[Experience sharing] Juniper SRX common commands

Posted on 2018-7-27 13:15:12
Basic commands (the three lines below are the author's shorthand and are incomplete in the original post):
rollback
set interface
set routing-options static

set system login user admin
(the login class statement for this user did not survive extraction; Junos requires one, e.g. class super-user, before the commit succeeds)
set system login user admin authentication plain-text-password
(enter the password when prompted)
set system services ssh
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services telnet
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
(the original wrote the services as "ssh/telnet/ping"; Junos takes one service per set line. Telnet is a plaintext protocol, so on the untrust side ssh alone is the safer choice.)
set security zones security-zone untrust interfaces ge-0/0/0
(an interface that is not assigned to a zone cannot be used in NAT configuration)
set security zones security-zone trust interfaces ge-0/0/1
###### set security zones security-zone trust interfaces ge-0/0/1 ??? ######
set interfaces interface-range interfaces-trust member ge-0/0/1 ????
(the "???" marks are the author's own open questions)

##########
Static NAT (the rule-set below is in fact interface-based source NAT):
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
set security zones security-zone trust address-book address 192 192.168.0.0/23
set security zones security-zone trust address-book address-set 192nat address 192
set security policies from-zone trust to-zone untrust policy 192nat match source-address any
set security policies from-zone trust to-zone untrust policy 192nat match destination-address any
set security policies from-zone trust to-zone untrust policy 192nat match application any
set security policies from-zone trust to-zone untrust policy 192nat then permit

##########
Force 172.16.0.12 to egress via the .150 address (by default it egresses via the physical interface address .146):
set security nat source pool pool-1 address 121.9.255.112
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou
(NAT rules are evaluated in order; the insert places the host-specific rule ahead of the catch-all rule-sou so it is matched first)

##########
Port mapping (static PAT), from outside to inside:
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/24
set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/24
set security nat destination pool dnat-pool-1 address 192.168.0.9/32
set security nat destination pool dnat-pool-2 address 172.16.0.12/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/24
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/24
set security nat destination rule-set dst-nat rule rule2 match destination-port 443
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
(a /24 in the proxy-arp and destination-address match covers the whole subnet, not just the .100 host; for a single-host mapping a /32 is the usual choice)
set security zones security-zone trust address-book address ftpserver 192.168.0.9
set security zones security-zone trust address-book address mailserver 172.16.0.12
set security zones security-zone trust address-book address-set servergroup address ftpserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit
set applications application 443 protocol tcp
set applications application 443 destination-port 443

##########
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1

##########
Management ports:
set system services web-management https
set system services web-management http
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0
(http interface all and http on ge-0/0/0.0 expose plaintext J-Web on the untrust side; keeping only https there is the safer setting)

##########
Define the port/application set XXX_group:
set applications application smtp_25 destination-port 25 protocol tcp
set applications application pop3_110 destination-port 110 protocol tcp
set applications application exchange_135 destination-port 135 protocol tcp
set applications application smtp_465 destination-port 465 protocol tcp
set applications application imap_993 destination-port 993 protocol tcp
set applications application pop3_995 destination-port 995 protocol tcp
set applications application-set mail_port_group application smtp_25
set applications application-set XXX_group application smtp
set applications application-set XXX_group application pop3
Reference XXX_group:
set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group

##########
Reverse static NAT, from outside to inside:
set security nat static rule-set mail-static-nat from zone untrust
set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32
set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32
Corresponding security policy:
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application any
(or match application XXX_group to restrict to the mail ports)
set security policies from-zone untrust to-zone trust policy mail-policy then permit
(Mail_ser and FTP_ser are address-book entries referenced here but not defined anywhere in this post)
Insert a policy:
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any
set security policies from-zone trust to-zone untrust policy deny_172 match application any
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust
(Trust2Utrust is the policy that permits internet access; the deny must sit ahead of it because policies are evaluated top-down and the first match wins)

##########
Block the 192 subnet from the internet, allowing only 192.168.0.2 and 192.168.0.121:
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address FTP_ser
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
set security zones security-zone trust address-book address-set deny_192_online address deny_192
Corresponding security policies:
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy deny_192_online match application any
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
(run the two inserts in this order: the second insert lands directly before deny_172, i.e. after permit_192_online, so the allowed hosts are matched before the subnet-wide deny)

##########
Configure web management:
set system host-name Test
set system root-authentication encrypted-password "$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."
set system name-server 202.96.128.166
set system name-server 202.96.128.86
set system login user admin uid 2001
set system login user admin
(the login class statement did not survive extraction; see the note above)
set system login user admin authentication encrypted-password HJuZerSULPfkA
set system services ssh
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.8.125/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

##########
Open service ports on Untrust:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
(system-services all on the untrust zone exposes every management service of the SRX to the internet; list only the services actually needed there)
Configure the default route and NAT:
set routing-options static route 0.0.0.0/0 next-hop 192.168.8.1
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-sou match source-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-sou then source-nat interface
Policy permitting outbound traffic from the inside:
set security policies from-zone trust to-zone untrust policy in_out match source-address any
set security policies from-zone trust to-zone untrust policy in_out match destination-address any
set security policies from-zone trust to-zone untrust policy in_out match application any
set security policies from-zone trust to-zone untrust policy in_out then permit

##########
UTM: anti-virus
set security utm utm-policy test-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy test-policy anti-virus imap-profile junos-av-defaults
set security utm utm-policy test-policy anti-spam smtp-profile junos-as-defaults
set security utm utm-policy test-policy traffic-options sessions-per-client over-limit log-and-permit
set security utm utm-policy web-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy web-policy traffic-options sessions-per-client over-limit log-and-permit
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit application-services utm-policy web-policy
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application mail_port_group
set security policies from-zone untrust to-zone trust policy mail-policy then permit application-services utm-policy test-policy
set security policies from-zone untrust to-zone trust policy Ftp-Policy match source-address any
set security policies from-zone untrust to-zone trust policy Ftp-Policy match destination-address FTP_ser
set security policies from-zone untrust to-zone trust policy Ftp-Policy match application junos-ftp
set security policies from-zone untrust to-zone trust policy Ftp-Policy then permit application-services utm-policy test-policy
(the last line was garbled in the original post and is reconstructed from the pattern of the neighbouring policies)
admin@KDS_FW> show security utm anti-spam statistics

##########
dynamic *** configuration:
run show chassis routing-engine
(shows CPU utilisation: user and idle)
show configuration | display set | match utm
show log utmd-av | last
clear log utmd-av

##########
Packet capture (flow traceoptions) configuration:
"Could you please configure the following traceoption and send the log file. You can create the packet filter as follows."
set security flow traceoptions file debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter filter1 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80
set security flow traceoptions packet-filter filter2 source-prefix <ip-address> destination-prefix <ip-address> destination-port 80
commit
(the second filter is for the return traffic; the original post wrote "traceoption", the Junos keyword is traceoptions. Note that return packets carry port 80 as their source port, so the return-direction filter needs the prefixes swapped and source-port 80 rather than destination-port 80 to match anything)
show log debug
request system license update
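An added Python script, not part of the original post, that scans a configuration in display-set form for three of the exposure patterns that appear in the snippets above: system-services all on the untrust zone, J-Web over plaintext HTTP, and a permit any/any/any policy from untrust. The sample configuration and the check logic are constructed here; it assumes one match field per policy match line.

```python
"""Audit a Junos SRX 'display set' configuration for exposure issues.
Added example, not from the original post; checks and SAMPLE_CONFIG are
constructed here, assuming one match field per 'policy ... match' line."""
import re

# Constructed sample: risky lines seen in the post beside harmless ones.
SAMPLE_CONFIG = """
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0
set security policies from-zone untrust to-zone trust policy open match source-address any
set security policies from-zone untrust to-zone trust policy open match destination-address any
set security policies from-zone untrust to-zone trust policy open match application any
set security policies from-zone untrust to-zone trust policy open then permit
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy then permit
"""

HOST_INBOUND = re.compile(r"^set security zones security-zone (\S+) (?:interfaces (\S+) )?"
                          r"host-inbound-traffic system-services (\S+)$")
WEB_HTTP = re.compile(r"^set system services web-management http interface (\S+)$")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(?:match (\S+) (\S+)|then (\S+))")


def audit(config: str, untrust_zones=("untrust",)) -> list:
    """Return one finding string per risky setting, in configuration order."""
    findings, policies = [], {}
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        if (m := HOST_INBOUND.match(line)) and m[1] in untrust_zones and m[3] == "all":
            # Every management service is reachable from the untrusted side.
            findings.append(f"{m[1]}: system-services all on {m[2] or 'whole zone'}")
        elif m := WEB_HTTP.match(line):
            # J-Web over plaintext HTTP: credentials cross the wire unencrypted.
            findings.append(f"plaintext HTTP management on interface {m[1]}")
        elif m := POLICY.match(line):
            entry = policies.setdefault((m[1], m[2], m[3]), {})
            if m[4]:
                entry[m[4]] = m[5]      # match field -> value
            else:
                entry["action"] = m[6]  # then permit / deny
    for (src, dst, name), p in policies.items():
        wide_open = all(p.get(f) == "any" for f in
                        ("source-address", "destination-address", "application"))
        if src in untrust_zones and p.get("action") == "permit" and wide_open:
            findings.append(f"policy {name} ({src}->{dst}): permit any/any/any")
    return findings
```

Feed it the output of show configuration | display set to audit a live box; mail-policy in the sample produces no finding because its destination is a named address rather than any.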

Thread: https://www.yunweiku.com/thread-542123-1-1.html