Juniper SRX Configuration for CloudStack:

CloudStack can use an external firewall device such as a Juniper SRX. That is, you can place an external firewall like a Juniper SRX device in the network instead of relying on the CloudStack virtual router.

CloudStack loads the corresponding configuration onto the external firewall device whenever you configure firewall, port-forwarding and similar rules in CloudStack.

Adding a Juniper SRX as an external firewall device involves two steps:

I. Pre-configure the SRX for use in the CloudStack setup (see APPENDIX I for example configurations).

II. Configure CloudStack to use the external firewall device.

I. Pre-configuring the SRX:

Before placing the SRX in the CloudStack setup, configure the device for the CloudStack network.

1. Connect the SRX interfaces to the CloudStack network as follows:

    1. Connect one interface to the CloudStack public network

    2. Connect one interface to the CloudStack private/guest network

    3. Connect one interface to the management network, which is used to configure the SRX

Example:

     fe-0/0/0     -     Management interface to access the SRX

     fe-0/0/1     -     CloudStack private network

     fe-0/0/4     -     Public network

2. Enable VLAN tagging on the private interface.

3. Create the security zones trust and untrust; add the private interface to trust and the public interface to untrust.

4. Configure a security policy that permits traffic from trust to untrust.

5. Enable the ssh and xnm-clear-text system services, which CloudStack uses to log in to the device and load configuration.

Note:

1. If the public interface is connected to a tagged network, enable VLAN tagging on it as well and give the public interface name with its logical unit (e.g. fe-0/0/2.52) when adding the device in CloudStack.

2. Add the required routes on the device.
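The pre-configuration steps above, collected into one set of Junos set-commands. This is an added illustration, not the contents of the configuration files attached in APPENDIX I and not code from CloudStack. Interface names follow the example mapping above; the IP addresses, VLAN ids, the mgmt zone name, the policy name, the cloudstack user name and the default route are constructed placeholders to be replaced with site values.

```junos
# Added example (not from the page's attached config files): Junos set-commands
# covering pre-configuration steps 2-5 and the two notes. Interface names follow
# the mapping above; addresses, VLAN ids, zone/policy/user names are placeholders.

# Management interface fe-0/0/0 (address is a placeholder). Keep it on an
# isolated management network: xnm-clear-text is the unencrypted XML API.
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.10/24

# Step 2: the private/guest interface fe-0/0/1 carries 802.1Q-tagged guest VLANs.
set interfaces fe-0/0/1 vlan-tagging
# One guest VLAN unit is shown for illustration (VLAN 100 and its gateway
# address are constructed); CloudStack loads further per-network configuration.
set interfaces fe-0/0/1 unit 100 vlan-id 100
set interfaces fe-0/0/1 unit 100 family inet address 10.1.1.1/24

# Public interface fe-0/0/4, untagged (address is a placeholder) ...
set interfaces fe-0/0/4 unit 0 family inet address 203.0.113.2/24
# ... or, per Note 1, tagged on public VLAN 52; then give CloudStack the unit
# name fe-0/0/4.52 instead of fe-0/0/4 and put fe-0/0/4.52 in the untrust zone:
# set interfaces fe-0/0/4 vlan-tagging
# set interfaces fe-0/0/4 unit 52 vlan-id 52
# set interfaces fe-0/0/4 unit 52 family inet address 203.0.113.2/24

# Step 3: zones. trust = private side, untrust = public side. A separate mgmt
# zone (name is constructed) limits which services the SRX itself accepts and
# on which interface; nothing is accepted towards the device from untrust.
set security zones security-zone trust interfaces fe-0/0/1.100
set security zones security-zone untrust interfaces fe-0/0/4.0
set security zones security-zone mgmt interfaces fe-0/0/0.0
set security zones security-zone mgmt host-inbound-traffic system-services ssh
set security zones security-zone mgmt host-inbound-traffic system-services xnm-clear-text
set security zones security-zone mgmt host-inbound-traffic system-services ping

# Step 4: permit traffic from trust to untrust (policy name is constructed).
# No untrust-to-trust policy is pre-created; CloudStack loads the rules you
# define for firewall and port forwarding.
set security policies from-zone trust to-zone untrust policy cs-trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy cs-trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy cs-trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy cs-trust-to-untrust then permit

# Step 5: system services CloudStack uses to log in and load configuration.
set system services ssh
set system services ssh root-login deny
set system services xnm-clear-text

# Account CloudStack logs in with (name and password hash are placeholders;
# on the CLI you would normally set it with "plain-text-password" instead).
set system login user cloudstack class super-user authentication encrypted-password "<PLACEHOLDER-HASH>"

# Note 2: routes. Default route via the public gateway (placeholder address).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Finish with "commit check" and then "commit". Afterwards "show system commit"
# lists every commit with the user that made it, so CloudStack's later loads
# appear there under the cloudstack account.
```

Load these on a device whose factory-default interface, zone and policy statements have been cleared or reconciled first; the factory default on a small SRX already assigns fe-0/0/0 and the other ports to zones, and merging blindly can leave unintended policies in place.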

II. Configuring CloudStack:

1. Add the SRX device to CloudStack:

Infrastructure -> Zones -> <ZoneName> -> Physical Network 1 -> Network Service Providers -> SRX -> View Devices -> Add SRX device

2. After adding the device, enable it.

3. Create a network offering that uses the SRX device.

4. The images below show some of the configuration made while creating the zone.

Here the public network uses a VLAN, so the SRX public interface must be configured for that VLAN and entered with its logical unit name, e.g. fe-0/0/4.52.

5. When creating an instance, select the network that was created earlier with the SRX offering.

6. Under Network you can acquire a new public IP and configure firewall and port-forwarding rules, which CloudStack applies on the SRX.

NOTE:

You can follow CloudStack loading the configuration onto the SRX in the management-server logs: look for the get-configuration and load-configuration entries.

Once the load completes, the logs show that the commit-configuration step succeeded.

APPENDIX I

The attached files give Juniper SRX 100b configuration details for using the SRX as the external firewall for CloudStack.

SRX-default-config.txt - default configuration on the SRX

config-CS-SRX.txt - SRX configuration details, with example configurations and logs
