
攻城狮论坛

Author: wangjiansa
Views: 4509 | Replies: 42

[Security] NetScreen firewall Active-Active typical configuration (including switch configuration)

kimwoo [Lv4 Emerging Talent] posted on 2013-7-30 12:03:09
The following is a typical NetScreen firewall active-passive configuration:
2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
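
An added example, not part of the original post: a Python review check over ScreenOS `set`/`unset` lines that reports two patterns appearing in the configs posted above, cleartext management services (telnet, the HTTP WebUI `web`, SNMP) enabled on interfaces bound to an external zone, and policies that permit Any/Any/ANY. The sample config is constructed, and the function names, finding labels, the `web-srv` address name and the choice of "Untrust" as the external zone are assumptions.

```python
import shlex

# Constructed sample in ScreenOS "set"/"unset" syntax; names are illustrative.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "Trust"
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage web
set interface ethernet0/8 manage telnet
unset interface ethernet0/8 manage telnet
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 7 from "Untrust" to "DMZ" "Any" "web-srv" "HTTPS" permit log
"""

# Management services that cross the wire unencrypted: telnet, the HTTP
# WebUI ("web"; the HTTPS WebUI is "ssl") and SNMP.
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}


def tokenize(line):
    """Split a config line, honouring double-quoted names."""
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. inside a description
        return line.split()


def audit(config_text, external_zones=("Untrust",)):
    """Return (finding, subject, detail) tuples for one ScreenOS config."""
    zone_of, manage, findings = {}, {}, []
    for raw in config_text.splitlines():
        tok = tokenize(raw.strip())
        if len(tok) < 2 or tok[0] not in ("set", "unset"):
            continue
        enable = tok[0] == "set"
        if tok[1] == "interface" and len(tok) == 5:
            iface, key, value = tok[2:5]
            if key == "zone" and enable:
                zone_of[iface] = value
            elif key == "manage":
                services = manage.setdefault(iface, set())
                # a later "unset" overrides an earlier "set"
                (services.add if enable else services.discard)(value)
        elif enable and tok[1:3] == ["policy", "id"] and "from" in tok:
            # locate the zone pair by keyword rather than by fixed position
            i = tok.index("from")
            if len(tok) >= i + 8 and tok[i + 2] == "to":
                src, dst, svc = (t.lower() for t in tok[i + 4:i + 7])
                if src == dst == svc == "any" and "permit" in tok[i + 7:]:
                    zones = f"{tok[i + 1]}->{tok[i + 3]}"
                    findings.append(("any-any-permit", tok[3], zones))
    for iface in sorted(manage):
        if zone_of.get(iface) in external_zones:
            for service in sorted(manage[iface] & CLEARTEXT_MGMT):
                findings.append(("cleartext-mgmt", iface, service))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```
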

wesson [Lv8 Technically Proficient] posted on 2014-3-22 14:03:50
Just passing by, showing some support.

黑猪王 [VIP@Diamond] posted on 2014-3-23 20:16:19
I'm just here to farm points, hehe.

pkaa123 [Lv8 Technically Proficient] posted on 2014-3-25 09:53:12
Quite good, thanks for the selfless spirit of sharing!

时光后 [Lv8 Technically Proficient] posted on 2014-3-29 19:32:26
Thanks, OP. Let's grow together.

as1975 [Lv8 Technically Proficient] posted on 2014-3-29 20:50:31

lg6041 [Lv7 Striving for Excellence] posted on 2014-3-30 18:48:25
Bumping this for you!!

wdd021117 [Lv8 Technically Proficient] posted on 2014-3-31 15:03:47
Learned something, thanks for sharing...

伊達政宗 [Lv8 Technically Proficient] posted on 2014-4-1 10:23:56
What is this thing?

whl123 [Lv8 Technically Proficient] posted on 2014-4-4 14:01:34
I don't know what to say... just thanks.
