1、Juniper SRX 防火墙透明模式配置手册Juniper SRX防火墙配置手册上海神州数码有限公司系统网络技术部Juniper 防火墙安装手册项目编号Juniper200909文档名称JuniperSRX防火墙安装手册编写人樊超完成日期20091001文档修订记录:日期修订版本修订内容修订人一、透明模式配置说明硬件型号SRX3400软件版本 9.6R1.13配置案例图在上图中ge-0/0/0, ge-0/0/10, ge-0/0/8均让VLAN 199-223穿过。GSR和cisco 3750,6509之间通过上述vlan连通。在GSR、3750和6509之间运行3层协议(如ospf、st
2、atic等)根据需求,在SRX上运行policy实现trust、DMZ和untrust流量控制Juniper防火墙作为透明模式部署需要建立3个区域,分别、1.1设置node ID和cluster ID#在操作模式下输入,后面没有注明的则默认是在配置模式下操作#SRX3400-1_L2配置为set chassis cluster node 0 cluster-id 1 reboot#SRX3400-2_L2配置为set chassis cluster node 1 cluster-id 1 reboot1.2防火墙系统全局配置(初始化配置)#设置root的用户名和密码system root-au
3、thentication encrypted-password $1$R7QtWpjt$OsUXw/4GC.7AiGO2bFHUz.; # SECRET-DATA #添加用户名为lab的用户和密码 login user lab uid 2000; class superuser; authentication encrypted-password $1$h54Sa7e3$cjwdMDkIcvEN89jSZ8eSa/; # SECRET-DATA #设置防火墙自己开启的服务 services ftp; telnet; web-management http; syslog user * any
4、emergency; file messages any notice; authorization info; 1.3建立集群#双机配置,设置node0为主,node1为备。#设置node0主机名groups node0 system host-name SRX3400-1_L2; backup-router 192.168.2.1 destination 0.0.0.0/0; #设置带外管理地址和带外管理的网关 interfaces fxp0 unit 0 family inet address 192.168.2.254/24; routing-options static route
5、0.0.0.0/0 next-hop 192.168.2.1; retain; no-readvertise; #设置node1主机名,带外管理地址和带外管理的网关 node1 system host-name SRX3400-2_L2; backup-router 192.168.2.1 destination 0.0.0.0/0; interfaces fxp0 unit 0 family inet address 192.168.2.253/24; routing-options static route 0.0.0.0/0 next-hop 192.168.2.1; retain; n
6、o-readvertise; apply-groups $node;1.4设置cluster冗余组和接口对象#设置reth-count 数目及主机单元的优先级,并设置监控的端口和权重chassis cluster reth-count 3; heartbeat-interval 1000; heartbeat-threshold 3;#redundancy-group 0为引擎组对象,此处将所有业务接口都放到此组中,这样#设置的结果就是只要有一个业务接口down了,则引擎也进行切换,防止出现#业务接口进行了切换,而引擎没有切换的结果 redundancy-group 0 node 0 prio
7、rity 100; node 1 priority 1; interface-monitor ge-0/0/10 weight 255; ge-0/0/8 weight 255; ge-8/0/8 weight 255; ge-8/0/10 weight 255; ge-0/0/0 weight 255; ge-8/0/0 weight 255; redundancy-group 1 node 0 priority 100; node 1 priority 1; interface-monitor ge-0/0/8 weight 255; ge-8/0/8 weight 255; ge-0/0
8、/10 weight 255; ge-8/0/10 weight 255; ge-0/0/0 weight 255; ge-8/0/0 weight 255; #设置相关的物理接口与相应的logical接口reth关联interfaces ge-0/0/0 gigether-options redundant-parent reth2; ge-0/0/8 gigether-options no-auto-negotiation; redundant-parent reth0; ge-0/0/10 gigether-options no-auto-negotiation; redundant-p
9、arent reth1; ge-8/0/0 gigether-options redundant-parent reth2; ge-8/0/8 gigether-options no-auto-negotiation; redundant-parent reth0; ge-8/0/10 gigether-options redundant-parent reth1; #设置两台防火墙互联的接口 fab0 fabric-options member-interfaces ge-0/0/7; fab1 fabric-options member-interfaces ge-8/0/7; irb u
10、nit 220 disable; family inet address 192.168.1.10/28; lo0 unit 0 family inet address 127.0.0.1/32; #设置reth接口为trunk接口,所允许的vlan号 reth0 vlan-tagging; redundant-ether-options redundancy-group 1; unit 0 family bridge interface-mode trunk; vlan-id-list 1-4094; reth1 vlan-tagging; redundant-ether-options r
11、edundancy-group 1; unit 0 family bridge interface-mode trunk; vlan-id-list 1-4094; reth2 vlan-tagging; redundant-ether-options redundancy-group 1; unit 0 family bridge interface-mode trunk; vlan-id-list 1-4094; 1.5设置安全区域和策略#设置防火墙的安全区域,其中l2开头的代表两层,并把相关的reth接口同安全区域关联security zones functional-zone mana
12、gement; security-zone l2-trust host-inbound-traffic system-services all; protocols all; interfaces reth1.0; security-zone l2-untrust interfaces reth0.0; security-zone trust; security-zone l2-dmz host-inbound-traffic system-services all; protocols all; interfaces reth2.0; #设置防火墙的策略,目前各安全区域之间是全开放 poli
13、cies from-zone l2-trust to-zone l2-untrust policy trust-untrust match source-address any; destination-address any; application any; then permit; from-zone l2-untrust to-zone l2-trust policy untrust-trust match source-address any; destination-address any; application any; then permit; from-zone l2-tr
14、ust to-zone l2-trust policy trust-trust match source-address any; destination-address any; application any; then permit; from-zone l2-trust to-zone l2-dmz policy trust-dmz match source-address any; destination-address any; application any; then permit; from-zone l2-untrust to-zone l2-dmz policy untr
15、ust-dmz match source-address any; destination-address any; application any; then permit; from-zone l2-dmz to-zone l2-trust policy dmz-trust match source-address any; destination-address any; application any; then permit; from-zone l2-dmz to-zone l2-untrust policy dmz-untrust match source-address any; destination-address any; application any; then permit; alg ftp disable; tftp disable; 1.6设置全局l2特性#全局设置vlan透传bridge-domains trunk199-223 vlan-id-list 199-223; vlan001 vlan-id 1; routing-interface irb.0; secondary:node0