Performing the Initial Software Configuration for the SRX5800
SRX5800 Services Gateway Software Configuration Overview
The services gateway is shipped with the Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on. There are three copies of the software: one on a CompactFlash card (if installed) in the Routing Engine, one on the hard disk in the Routing Engine, and one on a USB flash drive that can be inserted into the slot in the Routing Engine faceplate.
When the device boots, it first attempts to start the image on the USB flash drive. If a USB flash drive is not inserted into the Routing Engine or the attempt otherwise fails, the device next tries the CompactFlash card (if installed), and finally the hard disk.
You configure the services gateway by issuing Junos OS command-line interface (CLI) commands, either on a console device attached to the CONSOLE port on the Routing Engine, or over a telnet connection to a network connected to the ETHERNET port on the Routing Engine.
Gather the following information before configuring the device:
- Name the device will use on the network
- Domain name the device will use
- IP address and prefix length information for the Ethernet interface
- IP address of a default router
- IP address of a DNS server
- Password for the root user
Initially Configuring the SRX5800 Services Gateway
This procedure connects the device to the network but does not enable it to forward traffic. For complete information about enabling the device to forward traffic, including examples, see the appropriate Junos OS configuration guides.
To configure the software:
- Verify that the device is powered on.
- Log in as the root user. There is no password.
- Start the CLI.
    root# cli
    root@>
- Enter configuration mode.
    configure
    [edit]
    root@#
- Set the root authentication password by entering either a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
    [edit]
    root@# set system root-authentication plain-text-password
    New password: password
    Retype new password: password
- Configure an administrator account on the device. When prompted, enter the password for the administrator account.
    [edit]
    root@# set system login user admin class super-user authentication plain-text-password
    New password: password
    Retype new password: password
- Commit the configuration to activate it on the device.
    [edit]
    root@# commit
- Log in as the administrative user you configured in Step 6.
- Configure the name of the device. If the name includes spaces, enclose the name in quotation marks (“ ”).
    configure
    [edit]
    admin@# set system host-name host-name
- Configure the IP address and prefix length for the Ethernet management interface on the services gateway’s Routing Engine.
    [edit]
    admin@# set interfaces fxp0 unit 0 family inet address address/prefix-length
- Configure the traffic interface.
    [edit]
    admin@# set interfaces ge-6/2/0 unit 0 family inet address address/prefix-length
    admin@# set interfaces ge-6/3/5 unit 0 family inet address address/prefix-length
- Configure the default route.
    [edit]
    admin@# set routing-options static route 0.0.0.0/0 next-hop gateway
- Configure basic security zones and bind them to traffic interfaces.
    [edit]
    admin@# set security zones security-zone trust interfaces ge-6/3/5
    admin@# set security zones security-zone untrust interfaces ge-6/2/0
- Configure basic security policies.
    [edit]
    admin@# set security policies from-zone trust to-zone untrust policy policy-name match source-address any destination-address any application any
    admin@# set security policies from-zone trust to-zone untrust policy policy-name then permit
- Check the configuration for validity.
    [edit]
    admin@# commit check
    configuration check succeeds
- Commit the configuration to activate it on the device.
    [edit]
    admin@# commit
    commit complete
- Optionally, display the configuration to verify that it is correct.
    admin@# show
    ## Last changed: 2008-05-07 22:43:25 UTC
    version "9.2I0 [builder]";
    system {
        autoinstallation;
        host-name henbert;
        root-authentication {
            encrypted-password "$1$oTVn2KY3$uQe4xzQCxpR2j7sKuV.Pa0"; ## SECRET-DATA
        }
        login {
            user admin {
                uid 928;
                class super-user;
                authentication {
                    encrypted-password "$1$cdOPmACd$QvreBsJkNR1EF0uurTBkE."; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0;
        }
        ge-6/2/0 {
            unit 0 {
                family inet {
                    address 5.1.1.1/24;
                }
            }
        }
        ge-6/3/5 {
            unit 0 {
                family inet {
                    address 192.1.1.1/24;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.10.2/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 5.1.1.2;
        }
    }
    security {
        zones {
            security-zone trust {
                interfaces {
                    ge-6/3/5.0;
                }
            }
            security-zone untrust {
                interfaces {
                    ge-6/2/0.0;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy bob {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
- Commit the configuration to activate it on the device.
    [edit]
    admin@# commit
- Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the device.
    [edit]
    admin@# commit
- When you have finished configuring the device, exit configuration mode.
    [edit]
    admin@# exit
    admin@host>
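The following Python audit is an added example, not part of the original Juniper procedure. It reads a saved copy of the `show` output and flags settings that this procedure and the J-Web procedure leave in place: J-Web over HTTP, telnet management, `$1$` (MD5-crypt) password hashes, and a policy that permits any source, destination, and application. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample modelled on the `show` output above; the hash is a placeholder.
SAMPLE = '''
system { root-authentication {
    encrypted-password "$1$PLACEHOLDER$PLACEHOLDER"; ## SECRET-DATA
} services { web-management { http { interface ge-0/0/0.0; } } } }
security { policies { from-zone trust to-zone untrust { policy bob {
    match { source-address any; destination-address any; application any; }
    then { permit; }
} } } }
'''

PERMIT_ALL = {("match", "source-address any"), ("match", "destination-address any"),
              ("match", "application any"), ("then", "permit")}

def leaves(text):
    """Yield every leaf statement as a tuple: enclosing block names, then the statement."""
    text = re.sub(r"##.*", "", text)  # strip "## ..." annotations such as SECRET-DATA
    stack, words = [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(" ".join(words))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            yield tuple(stack) + (" ".join(words),)
            words = []
        else:
            words.append(tok)

def audit(text):
    """Return sorted findings for cleartext management, MD5 hashes, permit-all policies."""
    findings, policies = set(), {}
    for path in leaves(text):
        if path[:4] == ("system", "services", "web-management", "http"):
            findings.add("J-Web enabled over cleartext HTTP")
        if path[:3] == ("system", "services", "telnet"):
            findings.add("Telnet management service enabled")
        if path[-1].startswith('encrypted-password "$1$'):
            findings.add("MD5-crypt ($1$) password hash under " + " ".join(path[:-1]))
        if path[:2] == ("security", "policies") and len(path) > 4:
            policies.setdefault(path[2:4], set()).add(path[4:])
    for (zones, name), stmts in policies.items():
        if PERMIT_ALL <= stmts:
            findings.add(f"Permit-all policy: {zones} {name}")
    return sorted(findings)
```

Calling `audit(SAMPLE)` returns three findings; the findings name the location of a weak hash but never echo the hash itself.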
Performing Initial Software Configuration Using J-Web
Configuring Root Authentication and the Management Interface from the CLI
Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.
To configure root authentication and the management interface:
- Log in as root. There is no password.
- Start the CLI and enter configuration mode.
    root@% cli
    root@> configure
    root@#
- Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
    [edit]
    root@# set system root-authentication plain-text-password
    New password: password
    Retype new password: password
- Commit the configuration to activate it on the device.
    [edit]
    root@# commit
- Configure the IP address and prefix length for the Ethernet management interface on the device.
    [edit]
    root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
- Configure the default route.
    [edit]
    root@# set routing-options static route 0.0.0.0/0 next-hop gateway
- Enable Web access to launch J-Web.
    [edit]
    root@# set system services web-management http
- Commit the configuration changes.
    [edit]
    root@# commit
Configuring Interfaces, Zones, and Policies with J-Web
You can configure hostnames, interfaces, zones, and security policies using J-Web.
You cannot use J-Web to configure SRX5400, SRX5600, and SRX5800 Services Gateways in Junos OS Release 15.1X49-D10.
Before you begin:
- Ensure you have configured the IP address, root authentication, and default route. See Configuring Root Authentication and the Management Interface from the CLI.
- Enable HTTP on the device to access J-Web. See Configuring Root Authentication and the Management Interface from the CLI.
Configure the device with J-Web using the following procedures.
Configuring the Hostname
To configure the hostname:
- Launch a Web browser from the management device.
- Enter the IP address of the device in the URL address field.
- Specify the default username as root and enter the password. See Configuring Root Authentication and the Management Interface from the CLI.
- Click Log In. The J-Web Dashboard page appears.
- Select Configure>System Properties>System Identity, and then select Edit. The Edit System Identity dialog box appears.
- Enter the hostname and click OK.
- Select Commit Options>Commit to apply the configuration changes.
You have successfully configured the hostname for the system.
Configuring Interfaces
To configure two physical interfaces:
- From the J-Web Dashboard page, select Configure>Interfaces and select a physical interface you want to configure.
- Select Add>Logical Interface. The Add interface dialog box appears.
- Set Unit = 0.
- Select the check box for IPv4 Address to enable IPv4 addressing.
- Click Add and enter the IPv4 address.
- Click OK.
A message appears after your configuration changes are validated successfully.
- Click OK.
- Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
- Click OK.
You have successfully configured the physical interface. Repeat these steps to configure the second physical interface for the device.
Configuring Zones and Assigning Interfaces
To assign interfaces within a trust zone and an untrust zone:
- From the J-Web Dashboard page, select Configure>Security>Zones/Screens and click Add. The Add Zone dialog box appears.
- In the Main tab, enter trust for zone name and enter the description.
- Set the zone type to Security.
- Select the interfaces listed under Available and move them under Selected.
- Click OK.
A message appears after your configuration changes are validated successfully.
- Click OK.
- Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
- Click OK.
- Repeat Step 1 through Step 8 and assign another interface to an untrust zone.
You have successfully configured interfaces in a trust zone and in an untrust zone.
Configuring Security Policies
To configure security policies:
- From the J-Web Dashboard page, select Configure>Security>Security Policy and click Add. The Add Policy dialog box appears.
- In the Policy tab, enter the policy name and set the policy action to permit. Then select Zone and set the From Zone to trust and the To Zone to untrust.
- Configure the source IP address by selecting any listed under Available and moving it under Selected.
- Configure the destination IP address by selecting any listed under Available and moving it under Selected.
- Configure the application by selecting any listed under Available and moving it under Selected.
- Click OK.
A message appears after your configuration changes are validated successfully.
- Click OK.
- Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
- Click OK.
You have successfully configured the security policy.