labunix's blog

labunix's Lab Unix

I tried putting an SRX100H into a JSRP-HA configuration.

■I tried putting an SRX100H into a JSRP-HA configuration.
 Basically the physical-hardware version of the posts below. Bottom line: playing with vSRX within its free tier is already plenty.

 Trying out an SRX chassis cluster (HA configuration, active/passive).
 http://labunix.hateblo.jp/entry/20150919/1442600451

 Building vSRX-HA on VMware Player.
 http://labunix.hateblo.jp/entry/20151221/1450626773

 Checking vSRX-HA failover and failback behavior.
 http://labunix.hateblo.jp/entry/20151227/1451159022

■Initialize first
 There are two ways: hold the RESET CONFIG button for 15 seconds,
 or run "request system zeroize", which also erases all logs.
 This time, from the CLI.

root@% cli
root> configure
root# load factory-default 
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password 
New password:
Retype new password:

[edit]
root# commit 
commit complete

[edit]
root# exit 

Exiting configuration mode
root> request system reboot 
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!

■On the SRX100 series, the port assignment when chassis cluster is enabled is as follows.

 SRX Chassis Cluster (Branch Edition)
 https://www.juniper.net/assets/jp/jp/local/pdf/others/br_chassis-clustering.pdf

 The management port fxp0 is fe-0/0/6
 The control link fxp1 is fe-0/0/7
 The fabric link fab0/fab1 is fe-0/0/0

■Back up the current config on both nodes

configure
show | save before-jsrp.20160207

■Check which interface settings will be deleted
 VLANs are tied to interfaces as well, so the three targets are [interfaces], [security] and [vlans].

root> show configuration | display set | match interface 
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust l3-interface vlan.0

■Delete the interface-related settings and set the role to active (node0)

configure
delete interface
delete security
delete vlans
commit and-quit
set chassis cluster cluster-id 1 node 0


■Delete the interface-related settings and set the role to standby (node1)

configure
delete interface
delete security
delete vlans
commit and-quit
set chassis cluster cluster-id 1 node 1

■Directly cable the LAN that becomes fab0 (fe-0/0/0) and fab1 (fe-1/0/0) after the reboot,
 and the LAN that becomes fxp1 (fe-0/0/7) and fxp1 (fe-1/0/7), then reboot
 ※Both get their IP addresses assigned automatically, so no manual configuration is needed.
  Also, the chassis cluster is disabled until the reboot, so
  cabling them while powered on does not form a cluster.
  I rebooted the standby node first, then the active node.

root> show chassis cluster status    
error: Chassis cluster is not enabled.
root> request system reboot 
Reboot the system ? [yes,no] (no) yes 

■Check after the reboot.

root> show chassis cluster status | last 3 | no-more    

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None           
node1  1        secondary      no      no       None           
                                       
{primary:node0}


■Configure the host names and fxp0 from the active node (node0)

configure
set groups node0 system host-name SRX100H-node0
set groups node0 interface fxp0 unit 0 family inet address 172.31.31.110/24
set groups node1 system host-name SRX100H-node1
set groups node1 interface fxp0 unit 0 family inet address 172.31.31.111/24
set apply-groups ${node}
commit and-quit

■Connect the fxp0 (fe-0/0/6, fe-1/0/6) LAN cables to the management network
 fab0 can be assigned any interface, which
 conversely means no member interface has been configured yet.
 So at this point its status is Link Down.

root@SRX100H-node0> ping count 3 172.31.31.110  
PING 172.31.31.110 (172.31.31.110): 56 data bytes
64 bytes from 172.31.31.110: icmp_seq=0 ttl=64 time=0.324 ms
64 bytes from 172.31.31.110: icmp_seq=1 ttl=64 time=0.366 ms
64 bytes from 172.31.31.110: icmp_seq=2 ttl=64 time=0.382 ms

--- 172.31.31.110 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.324/0.357/0.382/0.024 ms

{primary:node0}
root@SRX100H-node0> ping count 3 172.31.31.111    
PING 172.31.31.111 (172.31.31.111): 56 data bytes
64 bytes from 172.31.31.111: icmp_seq=0 ttl=64 time=18.819 ms
64 bytes from 172.31.31.111: icmp_seq=1 ttl=64 time=8.205 ms
64 bytes from 172.31.31.111: icmp_seq=2 ttl=64 time=7.191 ms

--- 172.31.31.111 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 7.191/11.405/18.819/5.259 ms

{primary:node0}

root@SRX100H-node0> show interfaces fxp* terse 
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up  
fxp0.0                  up    up   inet     172.31.31.110/24
fxp1                    up    up  
fxp1.0                  up    up   inet     129.16.0.1/2    
                                   tnp      0x1100001       

{primary:node0}

root@SRX100H-node0> show interfaces fab* terse    
Interface               Admin Link Proto    Local                 Remote
fab0                    up    down
fab0.0                  up    down inet     30.17.0.200/24  
fab1                    up    down
fab1.0                  up    down inet     30.18.0.200/24  

{primary:node0}

■Set interface descriptions
 fxp1 (fe-0/0/7, fe-1/0/7) cannot even be given a description,
 so set the others.

configure
edit interfaces fab0.0
set description "(node0)Data Link/Any"
edit interfaces fab1.0
set description "(node1)Data Link/Any"
top edit interfaces fe-0/0/1
set description "L2-Trust"
top edit interfaces fe-0/0/2
set description "L3-Trust"
top edit interfaces fe-0/0/3
set description "L2-Untrust"
top edit interfaces fe-0/0/4
set description "L3-Untrust"
top edit interfaces fxp0.0
set description "Management/Fixed(fe-0/0/6-to-fe-1/0/6)"
top
commit check
commit and-quit

■Configure the fab0/fab1 member interfaces

configure
set interfaces fab0 fabric-options member-interfaces fe-0/0/0
set interfaces fab1 fabric-options member-interfaces fe-1/0/0
commit check
commit and-quit

root@SRX100H-node0> show interfaces fab* terse    
Interface               Admin Link Proto    Local                 Remote
fab0                    up    up  
fab0.0                  up    up   inet     30.17.0.200/24  
fab1                    up    up  
fab1.0                  up    up   inet     30.18.0.200/24  

{primary:node0}

■Check HA

root@SRX100H-node0> show chassis cluster status | last 3 | no-more 

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None           
node1  1        secondary      no      no       None           
                                        
{primary:node0}
root@SRX100H-node0> show chassis cluster interfaces                   
Control link status: Up

Control interfaces: 
    Index   Interface        Status   Internal-SA
    0       fxp1             Up       Disabled   

Fabric link status: Up

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    fe-0/0/0           Up   / Up  
    fab0   
    fab1    fe-1/0/0           Up   / Up  
    fab1   
   
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

{primary:node0}

■Change the interface J-Web is served on

root@SRX100H-node0> show configuration | display set | match vlan          
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0

{primary:node0}

configure
replace pattern vlan.0 with fxp0
commit check
commit and-quit

■Configure the redundancy groups (reth0, reth1) and assign priorities

configure
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 99
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 99
commit check
commit and-quit

■Associate reth[0-3] with their zones
 (reth-count was set to 2 above, and only reth0 and reth1 show up in the verification output at the end of this post.)

root@SRX100H-node0> show configuration | display set | match rust    
set interfaces fe-0/0/1 description L2-Trust
set interfaces fe-0/0/2 description L3-Trust
set interfaces fe-0/0/3 description L2-Untrust
set interfaces fe-0/0/4 description L3-Untrust

{primary:node0}

configure
set interfaces reth0.0 family inet
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces fe-0/0/1 fastether-options redundant-parent reth0
set interfaces fe-1/0/1 fastether-options redundant-parent reth0
set interfaces reth1.0 family inet address 10.26.7.112/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces fe-0/0/2 fastether-options redundant-parent reth1
set interfaces fe-1/0/2 fastether-options redundant-parent reth1
set interfaces reth2.0 family inet
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces fe-0/0/3 fastether-options redundant-parent reth2
set interfaces fe-1/0/3 fastether-options redundant-parent reth2
set interfaces reth3.0 family inet address 172.16.16.112/24
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces fe-0/0/4 fastether-options redundant-parent reth3
set interfaces fe-1/0/4 fastether-options redundant-parent reth3
set routing-options static route 0/0 next-hop 10.26.7.254
commit check
commit and-quit

■Check the HA state of reth0 and reth1

root@SRX100H-node0> show chassis cluster status | last 7 | no-more

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  99       secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  100      primary        no      no       None
node1  99       secondary      no      no       None

{primary:node0}

■Configure monitoring for each interface

configure
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/4 weight 255
commit check
commit and-quit
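The status check above and the interface-monitor weights just committed are worth modelling together. The added example below (my code, not the post's) parses the post's own `show chassis cluster status` output and interface-monitor lines, flags what a monitoring job should alert on, and predicts which node holds redundancy-group 1 after given links go down; the fixed per-node threshold of 255 and the "no preempt" behaviour are the assumptions it encodes.

```python
import re

# Junos chassis cluster rule modelled here: every redundancy group (RG) starts
# with a threshold of 255 per node; each monitored interface that goes down
# subtracts its weight, and at 0 that node's priority for the RG becomes 0, so
# the RG fails over to the peer. With weight 255 on every link (as above) a
# single link failure is enough. Preempt and manual failover are not modelled.
RG_THRESHOLD = 255

# Constructed sample: the `show chassis cluster status` output from this post.
STATUS_OUTPUT = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  99       secondary      no      no       None
Redundancy group: 1 , Failover count: 1
node0  100      primary        no      no       None
node1  99       secondary      no      no       None
"""

# Constructed sample: the eight interface-monitor lines committed in this post.
MONITOR_CONFIG = "\n".join(
    f"set chassis cluster redundancy-group 1 interface-monitor fe-{n}/0/{p} weight 255"
    for p in (1, 2, 3, 4) for n in (0, 1))

RG_LINE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_LINE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
MON_LINE = re.compile(r"^set chassis cluster redundancy-group (\d+) "
                      r"interface-monitor (fe-(\d)/\d/\d+) weight (\d+)$")


def parse_status(text):
    """Return {rg: {node: {'priority': int, 'status': str, 'failures': str}}}."""
    groups, rg = {}, None
    for line in text.splitlines():
        m = RG_LINE.match(line)
        if m:
            rg = int(m.group(1))
            groups[rg] = {}
        elif rg is not None and (m := NODE_LINE.match(line)):
            groups[rg][m.group(1)] = {"priority": int(m.group(2)),
                                      "status": m.group(3),
                                      "failures": m.group(6)}
    return groups


def parse_monitors(text):
    """Return {rg: {node: {iface: weight}}}; fe-0/... sits in node0, fe-1/... in node1."""
    mons = {}
    for line in text.splitlines():
        if m := MON_LINE.match(line):
            rg, iface, node, w = int(m.group(1)), m.group(2), "node" + m.group(3), int(m.group(4))
            mons.setdefault(rg, {}).setdefault(node, {})[iface] = w
    return mons


def status_problems(groups):
    """What a monitoring job should alert on: a missing node, not exactly one
    primary per RG, or any reported monitor failure."""
    problems = []
    for rg, nodes in sorted(groups.items()):
        if set(nodes) != {"node0", "node1"}:
            problems.append(f"RG{rg}: node missing")
        if sum(v["status"] == "primary" for v in nodes.values()) != 1:
            problems.append(f"RG{rg}: primary count != 1")
        problems += [f"RG{rg}: {n} monitor failure {v['failures']}"
                     for n, v in nodes.items() if v["failures"] != "None"]
    return problems


def predict_primary(groups, mons, rg, down):
    """Node that holds `rg` after the interfaces in `down` go link-down."""
    current = next(n for n, v in groups[rg].items() if v["status"] == "primary")
    effective = {}
    for node, v in groups[rg].items():
        lost = sum(w for i, w in mons.get(rg, {}).get(node, {}).items() if i in down)
        effective[node] = 0 if lost >= RG_THRESHOLD else v["priority"]
    # Without preempt the RG only moves when the current primary drops to 0
    # and the peer still has a non-zero priority.
    if effective[current] > 0 or max(effective.values()) == 0:
        return current
    return max(effective, key=effective.get)
```

Because every link carries weight 255, losing any single monitored link on node0 moves RG1 to node1, while losing one link on each node leaves RG1 where it is.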

■Configure the security zones

configure
set security zones security-zone L2-Trust interfaces reth0.0
set security zones security-zone L3-Trust interfaces reth1.0
set security zones security-zone L2-Untrust interfaces reth2.0
set security zones security-zone L3-Untrust interfaces reth3.0
commit check
commit and-quit

■Configure the DNS client

configure
delete system name-server 208.67.222.222
delete system name-server 208.67.220.220
set system name-server 172.31.31.251
commit check
commit and-quit

root@SRX100H-node0> show host juniper.com 
juniper.com has address 192.107.16.40
juniper.com mail is handled by 5 juniper-com.mail.protection.outlook.com.
juniper.com mail is handled by 5 mail.global.frontbridge.com.

{primary:node0}

■Configure the time zone and NTP client
 Set it up so the clock is also synchronized at boot;
 if it stays at stratum 16 even though an NTP server is referenced, try rebooting.

configure
set system time-zone Asia/Tokyo
set system ntp boot-server 172.31.31.60
set system ntp server 172.31.31.60
commit check
commit and-quit

set date ntp 172.31.31.254
show ntp status
show ntp associations
show system uptime
# reboot
request routing-engine login node 1
cli
request system reboot
exit
exit
request system reboot

■OK if the active node can fetch the time as shown below.
 Note that it cannot be queried directly from the standby node.

root@SRX100H-node0> set date ntp 172.31.31.254    
node0:
--------------------------------------------------------------------------
 7 Feb 23:44:37 ntpdate[2659]: step time server 172.31.31.254 offset 0.005155 sec

node1:
--------------------------------------------------------------------------
 7 Feb 23:44:37 ntpdate[2639]: step time server 172.31.31.254 offset 0.009376 sec

{primary:node0}

root@SRX100H-node0> show ntp status          
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Sat Sep 26 04:37:05 UTC 2015 (1)",
processor="octeon", system="JUNOS12.1X46-D40.2", leap=00, stratum=3,
precision=-17, rootdelay=9.260, rootdispersion=952.736, peer=62308,
refid=172.31.31.254,
reftime=da61d690.14489a7c  Sun, Feb  7 2016 23:43:28.079, poll=4,
clock=da61d6c3.4f1b4277  Sun, Feb  7 2016 23:44:19.309, state=2,
offset=4.401, frequency=0.063, jitter=1.780, stability=0.031

{primary:node0}

root@SRX100H-node0> show ntp associations    
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*172.31.31.254   133.243.238.164  2 -    8   64    1    1.081    4.401   3.560

{primary:node0}

root@SRX100H-node0> show system uptime       
node0:
--------------------------------------------------------------------------
Current time: 2016-02-07 23:44:00 JST
System booted: 2016-02-07 18:21:22 JST (05:22:38 ago)
Protocols started: 2016-02-07 18:25:20 JST (05:18:40 ago)
Last configured: 2016-02-07 18:36:08 JST (05:07:52 ago) by root
11:44PM  up 5:23, 1 user, load averages: 0.16, 0.17, 0.11

node1:
--------------------------------------------------------------------------
Current time: 2016-02-07 23:44:01 JST
System booted: 2016-02-07 18:21:04 JST (05:22:57 ago)
Last configured: 2016-02-07 18:35:54 JST (05:08:07 ago) by root
11:44PM  up 5:23, 0 users, load averages: 0.24, 0.23, 0.14

{primary:node0}
root@SRX100H-node0> request routing-engine login node 1 

--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
root@SRX100H-node1> show ntp status 
localhost: timed out, nothing received
***Request timed out

{secondary:node1}
root@SRX100H-node1> show ntp associations 
localhost: timed out, nothing received
***Request timed out

{secondary:node1}

■Create a user and configure SSH login with public-key authentication

 Configuring public-key SSH login on SRX (Junos).
 http://labunix.hateblo.jp/entry/20151228/1451310702

 Backing up the SRX100H configuration over scp with public-key authentication (no passphrase).
 http://labunix.hateblo.jp/entry/20150920/1442686263

set system login user labunix uid 2000
set system login user labunix class super-user
set system login user labunix authentication ssh-rsa "ssh-rsa [paste public key here]"

■Configure SNMP / SNMP traps
 Allow access only from 172.31.31.0/24.
 Send routing-engine and chassis events with the public community.

configure
set snmp community public authorization read-only
set snmp community public clients 172.31.31.0/24
set snmp community public clients 0.0.0.0/0 restrict
set snmp community private authorization read-write
set snmp community private clients 172.31.31.0/24
set snmp community private clients 0.0.0.0/0 restrict
set snmp trap-group public categories chassis routing
set snmp trap-group public targets 172.31.31.254
set snmp trap-group private targets 172.31.31.254
commit and-quit


$ echo -e "110\n111" | awk '{print "snmpwalk -c public -v1 172.31.31."$1" sysName.0"}' | sh 2>/dev/null
SNMPv2-MIB::sysName.0 = STRING: SRX100H-node0
SNMPv2-MIB::sysName.0 = STRING: SRX100H-node1

$ echo -e "110\n111" | awk '{print "snmpwalk -c public -v1 172.31.31."$1" hrSystemUptime.0"}' | sh 2>/dev/null
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (2052353) 5:42:03.53
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (63676) 0:10:36.76

$ sudo tail -30 /var/log/syslog | grep UNKNOWN | sed -e 's/ [A-Z]\|> /&\n\t/g' | grep -v UNKNOWN
	[UDP: [172.31.31.111]:53882->[172.31.31.254]:162]:#012DISMAN-EXPRESSION-MIB::sysUpTimeInstance = T
	imeticks: (28886) 0:04:48.86#011SNMPv2-MIB::snmpTrapOID.0 = O
	ID: S
	NMPv2-SMI::enterprises.2636.4.1.6#011SNMPv2-SMI::enterprises.2636.3.1.15.1.1.9.1.1.0 = I
	NTEGER: 9#011SNMPv2-SMI::enterprises.2636.3.1.15.1.2.9.1.1.0 = I
	NTEGER: 1#011SNMPv2-SMI::enterprises.2636.3.1.15.1.3.9.1.1.0 = I
	NTEGER: 1#011SNMPv2-SMI::enterprises.2636.3.1.15.1.4.9.1.1.0 = I
	NTEGER: 0#011SNMPv2-SMI::enterprises.2636.3.1.15.1.5.9.1.1.0 = S
	TRING: "node0 U
	SB H
	ub"#011SNMPv2-SMI::enterprises.2636.3.1.15.1.6.9.1.1.0 = I
	NTEGER: 6#011SNMPv2-SMI::enterprises.2636.3.1.15.1.7.9.1.1.0 = I
	NTEGER: 0#011SNMPv2-MIB::snmpTrapEnterprise.0 = O
	ID: S
	NMPv2-SMI::enterprises.2636.1.1.1.2.41

■Configure syslog

configure
set system syslog user * any emergency
set system syslog host 172.31.31.254 any warning
set system syslog host 172.31.31.254 facility-override local7
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
commit check
commit and-quit

$ sudo grep shutdown /var/log/SRX*
/var/log/SRX100H-node0.log:Feb  8 02:06:29 SRX100H-node0 craftd[1347]: craftd_user_conn_shutdown: socket 5, errno = 0
/var/log/SRX100H-node1.log:Feb  8 02:06:31 SRX100H-node1 craftd[1411]: craftd_user_conn_shutdown: socket 5, errno = 0
/var/log/SRX100H-node1.log:Feb  8 02:06:35 SRX100H-node1 craftd[1411]: craftd_user_conn_shutdown: socket 8, errno = 0

■Create an address list for testing

$ seq 1 111 | awk 'BEGIN{print "edit security zones security-zone L2-Trust address-book "}\
                        {printf "set address L2-Trust-%03d 10.26.7.%d/32\n",$1,$1} \
                   END  {print "exit"}' > address.log; \
  seq 112 254 | awk 'BEGIN{print "edit security zones security-zone L3-Trust address-book "}\
                        {printf "set address L3-Trust-%03d 10.26.7.%d/32\n",$1,$1} \
                   END  {print "exit"}' >> address.log; \
  seq 1 111 | awk 'BEGIN{print "edit security zones security-zone L2-Untrust address-book "}\
                        {printf "set address L2-Untrust-%03d 172.16.16.%d/32\n",$1,$1} \
                   END  {print "exit"}' >> address.log; \
  seq 112 254 | awk 'BEGIN{print "edit security zones security-zone L3-Untrust address-book "}\
                        {printf "set address L3-Untrust-%03d 172.16.16.%d/32\n",$1,$1} \
                   END  {print "exit"}' >> address.log


■It looks like this.

$ grep -B1 -A 2 ^edit address.log
edit security zones security-zone L2-Trust address-book 
set address L2-Trust-001 10.26.7.1/32
set address L2-Trust-002 10.26.7.2/32
--
exit
edit security zones security-zone L3-Trust address-book 
set address L3-Trust-112 10.26.7.112/32
set address L3-Trust-113 10.26.7.113/32
--
exit
edit security zones security-zone L2-Untrust address-book 
set address L2-Untrust-001 172.16.16.1/32
set address L2-Untrust-002 172.16.16.2/32
--
exit
edit security zones security-zone L3-Untrust address-book 
set address L3-Untrust-112 172.16.16.112/32
set address L3-Untrust-113 172.16.16.113/32

■Send it over with scp and load it in one go.

$ scp address.log labunix@172.31.31.110:~/
address.log                                   100%   15KB  15.2KB/s   00:00
$ ssh labunix@172.31.31.110
> configure 
labunix@SRX100H-node0# load set address.log 
load complete

{primary:node0}[edit]
labunix@SRX100H-node0# commit check 
node0: 
configuration check succeeds
node1: 
configuration check succeeds

{primary:node0}[edit]
labunix@SRX100H-node0# commit and-quit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete
Exiting configuration mode

{primary:node0}

■By the way, in the common situation where the same host name in the same zone has another IP address,
 setting the second IP address wipes out the previous one, lol.
 I thought so with vSRX too, but J-Web is hard to use as well; what is this thing.

# set security zones security-zone L2-Trust address-book address L2-Trust-001 10.10.10.10/32 
# show | compare 
[edit security zones security-zone L2-Trust address-book]
-      address L2-Trust-001 10.26.7.1/32;
+      address L2-Trust-001 10.10.10.10/32;
       address L2-Trust-002 { ... }

{primary:node0}[edit]

■Pulling myself together: in that case, use an address-set.
 Incidentally, the same name cannot be used for both an [address] and an [address-set].
 It fails at [commit check] and gets rejected:
 "Security address and address-set cannot have same name"
 You're kidding, right? lol

configure
delete security zones security-zone L2-Trust address-book address L2-Trust-001
set security zones security-zone L2-Trust address-book address L2-Trust-001-1 10.26.7.1/32
set security zones security-zone L2-Trust address-book address L2-Trust-001-2 10.26.6.1/32
set security zones security-zone L2-Trust address-book address L2-Trust-001-3 10.26.5.1/32
set security zones security-zone L2-Trust address-book address-set L2-Trust-001 address L2-Trust-001-1
set security zones security-zone L2-Trust address-book address-set L2-Trust-001 address L2-Trust-001-2
set security zones security-zone L2-Trust address-book address-set L2-Trust-001 address L2-Trust-001-3
commit check
commit and-quit

■As I imagined, for applications too, configuring udp after tcp wipes out the previous setting.
 What is this?

configure
set applications application test-dns protocol tcp destination-port 53 inactivity-timeout 180
set applications application test-dns protocol udp destination-port 53 inactivity-timeout 180

# show | compare 
[edit]
+  applications {
+      application test-dns {
+          protocol udp;
+          destination-port 53;
+          inactivity-timeout 180;
+      }
+  }

{primary:node0}[edit]
# exit
The configuration has been changed but not committed
Discard uncommitted changes? [yes,no] (yes) yes 

Exiting configuration mode

{primary:node0}

■Of course, [application-set] and [application] names must not collide either,
 so do it like this.

configure
set applications application test-dns-tcp protocol tcp destination-port 53 inactivity-timeout 180
set applications application test-dns-udp protocol udp destination-port 53 inactivity-timeout 180
set applications application-set test-dns application test-dns-tcp
set applications application-set test-dns application test-dns-udp
commit check
commit and-quit
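The address-set workaround above and this application-set one share the same two pitfalls: a second prefix or protocol under one name silently replaces the first, and an object may not share a name with a set of the same kind. The added example below (my code, not the post's) generates both kinds of set commands the way the post ends up doing it and checks a `load set` payload for that name collision before it is sent to the box; the zone, names, prefixes and port are the post's sample values.

```python
import re

# Generates the address-set and application-set commands this post ends up
# with, and rejects the name collision the post hits at commit check before
# anything is loaded with `load set`. Sample values are taken from the post.


def address_set_cmds(zone, name, ips):
    """One `address NAME-n` per prefix, grouped by an `address-set NAME`.

    Junos keeps only the last `address NAME <prefix>` written for a given name
    (the post's `show | compare` shows 10.26.7.1/32 replaced by 10.10.10.10/32),
    so several prefixes for one host need distinct address objects plus a set."""
    base = f"set security zones security-zone {zone} address-book"
    cmds = [f"{base} address {name}-{i} {ip}" for i, ip in enumerate(ips, 1)]
    cmds += [f"{base} address-set {name} address {name}-{i}"
             for i in range(1, len(ips) + 1)]
    return cmds


def application_set_cmds(name, port, protocols=("tcp", "udp"), timeout=180):
    """One application per protocol, grouped by an application-set.

    A second `protocol` under one application name replaces the first (only
    udp survives in the post's test-dns compare), hence one object per protocol."""
    cmds = [f"set applications application {name}-{p} protocol {p} "
            f"destination-port {port} inactivity-timeout {timeout}" for p in protocols]
    cmds += [f"set applications application-set {name} application {name}-{p}"
             for p in protocols]
    return cmds


# "address X" / "address-set X" / "application X" / "application-set X";
# "address-book" and "applications" do not match because a space must follow.
NAME_USE = re.compile(r"\b(address|application)(-set)? (\S+)")


def name_collisions(cmds):
    """Names used both as an object and as a set of the same kind.

    Junos rejects these at commit check ('Security address and address-set
    cannot have same name'); the same restriction applies to application-set."""
    objects, sets = set(), set()
    for cmd in cmds:
        for kind, is_set, name in NAME_USE.findall(cmd):
            (sets if is_set else objects).add((kind, name))
    return sorted(objects & sets)


def load_set_payload(cmds, existing=()):
    """Payload for `load set`; refuse it if the new commands collide with each
    other or with names already on the box (e.g. the post's address.log)."""
    if clash := name_collisions(list(existing) + list(cmds)):
        raise ValueError(f"object/set name collision: {clash}")
    return "\n".join(cmds) + "\n"
```

Checking against the existing address.log entries reproduces the post's flow: the address L2-Trust-001 has to be deleted before an address-set of the same name can be committed.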

■It works in the end, so fine, but it still produces a lump of awkwardness.

labunix@SRX100H-node0> show configuration | find test-dns                          
    application test-dns-tcp {
        protocol tcp;
        destination-port 53;
        inactivity-timeout 180;
    }
    application test-dns-udp {
        protocol udp;
        destination-port 53;
        inactivity-timeout 180;
    }
    application-set test-dns {
        application test-dns-tcp;
        application test-dns-udp;
    }
}

{primary:node0}

■Requiring a name on a policy, come on lol.
 No way around it, so fudge it with [Cisco-ACL-style number-application name].
 This is where you would select an [application-set], right? Huh? It's [application]? lol

configure
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns match source-address L3-Untrust-112
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns match source-address L3-Untrust-113
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns match destination-address L3-Trust-112
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns match destination-address L3-Trust-113
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns match application test-dns
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns then log session-init
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns then log session-close
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns then permit
commit check
commit and-quit

labunix@SRX100H-node0# show | compare rollback 1    
[edit security]
+   policies {
+       from-zone L3-Untrust to-zone L3-Trust {
+           policy 010-dns {
+               match {
+                   source-address [ L3-Untrust-112 L3-Untrust-113 ];
+                   destination-address [ L3-Trust-112 L3-Trust-113 ];
+                   application test-dns;
+               }
+               then {
+                   permit;
+                   log {
+                       session-init;
+                       session-close;
+                   }
+               }
+           }
+       }
+   }

{primary:node0}[edit]

■Finally, configure the rule that applies when no other rule matches.

configure
set security policies default-policy deny-all
commit check
commit and-quit

# show | compare rollback 1 
[edit security policies]
+    default-policy {
+        deny-all;
+    }

{primary:node0}[edit]

■Configure Kaspersky AV
 ※With an account that has the serial number and support contract registered,
  you can issue the 30-day trial license yourself, once per device.

configure
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 120
set security utm feature-profile anti-virus type kaspersky-lab-engine
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update proxy server 172.31.31.254
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update proxy port 3128
set security policies from-zone L3-Untrust to-zone L3-Trust policy 010-dns then permit application-services utm-policy junos-av-policy
commit check
commit and-quit

■Verification

labunix@SRX100H-node0> show interfaces fab* terse 
Interface               Admin Link Proto    Local                 Remote
fab0                    up    up  
fab0.0                  up    up   inet     30.17.0.200/24  
fab1                    up    up  
fab1.0                  up    up   inet     30.18.0.200/24  

{primary:node0}
labunix@SRX100H-node0> show interfaces fxp* terse    
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up  
fxp0.0                  up    up   inet     172.31.31.110/24
fxp1                    up    up  
fxp1.0                  up    up   inet     129.16.0.1/2    
                                   tnp      0x1100001       

{primary:node0}
labunix@SRX100H-node0> show chassis cluster status | last 7 | no-more 
 
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None           
node1  99       secondary      no      no       None           

Redundancy group: 1 , Failover count: 1
node0  100      primary        no      no       None           
node1  99       secondary      no      no       None           
                                        
{primary:node0}
labunix@SRX100H-node0> show chassis cluster interfaces | no-more 
Control link status: Up

Control interfaces: 
    Index   Interface        Status   Internal-SA
    0       fxp1             Up       Disabled   

Fabric link status: Up

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    fe-0/0/0           Up   / Up  
    fab0   
    fab1    fe-1/0/0           Up   / Up  
    fab1   

Redundant-ethernet Information:     
    Name         Status      Redundancy-group
    reth0        Up          1                
    reth1        Up          1                
   
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    fe-1/0/4          255       Up        1   
    fe-0/0/4          255       Up        1   
    fe-1/0/3          255       Up        1   
    fe-0/0/3          255       Up        1   
    fe-1/0/2          255       Up        1   
    fe-0/0/2          255       Up        1   
    fe-1/0/1          255       Up        1   
    fe-0/0/1          255       Up        1   

{primary:node0}

labunix@SRX100H-node0> show interfaces reth* terse   
Interface               Admin Link Proto    Local                 Remote
reth0                   up    up  
reth0.0                 up    up   inet    
reth1                   up    up  
reth1.0                 up    up   inet     10.26.7.112/24  

{primary:node0}
labunix@SRX100H-node0> show interfaces fe-* terse | match "up.*up" 
fe-0/0/0                up    up  
fe-0/0/0.0              up    up   aenet    --> fab0.0
fe-0/0/1                up    up  
fe-0/0/1.0              up    up   aenet    --> reth0.0
fe-0/0/2                up    up  
fe-0/0/2.0              up    up   aenet    --> reth1.0
fe-0/0/3                up    up  
fe-0/0/3.0              up    up   aenet    --> reth2.0
fe-0/0/4                up    up  
fe-0/0/4.0              up    up   aenet    --> reth3.0
fe-0/0/6                up    up  
fe-0/0/7                up    up  
fe-1/0/0                up    up  
fe-1/0/0.0              up    up   aenet    --> fab1.0
fe-1/0/1                up    up  
fe-1/0/1.0              up    up   aenet    --> reth0.0
fe-1/0/2                up    up  
fe-1/0/2.0              up    up   aenet    --> reth1.0
fe-1/0/3                up    up  
fe-1/0/3.0              up    up   aenet    --> reth2.0
fe-1/0/4                up    up  
fe-1/0/4.0              up    up   aenet    --> reth3.0
fe-1/0/6                up    up  
fe-1/0/7                up    up  

{primary:node0}