Juniper SRX Firewall Configuration Management Manual

2.3.4 Adding a policy: configuration example

Policies are configured in much the same way as in ScreenOS; only the configuration commands differ. The permit/deny action of a policy is configured as a separate "then" statement (what is a single policy statement in ScreenOS becomes two or more configuration statements here). A policy name must be assigned manually; it can be a string or a number (similar to the ScreenOS policy ID, except that it has to be specified by hand). First, check the system default policy:

root# show security policies default-policy        (show the current default policy action)
root# set security policies default-policy ?       (set the default policy action)
Possible completions:
  deny-all     Deny all traffic if no policy match
  permit-all   Permit all traffic if no policy match

Policy configuration example based on the lab topology:

set security zones security-zone trust address-book address pc1 20.1.1.200/32

set security zones security-zone untrust address-book address server1 192.168.1.200/32

/*** As in ScreenOS, address objects are defined under the trust and untrust zones so that policies can reference them; an address object's name may also take the address/mask form ***/

set security zones security-zone trust address-book address-set addr-group1 address pc1

/*** Under the trust zone, define an address set named addr-group1 and place the pc1 address in it ***/

set security policies from-zone trust to-zone untrust policy 001 match source-address addr-group1 destination-address server1 application any

set security policies from-zone trust to-zone untrust policy 001 then permit

/*** Define a permit policy from trust to untrust that allows the source addresses in addr-group1 to reach server1 on any application ***/

set security policies from-zone trust to-zone untrust policy 001 then log session-init
set security policies from-zone trust to-zone untrust policy 001 then log session-close
set security policies from-zone trust to-zone untrust policy 001 then count

<Optional> /*** For this trust-to-untrust policy, log session setup and teardown and count the traffic it matches ***/

root# set security policies from-zone trust to-zone untrust policy 001 scheduler-name happy-time
root# set security policies from-zone trust to-zone dmz policy 001 scheduler-name work-time

<Optional> /*** Attach a scheduler object to the policy: the policy is in effect while the time condition is met and is otherwise inactive ***/

root# set security policies from-zone trust to-zone untrust policy t-u then permit application-services ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
  idp                  Intrusion detection and prevention
  redirect-wx          Set WX redirection
  reverse-redirect-wx  Set WX reverse redirection
  uac-policy           Enable unified access control enforcement of policy
  utm-policy           Specify utm policy name
[edit]

<Optional> /*** Choose whether to apply IDP, UAC, UTM or similar services to the policy; before enabling such inspection on a policy, configure the corresponding feature first ***/

Page 9 of 26

2.3.5 Deleting a policy

On an SRX firewall, as with everything else in JUNOS, policies are removed with the delete command. The command to delete a policy is:

srx3400@root# delete security policies from-zone trust to-zone untrust policy 1

/*** Delete the policy with ID 1 from trust to untrust ***/

Command format: srx3400@root# delete security policies from-zone zone-name to-zone zone-name policy policy-id

zone-name: a user-defined or predefined zone name, for example trust, untrust or dmz.
policy-id: the policy ID, for example 1, 2, 3, 4, ..., n.

Note: if the policy ID is omitted, all policies from the from-zone to the to-zone are deleted.

2.3.6 Adjusting policy order

SRX policies are evaluated top-down, one at a time, until a match is found. A newly added policy is placed at the end of the list, and the default policy denies all traffic, so if a broader policy sits higher up, a more specific policy below it is never reached; the order then has to be adjusted. Commands:

(1) srx3400@root# insert security policies from-zone trust to-zone untrust policy 1 before policy 2

/*** Move policy 1 (trust to untrust) in front of policy 2 ***/

(2) srx3400@root# insert security policies from-zone trust to-zone untrust policy 1 after policy 2

/*** Move policy 1 (trust to untrust) behind policy 2 ***/

Command format:

srx3400@root# insert security policies from-zone zone-name to-zone zone-name policy policy-id before policy policy-id

srx3400@root# insert security policies from-zone zone-name to-zone zone-name policy policy-id after policy policy-id
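To make the ordering rule concrete, here is an added Python model (not part of the manual) of top-down, first-match policy lookup with a deny-all default, a check for policies that an earlier broader policy shadows, and the effect of the "insert ... before" command. The policy list is constructed from the pc1 and server1 addresses of the lab example.

```python
# Added example (not from the manual): a minimal model of SRX policy lookup.
# Policies in one from-zone/to-zone context are checked top-down, first match wins;
# a flow that matches nothing falls through to the default policy (deny-all here).
from ipaddress import ip_address, ip_network

def match(policy, src, dst, app):
    """True when the flow falls within the policy's match terms."""
    return (ip_address(src) in ip_network(policy["src"])
            and ip_address(dst) in ip_network(policy["dst"])
            and policy["app"] in ("any", app))

def lookup(policies, src, dst, app, default="deny"):
    """Top-down, first-match lookup as on the SRX; returns (policy name, action)."""
    for p in policies:
        if match(p, src, dst, app):
            return p["name"], p["action"]
    return "default-policy", default

def insert_before(policies, name, before):
    """Model of 'insert security policies ... policy NAME before policy BEFORE'."""
    moved = next(p for p in policies if p["name"] == name)
    rest = [p for p in policies if p["name"] != name]
    idx = next(i for i, p in enumerate(rest) if p["name"] == before)
    return rest[:idx] + [moved] + rest[idx:]

def shadowed(policies):
    """Names of policies that can never match because an earlier one covers every flow they do."""
    out = []
    for i, p in enumerate(policies):
        if any(ip_network(p["src"]).subnet_of(ip_network(q["src"]))
               and ip_network(p["dst"]).subnet_of(ip_network(q["dst"]))
               and q["app"] in ("any", p["app"])
               for q in policies[:i]):
            out.append(p["name"])
    return out

# Constructed trust-to-untrust policy list: the broad permit (policy 2) was configured
# first; the specific deny for pc1 -> server1 (policy 1) was added later, so it sits last.
POLICIES = [
    {"name": "2", "src": "20.1.1.0/24", "dst": "0.0.0.0/0", "app": "any", "action": "permit"},
    {"name": "1", "src": "20.1.1.200/32", "dst": "192.168.1.200/32", "app": "any", "action": "deny"},
]
```

Running lookup() on the list as configured shows policy 1 is shadowed by policy 2; insert_before(POLICIES, "1", "2") reproduces the reorder that makes the specific deny take effect.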

2.3.7 Deactivating and activating a policy

To suspend a policy on the SRX and activate it again once testing is finished, use the following commands.

Deactivate a policy:

(1) srx3400@root# deactivate security policies from-zone trust to-zone untrust policy 1

/*** Temporarily disable policy 1 (trust to untrust) ***/

Activate a policy:

(2) srx3400@root# activate security policies from-zone trust to-zone untrust policy 1

/*** Re-activate policy 1 (trust to untrust) ***/

Both activation and deactivation take effect only after a commit: srx3400@root# commit

2.4 Address translation (NAT)

SRX NAT is functionally much the same as ScreenOS NAT, but it is configured quite differently. The main difference is that in ScreenOS, NAT is bound to the policy: whether MIP, VIP, DIP or policy-based NAT, the NAT has to be expressed in the policy (except for the default interface-based source NAT on the untrust interface). On the SRX, NAT is configured independently as a network-layer building block (the direction of the address mapping, the mapping itself and the address range are all defined separately), and the policy no longer carries any NAT-related configuration. This makes the configuration easier to understand and simplifies operations: when the network topology or the NAT mappings change, the policy configuration does not need to be touched.

On the SRX, NAT and policy processing happen in this order: destination NAT, then a route lookup on the destination address, then the policy check, then source NAT. Given this order, note when configuring policies: the source address in a policy is the pre-translation source address, and the destination address is the post-translation destination address. In other words, a policy's source and destination addresses are the real IP addresses of the two endpoints. This differs from ScreenOS and needs care.
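The processing order just described, as an added Python model that is not part of the manual: session setup applies destination NAT, then the route lookup, then the policy check, then source NAT, which is why a policy written against the pre-translation destination address never matches. All addresses, routes, NAT mappings and policies in it are constructed.

```python
# Added example (not from the manual): the SRX session-setup order described above,
# dst NAT -> route lookup -> policy check -> src NAT, applied to single flows.
# All addresses, mappings, routes and policies here are constructed for illustration.
from ipaddress import ip_address, ip_network

DST_NAT = {"203.0.113.10": "10.1.2.2"}          # public address -> real trust host
ROUTES = {"10.1.2.0/24": "trust", "0.0.0.0/0": "untrust"}  # prefix -> egress zone
SRC_NAT = {"untrust": "203.0.113.1"}            # egress zone -> interface address used

def route_zone(dst):
    """Longest-prefix lookup on the (already translated) destination address."""
    best = max((ip_network(p) for p in ROUTES if ip_address(dst) in ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return ROUTES[str(best)] if best else None

def policy_action(policies, from_zone, to_zone, src, dst):
    """First-match lookup in the from-zone/to-zone context; no match means default deny."""
    for p in policies:
        if ((p["from"], p["to"]) == (from_zone, to_zone)
                and ip_address(src) in ip_network(p["src"])
                and ip_address(dst) in ip_network(p["dst"])):
            return p["action"]
    return "deny"

def setup_session(policies, from_zone, src, dst):
    """Post-NAT (src, dst) of a permitted flow, or None when the flow is dropped."""
    real_dst = DST_NAT.get(dst, dst)                        # 1. destination NAT
    to_zone = route_zone(real_dst)                          # 2. route lookup on real dst
    if to_zone is None:
        return None
    # 3. policy check sees the pre-translation source and the post-translation destination
    if policy_action(policies, from_zone, to_zone, src, real_dst) != "permit":
        return None
    return SRC_NAT.get(to_zone, src), real_dst              # 4. source NAT last

# Inbound policy written against the public address, as ScreenOS would expect it:
# the SRX policy lookup only ever sees the translated destination, so it never matches.
WRONG = [{"from": "untrust", "to": "trust", "src": "0.0.0.0/0",
          "dst": "203.0.113.10/32", "action": "permit"}]
# The same intent written with the real host address matches.
RIGHT = [{"from": "untrust", "to": "trust", "src": "0.0.0.0/0",
          "dst": "10.1.2.2/32", "action": "permit"}]
# Outbound policy: real source, any destination; source NAT happens after the check.
OUTBOUND = [{"from": "trust", "to": "untrust", "src": "10.1.2.0/24",
             "dst": "0.0.0.0/0", "action": "permit"}]
```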

SRXÖв»ÔÙʹÓÃMIP/VIP/DIPÕâЩ¸ÅÄÆäÖÐMIP±»Static¾²Ì¬µØÖ·×ª»»È¡´ú£¬Á½ÕßÔÚ¹¦ÄÜÉÏÍêȫһÖ£»DIP±»Source NATÈ¡´ú£»»ùÓÚPolicyµÄÄ¿µÄµØÖ·×ª»»¼°VIP±» Destination NATÈ¡´ú¡£ScreenOSÖлùÓÚUntrust zone½Ó¿ÚµÄÔ´µØÖ·×ª»»±»±£ÁôÏÂÀ´£¬µ«ÔÚSRXÖв»ÔÙÊÇȱʡģʽ£¨SRXÖÐTrust Zone½Ó¿ÚûÓÐNATģʽ¸ÅÄ£¬ÐèÒªÊÖ¹¤ÅäÖá£ÀàËÆScreenOS£¬StaticÊôÓÚË«ÏòNAT£¬ÆäËûÀàÐ;ùÊôÓÚµ¥ÏòNAT¡£

´ËÍ⣬SRX»¹¶àÁËÒ»¸öproxy-arp¸ÅÄÈç¹û¶¨ÒåµÄIP Pool£¨¿ÉÓÃÓÚÔ´»òÄ¿µÄµØÖ·×ª»»£©ÐèÅäÖÃSRX¶ÔÕâ¸öPoolÄڵĵØÖ·ÌṩARP´úÀí¹¦ÄÜ£¬ÕâÑù¶Ô¶ËÉ豸Äܹ»½âÎöµ½IP PoolµØÖ·µÄMACµØÖ·£¨Ê¹ÓýӿÚMACµØÖ·ÏìÓ¦¶Ô·½£©£¬ÒÔ±ãÓÚ·µ»Ø±¨ÎÄÄܹ»ËÍ´ïSRX¡£ÏÂÃæÊÇÅäÖþÙÀý¼°Ïà¹ØËµÃ÷£º

2.4.1 Interface based NAT (interface-based source NAT)

(Figure: lab topology, for reference only; the configuration below follows the lab topology.)

NATÅäÖãº

set security nat source rule-set 1 from zone trust        /*** source zone ***/
set security nat source rule-set 1 to zone untrust        /*** destination zone ***/

set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
/*** source and destination addresses or ranges to match; 0.0.0.0/0 means all ***/

set security nat source rule-set 1 rule rule1 then source-nat interface
/*** translate the source address to the egress interface IP ***/

The configuration above defines a source NAT rule: all traffic from the trust zone to the untrust zone is source-translated to the untrust-zone interface IP.

Policy configuration:

set security policies from-zone trust to-zone untrust policy 1 match source-address pc-1
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

The policy above permits the trust-zone address 10.1.2.2 to reach any address in the untrust direction; according to the NAT configuration above, the SRX performs interface-based source NAT automatically when the session is set up.

2.4.2 Pool based Source NAT (pool-based source NAT)

(Figure: lab topology, for reference only; the configuration below follows the lab topology.)

NATÅäÖãº

set security nat source pool pool-1 address 192.168.1.50 to 192.168.1.150
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust

set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

set security nat source rule-set 1 rule rule1 then source-nat pool pool-1

set security nat proxy-arp interface ge-0/0/0 address 192.168.1.50 to 192.168.1.150

The configuration above source-translates traffic from trust (any) to untrust (any) using the source pool pool-1 (192.168.1.50-192.168.1.150), and has the ge-0/0/0 interface answer ARP for the pool addresses. Note that a pool does not need to be associated with a zone or an interface when it is defined. proxy-arp is configured so that return packets reach the SRX; if the pool is not in the same subnet as the egress interface IP, the peer device must instead be given a route for the pool addresses pointing at the ge-0/0/0 interface.
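The on-link check behind that note, as an added Python helper that is not part of the manual: it decides whether the pool can be served by proxy-arp on the egress interface or whether the peer needs a route instead, and emits the matching proxy-arp command. The egress interface address is constructed; the pool range is the one from the example.

```python
# Added example (not from the manual): decide whether a NAT pool is reachable through
# proxy-arp on the egress interface, or whether the peer must route to it instead.
# The egress interface address is constructed; the pool range is the one used above.
from ipaddress import ip_address, ip_interface, summarize_address_range

def pool_reachability(pool_start, pool_end, egress_iface, iface_name):
    """('proxy-arp', command) when the whole pool lies in the egress interface subnet,
    ('route', prefixes) when the peer must instead route those prefixes to the SRX."""
    iface = ip_interface(egress_iface)
    start, end = ip_address(pool_start), ip_address(pool_end)
    if start > end:
        raise ValueError("pool start must not be above pool end")
    if start in iface.network and end in iface.network:
        # On-link pool: the SRX answers ARP for it with the interface MAC address
        cmd = (f"set security nat proxy-arp interface {iface_name} "
               f"address {start} to {end}")
        return "proxy-arp", cmd
    # Pool not entirely on-link: the peer never ARPs for it, so return traffic only
    # arrives if the peer routes the pool prefixes towards this interface
    return "route", [str(n) for n in summarize_address_range(start, end)]

# Constructed cases: the example pool on a /24 egress interface, and a pool in another subnet
ON_LINK = pool_reachability("192.168.1.50", "192.168.1.150", "192.168.1.1/24", "ge-0/0/0")
OFF_LINK = pool_reachability("192.168.2.0", "192.168.2.255", "192.168.1.1/24", "ge-0/0/0")
```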

Policy:

set security policies from-zone trust to-zone untrust policy 1 match source-address pc-1
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

The policy above permits the trust-zone address 10.1.2.2 to reach any address in the untrust direction; according to the NAT configuration above, the SRX performs pool-based source NAT automatically when the session is set up.

2.4.3 Pool based destination NAT (pool-based destination NAT)
