Configure vSRX Virtual Firewall Using the CLI
Understand vSRX Virtual Firewall on AWS Preconfiguration and Factory Defaults
vSRX Virtual Firewall on AWS deploys with the following preconfiguration defaults:
SSH access with the RSA key pair configured during the installation
No password access allowed for SSH access
The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX Virtual Firewall on AWS instances:
set groups aws-default system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
set groups aws-default system services ssh no-passwords
set groups aws-default system services netconf ssh
set groups aws-default system services web-management https system-generated-certificate
set groups aws-default interfaces fxp0 unit 0 family inet address aws-ip-address
set groups aws-default routing-options static route 0.0.0.0/0 next-hop aws-ip-address
set apply-groups aws-default
For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX Virtual Firewall on AWS instances:
set system root-authentication ssh-rsa "ssh-rsa XXXRSA-KEYXXXXX"
set system services ssh no-passwords
set interfaces fxp0 unit 0 family inet address aws-ip-address
set routing-options static route 0.0.0.0/0 next-hop aws-ip-address
Do not use the load factory-default command on a vSRX Virtual Firewall AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure the AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall instance.
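The lock-out risk described above (reverting to factory defaults, or loading a configuration copied from an SRX that never ran on AWS) is easy to catch before the commit. The following script is an added example, not Juniper's code: it reads a candidate configuration in Junos "set" format and reports which of the AWS preconfiguration statements listed above are absent. It accepts both the 15.1X49-D80+ form (statements inside the aws-default group, which also requires set apply-groups aws-default) and the older direct form, and it adds an advisory note when no name-server is configured, since the Add DNS Servers section below explains that Layer 7 services need DNS. The sample configurations, the RSA key, and the addresses are constructed placeholders; the function names are the example's own.

```python
"""Pre-commit check for vSRX-on-AWS preconfiguration statements (added example, not Juniper code)."""
import re

# The optional "groups aws-default" prefix covers both the group form (15.1X49-D80 and later)
# and the older direct form (15.1X49-D70 and earlier). Values such as the key and addresses
# are not checked, only that the statement exists.
_PREFIX = r"^set (?:groups aws-default )?"
REQUIRED = [
    ("root ssh-rsa key", _PREFIX + r'system root-authentication ssh-rsa "ssh-rsa \S+.*"$'),
    ("ssh no-passwords", _PREFIX + r"system services ssh no-passwords$"),
    ("fxp0 address", _PREFIX + r"interfaces fxp0 unit 0 family inet address \S+$"),
    ("default route via AWS gateway", _PREFIX + r"routing-options static route 0\.0\.0\.0/0 next-hop \S+$"),
]


def parse_set_config(text):
    """Return the non-empty, non-comment statements with runs of whitespace collapsed."""
    statements = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        statements.append(line)
    return statements


def check_aws_preconfig(text):
    """Report missing lock-out-critical statements and advisory notes for a candidate config."""
    statements = parse_set_config(text)
    missing = [label for label, pattern in REQUIRED
               if not any(re.match(pattern, s) for s in statements)]
    # Statements inside the aws-default group do nothing unless the group is applied.
    uses_group = any(s.startswith("set groups aws-default ") for s in statements)
    if uses_group and "set apply-groups aws-default" not in statements:
        missing.append("apply-groups aws-default")
    notes = []
    if not any(re.match(r"^set (?:groups \S+ )?system name-server \S+$", s) for s in statements):
        notes.append("no DNS name-server configured; Layer 7 services such as IPS need one")
    return {"missing": missing, "notes": notes, "safe_to_commit": not missing}


# Constructed sample: the group form with placeholder key and addresses, plus the
# Amazon DNS server address from the documentation.
GOOD_CONFIG = """\
set groups aws-default system root-authentication ssh-rsa "ssh-rsa AAAAB3PLACEHOLDERKEY admin@example"
set groups aws-default system services ssh no-passwords
set groups aws-default system services netconf ssh
set groups aws-default system services web-management https system-generated-certificate
set groups aws-default interfaces fxp0 unit 0 family inet address 10.0.0.10/24
set groups aws-default routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set apply-groups aws-default
set system name-server 169.254.169.253
"""

# Constructed sample: a configuration copied from another SRX that never applied the
# aws-default group and has no default route toward the AWS gateway.
COPIED_CONFIG = """\
set groups aws-default system root-authentication ssh-rsa "ssh-rsa AAAAB3PLACEHOLDERKEY admin@example"
set groups aws-default system services ssh no-passwords
set groups aws-default interfaces fxp0 unit 0 family inet address 10.0.0.10/24
set security zones security-zone trust interfaces ge-0/0/0.0
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("copied", COPIED_CONFIG)):
        result = check_aws_preconfig(cfg)
        status = "OK to commit" if result["safe_to_commit"] else "DO NOT COMMIT"
        print(f"{name}: {status}; missing={result['missing']}; notes={result['notes']}")
```

Run the script against the output of show configuration | display set (saved to a file) before you commit a reverted or copied configuration; a non-empty missing list means the management path over fxp0 would be lost.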
Add a Basic vSRX Virtual Firewall Configuration
You can either create a new configuration on vSRX Virtual Firewall or copy an existing configuration from another SRX or vSRX Virtual Firewall and load it onto your vSRX Virtual Firewall on AWS. Use the following steps to copy and load an existing configuration:
To configure a vSRX Virtual Firewall instance using the CLI:
For an example of how to configure vSRX Virtual Firewall to NAT all hosts behind the vSRX Virtual Firewall instance in the Amazon Virtual Private Cloud (Amazon VPC) to the IP address of the vSRX Virtual Firewall egress interface on the untrust zone, see Example: Configuring NAT for vSRX. This configuration allows hosts behind vSRX Virtual Firewall in a cloud network to access the Internet.
For an example of how to configure IPsec VPN between two instances of vSRX Virtual Firewall on AWS on different Amazon VPCs, see Example: Configure VPN on vSRX Between Amazon VPCs.
Add DNS Servers
vSRX Virtual Firewall does not include any DNS servers in the default configuration. You might need DNS configured to deploy Layer 7 services; IPS, for example, needs DNS to pull down signature updates. You can use your own external DNS server or use an AWS DNS server. If you enable DNS on your Amazon VPC, queries to the Amazon DNS server (169.254.169.253) or to the reserved IP address at the base of the VPC network range plus two should succeed. See AWS - Using DNS with Your Amazon VPC for complete details.
Add vSRX Virtual Firewall Feature Licenses
Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.
See Managing Licenses for vSRX for details.