
Gongchengshi Forum (攻城狮论坛)

Author: wangjiansa
[Security] NetScreen firewall Active-Active typical configuration (including switch configuration)

kimwoo [Lv4 Emerging Talent] posted on 2013-7-30 12:03:09
The following is a typical active-passive configuration for NetScreen firewalls:
2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
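
An added example, not part of the original post and not vendor tooling: a small Python audit that reads ScreenOS `set`/`unset` lines like those in the two listings above and reports management services enabled on interfaces bound to the Untrust zone, plus policies that permit Any/Any/ANY. The sample input reuses lines from the 2_cfg listing and one constructed policy line; treating `web` as cleartext HTTP and `Untrust` as the only external zone are assumptions.

```python
import shlex
from collections import defaultdict

# Lines copied from the 2_cfg listing in the post (a subset, to keep the sample short).
PAGE_LINES = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/6" zone "DMZ"
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/3 manage web
set interface ethernet0/6 manage telnet
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
"""
# Constructed line, not in the post: a policy narrowed to the post's "ACS" service.
CONSTRUCTED = 'set policy id 9 from "Trust" to "DMZ" "Any" "Any" "ACS" permit log\n'
SAMPLE_CFG = PAGE_LINES + CONSTRUCTED

# Assumption: "web" is the plain-HTTP WebUI and "ssl" its HTTPS counterpart.
CLEARTEXT = {"telnet", "web"}


def parse_config(text):
    """Collect zone bindings, per-interface manage services and policies."""
    zone_of, services, unset_manageable, policies = {}, defaultdict(set), set(), []
    for raw in text.splitlines():
        try:
            t = shlex.split(raw)  # handles the quoted names ScreenOS writes out
        except ValueError:
            continue  # unbalanced quote: skip the line rather than guess
        if t[:2] == ["set", "interface"] and len(t) == 5:
            if t[3] == "zone":
                zone_of[t[2]] = t[4]
            elif t[3] == "manage":
                services[t[2]].add(t[4])
        elif t[:2] == ["unset", "interface"] and t[3:] == ["ip", "manageable"]:
            unset_manageable.add(t[2])
        elif t[:3] == ["set", "policy", "id"] and len(t) >= 12 and t[4] == "from":
            # set policy id N from <zone> to <zone> <src> <dst> <service> <action...>
            policies.append({"id": int(t[3]), "from": t[5], "to": t[7],
                             "match": [x.lower() for x in t[8:11]],
                             "action": t[11:]})
    return zone_of, services, unset_manageable, policies


def audit(text, external_zones=("Untrust",)):
    """Return findings as tuples:
    ("mgmt-on-external", iface, service, is_cleartext, ip_manageable_unset)
    ("any-any-permit", policy_id, from_zone, to_zone)
    """
    zone_of, services, unset_manageable, policies = parse_config(text)
    findings = []
    for iface in sorted(services):
        if zone_of.get(iface) not in external_zones:
            continue
        for svc in sorted(services[iface]):
            findings.append(("mgmt-on-external", iface, svc,
                             svc in CLEARTEXT, iface in unset_manageable))
    for p in policies:
        if p["match"] == ["any", "any", "any"] and "permit" in p["action"]:
            findings.append(("any-any-permit", p["id"], p["from"], p["to"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

The last field of a management finding only records that the listing contains `unset interface <name> ip manageable` for that interface; whether the service is actually reachable still has to be checked on the device.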

wesson [Lv8 Technically Proficient] posted on 2014-3-22 14:03:50
Just passing by, showing some support.

黑猪王 [VIP@Diamond] posted on 2014-3-23 20:16:19
I'm just here to farm points, hehe.

pkaa123 [Lv8 Technically Proficient] posted on 2014-3-25 09:53:12
Pretty good, thanks for the spirit of selfless sharing!

时光后 [Lv8 Technically Proficient] posted on 2014-3-29 19:32:26
Thanks to the original poster, let's grow together.

as1975 [Lv8 Technically Proficient] posted on 2014-3-29 20:50:31

lg6041 [Lv7 Striving for Perfection] posted on 2014-3-30 18:48:25
Bumping this for you!!

wdd021117 [Lv8 Technically Proficient] posted on 2014-3-31 15:03:47
Learned something, thanks for sharing...

伊達政宗 [Lv8 Technically Proficient] posted on 2014-4-1 10:23:56
What is this thing?

whl123 [Lv8 Technically Proficient] posted on 2014-4-4 14:01:34
I don't know what to say...... just thanks.
