SRX防火牆基礎介紹（system層級配置）

Juniper SRX採用Junos操做系統，簡單介紹Junos的基礎操做命令：
set: 創建一個配置（set system hostname srx-test）；
delete:刪除一個配置（delete system hostname srx-test）；
commit: 創建，刪除，修改配置都須要保存配置，使生效；
commit check: 檢測候選配置的合法性；
show | compare: 查看當前配置與激活配置的區別；

system層級，用於配置防火牆系統配置，在系統配置中涉及用戶，遠程接入方式，日誌等信息的配置：

1、建立用戶（修改root用戶密碼，建立普通用戶）

1. 修改root用戶的密碼
   admin@SRX# set system root-authentication plain-text-password
   New password:
   Retype new password:

[edit]
admin@SRX#

2. 建立普通用戶
   admin@SRX# set system login user admin class super-user authentication plain-text-password
   New password:
   Retype new password:

[edit]
admin@SRX#

3. Junos默認的用戶權限
   [edit]
   admin@SRX# set system login user admin class ?
   Possible completions:
   <class> Login class
   operator permissions [ clear network reset trace view ]
   read-only permissions [ view ]
   super-user permissions [ all ]
   unauthorized permissions [ none ]
   [edit]
   admin@SRX# set system login user admin class

4. 查看用戶權限
   show cli authorization

5. 手工配置class分類，並在用戶中調試新權限
   set system login class class-test permissions all
   set system login class class-test deny-configuration "shell|configuration|request"

set system login user admin class class-test
set system login user admin authentication encrypted-password "$1$u83mA/sa$aeMk9kBBqyOLRQepJkA2.1"

admin@SRX> show cli authorization
Current user: 'admin ' class 'class-test'
Permissions:
admin -- Can view user accounts
.........
all-control -- Can modify any configuration
Individual command authorization:
Allow configuration regular expression: none
Deny configuration regular expression: shell|configuration|request

admin@SRX>

6. 默認junos遠程用戶登陸網絡不會超時，設置10分鐘超時
   set system login class super-all idle-timeout 10
   set system login user admin class super-all .....

2、SRX防火牆建立radius認證

1. SRX防火牆指定radius服務器
   set system radius-server 10.250.0.254 secret "$9$5znCO1hKMXtuMX7-2gTz3"
   set system radius-server 10.250.0.254 source-address 10.10.1.1

2. SRX防火牆指定認證順序，默認爲本地認證
   set system authentication-order radius
   set system authentication-order password

3、SRX防火牆配置NTP時間同步

1. 配置防火牆的所在地的時區
   set system time-zone Asia/Shanghai
2. 配置NTP服務器
   set system ntp boot-server 100.100.100.1
   set system ntp server 100.100.100.1 prefer
   set system ntp source-address 10.10.1.1

注：當有多個NTP Server存在是，使用prefer優先選擇

admin@SRX> set date ntp 100.100.100.1 強制NTP同步

3. 配置NTP認證
   set system ntp authentication-key 1 type md5
   set system ntp authentication-key 1 value "$9$g8aGiP5FApBk.pBIEeK4aZ"
   set system ntp server 100.100.100.1 key 1 /單個server指定認證
   set system ntp trusted-key 1 /全部Server指定認證

4. 查看NTP同步狀態
   show ntp associations
   show ntp status

4、防火牆開啓遠程訪問服務

1. 開啓防火牆服務
   set system services ftp
   set system services ssh
   set system services telnet
   set system services web-management http
   set system services web-management https system-generated-certificate

2. 對服務進行優化
   （1）FTP、Telent、SSH
   set system services ftp connection-limit 10
   set system services ftp rate-limit 10
   set system services ssh root-login deny
   set system services telnet connection-limit 10
   set system services telnet rate-limit 10

   （2）WEB
   set system services web-management management-url admin
   set system services web-management http
   set system services web-management https port 8443
   set system services web-management https system-generated-certificate
   set system services web-management https interface ge-0/0/0.0

3. 在防火牆zone下開啓全部服務的，不然不能訪問防火牆，包括（radius和ntp協議等）
   host-inbound-traffic：容許管理流量到達防火牆自身
   [edit security zones security-zone trust]
   admin@SRX# set host-inbound-traffic system-services ?
   Possible completions:
   all All system services
   bootp Bootp and dhcp relay-agent service
   dhcp Dynamic Host Configuration Protocol
   dhcpv6 Enable Dynamic Host Configuration Protocol for IPv6
   dns DNS service
   ftp FTP
   http Web management service using HTTP
   https Web management service using HTTP secured by SSL
   ike Internet Key Exchange
   ntp Network Time Protocol service
   ping Internet Control Message Protocol echo requests
   snmp Simple Network Management Protocol service
   snmp-trap Simple Network Management Protocol traps
   ssh SSH service
   telnet Telnet service
   tftp TFTP

[edit security zones security-zone trust]
admin@SRX# set host-inbound-traffic protocols ?
Possible completions:
all All protocols
bfd Bidirectional Forwarding Detection
bgp Border Gateway Protocol
dvmrp Distance Vector Multicast Routing Protocol
igmp Internet Group Management Protocol
msdp Multicast Source Discovery Protocol
nhrp Next Hop Resolution Protocol
ospf Open Shortest Path First
ospf3 Open Shortest Path First version 3
pgm Pragmatic General Multicast
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
sap Session Announcement Protocol
vrrp Virtual Router Redundancy Protocol
或者還有防火牆策略中放行

5、SNMP簡單管理協議（v2c）

1. snmp基礎配置：
   set snmp community public authorization read-only

2. snmp trap配置：
   set snmp trap-group test categories chassis
   set snmp trap-group test categories chassis-cluster
   set snmp trap-group test categories configuration
   set snmp trap-group test categories link
   set snmp trap-group test categories routing
   set snmp trap-group test categories service
   set snmp trap-group test categories startup
   set snmp trap-group test targets 100.100.100.1

6、系統日誌配置
Junos的控制日誌，能夠給日誌服務器、寫在日誌文件中、或者直接輸出在CLI中
set system syslog archive size 1m
set system syslog archive world-readable
set system syslog user * any emergency
set system syslog host 10.10.1.100 any notice
set system syslog host 10.10.1.100 authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog console any warning
set system syslog time-format year
set system syslog source-address 10.10.1.1

set system syslog file messages match "!(kernel time sync enabled)" /*過濾日誌

Junos數據平面日誌，將生成的session狀態信息發送給日誌服務器
set security log mode stream
set security log mode stream
set security log source-address 10.10.1.1
set security log stream log severity notice
set security log stream log host 10.10.1.10

7、設置console的參數set system ports console log-out-on-disconnectset system ports console disable以上爲Junos防火牆的基礎配置，請參考！