SRX4200

Juniper SRX4200 User guide

J-Web User Guide for SRX Series Devices
Published
2023-07-10
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
J-Web User Guide for SRX Series Devices
Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use
with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License
Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such
software, you agree to the terms and conditions of that EULA.
Table of Contents
About This Guide
1 Juniper Web Device Manager
Getting Started
Juniper Web Device Manager Overview
What is J-Web?
Benefits of J-Web
Access the J-Web User Interface
Prerequisites for Using J-Web
Log in to J-Web
The J-Web Setup Wizard
Configure SRX Series Firewalls Using the J-Web Setup Wizard
Example: J-Web Wizard for Standalone Mode
J-Web Setup Wizard Parameters
Explore J-Web
J-Web: A First Look
J-Web Launch Pad
J-Web Top Pane
J-Web Side Pane
J-Web Main Pane
J-Web Workflow Wizards
Summary
2 Add SRX Device to Security Director Cloud
Add an SRX Series Firewall to Juniper Security Director Cloud
3 Dashboard
J-Web Dashboard
Dashboard Overview
What is J-Web Dashboard
Work with Widgets
4 Monitor
Network
Monitor Interfaces
Monitor DHCP Server Bindings
Monitor IPsec VPN
Logs
Monitor Session
Monitor Threats
Monitor Web Filtering
Monitor ATP
Monitor VPN
Monitor All Events
Monitor System
Monitor Alarms
Maps and Charts
Monitor Traffic Map
Monitor Threats Map
Monitor Applications
Monitor Users
Statistics
Monitor Threat Prevention
Monitor VPN Phase I
Monitor VPN Phase II
Monitor DNS Security
Monitor Encrypted Traffic Insights
Reports
About Reports Page
Overview
Threat Assessment Report
Application and User Usage
Top Talkers
IPS Threat Environment
Viruses Blocked
URL Report
Virus: Top Blocked
Top Firewall Events
Top Firewall Deny Destinations
Top Firewall Denies
Top IPS Events
Top Anti-spam Detected
Top Screen Attackers
Top Screen Victims
Top Screen Hits
Top Firewall Rules
Top Firewall Deny Sources
Top IPS Attack Sources
Top IPS Attack Destinations
Top IPS Rules
Top Web Apps
Top Applications Blocked
Top URLs by User
Top Source Zone by Volume
Top Applications by User
Top Botnet Threats By Source Address via IDP Logs
Top Botnet Threats by Destination Address via IDP Logs
Top Botnet Threats by Threat Severity via IDP Logs
Top Malware Threats by Source Address via IDP Logs
Top Malware Threats by Destination Address via IDP Logs
Top Malware Threats by Threat Severity via IDP Logs
Top Blocked Applications via Webfilter Logs
Top Permitted Application Subcategories by Volume via Webfilter Logs
Top Permitted Application Subcategories by Count via Webfilter Logs
5 Device Administration
Basic Settings
Configure Basic Settings
Cluster Management
Configure Cluster (HA) Setup
About the Cluster Configuration Page
Edit Node Settings
Add an HA Cluster Interface
Edit an HA Cluster Interface
Delete an HA Cluster Interface
Add a Redundancy Group
Edit a Redundancy Group
Delete a Redundancy Group
User & Roles
About the Users Page
Create a User
Edit a User
Delete a User
About the Roles Page
Create a Role
Edit a Role
Delete a User
Multi Tenancy—Resource Profiles
About the Resource Profiles Page
Global Settings
Add a Resource Profile
Edit a Resource Profile
Delete a Resource Profile
Multi Tenancy—Interconnect Ports
About the Interconnect Ports Page
Add a LT Logical Interface
Edit a LT Logical Interface
Delete a Logical Interface
Search for Text in an Interconnect Ports Table
Multi Tenancy—Logical Systems
About the Logical Systems Page
Add a Logical System
Edit a Logical System
Delete a Logical System
Search Text in Logical Systems Table
Multi Tenancy—Tenants
About the Tenants Page
Add a Tenant
Edit a Tenant
Delete a Tenant
Search Text in Tenants Table
Certificates Management—Certificates
About the Certificates page
Create a Device Certificate
Create Device Certificate (Let's Encrypt)
Create Device Certificate (Local Self-Signed)
Create Device Certificate (SCEP)
Create Device Certificate (ACME)
Create Device Certificate (CMPv2)
Create Device Certificate (CSR)
Load Signed Device Certificate (Externally Generated)
Add a Certificate Authority (CA)
Add CA Certificate
Export a Device Certificate
Edit a CA Certificate
Delete a Certificate
Search Text in the Certificates Table
Re-Enroll a Device Certificate
Load CA Certificate
Reload CA Certificate
Certificate Management—Certificate Authority Group
About the Certificate Authority Group Page
Import a Trusted CA Group
Add a CA Group
Edit a CA Group
Delete a CA Group
Search Text in the Certificate Authority Group Table
License Management
Manage Your Licenses
About License Management Page
Add License
Delete Installed Licenses
Update Installed Licenses
Update Trial Licenses
Display License Keys
Download License Keys
Software Feature Licenses
Security Package Management
About the Security Package Management Page
Install or Upload IPS Signatures Package
IPS Signatures Settings
Install Application Signatures Package
Application Signatures Settings
Install URL Category Package
URL Categories Settings
ATP Management
Enroll Your Device with Juniper ATP Cloud
About the Diagnostics Page
Operations
Maintain Files
About Files Page
Clean Up Files
Download and Delete Files
Maintain Reboot Schedule
Maintain System Snapshots
Software Management
Upload Software Packages
Install Software Packages
Rollback Software Package Version
Configuration Management
Manage Upload Configuration Files
Manage Configuration History
Manage Rescue Configuration
Alarm Management
Monitor Chassis Alarm
About Chassis Alarm Page
Create Chassis Alarm Definition
Edit Chassis Alarm Definition
Monitor System Alarm
About System Alarm Page
Create System Alarm Configuration
Edit System Alarm Configuration
RPM
Setup RPM
View RPM
Tools
Troubleshoot Ping Host
About Ping Host Page
Troubleshoot Ping MPLS
About Ping MPLS Page
Troubleshoot Traceroute
About Traceroute Page
Control Plane Packet Capture
About the Control Plane Packet Capture Page
About the Data Plane Packet Capture Page
Access CLI
About CLI Terminal Page
View CLI Configuration
About CLI Viewer Page
Edit CLI Configuration
About CLI Editor Page
Point and Click CLI
About Point and Click CLI Page
Reset Configuration
Reset Configuration and Rerun Setup Wizard
6 Network
Connectivity—Interfaces
About the Interfaces Page
Add a Logical Interface
Edit an Interface
Delete a Logical Interface
Connectivity—VLAN
About the VLAN Page
Add a VLAN
Edit a VLAN
Delete a VLAN
Assign an Interface to VLAN
Connectivity—Link Aggregation
About the Link Aggregation Page
Link Aggregation Global Settings
Add a Logical Interface to Link Aggregation
Add a Link Aggregation
Edit an Aggregated Interface
Delete Link Aggregation
Search for Text in the Link Aggregation Table
Connectivity—PPPoE
Configure PPPoE
Connectivity—Wireless LAN
About the Settings Page
Create an Access Point
Edit an Access Point
Delete an Access Point
Create an Access Point Radio Setting
Edit an Access Point Radio Setting
Delete an Access Point Radio Settings
DHCP Client
About the DHCP Client Page
Add DHCP Client Information
Delete DHCP Client Information
DHCP Server
About the DHCP Server Page
Add a DHCP Pool
Edit a DHCP Pool
Delete a DHCP Pool
DHCP Groups Global Settings
Add a DHCP Group
Edit a DHCP Group
Delete a DHCP Group
Firewall Filters—IPv4
About the IPv4 Page
Add IPv4 Firewall Filters
Firewall Filters—IPv6
About the IPv6 Page
Add IPv6 Firewall Filters
Firewall Filters—Assign to Interfaces
About the Assign to Interfaces Page
NAT Policies
About the NAT Policies Page
Create a Source NAT
Edit a Source NAT
Delete a Source NAT
NAT Pools
About the NAT Pools Page
Global Options
Create a Source NAT Pool
Edit a Source NAT Pool
Delete a Source NAT Pool
Add a Destination NAT Pool
Edit a Destination NAT Pool
Delete a Destination NAT Pool
Destination NAT
About the Destination Page
Add a Destination Rule Set
Edit a Destination Rule Set
Delete a Destination Rule Set
Static NAT
About the Static Page
Add a Static Rule Set
Edit a Static Rule Set
Delete a Static Rule Set
NAT Proxy ARP/ND
About the Proxy ARP/ND Page
Add a Proxy ARP
Edit a Proxy ARP
Delete a Proxy ARP
Add a Proxy ND
Edit a Proxy ND
Delete a Proxy ND
Static Routing
About the Static Routing Page
Add a Static Route
Edit a Static Route
Delete a Static Route
RIP Routing
About the RIP Page
Add a RIP Instance
Edit a RIP Instance
Delete a RIP Instance
Edit RIP Global Settings
Delete RIP Global Settings
OSPF Routing
About the OSPF Page
Add an OSPF
Edit an OSPF
Delete an OSPF
BGP Routing
About the BGP Page
Add a BGP Group
Edit a BGP Group
Delete a BGP Group
Edit Global Information
Routing Instances
About the Routing Instances Page
Add a Routing Instance
Edit a Routing Instance
Delete a Routing Instance
Routing—Policies
About the Policies Page
Global Options
Add a Policy
Clone a Policy
Edit a Policy
Delete a Policy
Test a Policy
Routing—Forwarding Mode
About the Forwarding Mode Page
CoS—Value Aliases
About the Value Aliases Page
Add a Code Point Alias
Edit a Code Point Alias
Delete a Code Point Alias
CoS—Forwarding Classes
About the Forwarding Classes Page
Add a Forwarding Class
Edit a Forwarding Class
Delete a Forwarding Class
CoS Classifiers
About the Classifiers Page
Add a Classifier
Edit a Classifier
Delete a Classifier
CoS—Rewrite Rules
About the Rewrite Rules Page
Add a Rewrite Rule
Edit a Rewrite Rule
Delete a Rewrite Rule
CoS—Schedulers
About the Schedulers Page
Add a Scheduler
Edit a Scheduler
Delete a Scheduler
CoS—Scheduler Maps
About the Scheduler Maps Page
Add a Scheduler Map
Edit a Scheduler Map
Delete a Scheduler Map
CoS—Drop Profile
About the Drop Profile Page
Add a Drop Profile
Edit a Drop Profile
Delete a Drop Profile
CoS—Virtual Channel Groups
About the Virtual Channel Groups Page
Add a Virtual Channel
Edit a Virtual Channel
Delete a Virtual Channel
CoS—Assign To Interface
About the Assign To Interface Page
Edit a Port
Add a Logical Interface
Edit a Logical Interface
Delete a Logical Interface
Application QoS
About the Application QoS Page
Add an Application QoS Profile
Edit an Application QoS Profile
Clone an Application QoS Profile
Delete an Application QoS Profile
Add a Rate Limiter Profile
Edit a Rate Limiter Profile
Clone a Rate Limiter Profile
Delete a Rate Limiter Profile
IPsec VPN
About the IPsec VPN Page
IPsec VPN Global Settings
Create a Site-to-Site VPN
Create a Remote Access VPN—Juniper Secure Connect
Create a Remote Access VPN—NCP Exclusive Client
Edit an IPsec VPN
Delete an IPsec VPN
Manual Key VPN
About the Manual Key VPN Page
Add a Manual Key VPN
Edit a Manual Key VPN
Delete a Manual Key VPN
Dynamic VPN
About the Dynamic VPN Page
Global Settings
IPsec Template
Add a Dynamic VPN
Edit a Dynamic VPN
Delete a Dynamic VPN
Compliance
About the Compliance Page
Create Pre-Logon Compliance
Edit Pre-Logon Compliance
Delete Pre-Logon Compliance
7 Security Policies and Objects
Security Policies
About the Security Policies Page
Global Options
Add a Rule to a Security Policy
Clone a Security Policy Rule
Edit a Security Policy Rule
Delete a Security Policy Rule
Configure Captive Portal for Web Authentication and Firewall User Authentication
Overview
Workflow
Step 1: Create a Logical Interface and Enable Web Authentication
Step 2: Create an Access Profile
Step 3: Configure Web Authentication Settings
Step 4: Create Security Zones and Assign Interfaces to the Zones
Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy
Step 6: Verify the Web Authentication and User Authentication Configuration
Metadata Streaming Policy
About the Metadata Streaming Policy Page
Create a Metadata Streaming Policy
Edit a Metadata Streaming Policy
Delete a Metadata Streaming Policy
Zones/Screens
About the Zones/Screens Page
Add a Zone
Edit a Zone
Delete a Zone
Add a Screen
Edit a Screen
Delete a Screen
Zone Addresses
About the Zone Addresses Page
Add Zone Addresses
Clone Zone Addresses
Edit Zone Addresses
Delete Zone Addresses
Search Text in a Zone Addresses Table
Global Addresses
About the Global Addresses Page
Add an Address Book
Edit an Address Book
Delete an Address Book
Services
About the Services Page
Add a Custom Application
Edit a Custom Application
Delete Custom Application
Add an Application Group
Edit an Application Group
Delete an Application Group
Dynamic Applications
About the Dynamic Applications Page
Global Settings
Add Application Signatures
Clone Application Signatures
Add Application Signatures Group
Edit Application Signatures
Delete Application Signatures
Search Text in an Application Signatures Table
Application Tracking
About the Application Tracking Page
Schedules