- set version 18.4R3-S2
- set system login retry-options tries-before-disconnect 3
- set system login retry-options backoff-threshold 1
- set system login retry-options backoff-factor 6
- set system login retry-options minimum-time 30
- set system login retry-options maximum-time 60
- set system login retry-options lockout-period 10
- set system login class Network-Owner idle-timeout 10
- set system login class Network-Owner permissions all
- set system login user *REMOVED* full-name "*REMOVED*"
- set system login user *REMOVED* uid 2000
- set system login user *REMOVED* class Network-Owner
- set system login user *REMOVED* authentication encrypted-password "*REMOVED*"
- set system login password minimum-length 15
- set system login password change-type character-sets
- set system login password minimum-changes 4
- set system login password minimum-numerics 2
- set system login password minimum-upper-cases 2
- set system login password minimum-lower-cases 2
- set system login password minimum-punctuations 2
- set system login password format sha256
- set system login message "************************************************************************\n \n WARNING: This system is for the use of authorized clients only.\n Individuals using the computer network system without\n authorization, or in excess of their authorization, are\n subject to having all their activity on this computer\n network system monitored and recorded by system\n personnel. To protect the computer network system from\n unauthorized use and to ensure the computer network system\n is functioning properly, system administrators monitor this\n system. Anyone using this computer network system\n expressly consents to such monitoring and is advised that\n if such monitoring reveals possible conduct of criminal\n activity, system personnel may provide the evidence of\n such activity to law enforcement officers.\n \n Access is restricted to authorized users only.\n Unauthorized access is a violation of state and federal,\n civil and criminal laws.\n**************************************************************************"
- set system root-authentication encrypted-password "*REMOVED*"
- set system services ssh root-login deny
- set system services ssh no-tcp-forwarding
- set system services ssh protocol-version v2
- set system services ssh max-sessions-per-connection 2
- set system services ssh macs hmac-sha2-256
- set system services ssh macs hmac-sha2-512
- set system services ssh client-alive-count-max 3
- set system services ssh client-alive-interval 10
- set system services ssh connection-limit 2
- set system services ssh rate-limit 2
- set system services dhcp-local-server group jdhcp-group interface irb.0
- set system services dhcp-local-server group Trusted-Clients interface irb.30
- set system services dhcp-local-server group IoT interface irb.20
- set system services dhcp-local-server group Guest interface irb.10
- set system services dhcp-local-server lease-time-validation lease-time-threshold 3600
- set system services web-management https system-generated-certificate
- set system services web-management session idle-timeout 30
- set system services web-management session session-limit 2
- set system host-name Juniper-SRX300
- set system time-zone *REMOVED*
- set system no-redirects
- set system no-redirects-ipv6
- set system no-ping-record-route
- set system no-ping-time-stamp
- set system internet-options no-source-quench
- set system internet-options tcp-drop-synfin-set
- set system internet-options no-tcp-reset drop-all-tcp
- set system ports console log-out-on-disconnect
- set system ports auxiliary disable
- set system ports auxiliary insecure
- set system diag-port-authentication encrypted-password ***DISABLED***
- set system pic-console-authentication encrypted-password ***DISABLED***
- set system name-server 192.168.30.254
- set system name-server 192.168.30.253
- set system syslog archive size 100k
- set system syslog archive files 3
- set system syslog user * any emergency
- set system syslog file messages any notice
- set system syslog file messages authorization info
- set system syslog file messages match "!(kernel time sync enabled)"
- set system syslog file interactive-commands interactive-commands any
- set system max-configurations-on-flash 5
- set system max-configuration-rollbacks 5
- set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
- set system ntp boot-server 128.138.140.50
- set system ntp server 128.138.140.50 prefer
- set system ntp server 132.163.97.7
- set chassis aggregated-devices ethernet device-count 4
- set security log mode stream
- set security ike policy ike-remote-vpn-policy mode aggressive
- set security ike policy ike-remote-vpn-policy proposal-set standard
- set security ike policy ike-remote-vpn-policy pre-shared-key ascii-text "*REMOVED*"
- set security ike gateway remote-vpn-local-gw ike-policy ike-remote-vpn-policy
- set security ike gateway remote-vpn-local-gw dynamic hostname *REMOVED*
- set security ike gateway remote-vpn-local-gw dynamic connections-limit 2
- set security ike gateway remote-vpn-local-gw dynamic ike-user-type group-ike-id
- set security ike gateway remote-vpn-local-gw external-interface ge-0/0/0.0
- set security ike gateway remote-vpn-local-gw aaa access-profile remote-vpn-access-profile
- set security ipsec policy ipsec-remote-vpn-policy proposal-set standard
- set security ipsec vpn remote-vpn ike gateway remote-vpn-local-gw
- set security ipsec vpn remote-vpn ike ipsec-policy ipsec-remote-vpn-policy
- set security dynamic-vpn access-profile remote-vpn-access-profile
- set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
- set security dynamic-vpn clients all ipsec-vpn remote-vpn
- set security dynamic-vpn clients all user *REMOVED*
- set security screen ids-option untrust-screen icmp ping-death
- set security screen ids-option untrust-screen ip bad-option
- set security screen ids-option untrust-screen ip record-route-option
- set security screen ids-option untrust-screen ip timestamp-option
- set security screen ids-option untrust-screen ip stream-option
- set security screen ids-option untrust-screen ip spoofing
- set security screen ids-option untrust-screen ip source-route-option
- set security screen ids-option untrust-screen ip loose-source-route-option
- set security screen ids-option untrust-screen ip strict-source-route-option
- set security screen ids-option untrust-screen ip unknown-protocol
- set security screen ids-option untrust-screen ip tear-drop
- set security screen ids-option untrust-screen tcp fin-no-ack
- set security screen ids-option untrust-screen tcp port-scan threshold 1000000
- set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
- set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
- set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
- set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
- set security screen ids-option untrust-screen tcp syn-flood timeout 20
- set security screen ids-option untrust-screen tcp land
- set security screen ids-option untrust-screen udp port-scan threshold 1000000
- set security nat source rule-set trust-to-untrust from zone trust
- set security nat source rule-set trust-to-untrust to zone untrust
- set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
- set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
- set security nat source rule-set guest-to-untrust from zone guest
- set security nat source rule-set guest-to-untrust to zone untrust
- set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 200.200.200.0/24
- set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface
- set security nat source rule-set IoT-to-untrust from zone IoT
- set security nat source rule-set IoT-to-untrust to zone untrust
- set security nat source rule-set IoT-to-untrust rule IoT-source-nat-rule match source-address 201.201.201.0/24
- set security nat source rule-set IoT-to-untrust rule IoT-source-nat-rule then source-nat interface
- set security nat source rule-set remote-vpn-nat from zone untrust
- set security nat source rule-set remote-vpn-nat to zone untrust
- set security nat source rule-set remote-vpn-nat rule vpn-nat match source-address 202.202.202.0/24
- set security nat source rule-set remote-vpn-nat rule vpn-nat then source-nat interface
- set security nat destination pool dest-nat-plex description "Plex Server"
- set security nat destination pool dest-nat-plex routing-instance default
- set security nat destination pool dest-nat-plex address 192.168.30.236/32
- set security nat destination pool dest-nat-plex address port *REMOVED*
- set security nat destination pool dest-nat-vpn description OpenVPN
- set security nat destination pool dest-nat-vpn routing-instance default
- set security nat destination pool dest-nat-vpn address 192.168.30.24/32
- set security nat destination pool dest-nat-vpn address port *REMOVED*
- set security nat destination rule-set rule-set-1 from zone untrust
- set security nat destination rule-set rule-set-1 rule rule-1 match destination-address 0.0.0.0/0
- set security nat destination rule-set rule-set-1 rule rule-1 match destination-port *REMOVED*
- set security nat destination rule-set rule-set-1 rule rule-1 then destination-nat pool dest-nat-plex
- set security nat destination rule-set rule-set-1 rule rule-2 match destination-address 0.0.0.0/0
- set security nat destination rule-set rule-set-1 rule rule-2 match destination-port *REMOVED*
- set security nat destination rule-set rule-set-1 rule rule-2 then destination-nat pool dest-nat-vpn
- set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
- set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
- set security policies from-zone trust to-zone trust policy trust-to-trust match application any
- set security policies from-zone trust to-zone trust policy trust-to-trust then permit
- set security policies from-zone trust to-zone trust policy trust-to-trust then count
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
- set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
- set security policies from-zone untrust to-zone trust policy Plex match source-address any
- set security policies from-zone untrust to-zone trust policy Plex match destination-address Plex-Server
- set security policies from-zone untrust to-zone trust policy Plex match application Plex
- set security policies from-zone untrust to-zone trust policy Plex then permit
- set security policies from-zone untrust to-zone trust policy Plex then count
- set security policies from-zone untrust to-zone trust policy OpenVPN match source-address any
- set security policies from-zone untrust to-zone trust policy OpenVPN match destination-address OpenVPN-Server
- set security policies from-zone untrust to-zone trust policy OpenVPN match application OpenVPN
- set security policies from-zone untrust to-zone trust policy OpenVPN then permit
- set security policies from-zone untrust to-zone trust policy OpenVPN then count
- set security policies from-zone untrust to-zone trust policy remote-vpn-policy match source-address any
- set security policies from-zone untrust to-zone trust policy remote-vpn-policy match destination-address any
- set security policies from-zone untrust to-zone trust policy remote-vpn-policy match application any
- set security policies from-zone untrust to-zone trust policy remote-vpn-policy then permit tunnel ipsec-vpn remote-vpn
- set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any
- set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any
- set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any
- set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit
- set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match source-address any
- set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match destination-address any
- set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match application any
- set security policies from-zone IoT to-zone untrust policy IoT-to-untrust then permit
- set security policies from-zone untrust to-zone untrust policy remote-vpn match source-address any
- set security policies from-zone untrust to-zone untrust policy remote-vpn match destination-address any
- set security policies from-zone untrust to-zone untrust policy remote-vpn match application any
- set security policies from-zone untrust to-zone untrust policy remote-vpn then permit tunnel ipsec-vpn remote-vpn
- set security policies from-zone guest to-zone trust policy To-Plex-Server match source-address any
- set security policies from-zone guest to-zone trust policy To-Plex-Server match destination-address Plex-Server
- set security policies from-zone guest to-zone trust policy To-Plex-Server match application Plex
- set security policies from-zone guest to-zone trust policy To-Plex-Server then permit
- set security policies from-zone guest to-zone trust policy To-Plex-Server then count
- set security policies from-zone guest to-zone trust policy To-Pi-Hole match source-address any
- set security policies from-zone guest to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server
- set security policies from-zone guest to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server-Secondary
- set security policies from-zone guest to-zone trust policy To-Pi-Hole match application Pi-Hole-UDP
- set security policies from-zone guest to-zone trust policy To-Pi-Hole match application Pi-Hole-TCP
- set security policies from-zone guest to-zone trust policy To-Pi-Hole then permit
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole match source-address any
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server-Secondary
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole match application Pi-Hole-UDP
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole match application Pi-Hole-TCP
- set security policies from-zone IoT to-zone trust policy To-Pi-Hole then permit
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match source-address any
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match destination-address Verizon-4G-LTE
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match application Verizon-4G-LTE-80
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match application Verizon-4G-LTE-443
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE then permit
- set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE then count
- set security policies default-policy deny-all
- set security zones security-zone trust address-book address Plex-Server 192.168.30.236/32
- set security zones security-zone trust address-book address OpenVPN-Server 192.168.30.24/32
- set security zones security-zone trust address-book address Pi-Hole-Server 192.168.30.254/32
- set security zones security-zone trust address-book address Pi-Hole-Server-Secondary 192.168.30.253/32
- set security zones security-zone trust host-inbound-traffic system-services all
- set security zones security-zone trust host-inbound-traffic protocols all
- set security zones security-zone trust interfaces irb.0
- set security zones security-zone trust interfaces irb.30
- set security zones security-zone untrust screen untrust-screen
- set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
- set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
- set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
- set security zones security-zone guest host-inbound-traffic system-services dhcp
- set security zones security-zone guest interfaces irb.10
- set security zones security-zone IoT address-book address Verizon-4G-LTE 201.201.201.254/32
- set security zones security-zone IoT host-inbound-traffic system-services dhcp
- set security zones security-zone IoT host-inbound-traffic system-services ping
- set security zones security-zone IoT interfaces irb.20
- set interfaces interface-range LACP-To-Juniper-EX2300-C member ge-0/0/7
- set interfaces interface-range LACP-To-Juniper-EX2300-C member ge-0/0/6
- set interfaces interface-range LACP-To-Juniper-EX2300-C description "LACP -> EX2300-C"
- set interfaces interface-range LACP-To-Juniper-EX2300-C ether-options 802.3ad ae0
- set interfaces ge-0/0/0 description "To AT&T Gateway"
- set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
- set interfaces ge-0/0/0 unit 0 family inet filter input BLOCKED-IPs
- set interfaces ge-0/0/1 description AVAILABLE
- set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
- set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Guest
- set interfaces ge-0/0/2 description AVAILABLE
- set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
- set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Guest
- set interfaces ge-0/0/3 description AVAILABLE
- set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
- set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members Guest
- set interfaces ge-0/0/4 description AVAILABLE
- set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
- set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members Guest
- set interfaces ge-0/0/5 description AVAILABLE
- set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
- set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members Guest
- set interfaces ae0 description "LACP -> EX2300-C"
- set interfaces ae0 native-vlan-id 3
- set interfaces ae0 aggregated-ether-options link-speed 1g
- set interfaces ae0 aggregated-ether-options lacp active
- set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
- set interfaces ae0 unit 0 family ethernet-switching vlan members all
- set interfaces ae0 unit 0 family ethernet-switching vlan members Guest
- set interfaces ae0 unit 0 family ethernet-switching vlan members IoT
- set interfaces ae0 unit 0 family ethernet-switching vlan members Trusted-Clients
- set interfaces irb unit 0 family inet address 192.168.1.1/24
- set interfaces irb unit 10 family inet policer input limit-100m
- set interfaces irb unit 10 family inet policer output limit-100m
- set interfaces irb unit 10 family inet address 200.200.200.1/24
- set interfaces irb unit 20 family inet policer input limit-100m
- set interfaces irb unit 20 family inet policer output limit-100m
- set interfaces irb unit 20 family inet address 201.201.201.1/24
- set interfaces irb unit 30 family inet address 192.168.30.1/24
- set interfaces lo0 unit 0 family inet filter input PROTECT-RE
- set forwarding-options packet-capture maximum-capture-size 1500
- set policy-options prefix-list ntp-servers
- set policy-options prefix-list mgmt-nets 192.168.30.0/24
- set policy-options prefix-list mgmt-nets 202.202.202.0/24
- set policy-options prefix-list localhost
- set policy-options prefix-list BLOCK-IP-LIST 60.190.248.10/32
- set policy-options prefix-list BLOCK-IP-LIST 164.52.24.173/32
- set policy-options prefix-list BLOCK-IP-LIST 187.72.29.2/32
- set policy-options prefix-list BLOCK-IP-LIST 202.96.99.84/32
- set policy-options prefix-list BLOCK-IP-LIST 216.218.206.64/26
- set firewall family inet filter PROTECT-RE term allow-ssh from source-prefix-list mgmt-nets
- set firewall family inet filter PROTECT-RE term allow-ssh from protocol tcp
- set firewall family inet filter PROTECT-RE term allow-ssh from destination-port ssh
- set firewall family inet filter PROTECT-RE term allow-ssh then policer limit-10m
- set firewall family inet filter PROTECT-RE term allow-ssh then accept
- set firewall family inet filter PROTECT-RE term icmp-frags from is-fragment
- set firewall family inet filter PROTECT-RE term icmp-frags from protocol icmp
- set firewall family inet filter PROTECT-RE term icmp-frags then count icmp-frags
- set firewall family inet filter PROTECT-RE term icmp-frags then log
- set firewall family inet filter PROTECT-RE term icmp-frags then discard
- set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
- set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type echo-request
- set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type echo-reply
- set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type unreachable
- set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type time-exceeded
- set firewall family inet filter PROTECT-RE term allow-icmp then policer limit-1m
- set firewall family inet filter PROTECT-RE term allow-icmp then count allow-icmp
- set firewall family inet filter PROTECT-RE term allow-icmp then accept
- set firewall family inet filter PROTECT-RE term allow-traceroute from protocol udp
- set firewall family inet filter PROTECT-RE term allow-traceroute from destination-port 33434-33523
- set firewall family inet filter PROTECT-RE term allow-traceroute then policer limit-1m
- set firewall family inet filter PROTECT-RE term allow-traceroute then count allow-traceroute
- set firewall family inet filter PROTECT-RE term allow-traceroute then accept
- set firewall family inet filter PROTECT-RE term tcp-established from protocol tcp
- set firewall family inet filter PROTECT-RE term tcp-established from source-port ssh
- set firewall family inet filter PROTECT-RE term tcp-established from tcp-established
- set firewall family inet filter PROTECT-RE term tcp-established then policer limit-10m
- set firewall family inet filter PROTECT-RE term tcp-established then count tcp-established
- set firewall family inet filter PROTECT-RE term tcp-established then accept
- set firewall family inet filter PROTECT-RE term allow-jweb from source-address 192.168.30.0/24
- set firewall family inet filter PROTECT-RE term allow-jweb from protocol tcp
- set firewall family inet filter PROTECT-RE term allow-jweb from destination-port https
- set firewall family inet filter PROTECT-RE term allow-jweb then policer limit-10m
- set firewall family inet filter PROTECT-RE term allow-jweb then count allow-jweb
- set firewall family inet filter PROTECT-RE term allow-jweb then accept
- set firewall family inet filter PROTECT-RE term allow-dhcp-client from source-address 0.0.0.0/32
- set firewall family inet filter PROTECT-RE term allow-dhcp-client from destination-address 255.255.255.255/32
- set firewall family inet filter PROTECT-RE term allow-dhcp-client from protocol udp
- set firewall family inet filter PROTECT-RE term allow-dhcp-client from source-port 68
- set firewall family inet filter PROTECT-RE term allow-dhcp-client then policer limit-32k
- set firewall family inet filter PROTECT-RE term allow-dhcp-client then count allow-dhcp-client
- set firewall family inet filter PROTECT-RE term allow-dhcp-client then accept
- set firewall family inet filter PROTECT-RE term allow-dhcp-server from protocol udp
- set firewall family inet filter PROTECT-RE term allow-dhcp-server from source-port 67
- set firewall family inet filter PROTECT-RE term allow-dhcp-server from source-port 68
- set firewall family inet filter PROTECT-RE term allow-dhcp-server from destination-port 67
- set firewall family inet filter PROTECT-RE term allow-dhcp-server from destination-port 68
- set firewall family inet filter PROTECT-RE term allow-dhcp-server then policer limit-32k
- set firewall family inet filter PROTECT-RE term allow-dhcp-server then count allow-dhcp-server
- set firewall family inet filter PROTECT-RE term allow-dhcp-server then accept
- set firewall family inet filter PROTECT-RE term allow-ntp from source-address 127.0.0.1/32
- set firewall family inet filter PROTECT-RE term allow-ntp from source-address 128.138.140.50/32
- set firewall family inet filter PROTECT-RE term allow-ntp from source-address 132.163.97.7/32
- set firewall family inet filter PROTECT-RE term allow-ntp from source-address 192.168.1.1/32
- set firewall family inet filter PROTECT-RE term allow-ntp from protocol udp
- set firewall family inet filter PROTECT-RE term allow-ntp from port ntp
- set firewall family inet filter PROTECT-RE term allow-ntp then policer limit-32k
- set firewall family inet filter PROTECT-RE term allow-ntp then count allow-ntp
- set firewall family inet filter PROTECT-RE term allow-ntp then accept
- set firewall family inet filter PROTECT-RE term allow-dns from source-address 127.0.0.1/32
- set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.1.1/32
- set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.2.254/32
- set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.30.254/32
- set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.30.253/32
- set firewall family inet filter PROTECT-RE term allow-dns from protocol tcp
- set firewall family inet filter PROTECT-RE term allow-dns from protocol udp
- set firewall family inet filter PROTECT-RE term allow-dns from port domain
- set firewall family inet filter PROTECT-RE term allow-dns then policer limit-32k
- set firewall family inet filter PROTECT-RE term allow-dns then count allow-dns
- set firewall family inet filter PROTECT-RE term allow-dns then accept
- set firewall family inet filter PROTECT-RE term allow-https from protocol tcp
- set firewall family inet filter PROTECT-RE term allow-https from destination-port https
- set firewall family inet filter PROTECT-RE term allow-https then policer limit-1m
- set firewall family inet filter PROTECT-RE term allow-https then count allow-https
- set firewall family inet filter PROTECT-RE term allow-https then accept
- set firewall family inet filter PROTECT-RE term allow-ike from protocol udp
- set firewall family inet filter PROTECT-RE term allow-ike from destination-port 500
- set firewall family inet filter PROTECT-RE term allow-ike from destination-port 4500
- set firewall family inet filter PROTECT-RE term allow-ike then policer limit-1m
- set firewall family inet filter PROTECT-RE term allow-ike then count allow-ike/ipsec
- set firewall family inet filter PROTECT-RE term allow-ike then accept
- set firewall family inet filter PROTECT-RE term default-discard then count default-discard
- set firewall family inet filter PROTECT-RE term default-discard then log
- set firewall family inet filter PROTECT-RE term default-discard then syslog
- set firewall family inet filter PROTECT-RE term default-discard then discard
- set firewall family inet filter BLOCKED-IPs term DENY from prefix-list BLOCK-IP-LIST
- set firewall family inet filter BLOCKED-IPs term DENY then count BLOCKED-IPs
- set firewall family inet filter BLOCKED-IPs term DENY then log
- set firewall family inet filter BLOCKED-IPs term DENY then discard
- set firewall family inet filter BLOCKED-IPs term DEFAULT-ACCEPT then accept
- set firewall policer limit-100m if-exceeding bandwidth-limit 100m
- set firewall policer limit-100m if-exceeding burst-size-limit 625k
- set firewall policer limit-100m then discard
- set firewall policer limit-10m if-exceeding bandwidth-limit 10m
- set firewall policer limit-10m if-exceeding burst-size-limit 625k
- set firewall policer limit-10m then discard
- set firewall policer limit-1m if-exceeding bandwidth-limit 1m
- set firewall policer limit-1m if-exceeding burst-size-limit 15k
- set firewall policer limit-1m then discard
- set firewall policer limit-32k if-exceeding bandwidth-limit 32k
- set firewall policer limit-32k if-exceeding burst-size-limit 15k
- set firewall policer limit-32k then discard
- set access profile remote-vpn-access-profile client *REMOVED* firewall-user password "*REMOVED*"
- set access profile remote-vpn-access-profile address-assignment pool remote-vpn-address-pool
- set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
- set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
- set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
- set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
- set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
- set access address-assignment pool Trusted-Clients family inet network 192.168.30.0/24
- set access address-assignment pool Trusted-Clients family inet range Trusted-Clients low 192.168.30.2
- set access address-assignment pool Trusted-Clients family inet range Trusted-Clients high 192.168.30.254
- set access address-assignment pool Trusted-Clients family inet dhcp-attributes name-server 192.168.30.254
- set access address-assignment pool Trusted-Clients family inet dhcp-attributes name-server 192.168.30.253
- set access address-assignment pool Trusted-Clients family inet dhcp-attributes router 192.168.30.1
- set access address-assignment pool Guest family inet network 200.200.200.0/24
- set access address-assignment pool Guest family inet range Guest low 200.200.200.2
- set access address-assignment pool Guest family inet range Guest high 200.200.200.254
- set access address-assignment pool Guest family inet dhcp-attributes name-server 192.168.30.254
- set access address-assignment pool Guest family inet dhcp-attributes name-server 192.168.30.253
- set access address-assignment pool Guest family inet dhcp-attributes router 200.200.200.1
- set access address-assignment pool IoT family inet network 201.201.201.0/24
- set access address-assignment pool IoT family inet range IoT low 201.201.201.2
- set access address-assignment pool IoT family inet range IoT high 201.201.201.254
- set access address-assignment pool IoT family inet dhcp-attributes name-server 192.168.30.254
- set access address-assignment pool IoT family inet dhcp-attributes name-server 192.168.30.253
- set access address-assignment pool IoT family inet dhcp-attributes router 201.201.201.1
- set access address-assignment pool IoT family inet host Verizon-4G-LTE hardware-address *REMOVED*
- set access address-assignment pool IoT family inet host Verizon-4G-LTE ip-address 201.201.201.254
- set access address-assignment pool remote-vpn-address-pool family inet network 202.202.202.0/24
- set access address-assignment pool remote-vpn-address-pool family inet xauth-attributes primary-dns 192.168.30.254/32
- set access address-assignment pool remote-vpn-address-pool family inet xauth-attributes secondary-dns 192.168.30.253/32
- set access firewall-authentication web-authentication default-profile remote-vpn-access-profile
- set applications application Plex protocol tcp
- set applications application Plex destination-port *REMOVED*
- set applications application OpenVPN protocol udp
- set applications application OpenVPN destination-port *REMOVED*
- set applications application Pi-Hole-UDP protocol udp
- set applications application Pi-Hole-UDP destination-port *REMOVED*
- set applications application Pi-Hole-TCP protocol tcp
- set applications application Pi-Hole-TCP destination-port *REMOVED*
- set applications application Verizon-4G-LTE-443 protocol tcp
- set applications application Verizon-4G-LTE-443 destination-port *REMOVED*
- set applications application Verizon-4G-LTE-80 protocol tcp
- set applications application Verizon-4G-LTE-80 destination-port *REMOVED*
- set vlans Guest vlan-id 10
- set vlans Guest l3-interface irb.10
- set vlans IoT vlan-id 20
- set vlans IoT l3-interface irb.20
- set vlans Trusted-Clients vlan-id 30
- set vlans Trusted-Clients l3-interface irb.30
- set vlans vlan-trust vlan-id 3
- set vlans vlan-trust l3-interface irb.0
- set protocols l2-learning global-mode switching
- set protocols lldp interface all disable
- set protocols lldp interface ge-0/0/0 disable
- set protocols lldp-med interface ge-0/0/0 disable
- set protocols rstp interface all