SRX简明操作手册 by Panda.docx

《SRX简明操作手册 by Panda.docx》由会员分享，可在线阅读，更多相关《SRX简明操作手册 by Panda.docx（41页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、目录1. SRX Introduction22. JUNOS Basic OP I83. JUNOS Basic OP II164. Security Policy I185. Security Policy II216. Routing I257. NAT288. IPSecVPN I309. IPSecVPN II341. SRX Introduction=熊猫说：SRX笔记是基于“明教教主”的笔记进行再次整理和“网上的教材”自学时所做笔记进行修改而成。原先的笔记中有些错误和配置缺陷，再经过测试和修改已经将笔记中的95%的命令和状态都已经验证过。SRX笔记可以满足基本的路由配置，接口配置，

2、策略配置，VPN配置，NAT配置等。如果使用者喜欢用GUI配置的话，可以根据本手册进行界面反推。=推荐书籍-Junos Security传统ScreenOS迁移到Junos:1.ScreenOS不能从内核分离运行的任务，所有进程相同优先级SCreenOS任何一个部分崩溃，整个OS也面临崩溃2.Junos模块化的架构更容易添加新功能*Junos源自于FreeBSD系统SRX配置方式:1.CLI2.J-WebBrach SRX Series：SRX Shared Features + SRX Branch FeaturesSRX Branch Features包括-Antivirus-Antosp

3、am-URL Filtering-有限的IPS-Dynamic VPN Client-3G&Wifi-MPLS-支持多种WAN interface/Data Center只支持以太网License for Branch SRX Series-Antivirus Juniper-Kaspersky 1/3/5yrs update-Antispam Juniper-Sphos 1/3/5yrs update-Intrusion protection Juniepr 1/3/5yrs update-Web fiiltering Websense 1/3/5yrs update-Combined se

4、t 以上四合一 1/3/5yrs update-Dyanamic VPN client 5/10/25/50 users-BGP router reflector 作为路由器反射器的能力-AX411 access point 支持外挂一个专用瘦AP-CX111 3G modem 支持外挂一个专用3G适配器SRX100（基本版本512MB/高级版1G内存）内置其实是1G内存，但是要买License激活基本版是无法执行Combined包含的功能的基本版要做防病毒需要先买高级版License，然后再买Antivirus LicenseSRX200（基本版本512MB/高级版1G内存）就像SSG5与S

5、SG20的区别，性能都一样，但是可以支持广域网模块SRX600（性能比SRX100/200高出很多个档次）Data Center SRX Series：SRX Shared Features + SRX Data Center FeaturesSRX Data Center Features包括（高端产品稳定，性能好，但是功能少）-Transparent mode-强大功能的IPS-AppDoSSRX3000 20G吞吐量SRX5600 已经完胜ASA吞吐量SRX5800 IPS吞吐量已经超过ASA最高级别型号的普通吞吐量SRX的主要配置内容：System：系统级内容和配置，例如主机名，管理账

6、号，权限，时钟时区，syslog，SNMP，系统开放的远程管理服务等。Interface：接口配置内容Security：是SRX防火墙的主要配置内容，安全相关内容，如NAT，ZONE，POLICY，Address-Book等。Application：自定义服务单独配置Routing-Options：配置路由或者动态路由等以下是出厂值的配置，可以看到模块分类：root# run show configuration # Last commit: 2014-04-28 06:33:38 UTC by rootversion 10.2R3.10;system root-authentication

7、encrypted-password $1$sJwj3W9D$Gkiyjtau5Bn7oUXKtfPhK1; # SECRET-DATA name-server 208.67.222.222; 208.67.220.220; services ssh; telnet; xnm-clear-text; web-management http interface vlan.0; https system-generated-certificate; interface vlan.0; dhcp router 192.168.1.1; pool 192.168.1.0/24 address-rang

8、e low 192.168.1.2 high 192.168.1.254; propagate-settings fe-0/0/0.0; syslog archive size 100k files 3; user * any emergency; file messages any critical; authorization info; file interactive-commands interactive-commands error; max-configurations-on-flash 5; max-configuration-rollbacks 5; license aut

9、oupdate url interfaces fe-0/0/0 unit 0; fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust; fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust; fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust; fe-0/0/4 unit 0 family ethernet-switching vlan members vlan

10、-trust; fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust; fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust; fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust; vlan unit 0 family inet address 192.168.1.1/24; protocols stp;security nat source rule-set

11、trust-to-untrust from zone trust; to zone untrust; rule source-nat-rule match source-address 0.0.0.0/0; then source-nat interface; screen ids-option untrust-screen icmp ping-death; ip source-route-option; tear-drop; tcp syn-flood alarm-threshold 1024; attack-threshold 200; source-threshold 1024; des

12、tination-threshold 2048; timeout 20; land; zones security-zone trust host-inbound-traffic system-services all; protocols all; interfaces vlan.0; security-zone untrust screen untrust-screen; interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp; tftp; policies from-zone trust to-zone untrus

13、t policy trust-to-untrust match source-address any; destination-address any; application any; then permit; vlans vlan-trust vlan-id 3; l3-interface vlan.0; edit2. JUNOS Basic OP I模式类型默认账户root，默认密码为空，root账户只能用于Console配置，TELNET和WEB时无法使用此账户。刚进入时显示为：root%cli 刚进入时候提示符是%，还处于linux底层，cli即调用命令行程序提示符为操作模式，即ex

14、ec模式 configure Entering configuration modeeditshow configure 查看配置，在操作模式下，可以直接show注意：如果是用于配制导入的show，必须要用： show configuration | display set 这样才能看到set命令，保存为TXT后才能导入配制。/类似于CISCO的#/#类似于CISCO的(config)#/下show interface类似于CISCO的show interface/#下show interfacce类似于CISCO的show run interface如果要在root#下进行show，要输入“

15、run”命令，例如：run show interfaceshow interface terse 最基本的接口信息，例如IP，UP/Down之类的。show interface brief 接口的概要信息，例如输出输入延迟，MAC地址等等。show interface detail 显示接口详细信息show interface extensive 全面信息show interface detail | match fe0/0/0 显示时用于匹配某个字段root show interfaces detail | ? Possible completions: count Count occurr

16、ences display Show additional kinds of information except Show only text that does not match a pattern find Search for first occurrence of pattern hold Hold text without exiting the -More- prompt last Display end of output only match Show only text that matches a pattern no-more Dont paginate output

17、 request Make system-level requests resolve Resolve IP addresses save Save output text to file trim Trim specified number of columns from start of linehelp reference security policy-security 查看指定命令的参照指南，类似linux manhelp apropos arp 查看与arp相关的命令恢复出厂值：用针对RESET键按10秒左右，等STATUS灯跳黄，就关电重启。设备会恢复到出厂状态。SRX启动界面：

18、=以下U-Boot 1.1.6-JNPR-2.0 (Build time: Nov 17 2010 - 07:04:52)SRX_100_HIGHMEM board revision major:0, minor:0, serial #: AT1811AF1105OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)DRAM: 1024 MB 1G DramStarting Memory POST. Checking datalines. OKChecking address

19、 lines. OKChecking 512K memory for U-Boot. OK.Running U-Boot CRC Test. OK.Flash: 4 MB 4M FLASHUSB: scanning bus for devices. 3 USB Device(s) found scanning bus for storage devices. 1 Storage Device(s) foundClearing DRAM. doneBIST check passed.Boot Media: nand-flash usb Net: pic init done (err = 0)oc

20、teth0POST PassedPress SPACE to abort autoboot in 1 seconds 升级OS时，要在此处按下SPACE，中断启动进程。ELF file is 32 bitLoading .text 0x8f ( bytes)Loading .rodata 0x8f03bd58 (13940 bytes)Loading .rodata.str1.4 0x8f03f3cc (16648 bytes)Loading set_Xcommand_set 0x8f0434d4 (100 bytes)Loading .rodata.cst4 0x8f (20 bytes)L

21、oading .data 0x8f (5608 bytes)Loading .data.rel.ro 0x8f0455e8 (120 bytes)Loading .data.rel 0x8f (136 bytes)Clearing .bss 0x8f0456e8 (11656 bytes)# Starting application at 0x8f .Consoles: U-Boot console Found compatible API, ver. 2.0FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.0(builder, Wed Nov

22、17 07:07:32 UTC 2010)Memory: 1024MB 0Booting from nand-flash slice 2Un-Protected 1 sectorswriting to flash.Protected 1 sectorsLoading /boot/defaults/loader.conf 如果你要加载新的OS请在此处按空格键中断系统进程。/kernel data=0x97d8ac+0xd70d0 syms=0x4+0x79c50+0x4+0xadd2eHit Enter to boot immediately, or space bar for command

23、prompt.如果你要清除密码，请在此处按空格键中断系统进程。Booting /kernel. Kernel entry at 0xd8 .getbootinfo: magic 0x0 md 0x80c7e000 memsize 0x0WARNING: Incompatible U-Boot version2.0 You need to upgrade to 1.5 or aboveWARNING: Incompatible loader version2.0 You need to upgrade to 1.5 or abovegetbootinfo: boothowto 0x1000 ke

24、rnend 0x80d00000 memsize 1024MB kernelname /kernelPlatform Startinginit regular consoleInitializing octeon watchdogGDB: debug ports: uartGDB: current port: uartKDB: debugger backends: ddb gdbKDB: current backend: ddbgetmemsize: msgbufpsize=32768 = 0x8000cfe4Copyright (c) 1996-2010, Juniper Networks,

25、 Inc.All rights reserved.Copyright (c) 1992-2006 The FreeBSD Project.Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved.JUNOS 10.2R3.10 #0: 2010-10-16 20:36:59 UTC builder:/volume/build/junos/10.2/release/10.2R3.1

26、0/obj-octeon/bsd/sys/compile/JSRXNLEJUNOS 10.2R3.10 #0: 2010-10-16 20:36:59 UTC builder:/volume/build/junos/10.2/release/10.2R3.10/obj-octeon/bsd/sys/compile/JSRXNLEreal memory = (1024MB) 内存1Gavail memory = (503MB) 剩余503Mcpuid: 0, btlb_cpumap:0xffffffffFreeBSD/SMP: Multiprocessor System Detected: 2

27、CPUsInitializing watchdog interuptLoading RT Fifo module.Loaded RT Fifo modulepmap_helper loaded (interface version 6, syscall 210)cpu0 on motherboard: CAVIUMs Octeon CPU Rev. 0.1 with no FPU implemented L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way. L2 Cache: Size 128kb, ? w

28、ayobio0 on motherboarduart0: on obio0uart0: console (9600,n,8,1)twsi0 on obio0dwc0: on obio0usb0: DWC OTG Controller Using DMA modeInit: Port Power? op_state=1Init: Power Port (0)usb0: on dwc0usb0: USB revision 2.0uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1uhub0: 1 port w

29、ith 1 removable, self powereduhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2uhub1: single transaction translatoruhub1: 2 ports with 1 removable, self poweredumass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr 3pcib0: on obio0Disabling Octeon big bar supportPCI Status: PCI 32-bit: 0xc041bpcib0: Initialized controllerpci0: on pcib0pci0: at device 2