You have no items in your shopping cart.
Juniper SRX series firewalls are well known for delivering performance and security to protect your network edge, data center, and cloud applications. The highly flexible Juniper firewall offers next-generation security, SD-WAN support, and enterprise-grade networking to small to mid-sized businesses and large branch offices.
It provides next-generation security, networking, and SD-WAN capabilities to meet the changing needs of your cloud-enabled, AI-driven enterprise network.
In this article, we will learn how to configure a Juniper SRX firewall to connect it to the internet. This guide provides a detailed Juniper SRX firewall configuration process. This configuration guide will be helpful for beginners and for people who are already working on Juniper firewalls. We will set up the new SRX appliance based on the following network topology. Since it is a beginner guide, we will cover the following:
1. Connect to the console port using the console cable and terminal software (Putty)
2. Access the CLI for configuration.
3. Change default credentials and create a new root password.
4. Create a new user.
5. Configure a hostname.
6. Enable SSH.
7. Configure DNS settings.
8. Configuring time zone and NTP.
9. Configure security zones.
10. Configure IP address to interfaces.
11. Security policy creation.
12. Configuring default and static routes for internet access.
13. Configuring NAT.
14. Performing Firmware Upgrade.
Connect to the console port using the console cable and terminal software (Putty)
You can use the console cable that comes with the box or a new one that is supported. The console cable's USB end is plugged into the laptop, and the RJ45 end is plugged into the firewall's console port.
We can access the firewall using PUTTY terminal software after connecting the console cable to the respective ports.
After connecting the console cable, we can access the firewall's Command-Line Interface (CLI) using the correct port and baud rate. The firewall's entire configuration can be configured via CLI. Although CLI is a little more complicated than GUI, most Network/Security Engineers prefer it over GUI.
In the beginning, the root password is not set by default. We need to change it. Enter the username as "root" and press enter.
To change the device's configuration, we must first enter the configuration mode. The Juniper firewall has two modes.
Any unauthorized access to the root account can lead to security breaches and data theft. As the root account has full administrative privileges, it is recommended that the root password be changed regularly.
Enter configure
to enter configuration mode.
Set the new root password using set system root-authentication plain-text-password
.
Commit the changes using commit
.
The primary purpose of creating a new user is security. Different users can be created for different departments and administrators to ensure authorized access to the firewall or other network devices. Creating separate users can also help track all the changes made by the user, which is a good security practice.
To create a new user:
Enter set system login user <username> class super-user authentication plain-text-password
.
Set the new password when prompted.
Commit the changes using commit
.
A hostname provides a unique identification for the network device or firewall. It can be helpful to identify the device, and it is recommended that the firewall's default hostname be changed according to the organization's needs and criteria.
Note: Use commit
in the Juniper security appliances, save and apply the changes made in the device.
Secure Shell (SSH) allows network administrators to remotely manage and access the device. Since SSH is encrypted, it is safe to use. Enabling SSH is easy; follow the steps below to do so.
Domain Name Server (DNS) is essential to the network and can help resolve hostnames. DNS resolves the hostname to the IP address and enhances the network performance by caching DNS-level information. DNS can be configured by:
set system name-server 8.8.8.8
.Instead of "8.8.8.8", we can use our internal DNS server IP address.
Configuring time zones and NTP is critical in an organization as it ensures all the network devices are on the same and accurate time. This is important in logging, reporting, and other features.
Security zones and interfaces are grouped to implement zone-based access policies and control. Security Zones allow administrators to segment the network into different zones, and different policies can be applied to different zones. This enhances firewall performance, provides security, and stops attackers' lateral movements.
set security zones security-zone EXTERNAL-ZONE interfaces ge-0/0/1
Note: ge-0/0/1
and ge-0/0/2
are the interfaces, and EXTERNAL-ZONE
and INTERNAL-ZONE
are the zone names.
Configuring the IP address to the interface on the Juniper firewall can be done by the command below:
Here, ge-0/0/1
and ge-0/0/2
are the interfaces.
inet is for IPv4 address (for IPv6 address, we use inet6).
Security policies control an organization's incoming and outgoing traffic. Traffic is controlled based on criteria such as source IP address, destination IP address, ports, and application.
set security policies from-zone EXTERNAL-ZONE to-zone INTERNAL-ZONE policy INTERNET-RULE match source-address any destination-address any application junos-https permit
Detailed Example of Security Policy Configuration:
INTERNET-RULE is our policy name.
Routes are used to show the traffic's directions so it can reach its destination. Static routes are manually added to the routing table. They control the traffic and send it from a specific gateway. All the other traffic goes through the default gateway. We can configure static route by:
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254
We can configure the default route by:
Network Address Translation (NAT) is used to translate private IP addresses to public IP addresses so that they can be routable on the internet, reach the required destination, and come back with a reply.
To configure SNAT;
1. Define source and destination zones using set security nat source rule-set SOURCE-NAT-RULE from zone INTERNAL-ZONE to zone EXTERNAL-ZONE
INTERNAL ZONE & EXTERNAL ZONE is our zone name.
SOURCE-NAT-RULE is our rule set name.
Define the source and destination addresses for the NAT operation.
2. Set rule using set security nat source rule-set SOURCE-NAT-RULE rule RULE-NAT match source-address 172.16.16.0/24 destination-address 0.0.0.0/0
RULE-NAT is our rule name, SOURCE-NAT-RULE is our rule set name, 172.16.16.0/24 is our source address, and 0.0.0.0/0 is the destination address.
GE-0/0/2 is our interface name, SOURCE-NAT-RULE is our rule set name, and RULE-NAT is our rule name.
GE-0/0/2 is our interface name, RS1 is our rule set name, and R1 is our rule name.
To verify if IPS is running or not, we can check by:
EXTERNAL-ZONE and INTERNAL-ZONE are our zone names, and ISP-POLICY is our policy name.
To upgrade the firmware on a Juniper SRX firewall, follow these steps:
Issue the command "request system software add <filename>" to start the upgrade process. Enter the “request system reboot” command to manually reboot the device.
The firewall will install the new firmware and reboot.
Note: Before performing any upgrade, it is recommended to back up the current configuration, read the release notes for the new firmware and test the upgrade process in a lab environment.
1. How do I connect my Juniper SRX firewall to the internet for optimal configuration?
Follow the steps in this guide to configure security zones, IP addresses, and routing options to connect your Juniper SRX firewall to the internet.
2. What are the benefits of configuring security zones in Juniper firewalls?
Configuring security zones allows you to segment the network, apply different policies, and enhance security to prevent lateral movement by attackers.
3. How do I configure NAT on a Juniper SRX firewall?
Use the configuration steps in this guide under "Configuring Source NAT (SNAT)" to set up NAT and allow devices to communicate over the internet.
4. What is the default root password for Juniper SRX?
By default, there is no password for the root user on Juniper SRX. You must set a new root password during the initial setup.
This step-by-step guide provided a complete overview of configuring a Juniper SRX firewall, from basic setup to advanced features such as security zones, NAT, and firmware upgrades. These steps will help you secure and optimize your network effectively.
Need help configuring your Juniper SRX firewall? Contact our experts today for personalized assistance!