Juniper SRX650 configuration manual
Preparation before configuration:
SRX factory default settings:
Username: root, password empty;
Console port:
srx% cli        # root lands in the FreeBSD shell; type cli to enter operational mode
srx>
Enter configuration mode: srx> configure
srx#
Restore factory defaults: srx# load factory-default
Configure the root password:
set system root-authentication plain-text-password
# the root password must be at least 6 characters and contain both letters and digits
Commit the configuration: commit
# nothing takes effect until commit has been run
commit check    # validates the candidate configuration without activating it
Clear the entire configuration: srx# delete
# top-level delete empties the candidate configuration; it is not active until commit, and rollback 0 undoes it before commit
Set irb.99 as the management IP on the China Telecom line (VLAN 11):
set system services web-management http interface irb.99
set system services web-management https system-generated-certificate
set system services web-management https interface irb.99
Set irb.199 as the management IP on the China Unicom line (VLAN 10; irb.199 is the routing interface of the VLAN 10 bridge domain configured below):
set system services web-management http interface irb.199
set system services web-management https system-generated-certificate
set system services web-management https interface irb.199
# plain HTTP sends the admin password in clear text; once HTTPS works, delete the two http lines
Set the management address of irb.99:
set interfaces irb unit 99 family inet address 192.168.2.99/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
Set the management address of irb.199:
set interfaces irb unit 199 family inet address 192.168.10.199/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1
# The /24 masks and the gateway 192.168.10.1 are assumed (the manual gives /32 masks, unit 99 for the second
# address and next-hop 192.168.10.199.1, which is not a valid address). With a /32 the gateway is not on a
# connected subnet, so the static route is never installed; the SNMP client list further down implies /24.
# Two 0.0.0.0/0 routes with different next-hops are both installed and share traffic. To prefer one line,
# give the other a worse preference: set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.10.1 preference 10
Put ge-0/0/0 and ge-0/0/2 in the same VLAN (vlan-id 10) as the path for the China Unicom line:
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
# transparent (Layer 2) mode: the ports bridge frames and carry no IP address themselves
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 10
Put ge-0/0/1 and ge-0/0/3 in the same VLAN (vlan-id 11) as the path for the China Telecom line:
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 11
set interfaces ge-0/0/3 unit 0 family bridge interface-mode access
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 11
Assign the ports to zones and enable host-inbound services:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone luntrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone ltrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
# In transparent mode the zone of the Layer 2 port decides which services may reach the irb, so "all" on
# untrust and luntrust exposes every enabled management service (ssh, http, telnet, ...) to the ISP side.
# Restrict it to what is needed, e.g. system-services ping and system-services https, and rely on the
# login-control filter below to limit the source addresses.
set bridge-domains jcn vlan-id 10
set bridge-domains jcn routing-interface irb.199
set bridge-domains ltj vlan-id 11
set bridge-domains ltj routing-interface irb.99
set bridge-domains jcn domain-type bridge
set bridge-domains ltj domain-type bridge
commit
# A bridge domain has exactly one routing-interface: setting it again replaces the previous value, so
# creating more irb units for the same VLAN achieves nothing; only the last one configured takes effect.
# (The manual writes "jcn routing-interface irb.99" for the fourth line, which would overwrite irb.199 on
# jcn and leave ltj without any irb; ltj is what is intended.)
Configure security policies (allow traffic between the secure and insecure zones in both directions):
set security policies from-zone trust to-zone untrust policy 1 match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone ltrust to-zone luntrust policy 2 match source-address any destination-address any application any
set security policies from-zone ltrust to-zone luntrust policy 2 then permit
set security policies from-zone untrust to-zone trust policy 3 match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy 3 then permit
set security policies from-zone luntrust to-zone ltrust policy 4 match source-address any destination-address any application any
set security policies from-zone luntrust to-zone ltrust policy 4 then permit
commit
# The manual's then line for the third policy names policy 1; match and then must use the same policy name,
# otherwise policy 3 has no action and policy 1 has no match and the commit fails.
# any/any/any permit in both directions makes the firewall a plain bridge; narrow destination-address and
# application for the untrust->trust and luntrust->ltrust directions once the lines are verified.
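The zone, bridge-domain and policy lines above are easy to get subtly wrong, because Junos silently replaces a single-valued leaf that is set twice and because a policy's match and then lines must carry the same name. The following checker is an added example, not part of the original manual or a Juniper tool: it parses set-style lines and reports zones that allow all host-inbound services, bridge domains whose routing-interface is set twice, policies that permit any/any/any, and policies with a match but no then (or the reverse). The embedded sample configuration is a constructed copy of the manual's own lines, kept with the two slips the text warns about so the checker has something to find.

```python
"""Check Junos 'set'-style SRX configuration for common mistakes.

Added example, not part of the original manual. SAMPLE_CONFIG is a constructed copy
of the zone, bridge-domain and policy lines from the manual, kept with its two slips
(the second routing-interface line on bridge domain jcn, and the untrust->trust
policy whose 'then' names policy 1 instead of 3) so the checker has something to find.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone luntrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone ltrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set bridge-domains jcn vlan-id 10
set bridge-domains jcn routing-interface irb.199
set bridge-domains ltj vlan-id 11
set bridge-domains jcn routing-interface irb.99
set bridge-domains jcn domain-type bridge
set bridge-domains ltj domain-type bridge
set security policies from-zone trust to-zone untrust policy 1 match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 3 match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy 1 then permit
"""

ZONE_ALL_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services all$")
# routing-interface, vlan-id and domain-type are single-valued leaves: a second
# 'set' replaces the first instead of adding to it.
BD_LEAF_RE = re.compile(
    r"^set bridge-domains (\S+) (routing-interface|vlan-id|domain-type) (\S+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
ANY_MATCH = "source-address any destination-address any application any"


def lint(config_text):
    """Return a list of human-readable findings for the given set-style config."""
    findings = []
    bd_leaves = {}                      # (bridge-domain, leaf) -> last value seen
    policies = defaultdict(lambda: {"match": None, "then": None})

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ZONE_ALL_RE.match(line)
        if m:
            zone, ifc = m.groups()
            findings.append(f"zone {zone} interface {ifc} allows all system-services from the wire")
            continue
        m = BD_LEAF_RE.match(line)
        if m:
            bd, leaf, value = m.groups()
            key = (bd, leaf)
            if key in bd_leaves and bd_leaves[key] != value:
                findings.append(f"bridge-domains {bd} {leaf} set twice: "
                                f"{bd_leaves[key]} then {value} (only {value} takes effect)")
            bd_leaves[key] = value
            continue
        m = POLICY_RE.match(line)
        if m:
            src, dst, name, clause, rest = m.groups()
            policies[(src, dst, name)][clause] = rest

    for (src, dst, name), clauses in policies.items():
        label = f"policy {src}->{dst} '{name}'"
        if clauses["match"] is None:
            findings.append(f"{label} has then but no match")
        elif clauses["then"] is None:
            findings.append(f"{label} has match but no then")
        elif clauses["match"] == ANY_MATCH and clauses["then"] == "permit":
            findings.append(f"{label} permits any source/destination/application")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show configuration | display set` output to check a live box; the bridge-domain check is the one that catches the irb.199/irb.99 overwrite before commit makes it invisible.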
Shut down the firewall:
request system power-off
# request system power-off halts and powers off the chassis; request system halt halts it without powering off
Reboot the firewall: request system reboot
Password recovery:
Roll back to the previous configuration:
A commit activates the candidate configuration. rollback 1 followed by commit restores the configuration that was active before the last commit; rollback 0 discards uncommitted changes, and show system commit lists the commit history.
Allow only IP1, IP2 and IP3 to manage the firewall:
set interfaces irb unit 99 family inet filter input login-control
set interfaces irb unit 199 family inet filter input login-control
set firewall family inet filter login-control term 20 from source-address IP1/32
set firewall family inet filter login-control term 20 from source-address IP2/24
set firewall family inet filter login-control term 20 from source-address IP3/25
# a /24 or /25 admits the whole subnet, not one host; use /32 unless an entire management network is intended
set firewall family inet filter login-control term 20 from destination-address 192.168.2.99/32
set firewall family inet filter login-control term 20 from destination-address 192.168.10.199/32
set firewall family inet filter login-control term 20 then accept
set firewall family inet filter login-control term 30 from source-address 0/0
set firewall family inet filter login-control term 30 from destination-address 192.168.2.99/32
set firewall family inet filter login-control term 30 from destination-address 192.168.10.199/32
set firewall family inet filter login-control term 30 then discard
set firewall family inet filter login-control term 100 then accept
# Terms are evaluated in order and the first match wins; a filter ends in an implicit discard, so term 100 is
# what keeps non-management traffic flowing. Adding "then syslog" to term 30 records rejected login attempts.
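To see why the order of the three terms matters, the following Python script simulates Junos first-match filter evaluation over the login-control filter above. It is an added example, not part of the original manual or of Junos: the manual's placeholders IP1, IP2 and IP3 are replaced by the assumed documentation-range addresses 203.0.113.10/32, 198.51.100.0/24 and 192.0.2.0/25, and the test packets are constructed to hit each term, including a host that falls outside IP3's /25 and the case where term 100 is missing.

```python
"""First-match evaluation of the login-control filter above.

Added example, not part of the original manual. The manual uses the placeholders
IP1, IP2 and IP3; the documentation-range addresses 203.0.113.10/32,
198.51.100.0/24 and 192.0.2.0/25 stand in for them here (assumed values).
"""
import ipaddress


def net(prefix):
    """Parse a prefix the way Junos reads it: host bits are allowed and ignored."""
    return ipaddress.ip_network(prefix, strict=False)


MGMT_ADDRESSES = [net("192.168.2.99/32"), net("192.168.10.199/32")]

# Terms in configuration order. Inside one term, different 'from' types are ANDed
# and several values of the same type are ORed; a term with no 'from' matches everything.
LOGIN_CONTROL = [
    {"name": "20",
     "source-address": [net("203.0.113.10/32"), net("198.51.100.0/24"), net("192.0.2.0/25")],
     "destination-address": MGMT_ADDRESSES,
     "then": "accept"},
    {"name": "30",
     "source-address": [net("0.0.0.0/0")],
     "destination-address": MGMT_ADDRESSES,
     "then": "discard"},
    {"name": "100", "source-address": [], "destination-address": [], "then": "accept"},
]


def evaluate(terms, src, dst):
    """Return (term name, action) of the first matching term; Junos applies an
    implicit discard when no term matches."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for term in terms:
        srcs = term["source-address"]
        dsts = term["destination-address"]
        if srcs and not any(s in n for n in srcs):
            continue
        if dsts and not any(d in n for n in dsts):
            continue
        return term["name"], term["then"]
    return "implicit", "discard"


def without_term(terms, name):
    """Copy of the filter with one term removed, to show why term 100 matters."""
    return [t for t in terms if t["name"] != name]


# Constructed test packets (src, dst) covering each branch of the filter.
PACKETS = [
    ("203.0.113.10", "192.168.2.99"),     # IP1 -> management address: term 20 accept
    ("198.51.100.77", "192.168.10.199"),  # any host in IP2's /24 is accepted, not just one host
    ("192.0.2.200", "192.168.2.99"),      # outside IP3's /25 (.0-.127): term 30 discard
    ("10.9.9.9", "192.168.2.99"),         # unknown source -> management address: term 30 discard
    ("10.9.9.9", "192.168.2.50"),         # not a management address: term 100 accept
]

if __name__ == "__main__":
    for src, dst in PACKETS:
        term, action = evaluate(LOGIN_CONTROL, src, dst)
        print(f"{src:>15} -> {dst:<16} term {term:<8} {action}")
    # Without term 100 the same non-management packet hits the implicit discard.
    print(evaluate(without_term(LOGIN_CONTROL, "100"), "10.9.9.9", "192.168.2.50"))
```

The second packet is the one to notice: because the manual writes IP2 with a /24, every host on that subnet can reach the management addresses, which is why the comment above recommends /32 for single hosts.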
Enable the SNMP service:
set snmp community public authorization read-only
set snmp community public clients 192.168.2.99/32
set snmp community public clients 192.168.2.0/24
set snmp community public clients 192.168.10.25/32
set snmp community public clients 192.168.10.0/24
set snmp community public clients 0.0.0.0/0 restrict
# The last line denies every client not listed above. "public" is the default community that every scanner
# tries first; use a non-guessable community string, or SNMPv3 (set snmp v3 ...) with authentication.
Log servers:
set system syslog host 192.168.10.248 any any
set system syslog host 192.168.10.7 any any
set system syslog host 192.168.10.248 source-address 192.168.10.199
set system syslog host 192.168.2.7 source-address 192.168.2.99
# "any any" means every facility at every severity. The facility/severity selector and the source-address
# belong under the same host name; the lines above name both 192.168.10.7 and 192.168.2.7, so one of them
# is a typo and that server will either receive nothing or receive it from the wrong source address.
There are eight severity levels; selecting a level records that level and everything more severe:
any       == all severities (debug level and up, i.e. everything is recorded)
info      == informational level (info/notice/warning/error/critical/alert/emergency events are recorded)
notice    == notice level (notice/warning/error/critical/alert/emergency events are recorded)
warning   == warning level (warning/error/critical/alert/emergency events are recorded)
error     == error level (error/critical/alert/emergency events are recorded)
critical  == critical level (critical/alert/emergency events are recorded)
alert     == alert level (alert and emergency events are recorded)
emergency == emergency level (only emergency events are recorded)
# local0 to local7 are syslog facility codes, not severities. They tag messages for a remote collector, e.g.
# set system syslog host 192.168.10.248 facility-override local7
Logs:
root@srx650> show log messages
root@srx650> file list /cf/var/log
root@srx650> file delete /cf/var/log/srx650_logs.7.gz
root@srx650> show log chassisd
# the chassis daemon's log file is named chassisd