[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit] root# commit
commit complete
[edit] root#
2. vSRX side
Create a VLAN.
vlan name: VL10
vlan-id: 10
Then verify the VLAN.
root# set vlans VL10 vlan-id 10
root> show vlans
Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10
                                                           ge-0/0/0.0*
default-switch          default               1
Change ge-0/0/0 to access mode (untagged mode).
Assign VL10 to the ge-0/0/0 interface.
The interface allows only VLAN 10. Because it is not a tagged port, it cannot carry more than one VLAN.
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
Map VL10 to the Layer 3 interface irb.10.
root# set vlans VL10 l3-interface irb.10
Check the interface status.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
set interfaces irb unit 10 family inet address 10.1.1.1/24
set vlans VL10 vlan-id 10
set vlans VL10 l3-interface irb.10
Cisco Side
Create VLAN 10 and verify the VLAN.
Switch(config)#vlan 10
Switch(config-vlan)#end
Switch#show vlan br
*Jun 10 08:47:47.665: %SYS-5-CONFIG_I: Configured from console by consoleie
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to that zone.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust host-inbound-traffic system-services ping
[edit]
root# commit
commit complete
[edit] root#
Cisco Side
Try the ping again.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/23/109 ms
Switch#
Thank you for reading [2024][Juniper SRX #5] Interface Configuration - RVI - untagged mode.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit] root# commit
commit complete
[edit] root#
Create three VLANs.
VL10 - 10
VL20 - 20
VL30 - 30
The left side is the VLAN name.
The right side is the VLAN ID.
root# set vlans VL10 vlan-id 10
[edit] root# set vlans VL20 vlan-id 20
[edit] root# set vlans VL30 vlan-id 30
[edit] root#
Configure the ge-0/0/0 interface as a tagging interface. More than one VLAN can be received through this interface; that is, VLANs 10, 20 and 30 configured above can all deliver traffic to the Juniper ge-0/0/0 tagging port.
root# set interfaces ge-0/0/0 vlan-tagging
[edit]
root# set interfaces ge-0/0/0 unit 10 vlan-id 10
[edit]
root# set interfaces ge-0/0/0 unit 10 family inet address 10.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 20 vlan-id 20
[edit]
root# set interfaces ge-0/0/0 unit 20 family inet address 20.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 30 vlan-id 30
[edit]
root# set interfaces ge-0/0/0 unit 30 family inet address 30.1.1.1/24
Check the interface status.
root> show interfaces terse | match inet
ge-0/0/0.10             up    up   inet     10.1.1.1/24
ge-0/0/0.20             up    up   inet     20.1.1.1/24
ge-0/0/0.30             up    up   inet     30.1.1.1/24
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.3        YES manual up                    up
Switch#
Try pinging the vSRX from the Cisco switch.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to that zone.
root# set security zones security-zone trust_vl10 interfaces ge-0/0/0.10
root# set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl20 interfaces ge-0/0/0.20
root# set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl30 interfaces ge-0/0/0.30
root# set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
root# commit
commit complete
Try the ping test again from the Cisco switch.
Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Switch#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#
Thank you for reading [2024][Juniper SRX #4] Interface Configuration - Layer 3 Logical Interface.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit] root# commit
commit complete
[edit] root#
Configure 10.1.1.1/24 on interface ge-0/0/0.
Then verify the IP address with show interfaces terse | match ge-0/0/0.
- set interfaces [interface name] unit [logical interface number] family [protocol type] address [IP address/subnet mask]
※ The logical interface number is normally 0, and the protocol types are as follows.
inet: IPv4
inet6: IPv6
mpls: MPLS
ethernet-switching: Layer 2 switching
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
[edit]
root# commit
commit complete
root> show interfaces terse | match ge-0/0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
Cisco Switch Side
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.25
Switch(config-if)#no sh
Switch(config-if)#end
Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Switch#
Switch#
Ping test from the Cisco switch toward the vSRX.
It fails, however. The reason is that the vSRX is a security device and blocks ping by default, so the ping does not succeed.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to that zone.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust interfaces ge-0/0/0
root# set security zones security-zone trust host-inbound-traffic system-services ping
[edit]
root# commit
commit complete
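The three interface posts above (#5, #4 and #3) all run into the same failure: the interface is up and addressed, yet ping fails until the interface is placed in a security zone whose host-inbound-traffic permits ping. The Python script below is an added example for this page, not code from the posts or from Junos: it parses a show configuration | display set dump and reports addressed logical interfaces that belong to no security zone, and zones that do not admit a given system service. The configuration it reads is constructed for the example, and only zone-level host-inbound-traffic is considered (per-interface overrides are ignored). A bare interface name in a zone is treated as its unit 0, which is what post #3 relies on when it assigns ge-0/0/0 without a unit and ping then succeeds.

```python
"""Audit a Junos 'show configuration | display set' dump for the failure
mode the posts above run into: an addressed interface that sits in no
security zone, or a zone that does not admit the host-inbound service being
tested (ping).  Added example for this page, not Junos or vendor code."""
import re
from collections import defaultdict

# Constructed sample in the same 'display set' format the posts show.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces irb unit 10 family inet address 30.1.1.1/24
set security zones security-zone trust interfaces ge-0/0/0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces irb.10
set security zones security-zone dmz host-inbound-traffic system-services ssh
set security zones security-zone untrust screen untrust-screen
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6? address (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(?: .*)?$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) "
                         r"host-inbound-traffic system-services (\S+)$")


def parse_display_set(text):
    """Return (addresses, zone_of, services) parsed from display-set lines."""
    addresses = {}               # "ge-0/0/0.0" -> ["10.1.1.1/24", ...]
    zone_of = {}                 # "ge-0/0/0.0" -> "trust"
    services = defaultdict(set)  # "trust" -> {"ping", ...} (zone level only)
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            addresses.setdefault(f"{m[1]}.{m[2]}", []).append(m[3])
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            # Post #3 above assigns 'ge-0/0/0' with no unit and ping works,
            # so a bare interface name is treated as its unit 0 (assumption).
            ifname = m[2] if "." in m[2] else m[2] + ".0"
            zone_of[ifname] = m[1]
            continue
        m = ZONE_SVC_RE.match(line)
        if m:
            services[m[1]].add(m[2])
    return addresses, zone_of, services


def unzoned_interfaces(text):
    """Addressed logical interfaces that no security zone claims."""
    addresses, zone_of, _ = parse_display_set(text)
    return sorted(i for i in addresses if i not in zone_of)


def zones_without_service(text, service):
    """Zones that hold interfaces but do not admit the given host service."""
    _, zone_of, services = parse_display_set(text)
    return sorted(z for z in set(zone_of.values()) if service not in services[z])


if __name__ == "__main__":
    print("not in any zone:", unzoned_interfaces(SAMPLE_CONFIG))
    print("zones without ping:", zones_without_service(SAMPLE_CONFIG, "ping"))
```

Running it against a real dump saved with the save pipe described later on this page (show configuration | display set | save config_backup, then copied off the box) gives the same two lists, which is a quicker check than pinging each interface in turn.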
Cisco Side
Pinging the vSRX interface from the Cisco switch now succeeds, as shown below.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/96/473 ms
Switch#
Thank you for reading [2024][Juniper SRX #3] Interface Configuration - Layer 3 Physical Interface.
4. ae: means an Aggregated Ethernet port. ae1: the second logical interface
5. reth: means a Redundant Ethernet port. reth0: means the first Redundant Ethernet port.
You can check this from the command line after connecting to the device console.
Entering show chassis hardware displays the following.
FPC 0
PIC 0
root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                fd45efae5e05      VSRX
Midplane
System IO
Routing Engine                                           VSRX-2CPU-4G memory
FPC 0                                  BUILTIN           BUILTIN FPC
  PIC 0                                                  VSRX DPDK GE
Power Supply 0
Now let's check the interface ports. When a Juniper SRX is created in EVE-NG, it has four interfaces by default.
ge-0/0/0
ge-0/0/1
ge-0/0/2
fxp0 - MGMT Interface
root> show interfaces terse | grep ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
If you want to add more interfaces, modify the node as below.
Enter 8 in the Ethernets field and boot the SRX.
Let's check after the device has booted.
ge-0/0/0 through ge-0/0/6, plus fxp0, gives a total of 8 interfaces.
If you need more interfaces, add them as in the picture above.
root> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/4                up    up
ge-0/0/5                up    up
ge-0/0/6                up    up
Thank you for reading [2024][Juniper SRX #2] Interface Numbering.
This mode is used for commands such as show, monitor and request, mainly for checking configuration values and status.
root>
For example, if you want to check the interface status:
show interface terse
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
2. configuration mode
To enter this mode, enter the configure command from operational mode as shown below.
If you want to use an operational-mode command while in configuration mode, prefix it with the run command.
root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
[edit] root#
3. Commands for moving between hierarchy levels
3-1 edit
3-2 top
3-3 up
3-4 exit
Because Juniper runs on a Linux base, it uses the Linux statement hierarchy structure.
top command
We are currently inside interfaces. From here, use the top command to return to the top level.
The top level is configuration mode.
root# edit interfaces
[edit interfaces]
root# top
[edit] root#
up command
We are currently at system -> services -> ftp.
Using the up command moves one level up, to services.
root# edit system services ftp
[edit system services ftp] root#
root# up
[edit system services] root#
If you want to go up two levels, enter up 2.
[edit system services ftp] root# up 2
[edit system] root#
exit command
Moves one level up.
Also, entering exit at the top level of configuration mode returns you to operational mode.
root# edit system
[edit system] root#
root# exit
[edit] root#
root# exit
Exiting configuration mode
root>
4. Keyboard shortcuts
- Ctrl + p or the up arrow key: recall the previous command
- Ctrl + n or the down arrow key: move forward through recalled commands
- Ctrl + a, e: move the cursor to the beginning / end of the command
- Ctrl + w: delete the word before the cursor, or the word the cursor is on
5. Commands for adding and deleting configuration
set: adds configuration
delete: deletes configuration
Let's set the hostname with the set command.
Because the Juniper default configuration has no root password, a commit will not save the changes.
First, set the root password.
set system root-authentication plain-text-password
Then change the hostname.
set system host-name vSRX
Then save the configuration and apply it immediately.
commit
The hostname has changed.
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# set system host-name vSRX
[edit]
root# commit
commit complete
[edit] root@vSRX#
Now let's use the delete command.
We will delete the statement set system services ftp.
delete system services ftp
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ftp
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX> configure
Entering configuration mode
[edit]
root@vSRX# delete system services ftp
[edit]
root@vSRX# commit
commit complete
[edit] root@vSRX# run show configuration | display set | match ftp
[edit] root@vSRX#
6. How to use pipe commands
- count: prints the number of lines in the output
- display: changes the way configuration values are shown
  detail: shows, as comments, examples of additional settings that can be configured
  set: shows the configuration in set format
  xml: shows the configuration in XML format
- except: shows all lines except those containing a specific value
- find: shows output starting from the first line where a specific value appears
- match: shows only lines containing a specific value
- no-more: prints all output at once even when it exceeds one page
- hold: when output exceeds one page, shows it one page at a time without printing --More-- at the end
- save: saves the output directly to a file, e.g. show config | save 20120406.txt
- last: shows the final part of the output, e.g. show log message | last 30 (prints only the last 30 lines)
- trim: removes a given number of characters from the left of each line before displaying it
  * show log message
    Apr 6 15:55:22 SRX210 login: Login attempt for user stcon from host 1.1.1.100
  * show log message | trim 15 (removes 15 characters from the left before printing)
    SRX210 login: Login attempt for user stcon from host 1.1.1.100
root@vSRX> show configuration | display set
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
---(more)---
Display the whole output at once, without the ---(more)--- prompt shown above.
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- find command: displays output from the first line where a specific value appears.
Let's print the configuration above from the line containing policies to the end.
root@vSRX> show configuration | display set | find policies
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- match: displays only lines containing a specific value.
Let's display only the lines containing the word zones.
root@vSRX> show configuration | display set | match zones
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
root@vSRX>
- except: displays all lines except those containing a specific value.
Let's print everything except the lines containing the word zones.
root@vSRX> show configuration | display set | except zones
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set interfaces fxp0 unit 0
root@vSRX>
save: saves the output to a file.
Let's save the configuration to a file.
The file name is config_backup.
To check the file, enter the file list command.
root@vSRX> show configuration | display set | save config_backup
Wrote 32 lines of output to 'config_backup'
root@vSRX> file show config_backup
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX>
last: displays the final part of the output.
e.g. show only the last 10 lines of the log, i.e. only the 10 most recent log entries.
root@vSRX> show log messages | last 10
Jun 9 13:02:53 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:05 vSRX last message repeated 4 times
Jun 9 13:03:14 vSRX last message repeated 3 times
Jun 9 13:03:17 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages '
Jun 9 13:03:17 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:35 vSRX last message repeated 6 times
Jun 9 13:03:53 vSRX last message repeated 6 times
Jun 9 13:03:55 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 10 '
root@vSRX>
Pipe options can also be chained.
show log messages: print the log
match VSRX: print only messages containing this word
last 10: print only the 10 most recent log entries
root@vSRX> show log messages | match VSRX | last 10
Jun 9 13:03:56 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:06 vSRX last message repeated 3 times
Jun 9 13:04:45 vSRX last message repeated 13 times
Jun 9 13:04:47 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX '
Jun 9 13:04:48 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:51 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:53 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX | last 10 '
root@vSRX>
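To make the pipe semantics described in this section concrete, the following Python model of match, except, find, last, trim, count and no-more runs over constructed log lines shaped like the show log messages output, with a run_pipeline helper that applies the stages left to right the way the CLI does. It is an added example for this page, not Junos code. Two behaviours are worth noting: match is treated as a case-insensitive regular expression, because the post's match VSRX returns lines containing vSRX; and last requires an explicit count here, whereas the real CLI shows the last screenful when no count is given.

```python
"""Model of the Junos output-pipe filters discussed above, run over
constructed log lines.  Added example for this page, not Junos code."""
import re

# Constructed sample in the shape of 'show log messages' output.
SAMPLE_LOG = [
    "Jun  9 13:02:53 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0",
    "Jun  9 13:03:05 vSRX last message repeated 4 times",
    "Jun  9 13:03:17 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages '",
    "Jun  9 13:03:20 vSRX sshd[23400]: Accepted password for root from 10.1.1.2 port 50122 ssh2",
    "Jun  9 13:03:35 vSRX last message repeated 6 times",
    "Jun  9 13:03:55 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 10 '",
]


def _hit(line, pattern):
    # The post's 'match VSRX' returns lines containing 'vSRX', so the
    # pattern is applied case-insensitively; it is a regular expression.
    return re.search(pattern, line, re.IGNORECASE) is not None


def apply_filter(lines, name, arg=""):
    """Apply a single pipe stage (filter name plus its argument) to output lines."""
    if name == "match":      # only lines containing the pattern
        return [l for l in lines if _hit(l, arg)]
    if name == "except":     # everything except lines containing the pattern
        return [l for l in lines if not _hit(l, arg)]
    if name == "find":       # from the first hit to the end of the output
        for i, l in enumerate(lines):
            if _hit(l, arg):
                return lines[i:]
        return []
    if name == "last":       # final N lines; the CLI defaults to a screenful,
        return lines[-int(arg):]   # this model requires the count
    if name == "trim":       # drop the first N characters of every line
        return [l[int(arg):] for l in lines]
    if name == "count":      # replace the output by a line count
        return [f"Count: {len(lines)} lines"]
    if name == "no-more":    # paging only; the output itself is unchanged
        return list(lines)
    raise ValueError(f"unsupported pipe filter: {name}")


def run_pipeline(lines, pipeline):
    """Run a 'match x | last 2' style chain left to right, as the CLI does."""
    out = list(lines)
    for stage in pipeline.split("|"):
        parts = stage.split(None, 1)
        if not parts:
            continue
        name = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        out = apply_filter(out, name, arg)
    return out


if __name__ == "__main__":
    for line in run_pipeline(SAMPLE_LOG, "except repeated | last 2"):
        print(line)
```

The trim stage removes a fixed number of characters, not a field: the 16 characters of the timestamp prefix in the constructed lines differ from the 15 in the post's SRX210 example only because the day-of-month is padded with two spaces, so the count has to be checked against the actual log format before use.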
?
Entering it displays the commands that can be run.
root@vSRX> ?
Possible completions:
  clear                Clear PPM related statistics information
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  probe                Probe interfaces on remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  scp                  Copy files via ssh
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute
Thank you for reading [2024][Juniper SRX #1] Basic CLI Commands.
root@vqfx-re> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                VM5F3D5FF6E7

{master:0}
root@vqfx-re> show chassis fpc
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Empty
  1  Empty
  2  Empty
  3  Empty
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty
{master:0} root@vqfx-re>
As shown in the table above, if the FPC has not finished booting yet, slot 0 shows no information.
Wait a few more minutes.
root@vqfx-re> show chassis fpc
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online       Testing   71     30             0      0      0     1920       0       50
  1  Empty
  2  Empty
  3  Empty
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty
The state of slot 0 above has changed to Online and the FPC has been recognized. Now check with show interfaces terse that the interfaces are displayed correctly.
root@vqfx-re> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
gr-0/0/0                up    up
pfe-0/0/0               up    up
pfe-0/0/0.16383         up    up   inet
                                   inet6
pfh-0/0/0               up    up
pfh-0/0/0.16383         up    up   inet
pfh-0/0/0.16384         up    up   inet
xe-0/0/0                up    up
xe-0/0/0.0              up    up   inet
xe-0/0/1                up    up
xe-0/0/1.0              up    up   inet
xe-0/0/2                up    up
xe-0/0/2.0              up    up   inet
xe-0/0/3                up    up
xe-0/0/3.0              up    up   inet
xe-0/0/4                up    up
xe-0/0/4.0              up    up   inet
xe-0/0/5                up    up
xe-0/0/5.0              up    up   inet
xe-0/0/6                up    up
xe-0/0/6.0              up    up   inet
xe-0/0/7                up    up
xe-0/0/7.0              up    up   inet
xe-0/0/8                up    up
xe-0/0/8.0              up    up   inet
xe-0/0/9                up    up
xe-0/0/9.0              up    up   inet
xe-0/0/10               up    up
xe-0/0/10.0             up    up   inet
xe-0/0/11               up    up
xe-0/0/11.0             up    up   inet
bme0                    up    up
bme0.0                  up    up   inet     128.0.0.1/2
                                            128.0.0.4/2
                                            128.0.0.16/2
                                            128.0.0.63/2
cbp0                    up    up
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet
em1                     up    up
em1.0                   up    up   inet     169.254.0.2/24
em2                     up    up
em2.32768               up    up   inet     192.168.1.2/24
em3                     up    up
em4                     up    up
em4.32768               up    up   inet     192.0.2.2/24
em5                     up    up
em6                     up    up
em7                     up    up
em8                     up    up
em9                     up    up
em10                    up    up
em11                    up    up
em12                    up    up
em13                    up    up
em14                    up    up
esi                     up    up
fti0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.0                   up    up   inet
                                   inet6    fe80::205:860f:fc71:d000
lo0.16385               up    up   inet
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pip0                    up    up
tap                     up    up
vme                     up    down
vtep                    up    up
{master:0} root@vqfx-re>
The interfaces are working normally.
Thank you for reading [2024][EVE-NG #16] Installing a Juniper QFX Switch.
7. Juniper vMX 폴더를 오른쪽 /opt/unetlab/addons/qemu/ 폴더에 복사합니다.
8. putty 또는 secure crt를 이용해서 EVE-NG 접속합니다.
IP:
ID:
Password: 입력합니다.
9. 폴더를 확인합니다
root@eve-ng:~# cd /opt/unetlab/addons/qemu/ root@eve-ng:/opt/unetlab/addons/qemu# ls -al | grep vmx drwxr-xr-x 2 root root 4096 Jun 9 07:56 vmxvcp-16.2R1.6-domestic-VCP drwxr-xr-x 2 root root 4096 Jun 9 07:56 vmxvcp-17.1R1.8-domestic-VCP drwxr-xr-x 2 root root 4096 Jun 9 07:57 vmxvfp-16.2R1.6-domestic-VFP drwxr-xr-x 2 root root 4096 Jun 9 07:58 vmxvfp-17.1R1.8-domestic-VFP root@eve-ng:/opt/unetlab/addons/qemu#
10. Check the files.
Check the vmxvcp files.
root@eve-ng:/opt/unetlab/addons/qemu# cd vmxvcp-17.1R1.8-domestic-VCP/
root@eve-ng:/opt/unetlab/addons/qemu/vmxvcp-17.1R1.8-domestic-VCP# ls
hda.qcow2  hdb.qcow2  hdc.qcow2
Check the vmxvfp files.
root@eve-ng:/opt/unetlab/addons/qemu# cd vmxvfp-17.1R1.8-domestic-VFP/
root@eve-ng:/opt/unetlab/addons/qemu/vmxvfp-17.1R1.8-domestic-VFP# ls
hda.qcow2
11. Fix the permissions.
The folder you run this from does not matter.
root@eve-ng:/opt/unetlab/addons/qemu# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
12. Connect to EVE-NG.
http://192.168.40.128
13. After logging in, add a node.
template: Juniper vMX VCP
image: vmxvcp-17.1R1
icon: JuniperMX
Then click the Save button.
14. Add a second node.
template: Juniper vMX VFP
image: vmxvfp-17.1R1
icon: JuniperMX
Then click the Save button.
15. As in the picture below, connect the cable between the VCP and the VFP on the em1 / int interfaces.
16. Press the Start button to boot both devices.
17. Wait until booting completes.
18. Booting is complete.
The default login credentials are as follows:
ID: root
Password: none
When you enter show chassis hardware as below, you can confirm that both components are operating normally:
VCP - Routing Engine
VFP - FPC
Alternatively, the show chassis fpc command shows the same thing.
Once the FPC is operating normally, entering show interfaces terse lists the interface information.
root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                VM6665662857      VMX
Midplane
Routing Engine 0                                         RE-VMX
CB 0                                                     VMX SCB
CB 1                                                     VMX SCB
FPC 0                                                    Virtual FPC
  CPU            Rev. 1.0 RIOT         123XYZ987
root> show chassis fpc
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online           Testing 100      0          41      9      3    512        28          0
  1  Empty
  2  Empty
  3  Empty
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty
 10  Empty
 11  Empty

root>
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
lc-0/0/0                up    up
lc-0/0/0.32769          up    up   vpls
pfe-0/0/0               up    up
pfe-0/0/0.16383         up    up   inet
                                   inet6
pfh-0/0/0               up    up
pfh-0/0/0.16383         up    up   inet
pfh-0/0/0.16384         up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/4                up    up
ge-0/0/5                up    up
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
cbp0                    up    up
demux0                  up    up
dsc                     up    up
em1                     up    up
em1.0                   up    up   inet     10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::5200:ff:fe09:1/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
esi                     up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pip0                    up    up
pp0                     up    up
rbeb                    up    up
tap                     up    up
vtep                    up    up

root>
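As an added example (not code from either post), the following Python runs the two checks that both the vQFX and the vMX verification steps above perform by eye: it reads the FPC slot state from `show chassis fpc` and the ge-/xe- port state from `show interfaces terse`. The sample text is constructed from the outputs shown above and the function names are my own.

```python
# Added example (not from the post): sanity checks over pasted Junos CLI output.
import re

# Constructed excerpt modelled on the `show chassis fpc` output above.
FPC_SAMPLE = """\
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online           Testing 100      0          41      9      3    512        28          0
  1  Empty
"""

# Constructed excerpt modelled on `show interfaces terse` (one xe- port deliberately down).
TERSE_SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
pfe-0/0/0.16383         up    up   inet
                                   inet6
xe-0/0/2                up    down
em1.0                   up    up   inet     10.0.0.4/8
                                   inet6    fe80::5200:ff:fe09:1/64
"""

_SLOT_RE = re.compile(r"^\s*(\d+)\s+(\S+)")
_IFACE_RE = re.compile(r"^([A-Za-z]+[-\w/.:]*)\s+(up|down)\s+(up|down)")

def parse_fpc_slots(text):
    """{slot: state} from `show chassis fpc`; header lines have no leading digit."""
    return {int(m.group(1)): m.group(2)
            for m in map(_SLOT_RE.match, text.splitlines()) if m}

def fpc_online(fpc_text, slot=0):
    """True when the VFP is attached, i.e. the slot reports Online."""
    return parse_fpc_slots(fpc_text).get(slot) == "Online"

def parse_interfaces_terse(text):
    """{interface: (admin, link)}; indented continuation lines (extra
    families/addresses) carry no interface name and are skipped."""
    ifaces = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        m = _IFACE_RE.match(line)
        if m:
            ifaces[m.group(1)] = (m.group(2), m.group(3))
    return ifaces

def revenue_ports_down(terse_text, prefixes=("ge-", "xe-")):
    """Physical ge-/xe- ports (no .unit suffix) that are not up/up."""
    return sorted(name for name, state in parse_interfaces_terse(terse_text).items()
                  if name.startswith(prefixes) and "." not in name and state != ("up", "up"))
```

Paste the real CLI output into the two strings; an empty list from revenue_ports_down together with fpc_online returning True is the state the posts describe as working.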
Thank you for reading [2024][EVE-NG #15] Installing the Juniper MX router.
Cisco Application Deployment Engine OS Release: 3.2
ADE-OS Build Version: 3.2.0.401
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2022 by Cisco Systems, Inc. All rights reserved.
Hostname: ISE-3-2

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.2.0.542
Build Date   : Wed Oct 19 16:27:24 2022
Install Date : Sat Jun 8 10:58:59 2024
3. Log in to Cisco ISE. To upload the patch6 file to Cisco ISE, navigate as follows:
Maintenance -> Repository
Click the Add button in the Repository List.
4. Enter the following:
Repository Name: disk
Protocol: Disk
Path: /
Then click the Save button.
5. Maintenance -> Localdisk Management
Click Node Name: ISE-3-2.
Click the Upload button.
6. Upload the file.
Wait until the upload completes.
Click the Close button.
7. Connect over SSH and confirm the file is in the repository.
ISE-3-2/admin#show repository disk
ise-patchbundle-3.2.0.542-Patch6-24041918.SPA.x86_64.tar.gz
upgraderpms.log
8. Install patch6.
ISE-3-2/admin#patch install ise-patchbundle-3.2.0.542-Patch6-24041918.SPA.x86_64.tar.gz disk
% Warning: Patch will be installed only on this node. Install using Primary Administration node GUI to install on all nodes in deployment.
Continue? (yes/no) [yes] ? yes
Initiating Application Patch installation...

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Patch successfully installed
Broadcast message from root@ISE-3-2 (pts/1) (Sat Jun 8 12:26:44 2024):
Trying to stop processes gracefully. Reload might take approximately 3 mins
% This application Install or Upgrade requires reboot, rebooting now...
Broadcast message from root@ISE-3-2 (pts/1) (Sat Jun 8 12:27:29 2024):
The system is going down for reboot NOW
Patch successfully installed
Wait until the patch6 installation finishes.
It takes about 20 to 30 minutes.
When the installation completes, the system reboots automatically.
9. Reconnect over SSH and enter show version to verify patch6.
ISE-3-2/admin#show version

Cisco Application Deployment Engine OS Release: 3.2
ADE-OS Build Version: 3.2.0.401
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2022 by Cisco Systems, Inc. All rights reserved.
Hostname: ISE-3-2

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.2.0.542
Build Date   : Wed Oct 19 16:27:24 2022
Install Date : Sat Jun 8 10:58:59 2024

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Sat Jun 08 12:24:44 2024

ISE-3-2/admin#
In the Cisco Identity Services Engine Patch section above you can see
Version: 6
and the Install Date, i.e. when the patch was installed.
10. show application status ise
Check that the Application Server state is running.
ISE-3-2/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4015
Database Server                        running          157 PROCESSES
Application Server                     running          23465
Profiler Database                      running          12538
ISE Indexing Engine                    running          24587
AD Connector                           running          25900
M&T Session Database                   running          18927
M&T Log Processor                      running          23717
Certificate Authority Service          running          25725
EST Service                            running          60586
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          8622
ISE API Gateway Database Service       running          11476
ISE API Gateway Service                running          17605
ISE pxGrid Direct Service              running          49034
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          26542
ISE Prometheus Service                 running          27678
ISE Grafana Service                    running          29824
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled

% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB
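As an added example (not the post's own code), the following Python automates the two post-patch checks in steps 9 and 10: it reads the patch number from the `show version` output and the per-process state and disk warning from `show application status ise`. The sample text is constructed from the outputs above; the function names and the list of required processes are my own choices.

```python
# Added example (not from the post): verify ISE patch level and service states.
import re

# Constructed excerpt modelled on the post-patch `show version` output.
VERSION_SAMPLE = """\
Cisco Identity Services Engine
Version      : 3.2.0.542

Cisco Identity Services Engine Patch
Version      : 6
"""

# Constructed excerpt modelled on `show application status ise`.
STATUS_SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4015
Database Server                        running          157 PROCESSES
Application Server                     running          23465
SXP Engine Service                     disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB
"""

# Process lines: name, two or more spaces, then one of the states ISE prints.
_PROC_RE = re.compile(r"^(.+?)\s{2,}(running|disabled|not running|initializing)\b")
_DISK_RE = re.compile(r"RECOMMENDED DISK SIZE: (\d+) GB, CURRENT DISK SIZE: (\d+) GB")

def patch_level(version_text):
    """Patch number from the 'Cisco Identity Services Engine Patch' block, or None."""
    in_patch = False
    for line in version_text.splitlines():
        if line.strip() == "Cisco Identity Services Engine Patch":
            in_patch = True
        elif in_patch and line.startswith("Version"):
            return int(line.split(":", 1)[1])
    return None

def service_states(status_text):
    """{process name: state} from `show application status ise`."""
    return {m.group(1).strip(): m.group(2)
            for m in map(_PROC_RE.match, status_text.splitlines()) if m}

def not_running(status_text, required=("Database Listener", "Database Server", "Application Server")):
    states = service_states(status_text)
    return [p for p in required if states.get(p) != "running"]

def disk_shortfall_gb(status_text):
    """Recommended minus current disk size when the CLI printed the warning, else 0."""
    m = _DISK_RE.search(status_text)
    return int(m.group(1)) - int(m.group(2)) if m else 0
```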
11. Log in to Cisco ISE.
Thank you for reading [2024][CISCO ISE#2] Updating the ISE server patch.
6. Copy the fortinet folder into the /opt/unetlab/addons/qemu/ folder on the right.
7. Connect to EVE-NG with PuTTY or SecureCRT and enter the following:
IP:
ID:
Password:
8. Check the folder.
root@eve-ng:~# cd /opt/unetlab/addons/qemu/
root@eve-ng:/opt/unetlab/addons/qemu# ls -ls | grep fortinet
4 drwxr-xr-x 2 root root 4096 Jun 8 11:06 fortinet-FGT-v6-4-build1579
4 drwxr-xr-x 2 root root 4096 Jun 8 11:06 fortinet-FGT-v7.0.3build0237
root@eve-ng:/opt/unetlab/addons/qemu#
9. Check the file name.
root@eve-ng:/opt/unetlab/addons/qemu# cd fortinet-FGT-v6-4-build1579/
root@eve-ng:/opt/unetlab/addons/qemu/fortinet-FGT-v6-4-build1579# ls
virtioa.qcow2
10. Fix the permissions.
The folder you run this from does not matter.
root@eve-ng:/opt/unetlab/addons/qemu# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
11. Connect to EVE-NG.
http://192.168.40.128
12. After logging in, add a node.
template: fortinet fortigate
image: fortinet-FGT-v7
icon: Firewall
Then click the Save button.
13. This time, add a Network.
14. Type: Management(Cloud0)
Icon: Cloud
Click the Save button.
15. Connect the cable to Fortinet port1 and click the Save button.
16. Click the Start button to boot the device.
17. The device turns blue and booting proceeds.
Wait until booting completes.
18. Log in.
ID: admin
Password: none
19. After logging in, enter a new password.
FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-VM64-KVM #
20. Configure the basic interface settings.
FortiGate-VM64-KVM # show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 1
    next
end
By default the interface uses DHCP.
Check which IP it actually received.
FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit ?
name    Name.
fortilink    static    0.0.0.0 0.0.0.0    10.255.1.1 255.255.255.0      up    disable    aggregate    enable
l2t.root     static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    tunnel       enable
naf.root     static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    tunnel       disable
port1        dhcp      0.0.0.0 0.0.0.0    192.168.40.134 255.255.255.0  up    disable    physical     enable
port2        static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    physical     enable
port3        static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    physical     enable
port4        static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    physical     enable
ssl.root     static    0.0.0.0 0.0.0.0    0.0.0.0 0.0.0.0               up    disable    tunnel       enable
You can see that port1 has the IP 192.168.40.134.
I want to connect over http rather than https, so I add set allowaccess http as below.
FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit port1

FortiGate-VM64-KVM (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 1
    next
end

FortiGate-VM64-KVM (port1) # set allowaccess http

FortiGate-VM64-KVM (port1) # end
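As an added example (not the post's own code), the following Python parses the port1 block above, models the FortiOS CLI semantics for a multi-value option (`set` replaces the whole allowaccess list, `append` adds to it, `unset` clears it), and reports which of the resulting management services accept logins in cleartext. The configuration text is constructed from the output above; `apply_cli` is a hypothetical helper that models only the allowaccess option.

```python
# Added example (not from the post): effect of `set allowaccess http` on port1.
import re

# Constructed excerpt modelled on the `show system interface port1` output above.
PORT1_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
    next
end
"""

# Management services that carry credentials unencrypted.
CLEARTEXT = {"http", "telnet"}

def parse_allowaccess(config_text):
    """Return the allowaccess service list from a `config system interface` block."""
    for line in config_text.splitlines():
        m = re.match(r"^\s*set allowaccess\s+(.+)$", line)
        if m:
            return m.group(1).split()
    return []

def apply_cli(services, command):
    """Model FortiOS multi-value semantics for allowaccess: `set` replaces the
    list, `append` adds missing values, `unset` clears. Returns the new list."""
    verb, option, *values = command.split()
    if option != "allowaccess":
        raise ValueError("only the allowaccess option is modelled here")
    if verb == "set":
        return list(values)
    if verb == "append":
        return services + [v for v in values if v not in services]
    if verb == "unset":
        return []
    raise ValueError(f"unsupported verb: {verb}")

def cleartext_services(services):
    """Enabled management services from the CLEARTEXT set, sorted."""
    return sorted(s for s in services if s in CLEARTEXT)

if __name__ == "__main__":
    before = parse_allowaccess(PORT1_CONFIG)
    print("set    ->", apply_cli(before, "set allowaccess http"))
    print("append ->", apply_cli(before, "append allowaccess http"))
```

Running it shows that `set allowaccess http` leaves only http on port1 (ssh and https are gone), whereas `append allowaccess http` keeps the existing services and adds http.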
21. Connect to http://192.168.40.134.
Log in.
22. The login succeeds and the FortiGate firewall is running.
Thank you for reading [2024][EVE-NG #13] Installing the FortiGate firewall.