08-17-2011 04:00 AM - edited 08-17-2011 04:02 AM
We're looking for a multitenant firewall to fit in to our Cloud offering.
We’re familiar with the SRX and so are looking into the possibility of using Logical-System / LSYS in 11.2.
However, what I would like to know is: does LSYS result in the loss of any features that would normally be available on the SRX?
Specifically, does LSYS support clustering, IDP, AppSecure, antivirus, antispam, web filtering, content filtering, Dynamic VPN and site-to-site VPN?
Thanks in advance,
08-17-2011 06:07 AM
Clustering < yep, A/P and A/A are supported
IDP, AppSecure < not supported in 11.2, but coming
Antivirus, Antispam, web filtering, content filtering, Dynamic VPN < LSYS is only supported on high-end (SRX3k/5k, with 1400 support coming soon), and the UTM suite and Dynamic VPN are only supported on Branch (650 and below)
Site to Site VPN < not supported in 11.2, but coming; initial release will have some caveats (since it's not released yet, that's an NDA discussion that you can have with your partner or Juniper SE)
09-03-2011 04:52 PM
My understanding of the restrictions is:
- Can only terminate VPNs within the ROOT LSYS
- ALG and IDP only on ROOT LSYS
- restrictions on the use of RADIUS and TACACS per LSYS
- restrictions on common usernames across LSYSs
- LSYS-enabled SRXs cannot be managed by NSM or SPACE (massive issue)
- AppSecure not supported per LSYS
- Can only support up to 30 or 32 LSYSs currently
- LSYS0 (if you chose to use it) counts towards one of the LSYS license units
There are more I believe, however I'd have to check notes
11-02-2011 03:00 AM
What is the max. number of users in one LSYS?
Is there an actual maximum number of sessions in one LSYS?
11-02-2011 09:04 AM
Can we do mixed-mode deployment (one LSYS in L2/transparent and one in L3/route)?
What's the max # of users per LSYS?
> You mean admin users configured in Junos, or # of sessions running through the box? I believe we currently only support a total of 32 SSH sessions, but that's not limited per LSYS (at least not yet). Max and reserved number of sessions per LSYS can be set as part of your resource allocation.
What's the actual no. of max sessions in 1 LSYS?
> If you don't set a max, then it's based on the capacity of the chassis. With no max set, one LSYS could fill up your session table and no new sessions would be available for other LSYS (unless they had reserved sessions set up in their resource reservation).
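The reply above describes setting reserved and maximum sessions per LSYS as part of resource allocation. As an added example, not from the thread or from Juniper, here is what that looks like in Junos hierarchical configuration. The profile names, logical-system name and counts are placeholders; the point is that "reserved" is capacity guaranteed to that LSYS while "maximum" caps it, so one tenant cannot consume the whole shared session table:

```junos
/* Added example, not part of the original thread. Names and counts are
   placeholders chosen for illustration. */
system {
    /* A profile for the root logical system itself, so that root does not
       silently absorb all unreserved capacity. */
    security-profile master-profile {
        flow-session {
            reserved 50000;
            maximum 200000;
        }
        root-logical-system;
    }
    /* One profile per tenant. "reserved" is guaranteed to this LSYS even
       when the chassis is busy; "maximum" is the hard ceiling for it. */
    security-profile tenant-a-profile {
        flow-session {
            reserved 20000;
            maximum 100000;
        }
        policy {
            reserved 100;
            maximum 500;
        }
        zone {
            reserved 2;
            maximum 10;
        }
        logical-system tenant-a;
    }
}
logical-systems {
    tenant-a {
        /* tenant-specific interfaces, zones and policies go here */
    }
}
```

The sum of all "reserved" values across profiles must fit within the chassis capacity, otherwise the commit fails; the "maximum" values may oversubscribe it. After committing, `show system security-profile flow-session summary` shows per-LSYS usage against these limits, which is the check to run if one tenant reports session-table exhaustion. Exact counts and supported resource types vary by Junos release and platform, so confirm them against the release notes for the version in use.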
As other contributors have mentioned, there are numerous limitations in features within L-SYS.
We are currently running Junos 11.4 on SRX3600, and while there are improvements in features since 11.2, it is still a rather painful and convoluted process to get things like IDP to work. For instance, while IDP is now working within a user level L-SYS, the IDP policy has to be configured at the root (or master) level. This is fine if one administrator is configuring the entire system and simply using L-SYS to compartmentalize their firewall. But I would not consider it acceptable for a 'multi-tenant' scenario (which is why we bought the things in the first place...). Not sure yet if a user-level L-SYS can configure their own exempt rulebase to avoid false positives - I suspect not.
There are also other limitations, such as SNMP, which now apparently works per-L-SYS but doesn't include IDP monitoring.
We have also found a number of weird bugs that seem to be down to the L-SYS implementation, such as syslog from the firewall itself being blocked by itself and the issuance of weird N ACK log messages each time a syslog packet gets dropped. Security policies are fine, it's not that.
Anyway - given hindsight I wish a different platform had been chosen. SRX and L-SYS in my opinion is quite immature and not ready for a production environment.
03-05-2012 07:41 AM - edited 03-05-2012 07:56 AM
Thanks for sharing!
If so, what can we expect in the next update to the SRX LSYS feature, and when? In 11.4 or 11.5?
Are there any links that explain the maximum number of LSYSs each SRX can support?