攻城狮论坛

Author: wangjiansa
Views: 4878 | Replies: 42

[Security] NetScreen firewall Active-Active typical configuration (including switch configuration)

kimwoo [Lv4 Rising Talent] posted on 2013-7-30 12:03:09
Below is a typical active-passive configuration for NetScreen firewalls:
2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

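An added example, not part of kimwoo's post: a short Python audit for a ScreenOS listing like the two above. It joins each interface's zone binding with its `manage` services to flag cleartext management on Untrust-zone interfaces, and it flags any/any/ANY permit policies. The function names, the `CLEARTEXT` set and the sample excerpt are assumptions of this example.

```python
import shlex
from collections import defaultdict

# Constructed excerpt: lines copied from the 2_cfg listing in the post above.
SAMPLE_CFG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
"""

# Assumption of this example: these management services are unencrypted
# (telnet, the HTTP WebUI, and SNMP v2c as configured in the post).
CLEARTEXT = {"telnet", "web", "snmp"}


def parse(cfg):
    """Return (interface->zone, interface->manage services, policy tuples)."""
    zones, manage, policies = {}, defaultdict(set), []
    for raw in cfg.splitlines():
        try:
            tok = shlex.split(raw)  # strips the double quotes around names
        except ValueError:          # unbalanced quote: skip the damaged line
            continue
        if tok[:2] == ["set", "interface"] and len(tok) == 5:
            if tok[3] == "zone":
                zones[tok[2]] = tok[4]
            elif tok[3] == "manage":
                manage[tok[2]].add(tok[4])
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12 and tok[4] == "from":
            # set policy id N from SRC_ZONE to DST_ZONE SRC DST SERVICE action...
            policies.append((tok[3], tok[5], tok[7], tok[8:11], tok[11:]))
    return zones, manage, policies


def audit(cfg, untrusted=("Untrust",)):
    """Flag cleartext management on untrusted-zone interfaces and any/any/ANY permits."""
    zones, manage, policies = parse(cfg)
    findings = []
    for ifname in sorted(manage):
        exposed = sorted(manage[ifname] & CLEARTEXT)
        if zones.get(ifname) in untrusted and exposed:
            findings.append(("cleartext-mgmt", ifname, zones[ifname], exposed))
    for pid, src_zone, dst_zone, match, actions in policies:
        if "permit" in actions and all(m.lower() == "any" for m in match):
            findings.append(("any-any-permit", pid, f"{src_zone}->{dst_zone}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Each cleartext finding maps to one configuration line, which the matching `unset interface <name> manage <service>` command removes.
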
wesson [Lv8 Technically Proficient] posted on 2014-3-22 14:03:50
Just passing by, showing some support.

黑猪王 [VIP@Diamond] posted on 2014-3-23 20:16:19
I'm just here to farm points, hehe.

pkaa123 [Lv8 Technically Proficient] posted on 2014-3-25 09:53:12
Very nice, thanks for the selfless spirit of sharing!

时光后 [Lv8 Technically Proficient] posted on 2014-3-29 19:32:26
Thanks, OP. Let's grow together.

as1975 [Lv8 Technically Proficient] posted on 2014-3-29 20:50:31

lg6041 [Lv7 Striving for Excellence] posted on 2014-3-30 18:48:25
Giving this a bump for you!!

wdd021117 [Lv8 Technically Proficient] posted on 2014-3-31 15:03:47
Learned something, thanks for sharing...

伊達政宗 [Lv8 Technically Proficient] posted on 2014-4-1 10:23:56
What is this thing?

whl123 [Lv8 Technically Proficient] posted on 2014-4-4 14:01:34
I don't know what to say... just, thank you.
