Configuring Junos OS on the SRX320

 

SRX320 Services Gateway Software Configuration Overview

The services gateway is shipped with the Juniper Networks Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on. You can perform the initial software configuration of the services gateway by using the browser-based setup wizard or by using the command-line interface (CLI).

Before configuring the device, gather the configuration information required to deploy the device in your network. At a minimum, the setup wizard requires the following information:

  • Device name

  • Password for the root user

  • Time information for the services gateway location

Understanding SRX320 Services Gateway Factory-Default Settings

Your services gateway comes configured with a factory-default configuration. The default configuration includes the following security configuration:

  • Two security zones are created: trust and untrust.

  • Interfaces ge-0/0/0 and ge-0/0/7 are in the untrust zone, while interfaces ge-0/0/1 through ge-0/0/6 are in the trust zone.

  • A security policy is created that permits outbound traffic from the trust zone to the untrust zone.

  • Source Network Address Translation (NAT) is configured on the trust zone.

Table 1 lists the default interface configuration.

Table 1: Default Interface Configuration for the SRX320 Services Gateway

| Port Label | Interface | Security Zone | DHCP State | IP Address |
|---|---|---|---|---|
| 0/0 and 0/7 | ge-0/0/0 and ge-0/0/7 | untrust | Client | Unassigned |
| 0/1 to 0/6 | VLAN Interface irb.0 (ge-0/0/1 to ge-0/0/6) | trust | Server | 192.168.1.1/24 |

If the current active configuration fails, you can use the load factory-default command to revert to the factory-default configuration.

Configuring Zero-Touch Provisioning on SRX Series Devices

Zero Touch Provisioning (ZTP) enables you to complete the initial configuration of the services gateway in your network automatically, with minimum intervention. Network Service Controller is a component of the Juniper Networks Contrail Service Orchestration platform that simplifies and automates the design and implementation of custom network services that use an open framework. For more information, refer to the Network Service Controller section in the datasheet at https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000559-en.pdf.

Note

To complete the ZTP process, ensure that the services gateway is connected to the Internet.

To configure the device automatically using ZTP:

  1. Access the J-Web interface (https://192.168.1.1).
  2. If you already have the authentication code, enter the code in the webpage displayed.

    On successful authentication, the initial configuration is applied and committed on the services gateway. Optionally, the latest Junos OS image is installed on the device before the initial configuration is applied.

    When the process is complete, the message Device activation complete. Please disconnect your laptop. is displayed.

    If you do not have the authentication code, you can use the J-Web setup wizard to configure the services gateway. Click Skip to J-Web, enter a root authentication password, and configure the services gateway.

Accessing J-Web on the SRX320 Services Gateway

The J-Web interface is a Web-based graphical interface that allows you to operate a services gateway without commands.

Note

To access the J-Web interface, your management device requires one of the following supported browsers:

For Junos OS Release 15.1X49-D30 through Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1:

  • Microsoft Internet Explorer version 9 or 10

  • Mozilla Firefox version 38 (or later)

For Junos OS Release 15.1X49-D100:

  • Microsoft Internet Explorer version 10 or 11

  • Mozilla Firefox version 44 (or later)

  • Google Chrome version 55 (or later)

To access J-Web:

  1. Connect any of the network ports numbered 0/1 through 0/5 to the Ethernet port on the management device, using an RJ-45 cable.
    Figure 1: Connecting to the Ethernet Port on the SRX320 Services Gateway
  2. The services gateway functions as a DHCP server and automatically assigns an IP address to the management device. Ensure that the management device acquires an IP address on the 192.168.1.0/24 subnetwork from the device.

    If an IP address is not assigned to the management device, manually configure an IP address in the 192.168.1.0/24 subnetwork. Do not assign the 192.168.1.1 IP address to the management device, as this IP address is assigned to the services gateway. By default, the DHCP server is enabled on the L3 VLAN interface, irb.0 (interface ge-0/0/1 to ge-0/0/5), which is configured with an IP address of 192.168.1.1/24.

  3. Open a Web browser on the management device and enter the IP address http://192.168.1.1 in the address field.

Configuring the SRX320 Services Gateway Using the J-Web Setup Wizard

This topic describes how to perform the initial software configuration of your services gateway using the setup wizard.

This topic includes the following sections:

About the Setup Wizard

The setup wizard guides you through the step-by-step configuration of a services gateway that can securely pass traffic. To help guide you through the process, the wizard:

  • Provides recommended settings based on your previous selections. For example, the wizard recommends security policies based on the security topology you have defined.

  • Determines which configuration tasks to present to you based on your selections.

  • Flags any missing required configuration when you attempt to leave a page.

  • Indicates which configuration elements or tasks are unavailable to you based on your previous selections by graying them out.

You can choose one of the following setup modes to configure the services gateway:

  • Default Setup mode—This mode allows you to quickly set up a services gateway in a default security configuration. In this mode, you can configure basic system settings, such as the administrator password, and download purchased licenses. Any additional configuration can be carried out after completing the wizard setup.

  • Guided Setup mode—This mode allows you to set up a services gateway in a custom security configuration.

Note

It is mandatory to configure only the device name and root password. You can skip all the other steps by clicking Next to go directly to the Confirm & Apply page to apply the configuration.

About the Default Setup Mode

If you choose the Default Setup mode, the wizard takes you through the minimal configuration needed to set up the services gateway that can securely pass traffic in the default configuration.

In the Default Setup mode, you configure:

  • Device name

  • Password for the root account

  • Time information for the services gateway location:

    • Local time zone

    • Name or IP address of a Network Time Protocol (NTP) server, if NTP is used to set the time on the services gateway

    • Local date and time if an NTP server is not used to set the time

You cannot do additional configuration in the Default Setup mode. You must commit your changes and exit the wizard to perform any additional configuration. You can perform additional configuration by rerunning the wizard in the Guided Setup mode, by using the J-Web interface, or by using the CLI.

See the How to Set Up Your SRX320 Services Gateway for step-by-step instructions on how to configure your services gateway in the Default Setup mode.

About the Guided Setup Mode

If you choose the Guided Setup mode, the wizard guides you through configuring your services gateway in a custom security configuration. You can choose between the Basic and Expert levels based on your experience level. The following table compares the Basic and Expert levels.

| Basic | Expert |
|---|---|
| Can configure only three internal zones | Can configure more than three internal zones |
| Can configure static and dynamic IP for the Internet zone | Can configure static IP, static pool, and dynamic IP for the Internet zone |
| Can configure internal zone service | Can configure internal zone service |
| Cannot configure internal destination NAT | Can configure internal destination NAT |

Configurations you can perform with the setup wizard include:

  • Configuring basic options such as device name, root password, and system time

  • Configuring the security topology

    • Internet zone

    • Internal zones

    • DMZ

  • Defining security policies and Network Address Translation (NAT) rules

  • Configuring remote access

Note

Before applying the configuration changes to the services gateway, check the connectivity to the services gateway. You might lose connectivity if you have changed the management zone IP. Click the URL for reconnection instructions for information on how to reconnect to the device.

After you finish configuring the services gateway with the setup wizard and commit your configuration, you are redirected to the J-Web interface. Thereafter, whenever you connect to the services gateway, you are placed in the J-Web interface. You can access the setup wizard from the J-Web interface and use it to reconfigure your services gateway. To do so, select Configure > Device Setup > Set Up. You can either edit an existing configuration or create a new configuration.

Note

If you elect to create a new configuration, then all the current configuration in the services gateway will be deleted.

Accessing the CLI on the SRX320 Services Gateway

To access the CLI on the SRX320 Services Gateway:

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter supplied with your services gateway.
  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the services gateway.

    Note

    Alternatively, you can use the USB cable to connect to the mini-USB console port on the services gateway. To use the mini-USB console port, you must download a USB driver to the management device from the SRX320 Software Download page or Silicon Labs page.

    Figure 2: Connecting to the Console Port on the SRX320 Services Gateway
  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Configure the serial port settings with the following values:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

  6. Power on the services gateway. You can start performing initial software configuration on the services gateway after the device is up.

Connecting to the SRX320 Services Gateway from the CLI Remotely

You can connect to the CLI of an SRX320 Services Gateway from a remote location through two dial-up modems:

  • A modem that is connected to the console port on the services gateway

  • A second modem connected to a remote management device

The modem connection allows you to remotely perform the same console operations that you can perform locally.

Configuring the SRX320 Services Gateway Using the CLI

This procedure connects the device to the network but does not enable it to forward traffic. For complete information about enabling the device to forward traffic, including examples, see the appropriate Junos OS configuration guides.

To configure the software:

  1. Verify that the device is powered on.
  2. Log in as the root user. There is no password.
  3. Start the CLI.
  4. Enter configuration mode.
  5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  6. Configure an administrator account on the device.
  7. Commit the configuration to activate it on the device.
    Note

    For information on the factory-default settings, see Understanding SRX320 Services Gateway Factory-Default Settings.

  8. Log in as the administrative user you configured in Step 6.
  9. Configure the name of the device. If the name includes spaces, enclose the name in quotation marks (“ ”).
  10. Configure the traffic interface.
  11. Configure the default route.
  12. Configure basic security zones and bind them to traffic interfaces.
  13. Configure basic security policies.
  14. Create a Network Address Translation (NAT) rule for source translation of all Internet-bound traffic.
  15. Check the configuration for validity.
  16. Commit the configuration to activate it on the device.
  17. Optionally, display the configuration to verify that it is correct.
  18. Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the services gateway.
  19. When you have finished configuring the services gateway, exit configuration mode.
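
The steps above as one Junos CLI sequence, added here as an illustration and not taken from the original page. The user name admin, the host name, the policy and rule names, the interface choices and all addresses are constructed assumptions, and the two interfaces are assumed to carry no conflicting factory-default statements.

```junos
# Steps 2-4: log in as root (no password yet), start the CLI, enter configuration mode
cli
configure

# Step 5: root password; the CLI prompts twice for the cleartext value
set system root-authentication plain-text-password

# Step 6: administrator account (user name "admin" is an assumption)
set system login user admin class super-user authentication plain-text-password

# Step 7: activate the configuration
commit

# Step 8: log out, log back in as admin, and re-enter configuration mode
configure

# Step 9: device name (constructed placeholder)
set system host-name srx320-example

# Step 10: traffic interfaces (constructed addresses)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/24

# Step 11: default route through the upstream gateway (constructed address)
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Step 12: bind the interfaces to the security zones
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Step 13: permit outbound traffic from trust to untrust
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

# Step 14: source NAT of all Internet-bound traffic to the egress interface address
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface

# Steps 15-17: validate, activate, and review the configuration
commit check
commit
show

# Step 19: leave configuration mode
exit
```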

Verifying Settings for the SRX320 Services Gateway

Access https://www.juniper.net to verify connectivity. If the page does not load, perform the following checks to see if you can identify the problem:

  • Check if the cable connecting the ISP-supplied device to the SRX Series device is firmly seated.

  • Use the CLI ping command to verify that the services gateway can be accessed from the management device.

  • Check if the management device has an IP address in the 192.168.1.0/24 subnetwork.

  • Clear the browser cache on the management device.

After you complete these steps, the device can pass traffic from any trust port to the untrust port. You can connect other devices to the SRX Series device.