NetScreen 5GT-103 防火牆
1. 重置 Reset 出廠設定 (會清除現有全部設定並回復預設帳密 netscreen/netscreen, 重置前請先備份設定檔)
插上電源啟動 NetScreen
待 LED 置於綠色閃動狀態 (約60秒)
用 萬字夾按 Reset 2-4 秒 直至 LED 轉 橙色
拔出 待 2 秒 LED 轉回綠色
用 萬字夾按 Reset 2-4 秒 直至 LED 轉 紅色
NetScreen 重新啟動
待 LED 置於綠色閃動狀態 (約60秒)
2. 出廠設定
名稱: NetScreen
IP: 192.168.1.1
DHCP 服務: 開啟
DHCP IP: 192.168.1.33-192.168.1.126
Untrust Interface: 未設定
Trust Interface: 已設定
Web Login: http://192.168.1.1
Admin ID: netscreen
Password: netscreen (出廠預設帳密, 屬公開已知資料; 重置後首次登入即應更改密碼)
3. 預備設定資料
Web Login: http://192.168.1.1
Admin ID: netscreen
Password: netscreen
HTTP redirect (HTTP 自動轉向 HTTPS): yes
NAT/Router Mode: NAT
Port Mode: Trust-Untrust Mode
Untrust IP: DHCP / Static/ PPPoE
Trust IP: 192.168.10.1/24 (下方步驟及設定檔實際使用值; Trust 網段不可與 Untrust 端網段重疊, 設定檔中 Untrust 為 192.168.0.108/24)
DHCP Range: 192.168.10.101-200 (須與 Trust IP 同一網段)
4. 初始設定步驟
視窗工作站設定:
設定成自動取得 IP
執行 IPCONFIG 查詢本機IP
執行IPCONFIG/RELEASE 放棄IP
執行IPCONFIG/RENEW 重新取得 IP
執行IPCONFIG/ALL 查詢 IP 及 DNS
執行PING 192.168.1.1
執行 IE登入 Web Login: https://192.168.1.1
選 No, Skip Wizard (略過設定精靈, 改依下列步驟手動設定)
設定日期時間:
-configuration>datetime>time zone=+8
-configuration>datetime>daylight=OFF
-configuration>datetime>auto synchronize with NTP=ON
-configuration>datetime>update clock every 60min
-configuration>datetime>primary server=stdtime.gov.hk
設定使用 SSL Admin:
-configuration>admin>management>HTTP Port=8080
-configuration>admin>management>redirect HTTP to HTTPS=ON
設定 Port Mode
-Configuration>Port Mode=Trust-Untrust
設定 Trust Interface
-Configuration>Network>Interface>Trust>Edit>Static IP=192.168.10.1/24
>Interface Mode=NAT
>Management Services=SSL/PING
設定 Untrust Interface
-Configuration>Network>Interface>Untrust>Edit>PPPoE (User=netvigator.com, password=) ※ PPPoE 密碼不應記錄於此類筆記中
>Management Services=SSL/PING ※ 在 Untrust 介面開啟 SSL 管理等於將管理介面暴露於 Internet; 除非確有遠端管理需求, 建議關閉, 或以 set admin manager-ip 限制可登入的來源 IP
設定 Trust DHCP Service
-Configuration>Network>DHCP>Trust>Address>192.168.10.101 to 192.168.10.200
設定 Untrust VIP 及 Policy
-Configuration>Network>Interface>Untrust>Edit>VIP>Same as Untrust IP>Add
>VIP>New VIP Service>WAN-IP:21=192.168.10.250:21
>VIP>New VIP Service>WAN-IP:22=192.168.10.250:22
>VIP>New VIP Service>WAN-IP:80=192.168.10.250:80
-Configuration>Policies>Untrust to Trust>New>FTP=Any-VIP,FTP
-Configuration>Policies>Untrust to Trust>New>SSH=Any-VIP,SSH !!! Error!!! (建立時出錯; 推測是 TCP/22 為防火牆本身的 SSH 管理埠所佔用, 可考慮以 set admin ssh port 更改管理埠, 或改用自訂通訊埠建立 VIP 服務, 見下方「自訂通訊埠」一節)
-Configuration>Policies>Untrust to Trust>New>HTTP=Any-VIP,HTTP
※ 以上策略來源均為 Any, 即開放整個 Internet 存取內部主機 192.168.10.250; FTP 以明文傳送帳密, 若非必要建議改用 SFTP/SSH, 並盡量將來源限制為特定 IP
設定 Screen & Block
-Configuration>Screening>Untrust>Flood Defense (Protect all)
-Configuration>Screening>Untrust>MS Windows Defense (Protect all)
-Configuration>Screening>Untrust>Scan/Spoof/Sweep Defense (Protect all)
-Configuration>Screening>Untrust>DoS Defense (Protect all)
備份/還原設定 (備份檔內含管理員密碼雜湊、介面位址及 VIP 等資料, 須妥善保管; 還原前先確認檔案來源可信)
-Configuration>Update>Config File>Save to file
-Configuration>Update>Config File>Replace Current Configuration
設定使用自訂通訊埠的 Virtual 服務器
-Object>Service>Custom
步驟:1-建立自訂服務, 2-建立 VIP服務, 3-建立 服務策略
例如 HTTP:8000
-Object>Services>Custom>New
Name=HTTP-MEM, protocol=TCP, Source=0-65535, Destination=8000, [OK]
進階設定
- SSH Virtual IP
- VPN
- Auth Server
SSH 設定語法 (以下為經 SSH/CLI 匯出的設定檔。注意: 其中 set admin password 一行為管理員密碼雜湊, 對外分享前應先移除; set interface untrust manage ssl 表示管理介面對 Untrust 開放。此設定檔與上述 Web 步驟不完全一致: Untrust 看來是以 DHCP 取得 IP 而非 PPPoE, 且 Untrust→Trust 只有 FTP 一條策略, 未見 HTTP 策略)
==========================
set clock dst-off
set clock ntp
set clock timezone 8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin port 8080
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.10.1/24
set interface trust nat
set interface untrust ip 192.168.0.108/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage ssh
unset interface trust manage telnet
unset interface trust manage snmp
unset interface trust manage web
set interface untrust manage ping
set interface untrust manage ssl
set interface untrust vip untrust 21 "FTP" 192.168.10.250
set interface untrust vip untrust 80 "HTTP" 192.168.10.250
set interface untrust dhcp client enable
unset interface untrust dhcp client settings update-dhcpserver
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.10.101 to 192.168.10.200
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "FTP" from "Untrust" to "Trust" "Any" "VIP(untrust)" "FTP" permit
set policy id 2
exit
set monitor cpu 100
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "stdtime.gov.hk"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 60
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
==========================