Configure Setup Wizard

You are here: Device Administration > Reset Configuration.

Using the Setup wizard, you can perform step-by-step configuration of a services gateway that can securely pass traffic.

Note:

You can also configure the setup modes in the factory default settings. Connect your management device (laptop or PC) to the SRX Series Firewall in factory default settings, the J-Web Setup wizard will appear. For more information on the Setup wizard in the factory default settings, see Start J-Web.

You can choose one of the following setup modes to configure the services gateway:

Note:

Click Cancel to exit the mode selection window.

Standalone mode—Configure your SRX Series device to operate in a standalone mode. In this mode, you can configure basic settings such as device credentials, time, management interface, zones and interfaces, and DNS servers and default gateways.
Cluster (HA) mode—Configure your SRX Series device to operate in a cluster (HA) mode. In the cluster mode, a pair of devices are connected together and configured to operate like a single node, providing device, interface, and service level redundancy.

Note:
You cannot configure Standalone or Passive mode when your device is in the HA mode.
Passive (Tap) mode—Configure your SRX Series device to operate in a TAP mode. TAP mode allows you to passively monitor traffic flows across a network. If IPS is enabled, then the TAP mode inspects the incoming and outgoing traffic to detect the number of threats.

Note:
SRX5000 line of devices, SRX4600, and vSRX devices does not support the passive mode configuration.

To help guide you through the process, the wizard:

Determines which configuration tasks to present to you based on your selections.
Flags any missing required configuration when you attempt to leave a page.

To configure SRX Series Firewalls using the J-Web Setup wizard:

Click Reset.
Click Proceed to Launch to launch the Setup Wizard.
Note:

For the Standalone and the Passive (Tap) modes, launching the Setup wizard resets the device to the factory default configuration after saving a backup of the current committed configuration to the local file system. If you click Cancel during the setup, the device rolls back to its previous committed state.
Select the mode you want to setup and click Start.
For the Standalone mode and Passive (Tap) mode, complete the configuration according to the guidelines provided in Table 1 through Table 3.
Note:
- If you select Cluster (HA) Mode, for the configuration information see Configure Cluster (HA) Setup.
- In the Setup wizard, root password is mandatory, and all the other options are optional. In the passive mode, management interface, Tap interface, and services are mandatory.
Click Finish.
A successful message appears, and the device configuration mode of your choice is set up.
Note:
- Once the configuration is complete, the entire configuration is committed to the device and a successful message appears. If the commit fails, the CLI displays an error message and you remain at the wizard’s last page. If required, you can change the configuration until the commit is successful.
- For SRX300 line of devices and SRX550M devices, an additional message will be displayed about the device reboot if you have enabled Juniper ATP Cloud or Security Intelligence services. For other SRX Series Firewalls, the device will not reboot.

Table 1: Setup Wizard Configuration
Field	Action
Device Credentials
System Identity
Device name	Enter a hostname. You can use alphanumeric characters, special characters such as the underscore (_), the hyphen (-), or the period (.); the maximum length is 255 characters.
Root Account
Username	Displays the root user. Note: We recommend that you do not use root user account as a best practice to manage your devices.
Password	Enter a password. You can use alphanumeric characters and special characters; the minimum length is six characters.
SSH for root user	Enable this option to allow the root login (to the device) using SSH.
Admin Account
Username	Enter the admin username to manage the device.
Password	Enter the admin password.
Time
Time
Time zone	Select a time zone from the list.
Time source	Select either NTP server, computer time, or Manual to configure the system time: NTP Server > NTP servers—Select the NTP server in the Available column and move to the selected column using the right arrow. Once the system is connected to the network, the system time is synced with the NTP server time. In addition, to add a new NTP server, click + and enter a hostname or IP address of the NTP server and click OK. Note: If you want to add more NTP servers, go to Device Administration > Basic Settings > Date & Time Details through the J-Web menu. Computer Time > Computer time—Device automatically synchronizes with your computer time only during the setup. Manual > Date and time—Select the date and time (in MM-DD-YYYY and HH:MM:SS 24-hour format) to configure the system time manually.
Management Interface
Management Interface Note: If you change the management IP address and click Next, a warning message appears on the Management Interface page that you need to use the new management IP address to log in to J-Web because you may lose the connectivity to J-Web.
Management interface	Select an interface from the list. If fxp0 port is your device’s management port, then the fxp0 port is displayed. You can change it as required or you can select None and proceed to the next page. Note: You can choose the revenue port as management port if your device does not support the fxp0 port. Revenue ports are all ports except fxp0 and em0. If you are in the Standalone mode, you can choose None for the management interface and click Next to proceed to the next screen. If you are in the Passive (Tap) mode, it is mandatory to configure a management port. J-Web needs a management port for viewing generated report.
IPv4 Note: Click email to self to get the newly configured IPv4 or IPv6 address to your inbox. This is useful if you lose connectivity when you change the management IP address to another network.
Management address	Enter a valid IPv4 address for the management interface. Note: If fxp0 port is your device’s management port, then the fxp0 port’s default IP address is displayed. You can change it if required.
Management subnet mask	Enter a subnet mask for the IPv4 address. If you have changed the management address, use the new IP address to access J-Web.
Static route	Enter an IPv4 address for the static route to route to the other network devices.
Static route subnet mask	Enter a subnet mask for the static route IPv4 address.
Next hop gateway	Enter a valid IPv4 address for the next hop.
IPv6
Management access	Enter a valid IPv6 address for the management interface.
Management subnet prefix	Enter a subnet prefix length for the IPv6 address.
Static route	Enter an IPv6 address for the static route if required to reach the device through the management interface.
Static route subnet prefix	Enter a subnet prefix length for the static route IPv6 address.
Next hop gateway	Enter a valid IPv6 address for the next hop.
Access Protocols Note: This option is available for all the ports except fxp0.
HTTPS	This option is enabled by default.
SSH	This option is enabled by default.
Ping	Enable this option for ping service.
DHCP	Enable this option for DHCP service.
NETCONF	Enable this option for NETCONF service.
Zones & Interfaces
Security Policy Note: This option is available only for the Standalone mode. For the Passive (Tap) mode, this option is available under Tap Settings.
From Zone	Name of the source zone. In the standalone mode, permits all traffic from the trust zone.
To Zone	Name of the destination zone. In standalone mode, permits all traffic from the trust zone to the untrust zone.
Source	Name of the source address (not the IP address) of a policy.
Destination	Name of the destination address.
Application	Name of a preconfigured or custom application of the policy match.
Action	Action taken when a match occurs as specified in the policy.
Zones —Displays the available trust and untrust zones configuration.
Trust Zone Interfaces Note: This option is available only for the Standalone mode.
Add Trust Zone Interface	Click + to add trust zone interface. For more information on the fields, see Table 2.
Edit Trust Zone Interface	Select an interface and click the pencil icon at the right corner of the table to modify the configuration.
Delete Trust Zone Interface	Select an interface and click the delete icon at the top right corner of the table. A confirmation window appears. Click Yes to delete the selected interface or click No to discard.
Search Trust Zone Interface	Click the search icon at the right corner of the table to quickly locate a zone or an interface.
Detailed View Trust Zone Interface	Hover over the interface name and click the Detailed View icon to view the zone and interface details.
Trust Zone Interfaces—Zone Level Settings
Zone name	View the trust zone name populated from your device factory default settings. Note: For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.
Description	Enter the description for trust zone.
System services	Enable this option for the types of traffic that can reach the device on a particular interface. By default, this option is enabled. You can disable if required.
Protocols	Enable this option to configure the device to perform stateful network traffic filtering on network packets using network traffic protocols (for example, TCP and UDP). By default, this option is enabled. You can disable if required.
Application tracking	Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.
Source identity log	Enable this option for the device to log the user identity information based on the source zone configured in the security policy.
Untrust Zone Interfaces
Add Untrust Zone Interface	Click + to add untrust zone interface. For more information on the fields, see Table 3.
Edit Untrust Zone Interface	Select an interface and click the pencil icon at the right corner of the table to modify the configuration.
Delete Untrust Zone Interface	Select an interface and click the delete icon at the top right corner of the table. A confirmation window appears. Click Yes to delete the selected interface or click No to discard.
Search Untrust Zone Interface	Click the search icon at the right corner of the table to quickly locate a zone or an interface.
Detailed View Untrust Zone Interface	Hover over the interface name and click the Detailed View icon to view the zone and interface details.
Untrust Zone Interfaces—Zone Level Settings
Zone name	View the untrust zone name populated from your device factory default settings. Note: For standalone mode, trust and untrust zones are created by default even if these zones are not available in the factory default settings.
Description	Enter the description for untrust zone.
Application tracking	Enable this option to collect byte, packet, and duration statistics for application flows in the specified zone.
Source identity log	Enable this option for the device to log the user identity information based on the source zone configured in the security policy.
DNS Servers & Default Gateways
DNS Servers
DNS server 1	Enter the IPv4 or IPv6 address of the primary DNS.
DNS server 2	Enter the IPv4 or IPv6 address of the secondary DNS.
Default Gateway
Default gateway (IPv4)	Enter the IPv4 address of the next possible destination for any network.
Default gateway (IPv6)	Enter the IPv6 address of the next possible destination for any network.
Tap Settings Note: This option is available only for the Passive (Tap) mode.
Tap Settings
Tap interface	Select the interface from the list.
IP-IP tunnel inspection	Enable this option for the SRX Series device to inspect pass through traffic over an IP-IP tunnel.
GRE tunnel inspection	Enable this option for the SRX Series device to inspect pass through traffic over a GRE tunnel.
Security Policy & Advanced Services Note: Your device must have internet connectivity to use IPS, Web filtering, Juniper ATP Cloud, and Security threat intelligence services.
From Zone	Name of the source zone. In the Tap mode, permits all traffic from the tap zone.
To Zone	Name of the destination zone. In the Tap mode, permits all traffic from the TAP zone to the TAP zone.
Source	Name of the source address (not the IP address) of a policy.
Destination	Name of the destination address.
Application	Name of a preconfigured or custom application of the policy match.
Action	Action taken when a match occurs as specified in the policy.
UTM
UTM	Enable this option for configuring UTM services.
License	Enter UTM license key and click Install License to add a new license. Note: Use a blank line to separate multiple license keys. To use UTM services, your device must have internet connectivity from a revenue interface.
UTM type	Select an option to configure UTM features: Web Filtering Antivirus Antispam
Web filtering type	Select an option: Enhanced—Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). Local—Specifies the local profile type.
IPS
IPS	Enable this option to install the IPS signatures.
License	Enter the license key and click Install License to add a new license. Note: The installation process may take few minutes.
IPS signature	Click Browse to navigate to the IPS signature package folder and select it. Click Install to install the selected IPS signature package. Note: You can download the IPS signature offline package at https://support.juniper.net/support/downloads/.
ATP Cloud
ATP Cloud	Enable this option to use Juniper ATP Cloud services. Note: After the Juniper ATP Cloud configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.
Security Intelligence
Security intelligence	Enable this option to use Security intelligence services. Note: After the Security Intelligence configuration is pushed, only the SRX300 line of devices and SRX550M devices are rebooted. Your device must have internet connectivity to enable Juniper ATP Cloud enrollment process through J-Web.
User Firewall
User Firewall	Enable this option to use user firewall services.
Domain name	Enter a domain name for Active Directory.
Domain controller	Enter domain controller IP address.
Username	Enter a username for administrator privilege.
Password	Enter a password for administrator privilege.

Table 2: Add Trust Zone
Field	Action
General
Type (family)	Select Switching. Fields for switching interface are: Note: This option will be available for only SRX300 line of devices, SRX550M, and SRX1500 devices. For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available. IRB interface Unit—Enter the IRB unit. Description—Enter the description for the interface. Select Routing. Fields for routing interface are: For SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices, the Type (family) field is not available. Interface—Select an option from list. Interface unit—Enter the Inet unit. Note: VLAN tagging is enabled automatically if the interface unit is higher than zero. Description—Enter the description for the interface. VLAN ID—Enter the VLAN ID. Note: VLAN ID is mandatory if the interface unit is higher than zero.
Interfaces	Select an interface from the Available column and move it to the Selected column. Note: This option is available only for the Switching family type.
VLAN Note: This option is available only for the Switching family type.
Name	Enter a unique name for the VLAN.
VLAN ID	Enter the VLAN ID.
IPv4
IPv4 address	Enter a valid IPv4 address for the switching or the routing interface.
Subnet mask	Enter a subnet mask for the IPv4 address.
IPv6
IPv6 address	Enter a valid IPv6 address for the switching or the routing interface.
Subnet prefix	Enter a subnet prefix for the IPv6 address.
DHCP Local Server
DHCP local server	Enable this option to configure the switch to function as an extended DHCP local server.
Pool name	Enter the DHCP pool name.
Pool start address	Enter the starting IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network.
Pool end address	Enter the ending IPv4 address of the DHCP server pool address range. This address must be within the IPv4 network. Note: This address must be greater than the address specified in Pool start address.
Propagate settings from	Select an option from the list. Propagation of TCP/IP settings (such as, DNS and gateway address) received on the device interface acting as DHCP client.
Services & Protocols
System Services	Select system services from the list in the Available column and then click the right arrow to move it to the Selected column. The available options are: all—Specify all system services. any-service—Specify services on entire port range. appqoe—Specify the APPQOE active probe service. bootp—Specify the Bootp and dhcp relay agent service. dhcp—Specify the Dynamic Host Configuration Protocol. dhcpv6—Enable Dynamic Host Configuration Protocol for IPV6. dns—Specify the DNS service. finger—Specify the finger service. ftp—Specify the FTP protocol. http—Specify the Web management using HTTP. https—Specify the Web management using HTTP secured by SSL. ident-reset—Specify the send back TCP RST IDENT request for port 113. ike—Specify the Internet key exchange. lsping—Specify the Label Switched Path ping service. netconf—Specify the NETCONF Service. ntp—Specify the network time protocol. ping—Specify the internet control message protocol. r2cp—Enable Radio-Router Control Protocol. reverse-ssh—Specify the reverse SSH Service. reverse-telnet—Specify the reverse telnet Service. rlogin—Specify the Rlogin service rpm—Specify the Real-time performance monitoring. rsh—Specify the Rsh service. snmp—Specify the Simple Network Management Protocol. snmp-trap—Specify the Simple Network Management Protocol trap. ssh—Specify the SSH service. tcp—encap-Specify the TCP encapsulation service. telnet—Specify the Telnet service. tftp—Specify the TFTP traceroute—Specify the traceroute service. webapi-clear-text—Specify the Webapi service using http. webapi-ssl—Specify the Webapi service using HTTP secured by SSL. xnm-clear-text—Specify the JUNOScript API for unencrypted traffic over TCP. xnm-ssl—Specify the JUNOScript API Service over SSL.
Protocols	Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column. The available options are: all—Specifies all protocol. bfd—Bidirectional Forwarding Detection. bgp—Border Gateway Protocol. dvmrp—Distance Vector Multicast Routing Protocol. igmp—Internet Group Management Protocol. ldp—Label Distribution Protocol. msdp—Multicast Source Discovery Protocol. nhrp- Next Hop Resolution Protocol. ospf—Open shortest path first. ospf3—Open shortest path first version 3. pgm—Pragmatic General Multicast. pim—Protocol Independent Multicast. rip—Routing Information Protocol. ripng—Routing Information Protocol next generation. router-discovery—Router Discovery. rsvp—Resource Reservation Protocol. sap—Session Announcement Protocol. vrrp—Virtual Router Redundancy Protocol.

Table 3: Add Untrust Zone
Field	Action
General
Interface	Select an interface from the list.
Interface unit	Enter the interface unit value.
VLAN ID	Enter the VLAN ID. Note: VLAN ID is mandatory if the interface unit is higher than zero.
Description	Enter the description for the interface.
Address Mode	Select an address mode for the interface. The available options are DHCP Client, PPPoE (PAP), PPPoE (CHAP) and Static IP. Note: PPPoE (PAP) and PPPoE (CHAP) are not supported for SRX5000 line of devices and if any of the devices are in passive mode.
Username	Enter a username for PPPoE (PAP) or PPPoE (CHAP) authentication.
Password	Enter a password for PPPoE (PAP) or PPPoE (CHAP) authentication.
IPv4 Note: This option is available only for the Static IP address mode.
IPv4 Address	Enter a valid IPv4 address for the interface.
Subnet Mask	Enter a subnet mask for the IPv4 address.
IPv6 Note: This option is available only for the Static IP address mode.
IPv6 Address	Enter a valid IPv6 address for the interface.
Subnet Prefix	Enter a subnet prefix for the IPv6 address.
Services & Protocols
System Services	Select system services from the list in the Available column and then click the right arrow to move it to the Selected column.
Protocols	Select protocols from the list in the Available column and then click the right arrow to move it to the Selected column.

Configure Setup Wizard

Related Documentation