Juniper瞻博网络Sky高级威胁防护SRX1500

Data Sheet经过环境强化的小型 ACX 系列平台可提供全面的路由和安全服务、应用程序感知和控制，以及可保证业务连续性和弹性的高可用性，因此成为关键任务通信网络的完美之选。

ACX 系列平台可帮助传统 TDM/SONET 无缝迁移至以太网/IP，同时能够对传统服务提供支持。

移动回传不断加快的创新速度正在迫使移动运营商迁移至 LTE-Advanced 和5G 功能。

LTE-Advanced 和 5G 场所对网络基础架构的容量、延迟性、同步性和安全性提出了更严苛的要求。

ACX 系列能够以低至 60 Gbps 的各类小型设备支持 1GbE/10GbE 接口和吞吐量，满足了 LTE-Advanced 和 5G 的容量要求。

除了符合扩展所需的高容量和高密度要求，ACX 系列还以高精度定时、先进的安全功能以及更强的 SLA 管理功能来满足终端用户的质量要求。

ACX 系列支持所有移动服务范围，包括 2G/3G 的高速分组接入(HSPA)、4G LTE、LTE-Advanced 和小型基站。

在典型的回传部署场景中，ACX500 会被用作小型基站路由器和主时钟，而ACX1000 系列、ACX2000 系列或 ACX4000 则是大型基站路由器。

企业网络和户外网络随着企业和政府踏上数字化变革之旅，他们需要部署和升级任务关键型通信网络，而其中一些网络位于严酷恶劣的环境中，例如，提供监测控制和数据采集 (SCADA) 系统连接的户外网络。

电力、油气、采矿、铁路和运输、国防和公共安全行业等领域都面临这种情况。

架构和关键组件ACX 系列路由器采用 Juniper Networks Junos®操作系统，与瞻博网络 MX 系列 3D 通用边缘路由器形成互补；它提供针对服务提供商和企业分支机构进行了优化的灵活且可扩展的路由产品组合，以支持快速增长的移动、视频和云计算应用程序。

ACX 系列平台将瞻博网络在 IP/MPLS 领域从核心到边缘的成熟领先技术引入了网络的接入层。

Juniper SRX防火墙简明配置手册目录一、 JUNOS 操作系统介绍 (3)1.1层次化配置结构 (3)1.2 JunOS 配置管理 (4)1.3 SRX 主要配置内容 (4)二、 SRX 防火墙配置说明 (5)2.1初始安装 (5)2.1.1登陆 (5)2.1.2设置 root 用户口令 (9)2.1.3JSRP 初始化配置 (9)2.1.4设置远程登陆管理用户 (14)2.1.5远程管理 SRX相关配置 (15)2.1.6ZONE 及相关接口的配置 (15)2.2 Policy (16)2.3 NAT (17)2.3.1Interface based NAT (18)2.3.2Pool based Source NAT (18)2.3.3Pool base destination NAT (19)2.3.4Pool base Static NAT (20)2.4 IPSEC VPN (21)2.5 Application and ALG (22)三、 SRX 防火墙常规操作与维护 (22)3.1单机设备关机 (22)3.2单机设备重启 (23)3.3单机操作系统升级 (23)3.4双机模式下主备 SRX 关机 (23)3.5双机模式下主备设备重启 (24)3.6双机模式下操作系统升级 (24)3.7双机转发平面主备切换及切换后恢复 (25)3.8双机控制平面主备切换及切换后恢复 (25)3.9双机模式下更换备SRX (25)3.10双机模式下更换主SRX (26)3.11双机模式更换电源 (27)3.12双机模式更换故障板卡 (27)3.13配置备份及还原方法 (27)3.14密码修改方法 (28)3.15磁盘文件清理方法 (28)3.16密码恢复 (28)3.17常用监控维护命令 (29)四、 SRX 防火墙介绍 (31)Juniper SRX防火墙简明配置手册SRX系列防火墙是 Juniper 公司基于 JUNOS操作系统的安全系列产品，JUNOS集成了路由、交换、安全性和一系列丰富的网络服务。

The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Junos®Space Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each services gateway can support near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 1.2 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization.The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the gateway can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables realizationof maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection.The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Seriesis equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), unified threat management (UTM), and quality of service (QoS). In addition to the benefit of individual services, the SRX5000 line provides a low latency solution.Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.SRX5800The SRX5800 Services Gateway is the market-leading security solution supporting up to 1.2 Tbps firewall throughput and latency as low as 32 microseconds for stateful firewall. The SRX5800 also supports 1 Tbps IPS and 390 million concurrent sessions. Equipped with the full range of advanced security services, the SRX5800 is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.SRX5600The SRX5600 Services Gateway uses the same SPCs and IOCsas the SRX5800 and can support up to 570 IMIX Gbps firewall throughput, 460 million concurrent sessions, and 460 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregation of various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments. SRX5400The SRX5400 Services Gateway uses the same SPCs and IOCs as the SRX5800 and can support up to 285 Gbps IMIX firewall, 90 million concurrent sessions, and 230 Gbps IPS. The SRX5400 is a small footprint, high-performance gateway ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments. Service Processing Cards (SPC)As the “brains” behind the SRX5000 line, SPCs are designedto process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxedto the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Services Gateways.I/O Cards (IOCs)To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. Juniper offers the IOC2, a second-generation card with superior connectivity options. The IOC2 offers the industry’s first100GbE as well as 40GbE and high-density 10GbE and 1GbE connectivity options. These options reduce the need for link aggregation when connecting high throughput switches to the firewall, as well as enabling increased throughput in the firewall itself. The IOC2 is supported on all three platforms in theSRX5000 line of services gateways.The third generation of IOCs from Juniper, the IOC3, delivers the highest throughput levels yet, along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC2 or IOC3 operates with the Express Path optimization capability, delivering higher levels of throughput—up to an industry-leading 2 Tbps on the SRX5800. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800.Routing Engine (RE2) and Enhanced System Control Board (SCB3)The SRX5K-RE-1800X4 Routing Engine (RE2) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 1800 MHz. It delivers improved performance, scalability, and reliability with 16 GB DRAM and 128 GB solid-state drive (SSD). The SRX5K-SCB3 Enhanced System Control Board (SCB3) enables 240 Gbps per slot throughput with intra as well as interchassis high availability and redundancy.Features and BenefitsNetworking and SecurityThe Juniper Networks SRX5000 line of Services Gateways has been designed from the ground up to offer robust networking andsecurity services.*Requires Junos OS 15.1x49-D10 or greater.**Requires Junos OS 18.2R1-S1 or greater.IPS CapabilitiesJuniper Networks IPS capabilities offer several unique features that assure the highest level of network security.Content Security UTM CapabilitiesThe UTM services offered on the SRX5000 line of Services Gateways include industry-leading antivirus, antispam, content filtering,and additional content security services.Advanced Threat PreventionAdvanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper Sky ATP, a SaaS-based service, and the Juniper ATP Appliance, anon-premises solution.More information about Juniper Sky ATP can be found at /us/en/products-services/security/sky-advanced-threat-prevention/. Additional information about the Juniper ATP Appliance can be found at /us/en/products-services/ security/advanced-threat-prevention-appliance/.Centralized ManagementJuniper Networks Junos Space Security Director delivers scalable and responsive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage all phases of the security policy life cycle through a single web-based interface, accessible via standard browsers. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration. Security Director runs on the Junos Space Network Management Platform for highly extensible, network-wide management functionality, including ongoing access to Juniper and third-party Junos Space ecosystem innovations.Specifications1FirewallSRX5600Services GatewaySRX5800Services GatewaySRX5400Services Gateway Performance, capacity and features listed are based on systems running Junos OS 15.1x49 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments. Maximum concurrent sessions and new sessions/second improvements are a result of Junos 15.1X49-D30.* Session capacity differs based on UTM/AppSecure/IPS features enabled.Please consult the technical publication documents and release notes for a list of compatible ISSU features.T o enable dual control links on the SRX5000 line, two SRX5K-RE-1800X4 modules must be installed on each cluster member.SRX5000 line of gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX5000 line): - Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages- Section 7.5B Mobile Station (MS) info change messages- Section 7.3.12 Initiate secondary PDP context from GGSNShort term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year.WarrantyFor warranty information, please visit /support/warranty/.Juniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize yourhigh-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services .Ordering Information*These products require Junos OS 12.1X47-D15 or greater.**Requires Junos OS 15.1X49-D10 or greater.Corporate and Sales Headquarters Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or +Copyright 2018 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.APAC and EMEA Headquarters Juniper Networks International B.V.Boeing Avenue 2401119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: +31.0.207.125.700EXPLORE JUNIPERAbout Juniper NetworksJuniper Networks brings simplicity to networking with products, solutions and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable and secure networks to move at the speed of business.* I n 12.3X48-D10, the Services Offload feature was renamed Express Path and is included withoutrequiring a license for Junos OS X48 releases and beyond. With the X48 release, the Express Path feature is supported on all SRX5000 Services Gateways including the SRX5400. For versions prior to the X48 release, the Services Offload license is still required and supports only SRX5600 and SRX5800 products. Express Path is available on the SRX5400, SRX5600, and SRX5800 Services Gateways. No separate license required.。

Juniper防火墙Juniper防火墙是一种企业级网络安全设备，专门设计用于保护网络免受非法入侵、恶意软件和其他网络威胁的攻击。

本文将介绍Juniper防火墙的基本原理、功能和配置方法。

1. 简介Juniper防火墙是Juniper Networks公司生产的一系列网络安全设备，包括物理和虚拟防火墙产品。

它采用先进的技术和算法，为企业提供强大的安全防护能力。

Juniper防火墙具有高性能、高可靠性和高安全性的特点，被广泛应用于数据中心、企业网络和云环境中。

2. 基本原理Juniper防火墙基于过滤规则对网络流量进行检查和控制。

它通过检查IP包的源地址、目的地址、端口和协议等信息，决定是否允许该流量通过。

防火墙还可以进行深度包检查和应用层协议分析，以识别和阻止潜在的安全威胁。

3. 功能3.1 防火墙规则防火墙规则是决定哪些流量被允许通过防火墙的最重要的配置项之一。

管理员可以根据网络的安全需求和策略，定义各种规则，如允许或禁止特定IP地址、端口或协议的流量通过。

3.2 网络地址转换（NAT）Juniper防火墙支持网络地址转换（NAT），它允许在私有网络和公共网络之间建立映射关系。

NAT可以隐藏内部网络的真实IP地址，提高网络的安全性，并且允许多个内部主机共享一个公共IP地址。

3.3 虚拟专用网络（VPN）Juniper防火墙支持虚拟专用网络（VPN）技术，可以建立安全的远程连接并加密数据传输。

VPN可以用于远程办公、分支机构互联和对外合作等场景，保护数据在传输过程中的安全性和隐私性。

3.4 入侵检测与预防系统（IDS/IPS）Juniper防火墙集成了入侵检测与预防系统（IDS/IPS），可以实时监测网络流量，识别并阻止潜在的入侵行为。

IDS/IPS可以在网络层和应用层提供全面的安全保护，有效地减少安全威胁所带来的风险。

3.5 安全日志和报警Juniper防火墙可以生成详细的安全日志，并提供实时的报警机制。

【网络设备】--Juniper安全产品介绍X86架构产品介绍SSG系列：适用于从小型分支办事处到大型全球部署的各类应用，是阻止内部和外部攻击、防止未授权接入和实现法规遵从性的理想选择。

SSG 5（建议50人左右）- 对应新产品SRX 100SSG5 是一个专用、固定机型的安全平台，提供160 Mbps状态化防火墙流量和40 Mbps IPsec VPN吞吐量，适用于小型分支办事处、远程工作人员和企业部署。

SSG 20（建议50人左右）- 对应新产品SRX 210SSG20 是一个专用、模块化安全平台，提供160 Mbps状态化防火墙流量和40 Mbps IPsec VPN吞吐量，适用于小型分支办事处、远程工作人员和企业部署。

SSG 140（建议100人左右）-对应新产品SRX 240SSG140是一个专用、模块化安全平台，提供超过350 Mbps的防火墙流量和100 Mbps IPsec VPN，适用于中型分支办事处、地区办事处和企业。

SSG 320M（建议150人左右）-SSG320M是一个专用、模块化安全平台，提供超过450 Mbps的防火墙流量和175 Mbps IPsec VPN ，适用于大中型分支办事处、地区办事处和企业。

SSG 350M（建议200人左右）SSG350M 是一个专用、模块化安全平台，提供超过550 Mbps的防火墙流量和225 Mbps IPsec VPN ，适用于大中型分支办事处、地区办事处和企业。

SSG 520M（建议300人左右）- 对应新产品SRX 550SSG520M 是一个专用、模块化安全平台，提供超过650 Mbps的防火墙流量和300 Mbps IPsec VPN，适用于大型分支办事处、地区办事处和企业。

SSG 550M（建议500人左右）- 对应新产品SRX 650SSG550M 是一个专用、模块化安全平台，提供超过1 Gbps的防火墙流量和500 Mbps IPsec VPN，适用于大型分支办事处、地区办事处和企业。

产品简介产品概述在当今复杂的网络环境中，如果管理解决方案不敏捷、不直观，或者在粒度水平、控制和可视性方面不足，就可能使网络安全管理变得极其耗时，而且容易出错。

Junos Space Security Director提供一个直观、集中管理的Web界面，它能够针对新兴和传统的风险向量，对所有的物理、逻辑和虚拟防火墙(瞻博网络SRX系列业务网关和vSRX)实施安全策略管理。

产品说明瞻博网络Junos Space Security Director运行在创新、直观和智能化的Junos Space 网络管理平台上，该应用提供详细的应用性能可视性，降低了相关风险，使用户不仅“知道”某个组件出现了故障，还能快速“采取措施”修复故障。

Security Director为整个网络在扩展性、细粒度策略控制和策略广度方面提供全面支持，通过一个集中管理的Web界面，能够帮助管理人员在安全策略生命周期的各个阶段，快速地对状态防火墙、统一威胁管理(UTM)、入侵防御、应用防火墙(AppFW)、VPN和网络地址转换(NAT)进行管理。

通过提供操作智能、自动化管理、高效的安全策略、直观的工作流，以及一种强大的应用和平台架构，Security Director能够降低管理成本和减少出错，使用户能够检测到正在发生的威胁，并实时采取补救措施。

Security Director的仪表板提供一些可自定义、信息丰富的窗口小部件，直观地显示安全设备的状态一览。

利用一个托盘工具，你可以在防火墙、威胁、入侵防御系统(IPS)、应用、吞吐率和设备的相关信息之间轻松导航，它们可以用来为瞻博网络SRX系列业务网关防火墙环境创建一个可自定义视图。

通过这个仪表板，你可以快速确定哪些SRX系列设备的报警次数最多，或者在某个具体的时间段内哪些消耗的CPU周期或RAM最多。

一个Threat Map(威胁地图)窗口小部件将显示在每个地理位置已检测到的IPS事件数量，为你提供业内领先的信息收集和补救功能。

SRX Series configuration Guide (中文)更新了（红色）PPPOE、IPSec VPN、ECMP（Junos目前有点问题）、总结。

LtmV2.02011.6一、概述： (4)二、JUNIPER SRX Base (5)三、Interface (8)四、Authentication (10)Source NAT (11)Static NAT(MIP) (11)Virtual IP (12)Destination NAT (13)五、Security (14)Zone (14)地址簿 (14)服务簿 (15)时间 (16)策略 (16)六、VPN (16)IPSEC VPN (16)Dynamic VPN (21)七、Wireless LAN (21)八、Switching (21)九、Routing (22)Class of Service (24)十一、System Properties (24)十二、Chassis Cluster (24)十三、Service (24)十四、Wizards (25)十五、CLI Tools (25)十六、Monitor (25)十七、Syslog (25)十八、Show命令 (25)十九、命令行结构 (31)概述：JUNOS™软件是帮助瞻博网络在高性能联网领域获得领先地位的值得信赖的网络操作系统。

瞻博网络严格遵守单一源网络操作系统的开发原则，积极驱动JUNOS软件创新，将路由、交换、安全性和其他服务集成在一起。

提供全面的产品将企业分支和地区办事处、中央站点和数据中心、以及城域网和电信运营商网络的核心与边缘连接在一起。

JUNOS软件独特的构建方式使其作为网络操作系统得以从市场中脱颖而出-采用单一模块化架构的单一操作系统，逐版本实现增强。

电信运营商、企业和公共机构都可通过部署JUNOS软件获得以下三项主要优势：<UL><LI>持续运行的系统：通过高性能的软件设计、高可用性特性、防止人为错误的功能和主动的运行保护措施来提高网络可用性以及应用和服务的交付能力。

Data Sheet攻击缓解：入侵防御系统瞻博网络的入侵防御系统 (IPS) 已与瞻博网络的 NGFW 紧密集成，可减少威胁并防范各种攻击和漏洞。

与瞻博网络 Sky™ Advanced Threat Prevention (Sky ATP) 结合后，IPS 可对已知和未知的威胁提供全面的防御，在零日攻击袭击网络之前就开始防范。

该解决方案会持续监控对新近发现漏洞的新攻击，不断更新对新网络攻击方法的网络防护。

经由网络，针对客户端和服务器系统上的漏洞发起的攻击在造成任何损坏之前就会被阻止。

未知恶意软件：瞻博网络 Sky ATP瞻博网络 Sky ATP 是基于云的服务，可以提供全面的高级恶意软件防护。

通过与 SRX 系列防火墙集成，瞻博网络 Sky ATP 可提供动态反恶意软件解决方案来适应不断变化的威胁环境。

该解决方案提供基于云的服务来通过强大的机器学习算法动态分析 Web 和电子邮件文件，从而迅速识别新的、未知的恶意软件。

一旦得出结论，相关决策就会发送至 SRX 系列 NGFW，以供实施。

瞻博网络 Sky ATP 支持所有主流文件类型，包括Microsoft（.docx、.xls和 .ppt）、pdf 和 Android 应用程序 (APK)。

阻止已知威胁：反恶意软件保护来自多种攻击途径的恶意活动在持续激增，这种情况下，企业外围就成为了阻拦威胁进入网络的第一道防线。

反恶意软件保护将基于云的声誉情报与 SRX 系列 NGFW 的本机处理相结合，提供轻便快捷的安全保护。

其成果则是能够抵御众多已知威胁的高效外围防御，而且不会降低用户或业务的速度。

浏览防御：恶意 URL 过滤钓鱼攻击是一种流行的攻击方法，通常会导致企业内部出现严重漏洞。

毫无戒备的用户单击恶意 URL 后，就会安装利用漏洞的根程序病毒包，而此病毒包作为高级持续攻击的前导，为有价值的企业数据遭窃取创造了条件。

攻击者通常会破坏热门网站，引诱用户无意中提供其用户密码。