vSRX VNF Configuration Settings

You can configure the vSRX VNF from Services > Service Name > Overview > Service Configuration. Your service provider usually configures base settings for the virtual machine (VM) in which the virtualized network function (VNF) resides, and you configure settings for the service, such as policies.

Note: A vSRX firewall virtualized network function (VNF) is always part of a service chain for a network service on a CPE device.

Use the information in the following tables to provide values for the available settings:

Table 264: Fields for the vSRX Base Settings

 

Field

Description

Host Name

For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no limit on the number of characters and accepts letters, numbers, and symbols.

Example: vm-vsrx

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

Loopback Address

Specify an IPv4 loopback address for the management interface of the VM.

Example: 192.0.2.25

DNS Servers

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.

Example: 192.0.2.35

NTP Servers

Specify the FQDNs or IP addresses of one or more NTP servers.

Example: 192.0.2.45

Syslog Servers

Specify the FQDNs or IP addresses of one or more system log servers.

Example: 192.0.2.55

Enable Re-filter

Select True to enable a stateless firewall filter that protects the Routing Engine from denial-of-service (DoS) attacks, or False to leave the filter disabled, which leaves the Routing Engine exposed to DoS attacks.

Example: True

Enable Default Screens

For a cloud site, select True to enable the default screens security profile for the destination zone or False to disable default screening.

Example: False

You cannot configure this setting for an on-premise site.

Time Zone

Specify the time zone for the VM.

Example: UTC

Right Interface

Specify the identifier of the VM interface that transmits data.

Example: ge-0/0/1

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

Left Interface

Specify the identifier of the VM interface that receives data.

Example: ge-0/0/0

For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure this setting.

SNMP Prefix List

If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for SNMP operations when it discovers the vSRX VNF.

Example: 10.0.2.0/24

Ping Prefix List

If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for ping operations when it discovers the vSRX VNF.

Example: 10.0.2.1/24

Space Servers

If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the Junos Space Virtual Appliances.

Example: 10.0.2.50

Table 265: Fields for the vSRX Firewall Settings

 

Field

Description

Policy Name

Specify the name of the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.

Example: policy-1

Source Zone

Select the security zone from which packets originate.

  • left—Interface that transmits data to the host

  • right—Interface that receives data transmitted from the host

Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Example: left

Destination Zone

Select the security zone to which packets are delivered.

  • left—Interface that transmits data to the host

  • right—Interface that receives data transmitted from the host

Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Example: right

Source Address

Specify the source IP address prefixes that the network service uses as match criteria for incoming traffic.

To add source addresses:

  1. Click the Source Address column.

    The source-address page appears.

  2. Select any to match packets from any source IP address, or ipp to match a specific source IP prefix for which the application enforces the policy.
  3. If you select ipp, specify a prefix.
  4. Click OK.

Example: 10.0.2.30

Destination Address

Specify the destination IP address prefixes that the network service uses as match criteria for outgoing traffic.

To add a destination address:

  1. Click the Destination Address column.

    The destination-address page appears.

  2. Select any to match packets to any destination IP address, or ipp to match a specific destination IP prefix for which the application enforces the policy.
  3. If you select ipp, specify a prefix.
  4. Click OK.

Example: 192.0.2.0/24

Action

Select permit to transmit packets that match the rule or deny to drop packets that match the rule.

Example: permit

Application

Specify the applications to which the policy applies. The applications are based on protocols and ports.

To specify applications:

  1. Click the Application column.

    The application page appears.

  2. In the allowed_apps field, select any to match any application or app to choose specific applications.

    If you select app, press and hold the Ctrl key and click the required applications from the drop-down list.

    • junos-tcp-any

    • junos-udp-any

    • junos-ftp

    • junos-http

    • junos-https

    • junos-icmp-all

    • junos-icmp-ping

    • junos-telnet

    • junos-tftp

  3. Click OK.

Example:

  • junos-tcp-any

  • junos-udp-any
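The field constraints in the firewall settings table can be checked before a rule is entered in the portal. The Python linter below is an added example, not Juniper's code: the dictionary keys, the function names, and the review findings it reports (host bits set in a prefix, a permit rule with any source, destination and application, cleartext applications) are assumptions made for illustration.

```python
import ipaddress

# Allowed values as listed in the firewall settings table on this page.
ZONES = {"left", "right"}
ACTIONS = {"permit", "deny"}
APPS = {"junos-tcp-any", "junos-udp-any", "junos-ftp", "junos-http",
        "junos-https", "junos-icmp-all", "junos-icmp-ping",
        "junos-telnet", "junos-tftp"}
BROAD = {"junos-tcp-any", "junos-udp-any"}   # match every port of a protocol
CLEARTEXT = {"junos-ftp", "junos-telnet", "junos-tftp"}  # unencrypted protocols

def check_prefix(field, value, findings):
    """Accept 'any' or an IPv4 prefix; report host bits set below the mask."""
    if value == "any":
        return
    try:
        net = ipaddress.IPv4Network(value, strict=False)
    except ValueError:
        findings.append(f"{field}: {value!r} is not an IPv4 prefix")
        return
    if "/" in value and value.split("/")[0] != str(net.network_address):
        findings.append(f"{field}: {value} has host bits set; network is {net}")

def lint_rule(rule):
    """Return review findings for one rule (the dict keys are hypothetical)."""
    findings = []
    for field in ("source_zone", "destination_zone"):
        if rule[field] not in ZONES:
            findings.append(f"{field}: {rule[field]!r} is not left or right")
    if rule["action"] not in ACTIONS:
        findings.append(f"action: {rule['action']!r} is not permit or deny")
    for field in ("source_address", "destination_address"):
        check_prefix(field, rule[field], findings)
    apps = rule["applications"]          # "any" or a list of application names
    selected = set() if apps == "any" else set(apps)
    for app in sorted(selected - APPS):
        findings.append(f"applications: {app!r} is not in the documented list")
    if rule["action"] == "permit":
        wide = apps == "any" or selected & BROAD
        if wide and rule["source_address"] == rule["destination_address"] == "any":
            findings.append("permit with any source, destination and application")
        for app in sorted(selected & CLEARTEXT):
            findings.append(f"applications: {app} permits a cleartext protocol")
    return findings

# Constructed sample input: the example values from the table above.
PAGE_EXAMPLE = {"source_zone": "left", "destination_zone": "right",
                "source_address": "10.0.2.30", "action": "permit",
                "destination_address": "192.0.2.0/24",
                "applications": ["junos-tcp-any", "junos-udp-any"]}
```

Calling lint_rule(PAGE_EXAMPLE) returns an empty list; changing the rule to any source, any destination and any application with permit produces a finding.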