Firewall

Juniper Networks SRX210 firewall problem

  • May 12, 2013

Juniper newbie.

Okay, I've been messing around with the web interface on the SRX210 firewall for a few hours now, and it looks like I need some specific help.

So the overall architecture is that I have a router connecting a remote office to the local office. I want the FW to sit between the local router and the LAN switch and do IP filtering only on traffic entering and leaving the local office LAN. The only traffic that should reach the remote link is traffic destined for the remote network, and vice versa.

The FW would only be there in case the remote machines somehow got hacked. Not likely, but the firewall needs to be installed just in case.

I've set up a few policies under the security settings to allow the trusted and untrusted zones to talk to each other based on the networks listed in the FW address book.

I have a
Trusted to Untrusted Any to Any permit
Untrusted to Trusted [remote network] to local permit
[Ed: removed] Untrusted to Trusted Any to Any Deny

I've set up two ports on the FW, f/02 and f/03, set to ethernet mode access with no VLAN, with f/02 as trusted and f/03 as untrusted.

I figured anything coming in or going out of those ports should be filtered according to the policy filters.

It isn't happening though. I have two laptops plugged into the two ports, I set their IPs to a network different from the allowed ones, and they can still ping back and forth.

Since I have no experience with Juniper FWs or any firewall other than crappy home stuff, do you guys have any ideas what I've missed?

Thanks.

[Edit: Okay, I reset to factory defaults and followed along in one of the Juniper set-up guides but it still doesn't work. Here's the config file below. I'm doing the config via the web-interface so if any feedback could reference that instead of CLI that would help me more…one less thing I need to learn in order to make it work.]

## Last changed: 2013-04-18 15:36:25 PDT
version 11.2R4.3;
system {
    host-name Office;
    time-zone *************;
    root-authentication {
        encrypted-password "*********************";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description Remote_Side;
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description Local_Side;
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.1.0.254;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy InBound {
                match {
                    source-address Remote;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                fe-0/0/3.0;
            }
        }
        security-zone untrust {
            address-book {
                address Remote 175.17.1.0/24;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                fe-0/0/2.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

You haven't assigned a VLAN to fe-0/0/2 or fe-0/0/3, so both are in the default VLAN and will simply switch traffic between each other without the SRX intervening.

You actually need to make the SRX an IP router for it to do its job. The SRX does have a "transparent mode", but I don't recommend it.

If you only need one port per side, you can skip VLANs and configure the ports manually. Whichever route you take, don't forget to add the ports to the security zones.

Source: https://serverfault.com/questions/500337
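As an added example that is not from the post or the answer, here is a Junos configuration fragment that does what the answer describes: fe-0/0/2 and fe-0/0/3 become routed `family inet` ports instead of switch ports (replacing their `ethernet-switching` stanzas), each lands in its zone, a static route points the remote network at the remote-office router, and the policies permit only local-to-remote and remote-to-local traffic, with the SRX's implicit default policy denying everything else. The 10.1.0.0/24 transit subnet, the 192.168.10.0/24 LAN subnet, the address `Local` and the policy names are assumptions; 175.17.1.0/24 and the 10.1.0.254 next hop are taken from the posted config.

```junos
interfaces {
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.1.0.1/24;        # assumed transit subnet toward the remote-office router
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;    # assumed local LAN subnet; this becomes the LAN's gateway
            }
        }
    }
}
routing-options {
    static {
        route 175.17.1.0/24 next-hop 10.1.0.254;   # remote network reached via the router on fe-0/0/2
    }
}
security {
    zones {
        security-zone trust {
            address-book { address Local 192.168.10.0/24; }    # assumed local LAN
            interfaces { fe-0/0/3.0; }
        }
        security-zone untrust {
            address-book { address Remote 175.17.1.0/24; }     # remote network from the posted config
            interfaces { fe-0/0/2.0; }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy Local-to-Remote {
                match { source-address Local; destination-address Remote; application any; }
                then { permit; }
            }
        }
        from-zone untrust to-zone trust {
            policy Remote-to-Local {
                match { source-address Remote; destination-address Local; application any; }
                then { permit; }
            }
        }
    }
}
```

Note that the posted `source-nat interface` rule-set from trust to untrust would also rewrite the local LAN's addresses on the way to the remote site, which is usually unwanted on a site-to-site link; and the two laptops in the test must use addresses in these subnets with the SRX as their gateway, since they are no longer on one switched segment.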