Juniper SRX Configuration Manual


Juniper SRX Firewall Configuration Manual
I. Introduction to the JUNOS operating system
1.1 Hierarchical configuration structure
JUNOS is a modular operating system built on the FreeBSD kernel. It supports two configuration interfaces, the CLI and the Web UI; this document covers configuration through the CLI.

The JUNOS CLI uses a hierarchical configuration structure with two modes: operational mode and configuration mode. In operational mode you can view the current configuration, device status, routes, session tables and other state, and perform maintenance operations; the configure (or edit) command enters configuration mode. In configuration mode you configure the individual modules and can also run any operational-mode command by prefixing it with run.

In configuration mode JUNOS uses a layered, modular configuration structure, as shown in the figure below: edit descends into the next level of the hierarchy (similar to the Unix cd command), exit returns to the previous level, and top returns to the root level.

1.2 JunOS configuration management
JUNOS is configured with set statements. Configuration input does not take effect immediately; it becomes the candidate configuration and waits for the administrator to commit it. The administrator enters the commit command to submit the configuration, which takes effect only after it passes the SRX syntax check; once the commit succeeds, the candidate becomes the active configuration.

JUNOS also allows a commit to require a second confirmation from the administrator. For example, commit confirmed 2 requires the administrator to enter commit again within 2 minutes; otherwise the configuration is rolled back automatically after 2 minutes. This avoids the risk of losing the remote connection to the SRX when changing its configuration remotely.

Before running commit, the show command in configuration mode displays the current candidate configuration; after commit, run show config in configuration mode displays the current active configuration.

In addition, show | compare displays the differences between the candidate and active configurations.

Because the SRX has a large hard disk, by default it automatically keeps the last 50 committed configurations in commit order, and you can return to an earlier configuration with rollback followed by commit (for example, rollback 0 followed by commit returns to the previous committed configuration). You can also save the current configuration manually with save configname.conf and later load it with load override configname.conf followed by commit.

load factory-default followed by commit restores the factory default configuration.

The SRX can deactivate and reactivate individual configuration modules. For example, deactivate security nat followed by commit makes all NAT-related configuration inactive, and activate security nat followed by commit makes it effective again.

The SRX uses set statements to configure the firewall and delete statements to remove configuration. For example, delete security nat, like edit security nat followed by delete, removes all NAT-related configuration under the security hierarchy. Deleting configuration differs from ScreenOS, so take care during configuration.

1.3 Main SRX configuration areas
Deploying an SRX firewall mainly involves configuring the following areas:
System: system-level settings such as host name, administrator accounts, passwords and privileges, clock and time zone, syslog, SNMP, and system-level remote management services (such as telnet).

Interface: interface-related configuration.

Security: the main part of the SRX firewall configuration. All security-related content is configured under the security hierarchy, such as NAT, zones, policies, address books, IPsec, screen and IDP. Put simply, everything security-related from ScreenOS has moved under this hierarchy, except for user-defined services (applications).

Application: user-defined services are configured separately here; the content is essentially the same as in ScreenOS.

routing-options: system-wide routing attributes such as static routes and the router-id.

II. SRX firewall configuration reference
Policy processing flow chart (figure)
2.1 Initial installation
2.1.1 Login
Connect to the SRX through the console port (default settings of a standard terminal emulator) and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli // enter operational mode
root>
root> configure // enter configuration mode
[edit]
root#
2.1.2 Set the root password
Set the root user password:
root# set system root-authentication plain-text-password
root# new password : root123
root# retype new password: root123
[edit]
root# set system login class super-user idle-timeout 3 // set the idle timeout for the current user class
The password is displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA
Note: it is strongly recommended not to use other encryption options (such as encrypted-password) to set the root or other user passwords. That parameter expects a string that has already been encrypted with the hashing algorithm; entering such a string by hand risks producing a password that cannot be verified.

2.1.3 Create a remote management user
root# set system login user lab class super-user authentication plain-text-password // create user lab
root# new password : lab123 // set the password for user lab
root# retype new password: lab123
Note: this lab user has super-user privileges and can be used for console and remote management access; users with other management privileges can be defined as needed.

2.1.4 SRX management configuration
root> show system uptime // show the time
root# run set date YYYYMMDDhhmm.ss // set the system clock
root# set system time-zone Asia/beijing // set the time zone to Beijing
root# set system host-name SRX3400-A // set the host name
root# set system name-server 1.1.1.1 // set the DNS server
root# set system ntp server 202.120.2.101 // set the NTP server
root> show ntp associations
root> show ntp status // check NTP
root> show security alg status // show ALG status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
root# set system services ftp
root# set system services telnet
root# set system services web-management http
// enable ftp/telnet/http remote management services at system level
root> request system reboot // reboot the system
root> request system power-off // power off the system
root> show version // show version information
Model: srx210b
JUNOS Software Release [10.4R5.5]
root> show system uptime // show system boot time
Current time: 2011-08-11 05:09:15 UTC
System booted: 2011-08-11 01:12:48 UTC (03:56:27 ago)
Protocols started: 2011-08-11 01:15:28 UTC (03:53:47 ago)
Last configured: 2011-08-11 03:11:08 UTC (01:58:07 ago) by root
5:09AM up 3:56, 1 user, load averages: 0.01, 0.02, 0.00
root> show chassis hardware // show hardware cards and serial numbers
Hardware inventory:
Item Version Part number Serial number Description
Chassis AC5210AA0079 SRX210b
Routing Engine REV 40 750-021778 AACN5249 RE-SRX210B
FPC 0 FPC
PIC 0 2x GE, 6x FE, 1x 3G
Power Supply 0
root> show chassis environment // show current hardware status
Class Item Status Measurement
Temp Routing Engine OK 52 degrees C / 125 degrees F
Routing Engine CPU Absent
Fans SRX210 Chassis fan OK Spinning at normal speed
Power Power Supply 0 OK
root> show chassis routing-engine // show Routing Engine (RE) resource usage and status
Routing Engine status:
Temperature 52 degrees C / 125 degrees F
Total memory 512 MB Max 415 MB used ( 81 percent)
Control plane memory 336 MB Max 306 MB used ( 91 percent)
Data plane memory 176 MB Max 107 MB used ( 61 percent)
CPU utilization:
User 4 percent
Background 0 percent
Kernel 5 percent
Interrupt 0 percent
Idle 91 percent
Model RE-SRX210B
Serial ID AACN5249
Start time 2011-08-11 01:12:47 UTC
Uptime 4 hours, 17 minutes, 57 seconds
Last reboot reason 0x200:chassis control reset
Load averages: 1 minute 5 minute 15 minute
0.09 0.05 0.01
root> show system license // show licenses
License usage:
Feature name Licenses used Licenses installed Licenses needed Expiry
ax411-wlan-ap 0 2 0 permanent
root> show system processes extensive // show system utilization
last pid: 1968; load averages: 0.01, 0.03, 0.00 up 0+04:20:28 05:32:46
111 processes: 17 running, 83 sleeping, 11 waiting
Mem: 120M Active, 87M Inact, 231M Wired, 30M Cache, 61M Buf, 1356K Free
Swap:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1097 root 4 76 0 194M 34836K select 0 298:05 98.44% flowd_octeon
22 root 1 171 52 0K 16K RUN 0 203:47 84.96% idle: cpu0
24 root 1 -20 -139 0K 16K RUN 0 5:42 0.00% swi7: clock
21 root 1 171 52 0K 16K RUN 1 2:21 0.00% idle: cpu1
5 root 1 -84 0 0K 16K rtfifo 0 1:02 0.00% rtfifo_kern_recv
1109 root 1 76 0 9724K 3796K select 0 0:46 0.00% rtlogd
868 root 1 76 0 7004K 2588K select 0 0:37 0.00% eventd
52 root 1 -8 0 0K 16K mdwait 0 0:34 0.00% md0
1085 root 1 76 0 16984K 10676K select 0 0:29 0.00% snmpd
1088 root 1 76 0 14288K 4788K select 0 0:23 0.00% l2ald
1090 root 2 76 0 20124K 6476K select 0 0:22 0.00% pfed
1115 root 1 76 0 4180K 1104K select 0 0:19 0.00% license-check
1087 root 1 4 0 39620K 20172K kqread 0 0:15 0.00% rpd
23 root 1 -40 -159 0K 16K WAIT 0 0:15 0.00% swi2: net
---(more 39%)---
root> monitor interface ge-0/0/0 // live per-interface packet forwarding statistics
Interface: ge-0/0/0.0, Enabled, Link is Up
Flags: SNMP-Traps
Encapsulation: ENET2
Local statistics: Current delta
Input bytes: 2986416 [4121]
Output bytes: 47303 [90]
Input packets: 47631 [64]
Output packets: 969 [1]
Remote statistics:
Input bytes: 94404820 (1896 bps) [6685]
Output bytes: 9553700 (952 bps) [2078]
Input packets: 111689 (4 pps) [50]
Output packets: 59369 (2 pps) [29]
Traffic statistics:
Input bytes: 97391236
Output bytes: , [10806]
Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'
root> monitor traffic interface ge-0/0/0 // live packet capture
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0.0, capture size 96 bytes
Reverse lookup for 172.56.1.23 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
05:41:02.773631 In arp who-has 172.56.1.23 tell 172.56.1.24
05:41:02.783007 In arp who-has 172.56.1.21 tell 172.56.1.24
05:41:02.787524 In arp who-has 172.56.6.135 tell 172.56.7.3
05:41:02.884849 In IPX 00000000.00:13:8f:74:bc:19.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
05:41:03.437039 In arp who-has 172.56.7.41 tell 172.56.1.24
05:41:03.509837 Out IP truncated-ip - 10 bytes missing! 172.56.3.34.55730 > .domain: 51866+[|domain]
05:41:03.568547 In STP 802.1d, Config, Flags [none], bridge-id 8000.00:06:53:48:8a:80.8010, length 43
05:41:03.678096 In IPX 00000000.00:13:8f:74:bc:19.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
2.1.5 Interface initialization
Interface overview:
root% cli // enter operational mode
root>
root> show interfaces // show interface status
Adjusting the level of output detail:
root> show interfaces terse
root> show interfaces brief
root> show interfaces detail
root> show interfaces extensive // from top to bottom, each command shows progressively more interface detail
root> show interfaces detail | match fe-0/0/0 // use a pipe to match a specific keyword
root> help reference security policy-security // show configuration reference information
root> help apropos security // search the help for commands related to a keyword
root> configure // enter configuration mode
[edit]
root#
root# show interfaces // show the interface configuration
Two ways to configure an IP address on an interface:
Using set:
root# set interfaces ge-0/0/0.0 family inet address 1.1.1.1/24 // configure an IP address on the interface
root# show interfaces ge-0/0/0.0 family inet // show the interface configuration
address 1.1.1.1/24
Using edit to move directly to a hierarchy level:
[edit]
root# edit interfaces ge-0/0/0.0 family inet // configure the interface at this level
[edit interfaces ge-0/0/0.0 family inet]
root# set address 1.1.1.1/24 // configure the IP address
[edit interfaces ge-0/0/0.0 family inet]
root# up // return to the previous level, one level at a time (exit and top can also be used to return to [edit])
[edit interfaces]
root# show
root# set system syslog file monitor-log any any // create a log file named monitor-log
root# set system syslog file monitor-log match "172.56.3.34" // monitor the interface address
root# monitor start monitor-log // start monitoring
root# monitor stop // stop monitoring
Deleting configuration:
root# delete interfaces ge-0/0/0.0 // ordinary delete command
root# wildcard delete interfaces fe-0* // delete configuration matching a wildcard
matched: fe-0/0/0
matched: fe-0/0/1
matched: fe-0/0/2
matched: fe-0/0/3
matched: fe-0/0/4
matched: fe-0/0/5
matched: fe-0/0/6
matched: fe-0/0/7
delete 8 objects? [yes,no] (no) yes
Configuring the address book (an address book gives addresses names so they can be referenced later)
[edit]
root# edit security zones security-zone outside // configure the address book of zone outside
[edit security zones security-zone outside]
root# set address-book address out-address 172.56.3.0/16 // put the interface subnet into address-book entry out-address
[edit security zones security-zone outside]
root# up
[edit security zones]
root# edit security-zone inside // configure the address book of zone inside
[edit security zones security-zone inside]
root# set address-book address in-address 10.1.1.0/24 // put the interface subnet into address-book entry in-address
[edit security zones security-zone inside]
root# exit
[edit security zones]
root# exit
Configuring an application
[edit]
root# edit applications application tcp-1752 // define the service name
[edit applications application tcp-1752]
root# set protocol tcp source-port 1752 destination-port 1752 // define the protocol and port numbers
[edit]
root# show applications
application tcp-1752 {
protocol tcp;
source-port 1752;
destination-port 1752;
}
Configuring an application-set
[edit]
root# set applications application-set web-mgt application junos-ssh // configure application set web-mgt
[edit]
root# set applications application-set web-mgt application junos-ping
[edit]
root# set applications application-set web-mgt application junos-pc-anywhere
[edit]
root# set applications application-set web-mgt application junos-http
[edit]
root# set applications application-set web-mgt application junos-ftp
root# show applications // show applications
application-set web-mgt {
application junos-ssh;
application junos-ping;
application junos-pc-anywhere;
application junos-http;
application junos-ftp;
}
Replacing configuration:
root# set interfaces ge-0/0/0.0 family inet address 1.1.1.1/24
root# show interfaces ge-0/0/0
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24
root# replace pattern ge-0/0/0 with ge-0/0/1 // move the configuration of one interface to another
root# show interfaces ge-0/0/1
ge-0/0/1 {
unit 0 {
family inet {
address 1.1.1.1/24
Copying configuration:
root# set interfaces ge-0/0/0.0 family ethernet-switching vlan
root# copy interfaces ge-0/0/0.0 to ge-0/0/1.0 // copy the interface configuration
show in configuration mode
root# show // show the configuration
root# show | display set // show the configuration in set format
set version 10.4R5.5
set system time-zone asia/beijing
set system root-authentication encrypted-password "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."
set system name-server 202.96.134.133
set system login user lab uid 2002
set system login user lab class super-user
set system login user lab authentication encrypted-password "$1$Y0X8gbap$GZNvirOuGhW.4ZAq4xwHF."
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management http interface ge-0/0/1.0
set system services web-management http interface vlan.3
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface fe-0/0/4.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface ge-0/0/1.0
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
set system syslog file monitor-log any any
set system syslog file monitor-log match 172.56.3.34
---(more)---
Basic commit and rollback commands:
root# commit // the most basic commit command
root# show | compare // show the differences between the candidate configuration and the running configuration (+ marks additions, - marks removals)
-encrypted-password "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."; ## SECRET-DATA
+ encrypted-password "$1$PRX8HyIJ$X0uFTlOJ4yn.DQYeDiHl10"; ## SECRET-DATA
[edit system services web-management http]
-interface [ vlan.0 ge-0/0/1.0 vlan.3 ge-0/0/0.0 fe-0/0/3.0 ];
+ interface [ vlan.0 ge-0/0/1.0 vlan.3 ge-0/0/0.0 fe-0/0/4.0 ];
[edit interfaces]
+ fe-0/0/4 {
+ unit 0 {
+ family inet;
+ family ethernet-switching;
+ }
+ }
[edit security zones security-zone inside interfaces]
vlan.3 { ... }
+ fe-0/0/4.0 {
+ host-inbound-traffic {
+ system-services {
+ http;
+ }
+ }
+ }
-fe-0/0/3.0 {
-host-inbound-traffic {
-system-services {
-http;
root# rollback ? // list the configurations that can be restored (note: use load factory-default to restore the factory configuration)
Possible completions:
<[Enter]> Execute this command
0 2011-08-11 03:11:08 UTC by lab via cli
1 2011-08-10 09:39:44 UTC by lab via cli
2 2011-08-10 07:48:34 UTC by lab via cli
3 2011-08-10 07:40:08 UTC by lab via cli
4 2011-08-10 07:36:20 UTC by lab via cli
5 2011-08-10 07:31:18 UTC by lab via cli
6 2011-08-10 07:25:45 UTC by lab via cli
7 2011-08-10 07:21:26 UTC by lab via cli
8 2011-08-10 07:20:15 UTC by lab via cli
9 2011-08-10 06:51:14 UTC by lab via cli
10 2011-08-10 06:50:16 UTC by lab via cli
11 2011-08-10 06:31:23 UTC by lab via cli
12 2011-08-10 06:29:02 UTC by lab via cli
[abort]
---(more 42%)---
[edit]
root# rollback 4 // restore a particular configuration (note: the restored configuration takes effect only after commit)
root# commit at "2012-01-01 18:00:00" // commit the configuration at a given date and time
root> clear system commit // clear the pending, not yet committed commit
root# commit comment "only-configuration-interfaces" // attach a comment to the commit
Changing policy order
insert security policies from-zone zone-name to-zone zone-name policy name [before | after] policy name
Configuring SNMP
System information (optional):
set snmp location lab (device location)
set snmp contact "******************" (administrator contact details)
SNMP community string (think of it as the communication password; required):
set snmp community public authorization read-write
Enable SNMP access on the interface (required):
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp (add other services as needed)
Access control (optional, recommended):
set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict
2.1.6 Configuring security policies
Diagram: outside is the Internet, inside is the internal LAN, and the internal LAN reaches the Internet through the Juniper.
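The management services enabled in 2.1.4 (ftp, telnet, http) and the SNMP community above are the settings a reviewer checks first. The following added example (not part of the manual) audits a `show | display set` dump for them; the sample configuration, the severity levels and the finding messages are constructed for the example.

```python
import re

# Cleartext management services, keyed on the `set` prefix that enables them.
CLEARTEXT_SERVICES = {
    "set system services telnet": "telnet management is cleartext; use ssh instead",
    "set system services ftp": "ftp is cleartext; use scp/sftp over ssh instead",
    "set system services web-management http": "J-Web over http is cleartext; use https",
}
DEFAULT_COMMUNITIES = {"public", "private"}
_SNMP_COMMUNITY = re.compile(r"^set snmp community (\S+)(?: (.*))?$")
_PW_HASH = re.compile(r'encrypted-password "\$([^$]+)\$')


def audit_set_config(lines):
    """Return (severity, offending set line, reason) tuples for a list of set lines."""
    findings = []
    communities = {}  # community name -> {"rw": bool, "clients": [allowed prefixes]}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("set "):
            continue  # prompts, comments and blank lines are ignored
        for prefix, why in CLEARTEXT_SERVICES.items():
            if line == prefix or line.startswith(prefix + " "):
                findings.append(("medium", line, why))
        m = _SNMP_COMMUNITY.match(line)
        if m:
            name, rest = m.group(1), m.group(2) or ""
            c = communities.setdefault(name, {"rw": False, "clients": []})
            if rest == "authorization read-write":
                c["rw"] = True
            elif rest.startswith("clients ") and not rest.endswith(" restrict"):
                c["clients"].append(rest.split()[1])  # "clients X/Y restrict" denies, so skip
        m = _PW_HASH.search(line)
        if m and m.group(1) == "1":
            findings.append(("low", line,
                             "$1$ (md5-crypt) password hash is weak against offline cracking"))
    for name, c in communities.items():
        stem = f"set snmp community {name}"
        if name in DEFAULT_COMMUNITIES:
            findings.append(("high", stem, "well-known default community name"))
        if c["rw"]:
            findings.append(("high", stem + " authorization read-write",
                             "read-write community allows configuration changes over snmp"))
        if not c["clients"]:
            findings.append(("medium", stem,
                             "no clients list: any host that reaches the interface may poll"))
    return findings


# Constructed sample in the style of the `show | display set` output above.
SAMPLE_SET_CONFIG = """\
set system time-zone asia/beijing
set system root-authentication encrypted-password "$1$constructd$placeholderhashvalue."
set system login user lab class super-user
set system services ssh
set system services telnet
set system services ftp
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set snmp location lab
set snmp community public authorization read-write
set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict
set snmp community monitor-ro authorization read-only
set snmp community monitor-ro clients 172.26.0.0/16
set snmp community monitor-ro clients 0.0.0.0/0 restrict
""".splitlines()

if __name__ == "__main__":
    for severity, line, why in audit_set_config(SAMPLE_SET_CONFIG):
        print(f"[{severity}] {line}\n    {why}")
```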

Interface configuration and creating the zones:
root# set interfaces ge-0/0/0.0 family inet address 172.56.3.34/16
root# set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
// configure IP addresses on interfaces ge-0/0/0 and ge-0/0/1
root# set security zones security-zone outside interfaces ge-0/0/0.0
root# set security zones security-zone inside interfaces ge-0/0/1.0
// place the interfaces in different zones (outside / inside)
root# commit // commit the configuration
root# show interfaces // show the interface configuration
ge-0/0/0 {
unit 0 {
family inet {
address 172.56.3.34/16;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
root# show security zones // show the zone configuration
security-zone inside {
interfaces {
ge-0/0/1.0;
}
}
security-zone outside {
interfaces {
ge-0/0/0.0;
}
}
Configuring routing:
[edit]
root# edit routing-options
[edit routing-options]
root# set static route 0.0.0.0/0 next-hop 172.56.0.1 // configure a static route
root# commit
[edit routing-options]
root# show // show the route entries
static {
route 0.0.0.0/0 next-hop [172.56.0.1 ];
}
root# run show route // show the routing table
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:34:17
> to 172.56.0.1 via ge-0/0/0.0
10.1.1.0/24 *[Direct/0] 00:34:16
> via ge-0/0/1.0
10.1.1.1/32 *[Local/0] 00:34:23
Local via ge-0/0/1.0
172.56.0.0/16 *[Direct/0] 00:34:17
> via ge-0/0/0.0
172.56.3.34/32 *[Local/0] 00:34:23
Local via ge-0/0/0.0
Configuring the policy:
[edit]
root# edit security policies from-zone inside to-zone outside policy permit-all
// define a policy from zone inside to zone outside
[edit security policies from-zone inside to-zone outside policy permit-all]
root# set match source-address any // set the source address to any
[edit security policies from-zone inside to-zone outside policy permit-all]
root# set match destination-address any // set the destination address to any
[edit security policies from-zone inside to-zone outside policy permit-all]
root# set match application any // set the applications allowed by the policy to any
[edit security policies from-zone inside to-zone outside policy permit-all]
root# set then permit // set the action to permit
root# commit
[edit]
root# show security policies // show the security policies
from-zone inside to-zone outside {
policy permit-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
Example 1: many-to-one source NAT, translating the source IP of all outbound traffic to the external interface address
[edit]
root# edit security nat source rule-set nat-policy // define a NAT rule-set named nat-policy
[edit security nat source rule-set nat-policy]
root# set from zone inside to zone outside // match traffic from zone inside to zone outside
[edit security nat source rule-set nat-policy]
root# edit rule inside-to-outside-nat // define a rule named inside-to-outside-nat
[edit security nat source rule-set nat-policy rule inside-to-outside-nat]
root# set match destination-address 172.56.3.34/16 // set the destination address matched by the rule
[edit security nat source rule-set nat-policy rule inside-to-outside-nat]
root# set then source-nat interface // translate the source address to the interface address
[edit security nat source rule-set nat-policy rule inside-to-outside-nat]
root# set then log session-init session-close // enable logging of session start and close
[edit security nat source rule-set nat-policy]
root# exit
[edit]
root# edit system syslog file nat-log // define a log file named nat-log
[edit system syslog file nat-log]
root# set any any // match any log
root# set match RT_FLOW_SESSION // match the keyword RT_FLOW_SESSION in the log
root# run show security flow session // show session status
In: 10.1.1.2/55249 --> 172.56.0.101/161;udp, If: ge-0/0/1.0, Pkts: 166, Bytes: 17596
Out: 172.56.0.101/161 --> 10.1.1.2/55249;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 50, Policy name: permit-all/4, Timeout: 52, Valid
In: 10.1.1.2/55249 --> 172.56.1.100/161;udp, If: ge-0/0/1.0, Pkts: 167, Bytes: 17702
Out: 172.56.1.100/161 --> 10.1.1.2/55249;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2
root# run show security flow session summary // show the session count
Unicast-sessions: 4
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 10
Valid sessions: 4
Pending sessions: 0
Invalidated sessions: 6
Sessions in other states: 0
Maximum-sessions: 32768
root# run show log nat-log // show the log
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/52896->202.96.134.133/53 junos-dns-udp 10.1.1.2/52896->202.96.134.133/53 None None 17 permit-all inside outside 3048
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/50439->183.60.153.178/80 junos-http 10.1.1.2/50439->183.60.153.178/80 None None 6 permit-all inside outside 3049
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/50440->183.60.153.178/80 junos-http 10.1.1.2/50440->183.60.153.178/80 None None 6 permit-all inside outside 3050
Aug 2 17:46:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.1.1.2/52896->202.96.134.133/53 junos-dns-udp 10.1.1.2/52896->202.96.134.133/53 None None 17 permit-all inside outside 3048 1(61) 1(180) 3
root# show security nat // show the NAT configuration
source {
rule-set nat-policy {
from zone inside;
to zone outside ;
rule inside-to-outside-nat {
match {
destination-address [172.56.3.34/16 ];
}
then {
source-nat {
interface;
}
}
}
}
}
[edit]
root# edit security policies from-zone inside to-zone outside
[edit security policies from-zone inside to-zone outside]
root# edit policy permit-all
[edit security policies from-zone inside to-zone outside policy permit-all]
root# set then count // add the count action to the policy
[edit security policies from-zone inside to-zone outside policy permit-all]
root # commit
commit complete
[edit security policies from-zone inside to-zone outside policy permit-all]
root # show
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
root> show security policies policy-name permit-all detail // view the count result
Policy: permit-all, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: inside, To zone: outside
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Session log: at-create, at-close
Policy statistics:
Input bytes : 2696984 14509 bps
Output bytes : 2683338 14443 bps
Input packets : 4537 28 pps
Output packets : 4433 27 pps
Session rate : 234 1 sps
Active sessions : 9
Session deletions: 225
Policy lookups : 230
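The nat-log output in this example is the raw material for session monitoring. The following added example (not part of the manual) parses RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines in the format shown above, pairs them by session id, totals bytes per zone pair, and flags outbound sessions whose source address was not translated. The field layout is taken from the lines shown; the sample lines are copied from the nat-log output above and the summary keys are this example's own.

```python
import re
from collections import Counter

# Field layout seen in the nat-log lines above:
#   src/sport->dst/dport service nat-src/nat-sport->nat-dst/nat-dport
#   src-nat-rule dst-nat-rule proto policy from-zone to-zone session-id
#   (CLOSE adds: pkts-in(bytes-in) pkts-out(bytes-out) elapsed-seconds)
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_COMMON = (
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+)"
)
CREATE_RE = re.compile(
    rf"^{_TS} RT_FLOW: RT_FLOW_SESSION_CREATE: session created {_COMMON}$")
CLOSE_RE = re.compile(
    rf"^{_TS} RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): {_COMMON} "
    r"(?P<pkts_in>\d+)\((?P<bytes_in>\d+)\) (?P<pkts_out>\d+)\((?P<bytes_out>\d+)\) (?P<elapsed>\d+)$")
_INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "proto", "session_id",
               "pkts_in", "bytes_in", "pkts_out", "bytes_out", "elapsed")


def parse_line(line):
    """Parse one RT_FLOW line into a dict with 'event' = 'create' or 'close'; None if no match."""
    for event, rx in (("create", CREATE_RE), ("close", CLOSE_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = event
            for k in _INT_FIELDS:
                if k in rec:
                    rec[k] = int(rec[k])
            # "translated" is false when the NAT'd source equals the original source
            rec["translated"] = (rec["src"], rec["sport"]) != (rec["nat_src"], rec["nat_sport"])
            return rec
    return None


def summarize(lines, outbound=("inside", "outside")):
    """Pair CREATE/CLOSE events by session id and summarize the log."""
    open_sessions, closed = {}, []
    by_policy, bytes_by_zone_pair = Counter(), Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["event"] == "create":
            open_sessions[rec["session_id"]] = rec
            by_policy[rec["policy"]] += 1
        else:
            open_sessions.pop(rec["session_id"], None)
            closed.append(rec)
            pair = (rec["from_zone"], rec["to_zone"])
            bytes_by_zone_pair[pair] += rec["bytes_in"] + rec["bytes_out"]
    seen = list(open_sessions.values()) + closed
    untranslated = sorted(r["session_id"] for r in seen
                          if (r["from_zone"], r["to_zone"]) == outbound and not r["translated"])
    return {
        "created": sum(by_policy.values()),
        "closed": len(closed),
        "open_session_ids": sorted(open_sessions),
        "by_policy": dict(by_policy),
        "bytes_by_zone_pair": dict(bytes_by_zone_pair),
        "untranslated_outbound": untranslated,
        "unparsed": unparsed,
    }


# Sample lines copied from the `show log nat-log` output above.
SAMPLE_NAT_LOG = """\
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/52896->202.96.134.133/53 junos-dns-udp 10.1.1.2/52896->202.96.134.133/53 None None 17 permit-all inside outside 3048
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/50439->183.60.153.178/80 junos-http 10.1.1.2/50439->183.60.153.178/80 None None 6 permit-all inside outside 3049
Aug 2 17:46:43 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/50440->183.60.153.178/80 junos-http 10.1.1.2/50440->183.60.153.178/80 None None 6 permit-all inside outside 3050
Aug 2 17:46:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.1.1.2/52896->202.96.134.133/53 junos-dns-udp 10.1.1.2/52896->202.96.134.133/53 None None 17 permit-all inside outside 3048 1(61) 1(180) 3
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_NAT_LOG))
```

In the sample all three sessions are reported as untranslated because the NAT'd source in each line equals the original source, which is what the "None None" rule fields also indicate.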
Example 2: many-to-one source NAT, translating the source IP of all outbound traffic to addresses from the public pool 207.17.137.0/24
Configuration:
[edit security nat source]
root# show
pool A {
address {
207.17.137.1/24 to 207.17.137.254/24;
}
host-address-base 10.1.10.5/24;
}
rule-set 1A {
from zone inside;
to zone outside;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}
}
}
root> show security flow session
Session ID: 57737, Policy name: default-permit/4, Timeout: 1772
In: 10.1.10.5/2023 -->200.100.100.1/24;tcp, If: ge-0/0/2.0
Out: 200.100.100.1/24 --> 207.17.137.1/2023;tcp, If: ge-0/0/3.10
root> show security nat source pool all
Total pools: 1
Pool name : A
Pool id : 4
Routing instance : default
Host address base : 10.1.10.5
Port : no translation
Total addresses : 254
Translation hits : 6
Example 3: one-to-one destination NAT, translating all inbound traffic destined for the public IP 100.0.0.1/32 to the internal IP 10.1.10.5/32
Configuration:
[edit security nat destination]
root# show
pool A {
address 10.1.10.5/24;
}
rule-set 1 {
from zone outside;
rule 1A {
match {
destination-address 100.0.0.1/32;
}
then {
destination-nat pool A;
}
}
}
Example 4: one-to-many destination NAT, translating inbound traffic to public IP 100.0.0.1/32 ports 80/81 to several internal addresses (10.1.10.5/32 port 8080 and 10.1.10.6/32 port 8181)
Diagram: traffic to public IP 100.0.0.1 port 80 is translated to internal IP 10.1.10.5 port 8080; traffic to public IP 100.0.0.1 port 81 is translated to internal IP 10.1.10.6 port 8181.
Configuration:
[edit security nat destination]
root# show
pool A {
address 10.1.10.5/24 port 8080;
}
pool B {
address 10.1.10.5/24 port 8181;
}
rule-set 1 {
from zone outside;
rule 1A {
match {
destination-address 100.0.0.1/32;
destination-port 80;
}
then {
destination-nat pool A;
}
}
rule 1B {
match {
destination-address 100.0.0.1/32;
destination-port 81;
}
then {
destination-nat pool B;
}
}
}
root> show security flow session
Session ID: 12554, Policy name: default-permit/4, Timeout: 14
In: 1.1.70.6/58204 --> 100.0.0.1/80;tcp, If: ge-0/0/3.10
Out: 10.1.10.5/8080 --> 1.1.70.6/58204;tcp, If: ge-0/0/2.0
1 sessions displayed
Session ID: 12554, Policy name: default-permit/4, Timeout: 14
In: 1.1.70.6/58304 --> 100.0.0.1/81;tcp, If: ge-0/0/3.10
Out: 10.1.10.5/8181 --> 1.1.70.6/58304;tcp, If: ge-0/0/2.0
1 sessions displayed
2.2 Transparent mode configuration
1. Configure bridge domains
Bridge domain: a set of logical interfaces that belong to the same flooding or broadcast domain.

Within the same VLAN, a bridge domain can span one or more interfaces on multiple devices.

By default, each bridge domain maintains its own MAC address forwarding table for packets received on the interfaces that belong to it.

A packet forwarded within a bridge domain must already carry a VLAN ID, and that VLAN ID must belong to the bridge domain.

CLI configuration example:
root# set bridge-domains bd1 domain-type bridge vlan-id-list 1,10
// configure bridge domain bd1 in bridge mode with VLAN IDs 1 and 10 belonging to it
root# set bridge-domains bd2 domain-type bridge vlan-id 2
// configure bridge domain bd2 in bridge mode with VLAN ID 2 belonging to it
Note: use vlan-id-list when configuring multiple VLAN IDs.

root# set protocols l2-learning global-mac-limit 64000 packet-action drop
// configure the maximum number of MAC addresses learned on a logical interface
2. Configure Layer 2 logical interfaces
Layer 2 interfaces have two modes: trunk and access.

CLI configuration example:
root# set interfaces ge-3/0/0 unit 0 family bridge interface-mode trunk vlan-id-list 1-10 // configure ge-3/0/0 as a Layer 2 trunk forwarding packets from VLANs 1-10
root# set interfaces ge-3/0/0 unit 0 family bridge interface-mode access vlan-id 1
// configure ge-3/0/0 as a Layer 2 access port forwarding packets from VLAN 1
root# set interfaces ge-3/0/0 vlan-tagging native-vlan-id 10
// tag untagged packets arriving on the physical interface with VLAN 10
3. Configure Layer 2 zones
CLI configuration example:
root# set security zones security-zone l2-zone1 interfaces ge-3/0/0.0
root# set security zones security-zone l2-zone2 interfaces ge-3/0/1.0
root# set security zones security-zone l2-zone2 host-inbound-traffic system-services all // allow all supported services as host-inbound traffic on l2-zone2 (for example SSH, Telnet, SNMP and others)
4. Configure Layer 3 policies
CLI configuration example:
root# set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match source-address 10.1.1.1/24
root# set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match destination-address 20.1.1.1/32
root# set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match application http
root# set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 then permit
5. Configure the Integrated Routing and Bridging interface (optional)
The irb interface is the equivalent of the vlan1 interface on the ScreenOS platform and serves a management role.

CLI configuration example:
root# set interfaces irb unit 0 family inet address 10.1.1.1/24 web-authentication http
// set the irb interface address to 10.1.1.1/24 and enable web management
root# set bridge-domains bd2 routing-interface irb.0
// place the irb interface in bridge domain bd2
root# set system services web-management http
// enable the SRX web management service
Note: the irb interface can only be configured when the bridge domain is configured with a single VLAN ID.

When the bridge domain uses vlan-id-list, irb cannot be configured.

The SRX does not support routed and transparent mode at the same time. It initially runs in routed mode, and the device must be rebooted after it is configured for transparent mode.

Log forwarding
Forwarding syslog to a log server:
system {
syslog {
host 192.168.1.100 {
user info;
change-log notice;
interactive-commands notice;
match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)";
log-prefix SecureTrack_SRX_3;
}
}
}
Forwarding the traffic log to a log server:
security {
log {
format sd-syslog;
source-address 192.168.1.1;
stream traffic-log {
severity info;
format sd-syslog;
host {
192.168.1.120;
}
}
stream traffic-log-test {
severity info;
format sd-syslog;
host {
192.168.1.100;
}
}
}
}
