Juniper Networks SRX Series

Device Details

Juniper SRX and SRX LSYS have combined into a single device / device pack.

  • Support:

    • SRX: Level 1 - 5

    • SRX LSYS: Levels 1 - 4

  • Automation Notes:

    • Automation for Juniper SRX, not managed by Juniper NSM

    • Super User with read/write permission
    • There is an optional set of credentials in case Read-only credentials are being used for retrieval, in which case you would need this secondary account that has write permission.
      • If policy automation credentials are not specified, automation will fall back to device retrieval credentials. If the retrieval credentials are for a user with write permission, then automation will succeed. The fall back only happens if the policy automation credentials are not specified. The fall back does not happen if the policy automation credentials fail.
    • Port 830/TCP must be used for netconf retrievals

  • Policy Planner: Support for zone-based address books that an object should be created under. The address book being used will be listed in Security Manager in the [Device] > Policy > Network Objects, subsection - ADDRESS BOOK (under DEVICE).

Connecting to SIP

To add a SRX device, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
  1. Create a Super User account for the Security Manager Data Collector.

This account is for passive data collection only. Security Manager will never attempt to make changes to your devices.

  1. Click Configure.
  2. Click Authentication > Access Profiles.
  3. Click Add.
  1. Add a syslog host on your SRX device for the data collector.
  1. Click Configure.
  2. Click CLI Tools > Point and Click CLI.
  3. In the configuration tree, expand the system node, and then click syslog.
  4. In the Syslog Host section, click Add new entry.
  5. In the Host name field, select Enter Specific Value. Then, in the Log host name field, enter the IP address of your data collector.
  6. In the Contents section, click Add New Entry.
  7. In the Facility field, select any.
  8. In the Level field, select info.
  9. Click Commit....
  10. Click OK.
  11. Click OK again.
  1. If you'll use automation, use port 830/TCP and enable netconf using the CLI command: set system services netconf ssh

Step 2: Onboard the Device in the Administration Module

Contact FireMon Support to receive a specific device pack (a .jar file) if it was not included in the FMOS GA release. Review the steps to upload a device pack.

After onboarding, if you change any device settings, confirm that those updates were automatically applied to the discovered devices.
  1. On the toolbar, click Device > Devices.
  1. Click Create, and then click Juniper Networks > SRX Series.
  1. General Properties section.
To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
  1. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  2. By default, the Automatically Retrieve Configuration checkbox is selected.
  3. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  1. Collection Configuration is enabled on the management station or by duplicating and then editing the default configuration (DeviceCollection Configuration). Default is what is set on the installed device pack.
  1. Device Settings section.

Managed By: Will list the management station or be disabled if this is not a managed device.

Applications: If this is an SRX LSYS device, the LSYS Name will be entered here.

Credentials

  1. Select an Authentication Method:

  • User/Password: Enter the user name and password for the superuser account.

  • SSH Private Key: Use the copy and paste function to enter SSH information.
Juniper provides documentation to use an SSH private key for authentication: Generating SSH RSA keys (https://supportportal.juniper.net/s/article/Junos-Generating-SSH-RSA-keys-locally-on-devices-running-Junos-OS?language=en_US) and CLI Reference (https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/user-edit-system-login.html)

  1. Select the Fallback Authentication checkbox to enable the system to automatically use the other authentication method if the one set fails

Retrieval

  • By default, Protocol is SSH and the Port is 22.
  1. Policy Automation section.

    A valid Policy Automation license is required to complete this section and you need to create a secondary super user account with read/write privileges and the SRX must not be managed by NSM, and Netconf TCP/830 must be configured and allowed.

    • Settings: Select the Suppress FQDN Capabilities checkbox to use an IP address instead of FQDN when creating network objects.
    • Credentials:
      • In the User Name box, type the user name used for the secondary administrator account.

      • In the Password box, type the password used for the secondary administrator account.

      • In the Re-enter Password box, retype the password entered above.
    • Advanced Automation Options:
      • Select the Generate CLI Automation Commands checkbox if you want to generate CLI commands rather than attempt API calls.
      • Select the Use a Private Session for Automation checkbox to use a private configuration session so that multiple users can edit different parts of a configuration simultaneously and commit only their changes without interfering with each others changes.
  1. Monitoring section.

Log Monitoring

  • By default, the Enable Log Monitoring checkbox is selected. To disable this automatic function, clear the checkbox.
    • By default, Track Usage Via is set to Syslog.
    • By default, the Log Update Interval is set to 10 minutes for either tracking method.

    Change Monitoring

  • By default, the Enable Change Monitoring checkbox is selected.
    • Enter an optional Alternate Syslog Source IP.
  • Select the Perform Change Verification checkbox to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
  1. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval checkbox to perform a retrieval at a set time daily regardless of change. When selected, additional fields to set display.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
  • Set an optional time in the Check for Change Start Time box. To schedule the first retrieval for a specific time, select the Starting at checkbox and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, based on the time that the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.

Check for Change Retrieval

Select the Enable Check for Change checkbox to enable checking for configuration changes after the specified interval, and perform a retrieval if changes are detected. When selected, the Check for Change Interval (minutes) displays and is set to 1440.

  1. Advanced section.

    • File Retrieval Options
      • Choose a Device Charset Encoding option from the list.
      • The Retrieval Timeout in Seconds is the time to wait for a response during a retrieval. The default is 120 seconds.
      • Select the Use Batch Config Retrieval checkbox only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
      • Select the Enable Deprecated Ciphers and Algorithms checkbox to allow the use of weak SSH keys to extend the OpenSSH options with deprecated ciphers and algorithms for devices that cannot update the OS to a supported OpenSSH version.
      • Select the Retrieve Set Format Configuration checkbox to retrieve the configuration file in Set Output format; allowing Regex creation for compliance-related controls.
      • Choose the preferred Configuration Method from the list. Permissions may restrict access of the full configuration.
    • SSH Key Options: Select the Automatically Update SSH Keys checkbox if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
    • Interface Normalization:
      • Select the Use Configuration for Route Details checkbox to normalize routes from the configuration of device and ignore the active routing table.
      • Select the Force Interfaces to Set Layer 2 Enforcement checkbox to force normalization of all interfaces with layer 2 enforcement set to true.
    • Route File Options
      • Select from the available Active Route Files to Retrieve checkboxes to retrieve and normalize active routes based on the selected types.
      • Select from the available Inactive Route Files to Retrieve checkboxes to retrieve and normalize routes that are not currently active on the device but may have been advertised.
      • Select the Retrieve Routes by Valid Tables checkbox to enable to retrieve routes by only valid tables. This may decrease speed but lowers memory usage.
    • BGP Options: Select the Filter BGP By Community checkbox to enable to filter active BGP routes by community.

  1. Enforcement section.

Select one of the available enforcement options:

  •  Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected all changes must be manually pushed for this device.

  •  Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, it will be listed. If no assignment, changes must be manually pushed for this device.
  1. Supplemental Routes section.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.
If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.
  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle to enable (disabled = Accept).
  • Click Add.
  1. Click Save.

Step 3: Verify Communication

Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.