'업무이야기/Security' 카테고리의 글 목록

업무이야기/Security

How to Deploy and Manage FortiEndpoint | Endpoint Security 2024.11.08 7
Juniper SRX(방화벽) 패스워드 초기화 2024.10.24 5
DeepFinder (웹방화벽) 2024.10.23 6
FortiGate SIP Debug 2023.05.02 1
SRX IPSec Tunnel Sample 2023.05.02
AhnLab Network Solutions 2022.11.21
FortiGate FSSO 설정 2022.08.10
Juniper SRX Cluster configuration 2021.08.26 2

How to Deploy and Manage FortiEndpoint | Endpoint Security

쫑콩아빠 2024. 11. 8. 08:55

2024. 11. 8. 08:55

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX(방화벽) 패스워드 초기화 (5)	2024.10.24
DeepFinder (웹방화벽) (6)	2024.10.23
FortiGate SIP Debug (1)	2023.05.02
SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21

Juniper SRX(방화벽) 패스워드 초기화

쫑콩아빠 2024. 10. 24. 09:55

2024. 10. 24. 09:55

To resolve the issue, use the following procedure to recover the root password for SRX Branch devices running on Junos release versions 10.0R1, 10.0R2, and 10.1R1. This involves disabling watchdog functionality to allow the system to properly boot into single-user mode.

Press the power button on the front panel to power on the router.  Verify that the POWER LED on the front panel turns green. The console should continuously display the boot message.
When the prompt appears, press the spacebar to access the router’s bootstrap loader and type these commands:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog disable
Loader> boot –s

The firewall starts up in single-user mode. In single-user mode, a multiuser operating system such as Junos boots into a single superuser. Single-use mode is mainly used for maintenance of multi-user environments such as network servers.
At the prompt, enter " recovery " to start the root password recovery procedure.
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
The device directly enters operational mode without asking for an user ID or password..
Starting CLI ...

root@host> edit

When in configuration mode, set the root password.
root@host# set system root-authentication plain-text-password
On pressing the return key, type in the new root password.  Reenter the new root password when the second prompt appears.

New password: juniper1
Retype new password: juniper1
Commit the changes.
root@host# commit
commit complete
Reboot the device again.
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

The boot messages display on the console.
Press the spacebar one time, to access the router’s bootstrap loader prompt. This sequence appears on the console:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog enable
Loader> boot
The device reboots again and this time it asks for an user ID and password.  Enter the newly configured password.
Wed Jun 16 14:20:21 UTC 2010
Amnesiac (ttyu0)
login: root
Password: juniper1
For more information, refer to PR499745 .

Modification History
2019-08-28: Article reviewed for accuracy. Only applicable on the specific versions
request system zeroize    공장초기화
리부팅
set system root-authentication plain-text-password
commit
show system chassis       ,, J 대문자 Juniper
set chassis cluster disable reboot   이중화 종료
delete interfaces vlan unit 0 family inet address 192.168.1.222/24
root# show | display set
request system power-off at now    시스템 종료

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

How to Deploy and Manage FortiEndpoint \| Endpoint Security (7)	2024.11.08
DeepFinder (웹방화벽) (6)	2024.10.23
FortiGate SIP Debug (1)	2023.05.02
SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21

DeepFinder (웹방화벽)

쫑콩아빠 2024. 10. 23. 10:11

2024. 10. 23. 10:11

DeepFinder 는 H/W, Proxy, Reverse Proxy 웹방화벽의 SSL 처리 방식과 달라 가속기 등의 추가 구매 없이, 성능/속도 저하없이 SSL 트래픽을 필터링합니다.
Cloud 시대에 어플라이언스 타입의 WAF가 해결하기 어려운 부분을 쉽게 구성할 수 있다.
기존 WAF의 운영에서 불편한 인증서 관리가 필요 없고 SSL암복호화 수행을 따로 하지 않기 때문에 리소스의 저하도 발생 하지 않는다.

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

How to Deploy and Manage FortiEndpoint \| Endpoint Security (7)	2024.11.08
Juniper SRX(방화벽) 패스워드 초기화 (5)	2024.10.24
FortiGate SIP Debug (1)	2023.05.02
SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21

FortiGate SIP Debug

쫑콩아빠 2023. 5. 2. 08:28

2023. 5. 2. 08:28

FortiGate SIP Debug

Please refer to the debugging SIP and provide us the output.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/debug-setting.htm

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/debug-log.htm

Additionally, you can run a debug flow between the src and dst IP addresses:

diag debug console timestamp enable

diag debug flow show console en

diag debug flow show function-name en

diag debug flow filter saddr

diag debug flow filter daddr

diag debug en

diag debug flow trace start 200

Once the debugs are collected, you can disable all the above with:

diag debug appl sip 0

diag debug flow filter clear

diag debug flow trace stop

diag debug disable

diag debug reset

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX(방화벽) 패스워드 초기화 (5)	2024.10.24
DeepFinder (웹방화벽) (6)	2024.10.23
SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21
FortiGate FSSO 설정 (0)	2022.08.10

SRX IPSec Tunnel Sample

쫑콩아빠 2023. 5. 2. 08:26

2023. 5. 2. 08:26

SRX IPSec Tunnel Sample

root@SRX_Test# show | display set | no-more

set version 15.1X49-D90.7

set system host-name SRX_Test

set system root-authentication encrypted-password "$5$ZZrR8Xx5$ZPpG6X5ugNL7s0dHqj.URP4v6YhfzLqkDk3TrtfWHh8"

set system name-server 8.8.8.8

set system login user isd uid 2001

set system login user isd class super-user

set system login user isd authentication encrypted-password "$5$7i/tv6W2$eU0ilDNMbZQhZHff4gUFbtqTFIwigO3SiY8yqpD/.n0"

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys

set security ike proposal IKE-PROPOSAL dh-group group5

set security ike proposal IKE-PROPOSAL authentication-algorithm sha1

set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc

set security ike proposal IKE-PROPOSAL lifetime-seconds 28800

set security ike policy IKE-POLICY mode main

set security ike policy IKE-POLICY proposals IKE-PROPOSAL

set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$-nd4aJGiqPQdbmTQ3tp0BIhlM7Nbg4Z8L2aZU.mcylvNd"

set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY

set security ike gateway VPN-GATEWAY address 10.1.2.201

set security ike gateway VPN-GATEWAY dead-peer-detection interval 10

set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1

set security ike gateway VPN-GATEWAY nat-keepalive 10

set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0

set security ipsec proposal IPSEC-PROPOSAL protocol esp

set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96

set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc

set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400

set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5

set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

set security ipsec vpn IPSEC-VPN bind-interface st0.1

set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY

set security ipsec vpn IPSEC-VPN ike proxy-identity local 172.15.0.0/24

set security ipsec vpn IPSEC-VPN ike proxy-identity remote 172.15.1.0/24

set security ipsec vpn IPSEC-VPN ike proxy-identity service any

set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY

set security ipsec vpn IPSEC-VPN establish-tunnels immediately

set security flow tcp-mss ipsec-vpn mss 1350

set security nat source rule-set src-nat from zone trust

set security nat source rule-set src-nat to zone untrust

set security nat source rule-set src-nat rule r1 match source-address 0.0.0.0/0

set security nat source rule-set src-nat rule r1 then source-nat interface

set security forwarding-process enhanced-services-mode

set security policies from-zone trust to-zone untrust policy permit-all match source-address any

set security policies from-zone trust to-zone untrust policy permit-all match destination-address any

set security policies from-zone trust to-zone untrust policy permit-all match application any

set security policies from-zone trust to-zone untrust policy permit-all then permit

set security policies from-zone trust to-zone vpn policy permit-all match source-address any

set security policies from-zone trust to-zone vpn policy permit-all match destination-address any

set security policies from-zone trust to-zone vpn policy permit-all match application any

set security policies from-zone trust to-zone vpn policy permit-all then permit

set security policies from-zone vpn to-zone trust policy permit-all match source-address any

set security policies from-zone vpn to-zone trust policy permit-all match destination-address any

set security policies from-zone vpn to-zone trust policy permit-all match application any

set security policies from-zone vpn to-zone trust policy permit-all then permit

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone vpn interfaces st0.1

set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.115/24

set interfaces ge-0/0/1 unit 0 family inet address 172.15.0.1/24

set interfaces st0 unit 1 family inet

set routing-options static route 0.0.0.0/0 next-hop 10.1.2.1

set routing-options static route 172.15.1.0/24 next-hop st0.1

[edit]

root@SRX_Test# run show security ike sa

Index State Initiator cookie Responder cookie Mode Remote Address

6299423 UP f51982a09b260851 3fcd24f6bec6f419 Main 10.1.2.201

6299424 UP 25885c239e958271 92d1dde980db90c8 Main 10.1.2.201

[edit]

root@SRX_Test# run show security ipsec sa

Total active tunnels: 1

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201

>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201

[edit]

root@SRX_Test#

======================================================================================================================================================

FWF90D3Z13006231 # get vpn ipsec tunnel details

gateway

name: 'VPN-GW'

type: route-based

local-gateway: 10.1.2.201:0 (static)

remote-gateway: 10.1.2.115:0 (static)

mode: ike-v1

interface: 'wan1' (6)

rx packets: 0 bytes: 0 errors: 0

tx packets: 0 bytes: 0 errors: 7870

dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0

selectors

name: 'VPN-TUNNEL'

auto-negotiate: disable

mode: tunnel

src: 0:172.15.1.0/255.255.255.0:0

dst: 0:172.15.0.0/255.255.255.0:0

lifetime/rekey: 86400/79426

mtu: 1446

tx-esp-seq: 1

replay: enabled

inbound

spi: 46f0dfb7

enc: 3des 6b1ddb0ba8c46a879e22dd055ae0c5b643983f4d68d72ff1

auth: sha1 ce45021dbfac556674600ff9cb08faf7d942d48f

outbound

spi: 44d00f02

enc: 3des aa81515e22c7e8eefce24d6ff740b1b3c4cec463d6dd15b5

auth: sha1 69dff90febd00f5d4e64637c73dec32527ddbba7

NPU acceleration: none

FWF90D3Z13006231 #

FWF90D3Z13006231 # get vpn ip tunnel summary

'VPN-GW' 10.1.2.115:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/7902

FWF90D3Z13006231 # get ipsec tunnel list

NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT

VPN-GW 10.1.2.115:0 172.15.1.0/255.255.255.0 172.15.0.0/255.255.255.0 up 79367

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

DeepFinder (웹방화벽) (6)	2024.10.23
FortiGate SIP Debug (1)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21
FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Cluster configuration (2)	2021.08.26

AhnLab Network Solutions

쫑콩아빠 2022. 11. 21. 09:53

2022. 11. 21. 09:53

상세설명 --->>>> http://blog.naver.com/uctTrusGuard - Firewall, IPS, Application Control, VPN, Anti-Virus/Spam,C&C 탐지 및 차단 등 다양한 보안 기능을 제공하는차세대 네트워크 통합 보안 시스템입니다.

Ucontech : 네이버 블로그

제품 문의 & 기술 문의 Tel: 02-780-6002 Fax: 02-6008-6111 ucontech@ucontech.com www.ucontech.com

blog.naver.com

TrusGuard IPX - 안랩의 강력한 보안 위협 대응 기술력과 독보적인 인프라가 응집된 최고의 네트워크 침입방지 솔루션입니다.

TrusGuard DPX - 안랩의 특별한 DDoS 방어 프로세스로 DDoS 공격 패러다임의 변화에 종합적으로 대응합니다.

TMS - 빅데이터 이벤트 처리 기반 심층적인 위협분석과 네트워크 보안 제품의 효율적인 통합 정책 관리를 제공하는 차세대 네트워크 통합 보안 관리 솔루션입니다.

TSM - 다수의 네트워크 보안 관리 장비에 대한 정책 설정 및 통합 모니터링 환경을 제공하는 차세대 네트워크보안 통합 관리 솔루션입니다.

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

FortiGate SIP Debug (1)	2023.05.02
SRX IPSec Tunnel Sample (0)	2023.05.02
FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Cluster configuration (2)	2021.08.26
Juniper SRX Policy-Based IPSec VPN (0)	2021.08.26

FortiGate FSSO 설정

쫑콩아빠 2022. 8. 10. 10:30

2022. 8. 10. 10:30

# Windows Server 2016의 AD를 사용

# FortiGate 200D v6.0.14build0457(GA) 사용

# Security Fabric/Fabric Connectors

# 사용자 또는 그룹을 선택

# User & Device\User Group 추가

# FortiGate Policy

# Client OS에서 도메인을 통한 로그인 설정

# FortiGate에서 도메인을 통한 로그인 확인

# 정책 테스트

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21
Juniper SRX Cluster configuration (2)	2021.08.26
Juniper SRX Policy-Based IPSec VPN (0)	2021.08.26
Juniper SRX Routed-Based IPSec VPN (0)	2021.08.26

Juniper SRX Cluster configuration

쫑콩아빠 2021. 8. 26. 09:23

2021. 8. 26. 09:23

- Node 0
# set chassis cluster cluster-id 1 node 0 reboot
- Node 1
# set chassis cluster cluster-id 1 node 1 reboot

set groups node0 system host-name srx1500-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.16.35.46/24
set groups node1 system host-name srx1500-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.16.35.47/24
set groups node0 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set groups node1 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-7/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster reth-count 2
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set security zones security-zone Untrust interfaces reth1.0
set security zones security-zone Trust interfaces reth0.0

Verification
>show chassis cluster status
>show chassis cluster interfaces
>show chassis cluster statistics
>clear chassis cluster statistics
>show chassis cluster control-plane statistics
>show chassis cluster data-plane statistics
>show chassis cluster status redundancy-group 1
>show chassis cluster information configuration-synchronization
> show log jsrpd
>show log chassisd
>show log messages
>show log dcd
>show traceoptions

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

AhnLab Network Solutions (0)	2022.11.21
FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Policy-Based IPSec VPN (0)	2021.08.26
Juniper SRX Routed-Based IPSec VPN (0)	2021.08.26
DefensePro CLI (0)	2021.04.26

PREV 이전 1 2 3 4 ···11 NEXT 다음

쫑콩아빠의 지금 이 순간...