Tuesday, September 22, 2015

Junos Space Security Director - Part III

The third part of this guide demonstrates how to import an SRX series firewall into Junos Space (version 14.1R3.4). It assumes that Junos Space, Security Director, and a Log Collector are already deployed and operational. For steps on how to install Junos Space components, start here.
  1. In Security Director, navigate to Devices and select Click here to Discover Devices.
  2. Follow the prompts to add a device target. In this example, the SRX is added by its IP address.
  3. Continue through the prompts to choose the discovery methods: ping, SNMP, and SSH. The SRX must already accept these from the Junos Space address, i.e. SSH and NETCONF over SSH enabled under system services (Junos Space manages the device over NETCONF), and an SNMP community configured if SNMP discovery is selected.
  4. Select Discover. Upon completion, a status page is displayed showing success.

  5. Navigate to Security Director Devices to verify the configuration/connection status and the schema version in use. If the schema version is out of date (it must match the Junos release running on the SRX):
    1. Navigate to Network Management Platform -> Administration -> DMI Schemas -> Update Schema
    2. Select SVN Repository and then Configure
    3. Enter https://xml.juniper.net/dmi/repository/trunk/ for SVN URL
    4. Enter your Juniper Networks support credentials
    5. Test the connection and then save
    6. For Device Family select junos-es
    7. Click Connect
    8. Select the Junos version that matches the version installed on the SRX and click Install
    9. Once installed, navigate back to Network Management Platform -> Administration -> DMI Schemas, select the Junos version just installed, and under Actions select Set as Default Schema
    10. Navigate back to Security Director -> Security Director Devices to verify that the correct schema version is showing
  6. Right-click the device and select Import
  7. Select the policies to import (in this case both the NAT and Firewall policies) and click Next
  8. A summary will be shown listing the configuration elements to be imported. Click Finish.
  9. A summary will be shown listing the configuration elements that were imported. Click Close.
  10. Navigate to NAT Policies, right-click on the SRX host name and select Assign Devices
  11. Select the SRX host name and then select Modify
  12. In NAT Policies, right-click on the SRX host name and select Publish NAT Policy
  13. Click Publish and then verify that it was successful
  14. Navigate to Firewall Policies, right-click on the SRX host name and select Assign Devices
  15. Select the SRX host name and then select Modify
  16. In Firewall Policies, right-click on the SRX host name and select Publish Policy
  17. Click Publish and then verify that it was successful
  18. To test things out, navigate to Firewall Policies, click on the SRX, and then click on the green lock to edit.
  19. Modify or create a policy (in my case, I changed an existing policy's action from permit to deny)
  20. Click Save and then right-click the SRX and select Publish
  21. Click on Publish and Update
  22. Verify that the update was successful by viewing the job status in Junos Space and/or on the SRX CLI. Note that Space has already committed the change, so show | compare in configuration mode shows nothing; from operational mode use show configuration | compare rollback 1 to diff the active configuration against the previous commit, and show system commit to confirm that the newest commit came from the Junos Space device-connection user via netconf.
  23. Don't forget to revert your change after testing is complete :)
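The verification in the last steps can be scripted. The Python below is an added example, not code from the original post or from Juniper. It parses the text returned by the two operational-mode commands show system commit and show configuration | compare rollback 1, and checks that the most recent commit came from the Junos Space device-connection user over NETCONF and that the diff is exactly the permit-to-deny change made in Security Director. Both sample outputs, the username space-svc, and the policy name allow-web are constructed for this example; in practice you would paste in the output from your own SRX.

```python
"""Added example (not from the original post or from Juniper): check that a
policy push from Junos Space landed on the SRX as expected, from the text
that two Junos operational-mode commands return:

    show system commit
    show configuration | compare rollback 1

The sample outputs, the Space user 'space-svc' and the policy 'allow-web'
are constructed for this example.
"""
import re

# Constructed sample of `show system commit` (newest commit first). Junos Space
# manages devices over NETCONF, so its commits are recorded as "via netconf".
SAMPLE_COMMIT_LOG = """\
0   2015-09-22 14:02:11 UTC by space-svc via netconf
1   2015-09-22 11:40:03 UTC by admin via cli
2   2015-09-21 09:15:27 UTC by admin via cli
"""

# Constructed sample of `show configuration | compare rollback 1` after changing
# one policy's action from permit to deny in Security Director and publishing.
SAMPLE_DIFF = """\
[edit security policies from-zone trust to-zone untrust policy allow-web then]
-    permit;
+    deny;
"""

COMMIT_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<ts>\S+ \S+ \S+)\s+by (?P<user>\S+) via (?P<via>\S+)"
)


def parse_commit_log(text):
    """Return one dict (idx, ts, user, via) per commit line; other lines are skipped."""
    commits = []
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            d = m.groupdict()
            d["idx"] = int(d["idx"])
            commits.append(d)
    return commits


def last_commit_from_space(text, space_user):
    """True if the newest commit (index 0) was made by Space's user over NETCONF."""
    commits = parse_commit_log(text)
    if not commits or commits[0]["idx"] != 0:
        return False
    return commits[0]["user"] == space_user and commits[0]["via"] == "netconf"


def parse_compare(text):
    """Parse Junos '| compare' output into {edit-path: ([removed], [added])}.

    Each '[edit ...]' header opens a stanza; following '-'/'+' lines belong to it.
    """
    changes = {}
    path = None
    for line in text.splitlines():
        if line.startswith("[edit ") and line.endswith("]"):
            path = line[len("[edit "):-1]
            changes.setdefault(path, ([], []))
        elif path is not None and line[:1] in "-+":
            removed, added = changes[path]
            (removed if line[0] == "-" else added).append(line[1:].strip())
    return changes


def action_changed(text, policy_path, old, new):
    """True if the diff replaces 'old;' with 'new;' in the policy's 'then' stanza.

    An empty diff (e.g. `show | compare` run in configuration mode after Space
    has already committed) yields False, which is the point of the check.
    """
    changes = parse_compare(text)
    removed, added = changes.get(policy_path + " then", ([], []))
    return f"{old};" in removed and f"{new};" in added


def verify_push(commit_log, diff, space_user, policy_path):
    """Both checks together: run this after 'Publish and Update'."""
    return {
        "pushed_by_space": last_commit_from_space(commit_log, space_user),
        "permit_to_deny": action_changed(diff, policy_path, "permit", "deny"),
    }


if __name__ == "__main__":
    policy = "security policies from-zone trust to-zone untrust policy allow-web"
    print(verify_push(SAMPLE_COMMIT_LOG, SAMPLE_DIFF, "space-svc", policy))
```

The diff check is deliberately strict about the stanza path: a push that touched a different policy, or that only re-ordered rules, would not satisfy it, which is what you want when confirming that the exact edit made in Security Director is what reached the firewall.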
The next post will show you how to configure logging for security policies.
