Juniper SRX Firewall Configuration: A 14-Step Guide

Juniper SRX Firewall Configuration: A 14-Step Guide

Carmen Tosun Carmen Tosun
9 minute read

Juniper SRX series firewalls are well known for delivering performance and security to protect your network edge, data center, and cloud applications. The highly flexible Juniper firewall offers next-generation security, SD-WAN support, and enterprise-grade networking to small to mid-sized businesses and large branch offices. 

It provides next-generation security, networking, and SD-WAN capabilities to meet the changing needs of your cloud-enabled, AI-driven enterprise network.

In this article, we will learn how to configure a Juniper SRX firewall to connect it to the internet. This guide provides a detailed Juniper SRX firewall configuration process. This configuration guide will be helpful for beginners and for people who are already working on Juniper firewalls. We will set up the new SRX appliance based on the following network topology. Since it is a beginner guide, we will cover the following:

1. Connect to the console port using the console cable and terminal software (Putty)

2. Access the CLI for configuration.

3. Change default credentials and create a new root password.

4. Create a new user.

5. Configure a hostname.

6. Enable SSH.

7. Configure DNS settings.

8. Configuring time zone and NTP.

9. Configure security zones.

10. Configure IP address to interfaces.

11. Security policy creation.

12. Configuring default and static routes for internet access.

13. Configuring NAT.

14. Performing Firmware Upgrade.

Network Topology for Juniper SRX Firewall Configuration

How to Set Up Your Juniper SRX Firewall: Step-by-Step Configuration Guide

Step 1: Connecting to the Console Port to Begin Setup

Connect to the console port using the console cable and terminal software (Putty)

You can use the console cable that comes with the box or a new one that is supported. The console cable's USB end is plugged into the laptop, and the RJ45 end is plugged into the firewall's console port.

We can access the firewall using PUTTY terminal software after connecting the console cable to the respective ports.

PuTTY configuration settings for connecting to Juniper SRX firewall via console, showing Serial Line COM4 and speed 9600 setup

Step 2: Accessing the CLI for Configuration

After connecting the console cable, we can access the firewall's Command-Line Interface (CLI) using the correct port and baud rate. The firewall's entire configuration can be configured via CLI. Although CLI is a little more complicated than GUI, most Network/Security Engineers prefer it over GUI.

  • Connection Type: Serial
  • Serial Line: COM4
  • Speed: 9600

Where can changes be made in the Juniper firewall?

In the beginning, the root password is not set by default. We need to change it. Enter the username as "root" and press enter.

Juniper SRX firewall login screen showing root user access in command line interface

To change the device's configuration, we must first enter the configuration mode. The Juniper firewall has two modes. 

Operational mode: In this mode, we cannot change the device configuration file and settings. It only lets the user see the system settings, device, and other information. To enter operational mode, we enter the command CLI.

Firewall configuration operational mode

Configuration Mode: Here, we can change the device configuration settings and save these changes. To enter the configuration mode, enter the Configure command and press enter.Juniper SRX firewall CLI configuration mode example showing configure command and entering configuration mode

Step 3: Changing Default Credentials

Any unauthorized access to the root account can lead to security breaches and data theft. As the root account has full administrative privileges, it is recommended that the root password be changed regularly.

To change the root password:

  • Enter configure to enter configuration mode.

  • Set the new root password using set system root-authentication plain-text-password.

  • Commit the changes using commit.

Juniper SRX firewall CLI showing command to set root password using plain-text authentication

Step 4: Creating a New User

The primary purpose of creating a new user is security. Different users can be created for different departments and administrators to ensure authorized access to the firewall or other network devices. Creating separate users can also help track all the changes made by the user, which is a good security practice.

To create a new user:

  • Enter set system login user <username> class super-user authentication plain-text-password.

  • Set the new password when prompted.

  • Commit the changes using commit.

Juniper SRX firewall command to create a new user with super-user privileges in CLI

Step 5: Configuring a Hostname

A hostname provides a unique identification for the network device or firewall. It can be helpful to identify the device, and it is recommended that the firewall's default hostname be changed according to the organization's needs and criteria.Juniper SRX firewall CLI command to set hostname and commit configuration changes

Note: Use commit in the Juniper security appliances, save and apply the changes made in the device.

Step 6: Enabling SSH

Secure Shell (SSH) allows network administrators to remotely manage and access the device. Since SSH is encrypted, it is safe to use. Enabling SSH is easy; follow the steps below to do so.

Juniper SRX firewall CLI command to enable SSH for remote management access

Step 7: Configuring DNS Settings for Juniper SRX Firewall

Domain Name Server (DNS) is essential to the network and can help resolve hostnames. DNS resolves the hostname to the IP address and enhances the network performance by caching DNS-level information. DNS can be configured by:

  • Use set system name-server 8.8.8.8.Juniper SRX firewall CLI command to set DNS name-server to 8.8.8.8

Instead of "8.8.8.8", we can use our internal DNS server IP address.

Step 8: Configuring Time Zone and NTP

Configuring time zones and NTP is critical in an organization as it ensures all the network devices are on the same and accurate time. This is important in logging, reporting, and other features.

Juniper SRX firewall CLI commands to set time zone and configure NTP server for accurate device synchronization

Step 9: Configuring Security Zones

Security zones and interfaces are grouped to implement zone-based access policies and control. Security Zones allow administrators to segment the network into different zones, and different policies can be applied to different zones. This enhances firewall performance, provides security, and stops attackers' lateral movements.

  • Example: set security zones security-zone EXTERNAL-ZONE interfaces ge-0/0/1

Juniper SRX firewall CLI commands to configure external and internal security zones for network segmentation

Note: ge-0/0/1 and ge-0/0/2 are the interfaces, and EXTERNAL-ZONE and INTERNAL-ZONE are the zone names.

Step 10: Configuring IP Address to Interfaces

Configuring the IP address to the interface on the Juniper firewall can be done by the command below:Configure IP address to interfaces

Here, ge-0/0/1 and ge-0/0/2 are the interfaces.

inet is for IPv4 address (for IPv6 address, we use inet6).

Step 11: Security Policy Creation

Security policies control an organization's incoming and outgoing traffic. Traffic is controlled based on criteria such as source IP address, destination IP address, ports, and application.

  • Example: set security policies from-zone EXTERNAL-ZONE to-zone INTERNAL-ZONE policy INTERNET-RULE match source-address any destination-address any application junos-https permit

Detailed Example of Security Policy Configuration:Juniper SRX firewall CLI commands to create a security policy from internal to external zone with match and permit or deny settings

INTERNET-RULE is our policy name.

Step 12: Configuring Default and Static Routes for Internet Access

Routes are used to show the traffic's directions so it can reach its destination. Static routes are manually added to the routing table. They control the traffic and send it from a specific gateway. All the other traffic goes through the default gateway. We can configure static route by:

  • Example: set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254Configuring default and static routes for internet access

We can configure the default route by:default route

Step 13: Configuring Source NAT (SNAT)

Network Address Translation (NAT) is used to translate private IP addresses to public IP addresses so that they can be routable on the internet, reach the required destination, and come back with a reply.

To configure SNAT;

1. Define source and destination zones using set security nat source rule-set SOURCE-NAT-RULE from zone INTERNAL-ZONE to zone EXTERNAL-ZONE

Configuring Source SNAT

INTERNAL ZONE & EXTERNAL ZONE is our zone name.

SOURCE-NAT-RULE is our rule set name.

Define the source and destination addresses for the NAT operation.

2. Set rule using set security nat source rule-set SOURCE-NAT-RULE rule RULE-NAT match source-address 172.16.16.0/24 destination-address 0.0.0.0/0Configuring Source SNAT 2

RULE-NAT is our rule name, SOURCE-NAT-RULE is our rule set name, 172.16.16.0/24 is our source address, and 0.0.0.0/0 is the destination address.Configuring Source SNAT 3

GE-0/0/2 is our interface name, SOURCE-NAT-RULE is our rule set name, and RULE-NAT is our rule name.

Configuring Destination NAT (DNAT)Configure Destination NAT (DNAT)

GE-0/0/2 is our interface name, RS1 is our rule set name, and R1 is our rule name.

Enabling IPS in Juniper FirewallEnabling IPS in Juniper Firewall

To verify if IPS is running or not, we can check by:IPS check

EXTERNAL-ZONE and INTERNAL-ZONE are our zone names, and ISP-POLICY is our policy name.

Step 14: Upgrading Firmware Version

To upgrade the firmware on a Juniper SRX firewall, follow these steps:

  1. Download the latest firmware image from the Juniper website.
  2. Connect to the firewall via a console or SSH connection.
  3. Upload the firmware image to the firewall using FTP, SCP, or another file transfer protocol.
  4. Copy the image to /var/temp/ location.

Firmware Version Upgrade

Issue the command "request system software add <filename>" to start the upgrade process.Firmware Version Upgrade 2 Enter the “request system reboot” command to manually reboot the device.

      The firewall will install the new firmware and reboot.

  1. After the reboot, log back into the firewall and verify that the new firmware version is installed and operating as expected.

Note: Before performing any upgrade, it is recommended to back up the current configuration, read the release notes for the new firmware and test the upgrade process in a lab environment.

Frequently Asked Questions (FAQ) for Juniper SRX Firewall Configuration

1. How do I connect my Juniper SRX firewall to the internet for optimal configuration?

Follow the steps in this guide to configure security zones, IP addresses, and routing options to connect your Juniper SRX firewall to the internet.

2. What are the benefits of configuring security zones in Juniper firewalls?

Configuring security zones allows you to segment the network, apply different policies, and enhance security to prevent lateral movement by attackers.

3. How do I configure NAT on a Juniper SRX firewall?

Use the configuration steps in this guide under "Configuring Source NAT (SNAT)" to set up NAT and allow devices to communicate over the internet.

4. What is the default root password for Juniper SRX?

By default, there is no password for the root user on Juniper SRX. You must set a new root password during the initial setup.

This step-by-step guide provided a complete overview of configuring a Juniper SRX firewall, from basic setup to advanced features such as security zones, NAT, and firmware upgrades. These steps will help you secure and optimize your network effectively.

Need help configuring your Juniper SRX firewall? Contact our experts today for personalized assistance!

« Back to Blog

Just added to your wishlist:
My Wishlist
You've just added this product to the cart:
Checkout