peibaishi 发表于 2018-7-27 12:48:56

Juniper SRX210配置 含idp-Juniper工作记录

show configuration | no-more  ## Last commit: 2010-02-12 02:26:30 UTC by lab
  /* Junos 9.6 (the page's last-commit stamp is 2010) is far beyond vendor support; confirm the target release and upgrade path before reusing anything below */
  version 9.6R1.13;
  /* system: main review points are the published $1$ hashes and reversible $9$ secrets, root ssh login, SSHv1, telnet and plain-HTTP management (see inline notes) */
  system {
      host-name ERX210;
      /* "password" listed first means the local password database is consulted before RADIUS, so local accounts remain usable even while RADIUS is reachable */
      authentication-order [ password radius ];
      root-authentication {
          /* $1$ prefix = MD5-crypt; this hash is printed on a public forum page and should be rotated */
          encrypted-password "$1$24jhwwMW$DKfnv4zYNrCESy54qLshS0"; ## SECRET-DATA
          /* value looks like a sanitised placeholder; ssh-dss keys have been disabled by default in OpenSSH since 7.0, so prefer another key type if the platform allows */
          ssh-dsa "ssh-dss 0123456789"; ## SECRET-DATA
      }
      name-server {
          61.134.1.4;
      }
      radius-server {
          /* $9$ values are Junos reversible obfuscation, not hashes - treat both shared secrets as disclosed and rotate them on the SRX and on the RADIUS servers */
          192.168.0.1 {
              secret "$9$HmznOBEevLGDi.mfn6BIEcK87-w"; ## SECRET-DATA
              timeout 5;
          }
          192.168.0.222 {
              secret "$9$c37SKMWLx7dbrl"; ## SECRET-DATA
              /* 192.168.0.10 is the fe-0/0/2.0 (trust) interface address */
              source-address 192.168.0.10;
          }
      }
      login {
          /* runtime string left untouched; it carries typos ("tIS", "accessto") and stray backslashes before the quotes */
          message "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\ttIS STRICTLY PROHIBITED!\n\n\tPlease contact\'company-noc@company.com\' to gain\naccessto this equipment if you need authorization.\n\n\n";
          user lab {
              uid 2001;

              /* NOTE(review): paste artifact - the blank line and ">" mark a dropped line, presumably the account's "class" statement; confirm each account's privilege class on the device */
              >  authentication {
                  encrypted-password "$1$tASBo6PD$PU235CkJQBcFa0Kv33SVH."; ## SECRET-DATA
              }
          }
          /* second local account whose class is not visible here (same dropped line); make sure a "test" account is not super-user on a box whose management is reachable from untrust */
          user test1 {
              uid 10000;

              >  authentication {
                  encrypted-password "$1$1UUPUDfy$uaakRCMJTtfk2vuPYh7qM0"; ## SECRET-DATA
              }
          }
      }
      services {
          inactive: ftp;
          ssh {
              /* direct root login over ssh; "deny" or "deny-password" keeps root off the wire and preserves per-user audit trails */
              root-login allow;
              /* SSHv1 is cryptographically broken; keep "protocol-version v2" only */
              protocol-version [ v1 v2 ];
          }
          /* cleartext management; the connection limit caps sessions but does not protect credentials, and with system-services "all" on fe-0/0/3.0 (zones stanza) this listener is reachable from untrust */
          telnet {
              connection-limit 3;
          }
          web-management {
              /* plain HTTP on 8080, likewise reachable from untrust; prefer https */
              http {
                  port 8080;
              }
          }
      }
      syslog {
          user * {
              any emergency;
              security any;
          }
          /* 192.168.0.11 is Server1, the host published to untrust on tcp/21,23,80 via destination NAT - the log collector shares a box with internet-facing cleartext services */
          host 192.168.0.11 {
              any info;
              authorization info;
              security any;
              firewall any;
              explicit-priority;
          }
          file messages {
              any critical;
              authorization info;
              security any;
              firewall any;
              explicit-priority;
          }
          /* only erroring interactive commands are kept; a lower severity (e.g. info) records every operator command for audit */
          file interactive-commands {
              interactive-commands error;
          }
      }
      max-configurations-on-flash 5;
      max-configuration-rollbacks 5;
      license {
          autoupdate {
              url https://ae1.juniper.net/junos/key_retrieval;
          }
      }
  }
  /* interfaces: both ingress filters are marked inactive, so the policer terms in the firewall stanza have no effect until they are activated */
  interfaces {
      fe-0/0/2 {
          description Trust;
          unit 0 {
              family inet {
                  /* Filter-trust is defined but not applied */
                  inactive: filter {
                      input Filter-trust;
                  }
                  address 192.168.0.10/24;
              }
          }
      }
      fe-0/0/3 {
          description Untrust;
          unit 0 {
              family inet {
                  /* Filter-untrust is defined but not applied */
                  inactive: filter {
                      input Filter-untrust;
                  }
                  /* RFC 1918 address on the untrust side: the SRX apparently sits behind another device (static default to 192.168.1.1 in routing-options) rather than directly on the internet */
                  address 192.168.1.254/24;
              }
          }
      }
  }
  /* routing-options: rib-group FBF shares interface routes with To-ISP2, but no firewall filter term in this config carries a routing-instance action, so the filter-based forwarding setup appears incomplete */
  routing-options {
      interface-routes {
          rib-group inet FBF;
      }
      static {
          /* upstream gateway on the untrust segment */
          route 0.0.0.0/0 next-hop 192.168.1.1;
      }
      rib-groups {
          FBF {
              import-rib [ inet.0 To-ISP2.inet.0 ];
          }
      }
  }
  /* class-of-service: a classifier, drop profiles and schedulers are defined, but no scheduler-map or interface binding appears in this config, so they may not be applied anywhere */
  class-of-service {

      /* NOTE(review): paste artifact - the line before "dscp ccc" (presumably the enclosing "classifiers {") was dropped; the brace count below assumes it */
          >  dscp ccc {
              /* af41 -> best-effort and af11 -> expedited-forwarding is the reverse of the usual AF ordering; confirm intent */
              forwarding-class best-effort {
                  loss-priority low code-points af41;
              }
              forwarding-class expedited-forwarding {
                  loss-priority medium-high code-points af11;
              }
          }
      }
      drop-profiles {
          /* 100% drop once full */
          Drop-profile1 {
              interpolate {
                  fill-level 100;
                  drop-probability 100;
              }
          }
          /* Drop-profile2 and Drop-profile3 are not referenced by any scheduler here */
          Drop-profile2 {
              interpolate {
                  fill-level 100;
                  drop-probability 10;
              }
          }
          Drop-profile3 {
              interpolate {
                  fill-level 100;
                  drop-probability 0;
              }
          }
      }
      schedulers {
          Scheduler1 {
              transmit-rate percent 50;
              shaping-rate percent 50;
              buffer-size percent 50;
              priority medium-high;
              drop-profile-map loss-priority low protocol any drop-profile Drop-profile1;
          }
          Scheduler2 {
              transmit-rate percent 20;
              shaping-rate percent 20;
              buffer-size percent 20;
              priority medium-low;
              drop-profile-map loss-priority low protocol any drop-profile Drop-profile1;
          }
      }
  }
  /* security: the untrust->trust policy named default-deny actually permits, the untrust interface accepts every system-service, and DNAT publishes cleartext telnet/http/ftp - see inline notes */
  security {

      /* NOTE(review): paste artifact - the two ">" lines mark dropped lines, presumably "idp {" and "idp-policy Recommended {" (the name used by active-policy further down) */
          >
              >  /* This template policy covers the most important vulnerabilities. Use this template as a base line. */
              /* all nine rules rely on predefined attack groups, i.e. on the IDP signature database; no security-package update config is visible, so confirm the database is installed and current */
              rulebase-ips {
                  rule 1 {
                      /* This rule is designed to protect your networks against important TCP/IP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "IP - Critical" "IP - Minor" "IP - Major" "TCP - Critical" "TCP - Minor" "TCP - Major" ];
                          }
                      }
                      then {
                          action {
                              /* "recommended" applies the per-attack action shipped with the signature database, so the effective action varies per signature */
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 2 {
                      /* This rule is designed to protect your network against important ICMP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "ICMP - Major" "ICMP - Minor" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 3 {
                      /* This rule is designed to protect your network against important HTTP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 4 {
                      /* This rule is designed to protect your network against important SMTP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 5 {
                      /* This rule is designed to protect your network against important DNS attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "DNS - Critical" "DNS - Minor" "DNS - Major" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 6 {
                      /* This rule is designed to protect your network against important FTP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "FTP - Critical" "FTP - Minor" "FTP - Major" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 7 {
                      /* This rule is designed to protect your network against important POP3 attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "POP3 - Critical" "POP3 - Minor" "POP3 - Major" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 8 {
                      /* This rule is designed to protect your network against important IMAP attacks. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
                  rule 9 {
                      /* This rule is designed to protect your network against common internet malware. */
                      match {
                          from-zone any;
                          source-address any;
                          to-zone any;
                          destination-address any;
                          application default;
                          attacks {
                              predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ];
                          }
                      }
                      then {
                          action {
                              recommended;
                          }
                          notification {
                              log-attacks;
                          }
                      }
                  }
              }
          }
          /* the IDP policy is only enforced on security policies that carry "idp" under application-services; those lines are among the ones dropped from this paste (see policies) */
          active-policy Recommended;
      }
      /* nat: source NAT for trust->untrust via S_pool1 (matching proxy-arp below); destination NAT publishes 192.168.0.11 on tcp/23, 80 and 21 to any untrust source - all three are cleartext protocols */
      nat {
          source {
              /* S-POOL is only used by the inactive rule-set below */
              pool S-POOL {
                  address {
                      192.168.0.128/29;
                  }
              }
              pool S_pool1 {
                  address {
                      192.168.1.200/32 to 192.168.1.205/32;
                  }
              }
              address-persistent;
              /* inactive: untrust->trust source NAT, currently a no-op */
              inactive: rule-set S-RULE-SET-1 {
                  from zone untrust;
                  to zone trust;
                  rule 1000 {
                      match {
                          destination-address 192.168.1.0/24;
                      }
                      then {
                          source-nat {
                              pool {
                                  S-POOL;
                              }
                          }
                      }
                  }
              }
              rule-set SRS-1 {
                  from zone trust;
                  to zone untrust;
                  rule Srule1 {
                      match {
                          destination-address 0.0.0.0/0;
                      }
                      then {
                          source-nat {
                              pool {
                                  S_pool1;
                              }
                          }
                      }
                  }
              }
          }
          destination {
              /* all three pools point at the same host (Server1 / syslog collector); telnet and ftp carry credentials in the clear */
              pool DNAT-POOL1 {
                  address 192.168.0.11/32 port 23;
              }
              pool DNAT-POOL2 {
                  address 192.168.0.11/32 port 80;
              }
              pool DNAT-POOL3 {
                  address 192.168.0.11/32 port 21;
              }
              rule-set DNAT-RuleSet {
                  from zone untrust;
                  /* rules key on the untrust interface address itself; ports that are not translated here still terminate on the SRX, whose own telnet/http listeners are open to untrust via host-inbound-traffic "all" */
                  rule DN-r1 {
                      match {
                          source-address 0.0.0.0/0;
                          destination-address 192.168.1.254/32;
                          destination-port 23;
                      }
                      then {
                          destination-nat pool DNAT-POOL1;
                      }
                  }
                  rule DN-r2 {
                      match {
                          source-address 0.0.0.0/0;
                          destination-address 192.168.1.254/32;
                          destination-port 80;
                      }
                      then {
                          destination-nat pool DNAT-POOL2;
                      }
                  }
                  /* no source-address here, which matches any source just like the explicit 0.0.0.0/0 above */
                  rule DN-r3 {
                      match {
                          destination-address 192.168.1.254/32;
                          destination-port 21;
                      }
                      then {
                          destination-nat pool DNAT-POOL3;
                      }
                  }
              }
          }
          proxy-arp {
              /* answers ARP for the S_pool1 range so upstream can reach the NAT addresses */
              interface fe-0/0/3.0 {
                  address {
                      192.168.1.200/32 to 192.168.1.205/32;
                  }
              }
          }
      }
      screen {

          /* NOTE(review): paste artifact - the dropped line is presumably "ids-option trust-screen {" (the name the trust zone references) */
              >  icmp {
                  /* per the Junos screen docs this is a microsecond window; 1000000 (1 s) is the widest and therefore most sensitive setting, so ten pings to different hosts within a second from the LAN will trip it - confirm intent */
                  ip-sweep threshold 1000000;
              }
              limit-session {
                  /* caps concurrent sessions per source IP at 50, which is low for a busy LAN host; watch for false positives */
                  source-ip-based 50;
              }
          }

          /* NOTE(review): paste artifact - presumably "ids-option untrust-screen {" (the name the untrust zone references) */
              >  icmp {
                  ip-sweep threshold 5000;
                  fragment;
                  flood threshold 1000;
                  ping-death;
              }
              ip {
                  source-route-option;
                  tear-drop;
              }
              tcp {
                  syn-fin;
                  syn-flood {
                      alarm-threshold 1024;
                      attack-threshold 200;
                      source-threshold 1000;
                      destination-threshold 1000;
                      timeout 20;
                  }
                  land;
              }
              udp {
                  flood threshold 1000;
              }
          }
      }
      zones {
          security-zone trust {
              tcp-rst;
              address-book {
                  address ADD-NOTES-SRV 192.168.0.17/32;
                  address ADD-NOTES-SRV1 192.168.0.16/32;
                  address 192.168.0.0/24 192.168.0.0/24;
                  /* Server1 is also the syslog collector (system syslog host) and the DNAT target for tcp/21,23,80 from untrust */
                  address Server1 192.168.0.11/32;
                  /* defined but not referenced by any policy in this config */
                  address-set ADDR-SET-NOTES-SRV {
                      address ADD-NOTES-SRV;
                      address ADD-NOTES-SRV1;
                  }
              }
              screen trust-screen;
              interfaces {
                  fe-0/0/2.0 {
                      host-inbound-traffic {
                          system-services {
                              all;
                          }
                          protocols {
                              all;
                          }
                      }
                  }
              }
          }
          security-zone untrust {
              screen untrust-screen;
              interfaces {
                  fe-0/0/3.0 {
                      host-inbound-traffic {
                          /* "all" on the untrust interface exposes the SRX's own ssh (root-login allow, SSHv1), telnet and plain-HTTP management to the untrust side; restrict this to the services actually needed */
                          system-services {
                              all;
                          }
                      }
                  }
              }
          }
      }
      /* policies: untrust->trust is effectively allow-all - T-O2I-APP2 permits any application to Server1 unlogged, and the policy named default-deny has "then permit", so the trailing default-policy deny-all is never reached for this zone pair */
      policies {
          from-zone trust to-zone trust {
              policy default-permit {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                  }
              }
          }
          from-zone trust to-zone untrust {
              policy default-permit {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit {
                          application-services {

                              /* NOTE(review): paste artifact - a line was dropped here (presumably "idp;"); with the utm-policy inactive, outbound traffic gets no AV scanning */
                              >  inactive: utm-policy Default-EAV;
                          }
                      }
                      log {
                          session-close;
                      }
                  }
              }
          }
          from-zone untrust to-zone trust {
              /* any application to Server1 with no log action; narrowing this to the published ports (21/23/80) and logging it would match the DNAT exposure */
              policy T-O2I-APP2 {
                  match {
                      source-address any;
                      destination-address Server1;
                      application any;
                  }
                  then {
                      permit;
                  }
              }
              /* TEST-APP is tcp/1352 (applications stanza) to the Notes server, scanned by Default-EAV and counted */
              policy T-O2I-APP {
                  match {
                      source-address any;
                      destination-address ADD-NOTES-SRV;
                      application TEST-APP;
                  }
                  then {
                      permit {
                          application-services {

                              /* NOTE(review): paste artifact - dropped line, presumably "idp;" */
                              >  utm-policy Default-EAV;
                          }
                      }
                      log {
                          session-close;
                      }
                      count;
                  }
              }
              /* the name says deny but the action is permit (with session-init logging); if a logged deny is intended this should read "then { deny; log { session-init; } }" */
              policy default-deny {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit;
                      log {
                          session-init;
                      }
                  }
              }
          }
          /* only reached for zone pairs with no matching explicit policy, which after the permits above is none of the three pairs configured here */
          default-policy {
              deny-all;
          }
      }
      utm {
          custom-objects {
              url-pattern {
                  URL_LIST1 {
                      value [ www.sina.com.cn www.baidu.com ];
                  }
                  URL_LIST2 {
                      value [ www.google.com *.yahoo.* ];
                  }
              }
              custom-url-category {
                  URL_DENY {
                      value [ URL_LIST1 URL_LIST2 ];
                  }
              }
          }
          feature-profile {
              /* both engine types are license-dependent; confirm the AV and web-filtering licenses are present on the device */
              anti-virus {
                  type juniper-express-engine;
              }
              web-filtering {
                  url-blacklist URL_DENY;
                  type surf-control-integrated;
              }
          }
          /* Default-AV is not referenced by any policy in this config (only Default-EAV is) and its web-filtering block is inactive, so URL_DENY appears to be enforced nowhere */
          utm-policy Default-AV {
              anti-virus {
                  http-profile junos-av-defaults;
                  ftp {
                      download-profile junos-av-defaults;
                  }
                  smtp-profile junos-av-defaults;
                  pop3-profile junos-av-defaults;
              }
              inactive: web-filtering {
                  http-profile junos-wf-cpa-default;
              }
          }
          /* express-AV profile used by the untrust->trust Notes policy (and, inactive, by the outbound default-permit) */
          utm-policy Default-EAV {
              anti-virus {
                  http-profile junos-eav-defaults;
                  ftp {
                      upload-profile junos-eav-defaults;
                      download-profile junos-eav-defaults;
                  }
                  smtp-profile junos-eav-defaults;
                  pop3-profile junos-eav-defaults;
                  imap-profile junos-eav-defaults;
              }
          }
      }
  }
  /* firewall: Policer1 (50 kbps) is referenced only from Filter-trust / Filter-untrust, and both filters are inactive on their interfaces, so nothing is policed today */
  firewall {
      policer Policer1 {
          if-exceeding {
              bandwidth-limit 50k;
              burst-size-limit 5k;
          }
          then discard;
      }
      family inet {
          filter Filter-trust {
              term For-Ping {
                  from {
                      protocol icmp;
                  }
                  /* action modifiers only - Junos implicitly accepts a packet that matches a term with no terminating action, so ICMP is accepted with these CoS markings */
                  then {
                      loss-priority low;
                      forwarding-class expedited-forwarding;
                  }
              }
              /* 50 kbps for ftp - and, in the next term, for http/https - will be very noticeable once the filter is activated */
              term ftTerm-Limit-ftp {
                  from {
                      destination-port [ ftp ftp-data ];
                  }
                  then policer Policer1;
              }
              term ftTerm10 {
                  from {
                      destination-port [ http https ];
                  }
                  then policer Policer1;
              }
              term ftTerm-default {
                  then accept;
              }
          }
          filter Filter-untrust {
              /* only echo replies get the CoS treatment on the untrust side */
              term For-Ping {
                  from {
                      protocol icmp;
                      icmp-type echo-reply;
                  }
                  then {
                      loss-priority low;
                      forwarding-class expedited-forwarding;
                  }
              }
              /* the two policer terms below are inactive as well, so this filter is currently accept-all */
              inactive: term ftTerm-Limit-ftp {
                  from {
                      source-port ftp-data;
                  }
                  then policer Policer1;
              }
              inactive: term ftTerm10 {
                  from {
                      source-port [ http https ];
                  }
                  then policer Policer1;
              }
              term ftTerm-default {
                  then accept;
              }
          }
      }
  }
  /* access: address pool covering the whole trust subnet; no DHCP service is visible in this config, so the pool looks unused here - confirm on the device */
  access {
      address-assignment {
          pool AccGrp {
              family inet {
                  network 192.168.0.0/24;
              }
          }
      }
  }
  /* routing-instances: forwarding instance fed by rib-group FBF; its default route lists 192.168.0.2 as an alternative next hop, which is inside the trust subnet - confirm that is intended */
  routing-instances {
      To-ISP2 {
          instance-type forwarding;
          routing-options {
              static {
                  route 0.0.0.0/0 {
                      next-hop [ 202.200.127.10 192.168.0.2 ];
                      /* preference 3 beats the default static preference of 5 */
                      preference 3;
                  }
              }
          }
      }
  }
  /* applications: TEST-APP is tcp/1352 (the IANA lotusnote port), consistent with the ADD-NOTES-SRV naming in the trust address book */
  applications {
      application TEST-APP {
          term 1 protocol tcp destination-port 1352;
      }
  }