Configuring Kaspersky AV (antivirus) on Juniper SRX JUNOS
There are currently 3 antivirus solutions for the SRX, all of which require a different license to activate:
* Kaspersky
* Sophos
* Juniper Express
Briefly, some differences between the 3 options are:
Kaspersky
* Full file-based AV
* Local signature database lookups. AV signatures downloaded as a package.
* Largest CPU performance impact
* Supports Intelligent Prescreening
Sophos
* Cloud-based signature database, which therefore requires constant Internet access for AV lookups
* Moderate CPU performance impact
* No prescreening
Juniper Express
* Less protection than the other 2 options
* Only protects against critical threats. Modified Kaspersky database.
* Does not reconstruct content prior to scanning
* Pattern-matching-based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening
* Least CPU performance impact and highest throughput
As our test today is on an SRX100H, we only have 2 of those options available. Juniper Express is not available on the 100, as it doesn't have Content Security Accelerator hardware.
Check the current antivirus status:
root@srx100> show security utm anti-virus status
UTM anti-virus status:
Scan engine type: no-config
root@srx100>
Nothing is configured yet.
Set the scan engine you want to use (in this example, the Kaspersky Lab engine).
user@host# set security utm feature-profile anti-virus type kaspersky-lab-engine
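Setting up automatic updates of the Kaspersky AV virus patterns:
By default, the antivirus pattern database is configured to update automatically every 60 minutes. You can also specify an e-mail notification to be sent to the administrator after a pattern update completes.
1. Configure a different time interval for the Kaspersky scan engine to update the virus patterns.
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX100
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 60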
Note: The "SRX100" at the end of the URL is set according to your device model; see the explanation below:
There are 3 types of AV on SRX devices. High-end SRX only supports type 3.
1. Express Antivirus Scanner
   Database Update Path
2. Full Antivirus Pattern Updates
   Database Update Path
3. Sophos Antivirus Protection
   Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.
   Database Update Path
Alternatively, you can update the virus patterns manually by entering the following operational command:
user@host> request security utm anti-virus kaspersky-lab-engine pattern-update
2. Configure e-mail notification for pattern updates
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify admin-email "admin@juniper.net"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message "Pattern UPDATE Done"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message-subject "AV UPDATE COMPLETE"
3. Configure the scan mode of the virus scan engine
The default, which is what is used when no scan mode is configured, is to scan all files. This consumes a lot of system resources and reduces the device's inbound and outbound throughput.
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode all
Scan only files with specific extensions, using the Junos default extension list. (This is the method we use here.)
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode by-extension
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-extension junos-default-extension
Scan only files with specific extensions, using an extension list you define yourself.
set security utm custom-objects filename-extension extlist1 value [zip js vbs exe com bin rar 7z]
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode by-extension
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-extension extlist1
We can now check the current antivirus status.
root@srx100> show security utm anti-virus status
UTM anti-virus status:
Anti-virus key expire date: 2018-02-27 08:00:00
Update server: http://update.juniper-updates.net/AV/SRX100
Interval: 60 minutes
Pattern update status: in process
Last result: downloading signature files
Anti-virus signature version: not loaded
Anti-virus signature compiler version: N/A
Scan engine type: kaspersky-lab-engine
Scan engine information: last action result: Engine not ready
root@srx100>
Check the antivirus status again a few minutes later.
root@srx100> show security utm anti-virus status
UTM anti-virus status:
Anti-virus key expire date: 2018-02-27 08:00:00
Update server: http://update.juniper-updates.net/AV/SRX100
Interval: 60 minutes
Pattern update status: next update in 54 minutes
Last result: already have latest database
Anti-virus signature version: 02/21/2018 20:35 GMT, virus records: 466030
Anti-virus signature compiler version: N/A
Scan engine type: kaspersky-lab-engine
Scan engine information: last action result: No error(0x00000000)
root@srx100> show security utm anti-virus statistics
The configuration from this section is as follows:
security {
    utm {
        custom-objects {
            filename-extension {
                extlist1 {
                    value [ zip js vbs exe com bin rar 7z ];
                }
            }
        }
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX100;
                        interval 60;
                    }
                    profile junos-av-defaults {
                        scan-options {
                            scan-mode by-extension;
                            scan-extension junos-default-extension;
                        }
                    }
                }
            }
        }
    }
}
Configure the UTM policy you want to use
user@host# set security utm utm-policy custom-utm-policy anti-virus http-profile junos-av-defaults
Note: A separate anti-virus profile is needed for each protocol. The available protocols include HTTP (web protection), FTP (file transfer protection), SMTP (protection for sending e-mail), POP3 (protection for receiving e-mail), and IMAP (protection for receiving e-mail).
set security utm utm-policy custom-utm-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus imap-profile junos-av-defaults
To avoid wasting system resources, it is recommended to select only the protocols you actually need to protect.
Our configuration so far:
security {
    utm {
        utm-policy custom-utm-policy {
            anti-virus {
                http-profile junos-av-defaults;
                ftp {
                    upload-profile junos-av-defaults;
                    download-profile junos-av-defaults;
                }
                smtp-profile junos-av-defaults;
                pop3-profile junos-av-defaults;
                imap-profile junos-av-defaults;
            }
        }
    }
}
Applying the UTM policy to a security policy
Apply the UTM policy to a security policy (in this example, a security policy called web-access).
user@host# set security policies from-zone trust to-zone untrust policy web-access match source-address any destination-address any application junos-http
user@host# set security policies from-zone trust to-zone untrust policy web-access then permit application-services utm-policy custom-utm-policy
set security policies from-zone trust to-zone untrust policy web-access match source-address any
set security policies from-zone trust to-zone untrust policy web-access match destination-address any
set security policies from-zone trust to-zone untrust policy web-access match application junos-http
set security policies from-zone trust to-zone untrust policy web-access match application junos-ftp
set security policies from-zone trust to-zone untrust policy web-access match application junos-imap
set security policies from-zone trust to-zone untrust policy web-access match application junos-pop3
set security policies from-zone trust to-zone untrust policy web-access match application junos-smtp
set security policies from-zone trust to-zone untrust policy web-access then permit application-services utm-policy custom-utm-policy
Once the policy is configured, we also have to move it to the first position so that it is evaluated first. With our configuration, it only needs to be placed before the trust-to-untrust policy.
insert security policies from-zone trust to-zone untrust policy web-access before policy trust-to-untrust
If we do not do this, the web-access policy we created is appended after the trust-to-untrust policy. The trust-to-untrust policy permits all traffic from the internal network to the external network, that is, all internal-to-external traffic matches trust-to-untrust, so a web-access policy placed after trust-to-untrust will never be evaluated.
PS: The rule for applying policies is: if 10 policies match your traffic, the policy actually applied to it is the first one it encounters.
To move a policy in the CLI, use the insert command:
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> before policy <policy-name>
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> after policy <policy-name>
Make sure that your policy is activated. In Junos OS 10.0 and higher, your changes do not take effect until you click the Commit button (under the tabs).
[edit]
root@srx100# commit
commit complete
[edit]
root@srx100# exit
Exiting configuration mode
At this point the basic antivirus configuration is complete!
The configuration from this section:
security {
    policies {
        from-zone trust to-zone untrust {
            policy web-access {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-ftp junos-imap junos-pop3 junos-smtp ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
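The first-match rule described in this section can be checked mechanically. The following Python code is an added example, not part of the original post or of Junos: it models the two policies above and reports any policy that an earlier, broader policy makes unreachable. The names `Policy`, `first_match` and `shadowed` are hypothetical helpers, and matching on literal names (no address-book or application-set expansion) is a simplifying assumption.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    src: frozenset
    dst: frozenset
    apps: frozenset
    utm_policy: str = ""   # empty = plain permit, no UTM inspection


def _hit(field, value):
    """True if one flow attribute satisfies one match field."""
    return ANY in field or value in field


def _covers(broad, narrow):
    """True if everything that matches `narrow` also matches `broad`."""
    return ANY in broad or (ANY not in narrow and narrow <= broad)


def first_match(policies, src, dst, app):
    """Return the first policy, in list order, that matches the flow."""
    for p in policies:
        if _hit(p.src, src) and _hit(p.dst, dst) and _hit(p.apps, app):
            return p
    return None


def shadowed(policies):
    """List (policy, earlier policy) pairs where the later one can never hit.

    Only coverage by a single earlier policy is checked, which is the case
    this section describes.
    """
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and _covers(earlier.apps, later.apps)):
                found.append((later.name, earlier.name))
                break
    return found


# The two policies from this section (from-zone trust to-zone untrust).
WEB_ACCESS = Policy(
    "web-access", frozenset({ANY}), frozenset({ANY}),
    frozenset({"junos-http", "junos-ftp", "junos-imap",
               "junos-pop3", "junos-smtp"}),
    utm_policy="custom-utm-policy",
)
TRUST_TO_UNTRUST = Policy(
    "trust-to-untrust", frozenset({ANY}), frozenset({ANY}), frozenset({ANY}))

APPENDED = [TRUST_TO_UNTRUST, WEB_ACCESS]   # order without the insert command
INSERTED = [WEB_ACCESS, TRUST_TO_UNTRUST]   # order after "insert ... before"

if __name__ == "__main__":
    # Constructed sample flow: an inside client fetching a web page.
    flow = ("192.168.1.2", "213.211.198.62", "junos-http")
    for label, order in (("appended", APPENDED), ("inserted", INSERTED)):
        hit = first_match(order, *flow)
        print(label, "->", hit.name, "utm:", hit.utm_policy or "none",
              "shadowed:", shadowed(order))
```

In the appended order the HTTP flow is permitted by trust-to-untrust with no UTM policy attached, so it is never scanned; in the inserted order it is handled by web-access and other applications still fall through to trust-to-untrust.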
How to configure system logging (syslog) for SRX Kaspersky AV
Before we start, let us look at which messages Kaspersky AV generates. The following are examples:
AV_HUGE_FILE_DROPPED_MT LOG_PFE, Skip antivirus scanning and drop the received traffic due to huge file
AV_HUGE_FILE_NOT_SCANNED_MT LOG_PFE, Skip antivirus scanning and pass the received traffic due to huge file
AV_MANY_MSGS_DROPPED_MT LOG_PFE, Drop the received file due to excessive traffic
AV_MANY_MSGS_NOT_SCANNED_MT LOG_PFE, Skip antivirus scanning due to excessive traffic
AV_PATTERN_GET_FAILED LOG_FIREWALL, The device was unable to retrieve an antivirus pattern file from the server
AV_PATTERN_KEY_EXPIRED LOG_FIREWALL, Unable to download the antivirus pattern file, because the antivirus license key has been expired
AV_PATTERN_KL_CHECK_FAILED LOG_FIREWALL, The device is unable to use Kaspersky's pattern file
AV_PATTERN_TOO_BIG LOG_FIREWALL, The pattern file size specified in the server initialization file exceeds the limit
AV_PATTERN_UPDATED LOG_FIREWALL, The internal antivirus scanner successfully updated the antivirus pattern file
AV_PATTERN_WRITE_FS_FAILED LOG_FIREWALL, The device is unable to save contents of an antivirus pattern file
AV_SCANNER_DROP_FILE_MT LOG_PFE, Drop the received traffic due to an internal error of antivirus scanner
AV_SCANNER_ERROR_SKIPPED_MT LOG_PFE, Skip antivirus scanning due to an internal error
AV_SCANNER_READY LOG_FIREWALL, The antivirus scan engine is ready
AV_VIRUS_DETECTED_MT LOG_PFE, The antivirus scanner detected a virus
All syslog messages generated by Kaspersky AV start with the string "AV_", and the messages generated when a virus is detected all contain the string "AV_VIRUS_DETECTED_MT". We therefore plan to store virus-detection messages in the file AV_VIRUS and all other messages in the file AV_OPS, so that the relevant messages are easy to find.
set system syslog file AV_VIRUS any any
set system syslog file AV_VIRUS match "AV_VIRUS_DETECTED_MT"
set system syslog file AV_VIRUS archive size 1m files 3
set system syslog file AV_OPS any any
set system syslog file AV_OPS match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)"
set system syslog file AV_OPS archive size 1m files 3
set system syslog host 192.168.1.3 port 514
set system syslog host 192.168.1.3 any any
The configuration from this section is as follows:
system {
    syslog {
        host 192.168.1.3 {
            any any;
            port 514;
        }
        file AV_VIRUS {
            any any;
            match "AV_VIRUS_DETECTED_MT";
            archive size 1m files 3;
        }
        file AV_OPS {
            any any;
            match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)";
            archive size 1m files 3;
        }
    }
}
To view the messages:
root@srx100> show log AV_VIRUS
Feb 24 01:42:18 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Feb 24 03:42:15 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
root@srx100>
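An added example, not from the original post: Python code that applies the two syslog match expressions configured above to log lines, splits AV_VIRUS_DETECTED_MT records into fields, and singles out the AV_OPS events whose description in the message list says scanning was skipped. The first sample line is reassembled from the log output above; the other sample lines and all helper names are constructed for illustration.

```python
import re

# The two "match" expressions from the syslog configuration above.
ROUTES = [
    ("AV_VIRUS", re.compile(r"AV_VIRUS_DETECTED_MT")),
    ("AV_OPS", re.compile(r"(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)")),
]

# Tags whose description in the message list says scanning was skipped
# rather than the traffic dropped: content went through without a scan.
SKIPPED_SCAN = {
    "AV_HUGE_FILE_NOT_SCANNED_MT",
    "AV_MANY_MSGS_NOT_SCANNED_MT",
    "AV_SCANNER_ERROR_SKIPPED_MT",
}

TAG = re.compile(r"\b(AV_[A-Z_]+)\b")
DETECTION = re.compile(
    r"AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    r"from (?P<src>\S+) to (?P<dst>\S+) source-zone (?P<zone>\S+) "
    r"(?P<url>\S+) file (?P<file>\S+) virus (?P<virus>\S+) "
    r"URL:(?P<info_url>\S+) username (?P<username>.+?) roles (?P<roles>.+)$"
)

# Sample input. Line 1 is reassembled from the wrapped log output above;
# the remaining lines are constructed (only their tags come from the page).
SAMPLE = [
    "Feb 24 01:42:18 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: "
    "Virus detected: from 213.211.198.62:80 to 192.168.1.2:50150 "
    "source-zone untrust www.eicar.org/download/eicarcom2.zip "
    "file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com "
    "virus EICAR-Test-File "
    "URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File "
    "username N/A roles N/A",
    "Feb 24 02:10:05 srx100 AV_HUGE_FILE_NOT_SCANNED_MT: constructed text",
    "Feb 24 02:15:00 srx100 AV_PATTERN_UPDATED: constructed text",
    "Feb 24 02:16:00 srx100 constructed message unrelated to antivirus",
]


def route(line):
    """Names of the syslog files (AV_VIRUS / AV_OPS) a line would land in."""
    return [name for name, rx in ROUTES if rx.search(line)]


def parse_detection(line):
    """Split a virus-detection record into named fields, or return None."""
    m = DETECTION.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Sort lines into detections, skipped-scan events and other AV events."""
    report = {"detections": [], "skipped_scan": [], "other_ops": []}
    for line in lines:
        files = route(line)
        if "AV_VIRUS" in files:
            # Keep the raw line if its layout differs from the sample.
            report["detections"].append(parse_detection(line) or {"raw": line})
        elif "AV_OPS" in files:
            m = TAG.search(line)
            tag = m.group(1) if m else "unknown"
            key = "skipped_scan" if tag in SKIPPED_SCAN else "other_ops"
            report[key].append(tag)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for det in result["detections"]:
        print(det.get("virus"), det.get("src"), "->", det.get("dst"))
    print("scan skipped:", result["skipped_scan"])
    print("other AV events:", result["other_ops"])
```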
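How to confirm that the SRX Kaspersky AV protection is working
Check the antivirus status.
root@srx100> show security utm anti-virus status
Testing with an actual virus download
You can click the following web link to run an antivirus test.
After clicking, if the Kaspersky AV protection is working properly, the web page shows the following message:
However, if instead of clicking the link you right-click it and choose Save As, the file is not detected by the SRX Kaspersky AV, but it is detected by the antivirus software on your computer.
You can use the EICAR virus test file to test the antivirus protection for POP3, SMTP, IMAP, and FTP.
You can refer to the following web link:
SRX UTM: Antivirus - Kaspersky Full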
How to determine the default antivirus settings on the SRX platform
To determine the default antivirus settings, use the following operational command:
root@srx100> show configuration groups junos-defaults security utm feature-profile anti-virus
type kaspersky-lab-engine;
#
# should not set no-autoupdate at any time
#
kaspersky-lab-engine {
    pattern-update {
        url http://update.juniper-updates.net/AV/SRX100/;
        interval 60;
    }
    profile junos-av-defaults {
        fallback-options {
            default log-and-permit;
            corrupt-file log-and-permit;
            password-file log-and-permit;
            decompress-layer log-and-permit;
            content-size log-and-permit;
            engine-not-ready log-and-permit;
            timeout log-and-permit;
            out-of-resources log-and-permit;
            too-many-requests log-and-permit;
        }
        scan-options {
            intelligent-prescreening;
            scan-mode all;
            content-size-limit 10000;
            timeout 180;
            decompress-layer-limit 2;
        }
        notification-options {
            virus-detection {
                type message;
                no-notify-mail-sender;
                custom-message "VIRUS WARNING";
            }
            fallback-block {
                type message;
                no-notify-mail-sender;
            }
        }
    }
}
sophos-engine {
    pattern-update {
        url http://update.juniper-updates.net/SAV/;
        interval 1440;
    }
    profile junos-sophos-av-defaults {
        fallback-options {
            default log-and-permit;
            content-size log-and-permit;
            engine-not-ready log-and-permit;
            timeout log-and-permit;
            out-of-resources log-and-permit;
            too-many-requests log-and-permit;
        }
        scan-options {
            uri-check;
            content-size-limit 10000;
            timeout 180;
        }
        notification-options {
            virus-detection {
                type message;
                no-notify-mail-sender;
                custom-message "VIRUS WARNING";
            }
            fallback-block {
                type message;
                no-notify-mail-sender;
            }
        }
    }
}
set security utm feature-profile anti-virus type kaspersky-lab-engine
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX100/
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 60
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options default log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options corrupt-file log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options password-file log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options decompress-layer log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options content-size log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options timeout log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options intelligent-prescreening
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode all
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options content-size-limit 10000
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options timeout 180
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options decompress-layer-limit 2
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection no-notify-mail-sender
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection custom-message "VIRUS WARNING"
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options fallback-block type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options fallback-block no-notify-mail-sender
set security utm feature-profile anti-virus sophos-engine pattern-update url http://update.juniper-updates.net/SAV/
set security utm feature-profile anti-virus sophos-engine pattern-update interval 1440
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options default log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options content-size log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options timeout log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options uri-check
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options content-size-limit 10000
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options timeout 180
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection type message
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection no-notify-mail-sender
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection custom-message "VIRUS WARNING"
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options fallback-block type message
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options fallback-block no-notify-mail-sender
How to delete expired SRX Kaspersky AV licenses
The expired paid software licenses are the ones inside the red box in the figure below:
Once a paid software license has expired, the system keeps writing the following messages to the system log:
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333336" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333337" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333338" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333339" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333340" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372087" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372088" has expired.
Thoroughly fed up with this, we reluctantly deleted them by hand (as shown in the figure).
We thought that was the end of it, but after powering on the next day the same messages appeared in the system log again!!?? We quickly checked the license information and found that the deleted licenses had come back. In the spirit of experimentation we deleted them once more, and after a reboot the deleted licenses were back again. Undaunted, we deleted them yet again, and after rebooting the result was still the same, except that this time we noticed the following messages on the console during boot:
Checking integrity of licenses:
JUNOS221719.lic: Passed
JUNOS333336.lic: Failed
JUNOS333336.lic: Performing recovery
JUNOS333336.lic: Recovered
JUNOS333337.lic: Failed
JUNOS333337.lic: Performing recovery
JUNOS333337.lic: Recovered
JUNOS333338.lic: Failed
JUNOS333338.lic: Performing recovery
JUNOS333338.lic: Recovered
JUNOS333339.lic: Failed
JUNOS333339.lic: Performing recovery
JUNOS333339.lic: Recovered
JUNOS333340.lic: Failed
JUNOS333340.lic: Performing recovery
JUNOS333340.lic: Recovered
JUNOS372087.lic: Failed
JUNOS372087.lic: Performing recovery
JUNOS372087.lic: Recovered
JUNOS372088.lic: Failed
JUNOS372088.lic: Performing recovery
JUNOS372088.lic: Recovered
JUNOS985375.lic: Passed
JUNOS985376.lic: Passed
JUNOS985377.lic: Passed
JUNOS985378.lic: Passed
JUNOS985379.lic: Passed
JUNOS985380.lic: Passed
JUNOS985381.lic: Passed
Checking integrity of configuration:
rescue.conf.gz: Passed
We seemed to have found the cause! A quick search online showed that autorecovery was to blame.
After we restore the factory defaults, the status LED on the front panel of the Juniper SRX100/210 lights red. At that point, entering the following command immediately solves the problem and turns the status LED green.
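root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>
From the messages we can see that it saves recovery information of three types: config, licenses, and BSD label.
So what does this command do?
It turns out to be a command that Junos OS forces us to run in order to protect important files; otherwise the device keeps showing a red light. We already know its effect: if you accidentally delete a protected file, it is restored again while the device reboots.
And which files does it protect? We can issue this command: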
root@srx100> show system autorecovery state | no-more
Configuration:
File             Recovery Information  Integrity Check  Action / Status
rescue.conf.gz   Saved                 Passed           None
Licenses:
File             Recovery Information  Integrity Check  Action / Status
JUNOS221719.lic  Saved                 Passed           None
JUNOS333336.lic  Saved                 Passed           None
JUNOS333337.lic  Saved                 Passed           None
JUNOS333338.lic  Saved                 Passed           None
JUNOS333339.lic  Saved                 Passed           None
JUNOS333340.lic  Saved                 Passed           None
JUNOS372087.lic  Saved                 Passed           None
JUNOS372088.lic  Saved                 Passed           None
JUNOS985375.lic  Saved                 Passed           None
JUNOS985376.lic  Saved                 Passed           None
JUNOS985377.lic  Saved                 Passed           None
JUNOS985378.lic  Saved                 Passed           None
JUNOS985379.lic  Saved                 Passed           None
JUNOS985380.lic  Saved                 Passed           None
JUNOS985381.lic  Saved                 Passed           None
BSD Labels:
Slice            Recovery Information  Integrity Check  Action / Status
s1               Saved                 Passed           None
s2               Saved                 Passed           None
s3               Saved                 Passed           None
s4               Saved                 Passed           None
root@srx100>
It looks like this approach should work, so we quickly delete the unwanted licenses (see the figure at the beginning of this section):
root@PayDay# run show system license <--This will give you the information regarding licenses
License usage:
                 Licenses  Licenses   Licenses  Expiry
Feature name     used      installed  needed
j-flow           0         1          0         permanent
bgp-reflection   0         1          0         permanent
Licenses installed:
License identifier: JUNOS201481 <--This is the license identifier
License version: 2
Valid for device: JN10E8E75ADD
Features:
bgp-reflection - Border Gateway Protocol route reflection
permanent
j-flow - J-FLOW traffic analysis (CFLOW reporting)
permanent
root@PayDay> request system license delete JUNOS201481 <--This will remove the license
After deleting, check the state again:
root@srx100> show system autorecovery state | no-more
Configuration:
File             Recovery Information  Integrity Check  Action / Status
rescue.conf.gz   Not Saved             Not checked      Requires save
Licenses:
File             Recovery Information  Integrity Check  Action / Status
JUNOS221719.lic  Not Saved             Not checked      Requires save
JUNOS985375.lic  Not Saved             Not checked      Requires save
JUNOS985376.lic  Not Saved             Not checked      Requires save
JUNOS985377.lic  Not Saved             Not checked      Requires save
JUNOS985378.lic  Not Saved             Not checked      Requires save
JUNOS985379.lic  Not Saved             Not checked      Requires save
JUNOS985380.lic  Not Saved             Not checked      Requires save
JUNOS985381.lic  Not Saved             Not checked      Requires save
BSD Labels:
Slice            Recovery Information  Integrity Check  Action / Status
s1               Not Saved             Not checked      Requires save
s2               Not Saved             Not checked      Requires save
s3               Not Saved             Not checked      Requires save
s4               Not Saved             Not checked      Requires save
root@srx100>
Finally, we run the save command again:
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>
Finally, after several reboot tests, we found that the expired licenses deleted with the steps above no longer came back, which truly moved me deeply.........
For how to delete an expired license key, we can refer to the following web link:
We can summarize the steps for deleting expired paid software licenses as follows:
show system license
show system autorecovery state
request system autorecovery state clear
request system license delete JUNOS201481
show system autorecovery state
request system autorecovery state save
show system autorecovery state
show system license
But at this point we found that the system panel was still showing a red light?? So we ran the following command:
root@srx100> show system alarms
2 alarms currently active
Alarm time               Class  Description
2018-04-01 12:44:21 UTC  Minor  Anti-Spam usage requires a license
2018-04-01 12:44:13 UTC  Minor  Kaspersky AV usage requires a license
root@srx100>
On inspection we found that the UTM commands for Kaspersky AV and related features were still in the system configuration, as follows:
security {
    utm {
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX240;
                        interval 120;
                    }
                }
            }
        }
        utm-policy custom-utm-policy {
            anti-virus {
                http-profile junos-av-defaults;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy web-access {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
        }
    }
}
So we ran the following commands to delete them:
root@srx100# delete security utm
root@srx100# delete security policies from-zone trust to-zone untrust policy web-access
root@srx100# commit
At last the system panel returned to normal and the light turned green!
All done!