vSRX Firewall Installation and Deployment

Installation and deployment of Juniper vSRX

1. Preparation

  1. Download the Junos 15.1 .ova template from the Juniper website
  2. One server running ESXi 5.1, 5.5 or 6.0
  3. Two vMX instances acting as test PCs, and one vSRX firewall (15.1X49-D170)

2. Deploying on the server

  1. Log in to the ESXi server with vSphere Client
  2. On the logged-in screen, click File > "Deploy OVA Template"
  3. Follow the prompts and click Finish
  4. Edit the virtual machine and set the relevant parameters
  5. Start the vSRX virtual machine and wait until the login screen appears
  6. Once booted, at the login screen log in as user root with an empty password
  7. Logging in as root takes you straight to the shell; type cli to enter operational mode
  8. From operational mode, enter configuration mode by typing configuration
  9. At this point the vSRX installation is complete.

3. Building the lab topology

  1. Build the logical topology formed by the vMX, vSRX and ISP links

The vmx-1 NIC and vSRX ge-0/0/0 are on virtual network vm2
The vmx-2 NIC and vSRX ge-0/0/1 are on virtual network vm3
vSRX ge-0/0/2 and the ISP are on virtual network vm

  1. Connectivity tests:
    vmx-1 ping vsrx ge-0/0/0
    vmx-2 ping vsrx ge-0/0/1
    vsrx ge-0/0/2 ping the ISP 192.168.1.1, and ping 114.114.114.114

  2. Connectivity test between vmx-1 and vmx-2
  3. Internet access test from vmx-1 and vmx-2
  4. Control the traffic between vmx-1 and vmx-2: ping and ssh are not allowed, only telnet is allowed.

  5. View the number of hits on the firewall policies (policy match count)

Summary:
The above are the steps for deploying the vSRX firewall in a VM. Pay attention to how the vSRX NICs are bridged. The vSRX also runs Junos, so it is operated and configured exactly like a physical firewall; anyone who has worked with an SRX firewall can get up to speed on the vSRX quickly.

vSRX firewall configuration output:

--- JUNOS 15.1X49-D170.4 built 2019-02-22 23:02:01 UTC
admin@vsrx-15.1> show configuration | no-more | display set
set version 15.1X49-D170.4
set system host-name vsrx-15.1
set system root-authentication encrypted-password "$5$AUnhweol$AN5LIIlwt5sXB1OvLkrM7TpuCrAu/JLQqDmNfXuFZd5"
set system name-server 8.8.8.8
set system name-server 114.114.114.114
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$5$ibd52KZv$NvtKlvBhZ3B5.5atZT0ipKRJ/BVqMruiO1lbY1PPsS4"
set system services ssh
set system services telnet
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data
deactivate system syslog file policy_session
set system syslog file event-log any any
set system syslog file event-log archive files 1
set system syslog file event-log structured-data
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode event
set security address-book global address vmx-1 10.10.1.10/32
set security address-book global address vmx-2 10.10.2.10/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set snat from zone User1
set security nat source rule-set snat from zone User2
set security nat source rule-set snat to zone Cmcc
set security nat source rule-set snat rule 1 match source-address 10.10.1.0/24
set security nat source rule-set snat rule 1 match source-address 10.10.2.0/24
set security nat source rule-set snat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set snat rule 1 then source-nat interface
set security policies from-zone User1 to-zone Cmcc policy 1 match source-address any
set security policies from-zone User1 to-zone Cmcc policy 1 match destination-address any
set security policies from-zone User1 to-zone Cmcc policy 1 match application any
set security policies from-zone User1 to-zone Cmcc policy 1 then permit
set security policies from-zone User2 to-zone Cmcc policy 1 match source-address any
set security policies from-zone User2 to-zone Cmcc policy 1 match destination-address any
set security policies from-zone User2 to-zone Cmcc policy 1 match application any
set security policies from-zone User2 to-zone Cmcc policy 1 then permit
set security policies from-zone User1 to-zone User2 policy 2 match source-address vmx-1
set security policies from-zone User1 to-zone User2 policy 2 match destination-address vmx-2
set security policies from-zone User1 to-zone User2 policy 2 match application junos-icmp-ping
set security policies from-zone User1 to-zone User2 policy 2 match application junos-ssh
set security policies from-zone User1 to-zone User2 policy 2 then reject
set security policies from-zone User1 to-zone User2 policy 2 then log session-init
set security policies from-zone User1 to-zone User2 policy 2 then log session-close
set security policies from-zone User1 to-zone User2 policy 2 then count
set security policies from-zone User1 to-zone User2 policy 1 match source-address any
set security policies from-zone User1 to-zone User2 policy 1 match destination-address any
set security policies from-zone User1 to-zone User2 policy 1 match application any
set security policies from-zone User1 to-zone User2 policy 1 then permit
set security policies from-zone User2 to-zone User1 policy 2 match source-address vmx-2
set security policies from-zone User2 to-zone User1 policy 2 match destination-address vmx-1
set security policies from-zone User2 to-zone User1 policy 2 match application junos-icmp-ping
set security policies from-zone User2 to-zone User1 policy 2 match application junos-ssh
set security policies from-zone User2 to-zone User1 policy 2 then reject
set security policies from-zone User2 to-zone User1 policy 2 then log session-init
set security policies from-zone User2 to-zone User1 policy 2 then log session-close
set security policies from-zone User2 to-zone User1 policy 2 then count
set security policies from-zone User2 to-zone User1 policy 1 match source-address any
set security policies from-zone User2 to-zone User1 policy 1 match destination-address any
set security policies from-zone User2 to-zone User1 policy 1 match application any
set security policies from-zone User2 to-zone User1 policy 1 then permit
set security zones security-zone User1 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone User1 application-tracking
set security zones security-zone User2 interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone User2 application-tracking
set security zones security-zone Cmcc interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone Cmcc application-tracking
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.254/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.2.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.150/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
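As an added example (not part of the original post and not a Juniper tool), the script below parses the display set output above into ordered zone-pair policies and evaluates a flow the way Junos does, first match wins. Run against the page's User1 to User2 policies it returns reject for vmx-1 to vmx-2 SSH and permit for telnet, and it shows why the order matters: policy 2 (reject) must precede the permit-any policy 1, otherwise it is never reached. It assumes Python 3.8+; the sample configuration is copied from the page.

```python
import ipaddress
import re

# Constructed sample, copied from the page's vSRX "display set" output: the address book
# and the User1 -> User2 policies, with policy 2 (reject) configured before policy 1 (permit).
SAMPLE = """\
set security address-book global address vmx-1 10.10.1.10/32
set security address-book global address vmx-2 10.10.2.10/32
set security policies from-zone User1 to-zone User2 policy 2 match source-address vmx-1
set security policies from-zone User1 to-zone User2 policy 2 match destination-address vmx-2
set security policies from-zone User1 to-zone User2 policy 2 match application junos-icmp-ping
set security policies from-zone User1 to-zone User2 policy 2 match application junos-ssh
set security policies from-zone User1 to-zone User2 policy 2 then reject
set security policies from-zone User1 to-zone User2 policy 1 match source-address any
set security policies from-zone User1 to-zone User2 policy 1 match destination-address any
set security policies from-zone User1 to-zone User2 policy 1 match application any
set security policies from-zone User1 to-zone User2 policy 1 then permit
"""
ADDR_RE = re.compile(r"set security address-book global address (\S+) (\S+)")
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny|reject))")

def parse(config):
    """Return (address_book, policies); dict order is configuration order, i.e. Junos evaluation order."""
    book, policies = {}, {}
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            book[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            pol = policies.setdefault(m.group(1, 2, 3), {"source-address": set(), "destination-address": set(),
                                                         "application": set(), "action": None})
            if m.group(4):              # a "match ..." line adds one address name or application
                pol[m.group(4)].add(m.group(5))
            else:                       # a "then permit|deny|reject" line sets the action
                pol["action"] = m.group(6)
    return book, policies

def _hit(names, ip, book):
    """True if the address set contains 'any' or a named prefix that covers ip."""
    return "any" in names or any(ipaddress.ip_address(ip) in ipaddress.ip_network(book[n]) for n in names if n in book)

def evaluate(policies, book, from_zone, to_zone, src, dst, app):
    """(policy name, action) of the first matching policy, or None when nothing matches (Junos default deny)."""
    for (fz, tz, name), pol in policies.items():
        if (fz, tz) == (from_zone, to_zone) and _hit(pol["source-address"], src, book) and \
                _hit(pol["destination-address"], dst, book) and ("any" in pol["application"] or app in pol["application"]):
            return name, pol["action"]
    return None
```

Lines such as "then log session-init" and "then count" are ignored by the parser; only match terms and the permit/deny/reject action are needed to decide a flow.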

vMX-1 configuration output:
admin@vMX-1> show configuration | no-more | display set
set version 14.1R1.10
set system host-name vMX-1
set system root-authentication encrypted-password "$1$wt0dI4la$d7JtEZv8MdB/aFx2Sf0cN."
set system name-server 8.8.8.8
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$ZndUPvaG$jUKRfxwDPyKgx8GJ5wJ0M/"
set system services ftp
set system services ssh
set system services telnet connection-limit 5
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em2 unit 0 family inet address 10.10.1.10/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.1.254

vMX-2 configuration output:
admin@vMX-2> show configuration | no-more | display set
set version 14.1R1.10
set system host-name vMX-2
set system root-authentication encrypted-password "$1$A6hZKEhm$h/SdcxNgtaL0yN8NThxeu/"
set system name-server 114.114.114.114
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$HSS00OAL$KJx8HU4Ve6vTX9I.1SZWw/"
set system services ftp
set system services ssh
set system services telnet connection-limit 5
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em2 unit 0 family inet address 10.10.2.10/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.2.254
