Deploy vSRX Virtual Firewall in a Hyper-V Host Using Windows PowerShell

Use this procedure to deploy and configure the vSRX Virtual Firewall as a virtual security appliance in the Hyper-V environment using Windows PowerShell.

Note the following for deploying vSRX Virtual Firewall on a Microsoft Hyper-V server:

  • Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Server 2012 R2 or 2012.

  • Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Server 2016.

Note:

To upgrade an existing vSRX Virtual Firewall instance, see Migration, Upgrade, and Downgrade in the vSRX Virtual Firewall Release Notes.

To deploy vSRX Virtual Firewall using Windows PowerShell:

  1. Download the vSRX Virtual Firewall software image for Microsoft Hyper-V from the Juniper Networks website. The vSRX Virtual Firewall disk image supported by Microsoft Hyper-V is a virtual hard disk (VHD) format file.
    CAUTION:

    Do not change the filename of the downloaded software image or the installation will fail.

  2. On the Windows desktop, click the Start button and type Windows PowerShell.
  3. Right-click Windows PowerShell and select Run as administrator.
  4. Run the following command to enable Hyper-V using PowerShell:

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

  5. Enter the New-VM command to create the vSRX Virtual Firewall VM. The command syntax is as follows:

    PS C:\Users\Administrator> New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath <VHDPath> -Path <Path> -Generation <Generation> -SwitchName <SwitchName>

    See Table 1 for a summary of the parameters in the New-VM command.

    Table 1: New-VM Command Parameters

    | Parameter | Description |
    |---|---|
    | -Name | Specify a name for the vSRX Virtual Firewall VM that you are creating. We recommend keeping this name the same as the hostname you intend to give to the vSRX Virtual Firewall VM. |
    | -MemoryStartupBytes | Enter 4GB as the amount of startup memory to assign to the vSRX Virtual Firewall VM. |
    | -BootDevice | Enter VHD as the device that the vSRX Virtual Firewall VM boots to when it starts. |
    | -VHDPath | Specify the location of the vSRX Virtual Firewall virtual hard disk (VHD) file that you want to deploy. |
    | -Path | Specify the location to store the vSRX Virtual Firewall VM configuration files. |
    | -Generation | Enter 1 to create a generation 1 virtual machine for the vSRX Virtual Firewall. |
    | -SwitchName | Specify the name of the virtual switch that you want the vSRX Virtual Firewall VM to assign to a network adapter used by the vSRX Virtual Firewall VM. Each network adapter that is defined for a vSRX Virtual Firewall is mapped to a specific interface. See Requirements for vSRX on Microsoft Hyper-V for a summary of interface names and mappings for a vSRX Virtual Firewall VM. |

    Note:

    To locate the name of a previously created virtual switch, use the Get-VMSwitch command. See Add vSRX Interfaces for the procedure on adding virtual switches for the vSRX Virtual Firewall VM using the Virtual Switch Manager.

    The following is an example of the New-VM command syntax for creating a vSRX Virtual Firewall VM:

    PS C:\Users\Administrator> New-VM -Name vSRX_0109 -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath C:\Users\Public\Documents\Hyper-V\vsrx-0109-powershell\vsrx\media-vsrx-vmdisk-151X49D80.hyper-v.vhd -Path 'C:\Users\Public\Documents\Hyper-V\vsrx-0109\' -Generation 1 -SwitchName test

  6. Set the number of processors for the newly created vSRX Virtual Firewall VM by entering the Set-VMProcessor command. Specify -Count 2 for the number of processors. For example:

    PS C:\Users\Administrator> Set-VMProcessor -VMName <vSRXName> -Count 2

  7. Verify the newly created vSRX Virtual Firewall VM by entering the Get-VM command. For example:

    PS C:\Users\Administrator> Get-VM -VMName <vSRXName>

    The output for the command is as follows:

  8. Enable the MAC address spoofing function for the vSRX Virtual Firewall VM if a network adapter is to be used as an interface for Layer 2 mode support on the vSRX Virtual Firewall. MAC address spoofing allows the vSRX Virtual Firewall VM's network adapter to change the source MAC address of outgoing packets to one that is not assigned to it. Enabling MAC address spoofing ensures that those packets are not dropped by the network adapter if the source MAC address fails to match the outgoing interface MAC address.

    The command syntax is as follows:

    PS C:\Users\Administrator> Set-VMNetworkAdapter -VMName <vSRXName> -ComputerName <HyperVHostName> -Name <NetworkAdapterName> -MacAddressSpoofing On

    Verify that MacAddressSpoofing is On.

    PS C:\Users\Administrator> Get-VMNetworkAdapter -VMName <vSRXName> -ComputerName <HyperVHostName> | fl Name,MacAddressSpoofing

    The output for the command is as follows:

  9. Enable nested virtualization for the vSRX Virtual Firewall VM by using the Set-VMProcessor command, where VMName is the name of the vSRX Virtual Firewall VM you created. By default, the virtualization extensions are disabled for each VM. Nested virtualization allows you to run Hyper-V inside of a Hyper-V virtual machine. For example:

    PS C:\Users\Administrator> Set-VMProcessor -VMName <vSRX_0109> -ExposeVirtualizationExtensions $true

    Note:

    Nested virtualization can only be configured on a host running Microsoft Hyper-V Server 2016. In addition, Dynamic Memory must be disabled on the virtual machine containing the nested instance of Hyper-V.

  10. Launch and power on the vSRX Virtual Firewall VM by using the Start-VM command, where Name is the name of the vSRX Virtual Firewall VM you created. For example:

    PS C:\Users\Administrator> Start-VM -Name <vSRX_0109>

  11. Configure the basic settings for the vSRX Virtual Firewall (see Configure vSRX Using the CLI).
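
The following script runs steps 5 through 10 in one pass and checks the result before powering on the VM. It is an added example, not part of the Juniper procedure. The default values are taken from the example command in step 5, and the parameter names $Layer2Adapters and $NestedVirtualization are hypothetical names introduced for this example.

```powershell
# Added example; run from an elevated PowerShell session on the Hyper-V host.
# Defaults are the page's example values; $Layer2Adapters and $NestedVirtualization
# are hypothetical parameter names introduced here.
param(
    [string]$VMName     = 'vSRX_0109',
    [string]$VhdPath    = 'C:\Users\Public\Documents\Hyper-V\vsrx-0109-powershell\vsrx\media-vsrx-vmdisk-151X49D80.hyper-v.vhd',
    [string]$VmPath     = 'C:\Users\Public\Documents\Hyper-V\vsrx-0109\',
    [string]$SwitchName = 'test',
    [string[]]$Layer2Adapters = @(),   # adapters used for Layer 2 mode, e.g. 'Network Adapter'
    [switch]$NestedVirtualization      # step 9; Hyper-V Server 2016 hosts only
)
$ErrorActionPreference = 'Stop'

# Fail before creating anything if an input is wrong.
if (-not (Test-Path -LiteralPath $VhdPath -PathType Leaf)) { throw "VHD not found: $VhdPath" }
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    throw "Virtual switch '$SwitchName' not found; list switches with Get-VMSwitch."
}
if (Get-VM -Name $VMName -ErrorAction SilentlyContinue) { throw "VM '$VMName' already exists." }

# Steps 5 and 6: generation 1 VM, 4 GB startup memory, 2 processors.
New-VM -Name $VMName -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath $VhdPath `
       -Path $VmPath -Generation 1 -SwitchName $SwitchName | Out-Null
Set-VMProcessor -VMName $VMName -Count 2

# Step 8: MAC address spoofing only on the adapters named for Layer 2 mode.
foreach ($adapter in $Layer2Adapters) {
    Set-VMNetworkAdapter -VMName $VMName -Name $adapter -MacAddressSpoofing On
}

# Step 9: nested virtualization needs Dynamic Memory disabled on the VM.
if ($NestedVirtualization) {
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
}

# Verification (steps 7 and 8): spoofing must be on exactly where it was requested.
$spoofing = @(Get-VMNetworkAdapter -VMName $VMName |
    Where-Object { $_.MacAddressSpoofing -eq 'On' } | ForEach-Object { $_.Name })
$unexpected = @($spoofing | Where-Object { $Layer2Adapters -notcontains $_ })
$missing    = @($Layer2Adapters | Where-Object { $spoofing -notcontains $_ })
if ($unexpected.Count -gt 0) { throw "MAC spoofing on unexpected adapters: $($unexpected -join ', ')" }
if ($missing.Count -gt 0)    { throw "MAC spoofing not applied to: $($missing -join ', ')" }
Get-VM -Name $VMName | Format-List Name, State, Generation, ProcessorCount, MemoryStartup, DynamicMemoryEnabled
Get-VMNetworkAdapter -VMName $VMName | Format-List Name, SwitchName, MacAddressSpoofing

# Step 10: power on.
Start-VM -Name $VMName
```

Leaving $Layer2Adapters empty keeps MAC address spoofing off on every adapter, which is the Hyper-V default.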

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---|---|
| 15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall only on Microsoft Hyper-V Server 2012 R2 or 2012. |
| 15.1X49-D100 | Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can deploy the vSRX Virtual Firewall on Microsoft Hyper-V Server 2016. |