Juniper (JunOS) SRX Firewall
To configure the tunnel on a Juniper SRX firewall through the CLI:
Note - To configure the tunnel in the Juniper SRX Management Portal, see Juniper VPN configuration generator.
-
Connect to the firewall through SSH (for example, using PuTTY).
-
Create a tunnel interface. Run:
Note - Do not assign an IP address to the interface, but make sure it is enabled for layer 3 communication (family inet).
set interfaces st0 unit 0 family inet
-
Set up the IKE Proposal. Run:
set security ike proposal QS description Perimeter81-SRXTunnel
set security ike proposal QS authentication-method pre-shared-keys
set security ike proposal QS dh-group group14
set security ike proposal QS authentication-algorithm sha-256
set security ike proposal QS encryption-algorithm aes-256-cbc
set security ike proposal QS lifetime-seconds 28800
-
Set up the IKE policy configuration. The policy must reference the IKE proposal created in the previous step (QS). Run:
set security ike policy QS-policy proposals QS
set security ike policy QS-policy pre-shared-key ascii-text <Secret_key_from_Quantum SASE Administrator Portal>
-
Set up the IKE gateway configuration. Run:
set security ike gateway QS-ike-gateway ike-policy QS-policy
set security ike gateway QS-ike-gateway address <Public IP address of Quantum SASE gateway>
set security ike gateway QS-ike-gateway local-identity inet <Local IP address of the firewall>
set security ike gateway QS-ike-gateway external-interface ge-0/0/0
set security ike gateway QS-ike-gateway version v1-only
-
Set up the IPSec proposal. Run:
set security ipsec proposal QS-proposal description Perimeter81
set security ipsec proposal QS-proposal protocol esp
set security ipsec proposal QS-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal QS-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal QS-proposal lifetime-seconds 3600
-
Set up the IPSec policy configuration. Run:
set security ipsec policy ipsec-QS-policy perfect-forward-secrecy keys group14
set security ipsec policy ipsec-QS-policy proposals QS-proposal
-
Bind your tunnel interface and apply the configuration. Run:
set security ipsec vpn QS-ipsec bind-interface st0.0
set security ipsec vpn QS-ipsec ike gateway QS-ike-gateway
set security ipsec vpn QS-ipsec ike ipsec-policy ipsec-QS-policy
set security ipsec vpn QS-ipsec establish-tunnels immediately
set security address-book global address QS_internal 10.255.0.0/16
Note - To establish the tunnel only upon active traffic, use establish-tunnels on-traffic instead of immediately. To have the firewall only respond when Harmony SASE initiates the tunnel (never initiate one itself), set the firewall to Responder-Only mode.
-
Set firewall security policies. Run:
Note - If the tunnel interface is in a trusted zone or a zone that allows all the traffic, then skip this step. Otherwise, modify the parameters in the following commands according to your network topology.
In the following example, ICMP and SSH traffic from zone vpn with a source address of 10.255.0.0/16 (the QS_internal address-book entry) to any address in zone trust is allowed.
set security policies from-zone vpn to-zone trust policy vpn-internal match source-address QS_internal
set security policies from-zone vpn to-zone trust policy vpn-internal match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-icmp-all
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-ssh
set security policies from-zone vpn to-zone trust policy vpn-internal then permit
-
Set host inbound services. Allow IKE to reach the firewall on the tunnel interface and on your public-facing interface. Run:
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
-
Define a static route to Harmony SASE network. Run:
set routing-options static route 10.255.0.0/16 next-hop st0.0
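A consistency check for a set-command bundle like the one assembled in the steps above, added here as an example (it is not Juniper's or Check Point's code): it flags every IKE or IPsec object that a command references by a name no other command defines, the kind of name mismatch between proposal, policy, gateway and vpn objects that an operator would otherwise only discover at commit time. It assumes single-name proposals statements rather than bracketed lists, and the sample commands are constructed for the demonstration.

```python
import re

# Constructed sample: a bundle in the shape of this procedure, with three
# cross-references whose names do not match any defined object.
SAMPLE_CONFIG = """
set security ike proposal QS description Perimeter81-SRXTunnel
set security ike proposal QS authentication-method pre-shared-keys
set security ike proposal QS dh-group group14
set security ike policy QS-policy proposals p81
set security ike gateway QS-ike-gateway ike-policy QS-policy
set security ipsec proposal QS-proposal protocol esp
set security ipsec policy ipsec-QS-policy proposals QS-proposal
set security ipsec vpn QS-ipsec ike gateway p81-ike-gateway
set security ipsec vpn QS-ipsec ike ipsec-policy ipsec-p81-policy
"""

# Where each kind of object is defined: its name is the token after the keyword.
DEFINITIONS = {
    "ike proposal":   re.compile(r"^set security ike proposal (\S+)"),
    "ike policy":     re.compile(r"^set security ike policy (\S+)"),
    "ike gateway":    re.compile(r"^set security ike gateway (\S+)"),
    "ipsec proposal": re.compile(r"^set security ipsec proposal (\S+)"),
    "ipsec policy":   re.compile(r"^set security ipsec policy (\S+)"),
}

# Where one object refers to another by name (assumes a single proposal name,
# not a bracketed list), paired with the kind that name must resolve to.
REFERENCES = [
    (re.compile(r"^set security ike policy \S+ proposals (\S+)"), "ike proposal"),
    (re.compile(r"^set security ike gateway \S+ ike-policy (\S+)"), "ike policy"),
    (re.compile(r"^set security ipsec policy \S+ proposals (\S+)"), "ipsec proposal"),
    (re.compile(r"^set security ipsec vpn \S+ ike gateway (\S+)"), "ike gateway"),
    (re.compile(r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)"), "ipsec policy"),
]


def dangling_references(config_text):
    """Return (kind, name) for every reference to an object the bundle never defines."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:                      # first pass: collect defined names
        for kind, pattern in DEFINITIONS.items():
            if match := pattern.match(line):
                defined[kind].add(match.group(1))
    problems = []
    for line in lines:                      # second pass: resolve references
        for pattern, kind in REFERENCES:
            if (match := pattern.match(line)) and match.group(1) not in defined[kind]:
                problems.append((kind, match.group(1)))
    return problems
```

Run dangling_references over a bundle before pasting it into the CLI; an empty list means every policy, gateway and vpn statement points at an object the bundle actually creates.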