close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
play_arrow Site Planning, Preparation, and Specifications
play_arrow Initial Installation and Configuration
play_arrow Maintaining Components
play_arrow Troubleshooting Hardware
- Troubleshooting the SRX5800
play_arrow Contacting Customer Support and Returning the Chassis or Components
- Returning the SRX5800 Chassis or Components
play_arrow Safety and Compliance Information

list Table of Contents

English

Performing the Initial Software Configuration for the SRX5800

date_range 25-Jul-23

arrow_backward

arrow_forward

SRX5800 Firewall Software Configuration Overview

The firewall is shipped with the Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on. There are three copies of the software: one on a CompactFlash card (if installed) in the Routing Engine, one on the hard disk in the Routing Engine, and one on a USB flash drive that can be inserted into the slot in the Routing Engine faceplate.

When the device boots, it first attempts to start the image on the USB flash drive. If a USB flash drive is not inserted into the Routing Engine or the attempt otherwise fails, the device next tries the CompactFlash card (if installed), and finally the hard disk.

You configure the firewall by issuing Junos OS command-line interface (CLI) commands, either on a console device attached to the CONSOLE port on the Routing Engine, or over a telnet connection to a network connected to the ETHERNET port on the Routing Engine.

Gather the following information before configuring the device:

Name the device will use on the network
Domain name the device will use
IP address and prefix length information for the Ethernet interface
IP address of a default router
IP address of a DNS server
Password for the root user

Initially Configuring the SRX5800 Firewall

This procedure connects the device to the network but does not enable it to forward traffic. For complete information about enabling the device to forward traffic, including examples, see the appropriate Junos OS configuration guides.

To configure the software:

Verify that the device is powered on.
Log in as the root user. There is no password.
Start the CLI.
```
root# cli
root@>
```
Enter configuration mode.
```
configure 
[edit]
root@#
```
Set the root authentication password by entering either a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
```
[edit]
root@# set system root-authentication plain-text-password
New password: password 
Retype new password: password 
```

Configure an administrator account on the device. When prompted, enter the password for the administrator account.

content_copy zoom_out_map
[edit]
root@# set system login user admin class super-user authentication plain-text-password 
New password: password 
Retype new password: password 

Commit the configuration to activate it on the device.
```
[edit]
root@# commit
```
Log in as the administrative user you configured in Step 6.
Configure the name of the device. If the name includes spaces, enclose the name in quotation marks (“ ”).
```
configure 
[edit]
admin@# set system host-name host-name
```
Configure the IP address and prefix length for the Ethernet management interface on the firewall’s Routing Engine.
```
[edit]
admin@# set interfaces fxp0 unit 0 family inet address address/prefix-length
```

Configure the traffic interface.

content_copy zoom_out_map
[edit]
admin@# set interfaces ge-6/2/0 unit 0 family inet address address/prefix-length
admin@# set interfaces ge-6/3/5 unit 0 family inet address address/prefix-length

Configure the default route.

content_copy zoom_out_map
[edit]
admin@# set routing-options static route 0.0.0.0/0 next-hop gateway

Configure basic security zones and bind them to traffic interfaces.

content_copy zoom_out_map
[edit]
admin@# set security zones security-zone trust interfaces ge-6/3/5 
admin@# set security zones security-zone untrust interfaces ge-6/2/0 

Configure basic security policies.

content_copy zoom_out_map
[edit]
admin@# set security policies from-zone trust to-zone untrust policy policy-name match source-address any destination-address any application any 
root@# set security policies from-zone trust to-zone untrust policy policy-name then permit 

Check the configuration for validity.
```
[edit]
admin@# commit check
configuration check succeeds
```
Commit the configuration to activate it on the device.
```
[edit]
admin@# commit
commit complete
```

Optionally, display the configuration to verify that it is correct.

content_copy zoom_out_map
admin@# show
## Last changed: 2008-05-07 22:43:25 UTC
version "9.2I0 [builder]";
system {
    autoinstallation;
    host-name henbert;
    root-authentication {
        encrypted-password "$1$oTVn2KY3$uQe4xzQCxpR2j7sKuV.Pa0"; ## SECRET-DATA
    }
    login {
        user admin {
            uid 928;
            class super-user;
            authentication {
                encrypted-password "$1$cdOPmACd$QvreBsJkNR1EF0uurTBkE."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
       web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-6/2/0 {
        unit 0 {
            family inet {
                address 5.1.1.1/24;
            }
        }
    }
    ge-6/3/5 {
        unit 0 {
            family inet {
                address 192.1.1.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.10.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.1.1.2;
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-6/3/5.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-6/2/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy bob {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Commit the configuration to activate it on the device.
```
[edit]
admin@# commit
```
Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the device.
```
[edit]
admin@# commit
```
When you have finished configuring the device, exit configuration mode.
```
[edit]
admin@# exit
admin@host>
```

Performing Initial Software Configuration Using J-Web

Configuring Root Authentication and the Management Interface from the CLI
Configuring Interfaces, Zones, and Policies with J-Web

Configuring Root Authentication and the Management Interface from the CLI

Before you can use J-Web to configure your device, you must access the CLI to perform the initial configuration.

To configure root authentication and the management interface:

Log in as root. There is no password.
Start the CLI and enter configuration mode.
```
root@% cli
root@>configure
root@#
```
Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
```
[edit]
root@# set system root-authentication plain-text-password
New password: password
Retype new password: password
```
Commit the configuration to activate it on the device.
```
[edit]
root@# commit
```
Configure the IP address and prefix length for the Ethernet management interface on the device.
```
[edit]
root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
```

Configure the default route.

content_copy zoom_out_map
[edit]
root@# set routing-options static route 0.0.0.0/0 next-hop gateway

Enable Web access to launch J-Web.
```
[edit]
root@# set system services web-management http
```
Commit the configuration changes.
```
[edit]
root@# commit
```

Configuring Interfaces, Zones, and Policies with J-Web

You can configure hostnames, interfaces, zones, and security policies using J-Web.

Note:

You cannot use J-Web to configure SRX5400, SRX5600, and SRX5800 Firewalls in Junos OS Release 15.1X49-D10.

Before you begin:

Ensure you have configured the IP address, root authentication, and default route. See Performing Initial Software Configuration Using J-Web
Enable HTTP on the device to access J-Web. See Performing Initial Software Configuration Using J-Web

Configure the device with J-Web using the following procedures.

Configuring the Hostname
Configuring Interfaces
Configuring Zones and Assigning Interfaces
Configuring Security Policies

Configuring the Hostname

To configure the hostname:

Launch a Web browser from the management device.
Enter the IP address of the device in the URL address field.
Specify the default username as root and enter the password. See Performing Initial Software Configuration Using J-Web.
Click Log In. The J-Web Dashboard page appears.
Select Configure>System Properties>System Identity, and then select Edit. The Edit System Identity dialog box appears.
Enter the hostname and click OK.
Select Commit Options>Commit to apply the configuration changes.

You have successfully configured the hostname for the system.

Configuring Interfaces

To configure two physical interfaces:

From the J-Web Dashboard page, select Configure>Interfaces and select a physical interface you want to configure.
Select Add>Logical Interface. The Add interface dialog box appears.
Set Unit = 0.
Select the check box for IPv4 Address to enable IPv4 addressing.
Click Add and enter the IPv4 address.
Click OK.
A message appears after your configuration changes are validated successfully.
Click OK.
Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
Click OK.

You have successfully configured the physical interface. Repeat these steps to configure the second physical interface for the device.

Configuring Zones and Assigning Interfaces

To assign interfaces within a trust zone and an untrust zone:

From the J-Web Dashboard page, select Configure>Security>Zones/Screens and click Add. The Add Zone dialog box appears.
In the Main tab, enter trust for zone name and enter the description.
Set the zone type to Security.
Select the interfaces listed under Available and move them under Selected.
Click OK.
A message appears after your configuration changes are validated successfully.
Click OK.
Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
Click OK.
Repeat Step 1 through Step 8 and assign another interface to an untrust zone.

You have successfully configured interfaces in a trust zone and in an untrust zone.

Configuring Security Policies

To configure security policies:

From the J-Web Dashboard page, select Configure>Security>Security Policy and click Add. The Add Policy dialog box appears.
In the Policy tab, enter the policy name and set the policy action to permit. Then select Zone and set the From Zone to trust and the To Zone to untrust.
Configure the source IP address by selecting any listed under Available and moving it under Selected.
Configure the destination IP address by selecting any listed under Available and moving it under Selected.
Configure the application by selecting any listed under Available and moving it under Selected.
Click OK.
A message appears after your configuration changes are validated successfully.
Click OK.
Select Commit Options>Commit to apply the configuration changes.
A message appears after your configuration changes are applied successfully.
Click OK.

You have successfully configured the security policy.

arrow_backward PREVIOUS Connecting the SRX5800 to Power

NEXT arrow_forward Maintaining the SRX5800 Chassis

SRX5800 Firewall Hardware Guide

ON THIS PAGE