• Juniper SRX commands


    rollback

    set interface

    set routing-options static

    Change the initial password

    set system root-authentication plain-text-password (press Enter)

    New password:

    Retype new password:

    set system login user admin class super-user

    set system login user admin authentication plain-text-password (enter password)

    set system services ssh

    set security zones security-zone untrust host-inbound-traffic system-services ssh/ping

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh/telnet/ping

    set security zones security-zone trust host-inbound-traffic system-services ssh/telnet/ping

    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh/telnet/ping

    set security zones security-zone untrust interfaces ge-0/0/0 (if the interfaces are not assigned to zones, NAT cannot be configured)

    set security zones security-zone trust interfaces ge-0/0/1

    ###### set security zones security-zone trust interfaces ge-0/0/1 ???

    ###### set interfaces interface-range interfaces-trust member ge-0/0/1  ????

    Static NAT:

      set security nat source rule-set interface-nat from zone trust

      set security nat source rule-set interface-nat to zone untrust

      set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23

      set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0

      set security nat source rule-set interface-nat rule rule1 then source-nat interface

    set security zones security-zone trust address-book address 192 192.168.0.0/23

    set security zones security-zone trust address-book address-set 192nat address 192

    set security policies from-zone trust to-zone untrust policy 192nat match source-address any

    set security policies from-zone trust to-zone untrust policy 192nat match destination-address any

    set security policies from-zone trust to-zone untrust policy 192nat match application any

    set security policies from-zone trust to-zone untrust policy 192nat then permit

    Force 172.16.0.12 to go out via .150 (by default it goes out via the physical interface address .146)

    set security nat source pool pool-1 address 121.9.255.112

    set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32

    set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0

    set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1

    insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou

    ##########################################################

    Port mapping, static PAT: outside to inside

    set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/24

    set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/24

    set security nat destination pool dnat-pool-1 address 192.168.0.9/32

    set security nat destination pool dnat-pool-2 address 172.16.0.12/32

    set security nat destination rule-set dst-nat from zone untrust

    set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/24

    set security nat destination rule-set dst-nat rule rule3 match destination-port 21

    set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1

    set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/24

    set security nat destination rule-set dst-nat rule rule2 match destination-port 443

    set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2

    set security zones security-zone trust address-book address ftpserver 192.168.0.9

    set security zones security-zone trust address-book address mailserver 172.16.0.12

    set security zones security-zone trust address-book address-set servergroup address ftpserver

    set security zones security-zone trust address-book address-set servergroup address mailserver

    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http

    set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3

    set security policies from-zone untrust to-zone trust policy static-nat then permit

    set applications application 443 protocol tcp

    set applications application 443 destination-port 443

    ##############################################################

    set security nat source rule-set sou-nat from zone trust

    set security nat source rule-set sou-nat to zone untrust

    set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32

    set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0

    set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1

    ##############################################################

    Management ports:

    set system services web-management https

    set system services web-management http

    set system services web-management http port 8084

    set system services web-management http interface all

    set system services web-management https system-generated-certificate

    set system services web-management http interface ge-0/0/0.0

    set system services web-management https interface ge-0/0/0.0

    ###########################################################################

    Define the port group XXX_group:

    set applications application smtp_25 destination-port 25 protocol tcp

    set applications application pop3_110 destination-port 110 protocol tcp

    set applications application exchange_135 destination-port 135 protocol tcp

    set applications application smtp_465 destination-port 465 protocol tcp

    set applications application imap_993 destination-port 993 protocol tcp  

    set applications application pop3_995 destination-port 995 protocol tcp

    set applications application-set mail_port_group application smtp_25

    set applications application-set XXX_group application smtp

    set applications application-set XXX_group application pop3

    Reference XXX_group:

    set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group

    ##############################################################################

    Reverse static NAT: outside to inside

    set security nat static rule-set mail-static-nat from zone untrust

    set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32

    set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32

    Corresponding security policy:

    set security policies from-zone untrust to-zone trust policy mail-policy match source-address any

    set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser

    set security policies from-zone untrust to-zone trust policy mail-policy match application any (XXX_group)

    set security policies from-zone untrust to-zone trust policy mail-policy then permit

    Insert a policy:

    set security zones security-zone trust address-book address deny_172 172.16.0.155

    set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172

    set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any

    set security policies from-zone trust to-zone untrust policy deny_172 match application any

    set security policies from-zone trust to-zone untrust policy deny_172 then deny

    insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust (Trust2Utrust is the policy that permits Internet access)

    #####################################################

    Block the 192 subnet from Internet access, allowing only 192.168.0.2 and 192.168.0.121 online

    set security zones security-zone trust address-book address deny_192 192.168.0.0/23

    set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32

    set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32

    set security zones security-zone trust address-book address-set permit_192_online address FTP_ser

    set security zones security-zone trust address-book address-set permit_192_online address permit_host_2

    set security zones security-zone trust address-book address-set permit_192_online address permit_host_121

    set security zones security-zone trust address-book address-set deny_192_online address deny_192

    Corresponding security policy:

    set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online

    set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any

    set security policies from-zone trust to-zone untrust policy permit_192_online match application any

    set security policies from-zone trust to-zone untrust policy permit_192_online then permit

    set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online

    set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any

    set security policies from-zone trust to-zone untrust policy deny_192_online match application any

    set security policies from-zone trust to-zone untrust policy deny_192_online then deny

    insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172

    insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
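The two insert commands above are what make this work: within a zone pair the SRX evaluates policies top-down and the first match wins, so a permit or deny added with set lands at the bottom, behind the broad Trust2Utrust permit, until it is moved. The Python script below is an added example, not from the original post; it parses a constructed, abbreviated copy of the trust-to-untrust policies above (address-sets collapsed to plain address-book entries, source-address matches only), replays the set/insert ordering, and reports which policy a given source hits, with and without the insert lines.

```python
import ipaddress

# Constructed sample modelled on this page's trust->untrust policies (abbreviated to
# source-address matches; the address-sets are collapsed to plain address-book entries).
CONFIG = """
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security policies from-zone trust to-zone untrust policy Trust2Utrust match source-address any
set security policies from-zone trust to-zone untrust policy Trust2Utrust then permit
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_host_2
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
"""

def load(text):
    """Parse 'display set' lines into an ordered list of (policy, source prefixes, action)."""
    book = {"any": [ipaddress.ip_network("0.0.0.0/0")]}
    order, srcs, action = [], {}, {}
    for line in text.strip().splitlines():
        w = line.split()
        if "address-book" in w:                  # ... address-book address NAME PREFIX
            book[w[-2]] = [ipaddress.ip_network(w[-1], strict=False)]
            continue
        name = w[w.index("policy") + 1]
        if w[0] == "insert":                     # 'insert X before policy Y' moves X ahead of Y
            order.remove(name)
            order.insert(order.index(w[-1]), name)
            continue
        if name not in order:                    # 'set' appends policies in entry order
            order.append(name)
        if "source-address" in w:
            srcs.setdefault(name, []).append(w[-1])
        if "then" in w:
            action[name] = w[-1]
    return [(n, [p for s in srcs[n] for p in book[s]], action[n]) for n in order]

def evaluate(policies, src_ip):
    """First match wins, as on the SRX; an unmatched flow hits the implicit default deny."""
    ip = ipaddress.ip_address(src_ip)
    for name, prefixes, act in policies:
        if any(ip in p for p in prefixes):
            return name, act
    return "default-deny", "deny"
```

Dropping the insert lines before calling load() shows the failure mode: 192.168.0.50 then matches Trust2Utrust and is permitted, because deny_192_online sits below it.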

    ###########################################################################

    Configure web management

    set system host-name Test

    set system root-authentication encrypted-password "$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."

    set system name-server 202.96.128.166

    set system name-server 202.96.128.86

    set system login user admin uid 2001

    set system login user admin class super-user

    set system login user admin authentication encrypted-password HJuZerSULPfkA

    set system services ssh

    set system services web-management http port 8084

    set system services web-management http interface all

    set system services web-management http interface ge-0/0/0.0

    set system services web-management https system-generated-certificate

    set system services web-management https interface ge-0/0/0.0

    set interfaces ge-0/0/0 unit 0 family inet address 192.168.8.125/24

    set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

    set security zones security-zone untrust host-inbound-traffic system-services http

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

    ###########################################################################

    Open service ports on Untrust

    set security zones security-zone untrust interfaces ge-0/0/0.0

    set security zones security-zone untrust host-inbound-traffic system-services all

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/1.0

    set security zones security-zone trust host-inbound-traffic system-services all

    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
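Allowing system-services all on the untrust zone and its interface, as above, exposes every management service on the Internet-facing side, including cleartext telnet and http. The script below is an added example, not from the original post; it takes a constructed mix of this page's zone-level and interface-level host-inbound-traffic lines, computes the effective service set per interface on the assumption that an interface-level host-inbound-traffic statement overrides the zone-level one for that interface, and lists the risky services reachable from an exposed zone.

```python
# Constructed sample (not the page's lines verbatim) mixing zone-level and interface-level
# host-inbound-traffic statements; the page's "ssh/ping" shorthand is expanded to one line each.
CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services telnet
set security zones security-zone trust host-inbound-traffic system-services ping
"""

RISKY = {"all", "telnet", "http", "ftp"}  # catch-all or cleartext management services

def effective_services(text):
    """Return {interface: (zone, services)}; an interface-level statement overrides the zone's."""
    zone_svc, if_svc, if_zone = {}, {}, {}
    for line in text.strip().splitlines():
        w = line.split()
        zone = w[w.index("security-zone") + 1]
        if "interfaces" in w:
            ifname = w[w.index("interfaces") + 1]
            if_zone[ifname] = zone
            if "system-services" in w:
                if_svc.setdefault(ifname, set()).add(w[-1])
        elif "system-services" in w:
            zone_svc.setdefault(zone, set()).add(w[-1])
    return {i: (z, if_svc.get(i) or zone_svc.get(z, set())) for i, z in if_zone.items()}

def findings(text, exposed_zones=("untrust",)):
    """Sorted (interface, service) pairs where a risky service is reachable from an exposed zone."""
    return sorted((i, s) for i, (z, svcs) in effective_services(text).items()
                  if z in exposed_zones for s in svcs if s in RISKY)
```

Passing exposed_zones=("untrust", "trust") also reports the zone-level telnet inherited by ge-0/0/1.0, which the audit on the untrust side alone would not show.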

    Configure the default route + NAT

    set routing-options static route 0.0.0.0/0 next-hop 192.168.8.1

    set security nat source rule-set sou-nat from zone trust

    set security nat source rule-set sou-nat to zone untrust

    set security nat source rule-set sou-nat rule rule-sou match source-address 0.0.0.0/0

    set security nat source rule-set sou-nat rule rule-sou match destination-address 0.0.0.0/0

    set security nat source rule-set sou-nat rule rule-sou then source-nat interface

      Internal network permit policy:

      set security policies from-zone trust to-zone untrust policy in_out match source-address any

      set security policies from-zone trust to-zone untrust policy in_out match destination-address any

      set security policies from-zone trust to-zone untrust policy in_out match application any

      set security policies from-zone trust to-zone untrust policy in_out then permit

    ###########################################################################

    UTM features: anti-virus

    set security utm utm-policy test-policy anti-virus http-profile junos-av-defaults

    set security utm utm-policy test-policy anti-virus ftp upload-profile junos-av-defaults

    set security utm utm-policy test-policy anti-virus ftp download-profile junos-av-defaults

    set security utm utm-policy test-policy anti-virus smtp-profile junos-av-defaults

    set security utm utm-policy test-policy anti-virus pop3-profile junos-av-defaults

    set security utm utm-policy test-policy anti-virus imap-profile junos-av-defaults

    set security utm utm-policy test-policy anti-spam smtp-profile junos-as-defaults

    set security utm utm-policy test-policy traffic-options sessions-per-client over-limit log-and-permit

    set security utm utm-policy web-policy anti-virus http-profile junos-av-defaults

    set security utm utm-policy web-policy traffic-options sessions-per-client over-limit log-and-permit

    set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online

    set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any

    set security policies from-zone trust to-zone untrust policy permit_192_online match application any

    set security policies from-zone trust to-zone untrust policy permit_192_online then permit application-services utm-policy web-policy

    set security policies from-zone untrust to-zone trust policy mail-policy match source-address any

    set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser

    set security policies from-zone untrust to-zone trust policy mail-policy match application mail_port_group

    set security policies from-zone untrust to-zone trust policy mail-policy then permit application-services utm-policy test-policy

    set security policies from-zone untrust to-zone trust policy Ftp-Policy match source-address any

    set security policies from-zone untrust to-zone trust policy Ftp-Policy match destination-address FTP_ser

    set security policies from-zone untrust to-zone trust policy Ftp-Policy match application junos-ftp

    set security policies from-zone untrust to-zone trust policy Ftp-Policy then permit application-services utm-policy test-policy

    admin@KDS_FW> show security utm anti-spam statistics

    ##########################################################

    Dynamic VPN configuration:

    run show chassis routing-engine (check CPU usage: user and idle)

    show config | dis set | match utm

    show log utmd-av | last

    clear log utmd-av

    ###########################################################

    Packet capture configuration:

    Could you please configure the following traceoption and send the log file.

    You can create the packet filter as follows

    #set security flow traceoptions file debug

    #set security flow traceoptions flag basic-datapath

    #set security flow traceoptions packet-filter filter1 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80

    #set security flow traceoptions packet-filter filter2 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80

    #commit

    The second filter is for the return traffic.

    show log debug

    Delete the generated log file

    In operational mode: file delete /var/log/debug

    Or: start shell

    In the shell: cd /var/log/ ; rm -rf xxx.log

    request system license update

    Juniper SRX configuration file storage directories

    /config/juniper.config.n(n=0-3)

    /var/db/config/juniper.config.n(n=4-49)

    Juniper SRX root password recovery

    Password recovery

    If the SRX root password is lost and no other super-user account is available, password recovery must be performed. This operation interrupts normal operation of the device but does not lose the configuration, which is a difference from ScreenOS.

    To perform password recovery, proceed as follows:

    1. Connect to the SRX through the console port, then reboot the SRX.

    2. During boot, when the following prompt appears on the console, press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s

    Loading /boot/defaults/loader.conf
    /kernel data=… … syms=[… …]
    Hit [Enter] to boot immediately, or space bar for command prompt.
    loader>

    loader> boot -s

    3. Perform password recovery: type recovery at the following prompt, and the device will reboot automatically.

    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

    4. Enter configuration mode, delete the root password, and set a new root password:

    user@host> configure
    Entering configuration mode
    user@host# delete system root-authentication
    user@host# set system root-authentication plain-text-password
    New password:
    Retype new password:
    user@host# commit
    commit complete

    Thanks for reading
  • Original address: https://www.cnblogs.com/wspblog/p/15432707.html