    SRX210 Services Gateway Software Configuration Overview

    This topic includes the following sections:

    Preparing the SRX210 Services Gateway for Configuration

    The services gateway is shipped with the Juniper Networks Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on.

    You can perform the initial software configuration of the services gateway by using the browser-based setup wizard or by using the command-line interface (CLI).

    Before configuring the device, gather the configuration information required to deploy the device in your network. At minimum, the setup wizard requires the following information:

    • Device name to be used on the network
    • Password for the root user
    • Time information for services gateway location
      • Local time zone
      • Name or IP address of a Network Time Protocol (NTP) server, if NTP is used to set the time on the services gateway
      • Local date and time if an NTP server is not used to set the time

    Understanding the Factory-Default Configuration

    Your services gateway comes configured with a factory-default configuration. This configuration sets up the following network topology:

    • Interface ge-0/0/0 (port 0/0) is configured for Internet access. A DHCP client running on the interface enables the interface to receive its network settings—IP address, default gateway, and DNS servers—from an Internet service provider (ISP).
    • Interfaces ge-0/0/1 and fe-0/0/2 through fe-0/0/7 (port 0/1 through port 0/7) are configured as switched interfaces in a common VLAN on which the IP address is configured.
    • A DHCP server is active on interfaces ge-0/0/1 and fe-0/0/2 through fe-0/0/7. The DHCP server assigns IP addresses in the network to connected devices.

    The default configuration also includes the following security configuration:

    • Two security zones are created: trust and untrust.
    • Interface ge-0/0/0 is in the untrust zone, while interfaces ge-0/0/1 and fe-0/0/2 through fe-0/0/7 are in the trust zone.
    • A security policy is created that permits outbound traffic from the trust zone to the untrust zone. Inbound traffic originating in the untrust zone is blocked.
    • Source Network Address Translation (NAT) is configured on the trust zone.
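    The default security posture described above can be used as a baseline for a drift check. The following is an added example, not part of the original Juniper topic: it scans a configuration in display set form for interfaces added to the untrust zone and for policies that permit untrust-to-trust traffic. The sample configuration, its unit numbers and its policy names are constructed for illustration.

```python
import re

# Constructed `display set` excerpt (not from a real device). Unit numbers
# and policy names are illustrative assumptions.
SAMPLE_CONFIG = """\
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/5.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy inbound-web match application any
set security policies from-zone untrust to-zone trust policy inbound-web then permit
set security policies from-zone untrust to-zone trust policy drop-all then deny
"""

ZONE_RE = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)")
POLICY_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then (permit|deny|reject)")

def zone_members(config_text):
    """Map each security zone to the physical interfaces bound to it."""
    zones = {}
    for zone, ifname in ZONE_RE.findall(config_text):
        zones.setdefault(zone, set()).add(ifname.split(".")[0])  # drop the unit
    return zones

def inbound_permits(config_text, outside="untrust", inside="trust"):
    """Names of policies that permit traffic from the outside zone inward."""
    return [name for src, dst, name, action in POLICY_RE.findall(config_text)
            if (src, dst, action) == (outside, inside, "permit")]

def drift_from_default(config_text):
    """List deviations from the factory-default posture described on this page."""
    findings = []
    untrust = zone_members(config_text).get("untrust", set())
    if "ge-0/0/0" not in untrust:
        findings.append("ge-0/0/0 is not in the untrust zone")
    for ifname in sorted(untrust - {"ge-0/0/0"}):
        findings.append(f"{ifname} has been added to the untrust zone")
    for name in inbound_permits(config_text):
        findings.append(f"policy {name} permits untrust-to-trust traffic")
    return findings

if __name__ == "__main__":
    for finding in drift_from_default(SAMPLE_CONFIG):
        print("[!]", finding)
```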

    Understanding Built-In Ethernet Ports and Initial Configuration

    During the initial configuration of the services gateway, how you use the built-in Ethernet ports (ports 0/0 through 0/7) depends on the initial configuration you are performing:

    • Configuration using autoinstallation—Use built-in Ethernet port 0/0 to connect to the DHCP server. A DHCP client is configured on this interface, allowing the services gateway to receive its IP address from the DHCP server.
    • Configuration using the setup wizard—Use the following built-in Ethernet ports:
      • Port 0/1—Connect your management device to this port. A DHCP server running on this interface automatically assigns your management device an IP address in the same subnetwork as the interface, allowing your management device to communicate with the services gateway through this interface.
      • Port 0/0—Connect your services gateway to the Internet on this port if you plan to download purchased software licenses through the setup wizard. A DHCP client running on this interface allows it to receive its network settings from the ISP.

        Note: Downloading of purchased licenses from the setup wizard is available only in Junos OS Release 11.2R3 or later.

    • Configuration of a chassis cluster—Perform the initial configuration of the chassis cluster using a console connection. Before you perform the initial configuration, connect the built-in Ethernet ports as follows:
      • Port 0/6—Connect to the out-of-band management network for management of the device. When you enable chassis clustering as part of configuring the chassis cluster, the management interface (fxp0) is automatically created on this port.
      • Port 0/7—Connect to the other device in the chassis cluster. When you enable chassis clustering, the control interface between the two devices (fxp1) is automatically created on this port.

      You must also make another connection between the two devices for the fabric link. You can use any Fast Ethernet or Gigabit Ethernet port for this connection. You must configure the interface you choose as the fabric link. For more information on configuring chassis clusters, see the Security Basics.

    Mapping the Chassis Cluster Ports

    On the SRX210 Services Gateway, the fxp1 port is not user-configurable when the services gateway is operating in chassis cluster mode.

    The fxp0 port is dedicated as the out-of-band management interface for each of the devices in the chassis cluster setup, and the fxp1 port is dedicated as the chassis cluster control port.

    Table 1 shows the mapping of the chassis cluster ports.

    Table 1: Mapping the Chassis Cluster Ports on an SRX210 Services Gateway

    Ethernet Ports on SRX210 Services Gateway | Management Interface
    0/6 (fe-0/0/6)                            | fxp0 (management port)
    0/7 (fe-0/0/7)                            | fxp1 (control port)

    Junos OS automatically creates the fxp0 and fxp1 interfaces on these ports when the SRX210 Services Gateway is operating in chassis cluster mode.

    For more information, see the following topics:

    Understanding Management Access

    Telnet allows you to connect to the services gateway and access the CLI to execute commands from a remote system. The Telnet CLI connections are not encrypted and therefore can be intercepted.

    Note: Telnet access to the root user is prohibited. You must use more secure methods, such as SSH, to log in as root.

    SSH provides the following features:

    • Allows you to connect to the device and access the CLI to execute commands from a remote system
    • Encrypts traffic so that it cannot be intercepted (unlike Telnet)
    • Can be configured so that connections are authenticated by a digital certificate
    • Uses public–private key technology for both connection and authentication

    The SSH client software must be installed on the machine where the client application runs. If the SSH private key is encrypted (for greater security), the SSH client must be able to access the passphrase used to decrypt the key.

    For information about obtaining SSH software, see and

    If you are using a Junos XML protocol server to configure and monitor devices, you can activate cleartext access on the device to allow unencrypted text to be sent directly over a Transmission Control Protocol (TCP) connection without using any additional protocol (such as SSH, SSL, or Telnet). For more information about the Junos XML management protocol, see
     PDF Document.

    Note: Information sent in cleartext is not encrypted and therefore can be intercepted.

    If the device is operating in a Common Criteria environment, see the Configuration Guides for Junos OS Public Sector Certifications.
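    One way to check a device against the management-access notes above is to audit its configuration for the cleartext services. The following is an added example, not part of the original Juniper topic: it reads a configuration in display set form and reports Telnet, Junos XML cleartext access (the xnm-clear-text service statement) and a missing SSH service. The sample configuration is constructed for illustration.

```python
import re

# Constructed sample in `show configuration | display set` form (not from a real device).
SAMPLE_CONFIG = """\
set system host-name srx210-lab
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management https system-generated-certificate
"""

# Cleartext services and the reason each is flagged, as stated on this page.
CLEARTEXT_SERVICES = {
    "telnet": "Telnet CLI connections are not encrypted and can be intercepted",
    "xnm-clear-text": "Junos XML cleartext access sends unencrypted text over TCP",
}

SERVICE_RE = re.compile(r"^\s*(set|deactivate) system services (\S+)(.*)$", re.M)

def active_services(config_text):
    """Return services configured under [system services] and not deactivated."""
    enabled, deactivated = set(), set()
    for verb, name, rest in SERVICE_RE.findall(config_text):
        if verb == "set":
            enabled.add(name)
        elif not rest.strip():  # only a whole-service deactivate counts
            deactivated.add(name)
    return enabled - deactivated

def audit_management_access(config_text):
    """Return sorted (service, finding) pairs for cleartext or missing SSH access."""
    services = active_services(config_text)
    findings = [(s, why) for s, why in CLEARTEXT_SERVICES.items() if s in services]
    if "ssh" not in services:
        findings.append(("ssh", "SSH is not enabled; no encrypted CLI access"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit_management_access(SAMPLE_CONFIG):
        print(f"[!] {service}: {finding}")
```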

    Published: 2013-06-23