Launch cSRX in Bare-Metal Linux Server

You are now ready to launch the cSRX Container Firewall container in Docker on the Linux bare-metal server. When you start the cSRX image, you have a running container of the image. You can stop and restart the cSRX container (see Manage cSRX in Bare-Metal Linux Server), and the container retains all the settings and file system changes unless those changes are explicitly deleted. However, the cSRX loses anything in memory and all processes are restarted.

When you deploy cSRX, you must enable the SSH service and the SSH option for root login. The SSH service is not enabled by default.

To enable the SSH service, run the set system services ssh command. To allow root user login, run the set system services ssh root-login allow command.

A series of cSRX environment variables enables you to modify the operating characteristics of the cSRX container when it is launched. You can modify:

  • Traffic forwarding mode (static route or secure-wire)

  • cSRX container size (small, medium, or large)

  • Packet I/O driver (polled or interrupt)

  • CPU affinity for cSRX control and data daemons

  • Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values

  • Number of interfaces you need to add to the container. The default is 3 and the maximum is 17 (which means 1 management interface and 16 data interfaces).

Note:

Specification of an environment variable is not mandatory when launching the cSRX container; most environment variables have a default value as shown in cSRX Environment Variables Overview. You can launch the cSRX using the default environment variable settings.

To launch the cSRX container:

  1. Use the docker run command to launch the cSRX container. You include the mgt_bridge management bridge to connect the cSRX to a network.

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=<csrx-container-name> hub.juniper.net/security/<csrx-image-name>

    For example, to launch csrx2 using cSRX software image csrx:18.2R1.9, enter:

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=csrx2 hub.juniper.net/security/csrx:18.2R1.9

    Note:

    You must include the --privileged flag in the docker run command to enable the cSRX container to run in privileged mode.

  2. Connect the left and right bridges to the Docker network.

    root@csrx-ubuntu3:~/csrx# docker network connect left_bridge csrx2

    root@csrx-ubuntu3:~/csrx#

    root@csrx-ubuntu3:~/csrx# docker network connect right_bridge csrx2

    root@csrx-ubuntu3:~/csrx#

  3. Confirm that the three-bridge network has been created for the cSRX container.

    root@csrx-ubuntu3:~/csrx# docker network ls

    NETWORK ID     NAME           DRIVER    SCOPE
    80bea9207560   bridge         bridge    local
    619da6736359   host           host      local
    112ab00aab1a   left_bridge    bridge    local
    1484998f41bb   mgt_bridge     bridge    local
    daf7a5a477bd   none           null      local
    e409a4f54237   right_bridge   bridge    local

  4. Confirm that the cSRX container is listed as a running Docker container.

    root@csrx-ubuntu3:~/csrx# docker ps

    CONTAINER ID   IMAGE   COMMAND                CREATED         STATUS         PORTS             NAMES
    35e33e8aa4af   csrx    "/etc/rc.local init"   7 minutes ago   Up 7 minutes   22/tcp, 830/tcp   csrx2

  5. Confirm that the cSRX container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd.

    root@csrx-ubuntu3:~/csrx# docker top csrx2

  6. Confirm the IP address of the management interface of the cSRX container.

    root@csrx-ubuntu3:~/csrx# docker inspect csrx2 | grep IPAddress
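
The checks in steps 3 through 6 can be combined into one script that fails if the container is not running, was started without --privileged, is missing one of the three bridges, or is not running the expected processes. This is an added example, not Juniper's code; the script name check_csrx.sh and the function names are hypothetical, and process names are matched as substrings of the docker top output.

```shell
#!/bin/sh
# Added example (not from the original page): steps 3-6 as one pass/fail check.
# Bridge names and process names are the ones used on this page.

# Print the Docker networks the container is attached to, space-separated.
csrx_networks() {
    docker inspect --format \
        '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1"
}

# Print the container's address on the management bridge (default mgt_bridge).
csrx_mgmt_ip() {
    docker inspect --format \
        "{{(index .NetworkSettings.Networks \"${2:-mgt_bridge}\").IPAddress}}" "$1"
}

# Return 0 only if the container is running, privileged, attached to all three
# bridges, and running the expected Junos OS processes.
check_csrx() (
    name=$1 rc=0
    state=$(docker inspect --format \
        '{{.State.Running}} {{.HostConfig.Privileged}}' "$name" 2>/dev/null)
    case $state in
        "true true") echo "ok: $name is running in privileged mode" ;;
        "true false") echo "FAIL: $name is running without --privileged"; rc=1 ;;
        *) echo "FAIL: $name is not running"; exit 1 ;;
    esac
    nets=" $(csrx_networks "$name") "
    for net in mgt_bridge left_bridge right_bridge; do
        case $nets in
            *" $net "*) echo "ok: attached to $net" ;;
            *) echo "FAIL: not attached to $net"; rc=1 ;;
        esac
    done
    procs=$(docker top "$name")
    for p in nsd srxpfe mgd; do
        case $procs in
            *"$p"*) echo "ok: $p is running" ;;
            *) echo "FAIL: $p not found in docker top output"; rc=1 ;;
        esac
    done
    case $nets in *" mgt_bridge "*) echo "management IP: $(csrx_mgmt_ip "$name")" ;; esac
    [ "$rc" -eq 0 ]
)

# Run the checks when a container name is given, e.g.: sh check_csrx.sh csrx2
if [ "$#" -gt 0 ]; then check_csrx "$1"; fi
```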