
Configuring Junos OS on the SRX1500

SRX1500 Firewall Software Configuration Overview

The SRX1500 Firewall is shipped with Junos OS preinstalled and ready to be configured when the services gateway is powered on. If you are setting up the services gateway for the first time, use the command-line interface (CLI) to perform the initial configuration.

Gather the following information before configuring the services gateway:

  • Root authentication

  • IP address of the management interface

  • Default route

Understanding SRX1500 Firewall Factory-Default Settings

Your SRX1500 comes configured with a factory-default configuration. The default configuration includes the following security configuration:

  • Two security zones are created: trust and untrust.

  • Interfaces ge-0/0/0 and ge-0/0/15 are in the untrust zone, while interfaces ge-0/0/1 through ge-0/0/3 are in the trust zone.

  • A security policy is created that permits outbound traffic from the trust zone to the untrust zone.

  • Source Network Address Translation (NAT) is configured on the trust zone.

If the current active configuration fails, you can use the load factory-default command to revert to the factory-default configuration.

Viewing SRX1500 Firewall Factory-Default Settings

To view the factory-default configuration of the services gateway using the CLI:

  1. Log in as the root user and provide your credentials.
  2. View the list of default config files:

  3. View the required default config file.

Accessing J-Web on the SRX1500 Services Gateway

The J-Web interface is a Web-based graphical interface that allows you to operate a services gateway without commands. Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.

Note:

To access the J-Web interface, your management device requires one of the following supported browsers:

  • Microsoft Internet Explorer version 8.0, 9.0, or 10.0

  • Mozilla Firefox version 23+

  • Google Chrome version 28+

To access J-Web:

  1. Open a Web browser on the management device and enter the device management IP address in the address field.
  2. Specify the default username as root and enter the password.

Configuring the SRX1500 Firewall Using J-Web

Configuring Root Authentication and the Management Interface from the CLI

Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.

To configure root authentication and the management interface:

  1. Log in as root. There is no password.
  2. Start the CLI and enter configuration mode.
  3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  4. Commit the configuration to activate it on the device.
  5. Configure the IP address and prefix length for the Ethernet management interface on the device.
  6. Configure the default route.
  7. Enable Web access to launch J-Web.
  8. Commit the configuration changes.

Configuring Interfaces, Zones, and Policies with J-Web

You can configure hostnames, interfaces, zones, and security policies using J-Web.

Before you begin:

Configure the device with J-Web using the following procedures.

Configuring the Hostname

To configure the hostname:

  1. Launch a Web browser from the management device.
  2. Enter the IP address of the device in the URL address field.
  3. Specify the default username as root and enter the password. See Configuring the SRX1500 Firewall Using J-Web.
  4. Click Log In. The J-Web Dashboard page appears.
  5. Select Configure>System Properties>System Identity, and then select Edit. The Edit System Identity dialog box appears.
  6. Enter the hostname and click OK.
  7. Select Commit Options>Commit to apply the configuration changes.

You have successfully configured the hostname for the system.

Configuring Interfaces

To configure two physical interfaces:

  1. From the J-Web Dashboard page, select Configure>Interfaces and select a physical interface you want to configure.
  2. Select Add>Logical Interface. The Add interface dialog box appears.
  3. Set Unit = 0.
  4. Select the check box for IPv4 Address to enable IPv4 addressing.
  5. Click Add and enter the IPv4 address.
  6. Click OK.

    A message appears after your configuration changes are validated successfully.

  7. Click OK.
  8. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  9. Click OK.

You have successfully configured the physical interface. Repeat these steps to configure the second physical interface for the device.

Configuring Zones and Assigning Interfaces

To assign interfaces within a trust zone and an untrust zone:

  1. From the J-Web Dashboard page, select Configure>Security>Zones/Screens and click Add. The Add Zone dialog box appears.
  2. In the Main tab, enter trust for zone name and enter the description.
  3. Set the zone type to Security.
  4. Select the interfaces listed under Available and move them under Selected.
  5. Click OK.

    A message appears after your configuration changes are validated successfully.

  6. Click OK.
  7. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  8. Click OK.
  9. Repeat Step 1 through Step 8 and assign another interface to an untrust zone.

You have successfully configured interfaces in a trust zone and in an untrust zone.

Configuring Security Policies

To configure security policies:

  1. From the J-Web Dashboard page, select Configure>Security>Security Policy and click Add. The Add Policy dialog box appears.
  2. In the Policy tab, enter the policy name and set the policy action to permit. Then select Zone and set the From Zone to trust and the To Zone to untrust.
  3. Configure the source IP address by selecting any listed under Available and moving it under Selected.
  4. Configure the destination IP address by selecting any listed under Available and moving it under Selected.
  5. Configure the application by selecting any listed under Available and moving it under Selected.
  6. Click OK.

    A message appears after your configuration changes are validated successfully.

  7. Click OK.
  8. Select Commit Options>Commit to apply the configuration changes.

    A message appears after your configuration changes are applied successfully.

  9. Click OK.

You have successfully configured the security policy.

Accessing the CLI on the SRX1500 Firewall

To access the CLI on the SRX1500 Firewall:

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter.
  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the services gateway.
    Note:

    Alternatively, you can use the USB cable to connect to the mini-USB console port on the services gateway. To use the USB console port, you must download a USB driver to the management device from the Silicon Labs page.

    Note:

    We no longer include the console cable as part of the device package. If the console cable and adapter are not included in your device package, or if you need a different type of adapter, you can order the following separately:

    • RJ-45 to DB-9 adapter (JNP-CBL-RJ45-DB9)

    • RJ-45 to USB-A adapter (JNP-CBL-RJ45-USBA)

    • RJ-45 to USB-C adapter (JNP-CBL-RJ45-USBC)

    If you want to use the RJ-45 to USB-A or RJ-45 to USB-C adapter, you must have the X64 (64-bit) Virtual COM port (VCP) driver installed on your PC. See https://ftdichip.com/drivers/vcp-drivers/ to download the driver.

  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Configure the serial port settings with the following values:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

  6. Power on the services gateway. You can start performing initial software configuration on the services gateway after the device is up.

Connecting to the SRX1500 Firewall from the CLI Remotely

To connect the services gateway to a network for out-of-band management:

  1. Plug one end of an Ethernet cable with RJ-45 connectors into the MGMT port on the front panel of the services gateway.
  2. Plug the other end of the cable into the management device.

Configuring the SRX1500 Firewall Using the CLI

This sample procedure explains how you can create an initial configuration using CLI commands to connect the SRX1500 Firewall to the network.

  1. Verify that the device is powered on.
  2. Log in as the root user. Do not enter a password.
  3. Start the CLI.
  4. Enter configuration mode.
  5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  6. Configure an administrator account on the device. When you are prompted, enter the password for the administrator account.
  7. Commit the configuration to activate it on the services gateway.
  8. Log in as the administrative user you configured in Step 6.
  9. Configure the name of the services gateway. If the name includes spaces, enclose the name in quotation marks (“ ”).
  10. Configure the IP address and prefix length for the services gateway Ethernet interface.
  11. Configure the traffic interface.
    Note:

    The ge-0/0/0 interface is for the LAN, and the ge-0/0/1 interface is for the ISP.

  12. Configure the default route.
  13. Configure basic security zones and bind them to traffic interfaces.
  14. Configure basic security policies.
    Note:

    The actual configuration of the policies depends on your requirements.

  15. Check the configuration for validity.
  16. Commit the configuration to activate it on the services gateway.
  17. Optionally, display the configuration to verify that it is correct.
    Note:

    This is a sample output. The actual output might vary depending on your configuration requirements.

  18. Commit the configuration to activate it on the services gateway.
  19. Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the services gateway.
  20. When you have finished configuring the services gateway, exit configuration mode.

Note:

To access the device using J-Web for the first time, enter configuration mode in the CLI, and set the management option using the command set system services web-management http.

Launch a Web browser from the management device and access the services gateway using the URL http://<device management IP address>. The J-Web login page is displayed. This indicates that you have successfully completed the initial configuration, and your SRX1500 Firewall is ready for use.
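
The following Python check is an added example, not part of the Juniper documentation. It audits `show configuration | display set` output from the CLI procedure above for the settings a reviewer would revisit after initial setup: root authentication, J-Web over HTTP, and an any/any/any permit policy. The policy name, addresses, password hash and the `audit` function are assumptions made for illustration.

```python
import re

# Constructed `display set` sample for the procedure above; all values are placeholders.
SAMPLE = """\
set system root-authentication encrypted-password "$6$PLACEHOLDER"
set system services web-management http
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
"""

POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (?:match (\S+) (\S+)|then (\S+))")
WEB = "set system services web-management "
MATCH_FIELDS = ("source-address", "destination-address", "application")

def audit(display_set):
    """Return review findings for a configuration in `display set` form."""
    lines = [l.strip() for l in display_set.splitlines() if l.strip()]
    findings = []
    if not any(l.startswith("set system root-authentication ") for l in lines):
        findings.append("root-authentication is not set")
    # Tokens after "web-management", e.g. ["https", "interface", "fxp0.0"].
    web = [l[len(WEB):].split() for l in lines if l.startswith(WEB)]
    if any(w[0] == "http" for w in web):
        findings.append("J-Web is enabled over cleartext HTTP")
    if web and not any("interface" in w for w in web):
        findings.append("J-Web has no interface restriction")
    policies = {}  # (from-zone, to-zone, name) -> match fields and action
    for l in lines:
        m = POLICY.match(l)
        if m:
            src, dst, name, field, value, action = m.groups()
            p = policies.setdefault((src, dst, name), {})
            if field:
                p.setdefault(field, set()).add(value)
            else:
                p["action"] = action
    for (src, dst, name), p in policies.items():
        wide = all(p.get(f) == {"any"} for f in MATCH_FIELDS)
        if p.get("action") == "permit" and wide:
            findings.append(f"policy {name} ({src} -> {dst}) permits any/any/any")
    return findings
```

Running `audit(SAMPLE)` returns three findings. Replacing the HTTP statement with `set system services web-management https system-generated-certificate` and `set system services web-management https interface fxp0.0` clears the two J-Web findings.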