Requirements for vSRX Virtual Firewall on Nutanix
These topics provide an overview of requirements for deploying a vSRX Virtual Firewall 3.0 instance on Nutanix.
System Requirements for Nutanix
This topic provides the system requirement details.
- System Requirements for Nutanix
- Interface Mapping for vSRX Virtual Firewall 3.0 on Nutanix
- vSRX Virtual Firewall 3.0 Default Settings on Nutanix
- Best Practices for Improving vSRX Virtual Firewall 3.0 Performance
Table 1 lists the system requirements for a vSRX Virtual Firewall 3.0 instance deployed on Nutanix.
| Component | Specification and Details |
|---|---|
| Hypervisor support | AHV 5.9 |
| Memory | 4 GB |
| Disk space | 16 GB |
| vCPUs | 2 |
| vNICs | Up to 8 |
| vNIC type | Virtio |
Interface Mapping for vSRX Virtual Firewall 3.0 on Nutanix
Table 2 shows the vSRX Virtual Firewall 3.0 and Nutanix interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX Virtual Firewall 3.0.
| Interface Number | vSRX Virtual Firewall 3.0 Interface | Nutanix Interface |
|---|---|---|
| 1 | fxp0 | eth0 |
| 2 | ge-0/0/0 | eth1 |
| 3 | ge-0/0/1 | eth2 |
| 4 | ge-0/0/2 | eth3 |
| 5 | ge-0/0/3 | eth4 |
| 6 | ge-0/0/4 | eth5 |
| 7 | ge-0/0/5 | eth6 |
| 8 | ge-0/0/6 | eth7 |
We recommend placing revenue interfaces in a separate routing instance to avoid asymmetric traffic and routing, because fxp0 belongs to the default routing table (inet.0). If the revenue interfaces also stay in inet.0, that single table needs two default routes: one via fxp0 for external management access, and one via the revenue interfaces for transit traffic. Putting the revenue interfaces in their own routing instance gives each table exactly one default route.
Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
vSRX Virtual Firewall 3.0 Default Settings on Nutanix
vSRX Virtual Firewall 3.0 requires the following basic configuration settings:
- Interfaces must be assigned IP addresses.
- Interfaces must be bound to zones.
- Policies must be configured between zones to permit or deny traffic.
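The routing-instance recommendation above and the three basic settings just listed, as one added Junos set-format example; this is not configuration from the original page or from Juniper. The fxp0 and revenue interface addresses, the next-hop gateways, the routing-instance name DATA-VR, and the policy names are assumptions chosen for illustration. Lines beginning with `#` are annotations only.

```junos
# Management: fxp0 stays in the default routing table (inet.0),
# which therefore carries exactly one default route, for management access.
# 192.0.2.10/24 and 192.0.2.1 are assumed management-network values.
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Revenue interfaces get IP addresses (ge-0/0/0 = Nutanix eth1, ge-0/0/1 = eth2).
# Addresses are assumed documentation-range values.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.1/24

# Move both revenue interfaces into their own virtual router (DATA-VR is an
# assumed name), so its default route never competes with the one in inet.0.
set routing-instances DATA-VR instance-type virtual-router
set routing-instances DATA-VR interface ge-0/0/0.0
set routing-instances DATA-VR interface ge-0/0/1.0
set routing-instances DATA-VR routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Bind interfaces to zones. Both zones reference only DATA-VR interfaces,
# which satisfies the rule that interfaces in one zone share a routing instance.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping

# Policies between zones: permit outbound from trust, and an explicit logged
# deny inbound from untrust so drops show up in the traffic log.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone untrust to-zone trust policy log-drop match source-address any
set security policies from-zone untrust to-zone trust policy log-drop match destination-address any
set security policies from-zone untrust to-zone trust policy log-drop match application any
set security policies from-zone untrust to-zone trust policy log-drop then deny
set security policies from-zone untrust to-zone trust policy log-drop then log session-init
```

After committing, check that each table holds a single default route with `show route table inet.0 0.0.0.0/0` and `show route table DATA-VR.inet.0 0.0.0.0/0`. If a zone mixes an inet.0 interface with a DATA-VR interface, the commit itself fails with the error named in the KB article referenced above, so a mismatch is caught before it can cause asymmetric forwarding.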
Table 3 lists the factory-default settings for security policies on the vSRX Virtual Firewall 3.0.
| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |
| trust | trust | permit |
Do not use the `load factory-default` command on a vSRX Virtual Firewall 3.0 Nutanix instance. The factory-default configuration removes the Nutanix preconfiguration. If you must revert to factory default, manually reconfigure the Nutanix preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall 3.0 instance. Committing with `commit confirmed` limits the damage: if management access is lost and the commit is not confirmed, the configuration rolls back automatically. See Configure vSRX Using the CLI for Nutanix preconfiguration details.
Best Practices for Improving vSRX Virtual Firewall 3.0 Performance
Refer to the following deployment practices to improve vSRX Virtual Firewall 3.0 performance:
- Disable the source/destination check for all vSRX Virtual Firewall 3.0 interfaces.
- Restrict the file permissions on key pair files to 400 (owner read-only).
- Ensure that there are no contradictions between Nutanix security groups and your vSRX Virtual Firewall 3.0 configuration.
- Use vSRX Virtual Firewall 3.0 NAT to protect your instances from direct Internet traffic.
Reference Requirements
Requirements for vSRX Virtual Firewall 3.0 with different types of hypervisors are:
- Requirements for vSRX on VMware: see Requirements for vSRX on VMware
- Requirements for vSRX on a KVM-based hypervisor: see Requirements for vSRX on KVM
- Requirements for vSRX on a Hyper-V-based hypervisor: see Requirements for vSRX on Microsoft Hyper-V