Data Center Technologists

SRX and OpenStack: Neutron Firewall Plugin

by Juniper Employee ‎04-21-2015 11:05 PM - edited ‎07-06-2015 01:38 AM

Juniper's OpenStack Firewall Service plugin enables perimeter firewall protection for OpenStack networks by configuring security policies on Juniper’s SRX and vSRX devices.


OpenStack networks can be secured in two ways:

  • Security Groups
  • Firewalls

Security groups secure east-west (intra-VLAN) traffic. Firewalls, on the other hand, add perimeter protection to OpenStack networks and secure north-south traffic such as inter-VLAN and edge traffic.


Juniper's Firewall-as-a-Service (FWaaS) plugin builds on top of Juniper’s ML2 and L3 plugins. It enables Neutron to configure firewall rules and policies on SRX/vSRX devices. In OpenStack, one firewall can be created per tenant, and it can have one security policy assigned at any given time. A security policy is a collection of firewall rules. The picture below illustrates this relationship:



Firewall Rule: Defines the source address and port(s), destination address and port(s), protocol, and the action to take on matching traffic.

Firewall Policy: A collection of firewall rules.

Firewall: The construct representing a firewall device.


The picture below is the reference topology used throughout this blog to explain the FWaaS concepts and how Juniper’s plugin configures the network at each level.


Reference Topology


In this topology, the links from Switches 1 and 2 to the aggregation switch, and the link from the aggregation switch to the SRX, are trunk links preconfigured to carry all VLANs.


Let’s take a scenario where an OpenStack tenant has created the virtual network topology shown in the table below:

Assigned VLAN   VM Name   Hypervisor     Switch Port   Switch
      -            -      Hypervisor 2        -        QFX 5100 Switch 1
      -            -      Hypervisor 6        -        QFX 5100 Switch 2

When VMs are spawned on a network, the ML2 plugin configures the corresponding VLANs on the trunk ports that connect the hypervisors to Switches 1 and 2.


Next, the tenant can create a router and add to it the gateway IP addresses of the networks Thirty and Forty. At this point, Juniper’s L3 plugin creates a routing instance (vRouter) on the SRX, generates a logical interface (IFL) on ge-0/0/10 of the SRX for each VLAN, and adds those IFLs to the routing instance. In the initial version of the FWaaS plugin, the SRX acts as both the router and the firewall in the topology. The picture below captures the resulting OpenStack topology:


OpenStack Topology


Once the router is created, the tenant can create an OpenStack firewall and start adding security policy rules to it. This is the point at which Juniper’s FWaaS plugin steps in. Let’s take the case where the tenant wants to allow ICMP traffic from VM-30 to VM-40 but drop all other traffic.


Using OpenStack Horizon, first create a firewall rule that allows ICMP traffic from VM-30 to VM-40. Then create a firewall policy and assign the rule to it. Finally, create a firewall and assign the firewall policy to it.


Note: It is a good practice to set the default policy on the SRX to deny all traffic.


The following table captures the configuration that is done at each stage of the flow:



ML2 Plugin (VLAN type driver)
  • QFX 5100 Switch #1: assign VLAN 1000 to port ge-0/0/20 as a VLAN member
  • QFX 5100 Switch #2: assign VLAN 1001 to port ge-0/0/30 as a VLAN member

L3 Service Plugin (SRX/vSRX)
  • Create a routing instance (RI)
  • Create the IFLs corresponding to the two subnets and add them to the RI

Firewall Service Plugin (FWaaS) (SRX/vSRX)
  • Create a zone for each router belonging to the tenant
  • Add the gateway IFLs associated with each router to its corresponding zone
  • Segregate the firewall rules to their corresponding routers by evaluating each rule's definition
  • Push the firewall rules to their corresponding router zone


To see the sample configuration pushed to the SRX/vSRX device, click here.
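As an added illustration (not the plugin's own code), the Python below models the four FWaaS steps in the table above: it takes a constructed Neutron FWaaS v1 policy and a tenant router, segregates each rule to the router whose gateway subnets contain its endpoints, and renders the resulting SRX zone and policy configuration as Junos set commands, ending with the deny-all default the post recommends. The zone name, IFL units, addressing and address-book naming are assumptions made for this example.

```python
import ipaddress

# Constructed tenant router: one zone whose gateway IFLs are keyed by subnet. The zone
# name, IFL units and addressing are assumptions for this example, not the plugin's scheme.
ROUTERS = [{"zone": "zone-tenant-router",
            "gateways": {"10.0.30.0/24": "ge-0/0/10.1000", "10.0.40.0/24": "ge-0/0/10.1001"}}]
# Constructed FWaaS v1 policy (Neutron field names): allow ICMP from VM-30 to VM-40.
POLICY = {"name": "tenant-policy", "firewall_rules": [
    {"name": "allow-icmp-30-to-40", "protocol": "icmp", "action": "allow", "enabled": True,
     "source_ip_address": "10.0.30.10", "destination_ip_address": "10.0.40.10"}]}
# Predefined Junos applications for rules that name only a protocol; None means any.
APPLICATIONS = {"icmp": "junos-icmp-all", "tcp": "junos-tcp-any", "udp": "junos-udp-any", None: "any"}

def owning_router(rule, routers):
    """Step 3: the rule belongs to the router whose gateway subnets contain both endpoints;
    a wildcard (None) address matches every router."""
    def inside(addr, nets):
        return addr is None or any(ipaddress.ip_address(addr) in n for n in nets)
    for router in routers:
        nets = [ipaddress.ip_network(s) for s in router["gateways"]]
        if inside(rule["source_ip_address"], nets) and inside(rule["destination_ip_address"], nets):
            return router
    return None

def address_name(addr):
    # Junos policies match address-book entry names, not literal IPs; "any" needs no entry.
    return "any" if addr is None else f"h-{addr}"

def render_config(policy, routers):
    """Steps 1, 2 and 4 as Junos 'set' lines: zone per router with its IFLs, rules as zone policies, deny-all default."""
    lines, book = [], {}
    for router in routers:
        for ifl in router["gateways"].values():
            lines.append(f"set security zones security-zone {router['zone']} interfaces {ifl}")
    for rule in policy["firewall_rules"]:
        router = owning_router(rule, routers)
        if router is None or not rule["enabled"]:
            continue  # disabled in Neutron, or not between this tenant's subnets: nothing is pushed
        for addr in (rule["source_ip_address"], rule["destination_ip_address"]):
            if addr is not None:
                book[address_name(addr)] = f"{addr}/32"
        z = router["zone"]
        pfx = f"set security policies from-zone {z} to-zone {z} policy {rule['name']}"
        lines.append(f"{pfx} match source-address {address_name(rule['source_ip_address'])}")
        lines.append(f"{pfx} match destination-address {address_name(rule['destination_ip_address'])}")
        lines.append(f"{pfx} match application {APPLICATIONS.get(rule['protocol'], 'any')}")
        lines.append(f"{pfx} then {'permit' if rule['action'] == 'allow' else 'deny'}")
    lines = [f"set security address-book global address {n} {a}" for n, a in book.items()] + lines
    lines.append("set security policies default-policy deny-all")
    return lines
```

Running `render_config(POLICY, ROUTERS)` yields the address-book entries, the zone with its two IFLs, the four lines of the intra-zone ICMP policy, and the deny-all default; a rule whose endpoints fall outside the tenant's subnets is skipped rather than pushed.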


Juniper’s FWaaS plugin brings high-performance, low-latency and highly scalable data center security to OpenStack virtual networks. It supports both the physical and virtual form factors of the SRX. Tenants can create and enable perimeter firewall protection for their OpenStack networks directly from the OpenStack UI. The initial release of the plugin supports the OpenStack Icehouse, Juno and Kilo releases.



You can download the plugin here



on ‎04-29-2015 08:19 AM

Wouldn't it be better just to use OpenContrail Policy Groups? This configuration looks functional but highly complicated; you need a distributed switch/router at the host level anyway.

on ‎04-29-2015 05:35 PM



It's good news for us.

Could you tell me how can we get this plugin software? 

I could not find it at the software download URL.


by Juniper Employee
on ‎05-04-2015 11:39 PM


This solution is for customers having only OpenStack as the controller and want to use Juniper's SRX as the firewall.

by Ramesh_NG
on ‎06-01-2015 04:21 AM
Hi Sharath, where can we get this plugin for SRX? Do you have any deployment examples?
by Juniper Employee
on ‎07-06-2015 01:37 AM

The plugin has been released and can be downloaded @
