Juniper防火墙配置模板.ppt

* Copyright ? 2009 Juniper Networks, Inc. * Copyright ? 2009 Juniper Networks, Inc. JUNIPER 防火墙标准配置模板 认证设置 set auth-server ACS-Radius id 1 set auth-server ACS-Radius server-name x.x.x.x set auth-server ACS-Radius backup1 x.x.x.x set auth-server ACS-Radius account-type admin set auth-server ACS-Radius radius secret “abc“ set admin auth server ACS-Radius set admin privilege get-external 时钟设置 set clock dst-off set clock ntp set clock timezone 8 set clock time xxxx set ntp server “x.x.x.x“ set ntp server backup1 “y.y.y.y set ntp server backup2 “z.z.z.z set ntp max-adjustment 0 set ntp no-ha-sync ZONE配置 set zone “zone name” vrouter “untrust-vr“ 此命令根据实际业务需要添加 unset zone “zone name” tcp-rst set zone “zone name” block set zone trust screen alarm-without-drop 开启trust区的只告警不丢包 unset zone “untrust screen xxx 根据实际业务环境关闭不必要的攻击告警 set zone untrust screen syn-flood alarm-threshold 200 set zone untrust screen syn-flood attack-threshold 2000 此命令根据实际业务流量添加 set zone “zone name” screen limit-session source-ip-based “number” 此命令根据实际业务需要添加 INTERFACE配置 set interface interface name zone zone name set interface “interface name” route set interface “interface name” ip x.x.x.x/xx set/unset interface “interface name” ip manageable 根据所在ZONE打开或关闭端口可管理性 set interface “interface name” manage-ip x.x.x.y 如果可管理，设置管理IP set interface “interface name” manage xxx 根据管理需求，设置端口的管理属性 set interface mgt ip x.x.x.x/24 set route y.y.y.0/24 interface mgt gateway x.x.x.254 FLOW配置 set flow syn-proxy syn-cookie unset flow tcp-syn-check set/unset flow tcp-syn-bit-check 根据实际业务特征打开或关闭syn检查 set flow no-tcp-seq-check set flow reverse-route clear-text prefer NSRP配置 set nsrp cluster id 1 set nsrp vsd-group id 0 priority 50 主防火墙配置 set nsrp vsd-group id 0 priority 100 备防火墙配置 set nsrp rto-mirror sync set nsrp rto-mirror session ageout-ack unset nsrp rto-mirror session ping set nsrp monitor interface ethernet */* set nsrp vsd-group master-always-exist set nsrp monitor track-ip ip set nsrp monit