Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Junos OS on the SRX345

The services gateway is shipped with the Juniper Networks Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on. You can perform the initial software configuration of the services gateway by using the browser-based setup wizard or by using the command-line interface (CLI).

SRX345 Firewall Factory-Default Settings

The SRX345 device is shipped with the following factory-default settings:

Table 1: Security Policies

Source Zone

Destination Zone

Policy Action

trust

trust

permit

trust

untrust

permit

Table 2: NAT Rules

Source Zone

Destination Zone

Policy Action

trust

untrust

Source NAT to untrust zone interface

Table 3: Ethernet Interfaces

Port Label

Interface

Security Zone

DHCP State

IP Address

0/0 and 0/15

ge-0/0/0 and ge-0/0/15

untrust

Client

Unassigned

0/1 to 0/14

VLAN Interface irb.0 (ge-0/0/1 to ge-0/0/14)

trust

Server

192.168.2.1/24

MGMT

fxp0

Server

192.168.1.1/24

Table 4: LTE Interfaces

Interface

Security Zone

IP Address

cl-1/0/0

N/A

N/A

dl0 (logical)

untrust

ISP assigned*

Only if the LTE Mini-PIM is present

The SRX345 device is shipped with the following services and protocols enabled by default:

Table 5: Services, Protocols, and Startup Mode

Services

Protocols

Device Startup Mode

SSH

HTTPS

NETCONF over SSH

RSTP (all interfaces)

Switching

To provide secure traffic, a basic set of screens are configured on the untrust zone.

If the current active configuration fails, you can use the load factory-default command to revert to the factory-default configuration.

How to View Factory-Default Settings

To view the factory-default settings on your device:

  1. Log in as the root user and provide your credentials.

  2. View the list of default configuration files:

  3. View the required default configuration file.

When you commit changes to the configuration, a new configuration file is created, which becomes the active configuration. If the current active configuration fails, you can use the load factory-default command to revert to the factory-default configuration.

Initial Configuration Using the CLI

You can use either the serial or the mini-USB console port on the device.

Connect to the Serial Console Port

To connect to the serial console port:

  1. Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter.
  2. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
  3. Connect the other end of the Ethernet cable to the serial console port on the SRX345.
    Figure 1: Connect to the Console Port on the SRX345Connect to the Console Port on the SRX345
  4. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
  5. Configure the serial port settings with the following values:
    • Baud rate—9600

    • Parity—N

    • Data bits—8

    • Stop bits—1

    • Flow control—none

Connect to the Mini-USB Console Port

To connect to the mini-USB console port:

  1. Download the USB driver to the management device from the Downloads page. To download the driver for Windows OS, select 6.5 from the Version drop-down list. To download the driver for macOS, select 4.10 from the Version drop-down list.
  2. Install the USB console driver software:
    Note:

    Install the USB console driver software before attempting to establish a physical connection between the SRX345 and the management device, otherwise the connection will fail.

    1. Copy and extract the .zip file to your local folder.

    2. Double-click the .exe file. The installer screen appears.

    3. Click Install.

    4. Click Continue Anyway on the next screen to complete the installation.

      If you chose to stop the installation at any time during the process, then all or part of the software will fail to install. In such a case, we recommend that you uninstall the USB console driver and then reinstall it.

    5. Click OK when the installation is complete.

  3. Plug the large end of the USB cable supplied with the SRX320 into a USB port on the management device.
  4. Connect the other end of the USB cable to the mini-USB console port on the SRX345.
  5. Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the new COM port installed by the USB console driver software. In most cases, this is the highest-numbered COM port in the selection menu.

    You can locate the COM port under Ports (COM & LPT) in Windows Device Manager after the driver is installed and initialized. This might take several seconds.

  6. Configure the port settings with the following values:
    • Bits per second—9600

    • Parity—None

    • Data bits—8

    • Stop bits—1

    • Flow control—None

  7. If you have not already done so, power on the SRX345 by pressing the Power button on the front panel. Verify that the PWR LED on the front panel turns green.

    The terminal emulation screen on your management device displays the startup sequence. When the SRX345 has finished starting up, a login prompt appears.

Configure the SRX345 Using the CLI

To configure the SRX345 by using the CLI:

  1. Start the CLI.
    Note:

    You can view the factory-default settings by using the show configuration command.

  2. Enter configuration mode.
  3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  4. Commit the configuration to activate it on the device.

Initial Configuration Using J-Web

Configure Using J-Web

To configure the device by using J-Web:

  1. Connect one end of the Ethernet cable to the management port (labeled MGMT) on the device.

    The ge-0/0/0 and ge-0/0/15 interfaces (ports 0/0 and 0/15) are WAN interfaces. Do not use these ports for the initial configuration procedure.

  2. Connect the other end of the Ethernet cable to the management device.
    Figure 2: Connecting the SRX345 to a Management DeviceConnecting the SRX345 to a Management Device

    The SRX345 functions as a DHCP server and automatically assigns an IP address to the laptop.

  3. Ensure that the management device acquires an IP address on the 192.168.1.0/24 network from the device.

    If an IP address is not assigned to the management device, manually configure an IP address in the 192.168.1.0/24 network.

    Note:

    Do not assign the 192.168.1.1 IP address to the management device, as this IP address is assigned to the services gateway.

  4. Open a browser and type https://192.168.1.1. The Phone Home Client page appears.

  5. To configure the device:
  6. Set a root authentication password in the Skip to J-Web page and click Submit.

    The J-Web login page appears. The SRX345 already has factory-default settings configured to make it a plug-and-play device. So all you have to do to get the SRX345 up and running is connect it to your LAN and WAN networks.

  7. Connect the WAN network to port 0/0 to obtain a dynamic IP address.
  8. Connect the LAN network to any of the ports from 0/1 through 0/14.
  9. Check to see if the SRX345 is connected to the Internet. Go to http://www.juniper.net. If the page does not load, check the Internet connection.

    After you complete these steps, you can start using the SRX345 on your network right away.

You can continue to customize the settings by logging in to J-Web and selecting the configuration mode that’s right for you. You can then follow the screens as they appear in the Setup wizard.

Customize the Configuration for Junos OS Release 19.2

You can select any one of the configuration modes to customize the configuration:

  • Standard—Configure basic security settings for the SRX345.

  • Cluster (HA)—Set up the SRX345 in chassis cluster mode.

  • Passive—Set up the SRX345 in Tap mode. Tap mode enables the SRX345 to passively monitor traffic flows across a network.

Customize the Configuration for Junos OS Release 15.1X49-D170

You can select any one of the configuration modes to customize the configuration:

  • Guided Setup (uses a dynamic IP address)—Enables you to set up the SRX345 in a custom security configuration. You can select either the Basic or the Expert option.

    The following table compares the Basic and Expert levels:

    Options

    Basic

    Expert

    Number of internal zones allowed

    3

    ≥ 3

    Internet zone configuration options

    • Static IP

    • Dynamic IP

    • Static IP

    • Static pool

    • Dynamic IP

    Internal zone service configuration

    Allowed

    Allowed

    Internal destination NAT configuration

    Not Allowed

    Allowed

    Note:

    If you change the IP address of the port to which the laptop is connected, you might lose connectivity to the device when applying the configuration in the Guided Setup mode. To access J-Web again, open a new browser window and type https://new IP address.

  • Default Setup (uses a dynamic IP address)—Enables you to quickly set up the SRX345 with the default configuration. Any additional configuration can be done after the wizard setup is completed.

  • High Availability—Enables you to set up a chassis cluster with a default basic configuration.

Configure the Device Using ZTP with Juniper Networks Network Service Controller

Note:

You can configure using ZTP for Junos OS Release 19.2 and earlier releases.

You can use ZTP to complete the initial configuration of the SRX345 in your network automatically, with minimum intervention.

Network Service Controller is a component of the Juniper Networks Contrail Service Orchestration platform that simplifies and automates the design and implementation of custom network services that use an open framework.

For more information, refer to the Network Service Controller section in the datasheet at http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000559-en.pdf.

To configure the device automatically using ZTP:

Note:

To complete the ZTP process, ensure that the SRX345 is connected to the Internet.

  • If you already have the authentication code, enter the code in the webpage displayed.

    Figure 3: Authentication Code PageAuthentication Code Page

    On successful authentication, the initial configuration is applied and committed on the SRX345. Optionally, the latest Junos OS image is installed on the SRX345 before the initial configuration is applied.

  • If you do not have the authentication code, you can use the J-Web setup wizard to configure the SRX345. Click Skip to J-Web and configure the SRX345 using J-Web.