Gordon Mosley, Content Developer, Juniper Networks

cSRX Docker Fundamentals

Learning Bytes Security
Image is of a computer running a demo with multiple lines of code filling the screen in black and white. Top of the computer screen says Launch cSRX.

Juniper Learning Byte: Sharpen your cSRX Docker skills

Do you have the skills to manage Docker cSRX instances? You will after watching this detailed educational video with Juniper’s Gordon Mosley. 

Show more

You’ll learn

  • How to use Docker to launch a cSRX instance and the steps required  

  • About the Juniper cSRX container firewall: what it is and what it can be used for 

  • Example use cases of cSRX instances 

Who is this for?

Network Professionals Security Professionals


Gordon Mosley
Content Developer, Juniper Networks


0:00 [Music]

0:13 welcome to the csrx docker fundamentals

0:16 learning byte i'm gordon mosley with the

0:18 education services department at juniper

0:20 networks let's get started

0:22 after completing this learning byte you

0:24 will be able to use docker to launch a

0:26 csrx instance

0:28 the csrx is a containerized version of

0:31 our srx series services gateway designed

0:34 primarily to protect container workloads

0:37 so the example use case i have

0:39 demonstrated at the bottom is i have an

0:42 application it's a containerized web

0:44 application and so i have several you

0:46 know web containers and every web

0:49 application always talks to a database

0:51 back in well since these are

0:52 containerized resources that i need to

0:54 secure i have traffic coming in from the

0:56 internet i want to protect my web

0:57 containers

0:58 when those web containers communicate

1:00 with my back-end database services i

1:01 also want to secure that track

1:03 and so this is a perfect example of

1:05 spinning up when i spin up these web

1:07 front ends and my database back ends i

1:09 can also orchestrate and instantiate

1:12 some csrx instances to protect secure

1:15 traffic from the internet reaching my

1:16 front-end web application and then the

1:18 communications going back to my database

1:20 back-end so full you know layer seven

1:23 advanced security services available in

1:25 a containerized format that i can deploy

1:27 in a couple of seconds

1:30 now to deploy a csrx instance

1:33 i used i have a windows laptop i

1:35 installed docker desktop for windows

1:37 there's a version for mac there's also a

1:39 linux version

1:40 and then i downloaded the csrx image

1:42 from the juniper support downloads

1:44 website i'll show you the image in a

1:45 minute

1:46 and then we will use docker commands to

1:48 create the necessary networks and launch

1:51 the csrx instance then once the csrxs is

1:54 launched to get all the functionality

1:56 out of it you're going to need a

1:57 software license and then you're going

1:59 to need to apply some configuration

2:03 here's the example csrx container we're

2:05 going to build we're going to launch a

2:07 use docker to launch a csrx instance and

2:09 we're going to create three docker

2:11 networks one of them will be the

2:13 management network we'll create use the

2:15 docker network create command we'll

2:17 create a management network

2:19 then i'm going to have two transit

2:20 networks i'm going to create one of them

2:22 i'm going to call the untrust network

2:24 you can call the network whatever you'd

2:26 like but we'll use docker network create

2:28 and create a untrust network

2:30 and a trust network and a management

2:33 network now on the interfaces that are

2:35 going to process transit traffic if you

2:37 want the csrx to perform nat functions

2:40 which is a common feature

2:42 when you create the docker networks you

2:44 must enable ipmasquerating so the csrx

2:47 is capable or it enables the csrx to

2:50 perform map functions we'll use the

2:52 docker run command to launch the

2:55 container and then we'll use the docker

2:57 network connect command to connect the

2:59 transit networks to the vsrx instance

3:02 and assign ip addresses to these two

3:04 transit interfaces

3:07 i have the commands we're going to use

3:09 to create or launch the csrx container

3:12 in this notepad document these are the

3:14 three networks where we use the docker

3:16 network create command we can create a

3:18 network called in this case mgmt

3:21 underscore net this is a variable you

3:23 can create the network you can name the

3:25 network however you choose you do not

3:27 have to specify a subnet to be

3:29 associated docker will automatically

3:31 generate or assign a

3:33 172.17

3:35 subnet to the first network that you

3:37 create but i wanted a little more

3:38 control so we're going to define the

3:40 actual management subnet range

3:43 these then i will create two transit

3:45 networks this would be the untrust

3:47 network and again you could name the

3:49 networks whatever you'd like

3:51 this is the subnet i want associated

3:53 with that untrust network here's my

3:54 trust network and the associated subnet

3:56 and since these are transit interfaces i

3:59 won't want to enable ip masquerading on

4:02 those interfaces and this will again

4:03 enable the csrx instance to perform nat

4:06 functions

4:08 the csrx instance requires a couple of

4:11 docker volumes for storage one to store

4:14 its configuration information you can

4:16 name we'll use the docker volume create

4:18 you'll name the config volume whatever

4:20 you'd like and we also need another

4:22 volume for the csrx log information so

4:25 we'll use two docker volume create

4:27 commands for that

4:28 and then we use docker run and this will

4:30 launch the container instance it'll run

4:33 in detached mode which means once you

4:35 run this command you get your prompt

4:37 back

4:38 the name of the container will be csrx01

4:41 the host name in the juno cli will

4:43 automatically be set to the same value

4:46 it runs in privileged mode

4:48 when it launches it will connect itself

4:50 the management interface on this

4:51 container instance will connect to the

4:53 management network that we defined

4:55 earlier in the process

4:57 the dash v option will attach the two

5:00 volumes the config volume and the log

5:02 volume to the container this is the only

5:05 allowed

5:06 csrx image size or container size that's

5:09 permitted it's large

5:11 now this is a nice option this csrx port

5:14 number i only need three interfaces on

5:16 this container instance i need a

5:17 management interface

5:19 and a gigi zero zero zero interface that

5:22 i want to attach to the untrust network

5:25 and a gige001 interface that i want to

5:27 attach to the trust network you can

5:30 specify up to 15 transit interfaces on

5:33 each container csrx container instance

5:36 so there's a lot there but i only need

5:38 to connect to a couple of networks here

5:40 transit wise in a management network so

5:42 that's the number of ports i want in my

5:44 container instance the root password

5:46 will automatically be set to to this

5:48 value and there will be a console that

5:50 i'll be able to connect to and and then

5:52 look around low config you know perform

5:54 operations on the container once it's

5:56 launched and once it's launched i

5:58 connect my untrust network that we

6:00 defined a little bit earlier and i also

6:02 assign an ip address to the first

6:04 container interface on that network

6:07 10.0 the first ip address is reserved by

6:10 docker for the gateway ip address to

6:12 drop traffic out of this subnet and so

6:15 the first ip address available to me to

6:17 to assign to a csrx interface is dot two

6:21 and so

6:22 the we'll connect the container to the

6:23 untrust network and we'll assign the

6:25 gigi zero zero zero interface that ip

6:27 address and then we'll also connect the

6:29 trust network to that container and

6:31 we'll assign

6:32 is the ip address for the

6:35 first interface the gigi001 interface on

6:38 that container and then we'll use the

6:40 docker exec command to connect to the

6:42 container instance and look around

6:45 so first let's make the network

6:48 let me copy this

6:50 docker network create command

6:52 and we'll go to the command prompt and

6:54 we'll begin the process

6:57 here's my command prompt i already as i

6:59 mentioned earlier downloaded the docker

7:01 image

7:02 from our support website this is the

7:04 name of the image it's about 250 megs in

7:06 size

7:08 then once i've downloaded the image you

7:10 will use the docker

7:12 load dash i command

7:15 and and the image name and this will

7:17 uncompress that downloaded image

7:19 and store it in your local docker image

7:22 repository i've already done the docker

7:25 load step it took about a minute and so

7:28 it's not very fun to watch during a

7:30 learning byte but i can run the docker

7:32 image ls command to list all of my

7:34 images

7:35 and here's the csrx image that was

7:38 uncompressed and placed in my local

7:41 docker image repository so this is the

7:43 container image that we will launch

7:46 right so first i wanted to

7:51 i lost the docker network command there

7:53 let me

7:54 copy this

7:56 we'll go back and we'll create the

7:57 management network

8:01 then i'll come back and create we copy

8:03 eclipse we copy this line

8:07 and we'll create the untrust network

8:10 prompt

8:14 let's go back and get our trust network

8:18 docker network create command

8:23 paste that back in there

8:26 so now i've created the management

8:27 network the untrust network the trust

8:30 network so those are the three networks

8:31 and the three subnets i wanted to create

8:34 now i want to go back and create the

8:35 volumes there's two commands to save

8:38 time i use the double ampersands to

8:40 combine these two docker volume create

8:42 commands together so i can just copy

8:44 this line

8:46 and paste it in

8:48 to the prompt to the command prompt and

8:50 it'll automatically run both of those

8:52 for me just to save us some time there's

8:53 the config

8:55 and the var log volume

8:57 now once the networks and the volumes

8:59 are created we can run which means we're

9:01 going to launch

9:03 our container so we'll copy this

9:07 paste that command in

9:12 and it takes a about a second or two for

9:14 the container to launch and it's up and

9:15 running you can run a docker

9:18 container ls it's how you can see your

9:21 running containers

9:23 and here's our csr csrx01 you know

9:26 container instance here's the id here's

9:28 the image that was used to to load it

9:30 you know it's been up about seven

9:31 seconds right

9:33 and then now i need to

9:35 now that it's up and running i can

9:36 attach those two transit networks to

9:38 this csrx01 container so let's go back

9:42 to the

9:43 notepad document and i've got two

9:45 commands connected here two docker

9:47 network connect commands

9:50 join together with the double ampersand

9:52 let's just paste that in there and this

9:54 will you know connect

9:55 the csrx01 instance to the untrust

9:58 network and this will be the ip address

10:00 assigned to the first interface in that

10:02 network and the same thing with the

10:03 trust network

10:05 so let's connect it

10:08 and now i have a running instance that's

10:10 connected to networks so there's one

10:12 other command i mentioned where we'll do

10:14 the docker exec

10:18 and this command will connect us to our

10:20 running container and we'll log in as

10:22 root the password was lab 123 and the

10:25 hostname was set to csrx01 for me so now

10:28 for example if i run a show

10:31 interfaces here's my gigi00 right this

10:35 was assigned to the trust

10:38 the untrust excuse me docker network and

10:40 it's up and running i know i don't have

10:42 any configuration

10:44 i can do configure if if you'd like

10:48 load set

10:51 you know terminal

10:52 and then i have some configuration that

10:54 will work

10:56 it's in set commands in this file

10:59 it'll create a you know it'll assign the

11:01 same ip addresses to the interfaces that

11:04 the docker used it sets a a nat rule

11:07 that gnats you know from the trust zone

11:09 to the untrust zone it'll perform source

11:11 nat and destination that there's you

11:13 know some security policies

11:16 so i can copy that

11:18 come back

11:21 paste it in

11:24 use the control d and then i do a commit

11:29 and then so now my interface is well i

11:31 forgot to set system often you have to

11:33 set the root password uh set system

11:36 root authentication plain text password

11:40 set the root password you you have to

11:42 when you load a config on there set the

11:44 root password before it'll accept a

11:45 commit

11:48 okay my commit process is complete now

11:50 if i do uh

11:54 i'll put a run in front of that since

11:55 i'm in configuration mode i'll actually

11:57 see more information about the

11:59 interfaces that i have configured on the

12:00 platform here's the logical unit here's

12:02 the ip address that's been assigned to

12:04 it i should have internet

12:08 connectivity you have to type it right

12:10 every time let me let me try that ping

12:12 command again

12:20 there's my ping replies coming back

12:22 now when i'm done i can exit you know

12:25 configuration mode i use exit to get

12:27 back to my local command prompt

12:29 and i can run a docker stop

12:32 c

12:33 srx01 command and stop that container i

12:37 still have the existing volumes i still

12:39 have the networks created so then once i

12:42 launch more containers i can simply

12:43 attach them to those existing objects i

12:45 don't have to build the network every

12:47 time and create the volumes every time i

12:49 do have to attach them once the

12:51 container is running now the uh when you

12:55 stop the container it seems to take

12:56 around 10 to 11 seconds for the

12:58 container to fully shut down they spin

13:00 up really quickly a second or two the

13:02 containers up and running

13:04 it does take a few seconds for it to

13:05 successfully stop

13:07 and then that's this learning bite

13:10 so in this learning by we used docker to

13:13 launch a csrx instance thank you very

13:15 much

13:18 visit the juniper education services

13:20 website to learn more about courses

13:23 view our full range of classroom online

13:26 and e-learning courses

13:28 learning paths

13:30 industry segment and technology-specific

13:32 training paths

13:34 juniper networks certification program

13:37 the ultimate demonstration of your

13:39 competence and the training community

13:42 from forums to social media join the

13:44 discussion

13:51 you

Show more