SRX for beginners

I was thinking if I should write a short article for beginners to quickly configure an SRX firewall. I don’t know how many people will find it useful but I hope it will be for those who use SRX for the first time in their life. Let’s get started.

Our topology in this tutorial is below;

srx_beginner
We will configure the followings from scratch:

  1. Loading default config and setting the root password
  2. Configuring interfaces and default route
  3. Configuring security zones
  4. Configuring address book entries
  5. Creating security policies
  6. Creating source nat for internal clients

Loading default config and setting the root password

I assume you are connected to the SRX device via console

First a bit of information for the SRX novice. As SRX is running Junos, it has two modes

  1. Operational mode and this mode has the prompt > on the CLI
  2. Configuration mode and this mode has the prompt # on the cli

When you login to a Junos device, you might also see the prompt % which is the root shell and it doesn’t belong to any of those aforementioned modes and this is the lowest mode on the hierarchy and you can switch between these modes. Quickly, I can show you how to switch between these modes with an example:

root%           <-- This is the root shell, you may see this as well
root% cli       <-- I would like to switch to operational mode so I am typing the command "cli".
root>           <-- I am on the operational mode as the prompt indicates.
root>configure <-- I would like to switch to configuration mode to configure my interfaces, IP addresses etc.
root#           <-- Now we are on the configuration mode as the hash prompt indicates.

Now we can move to the configuration:


[edit]
root# load factory-default
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name srx220

[edit]
root# commit
commit complete

[edit]
root@srx220#

Once we commit the changes, we should see the new hostname srx220 in the prompt.
Commit is required to save and activate your changes.

Configuring interfaces and default route

Interfaces


#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24

Default route


#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Configuring security zones

SRX is a zone based firewall hence you have to assign each interface to a zone to be able to pass traffic through and into it. There may be two default zones trust and untrust coming with the factory-default config but we will delete them and configure our own zones. Following will be our zone configuration;

  • Our zone facing pc clients is named internal
  • zone facing internet is named internet
  • Internal clients will be able to reach SRX (i.e ping and ssh service will be enabled) towards SRX

#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0

Now we have assigned interfaces to each zone. To mention again, if you don't add the services e.g ssh&ping under internal zone, you can neither connect to the box via ssh nor ping its internal interface IP.

Configuring address book entries

If you want to configure a security policy you must create an address book entry for the network ranges you would like to use. We will create one address book entry for our internal network block 192.168.239.0/24 as follows;


#set security zones security-zone internal address-book address network_239 192.168.239.0/24

Our address book entry is also ready for security policy. Now it is time to enforce the security policy to allow internal users to access outside networks.

Note: Address book configuration has evolved over several releases. To better understand the address book concept on SRX, you can take a look at my other post about address books once you finish this post.

Creating security policies

As this is a firewall, if you don't create a security policy allowing traffic from one zone to the other one, don't expect your transit traffic to work. Here, we first start by deleting already existing policies to make sure no other policies exist.


#delete security policies
#set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then permit

A security policy is created within a context. What does this mean? It means the context defines the direction. For example, policy we have created named "allow-internal-clients" is only matching any traffic from internal zone to internet zone. As our action is "permit", we allow traffic from "network_239" address book network i.e 192.168.239.0/24 towards any address.

Creating source nat for internal clients

You may also need to source NAT internal clients with your outside interface IP address. Here is how we configure source nat in SRX:

First start deleting previous left over nat rules.


#delete security nat
#set security nat source rule-set internal-to-internet from zone internal
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit

For simplicity we use interface based nat which means if an internal client has an IP address on 192.168.239.0/24 range, its IP packets' source addresses will be replaced by the interface IP address 192.168.100.38 when the client wants to reach Internet.

As you can see source NAT is also a context based configuration. You define from which zone you are coming and to which zone you are heading.After these configuration your internal clients whose gateway is 192.168.239.1 should be able to reach Internet if I haven't made any mistake so far.

To see the next SRX for beginners post SRX for beginners #2

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


51 thoughts on “SRX for beginners”

  1. Hi , Perfect one !….. How to configure nat rules and default route for dynamic IP address which we are receiving from isp through PPOE/PPOA ?

      1. Hello rtoodtoo

        I like your blog. Useful things! 🙂

        In that case, of PPPoE, is it necessary to commit this as different interface? Can you use your modem/router default gateway in a ge 0/0/0 interface?

  2. Hi, Perfect documentation for starters with SRX. I am working with Netscreen FW for 7 years but no experience on SRX so far. Your simple writing is a very helpful for me. By the way, in the NAT section there is no rule about to which IP the translation will occur? Would you please enlighten on that?

    Thanks again for the great post.

    1. Hi Neo,
      Source NAT is done on the interface IP. So you don’t have to specify an IP address and in our example external source IP will be 192.168.100.38

      Genco.

  3. Hi,

    What do you think about the web interface configuration? Do you think that it’s a good idea to setup everything through web interface and then play with the console? I have to do the basic setup for the production environment with DMZ etc. and I’m beginners with juniper – before I was working on sonicwalls firewall.

    Thanks

    1. It isn’t an easy question actually. I do always prefer CLI as I can see what I configure. WEB interface is easier for beginners of course but if you would like to learn
      JUNOS, better to use CLI.

  4. Hi, i configure my srx201he2, but i want a list of commands to learn do my job.

  5. Thanks alot, I’m also a beginer and this article just made my day. I have an srx110 and I’ve been struggling to join it on the network. I followed this article and managed to join the srx on the network and now I’m able to manage it remotely.

    KEEP UP THE GOOD WORK.

  6. Thanks. Having just downloaded vSRX this provides a nice place to start.
    Note – Console of VMware started me at a kernel shell prompt and I had to issue the ‘CLI’ command to enter the Junos CLI shell.

    1. Life saver – I had the same problem on a live box when connected via console – I think it was due to the previous login issuing the “exit” command. Anyway – thanks for the comment – would be nice to add this to the overview above.

      1. Hi Marc and Joe,
        I have updated the post as per your feedback to cover the cli command as well. Thank you.

  7. Thank you for the post. I dont seem to understand the nat process. The second to the last command that ends with “then source-nat interface”.

    Please help release another post on vlans, vpn and other aspects. Thanks so much

  8. I tried connecting a cisco switch to the srx internal interface, client connected to the switch could not ping to the srx internal interface but able to ping if I connect client directly to srx internal interface. Is there a need to assign vlan to srx internal interface?

    1. Hello Kenneth, I think the srx has the capability to also act as a switch beside the routing. I will suggest checking the default gateway on the switch and make sure it point to the router. Another area might be the ip address. Make sure it is on the same subnet with the srx

  9. Excellent article for beginners like me. I worked on SSG series , just started learning on SRX and found this article. Thanks buddy.

    I ll ask many queries in future 🙂 Thanks again

      1. rtoodtoo the SRX cli was great and thank you but what changes would i need if the data is going through the Cisco switch into an SRX and then onto a UAD?

  10. Could you help me out? i have been trying to give my VSRX internet access ( so i can download and install IDP) but i cannot go out to the internet, i can SSH and ping my VSRX from my computer, but i cannot ping any website nor any other host within my network.

    I am using VMware workstation, i dont know if it has something to do with my network adapters, i am using them as bridged to my physical network.

    Could you check if i am missing something if i share my configuration?

  11. i config as you but when ping from 192.168.239.2 to 192.168.239.1 is request timed out and ping from srx220 (192.168.239.1) to 192.168.239 is ok

  12. Please help why is fe-0/0/1.0 Link down? I connect a endpoint (192.168.239.100/24) to fe-0/0/6 and cannot ping to 192.168.239.1

    root@Internet# run show interfaces terse
    Interface Admin Link Proto Local Remote
    fe-0/0/0 up up
    fe-0/0/0.0 up up inet 192.168.0.254/24
    fe-0/0/1 up down
    fe-0/0/1.0 up down inet 192.168.239.1/24
    fe-0/0/2 up down
    fe-0/0/2.0 up down eth-switch
    fe-0/0/3 up down
    fe-0/0/3.0 up down eth-switch
    fe-0/0/4 up down
    fe-0/0/4.0 up down eth-switch
    fe-0/0/5 up down
    fe-0/0/5.0 up down eth-switch
    fe-0/0/6 up up
    fe-0/0/6.0 up up eth-switch

    interfaces {
    fe-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.0.254/24;
    }
    }
    }
    fe-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.239.1/24;
    }
    }
    }

    fe-0/0/6 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }

  13. This is helpful. However, I would like to add a Juniper SRX210 to an existing network but have it act as a switch only as security is already handled by my router. Is this possible?

    1. Chris,
      You can use SRX in transparent mode as well. There are bunch of docs at Juniper and also in my blog about configuration.

  14. Thanks a lot, after try to understand some article this is the simple way and easy to understand for me

  15. Thx for your guide . I have problem at Configuring security zones,I found ge-0/0/0.0 already assigned to another zone, But I ve never assign it before

  16. New to zone-based firewalls, not to networking. Coming from Cisco, this and your next post helped a lot. Thanks!

  17. Hello, I am new to this srx 1400. I am lucky to purchase it at the cheap price. I am student of networking engineering. I decide to put something new that I am not comfortable to work with but….if I learn to do out of comfort zone, I am pretty sure I will learn many things. ANYWAY, let me state that I have no knowledge in the juno system. I been practice to pick up something and I try to config the internet for the first time. NO LUCK.

    how can we interact with this information?

    Jared

    1. you can check virtual SRX, you don’t really need hardware to test most of the features.

Leave a Reply to NeoCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading