Juniper SRX (Junos OS) Initial Setup (CLI Mode)


This example uses a Juniper SRX100 to demonstrate the initial setup procedure.
The purpose of initial setup is to give the device a basic configuration so that the SRX firewall can reach the Internet and provide basic security protection.

Initial setup is required in the following situations:
1. You have just received a newly purchased Juniper SRX security device.
2. The device has been reset to factory defaults.
For how to reset an SRX firewall to factory defaults, refer to the following links:




If you have no backup configuration file, you can simply modify the factory default configuration, which keeps the initial setup short:
First log in through the CLI, enter configuration mode, and then follow the steps below:
/** Remove the Setup Wizard **/
After a factory reset, the SRX forces you into the Setup Wizard when you log in to J-Web because the configuration contains these four lines:
set system autoinstallation delete-upon-commit
set system autoinstallation traceoptions level verbose
set system autoinstallation traceoptions flag all
set system autoinstallation interfaces fe-0/0/0 bootp
Deleting them prevents the Setup Wizard from starting, so you land directly on the normal J-Web configuration pages:
root@srx100# delete system autoinstallation
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100#


/*** Create a local system account ***/
By default, Junos does not allow the root account to log in over telnet, but root can log in to the SRX through the console, the web UI (http/https), or ssh.
Note that telnet transmits everything in cleartext with no encryption, so an attacker who captures the session can recover the account name and password; that is why root is barred from telnet. In addition, root is the well-known highest-privilege account on Juniper SRX (Junos OS) devices and cannot be renamed, which makes it an obvious target for password brute-forcing. For safety, the usual practice is to disable root for remote management and create a separate account with administrative privileges instead; longer and more complex passwords and a limit on failed login attempts are also necessary.
root@srx100# set system login user admin class super-user authentication plain-text-password
New password:    /** Enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password:    /** Retype the new password to confirm **/
[edit]
root@srx100#

/*** Create the local system account "admin" (the user name can be chosen as needed), assign administrator privileges and set a password ***/
Class          Description
super-user     All permissions. The same privileges as the root account; every operation is allowed.
operator       Clear, reset, trace and view permissions. Can run clear commands and restart processes; show commands are also allowed.
read-only      View permissions. Cannot change or clear the configuration; only show commands are allowed.
unauthorized   No permissions.

For more on login security for Juniper SRX firewalls, refer to the following links:




/** Set the device host name srx100 **/
root@srx100# set system host-name srx100


/** Configure the WAN port IP address **/
The factory configuration leaves the WAN interface fe-0/0/0.0 without any settings, so we can do one of the following:
1. Assign a static IP address directly to the external (WAN) interface
Use this when you host servers and have a fixed IP address from your ISP (for example Chunghwa Telecom).
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet   /** Clear any existing configuration on the interface first, so that commit does not report an error **/
root@srx100# set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
When the WAN interface has a static address you must also configure a default route to the public network, otherwise the device cannot reach the Internet. The following command sends all traffic without a more specific route (0.0.0.0/0) to 172.16.200.1 (an example value; this is normally the gateway IP of the Chunghwa Telecom modem).
root@srx100# set routing-options static route 0.0.0.0/0 next-hop 172.16.200.1

2. Or obtain a dynamic IP address for the WAN interface via DHCP
Use this when you do not host servers and have a dynamic (floating) IP address from your ISP (for example Chunghwa Telecom).
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet
root@srx100# set interfaces fe-0/0/0 unit 0 family inet dhcp


/** Configure DNS servers **/
Reaching a web site by name relies on DNS servers to translate the host name into an IP address.
The factory default DNS servers are:
set system name-server 208.67.222.222
set system name-server 208.67.220.220
We can change them to the DNS servers of Chunghwa Telecom, the largest local ISP, for faster lookups:
root@srx100# delete system name-server
root@srx100# set system name-server 168.95.1.1
root@srx100# set system name-server 168.95.192.1
root@srx100# commit


/** Configure time servers **/
Configuring time servers (NTP) lets the SRX firewall synchronize its clock automatically with remote time servers, so the device always keeps accurate time.
Set the time zone (note that Junos reads GMT+8 in the POSIX sense, as Etc/GMT+8, which is eight hours behind UTC; for Taiwan local time the baseline section below uses Asia/Taipei instead):
root@srx100# set system time-zone GMT+8
We can use the time servers of Chunghwa Telecom, the largest local ISP:
root@srx100# set system ntp server 118.163.81.61
root@srx100# set system ntp server 118.163.81.62
root@srx100# set system ntp server 118.163.81.63



Finally, we can collect the commands above and paste them all at once into the Juniper SRX100 console, which saves a lot of time:
load factory-default
delete system autoinstallation
set system host-name srx100
set interfaces fe-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit

This completes the CLI-mode initial setup.



If your device is an SRX210, change fe-0/0/0 to ge-0/0/0 and fe-0/0/1 to ge-0/0/1 in the commands above, because on the SRX210 interfaces 0/0/0 and 0/0/1 are Gigabit Ethernet (ge) ports, not Fast Ethernet (fe) ports.
For a Juniper SRX210 the commands therefore become:
load factory-default
delete system autoinstallation
set system host-name srx210
set interfaces ge-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit


The following is a demonstration:

Below is the console output after pasting the commands:
[edit]
root@srx100#

[edit]
root@srx100# load factory-default
: activating factory configuration
delete system autoinstallawarning
set system host-name srx100
set interfaces fe-0/0/0 unit 0 family inet dhcp
delete system name-server
set system name-server 168.95.1.1
set system name-server 168.95.192.1
set system time-zone GMT+8
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
commit

[edit]
root@srx100# delete system autoinstallation

[edit]
root@srx100# set system host-name srx100

[edit]
root@srx100# set interfaces fe-0/0/0 unit 0 family inet dhcp

[edit]
root@srx100# delete system name-server

[edit]
root@srx100# set system name-server 168.95.1.1

[edit]
root@srx100# set system name-server 168.95.192.1

[edit]
root@srx100# set system time-zone GMT+8

[edit]
root@srx100# set system ntp server 118.163.81.61

[edit]
root@srx100# set system ntp server 118.163.81.62

[edit]
root@srx100# set system ntp server 118.163.81.63

[edit]
root@srx100# set system root-authentication plain-text-password
New password:      /** enter the password **/
Retype new password:      /** confirm the password **/

[edit]
root@srx100# set system login user admin class super-user authentication plain-text-password
New password:      /** enter the password **/
Retype new password:      /** confirm the password **/

[edit]
root@srx100# commit
commit complete

[edit]
root@srx100#



Below is the complete configuration file produced by the commands above:
system {
    host-name srx100;
    time-zone GMT+8;
    root-authentication {
        encrypted-password "$1$WYqJj0DN$E3ES7ZPdQhR3HbEEQWzB9.";
    }
    name-server {
        168.95.1.1;
        168.95.192.1;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$vsObgzb/$AOkcK.lrt46WDIP9aCvcK1";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 118.163.81.61;
        server 118.163.81.62;
        server 118.163.81.63;
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}





Fully manual initial configuration
The setup above reuses the factory default configuration for CLI-mode initialization, which is quick and simple. Alternatively, we can delete the entire system configuration and build the network environment we need from scratch. In CLI configuration mode enter the following:
root@srx100# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root@srx100# show    ## check that the configuration is now empty

[edit]
root@srx100# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100#




System baseline configuration
Initial setup gives the system a baseline configuration so that it can be operated normally (host name, interface IP addresses, security zones, and so on): local or remote computers can log in to the device via telnet, ssh or the web UI, and hosts behind the device can reach the Internet.
________________________________________________________________

/*** Set the device host name "srx100" ***/
root@srx100# set system host-name srx100


/*** Set the system time zone ***/
root@srx100# set system time-zone Asia/Taipei


/*** Set the password of the default root account; the system does not allow the "root" account name to be changed ***/
set system root-authentication plain-text-password
New password:      /** Enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password:     /** Retype the new password to confirm **/
Note: the root account cannot be used over telnet, but it can log in to the device through the console, the web UI, or ssh.


/*** Create a local system account ***/
Create a local system account "admin", assign administrator privileges and set a password.
There are two ways to do this. The first:
set system login user admin uid 200
set system login user admin class super-user
set system login user admin authentication encrypted-password "srx100"
The second:
set system login user admin class super-user authentication plain-text-password
New password:      /** Enter the new password; it must be at least six characters and contain both letters and digits **/
Retype new password:     /** Retype the new password to confirm **/
Class          Description
super-user     All permissions. The same privileges as the root account; every operation is allowed.
operator       Clear, reset, trace and view permissions. Can run clear commands and restart processes; show commands are also allowed.
read-only      View permissions. Cannot change or clear the configuration; only show commands are allowed.
unauthorized   No permissions.


/*** Configure the Chunghwa Telecom DNS server so that host names can be resolved to real IP addresses ***/
set system name-server 168.95.1.1


/*** Configure NTP servers so that the SRX can synchronize its clock over the network ***/
set system ntp server 118.163.81.61
set system ntp server 118.163.81.62
set system ntp server 118.163.81.63


/*** Configure the syslog host that receives system event logs ***/
set system syslog host 192.168.1.11 any any


/*** Define how many committed configuration versions may be kept in flash (0..49) ***/
set system max-configuration-rollbacks 15   /** number of rollbacks allowed **/
set system max-configurations-on-flash 49   /** number of configuration files kept in flash **/


/*** Define the internal (LAN) interfaces, define the security zone and add the interfaces to it; choose interfaces according to your needs ***/
/*** Add the interfaces to vlan.0 ***/
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust


/*** Assign the LAN gateway IP address to vlan.0 ***/
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0


/*** Add vlan.0 to the trust zone and allow all system services and protocols inbound on the LAN interface ***/
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all


/*** Make the vlan.0 LAN gateway a DHCP server and define the address range handed out to LAN hosts ***/
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.0


/*** Assign a static IP address directly to the WAN interface ***/ (choose one of the two options)
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
/*** Set the default route to the public network; required when the WAN interface has a static IP address ***/
set routing-options static route 0.0.0.0/0 next-hop 172.16.200.1
/*** Or obtain a dynamic IP address for the WAN interface via DHCP ***/ (choose one of the two options)
set interfaces fe-0/0/0 unit 0 family inet dhcp


/*** Configure the management services (ssh, telnet, http, https) ***/
set system services telnet
set system services ssh
set system services ssh root-login allow
set system services ftp
set system services netconf ssh


/*** Configure the http/https web management service; only the vlan.0 and fe-0/0/0.0 interfaces may be used for http/https ***/
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/0.0
The five commands above are equivalent to the following (the https certificate statement sits directly under https, not under interface):
root@srx100# edit system services web-management
[edit system services web-management]
root@srx100# set http interface vlan.0
[edit system services web-management]
root@srx100# set http interface fe-0/0/0.0
[edit system services web-management]
root@srx100# set https system-generated-certificate
[edit system services web-management]
root@srx100# set https interface vlan.0
[edit system services web-management]
root@srx100# set https interface fe-0/0/0.0
[edit system services web-management]
root@srx100# top


/*** Add the interface to the security zone and specify which services the WAN interface accepts ***/
/*** The WAN interface fe-0/0/0.0 can receive DHCP messages, be pinged, and accept web UI logins for managing the device from the outside ***/
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
The four commands above are equivalent to:
edit security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services
set dhcp
set http
set https
set ping
top


/*** Configure the source NAT rule that translates internal addresses to the external IP so that LAN hosts can reach the Internet ***/
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
The four commands above are equivalent to:
edit security nat source rule-set trust-to-untrust
set from zone trust
set to zone untrust
set rule source-nat-rule match source-address 0.0.0.0/0
set rule source-nat-rule then source-nat interface
top


/*** Configure the basic policy that allows the LAN to reach the Internet freely ***/
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
The four commands above are equivalent to:
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set match source-address any
set match destination-address any
set match application any
set then permit
top


This completes the system baseline configuration: the firewall's fe-0/0/0 port is the WAN interface connected to the Internet, while fe-0/0/1 to fe-0/0/7 are the LAN interfaces. The LAN can reach the Internet and manage the device freely, while from the WAN side only the http and https services are exposed for management.
If your device is an SRX210, change fe-0/0/0 to ge-0/0/0 and fe-0/0/1 to ge-0/0/1 in the commands above, because on the SRX210 interfaces 0/0/0 and 0/0/1 are Gigabit Ethernet (ge) ports, not Fast Ethernet (fe) ports.


Below is the configuration file produced by the CLI commands above:
system {
    host-name srx100;
    time-zone Asia/Taipei;
    root-authentication {
        encrypted-password "$1$sp75icQ0$R40jIhcciJZ6H6MKu.Gni.";
    }
    name-server {
        168.95.1.1;
    }
    login {
        user admin {
            uid 200;
            class super-user;
            authentication {
                encrypted-password srx100;
            }
        }
    }
    services {
        ftp;
        ssh {
            root-login allow;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http {
                interface [ vlan.0 fe-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 fe-0/0/0.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.11 high 192.168.1.200;
                propagate-settings vlan.0;
            }
        }
    }
    syslog {
        host 192.168.1.1 {
            any any;
        }
        host 192.168.1.11 {
            any any;
        }
    }
    max-configuration-rollbacks 15;
    max-configurations-on-flash 49;
    ntp {
        server 118.163.81.61;
        server 118.163.81.62;
        server 118.163.81.63;
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.200.1;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            http;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
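As an added example (not code from the original post or from Juniper), here is a small Python audit that flattens a Junos configuration like the ones shown above into set-style paths and flags the management-plane exposures this guide discusses: telnet and ftp, root login over ssh, J-Web reachable on the WAN interface, and an encrypted-password value that is not actually a hash. Its sample configuration is a constructed excerpt modelled on the baseline config, with a placeholder hash.

```python
import re

def junos_paths(text):
    # Flatten a curly-brace Junos config into "display set"-style paths (without "set ").
    text = re.sub(r"/\*.*?\*/|##[^\n]*", "", text, flags=re.S)      # drop comments/annotations
    toks = re.findall(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]]+', text)
    paths, stack, cur, lst = set(), [], [], None
    for t in toks:
        t = t.strip('"')                                             # "$1$..." -> $1$...
        if t == "{":
            stack.append(" ".join(cur))
            cur = []
        elif t == "}":
            stack.pop()
        elif t == "[":
            lst = []
        elif t == "]":                                               # key [ a b ]; -> one path per item
            paths.update(" ".join(stack + cur + [i]) for i in lst)
            lst, cur = None, []
        elif t == ";":
            if cur:
                paths.add(" ".join(stack + cur))
            cur = []
        elif lst is not None:
            lst.append(t)
        else:
            cur.append(t)
    return paths

RISKY_PATHS = {  # exact paths that weaken the management plane of an SRX
    "system services telnet": "telnet enabled: cleartext logins",
    "system services ftp": "ftp enabled: cleartext file transfer",
    "system services xnm-clear-text": "xnm-clear-text enabled: unencrypted Junoscript",
    "system services ssh root-login allow": "ssh root-login allow: root reachable remotely",
}

def audit(text):
    paths = junos_paths(text)
    findings = [msg for p, msg in RISKY_PATHS.items() if p in paths]
    untrust = {p.split()[5] for p in paths if p.startswith("security zones security-zone untrust interfaces ")}
    for p in sorted(paths):
        # J-Web bound to an interface that sits in the untrust zone (the WAN port)
        m = re.match(r"system services web-management (https?) interface (\S+)$", p)
        if m and m.group(2) in untrust:
            findings.append(f"{m.group(1)} management on untrust interface {m.group(2)}")
        # untrust zone admits management services from the Internet side
        m = re.match(r"security zones security-zone untrust interfaces (\S+) "
                     r"host-inbound-traffic system-services (http|https|telnet|ssh|ftp|all)$", p)
        if m:
            findings.append(f"untrust accepts {m.group(2)} on {m.group(1)}")
        # encrypted-password must be a crypt hash ($1$/$5$/$6$); a bare word is stored as-is
        m = re.match(r"system (root-authentication|login user (\S+) authentication) "
                     r"encrypted-password (\S+)$", p)
        if m and not re.match(r"\$[156]\$", m.group(3)):
            findings.append(f"non-hash encrypted-password for {m.group(2) or 'root'}")
    return findings

# Constructed excerpt modelled on the baseline config above (the hash is a placeholder).
SAMPLE = """
system {
    root-authentication { encrypted-password "$1$example$placeholder.hash.value"; }
    login { user admin { class super-user; authentication { encrypted-password srx100; } } }
    services {
        ftp; telnet; ssh { root-login allow; }
        web-management { http { interface [ vlan.0 fe-0/0/0.0 ]; } https { interface vlan.0; } }
    }
}
security { zones { security-zone untrust { interfaces { fe-0/0/0.0 {
    host-inbound-traffic { system-services { dhcp; http; https; ping; } } } } } } }
"""
```

audit(SAMPLE) returns seven findings for this excerpt; the last one matters for the first account-creation method above, because Junos stores whatever string is given to encrypted-password as the hash itself, so only a real hash (not the literal "srx100") yields a working password.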


You can also refer to the following links:

