Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Management and Discard Interfaces

The topics below discuss the over and configuration details of management and discard interfaces on the security devices.

Configuring Management Interfaces

Management interfaces are the primary interfaces for accessing the device remotely. Typically, a management interface is not connected to the in-band network, but is connected instead to the device's internal network. Through a management interface you can access the device over the network using utilities such as ssh and telnet and configure it from anywhere, regardless of its physical location. SNMP can use the management interface to gather statistics from the device.

Management interfaces vary based on device type:

  • The SRX5600 and SRX5800 devices include a 10/100-Mbps Ethernet port on the Routing Engine (RE). This port, which is labeled ETHERNET, is a dedicated out-of-band management interface for the device. Junos OS automatically creates the device’s management interface fxp0. To use fxp0 as a management port, you must configure its logical port fxp0.0 with a valid IP address. While you can use fxp0 to connect to a management network, you cannot place it into the management zone.


On the SRX5600 and SRX5800 devices, you must first connect to the device through the serial console port before assigning a unique IP address to the management interface.

As a security feature, users cannot log in as root through a management interface. To access the device as root, you must use the console port.

In an SRX Series device, the fxp0 management interface is a dedicated port located on the Routing Engine. In an SRX Series chassis cluster configuration, the control link interface must be port 0 on an SPC. For each node in the chassis cluster, you must configure the SPC that is used for the control link interface.

Configuring Discard Interface

The discard (dsc) interface is not a physical interface, but a virtual interface that discards packets. You can configure one discard interface. This interface allows you to identify the ingress (inbound) point of a denial-of-service (DoS) attack. When your network is under attack, the target host IP address is identified, and the local policy forwards attacking packets to the discard interface. Traffic routed out the discard interface is silently discarded.