Juniper Networks QFX
To add a Juniper QFX device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
- Create a super-user account for the Security Manager Data Collector.
This account is for passive data collection only. Security Manager will never attempt to make changes to your devices.
- Add a syslog host on your QFX device for the Data Collector. You can do this from the Web Client or with the CLI.
Log in to your Juniper Web Client, and then:
- Click the Configure button.
- Click the CLI Tools button and then click Point and Click CLI.
- In the Configuration tree, expand the system node. Then, click syslog.
- In the Host section, click Add new entry.
- In the Host name box, select Enter Specific Value. Then, in the Log host name field, enter the IP address of your application server.
- Click Edit for the host you just created.
- In the Contents section, click Add New Entry.
- In the Facility box, select any.
- In the Level box, select info.
- Click the Commit button.
- Click OK.
- Click OK again.
- Using the command line, enter configuration mode and add the following line to the config file:
set system syslog host 192.168.20.180 any info
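The CLI path for Step 1 as one Junos session, added here as an example and not taken from FireMon's documentation: it creates the collector account, adds the syslog host from the line above, commits, and checks the result. The user name firemon-collector is a hypothetical placeholder, and 192.168.20.180 is the address used on this page, standing in for your own application server.

```junos
# Lines starting with "#" are annotations for the reader.
# Enter configuration mode from operational mode.
configure

# Account for the Security Manager Data Collector.
# "firemon-collector" is a placeholder name; super-user is the login
# class this page asks for.
set system login user firemon-collector class super-user
# Junos prompts twice for the password and stores only its hash.
set system login user firemon-collector authentication plain-text-password

# Send messages of any facility at level info or higher to the
# application server (replace the address with your own).
set system syslog host 192.168.20.180 any info

# Review the pending change, validate it, then commit and leave
# configuration mode.
show | compare
commit check
commit and-quit

# Back in operational mode, confirm both stanzas are in the active config.
show configuration system syslog host 192.168.20.180
show configuration system login user firemon-collector
```

The password typed at the plain-text-password prompt is the one entered later in the Credentials fields of Step 2.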
Step 2: Add the Device in the Administration Module
- On the toolbar, click Device > Devices.
- Click Create, and then click Juniper Networks > QFX.
- General Properties section.
To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- Collection Configuration is enabled on the management station or by duplicating and then editing the default configuration (Device > Collection Configuration). Default is what is set on the installed device pack.
- Device Settings section.
Credentials
- In the User Name box, enter the user name used for the superuser account.
- In the Password box, enter the password used for the superuser account.
- In the Re-enter Password box, retype the password entered above.
Retrieval
- By default, Protocol is SSH and the Port is 22.
- Monitoring section.
Scheduled Retrieval
- By default, the Enable Scheduled Retrieval check box is selected.
- The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Set an optional time in the Check for Change Start Time box. To schedule the first retrieval for a specific time, select the Starting at check box and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, based on the time that the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.
- Advanced section.
- Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Click Save.
Step 3: Verify Communication
Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.
To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.
It may take up to 15 minutes to see the status result of the retrieval.