一��、管理配置
1.1 主機(jī)名
成都創(chuàng)新互聯(lián)是一家企業(yè)級(jí)云計(jì)算解決方案提供商,超15年IDC數(shù)據(jù)中心運(yùn)營(yíng)經(jīng)驗(yàn)�����。主營(yíng)GPU顯卡服務(wù)器��,站群服務(wù)器��,服務(wù)器主機(jī)托管���,海外高防服務(wù)器�,機(jī)柜大帶寬����、租用·托管,動(dòng)態(tài)撥號(hào)VPS����,海外云手機(jī),海外云服務(wù)器�����,海外服務(wù)器租用托管等���。
root@SRX550# set system host-name SRX550
1.2 設(shè)置時(shí)區(qū)
root@SRX550# set system time-zone Asia/Shanghai
1.3 開啟遠(yuǎn)程服務(wù)
root@SRX550# set system services ssh
root@SRX550# set system services telnet
1.4 開啟web管理并允許從0/0/1接口管理
root@SRX550# set system services web-management https system-generated-certificate
root@SRX550# set system services web-management https interface ge-0/0/1.0
1.5 配置SNMP讀寫團(tuán)體字
root@SRX550# set snmp community xmcyy authorization read-write
二�����、用戶配置
2.1 設(shè)置root密碼,新設(shè)備第一步必須先設(shè)置root密碼
root@SRX550#set system root-authentication plain-text-password
2.2 設(shè)置用戶admin,權(quán)限超級(jí)級(jí)管理員
root@SRX550#set system login user admin uid 2000
root@SRX550#set system login user admin class super-user
三、接口配置
3.1 配置三層接口
root@SRX550# set interfaces ge-0/0/0 unit 0 family inet address 110.250.250.2/24
root@SRX550# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
3.2 將1口加入trust域
root@SRX550# set security zones security-zone trust interfaces ge-0/0/1.0
3.3 將0口加入untrust域
root@SRX550# set security zones security-zone untrust interfaces ge-0/0/0.0
四��、路由配置
4.1 默認(rèn)路由
root@SRX550# set routing-options static route 0.0.0.0/0 next-hop 110.250.250.1
4.2 靜態(tài)路由
root@SRX550# set routing-options static route 172.16.0.0/24 next-hop 192.168.1.254
五��、策略配置
5.1 創(chuàng)建端口組Service_1433及對(duì)應(yīng)端口:
root@SRX550# set applications application Service_1433 term Service_1433 protocol tcp
root@SRX550# set applications application Service_1433 term Service_1433 source-port 0-65535
root@SRX550# set applications application Service_1433 term Service_1433 destination-port 1433-1433
5.2 創(chuàng)建應(yīng)用組Service_allow,并將Service_1433加入到應(yīng)用組:
root@SRX550# set applications application-set Service_allow application Service_1433
5.3 創(chuàng)建地址組
root@SRX550# set security zones security-zone trust address-book address 172.16.0.0/24 172.16.0.0/24
root@SRX550# set security zones security-zone trust address-book address 172.16.0.253/32 172.16.0.253/32
5.4 創(chuàng)建地址池neiwang_allow����,并將允許訪問外網(wǎng)的地址組加入進(jìn)來
root@SRX550# set security zones security-zone trust address-book address-set neiwang_allow address 172.16.0.0/24
5.5 創(chuàng)建域間規(guī)則策略從trust到untrust
root@SRX550# set security policies from-zone trust to-zone untrust policy 1 match source-address neiwang_allow
root@SRX550# set security policies from-zone trust to-zone untrust policy 1 match destination-address any
root@SRX550# set security policies from-zone trust to-zone untrust policy 1 match application any
root@SRX550# set security policies from-zone trust to-zone untrust policy 1 then permit
5.6 創(chuàng)建域間規(guī)則策略從untrust到trust,允許訪問內(nèi)部172.16.0.253的1433端口
root@SRX550# set security policies from-zone untrust to-zone trust policy 1 match source-address any
root@SRX550# set security policies from-zone untrust to-zone trust policy 1 match destination-address 172.16.0.253
root@SRX550# set security policies from-zone untrust to-zone trust policy 1 match application Service_allow
root@SRX550# set security policies from-zone untrust to-zone trust policy 1 then permit
六���、NAT配置
請(qǐng)參考:Juniper SRX550防火墻NAT配置
分享文章:JuniperSRX550防火墻之基本配置
轉(zhuǎn)載注明:
http://weahome.cn/article/jdisoi.html
重慶分公司
重慶分公司
