Automation

ZTP for Juniper SRX Devices for initial setup

    Posted 12-20-2020 19:49

    Hello there,

    I'm searching for a solution to my problem of having a lot of Juniper SRX devices (300 series, 1500 series, 4000 series) lying in our storage with outdated firmware.
    At our company we're managing over 500 Juniper SRX devices, and at that "level" we commonly have outages (due to issues in facilities or self-made ones; there are plenty of reasons).

    With that said, if an incident occurs we need to take action as fast as possible, and that includes having a firewall device ready to go.
    Searching for a solution to reduce the time between taking the firewall out of our storage and having it fully operational in the rack, I tried to find out how to "ZTP" that device.

    Setting up a TFTP server with an ISC DHCP server did not help. I could not find any usable information for SRX devices on getting firmware updates via DHCP options.

    # DHCP OPTIONS
    # Juniper ZTP option space: the sub-options below are carried inside
    # DHCP option 43 (vendor-specific information).
    option space SRX_FIRMWARE_OP;
    option SRX_FIRMWARE_OP.image-file-name code 0 = text;      # sub-option 00: software image to install
    option SRX_FIRMWARE_OP.config-file-name code 1 = text;     # sub-option 01: configuration file to load
    option SRX_FIRMWARE_OP.image-file-type code 2 = text;      # sub-option 02: image file type
    option SRX_FIRMWARE_OP.transfer-mode code 3 = text;        # sub-option 03: tftp, ftp or http
    option SRX_FIRMWARE_OP.alt-image-file-name code 4 = text;  # sub-option 04: alternate image file name
    option SRX_FIRMWARE_OP.http-port code 5 = text;            # sub-option 05: port for http transfers
    option SRX_FIRMWARE_OP-encapsulation code 43 = encapsulate SRX_FIRMWARE_OP;
    
    
    # VLAN13 deployment clients
    subnet 10.1.2.128 netmask 255.255.255.128 {
        range 10.1.2.130 10.1.2.200;
        option routers 10.1.2.129;
        option domain-name-servers 10.1.1.2;
        option domain-name "company.local";
        option domain-search "company.local";
        option tftp-server-name "10.1.1.3";   # option 66: server the image is fetched from
        option SRX_FIRMWARE_OP.transfer-mode "tftp";
        option SRX_FIRMWARE_OP.image-file-name "junos-srxsme-20.3R1.8.tgz";
    }

    After that did not work, I tried a concept of creating a Python script to periodically scan the network, find IP addresses with Juniper MAC addresses, log in via SSH, update and shut down the devices. But as I saw, the default SRX configuration does not allow SSH to it.

    Due to our company policy no external "communication" is allowed, so setting up a solution that communicates with unknown servers in external networks is not going to be approved.

    Therefore, I'd like to ask whether you have had a similar case, or what recommended solution would be appropriate?



    ------------------------------
    Best regards Ali
    ------------------------------
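To see what the SRX_FIRMWARE_OP option space in the posted dhcpd config actually puts on the wire, here is an added Python example (not part of the original post or of any Juniper tooling). It encodes the sub-options as the RFC 2132 option 43 TLV payload, decodes them back, and lists the URLs a ZTP client would fetch from the option 66 server. The sample values are constructed from the posted subnet block, not taken from a capture; the tftp default when transfer-mode is absent, and the use of http-port only for http transfers, are assumptions of this example. Comparing the hex output with a capture of the DHCPOFFER on the deployment VLAN tells you whether the server is sending the sub-options at all before you look at the device side.

```python
"""Added example: encode and decode the DHCP option 43 payload that the
SRX_FIRMWARE_OP option space in the dhcpd config above produces, so a packet
capture on the deployment VLAN can be compared with what the SRX should see.
Sample values are constructed from the posted config, not taken from a capture."""
import struct

# Sub-option codes exactly as declared in the SRX_FIRMWARE_OP option space.
SUBOPTIONS = {
    0: "image-file-name",
    1: "config-file-name",
    2: "image-file-type",
    3: "transfer-mode",
    4: "alt-image-file-name",
    5: "http-port",
}
CODE_BY_NAME = {name: code for code, name in SUBOPTIONS.items()}


def encode_suboptions(values):
    """Build the encapsulated vendor-specific payload: for each sub-option one
    byte of code, one byte of length, then the ASCII value (RFC 2132 TLV)."""
    out = bytearray()
    for name, value in values.items():
        data = value.encode("ascii")
        if len(data) > 255:
            raise ValueError(f"{name}: value exceeds the one-byte length field")
        out += struct.pack("BB", CODE_BY_NAME[name], len(data)) + data
    return bytes(out)


def wrap_option43(payload):
    """Prefix the payload with option code 43 and its length, as it appears in
    the options field of the DHCPOFFER/DHCPACK."""
    if len(payload) > 255:
        raise ValueError("option 43 payload exceeds 255 bytes")
    return struct.pack("BB", 43, len(payload)) + payload


def decode_suboptions(payload):
    """Parse the encapsulated TLVs back into a dict keyed by sub-option name.
    Code 255 terminates the list. Juniper's sub-option 0 (image-file-name)
    has the same value as the RFC 2132 pad octet, so it is parsed as a TLV
    here rather than skipped; a generic parser that treats 0x00 as padding
    would silently drop the image file name."""
    result = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        data = payload[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code}: truncated value")
        result[SUBOPTIONS.get(code, f"unknown-{code}")] = data.decode("ascii")
        i += 2 + length
    return result


def ztp_fetch_urls(suboptions, server):
    """List the URLs a ZTP client would fetch for the given sub-options and
    the server from option 66 (tftp-server-name). Assumptions of this
    example: transfer-mode defaults to tftp when absent, and http-port is
    only used for http transfers."""
    mode = suboptions.get("transfer-mode", "tftp")
    host = server
    if mode == "http" and "http-port" in suboptions:
        host = f"{server}:{suboptions['http-port']}"
    return [
        f"{mode}://{host}/{suboptions[key]}"
        for key in ("image-file-name", "config-file-name")
        if key in suboptions
    ]


# Constructed sample: the two sub-options the posted subnet block sets.
SAMPLE = {"transfer-mode": "tftp", "image-file-name": "junos-srxsme-20.3R1.8.tgz"}

if __name__ == "__main__":
    option = wrap_option43(encode_suboptions(SAMPLE))
    print(option.hex())                      # bytes to compare with a capture
    decoded = decode_suboptions(option[2:])  # strip the option 43 code/length
    print(decoded)
    print(ztp_fetch_urls(decoded, "10.1.1.3"))
```

Note that with the posted config only the image sub-option is set, so the decoded dict contains no config-file-name and the device would fetch the image alone; add `option SRX_FIRMWARE_OP.config-file-name` in the subnet block if a configuration file should be pulled in the same ZTP run.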