Getting Started with Juniper vSRX Virtual Firewall on IBM Cloud

IBM Cloud™ Juniper vSRX Virtual Firewall allows you to route private and public network traffic selectively, through a full-featured, enterprise-level firewall that is powered by Junos OS software features, such as full routing stacks, QoS and traffic sharing, policy-based routing, and VPN.


For a list of known limitations with IBM Cloud™ Juniper vSRX Virtual Firewall Gateway, see Known limitations.

Overview of vSRX Virtual Firewall in IBM Cloud

The vSRX Virtual Firewall provides performance, ease of configuration, and maintenance advantages with the simplicity of running on a bare metal server. The hardware is sized to handle the routing and security load associated with multiple VLANs, and it can be ordered with redundant network links and redundant RAID arrays. All vSRX Virtual Firewall features are customer-managed.

The IBM Cloud™ Juniper vSRX Virtual Firewall is offered in two different modes: standalone mode or High Availability (HA) cluster.

For additional documentation for IBM Cloud™ Juniper vSRX Virtual Firewall, see Supplemental Documentation.

The vSRX Virtual Firewall protects your environment from external and internal threats by filtering private- and public-facing traffic. Customers manage the vSRX Virtual Firewall themselves by defining policies and rules that allow or deny (among other actions) inbound or outbound network traffic, thereby protecting their applications from internal and external threats. Both IPv4 and IPv6 stacks are supported in a stateful manner.

Connect your on-site data center or office to the IBM Cloud using VPN tunneling by provisioning your vSRX Virtual Firewall as a network gateway device. Remote access IPsec VPN also is supported.

For detailed VPN configurations, see VPN.

With the vSRX Virtual Firewall gateway appliance, you can provision application and database servers without public network interfaces, and still allow your servers access to the Internet using source NAT. For enhanced security, you can protect your servers behind the gateway device, using destination NAT.

You can set up dynamic routing using BGP, which allows you to announce your own public IP space to the IBM Cloud routers.

A VLAN (virtual local area network) is a mechanism that segregates a physical network into many virtual segments. For convenience, traffic from multiple selected VLANs can be delivered through a single network cable, using a process commonly called "trunking."

vSRX Virtual Firewall is managed through two different interfaces: the vSRX Virtual Firewall server(s) and the Gateway Appliance fixture. Servers in an associated VLAN can be reached from other VLANs only by going through your vSRX Virtual Firewall; it is not possible to circumvent the vSRX Virtual Firewall unless you bypass or disassociate the VLAN.

By default, a new Gateway Appliance is associated with two non-removable "transit" VLANs, one each for your public and private networks. These networks typically are used for administration, and they can be secured by vSRX Virtual Firewall commands separately. The vSRX Virtual Firewall can manage VLANs that are associated with it through the Gateway Appliance (only).

For information on how to manage VLANs from the Gateway Appliances Details screen, see Manage VLANs.

IBM Cloud offers several firewalls to choose from. See the Exploring firewalls section, which compares the supported firewall solutions to help you choose the one that is right for you.

Benefits of vSRX Virtual Firewall in IBM Cloud

vSRX Virtual Firewall support in IBM Cloud offers you the following benefits:

  • You can use an IPsec site-to-site VPN tunnel for secure communication from your enterprise data center or office to your IBM Cloud network.

  • Empowers you with greater flexibility to build connectivity between multi-tiered applications running on different isolated networks.

  • BGP offers more flexibility for custom private network configurations, when you're using a mix of tunnels and Direct Link solutions.

  • The Gateway Appliance provides an interface (GUI and API) for selecting the VLANs you want to associate with your vSRX Virtual Firewall. Associating a VLAN with a Gateway Appliance reroutes (or "trunks") that VLAN and all of its subnets to your vSRX Virtual Firewall, giving you control over filtering, forwarding, and protection.

Choosing a vSRX Virtual Firewall license

There are two license types available for your IBM Cloud™ Juniper vSRX Virtual Firewall:

  • Standard

  • Content Security Bundle (CSB)

Each license includes a different set of features and options, and the following table outlines the differences.


You can specify your license type when ordering your vSRX Virtual Firewall, and you can also change the license. See Gateway Appliance Details.

License Type

Standard

  • Core security: firewall, ALG, screens, user firewall

  • IPsec VPN (site-to-site VPN)

  • NAT

  • CoS

  • Routing services: BGP, OSPF, DHCP, J-Flow, IPv4

  • Foundation: Static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics

Content Security Bundle (CSB): Includes all Standard features, along with the following additional features.

  • AppSecure

    • Application Tracking (AppTrack)

    • Application Firewall (AppFW)

    • Application Quality of Service (AppQoS)

    • Advanced policy-based routing (APBR)

    • Application Quality of Experience (AppQoE)

  • User Firewall

  • IPS

  • Content Security

    • Anti Virus

    • Anti Spam

    • Web Filtering

    • Content Filtering

  • SSL Proxy

    • SSL Forward Proxy

    • SSL Reverse Proxy

    • SSL Decrypting Mirror

Ordering a vSRX Virtual Firewall

You can order your IBM Cloud™ Juniper vSRX Virtual Firewall by performing the following procedure:

  1. From your browser, open the Gateway Appliances page in the IBM Cloud catalog and log in to your account.

    You can also get to this page by logging in to the IBM Cloud UI console and selecting Classic Infrastructure > Network > Gateway appliance. Alternatively, from the IBM Cloud catalog, select the Network category then choose the Gateway appliance tile.

  2. Choose Juniper vSRX (up to 1 Gbps) or Juniper vSRX (up to 10 Gbps) under Gateway Vendor.

  3. Choose your license type from License add-ons, either Standard or CSB. See the Choosing a vSRX Virtual Firewall license section for information on the features offered with each license.

  4. From the Gateway appliance section, enter your Host name and Domain name. These fields are already populated with default information, so ensure that the values are correct.

  5. Check the High Availability option if needed, then select a data center Location, and the specific Pod you want from the menu.


    Only pods that already have an associated VLAN are displayed here. If you want to provision your gateway appliance in a pod you don't see listed, first create a VLAN there.

  6. From the Configuration section, choose your processor's RAM. You can also define an SSH key, if you want to use it to authenticate access to your new Gateway.

    The appropriate processor is chosen for you based on the license version you selected in step two. However, you can choose different RAM configurations.

  7. From the Storage disks section, choose the options that meet your storage requirements. Reserve more than the default disk setting if you plan to run network diagnostics that generate detailed logs.

    RAID0 and RAID1 options are available for added protection against data loss, as are hot spares (backup components that can be placed into service immediately when a primary component fails). You can have up to four disks per vSRX Virtual Firewall. "Disk size" with a RAID configuration is the usable disk size, as RAID configurations are mirrored.

  8. From the Network interface section, select your Uplink port speeds. The default selection is a single interface, but there are redundant and private only options as well. Choose the one that best fits your needs.

    The Network Interface Add Ons section allows you to select an IPv6 address if required, and shows you any additional included default options.

  9. Review your selections, check that you have read the Third Party Service Agreements, then click Create. The order is verified automatically.

After your order is approved, the provisioning of your IBM Cloud™ Juniper vSRX Virtual Firewall Gateway starts automatically. When the provisioning process is complete, the new vSRX Virtual Firewall appears in the Gateway Appliances list page. Click the gateway name to open the Gateway Details page. The IP addresses, login username, and password for the device appear. Remember that after you order and configure your gateway from the IBM Cloud catalog, you must also configure the device itself with the same settings.