11.2.2.1. Basic functions of vSRX

Operation Confirmed Version:
 vSRX Version15.1X49-D105.1

This section describes the basic functions executable with vSRX.

Login to vSRX (CLI access method (SSH))

To make Firewall settings, you need to log in to vSRX. The password shown at the time of Firewall instance creation is needed. Execute the following command against the IP address assigned to the Firewall instance. When prompted for a password, enter the password shown at the time of Firewall instance creation.

$ ssh root@"Firewall IP address"
Password: "Enter password"

Enabling the GUI of vSRX

As the default, the GUI of vSRX is not usable. Make the following setting with CLI to use it.

user01@vSRX-01# set system services web-management http interface "name of the interface on which GUI access is to be allowed"
user01@vSRX-01# commit

Enabling the API of vSRX

As the default, the API of vSRX is not usable. Make the following setting with CLI to use it.

  1. Add the IP address of the interface that allows API communications.

user01@vSRX-01# set system services rest http addresses "IP address of the interface that allows API communications"
user01@vSRX-01# set system services rest http addresses "IP address of interface fxp0.0"

Note

  • The IP address setting for interface fxp0.0 is needed so that the Service Provider's controller can monitor login to a customer's vSRX through the API. If this setting is not made, "MONITORING UNAVAILABLE" is indicated as the login status and some of the change functions become non-executable from the ECL2.0 customer portal.

  • For the IP address of interface fxp0.0, use the IP address "100.xx.xx.xx" obtained by executing "show interfaces fxp0.0 terse".

  2. Under the zone through which the API is to be passed, add any-service to host-inbound-traffic to allow API communications.

user01@vSRX-01# set security zones security-zone "zone name" host-inbound-traffic system-services any-service
user01@vSRX-01# commit

Setting an IP address to the interface to enable communications

A method for setting an IP address to the interface to enable communications is described.

Setting flow

1. Set an IP address to the interface with the customer portal.
2. Set an IP address (192.168.1.100/24) to the interface (ge-0/0/0 unit 0) of vSRX-02.
3. Make the interface (ge-0/0/0 unit 0) belong to the trust zone.
4. Make settings to allow the set interface (ge-0/0/0 unit 0) to check communications by means of ping.

Note

Settings needed for making the interface usable

  • To set an IP address to an interface (ge-0/0/0 to ge-0/0/7) of vSRX and enable communications, the interface and IP address settings need to be made on the ECL2.0 customer portal.

  • In the initial state, no vSRX interface other than ge-0/0/0 belongs to a zone. To enable communications, the interface must belong to a zone of the zone-based Firewall.

  • To allow communications addressed to the IP address of the interface itself, the corresponding services must be allowed under host-inbound-traffic.

  • To allow communications which pass through vSRX, inter-zone policy settings are needed. For details, refer to "Zone base Firewall setting" (https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/index.html).

Command to be entered with CLI

user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24
user01@vSRX-02# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

The configuration after completion of appropriate settings is as follows.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.100/24;
            }
        }
    }
}
security {
   zones {
       security-zone trust {
           interfaces {
               ge-0/0/0.0 {
                   host-inbound-traffic {
                       system-services {
                           ping;
                       }
                   }
               }
           }
       }
   }
}

Operation check result

The verification log below confirms that the IP address has been set to the interface (ge-0/0/0 unit 0). The successful communication check by means of ping also confirms that the IP address has been set properly.

  • Output of interface status check command “show interfaces terse”

user01@vSRX-02> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.100/24

  (omitted)

  • Output of the command for checking whether ping communications are possible after the IP address setting

user01@vSRX-01> ping 192.168.1.100 rapid
PING 192.168.1.100 (192.168.1.100): 56 data bytes
!!!!!
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.018/0.316/0.988/0.384 ms

Login account addition setting

Register a user account for logging into vSRX, together with its user privilege.

Setting flow

1. Register a login user named user1.
2. Set the user privilege to super-user.
3. Set the login password to Password123.

Note

The login password must be at least six characters long and must contain both upper-case and lower-case letters.

Command to be entered with CLI

user01@vSRX-02# set system login user user1 class super-user
user01@vSRX-02# set system login user user1 authentication plain-text-password
New password: Password123
Retype new password: Password123

Note

The password is not visible when it is entered.

The configuration after completion of appropriate settings is as follows.

system {
    login {
        user user1 {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$5$mysntB6x$Ulj78rNw8NZJSu/.AQ1iYE669wB8Ph59RoEQMxzc0g0"; ## SECRET-DATA
            }
        }
    }
}

Operation check result

The verification log below confirms that vSRX-02 could be logged in to with user name user1, so the registration was performed properly.

user01@vSRX-02> telnet 10.0.0.102
Trying 10.0.0.102...
Connected to 10.0.0.102.
Escape character is '^]'.

vSRX-02 (ttyp1)

login: user1
Password:

--- JUNOS 15.1X49-D105.1 built 2017-06-28 07:33:31 UTC
user1@vSRX-02>

(Reference) The following kinds of privilege can be set to the login user:

Login class    Access permission                     Description
operator       clear, network, reset, trace, view    Execution of the clear command and process restart is possible.
read-only      view                                  Only the show command can be executed.
super-user     All                                   All operations can be executed.
unauthorized   None                                  Only operations for logging in and logging out can be executed.
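The configuration fragments on this page (the ge-0/0/0 zone membership, the any-service setting used to enable the API, and the user1 account) are shown in the curly-brace "show configuration" format. The following is an added example, not part of the ECL2.0 documentation or of Junos itself: it parses that format into nested dicts and runs three review checks a practitioner would want after applying the procedures above, listing accounts with the super-user class, zones whose zone-level host-inbound-traffic admits any-service (which opens every system service to that zone, not only the REST API), and configured logical interfaces that belong to no zone and therefore cannot pass traffic. The sample configuration, the "viewer" user and the password hash are constructed placeholders.

```python
# Added example (not part of the ECL2.0 documentation or of Junos): parse the
# curly-brace "show configuration" format used on this page and review it.

# Constructed sample modelled on the fragments shown on this page.  The user
# "viewer" and the password hash are placeholders, not real data.
SAMPLE_CONFIG = """
system {
    login {
        user user1 {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$5$PLACEHOLDER_HASH"; ## SECRET-DATA
            }
        }
        user viewer {
            uid 2003;
            class read-only;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.100/24;
            }
        }
    }
    ge-0/0/1 {
        disable;
        unit 0 {
            family inet {
                address 192.168.2.102/24;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
"""


def parse_config(text):
    """Return nested dicts: "a b {" opens a child keyed "a b"; "x y;" becomes a
    leaf keyed "x y" with value None.  "## ..." annotations are dropped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError("unexpected line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def _children(node, prefix):
    """Yield (name, child) for keys of the form "<prefix> <name>" under node."""
    for key, child in (node or {}).items():
        if key.startswith(prefix + " "):
            yield key.split(None, 1)[1], child


def super_users(cfg):
    """Login users whose class is super-user (all operations permitted)."""
    login = cfg.get("system", {}).get("login", {})
    return sorted(n for n, u in _children(login, "user") if "class super-user" in (u or {}))


def any_service_zones(cfg):
    """Zones whose zone-level host-inbound-traffic admits any-service."""
    zones = cfg.get("security", {}).get("zones", {})
    found = []
    for name, zone in _children(zones, "security-zone"):
        services = (zone or {}).get("host-inbound-traffic", {}).get("system-services", {})
        if "any-service" in (services or {}):
            found.append(name)
    return sorted(found)


def zoned_units(cfg):
    """Map logical interface (e.g. ge-0/0/0.0) -> the zone it belongs to."""
    result = {}
    for name, zone in _children(cfg.get("security", {}).get("zones", {}), "security-zone"):
        for unit in (zone or {}).get("interfaces", {}) or {}:
            result[unit] = name
    return result


def unzoned_units(cfg):
    """Configured logical interfaces that belong to no zone (cannot pass traffic)."""
    configured = set()
    for ifname, node in cfg.get("interfaces", {}).items():
        for unit, _ in _children(node, "unit"):
            configured.add("%s.%s" % (ifname, unit))
    return sorted(configured - set(zoned_units(cfg)))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("super-user accounts:", super_users(cfg))
    print("zones with any-service:", any_service_zones(cfg))
    print("interfaces without a zone:", unzoned_units(cfg))
```

Feed it the output of "show configuration" captured over SSH to review a vSRX after the procedures on this page; on the constructed sample it reports user1 as the super-user account, trust as the zone with any-service, and ge-0/0/1.0 as an interface that belongs to no zone.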

vSRX shutdown command

Shutdown of vSRX from the command line is possible. The command for vSRX shutdown is described in this section.

Command to be entered with CLI

user01@vSRX-01> request system halt
warning: The configuration has been changed but not committed
Halt the system ? [yes,no] (no)

When yes is entered, vSRX shutdown processing starts and the instance is powered off. To start it again, it must be started from the ECL2.0 portal.

Note

In the case where the settings have not been committed, the message below is shown:
warning: The configuration has been changed but not committed

vSRX restart command

Restart of vSRX from the command line is possible. The command for vSRX restart is described in this section.

Command to be entered with CLI

user01@vSRX-01> request system reboot
warning: The configuration has been changed but not committed
Reboot the system ? [yes,no] (no)

When yes is entered, vSRX restart processing starts.

Note

In the case where the settings have not been committed, the message below is shown:
warning: The configuration has been changed but not committed

Interface disabling/enabling settings

For vSRX, interface disabling/enabling settings can be made with commands. The methods for disabling and enabling the interface are described in this section.

Note

Points to note for disabling/enabling the interface.

  • For vSRX, IP address settings for using the interface need to be made with the customer portal.

  • For vSRX, the interface can be disabled and enabled with the command settings described below. However, these settings cannot be used for an interface that has no IP address set through the customer portal, nor for the Junos management interface (fxp0), because those are managed by ECL2.0. Use the disabling/enabling settings only for interfaces (ge-0/0/0 to ge-0/0/7) that have an IP address set through the customer portal.

  • Do not make the settings for interface (fxp0).

  • Interfaces not connected to a logical network are disabled. This specification was adopted from a security standpoint: by explicitly disabling interfaces that are not to be used, it prevents customers from initiating unintended communications through inappropriate settings. Do not enable them.

  • Settings are to be made to disable and enable interface (ge-0/0/1).

Command to be entered with CLI

user01@vSRX-02# set interfaces ge-0/0/1 disable

The configuration after command entry is as follows:

interfaces {
    ge-0/0/1 {
        disable;
        unit 0 {
            family inet {
                address 192.168.2.102/24;
            }
        }
    }
}

Operation check result

The verification log below confirms that the interface (ge-0/0/1) of vSRX-02 went into Admin down status when the disabling setting was made.

user01@vSRX-02> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                down  down
ge-0/0/1.0              up    down inet     192.168.2.102/24

To enable the interface again, delete the disabling setting (disable).

Command to be entered with CLI

user01@vSRX-02# delete interfaces ge-0/0/1 disable

The configuration after command entry is as follows:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.102/24;
            }
        }
    }
}

Operation check result

The verification log below confirms that ge-0/0/1 of vSRX-02 returned to up status.

user01@vSRX-02> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.2.102/24
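Each operation check on this page reads "show interfaces terse" by eye. The following is an added example, not part of the ECL2.0 documentation or of Junos itself, that parses that output and turns the checks into functions: which physical interfaces are administratively down (so a disable/enable change can be verified to have touched only the intended interface, while unconnected interfaces stay disabled as the note above requires), the address of a logical unit, and the "set system services rest http addresses" command derived from the fxp0.0 address as the API section requires. The sample output is constructed after the outputs on this page; the fxp0.0 address 100.64.0.10 is a placeholder in the 100.x range the page describes.

```python
# Added example (not part of the ECL2.0 documentation or of Junos): parse
# "show interfaces terse" output and check interface state.

# Constructed sample modelled on the outputs on this page; the fxp0.0
# address is a placeholder in the 100.x range the page describes.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.100/24
ge-0/0/1                down  down
ge-0/0/1.0              up    down inet     192.168.2.102/24
ge-0/0/2                down  down
fxp0                    up    up
fxp0.0                  up    up   inet     100.64.0.10/24
"""


def parse_terse(text):
    """Map interface name -> dict(admin, link, proto, local)."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and "(omitted)" markers.
        if len(fields) < 3 or fields[0] == "Interface":
            continue
        rows[fields[0]] = {
            "admin": fields[1],
            "link": fields[2],
            "proto": fields[3] if len(fields) > 3 else None,
            "local": fields[4] if len(fields) > 4 else None,
        }
    return rows


def admin_down_physical(rows):
    """Physical interfaces (no unit suffix) that are administratively disabled."""
    return sorted(n for n, r in rows.items() if "." not in n and r["admin"] == "down")


def unit_address(rows, unit):
    """Local address of a logical unit, or None if it has none."""
    row = rows.get(unit)
    return row["local"] if row else None


def check_expected_disabled(rows, expected):
    """Verify that the admin-down set is exactly `expected`, i.e. the disable
    setting touched only the intended interface and the interfaces that are
    disabled by default stayed disabled.  Returns (ok, unexpected_down, not_down)."""
    down = set(admin_down_physical(rows))
    expected = set(expected)
    return (down == expected, sorted(down - expected), sorted(expected - down))


def rest_address_command(rows):
    """Build the REST address command for the fxp0.0 management address, as the
    API section of this page requires (prefix length stripped)."""
    addr = unit_address(rows, "fxp0.0")
    if addr is None:
        raise ValueError("fxp0.0 has no inet address")
    return "set system services rest http addresses " + addr.split("/")[0]


if __name__ == "__main__":
    rows = parse_terse(SAMPLE_TERSE)
    print("admin down:", admin_down_physical(rows))
    print("disable check:", check_expected_disabled(rows, ["ge-0/0/1", "ge-0/0/2"]))
    print(rest_address_command(rows))
```

Capture "show interfaces terse | no-more" over SSH and pass it to parse_terse; check_expected_disabled with the list of interfaces that should be down reports any interface that was disabled or enabled unintentionally.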