ScreenOS Study Notes

Source: Internet
Author: User

Security zones

Layer 2 zones: V1-trust, V1-untrust, V1-dmz
Layer 3 zones: Trust, Untrust, DMZ, Global
Tunnel zones: Untrust-Tun
Function zones: Null, Self, MGT, HA, VLAN

Interfaces in the same zone can communicate without a policy; traffic between interfaces in different zones requires a policy.

The Global zone has no interfaces bound to it.

A security zone is a collection of one or more network segments; it is a logical entity to which one or more interfaces are bound.

    set zone name zone               // create a zone named "zone"
    set zone zone block              // block traffic between hosts in the same zone
    set zone zone vrouter name_str   // place the zone in the virtual router name_str

All interfaces bound to a zone must be unbound from it before the zone can be changed or deleted.

Subinterfaces and redundant interfaces

Subinterfaces of the same physical interface share its bandwidth and may be bound to different security zones. A redundant interface bundles two physical interfaces, each acting as the backup for the other.

A tunnel interface acts as the gateway to a VPN tunnel.

Some physical interfaces can be bound to either a Layer 2 or a Layer 3 security zone. Because a subinterface requires an IP address, it can only be bound to a Layer 3 zone. An IP address cannot be assigned to an interface until that interface is bound to a Layer 3 zone. An infinite interface cannot be bound to the Untrust zone.

Before adding an interface to a bridge group (bgroup), you must first bind the interface to the Null zone.

    set interface ethernet0/3 zone null
    set interface ethernet0/4 zone null
    set interface bgroup1 port ethernet0/3
    set interface bgroup1 port ethernet0/4
    set interface bgroup1 zone dmz
    save

If the interface is unnumbered (has no IP address), it can be unbound from its current security zone and bound to another zone directly. If the interface has an IP address, you must first set its IP address and netmask to 0.0.0.0.

    set interface ethernet0/3 ip 0.0.0.0/0
    set interface ethernet0/3 zone null
    save

    unset interface bgroup1 port ethernet0/3
    set interface ethernet0/3 zone trust
    save

The default interface of a security zone is the first interface bound to that zone.

    set interface ethernet0/5 ip 210.1.1.1/24
    set interface ethernet0/5 manage-ip 210.1.1.5
    save

Change the management IP address of ethernet0/1 to 10.1.1.12, enable SSH and SSL management, and disable Telnet and Web management:

    set interface ethernet0/1 manage-ip 10.1.1.12
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage ssl
    unset interface ethernet0/1 manage telnet
    unset interface ethernet0/1 manage web
    save

Bind subinterface ethernet0/1.3 to a zone and set its VLAN tag to ID 3:

    set interface ethernet0/1.3 zone accounting
    set interface ethernet0/1.3 ip 10.2.1.1/24 tag 3
    save

The loopback interface is a logical interface that stays up as long as the device it resides on is powered on. A policy must still be defined before a host or network in another zone can reach the loopback interface.

Create a loopback interface and enable management on it:

    set interface loopback.1 zone untrust
    set interface loopback.1 ip 1.1.1.27
    set interface loopback.1 manage
    save

To create an address entry:

    set address trust sunnyvale_eng 10.1.10.0/24
    set address untrust juniper www.juniper.net
    save

To modify an address entry:

    unset address trust sunnyvale_eng
    set address trust sunnyvale_eng 10.1.40.0/24
    save

To delete an address entry:

    unset address trust "sunnyvale_sw_eng"
    save

To create and edit an address group:

    set group address trust "HQ 2nd Floor" add "Santa Clara Eng"
    set group address trust "HQ 2nd Floor" add "Tech Pubs"
    save

To remove a member from a group, and to delete a group:

    unset group address trust "HQ 2nd Floor" remove support
    unset group address trust sales
    save

To create a service:

    set service cust-telnet protocol tcp src-port 1-65535 dst-port 23000-23000
    set service cust-telnet timeout
    save

To modify a service (the existing definition must be cleared before it is modified):

    set service cust-telnet clear
    set service cust-telnet + tcp src-port 1-65535 dst-port 23230-23230
    save

To delete a service:

    unset service cust-telnet
    save

To create a service group:

    set group service grp1
    set group service grp1 add ike
    set group service grp1 add ftp
    set group service grp1 add ldap
    save

To modify a service group:

    unset group service grp1 clear
    set group service grp1 add http
    set group service grp1 add finger
    set group service grp1 add imap
    save

To delete a service group:

    unset group service grp1
    save

To create a global policy:

    set address global server1 www.juniper.com
    set policy global any server1 http permit
    save

To modify a policy (prefix a source or destination address with ! to exclude that address):

    set policy id 1
    device(policy:1)-> set src-address host2
    device(policy:1)-> set dst-address server2
    device(policy:1)-> set service ftp
    device(policy:1)-> set attack CRITICAL:HTTP:SIGS

To disable a policy:

    set policy id id_num disable
    save

To verify the policy set:

    exec policy verify

To reorder policies:

1  Number 2 Save

To delete a policy:

    unset policy id_num
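As an added example (not part of these notes or of ScreenOS itself), a small Python audit that parses a constructed ScreenOS configuration fragment built from the commands above and reports what the notes warn about: interfaces that still accept cleartext Telnet or Web management, policies that reference an address not defined in the named zone (or in the Global zone), and any/any/any permit rules. The sample config, the interface ethernet0/5, the address name web_srv and policies 2 and 3 are assumptions; only the set address, set policy and manage command forms that appear in the notes are parsed.

```python
import re

# Constructed ScreenOS config (assumption, not from a real device): commands from the
# notes plus ethernet0/5, policy 2 and the undefined address web_srv to give findings.
SAMPLE_CONFIG = """
set interface ethernet0/1 manage-ip 10.1.1.12
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage web
set interface ethernet0/5 manage telnet
set address trust sunnyvale_eng 10.1.10.0/24
set address global server1 www.juniper.com
set policy global any server1 http permit
set policy id 2 from trust to untrust any any any permit
set policy id 3 from trust to untrust sunnyvale_eng web_srv http permit
"""
CLEARTEXT_MGMT = {"telnet", "web"}  # the notes disable these and keep ssh/ssl
# Two policy shapes from the notes: "set policy global ..." and
# "set policy id N from Z1 to Z2 ...", each ending in: src dst service action
POLICY = re.compile(
    r"set policy (?:id (?P<id>\d+) from (?P<fz>\S+) to (?P<tz>\S+)|global) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<act>\S+)$"
)

def audit(config):
    manage = {}     # interface -> set of enabled management services
    addresses = {}  # zone -> set of address-book entry names defined there
    findings = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[1] == "interface" and tok[3] == "manage":
            svcs = manage.setdefault(tok[2], set())
            (svcs.add if tok[0] == "set" else svcs.discard)(tok[4])
        elif tok[:2] == ["set", "address"]:
            addresses.setdefault(tok[2], set()).add(tok[3])
        elif (m := POLICY.match(line)):
            label = m["id"] or "global"
            fz, tz = (m["fz"], m["tz"]) if m["fz"] else ("global", "global")
            for zone, name in ((fz, m["src"]), (tz, m["dst"])):
                # an entry may live in the policy's own zone or in the Global zone
                known = addresses.get(zone, set()) | addresses.get("global", set())
                if name != "any" and name not in known:
                    findings.append(f"policy {label}: {name} is not defined in zone {zone}")
            if m["act"] == "permit" and {m["src"], m["dst"], m["svc"]} == {"any"}:
                findings.append(f"policy {label}: any/any/any permit from {fz} to {tz}")
    for iface, svcs in sorted(manage.items()):
        for svc in sorted(svcs & CLEARTEXT_MGMT):
            findings.append(f"{iface}: cleartext management service {svc} enabled")
    return findings
```

Running audit(SAMPLE_CONFIG) yields three findings: the any/any/any permit in policy 2, the unknown address web_srv in policy 3, and Telnet management left enabled on ethernet0/5; ethernet0/1 is clean because its Telnet and Web services were unset.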

