Juniper新一代业务网关SRX

Data SheetTable 1. SRX4100 and SRX4200 Statistics¹The SRX4100 and SRX4200 recognize more than 4,275 applications and nested applications in plain-text or SSL-encrypted transactions. The firewalls also integrate with Microsoft Active Directory and combine user information with application data to provide network-wide application and user visibility and control.Features and BenefitsTable 2. SRX4100 and SRX4200 Features and BenefitsSRX4100 and SRX4200 Services Gateways Specifications Software SpecificationsFirewall Services•Stateful and stateless firewall•Zone-based firewall•Screens and distributed denial of service (DDoS) protection •Protection from protocol and traffic anomalies•Unified Access Control (UAC)Network Address Translation (NAT)•Source NAT with Port Address T ranslation (PAT)•Bidirectional 1:1 static NAT•Destination NAT with PAT•Persistent NAT•IPv6 address translationVPN Features•Tunnels: Site-to-site, hub and spoke, dynamic endpoint,AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/Dual Stack)•Juniper Secure Connect: Remote access/SSL VPN •Configuration payload: Yes•IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, Suite B•IKE authentication algorithms: MD5, SHA-1, SHA-128,SHA-256, SHA-384•Authentication: Pre-shared key and public key infrastructure(PKI) (X.509)•IPsec (Internet Protocol Security): Authentication Header(AH) / Encapsulating Security Payload (ESP) protocol •IPsec Authentication Algorithms: hmac-md5, hmac-sha-196,hmac-sha-256•IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC,AEC-CBC, AES-GCM, Suite B•Perfect forward secrecy, anti-reply•Internet Key Exchange: IKEv1, IKEv2•Monitoring: Standard-based dead peer detection (DPD)support, VPN monitoring•VPNs GRE, IP-in-IP, and MPLS High Availability Features•Virtual Router Redundancy Protocol (VRRP) – IPv4 and IPv6•Stateful high availability:-Dual box clustering-Active/passive-Active/active-Configuration synchronization-Firewall session synchronization-Device/link detection-In-Service Software Upgrade (ISSU)•IP monitoring with route and interface failoverApplication Security Services3•Application visibility and control•Application-based firewall•Application QoS•Advanced/application policy-based routing (APBR)•Application Quality of Experience (AppQoE)•Application-based multipath routing•User-based firewallThreat Defense and Intelligence Services3•Intrusion prevention system•Antivirus•Antispam•Category/reputation-based URL filtering•SSL proxy/inspection•Protection from botnets (command and control)•Adaptive enforcement based on GeoIP•Juniper Advanced Threat Prevention, a cloud-based SaaSoffering, to detect and block zero-day attacks•Adaptive Threat Profiling•Encrypted T raffic Insights•SecIntel to provide threat intelligence•Juniper ATP Appliance, a distributed, on-premises advancedthreat prevention solution to detect and block zero-day attacks Offered as advanced security subscription license.Routing Protocols•IPv4, IPv6, static routes, RIP v1/v2•OSPF/OSPF v3•BGP with route reflector•IS-IS•Multicast: Internet Group Management Protocol (IGMP) v1/v2;Protocol Independent Multicast (PIM) sparse mode (SM)/source-specific multicast (SSM); Session Description Protocol(SDP); Distance Vector Multicast Routing Protocol (DVMRP);Multicast Source Discovery Protocol (MSDP); reverse pathforwarding (RPF)•Encapsulation: VLAN, Point-to-Point Protocol over Ethernet(PPPoE)•Virtual routers•Policy-based routing, source-based routing•Equal-cost multipath (ECMP)QoS Features•Support for 802.1p, DiffServ code point (DSCP), EXP •Classification based on VLAN, data-link connection identifier(DLCI), interface, bundles, or multifield filters•Marking, policing, and shaping•Classification and scheduling•Weighted random early detection (WRED)•Guaranteed and maximum bandwidth•Ingress traffic policing•Virtual channels Network Services•Dynamic Host Configuration Protocol (DHCP) client/server/relay•Domain Name System (DNS) proxy, dynamic DNS (DDNS)•Juniper real-time performance monitoring (RPM) and IPmonitoring•Juniper flow monitoring (J-Flow)Advanced Routing Services•Packet Mode•MPLS (RSVP, LDP)•Circuit cross-connect (CCC), translational cross-connect (TCC)•L2/L2 MPLS VPN, pseudo-wires•Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)•MPLS traffic engineering and MPLS fast re-routeManagement, Automation, Logging, and Reporting•SSH, T elnet, SNMP•Smart image download•Juniper CLI and Web UI•Juniper Networks Junos Space Security Director•Python•Junos events, commit and OP scripts•Application and bandwidth usage reporting•Debug and troubleshooting toolsHardware SpecificationsTable 3. SRX4100 and SRX4200 Hardware SpecificationsJuniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https:///us/en/products.html.Ordering InformationT o order Juniper Networks SRX Series Services Gateways, and to access software licensing information, please visit the How to Buy page at https:///us/en/how-to-buy/form.html.Base System AccessoriesSRX4100 Performance Upgrade License Advanced Security Services Subscription LicensesRemote Access/Juniper Secure Connect VPN LicensesAbout Juniper NetworksAt Juniper Networks, we are dedicated to dramatically simplifyingnetwork operations and driving superior experiences for end users.Our solutions deliver industry-leading insight, automation, securityand AI to drive real business results. We believe that poweringconnections will bring us closer together while empowering us all tosolve the world’s greatest challenges of well-being, sustainabilityand equality.Corporate and Sales HeadquartersJuniper Networks, Inc.1133 Innovation WaySunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or +1.408.745.2000APAC and EMEA HeadquartersJuniper Networks International B.V.Boeing Avenue 240 1119 PZ Schiphol-RijkAmsterdam, The NetherlandsPhone: +31.207.125.700Copyright 2022 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no。

The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Junos®Space Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each services gateway can support near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 1.2 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization.The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the gateway can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables realizationof maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection.The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Seriesis equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), unified threat management (UTM), quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution.Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800The SRX5800 Services Gateway is the market-leading security solution supporting up to 1.2 Tbps firewall throughput and latency as low as 32 microseconds for stateful firewall. The SRX5800 also supports 1 Tbps IPS and 395 million concurrent sessions. Equipped with the full range of advanced security services, the SRX5800 is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600The SRX5600 Services Gateway uses the same SPCs and IOCsas the SRX5800 and can support up to 570 IMIX Gbps firewall throughput, 180 million concurrent sessions, and 460 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregation of various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments. SRX5400The SRX5400 Services Gateway uses the same SPCs and IOCs as the SRX5800 and can support up to 285 Gbps IMIX firewall, 90 million concurrent sessions, and 230 Gbps IPS. The SRX5400 is a small footprint, high-performance gateway ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments. Service Processing Cards (SPC)As the “brains” behind the SRX5000 line, SPCs are designedto process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxedto the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Services Gateways.I/O Cards (IOCs)To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. Juniper offers the IOC2, a second-generation card with superior connectivity options. The IOC2 offers 100GbE as well as 40GbE and high-density 10GbE and 1GbE connectivity options. These options reduce the need for link aggregation when connecting high throughput switches to the firewall, as well as enabling increased throughput in the firewall itself. The IOC2 is supported on all three platforms in the SRX5000 line of services gateways.The third generation of IOCs from Juniper, the IOC3, delivers the highest throughput levels yet, along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC2 or IOC3 operates with the Express Path optimization capability, delivering higher levels of throughput—up to an industry-leading 2 Tbps on the SRX5800. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800.Routing Engine (RE2) and Enhanced System Control Board (SCB3)The SRX5K-RE-1800X4 Routing Engine (RE2) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 1800 MHz. It delivers improved performance, scalability, and reliability with 16 GB DRAM and 128 GB solid-state drive (SSD). The SRX5K-SCB3 Enhanced System Control Board (SCB3) enables 240 Gbps per slot throughput with intra as well as interchassis high availability and redundancy.Features and BenefitsNetworking and SecurityThe Juniper Networks SRX5000 line of Services Gateways has been designed from the ground up to offer robust networking andsecurity services.*Requires Junos OS 15.1x49-D10 or greater.**Requires Junos OS 18.2R1-S1 or greater.IPS CapabilitiesJuniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Content Security UTM CapabilitiesThe UTM services offered on the SRX5000 line of Services Gateways include industry-leading antivirus, antispam, content filtering,and additional content security services.Advanced Threat PreventionAdvanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper Sky ATP, a SaaS-based service, and the Juniper ATP Appliance, anon-premises solution.More information about Juniper Sky ATP can be found at /us/en/products-services/security/sky-advanced-threat-prevention/. Additional information about the Juniper ATP Appliance can be found at /us/en/products-services/ security/advanced-threat-prevention-appliance/.Centralized ManagementJuniper Networks Junos Space Security Director delivers scalable and responsive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage all phases of the security policy life cycle through a single web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration. Security Director runs on the Junos Space Network Management Platform for highly extensible, network-wide management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.Specifications1SRX5600Services GatewaySRX5800Services GatewaySRX5400Services Gateway Performance, capacity and features listed are based on systems running Junos OS 18.2R1 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.Firewall* Session capacity differs based on UTM/AppSecure/IPS features enabled.* Session capacity differs based on UTM/AppSecure/IPS features enabled.Maximum number of BGP and OSPF routes recommended is 100,000.Please consult the technical publication documents and release notes for a list of compatible ISSU features.T o enable dual control links on the SRX5000 line, two SRX5K-RE-1800X4 modules must be installed on each cluster member.SRX5000 line of gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX5000 line): - Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages- Section 7.5B Mobile Station (MS) info change messages- Section 7.3.12 Initiate secondary PDP context from GGSNShort term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year.WarrantyFor warranty information, please visit /support/warranty/.Juniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize yourhigh-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services .Ordering Information*These products require Junos OS 12.1X47-D15 or greater.**Requires Junos OS 15.1X49-D10 or greater.Corporate and Sales Headquarters Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or +Copyright 2019 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.APAC and EMEA Headquarters Juniper Networks International B.V.Boeing Avenue 2401119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: +31.0.207.125.700EXPLORE JUNIPERAbout Juniper NetworksJuniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.* I n 12.3X48-D10, the Services Offload feature was renamed Express Path and is included withoutrequiring a license for Junos OS X48 releases and beyond. With the X48 release, the Express Path feature is supported on all SRX5000 Services Gateways including the SRX5400. For versions prior to the X48 release, the Services Offload license is still required and supports only SRX5600 and SRX5800 products. Express Path is available on the SRX5400, SRX5600, and SRX5800 Services Gateways. No separate license required.。

Quick Start GuideMount the SD-WAN Edge CPE1.Attach the brackets to the SD-WAN Edge CPE.e the screws and cage nuts supplied with the rack to securethe SD-WAN Edge CPE in the rack.Ground the SD-WAN Edge CPE1.Ensure the rack on which the SD-WAN Edge CPE is to bemounted is properly grounded and in compliance withinternational and local standards. Verify that there is a good electrical connection to the grounding point on the rack. (no paint or isolating surface treatment)2.Attach a lug (not provided) to a #18 AWG minimum groundingwire (not provided), and connect it to the grounding point on the device’s rear panel. Then connect the other end of the wire to rack ground.Connect Power1.Plug the power cord into a 100-240 VAC, 50-60 Hz AC powersource.2.Insert the other end of the power cord directly into the AC inputsocket on the back of the device.Caution: Risk of explosion if battery is replaced by anincorrect type. Dispose of used batteries according to the manufacturer’s instructions.Attention: Risque d’explosion si la batterie est remplacée par un type incorrect. Éliminez les piles usagées conformément auxinstructions.12121Caution: The earth connection must not be removed unlessall supply connections have been disconnected.Attention: Le raccordement à la terre ne doit pas être retiré sauf si toutes les connexions d’alimentation ont été débranchées.Caution: The device must be installed in a restricted-accesslocation. It should have a separate protective earthing terminal on the chassis that must be permanently connected to earth to adequately ground the chassis and protect the operator from electrical hazards.Attention: L'appareil doit être installé dans un emplacement à accès restreint. Il doit comporter une borne de terre de protection distincte sur le châssis, qui doit être connectée en permanence à la terre pour assurer une mise à la terre adéquate du châssis et protéger l'opérateur des risques électriques.Caution: Use the AC power cord supplied with the device .For International use, you may need to change the AC line cord. You must use line cord sets that have been approved for the socket type in your country.Attention: Utilisez le cordon d’alimentation secteur fourniavec l’appareil. Pour une utilisation internationale, vous devrez peut-être changer le cordon d’alimentation secteur. Vous devez utiliser des jeux de cordons d’alimentation qui ont étéapprouvés pour le type de prise dans votre pays.321SD-WAN Edge CPESDW1001.SDW100 SD-WAN Edge CPE2.Rack Mounting Kit—2 brackets and 8 screws3.Power cord—either Japan, US, Continental Europe or UK4.Console cable—RJ-45 to DB-95.Documentation—Quick Start Guide (this document)25143Package ContentsCheck the System LEDs1.Verify basic operation by checking the system LEDs. Whenoperating normally, the Power LED should be on green and the Status LED should be either on blue or blinking when the device is booting up.Connect Network Cables1.For the 1000BASE-T RJ-45 ports, connect 100-ohm Category 5,5e or better twisted-pair cable.2.For the SFP slots, first install SFP transceivers and then connectfiber optic cabling to the transceiver ports.The following transceivers are supported:⏹1000BASE-SX (ET4201-SX)⏹1000BASE-LX (ET4201-LX)⏹1000BASE-ZX (ET4201-ZX)⏹1000BASE-LHX (ET4201-LHX)3.As connections are made, check the port status LEDs to be surethe links are valid.⏹On/Blinking Green — Port has a valid link. Blinking indicates network activity.Make Initial Configuration Changes1.Connect a PC to one of the SD-WAN Edge CPE’s LAN ports.2.Log in to the web interface using the default management IPaddress 192.168.100.1 (there is no user name or password).3.Configure the Barrista controller IP address and port throughone of the following methods.⏹DHCP: Automatic configuration.⏹Static: Manually set the IP address, subnet mask, default gateway, and DNS servers.⏹PPPoE: Set the PPPoE username and password.4.Click “Save” to confirm the configuration and enable the SD-WAN Edge CPE to communicate with the Barrista controller.Hardware Specifications41153126Chassis Size (WxDxH)42.6 x 27.0 x 4.4 cm (16.8 x 10.6 x 1.7 in.)Weight 2.64 kg (5.81 lb)Temperature Operating: 0 °C to 40 °C (32 °F to 104 °F)Storage: -20 °C to 70 °C (-4 °F to 158 °F)Humidity Operating: 10% to 90% (non-condensing)InterfacesNetwork Ports 3-10: RJ-45 10/100/1000BASE-TPorts 1-2 RJ-45 10/100/1000BASE-T or SFP USB 1 USB 3.0ConsoleRS-232 serial, RJ-45 portPower AC Input100-240 VAC 50-60 Hz 2.5 APower Consumption 65 Watts Maximum Maximum Current0.9 ARegulatory Compliances EmissionsCE MarkEN 55032, Class A EN 61000-3-2, Class A EN 61000-3-3FCC Class A CNS 1343847 CPR FCC Part 15:2016, Subpart B, Class A ANSI C63.4:2014CISPR 32.2015 + COR1:2016, Class A AS/NZS CISPR 32:2015, Class ACanada Std. ICES-003:2016 Issue 6, Class A Immunity IEC 61000-4-2/3/4/5/6/8/11SafetyUL 62368-1 & CAN/CSA C22.2 No. 62368-1-14CB IEC/EN 60950-1 & IEC/EN 62368-1 2nd. BSMI Safety Standard CNS14336-1Taiwan RoHSCNS 15663Safety and Regulatory InformationFCC Class AThis equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.You are cautioned that changes or modifications not expressly approved by the party responsible for compliance could void your authority to operate the equipment.You may use unshielded twisted-pair (UTP) for RJ-45 connections - Category 3 or better for 10 Mbps connections, Category 5 or better for 100 Mbps connections, Category 5, 5e, or 6 for 1000 Mbps connections. For fiber optic connections, you may use 50/125 or 62.5/ 125 micron multimode fiber or 9/125 micron single-mode fiber.CE MarkCE Mark Declaration of Conformance for EMI and Safety (EEC)This information technology equipment complies with the requirements of the Council Directive 2014/30/EU on the Approximation of the laws of the Member States relating to Electromagnetic Compatibility and 2014/ 35/EU for electrical equipment used within certain voltage limits. For the evaluation of the compliance with these Directives, the following standards were applied:RFI Emission:⏹Limit according to EN 55032:2012+AC:2013, Class A⏹Limit for harmonic current emission according to EN 61000-3-2:2014, Class A⏹Limitation of voltage fluctuation and flicker in low-voltage supplysystem according to EN 61000-3-3:2013Immunity:⏹Product family standard according to EN 55024:2010⏹Electrostatic Discharge according to IEC 61000-4-2:2008⏹Radio-frequency electromagnetic field according to IEC 61000-4-3:2010⏹Electrical fast transient/burst according to IEC 61000-4-4:2012⏹Surge immunity test according to IEC 61000-4-5:2014⏹Immunity to conducted disturbances, Induced by radio-frequencyfields: IEC 61000-4-6:2013⏹Power frequency magnetic field immunity test according to IEC61000-4-8:2009⏹Voltage dips, short interruptions and voltage variations immunity testaccording to IEC 61000-4-11:2004LVD:⏹EN 62368-1:2014/A11: 2017The Declaration of Conformity (DoC) can be obtained from -> support -> download.Japan - VCCI Class ALaser SafetyWarning: Fiber Optic Port Safety:Avertissment: Ports pour fibres optiques - sécurité sur le plan optique: Warnhinweis: Faseroptikanschlüsse - Optische Sicherheit:Battery SafetyPower Cord SafetyPlease read the following safety information carefully before installing the device:Warning:Installation and removal of the unit must be carried out by qualified personnel only.⏹The unit must be connected to an earthed (grounded) outlet tocomply with international safety standards.⏹Do not connect the unit to an A.C. outlet (power supply) without anearth (ground) connection.⏹The appliance coupler (the connector to the unit and not the wallplug) must have a configuration for mating with an EN 60320/IEC 320 appliance inlet.⏹The socket outlet must be near to the unit and easily accessible. Youcan only remove power from the unit by disconnecting the powercord from the outlet.⏹This unit operates under SELV (Safety Extra Low Voltage) conditionsaccording to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELVconditions.When using a fiber optic port, never look at thetransmit laser while it is powered on. Also, never lookdirectly at the fiber TX port and fiber cable ends whenthey are powered on.Ne regardez jamais le laser tant qu'il est sous tension.Ne regardez jamais directement le port TX(Transmission) à fibres optiques et les embouts decâbles à fibres optiques tant qu'ils sont sous tension.Niemals ein Übertragungslaser betrachten, währenddieses eingeschaltet ist. Niemals direkt auf den Faser-TX-Anschluß und auf die Faserkabelenden schauen,während diese eingeschaltet sind.Warning: If your device uses a lithium battery, do not attemptto replace the battery yourself. Return the device to themanufacturer for battery replacement.Avertissement: Si votre appareil utilise une batterie aulithium, n’essayez pas de remplacer la batterie vous-même.Renvoyez l’appareil au fabricant pour le remplacement de labatterie.If the device contains lithium batteries that are encased in asealed chassis, do not attempt to open the sealed chassis underany circumstances.Si l’appareil contient des piles au lithium logées dans unchâssis scellé, n’essayez en aucun cas d’ouvrir le châssis scellé.Risk of explosion if the battery is replaced by an incorrect type.Dispose of used batteries according to the instructions.Risque d’explosion si la batterie est remplacée par un typeincorrect. Éliminez les piles usagées conformément auxinstructions.CLASS ILASER DEVICEDISPOSITIF LASERDE CLASSE ILASERGERDER KLASSE IÄTFrance and Peru onlyThis unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labeled Neutral, connected directly to earth (ground).† Impédance à la terreImportant! Before making connections, make sure you have the correct cord set. Check it (read the label on the cable) against the following:Veuillez lire à fond l’information de la sécurité suivante avant d’installer l’appareil:Avertissement: L’installation et la dépose de ce groupe doivent être confiés à un personnel qualifié.⏹Ne branchez pas votre appareil sur une prise secteur (alimentationélectrique) lorsqu’il n’y a pas de connexion de mise à la terre (mise à la masse).⏹Vous devez raccorder ce groupe à une sortie mise à la terre (mise àla masse) afin de respecter les normes internationales de sécurité.⏹Le coupleur d’appareil (le connecteur du groupe et non pas la prisemurale) doit respecter une configuration qui permet unbranchement sur une entrée d’appareil EN 60320/IEC 320.⏹La prise secteur doit se trouver à proximité de l’appareil et son accèsdoit être facile. Vous ne pouvez mettre l’appareil hors circuit qu’en débranchant son cordon électrique au niveau de cette prise.⏹L’appareil fonctionne à une tension extrêmement basse de sécuritéqui est conforme à la norme IEC 60950. Ces conditions ne sontmaintenues que si l’équipement auquel il est raccordé fonctionne dans les mêmes conditions.France et Pérou uniquement:Ce groupe ne peut pas être alimenté par un dispositif à impédance à la terre. Si vos alimentations sont du type impédance à la terre, ce groupe doit être alimenté par une tension de 230 V (2 P+T) par le biais d’un transformateur d’isolement à rapport 1:1, avec un point secondaire de connexion portant l’appellation Neutre et avec raccordement direct à la terre (masse).Bitte unbedingt vor dem Einbauen des Geräts die folgenden Sicherheitsanweisungen durchlesen:Warnung: Die Installation und der Ausbau des Geräts darf nur durch Fachpersonal erfolgen.⏹Das Gerät sollte nicht an eine ungeerdete Wechselstromsteckdoseangeschlossen werden.⏹Das Gerät muß an eine geerdete Steckdose angeschlossen werden,welche die internationalen Sicherheitsnormen erfüllt.⏹Der Gerätestecker (der Anschluß an das Gerät, nicht derWandsteckdosenstecker) muß einen gemäß EN 60320/IEC 320konfigurierten Geräteeingang haben.⏹Die Netzsteckdose muß in der Nähe des Geräts und leichtzugänglich sein. Die Stromversorgung des Geräts kann nur durch Herausziehen des Gerätenetzkabels aus der Netzsteckdoseunterbrochen werden.⏹Der Betrieb dieses Geräts erfolgt unter den SELV-Bedingungen(Sicherheitskleinstspannung) gemäß IEC 60950. Diese Bedingungen sind nur gegeben, wenn auch die an das Gerät angeschlossenen Geräte unter SELV-Bedingungen betrieben werden.电源线安全安装交换机前，请仔细阅读以下安全信息。

JUNIPer配置说明〉操作模式#配置模式#show interface#show interface deatil | math fe‐0/0/0>hlpe apropes arp>config ３种模式#edit interface 一层一层配置#up 退出#show |display set （显示所有可刷的命令）#edit security nat source#rename rule‐set trust‐to‐untrust to rule‐set inside‐to‐outside (重命令nat名字) #rollback (恢复到以前的配置，可选５０份)#commit at 201207200800(定时提交)>clear system commit (清除未提交的配置)#commit comment "beyond"（为提交的配置进行说明）# run show system commit（查看提交的配置说明，用于快速恢复的配置） #commit confirmed (十分钟之内不对配置进行确认，自动恢复配置到提交之前) #copy interface ge‐0/0/1 to ge0/0/3 （复制配置）#show system update (查看系统时间)>request system reboot (重启系统)>request system power‐off (关闭系统)#edit sytem login user class ? (设置用户，有４种权限)#edit system service (设置系统服务)#set ssh /telnet /web‐ma….>show system license (查看授权)>request system license add terminal (加载授权信息)> show system processes extensive（查看系统进程）> restart chassis‐control gracefully（重启系统进程）> load update xxx (加载以前的配置文件)run show security flow session summary（查看防火墙会话数）run show security flow session（查看防火墙具体会话数）1, root密码设置set system root‐authentication plain‐text‐passworderpo@66982, 远程登录用户set system login user erpo class super‐user authentication plain‐text‐passworderpo6698３，设置时间run set date 201207091908４，设置时区为上海set system time‐zone Asia/shanghai５，设置主机名set system host‐name FW６，设置ＮＤＳ服和器Set system name‐server 208.67.222.222; 208.67.220.220;７，端口交换机属性设置root@ex2200# edit vlans test #新建vlan名称为testroot@ex2200# set vlan-id 10 #设置vlan idroot@ex2200# set description “Test VLAN” #设置vlan描述root@ex2200# set mac-limit 200 #设置mac数量,范围是(1..65535)，通常可以不配置root@ex2200# set mac-table-aging-time 600 #”设置mac生存时间(秒)，范围是(60-1000000) ”root@ex2200# set l3-interface vlan.10 #”将绑定三层逻辑子端口”root@ex2200# set interface ge-0/0/1.0 #”将端口加入到VLAN中”root@ex2200# set interface ge-0/0/2.0 #”将端口加入到VLAN中”(2)创建三层逻辑子端口root@ex2200# top #”回到最外层菜单”root@ex2200# set interfaces vlan unit 10 family inet address 192.168.1.1/24 #设置网关(3)将交换机端口修改为access模式并加入到新创建的VLAN中root@ex2200# top #”回到最外层菜单”root@ex2200# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode accessroot@ex2200# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10root@ex2200# set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode accessroot@ex2200# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 10(4)commit提交：root@ex2200#commit８， DHCP 配置(DHCP Server)set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.33set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.64et system services dhcp pool 192.168.1.0/24 domain-name set system services dhcp pool 192.168.1.0/24 name-server 192.168.1.1set system services dhcp pool 192.168.1.0/24 router 192.168.1.1set system services dhcp pool 192.168.1.0/24 default-lease-time 3600set security zones security-zone untrust interfaces fe-0/0/5.0 host-inbound-traffic system-services dhcpuser@host# set security zones security-zone untrust interfaces fe-0/0/6.0 host-inbound-traffic system-services dhcp user@host# set interfaces fe-0/0/6 unit 0 family inet address 192.168.1.1/24DHCP设置(DHCP Client)user@host# set interfaces fe‐0/0/7 unit 0 family inet dhcpuser@host# set security zones security‐zone untrust interfaces fe‐0/0/7.0 host‐inbound‐traffic system‐services dhcpDHCP设置（DHCP Relay）user@host# set forwarding‐options helpers bootp description "Global DHCP relay service"user@host# set forwarding‐options helpers bootp server 192.18.24.38user@host# set forwarding‐options helpers bootp maximum‐hop‐count 4user@host# set forwarding‐options helpers bootp interface fe‐0/0/7.0user@host# set security zones security‐zone untrust interfaces fe‐0/0/7 host‐inbound‐traffic system‐services dhcpuser@host# set security zones security‐zone untrust interfaces fe‐0/0/8 host‐inbound‐traffic system‐services dhcp９，接口设置user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24或者set interfaces ge-0/0/1.0 family inet address 192.168.20.2/249.2 设置区域user@host# set security zones security-zone trustuser@host# set security zones security-zone trust interfaces ge-0/0/1.0…ge-0/0/1.0 host-inbound-traffic system-services http (允许的服务)10, 静态路由user@host# set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.25411,在系统级开启ftp/telnet/http远程接入管理服务Set system services ftpSet system services sshSet system services telnetSet system services web‐management http12, 在untrust zone 打开允许远程登录管理服务Set security zones security‐zone untrnst host‐inbound‐traffic system‐services ssh13,防火墙策略安全设备的缺省行为是拒绝安全区段之间的所有信息流，允许绑定到同一区段的接口间的所有信息流。

产品简介产品说明瞻博网络SRX1400业务网关是市场领先的SRX 系列数据中心产品线的最新成员。

SRX1400整合了多种安全服务和网络功能，具有极高的可用性，主要为10GbE 网络环境提供保护。

它采用了模块化设计，其通用尺寸的模块可以从前面板进行维护和更换。

SRX1400利用创新的技术，增加了可靠性和网络的可用性，并提供极高的并发安全服务性能。

凭借瞻博网络的动态服务架构和Junos OS ，以及基于SRX3000业务网关成熟的电信级特性，SRX1400确立了新的价值标准，扩展了SRX 系列数据中心产品线，能够经济高效地满足更小网络环境的安全需求。

每台SRX1400业务网关都整合了多种安全服务，并执行全面的安全策略，其性能完全能满足当今10GbE 高性能网络环境的需要。

面向网络安全专业人员SRX1400是按照电信级标准从底层开始设计的高可靠设备，能够在严格的高性能数据中心网络环境中，长时间无故障地连续运行。

SRX1400的设计和生产过程都采用了TL 9000质量管理体系，无论是软件、支持服务还是硬件（包括能够分离控制和用户平面的创新芯片组）都100%由瞻博网络提供，同时，SRX1400还将性能提升到一种新的水平，能够满足高性能网络的需要。

动态服务架构利用瞻博网络的动态服务架构，高端SRX 系列能够在处理器的多个核心之间动态、快速地分配数据会话。

动态服务架构不是像其他供应商那样，将网络流量和服务固定或严格捆绑到专门的CPU 核心和处理资源，而是动态地平衡流量会话，在由所有可用资源构成的一个共享池中动态地处理工作负载。

这就避免了在一般的安全计算平台上经常出现的情况，即一些资源全负荷或接近全负荷地运行，而其它资源却闲置或低负荷地运行。

产品概述SRX1400业务网关作为专业级的安全平台，非常适合部署在中小型的数据中心、企业和电信运营商网络。

在这些环境中，客户主要考虑的问题是功能整合、10Gbps 性能、空间节省和经济性。

Juniper SRX防火墙配置手册一、JUNOS操作系统介绍1.1 层次化配置结构JUNOS采用基于FreeBSD内核的软件模块化操作系统，支持CLI命令行和WEBUI两种接口配置方式，本文主要对CLI命令行方式进行配置说明。

JUNOS CLI使用层次化配置结构，分为操作（operational）和配置（configure）两类模式，在操作模式下可对当前配置、设备运行状态、路由及会话表等状态进行查看及设备运维操作，并通过执行config或edit命令进入配置模式，在配置模式下可对各相关模块进行配置并能够执行操作模式下的所有命令（run）。

在配置模式下JUNOS采用分层分级模块下配置结构，如下图所示，edit命令进入下一级配置（类似unix cd 命令）,exit命令退回上一级，top命令回到根级。

1.2 JunOS配置管理JUNOS通过set语句进行配置，配置输入后并不会立即生效，而是作为候选配置（Candidate Config）等待管理员提交确认，管理员通过输入commit命令来提交配置，配置内容在通过SRX 语法检查后才会生效，一旦commit通过后当前配置即成为有效配置（Active config）。

另外，JUNOS 允许执行commit命令时要求管理员对提交的配置进行两次确认，如执行commit confirmed 2命令要求管理员必须在输入此命令后2分钟内再次输入commit以确认提交，否则2分钟后配置将自动回退，这样可以避免远程配置变更时管理员失去对SRX的远程连接风险。

在执行commit命令前可通过配置模式下show命令查看当前候选配置（Candidate Config），在执行commit后配置模式下可通过run show config命令查看当前有效配置（Active config）。

此外可通过执行show | compare比对候选配置和有效配置的差异。

SRX上由于配备大容量硬盘存储器，缺省按先后commit顺序自动保存50份有效配置，并可通过执行rolback和commit命令返回到以前配置（如rollback 0/commit可返回到前一commit配置）；也可以直接通过执行save configname.conf手动保存当前配置，并执行load override configname.conf / commit调用前期手动保存的配置。

下扩展并增长网络基础架构能力，不受安全解决方案的束缚。

SRX3000产品系列的灵活性不仅限于动态服务架构的创新成果和公认优势。

SRX3000产品系列采用“中置背板”(mid-plane) 设计，用户可以同时在前后端安装SPC，从而获得市场领先的灵活性和可扩展性。

SRX3000产品系列在一半的机柜空间中支持两倍的SPC，不仅提供基本的架构创新，而且还采用创新的物理设计。

SRX系列业务网关通过瞻博网络Junos® 软件支持特性集成。

通过将Junos软件的路由特性与ScreenOS® 软件的安全优势结合在一起，SRX系列业务网关提供了一组强大的功能，包括防火墙、IPsec VPN、入侵防御系统 (IPS)、拒绝服务攻击 (DoS) 防御、网络地址转换 (NAT) 和服务质量 (QoS) 保证等。

除此之外，将全部功能结合在单一OS框架中，还大幅度优化了流量在业务网关中的处理流程。

安装Junos软件使SRX系列产品与瞻博网络电信运营商级路由器和交换机一样，获得了单源OS、一致的版本演进和一致性架构的优势。

SRX3600SRX3600业务网关是市场领先的安全解决方案，最多支持30 Gbps的防火墙吞吐量、10 Gbps的防火墙和IPS吞吐量，或者10 Gbps的IPsec VPN吞吐量以及每秒最多17.5万条新建连接。

SRX3600配置了全套安全特性，最适合保护大中型企业数据中心、托管数据中心/共置数据中心或下一代企业服务/应用的安全性。

此外，SRX3600还能同时保护电信运营商云计算基础架构的安全性，该架构需满足多重租赁的需求。

这个业务网关支持高可扩展性和灵活性，不仅能够轻松满足高密度数据中心对传统安全设备的整合要求，还能满足云计算服务供应商的服务密度要求。

SRX3600业务网关由瞻博网络Network and Security Manager软件负责管理，使用单一应用来管理所有瞻博网络防火墙、IPS、SSL、瞻博网络统一接入控制 (UAC) 和EX系列以太网交换机产品。

srx标准
SRX标准是一种网络安全平台，由Juniper Networks开发和推出。

SRX代表"Services Gateways"，它是一系列集成了多种网
络安全功能的硬件设备，可用于保护企业网络免受各种威胁和攻击。

SRX标准的关键特点包括：
1. 防火墙功能：SRX设备可以检测和过滤进出网络的数据流量，通过访问控制列表(ACL)、应用程序识别和防火墙策略来
保护网络安全。

2. 虚拟专用网络(VPN)功能：SRX设备支持虚拟私人网络连接，用于建立安全的远程访问和站点到站点连接。

3. 入侵检测和防御系统(IDS/IPS)功能：SRX设备可以检测并
预防入侵攻击，包括网络和应用层攻击。

4. 安全管理员角色：SRX设备提供了管理员角色，用于配置
和管理设备的网络安全策略。

5. 安全事件和日志记录：SRX设备可以记录安全事件和生成
日志，以便进行安全审计和故障排除。

SRX标准是一个灵活和可扩展的网络安全解决方案，适用于
各种规模的企业网络。

它提供了全面的网络安全功能，帮助保护企业免受各种网络威胁的侵害。

Juniper SRX防火墙基本配置手册1SRX防火墙的PPPoE拔号配置Juniper SRX防火墙支持PPPoE拔号，这样防火墙能够连接ADSL链路，提供给内网用户访问网络的需求。

配置拓扑如下所示：Ge-0/0/4 via PPPoE to obtian IP addressJuniper SRX240防火墙在Juniper SRX防火墙上面设置ADSL PPPoE拔号，可以在WEB界面或者命令行下面查看PPPoE拔号接口pp0，在命令行下面的查看命令如下所示：juniper@HaoPeng# run show interfaces terse | match ppInterface Admin Link Proto Local Remotepp0 up up在WEB界面下，也能够看到PPPoE的拔号接口pp0配置步聚如下所示：第一步：选择接口ge-0/0/4作为PPPoE拔号接口的物理接口，将接口封装成PPPoETo configure PPPoE encapsulation on an Ethernet interface:juniper@HaoPeng# set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether第二步：配置PPPoE接口PP0.0的参数To create a PPPoE interface and configure PPPoE options:user@host# set interfaces pp0 unit 0 pppoe-options underlying-interfacege-0/0/4.0 auto-reconnect 100 idle-timeout 100 client第三步：配置PPPoE接口的MTU值To configure the maximum transmission unit (MTU) of the IPv4 family:user@host# set interfaces pp0 unit 0 family inet mtu 1492第四步：配置PPPoE接口的地址为negotiate-addressTo configure the PPPoE interface address:user@host# set interfaces pp0 unit 0 family inet negotiate-address第五步：配置PPPoE接口的PAP认证set int pp0 unit 0 ppp-options pap default password 88888878 local-name ****************local-password88888878 passive注意：default password和local password都必须设置成ADSL拔号时所用的密码，local name 必须是ADSL拔号时所用的用户名。

Data SheetSRX1500 与瞻博网络 Contrail 服务编排结合使用，可以向企业和服务提供商提供完全自动化的 SD-WAN。

其全自动部署 (ZTP) 功能极大地简化了分支机构网络连接的初始部署和持续管理。

SRX1500的高性能和可扩展性使它可以用作 VPN 集线器，在各种 SD-WAN 拓扑结构中端接 VPN/安全叠加连接。

SRX1500 服务网关运行 Juniper Networks Junos®操作系统，这是一个已得到实践验证并且运营商可以定制加强的网络操作系统，目前在为全球前 100 强服务提供商网络提供支持。

IPv4/IPv6、OSPF、BGP 和组播经过严格测试的运营商级路由功能已在超过 15年的全球部署中久经验证。

功能与优势SRX1500 服务网关规格软件规格防火墙服务•有状态和无状态防火墙•基于区域的防火墙•筛选和分布式拒绝服务 (DDoS) 保护•抵御协议和流量异常•与 Pulse 统一访问控制 (UAC) 集成•与 Aruba Clear Pass Policy Manager 集成•基于用户角色的防火墙•SSL 检测网络地址转换 (NAT)•带有端口地址转换 (PAT) 的源 NAT•双向 1:1 静态 NAT•带有 PAT 的目标 NAT•持久 NAT•IPv6 地址转换VPN 功能•隧道：通用路由封装 (GRE)1、IP-IP1、IPsec•站点-站点 IPsec VPN、自动 VPN、组 VPN•IPsec 加密算法：数据加密标准 (DES)、三重 DES (3DES)、高级加密标准 (AES-256)、AES-GCM•IPsec 身份验证算法：MD5、SHA-1、SHA-128、SHA-256•预共享密钥和公钥基础架构 (PKI) (X.509)•完全向前保密，防重播•IPv4 和 IPv6 IPsec VPN•站点-站点 VPN 的多代理 ID•互联网密钥交换（IKEv1、IKEv2），NAT-T•虚拟路由器和服务质量 (QoS) 感知•基于标准的失效对等方检测 (DPD) 支持•VPN 监控高可用性功能•虚拟路由器冗余协议 (VRRP)•有状态的高可用性- 双机箱集群- 主动/被动- 主动/被动- 配置同步- 防火墙会话同步- 设备/链路检测- 不中断服务的软件升级 (ISSU)•采用路由与接口故障转移的 IP 监控应用程序安全性服务2•应用程序可见性和控制•基于应用程序的防火墙•应用程序 QoS•高级/基于应用程序策略的路由 (APBR)•应用程序体验质量 (AppQoE)•基于应用程序的多路径路由威胁防御和情报服务3•入侵防御•防病毒•反垃圾邮件•类别/基于信誉的 URL 过滤•SecIntel 提供威胁情报•防范僵尸网络（命令和控制）•基于 GeoIP 的自适应实施•瞻博网络 Advanced Threat Prevention（一种基于云的 SaaS产品），可检测并阻止零日攻击•瞻博网络 ATP 设备，是一种内部部署的分布式高级威胁防御解决方案，可用于检测并阻止零日攻击路由协议•IPv4、IPv6•静态路由•RIP v1/v2•OSPF/OSPF v3•具有路由反射器的 BGP•IS-IS•组播：Internet 组管理协议 (IGMP) v1/v2；协议无关组播(PIM) 稀疏模式 (SM)/密集模式 (DM)/源特定组播 (SSM)；会话描述协议 (SDP)；距离矢量组播路由协议 (DVMRP)；组播源发现协议 (MSDP)；逆向路径转发 (RPF)•封装：VLAN、通过以太网传输的点对点协议 (PPPoE)•虚拟路由器•基于策略的路由，基于源的路由•等价多路径 (ECMP)QoS 功能•支持 802.1 p、DiffServ代码点 (DSCP)、EXP•按 VLAN、数据链路连接标识符 (DLCI)、接口、束或多域过滤器分类•标记、监管和整形•分类和计划•加权随机早期检测 (WRED)•保证带宽和最大带宽•入口流量监管•虚拟通道•层次结构整形和策略制定交换功能•基于 ASIC 的第 2 层转发•MAC 地址学习•VLAN 寻址以及集成路由与桥接 (IRB) 支持•链路聚合与 LACP•LLDP 和 LLDP-MED•STP、RSTP、MSTP•MVRP•802.1X 身份验证网络服务•动态主机配置协议 (DHCP) 客户端/服务器/中继•域名系统 (DNS) 代理、动态 DNS (DDNS)•瞻博网络实时性能监控 (RPM) 和 IP 监控•瞻博网络流量监控（J 流）•双向转发检测 (BFD)•双向主动测量协议 (TWAMP)•IEEE 802.3ah 链路默认管理 (LFM)•IEEE 802.1ag 连接故障管理 (CFM)高级路由服务•分组模式•MPLS（RSVP、LDP）•电路交叉连接 (CCC)、平移交叉连接 (TCC)•L2/L2 MPLS VPN、伪线•虚拟专用 LAN 服务 (VPLS)、下一代组播 VPN (NG-MVPN)•MPLS 流量工程和 MPLS 快速重新路由管理、自动化、日志记录和报告•SSH、T elnet、SNMP•智能图像下载•瞻博网络 CLI 和 Web UI•瞻博网络 Junos Space 和 Security Director•Python•Junos OS 事件、提交和 OP 脚本•应用程序和带宽使用情况报告•自动安装•调试和故障排除工具GRE、IP-IP 和 VRRP 在有状态高可用性模式下不受支持。

Juniper_SRX中⽂配置⼿册簿及现⽤图解前⾔、版本说明 (2)⼀、界⾯菜单管理 (3)2、WEB管理界⾯ (4)（1）Web管理界⾯需要浏览器⽀持Flash控件。

(4)（2）输⼊⽤户名密码登陆： (4)（3）仪表盘⾸页 (5)3、菜单⽬录 (8)⼆、接⼝配置 (13)1、接⼝静态IP (13)2、PPPoE (14)3、DHCP (15)三、路由配置 (17)1、静态路由 (17)2、动态路由 (17)四、区域设置Zone (19)五、策略配置 (21)1、策略元素定义 (21)2、防⽕墙策略配置 (23)3、安全防护策略 (26)六、地址转换 (27)1、源地址转换-建⽴地址池 (27)2、源地址转换规则设置 (28)七、VPN配置 (31)1、建⽴第⼀阶段加密建议IKE Proposal (Phase 1) (或者⽤默认提议) (31)2、建⽴第⼀阶段IKE策略 (32)3、建⽴第⼀阶段IKE Gateway (33)4、建⽴第⼆阶段加密提议IKE Proposal (Phase 2) (或者⽤默认提议) (34)5、建⽴第⼀阶段IKE策略 (35)6、建⽴VPN策略 (36)⼋、Screen防攻击 (38)九、双机 (39)⼗、故障诊断 (39)前⾔、版本说明产品：Juniper SRX240 SH版本：JUNOS Software Release [9.6R1.13]注：测试推荐使⽤此版本。

此版本对浏览速度、保存速度提⾼了⼀些，并且CPU占⽤率明显下降很多。

9.5R2.7版本（CPU持续保持在60%以上，甚⾄90%）9.6R1.13版本（对菜单操作或者保存配置时，仍会提升⼀部分CPU）⼀、界⾯菜单管理1、管理⽅式JuniperSRX系列防⽕墙出⼚默认状态下，登陆⽤户名为root密码为空，所有接⼝都已开启Web管理，但⽆接⼝地址。

终端连接防⽕墙后，输⼊⽤户名(root)、密码(空)，显⽰如下：rootsrx240-1%输⼊cli命令进⼊JUNOS访问模式：rootsrx240-1% clirootsrx240-1>输⼊configure进⼊JUNOS配置模式：rootsrx240-1% clirootsrx240-1> configureEntering configuration mode[edit]rootsrx240-1#防⽕墙⾄少要进⾏以下配置才可以正常使⽤：(1)设置root密码（否则⽆法保存配置）(2)开启ssh/telnet/http服务(3)添加⽤户（root权限不能作为远程telnet，可以使⽤SHH⽅式）(4)分配新的⽤户权限2、WEB管理界⾯（1）Web管理界⾯需要浏览器⽀持Flash控件。

Juniper SRX防火墙配置手册之马矢奏春创作一、JUNOS把持系统介绍1.1 条理化配置结构JUNOS采纳基于FreeBSD内核的软件模块化把持系统,支持CLI命令行和WEBUI两种接口配置方式,本文主要对CLI命令行方式进行配置说明.JUNOS CLI 使用条理化配置结构,分为把持（operational）和配置（configure）两类模式,在把持模式下可对以后配置、设备运行状态、路由及会话表等状态进行检查及设备运维把持,并通过执行config或edit命令进入配置模式,在配置模式下可对各相关模块进行配置并能够执行把持模式下的所有命令（run）.在配置模式下JUNOS采纳分层分级模块下配置结构,如下图所示,edit命令进入下一级配置（类似unix cd命令）,exit命令退回上一级,top 命令回到根级.1.2 JunOS配置管理JUNOS通过set语句进行配置,配置输入后其实不会立即生效,而是作为候选配置（CandidateConfig）等候管理员提交确认,管理员通过输入commit命令来提交配置,配置内容在通过SRX语法检查后才会生效,一旦commit通过后以后配置即成为有效配置（Active config）.另外,JUNOS允许执行commit命令时要求管理员对提交的配置进行两次确认,如执行commit confirmed 2命令要求管理员必需在输入此命令后2分钟内再次输入commit以确认提交,否则2分钟后配置将自动回退,这样可以防止远程配置变更时管理员失去对SRX的远程连接风险.在执行commit命令前可通过配置模式下show命令检查以后候选配置（Candidate Config）,在执行commit后配置模式下可通过run show config命令检查以后有效配置（Active config）.另外可通过执行show | compare比对候选配置和有效配置的不同. SRX上由于配备年夜容量硬盘存储器,缺省按先后commit顺序自动保管50份有效配置,并可通过执行rolback和commit命令返回到以前配置（如rollback 0/commit可返回到前一commit配置）；也可以直接通过执行save configname.conf手动保管以后配置,并执行load override configname.conf / commit调用前期手动保管的配置.执行load factorydefault / commit命令可恢复到出厂缺省配置.SRX可对模块化配置进行功能关闭与激活,如执行deactivate security nat/comit命令可使NAT相关配置不生效,并可通过执行activate security nat/commit 使NAT配置再次生效.SRX通过set语句来配置防火墙,通过delete语句来删除配置,如delete security nat和edit security nat / delete一样,均可删除security防火墙层级下所有NAT相关配置,删除配置和ScreenOS分歧,配置过程中需加以留意.1.3 SRX主要配置内容布置SRX防火墙主要有以下几个方面需要进行配置：System：主要是系统级内容配置,如主机名、管理员账号口令及权限、时钟时区、Syslog、SNMP、系统级开放的远程管理服务（如telnet）等外容.Interface:接口相关配置内容.Security: 是SRX防火墙的主要配置内容,平安相关部份内容全部在Security层级下完成配置,如NAT、Zone、Policy、Addressbook、Ipsec、Screen、Idp等,可简单理解为ScreenOS防火墙平安相关内容都迁移至此配置条理下,除Application自界说服务.Application：自界说服务独自在此进行配置,配置内容与ScreenOS基本一致.routingoptions：配置静态路由或routerid等系统全局路由属性配置.二、SRX防火墙配置对比说明战略处置流程图2.1 初始装置2.1.1 登岸Console口(通用超级终端缺省配置)连接SRX,root用户登岸,密码为空login: rootPassword:JUNOS 9.5R1.8 built 0716 15:04:30 UTCroot% cli //进入把持模式root>root> configure //进入配置模式[edit]Root#2.1.2 设置root用户口令设置root用户口令root# set system rootauthentication plaintextpassword root# new password : root123root# retype new password: root123[edit]root# set system login class superuser idletimeout 3 设置以后用户超时时间密码将以密文方式显示root# show system rootauthenticationencryptedpassword "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRETDATA注意：强烈建议不要使用其它加密选项来加密root和其它user 口令(如encryptedpassword加密方式),此配置参数要求输入的口令应是经加密算法加密后的字符串,采纳这种加密方式手工输入时存在密码无法通过验证风险.2.1.3 设置远程登岸管理用户root# set system login user labclass superuser authentication plaintextpassword //创立用户labroot# new password : lab123 //配置用户lab密码root# retype new password: lab123注：此lab用户拥有超级管理员权限,可用于console和远程管理访问,另也可自行灵活界说其它分歧管理权限用户.2.1.4 管理SRX相关配置root>show system uptime//检查时间root#run set date YYYYMMDDhhmm.ss //设置系统时钟root#set system timezone Asia/beijing//设置时区为北京root#set system hostname SRX3400A//设置主机名root#set system ntp server 202.120.2.101 //设置NTP服务器root>show ntp associationsroot>show ntp status //检查NTProot>show security alg status//检查ALG状态ALG Status :DNS : EnabledFTP : EnabledH323 : EnabledMGCP : EnabledMSRPC : EnabledPPTP : EnabledRSH : EnabledRTSP : EnabledSCCP : EnabledSIP : EnabledSQL : EnabledSUNRPC : EnabledTALK : EnabledTFTP : EnabledIKEESP : Disabledroot#set system services ftproot#set system services telnetroot#set system services webmanagement http//在系统级开启ftp/telnet/http远程接入管理服务root>request system reboot //重启系统root>request system poweroff // 关闭系统root>show version//检查版本信息Model: srx210bJUNOS Software Release [10.4R5.5]root>show system uptime //检查系统启动时间Current time: 0811 05:09:15 UTCSystem booted: 0811 01:12:48 UTC (03:56:27 ago)Protocols started: 0811 01:15:28 UTC (03:53:47 ago)Last configured: 0811 03:11:08 UTC (01:58:07 ago) by rootroot>Show chassis haredware//检查硬件板卡及序列号Hardware inventory:Item Version Part number Serial number DescriptionChassis AC5210AA0079 SRX210bRouting Engine REV 40 750021778 AACN5249 RESRX210BFPC 0 FPCPIC 0 2x GE, 6x FE, 1x 3GPower Supply 0root> show chassis environment //检查硬件板卡以后状态Class Item Status MeasurementTemp Routing Engine OK 52degrees C / 125 degrees FRouting Engine CPU AbsentFans SRX210 Chassis fan OK Spinningat normal speedPower Power Supply 0 OKroot>show chassis routingengine //检查主控板（RE）资源使用及状态Routing Engine status:Temperature 52 degrees C / 125degrees FTotal memory 512 MB Max 415 MB used( 81 percent)Control plane memory 336 MB Max 306 MB used ( 91 percent)Data plane memory 176 MB Max 107 MB used ( 61 percent)CPU utilization:User 4 percentBackground 0 percentKernel 5 percentInterrupt 0 percentIdle 91 percentModel RESRX210BSerial ID AACN5249Start time 0811 01:12:47 UTCUptime 4 hours, 17 minutes, 57 secondsLast reboot reason 0x200:chassis control resetLoad averages: 1 minute 5 minute 15 minuteroot>show system license //检查授权License usage:Licenses Licenses Licenses ExpiryFeature name used installed neededax411wlanap 0 2 0 permanentroot>show system processes extensive//检查系统利用率last pid: 1968; load averages: 0.01, 0.03, 0.00 up0+04:20:28 05:32:46111 processes: 17 running, 83 sleeping, 11 waitingMem: 120M Active, 87M Inact, 231M Wired, 30M Cache, 61MBuf, 1356K FreeSwap:PID USERNAME THR PRI NICE SIZE RES STATE C TIMEWCPU COMMAND1097 root 4 76 0 194M 34836K select 0298:05 98.44% flowd_octeon22 root 1 171 52 0K 16K RUN 0203:47 84.96% idle: cpu024 root 1 20 139 0K 16K RUN 0 5:420.00% swi7: clock21 root 1 171 52 0K 16K RUN 12:21 0.00% idle: cpu15 root 1 84 0 0K 16K rtfifo 0 1:02 0.00% rtfifo_kern_recv1109 root 1 76 0 9724K 3796K select 0 0:46 0.00% rtlogd868 root 1 76 0 7004K 2588K select 0 0:37 0.00% eventd52 root 1 8 0 0K 16K mdwait 0 0:34 0.00% md01085 root 1 76 0 16984K 10676K select 0 0:29 0.00% snmpd1088 root 1 76 0 14288K 4788K select 0 0:23 0.00% l2ald1090 root 2 76 0 4K 6476K select 0 0:22 0.00% pfed1115 root 1 76 0 4180K 1104K select 0 0:19 0.00% licensecheck1087 root 1 4 0 39620K 2K kqread 0 0:15 0.00% rpd23 root 1 40 159 0K 16K WAIT 0 0:15 0.00% swi2: net(more 39%)root>monitor interface ge0/0/0//静态统计接口数据包转发信息Interface: ge0/0/0.0, Enabled, Link is UpFlags: SNMPTrapsEncapsulation: ENET2Local statistics: Current deltaInput bytes: 2986416 [4121]Output bytes: 47303 [90]Input packets: 47631 [64]Output packets: 969 [1]Remote statistics:Input bytes: 94404820 (1896 bps) [6685]Output bytes: 9553700 (952 bps) [2078]Input packets: 111689 (4 pps) [50]Output packets: 59369 (2 pps) [29]Traffic statistics:Input bytes: 97391236 Outputbytes: , [10806]Next='n', Quit='q' or ESC, Freeze='f', Thaw='t',Clear='c', Interface='i'root>monitor traffic interface ge0/0/0//静态报文抓取verbose output suppressed, use <detail> or <extensive>for full protocol decodeAddress resolution is ON. Use <noresolve> to avoid anyreverse lookup delay.Address resolution timeout is 4s.Listening on ge0/0/0.0, capture size 96 bytesReverse lookup for 172.56.1.23 failed (check DNS reachability).Other reverse lookup failures will not be reported.Use <noresolve> to avoid reverse lookups on IP addresses.05:41:02.884849 In IPX 00000000.00:13:8f:74:bc:19.0455 >00000000.ff:ff:ff:ff:ff:ff.0455: ipxnetbios 5005:41:03.509837 Out IP truncatedip 10 bytes missing! 172.56.3.34.55730 > .domain: 51866+[|domain]05:41:03.568547 In STP 802.1d, Config, Flags [none], bridgeid 8000.00:06:53:48:8a:80.8010, length 4305:41:03.678096 In IPX 00000000.00:13:8f:74:bc:19.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipxnetbios 502.1.5 接口的初始化接口说明：root% cli//进入把持模式root>root>show interfaces //检查接口状态调整输出详细水平root>show intefaces terseroot>show interfaces briefroot>show interfaces detailroot>show interfaces extensive //由上到下检查接口的信息越来越详细root>show interfaces detail | match fe0/0/0 //使用管道符匹配特定关键字root>help reference security policysecurity //检查配置参考信息root> help apropos security //帮手搜索关键字相关的把持命令root> configure //进入配置模式[edit]root#root# show interfaces //检查接口配置状态为接口配置IP地址的两种方法：set配置：root#show interfaces ge0/0/0.0 family inet //检查接口配置address 1.1.1.1./24edit 配置直接指定到某个层级：[edit ]root#edit interfaces ge0/0/0.0 family inet //在该层级下为接口配置[edit interfaces ge0/0/0.0 family inet][edit interfaces ge0/0/0.0 family inet]root#up //返回上一级,一层一层的退出（也可以使用exit和top退出到[edit]）[edit interfaces]Root#showroot # set system syslog file monitorlog any any//创立名字为monitorlog的日志root # set system syslog file monitorlog match "172.56.3.34" //监控接口root #run monitor start monitorlog //开始监控root #run monitor stop//停止监控删除配置：root#delete interfaces ge0/0/0.0 //普通删除配置命令root#wildcard delete interfaces fe0* //通配符匹配删除配置命令matched：fe0/0/0matched：fe0/0/1matched：fe0/0/2matched：fe0/0/3matched：fe0/0/4matched：fe0/0/5matched：fe0/0/6matched：fe0/0/7delete 8 objecgts?[yes,no](no)yes配置addressbook（addressbook就是为地址命名,以便调用）[edit]root# edit security zones securityzone outside // 配置outside区域addressbook[edit security zones securityzone outside][edit security zones securityzone outside]root# up[edit security zones]root#edit securityzone inside //配置inside区域addressbook[edit security zones securityzone inside][edit security zones securityzone inside]root# exit[edit security zones]root# exit配置application[edit]root# edit applications application tcp1752 //界说服务名字[edit applications application tcp1752]root# set protocol tcp sourceport 1752 destinationport 1752 //界说协议及端口号[edit]root# show applicationsapplication tcp1752 {protocol tcp;sourceport 1752;destinationport 1752;配置applicationset[edit]root# set applications applicationset webmgt applicationjunosssh //配置应用服务集webmgt[edit]root# set applications applicationset webmgt applicationjunosping[edit]root# set applications applicationset webmgtapplication junospcanywhere[edit]root# set applications applicationset webmgt applicationjunoshttp[edit]root# set applications applicationset webmgt applicationjunosftproot# show applications//检查applicationsapplicationset webmgt {application junosssh;application junosping;application junospcanywhere;application junoshttp;application junosftp;}替换配置：root# show interfaces ge0/0/0ge0/0/0 {unit 0 {family inet {root#WordStr pattern ge0/0/0 with ge0/0/1//一个接口取代另一个接口的配置root# show interfaces ge0/0/1ge0/0/1{unit 0 {family inet {复制配置：root#set interfaces ge0/0/0.0 familyEthernetswithing vlanroot#copy interfaces ge0/0/0.0 to ge0/0/1.0 //复制接口配置配置模式下的showroot#show //检查配置root#show | display set // 检查set格式的配置set system timezone asia/beijingset system rootauthentication encryptedpassword "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."set system login user lab uidset system login user lab class superuserset system login user lab authentication encryptedpassword "$1$Y0X8gbap$GZNvirOuGhW.4ZAq4xwHF."set system services sshset system services telnetset system services webmanagement https systemgeneratedcertificateset system syslog file natlog any anyset system syslog file natlog match RT_FLOW_SESSIONset system syslog file monitorlog any any(more)基本提交与恢复配置命令：root#commit //最基本的提交配置命令root#show | compare //检查待提交的配置与以后运行的配置分歧(+暗示增加的, 暗示减少的)encryptedpassword "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."; ## SECRETDATA+ encryptedpassword "$1$PRX8HyIJ$X0uFTlOJ4yn.DQYeDiHl10"; ## SECRETDATA[edit system services webmanagement http]interface [ vlan.0 ge0/0/1.0 vlan.3 ge0/0/0.0 fe0/0/3.0 ];+ interface [ vlan.0 ge0/0/1.0 vlan.3 ge0/0/0.0 fe0/0/4.0 ];[edit interfaces]+ fe0/0/4 {+ unit 0 {+ family inet;+ family ethernetswitching;+ }+ }[edit security zones securityzone inside interfaces]vlan.3 { ... }+ fe0/0/4.0 {+ hostinboundtraffic {+ systemservices {+ http;+ }+ }+ }fe0/0/3.0 {hostinboundtraffic {systemservices {http;root#rollback ？ //检查可恢复的配置（注意：使用load facrotydefault命令恢复到出厂配置）Possible completions:<[Enter]> Execute this command0 0811 03:11:08 UTC by lab via cli1 0810 09:39:44 UTC by lab via cli2 0810 07:48:34 UTC by lab via cli3 0810 07:40:08 UTC by lab via cli4 0810 07:36:20 UTC by lab via cli5 0810 07:31:18 UTC by lab via cli6 0810 07:25:45 UTC by lab via cli7 0810 07:21:26 UTC by lab via cli8 0810 07:20:15 UTC by lab via cli9 0810 06:51:14 UTC by lab via cli10 0810 06:50:16 UTC by lab via cli11 0810 06:31:23 UTC by lab via cli12 0810 06:29:02 UTC by lab via cli[abort](more 42%)[edit]root#rollback 4 // 恢复某一配置（注意：需要commit之后恢复配置才华生效）root#commit at “0101 18:00:00”//在某一日期或时间提交配置命令root>clear system commit //清除未被提交的配置root#commit comment “onlyconfigurationinterfaces”//为提交的配置进行说明调换战略顺序Insert security policies fromzone zonename tozone zonename policy name [before | after ] policy name配置SNMP2.1.6 配置平安战略图解：界说outside属于Internet,inside属于内部局域网,通过juniper访问Internet.接口的配置及创立分歧的区域：//为接口ge0/0/0、ge0/0/1配置IP地址// 把接口放在分歧的区域(outside /inside)中root#commit //提交配置root# show interfaces // 检查接口配置信息ge0/0/0 {unit 0 {family inet {address 172.56.3.34/16 }}}ge0/0/1 {unit 0 {family inet {;}root # show security zones //检查zones的配置信息securityzone inside {interfaces {ge0/0/1.0;}}securityzone outside {interfaces {ge0/0/0.0;}配置路由:[edit]root# edit routingoptions[edit routingoptions]root#commit[edit routingoptions]root # show //检查路由条目static {route 0.0.0.0/0 nexthop [172.56.0.1 ];}root# run show route //检查路由inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0hidden)+ = Active Route, = Last Active, * = Both0.0.0.0/0 *[Static/5] 00:34:1710.1.1.0/24 *[Direct/0] 00:34:1610.1.1.1/32 *[Local/0] 00:34:23172.56.0.0/16 *[Direct/0] 00:34:17172.56.3.34/32 *[Local/0] 00:34:23配置战略:[edit]root# edit security policies fromzone inside tozone outside policy permitall//界说zone inside到zone outside的战略[edit security policies fromzone inside tozone outside policy permitall]root# set match sourceaddress any //设置源地址为any[edit security policies fromzone inside tozone outside policy permitall]root# set match destinationaddress any //设置目标地址为any[edit security policies fromzone inside tozone outsidepolicy permitall]root# set match application any //设置战略允许的服务为any[edit security policies fromzone inside tozone outside policy permitall]root# set then permit//设置的举措是允许通过root#commit[edit]root# show security policies //检查平安战略fromzone inside tozone outside {policy permitall {match {sourceaddress any;destinationaddress any;application any;}then {permit;}Example 1 : 源地址转换(NAT)多对一,使得所有出向的流量源IP 地址转换为外部接口地址IP[edit]root # edit security nat source ruleset natpolicy//界说名字为natpolicy的nat战略[edit security nat source ruleset natpolicy]root # set from zone insideto zone outside //设置战略来自inside去往outside[edit security nat source ruleset natpolicy]root # edit rule insidetooutsidenat//界说规则名字为insidetooutsidenat[edit security nat source ruleset natpolicy rule insidetooutsidenat][edit security nat source ruleset natpolicy rule insidetooutsidenat]root # set then sourcenat interface//设置转换源的nat [edit security nat source ruleset natpolicy rule insidetooutsidenat]root #set then log sessioninit sessionclose //设置启用日志,记录会话开始与结束[edit security nat source ruleset natpolicy]root # exit[edit]root #edit system syslog file natlog //设置一个日志文件名字为natlog[edit system syslog file natlog]root #set any any //匹配任何logroot #set match RT_FLOW_SESSION //匹配日志中关键字RT_FLOW_SESSIONroot #run show security flow session// 检查会话的状态信息 In: 10.1.1.2/55249 > 172.56.0.101/161;udp, If: ge0/0/1.0, Pkts: 166, Bytes: 17596Out: 172.56.0.101/161 > 10.1.1.2/55249;udp, If: ge0/0/0.0, Pkts: 0, Bytes: 0Session ID: 50, Policy name: permitall/4, Timeout: 52, ValidIn: 10.1.1.2/55249 > 172.56.1.100/161;udp, If: ge0/0/1.0, Pkts: 167, Bytes: 17702Out: 172.56.1.100/161 > 10.1.1.2/55249;udp, If: ge0/0/0.0, Pkts: 0, Bytes: 0Total sessions: 2root #run show security flow session summary// 检查会话数Unicastsessions: 4Multicastsessions: 0Failedsessions: 0Sessionsinuse: 10Valid sessions: 4Pending sessions: 0Invalidated sessions: 6Sessions in other states: 0Maximumsessions: 32768root #run show log natlog //检查日志信息Aug 2 17:46:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.1.1.2/52896>202.96.134.133/53 junosdnsudp 10.1.1.2/52896>202.96.134.133/53 None None 17 permitall inside outside 3048 1(61) 1(180) 3root # show security nat //检查nat的战略信息source {ruleset natpolicy {from zone inside;to zone outside ;rule insidetooutsidenat {match {destinationaddress [172.56.3.34/16 ];}then {sourcenat {interface;}[edit]root # edit security policies fromzone inside tozone outside[edit security policies fromzone inside tozone outside] root #edit policy permitall[edit security policies fromzone inside tozone outside policy permitall]root #set then count // 为policy配置count行为[edit security policies fromzone inside tozone outside policy permitall]root # commitcommit complete[edit security policies fromzone inside tozone outside policy permitall]root # showmatch {sourceaddress any;destinationaddress any;application any;}then {permit;log {sessioninit;sessionclose;}count;root> show security policies policyname permitall detail //使用show检查count结果Policy: permitall, actiontype: permit, State: enabled, Index: 4, Scope Policy: 0Policy Type: ConfiguredSequence number: 1From zone: inside, To zone: outsideSource addresses:anyipv6: ::/0Destination addresses:anyipv6: ::/0Application: anyIP protocol: 0, ALG: 0, Inactivity timeout: 0Source port range: [00]Destination port range: [00]Per policy TCP Options: SYN check: No, SEQ check: NoSession log: atcreate, atclosePolicy statistics:Input bytes : 2696984 14509 bpsOutput bytes : 2683338 14443 bpsInput packets : 4537 28 ppsOutput packets : 4433 27 ppsSession rate : 234 1 spsActive sessions : 9Session deletions: 225Policy lookups : 230配置:[edit security nat source]root# showpool A {address {207.17.137.1/24 to 207.17.137.254/24;}hostaddressbase 10.1.10.5/24;}ruleset 1A {from zone inside;to zone outside;rule 1 {match {sourceaddress 10.1.10.0/24;}then {sourcenat pool A;root> show security flow sessionSession ID: 57737, Policy name: defaultpermit/4, Timeout: 1772root> show security nat source pool allTotal pools: 1Pool name : APool id : 4Routing instance : defaultPort : no translationTotal addresses : 254Translation hits : 6Example 3 :目的地址转换（NAT）一对一,使所有进方向访问公网IP（100.0.0.1/32）地址的流量都转换为内网的一个IP(10.1.10.5/32)地址配置：[edit security nat destination]root# showpool A {address 10.1.10.5/24;}ruleset 1 {from zone outside;rule 1A {match {destinationaddress 100.0.0.1/32;}Then {destinationnat pool A;Example4 :目的地址转换（NAT）一对多,使所有进方向访问公网IP（100.0.0.1/32port：80/81）地址的流量都转换为内网的多个IP(10.1.10.5/32port：8080 10.1.10.6/32port：8181)地址图解：将访问公网ip 100.0.0.1 port 80转换为内网ip 10.1.10.5 port 8080将访问公网ip 100.0.0.1 port 81转换为内网ip 10.1.10.6 port 8181配置：[edit security nat destination]root# showpool A {address 10.1.10.5/24 port 8080;pool B{address 10.1.10.5/24 port 8181;}ruleset 1 {from zone outside;rule 1A {match {destinationaddress 100.0.0.1/32;destinationport 80;}then {destinationnat pool A;rule 1B {match {destinationaddress 100.0.0.1/32;destinationport 81;}then {destinationnat pool B;root> show security flow sessionSession ID: 12554, Policy name: defaultpermit/4, Timeout: 14Out: 10.1.10.5/8080 > 1.1.70.6/58204;tcp, If: ge0/0/2.01 sessions displayedSession ID: 12554, Policy name: defaultpermit/4, Timeout: 14Out: 10.1.10.5/8181 > 1.1.70.6/58304;tcp, If: ge0/0/2.01 sessions displayed2.2 透明模式的配置1.配置Bridge Domains桥接域（Bridge Domains）:属于同一泛洪或广播域的一组逻辑接口.在同一个Vlan里,桥接域可以跨越多个设备的一个或多个接口.默认情况下,每个桥接域都维护着自己的MAC地址转发表,附属于本桥接域的接口接受的数据包.在桥接域里转发的数据包,必需是一个0已经被打上Vlan ID的数据包,而且这个Vlan ID 是属于这个桥接域的.CLI命令配置举例：root# set bridgedomains bd1 domaintype bridge vlanidlist 1,10//配置桥接域bd1,而且指定模式为桥模式,属于这个桥接域的vlan ID 1和10root# set bridgedomains bd2 domaintype bridge vlanid 2//配置桥接域bd2,而且指定模式为桥模式,属于这个桥接域的vlan ID 2注：如果要配置多个vlan ID时,使用vlanidlist.root# set protocols l2learning globalmaclimit 64000 packetaction drop//配置在一个逻辑接口上学习到的最年夜MAC地址数量2.配置Layer 2 逻辑接口layer2接口模式有2种模式,trunk和access.CLI命令配置举例：root# set interfaces ge3/0/0 unit 0 family bridge interfacemode trunk vlanidlist 1–10//将接口ge3/0/0配置为2层trunk模式,并转发来自vlan 110数据包root# set interfaces ge3/0/0 unit 0 family bridge interfacemode access vlanid 1//将接口ge3/0/0配置为2层access模式,并转发来自vlan 1数据包root# set interfaces ge3/0/0 vlantagging nativevlanid 10 //对来自物理接口没有vlan标识的数据包打上vlan 10 3.配置layer 2区域CLI命令配置举例：root# set security zones securityzone l2–zone1 interfaces ge3/0/0.0root# set security zones securityzone l2–zone2 interfaces ge3/0/1.0root# set security zones securityzone l2–zone2 hostinboundtraffic systemservices all//允许所有支持的应用作为hostinbound traffic通过“l2–zone2”（例如SSH, Telnet, SNMP, 以及其他应用）CLI命令配置举例：root# set security policies fromzone l2–zone1 tozonel2–zone2 policy p1 match application httproot# set security policies fromzone l2–zone1 tozonel2–zone2 policy p1 then permit5.配置集成路由桥接口（Integrated Routing and Bridging Interfaces）（可选）irb接口其实就是原来在screenOS平台下的vlan 1 接口,起一个管理的作用.CLI命令配置举例：//将irb接口放到桥接域bd2里root# set system services webmanagement http//翻开SRX的web管理服务注：irb接口必需是在桥接域配置为单个vlan ID才华配置.当桥接域里配置是vlanidlist时,irb是不能配置的.SRX不支持路由与透明模式同时运行,初始时是运行在路由模式下,当配置成透明时必需要重启设备.日志转发转发syslog到一台日志服务器systemsyslog {host 192.168.1.100 {user info;changelog notice;interactivecommands notice;match"(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)";logprefix SecureTrack_SRX_3;转发traffic log到一台日志服务器security {log {format sdsyslog;sourceaddress 192.168.1.1;stream trafficlog {severity info;format sdsyslog; host {192.168.1.120;}}stream trafficlogtest {severity info;format sdsyslog;host {192.168.1.100;}。