Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Security Profiles for Logical Systems

 

Security profiles for logical systems allow you to allocate resources. Security profiles specifies the number of resources to allocate to a logical system to which the security profile is bound. All system resources are allocated to master logical system and the master administrator allocates them to user logical system using security profile. For more information, see the following topics:

Understanding Logical Systems Security Profiles (Master Administrators Only)

Logical systems allow you to virtually divide a supported SRX Series device into multiple devices, isolating one from another, securing them from intrusion and attacks, and protecting them from faulty conditions outside their own contexts. To protect logical systems, security resources are configured in a manner similar to how they are configured for a discrete device. However, as the master administrator, you must allocate the kinds and amounts of security resources to logical systems. The logical system administrator allocates resources for his own logical system.

An SRX Series device running logical systems can be partitioned into user logical systems, an interconnect logical system, if desired, and the default master logical system. When the system is initialized, the master logical system is created at the root level. All system resources are assigned to it, effectively creating a default master logical system security profile. To distribute security resources across logical systems, the master administrator creates security profiles that specify the kinds and amounts of resources to be allocated to a logical system that the security profile is bound to. Only the master administrator can configure security profiles and bind them to logical systems. The user logical system administrator configures these resources for his or her logical system.

Logical systems are defined largely by the resources allocated to them, including security components, interfaces, routing instances, static routes, and dynamic routing protocols. When the master administrator configures a user logical system, he binds a security profile to it. Any attempt to commit a configuration for a user logical system without a security profile bound to it will fail.

This topic includes the following sections:

Logical Systems Security Profiles

As master administrator, you can configure a single security profile to assign resources to a specific logical system, use the same security profile for more than one logical system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series device running logical systems. When you reach the limit, you must delete a security profile and commit the configuration change before you can create and commit another security profile. In many cases fewer security profiles are needed because you might bind a single security profile to more than one logical system.

Security profiles allow you to:

  • Share the device’s resources, including policies, zones, addresses and address books, flow sessions, and various forms of NAT, among all logical systems appropriately. You can dedicate various amounts of a resource to the logical systems and allow them to compete for use of the free resources.

    Security profiles protect against one logical system exhausting a resource that is required at the same time by other logical systems. Security profiles protect critical system resources and maintain a fair level of performance among user logical systems when the device is experiencing heavy traffic flow. They defend against one user logical system dominating the use of resources and depriving other user logical systems of them.

  • Configure the device in a scalable way to allow for future creation of additional user logical systems.

You must delete a logical system’s security profile before you delete that logical system.

How the System Assesses Resources Assignment and Use Across Logical Systems

To provision a logical system with security resources, you, as a master administrator, configure a security profile that specifies for each resource:

  • A reserved quota that guarantees that the specified resource amount is always available to the logical system.

  • A maximum allowed quota. If a logical system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available—that is, if they are not allocated to other logical systems. The maximum allowed quota specifies the portion of the free global resources that the logical system can use. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. Logical systems must compete for global resources.

If a reserved quota is not configured for a resource, the default value is 0. If a maximum allowed quota is not configured for a resource, the default value is the global system quota for the resource (global system quotas are platform-dependent). The master administrator must configure appropriate maximum allowed quota values in the security profiles so the maximum resource usage of a specific logical system does not negatively impact other logical systems configured on the device. The master administrator must configure the appropriate maximum-allowed quota values in the security profiles so that the maximum resource usage of a specific logical system does not negatively impact other logical systems configured on the device.

The system maintains a count of all allocated resources that are reserved, used, and made available again when a logical system is deleted. This count determines whether resources are available to use for new logical systems or to increase the amount of the resources allocated to existing logical systems through their security profiles.

When a user logical system is deleted, its reserved resource allocations are released for use by other logical systems.

Resources configured in security profiles are characterized as static modular resources or dynamic resources. For static resources, we recommend setting a maximum quota for a resource equal or close to the amount specified as its reserved quota, to allow for scalable configuration of logical systems. A high maximum quota for a resource might give a logical system greater flexibility through access to a larger amount of that resource, but it would constrain the amount available to allocate to a new user logical system.

The difference between reserved and maximum allowed amounts for a dynamic resource is not important because dynamic resources are aged out and do not deplete the pool available for assignment to other logical systems.

The following resources can be specified in a security profile:

  • Security policies, including schedulers

  • Security zones

  • Addresses and address books for security policies

  • Application firewall rule sets

  • Application firewall rules

  • Firewall authentication

  • Flow sessions and gates

  • NAT, including:

    • Cone NAT bindings

    • NAT destination rule

    • NAT destination pool

    • NAT IP address in source pool without Port Address Translation (PAT)

      Note

      IPv6 addresses in IPv6 source pools without PAT are not included in security profiles.

    • NAT IP address in source pool with PAT

    • NAT port overloading

    • NAT source pool

    • NAT source rule

    • NAT static rule

Note

All resources except flow sessions are static.

You can modify a logical system security profile dynamically while the security profile is assigned to other logical systems. However, to ensure that the system resource quota is not exceeded, the system takes the following actions:

  • If a static quota is changed, system daemons that maintain logical system counts for resources specified in security profiles revalidate the security profile. This check identifies the number of resources assigned across all logical systems to determine whether the allocated resources, including their increased amounts, are available.

    These quota checks are the same quota checks that the system performs when you add a new user logical system and bind a security profile to it. They are also performed when you bind a different security profile from the security profile that is presently assigned to it to an existing user logical system (or the master logical system).

  • If a dynamic quota is changed, no check is performed, but the new quota is imposed on future resource usage.

Cases: Assessments of Reserved Resources Assigned Through Security Profiles

To understand how the system assesses allocation of reserved resources through security profiles, consider the following three cases that address allocation of one resource, zones. To keep the example simple, 10 zones are allocated in security-profile-1: 4 reserved zones and 6 maximum zones. This example assumes that the full maximum amount specified–six zones–is available for the user logical systems. The system maximum number of zones is 10.

These cases address configuration across logical systems. They test to see whether a configuration will succeed or fail when it is committed based on allocation of zones.

Table 1 shows the security profiles and their zone allocations.

Table 1: Security Profiles Used for Reserved Resource Assessments

Two Security Profiles Used in the Configuration Cases

security-profile-1

  • zones reserved quota = 4

  • zones maximum quota = 6

Note: Later the master administrator dynamically increases the reserved zone count specified in this profile.

master-logical-system-profile

  • zones maximum quota = 10

  • no reserved quota

Table 2 shows three cases that illustrate how the system assesses reserved resources for zones across logical systems based on security profile configurations.

  • The configuration for the first case succeeds because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 8, which is less than the system maximum resource quota.

  • The configuration for the second case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.

  • The configuration for the third case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.

Table 2: Reserved Resource Allocation Assessment Across Logical Systems

Reserved Resource Quota Checks Across Logical Systems

Example 1: Succeeds

This configuration is within bounds: 4+4+0=8, maximum capacity =10.

Security Profiles Used

  • The security profile security-profile-1 is bound to two user logical systems: user-logical-system-1 and user-logical-system-2.

  • The master-logical-system-profile profile is used exclusively for the master logical system.

  • user-logical-system-1 = 4 reserved zones.

  • user-logical-system-2 = 4 reserved zones.

  • master-logical-system = 0 reserved zones.

Example 2: Fails

This configuration is out of bounds: 4+4+4=12, maximum capacity =10.

  • user-logical-system-1 = 4 reserved zones.

  • user-logical-system-2 = 4 reserved zones.

  • master-logical-system = 0 reserved zones.

  • new-user-logical-system = 4 reserved zones.

Security Profiles

  • The security profile security-profile-1 is bound to two user logical systems: user-logical-system-1 and user-logical-system-2.

  • The master-logical-system-profile is bound to the master logical system and used exclusively for it.

  • The master administrator configures a new user logical system called new-user-logical-system and binds security-profile-1 to it.

Example 3: Fails

This configuration is out of bounds: 6+6=12, maximum capacity =10.

The master administrator modifies the reserved zones quota in security-profile-1, increasing the count to 6.

  • user-logical-system-1 = 6 reserved zones.

  • user-logical-system-2 = 6 reserved zones.

  • master-logical-system = 0 reserved zones.

Example: Configuring Logical Systems Security Profiles (Master Administrators Only)

This example shows how a master administrator configures three logical system security profiles to assign to user logical systems and the master logical system to provision them with security resources.

Requirements

The example uses an SRX5600 device running Junos OS with logical systems.

Before you begin, read SRX Series Logical Systems Master Administrator Configuration Tasks Overview to understand how this task fits into the overall configuration process.

Overview

This example shows how to configure security profiles for the following logical systems:

  • The root-logical-system logical system. The security profile master-profile is assigned to the master, or root, logical system.

  • The ls-product-design logical system. The security profile ls-design-profile is assigned to the logical system.

  • The ls-marketing-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.

  • The ls-accounting-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.

  • The interconnect-logical-system, if you use one. You must assign a dummy, or null, security profile to it.

This configuration relies on the deployment shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

Configuration

Configuring Logical System Security Profiles

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

Create three security profiles.

  1. Create the first security profile.
    1. Specify the number of maximum and reserved policies.
    2. Specify the number of maximum and reserved zones.
    3. Specify the number of maximum and reserved sessions.
    4. Specify the number of maximum and reserved ICAP redirect profiles
    5. Specify the number of maximum and reserved source NAT no-PAT addresses and static NAT rules.
    6. Enable intrusion detection and prevention (IDP). You can enable IDP only for the master (root) logical system.
    7. Bind the security profile to the logical system.
  2. Create the second security profile.
    1. Specify the number of maximum and reserved policies.
    2. Specify the number of maximum and reserved zones.
    3. Specify the number of maximum and reserved sessions.
    4. Specify the number of maximum and reserved ICAP redirect profiles
    5. Specify the number of maximum and reserved source NAT no-PAT addresses.
    6. Specify the number of maximum and reserved static NAT rules.
    7. Bind the security profile to two logical systems.
  3. Create the third security profile.
    1. Specify the number of maximum and reserved policies.
    2. Specify the number of maximum and reserved zones.
    3. Specify the number of maximum and reserved sessions.
    4. Specify the number of maximum and reserved ICAP redirect profiles
    5. Specify the number of maximum and reserved source NAT no-PAT addresses.
  4. Bind the security profile to a logical system.
  5. Bind a null security profile to the interconnect logical system.

Results

From configuration mode, confirm your configuration by entering the show system security-profile command to see all security profiles configured.

To see individual security profiles, enter the show system security-profile master-profile, the show system security-profile ls-accnt-mrkt-profile and, the show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the security resources that you allocated for logical systems have been assigned to them, follow this procedure for each logical system and for all its resources.

Verifying That Security Profile Resources Are Effectively Allocated for Logical Systems

Purpose

Verify security resources for each logical system. Follow this process for all configured logical systems.

Action

  1. Use SSH to log in to each user logical system as its user logical system administrator.

    Run SSH, specifying the IP address of your SRX Series device.

  2. Enter the login ID and password for one of the user logical systems that you created.
  3. Enter the following statement to identify the resources configured for the profile.
  4. Enter the following command at the resulting prompt. Do this for each feature configured for the profile.

Example: Configuring User Logical Systems Security Profiles

In this example, you configure the user logical systems security profiles. It provides the information about a resource allocated to the logical system in a security profile.

Note
  • SRX4100 and SRX4200 devices support logical system in both transparent and route mode.

  • SRX4600 device supports logical system in route mode only.

  • Layer 2 cross logical system traffic is not supported.

Requirements

This example uses an SRX4100 and SRX4200 devices running Junos OS with logical systems.

Before you begin:

Overview

Logical systems allow a master administrator to partition an SRX Series device into discrete contexts called user logical systems. User logical systems are self-contained, private contexts, separate both from one another and from the master logical system. A user logical system has its own security, networking, logical interfaces, routing configurations, and one or more user logical system administrators.

In this example, you configure security features for the user logical system described in Table 3. This configuration used by the user logical system administrator to display resource information for a user logical system.

Table 3: Resource Information for a User Logical System

Field Name

Field Description

MAC flags

Status of MAC address learning properties for each interface:

  • S—Static MAC address is configured

  • D—Dynamic MAC address is configured

  • L—Locally learned MAC address is configured

  • P—Persistent static

  • C—Control MAC

  • SE—MAC accounting is enabled

  • NM—Non-configured MAC

  • R—Locally learned MAC address is configured

  • O—Open vSwitch Database (OVSDB) MAC

Ethernet switching table

For learned entries, the time at which the entry was added to the Ethernet switching table.

Logical system

Name of the logical system

Routing instance

Name of the routing instance

VLAN name

Name of the VLAN

MAC address

MAC address or addresses learned on a logical interface

Age

This field is not supported

Logical interface

Name of the logical interface

RTR ID

ID of the routing device

NH Index

Software index of the next hop that is used to route the traffic for a given prefix.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure user logical systems security profiles:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.
  2. Configure a security profile and assign it to a logical-system.
  3. Set the interfaces to the appropriate interface modes and specify that the logical interface that will receive the untagged data packets is a member of the native VLAN.
  4. Create the IRB interface and assign it an address in the subnet.
  5. Create the security policy to permit traffic from the trust zone to the untrust zone and assign interfaces to each zone.
  6. Associate an IRB interface with the VLAN.

Results

From configuration mode, confirm your configuration by entering the show ethernet-switching table command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying User Logical Systems Security Profiles Configuration

Purpose

Verify security policies information.

Action

From operational mode, enter the show ethernet-switching table command.

admin@host> show ethernet-switching table

Example: Configuring Security log stream for Logical Systems

This example shows how to configure a security profiles for a logical system.

Requirements

This example uses the SRX Series devices running Junos OS with logical systems.

Before you begin:

Overview

As master administrator, you can configure a single security profile to assign resources to a specific logical system. Yo can use the same security profile for more than one logical system, or use a mix of both methods. The set logical-system LSYS1 security log command is introduced for logging support on SRX Series devices.

Configuration

Configuring Logical System Security Profiles logical-system

CLI Quick Configuration

To quickly configure this example this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Configure a security profile and specify the number of maximum and reserved policies..
  2. Assign the configured security profile to LSYS1.

Results

From configuration mode, confirm your configuration by entering the show system security-profile command to see all security profiles configured.

Verification

To confirm that the configuration is working properly, perform the below tasks:

Verifying Security Profile Resources for Logical Systems

Purpose

Verify the security resources for each logical system.

Action

From operational mode, enter the show system security-profile all-resource, show system security-profile security-log-stream-number logical-system all, show system security-profile security-log-stream-number summary, or show system security-profile security-log-stream-number detail logical-system all command to see the output:

show system security-profile all-resource

user@host> show system security-profile all-resource

Meaning

The sample outputs displays information about the resources allocated to the logical system in a security profile. For each resource specified, the number used by the logical system and the configured maximum and reserved values are displayed.

Verifying security-log-stream-number for logical-systems

Purpose

Verify the security-log-stream-number for each logical system.

Action

From operational mode, enter the show system security-profile security-log-stream-number logical-system all command to see the output:

show system security-profile security-log-stream-number logical-system all

user@host> show system security-profile security-log-stream-number logical-system all

Meaning

The sample output displays the information about a resource allocated to the logical system in a security profile with security profile name. For each resource specified, the number used by the logical system and the configured maximum and reserved values are displayed.

Verifying security-log-stream-number summary for logical-systems

Purpose

Verify the security-log-stream-number summary.

Action

From operational mode, enter the show system security-profile security-log-stream-number summary command to see the output:

show system security-profile security-log-stream-number summary

user@host> show system security-profile security-log-stream-number summary

Meaning

The sample output displays the summary information about the resource for all logical systems.

Verifying security-log-stream-number detail for logical-systems

Purpose

Verify the security-log-stream-number detail.

Action

From operational mode, enter the show system security-profile security-log-stream-number detail logical-system all command to see the output:

show system security-profile security-log-stream-number detail logical-system all

user@host> show system security-profile security-log-stream-number detail logical-system all

Meaning

The sample output displays the detailed level of output for all logical systems.