Add Devices

Overview

You can add devices to Juniper Security Director Cloud by:

Using Commands - Juniper Security Director Cloud generates commands for adding an individual device, device cluster, or MNHA pair devices. When you copy-paste and commit the commands into the device console, the device, device cluster, or MNHA pair devices are added to Juniper Security Director Cloud. See Add Standalone Devices, Device Clusters, or MNHA Pair Devices Using Commands. For the list of supported SRX Series firewalls on which MNHA is supported, see the High Availability User Guide.

Note:
Juniper Security Director Cloud supports MNHA pair devices that run Junos OS Release 22.4R1 or later.
ZTP - You can configure and provision devices automatically without any manual intervention. See Add Devices Using ZTP.
Using J-Web - See Add an SRX Series Firewall to Juniper Security Director Cloud in the J-Web User Guide for SRX Series Firewalls for details.
Using Security Director - See Add Devices to Juniper Security Director Cloud in the Juniper Security Director User Guide for details.
Scanning QR code - Onboard cloud-ready SRX Series Firewall by scanning the device QR code. See Add Device by Scanning QR Code.

Before You Begin

Ensure that each SRX Series Firewall port can communicate with a Juniper Security Director Cloud FQDN. The FQDN of each region is different.

Table 1: Region to FQDN Mapping
Region	Purpose	Port	FQDN
North Virginia, US	ZTP	443	jsec2-virginia.juniperclouds.net
	Outbound SSH	7804	srx.sdcloud.juniperclouds.net
	Syslog TLS	6514	srx.sdcloud.juniperclouds.net
Ohio, US	ZTP	443	jsec2-ohio.juniperclouds.net
	Outbound SSH	7804	srx.jsec2-ohio.juniperclouds.net
	Syslog TLS	6514	srx.jsec2-ohio.juniperclouds.net
Montreal, Canada	ZTP	443	jsec-montreal2.juniperclouds.net
	Outbound SSH	7804	srx.jsec-montreal2.juniperclouds.net
	Syslog TLS	6514	srx.jsec-montreal2.juniperclouds.net
Frankfurt, Germany	ZTP	443	jsec-frankfurt.juniperclouds.net
	Outbound SSH	7804	srx.jsec-frankfurt.juniperclouds.net
	Syslog TLS	6514	srx.jsec-frankfurt.juniperclouds.net

Use TCP port 53 and UDP port 53 to connect to Google DNS servers (IP addresses—8.8.8.8 and 8.8.4.4). The Google DNS servers are specified as the default servers in the factory settings of the SRX Series Firewalls. You must use these default DNS servers when you use ZTP to onboard the firewalls. You can use private DNS servers when you use other methods to onboard the firewalls. Note that you must make sure that the private DNS servers can resolve the Juniper Security Director Cloud FQDNs.

If you use a custom routing-instance to connect to Juniper Security Director Cloud, run the following CLI commands to download and install the IDP security package from Juniper Security Director Cloud to a device:

Standalone Devices Device Clusters MNHA Pair Devices

Standalone Devices	Device Clusters	MNHA Pair Devices
`set security idp security-package routing-instance <custom routing-instance>`	`set groups node0 security idp security-package routing-instance <custom routing-instance>` `set groups node1 security idp security-package routing-instance <custom routing-instance>`	For each device in an MNHA pair: `set security idp security-package routing-instance <custom routing-instance>`

set security idp security-package routing-instance <custom routing-instance>

set groups node0 security idp security-package routing-instance <custom routing-instance>
set groups node1 security idp security-package routing-instance <custom routing-instance>

For each device in an MNHA pair:

set security idp security-package routing-instance <custom routing-instance>

Add Standalone Devices, Device Clusters, or MNHA Pair Devices Using Commands

Juniper Security Director Cloud generates commands for adding a standalone device, a device cluster, or a multinode high availability (MNHA) pair devices. You can copy-paste and commit the commands into the device console, after which the devices are discovered and added to Juniper Security Director Cloud. For more information about MNHA, see the High Availability User Guide.

Note:

Juniper Security Director Cloud supports MNHA pair devices that run Junos OS Release 22.4R1 or later.

Click SRX > Device Management > Devices.
The Devices page is displayed.
Click +.
The Add Devices page is displayed.
Click Adopt SRX Devices.
Select one of the following options:
- SRX Devices to add standalone devices.
- SRX Clusters to add device clusters.
- SRX Multi-node High Availability (MNHA) to add MNHA pairs.
Enter the number of standalone devices, device clusters, or MNHA pairs to be added and click OK.

Note:
You can add a maximum of 50 standalone devices, device clusters, or MNHA pairs at a time. An MNHA pair consists of 2 devices. So, if you enter 1, both the devices in the MNHA pair are added.

A success message is displayed and the standalone device, device cluster, or MNHA pair and its devices are displayed on the Devices page.
Note:
At this point, Juniper Security Director Cloud has not yet completely added the device. So the Management Status column displays Discovery Not Initiated status.
In the Management Status column, click Adopt Device or Adopt Cluster.

Note:
If you added an MNHA pair, the Adopt Device link is displayed for each MNHA pair device.

The Adopt Devices page opens with the commands that you need to commit to the device.
Copy and paste the commands to your device edit prompt, and press Enter. If you are adding a device cluster, paste the commands to the cluster's primary device's CLI. If you are adding an MNHA pair, paste the commands to each device in the pair.
If you use a custom routing-instance to connect to Juniper Security Director Cloud, add the following CLI commands on the adopted SRX Series Firewalls:
- Standalone devices: set system services outbound-ssh routing-instance <custom routing-instance>
- Device clusters:
  - set groups node0 system services outbound-ssh routing-instance <custom routing-instance>
  - set groups node1 system services outbound-ssh routing-instance <custom routing-instance>
- For each device in an MNHA pair: set system services outbound-ssh routing-instance <custom routing-instance>
Type Commit and press Enter to commit the changes to the device.
The device discovery process is initiated in Juniper Security Director Cloud. You can refresh the Devices page and see the status Discovery in progress in the Management Status column. You can view the job status on the Jobs page.
After discovery is complete, the status in the Management Status column changes to Up. If the discovery fails, Discovery failed status is displayed. Hover over the Discovery failed status to see the reason for the failure.
- If the job fails for an MNHA pair, the deployment mode is not displayed beside the MNHA pair name. You can delete and add the MNHA pair again or initiate the discovery process again.
- If security certificates installation job failed on a device in the MNHA pair, retry the job from the Jobs page and then reinitiate security logs configuration for the device from the Devices page.
Optional. Run the following CLI commands to receive logs streams on Juniper Security Director Cloud when a custom routing-instance is used:
- Standalone devices: set security log stream sd-cloud-logs host routing-instance <custom routing-instance>
- Device clusters:
  - set groups node0 security log stream sd-cloud-logs host routing-instance <custom routing-instance>
  - set groups node1 security log stream sd-cloud-logs host routing-instance <custom routing-instance>
- For each device in an MNHA pair: set security log stream sd-cloud-logs host routing-instance <custom routing-instance>

Auto Import Behavior on Devices Added To Juniper Security Director Cloud

If you have selected the auto-import option under the Organization tab and the devices are managed using the adopt devices method and device discovery profiles, this will automatically import security policies, NAT and referred objects. See About the Organization Page.

The auto import process creates copies of objects that conflict with the existing objects in Juniper Security Director Cloud.
The auto import process does not overwrite default Content Security settings in Juniper Security Director Cloud. The existing Content Security configuration is considered instead of the imported device configuration. We recommend you review and configure the Content Security settings in Juniper Security Director Cloud before managing the device. See Configure the Content Security Settings.

Add Devices Using ZTP

You can configure and provision devices automatically using ZTP. ZTP reduces the manual intervention for adding devices to a network. To ensure valid devices are onboarded through ZTP, you can configure Juniper Security Director Cloud to prompt you to approve or reject onboarding requests.

For supported SRX Series Firewalls, see Juniper Security Director Cloud Supported Firewalls.

Note:

To add other devices models, configure the basic device settings and connectivity, and add the device using Add Standalone Devices, Device Clusters, or MNHA Pair Devices Using Commands.

Power on the devices to add to Juniper Security Director Cloud.

Click SRX >Device Management > Devices.
The Devices page is displayed.
Click Add Devices.
The Add Devices page is displayed.
To manually enter the device details, click Register SRX Devices for ZTP, and do the following:
1. Enter the serial number of the device.
2. Set a root password for the device with at least six alphanumeric and special characters without spaces.
3. To add multiple devices, click + and enter the device details.
4. To use the same root password for all devices, select Use this password for all devices in Device 1.
5. Click OK.
To upload device information as a CSV file, click Register Devices for ZTP > Upload CSV File, and do the following:
1. Click Download sample CSV file to download the CSV file template to enter the device details.
2. Add the serial number and root password of the devices in the CSV file.
3. Click Browse and upload the CSV file.
4. Click OK.

The devices are added and displayed on the Devices page and the device discovery process is initiated.

If Juniper Security Director Cloud is configured to prompt you to approve or reject onboarding requests for devices through ZTP, a link to approve or reject the request is displayed in the Management Status column. See Approve or Reject Onboarding Requests for ZTP Devices.

Add Device by Scanning QR Code

You can add cloud-ready SRX Series Firewalls to Juniper Security Director Cloud by scanning the QR code available on the firewall. Your SRX Series Firewall is cloud-ready if it has a QR claim code on the front or the back panel.

Ensure the following:

The firewall is powered on.
The firewall is not already added in an organization. You can add a firewall in only one organization.

Scan the QR code on the SRX Series Firewall using a mobile device that is connected to the Internet.
Click the displayed link to go to the Juniper Security Director Cloud login page.
Enter your account email address and password and click Login.
If you do not have an account, go to https://sdcloud.juniperclouds.net on a different device, create an account, and then retry.
Select the organization to add the firewall.
Enter the root password for the firewall with a minimum of six characters without spaces and click Add Device.
The firewall is added to Juniper Security Director Cloud and the device discovery is automatically initiated. You can log in to the portal and manage the firewall after the discovery is complete.
Note:
After you log in, the session is valid for 60 minutes. During this time, you can add multiple firewalls without entering the account email address and password.

Approve or Reject Onboarding Requests for ZTP Devices

The Approve/reject device onboarding requests toggle button on the Organization page must be enabled to receive onboarding requests.

ZTP reduces the manual intervention for adding devices to a network. However, to ensure valid devices are onboarded through ZTP, you can configure Juniper Security Director Cloud to prompt you to approve or reject onboarding requests for devices.

When you enter an incorrect serial number, an onboarding request is not generated. It ensures that only devices with valid serial numbers are added in Juniper Security Director Cloud.

In the Management Status column for the device, hover over the Onboarding Request(s) link.
The options to approve or reject the request are displayed.
Note:
You must approve or reject a request within 14 days. After 14 days, the device is automatically removed from Juniper Security Director Cloud.
To approve the request and initiate device discovery, perform the following steps:
1. Click Approve Onboarding Request(s).
  You are prompted to confirm if you want to approve the request.
2. Click OK.
  The device discovery process is initiated and Discovery in progress status is displayed in the Management Status column. When the discovery is complete, Up and In Sync statuses are displayed in Management Status and Inventory Status columns respectively. If the discovery failed, you can check the details on the Jobs page.
  Note:
  You can reject the request anytime before the discovery process is initiated. If the discovery is initiated, you can only delete the device from Juniper Security Director Cloud. See Delete Devices.
To reject the request, click Reject Onboarding Request(s).
The Onboarding Request(s) Rejected status is displayed as a link. You can hover over the link and approve the request later.
Note:
You must approve or reject a request within 14 days. After 14 days, the device is automatically removed from Juniper Security Director Cloud.

ON THIS PAGE