Performing Initial Software Configuration on the SRX1400 Services Gateway (CLI Procedure)
This sample procedure explains how you can create an initial configuration using CLI commands to connect the services gateway to the network. For complete information about enabling the services gateway to forward traffic, including examples, see the appropriate Junos OS configuration guides at www.juniper.net/documentation/.
To configure Junos OS:
- Verify that the device is powered on.
- Log in as the root user. There is no password.
- Start the CLI.
root#cli
root#
- Enter configuration mode.
configure
[edit]
root@#
- Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
[edit]
root@# set system root-authentication plain-text-password
New password: password
Retype new password: password
- Configure an administrator account on the device. When you are prompted, enter the password for the administrator account.
[edit]
root@# set system login user admin class super-user authentication plain-text-password
New password: password
Retype new password: password
- Commit the configuration to activate it on the services gateway.
[edit]
root@# commit
- Log in as the administrative user you configured in Step 6.
- Configure the name of the services gateway. If the name includes spaces, enclose the name in quotation marks (“ ”).
configure
[edit]
admin@# set system host-name host-name
- Configure the IP address and prefix length for the services gateway Ethernet interface.
[edit]
admin@# set interfaces fxp0 unit 0 family inet address address/prefix-length
- Configure the traffic interface.
[edit]
admin@# set interfaces ge-0/0/0 unit 0 family inet address address/prefix-length
admin@# set interfaces ge-0/0/1 unit 0 family inet address address/prefix-length
Note: The ge-0/0/0 interface is for the LAN, and the ge-0/0/1 interface is for the ISP.
- Configure the default route.
[edit]
admin@# set routing-options static route 0.0.0.0/0 next-hop gateway
- Configure basic security zones and bind them to traffic interfaces.
[edit]
admin@# set security zones security-zone trust interfaces ge-0/0/0
admin@# set security zones security-zone untrust interfaces ge-0/0/1
- Configure basic security policies.
[edit]
admin@# set security policies from-zone trust to-zone untrust policy policy-name match source-address any destination-address any application any
admin@# set security policies from-zone trust to-zone untrust policy policy-name then permit
admin@# set security policies from-zone untrust to-zone trust policy policy-name match source-address any destination-address any application any
admin@# set security policies from-zone untrust to-zone trust policy policy-name then permit
Note: The actual configuration of the policies depends on your requirements.
- Check the configuration for validity.
[edit]
admin@# commit check
configuration check succeeds
- Commit the configuration to activate it on the services gateway.
[edit]
admin@# commit
commit complete
- Optionally, display the configuration to verify that it is correct.
Note: This is sample output. The actual output might vary depending on your configuration requirements.
admin@# show
## Last changed: 2010-08-18 05:50:46 UTC
version "10.4I0 [sharibkh]";
system {
    host-name doc;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
        user@host {
            uid 928;
            class super-user;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 5.1.1.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.204.210.23/23;
                address 192.168.10.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 10.204.211.254 5.1.1.2 ];
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy bob {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy bob {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
[edit]
user@host#
[edit]
- Commit the configuration to activate it on the services gateway.
[edit]
admin@# commit
- Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the services gateway.
[edit]
admin@# commit
- When you have finished configuring the services gateway, exit configuration mode.
[edit]
admin@# exit
admin@>
To access the device using J-Web for the first time, enter configuration mode in the CLI and set the management option using the command set system services web-management http.
If you are using an interface other than fxp0, then you must also use the command set security zones security-zone trust interface interface-name host-inbound-traffic system-services http/https to set up J-Web.
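An added example, not part of the Juniper procedure: a Python check that flattens brace-style show output into full statement paths and reports what the sample configuration above enables, namely telnet, J-Web over http, and any/any permit policies between the trust and untrust zones. The input is constructed from the page's sample output; the function names and the HIGH/REVIEW labels are assumptions of this example.

```python
import re

# Constructed input: abridged from the sample "show" output on this page.
SAMPLE = (
    'system { services { ssh; telnet; web-management { http; } } } '
    'security { policies { '
    'from-zone trust to-zone untrust { policy bob { match { source-address any; '
    'destination-address any; application any; } then { permit; } } } '
    'from-zone untrust to-zone trust { policy bob { match { source-address any; '
    'destination-address any; application any; } then { permit; } } } } }'
)
POLICY = re.compile(r'security policies from-zone (\S+) to-zone (\S+) '
                    r'policy (\S+) (?:match|then) (.+)')
WIDE_OPEN = {'source-address any', 'destination-address any', 'application any', 'permit'}

def flatten(text):
    """Turn brace-style Junos configuration into full statement paths."""
    text = re.sub(r'##[^\n]*', '', text)  # drop annotations like ## SECRET-DATA
    tokens = re.findall(r'"[^"]*"|\[[^\]]*\]|[{};]|[^\s{};]+', text)
    stack, words, out = [], [], []
    for tok in tokens:
        if tok == '{':            # open a hierarchy level
            stack.append(' '.join(words)); words = []
        elif tok == '}':          # close the current level
            if stack: stack.pop()
        elif tok == ';':          # end of a leaf statement
            out.append(' '.join(stack + [' '.join(words)])); words = []
        else:
            words.append(tok)
    return out

def audit(text):
    """Return findings for cleartext management services and any/any permits."""
    stmts, findings, policies = flatten(text), [], {}
    if 'system services telnet' in stmts:
        findings.append('telnet enabled: management logins cross the network in cleartext')
    if 'system services web-management http' in stmts:
        findings.append('J-Web on http: management sessions are unencrypted')
    for s in stmts:
        m = POLICY.match(s)
        if m:
            policies.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
    for (src, dst, name), terms in sorted(policies.items()):
        if WIDE_OPEN <= terms:
            level = 'HIGH' if src == 'untrust' else 'REVIEW'  # assumes untrust faces the ISP
            findings.append(f'{level}: policy {name} {src}->{dst} permits any/any/any')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE)))
```

The parser ignores whitespace, so it accepts the output of show pasted either on one line or in its indented form.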