Configuring Junos OS on the SRX1500

 

SRX1500 Services Gateway Software Configuration Overview

The SRX1500 Services Gateway is shipped with Junos OS preinstalled and ready to be configured when the services gateway is powered on. If you are setting up the services gateway for the first time, use the command-line interface (CLI) to perform the initial configuration.

Gather the following information before configuring the services gateway:

  • Root authentication

  • IP address of the management interface

  • Default route

Understanding SRX1500 Services Gateway Factory-Default Settings

Your services gateway comes configured with a factory-default configuration. The default configuration includes the following security configuration:

  • Two security zones are created: trust and untrust.

  • Interface ge-0/0/0 is in the untrust zone, while interfaces ge-0/0/1 through ge-0/0/3 are in the trust zone.

  • A security policy is created that permits outbound traffic from the trust zone to the untrust zone.

  • Source Network Address Translation (NAT) is configured on the trust zone.

If the current active configuration fails, you can use the load factory-default command to revert to the factory-default configuration.

Viewing SRX1500 Services Gateway Factory-Default Settings

To view the factory-default configuration of the services gateway using the CLI:

  1. Log in as the root user and provide your credentials.
  2. View the list of default config files:
    root@srx1500> file list /etc/config

  3. View the required default config file.
    root@srx1500> file show /etc/config/<config file name>

Accessing J-Web on the SRX1500 Services Gateway

The J-Web interface is a Web-based graphical interface that allows you to operate a services gateway without commands. Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.

Note

To access the J-Web interface, your management device requires one of the following supported browsers:

  • Microsoft Internet Explorer version 8.0, 9.0, or 10.0

  • Mozilla Firefox version 23+

  • Google Chrome version 28+

To access J-Web:

  1. Open a Web browser on the management device and enter the device management IP address in the address field.
  2. Specify the default username as root and enter the password.

Configuring the SRX1500 Services Gateway Using J-Web

Configuring Root Authentication and the Management Interface from the CLI

Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.

To configure root authentication and the management interface:

  1. Log in as root. There is no password.
  2. Start the CLI and enter configuration mode.
  3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  4. Commit the configuration to activate it on the device.
  5. Configure the IP address and prefix length for the Ethernet management interface on the device.
  6. Configure the default route.
  7. Enable Web access to launch J-Web.
  8. Commit the configuration changes.

Configuring Interfaces, Zones, and Policies with J-Web

You can configure hostnames, interfaces, zones, and security policies using J-Web.

Before you begin:

Configure the device with J-Web using the following procedures.

Configuring the Hostname

To configure the hostname:

  1. Launch a Web browser from the management device.
  2. Enter the IP address of the device in the URL address field.
  3. Specify the default username as root and enter the password. See Configuring Root Authentication and the Management Interface from the CLI.
  4. Click Log In. The J-Web Dashboard page appears.
  5. Select Configure>System Properties>System Identity, and then select Edit. The Edit System Identity dialog box appears.
  6. Enter the hostname and click OK.
  7. Select Commit Options>Commit to apply the configuration changes.

You have successfully configured the hostname for the system.

Configuring Interfaces

To configure two physical interfaces:

  1. From the J-Web Dashboard page, select Configure>Interfaces and select a physical interface you want to configure.
  2. Select Add>Logical Interface. The Add interface dialog box appears.
  3. Set Unit = 0.
  4. Select the check box for IPv4 Address to enable IPv4 addressing.
  5. Click Add and enter the IPv4 address.
  6. Click OK.

    A message appears after your configuration changes are validated successfully.

  7. Click OK.
  8. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  9. Click OK.

You have successfully configured the physical interface. Repeat these steps to configure the second physical interface for the device.

Configuring Zones and Assigning Interfaces

To assign interfaces within a trust zone and an untrust zone:

  1. From the J-Web Dashboard page, select Configure>Security>Zones/Screens and click Add. The Add Zone dialog box appears.
  2. In the Main tab, enter trust for zone name and enter the description.
  3. Set the zone type to Security.
  4. Select the interfaces listed under Available and move them under Selected.
  5. Click OK.

    A message appears after your configuration changes are validated successfully.

  6. Click OK.
  7. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  8. Click OK.
  9. Repeat Step 1 through Step 8 and assign another interface to an untrust zone.

You have successfully configured interfaces in a trust zone and in an untrust zone.

Configuring Security Policies

To configure security policies:

  1. From the J-Web Dashboard page, select Configure>Security>Security Policy and click Add. The Add Policy dialog box appears.
  2. In the Policy tab, enter the policy name and set the policy action to permit. Then select Zone and set the From Zone to trust and the To Zone to untrust.
  3. Configure the source IP address by selecting any listed under Available and moving it under Selected.
  4. Configure the destination IP address by selecting any listed under Available and moving it under Selected.
  5. Configure the application by selecting any listed under Available and moving it under Selected.
  6. Click OK.

    A message appears after your configuration changes are validated successfully.

  7. Click OK.
  8. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  9. Click OK.

You have successfully configured the security policy.

Accessing the CLI on the SRX1500 Services Gateway

To access the CLI on the SRX1500 Services Gateway:

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter supplied with your services gateway.
  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the services gateway.

    Note

    Alternatively, you can use the USB cable to connect to the mini-USB console port on the services gateway. To use the USB console port, you must download a USB driver to the management device from the Silicon Labs page.

  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Configure the serial port settings with the following values:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

  6. Power on the services gateway. You can start performing initial software configuration on the services gateway after the device is up.

Connecting to the SRX1500 Services Gateway from the CLI Remotely

To connect the services gateway to a network for out-of-band management:

  1. Plug one end of an Ethernet cable with RJ-45 connectors into the MGMT port on the front panel of the services gateway.
  2. Plug the other end of the cable into the management device.

Configuring the SRX1500 Services Gateway Using the CLI

This sample procedure explains how you can create an initial configuration using CLI commands to connect the SRX1500 Services Gateway to the network.

  1. Verify that the device is powered on.
  2. Log in as the root user. Do not enter a password.
  3. Start the CLI.
    root@% cli
    root>

  4. Enter configuration mode.
    configure
    [edit]
    root#

  5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
    [edit]
    root# set system root-authentication plain-text-password
    New password: password
    Retype new password: password

  6. Configure an administrator account on the device. When you are prompted, enter the password for the administrator account.
    [edit]
    root# set system login user admin class super-user authentication plain-text-password
    New password: password
    Retype new password: password

  7. Commit the configuration to activate it on the services gateway.
    [edit]
    root# commit

  8. Log in as the administrative user you configured in Step 6.
  9. Configure the name of the services gateway. If the name includes spaces, enclose the name in quotation marks (“ ”).
    configure
    [edit]
    admin# set system host-name host-name

  10. Configure the IP address and prefix length for the services gateway Ethernet interface.
    [edit]
    admin# set interfaces fxp0 unit 0 family inet address address/prefix-length

  11. Configure the traffic interface.
    [edit]
    admin# set interfaces ge-0/0/0 unit 0 family inet address address/prefix-length
    admin# set interfaces ge-0/0/1 unit 0 family inet address address/prefix-length
    Note

    The ge-0/0/0 interface is for the LAN, and the ge-0/0/1 interface is for the ISP.

  12. Configure the default route.
    [edit]
    admin# set routing-options static route 0.0.0.0/0 next-hop gateway

  13. Configure basic security zones and bind them to traffic interfaces.
    [edit]
    admin# set security zones security-zone untrust interfaces ge-0/0/0
    admin# set security zones security-zone trust interfaces ge-0/0/1

  14. Configure basic security policies.
    [edit]
    admin# set security policies from-zone trust to-zone untrust policy policy-name match source-address any destination-address any application any
    admin# set security policies from-zone trust to-zone untrust policy policy-name then permit
    admin# set security policies from-zone untrust to-zone trust policy policy-name match source-address any destination-address any application any
    admin# set security policies from-zone untrust to-zone trust policy policy-name then permit
    Note

    The actual configuration of the policies depends on your requirements.

  15. Check the configuration for validity.
    [edit]
    admin# commit check
    configuration check succeeds

  16. Commit the configuration to activate it on the services gateway.
    [edit]
    admin# commit
    commit complete

  17. Optionally, display the configuration to verify that it is correct.

    Note

    This is a sample output. The actual output might vary depending on your configuration requirements.

    admin@# show
  18. Commit the configuration to activate it on the services gateway.
  19. Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the services gateway.
  20. When you have finished configuring the services gateway, exit configuration mode.

Note

To access the device using J-Web for the first time, enter configuration mode in the CLI, and set the management option using the command set system services web-management http.

Launch a Web browser from the management device and access the services gateway using the URL http://<device management IP address>. The J-Web login page is displayed. This indicates that you have successfully completed the initial configuration, and your SRX1500 Services Gateway is ready for use.
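A pre-commit review of the policy and web-management statements used in this procedure, as an added example (not Juniper's code): the script parses set commands and flags an any/any/any permit that originates in the untrust zone, and J-Web enabled over HTTP. The policy names allow-out and allow-in, the function names, and the sample input are assumptions made for the illustration.

```python
import re

# Constructed input: the procedure's "set" lines with placeholder policy
# names (allow-out, allow-in) filled in; not output from a real device.
SAMPLE = """\
set security policies from-zone trust to-zone untrust policy allow-out match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone untrust to-zone trust policy allow-in match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy allow-in then permit
set system services web-management http
"""

POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (match|then) (.+)")
MATCH_KEYS = ("source-address", "destination-address", "application")

def parse_policies(text):
    """Merge each policy's match and then lines into one record."""
    policies = {}
    for line in text.splitlines():
        m = POLICY.match(line.strip())
        if not m:
            continue
        src, dst, name, kind, rest = m.groups()
        rec = policies.setdefault((src, dst, name), {"match": {}, "action": None})
        words = rest.split()
        if kind == "then":
            rec["action"] = words[0]
        else:
            # Single-value terms only, as in the procedure (no [ a b ] lists).
            rec["match"].update(zip(words[0::2], words[1::2]))
    return policies

def audit(text, untrusted=("untrust",)):
    """Return findings for settings worth reviewing before the commit."""
    findings = []
    for (src, dst, name), rec in parse_policies(text).items():
        wide_open = all(rec["match"].get(k) == "any" for k in MATCH_KEYS)
        if src in untrusted and rec["action"] == "permit" and wide_open:
            findings.append(f"{src}->{dst} policy {name}: permits any/any/any")
    for line in text.splitlines():
        if line.split()[:5] == ["set", "system", "services", "web-management", "http"]:
            findings.append("web-management http: J-Web login sent over cleartext HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample input the script reports the untrust-to-trust policy and the HTTP statement, and leaves the outbound trust-to-untrust policy alone. Junos also provides set system services web-management https system-generated-certificate, which serves J-Web over HTTPS instead.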