Juniper SRX采用Junos操作系统,简单介绍Junos的基础操作命令:
set: 建立一个配置(set system hostname srx-test);
delete:删除一个配置(delete system hostname srx-test);
commit: 建立,删除,修改配置都需要保存配置,使生效;
commit check: 检测候选配置的合法性;
show | compare: 查看当前配置与激活配置的区别;
system层级,用于配置防火墙系统配置,在系统配置中涉及用户,远程接入方式,日志等信息的配置:
一、创建用户(修改root用户密码,创建普通用户)
- 修改root用户的密码
admin@SRX# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
admin@SRX#
- 创建普通用户
admin@SRX# set system login user admin class super-user authentication plain-text-password
New password:
Retype new password:
[edit]
admin@SRX#
- Junos默认的用户权限
[edit]
admin@SRX# set system login user admin class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
[edit]
admin@SRX# set system login user admin class - 查看用户权限
show cli authorization - 手工配置class分类,并在用户中调试新权限
set system login class class-test permissions all
set system login class class-test deny-configuration "shell|configuration|request"
set system login user admin class class-test
set system login user admin authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"
admin@SRX> show cli authorization
Current user: ‘admin ‘ class ‘class-test‘
Permissions:
admin -- Can view user accounts
.........
all-control -- Can modify any configuration
Individual command authorization:
Allow configuration regular expression: none
Deny configuration regular expression: shell|configuration|request
admin@SRX>
- 默认junos远程用户登录网络不会超时,设置10分钟超时
set system login class super-all idle-timeout 10
set system login user admin class super-all .....
二、SRX防火墙创建radius认证
- SRX防火墙指定radius服务器
set system radius-server 10.250.0.254 secret "$9$5znCO1hKMXtuMX7-2gTz3"
set system radius-server 10.250.0.254 source-address 10.10.1.1 - SRX防火墙指定认证顺序,默认为本地认证
set system authentication-order radius
set system authentication-order password
三、SRX防火墙配置NTP时间同步
- 配置防火墙的所在地的时区
set system time-zone Asia/Shanghai - 配置NTP服务器
set system ntp boot-server 100.100.100.1
set system ntp server 100.100.100.1 prefer
set system ntp source-address 10.10.1.1
注:当有多个NTP Server存在是,使用prefer优先选择
admin@SRX> set date ntp 100.100.100.1 强制NTP同步
- 配置NTP认证
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$g8aGiP5FApBk.pBIEeK4aZ"
set system ntp server 100.100.100.1 key 1 /单个server指定认证
set system ntp trusted-key 1 /所有Server指定认证 - 查看NTP同步状态
show ntp associations
show ntp status
四、防火墙开启远程访问服务
- 开启防火墙服务
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate - 对服务进行优化
(1)FTP、Telent、SSH
set system services ftp connection-limit 10
set system services ftp rate-limit 10
set system services ssh root-login deny
set system services telnet connection-limit 10
set system services telnet rate-limit 10(2)WEB
set system services web-management management-url admin
set system services web-management http
set system services web-management https port 8443
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0 - 在防火墙zone下开启所有服务的,否则不能访问防火墙,包括(radius和ntp协议等)
host-inbound-traffic:允许管理流量到达防火墙自身
[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic system-services ?
Possible completions:
all All system services
bootp Bootp and dhcp relay-agent service
dhcp Dynamic Host Configuration Protocol
dhcpv6 Enable Dynamic Host Configuration Protocol for IPv6
dns DNS service
ftp FTP
http Web management service using HTTP
https Web management service using HTTP secured by SSL
ike Internet Key Exchange
ntp Network Time Protocol service
ping Internet Control Message Protocol echo requests
snmp Simple Network Management Protocol service
snmp-trap Simple Network Management Protocol traps
ssh SSH service
telnet Telnet service
tftp TFTP
[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic protocols ?
Possible completions:
all All protocols
bfd Bidirectional Forwarding Detection
bgp Border Gateway Protocol
dvmrp Distance Vector Multicast Routing Protocol
igmp Internet Group Management Protocol
msdp Multicast Source Discovery Protocol
nhrp Next Hop Resolution Protocol
ospf Open Shortest Path First
ospf3 Open Shortest Path First version 3
pgm Pragmatic General Multicast
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
sap Session Announcement Protocol
vrrp Virtual Router Redundancy Protocol
或者还有防火墙策略中放行
五、SNMP简单管理协议(v2c)
- snmp基础配置:
set snmp community public authorization read-only - snmp trap配置:
set snmp trap-group test categories chassis
set snmp trap-group test categories chassis-cluster
set snmp trap-group test categories configuration
set snmp trap-group test categories link
set snmp trap-group test categories routing
set snmp trap-group test categories service
set snmp trap-group test categories startup
set snmp trap-group test targets 100.100.100.1
六、系统日志配置
Junos的控制日志,可以给日志服务器、写在日志文件中、或者直接输出在CLI中
set system syslog archive size 1m
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog host 10.10.1.100 any notice
set system syslog host 10.10.1.100 authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog console any warning
set system syslog time-format year
set system syslog source-address 10.10.1.1
set system syslog file messages match "!(kernel time sync enabled)" /*过滤日志
Junos数据平面日志,将生成的session状态信息发送给日志服务器
set security log mode stream
set security log mode stream
set security log source-address 10.10.1.1
set security log stream log severity notice
set security log stream log host 10.10.1.10
七、设置console的参数
set system ports console log-out-on-disconnect
set system ports console disable
以上为Junos防火墙的基础配置,请参考!
原文地址:https://blog.51cto.com/ciscosyh/2362455