
SRX Getting Started - Configure Management Access

  [KB16647]


Summary:

This article describes how to configure, verify, and troubleshoot management access to the SRX Series device.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure management access to the SRX Series device.

Cause:

Solution:

This section contains the following:
  • Overview
  • J-Web Configuration
  • CLI Configuration
  • Technical Documentation
  • Verification
  • Troubleshooting


Overview

Some system services are enabled by default, and HTTP access is enabled for the ge-0/0/0.0 interface. Some allowed host-inbound services are also enabled by default for the ge-0/0/0.0 interface in the trust security zone.

To configure how the device can be managed remotely, perform the following tasks:
  • Enable the system services (the service processes) you need.
  • Specify the allowed host-inbound traffic at the zone level or for a specific interface.

J-Web Configuration

To configure management access:
  • Verify enabled system services
  • Enable system services
  • Enable HTTP access to the device
  • Enable HTTPS access to the device
  • Specify an allowed host-inbound service for a zone
  • Specify an allowed host-inbound service for an interface

Verify enabled system services

  1. Select Configure>System Properties>Management Access. The Management Access Configuration page appears.
  2. In the Management access section, review the system services listed. If a system service is listed with a value of true, the service is enabled.
  3. In the Secure access section, review the system services listed. If a system service is listed with a value of true, the service is enabled.

Enable system services

  1. Select Configure>System Properties>Management Access. The Management Access Configuration page appears.
  2. Click Edit.
  3. In the Edit Management Access dialog box, click the Services tab.
  4. In the Services section, select the check box for the service that you want to enable.
Note: To enable system services other than telnet, SSH, HTTP, HTTPS, and JunosScript, use the CLI. For more information, see the CLI Configuration section below.

Enable HTTP access to the device

  1. Select Configure>System Properties>Management Access. The Management Access Configuration page appears.
  2. Click Edit.
  3. In the Edit Management Access dialog box, click the Services tab.
  4. If the Enable HTTP check box is not selected, select it to enable HTTP access to the device. By default, this option is enabled.
  5. Specify the interfaces for which HTTP is enabled by doing one of the following:
    • To enable HTTP on all interfaces, select Enable on all interfaces.
    • In the Available interfaces list, select interfaces that require HTTP to be enabled, and move them to the Selected interfaces list with the left arrow. Move any interfaces that do not require HTTP to be enabled to the Available interfaces list.
  6. Click OK.

Enable HTTPS access to the device

Note: Before enabling HTTPS access, make sure that the system date and time are set accurately, because certificate validity is checked against the device clock. For information about setting system date and time, see KB15756 - SRX Getting Started - Configure Time and NTP Client.
  1. Select Configure>System Properties>Management Access. The Management Access Configuration page appears.
  2. Click Edit.
  3. In the Edit Management Access dialog box, click the Services tab.
  4. To enable HTTPS access to the device, select the Enable HTTPS check box.
  5. To use a self-signed certificate, select system-generated-certificate in the HTTPS certificate list.
  6. Specify the interfaces for which HTTPS is enabled by doing one of the following:
    • To enable HTTPS on all interfaces, select Enable on all interfaces.
    • In the Available interfaces list, select the interfaces that require HTTPS to be enabled, and move them to the Selected interfaces list with the left arrow. Move any interfaces that do not require HTTPS to be enabled back to the Available interfaces list.
  7. Click OK.

Specify an allowed host-inbound service for a zone

  1. Select Configure>Security>Zones.
  2. Click the security zone that you want to modify (for example, trust).
  3. In the Host Inbound Traffic Option section, under System Services, select Allow Selected Services.
  4. In the Allowed Selected Services box, select a service (for example, ping), and click Add.
  5. Click OK.
  6. To apply your changes, click Apply.

Specify an allowed host-inbound service for an interface

  1. Select Configure>Security>Zones.
  2. Click the security zone that you want to modify (for example, trust).
  3. Under Interfaces Configuration, select the interface in the zone for which you want to add services, and click Edit.
  4. In the Host Inbound Traffic Option section, under System Services, select Allow Selected Services.
  5. In the Allowed Selected Services box, select a service (for example, ping), and click Add.
  6. Click OK.
  7. To apply your changes, click Apply.
  8. If you are finished configuring the device, click Commit to commit the configuration.

CLI Configuration

To configure management access:
  • Enable system services
  • Specify allowed host-inbound traffic for a zone or interface

Enable system services

Some system services, such as SSH, Telnet, HTTP, and HTTPS, require that the service process be started on the device. Before enabling system services, verify which system services are enabled.

  1. Verify the enabled system services.
To check which system services are enabled, enter the following command:

user@host> show configuration | display set | match "set system services"
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
  2. Enable appropriate system services.
If a system service is not enabled and you want to enable that service, use the set system services command:

user@host# set system services service

Replace service with the service that you want to enable.

To see available services, enter set system services ?

For more information, see system-services (Security Zones Host Inbound Traffic).
  3. Enable HTTP access.

When enabling HTTP access, specify the interface on which you want to enable access. Use the following command:

user@host# set system services web-management http interface interface

Replace interface with the name of the interface (for example, vlan.0).
  4. Enable HTTPS access.

Note: Before enabling HTTPS access, make sure that the system date and time are set accurately. For information about setting system date and time, see KB15756 - SRX Getting Started - Configure Time and NTP Client.

The following commands enable HTTPS access for an interface by activating a self-signed certificate:

user@host# set system services web-management https system-generated-certificate
user@host# set system services web-management https interface interface


Specify allowed host-inbound traffic for a zone or interface

To access the SRX Series device, you must specify the kinds of traffic that can reach it by using the host-inbound-traffic command, which you can configure at the zone or interface level.

If you configure host-inbound traffic for a zone, all interfaces in that zone are affected.

If you configure host-inbound traffic at the interface level, this configuration overrides the host-inbound traffic configuration for a zone.

You must enable all expected host-inbound traffic. Inbound traffic from devices directly connected to the SRX Series device's interfaces is dropped by default.

  1. Verify that host-inbound traffic is enabled on all zones.

To verify this, use the following command:

user@host# show security zones | display set | match "host-inbound-traffic"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp

In this example, all system services are enabled for the trust security zone.

To verify the host-inbound traffic that is enabled for the trust security zone, use the following command:

user@host# show security zones security-zone trust | display set
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
  2. Enable host-inbound traffic for a zone or interface.
If host-inbound-traffic service is not enabled for a zone, use the following command:

user@host# set security zones security-zone zone host-inbound-traffic system-services service

If host-inbound-traffic service is not enabled for an interface, use the following command:

user@host# set security zones security-zone zone interfaces interface host-inbound-traffic system-services service

The following example specifies that ping is an allowed host-inbound service for an interface in the trust zone:

user@host# set security zones security-zone trust interfaces interface host-inbound-traffic system-services ping

The following example specifies that HTTPS is an allowed host-inbound service for an interface in the untrust security zone:

user@host# set security zones security-zone untrust interfaces interface host-inbound-traffic system-services https


Technical Documentation

Security Zones and Interfaces Feature Guide for Security Devices



Verification

To verify that Web access to the device is enabled correctly, use a Web browser to connect to the device:

  • HTTP access: http://URL or http://IP_address

  • HTTPS access: https://URL or https://IP_address

If you activated an SSL certificate, use the show security command in configuration mode to review certificate information.

user@host# show security

If you configured secure Web access, use the show system services command in configuration mode to review secure access configuration.

user@host# show system services

For sample output, see Example: Configuring Secure Web Access.



Troubleshooting

Use the flow traceoptions command to troubleshoot management access. For information about traceoptions, see KB16233 - How to use 'Flow Traceoptions' and the 'security datapath-debug' in SRX series.

A common error message about management access to the SRX Series device is "packet dropped: for self but not interested."

The following example shows how to use flow traceoptions commands and review the output:

Configure flow traceoptions.

To review the flow traceoptions output, use the following command:

user@host> show log filename_to_write_debug_logs

Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:<10.85.49.24/1055->172.24.28.76/23;6> matched filter 6:
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:packet [48] ipid = 1471, @423fc09e
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x423fbf00
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/0.0
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: ge-0/0/0.0:10.85.49.24/1055->172.24.28.76/23, tcp, flag 2 syn
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: find flow: table 0x51e1b348, hash 15901(0xffff), sa 10.85.49.24, da 172.24.28.76, sp 1055, dp 23, proto 6, tok 448
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow_first_create_session
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 172.24.28.76, sp 1055, dp 23
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: chose interface ge-0/0/0.0 as incoming nat if.
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: packet dropped: for self but not interested
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow find session returns error.

If you see the "packet dropped: for self but not interested" message in the output, configure host-inbound traffic for the affected zone or interface. For more information, see the section 'Specify allowed host-inbound traffic for a zone or interface' above.
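To turn that trace output into the exact zone or interface that needs attention, the following script is an added example (not part of this article or Juniper's tooling): it attributes each "for self but not interested" drop to the flow line that precedes it, extracts the ingress interface and destination port, and prints the host-inbound-traffic command the article tells you to add. The port-to-service mapping and the zone placeholder are assumptions; the sample trace is a constructed, trimmed copy of the output shown above.

```python
import re

# Constructed sample, trimmed from the flow traceoptions output shown in this article.
TRACE = """\
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:<10.85.49.24/1055->172.24.28.76/23;6> matched filter 6:
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow process pak fast ifl 72 in_ifp ge-0/0/0.0
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: ge-0/0/0.0:10.85.49.24/1055->172.24.28.76/23, tcp, flag 2 syn
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: packet dropped: for self but not interested
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Feb 15 18:01:23 18:01:22.1207073:CID-0:RT: flow find session returns error.
"""

FLOW_RE = re.compile(r"RT: (\S+):(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+), (\w+),")
DROP = "packet dropped: for self but not interested"
# Assumed destination ports of the host-inbound system services this article discusses.
PORT_TO_SERVICE = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def self_drops(trace):
    """One record per 'for self but not interested' drop, attributed to the most recent
    flow line (ingress interface and 5-tuple); the repeated drop line is not double-counted."""
    current, drops = None, []
    for line in trace.splitlines():
        if m := FLOW_RE.search(line):
            current = {"in_ifp": m[1], "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]), "proto": m[6]}
        elif DROP in line and current:
            current["service"] = PORT_TO_SERVICE.get(current["dport"], "unknown")
            drops.append(current); current = None
    return drops

def suggested_fix(drop, zone="<zone>"):
    """The interface-level host-inbound-traffic line the article says to add (zone is a placeholder)."""
    return (f"set security zones security-zone {zone} interfaces {drop['in_ifp']} "
            f"host-inbound-traffic system-services {drop['service']}")
```

Run it over the file named in show log to get one line per dropped management attempt, then decide whether that service should really be reachable on that interface before adding it.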

If you are unable to log in as root using telnet, that is per design; see KB10083 - Telnet to Junos router fails with root login.
