Configure vSRX Virtual Firewall Using the CLI

Understand vSRX Virtual Firewall on AWS Preconfiguration and Factory Defaults

vSRX Virtual Firewall on AWS deploys with the following preconfiguration defaults:

  • SSH access with the RSA key pair configured during the installation

  • No password access allowed for SSH access

  • The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX Virtual Firewall on AWS instances:

For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX Virtual Firewall on AWS instances:

CAUTION:

Do not use the load factory-default command on a vSRX Virtual Firewall AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall instance.

Add a Basic vSRX Virtual Firewall Configuration

You can either create a new configuration on vSRX Virtual Firewall or copy an existing configuration from another SRX or vSRX Virtual Firewall and load it onto your vSRX Virtual Firewall on AWS. Use the following steps to copy and load an existing configuration:

  1. Saving a Configuration File

  2. Loading a Configuration File

To configure a vSRX Virtual Firewall instance using the CLI:

  1. Log in to the vSRX Virtual Firewall instance using SSH and start the CLI.
    Note:

    Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.

  2. Enter configuration mode.
  3. Set the authentication method for logging in to the vSRX Virtual Firewall. You can specify a password by entering either a cleartext password or an encrypted password. If you require a more robust level of authentication security, we recommend that you use an SSH public key string (DSA, ECDSA, or RSA) instead.

    or

  4. Optionally, enable passwords for SSH if you want to create password access for additional users.
  5. Configure the hostname.
  6. For each vSRX Virtual Firewall revenue interface, assign the IP address defined on AWS. For example:

    For multiple private addresses, enter a set command for each address. Do not assign the Elastic IP address.

  7. Specify a security zone for the public interface.
  8. Specify a security zone for the private interface.
  9. Configure routing to add a separate virtual router and routing option for the public and private interfaces.
    Note:

    We recommend putting the revenue (data) interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.

  10. Verify the configuration.
  11. Commit the configuration to activate it on the device.
  12. Optionally, use the show command to display the configuration to verify that it is correct.
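The following set-command listing is an added example of the procedure above (including the routing-instance note under step 9); it is not taken from this page or from Juniper's own sample configuration. The interface names (ge-0/0/0, ge-0/0/1), the private addresses and next hops, the hostname, the user name, the routing-instance names and the key string are all assumed placeholders; lines beginning with `#` are annotations for the reader.

```junos
# Added example (not from the Juniper page). Replace every address, name and
# key with the values AWS assigned to your instance.

# Step 3: SSH public-key authentication for root (preferred over passwords).
# The key string is a placeholder; paste your full public key.
set system root-authentication ssh-rsa "ssh-rsa AAAA...PLACEHOLDER... admin@example"

# Step 4 (optional): an additional user with password access. plain-text-password
# prompts interactively for the password. The AWS preconfiguration disables SSH
# password logins; it is assumed here to be the "no-passwords" knob, so delete it
# only if you really want password logins for this user.
set system login user netadmin class super-user authentication plain-text-password
delete system services ssh no-passwords

# Step 5: hostname.
set system host-name vsrx-aws-01

# Step 6: revenue interfaces receive the AWS private addresses, never the Elastic IP.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.10/24

# Steps 7 and 8: zones for the public (untrust) and private (trust) interfaces.
# Only ping is allowed inbound to the public side; management stays on fxp0.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# Step 9: keep the revenue interfaces out of inet.0 (which holds fxp0 and the
# management default route) by placing each one in its own virtual router.
# Traffic crosses between the two routers through next-table routes.
set routing-instances vr-public instance-type virtual-router
set routing-instances vr-public interface ge-0/0/0.0
set routing-instances vr-public routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set routing-instances vr-public routing-options static route 10.0.2.0/24 next-table vr-private.inet.0
set routing-instances vr-private instance-type virtual-router
set routing-instances vr-private interface ge-0/0/1.0
set routing-instances vr-private routing-options static route 0.0.0.0/0 next-table vr-public.inet.0

# Steps 10 to 12: review the candidate changes, validate, commit, then inspect.
show | compare
commit check
commit
show routing-instances
show security zones
```

Security policies between the trust and untrust zones are configured separately and are not part of the steps above.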

For an example of how to configure vSRX Virtual Firewall to NAT all hosts behind the vSRX Virtual Firewall instance in the Amazon Virtual Private Cloud (Amazon VPC) to the IP address of the vSRX Virtual Firewall egress interface on the untrust zone, see Example: Configuring NAT for vSRX. This configuration allows hosts behind vSRX Virtual Firewall in a cloud network to access the Internet.

For an example of how to configure IPsec VPN between two instances of vSRX Virtual Firewall on AWS on different Amazon VPCs, see Example: Configure VPN on vSRX Between Amazon VPCs.

Add DNS Servers

vSRX Virtual Firewall does not include any DNS servers in the default configuration. You might need DNS configured to deploy Layer 7 services, such as IPS, to pull down signature updates, for example. You can use your own external DNS server or use an AWS DNS server. If you enable DNS on your Amazon VPC, queries to the Amazon DNS server (169.254.169.253) or the reserved IP address at the base of the VPC network range plus two should succeed. See AWS - Using DNS with Your Amazon VPC for complete details.

Add vSRX Virtual Firewall Feature Licenses

Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See Managing Licenses for vSRX for details.