Netscreen Firewall Basic Configuration Guide
Written by Zhongjie Fan
Upgrading ScreenOS
Restoring Factory Defaults
Viewing the Netscreen License
Importing and Exporting Netscreen Configuration Files
Changing the Netscreen Management Port
Troubleshooting Internet Access Through a Netscreen Firewall
Adding Administrator Accounts on Netscreen
Restricting Administrator Access to Netscreen
Enabling the DHCP Server
Time- and Content-Based Restrictions on Internet Access
Configuring MAC Address Binding
Policy-Based Site-to-Site VPN (AutoKey IKE)
Route-Based Site-to-Site VPN (AutoKey IKE)
Netscreen Policy-Based Dial-Up VPN (AutoKey IKE)
L2TP Dial-Up VPN on Netscreen
Configuring Netscreen Transparent Mode
Monitoring and Blocking Malicious Attacks
Upgrading ScreenOS
Depending on requirements, the firmware on a Netscreen firewall can be upgraded or downgraded. There are two methods: through the Web interface, and through the command-line interface (CLI).
• Upgrading firmware through the Web interface
First log in to the firewall as root or as a user account with read-write privileges. On the Configuration > Update > ScreenOS/Keys page select Firmware Update (ScreenOS), click the Browse button, choose the ScreenOS image file, and click Apply.
Take care when upgrading the OS through the Web interface: read the Release Notes for the target OS first. As a rule, an upgrade across major versions must be done in stages. For example, to take a Netscreen 50 from 3.0.1 to 5.4.0 you must upgrade step by step: first to 3.0.3r9a.1 and reboot the firewall, then to 4.0.0 and reboot, then to 4.0.3 and reboot, then to 5.0.0 and reboot, then to 5.2.0 and reboot, and finally to 5.4.0. Only this staged sequence is safe; skipping stages can leave the device unusable.
• Upgrading firmware through the CLI
To upgrade over the console port, connect the firewall to a PC with a console cable and a network cable. Log in to the firewall's CLI with a terminal program such as HyperTerminal (default settings: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control).
Start a TFTP server and set its upload and download directory. Put one firewall interface on the same subnet as the PC; for example, set ethernet1 to 192.168.3.1/24 and the PC to 192.168.3.180/24.
At the CLI enter save software from tftp 192.168.3.180 ns5gt.5.0.0r8.1 to flash and press Enter.
On success the CLI shows output like the following:
5gt_3-> save software from tftp 192.168.3.180 ns5gt.5.0.0r8.1 to flash
Load software from TFTP 192.168.3.180 (file: ns5gt.5.0.0r8.1).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 5390336
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 18, cpu = 12, version = 16
update new flash image (01bb3870,5390336)
platform = 18, cpu = 12, version = 16
offt = 20, address = 1900000, size = 5385716
date = 3136, sw_version = 28008000, cksum = 76e973e8
Program flash (5390336 bytes) ...
c_size :16384 align_support 1 , mode 0
++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++
++++++++++++++done
Done
Then reboot the firewall.
Upgrading through the CLI writes the image directly to flash, so the staged version sequence required for Web upgrades does not apply. Still read the Release Notes for the target version before proceeding.
If the upgrade has to be done remotely over Telnet, both the PC and the firewall need a public IP address and the link must not be too slow. Keep in mind that Telnet and TFTP carry everything, including the administrator password and the firmware image, in cleartext, and TFTP performs no authentication at all, so only do this over a link you control.
• Booting Netscreen in emergency mode and installing ScreenOS from the loader
If the firewall cannot boot normally for some reason, for example because the ScreenOS image has been lost, the OS can be loaded from the boot loader.
Method: connect the PC to the firewall with the console cable and a network cable. Power-cycle the firewall and, when the console prompts Hit any key to run loader, press any key to enter the loader. Following the prompts, enter the Boot File Name, Self IP Address and TFTP IP Address. At the same time start the TFTP server with its download directory set. Note the line Ignore image authentication! in the output below: the loader does not verify the image it receives, so check the image file's checksum against the value published by the vendor before serving it.
Follow the prompts; the session looks like this:
NetScreen NS-5GT Boot Loader Version 2.1.0 (Checksum: 61D07DA5) Copyright (c) 1997-2003 NetScreen Technologies, Inc.
Total physical memory: 128MB
Test - Pass
Done
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Serial Number [0064042006003887]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [0014-f695-75e0]: READ ONLY
Boot File Name [ns5gt.5.0.0r8.1]: ns5gt.5.4.0r1.0
Self IP Address [192.168.1.1]: 192.168.3.1
TFTP IP Address [192.168.1.254]: 192.168.3.180
Save loader config (56 bytes)... Done
Loading file "ns5gt.5.4.0r1.0"... rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata tatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatata tatatatatatatat
Loaded Successfully! (size = 9,832,696 bytes)
Ignore image authentication!
Save to on-board flash disk? (y/[n]/m) Yes!
Saving system image to on-board
Done! (size = 9,832,696 bytes)
Run downloaded system image? ([y]/n) Yes!
................................................................. ................................................................. ................................................................. ............................
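Both the CLI upgrade (save software from tftp ...) and the loader recovery above pull the image from whatever TFTP server answers, and the loader prints Ignore image authentication!, so the only integrity check is the one you do yourself. The following is an added example, not code from the guide or from NetScreen/Juniper: a minimal read-only TFTP server (RFC 1350, octet mode) that serves exactly one file, only after its SHA-256 matches the value you copied from the vendor's download page, and only to the firewall's address. The file name, hash, and the 192.168.3.x addresses are assumptions taken from the guide's example; replace them with your own.

```python
# Added example (not from the original guide): verified, single-file TFTP server.
import hashlib
import socket
import struct
import sys
from pathlib import Path

BLOCK_SIZE = 512                                  # RFC 1350 fixed data block size
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5    # opcodes used here (WRQ is refused)
ERR_NOT_FOUND = 1


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True only if the image bytes hash to the vendor-published SHA-256."""
    return sha256_hex(data) == expected_sha256.strip().lower()


def parse_rrq(packet: bytes):
    """Return (filename, mode) for a well-formed RRQ, else None."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        return None
    fields = packet[2:].split(b"\x00")            # filename, mode, trailing empty
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return (fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())


def parse_ack(packet: bytes):
    """Return the acknowledged block number, or None if the packet is not an ACK."""
    if len(packet) != 4 or struct.unpack("!H", packet[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", packet[2:])[0]


def data_packet(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload   # block number wraps


def error_packet(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def split_blocks(data: bytes):
    """512-byte blocks; a final block shorter than 512 (possibly empty) ends the transfer."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def serve_image(image_path, expected_sha256, bind_ip, client_ip, timeout=5.0, retries=5):
    """Serve one transfer of image_path to client_ip; refuse every other request."""
    data = Path(image_path).read_bytes()
    if not verify_image(data, expected_sha256):
        raise SystemExit("image hash mismatch, refusing to serve %s" % image_path)
    name = Path(image_path).name                  # exact-name match: no paths, no traversal
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_ip, 69))                  # port 69 needs root on most systems
    while True:
        pkt, peer = listener.recvfrom(1024)
        if peer[0] != client_ip:                  # silently ignore hosts other than the firewall
            continue
        req = parse_rrq(pkt)
        if req is None or req[0] != name:
            listener.sendto(error_packet(ERR_NOT_FOUND, "not found"), peer)
            continue
        break
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # data flows from a fresh port
    xfer.bind((bind_ip, 0))
    xfer.settimeout(timeout)
    for idx, block in enumerate(split_blocks(data), start=1):
        for _ in range(retries):                  # retransmit until the block is ACKed
            xfer.sendto(data_packet(idx, block), peer)
            try:
                ack, src = xfer.recvfrom(1024)
            except socket.timeout:
                continue
            if src == peer and parse_ack(ack) == (idx & 0xFFFF):
                break
        else:
            raise SystemExit("client stopped acknowledging at block %d" % idx)
    return len(data)


if __name__ == "__main__":
    # Assumed invocation, matching the guide's addresses (PC 192.168.3.180, firewall 192.168.3.1):
    #   sudo python3 tftp_serve.py ns5gt.5.4.0r1.0 <sha256-from-vendor> 192.168.3.180 192.168.3.1
    _, path, digest, bind_ip, client_ip = sys.argv
    print("sent %d bytes" % serve_image(path, digest, bind_ip, client_ip))
```

Run it on the PC before typing the save software command or entering the loader; it exits after one complete transfer, so nothing stays listening on port 69 afterwards. The server ignores requests from any address other than the firewall's and compares the requested name against the image's basename, which is why no directory handling is needed.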
Restoring Factory Defaults
The firewall can be restored to factory defaults when needed. There are two methods.
• Restoring factory defaults with CLI commands
5gt_3->
5gt_3-> unset all
Erase all system config, are you sure y/[n] ? y
5gt_3->
5gt_3-> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...
• Restoring factory defaults by entering the serial number
The serial number is printed on the label on the bottom of the device. At the CLI login prompt, enter the serial number as both the username and the password, then follow the prompts. Because this recovery needs nothing more than console access and the serial number on the label, anyone with physical access to the device can wipe its configuration; the permanent reset counter mentioned in the prompts records that it happened. ScreenOS can disable this serial-number recovery login (unset admin sw-reset; confirm against your release's CLI reference), at the cost of having no software path back from a lost root password. The session looks like this:
login: 006404200xxxx887
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset ...
Note: On the Netscreen 5GT the port mode can be changed. A factory reset does not restore the port mode to its initial state, which is Trust-Untrust mode. After either kind of reset the device comes up with the default account netscreen/netscreen on 192.168.1.1; change that password before connecting the device to any network.