攻城狮论坛

Author: wangjiansa
Views: 5013 | Replies: 42

[Security] NetScreen firewall Active-Active typical configuration (including switch configuration)

kimwoo [Lv4 Emerging Talent] posted on 2013-7-30 12:03:09
The following is a typical active-passive configuration for NetScreen firewalls:
2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
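A configuration review for ScreenOS configs of the kind posted above, as an added example that is not part of the original post: it maps each interface to its zone, reports cleartext management services (telnet, plain-HTTP `web`, SNMP) enabled on Untrust-zone interfaces, and lists policies that permit Any/Any/ANY. The sample lines are constructed in the same `set ...` form as the post's config, and the function names are hypothetical.

```python
import shlex

# Constructed sample in the same ScreenOS "set ..." form as the posted config.
SAMPLE = '''\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 7 from "DMZ" to "Trust" "Any" "10.0.0.5/32" "SSH" permit log
'''

# "web" is the HTTP WebUI and "ssl" the HTTPS one; ssh and ssl are encrypted.
CLEARTEXT = {"telnet", "web", "snmp"}
EXPOSED_ZONES = {"Untrust", "V1-Untrust"}


def parse(config):
    """Return (iface -> zone, iface -> manage services, policy list)."""
    zones, manage, policies = {}, {}, []
    for raw in config.splitlines():
        try:
            tok = shlex.split(raw)  # strips quotes, so "ethernet0/2" == ethernet0/2
        except ValueError:          # unbalanced quote: skip the damaged line
            continue
        if len(tok) < 2 or tok[0] != "set":
            continue
        if tok[1] == "interface" and len(tok) == 5 and tok[3] == "zone":
            zones[tok[2]] = tok[4]
        elif tok[1] == "interface" and len(tok) == 5 and tok[3] == "manage":
            manage.setdefault(tok[2], set()).add(tok[4])
        elif tok[1:3] == ["policy", "id"] and len(tok) >= 12 and tok[4] == "from":
            policies.append({
                "id": int(tok[3]), "from": tok[5], "to": tok[7],
                "src": tok[8], "dst": tok[9], "svc": tok[10],
                "action": tok[11:],  # e.g. ["permit", "log"] or ["nat", "src", "permit", "log"]
            })
    return zones, manage, policies


def audit(config):
    """Return findings as tuples, cleartext management first, then policies."""
    zones, manage, policies = parse(config)
    findings = []
    for iface in sorted(manage):
        zone = zones.get(iface, "unknown")
        risky = sorted(manage[iface] & CLEARTEXT)
        if zone in EXPOSED_ZONES and risky:
            findings.append(("cleartext-mgmt", iface, zone, risky))
    for p in policies:
        wide_open = (p["src"], p["dst"], p["svc"].lower()) == ("Any", "Any", "any")
        if wide_open and "permit" in p["action"]:
            findings.append(("any-any-permit", p["id"], p["from"], p["to"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
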

wesson [Lv8 Skilled] posted on 2014-3-22 14:03:50
Just passing by, showing some support.

黑猪王 [VIP@Diamond] posted on 2014-3-23 20:16:19
I'm just here to farm points, hehe.

pkaa123 [Lv8 Skilled] posted on 2014-3-25 09:53:12
Quite good, thanks for the spirit of selfless sharing!

时光后 [Lv8 Skilled] posted on 2014-3-29 19:32:26
Thanks, OP. Let's grow together.

as1975 [Lv8 Skilled] posted on 2014-3-29 20:50:31

lg6041 [Lv7 Striving for Excellence] posted on 2014-3-30 18:48:25
Giving this a bump for you!!

wdd021117 [Lv8 Skilled] posted on 2014-3-31 15:03:47
Learned something, thanks for sharing...

伊達政宗 [Lv8 Skilled] posted on 2014-4-1 10:23:56
What is this thing?

whl123 [Lv8 Skilled] posted on 2014-4-4 14:01:34
I don't know what to say... just, thank you.
