2.1Juniper防火墙基本安全策略.pptVIP

Multi-Cell Policy Creation – WebUI Multi-Cell Policy Creation - WebUI “Negate the Following” – apply policy to all except the listed addresses Multi-Cell Policy Creation – CLI ns208- set policy from private to external my-pc any any permit policy id = 5 ns208- set policy id 5 ns208(policy:5)- set ? attack attack group av AntiVirus (CSP) scanning count counting option dst-address destination address idp-alert-disable disable idp alert log logging option name policy name service service severity attack severity src-address source address ns208(policy:5)- set src-address ? negate modify negattion setting for this dimension name string name ns208(policy:5)- set src-address Viewing Multi-Cell Policies ns208- get policy Total regular policies 2, Default deny. ID From To Src-address Dst-address Service Action State ASTLCB 11 Private External my-otherPC Any FTP Permit enabled -----X my-pc HTTP PING Modifying Multi-Cell Policies ns208- set policy id 11 ns208(policy:11)- unset ? attack attack group av AntiVirus (CSP) scanning dst-address destination address ims-alert ims alert option ims-log ims log option service service severity attack severity src-address source address ns208(policy:11)- Common Problems Ordering problems Names ? addresses Group memberships Names ? Addresses Policy list shows address names, not actual entries Would this make any difference in this example? Group Membership Global Zone Use to create default policies set policy from global to global source_addr dest_addr service [permit | deny] Modifying/Removing Policies, Addresses, Services Modifying WebUI: click on Edit, make chan