Juniper Sky Enterprise User Guide

End Of Service Notice

Juniper Sky Enterprise will officially be discontinued on 2024/11/20. The EOS announcement can be found at End-Of-Life-Notification-Sky-Enterprise-SaaS-Cloud-Service. Please review the options for migration to Juniper Mist for a SaaS solution before the service is discontinued.

Introduction 

Juniper Sky Enterprise delivers cloud-based network management for Juniper SRX Series, EX Series, QFX Series and NFX Series devices. It provides a secure web-based user interface that is quick to set up and connect devices to. With Sky Enterprise, network engineers with no prior Juniper Networks experience can easily deploy and manage devices and the network.

This User Guide describes the features within Sky Enterprise and how to use them.

The video below provides an overview of Sky Enterprise capabilities (duration 3:46).

Getting Access to Sky Enterprise

Trial Accounts

Juniper Networks offers free 30-day accounts to customers who are interested in a trial of the system. Once the trial account is activated, trial users can add their Juniper devices to Sky Enterprise, where they will have access to the full set of features enjoyed by subscribers.


To request a trial account, complete the form found at: https://www.juniper.net/us/en/forms/sky-enterprise-free-trial/. Juniper will send you an email with an activation link. The link expires after 48 hours; if you are unable to activate before it expires, contact Juniper Customer Care to request that the link be resent.


Demonstration Accounts

Demonstration accounts are available for Juniper Networks staff. These can be requested via email to: skyent-trial@juniper.net

Activating Sky Enterprise Licenses

When you purchase Sky Enterprise licenses you can activate your account via the Juniper Agile Licensing Portal.

For assistance you can open a Customer Care case at: https://support.juniper.net/support 

Juniper Networks Devices Supported by Sky Enterprise

Sky Enterprise supports:


Junos OS Software Releases Supported by Sky Enterprise

Juniper Networks EX Series Switches 

For the EX Series switches, the following Junos OS software versions are supported on Sky Enterprise:

Juniper Networks QFX Series Switches 

For the QFX Series switches, Junos OS Release 14.1X53-D30 and later are supported on Sky Enterprise.

Juniper Networks SRX Series Services Gateways

For SRX Series and vSRX devices, the following Junos OS software releases are supported on Sky Enterprise:

Juniper Networks NFX Series Devices

We recommend Junos OS Release 15.1X53-D47 for Juniper Networks NFX Series devices.

Sites

Logging in to Sky Enterprise automatically takes users to the 'Sites' view. This is the first tab on the 'Home' page. This page gives users a quick network overview, including an interactive world map view, devices online/offline, alarms and sites.

The main part of the screen shows the Google Maps view where you can view, add and edit your site details for locations around the world. Below the map is a list of existing sites. 

Edit a Site

By clicking on the menu option to the left of a site in the list, you are presented with various options:


Add a New Site

To add a new site, click on the 'New Site' button on the right side of the screen and add the site name and address. From there you can select from existing devices to add to the site.

Devices

The Devices Dashboard provides a single list view of all your managed devices. This view can be organised using Device and Site tags, and offline devices can be filtered out using the display options menu. 

The following tools are accessible from this view:

Add Device


This button downloads a CSV file of all your Juniper devices, including: hostname, description, device models, Junos versions, serial numbers, site details, IP address, up time, last backup time, reboot reason. Think of this as a near real-time asset report.


Create tags and add them to any device; this is a useful tool for grouping devices by model, function, location or any other common element. You can use tags in search functions, and for selecting groups of devices for bulk update actions.


Fast search option to find any string within your device list.

The list of devices is displayed as a table with the following information and tools:

Tenants

The 'Tenants' tab is visible when the 'Multi Tenancy' option is selected in the 'Settings' tab. To enable 'Multi Tenancy' see Enable Multi Tenancy.

To add a new tenant, click on the 'Add Tenant' button.

Users created at a tenant hierarchy are bound to that hierarchy. Different user roles are available during user creation. See Creating Multi Tenant Users and Understanding User Roles.

A logo can be shared from a higher level tenant with sub tenants. To do so, see Share Logo with Tenants.

Tenants are a great way for managed service providers (MSPs) and/or large organizations to segment users and devices into responsibility domains.

Tools

The Tools tab contains features to help you locate specific devices.

There are two search options available:

Topology

The Topology tab presents a real-time layer-2 view of your network devices. The view is generated using LLDP (Link Layer Discovery Protocol). LLDP is a vendor-neutral protocol, so non-Juniper devices running this protocol will be displayed in this view, e.g. other vendors' network devices, access points, IP phones, and servers configured with LLDP.

Sky Enterprise will display up to 250 devices in the Topology view. Views can be network-wide, or site specific. To view an individual site, select the site from the dropdown menu on the middle-right of the screen.


Clicking on an individual device (managed by Sky Enterprise) displays additional details in the lower-right corner of the screen, including device type, IP address and alarms count. The device's interfaces will be listed with a direct link to the interface graph.

The Topology view can be refreshed by reloading the page or by clicking the 'Refresh Layout' button on the middle-right of the screen.

Alarms

The 'Alarms' tab is visible when 'Enable Global Device Alarms' option is selected in the 'Settings' tab.

Sky Enterprise displays system and chassis alarms on managed devices. Alarms are listed in a table including:

An Action menu is presented for each alarm. Where possible Sky Enterprise provides an action to remedy the alarm, such as:

Using the Action menu to remedy alarms is a simple way to improve the resilience and reliability of the network.

WiFi

This tab displays information about SRX WiFi mPIM Access Points. SRX WiFi mPIM Access Points are cards that can be installed in Juniper SRX320, SRX340, SRX345, SRX380 and SRX550M devices. Additional details below.

When an SRX WiFi mPIM is installed in an SRX, Sky Enterprise will automatically detect it and enable the WiFi menu for configuring the device.

The 'WiFi' tab displays a list of all SRX WiFi Access Points currently active on the network. The table (shown below) includes SSID, Parent AP, the associated device (that the WiFi mPIM is installed in), country code, Mode, Channel, Security, VLAN, active client count and connection status.

Selecting the Action menu item for an Access Point provides an option to edit the Access Point. Clicking on this option takes you to the WiFi configuration menu specific to the Associated device. Configuring WiFi Access Points is covered in more detail in the 'Device Actions' section.

Also displayed in the WiFi tab is the connected clients table. This table shows all the clients currently connected to the Access Points, including: MAC Address, SSID, Associated device, Radio ID and bytes received/transmitted.


Mist WiFi

Sky Enterprise includes an API integration to Mist Systems' cloud-based portal. By adding your Mist credentials into Sky Enterprise you can view and monitor your Mist APs and clients directly from the Sky Enterprise portal.

The Mist API is enabled within the Sky Enterprise Settings tab.

To configure Mist APs, use the context sensitive cross-launch option in Sky Enterprise to open the Mist portal to configure the AP you are currently working on.

Using the Action menu on a Mist Access Point the following options are available:


The video below shows an overview of establishing the Mist API integration, and the simple user interface in Sky Enterprise for viewing your WiFi access points and clients.

Managing Devices

This section provides information about managing devices from the Action menu in the Devices tab. 

There are menu items that are common across multiple device types, for example: Interfaces/VLANs; System and Monitoring; and Junos CLI. Other menu items are specific to certain device types. For example, Security Policies and Zones is available for SRX devices, but not for EX and QFX.

For each of the Action menu items described below, the device type that the menu applies to is listed in the title.

 

Custom SD-WAN and Routing

What is Custom SD-WAN?

Custom SD-WAN is a group of features within Sky Enterprise that contribute to the deployment and ongoing management of SD-WAN environments. It is called 'custom' because these features can be used at the discretion of the network administrator to add configuration to an SRX device in any manner they want. 

The video below describes the Custom SD-WAN features.

Custom SD-WAN Overview

This screenshot shows the range of tabs that are included in the Custom SD-WAN section.

Beginning with WAN Graphs, Sky Enterprise imports the default untrust interface. To add/remove interfaces from this view simply "Select WAN Interfaces". 

Traffic throughput (bytes transmitted/received) is displayed in graphs, available in hourly, daily, weekly and monthly views.

To the right of the graph, Apptrack data is displayed if enabled. This is a near real-time view of applications, by volume, traversing the WAN interfaces. By hovering the cursor over the bar chart, the exact details of the application traffic are shown.




System Graphs are next; these display the CPU, Memory, Temperature, and Session values in hourly, daily, weekly and monthly views.




Current device licenses, expiration dates and license expiry warnings can also be viewed in this section.

Application Routes

Layer 7 application routes can be managed on the Application Routes view within Custom SD-WAN. All common interface types, like Ethernet, 3G/4G LTE, and T1/E1, are supported. Direct internet break-out along with IPSec tunnels are supported with no custom underlay required.


Creating and Editing Application Routes

Creating or editing an application route allows users to select L7 applications or application groups, like multimedia:audio/video-streaming, and make a forwarding decision.

For instance, in the example screenshot below we use this to offload high-bandwidth applications to inexpensive links. Selecting Spotify/Netflix, etc. in the rule will forward traffic matching the L7 app-id out that link. This could also be used to steer mission-critical applications like SIP, on-premise Exchange, across IPSec tunnels.



Realtime Performance Monitoring - RPM

Application steering can be coupled with automatic failover and failback using RPM for redundancy. In the screenshot below you can see information related to the probe: Name, Probe Type, Target Type, Target, Status, RTT and % Loss, as well as details: RTT, Avg Delay, Jitter Delay, Min Delay, Max Delay, Stddev Delay, Delay Threshold and Sum Delay.



IP Monitoring Policies

The IP Monitoring Policy determines the path when the probe is in a failed state. In this instance the default path has a preference of 8, and when the default-inet1 probe fails a static route is added to the table to use the other ISP. A default static route has a preference of 5. (Junos prefers the route with the lowest preference value.)


Security - Policies (SRX)

The screenshot below shows the Security Policies view in Sky Enterprise. There are two tabs available: Firewall and App Firewall.

Managing firewall security policies in the Firewall section of Sky Enterprise is simple. The top menu allows users to:

Firewall Policy Edit

The Device Policy edit screen loads for cloning/editing/creating security policies. 

As you type in the address book, zone, application or dynamic application boxes, Sky Enterprise starts to sort entries from these large lists.

Forgot to add an address book before editing the policy? Just select '+ Add addressbook entry'.

Logging, counting, or IDP can be enabled on the security policy by checking the corresponding boxes.

Also select your NGFW feature set, like UTM, from the drop-down list.

Need to setup your IDP policy? Browse to the Security -> IDP item in the Action menu.


Policy Reorder

Reordering policies is simple with the Reorder function. This function is especially helpful when 'shadowing' occurs and you need to adjust the order of your policies.

Select the policies that you want to move, drag them to the desired location, then click 'Reorder Policies'.
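Shadowing, mentioned above, happens when an earlier policy matches everything a later one would, so the later policy never takes effect. The added example below (not Sky Enterprise or Juniper code) detects it in an ordered, first-match policy list and proposes a candidate order for review; the policy model, names and addresses are constructed, and address book entries and application sets are assumed to be already resolved to CIDRs and application names.

```python
"""Find shadowed policies in an ordered, first-match firewall policy list."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network

ANY = "any"
Finding = namedtuple("Finding", "shadowed shadowed_by conflict")


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    sources: tuple        # CIDR strings, or ("any",)
    destinations: tuple   # CIDR strings, or ("any",)
    applications: tuple   # application names, or ("any",)
    action: str           # "permit" or "deny"


def nets_cover(outer, inner):
    """True if every CIDR in `inner` lies inside the union of `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    parsed = [ip_network(c) for c in outer]
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed versions
        merged.extend(collapse_addresses(n for n in parsed if n.version == version))
    return all(
        any(n.version == o.version and n.subnet_of(o) for o in merged)
        for n in map(ip_network, inner)
    )


def apps_cover(outer, inner):
    """True if every application in `inner` is also matched by `outer`."""
    if ANY in outer:
        return True
    return ANY not in inner and set(inner) <= set(outer)


def covers(earlier, later):
    """True if `earlier` matches every packet that `later` would match."""
    return (
        (earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
        and nets_cover(earlier.sources, later.sources)
        and nets_cover(earlier.destinations, later.destinations)
        and apps_cover(earlier.applications, later.applications)
    )


def find_shadowed(policies):
    """Return one Finding per policy that an earlier policy fully covers."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                # conflict=True: actions differ, so the later rule's intent is lost.
                # conflict=False: same action, the later rule is only redundant.
                findings.append(
                    Finding(later.name, earlier.name, earlier.action != later.action)
                )
                break
    return findings


def move_above_shadower(policies, findings):
    """Candidate order: each conflicting shadowed policy placed just above its shadower."""
    order = list(policies)
    for f in findings:
        if not f.conflict:
            continue
        moved = next(p for p in order if p.name == f.shadowed)
        order.remove(moved)
        idx = next(i for i, p in enumerate(order) if p.name == f.shadowed_by)
        order.insert(idx, moved)
    return order


# Constructed sample policies (trust -> untrust), in evaluation order.
Z = ("trust", "untrust")
POLICIES = [
    Policy("allow-web", *Z, ("10.0.0.0/16",), (ANY,), ("junos-http", "junos-https"), "permit"),
    Policy("block-guest-web", *Z, ("10.0.50.0/24",), (ANY,), ("junos-http",), "deny"),
    Policy("allow-dns", *Z, ("10.0.0.0/16",), ("198.51.100.53/32",), ("junos-dns-udp",), "permit"),
    Policy("allow-web-lab", *Z, ("10.0.7.0/24",), (ANY,), ("junos-https",), "permit"),
    Policy("deny-all", *Z, (ANY,), (ANY,), (ANY,), "deny"),
    Policy("allow-rdp", *Z, ("10.0.1.0/24",), ("203.0.113.10/32",), ("custom-rdp",), "permit"),
]

if __name__ == "__main__":
    found = find_shadowed(POLICIES)
    for f in found:
        kind = "CONFLICT" if f.conflict else "redundant"
        print(f"{f.shadowed} is shadowed by {f.shadowed_by} ({kind})")
    print("candidate order:", [p.name for p in move_above_shadower(POLICIES, found)])
```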

Security - Zones (SRX)

Within the Security Zones section of Sky Enterprise, users can create and edit security zones as well as address book entries. This includes adding/removing interfaces from zones as well as setting host system services on the zone or on an interface in the zone.

New Zone Dialogue

Selecting +New Zone opens the Device Zone creation dialogue. This allows you to give your new security zone a name, select services and protocols for the zone, select an App Routing Profile and enable Application tracking. You can also add interfaces to the zone.

Editing an existing security zone will open this same dialogue.

Security - NAT (SRX)

Source NAT

Source NAT is the default NAT setup on SRX firewalls. It allows private internal networks (Trust Zone) to traverse and be translated to the public internet (Untrust Zone). A security policy is also needed to permit traffic.

New NAT Rule-Set

A New Rule Set dialogue is available. Rule sets are used to select source zones or interfaces (From) and destination zones or interfaces (To).

Edit NAT Rule

Within a rule set, rules are used to match traffic.

New NAT Pool

Source NAT Pools can also be created with "port no-translation". Pick a previously configured pool as the overflow pool from the drop-down.

Destination NAT

Destination NAT is most commonly used for inbound Untrust to Trust traffic. For example, TCP port 4443 on the Untrust public IP can be used for a Trust web server on TCP port 443.

Destination NAT Easy Wizard

To help build destination NAT rules, Sky Enterprise has a destination NAT wizard. This can be seen in the screenshot. This wizard walks users through creating destination NAT rules and can also create corresponding security policies with the box checked.

Static NAT

Static NAT is a 1:1 IP and port mapping.

Static NAT rule sets can be created/edited using the static dialogue. 


Within the static NAT rule set, rules can be created/edited.

Security - VPNs (SRX)

Sky Enterprise makes it easier for administrators to create and manage VPNs between their network devices. The VPN section shows a list of existing VPNs (if any exist), along with the button to add an IPSec VPN using the Sky Enterprise wizard.

Clicking on the VPN wizard opens up a modal that requires basic details to be added to create the VPN. As shown below, the information required includes:

The wizard also includes an 'Advanced' section with further options including: mode and advanced IKE and IPsec details.

Security - IDP (SRX)

Sky Enterprise provides a simple interface for Intrusion Detection and Prevention (IDP) Policy and Custom Attack creation. Please note that you do not need any additional licensing in Sky Enterprise for this, but it is a licensed feature on the SRX device(s). Please ensure that the SRX you wish to configure IDP on is licensed (see device license checking in Sky Enterprise) and the IDP database is downloaded and installed. 

For IDP-specific questions, please refer to the IDP best practices guide at https://kb.juniper.net/InfoCenter/index?page=content&id=KB25915&actp=METADATA for more information.

Creating a new IDP policy

Select "+ New Policy" to start the policy creation modal.

Security - Applications (SRX)

Security applications, sometimes referred to as custom applications, can be created using Sky Enterprise. This application list contains the port- and protocol-based custom applications. To create advanced L7 dynamic applications, please see "App Firewall".

Navigating to security applications

On the device action menu select Security and then Applications.

View existing security applications

Navigating to the applications page under security will display any existing custom applications and application sets.

Application sets are groups of applications. A group can contain both custom applications and default applications like junos-http, etc.

Create custom security application

Towards the upper right of the Security Application page, users select "+ New Application".

Within the New Application modal users fill in the required information to create the custom application. 


In the example shown to the right we set up a custom application for protocol TCP on port 3389 for Remote Desktop using the Standard Type. To use term based, see the example below.


Selecting term based changes the modal to allow users to enter multiple terms.

Selecting Add Term opens the new modal displayed above for new Term creation.

Security - Security Feeds (SRX)

Sky Enterprise’s Dynamic Security Feed enables SRX devices to subscribe to a feed to dynamically update their security policies. The following feeds are available in Sky Enterprise: 

Sky Enterprise constantly checks the IP infrastructure lists of these vendor services and if a change is detected, the security feed is updated. This update is automatically applied to SRX devices that are subscribed to the feed without the need for a commit.

As shown below, feeds can simply be selected from a dropdown list.

Feeds can be selected individually or using the "_all" options e.g. "ms_azure_all".

Once selections are finalised, click the 'Submit' button and the feeds will be added to the SRX.

Adding Custom Feeds

You can create and maintain your own custom IP feeds to Sky Enterprise. These can then be added to your devices by selecting them from the list as shown above.

To create a new Custom feed, browse to the 'Settings' section and select the 'Dynamic Address Book Feeds' tab. Any existing Custom feeds will be shown in a list. You can add new feeds by selecting the 'Add Custom Security Feed' button. 

To edit an existing Custom feed, click the Action menu, then Edit. In the Edit modal you can add or remove IP addresses from the feed.

Once a feed has been updated, any devices that are subscribed to the feed will be automatically updated.

DHCP

In the DHCP section you can create and manage the dynamic host configuration protocol capabilities of your SRX and EX devices.

As shown below, there are sections for managing DHCP Groups, and DHCP Pools.

To add a new pool, select the ‘Add New Pool’ option at the top of the screen. When adding a new pool or editing an existing pool you are presented with a list of configuration items including:

Interfaces/VLANs

The Interfaces/VLANs menu allows the configuration and management of: 

Interfaces

In the Interfaces tab you can view the device's interfaces, both logical and physical. The table view includes mode details, e.g. access or trunk mode, VLAN membership, DHCP, connected status and enabled status.

The Interface action menu also provides a link to view the real-time graph of each interface.

Configuring an interface is easy using the intuitive options. Physical interfaces can be edited by changing the description, enabling or disabling the interface, changing the encapsulation, and assigning Apply Groups.

Logical interface options include:

When changes are made to an interface, and the 'Save Interface Unit' button is clicked, the configuration changes will be applied to the device and committed.

Power over Ethernet

Sky Enterprise can also manage PoE ports on devices that have them.

Using the PoE feature you can view or edit PoE interfaces.

In the screenshot to the right we see the edit modal for PoE on an interface. Here we can enable/disable PoE, adjust the priority of the power on the interface, and set the maximum power for the interface.

VLANs

In the VLANs tab you can create and manage VLANs on your devices.

To create a new VLAN, click on the 'New VLAN' button, then in the modal add:

Ranges

Ranges provides an easy way to manage interfaces as a group. Using the Ranges feature in Sky Enterprise you can easily and quickly create and manage interface ranges.

To create a new Range, click on the 'New Interface Range' button, then in the modal add:

To save the new range, click the "Set Interface Range" button.

Spanning Tree Protocol

There are still many networks running Spanning Tree Protocol, also known as Rapid Spanning Tree Protocol (RSTP). This Sky Enterprise feature makes it easy to configure and maintain RSTP in your network.


The 'RSTP Settings' option allows you to configure the RSTP settings, including:


Using the Action menu, interfaces can be configured individually, including:

All interfaces can be enabled simultaneously using the 'Configure RSTP for All Interfaces' button.


Ethernet Switch Table, LLDP Neighbors and ARP Table

Clicking on these tabs gives you real-time information about your layer 2 network and adjacent devices.

System and Monitoring

The System and Monitoring section in the Devices Action menu is where you will find a range of visibility and monitoring tools for individual devices.

The System and Monitoring menu contains a range of tabs, including:

System Graphs

In the Systems Graphs tab you will see near real-time graphs for a device showing CPU, Memory and Temperature based on data gathered every 5 minutes. 

Graphs are available in hourly, daily, weekly and monthly view. Graph data for weekly and hourly views is aggregated over time. 

For SRX and vSRX devices, a graph of security sessions is also provided.

Views can be changed on individual graphs using the radio buttons to the right of the graph, or for all graphs using the drop-down selector at the top left of the screen.

Interface Graphs

In this tab you can view graphs for all interfaces. Data is collected every 5 minutes and graphs are available in hourly, daily, weekly and monthly views. Note: data for weekly and monthly views is aggregated.

As shown below, graphs can be filtered using Unit, Connected or All options. Graphs can also be set to refresh automatically, either on a 5 minute or 10 minute interval - this is useful for displaying graphs on a monitor where there is no regular user interaction.

To select which interfaces are polled for data, use the 'Configure Monitored Interfaces' button in the top right corner. This is particularly useful for devices that are only reachable via low bandwidth connections and allows you to turn polling off for some or all your interfaces.

Selective Polling of Interfaces

Clicking on the 'Configure Monitored Interfaces' button will reveal the screen shown to the right.

In this screen you can select which interfaces you would like polled for data. You can turn individual interfaces on or off, and you can use the 'Select None' or 'Select All' buttons.

Newly enabled interfaces will start displaying data in a graph after 5 - 10 minutes.

Interfaces that are turned off will lose their metric history.

Commits

Sky Enterprise presents the commit history of a device in an easy to consume list. The list shows up to the last 50 commits made on the device, plus additional details like: 

As shown below, using the Action menu found alongside each commit in the list, several options are available. These include:


The Commit 0 (running commit) has a slightly different list of options, as shown in the image to the right.

You can view the entire configuration of the device by selecting 'Show Full Configuration'. The full configuration can also be viewed in the 'Config Backups' tab.

Config Backups

The Config Backups tab shows a history of configuration files for the device. 

Backups are done automatically for the device configuration whenever a change has been detected. Configuration change checks are made hourly. If no change is detected the current latest backup in the list remains in place and unchanged.

For each backup entry in the list the action menu provides these options:

The image to the right shows an example of a configuration compare.

Enabling Config Backups

Config backups can be enabled for all new devices in the 'Settings' tab. For existing devices that do not have it enabled, this can be done on a device by device basis.

Config backups can be enabled on individual devices from the Device Details menu option in the 'Devices' tab. 

To enable config backups for an individual device, ensure that the config backup box is ticked.

Actions

The Actions menu option provides a range of useful, automated actions commonly used by network administrators. Examples include:

Junos CLI

The Junos CLI feature gives direct access to your device's command line interface from your browser.

Note: for security reasons this feature is only accessible to Administrators who have 2FA enabled on their account.

Device Details includes:


Configlet

The Configlet is the Junos configuration snippet that enables the device to call home to Sky Enterprise to be authenticated and managed. It enables and maintains a secure Outbound-SSH connection to the Sky Enterprise platform, allowing devices to connect and re-connect without requiring any special firewall policies or NAT to be put in place (it uses port 4087 outbound).

Configlets are unique per device and should not be copied and used on other devices.

Delete Device

Devices can be deleted from Sky Enterprise using this feature. During the delete process Sky Enterprise will attempt to remove the configlet from the device to prevent it from trying to reconnect.

Users

As a Juniper Sky Enterprise administrator, you can create and manage user accounts. In this section you can learn more about:

Creating New User Accounts


*NOTE See Understanding User Roles.

   6. Click Create User. 

Activating User Accounts

After the account is created, an activation link is e-mailed from Sky Enterprise. Please use this link to activate your account. 

*NOTE The activation link is valid for 48 hours.

To activate your user account:

On the Edit User Details page, you can reset passwords and roles for users. You can also choose for users not to receive product update notifications.

Managing User Accounts

As a Sky Enterprise administrator, you can re-send activation requests, delete users, and edit user accounts. To perform these activities, navigate to the user account you want to manage, and follow these steps: 

From the action drop-down menu, select Resend Activation to re-send an activation request.

From the action drop-down menu, select Delete User to delete a user account.

From the action drop-down menu, select Edit User to edit a user account.

Resetting Passwords

If logged in to Sky Enterprise, you can reset your password using the action menu. Other admin users can also reset another user's password.

*NOTE See Understanding User Roles.








To reset your password if not logged in:









Enabling Two Factor Authentication

Sky Enterprise supports two factor authentication from many different vendors (Google Authenticator, Duo, etc.).

By enabling Two Factor Authentication (2FA), your account is more secure and you will have access to more features such as 'Junos CLI'.

To enable two factor authentication:

Disable Two Factor Authentication

To disable your two factor authentication: 

Resetting Your Two Factor Authentication

If two factor authentication is enabled but you are unable to generate two factor codes, you can ask another administrator in your company to remove your account and recreate it.

Alternatively, during the login procedure you can request a two factor code to be sent to your email.

If you continue to experience issues, contact Juniper Technical Assistance Center (JTAC) at support@juniper.net.

Creating Multi-Tenant Users

Sky Enterprise supports multi-tenancy. As a Sky Enterprise administrator, you can enable multi-tenancy using the Settings tab. 


Once multi-tenancy is enabled, you can create tenants under your company name. You can also create, delete, and edit users within a tenant. Users within a tenant can only view devices in their company and not the parent devices.

1. From your main page, select the tenant you want to create, delete, or edit users in.

2. After you select a tenant, you will see the tenant change in the upper right corner of the GUI. Navigate to the Users tab and perform the desired action.

Understanding User Roles

The Sky Enterprise system provides predefined roles that you can assign to users to define administrative responsibilities and specify the management tasks that a user can perform in the system.

READ-ONLY

USER

Administrator

Read-only User Administrator - similar to the read-only role, except that it also allows you to create and delete read-only users:

Configuration

The Configuration tab is home to the following functions:

Bulk Updates

The Bulk Updates feature enables single or multiple devices to be configured in one action. Target devices can be selected individually, on a per site basis, or using tags. Once selected, devices can be updated using one of the following options:

To start a new Bulk Update job, click the green 'New Update' button on the right of the screen.

New Bulk Update Jobs

Bulk Update job using Set Commands or Junos Configuration

Perform the following steps to create a new Bulk Update job using Set Commands or Junos Configuration:

Once the 'Update' button has been clicked, a dialogue box will appear to confirm that you want to run the job and configure the selected devices.


Click 'Proceed' to continue.

The Bulk Update will commence and progress logs will scroll in the dialogue box showing the progress of the job.

Updates and commits can take 30-40 seconds to complete, especially on smaller Juniper devices.

When the Bulk Update is complete a report will appear. The report has several sections.

The top section shows a summary of the update, including successes and failures.

The next section lists the target devices.

The 'Input' section shows the configuration changes that were applied to the devices.

The log shows details of each change on a per device basis. If a device fails to update, error logs will specify the reason for the failure.

An email is sent to the user who ran the Bulk Update with a summary of the operation.

The on-screen report can be downloaded as a PDF using the button at the bottom of the report.

Scheduled Bulk Update

To run a Scheduled job:

*Time relates to your local timezone.

When the job is initiated a message appears to confirm the details and schedule.

Click 'proceed' to accept and continue.

Bulk Update Job using Template

To create a Bulk Update job using a template, you must first create your template in the 'Bulk Update Templates' tab. For details on how to create a template, please see the Bulk Update Templates section below.

Bulk Update Templates can include variables. Where variables are used you can specify values for each device, allowing for a unique configuration to be applied to multiple devices through a single operation.


To create a Bulk Update job using a template:

Bulk Update Templates

The Bulk Update Templates tab is the location for creating, editing and storing templates used for performing advanced Bulk Updates on your devices, including variables.

Create New Bulk Update Template

To create a new Bulk Update Template:

The template will now appear in your saved list of templates and will be available for selection from the templates dropdown list in the Bulk Update job tab.

Junos Upgrade

The Junos Upgrade feature provides a simple method for upgrading Junos devices using images hosted by Sky Enterprise.

Sky Enterprise typically hosts mainstream image versions, including Suggested Releases. If you need to install an image that is not currently available on Sky Enterprise, you can use the Software Library and Software Distribution features, which allow you to host images on your own network. [Note: The Software Distribution mechanism can fail due to file copy and disk space issues on certain Juniper devices, particularly smaller EX devices.]

The image below shows the Junos Upgrade feature plus a history of upgrades performed.

To perform Junos Upgrade on a device:

Sky Enterprise checks for available disk space. If there is sufficient space, it enables the 'New Upgrade' button.

Advanced features are also available should you need them. These include:

An example of advanced features is shown below.

Zero Touch Provisioning (ZTP)

ZTP is a process whereby a factory-new Juniper device can 'call home' to Sky Enterprise to be configured after being unboxed, powered on and plugged into a network. The process is simple to set up within Sky Enterprise and provides a fast and reliable way to deploy new devices without requiring onsite engineers and truck rolls.

The image below depicts the steps involved in a successful ZTP deployment.

ZTP Supported Devices

ZTP is made possible by a feature in Junos called 'phone home'. This feature is initiated when a device boots. It starts the device polling, or 'calling home', to a Juniper provisioning service to determine the IP address of its configuration service. The provisioning service inspects the device's serial number and does a lookup to determine which configuration server this serial number is associated with. Therefore, if a new Junos device has been added to Sky Enterprise, its request to be configured will be sent to Sky Enterprise.

The table below shows the types of devices, and the versions of Junos, that support ZTP.

Note: ZTP is limited to branch devices only; high-end devices are not currently supported.

Performing a ZTP Deployment

To perform a ZTP deployment the following steps are to be observed.

Step 1 Power on a device that has the 'phone home' feature in Junos available (see list above of compatible devices and Junos versions). Not all Branch SRX, EX and NFX devices shipping from the factory are ZTP capable.

Step 2 Plug the device into a network that provides DHCP with DNS to ensure the device can reach the internet and resolve the required URL, i.e. redirect.juniper.net

Step 3 Log in to Sky Enterprise and add a new device, selecting the ZTP option. Choose an appropriate template and add the target device's Serial Number.

Step 4 The device will call home and be directed to Sky Enterprise. When Sky Enterprise receives a request from the device, it will send an email to the user who created the new device, requesting authorization to configure the device. Authorization is a measure put in place to ensure security.

Step 5 Once authorized Sky Enterprise will configure the device, including the configuration required to connect to Sky Enterprise for management. Typically configuration takes 10-15 minutes, after which time the device will appear online in the Sky Enterprise dashboard.

ZTP Templates

Junos mandates the use of XML for ZTP templates. In this section of Sky Enterprise you can: 

Managing ZTP Devices

The screenshot below shows the ZTP Devices in the ZTP tab. The list of devices includes several columns:

A list of all existing templates is shown within the tab. Templates can be edited using the Action menu, including:

Create a New ZTP Template

ZTP templates must be in XML format; this is mandated by Junos. If you are unfamiliar with XML, there are a few things you can do:

Follow these steps to create a new template:

To create variables within the template, simply replace the configuration item with a variable name enclosed by double curly (moustache) brackets e.g. <host-name>{{ hostname }}</host-name>. When the template is used, the user will be prompted to provide a value for this variable that will be applied to the configuration when the ZTP template is deployed.
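The variable substitution described above can be dry-run locally before a template is uploaded. The following is an added example, not Sky Enterprise's own code: it lists the variables a template expects, XML-escapes each supplied value and confirms the result is still well-formed XML. The template fragment, function names and sample values are constructed, and it assumes values are inserted as element text.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Matches {{ name }} with optional spaces, as in <host-name>{{ hostname }}</host-name>.
VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample template (not taken from Sky Enterprise).
SAMPLE_TEMPLATE = """<configuration>
  <system>
    <host-name>{{ hostname }}</host-name>
    <name-server><name>{{ dns_server }}</name></name-server>
  </system>
</configuration>"""


def template_variables(template):
    """Return the variable names used in the template, in order of first use."""
    seen = []
    for name in VAR_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def render(template, values):
    """Substitute values into the template and return well-formed XML text.

    Raises KeyError if a variable has no value and ValueError if the
    rendered text is not well-formed XML.
    """
    missing = [v for v in template_variables(template) if v not in values]
    if missing:
        raise KeyError("no value supplied for: " + ", ".join(missing))

    # Escape &, < and > so a value cannot open or close XML elements.
    rendered = VAR_RE.sub(lambda m: escape(str(values[m.group(1)])), template)

    try:
        ET.fromstring(rendered)
    except ET.ParseError as exc:
        raise ValueError("rendered template is not well-formed XML: %s" % exc)
    return rendered


if __name__ == "__main__":
    print(template_variables(SAMPLE_TEMPLATE))
    print(render(SAMPLE_TEMPLATE, {"hostname": "branch-srx-01",
                                   "dns_server": "192.0.2.53"}))
```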

Adding Devices to Sky Enterprise

Manually adding devices to Sky Enterprise using a configlet

Sky Enterprise reads a device's config in real time as data is needed. This allows the system of record to be the device. Any changes made at the CLI or with other tools outside Sky Enterprise will be read the next time that data is needed by Sky Enterprise.

JunOS devices which already have a configuration can simply be added to Sky Enterprise and the config will be read in automatically.

To add your JunOS device to Sky Enterprise use the following steps:

nnorman-laptop:~ nnorman$ ssh 10.0.204.2

Last login: Tue Oct 29 20:28:05 2019 from 192.168.2.105

--- JUNOS 18.3R2.7 built 2019-05-03 08:42:18 UTC


nnorman@lab-srx300> 


nnorman@lab-srx300> configure 

Entering configuration mode


[edit]

nnorman@lab-srx300# 

Adding Devices using Zero Touch Provisioning (ZTP)

New JunOS devices ship with phone-home ZTP enabled from a factory default state. This along with passing IP information using DHCP will provide a true zero touch setup and enrollment in Sky Enterprise.

The DHCP server should pass IP, router (default route), DNS servers, and network time.

*NOTE Please consult your DHCP server's manual for specific setup instructions, or your internet service provider if connecting to an Internet link.

From a factory state, Juniper SRX devices are set up as DHCP clients on port ge-0/0/0 and Juniper EX devices are set up as a DHCP client on irb.0 (all interfaces are in the default VLAN for irb.0).

Once powered on and connected to the network the device should have IP connectivity to Sky Enterprise. See Troubleshooting device connectivity issues.

The same process outlined above to Add a Device is followed in part. 

Removing Devices from Sky Enterprise

Devices can be deleted from Sky Enterprise using the Delete Device option under the Action menu. When you delete a device, Sky Enterprise attempts to delete the configlet from the device if the device is still connected to it.

Manually deleting Sky Enterprise configuration from your device

If your device is not connected to Sky Enterprise, the system cannot delete the configuration snippet and you must delete it manually.

Here is an example to show how you can remove the configuration snippet yourself:

nnorman@lab-srx300> show configuration system services outbound-ssh 

client skyenterprise-ncd01 {

    device-id somedevice-id;

    secret ""; ## SECRET-DATA

    keep-alive {

        retry 3;

        timeout 5;

    }

    services netconf;

    skyent-ncd01.juniper.net {

        port 4087;

        retry 1000;

        timeout 60;

    }

}

client skyenterprise-ncd02 {

    device-id somedevice-id;

    secret ""; ## SECRET-DATA

    keep-alive {

        retry 3;

        timeout 5;

    }

    services netconf;

    skyent-ncd02.juniper.net {

        port 4087;

        retry 1000;

        timeout 60;

    }

}


nnorman@lab-srx300> configure 

Entering configuration mode


[edit]

nnorman@lab-srx300# delete system services outbound-ssh client skyenterprise-ncd01  


[edit]

nnorman@lab-srx300# delete system services outbound-ssh client skyenterprise-ncd02    


[edit]

nnorman@lab-srx300# delete system login user skyenterprise 


[edit]

nnorman@lab-srx300# commit and-quit

commit complete

Exiting configuration mode


Software (Firmware) Updates

Software Distribution

From the Configuration>Software Distribution page users can schedule or run device firmware upgrades as well as stage VNFs.

*NOTE Timezone is based on the timezone of the User using Sky Enterprise

Method type:

The 'On which devices' option allows users to mix and match several elements. Users can select a single device or multiple devices individually, as well as devices by site IDs and/or tags. These elements can be combined, and all matching devices will be selected.

Software Library

You can add JunOS software images or VNF files to the Sky Enterprise software library. This allows you to upgrade images or distribute VNF files to one or many Juniper Networks devices easily using the Sky Enterprise software distribution feature.

To use the Sky Enterprise software distribution feature, software images are placed on a file server in your network or another location reachable from your devices.


To add an image to the Sky Enterprise software library:

You can now use the image or files under the Software Distribution tab.

*NOTE Coming soon JunOS images hosted in Sky Enterprise

Creating an MD5 Checksum for Your Software Image

The Sky Enterprise software distribution system requires you to provide an MD5 checksum of the Junos or VNF image file. This enables the system to perform a check on the file once it has been copied to the device, ensuring the integrity of the file.

An MD5 checksum acts as a digital fingerprint for a file. Comparing checksums confirms that the file has not changed due to file transfer faults, disk errors or non-malicious meddling. Sky Enterprise uses the MD5 checksum to ensure file integrity for the Software Distribution feature.

Vendor Supplied Checksum

Depending on where your software image is coming from you might have an option to obtain an MD5 checksum from a provider. For example, you can obtain an MD5 checksum for a Juniper Networks vSRX image. 

Here is an example of the Juniper Networks software download site with links to MD5 checksums for each image. Download the MD5 file, open it using a text editor, and copy the string.


Create Your Own MD5 Checksum

If you don’t have a supplied MD5 checksum file, you can create one by using a checksum tool.

Depending on your operating system, there are different ways to obtain a checksum from a file.

For example:

user@host$ md5 junos-srxsme-15.1X49-D70.3-domestic.tgz

MD5 (junos-srxsme-15.1X49-D70.3-domestic.tgz) = 07453173a9db4b2f034f2ab9f0ad2711
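A way to compute the checksum on any operating system and compare it with the vendor-supplied value before entering it in the Software Library, as an added example that is not part of Sky Enterprise. The function names are assumptions; the parser accepts a bare string, the 'MD5 (file) = ...' form shown above and the 'checksum  file' form.

```python
import hashlib
import hmac
import re

# Exactly 32 hex digits standing alone; longer digests do not match.
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")


def file_md5(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large image is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_md5(text):
    """Pull the checksum out of a vendor .md5 file or checksum-tool output.

    Raises ValueError unless exactly one distinct checksum is present, so
    a file listing several images cannot be matched by accident.
    """
    found = {match.lower() for match in MD5_HEX.findall(text)}
    if len(found) != 1:
        raise ValueError("expected one MD5 checksum, found %d" % len(found))
    return found.pop()


def verify_image(path, expected_text):
    """Return (matches, actual_md5) for the image at `path`."""
    expected = extract_md5(expected_text)
    actual = file_md5(path)
    return hmac.compare_digest(actual, expected), actual


if __name__ == "__main__":
    import sys
    # Usage: python verify_md5.py <image file> <vendor .md5 file>
    with open(sys.argv[2]) as supplied:
        ok, actual = verify_image(sys.argv[1], supplied.read())
    print(actual, "MATCH" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

MD5 catches accidental corruption only, because it is not collision-resistant. Where the vendor also publishes a SHA-256 value for the image, compare that as well before staging the file.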


Settings

General

Add Company Logo

Add your own logo to Sky Enterprise with this feature. Select a file from your computer (PNG or JPEG), then click UPDATE at the bottom of the page. The logo will display in the top right corner of the screen (replacing the Juniper Networks logo).

Note: The recommended dimensions for the image are 255 x 116 pixels with a white background.

Share Logo with Tenants

If you have added your own logo file, and you have enabled the Multi-tenancy feature in Settings, you can tick this box to share your logo with your tenants. This is useful for managed service providers who give their customers a login to Sky Enterprise.

Custom Commit Message

To make it clear to other system administrators, you can set a commit message that is displayed for all config changes made by Sky Enterprise. As an additional option, you can tick the box to include the Sky Enterprise username in the commit message.

Enable Global Device Alarms

Selecting this option will display all device alarms in a new 'Alarms' tab in the Home page.

Note: alarms for individual devices are always available in the 'Alarms' tab in the device's System and Monitoring menu area.

Enable Junos CLI Web Console

Selecting this option will enable the web-based Junos CLI feature, allowing users to access a managed device's CLI directly from Sky Enterprise.

Note: For security reasons, this feature is only available to Admin users with 2FA enabled.

Enable JTAC Support of my company/devices

Selecting this option will allow Juniper's JTAC Engineers to view and manage your devices via Sky Enterprise. This is particularly useful when they are assisting to troubleshoot or fix a technical issue.


Enable Multi Tenancy

Select this option to enable the multi-tenancy feature. Once enabled a new 'Tenants' tab will appear on the 'Home' page. In this tab you can create new tenants under your company, then add managed devices and users to the tenant company. 

Logical Firewall (MTFW) Services

The MTFW feature allows virtual router (VR) instances to be managed as separate logical units within Sky Enterprise. This is particularly useful for service providers using SRX devices to create small firewall instances for multiple customers. 

Enabling this feature will add a new 'Services' tab to the home page.

Aerohive/Extreme Wifi

Sky Enterprise includes an API integration to Aerohive/Extreme cloud-managed Access Points. By adding your Aerohive/Extreme credentials you can view and monitor your APs and clients directly from the Sky Enterprise portal. 

Note: Access Point configuration is not currently supported in Sky Enterprise; link through to the Aerohive portal to perform configuration actions.

Mist WiFi Integration (Premium Feature)

Sky Enterprise includes an API integration to Mist Systems' cloud-based portal. By adding your Mist credentials into Sky Enterprise you can view and monitor your Mist APs and clients directly from the Sky Enterprise portal.

To configure Mist APs, use the context sensitive cross-launch option in Sky Enterprise to open the Mist portal to configure the AP you are currently working on.

Note: From 1st June 2020 this becomes a premium feature requiring a separate license.

Metric Collection on New Devices

With this option selected, all new devices added to Sky Enterprise will automatically be configured for periodic (5 minute) metric collection of performance statistics e.g. CPU, memory, temperature, bytes in/out, security session count.

Metric collection can be enabled or disabled on a per-device basis in the 'Device Details' menu option. Disabling metric collection is often used to reduce traffic between devices and Sky Enterprise. This is particularly useful where low bandwidth or high data costs are involved, e.g. satellite links.

Security Collection on New Devices

For Juniper SRX devices, Sky Enterprise collects security related data from devices periodically (5 minute intervals). This data is used to produce detailed security reports, called Application and Network Risk (ANR) Reports. The data collected includes applications in use, AAMW statistics, web filtering statistics, IDP statistics and more.

Security collection can be enabled or disabled on a per device basis in the 'Device Details' menu option.

Config Backups on New Devices

With this option selected, all new devices added to your company will be enabled for configuration backup. Configuration backup works by checking your device(s) on an hourly basis to determine whether the configuration has changed. If a change is detected, the current configuration is downloaded to Sky Enterprise.

Config backups can be enabled or disabled on a per device basis in the 'Device Details' menu option.

Use RADIUS for New Devices

Selecting this option automatically selects the 'RADIUS' option when adding a new device. This option requires a username and password to be provided when creating a new device, instead of Sky Enterprise automatically using the default username and creating a unique random password. (This is for the user that Sky Enterprise uses to gain access to the device).

Requiring the user to set the username and password ensures that the user can then add those credentials to their RADIUS server to allow authentication to take place.

License Expiry Warning Days

Sky Enterprise automatically tracks license expiry dates by looking up data on Juniper's license management system. You can use this setting to enable license expiry warnings and specify how many days' notice you'd like. To disable the warning, set the days to '0'.

License expiry warnings are raised as 'Alarms'. These are visible from the 'Alarms' tab on individual devices under the 'System and Monitoring' menu area, or on the 'Alarms' tab on the Home page if the 'Enable Global Alarms' option is selected in the 'Settings' tab.

Commit Confirm

Junos is famous for its commit confirm feature that allows a commit to automatically roll back after a timer expires if the commit is not confirmed by the user. This is useful for ensuring a commit change does not disconnect the user from the device e.g. an incorrect routing update on a remote SRX.

By selecting the 'Commit Confirm' option in Sky Enterprise, the system will automatically confirm commits after a change is made if the device is still accessible. If the device is not accessible the commit will roll back. This operation is performed by Sky Enterprise without any involvement from the user at the UI level.

Enabling this feature also requires the user to select the timeout in minutes that Sky Enterprise will set for each commit confirm.

Licensing

Sky Enterprise is licensed on a per device basis, based on concurrently connected devices. Licensing is not tied to specific devices or serial numbers, so devices can be added and removed at will. 

The 'Licensing' tab shows the number of devices your company currently has connected to Sky Enterprise.

Device counts are listed in their respective license groups: Group A, Group B and Group C.

Devices that do not map to a specific license group are listed in the 'Unknown' section. This may include devices that are connected to but not officially supported by Sky Enterprise, for example MX devices.

Devices that have been added to Sky Enterprise but have not yet connected are listed in the 'Undefined' section. Only once a device connects to Sky Enterprise can the model be determined and a license group allocation be made.

Sky Enterprise currently operates a trust based system where users monitor how many devices they connect to the platform according to their license entitlements - limits are not enforced by the system.

Dynamic Address Book Feeds

On Juniper SRX devices Sky Enterprise supports a feature called 'Security Feeds'. This feature is available from a device's configuration menu under the 'Security' section. The 'Security Feeds' feature allows an SRX to subscribe to a feed that contains a list of IP addresses that can be used as an allowlist or a blocklist for allowing or denying traffic.

Sky Enterprise includes a number of dynamically updated Security Feeds, including Office365, MS Azure and AWS IP lists. These lists change quite frequently, so subscribing SRX devices to them saves time and effort and provides a better experience for users on the network. If these vendors change the IP lists for their products (O365, Azure, AWS), Sky Enterprise automatically updates the list details in the feed and the SRX remains current without any action required from an administrator.


Custom Security Feeds

Sky Enterprise also allows the addition of Custom Feeds where an administrator can create their own blocklist/allowlist and subscribe their SRX devices to the feed. Updating the list will immediately propagate the changes through to all subscribed SRXs, making it a highly efficient way of managing security lists across a large network.

To create a new Custom Feed, simply click the 'Add Custom Security Feed' button, give the feed a name and add IP addresses to the list. The new feed will appear in the list. Lists can be edited at any time using the 'Edit' option from the action menu.

IP addresses can be added to a list as either a range e.g. 10.1.10.0/24, or as individual IP addresses e.g. 10.1.10.23.

Once Custom Feeds have been created they can be assigned to individual devices from the 'Devices' tab, using the 'Security Feeds' menu option.
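Because an edit to a custom feed reaches every subscribed SRX immediately, it is worth checking the entries before entering them. The following is an added example, not part of Sky Enterprise: it accepts the two entry forms described above, rejects malformed or suspiciously wide ranges and removes entries already covered by another range. The function name and the /16 width threshold are assumptions.

```python
import ipaddress


def check_feed_entries(entries, widest_prefix=16):
    """Validate custom feed entries before they are added to a feed.

    Returns (networks, problems). `networks` is a de-duplicated list that
    covers the same addresses as the valid entries; `problems` is a list
    of (entry, reason) pairs that need a human decision.
    """
    valid, problems = [], []
    for raw in entries:
        item = raw.strip()
        if not item:
            continue
        try:
            # strict=True rejects 10.1.10.23/24, where host bits are set.
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            problems.append((item, "not a valid IPv4 address or range: %s" % exc))
            continue
        if net.prefixlen < widest_prefix:
            # Catches slips such as 0.0.0.0/0 in a blocklist.
            problems.append((item, "range wider than /%d" % widest_prefix))
            continue
        valid.append(net)

    # Merge overlapping or adjacent ranges; single hosts print without /32.
    merged = [
        str(net.network_address) if net.prefixlen == 32 else str(net)
        for net in ipaddress.collapse_addresses(valid)
    ]
    return merged, problems


if __name__ == "__main__":
    # Constructed sample entries.
    sample = ["10.1.10.0/24", "10.1.10.23", "10.1.10.23/24", "0.0.0.0/0",
              "192.0.2.7 ", "not-an-ip"]
    networks, problems = check_feed_entries(sample)
    print("add to feed:", networks)
    for entry, reason in problems:
        print("review:", entry, "->", reason)
```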


Troubleshooting

Troubleshooting Device Connectivity Issues

If you’ve added your Juniper Networks device to Sky Enterprise and it’s not showing as online, follow these steps to ensure that the path from your device to Sky Enterprise is working:

nnorman@lab-srx300> ping skyent-ncd01.juniper.net inet 

PING skyent-ncd01.oneconfig.net (165.227.48.108): 56 data bytes

64 bytes from 165.227.48.108: icmp_seq=0 ttl=51 time=87.918 ms

64 bytes from 165.227.48.108: icmp_seq=1 ttl=51 time=206.095 ms

64 bytes from 165.227.48.108: icmp_seq=2 ttl=51 time=86.716 ms

64 bytes from 165.227.48.108: icmp_seq=3 ttl=51 time=114.487 ms

^C

--- skyent-ncd01.oneconfig.net ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max/stddev = 86.716/123.804/206.095/48.790 ms


nnorman@lab-srx300> ping skyent-ncd02.juniper.net inet    

PING skyent-ncd02.oneconfig.net (68.183.248.21): 56 data bytes

64 bytes from 68.183.248.21: icmp_seq=0 ttl=51 time=87.824 ms

64 bytes from 68.183.248.21: icmp_seq=1 ttl=51 time=90.403 ms

64 bytes from 68.183.248.21: icmp_seq=2 ttl=51 time=85.504 ms

64 bytes from 68.183.248.21: icmp_seq=3 ttl=51 time=87.202 ms

^C

--- skyent-ncd02.oneconfig.net ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max/stddev = 85.504/87.733/90.403/1.760 ms

To check the connection, use Telnet on the Juniper Networks device with some specific options to activate the connection on port 4087.

Here is an example showing a Juniper Networks device that isn’t able to connect to Sky Enterprise on port 4087 and requires further investigation for the blocked traffic.

nnorman@lab-srx300> telnet skyent-ncd01.juniper.net port 4087

Trying 165.227.48.108...

telnet: connect to address 165.227.48.108: Connection refused

telnet: Unable to connect to remote host

Here is an example of a successful test: 

nnorman@lab-srx300> telnet skyent-ncd01.juniper.net port 4087     

Trying 165.227.48.108...

Connected to skyent-ncd01.oneconfig.net.

Escape character is '^]'.

^]

telnet> quit

Connection closed.


*NOTE Upstream devices may block outbound TCP port 4087 and/or outbound SSH on a non-standard port.

If you cannot determine the cause of a problem or need additional assistance, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.

Adding DNS or Static Host Mappings to Your Device (no DNS)

Sky Enterprise uses hostnames to allow devices to reconnect automatically in the event that IP addresses change. To leverage the domain name system (DNS) to perform this function automatically, see Adding DNS servers below. As a less automatic solution, if your device is unable to leverage DNS, use the JunOS static host mapping feature outlined below.


Adding DNS servers for automatic resolution

nnorman@lab-srx300> show configuration system name-server 


nnorman@lab-srx300> configure 

Entering configuration mode


[edit]

nnorman@lab-srx300# set system name-server 8.8.8.8


[edit]

nnorman@lab-srx300# set system name-server 1.1.1.1


nnorman@lab-srx300# commit and-quit

commit complete

Exiting configuration mode


Adding a Static Host Mapping to Your Device (no DNS)

Using a device that has DNS resolution, perform a lookup. Use the IP address obtained in the lookup in the static-host-mapping JunOS command.

From OSX:

nnorman-laptop:~ nnorman$ host skyent-ncd01.juniper.net

skyent-ncd01.juniper.net is an alias for skyent-ncd01.oneconfig.net.

skyent-ncd01.oneconfig.net has address 165.227.48.108


nnorman-laptop:~ nnorman$ host skyent-ncd02.juniper.net

skyent-ncd02.juniper.net is an alias for skyent-ncd02.oneconfig.net.

skyent-ncd02.oneconfig.net has address 68.183.248.21



nnorman@lab-srx300> configure


nnorman@lab-srx300# set system static-host-mapping skyent-ncd01.juniper.net inet <IP>


nnorman@lab-srx300# set system static-host-mapping skyent-ncd02.juniper.net inet <IP>


nnorman@lab-srx300# commit and-quit

commit complete

Exiting configuration mode

Troubleshooting ZTP

*NOTE If the above Authorization column shows required, pending device connection, it indicates that the device has not contacted Sky Enterprise yet. Further device troubleshooting should be performed.