Juniper SRX3000 Engineering Commissioning Guide


Juniper Firewall Engineering Commissioning Guide

set security ipsec vpn vpn1 ike ipsec-policy AAA

set security ipsec vpn vpn1 establish-tunnels immediately

This defines the IPsec Phase 2 VPN parameters: the standard proposal, binding to interface st0.0, and referencing the Phase 1 IKE gateway gw1.

set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any

set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any

set security policies from-zone untrust to-zone trust policy vpn-policy match application any

set security policies from-zone untrust to-zone trust policy vpn-policy then permit

set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any

set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any

set security policies from-zone trust to-zone untrust policy vpn-policy match application any

set security policies from-zone trust to-zone untrust policy vpn-policy then permit

The policy is enabled in both directions so that VPN traffic is allowed through.
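As an added example that is not part of the original guide, the following Python script parses set-style policy statements like those above and reports every policy that permits traffic with source-address any, destination-address any and application any, so a configuration reviewer can confirm that such wide-open rules are intentional. The sample configuration, including the contrasting mgmt-out policy, is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the guide's two VPN policies plus a narrower policy for contrast.
SAMPLE_CONFIG = """
set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy vpn-policy match application any
set security policies from-zone untrust to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-policy match application any
set security policies from-zone trust to-zone untrust policy vpn-policy then permit
set security policies from-zone trust to-zone untrust policy mgmt-out match application junos-ssh
set security policies from-zone trust to-zone untrust policy mgmt-out then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$"
)

def parse_policies(config_text):
    """Group match terms and then-actions by (from_zone, to_zone, policy name)."""
    policies = defaultdict(lambda: {"match": defaultdict(set), "then": set()})
    for line in config_text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a security-policy statement (or a form this parser does not model)
        key = (m.group(1), m.group(2), m.group(3))
        if m.group(4):
            policies[key]["match"][m.group(4)].add(m.group(5))
        else:
            policies[key]["then"].add(m.group(6))
    return policies

def find_open_permits(config_text):
    """Return (from_zone, to_zone, name) for every policy that permits any/any/any."""
    findings = []
    for key, pol in parse_policies(config_text).items():
        terms = pol["match"]
        fully_open = all(terms[t] == {"any"} for t in
                         ("source-address", "destination-address", "application"))
        if fully_open and "permit" in pol["then"]:
            findings.append(key)
    return findings

if __name__ == "__main__":
    for from_zone, to_zone, name in find_open_permits(SAMPLE_CONFIG):
        print(f"{from_zone} -> {to_zone}: policy {name} permits any/any/any")
```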

3.1.10 GRE configuration: not currently supported.

II. Maintenance and Troubleshooting

2.1 Firewall Software Upgrade

Before upgrading, back up the existing configuration file and make sure the power supply is stable. During the upgrade it is recommended to connect to the firewall's console port with a terminal emulator and record the output.

JUNOS software upgrades on Juniper devices must follow the steps below:

3. Connect to the primary Routing Engine via console or Telnet/SSH.

4. Download the new JUNOS software and place it on an FTP server.

5. Before upgrading, run the following command to back up the existing software and settings (the SRX device must be able to ping the FTP server's address):

user@host> request system snapshot

6. Install the new JUNOS software:

user@host> request system software add ftp://username:password@192.168.1.1/jinstall-7.X-package-name-signed.tgz no-copy unlink reboot


Checking compatibility with configuration
Initializing...
Using jbase-7.x-package-name
Using /var/tmp/jinstall-7.x-package-name.signed.tgz
Verified jinstall-7.x-package-name.tgz signed by PackageDevelopment_0
Using /var/validate/tmp/jinstall-signed/jinstall-7.x-package-name.tgz
Using /var/validate/tmp/jinstall/jbundle-7.x-package-name.tgz
Checking jbundle requirements on /
Using /var/validate/tmp/jbundle/jbase-7.x-package-name.tgz
Using /var/validate/tmp/jbundle/jkernel-7.x-package-name.tgz
Using /var/validate/tmp/jbundle/jcrypto-7.x-package-name.tgz
Using /var/validate/tmp/jbundle/jpfe-7.x-package-name.tgz
Using /var/validate/tmp/jbundle/jdocs-7.x-package-name.tgz
Using /var/validate/tmp/jbundle/jroute-7.x-package-name.tgz
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Installing package '/var/tmp/jinstall-7.x-package-name-signed.tgz' ...
Verified jinstall-7.x-package-name-signed.tgz signed by PackageDevelopment_0
Pre-checking requirements for jinstall...
Auto-deleting old jinstall...
Deleting saved config files ...
Deleting bootstrap installer ...
Adding jinstall...
WARNING: This package will load JUNOS 7.x software.
WARNING: It will save JUNOS configuration files, and SSH keys
WARNING: (if configured), but erase all other files and information
WARNING: stored on this machine. It will attempt to preserve dumps
WARNING: and log files, but this can not be guaranteed. This is the
WARNING: pre-installation stage and all the software is loaded when
WARNING: you reboot the system.
Saving the config files ...
Installing the bootstrap installer ...
WARNING: A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the


WARNING: 'request system reboot' command when software installation is

WARNING: complete. To abort the installation, do not reboot your system,

WARNING: instead use the 'request system software delete jinstall'

WARNING: command as soon as this operation completes.

Saving package file in /var/sw/pkg/jinstall-7.x-package-name-signed.tgz ...
Saving state for rollback ...

2.2 Firewall Password Recovery

If the device's root password is lost and no other account with superuser privileges is available, password recovery must be performed; this procedure interrupts normal operation of the device.

To recover the password, proceed as follows:

1. Power the device off and on again to restart it.

2. During boot, when the following prompt appears on the console, press any key to interrupt the normal boot sequence and enter single-user mode:

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds... < Press any key other than return >
ok boot -s

3. Perform the password recovery:

# cd /packages
# ./mount.jkernel
Mounted jkernel package on /dev/vn1...
Verified manifest signed by PackageProduction_8_2_0
# ./mount.jroute
Mounted jroute package on /dev/vn2...
Verified manifest signed by PackageProduction_8_2_0
# cd /usr/libexec/ui
# ./recovery-mode

4. Enter configuration mode and set a new root password:

root> configure

Entering configuration mode

[edit]


root# set system root-authentication plain-text-password
New password:
Retype new password:

5. After rebooting, the device returns to normal operation.

2.3 Firewall Packet Capture and Debugging

If part of the network cannot be reached, check in order whether the interface status, the routing and the policy configuration are correct. Once those have been confirmed correct, use the debug commands to examine how the firewall handles packets for the affected subnet. Addresses that cannot pass through the firewall are usually a matter of policy configuration.

The debug commands are as follows (they show how the firewall processes packets internally):

root@SRX3600# set security flow traceoptions file flow-trace (defines the trace file name, here flow-trace)

root@SRX3600# set security flow traceoptions flag basic-datapath (captures only the device's flow-processing information)

root@SRX3600# set security flow traceoptions packet-filter debug source-prefix 10.1.10.5/32 destination-prefix 2.2.2.2/32 (defines the filter for the packets to capture)

root@SRX3600# commit (note that every configuration change must be committed), then send test traffic

root@SRX3600# run show log flow-trace (displays the captured packet information)

2.4 Fault Information Collection Commands

The SRX3000 series is equipped with a 12 GB hard disk; all log files are stored on the disk by default.

Basic firewall information collection:

SRX3600> request support information (the output is large; log it to a file)

Log files under the firewall's /var/log directory
