Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment
Use the following procedures to deploy the vSRX as an advanced security service virtual machine (VM) in the VMware NSX-T environment. The vSRX VM is deployed in conjunction with Juniper Networks Junos Space Security Director and VMware NSX-T Manager.
Create a Security Group
You can create a security group by using the VMware NSX-T Manager. Each security group is a logical collection of objects which include VMs that you want to be members in the same security group and to which you will apply the vSRX as a Juniper security service. You can apply an advanced security service policy to all the objects contained in a security group.
To create a security group:
- Log in to the VMware NSX-T Manager.
- Select Inventory > Groups.
- Click ADD GROUP icon to create a new security group that contains the specific VMs you want as members of the same group, as shown in Figure 1.
- Type a group name and then click Set members.
- On the Select Members page, define the criteria that an object must meet for it to be added to the security group you are creating. You can define a dynamic group membership criteria for the VMs that are to be part of each security group. For example, VM membership in a security group can be tagged by name. You define the exact membership criteria that you want to use to group VMs. Group membership is associated dynamically at runtime.
- Click Apply to complete creating the security group.
Discover the NSX-T Manager and Register vSRX as a Security Service
The NSX-T Manager is added as a device in Security Director, and its inventory is synchronized with Security Director.
Ensure that SNMP is disabled in Security Director while performing device discovery for the vSRX agent VM. If SNMP is enabled in Security Director, the vSRX agent VM discovery operation fails.
To discover the NSX-T Manager from Security Director:
- Select Security Director > Devices > NSX Managers.
The NSX Managers page appears.
- Click the Add icon (+) to add the NSX Manager
to Security Director.
The Add NSX Manager page appears, as shown in Figure 2.
- In the NSX Manager section, enter the following information:
Name—Enter the name of the NSX Manager.
Host—Enter the IP address of the NSX Manager.
Port—Enter the port number of the NSX Manager. The NSX Manager and Security Director use SSL to communicate on TCP port 443.
Username, Password—Enter the username and password of the NSX Manager that are required for communication to be authenticated by the Security Director.
Description—Enter a description for the NSX Manager you are to add to the Security Director.
NSX-T is the successor to the NSX-V product. VMware NSX-T is the latest generation of VMware’s network virtualization product series.
- Click Next.
- In the Service Manager Registration section, enter the
following details about the Security Director:
SD Username, SD Password—Enter the username and password of Security Director to allow the NSX-T Manager to authenticate communication to the Security Director.
License Key—Enter the license key for the previously procured Juniper SDSN for NSX license (see Juniper SDSN for VMware NSX Licensing for details).
- Click Next.
- In the vCenter Server section, click the + icon to add
vCenter servers. Provide the following details on the Associate vCenter
Host—Enter the IP address of the VMWare vCenter Server.
Port—Enter the port number of the VMWare vCenter Server. By default, 443 is used.
Username, Password—Enter the username and password of the VMware vCenter Server. Security Director uses these credentials to discover the vCenter Server and fetch the VM inventory details.
- Click Finish.
The Summary page of configuration changes appears. Click OK to add the NSX-T Manager. When you return to the NSX Managers page, you will see the discovered NSX-T Manager listed.
After adding the NSX-T Manager, you must register the vSRX VM as a Juniper security service with the NSX-T Manager.
To register the vSRX instance as a Juniper security service:
- Select the NSX-T Manager for which service needs to be
registered, right-click or from the More list, select Register
The Register Security Service page appears, as shown in Figure 3.
- In the Service Name field, enter the name of the Juniper security service.
- From the vSRX OVF URL list, select the available vSRX OVF image that you copied to the Policy Enforcer machine.
- In the vSRX Root Password field, enter the root password of the vSRX instance. The same root password will be set for all the vSRX instances deployed in NSX.
- Select the firewall type as North-South. This is the perimeter
firewall for the north-south traffic. This provides a consistent north-south
security for members of the security groups, if the members move across
By default, the firewall type is East-West.
- Click Register.
A confirmation message indicates whether the registration is successful or not.
The vSRX is added as a network service that can be deployed by the NSX-T Manager.
In the VMware NSX-T Manager, verify the following:
Select System > Service Deployments and then select the CATALOG tab. Verify that the service name provided while registering the Security Service is listed in the table (the newly registered vSRX VM) as shown in Figure 4.
The NSX-T Manager and its inventory are now synchronized with the Security Director. All shared objects (such as security groups) are synchronized between the NSX-T Manager and Security Director. The shared objects include the IP addresses of all VMs, including the vSRX agent VMs. Security Director creates a dynamic address group(DAG) for each security group synchronized from the NSX-T Manager, along with the addresses of each member of the security group.
After you register a Juniper security service in the NSX-T Manager, the NSX-T Manager uses the vSRX agent VM to communicate the service status. The NSX-T Manager transmits messages to Security Director when any changes or activities are happening in the NSX-T Manager that are related to the Juniper security service.
If the firewall type is East-West, after registering the security service, you must add a service segment, service profile, and a service chain.
Navigate to Security > Network Introspection Settings and do the following:
In the SERVICE SEGMENT tab, add a service segment:
- Click ADD SERVICE SEGMENT.
- Enter the service segment name.
- Select the transport zone.
- Select the Tier0/Tier1 gateway to which the service segment is connected.
- Click SAVE.
In the Service Profiles tab, add a service profile:
- Select the partner service.
It is the service name used while registering the service in Security Director.
- Click ADD SERVICE PROFILE.
- Enter the service profile name.
- Select the vendor template.
- Click Save.
In the Service Chains tab, add a service chain:
- Click ADD CHAIN.
- Enter the service chain name.
- Select the service segment.
- Click the Set Forward Path link.
The Set Forward Path page is displayed.
- Click ADD PROFILE IN SEQUENCE, select a service
profile and click SAVE.
The service profile is mapped in the forward path.
- Click SAVE.
Deploy vSRX as a Security Service
The next step is to deploy the Juniper security service.
To deploy the vSRX agent VM as a security service:
- Select System > Service Deployments and then click the DEPLOYMENT tab.
- Select the partner service as the registered service and
then click Deploy Service.
- Enter the service deployment name.
- Select the attachment point as Tier1 gateway or Tier 0 gateway.
- Select the Compute Manager as vCenter.
- Select the Cluster on which the vSRX agent VM is to be
For East-West traffic, the deployment type can be host based or cluster based.
- Select the datastore on which to allocate shared storage for the vSRX agent VM.
- Click Set and then provide the network details such as, primary interface network, primary interface IP, primary gateway address, primary subnet mask and click Save.
- Click SAVE to deploy the vSRX agent VM as a
The Security Director automatically discovers all the deployed vSRX VM agents by using the device-initiated discovery. A new firewall and IPS group policies are created and all devices are assigned to these group policies.
The Security Director creates predefined IPS policies with a single IPS template. You can either add more IPS templates or convert the predefined IPS policies to custom IPS policies.
You must register different service for each service deployment.
Verify vSRX Agent VM Deployment in Security Director
In Security Director, based on the NSX Manager discovery, NSX security groups are automatically synchronized with Security Director. For each service group in NSX Manager, Security Director creates a corresponding dynamic address group.
To verify that the vSRX agent VMs have been deployed:
- Select Security Director > Devices > NSX Managers.
The NSX Managers page appears with the discovered NSX Manager and the vSRX instance registered as a new service.
- Select Security Director > Monitor > NSX Inventory > Security Groups.
The Security Groups page appears listing all the security groups obtained from NSX and the corresponding dynamic address groups created by the Security Director.
- Select Security Director > Monitor > vCenter Server Inventory > Virtual Machines.
The Virtual Machines page appears, listing the VMs that are dynamically fetched by the associated vCenter, as shown in Figure 5. You can view the security groups associated with each VM. Also, you can view security groups associated with each VM.
Automatic Creation of Security Policy in the NSX-T Environment to Direct Traffic Through the vSRX Agent VMs
After you deploy vSRX agent VM security services, security policies are automatically created to redirect any network traffic originating from the VMs in a specific security group to the Juniper security service vSRX agent VM for further analysis.
To direct the traffic to the vSRX agent VMs by using the automatically created security policies:
- In Security Director, install the IPS signature to all the vSRX VM agents.
- On the Firewall and IPS Policies page, add new rules to the automatically created firewall or IPS policies with respective dynamic address groups. You can also use the application firewalls in the firewall rules.
- After creating policy rules, publish and update the firewall and IPS policies.
- After the firewall and IPS policies are successfully updated
in the Security Director, log in to the VMware NSX-T Manager to verify
the security policies.
Select Security > Network Introspection (N-S). The security policies are automatically created from Security Director, as shown Figure 6.
In the case of East-West traffic, you must select Security > Network Introspection (E-W).
When you return to Security Director > Devices > Security Devices, you can view the active configuration for the vSRX agent VMs, as shown in Figure 7.
The NSX-T Manager is aware of the security groups that the Juniper security service monitors. If any changes occur in the security group, the NSX-T Manager notifies Security Director about those changes. If membership changes, NSX-T Manager notifies Security Director of the changes and Security Director updates its database based on the new membership.