Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Step 3: What's Next

Congratulations! You've got your branch office configured for secure local communications, Internet access, and IPsec VPN for secure communications to a remote site. And, you've confirmed that it's all working to your expectations.

With minor adaptation, the procedures in this guide apply to the whole family of branch SRX devices. This guide focuses on the needs of a typical small branch office, and how to leverage the factory defaults of your new SRX device to quickly get a remote branch online.

We showed you how to configure the SRX using the Junos CLI. SRX devices also support cloud-based provisioning for those who prefer a GUI interface and/or require the advanced features cloud-based management offers. A companion guide in this series provides coverage of a day in the life for a cloud-based user.

Table 1: Task Summary
If you want to Then

Verify factory-default operation

 Use the Junos CLI to confirm the Day One+ ending state operation.
  • Confirm the WAN interface DHCP assignment and default route
  • Verify SRX default DHCP server for LAN ports
  • Confirm Layer 2 connectivity for ports in the default trust VLAN
  • Inspect flows for traffic allowed from the trust to untrust zones

Configure VLANs to isolate local traffic

 See VLANs for more details on configuring VLANs.
  • Define VLANs
  • Configure an IRB interface for each VLAN
  • Configure DHCP servers for each VLAN to support auto-configuration of attached devices
  • Define security zones for the new VLANs
  • Define a security policy to control inter-VLAN traffic
  • Use a security policy to block source NAT and access to the untrust (Internet access) zone

Verify VLAN Operation

 Confirm expected connectivity between the VLANs.
  • Verify DHCP server operation
  • Use security flow trace options to troubleshoot a connectivity issue
  • Add a security policy to provide the expected connectivity
  • Define a security policy to control inter-VLAN traffic

Configure an IPsec route-based VPN to a remote location

 Add an IPsec VPN to provide secure communications over the Internet. This IPsec VPN supports dynamic address assignment at the branch office.
  • Define IKE and IPsec parameters
  • Configure the st.0 tunnel interfaces
  • Add a static route to direct desired traffic into the VPN
  • Create a vpn zone and a related security policy to allow traffic from the trust to vpn zone
  • Define a security policy to control inter-VLAN traffic

Verify IPsec VPN operation

Confirm successful IKE session and IPsec tunnel establishment. Verify that traffic is using the IPsec tunnel to reach the remote network.
  • Verify the license status
  • Confirm the IKE session
  • Confirm the IPsec tunnel
  • Verify the static route for the trust to the vpn zone traffic
  • Confirm only the desired traffic is using the tunnel

Verify licensing status

 Confirm the features you configured don't require additional licensing.

With your branch site online, here are some places and things you might want to check out next.

Table 2: What's Next
If you want to Then

See the Junos OS documentation

Visit the Junos OS documentation page

Learn more about IPsec VPN architectures and topologies

See Day One: IPsec VPN Cookbook
Learn how to provide wired and Wi-Fi Internet and Intranet access at a branch office See Branch in a Box

Learn about Application Security

 See Understanding Application Security
Learn about the application tracking tool for analyzing bandwidth usage of your network See Application Tracking
Learn about Content Security feature for SRX devices, which includes functions such as antivirus, antispam, content filtering, and web filtering

See UTM Overview

Set up your SRX Series Firewall with advanced security measures to protect and defend your network

See SRX Series Up and Running with Advanced Security Services

Get hands-on experience with configuring an IPsec VPN Visit Juniper Networks Virtual Labs and reserve your free sandbox. You’ll find the IPsec VPN sandboxes in the Security category.

Our video library continues to grow! We've created many, many videos that demonstrate how to do everything from install your hardware to configure advanced Junos OS network features. Here are some great video and training resources that will help you expand your knowledge of Junos OS and branch SRX devices.

Table 3: Learn With Videos
If you want to Then

View a Web-based training video which provides an overview of the SRX320 and describes how to install and configure it

Visit the SRX300 and SRX320 Services Gateways Overview and Deployment (WBT) page

Get short and concise tips and instructions that provide quick answers, clarity, and insight into specific features and functions of Juniper technologies

See Learning With Juniper on the Juniper Networks main YouTube page

View a list of the many free technical trainings we offer at Juniper Visit the Getting Started page on the Juniper Learning Portal