Choice: Booting Junos in CLI recovery mode ...
Verified /boot/manifest signed by PackageProductionECP256_2021
Verified /boot/loader.rc
Verified /boot/support.4th
Verified /boot/load-dtb.4th
Verified /boot/platform.4th
Verified /boot/platform-load-dtb.4th
netstack/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/os-kernel/kernel
Verified /packages/sets/active/boot/os-vmguest/init.4th
Verified /packages/sets/active/boot/junos-modules/init.4th
Verified /packages/sets/active/boot/junos-net-platform/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/junos-vmguest-platform/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/os-kernel/../manifest signed by PackageProdu
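When booting completes, you land directly at the root> prompt without logging in.
Change the password, then reboot.
The reboot is needed because the system is currently in password recovery mode.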
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE: configure
NOTE: set system root-authentication plain-text-password
NOTE: (enter the new password when asked)
NOTE: commit
NOTE: exit
NOTE: exit
NOTE: When you exit the CLI, you will be in a shell.
Starting CLI ...
root> configure
root# set system root-authentication plain-text-password
New password:
error: require change of case, digits or punctuation
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root@srx# exit
Exiting configuration mode
root@srx> request system reboot
Reboot the system ? [yes,no] (no) yes
Jun 23 11:12:02 shutdown 16997 - - reboot requested by root at Sun Jun 23 11:12:02 2024
Shutdown NOW!
[pid 16997]
Jun 23 11:12:02 shutdown 16997 - - reboot by root:
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0
Wait until booting completes.
Log in with the password that was changed in password recovery mode.
Then check the IP address of interface ge-0/0/0.
Password recovery changes only the password. All other settings remain as they were.
login: root
Password:
Last login: Sun Jun 23 10:42:33 on ttyu0
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@srx:~ # ci
ci: Command not found.
root@srx:~ # cli
root@srx> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
ge-0/0/1                up    up
ge-0/0/2                up    up
Thank you for reading [2024][Juniper SRX #16] password recovery.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system or
                  ^
syntax error.
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
Configuring 192.168.1.1/24 on ge-0/0/0
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
root# run show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
As the output above shows, the setting is not applied until you commit.
How to check which changes are waiting to be committed
root# show | compare
[edit]
+  interfaces {
+      ge-0/0/0 {
+          unit 0 {
+              family inet {
+                  address 192.168.1.1/24;
+              }
+          }
+      }
+  }
[edit]
root#
If you exit at this point, the settings above are lost.
root# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes)
Select no.
commit check verifies that the configuration is valid before you commit. If you commit directly without commit check and the configuration has a problem, an error message is printed and the commit fails.
root# commit check
configuration check succeeds
[edit]
root#
Run commit
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Reboot. On Juniper, a commit both applies and saves the configuration.
Let's reboot and check that the configuration persists.
request system reboot
Wait until booting completes.
root> request system reboot
Reboot the system ? [yes,no] (no) yes
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
Stopping cron. .
After booting completes, checking the IP address of interface ge-0/0/0 shows that the configuration is still in place.
login: root
Password:
Last login: Sun Jun 23 09:53:36 on ttyu0
commit confirmed - change the host name to firewall and commit. If no further commit follows within 10 minutes, the configuration returns to its previous state.
root@srx# set system host-name firewall
[edit]
root@srx# commit ?
Possible completions:
  <[Enter]>            Execute this command
  activate             Activate a previously prepared commit
  and-quit             Quit configuration mode if commit succeeds
  at                   Time at which to activate configuration changes
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  peers-synchronize    Synchronize commit on remote peers
  prepare              Prepare for an upcoming commit activation
  |                    Pipe through a command
[edit]
root@srx# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 10 minutes
[edit]
root@firewall#
For the test, wait 10 minutes. With no commit within 10 minutes, host-name changes back to its previous value, srx.
No commit was made within 10 minutes, so the configuration was rolled back to the previous one.
Broadcast Message from root@srx (no tty) at 10:25 UTC...
Commit was not confirmed; automatic rollback complete.
[edit]
root@srx#
This time, for the test, use commit confirmed 1 and run commit within 1 minute.
Even after 1 minute has passed, the configuration is not rolled back.
root@srx# set system host-name firewall
[edit]
root@srx# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 1 minute
[edit]
root@firewall# commit
commit complete
[edit]
root@firewall#
Let's test commit at.
The commit is executed at 12:00:00.
[edit]
root@firewall# set system host-name srxsrx
root@firewall# commit at 12:00:00
configuration check succeeds
commit at will be executed at 2024-06-23 12:00:00 UTC
The configuration has been changed but not committed
Exiting configuration mode
root@firewall>
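Next, let's look at rollback.
Restoring the configuration (rollback)
Rollback restores an earlier configuration (it is complete only after you commit following the rollback).
A rollback point is created every time you commit.
rollback 0 - discards the changes made since the last commit
rollback 1 - restores the configuration from before the last commit
rollback 2 - restores the configuration from before the second-to-last commit
A rollback point is created on every commit; this command shows when each one was created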
Possible completions:
  <revision>           Rollback to given configuration revision
  re0-1719138399-8     2024-06-23 10:26:40 UTC by root via cli
  re0-1719138393-7     2024-06-23 10:26:36 UTC by root via cli commit confirmed, rollback in 1mins
  re0-1719138344-6     2024-06-23 10:25:47 UTC by root via other
  re0-1719137740-5     2024-06-23 10:15:43 UTC by root via cli commit confirmed, rollback in 10mins
  re0-1719137710-4     2024-06-23 10:15:13 UTC by root via cli
  re0-1719137288-3     2024-06-23 10:08:11 UTC by root via cli
  re0-1719136430-2     2024-06-23 09:54:02 UTC by root via cli
  re0-1719135583-1     2024-06-23 09:41:04 UTC by root via other
[edit]
root@firewall# rollback revision
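This time: [2024][Juniper SRX #14] changing firewall policy order.
When there are several firewall policies, they are always evaluated from the top down to decide whether traffic is permitted or blocked.
That is why firewall policy order is very important.
In addition, unless you change the order, a new firewall policy is added at the bottom.
Let's go through the details while testing.
*** Important ***
1. Juniper SRX is a stateful firewall.
If a firewall policy permits the outgoing traffic, the return traffic is permitted automatically.
The details will be covered later in another lesson.
2. When there are several firewall policies, they are checked one by one from the top down.
3. Even without a deny policy at the bottom, all traffic is blocked by default. In other words, there is a default deny-all policy.
4. When creating a firewall policy:
4-1 match
4-1-1 source-ip
4-1-2 destination-ip
4-1-3 destination application
Enter the match conditions above, then define how matching traffic is handled.
4-2 action
4-2-1 permit - allow
4-2-2 reject - block
4-2-3 log - generate logs. You must also enter the sub-option session-init or session-close.
4-2-3-1 session-init - generate a log when the session starts
4-2-3-2 session-close - generate a log when the session ends
4-2-4 count - provides cumulative usage statistics for traffic matching the policy
permit, log and count can be configured together.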
The topology is as follows.
SRX
ge-0/0/0 - dhcp - untrust
ge-0/0/1 - 192.168.1.1/24 - trust
ge-0/0/2 - 172.16.1.1/24 - dmz
SW01
gi0/0 - 192.168.1.2/24
SW02
gi0/0 - 172.16.1.2/24
Then enable the following services.
http
https
telnet
ssh
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 http permit
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 https permit
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 ssh permit
Delete the existing firewall configuration
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
2. Configure IP addresses on the interfaces.
root# set interfaces ge-0/0/0 unit 0 family inet dhcp
[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24
[edit]
root# commit
Then check the IP addresses on the interfaces.
root# set security zones security-zone untrust
root# set security zones security-zone untrust interfaces ge-0/0/0
root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1
root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2
root# commit
commit complete
root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24                           untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24                              trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24                               dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0                 Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0                 Null
lo0.32768               up    up                                                        Null
root>
Check the IP addresses on the interfaces.
We configured dhcp on ge-0/0/0, but it has no IP address.
The reason is that on the Juniper SRX, DHCP must be allowed on ge-0/0/0 before it can obtain an IP address from the DHCP server.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
To obtain an address via DHCP on ge-0/0/0, allow dhcp under the zone's system-services, and also allow ping for ping testing.
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
Then use show interfaces terse to check the ge-0/0/0 IP address.
It received the IP address 192.168.10.105/24 from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Also allow ping on ge-0/0/1 and ge-0/0/2.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#
Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#
Then configure the default gateway
SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#
Enable the http, https, telnet and ssh services on SW02.
SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#
Now create the firewall policies on the Juniper SRX.
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 http permit
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 https permit
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 ssh permit
Address-book and application
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20
set applications application T-80 protocol tcp
set applications application T-80 source-port 0-65535
set applications application T-80 destination-port 80
set applications application T-80 inactivity-timeout 20
set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20
Create the policies
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
Check the firewall policy order
root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
How to check the firewall policy order
The order is the order in which the firewall policies were created.
The default policy is deny-all. It does not appear in the sequence, but the Default policy: line shows deny-all.
If nothing matches after the firewall policies have been checked from top to bottom, the default policy, deny-all, is applied.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
Let's test from SW01 to SW02.
192.168.1.2 -> 172.16.1.2 http - success
192.168.1.2 -> 172.16.1.2 https - success
192.168.1.2 -> 172.16.1.2 ssh - success
192.168.1.2 -> 172.16.1.2 telnet - failure: there is no firewall policy for it, so default policy - deny-all
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 09:04:47 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#ssh -l cisco 172.16.1.2
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding
Check hit-count. Note that the Index number here does not indicate the firewall policy order.
root> show security policies hit-count
Logical system: root-logical-system
Index   From zone   To zone   Name                  Policy count   Action
1       trust       dmz       trust-to-dmz-ssh      1              Permit
2       trust       dmz       trust-to-dmz-http     1              Permit
3       trust       dmz       trust-to-dmz-https    1              Permit
To check the firewall policy order, create a deny-any policy. For visibility, create an explicit deny-all policy and configure it to count and log.
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then count
Check the firewall policy order - a firewall policy created without any special command is placed at the bottom.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
root>
If you create another firewall policy in this state, it is created below the deny policy.
For the test, create a firewall policy that permits telnet from 192.168.1.2 to 172.16.1.2.
set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
commit
The telnet permit policy was created below the deny-any policy.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
after - places the new firewall policy after a given policy.
before - places the new firewall policy before a given policy.
Let's place it before trust-to-dmz-deny-all.
insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet ?
Possible completions:
  after                Insert after given data element
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  before               Insert before given data element
> match                Specify security policy match-criteria
> then                 Specify policy action to take when packet match criteria
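The first-match behaviour described above, as an added example that is not part of the original post: the script parses display set lines for this page's trust-to-dmz policies in creation order, evaluates a flow top-down with the implicit deny-all, reports policies shadowed by an earlier rule, and models the effect of insert ... before. The function names and the reduction of an application to its destination port are assumptions of this sketch; the SRX itself also matches protocol and source port.

```python
import ipaddress

# Constructed input: this page's objects and trust-to-dmz policies as `display set`
# lines, in creation order (log/count lines mostly trimmed). trust-to-dmz-telnet was
# created last, so it sits below trust-to-dmz-deny-all.
P = "set security policies from-zone trust to-zone dmz policy"
DISPLAY_SET = f"""
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-80 destination-port 80
set applications application T-443 destination-port 443
set applications application T-22 destination-port 22
set applications application T-23 destination-port 23
{P} trust-to-dmz-http match source-address H-192.168.1.2/32
{P} trust-to-dmz-http match destination-address H-172.16.1.2/32
{P} trust-to-dmz-http match application T-80
{P} trust-to-dmz-http then permit
{P} trust-to-dmz-http then log session-init
{P} trust-to-dmz-https match source-address H-192.168.1.2/32
{P} trust-to-dmz-https match destination-address H-172.16.1.2/32
{P} trust-to-dmz-https match application T-443
{P} trust-to-dmz-https then permit
{P} trust-to-dmz-ssh match source-address H-192.168.1.2/32
{P} trust-to-dmz-ssh match destination-address H-172.16.1.2/32
{P} trust-to-dmz-ssh match application T-22
{P} trust-to-dmz-ssh then permit
{P} trust-to-dmz-deny-all match source-address any
{P} trust-to-dmz-deny-all match destination-address any
{P} trust-to-dmz-deny-all match application any
{P} trust-to-dmz-deny-all then deny
{P} trust-to-dmz-telnet match source-address H-192.168.1.2/32
{P} trust-to-dmz-telnet match destination-address H-172.16.1.2/32
{P} trust-to-dmz-telnet match application T-23
{P} trust-to-dmz-telnet then permit
"""

def parse(config):
    """Return (addresses, applications, policies); policies keep configuration order."""
    addrs = {"any": ipaddress.ip_network("0.0.0.0/0")}
    apps = {"any": None}            # None means "every destination port"
    policies = {}                   # dict insertion order == evaluation order
    for line in config.strip().splitlines():
        w = line.split()
        if w[:5] == ["set", "security", "address-book", "global", "address"]:
            addrs[w[5]] = ipaddress.ip_network(w[6])
        elif w[:3] == ["set", "applications", "application"] and w[4] == "destination-port":
            apps[w[3]] = int(w[5])
        elif w[:3] == ["set", "security", "policies"] and w[7] == "policy":
            pol = policies.setdefault(w[8], {"name": w[8]})
            if w[9] == "match":
                pol[w[10]] = w[11]
            elif w[9] == "then" and w[10] in ("permit", "deny", "reject"):
                pol["action"] = w[10]   # log/count do not change the verdict
    return addrs, apps, list(policies.values())

def covers(addrs, apps, outer, inner):
    """True if every flow that matches `inner` also matches `outer`."""
    return (addrs[inner["source-address"]].subnet_of(addrs[outer["source-address"]])
            and addrs[inner["destination-address"]].subnet_of(addrs[outer["destination-address"]])
            and apps[outer["application"]] in (None, apps[inner["application"]]))

def first_match(addrs, apps, policies, src, dst, port):
    """Top-down evaluation; falls through to the implicit default deny-all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if (src in addrs[pol["source-address"]] and dst in addrs[pol["destination-address"]]
                and apps[pol["application"]] in (None, port)):
            return pol["name"], pol["action"]
    return "default-policy", "deny"

def shadowed(addrs, apps, policies):
    """(policy, earlier policy) pairs where the later one can never be reached."""
    found = []
    for i, pol in enumerate(policies):
        earlier = next((q for q in policies[:i] if covers(addrs, apps, q, pol)), None)
        if earlier:
            found.append((pol["name"], earlier["name"]))
    return found

def insert_before(policies, name, anchor):
    """Model `insert ... policy NAME before policy ANCHOR` on a copy of the list."""
    moved = next(p for p in policies if p["name"] == name)
    rest = [p for p in policies if p["name"] != name]
    idx = next(i for i, p in enumerate(rest) if p["name"] == anchor)
    return rest[:idx] + [moved] + rest[idx:]

if __name__ == "__main__":
    addrs, apps, pols = parse(DISPLAY_SET)
    print("telnet as created:", first_match(addrs, apps, pols, "192.168.1.2", "172.16.1.2", 23))
    print("shadowed:", shadowed(addrs, apps, pols))
    fixed = insert_before(pols, "trust-to-dmz-telnet", "trust-to-dmz-deny-all")
    print("telnet after insert:", first_match(addrs, apps, fixed, "192.168.1.2", "172.16.1.2", 23))
```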
나가는 Traffic을 허용하는 방화벽 정책이 있으면 Return되는 Traffic은 자동으로 허용됩니다.
자세한 내용은 나중에 다른 강좌에서 설명 하겠습니다.
2. 방화벽이 정책이 여러개가 있다면 맨 위에서부터 아래로 차근차근 방화벽 정책을 확인합니다.
3. 맨 아래 deny 정책이 없어도 default로 모든 traffic은 차단됩니다. - 즉 default deny all이라는 정책이 있습니다.
4. 방화벽 정책을 만들 때에는,
4-1 match
4-1-1 source-ip
4-1-2 destination-ip
4-1-3 destination application
위에 조건문을 입력하고 어떻게 처리할 것인지 정의 ㅎ합니다
4-2 action
4-2-1 permit - 허용
4-2-2 reject - 차단
4-2-3 log - 로그 생성 - 꼭 하위옵션 session-init/close 명령어를 추가로 입력해야 합니다.
4-2-3-1 session-init - 세션이 시작될 때 로그 생성
4-2-3-2 session-close - 세션이 종료될 때 로그 생성
4-2-4 count - 해당조건 트래픽 누적 치 사용량 정보 제공
permit, log, count를 동시에 설정 가능 합니다.
SRX side
1. 기존 설정값을 다 삭제합니다.
root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes
[edit] root# set system root-authentication plain-text-password New password: Retype new password:
[edit] root# commit commit complete
2. Inteface에 IP주소를 설정합니다.
root# set interfaces ge-0/0/0 unit 0 family inet dhcp
[edit] root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
[edit] root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24
[edit] root# commit
그리고 Interface에 IP주소를 확인합니다.
root# set security zones security-zone unturst root# set security zones security-zone untrust interfaces ge-0/0/0
root# set security zones security-zone trust root# set security zones security-zone trust interfaces ge-0/0/1
root# set security zones security-zone dmz root# set security zones security-zone dmz interfaces ge-0/0/2
root# commit commit complete
root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security
root> show interfaces zone terse Interface Admin Link Proto Local Remote Zone ge-0/0/0.0 up up inet 192.168.10.105/24 untrust sp-0/0/0.0 up up inet inet6 Null sp-0/0/0.16383 up up inet Null ge-0/0/1.0 up up inet 192.168.1.1/24 trust ge-0/0/2.0 up up inet 172.16.1.1/24 dmz lo0.16384 up up inet 127.0.0.1 --> 0/0 Null lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 Null lo0.32768 up up Null
root>
Interface에 IP주소를 확인합니다.
저희가 ge-0/0/0 dhcp 설정하였으나 IP주소가 없습니다.
그 이유는 Juniper SRX은 ge-0/0/0 dhcp 기능을 허용해 주어야지 IP주소를 DHCP에서 받아 올 수 있습니다.
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 192.168.1.1/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 172.16.1.1/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up
To let ge-0/0/0 obtain an address via DHCP, allow dhcp under the zone's host-inbound-traffic system-services, and also allow ping for the ping test.
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
Then use show interfaces terse to check the ge-0/0/0 IP address.
The interface received the IP address 192.168.10.105/24 from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Allow ping on ge-0/0/1 and ge-0/0/2 as well.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#
Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#
Then configure the default gateway.
SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#
To test the firewall policies, enable http, https, telnet, and ssh on SW01 and SW02.
SW01(config)#ip http server
SW01(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
SW01(config)#ip domain-name cisco
SW01(config)#crypto key generate rsa
The name for the keys will be: SW01.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
SW01(config)#line vty 0 15
SW01(config-line)#login local
SW01(config-line)#transport input all
Configure SW02 the same way.
SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#
First, to confirm that http, https, telnet, and ssh work properly, set the Juniper SRX firewall policy to any/any and run the tests.
Allow all traffic from the trust zone to the dmz zone.
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match source-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match destination-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match application any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then count
Ping from SW01 in the trust zone to SW02 in the dmz zone
SW01#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/126 ms
SW01#
Try http, https, telnet, and ssh from SW01 in the trust zone to SW02 in the dmz zone
telnet 172.16.1.2 80 - http succeeded
telnet 172.16.1.2 443 - https succeeded
telnet 172.16.1.2 23 - telnet succeeded
ssh -l cisco 172.16.1.2 - ssh succeeded
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:37:36 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * **************************************************************************
User Access Verification
Username: cisco Password: ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** SW02#
SW01#
SW01#ssh -l cisco 172.16.1.2
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** Password:
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * **************************************************************************SW02# SW02# SW02#
Ping from SW02 in the dmz zone to SW01 in the trust zone.
It fails because the Juniper SRX has no firewall policy from the dmz zone to the trust zone.
SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#
For testing, configure an any policy from the dmz zone to the trust zone.
set security policies from-zone dmz to-zone trust policy dmz-to-trust match source-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match application any
set security policies from-zone dmz to-zone trust policy dmz-to-trust then permit
set security policies from-zone dmz to-zone trust policy dmz-to-trust then log session-init
set security policies from-zone dmz to-zone trust policy dmz-to-trust then count
Ping from SW02 in the dmz zone to SW01 in the trust zone.
SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/15 ms
SW02#
Try http, https, telnet, and ssh from SW02 in the dmz zone to SW01 in the trust zone
telnet 192.168.1.2 80 - http succeeded
telnet 192.168.1.2 443 - https succeeded
telnet 192.168.1.2 23 - telnet succeeded
ssh -l cisco 192.168.1.2 - ssh succeeded
SW02#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:49:11 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2 443
Trying 192.168.1.2, 443 ... Open
^C^[[A
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * **************************************************************************
User Access Verification
Username: cisco Password: ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** SW01#
SW01#ssh -l cisco 192.168.1.2
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** Password:
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** SW01#exit
[Connection to 192.168.1.2 closed by foreign host] SW01#
How to check the hit count of Juniper SRX firewall policies
root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trsut-to-dmz   9             Permit
2       dmz              trust             trsut-to-dmz   8             Permit
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20
set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20
Create the firewall policy.
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
commit
How to check the firewall policies
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: dmz, To zone: trust
  Policy: trsut-to-dmz, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
From zone: trust, To zone: dmz
  Policy: trust-to-dmz, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23, T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
root>
How to check the firewall policy configuration - full
root> show configuration security | display set | no-more
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0
root>
How to check only the firewall policies from the trust zone to the dmz zone
root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
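The display set output above still carries the any/any/any test policy from dmz to trust next to the tightened trust-to-dmz policy. The following added example (not part of the original post) parses display set lines and reports permit policies that are wider than intended or that do not log; the lab-p1 policy in the sample is constructed for illustration, and the function names are hypothetical.

```python
import re

# Policy lines copied from the "display set" output on this page, plus one
# constructed policy (lab-p1, not on the page) to exercise the other checks.
SAMPLE_CONFIG = """\
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security policies from-zone trust to-zone untrust policy lab-p1 match source-address any
set security policies from-zone trust to-zone untrust policy lab-p1 match destination-address any
set security policies from-zone trust to-zone untrust policy lab-p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy lab-p1 then permit
set security zones security-zone trust host-inbound-traffic system-services ping
"""

MATCH_FIELDS = ("source-address", "destination-address", "application")

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match|then) (\S+)(?: (\S+))?$"
)


def parse_policies(text):
    """Return {(from_zone, to_zone, name): policy dict} from display-set lines."""
    policies = {}
    for raw in text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # not a security-policy line (zones, address-book, ...)
        from_zone, to_zone, name, section, key, value = m.groups()
        policy = policies.setdefault(
            (from_zone, to_zone, name),
            {"source-address": set(), "destination-address": set(),
             "application": set(), "actions": set(), "log": set()},
        )
        if section == "match" and key in MATCH_FIELDS:
            policy[key].add(value)
        elif section == "then" and key == "log":
            policy["log"].add(value)      # session-init / session-close
        elif section == "then":
            policy["actions"].add(key)    # permit, deny, reject, count
    return policies


def audit(policies):
    """Return (policy, finding) tuples for permit policies worth reviewing."""
    findings = []
    for (from_zone, to_zone, name), p in sorted(policies.items()):
        if "permit" not in p["actions"]:
            continue
        where = f"{from_zone}->{to_zone} {name}"
        wide = [f for f in MATCH_FIELDS if "any" in p[f]]
        if len(wide) == len(MATCH_FIELDS):
            findings.append((where, "permits any source, destination and application"))
        elif wide:
            findings.append((where, "permit with 'any' in " + ", ".join(wide)))
        if not p["log"]:
            findings.append((where, "permit without session logging"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(parse_policies(SAMPLE_CONFIG)):
        print(f"{where}: {finding}")
```

Run against this lab, it flags the dmz to trust test policy, which should be removed or narrowed once the connectivity tests are finished.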
Let's test it.
Firewall policy from SW01 (trust zone) to SW02 (dmz zone)
1. 192.168.1.2 -> 172.16.1.2 https allowed
2. 192.168.1.2 -> 172.16.1.2 telnet allowed
3. 192.168.1.2 -> 172.16.1.2 http blocked
4. 192.168.1.2 -> 172.16.1.2 ssh blocked
Everything else is blocked
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^^
v
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * **************************************************************************
User Access Verification
Username: cisco Password: ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** SW02#exit
root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz   2             Permit
2       dmz              trust             trsut-to-dmz   8             Permit
How to check the current firewall flow sessions
Telnet from SW01 to SW02
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open
************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * **************************************************************************
User Access Verification
Username: cisco Password: ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS * * education. IOSv is provided as-is and is not supported by Cisco's * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any * * purposes is expressly prohibited except as otherwise authorized by * * Cisco in writing. * ************************************************************************** SW02#
Check the session state on the Juniper SRX with show security flow session
The standard way refers to ports that are already defined on the Juniper SRX, mainly well-known ports.
set applications application standard-way application-protocol http
root# set applications application KK application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]
Now let's look at the custom method.
Protocol -> tcp
Source-port - 0-65535 -> the source port is chosen at random. Some applications, however, do use a specific source port.
Destination-port - 23
inactivity-timeout - 20 seconds
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
When configuring a firewall policy, you can reference the application as shown below.
set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
If you want to use several applications in a single firewall policy, you can configure it as follows.
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
You have to keep adding application entries to the policy, as shown below.
set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy p1 match application http-1
With an application-set, however, you can add many applications to a single policy.
Assign http-1 and telnet-1 to the application-set.
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1
Then reference the application-set in the firewall policy.
set security policies from-zone trust to-zone untrust policy p1 match application-set app-group
Command to check the application configuration
root> show configuration applications | display set
set applications application standard-way application-protocol http
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1
root>
Thank you for reading [2024][Juniper SRX #12] application and application-set.
This is [2024][Juniper SRX #10] Administrator access restriction settings for MGMT.
You can manage a Juniper SRX by configuring SSH, Telnet, or J-Web, but without access restrictions, hosts in any IP range can connect to the SRX over SSH, Telnet, or J-Web and log in.
If, for security reasons, your organization needs to allow only specific IP ranges to manage the Juniper firewall through the SRX MGMT IP, you can configure it as follows.
Topology
The basic Juniper SRX configuration is as follows.
root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
The basic Cisco switch configuration.
Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh
Check the Juniper interface status.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Check the Cisco interfaces.
SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Juniper SRX fxp0 IP: 192.168.10.220
Cisco Gi0/0 IP: 192.168.10.104
Ping the Juniper fxp0 from the Cisco switch.
SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#
Telnet test - works normally.
SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15
SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #
The Cisco switch's current IP address is 192.168.10.104; let's configure access control so that only 192.168.10.105 can connect to the Juniper SRX.
1. Enter the allowed IP address. To allow several IPs, enter several entries.
set policy-options prefix-list manager-ip 192.168.10.105/32
2. Create a filter policy using that IP.
IP: 192.168.10.105
Protocol: tcp
Destination port: telnet https ssh
Only the above is allowed. Everything else is blocked.
set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard
3. Apply the filter to the MGMT interface fxp0.
set interfaces fxp0 unit 0 family inet filter input manager-ip
commit
Then apply the configuration.
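To see what the manager-ip filter does to traffic arriving on fxp0, the following added example (not part of the original post) parses the set commands above and evaluates them term by term. It assumes standard Junos stateless filter semantics: the conditions in a term are ANDed, several values of one condition are ORed, from prefix-list matches the source or the destination address, and the first matching term decides; the sample packets and function names are constructed for illustration.

```python
import ipaddress

# Filter and prefix-list exactly as configured on this page.
FILTER_CONFIG = """\
set policy-options prefix-list manager-ip 192.168.10.105/32
set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard
"""

# Only the port names that appear in the filter above.
PORT_NAMES = {"ssh": 22, "telnet": 23, "https": 443}

SRX = "192.168.10.220"  # fxp0 address from the page

# Constructed packets arriving on fxp0 (input direction).
SAMPLE_PACKETS = [
    ("telnet from 192.168.10.104", {"src": "192.168.10.104", "dst": SRX, "proto": "tcp", "dport": 23}),
    ("telnet from 192.168.10.105", {"src": "192.168.10.105", "dst": SRX, "proto": "tcp", "dport": 23}),
    ("ssh from 192.168.10.105", {"src": "192.168.10.105", "dst": SRX, "proto": "tcp", "dport": 22}),
    ("http from 192.168.10.105", {"src": "192.168.10.105", "dst": SRX, "proto": "tcp", "dport": 80}),
    ("ping from 192.168.10.105", {"src": "192.168.10.105", "dst": SRX, "proto": "icmp"}),
    ("udp/68 reply from 192.168.10.253", {"src": "192.168.10.253", "dst": SRX, "proto": "udp", "dport": 68}),
]


def parse_filter_config(config):
    """Return (prefix_lists, filters); terms keep their configured order."""
    prefix_lists, filters = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "policy-options", "prefix-list"] and len(tok) == 5:
            prefix_lists.setdefault(tok[3], []).append(ipaddress.ip_network(tok[4]))
        elif tok[:3] == ["set", "firewall", "filter"] and len(tok) >= 8 and tok[4] == "term":
            term = filters.setdefault(tok[3], {}).setdefault(tok[5], {"from": {}, "then": None})
            if tok[6] == "from" and len(tok) == 9:
                term["from"].setdefault(tok[7], []).append(tok[8])
            elif tok[6] == "then":
                term["then"] = tok[7]
    return prefix_lists, filters


def _condition_matches(cond, values, pkt, prefix_lists):
    if cond == "prefix-list":  # matches source OR destination address
        nets = [n for v in values for n in prefix_lists.get(v, [])]
        return any(ipaddress.ip_address(pkt[k]) in n for k in ("src", "dst") for n in nets)
    if cond == "protocol":
        return pkt["proto"] in values
    if cond == "destination-port":
        ports = {PORT_NAMES[v] if v in PORT_NAMES else int(v) for v in values}
        return pkt.get("dport") in ports
    raise ValueError(f"condition not modelled: {cond}")


def evaluate(filter_name, pkt, prefix_lists, filters):
    """Return (action, term) for the first term whose conditions all match."""
    for term_name, term in filters[filter_name].items():
        if all(_condition_matches(c, v, pkt, prefix_lists) for c, v in term["from"].items()):
            return term["then"], term_name
    return "discard", "(implicit)"  # end of filter: implicit discard


def run_samples():
    prefix_lists, filters = parse_filter_config(FILTER_CONFIG)
    return [(label,) + evaluate("manager-ip", pkt, prefix_lists, filters)
            for label, pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, action, term in run_samples():
        print(f"{label:34} {action:8} ({term})")
```

The results show that the final discard term also drops ICMP and UDP arriving on fxp0, so the earlier ping test to 192.168.10.220 no longer succeeds from any address, including the allowed one, and because the filter is stateless, replies to connections the SRX itself opens out of fxp0 are dropped as well.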
Cisco Side
Try Telnet. The Telnet connection fails because of the Juniper filter policy.
Let's change the Cisco switch's IP address to 192.168.10.105 and then try Telnet and SSH.
SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh
SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.105  YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Telnet attempt - telnet succeeds because the IP is allowed.
SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104
On the Juniper SRX, fxp0 is the MGMT interface. Let's configure an IP address on it and connect from outside over SSH or Telnet.
The topology is as follows.
First, delete the existing configuration.
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
commit complete
[edit]
root# commit
commit complete
Assign an IP address to fxp0.
If DHCP is available, the interface can obtain an IP address automatically; alternatively, you can configure it manually.
Obtaining an IP address via DHCP
root# set interfaces fxp0 unit 0 family inet dhcp
[edit]
root# commit
Checking the interface IP
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Configuring the IP address manually
delete interfaces fxp0 unit 0 family inet dhcp
commit
root# set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
[edit]
root# commit
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Configure SSH on the Juniper SRX.
root# set system services ssh root-login allow
[edit]
root# commit
commit complete
Test the connection from a laptop using PuTTY or CRT.
It works normally.
Next, configure Telnet.
root# set system services telnet
[edit]
root# commit
commit complete
By default, Telnet does not allow root login. Attempting to log in with the root account fails.
If you have to use Telnet, create a separate user.
root# set system login user juniper class super-user
[edit]
root# set system login user juniper authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
The juniper account has been created; now try logging in with it.
The login succeeds.
Juniper SRX supports web-based configuration of the firewall. Next, let's configure J-Web.
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
To test, enter the fxp0 IP address.
Thank you for reading [2024][Juniper SRX #9] Configuring SSH, Telnet and web-management.
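The statements used in this post (root login over SSH, Telnet, a super-user account), together with the FTP and HTTP J-Web statements that appear in this lab's `show configuration | display set` output elsewhere on the page, all widen the management plane, so it is worth checking for them before a lab configuration is reused anywhere else. The Python script below is an added example, not part of the original post; the rule IDs, function names and sample text are assumptions for illustration, and the sample is constructed from statements shown on this page.

```python
"""Flag management-plane statements in Junos 'display set' output."""

# (rule ID, statement prefix as tokens after 'set', why it matters)
RULES = [
    ("ROOT_SSH", ("system", "services", "ssh", "root-login", "allow"),
     "root can log in directly over SSH"),
    ("TELNET", ("system", "services", "telnet"),
     "Telnet carries credentials in cleartext"),
    ("FTP", ("system", "services", "ftp"),
     "FTP carries credentials in cleartext"),
    ("JWEB_HTTP", ("system", "services", "web-management", "http"),
     "J-Web is reachable over unencrypted HTTP"),
]

# Constructed sample: statements copied from this page, one with a CLI prompt.
SAMPLE_CONFIG = """\
root# set system services ssh root-login allow
set system services ssh
set system services telnet
set system login user juniper class super-user
set system services ftp
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
"""


def parse_set_statements(text):
    """Return each 'set ...' statement as a tuple of tokens (without 'set').

    A leading prompt such as 'root#' or 'root@srx#' is dropped so that lines
    pasted from a CLI session are handled as well as 'display set' output.
    """
    statements = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].endswith("#"):
            tokens = tokens[1:]
        if tokens and tokens[0] == "set":
            statements.append(tuple(tokens[1:]))
    return statements


def audit(text):
    """Return (rule_id, statement, reason) for every risky statement found."""
    findings = []
    for stmt in parse_set_statements(text):
        line = "set " + " ".join(stmt)
        for rule_id, prefix, reason in RULES:
            # Whole-token comparison: 'https' never matches the 'http' rule.
            if stmt[:len(prefix)] == prefix:
                findings.append((rule_id, line, reason))
        # set system login user <name> class super-user
        if (len(stmt) == 6 and stmt[:3] == ("system", "login", "user")
                and stmt[4:] == ("class", "super-user")):
            reason = f"local account '{stmt[3]}' has full privileges"
            findings.append(("SUPERUSER", line, reason))
    return findings


if __name__ == "__main__":
    for rule_id, line, reason in audit(SAMPLE_CONFIG):
        print(f"{rule_id:10} {reason}\n           {line}")
```

A finding is not automatically a defect in a closed lab like this one; the list is what to review before the same statements reach a reachable management network.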
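Juniper SRX is a zone-based firewall. An interface cannot operate on its own; each interface must belong to a zone, and firewall policies permit or deny traffic based on zones.
This will be covered in more detail later, when testing firewall policies.
The test topology is as follows. The following devices were used:
1. vIOS Switch
2. vSRX
The IP information is as follows: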
SRX:
ge-0/0/0 - 10.1.1.1/24 untrust zone
ge-0/0/1 - 172.16.1.1/24 dmz zone
ge-0/0/2 - 192.168.1.1/24 trust zone
fxp0 - dhcp - management zone
SW1
gi0/0 - 10.1.1.2/24
SW2
gi0/0 - 172.16.1.2/24
SW3
gi0/0 - 192.168.1.2/24
Juniper SRX Zone Types
1. Functional zone (management zone) - dedicates an interface solely to management
Normally fxp0 is the management interface, but when a data interface is to be used for MGMT, this command can configure it to serve only the MGMT role.
2. Security zone - controls traffic between different security zones
3. junos-host - controls traffic between security zones and the Juniper device itself
4. null - discards traffic
Command to list the zones that currently exist:
show security zones terse
root> show security zones terse
Zone                        Type
junos-host                  Security
In the interface list below, fxp0 is the SRX management interface.
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down
root>
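We will have the fxp0 interface obtain its IP address via DHCP.
Let me briefly describe my test lab.
1. My laptop connects to the Palo Alto firewall with GlobalProtect (VPN agent).
2. EVE-NG is installed inside VMware ESXi.
3. The Palo Alto firewall acts as the DHCP server.
So the fxp0 interface can automatically receive an IP address from the Palo Alto firewall.
Alternatively, you can configure it manually.
root# set interfaces fxp0 unit 0 family inet dhcp
[edit]
root# commit
commit complete
Then check the IP address on the interface.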
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up fxp0.0 up up inet 192.168.10.104/24 gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0
Ping test from my PC to SRX fxp0 192.168.10.104.
The ping succeeds.
C:\Users\admin>ping 192.168.10.104
Pinging 192.168.10.104 with 32 bytes of data: Reply from 192.168.10.104: bytes=32 time=4ms TTL=63 Reply from 192.168.10.104: bytes=32 time=5ms TTL=63 Reply from 192.168.10.104: bytes=32 time=7ms TTL=63 Reply from 192.168.10.104: bytes=32 time=14ms TTL=63
Ping statistics for 192.168.10.104: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 4ms, Maximum = 14ms, Average = 7ms
C:\Users\admin>
Setting the fxp0 IP address manually.
set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
Ping test from the PC
C:\Users\admin>ping 192.168.10.104
Pinging 192.168.10.104 with 32 bytes of data: Reply from 192.168.10.104: bytes=32 time=5ms TTL=63 Reply from 192.168.10.104: bytes=32 time=6ms TTL=63 Reply from 192.168.10.104: bytes=32 time=6ms TTL=63 Reply from 192.168.10.104: bytes=32 time=13ms TTL=63
Ping statistics for 192.168.10.104: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 5ms, Maximum = 13ms, Average = 7ms
Command to check which interface is assigned to which zone:
show interfaces zone terse
root> show interfaces zone terse Interface Admin Link Proto Local Remote Zone ge-0/0/0.0 up up inet 10.1.1.1/24 Null sp-0/0/0.0 up up inet inet6 Null sp-0/0/0.16383 up up inet Null fxp0.0 up up inet 192.168.10.104/24 Null lo0.16384 up up inet 127.0.0.1 --> 0/0 Null lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 Null lo0.32768 up up Null
fxp0 is assigned to the null zone by default.
The management functional zone is used when an ordinary data interface is to serve as the MGMT interface.
For testing, let's make ge-0/0/0 a MGMT interface.
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
[edit]
root# set security zones functional-zone management interfaces ge-0/0/0
[edit]
root# commit
commit complete
root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security
root>
Check the zones, and also the zone each interface is assigned to.
root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security
root>
root> show interfaces zone terse Interface Admin Link Proto Local Remote Zone ge-0/0/0.0 up up inet 10.1.1.1/24 Management sp-0/0/0.0 up up inet inet6 Null sp-0/0/0.16383 up up inet Null fxp0.0 up up inet 192.168.10.104/24 Null lo0.16384 up up inet 127.0.0.1 --> 0/0 Null lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 Null lo0.32768 up up Null
root>
For the next test, remove the existing zone assignment of ge-0/0/0.
delete security zones functional-zone management interfaces ge-0/0/0.0
commit
root> show interfaces zone terse Interface Admin Link Proto Local Remote Zone ge-0/0/0.0 up up inet 10.1.1.1/24 Null sp-0/0/0.0 up up inet inet6 Null sp-0/0/0.16383 up up inet Null fxp0.0 up up inet 192.168.10.104/24 Null lo0.16384 up up inet 127.0.0.1 --> 0/0 Null lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 Null lo0.32768 up up Null
root>
2. Security zone - controls traffic between different security zones
Configure IP addresses for the test.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
commit
Check the interfaces.
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 10.1.1.1/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 172.16.1.1/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 192.168.1.1/24 dsc up up fti0 up up fxp0 up up fxp0.0 up up inet 192.168.10.104/24 gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down
root>
Create the zones.
set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz
commit
Verify that the zones were created.
root> show security zones terse
Zone                        Type
management                  Functional
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security
root>
Assign the interfaces to the zones.
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0
commit
Check the interfaces assigned to the zones.
root> show interfaces zone terse | match ge-
ge-0/0/0.0 up up inet 10.1.1.1/24
ge-0/0/1.0 up up inet 172.16.1.1/24
ge-0/0/2.0 up up inet 192.168.1.1/24
root>
To allow ping tests, permit ping in each zone.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
Because the Juniper SRX is a firewall (security) device, packets whose destination is an interface on the SRX itself are blocked by default.
There are two ways to allow them.
1. Allow host-inbound-traffic at the zone level - applies to all interfaces in the zone at once
2. Allow host-inbound-traffic per interface - applied to each interface individually.
root# ...rity-zone trust host-inbound-traffic ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> protocols            Protocol type of incoming traffic to accept
> system-services      Type of incoming system-service traffic to accept
Selecting protocols shows the following.
root# ...rity-zone trust host-inbound-traffic protocols ? Possible completions: all All protocols bfd Bidirectional Forwarding Detection bgp Border Gateway Protocol dvmrp Distance Vector Multicast Routing Protocol igmp Internet Group Management Protocol ldp Label Distribution Protocol msdp Multicast Source Discovery Protocol nhrp Next Hop Resolution Protocol ospf Open Shortest Path First ospf3 Open Shortest Path First version 3 pgm Pragmatic General Multicast pim Protocol Independent Multicast rip Routing Information Protocol ripng Routing Information Protocol next generation router-discovery Router Discovery rsvp Resource Reservation Protocol sap Session Announcement Protocol vrrp Virtual Router Redundancy Protocol [edit]
Selecting system-services shows the following.
root# ...rity-zone trust host-inbound-traffic system-services ? Possible completions: all All system services any-service Enable services on entire port range appqoe APPQOE active probe service bootp Bootp and dhcp relay-agent service dhcp Dynamic Host Configuration Protocol dhcpv6 Enable Dynamic Host Configuration Protocol for IPv6 dns DNS service finger Finger service ftp FTP high-availability High Availability service http Web management service using HTTP https Web management service using HTTP secured by SSL ident-reset Send back TCP RST to IDENT request for port 113 ike Internet Key Exchange lsping Label Switched Path ping service netconf NETCONF service ntp Network Time Protocol service ping Internet Control Message Protocol echo requests r2cp Enable Radio-Router Control Protocol service reverse-ssh Reverse SSH service reverse-telnet Reverse telnet service rlogin Rlogin service rpm Real-time performance monitoring rsh Rsh service snmp Simple Network Management Protocol service snmp-trap Simple Network Management Protocol traps ssh SSH service tcp-encap Tcp encapsulation service telnet Telnet service tftp TFTP traceroute Traceroute service webapi-clear-text Webapi service using http webapi-ssl Webapi service using HTTP secured by SSL xnm-clear-text JUNOScript API for unencrypted traffic over TCP xnm-ssl JUNOScript API service over SSL [edit]
Let's test it.
The topology is as follows.
Juniper
1. ge-0/0/0 - 10.1.1.1/24
2. Create zone Trust
3. Assign ge-0/0/0 to zone Trust
4. Configure OSPF
Cisco
1. Configure g0/0 - 10.1.1.2/24
2. Configure lo0 - 192.168.1.1/24
3. Configure OSPF
Tests
1. Verify the OSPF neighbor relationship between Juniper and Cisco
2. Verify 192.168.1.0/24 in the Juniper routing table
3. Ping from Cisco to the Juniper interface ge-0/0/0 10.1.1.1
The tests above require the host-inbound-traffic feature on the Juniper side.
Juniper Side
1. Reset the configuration.
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
2. Juniper ge-0/0/0: IP 10.1.1.1/24
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
3. Create zone Trust
[edit]
root# set security zones security-zone Trust
[edit]
root# set security zones security-zone Trust interfaces ge-0/0/0
4. Configure OSPF
root# set routing-options router-id 10.1.1.1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0
Cisco Side
1. Assign an IP address to the interface
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#no sw
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config)#router ospf 1
Switch(config-router)#router-id 10.1.1.2
Switch(config-router)#network 0.0.0.0 0.0.0.0 area 0
Test
Ping from Cisco to Juniper ge-0/0/0 10.1.1.1
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
Check the interface status on Cisco and Juniper
Switch#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 10.1.1.2 YES manual up up GigabitEthernet0/1 unassigned YES unset up up GigabitEthernet0/2 unassigned YES unset up up GigabitEthernet0/3 unassigned YES unset up up GigabitEthernet1/0 unassigned YES unset up up GigabitEthernet1/1 unassigned YES unset up up GigabitEthernet1/2 unassigned YES unset up up GigabitEthernet1/3 unassigned YES unset up up Loopback0 unassigned YES unset up up Loopback1 192.168.1.1 YES manual up up Switch#
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 10.1.1.1/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down
root>
All interfaces are up, yet the ping fails.
Juniper Side
Allow ping at the zone level using the host-inbound-traffic system-services command.
root# set security zones security-zone Trust host-inbound-traffic system-services ping
[edit]
root# commit
Try the ping test again from Cisco.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/94 ms
Switch#
Now check the OSPF neighbor on Cisco. The neighbor is in the INIT state, not FULL.
No adjacency forms between Cisco and Juniper.
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Switch#
Juniper Side
Allow OSPF at the zone level using the host-inbound-traffic protocols command.
root# set security zones security-zone Trust host-inbound-traffic protocols ospf
[edit]
root# commit
commit complete
Check the neighbor on Cisco.
The neighbor has formed, as shown below.
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Check the neighbor on Juniper, and check whether 192.168.1.0/24 has been received from Cisco in the routing table.
root> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full      10.1.1.2           1    33
root> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.1.0/24        *[Direct/0] 00:16:43
                    > via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:16:43
                      Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:00:29, metric 2
                    > to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:07:06, metric 1
                      MultiRecv
inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
ff02::2/128        *[INET6/0] 00:44:15
                      MultiRecv
root>
As shown below, the problem is resolved by using host-inbound-traffic at the zone level.
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
This time, let's resolve it by applying host-inbound-traffic to interface ge-0/0/0 within the zone.
Juniper Side
Delete the host-inbound-traffic configured at the zone level.
root# delete security zones security-zone Trust host-inbound-traffic system-services ping
root# delete security zones security-zone Trust host-inbound-traffic protocols ospf
root# commit
commit complete
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Switch#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   FULL/DR         00:00:33    10.1.1.1        GigabitEthernet0/0
Switch#
Check the OSPF neighbor and routing table on Juniper
root> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full      10.1.1.2           1    36
root> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.1.0/24        *[Direct/0] 00:22:05
                    > via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:22:05
                      Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:05:51, metric 2
                    > to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:12:28, metric 1
                      MultiRecv
inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
ff02::2/128        *[INET6/0] 00:49:37
                      MultiRecv
root>
Everything works normally.
Thank you for reading [2024][Juniper SRX #7] host-inbound-traffic.
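The two ways of allowing host-inbound-traffic described in this post interact, and the Python script below works out which services each zone interface actually accepts from a list of `set` statements. It is an added example, not part of the original post. It assumes the documented Junos behaviour that host-inbound-traffic configured on an interface inside a zone replaces the zone-level list for that interface; the function names and the interface-level sample statements are constructed for illustration.

```python
"""Resolve effective host-inbound-traffic per interface from 'set' lines."""
from collections import defaultdict

# Constructed sample 1: the zone-level configuration used in this post.
ZONE_LEVEL = """\
set security zones security-zone Trust interfaces ge-0/0/0
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
"""

# Constructed sample 2: OSPF stays at zone level, ping is set on the interface.
# Assumption: the interface-level list replaces the zone-level one.
INTERFACE_LEVEL = """\
set security zones security-zone Trust host-inbound-traffic protocols ospf
set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
"""


def effective_host_inbound(config_text):
    """Return {interface: {"zone", "source", "allowed"}} for zone members."""
    zone_allow = defaultdict(set)   # zone -> {(kind, name)}
    intf_allow = defaultdict(set)   # (zone, interface) -> {(kind, name)}
    members = defaultdict(list)     # zone -> [interface, ...]
    for raw in config_text.splitlines():
        t = raw.split()
        if t and t[0].endswith("#"):          # drop a pasted CLI prompt
            t = t[1:]
        if t[:4] != ["set", "security", "zones", "security-zone"] or len(t) < 5:
            continue
        zone, rest = t[4], t[5:]
        if rest[:1] == ["host-inbound-traffic"] and len(rest) == 3:
            zone_allow[zone].add((rest[1], rest[2]))
        elif rest[:1] == ["interfaces"] and len(rest) >= 2:
            # 'ge-0/0/0' without a unit means logical unit 0.
            intf = rest[1] if "." in rest[1] else rest[1] + ".0"
            if intf not in members[zone]:
                members[zone].append(intf)
            if rest[2:3] == ["host-inbound-traffic"] and len(rest) == 5:
                intf_allow[(zone, intf)].add((rest[3], rest[4]))
    table = {}
    for zone, intfs in members.items():
        for intf in intfs:
            own = intf_allow.get((zone, intf))
            table[intf] = {
                "zone": zone,
                "source": "interface" if own else "zone",
                "allowed": sorted(own or zone_allow[zone]),
            }
    return table


def accepts(table, intf, kind, name):
    """True if traffic of this kind/name addressed to the SRX is accepted."""
    allowed = table.get(intf, {}).get("allowed", [])   # not in a zone: dropped
    return (kind, name) in allowed or (kind, "all") in allowed


if __name__ == "__main__":
    for label, text in (("zone", ZONE_LEVEL), ("interface", INTERFACE_LEVEL)):
        table = effective_host_inbound(text)
        for intf, info in table.items():
            print(label, intf, info["source"], info["allowed"],
                  "ospf accepted:", accepts(table, intf, "protocols", "ospf"))
```

In the second sample OSPF is no longer accepted on ge-0/0/0.0 even though the zone still lists it, which on the Cisco side would look like the INIT state shown earlier in this post.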
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
2. vSRX side
Create the VLANs.
vlan name: VL10, VL20, VL30
vlan-id: 10, 20, 30
Then verify the VLANs.
root# set vlans VL10 vlan-id 10
[edit]
root# set vlans VL20 vlan-id 20
[edit]
root# set vlans VL30 vlan-id 30
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> show vlans brief
Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10
default-switch          VL20                  20
default-switch          VL30                  30
default-switch          default               1
root>
Set interface ge-0/0/0 to trunk mode.
Then allow only VL10, VL20 and VL30 on it.
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10 members VL20 members VL30
Configure the IRB interfaces.
IRB10 - 10.1.1.1/24
IRB20 - 20.1.1.1/24
IRB30 - 30.1.1.1/24
root# set interfaces irb unit 10 family inet address 10.1.1.1/24
[edit]
root# set interfaces irb unit 20 family inet address 20.1.1.1/24
[edit]
root# set interfaces irb unit 30 family inet address 30.1.1.1/24
[edit]
root# commit
commit complete
[edit]
root#
Map the IRB interfaces to the VLANs.
root# set vlans VL10 l3-interface irb.10
[edit]
root# set vlans VL20 l3-interface irb.20
[edit]
root# set vlans VL30 l3-interface irb.30
[edit]
root# commit
commit complete
[edit]
Check the interface status.
root> show interfaces terse | no-more Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up eth-switch gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up irb.10 up up inet 10.1.1.1/24 irb.20 up up inet 20.1.1.1/24 irb.30 up up inet 30.1.1.1/24 lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down vtep up up
Switch#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 unassigned YES unset up up GigabitEthernet0/1 unassigned YES unset up up GigabitEthernet0/2 unassigned YES unset up up GigabitEthernet0/3 unassigned YES unset up up GigabitEthernet1/0 unassigned YES unset up up GigabitEthernet1/1 unassigned YES unset up up GigabitEthernet1/2 unassigned YES unset up up GigabitEthernet1/3 unassigned YES unset up up Vlan10 10.1.1.2 YES manual up up Vlan20 20.1.1.2 YES manual up up Vlan30 30.1.1.2 YES manual up up Switch#
Try pinging the vSRX from the Cisco switch.
Because the vSRX is a security device, it blocks ICMP packets by default.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX side
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to it.
irb.10 -> trust_vl10
irb.20 -> trust_vl20
irb.30 -> trust_vl30
set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
2. vSRX side
Create the VLAN.
vlan name: VL10
vlan-id: 10
Then verify the VLAN.
root# set vlans VL10 vlan-id 10
root> show vlans
Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10           ge-0/0/0.0*
default-switch          default               1
Change ge-0/0/0 to access mode (untagged mode).
Assign VL10 to the ge-0/0/0 interface.
The interface allows only VLAN 10. Because it is not a tagged port, it cannot allow more than one VLAN.
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
Map VL10 to l3-interface irb.10.
root# set vlans VL10 l3-interface irb.10
Check the interface status.
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up eth-switch gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up irb.10 up up inet 10.1.1.1/24 lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down vtep up up
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
set interfaces irb unit 10 family inet address 10.1.1.1/24
set vlans VL10 vlan-id 10
set vlans VL10 l3-interface irb.10
Cisco Side
Create VLAN 10 and verify it.
Switch(config)#vlan 10
Switch(config-vlan)#end
Switch#show vlan br
*Jun 10 08:47:47.665: %SYS-5-CONFIG_I: Configured from console by consoleie
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to it.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust host-inbound-traffic system-services ping
[edit]
root# commit
commit complete
[edit]
root#
Cisco Side
Try the ping again.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/23/109 ms
Switch#
Thank you for reading [2024][Juniper SRX #5] Interface Configuration - RVI - untagged mode.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
Create three VLANs.
VL10 - 10
VL20 - 20
VL30 - 30
The left side is the VLAN name.
The right side is the VLAN ID.
root# set vlans VL10 vlan-id 10
[edit]
root# set vlans VL20 vlan-id 20
[edit]
root# set vlans VL30 vlan-id 30
[edit]
root#
Configure ge-0/0/0 as a tagging interface. This interface can carry more than one VLAN; that is, traffic for VLANs 10, 20 and 30 configured above can be received on the Juniper ge-0/0/0 tagged port.
root# set interfaces ge-0/0/0 vlan-tagging
[edit]
root# set interfaces ge-0/0/0 unit 10 vlan-id 10
[edit]
root# set interfaces ge-0/0/0 unit 10 family inet address 10.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 20 vlan-id 20
[edit]
root# set interfaces ge-0/0/0 unit 20 family inet address 20.1.1.1/24
[edit]
root# set interfaces ge-0/0/0 unit 30 vlan-id 30
[edit]
root# set interfaces ge-0/0/0 unit 30 family inet address 30.1.1.1/24
Check the interface status.
root> show interfaces terse | match inet
ge-0/0/0.10 up up inet 10.1.1.1/24
ge-0/0/0.20 up up inet 20.1.1.1/24
ge-0/0/0.30 up up inet 30.1.1.1/24
sp-0/0/0.0 up up inet inet6
sp-0/0/0.16383 up up inet
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
Switch#show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 unassigned YES unset up up GigabitEthernet0/1 unassigned YES unset up up GigabitEthernet0/2 unassigned YES unset up up GigabitEthernet0/3 unassigned YES unset up up GigabitEthernet1/0 unassigned YES unset up up GigabitEthernet1/1 unassigned YES unset up up GigabitEthernet1/2 unassigned YES unset up up GigabitEthernet1/3 unassigned YES unset up up Vlan10 10.1.1.2 YES manual up up Vlan20 20.1.1.2 YES manual up up Vlan30 30.1.1.3 YES manual up up Switch#
Try pinging the vSRX from the Cisco switch.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to it.
root# set security zones security-zone trust_vl10 interfaces ge-0/0/0.10
root# set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl20 interfaces ge-0/0/0.20
root# set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl30 interfaces ge-0/0/0.30
root# set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
root# commit
commit complete
Try the ping test again from the Cisco switch.
Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Switch#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#
Thank you for reading [2024][Juniper SRX #4] Interface Configuration - Layer3 Logical Interface.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root#
Configure 10.1.1.1/24 on interface ge-0/0/0.
Then check the IP address with show interfaces terse | match ge-0/0/0.
- set interfaces [interface name] [logical interface number] [protocol type] [IP address/subnet mask]
※ The logical interface number is normally 0, and the protocol types are as follows.
inet: IPv4
inet6: IPv6
mpls: MPLS
ethernet-switching: L2 switching
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
[edit]
root# commit
commit complete
root> show interfaces terse | match ge-0/0/0
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.1.1.1/24
Cisco Switch Side
Switch>en Switch#conf t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#int g0/0 Switch(config-if)#no sw Switch(config-if)#ip add 10.1.1.2 255.255.25 Switch(config-if)#no sh Switch(config-if)#end Switch#show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 10.1.1.2 YES manual up up GigabitEthernet0/1 unassigned YES unset up up GigabitEthernet0/2 unassigned YES unset up up GigabitEthernet0/3 unassigned YES unset up up GigabitEthernet1/0 unassigned YES unset up up GigabitEthernet1/1 unassigned YES unset up up GigabitEthernet1/2 unassigned YES unset up up GigabitEthernet1/3 unassigned YES unset up up Switch# Switch#
Ping test from the Cisco switch to the vSRX
It failed. The reason is that the vSRX is a security device and blocks ping by default.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
Juniper SRX is a zone-based firewall. To use an interface, you must create a zone and assign the interface to it.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust interfaces ge-0/0/0
root# set security zones security-zone trust host-inbound-traffic system-services ping
[edit]
root# commit
commit complete
Cisco Side
Pinging the vSRX interface from the Cisco switch now succeeds, as shown below.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/96/473 ms
Switch#
Thank you for reading [2024][Juniper SRX #3] Interface Configuration - Layer3 Physical Interface.
4. ae: an Aggregated Ethernet port. ae1: the second logical interface
5. reth: a Redundant Ethernet port. reth0: the first Redundant Ethernet port.
After connecting to the device console, you can check this with a command.
Entering show chassis hardware displays the following.
FPC 0
PIC 0
root> show chassis hardware Hardware inventory: Item Version Part number Serial number Description Chassis fd45efae5e05 VSRX Midplane System IO Routing Engine VSRX-2CPU-4G memory FPC 0 BUILTIN BUILTIN FPC PIC 0 VSRX DPDK GE Power Supply 0
Next, let's check the interface ports. When a Juniper SRX is created in EVE-NG, it has four interfaces by default.
ge-0/0/0
ge-0/0/1
ge-0/0/2
fxp0 - MGMT Interface
root> show interfaces terse | grep ge-0/0
ge-0/0/0 up up
ge-0/0/1 up up
ge-0/0/2 up up
If you want to add more interfaces, change the setting as follows.
Enter 8 in the Ethernets field and boot the SRX.
After the device boots, let's check.
ge-0/0/0 through ge-0/0/6 plus fxp0 make a total of eight interfaces.
If you need more interfaces, add them as shown in the screenshot above.
root> show interfaces terse | match ge-0/0
ge-0/0/0 up up
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/3 up up
ge-0/0/4 up up
ge-0/0/5 up up
ge-0/0/6 up up
Thank you for reading [2024][Juniper SRX #2] Interface Numbering.
This mode is used with commands such as show, monitor and request, mainly to check things such as configuration values.
root>
For example, to check interface status:
show interfaces terse
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/2 up up dsc up up fti0 up up fxp0 up up fxp0.0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down
root>
2. configuration mode
To enter this mode, type the configure command in operation mode, as shown below.
To use an operation-mode command from configuration mode, prefix it with run.
root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
[edit]
root#
3. Commands for moving between hierarchy levels
3-1 edit
3-2 top
3-3 up
3-4 exit
Because Juniper runs on a Linux base, it uses Linux's Statement Hierarchy structure.
The top command
We are currently inside interfaces. From here, use the top command to return to the top level.
The top level is configuration mode.
root# edit interfaces
[edit interfaces]
root# top
[edit]
root#
The up command
We are currently at system -> services -> ftp.
The up command moves to the level directly above, services.
root# edit system services ftp
[edit system services ftp]
root#
root# up
[edit system services]
root#
To move up two levels, enter up 2.
[edit system services ftp]
root# up 2
[edit system]
root#
The exit command
It moves up one level.
Also, entering exit at the top level of configuration mode returns to operation mode.
root# edit system
[edit system]
root#
root# exit
[edit]
root#
root# exit
Exiting configuration mode
root>
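4. Command shortcut keys
- Ctrl + p or the Up arrow key: recall the previous command
- Ctrl + n or the Down arrow key: move between previous commands
- Ctrl + a, e: move the cursor to the beginning or end of the command
- Ctrl + w: delete the word before the cursor or the word the cursor is on
5. Commands for adding and deleting configuration
set: command that adds configuration
delete: command that deletes configuration
Let's set the hostname with the set command.
By default Juniper has no root password, so entering commit will not save the changes.
First, set the root password.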
set system root-authentication plain-text-password
Then change the host name.
set system host-name vSRX
Then save the configuration and apply it immediately.
commit
The hostname has changed.
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# set system host-name vSRX
[edit]
root# commit
commit complete
[edit]
root@vSRX#
Now let's use the delete command.
Let's delete the set system services ftp statement.
delete system services ftp
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ftp
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX> configure
Entering configuration mode
[edit]
root@vSRX# delete system services ftp
[edit]
root@vSRX# commit
commit complete
[edit]
root@vSRX# run show configuration | display set | match ftp
[edit]
root@vSRX#
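6. How to use pipe commands
- count: prints the number of lines in the output
- display: changes the format in which configuration values and similar output are shown
    detail: shows examples of additional possible settings as comments in the configuration
    set: shows the configuration in set format
    xml: shows the configuration in XML format
- except: shows all values except a specific value
- find: shows output starting from the first occurrence of a specific value
- match: shows only values that contain a specific value
- no-more: prints all output at once even if it is longer than one page
- hold: when output is longer than one page, shows it one page at a time and does not show --More-- at the end
- save: saves the displayed output directly to a file
    ex) show config | save 20120406.txt
- last: shows the last part of the output
    ex) show log message | last 30 (prints only the last 30 lines)
- trim: removes the given number of characters from the left of the output before showing it
    * show log message
      Apr 6 15:55:22 SRX210 login: Login attempt for user stcon from host 1.1.1.100
    * show log message | trim 15 (removes 15 characters from the left, then prints)
      SRX210 login: Login attempt for user stcon from host 1.1.1.100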
root@vSRX> show configuration | display set
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
---(more)---
Showing the output all at once, without the --(more)-- prompt seen above.
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- find command: prints output starting from the first occurrence of a specific value
Let's print the configuration above from the line containing policies through to the end.
root@vSRX> show configuration | display set | find policies
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- match: shows only values that contain a specific value
Let's show only the lines that contain the word zones.
root@vSRX> show configuration | display set | match zones
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
root@vSRX>
- except: shows all values except a specific value.
Let's print everything except the lines that contain the word zones.
root@vSRX> show configuration | display set | except zones
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set interfaces fxp0 unit 0
root@vSRX>
save - a command that saves the output to a file
Let's save the configuration to a file.
The file name is config_backup.
To check the file, enter the file list command.
root@vSRX> show configuration | display set | save config_backup
Wrote 32 lines of output to 'config_backup'
root@vSRX> file show config_backup
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX>
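A set-format dump saved with | save, such as config_backup above, is easy to audit offline. The following is an added example, not part of the original post: it flags cleartext management services (ftp, telnet, web-management over http) and security policies that permit any source, destination and application. The function name, the finding labels and the trimmed sample text are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the set-format lines shown on this page, with
# the ftp service still enabled, as read back from a saved file such as config_backup.
SAMPLE = """\
set system services ftp
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https interface fxp0.0
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone untrust screen untrust-screen
"""

SERVICE = re.compile(r"^set system services (\S+)(?: (\S+))?")
POLICY = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match .+|then .+)$"
)
CLEARTEXT_SERVICES = {"ftp", "telnet"}  # credentials cross the network unencrypted
PERMIT_ANY = {
    "match source-address any",
    "match destination-address any",
    "match application any",
    "then permit",
}


def audit(config_text):
    """Return a list of findings for a 'show configuration | display set' dump."""
    findings = []
    policies = defaultdict(set)  # (from-zone, to-zone, policy name) -> terms seen
    for raw in config_text.splitlines():
        line = raw.strip()
        svc = SERVICE.match(line)
        if svc:
            name, option = svc.groups()
            if name in CLEARTEXT_SERVICES:
                findings.append(f"cleartext-service:{name}")
            elif name == "web-management" and option == "http":
                findings.append("cleartext-service:web-management-http")
        pol = POLICY.match(line)
        if pol:
            src, dst, pname, term = pol.groups()
            policies[(src, dst, pname)].add(term)
    # A policy is flagged only when all four any/any/any/permit terms are present.
    for (src, dst, pname), terms in sorted(policies.items()):
        if PERMIT_ANY <= terms:
            findings.append(f"permit-any:{src}->{dst}:{pname}")
    # Preserve order while dropping duplicates (e.g. several http statements).
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the same check on the dump taken after delete system services ftp and commit drops the ftp finding, which gives a quick before/after confirmation of the change.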
last: shows the last part of the output.
ex) Show only the last 10 lines of the log, that is, only the 10 most recent log entries.
root@vSRX> show log messages | last 10
Jun 9 13:02:53 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:05 vSRX last message repeated 4 times
Jun 9 13:03:14 vSRX last message repeated 3 times
Jun 9 13:03:17 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages '
Jun 9 13:03:17 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:35 vSRX last message repeated 6 times
Jun 9 13:03:53 vSRX last message repeated 6 times
Jun 9 13:03:55 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 10 '
root@vSRX>
Pipe options can also be chained.
show log messages: print the log
match VSRX: print only the messages that contain this word
last 10: print only the 10 most recent log entries
root@vSRX> show log messages | match VSRX | last 10
Jun 9 13:03:56 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:06 vSRX last message repeated 3 times
Jun 9 13:04:45 vSRX last message repeated 13 times
Jun 9 13:04:47 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX '
Jun 9 13:04:48 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:51 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:53 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX | last 10 '
root@vSRX>
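The mgd UI_CMDLINE_READ_LINE entries in the log output above record every CLI command together with the user who typed it, so they can be turned into a command audit trail. The following is an added example, not part of the original post: it extracts those events and separates read-only commands from ones that change device state. The function names and the read-only verb list are assumptions, and it assumes commands are logged with their full verb rather than an abbreviation.

```python
import re

# The first three lines are copied from the log output on this page; the last
# three are constructed for this example in the same format.
SAMPLE_LOG = """\
Jun 9 13:03:17 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages '
Jun 9 13:03:17 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:55 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 10 '
Jun 9 13:10:01 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'delete system services ftp '
Jun 9 13:10:05 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'run show configuration | display set | match ftp '
Jun 9 13:10:09 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'request system reboot '
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mgd\[\d+\]: "
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']*)', command '(?P<cmd>.*)'\s*$"
)
# Assumption for this example: verbs treated as read-only.
READ_ONLY = {"show", "monitor", "help", "ping", "traceroute"}


def parse_commands(log_text):
    """Return one dict per UI_CMDLINE_READ_LINE event, in log order."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # other daemons, "last message repeated" lines, etc.
        cmd = m.group("cmd").strip()
        words = cmd.split()
        if words and words[0] == "run":
            words = words[1:]  # 'run' only wraps an operation mode command
        verb = words[0] if words else ""
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": m.group("user"),
            "command": cmd,
            "changes_state": bool(verb) and verb not in READ_ONLY,
        })
    return events


def state_changing(log_text):
    """Return (user, command) pairs for commands that are not read-only."""
    return [(e["user"], e["command"])
            for e in parse_commands(log_text) if e["changes_state"]]


if __name__ == "__main__":
    for user, command in state_changing(SAMPLE_LOG):
        print(f"{user}: {command}")
```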
?
Entering it shows the commands that can be run.
root@vSRX> ?
Possible completions:
  clear                Clear PPM related statistics information
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  probe                Probe interfaces on remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  scp                  Copy files via ssh
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute
Thank you for reading [2024][Juniper SRX #1] Basic CLI Commands.