Juniper Srx防火墙管理手册jnpr v1

JUNIPER
SRX
2015 5

JUNOS ............................................................................................................ 5
1.1.
........................................................................................................... 5
1.2.
Junos ........................................................................................................... 6
1.3.
Junos ........................................................................................... 7
1.3.1.
CLI .................................................................................... 7
1.3.2.
J-WEB ............................................................................................ 9
1.3.3.
......................................................................................................... 10
1.3.4.
root ....................................................................................... 12
1.3.5.
................................................................................. 13
1.3.6.
................................................................................. 16
1.3.7.
......................................................................................... 24
SRX .................................................................................................... 25
2.1. ........................................................................................................................ 25
2.2. ................................................................................................................ 26
2.3. ........................................................................................................................ 35
SRX .............................................................................................................. 36
3.1. ................................................................................................................. 36
3.2. ................................................................................................. 37
3.3. DHCP ................................................................................................................ 43
3.4. ................................................................................................................. 45
3.4.1. .............................................................................. 45
Juniper Networks, Inc.
2 / 171
3.4.2. .............................................................................................. 47
3.4.3. ...................................................................................... 49
3.4.4. ...................................................................................................... 50
3.5. ......................................................................................................... 53
3.5.1. Interface based Nat ..................................................... 54
3.5.2. Pool based Source Nat ............................................. 57
3.5.3. Pool based Destination Nat ................................. 62
3.5.4. Pool based Static Nat ........................................... 69
3.6. IPSEC VPN ................................................................................................................ 76
3.6.1. SITE TO SITE IPSEC VPN ................................................................... 77
3.6.2. SITE TO SITE IPSEC VPN ................................................................... 95
3.6.3. DYNANMIC VPN................................................................................ 99
3.6.4. GROUP VPN ......................................................................................................... 118
3.7. ALG .......................................................................................... 126
3.8. SRX UTM ........................................................................................... 130
3.8.1
UTM ......................................................................................... 131
3.8.2
SRX UTM IDP ........................................................................... 132
3.8.3
SRX UTM Antivirus ................................................................... 134
3.8.4
SRX UTM WEB ................................................................ 136
3.8.5
SRX UTM ................................................................... 138
3.9. Appsecure .............................................................................................. 140

3.9.1. ................................................................ 141
3 / 171
3.9.2. Apptrack CLI ................................................................. 141

3.9.3.
AppFirewall .................................................................................. 142
3.9.4.
APPDDOS ..................................................................................... 144
3.10. Firewall Filter ....................................................................................... 146

3.10.1. FBF ............................................................................................................ 147
3.10.2. .......................................................................................... 150
3.10.3. ACL .............................................................................. 150
3.11. Screen .......................................................................................... 151
3.12. JSRP HA ........................................................................................ 155
SNMP ............................................................................... 160
Troubleshooting .............................................................................. 164
5.1. Flow ................................................................................................................... 164
5.2. IPSEC VPN .......................................................................................................... 166
5.3. LOG ........................................................................................................ 167
5.4. RSI LOG ..................................................................................... 168
-.................................................................................................... 170
4 / 171

SRX Branch SRX210 SRX
SRX SRX
CLI WEB
SRX210B*2SRX210-SH*1
WINDOWS 7
JUNOS
JUNOS Juniper
SRX JUNOS
JUNOS
JUNOS FreeBSD CLI WEBUI
1.1.
JUNOS CLI operationalconfigure
config edit
5 / 171
run JUNOS
edit unix cd ,up up
nexit topquit
1.2. Junos
JUNOS set
Candidate Config commit
SRX commit
Active config
JUNOS commit
commit confirmed 2 2
commit 2
SRX
commit show Candidate
Config
commit run show config
Active config
show | compare
6 / 171
SRX commit 50
rolback commit rollback 0/commit
commit
save configname.conf
load override configname.conf / commit load
factory-default / commit
SRX TFTP/FTP
J-WEB
1.3. Junos
SRX CLI J-WEB
2 CLI J-WEB
CLI
1.3.1.
CLI
console/telnet/ssh CLI
console Telnet SSH ROOT
root SSH
2
1 % root shell
shell SRX cli>
root@srx210% cli
7 / 171
root@srx210>
2 >
config #
root@srx210> con
root@srx210#
show shconfig con
sh
show
SRX set delete delete security

nat
Edit NAT edit security nat
NAT set
SRX copy
2
copy interfaces ge-0/0/1 to ge-0/0/2
SRX deactivate security nat
NAT activate security nat NAT
Rollback 0
8 / 171
Run run
root@srx210#run ping 192.168.1.1
1.3.2.
J-WEB
http/https WEB URL

Juniper SCREENOS WEB html
SRX J-WEB Javascript Javascipt html
WEB
html SRX WEB
SCREENOS Javascipt WEB
HTML Javascipt WEB

Javascript
IE WEB
9 / 171
SRX J-WEB
J-WEB commit
SCREENOS WEB
J-WEB HA J-WEB
SRX HA
(I/O)
J-WEB Javascript
WEB
J-WEB WEB
CLI
1.3.3.
CONSOLE
Console () SRXroot <>
COM
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

login: root
Password:
--- JUNOS 12.1X46-D20.5 built 2014-05-14 20:00:03 UTC
root% cli
/******/
root>
root> configure
10 / 171
Entering configuration mode

[edit]
/******/
Root#
WEB
ping IP 192.168.1.1
http://192.168.1.1
SRX 192.168.1.1 root Log
In
11 / 171
1.3.4.
root
ROOT
CLI
root
root# set system root-authentication plain-text-password

root# new password : root123
root# retype new password: root123
root# show system root-authentication

encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA
WEB
Start
* root
12 / 171
1.3.5.
HTTP/HTTPS/TELNET/SSH ROOT
HTTP/HTTPS/SSHTELNET Super-User
CLI
root# set system login user lab class super-user authentication plain-text-password
root# new password : lab123
root# retype new password: lab123
/*** lab lab123***/
WEB
System Properties User Management Edit
13 / 171
Add
14 / 171
User name login classic super-user
lab
15 / 171
1.3.6.
CLI
set system services telnet
set system services web-management http
/***telnet/http ***/
set system services web-management http interface ge-0/0/0.0

/***WEBhttp interfacege-0/0/0.0
WEB***/
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.238/24

set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2
/***SRX IP ScreenOS
0 ***/
set security zones security-zone untrust interfaces ge-0/0/0.0

/***ge-0/0/0.0 ScreenOS***/
set security zones security-zone untrust host-inbound-traffic system-services ping

set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ssh
/***untrust zone ScreenOS SRX Zone
Ping/http/telnet/sshzone ***/
WEB
16 / 171
System Propeties Management Access Edit
Services Enable Telnet Enable SSH Enable Http

ge0/0/0.0 Selected Interface
17 / 171
Ge0/0/0.0 Selected Interfaces
Interfaces Ports Ge0/0/0.0 Edit
18 / 171
IPV4 Address Add IP
IP
19 / 171
Routing Static Routing Add
Static Router Next-hop
20 / 171
Zone name Untrust Edit
21 / 171
http http
ping ssh telnet Selected
22 / 171
commit
23 / 171
1.3.7.
2
reset
CLI
root# load factory-default

root
Reset
reset 15
Status Status
24 / 171
SRX
2.1.
JUNOS
CLI
1.
user@host> request system power-off
2. JUNOS Console
user@host> request system halt
The operating system has halted.

Please press any key to reboot
WEB
WEB halt
25 / 171
2.2.

OS
http://www.juniper.net/support/downloads/junos.html
Juniper 12.1X44-D45.2
CLI
1. OS
WINSCP FTP
3CDaemon FTP
26 / 171
OS G:\FTP
SRX
lab@SRX210B> ftp 192.168.1.3
Connected to 192.168.1.3.
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.1.3:lab): anonymous
331 User name ok, need password
Password:
230-The response '' is not valid.
230-Next time, please use your email address as password.
230 User logged in
Remote system type is UNIX.
27 / 171
Using binary mode to transfer files.

ftp> ls
200 PORT command successful.
150 File status OK ; about to open data connection
drwxrwxrwx 1 owner group
0 Apr 06 20:26 .
drwxrwxrwx 1 owner group
0 Apr 06 20:26 ..
-rwxrwxrwx 1 owner group 138198178 Apr 06 20:26 junos-srxsme-12.1X44-D45.2domestic.tgz

226 Closing data connection
ftp> bin
200 Type set to I.
ftp> lcd
/******/
Local directory now /cf/var/home/lab

ftp> lcd /cf/var/tmp
/***/cf/var/tmp***/
Local directory now /cf/var/tmp

ftp> mget junos-srxsme-12.1X44-D45.2-domestic.tgz /*** mget OS
***/
mget junos-srxsme-12.1X44-D45.2-domestic.tgz?
200 PORT command successful.
150 File status OK ; about to open data connection
100%
|**************************************************************************************
28 / 171
********************************************************************|
131
MB
00:00 ETAA
226 Closing data connection; File transfer successful. /******/
138198178 bytes received in 87.72 seconds (1.50 MB/s)
ftp>
2.
lab@SRX210B> request system snapshot media internal slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived: /
3.
lab@SRX210B> request system software add /cf/var/tmp/junos-srxsme-12.1X44D45.2-domestic.tgz no-copy no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size
2048
using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152544, 305056, 457568
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X44-D45.2domestic' ...
Verified
junos-boot-srxsme-12.1X44-D45.2.tgz
29 / 171
signed
by
PackageProduction_12_1_0
Verified
junos-srxsme-12.1X44-D45.2-domestic
signed
PackageProduction_12_1_0
JUNOS 12.1X44-D45.2 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 5537]
Shutdown NOW!
*** FINAL System shutdown message from root@SRX210B ***

System going down IMMEDIATELY
/*** OS ***/
4.
lab@SRX210B> show system software
Information for junos:
Comment:
JUNOS Software Release [12.1X44-D45.2]
lab@SRX210B> request system software rollback

** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
30 / 171
by
clean, 76202 free (26 frags, 9522 blocks, 0.0% fragmentation)

junos-11.2R4.3-domestic will become active at next reboot
lab@SRX210B> request system storage cleanup /******/

List of files to delete:
Size Date
Name
62B Jul 30 2012 /cf/var/crash/flowd_octeon.log..0

62B Jan 26 16:44 /cf/var/crash/flowd_octeon.log..1
62B Feb 24 16:02 /cf/var/crash/flowd_octeon.log..2
62B Apr 6 09:26 /cf/var/crash/flowd_octeon.log..3
62B Apr 6 09:48 /cf/var/crash/flowd_octeon.log.SRX210B.0
752B Apr 6 20:34 /cf/var/crash/flowd_octeon.log.SRX210B.1
11B Apr 6 20:34 /cf/var/jail/tmp/alarmd.ts
49.5K Feb 12 16:01 /cf/var/log/autod.0.gz
68.0K Feb 12 02:34 /cf/var/log/autod.1.gz
119B Apr 6 21:04 /cf/var/log/interactive-commands.0.gz
8046B Apr 6 21:04 /cf/var/log/messages.0.gz
183B Apr 6 20:37 /cf/var/log/wtmp.0.gz
137B Apr 6 09:25 /cf/var/log/wtmp.1.gz
87B Jan 26 16:44 /cf/var/log/wtmp.2.gz
3871B Apr 6 20:34 /cf/var/tmp/cleanup-pkgs.log
0B Apr 6 20:33 /cf/var/tmp/eedebug_bin_file
31 / 171
34B Apr 6 20:33 /cf/var/tmp/gksdchk.log

124.0K Apr 6 20:31 /cf/var/tmp/gres-tp/env.dat
0B Jan 26 16:44 /cf/var/tmp/gres-tp/lock
131.8M Apr 6 12:26 /cf/var/tmp/junos-srxsme-12.1X44-D45.2-domestic.tgz
33B Apr 6 20:33 /cf/var/tmp/kmdchk.log
155B Apr 6 20:34 /cf/var/tmp/krt_gencfg_filter.txt
30B Apr 6 20:35 /cf/var/tmp/policy_status
0B Apr 6 20:34 /cf/var/tmp/rtsdb/if-rtsdb
0B Jan 26 16:43 /cf/var/tmp/spu_kmd_init
0B Apr 6 20:35 /cf/var/tmp/vpn_tunnel_orig.id
Delete these files ? [yes,no] (no)
/*** yes ***/
WEB
Maintain Software UploadPackage
tgz Upload
and Install Package
32 / 171
33 / 171
Dashboard Software Version
34 / 171
2.3.
console
root
1. CONSOLE
2.
boot -s
Loading /boot/defaults/loader.conf
/kernel data= syms=[ ]
Hit [Enter] to boot immediately, or space bar for command
prompt.
loader>
loader> boot s
35 / 171
3. Recovery
Enter full pathname of shell or 'recovery' for root password
recovery or RETURN for /bin/sh: recovery
4. root root
user@host> configure
Entering configuration mode
user@host#delete system root-authentication
user@host#set system root-authentication plain-text-password
user@host#New password:
user@host#Retype new password:
user@host# commit
5. commit complete
SRX
3.1.
36 / 171
3.2.
ZONE
SRX IP
type-pim/0/port.logical-unit-number
GE-0/0/0.0 0 0 0
37 / 171
Trust Untrust Null

Null Null
38 / 171
CLI
SRX210B GE-0/0/0.0 192.168.1.239/24 zone
Untrust Vlan.0 172.17.1.1/24 zone Trust
SRX210B IP
root@SRX210B# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.239/24
root@SRX210B# set interfaces vlan unit 0 family inet address 172.17.1.1/24
SRX210B ZONE
root@SRX210B# set security zones security-zone trust interfaces vlan.0
root@SRX210B# set security zones security-zone untrust interfaces ge-0/0/0.0
SRX210B
root@SRX210B# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.253
WEB
ge-0/0/0.0 Untrust
39 / 171
Vlan.0 IP
40 / 171
VLAN.0 Trust
41 / 171
Routing-Static Routing 0/0

192.168.1.253
42 / 171
3.3. DHCP
SRX210B DHCP
172.17.1.100-200172.17.1.1DNS 192.168.1.10Vlan.0
CLI
set system services dhcp pool 172.17.1.0/24 address-range low 172.17.1.100
set system services dhcp pool 172.17.1.0/24 address-range high 172.17.1.200
set system services dhcp pool 172.17.1.0/24 name-server 192.168.1.10
set system services dhcp pool 172.17.1.0/24 router 172.17.1.1
set system services dhcp pool 172.17.1.0/24 propagate-settings vlan.0
WEB
Services-DHCP-DHCP Service DHCP Pools DHCP Pools
43 / 171
44 / 171
3.4.
3.4.1.
untrust
DNSGROUP
DNS10192.168.1.10/32 DNS10 DNSGROUP
trust
Lan 172.17.1.0/24
CLI
set security zones security-zone untrust address-book address DNS10
192.168.1.10/32
set security zones security-zone untrust address-book address-set DNSGROUP
address DNS10
set security zones security-zone trust address-book address Lan 172.17.1.0/24
WEB
Security-Policy Elements-Address Book Address untrust
DNS10 DNSGROUP
45 / 171
DNS10
Address Sets DNSGROUP
Trust Lan
46 / 171
3.4.2.
TCP-8080
CLI
set applications application tcp-8080 protocol tcp
set applications application tcp-8080 destination-port 8080
47 / 171
WEB
Security-Policy Elements-Applications Custom-Applicatios
48 / 171
3.4.3.
AllowDNS 1200-1300
CLI
set schedulers scheduler AllowDNS daily start-time 12:00:00 stop-time 13:00:00
WEB
Security-Policy Elements-Scheduler
49 / 171
3.4.4.
zone zone
Trust Lan Untrust DNSGROUP

TCP-8080 AllowDNS
CLI
set security policies from-zone trust to-zone untrust policy AllowDNS match sourceaddress Lan
set security policies from-zone trust to-zone untrust policy AllowDNS match
50 / 171
destination-address DNSGROUP
set security policies from-zone trust to-zone untrust policy AllowDNS match
application tcp-8080
set security policies from-zone trust to-zone untrust policy AllowDNS then permit
set security policies from-zone trust to-zone untrust policy AllowDNS schedulername AllowDNS
WEB
Security-Policy-Apply Policy
51 / 171
Scheduling AllowDNS
52 / 171
3.5.
SRX NAT ScreenOS
ScreenOSNAT policy MIP/VIP/DIP NATpolicy
NAT untrust Souec-NAT SRX NAT
Policy
53 / 171
NAT NAT
Policy
SRX NAT Policy
Policy Policy
Policy IP
ScreenOS
SRX MIP/VIP/DIP MIP Static
DIPSource NAT Policy VIP Destination NAT
ScreenOS Untrust zone SRX SRX
Trust Zone NAT ScreenOSStatic NAT
NAT
SRX proxy-arp IP Pool
SRX Pool ARP IP Pool MAC
MAC SRX
3.5.1. Interface based Nat
172.17.1.0
192.168.1.239
54 / 171
CLI
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match sourceaddress 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat
interface
WEB
Nat-Source NAT Source Rule Set Add
55 / 171
Rule Set Name Rule Set Rule
Rules Add RuleRule

Nat NAT 0.0.0.0/0 Source Address
56 / 171
Source Nat
3.5.2. Pool based Source Nat
Name Snatpool 192.168.1.220-230 Pool

172.17.1.0/24 SnatPool
CLI
set security nat source pool snatpool address 192.168.1.220/32 to 192.168.1.230/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snatpool220-230 match sourceaddress 172.17.1.0/24
set security nat source rule-set trust-to-untrust rule snatpool220-230 then sourcenat pool snatpool
57 / 171
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.220/32 to

192.168.1.230/32
Pool Zone proxy-arp SRX

Pool IP
ge-0/0/0.0 Pool
WEB
NAT-Source Nat Source NAT Pool Add POOL
Pool Name
58 / 171
Port
SnatPool
59 / 171
Source Rule Set Rule
Rule Name SnatPool220-230 172.17.1.0/24 Source

NAT With Pool
60 / 171
SnatPool Proxy Arp ge-0/0/0.0

Pool
NAT-Proxy Add
61 / 171
3.5.3. Pool based Destination Nat

NAT IP SCREENOS VIP
IP
IP-172.16.1.11 3389 192.168.1.236 3389
62 / 171
CLI
/***NAT ***/
set security nat destination pool srv11-3389 address 172.16.1.11/32
set security nat destination pool srv11-3389 address port 3389
set security nat destination rule-set utot from zone untrust
set security nat destination rule-set utot rule u236-srv11-3389 match sourceaddress 0.0.0.0/0
set security nat destination rule-set utot rule u236-srv11-3389 match destinationaddress 192.168.1.236/32
set security nat destination rule-set utot rule u236-srv11-3389 match destinationport 3389
set security nat destination rule-set utot rule u236-srv11-3389 then destinationnat pool srv11-3389
63 / 171
/*** 3389 ***/

set applications application tcp-3389 protocol tcp
set applications application tcp-3389 destination-port 3389
/*** SRV11 ***/
set security zones security-zone trust address-book address srv11 172.16.1.11/32
/******/
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 match
source-address any
destination-address srv11
application tcp-3389
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 then
permit
WEB
NAT-Destination NAT Destination Nat Pool Add Pool
Pool Name IP
64 / 171
OK Pool
Destination Rule Set Add NAT
Rule Set Name Rules Add
65 / 171
Rule Name Actions Pool
66 / 171
NAT OK Rule Set
67 / 171
68 / 171
3.5.4. Pool based Static Nat

Static Nat IP Screenos MIP
Static Nat 192.168.1.237 172.16.1.10

69 / 171
CLI
/***Static Nat ***/
set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address
192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix
172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
/***SRV10 ***/
set security zones security-zone trust address-book address SRV10 172.16.1.10/32
/******/
set security policies from-zone untrust to-zone trust policy U237-SRV10 match
source-address any
70 / 171
destination-address SRV10
application any
set security policies from-zone untrust to-zone trust policy U237-SRV10 then
permit
WEB
NAT-Static NAT Add NAT
Rule Set Name Add Rules
71 / 171
72 / 171
73 / 171
Proxy-Arp
74 / 171
75 / 171
3.6. IPSEC VPN

SRX IPSEC SITE TO SITE VPN
VPN VPN
2 SRX210A SRX210B VPN

76 / 171
172.16.1.0/24 172.17.1.0/24
3.6.1. SITE TO SITE IPSEC VPN

VPN
IKE -P1
Mode:main
Proposal-set:standard
Pre-shared-key:juniper
IPSEC VPN -P2:
Proposal-set:standard
CLI
SRX210A
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
77 / 171
set routing-options static route 172.17.1.0/24 next-hop st0.0

st0.0 tunnel ZoneVPN
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic

system-services ike
IKE
set security ike policy aike mode main

set security ike policy aike proposal-set standard
set security ike policy aike pre-shared-key ascii-text juniper
IKE Phase1 policy main modestandard proposal
set security ike gateway gw1 ike-policy aike

set security ike gateway gw1 address 192.168.1.239
set security ike gateway gw1 external-interface ge-0/0/0.0
IKE Gateway 192.168.1.239ge-0/0/0.0
set security ipsec policy ap2 proposal-set standard

set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ap2
set security ipsec vpn vpn1 establish-tunnels immediately
ipsec Phase 2 VPN standard proposalst0.0 Phase 1 gw1 ike
set security policies from-zone vpn to-zone trust policy vpn-policy match sourceaddress any
set security policies from-zone vpn to-zone trust policy vpn-policy match
destination-address any
78 / 171
application any
set security policies from-zone vpn to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone vpn policy vpn-policy match sourceaddress any
set security policies from-zone trust to-zone vpn policy vpn-policy match
application any
set security policies from-zone trust to-zone vpn policy vpn-policy then permit
SRX210B
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 172.16.1.0/24 next-hop st0.0
st0 tunnel zone VPN
set security ike policy bikemode main
set security ike policy bike proposal-set standard
set security ike policy bike pre-shared-key ascii-text juniper
IKE Phase1 policy main modestandard proposal
set security ike gateway gw1 ike-policy bike
79 / 171
IKE gateway ,192.168.1.238ge-0/0/0.0

set security ipsec policy bp2 proposal-set standard
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike ipsec-policy bp2
ipsec Phase 2 VPN standard proposalst0.0 Phase 1
gw1 ike
set security policies from-zone vpn to-zone trust policy vpn-policy match sourceaddress any
application any
set security policies from-zone vpn to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone vpn policy vpn-policy match sourceaddress any
application any
set security policies from-zone trust to-zone vpn policy vpn-policy then permit
80 / 171
policy VPN
WEB
SRX210A
VPN Zone Security-Zones/screens Add
zone name zone type
81 / 171
Interfaces-Ports St0 Add Tunnel
ZONE IP
82 / 171
Ipsec VPN-Auto Tunnel-Phase I IKE Policy Add P1 IKE

Policy
83 / 171
IKE Policy NameMode Proposal
IKE Policy Options Pre Share Key
84 / 171
IKE Policy
Phase I Gateway Add Gateway
85 / 171
IKE GATEWAY Name Policy IP
Gateway
86 / 171
Phase II IPSEC POLICY Add
Ipsec Policy Name Proposal
87 / 171
Auto Key VPN Add
88 / 171
P1 gateway Ipsec Policy Tunnel
Auto Key VPN
89 / 171
VPN Tunnel st0.0 Routing-Static Routing

Add
Static Route IPV4 Add
90 / 171
St0.0
91 / 171
2
Configure Security-Policy-Apply
Policy Add
92 / 171
Policy Name
93 / 171
VPN Trust
SRX210B
VPN
CLI
WEB Monitor Ipsec VPN Phase I II SA
94 / 171
3.6.2. SITE TO SITE IPSEC VPN

VPN VPN TUNNEL
VPN
CLI
SRX210A
set security ike policy aike mode main
set security ike policy aike proposal-set standard
set security ike policy aike pre-shared-key ascii-text juniper
set security ike gateway gw1 ike-policy aike
95 / 171

set security ipsec policy ap2 proposal-set standard
set security ipsec vpn vpn1 ike ipsec-policy ap2
set security policies from-zone trust to-zone untrust policy vpn-policy match
source-address LanA
destination-address LanB
application any
set security policies from-zone trust to-zone untrust policy vpn-policy then permit
tunnel ipsec-vpn vpn1
set security policies from-zone trust to-zone untrust policy vpn-policy then permit
tunnel pair-policy vpn-policy
set security policies from-zone untrust to-zone trust policy vpn-policy match
source-address LanB
destination-address LanA
application any
96 / 171
set security policies from-zone untrust to-zone trust policy vpn-policy then permit
tunnel ipsec-vpn vpn1
set security policies from-zone untrust to-zone trust policy vpn-policy then permit
tunnel pair-policy vpn-policy
set security zones security-zone trust address-book address LanA 172.16.1.0/24
set security zones security-zone untrust address-book address LanB 172.17.1.0/24
SRX210B
VPN
WEB
97 / 171
98 / 171
3.6.3. DYNANMIC VPN

VPN PC VPN
(IPsec) VPN
VPN 3
VPN
HTTPS Web VPN
appweb Web [edit system services webmanagement]
VPN
VPN
99 / 171
Juniper Networks IPsec VPN Web
Web VPN
VPN
1. SRX VPN HTTP HTTPS
Web
2. Web
3.
4.
5. IPsec (XAuth)
RADIUS IP
VPN Web
VPN Juniper Networks
:
IPsec SA
100 / 171
SCREENOS IPSEC VPN

DYNAMIC VPN
SRX210A DYNAMIC VPN VPN1 VPN2

DYNAMIC VPN 192.168.100.0/24
172.16.1.0/24
CLI
set access profile dyn-profile client vpn1 firewall-user password vpn1

set access profile dyn-profile client vpn2 firewall-user password vpn2
set access profile dyn-profile address-assignment pool dyn-ip-pool
101 / 171
set
access
address-assignment
pool
dyn-ip-pool
family
inet
network
192.168.100.0/24
set access address-assignment pool dyn-ip-pool family inet range 10to100 low
192.168.100.10
set access address-assignment pool dyn-ip-pool family inet range 10to100 high
192.168.100.100
set access firewall-authentication web-authentication default-profile dyn-profile
VPN
IKE Gateway
set security ike policy DVPN-vpn mode aggressive
set security ike policy DVPN-vpn proposal-set compatible
set security ike policy DVPN-vpn pre-shared-key ascii-text juniper
set security ike gateway DVPN-vpn ike-policy DVPN-vpn
set security ike gateway DVPN-vpn dynamic hostname dynvpn
set security ike gateway DVPN-vpn dynamic connections-limit 50
set security ike gateway DVPN-vpn dynamic ike-user-type group-ike-id
set security ike gateway DVPN-vpn external-interface ge-0/0/0
set security ike gateway DVPN-vpn xauth access-profile dyn-profile
IPSEC
set security ipsec policy DVPN-vpn proposal-set standard
set security ipsec vpn DVPN-vpn ike gateway DVPN-vpn
set security ipsec vpn DVPN-vpn ike ipsec-policy DVPN-vpn
102 / 171

set security policies from-zone untrust to-zone trust policy dyn-vpn match sourceaddress any
set security policies from-zone untrust to-zone trust policy dyn-vpn match
destination-address LanA
set security policies from-zone untrust to-zone trust policy dyn-vpn match
application any
set security policies from-zone untrust to-zone trust policy dyn-vpn then permit
tunnel ipsec-vpn DVPN-vpn
zone IKE HTTPS
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
VPN
set security dynamic-vpn access-profile dyn-profile
set
security
dynamic-vpn
clients
dyn-vpn
remote-protected-resources
172.16.1.0/24
set security dynamic-vpn clients dyn-vpn ipsec-vpn DVPN-vpn
set security dynamic-vpn clients dyn-vpn user vpn1
set security dynamic-vpn clients dyn-vpn user vpn2
103 / 171
WEB
Access Profile Configure Access-Access Profiles Add
Profile dyn-profile Address Assignment Configure
Address Pool Configuration Name dyn-ip-pool

192.168.100.10-100
104 / 171
Close Dyn-Ip-Pool Add
105 / 171
VPN1 VPN2
dyn-profile
106 / 171
Access-FW Authentication Web-auth settings Default Profile dynprofile
Ipsec VPN-Dynamic VPN Global Settings Access Profile dynprofile
107 / 171
dynamic vpn
DYNAMIC VPN
108 / 171
109 / 171
zone Interface IKE HTTPS
DYNAMIC VPN
110 / 171
111 / 171
Action-Commit
DYN-VPN
IE 192.168.1.238
112 / 171
Pulse
Junos Pulse
https://www.juniper.net/customers/support/#task
113 / 171
SRX URL DYNAMIC VPN IP
114 / 171
115 / 171
VPN1
IP
116 / 171
SRX210 IKE
SRX210 DYNAMIC-VPN USERS
DYNAMIC VPN URL WEB
#set system services web-management management-url admin

http://192.168.1.238/admin
117 / 171
3.6.4. GROUP VPN

Group VPN
IPsec (SA) (VPN)
VPN SA
VPN IPsec SA
VPN IP
VPN

SA
SA
1 65,535
VPN
1. UDP 848 IKE 1
2. GDOI groupkey-pull SA
3.
118 / 171
4. SA
(GDOI groupkey-push) SA
SA
SA
+
2
CLI
SRX210A
Lo0.0
set interfaces lo0 unit 0 family inet address 192.168.1.230/32
119 / 171
group-vpn member
set security group-vpn member ike proposal prop1 authentication-method preshared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3descbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.230
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge0/0/0.0
set security group-vpn member ipsec vpn v1 group 1
group-VPN server
set security group-vpn server ike proposal srv-prop authentication-method preshared-keys
set security group-vpn server ike proposal srv-prop dh-group group2
set security group-vpn server ike proposal srv-prop authentication-algorithm sha1
120 / 171
set security group-vpn server ike proposal srv-prop encryption-algorithm 3descbc

set security group-vpn server ike policy srv-pol mode main
set security group-vpn server ike policy srv-pol proposals srv-prop
set security group-vpn server ike policy srv-pol pre-shared-key ascii-text juniper
set security group-vpn server ike gateway gw1 ike-policy srv-pol
set security group-vpn server ike gateway gw1 address 192.168.1.230
set security group-vpn server ike gateway gw2 ike-policy srv-pol
set security group-vpn server ike gateway gw2 address 192.168.1.239
set security group-vpn server ipsec proposal group-prop authentication-algorithm
hmac-sha1-96
set security group-vpn server ipsec proposal group-prop encryption-algorithm
3des-cbc
set security group-vpn server ipsec proposal group-prop lifetime-seconds 3600
set security group-vpn server group grp1 group-id 1
set security group-vpn server group grp1 ike-gateway gw1
set security group-vpn server group grp1 ike-gateway gw2
set security group-vpn server group grp1 anti-replay-time-window 120
set security group-vpn server group grp1 server-address 192.168.1.238
set
security
group-vpn
server
group
grp1
server-member-communication
group
grp1
communication-type unicast
set
security
group-vpn
server
121 / 171
encryption-algorithm aes-128-cbc
set security group-vpn server group grp1 server-member-communication sig-hashalgorithm md5
set
security
group-vpn
server
group
grp1
certificate srv-cert
set security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 source
172.16.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1
destination 172.17.1.0/24
source-port 0
destination-port 0
protocol 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 source
172.17.1.0/24
destination 172.16.1.0/24
source-port 0
122 / 171

destination-port 0
protocol 0
set security group-vpn co-location
set security address-book gvpnbook1 address Gvpn 172.16.0.0/12

set security address-book gvpnbook1 attach zone trust
set security address-book gvpnbook2 address Gvpn 172.16.0.0/12
set security address-book gvpnbook2 attach zone untrust
Gvpn
set security policies from-zone untrust to-zone trust policy scope1 match sourceaddress Gvpn
set security policies from-zone untrust to-zone trust policy scope1 match
destination-address Gvpn
application any
set security policies from-zone untrust to-zone trust policy scope1 then permit
tunnel ipsec-group-vpn v1
set security policies from-zone trust to-zone untrust policy scope1 match sourceaddress Gvpn
123 / 171
set security policies from-zone trust to-zone untrust policy scope1 match
destination-address Gvpn
application any
set security policies from-zone trust to-zone untrust policy scope1 then permit
SRX210B
Group-VPN member
set security group-vpn member ike proposal prop1 authentication-method preshared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3des-cbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.239
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge0/0/0.0
124 / 171
set security group-vpn member ipsec vpn v1 group 1
set security address-book gvpnbook1 address gvpn 172.16.0.0/12

set security address-book gvpnbook1 attach zone trust
set security address-book gvpnbook2 address gvpn 172.16.0.0/12
set security address-book gvpnbook2 attach zone untrust
Gvpn
set security policies from-zone trust to-zone untrust policy scope1 match sourceaddress gvpn
destination-address gvpn
application any
set security policies from-zone trust to-zone untrust policy scope1 then permit
set security policies from-zone untrust to-zone trust policy scope1 match sourceaddress gvpn
destination-address gvpn
application any
set security policies from-zone untrust to-zone trust policy scope1 then permit
125 / 171
Srx210A IKE SERVER
Srx210B Ipsec SA
WEB
WEB
3.7. ALG
(ALG) Junos OS Juniper Networks
(SIP) FTP ALG
ALG
TelnetFTPSMTP HTTP
4 TCP UDP TCP UDP
126 / 171

4 7
7
ALG
ALG ALG
1.
2.
3.
ALG ALG
ALG IP
(NAT) ALG IP
FTP ftp-testTCP 2100

3600 FTP ALGFTP
FTP ALG
set applications application ftp-test protocol tcp destination-port 2100 inactivity-timeout
3600
set applications application ftp-test application-protocol ftp
Set Security alg alg
lab@srx210A# set security alg ?
127 / 171
Possible completions:
> alg-manager
> alg-support-lib
+ apply-groups
Configure ALG-MANAGER
Configure ALG-SUPPORT-LIB
Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups

> dns
> ftp
> h323
> ike-esp-nat
Configure DNS ALG

Configure FTP ALG
Configure H.323 ALG
Configure IKE-ESP ALG with NAT
> mgcp
Configure MGCP ALG
> msrpc
Configure MSRPC ALG
> pptp
Configure PPTP ALG
> rsh
Configure RSH ALG
> rtsp
Configure RTSP ALG
> sccp
Configure SCCP ALG
> sip
Configure SIP ALG
> sql
Configure SQL ALG
> sunrpc
Configure SUNRPC ALG
> talk
Configure Talk ALG
> tftp
Configure TFTP ALG
> traceoptions
ALG trace options
[edit]
128 / 171
lab@srx210A# set security alg sql ?

disable
Disable SQL ALG
> traceoptions
SQL ALG trace options
ALG
lab@srx210A> show security alg status
ALG Status :
DNS
FTP
H323
: Enabled
: Enabled
: Enabled
MGCP
: Enabled
MSRPC
: Enabled
PPTP
: Enabled
RSH
: Enabled
RTSP
: Enabled
SCCP
: Enabled
SIP
SQL
SUNRPC
: Enabled
: Enabled
: Enabled
TALK
: Enabled
TFTP
: Enabled
IKE-ESP : Disabled
129 / 171
web security-ALG
3.8. SRX UTM

UTM
(SBL)Sophos
IP SBL
Kaspersky Lab
130 / 171

CPU
Juniper Networks
MIME
Web Web Web

Web Web
Websense CPA Server URL
Web Web Web
HTTP URL Websense URL
Web Web
Juniper Web URL
Web Juniper
3.8.1 UTM
UTM UTM Juniper
https://www.juniper.net/customers/support/#task
131 / 171
1
Internet
lab@srx210h> request system license update trial trial
License
lab@srx210h> show system license
web Maintain-Licenses
UTM
3.8.2 SRX UTM IDP

IDP
lab@srx210h> request security idp security-package download
132 / 171

lab@srx210h> request security idp security-package download status
lab@srx210h> request security idp security-package install

IDP
lab@srx210h# set security idp idp-policy ?
<policy-name>
IDP policy name
IDP
133 / 171
lab@srx210h# set security idp active-policy +IDP

IDP
IDP
lab@srx210h> show security idp status
3.8.3 SRX UTM Antivirus
Antivirus Profile
lab@srx210h# set security utm feature-profile anti-virus type kaspersky-lab-engine
Antivirus
134 / 171
lab@srx210h# set security utm utm-policy default-av anti-virus
lab@srx210h> show security utm anti-virus status
lab@srx210h> request security utm anti-virus kaspersky-lab-engine pattern-
135 / 171
update
3.8.4 SRX UTM WEB

Juniper SRX Branch WEB
,,
news.163.com,, <51JOB >
web-filtering
lab@srx210h# set security utm custom-objects url-pattern url
lab@srx210h# set security utm custom-objects custom-url-category

url feature-profile
136 / 171
lab@srx210h# set security utm feature-profile web-filtering

category
lab@srx210h# set security utm feature-profile web-filtering surf-control-integrated
lab@srx210h# set security utm utm-policy utm
137 / 171
utm
web
lab@srx210h# run show security utm web-filtering ?
statistics
status
Show web-filtering statistics

Show web-filtering status
3.8.5 SRX UTM

(SBL)
(SBL)
138 / 171
(DNS) SBL DNS SBL

IP SBL
DNSSBL DNS
DNS
: IP
Sophos IP
#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1
#SBL
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbldefault-server
#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbldefault-server spam-action block
#UTM
lab@srx210h# set utm utm-policy spampolicy1 anti-spam smtp-profile sblprofile1
#UTM
lab@srx210h# set security policies from-zone trust to-zone untrust policy
utmsecuritypolicy1 match source-address any
139 / 171

utmsecuritypolicy1 match destination-address any
utmsecuritypolicy1 match application junos-smtp
utmsecuritypolicy1 then permit application-services utm-policy spampolicy1
lab@srx210h> show security utm anti-spam status
3.9. Appsecure
AppSecure SRX AppSecure
AppSecure
AppTrack
AppFirewall
AppDoS
AppQos
Appsecure SRX
UTM
140 / 171
3.9.1.
lab@srx210h>request services application-identification download
lab@srx210h>request services application-identification download status
lab@srx210h>show services application-identification version

IDP
lab@srx210h>request security idp security-package download
IDP
lab@srx210h>request security idp security-package install
IDP
lab@srx210h>request security idp security-package install status
IDP
lab@srx210h>show security idp security-package-version
3.9.2. Apptrack CLI

AppTrack
AppTrack
AppTrack
1. Zone
141 / 171
set security zones security-zone <name> application-tracking

2. SYSLOG :
set security log format sd-syslog
set security log source-address x.x.x.x
set security log stream Syslogsrv host y.y.y.y
3.
show security application-tracking counters
show services application-identification application-system-cache
3.9.3. AppFirewall
HTTP HTTP
IP
ID
AppFirewall

142 / 171

ID
AppFirewall
ID
IDID
facebook youtube
AppFirewall
set security application-firewall rule-sets allowed-apps rule 1 match dynamicapplication [ junos:FACEBOOK-ACCESS junos:FACEBOOK-APP junos:FACEBOOKCHAT junos:FACEBOOK-FANAPPZ junos:FACEBOOK-MAIL junos:FACEBOOK-MUSIC
junos:FACEBOOK-MUSIKGW
junos:FACEBOOK-SOCIALRSS
junos:FACEBOOK-
YEARBOOK junos:FACEBOOK-YOUTUBEBOX]
set security application-firewall rule-sets allowed-apps rule 1 then permit
set security application-firewall rule-sets allowed-apps rule 2 match dynamicapplication junos:YOUTUBE
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-
143 / 171
application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets allowed-apps rule 2 match dynamicapplication junos:YOUTUBE-STREAM
set security application-firewall rule-sets allowed-apps rule 2 match dynamicapplication junos:YOUTUBEVIDEOBOX
set security application-firewall rule-sets allowed-apps rule 2 then permit
set security application-firewall rule-sets allowed-apps default-rule deny
appfirewall
set security policies from-zone trust to-zone untrust policy allowed-web-apps
match source-address any
match destination-address any
match application junos-http
set security policies from-zone trust to-zone untrust policy allowed-web-apps then
permit application-services application-firewall rule-set allowed-apps
3.9.4. APPDDOS
DDoS 7
8053443 L3 / L4
144 / 171
APPDDOS HTTP DNS CLI

1. APPDOS
set security idp application-ddos Webserver service http
set security idp application-ddos Webserver connection-rate-threshold 1000
set security idp application-ddos Webserver context http-get-url hit-rate-threshold
60000
set security idp application-ddos Webserver context http-get-url value-hit-ratethreshold 60000
set security idp application-ddos Webserver context http-get-url time-bindingcount 10
set security idp application-ddos Webserver context http-get-url time-bindingperiod 60
2. IDP APPDDOS
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 match
destination-address Web-Login
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 match
application-ddos Webserver
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then action noaction
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then ip-action
ip-block
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then ip-action
145 / 171
timeout 60
3. APPDDOS
set security idp active-policy AppDoS-Webserver
4. IDP application-service
set security policies from-zone untrust to-zone trust policy appddos match sourceaddress any
set security policies from-zone untrust to-zone trust policy appddos match
set security policies from-zone untrust to-zone trust policy appddos match
application junos-http
set security policies from-zone untrust to-zone trust policy appddos then permit
application-services idp
>show security idp counters application-ddos

> show security idp application-ddos application http-url-parsed
3.10. Firewall Filter

SRX ,
146 / 171
3.10.1. FBF
FBF SCREEN OS PBR FBF
dual-ISP srx down
SRX down/up
Junos RPM IP DOWN
set routing-instances ISP1 instance-type forwarding
147 / 171
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 192.168.1.253

set routing-instances ISP1 routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.58.253
preference 100
set routing-instances ISP2 instance-type forwarding
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 192.168.58.253
set routing-instances ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.1.253
preference 100

set interfaces fe-0/0/2 unit 0 family inet filter input FBF
set interfaces fe-0/0/2 unit 0 family inet address 172.16.1.1/24
Filter
set firewall filter FBF term ISP1 from source-address 172.16.1.10/32
set firewall filter FBF term ISP1 then routing-instance ISP1
set firewall filter FBF term ISP2 from source-address 172.16.1.20/32
set firewall filter FBF term ISP2 then routing-instance ISP2
set firewall filter FBF term accept then accept
RIB-GROUP
set routing-options interface-routes rib-group inet rib-fbf
set routing-options rib-groups rib-fbf import-rib inet.0
set routing-options rib-groups rib-fbf import-rib isp1.inet.0
set routing-options rib-groups rib-fbf import-rib isp2.inet.0
FBF C1 ISP1C2 ISP2
RPM
set services rpm probe Probe-isp1 test isp1-gw target address 192.168.1.253
set services rpm probe Probe-isp1 test isp1-gw probe-count 10
set services rpm probe Probe-isp1 test isp1-gw probe-interval 5
set services rpm probe Probe-isp1 test isp1-gw test-interval 10
set services rpm probe Probe-isp1 test isp1-gw thresholds successive-loss 10
set services rpm probe Probe-isp1 test isp1-gw thresholds total-loss 5
148 / 171
set services rpm probe Probe-isp1 test isp1-gw destination-interface ge-0/0/0.0

set services rpm probe Probe-isp1 test isp1-gw next-hop 192.168.1.253
set services rpm probe Probe-isp2 test isp2-gw target address 192.168.58.253
set services rpm probe Probe-isp2 test isp2-gw probe-count 10
set services rpm probe Probe-isp2 test isp2-gw probe-interval 5
set services rpm probe Probe-isp2 test isp2-gw test-interval 10
set services rpm probe Probe-isp2 test isp2-gw thresholds successive-loss 10
set services rpm probe Probe-isp2 test isp2-gw thresholds total-loss 5
set services rpm probe Probe-isp2 test isp2-gw destination-interface ge-0/0/1.0
set services rpm probe Probe-isp2 test isp2-gw next-hop 192.168.58.253
IP-Monitoring
set services ip-monitoring policy isp1-Tracking match rpm-probe Probe-isp1
set services ip-monitoring policy isp1-Tracking then preferred-route routing-instances isp1 route
0.0.0.0/0 next-hop 192.168.58.253
set services ip-monitoring policy isp2-Tracking match rpm-probe Probe-isp2
set services ip-monitoring policy isp2-Tracking then preferred-route routing-instances isp2 route
0.0.0.0/0 next-hop 192.168.1.253
ZONE RPM
set security-zone security-zone isp1 interface ge-0/0/0.0 host-inbound-traffic system-services rpm
set security-zone security-zone isp1 interface ge-0/0/0.0 host-inbound-traffic system-services ping
set security-zone security-zone isp2 interface ge-0/0/1.0 host-inbound-traffic system-services rpm
set security-zone security-zone isp2 interface ge-0/0/1.0 host-inbound-traffic system-services ping
> show services ip-monitoring status all
149 / 171
3.10.2.
192.168.1.0/26 10M
set firewall family inet filter limit10M term Nolimite from address 192.168.1.0/26
set firewall family inet filter limit10M term Nolimite then accept
# 192.168.1.0/26
set firewall family inet filter limit10M term other-10M from source-address 0.0.0.0/0
set firewall family inet filter limit10M term other-10M then policer Upto10M
# Upto10M
set firewall family inet filter limit10M term other-accept then accept
#
set firewall policer Upto10M if-exceeding bandwidth-limit 10m
set firewall policer Upto10M if-exceeding burst-size-limit 128k
set firewall policer Upto10M then discard
# Upto10M
set interfaces fe-0/0/2 unit 0 family inet filter input limit10M
Input Filter
3.10.3. ACL
denylist-attack
set firewall family inet filter DenyAC term deny-list from prefix-list denylist-attack
150 / 171
set firewall family inet filter DenyAC term deny-list then discard
# Filter DenyAC denylist-attack prefix-list
set firewall family inet filter DenyAC term other-accept then accept
#
set policy-options prefix-list denylist-attack 124.232.0.0/16
set policy-options prefix-list denylist-attack 182.100.0.0/16
# denylist-attack 2 124.232.0.0/16 182.100.0.0/16
set interfaces fe-0/0/2 unit 0 family inet filter input DenyAC
# Filter Input
3.11. Screen
Juniper SRX
MGT
SCREEN
SCREEN
SCREEN (IDP)
SCREEN Untrust
CLI
151 / 171
root# show security screen

ids-option juniper-srx-screen-test {
alarm-without-drop; <
>
icmp {
ip-sweep threshold 1000;
fragment;
flood threshold 100;
}
ip {
bad-option;
spoofing;
tear-drop;
}
tcp {
syn-frag;
port-scan threshold 1000; 1000< 1000 >
land;
winnuke;
}
udp {
flood threshold 100; UDP FLOOD 100< 100 >
152 / 171
}
limit-session {
source-ip-based 128;< IP >
destination-ip-based 128;< IP >
}
}
[edit]
root# show security zones security-zone untrust
screen juniper-srx-screen-test; screen untrust
WEB
ConfigureSecurityZone/Screens Screens list Add
Main Screen name Screen
153 / 171
Denial of ServiceAnomailiesFlood Defense

Apply to Zones
154 / 171
3.12. JSRP HA
JSRP Juniper SRX HA ScreenOS NSRP
A/P A/A JSRP ScreenOS NSRP JUNOS Cluster
NSRP JSRP JSRP NSRP
JSRP Cluster
ScreenOS
ScreenOS NSRP session
JSRP
SRX JSRP ()
(Session ) 3K\5K
Branch
SRX Branch HA
HA
155 / 171

1. SRX110 HA
2. SRX650<4 RJ-45 >SRX650 HA ,
<HA
3 >
JSRP
0 0 1
0
JSRP
22
JSRP 7
Cluster id Node id (ScreenOS NSRP cluster id
id
Control Port
Fabric Link Port session RTO
156 / 171
Redundancy Group NSRP VSD group

IP
Redundant Ethernet Interface NSRP Redundant

Interface Monitoring NSRP interface monitor RG
2 SRX210 HA
SRX210 3 HA FE-0/0/7 FE-0/0/7

CONTROL LINK
GE-0/0/0 GE-0/0/0 FABRIC LINK
FE-0/0/6 FXP0
CONSOLE
SRX210-A
set chassis cluster cluster-id 1 node 0 reboot
157 / 171
SRX210-B
set chassis cluster cluster-id 1 node 1 reboot
SRX210-A
set groups node0 system host-name srx210-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.101.1/24
set groups node1 system host-name srx210-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.101.2/24
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-2/0/0
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 gigether-options redundant-parent reth0
set interfaces fe-0/0/2 gigether-options redundant-parent reth1
set interfaces fe-2/0/2 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 172.16.1.1/24
set security zones security-zone Trusted interfaces reth0.0
set interfaces reth1 unit 0 family inet address 192.168.1.238/24
set security zones security-zone Untrusted interfaces reth1.0
# DOWN
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-2/0/2 weight 255
HA
>show chassis cluster status
Cluster ID: 1
Node
Priority
Status
Preempt
Manual failover
158 / 171
Redundancy group: 0 , Failover count: 0

node0
200
primary
no
node1
100
secondary
no
no
no

node0
200
primary
node1
100
secondary
yes
no
yes
no
> request chassis cluster failover redundancy-group 0 node 1

node1:
-------------------------------------------------------------------------Initiated manual failover for redundancy group 0
> request chassis cluster failover redundancy-group 1 node 1
node1:
-------------------------------------------------------------------------Initiated manual failover for redundancy group 1
>show chassis cluster status
Cluster ID: 1
Node
Priority
Status
Preempt
Manual failover

node0
200
secondary
no
yes
node1
255
primary
no
yes

node0
200
secondary
yes
yes
node1
255
primary
yes
yes
HA
t> request chassis cluster failover reset redundancy-group 0
node0:
-------------------------------------------------------------------------No reset required for redundancy group 0.
node1:
-------------------------------------------------------------------------Successfully reset manual failover for redundancy group 0
{secondary:node0}
> request chassis cluster failover reset redundancy-group 1
node0:
-------------------------------------------------------------------------No reset required for redundancy group 1.
node1:
--------------------------------------------------------------------------
159 / 171
Successfully reset manual failover for redundancy group 1

> show chassis cluster status HA
Cluster ID: 1
Node
Priority
Status
Preempt
Manual failover

node0
200
secondary
node1
100
primary
no
no
no
no

node0
200
secondary
no
node1
100
primary
no
no
no
SNMP
Show system software

show system uptime
Show chassis haredware
show chassis environment
show chassis routing-engine RE
show route
show arp ARP
show log messages
show interface terse
show interface ge-x/y/z detail
monitor interface ge-x/y/z
monitor traffic interface ge-x/y/z Tcpdump ScreenOS snoop
160 / 171
show security flow session summary

show security flow session
clear security flow session all session
show security alg status ALG
SNMP
SNMP
CPU PPS SNMP
MIB OID
OID
JUNOS MIB OID
OIDVIEW JUNOS MIB
161 / 171
SRX Object
lab@srx210h> show snmp mib walk ascii ifDescr

ifDescr.3
= fxp2
ifDescr.4
= lsi
ifDescr.6
= lo0
ifDescr.7
= tap
ifDescr.8
= gre
ifDescr.9
= ipip
ifDescr.10
= pime
ifDescr.11
= pimd
ifDescr.12
= mtun
ifDescr.15
= fxp2.0
ifDescr.21
= lo0.16384
162 / 171
ifDescr.22
ifDescr.248
ifDescr.501
ifDescr.502
ifDescr.503
ifDescr.504
ifDescr.505
ifDescr.506
ifDescr.507
ifDescr.508
ifDescr.509
ifDescr.510
ifDescr.511
ifDescr.512
ifDescr.513
ifDescr.514
ifDescr.515
ifDescr.516
ifDescr.517
ifDescr.518
ifDescr.519
ifDescr.520
ifDescr.521
ifDescr.523
ifDescr.524
ifDescr.526
ifDescr.527
ifDescr.529
ifDescr.530
ifDescr.533
ifDescr.534
= lo0.16385
= lo0.32768
= irb
= pp0
= st0
= ppd0
= ppe0
= vlan
= ge-0/0/0
= ge-0/0/1
= ge-0/0/0.0
= fe-0/0/2
= fe-0/0/3
= fe-0/0/4
= fe-0/0/5
= fe-0/0/6
= fe-0/0/7
= ge-0/0/1.0
= sp-0/0/0
= gr-0/0/0
= ip-0/0/0
= lsq-0/0/0
= mt-0/0/0
= lt-0/0/0
= fe-0/0/2.0
= fe-0/0/4.0
= fe-0/0/5.0
= sp-0/0/0.0
= sp-0/0/0.16383
= st0.1
= st0.2
fe-0/0/2.0 524 fe-0/0/2.0
lab@srx210h> show interfaces fe-0/0/2.0 extensive

Logical interface fe-0/0/2.0 (Index 73) (SNMP ifIndex 524) (Generation 138)
fe-0/0/2.0 PPS OIDVIEW
PPS Object ifIn1SecPkts OID 1.3.6.1.4.1.2636.3.3.1.1.3
163 / 171
fe-0/0/2.0 524
1.3.6.1.4.1.2636.3.3.1.1.3.524 OID
SNMP OID fe-0/0/2.0 PPS
Troubleshooting
5.1. Flow
164 / 171
1. Traffic
lab@SRX210B> monitor traffic interface ge-0/0/0.0 no-resolve
2. Flow Debug
set security flow traceoptions file flowlog # flowlog
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to0 source-prefix 192.168.1.61/32
set security flow traceoptions packet-filter to0 destination-prefix 192.168.0.12/32
# 2 packet-filter 192.168.1.61 192.168.0.12
Debug floglog
lab@srx210B>show log filelog # filelog
lab@srx210B>clear log filelog # filelog
3.
show security flow session summary
show security flow session destination-prefix <ip-prefix>
show security flow session session-identifier <value>
show interface extensive
165 / 171
5.2. IPSEC VPN

IPSEC VPN
show security ike security-association
show security ike security-association index <number> detail
show security ike stats sa ()
show security ike stats sa index ()
show security ike memory-usage ()
show security ipsec security-association
show security ipsec security-association index <number> detail
show security flow session tunnel
monitor interface st0.x
show security ipsec statistics
show security ipsec next-hop-tunnels
Logs:
show log messages
show log kmd
DEBUG:
edit security ike traceoptions
set file ike-debug
set flag all
edit security ipsec traceoptions
set flag all
166 / 171
5.3. LOG
/VAR/LOG LOG CLI LOG
DEBUG
file list <>
show log <>
167 / 171
5.4. RSI LOG
#RSI/VAR/LOGRSI_
request support information | save /var/log/rsi_YYYY-MM-DD.txt
#/VAR/LOG/VAR/TMPLOGS_RSI
file archive compress source /var/log/* destination /var/tmp/logs_YYYY-MM-DD

# LOGS WINSCP FTP
WINSCP
WINSCP http://winscp.net/eng/download.php
168 / 171
F5
169 / 171
OS
170 / 171
https://www.juniper.net/customers/support/
http://forums.juniper.net/jnet/
OID
http://contentapps.juniper.net/mib-explorer/navigate.jsp
https://partners.juniper.net/partnercenter/tools-resources/fulfill-order/juniperfirewall-migration-cloud/index.page
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRXDebugInfo.pdf
VPN Troubleshooting
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb10093.htm
SRX HA
http://www.juniper.net/support/tools/srxha/
171 / 171

Juniper Srx防火墙管理手册jnpr v1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Juniper Srx防火墙管理手册jnpr v1

Uploaded by

Copyright:

Available Formats

JUNIPER

Juniper Networks, Inc.

UTM ......................................................................................... 131

SRX UTM IDP ........................................................................... 132

SRX UTM Antivirus ................................................................... 134

SRX UTM WEB ................................................................ 136

SRX UTM ................................................................... 138

3.9. Appsecure .............................................................................................. 140

Juniper Networks, Inc.

3.9.2. Apptrack CLI ................................................................. 141

AppFirewall .................................................................................. 142

APPDDOS ..................................................................................... 144

3.10. Firewall Filter ....................................................................................... 146

Juniper Networks, Inc.

Juniper Networks, Inc.

Juniper Networks, Inc.

SRX set delete delete security

Juniper Networks, Inc.

http/https WEB URL

Juniper Networks, Inc.

Bits per second: 9600

Flow control: None

Entering configuration mode

Juniper Networks, Inc.

root# set system root-authentication plain-text-password

root# show system root-authentication

Juniper Networks, Inc.

Juniper Networks, Inc.

Juniper Networks, Inc.

User name login classic super-user

Juniper Networks, Inc.

set system services web-management http interface ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.238/24

set security zones security-zone untrust interfaces ge-0/0/0.0

set security zones security-zone untrust host-inbound-traffic system-services ping

System Propeties Management Access Edit

Services Enable Telnet Enable SSH Enable Http

Juniper Networks, Inc.

Ge0/0/0.0 Selected Interfaces

Interfaces Ports Ge0/0/0.0 Edit

Juniper Networks, Inc.

IPV4 Address Add IP

Juniper Networks, Inc.

Routing Static Routing Add

Static Router Next-hop

Juniper Networks, Inc.

Zone name Untrust Edit

Juniper Networks, Inc.

ping ssh telnet Selected

Juniper Networks, Inc.

Juniper Networks, Inc.

root# load factory-default

Juniper Networks, Inc.

The operating system has halted.

Juniper Networks, Inc.

Juniper Networks, Inc.

Juniper Networks, Inc.

Using binary mode to transfer files.

drwxrwxrwx 1 owner group

-rwxrwxrwx 1 owner group 138198178 Apr 06 20:26 junos-srxsme-12.1X44-D45.2domestic.tgz

Local directory now /cf/var/home/lab

Local directory now /cf/var/tmp

Juniper Networks, Inc.

Juniper Networks, Inc.

* FINAL System shutdown message from root@SRX210B *

/* yes */

/* 3389 */