Works at layers 2 to 4 of the TCP/IP stack (layer 2 in transparent mode, layer 3/4 filtering in NAT and route modes)
Setup steps for a firewall device:
1. Choose the deployment mode (transparent, route or NAT mode)
2. Set the device's IP addresses (interface addresses, management address)
3. Configure routing information
4. Define the IP address information used by policies (source and destination addresses)
5. Identify the network applications (services) to be allowed
6. Configure the access control policies
Default account / password: netscreen / netscreen (change both at first login; the default is public knowledge)
Default security zone assignment of the firewall interfaces:
ethernet1: trust
ethernet2: dmz
ethernet3: untrust
ethernet4: null (not bound to any zone)
Three operating modes of the firewall:
Transparent mode
NAT mode
Route mode
Special case: mixed layer-2 and layer-3 deployment (only supported under certain conditions)
Transparent mode:
The physical interfaces carry no IP addresses; only the management IP on the VLAN1 interface exists
In transparent mode the IPsec VPN is terminated on the VLAN1 address
Implementation of transparent mode:
unset interface ethernet1 ip
set interface ethernet1 zone v1-trust
set interface ethernet2 zone v1-dmz
set interface ethernet3 zone v1-untrust
set interface vlan1 ip 192.168.1.1/24
save
Implementation of NAT mode (the gateway must lie inside the ethernet3 subnet; the original notes had 10.10.0.251, which is outside 10.10.1.0/24):
set interface ethernet1 zone trust
set interface ethernet2 zone dmz
set interface ethernet3 zone untrust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet2 ip 172.16.1.1/24
set interface ethernet3 ip 10.10.1.1/24
set interface ethernet3 gateway 10.10.1.251
set interface ethernet1 nat
save
In NAT mode, traffic leaving the trust interface toward untrust has its source address translated to the egress interface address (or a DIP pool); the internal addresses are never exposed
Implementation of route mode (same addressing as NAT mode; the only difference is that ethernet1 forwards without translation):
set interface ethernet1 zone trust
set interface ethernet2 zone dmz
set interface ethernet3 zone untrust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet2 ip 172.16.1.1/24
set interface ethernet3 ip 10.10.1.1/24
set interface ethernet3 gateway 10.10.1.251
set interface ethernet1 route
save
In route mode no translation is applied unless a policy explicitly requests it, so the internal addresses must be routable (or NAT must be configured per policy)
Web login
Firewall default IP: 192.168.1.1. In transparent mode this is the VLAN1 IP address; in NAT/route mode it is the IP of the trust interface, by default ethernet1
In transparent mode the VLAN1 IP address can also serve as the gateway (VPN endpoint) for remote VPN users
A Juniper firewall forwards no packets between zones unless a policy permits them (there is no implicit allow)
An access control policy carries six basic pieces of information:
Direction of the policy (from zone to zone)
Source address information
Destination address information
Network service information
Policy action (permit, deny, tunnel)
Position of the policy in the policy list
Optional information:
Logging, traffic shaping, authentication, counting (real-time traffic statistics)
Arrange the policy order sensibly (policies are matched top-down, first match wins):
Specific policies above, general policies below;
Deny policies above, permit policies below;
VPN policies above, non-VPN policies below
Optimise policy content:
Make good use of the address group and service group functions
Custom services:
Objects > Services > Custom
Custom service groups:
Objects > Services > Groups > Configure
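The same policy set built from the CLI, as an added example that is not part of the original notes. It assumes the NAT/route-mode addressing above (192.168.1.0/24 on the trust side), an invented admin host 192.168.1.50, an invented blocked destination 203.0.113.7 and an invented custom service on TCP 8443; the lines beginning with # are annotations and are not typed into the CLI. It shows the three ordering rules from the notes (specific above general, deny above permit) and how address and service groups keep the policy count small:

```screenos
# Address objects in the trust zone, then an address group that policies reference
set address trust "lan-net" 192.168.1.0 255.255.255.0
set address trust "admin-host" 192.168.1.50 255.255.255.255
set group address trust "internal-nets" add "lan-net"
# A destination object in the untrust zone that internal hosts must never reach
set address untrust "blocked-host" 203.0.113.7 255.255.255.255
# Custom service (TCP 8443) plus a service group holding HTTP, HTTPS and the custom port
set service "tcp-8443" protocol tcp src-port 0-65535 dst-port 8443-8443
set group service "web-svcs" add HTTP
set group service "web-svcs" add HTTPS
set group service "web-svcs" add "tcp-8443"
# 1: specific deny first, so it can never be shadowed by the permits below it
set policy id 1 from trust to untrust "internal-nets" "blocked-host" "ANY" deny log
# 2: narrow permit for one host (specific above general)
set policy id 2 from trust to untrust "admin-host" "Any" "ANY" permit log
# 3: general permit for the whole LAN, restricted to the service group
set policy id 3 from trust to untrust "internal-nets" "Any" "web-svcs" permit log
# 4: explicit catch-all deny at the bottom so drops are logged instead of silently discarded
set policy id 4 from trust to untrust "Any" "Any" "ANY" deny log
# If a policy was created in the wrong place, move it instead of recreating it
set policy move 1 before 2
save
```

After saving, `get policy from trust to untrust` lists the policies in match order; check that the deny (id 1) and the narrow permit (id 2) appear above the general permit (id 3), otherwise the later policies are shadowed and never match.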
Security zone settings
Most commonly used security zones: the layer-3 zones trust, dmz and untrust, and the layer-2 zones v1-trust, v1-dmz and v1-untrust
Trust, DMZ, Untrust, V1-Trust, V1-DMZ and V1-Untrust are reserved names on the firewall and cannot be reused for custom zones
Special applications: MIP (mapped IP, one-to-one address mapping)
MIP mapping
Network > Interfaces > ethernet3 > Edit > MIP > New
Typical use: a one-to-one mapping between a public IP address and an internal server address (works in both directions)
MIP policy settings:
Policy direction: from Untrust to Trust or DMZ
Source address: Any
Destination address: the MIP object (MIP(public-ip)), not the internal address
Service: chosen as required (restrict it to what the server actually offers)
DIP (dynamic IP pool, address pool mapping)
A DIP is a dynamic address pool, similar to Cisco's NAT IP pool feature
It mainly provides source address translation for internal hosts accessing external networks
It is commonly used where there are many unregistered (private) internal addresses and only a few registered (public) addresses
With port address translation a single registered IP address can in theory serve roughly 64,000 concurrent translations, since the translated source port is a 16-bit value (the original notes' figure of 600,000 is not achievable)
Location: Network > Interfaces > Edit > DIP
VIP (virtual IP, port address mapping)
One registered IP address is mapped, per protocol port, to several internal servers or hosts
Network > Interfaces > Edit > VIP / VIP Services
1. Add the registered (public) IP address first
2. Add the mapping between the internal private address and the registered IP address, giving the protocol port for each service
3. Configure the access control policy (destination VIP(public-ip), one policy per mapped service)
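The three translation types (MIP, DIP and VIP) configured from the CLI with their matching policies, as an added example that is not part of the original notes. It assumes the NAT-mode addressing above (ethernet3 as 10.10.1.1/24 in untrust, ethernet2 as 172.16.1.1/24 in dmz), invented public addresses 10.10.1.5, 10.10.1.10 and 10.10.1.20-10.10.1.30, and invented DMZ servers 172.16.1.10, 172.16.1.11 and 172.16.1.12; lines beginning with # are annotations, not CLI input. All public addresses are taken from the ethernet3 subnet, none overlaps another mapping or the interface address itself:

```screenos
# MIP: static one-to-one mapping of public 10.10.1.10 to DMZ server 172.16.1.10
set interface ethernet3 mip 10.10.1.10 host 172.16.1.10 netmask 255.255.255.255 vrouter trust-vr
# Inbound policy references the MIP object, not the private address; service kept narrow
set policy id 20 from untrust to dmz "Any" "MIP(10.10.1.10)" HTTP permit log

# DIP: pool 10.10.1.20-10.10.1.30 for outbound source NAT (port translation is on by default)
set interface ethernet3 dip 5 10.10.1.20 10.10.1.30
# Outbound policy selects the pool explicitly with nat src dip-id
set policy id 21 from trust to untrust "Any" "Any" "ANY" nat src dip-id 5 permit log

# VIP: one public address 10.10.1.5, each port forwarded to a different DMZ server
set interface ethernet3 vip 10.10.1.5 80 HTTP 172.16.1.11
set interface ethernet3 vip 10.10.1.5 25 MAIL 172.16.1.12
# One inbound policy per mapped service; the VIP object is the destination
set policy id 22 from untrust to dmz "Any" "VIP(10.10.1.5)" HTTP permit log
set policy id 23 from untrust to dmz "Any" "VIP(10.10.1.5)" MAIL permit log
save
```

Verify with `get interface ethernet3 mip`, `get interface ethernet3 dip` and `get interface ethernet3 vip`, and after generating traffic check `get session` to confirm the translated addresses; a MIP or VIP that is defined but has no matching policy is silently unreachable because the firewall forwards nothing without a permit policy.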
Saving the configuration file
Exporting the configuration file:
Configuration > Update > Config File > Save To File > choose a location
Importing the configuration file:
Configuration > Update > Config File > browse to the configuration file > Apply
Restoring factory defaults:
If the firewall root username and password are known: log in, enter unset all, confirm, and reset; after the restart the device is back in factory state
If the root username and password are not known: connect to the firewall console with a terminal program, log in using the device serial number (SN) as both username and password, answer yes to every prompt, and wait
After the firewall restarts it is restored to factory state (this asset-recovery login wipes the configuration, so anyone with console access and the serial number can reset the device; protect physical access accordingly)
Juniper Firewall Basic Application Learning notes