Understand vSRX Virtual Firewall with VMware
This section presents an overview of vSRX Virtual Firewall on VMware
vSRX Virtual Firewall Overview
vSRX Virtual Firewall is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX Virtual Firewall runs as a virtual machine (VM) on a standard x86 server. vSRX Virtual Firewall is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Firewalls.
The vSRX Virtual Firewall provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and Content Security features including Enhanced Web Filtering and Anti-Virus. Combined with ATP Cloud, the vSRX Virtual Firewall offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.
Figure 1 shows the high-level architecture.
vSRX Virtual Firewall includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX Virtual Firewall uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX Virtual Firewall supports scaling vCPUs and GB virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.
Junos OS Release 18.4R1 supports a new software architecture vSRX Virtual Firewall 3.0 that removes dual OS and nested virtualization requirement of existing vSRX Virtual Firewall architecture.
In vSRX Virtual Firewall 3.0 architecture, FreeBSD 11.x is used as the guest OS and the Routing Engine and Packet Forwarding Engine runs on FreeBSD 11.x as single virtual machine for improved performance and scalability. vSRX Virtual Firewall 3.0 uses DPDK to process the data packets in the data plane. A direct Junos upgrade from vSRX Virtual Firewall to vSRX Virtual Firewall 3.0 software is not supported.
vSRX Virtual Firewall 3.0 has the following enhancements compared to vSRX Virtual Firewall:
Removed the restriction of requiring nested VM support in hypervisors.
Removed the restriction of requiring ports connected to control plane to have Promiscuous mode enabled.
Improved boot time and enhanced responsiveness of the control plane during management operations.
Improved live migration.
Figure 2 shows the high-level software architecture for vSRX Virtual Firewall 3.0
vSRX Virtual Firewall Benefits and Use Cases
vSRX Virtual Firewall on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX Virtual Firewall is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX Virtual Firewall in a virtualized private or public cloud multitenant environment include:
Stateful firewall protection at the tenant edge
Faster deployment of virtual firewalls into new sites
Ability to run on top of various hypervisors and public cloud infrastructures
Full routing, VPN, core security, and networking capabilities
Application security features (including IPS and App-Secure)
Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)
Centralized management with Junos Space Security Director and local management with J-Web Interface
Juniper Networks Juniper Advanced Threat Prevention Cloud (ATP Cloud) integration
vSRX Virtual Firewall on VMWare ESXi deployment
VMware vSphere is a virtualization environment for systems supporting the x86 architecture. VMware ESXi® is the hypervisor used to create and run virtual machines (VMs) and virtual appliances on a host machine. The VMware vCenter Server® is a service that manages the resources of multiple ESXi hosts.
The VMware vSphere Web Client is used to deploy the vSRX Virtual Firewall VM.
Figure 3 shows an example of how vSRX Virtual Firewall can be deployed to provide security for applications running on one or more virtual machines. The vSRX Virtual Firewall virtual switch has a connection to a physical adapter (the uplink) so that all application traffic flows through the vSRX Virtual Firewall VM to the external network.
vSRX Virtual Firewall Scale Up Performance
Table 1 shows the vSRX Virtual Firewall scale up performance based on the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM. The table outlines the Junos OS release in which a particular software specification for deploying vSRX Virtual Firewall on VMware was introduced. You will need to download a specific Junos OS release to take advantage of certain scale up performance features.
vCPUs |
vRAM |
NICs |
Junos OS Release Introduced |
|---|---|---|---|
2 vCPUs |
4 GB |
|
Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1 |
5 vCPUs |
8 GB |
|
Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1 |
9 vCPUs |
16 GB |
Note:
SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX Virtual Firewall to 9 vCPUs and 16 GB vRAM. |
Junos OS Release 18.4R1 |
17 vCPUs |
32 GB |
Note:
SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX Virtual Firewall to 17 vCPUs and 32 GB vRAM. |
Junos OS Release 18.4R1 |
| 1 vCPU |
4 GB |
SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. |
Junos OS Release 21.2R1 |
| 4 vCPUs |
8 GB |
SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. |
Junos OS Release 21.2R1 |
| 8 vCPUs |
16GB |
SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. |
Junos OS Release 21.2R1 |
| 16 vCPUs |
32 GB |
SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 family adapters. |
Junos OS Release 21.2R1 |
You can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. The multi-core vSRX Virtual Firewall automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX Virtual Firewall VM do not match what is currently available, the vSRX Virtual Firewall scales down to the closest supported value for the instance. For example, if a vSRX Virtual Firewall VM has 3 vCPUs and 8 GB of vRAM, vSRX Virtual Firewall boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX Virtual Firewall instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX Virtual Firewall instance to a smaller setting.
The number of RSS queues typically matches with the number of data plane vCPUs of a vSRX Virtual Firewall instance. For example, a vSRX Virtual Firewall with 4 data plane vCPUs should have 4 RSS queues.
vSRX Virtual Firewall Session Capacity Increase
vSRX Virtual Firewall solution is optimized to increase the session numbers by increasing the memory.
With the ability to increase the session numbers by increasing the memory, you can enable vSRX Virtual Firewall to:
Provide highly scalable, flexible and high-performance security at strategic locations in the mobile network.
Deliver the performance that service providers require to scale and protect their networks.
Run the show security flow session summary | grep maximum command to view the maximum number of sessions.
Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.
Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.
Table 2 lists the flow session capacity.
vCPUs |
Memory |
Flow Session Capacity |
|---|---|---|
2 |
4 GB |
0.5 M |
2 |
6 GB |
1 M |
2/5 |
8 GB |
2 M |
2/5 |
10 GB |
2 M |
2/5 |
12 GB |
2.5 M |
2/5 |
14 GB |
3 M |
2/5/9 |
16 GB |
4 M |
2/5/9 |
20 GB |
6 M |
2/5/9 |
24 GB |
8 M |
2/5/9 |
28 GB |
10 M |
2/5/9/17 |
32 GB |
12 M |
2/5/9/17 |
40 GB |
16 M |
2/5/9/17 |
48 GB |
20 M |
2/5/9/17 |
56 GB |
24 M |
2/5/9/17 |
64 GB |
28 M |
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.