Junos SRX Firewall Initial Configuration
Juniper Networks® SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that deliver security, routing, and networking capabilities.
1. Set the system date from operational mode, using the format YYYYMMDDhhmm.ss. The command below sets the device clock to January 5, 2023, 12:00:00 PM.
set date 202301051200.00
- After setting the date and time, verify the device's clock and uptime with the "show system uptime" command.
2. Set up root authentication. Beyond the obvious need to protect the device with a password, Junos enforces it: a commit is refused until root-authentication is configured.
set system root-authentication plain-text-password
- Do not be misled by the plain-text-password option: it does not mean the password is stored in plain text. It only means you are typing the password as a clear-text string at the prompt; Junos hashes it and stores only the hash, which appears as encrypted-password in the configuration.
3. Enable the SSH service for remote management (out-of-band through the management port, or in-band through a zone interface as in step 9). The second command shows how to enable Telnet; do not use it outside a lab, because it is unencrypted and exposes credentials on the wire.
set system services ssh
set system services telnet
4. Change the device's hostname, domain name, DNS name server, and time zone.
set system host-name JNCIA-SRX
set system domain-name srxtest.com
set system name-server 8.8.8.8
set system time-zone Asia/Manila
5. Set up the management interface and the transit traffic interfaces. fxp0 is the dedicated out-of-band management port; on platforms without one, use a regular ge- interface for management instead. Addresses below are lab values.
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 100.0.0.1/30
6. Configure a default route pointing at the internet gateway.
set routing-options static route 0.0.0.0/0 next-hop 100.0.0.2
7. Set up a login banner (shown before the login prompt).
set system login message "This is a test environment."
8. Configure the zones, here trust and untrust, and assign the transit interfaces to them. Note that the zone names are up to you.
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
9. Allow SSH to the SRX itself on trust-zone interfaces for in-band management. Enabling the SSH service in step 3 is not enough: the SRX drops traffic addressed to its own zone interfaces unless the zone's host-inbound-traffic permits that service.
set security zones security-zone trust host-inbound-traffic system-services ssh
10. Configure a security policy that permits web traffic from the trust zone to the untrust zone. As written it matches only junos-https; if plain HTTP is also needed, the junos-http application must be added to the match.
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic match source-address any destination-address any application junos-https
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then permit
11. For troubleshooting you may add log and count actions to the policy: log session-close records each session when it ends, and count keeps per-policy traffic counters.
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then log session-close
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then count
12. Policies are evaluated top to bottom within a from-zone/to-zone context and the first match wins; a newly created policy is appended at the end. If a DENY-ALL policy already exists, the new policy would sit below it and never match, so move it above with the insert command in configuration mode:
edit security policies from-zone trust to-zone untrust
insert policy Allow-Web-Traffic before policy DENY-ALL
13. Validate the changes, compare the candidate configuration with the active one, and commit.
commit check
show | compare
commit
- commit check validates the candidate configuration (syntax and constraints such as the root-authentication requirement) without activating it.
- show | compare shows the differences between the candidate configuration and the active configuration.
- commit activates the candidate configuration.
- You may instead run commit confirmed 5, which activates the configuration but automatically rolls it back after 5 minutes unless you confirm it with a second commit; without a number the timer defaults to 10 minutes. Use it whenever a change could lock you out of your own session, such as edits to security policies, host-inbound-traffic, or management addressing.
- To discard mistakes that have not been committed yet, run rollback 0, which resets the candidate to the active configuration. If the mistake has already been committed, rollback 1 followed by commit restores the previous active configuration.
14. Some useful show commands in operational mode.
show interfaces terse
show configuration system services
show route
show security policies
show security policies policy-name <policy name>
show security policies hit-count
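The steps above build one configuration, and the two mistakes most likely to bite during a first deployment are leaving Telnet on and letting a new policy land below DENY-ALL. The script below is an added example, not code from the article: it takes a set-format dump of the configuration assembled in steps 2 to 12 (constructed inline, with a placeholder password hash), reviews it offline for those pitfalls, and mimics the insert command so you can see the policy order before and after the fix. The policy_order and insert_before helpers are assumptions for illustration, not Junos APIs.

```python
"""Offline review of a Junos SRX set-format configuration (added example).

Constructed from the article's steps; the password hash is a placeholder.
The telnet line and the DENY-ALL-first ordering are left in on purpose so
the review has something to report.
"""
import shlex
from collections import OrderedDict

CONFIG = """
set system root-authentication encrypted-password "$6$placeholder-hash"
set system services ssh
set system services telnet
set system host-name JNCIA-SRX
set system domain-name srxtest.com
set system name-server 8.8.8.8
set system time-zone Asia/Manila
set system login message "This is a test environment."
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 100.0.0.1/30
set routing-options static route 0.0.0.0/0 next-hop 100.0.0.2
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security policies from-zone trust to-zone untrust policy DENY-ALL match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy DENY-ALL then deny
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic match source-address any destination-address any application junos-https
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then permit
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then log session-close
set security policies from-zone trust to-zone untrust policy Allow-Web-Traffic then count
"""


def parse_set(config):
    """Tokenise each 'set ...' line (quotes respected), dropping the 'set' keyword."""
    return [shlex.split(l.strip())[1:] for l in config.strip().splitlines()
            if l.strip().startswith("set ")]


def _is_policy(t, zones=None, name=None):
    ok = t[:2] == ["security", "policies"] and len(t) >= 8 and t[6] == "policy"
    return ok and (zones is None or (t[3], t[5]) == zones) and (name is None or t[7] == name)


def policy_order(stmts):
    """(from, to) -> policy names in evaluation order: first appearance wins on the SRX."""
    order = OrderedDict()
    for t in (t for t in stmts if _is_policy(t)):
        names = order.setdefault((t[3], t[5]), [])
        if t[7] not in names:
            names.append(t[7])
    return order


def policy_match(stmts, zones, name):
    """Collect 'match <key> <value>' pairs of one policy into {key: [values]}."""
    match = {}
    for t in (t for t in stmts if _is_policy(t, zones, name) and len(t) > 9 and t[8] == "match"):
        for k, v in zip(t[9::2], t[10::2]):
            match.setdefault(k, []).append(v)
    return match


def insert_before(stmts, zones, policy, before):
    """Mimic 'insert policy <policy> before policy <before>' inside one zone pair."""
    moving = [t for t in stmts if _is_policy(t, zones, policy)]
    rest = [t for t in stmts if not _is_policy(t, zones, policy)]
    idx = next(i for i, t in enumerate(rest) if _is_policy(t, zones, before))
    return rest[:idx] + moving + rest[idx:]


def review(stmts):
    """Return a list of findings a practitioner would want before committing."""
    findings = []
    if ["system", "services", "telnet"] in stmts:
        findings.append("telnet enabled: cleartext management protocol, delete it")
    if not any(t[:2] == ["system", "root-authentication"] for t in stmts):
        findings.append("no root-authentication: commit will be refused")
    if ["system", "services", "ssh", "root-login", "deny"] not in stmts:
        findings.append("ssh root-login not denied: log in as a named user instead")
    for t in stmts:
        if t[:3] == ["security", "zones", "security-zone"] and t[4:6] == [
                "host-inbound-traffic", "system-services"] and t[3] != "trust":
            findings.append(f"zone {t[3]} accepts {t[6]} to the SRX itself: confirm intended")
    for zones, names in policy_order(stmts).items():
        for i, name in enumerate(names[:-1]):
            m = policy_match(stmts, zones, name)
            if all(m.get(k) == ["any"] for k in ("source-address", "destination-address", "application")):
                findings.append(f"{zones[0]}->{zones[1]}: '{name}' matches everything, "
                                f"so {names[i + 1:]} are unreachable")
                break
    return findings


if __name__ == "__main__":
    stmts = parse_set(CONFIG)
    print("before insert:", review(stmts))
    fixed = insert_before(stmts, ("trust", "untrust"), "Allow-Web-Traffic", "DENY-ALL")
    print("after insert: ", review(fixed))
```

Run it as-is to see the shadowed-policy finding disappear once Allow-Web-Traffic is moved above DENY-ALL; the telnet and root-login findings remain until those lines are changed, which is the point of reviewing a set-format dump before the real commit.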
15. Resources