Install vSRX Virtual Firewall with KVM

You use virt-manager or virt-install to install vSRX Virtual Firewall VMs. See your host OS documentation for complete details on these packages.

Note:

To upgrade an existing vSRX Virtual Firewall instance, see Migration, Upgrade, and Downgrade in the vSRX Virtual Firewall Release Notes.

Install vSRX Virtual Firewall with virt-manager

Ensure that you have already installed KVM, qemu, virt-manager, and libvirt on your host OS. You must also configure the required virtual networks and storage pool in the host OS for the vSRX Virtual Firewall VM. See your host OS documentation for details.

You can install and launch vSRX Virtual Firewall with the KVM virt-manager GUI package.

To install vSRX Virtual Firewall with virt-manager:

  1. Download the vSRX Virtual Firewall QCOW2 image from the Juniper software download site.
  2. On your host OS, type virt-manager. The Virtual Machine Manager appears. See Figure 1.
    Note:

    You must have admin rights on the host OS to use virt-manager.

    Figure 1: virt-manager
  3. Click Create a new virtual machine as seen in Figure 2. The New VM wizard appears.
    Figure 2: Create a New Virtual Machine
  4. Select Import existing disk image, and click Forward.
  5. Browse to the location of the downloaded vSRX Virtual Firewall QCOW2 image and select the vSRX Virtual Firewall image.
  6. Select Linux from the OS type list and select Show all OS options from the Version list.
  7. Select Red Hat Enterprise Linux 7 from the expanded Version list and click Forward.
  8. Set the RAM to 4096 MB and set CPUs to 2. Click Forward.
  9. Set the disk image size to 16 GB and click Forward.
  10. Name the vSRX Virtual Firewall VM, and select Customize this configuration before install to change parameters before you create and launch the VM. Click Finish. The Configuration dialog box appears.
  11. Select Processor and expand the Configuration list.
  12. Select Copy Host CPU Configuration.
  13. Set CPU Feature invtsc to disabled on CPUs that support that feature. Set vmx to require for optimal throughput. You can optionally set aes to require for improved cryptographic throughput.
    Note:

    If the CPU feature option is not present in your version of virt-manager, you need to start and stop the VM once, and then edit the vSRX Virtual Firewall VM XML file, typically found in the /etc/libvirt/qemu directory on your host OS. Use virsh edit to edit the VM XML file to configure <feature policy='require' name='vmx'/> under the <cpu mode> element. Also add <feature policy='disable' name='invtsc'/> if your host OS supports this CPU flag. Use the virsh capabilities command on your host OS to list the host OS and CPU virtualization capabilities.

    The following example shows the relevant portion of the vSRX Virtual Firewall XML file on a CentOS host:

  14. Select the disk and expand Advanced Options.
  15. Select IDE from the Disk bus list.
  16. Select the NIC, and select virtio from the Device model field. This first NIC is the fpx0 (management) interface for vSRX Virtual Firewall.
  17. Click Add Hardware to add more virtual networks, and select virtio from the Device model list.
  18. Click Apply, and click x to close the dialog box.
  19. Click Begin Installation. The VM manager creates and launches the vSRX Virtual Firewall VM.
Note:

The default vSRX Virtual Firewall VM login ID is root with no password. By default, if a DHCP server is on the network, it assigns an IP address to the vSRX Virtual Firewall VM.

Install vSRX Virtual Firewall with virt-install

Ensure that you have already installed KVM, qemu, virt-install, and libvirt on your host OS. You must also configure the required virtual networks and storage pool in the host OS for the vSRX Virtual Firewall VM. See your host OS documentation for details.

Note:

You must have root access on the host OS to use the virt-install command.

The virt-install and virsh tools are CLI alternatives to installing and managing vSRX Virtual Firewall VMs on a Linux host.

To install vSRX Virtual Firewall with virt-install:

  1. Download the vSRX Virtual Firewall QCOW2 image from the Juniper software download site.
  2. On your host OS, use the virt-install command with the mandatory options listed in Table 1.
    Note:

    See the official virt-install documentation for a complete description of available options.

    Table 1: virt-install Options

    | Command Option | Description |
    | --- | --- |
    | --name name | Name the vSRX Virtual Firewall VM. |
    | --ram megabytes | Allocate RAM for the VM, in megabytes. |
    | --cpu cpu-model, cpu-flags | Enable the vmx feature for optimal throughput. You can also enable aes for improved cryptographic throughput. Note: CPU flag support depends on your host OS and CPU. Use virsh capabilities to list the virtualization capabilities of your host OS and CPU. |
    | --vcpus number | Allocate the number of vCPUs for the vSRX Virtual Firewall VM. |
    | --disk path | Specify disk storage media and size for the VM. Include the following options: size=gigabytes, device=disk, bus=ide, format=qcow2 |
    | --os-type os-type, --os-variant os-type | Configure the guest OS type and variant. |
    | --import | Create and boot the vSRX Virtual Firewall VM from an existing image. |

    The following example creates a vSRX Virtual Firewall VM with 4096 MB RAM, 2 vCPUs, and disk storage up to 16 GB:
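
The options in Table 1 assembled into one command, as an added example that is not from the original page. The VM name, image path, host-model CPU model, rhel7.0 variant and the sample feature list are assumptions; the script prints the command for review and does not run it.

```sh
#!/bin/sh
# Added example: print (not run) a virt-install command built from Table 1.
# VM name, image path, CPU model and OS variant are assumptions.
OS_VARIANT=rhel7.0   # assumption; list valid names with `osinfo-query os`

# Build the --cpu value from a CPU model and the host's CPU feature names
# (space-separated). vmx is mandatory, aes is added when available, and
# invtsc is disabled only on hosts that expose it.
cpu_arg() {
  ca_feats=" $2 "
  case $ca_feats in
    *" vmx "*) ca_arg="$1,require=vmx" ;;
    *) echo "host does not expose vmx" >&2; return 1 ;;
  esac
  case $ca_feats in *" aes "*) ca_arg="$ca_arg,require=aes" ;; esac
  case $ca_feats in *" invtsc "*) ca_arg="$ca_arg,disable=invtsc" ;; esac
  printf '%s\n' "$ca_arg"
}

# Arguments: VM name, image path, CPU model, feature list.
vsrx_install_cmd() {
  vi_cpu=$(cpu_arg "$3" "$4") || return 1
  printf '%s\n' "virt-install --name $1 --ram 4096 --cpu $vi_cpu --vcpus 2 \
--disk path=$2,size=16,device=disk,bus=ide,format=qcow2 \
--os-type linux --os-variant $OS_VARIANT --import"
}

# Constructed feature list; on a real host read it from `virsh capabilities`.
SAMPLE_FEATS="vmx aes invtsc"
vsrx_install_cmd vsrx-lab /var/lib/libvirt/images/vsrx.qcow2 host-model "$SAMPLE_FEATS"
```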

The following example shows the relevant portion of the vSRX Virtual Firewall XML file on a CentOS host:
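
An added check, not part of the original page, for the settings that steps 13 to 17 of the virt-manager procedure and the XML note describe: vmx required, invtsc disabled where present, IDE disk bus and virtio NICs. The sample XML is constructed, and the check assumes the one-element-per-line layout that virsh dumpxml prints.

```sh
#!/bin/sh
# Added example: check a domain definition against the settings in this
# procedure. Feed it the output of `virsh dumpxml <vm-name>`.

# Constructed sample (not from a real host); the second NIC is deliberately
# left as e1000 so the check has something to report.
SAMPLE_XML="<domain type='kvm'>
  <name>vsrx-lab</name>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>SandyBridge</model>
    <feature policy='require' name='vmx'/>
    <feature policy='disable' name='invtsc'/>
  </cpu>
  <devices>
    <disk type='file' device='disk'>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='network'>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>"

# Prints one line per deviation and returns non-zero if any is found.
# This is a line matcher for libvirt's output, not a general XML parser;
# each "." in the patterns stands for the quote around an attribute value.
check_vsrx_xml() {
  printf '%s\n' "$1" | awk '
    /<feature / && /name=.vmx.\// { vmx = ($0 ~ /policy=.require./) }
    /<feature / && /name=.invtsc.\// && !/policy=.disable./ {
      print "cpu: invtsc is present but not disabled"; bad = 1 }
    /<disk /        { indisk = 1 }
    /<\/disk>/      { indisk = 0 }
    /<interface /   { innic = 1 }
    /<\/interface>/ { innic = 0 }
    indisk && /<target / && !/bus=.ide./   { print "disk: bus is not ide"; bad = 1 }
    innic && /<model / && !/type=.virtio./ { print "nic: model is not virtio"; bad = 1 }
    END { if (!vmx) { print "cpu: vmx is not policy=require"; bad = 1 }
          exit bad + 0 }'
}

check_vsrx_xml "$SAMPLE_XML" || echo "deviations found"
```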

Note:

The default vSRX Virtual Firewall VM login ID is root with no password. By default, if a DHCP server is on the network, it assigns an IP address to the vSRX Virtual Firewall VM.