
JUNIPER防火墙简单配置

unset key protection enable
set clock timezone 7
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "local" id 1
set auth-server "local" server-name "local"
set auth default auth server "local"
set auth radius accounting port 1646
set admin name "TXBFHQ"
set admin password "nPD4P/ryERLLc51DFsUB2fGt96D5on"
set admin access attempts 1
set admin access lock-on-failure 960
set admin auth web timeout 0
set admin auth server "Local"
set admin auth remote root
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
unset zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
unset zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Trust" screen ip-spoofing zone-based
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "Untrust" screen ip-spoofing zone-based
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "DMZ" screen alarm-without-drop
set zone "DMZ" screen on-tunnel
set zone "DMZ" screen icmp-flood
set zone "DMZ" screen udp-flood
set zone "DMZ" screen winnuke
set zone "DMZ" screen port-scan
set zone "DMZ" screen ip-sweep
set zone "DMZ" screen tear-drop
set zone "DMZ" screen syn-flood
set zone "DMZ" screen ip-spoofing
set zone "DMZ" screen ping-death
set zone "DMZ" screen ip-filter-src
set zone "DMZ" screen land
set zone "DMZ" screen syn-frag
set zone "DMZ" screen tcp-no-flag
set zone "DMZ" screen unknown-protocol
set zone "DMZ" screen ip-bad-option
set zone "DMZ" screen ip-record-route
set zone "DMZ" screen ip-timestamp-opt
set zone "DMZ" screen ip-security-opt
set zone "DMZ" screen ip-loose-src-route
set zone "DMZ" screen ip-strict-src-route
set zone "DMZ" screen ip-stream-opt
set zone "DMZ" screen icmp-fragment
set zone "DMZ" screen icmp-large
set zone "DMZ" screen syn-fin
set zone "DMZ" screen fin-no-ack
set zone "DMZ" screen limit-session source-ip-based
set zone "DMZ" screen syn-ack-ack-proxy
set zone "DMZ" screen block-frag
set zone "DMZ" screen limit-session destination-ip-based
set zone "DMZ" screen component-block zip
set zone "DMZ" screen component-block jar
set zone "DMZ" screen component-block exe
set zone "DMZ" screen component-block activex
set zone "DMZ" screen icmp-id
set zone "DMZ" screen tcp-sweep
set zone "DMZ" screen udp-sweep
set zone "DMZ" screen ip-spoofing drop-no-rpf-route
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "V1-Null"
set interface ethernet0/0 ip 10.0.3.9/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 218.89.188.50/24
set interface ethernet0/2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage snmp
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage web
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/1 vip interface-ip 8079 "HTTP" 218.89.189.232
set interface ethernet0/1 vip interface-ip 8080 "HTTP" 218.89.188.50
set interface ethernet0/1 vip interface-ip 8077 "HTTP" 10.0.3.10
set interface ethernet0/1 vip interface-ip 8078 "HTTP" 10.0.3.9
set interface "ethernet0/2" mip 218.89.188.50 host 10.0.3.10 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.0.3.1/24" 10.0.3.1 255.255.255.0
set address "Trust" "218.89.189.1/24" 218.89.189.1 255.255.255.0
set address "DMZ" "123" 192.168.2.3 255.255.255.255
set address "DMZ" "kbx" 10.0.3.10 255.255.255.0
set address "DMZ" "oda1" 1.2.1.8 255.255.255.255
set address "DMZ" "oda2" 1.2.1.8 255.255.255.255
set user "HYX" uid 3
set user "HYX" type auth wan
set user "HYX" password "rVX4ldT9Nz8bfTsee1CAjIIYq+nq9J3hyQ=="
set user "HYX" "enable"
set user "dw" uid 4
set user "dw" type auth wan
set user "dw" password "jbBRZOTvN7MA6ssJCaCXVYrW9jnJO3UWMg=="
set user "dw" "enable"
set user "kbx" uid 1
set user "kbx" type auth wan
set user "kbx" password "sBOfmFYCNgvpRKsk1mCVHZGDovnJbJd5rQ=="
set user "kbx" "enable"
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0


unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 4 from "Untrust" to "Trust" "Any" "MIP(218.89.188.50)" "ANY" permit log
set policy id 4
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 218.89.188.1
set route 0.0.0.0/0 interface ethernet0/2 gateway 218.89.189.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
