Requirements for vSRX Virtual Firewall on Nutanix

These topics provide an overview of requirements for deploying a vSRX Virtual Firewall 3.0 instance on Nutanix.

System Requirements for Nutanix

This topic provides the system requirement details.

Table 1 lists the system requirements for a vSRX Virtual Firewall 3.0 instance deployed on Nutanix.

Table 1: System Requirements for vSRX Virtual Firewall 3.0

Component            Specification and Details
Hypervisor support   AHV 5.9
Memory               4 GB
Disk space           16 GB
vCPUs                2
vNICs                Up to 8
vNIC type            Virtio

Interface Mapping for vSRX Virtual Firewall 3.0 on Nutanix

Table 2 shows the vSRX Virtual Firewall 3.0 and Nutanix interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX Virtual Firewall 3.0.

Table 2: vSRX Virtual Firewall 3.0 and Nutanix Interface Names

Interface Number   vSRX Virtual Firewall 3.0 Interface   Nutanix Interface
1                  fxp0                                  eth0
2                  ge-0/0/0                              eth1
3                  ge-0/0/1                              eth2
4                  ge-0/0/2                              eth3
5                  ge-0/0/3                              eth4
6                  ge-0/0/4                              eth5
7                  ge-0/0/5                              eth6
8                  ge-0/0/6                              eth7

We recommend placing revenue interfaces in routing instances as a best practice to avoid asymmetric traffic and routing, because fxp0 belongs to the default (inet.0) routing table. With fxp0 in the default routing table, two default routes might be needed: one through fxp0 for external management access, and another through the revenue interfaces for data traffic. Placing the revenue interfaces in a separate routing instance avoids having two default routes in a single routing instance.

Note:

Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
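The recommendation above (revenue interfaces in their own routing instance, fxp0 left in inet.0) and the note (every interface of a zone in the same routing instance) are both invariants that can be checked before a commit. The following script is an added example, not Juniper code and not part of this page: it parses Junos "set"-style configuration lines and reports zones whose interfaces span more than one routing instance, plus revenue interfaces that were left in the master instance alongside fxp0. The two sample configurations, the routing instance name vr-data and all addresses are constructed for the example.

```python
"""Audit a vSRX 'set'-style configuration for the two invariants this page
describes: (1) interfaces of one security zone share one routing instance,
(2) revenue interfaces are not left in inet.0 together with fxp0.
Added example, not Juniper's own code; sample configurations are constructed."""
import re
from collections import defaultdict

MASTER = "inet.0"  # the master routing instance's table; interfaces default here

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
IF_RE = re.compile(r"^set interfaces (\S+) unit (\d+) ")

# Constructed sample: ge-0/0/0 and ge-0/0/1 moved into routing instance
# 'vr-data' with their own default route; fxp0 stays in inet.0 for management.
GOOD_CONFIG = """
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-instances vr-data instance-type virtual-router
set routing-instances vr-data interface ge-0/0/0.0
set routing-instances vr-data interface ge-0/0/1.0
set routing-instances vr-data routing-options static route 0.0.0.0/0 next-hop 203.0.113.254
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
"""

# Constructed sample that breaks both rules: zone 'trust' has one interface in
# vr-data and one still in inet.0, so a revenue interface shares inet.0 with fxp0.
BAD_CONFIG = """
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.129/25
set routing-instances vr-data instance-type virtual-router
set routing-instances vr-data interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
"""


def parse_set_config(text):
    """Return zone membership and the routing instance of each logical interface."""
    zones = defaultdict(set)   # zone name -> set of logical interfaces
    instance_of = {}           # logical interface -> routing instance name
    logical = set()            # every configured logical interface (e.g. ge-0/0/0.0)
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zones[m.group(1)].add(m.group(2))
            continue
        m = RI_RE.match(line)
        if m:
            instance_of[m.group(2)] = m.group(1)
            continue
        m = IF_RE.match(line)
        if m:
            logical.add(f"{m.group(1)}.{m.group(2)}")
    for ifl in logical:
        instance_of.setdefault(ifl, MASTER)  # not in any routing instance => inet.0
    return {"zones": dict(zones), "instance_of": instance_of}


def zone_instance_violations(cfg):
    """List (zone, {instance: [interfaces]}) for zones spanning >1 routing instance."""
    out = []
    for zone, ifls in sorted(cfg["zones"].items()):
        by_instance = defaultdict(list)
        for ifl in sorted(ifls):
            by_instance[cfg["instance_of"].get(ifl, MASTER)].append(ifl)
        if len(by_instance) > 1:
            out.append((zone, dict(by_instance)))
    return out


def revenue_interfaces_in_master(cfg):
    """Zone member interfaces other than fxp0 that still sit in inet.0 with fxp0."""
    zoned = set().union(*cfg["zones"].values()) if cfg["zones"] else set()
    return sorted(ifl for ifl in zoned
                  if not ifl.startswith("fxp0")
                  and cfg["instance_of"].get(ifl, MASTER) == MASTER)


def audit(text):
    """Return human-readable findings; an empty list means both rules hold."""
    cfg = parse_set_config(text)
    findings = []
    for zone, by_instance in zone_instance_violations(cfg):
        findings.append(f"zone {zone} spans routing instances {sorted(by_instance)}")
    for ifl in revenue_interfaces_in_master(cfg):
        findings.append(f"revenue interface {ifl} is in {MASTER} together with fxp0")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(text) or ["ok"])
```

Run against a saved "show configuration | display set" output by passing its text to audit(). The checker only understands the three statement forms it matches; zones or instances built with groups or apply-groups are not expanded.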

vSRX Virtual Firewall 3.0 Default Settings on Nutanix

vSRX Virtual Firewall 3.0 requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

Table 3 lists the factory-default settings for security policies on the vSRX Virtual Firewall 3.0.

Table 3: Factory-Default Settings for Security Policies

Source Zone   Destination Zone   Policy Action
trust         untrust            permit
trust         trust              permit

CAUTION:

Do not use the load factory-default command on a vSRX Virtual Firewall 3.0 Nutanix instance. The factory-default configuration removes the Nutanix preconfiguration. If you must revert to factory default, ensure that you manually reconfigure Nutanix preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall 3.0 instance. See Configure vSRX Using the CLI for Nutanix preconfiguration details.

Best Practices for Improving vSRX Virtual Firewall 3.0 Performance

Refer to the following deployment practices to improve vSRX Virtual Firewall 3.0 performance:

  • Disable the source/destination check for all vSRX Virtual Firewall 3.0 interfaces.

  • Limit public key access permissions to 400 for key pairs.

  • Ensure that there are no contradictions between Nutanix security groups and your vSRX Virtual Firewall 3.0 configuration.

  • Use vSRX Virtual Firewall 3.0 NAT to protect your instances from direct Internet traffic.

Reference Requirements

Requirements for vSRX Virtual Firewall 3.0 with different types of Hypervisors are: