires and sends an automatic update request every 6 hours.

user@host# set system license renew before-expiration 30
user@host# set system license renew interval 6

To manually update the licenses from the CLI:

1. Use the following command to update the license keys manually:

user@host> request system license update <url.of.license.server>

This command sends a license update request to the license server immediately.

NOTE: The request system license update command will always use the default Juniper license server: https://ae1.juniper.net

2. Check the status of the license by entering the show system license command.

Deleting a License with J-Web

To delete a license using the J-Web interface:

1. Select Maintain > Licenses.

2. Select the check box of the license or licenses you want to delete as shown in Figure 26 on page 97.

Figure 26: Deleting a License

3. Click Delete.

4. Click OK to confirm your deletion as shown in Figure 27 on page 98.


Chapter 6: vSRX Licensing

Figure 27: Delete LicensesWindow

The license you deleted is removed.

Deleting a License with the CLI

To delete a license using the CLI:

1. From operational mode, for each license, enter the following command and specify the license ID. You can delete only one license at a time.

user@host> request system license delete <license-key-identifier>

Or you can use the following command to delete all installed licenses.

user@host> request system license delete all

2. Type yes when you are prompted to confirm the deletion.

Delete license JUNOS606279 ? [yes,no] (no)

The license you deleted is removed.

License Warning Messages

You must purchase a new license or renew your existing subscription-based license to have a seamless transition from the old license to the new one.

The following conditions occur when a license expires on vSRX:

• Evaluation license for the core expires—Packet forwarding on vSRX is disabled. However, you can manage vSRX through the fxp0 management interface, and the CLI configuration is preserved.

• Subscription-based licenses for advanced security features expire but subscription-based licenses for core services are active—A 30-day grace period begins, allowing the user to continue using advanced security features. After the grace period, advanced security features are disabled. Basic features are always available in the vSRX. After subscription-based licenses for core services expire, a warning message is displayed to notify the user, but basic features will remain preserved for the user.

• Subscription-based license for core features expires but subscription-based license for advanced security features is active—A warning message is displayed to notify the user. However, you can continue to use the basic features on the vSRX. Advanced security features are disabled when the subscription-based license for advanced security features expires, but basic features will remain preserved for the user.

Because an expired core evaluation license stops packet forwarding outright, treat the Expiry column of show system license as an availability metric and renew well before it reaches zero; the 30-day grace period applies only to the advanced security features, not to the core license.


NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.

To use features that require a license, you must install and configure a license. After the license expires, warning messages are displayed in the system log and on the J-Web dashboard.

When a license expires, the System Alarms section of the J-Web dashboard displays a message stating that the license has expired as shown in Figure 28 on page 99.

Figure 28: J-Web Dashboard for License Expiry Warning

When a license expires, the following message appears when you log in:

Virtual Appliance License is invalid

vSRX LicenseModel Numbers

The licenses used by all Juniper Networks instances are based on SKUs, which represent lists of features. Each license includes a list of features that the license enables along with information about those features.

For information about purchasing software licenses, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/.

vSRX licenses are based on application packages and processing capacity.

Bandwidth (throughput) licenses allow you to use a single instance of the software for up to the maximum throughput specified in the license entitlement. Throughput licenses can be combined on a single instance of the software so that the maximum throughput for that instance is the aggregate of all the throughput licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput licenses are identified in the license entitlement in megabits per second (Mbps) or gigabits per second (Gbps).

vSRX provides bandwidth in the following capacities (throughput per instance): 10 Mbps, 100 Mbps, 1 Gbps, 2 Gbps, 4 Gbps, 10 Gbps, and 20 Gbps. Each of these bandwidth tiers is offered with four different packages along with bandwidth-based, a la carte, advanced Layer 7 security services SKUs.


Table 19 on page 100 describes the features available with the various license packages.

Table 19: vSRX Licensing Package Types

License Type: Secure Cloud Connect (SCC)
Duration: Both perpetual and subscription license options are available. See Table 20 on page 102 for SCC bandwidth SKUs available for vSRX.
Description: Includes the following features:
• IPsec VPN (site-to-site VPN)
• NAT
• CoS
• Routing services – BGP, OSPF, DHCP, J-Flow, IPv4, and IPv6
• Foundation – Static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics
• Software platform – KVM, Openstack, ESXi 6.0, Contrail

License Type: STD
Duration: Both perpetual and subscription license options are available. See Table 21 on page 103 for STD bandwidth SKUs available for vSRX.
Description: Includes the following features:
• Core security – firewall, ALG, screens, user firewall
• IPsec VPN (site-to-site VPN)
• NAT
• CoS
• Multicast services – IP Multicast (PIM, IGMP)
• Routing services – BGP, OSPF, DHCP, J-Flow, IPv4, and IPv6
• High availability
• Foundation – Static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics
• Software platform – KVM, Openstack, ESXi 6.0, Contrail

License Type: ASCB and ASECB
Duration: Subscription licenses only. See Table 22 on page 104 for bandwidth SKUs available for vSRX with AppSecure and IPS features.
Description: Includes all STD features bundled with the following additional AppSecure features:
• AppID
• AppFW
• AppQoS
• AppTrack

License Type: CS-B
Duration: Subscription licenses only. See Table 24 on page 106 for CS-B bandwidth SKUs available for vSRX.
Description: Includes all STD features bundled with ASEC features and the addition of UTM capabilities:
• Antispam
• Antivirus
• Content filtering
• Web filtering

License Type: Individual (a la carte) Advanced Security Services (ASEC, S-AV, W-EWF, CS)
Duration: Subscription licenses only. See Table 23 on page 105 for AppSecure and IPS SKUs available for vSRX. See Table 26 on page 108 for Sophos antivirus bandwidth SKUs available for vSRX. Table 27 on page 109 lists the Web filtering subscription licenses available for vSRX.
Description: Individual (a la carte) Layer 7 security services licenses including:
• Sophos antivirus
• Websense enhanced Web filtering
• AppSecure and IPS
• Content Security (CS)

NOTE: License stacking is allowed. So, for example, to license 20 Mbps of throughput for the standard (STD) feature set perpetually, use 2 VSRX-10M-STD licenses.

Table 20 on page 102 lists the Secure Cloud Connect bandwidth licenses and Table 21 on page 103 lists the standard bandwidth licenses available for vSRX.


Table 20: Secure Cloud Connect (SCC) vSRX Bandwidth Licenses

SCC Licenses: vSRX SCC package, 10M/100M/1G/2G/4G/10G/20G throughput (1-year, 3-year, or perpetual). A model number without a suffix is perpetual; the -1 and -3 suffixes are the 1-year and 3-year subscriptions.

Throughput   Perpetual         1-year              3-year
10 Mbps      VSRX-10M-SCC      VSRX-10M-SCC-1      VSRX-10M-SCC-3
100 Mbps     VSRX-100M-SCC     VSRX-100M-SCC-1     VSRX-100M-SCC-3
1 Gbps       VSRX-1G-SCC       VSRX-1G-SCC-1       VSRX-1G-SCC-3
2 Gbps       VSRX-2G-SCC       VSRX-2G-SCC-1       VSRX-2G-SCC-3
4 Gbps       VSRX-4G-SCC       VSRX-4G-SCC-1       VSRX-4G-SCC-3
10 Gbps      VSRX-10G-SCC      VSRX-10G-SCC-1      VSRX-10G-SCC-3
20 Gbps      VSRX-20G-SCC      VSRX-20G-SCC-1      VSRX-20G-SCC-3


Table 21: Standard (STD) vSRX Bandwidth Licenses

STD Licenses: vSRX standard package, 10M/100M/1G/2G/4G/10G/20G throughput (1 year, 3 years, and perpetual). A model number without a suffix is perpetual; the -1 and -3 suffixes are the 1-year and 3-year subscriptions.

Throughput   Perpetual         1-year              3-year
10 Mbps      VSRX-10M-STD      VSRX-10M-STD-1      VSRX-10M-STD-3
100 Mbps     VSRX-100M-STD     VSRX-100M-STD-1     VSRX-100M-STD-3
1 Gbps       VSRX-1G-STD       VSRX-1G-STD-1       VSRX-1G-STD-3
2 Gbps       VSRX-2G-STD       VSRX-2G-STD-1       VSRX-2G-STD-3
4 Gbps       VSRX-4G-STD       VSRX-4G-STD-1       VSRX-4G-STD-3
10 Gbps      VSRX-10G-STD      VSRX-10G-STD-1      VSRX-10G-STD-3
20 Gbps      VSRX-20G-STD      VSRX-20G-STD-1      VSRX-20G-STD-3

Table 22 on page 104 lists the bandwidth licenses available for vSRX bundled with AppSecure and IPS features.


Table 22: vSRX AppSecure and IPS Bundled (ASCB and ASECB) Bandwidth Licenses

ASCB / ASECB Licenses: vSRX AppSecure package, 10M/100M/1G/2G/4G/10G/20G throughput; includes all features in the STD package with IPS and AppSecure (1-year or 3-year subscription).

Throughput   1-year                 3-year
10 Mbps      VSRX-10M-ASECB-1       VSRX-10M-ASECB-3
100 Mbps     VSRX-100M-ASCB-1       VSRX-100M-ASCB-3
1 Gbps       VSRX-1G-ASECB-1        VSRX-1G-ASECB-3
2 Gbps       VSRX-2G-ASECB-1        VSRX-2G-ASECB-3
4 Gbps       VSRX-4G-ASECB-1        VSRX-4G-ASECB-3
10 Gbps      VSRX-10G-ASECB-1       VSRX-10G-ASECB-3
20 Gbps      VSRX-20G-ASECB-1       VSRX-20G-ASECB-3

Table 23 on page 105 lists the individual (a la carte) subscription licenses available for vSRX with AppSecure and IPS features.


Table 23: Individual vSRX AppSecure and IPS Subscription Licenses

ASEC Licenses: vSRX AppSecure package, 10M/100M/1G/2G/4G/10G/20G subscription; includes IPS and AppSecure (1-year or 3-year subscription).

Throughput   1-year                3-year
10 Mbps      VSRX-10M-ASEC-1       VSRX-10M-ASEC-3
100 Mbps     VSRX-100M-ASEC-1      VSRX-100M-ASEC-3
1 Gbps       VSRX-1G-ASEC-1        VSRX-1G-ASEC-3
2 Gbps       VSRX-2G-ASEC-1        VSRX-2G-ASEC-3
4 Gbps       VSRX-4G-ASEC-1        VSRX-4G-ASEC-3
10 Gbps      VSRX-10G-ASEC-1       VSRX-10G-ASEC-3
20 Gbps      VSRX-20G-ASEC-1       VSRX-20G-ASEC-3

Table 24 on page 106 lists the Content Security bundled (CS-B) bandwidth licenses available for vSRX.


Table 24: vSRX Content Security Bundled (CS-B) Bandwidth Licenses

CS Licenses: vSRX CS package, 10M/100M/1G/2G/4G/10G/20G throughput; includes all features in STD, IPS, and AppSecure, enhanced Web filtering, Sophos antivirus, antispam, content filtering (1-year or 3-year subscription).

Throughput   1-year                3-year
10 Mbps      VSRX-10M-CS-B-1       VSRX-10M-CS-B-3
100 Mbps     VSRX-100M-CS-B-1      VSRX-100M-CS-B-3
1 Gbps       VSRX-1G-CS-B-1        VSRX-1G-CS-B-3
2 Gbps       VSRX-2G-CS-B-1        VSRX-2G-CS-B-3
4 Gbps       VSRX-4G-CS-B-1        VSRX-4G-CS-B-3
10 Gbps      VSRX-10G-CS-B-1       VSRX-10G-CS-B-3
20 Gbps      VSRX-20G-CS-B-1       VSRX-20G-CS-B-3

Table 25 on page 107 lists the individual (a la carte) CS subscription licenses available for vSRX.


Table 25: vSRX Individual Content Security (CS) Subscription Licenses

CS Licenses: vSRX CS package, 10M/100M/1G/2G/4G/10G/20G throughput; includes enhanced Web filtering, Sophos antivirus, antispam, AppSecure and IPS (1-year or 3-year subscription).

Throughput   1-year              3-year
10 Mbps      VSRX-10M-CS-1       VSRX-10M-CS-3
100 Mbps     VSRX-100M-CS-1      VSRX-100M-CS-3
1 Gbps       VSRX-1G-CS-1        VSRX-1G-CS-3
2 Gbps       VSRX-2G-CS-1        VSRX-2G-CS-3
4 Gbps       VSRX-4G-CS-1        VSRX-4G-CS-3
10 Gbps      VSRX-10G-CS-1       VSRX-10G-CS-3
20 Gbps      VSRX-20G-CS-1       VSRX-20G-CS-3

Table 26 on page 108 lists the individual (a la carte) Sophos antivirus (S-AV) bandwidth licenses available for vSRX.


Table 26: vSRX Individual Sophos Antivirus (S-AV) Bandwidth Licenses

S-AV Licenses: vSRX S-AV license, 10M/100M/1G/2G/4G/10G/20G throughput (1-year or 3-year subscription).

Throughput   1-year                3-year
10 Mbps      VSRX-10M-S-AV-1       VSRX-10M-S-AV-3
100 Mbps     VSRX-100M-S-AV-1      VSRX-100M-S-AV-3
1 Gbps       VSRX-1G-S-AV-1        VSRX-1G-S-AV-3
2 Gbps       VSRX-2G-S-AV-1        VSRX-2G-S-AV-3
4 Gbps       VSRX-4G-S-AV-1        VSRX-4G-S-AV-3
10 Gbps      VSRX-10G-S-AV-1       VSRX-10G-S-AV-3
20 Gbps      VSRX-20G-S-AV-1       VSRX-20G-S-AV-3

Table 27 on page 109 lists the individual (a la carte) enhanced Web filtering (W-EWF) subscription licenses available for vSRX.


Table 27: vSRX Individual Enhanced Web Filtering (W-EWF) Bandwidth Licenses

W-EWF Licenses: vSRX W-EWF license, 10M/100M/1G/2G/4G/10G/20G throughput (1-year or 3-year subscription).

Throughput   1-year                 3-year
10 Mbps      VSRX-10M-W-EWF-1       VSRX-10M-W-EWF-3
100 Mbps     VSRX-100M-WEWF-1       VSRX-100M-WEWF-3
1 Gbps       VSRX-1G-W-EWF-1        VSRX-1G-W-EWF-3
2 Gbps       VSRX-2G-W-EWF-1        VSRX-2G-W-EWF-3
4 Gbps       VSRX-4G-W-EWF-1        VSRX-4G-W-EWF-3
10 Gbps      VSRX-10G-W-EWF-1       VSRX-10G-W-EWF-3
20 Gbps      VSRX-20G-W-EWF-1       VSRX-20G-W-EWF-3


CHAPTER 7

Troubleshooting

• Finding the Software Serial Number for vSRX on page 111

Finding the Software Serial Number for vSRX

You need the software serial number to open a support case or to renew a vSRX license.

1. Use the show system license command to find the vSRX software serial number. The value you need is the Software Serial Number line of each key listed under Licenses installed.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
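The show system license output is the one place on the vSRX that carries both the expiry state discussed under License Warning Messages and the software serial number needed here, so it is worth parsing rather than reading by eye before every renewal. The following Python script is an added example, not code from this guide or from Juniper. It parses a constructed show system license output modelled on the samples in this chapter (the idp-sig row with a date-style expiry and the 30-day warning window are assumptions), reports features with no key installed, invalid or expired keys, and keys inside the warning window, and extracts the license identifier, software serial number and customer ID of every installed key. Replace SAMPLE_OUTPUT with the real output captured over SSH to run it against a live instance.

```python
"""Parse `show system license` output from a vSRX and report keys that are
missing, invalid, or about to expire, plus the software serial numbers needed
for a support case or renewal.  Added example; SAMPLE_OUTPUT is constructed
from the figures in this chapter and is not output from a live device."""
import re
from datetime import datetime

# Constructed sample: the Virtual Appliance and wf_key_websense_ewf rows follow
# this chapter; the idp-sig row with a date-style expiry is an assumption.
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days
  wf_key_websense_ewf                   1            0           1    invalid
  idp-sig                               1            1           0    2018-05-01 00:00:00 UTC

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
"""

# One usage row: feature name (may contain spaces), three counters, expiry text.
USAGE_RE = re.compile(
    r"^\s*(?P<feature>\S.*?)\s+(?P<used>\d+)\s+(?P<installed>\d+)"
    r"\s+(?P<needed>\d+)\s+(?P<expiry>\S.*?)\s*$")
# Fields of an installed key that a support case or renewal asks for.
FIELD_RE = re.compile(
    r"^\s*(License identifier|License version|Software Serial Number|Customer ID):\s*(.+?)\s*$")


def parse_show_system_license(text):
    """Return {'usage': [row dicts], 'installed': [key dicts]}."""
    usage, installed, current, section = [], [], None, None
    for line in text.splitlines():
        if line.startswith("License usage:"):
            section = "usage"
            continue
        if line.startswith("Licenses installed:"):
            # "Licenses installed: none" means there is nothing to collect.
            section = None if line.split(":", 1)[1].strip() == "none" else "installed"
            continue
        if section == "usage":
            if "Feature name" in line or "Licenses" in line:   # column header rows
                continue
            m = USAGE_RE.match(line)
            if m:
                usage.append({"feature": m["feature"], "expiry": m["expiry"],
                              **{k: int(m[k]) for k in ("used", "installed", "needed")}})
        elif section == "installed":
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, value = m.groups()
            if key == "License identifier":      # starts a new key block
                current = {"identifier": value}
                installed.append(current)
            elif current is not None:
                current[key] = value
    return {"usage": usage, "installed": installed}


def days_until_expiry(expiry, today):
    """Days left for an expiry string: None for permanent, 0 for invalid/expired.
    `today` is an ISO date string (YYYY-MM-DD) so the check is reproducible."""
    low = expiry.strip().lower()
    if low == "permanent":
        return None
    if low in ("invalid", "expired"):
        return 0
    m = re.fullmatch(r"(\d+)\s+days?", low)
    if m:
        return int(m.group(1))
    # Subscription keys show an absolute time; ValueError if the format is unknown.
    when = datetime.strptime(expiry.strip(), "%Y-%m-%d %H:%M:%S %Z")
    return max(0, (when - datetime.strptime(today, "%Y-%m-%d")).days)


def license_findings(parsed, today, warn_days=30):
    """Items an operator should act on: missing keys, expired or invalid keys,
    and keys inside the warning window (30 days is an assumed default)."""
    findings = []
    for row in parsed["usage"]:
        name = row["feature"]
        if row["needed"] > 0:
            findings.append(f"{name}: {row['needed']} license(s) needed, {row['installed']} installed")
            continue
        try:
            left = days_until_expiry(row["expiry"], today)
        except ValueError:
            findings.append(f"{name}: unrecognised expiry '{row['expiry']}'")
            continue
        if left == 0:
            findings.append(f"{name}: license expired or invalid")
        elif left is not None and left <= warn_days:
            findings.append(f"{name}: expires in {left} days")
    return findings


def software_serial_numbers(parsed):
    """(identifier, software serial number, customer ID) for each installed key."""
    return [(k["identifier"], k.get("Software Serial Number"), k.get("Customer ID"))
            for k in parsed["installed"]]


if __name__ == "__main__":
    parsed = parse_show_system_license(SAMPLE_OUTPUT)
    for finding in license_findings(parsed, today="2018-04-13"):
        print("WARNING", finding)
    for ident, serial, customer in software_serial_numbers(parsed):
        print(f"{ident}: serial {serial} (customer {customer})")
```

On the sample the script flags wf_key_websense_ewf as needing a key and idp-sig as expiring in 18 days, while the Virtual Appliance key with 58 days left stays quiet under the default window. Widening warn_days for the core Virtual Appliance feature is worth considering, since its expiry stops forwarding rather than just disabling a Layer 7 service.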
