Configure Sites and Variables for SRX Series Firewalls

A site is a subset of your organization in the Juniper Mist™ cloud. You need a unique site for each physical (or logical) location in the network. Users with required privileges can configure and modify sites. The configuration changes in the sites are automatically applied to (or at least available to) all the devices included in the site.

In addition, the Juniper® SRX Series Firewall must have an Application Security license. AppSecure is a suite of application-aware security services that provides visibility and control over the types of applications traversing the network. The license allows the Juniper Mist cloud to track and report applications passing through the device.

In this task, you also create site variables. Site variables provide simplicity and flexibility for deployment at a large scale. Site variables are configured on a per-site basis. When planning a network design, you can create standard templates for specific WAN edge devices and use variables in templates or the WAN edge configuration page.

Site variables provide a way to use tags (such as “WAN1_PUBIP”) to represent real values (such as 192.168.200.254) so that the value can vary according to the context where you use the variable. For example, for Site 1 you can define WAN1_PUBIP to be 192.168.200.254, while for Site 2 the value you give WAN1_PUBIP is 192.168.1.10. You can then use the tag in place of the IP address in Juniper Mist cloud configurations such as the WAN edge template. That is, when you attach the template to different sites, Juniper Mist cloud uses the appropriate IP address automatically in each site when the configuration is rendered and pushed to the device.

You can also store the first three octets of an IP subnet in a variable, leaving minimal configuration at each device.

You define a site variable by enclosing the variable name in double curly brackets. Example: {{SPOKE_LAN1_PFX}}

To configure sites:
  1. In the Juniper Mist cloud portal, click Organization > Admin > Site Configuration.

    A list of existing sites, if any, appears.

  2. Click Create Sites in the upper right corner. The New Site window appears.
    1. Give the site a name. A Site ID is generated automatically. In this task, you create five sites (hub1-site, hub2-site, spoke1-site, spoke2-site, and spoke3-site).

    2. Enter the street address of your site, or use the map to locate it.

  3. Scroll down the page to the Switch Management and WAN Edge Management settings pane, and configure the root password.
    Figure 1: Setting Root Password

    Ensure that you always set a root password for WAN edge devices and switches on the site. Otherwise, after you activate the device that Juniper Mist cloud manages, the system assigns a random root password for security reasons.

  4. Scroll down the page to the WAN Edge Application Visibility section, and then enable the WAN Edge devices have an APP Track license option.
    Figure 2: Enable Application Visibility

    Note: An application security license is mandatory for all software-defined WAN (SD-WAN) SRX Series Firewall devices. Ensure that you have a valid license installed on the device.

  5. Scroll down the screen to the Site Variables settings pane.
    1. Click the Add Variable button.

    2. In the pop-up screen that appears, type a name for the variable and specify the value it represents.

      Figure 3: Configuring Variables
    Use Table 1 to complete the list of variables you need to add.
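    Table 1: Variable Settings for Sites

    | Site Name | Variable | Value |
    |---|---|---|
    | spoke1-site | {{SPOKE_LAN1_PFX}} | 10.99.99 |
    | spoke1-site | {{SPOKE_LAN1_VLAN}} | 1099 |
    | spoke1-site | {{WAN0_PFX}} | 192.168.173 |
    | spoke1-site | {{WAN1_PFX}} | 192.168.170 |
    | spoke2-site | {{SPOKE_LAN1_PFX}} | 10.88.88 |
    | spoke2-site | {{SPOKE_LAN1_VLAN}} | 1088 |
    | spoke2-site | {{WAN0_PFX}} | 192.168.133 |
    | spoke2-site | {{WAN1_PFX}} | 192.168.130 |
    | spoke3-site | {{SPOKE_LAN1_PFX}} | 10.77.77 |
    | spoke3-site | {{SPOKE_LAN1_VLAN}} | 1077 |
    | spoke3-site | {{WAN0_PFX}} | 192.168.153 |
    | spoke3-site | {{WAN1_PFX}} | 192.168.150 |
    | hub1-site | {{HUB1_LAN1_PFX}} | 10.66.66 |
    | hub1-site | {{HUB1_LAN1_VLAN}} | 1066 |
    | hub1-site | {{WAN0_PFX}} | 192.168.191 |
    | hub1-site | {{WAN1_PFX}} | 192.168.190 |
    | hub1-site | {{WAN0_PUBIP}} | 192.168.129.191 |
    | hub1-site | {{WAN1_PUBIP}} | 192.168.190.254 |
    | hub2-site | {{HUB2_LAN1_PFX}} | 10.55.55 |
    | hub2-site | {{HUB2_LAN1_VLAN}} | 1055 |
    | hub2-site | {{WAN0_PFX}} | 192.168.201 |
    | hub2-site | {{WAN1_PFX}} | 192.168.200 |
    | hub2-site | {{WAN0_PUBIP}} | 192.168.129.201 |
    | hub2-site | {{WAN1_PUBIP}} | 192.168.200.254 |
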
    • The variables such as {{SPOKE_LAN1_PFX}}, {{HUB1_LAN1_PFX}}, {{HUB2_LAN1_PFX}}, {{WAN0_PFX}}, and {{WAN1_PFX}} represent the first three octets of an IP address or a prefix.

    • The variables such as {{SPOKE_LAN1_VLAN}}, {{HUB1_LAN1_VLAN}}, {{HUB2_LAN1_VLAN}} contain the individual VLAN IDs. In this example, use VLAN tagging to break up the broadcast domain and separate the traffic.

    • The variables {{WAN0_PUBIP}} and {{WAN1_PUBIP}} defined for the WAN interfaces of hubs use the public IP address:

      • The IP address of interfaces on the Internet path is in 192.168.129.x format. You can set up Network Address Translation (NAT) rules for the interface.

      • The IP address of interfaces on the MPLS path is in 192.168.x.254 format.

    • Use the /24 subnet mask and do not create a variable for this field.
    For the remaining fields, use the default values except for when you define your site variables.
  6. Click Save to add the variable to the list.

    Figure 4 shows the list of newly created variables.

    Figure 4: Site Variables Sample
  7. Click Save to save your changes for the site.
    Figure 5 shows the list of newly created sites.
    Figure 5: Newly Created Sites
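
The following is an added example, not Juniper's code or the Mist rendering engine: an offline pre-deployment check that substitutes site variables into a template the way the text describes, and flags undefined tags or malformed values before a template is attached to a site. The variable values come from Table 1; the template field names, host octets, and function names are assumptions made for illustration.

```python
import ipaddress
import re

VAR_RE = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

# Values copied from Table 1 for two of the five sites.
SITE_VARS = {
    "spoke1-site": {"SPOKE_LAN1_PFX": "10.99.99", "SPOKE_LAN1_VLAN": "1099",
                    "WAN0_PFX": "192.168.173", "WAN1_PFX": "192.168.170"},
    "hub1-site": {"HUB1_LAN1_PFX": "10.66.66", "HUB1_LAN1_VLAN": "1066",
                  "WAN0_PFX": "192.168.191", "WAN1_PFX": "192.168.190",
                  "WAN0_PUBIP": "192.168.129.191", "WAN1_PUBIP": "192.168.190.254"},
}

# Constructed spoke template (hypothetical field names, not the Mist schema).
SPOKE_TEMPLATE = {
    "lan1_ip": "{{SPOKE_LAN1_PFX}}.1/24",
    "lan1_vlan": "{{SPOKE_LAN1_VLAN}}",
    "wan0_ip": "{{WAN0_PFX}}.2/24",
    "wan1_ip": "{{WAN1_PFX}}.2/24",
}


def check_value(name, value):
    """Return an error string if the value does not fit the variable's suffix, else None."""
    if name.endswith(("_PFX", "_PUBIP")):
        # A _PFX value is exactly three octets, so appending ".0" must yield an IPv4 address.
        candidate = value + ".0" if name.endswith("_PFX") else value
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            return f"{name}={value!r} is not a valid prefix or address"
    elif name.endswith("_VLAN"):
        if not (value.isascii() and value.isdigit() and 1 <= int(value) <= 4094):
            return f"{name}={value!r} is not a VLAN ID (1-4094)"
    return None


def render(template, site_vars):
    """Substitute {{NAME}} tags; return (rendered, errors) instead of raising."""
    errors = [e for n, v in site_vars.items() if (e := check_value(n, v))]
    rendered = {}
    for field, text in template.items():
        missing = [n for n in VAR_RE.findall(text) if n not in site_vars]
        errors += [f"{field}: undefined variable {{{{{n}}}}}" for n in missing]
        # Undefined tags are left in place so they are visible in the output.
        rendered[field] = VAR_RE.sub(lambda m: site_vars.get(m.group(1), m.group(0)), text)
    return rendered, errors
```

Rendering `SPOKE_TEMPLATE` against `hub1-site` reports the two spoke-only variables as undefined, which is the kind of template-to-site mismatch worth catching before the configuration is pushed.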