
How to prepare Junos device for NSM connectivity


Article ID: KB16246 KB Last Updated: 23 Feb 2020 Version: 3.0
Summary:

How to connect a Junos device to NSM

 

Symptoms:

For NSM to manage a Junos device, the device must first be configured properly.

Notes:

  • SSHv2 is mandatory for NSM.

  • For NSM access, both SSH and netconf over SSH must be enabled (step 5 below).

  • It is recommended to use a dedicated NSM user:

    root# set system login user nsm class super-user authentication plain-text-password

    This allows you to identify who made certain changes/operations.

 

Solution:

Perform the following steps to import a device into NSM, so that it can be managed by NSM:

  1. Log in to the Junos device:
    Amnesiac (ttyu0)

    login: root
    Password:

    --- JUNOS 9.6R1.13 built 2009-08-01 09:23:09 UTC
    root@%

     
  2. Enter the configuration CLI mode, if needed:
    root@% cli
    root>
  3. Confirm the device has the necessary configuration for connectivity: root-authentication, interface, routing, security zones. Security devices such as JSRX block all traffic by default, including management traffic.

    Run the following command, and check the output for the set commands shown below. For branch SRX devices, make sure the services required for NSM are opened for access (see the host-inbound-traffic line below). In this example, the ge-0/0/0 interface is used to accept all inbound management traffic; you may be using a different interface for management.

    root> show configuration | display set
    set version 9.6R1.13
    set system root-authentication encrypted-password "$ABC123"
    set interfaces ge-0/0/0 unit 0 family inet address 10.85.49.149/24
    set routing-options static route 0.0.0.0/0 next-hop 10.85.49.1
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

     
  4. Enter configuration mode:
    root> edit
    Entering configuration mode

    [edit]
    root#

     
  5. Configure netconf ssh on the device. If the device is a cluster, configure the appropriate groups.
    [edit]
    root# set system services netconf ssh
    root# set system services ssh protocol-version v2 

    [edit]
    root# commit and-quit
    commit complete
    Exiting configuration mode

    root>

     
  6. In NSM, click to add a new device.

  7. Choose the 'Device is Reachable' option.

  8. Enter the IP Address, Admin Username, and password.

  9. Click "Next" to accept the SSH key.

  10. Enter device name and click "Next".

  11. The device will receive the NSM config through an SSH connection and then will connect back to NSM over a secure netconf tunnel.  The configuration will look similar to the following:
    root> show configuration | display set
    set version 9.6R1.13
    set system root-authentication encrypted-password "$ABC123"
    set system services netconf ssh
    set system services outbound-ssh client nsm-10.85.34.46 device-id 631578
    set system services outbound-ssh client nsm-10.85.34.46 secret "$ABC123"
    set system services outbound-ssh client nsm-10.85.34.46 services netconf
    set system services outbound-ssh client nsm-10.85.34.46 10.85.34.46 port 7804
    set system syslog file default-log-messages any any
    set system syslog file default-log-messages structured-data
    set interfaces ge-0/0/0 unit 0 family inet address 10.85.49.149/24
    set routing-options static route 0.0.0.0/0 next-hop 10.85.49.1
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

    root>
    Click "Next" to Import Device Config into NSM.

  12. Click "Finish" once the device config has been imported:

    Device is now imported into NSM and is managed and in-sync.
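
An added example, not part of the Juniper article: a Python check that reads `show configuration | display set` output and reports whether the device-side prerequisites from the notes and from steps 3 and 5 are present. The function name, the constructed sample text, and the rule that services set on the interface take precedence over those set on the zone are assumptions of this example.

```python
import re

# Constructed sample: the step 3 output from this article plus the step 5 commands.
SAMPLE = """\
set version 9.6R1.13
set system root-authentication encrypted-password "$ABC123"
set system services netconf ssh
set system services ssh protocol-version v2
set interfaces ge-0/0/0 unit 0 family inet address 10.85.49.149/24
set routing-options static route 0.0.0.0/0 next-hop 10.85.49.1
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
"""

ZONE_IF = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)"
                     r"(?: host-inbound-traffic system-services (\S+))?$")

def nsm_readiness(display_set, mgmt_ifl="ge-0/0/0.0"):
    """Map each prerequisite from this article to True/False (hypothetical helper)."""
    lines = [" ".join(l.split()) for l in display_set.splitlines()]
    lines = [l for l in lines if l.startswith("set ")]
    zone, if_services = None, set()
    for l in lines:
        m = ZONE_IF.match(l)
        if m and m.group(2) == mgmt_ifl:
            zone = m.group(1)
            if m.group(3):
                if_services.add(m.group(3))
    # Assumption: services set on the interface take precedence over the zone's.
    zone_prefix = f"set security zones security-zone {zone} host-inbound-traffic system-services "
    zone_services = {l[len(zone_prefix):] for l in lines if l.startswith(zone_prefix)}
    services = if_services or zone_services
    ssh = "set system services ssh protocol-version "
    return {
        "netconf_over_ssh": "set system services netconf ssh" in lines,
        "ssh_v2_only": ssh + "v2" in lines and ssh + "v1" not in lines,
        "dedicated_login_user": any(l.startswith("set system login user ") for l in lines),
        "mgmt_allows_ssh_and_netconf": "all" in services or {"ssh", "netconf"} <= services,
    }

if __name__ == "__main__":
    for check, ok in nsm_readiness(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

On the sample, `dedicated_login_user` fails because the article's example configuration has only root authentication and no `system login user` entry.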

 
