lab@240a# run show chassis cluster status
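e) Cancelling the cluster configuration
lab@Srx240a# set chassis cluster disable reboot
f) Upgrading the JSRP software version
The SRX does not currently support in-service software upgrade (ISSU), so the upgrade interrupts traffic. The upgrade steps are:
1. Upgrade node 0; do not reboot the system.
2. Upgrade node 1; do not reboot the system.
3. Reboot both systems at the same time.
g) Recovering a node in the disabled state
When the control port or fabric link fails, JSRP avoids a dual-master (split-brain) condition by putting the node that was secondary before the failure into the disabled state, in which every component except the RE stops working. To recover, that node must be rebooted.
2.8 Introduction to Web interface operation
2.9 Introduction to Screen configuration
2.8 Introduction to IDP and UTM configuration on the SRX Branch series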
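The SRX Branch series provides a complete set of unified threat management (UTM) services: intrusion prevention (IPS), antivirus, antispam, web filtering implemented through content filtering, and data-leak prevention, protecting your network against the latest content threats. Certain models also include a content security accelerator for high-performance IPS and antivirus. The branch-office SRX series integrates with other Juniper security products to provide enterprise-grade unified access control and adaptive threat management. These capabilities give security specialists powerful tools against cybercrime and data loss.
Before configuring IDP or UTM, you first need to know whether the device has licenses for the relevant features; the command below shows this. During testing my device's license had expired; the corresponding features simply could not be updated, and functional testing worked without problems. Because no NSM management platform was available during this test, the logs generated by IDP, UTM and similar features could not be collected and analysed.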
root# run show system license <displays each feature license and its expiry time>
If a license has expired, the following command also shows it:
root# run show system alarms
3 alarms currently active
Alarm time               Class  Description
2010-06-17 19:22:31 CST  Minor  License grace period for feature 28 expired
2010-06-17 19:22:31 CST  Minor  License grace period for feature 27 expired
2010-06-17 19:22:31 CST  Minor  License grace period for feature 25 expired
By default, the device is provided with a one-month trial license.
We begin with the IDP configuration.
Step 1: Request the license. For this step the device itself must be able to reach the Internet.
root# run request system license update trial
Step 2: Check the result of the license update.
root# run show system license
Step 3: Check for, download and install the IDP signature database update package <the device itself must be able to reach the Internet>
root# run request security idp security-package ? <download and install the update package>
Possible completions:
  download   Download security package (Package includes detector and deltas for attack table)
  install    Update attack database, active policy, detector with new package
Step 4: Check the download status, the version of the downloaded signature database, the update date and related information.
root# run request security idp security-package download status
In progress: Downloading ...
root# run request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1714(Wed Jun 16 14:41:19 2010, Detector=10.4.160100525)
root# run request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1714(Detector=10.4.160100525, Templates=2)
Step 5: Once the IDP signature database has been downloaded as above, it must be installed.
root# run request security idp security-package install ? <install the signature database and check the installation status>
Possible completions:
  <[Enter]>                    Execute this command
  policy-templates             Update previously installed policy-templates with newly downloaded ones
  status                       Retrieve the status of security package load operation
  update-attack-database-only  Don't update/push active policy or detector to data plane
  |                            Pipe through a command
Step 6: Configure the IDP policy and the security policy.
root# show security idp <configure the IDP policy and the security policy>
idp-policy juniper-srx-idp-test {
    rulebase-ips {
        rule 1 {
            match {
                source-address any;
                destination-address any;
                attacks {
                    predefined-attack-groups [ HTTP DNS ICMP UDP TCP ];
                }
            }
            then {
                action {
                    ignore-connection;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
active-policy juniper-srx-idp-test; <activates the IDP policy>
[edit]
root# show security policies
from-zone dmz to-zone untrust {
    policy d-u {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp; <enables IDP for this policy>
                }
            }
            log {
                session-init;
Step 7: Commands for checking the operating status of IDP.
root# run show security idp ?
Possible completions:
  application-identification  Show IDP application identification data
  application-statistics      Show IDP application statistics
  attack                      Show IDP attack data
  counters                    Show IDP counters
  memory                      Show IDP data plane memory statistics
  policies                    Show the list of currently installed policies
  policy-templates-list       Show available policy templates
  security-package-version    Show the version of currently installed security-package
  status                      Show IDP status
root# run show security idp status
State of IDP: 2-default, Up since: 2010-01-19 23:23:21 CST (21:59:39 ago)
Packets/second: 281 Peak: 2703 @ 2010-01-20 20:15:34 CST
KBits/second : 280 Peak: 10097 @ 2010-01-20 20:15:34 CST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
  [ICMP: 2210497] [TCP: 11918] [UDP: 2419330] [Other: 0]
Flow Statistics:
  ICMP: [Current: 1218] [Max: 2278 @ 2010-01-20 21:22:37 CST]
  TCP: [Current: 40] [Max: 138 @ 2010-01-20 19:14:02 CST]
  UDP: [Current: 16] [Max: 434 @ 2010-01-20 19:15:48 CST]
  Other: [Current: 0] [Max: 0 @ 2010-01-19 23:23:21 CST]
Session Statistics:
  [ICMP: 609] [TCP: 20] [UDP: 8] [Other: 0]
Policy Name : juniper-srx-idp-test v0 <key item: check here that the IDP policy is active and running>
Running Detector Version : 10.2.160091104 <detector version currently in use>
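Added example (not part of the original guide and not Juniper code): a Python check for steps 6 and 7 that parses a brace-format configuration and the status output, then reports whether the active-policy is defined and loaded, whether any rule uses an action that never blocks, and whether a security policy enables IDP. The sample input is constructed and the names parse, find, audit and PASSIVE are assumptions of this example; in Junos, ignore-connection stops inspecting the rest of the flow rather than dropping it.

```python
import re

# Constructed sample input shaped like the step 6 configuration and step 7 status output.
CONFIG = """security {
    idp {
        idp-policy juniper-srx-idp-test { rulebase-ips { rule 1 { then { action { ignore-connection; } } } } }
        active-policy juniper-srx-idp-test;
    }
    policies { from-zone dmz to-zone untrust { policy d-u { then { permit { application-services { idp; } } } } } }
}"""
STATUS = "Policy Name : juniper-srx-idp-test v0\nRunning Detector Version : 10.2.160091104"
PASSIVE = {"no-action", "ignore-connection"}  # IDP actions that never drop or close a flow

def parse(text):
    """Parse curly-brace Junos configuration into nested dicts; leaf statements map to None."""
    stack = [{}]
    for stmt, sep in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if sep == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif sep == "}":
            stack.pop()
        elif stmt:
            stack[-1][stmt] = None
    return stack[0]

def find(node, key):
    """Yield every subtree stored under `key`, at any depth."""
    for k, v in (node or {}).items():
        if k == key:
            yield v
        yield from find(v, key)

def audit(config, status):
    """Return findings for the IDP setup: policy defined, loaded, blocking, and applied."""
    sec = parse(config).get("security", {})
    idp = sec.get("idp", {})
    active = next((k.split()[1] for k in idp if k.startswith("active-policy ")), None)
    out = []
    if f"idp-policy {active}" not in idp:
        out.append("active-policy does not name a defined idp-policy")
    loaded = re.search(r"Policy Name\s*:\s*(\S+)", status)
    if not loaded or loaded.group(1) != active:
        out.append("policy loaded on the data plane is not the active-policy")
    for name, rule in (idp.get(f"idp-policy {active}") or {}).get("rulebase-ips", {}).items():
        for act in sorted(PASSIVE & set((rule or {}).get("then", {}).get("action", {}))):
            out.append(f"{name}: action {act} never blocks the attack")
    if not any("idp" in (s or {}) for s in find(sec.get("policies"), "application-services")):
        out.append("no security policy enables application-services idp")
    return out
```

Run against the sample, audit(CONFIG, STATUS) reports only the ignore-connection rule; swapping the action for drop-connection clears the finding.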
Next we introduce the configuration of the web-filtering feature in UTM.
The web filtering that the Juniper SRX Branch series can perform covers the following:
The web-filtering feature can filter websites involving the information above, effectively improving office productivity in the enterprise.
A simple example: internal users are not allowed to visit any news-related website, but may visit news.163.com; the Kaixin site is not allowed; other types of website remain accessible <sports, 51JOB, etc.>
First, we again need to check that the device's license and signature database are up to date <as in the IDP procedure above; not repeated here>
Step 1: Request the license. For this step the device itself must be able to reach the Internet.
root# run request system license update trial
Step 2: Check the result of the license update.
root# run show system license
Step 3: Configure the UTM web-filtering policy and the security policy.
root# show security utm
custom-objects {
    url-pattern {
        badsite-1 {
            value www.kaixin001.com;
        }
        goodsite-1 {
            value news.163.com;
        }
    }
    custom-url-category {
        bad-site {
            value badsite-1;
        }
        good-site {
            value goodsite-1;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist good-site;
        url-blacklist bad-site;