Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Upgrade a Multicore vSRX Virtual Firewall with VMware

Starting in Junos OS Release 15.1X49-70 and Junos OS Release 17.3R1, you can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. See Requirements for vSRX on VMware for the software requirement specifications of a vSRX Virtual Firewall VM.

Note:

You cannot scale down the number of vCPUs or decrease the amount of vRAM for an existing vSRX Virtual Firewall VM.

Power Down vSRX Virtual Firewall VM with VMware vSphere Web Client

In situations where you want to modify the vSRX Virtual Firewall VM XML file, you need to completely shut down vSRX Virtual Firewall and the associated VM.

To gracefully shutdown the vSRX Virtual Firewall instance with VMware vSphere Web Client:

  1. Enter the vCenter server hostname or address in your browser (https://<ipaddress>:9443) to access the vSphere Web Client, and log in to the vCenter server with your credentials.
  2. Check the vSRX Virtual Firewall VM you want to power off.
  3. Select Open Console to open a console window to the vSRX Virtual Firewall VM.
  4. From the vSRX Virtual Firewall console, reboot the vSRX Virtual Firewall instance.

    vsrx# request system power-off.

Upgrade a Multicore vSRX Virtual Firewall with VMware vSphere Web Client

You must power down the vSRX Virtual Firewall VM before you can update the vCPU and vRAM values for the VM.

To scale up the vSRX Virtual Firewall VM to a higher number of vCPUs or to an increased amount of vRAM:

  1. On VMware vSphere Web Client, Select Edit Settings to open the powered down vSRX Virtual Firewall VM to open the virtual machine details window.
  2. Select Memory and set the vRAM to the desired size.
  3. Select Processor and set the number of vCPUs. Click OK.
  4. Click Power On. The VM manager launches the vSRX Virtual Firewall VM with the new vCPU and vRAM settings.
Note:

vSRX Virtual Firewall scales down to the closest supported value if the vCPU or vRAM settings do not match what is currently available.

Optimize Performance of vSRX Virtual Firewall

To optimize performance of vSRX Virtual Firewall on VMware:

  1. For memory, select the NUMA node that line cards connect to.

  2. For the CPU:

    1. Disable hyper-threading.

    2. Select CPUs on the selected NUMA node.

    3. Set the number of CPUs to be assigned to the vSRX Virtual Firewall VM. Set the Cores per socket value in such a way that "Sockets: 1” is displayed as shown in the image below. This will force all CPU cores to be on the same NUMA node for optimized performance.

      Under CPU, ‘Cores per Socket’ should be n, such that ‘Sockets: 1’

      Figure 1: CPU Cores Per Socket CPU Cores Per Socket

    4. Reserve the CPU resource.

  3. For the TX thread:

    • Configure a separate ESXi transmit thread per vNIC.

    • Place transmit threads on the same NUMA node.

  4. For vNICs, use either 2 vNICs or 4 vNICs if you want to scale the performance of the vSRX Virtual Firewall VM.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1X49-D70
Starting in Junos OS Release 15.1X49-70 and Junos OS Release 17.3R1, you can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall.