攻城狮论坛

Author: wangjiansa
Views: 4727 | Replies: 42

[Security] NetScreen firewall Active-Active typical configuration (including switch configuration)

kimwoo [Lv4 Emerging Talent] posted on 2013-7-30 12:03:09
The following is a typical active-passive configuration for NetScreen firewalls:
2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
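
One way to review a ScreenOS configuration like the two above for management-plane and policy exposure, added here as an example and not part of the original post: the script flags Telnet/HTTP management on interfaces (separately when the interface sits in an untrusted zone), any-to-any permit policies, and community-based SNMP. The rule names, the `audit` function and the sample input are constructed for this example.

```python
import re

# Constructed excerpt in the syntax of the configuration posted above; the
# SNMP community string is a placeholder, not the one from the post.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage ssl
set interface ethernet0/8 manage web
unset interface ethernet0/8 manage web
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 9 from "Trust" to "DMZ" "Any" "Any" "HTTP" permit log
set snmp community "placeholder-community" Read-Only Trap-on traffic version v2c
"""

ZONE_RE = re.compile(r'^set interface "?([^"\s]+)"? zone "([^"]+)"')
MANAGE_RE = re.compile(r'^(set|unset) interface "?([^"\s]+)"? manage (\S+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (.*)$')
SNMP_RE = re.compile(r'^set snmp community "[^"]*" .*\bversion (\S+)')

CLEARTEXT_MGMT = {"telnet", "web"}   # "web" is the HTTP WebUI; "ssl" is HTTPS
UNTRUSTED_ZONES = {"Untrust", "V1-Untrust"}


def audit(config_text):
    """Return a sorted list of (rule, subject, detail) findings."""
    zones, manage, findings = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := MANAGE_RE.match(line):
            services = manage.setdefault(m.group(2), set())
            # A later "unset" cancels an earlier "set" for the same service.
            if m.group(1) == "set":
                services.add(m.group(3))
            else:
                services.discard(m.group(3))
        elif m := POLICY_RE.match(line):
            pid, src_zone, dst_zone, src, dst, svc, rest = m.groups()
            wide = (src.lower(), dst.lower(), svc.lower()) == ("any", "any", "any")
            if wide and "permit" in rest.split():
                findings.append(("any-any-permit", f"policy {pid}",
                                 f"{src_zone}->{dst_zone}"))
        elif m := SNMP_RE.match(line):
            # Community-based SNMP carries the community string unencrypted.
            findings.append(("snmp-community-cleartext", "snmp", m.group(1)))
    # Evaluate management services after the whole file is read, because
    # zone bindings and manage lines can appear in any order.
    for iface, services in manage.items():
        exposed = zones.get(iface) in UNTRUSTED_ZONES
        for svc in services & CLEARTEXT_MGMT:
            rule = "cleartext-mgmt-untrust" if exposed else "cleartext-mgmt"
            findings.append((rule, iface, svc))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:26} {subject:12} {detail}")
```
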
wesson [Lv8 Technically Proficient] posted on 2014-3-22 14:03:50
Just passing by, showing some support.

黑猪王 [VIP@Diamond] posted on 2014-3-23 20:16:19
I'm just here to farm points, hehe.

pkaa123 [Lv8 Technically Proficient] posted on 2014-3-25 09:53:12
Very nice, thanks for the selfless spirit of sharing!

时光后 [Lv8 Technically Proficient] posted on 2014-3-29 19:32:26
Thanks to the original poster, let's grow together.

as1975 [Lv8 Technically Proficient] posted on 2014-3-29 20:50:31

lg6041 [Lv7 Striving for Perfection] posted on 2014-3-30 18:48:25
Bumping this for you!!

wdd021117 [Lv8 Technically Proficient] posted on 2014-3-31 15:03:47
Learned something, thanks for sharing...

伊達政宗 [Lv8 Technically Proficient] posted on 2014-4-1 10:23:56
What is this thing?

whl123 [Lv8 Technically Proficient] posted on 2014-4-4 14:01:34
I don't know what to say... just thank you.