Configure WAN Edge Templates for SRX Series Firewalls

SUMMARY

The WAN edge template in Juniper Mist™ WAN Assurance enables you to define common spoke characteristics including WAN interfaces, traffic-steering rules, and access policies. You then apply these configurations to the Juniper Networks® SRX Series Firewall deployed as a WAN edge device. When you assign a WAN edge device to a site, the device automatically adopts the configuration from the associated template. This automatic process enables you to manage and apply consistent and standardized configurations across your network infrastructure, streamlining the configuration process.

Note:

Configuration done on the WAN edge device through the Mist dashboard overrides any configuration done through the device CLI.

You can have one or more templates for your spoke devices.

In this task, you create and configure a WAN edge template for a spoke device in the Juniper Mist™ cloud portal.

Configure a WAN Edge Template

To configure a WAN edge template:

In the Juniper Mist™ portal, click Organization > WAN > WAN Edge Templates. A list of existing templates, if any, appears.
Click the Create Template button in the upper right corner.

Note:
You can also create a WAN edge template by importing a JavaScript Object Notation (JSON) file using the Import Profile option.
In the box that appears, enter the name for the template, click Type and select Spoke, and then click Create.

Figure 1: Select the Template Type

Here’s an illustration that shows the GUI elements on the WAN edge template configuration page.

Figure 2: WAN Edge Template Configuration Options

Complete the configurations according to the details provided in Table 1.

Table 1: WAN Edge Profile Options
Fields	Description
Name	Profile name. Enter a unique profile name with up to 64 characters.
Type	WAN edge profile type. Select one of the following options: Standalone—To manage a standalone device in your site. Spoke—To manage a spoke device that is connecting to a hub device in your configuration.
NTP	The IP address or hostname of the Network Time Protocol (NTP) server. NTP is used to synchronize the clocks of the switch and other hardware devices on the Internet.
Applies to Device	Site to associate the WAN edge template. The drop-down menu shows a list of the WAN edge devices that have been added to the inventory of the current site.
DNS Settings	IP address or host names of Domain Name System (DNS) servers. Network devices use the DNS name servers to resolve hostnames to IP addresses.
Secure Edge Connectors	Secure Edge connector details. Juniper Secure Edge performs traffic inspection for the WAN edge devices managed by Juniper Mist Cloud portal.
WAN	WAN interfaces details. This WAN interface corresponds to the WAN interface on hub. That is—Mist creates an IPsec VPN tunnel between WAN interface on the hub to WAN interface on the spoke. For each of the WAN links, you can define the physical interface, the type of WAN (Ethernet or DSL), the IP configuration, and the overlay hub endpoints for the interfaces . See WAN Interfaces.
LAN	LAN interfaces. LAN interfaces that connect the LAN segment. You assign the networks, create VLANs, and set up IP addresses and DHCP options (none, or relay, or server). See LAN Interfaces.
Traffic Steering	Steering paths. Define different paths the traffic can take to reach its destination. For any traffic steering policy, you can include paths for traffic to traverse, as well as the strategies for utilizing those paths. See Traffic Steering .
Application Policies	Policies to enforce rules for traffic. Define network (source), application (destination), traffic steering policies, and policy action. See Application Policies .
Routing	Routing options for routing traffic between the hub and spokes. You can enable Border Gateway Protocol (BGP) underlay routing, where routes are learned dynamically or use static routing to define routes manually..
CLI Configuration	CLI option. For any additional settings that are not available in the template's GUI, you can still configure them using CLI set commands.

Click Save.

Add WAN Interfaces to the Template

The WAN interface on the spoke corresponds to the WAN interface on hub. That is—Mist creates an IPsec VPN tunnel between WAN interface on the hub to WAN interface on the spoke.

In this task, add two WAN interfaces to the WAN edge template.

To add WAN interfaces to the template:

In the Juniper Mist portal, scroll down to the WAN section and click Add WAN to open the Add WAN Configuration pane.

Complete the configuration according to the details provided in Table 2.

Table 2: WAN Interface Configuration Options
Fields	WAN Interface 1	WAN Interface 2
Name (a label and not a technology)	INET	MPLS
WAN Type	Ethernet	Ethernet
Interface	ge-0/0/0	ge-0/0/3
VLAN ID	-	-
IP Configuration	DHCP	Static IP Address={{WAN1_PFX}}.2 Prefix Length=24 Gateway={{WAN1_PFX}}.1
Source NAT	Interface	Interface
Overlay Hub Endpoint (generated automatically).	hub1-INET, hub2-INET (BFD profile Broadband)	hub1-MPLS and hub2-MPLS

Figure 3 shows list of WAN interfaces you created.

Figure 3: WAN Interfaces Summary

Add a LAN Interface

LAN interface configuration identifies your request source from the name of the network you specify in the LAN configuration.

To add a LAN interface:

In the Juniper Mist portal, scroll down to the LAN pane and click Add LAN to open the Add LAN Configuration panel.

Complete the configuration according to the details provided in Table 3.

Table 3: LAN Interface Details
Fields	LAN Interface
Network	SPOKE-LAN1 (Select from the list of networks that appears. When you do, the remaining configuration will be filled in automatically.)
Interface	ge-0/0/3
IP Address	{{SPOKE_LAN1_PFX}}.1
Prefix Length	24
Untagged VLAN	No
DHCP	No

Figure 4 shows the list of LAN interface you created.

Figure 4: Summary of LAN Interface

Configure Traffic-Steering Policies

Just like with hub profiles, traffic steering in a Juniper Mist network is where you define the different paths that application traffic can take to traverse the network. The paths that you configure within traffic steering also determine the destination zone.

To configure traffic-steering policies:

In the Juniper Mist portal, scroll down to the Traffic Steering section, and click Add Traffic Steering to display the Traffic Steering configuration pane.

Complete the configuration according to the details provided in Table 4.

Table 4: Traffic Steering Policy Configuration
Fields	Traffic-Steering Policy 1	Traffic-Steering Policy 2
Name	SPOKE-LANS	Overlay
Strategy	Ordered	ECMP
PATHS (For path types, you can select the previously created LAN and WAN networks as endpoints.)	Type—LAN Network—SPOKE-LAN1	Type— WAN Network — hub1-INET hub2-INET hub1-MPLS hub2-MPLS

Figure 5 shows the list of traffic-steering policies you created.

Figure 5: Traffic-Steering Policies Summary

Configure Application Policies

In a Mist network, application policies are where you define which network and users can access which applications, and according to which traffic-steering policy. The Networks/Users settings determine the source zone. The Application + Traffic Steering settings determine the destination zone. Additionally, you can assign an action of Permit or Deny. Mist evaluates and applies application policies in the order in which you list them.

Consider the traffic-flow requirements in Figure 6. The image depicts a basic initial traffic model for a corporate VPN setup (third spoke device and second hub device are not shown).

Figure 6: Traffic Flow and Distribution

To meet the preceding requirements, you need to create the following application policies:

Policy 1—Allows traffic from spoke sites to the hub. In this case, the destination prefix used in address groups represents the LAN interface of two hubs.
Policy 2—Allows spoke-to-spoke traffic through the corporate LAN through an overlay.

Note:
This may not be feasible in the real world except on expensive MPLS networks with managed IPs. Managed IPs send traffic directly to the other spoke. This type of traffic usually flows through a hub device
Policy 3—Allows traffic from both the hub and the DMZ attached to the hub to the spoke devices.
Policy 4—Allows Internet-bound traffic to flow from spoke devices to the hub device. From there, the traffic breaks out to the Internet. In this case, the hub applies source NAT to the traffic and routes traffic to a WAN interface, as defined in the hub profile. This rule is general, so you should place it after the specific rules. Because Mist evaluates application policies in the order they are placed in the policies list.

To configure application polices:

In the Juniper Mist portal, scroll down to Application Policy section, click Add Policy to add a new policy in the policy list.

Complete the configuration according to the details provided in Table 5.

Table 5: Application Policies Configuration
S.No.	Rule Name	Network	Action	Destination	Steering
1	Spoke-to-Hub-DMZ	SPOKE-LAN1	Pass	HUB1-LAN1 + HUB2-LAN1	Overlay
2	Spoke-to-Spoke-via-Hub	SPOKE-LAN1	Pass	SPOKE-LAN1	Overlay
3	Hub-DMZ-to-Spoke	HUB1-LAN1 + HUB2-LAN1	Pass	SPOKE-LAN1	SPOKE-LANS
4	Internet-via-Hub-CBO	SPOKE-LAN1	Pass	ANY	Overlay

Note:

Juniper Mist cloud evaluates and applies application policies in the order in which the policies are listed. You can move a given policy up or down in the order by clicking the ellipsis (…) button.
You must create steering policies to use with SRX Series Firewalls.

Figure 7 shows the list of application policies you created.

Figure 7: Application Policy Summary

Allow Internet Control Message Protocol (ICMP) pings for debugging and for checking device connectivity.
The default security configuration for SRX Series Firewalls do not allow ICMP ping requests from the LAN device to the local interface of the WAN edge router. We recommend that you test connectivity before the device attempts to connect to the outside network. We also recommend that you allow ICMP ping requests for debugging and for checking device connectivity.

On the SRX Series Firewall, use the following CLI configuration statement to allow ping requests to the local LAN interface for debugging:

ON THIS PAGE