Maximize your network security with our guide to Juniper SRX firewall configuration. From setup to advanced policies, we cover it all step-by-step.
Juniper SRX series firewalls are well known for delivering the performance and security needed to protect the network edge, data center, and cloud applications. The highly flexible Juniper firewall offers next-generation security, SD-WAN support, and enterprise-grade networking to small and mid-sized businesses and large branch offices, meeting the changing needs of a cloud-enabled, AI-driven enterprise network.
In this article, we will learn how to configure a Juniper firewall and connect it to the internet. This configuration guide will be helpful for beginners and for people who already work on Juniper firewalls. We will set up the new SRX appliance based on the following network topology. Since this is a beginner guide, we will cover the following:
1. Connect to the console port using the console cable and terminal software (Putty).
2. Access the CLI for configuration.
3. Change default credentials and create a new root password.
4. Create a new user.
5. Configure a hostname.
6. Enable SSH.
7. Configure DNS settings.
8. Configure time zone and NTP.
9. Configure security zones.
10. Configure IP addresses on interfaces.
11. Create security policies.
12. Configure default and static routes for internet access.
13. Configure NAT.
14. Perform a firmware upgrade.
Connect to the console port using the console cable and terminal software (Putty)
You can use the console cable that comes with the box or any supported replacement. The console cable's USB end is plugged into the laptop, and the RJ45 end is plugged into the firewall's console port.
After connecting the console cable to the respective ports, we can access the firewall using the PuTTY terminal software.
With the cable connected, we can reach the firewall's Command-Line Interface (CLI) by selecting the correct COM port and baud rate. Every firewall setting can be configured from the CLI. Although the CLI is a little more complicated than the GUI, most Network/Security Engineers prefer it over the GUI.
· Connection Type: Serial
· Serial Line: COM4
· Speed: 9600
By default, the root account has no password, so we need to set one. Enter the username "root" and press Enter.
We must first enter configuration mode to change the device's configuration. There are two modes in the Juniper firewall.
Operational mode: In this mode, we cannot change the device configuration file or settings. It only lets the user view system settings, device status, and other information. To enter operational mode from the root shell, enter the command cli.
Configuration mode: Here, we can change the device configuration settings and save these changes. To enter configuration mode, enter the configure command and press Enter.
Any unauthorized access to the root account can lead to security breaches and data theft. Regularly changing the root password is recommended, as the root account has full administrative privilege.
To change the root password:
The primary purpose of creating a new user is security. Different users can be created for different departments and administrators to ensure only authorized access to the firewall or other network devices. Separate users also make it possible to track which administrator made each change, which is a good security practice.
The hostname provides a unique identification for the network device or firewall. It helps identify the device, and it is recommended to change the firewall's default hostname according to the organization's naming conventions.
Note: Commit is used in the Juniper security appliances to save and apply the changes made in the device.
Secure Shell (SSH) allows network administrators to remotely manage and access the device. Since SSH is encrypted, it is secure to use. Enabling SSH is easy and can be done by following the steps below.
The Domain Name System (DNS) is essential to the network: it resolves hostnames to IP addresses and improves network performance by caching DNS lookups. DNS can be configured by:
Instead of "8.8.8.8", we can use our internal DNS server IP address.
Configuring the time zone and NTP is critical in an organization because it keeps all network devices on the same, accurate time. Consistent time is important for logging, reporting, and correlating events across devices.
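As an added example (these are not the commands from the original page), the initial system settings from the sections above collected into one configuration session. The user name, hostname, time zone, and NTP server address 192.0.2.123 are assumed values; 8.8.8.8 is the DNS server the article uses.

```junos
# Enter configuration mode from operational mode
configure

# Set the root password (Junos prompts twice for the new password)
set system root-authentication plain-text-password

# Create a separate administrator account instead of sharing root
# (user name "netadmin" is assumed)
set system login user netadmin class super-user authentication plain-text-password

# Hostname (assumed value)
set system host-name SRX-EDGE-01

# Enable SSH for remote management; forbid direct root login over SSH
set system services ssh
set system services ssh root-login deny
set system services ssh protocol-version v2

# DNS resolver (replace with the internal DNS server if preferred)
set system name-server 8.8.8.8

# Time zone and NTP server (values assumed)
set system time-zone UTC
set system ntp server 192.0.2.123

# Validate the candidate configuration, then commit and return to operational mode
commit check
commit and-quit
```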
Security zones group interfaces so that zone-based access policies and controls can be applied. Security zones allow administrators to segment the network, and different policies can be applied between different zones. This improves firewall performance, strengthens security, and limits lateral movement by attackers. The steps to create security zones are as follows:
ge-0/0/1 and ge-0/0/2 are the interfaces, and EXTERNAL-ZONE and INTERNAL-ZONE are the zone names.
Configuring the IP address to the interface on the Juniper firewall can be done by the command below:
Here, ge-0/0/1 and ge-0/0/2 are the interfaces.
inet is the IPv4 address family (for IPv6 addresses, we use inet6).
Security policies are used for controlling the incoming and outgoing traffic in an organization. The traffic is controlled based on criteria such as source IP address, Destination IP address, Ports, and application.
The following can be done to create a security policy:
INTERNET-RULE is our policy name.
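As an added example (not the original page's commands), the interface, zone, and policy sections above combined into one configuration. It assumes ge-0/0/1 faces the LAN (172.16.16.0/24, the network used later in the NAT section) and ge-0/0/2 faces the ISP with the assumed address 203.0.113.2/30.

```junos
# Interface addressing (ge-0/0/1 = LAN, ge-0/0/2 = ISP; roles and the ISP address are assumed)
set interfaces ge-0/0/1 unit 0 family inet address 172.16.16.1/24
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/30

# Zones: bind each logical interface (unit 0) to its zone
set security zones security-zone INTERNAL-ZONE interfaces ge-0/0/1.0
set security zones security-zone EXTERNAL-ZONE interfaces ge-0/0/2.0

# Only the internal zone may reach the firewall itself (SSH, ping);
# the external zone gets no host-inbound services, so management is not exposed to the internet
set security zones security-zone INTERNAL-ZONE host-inbound-traffic system-services ssh
set security zones security-zone INTERNAL-ZONE host-inbound-traffic system-services ping

# Global address-book entry so the policy matches the LAN prefix rather than "any"
set security address-book global address LAN-NET 172.16.16.0/24

# Policy INTERNET-RULE: LAN to internet, permitted and logged at session close
set security policies from-zone INTERNAL-ZONE to-zone EXTERNAL-ZONE policy INTERNET-RULE match source-address LAN-NET
set security policies from-zone INTERNAL-ZONE to-zone EXTERNAL-ZONE policy INTERNET-RULE match destination-address any
set security policies from-zone INTERNAL-ZONE to-zone EXTERNAL-ZONE policy INTERNET-RULE match application any
set security policies from-zone INTERNAL-ZONE to-zone EXTERNAL-ZONE policy INTERNET-RULE then permit
set security policies from-zone INTERNAL-ZONE to-zone EXTERNAL-ZONE policy INTERNET-RULE then log session-close

# Anything not explicitly permitted (including EXTERNAL to INTERNAL) is dropped
set security policies default-policy deny-all

commit check
commit
```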
Routes tell the firewall where to forward traffic so it can reach its destination. Static routes are manually added to the routing table; they send traffic for a specific destination through a specific gateway. All other traffic goes through the default gateway. We can configure a static route by:
We can configure the default route by:
Network Address Translation (NAT) translates private IP addresses to public IP addresses so that traffic can be routed on the internet, reach the required destination, and return with a reply. To configure source NAT (SNAT), first define the source and destination zones.
INTERNAL-ZONE and EXTERNAL-ZONE are our zone names.
SOURCE-NAT-RULE is our rule set name.
Define the source and destination addresses for the NAT operation.
RULE-NAT is our rule name, SOURCE-NAT-RULE is our rule set name, 172.16.16.0/24 is our source address, and 0.0.0.0/0 is the destination address.
ge-0/0/2 is our interface name, SOURCE-NAT-RULE is our rule set name, and RULE-NAT is our rule name.
ge-0/0/2 is our interface name, RS1 is our rule set name, and R1 is our rule name.
To verify whether IPS is running, we can check by:
EXTERNAL-ZONE and INTERNAL-ZONE are our zone names, and ISP-POLICY is our policy name.
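The routing and source NAT configuration from the sections above, with verification commands, as an added example (not the page's own commands). The ISP next hop 203.0.113.1, the remote internal network 10.10.0.0/16, and the inside router 172.16.16.254 are assumed; the zone, rule-set, and rule names and the 172.16.16.0/24 source prefix are the ones the article uses.

```junos
# Default route toward the ISP gateway (next hop is assumed)
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# A more specific static route for a remote internal network behind an inside router (assumed)
set routing-options static route 10.10.0.0/16 next-hop 172.16.16.254

# Source NAT: traffic from INTERNAL-ZONE to EXTERNAL-ZONE matching 172.16.16.0/24
# is translated to the address of the egress interface ge-0/0/2
set security nat source rule-set SOURCE-NAT-RULE from zone INTERNAL-ZONE
set security nat source rule-set SOURCE-NAT-RULE to zone EXTERNAL-ZONE
set security nat source rule-set SOURCE-NAT-RULE rule RULE-NAT match source-address 172.16.16.0/24
set security nat source rule-set SOURCE-NAT-RULE rule RULE-NAT match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT-RULE rule RULE-NAT then source-nat interface

# Commit with an automatic rollback after 5 minutes unless confirmed,
# so a mistake cannot lock out a remote management session; the second commit confirms it
commit confirmed 5
commit

# Verification from configuration mode ("run" executes operational-mode commands)
run show route 0.0.0.0/0
run show security nat source rule all
run show security policies
run show security flow session source-prefix 172.16.16.0/24
```

The NAT rule output shows a translation hit counter, and the flow session output shows the translated source address once a LAN host sends traffic to the internet.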
To upgrade the firmware on a Juniper SRX firewall, follow these steps:
Issue the command "request system software add <filename>" to start the upgrade process.
5. To manually reboot the device, enter the "request system reboot" command.
6. The firewall will install the new firmware and reboot.
Note: Before performing any upgrade, it is recommended to back up the current configuration, read the release notes for the new firmware and test the upgrade process in a lab environment.
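An added example (not the page's own steps) of an upgrade session that follows the note above: backup first, stage and verify the image, then install and reboot. The image filename, the file server 192.0.2.10, and the user name are placeholders.

```junos
# Operational mode. Record the running version and free space before touching anything
show version
show system storage

# Back up the configuration: save a rescue config and keep a copy of the active config
request system configuration rescue save
file copy /config/juniper.conf.gz /var/tmp/pre-upgrade-juniper.conf.gz

# Reclaim space, then stage the new image (filename and server are placeholders)
request system storage cleanup
file copy scp://admin@192.0.2.10/images/junos-srxsme-PLACEHOLDER.tgz /var/tmp/

# Compare the checksum with the value published on the Juniper download page before installing
file checksum sha-256 /var/tmp/junos-srxsme-PLACEHOLDER.tgz

# Install the package; no-copy avoids keeping a second copy of the image on the flash
request system software add /var/tmp/junos-srxsme-PLACEHOLDER.tgz no-copy

# Reboot to run the new image, then confirm the version after the device comes back
request system reboot
show version
```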
I hope you found our Juniper SRX configuration guide helpful. I will continue covering related topics like Juniper SRX HA configuration, IPsec VPN, and Remote Access SSL VPN.