Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Requirements for vSRX Virtual Firewall on Microsoft Hyper-V

This section presents an overview of requirements for deploying a vSRX Virtual Firewall instance on Microsoft Hyper-V.

Software Requirements

Table 1 lists the software requirements for the vSRX Virtual Firewall instance on Microsoft Hyper-V.

Note:

Only the vSRX Virtual Firewall small flavor is supported on Microsoft Hyper-V. vSRX Virtual Firewall 3.0 multi-CPU versions are supported on Microsoft Hyper-V.

Table 1: Specifications for vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 for Microsoft Hyper-V

Component

Specification

Hypervisor support

  • Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Windows Server 2012 R2 or 2012.

  • Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Windows Server 2016.

  • Starting in Junos OS Release 22.3R1, you can deploy the vSRX Virtual Firewall 3.0 on Microsoft Hyper-V Windows Server 2019 and 2022 versions.

Memory

4 GB

Disk space

16 GB (IDE or SCSI drives)

vCPUs

2

Virtual network adapters

8 Hyper-V specific network adapters

Table 2: Specifications for vSRX Virtual Firewall 3.0 for Microsoft Hyper-V

Component

Specification

Hypervisor support

  • Microsoft Hyper-V Windows Server 2016

  • Microsoft Hyper-V Windows Server 2019

Memory

4 GB

Disk space

18 GB (IDE)

vCPUs

2

Virtual network adapters

8 Hyper-V specific network adapters

Starting in Junos OS Release 19.1R1, the vSRX Virtual Firewall 3.0 instance supports guest OS with 2 vCPUs, 4-GB virtual RAM, and a 18-GB disk space on Microsoft Hyper-V and Azure for improved performance.

Hardware Requirements

Table 3 lists the hardware specifications for the host machine that runs the vSRX Virtual Firewall VM.

Table 3: Hardware Specifications for the Host Machine

Component

Specification

Host memory size

Minimum 4 GB

Host processor type

x86 or x64-based multicore processor

Note:

DPDK requires Intel Virtualization VT-x/VT-d support in the CPU. See About Intel Virtualization Technology.

Gigabit (10/100/1000baseT) Ethernet adapter

Emulates the multiport DEC 21140 10/100TX 100 MB Ethernet network adapter with one to four network connections.

Best Practices for Improving vSRX Virtual Firewall Performance

Review the following practices to improve vSRX Virtual Firewall performance.

NUMA Nodes

The x86 server architecture consists of multiple sockets and multiple cores within a socket. Each socket also has memory that is used to store packets during I/O transfers from the NIC to the host. To efficiently read packets from memory, guest applications and associated peripherals (such as the NIC) should reside within a single socket. A penalty is associated with spanning CPU sockets for memory accesses, which might result in nondeterministic performance. For vSRX Virtual Firewall, we recommend that all vCPUs for the vSRX Virtual Firewall VM are in the same physical non-uniform memory access (NUMA) node for optimal performance.

CAUTION:

The Packet Forwarding Engine (PFE) on the vSRX Virtual Firewall will become unresponsive if the NUMA nodes topology is configured in the hypervisor to spread the instance’s vCPUs across multiple host NUMA nodes. vSRX Virtual Firewall requires that you ensure that all vCPUs reside on the same NUMA node.

We recommend that you bind the vSRX Virtual Firewall instance with a specific NUMA node by setting NUMA node affinity. NUMA node affinity constrains the vSRX Virtual Firewall VM resource scheduling to only the specified NUMA node.

Interface Mapping for vSRX Virtual Firewall on Microsoft Hyper-V

Each network adapter defined for a vSRX Virtual Firewall is mapped to a specific interface, depending on whether the vSRX Virtual Firewall instance is a standalone VM or one of a cluster pair for high availability.

Note:

Starting in Junos OS Release 15.1X49-D100 for vSRX Virtual Firewall, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016 and higher.

Note the following:

  • In standalone mode:

    • fxp0 is the out-of-band management interface.

    • ge-0/0/0 is the first traffic (revenue) interface.

  • In cluster mode:

    • fxp0 is the out-of-band management interface.

    • em0 is the cluster control link for both nodes.

    • Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0 for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.

Table 4 shows the interface names and mappings for a standalone vSRX Virtual Firewall VM.

Table 4: Interface Names for a Standalone vSRX Virtual Firewall VM

Network Adapter

Interface Name in Junos OS

1

fxp0

2

ge-0/0/0

3

ge-0/0/1

4

ge-0/0/2

5

ge-0/0/3

6

ge-0/0/4

7

ge-0/0/5

8

ge-0/0/6

Table 5 shows the interface names and mappings for a pair of vSRX Virtual Firewall VMs in a cluster (node 0 and node 1).

Table 5: Interface Names for a vSRX Virtual Firewall Cluster Pair

Network Adapter

Interface Name in Junos OS

1

fxp0 (node 0 and 1)

2

em0 (node 0 and 1)

3

ge-0/0/0 (node 0)ge-7/0/0 (node 1)

4

ge-0/0/1 (node 0)ge-7/0/1 (node 1)

5

ge-0/0/2 (node 0)ge-7/0/2 (node 1)

6

ge-0/0/3 (node 0)ge-7/0/3 (node 1)

7

ge-0/0/4 (node 0)ge-7/0/4 (node 1)

8

ge-0/0/5 (node 0)ge-7/0/5 (node 1)

vSRX Virtual Firewall Default Settings on Microsoft Hyper-V

vSRX Virtual Firewall requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

Table 6 lists the factory-default settings for security policies on the vSRX Virtual Firewall.

Table 6: Factory Default Settings for Security Policies

Source Zone

Destination Zone

Policy Action

trust

untrust

permit

trust

trust

permit

untrust

trust

deny

Release History Table
Release
Description
19.1R1
Starting in Junos OS Release 19.1R1, the vSRX Virtual Firewall 3.0 instance supports guest OS with 2 vCPUs, 4-GB virtual RAM, and a 18-GB disk space on Microsoft Hyper-V and Azure for improved performance.
15.1X49-D80
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Server 2012 R2 or 2012.
15.1X49-D100
Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Server 2016.
15.1X49-D100
Starting in Junos OS Release 15.1X49-D100 for vSRX Virtual Firewall, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016 and higher.