- play_arrow Overview
- play_arrow Platform Considerations
- play_arrow WAN Configuration for Session Smart Routers
- WAN Assurance Configuration Overview
- Configure Sites and Variables for Session Smart Routers
- Configure Networks for Session Smart Routers
- Configure Applications for Session Smart Routers
- Configure Application Policies on Session Smart Routers
- Configure Hub Profile for Session Smart Routers
- Configure Path Selection from Hub-to-Spoke with Traffic Steering
- Configure WAN Edge Templates for Session Smart Routers
- Routing Configuration on Session Smart Routers
- Onboard Session Smart Routers for WAN Configuration
- Onboard Session Smart Routers with Static IP Address
- IDP-Based Threat Detection on Session Smart Routers
- Upgrade a WAN Edge Session Smart Router
- Configure VRF Route Leaking for Session Smart Routers
- Revoke DHCP Lease on a WAN Edge Device
- Reserve DHCP IP Address
- play_arrow WAN Configuration for SRX Series Firewalls
- WAN Assurance Configuration Overview
- Configure Sites and Variables for SRX Series Firewalls
- Configure Applications for SRX Series Firewalls
- Configure Networks for SRX Series Firewalls
- Configure Application Policies on SRX Series Firewalls
- Configure Hub Profiles for SRX Series Firewalls
- Configure WAN Edge Templates for SRX Series Firewalls
- Routing Configuration on SRX Series Firewalls
- Onboard SRX Series Firewalls for WAN Configuration
- IDP-Based Threat Detection for SRX Series Firewalls
- Enable Application Visibility on SRX Series Firewalls
- Monitor the Service Status of SRX Series Firewalls
- Upgrade a WAN Edge SRX Series Firewalls
- Configure a Custom VR for SRX Series Firewalls
- Revoke DHCP Lease on a WAN Edge Device
- Reserve DHCP IP Address
- play_arrow WAN Assurance Design
- play_arrow Cellular Edges
- play_arrow Monitor and Troubleshoot
- WAN Assurance Monitoring, SLE, and Troubleshooting Overview
- Monitor SRX Series Firewall Deployed as WAN Edge
- Monitor Session Smart Router Deployed as WAN Edge
- Service-Level Experiences for Session Smart Router Deployed as WAN Edge
- Troubleshoot Session Smart Router Deployed as WAN Edge
- Speed Tests for Session Smart Router Deployed as a WAN Edge (BETA)
- Dynamic and Manual Packet Captures
- Troubleshoot SRX Series Firewalls
- Replace a WAN Edge Device
- WAN Edge Testing Tools
Juniper Mist Secure Edge Connector
Juniper Mist provides pre-built connectors specifically designed for the Juniper Networks® SRX Series Firewalls and Juniper® Session Smart™ Routers deployed as WAN edge devices. These connectors facilitate seamless integration with your Secure Service Edge (SSE) deployments. With minimal configuration, you can integrate the SSE into the Juniper Mist portal. As a result, your WAN Edge device establishes connections to the SSE using either IPsec or GRE protocols.
In this solution, an IPsec tunnel is configured between the WAN Edge device and SSE using the Secure Edge Connector within the WAN Edge template. Additionally, a BGP over IPsec connection is configured to dynamically learn routing destinations from the SSE device.
Following types of connectors are pre-built for you in Juniper Mist portal:
- Juniper Secure Edge (manual provisioning and auto provisioning)
- Zscaler (manual provisioning and auto provisioning)
- Custom
High-level workflow for setting up secure edge connectors with Juniper Secure Edge, custom, or Zscaler deployment to offload traffic from your WAN edge device (SSR Series Routers or SRX Series Firewalls):
Create and deploy a basic branch template for device connectivity.
Optionally configure a remote network in SSE. This step defines a remote source for inbound connectivity through the tunnel.
Configure a Secure Edge Connector and provider in the device template. This step creates a custom IPsec tunnel to the remote location and define encryption parameters.
Optionally configure a BGP peer to learn routes dynamically.
Configure an Application to allow traffic to be steered toward the IPsec tunnel. This application will be used in Application Policy to allow client networks to access the BGP learned routes.
Configure a Traffic Steering Policy to steer the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge.
Application Policies for Secure Edge Connector
An Application Policy in the Juniper WAN Assurance design is a combination of Networks and Users as the source with Applications as the destination. These security rules define which networks/users can access these applications with Traffic Steering defining which path should be used.
To set up these policies, you need to create Networks, Applications, Traffic-steering profiles. For outbound traffic the Traffic Steering profile will include the Secure Edge Connector. For inbound use cases where traffic initiates from the Secure Edge Connector you include the remote network in the Secure Edge Connector and then use that network in an Application Policy to allow inbound access from the Secure Edge Connector. With this feature, you can securely connect to cloud-hosted services which need to initiate inbound traffic to a site.
Traffic Steering Profiles for Secure Edge Connector
Traffic Steering is required for SEC on both SRX Series Firewalls and Session Smart Routers before Juniper Mist creates the tunnels.
This requirement remains unless:
- A remote network is assigned to a Secure Edge Connector
- A BGP peer is assigned to a Secure Edge Connector
Dynamic Routing for Secure Edge Connectors
You can configure BGP peering over a Secure Edge Connector. This configuration leverages BGP for dynamic routing and uses BGP path selection to install routes in the route table. High-Level steps include:
Verify that your Secure Edge Connector is established and is configured using the custom Secure Edge provider.
Configure BGP import and export policies.
Configure BGP neighbor options.
Select the Secure Edge Connector for this BGP neighbor.
Assign import and export policies.
Verify that the BGP peers are exchanging routes over the tunnel interface.
