新增Juniper SRX550 防火牆規則
以telnet登入Juniper SRX550進入設定模式,指令:
configure
新增StaticNAT指令範例:
set security nat static rule-set NAT rule Static-Rule1 match destination-address 192.168.0.91/32
set security nat static rule-set NAT rule Static-Rule1 then static-nat prefix 10.220.21.2/32
說明:
Static-Rule[序號] 序號依照防火牆上最後一筆資料遞增
destination-address
[public IP]
prefix [private IP]
新增客戶來源IP指令範例:
set security address-book global address 192.168.0.127/32 192.168.0.127/32
說明:
address [命名][ip/mask]
若客戶來源IP很多,可將客戶IP群組化,指令範例:
set security address-book global
address-set ADM address 192.168.0.127/32
set security address-book global
address-set ADM address 192.168.0.128/32
set security address-book global
address-set ADM address 192.168.0.129/32
說明:
address-set [群組名稱] address [ip/mask]
新增客戶使用的port資訊指令範例:
set applications
application tcp_20 protocol tcp
set applications
application tcp_20 destination-port 20
說明:
application [port名稱] protocol [協定]
application [port名稱] destination-port [port-number]
若客戶使用的PORT很多,可將PORT群組化,指令範例:
set applications application-set tcp_80_8080 application tcp_80
set applications application-set tcp_80_8080 application tcp_8080
說明:
application-set [群組名稱] application [port名稱]
新增規則指令範例:
set security policies from-zone untrust to-zone trust policy
Rule707 match source-address 192.168.0.40/32
set security policies from-zone untrust to-zone trust policy
Rule707 match destination-address 10.200.4.212/32
set security policies from-zone untrust to-zone trust policy
Rule707 match application tcp_20_21_3389
set security policies from-zone untrust to-zone trust policy
Rule707 then permit
說明:
set security policies from-zone [來源zone] to-zone [目的zone] policy [規則名稱] match source-address [來源IP/mask]
set security policies from-zone [來源zone] to-zone [目的zone] policy [規則名稱] destination-address [目的IP/mask]
set security policies from-zone [來源zone] to-zone [目的zone] policy [規則名稱] application [port名稱]
set security policies from-zone [來源zone] to-zone [目的zone] policy [規則名稱] then [執行動作]
刪除語法,只要將上述範例的 set 改為 delete 即可,範例:
delete security nat static rule-set NAT rule Static-Rule1 match destination-address 192.168.0.91/32
=====
除了telnet、ssh以外,也可以透過 junos web ui 或是web CLI Editor 也可以進行操作
junos web ui 是視窗化介面,比較貼近使用者操作上手容易,但是細部的設定就無法進行
web CLI Editor 是在 junos web ui 的其中一個功能,裡面的語法格式類似 C語言,有學過程式設計的人非常容易上手
更進階的方式是 junos web ui 內的 Point and Click CLI設定方式接近 junos web ui 但是可設定的東西就比 junos web ui 多出非常多,也非常非常詳細
沒有留言:
張貼留言