Juniper SRX 常用命令Word文档格式.docx
《Juniper SRX 常用命令Word文档格式.docx》由会员分享,可在线阅读,更多相关《Juniper SRX 常用命令Word文档格式.docx(17页珍藏版)》请在冰豆网上搜索。
setrouting-optionsstatic
setsystemloginuseradminclasssuper-user
setsystemloginuseradminauthenticationplain-text-password输入密码
setsystemservicesssh
setsecurityzonessecurity-zoneuntrusthost-inbound-trafficsystem-servicesssh/ping
setsecurityzonessecurity-zoneuntrustinterfacesge-0/0/0.0host-inbound-trafficsystem-servicesssh/telnet/ping
setsecurityzonessecurity-zonetrusthost-inbound-trafficsystem-servicesssh/telnet/ping
setsecurityzonessecurity-zonetrustinterfacesge-0/0/1.0host-inbound-trafficsystem-servicesssh/telnet/ping
setsecurityzonessecurity-zoneuntrustinterfacesge-0/0/0(不定义区域,无法配置NAT)
setsecurityzonessecurity-zonetrustinterfacesge-0/0/1
######setsecurityzonessecurity-zonetrustinterfacesge-0/0/1?
?
######setinterfacesinterface-rangeinterfaces-trustmemberge-0/0/1
##################################################
静态NAT:
setsecuritynatsourcerule-setinterface-natfromzonetrust
setsecuritynatsourcerule-setinterface-nattozoneuntrust
setsecuritynatsourcerule-setinterface-natrulerule1matchsource-address192.168.0.0/23
setsecuritynatsourcerule-setinterface-natrulerule1matchdestination-address0.0.0.0/0
setsecuritynatsourcerule-setinterface-natrulerule1thensource-natinterface
setsecurityzonessecurity-zonetrustaddress-bookaddress192192.168.0.0/23
setsecurityzonessecurity-zonetrustaddress-bookaddress-set192nataddress192
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchsource-addressany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchdestination-addressany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchapplicationany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natthenpermit
#######################################################
强制172.16.0.12走150出去(默认走物理接口146出去)
setsecuritynatsourcepoolpool-1address121.9.255.112
setsecuritynatsourcerule-setsou-natrulerule-mailmatchsource-address172.16.0.12/32
setsecuritynatsourcerule-setsou-natrulerule-mailmatchdestination-address0.0.0.0/0
setsecuritynatsourcerule-setsou-natrulerule-mailthensource-natpoolpool-1
insertsecuritynatsourcerule-setsou-natrulerule-mailbeforerulerule-sou
##########################################################
端口映射静态PAT:
从外到内
setsecuritynatproxy-arpinterfacege-0/0/0.0address10.1.1.100/24
setsecuritynatproxy-arpinterfacege-0/0/3.0address10.1.2.100/24
setsecuritynatdestinationpooldnat-pool-1address192.168.0.9/32
setsecuritynatdestinationpooldnat-pool-2address172.16.0.12/32
setsecuritynatdestinationrule-setdst-natfromzoneuntrust
setsecuritynatdestinationrule-setdst-natrulerule3matchdestination-address10.1.1.100/24
setsecuritynatdestinationrule-setdst-natrulerule3matchdestination-port21
setsecuritynatdestinationrule-setdst-natrulerule3thendestination-natpooldnat-pool-1
setsecuritynatdestinationrule-setdst-natrulerule2matchdestination-address10.1.2.100/24
setsecuritynatdestinationrule-setdst-natrulerule2matchdestination-port443
setsecuritynatdestinationrule-setdst-natrulerule2thendestination-natpooldnat-pool-2
setsecurityzonessecurity-zonetrustaddress-bookaddressftpserver192.168.0.9
setsecurityzonessecurity-zonetrustaddress-bookaddressmailserver172.16.0.12
setsecurityzonessecurity-zonetrustaddress-bookaddress-setservergroupaddressftpserver
setsecurityzonessecurity-zonetrustaddress-bookaddress-setservergroupaddressmailserver
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natmatchsource-addressanydestination-addressservergroupapplicationjunos-http
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natmatchapplicationjunos-pop3
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natthenpermit
setapplicationsapplication443protocoltcp
setapplicationsapplication443destination-port443
##############################################################
setsecuritynatsourcerule-setsou-natfromzonetrust
setsecuritynatsourcerule-setsou-nattozoneuntrust
setsecuritynatsourcerule-setsou-natrulerule-mailmatchsource-address172.16.0.30/32
管理端口:
setsystemservicesweb-managementhttps
setsystemservicesweb-managementhttp
setsystemservicesweb-managementhttpport8084
setsystemservicesweb-managementhttpinterfaceall
setsystemservicesweb-managementhttpssystem-generated-certificate
setsystemservicesweb-managementhttpinterfacege-0/0/0.0
setsystemservicesweb-managementhttpsinterfacege-0/0/0.0
###########################################################################
定义端口地址池XXX_group:
setapplicationsapplicationsmtp_25destination-port25protocoltcp
setapplicationsapplicationpop3_110destination-port110protocoltcp
setapplicationsapplicationexchange_135destination-port135protocoltcp
setapplicationsapplicationsmtp_465destination-port465protocoltcp
setapplicationsapplicationimap_993destination-port993protocoltcp
setapplicationsapplicationpop3_995destination-port995protocoltcp
setapplicationsapplication-setmail_port_groupapplicationsmtp_25
setapplicationsapplication-setXXX_groupapplicationsmtp
setapplicationsapplication-setXXX_groupapplicationpop3
引用XXX_group:
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchapplicationXXX_group
##############################################################################
反向静态NAT:
从外到内
setsecuritynatstaticrule-setmail-static-natfromzoneuntrust
setsecuritynatstaticrule-setmail-static-natrulemail1matchdestination-address121.9.255.150/32
setsecuritynatstaticrule-setmail-static-natrulemail1thenstatic-natprefix172.16.0.12/32
返回的安全Policy:
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchsource-addressany
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchdestination-addressMail_ser
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchapplicationany(XXX_group)
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policythenpermit
插入insertPolicy:
setsecurityzonessecurity-zonetrustaddress-bookaddressdeny_172172.16.0.155
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchsource-addressdeny_172
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchdestination-addressany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchapplicationany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172thendeny
insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172beforepolicyTrust2Utrust(Trust2Utrust允许上公网策略)
#####################################################
禁止192网段上网,只允许192.168.0.2,192.168.0.121上网
setsecurityzonessecurity-zonetrustaddress-bookaddressdeny_192192.168.0.0/23
setsecurityzonessecurity-zonetrustaddress-bookaddresspermit_host_2192.168.0.2/32
setsecurityzonessecurity-zonetrustaddress-bookaddresspermit_host_121192.168.0.121/32
setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddressFTP_ser
setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddresspermit_host_2
setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddresspermit_host_121
setsecurityzonessecurity-zonetrustaddress-bookaddress-setdeny_192_onlineaddressdeny_192
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchsource-addresspermit_192_online
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchdestination-addressany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchapplicationany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinethenpermit
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchsource-addressdeny_192_online
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchdestination-addressany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchapplicationany
setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinethendeny
insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinebeforepolicydeny_172
insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinebeforepolicydeny_172
配置WEB管理
setsystemhost-nameTest
setsystemroot-authenticationencrypted-password"
$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."
setsystemname-server202.96.128.166
setsystemname-server202.96.128.86
setsystemloginuseradminuid2001
setsystemloginuseradmin
升级会员 