A logical system enables you to partition a single device into secure contexts. It allows you to virtually divide a supported SRX Series device, securing them from intrusion and attacks, and protecting them from false conditions outside their own context. Each logical system has its own discrete administrative domain, logical interfaces, routing interfaces, security firewall, and other security features.
An SRX Series device running multitenant logical systems can give various departments, organizations, customers, and partners private use of a portion of its resources and a private view of the device. Using logical systems, you can share system and underlying physical machine resources among discrete user logical systems and the master logical system.
Root users can switch to a logical system or tenant context by navigating to the Configure>Multi tenancy>Logical systems or Tenants page, selecting one of the listed instances, and clicking Enter LSYS or Enter TENANT.
Roles supported for Logical system and Tenant
J-Web supports the following roles with respect to Logical system and tenant.
Root user in normal mode
Root user entering into a Logical system
Logical system administrator
Logical system read-only user
Root user entering as tenant
Tenant administrator
Tenant read-only user
Note: Tenant administrators and read-only users are created from the Tenant wizard by selecting the appropriate roles.
If you have J-Web open in multiple browser tabs and you switch mode to Logical system or Tenant in one tab, the J-Web instances in the other tabs automatically switch to Logical system or Tenant as well.
J-Web maintains a different session for each protocol, such as HTTP or HTTPS.
When you refresh the screen, you will not be logged out; instead the screen is refreshed, and you will continue in the same session.
The Logical Systems page appears. Table 1 explains the contents of this page.
Enter LSYS—Enter the selected logical system. Table 2 explains the content of this page.
More—Select this option to view the logical system details.
Add icon (+)—Create a new logical system. Enter information as specified in Table 3.
Edit icon (/)—Edit the selected logical system. Enter information as specified in Table 3.
Delete icon (X)—Deletes the selected logical system.
Search icon—Enables you to search for a logical system in the grid.
Show Hide Column Filter icon—Enables you to show or hide a column in the grid.
Click the Commit icon at the top of the J-Web page. The following commit options are displayed.
Commit—Commits the configuration and returns to the main configuration page.
Compare—Enables you to compare the current configuration with the previous configuration.
Discard—Discards the configuration changes you performed in J-Web.
Preferences—There are two tabs:
Commit preferences—You can choose to just validate or validate and commit the changes.
Confirm commit timeout (in min)—You can select the commit timeout interval.
Note: If you switch context during report generation, a confirmation message is displayed. Click Yes to stop the report generation and switch the context. Click No to continue generating the report without switching context.
Table 1: Logical System profile page
Field | Function |
---|---|
Name | Displays the name of the logical system. |
Resource Profile | Displays the name of the resource profile. |
Users | Displays the logical system admin and users. |
Assigned Interfaces | Displays the assigned logical interfaces. |
Refresh | Displays the manual refresh option, which must be used to refresh the above data. |
Table 2: Enter LSYS page options
Field | Function | Action |
---|---|---|
Select Widget | Specifies the following widgets: | Drag and drop a widget to add it to your dashboard. Once widgets are added to the dashboard, they can be edited, refreshed, or removed by hovering over the widget header and selecting the option. The manual refresh option must be used to refresh the widget data. |
Add Tabs | Specify to add the dashboards | Select (+) option to add a dashboard. |
Table 3: Create-Edit the Logical System
Field | Function | Action |
---|---|---|
General | ||
Name | Displays the logical system name of a selected Resource Profile. Only one Resource Profile can be selected, per logical system. | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters. |
Create-Edit the Security Profiles | Click one: | |
Profile Name | Displays the name of the security profile. | Enter a unique string of alphanumeric characters, which can include underscores. No spaces are allowed; maximum length is 31 characters. |
IPS Policy | Specify the IPS Policy. | Select the IPS Policy. |
Resource Name | ||
nat-pat-portnum | Specify the maximum quantity and the reserved quantity of ports for the logical system as part of its security profile. | — |
dslite-softwire-initiator | Specify the number of IPv6 dual-stack lite (DS-Lite) softwire initiators that can connect to the softwire concentrator configured in either a user logical system or the master logical system. | — |
cpu | Specify the percentage of CPU utilization that is always available to a logical system. | — |
appfw-rule | Specify the number of application firewall rule configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems. | — |
nat-interface-port-ol | Specify the number of application firewall rule set configurations that a master administrator can configure for a master logical system or user logical system when the security profile is bound to the logical systems. | — |
nat-rule-referenced-prefix | Specify the security NAT interface port overloading quota of a logical system. | — |
nat-port-ol-ipnumber | Specify the number of NAT port overloading IP number configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-cone-binding | Specify the number of NAT cone binding configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-static-rule | Specify the number of NAT static rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-destination-rule | Specify the number of NAT destination rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-source-rule | Specify the NAT source rule configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-nopat-address | Specify the number of NAT without port address translation configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-pat-address | Specify the number of NAT with port address translation (PAT) configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-destination-pool | Specify the number of NAT destination pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
nat-source-pool | Specify the NAT source pool configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
flow-gate | Specify the number of flow gates, also known as pinholes, that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
flow-session | Specify the number of flow sessions that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
policy | Specify the number of security policies with a count that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
security-log-stream-number | Specify the Security log stream number quota of a logical system. | — |
scheduler | Specify the number of schedulers that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
zone | Specify the zones that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
auth-entry | Specify the number of firewall authentication entries that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems. | — |
appfw-profile | Specify the application firewall profile quota of a logical system. | — |
address-book | Specify the entries in the address book. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, DNS names, wildcard addresses, and address range. | — |
Reserved | Specify reserved quota that guarantees that the resource amount specified is always available to the logical system. | — |
Maximum | Specify the maximum allowed quota. | — |
Users | Click one: | |
Create-Edit users | ||
User Name | Displays the user name. | Maximum length is 64 characters. |
Role | Specify the role of the user from the following options: | Select any one option from the drop-down list. |
Password | Specify the password for the user. | Select a password which is more than 6 characters but less than 128 characters. |
Confirm Password | Confirm the password. | Confirm the set password. |
Interfaces | Click one: | |
Create-Edit logical interfaces | ||
Physical Interface Name | Displays the name of the Physical Interface. | Select a physical interface name from the grid. |
Logical Interface Unit | Displays the logical interface unit. | Enter the logical interface unit. |
Description | Displays the description. | Enter the description. |
VLAN ID | Displays the VLAN ID. | Enter the VLAN ID. VLAN ID is mandatory. |
IPV4 Address | IPV4 Address | Enter a valid IP address. |
Subnet Mask | Subnet Mask | Enter a valid subnet mask. |
IPV6 Address | IPV6 Address | Enter a valid IP address. |
Zones | Click one: | |
Create-Edit Security Zones | ||
Name | Displays the name of the zones. | Enter a valid name of the zone. |
Description | Displays the description of the zones. | Enter a description of the zone. |
Application Tracking | Displays the application tracking support to the zone. | Enables the application tracking support. |
Selected interface | Displays the selected interface. | Select an interface. |
System service options | Select system services from the following options: | — |
Protocols Options | Select a protocol from the following options: | — |
Traffic Control Options | Specify the TCP Reset. | Send RST for NON-SYN packet not matching TCP session. |
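
The field constraints in Table 3 can be checked before a definition is entered in J-Web. The following Python pre-check is an added example, not part of the original page and not Juniper code: `validate_lsys`, the dictionary layout and the sample values are assumptions, and treating a reserved quota above the maximum as an error is a sanity check added here.

```python
import ipaddress
import re

LSYS_NAME = re.compile(r"[A-Za-z0-9:._-]{1,63}")   # Table 3, Name
PROFILE_NAME = re.compile(r"[A-Za-z0-9_]{1,31}")    # Table 3, Profile Name

def _bad_ip(value, version):
    try:
        return ipaddress.ip_address(value).version != version
    except ValueError:
        return True

def validate_lsys(spec):
    """Return a list of problems in one logical-system definition (a dict)."""
    errors = []
    if not LSYS_NAME.fullmatch(spec.get("name", "")):
        errors.append("name: invalid characters or longer than 63")
    profile = spec.get("profile", {})
    if not PROFILE_NAME.fullmatch(profile.get("name", "")):
        errors.append("profile: invalid characters or longer than 31")
    for resource, quota in profile.get("resources", {}).items():
        reserved, maximum = quota.get("reserved", 0), quota.get("maximum")
        # Assumption: a reserved (guaranteed) amount above the maximum is a mistake.
        if maximum is not None and reserved > maximum:
            errors.append(f"{resource}: reserved {reserved} > maximum {maximum}")
    for user in spec.get("users", []):
        if not 1 <= len(user.get("name", "")) <= 64:
            errors.append("user: name must be 1-64 characters")
        if not 6 < len(user.get("password", "")) < 128:
            errors.append(f"user {user.get('name')}: password length out of range")
    for ifl in spec.get("interfaces", []):
        label = f"{ifl.get('physical')}.{ifl.get('unit')}"
        if ifl.get("vlan_id") is None:
            errors.append(f"{label}: VLAN ID is mandatory")
        if "ipv4" in ifl and _bad_ip(ifl["ipv4"], 4):
            errors.append(f"{label}: invalid IPv4 address")
        if "ipv6" in ifl and _bad_ip(ifl["ipv6"], 6):
            errors.append(f"{label}: invalid IPv6 address")
    return errors

# Constructed sample definition with deliberate mistakes (not from a real device).
SAMPLE = {
    "name": "tenant a",  # contains a space
    "profile": {"name": "sp_tenant_a", "resources": {
        "flow-session": {"reserved": 5000, "maximum": 1000}}},
    "users": [{"name": "lsys-admin", "password": "short"}],
    "interfaces": [{"physical": "ge-0/0/1", "unit": 100, "ipv4": "192.0.2.300"}],
}

print("\n".join(validate_lsys(SAMPLE)))
```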