以下是 NetScreen（ScreenOS，SSG140）防火墙 NSRP active-passive 典型配置，共两台设备（p2_cfg 与 3_cfg），同属 cluster id 1 / vsd-group 0，优先级分别为 100 与 150 并启用 preempt，HA 链路为 ethernet0/4、ethernet0/5，secondary-path 走 ethernet0/8。注意：这份配置只适合作为 HA 示例，照搬前至少应收紧以下几点——(1) 面向互联网的 ethernet0/2 同时开启了 telnet、HTTP web 和 SNMP 管理（`set interface ethernet0/2 manage telnet|web|snmp`），且配置中未见 `set admin manager-ip` 限制管理来源，建议只保留 ssh/ssl 并限定来源地址；(2) SNMP 使用 v2c 明文 community，且 `set snmp host ... 0.0.0.0 0.0.0.0` 允许任意地址查询；(3) 四条策略全部是 "Any" "Any" "ANY" permit（包括 DMZ→Trust），DMZ 实际上没有起到隔离作用；(4) 管理员仍使用默认账号 netscreen，且 `set admin password` 的口令串随配置一同公开，对外分享前应脱敏（公网地址同理）；(5) `unset key protection enable` 与 `unset ike dos-protection` 关闭了相应保护功能。下文已去除论坛复制时混入的乱码字符。
p2_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.99
set interface ethernet0/6 manage-ip 10.131.126.20
set interface ethernet0/8 manage-ip 10.131.126.2
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
3_cfg

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/4" zone "HA"
set interface "ethernet0/5" zone "HA"
set interface "ethernet0/6" zone "DMZ"
set interface "ethernet0/8" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip 116.247.91.98/29
set interface ethernet0/2 route
set interface ethernet0/3 ip 140.206.34.178/30
set interface ethernet0/3 route
set interface ethernet0/6 ip 10.131.126.18/28
set interface ethernet0/6 nat
set interface ethernet0/8 ip 10.131.126.4/28
set interface ethernet0/8 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 manage-ip 116.247.91.100
set interface ethernet0/6 manage-ip 10.131.126.21
set interface ethernet0/8 manage-ip 10.131.126.3
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
set interface ethernet0/6 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip threshold 10
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12
unset interface ethernet0/2 monitor track-ip dynamic
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set hostname RT3-T2-5F-S-SSG140-10.131.126.3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp cluster name FXGL
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp vsd-group id 0 preempt
set nsrp secondary-path ethernet0/8
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
set nsrp vsd-group id 0 monitor track-ip ip
set nsrp vsd-group id 0 monitor track-ip threshold 30
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
set nsrp ha-link probe
set dns host dns1 202.96.209.5 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 4
exit
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
set policy id 5
exit
set policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit