Juniper SRX防火墙配置手册一、JUNOS操作系统介绍1.1 层次化配置结构JUNOS采用基于FreeBSD内核的软件模块化操作系统,支持CLI命令行和WEBUI两种接口配置方式,本文主要对CLI命令行方式进行配置说明。
JUNOS CLI使用层次化配置结构,分为操作(operational)和配置(configure)两类模式,在操作模式下可对当前配置、设备运行状态、路由及会话表等状态进行查看及设备运维操作,并通过执行config或edit命令进入配置模式,在配置模式下可对各相关模块进行配置并能够执行操作模式下的所有命令(run)。
在配置模式下JUNOS采用分层分级模块下配置结构,如下图所示,edit命令进入下一级配置(类似unix cd 命令),exit命令退回上一级,top命令回到根级。
1.2 JunOS配置管理JUNOS通过set语句进行配置,配置输入后并不会立即生效,而是作为候选配置(Candidate Config)等待管理员提交确认,管理员通过输入commit命令来提交配置,配置内容在通过SRX 语法检查后才会生效,一旦commit通过后当前配置即成为有效配置(Active config)。
另外,JUNOS 允许执行commit命令时要求管理员对提交的配置进行两次确认,如执行commit confirmed 2命令要求管理员必须在输入此命令后2分钟内再次输入commit以确认提交,否则2分钟后配置将自动回退,这样可以避免远程配置变更时管理员失去对SRX的远程连接风险。
在执行commit命令前可通过配置模式下show命令查看当前候选配置(Candidate Config),在执行commit后配置模式下可通过run show config命令查看当前有效配置(Active config)。
此外可通过执行show | compare比对候选配置和有效配置的差异。
SRX上由于配备大容量硬盘存储器,缺省按先后commit顺序自动保存50份有效配置,并可通过执行rolback和commit命令返回到以前配置(如rollback 0/commit可返回到前一commit配置);也可以直接通过执行save configname.conf手动保存当前配置,并执行load override configname.conf / commit调用前期手动保存的配置。
执行load factory-default / commit命令可恢复到出厂缺省配置。
SRX可对模块化配置进行功能关闭与激活,如执行deactivate security nat/comit命令可使NAT相关配置不生效,并可通过执行activate security nat/commit使NAT配置再次生效。
SRX通过set语句来配置防火墙,通过delete语句来删除配置,如delete security nat和edit security nat / delete一样,均可删除security防火墙层级下所有NAT相关配置,删除配置和ScreenOS不同,配置过程中需加以留意。
1.3 SRX主要配置内容部署SRX防火墙主要有以下几个方面需要进行配置:System:主要是系统级内容配置,如主机名、管理员账号口令及权限、时钟时区、Syslog、SNMP、系统级开放的远程管理服务(如telnet)等内容。
Interface:接口相关配置内容。
Security: 是SRX防火墙的主要配置内容,安全相关部分内容全部在Security层级下完成配置,如NAT、Zone、Policy、Address-book、Ipsec、Screen、Idp等,可简单理解为ScreenOS防火墙安全相关内容都迁移至此配置层次下,除了Application自定义服务。
Application:自定义服务单独在此进行配置,配置内容与ScreenOS基本一致。
routing-options:配置静态路由或router-id等系统全局路由属性配置。
二、SRX防火墙配置对照说明策略处理流程图2.1 初始安装2.1.1 登陆Console口(通用超级终端缺省配置)连接SRX,root用户登陆,密码为空login: rootPassword:--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTCroot% cli/ /进入操作模式root>root> configure //进入配置模式[edit]Root#2.1.2 设置root用户口令设置root用户口令root# set system root-authentication plain-text-passwordroot# new password : root123root# retype new password: root123[edit]root# set system login class super-user idle-timeout 3 设置当前用户超时时间密码将以密文方式显示root# show system root-authenticationencrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA注意:强烈建议不要使用其它加密选项来加密root和其它user口令(如encrypted-password加密方式),此配置参数要求输入的口令应是经加密算法加密后的字符串,采用这种加密方式手工输入时存在密码无法通过验证风险。
2.1.3 设置远程登陆管理用户root# set system login user lab class super-user authentication plain-text-password //创建用户lab root# new password : lab123 //配置用户lab密码root# retype new password: lab123注:此lab用户拥有超级管理员权限,可用于console和远程管理访问,另也可自行灵活定义其它不同管理权限用户。
2.1.4 管理SRX相关配置root>show system uptime//查看时间root#run set date YYYYMMDDhhmm.ss //设置系统时钟root#set system time-zone Asia/beijing //设置时区为北京root#set system host-name SRX3400-A //设置主机名root#set system name-server 1.1.1.1 //设置DNS服务器root#set system ntp server 202.120.2.101 //设置NTP服务器root>show ntp associationsroot>show ntp status //查看NTProot>show security alg status//查看ALG状态ALG Status :DNS : EnabledFTP : EnabledH323 : EnabledMGCP : EnabledMSRPC : EnabledPPTP : EnabledRSH : EnabledRTSP : EnabledSCCP : EnabledSIP : EnabledSQL : EnabledSUNRPC : EnabledTALK : EnabledTFTP : EnabledIKE-ESP : Disabledroot#set system services ftproot#set system services telnetroot#set system services web-management http//在系统级开启ftp/telnet/http远程接入管理服务root>request system reboot //重启系统root>request system power-off // 关闭系统root>show version //查看版本信息Model: srx210bJUNOS Software Release [10.4R5.5]root>show system uptime //查看系统启动时间Current time: 2011-08-11 05:09:15 UTCSystem booted: 2011-08-11 01:12:48 UTC (03:56:27 ago)Protocols started: 2011-08-11 01:15:28 UTC (03:53:47 ago)Last configured: 2011-08-11 03:11:08 UTC (01:58:07 ago) by root5:09AM up 3:56, 1 user, load averages: 0.01, 0.02, 0.00root>Show chassis haredware//查看硬件板卡及序列号Hardware inventory:Item Version Part number Serial number DescriptionChassis AC5210AA0079 SRX210bRouting Engine REV 40 750-021778 AACN5249 RE-SRX210BFPC 0 FPCPIC 0 2x GE, 6x FE, 1x 3G Power Supply 0root> show chassis environment //查看硬件板卡当前状态Class Item Status MeasurementTemp Routing Engine OK 52 degrees C / 125 degrees F Routing Engine CPU AbsentFans SRX210 Chassis fan OK Spinning at normal speedPower Power Supply 0 OKroot>show chassis routing-engine //查看主控板(RE)资源使用及状态Routing Engine status:Temperature 52 degrees C / 125 degrees FTotal memory 512 MB Max 415 MB used ( 81 percent)Control plane memory 336 MB Max 306 MB used ( 91 percent)Data plane memory 176 MB Max 107 MB used ( 61 percent)CPU utilization:User 4 percentBackground 0 percentKernel 5 percentInterrupt 0 percentIdle 91 percentModel RE-SRX210BSerial ID AACN5249Start time 2011-08-11 01:12:47 UTCUptime 4 hours, 17 minutes, 57 secondsLast reboot reason 0x200:chassis control resetLoad averages: 1 minute 5 minute 15 minute0.09 0.05 0.01root>show system license //查看授权License usage:Licenses Licenses Licenses Expiry Feature name used installed neededax411-wlan-ap 0 2 0 permanentroot>show system processes extensive//查看系统利用率last pid: 1968; load averages: 0.01, 0.03, 0.00 up 0+04:20:28 05:32:46111 processes: 17 running, 83 sleeping, 11 waitingMem: 120M Active, 87M Inact, 231M Wired, 30M Cache, 61M Buf, 1356K FreeSwap:PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 1097 root 4 76 0 194M 34836K select 0 298:05 98.44% flowd_octeon22 root 1 171 52 0K 16K RUN 0 203:47 84.96% idle: cpu024 root 1 -20 -139 0K 16K RUN 0 5:42 0.00% swi7: clock21 root 1 171 52 0K 16K RUN 1 2:21 0.00% idle: cpu15 root 1 -84 0 0K 16K rtfifo 0 1:02 0.00% rtfifo_kern_recv 1109 root 1 76 0 9724K 3796K select 0 0:46 0.00% rtlogd868 root 1 76 0 7004K 2588K select 0 0:37 0.00% eventd52 root 1 -8 0 0K 16K mdwait 0 0:34 0.00% md01085 root 1 76 0 16984K 10676K select 0 0:29 0.00% snmpd1088 root 1 76 0 14288K 4788K select 0 0:23 0.00% l2ald1090 root 2 76 0 20124K 6476K select 0 0:22 0.00% pfed1115 root 1 76 0 4180K 1104K select 0 0:19 0.00% license-check 1087 root 1 4 0 39620K 20172K kqread 0 0:15 0.00% rpd23 root 1 -40 -159 0K 16K WAIT 0 0:15 0.00% swi2: net---(more 39%)---root>monitor interface ge-0/0/0 //动态统计接口数据包转发信息Interface: ge-0/0/0.0, Enabled, Link is UpFlags: SNMP-TrapsEncapsulation: ENET2Local statistics: Current delta Input bytes: 2986416 [4121] Output bytes: 47303 [90] Input packets: 47631 [64] Output packets: 969 [1] Remote statistics:Input bytes: 94404820 (1896 bps) [6685] Output bytes: 9553700 (952 bps) [2078] Input packets: 111689 (4 pps) [50] Output packets: 59369 (2 pps) [29] Traffic statistics:Input bytes: 97391236 Output bytes: , [10806] Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'root>monitor traffic interface ge-0/0/0 //动态报文抓取verbose output suppressed, use <detail> or <extensive> for full protocol decode Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.Address resolution timeout is 4s.Listening on ge-0/0/0.0, capture size 96 bytesReverse lookup for 172.56.1.23 failed (check DNS reachability).Other reverse lookup failures will not be reported.Use <no-resolve> to avoid reverse lookups on IP addresses.05:41:02.773631 In arp who-has 172.56.1.23 tell 172.56.1.2405:41:02.783007 In arp who-has 172.56.1.21 tell 172.56.1.2405:41:02.787524 In arp who-has 172.56.6.135 tell 172.56.7.305:41:02.884849 In IPX 00000000.00:13:8f:74:bc:19.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 5005:41:03.437039 In arp who-has 172.56.7.41 tell 172.56.1.2405:41:03.509837 Out IP truncated-ip - 10 bytes missing! 172.56.3.34.55730 > .domain: 51866+[|domain]05:41:03.568547 In STP 802.1d, Config, Flags [none], bridge-id 8000.00:06:53:48:8a:80.8010, length 4305:41:03.678096 In IPX 00000000.00:13:8f:74:bc:19.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 502.1.5 接口的初始化接口说明:root% cli//进入操作模式root>root> show interfaces //查看接口状态调整输出详细程度root>show intefaces terseroot>show interfaces briefroot>show interfaces detailroot>show interfaces extensive //由上到下查看接口的信息越来越详细root>show interfaces detail | match fe-0/0/0 //使用管道符匹配特定关键字root>help reference security policy-security //查看配置参考信息root> help apropos security //帮助搜索关键字相关的操作命令root> configure //进入配置模式[edit]root#root# show interfaces //查看接口配置状态为接口配置IP地址的两种方法:set配置:root#set interfaces ge-0/0/0.0 family inet address 1.1.1.1/24 //为接口配置IP地址root#show interfaces ge-0/0/0.0 family inet //查看接口配置address 1.1.1.1./24edit 配置直接指定到某个层级:[edit ]root#edit interfaces ge-0/0/0.0 family inet //在该层级下为接口配置[edit interfaces ge-0/0/0.0 family inet]root#set address 1.1.1.1/24 //配置IP地址[edit interfaces ge-0/0/0.0 family inet]root#up //返回上一级,一层一层的退出(也可以使用exit和top退出到[edit])[edit interfaces]Root#showroot # set system syslog file monitor-log any any//创建名字为monitor-log的日志root # s et system syslog file monitor-log match "172.56.3.34" //监控接口root # monitor start monitor-log //开始监控root # monitor stop//停止监控删除配置:root#delete interfaces ge-0/0/0.0 //普通删除配置命令root#wildcard delete interfaces fe-0* //通配符匹配删除配置命令matched:fe-0/0/0matched:fe-0/0/1matched:fe-0/0/2matched:fe-0/0/3matched:fe-0/0/4matched:fe-0/0/5matched:fe-0/0/6matched:fe-0/0/7delete 8 objecgts?[yes,no](no)yes配置address-book (address-book就是为地址命名,以便调用)[edit]root# edit security zones security-zone outside // 配置outside区域address-book [edit security zones security-zone outside]root# set address-book address out-address 172.56.3.0/16 //把接口IP放入地址薄out-address [edit security zones security-zone outside]root# up[edit security zones]root#edit security-zone inside //配置inside区域address-book [edit security zones security-zone inside]root# set address-book address in-address 10.1.1.0/24 //把接口IP放入地址薄in -address [edit security zones security-zone inside]root# exit[edit security zones]root# exit配置application[edit]root# edit applications application tcp-1752//定义服务名字[edit applications application tcp-1752]root# set protocol tcp source-port 1752 destination-port 1752//定义协议及端口号[edit]root# show applicationsapplication tcp-1752 {protocol tcp;source-port 1752;destination-port 1752;配置application-set[edit]root# set applications application-set web-mgt application junos-ssh //配置应用服务集web-mgt [edit]root# set applications application-set web-mgt application junos-ping[edit]root# set applications application-set web-mgt application junos- pc-anywhere[edit]root# set applications application-set web-mgt application junos-http[edit]root# set applications application-set web-mgt application junos-ftproot# show applications //查看applications application-set web-mgt {application junos-ssh;application junos-ping;application junos-pc-anywhere;application junos-http;application junos-ftp;}替换配置:root#set interfaces ge-0/0/0.0 family inet address 1.1.1.1/24root# show interfaces ge-0/0/0ge-0/0/0 {unit 0 {family inet {address 1.1.1.1/24root#replace pattern ge-0/0/0 with ge-0/0/1 //一个接口取代另一个接口的配置root# show interfaces ge-0/0/1ge-0/0/1{unit 0 {family inet {address 1.1.1.1/24复制配置:root#set interfaces ge-0/0/0.0 family Ethernet-swithing vlanroot#copy interfaces ge-0/0/0.0 to ge-0/0/1.0 //复制接口配置配置模式下的showroot#show //查看配置root#show | display set // 查看set格式的配置set version 10.4R5.5set system time-zone asia/beijingset system root-authentication encrypted-password "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."set system name-server 202.96.134.133set system login user lab uid 2002set system login user lab class super-userset system login user lab authentication encrypted-password "$1$Y0X8gbap$GZNvirOuGhW.4ZAq4xwHF."set system services sshset system services telnetset system services web-management http interface vlan.0set system services web-management http interface ge-0/0/1.0set system services web-management http interface vlan.3set system services web-management http interface ge-0/0/0.0set system services web-management http interface fe-0/0/4.0set system services web-management https system-generated-certificateset system services web-management https interface vlan.0set system services web-management https interface ge-0/0/1.0set system syslog file nat-log any anyset system syslog file nat-log match RT_FLOW_SESSIONset system syslog file monitor-log any anyset system syslog file monitor-log match 172.56.3.34---(more)---基本提交与恢复配置命令:root#commit //最基本的提交配置命令root#show | compare //查看待提交的配置与当前运行的配置差别(+表示增加的,-表示减少的) -encrypted-password "$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."; ## SECRET-DATA+ encrypted-password "$1$PRX8HyIJ$X0uFTlOJ4yn.DQYeDiHl10"; ## SECRET-DATA[edit system services web-management http]-interface [ vlan.0 ge-0/0/1.0 vlan.3 ge-0/0/0.0 fe-0/0/3.0 ];+ interface [ vlan.0 ge-0/0/1.0 vlan.3 ge-0/0/0.0 fe-0/0/4.0 ];[edit interfaces]+ fe-0/0/4 {+ unit 0 {+ family inet;+ family ethernet-switching;+ }+ }[edit security zones security-zone inside interfaces]vlan.3 { ... }+ fe-0/0/4.0 {+ host-inbound-traffic {+ system-services {+ http;+ }+ }+ }-fe-0/0/3.0 {-host-inbound-traffic {-system-services {-http;root#rollback ?/ /查看可恢复的配置(注意:使用load facroty-default命令恢复到出厂配置)Possible completions:<[Enter]> Execute this command0 2011-08-11 03:11:08 UTC by lab via cli1 2011-08-10 09:39:44 UTC by lab via cli2 2011-08-10 07:48:34 UTC by lab via cli3 2011-08-10 07:40:08 UTC by lab via cli4 2011-08-10 07:36:20 UTC by lab via cli5 2011-08-10 07:31:18 UTC by lab via cli6 2011-08-10 07:25:45 UTC by lab via cli7 2011-08-10 07:21:26 UTC by lab via cli8 2011-08-10 07:20:15 UTC by lab via cli9 2011-08-10 06:51:14 UTC by lab via cli10 2011-08-10 06:50:16 UTC by lab via cli11 2011-08-10 06:31:23 UTC by lab via cli12 2011-08-10 06:29:02 UTC by lab via cli[abort]---(more 42%)---[edit]root#rollback 4 // 恢复某一配置(注意:需要commit之后恢复配置才能生效)root#commit at “2012-01-01 18:00:00” //在某一日期或时间提交配置命令root>clear system commit //清除未被提交的配置root#commit comment “only-configuration-interfaces”//为提交的配置进行说明调换策略顺序Insert security policies from-zone zone-name to-zone zone-name policy name [before | after ] policy name配置SNMP配置系统信息(可配可不配)set snmp location lab (设备位置)setsnmpcontact"******************"(管理员联系方式)配置SNMP通讯的“团体名”(可理解为通讯密码,必须配置)set snmp community public authorization read-write在接口上启用SNMP访问(必须配置)set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp (Please add other services as needed)访问控制(可配可不配,建议配置)set snmp community public clients 172.26.0.0/16set snmp community public clients 0.0.0.0/0 restrict2.1.6 配置安全策略图解:定义outside属于Internet,inside属于内部局域网,通过juniper访问Internet。