Configuring Multi Tenancy Logical Systems

Logical system enables you to partition a single device in to secure contexts. It allows you to virtually divide a supported SRX Series devices, securing them from intrusion and attacks, and protecting them from false conditions outside their own context. Each logical system has its own discrete administrative domain, logical interfaces, routing interfaces, security firewall and other security features.

An SRX Series device with a multitenant logical systems device, can give various departments, organizations, customers, and partners a private use of the portion of its resource and a private view of the device. Using logical systems, you can share system and underlying physical machine resources among discrete user logical systems and the master logical system.

Root users can switch to Logical system context by navigating to Configure>Multi tenancy>Logical systems or Tenants page and selecting any one listed instance and clicking Enter LSYS or Enter TENANT,

Roles supported for Logical system and Tenant

J-Web supports the following roles with respect to Logical system and tenant.

Root user in normal mode
Root user entering into a Logical system
Logical system administrator
Logical system read-only user
Root user entering as tenant
Tenant administrator
Tenant read-only user

Note Tenant administrator and read-only users are created from Tenant wizard by selecting appropriate roles.

If you have opened J-Web in multiple tabs in the browser, and if in one of the tab you switch mode to Logical system or Tenant, then the other instances of J-Web in the other tabs will automatically switch to Logical system or Tenant.

J-Web maintains different session for different protocols, such as http or https.

When you refresh the screen, you will not be logged out; instead the screen is refreshed, and you will continue in the same session.

Procedure

Select Configure>Multi Tenancy>Logical Systems.
The Logical Systems page appears. Table 1 explains the contents of this page.
Click one:
- Enter LSYS — Enter the selected logical system. Table 2 explains the content of this page.
- More— select this option to view the logical system details.
- Add icon (+)— Create a new logical system. Enter information as specified in Table 3.
- Edit icon (/)— Edit the selected logical system. Enter information as specified in Table 3.
- Delete icon (X)—Deletes the selected logical system.
- Search icon— Enables you to search a logical system in the grid.
- Show Hide Column Filter icon —Enables you to show or hide a column in the grid.
Click Commit icon at the top of the J-Web page. The following commit options are displayed.
- Commit—Commits the configuration and returns to the main configuration page.
- Compare—Enables you to compare the current configuration with the previous configuration.
- Discard—Discards the configuration changes you performed in the J-Web.
- Preferences—There are two tab:
  Commit preferences—You can choose to just validate or validate and commit the changes.
  Confirm commit timeout (in min) —You can select the commit timeout interval.

Note During the report generation if you switch context, then a confirmation message is displayed. Click Yes to stop the report generation and to switch the context. Click No to continue to generate the report and not to switch context.

Table 1: Logical System profile page

Field	Function
Name	Displays the name of the logical system.
Resource Profile	Displays the name of the resource profile.
Users	Displays the logical system admin and users.
Assigned Interfaces	Displays the assigned logical interfaces.
Refresh	Displays manual refresh option must be used to refresh the above data.

Table 2: Enter LSYS page options

Field	Function	Action
Select Widget	Specifies the following widgets: Logical System Profile. Logical System CPU Profile. Logical System FW No Hits.	Drag and drop a widget to add it to your dashboard. Once widgets are added to the dashboard, they can be edited, refreshed, or removed by hovering over the widget header and selecting the option. The manual refresh option must be used to refresh the widget data.
Add Tabs	Specify to add the dashboards	Select (+) option to add a dashboard.

Field

Function

Action

Select Widget

Specifies the following widgets:

Logical System Profile.
Logical System CPU Profile.
Logical System FW No Hits.

Drag and drop a widget to add it to your dashboard. Once widgets are added to the dashboard, they can be edited, refreshed, or removed by hovering over the widget header and selecting the option. The manual refresh option must be used to refresh the widget data.

Add Tabs

Specify to add the dashboards

Select (+) option to add a dashboard.

Table 3: Create-Edit the Logical System

Field	Function	Action
General
Name	Displays the logical system name of a selected Resource Profile. Only one Resource Profile can be selected, per logical system.	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.
Create-Edit the security Profiles Click one: Add icon (+)— Adds Resource Profiles. Edit icon (/)— Edits the selected Resource Profiles. Delete icon (X) — Deletes the selected Resource Profiles. Search icon—Enables you to search a Resource Profile in the grid. Filter icon — Enables you to filter the selected option in the grid. Show Hide Column Filter icon—Enables you to show or hide a column in the grid.
Profile Name	Displays the name of the security profile.	Enter a unique string with an alphanumeric character and can include underscores; no spaces allowed; 31-character maximum.
IPS Policy	Specify the IPS Policy.	Select the IPS Policy
Resource Name
nat-pat-portnum	Specify the maximum quantity and the reserved quantity of ports for the logical system as part of its security profile.	—
dslite-softwire-initiator	Specify the number of IPv6 dual-stack lite (DS-Lite) softwire initiators that can connect to the softwire concentrator configured in either a user logical system or the master logical system.	—
cpu	Specify the percentage of CPU utilization that is always available to a logical system.	—
appfw-rule	Specify the number of application firewall rule configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems.	—
nat-interface-port-ol	Specify the number of application firewall rule set configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems.	—
nat-rule-referenced-prefix	Specify the security NAT interface port overloading the quota of a logical system.	—
nat-port-ol-ipnumber	Specify the number of NAT port overloading IP number configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-cone-binding	Specify the number of NAT cone binding configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-static-rule	Specify the number of NAT static rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-destination-rule	Specify the number of NAT destination rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-source-rule	Specify the NAT source rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-nopat-address	Specify the number of NAT without port address translation configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-pat-address	Specify the number of NAT with port address translation (PAT) configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-destination-pool	Specify the number of NAT destination pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
nat-source-pool	Specify the NAT source pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
flow-gate	Specify the number of flow gates, also known as pinholes that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
flow-session	Specify the number of flow sessions that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
policy	Specify the number of security policies with a count that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
security-log-stream-number	Specify the Security log stream number quota of a logical system.	—
scheduler	Specify the number of schedulers that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
zone	Specify the zones that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
auth-entry	Specify the number of firewall authentication entries that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.	—
appfw-profile	Specify the application firewall profile quota of a logical system.	—
address-book	Specify the entries in the address book. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, DNS names, wildcard addresses, and address range.	—
Reserved	Specify reserved quota that guarantees that the resource amount specified is always available to the logical system.	—
Maximum	Specify the maximum allowed quota.	—
Users Click one: Add icon (+) — Create users. Edit icon (/) — Edit the selected users. Delete icon (X)— Delete the selected users.
Create-Edit users
User Name	Displays the user name.	Maximum length is 64 characters.
Role	Specify the role of the user form the following options: Logical System Administrator Read only Access User Note: LSYS Read Only user can only view the options but cannot modify them.	Select any one option from the drop down list.
Password	Specify the password for the user.	Select a password which is more than 6 characters but less than 128 characters.
Confirm Password	Confirm the password.	Confirm the set password.
Interfaces Click One: Enable/Disable — Enable or disable the physical interface. Add icon (+) — Add logical interfaces. Edit icon (/) —Edit the selected users. Delete icon (X)— Delete the selected users.
Create-Edit logical interfaces
Physical Interface Name	Displays the name of the Physical Interface.	Select a physical interface name from the grid.
Logical Interface Unit	Displays the logical Interface Unit	Enter the logical interface unit.
Description	Displays the description.	Enter the description.
VLAN ID	Displays the VLAN ID.	Enter the VLAN ID. VLAN ID is mandatory.
IPV4 Address	IPV4 Address	Enter a valid IP address.
Subnet Mask	Subnet Mask	Enter a valid subnet mask.
IPV6 Address	IPV6 Address	Enter a valid IP address.
Zones Click One: Enable/Disable — Enable or disable the physical interface. Add icon (+) — Create security zones. Edit icon (/) —Edit the selected security zones. Delete icon (X)— Delete the selected security zone.
Create-Edit Security Zones
Name	Displays the name of the zones.	Enter a valid name of the zone.
Description	Displays the description of the zones.	Enter a description of the zone.
Application Tracking	Displays the application tracking support to the zone.	Enables the application tracking support.
Selected interface	Displays the selected interface.	Select an interface.
System service options	Select system services from the following options: all - Specify all system services. any-service - Specify services on entire port range.. appqoe- Specify the APPQOE active probe service. bootp - Specify the Bootp and dhcp relay agent service. dhcp - Specify the Dynamic Host Configuration Protocol. dhcpv6- Enable Dynamic Host Configuration Protocol for IPV6. dns- Specify the DNS service. finger- Specify the finger service. ftp- Specify the FTP protocol. http – Specify the web management using HTTP. https- Specify the web management using HTTP secured by SSL. ident-reset- Specify the send back TCP RST IDENT request for port 113. ike- Specify the Internet key exchange. lsping-Specify the Label Switched Path ping service. netconf- Specify the NETCONF Service. ntp - Specify the network time protocol service. ping – Specify the internet control message protocol. r2cp-Enable Radio-Router Control Protocol service. reverse-ssh-Specify the reverse SSH Service. reverse-telnet-Specify the reverse telnet Service. rlogin-Specify the Rlogin service rpm-Specify the Real-time performance monitoring. rsh-Specify the Rsh service. snmp- Specify the Simple Network Management Protocol Service. snmp-trap- Specify the Simple Network Management Protocol trap. ssh-Specify the SSH service. tcp-encap-Specify the TCP encapsulation service. telnet-Specify the Telnet service. tftp-Specify the TFTP traceroute-Specify the traceroute service. webapi-clear-text-Specify the Webapi service using http. webapi-ssl-Specify the Webapi service using HTTP secured by SSL. xnm-clear-text-Specify the JUNOScript API for unencrypted traffic over TCP. xnm-ssl- Specify the JUNOScript API Service over SSL.	—
Protocols Options	Select a protocol from the following options: bfd - Bidirectional Forwarding Detection. bgp - Broder Gateway protocol. dvmrp - Distance Vector Multicast Routing Protocol. igmp - Internet group management protocol. ldp - label Distribution Protocol. msdp- Multicast source discovery protocol. nhrp- Next Hop Resolution Protocol. ospf- Open shortest path first. ospf3- Open shortest path first version 3. pgm – Pragmatic General Multicast. pim- Protocol independent multicast. rip- Routing information protocol. ripng- Routing information protocol next generation. router-discovery- Router Discovery. rsvp- Resource reservation protocol. sap - Session Announcement Protocol. vrrp – Virtual Router redundancy protocol.	—
Traffic Control Options	Specify the TCP Reset.	Send RST for NON-SYN packet not matching TCP session.

Help us to improve. Rate this article.

Feedback Received. Thank You!

Multi Tenancy

Configuring Multi Tenancy Resource Profiles