Firewall(vSRX)

Service Menu Overview

This menu provides the Juniper Networks® vSRX Virtual Firewall (hereinafter "vSRX").

  • This menu, Firewall (vSRX), provides a virtual server with vSRX pre-installed.

  • Creating, configuring and deleting Firewall (vSRX) are completely automated, so customers can use them on demand.

Service Menu Features

The following are features of Firewall (vSRX) menu:

  • Offering vSRX’s functions as much as possible

    • This menu provides almost all functions of vSRX to Customers, as such it provides high performance network functions.

  • Automated provisioning using SDN technology

    • Provisioning of Firewall (vSRX) is automated with SDN technology, which lets customers use resources flexibly without complicated operations.

Definition of Terms

  • Customer Portal/API: Portal/API provided by NTT Com

  • vSRX Portal/API/CLI: Portal/API/CLI provided as a standard function of vSRX

Available Functions

List of Functions

  • The following functions are available in this menu. A Portal/API/CLI is provided for operating each function.

| No. | Functions | Description | Method of Operation |
|---|---|---|---|
| 1 | Instance Control Function | Provides functions such as creating, viewing information on, editing and deleting Firewall (vSRX). | Customer Portal / API |
| 2 | Firewall Function | Offers the vSRX panel to customers and provides most of the firewall functionality of vSRX. | vSRX Portal/API/CLI |


Description of Functions

1. Instance Control Function

Create Firewall (vSRX)

  • Customers can create a new Firewall (vSRX) on their own via the Customer Portal/API.

  • Customers can assign the following parameters while creating a Firewall (vSRX):

  • For the items referable with the API, refer to the API reference.

| Available Parameters | Details | Required/Optional |
|---|---|---|
| Name | Specify the name of Firewall (vSRX). | Optional |
| Description | Specify the description of Firewall (vSRX). | Optional |
| Tags | Specify tag information of Firewall (vSRX). | Optional |
| Plan | Specify the plan for Firewall (vSRX). | Mandatory |
| Zone / Group | Specify the Zone / Group where Firewall (vSRX) is accommodated. | Optional |
| Name of interface | Specify the name of the interface. | Optional |
| Logical Network | Specify one Logical Network connected to Firewall (vSRX). | Mandatory |
| IP Address | One IP address can be specified for the interface (ge-0/0/0.0) of the firewall (vSRX). The specified IP address is configured on the firewall (vSRX). | Mandatory |
| Default Gateway | Specify the Default Gateway of Firewall (vSRX). | Optional |

Note

  • This operation may take about 20 to 30 minutes. Please allow for this time when planning the work.

  • The IP address of the interface (ge-0/0/0.0) specified with this parameter serves for the access point to the portal/API/CLI of vSRX.

  • When the firewall (vSRX) is created, the interface (ge-0/0/0.0) has been set to the Trust zone. After the creation, the customer is expected to change the setting through vSRX portal/API/CLI, in accordance with their design.

  • After creation of the firewall (vSRX), IP address settings cannot be made on customer portal/API. Addition, change and deletion of an IP address is to be executed through vSRX portal/API/CLI.

  • After creation of the firewall (vSRX), addition, change and deletion of the default gateway are to be executed through vSRX portal/API/CLI.

  • The logical network and subnet for firewall (vSRX) connections must have been created beforehand.

  • Firewall (Brocade 5600 vRouter) can connect to the Logical Network (Data Plane) only. It cannot connect to the Logical Network (Storage Plane).

  • In the case where processing fails at the time of firewall (vSRX) creation and the firewall (vSRX) is not deleted by the customer through the customer portal/API, it is automatically deleted when 30 days elapse.

View Firewall (vSRX) Information

  • Customers can view information on their Firewall (vSRX) on their own via the Customer Portal/API.

  • The following parameters can be viewed through the Customer Portal:

  • For the items referable with the API, refer to the API reference.

| Available Information | Details |
|---|---|
| Name | View the name of Firewall (vSRX). |
| ID | View the ID of Firewall (vSRX). |
| Description | View the description of Firewall (vSRX). |
| Tags | View tag information of Firewall (vSRX). |
| Plan | View the plan of Firewall (vSRX). |
| Appliance Type | View the appliance type of Firewall (vSRX). |
| Tenant ID | View the tenant ID to which the firewall (vSRX) belongs. |
| Zone / Group | View the Zone/Group where Firewall (vSRX) is accommodated. |
| Monitoring Status (OS Monitoring Status) | View the judgment of whether SNMP monitoring is normal, based on the SNMP sysUptime value returned by the firewall (vSRX). |
| Login Status (OS Login Status) | View the judgment of whether login to the firewall (vSRX) via the REST API is possible. |
| Virtual Server Status (VM Status) | View the status of the virtual server on which the firewall (vSRX) is running. |
| Operation | View the status of operations performed on the firewall (vSRX). |

Note

  • For the detailed definitions of the monitoring status (OS Monitoring Status), login status (OS Login Status), and virtual server status (VM Status), refer to Service Description (Monitoring).

  • When ERROR is indicated for the virtual server status (VM Status), stop the firewall (vSRX) and check that it has been stopped. If it cannot be stopped, check fault information (etc.) provided by the Knowledge Center and then, if needed, make an inquiry with a ticket.

  • For information on the default gateway specified at the time of firewall (vSRX) creation, check with the operation history.

Edit Firewall (vSRX)

  • Customers can edit an existing Firewall (vSRX) on their own via the Customer Portal/API.

  • Customers can assign the following parameters while editing a Firewall (vSRX):

  • For the items editable with the API, refer to the API reference.

| Available Parameters | Details | Required/Optional |
|---|---|---|
| Name | Specify the name of Firewall (vSRX). | Optional |
| Description | Specify the description of Firewall (vSRX). | Optional |
| Tags | Specify tag information of Firewall (vSRX). | Optional |

Edit Firewall (vSRX) interface

  • Customers can edit a Firewall (vSRX) interface on their own via the Customer Portal/API.

  • Customers can assign the following parameters while editing a Firewall (vSRX) interface:

  • For the items editable with the API, refer to the API reference.

| Available Parameters | Details | Required/Optional |
|---|---|---|
| Name | Specify the name of the interface. | Optional |
| Description | Specify the description of the firewall (vSRX) interface. | Optional |
| Tags | Specify tag information for the firewall (vSRX) interface. | Optional |
| Logical Network | A customer can specify multiple logical networks as connection/disconnection targets. | Mandatory |
| IP Address | Multiple IP addresses can be specified for the firewall (vSRX) interface. "Automatic assignment" can also be selected. | Optional |

Note

  • Interfaces "1-8" on the Customer Portal/API correspond to interfaces "ge-0/0/0 - ge-0/0/7" on the vSRX portal/API/CLI.

  • Editing the Logical Network and IP address takes about 15 to 20 minutes.

  • If a connection to the same logical network has already been made, or the network address of the logical network duplicates one already connected, the edit results in an error.

  • Unlike at firewall (vSRX) creation time, an IP address specified or automatically assigned when editing an interface is not configured on vSRX. Set it through the vSRX portal/API/CLI.

  • If a message indicating an error is shown as operation warning after completion of the interface edit, the initiation of vSRX may not have been completed or the configuration change (enable/disable interface) may not have been made. If this is the case, the customer is expected to stop/start vSRX and make the configuration change on their own. If warning is still indicated when operations are performed again after a while, make an inquiry with a ticket.
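The interface rules above (portal interface numbers 1-8 map to ge-0/0/0 - ge-0/0/7, an edit fails on a duplicate logical network, and the address is not pushed to vSRX after an edit) are the kind of thing a customer ends up scripting around. The following Python helper is an added example, not code from NTT Communications or Juniper: it maps portal interface numbers to Junos names, pre-checks an edit against the duplicate-network rule, and emits the Junos `set` commands the customer would then enter through the vSRX CLI. The function names, the shape of the `existing` inventory dictionary, the reading of "duplication on the network address" as subnet overlap, and all sample addresses are my assumptions and constructed data.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical helper (not the ECL2.0 portal's or vSRX's own code).
# Portal interfaces "1-8" correspond to ge-0/0/0 - ge-0/0/7 on vSRX.
PORTAL_INTERFACE_COUNT = 8
JUNOS_PREFIX = "ge-0/0/"


def portal_interface_to_junos(portal_if: int) -> str:
    """Map a Customer Portal/API interface number (1-8) to its Junos name."""
    if not 1 <= portal_if <= PORTAL_INTERFACE_COUNT:
        raise ValueError(f"portal interface must be 1-{PORTAL_INTERFACE_COUNT}, got {portal_if}")
    return f"{JUNOS_PREFIX}{portal_if - 1}"


def junos_to_portal_interface(ifname: str) -> int:
    """Inverse mapping, e.g. 'ge-0/0/3' or 'ge-0/0/3.0' -> 4."""
    physical = ifname.split(".", 1)[0]
    if not physical.startswith(JUNOS_PREFIX):
        raise ValueError(f"not a portal-managed interface: {ifname}")
    index = int(physical[len(JUNOS_PREFIX):])
    if not 0 <= index < PORTAL_INTERFACE_COUNT:
        raise ValueError(f"not a portal-managed interface: {ifname}")
    return index + 1


def interface_edit_conflicts(existing: Dict[int, Tuple[str, str]],
                             target_if: int,
                             new_network_id: str,
                             new_subnet: str) -> List[str]:
    """Client-side precheck of the rule that an edit fails when the same
    logical network is already connected or its network address duplicates
    one already in use. 'existing' maps portal interface number ->
    (logical network id, subnet CIDR); it is a constructed inventory, not
    data from the API. Treating "duplication" as subnet overlap is my
    interpretation of the note.
    """
    problems: List[str] = []
    new_net = ipaddress.ip_network(new_subnet, strict=True)
    for portal_if, (network_id, subnet) in existing.items():
        if portal_if == target_if:
            continue  # the interface being edited is the one being replaced
        if network_id == new_network_id:
            problems.append(f"logical network {network_id} is already connected on interface {portal_if}")
        elif ipaddress.ip_network(subnet).overlaps(new_net):
            problems.append(f"{new_subnet} overlaps {subnet} on interface {portal_if}")
    return problems


def junos_address_commands(portal_if: int,
                           addresses: Iterable[str],
                           zone: Optional[str] = None) -> List[str]:
    """Build the Junos 'set' commands that still have to be entered on vSRX
    after an interface edit, because the portal does not configure the
    address on vSRX (unlike ge-0/0/0.0 at creation time). Addresses must
    carry a prefix length; 'zone' optionally places unit 0 into a security
    zone, which is the customer's own design choice.
    """
    ifname = portal_interface_to_junos(portal_if)
    commands: List[str] = []
    for cidr in addresses:
        if "/" not in cidr:
            raise ValueError(f"prefix length required for Junos address: {cidr}")
        iface = ipaddress.ip_interface(cidr)  # validates address and prefix
        family = "inet" if iface.version == 4 else "inet6"
        commands.append(f"set interfaces {ifname} unit 0 family {family} address {iface.with_prefixlen}")
    if zone:
        commands.append(f"set security zones security-zone {zone} interfaces {ifname}.0")
    return commands


if __name__ == "__main__":
    # Constructed sample: two interfaces already connected, now editing interface 3.
    inventory = {1: ("ln-mgmt", "10.0.0.0/24"), 2: ("ln-dmz", "10.0.1.0/24")}
    print(interface_edit_conflicts(inventory, 3, "ln-dmz", "10.0.1.128/25"))
    for line in junos_address_commands(3, ["192.0.2.10/24"], zone="untrust"):
        print(line)
```

Running the precheck before submitting the edit avoids a 15 to 20 minute round trip that ends in an error; the generated commands are a reminder that the portal edit alone leaves the interface without an address on vSRX.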

Edit allowed address pairs

  • Customers can edit the allowed address pairs of a Firewall (vSRX) on their own via the Customer Portal/API.

  • Customers can assign the following parameters while editing allowed address pairs of a Firewall (vSRX):

  • For the items editable with the API, refer to the API reference.

| Available Parameters | Details | Required/Optional |
|---|---|---|
| IP Address (allowed address pairs) | A customer can specify an address pair (IP address) by which communications through the target interface of the firewall (vSRX) are allowed. | Mandatory |
| IP Address (allowed address pairs) | A customer can specify the protocol (type) to be registered for the address pair by which communications through the target interface of the firewall (vSRX) are allowed. | Mandatory |
| MAC Address (allowed address pairs) | A customer can specify an address pair (MAC address) by which communications through the target interface of the firewall (vSRX) are allowed. | Optional (Mandatory if the type of the allowed IP address pair has not been specified) |
| VRID (allowed address pairs) | A customer can specify a VRID if VRRP has been specified as the type of the allowed IP address pair. | Optional (Mandatory if VRRP has been specified as the type of the allowed IP address pair) |

Note

  • To use VRRP, this setting must be made. If this setting is not made, communications to a virtual IP address used with VRRP are not performed properly.

  • Regarding the address pair allowed, the upper limit number per interface is 1.

  • VRRP settings must be made for each firewall (vSRX) which is a VRRP constituent.

  • To actually perform communications using VRRP, this setting must be followed by VRRP settings through vSRX portal/API/CLI.

  • If a message indicating an error is shown as operation warning after edit completion of the address pair allowed, the specified address pair may not have been set or edit of the address pair may not be executable for the target port. If this is the case, the customer is expected to disconnect the logical network with which the target interface is connected, make reconnection, and then edit the address pair allowed.

  • An address in the address range of ISP shared address (100.64.0.0/10) cannot be registered for the address pair allowed.
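The table and notes above amount to a small rule set (one pair per interface, MAC mandatory when no type is given, VRID mandatory for VRRP, nothing in 100.64.0.0/10). As an added example, not code from NTT Communications or the Customer API, the following Python checker applies those rules to a request before it is sent, so that a rejected edit, and the operation warning that may follow a partially applied one, is avoided. The `AllowedAddressPair` model, the `vrrp` type string and the 1-255 VRID bound (the VRRP protocol's own range, not stated on this page) are my assumptions; the VRID-uniqueness check reflects the later restriction that a VRID must not be duplicated in the same segment.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical request model and checker, not the Customer API's own schema
# or code. The rules encoded are the ones in the table and note above.
ISP_SHARED_RANGE = ipaddress.ip_network("100.64.0.0/10")
MAX_PAIRS_PER_INTERFACE = 1
MAC_PATTERN = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
VRRP_TYPE = "vrrp"  # the only pair type named on this page (assumed spelling)


@dataclass
class AllowedAddressPair:
    interface: int                    # Customer Portal interface number (1-8)
    ip_address: str                   # allowed IP address (host or CIDR form)
    pair_type: Optional[str] = None   # protocol/type; None = not specified
    mac_address: Optional[str] = None
    vrid: Optional[int] = None


def validate_allowed_address_pair(pair: AllowedAddressPair,
                                  pairs_already_on_interface: int = 0,
                                  vrids_in_segment: Optional[Set[int]] = None) -> List[str]:
    """Return a list of rule violations; an empty list means the request
    passes every rule this page states."""
    problems: List[str] = []

    if not 1 <= pair.interface <= 8:
        problems.append(f"interface must be 1-8, got {pair.interface}")

    # Upper limit: one allowed address pair per interface.
    if pairs_already_on_interface >= MAX_PAIRS_PER_INTERFACE:
        problems.append("interface already has the maximum of 1 allowed address pair")

    # IP address is mandatory and must not fall in the ISP shared address range.
    try:
        net = ipaddress.ip_network(pair.ip_address, strict=False)
    except ValueError:
        problems.append(f"invalid IP address: {pair.ip_address!r}")
        net = None
    if net is not None and net.version == 4 and net.overlaps(ISP_SHARED_RANGE):
        problems.append(f"{pair.ip_address} is in the ISP shared address range {ISP_SHARED_RANGE}")

    # MAC address: mandatory when no type is specified; must be well-formed if given.
    if pair.pair_type is None and not pair.mac_address:
        problems.append("MAC address is mandatory when the pair type is not specified")
    if pair.mac_address and not MAC_PATTERN.match(pair.mac_address):
        problems.append(f"malformed MAC address: {pair.mac_address!r}")

    # VRID: mandatory for VRRP, within VRRP's 1-255 range, and unique in the segment.
    if pair.pair_type is not None and pair.pair_type.lower() == VRRP_TYPE:
        if pair.vrid is None:
            problems.append("VRID is mandatory when the pair type is VRRP")
        elif not 1 <= pair.vrid <= 255:
            problems.append(f"VRID must be 1-255, got {pair.vrid}")
        elif vrids_in_segment and pair.vrid in vrids_in_segment:
            problems.append(f"VRID {pair.vrid} is already used in this segment")

    return problems


if __name__ == "__main__":
    # Constructed sample requests.
    print(validate_allowed_address_pair(AllowedAddressPair(2, "192.0.2.100", "vrrp", vrid=10)))
    print(validate_allowed_address_pair(AllowedAddressPair(2, "100.64.1.1", "vrrp", vrid=10)))
    print(validate_allowed_address_pair(AllowedAddressPair(2, "192.0.2.100")))
```

The checker returns every violation at once rather than the first one, which matches how a reviewer would want to read a rejected change request.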

Console connections with the firewall (vSRX) instance

  • A customer is allowed to make console connections to the contracted firewall (vSRX) instance through the customer portal on their own.

Note

  • "Send Ctrl + Alt + Del" at the upper right of the screen does not work; execute "Reboot Firewall (vSRX)" to reboot the firewall instance.

Stop/start of the firewall (vSRX)

  • A customer is allowed to stop and start the contracted firewall (vSRX) through the customer portal or API operations on their own.

Note

  • This operation takes about 10 minutes to complete. Keep the time in mind when estimating the workload.

  • Please be aware that billing will be continued after stopping the firewall or disconnecting the logical network. If you want to stop billing, please delete the firewall.

Reboot Firewall (vSRX)

  • Customers can reboot their Firewall (vSRX) on their own via the Customer Portal/API.

Note

  • This operation takes about 10 minutes to complete. Keep the time in mind when estimating the workload.

Password reset for the firewall (vSRX)

  • A customer is allowed to reset the password of the account used for access to the firewall (vSRX), through the customer portal or API operations on their own.

Note

  • Password reset for the firewall (vSRX) is executable only for the initial account (root).

  • For accounts created by a customer, password reset needs to be executed through vSRX portal/CLI/API.

  • If a message indicating an error is shown as operation warning after execution of password reset, password change may not have been made. If this is the case, the customer is expected to attempt logging in with the new password, and if the login fails, execute password reset again.

Deletion of the firewall (vSRX)

  • A customer is allowed to delete the contracted firewall (vSRX) through the customer portal or API operations on their own.

2. Firewall Functions

Function Overview

  • vSRX is set up on a virtual server and firewall functions are provided.

  • Firewall functions can be set and used through vSRX portal/API/CLI.

  • To use the functions provided through the customer portal/API, the vSRX use conditions must be followed. For details, refer to Restrictions.

  • For the functions whose operations have been confirmed by NTT Communications, information has been released through Operation-confirmed setting examples and Operation-confirmed usage models. Be sure to check the settings described there as absolutely needed for operation on the ECL2.0 platform, and also check Version-specific points to note.

  • For other functions provided by vSRX, refer to the Juniper Networks, Inc. TechLibrary for vSRX.

  • Some functions of the Juniper Networks SRX series cannot be used or are not supported on the vSRX provided by this service. For the function list, refer to SRX Series Features Not Supported on vSRX.

  • When the virtual server platform has a malfunction, the HA function of the virtual server automatically switches to another normally functioning server. For details about the virtual server and the HA function, refer to the Virtual Server Service Description.

Version

  • The version provided regarding the firewall (vSRX) is as follows:

| No | Version |
|---|---|
| 1 | 15.1X49-D105.1 |

License type

  • The license type provided regarding the firewall (vSRX) is as follows:

| No | Type of Licensing |
|---|---|
| 1 | STD (Standard) |

Lifecycle Policy

Life cycle policy regarding the firewall (vSRX) is as follows:

  • Basic Policy
    • Up to 2 versions are provided. (As an exception, 3 versions may be provided at the same time to allow for the replacement period from an old version to a new one.)

    • The provided version is decided by NTT Com considering stability, usage conditions, support term and so on.

    • When a new region is released on ECL 2.0, only the latest version at the time of the region release is offered.

  • End of Sales (EOS) Policy
    • When a new version is provided and the number of versions exceeds the limit above (2 versions), sales of the old version stop about 1 year after the offering date of the new version.

    • For the EoE/EoS information of the OS version provided by this menu, refer to Junos Dates & Milestones.

    • *1 End of Engineering (EoE): status in which function addition and fault repair by Juniper Networks are no longer possible

    • *2 End of Support (EoS): date on which technical support by Juniper Networks ends

  • End of Life (EOL) Policy
    • We will respond to inquiries regarding EOL from the product manufacturer, including inquiries regarding the technical content and usage of our provided versions, including those that have been discontinued.

    • For the support contents, refer to Support coverage.

    • After EOL, we will not provide support other than for virtual server infrastructure and customer portal/API failures. Please keep in mind that billing continues at the same amount and that operation after a change of the infrastructure version is not guaranteed.

  • How to replace version
    • If a new version is provided in the future, this menu does not provide an upgrade to it; contract the new version of the firewall (vSRX) separately and switch over from the old version of the firewall (vSRX).

    • Please plan the replacement at the customer's own cost and responsibility, referring to the following EOS/EOL information.

  • EOS/EOL Information

| Version | EOS | EOL |
|---|---|---|
| 15.1X49-D105.1 | Expected in February 2020 | Planned for February 2021 |

  • This information is subject to change without prior notice to customers.

Service Plan

Service List

  • Following Plans are provided:

| Plan | CPU | MEM (GB) | Number of interfaces |
|---|---|---|---|
| 2CPU-4GB-8IF | 2 | 4 | 8 |

Subscription Methods

  • The subscription types are as follows. Note that the billing amount changes with the following subscriptions.

| Subscription Types | Subscription Methods | Offering Date |
|---|---|---|
| Create Firewall (vSRX) | Apply by the customer's own operation via the customer portal / API | Instant delivery |
| Delete Firewall (vSRX) | Apply by the customer's own operation via the customer portal / API | Instant delivery |


  • Regarding the firewall (vSRX), the upper limit number, lower limit number, and sales unit per tenant are as follows:

| Maximum Number | Minimum Number | Unit |
|---|---|---|
| 64 | 0 | 1 |

Terms and Conditions

Usage Conditions with Other Service Menus

  • There are no specific conditions. Customers may subscribe to this menu in combination with any menu of Enterprise Cloud 2.0.


Minimum Usage Period

  • There is no minimum contract period.


Pricing

Initial Fee

  • There is no initial fee.


Monthly Fees

  • A monthly fee applies to this menu.

  • Monthly fees are metered and capped at a monthly maximum.


Quality of Service

Support Coverage

  • This menu's virtual server platform, vSRX, and customer portal/API are covered.

  • For inquiries about the functions operated through the customer portal/API, NTT Communications supports the setting methods.

  • Inquiries about the functions executed through the vSRX portal/API/CLI

    • Charge-free support is provided for usage which conforms to the tutorials released by NTT Communications: Operation-confirmed setting examples and Operation-confirmed usage models.

    • For product functions not confirmed by NTT Communications, vendor escalation can be provided to customers who have applied for the advanced plan (paid). Note, however, that inquiries about the following kinds of technical support are not covered by this service: support for architecture and design, performance tuning in a customer's environment, and verification of applications (etc.) adopted separately by a customer. For details about the specifications of the advanced plan, refer to Service Instruction Manual (Support).

Operations

For this menu’s virtual server platform, operations are executed as follows:

  • Infrastructure of this menu is monitored 24/7.

  • Maintenance and troubleshooting are provided based on the details on Support menu described in other documents.

  • This menu has an HA function. When the platform housing the virtual server has a malfunction, the system automatically switches to another normally functioning server. When this occurs, the system is restarted and communication is disconnected during the switchover. Note that the virtual server cannot be operated while the switchover is in progress.

  • The operational quality conforms to the standard determined for this service. For details, refer to Service Description (Virtual Server) and Service Description (Support).

  • The result of alive monitoring for the virtual server can be checked with the virtual server status (VM Status).

Operations of the OS layer of this menu are expected to be performed as follows in accordance with the customer's needs.

  • The result of alive monitoring for the OS can be checked with the monitoring status (OS Monitoring Status) and login status (OS Login Status).

  • Alarm settings can be made by setting a threshold for each monitoring item. The alarm is sent to the specified email address.

  • For details, refer to Service Description (Monitoring).


SLA

  • The SLA for this Service Menu meets the SLA Standards defined by Enterprise Cloud 2.0.


Restrictions

Note

Providing Method

  • vSRX is installed on the virtual server before the server is provided.

  • Up to 64 firewalls (vSRX) can be used per tenant.

  • To use the functions provided through the customer portal/API, the vSRX use conditions must be followed. For details, refer to the items other than “Providing Method” under “Restrictions”.

  • Filtering rules are not set by default. For security, connect only to the private network at first and set filtering rules before connecting to the Internet.

  • For the functions whose operations have been confirmed by NTT Communications, information has been released through Operation-confirmed setting examples and Operation-confirmed usage models. The settings absolutely needed for operation on the ECL2.0 platform are also described there, so be sure to check them. For other functions provided by vSRX, refer to the Juniper Networks, Inc. TechLibrary for vSRX.

  • Some of the items settable with the CLI cannot be set with the vSRX portal. Setting through CLI operations is recommended. The portal becomes accessible after the settings have been added with the CLI. For the procedure, refer to the Tutorial.

  • Some functions of the Juniper Networks SRX series cannot be used or are not supported on the vSRX provided by this service. For the function list, refer to SRX Series Features Not Supported on vSRX.

  • Please be aware that billing will be continued after stopping the firewall or disconnecting the logical network. If you want to stop billing, please delete the firewall.

License

  • The license set for this service must not be used in environments other than ECL2.0 and must not be used with any other vSRX. If invalid use is identified, use of this service is disabled.

  • No restrictions are imposed on the adoption of a vSRX function expansion license by customers. Check with the license provider that the license is usable on the cloud service of NTT Communications, and use the license at the customer's own responsibility. Before a customer who uses a function expansion license makes an inquiry to NTT Communications, the customer is expected to check that the problem is not attributable to the expanded portion, for example by temporarily removing the expansion license to see whether the same problem still occurs. If NTT Communications cannot confirm that the problem is not attributable to the expanded portion, support may be declined.

Interface related

  • Connect to a logical network through "Create firewall (vSRX)" or "Interface connection" via the customer portal/API.

  • Editing the Logical Network and IP address takes about 15 to 20 minutes.

  • The logical network and subnet for firewall (vSRX) connections must have been created beforehand.

  • Firewall (Brocade 5600 vRouter) can connect to the Logical Network (Data Plane) only. It cannot connect to the Logical Network (Storage Plane).

  • If connections with the same logical network have already been made or duplication occurs on the network address of the logical network, execution of the edit results in an error.

  • Unlike when creating a firewall (vSRX), the IP address specified or automatically assigned when editing the interface is not set to vSRX. Please execute on portal / API / CLI of vSRX.

  • When the firewall (vSRX) is created, the interface (ge-0/0/0.0) has been set to the Trust zone. After the creation, the customer is expected to change the setting through vSRX portal/API/CLI, in accordance with their design.

  • Firewall (Brocade 5600 vRouter) is rebooted when customers connect / disconnect the interface. If necessary, please save the configuration file before connecting / disconnecting the interface.

  • Please be aware that if you connect / disconnect the interface, the MAC address of the interface will be changed.

  • If a message indicating an error is shown as operation warning after completion of the interface edit, the initiation of vSRX may not have been completed or the configuration change (enable/disable interface) may not have been made. If this is the case, the customer is expected to stop/start vSRX and make the configuration change on their own. If warning is still indicated when operations are performed again after a while, make an inquiry with a ticket.

  • The interface not connected with a logical network is deactivated. Do not activate the deactivated interface.

Address/routing related

  • The IP address specified at the time of firewall (vSRX) creation serves for the access point to the portal/API/CLI of vSRX.

  • Other than at creation time, IP addresses are not configured on the firewall (vSRX) through the customer portal/API. Change the settings through the vSRX portal/API/CLI according to the customer's design.

  • The default gateway is to be set only when the firewall (vSRX) is created with customer portal/API. Change and deletion of the default gateway are to be executed through vSRX portal/API/CLI.

  • Addition of the default gateway is to be executed through vSRX portal/API/CLI if not specified at the time of firewall (vSRX) creation.

  • For information on the default gateway specified at the time of firewall (vSRX) creation, check with the operation history.

  • IP address of ge-0/0/0.0 is to be set only when the firewall (vSRX) is created.

Redundancy (VRRP) related

  • Regarding the address pair allowed, the upper limit number per interface is 1.

  • If a message indicating an error is shown as operation warning after edit completion of the address pair allowed, it may be uncertain whether the specified address pair has been set or the subsequent edit of the address pair may not be executable for the target port. If this is the case, the customer is expected to disconnect the logical network with which the target interface is connected, make reconnection, and then edit the address pair allowed.

  • An address in the address range of ISP shared address (100.64.0.0/10) cannot be registered for the address pair allowed.

  • In this menu, VRRP can be used as a redundancy protocol.

  • When using VRRP, enable the DHCP function (address setting function) of the logical network to be connected. With the DHCP function disabled, ARP requests are sent from the NTT Communications network with source address 0.0.0.0, and it has been confirmed that some appliances do not reply to such ARP requests.

  • Regarding the VRRP settings, VRRP configuration settings must be made through vSRX portal/API/CLI after an allowed address pair is set through the customer portal/API. For parameters such as a VRID (VRRP group ID), set the same values.

  • For the VRID (VRRP group ID), specify a value which is not duplicate in the same segment.

  • It is mandatory that VRRP preempt is valid (True). If preempt is disabled, the status may not match on all interfaces, and the communication may be discontinued.

  • VRRP settings must be made for each firewall (vSRX) which is a VRRP constituent.

  • To actually perform communications using VRRP, this setting must be followed by VRRP settings through vSRX portal/API/CLI.

  • This service does not support asymmetric communications.
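The VRRP restrictions above fix several values that must agree on both firewalls and with the allowed address pair registered on the portal: the same VRID, a VRID unique in the segment, and preempt enabled. As an added example, not code from NTT Communications or Juniper, the following Python helper generates the Junos VRRP `set` commands for both members from one shared set of parameters, so the VRID and virtual address cannot drift apart, and cross-checks them against the allowed address pair. The function names, the 1-254 priority bound and 1-255 VRID bound (VRRP protocol ranges, not stated on this page), the `accept-data` option and all sample addresses are my assumptions and constructed data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical helper, not vSRX's or the portal's own code: emits the Junos
# VRRP configuration for both members so that VRID and virtual address are
# identical on each firewall and preempt is always enabled, as the
# restrictions above require. 'accept-data' is included on the assumption
# that the virtual address itself should answer traffic.


def vrrp_member_commands(ifname: str, member_address: str, virtual_address: str,
                         vrid: int, priority: int) -> List[str]:
    """Junos 'set' commands for one VRRP member on interface unit 0."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID must be 1-255, got {vrid}")
    if not 1 <= priority <= 254:
        raise ValueError(f"priority must be 1-254, got {priority}")
    addr = ipaddress.ip_interface(member_address)
    vip = ipaddress.ip_address(virtual_address)
    if vip not in addr.network:
        raise ValueError(f"virtual address {vip} is outside {addr.network}")
    base = (f"set interfaces {ifname} unit 0 family inet address "
            f"{addr.with_prefixlen} vrrp-group {vrid}")
    return [
        f"{base} virtual-address {vip}",
        f"{base} priority {priority}",
        f"{base} preempt",      # mandatory on this platform (see the note above)
        f"{base} accept-data",
    ]


def vrrp_pair_commands(ifname: str, members: Dict[str, Tuple[str, int]],
                       virtual_address: str, vrid: int) -> Dict[str, List[str]]:
    """members: {firewall name: (interface address CIDR, priority)} for the
    two firewalls forming the VRRP group. Returns the commands per firewall,
    all built from the one shared VRID and virtual address."""
    if len(members) != 2:
        raise ValueError("a VRRP pair needs exactly two members")
    subnets = {ipaddress.ip_interface(a).network for a, _ in members.values()}
    if len(subnets) != 1:
        raise ValueError("both members must sit in the same subnet")
    if len({p for _, p in members.values()}) != 2:
        raise ValueError("members need distinct priorities so the master is deterministic")
    return {name: vrrp_member_commands(ifname, addr, virtual_address, vrid, prio)
            for name, (addr, prio) in members.items()}


def allowed_pair_matches_vrrp(allowed_ip: str, allowed_vrid: int,
                              virtual_address: str, vrid: int) -> List[str]:
    """Cross-check that the allowed address pair registered on the portal
    carries the same values as the VRRP configuration on vSRX."""
    problems: List[str] = []
    if ipaddress.ip_address(allowed_ip) != ipaddress.ip_address(virtual_address):
        problems.append(f"allowed address pair IP {allowed_ip} differs from virtual address {virtual_address}")
    if allowed_vrid != vrid:
        problems.append(f"allowed address pair VRID {allowed_vrid} differs from VRRP VRID {vrid}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two firewalls on ge-0/0/1 sharing virtual address 192.0.2.100.
    pair = vrrp_pair_commands("ge-0/0/1",
                              {"fw-a": ("192.0.2.11/24", 200), "fw-b": ("192.0.2.12/24", 100)},
                              "192.0.2.100", 10)
    for name, lines in pair.items():
        print(f"# {name}")
        print("\n".join(lines))
    print(allowed_pair_matches_vrrp("192.0.2.100", 10, "192.0.2.100", 10))
```

Generating both members from one parameter set is the simplest guard against the mismatch the notes warn about; the cross-check catches the other common slip, an allowed address pair whose VRID or address no longer matches what was configured on vSRX.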

Account related

  • Password reset for the firewall (vSRX) is executable only for the initial account (root).

  • For accounts created by a customer, password reset needs to be executed through vSRX portal/CLI/API.

  • If a message indicating an error is shown as operation warning after execution of password reset, password change may not have been made. If this is the case, the customer is expected to attempt logging in with the new password, and if the login fails, execute password reset again.

  • The account which starts with “provider-” is used by the service provider, so do not perform any operations such as edit, password reset and deletion. If any of those operations is identified, use of the service is disabled by NTT Communications.

Management Communication related

  • The service provider uses the management interface (fxp0) to provide the service. Customers must not impose communication restrictions on the management interface (fxp0) through setting changes, ACLs, or any other method. Doing so disables service provision.

  • To enable the communications mentioned above, the service provider performs the following through fxp0. Therefore, do not delete the corresponding settings.

    • Metrics acquisition for monitoring-service provision through SNMP

    • Various operations through the customer portal

    • Login for troubleshooting (etc.) when the service provider considers it necessary

    • IP address assignment to Static Route and fxp0 to enable the communications aforementioned

  • Do not execute the command below, which restores the factory default status. Executing it is equivalent to deleting the firewall.

    • load factory-default

  • If any of the following is identified, the service is disabled without prior notice, whether intentional or not: revision or misuse of the configuration, and invalid communications from the management interface used by the service provider.

  • For details about the configuration set by the service provider, refer to Descriptions of the configuration set up by the service provider. Additions or revisions may be made without notice when NTT Communications considers them necessary for service provision.

Version upgrade for

  • When a new version is provided in the future, make a new contract for the firewall (vSRX) of the new version and use it instead of the firewall (vSRX) of the old version.

Log related

  • To prevent load increase and influence on communications, minimize log acquisition targets.

Reference Performance Information

  • Firewall (vSRX) performance measurement results have been released through (Reference) Firewall (vSRX) performance measurement results.

  • The maximum value of each performance item is measured separately; the maximum values of all items are not measured at the same time.

  • Please note that these verification results are reference values and do not guarantee performance.

  • The number of sessions is restricted by the virtual server on which the firewall (vSRX) is installed. For details, refer to Instance restrictions.