
SRX Firewall Basics (system hierarchy configuration)


Juniper SRX runs the Junos operating system. A short introduction to the basic Junos configuration commands:
set: create a configuration statement (set system hostname srx-test);
delete: remove a configuration statement (delete system hostname srx-test);
commit: creating, deleting or changing configuration only takes effect after the candidate configuration is committed;
commit check: validate the candidate configuration without activating it;
show | compare: show the differences between the candidate configuration and the active configuration;

The system hierarchy holds the firewall's system-level settings, covering user accounts, remote-access methods, logging and similar items:

I. Creating users (changing the root password, creating an ordinary user)

  1. Change the root password
    admin@SRX# set system root-authentication plain-text-password
    New password:
    Retype new password:

[edit]
admin@SRX#

  2. Create an ordinary user (here admin, placed in the built-in super-user class, which grants all permissions)
    admin@SRX# set system login user admin class super-user authentication plain-text-password
    New password:
    Retype new password:

[edit]
admin@SRX#

  3. Junos built-in login classes and their permissions
    [edit]
    admin@SRX# set system login user admin class ?

    Possible completions:
    <class> Login class
    operator permissions [ clear network reset trace view ]
    read-only permissions [ view ]
    super-user permissions [ all ]
    unauthorized permissions [ none ]
    [edit]
    admin@SRX# set system login user admin class

  4. View the current user's permissions (operational mode)
    show cli authorization

  5. Define a custom class and assign it to the user to test the new permissions
    set system login class class-test permissions all
    set system login class class-test deny-configuration "shell|configuration|request"

set system login user admin class class-test
set system login user admin authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"

Note: deny-configuration is matched against configuration statements, so the regular expression above does not stop the operational-mode commands start shell, configure or request; those are restricted with deny-commands (and allow-commands). The $1$ prefix of the stored hash marks MD5-crypt; newer Junos releases let you pick a stronger scheme with set system login password format sha256 (or sha512) before the password is set.

admin@SRX> show cli authorization
Current user: 'admin' class 'class-test'
Permissions:
admin -- Can view user accounts
.........
all-control -- Can modify any configuration
Individual command authorization:
Allow configuration regular expression: none
Deny configuration regular expression: shell|configuration|request

admin@SRX>

  6. By default a remote login session never times out; set a 10-minute idle timeout. idle-timeout is a property of a user-defined class (the built-in classes cannot be modified), so the user has to be moved into that class:
    set system login class super-all idle-timeout 10
    set system login user admin class super-all .....

II. Configuring RADIUS authentication on the SRX

  1. Define the RADIUS server
    set system radius-server 10.250.0.254 secret "$9$5znCO1hKMXtuMX7-2gTz3"
    set system radius-server 10.250.0.254 source-address 10.10.1.1

  2. Set the authentication order; the default is local password authentication only
    set system authentication-order radius
    set system authentication-order password

Notes: the two set commands build the list authentication-order [ radius password ]: RADIUS is tried first and the local password database is consulted when the server rejects the login or does not answer; with radius alone, the local database is used only when no RADIUS server responds. A RADIUS-authenticated user who has no local account is mapped to the local template user remote (set system login user remote class ...) unless the server returns a Juniper-Local-User-Name attribute naming another template. The $9$ form of the secret is Junos' reversible obfuscation, not a hash, so configuration dumps containing it must be treated as sensitive.

III. Configuring NTP time synchronization on the SRX

  1. Set the time zone of the firewall's location
    set system time-zone Asia/Shanghai
  2. Configure the NTP servers
    set system ntp boot-server 100.100.100.1
    set system ntp server 100.100.100.1 prefer
    set system ntp source-address 10.10.1.1

Note: when several NTP servers are configured, prefer marks the one to favour.

admin@SRX> set date ntp 100.100.100.1 (operational mode: force an immediate NTP synchronization)

  3. Configure NTP authentication (without it, anyone who can answer on UDP 123 can shift the clock, and with it log timestamps and certificate validity)
    set system ntp authentication-key 1 type md5
    set system ntp authentication-key 1 value "$9$g8aGiP5FApBk.pBIEeK4aZ"
    set system ntp server 100.100.100.1 key 1 (use key 1 for this one server)
    set system ntp trusted-key 1 (declare key 1 as a key the device may use with any server or peer)

  4. Check the synchronization status
    show ntp associations
    show ntp status
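To make concrete what the three authentication statements above agree on, here is an added Python example (written for this page; it is neither Junos code nor from the original post) of NTP symmetric-key authentication as ntpd and Junos implement it: the packet carries a key ID and MD5(key || 48-byte header), the receiver accepts only key IDs it trusts, and a missing MAC, an untrusted key ID or a tampered header are all rejected. The key values and IDs are constructed assumptions; key 2 is deliberately configured but not trusted to show the difference between authentication-key and trusted-key.

```python
"""NTP symmetric-key (MD5) authentication as enabled by
`set system ntp authentication-key 1 type md5 value ...`,
`set system ntp server 100.100.100.1 key 1` and `set system ntp trusted-key 1`.

Wire format (RFC 5905 Appendix A, as used by ntpd/Junos): the 48-byte NTP
header is followed by a MAC made of a 4-byte key ID and a 16-byte digest,
where digest = MD5(key || header). The key itself never goes on the wire.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16

# Key table (`authentication-key <id> ... value <key>`): constructed example values.
KEYS = {1: b"ntpKey1-example", 2: b"ntpKey2-example"}
# Key IDs peers may use (`trusted-key`): key 2 exists but is deliberately not trusted.
TRUSTED_KEYS = {1}


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client request: LI=0, VN=4, Mode=3 (client)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, root delay, root dispersion, reference ID,
    # then reference / origin / receive / transmit timestamps (64 bits each)
    return struct.pack("!BBBbIII4Q", li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, transmit_ts)


def authenticate(header: bytes, key_id: int) -> bytes:
    """Append the MAC a client adds when `server ... key <id>` is configured."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes) -> tuple[bool, str]:
    """Receiver-side check: accept only a trusted key ID with a matching digest."""
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False, "no MAC or unexpected length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in TRUSTED_KEYS:
        return False, f"key id {key_id} not trusted"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    pkt = authenticate(build_client_header(transmit_ts=0x1234_5678_0000_0000), 1)
    print(verify(pkt))                                   # accepted
    tampered = bytearray(pkt)
    tampered[1] ^= 0x01                                  # flip the stratum byte
    print(verify(bytes(tampered)))                       # digest mismatch
    print(verify(authenticate(build_client_header(), 2)))  # key configured but not trusted
    print(verify(build_client_header()))                 # unauthenticated packet
```

The digest is a plain keyed hash rather than an HMAC, which is simply what type md5 specifies; check set system ntp authentication-key 1 type ? on your release for stronger digest types. Authentication proves only that the peer holds the shared key; it does nothing to protect the $9$-obfuscated key value sitting in configuration backups.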

IV. Enabling remote access services on the firewall

  1. Enable the firewall services
    set system services ftp
    set system services ssh
    set system services telnet
    set system services web-management http
    set system services web-management https system-generated-certificate

  2. Tune the services
    (1) FTP, Telnet, SSH
    set system services ftp connection-limit 10
    set system services ftp rate-limit 10
    set system services ssh root-login deny
    set system services telnet connection-limit 10
    set system services telnet rate-limit 10

    (2) Web
    set system services web-management management-url admin
    set system services web-management http
    set system services web-management https port 8443
    set system services web-management https system-generated-certificate
    set system services web-management https interface ge-0/0/0.0

Note: ftp, telnet and http carry credentials and configuration in cleartext; in production enable only ssh and https (delete system services ftp, telnet and web-management http). root-login deny forces administrators to log in with their own accounts, which keeps the authorization log attributable to a person. system-generated-certificate produces a self-signed certificate that clients cannot validate, so where possible load one issued by your own CA (set system services web-management https pki-local-certificate <name>); the https interface statement limits J-Web to the listed interface.

  3. Permit the services under the security zone; otherwise the traffic cannot reach the firewall itself (this includes the RADIUS and NTP protocols and so on)
    host-inbound-traffic: allows management traffic to reach the firewall itself. Permit only the services each zone actually needs (all on an untrusted zone exposes every listener on the device); host-inbound-traffic can also be set under a single interface of the zone instead of the whole zone.
    [edit security zones security-zone trust]
    admin@SRX# set host-inbound-traffic system-services ?
    Possible completions:
    all All system services
    bootp Bootp and dhcp relay-agent service
    dhcp Dynamic Host Configuration Protocol
    dhcpv6 Enable Dynamic Host Configuration Protocol for IPv6
    dns DNS service
    ftp FTP
    http Web management service using HTTP
    https Web management service using HTTP secured by SSL
    ike Internet Key Exchange
    ntp Network Time Protocol service
    ping Internet Control Message Protocol echo requests
    snmp Simple Network Management Protocol service
    snmp-trap Simple Network Management Protocol traps
    ssh SSH service
    telnet Telnet service
    tftp TFTP

[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic protocols ?
Possible completions:
all All protocols
bfd Bidirectional Forwarding Detection
bgp Border Gateway Protocol
dvmrp Distance Vector Multicast Routing Protocol
igmp Internet Group Management Protocol
msdp Multicast Source Discovery Protocol
nhrp Next Hop Resolution Protocol
ospf Open Shortest Path First
ospf3 Open Shortest Path First version 3
pgm Pragmatic General Multicast
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
sap Session Announcement Protocol
vrrp Virtual Router Redundancy Protocol
Traffic that only transits the firewall (for example a workstation reaching the RADIUS or NTP server behind it) is governed by security policies rather than by host-inbound-traffic.

V. SNMP (v2c)

  1. Basic SNMP configuration:
    set snmp community public authorization read-only

  2. SNMP trap configuration:
    set snmp trap-group test categories chassis
    set snmp trap-group test categories chassis-cluster
    set snmp trap-group test categories configuration
    set snmp trap-group test categories link
    set snmp trap-group test categories routing
    set snmp trap-group test categories service
    set snmp trap-group test categories startup
    set snmp trap-group test targets 100.100.100.1

Note: public is the default community name every scanner tries first, and v2c sends it in cleartext with every request. Use a unique community name, restrict who may use it (set snmp community <name> clients 10.10.1.0/24), and prefer SNMPv3 with authentication and privacy (set snmp v3 ...) where the management station supports it.

VI. System logging

Junos control-plane logs can be sent to a log server, written to a log file, or printed directly on the CLI console
set system syslog archive size 1m
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog host 10.10.1.100 any notice
set system syslog host 10.10.1.100 authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog console any warning
set system syslog time-format year
set system syslog source-address 10.10.1.1

set system syslog file messages match "!(kernel time sync enabled)" (filter out messages matching the expression)

Note: world-readable lets every local account read the archived logs, including the authorization and command history; leave it out unless there is a specific need. Forwarding authorization and interactive-commands to the remote host keeps a record of logins and typed commands that someone who has compromised the device cannot quietly erase.

Junos data-plane logs send the generated session state information to the log server
set security log mode stream
set security log source-address 10.10.1.1
set security log stream log severity notice
set security log stream log host 10.10.1.10

Note: session logs are only generated for policies that ask for them (then log session-init / session-close under the security policy), and in stream mode they leave from the forwarding plane, so the log host must be reachable from there via the configured source-address.
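An added example (written for this page, not from the original post) of what the forwarded control-plane logs are for once they reach 10.10.1.100: sshd failures and authorization events land in the messages stream, while the interactive-commands facility records each typed line (UI_CMDLINE_READ_LINE) and each commit (UI_COMMIT). The script below flags ssh attempts as root (which root-login deny should make unnecessary), bursts of failed logins from one source, and risky configuration statements that were actually committed. The sample lines are constructed to follow those message formats; the threshold, window and list of risky statements are assumptions.

```python
"""Detection logic over Junos syslog lines: ssh brute force, root login
attempts, and risky configuration changes that were committed.
Sample log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 10 10:00:01 srx-test sshd[3011]: Failed password for root from 10.10.1.77 port 50311 ssh2
Jan 10 10:00:03 srx-test sshd[3012]: Failed password for root from 10.10.1.77 port 50312 ssh2
Jan 10 10:00:05 srx-test sshd[3013]: Failed password for admin from 10.10.1.77 port 50313 ssh2
Jan 10 10:00:08 srx-test sshd[3014]: Failed password for invalid user backup from 10.10.1.77 port 50314 ssh2
Jan 10 10:01:00 srx-test mgd[3120]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user' [3120], ssh-connection '10.10.1.5 51234 10.10.1.1 22', client-mode 'cli'
Jan 10 10:01:10 srx-test mgd[3120]: UI_CMDLINE_READ_LINE: User 'admin', command 'edit '
Jan 10 10:01:20 srx-test mgd[3120]: UI_CMDLINE_READ_LINE: User 'admin', command 'set system services telnet '
Jan 10 10:01:25 srx-test mgd[3120]: UI_CMDLINE_READ_LINE: User 'admin', command 'set system ntp server 100.100.100.1 '
Jan 10 10:01:40 srx-test mgd[3120]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
CMDLINE = re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")
COMMIT = re.compile(r"UI_COMMIT: User '(?P<user>[^']+)' requested 'commit' operation")

# Configuration statements that weaken the device (assumed list); matched against the typed command.
RISKY = [
    re.compile(r"set system services (telnet|ftp|web-management http)\b"),
    re.compile(r"set system services ssh root-login allow"),
    re.compile(r"delete system services ssh root-login"),
    re.compile(r"host-inbound-traffic system-services all$"),
    re.compile(r"set snmp community (public|private)\b"),
]


def _timestamp(line: str) -> datetime:
    # Default Junos syslog prefix "Mon DD HH:MM:SS" (year omitted unless time-format year is set)
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def analyze(log_text: str, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list[str]:
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of failed logins inside the window
    flagged = set()                # (kind, src) already reported, to avoid repeats
    pending = defaultdict(list)    # user -> risky statements typed but not yet committed
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            ts, src = _timestamp(line), m["src"]
            if m["user"] == "root" and ("root", src) not in flagged:
                alerts.append(f"{ts:%H:%M:%S} ssh login attempt as root from {src}")
                flagged.add(("root", src))
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and ("brute", src) not in flagged:
                alerts.append(f"{ts:%H:%M:%S} {len(failures[src])} failed ssh logins from {src} "
                              f"within {int(window.total_seconds())}s")
                flagged.add(("brute", src))
        elif m := CMDLINE.search(line):
            cmd = m["cmd"].strip()
            if any(p.search(cmd) for p in RISKY):
                pending[m["user"]].append(cmd)
        elif m := COMMIT.search(line):
            user = m["user"]
            if pending.get(user):   # only a committed change is a real one
                alerts.append(f"{_timestamp(line):%H:%M:%S} {user} committed risky change: "
                              + "; ".join(pending.pop(user)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Commands are held per user until a UI_COMMIT for that user appears, so a typed-then-rolled-back statement produces no alert; the UI_LOGIN_EVENT line is deliberately left in the sample as noise the parser must skip.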

VII. Console port settings
set system ports console log-out-on-disconnect
set system ports console disable
Note: log-out-on-disconnect ends the session when the console cable is unplugged, so the next person who plugs in does not inherit a logged-in CLI. disable turns the console port off entirely, which also removes your out-of-band recovery path; use it only where the port is physically exposed and another recovery method exists.
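To tie the hardening points of sections I, IV, V and VI together, here is an added Python example (written for this page; it is not Junos code and not from the original post) that audits a show configuration | display set dump for the weak settings discussed above: cleartext ftp/telnet/http, ssh without root-login deny, a zone with host-inbound-traffic system-services all, the public SNMP community or one without a clients restriction, a world-readable syslog archive, login classes without idle-timeout, users left in a built-in class, and MD5-crypt ($1$) password hashes. The weak configuration reuses the page's own statements; the hardened one is an assumed replacement.

```python
"""Audit a Junos `show configuration | display set` dump for the weak settings
discussed on this page. Both configurations below are constructed samples."""
import re

WEAK_CONFIG = """\
set system login class class-test permissions all
set system login user admin class super-user authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"
set system services ftp
set system services ftp connection-limit 10
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set security zones security-zone trust host-inbound-traffic system-services all
set snmp community public authorization read-only
set system syslog archive world-readable
"""

HARDENED_CONFIG = """\
set system login class ops permissions all
set system login class ops idle-timeout 10
set system login user admin class ops authentication encrypted-password "$6$assumed-hash"
set system services ssh root-login deny
set system services web-management https system-generated-certificate
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set snmp community ops-ro authorization read-only
set snmp community ops-ro clients 10.10.1.0/24
set system syslog archive size 1m
"""

BUILTIN_CLASSES = {"super-user", "operator", "read-only", "unauthorized"}
CLEARTEXT = {"ftp": "set system services ftp",
             "telnet": "set system services telnet",
             "http": "set system services web-management http"}


def _has(lines, prefix):
    """True if some statement is exactly `prefix` or starts with `prefix ` (so http != https)."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)


def audit(config_text: str) -> list[str]:
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    findings = set()
    # Cleartext management services
    for name, prefix in CLEARTEXT.items():
        if _has(lines, prefix):
            findings.add(f"services: cleartext {name} enabled")
    # SSH must refuse direct root logins
    if _has(lines, "set system services ssh") and "set system services ssh root-login deny" not in lines:
        findings.add("services: ssh root-login not denied")
    # Zones opened to every system service
    for l in lines:
        m = re.fullmatch(r"set security zones security-zone (\S+) host-inbound-traffic system-services all", l)
        if m:
            findings.add(f"zone {m[1]}: host-inbound-traffic system-services all")
    # SNMP communities: default names and missing source restriction
    communities = {m[1] for l in lines if (m := re.match(r"set snmp community (\S+)", l))}
    for c in communities:
        if c in {"public", "private"}:
            findings.add(f"snmp: default community name {c}")
        if not _has(lines, f"set snmp community {c} clients"):
            findings.add(f"snmp: community {c} has no clients restriction")
    # Log archive readable by every local account
    if "set system syslog archive world-readable" in lines:
        findings.add("syslog: archive world-readable")
    # Login classes without idle-timeout, users in built-in classes, weak hashes
    classes = {m[1] for l in lines if (m := re.match(r"set system login class (\S+)", l))}
    for c in classes:
        if not _has(lines, f"set system login class {c} idle-timeout"):
            findings.add(f"class {c}: no idle-timeout")
    for l in lines:
        m = re.match(r"set system login user (\S+) class (\S+)", l)
        if m and m[2] in BUILTIN_CLASSES:
            findings.add(f"user {m[1]}: built-in class {m[2]} cannot carry an idle-timeout")
        m = re.match(r'set system login user (\S+) .*encrypted-password "\$1\$', l)
        if m:
            findings.add(f"user {m[1]}: MD5-crypt ($1$) password hash")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)) or "no findings")
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
```

The checks are written against the display set form because it is stable across releases and one statement per line; run it over a dump taken with show configuration | display set | no-more.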
The above covers the basic Junos firewall configuration; use it as a reference.
