rollback

 
set interface 

 
set routing-options static 

 
set system login user admin class super-user
set system login user admin authentication plain-text-password (enter the password when prompted)
set system services ssh
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services telnet
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces ge-0/0/0.0 (if the interface is not placed in a zone, NAT cannot be configured; zone membership is per logical unit, hence the .0)
set security zones security-zone trust interfaces ge-0/0/1.0
###### set security zones security-zone trust interfaces ge-0/0/1 ???
###### set interfaces interface-range interfaces-trust member ge-0/0/1  ????

##################################################
Static NAT (the rule below is in fact interface-based source NAT: inside hosts are translated to the address of the egress interface):
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface

set security zones security-zone trust address-book address 192 192.168.0.0/23
set security zones security-zone trust address-book address-set 192nat address 192

 
set security policies from-zone trust to-zone untrust policy 192nat match source-address any
set security policies from-zone trust to-zone untrust policy 192nat match destination-address any
set security policies from-zone trust to-zone untrust policy 192nat match application any
set security policies from-zone trust to-zone untrust policy 192nat then permit

#######################################################
Force 172.16.0.12 out through .150 (by default it leaves through the physical interface address .146):

 
set security nat source pool pool-1 address 121.9.255.112
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou

 
##########################################################
Port mapping, static PAT: outside to inside

 
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/32
set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/32
###### the proxied addresses are single hosts, so /32; the original wrote /24, which would answer ARP for the whole subnet
set security nat destination pool dnat-pool-1 address 192.168.0.9/32
set security nat destination pool dnat-pool-2 address 172.16.0.12/32

 
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/32
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1

set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 443
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
###### match on the mapped host address only (/32); a /24 match would translate traffic to every address in the subnet

 
set security zones security-zone trust address-book address ftpserver 192.168.0.9
set security zones security-zone trust address-book address mailserver 172.16.0.12
set security zones security-zone trust address-book address-set servergroup address ftpserver
set security zones security-zone trust address-book address-set servergroup address mailserver

 
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit

 
set applications application 443 protocol tcp
set applications application 443 destination-port 443
###### defined here but not referenced: the static-nat policy above matches junos-http and junos-pop3

##############################################################
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1

##############################################################
Management ports:

 
set system services web-management https 
set system services web-management http
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0

###########################################################################
Define the application set XXX_group (a group of port-based applications):

 
set applications application smtp_25 destination-port 25 protocol tcp 
set applications application pop3_110 destination-port 110 protocol tcp 
set applications application exchange_135 destination-port 135 protocol tcp
set applications application smtp_465 destination-port 465 protocol tcp
set applications application imap_993 destination-port 993 protocol tcp   
set applications application pop3_995 destination-port 995 protocol tcp 

 
set applications application-set mail_port_group application smtp_25

set applications application-set XXX_group application smtp_25
set applications application-set XXX_group application pop3_110
###### members must be applications that exist; the original wrote smtp / pop3, which are not defined above (use the custom smtp_25 / pop3_110, or the predefined junos-smtp / junos-pop3)

 
Reference XXX_group in a policy:
set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group

 
##############################################################################
Reverse static NAT: outside to inside

 
set security nat static rule-set mail-static-nat from zone untrust
set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32
set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32

 
Corresponding security policy:
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application any (or XXX_group to restrict it to the mail ports)
set security policies from-zone untrust to-zone trust policy mail-policy then permit

Inserting a policy (insert):

 
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any
set security policies from-zone trust to-zone untrust policy deny_172 match application any
set security policies from-zone trust to-zone untrust policy deny_172 then deny

 
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust (Trust2Utrust is the policy that permits Internet access)

#####################################################
Block the 192 subnet from the Internet, allowing only 192.168.0.2 and 192.168.0.121

 
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address FTP_ser
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121

 
set security zones security-zone trust address-book address-set deny_192_online address deny_192

 
Corresponding security policies:
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any 
set security policies from-zone trust to-zone untrust policy permit_192_online then permit

set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy deny_192_online match application any
set security policies from-zone trust to-zone untrust policy deny_192_online then deny

insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
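
To verify that the insert commands above yield the intended evaluation order (specific hosts permitted, the rest of the /23 denied, deny_172 ahead of the Internet policy), here is an added Python example that is not part of the original post: it replays set/insert lines from a constructed excerpt of this page's configuration and evaluates first-match for a source address. Trust2Utrust is named on the page but never shown, so it is assumed here to be the catch-all any/permit policy, and only source-address matches are modelled.

```python
import ipaddress

# Constructed excerpt of the page's trust->untrust rules; Trust2Utrust is assumed to be any->permit.
CONFIG = """
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set deny_192_online address deny_192
set security policies from-zone trust to-zone untrust policy Trust2Utrust match source-address any
set security policies from-zone trust to-zone untrust policy Trust2Utrust then permit
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 then deny
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
"""

def parse(cfg):
    # Returns (addresses, address-sets, policy names in evaluation order, policies).
    addrs, sets, order, pol = {}, {}, [], {}
    for t in (line.split() for line in cfg.strip().splitlines()):
        if t[0] == "set" and t[5] == "address-book":
            if t[6] == "address":
                addrs[t[7]] = t[8]
            else:                                   # address-set NAME address MEMBER
                sets.setdefault(t[7], []).append(t[9])
        elif t[0] == "set" and t[2] == "policies":  # ... policy NAME match|then ...
            if t[8] not in order:
                order.append(t[8])                  # first definition fixes the position
            pol.setdefault(t[8], {})["src" if t[9] == "match" else "action"] = t[-1]
        else:                                       # insert ... policy A before policy B
            order.remove(t[8])
            order.insert(order.index(t[11]), t[8])
    return addrs, sets, order, pol

def resolve(name, addrs, sets):
    # Expand an address-book name (or "any") into ip_network objects.
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(addrs[m], strict=False) for m in sets.get(name, [name])]

def lookup(src, cfg):
    # First-match evaluation of the ordered policies; an SRX ends in a default deny.
    addrs, sets, order, pol = parse(cfg)
    ip = ipaddress.ip_address(src)
    for name in order:
        if any(ip in net for net in resolve(pol[name]["src"], addrs, sets)):
            return name, pol[name]["action"]
    return None, "deny"
```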

 
###########################################################################
Configure web management

 
set system host-name Test
set system root-authentication encrypted-password "$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."
set system name-server 202.96.128.166
set system name-server 202.96.128.86
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password HJuZerSULPfkA
set system services ssh
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

 
set interfaces ge-0/0/0 unit 0 family inet address 192.168.8.125/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

 
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

###########################################################################
Open service ports on the untrust zone (system-services all enables every service, including management services, on the untrust interface)

 
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

 
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

Configure the default route + NAT
set routing-options static route 0.0.0.0/0 next-hop 192.168.8.1
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-sou match source-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou then source-nat interface

 
Permit policy for the internal network:
set security policies from-zone trust to-zone untrust policy in_out match source-address any
set security policies from-zone trust to-zone untrust policy in_out match destination-address any
set security policies from-zone trust to-zone untrust policy in_out match application any
set security policies from-zone trust to-zone untrust policy in_out then permit

 

 
###########################################################################
Anti-virus within the UTM feature set

 
set security utm utm-policy test-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus imap-profile junos-av-defaults
set security utm utm-policy test-policy anti-spam smtp-profile junos-as-defaults
set security utm utm-policy test-policy traffic-options sessions-per-client over-limit log-and-permit

 
set security utm utm-policy web-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy web-policy traffic-options sessions-per-client over-limit log-and-permit

set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit application-services utm-policy web-policy

 
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application mail_port_group
set security policies from-zone untrust to-zone trust policy mail-policy then permit application-services utm-policy test-policy

 
set security policies from-zone untrust to-zone trust policy Ftp-Policy match source-address any
set security policies from-zone untrust to-zone trust policy Ftp-Policy match destination-address FTP_ser
set security policies from-zone untrust to-zone trust policy Ftp-Policy match application junos-ftp
set security policies from-zone untrust to-zone trust policy Ftp-Policy then permit application-services utm-policy test-policy

 
admin@KDS_FW> show security utm anti-spam statistics 

 
##########################################################

Dynamic VPN configuration:

 
run show chassis routing-engine (check CPU usage: user and idle percentages)

 
show configuration | display set | match utm
show log utmd-av | last
clear log utmd-av

 
###########################################################
Packet capture (flow traceoptions) configuration:

 
Could you please configure the following traceoptions and send the log file.
You can create the packet filter as follows:
#set security flow traceoptions file debug
#set security flow traceoptions flag basic-datapath
#set security flow traceoptions packet-filter filter1 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80
#set security flow traceoptions packet-filter filter2 source-prefix <ip-address> destination-prefix <ip-address> source-port 80
#commit
The second filter is for the return traffic: its source and destination prefixes are the reverse of filter1, and port 80 is then the source port.

 
show log debug

request system license update 

This article is reposted from yhw85's 51CTO blog; original link: http://blog.51cto.com/yanghuawu/662445. Contact the original author before reposting.
