Hello.
This time it is [2024][Juniper SRX #13] firewall policy.
The topology is as follows.
SRX
ge-0/0/0 - dhcp - untrust
ge-0/0/1 - 192.168.1.1/24 - trust
ge-0/0/2 - 172.16.1.1/24 - dmz
SW01
gi0/0 - 192.168.1.2/24
and the following services are enabled on it:
http
https
telnet
ssh
SW02
gi0/0 - 172.16.1.2/24
and the following services are enabled on it:
http
https
telnet
ssh
*** Important ***
1. The Juniper SRX is a stateful firewall.
If a firewall policy permits the outgoing traffic, the returning traffic of that session is permitted automatically.
The details will be covered in a later lesson.
2. If there are several firewall policies, they are checked one by one from the top down.
3. Even without a deny policy at the bottom, all traffic is blocked by default; in other words, there is an implicit default deny-all policy.
4. When creating a firewall policy,
4-1 match
4-1-1 source-ip
4-1-2 destination-ip
4-1-3 destination application
You enter the conditions above and then define how matching traffic is to be handled.
4-2 action
4-2-1 permit - allow
4-2-2 reject - block
4-2-3 log - generate a log; you must also enter the sub-option session-init and/or session-close.
4-2-3-1 session-init - log when the session starts
4-2-3-2 session-close - log when the session ends
4-2-4 count - provides cumulative usage statistics for traffic matching the rule
permit, log and count can be configured at the same time.
SRX side
1. Delete the existing configuration.
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
2. Configure IP addresses on the interfaces.
root# set interfaces ge-0/0/0 unit 0 family inet dhcp
[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24
[edit]
root# commit
Then create the security zones, assign the interfaces to them, and check the interface addresses per zone.
root# set security zones security-zone untrust
root# set security zones security-zone untrust interfaces ge-0/0/0
root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1
root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2
root# commit
commit complete

root> show security zones terse
Zone                  Type
dmz                   Security
trust                 Security
untrust               Security
junos-host            Security

root> show interfaces zone terse
Interface       Admin Link Proto Local                Remote   Zone
ge-0/0/0.0      up    up   inet  192.168.10.105/24             untrust
sp-0/0/0.0      up    up   inet
                           inet6                               Null
sp-0/0/0.16383  up    up   inet                                Null
ge-0/0/1.0      up    up   inet  192.168.1.1/24                trust
ge-0/0/2.0      up    up   inet  172.16.1.1/24                 dmz
lo0.16384       up    up   inet  127.0.0.1            --> 0/0  Null
lo0.16385       up    up   inet  10.0.0.1             --> 0/0
                                 10.0.0.16            --> 0/0
                                 128.0.0.1            --> 0/0
                                 128.0.0.4            --> 0/0
                                 128.0.1.16           --> 0/0  Null
lo0.32768       up    up                                       Null
root>
Check the IP addresses on the interfaces.
We configured ge-0/0/0 for dhcp, but it has no IP address.
The reason is that on the Juniper SRX the dhcp service must be permitted as host-inbound traffic on ge-0/0/0's zone before the interface can obtain an address from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
To let ge-0/0/0 obtain an address by DHCP, permit dhcp under system-services in the zone's host-inbound-traffic, and also permit ping for the ping tests.
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
Then check the IP address of ge-0/0/0 with show interfaces terse.
It has received the address 192.168.10.105/24 from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Permit ping on ge-0/0/1 and ge-0/0/2 as well.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
Then configure SW01 - Gi0/0 192.168.1.2/24 and try to ping the SRX ge-0/0/1 address 192.168.1.1.
Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#
Then configure the default gateway.
SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#
SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#
Then configure SW02 - Gi0/0 172.16.1.2/24 and try to ping the SRX ge-0/0/2 address 172.16.1.1.
Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#
Then configure the default gateway.
SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#
To test the firewall policy, enable http, https, telnet and ssh on SW01 and SW02.
SW01(config)#ip http server
SW01(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.
SW01(config)#ip domain-name cisco
SW01(config)#crypto key generate rsa
The name for the keys will be: SW01.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW01(config)#username cisco privilege 15 password cisco
SW01(config)#
SW01(config)#line vty 0 15
SW01(config-line)#login local
SW01(config-line)#transport input all
Configure SW02 the same way.
SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.
SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#
First, to confirm that http, https, telnet and ssh work at all, we set the Juniper SRX firewall policy to any/any and run the tests.
All traffic from the trust zone to the dmz zone is permitted.
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match source-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match destination-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match application any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then count
Ping attempt from SW01 in the trust zone to SW02 in the dmz zone
SW01#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/126 ms
SW01#
http, https, telnet and ssh attempts from SW01 in the trust zone to SW02 in the dmz zone
telnet 172.16.1.2 80 - http succeeded
telnet 172.16.1.2 443 - https succeeded
telnet 172.16.1.2 23 - telnet succeeded
ssh -l cisco 172.16.1.2 - ssh succeeded
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:37:36 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
[IOSv banner repeated]
SW02#
SW01#
SW01#ssh -l cisco 172.16.1.2
[IOSv banner repeated]
Password:
[IOSv banner repeated]
SW02#
SW02#
SW02#
Ping attempt from SW02 in the dmz zone to SW01 in the trust zone.
It fails, because the Juniper SRX has no firewall policy from the dmz zone to the trust zone.
SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#
For the test, configure an any policy from the dmz zone to the trust zone.
set security policies from-zone dmz to-zone trust policy dmz-to-trust match source-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match application any
set security policies from-zone dmz to-zone trust policy dmz-to-trust then permit
set security policies from-zone dmz to-zone trust policy dmz-to-trust then log session-init
set security policies from-zone dmz to-zone trust policy dmz-to-trust then count
Ping attempt from SW02 in the dmz zone to SW01 in the trust zone.
SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/15 ms
SW02#
http, https, telnet and ssh attempts from SW02 in the dmz zone to SW01 in the trust zone
telnet 192.168.1.2 80 - http succeeded
telnet 192.168.1.2 443 - https succeeded
telnet 192.168.1.2 23 - telnet succeeded
ssh -l cisco 192.168.1.2 - ssh succeeded
SW02#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:49:11 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2 443
Trying 192.168.1.2, 443 ... Open
^C
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
[IOSv banner repeated]

User Access Verification

Username: cisco
Password:
[IOSv banner repeated]
SW01#
SW01#ssh -l cisco 192.168.1.2
[IOSv banner repeated]
Password:
[IOSv banner repeated]
SW01#exit

[Connection to 192.168.1.2 closed by foreign host]
SW01#
How to check the hit count of Juniper SRX firewall policies
root> show security policies hit-count
Logical system: root-logical-system
 Index   From zone   To zone   Name           Policy count   Action
 1       trust       dmz       trsut-to-dmz   9              Permit
 2       dmz         trust     trsut-to-dmz   8              Permit

Number of policy: 2
root>
Firewall policy from the trust zone (SW01) to the dmz zone (SW02)
1. 192.168.1.2 -> 172.16.1.2 https permitted
2. 192.168.1.2 -> 172.16.1.2 telnet permitted
Everything else is blocked.
address-book names
H-192.168.1.2/32 - SW01
H-172.16.1.2/32 - SW02
The applications are defined as custom applications:
T-23 -> T stands for tcp, 23 is the port number
T-443
Delete the existing any policy from the trust zone to the dmz zone.
root# delete security policies from-zone trust to-zone dmz
[edit]
root# commit
commit complete
Define the address-book entries and the applications.
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20
set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20
Create the firewall policy. (The commands pasted here repeat the dmz-to-trust any policy; the trust-to-dmz policy built from the address-book entries and the custom applications appears in the policy listings that follow.)
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
commit
How to view the firewall policies
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: dmz, To zone: trust
  Policy: trsut-to-dmz, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
From zone: trust, To zone: dmz
  Policy: trust-to-dmz, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23, T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
root>
How to view the firewall policy configuration - everything
root> show configuration security | display set | no-more
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0
root>
How to view only the firewall policies from the trust zone to the dmz zone
root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
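Added example, not code from the original post: a small Python model of the policy lookup the "Important" notes describe (top-down first match, implicit deny-all, automatic return traffic), loaded with the address-book entries, custom applications and the two policies configured above, and replayed against the post's test plan. The zone-to-subnet mapping, the `Srx`, `Flow` and `Policy` names and the `run_test_plan` helper are assumptions made for the model; the dmz-to-trust policy uses the name from its set commands.

```python
# Toy model of the SRX zone-policy lookup explained in the notes above. Added
# example, not Junos code: it reproduces the stated rules (top-down first match,
# implicit deny-all, stateful return traffic) with the post's own objects.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADDRESS_BOOK = {  # security address-book global, plus the built-in 'any'
    "any": ip_network("0.0.0.0/0"),
    "H-192.168.1.2/32": ip_network("192.168.1.2/32"),
    "H-172.16.1.2/32": ip_network("172.16.1.2/32"),
}
APPLICATIONS = {  # name -> (protocol, destination ports); None means any
    "any": (None, None),
    "T-23": ("tcp", range(23, 24)),
    "T-443": ("tcp", range(443, 444)),
}
# zone membership (assumed), derived from the interface addresses in the topology
ZONES = {"trust": ip_network("192.168.1.0/24"), "dmz": ip_network("172.16.1.0/24")}
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    src: tuple              # address-book names
    dst: tuple
    apps: tuple             # application names
    action: str = "permit"  # the post's policies all permit; reject also exists
    count: int = 0          # 'then count' -> show security policies hit-count

def zone_of(ip):
    return next((z for z, net in ZONES.items() if ip_address(ip) in net), "untrust")

def addr_matches(names, ip):
    return any(ip_address(ip) in ADDRESS_BOOK[n] for n in names)

def app_matches(names, flow):
    return any(proto is None or (proto == flow.proto and flow.dst_port in ports)
               for proto, ports in map(APPLICATIONS.get, names))

class Srx:
    def __init__(self, policies):
        self.policies, self.sessions = policies, set()

    def lookup(self, flow):
        """Return (verdict, matched policy) for the first packet of a flow."""
        # Point 1: the reverse of a permitted session needs no policy of its own
        if Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.proto) in self.sessions:
            return "permit", "existing-session"
        pair = (zone_of(flow.src_ip), zone_of(flow.dst_ip))
        for p in self.policies:  # point 2: top-down, first match wins
            if ((p.from_zone, p.to_zone) == pair and addr_matches(p.src, flow.src_ip)
                    and addr_matches(p.dst, flow.dst_ip) and app_matches(p.apps, flow)):
                p.count += 1
                if p.action == "permit":
                    self.sessions.add(flow)
                return p.action, p.name
        return "deny", "default-deny-all"  # point 3: nothing matched

def final_policies():
    """The post's end state: trust->dmz restricted, dmz->trust wide open."""
    return [Policy("trust", "dmz", "trust-to-dmz", ("H-192.168.1.2/32",),
                   ("H-172.16.1.2/32",), ("T-23", "T-443")),
            Policy("dmz", "trust", "dmz-to-trust", ("any",), ("any",), ("any",))]

def run_test_plan():
    """Replay the post's test plan: SW01 192.168.1.2 -> SW02 172.16.1.2."""
    srx = Srx(final_policies())
    out = {f"tcp/{p}": srx.lookup(Flow("192.168.1.2", 50000 + p, "172.16.1.2", p, "tcp"))[0]
           for p in (443, 23, 80, 22)}
    out["dmz->trust icmp"] = srx.lookup(Flow("172.16.1.2", 0, "192.168.1.2", 0, "icmp"))[0]
    out["hit-count trust-to-dmz"] = srx.policies[0].count
    # Return traffic of the permitted telnet session on a box with NO dmz->trust policy
    strict = Srx(final_policies()[:1])
    strict.lookup(Flow("192.168.1.2", 59113, "172.16.1.2", 23, "tcp"))
    out["telnet return"] = strict.lookup(Flow("172.16.1.2", 23, "192.168.1.2", 59113, "tcp"))[0]
    out["fresh dmz->trust"] = strict.lookup(Flow("172.16.1.2", 40000, "192.168.1.2", 22, "tcp"))[0]
    return out
```

The `strict` box shows why the post's earlier dmz-to-trust ping failed while the telnet reply still got through: only the first packet of a session is matched against policies, and the reply of a permitted session is allowed even though a fresh dmz-initiated connection hits default deny-all.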
Let's test.
Firewall policy from the trust zone (SW01) to the dmz zone (SW02)
1. 192.168.1.2 -> 172.16.1.2 https permitted
2. 192.168.1.2 -> 172.16.1.2 telnet permitted
3. 192.168.1.2 -> 172.16.1.2 http blocked
4. 192.168.1.2 -> 172.16.1.2 ssh blocked
Everything else is blocked.
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open
[IOSv banner repeated]

User Access Verification

Username: cisco
Password:
[IOSv banner repeated]
SW02#exit
The HTTP and SSH connections failed, because there is no firewall policy that permits them.
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ...
% Connection timed out; remote host not responding
SW01#ssh -l cisco 172.16.1.2
SW01#
Let's check the firewall policy hit counts.
root> show security policies hit-count
Logical system: root-logical-system
 Index   From zone   To zone   Name           Policy count   Action
 1       trust       dmz       trust-to-dmz   2              Permit
 2       dmz         trust     trsut-to-dmz   8              Permit
How to view the current firewall flow sessions
Telnet attempt SW01 -> SW02
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open
[IOSv banner repeated]

User Access Verification

Username: cisco
Password:
[IOSv banner repeated]
SW02#
Check the session state on the Juniper SRX with show security flow session.
root> show security flow session
Session ID: 1641, Policy name: trust-to-dmz/4, State: Stand-alone, Timeout: 16, Valid
  In: 192.168.1.2/59113 --> 172.16.1.2/23;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 1108,
  Out: 172.16.1.2/23 --> 192.168.1.2/59113;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 2171,
Total sessions: 1
Thank you for reading [2024][Juniper SRX #13] firewall policy.