Juniper vSRX Limitations

This topic provides a list of commands that are restricted on Juniper vSRX, and information about certificates and version upgrade limitations.

Restricted Commands

The following commands are restricted on Juniper vSRX:

  • Any command starting with ‘request’. Exception: ‘request system reboot’

  • ‘start shell’

  • ‘show interfaces fxp0’

  • Any command starting with ‘ssh’

  • Any command starting with ‘telnet’

  • Any command starting with ‘restart’

  • Any command starting with ‘file’

  • ‘show system license keys’

  • Any system-level command, or any command that includes the word ‘system’

  • Any configuration on interface ge-0/0/0

  • Any configuration on interface fxp0

  • Any configuration on interface loopback 0 unit 10

  • Any configuration or command that has ‘routing-instance external’

  • Any command that has ‘security-zone external’

  • Any command that has ‘security policies from-zone external’

  • Any command that has ‘routing-options static’

Version Upgrade Limitations

  • Always save a copy of certificates before performing vSRX upgrades.

  • Once the vSRX upgrade is complete, copy the saved certificates back and load them into the vSRX configuration as they were before the upgrade.

Enable Certificates

To enable certificates on Juniper, go to:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21718&actp=METADATA

Example (from our test lab)

SDNSS@vsrx151> show security pki local-certificate
Certificate identifier: testname
Validity:
Not before: 05-13-2020 04:15 UTC
Not after: 05-12-2025 04:15 UTC
Public key algorithm: rsaEncryption(1024 bits)

SDNSS@vsrx151> clear security pki local-certificate certificate-id testname

SDNSS@vsrx151> clear security pki key-pair certificate-id testname
Key pair deleted successfully

SDNSS@vsrx151> show security pki local-certificate

SDNSS@vsrx151> request security pki generate-key-pair size 1024 certificate-id test_cert
Generated key pair test_cert, key size 1024 bits

  • test_cert – The certificate name
  • size 1024 – The bit size is per your design

SDNSS@vsrx151> request security pki local-certificate generate-self-signed certificate-id test_cert subject CN=20150625 domain-name juniper.com ip-address 172.27.100.3
Self-signed certificate generated and loaded successfully

  • domain-name juniper.com – The domain name should be your own domain name
  • ip-address 172.27.100.3 – The actual IP address depends on your domain
  • CN=20150625 – The device serial number

Re-Enabled Certificate

SDNSS@vsrx151> show security pki local-certificate
Certificate identifier: test_cert
Issued to: 20150625, Issued by: CN = 20150625
Validity:
Not before: 05-13-2020 04:21 UTC
Not after: 05-12-2025 04:21 UTC
Public key algorithm: rsaEncryption(1024 bits)

Note: If the CLI or features change in the upgraded version, consult the release notes and the vendor directly.
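The upgrade steps above require the certificates to be loaded back as they were before the upgrade. The following is an added example, not part of the original page or of any Juniper tooling: it parses saved ‘show security pki local-certificate’ output taken before and after the upgrade, reports certificates that are missing or changed, and flags RSA keys below 2048 bits and expired certificates. The sample text is constructed from the output format shown above; the 2048-bit threshold and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timezone

MIN_RSA_BITS = 2048  # assumption: policy minimum for RSA keys in this example

# Constructed sample, modelled on the lab output shown on this page.
SAMPLE_BEFORE = """\
Certificate identifier: test_cert
Issued to: 20150625, Issued by: CN = 20150625
Validity:
Not before: 05-13-2020 04:21 UTC
Not after: 05-12-2025 04:21 UTC
Public key algorithm: rsaEncryption(1024 bits)
"""

def parse_local_certs(text):
    """Parse 'show security pki local-certificate' text into {id: fields}."""
    certs, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Certificate identifier:\s*(\S+)", line):
            cur = certs.setdefault(m.group(1), {})
        elif cur is None:
            continue  # ignore prompts or banners before the first certificate
        elif m := re.match(r"Not (before|after):\s*(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) UTC", line):
            ts = datetime.strptime(m.group(2), "%m-%d-%Y %H:%M")
            cur["not_" + m.group(1)] = ts.replace(tzinfo=timezone.utc)
        elif m := re.match(r"Public key algorithm:\s*(\w+)\((\d+) bits\)", line):
            cur["algorithm"], cur["bits"] = m.group(1), int(m.group(2))
    return certs

def audit(before_text, after_text, now):
    """Compare pre- and post-upgrade certificate state; return findings."""
    before, after = parse_local_certs(before_text), parse_local_certs(after_text)
    findings = []
    for cid, b in before.items():
        a = after.get(cid)
        if a is None:
            findings.append(f"{cid}: missing after upgrade")
        elif a != b:  # coarse check on displayed fields, not a fingerprint
            findings.append(f"{cid}: differs from pre-upgrade copy")
    for cid, a in after.items():
        if a.get("algorithm") == "rsaEncryption" and a.get("bits", 0) < MIN_RSA_BITS:
            findings.append(f"{cid}: RSA {a['bits']}-bit key below {MIN_RSA_BITS}")
        if "not_after" in a and a["not_after"] <= now:
            findings.append(f"{cid}: expired {a['not_after']:%Y-%m-%d}")
    return findings
```

Pass the text captured before the upgrade as before_text and the text captured after reloading the certificates as after_text; an empty list means the displayed fields match and no key or expiry issue was found.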