Juniper SRX 使用Reset Config重置組態按鈕

Juniper SRX 使用Reset Config重置組態按鈕

如果配置失敗或拒絕對服務閘道(Service Gateway)的管理訪問, 則可以使用 "重置配置Reset Config " 按鈕將設備恢復到出廠預設配置(factory-default configuration)或搶救配置(rescue configuration)。例如, 如果有人無意中提交了拒絕管理訪問服務閘道的配置, 則可以通過按下 "重定配置Reset Config " 按鈕來刪除無效配置並將其替換為 " rescue搶救"。

救援配置rescue configuration是以前提交的、有效的配置。您以前必須通過 J Web 介面或 CLI 設置了救援配置。

user@srx> request system configuration rescue save   ##設定當前運行中之設定檔為補救設定檔

user@srx> rollback rescue   ##命令會載入補救設定檔

要按重定配置按鈕, 請在前面板的針孔上插入一個小探頭 (如拉直的迴紋針)。

預設情況下, 按下並快速釋放重定配置按鈕將載入通過 J Web 介面或 CLI 提交的救援配置。此時, 狀態指示燈呈穩定琥珀色solid amber。

預設情況下, 按住 "重定配置" 按鈕15秒鐘或更短-直到狀態指示燈呈穩定琥珀色-將刪除設備上的所有配置, 包括備份配置和救援配置, 及載入並提交(commit)出廠預設配置。

更改 SRX100 服務閘道上的重置配置Reset Config按鈕行為

要防止 "重定配置Reset Config " 按鈕作用時，除了將設備設置成為出廠預設配置外, 並一起刪除所有其他配置，可執行以下命令:

user@srx# set chassis config-button no-clear

您仍然可以按下並快速釋放該按鈕, 將其重置為救援配置。

要防止 "重定配置Reset Config " 按鈕將設備設置成為 "搶救" 配置，可執行以下命令:

user@srx# set chassis config-button no-rescue

您仍然可以按住按鈕15秒鐘或更多, 以將閘道重置為出廠預設配置。

要禁用該按鈕並防止設備重置為任一配置，可執行以下命令:

user@srx# set chassis config-button no-clear no-rescue

no-clear 選項可防止 "重定配置Reset Config " 按鈕刪除 "服務" 閘道上的所有配置。no-rescue 選項可防止 "重定配置Reset Config " 按鈕載入 " rescue " 設置。

若要將 "重定配置" 按鈕的函數返回到其預設行為, 請從設備配置中刪除配置按鈕語句。

設備恢復出廠介紹

進入到配置模式,執行下列命令：

root@srx100# load factory-default

warning: activating factory configuration    /***系統啟動出廠配置***/

恢復出廠後,必須立刻設置ROOT 帳號密碼<默認密碼至少6 位數：必須包含字母加數字>

root@srx100# set system root-authentication plain-text-password  /***一定要執行此命令，不然無法commit***/

New password:

Retype new password:  

當設置完ROOT 帳號密碼以後,進行提交(commit)以保存並實行配置

root@srx100# commit

commit complete

load factory-default的效果等同以下的動作：

預設情況下，在SRX100/210設備的前面板上，按住 "重設組態Reset Config" 按鈕15秒鐘或更短-直到狀態指示燈呈穩定琥珀色-這將刪除設備上的所有配置，包括備份配置和救援配置，及載入並提交(commit)出廠預設配置。

此時console會顯示以下訊息:

Broadcast Message from root@srx100

        (no tty) at 23:57 CST...

Config button pressed

Committing factory default configuration

若您此時從WebUI來登入srx設備，會看到以下Setup Wizard畫面：

而關於其詳細設定內容請您參考以下之連結：

初始化安裝(J-Web模式)

若您此時在CLI命令列輸入show | no-more則可以看到出廠預設之配置如下：

root@srx100# show | no-more

system {

    autoinstallation {

        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit

        traceoptions {

            level verbose;

            flag {

                all;

            }

        }

        interfaces {

            fe-0/0/0 {

                bootp;

            }

        }

    }

    name-server {

        208.67.222.222;

        208.67.220.220;

    }

    services {

        ssh;

        telnet;

        xnm-clear-text;

        web-management {

            http {

                interface vlan.0;

            }

            https {

                system-generated-certificate;

                interface vlan.0;

            }

        }

        dhcp {

            router {

                192.168.1.1;

            }

            pool 192.168.1.0/24 {

                address-range low 192.168.1.2 high 192.168.1.254;

            }

            propagate-settings fe-0/0/0.0;

        }

    }

    syslog {

        archive size 100k files 3;

        user * {

            any emergency;

        }

        file messages {

            any critical;

            authorization info;

        }

        file interactive-commands {

            interactive-commands error;

        }

    }

    max-configurations-on-flash 5;

    max-configuration-rollbacks 5;

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

    ## Warning: missing mandatory statement(s): 'root-authentication'

}

interfaces {

    fe-0/0/0 {

        unit 0;

    }

    fe-0/0/1 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/2 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/3 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/4 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/5 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/6 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    fe-0/0/7 {

        unit 0 {

            family ethernet-switching {

                vlan {

                    members vlan-trust;

                }

            }

        }

    }

    vlan {

        unit 0 {

            family inet {

                address 192.168.1.1/24;

            }

        }

    }

}

protocols {

    stp;

}

security {

    screen {

        ids-option untrust-screen {

            icmp {

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;

            }

            tcp {

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    timeout 20;

                }

                land;

            }

        }

    }

    nat {

        source {

            rule-set trust-to-untrust {

                from zone trust;

                to zone untrust;

                rule source-nat-rule {

                    match {

                        source-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }

    }

    policies {

        from-zone trust to-zone untrust {

            policy trust-to-untrust {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

    }

    zones {

        security-zone trust {

            host-inbound-traffic {

                system-services {

                    all;

                }

                protocols {

                    all;

                }

            }

            interfaces {

                vlan.0;

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {

                fe-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {

                            dhcp;

                            tftp;

                        }

                    }

                }

            }

        }

    }

}

vlans {

    vlan-trust {

        vlan-id 3;

        l3-interface vlan.0;

    }

}