JuniperSRX防火墙透明模式配置手册

JuniperSRX防火墙配置手册上海神州数码有限公司系统网络技术部Juniper防火墙安装手册项目编号Juniper200909文档名称JuniperSRX防火墙安装手册编写人樊超完成日期20091001文档修订记录：日期修订版本修订内容修订人一、透明模式配置说明硬件型号SRX3400软件版本9.6R1.13配置案例图GSR-1GSR-2Cisco6509_1_L3Cisco6500_L30/0/78/0/7ClusterHAHeartbeat0/0/88/0/80/0/108/0/10RETH1_L2-TRUSTRDNTGROUP1RDNTGROUP1SRX3400-1_L2SRX3400-2_L2Cisco3750_L3Cisco3750_L3RETH2BackupMaster0/0/08/0/0Reth11192.168.1.0/28RETH0_L2-UNTRUSTDMZTRUSTUNTRUST24578•在上图中ge-0/0/0,ge-0/0/10,ge-0/0/8均让VLAN199-223穿过。•GSR和cisco3750，6509之间通过上述vlan连通。•在GSR、3750和6509之间运行3层协议（如ospf、static等）•根据需求，在SRX上运行policy实现trust、DMZ和untrust流量控制•Juniper防火墙作为透明模式部署需要建立3个区域,分别L2_Untrust、L2_Trust、L2_DMZ1.1设置nodeID和clusterID##在操作模式下输入，后面没有注明的则默认是在配置模式下操作##SRX3400-1_L2配置为setchassisclusternode0cluster-id1reboot##SRX3400-2_L2配置为setchassisclusternode1cluster-id1reboot1.2防火墙系统全局配置（初始化配置）##设置root的用户名和密码system{root-authentication{encrypted-password$1$R7QtWpjt$OsUXw/4GC.7AiGO2bFHUz.;##SECRET-DATA}##添加用户名为lab的用户和密码login{userlab{uid2000;classsuperuser;authentication{encrypted-password$1$h54Sa7e3$cjwdMDkIcvEN89jSZ8eSa/;##SECRET-DATA}}}##设置防火墙自己开启的服务services{ftp;telnet;web-management{http;}}syslog{user*{anyemergency;}filemessages{anynotice;authorizationinfo;}}}1.3建立集群##双机配置，设置node0为主，node1为备。##设置node0主机名groups{node0{system{host-nameSRX3400-1_L2;backup-router192.168.2.1destination0.0.0.0/0;}##设置带外管理地址和带外管理的网关interfaces{fxp0{unit0{familyinet{address192.168.2.254/24;}}}}routing-options{static{route0.0.0.0/0{next-hop192.168.2.1;retain;no-readvertise;}}}}##设置node1主机名,带外管理地址和带外管理的网关node1{system{host-nameSRX3400-2_L2;backup-router192.168.2.1destination0.0.0.0/0;}interfaces{fxp0{unit0{familyinet{address192.168.2.253/24;}}}}routing-options{static{route0.0.0.0/0{next-hop192.168.2.1;retain;no-readvertise;}}}}}apply-groups${node};1.4设置cluster冗余组和接口对象##设置reth-count数目及主机单元的优先级，并设置监控的端口和权重chassis{cluster{reth-count3;heartbeat-interval1000;heartbeat-threshold3;##redundancy-group0为引擎组对象，此处将所有业务接口都放到此组中，这样##设置的结果就是只要有一个业务接口down了，则引擎也进行切换，防止出现##业务接口进行了切换，而引擎没有切换的结果redundancy-group0{node0priority100;node1priority1;interface-monitor{ge-0/0/10weight255;ge-0/0/8weight255;ge-8/0/8weight255;ge-8/0/10weight255;ge-0/0/0weight255;ge-8/0/0weight255;}}redundancy-group1{node0priority100;node1priority1;interface-monitor{ge-0/0/8weight255;ge-8/0/8weight255;ge-0/0/10weight255;ge-8/0/10weight255;ge-0/0/0weight255;ge-8/0/0weight255;}}}}##设置相关的物理接口与相应的logical接口reth关联interfaces{ge-0/0/0{gigether-options{redundant-parentreth2;}}ge-0/0/8{gigether-options{no-auto-negotiation;redundant-parentreth0;}}ge-0/0/10{gigether-options{no-auto-negotiation;redundant-parentreth1;}}ge-8/0/0{gigether-options{redundant-parentreth2;}}ge-8/0/8{gigether-options{no-auto-negotiation;redundant-parentreth0;}}ge-8/0/10{gigether-options{redundant-parentreth1;}}##设置两台防火墙互联的接口fab0{fabric-options{member-interfaces{ge-0/0/7;}}}fab1{fabric-options{member-interfaces{ge-8/0/7;}}}irb{unit220{disable;familyinet{address192.168.1.10/28;}}}lo0{unit0{familyinet{address127.0.0.1/32;}}}##设置reth接口为trunk接口，所允许的vlan号reth0{vlan-tagging;redundant-ether-options{redundancy-group1;}unit0{familybridge{interface-modetrunk;vlan-id-list1-4094;}}}reth1{vlan-tagging;redundant-ether-options{redundancy-group1;}unit0{familybridge{interface-modetrunk;vlan-id-list1-4094;}}}reth2{vlan-tagging;redundant-ether-options{redundancy-group1;}unit0{familybridge{interface-modetrunk;vlan-id-list1-4094;}}}}1.5设置安全区域和策略##设置防火墙的安全区域，其中l2开头的代表两层，并把相关的reth接口同安全区域关联security{zones{functional-zonemanagement;security-zonel2-trust{host-inbound-traffic{system-services{all;}protocols{all;}}interfaces{reth1.0;}}security-zonel2-untrust{interfaces{reth0.0;}}security-zonetrust;security-zonel2-dmz{host-inbound-traffic{system-services{all;}protocols{all;}}interfaces{reth2.0;}}}##设置防火墙的策略，目前各安全区域之间是全开放policies{from-zonel2-trustto-zonel2-untrust{policytrust-untrust{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-untrustto-zonel2-trust{policyuntrust-trust{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-trustto-zonel2-trust{policytrust-trust{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-trustto-zonel2-dmz{policytrust-dmz{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-untrustto-zonel2-dmz{policyuntrust-dmz{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-dmzto-zonel2-trust{policydmz-trust{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}from-zonel2-dmzto-zonel2-untrust{policydmz-untrust{match{source-addressany;destination-addressany;applicationany;}then{permit;}}}}alg{ftpdisable;tftpdisable;}}1.6设置全局l2特性##全局设置vlan透传bridge-domains{trunk199-223{vlan-id-list199-223;}vlan001{vlan-id1;routing-interfaceirb.0;}}{secondary:node0}