  1. ## Last commit: 2025-03-11 16:48:12 CDT by me
  /* Junos release this configuration was committed under. */
  2. version 23.4R2-S3.9;
  /* Per-node settings for the two chassis-cluster members: the hostname and
     the fxp0 out-of-band management address of each node. The groups are not
     applied as written; apply-groups "${node}" below selects the one that
     matches the local node at commit time. */
  3. groups {
  4. node0 {
  5. system {
  6. host-name MDCBR-Test-0;
  7. }
  8. interfaces {
  9. fxp0 {
  10. unit 0 {
  11. family inet {
  12. address 10.0.10.1/24;
  13. }
  14. }
  15. }
  16. }
  17. }
  18. node1 {
  19. system {
  20. host-name MDCBR-Test-1;
  21. }
  22. interfaces {
  23. fxp0 {
  24. unit 0 {
  25. family inet {
  26. address 10.0.10.2/24;
  27. }
  28. }
  29. }
  30. }
  31. }
  32. }
  /* "${node}" expands to node0 or node1 on each member, so only that member's
     group above is merged into the active configuration. */
  33. apply-groups "${node}";
  /* System-level settings: local/remote authentication, login classes and
     template users, legal banner, management services, DNS, RADIUS (auth and
     accounting), syslog, licensing, NTP. */
  34. system {
  /* Root password hash is blanked in this export (SECRET-DATA); an empty value
     here reflects the paste, not necessarily the device. */
  35. root-authentication {
  36. encrypted-password ""; ## SECRET-DATA
  37. }
  38. login {
  /* Brute-force throttling for interactive logins: disconnect after 3 failed
     tries, start backing off after the 2nd, then lock the account out for 5
     (minutes). */
  39. retry-options {
  40. tries-before-disconnect 3;
  41. backoff-threshold 2;
  42. lockout-period 5;
  43. }
  /* Read-only class for remotely authenticated users; 10-minute idle timeout. */
  44. class read-only-remote {
  45. idle-timeout 10;
  46. login-alarms;
  47. permissions [ view view-configuration ];
  48. }
  /* NOTE(review): this class carries the 'secret' permission, so its members
     can read SECRET-DATA values (RADIUS secrets, password hashes) through the
     allowed "show configuration | display set | no-more" command. If the
     service accounts only need power-off and a config dump, drop 'secret'
     unless exposing those secrets is intended. */
  49. class service-accounts {
  50. idle-timeout 1;
  51. login-alarms;
  52. permissions [ secret view view-configuration ];
  53. allow-commands "(request system power-off.*|show configuration \| display set \| no-more)";
  54. }
  /* Full-privilege classes: the local one has no idle timeout, the remote one
     times out after 10 minutes. */
  55. class super-user-local {
  56. login-alarms;
  57. permissions all;
  58. }
  59. class super-user-remote {
  60. idle-timeout 10;
  61. login-alarms;
  62. permissions all;
  63. }
  /* 'admin' is the only account with a local credential (hash blanked in this
     export). The three remote-* users carry no authentication stanza and are
     presumably RADIUS template accounts that authenticated users are mapped
     to; their full-name fields name the directory groups — confirm on the
     RADIUS side. */
  64. user admin {
  65. full-name Administrator;
  66. uid 2000;
  67. class super-user-local;
  68. authentication {
  69. encrypted-password ""; ## SECRET-DATA
  70. }
  71. }
  72. user remote-admin {
  73. full-name ENT-SEC-NetworkAdmins-G;
  74. uid 2001;
  75. class super-user-remote;
  76. }
  77. user remote-read-only {
  78. full-name ENT-SEC-ITUsers-G;
  79. uid 2002;
  80. class read-only-remote;
  81. }
  82. user service-accounts {
  83. full-name ENT-SEC-NetworkServiceAccounts-G;
  84. uid 2003;
  85. class service-accounts;
  86. }
  /* Pre-login legal banner; the \n sequences are rendered as line breaks. */
  87. message "\n########################################################################\n# THIS SYSTEM IS RESTRICTED TO AUTHORIZED USAGE! #\n# #\n# Unauthorized usage will be subject to criminal penalties, fines, #\n# damages and/or disciplinary action. If you are not authorized to use #\n# this system, you must exit immediately. If you are authorized to #\n# use this system, you must do so in compliance with all laws, #\n# regulations, conduct rules, and company security policies applicable #\n# to this system. This system, including any hardware components, #\n# software, workstations, and storage spaces is subject to monitoring #\n# and search without advanced notice. Users should have no expectation #\n# of privacy in their use of any aspect of this system. #\n########################################################################\n\n";
  88. }
  /* Management services. NETCONF is staged but inactive. SSH is restricted
     (no root login, protocol v2 only, 2 sessions per connection, 5 connections)
     and also serves SFTP. */
  89. services {
  90. inactive: netconf {
  91. ssh;
  92. }
  93. ssh {
  94. root-login deny;
  95. protocol-version v2;
  96. max-sessions-per-connection 2;
  97. sftp-server;
  98. connection-limit 5;
  99. }
  /* NOTE(review): Telnet carries credentials in cleartext. The Protect-RE
     filter has a term limiting it to 10.20.10.3/32, but that filter is
     currently inactive on lo0.0 (see interfaces lo0), and no zone except
     Infra-Network ('all') lists telnet in host-inbound-traffic, so today's
     exposure depends on paths that bypass zone checks (e.g. fxp0). Prefer
     removing this stanza and using SSH. */
  100. telnet {
  101. connection-limit 2;
  102. }
  /* On-box DHCP server for the two user WLAN subnets (reth1.1681 untrusted
     guests, reth0.1682 IT admins); the pools live under access
     address-assignment. The factory jdhcp-group on irb.0 is inactive. */
  103. dhcp-local-server {
  104. group EXT-User-Untrust-WLAN {
  105. interface reth1.1681;
  106. }
  107. group INT-User-IT-Admins-WLAN {
  108. interface reth0.1682;
  109. }
  110. inactive: group jdhcp-group {
  111. interface irb.0;
  112. }
  113. }
  /* NOTE(review): J-Web over HTTPS with a device-generated self-signed
     certificate, which clients cannot validate. A Lets_Encrypt CA profile
     with ACME enrollment exists under security pki and could supply a trusted
     certificate; otherwise disable J-Web if it is not used. */
  114. web-management {
  115. https {
  116. system-generated-certificate;
  117. }
  118. }
  119. }
  120. auto-snapshot;
  121. domain-name mgmt.mdc.com;
  122. domain-search [ mgmt.mdc.com wlc.mdc.com ad.mdc.com mdc.com ];
  123. time-zone America/Chicago;
  /* Moves fxp0 into the dedicated management routing instance. */
  124. management-instance;
  /* NOTE(review): with only 'radius' listed, the local password database is
     consulted only when no RADIUS server responds, not when RADIUS rejects a
     login — confirm this is the intended fallback path for 'admin'. */
  125. authentication-order radius;
  /* Internal resolvers, queried from the loopback address; the public Google
     resolvers are retained but inactive. */
  126. name-server {
  127. inactive: 8.8.8.8;
  128. inactive: 8.8.4.4;
  129. 10.20.11.1 source-address 10.255.255.100;
  130. 10.20.11.2 source-address 10.255.255.100;
  131. }
  /* RADIUS authentication servers (shared secrets blanked in this export),
     reached from the loopback with a 2-second timeout each. */
  132. radius-server {
  133. 10.20.11.1 {
  134. secret ""; ## SECRET-DATA
  135. timeout 2;
  136. source-address 10.255.255.100;
  137. }
  138. 10.20.11.2 {
  139. secret ""; ## SECRET-DATA
  140. timeout 2;
  141. source-address 10.255.255.100;
  142. }
  143. }
  /* RADIUS accounting of logins, configuration changes and every interactive
     command, to the same two servers. */
  144. accounting {
  145. events [ login change-log interactive-commands ];
  146. destination {
  147. radius {
  148. server {
  149. 10.20.11.1 {
  150. secret ""; ## SECRET-DATA
  151. source-address 10.255.255.100;
  152. }
  153. 10.20.11.2 {
  154. secret ""; ## SECRET-DATA
  155. source-address 10.255.255.100;
  156. }
  157. }
  158. }
  159. }
  160. }
  /* Logging. Remote: 10.20.10.4 receives only the firewall facility (the
     same host takes the security log stream), 10.20.10.9 receives everything
     at info and above minus the noise pattern in 'match'. Local files are
     split by severity and by event type. NOTE(review): remote syslog here is
     unencrypted, and the same exclusion pattern is repeated five times below —
     keep the copies in sync when it changes. */
  161. syslog {
  162. archive {
  163. size 100k;
  164. files 3;
  165. }
  166. user * {
  167. any emergency;
  168. }
  169. host 10.20.10.4 {
  170. firewall any;
  171. }
  172. host 10.20.10.9 {
  173. any info;
  174. match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|exited, status 255|tvp_drv_syspld_read|MAIL)";
  175. }
  176. file alert {
  177. any alert;
  178. }
  /* Every CLI command line entered. */
  179. file commands {
  180. any info;
  181. match UI_CMDLINE_READ_LINE;
  182. archive {
  183. size 1m;
  184. files 1;
  185. }
  186. }
  187. file critical {
  188. any critical;
  189. }
  190. file default-log-message {
  191. any any;
  192. match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|exited, status 255|tvp_drv_syspld_read|MAIL)";
  193. }
  194. file emergency {
  195. any emergency;
  196. }
  197. file error {
  198. any error;
  199. }
  /* Flow logs for sessions whose destination is the device itself
     (RT_FLOW ... junos-host), kept in structured-data format. */
  200. file host-inbound {
  201. any any;
  202. match RT_FLOW.*junos-host;
  203. structured-data;
  204. }
  205. file info {
  206. any info;
  207. match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|exited, status 255|tvp_drv_syspld_read|MAIL)";
  208. }
  209. file interactive-commands {
  210. interactive-commands any;
  211. archive {
  212. size 2m;
  213. files 3;
  214. }
  215. }
  /* Authentication audit trail: login/auth events and SSH login failures. */
  216. file login {
  217. any info;
  218. match "(UI_AUTH_EVENT|UI_LOGIN_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT)";
  219. archive {
  220. size 1m;
  221. files 1;
  222. }
  223. }
  224. file messages {
  225. any critical;
  226. authorization any;
  227. match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|exited, status 255|tvp_drv_syspld_read|MAIL)";
  228. archive {
  229. size 2m;
  230. files 5;
  231. }
  232. explicit-priority;
  233. }
  234. file notice {
  235. any notice;
  236. match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|exited, status 255|tvp_drv_syspld_read|MAIL)";
  237. }
  238. file snapshot {
  239. archive {
  240. size 2m;
  241. files 1;
  242. }
  243. }
  244. file syslog-event-daemon-info {
  245. daemon info;
  246. match "exited, status 255";
  247. }
  248. }
  249. max-configurations-on-flash 5;
  250. max-configuration-rollbacks 5;
  /* Automatic license retrieval from Juniper over HTTPS (an RE-initiated
     session; relevant if the Protect-RE filter is re-activated). */
  251. license {
  252. autoupdate {
  253. url https://ae1.juniper.net/junos/key_retrieval;
  254. }
  255. }
  /* Two external time servers (132.163.96.0/30 is admitted by Protect-RE).
     NOTE(review): no authentication-key is configured, so time is accepted
     unauthenticated. */
  256. ntp {
  257. server 132.163.96.1;
  258. server 132.163.96.2;
  259. }
  /* Zero-touch phone-home retained but disabled. */
  260. inactive: phone-home {
  261. server https://redirect.juniper.net;
  262. rfc-compliant;
  263. }
  264. }
  /* Chassis-cluster (two-node HA) layout: 4 redundant Ethernet interfaces,
     node0 preferred for both redundancy groups, RG1 preempts back to node0. */
  265. chassis {
  /* The CONFIG/RESET button cannot be used to wipe the configuration. */
  266. config-button no-clear;
  267. aggregated-devices {
  268. ethernet {
  269. device-count 1;
  270. }
  271. }
  272. inactive: auto-image-upgrade;
  273. cluster {
  274. reth-count 4;
  275. network-management {
  276. cluster-master;
  277. }
  278. redundancy-group 0 {
  279. node 0 priority 254;
  280. node 1 priority 1;
  281. }
  282. redundancy-group 1 {
  283. node 0 priority 254;
  284. node 1 priority 1;
  285. preempt;
  286. gratuitous-arp-count 4;
  /* NOTE(review): interface-monitor is inactive, so RG1 does not fail over
     when these reth member ports lose link; failover happens only on node
     failure or manual request. Confirm this is intended. */
  287. inactive: interface-monitor {
  288. ge-0/0/3 weight 255;
  289. ge-0/0/4 weight 255;
  290. ge-0/0/5 weight 255;
  291. ge-0/0/6 weight 255;
  292. ge-0/0/7 weight 255;
  293. }
  294. }
  295. }
  296. }
  /* Security plane: traffic-log streaming, PKI, IKE/IPsec proposals, address
     and URL objects, UTM web filtering, screens, source NAT, policies, zones. */
  297. security {
  /* Streams security (RT_FLOW etc.) logs in structured-syslog format to
     10.20.10.4:514 from the loopback address. */
  298. log {
  299. cache;
  300. mode stream;
  301. format sd-syslog;
  302. stream MDCLX7310-IDR1 {
  303. severity info;
  304. format sd-syslog;
  305. category all;
  306. host {
  307. 10.20.10.4;
  308. port 514;
  309. }
  310. source-address 10.255.255.100;
  311. }
  312. }
  /* Trust anchor for Let's Encrypt plus an ACME enrollment profile. Nothing in
     this excerpt consumes the resulting certificate (J-Web still uses a
     self-signed one). */
  313. pki {
  314. ca-profile ISRG_Root_X1 {
  315. ca-identity ISRG_Root_X1;
  316. pre-load;
  317. }
  318. ca-profile Lets_Encrypt {
  319. ca-identity Lets_Encrypt;
  320. enrollment {
  321. url https://acme-v02.api.letsencrypt.org/directory;
  322. }
  323. }
  324. }
  /* IKE (phase 1) proposals, all pre-shared-key based. No 'ike gateway' or
     'ipsec vpn' stanza appears in this excerpt, so which proposals are
     actually referenced cannot be confirmed here.
     NOTE(review): pre-g2-3des-md5 (3DES, MD5, 1024-bit DH group 2) and the
     SHA-1/group-2 proposal are legacy strength — retire them if unused.
     Names do not match contents in two places: pre-g2-aes256-sha256 uses
     dh-group group5, and pre-g20-aes128cbc-sha256 uses aes-256-cbc, which
     makes it identical to pre-g20-aes256cbc-sha256. */
  325. ike {
  326. proposal pre-g2-3des-md5 {
  327. authentication-method pre-shared-keys;
  328. dh-group group2;
  329. authentication-algorithm md5;
  330. encryption-algorithm 3des-cbc;
  331. lifetime-seconds 28800;
  332. }
  333. proposal pre-g2-aes256-sha1 {
  334. authentication-method pre-shared-keys;
  335. dh-group group2;
  336. authentication-algorithm sha1;
  337. encryption-algorithm aes-256-cbc;
  338. lifetime-seconds 86400;
  339. }
  340. proposal pre-g2-aes256-sha256 {
  341. authentication-method pre-shared-keys;
  342. dh-group group5;
  343. authentication-algorithm sha-256;
  344. encryption-algorithm aes-256-cbc;
  345. lifetime-seconds 86400;
  346. }
  347. proposal pre-g20-aes128cbc-sha384 {
  348. authentication-method pre-shared-keys;
  349. dh-group group20;
  350. authentication-algorithm sha-384;
  351. encryption-algorithm aes-128-cbc;
  352. lifetime-seconds 86400;
  353. }
  354. proposal pre-g20-aes128cbc-sha256 {
  355. authentication-method pre-shared-keys;
  356. dh-group group20;
  357. authentication-algorithm sha-256;
  358. encryption-algorithm aes-256-cbc;
  359. lifetime-seconds 86400;
  360. }
  361. proposal pre-g20-aes256cbc-sha256 {
  362. authentication-method pre-shared-keys;
  363. dh-group group20;
  364. authentication-algorithm sha-256;
  365. encryption-algorithm aes-256-cbc;
  366. lifetime-seconds 86400;
  367. }
  368. }
  /* IPsec (phase 2, ESP) proposals. The pfs/nopfs prefix is only a label —
     perfect-forward-secrecy is set on the IPsec policy, not in a proposal.
     NOTE(review): nopfs-esp-3des-md5 and the two HMAC-SHA1 proposals are
     legacy strength; pfs-esp-aes256gcm is AEAD and needs no separate
     authentication-algorithm. */
  369. ipsec {
  370. proposal nopfs-esp-aes256-sha1 {
  371. protocol esp;
  372. authentication-algorithm hmac-sha1-96;
  373. encryption-algorithm aes-256-cbc;
  374. lifetime-seconds 28800;
  375. lifetime-kilobytes 4194303;
  376. }
  377. proposal nopfs-esp-3des-md5 {
  378. protocol esp;
  379. authentication-algorithm hmac-md5-96;
  380. encryption-algorithm 3des-cbc;
  381. lifetime-seconds 3600;
  382. }
  383. proposal nopfs-esp-aes128-sha_1 {
  384. protocol esp;
  385. authentication-algorithm hmac-sha1-96;
  386. encryption-algorithm aes-128-cbc;
  387. lifetime-seconds 3600;
  388. }
  389. proposal nopfs-esp-aes256-sha256 {
  390. protocol esp;
  391. authentication-algorithm hmac-sha-256-128;
  392. encryption-algorithm aes-256-cbc;
  393. lifetime-seconds 7200;
  394. }
  395. proposal pfs-esp-aes256gcm {
  396. protocol esp;
  397. encryption-algorithm aes-256-gcm;
  398. lifetime-seconds 3600;
  399. }
  400. proposal pfs-esp-aes192-cbc-sha256 {
  401. protocol esp;
  402. authentication-algorithm hmac-sha-256-128;
  403. encryption-algorithm aes-192-cbc;
  404. lifetime-seconds 3600;
  405. }
  406. proposal pfs-esp-aes-256cbc-sha256 {
  407. protocol esp;
  408. authentication-algorithm hmac-sha-256-128;
  409. encryption-algorithm aes-256-cbc;
  410. lifetime-seconds 7200;
  411. }
  412. }
  /* Global address objects: two AdGuard public resolvers, the two WLAN
     gateway addresses, and the two internal servers 10.20.11.1/2 (also the
     RADIUS and name servers under 'system'). */
  413. address-book {
  414. global {
  415. address EXT-ADGUARD_NET94-140-14_HOST32-14 94.140.14.14/32;
  416. address EXT-ADGUARD_NET94-140-14_HOST32_15-15 94.140.15.15/32;
  417. address G-W-INT-VLAN1681 192.168.1.254/32;
  418. address G-W-INT-VLAN1682 192.168.2.254/32;
  419. address INT-MDCMS8100 10.20.11.1/32;
  420. address INT-MDCMS8101 10.20.11.2/32;
  421. address-set S-AD-EXT_TRUSTED_DNS {
  422. address EXT-ADGUARD_NET94-140-14_HOST32-14;
  423. address EXT-ADGUARD_NET94-140-14_HOST32_15-15;
  424. }
  425. address-set S-AD-INT_TRUSTED_DNS {
  426. address INT-MDCMS8100;
  427. address INT-MDCMS8101;
  428. }
  429. }
  430. }
  /* Application-layer gateways disabled, including DNS. */
  431. alg {
  432. dns disable;
  433. msrpc disable;
  434. sunrpc disable;
  435. sip disable;
  436. talk disable;
  437. tftp disable;
  438. pptp disable;
  439. }
  /* On-box (juniper-local) web filtering. The URL patterns are grouped into
     three custom categories; profile MDC-WFP_Local permits by default and
     blocks those categories; engine failure or overload also blocks.
     NOTE(review): every pattern is written with an http:// prefix and the
     policy attaches the profile as an http-profile — confirm that HTTPS
     sessions to these sites are also matched, otherwise the block is
     bypassed by TLS. Document the intent of each list; the membership is not
     self-explanatory (e.g. an APM vendor under 'Advertising'). */
  440. utm {
  441. custom-objects {
  442. url-pattern {
  443. MDC-UP-Malicious_URLs {
  444. value [ http://*.gruanoaph.net http://*.shafiats.shop http://*.theglossonline.com http://*.insideoftech.com ];
  445. }
  446. MDC-UP-Forbidden_URLs {
  447. value [ http://*.eurogamer.net http://*.pcgamer.com http://*.tenorshare.com http://*.sweetbabyinc.com http://*.ign.com http://*.libertymutual.com http://*.pixiv.net http://*.epicgames.com ];
  448. }
  449. MDC-UP-Facebook_URLs {
  450. value [ http://*.facebook.com http://*.facebook.de http://*.facebook.fr http://*.facebook.net http://*.fb.com http://*.fb.me http://*.fbcdn.com http://*.fbcdn.net http://*.fbpigeon.com http://*.fbsbx.com http://*.fburl.com http://*.internet.org http://*.tfbnw.net http://*.thefacebook.com http://*.m.me http://*.messenger.com ];
  451. }
  452. MDC-UP-TikTok_URLs {
  453. value [ http://*.bytedance.com http://*.bytefcdn-oversea.com http://*.bytefcdn-ttpeu.com http://*.tiktok.com http://*.tiktok.in http://*.tiktok.org http://*.tiktokcdn.com http://*.tiktokd.org http://*.tiktokglobalshop.com http://*.tiktokmusic.app http://*.tiktokshop.com http://*.tiktokstaticb.com http://*.tiktokv.com http://*.tiktokv.eu http://*.tiktokv.us http://*.tiktokw.us ];
  454. }
  455. MDC-UP-Pinterest_URLs {
  456. value [ http://*.pin.it http://*.pinimg.com http://*.pinterest.ch http://*.pinterest.com http://*.pinterest.fr ];
  457. }
  458. MDC-UP-Snapchat_URLs {
  459. value [ http://*.snapchat.com http://*.snapchat.appspot.com http://*.sc-analytics.appspot.com http://*.feelinsonice-hrd.appspot.com http://*.feelinsonice.com ];
  460. }
  461. MDC-UP-Advertising_URLs {
  462. value [ http://*.doubleclick.net http://*.adnxs.com http://*.advertising.com http://*.adsrvr.org http://*.adroll.com http://*.criteo.com http://*.pubmatic.com http://*.openx.com http://*.adtech.de http://*.media.net http://*.rubiconproject.com http://*.exelator.com http://*.dynatrace.com http://*.quantcast.com ];
  463. }
  464. }
  465. custom-url-category {
  466. MDC-UC-Malicious_Websites {
  467. value MDC-UP-Malicious_URLs;
  468. }
  469. MDC-UC-Forbidden_Websites {
  470. value [ MDC-UP-Forbidden_URLs MDC-UP-Facebook_URLs MDC-UP-TikTok_URLs MDC-UP-Pinterest_URLs MDC-UP-Snapchat_URLs ];
  471. }
  472. MDC-UC-Advertising_Websites {
  473. value MDC-UP-Advertising_URLs;
  474. }
  475. }
  476. }
  /* Default web-filtering behaviour for traffic not covered by a profile:
     log and permit. */
  477. default-configuration {
  478. web-filtering {
  479. performance-mode;
  480. type juniper-local;
  481. juniper-local {
  482. default log-and-permit;
  483. }
  484. }
  485. }
  486. feature-profile {
  487. web-filtering {
  488. type juniper-local;
  489. juniper-local {
  490. profile MDC-WFP_Local {
  491. default permit;
  492. category {
  493. MDC-UC-Malicious_Websites {
  494. action block;
  495. }
  496. MDC-UC-Forbidden_Websites {
  497. action block;
  498. }
  499. MDC-UC-Advertising_Websites {
  500. action block;
  501. }
  502. }
  503. fallback-settings {
  504. default block;
  505. too-many-requests block;
  506. }
  507. }
  508. }
  509. }
  510. }
  511. utm-policy MDC-UTM-WF_Local {
  512. web-filtering {
  513. http-profile MDC-WFP_Local;
  514. }
  515. }
  516. }
  /* SYN cookies (rather than SYN proxy) for SYN-flood mitigation. */
  517. flow {
  518. syn-flood-protection-mode syn-cookie;
  519. }
  /* Screen (IDS) profiles: IDS-EXT for the guest WLAN, IDS-INT for internal
     zones, IDS-WAN (adds ip-sweep, port-scan and IPv6 header checks) for the
     Internet and DMZ sides. The factory 'untrust-screen' is kept inactive. */
  520. screen {
  521. ids-option IDS-EXT {
  522. icmp {
  523. ping-death;
  524. }
  525. ip {
  526. bad-option;
  527. record-route-option;
  528. timestamp-option;
  529. security-option;
  530. stream-option;
  531. spoofing;
  532. source-route-option;
  533. loose-source-route-option;
  534. strict-source-route-option;
  535. tear-drop;
  536. }
  537. tcp {
  538. syn-fin;
  539. fin-no-ack;
  540. tcp-no-flag;
  541. syn-frag;
  542. syn-flood {
  543. alarm-threshold 512;
  544. attack-threshold 200;
  545. source-threshold 4000;
  546. destination-threshold 4000;
  547. timeout 20;
  548. }
  549. land;
  550. winnuke;
  551. }
  552. udp {
  553. flood {
  554. threshold 1000;
  555. }
  556. }
  557. }
  558. ids-option IDS-INT {
  559. icmp {
  560. ping-death;
  561. }
  562. ip {
  563. source-route-option;
  564. tear-drop;
  565. }
  566. tcp {
  567. syn-flood {
  568. alarm-threshold 1024;
  569. attack-threshold 200;
  570. source-threshold 1024;
  571. destination-threshold 2048;
  572. timeout 20;
  573. }
  574. land;
  575. }
  576. }
  577. ids-option IDS-WAN {
  578. icmp {
  579. ip-sweep;
  580. flood threshold 1000;
  581. ping-death;
  582. icmpv6-malformed;
  583. }
  584. ip {
  585. bad-option;
  586. record-route-option;
  587. timestamp-option;
  588. security-option;
  589. stream-option;
  590. spoofing;
  591. source-route-option;
  592. loose-source-route-option;
  593. strict-source-route-option;
  594. tear-drop;
  595. ipv6-extension-header {
  596. hop-by-hop-header;
  597. }
  598. ipv6-malformed-header;
  599. }
  600. tcp {
  601. syn-fin;
  602. fin-no-ack;
  603. tcp-no-flag;
  604. syn-frag;
  605. port-scan;
  606. syn-ack-ack-proxy;
  607. syn-flood {
  608. alarm-threshold 512;
  609. attack-threshold 200;
  610. source-threshold 4000;
  611. destination-threshold 4000;
  612. timeout 20;
  613. }
  614. land;
  615. winnuke;
  616. }
  617. udp {
  618. flood {
  619. threshold 1000;
  620. }
  621. }
  622. }
  623. inactive: ids-option untrust-screen {
  624. icmp {
  625. ping-death;
  626. }
  627. ip {
  628. source-route-option;
  629. tear-drop;
  630. }
  631. tcp {
  632. syn-flood {
  633. alarm-threshold 1024;
  634. attack-threshold 200;
  635. source-threshold 1024;
  636. destination-threshold 2048;
  637. timeout 20;
  638. }
  639. land;
  640. }
  641. }
  642. }
  /* Interface (port-overloaded) source NAT: guest WLAN and admin/infra zones
     toward the Internet (EXT-WAN), and admin/infra toward the DMZ/ONT. The
     factory trust-to-untrust rule-set is inactive. Rule name
     'SPAT-EXT-User-Unturst' carries a typo (Untrust). */
  643. nat {
  644. source {
  645. inactive: rule-set trust-to-untrust {
  646. from zone trust;
  647. to zone untrust;
  648. rule source-nat-rule {
  649. match {
  650. source-address 0.0.0.0/0;
  651. }
  652. then {
  653. source-nat {
  654. interface;
  655. }
  656. }
  657. }
  658. }
  659. rule-set EXT-User-Untrust-to-EXT-WAN {
  660. from zone EXT-User-Untrust;
  661. to zone EXT-WAN;
  662. rule SPAT-EXT-User-Unturst {
  663. match {
  664. source-address 0.0.0.0/0;
  665. destination-address 0.0.0.0/0;
  666. }
  667. then {
  668. source-nat {
  669. interface;
  670. }
  671. }
  672. }
  673. }
  674. rule-set Infra-and-Admins-to-EXT-WAN {
  675. from zone [ INT-User-IT-Admins Infra-Network ];
  676. to zone EXT-WAN;
  677. rule SPAT-Infra-and-Admins-to-EXT-WAN {
  678. match {
  679. source-address 0.0.0.0/0;
  680. destination-address 0.0.0.0/0;
  681. }
  682. then {
  683. source-nat {
  684. interface;
  685. }
  686. }
  687. }
  688. }
  689. rule-set Infra-and-Admins-to-Lumen-ONT {
  690. from zone [ INT-User-IT-Admins Infra-Network ];
  691. to zone DMZ-Network;
  692. rule SPAT-Infra-and-Admins-to-Lumen-ONT {
  693. match {
  694. source-address 0.0.0.0/0;
  695. destination-address 0.0.0.0/0;
  696. }
  697. then {
  698. source-nat {
  699. interface;
  700. }
  701. }
  702. }
  703. }
  704. }
  705. }
  /* Policies. Zone-pair policies are minimal (the factory trust/untrust ones
     are inactive); almost everything is in the ordered global list below,
     which is evaluated top to bottom. */
  706. policies {
  707. inactive: from-zone trust to-zone trust {
  708. policy trust-to-trust {
  709. match {
  710. source-address any;
  711. destination-address any;
  712. application any;
  713. }
  714. then {
  715. permit;
  716. }
  717. }
  718. }
  719. inactive: from-zone trust to-zone untrust {
  720. policy trust-to-untrust {
  721. match {
  722. source-address any;
  723. destination-address any;
  724. application any;
  725. }
  726. then {
  727. permit;
  728. }
  729. }
  730. }
  /* Anything from the Internet aimed at the device itself is dropped and
     logged (zone host-inbound-traffic on EXT-WAN allows only dhcp anyway). */
  731. from-zone EXT-WAN to-zone junos-host {
  732. policy Deny-EXT-WAN-to-Junos-Host {
  733. match {
  734. source-address any;
  735. destination-address any;
  736. application any;
  737. }
  738. then {
  739. deny;
  740. log {
  741. session-init;
  742. }
  743. }
  744. }
  745. }
  746. from-zone WAN-Prod to-zone WAN-Prod {
  747. policy Permit-WAN-Prod-Intrazone {
  748. match {
  749. source-address any;
  750. destination-address any;
  751. application any;
  752. }
  753. then {
  754. permit;
  755. log {
  756. session-close;
  757. }
  758. }
  759. }
  760. }
  761. global {
  /* Inbound-from-Internet catch-all: deny, log, count. */
  762. policy Deny-EXT-WAN-to-Any {
  763. match {
  764. source-address any;
  765. destination-address any;
  766. application any;
  767. from-zone EXT-WAN;
  768. to-zone any;
  769. }
  770. then {
  771. deny;
  772. log {
  773. session-init;
  774. }
  775. count;
  776. }
  777. }
  /* Application set S-AP-MDC_HIGH_RISK_APPLICATIONS is defined outside this
     excerpt. */
  778. policy Deny-High-Risk-Applications {
  779. match {
  780. source-address any;
  781. destination-address any;
  782. application S-AP-MDC_HIGH_RISK_APPLICATIONS;
  783. from-zone any;
  784. to-zone any;
  785. }
  786. then {
  787. reject;
  788. log {
  789. session-init;
  790. }
  791. count;
  792. }
  793. }
  /* DNS pinning: plain DNS is allowed only to the internal resolvers (from
     infra/admin zones) and the two AdGuard resolvers (from anywhere); all
     other DNS (S-AP-MDC_ALL_DNS, defined outside this excerpt) is rejected,
     and HTTPS/DoH to the AdGuard addresses is rejected as well. */
  794. policy Permit-INT-Trusted-DNS {
  795. match {
  796. source-address any;
  797. destination-address S-AD-INT_TRUSTED_DNS;
  798. application [ junos-dns-tcp junos-dns-udp ];
  799. from-zone [ Infra-Network INT-User-IT-Admins ];
  800. to-zone WAN-Prod;
  801. }
  802. then {
  803. permit;
  804. }
  805. }
  806. policy Permit-EXT-Trusted-DNS {
  807. match {
  808. source-address any;
  809. destination-address S-AD-EXT_TRUSTED_DNS;
  810. application [ junos-dns-tcp junos-dns-udp ];
  811. from-zone any;
  812. to-zone EXT-WAN;
  813. }
  814. then {
  815. permit;
  816. }
  817. }
  818. policy Deny-Untrusted-DNS {
  819. match {
  820. source-address any;
  821. destination-address any;
  822. application S-AP-MDC_ALL_DNS;
  823. from-zone any;
  824. to-zone any;
  825. }
  826. then {
  827. reject;
  828. log {
  829. session-init;
  830. }
  831. count;
  832. }
  833. }
  834. policy Deny-DoH-to-AdGuard {
  835. match {
  836. source-address any;
  837. destination-address [ EXT-ADGUARD_NET94-140-14_HOST32-14 EXT-ADGUARD_NET94-140-14_HOST32_15-15 ];
  838. application junos-https;
  839. from-zone any;
  840. to-zone EXT-WAN;
  841. }
  842. then {
  843. reject;
  844. log {
  845. session-init;
  846. }
  847. count;
  848. }
  849. }
  /* NOTE(review): despite its name this policy PERMITS the traffic and relies
     on the UTM web-filter profile to block the listed sites. Because it
     matches any/any/any from [EXT-User-Untrust INT-User-IT-Admins] to EXT-WAN
     and sits earlier in the list, Permit-EXT-User-Untrust-to-EXT-WAN below
     can never match, and Permit-INT-User-IT-Admins-to-Any never matches for
     to-zone EXT-WAN — so their 'log session-close' is not applied to
     Internet traffic, and this policy has no log statement of its own.
     Consider a descriptive name, adding 'log { session-close; }' here, and
     removing the shadowed policy. */
  850. policy Deny-Forbidden-Websites {
  851. match {
  852. source-address any;
  853. destination-address any;
  854. application any;
  855. from-zone [ EXT-User-Untrust INT-User-IT-Admins ];
  856. to-zone EXT-WAN;
  857. }
  858. then {
  859. permit {
  860. application-services {
  861. utm-policy MDC-UTM-WF_Local;
  862. }
  863. }
  864. }
  865. }
  /* Broad permits: infra/WAN-Prod and the IT-admin zone may reach anything,
     logged at session close. */
  866. policy Permit-Infra-All-to-Any {
  867. match {
  868. source-address any;
  869. destination-address any;
  870. application any;
  871. from-zone [ Infra-Network WAN-Prod ];
  872. to-zone any;
  873. }
  874. then {
  875. permit;
  876. log {
  877. session-close;
  878. }
  879. }
  880. }
  881. policy Permit-INT-User-IT-Admins-to-Any {
  882. match {
  883. source-address any;
  884. destination-address any;
  885. application any;
  886. from-zone INT-User-IT-Admins;
  887. to-zone any;
  888. }
  889. then {
  890. permit;
  891. log {
  892. session-close;
  893. }
  894. }
  895. }
  /* Shadowed by Deny-Forbidden-Websites above (same zones, any/any/any). */
  896. policy Permit-EXT-User-Untrust-to-EXT-WAN {
  897. match {
  898. source-address any;
  899. destination-address any;
  900. application any;
  901. from-zone EXT-User-Untrust;
  902. to-zone EXT-WAN;
  903. }
  904. then {
  905. permit;
  906. log {
  907. session-close;
  908. }
  909. }
  910. }
  /* Explicit final deny with logging and a counter. */
  911. policy default-deny {
  912. match {
  913. source-address any;
  914. destination-address any;
  915. application any;
  916. }
  917. then {
  918. deny;
  919. log {
  920. session-init;
  921. }
  922. count;
  923. }
  924. }
  925. }
  /* Logging for sessions that end before application identification
     completes. */
  926. pre-id-default-policy {
  927. then {
  928. log {
  929. session-close;
  930. }
  931. }
  932. }
  933. }
  /* Zones. Every active zone carries a screen profile; host-inbound lists
     are narrow except Infra-Network (lo0.0, 'all'). NOTE(review):
     host-inbound-traffic is evaluated on the ingress zone, so confirm that
     nothing can ingress management traffic via lo0.0 and that 'all' there is
     intended. 'tcp-rst' on the external zones returns a reset for non-SYN
     segments that match no session. The factory trust/untrust zones are
     inactive (untrust referenced the cellular dl0.0). */
  934. zones {
  935. inactive: security-zone trust {
  936. host-inbound-traffic {
  937. system-services {
  938. all;
  939. }
  940. protocols {
  941. all;
  942. }
  943. }
  944. interfaces {
  945. irb.0;
  946. }
  947. }
  948. inactive: security-zone untrust {
  949. screen untrust-screen;
  950. interfaces {
  951. ge-0/0/0.0 {
  952. host-inbound-traffic {
  953. system-services {
  954. dhcp;
  955. tftp;
  956. https;
  957. }
  958. }
  959. }
  960. ge-0/0/7.0 {
  961. host-inbound-traffic {
  962. system-services {
  963. dhcp;
  964. tftp;
  965. }
  966. }
  967. }
  968. dl0.0 {
  969. host-inbound-traffic {
  970. system-services {
  971. tftp;
  972. }
  973. }
  974. }
  975. }
  976. }
  /* Guest WLAN: only DHCP (served on-box) and ping reach the device. */
  977. security-zone EXT-User-Untrust {
  978. tcp-rst;
  979. screen IDS-EXT;
  980. host-inbound-traffic {
  981. system-services {
  982. dhcp;
  983. ping;
  984. }
  985. }
  986. interfaces {
  987. reth1.1681;
  988. }
  989. }
  /* Internet uplink: dhcp is needed because reth2.201 is a DHCP client. */
  990. security-zone EXT-WAN {
  991. tcp-rst;
  992. screen IDS-WAN;
  993. interfaces {
  994. reth2.201 {
  995. host-inbound-traffic {
  996. system-services {
  997. dhcp;
  998. }
  999. }
  1000. }
  1001. }
  1002. }
  /* Production WAN link: ping/traceroute plus the BGP peering. */
  1003. security-zone WAN-Prod {
  1004. screen IDS-INT;
  1005. host-inbound-traffic {
  1006. system-services {
  1007. ping;
  1008. traceroute;
  1009. }
  1010. protocols {
  1011. bgp;
  1012. }
  1013. }
  1014. interfaces {
  1015. reth0.1001;
  1016. }
  1017. }
  1018. security-zone Infra-Network {
  1019. screen IDS-INT;
  1020. host-inbound-traffic {
  1021. system-services {
  1022. all;
  1023. }
  1024. }
  1025. interfaces {
  1026. lo0.0;
  1027. }
  1028. }
  /* DMZ toward the carrier ONT; no services reach the device from here. */
  1029. security-zone DMZ-Network {
  1030. tcp-rst;
  1031. screen IDS-WAN;
  1032. interfaces {
  1033. reth2.0;
  1034. }
  1035. }
  /* IT-admin WLAN: dhcp (served on-box), ping, traceroute. */
  1036. security-zone INT-User-IT-Admins {
  1037. screen IDS-INT;
  1038. host-inbound-traffic {
  1039. system-services {
  1040. ping;
  1041. traceroute;
  1042. dhcp;
  1043. }
  1044. }
  1045. interfaces {
  1046. reth0.1682;
  1047. }
  1048. }
  1049. }
  1050. }
  /* Physical and logical interfaces. ge-0/0/x (node0) and ge-3/0/x (node1)
     are paired into reth0 (internal trunk), reth1 (guest WLAN) and reth2
     (ONT/Internet trunk); fab0/fab1 are the cluster fabric links. */
  1051. interfaces {
  1052. ge-0/0/3 {
  1053. gigether-options {
  1054. redundant-parent reth0;
  1055. }
  1056. }
  1057. ge-0/0/4 {
  1058. gigether-options {
  1059. redundant-parent reth1;
  1060. }
  1061. }
  1062. ge-0/0/5 {
  1063. gigether-options {
  1064. redundant-parent reth2;
  1065. }
  1066. }
  /* Cellular modem (cl-) feeding dialer pool 1. */
  1067. cl-1/0/0 {
  1068. dialer-options {
  1069. pool 1 priority 100;
  1070. }
  1071. }
  1072. ge-3/0/3 {
  1073. gigether-options {
  1074. redundant-parent reth0;
  1075. }
  1076. }
  1077. ge-3/0/4 {
  1078. gigether-options {
  1079. redundant-parent reth1;
  1080. }
  1081. }
  1082. ge-3/0/5 {
  1083. gigether-options {
  1084. redundant-parent reth2;
  1085. }
  1086. }
  /* Always-on dialer over the cellular pool with IPv4/IPv6 negotiated from
     the carrier. Only the inactive 'untrust' zone references dl0.0, so it is
     currently in no active zone — confirm whether it is meant to carry
     traffic. */
  1087. dl0 {
  1088. unit 0 {
  1089. family inet {
  1090. negotiate-address;
  1091. }
  1092. family inet6 {
  1093. negotiate-address;
  1094. }
  1095. dialer-options {
  1096. pool 1;
  1097. dial-string 1234;
  1098. always-on;
  1099. }
  1100. }
  1101. }
  1102. fab0 {
  1103. fabric-options {
  1104. member-interfaces {
  1105. ge-0/0/2;
  1106. }
  1107. }
  1108. }
  1109. fab1 {
  1110. fabric-options {
  1111. member-interfaces {
  1112. ge-3/0/2;
  1113. }
  1114. }
  1115. }
  /* Factory irb.0 (192.168.1.1/24) kept inactive; 192.168.1.0/24 is now
     served by reth1.1681. */
  1116. irb {
  1117. inactive: unit 0 {
  1118. family inet {
  1119. address 192.168.1.1/24;
  1120. }
  1121. }
  1122. }
  /* NOTE(review): the Protect-RE input filter is defined under 'firewall'
     but this binding is inactive, so the Routing Engine is not protected by
     it. Review the filter's terms (return traffic for RE-initiated sessions)
     and re-activate it. */
  1123. lo0 {
  1124. unit 0 {
  1125. family inet {
  1126. inactive: filter {
  1127. input Protect-RE;
  1128. }
  1129. address 10.255.255.100/32;
  1130. }
  1131. }
  1132. }
  /* Internal trunk: WAN-Prod point-to-point link and the IT-admin WLAN. */
  1133. reth0 {
  1134. description INT-Infra-User;
  1135. vlan-tagging;
  1136. redundant-ether-options {
  1137. redundancy-group 1;
  1138. }
  1139. unit 1001 {
  1140. description WAN-Prod;
  1141. vlan-id 1001;
  1142. family inet {
  1143. address 10.255.254.14/30;
  1144. }
  1145. }
  1146. unit 1682 {
  1147. description INT-User-IT-Admins-WLAN;
  1148. vlan-id 1682;
  1149. family inet {
  1150. address 192.168.2.254/24;
  1151. }
  1152. }
  1153. }
  /* Guest WLAN gateway. */
  1154. reth1 {
  1155. description EXT-User;
  1156. vlan-tagging;
  1157. redundant-ether-options {
  1158. redundancy-group 1;
  1159. }
  1160. unit 1681 {
  1161. description EXT-User-Untrust-WLAN;
  1162. vlan-id 1681;
  1163. family inet {
  1164. address 192.168.1.254/24;
  1165. }
  1166. }
  1167. }
  /* Carrier-side trunk: untagged/native VLAN 998 is the DMZ toward the ONT,
     VLAN 201 is the Internet uplink. The uplink address comes from the ISP
     via DHCP; no-dns-install keeps the ISP's resolvers out of the system
     name-server list. */
  1168. reth2 {
  1169. description IO-Trunk;
  1170. flexible-vlan-tagging;
  1171. native-vlan-id 998;
  1172. redundant-ether-options {
  1173. redundancy-group 1;
  1174. }
  1175. unit 0 {
  1176. description DMZ-Network-to-Lumen-ONT;
  1177. vlan-id 998;
  1178. family inet {
  1179. address 192.168.0.253/24;
  1180. }
  1181. }
  1182. unit 201 {
  1183. description Internet-Lumen;
  1184. vlan-id 201;
  1185. family inet {
  1186. dhcp {
  1187. no-dns-install;
  1188. retransmission-interval 64;
  1189. metric 5;
  1190. update-server;
  1191. force-discover;
  1192. options {
  1193. no-hostname;
  1194. }
  1195. }
  1196. }
  1197. }
  1198. }
  1199. }
  /* SNMP. Community strings are blanked in this export (the device requires
     two distinct names). NOTE(review): a read-write v2c community is present;
     v2c sends the community in cleartext and read-write permits configuration
     changes over it. Restrict to read-only, or move to SNMPv3 with
     authentication and privacy, unless write access is required. Polling is
     limited to 10.20.10.0/30; traps go to 10.20.10.1/.2 from the loopback. */
  1200. snmp {
  1201. description "MDC Firewall";
  1202. location "";
  1203. contact "";
  1204. filter-duplicates;
  1205. community "" {
  1206. authorization read-only;
  1207. clients {
  1208. 10.20.10.0/30;
  1209. }
  1210. }
  1211. community "" {
  1212. authorization read-write;
  1213. clients {
  1214. 10.20.10.0/30;
  1215. }
  1216. }
  1217. trap-options {
  1218. source-address 10.255.255.100;
  1219. }
  1220. trap-group PRTG {
  1221. version v2;
  1222. categories {
  1223. authentication;
  1224. chassis;
  1225. link;
  1226. remote-operations;
  1227. routing;
  1228. startup;
  1229. rmon-alarm;
  1230. vrrp-events;
  1231. configuration;
  1232. }
  1233. targets {
  1234. 10.20.10.1;
  1235. 10.20.10.2;
  1236. }
  1237. }
  /* Resource-utilisation alarms every 30 s at 80 % rising / 20 % falling. */
  1238. health-monitor {
  1239. interval 30;
  1240. rising-threshold 80;
  1241. falling-threshold 20;
  1242. }
  1243. }
  /* Routing policies; the 'protocols' stanza that references them is outside
     this excerpt. Export-to-Production advertises only the loopback and the
     two user subnets and rejects everything else; Deny-Redist rejects all. */
  1244. policy-options {
  1245. prefix-list Export-to-Production {
  1246. 10.255.255.100/32;
  1247. 192.168.1.0/24;
  1248. 192.168.2.0/24;
  1249. }
  1250. policy-statement Deny-Redist {
  1251. term Default-Deny {
  1252. then reject;
  1253. }
  1254. }
  1255. policy-statement Export-to-Production {
  1256. term Connect-Allow {
  1257. from {
  1258. prefix-list Export-to-Production;
  1259. }
  1260. then accept;
  1261. }
  1262. term Default-Deny {
  1263. then reject;
  1264. }
  1265. }
  1266. }
  /* Routing-Engine protection filter, intended as input on lo0.0.
     NOTE(review): the lo0.0 binding under 'interfaces' is inactive, so none
     of these terms are enforced today. Before re-activating it:
     (1) no term admits the return traffic of TCP sessions the RE itself
         opens — license autoupdate and ACME enrollment over HTTPS, and BGP
         sessions initiated by this node (Permit-BGP matches only
         destination-port 179) — so those replies would land in
         Default-Discard; add a tcp-established / source-port based term for
         the relevant peers;
     (2) Permit-Telnet admits cleartext Telnet from 10.20.10.3 — drop it
         together with the telnet service;
     (3) Permit-DHCP admits UDP 67/68 from a wide source list that includes
         the public address 207.109.2.27/32 — confirm each source is a real
         DHCP relay/server;
     (4) Permit-Syslog admits UDP to port 514 on the RE from the two syslog
         hosts; syslog export is outbound and not subject to an input filter,
         so confirm the RE really receives syslog from them. */
  1267. firewall {
  1268. family inet {
  1269. filter Protect-RE {
  /* Traffic sourced from the loopback itself. */
  1270. term Permit-Loopback-All {
  1271. from {
  1272. source-address {
  1273. 10.255.255.100/32;
  1274. }
  1275. }
  1276. then accept;
  1277. }
  /* SSH from the management and admin networks. */
  1278. term Permit-SSH {
  1279. from {
  1280. source-address {
  1281. 10.10.10.0/24;
  1282. 10.10.16.0/24;
  1283. 10.20.10.0/24;
  1284. 10.20.11.0/30;
  1285. 10.34.16.0/23;
  1286. 10.37.16.0/23;
  1287. }
  1288. protocol tcp;
  1289. destination-port 22;
  1290. }
  1291. then accept;
  1292. }
  /* Telnet from a single host, counted and syslogged — see note above. */
  1293. term Permit-Telnet {
  1294. from {
  1295. source-address {
  1296. 10.20.10.3/32;
  1297. }
  1298. protocol tcp;
  1299. destination-port 23;
  1300. }
  1301. then {
  1302. count TELNET_COUNTER;
  1303. syslog;
  1304. accept;
  1305. }
  1306. }
  /* J-Web (HTTPS) from the management and admin networks. */
  1307. term Permit-HTTPS {
  1308. from {
  1309. source-address {
  1310. 10.20.10.0/24;
  1311. 10.20.11.0/30;
  1312. 10.34.16.0/23;
  1313. 10.37.16.0/23;
  1314. }
  1315. protocol tcp;
  1316. destination-port 443;
  1317. }
  1318. then accept;
  1319. }
  /* RADIUS replies (auth 1812, accounting 1813) from the two servers. */
  1320. term Permit-RADIUS {
  1321. from {
  1322. source-address {
  1323. 10.20.11.0/30;
  1324. }
  1325. protocol udp;
  1326. source-port [ 1812 1813 ];
  1327. }
  1328. then accept;
  1329. }
  /* NTP replies from the configured time servers. */
  1330. term Permit-NTP {
  1331. from {
  1332. source-address {
  1333. 132.163.96.0/30;
  1334. }
  1335. protocol udp;
  1336. destination-port 123;
  1337. }
  1338. then accept;
  1339. }
  /* DNS replies from the internal resolvers. */
  1340. term Permit-DNS {
  1341. from {
  1342. source-address {
  1343. 10.20.11.0/30;
  1344. }
  1345. protocol udp;
  1346. source-port 53;
  1347. }
  1348. then accept;
  1349. }
  /* Echo requests only from internal and infrastructure ranges; echo
     replies from anywhere (responses to the device's own pings). */
  1350. term Permit-ICMP-Request {
  1351. from {
  1352. source-address {
  1353. 10.10.10.0/24;
  1354. 10.10.16.0/24;
  1355. 10.20.10.0/24;
  1356. 10.20.11.0/30;
  1357. 10.34.16.0/23;
  1358. 10.37.16.0/23;
  1359. 10.255.253.0/24;
  1360. 10.255.254.0/24;
  1361. 10.255.255.0/24;
  1362. }
  1363. protocol icmp;
  1364. icmp-type echo-request;
  1365. }
  1366. then accept;
  1367. }
  1368. term Permit-ICMP-Reply {
  1369. from {
  1370. protocol icmp;
  1371. icmp-type echo-reply;
  1372. }
  1373. then accept;
  1374. }
  1375. term Permit-Syslog {
  1376. from {
  1377. source-address {
  1378. 10.20.10.4/32;
  1379. 10.20.10.9/32;
  1380. }
  1381. protocol udp;
  1382. destination-port 514;
  1383. }
  1384. then accept;
  1385. }
  1386. term Permit-DHCP {
  1387. from {
  1388. source-address {
  1389. 207.109.2.27/32;
  1390. 172.16.0.0/23;
  1391. 10.10.15.0/24;
  1392. 10.10.20.0/24;
  1393. 10.20.0.0/16;
  1394. 10.34.0.0/16;
  1395. 10.36.0.0/16;
  1396. 10.37.0.0/16;
  1397. 192.168.1.0/24;
  1398. 192.168.2.0/24;
  1399. }
  1400. protocol udp;
  1401. destination-port [ 67 68 ];
  1402. }
  1403. then accept;
  1404. }
  /* BGP from the point-to-point transit ranges (inbound SYNs only). */
  1405. term Permit-BGP {
  1406. from {
  1407. source-address {
  1408. 10.255.253.0/24;
  1409. 10.255.254.0/24;
  1410. }
  1411. protocol tcp;
  1412. destination-port 179;
  1413. }
  1414. then accept;
  1415. }
  /* Link-local multicast (224.0.0.0/24) is dropped without logging so it
     does not flood the Default-Discard counter and syslog. */
  1416. term Silent-Discard-LNCB {
  1417. from {
  1418. destination-address {
  1419. 224.0.0.0/24;
  1420. }
  1421. }
  1422. then {
  1423. discard;
  1424. }
  1425. }
  /* Everything else: counted, logged and syslogged, then discarded. */
  1426. term Default-Discard {
  1427. then {
  1428. count DEFAULT_DISCARD_COUNTER;
  1429. log;
  1430. syslog;
  1431. discard;
  1432. }
  1433. }
  1434. }
  1435. }
  1436. }
  /* DHCP server address pools. */
  access {
      address-assignment {
          /* Deactivated ("inactive:") default pool - still in the config, not in effect. */
          inactive: pool junosDHCPPool {
              family inet {
                  network 192.168.1.0/24;
                  range junosRange {
                      low 192.168.1.2;
                      high 192.168.1.254;
                  }
                  dhcp-attributes {
                      router {
                          192.168.1.1;
                      }
                      propagate-settings ge-0/0/0.0;
                  }
              }
          }
          /*
           * 192.168.1.0/24: leases .1-.250, gateway and server-identifier .254,
           * public resolvers (94.140.14.14 / 94.140.15.15).
           */
          pool VLAN1681 {
              family inet {
                  network 192.168.1.0/24;
                  range EXT-User-Untrust {
                      low 192.168.1.1;
                      high 192.168.1.250;
                  }
                  dhcp-attributes {
                      maximum-lease-time 43140;
                      server-identifier 192.168.1.254;
                      name-server {
                          94.140.14.14;
                          94.140.15.15;
                      }
                      router {
                          192.168.1.254;
                      }
                  }
              }
          }
          /*
           * 192.168.2.0/24: leases .1-.250, internal resolvers, domain
           * its.ad.mdc.com, option 119 (domain search list) given as a raw hex
           * string. NOTE(review): unlike VLAN1681 there is no "router" attribute
           * here, and the server-identifier (10.34.17.254) lies outside the pool's
           * network - confirm clients on this VLAN obtain a default gateway.
           */
          pool VLAN1682 {
              family inet {
                  network 192.168.2.0/24;
                  range INT-User-IT-Admins {
                      low 192.168.2.1;
                      high 192.168.2.250;
                  }
                  dhcp-attributes {
                      maximum-lease-time 43140;
                      server-identifier 10.34.17.254;
                      domain-name its.ad.mdc.com;
                      name-server {
                          10.20.11.1;
                          10.20.11.2;
                      }
                      option 119 hex-string 046D676D74036D646303636F6D0003776C63C005036C6162C005026164C005087072696E74657273C005087365637572697479C005C005;
                  }
              }
          }
      }
  }
  routing-instances {
      /* Dedicated management instance: a single default route for out-of-band traffic. */
      mgmt_junos {
          routing-options {
              static {
                  /* NOTE(review): confirm 10.10.10.254 is on-link for the management interface address. */
                  route 0.0.0.0/0 next-hop 10.10.10.254;
              }
          }
      }
  }
  /*
   * Custom application objects and the sets built from them. Which security
   * policies reference these sets is outside this section.
   */
  applications {
      /* QUIC: udp/443. */
      application MDC-QUIC {
          protocol udp;
          destination-port 443;
      }
      /* NetBIOS name/datagram/session: udp/137-139. */
      application MDC-NETBIOS {
          protocol udp;
          destination-port 137-139;
      }
      application MDC-WINS_TCP {
          protocol tcp;
          destination-port 42;
      }
      application MDC-WINS_UDP {
          protocol udp;
          destination-port 42;
      }
      /* LLMNR: 5355 over both transports. */
      application MDC-LLMNR_TCP {
          protocol tcp;
          destination-port 5355;
      }
      application MDC-LLMNR_UDP {
          protocol udp;
          destination-port 5355;
      }
      application MDC-SSDP {
          protocol udp;
          destination-port 1900;
      }
      application MDC-UPNP {
          protocol tcp;
          destination-port 2869;
      }
      /* Encrypted DNS transports: DoQ (udp/853) and DoT (tcp/853). */
      application MDC-DNS_OVER_QUIC {
          protocol udp;
          destination-port 853;
      }
      application MDC-DNS_OVER_TLS {
          protocol tcp;
          destination-port 853;
      }
      /* Kerberos: 88 (authentication) and 464 (password change), tcp and udp. */
      application MDC-KERBEROS_AUTH_TCP {
          protocol tcp;
          destination-port 88;
      }
      application MDC-KERBEROS_PWD_TCP {
          protocol tcp;
          destination-port 464;
      }
      application MDC-KERBEROS_AUTH_UDP {
          protocol udp;
          destination-port 88;
      }
      application MDC-KERBEROS_PWD_UDP {
          protocol udp;
          destination-port 464;
      }
      /* LDAP 389, Global Catalog 3268-3269, LDAPS 636 - each on tcp and udp. */
      application MDC-LDAP_TCP {
          protocol tcp;
          destination-port 389;
      }
      application MDC-LDAP_GC_TCP {
          protocol tcp;
          destination-port 3268-3269;
      }
      application MDC-LDAP_UDP {
          protocol udp;
          destination-port 389;
      }
      application MDC-LDAP_GC_UDP {
          protocol udp;
          destination-port 3268-3269;
      }
      application MDC-LDAPS_TCP {
          protocol tcp;
          destination-port 636;
      }
      application MDC-LDAPS_UDP {
          protocol udp;
          destination-port 636;
      }
      application MDC-NTP {
          protocol udp;
          destination-port 123;
      }
      /* RPC endpoint mapper (tcp/135) plus the dynamic port range it hands out. */
      application MDC-RPC {
          protocol tcp;
          destination-port 135;
      }
      application MDC-RPC_DYN {
          protocol tcp;
          destination-port 49152-65535;
      }
      /* SMB direct (tcp/445) and SMB over NetBIOS session (tcp/139). */
      application MDC-SMB_AD_MSDS {
          protocol tcp;
          destination-port 445;
      }
      application MDC-SMB_NBSS {
          protocol tcp;
          destination-port 139;
      }
      /* Same match as MDC-NTP (udp/123); kept as a separate object for the AD set. */
      application MDC-W32TIME {
          protocol udp;
          destination-port 123;
      }
      /* Ports a domain member needs towards domain controllers. */
      application-set S-AP-MDC-ACTIVE_DIRECTORY {
          application MDC-KERBEROS_AUTH_TCP;
          application MDC-KERBEROS_PWD_TCP;
          application MDC-KERBEROS_AUTH_UDP;
          application MDC-KERBEROS_PWD_UDP;
          application MDC-LDAP_TCP;
          application MDC-LDAP_GC_TCP;
          application MDC-LDAP_UDP;
          application MDC-LDAP_GC_UDP;
          application MDC-LDAPS_TCP;
          application MDC-LDAPS_UDP;
          application MDC-RPC;
          application MDC-RPC_DYN;
          application MDC-SMB_AD_MSDS;
          application MDC-W32TIME;
      }
      /* Classic DNS (built-in junos-dns-*) plus the encrypted DoQ/DoT transports. */
      application-set S-AP-MDC_ALL_DNS {
          application junos-dns-tcp;
          application junos-dns-udp;
          application MDC-DNS_OVER_QUIC;
          application MDC-DNS_OVER_TLS;
      }
      /*
       * Legacy name-resolution and discovery protocols plus QUIC, grouped so a
       * policy can treat them together (presumably a deny - confirm in the
       * policies that reference this set).
       */
      application-set S-AP-MDC_HIGH_RISK_APPLICATIONS {
          application MDC-QUIC;
          application MDC-NETBIOS;
          application MDC-WINS_TCP;
          application MDC-WINS_UDP;
          application MDC-LLMNR_TCP;
          application MDC-LLMNR_UDP;
          application MDC-SSDP;
          application MDC-UPNP;
      }
  }
  vlans {
      /* Deactivated ("inactive:") VLAN 3 with irb.0 as its L3 interface - not in effect. */
      inactive: vlan-trust {
          vlan-id 3;
          l3-interface irb.0;
      }
  }
  protocols {
      bgp {
          /* MED is compared even between paths from different neighbor ASes. */
          path-selection always-compare-med;
          /*
           * eBGP to the production firewall: local AS 65409, peer AS 65376,
           * sourced from 10.255.254.14, exporting policy Export-to-Production.
           * NOTE(review): no authentication-key or key-chain is configured on
           * this neighbor. The Protect-RE Permit-BGP term limits tcp/179 sources
           * to 10.255.253.0/24 and 10.255.254.0/24 but does not authenticate
           * the session - confirm this is acceptable for the test peering.
           */
          group MDCBR-Test-to-Production {
              type external;
              description "eBGP to Production";
              local-address 10.255.254.14;
              export Export-to-Production;
              local-as 65409;
              neighbor 10.255.254.13 {
                  description MDCBR-PROD;
                  peer-as 65376;
              }
          }
          description "MDC Test Firewall";
          hold-time 90;
          /* Log neighbor up/down transitions. */
          log-updown;
          graceful-restart;
      }
      l2-learning {
          global-mode switching;
      }
      /* LLDP on every interface except reth3; LLDP-MED off everywhere. */
      lldp {
          interface all;
          interface reth3 {
              disable;
          }
      }
      lldp-med {
          interface all {
              disable;
          }
      }
      rstp {
          interface all;
      }
  }
  1685.  