編號密級廣東移動揭陽分公司OA核心防火墻設備替換方案V1.0文檔修訂記錄文檔編號：工程名稱廣東移動揭陽分公司OA核心防火墻設備替換文件名稱廣東移動揭陽分公司OA核心防火墻設備替換方案文檔描述Juniper防火墻設備替換方案當前版本1.0創立日期2010文檔作者文檔所屬部門修改記錄日期修改人審閱人摘要V1.020吳文軒文檔書寫目錄第一章文檔概述41.1文檔目的41.2產品概述41.3產品說明41.4產品優勢5設備性能6硬件架構6軟件架構6軟件功能7第二章網絡拓撲82.1現有網絡拓撲82.2改造網絡拓撲82.3網絡流量9現有拓撲流量9替換后網絡流量10第三章網絡實施113.1配置信息11設備硬件113.2配置信息12設備硬件12設備軟件12接口配置12地址分配13路由配置13策略配置14HA設置143.2.8UAC配置153.3割接準備15機架空位15網絡線纜16電源功率163.4割接步驟163.5回退方案17第四章配置匯總17文檔概述文檔目的本方案依據廣東移動揭陽分公司現有核心防火墻的現狀，對現有防火墻進行設備的替換有JuniperISG系列防火墻替換為SRX系列防火墻，其目的是提高核心防火墻對整網的處理性能，并解決現有網絡中存在的一些性能瓶頸。方案明確SRX設備的整體優勢、現網所需配置及整個網絡割接的細節步驟，保證廣東移動揭陽分公司防火墻設備替換工程的順利實施。產品概述瞻博網絡SRX3000系列業務網關是下一代解決方案，用于同時滿足大型企業和電信運營商不斷增長的網絡根底架構和應用平安性需求。SRX3000系列業務網關從一開始便設計用于提供靈活的處理可擴展性、I/O可擴展性和高級集成能力，在數據中心大規模整合、快速托管效勞部署及平安解決方案融合等領域，能夠滿足網絡和平安要求。SRX3000以瞻博網絡Junos軟件為構建根底，將瞻博網絡豐富的路由功能、電信運營商級高可靠性與ScreenOS網絡的卓越平安性結合在一起，支持高級特性/效勞集成，能夠保護現代化網絡根底架構和應用的平安。產品說明瞻博網絡(JuniperNetworks?)SRX3400業務網關和瞻博網絡SRX3600業務網關是下一代業務網關，在中型機箱中提供了市場領先的可擴展性和效勞集成能力。這些產品是大中型企業、公共部門和電信運營商網絡的理想選擇，包括：大型企業的效勞器庫/數據中心部門或獨立平安解決方案的會聚環境云和托管供給商數據中心托管效勞部署SRX3000產品系列基于創新的“中置背板〞(mid-plane)設計和瞻博網絡的動態效勞架構，為大型企業和電信運營商環境提供最高性價比。在添加效勞處理卡(SPC)的情況下，每種業務網關都支持近線性的可擴展性，SRX3600最多可支持30Gbps的防火墻吞吐量。SPC設計用于支持廣泛的效勞，能夠支持將來的新功能，無需安裝效勞特定的硬件。通過將SPC應用于所有效勞，將能夠確保運行環境中的特定效勞領域不會存在閑置資源——最大限度地提高硬件利用率。SRX3000產品系列采用模塊化架構，提供市場領先的靈活性和性價比。這個網關基于瞻博網絡的動態效勞架構，支持靈活地配置I/O卡(IOC)、網絡處理卡(NPC)和效勞處理卡(SPC)——使用戶能夠通過配置系統在性能和端口密度之間實現理想均衡，并能夠基于特定的網絡要求對瞻博網絡SRX業務網關進行定制部署。這種靈活性支持您將SRX3600配置為支持超過100Gbps的接口(可以是千兆以太網和萬兆以太網端口的任意組合)；提供從10到30Gbps的網絡處理性能；并且提供適當的效勞處理來滿足特定的業務需求。業務網關中部署了交換矩陣，支持SPC、NPC和IOC擴展功能。這個交換矩陣最多支持320Gbps的數據傳輸速度，在任何特定的配置中，都能提供最大處理能力和I/O能力的最合理的組合。這個級別的可擴展性和靈活性支持用戶在不中斷業務運行的情況下擴展并增長網絡根底架構能力，不受平安解決方案的束縛。SRX3000產品系列的靈活性不僅限于動態效勞架構的創新成果和公認優勢。SRX3000產品系列采用“中置背板〞(midplane)設計，用戶可以同時在前后端安裝SPC，從而獲得市場領先的靈活性和可擴展性。SRX3000產品系列在一半的機柜空間中支持兩倍的SPC，不僅提供根本的架構創新，而且還采用創新的物理設計。SRX系列業務網關通過瞻博網絡Junos?軟件支持特性集成。通過將Junos軟件的路由特性與ScreenOS?軟件的平安優勢結合在一起，SRX系列業務網關提供了一組強大的功能，包括防火墻、IPsecVPN、入侵防御系統(IPS)、拒絕效勞攻擊(DoS)防御、網絡地址轉換(NAT)和效勞質量(QoS)保證等。除此之外，將全部功能結合在單一OS框架中，還大幅度優化了流量在業務網關中的處理流程。安裝Junos軟件使SRX系列產品與瞻博網絡電信運營商級路由器和交換機一樣，獲得了單源OS、一致的版本演進和一致性架構的優勢產品優勢新一代的SRX防火墻采用與ScreenOS不同的硬件架構及軟件架構，SRX系列防火墻更適合運行在高穩定性及高性能要求的網絡環境中。設備性能SRX3400業務網關與SRX3600使用相同的SPC、IOC和NPC，最多支持20Gbps的防火墻吞吐量、6Gbps的防火墻和IPS吞吐量，或者6Gbps的IPsecVPN吞吐量以及每秒最多17.5萬條新建連接，描述如下表：參數型號SRX3600SRX3400ISG2000ISG1000吞吐量10/20/30Gbps10/20Gbps4Gbps2Gbps同時新建會話175,000175,00023,00020,000同時在線會話2,250,0002,250,0001,000,0005,00,0003DES性能10Gbps6Gbps2Gbps1Gbps硬件架構電信級機箱設計&高密度槽位高密度槽位和性能擴展Ichip&StingerfabricASICDPC板卡的技術和NP芯片轉發與控制別離〔路由引擎、SPC、NPC由獨立硬件處理，并可按需配置〕交換矩陣，徹底擺脫現有防火墻通過總線進行內部數據交換的現狀，提供高性能的交換矩陣，真正無阻塞交換〔SRX3000系列采用SF16矩陣〕接口數量總數多軟件架構模塊化軟件系統，新功能部署運行穩定，電信級互聯網操作系統已被證明新功能整合能力如(EX交換、MX以太網會聚PE等)電信級路由操作系統JUNOS和平安操作系統ScreenOS的完美融合來自JUNOS的MPLS/NSF/NSR等高級功能來自JUNOS的層次化CLI配置風格來自ScreenOS的平安特性:平安域/NAT/IPsecVPN/Screen/深度檢測/UTMCommit/JUNOSScripts等高級管理特性軟件功能JUNOS的優勢路由〔1,000,000條OSPF/BGP條目〕QoS配置回退完整的IDP功能〔獨立硬件處理，多核處理器中獨立的core〕基于硬件的DoS攻擊防護功能〔Screen功能〕基于策略的流量統計、基于策略的新建會話統計等網絡拓撲現有網絡拓撲揭陽現有網絡拓撲如下，ISG1000防火墻采用主/備的方式與核心交換機相連。改造網絡拓撲改造后網絡拓撲根本不變，ISG1000更換為SRX3000系列防火墻，防火墻采用主備模式，防火墻采用兩個接口與交換機互聯。網絡流量現有拓撲流量現有網絡拓撲采用單線連接防火墻與交換機，用戶接入VLAN及上聯MDCNVLAN之間的流量通過1G電口線纜傳輸，容易造成線路的流量瓶頸。流量圖如下列圖：替換后網絡流量替換后防火墻采用用戶VLAN之間流量及用戶到MDCN大網流量物理接口別離的方法實現，改變現有的單線1G線纜到兩條1G光纖線纜的模式，提高了網絡的帶寬，減少鏈路帶寬的瓶頸。用戶VLAN間流量用戶VLAN間流量承載在獨立的物理接口上。網絡實施配置信息設備硬件型號描術數量SRX3400-ASRX3400Chassis,Midplane,Fan,RE,SFB-12GE,ACPEM-nopowercord-1SPC-noNPC1SRX3K-NPCNPC板卡，插到FPC71SRX3K-SPC-1-10-40SPC板卡，插到FPC51SFP-1GE-SX1G光模塊，插到SFB-12GEControl01SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/91SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/101SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/111SRX3K-PWR-AC電源1CBL-PWR-C19S-162-CH16A電源線2SRX3400-BSRX3400Chassis,Midplane,Fan,RE,SFB-12GE,ACPEM-nopowercord-1SPC-noNPC1SRX3K-NPCNPC板卡，插到FPC71SRX3K-SPC-1-10-40SPC板卡，插到FPC51SFP-1GE-SX1G光模塊，插到SFB-12GEControl01SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/91SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/101SFP-1GE-SX1G光模塊，插到SFB-12GEGe-0/0/111SRX3K-PWR-AC電源1CBL-PWR-C19S-162-CH16A電源線2配置信息設備硬件型號描述數量SRX3400-AJY-SRX3400-A1SRX3400-BJY-SRX3400-B1設備軟件設備名稱設備型號軟件版本軟件名稱SRX3000SRX10.2R2.11junos-srx3000-10.2R2.11-domestic.tgzIC4000IC40004.0R2接口配置本端設備接口對端設備接口線纜類型SRX3000-1ge-0/0/10核心交換機光纖LC-LCcontrol0SRX3000-2control0光纖LC-LCge-0/0/11ge-8/0/11光纖LC-LCSRX3000-2ge-8/0/10核心交換機光纖LC-LCcontrol0SRX3000-1control0光纖LC-LCge-8/0/11ge-0/0/11光纖LC-LC地址分配本端設備接口IP地址備注SRX3000-1ge-0/0/10.2ge-0/0/10.11ge-0/0/10.12ge-0/0/10.13ge-0/0/10.14ge-0/0/10.1510.2ge-0/0/10.16ge-0/0/10.17ge-0/0/10.18ge-0/0/10.19ge-0/0/10.21ge-0/0/10.22ge-0/0/10.23ge-0/0/10.24ge-0/0/10.25ge-0/0/10.26ge-0/0/10.27ge-0/0/10.29ge-0/0/10.103ge-0/0/10.105ge-0/0/10.20510.ge-0/0/10.500SRX3000-2與主用防火墻相同路由配置路由配置防火墻采用動態路由協議OSPF，詳細情況如下表：防火墻AreaIDInterfaceModeCost值SRX3000-1.21reth0.2passive1reth0.11passive1reth0.12passive1reth0.13passive1reth0.14passive1reth0.15passive1reth0.16passive1reth0.17passive1reth0.18passive1reth0.19passive1reth0.21passive1reth0.22passive1reth0.23passive1reth0.24passive1reth0.25passive1reth0.26passive1reth0.27passive1reth0.29passive1reth0.1031reth0.1051reth0.2051reth0.5001防火墻采用靜態路由協議，詳細情況如下表：目標地址下一跳策略配置策略按照原有ISG1000防火墻策略書寫，并根據SRX防火墻平臺的特定對策略做局部修改，如命名長度、命名語言〔中文更改為字母〕、調整策略LOG選項等，不修改策略的權限控制。HA設置SRX防火墻HA采用JSRP的方式部署，采用Redundany組織接口，并使用專用的Control接口傳輸控制信息，并定義Data接口傳輸RTO信息等。Cluster設置功能區域ClusterID外網接入區1RedundantGroup設置冗余組組IDNODE優先級接口組成RG1RETH0Node0200ge-0/0/10Node150ge-8/0/10監控設置MonitorInterfaceInterfacege-0/0/10ge-8/0/10UAC配置防火墻局部命名IP端口接口密碼超時動作IC400011123Reth0.2jySRX!@#no-changeIC局部namePlatformpasswordserialnumberSRX3000JunOSjySRX!@#配置如下列圖：割接準備機架空位型號大小備注SRX3400WxHxD(44.5x13.3x64.8cm)3USRX3600WxHxD(44.5x22.2x64.8cm)5U網絡線纜類型數量長度備注光纖1根據設備位置確認互連線長度SRX設備互連〔Control〕光纖1根據設備位置確認互連線長度SRX設備互連〔DATA〕光纖2根據設備位置確認互連線長度SRX與交換機互連電源功率型號功率備注SRX34001,200W(ACpower)1,020W(DCpower)需16SRX36001,800W(ACpower)1,800W(DCpower)需16割接步驟2010/10步驟一：配置備份備份相關網絡設備配置，如交換機、ISG1000防火墻、IC4000設備、SSG520。步驟二：斷開ISG2000與6509互聯的端口步驟三：接上SRX3400與6509互聯的端口步驟3：網絡測試檢查內容命令結果備注網絡連通性pi內網主機進行Ping測試IC聯動檢查檢查防火墻及IC聯隊情況showservicesunified-access-controlstatusIC認證測試登陸IE瀏覽器并驗證認證信息檢查IC聯動及用戶認證IC認證客戶端使用客戶端測試測試客戶認證及HostCheck功能是否正常切換測試拔除防火墻監控接口線纜測試防火墻切換，并檢查會話及認證用戶信息。showsecurityflowsessionshowservicesunified-access-controlauthentication-table步驟五：測試與省公司SNPM采集的信息，測試省公司的syslog能否采集信息?！?010-10回退方案回退方案無需更改交換機配置，步驟為：步驟一：斷開SRX與6509互聯的接口步驟二：接上ISG2000與6509互聯的接口步驟三：將網關切換至原防火墻上配置匯總//Node0(主用防火墻)啟用Chassis功能，并啟用ge-0/0/11為Fabric接口setchassisclustercluster-id1node0rebootsetinterfacefab0fabric-optionsmember-interfacesge-0/0/11//Node1(備用防火墻)啟用Chassis功能，并啟用ge-8/0/6為Fabric〔data〕接口setchassisclustercluster-id1node1rebootsetinterfacefab0fabric-optionsmember-interfacesge-8/0/11//配置Cluster鏈路自動恢復功能setchassisclustercontrol-link-recovery//配置Chassis冗余組，setchassisclusterreth-count2//配置冗余組優先級，數值大的優先級高，并設置JSRP監控接口。setchassisclusterredundancy-group0node1priority50setchassisclusterredundancy-group0node0priority200setchassisclusterredundancy-group1node1priority50setchassisclusterredundancy-group1node0priority200setchassisclusterredundancy-group1interface-monitorge-0/0/10weight255setchassisclusterredundancy-group1interface-monitorge-8/0/10weight255//設備HostName設置及管理接口配置IP配置。setgroupsnode0systemhost-nameJY-SRX3400-Asetgroupsnode0systembackup-routersetgroupsnode0systembackup-routerdestination.0/0.1/24setgroupsnode1systemhost-nameJY-SRX3400-Bsetgroupsnode1systembackup-routersetgroupsnode1systembackup-routerdestination.0/0setapply-groupsnode0setapply-groupsnode1//設置系統時區setsystemtime-zoneAsia/Shanghai//系統啟用SSH、Telnet、FTP、管理setsystemservicessshsetsystemservicestelnetsetsystemservicesftp//綁定冗余接口setinterfacesge-0/0/10gigether-optionsredundant-parentreth0setinterfacesge-8/0/10gigether-optionsredundant-parentreth0setinterfacesreth0redundant-ether-optionsredundancy-group1//Reth0啟用VlanTAG，并分配相關接口Vlan-ID及IP地址。setinterfacesreth0unit2vlan-id2familyinetaddress10.setinterfacesreth0unit205vlan-id205familyinetaddre//配置DHCP-Relay功能，并在相應接口啟用DHCP-Relaysetforwarding-optionshelpersbootprelay-agent-optionsetforwarding-optionshelpersbootpserversetforwarding-optionshelpersbootpinterfacereth0.12serversetforwarding-optionshelpersbootpinterfacereth0.22server//設置SNMP網管配置。setsnmpnameJY_SRX3400-Asetsnmpcommunityzjpublicauthorizationread-only//配置動態OSPF路由setpolicy-optionspolicy-statementStatic-to-Ospfterm1fromprotocolstaticsetpolicy-optionspolicy-statementStatic-to-Ospfterm1thenacceptsetprotocolsospfexportStatic-to-Ospfsetprotocolsospfare.21interfacereth0.2metric1setprotocolsospfare.21interfacereth0.2authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.2passivesetprotocolsospfare.21interfacereth0.11passivesetprotocolsospfare.21interfacereth0.11metric1setprotocolsospfare.21interfacereth0.11authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.12passivesetprotocolsospfare.21interfacereth0.12metric1setprotocolsospfare.21interfacereth0.12authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.13passivesetprotocolsospfare.21interfacereth0.13metric1setprotocolsospfare.21interfacereth0.13authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.14passivesetprotocolsospfare.21interfacereth0.14metric1setprotocolsospfare.21interfacereth0.14authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.15passivesetprotocolsospfare.21interfacereth0.15metric1setprotocolsospfare.21interfacereth0.15authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.16passivesetprotocolsospfare.21interfacereth0.16metric1setprotocolsospfare.21interfacereth0.16authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.17passivesetprotocolsospfare.21interfacereth0.17metric1setprotocolsospfare.21interfacereth0.17authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.18passivesetprotocolsospfare.21interfacereth0.18metric1setprotocolsospfare.21interfacereth0.18authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.19passivesetprotocolsospfare.21interfacereth0.19metric1setprotocolsospfare.21interfacereth0.19authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.21passivesetprotocolsospfare.21interfacereth0.21metric1setprotocolsospfare.21interfacereth0.21authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.22passivesetprotocolsospfare.21interfacereth0.22metric1setprotocolsospfare.21interfacereth0.22authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.23passivesetprotocolsospfare.21interfacereth0.23metric1setprotocolsospfare.21interfacereth0.23authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.24passivesetprotocolsospfare.21interfacereth0.24metric1setprotocolsospfare.21interfacereth0.24authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.25passivesetprotocolsospfare.21interfacereth0.25metric1setprotocolsospfare.21interfacereth0.25authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.26passivesetprotocolsospfare.21interfacereth0.26metric1setprotocolsospfare.21interfacereth0.26authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.27passivesetprotocolsospfare.21interfacereth0.27metric1setprotocolsospfare.21interfacereth0.27authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.29passivesetprotocolsospfare.21interfacereth0.29metric1setprotocolsospfare.21interfacereth0.29authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.103metric1setprotocolsospfare.21interfacereth0.103authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.105metric1setprotocolsospfare.21interfacereth0.105authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.205metric1setprotocolsospfare.21interfacereth0.205authenticationmd51keyJYgmccsetprotocolsospfare.21interfacereth0.500metric1setprotocolsospfare.21interfacereth0.500authenticationmd51keyJYgmcc//配置靜態路由setrouting-optionsstaticrout//配置syslog日志效勞器setsecuritylogmodestreamsetsecuritylogformatsd-syslogsetsecuritylogsource-address10.24setsecuritylogstreamsyslogseveritywarningsetsecuritylogstreamsyslogformatsyslogsetsecuritylogstreamsyslogcategoryall//定義地址簿及地址組配置setsecurityzonessecurity-zoneTrustaddresssetsecurityzonessecurity-zoneTrustaddress-bookaddressAll_Trust.0/8-5Fsetsecurityzonessecurity-zoneTrustaddress-bookaddress-setAll_Trust_ZONEaddressAll_Trustsetsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD-ORACAL-3setsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD_ORACAL_1setsecurityzonessecurity-zoneTrustaddress-bookaddress-setGD_ORACALaddressGD_ORACAL_2setsecurityzonessecurity-zoneDMZaddress-bookaddress-setDMZ_ORACAL_GROUP_1addressDKH_ORACAL_65setsecurityzonessecurity-zoneDMZaddress-bookaddress-setDMZ_ORACAL_GROUP_1addressJJFWZC_ORACAL_69-5Fsetsecurityzonessecurity-zoneDMZinterfacesreth0.2host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneDMZinterfacesreth0.2host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.11host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.12host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.13host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.14host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.15host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.16host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.17host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.18host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.19host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.21host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.22host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.23host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.24host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneDMZinterfacesreth0.25host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.26host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.27host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneLouCeng_ZONEinterfacesreth0.29host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneBOSS_ZONEinterfacesreth0.103host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.105host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zoneTrustinterfacesreth0.205host-inbound-trafficsystem-servicesbootpsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicestelnetsetsecurityzonessecurity-zonexianggongsi_testinterfacesreth0.500host-inbound-trafficsystem-servicesbootp//設置防火墻策略setsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294matchsource-addressAll_BOSS_ZONEuWuQisetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294matchapplicationjunos-setsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneTrustpolicyid_294thenpermitsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293matchapplicationjunos-setsecuritypoliciesfrom-zonexianggongsi_testto-zoneTrustpolicyid_293thenpermitsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292matchapplicationjunos-setsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_292thenpermitsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_279matchapplicationanysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneTrustpolicyid_279thenpermitsetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276matchsource-addressAll_Trust_ZONEsetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276matchapplicationanysetsecuritypoliciesfrom-zoneTrustto-zoneDMZpolicyid_276thenpermitsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zonexianggongsi_testto-zoneBOSS_ZONEpolicyid_275thendenysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274thendenydeactivatesecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneBOSS_ZONEpolicyid_274setsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchsource-addressAudit_Server_Groupsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_272thenpermitsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchsource-addressAll_DMZ_ZONEsetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneDMZto-zoneBOSS_ZONEpolicyid_273thendenysetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchsource-addressAll_Trust_ZONEsetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchdestination-addressBOSS_Audited_Serversetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneTrustto-zoneBOSS_ZONEpolicyid_271thendenysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchsource-addressDeny-Clent-OA-xgs-tiyanjisetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchdestination-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311matchapplicationanysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_311thendenysetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchsource-addressAll_XianGongSi_ZONEsetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zonexianggongsi_testto-zoneLouCeng_ZONEpolicyid_270thendenysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchsource-addressDeny-Clent-BOSS-tiyanjisetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchdestination-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297matchapplicationanysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_297thendenysetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchsource-addressAll_BOSS_ZONEsetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneBOSS_ZONEto-zoneLouCeng_ZONEpolicyid_269thendenysetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchsource-addressAll_LouCeng_ZONEsetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchdestination-addressMDCN_Audited_Serversetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268matchapplicationYuanChengZhuoMiansetsecuritypoliciesfrom-zoneLouCeng_ZONEto-zoneLouCeng_ZONEpolicyid_268thendenysetsecuritypoliciesfrom-zoneDMZto-zoneLouCeng_ZONEpolicyid_267matchsource-addressAudit_Server_Groupsetsecuritypoliciesfrom-z