  1. set version 18.4R3-S2
  2. set system login retry-options tries-before-disconnect 3
  3. set system login retry-options backoff-threshold 1
  4. set system login retry-options backoff-factor 6
  5. set system login retry-options minimum-time 30
  6. set system login retry-options maximum-time 60
  7. set system login retry-options lockout-period 10
  8. set system login class Network-Owner idle-timeout 10
  9. set system login class Network-Owner permissions all
  10. set system login user *REMOVED* full-name "*REMOVED*"
  11. set system login user *REMOVED* uid 2000
  12. set system login user *REMOVED* class Network-Owner
  13. set system login user *REMOVED* authentication encrypted-password "*REMOVED*"
  14. set system login password minimum-length 15
  15. set system login password change-type character-sets
  16. set system login password minimum-changes 4
  17. set system login password minimum-numerics 2
  18. set system login password minimum-upper-cases 2
  19. set system login password minimum-lower-cases 2
  20. set system login password minimum-punctuations 2
  21. set system login password format sha256
  22. set system login message "************************************************************************\n \n WARNING: This system is for the use of authorized clients only.\n Individuals using the computer network system without\n authorization, or in excess of their authorization, are\n subject to having all their activity on this computer\n network system monitored and recorded by system\n personnel. To protect the computer network system from\n unauthorized use and to ensure the computer network systems\n is functioning properly, system administrators monitor this\n system. Anyone using this computer network system\n expressly consents to such monitoring and is advised that\n if such monitoring reveals possible conduct of criminal\n activity, system personnel may provide the evidence of\n such activity to law enforcement officers.\n \n Access is restricted to authorized users only.\n Unauthorized access is a violation of state and federal,\n civil and criminal laws.\n**************************************************************************"
  23. set system root-authentication encrypted-password "*REMOVED*"
  24. set system services ssh root-login deny
  25. set system services ssh no-tcp-forwarding
  26. set system services ssh protocol-version v2
  27. set system services ssh max-sessions-per-connection 2
  28. set system services ssh macs hmac-sha2-256
  29. set system services ssh macs hmac-sha2-512
  30. set system services ssh client-alive-count-max 3
  31. set system services ssh client-alive-interval 10
  32. set system services ssh connection-limit 2
  33. set system services ssh rate-limit 2
  34. set system services dhcp-local-server group jdhcp-group interface irb.0
  35. set system services dhcp-local-server group Trusted-Clients interface irb.30
  36. set system services dhcp-local-server group IoT interface irb.20
  37. set system services dhcp-local-server group Guest interface irb.10
  38. set system services dhcp-local-server lease-time-validation lease-time-threshold 3600
  39. set system services web-management https system-generated-certificate
  40. set system services web-management session idle-timeout 30
  41. set system services web-management session session-limit 2
  42. set system host-name Juniper-SRX300
  43. set system time-zone *REMOVED*
  44. set system no-redirects
  45. set system no-redirects-ipv6
  46. set system no-ping-record-route
  47. set system no-ping-time-stamp
  48. set system internet-options no-source-quench
  49. set system internet-options tcp-drop-synfin-set
  50. set system internet-options no-tcp-reset drop-all-tcp
  51. set system ports console log-out-on-disconnect
  52. set system ports auxiliary disable
  53. set system ports auxiliary insecure
  54. set system diag-port-authentication encrypted-password ***DISABLED***
  55. set system pic-console-authentication encrypted-password ***DISABLED***
  56. set system name-server 192.168.30.254
  57. set system name-server 192.168.30.253
  58. set system syslog archive size 100k
  59. set system syslog archive files 3
  60. set system syslog user * any emergency
  61. set system syslog file messages any notice
  62. set system syslog file messages authorization info
  63. set system syslog file messages match "!(kernel time sync enabled)"
  64. set system syslog file interactive-commands interactive-commands any
  65. set system max-configurations-on-flash 5
  66. set system max-configuration-rollbacks 5
  67. set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
  68. set system ntp boot-server 128.138.140.50
  69. set system ntp server 128.138.140.50 prefer
  70. set system ntp server 132.163.97.7
  71. set chassis aggregated-devices ethernet device-count 4
  72. set security log mode stream
  73. set security ike policy ike-remote-vpn-policy mode aggressive
  74. set security ike policy ike-remote-vpn-policy proposal-set standard
  75. set security ike policy ike-remote-vpn-policy pre-shared-key ascii-text "*REMOVED*"
  76. set security ike gateway remote-vpn-local-gw ike-policy ike-remote-vpn-policy
  77. set security ike gateway remote-vpn-local-gw dynamic hostname *REMOVED*
  78. set security ike gateway remote-vpn-local-gw dynamic connections-limit 2
  79. set security ike gateway remote-vpn-local-gw dynamic ike-user-type group-ike-id
  80. set security ike gateway remote-vpn-local-gw external-interface ge-0/0/0.0
  81. set security ike gateway remote-vpn-local-gw aaa access-profile remote-vpn-access-profile
  82. set security ipsec policy ipsec-remote-vpn-policy proposal-set standard
  83. set security ipsec vpn remote-vpn ike gateway remote-vpn-local-gw
  84. set security ipsec vpn remote-vpn ike ipsec-policy ipsec-remote-vpn-policy
  85. set security dynamic-vpn access-profile remote-vpn-access-profile
  86. set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
  87. set security dynamic-vpn clients all ipsec-vpn remote-vpn
  88. set security dynamic-vpn clients all user *REMOVED*
  89. set security screen ids-option untrust-screen icmp ping-death
  90. set security screen ids-option untrust-screen ip bad-option
  91. set security screen ids-option untrust-screen ip record-route-option
  92. set security screen ids-option untrust-screen ip timestamp-option
  93. set security screen ids-option untrust-screen ip stream-option
  94. set security screen ids-option untrust-screen ip spoofing
  95. set security screen ids-option untrust-screen ip source-route-option
  96. set security screen ids-option untrust-screen ip loose-source-route-option
  97. set security screen ids-option untrust-screen ip strict-source-route-option
  98. set security screen ids-option untrust-screen ip unknown-protocol
  99. set security screen ids-option untrust-screen ip tear-drop
  100. set security screen ids-option untrust-screen tcp fin-no-ack
  101. set security screen ids-option untrust-screen tcp port-scan threshold 1000000
  102. set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
  103. set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
  104. set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
  105. set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
  106. set security screen ids-option untrust-screen tcp syn-flood timeout 20
  107. set security screen ids-option untrust-screen tcp land
  108. set security screen ids-option untrust-screen udp port-scan threshold 1000000
  109. set security nat source rule-set trust-to-untrust from zone trust
  110. set security nat source rule-set trust-to-untrust to zone untrust
  111. set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
  112. set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
  113. set security nat source rule-set guest-to-untrust from zone guest
  114. set security nat source rule-set guest-to-untrust to zone untrust
  115. set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 200.200.200.0/24
  116. set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface
  117. set security nat source rule-set IoT-to-untrust from zone IoT
  118. set security nat source rule-set IoT-to-untrust to zone untrust
  119. set security nat source rule-set IoT-to-untrust rule IoT-source-nat-rule match source-address 201.201.201.0/24
  120. set security nat source rule-set IoT-to-untrust rule IoT-source-nat-rule then source-nat interface
  121. set security nat source rule-set remote-vpn-nat from zone untrust
  122. set security nat source rule-set remote-vpn-nat to zone untrust
  123. set security nat source rule-set remote-vpn-nat rule vpn-nat match source-address 202.202.202.0/24
  124. set security nat source rule-set remote-vpn-nat rule vpn-nat then source-nat interface
  125. set security nat destination pool dest-nat-plex description "Plex Server"
  126. set security nat destination pool dest-nat-plex routing-instance default
  127. set security nat destination pool dest-nat-plex address 192.168.30.236/32
  128. set security nat destination pool dest-nat-plex address port *REMOVED*
  129. set security nat destination pool dest-nat-vpn description OpenVPN
  130. set security nat destination pool dest-nat-vpn routing-instance default
  131. set security nat destination pool dest-nat-vpn address 192.168.30.24/32
  132. set security nat destination pool dest-nat-vpn address port *REMOVED*
  133. set security nat destination rule-set rule-set-1 from zone untrust
  134. set security nat destination rule-set rule-set-1 rule rule-1 match destination-address 0.0.0.0/0
  135. set security nat destination rule-set rule-set-1 rule rule-1 match destination-port *REMOVED*
  136. set security nat destination rule-set rule-set-1 rule rule-1 then destination-nat pool dest-nat-plex
  137. set security nat destination rule-set rule-set-1 rule rule-2 match destination-address 0.0.0.0/0
  138. set security nat destination rule-set rule-set-1 rule rule-2 match destination-port *REMOVED*
  139. set security nat destination rule-set rule-set-1 rule rule-2 then destination-nat pool dest-nat-vpn
  140. set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
  141. set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
  142. set security policies from-zone trust to-zone trust policy trust-to-trust match application any
  143. set security policies from-zone trust to-zone trust policy trust-to-trust then permit
  144. set security policies from-zone trust to-zone trust policy trust-to-trust then count
  145. set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
  146. set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
  147. set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
  148. set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
  149. set security policies from-zone untrust to-zone trust policy Plex match source-address any
  150. set security policies from-zone untrust to-zone trust policy Plex match destination-address Plex-Server
  151. set security policies from-zone untrust to-zone trust policy Plex match application Plex
  152. set security policies from-zone untrust to-zone trust policy Plex then permit
  153. set security policies from-zone untrust to-zone trust policy Plex then count
  154. set security policies from-zone untrust to-zone trust policy OpenVPN match source-address any
  155. set security policies from-zone untrust to-zone trust policy OpenVPN match destination-address OpenVPN-Server
  156. set security policies from-zone untrust to-zone trust policy OpenVPN match application OpenVPN
  157. set security policies from-zone untrust to-zone trust policy OpenVPN then permit
  158. set security policies from-zone untrust to-zone trust policy OpenVPN then count
  159. set security policies from-zone untrust to-zone trust policy remote-vpn-policy match source-address any
  160. set security policies from-zone untrust to-zone trust policy remote-vpn-policy match destination-address any
  161. set security policies from-zone untrust to-zone trust policy remote-vpn-policy match application any
  162. set security policies from-zone untrust to-zone trust policy remote-vpn-policy then permit tunnel ipsec-vpn remote-vpn
  163. set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any
  164. set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any
  165. set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any
  166. set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit
  167. set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match source-address any
  168. set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match destination-address any
  169. set security policies from-zone IoT to-zone untrust policy IoT-to-untrust match application any
  170. set security policies from-zone IoT to-zone untrust policy IoT-to-untrust then permit
  171. set security policies from-zone untrust to-zone untrust policy remote-vpn match source-address any
  172. set security policies from-zone untrust to-zone untrust policy remote-vpn match destination-address any
  173. set security policies from-zone untrust to-zone untrust policy remote-vpn match application any
  174. set security policies from-zone untrust to-zone untrust policy remote-vpn then permit tunnel ipsec-vpn remote-vpn
  175. set security policies from-zone guest to-zone trust policy To-Plex-Server match source-address any
  176. set security policies from-zone guest to-zone trust policy To-Plex-Server match destination-address Plex-Server
  177. set security policies from-zone guest to-zone trust policy To-Plex-Server match application Plex
  178. set security policies from-zone guest to-zone trust policy To-Plex-Server then permit
  179. set security policies from-zone guest to-zone trust policy To-Plex-Server then count
  180. set security policies from-zone guest to-zone trust policy To-Pi-Hole match source-address any
  181. set security policies from-zone guest to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server
  182. set security policies from-zone guest to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server-Secondary
  183. set security policies from-zone guest to-zone trust policy To-Pi-Hole match application Pi-Hole-UDP
  184. set security policies from-zone guest to-zone trust policy To-Pi-Hole match application Pi-Hole-TCP
  185. set security policies from-zone guest to-zone trust policy To-Pi-Hole then permit
  186. set security policies from-zone IoT to-zone trust policy To-Pi-Hole match source-address any
  187. set security policies from-zone IoT to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server
  188. set security policies from-zone IoT to-zone trust policy To-Pi-Hole match destination-address Pi-Hole-Server-Secondary
  189. set security policies from-zone IoT to-zone trust policy To-Pi-Hole match application Pi-Hole-UDP
  190. set security policies from-zone IoT to-zone trust policy To-Pi-Hole match application Pi-Hole-TCP
  191. set security policies from-zone IoT to-zone trust policy To-Pi-Hole then permit
  192. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match source-address any
  193. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match destination-address Verizon-4G-LTE
  194. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match application Verizon-4G-LTE-80
  195. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE match application Verizon-4G-LTE-443
  196. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE then permit
  197. set security policies from-zone trust to-zone IoT policy To-Verizon-4G-LTE then count
  198. set security policies default-policy deny-all
  199. set security zones security-zone trust address-book address Plex-Server 192.168.30.236/32
  200. set security zones security-zone trust address-book address OpenVPN-Server 192.168.30.24/32
  201. set security zones security-zone trust address-book address Pi-Hole-Server 192.168.30.254/32
  202. set security zones security-zone trust address-book address Pi-Hole-Server-Secondary 192.168.30.253/32
  203. set security zones security-zone trust host-inbound-traffic system-services all
  204. set security zones security-zone trust host-inbound-traffic protocols all
  205. set security zones security-zone trust interfaces irb.0
  206. set security zones security-zone trust interfaces irb.30
  207. set security zones security-zone untrust screen untrust-screen
  208. set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
  209. set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
  210. set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
  211. set security zones security-zone guest host-inbound-traffic system-services dhcp
  212. set security zones security-zone guest interfaces irb.10
  213. set security zones security-zone IoT address-book address Verizon-4G-LTE 201.201.201.254/32
  214. set security zones security-zone IoT host-inbound-traffic system-services dhcp
  215. set security zones security-zone IoT host-inbound-traffic system-services ping
  216. set security zones security-zone IoT interfaces irb.20
  217. set interfaces interface-range LACP-To-Juniper-EX2300-C member ge-0/0/7
  218. set interfaces interface-range LACP-To-Juniper-EX2300-C member ge-0/0/6
  219. set interfaces interface-range LACP-To-Juniper-EX2300-C description "LACP -> EX2300-C"
  220. set interfaces interface-range LACP-To-Juniper-EX2300-C ether-options 802.3ad ae0
  221. set interfaces ge-0/0/0 description "To AT&T Gateway"
  222. set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
  223. set interfaces ge-0/0/0 unit 0 family inet filter input BLOCKED-IPs
  224. set interfaces ge-0/0/1 description AVAILABLE
  225. set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
  226. set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Guest
  227. set interfaces ge-0/0/2 description AVAILABLE
  228. set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
  229. set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Guest
  230. set interfaces ge-0/0/3 description AVAILABLE
  231. set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
  232. set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members Guest
  233. set interfaces ge-0/0/4 description AVAILABLE
  234. set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
  235. set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members Guest
  236. set interfaces ge-0/0/5 description AVAILABLE
  237. set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
  238. set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members Guest
  239. set interfaces ae0 description "LACP -> EX2300-C"
  240. set interfaces ae0 native-vlan-id 3
  241. set interfaces ae0 aggregated-ether-options link-speed 1g
  242. set interfaces ae0 aggregated-ether-options lacp active
  243. set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
  244. set interfaces ae0 unit 0 family ethernet-switching vlan members all
  245. set interfaces ae0 unit 0 family ethernet-switching vlan members Guest
  246. set interfaces ae0 unit 0 family ethernet-switching vlan members IoT
  247. set interfaces ae0 unit 0 family ethernet-switching vlan members Trusted-Clients
  248. set interfaces irb unit 0 family inet address 192.168.1.1/24
  249. set interfaces irb unit 10 family inet policer input limit-100m
  250. set interfaces irb unit 10 family inet policer output limit-100m
  251. set interfaces irb unit 10 family inet address 200.200.200.1/24
  252. set interfaces irb unit 20 family inet policer input limit-100m
  253. set interfaces irb unit 20 family inet policer output limit-100m
  254. set interfaces irb unit 20 family inet address 201.201.201.1/24
  255. set interfaces irb unit 30 family inet address 192.168.30.1/24
  256. set interfaces lo0 unit 0 family inet filter input PROTECT-RE
  257. set forwarding-options packet-capture maximum-capture-size 1500
  258. set policy-options prefix-list ntp-servers
  259. set policy-options prefix-list mgmt-nets 192.168.30.0/24
  260. set policy-options prefix-list mgmt-nets 202.202.202.0/24
  261. set policy-options prefix-list localhost
  262. set policy-options prefix-list BLOCK-IP-LIST 60.190.248.10/32
  263. set policy-options prefix-list BLOCK-IP-LIST 164.52.24.173/32
  264. set policy-options prefix-list BLOCK-IP-LIST 187.72.29.2/32
  265. set policy-options prefix-list BLOCK-IP-LIST 202.96.99.84/32
  266. set policy-options prefix-list BLOCK-IP-LIST 216.218.206.64/26
  267. set firewall family inet filter PROTECT-RE term allow-ssh from source-prefix-list mgmt-nets
  268. set firewall family inet filter PROTECT-RE term allow-ssh from protocol tcp
  269. set firewall family inet filter PROTECT-RE term allow-ssh from destination-port ssh
  270. set firewall family inet filter PROTECT-RE term allow-ssh then policer limit-10m
  271. set firewall family inet filter PROTECT-RE term allow-ssh then accept
  272. set firewall family inet filter PROTECT-RE term icmp-frags from is-fragment
  273. set firewall family inet filter PROTECT-RE term icmp-frags from protocol icmp
  274. set firewall family inet filter PROTECT-RE term icmp-frags then count icmp-frags
  275. set firewall family inet filter PROTECT-RE term icmp-frags then log
  276. set firewall family inet filter PROTECT-RE term icmp-frags then discard
  277. set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
  278. set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type echo-request
  279. set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type echo-reply
  280. set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type unreachable
  281. set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type time-exceeded
  282. set firewall family inet filter PROTECT-RE term allow-icmp then policer limit-1m
  283. set firewall family inet filter PROTECT-RE term allow-icmp then count allow-icmp
  284. set firewall family inet filter PROTECT-RE term allow-icmp then accept
  285. set firewall family inet filter PROTECT-RE term allow-traceroute from protocol udp
  286. set firewall family inet filter PROTECT-RE term allow-traceroute from destination-port 33434-33523
  287. set firewall family inet filter PROTECT-RE term allow-traceroute then policer limit-1m
  288. set firewall family inet filter PROTECT-RE term allow-traceroute then count allow-traceroute
  289. set firewall family inet filter PROTECT-RE term allow-traceroute then accept
  290. set firewall family inet filter PROTECT-RE term tcp-established from protocol tcp
  291. set firewall family inet filter PROTECT-RE term tcp-established from source-port ssh
  292. set firewall family inet filter PROTECT-RE term tcp-established from tcp-established
  293. set firewall family inet filter PROTECT-RE term tcp-established then policer limit-10m
  294. set firewall family inet filter PROTECT-RE term tcp-established then count tcp-established
  295. set firewall family inet filter PROTECT-RE term tcp-established then accept
  296. set firewall family inet filter PROTECT-RE term allow-jweb from source-address 192.168.30.0/24
  297. set firewall family inet filter PROTECT-RE term allow-jweb from protocol tcp
  298. set firewall family inet filter PROTECT-RE term allow-jweb from destination-port https
  299. set firewall family inet filter PROTECT-RE term allow-jweb then policer limit-10m
  300. set firewall family inet filter PROTECT-RE term allow-jweb then count allow-jweb
  301. set firewall family inet filter PROTECT-RE term allow-jweb then accept
  302. set firewall family inet filter PROTECT-RE term allow-dhcp-client from source-address 0.0.0.0/32
  303. set firewall family inet filter PROTECT-RE term allow-dhcp-client from destination-address 255.255.255.255/32
  304. set firewall family inet filter PROTECT-RE term allow-dhcp-client from protocol udp
  305. set firewall family inet filter PROTECT-RE term allow-dhcp-client from source-port 68
  306. set firewall family inet filter PROTECT-RE term allow-dhcp-client then policer limit-32k
  307. set firewall family inet filter PROTECT-RE term allow-dhcp-client then count allow-dhcp-client
  308. set firewall family inet filter PROTECT-RE term allow-dhcp-client then accept
  309. set firewall family inet filter PROTECT-RE term allow-dhcp-server from protocol udp
  310. set firewall family inet filter PROTECT-RE term allow-dhcp-server from source-port 67
  311. set firewall family inet filter PROTECT-RE term allow-dhcp-server from source-port 68
  312. set firewall family inet filter PROTECT-RE term allow-dhcp-server from destination-port 67
  313. set firewall family inet filter PROTECT-RE term allow-dhcp-server from destination-port 68
  314. set firewall family inet filter PROTECT-RE term allow-dhcp-server then policer limit-32k
  315. set firewall family inet filter PROTECT-RE term allow-dhcp-server then count allow-dhcp-server
  316. set firewall family inet filter PROTECT-RE term allow-dhcp-server then accept
  317. set firewall family inet filter PROTECT-RE term allow-ntp from source-address 127.0.0.1/32
  318. set firewall family inet filter PROTECT-RE term allow-ntp from source-address 128.138.140.50/32
  319. set firewall family inet filter PROTECT-RE term allow-ntp from source-address 132.163.97.7/32
  320. set firewall family inet filter PROTECT-RE term allow-ntp from source-address 192.168.1.1/32
  321. set firewall family inet filter PROTECT-RE term allow-ntp from protocol udp
  322. set firewall family inet filter PROTECT-RE term allow-ntp from port ntp
  323. set firewall family inet filter PROTECT-RE term allow-ntp then policer limit-32k
  324. set firewall family inet filter PROTECT-RE term allow-ntp then count allow-ntp
  325. set firewall family inet filter PROTECT-RE term allow-ntp then accept
  326. set firewall family inet filter PROTECT-RE term allow-dns from source-address 127.0.0.1/32
  327. set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.1.1/32
  328. set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.2.254/32
  329. set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.30.254/32
  330. set firewall family inet filter PROTECT-RE term allow-dns from source-address 192.168.30.253/32
  331. set firewall family inet filter PROTECT-RE term allow-dns from protocol tcp
  332. set firewall family inet filter PROTECT-RE term allow-dns from protocol udp
  333. set firewall family inet filter PROTECT-RE term allow-dns from port domain
  334. set firewall family inet filter PROTECT-RE term allow-dns then policer limit-32k
  335. set firewall family inet filter PROTECT-RE term allow-dns then count allow-dns
  336. set firewall family inet filter PROTECT-RE term allow-dns then accept
  337. set firewall family inet filter PROTECT-RE term allow-https from protocol tcp
  338. set firewall family inet filter PROTECT-RE term allow-https from destination-port https
  339. set firewall family inet filter PROTECT-RE term allow-https then policer limit-1m
  340. set firewall family inet filter PROTECT-RE term allow-https then count allow-https
  341. set firewall family inet filter PROTECT-RE term allow-https then accept
  342. set firewall family inet filter PROTECT-RE term allow-ike from protocol udp
  343. set firewall family inet filter PROTECT-RE term allow-ike from destination-port 500
  344. set firewall family inet filter PROTECT-RE term allow-ike from destination-port 4500
  345. set firewall family inet filter PROTECT-RE term allow-ike then policer limit-1m
  346. set firewall family inet filter PROTECT-RE term allow-ike then count allow-ike/ipsec
  347. set firewall family inet filter PROTECT-RE term allow-ike then accept
  348. set firewall family inet filter PROTECT-RE term default-discard then count default-discard
  349. set firewall family inet filter PROTECT-RE term default-discard then log
  350. set firewall family inet filter PROTECT-RE term default-discard then syslog
  351. set firewall family inet filter PROTECT-RE term default-discard then discard
  352. set firewall family inet filter BLOCKED-IPs term DENY from prefix-list BLOCK-IP-LIST
  353. set firewall family inet filter BLOCKED-IPs term DENY then count BLOCKED-IPs
  354. set firewall family inet filter BLOCKED-IPs term DENY then log
  355. set firewall family inet filter BLOCKED-IPs term DENY then discard
  356. set firewall family inet filter BLOCKED-IPs term DEFAULT-ACCEPT then accept
  357. set firewall policer limit-100m if-exceeding bandwidth-limit 100m
  358. set firewall policer limit-100m if-exceeding burst-size-limit 625k
  359. set firewall policer limit-100m then discard
  360. set firewall policer limit-10m if-exceeding bandwidth-limit 10m
  361. set firewall policer limit-10m if-exceeding burst-size-limit 625k
  362. set firewall policer limit-10m then discard
  363. set firewall policer limit-1m if-exceeding bandwidth-limit 1m
  364. set firewall policer limit-1m if-exceeding burst-size-limit 15k
  365. set firewall policer limit-1m then discard
  366. set firewall policer limit-32k if-exceeding bandwidth-limit 32k
  367. set firewall policer limit-32k if-exceeding burst-size-limit 15k
  368. set firewall policer limit-32k then discard
  369. set access profile remote-vpn-access-profile client *REMOVED* firewall-user password "*REMOVED*"
  370. set access profile remote-vpn-access-profile address-assignment pool remote-vpn-address-pool
  371. set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
  372. set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
  373. set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
  374. set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
  375. set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
  376. set access address-assignment pool Trusted-Clients family inet network 192.168.30.0/24
  377. set access address-assignment pool Trusted-Clients family inet range Trusted-Clients low 192.168.30.2
  378. set access address-assignment pool Trusted-Clients family inet range Trusted-Clients high 192.168.30.254
  379. set access address-assignment pool Trusted-Clients family inet dhcp-attributes name-server 192.168.30.254
  380. set access address-assignment pool Trusted-Clients family inet dhcp-attributes name-server 192.168.30.253
  381. set access address-assignment pool Trusted-Clients family inet dhcp-attributes router 192.168.30.1
  382. set access address-assignment pool Guest family inet network 200.200.200.0/24
  383. set access address-assignment pool Guest family inet range Guest low 200.200.200.2
  384. set access address-assignment pool Guest family inet range Guest high 200.200.200.254
  385. set access address-assignment pool Guest family inet dhcp-attributes name-server 192.168.30.254
  386. set access address-assignment pool Guest family inet dhcp-attributes name-server 192.168.30.253
  387. set access address-assignment pool Guest family inet dhcp-attributes router 200.200.200.1
  388. set access address-assignment pool IoT family inet network 201.201.201.0/24
  389. set access address-assignment pool IoT family inet range IoT low 201.201.201.2
  390. set access address-assignment pool IoT family inet range IoT high 201.201.201.254
  391. set access address-assignment pool IoT family inet dhcp-attributes name-server 192.168.30.254
  392. set access address-assignment pool IoT family inet dhcp-attributes name-server 192.168.30.253
  393. set access address-assignment pool IoT family inet dhcp-attributes router 201.201.201.1
  394. set access address-assignment pool IoT family inet host Verizon-4G-LTE hardware-address *REMOVED*
  395. set access address-assignment pool IoT family inet host Verizon-4G-LTE ip-address 201.201.201.254
  396. set access address-assignment pool remote-vpn-address-pool family inet network 202.202.202.0/24
  397. set access address-assignment pool remote-vpn-address-pool family inet xauth-attributes primary-dns 192.168.30.254/32
  398. set access address-assignment pool remote-vpn-address-pool family inet xauth-attributes secondary-dns 192.168.30.253/32
  399. set access firewall-authentication web-authentication default-profile remote-vpn-access-profile
  400. set applications application Plex protocol tcp
  401. set applications application Plex destination-port *REMOVED*
  402. set applications application OpenVPN protocol udp
  403. set applications application OpenVPN destination-port *REMOVED*
  404. set applications application Pi-Hole-UDP protocol udp
  405. set applications application Pi-Hole-UDP destination-port *REMOVED*
  406. set applications application Pi-Hole-TCP protocol tcp
  407. set applications application Pi-Hole-TCP destination-port *REMOVED*
  408. set applications application Verizon-4G-LTE-443 protocol tcp
  409. set applications application Verizon-4G-LTE-443 destination-port *REMOVED*
  410. set applications application Verizon-4G-LTE-80 protocol tcp
  411. set applications application Verizon-4G-LTE-80 destination-port *REMOVED*
  412. set vlans Guest vlan-id 10
  413. set vlans Guest l3-interface irb.10
  414. set vlans IoT vlan-id 20
  415. set vlans IoT l3-interface irb.20
  416. set vlans Trusted-Clients vlan-id 30
  417. set vlans Trusted-Clients l3-interface irb.30
  418. set vlans vlan-trust vlan-id 3
  419. set vlans vlan-trust l3-interface irb.0
  420. set protocols l2-learning global-mode switching
  421. set protocols lldp interface all disable
  422. set protocols lldp interface ge-0/0/0 disable
  423. set protocols lldp-med interface ge-0/0/0 disable
  424. set protocols rstp interface all