To achieve the above purposes you must set up fixed configurations for the firewall. Firewall rules and
policies need not change as users are provisioned into the cloud. Any brand of hardware firewall that
supports NAT and site-to-site VPN can be used.
14.5.2. External Guest Firewall Integration for Juniper SRX (Optional)
Note: Available only for guests using advanced networking, both shared and isolated.
CloudPlatform provides for direct management of the Juniper SRX series of firewalls. This enables
CloudPlatform to establish static NAT mappings from public IPs to guest VMs, and to use the Juniper
device in place of the virtual router for firewall services. You can have only one Juniper SRX device
per zone. This feature is optional. If Juniper integration is not provisioned, CloudPlatform will use the
virtual router for these services.
The Juniper SRX can optionally be used in conjunction with an external load balancer. External
Network elements can be deployed in a side-by-side or inline configuration.
For more information, see the Administration Guide.
CloudPlatform requires the Juniper to be configured as follows:
Note: Supported SRX software version is 10.3 or higher.
1. Install your SRX appliance according to the vendor's instructions.
2. Connect one interface to the management network and one interface to the public network. Alternatively, you can connect the same interface to both networks and use a VLAN for the public network.
3. Make sure "vlan-tagging" is enabled on the private interface.
4. Record the public and private interface names. If you used a VLAN for the public interface, add ".[VLAN TAG]" after the interface name. For example, if you are using ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be "ge-0/0/3.301". Your private interface name should always be untagged, because the CloudPlatform software automatically creates the tagged logical interfaces.
5. Create a public security zone and a private security zone. By default, these already exist and are called the "untrust" and "trust" zones. Add the public interface to the public zone. CloudPlatform automatically adds the private interface to the private zone (trusted zone). Note down the security zone names.
6. Make sure there is a security policy from the private zone to the public zone that allows all traffic.
7. Note the username and password of the account you want the CloudPlatform software to log in to when it is programming rules.
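As an added illustration of steps 2 through 7 (not configuration from the CloudPlatform guide or from Juniper), the following Junos "set" commands realise the layout described above. The interface names, the RFC 5737 addresses, the policy name, the account name and the super-user class are assumptions; VLAN 301 is the guide's own example value.

```junos
# Added example: Junos commands for the SRX layout CloudPlatform expects.
# Interface names, addresses, policy/account names are assumed, not from the guide.

# Step 2: management interface, reachable from the CloudPlatform management server
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/24

# Step 3: private (guest-side) interface. It stays untagged at the unit level;
# vlan-tagging is what lets CloudPlatform create ge-0/0/2.<vlan> units itself.
set interfaces ge-0/0/2 vlan-tagging

# Step 4: public interface carried on VLAN 301, so record it as "ge-0/0/3.301"
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 301 vlan-id 301
set interfaces ge-0/0/3 unit 301 family inet address 203.0.113.2/24

# Step 5: public zone "untrust" holds the public interface; the private zone
# "trust" is left empty here because CloudPlatform adds the private interface.
set security zones security-zone untrust interfaces ge-0/0/3.301

# Step 6: private-to-public policy permitting all traffic. No reverse
# (untrust-to-trust) permit is created; inbound reachability for guests is
# programmed by CloudPlatform as static NAT rules.
set security policies from-zone trust to-zone untrust policy cp-allow-all match source-address any
set security policies from-zone trust to-zone untrust policy cp-allow-all match destination-address any
set security policies from-zone trust to-zone untrust policy cp-allow-all match application any
set security policies from-zone trust to-zone untrust policy cp-allow-all then permit

# Step 7: dedicated account for CloudPlatform to log in with when programming
# rules (the CLI prompts for the password; super-user class is an assumption).
set system login user cloudplatform class super-user authentication plain-text-password
```

Whichever management protocol CloudPlatform uses to reach the SRX must additionally be allowed as host-inbound traffic on the zone holding ge-0/0/0; see the Administration Guide for that protocol.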