Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Step 1: Verify and Secure Local Branch Connectivity

There’s no better way to get to know your SRX than to just jump in and start using it. First, let's use the CLI to verify the operational state of your SRX. This step assumes you've done the initial configuration using the factory defaults, as described in the Day One+ guide. At this point, you should have both local and Internet connectivity for your branch.

Understand Branch SRX Default Connectivity

Secure Local Branch Connectivity shows the ending state of your branch office after you've done the initial configuration. We'll show you how to leverage the SRX factory-default configuration to get the branch online quickly.

Figure 1: Branch SRX Default Connectivity Branch SRX Default Connectivity

First, a few reminders about the Day One+ ending state for your branch SRX:

How to Access the CLI

There are several ways to access the SRX CLI. In all cases, you log in as the root user using the password that you configured in the Day One+ procedure:

  • Direct console access with a serial port
  • SSH access:

    • Access via a trust zone device

      You can SSH to 192.168.2.1 from a device attached to a local LAN port in the Trust VLAN.
    • Access via a management interface

      If the SRX has a dedicated management interface (fxp0), SSH to 192.168.1.1 from a device attached to the out of band management network.
    • Remote access

      To access the SRX remotely, use the IP address assigned by the WAN provider to the ge-0/0/0 interface. Simply issue the show interfaces ge-0/0/0 terse command on the SRX to confirm the address assigned by the provider to the WAN interface.

Default LAN Port Configuration

  • Devices attached to the LAN ports are configured to use DHCP. They receive their network configuration from the SRX. These devices obtain an IP address from the 192.168.2.0/24 address pool using the SRX as a default gateway.
  • The trust zone LAN ports are in the same subnet with Layer 2 connectivity. All traffic is permitted between trust interfaces.
  • All traffic originating in the trust zone is permitted in the untrust zone. Matching response traffic is allowed back from the untrust zone to the trust zone. Traffic that originates from the untrust zone is blocked from the trust zone.
  • The SRX performs source Network Translation (source NAT) using the WAN interface’s IP address for traffic originating from the trust zone and sent to the WAN untrust zone.
  • Traffic associated with specific system services (HTTPS, DHCP, TFTP, and SSH) is permitted from theuntrust zone to the local host. All local host services and protocols are allowed for traffic that originates in the trust zone.