Configuration Guidelines for Securing Console Port Access
We recommend that you (the network administrator) disable the console port to prevent unauthorized access to the device.
Secure the Console Port
You can use the console port on a device to connect to the device through an RJ-45 serial cable. From the console port, you can use the CLI to configure the device. By default, the console port is enabled. To secure the console port, you can configure the device to take the following actions:
- Log out of the console session when you unplug the serial cable connected to the console port.
- Disable root login connections to the console. This action prevents a non-root user from performing a password recovery operation using the console.
- Disable the console port. We recommend that you disable the console port to prevent unauthorized access to the device. Preventing unauthorized access is especially important when the device is used as customer premises equipment (CPE) and is forwarding sensitive traffic.
Note: It is not always possible to disable the console port, because console access is important during operations such as software upgrades.
Warning: On SRX300, SRX320, SRX340, and SRX345 devices, if you configure both the set system ports console insecure and set chassis routing-engine bios uninterrupt options, there is no alternative recovery method available if Junos OS fails to boot.
To secure the console port:
Secure Mini-USB Ports
SRX320, SRX320, SRX340, and SRX345 devices have a mini-USB Type-B port. You can connect your management device to the Mini-USB Type-B console port for CLI management.
You can disable mini-USB ports on the SRX Series Firewalls to block users from connecting a USB mass storage device to the services gateway. When you disable the mini-USB port on the device, any transactions in progress on the USB device are terminated.
Use the following command to disable mini-USB ports:
[edit]
user@host# set chassis usb storage disable
Use the following command to enable mini-USB ports:
[edit]
user@host# delete chassis usb storage disable
This action re-enables the disabled mini-USB ports.
Use the show command to verify the status of the mini-USB:
user@host> show chassis usb storage
The output displays the current status of the USB mass storage device and indicates whether the USB ports are enabled or disabled.
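The following audit script is an added example, not part of the original page or of Junos OS. It checks the text of show configuration | display set against the console and USB guidance above, including the no-recovery combination from the Warning. It assumes the Junos statements log-out-on-disconnect, insecure (which blocks root login on the console) and disable under system ports console; only insecure appears on this page, and the finding names and sample configuration are constructed.

```python
# Added example: audit 'show configuration | display set' text (constructed sample below).
CONSOLE = "system ports console"
USB_OFF = "chassis usb storage disable"
BIOS_LOCK = "chassis routing-engine bios uninterrupt"
WARNED_MODELS = {"SRX300", "SRX320", "SRX340", "SRX345"}  # models named in the Warning


def active_statements(config_text):
    """Return active statements with the leading 'set ' removed."""
    stmts, inactive = set(), []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("set "):
            stmts.add(line[4:])
        elif line.startswith("deactivate "):
            inactive.append(line[len("deactivate "):])
    # 'deactivate X' turns off X and every statement beneath it.
    return {s for s in stmts
            if not any(s == d or s.startswith(d + " ") for d in inactive)}


def audit(config_text, model):
    """Return (finding_id, message) pairs for one device's configuration."""
    s = active_statements(config_text)
    out = []
    if f"{CONSOLE} disable" not in s:
        out.append(("console-enabled", "console port is enabled"))
        if f"{CONSOLE} log-out-on-disconnect" not in s:
            out.append(("no-logout", "session survives unplugging the serial cable"))
        if f"{CONSOLE} insecure" not in s:
            out.append(("root-console", "root login is allowed on the console"))
    if model in WARNED_MODELS and {f"{CONSOLE} insecure", BIOS_LOCK} <= s:
        out.append(("no-recovery", "no alternative recovery if Junos OS fails to boot"))
    if USB_OFF not in s:
        out.append(("usb-storage", "USB mass storage is enabled"))
    return out


SAMPLE = """\
set system host-name cpe-01
set system ports console log-out-on-disconnect
set system ports console insecure
set chassis routing-engine bios uninterrupt
set chassis usb storage disable
deactivate chassis usb
"""  # constructed sample, not output from a real device

if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE, "SRX340"):
        print(f"{finding_id}: {message}")
```

In the sample, the deactivate line makes the USB disable statement inactive, so the audit reports USB mass storage as still enabled even though the set line is present.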