Start J-Web

 

Prerequisites for Using J-Web

To access the J-Web interface for all platforms, your management device requires the following software:

  • Supported browsers—Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer.

    Note

    By default, you establish a J-Web session through an HTTPS-enabled Web browser.

  • Language support—English-version browsers.

Log On to J-Web

To log into the J-Web interface:

  1. Connect the network port of your device to the Ethernet port on the management device (laptop or PC), using an RJ-45 cable.

    Note

    Following are the networks that you can use for your respective device:

    • For SRX300 and SRX320 devices, use network ports numbered 0/1 through 0/6.

    • For SRX550M, use network ports numbered 0/1 through 0/5.

    • For other SRX devices, use the management port labelled MGMT.

  2. Ensure that the management device acquires an IP address from the device.

    Note

    The services gateway functions as a DHCP server and will assign an IP address to the management device. This is applicable only for SRX300 line of devices and SRX550M devices. If an IP address is not assigned to the management device, manually configure an IP address.

  3. Open a browser, and enter https://<IP address> in the address bar.

    Here, <IP address> is the IP address of the SRX Series device.

    The J-Web Setup Wizard page opens. See Figure 1.

    Figure 1: Setup Wizard Page

Configure SRX Devices Using the J-Web Setup Wizard

Using the Setup wizard, you can perform step-by-step configuration of a services gateway that can securely pass traffic.

You can choose one of the following setup modes to configure the services gateway:

  • Standard mode—Configure your SRX Series device to operate in a standard mode. In this mode, you can configure basic settings such as device and users, time and DNS servers, management interface, zones and interfaces, and security policies.

  • Cluster (HA) mode—Configure your SRX Series device to operate in a cluster (HA) mode. In the cluster mode, a pair of devices are connected together and configured to operate like a single node, providing device, interface, and service level redundancy.

    Note

    You cannot configure Standard or Passive mode when your device is in the HA mode.

  • Passive mode—Configure your SRX Series device to operate in a TAP mode. TAP mode allows you to passively monitor traffic flows across a network. If IDP is enabled, then the TAP mode inspects the incoming and outgoing traffic to detect the number of threats.

    Note

    The SRX5000 line of devices, SRX4600, and vSRX devices do not support the passive mode configuration.

To help guide you through the process, the wizard:

  • Determines which configuration tasks to present to you based on your selections.

  • Flags any missing required configuration when you attempt to leave a page.

To configure SRX Devices using the J-Web Setup wizard:

  1. Click the configuration mode that you want to set up.

    The Setup Wizard page appears.

    If you do not want to perform the initial configuration, then:

    1. Click Skip.

      The J-Web Device Password screen appears. See Figure 2.

      Figure 2: Device Password
    2. Enter the root password and reenter it to confirm.
    3. Click OK.

      The password is committed to the device and the J-Web login page appears.

    4. Enter the username and password again and click Log In.

      The J-Web application window appears.

      Note

      You can choose Configure > Setup Wizard through the J-Web menu to configure the wizard.

  2. For standard mode and passive mode, complete the configuration according to the guidelines provided in Table 1.

    Note
    • If you select Cluster (HA) Mode, for the configuration information see Configure Cluster (HA) Setup.

    • In the Setup wizard, root password is mandatory and all the other options are optional. In the passive mode, management interface, Tap interface, and services are mandatory.

  3. Click Finish.

    A success message appears and the device configuration mode of your choice is set up.

    Note
    • Once the configuration is complete, the entire configuration is committed to the device and a success message appears. If the commit fails, the CLI displays an error message and you remain at the wizard’s last page. If required, you can change the configuration until the commit is successful.

    • If connectivity is lost during the commit or if the commit takes more than a minute, a message is displayed with the configured IP address to access J-Web again.

    • For SRX300 line of devices and SRX550M devices, an additional message will be displayed about the device reboot if you have enabled Juniper Sky ATP or Security Intelligence services. For other SRX devices, the device will not reboot.

Table 1: Setup Wizard Configuration

Field

Action

Device & Users

System Identity

Hostname

Enter a hostname.

You can use alphanumeric characters, special characters such as the underscore (_), the hyphen (-), or the period (.); the maximum length is 255 characters.

Allow root user SSH login

Enable this option to allow the root login (to the device) using SSH.

Device Password

Username

Displays the root user.

Note: As a best practice, we recommend that you do not use the root user account to manage your devices.

Password

Enter a password.

You can use alphanumeric characters and special characters; the minimum length is six characters.

Confirm Password

Reenter the password.

User Management

You can create user accounts in addition to the root user account.

Note: As a best practice, we recommend that you do not use the root user account to manage your devices.

To add additional user accounts and to assign them a role:

  1. Click +.
  2. Enter the details in the following fields:
    • Username—Enter a username. Do not use space or symbols.

    • Password—Enter a password.

      You can use alphanumeric characters and special characters; the minimum length is six characters.

    • Confirm Password—Reenter the password.

    • Role—Select a role from the list.

      Available options are: Super User, Operator, Read-Only, and Unauthorized.

  3. Click the tick mark.

You can edit the user details using the pencil icon or select the existing user and delete it using the delete icon.

Time & DNS Servers

Set Date & Time

Set system time

Select either NTP server or Manual to configure the system time.

Date and Time

Select the date and time (in DD-MM-YYYY and HH:MM:SS 24-hour or AM/PM formats) to configure the system time manually.

NTP Server

Enter a hostname or IP address of the NTP server.

Once the system is connected to the network, the system time is synced with the NTP server time.

Note: If you want to add more NTP servers, go to Configure > Device Settings > Basic Settings > Date & Time Details through the J-Web menu.

Time zone

Select an option from the list. By default, device current time (UTC) is selected.

DNS Servers

DNS Server 1

By default, 8.8.8.8 is displayed.

Note: Entering a new IP address for the DNS server will remove the default IP address.

DNS Server 2

Enter an IP address for the DNS server. By default, 8.8.4.4 is displayed.

Note: Entering a new IP address for the DNS server will remove the default IP address.

Management Interface

Management Interface

Note: If you change the management IP address and click Next, a warning message appears on the Management Interface page that you need to use the new management IP address to log in to J-Web because you may lose the connectivity to J-Web.

Management Port

Select an option from the list.

If fxp0 port is your device’s management port, then the fxp0 port is displayed. You can change it as required or you can select None and proceed to the next page.

Note:

  • You can choose the revenue port as management port if your device does not support the fxp0 port. Revenue ports are all ports except fxp0 and em0.

  • If you are in Tap mode, it is mandatory to configure a management port. J-Web needs a management port to view the generated report.

IPv4

Note: Click Email it to self to get the newly configured IPv4 address to your inbox. This is useful if you lose connectivity when you change the management IP address to another network.

Management Address

Enter a valid IPv4 address for the management interface.

Note: If fxp0 port is your device’s management port, then the fxp0 port’s default IP address is displayed. You can change it if required.

Management Subnet Mask

Enter a subnet mask for the IPv4 address.

Static Route

Enter an IPv4 address for the static route to route to the other network devices.

Static Route Subnet Mask

Enter a subnet mask for the static route IPv4 address.

Next Hop Gateway

Enter a valid IPv4 address for the next hop.

IPv6

Management Access

Enter a valid IPv6 address for the management interface.

Management Subnet Prefix

Enter a subnet prefix length for the IPv6 address.

Static Route

Enter an IPv6 address for the static route to route to the other network devices.

Static Route Subnet Prefix

Enter a subnet prefix length for the static route IPv6 address.

Next Hop Gateway

Enter a valid IPv6 address for the next hop.

Access Protocols

Note:

  • This option is not available if the management port is fxp0. If the management port is not fxp0, a new dedicated functional management zone is created and the configured access protocols are added to the zone.

  • In the Setup wizard, you cannot add any additional protocols.

HTTPS

Select this option for the web management using HTTP secured by SSL.

Note: By default, this option is selected.

SSH

Select this option for the SSH service.

Note: By default, this option is selected.

Ping

Select this option for the internet control message protocol.

Note: By default, this option is selected.

DHCP

Select this option for the Dynamic Host Configuration Protocol.

Netconf

Select this option for the NETCONF Service.

Zones & Interfaces—For Standard Mode

Zones & Interfaces

Zone Name

View the zone name populated from your device factory default settings.

Note: For Standard mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.

Interfaces

View the interface names populated from your device factory default settings.

Description

Enter the description for zone and interfaces.

Edit

Select a zone and click the pencil icon at the right corner of the table to modify the configuration.

For more information on editing zones, see Table 2 and Table 3.

Search

Click the search icon at the right corner of the table to quickly locate a zone or an interface.

Detailed View

Hover over the zone name and click the Detailed View icon to view the zone and interface details.

You can also click More and select Detailed View for the selected zone.

Zones & Interfaces—For Passive Mode

TAP Interface

Physical Interface

Select an interface from the list.

For Passive mode, untrust zone will be displayed.

Internet Connectivity

Note: Your device must have internet connectivity to use IPS, AppSec, Web filtering, Juniper Sky ATP, and Security threat intelligence services.

Name

View the zone name populated from your device factory default settings.

Note: For Passive mode, untrust zone is created by default.

Interfaces

View the interface names populated from your device factory default settings.

Description

Enter the description for zone and interfaces.

Edit

Select a zone and click the pencil icon at the right corner of the table to modify the configuration.

For more information on editing zones, see Table 2 and Table 3.

Search

Click the search icon at the right corner of the table to quickly locate a zone or an interface.

Detailed View

Hover over the zone name and click the Detailed View icon to view the zone and interface details.

You can also click More and select Detailed View for the selected zone.

Default Gateway

Default Gateway (IPv4)

Enter the IPv4 address of the default gateway.

Default Gateway (IPv6)

Enter the IPv6 address of the default gateway.

Security Policies

Security Services

UTM

Enable this option for configuring UTM services.

License

Enter UTM license key and click Install License to add a new license.

Note:

  • Use a blank line to separate multiple license keys.

  • To use UTM services, your device must have internet connectivity from a revenue interface.

UTM Type

Select an option to configure UTM features:

  • Web Filtering

  • Anti Virus

  • Anti Spam

Web Filtering Type

Select an option:

  • Enhanced—Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

  • Local—Specifies the local profile type.

IPS

Enable this option to install the IPS signatures.

  • IPS Policy—Displays the IPS policy wizard name.

  • License—Enter the license key and click Install License to add a new license.

    Note: The installation process may take a few minutes.

  • IPS Signature—Click Browse to navigate to the IPS signature package folder and select it. Click Install to install the selected IPS signature package.

    Note: You can download the IPS signature offline package at https://support.juniper.net/support/downloads/.

Sky ATP

Enable this option to use Juniper Sky ATP services.

Note: After the Juniper Sky ATP configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper Sky ATP enrollment process through J-Web.

Security Intelligence

Enable this option to use Security Intelligence services.

Note: After the Security Intelligence configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper Sky ATP enrollment process through J-Web.

User Firewall

Enable this option to use user firewall services.

  • Domain Name—Enter a domain name for Active Directory.

  • Domain Controller—Enter domain controller IP address.

  • Username—Enter a username for administrator privilege.

  • Password—Enter a password for administrator privilege.

Security Policies

Note: The table lists the security policy along with the selected advanced security settings.

Policy Name

Name of the policy.

Note:

  • If you are in Standard mode, trust-to-untrust policy is created by default.

  • If you are in Tap mode, tap-policy is created by default.

From Zone

Name of the source zone.

Note:

  • If you are in Standard mode, permits all traffic from the trust zone.

  • If you are in Tap mode, permits all traffic from the tap zone.

To Zone

Name of the destination zone.

  • If you are in Standard mode, permits all traffic from the trust zone to the untrust zone.

  • If you are in Tap mode, permits all traffic from the tap zone to the tap zone.

Source Address

Name of the source address (not the IP address) of a policy.

Destination Address

Name of the destination address.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Advanced Security

Name of the configured advanced security settings.

Table 2: Edit Trust Zone

Field

Action

General Information

Name

Displays the zone name.

Description

Enter the description for the zone.

Application Tracking

Enable this option to provide application tracking support to the zone.

Source Identity Log

Enable this option to trigger user identity logging when that zone is used as the source zone in a security policy.

Services

By default, this option is enabled. You can disable if required.

all—Specifies all system services.

Protocols

By default, this option is enabled. You can disable if required.

all—Specifies all protocols.

Interfaces

Name

Displays the name of the interface.

Description

Displays the description of the interface.

IP Address

Displays the IP address of the interface.

VLAN

Displays the VLAN name.

Services

Displays the system service option selected.

Protocols

Displays the protocol option selected.

Add

To add a switching or a routing interface:

  1. Click +.

    The Add Interface page appears.

  2. Enter the following details:
    • General (fields for switching interface):

      • Type (family)—Select Switching.

        Note: This option will be available for only SRX300 line of devices, SRX550M, and SRX1500 devices. For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available.

      • Routing Interface (IRB) Unit—Enter the IRB unit.

      • Description—Enter the description for the interface.

    • General (fields for routing interface):

      • Type (family)—Select Routing.

        For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available.

      • Interface Name—Select an option from list.

      • Interface Unit—Enter the Inet unit.

        Note: VLAN tagging is enabled automatically if the interface unit is higher than zero.

      • Description—Enter the description for the interface.

      • VLAN ID—Enter the VLAN ID.

        Note: VLAN ID is mandatory if the interface unit is higher than zero.

    • Interfaces—Select an interface from the Available column and move it to the Selected column.

      Note: This option is available only for the Switching family type.

    • IPv4:

      • IPv4 Address—Enter a valid IPv4 address for the switching or the routing interface.

      • Subnet Mask—Enter a subnet mask for the IPv4 address.

    • IPv6:

      • IPv6 Address—Enter a valid IPv6 address for the switching or the routing interface.

      • Subnet Prefix—Enter a subnet prefix for the IPv6 address.

    • VLAN Details:

      Note: This option is available only for the Switching family type.

      • VLAN Name—Enter a unique name for the VLAN.

      • VLAN ID—Enter the VLAN ID.

    • DHCP Local Server:

      • DHCP Local Server—Enable this option to configure the switch to function as an extended DHCP local server.

      • DHCP Pool Name—Enter the DHCP pool name.

      • DHCP Pool Range (Low)—Enter an IP address that is the lowest address in the IP address pool range.

      • DHCP Pool Range (High)—Enter an IP address that is the highest address in the IP address pool range.

        Note: This address must be greater than the address specified in DHCP Pool Range (Low).

      • Propagate Settings from—Select an interface on the router through which the resolved DHCP queries are propagated to the DHCP pool.

    • System Services—Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

      The available options are:

      • all—Specify all system services.

      • any-service—Specify services on entire port range.

      • appqoe—Specify the APPQOE active probe service.

      • bootp—Specify the Bootp and dhcp relay agent service.

      • dhcp—Specify the Dynamic Host Configuration Protocol.

      • dhcpv6—Enable Dynamic Host Configuration Protocol for IPV6.

      • dns—Specify the DNS service.

      • finger—Specify the finger service.

      • ftp—Specify the FTP protocol.

      • http—Specify the Web management using HTTP.

      • https—Specify the Web management using HTTP secured by SSL.

      • ident-reset—Specify the send back TCP RST IDENT request for port 113.

      • ike—Specify the Internet key exchange.

      • lsping—Specify the Label Switched Path ping service.

      • netconf—Specify the NETCONF Service.

      • ntp—Specify the network time protocol.

      • ping—Specify the internet control message protocol.

      • r2cp—Enable Radio-Router Control Protocol.

      • reverse-ssh—Specify the reverse SSH Service.

      • reverse-telnet—Specify the reverse telnet Service.

      • rlogin—Specify the Rlogin service.

      • rpm—Specify the Real-time performance monitoring.

      • rsh—Specify the Rsh service.

      • snmp—Specify the Simple Network Management Protocol.

      • snmp-trap—Specify the Simple Network Management Protocol trap.

      • ssh—Specify the SSH service.

      • tcp-encap—Specify the TCP encapsulation service.

      • telnet—Specify the Telnet service.

      • tftp—Specify the TFTP.

      • traceroute—Specify the traceroute service.

      • webapi-clear-text—Specify the Webapi service using http.

      • webapi-ssl—Specify the Webapi service using HTTP secured by SSL.

      • xnm-clear-text—Specify the JUNOScript API for unencrypted traffic over TCP.

      • xnm-ssl—Specify the JUNOScript API Service over SSL.

    • Protocols—Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.

      The available options are:

      • all—Specifies all protocols.

      • bfd—Bidirectional Forwarding Detection.

      • bgp—Border Gateway Protocol.

      • dvmrp—Distance Vector Multicast Routing Protocol.

      • igmp—Internet Group Management Protocol.

      • ldp—Label Distribution Protocol.

      • msdp—Multicast Source Discovery Protocol.

      • nhrp—Next Hop Resolution Protocol.

      • ospf—Open shortest path first.

      • ospf3—Open shortest path first version 3.

      • pgm—Pragmatic General Multicast.

      • pim—Protocol Independent Multicast.

      • rip—Routing Information Protocol.

      • ripng—Routing Information Protocol next generation.

      • router-discovery—Router Discovery.

      • rsvp—Resource Reservation Protocol.

      • sap—Session Announcement Protocol.

      • vrrp—Virtual Router Redundancy Protocol.

Edit

Select an interface and click the edit icon at the top right corner of the table.

The Edit Interface page appears with editable fields.

Note: As interface name is prepopulated, you cannot edit it.

Delete

Select an interface and click the delete icon at the top right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search

Click the search icon at the top right corner of the table and enter partial text or full text of the keyword in the search bar.

The search results are displayed.

Table 3: Edit Untrust Zone

Field

Action

General Information

Name

Displays the zone name as untrust.

Description

Enter the description for the zone.

Application Tracking

Enable this option to provide application tracking support to the zone.

Source Identity Log

Enable this option for system services.

Interfaces

Name

Displays the name of the physical interface.

Description

Displays the description of the interface.

Address Mode

Displays the type of address mode.

IP Address

Displays the IP address of the interface.

Services

Displays the system service option selected.

Protocols

Displays the protocol option selected.

Add

To add an interface to the untrust zone:

  1. Click +.

    The Add Interface page appears.

  2. Enter the following details:
    • General:

      • Interface Name—Select an interface from the list.

      • Interface Unit—By default 0 will be populated. You can change the unit value if required.

      • Description—Enter the description for the interface.

      • Address Mode—Select an address mode for the interface. The available options are DHCP Client, PPPoE (PAP), PPPoE (CHAP) and Static IP.

        Note: PPPoE (PAP) and PPPoE (CHAP) are not supported for SRX5000 line of devices and if any of the devices are in passive mode.

      • Username—Enter a username for PPPoE (PAP) or PPPoE (CHAP) authentication.

      • Password—Enter a password for PPPoE (PAP) or PPPoE (CHAP) authentication.

    • IPv4:

      Note: This option is available only for the Static IP address mode.

      • IPv4 Address—Enter a valid IPv4 address for the interface.

      • Subnet Mask—Enter a subnet mask for the IPv4 address.

    • IPv6:

      Note: This option is available only for the Static IP address mode.

      • IPv6 Address—Enter a valid IPv6 address for the interface.

      • Subnet Prefix—Enter a subnet prefix for the IPv6 address.

    • System Services—Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.

    • Protocols—Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.

Edit

Select an interface and click the edit icon at the top right corner of the table.

The Edit Interface page appears with editable fields.

Note: As interface name is prepopulated, you cannot edit it.

Delete

Select an interface and click the delete icon at the top right corner of the table.

A confirmation window appears. Click Yes to delete the selected interface or click No to discard.

Search

Click the search icon at the top right corner of the table and enter partial text or full text of the keyword in the search bar.

The search results are displayed.
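
The following is an added example, not Juniper code: a Python check over a set-format configuration export that flags the permissive choices described in Tables 1 through 3, namely root SSH login, "all" system services or protocols on a zone, unencrypted entries from the System Services list, and a permit-any policy such as the default trust-to-untrust. The sample configuration is constructed, and the mapping from wizard fields to these Junos statements is an assumption of the example.

```python
import re
from collections import defaultdict

# Entries from the page's System Services list that run without encryption.
CLEARTEXT_SERVICES = {
    "http", "telnet", "reverse-telnet", "ftp", "tftp", "rlogin", "rsh",
    "finger", "xnm-clear-text", "webapi-clear-text",
}

# Constructed sample in Junos "set" format (not captured from a device).
SAMPLE_CONFIG = """\
set system host-name srx-lab
set system services ssh root-login allow
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""

# Zone-level or interface-level host-inbound-traffic statement. The trailing $
# skips "<service> except" lines, which remove a service rather than allow it.
HOST_INBOUND = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) "
    r"(?:interfaces (?P<ifc>\S+) )?host-inbound-traffic "
    r"(?P<kind>system-services|protocols) (?P<name>\S+)$"
)
POLICY = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$"
)
PERMIT_ANY = {
    "match source-address any", "match destination-address any",
    "match application any", "then permit",
}


def audit(config_text):
    """Return sorted (check_id, subject) findings for a set-format config."""
    findings = set()
    policies = defaultdict(set)  # (from, to, name) -> statements seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "set system services ssh root-login allow":
            findings.add(("ROOT_SSH", "system"))
            continue
        m = HOST_INBOUND.match(line)
        if m:
            scope = m["zone"] + (":" + m["ifc"] if m["ifc"] else "")
            if m["kind"] == "protocols":
                if m["name"] == "all":
                    findings.add(("INBOUND_ALL_PROTOCOLS", scope))
            elif m["name"] in ("all", "any-service"):
                findings.add(("INBOUND_ALL_SERVICES", scope))
            elif m["name"] in CLEARTEXT_SERVICES:
                findings.add(("CLEARTEXT_SERVICE", scope + "/" + m["name"]))
            continue
        m = POLICY.match(line)
        if m:
            rest = m["rest"]
            # "then permit application-services ..." still permits the match.
            if rest.startswith("then permit"):
                rest = "then permit"
            policies[(m["src"], m["dst"], m["name"])].add(rest)
    for (src, dst, name), stmts in policies.items():
        if PERMIT_ANY <= stmts:
            findings.add(("PERMIT_ANY", f"{src}->{dst}:{name}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check:22} {subject}")
```
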

J-Web First Look

Each page of the J-Web interface is divided into the following panes (see Figure 3):

  • Launch pad—Displays high level details of the system identification, active users, and interface status.

  • Top pane—Displays identifying information and links.

  • Side pane—Displays subtasks of the Monitor, Configure, Reports, and Administration task currently displayed in the main pane. Click an item to access it in the main pane.

  • Main pane—Location where you monitor, configure, view or generate reports, and administrate the Juniper Networks device by entering information in text boxes, making selections, and clicking buttons.

Figure 3: J-Web First Look