Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Tenant Systems Overview

A tenant system supports routing, services and security features.

Understanding Tenant Systems

A tenant system logically partitions the physical firewall into separate and isolated logical firewall. Although similar to logical systems, tenant systems have much higher scalability and fewer routing features. Each tenant system on a device allows you to control a discrete administrative domain for security services. By transforming your device into a multitenant system, you can provide various departments, organizations, customers, and partners—depending on your environment—private and logically separated use of system resources and tenant-specific views of security configuration and KPIs. A primary administrator creates and manages all the tenant systems. Figure 1 shows a single device with a primary logical system and discrete tenant systems.

Figure 1: Tenant SystemsTenant Systems

Differences Between Logical Systems and Tenant Systems

Table 1 describes the key differences between logical systems and tenant systems.

Table 1: Differences Between Logical Systems and Tenant Systems

Functionality

Logical Systems

Tenant Systems

Feature support

Supports all the routing features to provide optimal data routing paths.

Supports routing features and high-scale security virtualization to isolate customer environments.

Scalability

A maximum of 32 logical systems can be configured on a physical SRX Series device.

A maximum of 500 tenant systems can be configured on a physical SRX Series device to provide high scalability.

Routing protocol process

Every logical system needs an individual copy of the routing protocol process to logically separate the resources on a device.

The primary logical system has a single routing protocol process, which is shared by the tenant systems. Routing instances supported by this single routing protocol process achieve the security resource separation on the firewall.

Routing instance

A default routing instance is automatically created for every logical system.

Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.

Logical interface configuration

The primary administrator assigns the logical interfaces and the logical system administrator can configure the interface attributes.

A tenant system administrator cannot configure the logical interfaces. The primary administrator assigns the logical interfaces to a tenant system.

Use Cases for Logical Systems and Tenant Systems

A logical system is used when more than one virtual router is required. For example, you have multiple connections to the external network and they cannot co-exist in the same virtual router. Tenant systems are used when you need to separate departments, organization, or customers and each of them can be limited to one virtual router. The main difference between a logical system and a tenant system is that a logical system supports advanced routing functionality using multiple routing instances. In comparison, a tenant system supports only one routing instance, but supports the deployment of significantly more tenants per system.

Deployment Scenarios for Multitenant Systems

You can deploy an SRX Series device running a multitenant system in many environments such as a managed security service provider (MSSP), an enterprise network, or a branch office segment. Table 2 describes the various deployment scenarios and the roles played by the tenant systems in such scenarios.

Table 2: Deployment Scenarios with Respect to Tenant Systems

Deployment Scenarios

Roles of a Tenant System

Managed security service provider (MSSP)

  • In a managed security service provider (MSSP), each customer can be isolated from other customer to protect data privacy. Customers that require defined service level agreements (SLAs) can be be allocated memory and system resources to meet these SLAs.

  • The customer can configure distinct security policies for compliance and control per tenant system.

Enterprise network

  • A tenant system can be assigned to a workgroup, department, or other organizational construct within an enterprise.

  • A tenant system can define the distinct security policies for the enterprise workgroup, department, or other organizational construct of the enterprise.

Branch office segment

  • In a branch office, a tenant system can individually manage and segregate corporate and guest traffic.

  • Advanced security policies can be configured per tenant system; this approach allows granular control of the security policies.

  • A tenant system provides ease of management and troubleshooting.

Benefits of Tenant Systems

  • Curtail cost by reducing the number of physical devices required for your organization. You can consolidate services for various groups of users on a single device and reduce the hardware costs, power expenditure, and rack space.

  • Provide isolation and logical separation at the tenant system level. Provides the ability to separate tenant systems with administrative separation at large scale in which each tenant system can define its own security controls and restrictions without impacting other tenant systems.

Roles and Responsibilities of Primary Administrator and Tenant System Administrator

A primary administrator creates and manages all the tenant systems. A primary logical system is created at the root level and is allocated a single routing protocol process. Although this routing protocol process is shared, tenant systems enable logical resource separation on the firewall. By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the tenant system administrators.

Note:

In Junos OS command-line reference, primary logical system is referred as root logical system.

A tenant system is created that is subtended by the primary logical system. Although all the tenants under the primary logical system share a single routing process, each tenant system has a single routing instance. Table 3 describes the roles and responsibilities of the primary administrator and tenant system administrator.

Table 3: Roles and Responsibilities With Respect to Tenant Systems

Roles

Definition

Responsibilities

Primary administrator

A user account with superuser configuration and verification privileges for all logical systems and tenant systems.

  • View and access all logical systems and tenant systems.

  • Create login accounts for all the tenant systems and assign the login accounts to the appropriate tenant system.

  • Create and allocate the resources to the tenant systems.

  • Create one custom routing instance under the tenant system which acts as the default routing instance for the tenant system.

  • Create a virtual router under the tenant system and assign it to the tenant system.

  • Create logical interfaces to assign to the tenant systems.

  • Manage the tenant systems in the primary logical system.

  • Ensure duplicate names for tenant system, logs, and trace file do not exist.

Tenant system administrator

A tenant system account with all configuration and verification privileges.

Note:

The configuration and verification privileges of a tenant system administrator depends on the permission assigned to them by the primary administrator while creating the tenant system administrator. Multiple tenant system administrators can be created for a tenant system with different permission levels based on your requirement.

  • Access and view the resources of the tenant system.

  • Configure the resources allocated and routing protocols.

  • Configure schedulers, security profiles, and security features.

The following privileges are not supported by the tenant system administrator:

  • Define access restrictions and the default routing instance for the tenant system.

  • Access and view the resources of other tenant systems.

  • Modify the number of allocated resources for a tenant system.

  • Create logical interfaces, virtual router, and policy options.

Tenant System Capacity

The maximum number of tenant systems that can be created on the device are listed in Table 4.

Table 4: Tenant Systems Capacity

Platform

Logical Systems Capacity

Tenant Systems Capacity for Junos OS Release 18.3R1

Tenant Systems Capacity for Junos OS Release 18.4R1

SRX1500

32

18

50

SRX4100 and SRX4200

32

168

200

SRX4600

32

268

300

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 cards

32

32

100

SRX5400, SRX5600, and SRX5800 Series devices with SPC3 cards

32

0

500

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 and SPC3 cards

32

NA

100

Starting in Junos OS Release 18.4R1, tenant systems can be supported on an SRX5000 series security services gateway equipped with a combination of third generation service processing cards (SRX5K-SPC3) and second generation service processing cards (SRX5K-SPC-4-15-320). Prior to Junos OS Release 18.4R1, tenant systems was supported on SPC2 only.

Tenant System Configuration Overview

The primary administrator creates a tenant system and assigns an administrator for managing the tenant system. A tenant system can have multiple administrators. The roles and responsibilities of a tenant system administrator are explained in Understanding Tenant Systems.

The primary administrator configures the logical interfaces and assigns those interfaces to the tenant system. Configure one routing instance and the routing protocols, and add options for the routing instance. See Configuring a Routing Instance for a Tenant System.

Tenant systems have their own configuration database. After successful configuration, the changes are merged to the primary database for each tenant systems. Multiple tenant systems can perform configuration changes at a time. You can commit the changes for only one tenant at a time. If the primary administrator and a tenant system administrator performs configuration changes simultaneously, the configuration changes performed by the primary administrator override the configuration changes performed by the tenant system administrator.

The following steps explain the tasks that the tenant system administrator performs to configure the security features in a tenant system:

  1. Use the SSH service to access the device, and then log in to the tenant system with the login ID and password provided by the primary administrator.

    After you are authenticated, the presence of the “>” prompt indicates that you accessed to the CLI operational mode. The prompt is preceded by a string that contains the username, the hostname of the device, and the name of the tenant system. When the CLI starts, you are at the top level in operational mode.

  2. Access the configuration mode by entering the configure command.
  3. Enter the quit command to exit the configuration mode and return to the CLI operational mode.
  4. Configure the following security features in the tenant system as necessary:

Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch

This example shows how to create tenant systems, tenant system administrators, and an interconnect VPLS switch. Only the primary administrator can create user login accounts for tenant system administrators and interconnect VPLS switch.

Requirements

This example uses the following hardware and software components:

  • SRX Series device configured with tenant systems.

  • Junos OS Release 18.3R1 and later releases.

  • Before you begin creating the tenant systems, tenant system administrators, and an interconnect VPLS switch, read Tenant Systems Overview to understand how this task fits into the overall configuration process.

Overview

This example shows how to create the tenant systems TSYS1, TSYS2, and TSYS3, and the tenant system administrators for them. You can create multiple tenant system administrators for a tenant system with different permission levels based on your requirements.

This topic also covers the interconnect virtual private LAN service (VPLS) switch connecting one tenant system to another on the same device. The VPLS switch enables both transit traffic and traffic terminated at a tenant system to pass between tenant systems. To allow traffic to pass between tenant systems, logical tunnel (lt-0/0/0) interfaces should be configured in the same subnet.

Topology

The Figure 2 shows an SRX Series device deployed and configured for tenant systems. The configuration examples reflect this deployment.

Figure 2: Creating Tenant Systems and Interconnect VPLS SwitchCreating Tenant Systems and Interconnect VPLS Switch

Configuration

Configuring Tenant Systems, Tenant System Administrators, and Interconnect VPLS Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Create the first tenant system TSYS1 and define its first administrator.

    Step-by-Step Procedure
    1. Create the tenant system TSYS1.

    2. Assign the user login class to the tenant system.

    3. Assign all level permission to the login class, which allows full access to the tenant system administrator.

    4. Create a tenant system administrator and assign a full name to the tenant system administrator.

    5. Associate the administrator login class with the tenant system administrator to allow the administrator to log in to the tenant system.

    6. Create a user login password for the first tenant system administrator.

  2. Configure second tenant system administrator for the first tenant system.

    Step-by-Step Procedure
    1. Configure the user login class and assign it to the tenant system.

    2. Assign the view level permission to the login class, which allows the login class to view the tenant system resources and settings but not change them.

    3. Create second tenant system administrator and assign a full name to the tenant system administrator.

    4. Associate the login class with the tenant system administrator to allow the tenant system administrator to log in to the tenant system.

    5. Create a user login password for the second tenant system administrator.

  3. Create the second tenant system TSYS2 and define its first administrator.

    Step-by-Step Procedure
    1. Create the tenant system TSYS2.

    2. Assign the user login class to the tenant system.

    3. Assign all level permission to the login class, which allows full access to the tenant system administrator.

    4. Create a tenant system administrator and assign a full name to the tenant system administrator.

    5. Associate the administrator login class with the tenant system administrator to allow the administrator to log in to the tenant system.

    6. Create a user login password for the first tenant system administrator.

  4. Configure the second tenant system administrator for the second tenant system.

    Step-by-Step Procedure
    1. Configure the user login class and assign it to the second tenant system.

    2. Assign the view level permission to the login class, which allows the login class to view the tenant system resources and settings but not change them.

    3. Create second tenant system administrator and assign a full name to the tenant system administrator.

    4. Associate the login class with the tenant system administrator to allow the tenant system administrator to log in to the tenant system.

    5. Create a user login password for the second tenant system administrator.

  5. Create the third tenant system TSYS3 and define its first administrator.

    Step-by-Step Procedure
    1. Create the tenant system TSYS3.

    2. Assign the user login class to the tenant system.

    3. Assign all level permission to the login class, which allows full access to the tenant system administrator.

    4. Create a tenant system administrator and assign a full name to the tenant system administrator.

    5. Associate the administrator login class with the tenant system administrator to allow the administrator to log in to the tenant system.

    6. Create a user login password for the first tenant system administrator.

  6. Configure second tenant system administrator for the third tenant system.

    Step-by-Step Procedure
    1. Configure the user login class and assign it to the tenant system.

    2. Assign the view level permission to the login class, which allows the login class to view the tenant system resources and settings but not change them.

    3. Create second tenant system administrator and assign a full name to the tenant system administrator.

    4. Associate the login class with the tenant system administrator to allow the tenant system administrator to log in to the tenant system.

    5. Create a user login password for the second tenant system administrator.

  7. Configure an interfaces for VPLS switch.

  8. Configure a routing instance for VPLS switch and assign logical tunnel interfaces.

Results

From configuration mode, confirm your configuration by entering the show tenants command to verify that the tenant system is created. Enter the show system login class command to view the permission level for each class that you defined. To ensure that the tenant system administrators are created, enter the show system login user command. To ensure that the lt-0/0/0 interfaces for interconnect VPLS switch are created, enter the show interfaces lt-0/0/0 command.

If the output does not display the intended configuration, repeat the configuration instructions in these examples to correct it. If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Tenant Systems and Login Configurations Using Primary Administrator

Purpose

Verify that the tenant systems exist and you can enter them from root as the primary administrator. Return from the tenant system to the root.

Action

From operational mode, use the following command to enter the tenant systems TSYS1:

Now you are entered to the tenant systems TSYS1. Use the following command to exit from tenant systems TSYS1 to the root:

Meaning

Tenant system exists and you can enter to the tenant system from the root as the primary administrator.

Verifying Tenant Systems and Login Configurations Using SSH

Purpose

Verify that the tenant systems you created exist, and that the administrator login IDs and passwords that you created are correct.

Action

Use SSH to log in to each user tenant system administrator.

  1. Run SSH specifying the IP address of your SRX Series device.

  2. Enter the login ID and password for the tenant systems administrator that you created. After you log in, the prompt shows the tenant systems administrator name. Notice how this result differs from the result produced when you log in to the tenant system from the primary logical system at root. Repeat this procedure for all of your tenant systems.

Meaning

Tenant system administrator TSYS1admin1 exists and you can login as the tenant system administrator.

Configuring a Routing Instance for a Tenant System

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. A set of interfaces that belong to the routing instance and the routing protocol parameters control the information in the routing instance. A tenant system can configure the assigned routing instance and the interfaces that belong to the routing instance within a tenant system.

Note:

Only one routing instance can be created for a tenant system.

The following procedure describes the steps to configure a routing instance and interfaces in a routing table for a tenant system:

  1. Create a tenant system named TSYS1.
  2. Create a routing instance r1 and assign the routing instance type for the tenant system.
  3. Specify the interface name for the routing instance.
  4. Specify the routing option for the routing instance.
  5. Commit the configuration.

To view the configuration for the tenant system TSYS1, run the show tenants TSYS1 command.

The show tenants TSYS1 command displays all the routing instance parameters configured for the tenant system TSYS1.

Example: Configuring Tenant Systems

This example shows how to configure the logical interfaces, routing instance, zones, and the default security policies for a tenant system.

Requirements

This example uses the following hardware and software components:

  • SRX Series device configured with the tenant system.

  • Junos OS Release 18.3R1 and later releases.

Before you begin:

Overview

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. Logical interfaces on a device are allocated among the tenant systems by the primary administrator. The primary administrator can configure the interface and its attributes for the tenant system interfaces. This example shows how the TSYS1 tenant system administrator configures the routing instance, security policies, and security zones for the TSYS1 tenant system.

Table 5 provides the parameters used in this example.

Table 5: Tenant System Configuration

Feature

Name

Configuration Parameters

Routing instance

VR1

  • Instance type: virtual router

  • Includes interfaces ge-0/0/2.0 and ge-0/0/4.0

  • Static routes:

    • 192.0.2.1/24 next-hop 198.51.100.0/24

Zones

trust

Bind to interface ge-0/0/2.0

 

untrust

Bind to interface ge-0/0/4.0

Policies

default-policy

Permit all traffic

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a tenant system:

  1. Log in to the tenant system as the administrator for tenant system and enter configuration mode.

  2. Configure the routing instance and assign interfaces.

  3. Configure static routes.

  4. Configure security policies.

  5. Configure security zones and assign interfaces to each zone.

Results

From configuration mode, confirm your configuration by entering the show routing-instances and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration

Purpose

Verify the security policy details of the TSYS1 tenant system.

Action

From operational mode, enter the show security policies detail command to view the details of all the security policies configured for the TSYS1 tenant system.

Meaning

The output displays the security policy details of the TSYS1 tenant system.

Understanding Routing and Interfaces for Tenant Systems

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The interfaces are used for forwarding data for the routing instance, and to learn the routing information from other peers (SRX devices) using routing protocols.

A Logical interface (IFL) can be defined at either one of the following levels:

  • Global level (root logical system)

  • User logical system level

  • Tenant system level (Starting from Release Junos OS 18.4R1)

The IFL defined at the global level can be used either in root logical system or in one of the tenant systems. The IFL defined in a tenant system can be used in that tenant system only.

Default routing instance is not available for tenant systems. So, when a custom routing instance is created for a tenant system, all the interfaces defined in that tenant system should be added to that routing instance.

Example: Configuring Routing and Interfaces for Tenant Systems

This example shows how to configure interfaces and routing instances for a tenant system.

Requirements

Before you begin:

Overview

The following procedure describes the steps to configure a routing instance and interfaces in a routing table within a tenant system.

This example configures the interfaces and routing instances described in Table 6.

Table 6: User Tenant System Interface and Routing Instance Configuration

Feature

Name

Configuration Parameters

Interface

ge-0/0/2.1

ge-0/0/2.2

ge-0/0/2.3

  • IP address 10.0.0.1/24

  • IP address 10.0.0.2/24

  • IP address 10.0.0.3/24

Routing instance

r1

r2

  • Instance type: virtual router

  • Includes interfaces ge-0/0/2.1, ge-0/0/2.3, and ge-0/0/2.2

Configuration

Procedure
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an interface and a routing instance in a user logical system:

  1. Configure the interfaces to support VLAN tagging.

  2. Configure the IFL at the root level.

  3. Create a tenant system named TSYS1.

  4. Define the Interface in the tenant system TSYS1.

  5. Create a routing instance r1 and assign the routing instance type for the tenant system.

  6. Specify the interface name for the routing instance.

  7. Create a tenant system named TSYS2.

  8. Define the Interface in the tenant system TSYS2.

  9. Create a routing instance r2 and assign the routing instance type for the tenant system.

  10. Specify the interface name for the routing instance.

  11. Commit the configuration.

Results

From configuration mode, confirm your configuration by entering the show interfaces and show tenants commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

The show tenants command displays all the interfaces that are defined in the tenant systems TSYS1 and TSYS2, and the routing instance parameters configured for both the tenant systems.

Understanding Tenant System Security Profiles (Primary Administrators Only)

Tenant systems allow you to virtually divide a supported SRX Series device into multiple devices, securing them from intrusion and attacks, and protecting them from faulty conditions outside their own contexts. To protect tenant systems, security resources are configured in a manner similar to how they are configured for a discrete device. However, the primary administrator assigns resources to the tenant systems.

An SRX Series device running tenant systems can be partitioned into tenant systems, an interconnected tenant system, if necessary, and the default primary logical system. When the system is initialized, the primary logical system is created at the root. All system resources are assigned to it, effectively creating a default primary logical system security profile. To distribute security resources across the tenant systems, the primary administrator creates security profiles that specify the resources to be allocated to a tenant system. Only the primary administrator can configure security profiles and bind them to the tenant systems. The tenant system administrator uses these resources for the respective tenant system.

The tenant systems are defined by the resources allocated to them, including security components, interfaces, routing instance, static routes, and dynamic routing protocols. The primary administrator configures the security profiles and assigns them to the tenant systems. You cannot commit a tenant system configuration without a security profile assigned to it.

This topic includes the following sections:

Tenant Systems Security Profiles

The primary administrator can configure and assign a security profile to a specific tenant system or multiple tenant systems. The maximum number of security profiles that can be configured depends on the capacity of an SRX Series device. When the maximum number of security profiles have been created, you need to delete a security profile and commit the configuration change before you can create and commit another security profile. In many cases, fewer security profiles are needed because you can bind a single security profile to more than one tenant system.

Security profiles allow you to:

  • Share the device’s resources, including policies, zones, addresses and address books, flow sessions, and various forms of NAT, among all tenant systems appropriately. You can assign various amounts of a resource to the tenant systems and allow the tenant systems to utilize the resources effectively.

    Security profiles protect against one tenant system exhausting a resource that is required at the same time by other tenant systems. Security profiles protect critical system resources and maintain a better performance among tenant systems when the device is experiencing a heavy traffic flow. Security profiles defend against one tenant system dominating the use of resources and allow the other tenant systems to use the resources effectively.

  • Configure the device in a scalable way to allow for creation of additional tenant systems.

You need to delete the security profile of a tenant system before you can delete the tenant system.

Understanding How the System Assesses Resources Assignment and Use Across the Tenant Systems

To provision a tenant system with security features, the primary administrator configures a security profile that specifies the resource for each security feature:

  • A reserved quota that guarantees that the specified resource amount is always available to the tenant system.

  • A maximum allowed quota. If a tenant system requires additional resources that exceed the reserved quota, then it can utilize the resources configured for the global maximum amount if the global resources are not allocated to the other tenant systems. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. The tenant systems need to utilize the global resources effectively based on the available resources.

If a reserved quota is not configured for a resource, the default value is 0. If a maximum allowed quota is not configured for a resource, the default value is the global system quota for the resource (global system quotas are platform-dependent). The primary administrator must configure the appropriate maximum allowed quota values in the security profiles so that the maximum resource usage of a specific tenant system does not negatively impact other tenant systems configured on the device.

The system maintains a count of all allocated resources that are reserved, used, and made available again when a tenant system is deleted. This count determines whether resources are available to use for tenant systems or to increase the amount of the resources allocated to existing tenant systems through their security profiles.

Resources configured in security profiles are characterized as static modular resources or dynamic resources. For static resources, we recommend setting a maximum quota for a resource equal or close to the amount specified as its reserved quota, to allow for scalable configuration of tenant systems. A maximum quota for a resource gives a tenant system greater flexibility through access to a larger amount of that resource, but it constrains the amount of resources available to allocate to other tenant systems.

The following security features resources can be specified in a security profile:

  • Security zones

  • Addresses and address books for security policies

  • Application firewall rule sets

  • Application firewall rules

  • Firewall authentication

  • Flow sessions and gates

  • NAT, including:

    • Cone NAT bindings

    • NAT destination rule

    • NAT destination pool

    • NAT IP address in source pool without Port Address Translation (PAT)

      Note:

      IPv6 addresses in IPv6 source pools without PAT are not included in security profiles.

    • NAT IP address in source pool with PAT

    • NAT port overloading

    • NAT source pool

    • NAT source rule

    • NAT static rule

Note:

All resources except flow sessions are static.

You can modify a tenant system security profile dynamically while the security profile is assigned to other tenant systems. However, to ensure that the system resource quota is not exceeded, the system takes the following actions:

  • If a static quota is changed, the system process that maintains the tenant system counts for resources specified in security profiles subsequently reevaluates the security profiles assigned to the profile associated with the static quota. This check identifies the number of resources assigned across all tenant systems to determine whether the allocated resources, including their increased amounts are available.

    These quota checks are the same quota checks that the system performs when you add a tenant system and bind a security profile to it. They are also performed when you bind a different security profile from the security profile that is currently assigned to it to an existing tenant system (or the primary logical system).

  • If a dynamic quota is revised, no check is performed, but the revised quota is imposed on future resource usage.

Cases: Assessments of Reserved Resources Assigned Through Security Profiles

To understand how the system assesses allocation of reserved resources through security profiles, consider the following three cases explained in Table 8 and that address allocation of the resources and zones. To keep the example simple, 10 zones are allocated in security-profile-1: 4 reserved zones and 6 maximum zones. This example assumes that the maximum amount specified—six zones—is available for the tenant systems. The system maximum number of zones is 10.

The three cases address the configuration across the tenant systems. The three cases verify whether a configuration succeeds or fails when it is committed based on the allocation of zones.

Table 7 shows the security profiles and their zone allocations.

Table 7: Security Profiles Used for Reserved Resource Assessments

Two Security Profiles Used in the Configuration Cases

security-profile-1

  • zones reserved quota = 4

  • zones maximum quota = 6

Note:

The primary administrator dynamically increases the reserved zone count specified in this profile later.

primary-logical-system-profile

  • zones maximum quota = 10

  • no reserved quota

Table 8 shows three cases that illustrate how the system assesses reserved resources for zones across the tenant systems based on the security profile configurations.

  • The configuration for the first case succeeds because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 8, which is less than the system maximum resource quota.

  • The configuration for the second case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.

  • The configuration for the third case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 12, which is greater than the system maximum resource quota.

Table 8: Reserved Resource Allocation Assessment Across Tenant Systems

Reserved Resource Quota Checks Across Tenant Systems

Example 1: Succeeds

This configuration is within bounds: 4+4+0=8, maximum capacity =10.

Security Profiles Used

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile profile is used exclusively for the primary logical system.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example 2: Fails

This configuration is out of bounds: 4+4+4=12, maximum capacity =10.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

  • new-tenant-system = 4 reserved zones.

Security Profiles

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile is bound to the primary logical system and used exclusively for it.

  • The primary administrator configures a new tenant system called new-tenant-system and binds security-profile-1 to it.

Example 3: Fails

This configuration is out of bounds: 6+6=12, maximum capacity =10.

The primary administrator modifies the reserved zones quota in security-profile-1, increasing the count to 6.

  • tenant-system-1 = 6 reserved zones.

  • tenant-system-2 = 6 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example: Configuring Tenant Systems Security Profiles (Primary Administrators Only)

This example shows how the primary administrator configures security profiles for the primary logical system and two tenant systems.

Requirements

This example uses the following hardware and software components:

  • SRX Series device configured with tenant systems.

  • Junos OS Release 18.3R1 and later releases.

Before you begin:

  • Read the Understanding Tenant Systems to understand how this task fits into the overall configuration process.

  • Read the Flow for Tenant Systems to understand how to create a tenant system, a tenant system administrator, and an interconnect tenant system.

Overview

The primary administrator creates security profiles that specify the resources to be allocated across the tenant systems. You cannot commit a tenant system configuration without a security profile assigned to it.

This example shows how to configure the security profiles for different tenant systems described in Table 9.

Table 9: Security Profiles for Logical Systems

Logical Systems

Security Profile

Primary logical system

Primary profile

Tenant system TSYS1

SP1

Tenant system TSYS2

SP2

Interconnect tenant system

Null

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Create the first security profile for the primary logical system.

    Step-by-Step Procedure
    1. Specify the number of maximum and reserved security policies.

    2. Specify the number of maximum and reserved security zones.

    3. Specify the number of maximum and reserved security sessions.

    4. Specify the number of maximum and reserved source NAT, no-PAT addresses, and static NAT rules.

    5. Specify the maximum and reserved number of resources for the firewall authentication entries.

    6. Bind the security profile to the primary logical system.

  2. Create the second security profile for the first tenant system.

    Step-by-Step Procedure
    1. Specify the number of maximum and reserved security policies.

    2. Specify the number of maximum and reserved security zones.

    3. Specify the number of maximum and reserved security sessions.

    4. Specify the number of maximum and reserved source NAT, no-PAT addresses, and static NAT rules.

    5. Specify the maximum and reserved number of resources for the firewall authentication entries.

    6. Bind the security profile to the tenant system TSYS1.

  3. Create the third security profile for the second tenant system.

    Step-by-Step Procedure
    1. Specify the number of maximum and reserved security policies.

    2. Specify the number of maximum and reserved security zones.

    3. Specify the number of maximum and reserved security sessions.

    4. Specify the number of maximum and reserved source NAT, no-PAT addresses, and static NAT rules.

    5. Specify the maximum and reserved number of resources for the firewall authentication entries.

    6. Bind the security profile to the tenant system TSYS2.

  4. Bind a null security profile to the interconnect tenant system.

Results

From configuration mode, confirm your configuration by entering the show system security-profile command to view all the configured security profiles.

To view the security profile configured for the tenant systems and the primary logical system, enter the show tenants and show logical-systems root-logical-system commands respectively.

To view the individual security profiles, enter the show system security-profile master-profile, the show system security-profile SP1, and the show system security-profile SP2 commands.

If the output does not display the intended configuration, repeat the configuration instructions in these examples to correct it. If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the security resources that you allocated for tenant systems have been assigned to them, follow this procedure for each tenant system and for all its resources.

Verify the Security Profiles Assigned to the Tenant Systems

Purpose

Verify the security resources for each tenant system. Follow this process for all the configured tenant systems.

Action
  1. Use the SSH services to access the device, and then log in to each tenant system as its administrator with the login ID and password provided by the primary administrator.

  2. Enter the following statement to identify the resources that are configured for the security profile.

  3. Enter the following command at the resulting prompt. Repeat the following step for all the security features configured in the security profiles.

Meaning

The sample output shows the security resources that are configured for each tenant system.

Release History Table
Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.