ScreenOS firewall baseline configuration: CLI command, the corresponding WebUI path, and an explanation of each setting.

| Parameter | Command | WebUI | Explanation |
|---|---|---|---|
| Time zone settings | set clock dst-off | Configuration > Date/Time | Disable daylight saving time |
| | set clock ntp | Configuration > Date/Time | Enable the NTP service |
| | set clock timezone 8 | Configuration > Date/Time > Set Time Zone _hours _minutes from GMT | Set the firewall time zone to UTC+8 (Beijing time is UTC+8) |
| | set ntp server x.x.x.x | Configuration > Date/Time > Primary Server IP/Name: X.X.X.X | Set the NTP server address |
| | set ntp server backup1 "x.x.x.x" | Configuration > Date/Time > Backup Server1 IP/Name: X.X.X.X | Set the backup NTP server address |
| | set ntp server backup2 "x.x.x.x" | Configuration > Date/Time > Backup Server2 IP/Name: X.X.X.X | Set the second backup NTP server address |
| | set ntp max-adjustment 0 | Configuration > Date/Time > Automatically synchronize with an Internet Time Server (NTP): (check); Maximum time adjustment seconds: 0 | Allow the clock to be updated regardless of the size of the time difference |
| Virtual router settings | set vrouter trust-vr sharable | Network > Routing > Virtual Routers > Edit (for trust-vr): Shared and accessible by other vsys (check) | Make trust-vr a shared virtual router; as the root virtual router, trust-vr can then be accessed by other virtual systems (VSYS) |
| | unset vrouter "trust-vr" auto-route-export | Network > Routing > Virtual Routers > Edit (for trust-vr): uncheck Auto Export Route to Untrust-VR, then click OK | Disable automatic export of trust-vr interface routes into untrust-vr (system default) |
| ALG | unset alg sip enable | Security > ALG > Basic: uncheck | Disable the application layer gateway (ALG) for Session Initiation Protocol (SIP) |
| | unset alg mgcp enable | Security > ALG > Basic: uncheck | Disable the ALG for Media Gateway Control Protocol (MGCP) |
| | unset alg sccp enable | Security > ALG > Basic: uncheck | Disable the ALG for Skinny Client Control Protocol (SCCP) |
| | unset alg sunrpc enable | Security > ALG > Basic: uncheck | Disable the ALG for Sun Remote Procedure Call (SUNRPC) |
| | unset alg msrpc enable | Security > ALG > Basic: uncheck | Disable the ALG for Microsoft Remote Procedure Call (MSRPC) |
| | unset alg rtsp enable | Security > ALG > Basic: uncheck | Disable the ALG for Real Time Streaming Protocol (RTSP) |
| | unset alg h323 enable | Security > ALG > Basic: uncheck | Disable the ALG for H.323 |
| Authentication and administrator attributes | set auth-server "Local" id 0 | Configuration > Auth > Auth Servers (system default) | Set the local authentication server ID to 0 (system default) |
| | set auth-server "Local" server-name "Local" | Configuration > Auth > Auth Servers (system default) | Set the local authentication server name to Local (system default) |
| | set auth-server "XXXX" id 1 | Configuration > Auth > Auth Servers > New | Set the ACS authentication server ID to 1 |
| | set auth-server "XXXX" server-name "x.x.x.x" | Configuration > Auth > Auth Servers > New | Set the ACS authentication server IP address |
| | set auth-server "XXXX" account-type admin | Configuration > Auth > Auth Servers > New | Set the ACS authentication server account type to admin |
| | set auth default auth server "Local" | Configuration > Auth > Auth Servers (system default) | Set the default authentication server to Local (system default) |
| | set auth-server "XXXX" radius secret "xxxx" | Configuration > Auth > Auth Servers > New: select RADIUS | Set the ACS authentication server shared secret |
| | set auth-server "ACS" radius port 1646 | Configuration > Auth > Auth Servers > New: select RADIUS | Set the port used to communicate with the authentication server |
| | set admin name "ccb" | Configuration > Admin > Administrators > New | Set the administrator name used to log in to the firewall |
| | set admin password "xxxxxxxxx" | Configuration > Admin > Administrators > New | Set the password of the firewall superuser account |
| | set admin manager-ip x.x.x.x x.x.x.x | | Set the network addresses of hosts allowed to manage the firewall |
| | set admin auth timeout 10 | | Set the timeout for administrator sessions on the firewall WebUI (system default) |
| | set admin auth server "XXXX" | Configuration > Auth > Auth Servers > New | Set the name of the administrator authentication server |
| | set admin auth banner console login "Access is….ly" | Configuration > Admin > Banners | Set the banner shown to users logging in to the firewall over Telnet and SSH |
| | set admin privilege get-external | Configuration > Admin > Administrators > New | Take firewall administrator privileges from the RADIUS server |
| | set admin format dos | | Set the format of configuration files generated by the firewall to DOS format (system default) |
| Zone settings | set zone "Trust" vrouter "untrust-vr" | Network > Zones > Edit (for Trust) | Assign the Trust zone to the untrust-vr virtual router |
| | set zone "Untrust" vrouter "untrust-vr" | Network > Zones > Edit (for Untrust) | Assign the Untrust zone to the untrust-vr virtual router |
| | set zone "DMZ" vrouter "untrust-vr" | Network > Zones > Edit (for DMZ) | Assign the DMZ zone to the untrust-vr virtual router |
| | unset zone "Trust" tcp-rst | Network > Zones > Edit (for Trust): uncheck If TCP non SYN, send RESET back | Disable tcp-rst on the Trust zone: when the first packet of a session arrives without the SYN flag, the firewall no longer sends a RESET back to the source |
| | set zone "Trust" block | Network > Zones > Edit (for Trust): check Block Intra-Zone Traffic | Enable block on the Trust zone: when multiple interfaces belong to the Trust zone, traffic between them must be explicitly permitted by policy to pass through the firewall |
| | unset zone "Untrust" tcp-rst | Network > Zones > Edit (for Untrust): uncheck If TCP non SYN, send RESET back | Disable tcp-rst on the Untrust zone; if enabled, the firewall sends a RESET to the source when the first packet of a session arrives without the SYN flag (system default for the Untrust zone) |
| | set zone "Untrust" block | Network > Zones > Edit (for Untrust): check Block Intra-Zone Traffic | Enable block on the Untrust zone: when multiple interfaces belong to the Untrust zone, traffic between them must be explicitly permitted by policy to pass through the firewall (system default for the Untrust zone) |
| | set zone "Untrust" screen tear-drop | Security > Screening > Screen (for Untrust): check Teardrop Attack Protection | Enable teardrop attack protection on the Untrust zone (system default for the Untrust zone) |
| | set zone "Untrust" screen syn-flood | Security > Screening > Screen (for Untrust): check SYN Flood Protection | Enable SYN flood protection on the Untrust zone (system default for the Untrust zone) |
| | set zone "Untrust" screen ping-death | Security > Screening > Screen (for Untrust): check Ping of Death Attack Protection | Enable ping-of-death protection on the Untrust zone (system default for the Untrust zone) |
| | set zone "Untrust" screen ip-filter-src | Security > Screening > Screen (for Untrust): check IP Source Route Option Filter | Enable IP source route option filtering on the Untrust zone (system default for the Untrust zone) |
| | set zone "Untrust" screen land | Security > Screening > Screen (for Untrust): check Land Attack Protection | Enable land attack protection on the Untrust zone (system default for the Untrust zone) |
| | set zone "Untrust" screen alarm-without-drop | Security > Screening > Screen (for Untrust): check Generate Alarms without Dropping Packet | Set the Untrust zone screens to generate alarms only, without dropping packets |
| Interface settings | set interface "ethernet1/1" zone "xxx" | Network > Interfaces > Edit (for interface E1/1): select the zone name | Set the zone the interface belongs to |
| | set interface ethernet1/1 ip x.x.x.x/x | Network > Interfaces > Edit (for interface E1/1): enter IP/mask | Set the IP address of interface e1/1 |
| | set interface ethernet1/1 route | Network > Interfaces > Edit (for interface E1/1): Interface Mode, select ROUTE | Set the interface to route mode |
| | set interface ethernet1/1 manage-ip | Network > Interfaces > Edit (for interface E1/1): enter Manage IP | Set the management IP address of the interface |
| | set interface ethernet1/1 ip manageable | Network > Interfaces > Edit (for interface E1/1): check Manageable | Allow management on the interface |
| | set interface ethernet1/1 manage xxxx | Network > Interfaces > Edit (for interface E1/1): check the services to be managed | Set the management services offered on the interface (enabling management services is recommended only on internal interfaces) |
| Flow settings | unset flow tcp-syn-check | Screening > Screen | Disable the check, performed before the policy lookup, that the first packet of a session carries the SYN flag (without it the packet would be dropped) |
| | set flow tcp-syn-bit-check | Screening > Screen | |
| | set flow syn-proxy syn-cookie | Security > Screening > Flow Protection | |
| | set flow reverse-route clear-text prefer | Screening > Screen | |
| | set flow reverse-route tunnel always | Screening > Screen | |
| | set flow no-tcp-seq-check | Screening > Screen | |
| HA settings | set nsrp cluster id 1 | Network > NSRP > Cluster | |
| | set nsrp rto-mirror sync | Network > NSRP | |
| | set nsrp rto-mirror session ageout-ack | Network > NSRP | |
| | unset nsrp rto-mirror session ping | Network > NSRP | |
| | set nsrp vsd-group id 0 priority 20 | Network > NSRP > VSD Group > Configuration | |
| | set nsrp vsd-group id 0 monitor interface ethernet1/1 | Network > NSRP > VSD Group > Configuration | |
| | set nsrp monitor track-ip ip | Network > NSRP > Monitor | |
| | set nsrp monitor track-ip ip x.x.x.x threshold 10 | Network > NSRP | |
| | set nsrp vsd-group master-always-exist | Network > NSRP | |
| | set ntp no-ha-sync | Network > NSRP > Synchronization | |
| SNMP | | Configuration > Report Settings > Syslog | |
| | | Configuration > Report Settings > Syslog | |
| | | Configuration > Report Settings > Syslog | |
| | set snmp community "xxx" Read-Only Trap-on version v1 | Configuration > Report Settings > SNMP > New Community | |
| | set snmp host "bbb" y.y.y.y 255.255.255.255 trap v2 | Configuration > Report Settings > SNMP | |
| | set snmp name xxxx | Configuration > Report Settings > SNMP | |
| | set snmp port listen 161 | Configuration > Report Settings > SNMP | |
| | set snmp port trap 162 | Configuration > Report Settings > SNMP | |
| VPN | set pki authority default scep mode "auto" | Objects > Certificates > New | |
| | set pki x509 default cert-path partial | Objects > Certificates > New | |
| | set ike respond-bad-spi 1 | Network > Zones > Edit | |
| | unset ike ikeid-enumeration | Network > Zones > Edit | |
| | unset ike dos-protection | | |
| | unset ipsec access-session enable | | |
| | set ipsec access-session maximum 5000 | | |
| | set ipsec access-session upper-threshold 0 | | |
| | set ipsec access-session lower-threshold 0 | | |
| | set ipsec access-session dead-p2-sa-timeout 0 | | |
| | unset ipsec access-session log-error | | |
| | unset ipsec access-session info-exch-connected | | |
| | unset ipsec access-session use-error-log | | |
| | set interface tunnel.1 zone untrust | | |
| | set interface tunnel.1 ip unnumbered interface ethernet3 | | |
| | set ike gateway To_Paris address 2.2.2.2 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha | VPNs > AutoKey Advanced > Gateway > New | |
| | set vpn Tokyo_Paris gateway To_Paris sec-level compatible | VPNs > AutoKey IKE > Edit | |
| | set vpn Tokyo_Paris bind interface tunnel.1 | VPNs > AutoKey IKE > Edit | |
| | set vpn Tokyo_Paris proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any | VPNs > AutoKey IKE > Edit | |
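A small audit script that checks a saved ScreenOS configuration against the baseline items in the table above (ALGs disabled, Untrust screens and intra-zone block enabled, manager-ip restriction, NTP). It is an added example, not part of the original guide or of ScreenOS; the sample configuration is constructed, and the item list is a subset chosen for illustration.

```python
# Added example, not from the original guide: audit a ScreenOS "get config"
# dump against the hardening items in the table above. Sample config is constructed.
import re
# Baseline items from the table that must be present (patterns match normalised lines).
BASELINE = [
    ("NTP enabled", r"^set clock ntp$"),
    ("SIP ALG disabled", r"^unset alg sip enable$"),
    ("MGCP ALG disabled", r"^unset alg mgcp enable$"),
    ("RTSP ALG disabled", r"^unset alg rtsp enable$"),
    ("H.323 ALG disabled", r"^unset alg h323 enable$"),
    ("Untrust SYN flood screen", r"^set zone Untrust screen syn-flood$"),
    ("Untrust teardrop screen", r"^set zone Untrust screen tear-drop$"),
    ("Untrust ping-of-death screen", r"^set zone Untrust screen ping-death$"),
    ("Untrust land attack screen", r"^set zone Untrust screen land$"),
    ("Untrust intra-zone block", r"^set zone Untrust block$"),
    ("Admin manager-ip restriction", r"^set admin manager-ip \S+ \S+$"),
]
# Baseline items that weaken enforcement and deserve a reviewer's attention:
# alarm-without-drop makes the screens alert-only, and unset flow tcp-syn-check
# stops the firewall dropping non-SYN first packets.
INFORMATIONAL = [
    ("Untrust screens are alarm-only (alarm-without-drop)", r"^set zone Untrust screen alarm-without-drop$"),
    ("First-packet SYN check disabled (unset flow tcp-syn-check)", r"^unset flow tcp-syn-check$"),
]
def normalize(line):
    """Drop ScreenOS quoting and squeeze whitespace so the patterns are stable."""
    return re.sub(r"\s+", " ", line.replace('"', "")).strip()

def audit(config_text):
    """Return the baseline items missing from the config and the informational hits."""
    lines = {normalize(l) for l in config_text.splitlines() if l.strip()}
    present = lambda pat: any(re.match(pat, l) for l in lines)
    return {"missing": [d for d, p in BASELINE if not present(p)],
            "info": [d for d, p in INFORMATIONAL if present(p)]}

# Constructed sample: the RTSP ALG and ping-of-death screen lines are left out on purpose.
SAMPLE_CONFIG = """
set clock ntp
unset alg sip enable
unset alg mgcp enable
unset alg h323 enable
set zone "Untrust" screen syn-flood
set zone "Untrust" screen tear-drop
set zone "Untrust" screen land
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" block
set admin manager-ip 10.1.1.0 255.255.255.0
unset flow tcp-syn-check
"""
```

Running `audit(SAMPLE_CONFIG)` reports the two deliberately omitted items as missing and flags the two alert-only settings for review.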