Juniper Sky Enterprise User Guide
End Of Service Notice
Juniper Sky Enterprise will officially be discontinued on 2024/11/20. The EOS announcement can be found at End-Of-Life-Notification-Sky-Enterprise-SaaS-Cloud-Service. Please review options for migrating to Juniper Mist as a SaaS solution before the service is discontinued.
Introduction
Juniper Sky Enterprise delivers cloud-based network management for Juniper SRX Series, EX Series, QFX Series and NFX Series devices. It provides a secure web-based user interface that is quick to set up and connect devices to. With Sky Enterprise, network engineers with no prior Juniper Networks experience can easily deploy and manage devices and the network.
This User Guide describes the features within Sky Enterprise and how to use them.
The video below provides an overview of Sky Enterprise capabilities (duration 3:46).
Getting Access to Sky Enterprise
Trial Accounts
Juniper Networks offers free 30-day accounts to customers who are interested in a trial of the system. Once the trial account is activated, trial users can add their Juniper devices to Sky Enterprise, where they have access to the full set of features enjoyed by subscribers.
To request a trial account, complete the form found at: https://www.juniper.net/us/en/forms/sky-enterprise-free-trial/. Juniper will send you an email with an activation link. The link expires after 48 hours; if you are unable to activate before it expires, contact Juniper Customer Care to request that the link be resent.
Demonstration Accounts
Demonstration accounts are available for Juniper Networks staff. These can be requested via email to: skyent-trial@juniper.net
Activating Sky Enterprise Licenses
When you purchase Sky Enterprise licenses you can activate your account via the Juniper Agile Licensing Portal.
If you don't already have a Juniper User Account, register for one at: https://userregistration.juniper.net/entitlement/setupAccountinfo.do
Sign into the Juniper Agile Licensing Portal at: https://license.juniper.net/licensemanage/
Activate your license in the Juniper Agile Licensing Portal:
If you are activating a new license, click New Cloud Registration. Then enter the Authorization Code/Activation Code located in your certificate and follow the onscreen instructions.
If you are adding licenses to your existing cloud service, find your new purchase in the entitlement screen and select it. Follow the on-screen instructions to activate the new license for your cloud instance.
For assistance you can open a Customer Care case at: https://support.juniper.net/support
Juniper Networks Devices Supported by Sky Enterprise
Sky Enterprise supports:
All SRX models
All EX models
All QFX models
All NFX models
Junos OS Software Releases Supported by Sky Enterprise
Juniper Networks EX Series Switches
For the EX Series switches, the following Junos OS software versions are supported on Sky Enterprise:
Junos OS Release 12.1
Junos OS Release 13.1
Junos OS Release 14.1
Junos OS Release 15.1
Junos OS Release 17.1
and later
Avoid 12.3R12-S13, 12.3R12-S14, and 12.3R12-S15 - these have an SSH bug that prevents connection to Sky Enterprise.
Juniper Networks QFX Series Switches
For the QFX Series switches, the Junos OS Release 14.1X53-D30 and later are supported on Sky Enterprise.
Juniper Networks SRX Series Services Gateways
For SRX Series and vSRX devices, the following Junos OS software releases are supported on Sky Enterprise:
Junos OS Releases 12.1X44, 12.1X45, 12.1X46, and 12.1X47.
Junos OS Releases 12.3X48 and 15.1X49.
Junos OS Release 17.3R1.
Junos OS Release 18.1
and later
Juniper Networks NFX Series Devices
We recommend the Junos OS Release 15.1X53-D47 for Juniper Networks NFX Series devices.
Sites
Logging in to Sky Enterprise automatically takes users to the 'Sites' view. This is the first tab on the 'Home' page. This page gives users a quick network overview including interactive world map view, devices online/offline, alarms and sites.
The main part of the screen shows the Google Maps view where you can view, add and edit your site details for locations around the world. Below the map is a list of existing sites.
Edit a Site
By clicking on the menu option to the left of a site in the list, you are presented with various options:
View Devices - presents a list of devices in the site
View Topology - presents a real time Layer 2 view of devices in the site
Edit - provides the option of changing the site name, the site address and site description. It also provides an option for adding or removing devices for the site.
Delete - provides the option to delete a site.
Add a New Site
To add a new site, click on the 'New Site' button on the right side of the screen and add the site name and address. From there you can select from existing devices to add to the site.
Devices
The Devices Dashboard provides a single list view of all your managed devices. This view can be organised using Device and Site tags, and offline devices can be filtered out using the display options menu.
The following tools are accessible from this view:
Add Device
Display Options - toggle on or off:
System Alarms
License Alarms
Device & Site Tags
Show Online Devices
Show Offline Devices
Download
This button downloads a CSV file of all your Juniper devices, including: hostname, description, device model, Junos version, serial number, site details, IP address, uptime, last backup time and reboot reason. Think of this as a near real time asset report.
Set Tags
Create tags and add them to any device. This is a useful tool for grouping devices by model, function, location or any other common element. You can use tags in search functions, and for selecting groups of devices for bulk update actions.
Search
Fast search option to find any string within your device list.
The list of devices is displayed as a table with the following information and tools:
Action - the Action menu provides easy access to device management and configuration workflows.
Host/(hostname) - displays the name of the device as configured within the system with the device's hostname in brackets next to it.
Model - Juniper device model
Description/IP address - a manually added description; the IP address is the public IP address of the network that the device is connected to
Status - online or offline, also has hover for last connect time
Tenants
The 'Tenants' tab is visible when the 'Multi Tenancy' option is selected in the 'Settings' tab. To enable 'Multi Tenancy' see Enable Multi Tenancy.
To add a new tenant, click on the 'Add Tenant' button.
Users created at a tenant hierarchy are bound to that hierarchy. Different user roles are available during user creation. See Creating Multi Tenant Users and Understanding User Roles.
A logo can be shared from a higher level tenant with sub tenants. To do so, see Share Logo with Tenants.
Tenants are a great way for managed service providers (MSPs) and large organizations to segment users and devices into responsibility domains.
Tools
The Tools tab contains features to help you locate specific devices.
There are two search options available:
IP Address search performs a search of all your managed devices across your network to quickly locate a specific IP address. Enter the IP address that you are looking for and click 'Search'.
MAC Address will search your network for the specific MAC address that you entered.
Topology
The Topology tab presents a real time layer-2 view of your network devices. The view is generated using LLDP (link layer discovery protocol). LLDP is a vendor neutral protocol so non-Juniper devices running this protocol will be displayed in this view e.g. other vendor network devices, access points, IP phones, servers configured with LLDP.
Sky Enterprise will display up to 250 devices in the Topology view. Views can be network-wide, or site specific. To view an individual site, select the site from the dropdown menu on the middle-right of the screen.
By clicking on an individual device (managed by Sky Enterprise) additional details will be displayed in the lower-right corner of the screen, including device type, IP address and alarms count. The device's interfaces will be listed with a direct link to the interface graph.
The Topology view can be refreshed by reloading the page or by clicking the 'Refresh Layout' button on the middle-right of the screen.
Alarms
The 'Alarms' tab is visible when 'Enable Global Device Alarms' option is selected in the 'Settings' tab.
Sky Enterprise displays system and chassis alarms on managed devices. Alarms are listed in a table including:
Timestamp of the alarm
Device
Description of the alarms
Alarm type
An Action menu is presented for each alarm. Where possible Sky Enterprise provides an action to remedy the alarm, such as:
Save Autorecovery Information
Set Rescue Configuration
Using the Action menu to remedy alarms is a simple way to improve the resilience and reliability of the network.
WiFi
This tab displays information about SRX WiFi mPIM Access Points. SRX WiFi mPIM Access Points are cards that can be installed in Juniper SRX320, SRX340, SRX345, SRX380 and SRX550M devices. Additional details are below.
When an SRX WiFi mPIM is installed in an SRX, Sky Enterprise will automatically detect it and enable the WiFi menu for configuring the device.
The 'WiFi' tab displays a list of all SRX WiFi Access Points currently active on the network. The table (shown below) includes SSID, Parent AP, the associated device (that the WiFi mPIM is installed in), country code, Mode, Channel, Security, VLAN, active client count and connection status.
Selecting the Action menu item for an Access Point provides an option to edit the Access Point. Clicking on this option takes you to the WiFi configuration menu specific to the associated device. Configuring WiFi Access Points is covered in more detail in the 'Device Actions' section.
Also displayed in the WiFi tab is the connected clients table. This table shows all the clients currently connected to the Access Points, including: MAC Address, SSID, Associated device, Radio ID and bytes received/transmitted.
Mist WiFi
Sky Enterprise includes an API integration to Mist Systems' cloud-based portal. By adding your Mist credentials into Sky Enterprise you can view and monitor your Mist APs and clients directly from the Sky Enterprise portal.
The Mist API is enabled within Sky Enterprise Settings tab.
To configure Mist APs, use the context sensitive cross-launch option in Sky Enterprise to open the Mist portal to configure the AP you are currently working on.
Using the Action menu on a Mist Access Point the following options are available:
View details - shows the Access Points details including hostname, ID, model, version, serial number, MAC, IP address and more
Update Associations - allows an Access Point to be associated with a Juniper device (EX) and/or a site within Sky Enterprise
View AP in Mist Portal - launching you into the Mist portal directly to the Access Point you are looking at in Sky Enterprise
The video below shows an overview of establishing the Mist API integration, and the simple user interface in Sky Enterprise for viewing your WiFi access points and clients.
Managing Devices
This section provides information about managing devices from the Action menu in the Devices tab.
There are menu items that are common across multiple device types, for example: Interfaces/VLANs; System and Monitoring; and Junos CLI. Other menu items are specific to certain device types. For example, Security Policies and Zones is available for SRX devices, but not for EX and QFX.
For each of the Action menu items described below, the device type that the menu applies to is listed in the title.
Custom SD-WAN and Routing
What is Custom SD-WAN?
Custom SD-WAN is a group of features within Sky Enterprise that contribute to the deployment and ongoing management of SD-WAN environments. It is called 'custom' because these features can be used at the discretion of the network administrator to add configuration to an SRX device in any manner they want.
The video below describes the Custom SD-WAN features.
Custom SD-WAN Overview
This screenshot shows the range of tabs that are included in the Custom SD-WAN section.
Beginning with WAN Graphs, Sky Enterprise imports the default untrust interface. To add or remove interfaces from this view, use "Select WAN Interfaces".
Traffic throughput (bytes transmitted/received) is displayed in graphs, available in hourly, daily, weekly and monthly views.
To the right of the graph, AppTrack data is displayed if enabled. This is a near real-time view of applications, by volume, traversing the WAN interfaces. By hovering the cursor over the bar chart, the exact details of the application traffic are shown.
System Graphs are next. These display the CPU, Memory, Temperature, and Session values in hourly, daily, weekly and monthly views.
Current device licenses, their expiration dates and the license expiry warning can also be viewed in this section.
Select the license expiry to adjust the notification timeframe.
Note: The SRX must be licensed for Application Identification and must be configured to send syslog (over TLS) to Sky Enterprise.
Application Routes
Layer 7 application routes can be managed on the Application Routes view within Custom SD-WAN. All common interface types, such as Ethernet, 3G/4G LTE and T1/E1, are supported. Direct internet break-out along with IPsec tunnels is supported with no custom underlay required.
Creating and Editing Application Routes
Creating or editing an application route allows users to select L7 applications or application groups, such as multimedia:audio or video-streaming, and make a forwarding decision for them.
For instance, in the example screenshot below we use this to offload high bandwidth applications to inexpensive links. Selecting Spotify, Netflix, etc. in the rule will forward traffic matching the L7 app-id out that link. This could also be used to steer mission critical applications, like SIP or on-premise Exchange, across IPsec tunnels.
An example bulk update template to set up dual ISP interfaces is available here.
Realtime Performance Monitoring - RPM
Application steering can be coupled with automatic failover and fail-back using RPM for redundancy. In the screenshot below you can see information related to the probe (Name, Probe Type, Target Type, Target, Status, RTT, % Loss) as well as details (RTT, Avg Delay, Jitter Delay, Min Delay, Max Delay, Stddev Delay, Delay Threshold, Sum Delay).
IP Monitoring Policies
The IP Monitoring Policy determines the path when the probe is in a failed state. In this instance the default path has a preference of 8, and when the default-inet1 probe fails a static route is added to the table to use the other ISP. A default static route has a preference of 5.
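As an added example (not from the guide or a Sky Enterprise template), this is the Junos configuration behind an IP Monitoring Policy of the kind described above: an RPM probe, named default-inet1 as in the guide, that pings a target through the primary ISP, and an ip-monitoring policy that installs a default route through the second ISP while the probe is in a failed state. The probe owner name, interface names, next-hop addresses and the probe target are assumed placeholders taken from the RFC 5737 documentation ranges.

```junos
# RPM probe: ICMP ping to a monitoring target, forced out the primary WAN
# interface and its gateway so the probe really tests ISP 1's path.
# Owner "isp-monitor" is an assumed name; test "default-inet1" follows the guide.
set services rpm probe isp-monitor test default-inet1 probe-type icmp-ping
set services rpm probe isp-monitor test default-inet1 target address 192.0.2.1
set services rpm probe isp-monitor test default-inet1 probe-count 3
set services rpm probe isp-monitor test default-inet1 probe-interval 5
set services rpm probe isp-monitor test default-inet1 test-interval 10
set services rpm probe isp-monitor test default-inet1 thresholds successive-loss 3
set services rpm probe isp-monitor test default-inet1 destination-interface ge-0/0/0.0
set services rpm probe isp-monitor test default-inet1 next-hop 203.0.113.1

# Primary default route via ISP 1 with preference 8, as in the guide's example.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1 preference 8

# ip-monitoring policy: while the probe reports FAIL, install a default route
# via ISP 2 (ge-0/0/1, gateway 198.51.100.1 assumed).
set services ip-monitoring policy isp-failover match rpm-probe isp-monitor
set services ip-monitoring policy isp-failover then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1
```

Lines beginning with # are explanatory annotations. The route installed by the policy carries a lower (better) preference value than the configured preference-8 static route, so it takes over while the probe is failed and is withdrawn automatically once the probe passes again, which is what gives the fail-back behaviour. State can be checked on the device with show services ip-monitoring status and show services rpm probe-results.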
Security - Policies (SRX)
The screenshot below shows the Security Policies view in Sky Enterprise. There are two tabs available: Firewall and App Firewall.
Managing firewall security policies in the Firewall section of Sky Enterprise is simple. The top menu allows users to:
+ Add Security Policy Template
+ New Policy
Change Default Policy
Download
Expand all
Close all
Full policy detail
Firewall Policy Edit
The Device Policy edit screen loads for cloning/editing/creating security policies.
By typing in the address book/zone/application/dynamic application boxes Sky Enterprise starts to sort entries from these large lists.
Forgot to add an address book before editing the policy? Just select '+ Add addressbook entry'.
Logging, counting, or IDP can be enabled on the security policy by checking the corresponding boxes.
Also select your NGFW feature set like UTM from the drop down list.
Need to setup your IDP policy? Browse to the Security -> IDP item in the Action menu.
Policy Reorder
Reordering policies is simple with the Reorder function. This function is especially helpful when 'shadowing' occurs and you need to adjust the order of your policies.
Select the policies that you want to move, drag them to the desired location, then click 'Reorder Policies'.
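As an added example (not code from the guide or from Sky Enterprise), the Junos equivalent of the policy options and the reorder described above: a broad permit policy with logging, counting and IDP enabled, a more specific deny policy that is shadowed while it sits below the permit, and the insert command that moves it above. Zone names, the address-book entry and the policy names are assumed.

```junos
# Address-book entry for a group of servers (assumed range).
set security address-book global address web-servers 10.10.20.0/24

# Broad permit policy with logging, counting and IDP applied.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy allow-web then count

# Specific deny: servers must not initiate outbound HTTPS. Entered after allow-web,
# so it is shadowed (never matched) until it is moved above allow-web.
set security policies from-zone trust to-zone untrust policy block-servers-web match source-address web-servers
set security policies from-zone trust to-zone untrust policy block-servers-web match destination-address any
set security policies from-zone trust to-zone untrust policy block-servers-web match application junos-https
set security policies from-zone trust to-zone untrust policy block-servers-web then deny
set security policies from-zone trust to-zone untrust policy block-servers-web then log session-init

# Reorder: the specific deny goes above the broad permit so it is no longer shadowed.
insert security policies from-zone trust to-zone untrust policy block-servers-web before policy allow-web
```

Lines beginning with # are explanatory annotations. Policies are evaluated top down and the first match wins, which is why the order, not just the content, decides what traffic is permitted; after a reorder, show security policies from-zone trust to-zone untrust confirms the resulting sequence.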
Security - Zones (SRX)
Within the Security Zones section of Sky Enterprise users can create and edit security zones as well as address book entries. This includes adding or removing interfaces from zones, as well as host-inbound system services on the zone or on an interface in the zone.
New Zone Dialogue
Selecting +New Zone opens the Device Zone creation dialogue. This allows you to give your new security zone a name, select services and protocols for the zone, select an App Routing Profile and enable Application tracking. You can also add interfaces to the zone.
Editing an existing security zone will open this same dialogue.
Security - NAT (SRX)
Source NAT
Source NAT is the default NAT setup on SRX firewalls. It allows private internal networks (Trust Zone) to traverse and be translated to the public internet (Untrust Zone). A security policy is also needed to permit traffic.
New NAT Rule-Set
A New Rule Set dialogue is available. Rule sets are used to select source zones or interfaces (From) and destination zones or interfaces (To).
Edit NAT Rule
Within a rule set, rules are used to match traffic.
New NAT Pool
Source NAT Pools can also be created with "port no-translation". Pick a previously configured pool as the overflow pool from the drop down.
Destination NAT
Destination NAT is most commonly used for inbound Untrust to Trust traffic. For example using TCP port 4443 on the Untrust public IP for a Trust web server on TCP port 443.
Destination NAT Easy Wizard
To help build destination NAT rules, Sky Enterprise has a destination NAT wizard. This can be seen in the screenshot. The wizard walks users through creating destination NAT rules and can also create the corresponding security policies when the box is checked.
Static NAT
Static NAT is a 1:1 IP and port mapping.
Static NAT rule sets can be created/edited using the static dialogue.
Within the static NAT rule set, rules can be created and edited.
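As an added example (not from the guide or generated by Sky Enterprise), the Junos configuration for the three NAT types covered in this section: interface-based source NAT plus a source pool with port no-translation and an overflow pool, the guide's destination NAT case (TCP 4443 on the untrust public IP to a trust web server on TCP 443) with the security policy the wizard would create, and a 1:1 static NAT. Zone names, interface names and all addresses are assumed placeholders from the RFC 5737 and RFC 1918 ranges.

```junos
# --- Source NAT: trust -> untrust, translate to the egress interface address ---
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-all match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule snat-all then source-nat interface

# Source pool that keeps source ports unchanged ("port no-translation"); when the
# pool's addresses are exhausted, fall back to the interface as overflow pool.
set security nat source pool voip-pool address 203.0.113.10/32 to 203.0.113.12/32
set security nat source pool voip-pool port no-translation
set security nat source pool voip-pool overflow-pool interface

# --- Destination NAT: untrust 203.0.113.5:4443 -> trust web server 10.10.20.5:443 ---
set security nat destination pool web-443 address 10.10.20.5/32 port 443
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web-4443 match destination-address 203.0.113.5/32
set security nat destination rule-set from-untrust rule web-4443 match destination-port 4443
set security nat destination rule-set from-untrust rule web-4443 then destination-nat pool web-443

# Answer ARP for the public NAT address if it is not the untrust interface's own address.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.5/32

# Security policy for the inbound flow. Policies are evaluated AFTER destination
# NAT, so the policy matches the translated (private) address and port.
set security address-book global address web-server 10.10.20.5/32
set security policies from-zone untrust to-zone trust policy allow-web-in match source-address any
set security policies from-zone untrust to-zone trust policy allow-web-in match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web-in match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web-in then permit
set security policies from-zone untrust to-zone trust policy allow-web-in then log session-init

# --- Static NAT: 1:1 mapping of a public address to an internal host ---
set security nat static rule-set static-in from zone untrust
set security nat static rule-set static-in rule mail match destination-address 203.0.113.6/32
set security nat static rule-set static-in rule mail then static-nat prefix 10.10.20.6/32
```

Lines beginning with # are explanatory annotations. The policy matching the post-translation address is the detail most often missed when a NAT rule is built without the wizard's "create security policy" option: the translation succeeds but the session is dropped by policy. show security nat destination rule all and show security flow session destination-port 443 show whether the rule is being hit and the session created.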
Security - VPNs (SRX)
Sky Enterprise makes it easier for administrators to create and manage VPNs between their network devices. In the VPN section a list of existing VPNs is shown (if any exist), and the button to add an IPSec VPN using the Sky Enterprise wizard.
Clicking on the VPN wizard opens up a modal that requires basic details to be added to create the VPN. As shown below, the information required includes:
VPN Name
Local address range and policy zone
Tunnel details
Remote Address details
The wizard also includes an 'Advanced' section with further options, including mode and advanced IKE and IPsec details.
Security - IDP (SRX)
Sky Enterprise provides a simple interface for Intrusion Detection and Prevention (IDP) Policy and Custom Attack creation. Please note that you do not need any additional licensing in Sky Enterprise for this, but it is a licensed feature on the SRX device(s). Please ensure that the SRX you wish to configure IDP on is licensed (see device license checking in Sky Enterprise) and the IDP database is downloaded and installed.
For IDP specific questions, please refer to the IDP best practices guide at https://kb.juniper.net/InfoCenter/index?page=content&id=KB25915&actp=METADATA for more information.
Creating a new IDP policy
Select "+ New Policy" to start the policy creation modal.
Security - Applications (SRX)
Security applications, sometimes referred to as custom applications, can be created using Sky Enterprise. This application list contains port- and protocol-based custom applications. To create advanced L7 dynamic applications please see "App Firewall".
Navigating to security applications
On the device action menu select Security and then Applications.
View existing security applications
Navigating to the applications page under security will display any existing custom applications and application sets.
Application sets are groups of applications. A group can contain both custom applications and default applications such as junos-http.
Create custom security application
Towards the upper right of the Security Application page, users select "+ New Application".
Within the New Application modal users fill in the required information to create the custom application.
In the example shown to the right we set up a custom application for protocol TCP on port 3389 for Remote Desktop using the Standard type. To use term-based applications see the example below.
Selecting term based changes the modal to allow users to enter multiple terms.
Selecting Add Term opens the new modal displayed above for new Term creation.
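As an added example (not from the guide), the Junos definitions that correspond to the two dialogues above: the guide's Standard type application for TCP 3389, a term-based application that covers both TCP and UDP 3389 in one object, and an application set that groups a custom application with a predefined one. The object names are assumed.

```junos
# Standard type: a single protocol and destination port (the guide's RDP example).
set applications application rdp-tcp protocol tcp destination-port 3389

# Term based: several protocol/port terms under one application name.
set applications application rdp term rdp-tcp protocol tcp destination-port 3389
set applications application rdp term rdp-tcp inactivity-timeout 1800
set applications application rdp term rdp-udp protocol udp destination-port 3389

# Application set mixing a custom application with the predefined junos-ssh.
set applications application-set remote-admin application rdp
set applications application-set remote-admin application junos-ssh

# A policy references the set (or an application) by name.
set security policies from-zone trust to-zone servers policy admin-access match application remote-admin
```

Lines beginning with # are explanatory annotations. A standard application and a term-based one cannot share the same object, which is why the dialogue switches layout when term-based is selected.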
Security - Security Feeds (SRX)
Sky Enterprise’s Dynamic Security Feed enables SRX devices to subscribe to a feed to dynamically update their security policies. The following feeds are available in Sky Enterprise:
Microsoft Office 365 (O365)
Microsoft Azure
AWS
Sky Enterprise constantly checks the IP infrastructure lists of these vendor services and if a change is detected, the security feed is updated. This update is automatically applied to SRX devices that are subscribed to the feed without the need for a commit.
As shown below, feeds can simply be selected from a dropdown list.
Feeds can be selected individually or using the "_all" options e.g. "ms_azure_all".
Once selections are finalised, click the 'Submit' button and the feeds will be added to the SRX.
Adding Custom Feeds
You can create and maintain your own custom IP feeds in Sky Enterprise. These can then be added to your devices by selecting them from the list as shown above.
To create a new Custom feed, browse to the 'Settings' section and select the 'Dynamic Address Book Feeds' tab. Any existing Custom feeds will be shown in a list. You can add new feeds by selecting the 'Add Custom Security Feed' button.
To edit an existing Custom feed, click the Action menu, then Edit. In the Edit modal you can add or remove IP addresses from the feed.
Once a feed has been updated, any devices that are subscribed to the feed will be automatically updated.
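As an added example (not from the guide or pushed by Sky Enterprise as shown), the Junos dynamic-address configuration that makes a subscribed feed work without a commit on update: a feed server the SRX polls on a timer, a feed entry using the guide's "ms_azure_all" name, a dynamic address object bound to it, and a policy that references that object. The feed server hostname and path are assumed placeholders; the real values come from the Sky Enterprise portal.

```junos
# Feed server polled by the SRX. update-interval is how often (seconds) the list
# is refreshed; hold-interval is how long existing entries are kept if the server
# becomes unreachable, so a feed outage does not silently empty the policy.
set security dynamic-address feed-server sky-feeds hostname feeds.example.invalid
set security dynamic-address feed-server sky-feeds update-interval 300
set security dynamic-address feed-server sky-feeds hold-interval 3600

# One feed on that server (name from the guide, path assumed).
set security dynamic-address feed-server sky-feeds feed-name ms_azure_all path ms_azure_all/

# Dynamic address object populated from the feed.
set security dynamic-address address-name azure-all profile feed-name ms_azure_all

# Policy using the dynamic address like any address-book entry. The IP list behind
# azure-all changes as the feed changes; the policy itself never needs re-committing.
set security policies from-zone trust to-zone untrust policy to-azure match source-address any
set security policies from-zone trust to-zone untrust policy to-azure match destination-address azure-all
set security policies from-zone trust to-zone untrust policy to-azure match application junos-https
set security policies from-zone trust to-zone untrust policy to-azure then permit
```

Lines beginning with # are explanatory annotations. show security dynamic-address address-name azure-all lists the entries currently loaded, which is the quickest way to confirm that the device is actually receiving feed updates.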
DHCP
In the DHCP section you can create and manage the dynamic host configuration protocol capabilities of your SRX and EX devices.
As shown below, there are sections for managing DHCP Groups, and DHCP Pools.
To add a new pool select the 'Add New Pool' option at the top of the screen. When adding a new pool or editing an existing pool you are presented with a list of configuration items including:
Name
Domain
Name servers
Address range
Lease time
Routers
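As an added example (not from the guide), a Junos DHCP server pool that sets each of the items listed above, attached to a LAN interface on an SRX. Network, ranges, addresses, interface and domain name are assumed placeholders.

```junos
# Pool: network, address range, and the options handed to clients.
set access address-assignment pool lan-pool family inet network 10.10.30.0/24
set access address-assignment pool lan-pool family inet range r1 low 10.10.30.100
set access address-assignment pool lan-pool family inet range r1 high 10.10.30.200
set access address-assignment pool lan-pool family inet dhcp-attributes router 10.10.30.1
set access address-assignment pool lan-pool family inet dhcp-attributes name-server 10.10.30.1
set access address-assignment pool lan-pool family inet dhcp-attributes domain-name corp.example
set access address-assignment pool lan-pool family inet dhcp-attributes maximum-lease-time 86400

# DHCP group bound to the LAN interface; the pool is selected by the interface's subnet.
set system services dhcp-local-server group lan-group interface ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family inet address 10.10.30.1/24

# On an SRX the zone must also allow DHCP towards the device itself, or
# client requests are dropped before the server sees them.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
```

Lines beginning with # are explanatory annotations. show dhcp server binding lists the leases handed out, which is useful for cross-checking against the Connected Clients and ARP views in Sky Enterprise.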
Interfaces/VLANs
The Interfaces/VLANs menu allows the configuration and management of:
logical and physical interfaces, including Power over Ethernet (PoE)
VLANs
Ranges
Spanning Tree Protocol
Ethernet Switch Table
LLDP Neighbors
ARP Table
Interfaces
In the Interfaces tab you can view the device's interfaces, both logical and physical. The table view includes mode details, e.g. access or trunk mode, VLAN membership, DHCP, connected status and enabled status.
The Interface action menu also provides a link to view the real-time graph of each interface.
Configuring an interface is easy using the intuitive options. Physical interfaces can be edited by changing the description, enabling or disabling the interface, changing the encapsulation, and assigning Apply Groups.
Logical interface options include:
description
Admin status - enabled or disabled
Address family name
IP Address
DHCP
VLAN Tagging
VLAN
When changes are made to an interface, and the 'Save Interface Unit' button is clicked, the configuration changes will be applied to the device and committed.
Power over Ethernet
Sky Enterprise can also manage PoE ports on devices that have them.
Using the PoE feature you can view or edit PoE interfaces.
In the screenshot to the right we see the edit modal for PoE on an interface. Here we can enable/disable PoE, adjust the priority of the power on the interface, and set the maximum power for the interface.
VLANs
In the VLANs tab you can create and manage VLANs on your devices.
To create a new VLAN click on the 'New VLAN' button, then in the modal add:
Name
Description (optional)
VLAN ID
Ranges
Ranges provides an easy way to manage interfaces as a group. Using the Ranges feature in Sky Enterprise you can easily and quickly create and manage interface ranges.
To create a new Range click on the 'New Interface Range' button, then in the modal add:
Name
Members - select individual interfaces
Ranges - add in interface ranges, add additional lines as needed
VLAN - optional
To save the new range, click the "Set Interface Range" button.
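As an added example (not from the guide), the Junos configuration on an EX switch behind the Interfaces, PoE, VLANs and Ranges features above, and the LLDP setting the Topology view depends on: two VLANs, an access port, a trunk uplink, a DHCP-client routed interface, an interface range for phone ports, PoE settings on a port, and an unused port disabled. Interface names, VLAN names and IDs are assumed, and the port syntax is the ELS form (interface-mode) used on current EX software.

```junos
# VLANs: name, description (optional) and VLAN ID.
set vlans data vlan-id 10
set vlans voice description "IP phones" vlan-id 20

# Access port: description, admin status (enabled by default), mode and VLAN.
set interfaces ge-0/0/1 description "Desk 1"
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data

# Trunk uplink carrying both VLANs (VLAN tagging).
set interfaces ge-0/0/47 description "Uplink to core"
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members [ data voice ]

# Routed interface that obtains its address by DHCP.
set interfaces ge-0/0/0 unit 0 family inet dhcp

# Interface range: ports 2-12 configured as a group for phones.
set interfaces interface-range phones member-range ge-0/0/2 to ge-0/0/12
set interfaces interface-range phones unit 0 family ethernet-switching interface-mode access
set interfaces interface-range phones unit 0 family ethernet-switching vlan members voice

# PoE: enable/disable, power priority and maximum power per port.
set poe interface ge-0/0/2 priority high
set poe interface ge-0/0/2 maximum-power 15.4
set poe interface ge-0/0/13 disable

# Unused port left administratively down rather than live in the default VLAN.
set interfaces ge-0/0/14 disable

# LLDP is what populates the Topology and LLDP Neighbors views.
set protocols lldp interface all
```

Lines beginning with # are explanatory annotations. Saving an interface unit in Sky Enterprise applies and commits the equivalent of these statements; show interfaces terse and show ethernet-switching interfaces on the device show the resulting state, and show lldp neighbors shows what the Topology view is built from.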
Spanning Tree Protocol
There are still many networks running Spanning Tree Protocol, also known as Rapid Spanning Tree Protocol (RSTP). This Sky Enterprise feature makes it easy to configure and maintain RSTP in your network.
The 'RSTP Settings' option allows you to configure the RSTP settings, including:
Disable RSTP
Bridge Priority
Forward Delay
Hello Time
Max Age
Priority Hold Time
Using the Action menu, interfaces can be configured individually, including:
Disable RSTP
Cost
Priority
Node edge status
Enable reboot protect
All interfaces can be enabled simultaneously using the 'Configure RSTP for All Interfaces' button.
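As an added example (not from the guide), the Junos RSTP statements corresponding to the bridge-level and per-interface settings listed above, with BPDU blocking on edge ports added as the protection a practitioner would normally pair with edge status. Interface names and values are assumed.

```junos
# Bridge-level settings (bridge priority is a multiple of 4096, written as 4k, 8k, ...).
set protocols rstp bridge-priority 4k
set protocols rstp forward-delay 15
set protocols rstp hello-time 2
set protocols rstp max-age 20

# Uplink towards the root: explicit path cost and port priority.
set protocols rstp interface ge-0/0/47 cost 2000
set protocols rstp interface ge-0/0/47 priority 64

# Access port declared as an edge port so it forwards immediately.
set protocols rstp interface ge-0/0/1 edge

# Shut an edge port that receives a BPDU: stops an unexpected switch or
# loop on an access port from disturbing the topology.
set protocols rstp bpdu-block-on-edge

# RSTP disabled on one interface.
set protocols rstp interface ge-0/0/2 disable
```

Lines beginning with # are explanatory annotations. show spanning-tree bridge and show spanning-tree interface report the elected root, the port roles and any interface blocked by BPDU protection.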
Ethernet Switch Table, LLDP Neighbors and ARP Table
Clicking on these tabs gives you real-time information about your layer 2 network and adjacent devices.
System and Monitoring
The System and Monitoring section in the Devices Action menu is where you will find a range of visibility and monitoring tools for individual devices.
The System and Monitoring menu contains a range of tabs, including:
System Graphs - near real-time graphs showing CPU, Memory and temperature based on data gathered continuously every 5 minutes. Graphs are available in hourly, daily, weekly and monthly views. Graph data for weekly and hourly views is aggregated over time. For SRX and vSRX devices, a graph of security sessions is also provided.
Interface graphs - near real-time graphs showing ingress and egress traffic volumes on interfaces
Application and Network Risk (ANR) Reports - For SRX devices only. Reports showing details of applications and risks traversing the device. For best results devices must be configured to send syslog details to Sky Enterprise. Licenses for AppID, IDP, WebSense, Sky ATP and other services are required.
Commits - up to 50 of the last commits are listed in this feature, with options to compare and rollback.
Configuration Backup - when enabled on a device, Sky Enterprise will check the device every hour to determine whether the config has changed. If a change is detected, the new config will be uploaded to Sky Enterprise. Using this feature you can view, download and compare backups.
Licenses - Sky Enterprise lists all licenses detected on a device and the expiry date. Sky Enterprise can request new licenses from Juniper's License Management System, and request trial licenses.
Alarms - a display of Junos system and chassis alarms, with remediation activities on selected alarms.
Actions - a range of action items that make a network administrator's job a little easier, such as reboot options, system storage cleanup, and more.
Real-time Logs - the ability to view syslog (message or interactive) in real time on a device, and download those logs for further analysis.
Diagnostics - the ability to run commands like ping directly from the device.
RPM Probes - real-time performance monitoring is a great way to measure network performance from a device's perspective. This feature allows RPM probes to be created on a device quickly and easily, and the results to be visualised on graphs. Monitoring Policies can be added to take action when thresholds are breached e.g. to implement network interface failover.
System Graphs
In the System Graphs tab you will see near real-time graphs for a device showing CPU, Memory and Temperature based on data gathered every 5 minutes.
Graphs are available in hourly, daily, weekly and monthly view. Graph data for weekly and hourly views is aggregated over time.
For SRX and vSRX devices, a graph of security sessions is also provided.
Views can be changed on individual graphs using the radio buttons to the right of the graph, or for all graphs using the drop-down selector at the top left of the screen.
Interface Graphs
In this tab you can view graphs for all interfaces. Data is collected every 5 minutes and graphs are available in hourly, daily, weekly and monthly views. Note: data for weekly and monthly views is aggregated.
As shown below, graphs can be filtered using Unit, Connected or All options. Graphs can also be set to refresh automatically, either on a 5 minute or 10 minute interval - this is useful for displaying graphs on a monitor where there is no regular user interaction.
To select which interfaces are polled for data, use the 'Configure Monitored Interfaces' button in the top right corner. This is particularly useful for devices that are only reachable via low bandwidth connections and allows you to turn polling off for some or all your interfaces.
Selective Polling of Interfaces
Clicking on the 'Configure Monitored Interfaces' button will reveal the screen shown to the right.
In this screen you can select which interfaces you would like polled for data. You can turn individual interfaces on or off, and you can use the 'Select None' or 'Select All' buttons.
Newly enabled interfaces will start displaying data in a graph after 5 - 10 minutes.
Interfaces that are turned off will lose their metric history.
Commits
Sky Enterprise presents the commit history of a device in an easy to consume list. The list shows up to the last 50 commits made on the device, plus additional details like:
the user who made the commit
the client or method used e.g. CLI, netconf
the date of the commit
a log message (Note: log entry messages for Sky Enterprise commits can be customized in the Settings tab.)
As shown below, using the Action menu found alongside each commit in the list, several options are available. These include:
Show this commit
Show difference to running configuration (commit 0)
Rollback this commit
The Commit 0 (running commit) has a slightly different list of options, as shown in the image to the right.
You can view the entire configuration of the device by selecting 'Show Full Configuration'. The full configuration can also be viewed in the 'Config Backups' tab.
Config Backups
The Config Backups tab shows a history of configuration files for the device.
Backups are done automatically for the device configuration whenever a change has been detected. Configuration change checks are made hourly. If no change is detected the current latest backup in the list remains in place and unchanged.
For each backup entry in the list the action menu provides these options:
Show Config Backup - this displays the configuration file
Download Config Backup - the configuration file is downloaded to your device
Compare - this allows you to select a second configuration file from the same device and see highlighted differences between the configurations.
The image to the right shows an example of a configuration compare.
Enabling Config Backups
Config backups can be enabled for all new devices in the 'Settings' tab. For existing devices that do not have it enabled, this can be done on a device by device basis.
Config backups can be enabled on individual devices from the Device Details menu option in the 'Devices' tab.
To enable config backups for an individual device, ensure that the config backup box is ticked.
Actions
The Actions menu option provides a range of useful, automated actions commonly used by network administrators. Examples include:
Save rescue configuration
Renew DHCP leases
Reboot (multiple options)
Show full configuration
Request system cleanup
Junos CLI
The Junos CLI feature gives direct access to your device's command line interface from your browser.
Note: for security reasons this feature is only accessible to Administrators who have 2FA enabled on their account.
Device Details
The Device Details view includes:
Hostname
Model
IP Address
Uptime, reboot reason, last connection timestamp
Serial Number (Serial Numbers for VC and Clusters)
Alarm email address (online/offline notifications)
Enable/disable system metrics collection
Enable/disable Interface metrics collection
Enable/disable Security collection
Enable/disable config backup
Enable/disable syslog collection (for detailed ANR Reporting)
Latest config backup timestamp
Configlet
The Configlet is the Junos configuration snippet that enables the device to call home to Sky Enterprise to be authenticated and managed. It establishes and maintains a secure outbound SSH connection from the device to the Sky Enterprise platform (TCP port 4087 outbound). Because the device initiates the connection, no inbound firewall policy or NAT is required; the device only needs to be able to reach the platform on that port.
Configlets are unique per device and carry that device's identity and the credentials Sky Enterprise uses to access it, so treat them as secrets. They must not be copied and used on other devices.
Delete Device
Devices can be deleted from Sky Enterprise using this feature. During the delete process Sky Enterprise will attempt to remove the configlet from the device to prevent it from trying to reconnect.
Users
As a Juniper Sky Enterprise administrator, you can create and manage user accounts. In this section you can learn more about:
Creating New User Accounts
Activating User Accounts
Managing User Accounts
Resetting Passwords
Enabling Two Factor Authentication
Disabling Two Factor Authentication
Resetting Your Two Factor Authentication
Creating Multi-Tenant Users
Understanding User Roles
Creating New User Accounts
Login to Sky Enterprise.
Navigate to the Users tab.
Select Add User.
Enter the User's e-mail address.
Select an appropriate role for the user.
Click Create User.
Activating User Accounts
After the account is created, an activation link is e-mailed from Sky Enterprise. Use this link to activate your account.
*NOTE The activation link is valid for 48 hours.
To activate your user account:
Click the link you received in your e-mail
A password creation dialog box appears.
Enter your password and also confirm it.
Must contain 12 or more characters and at least three (3) of the following:
Uppercase
Lowercase
Numbers
Non-alphanumeric
Must not contain leading spaces, dictionary words, names, or personal information.
Click Confirm my account.
On the Edit User Details page, you can reset passwords and change roles for users. You can also opt users out of product update notifications.
Managing User Accounts
As a Sky Enterprise administrator, you can re-send activation requests, delete users, and edit user accounts. To perform these activities, navigate to the user account you want to manage, and follow these steps:
Re-send Activation Requests
From the action drop-down menu, select Resend Activation to re-send an activation request.
Delete Users
From the action drop-down menu, select Delete User to delete a user account.
Edit Users
From the action drop-down menu, select Edit User to edit a user account.
Resetting Passwords
If you are logged in to Sky Enterprise, you can reset your password using the action menu. Administrators can also reset another user's password.
*NOTE See Understanding User Roles.
To reset your password if you are not logged in:
Click Forgot your password? on the main login page.
When prompted, enter your e-mail address.
An email will be sent to your account with further instructions on how to reset your password.
Enabling Two Factor Authentication
Sky Enterprise supports two factor authentication with authenticator apps from many different vendors (Google Authenticator, Duo, etc.).
By enabling Two Factor Authentication (2FA) your account is more secure and you will have access to more features such as 'Junos CLI'.
To enable two factor authentication:
Log in to your Sky Enterprise account.
From the upper right corner of the UI, select the user icon and Two Factor Auth.
A QR code similar to the right image is displayed.
Scan your QR code with the two factor app on your phone.
Enter the resulting authentication code.
Your two-factor authentication is enabled and ready to use.
Disabling Two Factor Authentication
To disable your two factor authentication:
Log in to your Sky Enterprise account.
From the upper right corner of your GUI, select Two Factor Auth.
Provide the authentication code from your two factor application.
(Optional) Choose to get your code via e-mail.
Click Submit.
Resetting Your Two Factor Authentication
If two factor authentication is enabled but you are unable to generate two factor codes you can ask another administrator in your company to remove your account and recreate it.
Alternatively, during the login procedure you can request a two factor code to be sent to your email address. Note that this fallback means the second factor is only as strong as access to that mailbox.
If you continue to experience issues, contact Juniper Technical Assistance Center (JTAC) at support@juniper.net.
Creating Multi-Tenant Users
Sky Enterprise supports multi-tenancy. As a Sky Enterprise administrator, you can enable multi-tenancy using the Settings tab.
Once multi-tenancy is enabled, you can create tenants under your company name. You can also create, delete, and edit users within a tenant. Users within a tenant can only view devices in their company and not the parent devices.
1. From your main page, select the tenant you want to create, delete, or edit user in.
2. After you select a tenant, you will see the tenant change in the upper right corner of the GUI. Navigate to the Users tab and perform the desired action.
Understanding User Roles
The Sky Enterprise system provides predefined roles that you can assign to users to define administrative responsibilities and specify the management tasks that a user can perform in the system.
READ-ONLY
Read-only access to view interfaces and security related configuration details.
View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).
View graphs.
View and create ANR reports.
USER
Read-and-write access to interfaces and security related configuration.
View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).
View graphs.
View and create ANR reports.
Set and update device rescue configuration and auto recovery.
Administrator
Read-and-write access to interfaces and security related configuration.
View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).
View graphs.
View and create ANR reports.
Set and update device rescue configuration and auto recovery.
Create and edit user accounts.
Create and edit devices.
Create and edit managed service provider tenant companies (for MSP use case only)
Manage devices for tenant companies (for MSP use case only)
Read-only User Administrator - similar to the read-only role, except that it also allows you to create and delete read-only users:
Create and delete read-only users.
View interfaces and security related configuration details.
View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).
View graphs.
View and create ANR reports.
Configuration
The Configuration tab is home to the following functions:
Bulk Updates - providing the capability to update one or many devices in one action using a variety of configuration techniques.
Bulk Update Templates - a repository of custom and publicly available templates for making bulk updates easier and more flexible.
Junos Upgrade - upgrade your Junos devices easily with images hosted by Sky Enterprise.
Software Distribution - providing the capability for distributing images that you host in your network for device upgrades, and VNFs for deployment onto NFX devices.
Software Library - a repository of images and VNFs for the Software Distribution feature to call upon.
ZTP - the zero touch provisioning tab where configuration templates are created and stored, and devices are prepared and authorized.
Security Policy Templates - providing the capability to create and manage security templates, apply to devices and perform compliance checks.
Bulk Updates
The Bulk Updates feature enables single or multiple devices to be configured in one action. Target devices can be selected individually, on a per-site basis, or using tags. Once selected, devices can be updated using one of the following options:
Set commands
Junos Configuration
Using templates, with or without variables
To start a new Bulk Update job, click the green 'New Update' button on the right of the screen.
New Bulk Update Jobs
Bulk Update job using Set Commands or Junos Configuration
Perform the following steps to create a new Bulk Update job using Set Commands or Junos Configuration:
Scheduled or immediate - if you intend to run the job immediately, leave the Scheduled Update option set to 'No'. If you intend to schedule the job for later, select 'Yes', then choose the date and time. Note: Bulk Update jobs cannot be scheduled during Sky Enterprise advertised maintenance windows.
Select devices - select individual devices, entire sites, or tags. Selections are cumulative, i.e. all devices from each selection option are included in the list.
Input type - for Set Commands and Junos Configuration, the 'Basic' option must be used.
Configurations - choose between Set Commands and Junos Configuration.
Enter the configuration changes that you wish to apply to the device(s)
Update - to apply the changes click the 'Update' button.
Once the 'Update' button has been clicked, a dialogue box asks you to confirm that you want to run the job and configure the selected devices.
Click 'Proceed' to continue.
The Bulk Update will commence and progress logs will scroll in the dialogue box, showing the job's progress.
Updates and commits can take 30-40 seconds to complete, especially on smaller Juniper devices.
When the Bulk Update is complete a report will appear. The report has several sections.
The top section shows a summary of the update, including successes and failures.
The next section lists the target devices.
The 'Input' section shows the configuration changes that were applied to the devices.
The log shows details of each change on a per-device basis. If a device fails to update, the error log specifies the reason for the failure.
An email is sent to the user who ran the Bulk Update with a summary of the operation.
The on-screen report can be downloaded as a PDF using the button at the bottom of the report.
Scheduled Bulk Update
To run a Scheduled job:
select the 'Yes' option at the top right of the screen
select the date that you want to run the job on
select the time* that you want the job to start
proceed with the rest of the setup of the job
*Time relates to your local timezone.
When the job is initiated a message appears to confirm the details and schedule.
Click 'proceed' to accept and continue.
Bulk Update Job using Template
To create a Bulk Update job using a template, you must first create your template in the 'Bulk Update Templates' tab. For details on how to create a template, see the 'Bulk Update Templates' section below.
Bulk Update Templates can include variables. Where variables are used you can specify values for each device, allowing for a unique configuration to be applied to multiple devices through a single operation.
To create a Bulk Update job using a template:
Choose scheduled or immediate option
Select the devices to be updated
From 'Input Type' select 'Advanced'
Select a template from the dropdown list
Depending on your template, a list of options will be displayed alongside your target devices
Devices and inputs can be shown as a list or a table by selecting the desired input format on the right
Enter the value for each variable against the appropriate device
Once complete, initiate the job by clicking on 'Update' and following the normal process
Bulk Update Templates
The Bulk Update Templates tab is the location for creating, editing and storing templates used for performing advanced Bulk Updates on your devices, including variables.
Create New Bulk Update Template
To create a new Bulk Update Template:
Click on the 'New Template' button
Complete the form by adding a template name, description and selecting Set Commands or Junos Configuration
Add in the commands or configuration
To create a variable replace the value in the configuration with a variable name enclosed in double curly/moustache brackets
Click 'Save'
The template will now appear in your saved list of templates and will be available for selection from the templates dropdown list in the Bulk Update job tab.
Junos Upgrade
The Junos Upgrade feature provides a simple method for upgrading Junos devices using images hosted by Sky Enterprise.
Sky Enterprise typically hosts mainstream image versions, including Suggested Releases. If you need to install an image that is not currently available on Sky Enterprise, you can use the Software Library and Software Distribution features, which allow you to host images on your own network. [Note: The Software Distribution mechanism can fail due to file copy and disk space issues on certain Juniper devices, particularly smaller EX devices.]
The image below shows the Junos Upgrade feature plus a history of upgrades performed.
To perform Junos Upgrade on a device:
select the device from the list
select the image that you want to upgrade to
Select Stage or Upgrade
Sky Enterprise checks for available disk space on the device. If there is sufficient space, the 'New Upgrade' button is enabled.
Advanced features are also available should you need them. These include:
Request system cleanup
Reboot options - yes/no
Validate / No validate
An example of advanced features is shown below.
Zero Touch Provisioning (ZTP)
ZTP is a process whereby a factory new Juniper device can 'call home' to Sky Enterprise to be configured after being unboxed, powered on and plugged into a network. The process is simple to setup within Sky Enterprise and provides a fast and reliable way to deploy new devices without requiring onsite engineers and truck rolls.
The image below depicts the steps involved in a successful ZTP deployment.
ZTP Supported Devices
ZTP is made possible by a feature in Junos called 'phone home'. It is initiated when a device boots: the device polls, or 'calls home' to, a Juniper provisioning service to determine the address of its configuration service. The provisioning service inspects the device's serial number and looks up which configuration server that serial number is associated with. Therefore, if a new Junos device has been added to Sky Enterprise, its request to be configured is sent to Sky Enterprise.
The table below shows the type of devices, and the version of Junos, that supports ZTP.
Note: ZTP is limited to branch devices only; high-end devices are not currently supported.
Performing a ZTP Deployment
To perform a ZTP deployment the following steps are to be observed.
Step 1 Power on a device that has the 'phone home' feature in Junos available (see list above of compatible devices and Junos versions). Not all Branch SRX, EX and NFX devices shipping from the factory are ZTP capable.
Step 2 Plug the device into a network that provides DHCP with DNS, so that the device can reach the internet and resolve the required hostname, i.e. redirect.juniper.net.
Step 3 Login into Sky Enterprise and add a new device, selecting the ZTP option. Choose an appropriate template and add the target device's Serial Number.
Step 4 The device will call home and be directed to Sky Enterprise. When Sky Enterprise receives a request from the device, it sends an email to the user who created the new device, requesting authorization to configure the device. This authorization step is a security measure: the serial number is the only identifier the device presents, and serial numbers are not secret, so a named user must approve each device before it receives your configuration.
Step 5 Once authorized Sky Enterprise will configure the device, including the configuration required to connect to Sky Enterprise for management. Typically configuration takes 10-15 minutes, after which time the device will appear online in the Sky Enterprise dashboard.
ZTP Templates
Junos mandates the use of XML for ZTP templates. In this section of Sky Enterprise you can:
view, create, edit and delete ZTP templates
add or remove users who can authorize ZTP deployments for a particular template
Managing ZTP Devices
The screenshot below shows the ZTP Devices in the ZTP tab. The list of devices includes several columns:
Action Menu - options for editing and managing the device
Name - device name including company name and serial number
ZTP Template
Serial Number
Authorization status
State:
Entitle - the serial number is in the process of being added to the provisioning server
Start - Sky Enterprise is ready, device not yet detected
Bootstrap complete - the device has been given the final ZTP configuration
Configuration Failed - there were commit errors, and the device couldn't commit the configuration. (This usually is a result of an issue with the template or variable data. You can follow troubleshooting procedure: https://github.com/Juniper/sky-enterprise-templates/tree/master/ztp).
A list of all existing templates is shown within the tab. Templates can be edited using the Action menu, including:
Show Configuration - this shows the existing template details
Edit - allows the template and template properties to be edited, including the list of users permitted to authorize devices using this template
Delete
Create a New ZTP Template
ZTP templates must be in XML format; this is mandated by Junos. If you are unfamiliar with XML, there are a few things you can do:
Use one of the published ZTP templates from Juniper Sky Enterprise's Github repository - https://github.com/juniper/sky-enterprise-templates
Use the configuration of an existing Juniper device as the basis for your new template, by logging into the CLI and issuing the command "show configuration | display xml". Review the output before pasting it into the Sky Enterprise dialog box: it contains that device's host name, addressing and any encrypted passwords and keys, which you will normally replace with variables or remove.
Follow these steps to create a new template:
Click on the 'Add ZTP Template' button
Give the template a name and description
Select one or more users who are permitted to authorize ZTP transactions for new devices using this template
Add in your XML configuration details
To create variables within the template, simply replace the configuration item with a variable name enclosed by double curly (moustache) brackets e.g. <host-name>{{ hostname }}</host-name>. When the template is used, the user will be prompted to provide a value for this variable that will be applied to the configuration when the ZTP template is deployed.
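The {{ variable }} mechanism shared by Bulk Update Templates and ZTP templates, as an added example in Python (not Sky Enterprise code): it finds the variables a template needs, rejects any device row with an unset or empty value before anything is pushed (the usual cause of the 'Configuration Failed' ZTP state noted above), and escapes values substituted into XML so the ZTP template stays well-formed. The templates, serial numbers and per-device values are constructed for the example.

```python
"""Render {{ variable }} templates for a set of devices, with validation.

Added example in Python (not Sky Enterprise code). It shows the variable
mechanism that both Bulk Update Templates and ZTP templates use, and the
check that catches the most common cause of a 'Configuration Failed' ZTP
state, a missing or empty variable value, before anything is pushed to a
device. Values substituted into an XML template are escaped so the result
stays well-formed XML; values for set-command templates are left as-is.
The templates, serial numbers and per-device values are constructed.
"""
import re
from xml.sax.saxutils import escape

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def variables_in(template):
    """Distinct variable names, in order of first appearance."""
    names = []
    for name in PLACEHOLDER.findall(template):
        if name not in names:
            names.append(name)
    return names


def render(template, values, xml):
    """Substitute values into the template.

    Raises KeyError naming every variable that is unset or empty, so a
    partially filled device row is rejected instead of producing a
    configuration with blanks in it.
    """
    missing = [v for v in variables_in(template) if not values.get(v)]
    if missing:
        raise KeyError("unset template variables: " + ", ".join(missing))

    def substitute(match):
        value = str(values[match.group(1)])
        return escape(value) if xml else value

    return PLACEHOLDER.sub(substitute, template)


def render_for_devices(template, per_device, xml):
    """Render once per device. Returns ({serial: config}, {serial: error});
    one bad row does not stop the others from being rendered."""
    rendered, errors = {}, {}
    for serial, values in per_device.items():
        try:
            rendered[serial] = render(template, values, xml)
        except KeyError as exc:
            errors[serial] = str(exc)
    return rendered, errors


# Constructed ZTP-style (XML) and Bulk Update-style (set command) templates.
ZTP_TEMPLATE = """<configuration>
  <system>
    <host-name>{{ hostname }}</host-name>
    <name-server><name>{{ dns1 }}</name></name-server>
  </system>
</configuration>
"""
SET_TEMPLATE = (
    "set system host-name {{ hostname }}\n"
    "set system name-server {{ dns1 }}\n"
)

# Constructed per-device values; the second device is missing dns1 on purpose.
DEVICES = {
    "JN1234AB0001": {"hostname": "branch-01", "dns1": "192.0.2.53"},
    "JN1234AB0002": {"hostname": "branch-02"},
}

if __name__ == "__main__":
    ok, bad = render_for_devices(ZTP_TEMPLATE, DEVICES, xml=True)
    for serial, config in ok.items():
        print(serial, "->", config)
    for serial, err in bad.items():
        print(serial, "REJECTED:", err)
    print(render(SET_TEMPLATE, DEVICES["JN1234AB0001"], xml=False))
```

Validating every row before rendering any of them is the point: a bulk job or ZTP run that fails on the device leaves you reading commit errors, whereas a missing value is trivial to report up front.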
Adding Devices to Sky Enterprise
Manually adding devices to Sky Enterprise using a configlet
Sky Enterprise reads a device's configuration in real time as data is needed. This allows the device to be the system of record: any changes made at the CLI or with other tools outside Sky Enterprise are read the next time that data is needed by Sky Enterprise.
Junos devices which already have a configuration can simply be added to Sky Enterprise and their configuration will be read in automatically.
To add your Junos device to Sky Enterprise, use the following steps:
When logged into Sky Enterprise navigate to the Home->Devices page.
From here click +Add Devices
Give your device a display name
Select which category of device it is: firewall, switch, or NFX.
A per-device, auto-generated configlet is then displayed in a pop-up window. It can be retrieved at any time from the device's Action Menu->Configlet, and it is also emailed to you. Because the configlet contains the credentials Sky Enterprise uses to access the device, treat the emailed copy as you would any other credential.
Add the configlet to your device:
SSH to the device using terminal session software (such as PuTTY for Windows, or Terminal/iTerm for the Mac). Log in to the device with your usual administrator credentials.
Enter configuration mode
nnorman-laptop:~ nnorman$ ssh 10.0.204.2
Last login: Tue Oct 29 20:28:05 2019 from 192.168.2.105
--- JUNOS 18.3R2.7 built 2019-05-03 08:42:18 UTC
nnorman@lab-srx300>
nnorman@lab-srx300> configure
Entering configuration mode
[edit]
nnorman@lab-srx300#
Paste the configuration snippet and perform a commit or commit confirmed.
You should see the device transition to an Online status briefly. If not perform the Troubleshooting steps.
Adding Devices using Zero Touch Provisioning (ZTP)
New Junos devices that support phone-home ZTP (see ZTP Supported Devices) ship with it enabled in the factory default state. Together with IP information passed by DHCP, this provides a true zero touch setup and enrollment in Sky Enterprise.
The DHCP server should pass IP, router (default route), dns servers, and network time.
*NOTE Please consult your DHCP server's manual for specific setup instructions, or your internet service provider if connecting to an Internet link.
From the factory state, Juniper SRX devices are set up as DHCP clients on port ge-0/0/0, and Juniper EX devices are set up as a DHCP client on irb.0 (all interfaces are in the default VLAN for irb.0).
Once powered on and connected to the network the device should have IP connectivity to Sky Enterprise. See Troubleshooting device connectivity issues.
The same process outlined above to Add a Device is followed in part.
From the Devices tab in Sky Enterprise click +Add Device.
Give your device a display name.
Select a device Category.
NOTE From this step on the procedure differs from the manual device add procedure.
Select Create ZTP Device.
Input the Devices Serial number.
Select the appropriate ZTP Template and input any Variables.
NOTE ZTP templates can be found in the Sky Enterprise github repo
Select Create Device.
Automated - Sky Enterprise enrolls the serial number in the redirect service (redirect.juniper.net).
Automated - The device makes an outbound SSL connection.
Automated - The device transitions to an 'authorization required' state.
Authorize the device in Sky Enterprise on the Configuration>ZTP page, or using the authorization email link sent to user(s) associated to the ZTP template.
At this point the device will download and apply the configuration based on the provided ZTP template. Under Configuration>ZTP users can see the State of the device. Below we can see a successful ZTP with the device State being configuration-applied. The device is also Online in Sky Enterprise at this time.
Removing Devices from Sky Enterprise
Devices can be deleted from Sky Enterprise using the Delete Device option under Action menu. When you delete a device, Sky Enterprise attempts to delete the configlet from the device if the device is still connected to it.
Manually deleting Sky Enterprise configuration from your device
If your device is not connected to Sky Enterprise, the system cannot delete the configuration snippet and you must delete it manually. Remove both the outbound-ssh clients and the Sky Enterprise login user, so that neither the call-home connection nor the credential remains on the device.
Here is an example to show how you can remove the configuration snippet yourself:
Log in to your device.
Enter the configuration mode.
Check/Remove the outbound-ssh setup.
Remove the authentication user for Sky Enterprise
commit
nnorman@lab-srx300> show configuration system services outbound-ssh
client skyenterprise-ncd01 {
device-id somedevice-id;
secret ""; ## SECRET-DATA
keep-alive {
retry 3;
timeout 5;
}
services netconf;
skyent-ncd01.juniper.net {
port 4087;
retry 1000;
timeout 60;
}
}
client skyenterprise-ncd02 {
device-id somedevice-id;
secret ""; ## SECRET-DATA
keep-alive {
retry 3;
timeout 5;
}
services netconf;
skyent-ncd02.juniper.net {
port 4087;
retry 1000;
timeout 60;
}
}
nnorman@lab-srx300> configure
Entering configuration mode
[edit]
nnorman@lab-srx300# delete system services outbound-ssh client skyenterprise-ncd01
[edit]
nnorman@lab-srx300# delete system services outbound-ssh client skyenterprise-ncd02
[edit]
nnorman@lab-srx300# delete system login user skyenterprise
[edit]
nnorman@lab-srx300# commit and-quit
commit complete
Exiting configuration mode
Software (Firmware) Updates
Software Distribution
From the Configuration>Software Distribution page, users can schedule or run device firmware upgrades as well as stage VNFs.
If 'Schedule Update' is not set to 'Yes', the job runs immediately when Create is selected.
Method type:
Stage - copies the file to the device(s).
Upgrade - copies and upgrades the device(s) with a reboot
The 'On which devices' selector lets you mix and match several elements: individual devices, site IDs and/or tags. All devices matching any of the selections are included.
Software Library
You can add Junos software images or VNF files to the Sky Enterprise software library. This allows you to upgrade images or distribute VNF files to one or many Juniper Networks devices easily using the Sky Enterprise software distribution feature.
To use the Sky Enterprise software distribution feature, software images are placed on a file server in your network or another location reachable from your devices.
To add an image to the Sky Enterprise software library:
Select Configuration>Software Library.
Click New Software Image.
Add the image details, including the URL, size, and checksum
Click Submit.
You can now use the image or files under the Software Distribution tab.
*NOTE Coming soon: Junos images hosted in Sky Enterprise.
Creating an MD5 Checksum for Your Software Image
The Sky Enterprise software distribution system requires you to provide an MD5 checksum of the Junos or VNF image file. This enables the system to check the file once it has been copied to the device, confirming that it arrived intact.
An MD5 checksum is a fixed-length hash that acts as a fingerprint for a file: if the file changes due to a file transfer fault, a disk error or non-malicious meddling, the checksum no longer matches. Note that MD5 is not collision resistant, so this check protects against accidental corruption, not against a deliberately substituted image; obtain images and their published checksums from a trusted source over a trusted channel.
Vendor Supplied Checksum
Depending on where your software image is coming from you might have an option to obtain an MD5 checksum from a provider. For example, you can obtain an MD5 checksum for a Juniper Networks vSRX image.
Here is an example of Juniper Networks software download site with links to MD5 checksums for each image. Download the MD5 file, open it using a text editor, and copy the string.
Create Your Own MD5 Checksum
If you don’t have a supplied MD5 checksum file, you can create one by using a checksum tool.
Depending on your operating system, there are different ways to obtain a checksum from a file.
For Windows systems
There is a utility called FCIV (File Checksum Integrity Verifier) that is available from Microsoft. For instructions on how to download and use the utility, see https://support.microsoft.com/en-us/help/841290. Current Windows versions also include certutil, which prints an MD5 with: certutil -hashfile <filename> MD5
For Unix-based systems
Unix-based systems, like macOS or Linux, usually include tools to get checksums. The command is either md5 or md5sum, depending on the distribution. Junos itself can compute the checksum of a file already on the device with 'file checksum md5 <path>'.
For example:
user@host$ md5 junos-srxsme-15.1X49-D70.3-domestic.tgz
MD5 (junos-srxsme-15.1X49-D70.3-domestic.tgz) = 07453173a9db4b2f034f2ab9f0ad2711
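Verifying an image against a vendor-supplied checksum, as an added example in Python (not Sky Enterprise code): it computes the MD5 that Sky Enterprise asks for, parses both the 'MD5 (file) = hash' layout shown above and the 'hash  file' layout printed by GNU md5sum, and compares the digests in constant time. The image bytes and checksum file are constructed in a temporary directory; the file name is not a real Junos package.

```python
"""Verify a software image against a vendor-supplied MD5 checksum.

Added example in Python (not Sky Enterprise code). It computes the MD5 that
Sky Enterprise asks for, parses the two common checksum-file layouts
('MD5 (file) = hash' as printed by BSD/macOS md5 and shown above, and
'hash  file' as printed by GNU md5sum), and compares digests in constant
time. The image bytes and checksum file are constructed in a temporary
directory; the file name is not a real Junos package.
"""
import hashlib
import hmac
import os
import re
import tempfile

CHECKSUM_LINE = re.compile(
    r"^(?:MD5 \((?P<bsd_name>.+)\) = (?P<bsd_hash>[0-9a-fA-F]{32})"
    r"|(?P<gnu_hash>[0-9a-fA-F]{32})\s+\*?(?P<gnu_name>\S+))\s*$"
)


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large images fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Map base file name -> lower-case MD5 for every non-blank line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = CHECKSUM_LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        name = match.group("bsd_name") or match.group("gnu_name")
        value = match.group("bsd_hash") or match.group("gnu_hash")
        result[os.path.basename(name)] = value.lower()
    return result


def verify_image(path, expected_md5):
    """True if the file's MD5 equals expected_md5 (constant-time compare)."""
    return hmac.compare_digest(file_digest(path, "md5"), expected_md5.lower())


def demo():
    """Check a good copy, then a copy with one corrupted byte."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "junos-srxsme-example.tgz")
        with open(image, "wb") as f:
            f.write(b"constructed image bytes, not a real Junos package\n" * 1000)
        # Vendor-style checksum file written from the known-good copy.
        checksum_text = f"MD5 ({os.path.basename(image)}) = {file_digest(image)}\n"
        expected = parse_checksum_file(checksum_text)[os.path.basename(image)]
        good = verify_image(image, expected)
        with open(image, "r+b") as f:      # simulate a transfer fault
            f.seek(10)
            f.write(b"X")
        corrupted = verify_image(image, expected)
    return good, corrupted


if __name__ == "__main__":
    good, corrupted = demo()
    print("intact copy verifies:", good, " corrupted copy verifies:", corrupted)
```

The second result is False because a single flipped byte changes the digest. Because MD5 collisions can be manufactured, treat this as a transfer-integrity check only: where the vendor also publishes a SHA-256, pass "sha256" to file_digest and compare against that as well.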
Settings
General
Add Company Logo
Add your own logo to Sky Enterprise with this feature. Select a file from your computer (PNG or JPEG), then click UPDATE at the bottom of the page. The logo will display in the top right corner of the screen (replacing the Juniper Networks logo).
Note: The recommended dimensions for the image are 255 x 116 pixels with a white background.
Share Logo with Tenants
If you have added your own logo file, and you have enabled the Multi-tenancy feature in Settings, you can tick this box to share your logo with your tenants. This is useful for managed service providers who give their customers a login to Sky Enterprise.
Custom Commit Message
To make it clear to other system administrators, you can set a commit message that is displayed for all config changes made by Sky Enterprise. As an additional option, you can tick the box to include the Sky Enterprise username in the commit message.
Enable Global Device Alarms
Selecting this option will display all device alarms in a new 'Alarms' tab in the Home page.
Note: alarms for individual devices are always available in the 'Alarms' tab in the device's System and Monitoring menu area.
Enable Junos CLI Web Console
Selecting this option enables the web-based Junos CLI feature, allowing users to access managed devices' CLIs directly from Sky Enterprise.
Note: For security reasons, this feature is only available to Admin users with 2FA enabled.
Enable JTAC Support of my company/devices
Selecting this option allows Juniper's JTAC engineers to view and manage your devices via Sky Enterprise. This is particularly useful when they are assisting with troubleshooting or fixing a technical issue. As it grants management access to your devices, enable it for the duration of the support case and disable it afterwards.
Enable Multi Tenancy
Select this option to enable the multi-tenancy feature. Once enabled a new 'Tenants' tab will appear on the 'Home' page. In this tab you can create new tenants under your company, then add managed devices and users to the tenant company.
Logical Firewall (MTFW) Services
The MTFW feature allows virtual router (VR) instances to be managed as separate logical units within Sky Enterprise. This is particularly useful for service providers using SRX devices to create small firewall instances for multiple customers.
Enabling this feature will add a new 'Services' tab to the home page.
Aerohive/Extreme Wifi
Sky Enterprise includes an API integration to Aerohive/Extreme cloud-managed Access Points. By adding your Aerohive/Extreme credentials you can view and monitor your APs and clients directly from the Sky Enterprise portal.
Note: Access Point configuration is not currently supported in Sky Enterprise, link through to the Aerohive portal to perform configuration actions.
Mist WiFi Integration (Premium Feature)
Sky Enterprise includes an API integration to Mist Systems' cloud-based portal. By adding your Mist credentials into Sky Enterprise you can view and monitor your Mist APs and clients directly from the Sky Enterprise portal.
To configure Mist APs, use the context sensitive cross-launch option in Sky Enterprise to open the Mist portal to configure the AP you are currently working on.
Note: From 1st June 2020 this becomes a premium feature requiring a separate license.
Metric Collection on New Devices
With this option selected, all new devices added to Sky Enterprise will automatically be configured for periodic (5 minute) metric collection of performance statistics e.g. CPU, memory, temperature, bytes in/out, security session count.
Metric collection can be enabled or disabled on a per-device basis in the 'Device Details' menu option. Disabling metric collection is often used to reduce traffic between devices and Sky Enterprise; this is particularly useful where low bandwidth or high data costs are involved, e.g. satellite links.
Security Collection on New Devices
For Juniper SRX devices, Sky Enterprise collects security related data from devices periodically (5 minute intervals). This data is used to produce detailed security reports, called Application and Network Risk (ANR) Reports. The data collected includes applications in use, AAMW statistics, web filtering statistics, IDP statistics and more.
Security collection can be enabled or disabled on a per device basis in the 'Device Details' menu option.
Config Backups on New Devices
With this option selected, all new devices added to your company will be enabled for configuration backup. Configuration backup works by checking your device(s) on an hourly basis to determine whether the configuration has changed. If a change is detected, the current configuration is downloaded to Sky Enterprise.
Config backups can be enabled or disabled on a per device basis in the 'Device Details' menu option.
Use RADIUS for New Devices
Selecting this option automatically selects the 'RADIUS' option when adding a new device. With it, a username and password must be provided when creating a new device for the account Sky Enterprise uses to access the device, instead of Sky Enterprise using the default username and generating a unique random password.
Because the user sets the username and password, those credentials can be added to the RADIUS server so that the device can authenticate Sky Enterprise against RADIUS.
License Expiry Warning Days
Sky Enterprise automatically tracks license expiry dates by looking up data on Juniper's license management system. Use this setting to enable license expiry warnings and specify how many days' notice you'd like. To disable the warning, set the days to '0'.
License expiry warnings are raised as 'Alarms'. These are visible from the 'Alarms' tab on individual devices under the 'System and Monitoring' menu area, or on the 'Alarms' tab on the Home page if the 'Enable Global Alarms' option is selected in the 'Settings' tab.
Commit Confirm
Junos is famous for its commit confirm feature that allows a commit to automatically roll back after a timer expires if the commit is not confirmed by the user. This is useful for ensuring a commit change does not disconnect the user from the device e.g. an incorrect routing update on a remote SRX.
By selecting the 'Commit Confirm' option in Sky Enterprise, the system will automatically confirm commits after a change is made if the device is still accessible. If the device is not accessible the commit will roll back. This operation is performed by Sky Enterprise without any involvement from the user at the UI level.
Enabling this feature also requires the user to select the timeout in minutes that Sky Enterprise will set for each commit confirm.
Licensing
Sky Enterprise is licensed on a per device basis, based on concurrently connected devices. Licensing is not tied to specific devices or serial numbers, so devices can be added and removed at will.
The 'Licensing' tab shows the number of devices your company currently has connected to Sky Enterprise.
Device counts are listed in their respective license groups: Group A, Group B and Group C.
Devices that do not map to a specific license group are listed in the 'Unknown' section. This may include devices that are connected to but not officially supported by Sky Enterprise, for example MX devices.
Devices that have been added to Sky Enterprise but have not yet connected are listed in the 'Undefined' section. Only once a device connects to Sky Enterprise can the model be determined and a license group allocation be made.
Sky Enterprise currently operates a trust-based system: users monitor how many devices they connect to the platform according to their license entitlements; limits are not enforced by the system.
Dynamic Address Book Feeds
On Juniper SRX devices Sky Enterprise supports a feature called 'Security Feeds'. This feature is available from a device's configuration menu under the 'Security' section. It allows an SRX to subscribe to a feed containing a list of IP addresses that can be used as an allowlist or a blocklist for allowing or denying traffic.
Sky Enterprise includes a number of dynamically updated Security Feeds, including Office365, MS Azure and AWS IP lists. These lists change quite frequently, so subscribing SRX devices to them saves time and effort and provides a better experience for users on the network. If these vendors change the IP lists for their products (O365, Azure, AWS), Sky Enterprise automatically updates the feed and the SRX remains current without any action required from an administrator.
Custom Security Feeds
Sky Enterprise also allows the addition of Custom Feeds where an administrator can create their own blocklist/allowlist and subscribe their SRX devices to the feed. Updating the list will immediately propagate the changes through to all subscribed SRXs, making it a highly efficient way of managing security lists across a large network.
To create a new Custom Feed, click the 'Add Custom Security Feed' button, give the feed a name and add IP addresses to the list. The new feed will appear in the list. Feeds can be edited at any time using the 'Edit' option from the action menu.
IP addresses can be added to a list as either a range e.g. 10.1.10.0/24, or as individual IP addresses e.g. 10.1.10.23.
Once Custom Feeds have been created they can be assigned to individual devices from the 'Devices' tab, using the 'Security Feeds' menu option.
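As an added example (not part of the Sky Enterprise product or this guide), the following Python script validates a list of custom feed entries before they are typed into a feed. It accepts the two forms described above, a range such as 10.1.10.0/24 and a single address such as 10.1.10.23, reports entries that do not parse (including a prefix with host bits set, which is usually a typo), and collapses entries that overlap so the feed pushed to the subscribed SRX devices has no redundant lines. The sample entries are constructed for the example.

```python
"""Validate entries for a Custom Security Feed before adding them.

Added example, not Sky Enterprise code. Entries may be a range in CIDR
notation (10.1.10.0/24) or a single address (10.1.10.23).
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample entries, as an administrator might paste them.
SAMPLE_ENTRIES = [
    "10.1.10.0/24",   # range from the guide
    "10.1.10.23",     # single host from the guide; already inside the range above
    "192.0.2.5",
    "192.0.2.0/24",
    "10.1.20.7/24",   # host bits set: most likely a typo for 10.1.20.0/24
    "not-an-ip",
    "2001:db8::/32",  # IPv6 entries are accepted and kept in their own family
]


def parse_entry(entry: str) -> Network:
    """Parse one entry strictly.

    strict=True makes ipaddress reject '10.1.20.7/24' rather than silently
    treating it as 10.1.20.0/24, so a mistyped prefix is surfaced instead of
    quietly changing which addresses the SRX policy matches.
    """
    return ipaddress.ip_network(entry.strip(), strict=True)


def build_feed(entries: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (accepted, rejected).

    accepted: collapsed, sorted CIDR strings with overlaps removed
    rejected: original entry -> reason it was not accepted
    """
    v4: List[ipaddress.IPv4Network] = []
    v6: List[ipaddress.IPv6Network] = []
    rejected: Dict[str, str] = {}
    for raw in entries:
        try:
            net = parse_entry(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
            continue
        if net.version == 4:
            v4.append(net)
        else:
            v6.append(net)
    # collapse_addresses merges adjacent networks, drops any network already
    # covered by another one, and yields the result in sorted order.
    accepted = [str(n) for n in ipaddress.collapse_addresses(v4)]
    accepted += [str(n) for n in ipaddress.collapse_addresses(v6)]
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = build_feed(SAMPLE_ENTRIES)
    print("feed entries:", ", ".join(ok))
    for entry, reason in bad.items():
        print(f"rejected {entry!r}: {reason}")
```

Rejecting rather than auto-correcting a prefix with host bits set is deliberate: a feed entry decides which traffic an SRX allows or denies, so a silently widened or narrowed range is worse than a message asking the administrator to retype it.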
Troubleshooting
Troubleshooting Device Connectivity Issues
If you’ve added your Juniper Networks device to Sky Enterprise and it’s not showing as online, follow these steps to ensure that the path from your device to Sky Enterprise is working:
Make sure your device can connect to the Internet and resolve hostnames. Try pinging an external hostname. If this fails, see 'Adding DNS or Static Host Mappings' below.
nnorman@lab-srx300> ping skyent-ncd01.juniper.net inet
PING skyent-ncd01.oneconfig.net (165.227.48.108): 56 data bytes
64 bytes from 165.227.48.108: icmp_seq=0 ttl=51 time=87.918 ms
64 bytes from 165.227.48.108: icmp_seq=1 ttl=51 time=206.095 ms
64 bytes from 165.227.48.108: icmp_seq=2 ttl=51 time=86.716 ms
64 bytes from 165.227.48.108: icmp_seq=3 ttl=51 time=114.487 ms
^C
--- skyent-ncd01.oneconfig.net ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 86.716/123.804/206.095/48.790 ms
nnorman@lab-srx300> ping skyent-ncd02.juniper.net inet
PING skyent-ncd02.oneconfig.net (68.183.248.21): 56 data bytes
64 bytes from 68.183.248.21: icmp_seq=0 ttl=51 time=87.824 ms
64 bytes from 68.183.248.21: icmp_seq=1 ttl=51 time=90.403 ms
64 bytes from 68.183.248.21: icmp_seq=2 ttl=51 time=85.504 ms
64 bytes from 68.183.248.21: icmp_seq=3 ttl=51 time=87.202 ms
^C
--- skyent-ncd02.oneconfig.net ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 85.504/87.733/90.403/1.760 ms
Make sure your device can connect to the Sky Enterprise connector servers using SSH on TCP port 4087.
To check the connection, use Telnet on the Juniper Networks device with some specific options to activate the connection on port 4087.
Here is an example showing a Juniper Networks device that isn’t able to connect to Sky Enterprise on port 4087 and requires further investigation for the blocked traffic.
nnorman@lab-srx300> telnet skyent-ncd01.juniper.net port 4087
Trying 165.227.48.108...
telnet: connect to address 165.227.48.108: Connection refused
telnet: Unable to connect to remote host
Here is an example of a successful test:
nnorman@lab-srx300> telnet skyent-ncd01.juniper.net port 4087
Trying 165.227.48.108...
Connected to skyent-ncd01.oneconfig.net.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
*NOTE Upstream devices may block outbound TCP port 4087 and/or outbound SSH on a non-standard port.
If you cannot determine the cause of a problem or need additional assistance, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.
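The two checks above (hostname resolution, then a TCP connection to port 4087) can also be run from a management host on the same network path as the device. The following Python script is an added example, not a Juniper or Sky Enterprise tool. It uses the connector hostnames and port from this section; the resolver and the connection attempt are parameters so the decision logic can be exercised with stand-ins when no network is available, while the defaults use the standard socket library.

```python
"""Diagnose the device-to-Sky Enterprise path described in this section.

Added example, not a Juniper tool. Walks the same two checks as the guide:
  1. can the connector hostname be resolved (DNS or static host mapping)
  2. does a TCP connection to port 4087 succeed
and reports which step failed together with the section to follow next.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Connector hostnames and port as given in the guide.
CONNECTOR_HOSTS = ["skyent-ncd01.juniper.net", "skyent-ncd02.juniper.net"]
CONNECTOR_PORT = 4087


@dataclass
class CheckResult:
    host: str
    ip: Optional[str]   # None when name resolution failed
    reachable: bool
    advice: str         # what to look at next, per the guide


def default_resolve(host: str) -> str:
    """Resolve with the system resolver; raises socket.gaierror (an OSError)."""
    return socket.gethostbyname(host)


def default_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:     # refused, timed out, network unreachable
        return False


def check_connector(host: str, port: int = CONNECTOR_PORT,
                    resolve: Callable[[str], str] = default_resolve,
                    connect: Callable[[str, int], bool] = default_connect) -> CheckResult:
    """Run the two-step check for one connector hostname."""
    try:
        ip = resolve(host)
    except OSError:
        return CheckResult(host, None, False,
                           "name resolution failed: see 'Adding DNS or Static Host Mappings'")
    if connect(ip, port):
        return CheckResult(host, ip, True, "ok")
    return CheckResult(host, ip, False,
                       f"TCP {port} to {ip} refused or blocked: check upstream devices "
                       "for outbound port 4087 / SSH on a non-standard port")


def check_all(hosts: List[str] = CONNECTOR_HOSTS, **kwargs) -> List[CheckResult]:
    """Run check_connector for every connector hostname."""
    return [check_connector(h, **kwargs) for h in hosts]


if __name__ == "__main__":
    for r in check_all():
        state = "OK" if r.reachable else "FAIL"
        print(f"{r.host:28} {r.ip or '-':16} {state:5} {r.advice}")
```

A successful TCP connect on 4087 from the management host does not prove the device itself can reach the connector, since the device may sit behind a different firewall policy; it does tell you whether the connector is reachable from that segment, which narrows the search to the device's own path.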
Adding DNS or Static Host Mappings to Your Device (no DNS)
Sky Enterprise uses hostnames so that devices can automatically reconnect if IP addresses change. To use the domain name system (DNS) to resolve these hostnames automatically, see 'Adding DNS servers' below. If your device is unable to use DNS, a less automatic alternative is the JunOS static host mapping feature, also outlined below.
Adding DNS servers for automatic resolution
nnorman@lab-srx300> show configuration system name-server
nnorman@lab-srx300> configure
Entering configuration mode
[edit]
nnorman@lab-srx300# set system name-server 8.8.8.8
[edit]
nnorman@lab-srx300# set system name-server 1.1.1.1
nnorman@lab-srx300# commit and-quit
commit complete
Exiting configuration mode
Adding a Static Host Mapping to Your Device (no DNS)
Using a device that has DNS resolution, perform a lookup. Use the IP obtained in the lookup in the static-host-mapping JunOS command.
From OSX:
nnorman-laptop:~ nnorman$ host skyent-ncd01.juniper.net
skyent-ncd01.juniper.net is an alias for skyent-ncd01.oneconfig.net.
skyent-ncd01.oneconfig.net has address 165.227.48.108
nnorman-laptop:~ nnorman$ host skyent-ncd02.juniper.net
skyent-ncd02.juniper.net is an alias for skyent-ncd02.oneconfig.net.
skyent-ncd02.oneconfig.net has address 68.183.248.21
nnorman@lab-srx300> configure
nnorman@lab-srx300# set system static-host-mapping skyent-ncd01.juniper.net inet <IP>
nnorman@lab-srx300# set system static-host-mapping skyent-ncd02.juniper.net inet <IP>
nnorman@lab-srx300# commit and-quit
commit complete
Exiting configuration mode
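As an added example (not a Juniper tool), the following Python script reads the output of the 'host' lookups shown above, follows each alias to its address record, and prints the matching static-host-mapping commands so the addresses do not have to be copied by hand. The embedded lookup text is a copy of the output shown above; when run with lookup output on standard input it uses that instead.

```python
"""Turn 'host' lookup output into Junos static-host-mapping commands.

Added example, not a Juniper tool. Handles the output shape shown in the
guide: an 'is an alias for' line followed by a 'has address' line for the
alias target. The mapping is keyed by the name that was queried, because
that is the name the device uses to reach the connector.
"""
import re
import sys
from typing import Dict, List

# Copy of the lookup output shown in the guide, used when nothing is piped in.
HOST_OUTPUT = """\
skyent-ncd01.juniper.net is an alias for skyent-ncd01.oneconfig.net.
skyent-ncd01.oneconfig.net has address 165.227.48.108
skyent-ncd02.juniper.net is an alias for skyent-ncd02.oneconfig.net.
skyent-ncd02.oneconfig.net has address 68.183.248.21
"""

# 'host' prints the alias target with a trailing dot; strip it.
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
# Only IPv4 'has address' lines are used; 'has IPv6 address' lines are ignored.
ADDR_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")


def parse_host_output(text: str) -> Dict[str, str]:
    """Map each queried hostname to the IPv4 address its alias chain ends at."""
    alias: Dict[str, str] = {}
    addrs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            alias[m.group(1)] = m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m:
            addrs[m.group(1)] = m.group(2)
    # Names to map are the ones that were queried: alias sources, plus any
    # address record that is not itself the target of an alias.
    queried = set(alias) | (set(addrs) - set(alias.values()))
    result: Dict[str, str] = {}
    for name in queried:
        target, seen = name, set()
        while target in alias and target not in seen:  # follow the alias chain
            seen.add(target)
            target = alias[target]
        if target in addrs:
            result[name] = addrs[target]
    return result


def static_host_mapping_commands(mapping: Dict[str, str]) -> List[str]:
    """One 'set system static-host-mapping <name> inet <ip>' line per name."""
    return [f"set system static-host-mapping {name} inet {ip}"
            for name, ip in sorted(mapping.items())]


if __name__ == "__main__":
    text = HOST_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for cmd in static_host_mapping_commands(parse_host_output(text)):
        print(cmd)
```

Because a static host mapping freezes the address on the device, it also removes the benefit described at the start of this section: if the connector's address changes, the mapping must be updated by hand, so re-run the lookup whenever a mapped device drops offline.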
Troubleshooting ZTP
Verify power and basic IP connectivity. Devices need SSL port 443 and SSH on TCP port 4087 permitted outbound.
Verify DNS. Devices may also need UDP port 53 permitted outbound based on configured DNS server(s).
Refer to the Troubleshooting Device Connectivity Issues section if needed.
Verify that the device has the correct time. The output from show system uptime will show if the correct time is set on the device.
Verify that the redirect server is configured. In the JunOS config, look for: "set system phone-home server https://redirect.juniper.net"
Verify ZTP Authorization in Sky Enterprise under Configuration > ZTP.
*NOTE If the Authorization column shows 'required, pending device connection', the device has not contacted Sky Enterprise yet and further device troubleshooting should be performed.