Juniper防火墙中文配置解释对照表.xls

参参数数命命令令 时区设置 set clock dst off set clock ntp set clock timezone 8 set ntp server x x x x set ntp server backup1 x x x x set ntp server backup2 x x x x set ntp max adjustment 0 虚拟路由器设置 set vrouter trust vr sharable unset vrouter trust vr auto route export ALG unset alg sip enable unset alg mgcp enable unset alg sccp enable unset alg sunrpc enable unset alg msrpc enable unset alg rtsp enable unset alg h323 enable 认证和管理员属性 set auth server Local id 0 set auth server Local server name Local set auth server XXXX id 1 set auth server XXXX server name x x x x set auth server XXXX account type admin set auth default auth server Local set auth server XXXX radius secret xxxx set auth server ACS radius port 1646 set admin name ccb set admin password xxxxxxxxx set admin manager ip x x x x x x x x set admin auth timeout 10 set admin auth server XXXX set admin auth banner console login Access is ly set admin privilege get external set admin format dos ZONE设置 set zone Trust vrouter untrust vr set zone Untrust vrouter untrust vr set zone DMZ vrouter untrust vr unset zone Trust tcp rst set zone Trust block unset zone Untrust tcp rst set zone Untrust block set zone Untrust screen tear drop set zone Untrust screen syn flood set zone Untrust screen ping death set zone Untrust screen ip filter src 认证和管理员属性 set zone Untrust screen land set zone Untrust screen alarm without drop 接口设置 set interface ethernet1 1 zone xxx set interface ethernet1 1 ip x x x x x set interface ethernet1 1 route set interface ethernet1 1 manage ip set interface ethernet1 1 ip manageable set interface ethernet1 1 manage xxxx Flow设置 unset flow tcp syn check set flow tcp syn bit check set flow syn proxy syn cookie set flow reverse route clear text pefer set flow reverse route tunnel always set flow no tcp seq check HA设置 set nsrp cluster id 1 set nsrp rto mirror sync set nsrp rto mirror session ageout ack unset nsrp rto mirror session ping set nsrp vsd group id 0 priority 20 set nsrp vsd group id 0 monitor interface ethernet1 1 set nsrp monitor track ip ip set nsrp monitor track ip ip x x x x threshold 10 set nsrp vsd group master always exist ZONE设置 set ntp no ha sync SYSLOG set syslog enable set syslog config x x x x set syslog config x x x x facilities local0 local0 SNMP set snmp community xxx Read Only Trap on version v1 set snmp host bbb y y y y 255 255 255 255 trap v2 set snmp name xxxx set snmp port listen 161 set snmp port trap 162 VPN set pki authority default scep mode auto set pki x509 default cert path partial set ike respond bad spi 1 unset ike ikeid enumeration unset ike dos protection unset ipsec access session enable set ipsec access session maximum 5000 set ipsec access session upper threshold 0 set ipsec access session lower threshold 0 set ipsec access session dead p2 sa timeout 0 unset ipsec access session log error unset ipsec access session info exch connected unset ipsec access session use error log set interface tunnel 1 zone untrust set interface tunnel 1 ip unnumbered interface ethernet3 set ike gateway To Paris address 2 2 2 2 main outgoing interface ethernet3 preshare h1p8A24nG5 proposal pre g2 3des sha set vpn Tokyo Paris gateway To Paris sec level compatible set vpn Tokyo Paris bind interface tunnel 1 set vpn Tokyo Paris proxy id local ip 10 1 1 0 24 remote ip 10 2 2 0 24 any HA设置 w webeb Configuration Date Time Configuration Date Time Configuration Date Time Set Time Zone hours minutes from GMT Configuration Date Time Primary Server IP Name X X X X Configuration Date Time Backup Server1 IP Name X X X X Configuration Date Time Backup Server2 IP Name X X X X Configuration Date Time Automatically synchronize with an Internet Time Server NTP 选择 Maximum time adjustment seconds 0 Network Routing Virtual Routers Edit 对于 trust vr Shared and accessible by other vsys 选择 Network Routing Virtual Router Edit 对于 trust vr 取消选择 Auto Export Route to Untrust VR 然 后单击 OK Security ALG Basic 取消选中 Security ALG Basic 取消选中 Security ALG Basic 取消选中 Security ALG Basic 取消选中 Security ALG Basic 取消选中 Security ALG Basic 取消选中 Security ALG Basic 取消选中 Configuration Auth Auth Servers 系统默认 Configuration Auth Auth Servers 系统默认 Configuration Auth Auth Servers new Configuration Auth Auth Servers new Configuration Auth Auth Servers new Configuration Auth Auth Servers 系统默认 Configuration Auth Auth Servers new 要选中RADIUS Configuration Auth Auth Servers new 要选中RADIUS Configuration Admin Administrators new Configuration Admin Administrators new Configuration Auth Auth Servers new Configuration Admin Administrators new Configuration Admin Banners Network Zones Edit 对于Trust Network Zones Edit 对于unrust Network Zones Edit 对于DMZ Network Zones Edit 对于Trust 取消选中If TCP non SYN send RESET back Network Zones Edit 对于Trust 选中Block Intra Zone Traffic Network Zones Edit 对于Untrust 取消选中If TCP non SYN send RESET back Network Zones Edit 对于Untrust 选中Block Intra Zone Traffic Security Screening Screen 对于Untrust 选中Teardrop Attack Protection Security Screening Screen 对于Untrust 选中SYN Flood Protection Security Screening Screen 对于Untrust 选中Ping of Death Attack Protection Security Screening Screen 对于Untrust 选中IP Source Route Option Filter Security Screening Screen 对于Untrust 选中Land Attack Protection Security Screening Screen 对于Untrust 选中Generate Alarms without Dropping Packet Network Interfaces Edit 对于接 口E1 1 选择zone name Network Interfaces Edit 对于接 口E1 1 输入IP mask Network Interfaces Edit 对于接 口E1 1 Interface Mode选中ROUTE Network Interfaces Edit 对于接 口E1 1 输入Manage IP Network Interfaces Edit 对于接 口E1 1 选中Manageable Network Interfaces Edit 对于接 口E1 1 选中需要管理的服务 Screening Screen Screening Screen Security Screening Flow Protection Screening Screen Screening Screen Screening Screen Network NSRP Cluster Network NSRP Network NSRP Network NSRP Network NSRP VSD Group Configuration Network NSRP VSD Group Configuration Network NSRP Monitor Network NSRP Network NSRP Network NSRP Synchronization Configuration Report Settings Syslog Configuration Report Settings Syslog Configuration Report Settings Syslog Configuration Report Settings SNMP New Community Configuration Report Settings SNMP Configuration Report Settings SNMP Configuration Report Settings SNMP Configuration Report Settings SNMP Objects Certificates New Objects Certificates New Network Zones Edit Network Zones Edit VPNs AutoKey Advanced Gateway new VPNs AutoKey IKE Edit VPNs AutoKey IKE Edit VPNs AutoKey IKE Edit unset ipsec access session info exch connected 解解释释 关闭夏时制 启用ntp服务 设置防火墙时区为东8区 北京时间为东8时区 设置ntp服务器地址 设置备份ntp服务器地址 设置备份ntp服务器地址 允许任意时钟误差情况下都进行时间更新 设置trust vr虚拟路由器为共享路由器 trust vr作为根虚拟路由器 可以被其它虚拟系 统 VSYS 访问 关闭将trust vr中接口路由自动导入到Untrust vr中 系统默认 关闭会话初始协议 SIP 的应用层网关功能 关闭媒体网关控制协议 MGCP 的应用层网关功能 关闭瘦客户端呼叫控制协议 SCCP 的应用层网关功能 关闭SUN远程进程调用 SUNRPC 的应用层网关功能 关闭微软远程进程调用 MSRPC 的应用层网关功能 关闭实时流媒体协议 RTSP 的应用层网关功能 关闭H 323协议应用层网关功能 设置本地认证服器的ID 为0 系统默认 设置本地认证服器的名字为local 系统默认 设置ACS认证服器的ID 为1 设置ACS认证服器IP地址 设置ACS认证服器的帐号类型为管理员 设置默认的认证服务器为本地 系统默认 设置ACS认证服器共享密钥 设置认证服器通讯端口 设置登录防火墙的管理员名称 设置登录防火墙的超级用户名的密码 设置可管理防火墙主机的网段地址 设置管理员登录防火墙WEB页面时的超时时间 系统默认 设置管理员认证服务器的名称 设置用户使用TELNET和SSH登录防火墙时看到的标识语 设置防火墙管理员的权限以RADIUS服务器为准 设置防火墙产生的配置文件的格式为DOS格式 系统默认 设置trust区域归属于untrust虚拟路由器 设置untrust区域归属于untrust虚拟路由器 设置DMZ区域归属于untrust虚拟路由器 设置 Trust区域关闭tcp rst功能 当防火墙收到第一个报文不带有syn标志位时 防火墙 不再向源端发送reset报文 设置 trust区域开启Block功能 当多个接口均位于Untrust区域时 接口间的流量必需经 Policy明确允许才能通过防火墙 设置 Trust区域关闭tcp rst功能 如要启用 当防火墙收到第一个报文不带有syn标志位 时 防火墙给源端发送reset报文 对Untrust Zone为系统默认 设置 trust区域开启Block功能 当多个接口均位于Untrust区域时 接口间的流量必需经 Policy明确允许才能通过防火墙 对Untrust Zone为系统默认 Untrust区域开启tear drop泪滴攻击防御功能 对Untrust Zone为系统默认 Untrust区域开启syn flood攻击防御功能 对Untrust Zone为系统默认 Untrust区域开启ping death攻击防御功能 对Untrust Zone为系统默认 Untrust区域开启ip filter src攻击防御功能 对Untrust Zone为系统默认 Untrust区域开启Land陆地攻击防御功能 对Untrust Zone为系统默认 Untrust区域Screen启用只告警不丢包功能 设置接口所属ZONE 设置e1 1接口IP地址 设置接口为路由模式 设置接口的管理IP地址 设置接口允许管理 设置接口的管理服务方式 仅内网口建议开启管理服务 关闭防火墙在查找policy前检查该首包是否带有Syn标志位 如没有则丢弃该报文功能 建议用set flow tcp syn bit check来打开Syn检查功能 防火墙在查找policy前检查该首包是否带有Syn标志位 如没有则丢弃该报文功能 设置防火墙采用syn cookie方式防御针对目的地址 端口号的syn flood攻击 设置防火墙建立会话前需要进行反向路由查找 如果有路由 使用路由做返回消息通道 如果没有路由 则使用