vSRX VNF Configuration Settings

You can configure the vSRX VNF from Configuration > Network Services > Service Name > Overview > Service Configuration. Your service provider usually configures base settings for the virtual machine (VM) in which the virtualized network function (VNF) resides and you configure settings for the service, such as policies.

Note: A vSRX firewall virtualized network function (VNF) is always part of a service chain for a network service on a CPE device.

Note: vSRX is the gateway router (GWR) for an on-premise CPE device.

Use the information in the following tables to provide values for the available settings:

Table 124: Fields for the vSRX Base Settings

 

Field

Description

Host Name

For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no limit on the number of characters and accepts letters, numbers, and symbols.

Example: vm-vsrx

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

Loopback Address

Specify an IPv4 loopback address for the management interface of the VM.

Example: 192.0.2.25

DNS Servers

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.

Example: 192.0.2.35

NTP Servers

Specify the FQDNs or IP addresses of one or more NTP servers.

Example: 192.0.2.45

Syslog Servers

Specify the FQDNs or IP addresses of one or more system log servers.

Example: 192.0.2.55

Enable Re-filter

Select True to apply a stateless firewall filter that protects the Routing Engine (RE) from denial-of-service (DoS) attacks by accepting management traffic only from the sources listed in the SNMP Prefix List, Ping Prefix List, and Space Servers fields. Select False to leave the RE reachable from any source.

Example: True

Enable Default Screens

For a cloud site, select True to enable the default screens security profile (screen options such as SYN-flood, ping-of-death, teardrop, and LAND checks) on the destination zone, or False to disable default screening.

Example: False

You cannot configure this setting for an on-premise site.

Time Zone

Specify the time zone for the VM.

Example: UTC

Right Interface

Specify the identifier of the VM interface that transmits data.

Example: ge-0/0/1

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

Left Interface

Specify the identifier of the VM interface that receives data.

Example: ge-0/0/0

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

SNMP Prefix List

If you set the Enable Re-filter field to True, specify the IP prefixes (in CIDR notation) from which the Junos Space Virtual Appliance is permitted to send SNMP requests to the vSRX VNF when it discovers and monitors it. SNMP requests from any other source are dropped by the RE filter.

Example: 10.0.2.0/24

Ping Prefix List

If you set the Enable Re-filter field to True, specify the IP prefixes (in CIDR notation, with the host bits cleared) from which the Junos Space Virtual Appliance is permitted to ping the vSRX VNF when it discovers it.

Example: 10.0.2.0/24

Space Servers

If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the Junos Space Virtual Appliances. These addresses are permitted through the RE filter for device management; if one is missing, discovery and management from that Space instance fail.

Example: 10.0.2.50
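The Enable Re-filter, SNMP Prefix List, Ping Prefix List, and Space Servers fields together describe a Routing Engine protection filter. The following Junos OS configuration fragment is an added example written for this page; it is not the configuration that CSO or the service provider generates. The filter and prefix-list names, the TCP/UDP port numbers, and the use of the DNS and NTP server addresses from the examples above are assumptions. It shows what the three lists buy you: once the filter is on lo0, anything not explicitly accepted is discarded, so a missing prefix silently breaks Junos Space discovery and an overly wide one reopens the RE.

```junos
policy-options {
    /* Assumed names; the prefixes are the field examples from Table 124 */
    prefix-list snmp-clients {
        10.0.2.0/24;
    }
    prefix-list ping-clients {
        10.0.2.0/24;
    }
    prefix-list space-servers {
        10.0.2.50/32;
    }
    prefix-list dns-ntp-servers {
        192.0.2.35/32;
        192.0.2.45/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Junos Space manages the device over SSH (22) and NETCONF over SSH (830);
               accept those only from the Space Servers addresses */
            term allow-space {
                from {
                    source-prefix-list {
                        space-servers;
                    }
                    protocol tcp;
                    destination-port [ 22 830 ];
                }
                then accept;
            }
            /* SNMP polling only from the SNMP Prefix List */
            term allow-snmp {
                from {
                    source-prefix-list {
                        snmp-clients;
                    }
                    protocol udp;
                    destination-port 161;
                }
                then accept;
            }
            /* ICMP echo only from the Ping Prefix List */
            term allow-ping {
                from {
                    source-prefix-list {
                        ping-clients;
                    }
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Replies to the RE's own DNS and NTP queries (syslog is send-only) */
            term allow-dns-ntp-replies {
                from {
                    source-prefix-list {
                        dns-ntp-servers;
                    }
                    protocol udp;
                    source-port [ 53 123 ];
                }
                then accept;
            }
            /* Everything else addressed to the RE is logged and dropped */
            term deny-rest {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 192.0.2.25/32;
            }
        }
    }
}
```

Two cautions before committing a filter like this: any routing protocol the site runs (BGP, OSPF) needs its own accept term ahead of deny-rest, and the filter is best applied with `commit confirmed` so that a mistake in the prefix lists rolls back instead of locking every management path out of the device.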

Table 125: Fields for the vSRX Firewall Settings

 

Field

Description

Policy Name

Specify the name of the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.

Example: policy-1

Source Zone

Select the security zone from which packets originate.

  • left—Security zone bound to the Left Interface (the interface that receives data into the service chain)

  • right—Security zone bound to the Right Interface (the interface that transmits data out of the service chain)

Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Example: left

Destination Zone

Select the security zone to which packets are delivered.

  • left—Security zone bound to the Left Interface (the interface that receives data into the service chain)

  • right—Security zone bound to the Right Interface (the interface that transmits data out of the service chain)

Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Example: right

Source Address

Procedure

Specify the source IP address prefixes that the policy uses as match criteria for traffic in the context (traffic from the source zone to the destination zone).

To add source addresses:

  1. Click the Source Address column.

    The source-address page appears.

  2. Select any to match any source IP address, or ipp to match a specific source IP prefix.
  3. If you select ipp, specify a prefix.
  4. Click OK.

Example: 10.0.2.30

Destination Address

Procedure

Specify the destination IP address prefixes that the policy uses as match criteria for traffic in the same context (traffic from the source zone to the destination zone).

To add a destination address:

  1. Click the Destination Address column.

    The destination-address page appears.

  2. Select any to match any destination IP address, or ipp to match a specific destination IP prefix.
  3. If you select ipp, specify a prefix.
  4. Click OK.

Example: 192.0.2.0/24

Action

Select permit to allow packets that match the rule to pass, or deny to drop packets that match the rule silently (the sender is not notified). Policies in a context are evaluated in order and the first match wins; traffic that matches no policy is denied.

Example: permit

Application

Procedure

Specify the applications to which the policy applies. The applications are based on protocols and ports.

To specify applications:

  1. Click the Application column.

    The application page appears.

  2. In the allowed_apps field, select any to match any application or app to choose specific applications.

    If you select app, press and hold the Ctrl key and click the required applications from the drop-down list.

    • junos-tcp-any

    • junos-udp-any

    • junos-ftp

    • junos-http

    • junos-https

    • junos-icmp-all

    • junos-icmp-ping

    • junos-telnet

    • junos-tftp

  3. Click OK.

Example:

  • junos-tcp-any

  • junos-udp-any
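The zone, address, application, and action fields in Table 125, together with the Enable Default Screens field in Table 124, map onto the `security zones`, `security policies`, and `security screen` hierarchies of Junos OS. The fragment below is an added example written for this page, not CSO's generated configuration: the address-book and policy names are assumptions, the interfaces and prefixes are the examples from the tables, and the screen profile is modeled on the untrust-screen profile of the vSRX factory-default configuration. It deliberately narrows the application list from the `junos-tcp-any`/`junos-udp-any` example above to the two applications the hosts actually need, and adds a logged catch-all deny so that blocked sessions show up in syslog instead of disappearing into the silent default deny.

```junos
security {
    /* Screen options applied to the WAN-facing zone; this is what
       Enable Default Screens switches on for the destination zone */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    address-book {
        global {
            /* Assumed object names; prefixes are the examples from Table 125 */
            address lan-hosts 10.0.2.0/24;
            address web-servers 192.0.2.0/24;
        }
    }
    zones {
        /* left = Left Interface ge-0/0/0, right = Right Interface ge-0/0/1 (Table 124) */
        security-zone left {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone right {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        /* Context left -> right: only HTTP and HTTPS from the LAN hosts to the web servers */
        from-zone left to-zone right {
            policy policy-1 {
                match {
                    source-address lan-hosts;
                    destination-address web-servers;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Explicit last policy: same result as the default deny, but logged */
            policy deny-and-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Note that `any` in the catch-all is scoped to the left-to-right context; return traffic for permitted sessions is handled by the session table and needs no right-to-left policy, whereas connections initiated from the right zone need their own context and are denied until one exists.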

Table 126: Fields for the vSRX NAT Settings

 

Field

Guidelines

NAT Source Name

Specify the source IP address prefix of packets that the NAT rule matches.

Example: 10.0.2.2/24

NAT Destination Name

Specify the destination IP address prefix of packets that the NAT rule matches.

Example: 10.0.2.3/24

NAT policy settings—For information about the following policy settings, see the firewall policy settings in Table 125.

  • Policy Name

  • Source Zone

  • Destination Zone

  • Source Address

  • Destination Address

  • Action

  • Application
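The NAT source and destination prefixes above become match conditions in Junos OS NAT rule sets, and they interact with the firewall policy in a way the table does not spell out. The fragment below is an added example for this page, not CSO's generated configuration; the rule-set, rule, pool, and address names are assumptions, and the public address 203.0.113.10 and the internal web server 10.0.2.10 are constructed for the illustration. It shows interface-based source NAT for the left-to-right context and a destination NAT for inbound HTTPS, together with the ordering rule that trips people up: destination NAT runs before policy lookup, so the inbound policy must match the translated internal address, while source NAT runs after policy lookup, so the outbound policy matches the original LAN prefix.

```junos
security {
    address-book {
        global {
            /* Assumed name; the internal server address is constructed for this example */
            address web-server-internal 10.0.2.10/32;
        }
    }
    nat {
        source {
            /* LAN hosts leaving through the right (WAN) interface are hidden
               behind that interface's address; the policy still sees 10.0.2.0/24 */
            rule-set left-to-right {
                from zone left;
                to zone right;
                rule snat-lan {
                    match {
                        source-address 10.0.2.0/24;
                        destination-address 192.0.2.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Publish the internal web server on 203.0.113.10:443 (constructed example addresses) */
            pool web-pool {
                address 10.0.2.10/32 port 443;
            }
            rule-set from-right {
                from zone right;
                rule dnat-web {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                web-pool;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Evaluated after destination NAT: match the internal address, not 203.0.113.10 */
        from-zone right to-zone left {
            policy allow-inbound-https {
                match {
                    source-address any;
                    destination-address web-server-internal;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Keep the destination NAT match as narrow as the published service (one address, one port); a rule that matches any destination port turns a single exposed web server into a full port-forward of the host.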

Table 127: Fields for the vSRX UTM Settings

 

Field

Description

Antivirus

Select True to check for viruses in application layer traffic against a virus signature database. Select False to disable checking for viruses.

Example: True

Antispam

Select True to enable spam filtering for e-mail traffic or False to disable it.

Example: True

Antispam Black List

Specify an address blacklist for local spam filtering.

Blacklists contain e-mail addresses from which you do not want to receive messages.

Note: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.

Example: john@example.net

Antispam White List

Specify an address whitelist for local spam filtering.

Whitelists contain e-mail addresses from which you want to receive messages.

Note: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.

Example: user@example.net

Antispam Action

Select the antispam action that you want the device to take when it detects spam:

  • block—Blocks the message

  • tag-subject—Tags the subject field with a preprogrammed string

  • tag-header—Tags the message header with a preprogrammed string

Example: block

Content Filter

Select True to block different types of traffic based on the MIME type, file extension, protocol command, and embedded object type or False to permit these types of traffic.

Example: True

Content Filter Extensions

Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3 connections.

Example: exe, pdf, js

Content Filter Mime

Specify the MIME types, written as type/subtype, to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3 connections.

Example: application/x-msdownload, application/x-javascript

Content Filter Protocol Commands

Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based on these commands.

Example: put, mput

Content Filter Content Type

Press and hold the Ctrl key and click one or more of the following content types to block. This filtering applies only to HTTP and catches objects that the file extension and MIME type lists do not cover:

  • Active X

  • Windows executable files (.exe)

  • HTTP cookie

  • Java applet

  • Zip files

Example: activex, exe

Content Filter Apply To

Press and hold the Ctrl key and click one or more of the following protocols in the drop-down list; the content filter is applied to traffic for the selected protocols:

  • HTTP

  • FTP

  • POP3

  • IMAP

  • SMTP

Example: http, ftp

Web filter

Select True to prevent access to specific websites and embedded object types or False to permit access to all websites.

Example: True

Web Filter Black List

Specify URLs to create a blacklist of websites to block.

Note: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action.

Example:

  • www.example1.com

  • www.example2.com

Web Filter White List

Specify URLs to create a whitelist of websites that users can always access.

With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL. The network service then looks up the URL to determine whether it is in the whitelist or blacklist based on its user-defined category.

Note: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action.

Example: www.example3.net

Policy settings—For information about the following policy settings, see the firewall policy settings in Table 125.

  • Source Zone

  • Destination Zone

  • Source Address

  • Destination Address

  • Action

  • Application
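The UTM fields in Table 127 correspond to custom objects, feature profiles, and a UTM policy under the Junos OS `security utm` hierarchy, and the policy settings listed above are how that UTM policy is attached to a security policy. The fragment below is an added example written for this page, not CSO's generated configuration: the object, profile, and policy names are assumptions, the list values are the examples from Table 127, and the exact hierarchy varies between Junos OS releases, so verify it against `show security utm` on the target release. It shows the point the tables leave implicit: the whitelist/blacklist objects do nothing until a feature profile references them, the feature profiles do nothing until a UTM policy binds them to protocols, and the UTM policy does nothing until a permit policy in the right zone context invokes it.

```junos
security {
    utm {
        custom-objects {
            /* Assumed object names; values are the examples from Table 127 */
            url-pattern {
                blocked-sites {
                    value [ www.example1.com www.example2.com ];
                }
                allowed-sites {
                    value www.example3.net;
                }
                spam-blacklist {
                    value john@example.net;
                }
                spam-whitelist {
                    value user@example.net;
                }
            }
            custom-url-category {
                cust-block {
                    value blocked-sites;
                }
                cust-allow {
                    value allowed-sites;
                }
            }
            filename-extension {
                blocked-ext {
                    value [ exe pdf js ];
                }
            }
            protocol-command {
                blocked-cmds {
                    value [ put mput ];
                }
            }
        }
        feature-profile {
            anti-spam {
                /* Whitelist is checked before blacklist, as the Note in Table 127 states */
                address-whitelist spam-whitelist;
                address-blacklist spam-blacklist;
                sbl {
                    profile as-local {
                        no-sbl-default-server;
                        spam-action block;
                    }
                }
            }
            content-filtering {
                profile cf-profile {
                    block-extension blocked-ext;
                    block-command blocked-cmds;
                    block-content-type {
                        activex;
                        exe;
                    }
                }
            }
            web-filtering {
                type juniper-local;
                juniper-local {
                    profile wf-local {
                        default permit;
                        category {
                            cust-block {
                                action block;
                            }
                            cust-allow {
                                action permit;
                            }
                        }
                    }
                }
            }
        }
        /* Bind each profile to the protocols it inspects (Content Filter Apply To) */
        utm-policy utm-pol {
            anti-spam {
                smtp-profile as-local;
            }
            content-filtering {
                http-profile cf-profile;
            }
            web-filtering {
                http-profile wf-local;
            }
        }
    }
    policies {
        /* The UTM policy only takes effect on sessions this permit policy matches */
        from-zone left to-zone right {
            policy policy-1 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-smtp ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy utm-pol;
                        }
                    }
                }
            }
        }
    }
}
```

Two caveats for anyone relying on this: an HTTP profile inspects cleartext HTTP only, so TLS sessions pass the web and content filters untouched unless SSL proxy is also configured on the vSRX, and `default permit` in the local web-filtering profile means an unlisted site is allowed, so a blacklist-only profile is a denylist, not an allowlist.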