Juniper SRX firewalls run the Junos operating system. This is a brief introduction to the basic Junos commands at the system hierarchy level, which holds the firewall's system configuration: user accounts, remote access methods, logging and similar settings.
1. Creating users (changing the root user's password, creating ordinary users)
[edit]
admin@SRX#
[edit]
admin@SRX#
Junos default login classes (user permission levels)
[edit]
admin@SRX# set system login user admin class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
[edit]
admin@SRX# set system login user admin class
Viewing a user's permissions
show cli authorization
set system login user admin class class-test
set system login user admin authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"
admin@SRX> show cli authorization
Current user: 'admin' class 'class-test'
Permissions:
admin -- Can view user accounts
.........
all-control -- Can modify any configuration
Individual command authorization:
Allow configuration regular expression: none
Deny configuration regular expression: shell|configuration|request
admin@SRX>
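As an added example (not part of the original post), the following Python parses the "show cli authorization" output shown above into a structure and evaluates a configuration statement against the class's allow/deny configuration regular expressions. The sample output is constructed from the page's format; the precedence rule applied (an allow-configuration match overrides a deny-configuration match) is an assumption stated in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of "show cli authorization" on this page
# (permission list shortened to the two entries the page shows).
SAMPLE_OUTPUT = """\
Current user: 'admin' class 'class-test'
Permissions:
    admin -- Can view user accounts
    all-control -- Can modify any configuration
Individual command authorization:
    Allow configuration regular expression: none
    Deny configuration regular expression: shell|configuration|request
"""


@dataclass
class CliAuthorization:
    user: str
    login_class: str
    permissions: Dict[str, str]          # permission flag -> description
    allow_config: Optional[str]          # None when the output says "none"
    deny_config: Optional[str]

    def statement_denied(self, statement: str) -> bool:
        """Decide whether a configuration statement path (without the leading
        'set') is blocked for this class. Assumption: a match on the allow
        regex takes precedence over a match on the deny regex."""
        if self.allow_config and re.search(self.allow_config, statement):
            return False
        if self.deny_config and re.search(self.deny_config, statement):
            return True
        return False


def _regex_or_none(value: str) -> Optional[str]:
    value = value.strip()
    return None if value.lower() == "none" else value


def parse_cli_authorization(text: str) -> CliAuthorization:
    """Parse the CLI output into a CliAuthorization record."""
    user = login_class = ""
    permissions: Dict[str, str] = {}
    allow = deny = None
    in_permissions = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Current user: '(.+?)' class '(.+?)'", line)
        if m:
            user, login_class = m.group(1), m.group(2)
            continue
        if line == "Permissions:":
            in_permissions = True
            continue
        if line.startswith("Individual command authorization"):
            in_permissions = False
            continue
        m = re.match(r"Allow configuration regular expression: (.+)", line)
        if m:
            allow = _regex_or_none(m.group(1))
            continue
        m = re.match(r"Deny configuration regular expression: (.+)", line)
        if m:
            deny = _regex_or_none(m.group(1))
            continue
        m = re.match(r"(\S+) -- (.+)", line)
        if in_permissions and m:
            permissions[m.group(1)] = m.group(2)
    return CliAuthorization(user, login_class, permissions, allow, deny)


def least_privilege_findings(auth: CliAuthorization) -> List[str]:
    """Flag classes that can change any configuration without a deny regex."""
    findings = []
    if "all" in auth.permissions:
        findings.append("class has the 'all' permission (super-user equivalent)")
    if "all-control" in auth.permissions and auth.deny_config is None:
        findings.append("class can modify any configuration and has no deny-configuration regex")
    return findings


if __name__ == "__main__":
    auth = parse_cli_authorization(SAMPLE_OUTPUT)
    print(auth.user, auth.login_class, sorted(auth.permissions))
    print("deny 'system login user bob shell csh':",
          auth.statement_denied("system login user bob shell csh"))
    print("findings:", least_privilege_findings(auth))
```

Run against real output captured from the device, the parser gives a quick way to document which classes can reach the shell or the configuration before handing accounts out.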
2. Configuring RADIUS authentication on the SRX firewall
Specify the RADIUS server:
set system radius-server 10.250.0.254 secret "$9$5znCO1hKMXtuMX7-2gTz3"
set system radius-server 10.250.0.254 source-address 10.10.1.1
3. Configuring NTP time synchronization on the SRX firewall
Note: when more than one NTP server is configured, use prefer to choose the preferred one.
admin@SRX> set date ntp 100.100.100.1 / force an immediate NTP synchronization
Configure NTP authentication
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$g8aGiP5FApBk.pBIEeK4aZ"
set system ntp server 100.100.100.1 key 1 / specify the authentication key for a single server
set system ntp trusted-key 1 / specify the trusted key for all servers
4. Enabling remote access services on the firewall
Enable the firewall services
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
Tune the services
(1) FTP, Telnet, SSH
set system services ftp connection-limit 10
set system services ftp rate-limit 10
set system services ssh root-login deny
set system services telnet connection-limit 10
set system services telnet rate-limit 10
(2) Web
set system services web-management management-url admin
set system services web-management http
set system services web-management https port 8443
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic protocols ?
Possible completions:
all All protocols
bfd Bidirectional Forwarding Detection
bgp Border Gateway Protocol
dvmrp Distance Vector Multicast Routing Protocol
igmp Internet Group Management Protocol
msdp Multicast Source Discovery Protocol
nhrp Next Hop Resolution Protocol
ospf Open Shortest Path First
ospf3 Open Shortest Path First version 3
pgm Pragmatic General Multicast
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
sap Session Announcement Protocol
vrrp Virtual Router Redundancy Protocol
Alternatively, permit the traffic in a security policy.
5. SNMP (v2c)
Basic SNMP configuration:
set snmp community public authorization read-only
6. System log configuration
Junos control-plane logs can be sent to a log server, written to a log file, or output directly on the CLI.
set system syslog archive size 1m
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog host 10.10.1.100 any notice
set system syslog host 10.10.1.100 authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog console any warning
set system syslog time-format year
set system syslog source-address 10.10.1.1
set system syslog file messages match "!(kernel time sync enabled)" / filter log entries
Junos data-plane logs: send the generated session state information to the log server
set security log mode stream
set security log source-address 10.10.1.1
set security log stream log severity notice
set security log stream log host 10.10.1.10
7. Setting console parameters
set system ports console log-out-on-disconnect
set system ports console disable
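The sections above leave the reader with a set of commands but no way to check that a finished configuration actually matches the hardening they describe (SSH root login denied, no plaintext management services, authenticated NTP, a remote syslog host, non-default SNMP community). As an added example, not part of the original post, the Python below audits set-style Junos configuration text for those points. Both configurations are constructed here from the page's own commands; the finding strings and check names are this example's, not Junos output. One caveat for anyone handling such dumps: values shown as "$9$..." are reversibly obfuscated by Junos, not hashed, so a configuration file containing them should be treated as containing the cleartext secrets.

```python
import re
from typing import List

# Constructed sample assembled from the set-commands on this page: the
# management services, NTP, SNMP and syslog statements as the page shows them.
BASELINE_CONFIG = """\
set system services ftp
set system services ssh
set system services ssh root-login deny
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system ntp server 100.100.100.1 key 1
set system ntp trusted-key 1
set snmp community public authorization read-only
set system syslog archive world-readable
set system syslog host 10.10.1.100 any notice
set system syslog file messages any notice
"""

# Constructed hardened variant: plaintext services removed, SNMP community
# renamed (community name is an assumption for this example).
HARDENED_CONFIG = """\
set system services ssh
set system services ssh root-login deny
set system services web-management https system-generated-certificate
set system ntp server 100.100.100.1 key 1
set system ntp trusted-key 1
set snmp community monitoring-ro authorization read-only
set system syslog host 10.10.1.100 any notice
set system syslog file messages any notice
"""


def parse_set_config(text: str) -> List[str]:
    """Return the statement paths of all 'set ...' lines, without the 'set'."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            statements.append(line[4:].strip())
    return statements


def audit(text: str) -> List[str]:
    """Return a list of findings for the hardening points covered on this page."""
    stmts = parse_set_config(text)

    def present(prefix: str) -> bool:
        # A statement matches if it equals the prefix or extends it by a token.
        return any(s == prefix or s.startswith(prefix + " ") for s in stmts)

    findings: List[str] = []
    if present("system services telnet"):
        findings.append("telnet enabled: plaintext management protocol")
    if present("system services ftp"):
        findings.append("ftp enabled: plaintext file transfer")
    if present("system services ssh") and not present("system services ssh root-login deny"):
        findings.append("ssh permits root login: set 'root-login deny'")
    if present("system services web-management http"):
        findings.append("web-management http enabled: serve the UI over https only")
    for s in stmts:
        m = re.match(r"snmp community (\S+)", s)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"snmp community '{m.group(1)}': well-known default name")
        m = re.match(r"system ntp server (\S+)(?: (.*))?$", s)
        if m and "key" not in (m.group(2) or "").split():
            findings.append(f"ntp server {m.group(1)} has no authentication key")
    if not any(s.startswith("system syslog host ") for s in stmts):
        findings.append("no remote syslog host: logs exist only on the device")
    if present("system syslog archive world-readable"):
        findings.append("syslog archives are world-readable on the device")
    return findings


if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

The input is the "show configuration | display set" form, so the same function can be pointed at a saved configuration backup; the checks are deliberately prefix-based so that a statement such as "web-management https ..." is not mistaken for "web-management http".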
The above is the basic configuration of a Junos firewall, offered for reference.
Original address: https://blog.51cto.com/ciscosyh/2362455