Restricting the source addresses allowed to reach the management interface on a JUNIPER SRX firewall

On the JUNIPER SRX series firewalls, I could never find a place in the web interface where access to the management interface could easily be restricted.

After searching on GOOGLE, I found a post from another user with detailed step-by-step instructions; following that configuration solved the problem.

First, log in over ssh.
% cli       # enter the Junos CLI (operational mode)
> config    # short for configure; or use edit. Enters configuration mode
Now the configuration can begin. For security reasons we disable http and telnet and leave only ssh and https enabled:

delete system services web-management http
delete system services telnet
set system services ssh
set system services web-management https interface ae0.0
Next, configure the system services that the zone accepts as host-inbound traffic (I think that's how it translates XD):
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
Next, add the IP addresses that are allowed access:
set policy-options prefix-list management-hosts 123.123.123.123/32
Next, add a firewall filter so that only the allowed IPs can reach ssh and https. This is done for both IPv4 and IPv6:
set firewall family inet filter filter-management term block_unauthorised from source-address 0.0.0.0/0
set firewall family inet filter filter-management term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet filter filter-management term block_unauthorised from protocol tcp destination-port [ssh https]
set firewall family inet filter filter-management term block_unauthorised then discard
set firewall family inet filter filter-management term accept_default then accept

set firewall family inet6 filter filter-management6 term block_unauthorised from source-address ::/0
set firewall family inet6 filter filter-management6 term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet6 filter filter-management6 term block_unauthorised from destination-port [ssh https]
set firewall family inet6 filter filter-management6 term block_unauthorised then discard
set firewall family inet6 filter filter-management6 term accept_default then accept
Next, apply the filters to the loopback interface:
set interfaces lo0 unit 0 family inet filter input filter-management
set interfaces lo0 unit 0 family inet6 filter input filter-management6
Finally, don't forget to commit. Done!
commit
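The filter above is easy to get subtly wrong, because term block_unauthorised only fires when all of its conditions match at once (any source, source NOT in the prefix-list thanks to "except", TCP to ssh or https), and everything else falls through to accept_default. The following Python model is an added example, not Junos code and not part of the original post: it evaluates constructed sample packets against the same two-term logic so you can check which term would fire for a given source address before committing. It assumes an IPv6 management host 2001:db8::10 (the post only lists an IPv4 host) and applies the IPv4 conditions to both address families (the post's inet6 term does not restrict to next-header tcp).

```python
"""Model of the SRX management filter from this post (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample prefix-list: the post's IPv4 host plus an ASSUMED IPv6
# management host (2001:db8::10 is documentation address space).
MANAGEMENT_HOSTS = ["123.123.123.123/32", "2001:db8::10/128"]

# Junos resolves the names in "destination-port [ssh https]" to these ports.
MGMT_PORTS = {"ssh": 22, "https": 443}


@dataclass
class Packet:
    src: str                      # source address, IPv4 or IPv6
    proto: str                    # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


def in_prefix_list(src: str, prefixes: List[str]) -> bool:
    """True if src falls inside any prefix of the same address family."""
    addr = ipaddress.ip_address(src)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if net.version == addr.version and addr in net:
            return True
    return False


def filter_management(pkt: Packet, prefixes: List[str] = MANAGEMENT_HOSTS) -> str:
    """Evaluate the post's two-term filter and return the name of the term that fired.

    Term block_unauthorised matches only when every condition holds:
      source-address 0.0.0.0/0 or ::/0           -> any source
      source-prefix-list management-hosts except -> source is NOT a management host
      protocol tcp, destination-port [ssh https] -> TCP to port 22 or 443
    and then discards. Anything not matched falls through to accept_default.
    Simplification: the IPv4 conditions are applied to both address families.
    """
    to_mgmt_port = pkt.proto == "tcp" and pkt.dst_port in MGMT_PORTS.values()
    if to_mgmt_port and not in_prefix_list(pkt.src, prefixes):
        return "block_unauthorised"   # then discard
    return "accept_default"           # then accept


def render_prefix_list(hosts: List[str], name: str = "management-hosts") -> List[str]:
    """Produce 'set policy-options prefix-list' lines in the form the post uses,
    one per management host; the prefix-list may hold both v4 and v6 entries."""
    return [f"set policy-options prefix-list {name} {ipaddress.ip_network(h)}" for h in hosts]


if __name__ == "__main__":
    # Constructed sample packets: a management host, a stranger, and non-management traffic.
    samples = [
        Packet("123.123.123.123", "tcp", 22),   # allowed host -> accept_default
        Packet("198.51.100.7", "tcp", 22),      # stranger to ssh -> block_unauthorised
        Packet("198.51.100.7", "tcp", 443),     # stranger to https -> block_unauthorised
        Packet("198.51.100.7", "tcp", 179),     # stranger to BGP -> accept_default (not ssh/https)
        Packet("198.51.100.7", "icmp"),         # ping -> accept_default
        Packet("2001:db8::10", "tcp", 443),     # assumed v6 management host -> accept_default
        Packet("2001:db8::99", "tcp", 22),      # other v6 source -> block_unauthorised
    ]
    for pkt in samples:
        print(f"{pkt.src:>18} {pkt.proto:<5} {str(pkt.dst_port):>5} -> {filter_management(pkt)}")
    print("\n".join(render_prefix_list(MANAGEMENT_HOSTS)))
```

Because the filter is applied to lo0 input, a wrong prefix-list entry locks you out of ssh and https on the device itself, which is exactly the case the model lets you check in advance (the discard only ever hits ssh/https, so routing protocols and ping stay reachable). On the real device, Junos's commit confirmed is the usual safety net for this kind of change.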


Reference:

Securely enable outside management on SRX
