SRX240 Services Gateway Software Configuration Overview


This topic includes the following sections:

Preparing the SRX240 Services Gateway for Configuration

The services gateway is shipped with the Juniper Networks Junos operating system (Junos OS) preinstalled. When the services gateway is powered on, it is ready to be configured.

You can perform the initial configuration of the services gateway by using the browser-based setup wizard or by using the command-line interface (CLI).

Before configuring the services gateway, gather the configuration information required to deploy the services gateway in your network. At minimum, the setup wizard requires the following information:

  • Device name to be used on the network

  • Password for the root user

  • Time information for the services gateway location:

    • Local time zone

    • Name or IP address of a Network Time Protocol (NTP) server, if NTP is used to set the time on the services gateway

    • Local date and time if an NTP server is not used to set the time

Understanding the Factory Default Configuration

Your services gateway comes configured with a default configuration. This factory default configuration sets up the following network topology:

  • Interface ge-0/0/0 (port 0/0) is configured for Internet access. A DHCP client running on the interface enables the interface to receive its network settings—IP address, default gateway, and DNS servers—from an Internet service provider (ISP).

  • Interfaces ge-0/0/1 through ge-0/0/15 (port 0/1 through port 0/15) are configured as switched interfaces in a VLAN on which the IP address is configured.

  • A DHCP server is active on interfaces ge-0/0/1 through ge-0/0/15. The DHCP server assigns IP addresses in the network to connected devices.

The default configuration also includes the following security configuration:

  • Two security zones are created: trust and untrust.

  • Interface ge-0/0/0 is in the untrust zone, while interfaces ge-0/0/1 through ge-0/0/15 are in the trust zone.

  • A security policy is created that permits outbound traffic from the trust zone to the untrust zone. Inbound traffic originating in the untrust zone is blocked.

  • Source Network Address Translation (NAT) is configured on the trust zone.

Understanding Built-In Ethernet Ports and Initial Configuration

During the initial configuration of the services gateway, how you use the built-in Ethernet ports (ports 0/0 through 0/15) depends on the initial configuration you are performing:

  • Configuration using autoinstallation—Use the built-in Ethernet port 0/0 to connect to the DHCP server. A DHCP client is configured on this interface, allowing the services gateway to receive its IP address from the DHCP server.

  • Configuration using the setup wizard—Use the following built-in Ethernet ports:

    • Port 0/1—Connect your management device to this port. A DHCP server running on this interface automatically assigns your management device an IP address on the same subnetwork as the interface, allowing your management device to communicate with the services gateway through this interface.

    • Port 0/0—Connect your services gateway to the Internet on this port if you plan to download purchased software licenses through the setup wizard. A DHCP client running on this interface allows it to receive its network settings from the ISP.


      Downloading of purchased licenses from the setup wizard is available only in Junos OS Release 11.2R3 or later.

  • Configuration of a chassis cluster—Perform the initial configuration of the chassis cluster using a console connection. Before you perform the initial configuration, connect the built-in Ethernet ports as follows:

    • Port 0/0—Connect to the out-of-band management network for management of the services gateway. When you enable chassis clustering as part of configuring the chassis cluster, the management interface (fxp0) is automatically created on this port.

    • Port 0/1—Connect to the other device in the chassis cluster. When you enable chassis clustering, the control interface between the two devices (fxp1) is automatically created on this port.

    You must also make another connection between the two devices for the fabric link. You can use any available Gigabit Ethernet port for this connection. You must configure the interface you choose as the fabric link. For more information on configuring chassis clusters, see the Security Basics.

Mapping the Chassis Cluster Ports

A chassis cluster is created by physically connecting two identical SRX240 Services Gateways together using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two services gateways.

The fxp0 port is dedicated as the out-of-band management interface for each of the services gateways in the chassis cluster setup, and the fxp1 port is dedicated as the chassis-cluster control port.

On the SRX240 Services Gateway, the fxp1 port is not user configurable when the services gateway is operating in chassis cluster mode.

Table 1 shows the mapping of the chassis cluster ports.

Table 1: Mapping the Chassis Cluster Ports on an SRX240 Services Gateway

| Ethernet Ports on SRX240 Services Gateway | Management Interface   |
|-------------------------------------------|------------------------|
| 0/0 (ge-0/0/0)                            | fxp0 (management port) |
| 0/1 (ge-0/0/1)                            | fxp1 (control port)    |


On the SRX240 Services Gateway, the fabric link connection can be any pair of Gigabit Ethernet interfaces.

Junos OS automatically creates the fxp0 and fxp1 interfaces on these ports when the SRX240 Services Gateway is operating in chassis cluster mode.

For more information, see the following guides:

Understanding Management Access

Telnet allows you to connect to the services gateway and access the CLI to execute commands from a remote system. Telnet CLI connections are not encrypted and therefore can be intercepted.


Telnet access to the root user is prohibited. You must use more secure methods, such as SSH, to log in as root.

SSH provides the following features:

  • Allows you to connect to the services gateway and access the CLI to execute commands from a remote system

  • Encrypts traffic so that it cannot be intercepted (unlike Telnet)

  • Can be configured so that connections are authenticated by a digital certificate

  • Uses public–private key technology for both connection and authentication

The SSH client software must be installed on the machine where the client application runs. If the SSH private key is encrypted (for greater security), the SSH client must be able to access the passphrase used to decrypt the key.

For information about obtaining SSH software, see and

If you are using a Junos XML protocol server to configure and monitor devices, you can activate cleartext access on the device to allow unencrypted text to be sent directly over a Transmission Control Protocol (TCP) connection without using any additional protocol (such as SSH, SSL, or Telnet). For more information about the Junos XML management protocol, see the Junos XML Management Protocol Guide.


Information sent in cleartext is not encrypted and therefore can be intercepted.
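The following audit script is an added example, not part of the original Juniper documentation. It reads a configuration in `show configuration | display set` form and reports where the two cleartext management methods described above (Telnet and the Junos XML cleartext service, `xnm-clear-text`) are enabled or permitted into a security zone. The sample configuration and the `audit` function name are constructed for illustration.

```python
import re

# Cleartext management services named on this page, keyed by Junos statement name.
CLEARTEXT = {
    "telnet": "Telnet CLI sessions are not encrypted",
    "xnm-clear-text": "Junos XML protocol over plain TCP is not encrypted",
}
SERVICE_RE = re.compile(r"^set system services (\S+)")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) (?:interfaces \S+ )?"
                     r"host-inbound-traffic system-services (\S+)")

def audit(config_text):
    """Return sorted (location, service, reason) findings for `display set` text.

    Only `set` lines are read; `deactivate` lines are not tracked.
    """
    enabled, zone_allows, ssh = set(), set(), False
    for line in map(str.strip, config_text.splitlines()):
        if m := SERVICE_RE.match(line):
            svc = m.group(1)
            ssh = ssh or svc == "ssh"
            if svc in CLEARTEXT:
                enabled.add(svc)
        elif m := ZONE_RE.match(line):
            zone_allows.add(m.groups())
    findings = {("system services", s, CLEARTEXT[s]) for s in enabled}
    for zone, svc in zone_allows:
        # `all` admits every service that is enabled under `system services`.
        exposed = enabled if svc == "all" else {svc} & set(CLEARTEXT)
        for s in exposed:
            findings.add((f"zone {zone}", s, CLEARTEXT[s]))
    if not ssh:
        findings.add(("system services", "ssh", "no encrypted CLI access configured"))
    return sorted(findings)

# Constructed sample, not taken from a real device.
SAMPLE = """\
set system services ssh root-login deny
set system services telnet
set system services xnm-clear-text
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
"""

if __name__ == "__main__":
    for location, service, reason in audit(SAMPLE):
        print(f"{location}: {service} ({reason})")
```

An empty result means SSH is configured and neither cleartext service is enabled or admitted by a zone.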

If the device is operating in a Common Criteria environment, see the Configuration Guides for Junos OS Public Sector Certifications.