# 1. Modes

On a brand-new firewall the console looks like this:

```
Amnesiac (ttyd0)

login: root

--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
root@%
```

You land in the underlying system. The default username is `root` and the password is empty. The `root@%` prompt is the shell of the operating system that hosts Junos.

```
root@% cli
root>
```

This is the Junos CLI itself. This mode is called operational mode; its main commands are `show`, `clear` and `monitor`.

```
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.138.131/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.2.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.3.1/24
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     192.168.4.1/24
```

```
root> configure
Entering configuration mode

[edit]
root#
```

This is configuration mode. A simple way to think about it: operational mode is for looking at things, configuration mode is for changing things. The flow is shell ---> operational mode ---> configuration mode, and `exit` steps back out one level at a time.

The following commands show progressively more detail:

```
root> show interfaces terse
root> show interfaces brief
root> show interfaces detail
root> show interfaces extensive
```

Output can be filtered with the pipe and `match`:

```
root> show interfaces detail | match ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Logical interface ge-0/0/0.0 (Index 69) (SNMP ifIndex 508) (Generation 134)
```

`help` gives reference documentation:

```
root> help reference security policy-security
```

It can also list the commands related to a keyword:

```
root> help apropos arp
```

Now the first configuration task: assigning an IP address to an interface.

```
root# set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
```

This works but is not the recommended way. The following approach is preferred:

```
root# edit interfaces
[edit interfaces]
root# show
ge-0/0/0 {
    unit 0;
}
[edit interfaces]
root# edit ge-0/0/0
[edit interfaces ge-0/0/0]
root# show
unit 0;
root# edit unit 0
[edit interfaces ge-0/0/0 unit 0]
root# edit family inet
[edit interfaces ge-0/0/0 unit 0 family inet]
root# set address 1.1.1.1/24
root# show
address 1.1.1.1/24;
```

`show` displays the configuration at the current hierarchy level. Once inside a level, `up` moves one level up and `exit` leaves edit mode.

```
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     1.1.1.1/24
```

Note that on a Juniper firewall an IP address cannot be configured directly on the physical interface; it can only be configured on a logical unit (sub-interface), and `unit 0` is the first one.

Configuration changes only take effect after `commit`. Because a brand-new firewall has no root password, the commit is refused until you set one:

```
root# set system root-authentication plain-text-password
New password:
Retype new password:
```

Enter the password at the prompts.

Deleting configuration:

```
root# delete interfaces ge-0/0/0
```

An easy way to remember this: replace `set` with `delete` to remove a piece of configuration. As with `set`, the deletion takes effect only after a commit, after which the unit has no address:

```
ge-0/0/0.0              up    up   inet
```

Configuration can also be deleted in bulk with a wildcard:

```
root# wildcard delete interfaces ge-0/0/*
```

Renaming:

```
root# edit security nat source
root# rename rule-set in-to-out to rule-set inside-outside
```

This is mainly so names are easy to remember and the same function carries the same name across different devices.

Replacing configuration. Suppose port 1 was meant to be configured but port 0 was configured instead:

```
root# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
root# replace pattern ge-0/0/0 with ge-0/0/1
root# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
```

Port 0's configuration is gone and port 1 now has it.

Copying configuration:

```
root# copy interfaces ge-0/0/1 to ge-0/0/0
[edit]
root# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
```

Both interfaces now carry the configuration; whatever is specific to each interface has to be edited afterwards.

Viewing the configuration:

```
root# show
## Last changed: 2018-04-19 13:55:57 UTC
version 12.1X44.4;
system {
    root-authentication {
        encrypted-password "$1$czJ1/1FI$aEih2B9Tfo8kLnK7kPZpX."; ## SECRET-DATA
    }
```

Configuration shown in this form cannot be pasted back in directly; it is only for reading.

```
root# show | display set
set version 12.1X44.4
set system root-authentication encrypted-password "$1$czJ1/1FI$aEih2B9Tfo8kLnK7kPZpX."
set system services ssh
set system services web-management http interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
```

Configuration in this form can be pasted straight into a firewall.

To use an operational-mode command from configuration mode, prefix it with `run`:

```
root# run show interfaces terse
```

# 2. Committing and restoring configuration

Basic commit:

```
root# commit
```

Compare: show the difference between the last commit and the candidate configuration about to be committed:

```
root# show | compare
[edit system services web-management http]
-    interface ge-0/0/0.0;
+    interface ge-0/0/1.0;
[edit interfaces]
```

Scheduled commit:

```
root# commit at ?
Possible completions:
  Time at which to activate configuration changes
```

Commit with a comment:

```
root# commit comment "interface0-1 address"
root> show system commit
0   2018-04-19 14:03:52 UTC by root via cli
1   2018-04-19 14:02:45 UTC by root via cli
    interface0-1 address
2   2018-04-19 13:52:56 UTC by root via cli
3   2018-04-19 13:44:26 UTC by root via cli
4   2018-04-19 13:35:31 UTC by root via cli
5   2018-04-18 17:16:29 UTC by root via other
```

This lets you label what each commit did, which makes rolling back easier; with only timestamps to go on, it is easy to forget.

Confirmed commit: after committing, verify that the change works and run `commit` again within 10 minutes to make it final; otherwise the configuration is rolled back after 10 minutes.

```
root# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 10 minutes
```

Rollback:

```
root# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2018-04-19 13:52:56 UTC by root via cli
  1                    2018-04-19 13:44:26 UTC by root via cli
  2                    2018-04-19 13:35:31 UTC by root via cli
  3                    2018-04-18 17:16:29 UTC by root via other
```

Clear a pending commit that has not yet been applied:

```
root> clear system commit
```

# 3. Basic system configuration

Set the hostname:

```
[edit]
root# set system host-name SRX1
```

Set the DNS server:

```
[edit]
root@SRX1# set system name-server 8.8.8.8
```

Check the time:

```
root@SRX1> show system uptime
Current time: 2018-04-19 14:11:24 UTC
System booted: 2018-04-19 12:51:35 UTC (01:19:49 ago)
Protocols started: 2018-04-19 12:51:59 UTC (01:19:25 ago)
Last configured: 2018-04-19 14:10:33 UTC (00:00:51 ago) by root
 2:11PM  up 1:20, 1 user, load averages: 0.00, 0.00, 0.00
```

Set the time zone:

```
root@SRX1# set system time-zone Asia/Shanghai
```

Set the time manually:

```
root@SRX1> set date 201804111413.00
```

Check NTP:

```
root@SRX1> show ntp associations
root@SRX1> show ntp status
```

Set the NTP server, so that servers on the LAN can use the firewall as their time-synchronisation source:

```
root@SRX1# set system ntp server 1.1.1.1
```

Reboot the firewall:

```
root@SRX1> request system reboot
```

Shut down the firewall:

```
root@SRX1> request system power-off
```

Drop back to the system shell:

```
root@SRX1> start shell
```

Enter the firewall CLI again:

```
root@SRX1% cli
```

Set the root password:

```
root@SRX1# set system root-authentication plain-text-password
```

Doing day-to-day configuration as root is not recommended. Add a user instead:

```
root@SRX1# edit system login user eddy
[edit system login user eddy]
root@SRX1# set class super-user authentication plain-text-password
New password:
Retype new password:
```

Privilege classes, from highest to lowest:

- `super-user` (second only to root)
- `read-only`
- `operator`
- `unauthorized`

Resetting the root password: first reboot with `request system reboot`. When `load /boot/defaults/loader.conf` appears, press space; at the `loader>` prompt enter `boot -s`. At the prompt that follows, enter `recovery`:

```
loader> boot -s
......: recovery
root>
```

From here the password can be set and the configuration edited.

Configuring services:

```
eddy@SRX1# edit system services
[edit system services]
eddy@SRX1# set ssh
eddy@SRX1# set ssh root-login deny
eddy@SRX1# set telnet
eddy@SRX1# set web-management http interface ge-0/0/1.0
```

- `set ssh` enables SSH
- `set ssh root-login deny` refuses root logins over SSH
- `set telnet` enables Telnet
- `set web-management http interface ge-0/0/1.0` enables web management on that interface

Check the version:

```
eddy@SRX1> show version
Hostname: SRX1
Model: junosv-firefly
JUNOS Software Release [12.1X44-D10.4]
```

Check the license:

```
eddy@SRX1> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  all                                   0            1           0    29 days

Licenses installed: none
```

Because I am using an emulator, there are only 30 days here.
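As an added example (not code from the original post), the following Python script flattens the curly-brace output of `show` into the `set` lines that `show | display set` prints (section 1), then checks the management services configured in section 3. The sample configuration is constructed for this example and the password hash is a placeholder.

```python
# Constructed sample in the curly-brace format `show` prints: the root-authentication
# stanza from section 1 (hash replaced by a placeholder) plus the section 3 services.
SAMPLE_CONFIG = """\
## Last changed: 2018-04-19 13:55:57 UTC
version 12.1X44.4;
system {
    root-authentication {
        encrypted-password "$1$PLACEHOLDER$notarealhash"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login deny;
        }
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
        }
    }
}
"""

def to_set_format(text):
    """Flatten brace-format config into the `set ...` lines `show | display set` prints."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()    # drop '## ...' annotations such as SECRET-DATA
        if not line:
            continue
        if line == "}":
            stack.pop()                      # leave the current hierarchy level
        elif line.endswith("{"):
            stack.append(line[:-1].strip())  # enter a nested level, e.g. 'system'
        else:
            out.append("set " + " ".join(stack + [line.rstrip(";")]))
    return out

def audit_services(set_lines):
    """Flag the section 3 management settings a reviewer would question."""
    findings = []
    if "set system services telnet" in set_lines:
        findings.append("telnet enabled (cleartext management)")
    if any(l.startswith("set system services web-management http") for l in set_lines):
        findings.append("web-management over plain http")
    if "set system services ssh root-login deny" not in set_lines:
        findings.append("ssh root-login not denied")
    return findings
```

Running `audit_services(to_set_format(SAMPLE_CONFIG))` on the sample reports the Telnet and plain-HTTP findings, since the sample already denies root over SSH.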