1) 接口
set interfaces ge-0/0/0.0 family inet address x.x.x.x/24
set interfaces ge-0/0/1.0 family inet address x.x.x.x/24
#show interfaces
#run show int terse
2) 安全区域(中把接口加入到各安全区域)
set security zones security-zone Outside/Inside 或 untrust/trust interface ge-0/0/0.0
#show security zones
3) 安全策略-zone间策略(由内到外流量-全部permit;由外到内流量-全部deny)
set security policies from-zone Inside to-zone Outside policy [Policy-Name]Default-Permit
match source-address any
match destination-address any
match application any
then permit
4) 安全区域的(各个安全区域的)addressbook
//针对match source-address\destination-address any
set security zones security-zone Outside address-book address [Address-Name] x.x.x.x/32
set security zones security-zone Inside address-book address [Address-Name] x.x.x.x/32
5) 配置应用applications application 或 applications application-set
//针对 match application any
set application [Application-Name] //show applications
set applications apolication [TCP-3032] protocol tcp destination-port 3032
set applications application-set [APP-SET1] application TCP-3032
show security flow session ?
_______________________________________________________________________________
6) count
edit security poicies from-zone Inside to-zone Outside policy Default-Permit
set match source-address Inside-Network
set match destination-address SP-Routers
set match application any
set then permit
set then count
set then log session-init session-close
set system syslog file [Traffic-Log] any(facility) any(level严重级别)
set system syslog file [Traffice-log] match "RT_FLOW_SESSION"
>show security policies policy-name [Default-Permit] detail
>show system syslog
>show log [Traffice-Log]
7) monitor
#set system syslog file Monitor-Traffic-Log any any
#set system syslog file Monitor-Traffic-Log match "10.1.1.1"
#show system syslog
>monitor start Monitor-Traffic-Log
>monitor stop
8) security flow traceoptions //Juniper的debug
9) Policy Schedulers //时间访问控制列表
10) Web-Authen
11) Pass-Through