NS-5GT: Unable to Log In via the Web Interface

Author: Cisco Training  Source: from the web  Published: 09-12-15

Student question:

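The NS5GT cannot be managed from the web interface; web management only works after restoring the factory defaults. There are two public IPs: one is used for the internal network's Internet access and the other for the web server, which is published with a MIP. Once everything has been configured, the firewall can no longer be managed via the web. I cannot log in from IE and can only use Telnet to configure it through the CLI, and I am not very familiar with the CLI. How can I solve this?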


Below is the output of get config, get system and get event:

ns5gt-> get config all
Total Config size 4290:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "3389" + udp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "juniper10823"
set admin password "nBv2PhrEKaK5434dfsdhf5JcfyI1smCcaHtb2LuSn"
set admin manager-ip 192.168.1.1 255.255.255.0
set admin port 1234
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust nat
set interface untrust ip 222.242.***.**/24
set interface untrust route
set interface untrust gateway 222.242.***.**
set interface trust mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 192.168.1.3
unset interface trust ip manageable
set interface untrust ip manageable
set interface trust manage ping
unset interface trust manage ssh
set interface trust manage telnet
unset interface trust manage snmp
unset interface trust manage ssl
set interface trust manage web
unset interface trust manage ident-reset
set interface trust manage mtrace
unset interface untrust manage ping
unset interface untrust manage ssh
unset interface untrust manage telnet
unset interface untrust manage snmp
unset interface untrust manage ssl
unset interface untrust manage web
unset interface untrust manage ident-reset
set interface vlan1 manage ping
set interface vlan1 manage ssh
set interface vlan1 manage telnet
set interface vlan1 manage snmp
set interface vlan1 manage ssl
set interface vlan1 manage web
unset interface vlan1 manage ident-reset
set zone V1-Trust manage ping
set zone V1-Trust manage ssh
set zone V1-Trust manage telnet
set zone V1-Trust manage snmp
set zone V1-Trust manage ssl
set zone V1-Trust manage web
unset zone V1-Trust manage ident-reset
unset zone V1-Untrust manage ping
unset zone V1-Untrust manage ssh
unset zone V1-Untrust manage telnet
unset zone V1-Untrust manage snmp
unset zone V1-Untrust manage ssl
unset zone V1-Untrust manage web
unset zone V1-Untrust manage ident-reset
set interface untrust vip untrust 3389 "3389" 192.168.1.8
set interface "untrust" mip 222.242.***.** host 192.168.1.2 netmask 255.255.255.255 vrouter "trust-vr"
set interface "trust" webauth
set flow tcp-mss
unset flow tcp-syn-check
set console timeout 0
set hostname ns5gt
set dns host dns1 222.246.129.81
set dns host dns2 59.51.78.211
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "MIP(222.242.***.**)" "HTTP" permit
set policy id 3
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set dl-buf size 8986977
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ns5gt->

ns5gt-> get system
Product Name: NetScreen-5GT
Serial Number: 0064022004006415, Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0-up.0, Type: Firewall+VPN
Base Mac: 0010.db64.cc80
File Name: ns5gt.5.3.0-up.0, Checksum: 2afa16b7


Date 12/13/2009 10:37:43, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 189 hours 32 minutes 59 seconds Since 5 Dec 2009 13:04:44
Total Device Resets: 26, Last Device Reset at: 12/22/2008 11:08:44

Box in trust-untrust mode

System in NAT/route mode.

Use interface IP, Config Port: 1234
Mng Host IP: 192.168.1.1/255.255.255.0
User Name: juniper10823

Interface trust:
  number 2, if_info 176, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 1500
  ip 192.168.1.1/24   mac 0010.db64.cc82
  manage ip 192.168.1.3, mac 0010.db64.cc82
  route-deny disable
Interface untrust:
  number 1, if_info 88, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  *ip 222.242.***.**/24   mac 0010.db64.cc81
  gateway 222.242.***.**
  *manage ip 222.242.***.**, mac 0010.db64.cc81
  route-deny disable
Interface serial:
  number 6, if_info 528, if_index 0, mode route
  link down, phy-link down
  vsys Root, zone Null, vr untrust-vr
  *ip 0.0.0.0/0   mac 0010.db64.cc86


ns5gt-> get event
Total event entries = 2155
Date       Time     Module Level  Type Description
2009-12-12 10:39:43 system notif 00767 Event log was reviewed by admin
                                       juniper10823.
2009-12-12 10:36:04 system notif 00767 Event log was reviewed by admin
                                       juniper10823.
2009-12-12 10:34:58 system notif 00767 Traffic log was reviewed by admin
                                       juniper10823.
2009-12-12 10:32:58 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:1085
2009-12-12 10:02:58 system warn  00515 Admin user juniper10823 has logged out
                                       via Telnet from 192.168.1.2:3574
2009-12-12 10:02:58 system info  00767 Lock configuration ended by task
                                       telnet-cmd:9
2009-12-12 10:02:14 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:3574
2009-12-12 10:02:02 system warn  00515 Login attempt to system by admin
                                       juniper10823 via Telnet from 192.168.1.2
                                       3574 has failed (Incorrect password)
2009-12-12 10:01:44 system warn  00515 Admin user juniper10823 has logged out
                                       via Telnet from 192.168.1.2:3568
2009-12-12 10:01:44 system info  00767 Lock configuration ended by task
                                       telnet-cmd:8
2009-12-12 10:01:41 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:8 from host
                                       192.168.1.2:3568 by juniper10823
2009-12-12 10:01:34 system info  00002 Admin password for account
                                       'juniper10823' has been modified by
                                       juniper10823 via telnet-cmd:8 from host
                                       192.168.1.2:3568
2009-12-12 10:00:50 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:3568
2009-12-12 01:50:54 system notif 00767 SIP parser error Message: Cannot find
                                       CRLF
2009-12-10 11:51:05 system crit  00051 Session utilization has reached 1857,
                                       which is 90% of the system capacity!
2009-12-10 06:55:16 system emer  00006 Teardrop attack! From 192.168.1.115:
                                       3481 to 222.242.***.**:80, proto TCP
                                       (zone Untrust, int untrust). Occurred
                                       1 times.
2009-12-09 06:49:45 system info  00536 Rejected an IKE packet on untrust from
                                       24.16.114.96:62482 to 222.242.***.**:
                                       500 with cookies 714028ca57fd53cd and
                                       0000000000000000 because an initial
                                       Phase 1 packet arrived from an
                                       unrecognized peer gateway.
2009-12-06 14:07:35 system info  00536 Rejected an IKE packet on untrust from
                                       116.77.2.177:500 to 222.242.***.**:500
                                       with cookies 9b9dc8e27d96f16e and
                                       0000000000000000 because an initial
                                       Phase 1 packet arrived from an
                                       unrecognized peer gateway.
2009-12-06 13:27:50 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:4 from host
                                       192.168.1.2:1424 by juniper10823
2009-12-06 13:27:47 system info  00002 HTTP port has been changed from 80 to
                                       1234 by juniper10823 via telnet-cmd:4
                                       from host 192.168.1.2:1424
2009-12-06 13:23:59 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:4 from host
                                       192.168.1.2:1424 by juniper10823
2009-12-06 13:09:18 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:4 from host
                                       192.168.1.2:1424 by juniper10823
2009-12-06 13:09:15 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:4 from host
                                       192.168.1.2:1424 by juniper10823
2009-12-06 13:09:12 system notif 00003 The console timeout value changed from
                                       10 to 0 minutes
2009-12-06 13:07:44 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:1424
2009-12-06 12:53:40 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:3 from host
                                       192.168.1.2:1185 by juniper10823
2009-12-06 12:53:32 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:1185
2009-12-06 12:35:09 system crit  00023 VIP server 192.168.1.8 cannot be
                                       contacted.
2009-12-06 12:35:07 system notif 00016 VIP (222.242.***.**:3389 3389
                                       192.168.1.8) New by juniper10823 via
                                       telnet-cmd:2 from host 192.168.1.2:
                                       4734
2009-12-06 12:31:46 system info  00767 System configuration saved by
                                       juniper10823 via telnet-cmd:2 from host
                                       192.168.1.2:4734 by juniper10823
2009-12-06 12:31:13 system notif 00012 Service 3389 has been modified by
                                       juniper10823 via telnet-cmd:2 from host
                                       192.168.1.2:4734
2009-12-05 13:05:46 system notif 00029 DNS has been refreshed.
2009-12-05 13:05:30 system warn  00515 Admin user juniper10823 has logged on
                                       via Telnet from 192.168.1.2:2157
2009-12-05 13:05:05 system notif 00029 DNS has been refreshed.
2009-12-05 13:05:05 system info  00004 DNS entries have been refreshed by HA.
2009-12-05 13:04:52 system info  00551 Rapid Deployment cannot start because
                                       gateway has undergone configuration
                                       changes.
2009-12-05 13:04:52 system notif 00767 System was reset at 2009-12-05 13:03:
                                       21 by juniper10823
2009-12-05 13:04:52 system notif 00767 System is operational.
2009-12-05 13:04:46 system crit  00023 VIP server 192.168.1.8 cannot be
                                       contacted.
2009-12-05 13:04:46 system notif 00513 The physical state of interface
                                       untrust has changed to Up
2009-12-05 13:04:46 system notif 00513 The physical state of interface trust
                                       has changed to Up
Total entries matched = 2155

Answer from Jieying (捷盈) instructors and students:

set admin port 82
set int tru manage
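
To check which address, port and services a dump like the one above actually leaves open for management, the relevant `set`/`unset` lines can be parsed and summarized. This is an added example, not part of the original post or answer; the function names are hypothetical, and reading `manage-ip` / `ip manageable` as selecting which address answers management traffic is an assumption about ScreenOS behaviour.

```python
# Constructed sample: management-related lines copied from the `get config` dump above.
SAMPLE = """\
set admin manager-ip 192.168.1.1 255.255.255.0
set admin port 1234
set interface trust ip 192.168.1.1/24
set interface trust manage-ip 192.168.1.3
unset interface trust ip manageable
set interface trust manage telnet
set interface trust manage web
unset interface untrust manage web
"""

def audit(config):
    """Collect management-plane settings from ScreenOS `get config` text."""
    state = {"http_port": 80, "manager_ip": [], "ifaces": {}}
    for line in config.splitlines():
        w = line.replace('"', "").split()
        if len(w) < 4 or w[0] not in ("set", "unset"):
            continue
        on = w[0] == "set"
        if on and w[1:3] == ["admin", "port"]:
            state["http_port"] = int(w[3])
        elif on and w[1:3] == ["admin", "manager-ip"]:
            state["manager_ip"].append(" ".join(w[3:5]))
        elif w[1] == "interface" and len(w) >= 5:
            i = state["ifaces"].setdefault(w[2], {"services": set()})
            if w[3] == "manage":
                (i["services"].add if on else i["services"].discard)(w[4])
            elif w[3] == "manage-ip" and on:
                i["manage_ip"] = w[4]
            elif w[3:5] == ["ip", "manageable"]:
                i["ip_manageable"] = on
            elif w[3] == "ip" and on:
                i["ip"] = w[4].split("/")[0]
    return state

def web_endpoints(state):
    """WebUI URLs implied by the config (assumed reading of manage-ip / ip manageable)."""
    urls = []
    for _, i in sorted(state["ifaces"].items()):
        ip = i.get("ip") if i.get("ip_manageable") is not False else None
        if "web" in i["services"]:
            urls += [f"http://{a}:{state['http_port']}/" for a in (i.get("manage_ip"), ip) if a]
    return urls

def cleartext_only(state):
    """(interface, service) pairs where telnet/web is on but ssh/ssl is off."""
    pairs = {"telnet": "ssh", "web": "ssl"}
    return sorted((n, p) for n, i in state["ifaces"].items() for p, e in pairs.items()
                  if p in i["services"] and e not in i["services"])
```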