Configuring Junos OS on the SRX550 HM

 

SRX550 High Memory Services Gateway Basic Connectivity Overview

The Juniper Networks Junos operating system (Junos OS) is preinstalled on the SRX550 High Memory Services Gateway. When the services gateway is powered on, it is ready to be configured.

If you are setting up a services gateway for the first time, you can use the command-line interface (CLI) and the J-Web interface to configure basic connectivity.

If you are setting up many services gateways, autoinstallation can help automate the configuration process. See SRX550 High Memory Services Gateway Autoinstallation Overview.

Before you configure the services gateway for the first time, you must complete the prerequisite tasks listed in Table 1.

Table 1: Services Gateway Prerequisite Tasks

Task

Details

Gather information on:

  • Device name

  • Password for the root user

  • Time zone information

    • System time and zone for services gateway location

    • IP address of a Network Time Protocol (NTP) server, if NTP is used to set the time on the services gateway

If you are performing the initial configuration with the CLI, gather the following equipment:

  • Management device, such as a desktop or laptop computer, with a serial port and an asynchronous terminal application (such as Microsoft Windows HyperTerminal)

  • Serial cable

  • For a remote connection, gather the following equipment:

    • Two dial-up modems

    • An adapter appropriate for your modem; for example, DB-25 plug or similar

Built-In Ethernet Ports for the SRX550 High Memory Services Gateway

Before initial configuration, when the factory default configuration is active, the services gateway attempts to perform autoinstallation by obtaining a device configuration through all its connected interfaces, including the interface ge-0/0/0. All interfaces are configured as Layer 3 interfaces. See Table 2 and Table 3 for the default interface configuration.

Table 2: Default Ethernet Interface Configuration for the SRX550 HM Services Gateway

| Port Label | Interface | Connector | Security Zone | DHCP State | Address |
|---|---|---|---|---|---|
| 0/0 | ge-0/0/0. Note: If chassis clustering is enabled, use this port as the management port (fxp0). | RJ-45 | Untrust | Client | Dynamically assigned |
| 0/1 | ge-0/0/1 (if used). Note: If chassis clustering is enabled, use this port as the control port (fxp1). | RJ-45 | Trust | Server | 192.168.1.1/24 |
| 0/2 | ge-0/0/2 (if used). Note: Use this port as a fabric port. | RJ-45 | Trust | Server | 192.168.2.1/24 |
| 0/3 | ge-0/0/3 (if used). Note: Use this port as a fabric port. | RJ-45 | Trust | Server | 192.168.3.1/24 |
| 0/4 | ge-0/0/4 | RJ-45 | Trust | Server | 192.168.4.1/24 |
| 0/5 | ge-0/0/5 | RJ-45 | Trust | Server | 192.168.5.1/24 |
| 0/6 | ge-0/0/6 | No default configuration | | | |
| 0/7 | ge-0/0/7 | | | | |
| 0/8 | ge-0/0/8 | | | | |
| 0/9 | ge-0/0/9 | | | | |

Note

If chassis clustering is enabled, we recommend using the port labeled 0/0 as the management port (fxp0) and the port labeled 0/1 (if used) as the control port (fxp1). The fxp0 and fxp1 ports are created only when chassis clustering is enabled. You can use the other ports as fabric ports.

Table 3: LTE Interfaces

| Interface | Security Zone | IP Address |
|---|---|---|
| cl-1/0/0 | N/A | N/A |
| dl0 (logical) | untrust | ISP assigned* |

* Only if the LTE Mini-PIM is present

By default, the security policies in Table 4 and the NAT rule in Table 5 are created on the services gateway.

Table 4: Security Policies

| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |
| trust | trust | permit |

Table 5: NAT Rule

| Source Zone | Destination Zone | NAT Action |
|---|---|---|
| Trust | Untrust | Source NAT to untrust zone interface |

For example, a common default firewall configuration includes the following assumptions:

  • The protected network is connected to the interfaces ge-0/0/1 (port 0/1) through interface ge-0/0/5 (port 0/5) in the trust zone.

  • Connectivity to the Internet is through the interface ge-0/0/0 (port 0/0) in the untrust zone.

  • The IP address of the ge-0/0/0 interface is assigned through DHCP.

How to View Factory-Default Settings of the SRX550 High Memory Services Gateway

To view the factory-default configuration:

  1. Log in as the root user and provide your credentials.
  2. View the list of default configuration files:
    user@host> file list /etc/config

  3. View the required default configuration file.
    user@host> file show /etc/config/config file name

Management Access for the SRX550 High Memory Services Gateway

Telnet allows you to connect to the SRX550 High Memory Services Gateway and access the CLI to execute commands from a remote system. Telnet connections are not encrypted and therefore can be intercepted.

Note

You cannot use Telnet to access the root account. You must use more secure methods, such as SSH, to log in as root.



SSH provides the following features:

  • Allows you to connect to the services gateway and to access the CLI to execute commands from a remote system

  • Unlike Telnet, encrypts traffic so that it cannot be intercepted

  • Can be configured so that connections are authenticated by a digital certificate

  • Uses public–private key technology for both connection and authentication

The SSH client software must be installed on the machine where the client application runs. If the SSH private key is encrypted (for greater security), the SSH client must be able to access the passphrase used to decrypt the key.

For information about obtaining SSH software, see http://www.ssh.com and http://www.openssh.com.

If you are using a Junos XML protocol server to configure and monitor devices, you can activate cleartext access on the services gateway to allow unencrypted text to be sent directly over a TCP connection without using any additional protocol (such as SSH, SSL, or Telnet). For more information about the Junos XML management protocol, see the Junos XML Management Protocol Guide.

Note

Information sent in cleartext is not encrypted and therefore can be intercepted.

If the services gateway is operating in a Common Criteria environment, see the Configuration Guides for Junos OS Public Sector Certifications.

SRX550 High Memory Services Gateway Secure Web Access Overview

You can manage a services gateway remotely through the J-Web interface. To communicate with the services gateway, the J-Web interface uses Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but does not include encryption. The data transmitted between the client and the services gateway by means of HTTP is vulnerable to interception and attack. To enable secure Web access, a services gateway supports HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed.

The services gateway uses the SSL protocol to provide secure management of services gateways through the J-Web interface. SSL uses public-private key technology, which requires a paired private key and an authentication certificate to provide the SSL service. SSL encrypts communication between your device and the Web browser with a session key negotiated by the SSL server certificate.

An SSL certificate includes identifying information such as a public key and a signature made by a certificate authority (CA). When you access the services gateway through HTTPS, an SSL handshake authenticates the server and the client and begins a secure session. If the information does not match or if the certificate has expired, your access to the services gateway through HTTPS is restricted.

Without SSL encryption, communication between your services gateway and the browser is sent in the open and can be intercepted. We recommend that you enable HTTPS access on your WAN interfaces.

On services gateways, HTTP access is enabled by default on the built-in management interfaces. By default, HTTPS access is supported on any interface with an SSL server certificate.

You can use the J-Web interface or the CLI to configure secure Web access.

Before you configure secure Web access for the first time, you must complete the following tasks:

  • Establish basic connectivity.

  • Obtain an SSL certificate from a trusted signing authority.

For more details about configuring secure web access on your services gateway, see the User Access and Authentication Guide.
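The management access and secure Web access sections above contrast cleartext services (Telnet, HTTP, cleartext Junos XML) with their encrypted counterparts (SSH, HTTPS). The following is an added example, not taken from the Juniper documentation, that turns off the cleartext services and leaves only the encrypted ones; the interface ge-0/0/1.0, key-only root login, and the use of the system-generated certificate are assumptions.

```junos
# Added example. Assumed values: management interface ge-0/0/1.0,
# key-only root login over SSH, and the system-generated certificate.

# Cleartext services this example removes (shown for comparison):
#   set system services telnet
#   set system services web-management http
#   set system services xnm-clear-text

[edit]
# Remove the services that send credentials and session data unencrypted.
# A delete for a statement that is not configured only produces a warning.
user@host# delete system services telnet
user@host# delete system services web-management http
user@host# delete system services xnm-clear-text

# Keep SSH for CLI access; root may log in with a key but not a password.
user@host# set system services ssh root-login deny-password

# Junos XML / NETCONF management over SSH instead of cleartext TCP.
user@host# set system services netconf ssh

# J-Web over HTTPS only, bound to one interface.
# After a CA-signed certificate is loaded, replace the next line with:
#   set system services web-management https local-certificate <certificate-name>
user@host# set system services web-management https system-generated-certificate
user@host# set system services web-management https interface ge-0/0/1.0

# Review the candidate changes before activating them.
user@host# show | compare
user@host# show system services
user@host# commit check

# Roll back automatically after 5 minutes unless confirmed.
user@host# commit confirmed 5

# From a NEW SSH or HTTPS session, once access is proven to work:
user@host# commit
```

Opening a second session before the confirming commit checks that the encrypted path works while the automatic rollback is still available.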

Initial Configuration Using J-Web

Configure Using J-Web

To configure the device by using J-Web:

  1. Connect any of the network ports numbered 0/1 through 0/5 on the services gateway to the Ethernet port on the management device, using an RJ-45 cable.

    Note

    The ge-0/0/0 and ge-0/0/9 interfaces (ports 0/0 and 0/9) are WAN interfaces. Do not use these ports for the initial configuration procedure.

  2. Connect the other end of the Ethernet cable to the management device.
    Figure 1: Connect the SRX550 HM to a Management Device
  3. Ensure that the management device acquires an IP address. The IP address should be on the corresponding IP subnet for the interface you connected to in Step 1. The device functions as a DHCP server and will assign an IP address to the management device.

    For example, if you are connected to port 0/1, then the IP address of the management device should be from the 192.168.1.x network. If an IP address is not assigned to the management device, manually configure an IP address. You can use the ipconfig (or ifconfig for Macintosh or Linux users) command to verify the IP address.

    Note

    Do not assign the IP address 192.168.1.1 (if connected to port 0/1) to the management device, as this IP address is assigned to the SRX550 HM.

    Refer to the factory-default settings for information on the subnet for each interface.

  4. Open a browser and type https://192.168.1.1 (if connected to port 0/1). For ports other than 0/1, access the services gateway using the URL https://192.168.x.1, where x is the port number.

    The Phone Home Client screen appears.

  5. To configure the device using zero touch provisioning (ZTP), follow the procedure in Configure the Device Using ZTP with Juniper Networks Network Service Controller.
  6. To configure the device using J-Web, click Skip to J-Web.
  7. Set a root authentication password in the Skip to J-Web screen and click Submit.

    The J-Web login page appears. The SRX550 HM already has factory-default settings configured to make it a plug-and-play device. So all you have to do to get the SRX550 HM up and running is connect it to your LAN and WAN networks.

  8. Connect the WAN network to port 0/0 to obtain a dynamic IP address.
  9. Connect the LAN network to any of the ports from 0/1 through 0/5.
  10. Check to see if the SRX550 HM is connected to the Internet. Go to http://www.juniper.net. If the page does not load, check the Internet connection.

    After you complete these steps, you can start using the SRX550 HM on your network right away.

You can continue to customize the settings by logging in to J-Web, selecting the configuration mode that’s right for you, and then following the screens as they appear in the Setup wizard.

Customize the Configuration for Junos OS Release 19.2

You can select any one of the configuration modes to customize the configuration:

  • Standard—Configure basic security settings for the SRX550 HM.

  • Cluster (HA)—Set up the SRX550 HM in chassis cluster mode.

  • Passive—Set up the SRX550 HM in Tap mode. Tap mode enables the SRX550 HM to passively monitor traffic flows across a network.

Customize the Configuration for Junos OS Release 15.1X49-D170

You can select any one of the configuration modes to customize the configuration:

  • Guided Setup (uses a dynamic IP address)—Enables you to set up the SRX550 HM in a custom security configuration. You can select either the Basic or the Expert option.

    The following table compares the Basic and Expert levels:

    | Options | Basic | Expert |
    |---|---|---|
    | Number of internal zones allowed | 3 | ≥ 3 |
    | Internet zone configuration options | Static IP; Dynamic IP | Static IP; Static pool; Dynamic IP |
    | Internal zone service configuration | Allowed | Allowed |
    | Internal destination NAT configuration | Not Allowed | Allowed |

    Note

    If you change the IP address of the port to which the laptop is connected, you might lose connectivity to the device when applying the configuration in the Guided Setup mode. To access J-Web again, open a new browser window and type https://new IP address.

  • Default Setup (uses a dynamic IP address)—Enables you to quickly set up the SRX550 HM with the default configuration. Any additional configuration can be done after the wizard setup is completed.

  • High Availability—Enables you to set up a chassis cluster with a default basic configuration.

Initial Configuration Using the CLI

You can use either the serial or the mini-USB console port on the device.

Connecting to the Serial Console Port on the SRX550 High Memory Services Gateway

To connect to the serial console port:

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter supplied with your SRX550 HM.
  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the services gateway.
    Figure 2: Connecting to the Console Port on the SRX550 High Memory Services Gateway
    Note

    Figure 2 shows a connection to a local management device. A remote connection to the services gateway through a modem requires the cable and connector shown (RJ-45 to a DB-9 serial port adapter), along with an adapter for your modem, which you must purchase separately.

    You can connect to the SRX550 High Memory Services Gateway from a remote location through two dial-up modems:

    • A modem that is connected to the console port on the services gateway

    • A second modem that is connected to a remote management device

    The modem connection lets you remotely perform the same console operations that you can perform locally.

  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Configure the serial port settings with the following values:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

    The terminal emulation screen on your management device displays the startup sequence. When the services gateway has finished starting up, a login prompt appears.

Connect to the Mini-USB Console Port

To connect to the mini-USB console port:

  1. Download the USB driver to the management device from the Downloads page. To download the driver for Windows OS, select 6.5 from the Version drop-down list. To download the driver for macOS, select 4.10 from the Version drop-down list.
  2. Install the USB console driver software:

    Note

    Install the USB console driver software before attempting to establish a physical connection between the SRX550 HM and the management device, otherwise the connection will fail.

    1. Copy and extract the .zip file to your local folder.

    2. Double-click the .exe file. The installer screen appears.

    3. Click Install.

    4. Click Continue Anyway on the next screen to complete the installation.

      If you choose to stop the installation at any time during the process, then all or part of the software will fail to install. In such a case, we recommend that you uninstall the USB console driver and then reinstall it.

    5. Click OK when the installation is complete.

  3. Plug the large end of the USB cable supplied with the SRX550 HM into a USB port on the management device.
  4. Connect the other end of the USB cable to the mini-USB console port on the SRX550 HM.
  5. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the new COM port installed by the USB console driver software. In most cases, this is the highest-numbered COM port in the selection menu.

    You can locate the COM port under Ports (COM & LPT) in Windows Device Manager after the driver is installed and initialized. This might take several seconds.

  6. Configure the port settings with the following values:
    • Bits per second—9600

    • Parity—None

    • Data bits—8

    • Stop bits—1

    • Flow control—None

  7. If you have not already done so, power on the SRX550 HM by pressing the Power button on the front panel. Verify that the PWR LED on the front panel turns green.

    The terminal emulation screen on your management device displays the startup sequence. When the SRX550 HM has finished starting up, a login prompt appears.

Configure the SRX550 High Memory Using the CLI

This procedure connects the device to the network but does not enable it to forward traffic. For complete information about enabling the device to forward traffic, including examples, see the appropriate Junos OS configuration guides.

To configure the software:

  1. Log in as the root user. There is no password.
  2. Start the CLI.
  3. Enter configuration mode.
  4. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  5. Commit the configuration to activate it on the device.
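The five steps above, written out as a console session. This is an added example, not text from the Juniper documentation; the prompts and the public key string are constructed placeholders.

```junos
# Added example of steps 1-5. Prompts and the key string are constructed.

# Step 1: log in as root (no password on a factory-default device).
login: root

# Step 2: start the CLI from the shell prompt.
root@% cli

# Step 3: enter configuration mode.
root> configure

[edit]
# Step 4, option A: cleartext password. The CLI prompts for the password
# and stores only its hash in the configuration.
root# set system root-authentication plain-text-password
New password:
Retype new password:

# Step 4, option B: a password hash generated elsewhere.
#   set system root-authentication encrypted-password "<password-hash>"

# Step 4, option C: an SSH public key (RSA shown; ssh-dsa is the DSA form).
#   set system root-authentication ssh-rsa "ssh-rsa <base64-public-key> admin@mgmt"

# Check what will be committed; the password appears only as a hash.
root# show system root-authentication
root# commit check

# Step 5: activate the configuration.
root# commit
```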

Configure the Device Using ZTP with Juniper Networks Network Service Controller

Note

You can configure the device using ZTP in Junos OS Release 19.2 and earlier releases.

You can use ZTP to complete the initial configuration of the SRX550 HM in your network automatically, with minimum intervention.

Network Service Controller is a component of the Juniper Networks Contrail Service Orchestration platform that simplifies and automates the design and implementation of custom network services that use an open framework.

For more information, refer to the Network Service Controller section in the datasheet at http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000559-en.pdf.

To configure the device automatically using ZTP:

Note

To complete the ZTP process, ensure that the SRX550 HM is connected to the Internet.

  • If you already have the authentication code, enter the code in the webpage displayed.

    Figure 3: Authentication Code Page

    On successful authentication, the initial configuration is applied and committed on the SRX550 HM. Optionally, the latest Junos OS image is installed on the SRX550 HM before the initial configuration is applied.

  • If you do not have the authentication code, you can use the J-Web setup wizard to configure the SRX550 HM. Click Skip to J-Web and configure the SRX550 HM using J-Web.

Configuring Gigabit-Backplane Physical Interface Modules

To configure Gigabit-Backplane Physical Interface Modules (GPIMs) on the SRX550 High Memory Services Gateway:

  1. Verify that the GPIM is installed in the services gateway:

    user@host> show chassis hardware

    The following is a sample output of the command.

  2. Verify that the PIC on the XPIM is online:

    user@host> show chassis fpc pic-status

  3. Verify that the network interface that you want to configure on the XPIM is up:

    user@host> show interfaces terse

  4. Assign the interface an IP address:

    [edit]

    user@host# set interfaces interface-name unit 0 family inet address interface address/destination prefix

  5. Add or select a security zone; for example, Trust:

    [edit]

    user@host# set security zones security-zone trust interfaces ge-0/0/x.0 host-inbound-traffic system-services all

    where x is less than or equal to 16

  6. Add or select security zones for host inbound traffic protocol options:

    [edit]

    user@host# set security zones security-zone trust interfaces ge-0/0/x.0 host-inbound-traffic protocols all

    where x is less than or equal to 16

  7. Set security policies:

    [edit]

    user@host# set security policies default-policy permit-all

Configuring Mini-Physical Interface Modules

To enable the Mini-Physical Interface Module (Mini-PIM) installed on the services gateway, you must configure the basic settings for the Mini-PIM. You can perform the configuration tasks for this using either the J-Web interface or the CLI.

Using the J-Web Interface

To perform basic configuration for the Mini-PIM and to configure network interfaces for the services gateway using the J-Web interface:

  1. In the J-Web interface, select Configure>Interfaces.

    The Interfaces page displays and lists the network interfaces present on the services gateway, along with configuration information (if configured).

  2. Select the interface name and click Add > Logical Interfaces. Enter the details and click OK. To use the port on the Mini-PIM, assign an IP address to the port and assign it to a security zone, other than the Null zone. If there are no security zones listed, proceed to the next step to add a security zone.
  3. Add a security zone to the interface:
    1. Select Configure>Security>Zones/Screens.
    2. Add or select a security zone other than Null; for example, Trust. Assign the interface to the zone.
    3. For Host Inbound Traffic-Zone, set the following:
      • System Services=Allow All

      • Protocols=Allow All

    4. Click OK to save changes, and select Commit>Commit to apply the configuration and other pending changes (if any).
  4. To use the port on the Mini-PIM, you must also set security policies. Select the following settings:
    1. Select Configure>Security>Security Policy.
    2. Select Global Options > Policy Options.
    3. Set Policy Option: Default Policy Action=Permit-All.
    4. Click OK to save changes, and select Commit>Commit to apply the configuration and other pending changes (if any).

Using the CLI

To perform basic configuration for Mini-PIM and to configure network interfaces for the services gateway using the CLI:

  1. Verify that the Mini-PIM is installed on the device:

    show chassis hardware

  2. Verify the status of the interface:

    show interfaces terse

  3. Assign the port an IP address:

    For T1 interfaces:

    set interfaces t1-1/0/0 unit 0 family inet address interface address/destination prefix

    For E1 interfaces:

    set interfaces e1-1/0/0 unit 0 family inet address interface address/destination prefix

    For the 1-Port Serial Mini-PIM:

    set interfaces se-1/0/0 unit 0 family inet address interface address/destination prefix

  4. Add or select a security zone; for example, Trust:

    For T1 interfaces:

    set security zones security-zone trust interfaces t1-1/0/0.0 host-inbound-traffic system-services all

    For E1 interfaces:

    set security zones security-zone trust interfaces e1-1/0/0.0 host-inbound-traffic system-services all

    For the 1-Port Serial Mini-PIM:

    set security zones security-zone trust interfaces se-1/0/0.0 host-inbound-traffic system-services all

  5. Add or select security zones for host inbound traffic protocol options:

    For T1 interfaces:

    set security zones security-zone trust interfaces t1-1/0/0.0 host-inbound-traffic protocols all

    For E1 interfaces:

    set security zones security-zone trust interfaces e1-1/0/0.0 host-inbound-traffic protocols all

    For the 1-Port Serial Mini-PIM:

    set security zones security-zone trust interfaces se-1/0/0.0 host-inbound-traffic protocols all

  6. Set security policies:

    set security policies default-policy permit-all

Note

You can use the CLI commands set interfaces t1-1/0/0 or set interfaces e1-1/0/0 to enable the 1-Port T1/E1 Mini-PIM to function as a T1 or an E1 interface.
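The GPIM and Mini-PIM procedures above both end with system-services all, protocols all, and default-policy permit-all, which let the device answer every host-inbound service on the interface and permit any traffic that matches no explicit policy. The following added example, not taken from the Juniper documentation, shows those statements beside a narrower set; the interface ge-0/0/6.0, the services kept, and the policy name trust-to-untrust are assumptions.

```junos
# Added example. Assumed values: interface ge-0/0/6.0, the services kept,
# and the policy name trust-to-untrust. Keep only what the port needs.

# As configured by the procedures above (broad):
#   set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services all
#   set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols all
#   set security policies default-policy permit-all

[edit]
# Remove the broad statements for this interface.
user@host# delete security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic

# List only the services the device itself must answer on this port.
user@host# set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services ssh
user@host# set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services https
user@host# set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services ping
user@host# set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services dhcp

# Add a routing protocol only if one actually runs on this interface, e.g.:
#   set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols ospf

# Drop traffic that matches no policy, and permit what is intended explicitly.
user@host# set security policies default-policy deny-all
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

# Review the candidate configuration before activating it.
user@host# show | compare
user@host# show security zones security-zone trust
user@host# show security policies
user@host# commit check

# Roll back automatically after 5 minutes unless confirmed.
user@host# commit confirmed 5

# Confirm once management access and traffic flow have been verified.
user@host# commit
```

The same pattern applies to the t1-1/0/0.0, e1-1/0/0.0, and se-1/0/0.0 interfaces used in the Mini-PIM steps.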