
SRX Configuration Guide (CLI)

Checking the configuration (operational mode)
show configuration | display set | match "<string or number to find>"

The match argument is a regular expression, so a dot in an IP address matches any single character; quote the pattern if it contains spaces or pipe characters.

Adding an address (configuration mode)

set security zones security-zone untrust address-book address 222_231_7_233 222.231.7.233/32
set security zones security-zone trust address-book address 2_2_2_2 2.2.2.2/32

These are zone-attached address books: an entry can only be referenced by policies whose from-zone (for source addresses) or to-zone (for destination addresses) owns that book. Newer Junos releases also offer a global address book (set security address-book global address <name> <prefix>); use one style consistently on a device.

Adding an address set (configuration mode)

set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 222_231_7_233
set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 218_50_1_87

Every member must already exist as an address entry in the same zone's address book, otherwise commit check fails with an unresolved reference. A set can be used in a policy anywhere a single address can.

Removing an address from an address set (configuration mode; removes only that member, not the set)

delete security zones security-zone untrust address-book address-set 1_1_1_1/2_2_2_2 address 1_1_1_1

To remove the whole set, omit the trailing "address <name>". An address or set that is still referenced by a policy cannot be deleted until the reference is removed from the policy.

Adding a scheduler (configuration mode)

set schedulers scheduler 2014_07_31_23_59 start-date 2012-08-24.00:00 stop-date 2014-07-31.23:59

A policy that references a scheduler matches traffic only inside the start/stop window, judged by the device's local clock, so keep the SRX synchronized with NTP. After the stop date the policy silently stops matching; it is not removed from the configuration.

Adding an application (custom service, configuration mode)

set applications application tcp_3659 term tcp_3659 protocol tcp
set applications application tcp_3659 term tcp_3659 source-port 1024-65535
set applications application tcp_3659 term tcp_3659 destination-port 3659-3659

source-port is optional; omitting it matches any source port. Junos ships predefined applications (junos-http, junos-ssh, junos-ping, and so on) for common services; a custom application is only needed for non-standard ports.

Adding an application set (configuration mode)

set applications application-set ping_tcp_3659 application junos-ping
set applications application-set ping_tcp_3659 application tcp_3659

Adding a policy (configuration mode)

set security policies from-zone untrust to-zone trust policy 120824001 match source-address 61_110_18_122
set security policies from-zone untrust to-zone trust policy 120824001 match destination-address 121_254_132_198
set security policies from-zone untrust to-zone trust policy 120824001 match application http_8080
set security policies from-zone untrust to-zone trust policy 120824001 then permit
set security policies from-zone untrust to-zone trust policy 120824001 then log session-close
set security policies from-zone untrust to-zone trust policy 120824001 scheduler-name 2014_07_31_23_59

The source address must exist in the untrust zone's address book and the destination address in the trust zone's address book, and http_8080 must be defined under applications (in the same way as tcp_3659 above); otherwise commit check fails. "log session-close" writes a record when a session ends; add "then log session-init" as well if you need to see sessions while they are still open. A new policy is appended at the bottom of the from-zone/to-zone list, and policies are evaluated top to bottom with the first match winning.

Changing policy order (configuration mode)

insert security policies from-zone untrust to-zone trust policy 130115001 before policy 706

(untrust to trust is the inbound direction; use "after" instead of "before" to place the policy below the reference policy.)
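
The steps above assembled into one complete inbound policy change, as an added example written for this page (it is not from the original post or from Juniper). It assumes an SRX with the untrust and trust zones already defined, an existing policy named 706 to insert before, and the interface-less five-tuple used in the match-policies check; the policy number, addresses, application http_8080 and scheduler are the ones used in the sections above. The objects are created before the policy that references them so commit check does not fail on an unresolved reference, and the commit is done with an automatic rollback window.

```junos
# --- configuration mode ---
# 1. address objects, each in the zone that its policy end lives in
set security zones security-zone untrust address-book address 61_110_18_122 61.110.18.122/32
set security zones security-zone trust address-book address 121_254_132_198 121.254.132.198/32

# 2. custom application for TCP/8080 (referenced by the policy but not defined on this page)
set applications application http_8080 term http_8080 protocol tcp
set applications application http_8080 term http_8080 destination-port 8080-8080

# 3. scheduler that bounds the policy in time
set schedulers scheduler 2014_07_31_23_59 start-date 2012-08-24.00:00 stop-date 2014-07-31.23:59

# 4. the policy: permit, log both ends of the session, time-bound
set security policies from-zone untrust to-zone trust policy 120824001 match source-address 61_110_18_122
set security policies from-zone untrust to-zone trust policy 120824001 match destination-address 121_254_132_198
set security policies from-zone untrust to-zone trust policy 120824001 match application http_8080
set security policies from-zone untrust to-zone trust policy 120824001 then permit
set security policies from-zone untrust to-zone trust policy 120824001 then log session-init
set security policies from-zone untrust to-zone trust policy 120824001 then log session-close
set security policies from-zone untrust to-zone trust policy 120824001 scheduler-name 2014_07_31_23_59

# 5. new policies land at the bottom; move it above the broader policy 706 (assumed to exist)
insert security policies from-zone untrust to-zone trust policy 120824001 before policy 706

# 6. review the diff, validate, then commit with a 5-minute automatic rollback
show | compare
commit check
commit confirmed 5

# --- operational checks, run from configuration mode with "run" ---
# policy order for this zone pair (the new policy should now sit above 706)
run show security policies from-zone untrust to-zone trust
# which policy a sample flow would hit; all five tuple fields are required
run show security match-policies from-zone untrust to-zone trust source-ip 61.110.18.122 destination-ip 121.254.132.198 source-port 40000 destination-port 8080 protocol tcp

# 7. make the confirmed commit permanent; skipping this rolls the change back after 5 minutes
commit
```

Lines starting with "#" are comments for reading or for "load set terminal"; they are not typed into the interactive CLI. If the match-policies output names policy 706 instead of 120824001, the insert did not take effect or the scheduler window is closed.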

Checking policy order (operational mode)

show security policies from-zone untrust to-zone trust
show security policies from-zone trust to-zone untrust

Listing policies

op policy.xml

"op" runs an op script; policy.xml here is a site-specific script that must first be placed under /var/db/scripts/op/ on the SRX and enabled with "set system scripts op file policy.xml". It is not a built-in Junos command; "show security policies" is the built-in equivalent.

Adding source NAT (configuration mode)

set security nat source rule-set rs_1 to zone untrust   <-- set once, when the rule-set is first created
set security nat source rule-set rs_1 rule rule_14 match source-address 172.30.148.0/24
set security nat source rule-set rs_1 rule rule_14 then source-nat pool pool_14
set security nat source pool pool_14 address 117.52.15.148/32

A source NAT rule-set also needs a "from" context (for example "set security nat source rule-set rs_1 from zone trust"); commit check reports a missing mandatory statement without it. If the pool address is on the egress interface's subnet but is not the interface's own address, add proxy-arp for it (set security nat proxy-arp interface <interface.unit> address 117.52.15.148/32), or upstream devices will never get ARP replies for the translated address. NAT does not grant access by itself: the translated traffic still needs a trust-to-untrust security policy that permits it.

Adding destination NAT (configuration mode)

set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1
set security nat destination pool dpool_1 address 192.168.10.50/32

A destination NAT rule-set needs only a "from" context. Policy lookup happens after destination NAT, so the untrust-to-trust policy that allows this traffic must match the real server address (192.168.10.50), not the public address 123.123.123.123. If 123.123.123.123 is not the address configured on the untrust interface, add proxy-arp for it on that interface.

Destination NAT with port translation (port forwarding, configuration mode)

set security nat destination pool dpool_1 address 192.168.10.50/32
set security nat destination pool dpool_1 address port 80
set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-port 33890
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1

With a port set on the pool, traffic to 123.123.123.123:33890 is delivered to 192.168.10.50:80; the port can also be given on the same line as the address (set security nat destination pool dpool_1 address 192.168.10.50/32 port 80). The matching security policy must use the post-NAT port, i.e. an application for port 80 such as junos-http, not one for 33890.
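
The source NAT and port-forwarding sections combined into one working configuration, as an added example for this page (it is not the original post's or Juniper's own configuration). It assumes ge-0/0/0.0 is the untrust interface and that 117.52.15.148 and 123.123.123.123 lie in that interface's subnet without being its own address, which is why both get proxy-arp entries (drop those lines if the addresses are the interface's own or are routed to the SRX). The addresses, pool and rule names and the static route are this page's; the rest is what the sections above leave out, namely the "from" context of the source NAT rule-set and a security policy in each direction, written against the post-NAT (real) server address and port.

```junos
# --- outbound: hide 172.30.148.0/24 behind 117.52.15.148 ---
set security nat source pool pool_14 address 117.52.15.148/32
set security nat source rule-set rs_1 from zone trust
set security nat source rule-set rs_1 to zone untrust
set security nat source rule-set rs_1 rule rule_14 match source-address 172.30.148.0/24
set security nat source rule-set rs_1 rule rule_14 then source-nat pool pool_14
# answer ARP for the pool address on the untrust interface (ge-0/0/0.0 is assumed)
set security nat proxy-arp interface ge-0/0/0.0 address 117.52.15.148/32
# return route to the internal subnet when it is not directly connected
set routing-options static route 172.30.148.0/24 next-hop 172.16.20.113
# NAT permits nothing by itself: outbound policy for the translated subnet
set security zones security-zone trust address-book address net_172_30_148_0 172.30.148.0/24
set security policies from-zone trust to-zone untrust policy out_172_30_148 match source-address net_172_30_148_0
set security policies from-zone trust to-zone untrust policy out_172_30_148 match destination-address any
set security policies from-zone trust to-zone untrust policy out_172_30_148 match application any
set security policies from-zone trust to-zone untrust policy out_172_30_148 then permit
set security policies from-zone trust to-zone untrust policy out_172_30_148 then log session-close

# --- inbound: 123.123.123.123:33890 -> 192.168.10.50:80 ---
set security nat destination pool dpool_1 address 192.168.10.50/32 port 80
set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-port 33890
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1
set security nat proxy-arp interface ge-0/0/0.0 address 123.123.123.123/32
# policy lookup runs after destination NAT: match the real address and the real port (80)
set security zones security-zone trust address-book address 192_168_10_50 192.168.10.50/32
set security policies from-zone untrust to-zone trust policy in_web_33890 match source-address any
set security policies from-zone untrust to-zone trust policy in_web_33890 match destination-address 192_168_10_50
set security policies from-zone untrust to-zone trust policy in_web_33890 match application junos-http
set security policies from-zone untrust to-zone trust policy in_web_33890 then permit
set security policies from-zone untrust to-zone trust policy in_web_33890 then log session-close

# --- review, validate, commit with automatic rollback ---
show | compare
commit check
commit confirmed 5

# --- verification (operational commands via "run") ---
run show security nat source rule all
run show security nat destination rule all
run show security nat destination pool all
# sessions to the public address; after translation the Out wing shows 192.168.10.50/80
run show security flow session destination-prefix 123.123.123.123
# make the change permanent once the translations and hit counters look right
commit
```

The two policies are deliberately narrow: the outbound one is limited to the NATed subnet and the inbound one to the real server and port 80, so a later change to the NAT pool does not silently widen what is reachable.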

Adding a static route (configuration mode)

set routing-options static route 172.30.148.0/24 next-hop 172.16.20.113

Check it with "run show route 172.30.148.0/24". The next hop must be reachable through an interface that is assigned to a security zone; transit traffic through an interface with no zone is dropped.

Checking sessions (operational mode)

show security flow session source-prefix <source-ip>
show security flow session destination-prefix <destination-ip>

Both filters accept a host address or a prefix and can be combined with others such as destination-port <port> or protocol tcp. "show security flow session summary" gives session counts without listing every session.


  • Always review what will change with show | compare, confirm it loads cleanly with commit check, and only then commit!
    show | compare
    commit check
    commit
    exit
  • For remote changes that could cut off your own access (policy reordering, NAT), use commit confirmed <minutes>: the change is rolled back automatically unless a plain commit follows within that window.