SRX Services Gateway

LSYS on SRX - are there any feature restrictions?

08-17-2011 04:00 AM

Hi,

We're looking for a multitenant firewall to fit into our Cloud offering.

We're familiar with the SRX and so are looking into the possibility of using Logical Systems / LSYS in 11.2.

However, what I would like to know is: does LSYS result in the loss of any features which would normally be available on the SRX?

Specifically, does LSYS support: Clustering, IDP, AppSecure, Antivirus, Antispam, web filtering, content filtering, Dynamic VPN, Site-to-Site VPN?

Thanks in advance,

Chris

12 REPLIES
Re: LSYS on SRX - are there any feature restrictions?

08-17-2011 06:07 AM

Clustering < yep, A/P and A/A are supported

IDP, AppSecure < not supported in 11.2, but coming

Antivirus, Antispam, web filtering, content filtering, Dynamic VPN < LSYS is only supported on high-end (SRX3k/5k, with 1400 support coming soon), and the UTM suite and Dynamic VPN are only supported on Branch (650 and below)

Site to Site VPN < not supported in 11.2, but coming; initial release will have some caveats (since it's not released yet, that's an NDA discussion that you can have with your partner or Juniper SE)

Re: LSYS on SRX - are there any feature restrictions?

09-03-2011 11:03 AM

Hi billp,

But the only limitation mentioned in the release notes is "cannot enable/disable ALG per LSYS".

Nothing is mentioned about other limitations.

Re: LSYS on SRX - are there any feature restrictions?

09-03-2011 04:52 PM

Hi,

My understanding of the restrictions is:

 - Can only terminate VPNs within the ROOT LSYS
 - ALG and IDP only on ROOT LSYS
 - restrictions with the use of RADIUS and TACACS per LSYS
 - restrictions with common usernames across LSYSs
 - LSYS-enabled SRXs cannot be managed by NSM or SPACE (massive issue)
 - AppSec not supported per LSYS
 - Can only support up to 30 or 32 LSYSs currently
 - LSYS0 (if you choose to use it) counts towards one of the LSYS license units

There are more I believe, however I'd have to check notes.

G

Re: LSYS on SRX - are there any feature restrictions?

10-20-2011 07:56 AM

Hi,

Can we do multiple deployment modes (route/transparent) in each LSYS?

Thanks,

Yohanes

Re: LSYS on SRX - are there any feature restrictions?

11-02-2011 03:00 AM

What is the max. number of users in 1 LSYS?

Is there an actual number of max sessions in 1 LSYS?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Re: LSYS on SRX - are there any feature restrictions?

11-02-2011 09:04 AM

Can we do mixed-mode deployment (one LSYS in L2/transparent and one in L3/route)?

> Nope.

What's the max # of users per LSYS?

> You mean admin users configured in Junos, or # of sessions running through the box? I believe we currently only support a total of 32 SSH sessions, but that's not limited per LSYS (at least not yet). Max and reserved number of sessions per LSYS can be set as part of your resource allocation.

What's the actual no. of max sessions in 1 LSYS?

> If you don't set a max, then it's based on the capacity of the chassis. With no max set, one LSYS could fill up your session table and no new sessions would be available for other LSYS (unless they had reserved sessions set up in their resource reservation).
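The resource allocation the reply above refers to is done with a Junos security profile bound to each logical system. The configuration below is an added example, not something any poster in this thread or Juniper's documentation provided, showing how to reserve a floor of sessions for each tenant and cap its ceiling (so one LSYS cannot fill the shared session table), give the root logical system its own profile, and confine a tenant administrator to their own LSYS with a logical-system-scoped login class. The tenant names (tenant-a, tenant-b), profile names, interface, VLAN, addresses and all numbers are assumptions chosen for illustration; the `set` statements themselves are standard logical-systems syntax.

```junos
# Added example: per-LSYS session reservation and tenant admin scoping.
# All names and numbers are illustrative; adjust to your chassis capacity.

# Tenant A: guaranteed 20k flow sessions, hard cap at 60k.
# Policies and zones are capped too so a tenant cannot starve others of those objects.
set system security-profile tenant-a-profile flow-session reserved 20000
set system security-profile tenant-a-profile flow-session maximum 60000
set system security-profile tenant-a-profile policy reserved 100
set system security-profile tenant-a-profile policy maximum 500
set system security-profile tenant-a-profile zone reserved 2
set system security-profile tenant-a-profile zone maximum 10
set system security-profile tenant-a-profile logical-system tenant-a

# Tenant B: separate profile so its quotas can be tuned independently.
set system security-profile tenant-b-profile flow-session reserved 20000
set system security-profile tenant-b-profile flow-session maximum 60000
set system security-profile tenant-b-profile policy reserved 100
set system security-profile tenant-b-profile policy maximum 500
set system security-profile tenant-b-profile zone reserved 2
set system security-profile tenant-b-profile zone maximum 10
set system security-profile tenant-b-profile logical-system tenant-b

# The root logical system also needs a profile once security profiles are in use,
# otherwise root traffic competes for whatever the tenants leave unreserved.
set system security-profile root-profile flow-session reserved 10000
set system security-profile root-profile root-logical-system

# Physical interface properties stay at root; logical units are handed to the LSYS.
set interfaces ge-0/0/1 vlan-tagging
set logical-systems tenant-a interfaces ge-0/0/1 unit 10 vlan-id 10
set logical-systems tenant-a interfaces ge-0/0/1 unit 10 family inet address 10.10.0.1/24
set logical-systems tenant-a security zones security-zone trust interfaces ge-0/0/1.10

# Tenant A administrator: the login class binds the account to one logical system,
# so "permissions all" is scoped to tenant-a and cannot touch root or tenant-b.
set system login class tenant-a-admin logical-system tenant-a
set system login class tenant-a-admin permissions all
set system login user tenant-a-admin class tenant-a-admin
# Set the account's authentication (encrypted-password or SSH key) separately.

# Verify reservation versus live usage per logical system:
#   show system security-profile flow-session logical-system all
#   show system security-profile policy logical-system all
# and that an LSYS license is installed:
#   show system license
```

The reserved values across all profiles must fit within the chassis session capacity or the commit is rejected; the maximum values are only an upper bound per tenant and may overlap, since they draw from the unreserved pool.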

Re: LSYS on SRX - are there any feature restrictions?

11-09-2011 08:19 PM

Hi billp

Thanks for the info :)

Cheers!
Thanks!

Michael

Re: LSYS on SRX - are there any feature restrictions?

12-28-2011 12:01 AM

Hi,

Anyone knows how many Lsys are there on a base SRX, eg. SRX3600?
Thanks!

Michael

Re: LSYS on SRX - are there any feature restrictions?

12-28-2011 05:51 AM

LSYS requires a license to be enabled - there aren't any included with the base system.

Re: LSYS on SRX - are there any feature restrictions?

01-10-2012 04:35 AM

Can the SRX work without any LSYS on the device itself, in this case?
It is able to, right?
Thanks!

Michael

Re: LSYS on SRX - are there any feature restrictions?

01-19-2012 04:13 PM

As other contributors have mentioned, there are numerous limitations in features within L-SYS.

We are currently running Junos 11.4 on SRX3600, and while there are improvements in features since 11.2, it is still a rather painful and convoluted process to get things like IDP to work. For instance, while IDP is now working within a user-level L-SYS, the IDP policy has to be configured at the root (or master) level. This is fine if one administrator is configuring the entire system and simply using L-SYS to compartmentalize their firewall. But I would not consider it acceptable for a 'multi-tenant' scenario (which is why we bought the things in the first place...). Not sure yet if a user-level L-SYS can configure their own exempt rulebase to avoid false positives - I suspect not.

There are also other limitations, such as SNMP now apparently working per-L-SYS, but this doesn't include IDP monitoring.

We have also found a number of weird bugs that seem to be down to the L-SYS implementation, such as syslog from the firewall itself being blocked by itself and the issuance of weird N ACK log messages each time a syslog packet gets dropped. Security policies are fine, it's not that.

Anyway - given hindsight I wish a different platform had been chosen. SRX and L-SYS in my opinion is quite immature and not ready for a production environment.

Re: LSYS on SRX - are there any feature restrictions?

03-05-2012 07:41 AM

Hi ferdsnerd,

Thanks for sharing!
If so, what and when can we expect for the next update to the SRX LSYS feature? On 11.4, 11.5?

Are there any links that explain the maximum number of LSYS each SRX can support?

Thanks!

Michael