When the integration is working, the UAC home page is displayed as follows:
Step 4: Configure unified-access-control on the SRX device, as follows:

    lab# show services unified-access-control
    infranet-controller ic-1 {
        address 20.1.1.20;          ## IP address of the UAC device
        interface fe-0/0/1.0;       ## interface used to communicate with the UAC device
        password \                  ## shared secret for the SRX-UAC integration
    }
Step 5: On the SRX device, enable the UAC authentication policy function on every security policy that must integrate with the UAC device:

    set security policies from-zone trust to-zone untrust policy t-u then permit application-services uac-policy
Step 6: Check the unified-access-control status on the SRX device, as follows:

    lab# run show services unified-access-control authentication-table        ## user authentication table
    Id    Source IP     Username    Age    Role identifier
    2     20.1.1.100    test2       0      0000000001.000005.0
    Total: 1
    [edit]

    lab# run show services unified-access-control policies detail             ## policies pushed to the device by the UAC
    Identifier: 1
      Resource: icmp://*:*
      Resource: tcp://*:*
      Resource: udp://*:*
      Action: allow
      Apply: all
    Total: 1
    [edit]

    lab# run show services unified-access-control status                      ## state of the connection between the SRX and the UAC device
    Host    Address      Port     Interface     State
    ic-1    20.1.1.20    11123    fe-0/0/1.0    connected
Page 41 of 52
2.10 SRX Branch Series FLOW Configuration Notes
    root# set security flow ?
    Possible completions:
    > aging                        Aging configuration
      allow-dns-reply              Allow unmatched incoming DNS reply packet
    + apply-groups                 Groups from which to inherit configuration data
    + apply-groups-except          Don't inherit configuration data from these groups
      route-change-timeout         Timeout value for route change to nonexistent route (6..1800 seconds)
      syn-flood-protection-mode    TCP SYN flood protection mode
    > tcp-mss                      TCP maximum segment size configuration
    > tcp-session                  Transmission Control Protocol session configuration
    > traceoptions                 Trace options for flow services
    [edit]

    root# set security flow syn-flood-protection-mode ?        ## configure SYN flood attack protection
    Possible completions:
      syn-cookie                   Enable SYN cookie protection
      syn-proxy                    Enable SYN proxy protection
    [edit]

    root# set security flow tcp-session ?                      ## configure tcp-session parameters
    Possible completions:
    + apply-groups                 Groups from which to inherit configuration data
    + apply-groups-except          Don't inherit configuration data from these groups
      no-sequence-check            Disable sequence-number checking
      no-syn-check                 Disable creation-time SYN-flag check
      no-syn-check-in-tunnel       Disable creation-time SYN-flag check for tunnel packets
      rst-invalidate-session       Immediately end session on receipt of reset (RST) segment
      rst-sequence-check           Check sequence number in reset (RST) segment
      strict-syn-check             Enable strict syn check
      tcp-initial-timeout          Timeout for TCP session when initialization fails (20..300 seconds)
    [edit]

    root# set security flow tcp-mss ?                          ## configure TCP MSS parameters
    Possible completions:
    > all-tcp                      Enable MSS override for all packets
    + apply-groups                 Groups from which to inherit configuration data
    + apply-groups-except          Don't inherit configuration data from these groups
    > gre-in                       Enable MSS override for all GRE packets coming out of an IPSec tunnel
    > gre-out                      Enable MSS override for all GRE packets entering an IPsec tunnel
    > ipsec-vpn                    Enable MSS override for all packets entering IPSec tunnel
    [edit]
2.11 SRX Branch Series SCREEN Attack Protection Configuration Notes

Juniper SRX series firewalls protect the network by first inspecting every connection attempt that asks to cross from one security zone to another, and then permitting or denying it. For each security zone, and for the MGT zone, a set of predefined SCREEN options can be enabled that detect and block the various kinds of traffic the security device determines to be potentially harmful.

SCREEN options protect a zone by inspecting every connection attempt that must pass through an interface bound to that zone, and then permitting or denying it. The security device then applies the firewall policies, which may include content filtering and intrusion detection and prevention (IDP) components for the traffic that has passed the SCREEN filters.

Below is an example of configuring a SCREEN and applying it to the external untrust zone. The configuration commands are as follows:
    root# show security screen
    ids-option juniper-srx-screen-test {
        alarm-without-drop;                 ## log the attack only, do not drop it (optional)
        icmp {
            ip-sweep threshold 1000;
            fragment;
            flood threshold 100;
        }
        ip {
            bad-option;
            spoofing;
            tear-drop;
        }
        tcp {
            syn-frag;
            port-scan threshold 1000;       ## port-scan trigger value: 1000 scan attempts per second
            land;
            winnuke;
        }
        udp {
            flood threshold 100;            ## UDP flood trigger value: 100 packets per second
        }
        limit-session {
            source-ip-based 128;            ## session limit per source IP address
            destination-ip-based 128;       ## session limit per destination IP address
        }
    }
    [edit]

    root# show security zones security-zone untrust
    screen juniper-srx-screen-test;         ## apply the screen defined above to the untrust zone
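As an added example (not part of this guide), the following Python script parses the Junos curly-brace syntax shown above and audits it from a defender's side: it flags any ids-option that uses alarm-without-drop (attacks are logged but never dropped), any zone with no screen applied, and any zone whose screen references an ids-option that is not defined. The configuration embedded in the script is constructed for the example; the tcp-session, udp and ip stanzas are omitted for brevity.

```python
import re
# Constructed sample in the guide's Junos syntax (not from a device): this section's screen on untrust, plus two misconfigured zones.
SAMPLE = """
security {
    screen {
        ids-option juniper-srx-screen-test {
            alarm-without-drop;
            icmp { ip-sweep threshold 1000; flood threshold 100; }
        }
    }
    zones {
        security-zone untrust { screen juniper-srx-screen-test; }
        security-zone trust { screen no-such-option; }
        security-zone dmz { }
    }
}
"""
def parse_junos(text):
    # Nested dicts: "a b {" opens stanza "a b"; "x y z;" stores cur["x"] = "y z" (None when bare).
    root = cur = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            cur[" ".join(words)] = new = {}
            stack.append(cur)
            cur, words = new, []
        elif tok == ";":
            cur[words[0]] = " ".join(words[1:]) or None
            words = []
        elif tok == "}":
            cur = stack.pop()
        else:
            words.append(tok)
    return root

def audit(cfg):
    # Flag screens that only log, zones with no screen, and zones pointing at an undefined ids-option.
    sec = cfg.get("security", {})
    options = {k.split()[1]: v for k, v in sec.get("screen", {}).items() if k.startswith("ids-option ")}
    findings = []
    for name, body in options.items():
        if "alarm-without-drop" in body:
            findings.append(f"ids-option {name}: alarm-without-drop set, attacks are logged but never dropped")
    for zone, body in sec.get("zones", {}).items():
        zname, screen = zone.split()[1], body.get("screen")
        if screen is None:
            findings.append(f"zone {zname}: no screen applied")
        elif screen not in options:
            findings.append(f"zone {zname}: screen {screen} is not a defined ids-option")
    return findings
```

Run `audit(parse_junos(text))` on the output of `show security` copied from the device; an empty list means every zone carries a defined screen that actually drops.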
2.12 SRX Branch Series J-Web Operation Overview

Juniper SRX series firewalls provide a web-based management interface (J-Web), which is organized into the following main categories:

1. Home page (real-time monitoring of system status)
2. Configuration pages (configuration of firewall features such as policies, VPN, NAT and routing)
3. Monitoring pages (status monitoring of each firewall feature, interface traffic monitoring, etc.)
4. Maintenance pages (routine firewall maintenance, such as software upgrades)
5. Troubleshooting pages (routine troubleshooting, such as packet capture, ping and traceroute)

Screenshots of each category of page follow:

Login page