Shulou(Shulou.com)06/01 Report--

View the local routing table of the firewall:

à get route

By default, all Zone belong to the Trust-VR virtual router

View the virtual router of the firewall

à get vrouter

Since firewalls need to connect multiple Zone, and different Zone belong to different network segments, if interworking between Zone is needed, the firewall needs routing.

Which routing protocols are supported by Juniper's firewall:

1. Static rout

1. Common static routing protocol

à set route (vrouter trust-vr) 10.1.3.0Accord 24 interface eth4 gateway 1.1.1.3

à get route protocol static

two。 Default static route (default static route)

à set route 0.0.0.0amp 0 interface eth4 gateway 1.1.1.3

two。 Dynamic routing

OSPF

RIP

BGP

Juniper defines address groups and address groups

a. Define an address

à set address untrust 10.1.2.2 10.1.2.2 255.255.255.255

b. Define an address group

à set group addrss untrust cjclub01 add 10.1.2.2

à set group addrss untrust cjclub01 add 10.1.3.2

c. Apply the strategy from external network to internal network

à set policy from untrust to home cjclub01 any any permit

à set policy from untrust to home any any any permit

Allow all services from the public network to the Home section to enter

Configure the three-layer functions of the Juniper firewall:

a. Create a Zone (if the default Zone is not used)

à set zone name cjclub

b. Establish an interface, divide the interface into the Zone, and configure the IP address

à set interface loopback.1 zone cjclub

à set interface loopback.1 ip 8.8.8.8 Compact 32

c. Configure static routes for firewalls

à set route 10.1.2.0 Compact 24 interface eth4 gateway 1.1.1.2

View commands on the third floor:

a. Check whether the route to the destination host exists

à get route ip 10.1.2.1

b. View the route entries to the destination network segment

à get route prefix 10.1.2.0 Compact 24

c. View static route entries

à get route protocol static

d. Trace rout

à trace-route 10.1.3.2

Debug information of Juniper's firewall:

1. Debug information can monitor the packets of traffic sent by the network in real time.

The Debug information of the firewall of the default Juniper is put in the cache

2. Configuration of Debug information

a. Open Debug information

à debug flow basic

b. View DB's cache

à get db stream

c. View the status of the DB cache

à get db info

d. Set the size of the DB cache

à set db size 4096

e. Clear cache count

à clear dbuf

L output Debug information directly through Console port

à unset console dbuf

3. Configure flow filtering for Juniper Firewall

Flow filter:

a. Based on IP address

b. Based on TCP/UDP port number

c. IP-based protocol

L à undebug all closes all Debug messages

4. View the detailed process of a packet passing through a firewall through Debug information

a. Set up Flow Filter

à set ff src-ip 10.1.1.2

b. View Flow Filter

à get ff

Flow filter based on:

Id:0 src ip 10.1.1.2

c. Open the information of Debug

à debug flow basic

d. Clear the cache of DB

à clear db

e. Turn off all Debug messages

à undebug all

L detailed process

Inspection of 1.Screen filter

Packet passed sanity check

two。 Find out if there is a session

Flow got session

3. Find route entry

Search route to

4. Find Policy

5. Find a normal NAT

6. Establish Session

7. Routed packet

8. Resolve the MAC address of the next-hop IP (using ARP)

& some information about ISG-2000 and NS-5000 high-end firewalls cannot be captured through Debug

The capture of Debug information is entirely based on CPU processing, and ASIC chips are used in high-end equipment.

Loopback interface (loopback interface address)

a. Virtual interface, always UP, does not require a physical connection

b. Function:

1. Administration and Management

2. × × ×

3. Dynamic routing Protocol (ROUTER-ID)

c. Configure loopback

1. Configure an interface with an IP address

à set interface loopback.3 ip 10.10.10.10 Compact 32

two。 Configure the management functions of loopback

à set interface lo.3 manage

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.