Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Installing Policy Enforcer with KVM

    The Policy Enforcer Virtual Appliance Release 17.1R2 and later can be deployed on qemu-kvm (KVM) Release 1.5.3-105.el7 or later which is on CentOS Release 6.8 or later.

    Note: Juniper Networks does not provide any support for installing and configuring the KVM server. You must install the virtual appliance image and configure it as per the recommended specifications for the virtual appliance. Juniper Networks will provide support only after the Policy Enforcer Virtual Appliance has booted successfully.

    The prerequisites to deploy a Policy Enforcer Virtual Appliance on a KVM server are as follows:

    • Knowledge about configuring and installing a KVM server.
    • The KVM server and supported packages must be installed on a CentOS machine with the required kernels and packages. For information about installing a KVM server and supported packages on CentOS, refer to http://wiki.centos.org/HowTos/KVM.
    • The Virtual Machine Manager (VMM) client must be installed on your local system.
    • You use virt-manager or virt-install to install Policy Enforcer VMs. See your host OS documentation for complete details on these packages.

    The following are the minimum requirements for installing the Policy Enforcer VM.

    • 1 CPU
    • 8-GB RAM
    • 120-GB disk space

    This topic includes:

    Installing Policy Enforcer with virt-manager

    You can install and launch Policy Enforcer with the KVM virt-manager GUI package.

    Ensure that sure you have already installed KVM, qemu, virt-manager, and libvirt on your host OS.

    To install Policy Enforcer with virt-manager:

    1. Download the Policy Enforcer KVM image from the Juniper software download site.
    2. On your host OS, type virt-manager. The Virtual Machine Manager appears.

      Note: You must have admin rights on the host OS to use virt-manager.

    3. Click Create a new virtual machine. The New VM wizard appears .
    4. Enter a name for the virtual machine, select Import existing disk image, and click Forward.
    5. Browse to the location of the downloaded Policy Enforcer image and select it.
    6. Select Linux from the OS type list and select Show all OS options from the Version list.
    7. Select Red Hat Enterprise Linux 6 or later from the expanded Version list and click Forward.
    8. Set the RAM to 8192 MB and set CPUs to 1. Click Forward.
    9. Under Advanced Options, select Specify shared device name and enter the name of the bridge (typically br0) into the text box.
    10. Click Finish. The VM manager creates the virtual machine and launches the Policy Enforcer console.

    Installing Policy Enforcer with virt-install

    The virt-install and virsh tools are CLI alternatives to installing and managing Policy Enforcer VMs on a Linux host.

    Ensure that sure you have already installed KVM, qemu, virt-install, and libvirt on your host OS.

    Note: You must have root access on the host OS to use the virt-install command.

    To install Policy Enforcer with virt-install:

    1. Download the Policy Enforcer KVM image from the Juniper software download site.
    2. On your host OS, use the virt-install command with the mandatory options listed in Table 1.

      Note: See the official virt-install documentation for a complete description of available options.

      Table 1: virt-install Options

      Command Option

      Description

      --name name

      Name the Policy Enforcer VM.

      --ram megabytes

      Allocate RAM for the VM, in megabytes.

      --cpu cpu-model, cpu-flags

      Enable the vmx feature for optimal throughput. You can also enable aes for improved cryptographic throughput.

      Note: CPU flag support depends on your host OS and CPU.

      Use virsh capabilities to list the virtualization capabilities of your host OS and CPU.

      --vcpus number

      Allocate the number of vCPUs for the Policy Enforcer VM.

      --disk path

      Specify disk storage media and size for the VM. Include the following options:

      • size=gigabytes
      • device=disk
      • bus=ide
      • format=qcow2

      --os-type os-type

      --os-variant os-type

      Configure the guest OS type and variant.

      --import

      Create and boot the Policy Enforcer VM from an existing image.

      The following example creates a Policy Enforcer VM with 8192 MB RAM, 1 vCPUs, and disk storage up to 120 GB:

      hostOS# virt-install --name vPEM --ram 8192 --cpu SandyBridge,+vmx,-invtsc --vcpus=1 --arch=x86_64 --disk path=/mnt/pe.qcow2,size=120,device=disk,bus=ide,format=qcow2 --os-type linux --os-variant rhel6 --import

    Configuring Policy Enforcer Settings

    By default, when you create the Policy Enforcer VM through virt-manager or virt-install, the console window appears for you to set up and configure the Policy Enforcer settings. You can open the console at any time after the initial configuration to review or edit your settings.

    To configure Policy Enforcer settings:

    1. Log in to your virtual machine using root and abc123 as the username and password, respectively. You will be required to change the password at a later step.

      The welcome page appears.

    2. Click OK.

      The End User License Agreement (EULA) window appears.

    3. Click Accept to acknowledge the EULA. If you do not agree with the EULA, click Cancel. Your configuration will stop and you will return to the main vSphere Client page.

      The Network configuration page appears. See Figure 1.

      Figure 1: Defining the Basic Network Configuration Settings

      Defining the Basic Network Configuration
Settings
    4. Enter the following configuration information.

      Option

      Description

      Hostname

      Enter the hostname for the Policy Enforcer virtual machine; for example, pe.juniper.net.

      IP address

      Enter the IP address for the Policy Enforcer virtual machine.

      Note: Make note of this IP address as you’ll need it in a later step.

      Network mask

      Enter the netmask for the Policy Enforcer virtual machine.

      Default gateway

      Enter the IP address of the default gateway that connects your internal network to external networks.

      Primary DNS server

      Enter the IP address of your primary system registered to join the Domain Name System (DNS).

      Secondary DNS server

      Enter the IP address of a secondary DNS server. Policy Enforcer uses this address only when the primary DNS server is unavailable.

      Skip DNS servers check

      Select this check box if you do not want to check basic network settings. By default, the system will ping the gateway to ensure it receives a response indicating your settings are correct.

    5. Click Apply Changes.

      Your network settings are applied. A progress window indicates the status.

      When the system is finished updating your network settings, an NTP server window appears and prompts you to configure the NTP server list. See Figure 2.

      Figure 2: Prompt for Configuring the NTP Servers

      Prompt for Configuring
the NTP Servers
    6. Click Yes to customize the NTP server list. Click No to use the default list of 0, 1, 2 and 3.centos.pool.ntp.org.
    7. (Optional) Specify the NTP servers to use. See Figure 3. Click Apply Changes to accept your edits, Clear All to clear all fields in this window, or Cancel to discard any edits and continue to the next step.

      Figure 3: Configuring the NTP Servers

      Configuring the NTP Servers

      The Customer Information page appears. See Figure 4.

    8. Enter your customer ID. This is your SiteID tied to your support account, that entitles you to use Policy Enforcer. If you don’t have a support account with Juniper, then enter any unique 4-128 alphanumeric field (for example cust01) to identify this installation of Policy Enforcer.

      Figure 4: Entering Customer Information

      Entering Customer Information
    9. Click OK.

      The Root password change page appears. See Figure 5.

      Figure 5: Changing the Root Password

      Changing the Root Password
    10. Enter and re-enter a new administrator password for the Policy Enforcer virtual machine.

      Password restrictions are listed in the screen.

      Note: Make note of this password as you’ll need it in a later step.

      If you forget your password, see CentOS root password reset instructions.

    11. Click OK.

      The Juniper Networks Policy Enforcer page appears. See Figure 6.

      Figure 6: Reviewing and Changing Your Configuration Settings.

      Reviewing and Changing Your Configuration
Settings.
    12. Select one of the options and press Enter.

      Option

      Description

      Review configuration and finish setup

      Lets you review the configuration settings you defined one last time before applying them to the Policy Enforcer virtual machine.

      We recommend that you do not change your configuration settings after Policy Enforcer is set up within Security Director.

      Change...

      Select a setting to update its value.

      Troubleshooting menu

      Lets you ping the default gateway and custom IP address and lets you perform a DNS lookup to verify that your settings are correct.

      The Review configuration page appears. See Figure 7.

      Figure 7: Reviewing Your Configuration Settings

      Reviewing Your Configuration Settings
    13. Review your configuration settings and click Finish setup. To change any of the settings, click Change configuration.

      When you click Finish setup, the configuration settings are applied to the Policy Enforcer virtual machine. A status page indicates the progress.

      When done, the Setup Complete page appears.

    14. Click Finish to return to the main vSphere Client page.

      Note: Each time you log in to the Policy Enforcer virtual machine, you are given the option to review or change any of these settings.

    Connecting to the KVM Management Console

    By default, when you create the Policy Enforcer VM the console window appears for you to set up and configure the Policy Enforcer settings. You can open the console at any time after the initial configuration to review or edit your settings. To do this, you must have the virt-manager package or virsh installed on your host OS.

    To connect to the Policy Enforcer console using virt-manager:

    1. Launch virt-manager.
    2. Highlight the Policy Enforcer VM you want to connect to from the list of VMs displayed.
    3. Click Open.
    4. Select View>Text Consoles>Serial 1. The Policy Enforcer console appears.

    To connect to the Policy Enforcer console with virsh:

    1. Use the virsh console command on the Linux host OS. For example:
      user@host# virsh console PE-kvm-2
      Connected to domain PE-kvm-2
    2. The Policy Enforcer console appears.

    Modified: 2017-09-28