【正文】 opback set security zones securityzone trust addressbook address pc_10_0_0_5 set security zones securityzone trust addressbook address pc_10_0_0_6 set security zones securityzone trust addressbook addressset dnatpc address pc_10_0_0_5set security zones securityzone trust addressbook addressset dnatpc address pc_10_0_0_6set security zones securityzone trust hostinboundtraffic systemservices set security zones securityzone trust hostinboundtraffic systemservices telset security zones securityzone trust hostinboundtraffic systemservices sshset security zones securityzone trust hostinboundtraffic systemservices set security zones securityzone trust hostinboundtraffic systemservices pingset security zones securityzone trust interfaces ge0/0/set security zones securityzone trust interfaces ge0/0/set security zones securityzone trust interfaces set security zones securityzone untrust addressbook address pc10_1_1_15 set security zones securityzone untrust addressbook address remoteloopback set security zones securityzone untrust hostinboundtraffic systemservices telset security zones securityzone untrust hostinboundtraffic systemservices pingset security zones securityzone untrust hostinboundtraffic systemservices ikeset security zones securityzone untrust interfaces ge0/0/set security zones securityzone untrust interfaces ge0/0/set security zones securityzone vpn addressbook address remote set security zones securityzone vpn hostinboundtraffic systemservices pingset security zones securityzone vpn hostinboundtraffic protocols ospfset security zones securityzone vpn interfaces set security policies fromzone trust tozone untrust policy trusttountrustvpn match sourceaddress localloopbackset security policies fromzone trust tozone untrust policy trusttountrustvpn match sourceaddress pc_10_0_0_5set security policies fromzone trust tozone untrust policy trusttountrustvpn match destinationaddress remoteloopbackset security policies fromzone trust tozone untrust policy trusttountrustvpn match destinationaddress pc10_1_1_15set security policies fromzone trust tozone untrust policy trusttountrustvpn match application anyset security policies fromzone trust tozone untrust policy trusttountrustvpn then permit tunnel ipsecvpn ikevpn2set security policies fromzone trust tozone untrust policy trusttountrustvpn then permit tunnel pairpolicy untrusttotrustvpnset security policies fromzone trust tozone untrust policy trusttoftp match sourceaddress 32 / 34pc_10_0_0_0set security policies fromzone trust tozone untrust policy trusttoftp match destinationaddress anyset security policies fromzone trust tozone untrust policy trusttoftp match application ftp2021set security policies fromzone trust tozone untrust policy trusttoftp then permitset security policies fromzone trust 。SRX 的 NAT 配置分為源地址翻譯(source NAT), 目標(biāo)地址翻譯(destination NAT)和靜態(tài)地址翻譯(static NAT)三種，其配置語法都類似，只是 nat rule 必須被放到 ruleset 里使用，任意兩個 zone 或任意兩個網(wǎng)絡(luò)邏輯接口之間只允許有一個 ruleset。Application 同樣允許通過定義 applicationset 來包含多個 application，以方便策略引用。配置舉例：set security zones securityzone trust addressbook address internalset security zones securityzone untrust addressbook address webserver addressbook 還支持創(chuàng)建 addressset 來包含多個離散的地址，以方便策略引用 application 配置SRX 安全策略里不允許直接使用協(xié)議號，源端口，目標(biāo)端口來匹配業(yè)務(wù)應(yīng)用，只能使用[application] 下系統(tǒng)預(yù)定義的應(yīng)用類型或用戶自定義的業(yè)務(wù)類型。SRX 自己發(fā)出去的流量是不受限制的。Null zone 是一種系統(tǒng)預(yù)定義的特殊的安全域，null zone 內(nèi)的接口不能接受外界的任何報文，也不能對外發(fā)送任何報文，即 null zone 內(nèi)的接口是不參與業(yè)務(wù)轉(zhuǎn)發(fā)的。 SRX 常用功能配置 安全域 zone 配置Zone 是共享相同安全級別的一組網(wǎng)絡(luò)接口的集合。? 檢查設(shè)備 Craft Interface 上的狀態(tài)報告，看看是否有系統(tǒng)告警，LED 顯示是否正常。日常維護(hù)步驟為優(yōu)化設(shè)備的性能，有規(guī)律的執(zhí)行下面的預(yù)防步驟：? 檢查設(shè)備所在的機(jī)房的條件：濕度、電源線、數(shù)據(jù)線纜以及空氣過濾網(wǎng)是否有過多的灰塵。機(jī)箱硬件組件故障檢查對機(jī)箱組件進(jìn)行故障檢查，使用下面的指導(dǎo)：? 通過查看各板卡上相應(yīng)的 LED，可以檢查出相應(yīng)板卡的狀態(tài)。通過下面的命令，觀察輸出的 Status 域的狀態(tài)：userhost show chassis environment ..23 / 34.? 如果有風(fēng)扇盤發(fā)生故障，可以通過觀察判斷出哪一個風(fēng)扇除了問題。[edit]rootmitmit plete20 / 345. 常用故障診斷命令查看端口狀態(tài)labSRX show interfaces terse Interface Admin Link Proto Local Remotege0/0/0 up up ge0/0/1 up down查看路由表labSRX show route terse : 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)+ = Active Route, = Last Active, * = BothA Destination P Prf Metric 1 Metric 2 Next hop AS path* * ge0/0/ 查看 OSPF 鄰居關(guān)系labr1 show ospf neighbor Address Interface State ID Pri Dead fe0/0/ Full 128 36 fe0/0/ Full 128 3521 / 34Pinglabsrx ping PING (): 56 data bytes64 bytes from : icmp_seq=0 ttl=61 time= mslabsrx ping rapid PING (): 56 data bytes!!!!!labSRX run ping rapid count 1000 size 1000 PING (): 1000 data bytes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1000 packets transmitted, 1000 packets received, 0% packet lossroundtrip min/avg/max/stddev = Traceroutelabsrx traceroute traceroute to (), 30 hops max, 40 byte packets 1 () ms ms ms2 () ms ms ms監(jiān)控接口流量labsrx monitor interface fe0/0/122 / 34監(jiān)控 RE CPU 利用率labsrxshow chassis routingengine監(jiān)控并發(fā)會話數(shù)labsrxshow security flow session summary冷卻系統(tǒng)故障檢查冷卻系統(tǒng)包含安裝在機(jī)箱側(cè)面的風(fēng)扇盤來保證 SRX 工作在一個可以接受的溫度環(huán)境下。[edit]rootset security nat source ruleset trusttountrust from zone trust[edit]rootset security nat source ruleset trusttountrust to zone untrust[edit]rootset security nat source ruleset trusttountrust rule sourcenatrule match sourceaddress [edit]rootset security nat source ruleset trusttountrust rule sourcenatrule then sourcenat interface12. 提交配置，使當(dāng)前配置生效。[edit]rootset security zones securityzone trust hostinbound