Configure Hub Profiles for SRX Series Firewalls

Each hub device in a Juniper Mist™ cloud topology must have its own profile. Hub profiles are a convenient way to create an overlay and assign a path for each WAN link on that overlay in Juniper WAN Assurance.

The difference between a hub profile and a WAN edge template is that you apply the hub profile to an individual device that’s at a hub site. And the WAN edge templates are bound to spoke sites that have multiple devices and bound with the same template across multiple sites. Every Hub WAN interface creates an overlay endpoint for spokes. Spoke WAN interfaces map the appropriate Hub WAN interfaces, defining the topology. Hub profiles drive the addition, removal of paths on your overlay.

When you create a hub profile for the Juniper Networks® SRX Series Firewall, the Mist cloud generates and installs the SSL certificates automatically. It also sets up WAN uplink probes for failover detection.

In this task, you create a hub profile and then clone the same profile to create a second hub profile in the Juniper Mist cloud portal.

Configure a Hub Profile

A hub profile comprises the set of attributes that associate with a particular hub device. Hub profiles include name, LAN,WAN, traffic steering, application policies, and routing options. You can assign the hub profile to a hub device and after a hub profile is loaded onto the site, the device assigned to the site picks up the attributes of that hub profile.

To configure a hub profile:

In the Juniper Mist cloud portal, click Organization > WAN > Hub Profiles.
A list of existing profiles, if any, appears.
Click Create Profile in the upper right corner.

Note:
You can also create a hub profile by importing a JavaScript Object Notation (JSON file) using the Import Profile option.

Enter the name of the profile and click Create.

Table 1 summarizes the options you can set in a hub profile.

Table 1: Hub Profile Options
Field	Description
Name	The profile name. Enter a unique name for the profile. The profile name can include up to 64 characters. Example: hub1.
NTP	IP address or hostname of the Network Time Protocol (NTP) server. NTP allows network devices to synchronize their clocks with a central source clock on the Internet.
Applies to Device	Site to associate the hub profile. The drop-down menu shows a list of the WAN edge devices available in the inventory of the current site.
DNS Settings	IP address or host name of Domain Name System (DNS) servers. Network devices use the DNS name servers to resolve hostnames to IP addresses.
Secure Edge Connectors	Secure Edge connector details. Secure Edge performs traffic inspection for the WAN edge devices that the Juniper Mist cloud portal manages.
WAN	WAN interface details. The hub profile uses these details to create an overlay endpoint for spokes. For each of the WAN links, you can define the physical interface, the type of WAN (Ethernet or DSL), the IP configuration, and the overlay hub endpoints for the interfaces. See WAN Interfaces.
LAN	LAN interface details. This section lists the hub side of the LAN interfaces that connect the hub to the LAN segment. You assign the networks, create VLANs, and set up IP addresses and DHCP options (none, relay, or server). See LAN Interfaces.
Traffic Steering	Steering paths. Define the different paths the traffic can take to reach its destination. For any traffic steering policy, you can include paths for traffic to traverse, as well as the strategies for utilizing those paths. See Traffic Steering policy.
Application Policies	Policies to enforce rules for traffic. Define network (source), application (destination), traffic steering policies, and policy action. See Application policies.
Routing	Routing options for routing traffic between the hub and spokes. You can s enable Border Gateway Protocol (BGP) underlay routing, where routes are learned dynamically or use static routing to define routes manually.
CLI Configuration	CLI configuration commands. If you want to configure settings that are not available in the template's GUI, you can configure them using CLI commands in the set format.

Click Save.

Add WAN Interfaces to the Hub Profile

Create WAN interfaces for the hub profile. WAN interfaces become the connection across the SD-WAN. The hub profile automatically creates an overlay endpoints for each WAN interface. Note that the overlay Hub Endpoints is where you tell the spoke (branch) about the hub endpoints.

To add WAN interfaces to the hub profile:

Scroll down to the WAN section and click Add WAN to open the Add WAN Configuration pane.

Complete the configurations according to the details provided in Table 2.

Table 2: WAN Interface Configuration
Field	WAN Interface 1	WAN Interface 2
Name (a label and not a technology)	INET	MPLS
Overlay Hub Endpoint (generated automatically)	hub1-INET	hub1-MPLS
WAN Type	Ethernet	Ethernet
Interface	ge-0/0/0	ge-0/0/1
VLAN ID	-	-
IP Address	{{WAN0_PFX}}.254	{{WAN1_PFX}}.254
Prefix Length	24	24
Gateway	{{WAN0_PFX}}.1	{{WAN1_PFX}}.1
Source NAT	Check Interface.	Check Interface.
Override for Public IP	Check Override for Public IP. Provide Public IP={{WAN0_PUBIP} }	Check Override for Public IP. Provide Public IP={{WAN1_PUBIP} }
Public IP	{{WAN0_PUBIP}}	{{WAN1_PUBIP}}

Note:

Use Network Address Translation (NAT) along with advertising the public IP address unless the WAN address is a publicly routable address.

Click Save

Figure 1 shows the list of WAN interfaces you created.

Figure 1: Configured WAN Interfaces

Add a LAN Interface to the Hub Profile

Hub-side of LAN interfaces connect a hub device to the LAN segment.

To add a LAN interface to the hub profile:

Scroll down to the LAN section, click the Add LAN button to open the Add LAN Configuration pane.

Complete the configuration according to the details provided in Table 3.

Table 3: LAN Interface Configuration
Field	LAN Interface
Network	HUB1-LAN1 (existing network selected from drop-down list)
Interface	ge-0/0/4
IP Address	{{HUB1_LAN1_PFX}}.1
Prefix Length	24
Untagged VLAN	No
DHCP	No

Click Save.
Figure 2 shows the LAN interface you created.
Figure 2: Configured LAN Interfaces

Configure Traffic-Steering Policies

Traffic steering is where you define the different paths that application traffic can take to traverse the network. The paths that you configure within traffic steering determine the destination zone. For any traffic steering policy, you need to define the paths for traffic to traverse and strategies for utilizing those paths. Strategies include:

Ordered—Starts with a specified path and failover to backup path(s) when needed
Weighted—Distributes traffic across links according to a weighted bias, as determined by a cost that you input
Equal-cost multipath—Load balances traffic equally across multiple paths

When you apply a hub profile to a device, the traffic-steering policy determines the overlay, WAN and LAN interfaces, order of policies, and usage of Equal Cost Multi-Path (ECMP). The policy also determines how interfaces or a combination of interfaces interact to steer the traffic.

To configure traffic-steering policies:

Scroll down to the Traffic Steering section, and click Add Traffic Steering to display the Traffic Steering configuration pane.

Configure three traffic-steering policies: one for the overlay, one for the underlay, and one for the central breakout, according to the details provided in Table 4.

Table 4: Traffic-Steering Policy Configuration
Field	Traffic-Steering Policy 1	Traffic-Steering Policy 2	Traffic-Steering Policy 3
Name	Underlay (HUB-LAN)	Overlay	Central Breakout
Strategy	Ordered	ECMP	Ordered
PATHS For path types, existing LAN and WAN networks are made available for selection as endpoints.	Type—LAN Network —HUB1-LAN1	Type—WAN Network —hub1-INET and hub1-MPLS	Type—WAN Network —WAN: INET and WAN: MPLS

Figure 3 shows the list of the traffic-steering policies that you created.

Figure 3: Traffic-Steering Policies

Configure an Application Policy

Application policies are where you define which network and users can access which applications, and according to which traffic-steering policy. The settings in Networks/Users determine the source zone. The Applications and Traffic Steering path settings determine the destination zone. Additionally, you can assign a policy action— permit or deny to allow or block traffic. Mist evaluates and applies application policies in the order in which you list them in the portal. You can use Up Arrow and Down arrows to change the order of policies.

Figure 4 shows different traffic-direction requirements in this task. The image depicts a basic initial traffic model for a corporate VPN setup (third spoke device and second hub device are not shown).

Figure 4: Traffic-Direction Topology

In this task, you create the following application rules to allow traffic:

Rule 1—Allows traffic from spoke sites to reach the hub (and to a server in the DMZ attached to the hub device).
Rule 2—Allows traffic from servers in the DMZ attached to the hub to reach spoke devices.
Rule 3—Allows traffic from spoke devices to reach spoke device hair-pinning through a hub device
Rule 4—Allows Internet-bound traffic from the hub device to the Internet (local breakout). In this rule, define the destination as "Any" with IP address 0.0.0.0/0. The traffic uses the WAN underlay interface with SNAT applied to reach IP addresses on the Internet as a local breakout.
Note:
Avoid creating rules with same destination name and IP address 0.0.0.0/0. If required, create destinations with different names using IP address 0.0.0.0/0.
From the spoke devices to the Internet directly (not passing through the hub device). In this rule, define the destination as "Any" with IP address 0.0.0.0/0. The traffic uses the WAN underlay interface with SNAT applied to reach IP addresses on the Internet as a local breakout. This method implements a central breakout at the hub for all spoke devices.

To configure an application policy:

Scroll down to the Application Policy section, click Add Policy to create a new rule in the policy list.
Note:
- For SRX Series Firewalls, you must associate a traffic-steering policy to the application policy.
- The order of application policies in the policies list is very important for SRX Series Firewalls.
Click the Name column and give the policy a name, and then click the blue checkmark to apply your changes.

Figure 5: Adding a New Application Policy

Create application rules according to the details provided in Table 5.

Table 5: Application Policy Rule Configuration
No. (Policy Order)	Rule Name	Network	Action	Destination	Steering
1	Spoke-to-Hub-DMZ	ALL.SPOKE-LAN1	Pass	HUB1-LAN1	HUB-LAN
2	Hub-DMZ-to-Spokes	HUB1-LAN1	Pass	SPOKE-LAN1	Overlay
3	Spoke-to-Spoke-on-Hub-Hairpin	ALL.SPOKE-LAN1	Pass	SPOKE-LAN1	Overlay
4	Hub-DMZ-to-Internet	HUB1-LAN1	Pass	ANY	LBO
5	Spokes-Traffic-CBO-on-Hub	ALL.SPOKE-LAN1	Pass	ANY	LBO

Figure 6 shows a list of the application policies that you created.

Figure 6: Application Policy Summary

In the above illustration, the green counter marks indicates the policies you have created for the traffic requirements in Figure 4.

Allow ICMP pings for debugging and for checking device connectivity.
The default security configuration for SRX Series Firewalls does not allow ICMP pings from LAN device to the local interface of the WAN edge router. You might need to test connectivity before devices attempt to connect to the outside network. You allow ICMP pings for debugging and for checking device connectivity.

On an SRX Series Firewall, you can use the following CLI configuration statement to allow pings to the local LAN interface for debugging.

Create a Second Hub Profile by Cloning the Existing Hub Profile

Hub devices are unique throughout your network. You have to create an individual profile for each hub device. Juniper Mist™ enables you to create a hub profile by cloning the existing profile and applying modifications wherever required.

To create a second hub profile by cloning an existing hub profile:

In the Juniper Mist cloud portal, click Organization > WAN > Hub Profiles.
A list of existing hub profiles, if any, appears.
Click the hub profile (example: hub1) that you want to clone. The profile page of the selected hub profile opens.
In the upper right corner of the screen, click More and select Clone.

Figure 7: Create a New Hub Profile By Using the Clone Option
Name the new profile (example: hub2) and click Clone.

If you see any errors while naming the profile, refresh your browser.
Start configuring the profile. Since you've used variables when creating the original hub profile, you don't need to configure all options from the beginning. You need to change only the required configurations to reflect HUB2 details. For example, change Network to HUB2-LAN1 and change IP Address to {{HUB2_LAN1_PFX}}.1.

Figure 8: Edit a Cloned Profile
Change the LAN interface to include HUB2. Example: HUB2-LAN1 and {{HUB2_LAN1_PFX}}.1
Confirm that the variables in the configuration have changed to reflect hub2 profile details. Example: Overlay definitions have changed to hub2-INET and hub2-MPLS.

Figure 9: Updated Traffic-Steering Policy
Scroll down to the TRAFFIC STEERING pane and edit the entry to change the Paths to LAN: HUB2-LAN1.

Figure 10: Update Paths in a Traffic-Steering Policy

Update the application rules according to the details provided in Table 6. For example, wherever applicable, change HUB1-LAN to HUB2-LAN.

Table 6: Application Rules Configuration
S.No.	Rule Name	Network	Action	Destination	Steering
1	Spoke-to-Hub-DMZ	ALL.SPOKE-LAN1	Pass	HUB2-LAN1	HUB-LAN
2	Hub-DMZ-to-Spokes	HUB2-LAN1	Pass	SPOKE-LAN1	Overlay
3	Spoke-to-Spoke-on-Hub-Hairpin	ALL.SPOKE-LAN1	Pass	SPOKE-LAN1	Overlay
4	Hub-DMZ-to-Internet	HUB2-LAN1	Pass	ANY	LBO
5	Spokes-Traffic-CBO-on-Hub	ALL.SPOKE-LAN1	Pass	ANY	LBO

Figure 11 shows the details of the updated application policies after you save your changes.

Figure 11: Updated Application Policy Summary

ON THIS PAGE