Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Add Devices

Before You Begin

  • Ensure you have access to the Juniper Security Director's Device connection virtual IP address or FQDN. You can find the virtual IP address details on the Administration > System Management > System page.

  • Open port TCP/443 (HTTPS) for the Juniper Security Director's UI virtual IP address or FQDN.
  • Open port TCP/7804 (NETCONF) for SRX Series Firewall outbound access to Juniper Security Director’s Device connection virtual IP address or FQDN.
  • Open port TCP/6514 (TLS Syslog) for monitoring and sending security logs to Juniper Security Director’s Log collector virtual IP address or FQDN.
  • Open port TCP/53 (DNS) for the IP address 8.8.8.8 to allow access to the Google DNS server.
  • Open port UDP/53 (DNS) for the IP address 8.8.4.4 to allow access to the Google DNS server.
  • Ensure a minimum of 32 SSH connections for NETCONF. If the number of connections is currently lower, increase it to prevent any potential configuration or synchronization issues. For more details, see Establish an SSH Connection for a NETCONF Session.
  • Ensure the System time on the device is configured correctly. You can set the time manually or synchronize the device with your NTP server.

  • Ensure that each SRX Series Firewall port can communicate with Juniper Security Director. The following table contains the details of SRX Series Firewall inbound connection ports.

    Table 1: Inbound Ports

    Port

    Purpose

    7804

    Inbound connection from all managed devices

    6514

    Inbound connection for traffic logs

  • If you use a custom routing-instance to connect to Juniper Security Director, run the following CLI commands to download and install the IDP security package from Juniper Security Director to a device:

    Standalone Devices Device Clusters MNHA Pair Devices

    set security idp security-package routing-instance <custom routing-instance>

    • set groups node0 security idp security-package routing-instance <custom routing-instance>

    • set groups node1 security idp security-package routing-instance <custom routing-instance>

    For each device in an MNHA pair:

    set security idp security-package routing-instance <custom routing-instance>

Add Standalone Devices, Device Clusters, or MNHA Pair Devices Using Commands

Juniper Security Director generates commands for adding a standalone device, a device cluster, or a multinode high availability (MNHA) pair devices. You can copy-paste and commit the commands into the device console, after which the devices are discovered and added to Juniper Security Director. For more information about MNHA, see the High Availability User Guide.

Note:

Juniper Security Director supports MNHA pair devices that run Junos OS Release 22.4R1 or later.
  1. Click SRX > Device Management > Devices.
    The Devices page is displayed.
  2. Click +.
    The Add Devices page is displayed.
  3. Click Adopt SRX Devices.
  4. Select one of the following options:
    • SRX Devices to add standalone devices.
    • SRX Clusters to add device clusters.
    • SRX Multi-node High Availability (MNHA) to add MNHA pairs.
  5. Enter the number of standalone devices, device clusters, or MNHA pairs to be added and click OK.
    Note:

    You can add a maximum of 50 standalone devices, device clusters, or MNHA pairs at a time. An MNHA pair consists of 2 devices. So, if you enter 1, both the devices in the MNHA pair are added.

    A success message is displayed and the standalone device, device cluster, or MNHA pair and its devices are displayed on the Devices page.
    Note:

    At this point, Juniper Security Director has not yet completely added the device. So the Management Status column displays Discovery Not Initiated status.

  6. In the Management Status column, click Adopt Device or Adopt Cluster.
    Note:

    If you added an MNHA pair, the Adopt Device link is displayed for each MNHA pair device.
    The Adopt Devices page opens with the commands that you need to commit to the device.
  7. Copy and paste the commands to your device edit prompt, and press Enter. If you are adding a device cluster, paste the commands to the cluster's primary device's CLI. If you are adding an MNHA pair, paste the commands to each device in the pair.

    If you use a custom routing-instance to connect to Juniper Security Director, add the following CLI commands on the adopted SRX Series Firewalls:

    • Standalone devices: set system services outbound-ssh routing-instance <custom routing-instance>

    • Device clusters:

      • set groups node0 system services outbound-ssh routing-instance <custom routing-instance>

      • set groups node1 system services outbound-ssh routing-instance <custom routing-instance>

    • For each device in an MNHA pair: set system services outbound-ssh routing-instance <custom routing-instance>

  8. Type Commit and press Enter to commit the changes to the device.
    The device discovery process is initiated in Juniper Security Director. You can refresh the Devices page and see the status Discovery in progress in the Management Status column. You can view the job status on the Jobs page.

    After discovery is complete, the status in the Management Status column changes to Up. If the discovery fails, Discovery failed status is displayed. Hover over the Discovery failed status to see the reason for the failure.

    • If the job fails for an MNHA pair, the deployment mode is not displayed beside the MNHA pair name. You can delete and add the MNHA pair again or initiate the discovery process again.

    • If security certificates installation job failed on a device in the MNHA pair, retry the job from the Jobs page and then reinitiate security logs configuration for the device from the Devices page.

  9. Optional. Run the following CLI commands to receive logs streams on Juniper Security Director when a custom routing-instance is used:

    • Standalone devices: set security log stream sd-logs host routing-instance <custom routing-instance>

    • Device clusters:

      • set groups node0 security log stream sd-logs host routing-instance <custom routing-instance>

      • set groups node1 security log stream sd-logs host routing-instance <custom routing-instance>

    • For each device in an MNHA pair: set security log stream sd-logs host routing-instance <custom routing-instance>

Auto Import Behavior on Devices Added To Juniper Security Director

If you have selected the auto-import option under the Organization tab and the devices are managed using the adopt devices method and device discovery profiles, this will automatically import security policies, NAT and referred objects. See About the Organization Page.

  • The auto import process creates copies of objects that conflict with the existing objects in Juniper Security Director.

  • The auto import process does not overwrite default Content Security settings in Juniper Security Director. The existing Content Security configuration is considered instead of the imported device configuration. We recommend you review and configure the Content Security settings in Juniper Security Director before managing the device. See Configure the Content Security Settings.