Description of the configurations to be set by the service provider
This section describes the configurations the service provider needs in order to provide the vSRX menu. As described in "Restrictions" in the service instruction manual, these configurations are essential for service provision, so altering or deleting them may cause the service to stop.
Versions confirmed to operate: vSRX Version 15.1X49-D105.1, vSRX Version 19.2R1.8, vSRX Version 20.4R2
<Configurations set by the service provider at the time of Firewall (vSRX) creation>
* All other settings are the initial configurations of the product.
set system login user provider-admin uid 2000
set system login user provider-admin class ******
set system login user provider-admin authentication encrypted-password "***********"
set system login user provider-ctrl uid 2001
set system login user provider-ctrl class ******
set system login user provider-ctrl authentication encrypted-password "***********"
set system login user provider-ctrl-ro uid 2002
set system login user provider-ctrl-ro class ******
set system login user provider-ctrl-ro authentication encrypted-password "***********"
set system login user provider-ope uid 2003
set system login user provider-ope class ******
set system login user provider-ope authentication encrypted-password "***********"
set system login user provider-ope-ctrl uid 2004
set system login user provider-ope-ctrl class ******
set system login user provider-ope-ctrl authentication encrypted-password "***********"
set system login user provider-ope-ro uid 2005
set system login user provider-ope-ro class ******
set system login user provider-ope-ro authentication encrypted-password "***********"
set system services ssh
set system services rest http port 3000
set system services rest control connection-limit 100
set system services web-management http interface fxp0.0
set interfaces ge-0/0/* unit 0 family inet address ***.***.***.***/**
set interfaces fxp0 unit 0 family inet address 100.***.***.***/24
set snmp community ************ authorization read-only
set routing-options static route 100.***.0.0/16 next-hop 100.***.***.1
set routing-options static route 0.0.0.0/0 next-hop ***.***.***.***
The individual settings made by the service provider are described below:
<List of configurations which are set by the service provider and must not be deleted>
Command | Location of the restriction descriptions in the service description | Description |
set system login user provider-* | Account related | Accounts whose names start with "provider-" are used by the service provider, so do not perform any operations on them such as edit, password reset and deletion. If any of those operations is identified, use of the service is disabled by NTT Communications. |
set system services ssh | Management communications related | Login and investigation are performed for troubleshooting (etc.) when the service provider considers it necessary. |
set system services rest * | Management communications related | Firewall (Juniper vSRX) creation, information reference, edit, deletion, and Action operations with the customer portal. |
set system services web-management http interface fxp0.0 | Management communications related | Login and investigation are performed for troubleshooting (etc.) when the service provider considers it necessary. |
set interfaces fxp0 unit 0 family inet address ** | Management communications related | Static route and fxp0 IP address assignment that enable the management communications described above. |
set routing-options static route 100.***.0.0/16 next-hop 100.***.***.1 | Management communications related | Static route and fxp0 IP address assignment that enable the management communications described above. |
set snmp community ******** authorization read-only | Management communications related | Metrics acquisition through SNMP for provision of the monitoring service. |
set interfaces ge-0/0/X disable | Interface related | An interface that is not connected to a logical network has been deactivated. Do not activate the interface. |
<List of configurations which are set by the service provider and can be deleted in accordance with the design of the customer>
Configuration | Location of the restriction descriptions in the service description | Description |
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh | Creation of Firewall (vSRX) | When the Firewall is created, the interface (ge-0/0/0.0) is placed in the trust zone. After the creation, the customer is expected to change the setting through Juniper vSRX portal/API/CLI, in accordance with their design. |
set interfaces ge-0/0/* unit 0 family inet address | Creation of Firewall (vSRX) | The IP address of ge-0/0/0.* is set only at the time of the creation. |
set routing-options static route 0.0.0.0/0 next-hop *.*.***.*** | Creation of Firewall (vSRX) | The default gateway is set only at the time of the creation. Change and deletion of the default gateway are to be executed through Juniper vSRX portal/API/CLI. |
<List of the service provider's configurations which are needed when API has been enabled by the customer>
Command | Location of the restriction descriptions in the tutorial | Description |
set system services rest http addresses "IP address of IF fxp0.0" | Basic vSRX functions - Enabling API of vSRX | The IP address of interface fxp0.0 must be set additionally so that our controller can perform login monitoring of the customer's vSRX through the API. Without this setting, the login status will be "MONITORING UNAVAILABLE" and some change functions cannot be executed from the ECL2.0 customer portal. For the IP address of interface fxp0.0, enter the IP address of 100.xx.xx.xx obtained by executing show interfaces fxp0.0 terse. |
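One way to check a change against the lists above before committing it, as an added example that is not part of the original page or the provider's tooling: it compares a `show configuration | display set` snapshot taken right after creation with the candidate configuration and reports every must-not-delete statement that was removed or edited. The regular expressions, function names and all sample values are assumptions constructed for this illustration.

```python
import re

# Statements the page lists as "must not be deleted", as regexes over
# "display set" lines (the patterns are this example's own).
PROTECTED = [re.compile(p) for p in (
    r"set system login user provider-\S+ ",
    r"set system services ssh$",
    r"set system services rest ",
    r"set system services web-management http interface fxp0\.0$",
    r"set interfaces fxp0 unit 0 family inet address ",
    r"set routing-options static route 100\.\d+\.0\.0/16 next-hop ",
    r"set snmp community \S+ authorization read-only$",
    r"set interfaces ge-0/0/\d+ disable$",
)]

def _lines(text):
    return {ln.strip() for ln in text.splitlines() if ln.strip()}

def removed_provider_config(baseline, candidate):
    """Protected statements in the baseline that the candidate deletes or edits."""
    protected = {ln for ln in _lines(baseline)
                 if any(p.match(ln) for p in PROTECTED)}
    return sorted(protected - _lines(candidate))

# Constructed sample: snapshot taken right after creation (all values invented).
BASELINE = """\
set system login user provider-admin uid 2000
set system login user provider-ope authentication encrypted-password "$6$constructed-A"
set system services ssh
set system services rest http port 3000
set system services web-management http interface fxp0.0
set interfaces fxp0 unit 0 family inet address 100.64.10.5/24
set interfaces ge-0/0/3 disable
set snmp community constructed-ro authorization read-only
set routing-options static route 100.64.0.0/16 next-hop 100.64.10.1
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
"""

# Constructed candidate: resets a provider password, re-enables ge-0/0/3 and
# drops the trust-zone SSH line (the last change is one the page permits).
CANDIDATE = "\n".join(
    ln.replace("constructed-A", "constructed-B") for ln in BASELINE.splitlines()
    if "ge-0/0/3 disable" not in ln and "security-zone trust" not in ln)

if __name__ == "__main__":
    for stmt in removed_provider_config(BASELINE, CANDIDATE):
        print("provider statement removed or changed:", stmt)
```

Because an edited statement no longer matches its baseline line, a password reset on a "provider-" account is reported the same way as a deletion.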