Basic functions of vSRX

Operation confirmed versions: vSRX Version 15.1X49-D105.1, vSRX Version 19.2R1.8, vSRX Version 20.4R2

This section describes the basic functions executable with vSRX.

Login to vSRX (CLI access method (SSH))

You must be logged in to vSRX to perform firewall settings. The password displayed when creating the firewall instance is required. Execute the following command for the IP address assigned to the firewall instance. You will be prompted for a password, so enter the password that was displayed when you created it.

$ ssh root@"Firewall IP address"
Password: "Enter password"

There are three operation modes: shell command mode, CLI operation mode and CLI configuration mode. Enter the commands shown in the figure below to switch between the operation modes.

[Figure: vSRX_mode (commands for switching between the vSRX operation modes)]

Enabling the GUI of vSRX

By default, the GUI of vSRX is not enabled. Make the following setting with the CLI to use it.

user01@vSRX-01# set system services web-management http interface "the interface name"
user01@vSRX-01# commit

Enabling the API of vSRX

By default, the API of vSRX is not enabled. Make the following settings with the CLI to use it.

1. Add the IP addresses of the interfaces from which API communication is allowed

user01@vSRX-01# set system services rest http addresses "IP address to allow API communication"
user01@vSRX-01# set system services rest http addresses "IP address of interface fxp0.0"

Note

  • The setting for the IP address of interface fxp0.0 is required so that our controllers can monitor login to your vSRX through the vSRX API. Without this setting, the login status changes to "MONITORING UNAVAILABLE" and some changes cannot be made from the ECL2.0 Customer Portal. Please note.

  • For the IP address of interface fxp0.0, put IP address "100.xx.xx.xx" acquired through execution of "show interfaces fxp0.0 terse".

2. Under host-inbound-traffic of the zone through which the API is to pass, add a setting that allows API communication with any-service

user01@vSRX-01# set security zones security-zone "the zone name" host-inbound-traffic system-services any-service
user01@vSRX-01# commit

Note

  • As indicated on the Juniper Networks official site (https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-system-service-zone-host-inbound-traffic.html) and the Juniper Networks Community site (https://forums.juniper.net/t5/Junos-Automation-Scripting/vSRX-REST-API/td-p/319362), adding any-service allows many services. Customers should take measures such as setting it only on the zone to which the interface that accepts the API belongs, or minimizing the communication allowed by policy between zones.
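To make the points in this note checkable, the following script is an added example (not part of this documentation or of Junos) that flattens a configuration in the curly-brace "show configuration" format used on this page into set-style statements and reports the settings the notes warn about: any-service under host-inbound-traffic, a REST API enabled without an addresses allow-list, and the telnet service that the login test later on this page turns on. The configuration it runs on is constructed for the example.

```python
import re
def parse_junos(text):
    """Flatten curly-brace 'show configuration' output into set-style paths."""
    paths, stack = [], []
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()   # drop '## SECRET-DATA' annotations
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line:
            paths.append(" ".join(stack + [line.rstrip(";")]))
    return paths

# Settings the notes above warn about: any-service opens many services, telnet is plaintext.
CHECKS = {
    "any-service": r" host-inbound-traffic system-services any-service$",
    "telnet-enabled": r"^system services telnet$",
}

def audit(text):
    """Return (finding, statement) pairs for the risky settings found."""
    paths = parse_junos(text)
    findings = [(n, p) for p in paths for n, rx in CHECKS.items() if re.search(rx, p)]
    rest = [p for p in paths if p.startswith("system services rest http")]
    if rest and not any("addresses" in p for p in rest):
        findings.append(("rest-unrestricted", rest[0]))  # REST on, no address allow-list
    return findings

# Constructed sample (not a real customer configuration): telnet on, REST without addresses, any-service on the zone.
SAMPLE_CONFIG = """
system {
    services {
        telnet;
        rest {
            http;
        }
    }
}
security {
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
        }
    }
}
"""
```

Running audit(SAMPLE_CONFIG) yields three findings; the same configuration with an addresses list, telnet removed and ping instead of any-service yields none.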

Setting an IP address to the interface to enable communications

A method for setting an IP address to the interface to enable communications is described.

Setting flow

1. Set an IP address to the interface on the Customer Portal.
2. Set an IP address (192.168.1.100/24) to the interface (ge-0/0/0 unit 0) of vSRX-02.
3. Make the interface (ge-0/0/0 unit 0) belong to the trust zone.
4. Make settings that allow communication to the set interface (ge-0/0/0 unit 0) to be checked by means of ping.

Note

Settings needed for making the interface usable

  • To set an IP address to a vSRX interface (ge-0/0/0 to ge-0/0/7) and enable communication, you first need to set up the interface and its IP address on the ECL2.0 Customer Portal.

  • In the initial state, no vSRX interface other than ge-0/0/0 belongs to a zone. To enable communications, the interface must belong to a zone of the zone-based firewall.

  • To allow communications to the IP address of the interface, settings are needed which allow corresponding communications under host-inbound-traffic.

  • To allow communications that pass through vSRX, inter-zone policy settings are needed. For details, refer to Zone base Firewall setting.

Command to be entered with CLI

user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24
user01@vSRX-02# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

The configuration after completion of appropriate settings is as follows.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.100/24;
            }
        }
    }
}
security {
   zones {
       security-zone trust {
           interfaces {
               ge-0/0/0.0 {
                   host-inbound-traffic {
                       system-services {
                           ping;
                       }
                   }
               }
           }
       }
   }
}

Operation check result

The verification log below confirms that the IP address has been set to the interface (ge-0/0/0 unit 0). The successful ping check also confirms that the IP address has been set properly.

  • Output of interface status check command "show interfaces terse"

user01@vSRX-02> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.100/24

  (omitted)

  • Output of the command for checking whether Ping communications are possible after the IP address setting

user01@vSRX-01> ping 192.168.1.100 rapid
PING 192.168.1.100 (192.168.1.100): 56 data bytes
!!!!!
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.018/0.316/0.988/0.384 ms

Login account addition setting

Register a user account for logging into vSRX and user privilege.

Setting flow

1. Register a login user named user1
2. Set the user privilege to super-user
3. Set the login password to Password123

Note

The login password must be composed of six characters at least and both capital and small letters must be used.

Command to be entered with CLI

user01@vSRX-02# set system login user user1 class super-user
user01@vSRX-02# set system login user user1 authentication plain-text-password
New password: Password123
Retype new password: Password123

user01@vSRX-02# set system services telnet

Note

The password is not visible when it is entered.

Access vSRX via telnet and confirm that you can log in using the newly set username and password. Since vSRX does not allow telnet access by default, a setting to allow telnet connection is added.

The configuration after completion of appropriate settings is as follows.

system {
    login {
        user user1 {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$5$mysntB6x$Ulj78rNw8NZJSu/.AQ1iYE669wB8Ph59RoEQMxzc0g0"; ## SECRET-DATA
            }
        }
    }
    services {
        telnet;
    }
}

Operation check result

The verification log below confirms that vSRX-02 could be logged in to with user name user1, and thus that the registration was performed properly.

user01@vSRX-02> telnet 10.0.0.102
Trying 10.0.0.102...
Connected to 10.0.0.102.
Escape character is '^]'.

vSRX-02 (ttyp1)

login: user1
Password:

--- JUNOS 15.1X49-D105.1 built 2017-06-28 07:33:31 UTC
user1@vSRX-02>

(Reference) The following kinds of privilege can be set to the login user:

Login class    Access Permission                     Description
operator       clear, network, reset, trace, view    Execution of the clear command and process restart is possible.
read-only      view                                  Only the show command can be executed.
super-user     All                                   All operations can be executed.
unauthorized   None                                  Only operations for logging in and logging out can be executed.

vSRX shutdown command

Shutdown of vSRX from the command line is possible. The command for vSRX shutdown is described in this section.

Command to be entered with CLI

user01@vSRX-01> request system power-off
warning: The configuration has been changed but not committed
Power Off the system ? [yes,no] (no)

When yes is entered, vSRX shutdown processing starts and the instance is powered off. To start it again, it must be started from the ECL2.0 portal.

Note

In the case where the settings have not been committed, the message below is shown:
warning: The configuration has been changed but not committed

vSRX restart command

Restart of vSRX from the command line is possible. The command for vSRX restart is described in this section.

Command to be entered with CLI

user01@vSRX-01> request system reboot
warning: The configuration has been changed but not committed
Reboot the system ? [yes,no] (no)

Entering yes starts the device restart process.

Note

In the case where the settings have not been committed, the message below is shown:
warning: The configuration has been changed but not committed

Interface disabling/enabling settings

For vSRX, interface disabling/enabling settings can be made with commands. The methods for disabling and enabling the interface are described in this section.

Note

Points to note for disabling/enabling the interface.

  • With vSRX, it is necessary to set the IP address from the customer portal in order to use the interface.

  • With vSRX, an interface can be disabled/enabled with the command settings shown below. However, interfaces that do not have an IP address set from the customer portal, and the Junos management interface (fxp0), are used for management by ECL2.0 and therefore must not be disabled/enabled this way. When disabling/enabling, be sure to apply the setting only to an interface (ge-0/0/0 to ge-0/0/7) for which the IP address has been set from the customer portal.

  • Do not make the settings for interface (fxp0).

  • Interfaces not connected to a logical network are disabled. This specification was adopted for security reasons: explicitly disabling interfaces that are not to be used prevents customers from initiating unintended communications through inappropriate settings. Do not enable them.

  • In the following example, the interface (ge-0/0/1) is disabled and then enabled again.

Command to be entered with CLI

user01@vSRX-02# set interfaces ge-0/0/1 disable

The configuration after command entry is as follows:

interfaces {
    ge-0/0/1 {
        disable;
        unit 0 {
            family inet {
                address 192.168.2.102/24;
            }
        }
    }
}

Operation check result

The verification log below confirms that the interface (ge-0/0/1) of vSRX-02 was in Admin down status after the disabling setting was made.

user01@vSRX-02> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                down  down
ge-0/0/1.0              up    down inet     192.168.2.102/24

To enable the interface again, delete the disabling setting (disable).

Command to be entered with CLI

user01@vSRX-02# delete interfaces ge-0/0/1 disable

The configuration after command entry is as follows:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.102/24;
            }
        }
    }
}

Operation check result

The verification log below confirms that ge-0/0/1 of vSRX-02 was in up status again.

user01@vSRX-02> show interfaces ge-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.2.102/24