SRX Services Gateway
Contributor
Posts: 49
Registered: ‎01-07-2009
0 Kudos

LSYS on SRX - are there any feature restrictions?

Hi,

We're looking for a multitenant firewall to fit into our Cloud offering.

We're familiar with the SRX and so are looking into the possibility of using Logical-System / LSYS in 11.2.

However, what I would like to know is: does LSYS result in the loss of any features that would normally be available on the SRX?

Specifically, does LSYS support: Clustering, IDP, AppSecure, Antivirus, Antispam, web filtering, content filtering, Dynamic VPN, Site to Site VPN?

Thanks in advance,

Chris

Super Contributor
Posts: 127
Registered: ‎05-01-2008
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Clustering < yep, A/P and A/A are supported

IDP, AppSecure < not supported in 11.2, but coming

Antivirus, Antispam, web filtering, content filtering, Dynamic VPN < LSYS is only supported on high-end (SRX3k/5k, with 1400 support coming soon), and the UTM suite and Dynamic VPN are only supported on Branch (650 and below)

Site to Site VPN < not supported in 11.2, but coming; initial release will have some caveats (since it's not released yet, that's an NDA discussion that you can have with your partner or Juniper SE)

Trusted Expert
Posts: 601
Registered: ‎11-21-2009
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi billp,

But the only limitation mentioned in the release notes is "cannot enable/disable ALG per LSYS".

Nothing is mentioned about other limitations.

Visitor
Posts: 2
Registered: ‎12-29-2010
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi,

My understanding of the restrictions is:

 - Can only terminate VPNs within the ROOT LSYS

 - ALG and IDP only on ROOT LSYS

 - restrictions with the use of RADIUS and TACACS per LSYS

 - restrictions with common usernames across LSYSs

 - LSYS-enabled SRXs cannot be managed by NSM or SPACE (massive issue)

 - AppSec not supported per LSYS

 - Can only support up to 30 or 32 LSYSs currently

 - LSYS0 (if you choose to use it) counts towards one of the LSYS license units

There are more, I believe; however, I'd have to check notes.

G

Contributor
Posts: 21
Registered: ‎04-12-2010
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi,

Can we do multiple deployment modes (route/transparent) in each LSYS?

Thanks,

Yohanes

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

What is the max. number of users in 1 LSYS?

Is there an actual max. number of sessions in 1 LSYS?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Super Contributor
Posts: 127
Registered: ‎05-01-2008
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Can we do mixed-mode deployment (one LSYS in L2/transparent and one in L3/route)?

> Nope.

What's the max # of users per LSYS?

> You mean admin users configured in Junos, or # of sessions running through the box? I believe we currently only support a total of 32 SSH sessions, but that's not limited per LSYS (at least not yet). Max and reserved number of sessions per LSYS can be set as part of your resource allocation.

What's the actual no. of max sessions in 1 LSYS?

> If you don't set a max, then it's based on the capacity of the chassis. With no max set, one LSYS could fill up your session table and no new sessions would be available for other LSYS (unless they had reserved sessions set up in their resource reservation).
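The session-table contention described in the reply above, shown as an added Junos configuration example (not from any poster in this thread): a security profile with no flow-session limits leaves a tenant bounded only by the chassis, while a profile with a reserved floor and a maximum ceiling keeps one tenant from starving the others. The profile and logical-system names are placeholders, and the `#` lines are explanatory comments rather than CLI input.

```junos
# Weak: profile with no flow-session stanza. The tenant LSYS may grow until the
# chassis session table is full, leaving nothing for other tenants.
set system security-profile sp-unbounded logical-system ls-tenant-a

# Corrected: guarantee a floor (reserved) and cap the share (maximum).
# Reserved sessions are held back for this tenant even when the box is busy;
# maximum stops it from consuming the rest of the table.
set system security-profile sp-tenant-a flow-session reserved 2000
set system security-profile sp-tenant-a flow-session maximum 10000
set system security-profile sp-tenant-a logical-system ls-tenant-a

# The sum of reserved sessions across all profiles must fit within the chassis
# capacity, and each maximum must be at least its profile's reserved value.

# Verify the allocation and current usage per logical system after commit.
show system security-profile flow-session logical-system all
```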

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi billp

Thanks for the info :)

Cheers!
Thanks!

Michael
Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi,

Does anyone know how many LSYS there are on a base SRX, e.g. SRX3600?
Thanks!

Michael
Super Contributor
Posts: 127
Registered: ‎05-01-2008
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

LSYS requires a license to be enabled - there aren't any included with the base system.

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Can the SRX work without any LSYS on the device itself, in this case?
It is able to, right?
Thanks!

Michael
New User
Posts: 1
Registered: ‎01-19-2012
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

As other contributors have mentioned, there are numerous limitations in features within L-SYS.

We are currently running Junos 11.4 on SRX3600, and while there are improvements in features since 11.2, it is still a rather painful and convoluted process to get things like IDP to work. For instance, while IDP is now working within a user-level L-SYS, the IDP policy has to be configured at the root (or master) level. This is fine if one administrator is configuring the entire system and simply using L-SYS to compartmentalize their firewall. But I would not consider it acceptable for a 'multi-tenant' scenario (which is why we bought the things in the first place...). Not sure yet if a user-level L-SYS can configure its own exempt rulebase to avoid false positives; I suspect not.

There are also other limitations, such as SNMP, which now apparently works per L-SYS but doesn't include IDP monitoring.

We have also found a number of weird bugs that seem to be down to the L-SYS implementation, such as syslog from the firewall itself being blocked by itself and the issuance of weird N ACK log messages each time a syslog packet gets dropped. Security policies are fine; it's not that.

Anyway, given hindsight, I wish a different platform had been chosen. SRX and L-SYS, in my opinion, are quite immature and not ready for a production environment.

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: LSYS on SRX - are there any feature restrictions?

Hi ferdsnerd,

Thanks for sharing!
If so, what can we expect in the next update to the SRX LSYS feature, and when? In 11.4, 11.5?

Are there any links that explain the maximum no. of LSYS each SRX can support?

Thanks!

Michael