Installing cSRX Container Firewall in a Bare-Metal Linux Server

This section outlines the steps to install the cSRX Container Firewall container in a Linux bare-metal server environment that is running Ubuntu, Red Hat Enterprise Linux (RHEL), or CentOS. The cSRX Container Firewall container is packaged in a Docker image and runs in the Docker Engine on the Linux host.

This section includes the following topics:

Before You Deploy

Before you deploy the cSRX Container Firewall as an advanced security service in a Linux container environment, ensure that you:

Confirming Docker Installation

Before you load the cSRX Container Firewall image, confirm that Docker is properly installed on the Linux host and that the Docker Engine is running.

To confirm Docker installation:

  1. Confirm that Docker is installed and running on the Linux server by using the service docker status command.

    root@csrx-ubuntu3:~# service docker status

    docker start/running, process 701

    You should also be able to run docker run hello-world and see a similar response.

    root@csrx-ubuntu3:~# docker run hello-world

  2. Verify the installed Docker Engine version by using the docker version command.
    Note: Ensure that Docker version 1.9.0 or later is installed on the Linux host.

    root@csrx-ubuntu3:~# docker version

    Client:
    Docker version 17.05.0-ce-rc1, build 2878a85
    API Version: 1.30
    Go version: go1.8.3
    Git commit: 02cid87
    Built: Fri June 23 21:17:13 2017
    OS/Arch: linux/amd64

    Server:
    Docker version 17.05.0-ce-rc1, build 2878a85
    API Version: 1.30 (minimum version 1.12)
    Go version: go1.8.3
    Git commit: 02cid87
    Built: Fri June 23 21:17:13 2017
    OS/Arch: linux/amd64
    Experimental: False
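
The two checks above can be scripted as a preflight gate. This is an added example, not part of the vendor documentation; the function names `version_ge` and `check_docker` are hypothetical. It compares version fields numerically, because a plain string comparison would rank 1.10.0 below the 1.9.0 minimum.

```shell
#!/bin/sh
# Added example: preflight check for the Docker requirements in this procedure.
MIN_DOCKER_VERSION="1.9.0"   # minimum stated in the note above

# version_ge A B: succeed if dotted version A >= B, comparing each field as a
# number. Suffixes such as "-ce-rc1" are dropped before comparing.
version_ge() {
    a=${1%%[-+~]*}; b=${2%%[-+~]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # consume leading field
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}         # keep leading digits only
        fa=${fa:-0}; fb=${fb:-0}                     # missing field counts as 0
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# check_docker: 0 = usable, 1 = too old, 2 = not installed or not running.
check_docker() {
    # The server version is only returned when the daemon is reachable, so
    # this also covers the "Docker Engine is running" check.
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "Docker Engine is not installed or not running" >&2
        return 2
    }
    if version_ge "$ver" "$MIN_DOCKER_VERSION"; then
        echo "Docker $ver meets the $MIN_DOCKER_VERSION minimum"
    else
        echo "Docker $ver is older than $MIN_DOCKER_VERSION" >&2
        return 1
    fi
}

# Run the check only when asked, e.g.: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    check_docker
fi
```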

Loading the cSRX Container Firewall Image

Once the Docker Engine is installed on the host, perform the following steps to download and start using the cSRX Container Firewall image:

  1. Download the cSRX Container Firewall software image from the Juniper Networks website. Do not change the filename of the downloaded image; the installation cannot continue if the filename has been changed.
  2. You can either download the cSRX Container Firewall image file normally using the browser or use the URL to download the image directly on your device, as in the following example:

    Run the following command to download the image to a local path by using the curl command or any other HTTP utility. The syntax for the curl command is:

    root@csrx-ubuntu3:~csrx# curl -o <file destination path> <Download link url>

    root@csrx-ubuntu3:/var/tmp# curl -o /var/tmp/images/junos-csrx-docker-20.2R1.10.img "https://cdn.juniper.net/software/csrx/20.2R1.10/junos-csrx-docker-20.2R1.10.img?SM_USER=user =1595350694_5dbf6e62442de6bf14079d05a72464d4"

  3. Locate the cSRX Container Firewall image by using the ls Linux shell command.

    root@csrx-ubuntu3:/var/tmp/images# ls

  4. Load the downloaded cSRX Container Firewall image to the local registry.

    root@csrx-ubuntu3:/var/tmp/images# docker image load -i /var/tmp/images/junos-csrx-docker-20.2R1.10.img

  5. After the cSRX Container Firewall image loads, confirm that it is listed in the repository of Docker images.

    root@csrx-ubuntu3:/var/tmp/images# docker images
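
Before step 4, the downloaded file can be checked so that only the intended image reaches `docker image load`. This is an added example, not part of the vendor documentation; the function names are hypothetical. It assumes you have a SHA-256 checksum for the image from a trusted source, and that the filename follows the `junos-csrx-docker-*.img` form shown in the example above.

```shell
#!/bin/sh
# Added example: gate "docker image load" on filename and checksum checks.

# verify_image FILE EXPECTED_SHA256
# Returns 0 if OK, 1 on checksum mismatch, 2 if the file is missing or
# empty, 3 if the filename does not have the expected form.
verify_image() {
    file=$1; expected=$2
    # The procedure requires the original filename to be kept.
    # The pattern is an assumption based on the example filename.
    case ${file##*/} in
        junos-csrx-docker-*.img) ;;
        *) echo "unexpected filename: ${file##*/}" >&2; return 3 ;;
    esac
    # curl -o without --fail also saves HTTP error bodies, so a file that
    # exists is not necessarily the image; the checksum below catches that.
    if [ ! -s "$file" ]; then
        echo "missing or empty file: $file" >&2; return 2
    fi
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# load_verified FILE EXPECTED_SHA256: load the image only after it verifies.
load_verified() {
    verify_image "$1" "$2" && docker image load -i "$1"
}

# Usage: sh load_csrx.sh /var/tmp/images/<image file> <expected sha256>
if [ "$#" -eq 2 ]; then
    load_verified "$1" "$2"
fi
```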

Creating the Linux Bridge Network for the cSRX Container Firewall

A Linux bridge is a virtual switch implemented as a kernel module. This Linux bridge is used within a Linux host to emulate a hardware bridge. Docker allows you to create a Linux bridge network and connect the cSRX Container Firewall container to this network to implement management and data processing sessions. The interfaces are created with the Linux VETH driver and are used to communicate with the Linux kernel.

This procedure describes how to create a three-bridge network for the cSRX Container Firewall container that includes: mgt_bridge (eth0), left_bridge (eth1), and right_bridge (eth2). The mgt_bridge is used by the cSRX Container Firewall for out-of-band management to accept management sessions and traffic, and the left_bridge and right_bridge are both used by the cSRX Container Firewall as the revenue ports to process in-band data traffic.

Note:

Docker automatically connects the management interface (eth0) to the Linux bridge and assigns an IP address. Interfaces eth1 and eth2 are for the in-band traffic. The cSRX Container Firewall must be bound to the Linux bridge to pass traffic.

To create a three-bridge network for a cSRX Container Firewall in the Linux host:

  1. Create the management bridge in the network.

    root@csrx-ubuntu3:~/csrx# docker network create --driver bridge mgt_bridge

    3228844986eae1d1a8d367b34b54b31b130842be072b9dcdf7da3601c95b7130

  2. Create the left bridge in the network (untrusted interface (eth1)).

    root@csrx-ubuntu3:~/csrx# docker network create --driver bridge left_bridge

    f1324b0a9072c55ababbcc51d83c83658084b67513811e13829172cccbc08e5d

  3. Create the right bridge in the network (trusted interface (eth2)).

    root@csrx-ubuntu3:~/csrx# docker network create --driver bridge right_bridge

    196bd039f7c2401df4c117ea684114548a3df0b9d406cf3cf8f17338fab96774