Terminology

Cluster-id #: range 0-15; a value of 0 means the device is not part of a chassis cluster (no HA).
Group #: horizontal (redundancy group); used for data-plane control.
Node id #: vertical; identifies the member, SRX1 or SRX2.
gr: GRE tunnel interface
ip: IP-over-IP tunnel interface
ge: Gigabit Ethernet interface
ae: aggregated Ethernet interface
as: aggregated SONET/SDH interface
fxp0: out-of-band management port. Independent of HA; its configuration is not synchronized between the nodes.
fxp1 (control link): control-plane heartbeat port. Which physical port it uses depends on the model; it is not configured manually.
(See: https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-verification.html)
fab (fabric link)#: data-plane heartbeat. Module type 1GE or 10GE.
reth#: redundant Ethernet interface that forwards traffic; one physical interface from each SRX is bundled into a reth#. Think of it as a redundant port group.

View forwarding sessions
show security flow session
View NAT details
show security nat source rule all

User configuration

Change and configure the root password
set system root-authentication plain-text-password
New password:
Retype new password:

Create a user
set system login user vtg uid 101 class super-user // super-user grants full privileges
set system login user vtg authentication plain-text-password
New password:
Retype new password:
show cli authorization // view the current user's privileges

Internet access configuration

1. Configure interface IP addresses
set interfaces ge-0/0/0.0 family inet address 124.207.100.1/24 // note the prefix-length form of the mask

Equivalent long form:
set interfaces ge-0/0/0 unit 0 family inet address 124.207.100.1/24
2. Assign interfaces to security zones
set security zones security-zone untrust interfaces ge-0/0/0.0 // put ge-0/0/0.0 in the untrust zone
set security zones security-zone trust interfaces ge-0/0/1.0
3. Enable the services the interface may accept (host-inbound-traffic)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
Note: use the logical interface (ge-0/0/0.0), the same name that was placed in the zone. Also, telnet and http are cleartext; opening them on the Internet-facing untrust interface exposes management credentials to anyone on the path. In practice enable only ssh/https (or only ping) on untrust and manage the device through fxp0 or an interface in a trusted zone.
4. Create the global address book
set security address-book global address vlan10 192.168.10.0/24
set security address-book global address vlan20 192.168.20.0/24
set security address-book global address vlan30 192.168.30.0/24
Put the addresses above into an address set:
set security address-book global address-set Inside_network address vlan10
set security address-book global address-set Inside_network address vlan20
set security address-book global address-set Inside_network address vlan30

Note: NAT rules must reference addresses from the global address book, otherwise the commit fails; global is a built-in object, so the addresses must be placed there.
5. Source NAT
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule id1 match source-address 192.168.10.0/24 // a single IP or a single subnet

Or, instead of the line above, reference the address set created earlier:
set security nat source rule-set src-nat rule id1 match source-address-name Inside_network
set security nat source rule-set src-nat rule id1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule id1 then source-nat interface // translate to the egress interface address

6. Destination NAT
A NAT pool must be configured first.
Example: publish an internal OA server to the Internet
set security nat destination pool oa_web address 192.168.10.11/32 port 23 // server address 192.168.10.11; traffic is delivered to port 23 on the server
Destination NAT rule
set security nat destination rule-set dst_nat from zone untrust
set security nat destination rule-set dst_nat rule id1 match destination-address 124.207.100.2/32
set security nat destination rule-set dst_nat rule id1 match destination-port 8080
set security nat destination rule-set dst_nat rule id1 match protocol tcp
set security nat destination rule-set dst_nat rule id1 then destination-nat pool oa_web // translation target: the pool configured above
Note: 124.207.100.2 is not the address of ge-0/0/0.0 (124.207.100.1), so the SRX will not answer ARP for it unless proxy ARP is enabled on that interface (see the proxy-ARP step in the NAT section below). A security policy from untrust to trust that permits the traffic is also required; policy lookup happens after destination NAT, so that policy must match the translated address 192.168.10.11 and port 23, not 124.207.100.2:8080.
7. Security policies
Default policies
trust to trust   --- permit any any  (default-permit)
trust to untrust --- permit any any  (default-permit)
untrust to trust --- deny any any    (default-deny)
set security policies from-zone trust to-zone untrust policy default-permit match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

Suggested naming for new policies: policy_id1* (policy_id10, policy_id11, ...)
set security policies from-zone untrust to-zone trust policy policy_id10 match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy policy_id10 then permit
Caution: this policy permits everything from untrust into trust and cancels the default deny. Scope it to the published server and port instead.

Adjusting policy order (priority)
after   Insert after given data element
before  Insert before given data element
insert security policies from-zone trust to-zone untrust policy new_policy before policy default-permit // new_policy and default-permit are both policy names
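The following is an added example, not configuration from the original page: it replaces the any/any untrust-to-trust policy from step 7 with one scoped to the OA server published in step 6, and adds the proxy-ARP entry that 124.207.100.2 needs. The names oa_server, oa-tcp-23 and oa-inbound are assumptions; the server address 192.168.10.11, port 23 and the public address 124.207.100.2 are the page's own.

```junos
# Constructed example (not from the original page). Assumed names: oa_server, oa-tcp-23, oa-inbound.

# 1. Remove the over-broad any/any policy from step 7
delete security policies from-zone untrust to-zone trust policy policy_id10

# 2. Make the SRX answer ARP for the extra public address used by the destination NAT rule
set security nat proxy-arp interface ge-0/0/0.0 address 124.207.100.2/32

# 3. Post-NAT destination as a global address-book entry, and the real server port as a custom application
set security address-book global address oa_server 192.168.10.11/32
set applications application oa-tcp-23 protocol tcp destination-port 23

# 4. Policy lookup runs after destination NAT, so match the translated address and port, not 124.207.100.2:8080
set security policies from-zone untrust to-zone trust policy oa-inbound match source-address any
set security policies from-zone untrust to-zone trust policy oa-inbound match destination-address oa_server
set security policies from-zone untrust to-zone trust policy oa-inbound match application oa-tcp-23
set security policies from-zone untrust to-zone trust policy oa-inbound then permit
set security policies from-zone untrust to-zone trust policy oa-inbound then log session-init
set security policies from-zone untrust to-zone trust policy oa-inbound then log session-close

# 5. Review and commit (configuration mode), then confirm a translated session exists
show security policies from-zone untrust to-zone trust
commit check
commit
run show security flow session destination-prefix 192.168.10.11
```

Because only TCP/23 to 192.168.10.11 is permitted, an attacker probing 124.207.100.2 on other ports still hits the default deny. Port 23 is telnet and cleartext; if the OA service is actually a web application, change the pool port and the custom application to the real service port rather than exposing telnet.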

NAT in detail

Source address   Destination address   Source translated to   Destination translated to
10.1.1.1         10.5.5.5              172.16.1.1             192.168.1.1
1. Source address translation
set security nat source pool AAA address 172.16.1.1/32 to 172.16.1.1/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule A-B match source-address 10.1.1.1/32
set security nat source rule-set trust-to-untrust rule A-B match destination-address 192.168.1.1/32
set security nat source rule-set trust-to-untrust rule A-B then source-nat pool AAA

set security nat source pool BBB address 10.5.5.5/32 to 10.5.5.5/32
set security nat source rule-set untrust-to-trust from zone untrust
set security nat source rule-set untrust-to-trust to zone trust
set security nat source rule-set untrust-to-trust rule B-A match source-address 192.168.1.1/32
set security nat source rule-set untrust-to-trust rule B-A match destination-address 10.1.1.1/32
set security nat source rule-set untrust-to-trust rule B-A then source-nat pool BBB

Note: the destination address matched in a source NAT rule is the real destination (192.168.1.1 for A-B, 10.1.1.1 for B-A), because destination NAT is applied before source NAT.


2. Destination translation
set security nat destination pool CCC address 192.168.1.1/32
set security nat destination rule-set trust-to-untrust from zone trust
set security nat destination rule-set trust-to-untrust rule A-B match source-address 10.1.1.1/32
set security nat destination rule-set trust-to-untrust rule A-B match destination-address 10.5.5.5/32
set security nat destination rule-set trust-to-untrust rule A-B then destination-nat pool CCC

set security nat destination pool DDD address 10.1.1.1/32
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule B-A match source-address 192.168.1.1/32
set security nat destination rule-set untrust-to-trust rule B-A match destination-address 172.16.1.1/32
set security nat destination rule-set untrust-to-trust rule B-A then destination-nat pool DDD
3. Policies
Policy lookup happens after destination NAT and before source NAT, so the policies below match the real addresses on both sides (10.1.1.1 and 192.168.1.1), never the translated ones (172.16.1.1 and 10.5.5.5).
From trust to untrust
set security zones security-zone trust address-book address EEE 10.1.1.1/32
set security zones security-zone untrust address-book address FFF 192.168.1.1/32
Note: these are zone-level address books. Junos does not allow zone-level address books and the global address book (security address-book global) on the same device, so on a box that already uses the global book define EEE and FFF there instead.
set security policies from-zone trust to-zone untrust policy A-B match source-address EEE
set security policies from-zone trust to-zone untrust policy A-B match destination-address FFF
set security policies from-zone trust to-zone untrust policy A-B match application any
set security policies from-zone trust to-zone untrust policy A-B then permit
set security policies from-zone trust to-zone untrust policy A-B then log session-init
set security policies from-zone trust to-zone untrust policy A-B then log session-close
From untrust to trust
set security policies from-zone untrust to-zone trust policy B-A match source-address FFF
set security policies from-zone untrust to-zone trust policy B-A match destination-address EEE
set security policies from-zone untrust to-zone trust policy B-A match application any
set security policies from-zone untrust to-zone trust policy B-A then permit
set security policies from-zone untrust to-zone trust policy B-A then log session-init
set security policies from-zone untrust to-zone trust policy B-A then log session-close
4. Enable proxy ARP: 10.5.5.5 and 172.16.1.1 do not exist as real hosts, so the SRX must answer ARP for them on the physical interfaces where each address appears
set security nat proxy-arp interface reth0.0 address 10.5.5.5/32 to 10.5.5.5/32
set security nat proxy-arp interface reth1.0 address 172.16.1.1/32 to 172.16.1.1/32
Note: reth0.0 is the inside interface and reth1.0 is the outside interface of the firewall.

Policy-based routing

Static route / default route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
With two or more uplinks, configure the routes as below and then add RPM monitoring. Without RPM, failover only happens when the primary interface itself goes down; a failure further upstream leaves traffic stuck on the dead path.
The default preference of a static route is 5; use preference to set it explicitly.
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
set routing-options static route 0.0.0.0/0 qualified-next-hop 20.1.1.2 preference 20

Policy-based routing (multi-uplink example)
Approach:
1. Create routing instances, i.e. routing tables separate from the main table inet.0
2. Add routes to those instances
3. Add the underlying (directly connected) routes to the instance tables
4. Configure a firewall filter (the equivalent of an ACL) that matches on source address and sends the traffic into the different routing tables
5. Apply the filter in the input direction on the inside interface

1. Create the routing instances pbrcu and pbrct, corresponding to the China Unicom and China Mobile uplinks respectively (names are case-sensitive)
set routing-instances pbrct instance-type forwarding // instance type forwarding
set routing-instances pbrct routing-options static route 0.0.0.0/0 next-hop 20.1.1.1 // default route of the instance
set routing-instances pbrcu instance-type forwarding
set routing-instances pbrcu routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

2. Create a rib-group that ties the new instances to the default inet.0 table and installs the directly connected routes into the instance tables
set routing-options rib-groups pbr-group import-rib inet.0 // primary rib inet.0
set routing-options rib-groups pbr-group import-rib pbrcu.inet.0 // new instance table pbrcu.inet.0
set routing-options rib-groups pbr-group import-rib pbrct.inet.0 // new instance table pbrct.inet.0
set routing-options interface-routes rib-group inet pbr-group // install interface routes into every rib in the group

3. Configure the match conditions (the ACL)
set firewall filter pbracl term aclid1 from source-address 192.168.1.0/24 // match on source address (from address would match source or destination)
set firewall filter pbracl term aclid1 then log // log matches
set firewall filter pbracl term aclid1 then routing-instance pbrct // on match, forward using instance pbrct
set firewall filter pbracl term default then accept // everything else uses the main routing table

4. Apply the filter in the input direction on the inside interface
set interfaces ge-0/0/2 unit 0 family inet filter input pbracl
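The static-route section above says RPM is needed for automatic failover but does not show it, and the PBR instances have the same problem: each instance holds a single default route that never changes if its uplink dies. The following is an added example, not configuration from the original page, covering both cases with an RPM probe per uplink and ip-monitoring. Assumptions: the probe target 8.8.8.8 is reachable through both uplinks; the next hops are the PBR section's 10.1.1.1 (pbrcu) and 20.1.1.1 (pbrct), so substitute 10.1.1.2 / 20.1.1.2 for the plain static-route example; the names probe-cu, probe-ct, cu-down and ct-down are arbitrary.

```junos
# Constructed example (not from the original page). Assumed: target 8.8.8.8, next hops 10.1.1.1 / 20.1.1.1,
# names probe-cu, probe-ct, cu-down, ct-down.

# 1. One ICMP probe per uplink, pinned to that uplink's next hop so it tests the real path
#    rather than whatever the routing table currently prefers; 3 consecutive losses = failed
set services rpm probe probe-cu test t1 probe-type icmp-ping
set services rpm probe probe-cu test t1 target address 8.8.8.8
set services rpm probe probe-cu test t1 probe-count 3
set services rpm probe probe-cu test t1 probe-interval 5
set services rpm probe probe-cu test t1 test-interval 10
set services rpm probe probe-cu test t1 thresholds successive-loss 3
set services rpm probe probe-cu test t1 next-hop 10.1.1.1

set services rpm probe probe-ct test t1 probe-type icmp-ping
set services rpm probe probe-ct test t1 target address 8.8.8.8
set services rpm probe probe-ct test t1 probe-count 3
set services rpm probe probe-ct test t1 probe-interval 5
set services rpm probe probe-ct test t1 test-interval 10
set services rpm probe probe-ct test t1 thresholds successive-loss 3
set services rpm probe probe-ct test t1 next-hop 20.1.1.1

# 2. Main table inet.0: when the primary uplink's probe fails, ip-monitoring installs 0/0 via the
#    other uplink with preference 1, which beats the static (5) and qualified (20) routes; the
#    route is withdrawn automatically once the probe recovers
set services ip-monitoring policy cu-down match rpm-probe probe-cu
set services ip-monitoring policy cu-down then preferred-route route 0.0.0.0/0 next-hop 20.1.1.1

# 3. PBR instance: when the pbrct uplink fails, steer that instance's default route to the other uplink,
#    so hosts matched by filter term aclid1 keep working instead of being black-holed
set services ip-monitoring policy ct-down match rpm-probe probe-ct
set services ip-monitoring policy ct-down then preferred-route routing-instances pbrct route 0.0.0.0/0 next-hop 10.1.1.1

# 4. Verification (operational mode)
show services rpm probe-results
show services ip-monitoring status
show route table pbrct.inet.0 0.0.0.0/0
```

Pinning each probe with next-hop matters: without it, once inet.0 fails over, the probe for the dead uplink would itself leave via the healthy one, succeed, and flap the route back. Pick a probe target that answers ICMP reliably from both carriers; a target that rate-limits ping will cause false failovers.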