Juniper Security Director Installation and Upgrade Guide

Published
2025-01-24

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Security Director Installation and Upgrade Guide Copyright © 2025 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide
1. Introduction
   Juniper Security Director Installation Overview
2. System Requirements
   Juniper Security Director System Requirements
3. Deploy
   Deploy Juniper Security Director Using VMware vSphere
   Log In to the Juniper Security Director Web UI
4. Upgrade
   Upgrade Juniper Security Director

About This Guide
Use this guide to install and upgrade Juniper Security Director®.

CHAPTER 1
Introduction

Juniper Security Director Installation Overview
Juniper Security Director is the next generation on-premise management product for SRX Series Firewall and vSRX devices.
Benefits of Juniper Security Director
· Provides centralized security management
· Provides operational simplicity and efficiency with ease of use
· Offers integrated device management and security management with unified policies
· Offers visibility and analytics
· Manages all SRX Series Firewall and vSRX devices
· Suitable for regulated/air-gapped environments as it can be deployed on-premise.
Figure 1 shows the installation process for Juniper Security Director.

Figure 1: Juniper Security Director Installation Process
You can install Juniper Security Director by downloading the open virtual application (OVA) and the software bundle from the Juniper Software Downloads page. Use the OVA file to deploy the virtual machine (VM) using VMware vSphere. After the OVA deployment is complete, power on the VM to automatically install the software bundle.
NOTE: Juniper Security Director is a single-node deployment.
What's Next
See "Juniper Security Director System Requirements".

CHAPTER 2
System Requirements

Juniper Security Director System Requirements

SUMMARY
Ensure that your system meets the hardware and software requirements.

Hardware Requirements

Table 1: Hardware Requirements for ESXi Server

VM Configuration: 16 vCPU, 80 GB RAM, 2.1 TB storage
Device Management Capability:
· Up to 1000 devices
· Up to 10000 policy rules per device
· Up to 6000 NAT rules per device
· Up to 1000 VPNs per device/system
Log Analytics and Storage Capability:
· Up to 17000 logs per second
· Out of the 2.1 TB storage, 1.5 TB is dedicated for log analytics.

VM Configuration: 40 vCPU, 208 GB RAM, 4.2 TB storage
Device Management Capability:
· Up to 3000 devices
· Up to 20000 policy rules per device
· Up to 10000 NAT rules per device
· Up to 1500 VPNs per device/system
Log Analytics and Storage Capability:
· Up to 40000 logs per second
· Out of the 4.2 TB storage, 3.5 TB is dedicated for log analytics.

NOTE: We do not recommend hyperthreading on VMware hypervisor (ESXi) Server. You must use dedicated resources for CPU, RAM, and disk as per the hardware requirement. We do not recommend oversubscription or sharing resources.
Software Requirements
· Juniper Security Director runs on a VMware hypervisor (ESXi) Server. Use vCenter and vSphere version 7.0 and later. You must deploy the OVA through vCenter Server only. We do not support OVA deployment on ESXi directly.
· You must have the following dedicated IP addresses in the same subnet:
  · Management IP address: IP address for the VM that provides access to the Juniper Security Director CLI.
  · UI virtual IP address: Virtual IP address to access the Juniper Security Director GUI.
  · Device connection virtual IP address: Virtual IP address to establish connection between the managed devices and Juniper Security Director.
  · Log collector virtual IP address: Virtual IP address to receive logs from devices.
· Ensure that you have access to SMTP, NTP, and DNS servers from the VM network (Juniper Security Director).
NOTE: We support NTP server with IPv4 address only.
What's Next
See "Deploy Juniper Security Director Using VMware vSphere".

CHAPTER 3
Deploy

Deploy Juniper Security Director Using VMware vSphere

SUMMARY
This topic guides you through the Juniper Security Director VM deployment using VMware vSphere.

Before You Begin
· If you are not familiar with VMware vSphere, see VMware Documentation and select the appropriate VMware vSphere version.
· Choose the size of the VM. See "Hardware Requirements".
· You must have 4 dedicated IP addresses and ensure that you have access to SMTP, NTP, and DNS servers. See "Software Requirements".
NOTE: If the deployment is a regulated/air-gapped environment, ensure that the VM also has access to signatures.juniper.net for IDP/Applications Signatures download.

To deploy Juniper Security Director VM using VMware vSphere:
Step 1: Download the OVA and the Software Bundle
1. Download the Juniper Security Director OVA (.ova file) from https://support.juniper.net/support/downloads/?p=security-director-on-prem to a Web server or your local machine.
2. Download the Juniper Security Director Software Bundle (.tgz file) to your local machine from https://support.juniper.net/support/downloads/?p=security-director-on-prem and then transfer the file to your staging server. A staging server is an intermediate server where the software bundle is downloaded and is accessible from the VM. The staging server must support software bundle download from the Juniper Security Director VM through Secure Copy Protocol (SCP). Before you deploy the VM, you must have the details of the staging server, including the SCP username and password.
Step 2: Deploy the VM
1. Open the vSphere Client.
2. Right-click the inventory object that is a valid parent object of a VM and select Deploy OVF Template.
3. On the Select an OVF template page:
   · Enter the webserver OVA URL, where you have downloaded the OVA. The system might warn you about source verification. Click Yes.
     NOTE: Ensure that firewall rules do not block image access from the vSphere cluster.
   OR
   · Select the Local file option and click UPLOAD FILES to choose the OVA file from your local machine.
4. On the Select a name and folder page, enter the VM name and the location.
5. On the Select a compute resource page, select the compute resource for the host on which the VM will be deployed.
6. On the Review details page, review the details of the resources to be provisioned.
7. On the Select storage page, select the storage for the configuration and the virtual disk format. We recommend that you use the Thick provision virtual disk format.
   NOTE: We do not recommend thin provisioning. If you choose thin provisioning and the actual disk space available is low, the system might encounter problems once the disk is full.
8. On the Select networks page, select the network to configure IP allocation for static addressing.
9. On the Customize template page, configure Juniper Security Director on-premise OVA parameters.
   NOTE: Prepare all details for the Customize template page in advance. The OVF template times out after 6 to 7 minutes.
   NOTE:
   · The cliadmin user password field does not strictly validate password requirements. However, during the installation process, the system enforces strict validations and rejects the password that does not meet the specified requirements, causing installation failure. To avoid issues during installation, ensure that the password meets these criteria:
     · Must be at least 8 characters long and not more than 32 characters.
     · Must not be dictionary words.
     · Must include at least three of the following:
       · Numbers (0-9)
       · Uppercase letters (A-Z)
       · Lowercase letters (a-z)
       · Special characters (~!@#$%^&*()_-+={}[];:"'<,>.?/|\)
   · We recommend that you use an FQDN.
10. On the Ready to complete page, review all the details and if required, go back and edit the VM parameters. These network parameters cannot be changed from the VM configuration after successful installation. However, network parameters can be changed from the CLI. Click Finish to begin the OVA deployment. You can monitor the OVA deployment progress status in the Recent Tasks window at the bottom of your screen until it is 100% complete. The Status column shows the deployment complete percentage. Congratulations! Now the OVA deployment is complete.
11. (Optional) Once you've deployed the OVA, create a snapshot. A snapshot is useful if you need to roll back after the software bundle automatically installs. Select the VM and from the Actions menu navigate to Snapshots > TAKE SNAPSHOT.
12. Click the triangle icon to power on the VM.
    NOTE: By default, the VM will be deployed with the smallest resource configuration as mentioned in Hardware Requirements. Adjust the resources to match other resource configurations using the VMware Edit VM settings. For a successful installation, the resource allocation must match Hardware Requirements.
    Once the VM powers on, navigate to the Summary tab and click LAUNCH WEB CONSOLE to monitor the software bundle installation status.
    NOTE: Avoid performing any operation on the console until the installation is complete.
    You can view the installation progress on the console. After the installation is complete, the console displays Successfully installed software bundle on the cluster. A successful installation requires approximately 30 minutes. If the installation lasts longer, check the Web console for potential errors. You can SSH to the VM IP using the cliadmin user and the password you configured during the OVA deployment. Then, use the show bundle install status command to check the installation status. To rectify errors, power off the VM, then navigate to Configure and click vApp options to modify the parameters and then power on the VM. Congratulations! The software bundle installation is now complete.
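A pre-flight check for the values prepared before the Customize template page, added here as an example and not taken from Juniper's software: it verifies that the four dedicated addresses are distinct and in one subnet, and that a candidate cliadmin password meets the criteria in the note under step 9. The role names, function names, sample addresses and wordlist are assumptions made for this example; the installer's own dictionary check is not described in this guide, so the wordlist match only approximates it.

```python
import ipaddress
import string

# Role names are labels chosen for this example, one per address the guide requires.
ROLES = ("management", "ui_vip", "device_vip", "log_collector_vip")
# Special characters listed in the guide's cliadmin password note.
SPECIALS = set("~!@#$%^&*()_-+={}[];:\"'<,>.?/|\\")


def check_ip_plan(plan, cidr):
    """Return problems with the four dedicated addresses (empty list = OK)."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems, seen = [], {}
    for role in ROLES:
        raw = plan.get(role)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{role}: {raw!r} is not an IP address")
            continue
        if addr not in net:
            problems.append(f"{role}: {addr} is outside {net}")
        if addr in seen:  # each role needs its own dedicated address
            problems.append(f"{role}: {addr} is already used by {seen[addr]}")
        seen.setdefault(addr, role)
    return problems


def check_cliadmin_password(password, wordlist=()):
    """Return unmet criteria from the guide's password note (empty list = OK)."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    # Assumption: an exact, case-insensitive wordlist hit stands in for the
    # installer's undocumented dictionary check.
    if password.lower() in {w.lower() for w in wordlist}:
        problems.append("matches a dictionary word")
    classes = [
        any(c in string.digits for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs three of: number, uppercase, lowercase, special")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the guide.
    plan = {"management": "192.0.2.10", "ui_vip": "192.0.2.11",
            "device_vip": "192.0.2.11", "log_collector_vip": "198.51.100.5"}
    for line in check_ip_plan(plan, "192.0.2.0/24"):
        print("IP plan:", line)
    for line in check_cliadmin_password("password", wordlist=["password"]):
        print("Password:", line)
```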
Step 3: Verify and Troubleshoot
To verify if the installation is successful, you must log into the VM IP through an SSH connection. VM IP is the value provided in the IP address field in Step 9 (the Customize template page). Use the following default credentials:
User: cliadmin
Password: abc123
After you have logged in, you will be prompted to change the default credentials. Log in with your new credentials and run the following commands:
· show service healthmonitor status command to view the installation status.
· list /var/log/cluster-manager command to list the log file.
· show file /var/log/cluster-manager/cluster-manager-service.log command to view the content of the log file.
· remotecopy /var/log/cluster-manager/cluster-manager-service.log <username>@<hostname>:<remote path to copy the log file> command to copy the file to a remote location for troubleshooting.

Troubleshoot Using UI
You can generate and download the system logs for issues related to feature groups such as device management, policy management, and log analytics. A feature group is a logical grouping of related microservices whose logs are required to debug an issue.

Before You Begin
See "Log In to the Juniper Security Director Web UI".

To generate the system logs:
1. Select Administration > System Management > System Logs. The System Logs page is displayed.
2. Select the feature group.
3. In the Timespan drop-down field, select the period for which you want to generate the logs.
4. Click Generate Log Package. A job is created for the log generation process. The details are displayed on the top of the page.

Select Administration > Jobs to view the job. On the Jobs page, you can monitor the status of log generation process. After the job is finished, a link is created on the System Logs page to download the logs. System logs will be downloaded as a tgz file and shared with the Juniper Networks support team to analyze the root cause of the issue.

What's Next
See "Log In to the Juniper Security Director Web UI".

Log In to the Juniper Security Director Web UI

SUMMARY
Create your Juniper Security Director organization account in two steps: enter your details and your organization's details, and then verify your e-mail address to activate your account.

After you deploy the OVA, you can log in to the Web GUI using the UI virtual IP address or FQDN (domain name) that you configured during the OVA deployment.

Before You Begin
The following ports must be opened:
· Inbound port 443 for users' connection to Web
· Outbound port 25 for outbound to configured mail server
· Inbound port 7804 from all managed devices
· Outbound port 443 for signature download URL
· Inbound port 6514 for inbound connection for traffic log

To log in to the Web UI:
1. Enter the UI virtual IP address or FQDN (domain name) in a Web browser to access the Juniper Security Director login page. To view the configured UI virtual IP address, select the deployed VM, navigate to Configure and click vApp Options. Under Properties, you can view the UI address. The Juniper Security Director login page is displayed.

2. Set your login credentials and click Next:
   · Enter a valid e-mail address.
   · Enter a password containing 8 to 20 characters. The password must contain at least one number, one uppercase letter, and one special character.
3. Enter your contact details and click Next:
   · Enter your name. You can use a maximum of 32 letters. Spaces are allowed.
   · Enter your company name. You can use a maximum of 64 characters. Alphanumeric characters, hyphens (-), underscores (_), and spaces are allowed.
   · Select your country from the drop-down list.
   · Enter a valid phone number. You can use 7 to 18 characters comprising numbers and special characters, such as the plus sign (+), dashes (-), or brackets ().
4. Enter your SMTP details and click Next:
   · Enter the hostname or IP address of the SMTP server.
   · Enter the SMTP server port number.
   · Enter the sender's name in the e-mail.
   · Enter the sender's e-mail address.
   You can enable SMTP server authentication for sending e-mails and secure your e-mails with Transport Layer Security (TLS) encryption.
   NOTE: Ensure that your SMTP configuration is valid, otherwise you will not receive emails to activate your organization account.
5. Test your SMTP server or skip test. If you click Test SMTP Server, an SMTP test e-mail will be sent to your mailbox.
6. Enter a name for the organization account that you will use to manage the security devices and services and click Create Organization Account. You will receive an e-mail to verify your e-mail address and activate your account.
7. Log in to your e-mail account, open the verification e-mail, and click Activate Organization Account. The organization account is now successfully activated and you can now log in with your credentials.
   NOTE: Ensure you verify your e-mail address and click Activate Organization Account within 24 hours of receiving the e-mail. If you don't verify your e-mail, your account details will be removed from Juniper Security Director, and you'll need to re-create your organization.
8. Enter the password, and click Sign in. Congratulations! You are now signed in to the Juniper Security Director UI. The menu bar on the left of each page allows easy access to various tasks.

CHAPTER 4
Upgrade

Upgrade Juniper Security Director
You can upgrade your existing Juniper Security Director version to the latest available version.
NOTE: Services will be temporarily unavailable during the upgrade process. The upgrade may take 40 minutes to complete, after which services will be restored. We recommend scheduling the upgrade during a maintenance window with ample time.
Before You Begin
Download the Juniper Security Director Software Bundle (.tgz file) to your local machine from https://support.juniper.net/support/downloads/?p=security-director-on-prem and then transfer the file to your staging server. A staging server is an intermediate server where the software upgrade bundle is downloaded. The staging server must support the software upgrade bundle download from the Juniper Security Director VM through SCP. Before you upgrade the VM, you must have the details of the staging server, including the SCP username and password.

To upgrade Juniper Security Director:
1. Log in to the Juniper Security Director UI.
2. Select Administration > System Management > System. The System page is displayed. You can view the existing software version that is displayed on the page.
3. Click Upgrade System.
4. Complete the configuration by entering the details as described in Table 2.

Table 2: Fields on the Upgrade System Page

Field: Upgrade bundle location
Description: Enter the staging server location, where the upgrade bundle is available. You must provide the bundle location in the following formats:
· With port: user@server:port/relative-path or user@server:port//absolute-path. For example, root@10.0.0.1:22//var/www/html/sdop-24.1-898.tgz
· Without port: user@server:relative-path or user@server:/absolute-path. For example, root@10.0.0.1:/root/sdop-24.1-898.tgz

Field: Port
Description: Enter the SCP port number of the staging server.

Field: Username
Description: Enter the username to connect to the staging server.

Field: Password
Description: Enter the password to connect to the staging server.

5. Click OK. The upgrade process is triggered, and the Job Status page is displayed. After the upgrade is complete, close the Job Status page. The detailed status of the job is displayed on the Job Status page. The status of the upgrade is displayed on the System page.

On successful upgrade, the upgraded version is displayed on the System page.

If the upgrade fails, check whether:
· The VM has connectivity to the staging server.
· The bundle location provided is incorrect.
· The bundle is missing from the specified location.
· The bundle or the bundle format provided is invalid.
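
A parser for the four bundle location formats in Table 2, added here as an example and not taken from Juniper's software, so that a malformed location is caught before the upgrade job is started. The function and type names are assumptions, as are two rules: a leading all-digit segment after the colon is read as the port, and the path must end in .tgz because the guide describes the bundle as a .tgz file.

```python
import re
from typing import NamedTuple, Optional


class BundleLocation(NamedTuple):
    user: str
    server: str
    port: Optional[int]   # None when the "without port" format is used
    path: str
    absolute: bool


# user@server:<rest>, with no whitespace anywhere in the value.
_LOCATION = re.compile(r"^(?P<user>[^@:/\s]+)@(?P<server>[^@:/\s]+):(?P<rest>\S+)$")


def parse_bundle_location(text):
    """Parse a Table 2 bundle location or raise ValueError."""
    match = _LOCATION.match(text.strip())
    if not match:
        raise ValueError("expected user@server:[port/]path with no spaces")
    rest, port = match["rest"], None
    # Assumption: "digits/" directly after the colon is the port. A relative
    # path whose first directory is all digits would be misread as a port.
    with_port = re.match(r"^(\d+)/(.+)$", rest)
    if with_port:
        port = int(with_port[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} is out of range")
        # After "port/": a remaining leading "/" means "port//absolute-path".
        rest = with_port[2]
    if not rest.endswith(".tgz"):
        raise ValueError("bundle path does not end in .tgz")
    return BundleLocation(match["user"], match["server"], port,
                          rest, rest.startswith("/"))


if __name__ == "__main__":
    # The first two samples are the guide's examples; the rest are constructed.
    samples = [
        "root@10.0.0.1:22//var/www/html/sdop-24.1-898.tgz",
        "root@10.0.0.1:/root/sdop-24.1-898.tgz",
        "stage@files.example.net:2222/bundles/sdop-24.1-898.tgz",
        "root@10.0.0.1:22//var/www/html/ sdop-24.1-898.tgz",  # stray space
        "root@10.0.0.1",                                      # no path
    ]
    for sample in samples:
        try:
            print(sample, "->", parse_bundle_location(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```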

RELATED DOCUMENTATION CLI Commands


