Juniper Junos OS Скачать руководство пользователя страница 87 | Manualshive

Страница: 87 / 158

background image

CHAPTER 10

Understanding Stateful Firewall, IPsec
VPN, and Chassis Cluster for Branch SRX
Series

•

Understanding Branch SRX Series Stateful Firewall Functionality on page 71

•

Understanding IPsec VPN for SRX Series on page 72

•

Understanding Chassis Cluster for SRX Series on page 72

Understanding Branch SRX Series Stateful Firewall Functionality

Your branch SRX Series includes a stateful firewall, which tracks the state of each traffic
flow or stream and uses dynamic packet inspection to identify patterns in data packets
that might represent a threat to your network. This feature protects hosts from
communicating with compromised or malicious users or applications.

The branch SRX Series uses zones and policies to provide firewall configuration.

Although zones and policies can have user-defined configurations, the factory-default
configuration contains, at a minimum, a “trust” and “untrust” zone. The trust zone is used
for configuration and attaching the internal LAN to the branch SRX Series. The untrust
zone is commonly used for the WAN or untrusted Internet interface.

To simplify installation and make configuration easier, a default policy is in place that
allows traffic originating from the trust zone to the untrust zone. You are not required to
configure a deny policy from the untrust zone to any other zones, because the device
drops the traffic by default if there is no policy defined for any traffic.

By using the J-Web interface or CLI, you can create a series of security policies that can
control the traffic from within and in between zones by defining policies.

Related

Documentation

Understanding Security Zones and Policies for SRX Series on page 31

•

•

Example: Configuring Security Zones and Policies for SRX Series on page 32

71

Copyright © 2016, Juniper Networks, Inc.

«
...
85
86
87
88
89
...
»

Содержание Junos OS

Страница 1: ...Junos OS Getting Started Guide for Branch SRX Series Release 12 3X48 D10 Modified 2016 09 01 Copyright 2016 Juniper Networks Inc...

Страница 2: ...tting Started Guide for Branch SRX Series 12 3X48 D10 Copyright 2016 Juniper Networks Inc All rights reserved The information in this document is current as of the date on the title page YEAR 2000 NOT...

Страница 3: ...Default Configuration Topology 7 Default Port Settings 8 Default Settings for Interfaces Zones Policy and NAT 9 Default System Services 10 Autoinstallation 10 SRX210 Factory Default Settings A Sample...

Страница 4: ...efault UTM Policy for Branch SRX Series 54 Default UTM Policy 54 Predefined UTM Profile Configuration for Branch SRX Series 54 Antispam 54 Antivirus 55 Web Filtering 56 Chapter 9 Configuring Intrusion...

Страница 5: ...sion 109 show security idp active policy 115 show security idp status 116 show security nat destination summary 118 show security policies 120 show security utm session 128 show security utm status 12...

Страница 6: ...Copyright 2016 Juniper Networks Inc vi Getting Started Guide for Branch SRX Series...

Страница 7: ...n SRX Series Device for the First Time 17 Figure 2 Connecting an SRX210 to the Internet 21 Part 3 Configuring Basic SRX Series Features Chapter 5 Configuring Security Zones and Policies for SRX Series...

Страница 8: ...Copyright 2016 Juniper Networks Inc viii Getting Started Guide for Branch SRX Series...

Страница 9: ...s Devices 32 Table 8 Address Books Configuration 33 Table 9 Security Policy Configuration 34 Chapter 6 Configuring NAT for SRX Series 39 Table 10 Destination NAT Mapping 41 Chapter 8 Configuring UTM f...

Страница 10: ...Copyright 2016 Juniper Networks Inc x Getting Started Guide for Branch SRX Series...

Страница 11: ...rs and subject matter experts These books go beyond the technical documentation to explore the nuances of network architecture deployment and administration The current list can be viewed at http www...

Страница 12: ...sable unit 0 family inet address 10 0 0 1 24 2 Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command edit user host load merge va...

Страница 13: ...tant features or instructions Informational note Indicates a situation that might result in loss of data or hardware damage Caution Alerts you to the risk of personal injury or death Warning Alerts yo...

Страница 14: ...archy levels or labels on routing platform components Text like this stub default metric metric Encloses optional keywords or variables angle brackets broadcast multicast string1 string2 string3 Indic...

Страница 15: ...ks Technical Assistance Center JTAC If you are a customer with an active J Care or Partner Support Service support contract or are covered under warranty and need post sales technical support you can...

Страница 16: ...To verify service entitlement by product serial number use our Serial Number Entitlement SNE Tool https tools juniper net SerialNumberEntitlementSearch Opening a Case with JTAC You can open a case wit...

Страница 17: ...PART 1 Overview Introduction to SRX Series Devices on page 3 1 Copyright 2016 Juniper Networks Inc...

Страница 18: ...Copyright 2016 Juniper Networks Inc 2 Getting Started Guide for Branch SRX Series...

Страница 19: ...eries are based on Junos OS a full featured networking operating system that is optimized to provide maximum performance and efficient network security The SRX Series range from lower end branch devic...

Страница 20: ...Copyright 2016 Juniper Networks Inc 4 Getting Started Guide for Branch SRX Series...

Страница 21: ...Series Services Gateway Understanding Factory Default Configuration Settings on page 7 Configuring an SRX Series Device for the First Time on page 17 Resetting the SRX Series Device on page 27 5 Copyr...

Страница 22: ...Copyright 2016 Juniper Networks Inc 6 Getting Started Guide for Branch SRX Series...

Страница 23: ...8 Default Settings for Interfaces Zones Policy and NAT on page 9 Default System Services on page 10 Autoinstallation on page 10 Default Configuration Topology Figure 1 on page 8 provides a topology of...

Страница 24: ...lan trust The protected hosts can be connected to any one of the ports that are part of the default VLAN The DHCP server is running on vlan 0 and assigns IP addresses to other interfaces for the local...

Страница 25: ...es in the 192 168 1 2 to 192 168 1 254 range to any device plugged into the trust interfaces Default Settings for Interfaces Zones Policy and NAT Table 3 on page 9 provides the default configuration o...

Страница 26: ...s automatic configuration for a new device that you connect to the network Autoinstallation is active by default and is deactivated when you commit the device for the first time You can use the delete...

Страница 27: ...rtificate interface vlan 0 dhcp router 192 168 1 1 pool 192 168 1 0 24 address range low 192 168 1 2 high 192 168 1 254 propagate settings ge 0 0 0 0 syslog archive size 100k files 3 user any emergenc...

Страница 28: ...g vlan members vlan trust fe 0 0 2 unit 0 family ethernet switching vlan members vlan trust fe 0 0 3 unit 0 family ethernet switching vlan members vlan trust fe 0 0 4 unit 0 family ethernet switching...

Страница 29: ...creen ids option untrust screen icmp ping death ip source route option tear drop tcp syn flood alarm threshold 1024 attack threshold 200 source threshold 1024 destination threshold 2048 timeout 20 lan...

Страница 30: ...tination address any application any then permit zones security zone trust host inbound traffic system services all protocols all interfaces vlan 0 security zone untrust screen untrust screen interfac...

Страница 31: ...onnecting the Branch SRX Series Through the Console Port for the First Time on page 19 Understanding Factory Default Configuration Settings of an SRX210 on page 7 15 Copyright 2016 Juniper Networks In...

Страница 32: ...Copyright 2016 Juniper Networks Inc 16 Getting Started Guide for Branch SRX Series...

Страница 33: ...lowing methods right out of the box Connecting through the console port Use an Ethernet cable with an RJ 45 to DB 9 serial port adapter to connect the console port on the SRX Series to the serial port...

Страница 34: ...account Administrator Password Record the name of your SRX210 to identify itself on your network Hostname Network security often depends on knowing the exact time when a specific event occurs If you d...

Страница 35: ...different applications 4 Press the POWER button on the device and wait till the Power LED turns green 5 Log in to the device as root and leave the password field blank When you boot the device with t...

Страница 36: ...Related Documentation Understanding Methods to Manage the Branch SRX Series on page 17 Understanding Factory Default Configuration Settings of an SRX210 on page 7 Configuring a Hostname to Identify a...

Страница 37: ...ess and gateway through DHCP If your ISP supports DHCP your services gateway acquires an IP address and other settings domain name servers default routes from your ISP Assign IP address manually If yo...

Страница 38: ...Default Configuration Settings of an SRX210 on page 7 Connecting the Branch SRX Series Through the Console Port for the First Time on page 19 Configuring a Hostname to Identify a Branch SRX Series Ser...

Страница 39: ...e show commands such as show system host name show system login and show system name server as shown in the following samples Verify system hostname details edit root host show system host name host n...

Страница 40: ...d Address obtained 1 1 1 20 update server enables Lease Obtained at 2007 05 10 18 16 04 PST Lease Expires at 2007 05 11 18 16 04 PST DHCP Options Name name server Value 1 1 1 2 Code 1 Type ip address...

Страница 41: ...es Services Gateway in Your Network on page 20 Configuring Internet Access for the Branch SRX Series on page 21 Configuring a Network Time Protocol Server for the Branch SRX Series on page 22 Validati...

Страница 42: ...Copyright 2016 Juniper Networks Inc 26 Getting Started Guide for Branch SRX Series...

Страница 43: ...services gateway will load and commit the rescue configuration During this operation the Status light on the front panel of your services gateway glows amber Resetting Your SRX Series to Factory Setti...

Страница 44: ...Copyright 2016 Juniper Networks Inc 28 Getting Started Guide for Branch SRX Series...

Страница 45: ...for SRX Series on page 39 Managing Licenses for SRX Series on page 47 Configuring UTM for Branch SRX Series on page 49 Configuring Intrusion Detection and Prevention for SRX Series on page 63 Underst...

Страница 46: ...Copyright 2016 Juniper Networks Inc 30 Getting Started Guide for Branch SRX Series...

Страница 47: ...are used to identify traffic flow direction in security policies to control traffic On a single device you can configure multiple security zones and at a minimum you must define two security zones ba...

Страница 48: ...or Security Devices Related Documentation Understanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time Example Configuring Security...

Страница 49: ...thernet switching factory configuration setting to family inet Assign IP address 192 168 1 2 24 to the host connected to the fe 0 0 2 0 interface in the trust zone Set up two HTTP servers Server HTTP...

Страница 50: ...zoneDMZaddress bookaddressServer SMTP192 168 2 4 24 set security zones security zone DMZ address book address set DMZ address set http address Server HTTP 1 set security zones security zone DMZ addre...

Страница 51: ...ecurity zone DMZ address book address set DMZ address set http address Server HTTP 2 5 Create address books in the trust zone edit user srx210 host set security zones security zone trust address book...

Страница 52: ...ook address Server HTTP 1 192 168 2 2 24 address Server HTTP 2 192 168 2 3 24 address Server SMTP 192 168 2 4 24 address set DMZ address set http address Server HTTP 1 address Server HTTP 2 interfaces...

Страница 53: ...e show security flow session command from operational mode For samples of the show security flow session command output see show security flow session Related Documentation Understanding Security Zone...

Страница 54: ...Copyright 2016 Juniper Networks Inc 38 Getting Started Guide for Branch SRX Series...

Страница 55: ...same size Destination NAT Destination NAT is the translation of the destination IP address of a packet entering the SRX Series Destination NAT is used to redirect traffic destined to a virtual host i...

Страница 56: ...ss to the private address Requirements Before you begin create security zones and assign interfaces to them See Example Configuring Security Zones and Policies for SRX Series on page 32 This example u...

Страница 57: ...rce IP Address 192 168 2 2 1 1 1 3 1 1 1 3 20 20 20 20 In this topology you provide access to the server Server HTTP 1 in the DMZ zone from the Internet after translating the public IP address 1 1 1 3...

Страница 58: ...the commands into the CLI at the edit hierarchy level and then enter commit from configuration mode set security nat destination pool dst nat pool 1 address 192 168 2 2 32 set security nat destinatio...

Страница 59: ...st set security policies from zone untrust to zone DMZ policy server access match source address any user srx210 host set security policies from zone untrust to zone DMZ policy server access match des...

Страница 60: ...nat destination summary command View the translation hits field to check for traffic using IP addresses from the pool Total pools 1 Pool name Address Routing Port Total Range Instance Address dst nat...

Страница 61: ...rstanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time 45 Copyright 2016 Juniper Networks Inc Chapter 6 Configuring NAT for SRX Se...

Страница 62: ...Copyright 2016 Juniper Networks Inc 46 Getting Started Guide for Branch SRX Series...

Страница 63: ...You can Install the license on the SRX Series using either the automatic method or manual method as follows Install your license automatically on the device To install or update your license automatic...

Страница 64: ...license View license usage for UTM features License identifier JUNOS240185 License version 2 Valid for device AH1111AA7883 Features av_key_kaspersky_engine Kaspersky AV date based 2010 01 04 08 00 00...

Страница 65: ...threats enter the network The following UTM modules are supported Antispam Antispam blocks and filters unwanted e mail traffic by scanning inbound and outbound SMTP e mail traffic by using some combi...

Страница 66: ...Redirect Web filtering junos wf local default juniper local Local Web filtering junos wf enhanced default juniper enhanced Enhanced Web filtering SMTP POP3 IMAP HTTP and FTP NA NA NA Content filterin...

Страница 67: ...CLI Quick Configuration To quickly configure this example copy the following commands paste them into a text file remove any line breaks change any details necessary to match your network configurati...

Страница 68: ...e address any destination address any application any user srx210 host set security policies from zone trust to zone untrust policy trust to untrust then permit application services utm policy policy...

Страница 69: ...hat the antispam filtering configuration is active Action From operational mode enter the show security utm anti spam status command user srx210 host show security utm anti spam status SBL Whitelist S...

Страница 70: ...Branch SRX Series Default UTM Policy anti virus http profile junos av defaults ftp upload profile junos av defaults download profile junos av defaults smtp profile junos av defaults pop3 profile juno...

Страница 71: ...ng scan mode all content size limit 10000 timeout 180 decompress layer limit 2 notification options virus detection type message no notify mail sender custom message VIRUS WARNING fallback block type...

Страница 72: ...ns default log and permit content size log and permit engine not ready log and permit timeout log and permit out of resources log and permit too many requests log and permit scan options uri check con...

Страница 73: ...s_Alcohol_Tobacco action block Education action permit Finance_Investment action permit Food_Drink action permit Gambling action block Games action block Glamour_Intimate_Apparel action permit Governm...

Страница 74: ...ng action block Photo_Searches action permit Real_Estate action permit Reference action permit Religion action permit Remote_Proxies action block Sex_Education action block Search_Engines action permi...

Страница 75: ...fallback settings default log and permit server connectivity log and permit timeout log and permit too many requests log and permit juniper local profile junos wf local default custom block message Ju...

Страница 76: ...action block Enhanced_Nudity action block Enhanced_Adult_Content action block Enhanced_Sex action block Enhanced_Hacking action block Enhanced_Personals_and_Dating action block Enhanced_Alcohol_and_To...

Страница 77: ...log and permit custom block message Juniper Web Filtering has been set to block this site fallback settings default log and permit server connectivity log and permit timeout log and permit too many r...

Страница 78: ...Copyright 2016 Juniper Networks Inc 62 Getting Started Guide for Branch SRX Series...

Страница 79: ...ge on the Juniper Networks website This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks Configure recommended policy as...

Страница 80: ...u want to inspect This example shows how to configure a security policy to enable IDP services for the first time on traffic flowing on the device Requirements on page 64 Overview on page 64 Configura...

Страница 81: ...x cgi Version info 2230 Mon Feb 4 19 40 13 2013 GMT 8 Detector 12 6 160121210 3 Install the attack database edit user host run request security idp security package install Will be processed in async...

Страница 82: ...ing the status checking CLI 9 Verify the installation status update edit user host run request security idp security package install status Done policy templates has been successfully updated into int...

Страница 83: ...security policy identifies what traffic is to be sent to the IDP engine and then the IDP engine applies inspection based on the contents of that traffic Traffic that matches a security policy in which...

Страница 84: ...ss set http application junos http then permit application services idp If you are done configuring the device enter commit from configuration mode Verification Confirm that the configuration is worki...

Страница 85: ...Memory Detector 0 Recommended 0 2233 12 6 160121210 Meaning The sample output shows the Recommended predefined IDP policy as the active policy Related Documentation Updating Licenses for a Branch SRX...

Страница 86: ...Copyright 2016 Juniper Networks Inc 70 Getting Started Guide for Branch SRX Series...

Страница 87: ...defined configurations the factory default configuration contains at a minimum a trust and untrust zone The trust zone is used for configuration and attaching the internal LAN to the branch SRX Series...

Страница 88: ...y parameter index SPI destination IP address and security protocol Authentication Header or Encapsulating Security Payload employed Through the SA an IPsec tunnel can provide the following security fu...

Страница 89: ...PART 4 Configuration Statements and Operational Commands Configuration Statements on page 75 Operational Commands on page 107 73 Copyright 2016 Juniper Networks Inc...

Страница 90: ...Copyright 2016 Juniper Networks Inc 74 Getting Started Guide for Branch SRX Series...

Страница 91: ...ding options group VPNs Intrusion Detection Prevention IDP Internet Key Exchange IKE Internet Protocol Security IPsec logging Network Address Translation NAT public key infrastructure PKI policies res...

Страница 92: ...page 90 edit security pki Hierarchy Level edit security policies Hierarchy Level on page 93 edit security resource manager Hierarchy Level edit security screen Hierarchy Level edit security softwires...

Страница 93: ...ny client to server server to client service service name shellcode all intel no shellcode sparc test test condition chain expression boolean expression member member name attack type anomaly same sta...

Страница 94: ...code value data length match equal greater than less than not equal value data length identification match equal greater than less than not equal value identification value sequence number match equa...

Страница 95: ...ater than less than not equal value identification value ihl match equal greater than less than not equal value ihl value ip flags df no df mf no mf rb no rb protocol match equal greater than less tha...

Страница 96: ...t match equal greater than less than not equal value hop limit value next header match equal greater than less than not equal value next header value payload length match equal greater than less than...

Страница 97: ...er than less than not equal value reserved value sequence number match equal greater than less than not equal value sequence number source port match equal greater than less than not equal value sourc...

Страница 98: ...transport layer protocol number rpc program number rpc program number tcp minimum port port number maximum port port number udp minimum port port number maximum port port number regexp regular expres...

Страница 99: ...p policy policy name rulebase exempt rule rule name description text match attacks custom attack groups attack group name custom attacks attack name dynamic attack groups attack group name predefined...

Страница 100: ...class forwarding class close client close client and server close server drop connection drop packet ignore connection mark diffserv value no action recommended ip action ip block ip close ip notify l...

Страница 101: ...cache limit lt lower threshold value min objcache limit ut upper threshold value reject timeout value reset on policy no reset on policy udp anticipated timeout value global enable all qmodules no ena...

Страница 102: ...ignore reassembly memory overflow ignore reassembly overflow max flow mem value max packet mem ratio percetnage value max synacks queued value tcp error logging no tcp error logging ssl inspection cac...

Страница 103: ...ail address nat keepalive seconds no nat traversal remote identity distinguished name container container string wildcard wildcard string hostname hostname inet ip address inet6 ipv6 address user at h...

Страница 104: ...association manual encryption iked_encryption enabled algorithm 3des cbc key ascii text key policy policy name description description perfect forward secrecy keys group1 group14 group19 group2 group...

Страница 105: ...ely on traffic ike gateway gateway name idle time seconds install interval seconds ipsec policy ipsec policy name no anti replay proxy identity local ip prefix remote ip prefix service any service nam...

Страница 106: ...ecurity nat destination pool pool name address ip address port port number to ip address description text routing instance routing instance name default rule set rule set name description text from in...

Страница 107: ...tilization alarm clear threshold value raise threshold value port block allocation active block timeouttimeout interval block size block size log disable maximum blocks per host maximum block number d...

Страница 108: ...imeout seconds max session number value permit any remote host target host target host port off pool pool name persistent nat address mapping inactivity timeout seconds max session number number permi...

Страница 109: ...uting instance routing instance name default rule session count alarm clear threshold value raise threshold value traceoptions file filename files number match regular expression world readable no wor...

Страница 110: ...me scheduler name then count alarm per minute threshold number per second threshold number deny log session close session init permit application services application firewall rule set rule set name a...

Страница 111: ...profile name domain domain name ssl termination profile profile name web authentication client match user or group name services offload tcp options sequence check required syn check required tunnel...

Страница 112: ...lose session init permit application services application firewall rule set rule set name application traffic control rule set rule set name gprs gtp profile profile name gprs sctp profile profile nam...

Страница 113: ...nitial tcp mss mss value reverse tcp mss mss value sequence check required syn check required reject policy rematch policy stats system wide disable enable traceoptions file filename files number matc...

Страница 114: ...spam address blacklist list name address whitelist list name sbl profile profile name custom tag string string sbl default server no sbl default server spam action block tag header tag subject traceop...

Страница 115: ...nder type message protocol only fallback non block custom message message custom message subject message subject notify mail recipient no notify mail recipient virus detection custom message message c...

Страница 116: ...ge message custom message subject message subject display host notify mail sender no notify mail sender type message protocol only fallback non block custom message message custom message subject mess...

Страница 117: ...mit permit too many requests block log and permit permit notification options fallback block administrator email email address allow email custom message message custom message subject message subject...

Страница 118: ...xception list name list list name notification options custom message message notify mail sender no notify mail sender type message protocol only permit command protocol command list traceoptions flag...

Страница 119: ...t value server host host name port number juniper local profile profile name custom block message value default block log and permit permit fallback settings default block log and permit server connec...

Страница 120: ...og and permit too many requests block log and permit server host host name port number sockets value timeout value ipc traceoptions flag flag traceoptions flag flag utm policy policy name anti spam sm...

Страница 121: ...75 Unified Threat Management Overview edit security zones Hierarchy Level security zones functional zone management description text host inbound traffic protocols protocol name except system services...

Страница 122: ...t host inbound traffic protocols protocol name except system services service name except interfaces interface name host inbound traffic protocols protocol name except system services service name exc...

Страница 123: ...show security idp active policy show security idp status show security nat destination summary show security policies show security utm session show security utm status show security zones show syste...

Страница 124: ...m license update trial on page 108 Output Fields When you enter this command you are provided feedback on the status of your request Sample Output request system license update user host request syste...

Страница 125: ...n firewall Application firewall enabled application firewall rule set Application firewall enabled with the specified rule set application traffic control Application traffic control session applicati...

Страница 126: ...curity flow session on page 112 show security flow session brief on page 112 show security flow session extensive on page 113 show security flow session summary on page 113 Output Fields Table 12 on p...

Страница 127: ...ority Forwarding class Differentiated Services DiffServ code point DSCP value remarked by the matching rule for this session DSCP code point One of four priority levels set by the matching rule to con...

Страница 128: ...00001 Policy name default policy 2 Timeout 1794 Valid In 40 0 0 111 32852 30 0 0 100 21 tcp If ge 0 0 2 0 Pkts 25 Bytes 1138 Out 30 0 0 100 21 40 0 0 111 32852 tcp If ge 0 0 1 0 Pkts 20 Bytes 1152 Tot...

Страница 129: ...rface ge 0 0 2 0 Session token 0x9 Flag 0x20 Route 0x0 Gateway 20 0 0 10 Tunnel 0 Port sequence 0 FIN sequence 0 FIN state 0 Pkts 0 Bytes 0 Total sessions 1 show security flow session summary root sho...

Страница 130: ...Valid sessions 0 Pending sessions 0 Invalidated sessions 0 Sessions in other states 0 Maximum sessions 819200 Copyright 2016 Juniper Networks Inc 114 Getting Started Guide for Branch SRX Series...

Страница 131: ...e Output show security idp active policy on page 115 Output Fields Table 13 on page 115 lists the output fields for the showsecurityidpactive policycommand Output fields are listed in the approximate...

Страница 132: ...throughput packets per second for the system Packets second The aggregated throughput kilobits per second for the system KBits second min Minimum delay for a packet to receive and return by a node in...

Страница 133: ...icroseconds min 0 max 0 avg 0 Packet Statistics ICMP 0 TCP 82 UDP 0 Other 0 Flow Statistics ICMP Current 0 Max 0 2010 02 05 06 49 51 UTC TCP Current 2 Max 6 2010 02 05 06 52 08 UTC UDP Current 0 Max 0...

Страница 134: ...ation pool Security Destination NAT rule Security Destination NAT Security Configuration Statement Hierarchy on page 75 List of Sample Output show security nat destination summary on page 119 Output F...

Страница 135: ...ll the destination NAT rules Total fail times Sample Output show security nat destination summary user host show security nat destination summary Total pools 2 Pool name Address Routing Port Total Ran...

Страница 136: ...cp mss options added in Junos OS Release 12 3X48 D20 Description Display a summary of all security policies configured on the device If a particular policy is specified display information particular...

Страница 137: ...able in a from zoneA to zoneB context might be ordered with sequence numbers 1 2 3 Also in a from zoneC to zoneD context four policies might have sequence numbers 1 2 3 4 Sequence number For standard...

Страница 138: ...with translated destination addresses drop untranslated Drop the packets without translated destination addresses Destination Address Translation An application firewall includes the following Rule se...

Страница 139: ...irection Output packets The total number of packets actually processed by the device Initial direction The number of packets actually processed by the device from the initial direction Reply direction...

Страница 140: ...sses sa 1 ipv4 2 2 2 0 24 sa 2 ipv6 2001 0db8 32 sa 3 ipv6 2001 0db6 24 sa 4 wc 192 168 0 11 255 255 0 255 Destination addresses da 1 ipv4 2 2 2 0 24 da 2 ipv6 2400 0af8 32 da 3 ipv6 2400 0d78 0 24 da...

Страница 141: ...n addresses any Source identities role1 role2 role4 Applications any Action permit services offload show security policies detail user host show security policies detail Default policy deny all Policy...

Страница 142: ...ol 0 ALG 0 Inactivity timeout 0 Source port range 0 0 Destination port range 0 0 Per policy TCP Options SYN check No SEQ check No show security policies detail TCP Options user host show security poli...

Страница 143: ...00 196 0 22 ad5 ad 15 1 7 199 15 1 8 19 ad6 ad 15 1 8 0 21 ad7 ad 15 1 7 0 24 Destination addresses excluded ad13 ad2 20 1 7 0 24 ad12 ad2 20 1 4 1 32 ad11 ad2 20 1 7 199 20 1 8 19 ad10 ad2 50 1 4 0 2...

Страница 144: ...ormation from both nodes in a chassis cluster Required Privilege Level view Related Documentation clear security utm session show security utm status on page 129 Output Fields show security utm sessio...

Страница 145: ...status of both the nodes with full chassis cluster support for UTM Required Privilege Level view Related Documentation clear security utm session show security utm session on page 128 Output Fields sh...

Страница 146: ...ature Guide for Security Devices List of Sample Output show security zones on page 131 show security zones abc on page 131 show security zones abc detail on page 131 show security zones terse on page...

Страница 147: ...reset for non SYN session TCP packets Off Policy configurable Yes Interfaces bound 1 Interfaces ge 0 0 1 0 Security zone def Description This is the def zone Send reset for non SYN session TCP packet...

Страница 148: ...es Interfaces bound 1 Interfaces ge 0 0 1 0 Sample Output show security zones terse user host show security zones terse Zone Type my internal Security my external Security dmz Security Copyright 2016...

Страница 149: ...Series Devices List of Sample Output show system license on page 134 show system license installed on page 134 show system license keys on page 135 show system license usage on page 135 show system l...

Страница 150: ...Output show system license user host show system license License usage Licenses Licenses Licenses Expiry Feature name used installed needed av_key_kaspersky_engine 1 1 0 2012 03 30 01 00 00 IST wf_key...

Страница 151: ...xxxxx xxxxxx xxxxxx xxx show system license usage user host show system license usage Licenses Licenses Licenses Expiry Feature name used installed needed av_key_kaspersky_engine 1 1 0 2012 03 30 01 0...

Страница 152: ...statistics on page 138 Output Fields Table 19 on page 136 lists the output fields for the show system services dhcp client command Output fields are listed in the approximate order in which they appea...

Страница 153: ...o the DHCP server for local configuration parameters DHCPRELEASE Packet sent to the DHCP server to relinquish network address and cancel remaining lease DHCPRENEW Packet sent to the DHCP server to ren...

Страница 154: ...ress Value 255 255 255 0 Name name server Value 77 77 77 77 55 55 55 55 Name domain name Value mylab example net Sample Output show system services dhcp client statistics user host show system service...

Страница 155: ...PART 5 Index Index on page 141 139 Copyright 2016 Juniper Networks Inc...

Страница 156: ...Copyright 2016 Juniper Networks Inc 140 Getting Started Guide for Branch SRX Series...

Страница 157: ...t 19 console port 17 conventions text and syntax xiii curly braces in configuration statements xiv customer support xv contacting JTAC xv D default configuration NAT 7 policies 7 destination NAT 40 de...

Страница 158: ...nat destination summary command 118 show security policies command 120 show security utm session 128 show security utm status 129 show security zones command 130 show system license command 133 show...

Отзывы:

Нет отзывов

Похожие инструкции для Junos OS

Бренд: YASKAWA Страницы: 34

EK-FC780 GTX Jetstream

Бренд: ekwb Страницы: 2

Бренд: SMART Страницы: 15

Бренд: Speedtouch Страницы: 124

Бренд: u-blox Страницы: 29

Бренд: ADS Technologies Страницы: 1

Бренд: Abit Страницы: 22

Suzie-Q 541.35.520

Бренд: Hafele Страницы: 12

Бренд: TP-Link Страницы: 2

Бренд: NBase Страницы: 18

Бренд: Gearlinx Страницы: 23

Бренд: MA lighting Страницы: 49

Бренд: Xtreme Страницы: 83

Бренд: Vacron Страницы: 16

D-Link DSL-2640U

Бренд: Broadband Products Страницы: 12

GEFORCE RTX 4090

Бренд: Nvidia Страницы: 160

NVR2104/2108HS-W-4KS2 1U

Бренд: Dahua Technology Страницы: 363

IE-SW-VL09T-6TX-3SC

Бренд: Weidmuller Страницы: 14

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды