Juniper550M防火墙配置指导

1、贝胛内轡目录Juniper 550M防火墙配置指导 .2双机HA配置.21.登陆防火墙 .22.配置接口 IP.43.配置默认路由 .54.配置 NSRP.65.设置同步选项 .86.同步配置 .8配置MIP.91.配置映射IP.92.配置策略 .10配置VIP.111.配置映射端口服务 .122.配置映射IP关系.133.配置策略 .14附件1.14第瑕贝腳内容Juniper 550M防火墙配置指导通过串口登陆,帐号：netscreen密码:netscreenSSG520 get config 等同于等同于 cisco 的的show run新机器上来默认是无任何配置的，如拿到的机器是有配置的

2、，谙淸除。 注：淸除防火墙配置方法（见附件1）双机HA配置配置HA之前，请将HA心跳线拔掉。注：HA配宜当中，如无特别说明，以下操作均要在主备两台防火墙上操作。1.登陆防火墙用普通网线连上防火墙0X）口，将本机IP设为192.168.1.100/24 gwl92.168.1.1（现场环境 需要做一条到防火墙的默认路由），打开IE浏览器：第瑕贝腳内容此网站出具的安全证书不是由受信任的证书颁发机构颁发的。 此网站出具的安全证书是为其他网站地址颁发的 安全证书问题可能显示试图敗宾您或裁获您向服务器发送的数捋 建仪关闭此网页f并且不要继续浏览该网站。单击此处关闭该网页。继续浏览此网站（不推荐）。此网站

3、的安全证书有问题。更多信息贝胛内轡 Remember my name and passwordLogin用戶名：netscreen密码：netscreen配宜主界而:2.配置接口 IP注：只需在主防火墙上配曬即可，后续接口 IP会同步到备机。但Manage IP不会同步, 需要在配完HA后，自己根据需要进行更改，也可以不设。Network-lnterfaces-ehternetO/2-Edit-Basic注：此处0/2 口为untrust 口，实际应用中，应当为公网IP或网管网、营帐网所对应接 口。贝腳内容MHwortc MeHncc5 (LHt)SSG520LHt 120 jjpxUst 1

4、4 用IntcHacejNneZoneTypeLinkPPPoECoiWlgureethemetO/O192 iee.i.V2TTMJtLayer3D”ro.o.o.o/oOMZLyar3Downxhoma 2172.16.6. W24uncrufitLyar3屮Editettiem*t0/3O.O.O.OHfiLayer?Dosevlanlo.oowoVLAMLayer3DOSE“ Static IPIP Address f Netmask Manage IP172.16.6.99172.16.6.980881.f47C.4f86F ManageableInterface Mode C 皿丁

5、 介 RouteBlock Intra-Subnet Traffic 厂Service OptionsP Web UP SHMPOther Services P PingManagement ServicesP TelnetP SSLr Path MTU(IPv4)Q SSHr ident-reset ttps） 特騷;希安目己送择Maximum Transfer Unit(Mru) Admin MTUBytes (Operating MTU： 1500; Default MTU: 1500)DNS Proxy 厂NTP Server 厂Web Au th 厂 IP Address |o.0.

6、0.0G ARP Pr SSL onlyTraffic Bandwidth EgressIngressMaximum Bandwidth |Maximuni Bandwidth |oKbpsKbp5SSG520:NSRP(M) Q|txust-viVRRP r3.配置默认路由Network Routing Routing EntriesWtw*rk IBT4 | 20 2J 吋 RK1BUtt nxjta criW( (w for | 11 vrirtQal cwtersT j|KxrG l JF3贝腳内容tnjt-vr3十IntaM-fx*ProtocolPrvfrx.Vwy.DiMcrtp

7、tlonConAurw1夕 2 i“ L.0/24&heme 回 0 NSRP ClusterNSRP Protocol Veraion 2.0( Cluster ID 1CLocal Unit 8145152Number of Gratuitous ARPs to Resend 厂 NSRP Authentication Password 厂 NSRP Enctyption PasswordNot in ClusterActive Units Discovered 81451ApplyCancelNetwork NSRP VSD GroupVirtual Router Hame trust-

8、vrP Address/Netmasl: ：jo?0.0.0/ oNext HP C Virtual RouterGatewayZ1Gateway IP Address |l72.16 A. 254Peiroanent 厂List |勿 jdp” pageGroup IDPriorityPreemptHold-Down TimeModeMasterPrimary BackupGroup MembersConfigureo100no3mastermyselfnone点击 Edit 进入 Network NSRP VSD Group Configuration贝胛内轡weight (1255)SS

9、G520 NSRIGroup ID 0Network NSRP Monitor Interface1 Network NSRP Monitor IntarfacaSSG520：NSRP(|将需要监控的端口勾选并保存Network NSRP Monitor Interface A Editinterface Name ethemotO/O |厂 ethemetO/1V ethemetO/2Apply I Cancel INetwork NSRP Monitor InterfaceLit Mhiotor Interface for |VSI Cron-AllVSD ID: 0 帥r InzbeIn

10、tarfacQWoightethernetO/O255ethern9to?2255贝胛内轡Login:login: netscreen password;SSG520(M)-SSG520(M)-Save globalContinue todone 5.设置同步选项Network NSRP SynchronizationF7 NSRP RTO Synchronization“ NSRP Session Synchronizationf.:V : NSRP Backup Session Timeout AcknowledgeP Non vsi Session SynchronizationP Ro

11、ute SynchronizationThresholdApply | CanCEI |&同步配置上述操作在主备防火墙上完成后，连接好心跳线，用串口线连接备防火墙.并登陆，输 入如下命令，并重启防火墙。（同样的操作在主防火墙上操作一遍）exec nsrp sync global-config saveexec nsrp sync global-config saveload peer systen config to save configuration successfully.save local configurat.ions Save local configuration succe

12、ssfully.Please reset your box to let cluster configuration take effect!SSG520(M)- resetSystem reset, are you sure? y/n y In reset.Statt deactivate session (vsd=0)8 sessions deactivated贝腳内容2.配.Source AddressNew Address/IQ Address Book Entry |血卩New AddressDestination Address_/IQ Address Book En乜、卫刃Ser

13、vice |ANYTJ Multiple |V Mulbple |Application noneZr WEB FilteringDeep InspectionTunnelLoggingPosition ot TopVPN pone 创 Modify matching bidirectional VPN policy L2TP |one厂 at Session Beginning 厂厂厂 Session-limitcounter |uPolicy Policies (From All zones To All zones)name opnonai; jFes Trust To Untrust.

14、 totN poky 1IDSourceDatinationSarvlcaActionOptionsConftguraEnablaMove1AnyAnyHEEditClonePNo entry aelaDWAlarm without drop 厂贝胛内轡OKCancelAdvanced厂 WEB FilteringAction permit JDeep Inspection|Tunnel VPN I None厂 Modify matchi ng bidirectional VPN policy L2TP | NoneLogging _at Session Beginning 厂Position

15、 at Top 厂 Session-limitCounter |0Alarm without drop From Trust To untrustj total policy: 1IDSourceDestinationSefviceActionOptionsCotifigureEnableMove1AnyNYEditR/inoyP0 ”LErmt To：Iob寸! total poicy:IDSourceDestinationServiceActionOptionsConfigureEnableMove2AnyAnyUWYdirP:- f配置VIP简单来说，和MIP的区别就是，MIP是基于IP

16、的一对一映射，而VIP是基于端口的映射, 可以将英理解为我们平时在外场做网管网防火墙CISCO所映射端口的那样。A 亠一 RNGW Address_Q Address Book Entry lyJMultipleNew Address |/IAddress4 Address Book Entry lyJMultipleServiceSourceDestinationApplication pone贝腳内容1.配置映射端口服务Policy Policy Elements Services CustomSSG520：NSRP(Mj120 v|prmVPraWcvlParwntrTam9ut (nv

17、n| 1 *;*)mvql30O6TCP .rc port: 0-6553S, dat port: 3306-330630EdrtIn Use8000TCP rc port: 0 63933 dat port: BOBO-OODO30LdrtIn U9050TCP rc port: 0 65335, dat port: ?050-?08030tdtIn U9090TCP tre poti 0-W5S3S. dr* parts 109Q-Q09020MjtIn Ur*Service Name |mz=Q13306Service 亦皿 Q Use protoco, default NeverCus

18、tomQ 1 Minute 10 SecondsSource PortDestination PortICMPNo.Transport protocolLowHighLowHighTypeCode1noneQ TCPrUDP f ICMP fother |165535|3306|3306LL2 k r“F, i.-. .* i ; t2.配置映射IP关系Vetvtrk 1*1 er faces (last)r.*J | Tunnel IFIPTMePPPofConfvgurwethemetQ/Oi$ai6e.i.i?24TnistL4?ec3Adi yeEditthrrwta/l172.10.

19、L5.23QZ4CMZL?r3Dovn2 ,6699/24Ung八Lrr3Sv.1 34 |ethemetQ/3o.o. 0.0/0HA5ec3galinLVLAML3Vr22mNetwork Interfaces Edit VIP/VIP ServicesJe tvork Iikter&ces Edi t VIF/VIP SrvieeInterface: ethemetOi/2 (IP/Netmask: 172.16 6 9/24) )Propertiess Babe MIP DIP VIP IGMP Monitor 802.1X此IP为外部访问进来时的进口 IPolotv*rk I*tor

20、rct 1411 nr/nr rvleesInte*focc* ethemettZ?PrpaKlMt 的x IP O1P VJP ICMP mofIX第瑕贝腳内容Virtual IP | 172. 16. 6 101 上步所设公网IFVirtual Port |13306自定义虎拟菇口Map to Service JTLysql3306 (3306)实际映射的端口Map to IP |172. 16. 15. 100被映射的内网主机TPSewep Auto Detection f? Enable3.配置策略请参考配置MIP的策略，和它是一样的。附件1晴除配置。査找机器上的标签，找到SN： JN120DA18ADA,或者用默认用户密码netscreen登陆防火墙, 并用get sys命令找到Load WVRAN IfOMiatlon (6.2. 0DOftC lo( (An： etetetO/? Interface cliajie plijslcal state to 血 Sys ten c lianas state to kctive-A18aDn! Lost Pasw