Juniper firewall: beginner hands-on configuration (internalqubo)

Uploaded by: s9****2  Document ID: 571467198  Uploaded: 2024-08-11  Format: PPT  Pages: 169  Size: 4.42MB

Copyright 2004 Juniper Networks, Inc. Proprietary and C

Firewall: hands-on configuration

Agenda
- System management
- Transparent mode
- Route mode
- Security policies
- Address translation
- Application-layer and network-layer attack protection

System management

System components
All key system functions run in memory. The firewall configuration can be changed over the console line and over the WebUI.
[Diagram: RAM holds the tables, buffers, running config and the active ScreenOS; flash holds the ScreenOS image, the saved config, certificates and so on. Configuration is read with "get" and written with "set" from the console, the WebUI, TFTP, auxiliary storage and the NetScreen management servers (DNS/Syslog); the image is loaded from flash at power-up/reset.]

Displaying status information - CLI
In the CLI, get commands provide valuable status about operational conditions: system serial number, software version, operating mode, interface status, interface address, management addresses.

    ns208-> get system
    Product Name: NS208
    Serial Number: 0043042002000034, Control Number: 00000000
    Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.0.0.0, Type: Firewall+VPN
    Base Mac: 0010.db1d.1c30
    File Name: n200-LAS0z0ad, Checksum: 00000000
    Date 04/15/2003 22:06:53, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39
    Total Device Resets: 0
    System in NAT/route mode.
    Use interface IP, Config Port: 80
    User Name: netscreen
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      *ip 1.1.1.1/24   mac 0010.db1d.1c30
      *manage ip 1.1.1.1, mac 0010.db1d.1c30
    --- more ---

Graphical interface - WebUI
The NetScreen firewall can be managed through a graphical user interface. Requirements (i.e. one IP address):
- a PC on the same subnet as the firewall
- password protection

Zone and interface assignment
A strict hierarchical linkage exists between zones and interfaces in a NetScreen device:
- Zones are assigned to a virtual router
- Interfaces are assigned to a security zone
- An interface can only belong to one security zone
- Individual configuration parameters are assigned to interfaces: IP addresses, management services, others
[Diagram: Virtual Router (VR) > Zone > Interface > IP.]

Zone types
Security zones:
- Pre-defined: Trust, Untrust, DMZ; V1-Trust, V1-Untrust, V1-DMZ
- User-defined
- Tunnel zone
Function zones: Null, MGT, HA, Self, VLAN

    ns5gt-> get zone
    Total 10 zones created in vsys Root - 5 are policy configurable.
    Total policy configurable zones for Root is 5.
    ------------------------------------------------------------------
      ID Name          Type    Attr    VR          Default-IF  VSYS
       0 Null          Null    Shared  untrust-vr  hidden      Root
       1 Untrust       Sec(L3) Shared  trust-vr    untrust     Root
       2 Trust         Sec(L3)         trust-vr    trust       Root
       4 Self          Func            trust-vr    self        Root
       5 MGT           Func            trust-vr    null        Root
      10 Global        Sec(L3)         trust-vr    null        Root
      11 V1-Untrust    Sec(L2)         trust-vr    v1-untrust  Root
      12 V1-Trust      Sec(L2)         trust-vr    v1-trust    Root
      14 VLAN          Func            trust-vr    vlan1       Root
      16 Untrust-Tun   Tun             trust-vr    hidden.1    Root
    ------------------------------------------------------------------

Configuring zones/interfaces - WebUI
Network > Interfaces (edit)

License key management
The following features require a license key:
- Capacity expansion (extended/advanced releases)
- Anti-virus
- URL filtering
- Deep Inspection
Two ways to install a key:
- Manual: get the key from Juniper or a reseller
- Automatic: register the device at the Juniper website, then download the licenses

    exec license-key capacity
    exec license-key update

File management
Back up and restore the important files the NetScreen firewall needs:
- ScreenOS image
- Configuration files
Locations for backup/restore of the configuration:
- On-board flash
- TFTP server
- External storage (SANdisk)
- Management station (WebUI only)

Saving the configuration
WebUI: saves automatically when you click "Apply" or "OK"; the console displays save messages.
CLI: manual command; writes to the on-board flash configuration file.

    ns208-> save

Configuration file management - CLI
Only the root administrator can perform these operations.
Configuration backup:

    save config from flash to tftp <ip_addr> <filename>    (or: pcmcia | slot1)
    ns208-> save config from flash to tftp 1.1.7.250 15Jun03.cfg

Configuration restore, option 1: copies the file into flash, available at the next reboot:

    save config from tftp <ip_addr> <filename> to flash    (or: pcmcia | slot1)
    ns208-> save config from tftp 1.1.7.250 15June03.cfg to flash

Configuration restore, option 2: merges the file into RAM. BE CAREFUL!

    save config from tftp <ip_addr> <filename> merge       (or: pcmcia | slot1)
    ns208-> save config from tftp 1.1.7.250 15June03.cfg merge

Configuration file management - WebUI
Configuration > Update > Config File

Configuration rollback
Provides a "safety net" for a failed or corrupted config. If the default config in flash can't be loaded, the system will try to load the "last known good" file. A rollback can also be forced manually to correct configuration mistakes.

    save config to last-known-good      (create the rollback file)
    exec config rollback                (force a rollback)

Software image management
- Image backup
- Image importing (upgrade)
- Downgrade from 5.0 or higher to prior releases

    save software from flash to tftp <ip_addr> <filename>    (or: pcmcia | slot1)
    ns208-> save software from flash to tftp 1.1.7.250 ns208image.bin
    save software from tftp <ip_addr> <filename> to flash    (or: pcmcia | slot1)
    ns208-> save software from tftp 1.1.7.250 newimage to flash
    exec downgrade

Upgrade example - CLI

    5XT-> save software from tftp 1.1.7.250 newimage.bin to flash
    !tftp received octets = 3304662
    tftp success!
    TFTP Succeeded
    Save to flash. It may take a few minutes ...
    update new flash image (02c86db0,3304662)
    platform = 17, cpu = 10, version = 16
    offset = 20, address = 900000, size = 3304584
    date = 0, time = 0, cksum = 28e9f31c
    Program flash (0,3304662) ...+done
    Done
    5XT-> reset

Upgrade example - WebUI
Configuration > Update > ScreenOS/Keys

"Disaster" recovery
NetScreen devices support features to deal with electronic "disasters":
- Corrupted ScreenOS image in flash
- Lost root password
- Requirement to reset to factory defaults

Recovering the ScreenOS image - boot mode

    NetScreen NS-200 Boot Loader Version 3.0.0 (Checksum: 35E1A866)
    Copyright (c) 1997-2003 NetScreen Technologies, Inc.
    Total physical memory: 128MB
        Test - Pass
        Initialization - Done
    Model Number: NS-208
    Hit any key to run loader
    Hit any key to run loader
    Hit any key to ru
    Serial Number 0043042002000034: READ ONLY
    HW Version Number 0110: READ ONLY
    Self MAC Address 0010-db1d-1c30: READ ONLY
    Boot File Name n200-LAS0z0ad: n200-LAS0z0ad
    Self IP Address 172.16.10.1: 1.1.1.1
    TFTP IP Address 172.16.10.131: 1.1.1.2
    Save loader config (112 bytes)... Done

The TFTP server must be in the same subnet as the NetScreen's Self IP address, and must be connected to:
- the Trust interface on devices with a Trust interface
- the E1 interface on devices with an E1 interface
- the E1/1 or MGT interface on systems

Boot mode (cont.)

    Loading file n200-LAS0z0ad...
    r!r.tatatatatatatatatatatatatatatatat
    Loaded Successfully! (size = 3,444,522 bytes)
    Ignore image authentication!
    Save to on-board flash disk? (y/n/m) Yes!
    Saving as default system image in flash disk... Done! (size = 3,444,522 bytes)
    Run downloaded system image? (y/n) Yes!
    Start loading...
    Done.
    NetScreen Technologies, Inc
    NS200 System Software
    Copyright, 1997-2003
    Version 5.0.0ad.0
    Init Heap (1546000/50b9c00,32, 00000000/00000000)
    GT64120 revision id: 0x11
    Load NVRAM Information ... (5.0)Done

Lost root administrator password
The password cannot be recovered; the system has to be returned to the factory settings. This is also called "Asset Recovery": all configuration parameters, certificates and keys are deleted. Two methods:
- Log in to the console with the device serial number as username and password. Warning messages regarding the destructive result will appear.
- Use the pinhole on the exterior of the system: press until the flashing light changes to red; wait until the flashing red turns to flashing green; press again.

Transparent mode

What is transparent mode?
The NetScreen firewall's interfaces work in Layer-2 bridge mode or Layer-2 switch mode: learning, flooding, forwarding, filtering. Security policies let the firewall apply access control to the traffic between Layer-2 security zones.
[Diagram: network 10.1.0.0/16; E1 in zone V1-Trust, E2 in zone V1-Untrust, E3 in zone V1-DMZ.]

Layer-2 frame forwarding (bridging/switching)
Functions of transparent mode:
- Learning (based on the source MAC address)
- Forward/Flood/Filter (based on the destination MAC address)
- Loop prevention (Spanning Tree Protocol)

MAC address table:
    Destination Address   Port
    00c0.01cd.5120        E1
    00e0.01ab.cd10        E8

How transparent mode works
Because Layer 3 is not used, transparent mode lets the firewall be deployed much faster:
- No topology has to be defined
- Increased security
- VPN can be used in NetScreen's Layer-2 operating mode
- The zone concept provides access control that is more secure than route-based ACLs
[Diagram: zones V1-Trust (10.1.0.0/16), V1-DMZ and V1-Untrust with hosts A, B, C, D; networks 10.100.1.0/16 and 10.200.1.0/16.]

Layer-2 security zones
- Pre-defined "V1" zones: V1-Trust, V1-Untrust, V1-DMZ
- User-defined Layer-2 (L2) zones: the name a user gives a Layer-2 zone must begin with "L2-"

Interfaces in transparent mode
In ScreenOS 5.0 no interface is defined as belonging to transparent mode. Instead an interface is placed into a Layer-2 security zone, so the zone of a Layer-2 interface must begin with "V1-" or "L2-". All interfaces in V1 or L2 security zones are members of the Layer-2 firewall's single broadcast domain.
[Diagram: interface e1 in zone L2-private, interface e2 in zone L2-public, network 10.1.0.0/16.]

The VLAN1 interface
- A Layer-3 logical interface in the VLAN zone
- It can be configured with an IP address used to manage the NetScreen firewall
- Supports a management IP address
- All physical interfaces can accept ARP requests for it
- VLAN1 is a logical interface which is accessible from any transparent zone
[Diagram: zones V1-Trust (hosts A, B, C at 1.1.1.10, 1.1.1.11, 1.1.1.12), V1-DMZ, V1-Untrust on E1, E2, E3; VLAN1 interface 1.1.1.210/24.]

Management behaviour
VLAN1 inherits its management options from the zone membership of the physical interfaces:
    Zone                Management services enabled
    V1-Trust            PING, telnet, SSH, SNMP, web, SSL, nsmgt
    V1-DMZ              PING only
    User-defined (L2)   none
    V1-Untrust          none

Configuring transparent mode
1. Create Layer-2 security zones (when the default zones are not used)
2. Assign interfaces to the Layer-2 security zones
3. Configure the management address for VLAN1
   3a. Configure the IP address
   3b. Choose the broadcast method
   3c. Configure the management services
4. (Optional) Configure the management services of each security zone
5. Configure policies between the security zones

Step 1: create a Layer-2 security zone
Network > Zones > New

    set zone name <name> L2 <vlan_id>
    ns208-> set zone name L2-Demo L2 1

Step 2: assign interfaces to the security zone
Network > Interfaces (Edit)

    set interface <interface> zone <zone>
    ns208-> set interface e3 zone L2-Demo

Step 3a: configure the VLAN1 IP address
Network > Interfaces > Edit (VLAN1)
Use the interface IP when terminating VPNs; use the Manage-IP as the destination address of PING, telnet, WebUI, etc.

    set interface vlan1 ip <ip>/<mask>
    ns208-> set int vlan1 ip 1.1.7.1/24
    set interface vlan1 manage-ip <ip>
    ns208-> set int vlan1 manage-ip 1.1.7.100/24

Step 3b: choose the broadcast method
- Flooding (default): if the destination is not in the MAC table, the original packet is flooded to all interfaces except the one it arrived on.
- ARP/Trace-Route: if the destination is not in the MAC table, an ARP or traceroute is broadcast to all interfaces except the one the packet arrived on.
Network > Interfaces > Edit (VLAN1)

    set vlan1 broadcast arp
    set vlan1 broadcast flood

Step 3c: configure the VLAN1 management services
Allow all management services (WebUI, Telnet, SSH, SNMP, SSL, NS-GlobalPro (nsmgmt)) or choose specific ones.
Network > Interfaces > Edit (VLAN1)

    set interface vlan1 manage
    ns208-> set int vlan1 manage
    set interface vlan1 manage <service>
    ns208-> set int vlan1 manage web
    ns208-> set int vlan1 manage ssl
    ns208-> set int vlan1 manage nsmgmt

Step 4: configure different management services per security zone
Network > Zones > Edit (V1-Trust)

    set zone <zone> manage <service>
    ns208-> set zone v1-dmz manage web

Transparent mode check tools
- get interface
- get arp
- get mac-learn
- get session

get interface

    ns208-> get interface ethernet1
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode xparent, port vlan 1, sess token 9
      link up, phy-link up/half-duplex
      vsys Root, zone V1-Trust, vr trust-vr
      *ip 0.0.0.0/0   mac 0010.db22.23f0
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled, nsmgmt enabled
      webauth disabled
      DHCP-Relay disabled
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps
    ns208->

get arp

    ns208-> get arp
    IP          Mac           VR/Interface       State  Age   Retry  PakQue
    3.4.5.6     abc3241244dc  trust-vr/v1-trust  STS    0     0
    1.1.7.250   00065bd2ff42  trust-vr/v1-trust  VLD    1151  0      0
    ARP Entry Number 2/1024, No Free Entry Count: 0
    Arp always-on-dest: disabled
    ns208->

Note: although the column says "interface", in transparent mode the zone name is displayed.
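The learning, forwarding, flooding and filtering behaviour described for transparent mode can be exercised in a few lines. The following Python model is an added example, not code from the course deck or from Juniper; it assumes a simple per-port MAC table and names its counters after the fields shown in the deck's get mac-learn output (Create, ReLearn, Flood, BCast, Drop). The MAC addresses and ports in demo() are taken from the MAC address table slide.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress: str      # port the frame arrived on, e.g. "E1"


@dataclass
class BridgeTable:
    """MAC table of a Layer-2 (transparent mode) device: learn on the source MAC,
    forward/flood/filter on the destination MAC. Counter names follow the
    'get mac-learn' output in the deck; the model itself is an assumption."""
    ports: list
    table: dict = field(default_factory=dict)        # mac -> port
    counters: dict = field(default_factory=lambda: {
        "Create": 0, "ReLearn": 0, "Flood": 0, "BCast": 0, "Drop": 0})

    def learn(self, mac, port):
        # Learning: associate the source MAC with the ingress port.
        if mac not in self.table:
            self.counters["Create"] += 1
        elif self.table[mac] != port:
            self.counters["ReLearn"] += 1   # host moved to another port
        self.table[mac] = port

    def forward(self, frame):
        """Return the egress port list for `frame` after learning its source MAC."""
        if frame.ingress not in self.ports:
            raise ValueError("unknown ingress port %s" % frame.ingress)
        self.learn(frame.src_mac, frame.ingress)
        others = [p for p in self.ports if p != frame.ingress]
        if frame.dst_mac == BROADCAST:
            self.counters["BCast"] += 1
            return others                  # broadcast: every port but the ingress one
        port = self.table.get(frame.dst_mac)
        if port is None:
            self.counters["Flood"] += 1
            return others                  # unknown unicast: flood
        if port == frame.ingress:
            self.counters["Drop"] += 1
            return []                      # filter: destination sits behind the ingress port
        return [port]                      # known unicast: forward to one port

    def link_down(self, port):
        """Mirror 'link down clear mac learn table: enable': forget entries on a downed port."""
        stale = [mac for mac, p in self.table.items() if p == port]
        for mac in stale:
            del self.table[mac]
        return len(stale)


def demo():
    """Replay the two-host example from the MAC address table slide (E1 and E8)."""
    bt = BridgeTable(ports=["E1", "E2", "E8"])
    steps = [
        Frame("00c0.01cd.5120", "00e0.01ab.cd10", "E1"),   # destination unknown -> flood
        Frame("00e0.01ab.cd10", "00c0.01cd.5120", "E8"),   # reply -> forward to E1
        Frame("00c0.01cd.5120", "00e0.01ab.cd10", "E1"),   # now known -> forward to E8
        Frame("0004.7648.aa3c", "00c0.01cd.5120", "E1"),   # same segment -> filtered
    ]
    return [bt.forward(f) for f in steps], bt
```

The fourth frame is the "filter" case: the destination was learned on the ingress port, so a transparent firewall must not repeat the frame back into that segment, which is the kind of loop the deck's loop-prevention bullet warns about.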

get mac-learn
Learning associates a MAC address with an outgoing interface and determines how received frames are forwarded at Layer 2. The table is also known as the bridge table or L2 forwarding table.
Static mapping: the association of a MAC address with an outgoing port can also be configured manually via the CLI (set mac ...).

    ns208-> get mac-learn
    link down clear mac learn table: enable
    Total 3, Create 9, Ageout 6
    Flood 1, BCast 150, ReLearn 1, NoFree 0, Error 0, Drop 0
    ethernet2: 0004.7648.aa3c 56
    ethernet1: 0010.db13.e441 44
    ethernet3: 0010.db15.6bc4 59

get session

    ns208-> get session
    alloc 2/max 128000, alloc failed 0
    id 43/s*,vsys 0,flag 00000090/00/00,policy 1,time 1
     17(01):192.168.1.5/27129->192.168.1.10/768,1,00b0d06c3f39,vlan 0,tun 0,vsd 0
     19(00):192.168.1.5/27129<-192.168.1.10/768,1,00b0d06c3f39,vlan 0,tun 0,vsd 0
     19(00):192.168.1.5/27385<-192.168.1.10/768,1,0010db2b1622,vlan 0,tun 0,vsd 0
    Total 2 sessions shown

Callouts on the slide point out, in each session line, the ICMP identifier, the ICMP sequence number and the IP protocol number.

Points to consider
- Policies must be configured to allow access; there is no default policy
- Policies are written with Layer-3 addresses
- Avoid potential network storms
- Transparent mode is a very flexible firewall deployment solution: firewall and VPN functions can be brought up quickly, and access control is achieved without changing the network structure or creating virtual (NAT) addresses.

Lab: Transparent mode
Objective: configure the firewall's transparent mode on a 5GT and manage the firewall while it is in transparent mode.

Route mode

Layer-3 operating mode
[Diagram: zones External, Private and Public; hosts A (10.1.10.5 on 10.1.10.0/24), B (10.1.20.5 on 10.1.20.0/24), C (1.1.70.250 on 1.1.70.0/24), D (200.5.5.5); firewall networks 10.1.1.0/24 (.1 firewall, .254 router), 10.1.2.0/24 (.1, .254), 1.1.7.0/24 and 1.1.8.0/24 (.1 firewall, .254 router).]

    Interface   Address
    E1          10.1.1.1
    E2          10.1.2.1
    E7          1.1.7.1
    E8          1.1.8.1

Static routes
[Same diagram.]

    Network        Interface   Next hop
    10.1.1.0/24    E1          -
    10.1.2.0/24    E2          -
    1.1.7.0/24     E7          -
    1.1.8.0/24     E8          -
    10.1.10.0/24   E1          10.1.1.254

Default gateway
[Same diagram.]

    Network        Interface   Next hop
    10.1.1.0/24    E1          -
    10.1.2.0/24    E2          -
    1.1.7.0/24     E7          -
    1.1.8.0/24     E8          -
    10.1.10.0/24   E1          10.1.1.254
    0.0.0.0/0      E8          1.1.8.254

Zones and interfaces: review
Strict hierarchy: an interface must belong to a zone before an IP address can be assigned to it.
[Diagram: Zone > Interface > IP.]

Layer-3 configuration steps
1. Create zones (when the default zones are not used)
2. Assign interfaces to zones
3. Assign IP addresses to the interfaces
4. Configure static routes

Step 1: create zones
Network > Zones

    set zone name <name>
    ns208-> set zone name Private

Step 2: assign interfaces to zones
Network > Interfaces (Edit)

    set interface <interface> zone <zone>
    ns208-> set interface e8 zone untrust

Step 3: assign addresses to interfaces
Network > Interfaces (Edit)

    set interface <interface> ip <ip>/<mask>
    ns208-> set interface e8 ip 1.1.8.1/24

Step 4: configure static routes
Network > Routing > Destination > Edit

    set route <ip>/<mask> interface <interface> gateway <ip>
    ns208-> set route 10.1.10.0/24 interface e1 gateway 10.1.1.254

Verifying the interface configuration
Network > Interfaces

    ns208-> get interface
    A - Active, I - Inactive, U - Up, D - Down, R - Ready
    Interfaces in vsys Root:
    Name   IP Address    Zone        MAC             VLAN  State  VSD
    eth1   10.1.1.1/24   Private     0010.db1d.1be0  -     U      -
    eth2   0.0.0.0/0     V1-DMZ      0010.db1d.1be4  -     D      -
    eth3   0.0.0.0/0     V1-Untrust  0010.db1d.1be5  -     D      -
    eth4   0.0.0.0/0     Private     0010.db1d.1be6  -     D      -
    eth5   0.0.0.0/0     Untrust     0010.db1d.1be7  -     D      -
    eth6   0.0.0.0/0     Null        0010.db1d.1be8  -     D      -
    eth7   1.1.7.1/24    Public      0010.db1d.1be9  -     U      -
    eth8   1.1.8.1/24    External    0010.db1d.1bea  -     U      -
    vlan1  0.0.0.0/0     VLAN        0010.db1d.1bef  1     D      -

Verifying static routes - WebUI
Network > Routing > Destination

Verifying static routes - CLI

    ns208-> get route
    untrust-vr (0 entries)
    --------------------------------------------------------------------------
    C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
    iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
    E2 - OSPF external type 2
    trust-vr (9 entries)
    --------------------------------------------------------------------------
          ID IP-Prefix     Interface  Gateway     P  Pref  Mtr  Vsys
    --------------------------------------------------------------------------
    *      7 0.0.0.0/0     eth8       1.1.8.254   S  20    1    Root
    *      8 10.1.1.0/24   eth1       1.1.1.10    S  20    1    Root
           9 10.2.1.0/24   eth2       1.1.2.10    S  20    1    Root
    *      6 1.1.8.0/24    eth8       0.0.0.0     C  0     0    Root
          11 10.3.1.0/24   eth3       1.1.3.10    S  20    1    Root
    *      5 1.1.7.0/24    eth7       0.0.0.0     C  0     0    Root
           4 1.1.3.0/24    eth3       0.0.0.0     C  0     0    Root
           3 1.1.2.0/24    eth2       0.0.0.0     C  0     0    Root
    *      2 1.1.1.0/24    eth1       0.0.0.0     C  0     0    Root

Verifying a route

    get route ip <ip>
    ns208-> get route ip 10.1.10.5
    Destination Routes for 10.1.10.5
    --------------------------------------------------------------------------
    trust-vr : => 10.1.10.0/24 (id=6) via 10.1.1.254 (vr: trust-vr)
                  Interface ethernet1 , metric 1

Verifying a route: ping and extended ping

    ns208-> ping 10.1.10.5
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 10.1.10.5, timeout is 2 seconds
    !
    Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/9 ms

    ns208-> ping
    Target IP address: 10.1.10.5
    Repeat count 5:
    Datagram size 100:
    Timeout in seconds 2:
    Source interface:
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 10.1.10.5, timeout is 2 seconds
    !
    Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/4 ms

Verifying a route: traceroute

    ns208-> trace 10.1.10.5
    Type escape sequence to escape
    Send ICMP echos to 10.1.10.5, timeout is 2 seconds, maximum hops are 32
    1  1ms  2ms  2ms  10.1.1.254
    2  3ms  2ms  3ms  10.1.10.5
    Trace complete

Route interdependence
[Same Layer-3 diagram. Routing table on the slide:]

    Network      Interface   Next hop
    1.1.8.0/24   E1          -
    0.0.0.0/0    E2          1.1.8.254

How will traffic from Host D get to Host A?

Virtual routers
One VR: one table displays all routes, external and internal; difficult to secure.

    Routing Table
          ID IP-Prefix       Interface  Gateway     P  Pref  Mtr  Vsys
    *      3 1.1.1.0/24      eth8       0.0.0.0     C  0     0    Root
    *      8 1.1.10.0/24     eth8       1.1.1.2     S  20    1    Root
    *      7 1.1.20.0/24     eth8       1.1.1.3     S  20    1    Root
    *      2 10.1.10.0/24    eth1       0.0.0.0     C  0     0    Root
    *      4 10.1.110.0/24   eth1       10.1.10.2   S  20    1    Root
    *      5 10.1.120.0/24   eth1       10.1.10.3   S  20    1    Root

[Diagram: E8 faces routers 1.1.1.2 and 1.1.1.3 toward 1.1.10.0 and 1.1.20.0; E1 faces routers 10.1.10.2 and 10.1.10.3 toward 10.1.110.0 and 10.1.120.0.]

Loopback interface
- No physical connection
- The firewall's loopback address can be reached through any interface, as long as a route to it exists
- Used for: management, VPN termination, dynamic routing (router ID)

Loopback interface configuration

    set interface loopback.<id> zone <zone>
    set interface loopback.<id> ip <ip>/<mask>
    set interface loopback.<id> manage <service>
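What get route ip does for one destination is a longest-prefix match over the active entries of the table, so it is worth reproducing against the get route output above. The following Python is an added example, not code from the deck or from Juniper; the parsing of the table layout and the tie-break order (longest prefix, then lower preference, then lower metric) are assumptions, and the sample input is the trust-vr table from this page. The interesting case is a destination whose only specific route is inactive (no "*", because eth2 is down in the get interface output): lookup falls through to the default route, exactly as the "*" column implies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Sample input: the trust-vr part of the 'get route' output shown on this page.
GET_ROUTE_OUTPUT = """\
trust-vr (9 entries)
--------------------------------------------------------------------------
      ID IP-Prefix     Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------
*      7 0.0.0.0/0     eth8       1.1.8.254   S  20    1    Root
*      8 10.1.1.0/24   eth1       1.1.1.10    S  20    1    Root
       9 10.2.1.0/24   eth2       1.1.2.10    S  20    1    Root
*      6 1.1.8.0/24    eth8       0.0.0.0     C  0     0    Root
      11 10.3.1.0/24   eth3       1.1.3.10    S  20    1    Root
*      5 1.1.7.0/24    eth7       0.0.0.0     C  0     0    Root
       4 1.1.3.0/24    eth3       0.0.0.0     C  0     0    Root
       3 1.1.2.0/24    eth2       0.0.0.0     C  0     0    Root
*      2 1.1.1.0/24    eth1       0.0.0.0     C  0     0    Root
"""


@dataclass
class Route:
    route_id: int
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes (shown as 0.0.0.0)
    protocol: str                               # C connected, S static, ...
    preference: int
    metric: int
    active: bool                                # '*' in the first column


def parse_get_route(text):
    """Parse the table rows; banner, header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        active = bool(fields) and fields[0] == "*"
        if active:
            fields = fields[1:]
        if len(fields) != 8 or not fields[0].isdigit():
            continue
        rid, prefix, iface, gw, proto, pref, mtr, _vsys = fields
        routes.append(Route(int(rid), ipaddress.ip_network(prefix), iface,
                            None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
                            proto, int(pref), int(mtr), active))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over active routes; ties go to lower preference, then lower metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.active and addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference, r.metric))


def next_hop(routes, dst):
    """(interface, address to resolve with ARP): the gateway for static routes,
    the destination itself for connected ones."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r.interface, str(r.gateway) if r.gateway else dst)


def describe(routes, dst):
    """Render the result in the style of 'get route ip <ip>'."""
    r = lookup(routes, dst)
    if r is None:
        return "no route to %s" % dst
    via = "via %s" % r.gateway if r.gateway else "connected"
    return "=> %s (id=%d) %s, Interface %s, metric %d" % (
        r.prefix, r.route_id, via, r.interface, r.metric)


ROUTES = parse_get_route(GET_ROUTE_OUTPUT)
```

Run describe(ROUTES, "10.2.1.5") and the answer is the default route via 1.1.8.254, not the 10.2.1.0/24 entry: a static route whose interface is down is in the table but not usable, which is why the deck pairs get route with get interface when verifying a Layer-3 setup.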

Network Address Translation (NAT)
[Diagram: zone Private with host A 10.1.10.5 on 10.1.10.0/24 (router .254) behind 10.1.1.0/24 (.1 firewall, .254 router); zone External with host D 200.5.5.5 via 1.1.8.0/24.]

    Before translation:  Src IP 10.1.10.5  Dst IP 200.5.5.5  Protocol 6  Src port 2000  Dst port 80
    After translation:   Src IP 1.1.8.1    Dst IP 200.5.5.5  Protocol 6  Src port 1024  Dst port 80

Internal private addresses are translated to a legal, registered, valid public IP address. This process is called Network Address Port Translation (NAPT).

Interface-based NAT
A firewall interface runs in NAT mode or in route mode. In route mode no address translation takes place. In NAT mode, address translation happens only under specific conditions:
- One VR: from the Trust zone to the Untrust zone ONLY
- Two VRs: from any VR to the Untrust VR ONLY
If NAT is needed between other zones/VRs, use policy-based NAT, which is covered later in the course.

Route mode
No address translation takes place; routes to the internal addresses are required.
[Same diagram.]

    Before:  Src IP 10.1.10.5  Dst IP 200.5.5.5  Protocol 6  Src port 2000  Dst port 80
    After:   Src IP 10.1.10.5  Dst IP 200.5.5.5  Protocol 6  Src port 2000  Dst port 80

NAT mode
Internal addresses are translated to the public IP address of the firewall's outbound interface; return traffic is translated back to the internal address.
[Same diagram, zones labelled Untrust and Trust.]

    Before:  Src IP 10.1.10.5  Dst IP 200.5.5.5  Protocol 6  Src port 2000  Dst port 80
    After:   Src IP 1.1.8.1    Dst IP 200.5.5.5  Protocol 6  Src port 1024  Dst port 80

Configuring the interface mode
Network > Interfaces (Edit)

    set interface <interface> route | nat
    ns208-> set interface e1 nat

Verifying the interface mode
WebUI: the same screen serves configuration and verification.

    get interface <interface>
    ns208-> get int e1
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/half-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      *ip 10.1.1.1/24   mac 0010.db1d.1be0
      *manage ip 10.1.1.1, mac 0010.db1d.1be0
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled
      webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled
      DHCP-Relay disabled
      bandwidth: physical 10000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps

Verifying NAT behaviour
- Not translated: the same IP addresses appear in both directions of the session
- Translated: the IP addresses differ between the two directions

    ns208-> get session
    alloc 5/max 128000, alloc failed 0
    id 99/s*,vsys 0,flag 00000000/00/00,policy 1,time 6
     0(01):10.1.10.5/34560->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
     10(20):1.1.8.1/1028

    ns208-> get session
    alloc 5/max 128000, alloc failed 0
    id 78/s*,vsys 0,flag 00000040/80/20,policy -1,time 89
     0(21):10.1.10.5/4647->200.5.5.5/80,6,0010db12cea1,vlan 0,tun 0,vsd 0
     3(00):10.1.10.5/4647

[Slides 73 to 75 are missing from the extracted text.]

Policy > Advanced

Advanced policy options (cont.)
Policy > Advanced

Traffic logs
Record the session end time, the session duration, the addresses and their translation, and the service used.
Reports > Policies > Traffic Log

Configuring traffic logs

    set policy (from <zone> to <zone> <sa> <da> <service> <action>) log
    -OR-
    set policy log
    ns5gt-> set policy id 1
    ns5gt(policy:1)-> set policy log

Policy

Verifying/accessing logging

    get log traffic

Policies; Reports > Policies

Traffic counting
View the traffic matching a policy as a graph. WebUI only.
Reports > Policies > Traffic Counting Graph

Configuring traffic counters

    set policy (from <zone> to <zone> <sa> <da> <service> <action>) count
    -OR-
    set policy count
    set policy count alarm <...>
    ns5gt-> set policy id 1
    ns5gt(policy:1)-> set policy count

Policy > Advanced

Verifying/accessing traffic counters
Policies; Reports > Policies

    get counters policy <id>

Policy scheduling
Defines time-based permit and deny for a policy. Two options:
- Recurring: two windows per day, weekly schedule
- Once only
Configure a time server so that the time is accurate.

Configuring policy scheduling
1. Create the schedule
2. Apply the schedule to the policy

Create schedule - WebUI
Objects > Schedules > New

Create schedule - CLI

    set scheduler <name> recurrent <day> start <time> stop <time> start <time> stop <time>
    ns208-> set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00
    ns208-> set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00
    (etc.)
    set scheduler <name> once start <date> stop <date>
    ns208-> set scheduler Y2K once start 01/01/2000 stop 01/02/2000

Apply schedule to policy

    set policy (from <zone> to <zone> <sa> <da> <service> <action>) schedule <name>
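Checking "when is it denied and when permitted" by hand is error-prone with two windows per day across several days, so here is a small evaluator for the scheduler commands above. It is an added example, not code from the deck or from Juniper: the command parser accepts the two forms shown on the page (recurrent <day> with up to two start/stop windows, and once with a start and stop date, where a trailing HH:MM after each date is an assumed optional extra), the day keywords other than "mon" and "tues" are assumed aliases, and recurrent stop times are treated as exclusive while a once schedule's stop is inclusive, which is also an assumption. The parser rejects a window that lacks its "start" keyword, the kind of slip that is easy to make when typing the second day's command.

```python
from datetime import datetime, time

# "mon" and "tues" appear in the deck's commands; the other spellings are assumed aliases.
DAY_NAMES = {"mon": 0, "tue": 1, "tues": 1, "wed": 2, "thu": 3, "thur": 3,
             "fri": 4, "sat": 5, "sun": 6}


def _hm(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def _parse_windows(tokens, cmd):
    """tokens = ['start', '7:00', 'stop', '12:00', ...]; at most two windows per day."""
    windows, i = [], 0
    while i + 3 < len(tokens):
        if tokens[i] != "start" or tokens[i + 2] != "stop":
            raise ValueError("expected 'start <time> stop <time>' in: " + cmd)
        start, stop = _hm(tokens[i + 1]), _hm(tokens[i + 3])
        if start >= stop:
            raise ValueError("window start must be before stop in: " + cmd)
        windows.append((start, stop))
        i += 4
    if i != len(tokens) or not windows or len(windows) > 2:
        raise ValueError("malformed window list in: " + cmd)
    return windows


def _parse_once(tokens, cmd):
    """tokens = ['start', 'MM/DD/YYYY', ['HH:MM'], 'stop', 'MM/DD/YYYY', ['HH:MM']]."""
    bounds, i = [], 0
    for keyword in ("start", "stop"):
        if i + 1 >= len(tokens) or tokens[i] != keyword:
            raise ValueError("expected '%s <date>' in: %s" % (keyword, cmd))
        when = datetime.strptime(tokens[i + 1], "%m/%d/%Y")
        i += 2
        if i < len(tokens) and tokens[i] != "stop":      # optional time of day (assumed)
            t = _hm(tokens[i])
            when = when.replace(hour=t.hour, minute=t.minute)
            i += 1
        bounds.append(when)
    if i != len(tokens) or bounds[0] > bounds[1]:
        raise ValueError("malformed once schedule in: " + cmd)
    return tuple(bounds)


def parse_scheduler_commands(commands):
    """{name: {"recurrent": {weekday: [(start, stop), ...]}, "once": [(start, stop), ...]}}"""
    schedules = {}
    for cmd in commands:
        tok = cmd.split()
        if tok[:2] != ["set", "scheduler"] or len(tok) < 5:
            raise ValueError("not a scheduler command: " + cmd)
        name, kind = tok[2], tok[3]
        sched = schedules.setdefault(name, {"recurrent": {}, "once": []})
        if kind == "recurrent":
            day = DAY_NAMES[tok[4].lower()]
            sched["recurrent"].setdefault(day, []).extend(_parse_windows(tok[5:], cmd))
        elif kind == "once":
            sched["once"].append(_parse_once(tok[4:], cmd))
        else:
            raise ValueError("unknown schedule type in: " + cmd)
    return schedules


def is_valid_scheduler_command(cmd):
    try:
        parse_scheduler_commands([cmd])
        return True
    except (ValueError, KeyError):
        return False


def schedule_active(sched, when):
    """True when the datetime `when` falls inside the schedule."""
    for start, stop in sched["once"]:
        if start <= when <= stop:
            return True
    for start, stop in sched["recurrent"].get(when.weekday(), []):
        if start <= when.time() < stop:
            return True
    return False


# The two schedules from this page's CLI slide.
SCHEDULES = parse_scheduler_commands([
    "set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00",
    "set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00",
    "set scheduler Y2K once start 01/01/2000 stop 01/02/2000",
])


def active_at(name, iso_timestamp, schedules=SCHEDULES):
    """Is schedule `name` active at 'YYYY-MM-DDTHH:MM'? A policy carrying the schedule
    is enforced only at those times."""
    return schedule_active(schedules[name], datetime.fromisoformat(iso_timestamp))
```

The dates in the checks below use 14 and 15 April 2003, the Monday and Tuesday around the date shown in the deck's get system output; a Wednesday is outside NoICQ because no window was defined for it.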

Policy > Advanced

Verifying scheduling
If a policy is shown with a grey background, scheduling is active for that policy. Confirm when it is denied and when it is permitted.

User authentication
When traffic passes through the firewall, the user has to enter a username and password. This can be combined with the NS Remote Client. The rule is used when the firewall needs additional verification of the user's identity. Two modes of operation:
- When a packet passes through the firewall, the firewall automatically prompts the user for a username and password. The application in the policy must be Telnet, FTP or HTTP.
- WebAuth: the user first authenticates on the firewall; once authentication succeeds, traffic may pass, and all applications matching the policy are allowed through the firewall.

Firewall authentication
[Diagram: the client sends to DA 172.16.1.99, service HTTP; the Auth policy answers Username? Password?; the client supplies them; Authenticated! All traffic permitted by policy. Web server 172.16.1.99.]

WebAuth authentication
[Diagram: the client sends to DA 10.1.1.42, service HTTP; WebAuth asks Username? Password?; the client supplies them; Authenticated! All traffic permitted by policy. Web server 172.16.1.99; WebAuth address 10.1.1.42.]

WebAuth example: the authentication dialogue
How the firewall authenticates depends on the service the user is using: HTTP displays a similar dialogue; FTP/Telnet display text-based prompts.

Authentication configuration steps
1. Create the users
2. Configure the authentication policy
3. (WebAuth only) configure the WebAuth address

Step 1: create users
Objects > Users > Local > Edit

    set user <name> password <password>

Step 2: configure the authentication policy
Policy > Advanced

    set policy (from <zone> to <zone> <sa> <da> <service> <action>) auth
    set policy (from <zone> to <zone> <sa> <da> <service> <action>) webauth

Step 3: configure the WebAuth address
Network > Interface > Edit

    set interface <interface> webauth
    set interface <interface> webauth-ip <ip>

Verifying authentication

    ns5gt-> get user all
    Total users: 1
    Id  User name  Enable  Type  ID-type  Identity  Belongs to groups
    --  ---------  ------  ----  -------  --------  -----------------
    1   JoeUser    Yes     auth

    ns5gt-> get auth table
    Total users in table: 1
      Successful: 1, Failed: 0
      Pending : 0, Others: 0
    Col T: Used: D = Default settings, W = WebAuth, A = Auth server in policy
    id  src           user     group  age  status   server  T  srczone  dstzone
    1   192.168.1.33  JoeUser         5    Success  Local   W  N/A      N/A

Lab: policy configuration steps
Add logging, counting and a schedule to your policies.

Address translation

Interface-based NAT - review
If the firewall's internal interface is in NAT mode:
- Network address and port translation (NAPT) is enabled by default
- The source address is translated to the firewall's external interface address
- The firewall's internal interface is in NAT mode by default
If the internal interface is in route mode:
- No address translation takes place by default
- Translation can be done through policies
All firewall interfaces other than the internal interface are in route mode by default.

Policy-based NAT
NAT takes place only within a policy, and can be applied from any zone to any zone.
- One-way address translation: NAT-src, NAT-dst, VIP
- Two-way address translation: MIP

Policy-based NAT
[Diagram with e8: 1.1.8.1. Each box shows the source/destination addresses (SA/DA) before and after translation:]
- NAT-src: SA 10.1.1.5, DA 200.100.8.5 becomes SA 1.1.8.1, DA 200.100.8.5
- NAT-dst: SA 200.100.8.5, DA 1.1.8.100:21 becomes SA 200.100.8.5, DA 10.1.20.5:21
- MIP: 10.1.1.5 is mapped to 1.1.8.2 in both directions (outbound 10.1.1.5 -> 200.100.8.5 becomes 1.1.8.2 -> 200.100.8.5; inbound 200.100.8.5 -> 1.1.8.2 becomes 200.100.8.5 -> 10.1.1.5)
- VIP: 200.100.8.5 -> 1.1.8.100:21 becomes 200.100.8.5 -> 10.1.20.5:21, and 200.100.8.5 -> 1.1.8.100:80 becomes 200.100.8.5 -> 10.1.30.5:80

Which NAT to choose?
- NAT-src: when sessions will only be initiated from private to public
- NAT-dst: when a specified service must be reachable from the internet, the service does not need to initiate connections to the internet, and the zone the service is published from is not Untrust (similar to VIP)
- MIP: when a one-to-one address mapping is needed
- VIP: when one public address must serve several internal addresses, mapped by service, and Untrust is the zone facing the public network

NAT-src options
- NAT-src without DIP: the source is translated to the firewall's external interface address; port translation is required
- DIP pool with port translation: an address is picked automatically from the pool for outgoing packets, and the source port is replaced by one chosen at random from 1024-65535 on the external interface
- DIP pool without port translation: an address is picked from the pool, and the source port stays the same as the port that initiated the session
- DIP address shifting: one-to-one address mapping from inside to outside

Dynamic IP (DIP)
An address pool designated for source address translation, defined on the external interface. The DIP pool must satisfy one of the following:
- It lies in the subnet of the interface's primary IP address
- It lies in the subnet of the interface's secondary IP address
- It lies in the subnet of the interface's extended IP address
A DIP pool can be used in several policies.
[Diagram: interfaces e1, e2, e3, e7, e8; hosts A 10.0.0.5 and B 10.1.1.5; E8 primary 1.1.8.1, secondary 1.1.10.1, extended 1.1.11.1; DIP 4: 1.1.8.10-1.1.8.20; DIP 10: 1.1.10.2-1.1.10.254; DIP 42: 1.1.11.1-1.1.11.254.]

NAT-src examples
[Diagram: zones Private and External; hosts A 10.0.0.5, B 10.1.1.5, C, D, E 200.100.8.5; FTP server 10.1.20.5; web server 10.1.30.5; E8: 1.1.8.1.]
- NAT-src: 10.1.1.5:1099 -> 200.100.8.5 becomes 1.1.8.1:1024 -> 200.100.8.5
- DIP with port translation: 10.1.1.5:6550 -> 200.100.8.5 becomes 1.1.8.10:1024 -> 200.100.8.5; 10.0.0.5:4251 -> 200.100.8.5 becomes 1.1.8.10:1025 -> 200.100.8.5
- DIP with fixed port: 10.1.1.5:6550 -> 200.100.8.5 becomes 1.1.8.10:6550 -> 200.100.8.5
- IP shift: 10.1.1.5 -> 200.100.8.5 becomes 1.1.8.10 -> 200.100.8.5; 10.1.1.6 -> 200.100.8.5 becomes 1.1.8.11 -> 200.100.8.5

NAT-src configuration procedure
1. Create the DIP
   1a. Port translation on
   1b. Port translation off
   1c. Address shifting
2. Create the policy
[Diagram: zones Private and External; hosts A 10.0.0.5, B 10.1.1.5, E 200.100.8.5; E8: 1.1.8.1; DIP on E8.]
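The four NAT-src variants above differ only in how the translated source address and port are picked, so one small translator can reproduce every line of the NAT-src examples slide. The Python below is an added example, not code from the deck or from Juniper: the Dip and NatSrc classes, the choice of the lowest pool address for pools with port translation, the sequential port allocation from 1024 and the reverse table for return traffic are all assumptions of this model; the addresses and ports are those from the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dip:
    """A DIP pool as created with 'set interface <if> dip <id> <low> <high> [fix-port]'
    or '... dip <id> shift-from <private_start> <low> <high>'."""
    dip_id: int
    low: str
    high: str
    fix_port: bool = False
    shift_from: Optional[str] = None

    def addresses(self):
        lo, hi = int(ipaddress.ip_address(self.low)), int(ipaddress.ip_address(self.high))
        return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


class NatSrc:
    """Source NAT for one policy. Without a DIP: egress interface address plus port
    translation. With a DIP: pool address with port translation, pool address with
    the port kept (fix-port), or one-to-one address shifting."""
    PORT_RANGE = range(1024, 65536)

    def __init__(self, interface_ip, dip=None):
        self.interface_ip = interface_ip
        self.dip = dip
        self.forward = {}    # (src_ip, src_port, dst_ip, dst_port) -> (xlat_ip, xlat_port)
        self.reverse = {}    # (xlat_ip, xlat_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.in_use = set()  # (xlat_ip, xlat_port) pairs already handed out

    def _alloc_port(self, xlat_ip):
        for port in self.PORT_RANGE:
            if (xlat_ip, port) not in self.in_use:
                return port
        raise RuntimeError("no free port on %s" % xlat_ip)

    def _pick(self, src_ip, src_port):
        if self.dip is None:                                   # NAT-src without DIP
            return self.interface_ip, self._alloc_port(self.interface_ip)
        if self.dip.shift_from:                                # address shifting
            offset = (int(ipaddress.ip_address(src_ip))
                      - int(ipaddress.ip_address(self.dip.shift_from)))
            xlat_ip = ipaddress.ip_address(self.dip.low) + offset
            if offset < 0 or xlat_ip > ipaddress.ip_address(self.dip.high):
                raise ValueError("%s is outside the shift range of DIP %d" % (src_ip, self.dip.dip_id))
            return str(xlat_ip), src_port
        if self.dip.fix_port:                                  # pool, port kept
            for xlat_ip in self.dip.addresses():               # first address where the port is free
                if (xlat_ip, src_port) not in self.in_use:
                    return xlat_ip, src_port
            raise RuntimeError("port %d busy on every address of DIP %d" % (src_port, self.dip.dip_id))
        xlat_ip = self.dip.addresses()[0]                      # pool with port translation (model: lowest address)
        return xlat_ip, self._alloc_port(xlat_ip)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: the (ip, port) the destination will see as the source."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.forward:
            xlat = self._pick(src_ip, src_port)
            self.forward[key] = xlat
            self.reverse[(xlat[0], xlat[1], dst_ip, dst_port)] = (src_ip, src_port)
            self.in_use.add(xlat)
        return self.forward[key]

    def untranslate(self, xlat_ip, xlat_port, dst_ip, dst_port):
        """Return packet from dst to the translated address: the private (ip, port) it
        goes back to, or None when no session exists (the packet would be dropped)."""
        return self.reverse.get((xlat_ip, xlat_port, dst_ip, dst_port))


def translate_or_none(nat, src_ip, src_port, dst_ip, dst_port):
    """translate() that reports a failed allocation or an out-of-range source as None."""
    try:
        return nat.translate(src_ip, src_port, dst_ip, dst_port)
    except (ValueError, RuntimeError):
        return None
```

Two details worth noticing: with fix-port, a second host that happens to use the same source port has to land on the next pool address, which is why fixed-port pools need more addresses than port-translating ones; and untranslate() only succeeds for a return packet that matches an existing session, which is the property that makes NAT-src suitable only for sessions initiated from the private side.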

Step 1: create the DIP - WebUI
Network > Interface > Edit > DIP (click on New): private start, public start, public end.

Step 1: create the DIP - CLI

    set interface <interface> dip <id> <start> <end>
    ns208-> set interface e8 dip 5 1.1.10.2 1.1.10.254

For an extended address range:

    set interface <interface> ext ip <ip>/<mask> dip <id> <start> <end>
    ns208-> set interface e8 ext ip 1.1.11.1/24 dip 42 1.1.11.2 1.1.11.254

No port translation:

    set interface <interface> dip <id> <start> <end> fix-port
    ns208-> set interface e8 dip 5 1.1.10.2 1.1.10.254 fix-port

Address shifting:

    set interface <interface> dip <id> shift-from <private_start> <public_start> <public_end>
    ns208-> set interface e8 dip 5 shift-from 10.1.1.5 1.1.10.2 1.1.10.40

Step 2: create the policy
Policies > Edit (Advanced)

    set policy from <zone> to <zone> <sa> <da> <service> nat src [dip-id <id>] permit
    Without DIP:
    ns208-> set policy from Private to External any any any nat src permit
    With DIP:
    ns208-> set policy from Private to External any any any nat src dip-id 5 permit

Checking the DIP configuration
Network > Interface > DIP

    ns208-> get dip
    Dip Id  Dip Low   Dip High   Interface  Attribute
    4       1.1.10.5  1.1.10.10  ethernet8  port-xlate
    Port-xlated dip stickness off

Verifying NAT-src - WebUI
Policies; Reports > Policies > Traffic Log

Verifying NAT-src - CLI

    ns208-> get policy id 1
    id 1, name none, from zone Private to zone External
    action Permit, status enabled
    src Any, dst Any, serv ANY
    Policies on this vpn tunnel: 0
    nat src dip-id 4, serv_timeout 0 (minute)
    vpn unknown vpn, policy flag 00, session backup: on
    traffic shapping OFF, url filtering OFF, scheduler n/a, serv flag 00
    log no, log count 0, alert no, counter no(0) rate(min/sec) 0/0
    total octets 2220, counter(session/packet/octet) 0/0/0
    priority 7, diffserv marking Off
    tadapter: state OFF, gbw/mbw 0/-1
    No Authentication
    No User, User Group or Group expression set

    ns208-> get session
    alloc 2/max 128000, alloc failed 0
    id 142/s*,vsys 0,flag 00000010/00/00,policy 1,time 1
     0(01):10.1.10.5/50944->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
     10(20):1.1.8.10/1024<-200.5.5.5/512,1,0010db21c041,vlan 0,tun 0,vsd 0
    id 143/s*,vsys 0,flag 00000010/00/00,policy 1,time 1

What "flavor" of DIP does this policy use?
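The "flavor" question above, and the earlier "Verifying NAT behaviour" slide, both come down to comparing the two direction lines of a session in get session: the initiator's address on the "->" line against the address on the "<-" line that the responder actually sees. The following Python answers both for a whole get session dump. It is an added example, not code from the deck or from Juniper; the line regex and the classification rules (same address: no translation; egress interface address: NAT-src without DIP; pool address with the port kept: fix-port or shifting; pool address with a new port: DIP with port translation) are assumptions. The sample is constructed: its "->" lines are the session lines on this page, and the "<-" lines have been completed where the slides truncated them.

```python
import re
from dataclasses import dataclass

# One direction line of 'get session', e.g.
#   0(01):10.1.10.5/50944->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
LINE_RE = re.compile(
    r"^\s*\d+\([0-9a-f]{2}\):(?P<left_ip>[\d.]+)/(?P<left_port>\d+)"
    r"(?:->|<-)(?P<right_ip>[\d.]+)/(?P<right_port>\d+),(?P<proto>\d+),")
HEADER_RE = re.compile(r"^id (?P<id>\d+)/.*?,policy (?P<policy>-?\d+),")

NO_NAT = "no translation"
IFACE_NAT = "NAT-src without DIP (egress interface address, port translated)"
DIP_PORT = "DIP pool with port translation"
DIP_FIXED = "DIP pool without port translation (fix-port or address shifting)"


@dataclass
class Session:
    session_id: int
    policy: int
    initiator: tuple     # (ip, port) as sent by the initiator
    translated: tuple    # (ip, port) the responder sees as its peer
    responder: tuple     # (ip, port)
    proto: int


def parse_get_session(text):
    """Pair the '->' line with the '<-' line of every session id. Sessions whose
    second line is missing (truncated output, as on the slides) are skipped."""
    sessions, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"id": int(h["id"]), "policy": int(h["policy"]), "lines": []}
            sessions.append(current)
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            current["lines"].append(m.groupdict())
    result = []
    for s in sessions:
        if len(s["lines"]) != 2:
            continue
        fwd, rev = s["lines"]
        result.append(Session(
            s["id"], s["policy"],
            (fwd["left_ip"], int(fwd["left_port"])),
            (rev["left_ip"], int(rev["left_port"])),
            (fwd["right_ip"], int(fwd["right_port"])),
            int(fwd["proto"])))
    return result


def classify_source_nat(session, egress_ip):
    src_ip, src_port = session.initiator
    x_ip, x_port = session.translated
    if x_ip == src_ip:
        return NO_NAT
    if x_ip == egress_ip:
        return IFACE_NAT
    if x_port == src_port:
        return DIP_FIXED
    return DIP_PORT


def nat_report(text, egress_ip):
    """{session id: classification} for a 'get session' dump, given the egress interface IP."""
    return {s.session_id: classify_source_nat(s, egress_ip) for s in parse_get_session(text)}


# Constructed sample (see the lead-in): e8 is 1.1.8.1, DIP 4 is 1.1.8.10-1.1.8.20.
SAMPLE = """\
alloc 3/max 128000, alloc failed 0
id 99/s*,vsys 0,flag 00000000/00/00,policy 1,time 6
 0(01):10.1.10.5/34560->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
 10(20):1.1.8.1/1028<-200.5.5.5/512,1,0010db21c041,vlan 0,tun 0,vsd 0
id 142/s*,vsys 0,flag 00000010/00/00,policy 1,time 1
 0(01):10.1.10.5/50944->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
 10(20):1.1.8.10/1024<-200.5.5.5/512,1,0010db21c041,vlan 0,tun 0,vsd 0
id 78/s*,vsys 0,flag 00000040/80/20,policy -1,time 89
 0(21):10.1.10.5/4647->200.5.5.5/80,6,0010db12cea1,vlan 0,tun 0,vsd 0
 3(00):10.1.10.5/4647<-200.5.5.5/80,6,0010db12cea1,vlan 0,tun 0,vsd 0
Total 3 sessions shown
"""
```

For session 142 the report says "DIP pool with port translation": the responder sees 1.1.8.10, a pool address rather than e8's 1.1.8.1, and port 50944 became 1024, which matches the port-xlate attribute shown by get dip for DIP 4.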

105、st一对一的映射一对多映射类似VIP多对多映射地址轮训端口翻译115Copyright 2004 Juniper Networks, Inc. Proprietary and C NAT-dst Examplese1e2e3e7e810.0.0.510.1.1.5ABCDE200.100.8.510.1.30.5:8080200.100.8.51.1.8.100:80200.100.8.5Port translation10.1.20.5:21200.100.8.51.1.8.100:21200.100.8.5One-to-oneOne-to-many1.1.8.100:21200.100.8

106、.51.1.8.100:80101.202.3.910.1.20.5:21200.100.8.510.1.30.5:80101.202.3.910.1.20.5FTP Server10.1.30.5Web ServerPrivate ExternalIP shift10.1.1.5200.100.8.51.1.8.10200.100.8.510.1.1.6200.100.8.51.1.8.11200.100.8.5116Copyright 2004 Juniper Networks, Inc. Proprietary and C e1e2e3e7e8Private ExternalNAT-ds

107、t Requirements10.0.0.510.1.1.5ABCDE200.100.8.510.1.20.5FTP Server10.1.30.5Web ServerPublic address: 1.1.10.1/32Actual NetworkLogical NetworkPrivate External10.0.0.0/2410.1.1.0/2410.1.20.0/2410.1.30.0/241.1.10.1/32Pre-translation address must be associated with destination zoneAddress book entryRoute

108、 entry117Copyright 2004 Juniper Networks, Inc. Proprietary and C NAT-dst 配置步骤1.为公网IP配置地址池2.配置路由2a. Secondary interface address OR2b. Static route 3.配置策略 3a. Single post-translation address (xxx to one)3b. Multiple post-translation addresses (xxx to many)3c. Port mappinge1e2e3e7e810.0.0.510.1.1.5ABCD

109、E10.1.20.5FTP Server10.1.30.5Web ServerPublic address: 1.1.10.20Private address: 10.1.20.5118Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 1: Configure Address Book Entry地址是公网地址 (i.e. pre-translation), 但是配置为内部的 zoneset address / ns208 set address Private MyPCPublic 1.1.10.20/32Objects

110、 Addresses (New)119Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 2a: 配置可达性 Secondary Addressset interface ip / secondaryns208 set interface e1 ip 1.1.10.1/24 secondaryNetwork Interface Edit Secondary IPs120Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 2b: 配置可达性 静态路由set

111、route / int ns208 set route 1.1.10.20/32 int e1Network Routing Routing Table (new)121Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 3: 配置策略 WebUIPolicies Edit (Advanced)Policies EditMyPCPublicHTTP 122Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 3:配置策略 CLIOne to oneset p

112、olicy from to nat dst ip permitns208 set policy from External to Private any MyPCPublic http nat dst ip 10.1.20.5 permitAddress shiftingset policy from to nat dst ip permitns208 set policy from External to Private any PublicRange http nat dst ip 10.1.40.1 10.1.40.254 permitPort translationset policy

113、 from to nat dst ip port permitns208 set policy from External to Private any MyPCPublic http nat dst ip 10.1.20.5 port 8080 permit123Copyright 2004 Juniper Networks, Inc. Proprietary and C 验证地址翻译 - WebUIPoliciesReports Policies Traffic Log124Copyright 2004 Juniper Networks, Inc. Proprietary and C Ve

114、rifying NAT-dst - CLIns208- get policy id 2id 2, name none, from zone External to zone Privateaction Permit, status enabledsrc Any, dst MyPCPublic, serv ANYPolicies on this vpn tunnel: 0nat dst map to 10.1.10.5, serv_timeout 0 (minute)vpn unknown vpn, policy flag 00, session backup: ontraffic shappi

115、ng OFF, url filtering OFF, scheduler n/a, serv flag 00log yes, log count 1005, alert no, counter no(0) rate(min/sec) 0/0total octets 285420, counter(session/packet/octet) 0/0/0priority 7, diffserv marking Offtadapter: state OFF, gbw/mbw 0/-1No AuthenticationNo User, User Group or Group expression se

116、tns208- get sessionalloc 133/max 128000, alloc failed 0id 322/s*,vsys 0,flag 04000010/00/00,policy 2,time 1 10(01):200.5.5.5/33800-1.1.10.20/1024,1,0010db21c041,vlan 0,tun 0,vsd 0 0(20):200.5.5.5/33800 Interface (Select Interface click on MIP)set int mip host ns208 set int e8 mip 1.1.8.15 host 10.1.

117、10.5128Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 2: 配置MIP策略Policies Editset policy from to MIP() permit129Copyright 2004 Juniper Networks, Inc. Proprietary and C Verifying MIP Operation WebUIPolicies130Copyright 2004 Juniper Networks, Inc. Proprietary and C Verifying MIP Operation

118、 - CLI Ping to MIP from external hostPing from internal host to external hostPacket egress is the interface where the MIP is definedns208- get sessionalloc 225/max 128000, alloc failed 0id 292/s*,vsys 0,flag 04000010/00/00,policy 2,time 1 10(01):200.5.5.5/1728-1.1.8.15/1024,1,0010db21c041,vlan 0,tun

119、 0,vsd 0 0(20):200.5.5.5/1728 get sessionalloc 2/max 128000, alloc failed 0id 38/s*,vsys 0,flag 04000010/00/00,policy 1,time 1 0(01):10.1.10.5/7936-200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0 10(20):1.1.8.15/7936 Interface (Select Interface click on MIP)set int mip host netmask ns208 set int e8

120、mip 1.1.8.32 host 10.1.10.32 netmask 255.255.255.248133Copyright 2004 Juniper Networks, Inc. Proprietary and C MIP Complications Other Interfaces?What if Host C wants to communicate with Host A using MIP defined on E8?ExternalZonePrivateZone1.1.70.2501.1.70.0/2410.1.10.510.1.20.0/24B10.1.10.0/24Publ

121、icZone10.1.20.5.254200.5.5.5ABCD10.1.1.0/2410.1.2.0/24.1.254.1.2541.1.7.0/241.1.8.0/24.254.1MIP =1.1.8.15134Copyright 2004 Juniper Networks, Inc. Proprietary and C The Solution Two PoliciesPolicy 1 from Public to External permits routing/forwarding to IP address 1.1.8.15Policy 2 is existing policy (

122、from external to private or external to global) invokes MIP to translate 1.1.8.15 to 10.1.10.5ExternalZonePrivateZone1.1.70.2501.1.70.0/2410.1.10.510.1.20.0/24B10.1.10.0/24PublicZone10.1.20.5.254200.5.5.5ABCD10.1.1.0/2410.1.2.0/24.1.254.1.2541.1.7.0/241.1.8.0/24.254.1POLICY 1POLICY 2135Copyright 200

123、4 Juniper Networks, Inc. Proprietary and C e1e2e3e7e8Virtual IP - VIPIP地址的多对一映射一个公网地址通过端口映射到内部的多台服务器上。只能在untrust zone中使用VIP地址必须与防火墙外接口在相同的网段VIP (1.1.8.100)PortDestIP21 10.1.20.523 10.0.0.580 10.1.30.510.0.0.5Telnet Server10.1.20.5FTP Server10.1.30.5Web ServerABC136Copyright 2004 Juniper Networks, In

124、c. Proprietary and C VIP 配置步骤1.在untrust 中定义VIP2.建立策略调用 VIPe1e2e3e7e8VIP (1.1.8.100)PortDestIP21 10.1.20.523 10.0.0.580 10.1.30.510.0.0.5Telnet Server10.1.20.5FTP Server10.1.30.5Web ServerABC137Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 1: Define VIPNetwork Interface Edit VIP/VIP Se

125、rvicesset int vip ns208 set int e8 vip 1.1.8.100 23 telnet 10.0.0.5ns208 set int e8 vip 1.1.8.100 21 ftp 10.1.20.5ns208 set int e8 vip 1.1.8.100 80 http 10.1.30.5138Copyright 2004 Juniper Networks, Inc. Proprietary and C Step 2: Define Policyset policy from to VIP() permitns208 set policy from untru

126、st to private any VIP:4 any permitPolicies EditVIP:4139Copyright 2004 Juniper Networks, Inc. Proprietary and C Verifying VIP ConfigurationNetwork Interface Edit VIP/VIP Servicesns208- get vipVirtual IP Interface Port Service Server/Port1.1.8.100 ethernet8 23 TELNET 10.0.0.5/23(DOWN)1.1.8.100 etherne

127、t8 80 HTTP 10.1.30.5/80(DOWN)1.1.8.100 ethernet8 21 FTP 10.1.20.5/21(DOWN)140Copyright 2004 Juniper Networks, Inc. Proprietary and C Verifying VIP Operationsns208- get sessionalloc 2/max 128000, alloc failed 0id 38/s*,vsys 0,flag 04000010/00/00,policy 1,time 1 11(01):1.1.8.5/1262-1.1.8.100/80,6,00b0

128、d080b963,vlan 0,tun 0,vsd 0 4(20):1.1.8.5/12621.1.8.100/23,6,00b0d080b963,vlan 0,tun 0,vsd 0 5(21):1.1.8.5/1451reset如果定购了相应的服务,将由juniper发与Serial number对应的Authentication Code给Disty,Disty在Juniper的网站上生成相应的license key,再给用户145Copyright 2004 Juniper Networks, Inc. Proprietary and C 检查license的有效期146Copyrig

129、ht 2004 Juniper Networks, Inc. Proprietary and C 更新防病毒和入侵防护的特征库Kaspersky AV pattern server:http:/update.juniper- av scan-mgr pattern-update(手动更新)DI pattern server:https:/ attack-db update(手动更新)2006-04-08 00:17:52notifSCAN-MGR: New AV pattern file has been updated. Version: 04/07/2006 15:11 GMT, viru

130、s records: 102953; type standard; size: 7789654 bytes.2006-04-08 00:16:50notifAttack database version 542 has been saved to flash2006-04-08 00:16:50emerDI policy has been loaded in to system.2006-04-08 00:16:45notifPKI: No revocation check, per config, for cert with subject name CN=,OU=Terms of use

131、at (c)05,OU=shared cert,O=NetScreen147Copyright 2004 Juniper Networks, Inc. Proprietary and C 防病毒配置148Copyright 2004 Juniper Networks, Inc. Proprietary and C 防病毒配置149Copyright 2004 Juniper Networks, Inc. Proprietary and C 防病毒配置150Copyright 2004 Juniper Networks, Inc. Proprietary and C 配置结果151Copyri

132、ght 2004 Juniper Networks, Inc. Proprietary and C 下载eicar的病毒文件阻断了152Copyright 2004 Juniper Networks, Inc. Proprietary and C 相应的log153Copyright 2004 Juniper Networks, Inc. Proprietary and C ns5gt- get av fail-mode traffic: close max. percent of AV resources allowed per client: 70(percent) connection

133、mode: close trickling: disabled scanning: HTTP (including WebMail) AV Key Expire Date: 05/07/2006 00:00:00 Update Server: http:/update.juniper- interval: 0 minutes auto update status: automatic update is disabled last result: already have latest database AV signature version: 04/07/2006 15:11 GMT, v

134、irus records: 102953 Scan Engine Info: last action result: No error(0x00000000), memory left 26500kB Scan engine default file extension list: 386;ACE;ARJ;ASP;BAT;BIN;BZ2;CAB;CHM;CLA;CMD;COM;CPL;DLL;DOC;DOT;DPL;DRV;DWG;ELF;EMF;EML;EXE;FON;FPM;GEA;GZ;HA;HLP;HTA;HTM;HTML;HTT;HXS;ICE;INI;ITSF;JAR;JPEG;J

135、PG;JS;JSE;LHA;LNK;LZH;MBX;MD?;MIME;MSG;MSI;MSO;NWS;OCX;OTM;OV?;PDF;PHP;PHT;PIF;PK;PL;PLG;PP?;PRG;PRJ;RAR;REG;RTF;SCR;SH;SHS;SWF;SYS;TAR;TGZ;THE;TSP;VBE;VBS;VXD;WSF;WSH;XL?;XML;ZIP; pattern type: standard max content size: 10000(k) (drop if exceeds) max concurrent messages: 16 (drop if exceeds) queue

136、 size: 16ns5gt-154Copyright 2004 Juniper Networks, Inc. Proprietary and C 入侵防护(IPS/DI)的配置155Copyright 2004 Juniper Networks, Inc. Proprietary and C 156Copyright 2004 Juniper Networks, Inc. Proprietary and C 防垃圾邮件配置157Copyright 2004 Juniper Networks, Inc. Proprietary and C ns5gt- get anti-spam profil

137、e: ns-profile *Whitelists (1): ; *Blacklist (1): ; *SBL Blacklist Server: *Default setting: *Action: tag mail subject as *SPAM*DNS Server: Primary : 202.96.128.86 Secondary: 202.96.128.166 Ternary: 0.0.0.0 Total connections: 0 Total greetings: 0 Total emails: 0 Total permit emails: 0 Total deny act

138、ions: 0 Total tag emails: 0 errors: 0 timeouts: 0ns5gt-ns5gt- exec anti-spam test AS: anti spam result: action Tag email subject, reason: Match local blacklist158Copyright 2004 Juniper Networks, Inc. Proprietary and C 防垃圾邮件配置159Copyright 2004 Juniper Networks, Inc. Proprietary and C Web Filtering配置1

139、60Copyright 2004 Juniper Networks, Inc. Proprietary and C Web Filtering配置161Copyright 2004 Juniper Networks, Inc. Proprietary and C Web Filtering 配置162Copyright 2004 Juniper Networks, Inc. Proprietary and C Web Filtering 配置163Copyright 2004 Juniper Networks, Inc. Proprietary and C Web filtering 测试16

140、4Copyright 2004 Juniper Networks, Inc. Proprietary and C 配置结果165Copyright 2004 Juniper Networks, Inc. Proprietary and C 流量日志(地址翻译)166Copyright 2004 Juniper Networks, Inc. Proprietary and C 防DDoS攻击167Copyright 2004 Juniper Networks, Inc. Proprietary and C 基于Syn-cookie方式防syn flooding168Copyright 2004 Juniper Networks, Inc. Proprietary and C 其他配置其他配置请参考Configuration & Guide的配置说明http:/ (英文版本:5.3)Copyright 2004 Juniper Networks, Inc. Proprietary and C 169Thank You
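The get session outputs shown above for NAT-src, NAT-dst, MIP and VIP all answer the deck's "what flavor of translation" question the same way: compare the ingress (01) leg with the egress (20) leg and see which addresses and ports changed. As an added example, not part of the original deck, the Python below parses session lines in that shape and names the translation; the sample sessions are constructed from the deck's own (truncated) output, and the MIP session's egress leg is an assumption.

```python
import re
from dataclasses import dataclass
# Constructed sample in the shape of ScreenOS "get session" output: the deck's
# outbound DIP session (id 142) and inbound MIP session (id 292); the MIP
# session's egress leg is assumed, since the deck's copy of it is truncated.
SAMPLE = """\
id 142/s*,vsys 0,flag 00000010/00/00,policy 1,time 1
 0(01):10.1.10.5/50944->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
 10(20):1.1.8.10/1024->200.5.5.5/512,1,0010db21c041,vlan 0,tun 0,vsd 0
id 292/s*,vsys 0,flag 04000010/00/00,policy 2,time 1
 10(01):200.5.5.5/1728->1.1.8.15/1024,1,0010db21c041,vlan 0,tun 0,vsd 0
 0(20):200.5.5.5/1728->10.1.10.5/1024,1,0010db12cea1,vlan 0,tun 0,vsd 0
"""
HDR = re.compile(r"^id (\d+)/.*?,policy (\d+),")
# Leg line: "<if>(01|20):<src>/<sport>-><dst>/<dport>,<proto>,..."; "->" or "-".
LEG = re.compile(r"^\s*\d+\((01|20)\):([\d.]+)/(\d+)-+>?([\d.]+)/(\d+),(\d+),")

@dataclass
class Leg:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

def parse_sessions(text):
    """Map session id -> {'policy': n, '01': ingress Leg, '20': egress Leg}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {"policy": int(m.group(2))})
            continue
        m = LEG.match(line)
        if m and cur is not None:
            side, src, sport, dst, dport, proto = m.groups()
            cur[side] = Leg(src, int(sport), dst, int(dport), int(proto))
    return sessions

def nat_flavor(sess):
    """Name the translation by diffing the ingress (01) and egress (20) legs."""
    a, b = sess.get("01"), sess.get("20")
    if a is None or b is None:
        return "incomplete"  # truncated output: nothing to compare
    kinds = []
    if a.src != b.src:  # source rewritten: DIP (or the outbound half of a MIP)
        kinds.append("nat-src port-xlate" if a.sport != b.sport else "nat-src fix-port")
    if a.dst != b.dst:  # destination rewritten: NAT-dst, MIP or VIP
        kinds.append("nat-dst port-map" if a.dport != b.dport else "nat-dst one-to-one")
    return "+".join(kinds) or "none"
```

For session 142 the source port 50944 becomes 1024, which is the port-xlate DIP the get dip output reports; a fix-port DIP or a MIP would keep the port unchanged.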
