
Built-In Ethernet Ports for the SRX650 Services Gateway

 

You perform initial device setup through the four built-in Gigabit Ethernet ports, ge-0/0/0 through ge-0/0/3, on the front panel of the SRX650 Services Gateway.

Note

If chassis clustering is enabled, we recommend using the ge-0/0/0 port as the management port (fxp0) and using the ge-0/0/1 port (if used) as the control port (fxp1). The fxp0 and fxp1 ports are created only when chassis clustering is enabled. You can use the other ports as fabric ports.

Before initial configuration, when the factory default configuration is active, the services gateway attempts to perform autoinstallation by obtaining a device configuration through all its connected interfaces, including ge-0/0/0. All interfaces are configured as Layer 3 interfaces. See Table 1 for the default interface configuration.

Table 1: Default Interface Configuration for the Services Gateway

| Interface | Security Zone | DHCP State | Address |
| --- | --- | --- | --- |
| ge-0/0/0. Note: If chassis clustering is enabled, use this port as the management port (fxp0). | Untrust | Client | Dynamically assigned |
| ge-0/0/1 (if used). Note: If chassis clustering is enabled, use this port as the control port (fxp1). | Trust | Server | 192.168.1.1/24 |
| ge-0/0/2 (if used). Note: Use this port as a fabric port. | Trust | Server | 192.168.2.1/24 |
| ge-0/0/3 (if used). Note: Use this port as a fabric port. | Trust | Server | 192.168.3.1/24 |

By default, the security policies and NAT rules in Table 2 and Table 3 are created on the SRX Series device.

Table 2: Security Policies

| Source Zone | Destination Zone | Policy Action |
| --- | --- | --- |
| Trust | Untrust | Permit |

Table 3: NAT Rule

| Source Zone | Destination Zone | NAT Action |
| --- | --- | --- |
| Trust | Untrust | Source NAT to untrust zone interface |

For example, a common default firewall configuration includes the following assumptions:

  • The protected network is connected to the ge-0/0/1 interface and the ge-0/0/2 interface in the trust zone.

  • Connectivity to the Internet is through the ge-0/0/0 interface in the untrust zone.

  • The IP address of the ge-0/0/0 interface is assigned via DHCP.

Note

The ge-0/0/1 interface and ge-0/0/2 interface are a part of the default VLAN. The protected hosts can be connected to any one of the ports that are part of the default VLAN.

You can configure the services gateway using the CLI or J-Web. To use J-Web, connect a desktop or laptop computer to the ge-0/0/1 interface. The IP address of the desktop or laptop computer can be statically configured or assigned by the factory default DHCP server enabled on the VLAN interface.

After you connect your desktop or laptop computer to ge-0/0/1, you can use a Web browser to visit the address http://192.168.1.1, access the J-Web setup wizard, and complete the initial setup configuration of the services gateway.

After you perform the initial configuration and commit it by clicking Commit, the configured services gateway can no longer act as a DHCP server. Therefore, to continue managing the services gateway through that interface, you should configure the IP address of the interface as part of the initial configuration.

After the initial configuration is complete, you can attach the built-in Ethernet port that you are using for management purposes to the management network.
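As an added example (not Juniper's code), the following Python check scans a configuration in `set` format, such as the output of `show configuration | display set`, and lists which factory defaults from Table 1 and Table 2 are still present after initial setup. The sample configuration is constructed for illustration, and the function name and finding labels are this example's own.

```python
import re

# Factory defaults copied from Table 1 of this page.
DEFAULT_ADDR = {"ge-0/0/1": "192.168.1.1/24", "ge-0/0/2": "192.168.2.1/24",
                "ge-0/0/3": "192.168.3.1/24"}
DEFAULT_ZONE = {"ge-0/0/0": "untrust", "ge-0/0/1": "trust",
                "ge-0/0/2": "trust", "ge-0/0/3": "trust"}

ADDR = re.compile(r"set interfaces (\S+) unit \d+ family inet address (\S+)")
DHCP = re.compile(r"set interfaces (\S+) unit \d+ family inet dhcp\b")
ZONE = re.compile(r"set security zones security-zone (\S+) interfaces ([^.\s]+)")
PERMIT = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy \S+ then permit\b")
AUTO = re.compile(r"set system autoinstallation\b")

# Constructed sample: ge-0/0/1 was re-addressed, everything else is still default.
SAMPLE = """\
set system autoinstallation interfaces ge-0/0/0 bootp
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet address 10.20.30.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""

def audit_factory_defaults(config_text):
    """Return a sorted list of factory-default settings still in the config."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ADDR.match(line):
            if DEFAULT_ADDR.get(m[1]) == m[2]:
                found.add(f"{m[1]}: factory address {m[2]}")
        elif m := DHCP.match(line):
            if m[1] == "ge-0/0/0":
                found.add("ge-0/0/0: DHCP client")
        elif m := ZONE.match(line):  # interface captured without its unit suffix
            if DEFAULT_ZONE.get(m[2]) == m[1].lower():
                found.add(f"{m[2]}: factory zone {m[1]}")
        elif m := PERMIT.match(line):
            if (m[1].lower(), m[2].lower()) == ("trust", "untrust"):
                found.add("policy: trust -> untrust permit")
        elif AUTO.match(line):
            found.add("system: autoinstallation configured")
    return sorted(found)
```

Calling `audit_factory_defaults(SAMPLE)` reports every remaining default except the address of ge-0/0/1, which the sample has already changed.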