Juniper NETWORKS SRX380 Fnterprise Firewall User Guide

: August 28, 2024
: JUNIPER NETWORKS

Juniper NETWORKS SRX380 Fnterprise Firewall User Guide

Juniper NETWORKS SRX380 Fnterprise Firewall - front
page

Step 1: Begin

In this guide, we provide a simple, three-step path, to quickly get you up and running with your new SRX380. We’ve simplified and shortened the installation and configuration steps, and included how-to videos. You’ll learn how to install the SRX380 in a rack, power it up, and deploy it on your network using the CLI.

NOTE : We think you’ll want to check out our Guided Setup: SRX300 Line Firewalls. Our Guided Setup picks up where this Day One+ ends, providing step-by-step instructions on how to easily secure and validate your branch location.

Are you interested in getting hands-on experience with the topics and operations covered in this guide? Visit Juniper Networks Virtual Labs and reserve your free sandbox today! You’ll find the Junos Day One Experience sandbox in the stand alone category.

Meet the SRX380

The Juniper Networks® SRX380 Firewall is a high-performance, all-in-one secure SD-WAN gateway. It provides your network with superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. With sixteen 1-Gigabit Ethernet PoE+ ports and four 10-Gigabit Ethernet ports, the SRX380 provides greater port density than other models in the SRX300 line of devices, all in a 1-U form factor.

Juniper NETWORKS SRX380 Fnterprise Firewall - Meet the
SRX380

Install the SRX380

What’s in the Box?

SRX380 Firewall
Power cord appropriate for your geographic location
Power cord retainer clip
Rack mount kit with:
• Six flat-head 4-40 mounting screws
• Twelve flat-head M4x6-mm Phillips mounting screws
• Four mounting brackets (includes two 2-inch-recess brackets) that attach to the mounting rails
• Two mounting rails
• Two mounting blades

What Else Do I Need?

You’ll also need:

Someone to help you do the installation
Eight rack mount screws appropriate for your rack
A number two Phillips (+) screwdriver
A console cable with the required adapter

NOTE : We no longer include the console cable as part of the device package. If the console cable and adapter are not included in your device package, or if you need a different type of adapter, you can order the following separately:

RJ-45 to DB-9 adapter (JNP-CBL-RJ45-DB9)
RJ-45 to USB-A adapter (JNP-CBL-RJ45-USBA)
RJ-45 to USB-C adapter (JNP-CBL-RJ45-USBC)

If you want to use an RJ-45 to USB-A or RJ-45 to USB-C adapter, you must have the X64 (64-Bit) Virtual COM port (VCP) driver installed on your PC. See https://ftdichip.com/drivers/ vcp-drivers/ to download the driver.

Rack It

Here’s how to install the SRX380 in a rack:

Review General Safety Guidelines and Warnings
Wrap and fasten one end of the electrostatic discharge (ESD) grounding strap around your bare wrist, and connect the other end to a site ESD point.
Attach the mounting brackets to the side mounting rails using the six flat-head mounting screws.
Attach the mounting rails to the sides of the SRX380 using the M4x6-mm Phillips flat-head mounting screws.
Lift the SRX380 and position it in the rack. Line up the bottom hole in each mounting bracket with a hole in each rack rail, making sure the SRX380 is level.
While you’re holding the SRX380 in place, have a second person insert and tighten the rack mount screws to secure the mounting brackets to the rack rails. Make sure they tighten the screws in the two bottom holes first and then tighten the screws in the two top holes.
Continue holding the SRX380 in place and have the second person slide the mounting blades into the channel of the mounting rails.
Screw the mounting blades to the rack using the rack mount screws.
Check that the mounting brackets on each side of the rack are level.

Power On

Now that you’ve installed your SRX380 in the rack, you’re ready to connect it to power.

Wrap and fasten one end of the electrostatic discharge (ESD) grounding strap around your bare wrist, and connect the other end to a site ESD point.
Attach a grounding cable to earth ground and then attach the other end to the SRX380’s grounding points.
On the SRX380 rear panel, push the end of the retainer strip into the slot above the power cord socket until the strip snaps into place.
Press the small tab on the retainer strip to loosen the loop.
Slide the loop until you have enough space to insert the power cord into the power cord socket.
Plug in the power cord firmly to the SRX380 power cord socket.
Slide the loop on the retainer strip toward the power supply until it is snug against the base of the power cord coupler.
Press the tab on the loop and draw out the loop into a tight circle.
If the AC power source outlet has a power switch, turn it off.
Plug in the AC power cord to the power source outlet.
If the AC power source outlet has a power switch, turn it on.
The SRX380 powers up as soon as you connect it to power. When the PWR LED on the front panel is lit solid green, the SRX380 is ready to use.

Step 2: Up and Running

Now that the SRX380 is powered on, let’s do some initial configuration to get the switch up and running on the network.

NOTE : Be sure to check out our Guided Setup: SRX300 Line Firewalls. Our Guided Setup picks up where this Day One+ leaves off, providing step-by-step instructions on how to easily secure and validate your branch location.

SRX380 Provisioning Options

It’s simple to provision and manage the SRX380 and other devices on your network. You can choose the configuration tool that’s right for you:

Junos CLI commands. In this guide we show you how to configure the SRX380 with CLI commands that leverage the plug and play factory defaults.
J-Web, Juniper Networks Setup wizard that is preinstalled on the SRX380. For information on performing initial configuration using the J-Web setup wizard see Configure SRX Devices Using the J-Web Setup Wizard in the J-Web User Guide for SRX Series Devices.
Juniper Sky™ Enterprise, Juniper Networks-hosted public cloud-based Software as a Service (SaaS) solution.

NOTE : You’ll need to have a Juniper Sky Enterprise subscription service before you can use it to configure the SRX380. For more information, check out the Juniper Sky Enterprise Getting Started Guide.

Juniper Networks Contrail Service Orchestration (CSO). To use CSO, you’ll need an authentication code. See the Contrail Service Orchestration (CSO ) Deployment Guide.

Initial Configuration Using the CLI

You can use the console port on the SRX to do the initial configuration. This section assumes you start from a factory default configuration. See SRX380 Firewall Hardware Guide for details on the SRX380 factory default configuration.

After you configure the SRX380, you can log in on a local LAN port, or remotely over the WAN interface, to manage and configure the SRX using the CLI or J-Web.

We recommend that you use the ge-0/0/0 interface for WAN connectivity on the SRX380. By default, this interface is set to receive its Internet access configuration from the service provider.

NOTE : This examples assumes you are using DHCP to configure the WAN interface. If the WAN provider does not support DHCP, you’ll need to manually configure the WAN interface and related static routing. See Junos Initial Configuration.

Have this information handy before you begin the initial configuration:

Root password
Hostname

Connect to the Serial Console Port

Plug one end of the Ethernet cable into the RJ-45 to DB-9 serial port adapter for your SRX345.

NOTE : We no longer include the console cable as part of the device package. If the console cable and adapter are not included in your device package, or if you need a different type of adapter, you can order the following separately:
• RJ-45 to DB-9 adapter (JNP-CBL-RJ45-DB9)
• RJ-45 to USB-A adapter (JNP-CBL-RJ45-USBA)
• RJ-45 to USB-C adapter (JNP-CBL-RJ45-USBC)

If you want to use an RJ-45 to USB-A or RJ-45 to USB-C adapter, you must have the X64 (64-Bit) Virtual COM port (VCP) driver installed on your PC. See https://ftdichip.com/drivers/ vcp-drivers/ to download the driver.

Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device.
Connect the other end of the Ethernet cable to the serial console port on the SRX380.
Start your asynchronous terminal emulation application (such as Microsoft Windows HyperTerminal) and select the appropriate COM port to use (for example, COM1).
Verify that the serial port settings are set to the default:
• Baud rate—9600
• Parity—N
• Data bits—8
• Stop bits—1
• Flow control—none

NOTE : You can also connect to the SRX380 using a mini-USB console port. See the SRX380 Hardware Guide.

Perform Initial Configuration

Login as the root user and start the CLI. You don’t need a password if you’re running the factory default.

login: root
root@% cli
root>

NOTE : You can view the factory-default settings with the show configuration operational mode command.

Enter configuration mode.

root> configure
[edit] root#

Since you’re doing the initial configuration manually, you’ll need to remove ZTP from the configuration. This stops the periodic log messages that report on ZTP status. Set the root authentication password and commit the change to deactivate ZTP. [edit] root# delete chassis auto-image-upgrade
root# delete system phone-home
root# set system root-authentication plain-text-password
New password: password
Retype new password: password

Issue the commit command to activate the candidate configuration that disables ZTP:

[edit] root# commit

Enable root login over SSH, and allow SSH access over the WAN interface (ge-0/0/0) [edit] root# set system services ssh root-login allow
root# set security zones security-zone untrust interfaces ge-0/0/0.0 host- inbound-traffic system-services ssh
Configure the hostname. [edit] root# set system host-name host_name
That’s it! The initial configuration is complete. Commit the configuration to activate the changes on the SRX. [edit] root# commit

Congratulations! Your SRX is Up and Running

Your SRX380 is now online and providing secure Internet access to devices attached to the LAN ports. You can manage the device locally and remotely, using the Junos CLI, J-Web, or a cloud based provisioning service. Here’s what your network looks like:

Juniper NETWORKS SRX380 Fnterprise Firewall - SRX380 is now online and
providing secure Internet

A few things to keep in mind about your new SRX380 branch network:

You access the SRX CLI or J-Web user interface locally using the 192.168.1.1 address. To access the SRX remotely, specify the IP address assigned by the WAN provider. Simply issue a show interfaces ge-0/0/0 terse CLI command to confirm the address in use by the WAN interface.
The management interface is configured as a DHCP server for the 192.168.1.0/24 subnet.
Devices attached to the LAN ports are configured to use DHCP. They receive their network configuration from the SRX. These devices obtain an IP address from the 192.168.2.0/24 address pool and use the SRX as their default gateway.
All LAN ports are in the same subnet with Layer 2 connectivity. All traffic is permitted between trust zone interfaces.
All traffic originating in the trust zone is permitted in the untrust zone. Matching response traffic is allowed back from the untrust to the trust zone. Traffic that originates from the untrust zone is blocked from the trust zone.
The SRX performs source NAT (S-NAT) using the WAN interface’s IP for traffic sent to the WAN that originated from the trust zone.
Traffic associated with specific system services (HTTPS, DHCP, TFTP, and SSH) is permitted from the untrust zone to the local host. All local host services and protocols are allowed for traffic that originates from the trust zone.

Step 3: Keep Going

Congratulations! Your SRX380 is configured and ready to go. Here are some things you can do next.

What’s Next?

NOTE : Quickly configure and validate a secure branch office in a few simple steps with our Guided Setup: SRX300 Line Firewalls. Our Guided Setup picks up where this Day One+ guide ends and is designed to quickly get your branch location online and secured.

Juniper NETWORKS SRX380 Fnterprise Firewall -
Information
https://www.juniper.net/documentation/en_US/cso5.1/information-products /pathway-pages/deployment-guide.html
https://www.juniper.net/documentation/en_US/sky-enterprise/topics/topic-map /getting-started-guide.html
https://www.juniper.net/documentation/en_US/day-one-books/DO_SRX_UR.pdf
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/install- software-on-srx.html
https://www.juniper.net/documentation/solutions/en_US/security

General Information

Juniper NETWORKS SRX380 Fnterprise Firewall - General
Information

https://www.juniper.net/documentation/en_US/release- independent/licensing/topics/concept/download-activate-software.html
https://www.juniper.net/documentation/en_US/release-independent/licensing /information-products/pathway-pages/licensing.html
https://www.juniper.net/documentation/product/us/en/srx380
https://www.juniper.net/documentation/en_US/day-one-plus/junos-os/id-step-2 -up-and-running.html
https://www.juniper.net/documentation/product/us/en/j-web-srx-series/19.4
https://www.juniper.net/documentation/product/en_US/junos- os#cat=release_notes

Learn With Videos

Our video library continues to grow! We’ve created many, many videos that demonstrate how to do everything from install your hardware to configure advanced Junos OS network features. Here are some great video and training resources that will help you expand your knowledge of Junos OS.

Juniper NETWORKS SRX380 Fnterprise Firewall - Learn With
Videos
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=11531
https://www.youtube.com/user/JuniperNetworks/playlists?view=50&sort=dd&shelf_id=3
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=11478

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Copyright © 2024 Juniper Networks, Inc. All rights reserved.