As shipped from the factory, a Services Router running JUNOS software with enhanced services initially starts up and uses a configuration that places the router in secure context. You can change the context in which the Services Router is running from secure context to router context. To do so, use a predefined template configuration file. If you plan to use the Services Router primarily as a router, change to router context, using this configuration as your starting point.
 |
Caution: If you plan to change contexts, do so before you configure anything else on the Services Router. If you change contexts after you have configured the Services Router, your configuration is overwritten by the default configuration for the new context. |
Secure context allows a Services Router to act as a stateful firewall with only management access. To allow traffic to pass through a Services Router, you must explicitly configure a security policy for that purpose. In secure context, a Services Router forwards packets only if a security policy permits it. Certain services are also configured (in the host-inbound-traffic statement at the [edit security zones] hierarchy level) to allow host-inbound traffic for management of a Services Router. A Services Router running in secure context is a secure routing device with predefined configuration values.
For secure context configuration details, see Secure Context Configuration Settings. For information about how to change from router context to secure context, see Changing from Router Context to Secure Context.
Router context allows a Services Router to act as a router, in which all management and transit traffic is allowed. All interfaces are bound to the trust zone, and host inbound traffic from all predefined services is allowed. In router context, the Services Router forwards all packets unless you configure a security policy that denies specific traffic.
JUNOS software with enhanced services is a hardened operating system. You can use JUNOS software with enhanced services with more relaxed checks for host-inbound traffic and configure the dataplane with default transit policies to permit all traffic. In this scenario, the Services Router operates in a router context.
You load a predefined template configuration, jsr-series-routermode-factory.conf, to change to router context. In router context, the Services Router remains flow-enabled. All security features are available, but they are explicitly denied.
For router context configuration details, see Router Context Configuration Settings. For information about how to change from secure context to router context, see Changing from Secure Context to Router Context.