vsys overview
Overview
Juniper's Virtual System (vsys) can be defined as a logical firewall, or a group of logical firewalls, contained in a single physical firewall. As with Check Point's VSX, vsys gives service providers and Network Operations Centers the ability to manage all of their customers' firewalls in one appliance. Common components like administrative access, global policies, and virtual routers can be shared across virtual systems, while each vsys contains its own address book entries, user lists, VPNs, policies, NATs, and services. Vsys is not as segmented as VSX with regard to virtual firewall configuration: virtually any component can be designated as either shared or exclusive to a vsys. Though extremely robust, this adds to the learning curve for initial configuration and troubleshooting. When components are shared, they become available to other virtual systems and/or the root vsys. Exclusive components are only available to the virtual system in which they were created.
Each vsys contains three primary components: virtual routers, zones, and network interfaces. A virtual router is created automatically when a vsys is created; it is named vsys_name-vr (where vsys_name is the name given to the vsys) and provides the routing logic for the vsys. Other shared virtual routers are also created and are accessible to all virtual systems. When a vsys is created, three default zones are also created, called Trust-vsys_name, Untrust-Tun-vsys_name, and Global-vsys_name. The network interfaces created are both shared and non-shared. The shared interface is attached to the Untrust zone and is accessible across all virtual systems; it can be either a physical interface or a VLAN-tagged subinterface. The non-shared interface is attached to the Trust zone and can also be a physical interface or a VLAN-tagged subinterface.
Traffic from the Untrust zone is classified by the root vsys to determine which virtual system should handle it. As can be seen when the "get route ip <ip_address>" command is run from the root vsys, there may be multiple matches for a network, but the most specific route is always chosen. Traffic classification defines which virtual systems are bound to which zones, which lets the root vsys decide which vsys to send traffic to. There are two methods of traffic classification. One is for traffic destined for a virtual interface (VPNs, MIPs, DIPs): the root vsys keeps a list of virtual interfaces, so it automatically knows where to send traffic destined for one. The second is for traffic passing through a vsys: for the root vsys to know where to send that traffic, either VLAN tagging or IP-based classification must be used. When defining the traffic, overlapping ranges cannot be used, since shared zones are utilized.
Vsys licensing starts at 10 virtual systems and can be customized for virtually any number of systems (25, 100, 250, and more).
Professional support for Virtual Systems is a lot easier than it is with Check Point, which currently runs on several different appliance vendors. Juniper's knowledge base is pretty extensive, which is a good thing because you're going to need it. I've found that troubleshooting a vsys can be cumbersome and involves a lot of trial and error.
Definitions
Virtual systems can be defined as virtual firewalls inside a physical firewall that contain both shared and exclusive components as well as their own set of allocated resources. Each vsys contains its own policies, VPNs, and objects.
Virtual routers:
When a vsys is created, a virtual router called vsys_name-vr is also created. The virtual system has access to this VR as well as any VRs created in the root vsys (such as untrust-vr).
Zones:
In addition to its own VR, three zones are also created whenever a vsys is created: Trust-vsys_name, Untrust-Tun-vsys_name, and Global-vsys_name. The vsys will also inherit any shared zones from the root vsys.
Interfaces:
The trust interface for a vsys can be a dedicated physical interface, a subinterface (identified by VLAN tagging), or a shared interface (using IP-based classification). The untrust interface can be physical, a subinterface, or shared (using a physical, sub-, aggregate, or redundant interface). See the notes section below for special considerations regarding VPNs.
Traffic classification:
Defines which IPs are bound to which zones, which lets the root vsys decide which vsys to send traffic to. There are two methods of traffic classification. One is for traffic destined for a virtual interface (VPNs, MIPs, DIPs): the root vsys keeps a list of virtual interfaces, so it automatically knows where to send traffic destined for one. The second is for traffic passing through a vsys: for the root vsys to know where to send that traffic, either VLAN tagging or IP-based classification must be used. When defining the traffic, overlapping ranges cannot be used, since shared zones are utilized.
VLAN tagging requires the use of a subinterface and supports 802.1Q tags. In addition to the firewall's configuration, the supporting network infrastructure must also be configured for VLAN tagging.
Configuring Virtual Systems:
CLI (angle brackets mark values you supply):
1. Create a vsys
set vsys <vsys_name>
(vsys_name) set admin name <admin_name>
(vsys_name) set admin password <password>
(vsys_name) save
2. Define either a physical, sub-, or shared interface for the vsys.
Physical
enter vsys <vsys_name>
set interface ethernet3/1 import
Import an unused interface. This interface must be bound to the Null zone on the root vsys (check with "get zone").
set interface ethernet3/1 zone Trust-<vsys_name>
Remember that three zones are automatically created (Trust-<vsys_name>, Untrust-Tun-<vsys_name>, and Global-<vsys_name>).
set interface ethernet3/1 ip 192.168.1.1/24
save
Subinterface
enter vsys <vsys_name>
set interface ethernet3/1.1 zone Trust-<vsys_name>
set interface ethernet3/1.1 ip 192.168.1.1/24 tag 3
Assign the IP address to the subinterface and set the VLAN tag.
save
Shared (done in the root vsys)
set zone name <zone_name>
A shared zone must be created first; this zone is applied to the shared interface.
set zone <zone_name> shared
set interface ethernet3/1 zone <zone_name>
set interface ethernet3/1 ip 192.168.1.1/24
save
3. Define the traffic that will pass through the vsys (if using IP-based classification).
Traffic can be classified either by IP range or by subnet. The traffic classification is configured in the root vsys.
set zone <zone_name> ip-classification range 192.168.1.1-192.168.1.100 vsys <vsys_name>
set zone <zone_name> ip-classification
save
4. Resource allocation
A profile can be created to allocate resources to the vsys.
set vsys-profile <profile_name> cpu-weight 20
set vsys-profile <profile_name> mips max 30
set vsys-profile <profile_name> dips max 20 reserve 5
set vsys-profile <profile_name> mpolicies max 5
set vsys-profile <profile_name> policies max 120
set vsys-profile <profile_name> sessions max 3000
save
WebUI:
1. Create a vsys
1. Log into the root vsys and select New in the upper right-hand corner.
2. Enter the vsys name.
3. Create the admin account.
4. Create the VR (three options: the default router, an existing vrouter, or a custom one).
5. Click OK.
2. Create interfaces (physical, subinterface, or shared).
a. Physical
1. Log into the root vsys, select the vsys, and click Enter.
2. Select Network > Interfaces.
3. Select Import next to the desired interface.
4. Select OK.
5. Enter the zone and IP information.
b. Subinterface
1. Log into the root vsys, select the vsys, and click Enter.
2. Select Network > Interfaces.
3. Select sub-if in the upper right corner, then select New.
4. Enter the requested interface information (interface IP, mask, zone, VLAN tag).
c. Shared
1. Log into the root vsys.
2. Select Network > Zones > New.
3. Enter a zone name and select Shared.
4. Select OK.
5. Select Network > Interfaces.
6. Identify the interface you want to share and select Edit.
7. Select the zone created above.
8. Select OK.
3. Traffic classification (if using IP-based classification)
1. Log into the root vsys.
2. Select Network > Zones.
3. Select the zone and click Edit.
4. Check the IP Classification button.
5. Select System and choose the system to map traffic to (either an IP range or a subnet).
a. For example, you want all traffic destined to 192.168.1.1/24 to be routed to this zone.
6. Enter the IP information.
7. Click OK.
4. Resource allocation
1. Log into the root vsys.
2. Choose vsys > profile.
3. Select Edit next to the profile.
4. Enter the requested values.
5. Click OK.
Notes and troubleshooting:
You cannot rename a vsys; you will have to remove it and add it back.
Inbound traffic can also reach a vsys via VPN tunnels; however, if the outgoing interface is a shared interface, you cannot create an AutoKey IKE VPN tunnel for a vsys and for the root system to the same remote site.
Ingress and egress packet handling are both checked for each packet, and both must succeed in order to pass the packet to its destination. In addition, intra-zone traffic will be dropped.
Ingress packet handling:
1. Check the ingress interface.
2a. If it is a shared interface, check the source IP classification.
2b. If it is not a shared interface, associate the packet with the ingress interface's vsys ("v-i"). From here, standard NetScreen processing is performed.
3. Is the source IP classified? If YES, the packet is associated with the vsys of the classified IP ("v-i"), and standard NetScreen processing is performed from there. If NO, IP classification fails.
Egress packet handling:
1. Check the egress interface.
2a. If it is a shared interface, check the destination IP classification.
2b. If it is not a shared interface, associate the packet with the egress interface's vsys ("v-e").
3. Is the destination address classified? If YES, associate the packet with the vsys of the classified IP ("v-e"). If NO, classification fails.
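To make the IP-classification rule (no overlapping ranges in a shared zone) and the ingress/egress checks above concrete, here is an added Python model; it is example code written for this page, not Juniper's implementation. INTERFACES, TABLE and the function names are constructed for illustration: a shared interface consults the classification table, a non-shared one belongs to its owning vsys, and a packet passes only when both v-i and v-e resolve.

```python
import ipaddress

# Constructed model of the ScreenOS vsys classification rules described above
# (added example, not Juniper code). INTERFACES maps an interface name to
# (is_shared, owning_vsys); a shared interface has no owner of its own.
INTERFACES = {
    "ethernet3/1": (False, "vsys1"),   # non-shared trust interface of vsys1
    "ethernet3/2": (True, None),       # shared untrust interface
}

class ClassificationError(ValueError):
    """Raised for an ip-classification table the root vsys could not use."""

def build_table(entries):
    """entries: [(range 'a-b' or net 'a.b.c.d/m', vsys)]. Overlaps are rejected
    because the root vsys would have no unambiguous vsys to hand the packet to."""
    nets = []
    for spec, vsys in entries:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
            nets += [(n, vsys) for n in ipaddress.summarize_address_range(lo, hi)]
        else:
            nets.append((ipaddress.ip_network(spec, strict=False), vsys))
    for i, (a, _) in enumerate(nets):
        for b, _ in nets[i + 1:]:
            if a.overlaps(b):
                raise ClassificationError(f"overlapping entries: {a} and {b}")
    return nets

# Constructed sample table: one range and one subnet, each bound to a vsys.
TABLE = build_table([("192.168.1.1-192.168.1.100", "vsys1"), ("10.1.2.0/24", "vsys2")])

def classify_ip(table, ip):
    """Return the vsys an address is classified to, or None (classification fails)."""
    ip = ipaddress.ip_address(ip)
    return next((vsys for net, vsys in table if ip in net), None)

def resolve_vsys(interfaces, table, iface, ip):
    """Steps 1-3: shared interface -> look up the IP; otherwise the packet is
    associated with the vsys that owns the interface."""
    shared, owner = interfaces[iface]
    return classify_ip(table, ip) if shared else owner

def handle_packet(interfaces, table, in_if, src, out_if, dst):
    """Ingress (v-i, keyed on source) and egress (v-e, keyed on destination)
    are both evaluated; the packet passes only if neither classification fails."""
    v_i = resolve_vsys(interfaces, table, in_if, src)
    v_e = resolve_vsys(interfaces, table, out_if, dst)
    verdict = "pass" if v_i is not None and v_e is not None else "drop"
    return verdict, v_i, v_e
```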
VLAN members of the same vsys can communicate with each other; VLAN members of different vsys cannot without policies.
VLAN traffic classification is more secure than IP-based classification because IP-based classification uses shared zones: an admin of a shared zone can snoop on all zones that are shared.
To view resource allocations:
get vsys