Example: Install and Launch vSRX Virtual Firewall on Ubuntu

This example shows how to install and launch a vSRX Virtual Firewall instance on an Ubuntu server with KVM.

Requirements

This example uses the following hardware and software components:

  • Generic x86 server

  • Junos OS Release 15.1X49-D20 for vSRX Virtual Firewall

  • Ubuntu version 14.04.2

Before you begin:

  • This example assumes a fresh install of the Ubuntu server software.

  • Ensure that your host OS meets the requirements specified in Requirements for vSRX on KVM.

Overview

This example shows how to set up your Ubuntu host server and install and launch a vSRX Virtual Firewall VM. Figure 1 shows the basic structure of a vSRX Virtual Firewall VM on an Ubuntu server.

Figure 1: vSRX Virtual Firewall VM on Ubuntu

Note:

This example uses static IP addresses. If you are configuring the vSRX Virtual Firewall instance in an NFV environment, you should use DHCP.

Quick Configuration - Install and Launch a vSRX Virtual Firewall VM on Ubuntu

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and copy and paste the commands into the Ubuntu server terminal or vSRX Virtual Firewall console as specified.

Procedure

Step-by-Step Procedure

  1. If the default virtual network does not already exist, copy the following commands and paste them into the Ubuntu server terminal to create the default virtual network.

  2. Create the left, or trusted, virtual network on the Ubuntu server.

  3. Create the right, or untrusted, virtual network on the Ubuntu server.

  4. Download the vSRX Virtual Firewall KVM image from the Juniper Networks website at https://www.juniper.net/support/downloads/?p=vsrx#sw.

  5. Copy the following commands and modify the cpu parameter and flags to match your Ubuntu server CPU. Paste the resulting commands into the Ubuntu server terminal to copy the image to a mount point and create the vSRX Virtual Firewall VM.

    Note:

    The CPU model and flags in the virt-install command might vary based on the CPU and features in the Ubuntu server.

  6. To set the root password on the vSRX Virtual Firewall VM, copy and paste the command into the vSRX Virtual Firewall CLI at the [edit] hierarchy level.

  7. To create a base configuration on the vSRX Virtual Firewall VM, copy the following commands, paste them into a text file, remove any line breaks, and change any details necessary to match your network configuration. Then paste the commands into the vSRX Virtual Firewall CLI at the [edit] hierarchy level and enter commit from configuration mode.

Step by Step Configuration

Use the following sections for a more detailed set of procedures to install and launch a vSRX Virtual Firewall VM.

Add Virtual Networks

Step-by-Step Procedure

You need to create virtual networks on the Ubuntu server to provide network connectivity to interfaces on the vSRX Virtual Firewall VM. Copy and paste these commands into a terminal on the Ubuntu server.

This example uses three virtual networks:

  • default— Connects the fxp0 management interface.

    Note:

    The default virtual network should already exist on the Ubuntu server. Use the virsh net-list command to verify that the default network is present and active.

  • TestLeft— Connects the ge-0/0/0 interface to the trusted zone.

  • TestRight— Connects the ge-0/0/1 interface to the untrusted zone.

  1. If the default network does not exist, follow these steps:

    Step-by-Step Procedure

    1. Open a text editor on the Ubuntu server and create the default network XML (default.xml) file.

    2. Set the forward mode to nat, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.

      Note:

      Use the XML format specified by libvirt.

    3. Define and start the default virtual network, based on the default.xml file you created.

  2. Remove any previously configured TestLeft virtual network.

  3. Remove any previously configured TestRight virtual network.

  4. Open a text editor on the Ubuntu server and create the TestLeft network XML (testleftnetwork.xml) file.

  5. Set the forward mode to route, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.

    Note:

    Use the XML format specified by libvirt.

  6. Open a text editor on the Ubuntu server and create the TestRight network XML (testrightnetwork.xml) file.

  7. Set the forward mode to nat, configure an IP address and subnet mask, and a bridge interface, and configure DHCP to assign IP addresses to interfaces on this virtual network.

    Note:

    Use the XML format specified by libvirt.

  8. Define and start the TestLeft virtual network, based on the testleftnetwork.xml file you created.

  9. Define and start the TestRight virtual network, based on the testrightnetwork.xml file you created.
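
The TestLeft and TestRight steps above can be scripted as follows. This is an added example, not part of the original procedure: the bridge names, subnets and DHCP ranges are constructed placeholders, and the virsh subcommands are the standard libvirt ones.

```shell
#!/bin/sh
# Added example. Bridge names, subnets and DHCP ranges are constructed
# placeholders; substitute values that fit your host.

# Print a libvirt network definition.
# Args: name forward-mode bridge gateway netmask dhcp-start dhcp-end
net_xml() {
  cat <<EOF
<network>
  <name>$1</name>
  <forward mode='$2'/>
  <bridge name='$3' stp='on' delay='0'/>
  <ip address='$4' netmask='$5'>
    <dhcp>
      <range start='$6' end='$7'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Write the two XML files named in the steps above into directory $1.
write_files() {
  net_xml TestLeft route virbr1 10.10.1.1 255.255.255.0 \
    10.10.1.100 10.10.1.200 > "$1/testleftnetwork.xml"
  net_xml TestRight nat virbr2 10.10.2.1 255.255.255.0 \
    10.10.2.100 10.10.2.200 > "$1/testrightnetwork.xml"
}

# Remove any earlier copy of network $1, then define it from file $2,
# start it and mark it to start at boot. Needs virsh on the KVM host.
apply_net() {
  virsh net-destroy "$1" >/dev/null 2>&1 || true   # stop it if running
  virsh net-undefine "$1" >/dev/null 2>&1 || true  # drop old definition
  virsh net-define "$2" && virsh net-start "$1" && virsh net-autostart "$1"
}

# Run with --apply on the KVM host; without it nothing touches libvirt.
if [ "${1:-}" = "--apply" ]; then
  write_files . &&
  apply_net TestLeft ./testleftnetwork.xml &&
  apply_net TestRight ./testrightnetwork.xml
fi
```

TestLeft uses forward mode route and TestRight uses nat, matching steps 5 and 7.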

Verify the Virtual Networks

Purpose

Verify the new virtual network configuration on the Ubuntu server.

Action

Use the virsh net-list command on the Ubuntu server to verify that the new virtual interfaces are active and are set to autostart on reboot.
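
The check described above can be automated by parsing the virsh net-list --all table. This is an added example, not part of the original procedure: the sample output is constructed, with TestRight deliberately left inactive so the failure path is visible.

```shell
#!/bin/sh
# Constructed sample of `virsh net-list --all` output (TestRight is broken
# on purpose). On a real host, pipe the live command output in instead.
SAMPLE_NET_LIST=' Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     yes           yes
 TestLeft             active     yes           yes
 TestRight            inactive   no            yes'

# Read net-list output on stdin and check the networks named in $1
# (space-separated). Prints one line per problem and returns 1 if any
# network is missing, not active, or not set to autostart.
check_nets() {
  awk -v want="$1" '
    NR > 2 && NF >= 3 { state[$1] = $2; auto[$1] = $3 }  # skip header rows
    END {
      bad = 0
      n = split(want, names, " ")
      for (i = 1; i <= n; i++) {
        net = names[i]
        if (!(net in state)) { print net ": missing"; bad = 1; continue }
        if (state[net] != "active") { print net ": not active"; bad = 1 }
        if (auto[net] != "yes") { print net ": autostart off"; bad = 1 }
      }
      exit bad
    }'
}

# Live use on the KVM host:
#   virsh net-list --all | check_nets "default TestLeft TestRight"
```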

Download and Install the vSRX Virtual Firewall Image

Step-by-Step Procedure

To download and install the vSRX Virtual Firewall image on the Ubuntu server:

  1. Download the vSRX Virtual Firewall KVM image from the Juniper Networks website: https://www.juniper.net/support/downloads/?p=vsrx#sw

  2. Copy the vSRX Virtual Firewall image to an appropriate mount point.

  3. Use the virt-install command to create a vSRX Virtual Firewall VM. Modify the cpu parameter and flags to match your Ubuntu server CPU.

    Note:

    The CPU model and flags in the virt-install command might vary based on the CPU and features in the Ubuntu server.

Verify the vSRX Virtual Firewall Installation

Purpose

Verify the vSRX Virtual Firewall installation.

Action

  1. Use the virsh console command on the Ubuntu server to access the vSRX Virtual Firewall console and watch the progress of the installation. The installation can take several minutes to complete.

  2. On the vSRX Virtual Firewall console, log in and verify the vSRX Virtual Firewall version installed.

Create a Base Configuration on the vSRX Virtual Firewall Instance

Step-by-Step Procedure

To configure a base setup on the vSRX Virtual Firewall instance, enter the following steps in edit mode:

  1. Create a root password.

  2. Set the IP address family for the management interface, and enable the DHCP client for this interface.

  3. Set the IP address for the ge-0/0/0.0 interface.

  4. Set the IP address family for the ge-0/0/1.0 interface, and enable the DHCP client for this interface.

  5. Add the ge-0/0/0.0 interface to the trust security zone and allow all system services from inbound traffic on that interface.

  6. Add the ge-0/0/1.0 interface to the untrust security zone and allow only DHCP system services from inbound traffic on that interface.

  7. Create a virtual router routing instance and add the two interfaces to that routing instance.

  8. Create a source NAT rule set.

  9. Configure a rule that matches packets and translates the source address to the address of the egress interface.

Results

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

From configuration mode, confirm your security policies by entering the show security policies command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Note:

As a final step, exit configuration mode and use the request system reboot command to reboot the vSRX Virtual Firewall VM. You can use the virsh console command on the Ubuntu server to reconnect to the vSRX Virtual Firewall after reboot.

Verify the Basic Configuration on the vSRX Virtual Firewall Instance

Purpose

Verify the basic configuration on the vSRX Virtual Firewall instance.

Action

Verify that the ge-0/0/0.0 interface has an assigned IP address from the TestLeft network DHCP address range, and that the ge-0/0/1.0 interface has an assigned IP address from the TestRight network DHCP address range.