Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Step 2: Up and Running

Now that the SRX300 is powered on, let’s do some initial configuration to get it up and running on the network.

Note:

Be sure to check out our Guided Setup: SRX300 Line Firewalls. Our Guided Setup picks up where this Day One+ leaves off, providing step-by-step instructions on how to easily secure and validate your branch location.

SRX300 Provisioning Options

It’s simple to provision and manage the SRX300 and other devices on your network. Choose the configuration tool that’s right for you:

Initial Configuration Using the CLI

You can use the console port on the SRX to do the initial configuration. This section assumes you start from a factory default configuration. See SRX300 Firewall Hardware Guide for details on the SRX300 factory default configuration.

After you configure the SRX300, you can log in on a local LAN port, or remotely over the WAN interface, to manage and configure the SRX using the CLI or J-Web.

We recommend that you use the ge-0/0/0 interface for WAN connectivity on the SRX300. By default, this interface is set to receive its Internet access configuration from the service provider.

Note:

This examples assumes you are using DHCP to configure the WAN interface. If the WAN provider does not support DHCP, you’ll need to manually configure the WAN interface and related static routing. See Junos Initial Configuration.

Have this information handy before you begin the initial configuration:

  • Root password

  • Hostname

Connect to the Serial Console Port

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter for your SRX300.
    Note:

    We no longer include the console cable as part of the device package. If the console cable and adapter are not included in your device package, or if you need a different type of adapter, you can order the following separately:

    • RJ-45 to DB-9 adapter (JNP-CBL-RJ45-DB9)

    • RJ-45 to USB-A adapter (JNP-CBL-RJ45-USBA)

    • RJ-45 to USB-C adapter (JNP-CBL-RJ45-USBC)

    If you want to use an RJ-45 to USB-A or RJ-45 to USB-C adapter, you must have the X64 (64-Bit) Virtual COM port (VCP) driver installed on your PC. See https://ftdichip.com/drivers/vcp-drivers/ to download the driver.

  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the SRX300.
  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Verify that the serial port settings are set to the default:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

Note:

You can also connect to the SRX300 using a mini-USB console port. See the SRX300 Hardware Guide.

Perform Initial Configuration

  1. Login as the root user and start the CLI. You don't need a password if you're running the factory default.
    Note:

    You can view the factory-default settings with the show configuration operational mode command.

  2. Enter configuration mode.
  3. Since you're doing the initial configuration manually, you'll need to remove ZTP from the configuration. This stops the periodic log messages that report on ZTP status.

    Set the root authentication password and commit the change to deactivate ZTP.

    Issue the commit command to activate the candidate configuration that disables ZTP:

  4. Enable root login over SSH, and allow SSH access over the WAN interface (ge-0/0/0).
  5. Configure the hostname.
  6. That’s it! The initial configuration is complete. Commit the configuration to activate the changes on the SRX.

Congratulations! Your SRX is Up and Running

Your SRX300 is now online and providing secure Internet access to devices attached to the LAN ports. You can manage the device locally and remotely, using the Junos CLI, J-Web, or a cloud based provisioning service. Here's what your network looks like:

A few things to keep in mind about your new SRX300 branch network:

  • You access the SRX CLI or J-Web user interface locally using the 192.168.1.1 address. To access the SRX remotely, specify the IP address assigned by the WAN provider. Simply issue a show interfaces ge-0/0/0 terse CLI command to confirm the address in use by the WAN interface.

  • Devices attached to the LAN ports are configured to use DHCP. They receive their network configuration from the SRX. These devices obtain an IP address from the 192.168.1.0/24 address pool and use the SRX as their default gateway.

  • All LAN ports are in the same subnet with Layer 2 connectivity. All traffic is permitted between trust zone interfaces.

  • All traffic originating in the trust zone is permitted in the untrust zone. Matching response traffic is allowed back from the untrust to the trust zone. Traffic that originates from the untrust zone is blocked from the trust zone.

  • The SRX performs source NAT (S-NAT) using the WAN interface’s IP for traffic sent to the WAN that originated from the trust zone.

  • Traffic associated with specific system services (HTTPS, DHCP, TFTP, and SSH) is permitted from the untrust zone to the local host. All local host services and protocols are allowed for traffic that originates from the trust zone.

If you’d like to quickly configure and validate a secure branch office, be sure to check out our Guided Setup: SRX300 Line Firewalls.