Release
15.1X49
Modified: 2016-01-07
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Caution: Indicates a situation that might result in loss of data or hardware damage.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page x defines the text and syntax conventions used in this guide.
Bold text like this: Represents text that you type.
Example: To enter configuration mode, type the configure command:
user@host> configure

Fixed-width text like this: Represents output that appears on the terminal screen.
Example:
user@host> show chassis alarms
No alarms currently active

Italic text like this: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples:
A policy term is a named structure that defines match conditions and actions.
Junos OS CLI User Guide
RFC 1997, BGP Communities Attribute

Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine's domain name:
[edit]
root@# set system domain-name domain-name

Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
The console port is labeled CONSOLE.

< > (angle brackets): Encloses optional keywords or variables.
Example: stub <default-metric metric>;

# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets): Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]
GUI Conventions
Bold text like this: Represents graphical user interface (GUI) items you click or select.
Examples:
In the Logical Interfaces box, select All Interfaces.
To cancel the configuration, click Cancel.

> (bold right angle bracket): Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
Online feedback rating system: On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Overview
Understanding vSRX
vSRX is a virtual security appliance that provides security and networking services at the
perimeter or edge in virtualized private or public cloud environments. vSRX runs as a
virtual machine (VM) on a standard x86 server.
vSRX enables advanced security and routing at the network edge in a multitenant
virtualized environment. vSRX is built on Junos OS and delivers networking and security
features similar to those available on SRX Series Services Gateways for the branch.
Some of the key benefits of vSRX in virtualized private or public cloud multitenant
environments include:
The VMware vSphere Web Client is used to deploy the vSRX VM.
Memory 4 GB
vCPUs 2
vNICs Up to 10
VMXNET3
NOTE:
We recommend the Intel X710/XL710 or X520/X540 physical NICs for
SR-IOV support on vSRX.
The Intel DPDK drivers use polling mode for all vNICs, so the NAPI and
interrupt mode features in VMXNET3 are not currently supported.
For SR-IOV limitations, see the Known Behavior section of the vSRX
Release Notes.
Hardware Recommendations
Table 4 on page 16 lists the hardware specifications for the host machine that runs the
vSRX virtual machine (VM).
NOTE:
You can check for CPU and other hardware compatibility here:
http://www.vmware.com/resources/compatibility/search.php?deviceCategory=cpu
To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature
Explorer, a Web-based application that helps you to explore and compare Junos OS
feature information to find the right software release and hardware platform for your
network. Find Feature Explorer here:
If the node on which vSRX is running is different from the node to which the Intel PCI
NIC is connected, then packets will have to traverse an additional hop in the QPI link,
and this will reduce overall throughput. Use the extopo command to view information
about relative physical NIC locations. On some servers where this information is not
available, refer to the hardware documentation for the slot-to-NUMA node topology.
VMware uses the VMXNET 3 vNIC and requires promiscuous mode on the
vSwitch.
KVM uses the virtIO vNIC and requires promiscuous mode on the bridge.
Use the ifconfig bridge-name promisc command on the host OS to enable
promiscuous mode on the Linux bridge.
Table 5 on page 18 lists the factory default settings for the vSRX security policies.
Each network adapter defined for a vSRX is mapped to a specific interface, depending
on whether the vSRX instance is a standalone VM or one of a cluster pair for high
availability. The interface names and mappings in vSRX have changed since the previous
release (called Firefly Perimeter), as shown in the following tables. Note the following
changes:
In standalone mode:
In cluster mode:
Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0
for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.
Table 6 on page 18 shows the interface names and mappings for a standalone vSRX.
Network Adapter    Interface Name
1                  fxp0
2                  ge-0/0/0
3                  ge-0/0/1
4                  ge-0/0/2
5                  ge-0/0/3
6                  ge-0/0/4
7                  ge-0/0/5
8                  ge-0/0/6
9                  ge-0/0/7
10                 ge-0/0/8
Table 7 on page 19 shows the interface names and mappings for a pair of vSRX VMs in
a cluster (node 0 and node 1).
Network Adapter    Interface Names
3                  ge-0/0/0 (node 0), ge-7/0/0 (node 1)
4                  ge-0/0/1 (node 0), ge-7/0/1 (node 1)
5                  ge-0/0/2 (node 0), ge-7/0/2 (node 1)
6                  ge-0/0/3 (node 0), ge-7/0/3 (node 1)
7                  ge-0/0/4 (node 0), ge-7/0/4 (node 1)
8                  ge-0/0/5 (node 0), ge-7/0/5 (node 1)
9                  ge-0/0/6 (node 0), ge-7/0/6 (node 1)
10                 ge-0/0/7 (node 0), ge-7/0/7 (node 1)
Installing vSRX
Figure 1 on page 21 shows an example of how vSRX can be deployed to provide security
for applications running on one or more virtual machines. The following procedure
describes how to install vSRX and connect vSRX interfaces to the virtual switches for
the appropriate applications. Only the vSRX virtual switch has a connection to a physical
adapter (the uplink) so that all application traffic flows through the vSRX VM to the
external network.
1. Download the vSRX software package for VMware from the Juniper website.
3. Select a host or other valid parent for a virtual machine and click Actions > All vCenter
Actions > Deploy OVF Template.
NOTE: The Client Integration Plug-in must be installed before you can
deploy OVF templates (see your VMware documentation).
4. Click Browse to locate the vSRX software package, and then click Next.
5. Click Next in the OVF Template Details window, or click Cancel to select a different
template file.
6. Click Accept in the End User License Agreement window, and then click Next.
7. Change the default vSRX VM name in the Name box and click Next. It is advisable to
keep this name the same as the hostname you intend to give to the VM.
Datastore
Available Space
Table 8 on page 22 lists the disk formats available to store the virtual disk. You can
choose one of the three options listed.
NOTE: For detailed information on the disk formats, see Virtual Disk
Provisioning.
Thick Provision Lazy Zeroed: Allocates disk space to the virtual disk without erasing the
previously stored data. The previous data is erased when the VM is used for the first time.
Thick Provision Eager Zeroed: Erases the previously stored data completely and then allocates
the disk space to the virtual disk. Creation of disks in this format is time consuming.
Thin Provision: Allocates only as much datastore space as the disk needs for its
initial operations. Use this format to save storage space.
9. Select a datastore to store the configuration file and virtual disk files in OVF template,
and then click Next.
10. Select your management network from the list, and then click Next. The management
network is assigned to the first network adapter, which is reserved for the management
interface (fxp0).
12. Open the Edit Settings page of the vSRX VM and select a virtual switch for each
network adapter. Three network adapters are created by default. Network adapter 1
is for the management network (fxp0). To add a fourth adapter, select Network from
New device list at the bottom of the page. To add more adapters, see Adding vSRX
Interfaces on page 25.
In Figure 2 on page 24, network adapter 2 uses the management network for the uplink
to the external network.
1. Select the host where the vSRX VM is installed, and select Manage > Networking
> Virtual switches.
2. In the list of virtual switches, select vSwitch0 to view the topology diagram for the
management network connected to network adapter 1.
3. Click the Edit icon at the top of the list, select Security, and select Accept next to
Promiscuous mode. Click OK.
On the Manage tab, select Settings > VM Hardware and expand CPU to verify that the
Hardware virtualization option is shown as Enabled.
vSRX for VMware supports up to 10 interfaces. The network adapter for each interface
uses SR-IOV or VMXNET 3 as the adapter type. The first network adapter is for the
management interface (fxp0) and must use VMXNET 3. All additional network adapters
should have the same adapter type. The three network adapters created by default use
VMXNET 3.
The first three network adapters are mapped sequentially to the vSRX interfaces, as
shown in Interface Naming and Mapping on page 18. As you add more network adapters,
the load balancing mechanism will disrupt the mapping sequence.
The following procedures describe how to add more than three network adapters and
maintain sequential mapping to the vSRX interfaces:
Use the following procedure to locate available VFs, add PCI devices, and maintain
sequential mapping:
a. Use SSH to log in to the ESXi server and enter the following command to view the
VFs for vmnic6 (or another vNIC):
Choose one or more VF IDs that are not active, such as 3 through 6. Note that a VF
assigned to a VM that is powered off is shown as inactive.
b. Enter the lspci command to view the VF number of the chosen VF IDs. In the
following example, find the entry that ends with [vmnic6], scroll down to the next
entry ending in VF_3, and note the associated VF number 05:10.6. Note that the
next VF_3 entry is for vmnic7.
# lspci
NOTE: You must use the vSphere Web Client to access the vCenter server,
and DO NOT delete and re-add any network adapters during the following
procedure.
a. Power off the vSRX VM and open the Edit Settings page. By default there are three
network adapters using VMXNET 3. Delete network adapter 2 and 3.
b. Select the VM Options tab, click Advanced in the left frame, and then click Edit
Configuration at the bottom of the page.
pciBridge5.present
pciBridge6.present
pciBridge7.present
e. Open the Edit Settings page again and add one or more PCI devices on the Virtual
Hardware page, up to a maximum of six PCI devices. For each device, you must
select an entry with an available VF number from Step 1. For example:
f. Click OK and open the Edit Settings page to verify that up to seven network adaptors
are shown on the Virtual Hardware page (one VMXNET 3 network adapter and up
to six SR-IOV interfaces as PCI devices).
To view the SR-IOV interface MAC addresses, select the VM Options tab, click
Advanced in the left frame, and then click Edit Configuration. In the parameters
pciPassthruN.generatedMACAddress, N indicates the PCI device number (0 through
9).
g. Power on the vSRX VM and log in to the VM to verify that VMXNET 3 network
adapter 1 is mapped to fxp0, PCI device 0 is mapped to ge-0/0/0, PCI device 1 is
mapped to ge-0/0/1, and so on.
i. Enter the CLI command request system power-off to power off the VM. Do not
use the vSphere Web Client to power off the VM.
iii. Select the VM Options tab, click Advanced in the left frame, and then click Edit
Configuration at the bottom of the page.
iv. Change the value of pciBridge5.present from FALSE to TRUE. If the following
parameters and values are not shown, click Add Row to add each of them.
Parameter Value
pciBridge5.virtualDev pcieRootPort
pciBridge5.functions 8
pciBridge5.pciSlotNumber 22
v. Repeat Step d through g to add up to three more PCI devices (the maximum is
10).
NOTE: A vSRX VM with SR-IOV interfaces cannot be cloned. You must deploy
a new vSRX VM and add the SR-IOV interfaces as described here.
NOTE: During this procedure DO NOT delete and re-add any network
adapters.
1. Power off the vSRX VM and open the Edit Settings page.
2. Using the vSphere Web Client, select the VM Options tab, click Advanced in the left
frame, and then click Edit Configuration at the bottom of the page. (Using the vSphere
desktop client, select General under Advanced in the left frame, and click Configuration
Parameters at the bottom of the page.)
pciBridge5.present
pciBridge6.present
pciBridge7.present
5. Open the Edit Settings page again and add up to four network adapters (the 4th
through the 7th network adapters) on the Virtual Hardware page. For each network
adapter, select Network from New device list at the bottom of the page, expand New
Network, and select VMXNET 3 as the adapter type.
6. Click OK and open the Edit Settings page to verify that up to seven network adaptors
are shown on the Virtual Hardware page.
7. Power on the vSRX VM and log in to the VM to verify that network adapter 1 is mapped
to fxp0, network adapter 2 is mapped to ge-0/0/0, and so on. Use the show interfaces
terse CLI command to verify that the fxp0 and ge-0/0/n interfaces are up.
NOTE: During this procedure DO NOT delete and re-add any network
adapters.
1. Enter the CLI command request system power-off to power off the VM. Do not use
the vSphere Web Client to power off the VM.
3. Using the vSphere Web Client, select the VM Options tab, click Advanced in the left
frame, and then click Edit Configuration at the bottom of the page. (Using the vSphere
desktop client, select General under Advanced in the left frame, and click Configuration
Parameters at the bottom of the page.)
Parameter Value
pciBridge5.virtualDev pcieRootPort
pciBridge5.functions 8
pciBridge5.pciSlotNumber 22
6. Open the Edit Settings page again and add up to three network adapters (the 8th, 9th,
and 10th network adaptors) on the Virtual Hardware page. For each network adapter,
select Network from New device list at the bottom of the page, expand New Network,
and select VMXNET 3 as the adapter type.
7. Click OK and open the Edit Settings page to verify that up to ten network adaptors
are shown on the Virtual Hardware page.
8. Power on the vSRX VM and log in to the VM to verify that network adapter 1 is mapped
to fxp0, network adapter 2 is mapped to ge-0/0/0, and so on. Use the show interfaces
terse CLI command to verify that the fxp0 and ge-0/0/n interfaces are up.
The vSRX open virtual application (OVA) image is securely signed. You can validate the
OVA image, if necessary, but you can install or upgrade vSRX without validating the OVA
image.
Before you validate the OVA image, ensure that the Linux/UNIX PC or Windows PC on
which you are performing the validation has the following utilities available: tar, openssl,
and ovftool. You can download the VMware Open Virtualization Format (OVF) tool from
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=OVFTOOL351.
1. Download the vSRX OVA image and the Juniper Networks Root certificate file
(JuniperRootRSACA.pem) from the vSRX software download page.
NOTE: You need to download the Juniper Networks Root certificate file
only once; you can use the same file to validate OVA images for future
releases of vSRX.
2. (Optional) If you downloaded the OVA image and the certificate file to a PC running
Windows, copy the two files to a temporary directory on a PC running Linux or UNIX.
You can also copy the OVA image and the certificate file to a temporary directory
(/var/tmp or /tmp) on a vSRX node.
Ensure that the OVA image file and the Juniper Networks Root certificate file are not
modified during the validation procedure. You can do this by providing write access
to these files only to the user performing the validation procedure. This is especially
important if you use an accessible temporary directory, such as /tmp or /var/tmp,
because such directories can be accessed by several users. Take precautions to ensure
that the files are not modified by other users during the validation procedure.
tar xf ova-filename
5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem)
and a signature file (vsrx.cert).
6. Validate the signature in the unpacked OVF file (extension .ovf) by running the following
command:
ovftool ovf-filename
where ovf-filename is the filename of the unpacked OVF file contained within the
previously downloaded OVA image.
7. After the unpacked OVF file is validated, validate the signing certificate with the Juniper
Networks Root CA file by running the following command:
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D15.4-domestic.ova
-bash-4.1$ mkdir tmp
-bash-4.1$ cd tmp
-bash-4.1$ tar xf ../junos-vsrx-12.1X47-D15.4-domestic.ova
-bash-4.1$ ls
certchain.pem junos-vsrx-12.1X47-D15.4-domestic.cert
junos-vsrx-12.1X47-D15.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D15.4-domestic.mf
junos-vsrx-12.1X47-D15.4-domestic.ovf
-bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-12.1X47-D15.4-domestic.ovf
OVF version: 1.0
VirtualApp: false
Name: vSRX
Version: JUNOS 12.1
Vendor: Juniper Networks Inc.
Product URL:
http://www.juniper.net/us/en/products-services/software/security/vsrxseries/
Vendor URL: http://www.juniper.net/
Download Size: 227.29 MB
Deployment Sizes:
Flat disks: 2.00 GB
Sparse disks: 265.25 MB
Networks:
Name: VM Network
Description: The VM Network network
Virtual Machines:
Name: Juniper Virtual SRX
Operating System: freebsdguest
Virtual Hardware:
Families: vmx-07
Number of CPUs: 2
Cores per socket: 1
Memory: 2.00 GB
Disks:
Index: 0
Instance ID: 5
Capacity: 2.00 GB
NICs:
Adapter Type: E1000
Connection: VM Network
Deployment Options:
Id: 2GvRAM
Label: 2G vRAM
Description:
2G Memory
a. Determine if the contents of the OVA image have been modified. If the contents
have been modified, download the OVA image from the vSRX downloads page.
c. Retry the preceding validation steps using one or both new files.
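The following is an added example, not part of the original guide: a POSIX shell check for troubleshooting step a (which file in the unpacked OVA was modified) and for the write-access precaution described earlier in the procedure. It assumes the standard OVF manifest line format, SHA1(file-name)= digest or SHA256(file-name)= digest, and the coreutils sha1sum and sha256sum tools; the function names and demo file names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for an unpacked OVA directory.
# Function names and the demo file names are hypothetical.

# True when the file is writable by group or others, meaning another local
# user could change it while the validation procedure is running.
is_shared_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Recompute every digest listed in an OVF manifest (.mf) and compare.
# Assumed manifest line format:  SHA1(file-name)= hex-digest
# Prints one status line per entry; returns 0 only if every entry matches.
verify_manifest() {
    mf_path=$1
    mf_dir=$(dirname "$mf_path")
    mf_rc=0
    mf_checked=0
    while IFS= read -r mf_line || [ -n "$mf_line" ]; do
        mf_line=$(printf '%s' "$mf_line" | tr -d '\r')   # tolerate CRLF
        [ -z "$mf_line" ] && continue
        mf_algo=${mf_line%%\(*}          # text before the first "("
        mf_rest=${mf_line#*\(}           # text after the first "("
        mf_name=${mf_rest%%\)=*}         # file name up to ")="
        mf_want=$(printf '%s' "${mf_rest#*\)=}" | tr -d ' ' | tr 'A-F' 'a-f')
        case $mf_name in
            */*|'')   # entries must name files inside the unpacked directory
                echo "REJECTED  $mf_line"; mf_rc=1; continue ;;
        esac
        case $mf_algo in
            SHA1)   mf_tool=sha1sum ;;
            SHA256) mf_tool=sha256sum ;;
            *)      echo "UNSUPPORTED  $mf_line"; mf_rc=1; continue ;;
        esac
        if [ ! -f "$mf_dir/$mf_name" ]; then
            echo "MISSING   $mf_name"; mf_rc=1; continue
        fi
        mf_got=$("$mf_tool" "$mf_dir/$mf_name" | cut -d' ' -f1)
        if [ "$mf_got" = "$mf_want" ]; then
            echo "OK        $mf_name"
        else
            echo "MODIFIED  $mf_name"; mf_rc=1
        fi
        mf_checked=$((mf_checked + 1))
    done < "$mf_path"
    # A manifest with no usable entries proves nothing about the image.
    [ "$mf_checked" -gt 0 ] || mf_rc=1
    return "$mf_rc"
}

# Constructed sample data: a stand-in for an unpacked OVA directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed descriptor\n' > "$d/sample.ovf"
    printf 'constructed disk image\n' > "$d/sample-disk1.vmdk"
    {
        printf 'SHA1(sample.ovf)= %s\n' \
            "$(sha1sum "$d/sample.ovf" | cut -d' ' -f1)"
        printf 'SHA1(sample-disk1.vmdk)= %s\n' \
            "$(sha1sum "$d/sample-disk1.vmdk" | cut -d' ' -f1)"
    } > "$d/sample.mf"
    chmod 644 "$d"/sample.*
    if is_shared_writable "$d/sample.mf"; then
        echo "WARNING: manifest is writable by other users"
    fi
    verify_manifest "$d/sample.mf" && echo "manifest intact"
    printf 'tampered' >> "$d/sample-disk1.vmdk"      # simulate modification
    verify_manifest "$d/sample.mf" || echo "manifest mismatch detected"
    rm -rf "$d"
}
demo
```

A digest match only shows that the files agree with the manifest; the signature and certificate validation in steps 6 and 7 is what ties the manifest to Juniper Networks.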
vSRX Licensing
To enable a licensed feature, you need to purchase, install, manage, and verify a license
key that corresponds to each licensed feature. To conform to software feature licensing
requirements, you must purchase one license per feature per instance. The presence of
the appropriate software unlocking key on your virtual instance allows you to configure
and use the licensed feature.
Licenses are usually ordered when the software application is purchased, and this
information is bound to a customer ID. If you did not order the licenses when you purchased
your software application, contact your account team or Juniper Networks Customer
Care for assistance.
Licenses can be procured from the Juniper Networks License Management System (LMS).
NOTE: The license for advanced security features available on the physical
SRX Series device cannot be used with vSRX deployments.
License Types
Juniper Networks provides evaluation licenses for both basic firewall features and
advanced security features for a limited period.
If you want to use vSRX to provide basic firewall features, you can use core (basic)
licenses. However, to use some of the more advanced security features, such as
AppSecure, IDP, and UTM, you might need to purchase advanced features licenses.
This is a 60-day evaluation license for vSRX. This product unlocking license is required
for basic functions, such as networking, routing, and basic security features.
The vSRX software image includes a 60-day trial license. When you download and install
the vSRX image, you are entitled to use the trial license for 60 days.
Within 30 days of the license expiration date, a license expiration warning appears when
you log in to the vSRX instance. After the product evaluation license expires, you will not
be able to use the product; it will be disabled because flow configuration options will
not work. Only management interfaces and CLI configurations are preserved.
The advanced security features license is a 30-day trial license for vSRX that is required
for advanced security features such as UTM, IDP, and AppSecure.
You can download the trial license for advanced security features from one of the
following locations:
Installation of the trial license is similar to the regular license installation. For details, see
Managing Licenses for vSRX on page 39.
NOTE: The 30-day trial license period begins on the day you enable enhanced
security features after you install the evaluation licenses.
To continue using vSRX features after an optional 30-day period, you must
purchase and install the license; otherwise, the features are disabled.
If the license for advanced security features expires while the evaluation
license (product unlocking license) is still valid, only the advanced security
features that require a license are disabled.
NOTE: Direct upgrade is not supported for upgrading from earlier Junos OS
releases for vSRX to Junos OS Release 15.1X49-D15 for vSRX. When you
download and install the vSRX image for Junos OS Release 15.1X49-D15, you
are entitled to use the trial license for 60 days.
For more information on Bandwidth licenses, see vSRX License Model Numbers on
page 45.
Perpetual license: A perpetual license allows you to use the licensed software
indefinitely.
Only subscription-based licenses, which are active for a set period, require renewal.
Perpetually licensed features or capacities never expire and therefore never need to
be renewed.
For details on installing and managing licenses, see Managing Licenses for vSRX on
page 39.
License ID: Alphanumeric string that uniquely identifies the license key. When a license
is generated, it is given a license ID.
License data: Block of binary data that defines and stores all license key objects.
For example, in the following typical license key, the string E413XXXX57 is the license ID,
and the trailing block of data is the license data:
The license data conveys the customer ID and the software serial number (Juniper
Networks support reference number) to the vSRX instance.
To view the license details, select Maintain>Licenses in the J-Web user interface. The
Licenses window appears as shown in Figure 3 on page 36.
You can also view the details of a license in the CLI using the show system license
command. Figure 4 on page 37 shows details of an evaluation license in the CLI.
The information on the license management page is summarized in Table 10 on page 37.
Feature Summary
Feature: Name of the licensed feature:
Licenses Used: Number of licenses currently being used on the vSRX instance. Usage
is determined by the configuration. If a feature license exists and that
feature is configured, the license is considered used.
Licenses Installed: Number of licenses installed on the vSRX instance for the particular
feature.
Licenses Needed: Number of licenses required for legal use of the feature. Usage is
determined by the configuration on the vSRX instance: If a feature is
configured and the license for that feature is not installed, a single
license is needed.
Installed Licenses
ID: Unique alphanumeric ID of the license.
Group: If the license defines a group license, this field displays the group
definition.
If the license requires a group license, this field displays the required
group definition.
Enabled Features: Name of the feature that is enabled with the particular license.
Software serial number: The serial number is a unique 14-digit number that Juniper Networks
uses to identify your particular software installation. You can find the
software serial number in the Software Serial Number Certificate
attached to the e-mail that was sent when you ordered your Juniper
Networks software.
Within 30 days of the license expiration date, a license expiration warning appears when
you log in to the device. After license expiry, vSRX no longer functions effectively. Only
management interfaces and the CLI configuration are preserved.
The vSRX software image includes a 60-day trial license. When you download and install
the vSRX image, you are entitled to use the trial license for 60 days.
If you want to install an evaluation license for advanced security features (30-day evaluation
license), you can download the evaluation license from one of the following options:
Installation of the evaluation license is similar to the regular license installation using the
CLI. See Adding a New License Key on page 39.
NOTE: The 30-day evaluation license period begins on the day you enable
enhanced security features after installing evaluation licenses.
2. Under Installed Licenses, click Add. The Add License dialog is displayed as shown in
Figure 6 on page 40.
3. Do one of the following, using a blank line to separate multiple license keys:
Enter the full URL to the destination file containing the license key in the License
File URL box.
Paste the license key text, in plain-text format, in the License Key Text box.
4. Click OK to add the license key. The License Details window is displayed as shown in
Figure 7 on page 41.
1. From operational mode, add a license key using one of the following steps:
Enter the full URL to the destination file containing the license key.
2. When prompted, enter the license key, separating multiple license keys with a blank
line. If the license key you enter is invalid, an error is generated when you press CTRL+D
to exit license entry mode.
3. View the details of the license by entering the show system license command.
NOTE: You can save the license key to a file and upload this file to vSRX
file system through FTP or Secure Copy (SCP), and then use the request
system license add file-name command to install the license.
As a prerequisite, you must install at least one valid license key on your vSRX for required
features. License auto-update is performed based on the valid software serial number
and customer ID embedded in the license key.
1. Contact your account team or Juniper Networks Customer Care to extend the validity
period of existing license keys and obtain the URL for a valid update server.
2. Once you have successfully extended your license key and received the update server
URL, configure the auto-update parameter.
3. Configure renew options (if required). The following sample shows configuring before
expiration as 30 days and renew interval as 6 hours.
The configuration allows vSRX to contact the license server 30 days before the current
license expires and sends an automatic update request every 6 hours.
NOTE: The request system license update command will always use the
default Juniper license server https://ae1.juniper.net.
2. Check the status of the license by entering the show system license command.
This command sends a license update request to the license server immediately.
1. Select Maintain>Licenses.
2. Select the check box of the license or licenses you want to delete, as shown in
Figure 8 on page 43.
3. Click Delete.
1. From operational mode, for each license, enter the following command and specify
the license ID. You can delete only one license at a time.
Or you can use the following command to delete all installed licenses at once.
Evaluation license for the core expires: Packet forwarding on vSRX is disabled. However,
you can manage vSRX through the fxp0 management interface, and the CLI
configuration is preserved.
To use features that require a license, you must install and configure a license key. After
the license expires, warning messages are displayed in the system log and on the J-Web
dashboard.
When a license expires, the System Alarms section of the J-Web dashboard displays a
message stating that the license has expired, as shown in Figure 10 on page 45.
When the license expires, the following message is displayed when you log in:
Virtual Appliance License is invalid
The licenses used by all Juniper Networks devices are based on SKUs, which represent
lists of features. Each license includes a list of features that the license enables along
with information about those features.
For information about purchasing software licenses, contact your Juniper Networks sales
representative at http://www.juniper.net/in/en/contact-us/.
Bandwidth (throughput) licenses allow you to use a single instance of the software for
up to the maximum throughput specified in the license entitlement. Throughput licenses
can be combined on a single instance of the software so that the maximum throughput
for that instance is the aggregate of all the throughput licenses assigned to that instance.
A throughput license cannot be split across multiple instances. Throughput licenses are
identified in the license entitlement in Mbps or Gbps.
vSRX provides bandwidth in the following capacities (throughput per instance): 10 Mbps,
100 Mbps, 1 Gbps, 2 Gbps, and 4 Gbps. Each of these bandwidth tiers is offered with
four different packages along with bandwidth-based a la carte advanced Layer 7 security
services SKUs.
Table 11 on page 46 describes the features available with the various license packages.
ASCB / ASEC
Includes all STD features and the following additional AppSecure features:
AppID
AppFW
AppQoS
AppTrack
Subscription licenses only. See Table 13 on page 49 for bandwidth SKUs available for vSRX
with AppSecure and IPS features.

CS
Includes all STD and ASEC features with the addition of UTM capabilities:
Antispam
Antivirus
Content filtering
Web filtering
Subscription licenses only. See Table 15 on page 51 for CS bandwidth SKUs available for vSRX.
Table 12 on page 48 lists the standard bandwidth licenses available for vSRX.
VSRX-10M-STD-1-R
VSRX-10M-STD-3
VSRX-10M-STD-3-R
VSRX-100M-STD
VSRX-100M-STD-1
VSRX-100M-STD-1-R
VSRX-100M-STD-3
VSRX-100M-STD-3-R
VSRX-1G-STD
VSRX-1G-STD-1
VSRX-1G-STD-1-R
VSRX-1G-STD-3
VSRX-1G-STD-3-R
VSRX-2G-STD
VSRX-2G-STD-1
VSRX-2G-STD-1-R
VSRX-2G-STD-3
VSRX-2G-STD-3-R
VSRX-4G-STD
VSRX-4G-STD-1
VSRX-4G-STD-1-R
VSRX-4G-STD-3
VSRX-4G-STD-3-R
Table 13 on page 49 lists the bandwidth licenses available for vSRX with AppSecure and
IPS features.
Table 13: vSRX AppSecure and IPS (ASCB / ASEC) Bandwidth Licenses
ASCB / ASEC Licenses Model Number
VSRX-10M-ASECB-3-R
VSRX-100M-ASCB-1
VSRX-100M-ASCB-1-R
VSRX-100M-ASCB-3
VSRX-100M-ASCB-3-R
VSRX-1G-ASECB-1
VSRX-1G-ASECB-1-R
VSRX-1G-ASECB-3
VSRX-1G-ASECB-3-R
VSRX-2G-ASECB-1
VSRX-2G-ASECB-1-R
VSRX-2G-ASECB-3
VSRX-2G-ASECB-3-R
VSRX-4G-ASECB-1
VSRX-4G-ASECB-1-R
VSRX-4G-ASECB-3
VSRX-4G-ASECB-3-R
Table 14 on page 50 lists the subscription licenses available for vSRX with AppSecure
and IPS features.
10M/100M/1G/2G/4G subscription vSRX AppSecure package includes IPS and AppSecure
(1 year and 3 years subscription)
VSRX-10M-ASEC-1
VSRX-10M-ASEC-1-R
VSRX-10M-ASEC-3
VSRX-10M-ASEC-3-R
VSRX-100M-ASEC-1
VSRX-100M-ASEC-1-R
VSRX-100M-ASEC-3
VSRX-100M-ASEC-3-R
VSRX-1G-ASEC-1
VSRX-1G-ASEC-1-R
VSRX-1G-ASEC-3
VSRX-1G-ASEC-3-R
VSRX-2G-ASEC-1
VSRX-2G-ASEC-1-R
VSRX-2G-ASEC-3
VSRX-2G-ASEC-3-R
VSRX-4G-ASEC-1
VSRX-4G-ASEC-1-R
VSRX-4G-ASEC-3
VSRX-4G-ASEC-3-R
Table 15 on page 51 lists the Content Security (CS) bandwidth licenses available for vSRX.
VSRX-10M-CS-B-3-R
VSRX-100M-CS-B-1
VSRX-100M-CS-B-1-R
VSRX-100M-CS-B-3
VSRX-100M-CS-B-3-R
VSRX-1G-CS-B-1
VSRX-1G-CS-B-1-R
VSRX-1G-CS-B-3
VSRX-1G-CS-B-3-R
VSRX-2G-CS-B-1
VSRX-2G-CS-B-1-R
VSRX-2G-CS-B-3
VSRX-2G-CS-B-3-R
VSRX-4G-CS-B-1
VSRX-4G-CS-B-1-R
VSRX-4G-CS-B-3
VSRX-4G-CS-B-3-R
VSRX-10M-CS-3-R
VSRX-100M-CS-1
VSRX-100M-CS-1-R
VSRX-100M-CS-3
VSRX-100M-CS-3-R
VSRX-1G-CS-1
VSRX-1G-CS-1-R
VSRX-1G-CS-3
VSRX-1G-CS-3-R
VSRX-2G-CS-1
VSRX-2G-CS-1-R
VSRX-2G-CS-3
VSRX-2G-CS-3-R
VSRX-4G-CS-1
VSRX-4G-CS-1-R
VSRX-4G-CS-3
VSRX-4G-CS-3-R
Table 17 on page 53 lists the Sophos antivirus (S-AV) bandwidth licenses available for
vSRX.
VSRX-10M-S-AV-3
VSRX-10M-S-AV-3-R
VSRX-100M-S-AV-1
VSRX-100M-S-AV-1-R
VSRX-100M-S-AV-3
VSRX-100M-S-AV-3-R
VSRX-1G-S-AV-1
VSRX-1G-S-AV-1-R
VSRX-1G-S-AV-3
VSRX-1G-S-AV-3-R
VSRX-2G-S-AV-1
VSRX-2G-S-AV-1-R
VSRX-2G-S-AV-3
VSRX-2G-S-AV-3-R
VSRX-4G-S-AV-1
VSRX-4G-S-AV-1-R
VSRX-4G-S-AV-3
VSRX-4G-S-AV-3-R
Table 18 on page 54 lists the enhanced Web filtering (E-EWF) subscription licenses
available for vSRX.
VSRX-10M-W-EWF-3
VSRX-10M-W-EWF-3-R
VSRX-100M-WEWF-1
VSRX-100M-WEWF-1-R
VSRX-100M-WEWF-3
VSRX-100M-WEWF-3-R
VSRX-1G-W-EWF-1
VSRX-1G-W-EWF-1-R
VSRX-1G-W-EWF-3
VSRX-1G-W-EWF-3-R
VSRX-2G-W-EWF-1
VSRX-2G-W-EWF-1-R
VSRX-2G-W-EWF-3
VSRX-2G-W-EWF-3-R
VSRX-4G-W-EWF-1
VSRX-4G-W-EWF-1-R
VSRX-4G-W-EWF-3
VSRX-4G-W-EWF-3-R