Juniper SRX Firewall Inspection Commands


Juniper SRX Series Firewall Routine Monitoring Commands


Juniper SRX series firewall routine monitoring commands

Check the version:
admin@# run show version

Check the chassis environment:
user@host> show chassis environment
user@host> show chassis environment cb
user@host> show chassis environment cb 0
user@host> show chassis environment pem

Check chassis alarms (under normal conditions there should be no large number of hardware error messages):
user@host> show chassis alarms

Check the log (under normal operation the log should not contain many repeated messages, such as ports flapping up/down or many user authentication failures):
user@host> show log messages

Check chassis hardware:
user@host> show chassis hardware

Check the Routing Engine:
user@host> show chassis routing-engine

Check FPC information:
user@host> show chassis fpc
user@host> show chassis fpc detail
user@host> show chassis fpc pic-status

Halt/reboot the system:
user@host> request system halt/reboot

Take a card offline/online:
user@host> request chassis fpc slot slot-number offline
user@host> request chassis fpc slot slot-number online

Check the LED indicators (look directly at the LEDs on the firewall's front panel). Status: system status. Blinking amber means the system is booting normally; blinking green means the system is running normally.

Juniper SRX Commonly Used Commands


Juniper SRX commonly used commands

rollback
set interface
set routing-options static
set system login user admin class super-user
set system login user admin authentication plain-text-password   (enter the password)
set system services ssh
set security zones security-zone untrust host-inbound-traffic system-services ssh/ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh/telnet/ping
set security zones security-zone trust host-inbound-traffic system-services ssh/telnet/ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh/telnet/ping
set security zones security-zone untrust interfaces ge-0/0/0   (if no zone is defined, NAT cannot be configured)
set security zones security-zone trust interfaces ge-0/0/1
###### set security zones security-zone trust interfaces ge-0/0/1 ???
###### set interfaces interface-range interfaces-trust member ge-0/0/1 ????
##################################################
Static NAT:
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
set security zones security-zone trust address-book address 192 192.168.0.0/23
set security zones security-zone trust address-book address-set 192nat address 192
set security policies from-zone trust to-zone untrust policy 192nat match source-address any
set security policies from-zone trust to-zone untrust policy 192nat match destination-address any
set security policies from-zone trust to-zone untrust policy 192nat match application any
set security policies from-zone trust to-zone untrust policy 192nat then permit
#######################################################
Force 172.16.0.12 to exit via .150 (by default it exits via the physical interface .146):
set security nat source pool pool-1 address 121.9.255.112
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou
##########################################################
Port mapping / static PAT: outside to inside
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/24
set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/24
set security nat destination pool dnat-pool-1 address 192.168.0.9/32
set security nat destination pool dnat-pool-2 address 172.16.0.12/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/24
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/24
set security nat destination rule-set dst-nat rule rule2 match destination-port 443
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
set security zones security-zone trust address-book address ftpserver 192.168.0.9
set security zones security-zone trust address-book address mailserver 172.16.0.12
set security zones security-zone trust address-book address-set servergroup address ftpserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit
set applications application 443 protocol tcp
set applications application 443 destination-port 443
##############################################################
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
##############################################################
Management ports:
set system services web-management https
set system services web-management http
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0
###########################################################################
Define the port/application set XXX_group:
set applications application smtp_25 destination-port 25 protocol tcp
set applications application pop3_110 destination-port 110 protocol tcp
set applications application exchange_135 destination-port 135 protocol tcp
set applications application smtp_465 destination-port 465 protocol tcp
set applications application imap_993 destination-port 993 protocol tcp
set applications application pop3_995 destination-port 995 protocol tcp
set applications application-set mail_port_group application smtp_25
set applications application-set XXX_group application smtp
set applications application-set XXX_group application pop3
Reference XXX_group:
set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group
##############################################################################
Reverse static NAT: outside to inside
set security nat static rule-set mail-static-nat from zone untrust
set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32
set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32
Matching security policy:
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application any   (or XXX_group)
set security policies from-zone untrust to-zone trust policy mail-policy then permit
Insert a policy:
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any
set security policies from-zone trust to-zone untrust policy deny_172 match application any
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust   (Trust2Utrust is the policy that permits Internet access)
#####################################################
Block the 192 subnet from the Internet, permitting only 192.168.0.2 and 192.168.0.121:
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address FTP_ser
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
set security zones security-zone trust address-book address-set deny_192_online address deny_192
Matching security policy:
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy deny_192_online match application any
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
###########################################################################
Configure web management:
set system host-name Test
set system root-authentication encrypted-password "$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."
set system name-server 202.96.128.166
set system name-server 202.96.128.86
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password HJuZerSULPfkA
set system services ssh
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.8.125/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
###########################################################################
Open Untrust service ports:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
Configure the default route + NAT:
set routing-options static route 0.0.0.0/0 next-hop 192.168.8.1
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-sou match source-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou then source-nat interface
Internal outbound permit policy:
set security policies from-zone trust to-zone untrust policy in_out match source-address any
set security policies from-zone trust to-zone untrust policy in_out match destination-address any
set security policies from-zone trust to-zone untrust policy in_out match application any
set security policies from-zone trust to-zone untrust policy in_out then permit
###########################################################################
Anti-virus under UTM:
set security utm utm-policy test-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus imap-profile junos-av-defaults
set security utm utm-policy test-policy anti-spam smtp-profile junos-as-defaults
set security utm utm-policy test-policy traffic-options sessions-per-client over-limit log-and-permit
set security utm utm-policy web-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy web-policy traffic-options sessions-per-client over-limit log-and-permit
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit application-services utm-policy web-policy
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application mail_port_group
set security policies from-zone untrust to-zone trust policy mail-policy then permit application-services utm-policy test-policy
set security policies from-zone untrust to-zone trust policy Ftp-Policy match source-address any
set security policies from-zone untrust to-zone trust policy Ftp-Policy match destination-address FTP_ser
set security policies from-zone untrust to-zone trust policy Ftp-Policy match application junos-ftp
set security policies from-zone untrust to-zone trust policy Ftp-Policy then permit application-services utm-policy test-policy
admin@KDS_FW> show security utm anti-spam statistics
##########################################################
Dynamic VPN configuration:
run show chassis routing-engine   (check CPU user and idle percentages)
show config | dis set | match utm
show log utmd-av | last
clear log utmd-av
###########################################################
Packet capture configuration:
Could you please configure the following traceoption and send the log file. You can create the packet filter as followed:
#set security flow traceoption file debug
#set security flow traceoption flag basic-datapath
#set security flow traceoption packet-filter filter1 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80
#set security flow traceoption packet-filter filter2 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80
#commit
The second one is for the return traffic.
show log debug
request system license update

Juniper SRX High-End Firewall Concise Configuration Guide


Juniper SRX Firewall Concise Configuration Guide

Contents
1. Introduction to the JUNOS operating system
  1.1 Hierarchical configuration structure
  1.2 JunOS configuration management
  1.3 Main SRX configuration items
2. SRX firewall configuration
  2.1 Initial installation
    2.1.1 Login
    2.1.2 Setting the root password
    2.1.3 JSRP initial configuration
    2.1.4 Setting up remote login management users
    2.1.5 Remote management of the SRX
    2.1.6 Zones and related interface configuration
  2.2 Policy
  2.3 NAT
    2.3.1 Interface based NAT
    2.3.2 Pool based Source NAT
    2.3.3 Pool based destination NAT
    2.3.4 Pool based Static NAT
  2.4 IPSEC VPN
  2.5 Application and ALG
3. SRX firewall routine operation and maintenance
  3.1 Shutting down a standalone device
  3.2 Rebooting a standalone device
  3.3 Upgrading the operating system on a standalone device
  3.4 Shutting down the primary/backup SRX in a cluster
  3.5 Rebooting the primary/backup devices in a cluster
  3.6 Upgrading the operating system in a cluster
  3.7 Forwarding-plane primary/backup failover in a cluster and recovery afterwards
  3.8 Control-plane primary/backup failover in a cluster and recovery afterwards
  3.9 Replacing the backup SRX in a cluster
  3.10 Replacing the primary SRX in a cluster
  3.11 Replacing a power supply in a cluster
  3.12 Replacing a failed card in a cluster
  3.13 Configuration backup and restore
  3.14 Changing passwords
  3.15 Cleaning up disk files
  3.16 Password recovery
  3.17 Common monitoring and maintenance commands
4. SRX firewall introduction

The SRX series firewalls are Juniper's security products based on the JUNOS operating system; JUNOS integrates routing, switching, security and a rich set of network services.

Common Network Device Inspection Command Reference


Network device security inspection command reference

To improve the efficiency of security inspections and quickly complete the routine inspection of network switches, routers and firewalls, it is recommended to use the SecureCRT terminal tool together with copy-and-paste batch command scripts to collect inspection data from the devices.

Local or remote logins to customer devices all use SecureCRT; prepare login scripts in advance for every customer network device to be inspected, so that later inspections and maintenance can log in quickly.

For each customer to be inspected, use the batch commands below to complete data collection quickly.

Before running the batch commands, use SecureCRT to log the session to a newly created txt file, then select all of the commands below and paste them into the device's privileged mode; the information the commands display is written automatically to that txt file.

Contents
1 Cisco network device routine inspection data collection
  1.1 Cisco switch
  1.2 Cisco router
  1.3 Cisco firewall
  1.4 Explanation of the Cisco inspection commands
2 Huawei network device routine inspection data collection
  2.1 Huawei switch
  2.2 Huawei router
  2.3 Explanation of the Huawei inspection commands
3 H3C network device routine inspection data collection
  3.4 H3C switch
  3.5 H3C router
  3.6 Explanation of the H3C inspection commands
4 Harbour network device routine inspection data collection
  4.7 Harbour switch
  4.8 Harbour router
  4.9 Explanation of the Harbour inspection commands
5 HP network device routine inspection data collection
  5.10 HP switch
  5.11 HP router
  5.12 Explanation of the HP inspection commands

1 Cisco network device routine inspection data collection

1.1 Cisco switch
==================================================================
terminal length 0
show runn
show ver
show ip socket
show ip socket detail
show tcp
show clock
show vtp status
show vtp pass
show env all
show inventory
show spanning root
show spanning block
show spanning
show cdp nei
show cdp nei det
show arp
show mac-address-table
dir all-
show inter status
show inter summ
show inter | i errors|FastEthernet|GigabitEthernet
clear counters
show proc cpu | ex 0.00%
show proc mem
show debug
sh logging
show ip route
terminal length 45

1.2 Cisco router
=====================================================================
terminal length 0
show ver
show runn
show clock
show tcp brief all
show tcp
show env all
show inventory
show cdp nei
show cdp nei det
show arp
dir all-
show interface
show inter summ
show inter | i errors|FastEthernet|GigabitEthernet|Serial
clear counters
show proc cpu his
show proc cpu | ex 0.00%
show proc mem
show debug
show access-list
sh logging
show ip route
terminal length 45

1.3 Cisco firewall
======================================================================
terminal pager 0
show runn
show ver
show clock
show nameif
show inventory
show resource usage
show asp drop
show conn count
show xlate count
show firewall
show perfmon detail
show ip audit count
dir all-
show interface
show inter | i errors|FastEthernet|GigabitEthernet|Serial
clear counters
show cpu usa
show mem
show debug
show access-list
sh logging
show route
show local-host
terminal pager 24

1.4 Explanation of the Cisco inspection commands
======================================================================
1 terminal length 0 ; do not limit the number of lines the terminal displays (all show commands output fully without pausing)
2 show running-config ; view the current device configuration
3 show version ; view IOS version information and device uptime
4 show clock ; view the device clock
5 show tcp brief all ; view the state of the TCP services the device currently exposes
6 show vtp status ; view the switch's VTP mode
7 show vtp password ; view the switch's VTP password
8 show env all ; view device temperature, power supply and fan readings and whether any of them alarm (note: mid- and high-end devices do not take the "all" parameter)
9 show inventory ; retrieve the factory model and serial number of the device's internal cards and modules (useful as a basis for asset inventory and maintenance contracts)
10 show spanning-tree root ; view where the switch's spanning-tree root is
11 show spanning-tree block ; view the switch's blocked ports
12 show spanning-tree ; view spanning-tree information for all VLANs
13 show cdp neighbors ; view basic information about neighbouring Cisco devices
14 show cdp neighbors detail ; view detailed information about neighbouring Cisco devices
show mac-address-table ; check the MAC address table to confirm that destination MAC addresses are correct


SRX Firewall Routine Monitoring Commands


SRX firewall routine monitoring commands

1. Check current CPU and session usage (normally the CPU peak should not exceed 90%, and the peak concurrent connection count should not exceed 80% of MAX):
admin@# run op srx-monitor
2. Clear the session table (this operation must be agreed with the customer first; use with caution!):
admin@# run clear security flow session all
3. Check current CPU usage (normally the CPU peak should not exceed 90%):
admin@# run show chassis routing-engine
4. Check current bandwidth usage:
admin@# run monitor interface traffic
5. Query port-based NAT translation (normally the NAT translation peak should not exceed 90% of MAX):
lab@srx5800a# run show security nat interface-nat-ports
6. View the session table (the peak concurrent connection count should not exceed 80% of MAX):
admin@# run show security flow session
admin@# run show security flow session summary
7. View/clear the ARP table:
admin@# run show arp
admin@# run clear arp
8. Check the device time (the system time should agree with the local time and time zone):
admin@# run show system uptime
9. Check interface status (interfaces in use should be UP or Active):
admin@# run show interfaces terse
10. Check transmit/receive optical power on fibre interfaces:
lab@mx480-2-re0# run show interfaces diagnostics optics ge-0/0/2
11. Software upgrade:
admin@# run request system software add ftp://192.168.100.101/junos-srx3000-10.0R1.4-domestic.tgz no-copy no-validate unlink
12. Check the version:
admin@# run show version
13. Check the chassis environment:
user@host> show chassis environment
user@host> show chassis environment cb
user@host> show chassis environment cb 0
user@host> show chassis environment pem
14. Check chassis alarms (under normal conditions there should be no large number of hardware error messages):
user@host> show chassis alarms
15. Check the log (under normal operation the log should not contain many repeated messages, such as ports flapping up/down or many user authentication failures).

Juniper Firewall Device Inspection Document


Juniper firewall inspection commands

-> get chassis
The output should show all modules running OK. This command also shows the serial number and model of each device module.

-> get system
This command shows the OS version, how long the firewall has been running, the reason for the most recent reboot, and the size of the firewall's main memory. If the device uptime is short, be sure to use get system to check the time and reason of the last reboot, so that potential risks can be analysed.

-> get performance cpu
Use get performance cpu to check the firewall's short-term (within 5 minutes) CPU utilisation. NetScreen is a high-performance firewall built on a hardware architecture, and much of the computation is done by dedicated ASICs; under normal operation CPU utilisation should stay below 50%. Excessively high CPU utilisation deserves serious attention: check session usage and the various alarms, and check whether there is attack traffic on the network. High CPU utilisation is usually related to attacks and can be defended against by correctly setting the corresponding screening options.

-> get memory
Shows the system memory available. NetScreen firewalls manage memory very precisely using a pre-allocation mechanism: at no load memory usage is about 50-60%, and as traffic grows memory usage should stay essentially stable. If memory usage reaches 90%, check whether there is attack traffic on the network, and check whether the memory space allocated for debug is too large (get dbuf info, reported in bytes).

-> get session info
Check the current number of sessions: the session count must not get too close to the maximum supported session count, otherwise the device overloads and an upgrade should be considered.

-> get alarm event
Check device alarm information and the device system time.

-> get nsrp
Check that the NSRP state is normal. Note: the NSRP state should be active.

-> get config
View the device configuration.

Juniper SRX Firewall Configuration Guide (Command-Line Mode)


Juniper SRX Firewall Concise Configuration Guide

Contents
1. Introduction to the JUNOS operating system
  1.1 Hierarchical configuration structure
  1.2 JunOS configuration management
  1.3 Main SRX configuration items
2. SRX firewall configuration reference
  2.1 Initial installation
    2.1.1 Login
    2.1.2 Setting the root password
    2.1.3 Setting up remote login management users
    2.1.4 Remote management of the SRX
  2.2 Policy
  2.3 NAT
    2.3.1 Interface based NAT
    2.3.2 Pool based Source NAT
    2.3.3 Pool based destination NAT
    2.3.4 Pool based Static NAT
  2.4 IPSEC VPN
  2.5 Application and ALG
  2.6 JSRP
3. SRX firewall routine operation and maintenance
  3.1 Shutting down the device
  3.2 Rebooting the device
  3.3 Upgrading the operating system
  3.4 Password recovery
  3.5 Common monitoring and maintenance commands

The SRX series firewalls are Juniper's security products based on the JUNOS operating system; JUNOS integrates routing, switching, security and a rich set of network services.

All of Juniper's routers, switches and SRX security products currently run a JUNOS operating system built from a single source code base; JUNOS was the first network operating system in the world to separate the forwarding and control functions and to adopt a modular software architecture.

The carrier-grade essence of JUNOS is the cornerstone of Juniper's success: it gives enterprise products the same carrier-grade non-stop operation, with better security and manageability, and JUNOS's innovative distributed architecture lays the foundation for high-performance, highly available and highly scalable networks.

The NP-based SRX series provides a full range of high-performance security functions, including firewall, NAT, IPSEC, IPS, SSL VPN and UTM; its security functions are derived largely from the widely proven ScreenOS operating system.

SRX3600 Firewall Routine Inspection Commands


SRX3600 firewall routine inspection commands

Device information can also be read through MIB values.

SRX3600
1. Firewall CPU and session-count OIDs: the corresponding MIB file is mib-jnx-js-spu-monitoring.txt.
NSRP status OIDs:
1.3.6.1.4.1.2636.3.1.14.1.7.9.1.0.0   control-plane primary/backup
1.3.6.1.4.1.2636.3.1.14.1.7.9.3.0.0   forwarding-plane primary/backup
Returned values: 2 means master; 3 means backup; 4 means disable. The corresponding MIB file is mib-jnx-jsrpd.txt.
2. Use this command to display MIB values:
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.7
3. NAT translation usage of the firewall's public IP addresses:
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5

Examples:

1. Check the firewall's current total session count. Command: show security flow session summary
admin@BJBJ-PS-WAP4-FW01> show security flow session summary node 0
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 189499
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 193363
Valid sessions: 189196
Pending sessions: 2
Invalidated sessions: 3859
Sessions in other states: 0
Maximum-sessions: 524288
{primary:node0}
This shows the firewall's current total session count is 193363.

2. Check the number of new sessions the firewall creates per second. Command: show interface fab0
admin@BJBJ-PS-WAP4-FW01> show interfaces fab0
Physical interface: fab0, Enabled, Physical link is Up
Interface index: 138, SNMP ifIndex: 520
Link-level type: Ethernet, MTU: 9014, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Current address: 84:18:88:43:b0:21, Hardware address: 84:18:88:43:b0:21
Last flapped : 2011-11-22 00:40:55 CST (1w1d 00:00 ago)
Input rate : 0 bps (0 pps)
Output rate : 7516352 bps (2204 pps)
Logical interface fab0.0 (Index 74) (SNMP ifIndex 521)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Statistics          Packets        pps         Bytes          bps
Bundle:
Input :                   0          0             0            0
Output:          1682870581       2204  719123403018      7516352
Security: Zone: Null
Protocol inet, MTU: 9000
Addresses, Flags: Is-Preferred Is-Primary
Destination: 30.17.0/24, Local: 30.17.0.200, Broadcast: 30.17.0.255
This shows the firewall creates 2204 new sessions per second.

3. Check the NAT translation count of each public IP address via the MIB. Command: show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5
admin@BJBJ-PS-WAP4-FW01> show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5
jnxJsNatSrcNumPortInuse.13.115.109.115.95.49.48.45.52.45.53.45.51.54.0.10.4.5.36 = 0
jnxJsNatSrcNumPortInuse.17.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.57.0.211.136.28.189 = 0
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.180 = 44840
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.181 = 45711
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.182 = 45825
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.183 = 44858
{primary:node0}
This shows that public IP 211.136.28.180 currently has 44840 address translations (one public address can carry at most 2 million NAT translations); public IP 211.136.28.181 has 45711; public IP 211.136.28.182 has 45852; public IP 211.136.28.183 has 44858.

4. Check the status of the cards. Command: show chassis fpc
admin@BJBJ-PS-WAP4-FW01> show chassis fpc node 0
node0:
--------------------------------------------------------------------------
                     Temp  CPU Utilization (%)   Memory Utilization (%)
Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
  0  Online            39     14          0           1024    2      27
  1  Empty
  2  Empty
  3  Empty
  4  Empty
  5  Empty
  6  Empty
  7  Online            49     14          0           1024    2      27
  8  Empty
  9  Empty
 10  Online            33     14          0           1024    2      27
 11  Empty
 12  Empty
Slot 0 shows the status of the SFB (forwarding board), slot 7 the status of the NPC card, and slot 10 the status of the SPC card.
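The following Python script is an added example, not part of any of the documents collected on this page. It parses the two outputs shown above (the `show security flow session summary` text and the `jnxJsNatSrcNumPortInuse` SNMP walk, decoding the pool name and translated IP that are packed into the OID index) and applies the thresholds this page gives: sessions in use below 80% of Maximum-sessions and NAT usage below 90% of capacity. The per-address port capacity and the meaning of the single integer between pool name and IP in the index are assumptions, marked in the comments.

```python
"""Parse SRX session-summary and NAT SNMP-walk output and check the page's
thresholds. Sample inputs are constructed from the outputs shown above."""
import re

# Constructed sample, trimmed from the session-summary output shown above.
SESSION_SUMMARY = """\
node0:
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 189499
Sessions-in-use: 193363
Maximum-sessions: 524288
{primary:node0}
"""

# Constructed sample: three rows in the format of the SNMP walk shown above.
NAT_WALK = """\
jnxJsNatSrcNumPortInuse.13.115.109.115.95.49.48.45.52.45.53.45.51.54.0.10.4.5.36 = 0
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.180 = 44840
jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.181 = 45711
"""


def parse_session_summary(text):
    """Map every 'Name: <integer>' line of the summary to an int."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^([^:\n]+):\s*(\d+)\s*$", text, re.M)}


def decode_nat_index(index):
    """Decode the instance index of jnxJsNatSrcNumPortInuse.

    Layout observed in the walk above: <len>.<len ASCII bytes of the pool
    name>.<one integer>.<4 IPv4 octets>. The single integer between the
    name and the address is assumed here to be an address-type field."""
    parts = [int(p) for p in index.split(".")]
    n = parts[0]
    name = bytes(parts[1:1 + n]).decode("ascii")
    rest = parts[1 + n:]
    if len(rest) != 5:
        raise ValueError("unexpected index tail: %r" % rest)
    return name, rest[0], ".".join(str(o) for o in rest[1:])


def parse_nat_walk(text):
    """Return [(pool_name, translated_ip, ports_in_use), ...]."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"jnxJsNatSrcNumPortInuse\.([\d.]+)\s*=\s*(\d+)$", line.strip())
        if m:
            name, _, ip = decode_nat_index(m.group(1))
            rows.append((name, ip, int(m.group(2))))
    return rows


def check_thresholds(summary, nat_rows, ports_per_address=64512,
                     session_limit=0.80, nat_limit=0.90):
    """Return warnings for any value above the page's thresholds.

    ports_per_address is an assumed capacity (ports 1024-65535 of one
    address); set it to the port range actually configured for the pool."""
    warnings = []
    used, maximum = summary["Sessions-in-use"], summary["Maximum-sessions"]
    if used > session_limit * maximum:
        warnings.append("sessions %d/%d above %.0f%%" % (used, maximum, session_limit * 100))
    for name, ip, inuse in nat_rows:
        if inuse > nat_limit * ports_per_address:
            warnings.append("NAT %s (%s) %d/%d ports above %.0f%%"
                            % (name, ip, inuse, ports_per_address, nat_limit * 100))
    return warnings


if __name__ == "__main__":
    s = parse_session_summary(SESSION_SUMMARY)
    print("sessions in use: %d of %d" % (s["Sessions-in-use"], s["Maximum-sessions"]))
    rows = parse_nat_walk(NAT_WALK)
    for row in rows:
        print("pool %s -> %s: %d ports in use" % row)
    print(check_thresholds(s, rows) or "all within thresholds")
```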

Juniper SRX Firewall Configuration Management Guide


Juniper SRX Series Firewall Configuration Management Guide

Contents
1. Introduction to the JUNOS operating system
  Hierarchical configuration structure
  JunOS configuration management
  Main SRX configuration items
2. SRX firewall configuration examples
  Initial installation
  Device login
  Restoring factory defaults
  Setting the root password
  Setting up remote login management users
  Remote management of the SRX
  Lab topology for the configuration exercises
  Policy configuration
  Policy address objects
  Policy service objects
  Policy schedule objects
  Example of adding a policy
  Deleting a policy
  Reordering policies
  Deactivating and activating policies
  Address translation
  Interface based NAT (interface-based source address translation)
  Pool based Source NAT (pool-based source address translation)
  Pool based destination NAT (pool-based destination address translation)
  Pool based Static NAT (pool-based static address translation)
  Routing protocol configuration
  Static route configuration
  OSPF configuration
  Switch firewall restriction functions
  Restricting IP addresses
  Restricting MAC addresses
3. SRX firewall routine operation and maintenance
  Shutting down the device
  Rebooting the device
  Upgrading the operating system
  Password recovery
  Common monitoring and maintenance commands

Juniper SRX Branch series firewall configuration management guide: overview

The SRX series firewalls are Juniper's security products based on the JUNOS operating system; JUNOS integrates routing, switching, security and a rich set of network services.

All of Juniper's routers, switches and SRX security products currently run a JUNOS operating system built from a single source code base; JUNOS was the first network operating system in the world to separate the forwarding and control functions and to adopt a modular software architecture.

The carrier-grade essence of JUNOS is the cornerstone of Juniper's success: it gives enterprise products the same carrier-grade non-stop operation, with better security and manageability, and JUNOS's innovative distributed architecture lays the foundation for high-performance, highly available and highly scalable networks.

Using the Juniper Firewall Command-Line Troubleshooting Tool snoop


Using the Juniper firewall command-line troubleshooting tool snoop
2007-04-24 13:22

An example of using snoop:

1. First set a filter list so that the firewall only analyses the packets of interest, using the snoop filter command:
ns208-> snoop filter ?
delete     delete snoop filter
ethernet   snoop specified ethernet
id         snoop filter id
ip         snoop ip packet
off        turn off snoop filter
on         turn on snoop filter
tcp        snoop tcp packet
udp        snoop udp packet
ns208-> snoop filter ip ?
<return>
direction        snoop direction
dst-ip           snoop filter dst ip
dst-port         snoop filter dst port
interface        interface name
ip-proto         snoop filter ip proto
port             src or dst port
src-ip           snoop filter src ip
src-port         snoop filter src port
<IPv4 Address>   IPv4 Address
offset           ip offset
ns208-> snoop info
Snoop: OFF
Filters Defined: 2, Active Filters 2
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP dir(I)
id 2(on): IP dst-ip 172.27.68.1 dir(B)

2. Turn on snoop to start capturing:
ns208-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y

3. Send test packets, or let a small amount of traffic pass through the firewall.

4. Stop snoop:
ns208-> snoop off

5. Examine the firewall's analysis of the forwarded packets that matched the filter (this capture used a different filter from the one defined above):
ns208-> get db stream
1. The packet comes into the Netscreen from the Trusted side client.
55864.0: 0(i):005004bb815f->0010db00ab30/0800
10.0.0.36->10.10.10.14/1, tlen=60
vhl=45, id=31489, frag=0000, ttl=32
2. The packet then leaves the Netscreen, on its way to the destination host.
55864.0: 1(o):0010db00ab31->00104bf3d073/0800
10.10.10.10->10.10.10.14/1, tlen=60
vhl=45, id=31489, frag=0000, ttl=31
3. The packet then returns to the Netscreen from the host.
55864.0: 1(i):00104bf3d073->0010db00ab31/0800
10.10.10.14->10.10.10.10/1, tlen=60
vhl=45, id=12289, frag=0000, ttl=128
4. Finally, the packet is returned to the client on the trusted side.
55864.0: 0(o):0010db00ab30->005004bb815f/0800
10.10.10.14->10.0.0.36/1, tlen=60
vhl=45, id=12289, frag=0000, ttl=127

5. Clear the debug results buffered on the firewall:
ns208-> clear db

6. Remove the firewall's snoop filter settings:
ns208-> snoop filter delete
All filters removed

Juniper Firewall Basic Commands


Juniper firewall basic commands

Common show commands
get int                                   view interface configuration
get int ethx/x                            view the configuration of a specified interface
get mip                                   view mapped IP (MIP) relationships
get route                                 view the routing table
get policy id x                           view a specified policy
get nsrp                                  view NSRP information; parameters can follow to view a specific VSD group, port monitoring settings, etc.
get per cpu de                            view CPU utilisation
get per session de                        view new sessions per second
get session                               view current sessions; can be matched on source address, source port, destination address, destination port, protocol, etc.
get session info                          view the current session count
get system                                view system information, including the current OS version, interface information, device uptime, etc.
get chassis                               view device and card serial numbers and the device operating temperature
get counter stat                          view counters for all interfaces
get counter stat ethx/x                   view counters for a specified interface
get counter flow zone trust/untrust       view flow statistics for a specified zone
get counter screen zone untrust/trust     view attack-protection (screen) statistics for a specified zone
get tech-support                          the device status command set, normally collected when a fault occurs in order to request JTAC support

Common set commands
set int ethx/x zone trust/untrust/dmz/ha        put a specified interface into a specified zone (trust/untrust/dmz/ha, etc.)
set int ethx/x ip x.x.x.x/xx                    configure the IP address of a specified interface
set int ethx/x manage                           enable all management options on a specified interface
set int ethx/x manage web/telnet/ssl/ssh        enable a specific management option on a specified interface
set int ethx/x phy full 100mb                   configure the speed and duplex of a specified interface
set int ethx/x phy link-down                    shut down a specified interface
set nsrp vsd id 0 monitor interface ethx/x      configure an HA monitored port; if this port goes down the device fails over between primary and backup
exec nsrp vsd 0 mode backup                     manually fail over primary/backup; run on the current primary device
set route 0.0.0.0/0 interface ethernet1/3 gateway 222.92.116.33   configure a route; the next-hop interface and IP address must both be given
Any set command can be undone with unset, the equivalent of "no" in Cisco IOS. Every command can be completed with the TAB key, and "?" shows the options that may follow.

Basic firewall configuration
1. Accounts
create account [admin | user] <username>   (press Enter, enter the password, enter the password again)
configure account admin   (press Enter, enter the password, enter the password again)
2. Port configuration
config ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full]
3. VLAN configuration
Whether at the core or the access layer, first create three VLANs and remove all ports from the Default VLAN:
config vlan default del port all
create vlan Server
create vlan User
create vlan Manger
Define the 802.1q tags:
config vlan Server tag 10
config vlan User tag 20
config vlan Manger tag 30
Set the VLAN gateway addresses:
config vlan Server ipa 192.168.41.1/24
config vlan User ipa 192.168.40.1/24
config vlan Manger ipa 192.168.*.*/24
enable ipforwarding   (enable IP forwarding, i.e. inter-VLAN routing)
Trunk configuration:
config vlan Server add port 1-3 t
config vlan User add port 1-3 t
config vlan manger add port 1-3 t
4. VRRP configuration
enable vrrp
configure vrrp add vlan UserVlan
configure vrrp vlan UserVlan add master vrid 10 192.168.6.254
configure vrrp vlan UserVlan authentication simple-password extreme
configure vrrp vlan UserVlan vrid 10 priority 200
configure vrrp vlan UserVlan vrid 10 advertisement-interval 15
configure vrrp vlan UserVlan vrid 10 preempt
5. Port mirroring
First remove the port from its VLAN.
enable mirroring to port 3                  # use port 3 as the mirror port
config mirroring add port 1                 # send port 1's traffic to port 3
config mirroring add port 1 vlan default    # send the traffic of port 1 and VLAN default to port 3
6. Port-channel configuration
enable sharing <port> grouping <portlist> {port-based | address-based | round-robin}
show port sharing   // view the configuration
7. STP configuration
enable stpd   // start spanning tree
create stpd stp-name   // create a spanning tree
configure stpd <spanning tree name> add vlan <vlan name> {ports <portlist> [dot1d | emistp | pvst-plus]}
configure stpd stpd1 priority 16384
configure vlan marketing add ports 2-3 stpd stpd1 emistp
8. DHCP relay configuration
enable bootprelay
config bootprelay add <dhcp server ip>
9. NAT configuration
enable nat   # enable NAT
Static NAT rule example:
config nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32
Dynamic NAT rule example:
config nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31
Portmap NAT rule example:
config nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32/28 both portmap
Portmap min-max example:
config nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap 1024 - 8192
10. OSPF configuration
enable ospf   (start the OSPF process)
create ospf area <area identifier>   (create an OSPF area)
configure ospf routerid [automatic | <routerid>]   (configure the router ID)
configure ospf add vlan [<vlan name> | all] area <area identifier> {passive}   (add a VLAN to an area, equivalent to "network" in Cisco IOS)
configure ospf area <area identifier> add range <ipaddress> <mask> [advertise | noadvertise] {type-3 | type-7}   (add a network range to an area, equivalent to "network" in Cisco IOS)
configure ospf vlan <vlan name> neighbor add <ipaddress>
OSPF route redistribution:
enable ospf export direct [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]
enable ospf export static [cost <metric> [ase-type-1 | ase-type-2] {tag <number>} | <route map>]
enable ospf originate-default {always} cost <metric> [ase-type-1 | ase-type-2] {tag <number>}
enable ospf originate-router-id
11. SNMP configuration
enable snmp access
enable snmp traps
create access-profile <access profile> type [ipaddress | vlan]
config snmp access-profile readonly [<access_profile> | none]   (configure the SNMP read-only access list; none removes it)
config snmp access-profile readwrite [<access_profile> | none]   (controls read-write access)
config snmp add trapreceiver <ip address> {port <udp_port>} community <community string> {from <source ip address>}   (configure the SNMP trap receiver host and community string)
12. Security configuration
disable ip-option loose-source-route
disable ip-option strict-source-route
disable ip-option record-route
disable ip-option record-timestamp
disable ipforwarding broadcast
disable udp-echo-server
disable irdp vlan <vlan name>
disable icmp redirect
disable web   (disable web access to the switch)
enable cpu-dos-protect
13. Access-list configuration
create access-list icmp destination source
create access-list ip destination source ports
create access-list tcp destination source ports
create access-list udp destination source ports
14. Default route configuration
config iproute add default <gateway>
15. Restore factory defaults, except for user-changed time and user account information
unconfig switch {all}
16. Checking the configuration
show version
show config
show session
show management   (view management information, including SNMP information)
show banner
show ports configuration
show ports utilization ?
show memory / show cpu-monitoring
show ospf
show access-list {<name> | port <portlist>}
show access-list-monitor
show ospf area <area identifier>
show ospf area detail
show ospf ase-summary
show ospf interfaces {vlan <vlan name> | area <area identifier>}
unconfigure ospf {vlan <vlan name> | area <area identifier>}
show switch
show config
show diag
show iparp
show iproute
show ipstat
show log
show tech all
show version detail
17. Backing up and upgrading software
download image [<hostname> | <ipaddress>] <filename> {primary | secondary}
upload image [<hostname> | <ipaddress>] <filename> {primary | secondary}
use image [primary | secondary]
18. Password recovery


NetScreen and SRX packet capture

Juniper firewall (SSG and SRX) troubleshooting packet-capture commands

1. ScreenOS packet capture

debug: trace how the firewall processes a packet
1. set ffilter src-ip x.x.x.x dst-ip x.x.x.x dst-port xx   # set the filter that defines which packets are traced
2. clear dbuf                                              # clear the analysis buffer held in the firewall's memory
3. debug flow basic                                        # start flow tracing
4. send test packets, or let a small amount of traffic pass through the firewall
5. undebug all                                             # stop all debugging
6. get dbuf stream                                         # review the firewall's analysis of the packets that matched the filter
7. unset ffilter                                           # remove the debug filter
8. clear dbuf                                              # clear the buffered debug output
9. get debug                                               # show the current debug settings

snoop: capture packets entering and leaving the firewall, similar to a sniffer
1. snoop filter ip src-ip x.x.x.x dst-ip x.x.x.x dst-port xx   # set the filter that defines which packets are captured
2. clear dbuf                                                  # clear the capture buffer held in the firewall's memory
3. snoop                                                       # start capturing
4. send test packets, or let a small amount of traffic pass through the firewall
5. snoop off                                                   # stop snoop
6. get dbuf stream                                             # review the captured packets that matched the filter
7. snoop filter delete                                         # remove the snoop filter
8. clear dbuf                                                  # clear the buffered capture
9. snoop info                                                  # show the snoop settings

Always set a filter before debug flow basic or snoop, and stop the debug afterwards: unfiltered debugging on a busy firewall consumes CPU and fills the buffer with unrelated traffic.

2. SRX packet capture

debug: trace how the firewall processes a packet. The SRX equivalent of ScreenOS debug flow basic:
set security flow traceoptions flag basic-datapath                              # enable basic datapath tracing
set security flow traceoptions file filename.log                                # write the trace to the named file
set security flow traceoptions file filename.log size <file-size>               # file size; the default is 128 KB
set security flow traceoptions packet-filter filter1 destination-prefix 5.5.5.2 # trace only packets matching the filter
run file show filename.log                                                      # view the trace output from configuration mode
Remove the trace (delete security flow traceoptions) and commit once troubleshooting is finished; a trace left in place keeps writing to disk.

Capturing packets that enter and leave the firewall

Enable packet capture and set its parameters:
edit forwarding-options
set packet-capture maximum-capture-size 500   // bytes captured from each packet; range 68 to 1500, default 68 (enough for headers only)
set packet-capture file filename pcap-file    // target filename; for each physical interface the interface name is appended automatically, e.g. pcap-file.fe-0.0.1
set packet-capture file files 100             // maximum number of capture files; range 2 to 10,000, default 10
set packet-capture file size 1024             // maximum size of each file in bytes; range 1,024 to 104,857,600, default 512,000
set packet-capture file world-readable        // let every user on the device read the capture files; leave this out unless it is needed, since captures can contain credentials and other sensitive payload

Configure packet capture on an interface:
edit interfaces fe-0/0/1
set unit 0 family inet sampling input output

Configure a firewall filter for packet capture:
edit firewall
set filter dest-all term dest-term from destination-address 192.168.1.1/32
set filter dest-all term dest-term then sample accept
top set interfaces fe-0/0/1 unit 0 family inet filter output dest-all
Junos firewall filters end with an implicit discard. Applied exactly as written, dest-all drops every output packet that is not addressed to 192.168.1.1/32, so add a final term (for example term allow-rest then accept) before applying the filter to a production interface.

Disable packet capture:
edit forwarding-options
set packet-capture disable

For a quick look at control-plane traffic (packets to or from the Routing Engine itself, not transit traffic) the operational-mode command monitor traffic interface <interface-name> can be used instead of forwarding-options packet-capture.
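Once the capture files have been copied off the SRX, the first check is whether the capture actually contains the traffic the filter term was written for. The script below is an added example written for this page (it is not code from the original page or from Juniper): it parses the classic pcap format that packet-capture writes, tallies IPv4 packets by destination address, and reports any destinations other than the one the filter term selected. If other destinations appear, the packets are being sampled by the interface-level sampling statement rather than by the filter term alone. The sample capture is constructed inline (three Ethernet/IPv4 frames without payload); the addresses, MACs and file names are assumptions, and the truncation to 68 bytes mirrors the default maximum-capture-size.

```python
"""Offline check of a Junos packet-capture file (added example, not Juniper code)."""
import struct
from collections import Counter
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def iter_pcap_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, captured_bytes) for each pcap record.

    Accepts either byte order of the magic number and refuses records that
    claim more bytes than the snaplen or than remain in the file.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (offset - 16))
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def ipv4_destinations(data: bytes) -> Counter:
    """Count IPv4 packets per destination address.

    Frames that are not IPv4, or that maximum-capture-size cut off before the
    end of the IPv4 header (14-byte Ethernet + 20-byte IPv4), are skipped
    instead of being mis-parsed.
    """
    counts: Counter = Counter()
    for _ts, frame in iter_pcap_packets(data):
        if len(frame) < 34:
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip_header = frame[14:34]
        if ip_header[0] >> 4 != 4:
            continue
        counts[".".join(str(b) for b in ip_header[16:20])] += 1
    return counts


def unexpected_destinations(data: bytes, expected_dst: str) -> Counter:
    """Packets whose destination is not the address the filter term
    (e.g. `from destination-address 192.168.1.1/32`) was meant to select."""
    return Counter({dst: n for dst, n in ipv4_destinations(data).items()
                    if dst != expected_dst})


# ---- constructed sample capture (assumed addresses; not a real device capture) ----
def _frame(src: str, dst: str) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame with no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip


def build_pcap(frames: List[bytes], snaplen: int = 68) -> bytes:
    """Serialize frames as a little-endian classic pcap, truncating each one
    to snaplen the way maximum-capture-size does on the SRX."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame))
        out += captured
    return out


SAMPLE_CAPTURE = build_pcap([
    _frame("10.0.0.5", "192.168.1.1"),
    _frame("10.0.0.6", "192.168.1.1"),
    _frame("10.0.0.5", "192.168.1.2"),   # not selected by the filter term
])

if __name__ == "__main__":
    print("per destination:", dict(ipv4_destinations(SAMPLE_CAPTURE)))
    print("unexpected:", dict(unexpected_destinations(SAMPLE_CAPTURE, "192.168.1.1")))
```

Run it against a real file with `ipv4_destinations(open("pcap-file.fe-0.0.1", "rb").read())`. With the default 68-byte maximum-capture-size only headers are present, which is enough for this check; raise the size if payload is needed, and remember that larger captures make the world-readable option correspondingly riskier.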

Juniper SRX firewall configuration guide

Juniper SRX firewall concise configuration guide
Juniper Networks, Inc.
Room 1508, 15/F, West Office Tower 3, Oriental Plaza, 1 East Chang'an Avenue, Dongcheng District, Beijing 100738; tel. 65288800

Contents
1. Introduction to the JUNOS operating system
  1.1 Hierarchical configuration structure
  1.2 JunOS configuration management
  1.3 Main SRX configuration items
2. SRX firewall configuration reference
  2.1 Initial installation
    2.1.1 Login
    2.1.2 Setting the root password
    2.1.3 Setting up remote management users
    2.1.4 Configuration for remote management of the SRX
  2.2 Policy
  2.3 NAT
    2.3.1 Interface-based NAT
    2.3.2 Pool-based source NAT
    2.3.3 Pool-based destination NAT
    2.3.4 Pool-based static NAT
  2.4 IPsec VPN
  2.5 Application and ALG
  2.6 JSRP
3. SRX firewall routine operation and maintenance
  3.1 Shutting the device down
  3.2 Rebooting the device
  3.3 Upgrading the operating system
  3.4 Password recovery
  3.5 Common monitoring and maintenance commands

The SRX series is Juniper's line of security products built on the JUNOS operating system; JUNOS integrates routing, switching, security and a rich set of network services.

H3C device routine inspection commands

H3C device routine inspection commands

I. Basic inspection commands (H3C)
display clock                                  # system time
display version                                # system and board software versions
display environment                            # device temperature
display logbuffer                              # log buffer
display device                                 # board status
display power                                  # power supply status
display fan                                    # fan status
display cpu-usage                              # CPU usage
display memory                                 # memory usage
display interface                              # interface traffic, interface and link state
display current-configuration interface        # address assignment per interface
display current-configuration | include ospf   # route advertisement (OSPF, Open Shortest Path First) configuration
display router id                              # router ID
display ip routing-table                       # routing table
display ip interface                           # per-interface IP statistics
display current-configuration                  # running configuration
display saved-configuration                    # saved configuration

2. Script: Huawei
display version
display patch-information
display clock
display dustproof
display frame-type
display health
display cpu-usage
display memory
display memory limit
display device
display device manuinfo
display power
display fan
display voltage
dir cfcard2:/
dir cfcard:
display device pic-status
display switchover state
display environment
display interface
display logbuffer
display alarm
display bootrom ethernet
display current-configuration
display current-configuration interface
display router id
display ip routing-table
display ip interface
display ip interface brief
display saved-configuration
display diagnostic-information

3. Huawei NE40E
display version                             # VRP version and related information
display patch-information                   # installed patches
display clock                               # clock
display dustproof                           # dust filter information
display health                              # system resource usage
display frame-type                          # NE40E chassis type
display cpu-usage                           # 1-minute CPU utilization
display memory                              # memory usage
display memory limit
display device                              # main board information
display device manuinfo                     # board manufacturing information
display power                               # power supply status
display fan                                 # fan status
display voltage                             # board voltages
dir cfcard2:/                               # crash information on the device
dir cfcard:                                 # CF card contents
display device pic-status                   # sub-card models and serial numbers (NE40E, NE80E)
display switchover state                    # main-board HA (switchover) state
display environment
display interface                           # interface status
display logbuffer                           # logs
display alarm                               # device alarms
display bootrom ethernet                    # BootROM information
display current-configuration               # running configuration
display current-configuration interface     # current interface configuration
display router id                           # router ID
display ip routing-table                    # routing table
display ip interface                        # interface details
display ip interface brief                  # interface status summary
display saved-configuration                 # saved configuration (equivalent of show startup-config)
display diagnostic-information              # collect full device information (equivalent of show tech)

II. JUNIPER routine maintenance and inspection commands

1. Script: JUNIPER (Junos)
show version detail
show chassis hardware detail
show chassis environment
show chassis routing-engine
show chassis firmware
show configuration
show chassis fpc detail
show interfaces
show interfaces terse
show chassis alarms
show system alarms
show log messages | no-more
show log chassisd | no-more
show log <logfile>
show chassis sfm
show system boot-messages
show system core-dumps
show system processes extensive
show pfe statistics error
show chassis routing-engine
show system virtual-memory
show system buffers
show system queues
show system statistics
show configuration | except SECRET-DATA
show interfaces extensive
show chassis hardware extensive

2. Script: Juniper firewall (ScreenOS)
get system
get config
get log event
get ffilter
get performance cpu detail
get session info
get performance session detail
get mac-learn
get alarm event
get tech
get log system


Juniper SRX firewall inspection commands
1. CPU utilization check: show chassis routing-engine
2. Memory utilization check: show chassis routing-engine
3. OSPF neighbor check: show ospf neighbor
4. LDP interface status check: show ldp interface
5. IS-IS adjacency check: show isis adjacency
6. BGP neighbor check: show bgp neighbor (show bgp summary gives a one-line-per-peer overview)
7. VRRP status check: show vrrp extensive (Junos runs VRRP, not Cisco's HSRP)
8. Spanning tree (STP) check: show spanning-tree bridge / show spanning-tree interface
9. Power supply check: show chassis environment pem
10. Fan check: show chassis environment
11. Board alarm check: show chassis alarms
12. Board status check: show chassis fpc / show chassis fpc pic-status
13. Board temperature check: show chassis fpc / show chassis fpc pic-status
14. Board firmware version check: show chassis fpc detail / show chassis firmware
15. Interface configuration check: show configuration interfaces
16. Interface description consistency check: show interfaces descriptions
17. AAA authentication check: show configuration system (authentication-order, radius-server and tacplus-server stanzas)
18. Routing Engine redundancy check: show configuration chassis redundancy (on an SRX chassis cluster also show chassis cluster status)
19. NTP check: show ntp associations
20. Syslog destination check: show configuration system syslog
21. SNMP trap destination check: show configuration snmp (trap-group stanzas)
22. Remote-login hardening check: show configuration system login and show configuration system services (telnet should be disabled in favour of ssh)
23. DNS check: show configuration system name-server
24. Software and patch version check: show version
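The Junos script in the JUNIPER section above and the checklist above say which commands to run, but on more than a handful of devices the output has to be read by a program. The script below is an added example written for this page (not code from the original page or from Juniper): it parses the text of show chassis routing-engine, show ospf neighbor and show chassis alarms (as captured over SSH or from a saved inspection log) and returns a list of findings. The sample outputs are constructed to mimic the Junos format and are not from a real device; the 80% CPU and memory thresholds are assumed values, not Juniper recommendations, and on a dual-RE chassis the parser reads the first slot only.

```python
"""Turn Junos inspection output into findings (added example, not Juniper code)."""
import re
from typing import Dict, List

CPU_MAX_PERCENT = 80   # assumed alert thresholds, tune per site
MEM_MAX_PERCENT = 80
# 2Way is the normal steady state toward a DROther on broadcast segments,
# so only the other non-Full states are reported.
OSPF_HEALTHY_STATES = ("Full", "2Way")

# ---- constructed sample outputs (Junos-style format, invented values) ----
ROUTING_ENGINE_OUTPUT = """\
Routing Engine status:
  Slot 0:
    Current state                  Master
    Temperature                 39 degrees C / 102 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      2048 MB
    Memory utilization          85 percent
    CPU utilization:
      User                      12 percent
      Background                 0 percent
      Kernel                     3 percent
      Interrupt                  0 percent
      Idle                      85 percent
    Uptime                         45 days, 3 hours, 12 minutes, 5 seconds
"""

OSPF_NEIGHBOR_OUTPUT = """\
Address          Interface              State     ID               Pri  Dead
10.1.1.2         ge-0/0/1.0             Full      10.255.0.2       128    35
10.1.2.2         ge-0/0/2.0             2Way      10.255.0.3       128    33
10.1.3.2         ge-0/0/3.0             ExStart   10.255.0.4       128    39
"""

CHASSIS_ALARMS_OUTPUT = """\
1 alarms currently active
Alarm time               Class  Description
2024-03-01 10:02:41 UTC  Major  FPC 0 PIC 0 Temperature Hot
"""


def parse_routing_engine(text: str) -> Dict[str, int]:
    """CPU utilization (100 minus Idle) and memory utilization for the first RE slot."""
    idle = re.search(r"^\s*Idle\s+(\d+) percent", text, re.M)
    mem = re.search(r"^\s*Memory utilization\s+(\d+) percent", text, re.M)
    if not idle or not mem:
        raise ValueError("unexpected 'show chassis routing-engine' output")
    return {"cpu_percent": 100 - int(idle.group(1)), "mem_percent": int(mem.group(1))}


def parse_ospf_neighbors(text: str) -> Dict[str, str]:
    """Map neighbor address to adjacency state from 'show ospf neighbor'."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            states[m.group(1)] = m.group(3)
    return states


def parse_chassis_alarms(text: str) -> List[str]:
    """Alarm descriptions from 'show chassis alarms'; empty when none are active."""
    alarms = []
    for line in text.splitlines():
        m = re.match(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s+(Major|Minor)\s+(.*)$", line)
        if m:
            alarms.append("%s: %s" % (m.group(2), m.group(3).strip()))
    return alarms


def health_check(re_out: str, ospf_out: str, alarms_out: str) -> List[str]:
    """Apply the checklist thresholds and return human-readable findings."""
    findings: List[str] = []
    stats = parse_routing_engine(re_out)
    if stats["cpu_percent"] > CPU_MAX_PERCENT:
        findings.append("CPU utilization %d%% exceeds %d%%" % (stats["cpu_percent"], CPU_MAX_PERCENT))
    if stats["mem_percent"] > MEM_MAX_PERCENT:
        findings.append("memory utilization %d%% exceeds %d%%" % (stats["mem_percent"], MEM_MAX_PERCENT))
    for addr, state in parse_ospf_neighbors(ospf_out).items():
        if state not in OSPF_HEALTHY_STATES:
            findings.append("OSPF neighbor %s stuck in %s" % (addr, state))
    for alarm in parse_chassis_alarms(alarms_out):
        findings.append("chassis alarm: %s" % alarm)
    return findings


if __name__ == "__main__":
    for finding in health_check(ROUTING_ENGINE_OUTPUT, OSPF_NEIGHBOR_OUTPUT, CHASSIS_ALARMS_OUTPUT):
        print("FINDING:", finding)
```

Because the parsers raise on output they do not recognise instead of silently returning zero findings, a Junos release that changes the output format shows up as an error rather than as a clean inspection.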
