Configuring SRX Series Firewall Clusters in Junos Space using Secure Console

You can create a cluster of two SRX-series devices that are combined to act as a single system, or create a single-device cluster and then add a second device to the cluster later. You can also configure a standalone device from an existing cluster device. You can do this using the Secure Console feature in the Devices workspace.

You can configure an SRX-series cluster in the following modes:

  • Active/passive clustering

  • Active/active clustering

In the active/passive mode, the transit traffic passes through the primary node, while the backup node is used only in the event of a failure. When a failure occurs, the backup device becomes the primary and takes over all the forwarding tasks.

In the active/active mode, the transit traffic always passes through both nodes of the cluster.

Note:

To discover and manage an SRX Series Firewall cluster that is already configured, you must perform the device discovery workflow independently for each cluster node. You can add and discover the cluster devices using the Web UI. The discovery process is common for both standalone devices and cluster devices. For more information, see Running Device Discovery Profiles.

This topic includes the following tasks:

Configuring a Standalone Device from a Single-node Cluster

You can configure a standalone device from a device that is currently configured as a single-node cluster.

To configure a single-node cluster as a standalone device:

  1. On the Junos Space Network Management Platform user interface, select Devices > Device Management.
  2. Select the single-node cluster and select Device Access > SSH to Device from the Actions menu.

    The SSH to Device pop-up window is displayed.

    Note:

    If you have cleared the Allow users to auto log in to devices using SSH option on the Modify Applications page, the SSH to Device pop-up window is displayed. The IP address is automatically displayed in the IP address field. Enter the username and password in the User name and Password fields respectively.

  3. In the IP Address field, enter a valid IP address for the device.
  4. In the Username field, enter the user name for the device.
  5. In the Password field, enter the password to access the device.

    The name and password must match the name and password configured on the device.

  6. In the Port field, enter the port number to use for the SSH connection.

    The default value is 22. To use a different port, enter the value that is specified in the SSH port for device connection field on the Modify Application Settings page in the Administration workspace.

  7. Click Connect.

    The SSH terminal window is displayed.

    Note:

    You may receive error messages such as “Unable to Connect”, “Authentication Error”, or “Connection Lost or Terminated”, which are displayed as standard text in the terminal window. If you receive an error message, all other functionality in the terminal window is stopped. You should close this terminal window and open a new SSH session.

  8. Enter the set chassis command to remove the cluster configuration:
  9. Reboot the device, by entering the command:
  10. Copy the outbound-ssh configuration from group node to system level, for example:
  11. Copy the system log configuration from group node to system level:
  12. Copy the fxp0 interface setting from group node to system level, for example:
  13. Delete the outbound-ssh configuration from the group node, for example:
  14. Delete the system log configuration from the group node, for example:
  15. Delete the interfaces configuration from the group node, for example:
  16. Commit the configuration changes on the device:

    In the Junos Space user interface, the device connection status will go down and then up again. After the device connection is back up, you can verify that the device you configured displays as a standalone device.

  17. To terminate the SSH session, type exit from the terminal window prompt, and press Enter.
  18. Click in the top right corner of the terminal window to close the window.

Configuring a Standalone Device from a Two-Node Cluster

You can configure a standalone device from the secondary peer device in a cluster.

Note:

You cannot use the primary peer in a two-node cluster to configure a standalone device.

To configure a secondary peer device in a cluster as a standalone device:

  1. On the Junos Space Network Management Platform user interface, select Devices > Device Management.
  2. Select the secondary peer device and select Device Access > SSH to Device from the Actions menu.

    The SSH to Device pop-up window is displayed.

  3. Select the single-node cluster and select Device Access > SSH to Device from the Actions menu.

    The SSH to Device pop-up window is displayed.

    Note:

    If you have cleared the Allow users to auto log in to devices using SSH option on the Modify Applications page, the SSH to Device pop-up window is displayed. The IP address is automatically displayed in the IP address field. Enter the username and password in the User name and Password fields respectively.

  4. In the IP Address field, enter a valid IP address for the device.
  5. In the Username field, enter the user name for the device.
  6. In the Password field, enter the password to access the device.

    The name and password must match the name and password configured on the device.

  7. In the Port field, enter the port number to use for the SSH connection.

    The default value is 22. To use a different port, enter the value that is specified in the SSH port for device connection field on the Modify Application Settings page in the Administration workspace.

  8. Click Connect.

    The SSH terminal window is displayed.

    Note:

    You may receive error messages such as “Unable to Connect”, “Authentication Error”, or “Connection Lost or Terminated”, which are displayed as standard text in the terminal window. If you receive an error message, all other functionality in the terminal window is stopped. You should close this terminal window and open a new SSH session.

  9. Disconnect the HA cable from the device that you want to configure as a standalone device.
  10. Enter the set chassis command for the peer device, for example:
  11. Reboot the device, by entering the command:
  12. Copy the outbound-ssh configuration from group level to system level, for example:
  13. Copy the system log configuration from group level to system level:
  14. Copy the fxp0 interface setting from group level to system level, for example:
  15. Delete the outbound-ssh configuration from the group level, for example:
  16. Delete the system log configuration from the group level, for example:
  17. Delete the interfaces configuration from the group level, for example:
  18. Commit the configuration changes on the device:

    In the Junos Space user interface, the device connection status will go down and then up again. After the device connection is back up, you can verify that the device you configured displays as a standalone device.

    After the device connections are up, verify the following changes in the Manage Devices inventory landing page:

    • The device you configured now displays as a standalone device.

    • The cluster that formerly included a primary and secondary peer device now displays the primary peer device only.

  19. To terminate the SSH session, type exit from the terminal window prompt, and press Enter.
  20. Click in the top right corner of the terminal window to close the window.

Configuring a Primary Peer in a Cluster from a Standalone Device

You can create a device cluster from two standalone devices. Use the following procedure to configure a standalone device as the primary peer in a cluster.

To configure a primary peer in a cluster from a standalone device:

  1. On the Junos Space Network Management Platform user interface, select Devices > Device Management.
  2. Select the primary peer in the cluster and select Device Access > SSH to Device from the Actions menu.

    The SSH to Device pop-up window is displayed.

    Note:

    If you have cleared the Allow users to auto log in to devices using SSH option on the Modify Applications page, the SSH to Device pop-up window is displayed. The IP address is automatically displayed in the IP address field. Enter the username and password in the User name and Password fields respectively.

  3. In the IP Address field, enter a valid IP address for the device.
  4. In the Username field, enter the user name for the device.
  5. In the Password field, enter the password to access the device.

    The name and password must match the name and password configured on the device.

  6. In the Port field, enter the port number to use for the SSH connection.

    The default value is 22. To use a different port, enter the value that is specified in the SSH port for device connection field on the Modify Application Settings page in the Administration workspace.

  7. Click Connect.

    The SSH terminal window is displayed.

    Note:

    You may receive error messages such as “Unable to Connect”, “Authentication Error”, or “Connection Lost or Terminated”, which are displayed as standard text in the terminal window. If you receive an error message, all other functionality in the terminal window is stopped. You should close this terminal window and open a new SSH session.

  8. For the standalone device, enter the command:
  9. Reboot the device, by entering the command:
  10. Copy the outbound-ssh configuration from the system level to the group level, for example:
  11. Copy the fxp0 interface configuration from the system level to the group level, for example:
  12. Copy the system log configuration from system level to group level:
  13. Delete the outbound-ssh configuration from the system level, for example:
  14. Delete the system log configuration from the system level, for example:
  15. Delete the interfaces configuration from the system level, for example:
  16. Commit the configuration changes on the device again:

    After the device connection is up, verify the following changes:

    • In the Manage Devices inventory landing page:

      • The cluster icon appears for the device.

      • The new cluster device appears as the primary device.

    • In the physical inventory landing page, Junos Space Network Management Platform displays chassis information for the primary device cluster.

  17. To terminate the SSH session, type exit from the terminal window prompt, and press Enter.
  18. Click in the top right corner of the terminal window to close the window.

Configuring a Secondary Peer in a Cluster from a Standalone Device

If a device cluster contains only a primary peer, you can configure a standalone device to function as a secondary peer in the cluster. Use the following procedure to ensure that Junos Space Network Management Platform is able to manage both devices.

To add a standalone device to a cluster:

  1. On the Junos Space Network Management Platform user interface, select Devices > Device Management.
  2. Select the device and select Device Access > SSH to Device from the Actions menu.

    The SSH to Device pop-up window is displayed.

    Note:

    If you have cleared the Allow users to auto log in to devices using SSH option on the Modify Applications page, the SSH to Device pop-up window is displayed. The IP address is automatically displayed in the IP address field. Enter the username and password in the User name and Password fields respectively.

  3. In the IP Address field, enter a valid IP address for the device.
  4. In the Username field, enter the user name for the device.
  5. In the Password field, enter the password to access the device.

    The name and password must match the name and password configured on the device.

  6. In the Port field, enter the port number to use for the SSH connection.

    The default value is 22. To use a different port, enter the value that is specified in the SSH port for device connection field on the Modify Application Settings page in the Administration workspace.

  7. Click Connect.

    The SSH terminal window is displayed.

    From the terminal window prompt, you can enter CLI commands to create a standalone device from the device cluster.

    Note:

    You may receive error messages such as “Unable to Connect”, “Authentication Error”, or “Connection Lost or Terminated”, which are displayed as standard text in the terminal window. If you receive an error message, all other functionality in the terminal window is stopped. You should close this terminal window and open a new SSH session.

  8. For the standalone device, enter the command:
  9. Enter the command:
  10. Copy the outbound-ssh configuration from the system level to the group level, for example:
  11. Copy the fxp0 interface configuration from the system level to the group level, for example:
  12. Copy the system log configuration from system level to group level:
  13. Delete the outbound-ssh configuration from the system level, for example:
  14. Delete the system log configuration from the system level, for example:
  15. Delete the interfaces configuration from the system level, for example:
  16. Commit the configuration changes on the device again:
  17. Connect the HA cable to each device in the cluster.
  18. Establish an SSH connection to the primary device in the cluster.
  19. On the primary device, make some trivial change to the device, for example, add a description, and commit the change:

    After the device connections are up for both devices in the cluster, verify the following changes:

    • In the Manage Devices inventory landing page:

      • Each peer device displays the other cluster member.

      • The cluster icon appears for each member device.

      • One device appears as the primary device and the other as the secondary device in the cluster.

    • In the physical inventory landing page, chassis information appears for each peer device in the cluster.

  20. To terminate the SSH sessions, type exit from the terminal window prompt, and press Enter.
  21. Click in the top right corner of the terminal window to close the window.
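All four procedures above move the same three stanzas (outbound-ssh, system log, and the fxp0 interface) between the node group and the system level, and a stanza left at the wrong level can leave the device unreachable for management or without logging. The following check is an added example, not Juniper code: it assumes the output of `show configuration | display set` has been saved as text, and the group name `node0` and all sample values are constructed.

```python
import re

# The three stanzas the procedures move, as paths in "display set" form.
MOVED = {
    "outbound-ssh": "system services outbound-ssh",
    "syslog": "system syslog",
    "fxp0": "interfaces fxp0",
}
GROUP_RE = re.compile(r"^set groups (\S+) (.+)$")

# Constructed sample: a half-finished cluster-to-standalone migration.
SAMPLE = """\
set groups node0 system services outbound-ssh client space device-id EXAMPLE
set groups node0 system syslog file messages any notice
set system syslog file messages any notice
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
"""

def locate(display_set):
    """Map each stanza to where it is configured: 'top' or a group name."""
    found = {name: set() for name in MOVED}
    for line in display_set.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        m = GROUP_RE.match(line)
        where, path = (m.group(1), m.group(2)) if m else ("top", line[4:])
        for name, prefix in MOVED.items():
            if path == prefix or path.startswith(prefix + " "):
                found[name].add(where)
    return found

def check(display_set, target):
    """target='standalone': stanzas only at top level.
    target='cluster': stanzas only inside a group."""
    problems = []
    for name, places in locate(display_set).items():
        groups = sorted(places - {"top"})
        if not places:
            problems.append(f"{name}: missing")
        elif target == "standalone" and groups:
            problems.append(f"{name}: still in group(s) {groups}")
        elif target == "cluster" and "top" in places:
            problems.append(f"{name}: still at top level")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE, "standalone"))
```

Run the check on the candidate configuration before the commit step, and again after the device connection comes back up.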

Configuring a Cluster with Loopback Interface

By default, the SRX devices are configured to be managed through the fxp0 Ethernet management interface.

If the device is managed through a non-fxp0 interface (loopback address), add the following command to the device so that the SRX Series Firewall is treated as a cluster in Junos Space:

Command: set chassis cluster network-management cluster-primary

Note:

All other cluster configuration commands remain the same for both the Active/Active mode and the Active/Passive mode.