Description of the configurations to be set by the service provider

This section describes the configurations that the service provider needs in order to provide the vSRX menu. As described under "Restrictions" in the service instruction manual, these configurations are essential for service provision, so altering or deleting them may cause the service to stop.

Verified versions: vSRX Version15.1X49-D105.1, vSRX Version19.2R1.8

<Configurations set by the service provider at the time of Firewall (vSRX) creation>
* The others are the initial configurations of the product.

set system login user provider-admin uid 2000
set system login user provider-admin class ******
set system login user provider-admin authentication encrypted-password "***********"
set system login user provider-ctrl uid 2001
set system login user provider-ctrl class ******
set system login user provider-ctrl authentication encrypted-password "***********"
set system login user provider-ctrl-ro uid 2002
set system login user provider-ctrl-ro class ******
set system login user provider-ctrl-ro authentication encrypted-password "***********"
set system login user provider-ope uid 2003
set system login user provider-ope class ******
set system login user provider-ope authentication encrypted-password "***********"
set system login user provider-ope-ctrl uid 2004
set system login user provider-ope-ctrl class ******
set system login user provider-ope-ctrl authentication encrypted-password "***********"
set system login user provider-ope-ro uid 2005
set system login user provider-ope-ro class ******
set system login user provider-ope-ro authentication encrypted-password "***********"
set system services ssh
set system services rest http port 3000
set system services rest control connection-limit 100
set system services web-management http interface fxp0.0
set interfaces ge-0/0/0 unit 0 family inet address ***.***.***.***/**
set interfaces ge-0/0/1 disable
set interfaces ge-0/0/2 disable
set interfaces ge-0/0/3 disable
set interfaces ge-0/0/4 disable
set interfaces ge-0/0/5 disable
set interfaces ge-0/0/6 disable
set interfaces ge-0/0/7 disable
set interfaces fxp0 unit 0 family inet address 100.***.***.***/24
set snmp community ************ authorization read-only
set routing-options static route 100.***.0.0/16 next-hop 100.***.***.1
set routing-options static route 0.0.0.0/0 next-hop ***.***.***.***

The individual settings made by the service provider are described below:

<List of configurations which are set by the service provider and must not be deleted>

| Command | Location of the restriction descriptions in the service description | Description |
|---|---|---|
| set system login user provider-* | Account related | Accounts whose names start with "provider-" are used by the service provider, so do not edit them, reset their passwords, or delete them. If any of those operations is identified, use of the service is disabled by NTT Communications. |
| set system services ssh | Management communications related | Login and investigation are performed for troubleshooting (etc.) when the service provider considers it necessary. |
| set system services rest * | Management communications related | Firewall (Juniper vSRX) creation, information reference, edit, deletion, and Action operations with the customer portal. |
| set system services web-management http interface fxp0.0 | Management communications related | Login and investigation are performed for troubleshooting (etc.) when the service provider considers it necessary. |
| set interfaces fxp0 unit 0 family inet address ** | Management communications related | Static route and fxp0 IP address assignment that enable the management communications described above. |
| set routing-options static route 100.***.0.0/16 next-hop 100.***.***.1 | Management communications related | Static route and fxp0 IP address assignment that enable the management communications described above. |
| set snmp community ******** authorization read-only | Management communications related | Metrics acquisition through SNMP for provision of the monitoring service. |
| set interfaces ge-0/0/X disable | Interface related | Interfaces that are not connected to a logical network have been deactivated. Do not activate them. |

<List of configurations which are set by the service provider and can be deleted in accordance with the design of the customer>

| Configuration | Location of the restriction descriptions in the service description | Description |
|---|---|---|
| set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh | Creation of Firewall (vSRX) | When the Firewall is created, the interface (ge-0/0/0.0) is placed in the trust zone. After creation, the customer is expected to change this setting through the Juniper vSRX portal/API/CLI, in accordance with their design. |
| set interfaces ge-0/0/0 unit 0 family inet address *.*.***.***/** | Creation of Firewall (vSRX) | The IP address of ge-0/0/0.0 is set only at the time of creation. |
| set routing-options static route 0.0.0.0/0 next-hop *.*.***.*** | Creation of Firewall (vSRX) | The default gateway is set only at the time of creation. Changes to and deletion of the default gateway are to be made through the Juniper vSRX portal/API/CLI. |

<List of the service provider's configurations which are needed when API has been enabled by the customer>

| Command | Location of the restriction descriptions in the tutorial | Description |
|---|---|---|
| set system services rest http addresses "IP address of IF fxp0.0" | Basic vSRX functions - Enabling API of vSRX | The additional setting of the IP address of interface fxp0.0 is necessary for login monitoring from our controller to the customer's vSRX using the API. Please note that without this setting, the login status will be "MONITORING UNAVAILABLE" and some change functions cannot be executed from the ECL2.0 customer portal. For the IP address of interface fxp0.0, enter the IP address of 100.xx.xx.xx obtained by executing show interfaces fxp0.0 terse. |
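
An added example (not NTT Communications' or Juniper's code): a Python check that reads the text of show configuration | display set and reports which statements from the must-not-delete list are missing, plus the API case in which rest http addresses is set without the fxp0.0 address. The sample configuration, its 100.64.x.x addresses and the EXAMPLE values are constructed placeholders; one addresses value per line is an assumption, and the ge-0/0/X disable rule is not checked because the configuration alone does not show which interfaces are connected to a logical network.

```python
import re

PROVIDER_USERS = ["provider-admin", "provider-ctrl", "provider-ctrl-ro",
                  "provider-ope", "provider-ope-ctrl", "provider-ope-ro"]
# Statements from the "must not be deleted" list; masked values match loosely.
REQUIRED = {
    "system services ssh": r"^set system services ssh( |$)",
    "system services rest": r"^set system services rest \S",
    "web-management on fxp0.0": r"^set system services web-management http interface fxp0\.0$",
    "fxp0 address": r"^set interfaces fxp0 unit 0 family inet address \S+/\d+$",
    "management static route": r"^set routing-options static route 100\.\S+/16 next-hop 100\.\S+$",
    "snmp read-only community": r"^set snmp community \S+ authorization read-only$",
}
FXP0_ADDR = re.compile(r"^set interfaces fxp0 unit 0 family inet address (\S+)/\d+$")
REST_ADDR = "set system services rest http addresses "

def audit(config_text):
    """Return findings for `display set` text; an empty list means nothing is missing."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    for user in PROVIDER_USERS:
        for leaf in ("uid", "class", "authentication encrypted-password"):
            prefix = f"set system login user {user} {leaf} "
            if not any(l.startswith(prefix) for l in lines):
                findings.append(f"missing: {prefix.strip()}")
    for name, pattern in REQUIRED.items():
        if not any(re.search(pattern, l) for l in lines):
            findings.append(f"missing: {name}")
    # API case: once 'rest http addresses' is set, fxp0.0's address must be listed.
    fxp0 = [m.group(1) for l in lines if (m := FXP0_ADDR.match(l))]
    rest = [l[len(REST_ADDR):].strip('"') for l in lines if l.startswith(REST_ADDR)]
    if rest and not any(a in rest for a in fxp0):
        findings.append("rest http addresses omits the fxp0.0 address")
    return findings

def sample_config():
    """Constructed sample; every value below is a placeholder."""
    out = []
    for i, user in enumerate(PROVIDER_USERS):
        out += [f"set system login user {user} uid {2000 + i}",
                f"set system login user {user} class EXAMPLE-CLASS",
                f'set system login user {user} authentication encrypted-password "EXAMPLE"']
    out += ["set system services ssh",
            "set system services rest http port 3000",
            "set system services web-management http interface fxp0.0",
            "set interfaces fxp0 unit 0 family inet address 100.64.1.10/24",
            "set snmp community EXAMPLE-COMMUNITY authorization read-only",
            "set routing-options static route 100.64.0.0/16 next-hop 100.64.1.1"]
    return "\n".join(out)

if __name__ == "__main__":
    print(audit(sample_config()) or "all provider-managed statements present")
```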