Security zones
  Layer 2 zones: V1-Trust, V1-Untrust, V1-DMZ
  Layer 3 zones: Trust, Untrust, DMZ, Global
  Tunnel zone: Untrust-Tun
Function zones: Null, Self, MGT, HA, VLAN
Traffic between interfaces in the same zone does not require a policy (unless intra-zone blocking is enabled on that zone); traffic between interfaces in different zones always requires a policy. The Global zone has no interfaces bound to it.
|
A security zone is a collection of one or more network segments; it is a logical entity to which one or more interfaces are bound.
set zone name zone // create a zone named "zone"
set zone zone block // enable intra-zone blocking: traffic between hosts in the same zone then also needs a policy
set zone zone vrouter name_str // place the zone in the virtual router name_str
All interfaces bound to a zone must be unbound from it before the zone can be modified or deleted.
Subinterfaces and redundant interfaces
Subinterfaces of the same physical interface share its bandwidth and may be bound to different security zones. A redundant interface bundles two physical interfaces, one active and one standby, so that the standby takes over if the active one fails.
A tunnel interface acts as the gateway for a VPN tunnel.
Physical interfaces can be bound to either Layer 2 or Layer 3 security zones. Because a subinterface requires an IP address, it can only be bound to a Layer 3 zone. An IP address cannot be assigned to an interface until the interface is bound to a Layer 3 zone. A wireless interface cannot be bound to the Untrust zone.
Before assigning interfaces to a bridge group (bgroup), set each interface to the Null zone:
set interface ethernet0/3 zone null
set interface ethernet0/4 zone null
set interface bgroup1 port ethernet0/3
set interface bgroup1 port ethernet0/4
set interface bgroup1 zone dmz
save
If the interface is unnumbered (has no IP address), it can be moved directly from its current security zone to another. If the interface is numbered, its IP address and netmask must first be set to 0.0.0.0 before it can be unbound:
set interface ethernet0/3 ip 0.0.0.0/0
set interface ethernet0/3 zone null
save
To remove an interface from a bridge group and bind it to the Trust zone:
unset interface bgroup1 port ethernet0/3
set interface ethernet0/3 zone trust
save
The default interface of a security zone is the first interface bound to it.
Assign an IP address and a separate management IP address to ethernet0/5:
set interface ethernet0/5 ip 210.1.1.1/24
set interface ethernet0/5 manage-ip 210.1.1.5
save
Change the management IP address of ethernet0/1 to 10.1.1.12, enable SSH and SSL (HTTPS) management, and disable the cleartext Telnet and Web UI access:
set interface ethernet0/1 manage-ip 10.1.1.12
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage web
save
Set the VLAN tag of subinterface ethernet0/1.3 to ID 3 (the subinterface is bound to a Layer 3 zone before it is given an IP address):
set interface ethernet0/1.3 zone accounting
set interface ethernet0/1.3 ip 10.2.1.1/24 tag 3
save
The loopback interface is a logical interface that stays up as long as the device it belongs to is powered on. A policy must still be defined before hosts or networks in another zone can reach the loopback interface.
Create a loopback interface and enable management on it:
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.1.27
set interface loopback.1 manage
save
To create address book entries (the address book is kept per zone):
set address trust Sunnyvale_eng 10.1.10.0/24
set address untrust Juniper www.juniper.net
save
To modify an address entry (the entry is removed and re-created):
unset address trust Sunnyvale_eng
set address trust Sunnyvale_eng 10.1.40.0/24
save
To delete an address entry:
unset address trust "Sunnyvale_sw_eng"
save
To create and populate an address group (names containing spaces are quoted):
set group address trust "HQ 2nd Floor" add "Santa Clara Eng"
set group address trust "HQ 2nd Floor" add "Tech Pubs"
save
To remove a member from a group, and to delete a group:
unset group address trust "HQ 2nd Floor" remove support
unset group address trust Sales
save
To create a custom service:
set service cust-telnet protocol tcp src-port 1-65535 dst-port 23000-23000
set service cust-telnet timeout // the timeout value is missing from the notes
save
To modify a service (its definition must be cleared before it can be redefined):
set service cust-telnet clear
set service cust-telnet + tcp src-port 1-65535 dst-port 23230-23230
save
To delete a service:
unset service cust-telnet
save
To create a service group:
set group service grp1
set group service grp1 add ike
set group service grp1 add ftp
set group service grp1 add ldap
save
To modify a service group:
unset group service grp1 clear
set group service grp1 add http
set group service grp1 add finger
set group service grp1 add imap
save
To delete a service group:
unset group service grp1
save
To create a global policy (the Global zone has its own address book):
set address global server1 www.juniper.com
set policy global any server1 http permit
save
To modify a policy (a source or destination address prefixed with ! is excluded, i.e. the policy matches every address except that one):
set policy id 1
device(policy:1)-> set src-address host2
device(policy:1)-> set dst-address server2
device(policy:1)-> set service ftp
device(policy:1)-> set attack CRITICAL:HTTP:SIGS
To disable a policy:
set policy id id_num disable
save
To verify the policy set (reports policies that are shadowed by earlier ones and can never match):
exec policy verify
To reorder policies:
// the move command and its arguments were not captured in the notes
save
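As an added illustration (example code, not part of the original notes and not Juniper's), the following Python models the check behind the verification step over a constructed address book and policy list written in ScreenOS CLI syntax. ScreenOS applies the first policy that matches a packet for a given zone pair, so a later, narrower deny placed after a broader permit never fires until it is moved ahead of it; the script reports such shadowed policies and any policy that names an address missing from its zone's address book. All zone, address and prefix values in the sample are made up.

```python
"""Shadowed-policy and undefined-address check over ScreenOS CLI lines.

Added example, not code from the original notes or from Juniper: it models
the check "exec policy verify" performs so the effect of policy order is
visible offline. Only "set address" and "set policy ... from ... to ..."
lines are parsed; everything else is ignored.
"""
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample in ScreenOS syntax; zone names, address names and
# prefixes are made up for this example.
SAMPLE_CONFIG = """
set address trust Sunnyvale_eng 10.1.10.0/24
set address trust Sunnyvale_sw_eng 10.1.10.0/25
set address untrust Juniper www.juniper.net
set address untrust Partner_net 172.16.0.0/16
set policy id 1 from trust to untrust Sunnyvale_eng Partner_net any permit
set policy id 2 from trust to untrust Sunnyvale_sw_eng Partner_net http deny
set policy id 3 from trust to untrust Sunnyvale_eng Juniper http permit
set policy id 4 from trust to untrust !Sunnyvale_eng Partner_net ftp permit
set policy id 5 from trust to untrust Sunnyvale_eng Partner_nett ftp permit
"""


def parse_config(text):
    """Return ({(zone, name): value}, [policy dicts]).

    value is an ip_network for prefix entries or the lower-cased hostname
    for domain-name entries; the address book is keyed per zone, as in ScreenOS.
    """
    addresses, policies = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps quoted names such as "HQ 2nd Floor" as one token
        if tok[:2] == ["set", "address"] and len(tok) >= 5:
            try:
                value = ipaddress.ip_network(tok[4], strict=False)
            except ValueError:
                value = tok[4].lower()
            addresses[(tok[2].lower(), tok[3])] = value
        elif tok[:2] == ["set", "policy"] and "from" in tok:
            i = tok.index("from")
            policies.append({
                "id": int(tok[i - 1]) if tok[i - 2:i - 1] == ["id"] else None,
                "from": tok[i + 1].lower(), "to": tok[i + 3].lower(),
                "src": tok[i + 4], "dst": tok[i + 5],
                "service": tok[i + 6].lower(), "action": tok[i + 7].lower(),
            })
    return addresses, policies


def _resolve(addresses, zone, spec):
    """Split a policy address into (negated, value); value is None if undefined."""
    negated = spec.startswith("!")
    name = spec[1:] if negated else spec
    if name.lower() == "any":
        return negated, ANY
    return negated, addresses.get((zone, name))


def _covers(a, b):
    """True if address value a matches at least everything b matches."""
    if a == ANY:
        return True
    if isinstance(a, str) or isinstance(b, str):
        return a == b  # hostnames only compare equal to themselves
    return a.version == b.version and b.subnet_of(a)


def find_undefined(addresses, policies):
    """(policy id, zone, name) for addresses missing from that zone's address book."""
    problems = []
    for p in policies:
        for key, zone in (("src", "from"), ("dst", "to")):
            if _resolve(addresses, p[zone], p[key])[1] is None:
                problems.append((p["id"], p[zone], p[key]))
    return problems


def find_shadowed(addresses, policies):
    """(later id, earlier id) pairs where the earlier policy in the same zone pair
    already matches every packet the later one would. ScreenOS applies the first
    matching policy, so the later one never fires until it is moved ahead."""
    shadowed = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if (earlier["from"], earlier["to"]) != (later["from"], later["to"]):
                continue
            if earlier["service"] not in ("any", later["service"]):
                continue
            covered = True
            for key, zone in (("src", "from"), ("dst", "to")):
                e_neg, e_val = _resolve(addresses, earlier[zone], earlier[key])
                l_neg, l_val = _resolve(addresses, later[zone], later[key])
                # A negated ("!name") or undefined address is never treated as covered:
                # the check stays conservative rather than guessing at complements.
                if e_neg or l_neg or e_val is None or l_val is None or not _covers(e_val, l_val):
                    covered = False
                    break
            if covered:
                shadowed.append((later["id"], earlier["id"]))
                break
    return shadowed


if __name__ == "__main__":
    addrs, pols = parse_config(SAMPLE_CONFIG)
    for later, earlier in find_shadowed(addrs, pols):
        print(f"policy {later} is shadowed by policy {earlier}: move it before {earlier}")
    for pid, zone, name in find_undefined(addrs, pols):
        print(f"policy {pid}: {name!r} is not in the {zone} address book")
```

On the sample, policy 2 (a deny for the /25 subnet) is reported as shadowed by policy 1 (a permit for the enclosing /24 with service any), which is exactly the case the device-side verification is meant to catch before traffic that was supposed to be blocked is allowed through; policy 5 is reported for its misspelled destination. Negated addresses are deliberately left out of the coverage comparison so the checker never claims a shadow it cannot prove.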
To delete a policy:
unset policy id_num
save
ScreenOS Study Notes