1. Create a super-user administrator:

Create an administrator user (febayadmin below) in a login class that carries every operational permission, and set its password.
First define a login class "super" with an idle-timeout of 15 minutes and all permissions. A custom class with permissions all is equivalent to the predefined super-user class; the idle-timeout simply logs an idle session out after 15 minutes.
The CLI configuration is:
set system login class super idle-timeout 15
set system login class super permissions all

Then create the user in that class. The plain-text-password statement prompts for the password interactively and stores only its hash; the account does not exist until you commit.
set system login user febayadmin class super
set system login user febayadmin authentication plain-text-password

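As an added example, not taken from the original notes, here is the least-privilege counterpart of the super class above: a read-only operator class for people who need to look at state and configuration but must never commit, reboot the box or drop to the shell. The class and user names (ops, febayops) are hypothetical.

```junos
# Added example, not from the original notes. Names ops / febayops are hypothetical.

# A read-only class: "view" allows show/monitor commands, "view-configuration"
# allows reading the configuration. No configure, maintenance or shell permission.
set system login class ops idle-timeout 10
set system login class ops permissions [ view view-configuration ]
# Defence in depth: even if someone later widens the permissions, these stay blocked.
set system login class ops deny-commands "(request system (reboot|halt|power-off)|start shell)"

# A user in that class; plain-text-password prompts for the password and stores the hash.
set system login user febayops class ops
set system login user febayops authentication plain-text-password

# Commit with a safety net: rolls back after 5 minutes unless confirmed by a second commit.
commit confirmed 5
commit

# Review both classes and their users (operational command, run from configuration mode).
run show configuration system login
```

Keep the number of accounts in the super class to the minimum; day-to-day checks with the commands in section 3 only need the view permissions.
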
2. Restrict management access by source IP:

Here 183.16.3.83/32 is the management host you want to allow (the original notes write it as a.a.a.a/32); substitute your own address. Two corrections to the notes: "then disable log" is not a valid term action in a Junos firewall filter (the actions are accept, discard, reject, log, syslog, count and a few others), so term 1 below ends in then accept; and because term 3 accepts everything that term 1 did not match, this filter on its own blocks nothing. To enforce the restriction, a term that discards SSH/HTTPS (and telnet, if enabled) from every other source has to sit between term 1 and term 3.
set firewall filter admin-ip term 1 from source-address 183.16.3.83/32
set firewall filter admin-ip term 1 from destination-address 0.0.0.0/0
set firewall filter admin-ip term 1 then accept
set firewall filter admin-ip term 3 then accept
Finally, apply the filter inbound on the interface (commit it with commit confirmed so that a mistake that locks you out rolls back by itself):
set interfaces ge-0/0/0 unit 0 family inet filter input admin-ip

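The filter above, completed so that it actually enforces the restriction. This is an added example and not the configuration from the original notes; 183.16.3.83/32 is the allowed host from the section above, while the term names and the prefix-list name mgmt-hosts are hypothetical.

```junos
# Added example, not from the original notes. The allowed host is the one from the
# section above; term names and the prefix-list name mgmt-hosts are hypothetical.
set policy-options prefix-list mgmt-hosts 183.16.3.83/32

# Term 1: management protocols from the allow-list are counted and accepted.
set firewall filter admin-ip term allow-mgmt from source-prefix-list mgmt-hosts
set firewall filter admin-ip term allow-mgmt from protocol tcp
set firewall filter admin-ip term allow-mgmt from destination-port [ ssh https telnet ]
set firewall filter admin-ip term allow-mgmt then count mgmt-allowed
set firewall filter admin-ip term allow-mgmt then accept

# Term 2: the same protocols from anywhere else are logged and dropped.
set firewall filter admin-ip term drop-mgmt from protocol tcp
set firewall filter admin-ip term drop-mgmt from destination-port [ ssh https telnet ]
set firewall filter admin-ip term drop-mgmt then count mgmt-dropped
set firewall filter admin-ip term drop-mgmt then syslog
set firewall filter admin-ip term drop-mgmt then discard

# Term 3: everything else (transit traffic, routing protocols, ICMP) is untouched.
set firewall filter admin-ip term allow-rest then accept

# Apply inbound on the public interface, as in the notes.
set interfaces ge-0/0/0 unit 0 family inet filter input admin-ip

# Commit with automatic rollback in case the filter locks you out; confirm once
# you have verified that your own SSH session still works.
commit confirmed 5
commit

# The counters show whether the terms are being hit as expected.
run show firewall filter admin-ip
```

Applying the filter on lo0 instead (set interfaces lo0 unit 0 family inet filter input admin-ip) protects the Routing Engine on every interface at once, which is the usual placement. On SRX the zone's host-inbound-traffic system-services list is a second, independent control over which management services an interface accepts at all; the filter narrows who may reach them.
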
3. Common operational commands:

show log messages  #show the system log
clear log messages  #clear the system log
show configuration groups junos-defaults applications  #show the built-in applications (services) and their ports
show configuration applications  #show user-defined applications and their ports
show arp  #show the ARP table
show interfaces terse  #show the state of all interfaces
show interfaces ge-x/y/z detail  #show detailed statistics for one interface
monitor interface ge-x/y/z  #live per-interface packet and byte counters
monitor traffic interface ge-x/y/z  #live packet capture (tcpdump style, similar to the ScreenOS snoop command); note that it only shows traffic to and from the Routing Engine, not transit traffic handled by the flow module
show security flow session summary  #number of concurrent firewall sessions
show security flow session  #the concurrent sessions themselves
clear security flow session all  #clear all current sessions (this tears down established connections)
show security alg status  #check which ALGs are enabled globally
show system software  #list the installed Junos packages and their versions
show system uptime  #show when the system booted and how long it has been up
show chassis hardware  #show hardware modules and serial numbers
show chassis environment  #show the current status of the hardware (temperature, fans, power)
show chassis routing-engine  #Routing Engine (RE) CPU/memory usage and status
show route  #show the routing table

request system reboot  #reboot the device

4. Port forwarding (destination NAT) with a destination address pool:

#Address-book entry for the internal server
set security zones security-zone trust address-book address server182 192.168.100.182/32
#SSH (port 22) is covered by the built-in junos-ssh application, so no custom application is needed
#NAT pool: the real server address and port (address and port belong on one line; the notes split them across two, which is not valid syntax)
set security nat destination pool 182 address 192.168.100.182/32 port 22
#NAT rule: traffic arriving from untrust for the public IP on port 222 is translated to the pool
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 182 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 182 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 182 match destination-port 222
set security nat destination rule-set 1 rule 182 then destination-nat pool 182

#Security policy. Destination NAT is applied before the policy lookup, so the policy matches the translated address and port (server182 and junos-ssh), not the public IP and port 222. With source-address any this exposes SSH to every host on the Internet; restrict it to the sources that need it.
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address server182
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application junos-ssh
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
#Proxy ARP: only needed when the public IP 113.106.95.114 is not the address configured on ge-0/0/0.0 itself; it makes the interface answer ARP requests for that address
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32

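An added example (not from the original notes) that does two things with the port forward above: it tightens the policy so SSH is reachable only from a known client range, and it lists the checks to run after the commit. Names follow the section above (pool 182, rule-set 1, policy untrust-to-trust); the client range 203.0.113.0/24, the test source 203.0.113.10 and the address-book name ssh-clients are constructed values.

```junos
# Added example, not from the original notes. Names follow the section above;
# 203.0.113.0/24, 203.0.113.10 and the address-book name ssh-clients are constructed.

# Hardening: "match source-address any" publishes SSH to the whole Internet.
# Limit the policy to the client range that really needs it, and log session setup.
set security zones security-zone untrust address-book address ssh-clients 203.0.113.0/24
delete security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address ssh-clients
set security policies from-zone untrust to-zone trust policy untrust-to-trust then log session-init
commit confirmed 5
commit

# Verification (operational commands, hence "run" from configuration mode).
# Translation hits per rule and per pool:
run show security nat destination rule all
run show security nat destination pool all
# Policy lookup happens after destination NAT, so test with the translated tuple
# (internal address, port 22), not the public IP and port 222:
run show security match-policies from-zone untrust to-zone trust source-ip 203.0.113.10 destination-ip 192.168.100.182 source-port 40000 destination-port 22 protocol tcp
# Live sessions to the server, and which policies are being hit:
run show security flow session destination-port 22
run show security policies hit-count
```

If match-policies reports a deny or no match, the usual culprits are a typo in the address-book entry, a policy earlier in the untrust-to-trust list that matches first (see section 5 for reordering), or a missing proxy-arp statement when the public IP is not the interface address.
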
5. Moving a policy to the top from the CLI:

Policies within a zone pair are evaluated in order, so a new policy that lands below a broader one never matches. In configuration mode:
insert security policies from-zone trust to-zone untrust policy s251-jc before policy trust-to-untrust
(s251-jc is the policy being moved; trust-to-untrust is the policy currently at the top.) Commit afterwards.

To see the current policies in evaluation order, use the policy show command for that zone pair in operational mode: show security policies from-zone trust to-zone untrust.

6. Backing up the Juniper SRX configuration:

In configuration mode:
save srx65020120406
This writes the candidate configuration to a file called srx65020120406 in your home directory on the device's flash storage (not in RAM, so it survives a reboot; it does not survive a failed flash, so keep a copy off the box as well). In operational mode, file list shows the files in your home directory and file show srx65020120406 displays one.

Restore:
load update srx65020120406
load update merges only the parts that differ into the candidate configuration (load override replaces the whole candidate). In either case nothing changes on the running device until you commit.

Deleting a backup file from the device: the notes do this from the shell. Exit to operational mode and run start shell to get a normal-privilege shell (prompt %); run su - root for a root shell (prompt root@hostname%), which is an ordinary UNIX (FreeBSD) shell; locate the file with find and remove it with rm <filename>. The same can be done without leaving the CLI: file delete <filename> in operational mode.

Backup to an FTP server:
save ftp://user:pw@x.x.x.x/filename.txt

Restore from the FTP server:
load update ftp://user:pw@x.x.x.x/filename.txt

Caveat: FTP carries the credentials and the entire configuration (password hashes, pre-shared keys, SNMP communities) in the clear, and the password embedded in the URL is recorded in the CLI command log. Prefer an scp:// URL, which save and load also accept, with a dedicated low-privilege account on the backup host.
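An added example, not from the original notes, of a backup and restore routine that avoids the cleartext-FTP pitfalls of the commands above. The host backup.example.net, the account srxbackup and the file names are hypothetical.

```junos
# Added example, not from the original notes. backup.example.net, srxbackup and
# the file names are hypothetical.

# --- operational mode ---
# Keep a dated copy of the committed configuration on-box. /config/juniper.conf.gz is
# the active configuration; the numbered .gz files beside it are the rollback history.
file copy /config/juniper.conf.gz /var/tmp/srx-backup-20120406.conf.gz
# Save a rescue configuration; "rollback rescue" brings it back after a bad commit.
request system configuration rescue save

# --- configuration mode ---
configure
# Push the candidate configuration off-box over SSH instead of FTP (no password in the URL).
save scp://srxbackup@backup.example.net/backups/srx-20120406.conf

# Restore: load the saved file into the candidate, inspect the difference against the
# running configuration before committing, and commit with automatic rollback.
load override scp://srxbackup@backup.example.net/backups/srx-20120406.conf
show | compare
commit confirmed 5
commit
exit

# --- operational mode: housekeeping without dropping to the shell ---
file list /var/tmp/
file delete /var/tmp/srx-backup-20120406.conf.gz
```

The scp transfer prompts for the account's password unless the device holds a key for it; either way nothing secret appears on the command line or in the command log. show | compare before the commit is the step that catches a stale backup overwriting newer changes.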