Juniper Firewall Management (slide deck "Juniper-防火墙的管理.ppt", 54 slides)
Slide 1: Firewall management

Slide 2: Objectives
  - Introduce firewall management
  - Manage the firewall through the console cable and over the network
  - Configure administrator settings and options
  - Configure management communication between the firewall and third-party devices
  - License management
  - Management of the firewall's configuration file and software upgrades
  - Disaster recovery management

Slide 3: System components
  All critical system functions run in memory. The firewall's configuration can be modified through the console cable and through the WebUI.
  Diagram: RAM holds Tables, Buffers, Running Config and ScreenOS (active); Flash holds the ScreenOS Image, Saved Config, Certs, etc.; three interfaces (Interf.) connect the NetScreen device to TFTP, PwrUp/Reset, Aux. Storage, the WebUI, Aux. Mgt. Servers (DNS/Syslog) and the Console; the arrows are labelled "Get" and "Set".

Slide 4: Establishing a console connection
  The firewall can be reached through a physical console cable. Advantages of the console cable:
  - Direct connection to the firewall, good security
  - Configuration can be completed without a network connection
  - No IP address required
  - Boot messages are visible
  - Real-time debug or snoop output is visible
  Diagram: NetScreen Device, Console Port

Slide 5: Command line interface
  Log in to the firewall from a terminal with the default credentials:
    login: netscreen
    password: netscreen
  The command line interface (CLI) is the default mode.
  - Use Up and Down Arrow keys to recall previous commands
  - Use CTL-A to move to the beginning of a command line
  - Use CTL-E to move to the end of a command line
  - Use Left and Right Arrow keys to position the cursor when editing commands
  - Use TAB for command completion
  Help facility available:
  - Use ? to display options
  - Use ? at the prompt for commands
  - Use ? within a command for parameters

Slide 6: Command help in the CLI
    ns208-> ?
    clear        clear dynamic system info
    exec         exec system commands
    exit         exit command console
    get          get system information
    ping         ping other host
    reset        reset system
    save         save command
    set          configure system parameters
    trace-route  trace route
    unset        unconfigure system parameters
  Entering a question mark gives real-time help: the left column shows the command, the right column its description.

Slide 7: Displaying status information - CLI
    ns208-> get system
    Product Name: NS208
    Serial Number: 0043042002000034, Control Number: 00000000
    Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.0.0.0, Type: Firewall+VPN
    Base Mac: 0010.db1d.1c30
    File Name: n200-LAS0z0ad, Checksum: 00000000
    Date 04/15/2003 22:06:53, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39
    Total Device Resets: 0
    System in NAT/route mode.
    Use interface IP, Config Port: 80
    User Name: netscreen
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      *ip 1.1.1.1/24   mac 0010.db1d.1c30
      *manage ip 1.1.1.1, mac 0010.db1d.1c30
    --more--
  In the CLI, get commands provide valuable status about operational conditions:
  - System serial number
  - Software version
  - Operating mode
  - Interface status
  - Interface address
  - Management addresses

Slide 8: Graphical interface - WebUI
  The NetScreen firewall can be managed through a graphical interface. Requirements (i.e. one IP address):
  - A PC on the same network segment as the firewall
  - Password protection

Slide 9: Initial configuration wizard
  A new device can be configured through the initial configuration wizard; the wizard can also be skipped and the device configured manually.

Slide 10: Initial configuration wizard
  When initialization is complete, the system presents the resulting configuration information to the user.

Slide 11: WebUI main page
  Displays information similar to get system output.

Slide 12: WebUI Java menu
  Navigation in the category selection panel can be accomplished using Java link format.

Slide 13: Configuring administrator access - overview
  - Configure an IP address for communication:
      Assign address
      Management services
      Manage-IP addresses (optional)
  - Change the root administrator password
  - Create system administrators
  - Administrator options:
      Timeouts
      Manager-IP addresses

Slide 14: Interface configuration steps
  - Assign the interface to a security zone
  - Define the L3 IP address

Slide 15: Zone and interface assignment
  A strict hierarchical linkage exists between zones and interfaces in a NetScreen device:
  - Zones are assigned to a virtual router
  - Interfaces are assigned to a security zone
  - An interface can only belong to one security zone
  - Individual configuration parameters are assigned to interfaces: IP addresses, management services, others
  Diagram: IP -> Int. -> Zone -> Virtual Router

Slide 16: Zone types
  Security zones:
  - Pre-defined: Trust, Untrust, DMZ; V1-Trust, V1-Untrust, V1-DMZ
  - User-defined
  - Tunnel zone
  Function zones: Null, MGT, HA, Self, VLAN
    ns5gt-> get zone
    Total 10 zones created in vsys Root - 5 are policy configurable.
    Total policy configurable zones for Root is 5.
    --------------------------------------------------------------------
      ID Name          Type     Attr    VR          Default-IF   VSYS
       0 Null          Null     Shared  untrust-vr  hidden       Root
       1 Untrust       Sec(L3)  Shared  trust-vr    untrust      Root
       2 Trust         Sec(L3)          trust-vr    trust        Root
       4 Self          Func             trust-vr    self         Root
       5 MGT           Func             trust-vr    null         Root
      10 Global        Sec(L3)          trust-vr    null         Root
      11 V1-Untrust    Sec(L2)          trust-vr    v1-untrust   Root
      12 V1-Trust      Sec(L2)          trust-vr    v1-trust     Root
      14 VLAN          Func             trust-vr    vlan1        Root
      16 Untrust-Tun   Tun              trust-vr    hidden.1     Root
    --------------------------------------------------------------------

Slide 17: Configuring Zones/Interfaces - WebUI
  Network > Interfaces (edit)

Slide 18: Configuring Zones/Interfaces - CLI
  An interface must belong to a security zone before it can be assigned an IP address.
    set interface <name> zone <zone-name>
    set interface <name> ip <ip-address>/<mask>
    ns208-> set interface e1 zone trust
    ns208-> set interface e1 ip 1.1.1.1/24

Slide 19: Management services - WebUI
  The default depends on the zone assignment:
  - Trust zone: all services enabled
  - Any other zone: all services disabled
  Network > Interfaces > Edit

Slide 20: Management Services - CLI
    set interface <name> manage <service>
    ns208-> set interface e1 manage ping
    ns208-> set interface e1 manage web
  Enable all services:
    ns208-> set interface e1 manage
  If no management service is specified in the command, all management services are allowed.

Slide 21: Manage-IP Address
  A separate IP address specifically for management.
    set interface <name> manage-ip <ip-address>
    set interface e1 manage-ip 1.1.1.250
  Network > Interfaces > Edit

Slide 22: Verifying the interface configuration - WebUI
  Network > Interfaces > Edit

Slide 23: Verifying the interface configuration - CLI
    ns208-> get interface e1
    Interface ethernet1:
      number 0, if_info 0, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp disabled
      ip 1.1.1.1/24   mac 0010.db1d.1c30
      manage ip 1.1.1.3, mac 0010.db1d.1c30
      ping enabled, telnet enabled, SSH enabled, SNMP enabled, web enabled, ident-reset disabled, SSL enabled
      webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled
      DHCP-Relay disabled
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps

Slide 24: Device administrators
  The NetScreen firewall can be managed by administrators of different levels:
  - Root admin, defined by the ScreenOS
  - Local admin, created by the Root account
  Configuration > Admin > Administrators (click to create a new Local Administrator; click to view settings for the Root account)

Slide 25: Changing the root administrator's user name and password
  Configuration > Admin > Administrators
    set admin name <name>
    set admin password <password>

Slide 26: Creating system administrators
  Configuration > Admin > Administrators
    set admin user <name> password <password> privilege all|read-only

Slide 27: Verifying administrator information - WebUI
  Configuration > Admin > Administrators

Slide 28: Verifying administrators - CLI
    ns208-> get admin user
    Name            Privilege
    ---------------------------
    netscreen       Root
    IT-Admin-10     Read-Write
    IT-Admin-20     Read-Write
    Admin-Mktg      Read-Only

    ns208-> get admin ssh all
    Admin Name      SSH PWA enabled   SSH PKA keys
    ----------------------------------------------
    netscreen       yes               0
    IT-Admin-10     yes               0
    IT-Admin-20     yes               0
    Admin-Mktg      no                0

Slide 29: Timeout - Console
  - Management via the console port is protected by an idle timeout
  - Default value is 10 minutes
  - Disable by setting timeout to 0
    set console timeout <minutes>
    ns208-> set console timeout 5

Slide 30: Timeout - WebUI
    set admin auth timeout <minutes>
  Configurati
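The interface-management slides above (zone assignment, per-interface management services, manage-ip, and the get interface e1 verification output) describe the settings an administrator reviews after configuration. As an added, defender-side example that is not part of the deck or of ScreenOS, the Python below parses the get interface output format shown on slide 23 and reports what is worth a second look: management services enabled on an interface outside the Trust zone (the deck states the default leaves them off there), cleartext telnet or web enabled where SSH or SSL are the encrypted alternatives, and a manage-ip that is simply the interface's own address (as in the slide 7 output before a dedicated manage-ip was set). The first sample is the deck's ethernet1 output trimmed to the lines the audit reads; the second (ethernet3 in the Untrust zone, 203.0.113.2) and all function names are my own constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: the deck's "get interface e1" output (slide 23),
# trimmed to the lines the audit reads.
SAMPLE_GET_INTERFACE = """\
Interface ethernet1:
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp disabled
  ip 1.1.1.1/24   mac 0010.db1d.1c30
  manage ip 1.1.1.3, mac 0010.db1d.1c30
  ping enabled, telnet enabled, SSH enabled, SNMP enabled, web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
"""

# Constructed sample 2 (hypothetical, not from the deck): an Untrust-zone
# interface on which management services were switched on.
SAMPLE_UNTRUST = """\
Interface ethernet3:
  number 2, if_info 0, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp disabled
  ip 203.0.113.2/24   mac 0010.db1d.1c32
  manage ip 203.0.113.2, mac 0010.db1d.1c32
  ping enabled, telnet enabled, SSH disabled, SNMP disabled, web enabled, ident-reset disabled, SSL disabled
  webauth disabled, webauth-ip 0.0.0.0
"""

# Management services as they are named in the get interface output.
SERVICES = ("ping", "telnet", "SSH", "SNMP", "web", "SSL")
# Cleartext service -> its encrypted counterpart.
CLEARTEXT = {"telnet": "SSH", "web": "SSL"}


@dataclass
class Interface:
    name: str
    zone: str
    ip: str          # address with mask, e.g. 1.1.1.1/24
    manage_ip: str   # address only, e.g. 1.1.1.3
    services: dict   # service name -> enabled?


def parse_get_interface(text):
    """Parse one 'get interface <name>' block (format of slide 23) into an Interface."""
    name = re.search(r"^Interface (\S+):", text, re.M).group(1)
    zone = re.search(r"\bzone (\S+),", text).group(1)
    # The address line may carry a leading '*' (as in the get system output).
    ip = re.search(r"^\s*\*?ip (\S+)", text, re.M).group(1)
    manage_ip = re.search(r"\*?manage ip (\S+),", text).group(1)
    services = {s: bool(re.search(rf"\b{s} enabled\b", text)) for s in SERVICES}
    return Interface(name, zone, ip, manage_ip, services)


def audit_interface(iface):
    """Return the review findings for one interface (empty list: nothing to review)."""
    findings = []
    enabled = [s for s, on in iface.services.items() if on]
    # Deck: Trust zone defaults to all services on, any other zone to all off,
    # so management reachable from another zone is a deliberate change to review.
    if iface.zone != "Trust" and enabled:
        findings.append(f"{iface.name}: management services {enabled} enabled in zone {iface.zone}")
    for clear, enc in CLEARTEXT.items():
        if iface.services.get(clear):
            note = "" if iface.services.get(enc) else f" ({enc} is disabled)"
            findings.append(f"{iface.name}: cleartext {clear} enabled; prefer {enc}{note}")
    # manage-ip is meant to be a dedicated management address; when it equals
    # the interface address no separation is in place.
    if iface.manage_ip == iface.ip.split("/")[0]:
        findings.append(f"{iface.name}: manage-ip {iface.manage_ip} is the interface address itself")
    return findings


def audit(outputs):
    """Audit several captured 'get interface' outputs and return all findings."""
    return [f for text in outputs for f in audit_interface(parse_get_interface(text))]


if __name__ == "__main__":
    for finding in audit([SAMPLE_GET_INTERFACE, SAMPLE_UNTRUST]):
        print(finding)
```

Run it against captured get interface output for each interface; ethernet1 from the deck yields only the two cleartext-protocol notes, while the constructed Untrust interface also triggers the zone and manage-ip checks.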