Juniper SRX system default policy configuration
What is the system-default policy?
The system-default policy applies to the whole device and has only two possible actions, deny-all or permit-all; the default is deny-all. That is why traffic between different zones does not flow until you explicitly permit it with a security policy. Setting the system-default policy to permit-all defeats the purpose of the firewall; the only reasonable use is a short troubleshooting window in which you want to confirm whether a traffic failure is caused by policy configuration, after which you set it back to deny-all.
Default Security Policies
On the SRX devices, system-default and factory-default security policies are implemented as follows:
System-Default Security Policy
By default, Junos denies all traffic through an SRX Series device (the system-default policy is deny-all). In fact, an implicit default security policy exists that denies all packets. You can change this behavior by configuring a standard security policy that permits certain types of traffic. The implicit default policy can be changed to permit all traffic with the 'set security policies default-policy' command; however, this is not recommended.
Factory-Default Security Policies
The factory-default template configuration file in branch security platforms has three preconfigured security policies (not to be confused with the system-default security policy discussed in the previous paragraph):
1. Trust-to-trust zone policy: Denies all intrazone traffic within the trust zone
2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone
3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.
These can be displayed with the 'show security policies' command:
root@> show security policies | no-more
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: trust-to-untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
Note: The device output in the above command is based on the Junos 12.1X44 release. This particular output lists only the trust-to-untrust policy, so check what your own platform's factory-default configuration actually contains with 'show security policies' rather than assuming all three policies are present.
root# show security policies default-policy        ## display the current system-default policy action
root# set security policies default-policy ?       ## set the system-default policy action
Possible completions:
  deny-all    Deny all traffic if no policy match    ## deny-all: anything not explicitly permitted by a policy is dropped. This is the default.
  permit-all  Permit all traffic if no policy match  ## permit-all: anything not explicitly denied by a policy is allowed.
Example:
root@srx100-a# show security policies default-policy
## nothing is shown because the value has not been set explicitly; the default is deny-all
{primary:node0}[edit]
root@srx100-a# set security policies default-policy permit-all   ## permit-all: anything not explicitly denied by a policy is allowed
{primary:node0}[edit]
root@srx100-a# show security policies default-policy
permit-all;
{primary:node0}[edit]
root@srx100-a# set security policies default-policy deny-all     ## after setting permit-all, remember to set it back to deny-all
{primary:node0}[edit]
root@srx100-a# show security policies default-policy
deny-all;
{primary:node0}[edit]
root@srx100-a#
If you do flip the default policy to permit-all for troubleshooting, commit the change with 'commit confirmed' so that Junos rolls it back automatically unless you confirm it within the timeout; that limits the exposure if you forget to restore deny-all.
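Because the risk here is a permit-all default that is forgotten after troubleshooting, a practitioner will want a way to audit saved 'show security policies' output for it. The following Python script is an added example, not code from the original page or from Juniper; it parses output in the format shown above and flags a non-deny-all default policy and any enabled policy that permits any source, any destination and any application. The sample output embedded in it is constructed (the zone pair untrust-to-trust, the policy name allow-web, the address book entry dmz-web and the application list are assumptions for illustration), modelled on the 12.1X44-style output on this page.

```python
"""Audit a saved `show security policies` text dump from a Juniper SRX.

Two findings a reviewer wants after a troubleshooting session:
  1. the system-default policy left at permit-all instead of deny-all
  2. explicit policies that permit any source, any destination, any application
"""
import re

# Constructed sample (not captured from a real device), modelled on the
# 12.1X44-style output format shown on the page, with the default policy
# deliberately left at permit-all and a second, assumed zone pair for contrast.
SAMPLE_OUTPUT = """\
Default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust-to-untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: allow-web, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: dmz-web
    Applications: junos-http, junos-https
    Action: permit
"""

# Field labels as printed by the CLI, mapped to the keys used below.
LIST_FIELDS = {
    "Source addresses": "src",
    "Destination addresses": "dst",
    "Applications": "apps",
}


def parse_policies(text):
    """Return (default_policy, policies) from `show security policies` output.

    Each policy is a dict with name, state, from/to zone, the matched
    source/destination/application lists and the action.
    """
    default_policy = None
    policies = []
    from_zone = to_zone = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Default policy:\s*(\S+)", line)
        if m:
            default_policy = m.group(1)
            continue
        m = re.match(r"From zone:\s*(\S+),\s*To zone:\s*(\S+)", line)
        if m:
            from_zone, to_zone = m.groups()
            continue
        m = re.match(r"Policy:\s*([^,]+),\s*State:\s*(\w+)", line)
        if m:
            current = {"name": m.group(1), "state": m.group(2),
                       "from": from_zone, "to": to_zone,
                       "src": [], "dst": [], "apps": [], "action": None}
            policies.append(current)
            continue
        if current is None:
            continue
        label, _, value = line.partition(":")
        if label in LIST_FIELDS:
            current[LIST_FIELDS[label]] = [v.strip() for v in value.split(",")]
        elif label == "Action":
            current["action"] = value.strip()
    return default_policy, policies


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    default_policy, policies = parse_policies(text)
    findings = []
    if default_policy != "deny-all":
        findings.append(
            f"system default policy is {default_policy}, expected deny-all")
    for p in policies:
        wide_open = (p["action"] == "permit"
                     and p["src"] == ["any"]
                     and p["dst"] == ["any"]
                     and p["apps"] == ["any"])
        if wide_open and p["state"] == "enabled":
            findings.append(
                f"{p['from']}->{p['to']} policy {p['name']} permits any/any/any")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print("FINDING:", finding)
```

Run it against the text of 'show security policies | no-more' saved from the device; the any/any/any check also flags the factory trust-to-untrust policy, which is expected and worth reviewing anyway on an internet-facing box.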