广东移动揭阳分公司OA核心防火墙替换方案v1.0

编号密级广东移动揭阳分公司OA核心防火墙设备替换方案V1.0文档修订记录文档编号：工程名称广东移动揭阳分公司OA核心防火墙设备替换文件名称广东移动揭阳分公司OA核心防火墙设备替换方案文档描述Juniper防火墙设备替换方案当前版本1.0创立日期2010文档作者文档所属部门修改记录日期修改人审阅人摘要V1.020吴文轩文档书写目录第一章文档概述41.1文档目的41.2产品概述41.3产品说明41.4产品优势5设备性能6硬件架构6软件架构6软件功能7第二章网络拓扑82.1现有网络拓扑82.2改造网络拓扑82.3网络流量9现有拓扑流量9替换后网络流量10第三章网络实施113.1配置信息11设备硬件113.2配置信息12设备硬件12设备软件12接口配置12地址分配13路由配置13策略配置14HA设置143.2.8UAC配置153.3割接准备15机架空位15网络线缆16电源功率163.4割接步骤163.5回退方案17第四章配置汇总17文档概述文档目的本方案依据广东移动揭阳分公司现有核心防火墙的现状，对现有防火墙进行设备的替换有JuniperISG系列防火墙替换为SRX系列防火墙，其目的是提高核心防火墙对整网的处理性能，并解决现有网络中存在的一些性能瓶颈。方案明确SRX设备的整体优势、现网所需配置及整个网络割接的细节步骤，保证广东移动揭阳分公司防火墙设备替换工程的顺利实施。产品概述瞻博网络SRX3000系列业务网关是下一代解决方案，用于同时满足大型企业和电信运营商不断增长的网络根底架构和应用平安性需求。SRX3000系列业务网关从一开始便设计用于提供灵活的处理可扩展性、I/O可扩展性和高级集成能力，在数据中心大规模整合、快速托管效劳部署及平安解决方案融合等领域，能够满足网络和平安要求。SRX3000以瞻博网络Junos软件为构建根底，将瞻博网络丰富的路由功能、电信运营商级高可靠性与ScreenOS网络的卓越平安性结合在一起，支持高级特性/效劳集成，能够保护现代化网络根底架构和应用的平安。产品说明瞻博网络(JuniperNetworks®)SRX3400业务网关和瞻博网络SRX3600业务网关是下一代业务网关，在中型机箱中提供了市场领先的可扩展性和效劳集成能力。这些产品是大中型企业、公共部门和电信运营商网络的理想选择，包括：大型企业的效劳器库/数据中心部门或独立平安解决方案的会聚环境云和托管供给商数据中心托管效劳部署SRX3000产品系列基于创新的“中置背板〞(mid-plane)设计和瞻博网络的动态效劳架构，为大型企业和电信运营商环境提供最高性价比。在添加效劳处理卡(SPC)的情况下，每种业务网关都支持近线性的可扩展性，SRX3600最多可支持30Gbps的防火墙吞吐量。SPC设计用于支持广泛的效劳，能够支持将来的新功能，无需安装效劳特定的硬件。通过将SPC应用于所有效劳，将能够确保运行环境中的特定效劳领域不会存在闲置资源——最大限度地提高硬件利用率。SRX3000产品系列采用模块化架构，提供市场领先的灵活性和性价比。这个网关基于瞻博网络的动态效劳架构，支持灵活地配置I/O卡(IOC)、网络处理卡(NPC)和效劳处理卡(SPC)——使用户能够通过配置系统在性能和端口密度之间实现理想均衡，并能够基于特定的网络要求对瞻博网络SRX业务网关进行定制部署。这种灵活性支持您将SRX3600配置为支持超过100Gbps的接口(可以是千兆以太网和万兆以太网端口的任意组合)；提供从10到30Gbps的网络处理性能；并且提供适当的效劳处理来满足特定的业务需求。业务网关中部署了交换矩阵，支持SPC、NPC和IOC扩展功能。这个交换矩阵最多支持320Gbps的数据传输速度，在任何特定的配置中，都能提供最大处理能力和I/O能力的最合理的组合。这个级别的可扩展性和灵活性支持用户在不中断业务运行的情况下扩展并增长网络根底架构能力，不受平安解决方案的束缚。SRX3000产品系列的灵活性不仅限于动态效劳架构的创新成果和公认优势。SRX3000产品系列采用“中置背板〞(midplane)设计，用户可以同时在前后端安装SPC，从而获得市场领先的灵活性和可扩展性。SRX3000产品系列在一半的机柜空间中支持两倍的SPC，不仅提供根本的架构创新，而且还采用创新的物理设计。SRX系列业务网关通过瞻博网络Junos®软件支持特性集成。通过将Junos软件的路由特性与ScreenOS®软件的平安优势结合在一起，SRX系列业务网关提供了一组强大的功能，包括防火墙、IPsecVPN、入侵防御系统(IPS)、拒绝效劳攻击(DoS)防御、网络地址转换(NAT)和效劳质量(QoS)保证等。除此之外，将全部功能结合在单一OS框架中，还大幅度优化了流量在业务网关中的处理流程。安装Junos软件使SRX系列产品与瞻博网络电信运营商级路由器和交换机一样，获得了单源OS、一致的版本演进和一致性架构的优势产品优势新一代的SRX防火墙采用与ScreenOS不同的硬件架构及软件架构，SRX系列防火墙更适合运行在高稳定性及高性能要求的网络环境中。设备性能SRX3400业务网关与SRX3600使用相同的SPC、IOC和NPC，最多支持20Gbps的防火墙吞吐量、6Gbps的防火墙和IPS吞吐量，或者6Gbps的IPsecVPN吞吐量以及每秒最多17.5万条新建连接，描述如下表：参数型号SRX3600SRX3400ISG2000ISG1000吞吐量10/20/30Gbps10/20Gbps4Gbps2Gbps同时新建会话175,000175,00023,00020,000同时在线会话2,250,0002,250,0001,000,0005,00,0003DES性能10Gbps6Gbps2Gbps1Gbps硬件架构电信级机箱设计&高密度槽位高密度槽位和性能扩展Ichip&StingerfabricASICDPC板卡的技术和NP芯片转发与控制别离〔路由引擎、SPC、NPC由独立硬件处理，并可按需配置〕交换矩阵，彻底摆脱现有防火墙通过总线进行内部数据交换的现状，提供高性能的交换矩阵，真正无阻塞交换〔SRX3000系列采用SF16矩阵〕接口数量总数多软件架构模块化软件系统，新功能部署运行稳定，电信级互联网操作系统已被证明新功能整合能力如(EX交换、MX以太网会聚PE等)电信级路由操作系统JUNOS和平安操作系统ScreenOS的完美融合来自JUNOS的MPLS/NSF/NSR等高级功能来自JUNOS的层次化CLI配置风格来自ScreenOS的平安特性:平安域/NAT/IPsecVPN/Screen/深度检测/UTMCommit/JUNOSScripts等高级管理特性软件功能JUNOS的优势路由〔1,000,000条OSPF/BGP条目〕QoS配置回退完整的IDP功能〔独立硬件处理，多核处理器中独立的core〕基于硬件的DoS攻击防护功能〔Screen功能〕基于策略的流量统计、基于策略的新建会话统计等网络拓扑现有网络拓扑揭阳现有网络拓扑如下，ISG1000防火墙采用主/备的方式与核心交换机相连。改造网络拓扑改造后网络拓扑根本不变，ISG1000更换为SRX3000系列防火墙，防火墙采用主备模式，防火墙采用两个接口与交换机互联。网络流量现有拓扑流量现有网络拓扑采用单线连接防火墙与交换机，用户接入VLAN及上联MDCNVLAN之间的流量通过1G电口线缆传输，容易造成线路的流量瓶颈。流量图如下列图：替换后网络流量替换后防火墙采用用户VLAN之间流量及用户到MDCN大网流量物理接口别离的方法实现，改变现有的单线1G线缆到两条1G光纤线缆的模式，提高了网络的带宽，减少链路带宽的瓶颈。用户VLAN间流量用户VLAN间流量承载在独立的物理接口上。网络实施配置信息设备硬件型号描术数量SRX3400-ASRX3400Chassis,Midplane,Fan,RE,SFB-12GE,ACPEM-nopowercord-1SPC-noNPC1SRX3K-NPCNPC板卡，插到FPC71SRX3K-SPC-1-10-40SPC板卡，插到FPC51SFP-1GE-SX1G光模块，插到SFB-12GEControl01SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/91SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/101SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/111SRX3K-PWR-AC电源1CBL-PWR-C19S-162-CH16A电源线2SRX3400-BSRX3400Chassis,Midplane,Fan,RE,SFB-12GE,ACPEM-nopowercord-1SPC-noNPC1SRX3K-NPCNPC板卡，插到FPC71SRX3K-SPC-1-10-40SPC板卡，插到FPC51SFP-1GE-SX1G光模块，插到SFB-12GEControl01SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/91SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/101SFP-1GE-SX1G光模块，插到SFB-12GEGe-0/0/111SRX3K-PWR-AC电源1CBL-PWR-C19S-162-CH16A电源线2配置信息设备硬件型号描述数量SRX3400-AJY-SRX3400-A1SRX3400-BJY-SRX3400-B1设备软件设备名称设备型号软件版本软件名称SRX3000SRX10.2R2.11junos-srx3000-10.2R2.11-domestic.tgzIC4000IC40004.0R2接口配置本端设备接口对端设备接口线缆类型SRX3000-1ge-0/0/10核心交换机光纤LC-LCcontrol0SRX3000-2control0光纤LC-LCge-0/0/11ge-8/0/11光纤LC-LCSRX3000-2ge-8/0/10核心交换机光纤LC-LCcontrol0SRX3000-1control0光纤LC-LCge-8/0/11ge-0/0/11光纤LC-LC地址分配本端设备接口IP地址备注SRX3000-1ge-0/0/10.2ge-0/0/10.11ge-0/0/10.12ge-0/0/10.13ge-0/0/10.14ge-0/0/10.1510.2ge-0/0/10.16ge-0/0/10.17ge-0/0/10.18ge-0/0/10.19ge-0/0/10.21ge-0/0/10.22ge-0/0/10.23ge-0/0/10.24ge-0/0/10.25ge-0/0/10.26ge-0/0/10.27ge-0/0/10.29ge-0/0/10.103ge-0/0/10.105ge-0/0/10.20510.ge-0/0/10.500SRX3000-2与主用防火墙相同路由配置路由配置防火墙采用动态路由协议OSPF，详细情况如下表：防火墙AreaIDInterfaceModeCost值SRX3000-1.21reth0.2passive1reth0.11passive1reth0.12passive1reth0.13passive1reth0.14passive1reth0.15passive1reth0.16passive1reth0.17passive1reth0.18passive1reth0.19passive1reth0.21passive1reth0.22passive1reth0.23passive1reth0.24passive1reth0.25passive1reth0.26passive1reth0.27passive1reth0.29passive1reth0.1031reth0.1051reth0.2051reth0.5001防火墙采用静态路由协议，详细情况如下表：目标地址下一跳策略配置策略按照原有ISG1000防火墙策略书写，并根据SRX防火墙平台的特定对策略做局部修改，如命名长度、命名语言〔中文更改为字母〕、调整策略LOG选项等，不修改策略的权限控制。HA设置SRX防火墙HA采用JSRP的方式部署，采用Redundany组织接口，并使用专用的Control接口传输控制信息，并定义Data接口传输RTO信息等。Cluster设置功能区域ClusterID外网接入区1RedundantGroup设置冗余组组IDNODE优先级接口组成RG1RETH0Node0200ge-0/0/10Node150ge-8/0/10监控设置MonitorInterfaceInterfacege-0/0/10ge-8/0/10UAC配置防火墙局部命名IP端口接口密码超时动作IC400011123Reth0.2jySRX!@#no-changeIC局部namePlatformpasswordserialnumberSRX3000JunOSjySRX!@#配置如下列图：割接准备机架空位型号大小备注SRX3400WxHxD(44.5x13.3x64.8cm)3USRX3600WxHxD(44.5x22.2x64.8cm)5U网络线缆类型数量长度备注光纤1根据设备位置确认互连线长度SRX设备互连〔Control〕光纤1根据设备位置确认互连线长度SRX设备互连〔DATA〕光纤2根据设备位置确认互连线长度SRX与交换机互连电源功率型号功率备注SRX34001,200W(ACpower)1,020W(DCpower)需16SRX36001,800W(ACpower)1,800W(DCpower)需16割接步骤2010/10步骤一：配置备份备份相关网络设备配置，如交换机、ISG1000防火墙、IC4000设备、SSG520。步骤二：断开ISG2000与6509互联的端口步骤三：接上SRX3400与6509互联的端口步骤3：网络测试检查内容命令结果备注网络连通性pi内网主机进行Ping测试IC联动检查检查防火墙及IC联队情况showservicesunified-access-controlstatusIC认证测试登陆IE浏览器并验证认证信息检查IC联动及用户认证IC认证客户端使用客户端测试测试客户认证及HostCheck功能是否正常切换测试拔除防火墙监控接口线缆测试防火墙切换，并检查会话及认证用户信息。showsecurityflowsessionshowservicesunified-access-controlauthentication-table步骤五：测试与省公司SNPM采集的信息，测试省公司的syslog能否采集信息。〔2010-10回退方案回退方案无需更改交换机配置，步骤为：步骤一：断开SRX与6509互联的接口步骤二：接上ISG2000与6509互联的接口步骤三：将网关切换至原防火墙上配置汇总//Node0(主用防火墙)启用Chassis功能，并启用ge-0/0/11为Fabric接口setchassisclustercluster-id1node0rebootsetinterfacefab0fabric-optionsmember-interfacesge-0/0/11//Node1(备用防火墙)启用Chassis功能，并启用ge-8/0/6为Fabric〔data〕接口setchassisclustercluster-id1node1rebootsetinterfacefab0fabric-optionsmember-interfacesge-8/0/11//配置Cluster链路自动恢复功能setchassisclustercontrol-link-recovery//配置Chassis冗余组，setchassisclusterreth-count2//配置冗余组优先级，数值大的优先级高，并设置JSRP监控接口。setchassisclusterredundancy-group0node1priority50setchassisclusterredundancy-group0node0priority200setchassisclusterredundancy-group1node1priority50setchassisclusterredundancy-group1node0priority200setchassisclusterredundancy-group1interface-monitorge-0/0/10weight255setchassisclusterredundancy-group1interface-monitorge-8/0/10weight255//设备HostName设置及管理接口配置IP配置。setgroupsnode0systemhost-nameJY-SRX3400-Asetgroupsnode0systembackup-routersetgroupsnode0systembackup-routerdestination.0/0.1/24setgroupsnode1systemhost-nameJY-SRX3400-Bsetgroupsnode1systembackup-routersetgroupsnode1systembackup-routerdestination.0/0setapply-groupsnode0setapply-groupsnode1//设置系统时区setsystemtime-zoneAsia/Shanghai//系统启用SSH、Telnet、FTP、管理setsystemservicessshsetsystemservicestelnetsetsystemservicesftp//绑定冗余接口setinterfacesge-0/0/10gigether-optionsredundant-parentreth0setinterfacesge-8/0/10gigether-optionsredundant-parentreth0setinterfacesreth0redundant-ether-optionsredundancy-group1//Reth0启用VlanTAG，并分配相关接口Vlan-ID及IP地址。setinterfacesreth0unit2vlan-id2familyinetaddress10.setinterfacesreth0unit205vlan-id205familyinetaddre//配置DHCP-Relay功能，并在相应接口启用DHCP-Relaysetforwarding-optionshelpersbootprelay-agent-optionsetforwarding-optionshelpersbootpserversetforwarding-optionshelpersbootpinterfacereth0.12serversetforwarding-optionshelpersbootpinterfacereth0.22server//设置SNMP网管配置。setsnmpnameJY_SRX3400-Asetsnmpcommunityzjpublicauthorizationread-only//配置动态OSPF路由setpolicy-optionspolicy-statementStatic-to-Ospfterm1fromprotocolstaticsetpolicy-optionspolicy-statementStatic-to-Ospfterm1thenacceptsetprotocolsospfexportStatic-to-Ospfsetprotocolsospfare.21interfacereth0.2metric1setprotocolsospfare.21interfacereth0.2authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.2passivesetprotocolsospfare.21interfacereth0.11passivesetprotocolsospfare.21interfacereth0.11metric1setprotocolsospfare.21interfacereth0.11authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.12passivesetprotocolsospfare.21interfacereth0.12metric1setprotocolsospfare.21interfacereth0.12authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.13passivesetprotocolsospfare.21interfacereth0.13metric1setprotocolsospfare.21interfacereth0.13authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.14passivesetprotocolsospfare.21interfacereth0.14metric1setprotocolsospfare.21interfacereth0.14authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.15passivesetprotocolsospfare.21interfacereth0.15metric1setprotocolsospfare.21interfacereth0.15authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.16passivesetprotocolsospfare.21interfacereth0.16metric1setprotocolsospfare.21interfacereth0.16authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.17passivesetprotocolsospfare.21interfacereth0.17metric1setprotocolsospfare.21interfacereth0.17authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.18passivesetprotocolsospfare.21interfacereth0.18metric1setprotocolsospfare.21interfacereth0.18authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.19passivesetprotocolsospfare.21interfacereth0.19metric1setprotocolsospfare.21interfacereth0.19authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.21passivesetprotocolsospfare.21interfacereth0.21metric1setprotocolsospfare.21interfacereth0.21authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.22passivesetprotocolsospfare.21interfacereth0.22metric1setprotocolsospfare.21interfacereth0.22authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.23passivesetprotocolsospfare.21interfacereth0.23metric1setprotocolsospfare.21interfacereth0.23authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.24passivesetprotocolsospfare.21interfacereth0.24metric1setprotocolsospfare.21interfacereth0.24authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.25passivesetprotocolsospfare.21interfacereth0.25metric1setprotocolsospfare.21interfacereth0.25authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.26passivesetprotocolsospfare.21interfacereth0.26metric1setprotocolsospfare.21interfacereth0.26authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.27passivesetprotocolsospfare.21interfacereth0.27metric1setprotocolsospfare.21interfacereth0.27authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.29passivesetprotocolsospfare.21interfacereth0.29metric1setprotocolsospfare.21interfacereth0.29authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.103metric1setprotocolsospfare.21interfacereth0.103authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.105metric1setprotocolsospfare.21interfacereth0.105authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.205metric1setprotocolsospfare.21interfacereth0.205authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.500metric1setprotocolsospfare.21interfacereth0.500authenticationmd51keyJYgmcc//配置静态路由setrouting-optionsstaticrout//配置syslog日志效劳器setsecuritylogmodestreamsetsecuritylogformatsd-syslogsetsecuritylogsource-address10.24setsecuritylogstreamsyslogseveritywarningsetsecuritylogstreamsyslogformatsyslogsetsecuritylogstreamsyslogcategoryall//定义地址簿及地址组配置setsecurityzonessecurity-zoneTrustaddresssetsecurityzonessecurity-zoneTrustaddress-bookaddressAll_Trust.0/8-5Fsetsecurityzonessecurity-zoneTrustaddress-bookaddress-setAll_Trust_ZONEaddressAll_Trustsetsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD-ORACAL-3setsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD_ORACAL_1setsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD_ORACAL_2setsecurityzonessecurity-zoneDMZaddress-bookaddress-setDMZ_ORACAL_GROUP_1addressDKH_ORACAL_65setsecurityzonessecurity-zoneDMZaddress-bookaddress-setDMZ_ORACAL_GROUP_1addressJJFWZC_ORACAL_69-5Fsetsecurityzonessecurity-zoneDMZinterfacesreth0.2host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneDMZinterfacesreth0.2host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicesbootp//设置防火墙策略setsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294matchsource-addressAll_BOSS_ZONEuWuQisetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294matchapplicationjunos-setsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294thenpermitsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293matchapplicationjunos-setsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293thenpermitsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292matchapplicationjunos-setsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292thenpermitsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_279matchapplicationanysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_279thenpermitsetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276matchsource-addressAll_Trust_ZONEsetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276matchapplicationanysetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276thenpermitsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275thendenysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274thendenydeactivatesecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274setsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchsource-addressAudit_Server_Groupsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272thenpermitsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchsource-addressAll_DMZ_ZONEsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273thendenysetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchsource-addressAll_Trust_ZONEsetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271thendenysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchsource-addressDeny-Clent-OA-xgs-tiyanjisetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchdestination-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchapplicationanysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311thendenysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270thendenysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchsource-addressDeny-Clent-BOSS-tiyanjisetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchdestination-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchapplicationanysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297thendenysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchsource-addressAll_BOSS_ZONEsetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269thendenysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268thendenysetsecuritypoliciesfrom-zoneDMZto-zoneLouCeng_ZONEpolicyid_267matchsource-addressAudit_Server_Groupsetsecuritypoliciesfrom-z