request system zeroize or
loader> boot -s Enter full pathname of shell: /bin/sh # mount -t msdosfs /dev/da0s1 /mnt # vi /mnt/etc/master.passwd # (remove the password hash after root::) # reboot This is complex and requires physical or out-of-band console access. 6.1 Ansible and Default Passwords When using Ansible to initially provision QFX switches, never rely on a default blank password. Instead, use console-based first-time setup or pre-staged SSH keys via USB autoinstall.
ssh root@<qfx-mgmt-ip> You will get Connection refused because the SSH service is disabled in factory state.
Press Enter . You will see:
login: root Password: Press Enter at the password prompt. You are now logged in as root. If the switch has been configured for serial over LAN but the password was later cleared (e.g., via load factory-default ), the same blank password applies. 2.3 SSH – Not Enabled by Default Contrary to some misconceptions, SSH is not enabled out of the box. If you try:
Because in networking, as in security: the default is rarely your friend. Author’s note: This article applies to all QFX models including QFX5100, QFX5110, QFX5120, QFX5130, QFX5200, QFX5700, and QFX10000 series running Junos 15.1X53 and later.
- name: Configure QFX junipernetworks.junos.junos_config: host: " inventory_hostname " user: root passwd: "" # EMPTY PASSWORD src: config.conf – Use SSH keys or vault-encrypted temporary credentials. 6.2 Zero Touch Provisioning (ZTP) In ZTP, the switch gets an IP from DHCP and downloads a configuration file. That file must include a root password or, better, disable root login entirely. If the ZTP config does not set authentication, the switch remains vulnerable. Part 7: Common Misconceptions Myth 1: “QFX has a default password like juniper or juniper123 ” Fact: Juniper never shipped QFX with a manufacturer-set password. The only “default” is blank for root. Myth 2: “If I set a password once, it stays forever” Fact: Factory reset, load factory-default , or certain recovery operations clear it. Myth 3: “The management port is isolated, so no risk” Fact: Insider threats, misconfigured VLANs, and rogue devices on the same management segment can exploit blank passwords. Part 8: Auditing Your QFX Fleet for Default Passwords Use this operational script to check for blank root passwords across your QFX devices: qfx default password
load factory-default commit The root password is cleared. The switch reverts to root: (blank).
root@qfx> configure Entering configuration mode [edit] root@qfx# set system root-authentication plain-text-password New password: <enter strong password> Retype new password: <confirm> [edit] root@qfx# commit commit complete Now log out and test: console login should require the new password. For production, disable direct root login and use a separate admin account with su privileges:
Every engineer who unboxes a QFX, performs a zeroize, or loads factory-default configuration must immediately set a strong root password or—preferably—disable root login entirely. Document the change, verify it, and include it in your configuration management database. request system zeroize or loader> boot -s Enter
Introduction In the world of data center networking, Juniper’s QFX Series switches are ubiquitous. Designed for high-performance leaf-and-spine architectures, EVPN-VXLAN fabrics, and large-scale Layer 2/Layer 3 environments, these switches are powerful—but like all network devices, they begin their life in a vulnerable state. At the heart of that vulnerability lies a simple, often-overlooked question: What is the default password on a QFX switch?
set system login user admin uid 2000 set system login user admin class super-user set system login user admin authentication plain-text-password # (set admin password) set system root-authentication ssh-rsa "ssh-rsa AAAAB3..." # key-only, or set system root-authentication load-key-file /var/tmp/root_key.pub delete system root-authentication plain-text-password 4.3 Enforcing Password Policies set system login password format sha512 set system login password minimum-length 12 set system login password change-type user-set 4.4 Saving Configuration to Prevent Reversion After committing, save to both rescue and backup: