1. Set the system (root) password
set system root-authentication plain-text-password
New password:
Retype new password:
2. Configure IP addresses and routing, and enable the SSH and HTTPS services
set system time-zone Asia/Shanghai
set system name-server 114.114.114.114
set system services ssh
set system services web-management https port 443
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system ntp server 62.201.225.9
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.60.212/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.60.254
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ping
3. Restrict firewall management to the specified IP addresses only
set policy-options prefix-list manager-ip 192.168.53.137/32
set firewall filter management-acl-2 term allow-manager-networks from source-prefix-list manager-ip
set firewall filter management-acl-2 term allow-manager-networks then accept
set firewall filter management-acl-2 term deny-mgmt from destination-port ssh
set firewall filter management-acl-2 term deny-mgmt from destination-port https
set firewall filter management-acl-2 term deny-mgmt then log
set firewall filter management-acl-2 term deny-mgmt then discard
set firewall filter management-acl-2 term accept-all then accept
set interfaces lo0 unit 0 family inet filter input management-acl-2
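The lo0 filter above only works as intended if the term order is right: the source-restricted accept term must come first, the ssh/https discard term next, and the catch-all accept last. The following Python audit script is an added example (not part of the original walkthrough) that parses set-style lines, rebuilds the term order of the filter applied to lo0, and reports when an unrestricted accept term runs before management traffic is discarded; the sample input is the section's own lines, and the finding strings are this example's own wording.

```python
import re
from collections import OrderedDict
# Constructed sample: the management-filter lines from section 3 of this walkthrough.
SAMPLE_CONFIG = """
set policy-options prefix-list manager-ip 192.168.53.137/32
set firewall filter management-acl-2 term allow-manager-networks from source-prefix-list manager-ip
set firewall filter management-acl-2 term allow-manager-networks then accept
set firewall filter management-acl-2 term deny-mgmt from destination-port ssh
set firewall filter management-acl-2 term deny-mgmt from destination-port https
set firewall filter management-acl-2 term deny-mgmt then log
set firewall filter management-acl-2 term deny-mgmt then discard
set firewall filter management-acl-2 term accept-all then accept
set interfaces lo0 unit 0 family inet filter input management-acl-2
"""
TERM_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(r"^set interfaces lo0 unit 0 family inet filter input (\S+)$", re.M)

def parse_filters(config):
    """Map filter name -> OrderedDict(term -> {'from': [...], 'then': [...]}), in Junos evaluation order."""
    filters = {}
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            fname, term, section, rest = m.groups()
            terms = filters.setdefault(fname, OrderedDict())
            terms.setdefault(term, {"from": [], "then": []})[section].append(rest)
    return filters

def audit_management_filter(config, mgmt_ports=("ssh", "https")):
    """Return a list of findings; [] means only source-restricted terms accept before management is discarded."""
    m = LO0_RE.search(config)
    if not m:
        return ["no input filter applied to lo0 unit 0 family inet"]
    fname = m.group(1)
    terms = parse_filters(config).get(fname)
    if not terms:
        return [f"filter {fname} is referenced on lo0 but defines no terms"]
    findings, deny_seen = [], False
    for name, t in terms.items():
        accepts = "accept" in t["then"]
        hits_mgmt = any(x == f"destination-port {p}" for p in mgmt_ports for x in t["from"])
        src_restricted = any(x.startswith(("source-prefix-list", "source-address")) for x in t["from"])
        # An accept term without a source restriction that runs before the deny term lets anyone manage the box.
        if accepts and not src_restricted and not deny_seen:
            findings.append(f"term {name} accepts management traffic from any source before it is denied")
        if "discard" in t["then"] and hits_mgmt:
            deny_seen = True
    if not deny_seen:
        findings.append(f"filter {fname} never discards {'/'.join(mgmt_ports)} from other sources")
    return findings
```

Feed it the output of `show configuration | display set` to check a live device; the check is deliberately strict and will also flag a filter that has no ssh/https discard term at all.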
4. Configure source NAT so internal hosts can reach the Internet
set security nat source rule-set NAT-Policy from zone trust
set security nat source rule-set NAT-Policy to zone untrust
set security nat source rule-set NAT-Policy rule Trust-Untrust-Interface-NAT match source-address 1.1.1.0/24
set security nat source rule-set NAT-Policy rule Trust-Untrust-Interface-NAT then source-nat interface
set security policies from-zone trust to-zone untrust policy Permit-ALL match source-address any
set security policies from-zone trust to-zone untrust policy Permit-ALL match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-ALL match application any
set security policies from-zone trust to-zone untrust policy Permit-ALL then permit
5. Port mapping (static NAT)
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 192.168.60.199/32
set security nat static rule-set static-nat rule rule1 then static-nat prefix 1.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.60.199/32
set security zones security-zone trust address-book address test 1.1.1.1/32
set security zones security-zone trust address-book address-set 1.1.1.1 address test
set applications application 3389 protocol tcp
set applications application 3389 destination-port 3389
set applications application-set 3389-3389 application 3389
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address test
set security policies from-zone untrust to-zone trust policy 1 match application 3389-3389
set security policies from-zone untrust to-zone trust policy 1 then permit