
Juniper SRX Basic Initial Configuration Steps (Security Policy 2)

Published: 2024-11-25 Author: 千家信息网编辑

1) Interfaces

set interfaces ge-0/0/0.0 family inet address x.x.x.x/24

set interfaces ge-0/0/1.0 family inet address x.x.x.x/24


#show interfaces

#run show int terse


2) Security zones (assign the interfaces to their security zones)


set security zones security-zone Outside/Inside or untrust/trust interface ge-0/0/0.0


#show security zones


3) Security policy - inter-zone policy (inside-to-outside traffic: permit all; outside-to-inside traffic: deny all)

set security policies from-zone Inside to-zone Outside policy [Policy-Name] Default-Permit

match source-address any

match destination-address any

match application any

then permit

4) Address book of each security zone

// used in place of match source-address/destination-address any

set security zones security-zone Outside address-book address [Address-Name] x.x.x.x/32

set security zones security-zone Inside address-book address [Address-Name] x.x.x.x/32

5) Configure applications (applications application or applications application-set)

// used in place of match application any

set applications application [Application-Name] // show applications

set applications application [TCP-3032] protocol tcp destination-port 3032

set applications application-set [APP-SET1] application TCP-3032

show security flow session ?

_______________________________________________________________________________

6) count

edit security policies from-zone Inside to-zone Outside policy Default-Permit

set match source-address Inside-Network

set match destination-address SP-Routers

set match application any

set then permit

set then count

set then log session-init session-close

set system syslog file [Traffic-Log] any (facility) any (severity level)

set system syslog file [Traffic-Log] match "RT_FLOW_SESSION"

>show security policies policy-name [Default-Permit] detail

>show system syslog

>show log [Traffic-Log]
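The zone address-book entries, application definitions and policy match terms from steps 3 to 6 have to agree with one another, and a name defined in the wrong zone or never defined at all is easy to miss by hand. As an added example that is not from the original post, the following Python script parses Junos set-style configuration (a constructed sample is embedded) and reports policies that reference an address missing from the matching zone's address-book, reference an undefined application, or permit any/any/any. It assumes zone-attached address books as in step 4 and does not handle global address books.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" form; SP-Routers is defined in the wrong zone and Inbound permits everything.
SAMPLE_CONFIG = """
set security zones security-zone Inside address-book address Inside-Network 10.1.1.0/24
set security zones security-zone Inside address-book address SP-Routers 203.0.113.1/32
set applications application TCP-3032 protocol tcp destination-port 3032
set applications application-set APP-SET1 application TCP-3032
set security policies from-zone Inside to-zone Outside policy Default-Permit match source-address Inside-Network
set security policies from-zone Inside to-zone Outside policy Default-Permit match destination-address SP-Routers
set security policies from-zone Inside to-zone Outside policy Default-Permit match application APP-SET1
set security policies from-zone Inside to-zone Outside policy Default-Permit then permit
set security policies from-zone Outside to-zone Inside policy Inbound match source-address any
set security policies from-zone Outside to-zone Inside policy Inbound match destination-address any
set security policies from-zone Outside to-zone Inside policy Inbound match application any
set security policies from-zone Outside to-zone Inside policy Inbound then permit
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) ")
APP_RE = re.compile(r"^set applications (?:application|application-set) (\S+)")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(match|then) (\S+)(?: (\S+))?")

def audit_policies(config):
    """Return findings: dangling address/application references and any/any/any permits."""
    addrs = defaultdict(set)  # zone -> names in that zone's address-book
    apps = set()              # application and application-set names
    pols = defaultdict(lambda: {"match": defaultdict(set), "then": defaultdict(set)})
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            addrs[m.group(1)].add(m.group(2))
        elif m := APP_RE.match(line):
            apps.add(m.group(1))
        elif m := POL_RE.match(line):
            fz, tz, name, kind, key, val = m.groups()
            pols[(fz, tz, name)][kind][key].add(val)  # "then permit" stores key with val None
    findings = []
    for (fz, tz, name), pol in pols.items():
        label = f"{fz}->{tz}/{name}"
        # source addresses must live in the from-zone book, destinations in the to-zone book
        for key, zone in (("source-address", fz), ("destination-address", tz)):
            for ref in pol["match"][key] - {"any"}:
                if ref not in addrs[zone]:
                    findings.append(f"{label}: {key} {ref} not in {zone} address-book")
        for ref in pol["match"]["application"] - {"any"}:
            if ref not in apps and not ref.startswith("junos-"):  # junos-* are built-in
                findings.append(f"{label}: application {ref} not defined")
        if "permit" in pol["then"] and all(pol["match"][k] == {"any"} for k in ("source-address", "destination-address", "application")):
            findings.append(f"{label}: permit any/any/any")
    return findings
```

Run it against the output of `show configuration | display set` to check a live policy set; the `Inbound` finding is exactly the outside-to-inside permit that step 3 says should not exist.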

7) monitor

#set system syslog file Monitor-Traffic-Log any any

#set system syslog file Monitor-Traffic-Log match "10.1.1.1"

#show system syslog

>monitor start Monitor-Traffic-Log

>monitor stop

8) security flow traceoptions // Juniper's debug

9) Policy Schedulers // time-based access control list

10) Web-Authen

11) Pass-Through
