
vSRX Deployment Guide for VMware

Modified: 2019-09-05

Copyright © 2019, Juniper Networks, Inc.


Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States
and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective
owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.



Copyright © 2019 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.



Table of Contents

About the Documentation, page ix
  Documentation and Release Notes, page ix
  Documentation Conventions, page ix
  Documentation Feedback, page xi
  Requesting Technical Support, page xii
    Self-Help Online Tools and Resources, page xii
    Creating a Service Request with JTAC, page xiii

Chapter 1 Overview, page 15
  Understanding vSRX with VMware, page 15
    vSRX Overview, page 15
    vSRX Benefits and Use Cases, page 17
    vSRX on VMware ESXi Deployment, page 18
    vSRX Scale Up Performance, page 18
    vSRX Session Capacity Increase, page 19
  Requirements for vSRX on VMware, page 21
    Software Specifications, page 21
    Hardware Specifications, page 24
    Best Practices for Improving vSRX Performance, page 24
      NUMA Nodes, page 24
      PCI NIC-to-VM Mapping, page 25
    Interface Mapping for vSRX on VMware, page 25
    vSRX Default Settings on VMware, page 27
  Junos OS Features Supported on vSRX, page 27
    SRX Series Features Supported on vSRX, page 27
    SRX Series Features Not Supported on vSRX, page 28

Chapter 2 Installing vSRX in VMware, page 35
  Installing vSRX with VMware vSphere Web Client, page 35
  Loading an Initial Configuration on a vSRX with VMware, page 38
    Creating a vSRX Bootstrap ISO Image, page 40
    Uploading an ISO Image to a VMware Datastore, page 41
    Provisioning vSRX with an ISO Bootstrap Image on VMware, page 42
  Validating the vSRX .ova File for VMware, page 43


Chapter 3 vSRX VM Management, page 47
  Adding vSRX Interfaces, page 47
    Adding SR-IOV Interfaces, page 48
    Adding VMXNET 3 Interfaces, page 49
  Upgrading a Multicore vSRX with VMware, page 50
    Power Down vSRX VM with VMware vSphere Web Client, page 50
    Upgrading a Multicore vSRX with VMware vSphere Web Client, page 50
    Optimizing Performance of vSRX, page 51

Chapter 4 Configuring and Managing vSRX, page 53
  vSRX Configuration and Management Tools, page 53
    Understanding the Junos OS CLI and Junos Scripts, page 53
    Understanding the J-Web Interface, page 53
    Understanding Junos Space Security Director, page 53
  Configuring vSRX Using the CLI, page 54
  Configuring vSRX Using the J-Web Interface, page 56
    Accessing the J-Web Interface and Configuring vSRX, page 56
    Applying the Configuration, page 58
    Adding vSRX Feature Licenses, page 58
  Managing Security Policies for Virtual Machines Using Junos Space Security Director, page 59

Chapter 5 Configuring vSRX Chassis Clusters, page 61
  Configuring a vSRX Chassis Cluster in Junos OS, page 61
    Chassis Cluster Overview, page 61
    Enabling Chassis Cluster Formation, page 62
    Chassis Cluster Quick Setup with J-Web, page 63
    Manually Configuring a Chassis Cluster with J-Web, page 64
  vSRX Cluster Staging and Provisioning for VMware, page 69
    Deploying the VMs and Additional Network Interfaces, page 69
    Creating the Control Link Connection Using VMware, page 70
    Creating the Fabric Link Connection Using VMware, page 73
    Creating the Data Interfaces Using VMware, page 75
    Prestaging the Configuration from the Console, page 76
    Connecting and Installing the Staging Configuration, page 77
  Deploying vSRX Chassis Cluster Nodes Across Different ESXi Hosts Using dvSwitch, page 78

Chapter 6 Troubleshooting, page 81
  Finding the Software Serial Number for vSRX, page 81



List of Figures

Chapter 1 Overview, page 15
  Figure 1: vSRX Architecture, page 16
  Figure 2: vSRX 3.0 Architecture, page 17
  Figure 3: Example of vSRX Deployment, page 18

Chapter 2 Installing vSRX in VMware, page 35
  Figure 4: vSRX Edit Settings Page, page 37

Chapter 5 Configuring vSRX Chassis Clusters, page 61
  Figure 5: Promiscuous Mode, page 71
  Figure 6: Control vSwitch Properties, page 72
  Figure 7: Virtual Machine Properties for the Control vSwitch, page 72
  Figure 8: Control Interface Connected through the Control vSwitch, page 73
  Figure 9: Fabric vSwitch Properties, page 74
  Figure 10: Virtual Machine Properties for the Fabric vSwitch, page 75
  Figure 11: Fabric Interface Connected Through the Fabric vSwitch, page 75
  Figure 12: dvPortGroup3 Settings, page 78
  Figure 13: dvPortGroup6 Settings, page 79



List of Tables

About the Documentation, page ix
  Table 1: Notice Icons, page x
  Table 2: Text and Syntax Conventions, page x

Chapter 1 Overview, page 15
  Table 3: vSRX Scale Up Performance, page 18
  Table 4: vSRX and vSRX 3.0 Flow Session Capacity Details, page 20
  Table 5: Specifications for vSRX on VMware, page 21
  Table 6: Specifications for vSRX 3.0 on VMware, page 23
  Table 7: Hardware Specifications for the Host Machine, page 24
  Table 8: Interface Names for a Standalone vSRX VM, page 26
  Table 9: Interface Names for a vSRX Cluster Pair, page 26
  Table 10: Factory Default Settings for Security Policies, page 27
  Table 11: vSRX Feature Considerations, page 27
  Table 12: SRX Series Features Not Supported on vSRX, page 28

Chapter 2 Installing vSRX in VMware, page 35
  Table 13: Disk Formats for Virtual Disk Storage, page 36

Chapter 4 Configuring and Managing vSRX, page 53
  Table 14: Instance Name and User Account Information, page 57
  Table 15: System Time Options, page 57

Chapter 5 Configuring vSRX Chassis Clusters, page 61
  Table 16: Chassis Cluster Configuration Page, page 65
  Table 17: Edit Node Setting Configuration Details, page 66
  Table 18: Add HA Cluster Interface Configuration Details, page 67
  Table 19: Add Redundancy Groups Configuration Details, page 68
  Table 20: Hardware Attributes, page 70



About the Documentation

• Documentation and Release Notes on page ix
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xii

Documentation and Release Notes


To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.


Table 1: Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
            (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

  Example for braces and semicolons:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You
can use either of the following methods:

• Online feedback system—Click TechLibrary Feedback, on the lower right of any page
on the Juniper Networks TechLibrary site, and do one of the following:

  • Click the thumbs-up icon if the information on the page was helpful to you.

  • Click the thumbs-down icon if the information on the page was not helpful to you
  or if you have suggestions for improvement, and use the pop-up form to provide
  feedback.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active Juniper Care or Partner Support
Services support contract, or are covered under warranty, and need post-sales technical
support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources


For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/

• Create a service request online: https://myjuniper.juniper.net

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC


You can create a service request with JTAC on the Web or by telephone.

• Visit https://myjuniper.juniper.net.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.



CHAPTER 1

Overview

• Understanding vSRX with VMware on page 15
• Requirements for vSRX on VMware on page 21
• Junos OS Features Supported on vSRX on page 27

Understanding vSRX with VMware

This section presents an overview of vSRX on VMware.

• vSRX Overview on page 15
• vSRX Benefits and Use Cases on page 17
• vSRX on VMware ESXi Deployment on page 18
• vSRX Scale Up Performance on page 18
• vSRX Session Capacity Increase on page 19

vSRX Overview
vSRX is a virtual security appliance that provides security and networking services at the
perimeter or edge in virtualized private or public cloud environments. vSRX runs as a
virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating
system (Junos OS) and delivers networking and security features similar to those available
on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution,
including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services
such as Application Security, intrusion detection and prevention (IPS), and UTM features
including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX
offers a cloud-based advanced anti-malware service with dynamic analysis to protect
against sophisticated malware, and provides built-in machine learning to improve verdict
efficacy and decrease time to remediation.

Figure 1 on page 16 shows the high-level architecture.


Figure 1: vSRX Architecture

[Figure: block diagram of the vSRX VM. The Junos control plane (JCP / vRE) contains MGD (management daemon) and RPD (routing protocol daemon). The data plane contains advanced services, flow processing, and packet forwarding on the Junos kernel, which runs under QEMU/KVM with DPDK (Data Plane Development Kit) inside Juniper Linux as the guest OS. Beneath the VM sit the hypervisors and cloud environments (VMware, KVM, Microsoft Hyper-V, Amazon Web Services, Microsoft Azure, Contrail Cloud) and the physical x86 server with its memory and storage.]

vSRX includes the Junos control plane (JCP) and the packet forwarding engine (PFE)
components that make up the data plane. vSRX uses one virtual CPU (vCPU) for the
JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and
Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and GB virtual RAM
(vRAM). Additional vCPUs are applied to the data plane to increase performance.

Junos OS Release 18.4R1 supports a new software architecture, vSRX 3.0, that removes
the dual-OS and nested-virtualization requirements of the existing vSRX architecture.

In the vSRX 3.0 architecture, FreeBSD 11.x is used as the guest OS, and the Routing Engine
and Packet Forwarding Engine run on FreeBSD 11.x as a single virtual machine for improved
performance and scalability. vSRX 3.0 uses DPDK to process the data packets in the
data plane. A direct Junos upgrade from vSRX to vSRX 3.0 software is not supported.

vSRX 3.0 has the following enhancements compared to vSRX:

• Removed the restriction of requiring nested VM support in hypervisors.

• Removed the restriction of requiring ports connected to the control plane to have
promiscuous mode enabled.

• Improved boot time and enhanced responsiveness of the control plane during
management operations.

• Improved live migration.


Figure 2 on page 17 shows the high-level software architecture for vSRX 3.0.

Figure 2: vSRX 3.0 Architecture

[Figure: block diagram of the vSRX 3.0 VM. The Junos control plane (RE) contains MGD (management daemon) and RPD (routing protocol daemon). The data plane contains advanced services, flow processing, and packet forwarding over DPDK (Data Plane Development Kit). Both run in a single Junos OS instance (64-bit SMP, FreeBSD 11.x). Beneath the VM sit the hypervisors and cloud environments (VMware, KVM, Amazon Web Services, Microsoft Azure, Contrail Cloud) and the physical x86 server with its memory and storage.]

vSRX Benefits and Use Cases


vSRX on standard x86 servers enables you to quickly introduce new services, deliver
customized services to customers, and scale security services based on dynamic needs.
vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant
environment include:

• Stateful firewall protection at the tenant edge

• Faster deployment of virtual firewalls into new sites

• Ability to run on top of various hypervisors and public cloud infrastructures

• Full routing, VPN, core security, and networking capabilities

• Application security features (including IPS and App-Secure)

• Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content
Filtering)

• Centralized management with Junos Space Security Director and local management
with J-Web Interface

• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration


vSRX on VMware ESXi Deployment

VMware vSphere is a virtualization environment for systems supporting the x86
architecture. VMware ESXi is the hypervisor used to create and run virtual machines
(VMs) and virtual appliances on a host machine. The VMware vCenter Server is a service
that manages the resources of multiple ESXi hosts.

The VMware vSphere Web Client is used to deploy the vSRX VM.

Figure 3 on page 18 shows an example of how vSRX can be deployed to provide security
for applications running on one or more virtual machines. The vSRX virtual switch has a
connection to a physical adapter (the uplink) so that all application traffic flows through
the vSRX VM to the external network.

Figure 3: Example of vSRX Deployment

vSRX Scale Up Performance


Table 3 on page 18 shows the vSRX scale up performance based on the number of vCPUs
and vRAM applied to a vSRX VM. The table outlines the Junos OS release in which a
particular software specification for deploying vSRX on VMware was introduced. You
will need to download a specific Junos OS release to take advantage of certain scale up
performance features.

Table 3: vSRX Scale Up Performance

vCPUs | vRAM | NICs | Junos OS Release Introduced
2 vCPUs | 4 GB | SR-IOV (Intel 82599, X520/X540); VMXNET3 | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
5 vCPUs | 8 GB | VMXNET3 | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
9 vCPUs | 16 GB | SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) | Junos OS Release 18.4R1
17 vCPUs | 32 GB | SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) | Junos OS Release 18.4R1

NOTE: SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4
EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity
of a vSRX to 9 vCPUs and 16 GB vRAM, or to 17 vCPUs and 32 GB vRAM.

You can scale the performance and capacity of a vSRX instance by increasing the number
of vCPUs and the amount of vRAM allocated to the vSRX. The multi-core vSRX
automatically selects the appropriate vCPUs and vRAM values at boot time, as well as
the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM
settings allocated to a vSRX VM do not match what is currently available, the vSRX
scales down to the closest supported value for the instance. For example, if a vSRX VM
has 3 vCPUs and 8 GB of vRAM, vSRX boots to the smaller vCPU size, which requires a
minimum of 2 vCPUs. You can scale up a vSRX instance to a higher number of vCPUs
and amount of vRAM, but you cannot scale down an existing vSRX instance to a smaller
setting.

NOTE: The number of RSS queues typically matches with the number of
data plane vCPUs of a vSRX instance. For example, a vSRX with 4 data plane
vCPUs should have 4 RSS queues.

vSRX Session Capacity Increase


The vSRX solution is optimized to increase the number of sessions by increasing the memory.

With the ability to increase the number of sessions by increasing the memory, you can enable
vSRX to:

• Provide highly scalable, flexible, and high-performance security at strategic locations
in the mobile network.

• Deliver the performance that service providers require to scale and protect their
networks.

Run the show security flow session summary | grep maximum command to view the
maximum number of sessions.


Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX
instance is increased based on the vRAM size used.

Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX
3.0 instance is increased based on the vRAM size used.

Table 4 on page 20 lists the flow session capacity.

Table 4: vSRX and vSRX 3.0 Flow Session Capacity Details

vCPUs | Memory | Flow Session Capacity
2 | 4 GB | 0.5 M
2 | 6 GB | 1 M
2/5 | 8 GB | 2 M
2/5 | 10 GB | 2 M
2/5 | 12 GB | 2.5 M
2/5 | 14 GB | 3 M
2/5/9 | 16 GB | 4 M
2/5/9 | 20 GB | 6 M
2/5/9 | 24 GB | 8 M
2/5/9 | 28 GB | 10 M
2/5/9/17 | 32 GB | 12 M
2/5/9/17 | 40 GB | 16 M
2/5/9/17 | 48 GB | 20 M
2/5/9/17 | 56 GB | 24 M
2/5/9/17 | 64 GB | 28 M
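The scale-down behavior described under "vSRX Scale Up Performance" and the capacity rows of Table 4 can be turned into a pre-deployment sizing check, so that a VM is not provisioned with resources the vSRX will silently leave unused or with fewer flow sessions than planned. The following Python is an added example, not Juniper code: it encodes Table 3, Table 4, and the Mellanox SR-IOV note as data and predicts the profile a given allocation actually boots with. The NIC label strings are constructed for this example, and stepping the vCPU profile down when the vRAM is below its Table 3 minimum is this example's reading of "scales down to the closest supported value".

```python
"""Pre-deployment sizing check for a vSRX VM, built from the rules in this chapter.

Table 3 gives the supported vCPU profiles and the vRAM paired with each, Table 4
gives the flow-session capacity per vRAM size, and the text states that an
allocation with no exact match makes vSRX scale down to the closest supported
value, and that RSS queues match the number of data-plane vCPUs.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Table 3: supported vCPU profile -> minimum vRAM (GB) paired with it.
VCPU_PROFILES: Dict[int, int] = {2: 4, 5: 8, 9: 16, 17: 32}

# Table 4: vRAM (GB) -> flow-session capacity in millions of sessions.
FLOW_SESSIONS_M: Dict[int, float] = {
    4: 0.5, 6: 1.0, 8: 2.0, 10: 2.0, 12: 2.5, 14: 3.0,
    16: 4.0, 20: 6.0, 24: 8.0, 28: 10.0,
    32: 12.0, 40: 16.0, 48: 20.0, 56: 24.0, 64: 28.0,
}

# NIC labels (constructed for this example) that satisfy the Table 3 note:
# the 9- and 17-vCPU profiles require SR-IOV on a Mellanox ConnectX-3/-4 adapter.
MELLANOX_SRIOV = {
    "sriov-mellanox-connectx-3", "sriov-mellanox-connectx-3-pro",
    "sriov-mellanox-connectx-4-en", "sriov-mellanox-connectx-4-lx-en",
}


@dataclass
class SizingResult:
    vcpus: int                  # vCPU profile the vSRX will actually boot with
    vram_gb: int                # vRAM row the vSRX will actually use
    data_plane_vcpus: int       # profile minus the single JCP vCPU
    rss_queues: int             # one RSS queue per data-plane vCPU
    flow_sessions_m: float      # capacity from Table 4, in millions
    warnings: List[str] = field(default_factory=list)


def plan_vsrx(vcpus_allocated: int, vram_gb_allocated: int,
              nic: str = "vmxnet3") -> SizingResult:
    """Predict what a vSRX boots as when given this VM allocation and NIC type."""
    if vcpus_allocated < 2 or vram_gb_allocated < 4:
        raise ValueError("vSRX needs at least 2 vCPUs and 4 GB vRAM (Table 3)")

    warnings: List[str] = []

    # Closest supported value at or below the allocation, for vCPUs and vRAM.
    vcpus = max(p for p in VCPU_PROFILES if p <= vcpus_allocated)
    vram = max(m for m in FLOW_SESSIONS_M if m <= vram_gb_allocated)

    # Assumption of this example: if the vRAM row is below the minimum paired
    # with the chosen vCPU profile (Table 3), the profile steps down as well.
    while VCPU_PROFILES[vcpus] > vram:
        smaller = [p for p in VCPU_PROFILES if p < vcpus]
        warnings.append(f"{vram} GB vRAM is below the {VCPU_PROFILES[vcpus]} GB "
                        f"minimum for the {vcpus}-vCPU profile")
        vcpus = max(smaller)

    if vcpus != vcpus_allocated:
        warnings.append(f"{vcpus_allocated} vCPUs allocated but vSRX boots the "
                        f"{vcpus}-vCPU profile; {vcpus_allocated - vcpus} vCPU(s) unused")
    if vram != vram_gb_allocated:
        warnings.append(f"{vram_gb_allocated} GB vRAM allocated but capacity is that "
                        f"of the {vram} GB row; {vram_gb_allocated - vram} GB unused")
    if vcpus >= 9 and nic not in MELLANOX_SRIOV:
        warnings.append(f"the {vcpus}-vCPU profile requires SR-IOV on a Mellanox "
                        f"ConnectX-3/ConnectX-4 adapter; '{nic}' does not qualify")

    data_plane = vcpus - 1  # one vCPU is reserved for the JCP
    return SizingResult(vcpus, vram, data_plane, data_plane,
                        FLOW_SESSIONS_M[vram], warnings)


if __name__ == "__main__":
    # The chapter's own example: 3 vCPUs and 8 GB boots as the 2-vCPU profile.
    for alloc in [(3, 8, "vmxnet3"), (9, 16, "vmxnet3"),
                  (9, 16, "sriov-mellanox-connectx-4-en"), (5, 6, "vmxnet3")]:
        r = plan_vsrx(*alloc)
        print(f"{alloc} -> {r.vcpus} vCPU / {r.vram_gb} GB, "
              f"{r.rss_queues} RSS queues, {r.flow_sessions_m} M sessions")
        for w in r.warnings:
            print("   warning:", w)
```

Compare the predicted capacity against the output of show security flow session summary | grep maximum on the booted instance; a mismatch means the VM did not boot with the profile you planned.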


Release History Table

Release | Description
19.2R1 | Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX 3.0 instance is increased based on the vRAM size used.
18.4R1 | Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX instance is increased based on the vRAM size used.
15.1X49-D70 | Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and GB virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.

Related Documentation

• VMware vSphere
• RSS: Receive Side Scaling

Requirements for vSRX on VMware

• Software Specifications on page 21
• Hardware Specifications on page 24
• Best Practices for Improving vSRX Performance on page 24
• Interface Mapping for vSRX on VMware on page 25
• vSRX Default Settings on VMware on page 27

Software Specifications
Table 5 on page 21 lists the system software requirement specifications when deploying
vSRX on VMware. The table outlines the Junos OS release in which a particular software
specification for deploying vSRX on VMware was introduced. You need to download a
specific Junos OS release to take advantage of certain features.

Table 5: Specifications for vSRX on VMware

Component | Specification | Junos OS Release Introduced
Hypervisor support | VMware ESXi 5.1, 5.5, or 6.0 | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
Hypervisor support | VMware ESXi 5.5, 6.0, 6.5 | Junos OS Release 17.4R1, 18.1R1, 18.2R1, 18.3R1
Hypervisor support | VMware ESXi 6.5 | Junos OS Release 18.4R1
Memory | 4 GB | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
Memory | 8 GB | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
Memory | 16 GB | Junos OS Release 18.4R1
Memory | 32 GB | Junos OS Release 18.4R1
Disk space | 16 GB (IDE or SCSI drives) | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
vCPUs | 2 vCPUs | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
vCPUs | 5 vCPUs | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
vCPUs | 9 vCPUs | Junos OS Release 18.4R1
vCPUs | 17 vCPUs | Junos OS Release 18.4R1
vNICs | Up to 10 vNICs, of type SR-IOV or VMXNET3 (see the notes below) | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
vNICs | Starting in Junos OS Release 18.4R1: SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX VM to 9 or 17 vCPUs and 16 or 32 GB vRAM; the DPDK version has been upgraded from 17.02 to 17.11.2 to support the Mellanox family adapters | Junos OS Release 18.4R1

Notes on vNICs:

NOTE: We recommend the Intel X520/X540 physical NICs for SR-IOV support on vSRX.
For SR-IOV limitations, see the Known Behavior section of the vSRX Release Notes.

NOTE: The Intel DPDK drivers use polling mode for all vNICs, so the NAPI and
interrupt mode features in VMXNET3 are not currently supported.

NOTE: Starting in Junos OS Release 15.1X49-D20, in vSRX deployments using VMware
ESX, changing the default speed (1000 Mbps) or the default link mode (full duplex)
is not supported on VMXNET3 vNICs.

Table 6 on page 23 lists the specifications for the vSRX 3.0 virtual machine (VM).

Table 6: Specifications for vSRX 3.0 on VMware

vCPU   vRAM   DPDK    Hugepage   vNICs   vDisk   Junos OS Release Introduced
2      4G     17.05   2G         2-10    20G     Junos OS Release 18.2R1
5      8G     17.05   6G         2-10    20G     Junos OS Release 18.4R1

vSRX 3.0 on VMware supports VMXNET3 through DPDK and PMD, and SR-IOV (82599). A maximum
of eight interfaces is supported. DPDK uses HugePage for improved performance.

Hardware Specifications
Table 7 on page 24 lists the hardware specifications for the host machine that runs the
vSRX VM.

Table 7: Hardware Specifications for the Host Machine

Component                          Specification

Host processor type                Intel x86_64 multicore CPU
                                   NOTE: DPDK requires Intel Virtualization VT-x/VT-d support in the CPU.
                                   See About Intel Virtualization Technology.

Virtual network adapter            VMXNET3 device or VMware Virtual NIC
                                   NOTE: The Virtual Machine Communication Interface (VMCI) communication
                                   channel is internal to the ESXi hypervisor and the vSRX VM.

Physical NIC support on vSRX 3.0   SR-IOV on X710/XL710

Best Practices for Improving vSRX Performance


Review the following practices to improve vSRX performance.

NUMA Nodes

The x86 server architecture consists of multiple sockets and multiple cores within a
socket. Each socket also has memory that is used to store packets during I/O transfers
from the NIC to the host. To efficiently read packets from memory, guest applications
and associated peripherals (such as the NIC) should reside within a single socket. A
penalty is associated with spanning CPU sockets for memory accesses, which might
result in nondeterministic performance. For vSRX, we recommend that all vCPUs for the
vSRX VM are in the same physical non-uniform memory access (NUMA) node for optimal
performance.


CAUTION: The Packet Forwarding Engine (PFE) on the vSRX will become
unresponsive if the NUMA nodes topology is configured in the hypervisor to
spread the instance’s vCPUs across multiple host NUMA nodes. vSRX requires
that you ensure that all vCPUs reside on the same NUMA node.

We recommend that you bind the vSRX instance with a specific NUMA node
by setting NUMA node affinity. NUMA node affinity constrains the vSRX VM
resource scheduling to only the specified NUMA node.

PCI NIC-to-VM Mapping

If the node on which vSRX is running is different from the node to which the Intel PCI NIC
is connected, then packets will have to traverse an additional hop in the QPI link, and this
will reduce overall throughput. Use the esxtop command to view information about
relative physical NIC locations. On some servers where this information is not available,
refer to the hardware documentation for the slot-to-NUMA node topology.

Related Documentation
• About Intel Virtualization Technology
• DPDK Release Notes

Interface Mapping for vSRX on VMware


Each network adapter defined for a vSRX is mapped to a specific interface, depending
on whether the vSRX instance is a standalone VM or one of a cluster pair for high
availability. The interface names and mappings in vSRX are shown in Table 8 on page 26
and Table 9 on page 26.

Note the following:

• In standalone mode:

• fxp0 is the out-of-band management interface.

• ge-0/0/0 is the first traffic (revenue) interface.

• In cluster mode:

• fxp0 is the out-of-band management interface.

• em0 is the cluster control link for both nodes.

• Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0
for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.

Table 8 on page 26 shows the interface names and mappings for a standalone vSRX
VM.


Table 8: Interface Names for a Standalone vSRX VM

Network
Adapter Interface Name in Junos OS

1 fxp0

2 ge-0/0/0

3 ge-0/0/1

4 ge-0/0/2

5 ge-0/0/3

6 ge-0/0/4

7 ge-0/0/5

8 ge-0/0/6

Table 9 on page 26 shows the interface names and mappings for a pair of vSRX VMs in
a cluster (node 0 and node 1).

Table 9: Interface Names for a vSRX Cluster Pair

Network
Adapter Interface Name in Junos OS

1 fxp0 (node 0 and 1)

2 em0 (node 0 and 1)

3 ge-0/0/0 (node 0)
ge-7/0/0 (node 1)

4 ge-0/0/1 (node 0)
ge-7/0/1 (node 1)

5 ge-0/0/2 (node 0)
ge-7/0/2 (node 1)

6 ge-0/0/3 (node 0)
ge-7/0/3 (node 1)

7 ge-0/0/4 (node 0)
ge-7/0/4 (node 1)

8 ge-0/0/5 (node 0)
ge-7/0/5 (node 1)


vSRX Default Settings on VMware


vSRX requires the following basic configuration settings:

• Interfaces must be assigned IP addresses.

• Interfaces must be bound to zones.

• Policies must be configured between zones to permit or deny traffic.

NOTE: For the management interface, fxp0, VMware uses the VMXNET 3 vNIC and requires
promiscuous mode on the vSwitch. Promiscuous mode lets every VM attached to that vSwitch
or port group receive all frames on it, so place fxp0 on a dedicated management port
group rather than on one shared with other workloads.

Table 10 on page 27 lists the factory default settings for the vSRX security policies.

Table 10: Factory Default Settings for Security Policies

Source Zone Destination Zone Policy Action

trust untrust permit

trust trust permit

untrust trust deny

Junos OS Features Supported on vSRX

This section presents an overview of the Junos OS features on vSRX.

• SRX Series Features Supported on vSRX on page 27


• SRX Series Features Not Supported on vSRX on page 28

SRX Series Features Supported on vSRX


vSRX inherits most of the branch SRX Series features with the following considerations
shown in Table 11 on page 27.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature
Explorer, a Web-based application that helps you explore and compare Junos OS feature
information to find the right software release and hardware platform for your network.
Find Feature Explorer at: Feature Explorer: vSRX.

Table 11: vSRX Feature Considerations

Feature            Description

Chassis cluster    Generally, on SRX Series devices, the cluster ID and node ID are written into
                   EEPROM. For the vSRX VM, the IDs are saved in boot/loader.conf and read during
                   initialization.

IDP                The IDP feature is subscription based and must be purchased. After purchase, you
                   can activate the IDP feature with the license key.
                   For SRX Series IDP configuration details, see Understanding Intrusion Detection
                   and Prevention for SRX Series.
                   In J-Web, use the following steps to add or edit an IPS rule:
                   1. Click Security>IDP>Policy>Add.
                   2. On the Add IPS Rule page, select All instead of Any for the Direction field to
                      list all the FTP attacks.

ISSU               ISSU is not supported on vSRX.

Transparent mode   The known behaviors for transparent mode support on vSRX are:
                   • The default MAC learning table size is restricted to 16,383 entries.
                   For information about configuring transparent mode for vSRX, see Layer 2 Bridging
                   and Transparent Mode Overview.

UTM                The UTM feature is subscription based and must be purchased. After purchase, you
                   can activate the UTM feature with the license key.
                   For SRX Series UTM configuration details, see Unified Threat Management Overview.
                   For SRX Series UTM antispam configuration details, see Antispam Filtering Overview.

Some Junos OS software features require a license to activate the feature. To understand
more about vSRX licenses, see Licenses for vSRX. Refer to the Licensing Guide for general
information about license management, and to the product data sheets for further details,
or contact your Juniper account team or Juniper partner.

SRX Series Features Not Supported on vSRX


vSRX inherits many features from the SRX Series device product line. Table 12 on page 28
lists SRX Series features that are not applicable in a virtualized environment, that are
not currently supported, or that have qualified support on vSRX.

Table 12: SRX Series Features Not Supported on vSRX

SRX Series Feature                                   vSRX Notes

Application Layer Gateways
  Avaya H.323                                        Not supported

Authentication with IC Series devices
  Layer 2 enforcement in UAC deployments             Not supported
                                                     NOTE: UAC-IDP and UAC-UTM also are not supported.

Chassis cluster support
  NOTE: Support for chassis clustering to provide network node redundancy is only available on a
  vSRX deployment in Contrail, VMware, KVM, and Windows Hyper-V Server 2016.
  Chassis cluster for VirtIO driver                  Only supported with KVM
                                                     NOTE: The link status of VirtIO interfaces is always
                                                     reported as UP, so a vSRX chassis cluster cannot receive
                                                     link up and link down messages from VirtIO interfaces.
  Dual control links                                 Not supported
  In-band and low-impact cluster upgrades            Not supported
  LAG and LACP (Layer 2 and Layer 3)                 Not supported
  Layer 2 Ethernet switching                         Not supported
  Low-latency firewall                               Not supported
  PPPoE over redundant Ethernet interface            Not supported
                                                     NOTE: Starting in Junos OS Release 15.1X49-D100 and
                                                     Junos OS Release 17.4R1, vSRX supports Point-to-Point
                                                     Protocol over a redundant Ethernet interface (PPPoE).
  SR-IOV interfaces                                  Not supported (See the Known Behavior section of the
                                                     vSRX Release Notes for more information about SR-IOV
                                                     limitations.)

Class of service
  High-priority queue on SPC                         Not supported
  Tunnels                                            Only GRE and IP-IP tunnels supported
                                                     NOTE: A vSRX VM deployed on Microsoft Azure Cloud does
                                                     not support GRE and multicast.

Data plane security log messages (stream mode)
  TLS protocol                                       Not supported

Diagnostic tools
  Flow monitoring cflowd version 9                   Not supported
                                                     NOTE: Starting in Junos OS Release 15.1X49-D80, vSRX
                                                     supports J-Flow version 9 flow monitoring on a chassis
                                                     cluster.
  Ping Ethernet (CFM)                                Not supported
  Traceroute Ethernet (CFM)                          Not supported

DNS proxy
  Dynamic DNS                                        Not supported

Ethernet link aggregation
  LACP in standalone or chassis cluster mode         Not supported
  Layer 3 LAG on routed ports                        Not supported
  Static LAG in standalone or chassis cluster mode   Not supported

Ethernet link fault management
  Physical interface (encapsulations)
    ethernet-ccc, ethernet-tcc                       Not supported
    extended-vlan-ccc, extended-vlan-tcc             Not supported
  Interface family
    ccc, tcc                                         Not supported
    ethernet-switching                               Not supported

Flow-based and packet-based processing
  End-to-end packet debugging                        Not supported
  Network processor bundling                         Not supported
  Services offloading                                Not supported

Interfaces
  Aggregated Ethernet interface                      Not supported
  IEEE 802.1X dynamic VLAN assignment                Not supported
  IEEE 802.1X MAC bypass                             Not supported
  IEEE 802.1X port-based authentication control      Not supported
  with multisupplicant support
  Interleaving using MLFR                            Not supported
  PoE                                                Not supported
  PPP interface                                      Not supported
  PPPoE-based radio-to-router protocol               Not supported
  PPPoE interface                                    Not supported
                                                     NOTE: Starting in Junos OS Release 15.1X49-D100 and
                                                     Junos OS Release 17.4R1, the vSRX supports the
                                                     Point-to-Point Protocol over Ethernet (PPPoE) interface.
  Promiscuous mode on interfaces                     Only supported if enabled on the hypervisor

IPsec and VPNs
  Acadia - Clientless VPN                            Not supported
  DVPN                                               Not supported
  Hardware IPsec (bulk crypto) Cavium/RMI            Not supported
  IPsec tunnel termination in routing instances      Supported on virtual router only
  Multicast for AutoVPN                              Not supported

IPv6 support
  DS-Lite concentrator (also called Address Family   Not supported
  Transition Router [AFTR])
  DS-Lite initiator (aka B4)                         Not supported

J-Web
  Enhanced routing configuration                     Not supported
  New Setup wizard (for new configurations)          Not supported
  PPPoE wizard                                       Not supported
  Remote VPN wizard                                  Not supported
  Rescue link on dashboard                           Not supported
  UTM configuration for Kaspersky antivirus and      Not supported
  the default Web filtering profile

Log file formats for system (control plane) logs
  Binary format (binary)                             Not supported
  WELF                                               Not supported

Miscellaneous
  GPRS                                               Not supported
                                                     NOTE: Starting in Junos OS Release 15.1X49-D70 and
                                                     Junos OS Release 17.3R1, vSRX supports GPRS.
  Hardware acceleration                              Not supported
  Logical systems                                    Not supported
  Outbound SSH                                       Not supported
  Remote instance access                             Not supported
  USB modem                                          Not supported
  Wireless LAN                                       Not supported

MPLS
  Circuit cross-connect (CCC) and translational      Not supported
  cross-connect (TCC)
  Layer 2 VPNs for Ethernet connections              Only if promiscuous mode is enabled on the hypervisor

Network Address Translation
  Maximize persistent NAT bindings                   Not supported

Packet capture
  Packet capture                                     Only supported on physical interfaces and tunnel
                                                     interfaces, such as gr, ip, and st0. Packet capture is
                                                     not supported on redundant Ethernet interfaces (reth).

Routing
  BGP Flowspec                                       Not supported
  BGP route reflector                                Not supported
  Bidirectional Forwarding Detection (BFD) for BGP   Not supported
  CRTP                                               Not supported

Switching
  Layer 3 Q-in-Q VLAN tagging                        Not supported

Transparent mode
  UTM                                                Not supported

Unified threat management
  Express AV                                         Not supported
  Kaspersky AV                                       Not supported

Upgrading and rebooting
  Autorecovery                                       Not supported
  Boot instance configuration                        Not supported
  Boot instance recovery                             Not supported
  Dual-root partitioning                             Not supported
  OS rollback                                        Not supported

User interfaces
  NSM                                                Not supported
  SRC application                                    Not supported
  Junos Space Virtual Director                       Only supported with VMware


CHAPTER 2

Installing vSRX in VMware

• Installing vSRX with VMware vSphere Web Client on page 35


• Loading an Initial Configuration on a vSRX with VMware on page 38
• Validating the vSRX .ova File for VMware on page 43

Installing vSRX with VMware vSphere Web Client

The following procedure describes how to install vSRX and connect vSRX interfaces to
the virtual switches for the appropriate applications. Only the vSRX virtual switch has a
connection to a physical adapter (the uplink) so that all application traffic flows through
the vSRX VM to the external network.

To install vSRX with the VMware vSphere Web Client:

NOTE: To upgrade an existing vSRX instance, see Migration, Upgrade, and Downgrade in the
vSRX Release Notes.

1. Download the vSRX software package for VMware from the Juniper Networks website.

   NOTE: Do not change the filename of the downloaded software image or the installation
   will fail.

2. Validate the vSRX .ova file if required. For more information, see “Validating the vSRX
   .ova File for VMware” on page 43.

3. Enter the vCenter server hostname or address in your browser (https://<ipaddress>:9443)
   to access the vSphere Web Client, and log in to the vCenter server with your credentials.

4. Select a host or other valid parent for a virtual machine and click Actions > All vCenter
Actions > Deploy OVF Template.

NOTE: The Client Integration Plug-in must be installed before you can
deploy OVF templates (see your VMware documentation).


5. Click Browse to locate the vSRX software package, and then click Next.

6. Click Next in the OVF Template Details window.

7. Click Accept in the End User License Agreement window, and then click Next.

8. Change the default vSRX VM name in the Name box and click Next. It is advisable to
keep this name the same as the hostname you intend to give to the VM.

9. In the Datastore window, do not change the default settings for:

• Datastore

• Available Space

Table 13 on page 36 lists the disk formats available to store the virtual disk. You can
choose one of the three options listed.

NOTE: For detailed information on the disk formats, see Virtual Disk
Provisioning.

Table 13: Disk Formats for Virtual Disk Storage

Disk Format Description

Thick Provision Lazy Zeroed Allocates disk space to the virtual disk without erasing the
previously stored data. The previous data is erased when the VM
is used for the first time.

Thick Provision Eager Erases the previously stored data completely and then allocates
Zeroed the disk space to the virtual disk. Creation of disks in this format is
time consuming.

Thin Provision Allocates only as much datastore space as the disk needs for its
initial operations. Use this format to save storage space.

10. Select a datastore to store the configuration file and virtual disk files in OVF template,
and then click Next.

11. Select your management network from the list, and then click Next. The management
network is assigned to the first network adapter, which is reserved for the management
interface (fxp0).

12. Click Finish to complete the installation.

13. Open the Edit Settings page of the vSRX VM and select a virtual switch for each
network adapter. Three network adapters are created by default. Network adapter 1
is for the management network (fxp0). To add a fourth adapter, select Network from
New device list at the bottom of the page. To add more adapters, see “Adding vSRX
Interfaces” on page 47.

In Figure 4 on page 37, network adapter 2 uses the management network for the uplink
to the external network.


Figure 4: vSRX Edit Settings Page

14. Enable promiscuous mode for the management virtual switch:

    1. Select the host where the vSRX VM is installed, and select Manage > Networking
       > Virtual switches.

    2. In the list of virtual switches, select vSwitch0 to view the topology diagram for the
       management network connected to network adapter 1.

    3. Click the Edit icon at the top of the list, select Security, and select Accept next to
       Promiscuous mode. Click OK.

    NOTE: vSwitch1 corresponds to network adapter 2, vSwitch2 corresponds to network
    adapter 3, and so on.

15. Enable hardware-assisted virtualization to optimize performance of the vSRX Routing
    Engine that runs in a nested VM:

    1. Power off the vSRX VM.

    2. Right-click on the vSRX VM and select Edit Settings.

    3. On the Virtual Hardware tab, expand CPU, select Expose hardware-assisted
       virtualization to guest OS, and click OK.

    On the Manage tab, select Settings > VM Hardware and expand CPU to verify that the
    Hardware virtualization option is shown as Enabled.

NOTE: The default vSRX VM login ID is root with no password. By default, vSRX is assigned
a DHCP-based IP address if a DHCP server is available on the network. Set a root password
(for example, through the bootstrap ISO described in “Loading an Initial Configuration on
a vSRX with VMware” on page 38) before fxp0 becomes reachable from hosts you do not
control.

Loading an Initial Configuration on a vSRX with VMware

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can use a
mounted ISO image to pass the initial startup Junos OS configuration to a vSRX VM. This
ISO image contains a file in the root directory called juniper.conf. The configuration file
uses curly brackets ({) and indentation to display the hierarchical structure of the
configuration. Terminating or leaf statements in the configuration hierarchy are displayed
with a trailing semicolon (;) to define configuration details, such as root password,
management IP address, default gateway, and other configuration statements.

NOTE: The juniper.conf file must be in the same format as the output of the show
configuration command; it cannot be in set command format.

NOTE: The example configuration that follows enables telnet, HTTP web management, SSH
root login and a permit-all default policy, and places every interface in a single zone.
These settings are convenient for a lab bootstrap but should be removed or restricted
before the VM carries production traffic.

The process to bootstrap a vSRX VM with an ISO configuration image is as follows:

1. Create the juniper.conf configuration file with your Junos OS configuration.

An example of a juniper.conf file follows.

system {
    host-name iso-mount-test;
    root-authentication {
        encrypted-password "$5$wCXP/Ma4$aqMJBhy82.wI643ijb73yHKKl9TXApPycGKKn.PjpA8"; ## SECRET-DATA
    }
    login {
        user regress {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$6$FGJM2YEb$KTGIehvNt9Mf.u3ESWGB1aSQeXrSeg6zoCWZw0D6M6vnmWb8DAWsprNXyKZeW6M3kErFFTFtAuNpGjDjfwX4t."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login allow;
        }
        telnet;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone AAA {
            interfaces {
                all;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 77;
            family inet {
                address 10.1.1.0/24 {
                    arp 10.1.1.10 mac 00:10:12:34:12:34;
                }
            }
        }
    }
    ge-0/0/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 1177;
            family inet {
                address 10.1.1.1/24 {
                    arp 10.1.1.10 mac 00:10:22:34:22:34;
                }
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.70.9/19;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.64.1;
    }
}

2. Create an ISO image that includes the juniper.conf file.

3. Mount the ISO image to the vSRX VM.

4. Boot or reboot the vSRX VM. vSRX will boot using the juniper.conf file included in the
mounted ISO image.

5. Unmount the ISO image from the vSRX VM.

NOTE: If you do not unmount the ISO image after the initial boot or reboot,
all subsequent configuration changes to the vSRX are overwritten by the ISO
image on the next reboot.

• Creating a vSRX Bootstrap ISO Image on page 40


• Uploading an ISO Image to a VMWare Datastore on page 41
• Provisioning vSRX with an ISO Bootstrap Image on VMWare on page 42

Creating a vSRX Bootstrap ISO Image


This task uses a Linux system to create the ISO image.


To create a vSRX bootstrap ISO image:

1. Create a configuration file in plaintext with the Junos OS command syntax and save
in a file called juniper.conf.

2. Create a new directory.

hostOS$ mkdir iso_dir

3. Copy juniper.conf to the new ISO directory.

hostOS$ cp juniper.conf iso_dir

NOTE: The juniper.conf file must contain the full vSRX configuration. The
ISO bootstrap process overwrites any existing vSRX configuration.

4. Use the Linux mkisofs command to create the ISO image.

hostOS$ mkisofs -l -o test.iso iso_dir

I: -input-charset not specified, using utf-8 (detected in locale settings)


Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
175 extents written (0 MB)

NOTE: The -l option allows for a long filename.

See Also • Linux mkisofs command
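The checks a practitioner would want around the procedure above, as an added Python example that is not part of Juniper's documentation or tooling: it lints juniper.conf for the format rules the guide states (curly-brace show configuration format, not set commands, braces balanced), refuses a file with no root password because the ISO bootstrap replaces the whole configuration, flags the telnet, HTTP, root-login and permit-all statements seen in the guide's sample as warnings, and then builds the ISO. It assumes one of mkisofs, genisoimage or xorrisofs is installed for the build step (the guide uses mkisofs -l); the sample configuration strings and the placeholder password hash are constructed for the example.

```python
"""Lint a juniper.conf bootstrap file, then wrap it in an ISO image (added example).

Assumptions (not from the vSRX guide): the file must be in curly-brace
'show configuration' format, a root password must be present, and one of
mkisofs / genisoimage / xorrisofs is installed for the build step.
"""
import os
import re
import shutil
import subprocess
import tempfile
from typing import List

# Statements that are handy in a lab bootstrap but widen the management
# attack surface; they are reported as warnings, not rejected.
RISKY_PATTERNS = {
    r"^\s*telnet;": "system services telnet is enabled (cleartext logins)",
    r"^\s*http\s*\{": "web-management http is enabled (cleartext J-Web)",
    r"^\s*root-login\s+allow;": "ssh root-login allow is set",
    r"^\s*permit-all;": "default-policy permit-all is set",
}


def _strip_annotation(line: str) -> str:
    """Drop a trailing '## SECRET-DATA'-style annotation and surrounding whitespace."""
    return re.sub(r"\s*##.*$", "", line).strip()


def lint_juniper_conf(text: str) -> List[str]:
    """Return findings; entries prefixed 'warning:' do not block the build."""
    findings = []
    depth = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_annotation(raw)
        if not line or line.startswith(("#", "/*")):
            continue
        # Show-configuration format only: each statement ends in '{', '}' or ';'.
        if line.startswith(("set ", "delete ")):
            findings.append(f"line {n}: set-command format is not accepted by the ISO bootstrap")
        elif not line.endswith(("{", "}", ";")):
            findings.append(f"line {n}: statement does not end in '{{', '}}' or ';'")
        # Track nesting so an unbalanced file is caught before the VM reboots on it.
        for ch in line:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    findings.append(f"line {n}: unmatched '}}'")
                    depth = 0
    if depth:
        findings.append(f"{depth} unclosed '{{' at end of file")
    # The bootstrap replaces the entire configuration; without this block the
    # VM comes up with the default root login and no password.
    if not re.search(r"root-authentication\s*\{[^}]*encrypted-password", text):
        findings.append("no root-authentication encrypted-password: root would have no password")
    for pattern, message in RISKY_PATTERNS.items():
        if re.search(pattern, text, re.M):
            findings.append("warning: " + message)
    return findings


def build_bootstrap_iso(conf_text: str, iso_path: str) -> str:
    """Place juniper.conf in the ISO root (as the guide requires); return the tool used."""
    errors = [f for f in lint_juniper_conf(conf_text) if not f.startswith("warning:")]
    if errors:
        raise ValueError("juniper.conf rejected: " + "; ".join(errors))
    tool = next((t for t in ("mkisofs", "genisoimage", "xorrisofs") if shutil.which(t)), None)
    if tool is None:
        raise RuntimeError("install mkisofs, genisoimage or xorrisofs")
    with tempfile.TemporaryDirectory() as iso_dir:
        with open(os.path.join(iso_dir, "juniper.conf"), "w") as fh:
            fh.write(conf_text)
        # -l keeps the long file name 'juniper.conf', as in the guide's mkisofs command.
        subprocess.run([tool, "-l", "-o", iso_path, iso_dir], check=True, capture_output=True)
    return tool


# Constructed sample: a minimal bootstrap (the hash value is a placeholder, not a real hash).
SAMPLE_OK = """\
system {
    host-name vsrx-bootstrap;
    root-authentication {
        encrypted-password "$6$placeholder"; ## SECRET-DATA
    }
    services {
        ssh;
    }
}
"""
# Constructed sample: the same bootstrap with the lab conveniences from the guide's example.
SAMPLE_LAB = SAMPLE_OK.replace(
    "        ssh;\n", "        ssh {\n            root-login allow;\n        }\n        telnet;\n")
# Constructed sample: set-format text, which the ISO bootstrap does not accept.
SAMPLE_SET = "set system host-name vsrx\nset system services telnet\n"
```

Run lint_juniper_conf on the file before calling build_bootstrap_iso; treat any non-warning finding as a stop, and decide deliberately whether each warning belongs in the image you are about to boot from.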

Uploading an ISO Image to a VMWare Datastore


To upload an ISO image to a datastore:

1. On the VMware vSphere Web Client, select the datastore you want to upload the file
to.

2. Select the folder where you want to store the file and click Upload a File from the task
bar.

3. Browse to the file on your local computer and click Upload.


Optionally, refresh the datastore to see the new file.

Provisioning vSRX with an ISO Bootstrap Image on VMWare


To provision a vSRX VM with an ISO bootstrap image:

1. From VMware vSphere client, select the host server where the vSRX VM resides.

2. Right-click the vSRX VM and select Edit Settings. The Edit Settings dialog box appears.

3. Select the Hardware tab and click Add. The Add Hardware dialog box opens.

4. Select the CD/DVD drive and click Next.

5. Select Use ISO image and click Next.

6. Click Datastore ISO File, browse to your bootstrap ISO image, and click Next.

7. Click Next and Finish to save this setting.

8. Click OK to save this CD drive to the VM.

9. Right-click the vSRX VM and select Power>Power On to boot the vSRX VM.

10. After the vSRX boots, verify the configuration and then select Power> Power down to
shut down the vSRX so you can remove the ISO image.

11. Select the CD/DVD drive from the Hardware tab in the VMWare vSphere client.

12. Select the CD drive for the ISO file and click Remove to remove your bootstrap ISO
image.

13. Click OK to save this setting.

14. Right-click the vSRX VM and select Power>Power On to boot the vSRX VM.


Release History Table

Release       Description
15.1X49-D80   Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can use a mounted ISO image to pass the initial startup Junos OS configuration to a vSRX VM. This ISO image contains a file in the root directory called juniper.conf. The configuration file uses curly brackets ({) and indentation to display the hierarchical structure of the configuration. Terminating or leaf statements in the configuration hierarchy are displayed with a trailing semicolon (;) to define configuration details, such as root password, management IP address, default gateway, and other configuration statements.

Related Documentation
• Linux mkisofs command

Validating the vSRX .ova File for VMware

The vSRX open virtual application (OVA) image is securely signed. You can validate the
OVA image, if necessary, but you can install or upgrade vSRX without validating the OVA
image.

Before you validate the OVA image, ensure that the Linux/UNIX PC or Windows PC on
which you are performing the validation has the following utilities available: tar, openssl,
and ovftool. See the OVF Tool Documentation for details about the VMware Open
Virtualization Format (OVF) tool, including a Software Download link.

To validate the OVA image on a Linux machine:

1. Download the vSRX OVA image and the Juniper Networks Root certificate file
(JuniperRootRSACA.pem) from the vSRX Juniper Networks Software Download page.

NOTE: You need to download the Juniper Networks Root certificate file
only once; you can use the same file to validate OVA images for future
releases of vSRX.

2. (Optional) If you downloaded the OVA image and the certificate file to a PC running
Windows, copy the two files to a temporary directory on a PC running Linux or UNIX.
You can also copy the OVA image and the certificate file to a temporary directory
(/var/tmp or /tmp) on a vSRX node.

Ensure that the OVA image file and the Juniper Networks Root certificate file are not
modified during the validation procedure. You can do this by providing write access
to these files only to the user performing the validation procedure. This is especially
important if you use an accessible temporary directory, such as /tmp or /var/tmp,
because such directories can be accessed by several users. Take precautions to ensure
that the files are not modified by other users during the validation procedure.

3. Navigate to the directory containing the OVA image.


-bash-4.1$ ls

JuniperRootCA.pem junos-vsrx-15.1X49-DXX.4-domestic.ova

4. Unpack the OVA image by running the following command: tar xf ova-filename

where ova-filename is the filename of the previously downloaded OVA image.

-bash-4.1$ mkdir tmp

-bash-4.1$ cd tmp

-bash-4.1$ tar xf ../junos-vsrx-15.1X49-DXX.4-domestic.ova

5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem)
and a signature file (vsrx.cert).

-bash-4.1$ ls

certchain.pem junos-vsrx-15.1X49-DXX.4-domestic.cert
junos-vsrx-15.1X49-DXX.4-domestic-disk1.vmdk
junos-vsrx-15.1X49-DXX.4-domestic.mf junos-vsrx-15.1X49-DXX.4-domestic.ovf

6. Validate the unpacked OVF file (extension .ovf) by running the following command:
ovftool ovf-filename

where ovf-filename is the filename of the unpacked OVF file contained within the
previously downloaded OVA image.

-bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-15.1X49-DXX.4-domestic.ovf

OVF version: 1.0


VirtualApp: false
Name: vSRX
Version: JUNOS 15.1
Vendor: Juniper Networks Inc.
Product URL:

https://www.juniper.net/us/en/products-services/software/security/vsrxseries/
Vendor URL: https://www.juniper.net/
Download Size: 227.29 MB

Deployment Sizes:
Flat disks: 2.00 GB
Sparse disks: 265.25 MB

Networks:
Name: VM Network
Description: The VM Network network

Virtual Machines:
Name: Juniper Virtual SRX


Operating System: freebsdguest


Virtual Hardware:
Families: vmx-07
Number of CPUs: 2
Cores per socket: 1
Memory: 2.00 GB

Disks:
Index: 0
Instance ID: 5
Capacity: 2.00 GB
Disk Types: IDE

NICs:
Adapter Type: E1000
Connection: VM Network

Adapter Type: E1000


Connection: VM Network

Deployment Options:
Id: 2GvRAM
Label: 2G vRAM
Description:
2G Memory

7. Validate the signing certificate with the Juniper Networks Root CA file by running the
following command:

openssl verify -CAfile JuniperRootRSACA.pem -untrusted Certificate-Chain-File Signature-file

where JuniperRootRSACA.pem is the Juniper Networks Root CA file, Certificate-Chain-File
is the filename of the unpacked certificate chain file (extension .pem) and Signature-file
is the filename of the unpacked signature file (extension .cert).

-bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem junos-vsrx-15.1X49-DXX.4-domestic.cert

junos-vsrx-15.1X49-DXX.4-domestic.cert: OK

NOTE: openssl verify confirms only that the certificate embedded in the .cert file chains
to the Juniper Networks root CA. It does not check the signature that the .cert file
carries over the manifest (.mf), nor the digests the manifest lists for the .ovf and .vmdk
files; ovftool applies those checks when it reads the package in Step 6, so run both steps.

8. (Optional) If you encounter validation issues with the OVA image:

   a. Determine if the contents of the OVA image have been modified. If the contents
      have been modified, download the OVA image again from the vSRX downloads page.

   b. Determine whether the Juniper Networks Root CA file is corrupted or modified. If
      it was corrupted or modified, download the certificate file again from the vSRX
      downloads page.

   c. Retry the preceding validation steps using one or both new files.
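The manifest check that the certificate validation in Step 7 does not perform, as an added example that is not part of this guide and not Juniper's or VMware's code. It parses an OVF manifest (.mf), whose lines have the form SHA1(file)= hex (or SHA256/SHA512), recomputes each digest over the unpacked file, and reports OK, MISMATCH or MISSING per file; it also splits an OVF .cert file into the signed manifest digest and the PEM certificate that openssl verify actually examines. The .cert layout (a signed-digest line followed by a PEM block) is assumed from the OVF specification, and the file names and contents used in the demo are constructed, not a real vSRX image.

```python
"""Offline check of an unpacked OVA package's manifest digests.

Added example; this is not Juniper's or VMware's code. The ``openssl verify``
step in this guide proves only that the signing certificate chains to the
Juniper root CA. The file contents are covered by the OVF manifest (.mf), whose
lines have the form ``SHA1(<file>)= <hex>`` (or SHA256/SHA512), and by the
.cert file, whose first line is a signed digest of the manifest followed by the
PEM certificate (layout assumed from the OVF specification). The package used
in the demo below is constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_manifest(text: str) -> List[Tuple[str, str, str]]:
    """Return (algorithm, file name, expected hex digest) for every manifest line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        entries.append((m.group("algo"), m.group("name"), m.group("hex").lower()))
    return entries


def build_manifest(files: Dict[str, bytes], algo: str = "SHA256") -> str:
    """Produce manifest text for a set of files (used here to construct the demo package)."""
    return "".join(f"{algo}({name})= {ALGOS[algo](data).hexdigest()}\n"
                   for name, data in files.items())


def verify_manifest(manifest: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare each manifest entry against the bytes of the named file.

    Returns file name -> "OK", "MISMATCH" or "MISSING". A single MISMATCH means
    the package was altered after the manifest was produced; do not deploy it.
    """
    results = {}
    for algo, name, expected in parse_manifest(manifest):
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        elif ALGOS[algo](data).hexdigest() == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def split_cert_file(text: str) -> Tuple[str, str, str]:
    """Return (manifest name, signature hex, PEM certificate) from an OVF .cert file.

    The PEM part is what ``openssl verify -CAfile ... -untrusted certchain.pem``
    validates; the signature hex covers the named manifest, not the package files.
    """
    first = text.splitlines()[0]
    m = MANIFEST_LINE.match(first)
    pem = PEM_BLOCK.search(text)
    if m is None or pem is None:
        raise ValueError("not an OVF .cert file: expected 'SHA1(x.mf)= <hex>' then a PEM block")
    return m.group("name"), m.group("hex").lower(), pem.group(0)


def verify_package_dir(ovf_dir: str, manifest_name: str) -> Dict[str, str]:
    """Run verify_manifest over the files listed in <ovf_dir>/<manifest_name>."""
    base = Path(ovf_dir)
    manifest = (base / manifest_name).read_text()
    files = {}
    for _algo, name, _hex in parse_manifest(manifest):
        path = base / name
        if path.is_file():
            files[name] = path.read_bytes()
    return verify_manifest(manifest, files)


if __name__ == "__main__":
    # Constructed sample package (not a real vSRX image).
    pkg = {"vsrx-demo.ovf": b"<Envelope/>", "vsrx-demo-disk1.vmdk": b"KDMV" * 16}
    mf = build_manifest(pkg)
    print(verify_manifest(mf, pkg))            # every file OK
    pkg["vsrx-demo-disk1.vmdk"] = b"tampered"  # simulate a modified disk image
    print(verify_manifest(mf, pkg))            # the .vmdk reports MISMATCH
```

For a real unpacked image, call verify_package_dir with the directory from Step 4 and the .mf file name from Step 5; any result other than OK for every listed file is the "contents have been modified" case of Step 8a.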



CHAPTER 3

vSRX VM Management

• Adding vSRX Interfaces on page 47


• Upgrading a Multicore vSRX with VMware on page 50

Adding vSRX Interfaces

The network adapter for each interface uses SR-IOV or VMXNET 3 as the adapter type.
The first network adapter is for the management interface (fxp0) and must use VMXNET
3. All additional network adapters should have the same adapter type. The three network
adapters created by default use VMXNET 3.

NOTE: Starting in Junos OS Release 18.4R1:

• SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN)
  is required if you intend to scale the performance and capacity of a vSRX VM to 9 or 17
  vCPUs and 16 or 32 GB vRAM.

• The DPDK version has been upgraded from 17.02 to 17.11.2 to support the Mellanox family
  adapters.

The network adapters are mapped sequentially to the vSRX interfaces, as shown in
“Requirements for vSRX on VMware” on page 21.

NOTE: If you have used the interface mapping workaround required for prior
Junos releases, you do not need to make any changes when you upgrade to
Junos Release 15.1X49-D70 for vSRX.

The following procedures describe how to add more network adapters:

• Adding SR-IOV Interfaces on page 48


• Adding VMXNET 3 Interfaces on page 49


Adding SR-IOV Interfaces


SR-IOV interfaces must be added as PCI devices on VMware. To add an SR-IOV interface
as a PCI Device, you must first select an available Virtual Function (VF) on the device.

Use the following procedure to locate available VFs and add PCI devices:

1. To locate one or more VFs:

a. Use SSH to log in to the ESXi host and enter the following command to view the
   VFs for vmnic6 (or another physical NIC):

# esxcli network sriovnic vf list -n vmnic6
VF ID  Active  PCI Address  Owner World ID
-----  ------  -----------  --------------
0      true    005:16.0     982641
1      true    005:16.2     982641
2      true    005:16.4     982641
3      false   005:16.6     -
4      false   005:17.0     -
5      false   005:17.2     -
6      false   005:17.4     -

Choose one or more VF IDs that are not active, such as 3 through 6. Note that a VF
assigned to a VM that is powered off is also shown as inactive, so confirm that a
chosen VF is not already assigned to another VM before you use it.

b. Enter the lspci command to view the VF number (PCI address) of the chosen VF IDs. In
   the following example, find the entry that ends with [vmnic6], scroll down to the next
   entry ending in VF_3, and note the associated VF number 05:10.6. Note that the next
   VF_3 entry is for vmnic7.

# lspci
0000:05:00.0 Network controller: Intel Corporation 82599EB 10-Gig ... [vmnic6]
0000:05:00.1 Network controller: Intel Corporation 82599EB 10-Gig ... [vmnic7]
0000:05:10.0 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.0_VF_0]
0000:05:10.1 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.1_VF_0]
0000:05:10.2 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.0_VF_1]
0000:05:10.3 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.1_VF_1]
0000:05:10.4 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.0_VF_2]
0000:05:10.5 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.1_VF_2]
0000:05:10.6 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.0_VF_3]   ----- VF ID 3 on vmnic6, with VF number 05:10.6
0000:05:10.7 Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function [PF_0.5.1_VF_3]   ----- VF ID 3 on vmnic7

2. To add SR-IOV interfaces to the vSRX VM:

a. Power off the vSRX VM and open the Edit Settings page. By default there are three
network adapters using VMXNET 3.

b. Add one or more PCI devices on the Virtual Hardware page. For each device, you
must select an entry with an available VF number from Step 1. For example:

05:10.6 | Intel Corporation 82599 Ethernet Controller Virtual Function

c. Click OK and open the Edit Settings page to verify that the new network adapters
   are shown on the Virtual Hardware page (one VMXNET 3 network adapter and up
   to nine SR-IOV interfaces as PCI devices).

To view the SR-IOV interface MAC addresses, select the VM Options tab, click
Advanced in the left frame, and then click Edit Configuration. In the parameters
pciPassthruN.generatedMACAddress, N indicates the PCI device number (0 through
9).

d. Power on the vSRX VM and log in to the VM to verify that VMXNET 3 network
adapter 1 is mapped to fxp0, PCI device 0 is mapped to ge-0/0/0, PCI device 1 is
mapped to ge-0/0/1, and so on.

NOTE: A vSRX VM with SR-IOV interfaces cannot be cloned. You must deploy
a new vSRX VM and add the SR-IOV interfaces as described here.
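The VF lookup of Step 1 as an added example, not part of this guide and not Juniper's or VMware's code. It parses the text of esxcli network sriovnic vf list and lspci as captured over SSH on the ESXi host, lists the inactive VFs of one vmnic with the PCI address that the Add PCI Device dialog in Step 2 asks for, and cross-checks the two tools against each other. Two details are assumptions inferred from the sample output above and should be confirmed on your host: esxcli prints bus:device.function in decimal (005:16.6) while lspci prints it in hex (0000:05:10.6), and the lspci tag [PF_<domain>.<bus>.<function>_VF_<n>] names the parent physical function. The embedded sample outputs are constructed from the listings above.

```python
"""Find free SR-IOV Virtual Functions and the PCI address vSphere asks for.

Added example; this is not Juniper's or VMware's code. It parses the text of
`esxcli network sriovnic vf list -n <vmnic>` and `lspci` as captured over SSH
on the ESXi host, and lists the inactive VFs of one vmnic together with the
PCI address you select when adding the PCI device to the vSRX VM.

Assumptions inferred from the sample output in this guide (confirm on your
host): esxcli prints bus:device.function in decimal (005:16.6), lspci prints
it in hex (0000:05:10.6), and the lspci tag [PF_<domain>.<bus>.<function>_VF_<n>]
names the parent physical function. The sample outputs below are constructed.
"""
import re
from typing import Dict, List, Tuple

VF_ROW = re.compile(r"^\s*(?P<id>\d+)\s+(?P<active>true|false)\s+(?P<pci>\d+:\d+\.\d+)\s+(?P<owner>\S+)", re.I)
PF_LINE = re.compile(r"^(?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.\d).*\[(?P<vmnic>vmnic\d+)\]\s*$", re.I)
VF_LINE = re.compile(r"^(?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.\d).*"
                     r"\[PF_(?P<dom>\d+)\.(?P<bus>\d+)\.(?P<func>\d+)_VF_(?P<vf>\d+)\]\s*$", re.I)

ESXCLI_SAMPLE = """\
VF ID  Active  PCI Address  Owner World ID
-----  ------  -----------  --------------
0      true    005:16.0     982641
1      true    005:16.2     982641
2      true    005:16.4     982641
3      false   005:16.6     -
4      false   005:17.0     -
5      false   005:17.2     -
6      false   005:17.4     -
"""

_VF_DESC = "Network controller: Intel Corporation 82599 Ethernet Controller Virtual Function"
LSPCI_SAMPLE = (
    "0000:05:00.0 Network controller: Intel Corporation 82599EB 10-Gigabit Network Connection [vmnic6]\n"
    "0000:05:00.1 Network controller: Intel Corporation 82599EB 10-Gigabit Network Connection [vmnic7]\n"
    # VFs of the two PFs are interleaved on the bus: 05:10.0 is vmnic6 VF_0, 05:10.1 is vmnic7 VF_0, ...
    + "".join(f"0000:05:{0x10 + n // 8:02x}.{n % 8} {_VF_DESC} [PF_0.5.{n % 2}_VF_{n // 2}]\n"
              for n in range(14))
)


def parse_vf_list(text: str) -> Dict[int, dict]:
    """VF ID -> {active, bdf (hex, lspci style), owner} from esxcli output."""
    vfs = {}
    for line in text.splitlines():
        m = VF_ROW.match(line)
        if m is None:
            continue                                   # header and separator lines
        bus, dev_func = m.group("pci").split(":")
        dev, func = dev_func.split(".")
        vfs[int(m.group("id"))] = {
            "active": m.group("active").lower() == "true",
            "bdf": f"0000:{int(bus):02x}:{int(dev):02x}.{int(func)}",  # decimal -> hex BDF
            "owner": m.group("owner"),
        }
    return vfs


def parse_lspci(text: str) -> Tuple[Dict[str, str], Dict[Tuple[int, int, int, int], str]]:
    """Return (vmnic -> PF address, (domain, bus, function, VF id) -> VF address)."""
    pfs, vfs = {}, {}
    for line in text.splitlines():
        pf = PF_LINE.match(line)
        if pf:
            pfs[pf.group("vmnic").lower()] = pf.group("bdf").lower()
            continue
        vf = VF_LINE.match(line)
        if vf:
            key = (int(vf.group("dom")), int(vf.group("bus")), int(vf.group("func")), int(vf.group("vf")))
            vfs[key] = vf.group("bdf").lower()
    return pfs, vfs


def _bdf_parts(bdf: str) -> Tuple[int, int, int, int]:
    dom, bus, dev_func = bdf.split(":")
    dev, func = dev_func.split(".")
    return int(dom, 16), int(bus, 16), int(dev, 16), int(func)


def free_vfs(vmnic: str, esxcli_text: str, lspci_text: str) -> List[Tuple[int, str]]:
    """Inactive VFs of `vmnic` as (VF ID, PCI address), cross-checked between both tools."""
    pfs, lspci_vfs = parse_lspci(lspci_text)
    if vmnic not in pfs:
        raise ValueError(f"{vmnic} not found in lspci output")
    dom, bus, _dev, func = _bdf_parts(pfs[vmnic])
    result = []
    for vf_id, info in sorted(parse_vf_list(esxcli_text).items()):
        if info["active"]:
            continue                                   # already used by a powered-on VM
        lspci_bdf = lspci_vfs.get((dom, bus, func, vf_id))
        if lspci_bdf is None:
            raise ValueError(f"VF {vf_id} of {vmnic} has no lspci entry")
        if lspci_bdf != info["bdf"]:
            raise ValueError(f"VF {vf_id}: esxcli reports {info['bdf']} but lspci reports {lspci_bdf}")
        result.append((vf_id, lspci_bdf))
    return result


if __name__ == "__main__":
    # Inactive VFs also include those assigned to powered-off VMs; check before using one.
    for vf_id, bdf in free_vfs("vmnic6", ESXCLI_SAMPLE, LSPCI_SAMPLE):
        print(f"VF {vf_id} -> select PCI device {bdf[5:]}")
```

Run it with the two outputs captured from your own host in place of the samples; a ValueError from the cross-check means the decimal/hex assumption does not hold on that ESXi build, in which case trust lspci and re-check the mapping by hand as in Step 1b.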

Adding VMXNET 3 Interfaces


Use the following procedure to add VMXNET 3 interfaces:

1. Power off the vSRX VM and open the Edit Settings page on vSphere Web Client.

2. Add network adapters on the Virtual Hardware page. For each network adapter, select
Network from New device list at the bottom of the page, expand New Network, and
select VMXNET 3 as the adapter type.

3. Click OK and open the Edit Settings page to verify that the new network adapters are
   shown on the Virtual Hardware page.

4. Power on the vSRX VM and log in to the VM to verify that network adapter 1 is mapped
to fxp0, network adapter 2 is mapped to ge-0/0/0, and so on. Use the show interfaces
terse CLI command to verify that the fxp0 and ge-0/0/n interfaces are up.


Upgrading a Multicore vSRX with VMware

Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, you can scale the
performance and capacity of a vSRX instance by increasing the number of vCPUs and
the amount of vRAM allocated to the vSRX. See “Requirements for vSRX on VMware”
on page 21 for the software requirement specifications of a vSRX VM.

NOTE: You cannot scale down the number of vCPUs or decrease the amount
of vRAM for an existing vSRX VM.

• Power Down vSRX VM with VMware vSphere Web Client on page 50


• Upgrading a Multicore vSRX with VMware vSphere Web Client on page 50
• Optimizing Performance of vSRX on page 51

Power Down vSRX VM with VMware vSphere Web Client


In situations where you want to modify the vSRX VM settings (for example, the vCPU or vRAM
allocation), you need to completely shut down vSRX and the associated VM.

To gracefully shut down the vSRX instance with VMware vSphere Web Client:

1. Enter the vCenter server hostname or address in your browser
   (https://<ipaddress>:9443) to access the vSphere Web Client, and log in to the
   vCenter server with your credentials.

2. Select the vSRX VM you want to power off.

3. Select Open Console to open a console window to the vSRX VM.

4. From the vSRX console, power off the vSRX instance from operational mode:

   vsrx> request system power-off

Upgrading a Multicore vSRX with VMware vSphere Web Client


You must power down the vSRX VM before you can update the vCPU and vRAM values
for the VM.

To scale up the vSRX VM to a higher number of vCPUs or to an increased amount of


vRAM:

1. On VMware vSphere Web Client, select the powered-down vSRX VM and click Edit Settings
   to open the virtual machine details window.

2. Select Memory and set the vRAM to the desired size.


3. Select Processor and set the number of vCPUs. Click OK.

4. Click Power On. The VM manager launches the vSRX VM with the new vCPU and vRAM
settings.

NOTE: vSRX scales down to the closest supported value if the vCPU or vRAM
settings do not match what is currently available.

Optimizing Performance of vSRX


To optimize performance of vSRX on VMware:

1. For memory, select the NUMA node to which the physical NICs used by the vSRX are attached.

2. For the CPU:

   a. Disable hyper-threading.

   b. Select CPUs on the selected NUMA node.

   c. Configure n sockets with one core per socket.

   d. Reserve the CPU resource.

3. For the TX thread:

   • Configure a separate ESXi transmit thread per vNIC.

   • Place transmit threads on the same NUMA node.

4. For vNICs, use either 2 vNICs or 4 vNICs if you want to scale the performance of the
   vSRX VM.

Release History Table

Release        Description

15.1X49-D70    Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, you
               can scale the performance and capacity of a vSRX instance by increasing
               the number of vCPUs and the amount of vRAM allocated to the vSRX.



CHAPTER 4

Configuring and Managing vSRX

• vSRX Configuration and Management Tools on page 53


• Configuring vSRX Using the CLI on page 54
• Configuring vSRX Using the J-Web Interface on page 56
• Managing Security Policies for Virtual Machines Using Junos Space Security
Director on page 59

vSRX Configuration and Management Tools

This section provides an overview of the various tools available to configure and manage
a vSRX VM once it has been successfully deployed.

• Understanding the Junos OS CLI and Junos Scripts on page 53


• Understanding the J-Web Interface on page 53
• Understanding Junos Space Security Director on page 53

Understanding the Junos OS CLI and Junos Scripts


Junos OS CLI is a Juniper Networks-specific command shell that runs on top of a
UNIX-based operating system kernel.

Built into Junos OS, Junos script automation is an onboard toolset available on all Junos
OS platforms, including routers, switches, and security devices running Junos OS (such
as a vSRX instance).

You can use the Junos OS CLI and the Junos OS scripts to configure, manage, administer,
and troubleshoot vSRX.

Understanding the J-Web Interface


The J-Web interface allows you to monitor, configure, troubleshoot, and manage vSRX
instances by means of a Web browser. J-Web provides access to all the configuration
statements supported by the vSRX instance.

Understanding Junos Space Security Director


As one of the Junos Space Network Management Platform applications, Junos Space
Security Director helps organizations improve the reach, ease, and accuracy of security
policy administration with a scalable, GUI-based management tool. Security Director
automates security provisioning of a vSRX instance through one centralized Web-based
interface to help administrators manage all phases of the security policy life cycle more
quickly and intuitively, from policy creation to remediation.

Related Documentation

• CLI User Interface Overview

• J-Web Overview

• Security Director

• Mastering Junos Automation Programming

• Spotlight Secure Threat Intelligence

Configuring vSRX Using the CLI

To configure the vSRX instance using the CLI:

1. Verify that the vSRX is powered on.

2. Log in as the root user. There is no password. Set a root password (Step 5) and commit
   it before you enable any remote access to the instance, such as SSH or J-Web.

3. Start the CLI.

   root# cli
   root@>

4. Enter configuration mode.

   root@> configure
   [edit]
   root@#

5. Set the root authentication password by entering a cleartext password, an encrypted
   password, or an SSH public key string (RSA or DSA; prefer RSA, because current OpenSSH
   releases reject DSA keys by default).

   [edit]
   root@# set system root-authentication plain-text-password
   New password: password
   Retype new password: password

6. Configure the hostname.

[edit]
root@# set system host-name host-name

7. Configure the management interface.


[edit]
root@# set interfaces fxp0 unit 0 family inet dhcp-client

8. Configure the traffic interfaces.

[edit]
root@# set interfaces ge-0/0/0 unit 0 family inet dhcp-client

9. Configure basic security zones and bind them to traffic interfaces.

[edit]
root@# set security zones security-zone trust interfaces ge-0/0/0.0

10. Verify the configuration.

[edit]
root@# commit check
configuration check succeeds

11. Commit the configuration to activate it on the vSRX instance.

[edit]
root@# commit
commit complete

12. Optionally, use the show command to display the configuration to verify that it is
correct.

NOTE: Certain Junos OS software features require a license to activate the
feature. To enable a licensed feature, you need to purchase, install, manage,
and verify a license key that corresponds to each licensed feature. To conform
to software feature licensing requirements, you must purchase one license
per feature per instance. The presence of the appropriate software unlocking
key on your virtual instance allows you to configure and use the licensed
feature.

See Managing Licenses for vSRX for details.

Related Documentation

• CLI User Guide


Configuring vSRX Using the J-Web Interface

• Accessing the J-Web Interface and Configuring vSRX on page 56


• Applying the Configuration on page 58
• Adding vSRX Feature Licenses on page 58

Accessing the J-Web Interface and Configuring vSRX


Use the Junos OS CLI to configure, at a minimum, the following parameters before you
can access a vSRX VM using J-Web:

• Configure an IP address on fxp0.

• Configure a default route if the fxp0 IP address is on a different subnet than the host
server.

• Enable Web management through the fxp0 interface.

system {
    services {
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
}

NOTE: The http statement serves J-Web in cleartext, so the username and password you
enter in Step 3 below cross the management network unencrypted. Unless fxp0 is on an
isolated management segment, enable the https statement under web-management instead
and connect to the https URL of the fxp0 address.

To configure vSRX using the J-Web Interface:

1. Launch a Web browser from the management instance.

2. Enter the vSRX fxp0 interface IP address in the Address box.

3. Specify the username and password.

4. Click Log In, and select the Configuration Wizards tab from the left navigation panel.
The J-Web Setup wizard page opens.

5. Click Setup.

You can use the Setup wizard to configure the vSRX VM or edit an existing
configuration.

• Select Edit Existing Configuration if you have already configured the wizard using
the factory mode.

• Select Create New Configuration to configure the vSRX VM using the wizard.

The following configuration options are available in the guided setup:

• Basic


Select Basic to configure the vSRX VM name and user account information as
shown in Table 14 on page 57.

• Instance name and user account information

Table 14: Instance Name and User Account Information

Field Description

Instance name Type the name of the instance. For example: vSRX.

Root password Create a default root user password.

Verify password Verify the default root user password.

Operator Add an optional administrative account in addition to the root account.

User role options include:

• Super User: This user has full system administration rights and can add,
modify, and delete settings and users.
• Operator: This user can perform system operations such as a system
reset but cannot change the configuration or add or modify users.
• Read only: This user can only access the system and view the
configuration.
• Disabled: This user cannot access the system.

• Select either Time Server or Manual. Table 15 on page 57 lists the system time
options.

Table 15: System Time Options

Field Description

Time Server

Host Name    Type the hostname of the time server. For example: ntp.example.com.

IP           Type the IP address of the time server in the IP address entry field.
             For example: 192.0.2.254.

             NOTE: You can enter either the hostname or the IP address.

Manual

Date         Click the current date in the calendar.

Time         Set the hour, minute, and seconds. Choose AM or PM.

Time Zone (mandatory)

Time Zone    Select the time zone from the list. For example: GMT (Greenwich Mean Time).


• Expert

Select Expert to configure the basic options as well as the following advanced
options:

• Four or more internal zones

• Internal zone services

• Application of security policies between internal zones

Click the Need Help icon for detailed configuration information.

You see a success message after the basic configuration is complete.

Applying the Configuration


To apply the configuration settings for vSRX:

1. Review and ensure that the configuration settings are correct, and click Next. The
Commit Configuration page appears.

2. Click Apply Settings to apply the configuration changes to vSRX.

3. Check the connectivity to vSRX, as you might lose connectivity if you have changed
the management zone IP. Click the URL for reconnection instructions on how to
reconnect to the instance.

4. Click Done to complete the setup.

After successful completion of the setup, you are redirected to the J-Web interface.

CAUTION: After you complete the initial setup, you can relaunch the J-Web
Setup wizard by clicking Configuration>Setup. You can either edit an
existing configuration or create a new configuration. If you create a new
configuration, the current configuration in vSRX will be deleted.

Adding vSRX Feature Licenses


Certain Junos OS software features require a license to activate the feature. To enable
a licensed feature, you need to purchase, install, manage, and verify a license key that
corresponds to each licensed feature. To conform to software feature licensing
requirements, you must purchase one license per feature per instance. The presence of
the appropriate software unlocking key on your virtual instance allows you to configure
and use the licensed feature.

See Managing Licenses for vSRX for details.


Managing Security Policies for Virtual Machines Using Junos Space Security Director

Security Director is a Junos Space management application designed to enable quick,
consistent, and accurate creation, maintenance, and application of network security
policies for your security devices, including vSRX instances. With Security Director, you
can configure security-related policy management including IPsec VPNs, firewall policies,
NAT policies, IPS policies, and UTM policies, and push the configurations to your security
devices. These configurations use objects such as addresses, services, NAT pools,
application signatures, policy profiles, VPN profiles, template definitions, and templates.
These objects can be shared across multiple security configurations; shared objects can
be created and used across many security policies and devices. You can create these
objects prior to creating security configurations.

When you finish creating and verifying your security configurations from Security Director,
you can publish these configurations and keep them ready to be pushed to all security
devices, including vSRX instances, from a single interface.

The Configure tab is the workspace where all of the security configuration happens. You
can configure firewall, IPS, NAT, and UTM policies; assign policies to devices; create and
apply policy schedules; create and manage VPNs; and create and manage all the shared
objects needed for managing your network security.

Related Documentation

• Security Director



CHAPTER 5

Configuring vSRX Chassis Clusters

• Configuring a vSRX Chassis Cluster in Junos OS on page 61


• vSRX Cluster Staging and Provisioning for VMware on page 69
• Deploying vSRX Chassis Cluster Nodes Across Different ESXi Hosts Using
dvSwitch on page 78

Configuring a vSRX Chassis Cluster in Junos OS

• Chassis Cluster Overview on page 61


• Enabling Chassis Cluster Formation on page 62
• Chassis Cluster Quick Setup with J-Web on page 63
• Manually Configuring a Chassis Cluster with J-Web on page 64

Chassis Cluster Overview


Chassis cluster groups a pair of the same kind of vSRX instances into a cluster to provide
network node redundancy. The devices must be running the same Junos OS release. You
connect the control virtual interfaces on the respective nodes to form a control plane
that synchronizes the configuration and Junos OS kernel state. The control link (a virtual
network or vSwitch) facilitates the redundancy of interfaces and services. Similarly, you
connect the data plane on the respective nodes over the fabric virtual interfaces to form
a unified data plane. The fabric link (a virtual network or vSwitch) allows for the
management of cross-node flow processing and for the management of session
redundancy.

The control plane software operates in active/passive mode. When configured as a
chassis cluster, one node acts as the primary device and the other as the secondary
device to ensure stateful failover of processes and services in the event of a system or
hardware failure on the primary device. If the primary device fails, the secondary device
takes over processing of control plane traffic.

NOTE: If you configure a chassis cluster on vSRX nodes across two physical
hosts, disable igmp-snooping on the bridge that each host physical interface
belongs to that the control vNICs use. This ensures that the control link
heartbeat is received by both nodes in the chassis cluster.


The chassis cluster data plane operates in active/active mode. In a chassis cluster, the
data plane updates session information as traffic traverses either device, and it transmits
information between the nodes over the fabric link to guarantee that established sessions
are not dropped when a failover occurs. In active/active mode, traffic can enter the cluster
on one node and exit from the other node.

Chassis cluster functionality includes:

• Resilient system architecture, with a single active control plane for the entire cluster
and multiple Packet Forwarding Engines. This architecture presents a single device
view of the cluster.

• Synchronization of configuration and dynamic runtime states between nodes within
  a cluster.

• Monitoring of physical interfaces, and failover if the failure parameters cross a configured
threshold.

• Support for generic routing encapsulation (GRE) and IP-over-IP (IP-IP) tunnels used
to route encapsulated IPv4 or IPv6 traffic by means of two internal interfaces, gr-0/0/0
and ip-0/0/0, respectively. Junos OS creates these interfaces at system startup and
uses these interfaces only for processing GRE and IP-IP tunnels.

At any given instant, a cluster node can be in one of the following states: hold, primary,
secondary-hold, secondary, ineligible, or disabled. Multiple event types, such as interface
monitoring, Services Processing Unit (SPU) monitoring, failures, and manual failovers,
can trigger a state transition.

Prerequisites

Ensure that your vSRX instances comply with the following prerequisites before you
enable chassis clustering:

• Use show version in Junos OS to ensure that both vSRX instances have the same
software version.

• Use show system license in Junos OS to ensure that both vSRX instances have the
same licenses installed.

Enabling Chassis Cluster Formation


You create two vSRX instances to form a chassis cluster, and then you set the cluster ID
and node ID on each instance to join the cluster. When a vSRX VM joins a cluster, it
becomes a node of that cluster. With the exception of unique node settings and
management IP addresses, nodes in a cluster share the same configuration.

You can deploy up to 255 chassis clusters in a Layer 2 domain. Clusters and nodes are
identified in the following ways:

• The cluster ID (a number from 1 to 255) identifies the cluster.

• The node ID (a number from 0 to 1) identifies the cluster node.


On SRX Series devices, the cluster ID and node ID are written into EEPROM. On the vSRX
VM, vSRX stores and reads the IDs from boot/loader.conf and uses the IDs to initialize
the chassis cluster during startup.

The chassis cluster formation commands for node 0 and node 1 are as follows:

• On vSRX node 0:

  user@vsrx0> set chassis cluster cluster-id number node 0 reboot

• On vSRX node 1:

  user@vsrx1> set chassis cluster cluster-id number node 1 reboot

NOTE: Use the same cluster ID number for each node in the cluster.

NOTE: The vSRX interface naming and mapping to vNICs changes when you
enable chassis clustering.

After reboot, on node 0, configure the fabric (data) ports of the cluster that are used to
pass real-time objects (RTOs). In a vSRX cluster the interfaces of node 1 appear as
ge-7/0/x, so fab1 is bound to a node 1 interface:

user@vsrx0# set interfaces fab0 fabric-options member-interfaces ge-0/0/0
user@vsrx0# set interfaces fab1 fabric-options member-interfaces ge-7/0/0

Chassis Cluster Quick Setup with J-Web


To configure chassis cluster from J-Web:

1. Enter the vSRX node 0 interface IP address in a Web browser.

2. Enter the vSRX username and password, and click Log In. The J-Web dashboard
appears.

3. Click Configuration Wizards>Chassis Cluster from the left panel. The Chassis Cluster
Setup wizard appears. Follow the steps in the setup wizard to configure the cluster
ID and the two nodes in the cluster, and to verify connectivity.

NOTE: Use the built-in Help icon in J-Web for further details on the Chassis
Cluster Setup wizard.


Manually Configuring a Chassis Cluster with J-Web


You can use the J-Web interface to configure the primary node 0 vSRX instance in the
cluster. Once you have set the cluster and node IDs and rebooted each vSRX, the following
configuration will automatically be synced to the secondary node 1 vSRX instance.

Select Configure>Chassis Cluster>Cluster Configuration. The Chassis Cluster configuration
page appears.

Table 16 on page 65 explains the contents of the HA Cluster Settings tab.

Table 17 on page 66 explains how to edit the Node Settings tab.

Table 18 on page 67 explains how to add or edit the HA Cluster Interfaces table.

Table 19 on page 68 explains how to add or edit the HA Cluster Redundancy Groups table.


Table 16: Chassis Cluster Configuration Page

Field                   Function

Node Settings

Node ID                 Displays the node ID.

Cluster ID              Displays the cluster ID configured for the node.

Host Name               Displays the name of the node.

Backup Router           Displays the router used as a gateway while the Routing Engine is
                        in secondary state for redundancy-group 0 in a chassis cluster.

Management Interface    Displays the management interface of the node.

IP Address              Displays the management IP address of the node.

Status                  Displays the state of the redundancy group.
                        • Primary: Redundancy group is active.
                        • Secondary: Redundancy group is passive.

Chassis Cluster>HA Cluster Settings>Interfaces

Name                    Displays the physical interface name.

Member Interfaces/      Displays the member interface name or IP address configured for
IP Address              an interface.

Redundancy Group        Displays the redundancy group.

Chassis Cluster>HA Cluster Settings>Redundancy Group

Group                   Displays the redundancy group identification number.

Preempt                 Displays the selected preempt option.
                        • True: Mastership can be preempted based on priority.
                        • False: Mastership cannot be preempted based on priority.

Gratuitous ARP Count    Displays the number of gratuitous Address Resolution Protocol
                        (ARP) requests that a newly elected primary device in a chassis
                        cluster sends out to announce its presence to the other network
                        devices.

Node Priority           Displays the assigned priority for the redundancy group on that
                        node. The eligible node with the highest priority is elected as
                        primary for the redundancy group.


Table 17: Edit Node Setting Configuration Details

Field           Function                                                      Action

Node Settings

Host Name       Specifies the name of the host.                               Enter the name of the host.

Backup Router   Specifies the device used as a gateway while the Routing      Enter the IP address of the backup router.
                Engine is in the secondary state for redundancy-group 0 in
                a chassis cluster.

Destination

IP              Adds the destination address.                                 Click Add.

Delete          Deletes the destination address.                              Click Delete.

Interface

Interface       Specifies the interfaces available for the router.            Select an option.
                NOTE: Allows you to add and edit two interfaces for each
                fabric link.

IP              Specifies the interface IP address.                           Enter the interface IP address.

Add             Adds the interface.                                           Click Add.

Delete          Deletes the interface.                                        Click Delete.


Table 18: Add HA Cluster Interface Configuration Details

Field               Function                                                   Action

Fabric Link > Fabric Link 0 (fab0)

Interface           Specifies fabric link 0.                                   Enter the member interface for fabric link 0.

Add                 Adds fabric interface 0.                                   Click Add.

Delete              Deletes fabric interface 0.                                Click Delete.

Fabric Link > Fabric Link 1 (fab1)

Interface           Specifies fabric link 1.                                   Enter the member interface for fabric link 1.

Add                 Adds fabric interface 1.                                   Click Add.

Delete              Deletes fabric interface 1.                                Click Delete.

Redundant Ethernet

Interface           Specifies a logical interface consisting of two physical   Enter the logical interface.
                    Ethernet interfaces, one on each chassis.

IP                  Specifies a redundant Ethernet IP address.                 Enter a redundant Ethernet IP address.

Redundancy Group    Specifies the redundancy group ID number in the chassis    Select a redundancy group from the list.
                    cluster.

Add                 Adds a redundant Ethernet IP address.                      Click Add.

Delete              Deletes a redundant Ethernet IP address.                   Click Delete.


Table 19: Add Redundancy Groups Configuration Details

Field                  Function                                                          Action

Redundancy Group       Specifies the redundancy group name.                              Enter the redundancy group name.

Allow preemption of    Allows a node with a better priority to initiate a failover for   –
primaryship            a redundancy group.
                       NOTE: By default, this feature is disabled. When disabled, a
                       node with a better priority does not initiate a redundancy group
                       failover (unless some other factor, such as faulty network
                       connectivity identified for monitored interfaces, causes a
                       failover).

Gratuitous ARP Count   Specifies the number of gratuitous Address Resolution Protocol    Enter a value from 1 to 16. The
                       requests that a newly elected primary sends out on the active     default is 4.
                       redundant Ethernet interface child links to notify network
                       devices of a change in mastership on the redundant Ethernet
                       interface links.

node0 priority         Specifies the priority value of node0 for a redundancy group.     Enter the priority for node0.

node1 priority         Specifies the priority value of node1 for a redundancy group.     Enter the priority for node1.

Interface Monitor

Interface              Specifies an interface to be monitored by the redundancy group.   Select an interface from the list.

Weight                 Specifies the weight for the interface to be monitored.           Enter a value from 1 to 125.

Add                    Adds interfaces to be monitored by the redundancy group along     Click Add.
                       with their respective weights.

Delete                 Deletes interfaces to be monitored by the redundancy group        Select the interface from the
                       along with their respective weights.                              configured list and click Delete.

IP Monitoring

Weight                 Specifies the global weight for IP monitoring.                    Enter a value from 0 to 255.

Threshold              Specifies the global threshold for IP monitoring.                 Enter a value from 0 to 255.

Retry Count            Specifies the number of retries needed to declare reachability    Enter a value from 5 to 15.
                       failure.

Retry Interval         Specifies the time interval in seconds between retries.           Enter a value from 1 to 30.

IPV4 Addresses to Be Monitored

IP                     Specifies the IPv4 addresses to be monitored for reachability.    Enter the IPv4 addresses.

Weight                 Specifies the weight of this monitored IP address, counted        Enter the weight.
                       against the global IP monitoring threshold.

Interface              Specifies the logical interface through which to monitor this     Enter the logical interface.
                       IP address.

Secondary IP address   Specifies the source address for monitoring packets on a          Enter the secondary IP address.
                       secondary link.

Add                    Adds the IPv4 address to be monitored.                            Click Add.

Delete                 Deletes the IPv4 address to be monitored.                         Select the IPv4 address from the list
                                                                                         and click Delete.

See Also

• Chassis Cluster Feature Guide for Security Devices
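As an added example that is not part of this guide, the following Junos CLI set commands express the Table 19 fields (and the redundant Ethernet interface they protect) for redundancy group 1. The fabric members follow the guide's fab0/fab1 example; the ge-0/0/1 and ge-7/0/1 child links, the 192.0.2.0/24 addresses, and the monitored gateway 192.0.2.254 are constructed values.

```junos
# Added example, not from the guide. Fabric links as the guide describes them:
# ge-0/0/0 is fab0 on node0, ge-7/0/0 is fab1 on node1.
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0

# One redundant Ethernet interface with a child link from each node
# (constructed link names and addresses).
set chassis cluster reth-count 1
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-7/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24

# Redundancy group 1: node priorities (the higher value wins the election),
# preemption (disabled by default) and the gratuitous ARP count (default 4).
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 150
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 gratuitous-arp-count 4

# Interface Monitor: a monitored link that goes down contributes its weight;
# the group fails over once the accumulated weight reaches 255.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 100
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/1 weight 100

# IP Monitoring: global-weight is what IP monitoring contributes toward the
# group's 255 failover threshold; global-threshold is the summed weight of
# unreachable monitored addresses that triggers that contribution. Probes go
# out of reth0.0 and, from the secondary node, use the secondary IP address.
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 100
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 1
set chassis cluster redundancy-group 1 ip-monitoring family inet 192.0.2.254 weight 100 interface reth0.0 secondary-ip-address 192.0.2.2
```

With these values, loss of the monitored gateway alone (weight 100, meeting the global threshold) applies the full global weight of 255 and fails the group over, while loss of a single child link (weight 100) does not.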

vSRX Cluster Staging and Provisioning for VMware

Staging and provisioning a vSRX cluster includes the following tasks:

• Deploying the VMs and Additional Network Interfaces on page 69
• Creating the Control Link Connection Using VMware on page 70
• Creating the Fabric Link Connection Using VMware on page 73
• Creating the Data Interfaces Using VMware on page 75
• Prestaging the Configuration from the Console on page 76
• Connecting and Installing the Staging Configuration on page 77

Deploying the VMs and Additional Network Interfaces


The vSRX cluster uses three interfaces exclusively for clustering (the first two are
predefined):

• Out-of-band management interface (fxp0).

• Cluster control link (em0).

• Cluster fabric links (fab0 and fab1). For example, you can specify ge-0/0/0 as fab0
on node0 and ge-7/0/0 as fab1 on node1.

Initially, the VM has only two interfaces. A cluster requires three interfaces (two for the
cluster and one for management) and additional interfaces to forward data. You can
add interfaces through the VMware vSphere Web Client.

1. On the VMware vSphere Web Client, click Edit Virtual Machine Settings for each VM
to create additional interfaces.


2. Click Add Hardware and specify the attributes in Table 20 on page 70.

Table 20: Hardware Attributes

Adapter Type
  Select SR-IOV or VMXNET 3 from the list.

Network label
  Select the network label from the list.

Connect at power on
  Ensure that there is a check mark next to this option.

Creating the Control Link Connection Using VMware


To connect the control interface through the control vSwitch using the VMware vSphere
Web Client:

1. Choose Configuration > Networking.

2. Click Add Networking to create a vSwitch for the control link.

Choose the following attributes:

• Connection Type
  • Virtual Machines

• Network Access
  • Create a vSphere switch
  • No physical adapters

• Port Group Properties
  • Network Label: HA Control
  • VLAN ID: None(0)

NOTE: Port groups are not VLANs. The port group does not segment the vSwitch
into separate broadcast domains unless the domains have different VLAN tags.

• To use a VLAN as a dedicated vSwitch, you can use the default VLAN tag (0) or
  specify a VLAN tag.

• To use a VLAN as a shared vSwitch and use a port group, assign a VLAN tag on the
  port group for each chassis cluster link.

3. Right-click on the control network, click Edit Settings, and select Security.


4. Set the promiscuous mode to Accept, and click OK, as shown in Figure 5 on page 71.

Figure 5: Promiscuous Mode

NOTE: You must enable promiscuous mode on the control vSwitch for the chassis
cluster. Because promiscuous mode lets every VM attached to the port group receive
all of its traffic, keep the setting confined to this dedicated control vSwitch,
which has no physical adapters, rather than enabling it on a vSwitch that carries
data traffic.

You can use the vSwitch default settings for the remaining parameters.

5. Click Edit Settings for both vSRX VMs to add the control interface (Network adapter
2) into the control vSwitch.

See Figure 6 on page 72 for vSwitch properties and Figure 7 on page 72 for VM properties
for the control vSwitch.


Figure 6: Control vSwitch Properties

Figure 7: Virtual Machine Properties for the Control vSwitch

The control interface will be connected through the control vSwitch. See
Figure 8 on page 73.


Figure 8: Control Interface Connected through the Control vSwitch

Creating the Fabric Link Connection Using VMware


To connect the fabric interface through the fabric vSwitch using the VMware vSphere
Web Client:

1. Choose Configuration > Networking.

2. Click Add Networking to create a vSwitch for the fabric link.

Choose the following attributes:

• Connection Type
  • Virtual Machines

• Network Access
  • Create a vSphere switch
  • No physical adapters

• Port Group Properties
  • Network Label: HA Fabric
  • VLAN ID: None(0)


NOTE: Port groups are not VLANs. The port group does not segment the vSwitch
into separate broadcast domains unless the domains have different VLAN tags.

• To use a VLAN as a dedicated vSwitch, you can use the default VLAN tag (0) or
  specify a VLAN tag.

• To use a VLAN as a shared vSwitch and use a port group, assign a VLAN tag on the
  port group for each chassis cluster link.

Click Properties to enable the following features:

• General > Advanced Properties:
  • MTU: 9000

• Security > Effective Policies:
  • MAC Address Changes: Accept
  • Forged Transmits: Accept

3. Click Edit Settings for both vSRX VMs to add the fabric interface into the fabric vSwitch.

See Figure 9 on page 74 for vSwitch properties and Figure 10 on page 75 for VM properties
for the fabric vSwitch.

Figure 9: Fabric vSwitch Properties


Figure 10: Virtual Machine Properties for the Fabric vSwitch

The fabric interface will be connected through the fabric vSwitch. See Figure 11 on page 75.

Figure 11: Fabric Interface Connected Through the Fabric vSwitch

Creating the Data Interfaces Using VMware


To map all the data interfaces to the desired networks:

1. Choose Configuration > Networking.

2. Click Add Networking to create a vSwitch for the fabric link.


Choose the following attributes:

• Connection Type
  • Virtual Machines

• Network Access
  • Create a vSphere switch
  • No physical adapters

• Port Group Properties
  • Network Label: chassis cluster Reth
  • VLAN ID: None(0)

Click Properties to enable the following features:

• Security > Effective Policies:
  • MAC Address Changes: Accept
  • Forged Transmits: Accept

The redundant Ethernet (reth) interface uses a MAC address that moves between the
two nodes on failover, so the vSwitch must accept frames whose source MAC address
differs from the one assigned to the virtual adapter; with the default Reject policy
those frames are dropped.

The data interface will be connected through the data vSwitch using the above procedure.

Prestaging the Configuration from the Console


The following procedure explains the configuration commands required to set up the
vSRX chassis cluster. The procedure powers up both nodes, adds the configuration to
the cluster, and allows SSH remote access.

1. Log in as the root user. There is no password.

2. Start the CLI from the shell prompt.

root# cli
root@>

3. Enter configuration mode.

root@> configure
[edit]
root@#

4. Copy the following commands and paste them into the CLI:

set groups node0 interfaces fxp0 unit 0 family inet address 192.168.42.81/24
set groups node0 system hostname vsrx-node0
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.42.82/24
set groups node1 system hostname vsrx-node1
set apply-groups "${node}"


5. Set the root authentication password by entering a cleartext password, an encrypted
password, or an SSH public key string (DSA or RSA).

root@# set system root-authentication plain-text-password
New password: password
Retype new password: password

root@# set system root-authentication encrypted-password "$ABC123"

6. To enable SSH remote access:

user@host# set system services ssh

7. To enable IPv6:

user@host# set security forwarding-options family inet6 mode flow-based

This step is optional and requires a system reboot.

8. Commit the configuration to activate it on the device.

user@host# commit
commit complete

9. When you have finished configuring the device, exit configuration mode.

user@host# exit

Connecting and Installing the Staging Configuration


After the vSRX cluster initial setup, set the cluster ID and the node ID, as described in
“Configuring a vSRX Chassis Cluster in Junos OS” on page 61.

After reboot, the two nodes are reachable on interface fxp0 with SSH. If the configuration
is operational, the show chassis cluster status command displays output similar to that
shown in the following sample output.

vsrx> show chassis cluster status

Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  100         secondary      no       no
    node1                  150         primary        no       no

Redundancy group: 1 , Failover count: 1
    node0                  100         secondary      no       no
    node1                  150         primary        no       no


A cluster is healthy when the primary and secondary nodes are present and both have a
priority greater than 0.

Deploying vSRX Chassis Cluster Nodes Across Different ESXi Hosts Using dvSwitch

Before you deploy the vSRX chassis cluster nodes on ESXi 6.0 (or later) hosts using a
distributed virtual switch (dvSwitch), make the following configuration settings from
the vSphere Web Client so that the high-availability cluster control link works
properly between the two nodes:

• In the dvSwitch settings of the vSphere Web Client, disable IGMP snooping under
Multicast filtering mode (see Multicast Snooping on a vSphere Distributed Switch).

• In the dvSwitch port group configuration of the vSphere Web Client, enable promiscuous
mode (see Configure the Security Policy for a Distributed Port Group or Distributed Port).

This chassis cluster method uses the private virtual LAN (PVLAN) feature of dvSwitch
to deploy the vSRX chassis cluster nodes at different ESXi hosts. There is no need to
change the external switch configurations.

On the VMware vSphere Web Client, for dvSwitch, there are two PVLAN IDs for the
primary and secondary VLANs. Select Community in the menu for the secondary VLAN
ID type.

Use the two secondary PVLAN IDs for the vSRX control and fabric links. See
Figure 12 on page 78 and Figure 13 on page 79.

Figure 12: dvPortGroup3 Settings


Figure 13: dvPortGroup6 Settings

NOTE: The configurations described above must also be present on the external switch
to which the distributed switch uplinks are connected. If the link at the external
switch supports a native VLAN, the VLAN can be set to none in the distributed switch
port group configuration. If a native VLAN is not supported on the link, this
configuration should have a VLAN enabled.

You can also use regular VLAN on a distributed switch to deploy vSRX chassis cluster
nodes at different ESXi hosts using dvSwitch. Regular VLAN works similarly to a physical
switch. If you want to use regular VLAN instead of PVLAN, disable IGMP snooping for
chassis cluster links.

However, use of PVLAN is recommended because:

• PVLAN does not impose IGMP snooping.

• PVLAN can save VLAN IDs.

NOTE: When the vSRX cluster across multiple ESXi hosts communicates through physical
switches, you also need to consider the other Layer 2 parameters described at
https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT21/LAHAAppNotev4.pdf.



CHAPTER 6

Troubleshooting

• Finding the Software Serial Number for vSRX on page 81

Finding the Software Serial Number for vSRX

You need the software serial number to open a support case or to renew a vSRX license.

1. Use the show system license command to find the vSRX software serial number.

vsrx> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent
