JUNIPER NETWORKS SRX Series Configuration Guide (Chinese edition)
Author: Ltm   Email: network-security@hotmail.com   www.juniper.net   QQ group: 15900381
Ltm   V1.0   2011.2


Contents

1. Overview
2. JUNIPER SRX Base
3. Interface
4. Authentication
   Source NAT
   Static NAT (MIP)
   Virtual IP
   Destination NAT
5. Security
   Zone
   Address book
   Service book
   Schedule
   Policy
6. VPN
   IPSEC VPN
   Dynamic VPN
7. Wireless LAN
8. Switching
9. Routing
10. Class of Service
11. System Properties
12. Chassis Cluster
13. Service
14. Wizards
15. CLI Tools
16. Monitor
17. Syslog
18. Show commands
19. Command-line structure


1. Overview

JUNOS software is the trusted network operating system that has helped Juniper Networks gain its leading position in high-performance networking. Juniper Networks strictly follows the development principle of a single-source network operating system and actively drives JUNOS software innovation, integrating routing, switching, security and other services. Its comprehensive product range connects enterprise branch and regional offices, central sites and data centers, and the core and edge of metro and carrier networks.

The unique way JUNOS software is built is what sets it apart in the market as a network operating system: a single operating system with a single modular architecture, enhanced release by release. Carriers, enterprises and public institutions gain three main benefits from deploying JUNOS software:

- Continuously running systems: high-performance software design, high-availability features, protection against human error and proactive operational safeguards improve network availability and the delivery of applications and services.
- Automated operation: consistent feature implementation, error-proof configuration, scripts that automate operational tasks and easy upgrades of a single software release improve efficiency and lower operating costs.
- Accelerated innovation: the standards-based open design and smooth extensibility of JUNOS software, including tools that let partners and customers take part openly in the development process, give you more flexibility to deliver new services and applications.

This way of building is why JUNOS software stands out in the market as a network operating system: a single operating system enhanced through a single release model and a single modular architecture.

Features

Modularity - JUNOS software uses a modular software design that provides excellent fault resilience and makes it simple to integrate new functions such as IPv6.

Routing expertise - Juniper Networks' expertise in IP routing fully complements and enhances the routing protocols used in production.

Standards-based - Strict adherence to routing and MPLS industry standards and to availability mechanisms such as Protocol Graceful Restart improves stability and reduces operational complexity for customers.

Security - JUNOS software combines intelligent packet processing with excellent performance to give customers a powerful IP security toolkit.

Rich services - Whether for individual users, enterprise customers or service providers, the JUNOS IP services family lets customers deliver a guaranteed experience to every type of end user.

Policy and control - The Juniper Networks SDX and NMC platforms let customers invoke and control these powerful JUNOS capabilities; the Juniper Networks JUNOScript XML interface also simplifies and accelerates OSS integration.


2. JUNIPER SRX Base

For the sake of technical exchange I have written this technical manual for the SRX firewall products. It will be updated periodically, and I welcome discussion.

This document is intended for readers who already have some background with Juniper products.

Junos OS [10.4R1.9]

Packet forwarding flow

Both local and remote configuration are supported, with management over Console, telnet, ssh, http and https.

Console
Parameter            Value
Baud rate            9600 bit/s
Data bits            8
Stop bits            1
Parity/flow control  None

telnet
Parameter            Value
Interface            Eth0/1-*
Username             root
Password             (empty)
Management IP        192.168.1.1

Note: by default, telnet and management from the Untrust zone (including web) cannot use the root user, while web management and the Console can.

login: root
Password: (empty)
root@% cli
root> configure
Entering configuration mode
[edit]
root#

The SRX root password is empty by default; a root password must be set before the configuration can be committed.
Configure the root password following the two-of-four character-class rule: a combination such as test123 is accepted, but something like 111111 alone is not.

root# set system root-authentication plain-text-password
New password: test123
Retype new password: test123
---------------------------------------
root> request system reboot     restarts the system (from configuration mode: root# run request system reboot)
Reboot the system ? [yes,no] (no) yes
Shutdown/restart commands: request system halt / request system reboot

Initial management setup:
Management access
set system services web-management http interface ge-0/0/0.0
set system services web-management http port 8080
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
or, since management access is opened through the security zone:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ping

Managing with a non-root user; add an administrator:
set system login user test class super-user                      <- makes the user a super-user
set system login user test authentication plain-text-password    <- sets the user's password, e.g. test123
----------------------------------------
Password recovery: while the system restarts, press the space bar quickly; the first press enters => bootd, and a second press enters a paused prompt where you type boot -s to enter single-user mode. Then run the command below to remove the existing password.
Delete the root password:
root# delete system root-authentication
After restarting, configure a new root password.
-------------------------------------------------------------------------------
Restore factory defaults: root@lizhiqiang# load factory-default     clears the configuration (no restart required)

root@lizhiqiang# set system root-authentication plain-text-password     a password must be configured before the configuration can be saved
New password: test123
Retype new password: test123
root# commit     saves the configuration
root# exit       leaves configuration mode
root> show configuration | display set     displays the configuration
Delete the root password (optional):
root# delete system root-authentication
After restarting, configure a new root password.
Note: restoring factory defaults does not require a restart.
-------------------------------------------------------------------------------
JUNOS upgrade:
Upgrading from the web UI is the simplest way. Log in to the web management interface:
on Junos 9.5: Manage => Software => Upload Package;
on Junos 9.6 and later: Maintain => Software => Upload Package.
Click "Browse", select the upgrade file, tick "Reboot If Required", then click "Upload and Install Package" below.
The upgrade shows progress like this:
Software Upload Package
Installing Uploaded Package
Installation of software package junos-srxsme-9.6R1.13-domestic.tgz is underway.
Installation Progress
finished   Receive Package File
pending    Validate Package File
pending    Check Configuration Compatibility
pending    Install Package
pending    Reboot
The whole process takes roughly half an hour or longer, so please be patient; the device restarts automatically afterwards.
--------------------------------------------------------------------------

3. Interface

By default every interface except ge-0/0/0 belongs to the vlan.0 interface group:
set vlans vlan-trust vlan-id 3               (default configuration)
set vlans vlan-trust l3-interface vlan.0     (default configuration)
Configure an interface address:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.201.209/24
Configure interface speed:
set interfaces ge-0/0/0 speed 1g link-mode full-duplex
Protocol families available on a unit:
set interfaces ge-0/0/0 unit 0 family ?
> ccc                  Circuit cross-connect parameters
> ethernet-switching   Ethernet switching parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters
> iso                  OSI ISO protocol parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters
show interfaces

Aggregate Interface
set chassis aggregated-devices ethernet device-count 1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family inet address 192.168.100.254/24
set interfaces ge-2/0/0 gigether-options 802.3ad ae0
set interfaces ge-2/0/1 gigether-options 802.3ad ae0
set security zones security-zone trust interfaces ae0.0 host-inbound-traffic system-services all
Alternatively, define a VLAN and attach it to ae0.0:
set chassis aggregated-devices ethernet device-count 1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ae0 unit 0 family ethernet-switching native-vlan-id 100
set interfaces ge-2/0/0 gigether-options 802.3ad ae0
set interfaces ge-2/0/1 gigether-options 802.3ad ae0
set interfaces vlan unit 100 family inet address 192.168.100.254/24
set vlans vlan100 vlan-id 100
set vlans vlan100 l3-interface vlan.100
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services all

Loopback Interface
Redundant Interface
Tunnel Interface
Ethernet Sub-Interface
Redundant Sub-Interface
PPPoE Interface

4. Authentication

5. NAT

Source NAT

Note!
When configuring NAT, "any" (source or destination address) must be written as 0.0.0.0/0, unlike in policies.
In policies the destination address is the private address, unlike ScreenOS (where it is the MIP address).
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

Mappings for access from the internal network to the internal network (MIP, VIP) will be covered in the next version of this guide.


Static NAT (MIP)

In ScreenOS, the interface IP address can be used for static NAT (MIP). This option is not currently available in Junos OS.
Like MIP, static NAT can be one-to-one or many-to-many.

Example: Static NAT to a Single Host
ScreenOS Configuration
set int e0/0 mip 1.1.1.100 host 10.1.1.100
set pol from untrust to trust any mip(1.1.1.100) http permit
-----------------------------------------------------------------
Junos OS Configuration
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
set security zones security-zone trust address-book address webserver 10.1.1.100
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit
-------------------------------------------------------------------------------
Example: Static NAT to a Subnet
ScreenOS Configuration
set int e0/0 mip 1.1.1.0 host 10.1.1.0 netmask 255.255.255.240
set policy from untrust to trust any mip(1.1.1.0/28) http permit
Junos OS Configuration
set security zones security-zone trust address-book address webserver-group 10.1.1.0/28
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.0/28
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.0/28
set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.0/28
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver-group application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit

Virtual IP

ScreenOS Configuration
set int e0/0 vip 1.1.1.100 80 http 10.1.1.100
set int e0/0 vip 1.1.1.100 110 pop3 10.1.1.200
set policy from untrust to trust any vip(1.1.1.100) http permit
Junos OS Configuration
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination pool dnat-pool-2 address 10.1.1.200/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 110
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
set security zones security-zone trust address-book address webserver 10.1.1.100
set security zones security-zone trust address-book address mailserver 10.1.1.200
set security zones security-zone trust address-book address-set servergroup address webserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit

Destination NAT

You can define policies that translate a destination IP address into another address. The security device may need to translate one or more public IP addresses into one or more private IP addresses. The relationship between the original destination address and the translated destination address can be one-to-one, many-to-one or many-to-many. Figure 20 illustrates the concepts of one-to-one and many-to-one NAT-dst relationships.

Destination Address Translation to a Single Host
In this example, the destination IP and the interface IP are on different subnets.

Example:
ScreenOS Configuration
1. Interfaces
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet2 zone dmz
set interface ethernet2 ip 10.2.1.1/24
2. Address
set address dmz oda2 1.2.1.8/32
3. Service group
set group service http-ftp
set group service http-ftp add http
set group service http-ftp add ftp
4. Route
set vrouter trust-vr route 1.2.1.8/32 interface ethernet2
5. Policy
set policy from untrust to dmz any oda2 http-ftp nat dst ip 10.2.1.8 permit
save

Junos OS Configuration Commands
set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
set security nat destination pool dnat-pool-1 address 10.1.1.100
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
set security zones security-zone trust address-book address webserver 10.1.1.100
set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy dst-nat then permit
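The Source NAT note above says that, unlike ScreenOS, the policy destination must be the private address. As an added example that is not part of this guide, the following Python model walks the Virtual IP example through destination NAT and then a policy lookup on the translated address, and contrasts it with a policy written against the public address; the packet source 203.0.113.5 and the public-vip address-book entry are constructed for the demonstration.

```python
"""Packet-flow model for the guide's Virtual IP example (added example, not
from the guide): destination NAT is applied first, then the security policy
is evaluated against the translated (private) destination address."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Objects transcribed from the guide's Junos VIP configuration.
POOLS = {"dnat-pool-1": "10.1.1.100", "dnat-pool-2": "10.1.1.200"}
DNAT_RULES = [  # (rule name, match destination prefix, match destination port, pool)
    ("rule1", "1.1.1.100/32", 80, "dnat-pool-1"),
    ("rule2", "1.1.1.100/32", 110, "dnat-pool-2"),
]
ADDRESS_BOOK = {
    "webserver": "10.1.1.100/32",
    "mailserver": "10.1.1.200/32",
    "public-vip": "1.1.1.100/32",  # constructed: used only by the wrong policy below
}
ADDRESS_SETS = {"servergroup": {"webserver", "mailserver"}}
APPLICATIONS = {"junos-http": ("tcp", 80), "junos-pop3": ("tcp", 110)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    dst: str               # address-book address or address-set name, or "any"
    apps: FrozenSet[str]   # application names, or {"any"}
    action: str            # "permit" or "deny"


def destination_nat(pkt: Packet) -> Packet:
    """Apply the first matching destination NAT rule (rules are ordered)."""
    for _name, prefix, port, pool in DNAT_RULES:
        if ip_address(pkt.dst) in ip_network(prefix) and (port is None or port == pkt.dport):
            return Packet(pkt.src, POOLS[pool], pkt.proto, pkt.dport)
    return pkt  # no rule matched: destination unchanged


def expand(name: str) -> List:
    """Resolve an address-book name or address-set into network prefixes."""
    if name == "any":
        return [ip_network("0.0.0.0/0")]
    if name in ADDRESS_SETS:
        return [net for member in ADDRESS_SETS[name] for net in expand(member)]
    return [ip_network(ADDRESS_BOOK[name])]


def application_matches(apps: FrozenSet[str], pkt: Packet) -> bool:
    return "any" in apps or any(APPLICATIONS[a] == (pkt.proto, pkt.dport) for a in apps)


def policy_lookup(pkt: Packet, policies: List[Policy]) -> str:
    """Ordered lookup on the post-NAT packet; no match means implicit deny."""
    dst = ip_address(pkt.dst)
    for pol in policies:
        if any(dst in net for net in expand(pol.dst)) and application_matches(pol.apps, pkt):
            return f"{pol.name}:{pol.action}"
    return "default-deny"


def forward(pkt: Packet, policies: List[Policy]) -> Tuple[str, str]:
    """Return (translated destination, policy decision) for one packet."""
    translated = destination_nat(pkt)
    return translated.dst, policy_lookup(translated, policies)


# Policy as written in the guide: the destination is the private address set.
GUIDE_POLICY = [Policy("static-nat", "servergroup", frozenset({"junos-http", "junos-pop3"}), "permit")]
# ScreenOS habit carried over: destination written as the public VIP address.
WRONG_POLICY = [Policy("static-nat", "public-vip", frozenset({"junos-http", "junos-pop3"}), "permit")]

if __name__ == "__main__":
    # Source 203.0.113.5 is a constructed documentation address.
    for dport in (80, 110, 25):
        pkt = Packet("203.0.113.5", "1.1.1.100", "tcp", dport)
        print(dport, forward(pkt, GUIDE_POLICY), forward(pkt, WRONG_POLICY))
```

Port 80 and 110 traffic is translated and permitted with the guide's policy, port 25 is left untranslated and hits the implicit deny, and the public-address policy denies even the translated port 80 packet.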

5. Security

Zone
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces ge-0/0/0.0
root> show security zones

Address book
Addresses are added inside the zone.

Note: Specify addresses as network prefixes in the prefix/length format. For example, 1.2.3.0/24 is an acceptable address book address because it translates to a network prefix. However, 1.2.3.4/24 is not acceptable for an address book because it exceeds the subnet length of 24 bits. Everything beyond the subnet length must be entered as 0 (zero). In special scenarios, you can enter a hostname because it can use the full 32-bit address length.

The address set option has the following features:

You can create address sets in any zone. You can create address sets with existing users, or you can create empty address sets and later fill them with users. You can reference an address set entry in a policy like an individual address book entry.

Note: JUNOS Software applies policies automatically to each address set member, so you do not have to create them one by one for each address. Furthermore, JUNOS Software writes these policies to ASIC, which makes lookups run very fast.

When you delete an individual address book entry from the address book, you must remove the address (wherever it is referred) from all the address sets.
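As an added example (not from the guide), the following Python script checks two rules this guide states against set-format configuration lines: the address-book prefix rule from the note above, and, from the management setup in section 2, which system-services host-inbound-traffic opens on the untrust zone, flagging clear-text ones. The sample configuration is constructed from the guide's own commands plus one deliberately wrong address.

```python
"""Configuration audit for two rules this guide states (added example, not
part of the guide): address-book entries must be network prefixes with no
host bits set, and services that host-inbound-traffic opens on the untrust
zone should be reviewed, clear-text management services especially."""
from ipaddress import ip_network
from typing import List, Optional, Tuple

CLEARTEXT_SERVICES = {"telnet", "http"}   # credentials cross the wire unencrypted
ENCRYPTED_SERVICES = {"ssh", "https"}
OTHER_SERVICES = {"ping"}

# Sample set-format configuration, constructed from commands in this guide
# plus one deliberately wrong address (bad-net) to trigger the prefix check.
SAMPLE_CONFIG = """\
set security zones security-zone trust address-book address trust-net 10.1.1.0/24
set security zones security-zone trust address-book address Bob-PC 10.1.1.1/32
set security zones security-zone trust address-book address bad-net 1.2.3.4/24
set security zones security-zone trust address-book address-set All10 address trust-net
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
"""


def check_prefix(prefix: str) -> Optional[str]:
    """Return None if prefix is a valid address-book entry (host bits zero),
    otherwise a message saying what is wrong: 1.2.3.0/24 passes, 1.2.3.4/24
    fails, and a /32 host such as 10.1.1.1/32 passes."""
    try:
        ip_network(prefix, strict=True)
        return None
    except ValueError:
        pass
    try:
        fixed = ip_network(prefix, strict=False)
    except ValueError:
        return f"{prefix}: not a valid address/prefix"
    return f"{prefix}: host bits set beyond /{fixed.prefixlen}; use {fixed} or a /32 host"


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Scan set commands and return (severity, message) findings."""
    findings = []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "zones", "security-zone"] or len(tok) < 5:
            continue
        zone = tok[4]
        # set security zones security-zone <zone> address-book address <name> <prefix>
        if tok[5:7] == ["address-book", "address"] and len(tok) >= 9:
            problem = check_prefix(tok[8])
            if problem:
                findings.append(("error", f"zone {zone} address {tok[7]}: {problem}"))
        # set security zones security-zone <zone> [interfaces <ifl>]
        #     host-inbound-traffic system-services <service>
        if "host-inbound-traffic" in tok:
            i = tok.index("host-inbound-traffic")
            if tok[i + 1:i + 2] == ["system-services"] and len(tok) > i + 2:
                svc = tok[i + 2]
                scope = f"interface {tok[6]}" if tok[5] == "interfaces" else "whole zone"
                if zone == "untrust" and (svc in CLEARTEXT_SERVICES or svc == "all"):
                    findings.append(("high", f"untrust zone ({scope}) accepts {svc}: "
                                             "clear-text or unrestricted management exposed externally"))
                elif zone == "untrust" and svc in ENCRYPTED_SERVICES | OTHER_SERVICES:
                    findings.append(("info", f"untrust zone ({scope}) accepts {svc}: "
                                             "confirm this is intended and limit the source addresses"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```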

Create Address
set security zones security-zone trust address-book address trust-net 10.1.1.0/24
set security zones security-zone trust address-book address Bob-PC 10.1.1.1/32
Create Address Set (Groups)
set security zones security-zone trust address-book address-set All10 address trust-net
set security zones security-zone trust address-book address-set All10 address Bob-PC
Address ranges cannot be written.

Service book
Below is a simple example of creating a custom security policy application (service) for SSH.
List default Application (Service) Objects
show configuration groups junos-defaults applications

Example: Create Custom Application (Service Object)
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600

Example: Custom service objects with multiple ports require "terms"
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
set applications application my-ssh term ssh1 protocol tcp
set applications application my-ssh term ssh1 destination-port ssh
Verification
To see information about the address books and zones, enter the following command: show configuration security zones
To list the default application objects, enter the following command: show configuration groups junos-defaults applications
To list the custom application objects, enter the following command: show configuration applications

Schedule
set schedulers scheduler test daily start-time 09:00:00 stop-time 12:00:00
set schedulers scheduler test daily start-time 13:00:00 stop-time 17:30:00
set schedulers scheduler test monday all-day

Policy
To move a policy within the order, use insert, top and up in configuration mode. To disable or re-enable a policy, use deactivate or activate in configuration mode.

Example:
insert security policies from-zone trust to-zone untrust policy Dorp before policy test2

Example:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy Dorp then log session-init
set security policies from-zone trust to-zone untrust policy Dorp then count
set security policies from-zone trust to-zone untrust policy Dorp match source-address 192.168.1.2/32
set security policies from-zone trust to-zone untrust policy Dorp match destination-address any
set security policies from-zone trust to-zone untrust policy Dorp match application any
set security policies from-zone trust to-zone untrust policy Dorp then deny
set security policies from-zone trust to-zone untrust policy Dorp then log session-init
set security policies from-zone trust to-zone untrust policy Dorp then count

Example:
deactivate security policies from-zone trust to-zone untrust policy name
run show configuration security policies | display set

6. VPN

IPSEC VPN

Dynamic VPN

7. Wireless LAN

8. Switching

9. Routing

Creating Static Routes

The following example configures a static route of 10.2.2.0/24 with a next-hop

address of 10.1.1.254:

set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

Creating Default Routes

The following example configures an IPv4 default route with a next-hop address of

10.1.1.254:

set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

show route terse

10. Class of Service

11. System Properties

12. Chassis Cluster

13. Service

Enabling DHCP

root@ltm# run show configuration system services dhcp | display set
set system services dhcp name-server 202.106.0.20
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings vlan.0

14. Wizards

15. CLI Tools

16. Monitor

17. Syslog

18. Show commands

JUNOS 9.4 and above (with default configuration)
JUNOS with Enhanced Services 8.5 through 9.3 (with default configuration)

By default the complete configuration can only be shown at the > (operational) prompt; to show it from the # (configuration) prompt or deeper, prefix the command with run, which then works in any mode.
You can also move to a particular hierarchy level and type show to see the configuration under that level.
root# run show configuration                  outputs the configuration in its structured (Unix-style) format.
root# run show configuration | display set    outputs it in the set-command form you configured.
Show the software version: root@lizhiqiang> show version brief

ScreenOS -> JUNOS command mapping (with notes)

Session & Interface counters
get session                    ->  > show security flow session
get interface                  ->  > show interface terse
get counter stat               ->  > show interface extensive
get counter stat <interface>   ->  > show interface <interface> extensive
clear counter stat             ->  > clear interface statistics <interface>

Debug & Snoop
debug flow basic               ->  # edit security flow
                                   # set traceoptions flag basic-datapath
                                   # commit
                                   Creates debugs in the default file /var/log/security-trace. See KB16108 for traceoptions info.
set ff                         ->  # edit security flow
                                   # set traceoptions packet-filter
                                   Packet-drop is a feature that will be added.
get ff                         ->  > show configuration | match packet-filter | display set
get debug                      ->  > show configuration | match traceoptions | display set
get db stream                  ->  View stored log (recommended option):
                                   > show log <file name>   (enter h to see help options)
                                   > show log security-trace   (to view 'security flow' debugs)
                                   > show log kmd   (to view 'security ike' debugs)
                                   View in real time (use this option with caution):
                                   > monitor start <debugfilename>
                                   ESC-Q pauses the real-time output to the screen.
                                   'monitor stop' stops the real-time view, but debugs are still collected in the log files.
clear db                       ->  > clear log <filename>   (clears the contents of the file)
                                   Use 'file delete <filename>' to actually delete the file.
undebug <debug>                ->  # edit security flow
(stops collecting debugs)          # deactivate traceoptions   OR   # delete traceoptions   (at the particular hierarchy)
                                   # commit
                                   Deactivate makes it easier to enable/disable; use 'activate traceoptions' to re-enable.
undebug all                    ->  Not available. You need to deactivate or delete traceoptions separately.
debug ike detail               ->  # edit security ike
                                   # set traceoptions flag ike
                                   # commit
                                   Creates debugs in the default file kmd.

snoop (packets THROUGH the JUNOS device)  ->  Use the Packet Capture feature:
                                   http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
                                   Not supported on SRX 3x00/5x00 yet.
snoop (packets TO the JUNOS device)  ->  > monitor traffic interface <int> layer2-headers
                                   write-file option (hidden); read-file (hidden)
                                   Only captures traffic destined for the RE of the router itself. Excludes PING.

Event Logs
get event                      ->  > show log messages
                                   > show log messages | last 20   (helpful because the newest log entries are at the end of the file)
get event | include <string>   ->  > show log messages | match <string>
                                   > show log messages | match "<string> | <string> | <string>"
                                   Examples:
                                   > show log messages | match "error | kernel | panic"
                                   > show log messages | last 20 | find error
                                   Note: there is no equivalent command for 'get event include <string>'.
                                   match displays only the lines that contain the string; find displays output starting from the first occurrence of the string.
clear event                    ->  > clear log messages
                                   > show log

Config & Software upgrade
get config                     ->  > show config   (program structured format)
                                   > show config | display set   (set command format)
get license                    ->  > show system license keys
get chassis (serial numbers)   ->  > show chassis hardware detail
                                   > show chas environment
                                   > show chas routing-engine
exec license                   ->  > request system license [add | delete | save]
unset all                      ->  load factory-default. See KB15725.

reset                          ->  set system root-authentication plain-text-password
                                   commit and-quit
                                   request system reboot
load config from tftp <tftp_server> <configfile>  ->  > start shell and FTP the config to the router, e.g. /var/tmp/test.cfg. Then:
                                   # load override /var/tmp/test.cfg   (or the full path of the config file)
                                   TFTP is not supported. Use only FTP, HTTP, or SCP.
load software from tftp <tftp_server> <screenosimage> to flash  ->  > request system software add
                                   Example: request system software add ftp://10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
                                   TFTP is not supported. Use only FTP, HTTP, or SCP.
                                   Use 'request system software rollback' to roll back to the previous s/w package. See KB16652.
save                           ->  # commit   OR   # commit and-quit
reset                          ->  > request system reboot

Policy
get policy                     ->  > show security policies
get policy from <zone> to <zone>  ->  > show security policies from-zone <zone> to-zone <zone>

VPN
get ike cookie                 ->  > show security ike security-associations
get sa                         ->  > show security ipsec security-associations
                                   > show security ipsec stat
clear ike cookie               ->  > clear security ike security-associations
clear sa                       ->  > clear security ipsec security-associations

NSRP
get nsrp                       ->  > show chassis cluster status
                                   > show chassis cluster interfaces
                                   > show chassis cluster status redundancy-group <group>

exec nsrp vsd <vsd> mode backup (on master)  ->  > request chassis cluster failover redundancy-group <group> node <node>
                                   > request chassis cluster failover reset redundancy-group <group>
                                   See KB5885.

DHCP
get dhcp client                ->  > show system services dhcp client. See KB15753.
exec dhcp client <int> renew   ->  > request system services dhcp renew (or release)

Routing
get route                      ->  > show route
get route ip <ipaddress>       ->  > show route <ipaddress>
get vr untrust-vr route        ->  > show route instance untrust-vr
get ospf nei                   ->  > show ospf neighbor
set route 0.0.0.0/0 interface <int> gateway <ip>  ->  # set routing-options static route 0.0.0.0/0 next-hop <ip>. See KB16572.

NAT
get vip                        ->  > show security nat destination-nat summary
get mip                        ->  > show security nat static-nat summary
get dip                        ->  > show security nat source-nat summary
                                   > show security nat source-nat pool <pool>

Other
get perf cpu                   ->  > show chassis routing-engine
get net-pak s                  ->  > show system buffers
get file                       ->  > show system storage
get alg                        ->  > show configuration groups junos-defaults applications
                                   All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command.
get service                    ->  > show configuration groups junos-defaults applications
get tech                       ->  > request support information
set console page 0             ->  > set cli screen-length 0
(none)                         ->  > file list <path>
                                   Example: file list /var/tmp/   (shows a directory listing; note that / is needed at the end of the path)

# = configuration mode prompt
> = operational mode prompt

19. Command-line structure

Set or Show
    system
        root-authentication
        name-server 208.67.222.222 208.67.220.220 202.106.0.20
        login user ltm authentication
            encrypted-password     Encrypted password string
            plain-text-password    Prompt for plain text password (autoencrypted)
        login user <name> class
            operator       permissions [ clear network reset trace view ]
            read-only      permissions [ view ]
            super-user     permissions [ all ]
            unauthorized   permissions [ none ]
        services
            web-management
                > control        Control of the web management process
                > http           Unencrypted HTTP connection settings
                > https          Encrypted HTTPS connections
                management-url   URL path for web management access
                > session        Session parameters
            dhcp
                name-server 202.106.0.20
                router 192.168.1.1
                pool 192.168.1.0/24
        syslog
            archive
            user
            file
    interfaces
        ge-0/0/0
            unit 0
                family inet
                    address 192.168.201.209/24
    routing-options
        static
            route 0.0.0.0/0
    security
        nat
            source
                rule-set
            destination
                pool
                rule-set
            proxy-arp
        screen
            ids-option untrust-screen
        zones
            security-zone trust
                address-book
                host-inbound-traffic
                interfaces
            security-zone untrust
                host-inbound-traffic
                interfaces
        policies
            policy