Built-In Ethernet Port for the SRX650 Services Gateway

The four built-in Gigabit Ethernet ports, ge-0/0/0 through ge-0/0/3, on the front panel of the SRX650 Services Gateway are the ports through which you perform initial device setup.

Note: If chassis clustering is enabled, Juniper recommends using the ge-0/0/0 port as the management port (fxp0) and using the ge-0/0/1 port (if used) as the control port (fxp1). The fxp0 and fxp1 ports are created only when chassis clustering is enabled. You can use the other ports as fabric ports.

Before initial configuration, when the factory default configuration is active, the services gateway attempts to perform autoinstallation by obtaining a device configuration through all its connected interfaces, including ge-0/0/0. All interfaces are configured as Layer 3 interfaces. See Table 1 for the default interface configuration.

Table 1: Default Interface Configuration for the Services Gateway

| Interface | Security Zone | DHCP State | Address |
|---|---|---|---|
| ge-0/0/0 (Note: If chassis clustering is enabled, use this port as the management port (fxp0).) | untrust | client | dynamically assigned |
| ge-0/0/1 (if used) (Note: If chassis clustering is enabled, use this port as the control port (fxp1).) | trust | server | 192.168.1.1/24 |
| ge-0/0/2 (if used) (Note: Use this port as a fabric port.) | trust | server | 192.168.2.1/24 |
| ge-0/0/3 (if used) (Note: Use this port as a fabric port.) | trust | server | 192.168.3.1/24 |

By default, the security policies and NAT rules shown in Table 2 and Table 3 are created on the SRX Series services gateway.

Table 2: Security Policies

| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |

Table 3: NAT Rule

| Source Zone | Destination Zone | NAT Action |
|---|---|---|
| trust | untrust | Source NAT to untrust zone interface |

For example, a common default firewall configuration includes the following assumptions:

  • The protected network is connected to the ge-0/0/1 interface and fe-0/0/2 interface in the trust zone.
  • Connectivity to the Internet is through the ge-0/0/0 interface in the untrust zone.
  • The IP address of the ge-0/0/0 interface is assigned via DHCP.

Note: The ge-0/0/1 interface and fe-0/0/2 interface are a part of the default VLAN. The protected hosts can be connected to any one of the ports that are part of the default VLAN.

You can configure the services gateway from the CLI or with J-Web. To use J-Web, connect a desktop or notebook computer to the ge-0/0/1 interface. The IP address of the desktop or notebook computer can be statically configured or assigned by the factory default DHCP server enabled on the VLAN interface.

Once you connect your desktop or notebook computer to ge-0/0/1, you can use a Web browser to visit the address 192.168.1.1/24, access J-Web and complete the initial configuration of the services gateway.

After you perform the initial configuration and commit it by clicking Apply or OK, the configured services gateway can no longer act as a DHCP server. Therefore, to continue using the services gateway as a management interface, you should configure the IP address of the interface as part of the initial configuration.

After the initial configuration is complete, you can attach the built-in Ethernet port that you are using for management purposes to the management network.
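Before attaching the device to a production network, it helps to confirm which of the factory defaults in Tables 1 through 3 are still in place. The following is an added example, not Juniper code: a short Python audit over configuration text in Junos `display set` style. The sample configuration, the policy name `default-permit`, the rule-set name `trust-to-untrust`, and the exact statement forms matched are constructed assumptions; adjust them to what your device actually shows.

```python
import re

# Constructed sample in Junos "display set" style; not captured from a real device.
SAMPLE_CONFIG = """\
set system autoinstallation interfaces ge-0/0/0 bootp
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.20.30.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule r1 then source-nat interface
"""

# Factory-default static addresses from Table 1.
DEFAULT_ADDRESSES = {
    "ge-0/0/1": "192.168.1.1/24",
    "ge-0/0/2": "192.168.2.1/24",
    "ge-0/0/3": "192.168.3.1/24",
}
PERMIT_RE = re.compile(
    r"set security policies from-zone trust to-zone untrust policy (\S+) then permit$")
SNAT_RE = re.compile(
    r"set security nat source rule-set \S+ rule \S+ then source-nat interface$")

def audit_factory_defaults(config_text):
    """Return a list of findings for factory-default settings still present."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    if any(l.startswith("set system autoinstallation") for l in lines):
        findings.append("autoinstallation is still configured")
    if "set interfaces ge-0/0/0 unit 0 family inet dhcp" in lines:
        findings.append("ge-0/0/0 is a DHCP client (dynamically assigned address)")
    for ifname, addr in DEFAULT_ADDRESSES.items():
        if f"set interfaces {ifname} unit 0 family inet address {addr}" in lines:
            findings.append(f"{ifname} still has default address {addr}")
    for l in lines:
        m = PERMIT_RE.match(l)
        if m:
            findings.append(f"policy {m.group(1)} permits trust -> untrust")
    if any(SNAT_RE.match(l) for l in lines):
        findings.append("source NAT to an interface address is configured")
    return findings

if __name__ == "__main__":
    for finding in audit_factory_defaults(SAMPLE_CONFIG):
        print("REVIEW:", finding)
```

Each finding is a prompt for review rather than a defect by itself: a trust-to-untrust permit with interface source NAT may be intended, while leftover autoinstallation or default addressing usually means initial configuration was never completed.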


Published: 2010-02-01