Use this procedure to deploy and configure
the vSRX Virtual Firewall as a virtual security appliance in the Hyper-V environment
using Windows PowerShell.
Note the following for deploying vSRX Virtual Firewall on a Microsoft Hyper-V server:
- Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Server 2012 R2 or 2012.
- Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Server 2016.
Note: To upgrade an existing vSRX Virtual Firewall instance, see Migration,
Upgrade, and Downgrade in the vSRX Virtual Firewall Release Notes.
To deploy vSRX Virtual Firewall using Windows PowerShell:
- Download the vSRX Virtual Firewall software image for Microsoft Hyper-V
from the Juniper
Networks website. The vSRX Virtual Firewall disk image supported by Microsoft
Hyper-V is a virtual hard disk (VHD) format file.
CAUTION: Do not change the filename of the downloaded software image or the installation will fail.
- On the Windows desktop, click the Start button
and type Windows PowerShell.
- Right-click Windows PowerShell and select Run as administrator.
- Run the following command to enable Hyper-V using PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
- Enter the New-VM command to create the vSRX Virtual Firewall VM. The command syntax is as follows:
PS C:\Users\Administrator> New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath <VHDPath> -Path <Path> -Generation <Generation> -SwitchName <SwitchName>
See Table 1 for a summary of the parameters in the New-VM command.
Table 1: New-VM Command Parameters

| Parameter | Description |
|---|---|
| -Name | Specify a name for the vSRX Virtual Firewall VM that you are creating. We recommend keeping this name the same as the hostname you intend to give to the vSRX Virtual Firewall VM. |
| -MemoryStartupBytes | Enter 4GB as the amount of startup memory to assign to the vSRX Virtual Firewall VM. |
| -BootDevice | Enter VHD as the device that the vSRX Virtual Firewall VM boots to when it starts. |
| -VHDPath | Specify the location of the vSRX Virtual Firewall virtual hard disk (VHD) file that you want to deploy. |
| -Path | Specify the location to store the vSRX Virtual Firewall VM configuration files. |
| -Generation | Enter 1 to create a generation 1 virtual machine for the vSRX Virtual Firewall. |
| -SwitchName | Specify the name of the virtual switch that you want the vSRX Virtual Firewall VM to assign to a network adapter used by the vSRX Virtual Firewall VM. Each network adapter that is defined for a vSRX Virtual Firewall is mapped to a specific interface. See Requirements for vSRX on Microsoft Hyper-V for a summary of interface names and mappings for a vSRX Virtual Firewall VM. Note: To locate the name of a previously created virtual switch, use the Get-VMSwitch command. See Add vSRX Interfaces for the procedure on adding virtual switches for the vSRX Virtual Firewall VM using the Virtual Switch Manager. |

The following is an example of the New-VM command syntax for creating a vSRX Virtual Firewall VM:
PS C:\Users\Administrator> New-VM -Name vSRX_0109 -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath C:\Users\Public\Documents\Hyper-V\vsrx-0109-powershell\vsrx\media-vsrx-vmdisk-151X49D80.hyper-v.vhd -Path 'C:\Users\Public\Documents\Hyper-V\vsrx-0109\' -Generation 1 -SwitchName test
- Set the number of processors for the newly created vSRX Virtual Firewall VM by entering the Set-VMProcessor command. Specify -Count 2 for the number of processors. For example:
PS C:\Users\Administrator> Set-VMProcessor -VMName <vSRVName> -Count 2
- Verify the newly created vSRX Virtual Firewall VM by entering the Get-VM command. For example:
PS C:\Users\Administrator> Get-VM -VMName <vSRVName>
The output for the command is as follows:
Name      State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
vSRX_0109 Off   0           0                 00:00:00 Operating normally 8.0
- Enable the MAC address spoofing function for the vSRX Virtual Firewall VM if a network adapter is to be used as an interface for Layer 2 mode support on the vSRX Virtual Firewall. MAC address spoofing allows the vSRX Virtual Firewall VM's network adapter to change its source MAC address for outgoing packets to one that is not assigned to it. Enabling MAC address spoofing ensures those packets are not dropped by the network adapter if the source MAC address fails to match the outgoing interface MAC address.
The command syntax is as follows:
PS C:\Users\Administrator> Set-VMNetworkAdapter -VMName <vSRVName> -computerName <HyperVHostName> -VMNetworkAdapter <NetworkAdapterName> -MacAddressSpoofing On
Verify that MacAddressSpoofing is On.
PS C:\Users\Administrator> Get-VMNetworkAdapter -VMName <vSRVName> -computerName <HyperVHostName> | fl name,macaddressspoofing
The output for the command is as follows:
Name : vSRX_0109
MacAddressSpoofing : On
- Enable nested virtualization for the vSRX Virtual Firewall VM by using the Set-VMProcessor command, where VMName is the name of the vSRX Virtual Firewall VM you created. By default, the virtualization extensions are disabled for each VM. Nested virtualization allows you to run Hyper-V inside of a Hyper-V virtual machine. For example:
PS C:\Users\Administrator> Set-VMProcessor -VMName <vSRX_0109> -ExposeVirtualizationExtensions $true
Note: Nested virtualization can only be configured on a host
running Microsoft Hyper-V Server 2016. In addition, Dynamic Memory
must be disabled on the virtual machine containing the nested instance
of Hyper-V.
- Launch and power on the vSRX Virtual Firewall VM by using the Start-VM command, where Name is the name of the vSRX Virtual Firewall VM you created. For example:
PS C:\Users\Administrator> Start-VM -Name <vSRX_0109>
- Configure the basic settings for the vSRX Virtual Firewall (see Configure vSRX Using the CLI).
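
A post-deployment check of the settings this procedure configures, added here as an example and not part of the Juniper documentation. The function name Test-VsrxVmSettings and the adapter names mgmt and l2-trunk are hypothetical, and the sample objects are constructed so the check can be tried without a Hyper-V host.

```powershell
# Added example: audits the values set in the steps above (generation 1, 4GB, 2 processors),
# the Dynamic Memory requirement for nested virtualization, and MAC address spoofing per adapter.
# $Layer2Adapters is an assumption: the adapter names you intend to use for Layer 2 mode.
function Test-VsrxVmSettings {
    param(
        [Parameter(Mandatory)] $Vm,          # object from Get-VM
        [Parameter(Mandatory)] $Processor,   # object from Get-VMProcessor
        [Parameter(Mandatory)] $Adapters,    # objects from Get-VMNetworkAdapter
        [string[]] $Layer2Adapters = @()
    )
    $findings = @()
    if ($Vm.Generation -ne 1)      { $findings += "Generation is $($Vm.Generation), expected 1" }
    if ($Vm.MemoryStartup -ne 4GB) { $findings += "Startup memory is $($Vm.MemoryStartup) bytes, expected 4GB" }
    if ($Processor.Count -ne 2)    { $findings += "Processor count is $($Processor.Count), expected 2" }
    # Nested virtualization requires Dynamic Memory to be disabled on the VM.
    if ($Processor.ExposeVirtualizationExtensions -and $Vm.DynamicMemoryEnabled) {
        $findings += "Nested virtualization is enabled but Dynamic Memory is not disabled"
    }
    foreach ($nic in $Adapters) {
        $spoofing = "$($nic.MacAddressSpoofing)" -eq 'On'
        $isLayer2 = $Layer2Adapters -contains $nic.Name
        # Spoofing is only needed on adapters used for Layer 2 mode; flag both mismatches.
        if ($isLayer2 -and -not $spoofing) {
            $findings += "Adapter '$($nic.Name)': Layer 2 adapter without MAC address spoofing"
        }
        if ($spoofing -and -not $isLayer2) {
            $findings += "Adapter '$($nic.Name)': MAC address spoofing is On but adapter is not listed for Layer 2"
        }
    }
    $findings
}

# Constructed sample objects (not output from a real host).
$vm   = [pscustomobject]@{ Generation = 1; MemoryStartup = 4GB; DynamicMemoryEnabled = $true }
$cpu  = [pscustomobject]@{ Count = 2; ExposeVirtualizationExtensions = $true }
$nics = @(
    [pscustomobject]@{ Name = 'mgmt';     MacAddressSpoofing = 'On'  },
    [pscustomobject]@{ Name = 'l2-trunk'; MacAddressSpoofing = 'Off' }
)
Test-VsrxVmSettings -Vm $vm -Processor $cpu -Adapters $nics -Layer2Adapters 'l2-trunk'

# On a Hyper-V host, pass live objects instead (vSRX_0109 is the page's example VM name):
# Test-VsrxVmSettings -Vm (Get-VM -Name vSRX_0109) -Processor (Get-VMProcessor -VMName vSRX_0109) -Adapters (Get-VMNetworkAdapter -VMName vSRX_0109) -Layer2Adapters 'l2-trunk'
```

With the constructed sample, the function reports three findings: the Dynamic Memory conflict, spoofing enabled on mgmt, and spoofing missing on l2-trunk.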
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---|---|
| 15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Server 2012 R2 or 2012. |
| 15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Server 2016. |