Juniper防火墙设备部署标准模板.docx
Juniper防火墙设备部署标准模板
Juniper防火墙设备
部署标准模板
一、大规模分行(ISG2000)
1.产品外观及接口标识:
2.ISG2000实物连接拓扑结构
3.配置模板
以下配置如无标注,都为系统默认设置。
红色的为特别需要注意的,必须所有分行统一化的设置。
主防火墙配置:
/* Clock and virtual-router setup. Spaces between keywords were lost when this listing was extracted; e.g. `setclockdst-off` reads `set clock dst-off`. Re-insert the spaces before pasting into a device. */
setclockdst-off
/* Timezone 8 (UTC+8). In practice it is enough to sync the firewall clock from your PC; the Web UI has a time-sync page. */
setclocktimezone8
/* The next three lines appear to be one `set clock dst recurring start-weekday ... end-weekday ...` command that was split at the `02:00` time fields; re-join it. NOTE(review): with dst-off set above, this recurring rule presumably stays inactive — confirm. */
setclockdstrecurringstart-weekday20302:
00end-weekday101102:
00
/* trust-vr is marked sharable; untrust-vr is entered and left unchanged; inside trust-vr, auto-route-export is unset. */
setvroutertrust-vrsharable
setvrouter"untrust-vr"
exit
setvrouter"trust-vr"
unsetauto-route-export
exit
/* Service (protocol) objects — each branch defines its own.
Do not define long timeouts; for long-lived applications whose services cannot all be enumerated, the global workaround is to stop checking the TCP flags (see the flow section below).
NOTE(review): the `XXX` fields are placeholders for the branch's service name and, presumably, its port range. */
setservice"XXX"protocoltcpXXXXXX
/* Globally disable the listed ALGs; at initial go-live they must be set exactly as below.
NOTE(review): the wording describes a go-live setting — which ALGs, if any, are re-enabled after stabilisation is not stated here. */
unsetalgsipenable
unsetalgmgcpenable
unsetalgsccpenable
unsetalgsunrpcenable
unsetalgmsrpcenable
unsetalgsqlenable
unsetalgrtspenable
unsetalgh323enable
/* Authentication and administrator defaults: the local auth server is the default for user and admin authentication, RADIUS accounting port 1646, admin auth timeout 10, DOS-style config format.
NOTE(review): the admin name (also the factory-default admin name) and the password hash on the two lines below are the same in every branch template in this document; treat them as placeholders and set a distinct credential per device before it goes live. */
setauth-server"Local"id0
setauth-server"Local"server-name"Local"
setauthdefaultauthserver"Local"
setauthradiusaccountingport1646
setadminname"netscreen"
setadminpassword"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
setadminauthtimeout10
setadminauthserver"Local"
setadminformatdos
/* Bind each security zone to a virtual router. Only Trust and Untrust are actually used, and both are placed in untrust-vr; the remaining zones stay in trust-vr.
NOTE(review): the ISG1000 template later in this document places DMZ in untrust-vr instead — the two templates differ here. */
setzone"Trust"vrouter"untrust-vr"
setzone"Untrust"vrouter"untrust-vr"
setzone"DMZ"vrouter"trust-vr"
setzone"VLAN"vrouter"trust-vr"
setzone"Untrust-Tun"vrouter"trust-vr"
/* Per-zone security settings: turn off settings that may cause connectivity problems.
tcp-rst is unset on Trust, Untrust and VLAN and set on DMZ; intra-zone block is unset on Untrust and set on VLAN.
NOTE(review): the ISG1000 template unsets DMZ tcp-rst instead of setting it — the two templates differ here. */
unsetzone"Trust"tcp-rst
unsetzone"Untrust"block
unsetzone"Untrust"tcp-rst
setzone"DMZ"tcp-rst
setzone"VLAN"block
unsetzone"VLAN"tcp-rst
/* To guarantee connectivity some security is sacrificed: the listed network-layer SCREEN checks (tear-drop, syn-flood, ping-death, ip-filter-src, land) are disabled on Untrust. The same five checks are enabled on V1-Untrust.
NOTE(review): the data interfaces below are in route mode and bound to Untrust, not V1-Untrust (presumably the Layer-2 zone), so the V1-Untrust screens cover no traffic in this deployment; the ISG1000 template unsets them instead. */
unsetzone"Untrust"screentear-drop
unsetzone"Untrust"screensyn-flood
unsetzone"Untrust"screenping-death
unsetzone"Untrust"screenip-filter-src
unsetzone"Untrust"screenland
setzone"V1-Untrust"screentear-drop
setzone"V1-Untrust"screensyn-flood
setzone"V1-Untrust"screenping-death
setzone"V1-Untrust"screenip-filter-src
setzone"V1-Untrust"screenland
/* HA: e3/1 and e3/2 go into the HA zone as HA links; connect them directly with a crossover cable, not through a switch. */
setinterface"ethernet3/1"zone"HA"
setinterface"ethernet3/2"zone"HA"
/* e1/1 goes into the Untrust zone, e1/2 into the Trust zone; vlan1 gets no IP. */
setinterface"ethernet1/1"zone"Untrust"
setinterface"ethernet1/2"zone"Trust"
unsetinterfacevlan1ip
/* MGT interface IP; MGT is used for out-of-band management. */
setinterfacemgtip32.0.6.140/25
/* Interface IP addresses; note that both interfaces are in route mode. */
setinterfaceethernet1/1ip32.0.224.68/28
setinterfaceethernet1/1route
setinterfaceethernet1/2ip32.0.224.84/28
setinterfaceethernet1/2route
unsetinterfacevlan1bypass-others-ipsec
unsetinterfacevlan1bypass-non-ip
/* Both data interfaces are left manageable; snmp and ssl management are removed only from e1/2, nothing is unset on e1/1.
NOTE(review): e1/1 sits in Untrust — since MGT is the out-of-band path, confirm which management services, if any, are intended to answer on the Untrust-facing interface. */
setinterfaceethernet1/1ipmanageable
setinterfaceethernet1/2ipmanageable
unsetinterfaceethernet1/2managesnmp
unsetinterfaceethernet1/2managessl
/* Flow parameters — pay particular attention here.
tcp-rst-invalid-session is set (presumably a RST is returned for TCP packets matching no session); the TCP SYN check and SYN-bit check are both disabled — this is the global "stop checking TCP flags" workaround referred to under service objects.
NOTE(review): with both SYN checks off a session can presumably be created from a non-SYN packet; that is the trade-off being accepted for long-lived connections. */
setflowtcp-rst-invalid-session
unsetflowtcp-syn-check
unsetflowtcp-syn-bit-check
setflowreverse-routeclear-textprefer
setflowreverse-routetunnelalways
/* Hostname is site-specific (the ISG1000 template uses HB_SRV_FW_1); PKI SCEP mode auto and partial x509 cert-path. */
sethostnameJS_SRV_FW_1
setpkiauthoritydefaultscepmode"auto"
setpkix509defaultcert-pathpartial
/* HA (NSRP) settings: cluster id 1; RTO mirroring of sync, route and session age-out acks; VSD group 0 with priority 50; e1/2 as the secondary HA path; e1/1 and e1/2 monitored by VSD group 0 (presumably so a link failure triggers failover). The backup unit differs only in its MGT and NSRP settings — see the note after this listing. */
setnsrpclusterid1
setnsrprto-mirrorsync
setnsrprto-mirrorroute
setnsrprto-mirrorsessionageout-ack
setnsrpvsd-groupid0priority50
setnsrpsecondary-pathethernet1/2
setnsrpvsd-groupid0monitorinterfaceethernet1/1
setnsrpvsd-groupid0monitorinterfaceethernet1/2
/* IKE/IPsec settings: respond-bad-spi 1, IKE ID enumeration off, IKE DoS protection off, IPsec access sessions disabled with the listed maximum/thresholds and logging options unset.
NOTE(review): `unset ike dos-protection` turns off a protective setting; if no VPN terminates on this unit it is moot, otherwise confirm it is intentional. */
setikerespond-bad-spi1
unsetikeikeid-enumeration
unsetikedos-protection
unsetipsecaccess-sessionenable
setipsecaccess-sessionmaximum5000
setipsecaccess-sessionupper-threshold0
setipsecaccess-sessionlower-threshold0
setipsecaccess-sessiondead-p2-sa-timeout0
unsetipsecaccess-sessionlog-error
unsetipsecaccess-sessioninfo-exch-connected
unsetipsecaccess-sessionuse-error-log
/* Both vrouter contexts are entered and left without changes (harmless no-ops kept from the saved config). Then the ICAP AV vendor id and the URL-filtering protocol; `set url protocol websense` appears to open a context that the final `exit` closes. */
setvrouter"untrust-vr"
exit
setvrouter"trust-vr"
exit
seticapav-vendor-idsymantec-5
seturlprotocolwebsense
exit
/* Access-control policies — each branch defines its own as needed; keep the two catch-all policies at the end.
NOTE(review): as written both catch-alls are `Any`/`Any`/`ANY` permit, one per direction, with no `log` keyword, so nothing is enforced beyond what branch-specific policies placed above them deny — confirm this is the intended end-state and not only a go-live setting. */
setpolicyid1from"Trust"to"Untrust""Any""Any""ANY"permit
setpolicyid1
exit
setpolicyid2from"Untrust"to"Trust""Any""Any""ANY"permit
setpolicyid2
exit
/* Management: NSM bulk-CLI reboot timeout 60, SSH limited to version 2, config lock timeout 5, license-key auto-update off, SNMP listen port 161 and trap port 162. */
setnsmgmtbulkclireboot-timeout60
setsshversionv2
setconfiglocktimeout5
unsetlicense-keyauto-update
setsnmpportlisten161
setsnmpporttrap162
/* Static routes — each branch defines its own.
In untrust-vr: the default route leaves e1/1 via 32.0.224.65; the listed 32.0.x.x internal networks leave e1/2 via 32.0.224.81; all have preference 20. Both gateways lie inside the /28s assigned to e1/1 and e1/2 above.
In trust-vr: add-default-route is unset and a default route leaves the MGT interface via 32.0.6.254, which lies in the MGT /25. NOTE(review): 32.0.6.0/24 is also routed via e1/2 in untrust-vr, so the MGT subnet overlaps that prefix across the two vrouters — presumably intentional, confirm. */
setvrouter"untrust-vr"
setroute0.0.0.0/0interfaceethernet1/1gateway32.0.224.65preference20
setroute32.0.6.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.7.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.8.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.12.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.27.0/28interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.30.224/28interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.32.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.33.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.34.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.40.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.63.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.76.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.88.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.105.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.108.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.141.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.159.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.160.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.161.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.171.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.190.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.191.0/24interfaceethernet1/2gateway32.0.224.81preference20
setroute32.0.192.0/24interfaceethernet1/2gateway32.0.224.81preference20
exit
setvrouter"trust-vr"
unsetadd-default-route
setroute0.0.0.0/0interfacemgtgateway32.0.6.254preference20
exit
/* Trailing empty vrouter contexts — no-ops. */
setvrouter"untrust-vr"
exit
setvrouter"trust-vr"
exit
备防火墙配置:
(备防火墙只有在MGT和NSRP方面的设置与主防火墙不同,其它配置都是自动同步的)
二、小规模分行(ISG1000)
1.产品外观及接口标识:
2.ISG1000实物连接拓扑结构
3.配置模板
以下配置如无标注,都为系统默认设置。
红色的为特别需要注意的,必须所有分行统一化的设置。
主防火墙配置:
setclockdst-off
/*设置timezone为8,实际上用你的电脑的时间同步以下防火墙,就可以了,在Web界面里有个时间同步的页面*/
setclocktimezone8
setclockdstrecurringstart-weekday20302:
00end-weekday101102:
00
setvroutertrust-vrsharable
setvrouter"untrust-vr"
exit
setvrouter"trust-vr"
unsetauto-route-export
exit
/*设置协议对象,各分行自行定义。
建议不要定义长的超时时间,对于长连接应用,如果找不全,就通过设置不检测TCP标志位来全局解决*/
setservice"XXX"protocoltcpXXXXXX
/*全局关闭一些ALG,初上线时必须按照如下设置*/
unsetalgsipenable
unsetalgmgcpenable
unsetalgsccpenable
unsetalgsunrpcenable
unsetalgmsrpcenable
unsetalgsqlenable
unsetalgrtspenable
unsetalgh323enable
/*认证和管理员属性的一些默认设置*/
setauth-server"Local"id0
setauth-server"Local"server-name"Local"
setauthdefaultauthserver"Local"
setauthradiusaccountingport1646
setadminname"netscreen"
setadminpassword"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
setadminauthtimeout10
setadminauthserver"Local"
setadminformatdos
/*设置安全区所属的虚拟路由器,实际上我们用到的只有Trust和Untrust两个zone,把这两个zone都放进Untrust-VR*/
setzone"Trust"vrouter"untrust-vr"
setzone"Untrust"vrouter"untrust-vr"
setzone"DMZ"vrouter"untrust-vr"
setzone"VLAN"vrouter"trust-vr"
setzone"Untrust-Tun"vrouter"trust-vr"
/*Zone内的一些安全设置,关闭一些可能带来连通性问题的安全设置。
*/
unsetzone"Trust"tcp-rst
unsetzone"Untrust"block
unsetzone"Untrust"tcp-rst
unsetzone"DMZ"tcp-rst
setzone"VLAN"block
unsetzone"VLAN"tcp-rst
/*为保证连通性,牺牲一些安全性,关闭一些抗网络层攻击功能*/
unsetzone"Untrust"screentear-drop
unsetzone"Untrust"screensyn-flood
unsetzone"Untrust"screenping-death
unsetzone"Untrust"screenip-filter-src
unsetzone"Untrust"screenland
unsetzone"V1-Untrust"screentear-drop
unsetzone"V1-Untrust"screensyn-flood
unsetzone"V1-Untrust"screenping-death
unsetzone"V1-Untrust"screenip-filter-src
unsetzone"V1-Untrust"screenland
/*把e1/1和e1/2两个口放到HAzone里,做HA口使用,用反绞线直接连接,不要通过交换机连接*/
setinterface"ethernet1/1"zone"HA"
setinterface"ethernet1/2"zone"HA"
/*把e2/1放untrustzone里,把e2/2放trustzone里*/
setinterface"ethernet2/1"zone"Untrust"
setinterface"ethernet2/2"zone"Trust"
unsetinterfacevlan1ip
/*设置MGT口的IP地址,用MGT做带外管理*/
setinterfacemgtip192.168.1.1/24
/*设置接口IP地址,注意接口模式为route模式*/
setinterfaceethernet2/1ip52.0.224.68/28
setinterfaceethernet2/1route
setinterfaceethernet2/2ip52.0.224.84/28
setinterfaceethernet2/2route
unsetinterfacevlan1bypass-others-ipsec
unsetinterfacevlan1bypass-non-ip
setinterfaceethernet2/1ipmanageable
setinterfaceethernet2/2ipmanageable
setinterfaceethernet2/1manageping
unsetinterfaceethernet2/2managesnmp
unsetinterfaceethernet2/2managessl
/*设置Flow的一些参数,这里尤其需要注意*/
setflowtcp-rst-invalid-session
unsetflowtcp-syn-check
unsetflowtcp-syn-bit-check
setflowreverse-routeclear-textprefer
setflowreverse-routetunnelalways
sethostnameHB_SRV_FW_1
setpkiauthoritydefaultscepmode"auto"
setpkix509defaultcert-pathpartial
/*HA属性的一些设置*/
setnsrpclusterid1
setnsrprto-mirrorsync
setnsrprto-mirrorroute
setnsrprto-mirrorsessionageout-ack
setnsrpvsd-groupid0priority50
setnsrpsecondary-pathethernet2/2
setnsrpvsd-groupid0monitorinterfaceethernet2/1
setnsrpvsd-groupid0mon