
Configuring Multi Tenancy Logical Systems

Logical systems enable you to partition a single device into secure contexts. They allow you to virtually divide a supported SRX Series device, securing the contexts from intrusion and attacks, and protecting them from false conditions outside their own context. Each logical system has its own discrete administrative domain, logical interfaces, routing interfaces, security firewall, and other security features.

An SRX Series device running multitenant logical systems can give various departments, organizations, customers, and partners private use of a portion of its resources and a private view of the device. Using logical systems, you can share system and underlying physical machine resources among discrete user logical systems and the master logical system.

Root users can switch to a logical system or tenant context by navigating to Configure>Multi tenancy>Logical systems or the Tenants page, selecting one of the listed instances, and clicking Enter LSYS or Enter TENANT.

Roles supported for Logical system and Tenant

J-Web supports the following roles with respect to Logical system and tenant.

Note: Tenant administrator and read-only users are created from the Tenant wizard by selecting the appropriate roles.

If you have J-Web open in multiple browser tabs and you switch to Logical system or Tenant mode in one tab, the J-Web instances in the other tabs automatically switch to Logical system or Tenant mode as well.

J-Web maintains different sessions for different protocols, such as HTTP or HTTPS.

When you refresh the screen, you will not be logged out; instead the screen is refreshed, and you will continue in the same session.

Procedure

  1. Select Configure>Multi Tenancy>Logical Systems.

    The Logical Systems page appears. Table 1 explains the contents of this page.

  2. Click one:
    • Enter LSYS — Enter the selected logical system. Table 2 explains the content of this page.

    • More — Select this option to view the logical system details.

    • Add icon (+) — Create a new logical system. Enter information as specified in Table 3.

    • Edit icon (/) — Edit the selected logical system. Enter information as specified in Table 3.

    • Delete icon (X) — Deletes the selected logical system.

    • Search icon — Enables you to search for a logical system in the grid.

    • Show Hide Column Filter icon — Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit — Commits the configuration and returns to the main configuration page.

    • Compare — Enables you to compare the current configuration with the previous configuration.

    • Discard — Discards the configuration changes you performed in J-Web.

    • Preferences — There are two tabs:

      Commit preferences — You can choose to just validate or validate and commit the changes.

      Confirm commit timeout (in min) — You can select the commit timeout interval.

Note: If you switch context during report generation, a confirmation message is displayed. Click Yes to stop the report generation and switch the context. Click No to continue generating the report without switching context.

Table 1: Logical System profile page

| Field | Function |
| --- | --- |
| Name | Displays the name of the logical system. |
| Resource Profile | Displays the name of the resource profile. |
| Users | Displays the logical system admin and users. |
| Assigned Interfaces | Displays the assigned logical interfaces. |
| Refresh | The manual refresh option must be used to refresh the above data. |

Table 2: Enter LSYS page options

| Field | Function | Action |
| --- | --- | --- |
| Select Widget | Specifies the following widgets: Logical System Profile, Logical System CPU Profile, Logical System FW No Hits. | Drag and drop a widget to add it to your dashboard. Once widgets are added to the dashboard, they can be edited, refreshed, or removed by hovering over the widget header and selecting the option. The manual refresh option must be used to refresh the widget data. |
| Add Tabs | Specifies that dashboards can be added. | Select the (+) option to add a dashboard. |

Table 3: Create-Edit the Logical System

Field

Function

Action

General

Name

Displays the logical system name of a selected Resource Profile. Only one Resource Profile can be selected, per logical system.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Create-Edit the security Profiles

Click one:

  • Add icon (+)— Adds Resource Profiles.

  • Edit icon (/)— Edits the selected Resource Profiles.

  • Delete icon (X) — Deletes the selected Resource Profiles.

  • Search icon—Enables you to search a Resource Profile in the grid.

  • Filter icon — Enables you to filter the selected option in the grid.

  • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

Profile Name

Displays the name of the security profile.

Enter a unique string of alphanumeric characters; underscores are allowed, spaces are not. Maximum length is 31 characters.

IPS Policy

Specify the IPS Policy.

Select the IPS Policy

Resource Name

nat-pat-portnum

Specify the maximum quantity and the reserved quantity of ports for the logical system as part of its security profile.

dslite-softwire-initiator

Specify the number of IPv6 dual-stack lite (DS-Lite) softwire initiators that can connect to the softwire concentrator configured in either a user logical system or the master logical system.

cpu

Specify the percentage of CPU utilization that is always available to a logical system.

appfw-rule

Specify the number of application firewall rule configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems.

nat-interface-port-ol

Specify the number of application firewall rule set configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems.

nat-rule-referenced-prefix

Specify the security NAT interface port overloading the quota of a logical system.

nat-port-ol-ipnumber

Specify the number of NAT port overloading IP number configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-cone-binding

Specify the number of NAT cone binding configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-static-rule

Specify the number of NAT static rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-destination-rule

Specify the number of NAT destination rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-source-rule

Specify the NAT source rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-nopat-address

Specify the number of NAT without port address translation configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-pat-address

Specify the number of NAT with port address translation (PAT) configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-destination-pool

Specify the number of NAT destination pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

nat-source-pool

Specify the NAT source pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

flow-gate

Specify the number of flow gates, also known as pinholes, that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

flow-session

Specify the number of flow sessions that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

policy

Specify the number of security policies with a count that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

security-log-stream-number

Specify the Security log stream number quota of a logical system.

scheduler

Specify the number of schedulers that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

zone

Specify the zones that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

auth-entry

Specify the number of firewall authentication entries that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

appfw-profile

Specify the application firewall profile quota of a logical system.

address-book

Specify the entries in the address book. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, DNS names, wildcard addresses, and address ranges.

Reserved

Specify reserved quota that guarantees that the resource amount specified is always available to the logical system.

Maximum

Specify the maximum allowed quota.

Users

Click one:

  • Add icon (+) — Create users.

  • Edit icon (/) — Edit the selected users.

  • Delete icon (X)— Delete the selected users.

Create-Edit users

User Name

Displays the user name.

Maximum length is 64 characters.

Role

Specify the role of the user from the following options:

  • Logical System Administrator

  • Read only Access User

    Note: LSYS Read Only user can only view the options but cannot modify them.

Select any one option from the drop down list.

Password

Specify the password for the user.

Select a password which is more than 6 characters but less than 128 characters.

Confirm Password

Confirm the password.

Confirm the set password.

Interfaces

Click One:

  • Enable/Disable — Enable or disable the physical interface.

  • Add icon (+) — Add logical interfaces.

  • Edit icon (/) —Edit the selected users.

  • Delete icon (X)— Delete the selected users.

Create-Edit logical interfaces

Physical Interface Name

Displays the name of the Physical Interface.

Select a physical interface name from the grid.

Logical Interface Unit

Displays the logical interface unit.

Enter the logical interface unit.

Description

Displays the description.

Enter the description.

VLAN ID

Displays the VLAN ID.

Enter the VLAN ID. VLAN ID is mandatory.

IPV4 Address

IPV4 Address

Enter a valid IP address.

Subnet Mask

Subnet Mask

Enter a valid subnet mask.

IPV6 Address

IPV6 Address

Enter a valid IP address.

Zones

Click One:

  • Enable/Disable — Enable or disable the physical interface.

  • Add icon (+) — Create security zones.

  • Edit icon (/) —Edit the selected security zones.

  • Delete icon (X)— Delete the selected security zone.

Create-Edit Security Zones

Name

Displays the name of the zones.

Enter a valid name of the zone.

Description

Displays the description of the zones.

Enter a description of the zone.

Application Tracking

Displays the application tracking support to the zone.

Enables the application tracking support.

Selected interface

Displays the selected interface.

Select an interface.

System service options

Select system services from the following options:


  • all - Specify all system services.

  • any-service - Specify services on entire port range.

  • appqoe - Specify the APPQOE active probe service.

  • bootp - Specify the Bootp and dhcp relay agent service.

  • dhcp - Specify the Dynamic Host Configuration Protocol.

  • dhcpv6 - Enable Dynamic Host Configuration Protocol for IPV6.

  • dns - Specify the DNS service.

  • finger - Specify the finger service.

  • ftp - Specify the FTP protocol.

  • http - Specify the web management using HTTP.

  • https - Specify the web management using HTTP secured by SSL.

  • ident-reset - Specify the send back TCP RST IDENT request for port 113.

  • ike - Specify the Internet key exchange.

  • lsping - Specify the Label Switched Path ping service.

  • netconf - Specify the NETCONF Service.

  • ntp - Specify the network time protocol service.

  • ping - Specify the internet control message protocol.

  • r2cp - Enable Radio-Router Control Protocol service.

  • reverse-ssh - Specify the reverse SSH Service.

  • reverse-telnet - Specify the reverse telnet Service.

  • rlogin - Specify the Rlogin service.

  • rpm - Specify the Real-time performance monitoring.

  • rsh - Specify the Rsh service.

  • snmp - Specify the Simple Network Management Protocol Service.

  • snmp-trap - Specify the Simple Network Management Protocol trap.

  • ssh - Specify the SSH service.

  • tcp-encap - Specify the TCP encapsulation service.

  • telnet - Specify the Telnet service.

  • tftp - Specify the TFTP.

  • traceroute - Specify the traceroute service.

  • webapi-clear-text - Specify the Webapi service using http.

  • webapi-ssl - Specify the Webapi service using HTTP secured by SSL.

  • xnm-clear-text - Specify the JUNOScript API for unencrypted traffic over TCP.

  • xnm-ssl - Specify the JUNOScript API Service over SSL.

Protocols Options

Select a protocol from the following options:

  • bfd - Bidirectional Forwarding Detection.

  • bgp - Border Gateway Protocol.

  • dvmrp - Distance Vector Multicast Routing Protocol.

  • igmp - Internet Group Management Protocol.

  • ldp - Label Distribution Protocol.

  • msdp - Multicast Source Discovery Protocol.

  • nhrp - Next Hop Resolution Protocol.

  • ospf - Open Shortest Path First.

  • ospf3 - Open Shortest Path First version 3.

  • pgm - Pragmatic General Multicast.

  • pim - Protocol Independent Multicast.

  • rip - Routing Information Protocol.

  • ripng - Routing Information Protocol next generation.

  • router-discovery - Router Discovery.

  • rsvp - Resource Reservation Protocol.

  • sap - Session Announcement Protocol.

  • vrrp - Virtual Router Redundancy Protocol.

Traffic Control Options

Specify the TCP Reset.

Send RST for NON-SYN packet not matching TCP session.
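
The "System service options" row in Table 3 mixes encrypted management services with cleartext ones and with the catch-all options `all` and `any-service`. The following audit is an added example, not part of the original guide or of J-Web: it reads a configuration exported in Junos `set` format and reports, per logical system and zone, which host-inbound services are cleartext or catch-all. The function and constant names, the `master` label for lines without a `logical-systems` scope, the cleartext classification, and the sample lines are assumptions made for illustration.

```python
import re

# Options from the page's "System service options" list that carry logins or
# management traffic unencrypted (editor's classification, not Juniper's).
CLEARTEXT = {"telnet", "reverse-telnet", "rlogin", "rsh", "ftp", "tftp",
             "finger", "http", "webapi-clear-text", "xnm-clear-text"}
# Options that open every service at once, the cleartext ones included.
CATCH_ALL = {"all", "any-service"}

# Junos "set"-format line for zone- or interface-level host-inbound services,
# with or without a leading "logical-systems <name>" scope.
LINE_RE = re.compile(
    r"^set\s+(?:logical-systems\s+(?P<lsys>\S+)\s+)?security\s+zones\s+"
    r"security-zone\s+(?P<zone>\S+)\s+(?:interfaces\s+(?P<ifl>\S+)\s+)?"
    r"host-inbound-traffic\s+system-services\s+(?P<svc>\S+)(?P<rest>.*)$")

# Constructed sample input; logical system, zone and interface names are made up.
SAMPLE = """\
set logical-systems LSYS-A security zones security-zone trust host-inbound-traffic system-services ssh
set logical-systems LSYS-A security zones security-zone trust host-inbound-traffic system-services telnet
set logical-systems LSYS-A security zones security-zone untrust interfaces ge-0/0/1.100 host-inbound-traffic system-services all
set logical-systems LSYS-A security zones security-zone untrust interfaces ge-0/0/1.100 host-inbound-traffic system-services http except
set logical-systems LSYS-B security zones security-zone mgmt host-inbound-traffic system-services https
set security zones security-zone dmz host-inbound-traffic system-services xnm-clear-text
"""

def audit(config_text):
    """Return sorted (lsys, zone, interface, service, reason) findings."""
    findings = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["rest"].split()[:1] == ["except"]:
            continue  # "<service> except" carves a service out of "all"
        svc = m["svc"]
        if svc in CATCH_ALL:
            reason = "catch-all"
        elif svc in CLEARTEXT:
            reason = "cleartext"
        else:
            continue
        findings.append((m["lsys"] or "master", m["zone"], m["ifl"] or "-", svc, reason))
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("{:8} zone={:8} if={:14} {:18} {}".format(*f))
```

A zone that still shows `all` after its `except` lines are taken into account remains a finding, because every service not explicitly excepted stays reachable on that zone or interface.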
