SSG-5
Notes from using a Juniper SSG-5.
The SSG-5 ships with 256MB of memory as standard, but a 128MB model also exists.
The only difference is that the SSG-5's optional licenses cannot be enabled on the 128MB model.
Switching to transparent mode

```
ssg5-serial-> unset interface bgroup0 ip
ssg5-serial-> set interface ethernet0/0 zone V1-Untrust
ssg5-serial-> set interface ethernet0/1 zone V1-DMZ
ssg5-serial-> set interface bgroup0 zone V1-Trust
Changed to pure l2 mode
ssg5-serial-> set interface vlan1 ip <IP Address>/<Mask>
ssg5-serial-> set interface vlan1 manage web
ssg5-serial-> set interface vlan1 manage ping
ssg5-serial-> set route 0.0.0.0/0 interface vlan1 gateway <DGW IP Address>
```

bgroup0 has 192.168.1.1/24 assigned by default, and an IP in the same segment cannot be assigned to vlan1, which is why the bgroup0 address is unset first (or pick a different segment for vlan1).
To allow the following on the V1-Untrust zone, enter the matching command (in transparent mode the physical interfaces carry no IP, so the management options are set on the V1-* zone):

| To allow | Command |
|---|---|
| HTTPS access | set zone V1-Untrust manage ssl |
| ping response | set zone V1-Untrust manage ping |
| SNMP response | set zone V1-Untrust manage snmp |
| HTTP access | set zone V1-Untrust manage web |

Everything enabled here answers from the untrusted side. web (HTTP) and SNMP v1/v2c are unencrypted, so prefer ssl, enable only what is actually needed, and restrict the permitted management sources with set admin manager-ip <IP Address> <Mask>.
Factory defaults

- Boot takes about two and a half minutes
- 192.168.1.1/24
- netscreen/netscreen (default login name/password)
- ethernet0/0 is in the Untrust zone
- ethernet0/1 is in the DMZ zone
- ethernet0/2 to 0/6 are assigned to bgroup0, Trust zone, 192.168.1.1/24
- bgroup0 is in NAT mode
- DHCP is enabled on bgroup0, 192.168.1.33-126
- The policy permits everything from Trust to Untrust
- timezone is 0
- The reboot command is reset, which is alarming the first time... it only reboots, and does not erase the configuration unless unset all was run first
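
The factory defaults above (admin netscreen, permit-all from Trust to Untrust) and the transparent-mode manage commands are the things worth checking in a configuration dump before an SSG-5 goes anywhere near an untrusted link. The audit below is an added example, not code from the original page or from ScreenOS. It matches the command syntax shown on this page (set zone ... manage ..., set admin name ..., set policy ... permit); SAMPLE_CONFIG is constructed for the demonstration, and it is assumed that get config output on a real unit uses the same syntax with names optionally double-quoted and that a factory admin shows up as set admin name "netscreen".

```python
"""Audit a ScreenOS configuration dump for the risky defaults listed above.

Added example, not part of the original page or of ScreenOS itself. It
matches the command syntax shown on this page (set zone ... manage ...,
set admin ..., set policy ... permit); the sample below is constructed for
the demonstration, and it is assumed that `get config` output on a real
SSG-5 uses the same syntax with names optionally double-quoted.
"""
from typing import List, Tuple

DEFAULT_ADMIN = "netscreen"                          # factory login from this page
UNTRUST_ZONES = {"untrust", "v1-untrust"}            # route-mode and transparent-mode names
UNTRUST_INTERFACES = {"ethernet0/0"}                 # the SSG-5's Untrust interface (page)
PLAINTEXT = {"web", "telnet"}                        # unencrypted management protocols
UNTRUST_EXPOSED = {"web", "telnet", "snmp", "ping"}  # should not face Untrust at all

# Constructed sample: an SSG-5 after the transparent-mode steps and the four
# "manage" commands from this page, with the factory admin still in place.
SAMPLE_CONFIG = """
set admin name "netscreen"
set admin password "<hash>"
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/1" zone "V1-DMZ"
set interface "bgroup0" zone "V1-Trust"
set interface vlan1 ip 192.168.10.5/24
set interface vlan1 manage web
set interface vlan1 manage ping
set zone "V1-Untrust" manage ssl
set zone "V1-Untrust" manage ping
set zone "V1-Untrust" manage snmp
set zone "V1-Untrust" manage web
set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "V1-Untrust" to "V1-DMZ" "Any" "Any" "HTTP" permit
"""


def _words(line: str) -> List[str]:
    # Tokenize and drop quotes so "V1-Untrust" and V1-Untrust compare equal.
    return [w.strip('"') for w in line.split()]


def audit_screenos(config: str) -> List[Tuple[str, str]]:
    """Return (finding, offending line) pairs in configuration order."""
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        w = _words(line)
        if len(w) < 2:
            continue

        # 1. Factory administrator name still in use.
        if w[1:3] == ["admin", "name"] and len(w) > 3 and w[3].lower() == DEFAULT_ADMIN:
            findings.append(("default admin name 'netscreen' still in use", line))

        # 2. Management services: set zone <z> manage <svc> / set interface <i> manage <svc>
        if len(w) >= 5 and w[3] == "manage" and w[1] in ("zone", "interface"):
            target, svc = w[2].lower(), w[4].lower()
            if svc in PLAINTEXT:
                findings.append((f"plaintext management '{svc}' enabled on {w[2]}", line))
            faces_untrust = (w[1] == "zone" and target in UNTRUST_ZONES) or \
                            (w[1] == "interface" and target in UNTRUST_INTERFACES)
            if faces_untrust and svc in UNTRUST_EXPOSED:
                findings.append((f"management service '{svc}' reachable from untrusted side", line))

        # 3. Permit-all policy: ... from <src_zone> to <dst_zone> <src> <dst> <svc> permit
        if w[1] == "policy" and "from" in w:
            p = w[w.index("from"):]
            if len(p) >= 8 and p[2] == "to" and p[7] == "permit" \
                    and all(x.lower() == "any" for x in p[4:7]):
                findings.append((f"permit-all policy from {p[1]} to {p[3]}", line))
    return findings


if __name__ == "__main__":
    for finding, line in audit_screenos(SAMPLE_CONFIG):
        print(f"{finding:58s} <- {line}")
```

Run against the sample it reports the factory admin, plaintext web on vlan1 and on V1-Untrust, ping/snmp/web answering on V1-Untrust, and the permit-all policy; the ssl line and the HTTP-only policy pass. Feed it the output of get config from the console session instead of SAMPLE_CONFIG to check a real unit.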
Restoring factory defaults, method 1: from a console connection

```
hostname> unset all
Erase all system config, are you sure y/[n] ? y
hostname> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...
```

Answer n to the "save?" prompt: unset all erases the saved configuration, and saving at this point would write the still-running configuration back to flash and undo the erase.

Restoring factory defaults, method 2: the reset button

- Press and hold the Reset pinhole on the rear for 4 to 6 seconds
- The Status LED blinks red
- The Status LED then blinks green, so release the pinhole
- Wait 2 seconds
- Press and hold the pinhole again for 4 to 6 seconds

This path needs nothing but physical access to the pinhole; if that is a concern, the button can be disabled on the device with unset admin hw-reset (and re-enabled with set admin hw-reset).
Command basics

| Command | Meaning |
|---|---|
| get config | Display the configuration |
| save config | Save the configuration |
| set <item> | Configure <item> |
| get <item> | Display <item> |
SNMP traps

An SNMP trap from the unit carries a number after the hostname.
That number is the trap type defined in NS-TRAP.MIB:

```
SYNTAX INTEGER {
    traffic-sec(1),                      -- Traffic per-second threshold
    traffic-min(2),                      -- Traffic per-minute threshold
    winnuke(4),                          -- Winnuke pak
    syn-attack(5),                       -- Syn attack
    tear-drop(6),                        -- tear-drop attack
    ping-death(7),                       -- Ping of Death attack
    ip-spoofing(8),                      -- IP spoofing attack
    ip-src-route(9),                     -- IP source routing attack
    land(10),                            -- land attack
    icmp-flood(11),                      -- ICMP flooding attack
    udp-flood(12),                       -- UDP flooding attack
    illegal-cms-svr(13),                 -- Illegal server IP to connect to CMS port
    url-block-srv(14),                   -- URL blocking server connection alarm
    port-scan(16),                       -- Port Scan attack
    addr-sweep(17),                      -- address sweep attack
    low-memory(20),                      -- memory low
    dns-srv-down(21),                    -- DNS server unreachable
    generic-HW-fail(22),                 -- Fan, Power Supply failure
    lb-srv-down(23),                     -- Load balance server unreachable
    log-full(24),                        -- log buffer overflow
    x509(25),                            -- X509 related
    vpn-ike(26),                         -- VPN and IKE related
    admin(27),                           -- admin related
    sme(28),                             -- Illegal src ip to connect to sme port
    dhcp(29),                            -- DHCP related
    cpu-usage-high(30),                  -- CPU usage is high
    ip-conflict(31),                     -- Interface IP conflict
    attact-malicious-url(32),            -- Microsoft IIS server vulnerability
    session-threshold(33),               -- session threshold is exceeded
    ssh-alarm(34),                       -- SSH related alarms
    vpn-tunnel-up(40),                   -- VPN tunnel from down to up
    vpn-tunnel-down(41),                 -- VPN tunnel from up to down
    vpn-replay-attack(42),               -- VPN replay detected
    vpn-l2tp-tunnel-remove(43),          -- VPN tunnel removed
    vpn-l2tp-tunnel-remove-err(44),      -- VPN tunnel removed and error detected
    vpn-l2tp-call-remove(45),            -- VPN call removed
    vpn-l2tp-call-remove-err(46),        -- VPN call removed and error detected
    vpn-ias-too-many(47),                -- Number of IAS exceeds configured maximum
    vpn-ias-over-threshold(48),          -- Number of IAS crossed configured upper threshold
    vpn-ias-under-threshold(49),         -- Number of IAS crossed configured lower threshold
    vpn-ias-ike-error(50),               -- IKE error occurred for the IAS session
    allocated-session-threshold(51),     -- allocated session exceed threshold
    av-scan-mgr(554),                    -- AV Scan Manager Alarm, software trap
    nsrp-rto-up(60),                     -- NSRP rto self unit status change from up to down
    nsrp-rto-down(61),                   -- NSRP rto self unit status change from down to up
    nsrp-trackip-success(62),            -- NSRP track ip succeeded
    nsrp-trackip-failed(63),             -- NSRP track ip failed
    nsrp-trackip-failover(64),           -- NSRP track ip fail over
    nsrp-inconsistent-configuration(65), -- NSRP inconsistent configuration between master and backup
    nsrp-vsd-init(70),                   -- NSRP vsd group status change to elect
    nsrp-vsd-master(71),                 -- NSRP vsd group status change to master
    nsrp-vsd-pbackup(72),                -- NSRP vsd group status change to primary backup
    nsrp-vsd-backup(73),                 -- NSRP vsd group status change to backup
    nsrp-vsd-ineligible(74),             -- NSRP vsd group status change to ineligible
    nsrp-vsd-inoperable(75),             -- NSRP VSD group status change to inoperable
    nsrp-vsd-req-hearbeat-2nd(76),       -- NSRP VSD request heartbeat from 2nd HA path
    nsrp-vsd-reply-2nd(77),              -- NSRP VSD reply to 2nd path request
    nsrp-rto-duplicated(78),             -- NSRP duplicated RTO group found
    dc-fail-reconnect-mc(79),            -- DC fails to re-connect to MC
    mc-fail-reconnect-db(80),            -- MC fails to re-connect to Db
    dc-fail-init(81),                    -- DC fails to initialize
    mc-fail-init(82),                    -- MC fails to initialize
    unknown-connect-attempt-dc(83),      -- Unknown device trying to connect to a DC
    dc-reinit(84),                       -- DC has been reinitialized/restarted (similar meaning as the cold start trap generated by the device)
    mc-reinit(85),                       -- MC has been restarted
    dc-fail-auth(86),                    -- DC fails to authenticate to a device
    dc-mc-version-unmatch(87),           -- DC / MC are not running the same version
    dc-log-full(88),                     -- DC's traffic log files are full
    device-connect-dc(89),               -- NetScreen device connected to Global PRO
    device-disconnect-dc(90),            -- NetScreen device disconnected from Global PRO
    usb-device-operation(93),            -- A USB key is plugged/unplugged from USB port
    ppp-no-ip-cfg(95),                   -- No ppp IP pool configured
    ppp-no-ip-in-pool(96),               -- IP pool exhausted. No ip to assign
    ipv6-conflict(101),                  -- Interface IPv6 address conflict
    dip-util-raise(102),                 -- DIP utilization reaches raised threshold limit
    dip-util-clear(103),                 -- DIP utilization reaches clear threshold limit
    route-alarm(205),                    -- Errors in route module (exceed limit, malloc failure, add-prefix failure etc)
    ospf-flood(206),                     -- LSA/Hello packets flood in OSPF, route redistribution exceed limit
    rip-flood(207),                      -- Update packet floods in RIP
    bgp-established(208),                -- Peer forms adjacency completely
    bgp-backwardtransition(209),         -- Peer's adjacency is torn down, goes to Idle state
    ospf-virtifstatechange(210),         -- change in virtual link's state (down, point-to-point etc)
    ospf-nbrstatechange(211),            -- change in neighbor's state on regular interface (down, 2way, full etc)
    ospf-virtnbrstatechange(212),        -- change in neighbor's state on virtual link (down, full etc)
    ospf-ifconfigerror(213),             -- authentication mismatch/area mismatch etc on regular interface
    ospf-virtifconfigerror(214),         -- authentication mismatch/area mismatch etc on virtual link
    ospf-ifauthfailure(215),             -- Authentication error on regular interface
    ospf-virtifauthfailure(216),         -- Authentication error on virtual link
    ospf-ifrxbadpacket(217),             -- lsa received with invalid lsa-type on regular interface
    ospf-virtifrxbadpacket(218),         -- lsa received with invalid lsa-type on virtual link
    ospf-txretransmit(219),              -- retransmission to neighbor on regular interface
    ospf-virtiftxretransmit(220),        -- retransmission to neighbor on virtual link
    ospf-originatelsa(221),              -- new LSA generated by local router
    ospf-maxagelsa(222),                 -- LSA aged out
    ospf-lsdboverflow(223),              -- when total LSAs in database exceed predefined limit
    ospf-lsdbapproachingoverflow(224),   -- when total LSAs in database approach predefined limit
    ospf-ifstatechange(225),             -- change in regular interface state (up/down, dr/bdr etc)
    ids-component(400),                  -- block java/active-x component
    ids-icmp-flood(401),                 -- icmp flood attack
    ids-udp-flood(402),                  -- udp flood attack
    ids-winnuke(403),                    -- winnuke attack
    ids-port-scan(404),                  -- port scan attack
    ids-addr-sweep(405),                 -- address sweep attack
    ids-tear-drop(406),                  -- tear drop attack
    ids-syn(407),                        -- syn flood attack
    ids-ip-spoofing(408),                -- ip spoofing attack
    ids-ping-death(409),                 -- ping of death attack
    ids-ip-source-route(410),            -- filter ip packet with source route option
    ids-land(411),                       -- land attack
    syn-frag-attack(412),                -- screen syn fragment attack
    tcp-without-flag(413),               -- screen tcp packet without flag attack
    unknow-ip-packet(414),               -- screen unknown ip packet
    bad-ip-option(415),                  -- screen bad ip option
    dst-ip-session-limit(430),           -- Dst IP-based session limiting
    ids-block-zip(431),                  -- HTTP component blocking for .zip files
    ids-block-jar(432),                  -- HTTP component blocking for Java applets
    ids-block-exe(433),                  -- HTTP component blocking for .exe files
    ids-block-activex(434),              -- HTTP component blocking for ActiveX controls
    icmp-fragment(435),                  -- screen icmp fragment packet
    too-large-icmp(436),                 -- screen too large icmp packet
    tcp-syn-fin(437),                    -- screen tcp flag syn-fin set
    tcp-fin-no-ack(438),                 -- screen tcp fin without ack
    ids-tcp-syn-ack-ack(439),            -- avoid replying to syns after excessive 3 way TCP handshakes from same src ip but not proceeding with user auth (not replying to username/password)
    ids-ip-block-frag(440),              -- ip fragment
    ids-icmp-ping-id-zero(441),          -- icmp ping id 0
    cpu-limit-s2f-forced(800),           -- Shared to fair transition forced
    cpu-limit-s2f-auto(801),             -- Shared to fair transition auto
    cpu-limit-f2s-forced(802),           -- Fair to shared transition forced
    cpu-limit-f2s-timeout(803),          -- Fair to shared transition because of timeout
    cpu-limit-f2s-auto(804)              -- Fair to shared transition auto
}
```
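
Turning that enumeration into a lookup table is what makes the "hostname followed by a number" traps readable on a receiver. The parser below is an added example, not code from the original page or from Juniper's MIB: MIB_EXCERPT is a short constructed excerpt of the enumeration above (feeding the whole SYNTAX INTEGER block to parse_trap_enum gives the full table), and the lines in SAMPLE_TRAPS are constructed and assume only the "hostname then trap number" shape described here.

```python
"""Parse the NS-TRAP.MIB trap enumeration and decode ScreenOS trap numbers.

Added example, not part of the original page or of Juniper's MIB. MIB_EXCERPT
is a short constructed excerpt of the enumeration above; feeding the whole
SYNTAX INTEGER { ... } block to parse_trap_enum yields the full table. The
lines in SAMPLE_TRAPS are constructed and assume only the "hostname followed
by the trap number" shape described on this page.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

MIB_EXCERPT = """
SYNTAX INTEGER {
    -- Traffic per-second threshold
    traffic-sec(1),
    -- Syn attack
    syn-attack(5),
    -- admin related
    admin(27),
    -- Interface IP conflict
    ip-conflict(31),
    -- VPN tunnel from down to up
    vpn-tunnel-up(40),
    -- DC has been reinitialized/restarted (similar meaning as the cold
    -- start trap generated by the device)
    dc-reinit(84),
    -- Errors in route module (exceed limit, malloc failure, add-prefix failure etc)
    route-alarm(205),
    -- port scan attack
    ids-port-scan(404),
    --Shared to fair transition forced
    cpu-limit-s2f-forced(800)
}
"""

# An identifier immediately followed by "(digits)". Comment text never has
# this shape (its parentheses follow a space or wrap words), so the regex
# works on the MIB as written and on a copy where comments and identifiers
# were flattened onto one line.
_ENUM_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9-]*)\((\d+)\)")


def parse_trap_enum(text: str) -> Dict[int, str]:
    """Return {trap number: identifier}; refuse a number defined twice."""
    table: Dict[int, str] = {}
    for name, num in _ENUM_RE.findall(text):
        n = int(num)
        if n in table and table[n] != name:
            raise ValueError(f"trap {n} defined as both {table[n]} and {name}")
        table[n] = name
    return table


def decode_trap(number: int, table: Dict[int, str]) -> str:
    """Name for a trap number, or unknown(n) so unexpected traps stay visible."""
    return table.get(number, f"unknown({number})")


_TRAP_LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<num>\d+)(?:\s|$)")


def decode_trap_line(line: str, table: Dict[int, str]) -> Tuple[str, str]:
    """Split '<hostname> <number> ...' into (hostname, trap name)."""
    m = _TRAP_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a '<hostname> <number>' trap line: {line!r}")
    return m.group("host"), decode_trap(int(m.group("num")), table)


def summarize(lines: List[str], table: Dict[int, str]) -> Counter:
    """Count trap names over a batch of lines, e.g. a trap receiver's log."""
    return Counter(decode_trap_line(l, table)[1] for l in lines if l.strip())


# Constructed trap lines in the "<hostname> <number>" shape.
SAMPLE_TRAPS = [
    "ssg5-serial 5",    # syn-attack
    "ssg5-serial 27",   # admin
    "ssg5-serial 404",  # ids-port-scan
    "ssg5-serial 5",    # syn-attack again
    "ssg5-serial 999",  # not in the MIB -> unknown(999)
]

if __name__ == "__main__":
    table = parse_trap_enum(MIB_EXCERPT)
    for line in SAMPLE_TRAPS:
        print(line, "->", decode_trap_line(line, table))
    print(summarize(SAMPLE_TRAPS, table).most_common())
```

Unknown numbers are reported as unknown(n) rather than dropped, so a trap from a newer firmware or a copy-paste error in the MIB does not silently vanish from the summary.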