#1. Modes
#A brand-new firewall
Amnesiac (ttyd0)
login: root
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
You are now logged into the system; the default username is root and the password is empty.
root@%
This is the shell of the underlying operating system that Junos runs on.
root@% cli
root>
This is the Junos CLI; this mode is called operational mode.
Its main commands are show, clear and monitor.
root> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.168.138.131/24
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up inet 192.168.2.1/24
ge-0/0/2 up up
ge-0/0/2.0 up up inet 192.168.3.1/24
ge-0/0/3 up up
ge-0/0/3.0 up up inet 192.168.4.1/24
root> configure
Entering configuration mode
[edit]
root#
Configuration mode
Rule of thumb: operational mode is for looking at things, configuration mode is for changing things.
Flow: shell ---> operational mode ---> configuration mode
Use exit to go back one level.
The following commands show progressively more detail:
root> show interfaces terse
root> show interfaces brief
root> show interfaces detail
root> show interfaces extensive
Output can be filtered with the pipe and match:
root> show interfaces detail |match ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Logical interface ge-0/0/0.0 (Index 69) (SNMP ifIndex 508) (Generation 134)
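The terse output above is the quickest inventory of which logical units carry addresses, which is what you cross-check against the intended configuration. As an added example, not part of the original notes, here is a small Python parser for that output; the continuation lines of sp-0/0/0.16383 (extra tunnel addresses printed without an interface name) are the edge case it handles. The sample text is reconstructed from the notes with ge-0/0/1.0 changed to link down so the admin-up/link-down check finds something; the function names are my own.

```python
import re

# Constructed sample, reconstructed from the "show interfaces terse" output in the
# notes above (column spacing restored). ge-0/0/1.0 is changed to link "down" so
# the admin-up/link-down check has something to find.
TERSE_OUTPUT = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.138.131/24
gr-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    down inet     192.168.2.1/24
"""

# A line starts a new interface record only when its first token looks like a
# Junos interface name (e.g. ge-0/0/0, lsq-0/0/0, sp-0/0/0.16383, lo0.0).
IFACE_NAME = re.compile(r"^(?:[a-z]{2,3}-\d+/\d+/\d+|lo\d+|fxp\d+)(?:\.\d+)?$")


def parse_terse(text):
    """Parse 'show interfaces terse' into a list of dicts.

    Address lines that belong to the previous interface (the sp-0/0/0.16383
    tunnel addresses above) are appended to that interface instead of being
    treated as new records.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Interface"):
            continue  # blank line or column header
        tokens = line.split()
        if IFACE_NAME.match(tokens[0]):
            records.append({
                "name": tokens[0],
                "admin": tokens[1],
                "link": tokens[2],
                "proto": tokens[3] if len(tokens) > 3 else None,
                "addresses": [" ".join(tokens[4:])] if len(tokens) > 4 else [],
            })
        elif records:
            records[-1]["addresses"].append(line)
    return records


def inet_addresses(records):
    """Map each logical interface carrying inet addresses to its address list."""
    return {r["name"]: r["addresses"]
            for r in records if r["proto"] == "inet" and r["addresses"]}


def admin_up_link_down(records):
    """Interfaces that are administratively enabled but have no link."""
    return [r["name"] for r in records
            if r["admin"] == "up" and r["link"] == "down"]


if __name__ == "__main__":
    recs = parse_terse(TERSE_OUTPUT)
    for name, addrs in inet_addresses(recs).items():
        print(f"{name:16} {addrs}")
    print("admin up, link down:", admin_up_link_down(recs))
```

Feed it the text captured from `show interfaces terse` (for example over SSH) and compare `inet_addresses()` against the addresses you expect each unit to have; an unexpected address or an enabled unit without link is worth a look.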
Built-in documentation is available with help:
root> help reference security policy-security
You can also list the commands related to a keyword:
root> help apropos arp
Now the first configuration task:
Configuring an IP address on an interface
root# set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24    (not recommended)
The recommended way is:
root# edit interfaces
[edit interfaces]
root# show
ge-0/0/0 {
unit 0;
}
[edit interfaces]
root# edit ge-0/0/0
[edit interfaces ge-0/0/0]
root# show
unit 0;
root# edit unit 0
[edit interfaces ge-0/0/0 unit 0]
root# edit family inet
[edit interfaces ge-0/0/0 unit 0 family inet]
root# set address 1.1.1.1/24
root# show
address 1.1.1.1/24;
show displays the configuration at the current hierarchy level.
Once inside a nested level, up moves one level up,
and exit leaves edit mode.
root> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 1.1.1.1/24
Note that on a Juniper firewall an IP address cannot be configured directly on the physical interface, only on a logical unit; unit 0 is the first logical unit.
Configuration changes take effect only after commit.
A brand-new firewall has no root password, so the commit is refused until one is set:
root# set system root-authentication plain-text-password
New password:
Retype new password:
Enter the password at the prompts.
Deleting configuration
root# delete interfaces ge-0/0/0
An easy way to remember it: replace set with delete and the corresponding configuration is removed.
Like any other change, a deletion takes effect only after commit:
ge-0/0/0.0 up up inet
Bulk deletion is also possible:
root# wildcard delete interfaces ge-0/0/*
Renaming
root# edit security nat source
root# rename rule-set in-to-out to rule-set inside-outside
This is mainly to make names easier to remember and to keep the same function named consistently across devices.
Replacing configuration
Scenario: port 1 was supposed to be configured, but the configuration ended up on port 0:
root# show interfaces ge-0/0/0
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
root# replace pattern ge-0/0/0 with ge-0/0/1
root# show interfaces
ge-0/0/1 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
Port 0's configuration is now gone and port 1 has it.
Copying configuration
root# copy interfaces ge-0/0/1 to ge-0/0/0
[edit]
root# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
Both interfaces now have the configuration; interface-specific settings must be adjusted afterwards.
Viewing configuration
root# show
## Last changed: 2018-04-19 13:55:57 UTC
version 12.1X44.4;
system {
root-authentication {
encrypted-password "$1$czJ1/1FI$aEih2B9Tfo8kLnK7kPZpX."; ## SECRET-DATA
}
Configuration in this form cannot be pasted back directly; it is only for reading.
root# show |display set
set version 12.1X44.4
set system root-authentication encrypted-password "$1$czJ1/1FI$aEih2B9Tfo8kLnK7kPZpX."
set system services ssh
set system services web-management http interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
Configuration in this form can be pasted directly into a firewall.
To run an operational-mode command from configuration mode:
root# run show interfaces terse
#2. Committing and restoring configuration
Basic commit
root# commit
Compare: the differences between the last commit and the candidate configuration about to be committed
root# sho|compare
[edit system services web-management http]
- interface ge-0/0/0.0;
+ interface ge-0/0/1.0;
[edit interfaces]
Scheduled commit
root# commit at ?
Possible completions:
<at>
Time at which to activate configuration changes
Commit with a comment
root# commit comment "interface0-1 address"
root> show system commit
0 2018-04-19 14:03:52 UTC by root via cli
1 2018-04-19 14:02:45 UTC by root via cli
interface0-1 address
2 2018-04-19 13:52:56 UTC by root via cli
3 2018-04-19 13:44:26 UTC by root via cli
4 2018-04-19 13:35:31 UTC by root via cli
5 2018-04-18 17:16:29 UTC by root via other
This lets you label what each commit did, which makes rollback easier; with timestamps alone it is easy to forget.
After commit confirmed, the change only becomes permanent if a plain commit is issued within 10 minutes; otherwise the configuration is rolled back after 10 minutes.
root# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 10 minutes
Rollback
root# rollback ?
Possible completions:
<[Enter]> Execute this command
0 2018-04-19 13:52:56 UTC by root via cli
1 2018-04-19 13:44:26 UTC by root via cli
2 2018-04-19 13:35:31 UTC by root via cli
3 2018-04-18 17:16:29 UTC by root via other
Clear configuration that has not been committed
root> clear system commit
#3. Basic system configuration
Set the hostname
[edit]
root# set system host-name SRX1
Set the DNS server
[edit]
root@SRX1# set system name-server 8.8.8.8
Show the time
root@SRX1> show system uptime
Current time: 2018-04-19 14:11:24 UTC
System booted: 2018-04-19 12:51:35 UTC (01:19:49 ago)
Protocols started: 2018-04-19 12:51:59 UTC (01:19:25 ago)
Last configured: 2018-04-19 14:10:33 UTC (00:00:51 ago) by root
2:11PM up 1:20, 1 user, load averages: 0.00, 0.00, 0.00
Set the time zone
root@SRX1# set system time-zone Asia/Shanghai
Set the time manually
root@SRX1> set date 201804111413.00
Check NTP
root@SRX1> show ntp associations
root@SRX1> show ntp status
Set the NTP server
root@SRX1# set system ntp server 1.1.1.1
This lets servers on the LAN use the firewall as their time-synchronization server.
Reboot the firewall
root@SRX1> request system reboot
Power off the firewall
root@SRX1> request system power-off
Drop back to the shell
root@SRX1> start shell
Enter the firewall CLI
root@SRX1% cli
Set the root password
root@SRX1# set system root-authentication plain-text-password
Configuring as root is not recommended.
Add a user
root@SRX1# edit system login user eddy
[edit system login user eddy]
root@SRX1# set class super-user authentication plain-text-password
New password:
Retype new password:
Privilege classes
super-user is second only to root
read-only
operator
unauthorized
Reset the root password
First, reboot:
request system reboot
When load /boot/defaults/loader.conf appears,
press space
loader>boot -s
......:recovery
root>
Then you can set the password and configure.
Configuring services
eddy@SRX1# edit system services
[edit system services]
eddy@SRX1# set ssh    (enable ssh)
eddy@SRX1# set ssh root-login deny    (deny root login over ssh)
eddy@SRX1# set telnet    (enable telnet)
eddy@SRX1# set web-management http interface ge-0/0/1.0    (enable web management)
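The set format from section 1 (show | display set) is also the easiest form to audit mechanically, and the set/delete symmetry from the same section is all that is needed to express a fix. As an added example, not from the original notes, the following Python script parses set-format output, flags the management settings this section touches (telnet enabled, web management over plain HTTP, ssh without root-login deny, a missing root password or syslog file), and applies the matching set/delete commands to produce a hardened configuration in the same pasteable format. The sample configuration is constructed from the notes' own lines with a placeholder password hash; the check list and function names are assumptions of this example, not a Juniper baseline.

```python
import shlex

# Constructed sample in "show | display set" format, built from the lines in the
# notes above. The password hash is a placeholder, not a real hash.
WEAK_CONFIG = """\
set version 12.1X44.4
set system root-authentication encrypted-password "$1$PLACEHOLDER$not-a-real-hash"
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
"""


def parse_set_config(text):
    """Split set-format output into statements, one tuple of tokens per line."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or '##' comment
        stmts.append(tuple(shlex.split(line)))  # shlex keeps quoted values intact
    return stmts


def has_prefix(stmts, *prefix):
    """True if any statement starts with the given tokens (a hierarchy path)."""
    return any(s[:len(prefix)] == prefix for s in stmts)


def audit(text):
    """Return (finding, remediation-command) pairs for weak management settings.

    The checks are this example's own list, chosen from the settings the notes
    configure; extend it to match your own standard.
    """
    stmts = parse_set_config(text)
    findings = []
    if not has_prefix(stmts, "set", "system", "root-authentication"):
        findings.append(("no root password configured",
                         "set system root-authentication plain-text-password"))
    if has_prefix(stmts, "set", "system", "services", "telnet"):
        findings.append(("telnet enabled (cleartext management)",
                         "delete system services telnet"))
    if has_prefix(stmts, "set", "system", "services", "web-management", "http"):
        findings.append(("web management over plain HTTP",
                         "delete system services web-management http"))
    if has_prefix(stmts, "set", "system", "services", "ssh") and not has_prefix(
            stmts, "set", "system", "services", "ssh", "root-login", "deny"):
        findings.append(("ssh permits root login",
                         "set system services ssh root-login deny"))
    if not has_prefix(stmts, "set", "system", "syslog", "file"):
        findings.append(("no syslog file configured",
                         "set system syslog file messages any any"))
    return findings


def apply_commands(text, commands):
    """Apply set/delete commands to a set-format config the way the CLI does:
    'delete <path>' drops every statement under that path, 'set <path>' adds one.
    Returns the resulting configuration in set format."""
    stmts = parse_set_config(text)
    for cmd in commands:
        toks = tuple(shlex.split(cmd))
        if toks[0] == "delete":
            prefix = ("set",) + toks[1:]
            stmts = [s for s in stmts if s[:len(prefix)] != prefix]
        elif toks[0] == "set" and toks not in stmts:
            stmts.append(toks)
    return "\n".join(" ".join(shlex.quote(t) for t in s) for s in stmts) + "\n"


if __name__ == "__main__":
    findings = audit(WEAK_CONFIG)
    for finding, fix in findings:
        print(f"{finding:40} -> {fix}")
    print(apply_commands(WEAK_CONFIG, [fix for _, fix in findings]))
```

The remediation commands are exactly what you would type at the `[edit]` prompt (followed by commit, or commit confirmed if you are working over the very management path you are changing); `apply_commands()` only previews the resulting configuration so you can review it with `show | compare` in mind before touching the device.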
Show version information
eddy@SRX1> show version
Hostname: SRX1
Model: junosv-firefly
JUNOS Software Release [12.1X44-D10.4]
Show licenses
eddy@SRX1> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
all 0 1 0 29 days
Licenses installed: none
Since I am using an emulator, there are only 30 days here.