Configure WAN Edge Templates for SRX Series Firewalls

The WAN edge template in Juniper Mist™ WAN Assurance enables you to define common spoke characteristics including WAN interfaces, traffic-steering rules, and access policies. You then apply these configurations to the Juniper Networks® SRX Series Firewall deployed as a WAN edge device. When you assign a WAN edge device to a site, the device automatically adopts the configuration from the associated template. This automatic process enables you to manage and apply consistent and standardized configurations across your network infrastructure, streamlining the configuration process.

Note:

Configuration done on the WAN edge device through the Mist dashboard overrides any configuration done through the device CLI.

You can have one or more templates for your spoke devices.

In this task, you create and configure a WAN edge template for a spoke device in the Juniper Mist™ cloud portal.

Configure a WAN Edge Template

To configure a WAN edge template:

  1. In the Juniper Mist™ portal, click Organization > WAN > WAN Edge Templates. A list of existing templates, if any, appears.
  2. Click the Create Template button in the upper right corner.
    Note:

    You can also create a WAN edge template by importing a JavaScript Object Notation (JSON) file using the Import Profile option.

  3. In the box that appears, enter the name for the template, click Type and select Spoke, and then click Create.
    Figure 1: Select the Template Type

    Here’s an illustration that shows the GUI elements on the WAN edge template configuration page.

    Figure 2: WAN Edge Template Configuration Options
  4. Complete the configuration according to the details provided in Table 1.
    Table 1: WAN Edge Profile Options
    Field: Description
    Name: Profile name. Enter a unique profile name with up to 64 characters.
    Type: WAN edge profile type. Select one of the following options:
    • Standalone—To manage a standalone device in your site.
    • Spoke—To manage a spoke device that connects to a hub device in your configuration.
    NTP: The IP address or hostname of the Network Time Protocol (NTP) server. NTP is used to synchronize the clocks of the device and other hardware devices on the Internet.
    Applies to Device: Site to associate with the WAN edge template. The drop-down menu shows a list of the WAN edge devices that have been added to the inventory of the current site.
    DNS Settings: IP addresses or hostnames of Domain Name System (DNS) servers. Network devices use the DNS name servers to resolve hostnames to IP addresses.
    Secure Edge Connectors: Secure Edge connector details. Juniper Secure Edge performs traffic inspection for the WAN edge devices managed by the Juniper Mist cloud portal.
    WAN: WAN interface details. A WAN interface on the spoke corresponds to a WAN interface on the hub; that is, Mist creates an IPsec VPN tunnel between the WAN interface on the hub and the WAN interface on the spoke. For each WAN link, you can define the physical interface, the type of WAN (Ethernet or DSL), the IP configuration, and the overlay hub endpoints for the interface. See Add WAN Interfaces to the Template.
    LAN: LAN interfaces that connect the LAN segment. You assign the networks, create VLANs, and set up IP addresses and DHCP options (none, relay, or server). See Add a LAN Interface.
    Traffic Steering: Steering paths. Define the different paths that traffic can take to reach its destination. For any traffic-steering policy, you can include the paths for traffic to traverse as well as the strategies for utilizing those paths. See Configure Traffic-Steering Policies.
    Application Policies: Policies that enforce rules for traffic. Define the network (source), application (destination), traffic-steering policy, and policy action. See Configure Application Policies.
    Routing: Routing options for traffic between the hub and spokes. You can enable Border Gateway Protocol (BGP) underlay routing, where routes are learned dynamically, or use static routing to define routes manually.
    CLI Configuration: CLI option. Any additional settings that are not available in the template's GUI can still be configured using CLI set commands.
  5. Click Save.

Add WAN Interfaces to the Template

The WAN interface on the spoke corresponds to the WAN interface on the hub. That is, Mist creates an IPsec VPN tunnel between the WAN interface on the hub and the WAN interface on the spoke.

In this task, add two WAN interfaces to the WAN edge template.

To add WAN interfaces to the template:

  1. Scroll down to the WAN section and click Add WAN to open the Add WAN Configuration pane.
  2. Complete the configuration according to the details provided in Table 2.
    Tip: When working on configuration screens, look for the VAR indicators. Fields with this indicator allow site variables.

    The fields with this label also display the matching variables (if configured) as you start typing a variable name. The list includes variables from all sites within the organization.

    The organization-wide list of variables can be viewed using GET /api/v1/orgs/:org_id/vars/search?var=*. This list is populated as variables are added under site settings.

    Table 2: WAN Interface Configuration Options
    Field | WAN Interface 1 | WAN Interface 2
    Name (a label and not a technology) | INET | MPLS
    WAN Type | Ethernet | Ethernet
    Interface | ge-0/0/0 | ge-0/0/3
    VLAN ID | - | -
    IP Configuration | DHCP | Static: IP Address={{WAN1_PFX}}.2, Prefix Length=24, Gateway={{WAN1_PFX}}.1
    Source NAT | Interface | Interface
    Overlay Hub Endpoint (generated automatically) | hub1-INET, hub2-INET (BFD profile Broadband) | hub1-MPLS and hub2-MPLS
    MTU | Enter an MTU value between 256 and 9192. Default is 1500. | Enter an MTU value between 256 and 9192. Default is 1500.

    Figure 3 shows the list of WAN interfaces you created.

    Figure 3: WAN Interfaces Summary
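The static WAN interface in Table 2 is written with a site variable ({{WAN1_PFX}}) that Mist substitutes per site, so a typo in the variable name or a mismatched gateway only shows up after the template is pushed. The following added Python example (not code from the Juniper page or product) renders such a field from a constructed site-variable set and checks the result: the variable must exist, the MTU must be within the 256 to 9192 range from Table 2, and for a static interface the gateway must be a different host inside the interface's own subnet. The dict field names and the value 192.0.2 are this example's own assumptions.

```python
import ipaddress
import re

# Constructed site variables for this example (not real values). In Mist they are set in
# site settings and listed org-wide via GET /api/v1/orgs/:org_id/vars/search?var=*
SITE_VARS = {"WAN1_PFX": "192.0.2"}

# WAN Interface 2 from Table 2, modelled as a dict (field names are this example's own).
WAN2 = {
    "name": "MPLS",
    "interface": "ge-0/0/3",
    "ip_config": "Static",
    "ip_address": "{{WAN1_PFX}}.2",
    "prefix_length": 24,
    "gateway": "{{WAN1_PFX}}.1",
    "mtu": 1500,
}

# Matches a {{VAR_NAME}} token as used in the Mist template fields.
VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(value, site_vars):
    """Substitute {{VAR}} tokens in one field; fail loudly if a variable is not defined."""
    if not isinstance(value, str):
        return value
    missing = sorted({m for m in VAR_RE.findall(value) if m not in site_vars})
    if missing:
        raise ValueError(f"unresolved site variable(s) {missing} in {value!r}")
    return VAR_RE.sub(lambda m: site_vars[m.group(1)], value)


def check_wan(cfg, site_vars):
    """Render a WAN interface config and return a list of problems (empty means consistent)."""
    problems = []
    try:
        r = {k: render(v, site_vars) for k, v in cfg.items()}
    except ValueError as exc:
        return [str(exc)]

    # MTU range as stated in Table 2 (256 to 9192).
    if not 256 <= int(r["mtu"]) <= 9192:
        problems.append(f"MTU {r['mtu']} outside 256-9192")

    if r["ip_config"] == "Static":
        try:
            iface = ipaddress.ip_interface(f"{r['ip_address']}/{r['prefix_length']}")
            gateway = ipaddress.ip_address(r["gateway"])
        except ValueError as exc:
            return problems + [f"invalid address after rendering: {exc}"]
        # The gateway must be a different host inside the interface's own subnet.
        if gateway not in iface.network:
            problems.append(f"gateway {gateway} is not in {iface.network}")
        elif gateway == iface.ip:
            problems.append(f"gateway {gateway} equals the interface address")
    return problems


if __name__ == "__main__":
    print(render(WAN2["ip_address"], SITE_VARS))  # 192.0.2.2
    print(check_wan(WAN2, SITE_VARS))             # []
```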

Configure LTE Interface

Juniper Mist SD-WAN allows organizations to integrate LTE connectivity seamlessly. LTE connectivity provides an alternate path for multipath routing; either as a primary path in locations that have no access to circuits or as a path of last resort in the event that the primary circuit has failed.

For example, in a retail store with a primary MPLS connection for business-critical applications, Juniper Mist SD-WAN can add an LTE link as a backup. If the MPLS link experiences issues, Juniper Mist dynamically switches traffic to the LTE link. This ensures continuous connectivity and minimizes disruptions.

On SRX Series Firewalls, the LTE Mini-Physical Interface Module (Mini-PIM) provides wireless WAN support on the SRX300 Series and SRX550 High Memory Services Gateways. The Mini-PIM contains an integrated modem and operates over 3G and 4G networks. The Mini-PIM can be installed in any of the Mini-PIM slots on the devices. See https://www.juniper.net/documentation/us/en/hardware/lte-mpim-install/topics/task/lte-mpim-hardware-intalling.html for installing LTE Mini-PIM on an SRX Series Firewall.

To use an LTE link with Juniper Mist SD-WAN, you need to set up an LTE interface on your Session Smart Routers or SRX Series Firewalls and insert the Subscriber Identity Module (SIM) in the LTE card.

To add an LTE interface as WAN link:

  1. Scroll down to the WAN section and click Add WAN to open the Add WAN Configuration pane.
  2. Enter the details for the interface configuration according to Table 3.
    Table 3: LTE Interface Configuration
    Field: Value
    Name: Name of the LTE interface.
    Description: Description of the interface.
    WAN Type: LTE
    Interface: cl-1/0/0. Use the interface cl-1/0/0 when the LTE Mini-PIM module is inserted in slot 1.
    LTE APN: Enter the access point name (APN) of the gateway router. The name can contain alphanumeric characters and special characters. (Optional for SRX Series Firewalls and mandatory for Session Smart Routers.)
    LTE Authentication: Select the authentication method for the APN configuration:
    • PAP—Select this option to use Password Authentication Protocol (PAP) as the authentication method. Provide the user name and password.
    • CHAP—Select this option to use Challenge Handshake Authentication Protocol (CHAP) as the authentication method. Provide the user name and password.
    • None (Default)—Select this option if you do not want to use any authentication method.
    Source NAT: Select a source NAT option:
    • Interface—NAT using the source interface.
    • Pool—NAT using a defined IP address pool.
    • Disabled—Disable source NAT.
    Traffic Shaping: Select Enabled or Disabled. (Required for Session Smart Routers only.)
    Auto Negotiation: Select Enabled or Disabled.
    MTU: Enter an MTU value between 256 and 9192. Default is 1500.
  3. Click Save.
Note:

On SRX Series Firewalls, when you create a WAN edge template using the device-specific WAN Edge templates option, the LTE interface configuration is included in the template by default.

The template provides device-specific, pre-configured WAN interfaces, LAN interfaces, a traffic-steering policy, and an application policy. All you have to do is name the template and select the device type.

Figure 4 shows a sample SRX320 template that includes the default LTE configuration in the WAN section of the template.

Figure 4: WAN Edge Template Sample

Disable WAN Edge Ports

There are many reasons why it might be necessary to disable a WAN Edge port. In debugging scenarios, for example, disabling a port and then enabling it again can trigger processes to reset, which can help resolve issues.

You may also want to disable a port when you are staging a connection but are not yet ready to bring it into service. If you have identified a malicious or problematic device, you can also disable its port to quickly cut the device off until it can be removed or repaired.

To disable WAN Edge ports:

  1. Navigate to Organization > WAN Edge Templates.
  2. Click the appropriate WAN Edge Template.
  3. Scroll down to the WAN or LAN section and click the appropriate WAN Edge.
  4. In the Interface section of the window, select the Disabled checkbox. This will administratively disable the WAN Edge device port for the specified interface.

  5. Click Save at the bottom of the window to save the changes.
  6. Click Save at the top right-corner of the template page.

    Note: This option is part of the interface configuration. If you use it to disable an aggregated Ethernet (AE) interface or a redundant Ethernet (reth) interface, all member links are disabled.

Add a LAN Interface

The LAN interface configuration identifies the source of a request by the name of the network that you specify in the LAN configuration.

To add a LAN interface:

  1. Scroll down to the LAN pane and click Add LAN to open the Add LAN Configuration panel.
    Figure 5: Add LAN Interfaces to the Template
  2. Configure LAN interfaces.

    The LAN configuration section includes the components for IP Configuration, DHCP Configuration, and Custom VR. The LAN configuration section enables more flexibility by allowing you to override each configuration component (such as IP configuration) separately without touching other components.

    The LAN Configuration section also provides a filter for you to easily search for configurations per port or network.

    • IP configuration

      • Network—Select an available network from the drop-down.
      • IP Address—IPv4 address and prefix length for the interface.
      • Prefix Length—Prefix length for the interface.
      • Redirect Gateway—IP address of redirect gateway for Session Smart Routers only.
    • DHCP configuration—Select Enabled option to use DHCP service for assigning IP addresses to the LAN interface.

      • Network—Select the network from the list of available networks.
      • DHCP type—Select DHCP Server or DHCP Relay. If you choose DHCP Server, enter the following options:
        • IP Start—Enter the beginning IP address of the desired IP address range.
        • IP End—Enter the ending IP address.
        • Gateway—Enter the IP address of the network gateway.
        • Maximum Lease Time—Specify a maximum lease time for the DHCP addresses. Supported DHCP lease duration ranges from 3600 seconds (1 hour) to 604800 seconds (1 week).

        • DNS Servers—Enter IP address of the Domain Name System (DNS) server.
        • Server Options—Add following options:
          • Code—Enter the DHCP option code that you want to configure on the server. The Type field is populated with the associated value. For example, if you select Option 15 (domain-name), the Type field displays FQDN. You must enter the Value associated with the Type.
        • Static Reservations—Use this option if you want to statically reserve a DHCP address. Static DHCP IP address reservation involves binding a client MAC address to a static IP address from the DHCP address pool. The following options are available:

          • Name—A name that identifies the configuration.

          • MAC Address—The MAC address to be used in the reservation.

          • IP Address—The IP address to be reserved.

    • Custom VR configuration.

      • Network—Select an available network from the drop-down.
      • Name—Enter the name for the routing instance.
  3. Complete the configuration according to the details provided in Table 4.
    Tip: When working on configuration screens, look for the VAR indicators. Fields with this indicator allow site variables.

    The fields with this label also display the matching variables (if configured) as you start typing a variable name. The list includes variables from all sites within the organization.

    The organization-wide list of variables can be viewed using GET /api/v1/orgs/:org_id/vars/search?var=*. This list is populated as variables are added under site settings.

    Table 4: Sample LAN Interface Configuration
    Field: LAN Interface
    Network: SPOKE-LAN1 (Select from the list of networks that appears. When you do, the remaining configuration is filled in automatically.)
    Interface: ge-0/0/3
    IP Address: {{SPOKE_LAN1_PFX}}.1
    Prefix Length: 24
    Untagged VLAN: No
    DHCP: No

    Figure 6 shows the list of LAN interfaces you created.

    Figure 6: Summary of LAN Interface

Configure LACP on Redundant Ethernet Interfaces (BETA)

Link Aggregation Control Protocol (LACP) is an IEEE standard protocol that defines how a group of interfaces operate. With LACP, devices send LACP data units to each other to establish a connection. The devices do not attempt to establish a connection if they are unable to do so, which prevents issues from occurring during the link aggregation setup process, such as misconfigured Link Aggregation Group (LAG) settings. You can configure LACP on the redundant Ethernet (reth) interfaces on your SRX Series Firewalls.

To configure LACP on Redundant Ethernet Interfaces:

  1. From the left menu of the Juniper Mist portal, select Organization > WAN Edge Templates.
  2. Select the WAN Edge Template containing the Redundant Ethernet Interfaces you want to configure LACP for.
  3. Scroll down to the LAN pane and click Add LAN to open the Add LAN Configuration panel, or click on an existing LAN to open the Edit LAN Configuration panel.
  4. Configure the following fields:
    Table 5: Sample LACP on Redundant Ethernet Interfaces Configuration
    Field: LAN Interface Configuration
    Interface: List the redundant interfaces, separated by a comma.
    Port Aggregation: Select this checkbox to enable LACP on the reth interfaces.
    Enable Force Up: Selecting this checkbox sets the state of the interface as "up" when the peer has limited LACP capacity. Use case: when a device connected to this aggregated Ethernet (AE) interface port is using Zero-Touch Provisioning (ZTP) for the first time, it will not have LACP configured on the other end. Note: selecting this enables Force Up on only one of the interfaces in the bundle.
    Redundant (BETA): Select this checkbox to enable redundancy. The physical interfaces listed in the LAN configuration are configured into a redundancy group under a reth interface (redundant parent).
    Redundant Index (SRX Only): The index for the reth interface. For example, an index of 4 configures the redundant interface reth4.
    Primary Node: Indicates which node is the primary node in a redundancy group. One node is primary and the other is secondary, so that one node can take over for the other in the event of interface failover.
    Enable "Up/Down Port" Alert Type: Enable this alert type to receive alerts when the port transitions from up to down or vice versa. This also requires enabling Critical WAN Edge Port Up/Down under Monitor > Alerts > Alerts Configuration.

  5. At the bottom of the panel, click Add or Save to save the configuration.

Configure Traffic-Steering Policies

Just like with hub profiles, traffic steering in a Juniper Mist network is where you define the different paths that application traffic can take to traverse the network. The paths that you configure within traffic steering also determine the destination zone.

To configure traffic-steering policies:

  1. In the Juniper Mist portal, scroll down to the Traffic Steering section, and click Add Traffic Steering to display the Traffic Steering configuration pane.
  2. Complete the configuration according to the details provided in Table 6.
    Table 6: Traffic Steering Policy Configuration
    Field | Traffic-Steering Policy 1 | Traffic-Steering Policy 2
    Name | SPOKE-LANS | Overlay
    Strategy | Ordered | ECMP
    Paths (for path types, you can select the previously created LAN and WAN networks as endpoints):
    • Policy 1: Type—LAN; Network—SPOKE-LAN1
    • Policy 2: Type—WAN; Networks—hub1-INET, hub2-INET, hub1-MPLS, hub2-MPLS

    Figure 7 shows the list of traffic-steering policies you created.

    Figure 7: Traffic-Steering Policies Summary

Configure Application Policies

In a Mist network, application policies are where you define which network and users can access which applications, and according to which traffic-steering policy. The Networks/Users settings determine the source zone. The Application + Traffic Steering settings determine the destination zone. Additionally, you can assign an action of Permit or Deny. Mist evaluates and applies application policies in the order in which you list them.

Consider the traffic-flow requirements in Figure 8. The image depicts a basic initial traffic model for a corporate VPN setup (third spoke device and second hub device are not shown).

Figure 8: Traffic Flow and Distribution Traffic Flow and Distribution

To meet the preceding requirements, you need to create the following application policies:

  • Policy 1—Allows traffic from spoke sites to the hub. In this case, the destination prefix used in the address groups represents the LAN interfaces of the two hubs.

  • Policy 2—Allows spoke-to-spoke traffic through the corporate LAN over an overlay.

    Note:

    This may not be feasible in the real world except on expensive MPLS networks with managed IPs, which send traffic directly to the other spoke. This type of traffic usually flows through a hub device.

  • Policy 3—Allows traffic from both the hub and the DMZ attached to the hub to the spoke devices.

  • Policy 4—Allows Internet-bound traffic to flow from spoke devices to the hub device. From there, the traffic breaks out to the Internet. In this case, the hub applies source NAT to the traffic and routes it to a WAN interface, as defined in the hub profile. This rule is general, so place it after the specific rules, because Mist evaluates application policies in the order in which they appear in the policies list.
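Because Mist applies application policies first-match in list order, the general Policy 4 (destination ANY) placed above the specific spoke rules would make those rules unreachable; with an all-Pass list the effect is invisible in traffic, but a specific Deny added later would silently never fire. The following added Python example (not code from the Juniper page or product) models the four policies as they are named in Table 7 below, evaluates a flow the way the ordered list would, and flags rules that an earlier rule shadows. The shadow check is general: it works for Deny rules as well as the Pass rules on this page. "INTERNET" is a constructed destination label used only to represent a destination that matches ANY.

```python
# Constructed model of the four application policies in Table 7 (rule, network and steering
# names as on the page; the tuple layout is this example's own). Sources and destinations are
# sets of network or application names; "ANY" matches everything.
POLICIES = [
    ("Spoke-to-Hub-DMZ",       {"SPOKE-LAN1"},             {"HUB1-LAN1", "HUB2-LAN1"}, "Pass", "Overlay"),
    ("Spoke-to-Spoke-via-Hub", {"SPOKE-LAN1"},             {"SPOKE-LAN1"},             "Pass", "Overlay"),
    ("Hub-DMZ-to-Spoke",       {"HUB1-LAN1", "HUB2-LAN1"}, {"SPOKE-LAN1"},             "Pass", "SPOKE-LANS"),
    ("Internet-via-Hub-CBO",   {"SPOKE-LAN1"},             {"ANY"},                    "Pass", "Overlay"),
]


def _matches(name, allowed):
    return "ANY" in allowed or name in allowed


def evaluate(policies, src_network, destination):
    """First-match evaluation, as Mist applies policies in list order.
    Returns (rule name, action, steering), or None when no rule matches."""
    for rule, sources, destinations, action, steering in policies:
        if _matches(src_network, sources) and _matches(destination, destinations):
            return rule, action, steering
    return None


def _covers(earlier, later):
    """True if every member of 'later' is also matched by 'earlier'."""
    if "ANY" in earlier:
        return True
    if "ANY" in later:
        return False
    return later <= earlier


def shadowed(policies):
    """Return (rule, shadowing_rule) pairs for rules that can never be reached because an
    earlier rule already matches all of their traffic. Works for Pass and Deny rules alike."""
    found = []
    for i, (rule, sources, destinations, _action, _steering) in enumerate(policies):
        for earlier_rule, e_sources, e_destinations, _a, _s in policies[:i]:
            if _covers(e_sources, sources) and _covers(e_destinations, destinations):
                found.append((rule, earlier_rule))
                break
    return found


if __name__ == "__main__":
    # The page's ordering: nothing is shadowed, and the general rule catches Internet traffic last.
    print(shadowed(POLICIES))                            # []
    print(evaluate(POLICIES, "SPOKE-LAN1", "INTERNET"))  # ('Internet-via-Hub-CBO', 'Pass', 'Overlay')
    # Moving the general rule to the top hides the two specific spoke rules behind it.
    print(shadowed([POLICIES[3]] + POLICIES[:3]))
```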

To configure application policies:

  1. In the Juniper Mist portal, scroll down to the Application Policy section and click Add Policy to add a new policy to the policy list.
  2. Complete the configuration according to the details provided in Table 7.
    Table 7: Application Policies Configuration
    No. | Rule Name | Network | Action | Destination | Steering
    1 | Spoke-to-Hub-DMZ | SPOKE-LAN1 | Pass | HUB1-LAN1 + HUB2-LAN1 | Overlay
    2 | Spoke-to-Spoke-via-Hub | SPOKE-LAN1 | Pass | SPOKE-LAN1 | Overlay
    3 | Hub-DMZ-to-Spoke | HUB1-LAN1 + HUB2-LAN1 | Pass | SPOKE-LAN1 | SPOKE-LANS
    4 | Internet-via-Hub-CBO | SPOKE-LAN1 | Pass | ANY | Overlay
    Note:
    • Juniper Mist cloud evaluates and applies application policies in the order in which the policies are listed. You can move a given policy up or down in the order by clicking the ellipsis (…) button.

    • You must create steering policies to use with SRX Series Firewalls.

    Figure 9 shows the list of application policies you created.
    Figure 9: Application Policy Summary
  3. Allow Internet Control Message Protocol (ICMP) pings for debugging and for checking device connectivity.

    The default security configuration for SRX Series Firewalls does not allow ICMP ping requests from the LAN device to the local interface of the WAN edge router. We recommend that you test connectivity before the device attempts to connect to the outside network, and that you allow ICMP ping requests for debugging and for checking device connectivity.

    On the SRX Series Firewall, use the following CLI configuration statement to allow ping requests to the local LAN interface for debugging:

Configure Device-Specific WAN Edge Templates

Device configuration is simplified with WAN Edge Templates following your device onboarding process. These WAN Edge templates can be customized to unique deployments across all edge devices. Juniper Networks Mist AI is positioned uniquely in the industry as Mist AI WAN Edge templates can be applied to any model, regardless of vendor. Additionally, WAN Edge templates can mix and match different models under a single template, streamlining your configuration and deployment phase.

To manually configure your WAN Edge templates for the SRX Series Firewalls, see Configure a WAN Edge Template.

Device-Specific WAN Edge Templates

There is a significant benefit to leveraging select Juniper Networks hardware with Mist AI SD-WAN. Configuration is simplified for many Juniper Networks® SRX Series Firewalls, which have device-specific templates that automatically assign WAN and LAN interfaces and define LAN Networks for connectivity.

These templates are unique to each device model. With zero manual input after selecting the device and naming the WAN Edge, the user's specified WAN Edge device is pre-populated with the values. Figure 10 shows the SRX Series WAN Edge template generating several values, including Ethernet interfaces for LAN and WAN with the relevant DHCP and IP values.

Figure 10: Sample of SRX Series WAN Edge Template

Additionally, the Juniper Mist portal populates a traffic-steering policy. This enables Juniper Mist to send traffic over the WAN connection to any Mist application with a quad-zero (0.0.0.0/0) catch-all destination.

When you apply a WAN Edge template, you can see that application policies, networks, and applications receive automatic updates. Figure 11 shows a sample of application policies.

Figure 11: Application Policies After Applying WAN Edge Template

Juniper Mist AI SD-WAN includes the following device models with pre-configured WAN Edge templates for SRX Series Firewalls:

  • SRX300
  • SRX320-POE
  • SRX320
  • SRX340
  • SRX345
  • SRX380
  • SRX550M
  • SRX1500
  • SRX1600*
  • SRX4100
  • SRX4200
  • SRX4600
  • SRX2300*
  • SRX4300*

* Indicates planned Juniper Mist AI WAN support for new model later in 2024.

The WAN Edge device specific templates provide basic network configuration in a single step and allow for re-usable and consistent configuration for each Session Smart Router and SRX Series Firewall device you deploy. The template provides device-specific, pre-configured WAN interfaces, LAN interfaces, a traffic steering policy, and an application policy. All you have to do is name the template and select the device type.

To select a device-specific WAN Edge template:

  1. In the Juniper Mist portal, select Organization > WAN > WAN Edge Templates.
  2. Select Create Template in the upper right corner to open a new template page.
  3. Enter the name for the template.
  4. Click the Create from Device Model check-box.
  5. Select your device model from the drop-down box.
    Figure 12: Configure Device-Specific WAN Edge Template
  6. Click Create.

Juniper Mist UI displays the completed device template. You now have a working WAN Edge template that you can apply to many sites and devices across your organization.

Assign to Site

With your template set up, you need to save and assign it to the site where your WAN edge device will be deployed.

  1. Click the Assign to Site button at the top of the template page.
  2. Select a site from the list where you want the template applied.
  3. Click Apply.
  4. Finally, associate the device with your site. See Onboard SRX Series Firewalls for WAN Configuration.