Juniper SRX firewall: changes made but not committed, how to keep them from taking effect?


I made a large number of changes on a Juniper SRX firewall but have not run commit. Now I have found that the changes have problems.
I want to cancel the changes, so that a later commit does not push the earlier edits. What should I do??
The firewall cannot be rebooted.

Reference answer A: As long as you have not committed, it is simple, just one command:
rollback 0.
You can check with show | compare.

All of the above is done in configure mode. Follow-up question:

If it has already been committed, can rollback 1 also restore it??

Follow-up answer:

A commit takes effect immediately. rollback 1 restores the contents of the commit before this one.

This answer was accepted by the asker and other users.
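The following is an added example, not part of the question or the answers above and not Junos code: a small Python model of the Junos candidate/committed configuration with its rollback history (Junos keeps rollback 0, the active configuration, plus up to 49 older commits). It shows the two cases from the thread: with nothing committed, `rollback 0` copies the active configuration back into the candidate and `show | compare` becomes empty; after a commit, `rollback 1` only loads the previous configuration into the candidate, and the change stays live until a second `commit`. The BASE statements and the BAD policy line are constructed for illustration.

```python
"""Toy model of the Junos candidate/committed configuration and the
rollback history, written as an added example (it is not Junos code).
BASE and the statements below are constructed for illustration."""

MAX_ROLLBACKS = 50  # active config (rollback 0) plus up to 49 older ones

BASE = [
    "set system host-name SRX1400",
    "set system name-server 202.106.0.20",
    "set security zones security-zone untrust interfaces ge-0/0/0.0",
]
BAD = "set security policies from-zone untrust to-zone trust policy open then permit"


class JunosConfigModel:
    """Active configuration plus a candidate copy, as in 'configure' mode."""

    def __init__(self, initial):
        self.history = [set(initial)]   # history[0] is rollback 0, the active config
        self.candidate = set(initial)

    def set(self, stmt):
        self.candidate.add(stmt)

    def delete(self, stmt):
        self.candidate.discard(stmt)

    def show_compare(self):
        """'show | compare': candidate versus rollback 0, one line per change."""
        active = self.history[0]
        added = ["+ " + s for s in sorted(self.candidate - active)]
        removed = ["- " + s for s in sorted(active - self.candidate)]
        return added + removed

    def commit(self):
        """Activate the candidate; what was active becomes rollback 1."""
        if self.candidate == self.history[0]:
            return False                 # nothing to commit
        self.history.insert(0, set(self.candidate))
        del self.history[MAX_ROLLBACKS:]
        return True

    def rollback(self, n=0):
        """'rollback n' only loads rollback file n into the candidate;
        the running configuration does not change until the next commit."""
        if not 0 <= n < len(self.history):
            raise ValueError("no rollback %d" % n)
        self.candidate = set(self.history[n])

    def active(self):
        return set(self.history[0])


def uncommitted_changes_case():
    """The question above: edits made, nothing committed, discard them."""
    dev = JunosConfigModel(BASE)
    dev.set(BAD)
    dev.delete("set system name-server 202.106.0.20")
    pending = dev.show_compare()         # two lines: one '+', one '-'
    dev.rollback(0)                      # candidate := active config
    return pending, dev.show_compare(), dev.active() == set(BASE)


def committed_changes_case():
    """The follow-up: the change was committed, so it takes rollback 1 plus commit."""
    dev = JunosConfigModel(BASE)
    dev.set(BAD)
    dev.commit()
    live_after_commit = BAD in dev.active()          # True
    dev.rollback(1)
    live_after_rollback = BAD in dev.active()        # still True: not committed yet
    dev.commit()
    live_after_second_commit = BAD in dev.active()   # False
    return live_after_commit, live_after_rollback, live_after_second_commit
```

On a real SRX the equivalent check is `show | compare` before and after `rollback 0`; the second case is why a plain `rollback 1` is not enough on its own.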

Juniper SRX firewall NAT configuration

Reposted from https://www.cnblogs.com/networking/p/4694469.html

I. Basic operations

1. Restore factory defaults (a root password must be set before the commit is accepted)

root# load factory-default

root# set system root-authentication plain-text-password

root# commit

root> request system reboot

2. Basic configuration

2.1 Set the hostname

root# set system host-name SRX1400

2.2 Set the time zone

root@SRX1400# set system time-zone Asia/Shanghai

2.3 Set the time (operational-mode command, run from configure mode with run; format YYYYMMDDhhmm.ss)

root@SRX1400# run set date 201508011549.21

2.4 Set DNS

root@SRX1400# set system name-server 202.106.0.20

2.5 Set an interface IP address

root@SRX1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24

2.6 Set the default route

root@SRX1400# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254

2.7 Create a login user

root@SRX1400# set system login user admin class super-user authentication plain-text-password

2.8 Create a security zone

root@SRX1400# set security zones security-zone untrust

2.9 Add the interface to the zone

root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0

2.10 Allow ICMP on a traffic interface

root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

Note: by default, traffic interfaces (everything except the management port) do not answer ping; ICMP has to be allowed explicitly with host-inbound-traffic. The same statement controls every service the firewall itself accepts on that interface (ssh, https, and so on), so allow only what the interface really needs, especially on untrust.

II. Juniper SRX NAT

1. NAT types

1.1 Source NAT: interface

1.2 Source NAT: pool

1.3 Destination NAT

1.4 Static NAT

2. Configuration examples

2.1 Interface-based source NAT

root@SRX1400# set security nat source rule-set 1 from zone trust

root@SRX1400# set security nat source rule-set 1 to zone untrust

root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat interface

Default policy. NAT rules only rewrite addresses; traffic still has to be permitted by a security policy. The factory-default configuration already contains this trust-to-untrust policy:

policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

2.2 Pool-based source NAT (an alternative to 2.1 in the same rule-set: configure either source-nat interface or source-nat pool, not both)

root@SRX1400# set security nat source pool isp address 10.0.0.20/32 to 10.0.0.30/32

root@SRX1400# set security nat source rule-set 1 from zone trust

root@SRX1400# set security nat source rule-set 1 to zone untrust

root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat pool isp

root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20/32 to 10.0.0.30/32

Proxy ARP takes the logical interface (ge-0/0/0.0, not ge-0/0/0). It is needed because the pool addresses sit in the ge-0/0/0 subnet but are not configured on the interface; without it the upstream router gets no ARP reply for the translated addresses and return traffic is dropped.

2.3 Destination NAT configuration

root@SRX1400# set security nat destination pool dst-nat-pool-1 address 172.16.1.1/32 port 80

root@SRX1400# set security nat destination rule-set rs1 from zone untrust

root@SRX1400# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32 destination-port 80

root@SRX1400# set security nat destination rule-set rs1 rule 1 then destination-nat pool dst-nat-pool-1

root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@SRX1400# set security address-book global address web 172.16.1.1/32

root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address web application any

root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit

root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny

The pool address and port go in one statement (a separate "address port 80" line is not valid syntax). The destination-port 80 match is added here so that only web traffic is rewritten; without it every port sent to 10.0.0.100 is redirected to 172.16.1.1:80. The security policy matches the translated address (web, 172.16.1.1), because destination NAT is applied before the policy lookup. The insert command only succeeds if a policy named default-deny already exists in the untrust-to-trust context; otherwise use the name of the policy that should come after web.

2.4 Static NAT configuration

root@SRX1400# set security nat static rule-set rs1 from zone untrust

root@SRX1400# set security nat static rule-set rs1 rule r1 match destination-address 10.0.0.100/32

root@SRX1400# set security nat static rule-set rs1 rule r1 then static-nat prefix 172.16.1.1/32

root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@SRX1400# set security address-book global address web 172.16.1.1/32

root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address web application any

root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit

root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny

Static NAT is a one-to-one, all-ports mapping and works in both directions: traffic from 172.16.1.1 towards untrust also leaves with source 10.0.0.100. It still permits nothing by itself; the security policy above is what exposes the host, so restrict its application list to the services that must be reachable rather than leaving it at any.
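The following is an added example, not from the article or from Juniper: an offline lint over Junos set-format NAT and policy statements that catches the kinds of mistakes corrected in sections 2.2, 2.3 and 2.4 above (an address range with a malformed address, proxy-arp on a physical instead of a logical interface, a destination pool with "address port" and no prefix, a rule that uses a port-rewriting pool without matching a destination port, a truncated policy line, a missing policy keyword, a repeated match keyword, and an insert that targets a policy that is not defined). SAMPLE is a constructed configuration that deliberately contains those errors; the finding codes are this example's own names.

```python
"""Offline lint for Junos set-format NAT and policy snippets, written as an
added example (it is not Juniper tooling). SAMPLE is a constructed config
that reproduces the mistakes corrected in the NAT sections above."""
import ipaddress
import re

SAMPLE = """\
set security nat source pool isp address 10.0.0.20 to 10.0.30
set security nat source rule-set 1 rule rule1 then source-nat pool isp
set security nat proxy-arp interface ge-0/0/0 address 10.0.0.20 to 10.0.0.30
set security nat destination pool dst-nat-pool-1 address 172.16.1.1/32
set security nat destination pool dst-nat-pool-1 address port 80
set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32
set security nat destination rule-set rs1 rule 1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
set security policies from-zone untrust to-zone trust policy web match source-address any
set security policies from-zone untrust to-zone trust policy web match destination-address web match application any
set security policies from-zone untrust to-zone trust policy
set security policies from-zone untrust to-zone trust policy web then permit
insert security policies from-zone untrust to-zone trust policy web before policy default-deny
set security policies from-zone untrust to-zone untrust web match source-address any destination-address web application any
"""


def _ip(tok):
    """Address token with or without /prefix -> IP address object, or None if invalid."""
    try:
        return ipaddress.ip_address(tok.split("/")[0])
    except ValueError:
        return None


def lint(text):
    """Return (line number, code, detail) findings for each suspect statement."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    pools, policies, rules = {}, set(), {}
    # Pass 1: collect NAT pools, defined security policy names and DNAT rules.
    for n, ln in enumerate(lines, 1):
        m = re.match(r"set security nat (source|destination) pool (\S+)", ln)
        if m:
            pools.setdefault((m[1], m[2]), set()).update(ln.split()[6:])
        m = re.search(r"to-zone \S+ policy (\S+)", ln)
        if m:
            policies.add(m[1])
        m = re.match(r"set security nat destination rule-set (\S+) rule (\S+) (match|then) (.*)", ln)
        if m:
            rules.setdefault((m[1], m[2]), {"line": n})[m[3]] = m[4]
    # Pass 2: per-line checks.
    for n, ln in enumerate(lines, 1):
        toks = ln.split()
        if "proxy-arp" in toks and "." not in toks[toks.index("interface") + 1]:
            findings.append((n, "PROXY_ARP_PHYSICAL", "proxy-arp needs a logical interface (ge-x/y/z.0)"))
        m = re.search(r"\baddress (\S+) to (\S+)$", ln)
        if m:
            lo, hi = _ip(m[1]), _ip(m[2])
            if lo is None or hi is None:
                findings.append((n, "BAD_ADDRESS", ln))
            elif lo > hi:
                findings.append((n, "RANGE_REVERSED", ln))
        if re.search(r"\baddress port \d+", ln):
            findings.append((n, "PORT_WITHOUT_PREFIX", "use 'address <prefix> port <n>'"))
        m = re.search(r"then (source|destination)-nat pool (\S+)", ln)
        if m and (m[1], m[2]) not in pools:
            findings.append((n, "UNDEFINED_POOL", m[2]))
        if toks[0] == "set" and toks[-1] == "policy":
            findings.append((n, "TRUNCATED_POLICY", ln))
        m = re.search(r"to-zone \S+ (\S+)", ln)
        if m and m[1] != "policy":
            findings.append((n, "MISSING_POLICY_KEYWORD", m[1]))
        m = re.match(r"insert .* before policy (\S+)", ln)
        if m and m[1] not in policies:
            findings.append((n, "INSERT_TARGET_UNDEFINED", m[1]))
        if ln.count(" match ") > 1:
            findings.append((n, "REPEATED_MATCH", ln))
    # Pass 3: a DNAT pool that rewrites the port should only be reached by a
    # rule that matches destination-port; otherwise every port is redirected.
    for r in rules.values():
        pm = re.search(r"pool (\S+)", r.get("then", ""))
        if pm and "port" in pools.get(("destination", pm[1]), ()) \
                and "destination-port" not in r.get("match", ""):
            findings.append((r["line"], "DNAT_PORT_NO_MATCH", pm[1]))
    return findings


if __name__ == "__main__":
    for n, code, detail in lint(SAMPLE):
        print("line %2d  %-24s %s" % (n, code, detail))
```

Run it over a set-format export (`show configuration | display set`) before a bulk load; the device's own commit check still has the final word on syntax, but these checks also catch the semantic slips, such as the missing destination-port match, that commit accepts without complaint.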
