Configuring the Connection to an SRX Series Device

 

You can configure Juniper Identity Management Service to serve up to 100 SRX Series devices.

Before you begin, you need the following information:

  • Client ID that the SRX Series device needs to obtain an OAuth token from the JIMS server for user queries. This value must match the client ID configured on the SRX Series device.

  • Client secret that the SRX Series device needs to obtain an OAuth token from the JIMS server for user queries. This value must match the client secret configured on the SRX Series device.

  • For an SRX Series device running Junos OS Release 12.3X48-D45 or later, you also need the username and password that the SRX Series device’s HTTPS server uses to authenticate incoming connections.

To configure the connection to an SRX Series device:

  1. In the navigation pane, select Clients. Click the SRX Clients tab.
  2. In the upper SRX Configured Clients pane, click Add. The Add SRX Client Configuration page appears.

    Note

    Values with a light blue background represent default values. These values can be overridden as needed.

  3. If you have multiple SRX Series devices that can utilize the same client configuration, from the Templates list select one of the available templates to support the grouping of an SRX client configuration. See Configuring SRX Series Device Templates for details on creating an SRX client configuration template.
  4. Type the IP address of the SRX Series device.
  5. Type a description for the SRX Series device.
  6. If your environment contains SRX Series devices running Junos OS Release 12.3X48-D45 or later, click the WebAPI (Legacy) check box, then click Configure. The JIMS to SRX Client Configuration dialog box appears.

    Note

    By default, the JIMS server assumes connectivity to SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, and uses batch query mode to communicate with SRX Series devices. With batch query mode, the JIMS server sends reports in response to requests from the SRX Series device for batch reports. A batch report contains multiple records. The service also responds to individual queries for missing information with reports containing the requested information.

    In the JIMS to SRX Client area of the dialog box, perform the following:



    1. Type the username credential that the HTTPS or HTTP server on the SRX Series device uses to authenticate incoming connections.
    2. Type the password credential that the HTTPS or HTTP server on the SRX Series device uses to authenticate incoming connections.
    3. Type the maximum data rate in entries per second. This is the maximum number of entries (reports) allowed to be sent per second from Juniper Identity Management Service to the SRX Series device. The value can be between 1 and 1,000 entries per second. The default value is 200 entries per second.
    4. The Filter check box for preventing device-only reports from being sent to the SRX Series device is selected by default. To enable sending device-only reports, clear the check box.

      Note

      When creating a template, the Filter parameter uses a tri-state check box to allow an indeterminate state in addition to the two provided in the check box (checked and unchecked). This third state is shown as a black square in the check box, and indicates that its state is neither checked nor unchecked. In this case, the black square means that the value is not to be included in the template.

    5. In the Protocol and Port on Client area, specify the port number on the SRX Series device to use for communication with the JIMS server.

      To use the Secure port, click the Use TLS check box to select it and then type the port number in the Secure Port text field. This value must be a valid port number between 1024 and 65,535, and it must match the SRX WebAPI configuration. The default value for the Secure port is 8443.

      Note

      When creating a template, the Use TLS parameter uses a tri-state check box to allow an indeterminate state in addition to the two provided in the check box (checked and unchecked). This third state is shown as a black square in the check box, and indicates that its state is neither checked nor unchecked. In this case, the black square means that the value is not to be included in the template.

      To use the Debug (HTTP) port, leave the Use TLS check box unchecked and then type the port number in the Debug (HTTP) Port text field. This value must be a valid port number between 1024 and 65,535, and it must match the SRX WebAPI configuration. The default value for the Debug (HTTP) port is 8080.

      Note

      For security considerations, we recommend that you specify a secure HTTPS port rather than an HTTP port. HTTP is supported primarily for debugging purposes.

      If you enable the Debug (HTTP) port and change the port value, ensure that the corresponding port configuration on the SRX Series devices is modified to match this setting.

    6. Click OK to save the JIMS to SRX Client settings.
  7. To allow IPv6-related report information to pass from the JIMS server to SRX Series devices, click the Enable check box. Leave the check box unchecked if you do not want IPv6-related report information to pass to SRX Series devices.

    Starting in Junos OS Release 18.1R1, the IPv6 Enabled check box can be turned ON in the JIMS server to support IPv6 addresses if they are in use, and SRX Series devices can search the identity management authentication table for information based on IPv6 addresses. Prior to Junos OS Release 18.1R1, the client configuration IPv6 Enable check box on the JIMS server is OFF by default for maximal compatibility; in that state it filters all IPv6 addresses from what is sent to the target, and SRX Series devices read only IPv4 addresses. Starting in Junos OS Release 18.1R1, SRX Series devices support the use of IPv6 addresses associated with source identities in security policies. If an IPv4 or IPv6 entry exists, policies matching that entry are applied to the traffic and access is either allowed or denied.

    Note

    When creating a template, the IPv6 Reporting Enable parameter uses a tri-state check box to allow an indeterminate state in addition to the two provided in the check box (checked and unchecked). This third state is shown as a black square in the check box, and indicates that its state is neither checked nor unchecked. In this case, the black square means that the value is not to be included in the template.

  8. In the SRX Client to JIMS area, do the following:

    1. Type the client ID that the JIMS server requires from the SRX Series device in the request to obtain an OAuth access token. This value must match the client ID configured on the SRX Series device.
    2. Type the client secret that the JIMS server requires from the SRX Series device in the request to obtain an OAuth access token. This value must match the client secret configured on the SRX Series device.
    3. In the Token Lifetime text field, type the token lifetime period for OAuth access tokens, which can be between 60 and 36,000 seconds. The default value is 1,200 seconds.
  9. Click OK to save the settings.
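
The following Python audit is an added example, not Juniper code. It checks WebAPI (Legacy) client records against the limits and "must match" requirements in the procedure above and flags any client left on the Debug (HTTP) port. JIMS export format is not described on this page, so the dict field names (`max_rate`, `port`, `use_tls`, `token_lifetime`, `webapi_port`, and so on) and all sample values are assumptions constructed for illustration.

```python
import hmac

# Inclusive limits stated in the procedure above (hypothetical field names).
LIMITS = {"max_rate": (1, 1000), "port": (1024, 65535), "token_lifetime": (60, 36000)}
MAX_CLIENTS = 100  # JIMS serves up to 100 SRX Series devices

def audit_client(jims, srx):
    """Return (severity, message) findings for one JIMS record vs. its SRX device."""
    findings = []
    for field, (lo, hi) in LIMITS.items():
        value = jims.get(field)
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            findings.append(("error", f"{field}={value!r} is outside {lo}-{hi}"))
    if jims.get("use_tls") is not True:
        findings.append(("warn", "Use TLS is off: WebAPI credentials and reports are sent unencrypted"))
    if jims.get("port") != srx.get("webapi_port"):
        findings.append(("error", "port does not match the SRX WebAPI configuration"))
    if jims.get("client_id") != srx.get("client_id"):
        findings.append(("error", "client ID differs from the SRX device"))
    # Constant-time comparison; the secret itself never appears in a finding.
    if not hmac.compare_digest(str(jims.get("client_secret", "")).encode(),
                               str(srx.get("client_secret", "")).encode()):
        findings.append(("error", "client secret differs from the SRX device"))
    return findings

def audit_fleet(pairs):
    """pairs maps SRX IP address -> (jims_record, srx_record); returns only failures."""
    report = {ip: audit_client(j, s) for ip, (j, s) in pairs.items()}
    report = {ip: f for ip, f in report.items() if f}
    if len(pairs) > MAX_CLIENTS:
        report["(fleet)"] = [("error", f"{len(pairs)} clients exceeds {MAX_CLIENTS}")]
    return report

# Constructed sample data: documentation-range addresses, made-up credentials.
GOOD = ({"max_rate": 200, "port": 8443, "use_tls": True, "token_lifetime": 1200,
         "client_id": "srx-branch-1", "client_secret": "example-secret-A"},
        {"webapi_port": 8443, "client_id": "srx-branch-1", "client_secret": "example-secret-A"})
BAD = ({"max_rate": 5000, "port": 8080, "use_tls": False, "token_lifetime": 1200,
        "client_id": "srx-branch-2", "client_secret": "example-secret-B"},
       {"webapi_port": 8443, "client_id": "srx-branch-2", "client_secret": "example-secret-b"})
FLEET = {"192.0.2.10": GOOD, "192.0.2.11": BAD}

if __name__ == "__main__":
    for ip, findings in audit_fleet(FLEET).items():
        for severity, message in findings:
            print(ip, severity, message)
```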