Adding an SRX into CloudPlatform has two steps:

1. Preconfigure the SRX

2. Add SRX into cloudstack

Preconfigure SRX

The configuration of the physical external firewall device (SRX) is explained below. This configuration has to be done by the admin; it is not part of the CloudStack orchestration job.

1. Configure the system

Command to configure xnm-clear-text:

set system services xnm-clear-text

Configure the name server:

set system name-server 10.103.128.16

Full set of system commands:

set system time-zone Asia/Calcutta

set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"

set system name-server 10.103.128.16

set system services ssh

set system services telnet

set system services xnm-clear-text

set system services dns

set system services web-management http interface vlan.0

set system services web-management http interface fe-0/0/0.0

set system services web-management https system-generated-certificate

set system services web-management https interface vlan.0

System services configuration: (screenshot)

2. Configure the interfaces

Choose three interfaces on the SRX device. This example uses fe-0/0/0, fe-0/0/1 and fe-0/0/4.

Three interfaces need to be configured:

1. Management interface: fe-0/0/0

2. Private/Guest interface: fe-0/0/1

3. Public interface: fe-0/0/4.52, where 52 is the public VLAN

Commands to configure interfaces:

set interfaces fe-0/0/0 description "Management Interface"

set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23

set interfaces fe-0/0/1 description "Private network"

set interfaces fe-0/0/1 vlan-tagging

set interfaces fe-0/0/4 description "Public Network"

set interfaces fe-0/0/4 vlan-tagging

set interfaces fe-0/0/4 unit 52 vlan-id 52

set interfaces fe-0/0/4 unit 52 family inet sampling input

set interfaces fe-0/0/4 unit 52 family inet sampling output

set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24

Interface config: (screenshot)

3. Create zones

3.1 Create the trust zone for the guest network

3.2 Create the untrust zone for the public network

3.3 Add the management interface to the trust zone and the public interface to the untrust zone.

Commands to configure zones:

root# show security zones | display set

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust interfaces fe-0/0/0.0

set security zones security-zone untrust host-inbound-traffic system-services ssh

set security zones security-zone untrust host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces fe-0/0/4.52

Zones config: (screenshot)

4. Allow traffic from the trust zone to the trust zone (intra-zone policy)

Commands to configure security policy:

set security policies from-zone trust to-zone trust policy accept-all match source-address any

set security policies from-zone trust to-zone trust policy accept-all match destination-address any

set security policies from-zone trust to-zone trust policy accept-all match application any

set security policies from-zone trust to-zone trust policy accept-all then permit

5. Add specific routes to separate private (management) traffic from public traffic.

In the routes below, 10.147.40.0/23, 10.146.0.0/24 and 10.147.59.0/24 are the management network CIDRs and are reached via the management gateway 10.147.40.1.

The default route points to the public network gateway 10.147.52.1.

Command to configure routes:

set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1

set routing-options static route 10.147.40.0/23 install

set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1

set routing-options static route 10.146.0.0/24 install

set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1

set routing-options static route 0.0.0.0/0 install

set routing-options static route 10.147.59.0/24 next-hop 10.147.40.1

set routing-options static route 10.147.59.0/24 install

Routes config: (screenshot)

Add SRX into CloudStack

1. After preconfiguring the SRX, make sure that the SRX management IP address is reachable from the management server.

Add the SRX in CloudStack: (screenshot)

2. Enable the SRX.

3. Create a network offering that uses the physical external firewall device (SRX), with these services:

DHCP: Virtual Router

DNS: Virtual Router

Firewall: Juniper SRX

Source NAT: Juniper SRX

Static NAT: Juniper SRX

Port Forwarding: Juniper SRX

Network offering: (screenshot)

4. Deploy a VM using the offering created for the SRX.

Deploying a VM with the SRX network offering: (screenshot)

Configure the source NAT rule on the SRX

The network offering was created with 'Supported Source NAT type' set to per zone, so the source NAT rule has to be configured manually on the SRX.

This configuration is required for the VM to reach the public network. The rule below translates the guest CIDR 10.0.32.0/20 to the public interface address 10.147.52.3 for traffic leaving the trust zone towards the untrust zone.

Commands to configure source NAT:

set security nat source pool 10-147-52-3 address 10.147.52.3/32

set security nat source rule-set trust from zone trust

set security nat source rule-set trust to zone untrust

set security nat source rule-set trust rule demo match source-address 10.0.32.0/20

set security nat source rule-set trust rule demo then source-nat pool 10-147-52-3

Source NAT configuration: (screenshot)

Accessing the public network after configuring the source NAT rule on the SRX: (screenshot)

CloudStack static NAT rule on an acquired IP of the SRX network: (screenshot)

Setting a firewall rule on the public IP of the SRX network: (screenshot)

Accessing the VM using the public IP and the rules configured above: (screenshot)
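The zone, system-services and source NAT settings above are easy to get subtly wrong when typed by hand, so here is a small offline audit of a Junos set-format config. It is an added example, not code from the original post or from CloudStack; the sample config is a constructed excerpt of the commands on this page, and the checks (cleartext management services, a zone accepting all host-inbound services, a SNAT pool address that is not on an interface in the rule-set's "to" zone) are this example's own.

```python
from collections import defaultdict

# Constructed excerpt of the set-format config shown on this page (trust zone,
# untrust zone, and the per-zone source NAT pool on the public interface).
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services xnm-clear-text
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/4.52
set security nat source pool 10-147-52-3 address 10.147.52.3/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule demo then source-nat pool 10-147-52-3
"""
CLEARTEXT = {"telnet", "xnm-clear-text"}  # management services that are not encrypted

def audit(text):
    """Return (severity, message) findings for a Junos set-format SRX config."""
    zone_svcs, zone_ifaces, addrs = defaultdict(set), defaultdict(set), {}
    pools, rule_sets, findings = {}, defaultdict(dict), []
    # Tokenise every 'set ...' line; blanks and 'show' prompts are skipped.
    for t in [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]:
        if t[:2] == ["system", "services"] and t[2] in CLEARTEXT:
            findings.append(("high", f"cleartext management service enabled: {t[2]}"))
        elif t[0] == "interfaces" and "address" in t:   # logical unit -> IPv4 address
            addrs[f"{t[1]}.{t[3]}"] = t[t.index("address") + 1].split("/")[0]
        elif t[:3] == ["security", "zones", "security-zone"]:
            if t[4:6] == ["host-inbound-traffic", "system-services"]:
                zone_svcs[t[3]].add(t[6])
            elif t[4] == "interfaces":
                zone_ifaces[t[3]].add(t[5])
        elif t[:4] == ["security", "nat", "source", "pool"]:
            pools[t[4]] = t[6].split("/")[0]
        elif t[:4] == ["security", "nat", "source", "rule-set"]:
            if t[5] in ("from", "to"):
                rule_sets[t[4]][t[5]] = t[7]
            elif t[-2] == "pool":
                rule_sets[t[4]]["pool"] = t[-1]
    for zone, svcs in zone_svcs.items():
        if "all" in svcs:
            findings.append(("medium", f"zone {zone} accepts all host-inbound system-services"))
    for name, rs in rule_sets.items():
        # The SNAT pool address should sit on an interface in the rule-set's 'to' zone.
        on_zone = {addrs.get(i) for i in zone_ifaces.get(rs.get("to"), ())}
        if rs.get("pool") in pools and pools[rs["pool"]] not in on_zone:
            findings.append(("medium", f"rule-set {name}: pool {rs['pool']} is not on an interface in zone {rs.get('to')}"))
    return findings
```

Run `audit()` over the output of `show configuration | display set` saved to a file; on the page's config it reports the two cleartext services and the trust zone's "all", and nothing for the NAT pool because 10.147.52.3 is the fe-0/0/4.52 address in untrust.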

CloudStack configuration files:

The config file includes the preconfiguration, the config after VM deployment, and the config after the static NAT and firewall rules were set.

https://www.dropbox.com/sh/4zhgdpj7q0rc2d8/5g-cNyWA1i