Juniper SRX runs the Junos operating system. A brief introduction to the basic Junos operating commands:

- set: creates a configuration statement (set system hostname srx-test)
- delete: deletes a configuration statement (delete system hostname srx-test)
- commit: creating, deleting or modifying configuration all require a commit to save the candidate configuration and make it take effect
- commit check: checks the validity of the candidate configuration without committing it
- show | compare: shows the differences between the candidate configuration and the active configuration

The system hierarchy holds the firewall's system configuration: users, remote-access methods, logging and similar settings.
1. Creating users (changing the root password, creating ordinary users)

Default Junos login classes:

```
[edit]
admin@SRX# set system login user admin class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]
[edit]
admin@SRX# set system login user admin class
```

The permissions of the current user are shown with show cli authorization. Assign the admin user a login class and a password hash:

```
set system login user admin class class-test
set system login user admin authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"
```

```
admin@SRX> show cli authorization
Current user: 'admin ' class 'class-test'
Permissions:
    admin -- Can view user accounts
    ......
    all-control -- Can modify any configuration
Individual command authorization:
    Allow configuration regular expression: none
    Deny configuration regular expression: shell|configuration|request
admin@SRX>
```
2. Configuring RADIUS authentication on the SRX

Specify the RADIUS server:

```
set system radius-server 10.250.0.254 secret "$9$5znCO1hKMXtuMX7-2gTz3"
set system radius-server 10.250.0.254 source-address 10.10.1.1
```

3. Configuring NTP time synchronization on the SRX

Note: when more than one NTP server is configured, use prefer to mark the preferred one.

Force an immediate NTP synchronization:

```
admin@SRX> set date ntp 100.100.100.1
```

Configure NTP authentication:

```
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$g8aGiP5FApBk.pBIEeK4aZ"
set system ntp server 100.100.100.1 key 1
set system ntp trusted-key 1
```

The server ... key 1 statement applies the key to that single server; trusted-key 1 applies it to all configured servers.
4. Enabling remote-access services on the firewall

Enable the services:

```
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
```

Tune the services:

(1) FTP, Telnet, SSH

```
set system services ftp connection-limit 10
set system services ftp rate-limit 10
set system services ssh root-login deny
set system services telnet connection-limit 10
set system services telnet rate-limit 10
```

(2) Web

```
set system services web-management management-url admin
set system services web-management http
set system services web-management https port 8443
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
```

The security zone that the management interface belongs to must also accept the traffic under host-inbound-traffic; the protocols that can be allowed are listed with ?:

```
[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  ospf3                Open Shortest Path First version 3
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol next generation
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol
```

Alternatively, permit the traffic in a security policy.

5. SNMP (v2c)
Basic SNMP configuration:

```
set snmp community public authorization read-only
```

6. System logging configuration
Junos control-plane logs can be sent to a log server, written to a log file, or output directly on the CLI:

```
set system syslog archive size 1m
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog host 10.10.1.100 any notice
set system syslog host 10.10.1.100 authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog console any warning
set system syslog time-format year
set system syslog source-address 10.10.1.1
set system syslog file messages match "!(kernel time sync enabled)"
```

The last line's match expression filters the messages file: messages matching the regular expression are excluded because of the leading !.
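To show what the match filter above does to a log stream, here is an added Python example (not code from the original post or from Juniper). It assumes the Junos semantics that a match expression is a regular expression, that a leading "!" inverts it (messages that match are dropped), and that the standard "timestamp host process[pid]: text" syslog line layout applies; the sample log lines are constructed and are not from the page.

```python
import re

# Constructed sample messages in the Junos syslog line layout (not from the page).
SAMPLE_LOG = """\
Jan  3 10:15:01 srx-test kernel: kernel time sync enabled 2001
Jan  3 10:15:02 srx-test sshd[1234]: Accepted password for admin from 10.10.1.50 port 50022 ssh2
Jan  3 10:15:05 srx-test mgd[2345]: UI_COMMIT: User 'admin' requested 'commit' operation
Jan  3 10:15:09 srx-test kernel: kernel time sync enabled 6001
Jan  3 10:15:12 srx-test sshd[1240]: Failed password for root from 10.10.1.77 port 50031 ssh2
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional, e.g. for kernel)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<process>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def compile_match(expr):
    """Turn a Junos-style 'match' expression into (regex, negate).

    Assumed semantics: a leading '!' means 'drop messages that match';
    without it only matching messages are kept.
    """
    negate = expr.startswith("!")
    pattern = expr[1:] if negate else expr
    return re.compile(pattern), negate


def apply_match(lines, expr):
    """Return the lines that would survive the given match expression."""
    regex, negate = compile_match(expr)
    kept = []
    for line in lines:
        hit = regex.search(line) is not None
        if hit != negate:          # keep on hit (normal) or on miss (negated)
            kept.append(line)
    return kept


def failed_logins(lines):
    """Parsed records for authentication failures among the surviving lines."""
    records = [parse_line(l) for l in lines]
    return [r for r in records if r and "Failed password" in r["msg"]]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    kept = apply_match(lines, "!(kernel time sync enabled)")
    print(f"{len(lines)} messages, {len(kept)} after the filter")
    for rec in failed_logins(kept):
        print("failed login:", rec["process"], rec["pid"], rec["msg"])
```

The noisy kernel time-sync lines are dropped while the SSH authentication events, which an operator actually wants in the messages file and on the remote syslog host, survive the filter.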
Junos data-plane logs send the generated session state information to the log server:

```
set security log mode stream
set security log source-address 10.10.1.1
set security log stream log severity notice
set security log stream log host 10.10.1.10
```

7. Console settings
```
set system ports console log-out-on-disconnect
set system ports console disable
```

The above is the basic configuration of a Junos firewall, for reference.

Reposted from: https://blog.51cto.com/ciscosyh/2362455
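Sections 4 to 6 enable management services, SNMP and syslog; the following added Python example (not code from the original post or from Juniper) audits a list of Junos set statements against the hardening points those sections raise: cleartext services (telnet, ftp, plain http) enabled, ssh root-login not denied, missing connection-limit/rate-limit, a default SNMP community string or read-write access, and no remote syslog host or interactive-commands log. The first sample input is the page's own set statements; the second is a constructed hardened variant, and EXAMPLE-RO-COMMUNITY is a placeholder, not a real value.

```python
# The page's own 'set' statements, gathered here as the first sample input.
PAGE_CONFIG = """
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system services ftp connection-limit 10
set system services ftp rate-limit 10
set system services ssh root-login deny
set system services telnet connection-limit 10
set system services telnet rate-limit 10
set system services web-management https port 8443
set snmp community public authorization read-only
set system syslog host 10.10.1.100 any notice
set system syslog file interactive-commands interactive-commands any
"""

# Constructed hardened variant (placeholder community string, not a real value).
HARDENED_CONFIG = """
set system services ssh root-login deny
set system services ssh connection-limit 10
set system services ssh rate-limit 10
set system services web-management https port 8443
set system services web-management https system-generated-certificate
set snmp community EXAMPLE-RO-COMMUNITY authorization read-only
set system syslog host 10.10.1.100 any notice
set system syslog file interactive-commands interactive-commands any
"""

CLEARTEXT_SERVICES = {"telnet", "ftp"}   # credentials cross the wire unencrypted
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_set_lines(text):
    """Return one token tuple per 'set ...' line (blank and non-set lines skipped)."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.append(tuple(line.split()[1:]))
    return stmts


def has(stmts, *prefix):
    """True if any statement starts with the given token prefix."""
    return any(s[:len(prefix)] == prefix for s in stmts)


def enabled_services(stmts):
    """Service names configured under 'system services'."""
    return {s[2] for s in stmts if s[:2] == ("system", "services") and len(s) > 2}


def audit(text):
    """Return a list of human-readable findings for the given set statements."""
    stmts = parse_set_lines(text)
    services = enabled_services(stmts)
    findings = []
    for svc in sorted(services & CLEARTEXT_SERVICES):
        findings.append(f"{svc}: cleartext management service enabled; prefer ssh/https")
    if has(stmts, "system", "services", "web-management", "http"):
        findings.append("web-management http: unencrypted web management enabled; keep https only")
    if "ssh" in services and not has(stmts, "system", "services", "ssh", "root-login", "deny"):
        findings.append("ssh: root-login is not denied")
    for svc in sorted(services - {"web-management"}):
        for knob in ("connection-limit", "rate-limit"):
            if not has(stmts, "system", "services", svc, knob):
                findings.append(f"{svc}: no {knob} configured")
    for s in stmts:
        if s[:2] == ("snmp", "community") and len(s) > 2:
            if s[2] in DEFAULT_COMMUNITIES:
                findings.append(f"snmp: default community string '{s[2]}' in use")
            if "read-write" in s:
                findings.append(f"snmp: community '{s[2]}' is read-write")
    if not has(stmts, "system", "syslog", "host"):
        findings.append("syslog: no remote syslog host; logs survive only on the box")
    if not has(stmts, "system", "syslog", "file", "interactive-commands"):
        findings.append("syslog: interactive-commands are not logged to a file")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against the page's statements the audit reports the two cleartext services, plain http, the missing ssh limits and the default community; the hardened variant produces no findings. The same parser works on the output of show configuration | display set copied from a device.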