## Last commit: 2025-02-04 08:36:03 CST by me
/* Junos release the configuration was taken from. */
version 23.4R2-S3.9;
/* Per-node settings for the two-member chassis cluster. "apply-groups ${node}"
   below expands the node0 or node1 group on the respective member. Only the
   host name and the fxp0 (management) address differ between the nodes; the
   same two addresses appear in the address book as P-INT-MDCBR_N0_MGT and
   P-INT-MDCBR_N1_MGT. */
groups {
    node0 {
        system {
            host-name MDCBR-N0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.253/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name MDCBR-N1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.252/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        /* The hash is blank here only because the paste scrubs ## SECRET-DATA;
           confirm a real hash is committed on the box. Root over SSH is
           separately denied under services ssh (root-login deny). */
        encrypted-password ""; ## SECRET-DATA
    }
    login {
        /* Brute-force damping for interactive logins: 3 attempts per connection,
           back-off after the 2nd failure, 5-minute lockout. */
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 2;
            lockout-period 5;
        }
        /* Template class for RADIUS-mapped read-only users. No "secret"
           permission, so hashes and shared secrets stay hidden from them. */
        class read-only-remote {
            idle-timeout 10;
            login-alarms;
            permissions [ view view-configuration ];
        }
        /* NOTE(review): "secret" lets this class read password hashes and the
           RADIUS shared secrets out of "show configuration", and the
           allow-commands regex additionally permits "request system power-off".
           A leaked service credential therefore yields both credential material
           and a one-command denial of service. Drop "secret" unless the consumer
           truly needs it, and confirm the regex is anchored the way you expect
           (the trailing ".*" accepts any power-off options). */
        class service-accounts {
            idle-timeout 5;
            login-alarms;
            permissions [ secret view view-configuration ];
            allow-commands "(request system power-off.*|show configuration \| display set \| no-more)";
        }
        /* Local break-glass class: full rights and no idle timeout. */
        class super-user-local {
            login-alarms;
            permissions all;
        }
        /* RADIUS-mapped administrators: full rights, 10-minute idle timeout. */
        class super-user-remote {
            idle-timeout 10;
            login-alarms;
            permissions all;
        }
        /* The only account with a local password (redacted here). With
           authentication-order radius below, this is the fallback identity when
           the RADIUS servers do not answer. */
        user admin {
            full-name Administrator;
            uid 2000;
            class super-user-local;
            authentication {
                encrypted-password ""; ## SECRET-DATA
            }
        }
        /* The next three users carry no authentication block: they are template
           accounts that RADIUS is expected to map authenticated users onto.
           NOTE(review): confirm the RADIUS server returns the attribute that
           selects the template; otherwise remote users land on a default. */
        user remote-admin {
            full-name "Remote Admins";
            uid 2001;
            class super-user-remote;
        }
        user remote-read-only {
            full-name "Remote Read-Only Users";
            uid 2002;
            class read-only-remote;
        }
        user service-accounts {
            full-name "Service Accounts";
            uid 2003;
            class service-accounts;
        }
        /* Legal warning banner shown before authentication. */
        message "\n########################################################################\n# THIS SYSTEM IS RESTRICTED TO AUTHORIZED USAGE! #\n# #\n# Unauthorized usage will be subject to criminal penalties, fines, #\n# damages and/or disciplinary action. If you are not authorized to use #\n# this system, you must exit immediately. If you are authorized to #\n# use this system, you must do so in compliance with all laws, #\n# regulations, conduct rules, and company security policies applicable #\n# to this system. This system, including any hardware components, #\n# software, workstations, and storage spaces is subject to monitoring #\n# and search without advanced notice. Users should have no expectation #\n# of privacy in their use of any aspect of this system. #\n########################################################################\n\n";
    }
    services {
        /* NETCONF-over-SSH is configured but deactivated. */
        inactive: netconf {
            ssh;
        }
        /* SSH hardening: no root login, protocol 2 only, at most two sessions
           per connection. sftp-server turns on the SFTP subsystem for every
           account that can SSH in. */
        ssh {
            root-login deny;
            protocol-version v2;
            max-sessions-per-connection 2;
            sftp-server;
        }
        /* FINDING: Telnet is enabled with no restriction. Passwords (including
           the RADIUS-backed ones) and every session cross the network in
           cleartext, and nothing in this excerpt limits which interfaces accept
           it. Remove it ("delete system services telnet") and rely on SSH; if it
           must stay, confine it with a loopback firewall filter. */
        telnet;
        /* One DHCP server group per user, IoT, guest and infrastructure VLAN.
           reth0/1/2 are the cluster's redundant Ethernet interfaces; the VLAN
           tag is the unit number. */
        dhcp-local-server {
            group EXT-IoT {
                interface reth2.2328;
            }
            group EXT-IoT-WLAN {
                interface reth2.2329;
            }
            group EXT-User-Untrust {
                interface reth2.3400;
            }
            group EXT-User-Untrust-RLAN {
                interface reth2.3732;
            }
            group EXT-User-Untrust-WLAN {
                interface reth2.3700;
            }
            group INT-IoT-Facilities {
                interface reth1.2022;
            }
            group INT-IoT-Facilities-WLAN {
                interface reth1.2023;
            }
            group INT-IoT-Printers {
                interface reth1.2116;
            }
            group INT-IoT-Printers-WLAN {
                interface reth1.2117;
            }
            group INT-IoT-Security {
                interface reth1.2020;
            }
            group INT-IoT-Security-WLAN {
                interface reth1.2021;
            }
            group INT-IoT-Telecom-B1 {
                interface reth1.2316;
            }
            group INT-User-IT-Admins {
                interface reth1.3416;
            }
            group INT-User-IT-Admins-WLAN {
                interface reth1.3716;
            }
            group INT-User-IT-Staff {
                interface reth1.3424;
            }
            group INT-User-IT-Staff-WLAN {
                interface reth1.3724;
            }
            group INT-User-Trust {
                interface reth1.3410;
            }
            group INT-User-Trust-WLAN {
                interface reth1.3710;
            }
            group Infra-Network-Power {
                interface reth0.1015;
            }
            group Infra-Network-Wireless {
                interface reth0.1020;
            }
            group MDC-EXT {
                interface reth2.160;
            }
            group MDC-EXT-WLAN {
                interface reth2.161;
            }
            /* Factory-default DHCP group on irb.0, left deactivated. */
            inactive: group jdhcp-group {
                interface irb.0;
            }
        }
        /* J-Web over HTTPS with a self-signed certificate (browsers cannot
           validate it, so a man-in-the-middle is indistinguishable from the
           real box) and no "interface" restriction, so it answers on every
           interface whose zone allows host-inbound HTTPS (zone configuration is
           not in this excerpt). Prefer "interface fxp0.0" or disable J-Web; a
           Lets_Encrypt PKI profile is configured further down if a trusted
           certificate is wanted. */
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    auto-snapshot;
    domain-name mgmt.mdc.com;
    domain-search [ mgmt.mdc.com wlc.mdc.com ad.mdc.com lab.mdc.com mdc.com ];
    time-zone America/Chicago;
    /* fxp0 is placed in the dedicated management routing instance. */
    management-instance;
    /* RADIUS only. NOTE(review): with "password" absent from this list, Junos
       consults the local database only when no RADIUS server responds, not
       when a server rejects the user - verify that is the intended break-glass
       behaviour for "admin". */
    authentication-order radius;
    /* Internal resolvers (the two hosts also listed in the address book as
       INT-MINION-DC1-PROD / INT-MINION-DC2-PROD), queried from the loopback
       VIP 10.255.255.1. Google public DNS is kept but deactivated. */
    name-server {
        inactive: 8.8.8.8;
        inactive: 8.8.4.4;
        10.20.11.1 source-address 10.255.255.1;
        10.20.11.2 source-address 10.255.255.1;
    }
    /* The same two hosts serve RADIUS authentication and accounting; secrets
       redacted by the paste. Transport is classic RADIUS over UDP, so the
       strength of the shared secret is what protects the exchange. */
    radius-server {
        10.20.11.1 {
            secret ""; ## SECRET-DATA
            timeout 2;
            source-address 10.255.255.1;
        }
        10.20.11.2 {
            secret ""; ## SECRET-DATA
            timeout 2;
            source-address 10.255.255.1;
        }
    }
    /* Logins, configuration changes and every interactive command are
       accounted to RADIUS - a good off-box audit trail of admin activity. */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            radius {
                server {
                    10.20.11.1 {
                        secret ""; ## SECRET-DATA
                        source-address 10.255.255.1;
                    }
                    10.20.11.2 {
                        secret ""; ## SECRET-DATA
                        source-address 10.255.255.1;
                    }
                }
            }
        }
    }
    syslog {
        /* Default on-box archive is tiny (100k x 3 files); the remote
           collectors below are the durable copy. */
        archive {
            size 100k;
            files 3;
        }
        user * {
            any emergency;
        }
        /* 10.20.10.4 receives only session and web-filter events (it is also the
           security log stream target); 10.20.10.9 receives everything at info
           or worse, minus session logs and the SSH "identification string"
           noise produced by the two monitoring hosts 10.20.10.1/.2
           (INT-MDC-VM-MONITOR / -MONITOR2). Both are plain syslog - no TLS -
           so the collector path must be trusted. */
        host 10.20.10.4 {
            any any;
            match "(RT_FLOW_SESSION|WEBFILTER_URL_BLOCKED)";
            source-address 10.255.255.1;
        }
        host 10.20.10.9 {
            any info;
            match "!(identification string from 10.20.10.1|identification string from 10.20.10.2|RT_FLOW_SESSION)";
            source-address 10.255.255.1;
        }
        file alert {
            any alert;
        }
        inactive: file auth-log {
            authorization any;
            change-log any;
            match "!(identification string from 10.20.10.1|identification string from 10.20.10.2)";
        }
        /* Local command-line audit trail (every CLI line read). */
        file commands {
            any info;
            match UI_CMDLINE_READ_LINE;
            archive {
                size 1m;
                files 1;
            }
        }
        file critical {
            any critical;
        }
        file default-log-message {
            any any;
            match "!RT_FLOW_SESSION";
        }
        file emergency {
            any emergency;
        }
        file error {
            any error;
        }
        file info {
            any info;
            match "!RT_FLOW_SESSION";
        }
        file interactive-commands {
            interactive-commands any;
            archive {
                size 2m;
                files 5;
            }
        }
        /* Local authentication audit: login/logout events and SSH failures. */
        file login {
            any info;
            match "(UI_AUTH_EVENT|UI_LOGIN_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT)";
            archive {
                size 1m;
                files 1;
            }
        }
        file messages {
            any critical;
            authorization any;
            match "!(identification string from 10.20.10.1|identification string from 10.20.10.2)";
            archive {
                size 2m;
                files 5;
            }
            explicit-priority;
        }
        file notice {
            any notice;
        }
        file snapshot {
            archive {
                size 2m;
                files 1;
            }
        }
        file syslog-event-daemon-info {
            daemon info;
            match "!exited, status 255";
        }
        /* Local traffic-log files are all deactivated; session logs go to
           10.20.10.4 instead. */
        inactive: file traffic-log-all {
            any any;
            match RT_FLOW_SESSION;
            archive {
                size 2m;
                files 1;
            }
        }
        inactive: file traffic-log-denied {
            any any;
            match RT_FLOW_SESSION_DENY;
            archive {
                size 3m;
                files 1;
            }
        }
        inactive: file traffic-log-permitted {
            any any;
            match RT_FLOW_SESSION_CREATE;
            archive {
                size 2m;
                files 1;
            }
        }
        file warning {
            any warning;
        }
        inactive: file web-filter-denied {
            any any;
            match WEBFILTER_URL_BLOCKED;
            archive {
                size 2m;
                files 1;
            }
        }
        /* Year and millisecond in timestamps - needed for cross-host correlation. */
        time-format year millisecond;
    }
    /* Only five committed configurations / rollbacks kept locally (Junos
       default is 49): trims the on-box change history available for
       incident forensics. Make sure the RADIUS change-log accounting above
       is actually retained. */
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NIST time sources, unauthenticated (no authentication-key / trusted-key).
       Time underpins log correlation, certificate validation and time-limited
       credentials; consider authenticated NTP or an internal source. Sourced
       from the loopback VIP. */
    ntp {
        server 132.163.96.1 prefer;
        server 132.163.96.2;
        source-address 10.255.255.1;
    }
    /* Call-home provisioning is deactivated. */
    inactive: phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
chassis {
    /* The physical reset/config button cannot wipe the configuration - blocks
       the walk-up factory-reset path. */
    config-button no-clear;
    /* Automatic image upgrade (zero-touch) left deactivated. */
    inactive: auto-image-upgrade;
    cluster {
        reth-count 5;
        network-management {
            cluster-master;
        }
        /* Both redundancy groups prefer node0. RG0 is the control plane; RG1 is
           the data plane and fails back to node0 when it recovers (preempt),
           sending 4 gratuitous ARPs on switchover. */
        redundancy-group 0 {
            node 0 priority 254;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 254;
            node 1 priority 1;
            preempt;
            gratuitous-arp-count 4;
            /* Every monitored link carries weight 255, so losing any single one
               of them zeroes the node's RG1 priority and triggers failover.
               ge-0/0/6 is excluded from monitoring. */
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-0/0/5 weight 255;
                inactive: ge-0/0/6 weight 255;
                ge-0/0/7 weight 255;
            }
        }
    }
}
  388. security {
    log {
        /* Data-plane security logging in stream mode: records are sent as
           structured syslog straight to the collector, sourced from the loopback
           VIP, with a local cache kept. Transport is UDP/514 with no TLS, so
           the path to 10.20.10.4 must be trusted and the logs are not tamper
           evident in transit. */
        cache;
        mode stream;
        format sd-syslog;
        source-address 10.255.255.1;
        stream MDC-IDR1 {
            severity info;
            format sd-syslog;
            category all;
            host {
                10.20.10.4;
                port 514;
            }
        }
    }
    pki {
        /* Let's Encrypt root (ISRG Root X1) pre-loaded and an ACME enrollment
           profile. Nothing visible in this excerpt references them - J-Web still
           uses a system-generated certificate - so this looks like prepared but
           unused groundwork for a trusted management certificate. */
        ca-profile ISRG_Root_X1 {
            ca-identity ISRG_Root_X1;
            pre-load;
        }
        ca-profile Lets_Encrypt {
            ca-identity Lets_Encrypt;
            enrollment {
                url https://acme-v02.api.letsencrypt.org/directory;
            }
        }
    }
    ike {
        /* All proposals use pre-shared keys. Which ones an IKE policy actually
           references is outside this excerpt; proposals that are never meant to
           be negotiated should be deleted rather than left available. */
        /* FINDING: 1024-bit DH (group2), MD5 and 3DES are all deprecated; this
           proposal gives no meaningful protection against a capable adversary.
           Remove it. */
        proposal pre-g2-3des-md5 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* Weak: group2 is 1024-bit DH and SHA-1 integrity. Move to group14 or
           higher (group20 as below). */
        proposal pre-g2-aes256-sha1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        /* Name says "g2" but the DH group is group5 (1536-bit) - still below
           current guidance. Rename or replace so the name matches what it does. */
        proposal pre-g2-aes256-sha256 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        /* group20 (ECP-384), SHA-384, AES-128-CBC: acceptable. */
        proposal pre-g20-aes128cbc-sha384 {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha-384;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        /* Name says "aes128" but the cipher is aes-256-cbc, making this
           identical to the next proposal. Misnamed proposals invite the wrong
           pick in an IKE policy; rename or remove the duplicate. */
        proposal pre-g20-aes128cbc-sha256 {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        proposal pre-g20-aes256cbc-sha256 {
            authentication-method pre-shared-keys;
            dh-group group20;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
    }
    ipsec {
        /* "pfs"/"nopfs" in the names is only a hint: perfect forward secrecy is
           configured on the IPsec policy that references a proposal, not in the
           proposal itself. Which proposals are referenced is outside this
           excerpt. */
        /* HMAC-SHA1 is tolerable but ageing; the byte lifetime 4194303 looks
           like an off-by-one from 4194304 (4 GiB). */
        proposal nopfs-esp-aes256-sha1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
            lifetime-kilobytes 4194303;
        }
        /* FINDING: 3DES with HMAC-MD5 is deprecated; remove so it can never be
           negotiated. */
        proposal nopfs-esp-3des-md5 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        /* Naming drift: "sha_1" here versus "sha1" in its sibling. */
        proposal nopfs-esp-aes128-sha_1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        proposal nopfs-esp-aes256-sha256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 7200;
        }
        /* AES-256-GCM is an AEAD cipher, so no separate authentication
           algorithm is configured. Preferred proposal in this set. */
        proposal pfs-esp-aes256gcm {
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        proposal pfs-esp-aes192-cbc-sha256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-192-cbc;
            lifetime-seconds 3600;
        }
        proposal pfs-esp-aes-256cbc-sha256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 7200;
        }
    }
    address-book {
        global {
            /* The S1..S6 entries are visual section separators. They match only
               host 0.0.0.0, but they are real objects a policy could reference
               by mistake. */
            address S1----------HELPER_ADDRESSES---------- 0.0.0.0/32;
            address H-DEFAULT_NETWORK 0.0.0.0/0;
            address H-RFC_1918_A 10.0.0.0/8;
            address H-RFC_1918_B 172.16.0.0/12;
            address H-RFC_1918_C 192.168.0.0/16;
            address S2----------INTERNAL_ADDRESSES---------- 0.0.0.0/32;
            address INT-MDC-VM-FS1 10.20.10.6/32;
            /* The two monitoring hosts whose SSH probes are filtered out of the
               syslog streams. */
            address INT-MDC-VM-MONITOR 10.20.10.1/32;
            address INT-MDC-VM-MONITOR2 10.20.10.2/32;
            address INT-MDW1 10.21.17.1/32;
            /* Domain controllers; also the RADIUS and DNS servers under system. */
            address INT-MINION-DC1-PROD 10.20.11.1/32;
            address INT-MINION-DC2-PROD 10.20.11.2/32;
            address S3----------INTERNAL_DMZ_ADDRESSES---------- 0.0.0.0/32;
            address D-INT-MDC-VM-FS2 10.25.31.10/32;
            address D-INT-MDC-VM-SMTP1 10.25.31.11/32;
            address D-INT-MDC-VM-SMTP2 10.25.31.12/32;
            /* Assets that user policies exclude via destination-address-excluded
               (S-PROTECTED_DEVICES): lab space, the firewall's own loopback,
               management and VIP addresses, the Lumen ONT. */
            address S4----------INTERNAL_PROTECTED_ADDRESSES---------- 0.0.0.0/32;
            address P-INT-LAB_SUBNETS 10.0.0.0/16;
            address P-INT-LOOPBACK_AND_P2P 10.255.254.0/23;
            address P-INT-LUMEN_ONT 192.168.0.1/32;
            address P-INT-MDCBR_N0_MGT 10.10.10.253/32;
            address P-INT-MDCBR_N1_MGT 10.10.10.252/32;
            address P-INT_MDCBR_LOOPBACK_VIP 10.255.255.1/32;
            address P-INT_MDCBR_DP_VIP 10.10.16.254/32;
            /* NOTE(review): the next two names resolve to the same host
               (10.10.10.250). One of them is probably stale or mistyped; whichever
               device really lives elsewhere is not covered by S-PROTECTED_DEVICES. */
            address P-INT_MD2BR_MGT 10.10.10.250/32;
            address P-INT-MDCINT0_MGT 10.10.10.250/32;
            address S5----------EXTERNAL_ADDRESSES---------- 0.0.0.0/32;
            /* FQDN object: resolved through the system name-servers, so policy
               reach for this entry is only as trustworthy as internal DNS. */
            address EXT-GOOGLE_SMTP_FQDN {
                dns-name smtp.gmail.com;
            }
            address EXT-ADGUARD_NET94-140-14_HOST32-14 94.140.14.14/32;
            /* Name says NET94-140-14 but the host is in 94.140.15.0. */
            address EXT-ADGUARD_NET94-140-14_HOST32-15-15 94.140.15.15/32;
            address EXT-AKAMAI_NET104-64_HOST32_96-150-139 104.96.150.139/32;
            /* FINDING: name says "NET17" (Apple's 17.0.0.0/8) but the value is
               170.0.0.0/8, a different /8 that is not Apple's. Any policy using
               this object permits the wrong 16 million addresses. Fix to
               17.0.0.0/8 or delete. */
            address EXT-APPLE_NET17 170.0.0.0/8;
            address EXT-21VIANET_NET124-251_HOST32_101-55 124.251.101.55/32;
            address EXT-21VIANET_NET124-251_HOST32_34-134 124.251.34.134/32;
            address EXT-21VIANET_NET124-251_HOST32_34-135 124.251.34.135/32;
            /* Name says 183-84 but the value is 182.84.x - one of them is wrong. */
            address EXT-21VIANET_NET183-84_HOST32_5-154 182.84.5.154/32;
            address EXT-21VIANET_NET183-84_HOST32_7-119 183.84.7.119/32;
            address EXT-21VIANET_NET183-84_HOST32_7-120 183.84.7.120/32;
            address EXT-BJKSCNET_NET120-92_HOST32_65-100 120.92.65.100/32;
            address EXT-BJKSCNET_NET120-92_HOST32_65-101 120.92.65.101/32;
            address EXT-TENCENT_NET106-55_HOST32_134-25 106.55.134.25/32;
            address EXT-GCL_NET92-223_84_HOST32_84 92.223.84.84/32;
            /* Name says 222-195 but the value is 91.222.185.x - one of them is wrong. */
            address EXT-GPSZ4_NET91-222-195_HOST32_233 91.222.185.233/32;
            address EXT-JNPR_AMAZON_NET35-152_HOST32_167-117-215 35.167.117.215/32;
            address EXT-JNPR_AMAZON_NET44-192_HOST32_213-144-179 44.213.144.179/32;
            address EXT-JNPR_AMAZON_NET52_HOST32_38-245-118 52.38.245.118/32;
            address EXT-LUMEN_NET63-224_HOST32_243-195 63.224.243.195/32;
            /* A /10 (about four million addresses), the only non-/32 external
               entry; see S-GEOBLOCK_OVERRIDE below. */
            address EXT-MICROSOFT_NET20-192 20.192.0.0/10;
            address EXT-NIST-B_NET132_HOST32_163-96-1 132.163.96.1/32;
            address EXT-NIST-B_NET132_HOST32_163-96-2 132.163.96.2/32;
            /* Subnets behind the MD2BR site router; referenced by the
               permit-md2br-* global policies. */
            address S6----------MD2BR_ADDRESSES---------- 0.0.0.0/32;
            address M-VLAN1020 10.10.20.0/24;
            address M-VLAN2021 10.20.21.0/24;
            address M-VLAN2023 10.20.23.0/24;
            address M-VLAN2117 10.21.17.0/24;
            address M-VLAN2329 10.23.29.0/24;
            address M-VLAN3700 10.37.0.0/23;
            address M-VLAN3710 10.37.10.0/23;
            address M-VLAN3716 10.37.16.0/23;
            address M-VLAN3724 10.37.24.0/23;
            address M-VLAN3732 10.37.32.0/24;
            /* Not referenced by any policy visible in this excerpt. */
            address-set S-DMZ-NETWORK-MDCINT0-PERMITTED {
                address INT-MDC-VM-MONITOR;
                address INT-MDC-VM-MONITOR2;
                address INT-MINION-DC1-PROD;
                address INT-MINION-DC2-PROD;
                address EXT-JNPR_AMAZON_NET35-152_HOST32_167-117-215;
                address EXT-JNPR_AMAZON_NET44-192_HOST32_213-144-179;
                address EXT-JNPR_AMAZON_NET52_HOST32_38-245-118;
                address EXT-NIST-B_NET132_HOST32_163-96-1;
                address EXT-NIST-B_NET132_HOST32_163-96-2;
            }
            /* The name suggests these bypass a geo-IP block (that policy is not
               in this excerpt). NOTE(review): the Microsoft /10 is a very wide
               exception next to otherwise single-host entries; each exception
               should have an owner and a reason recorded. */
            address-set S-GEOBLOCK_OVERRIDE {
                address EXT-21VIANET_NET124-251_HOST32_101-55;
                address EXT-21VIANET_NET124-251_HOST32_34-134;
                address EXT-21VIANET_NET124-251_HOST32_34-135;
                address EXT-21VIANET_NET183-84_HOST32_5-154;
                address EXT-21VIANET_NET183-84_HOST32_7-119;
                address EXT-21VIANET_NET183-84_HOST32_7-120;
                address EXT-BJKSCNET_NET120-92_HOST32_65-100;
                address EXT-TENCENT_NET106-55_HOST32_134-25;
                address EXT-ADGUARD_NET94-140-14_HOST32-14;
                address EXT-ADGUARD_NET94-140-14_HOST32-15-15;
                address EXT-AKAMAI_NET104-64_HOST32_96-150-139;
                address EXT-GCL_NET92-223_84_HOST32_84;
                address EXT-GPSZ4_NET91-222-195_HOST32_233;
                address EXT-MICROSOFT_NET20-192;
            }
            /* Destinations that user-zone "outbound" policies explicitly exclude. */
            address-set S-PROTECTED_DEVICES {
                address P-INT-LAB_SUBNETS;
                address P-INT-LOOPBACK_AND_P2P;
                address P-INT-LUMEN_ONT;
                address P-INT-MDCBR_N0_MGT;
                address P-INT-MDCBR_N1_MGT;
                address P-INT_MDCBR_DP_VIP;
                address P-INT_MDCBR_LOOPBACK_VIP;
                address P-INT_MD2BR_MGT;
                address P-INT-MDCINT0_MGT;
            }
            /* External (AdGuard) and internal (domain controller) resolvers used by
               the DNS-control policies. */
            address-set S-EXT_TRUSTED_DNS {
                address EXT-ADGUARD_NET94-140-14_HOST32-14;
                address EXT-ADGUARD_NET94-140-14_HOST32-15-15;
            }
            address-set S-INT_TRUSTED_DNS {
                address INT-MINION-DC1-PROD;
                address INT-MINION-DC2-PROD;
            }
            address-set S-RFC_1918 {
                address H-RFC_1918_A;
                address H-RFC_1918_B;
                address H-RFC_1918_C;
            }
        }
    }
    alg {
        /* Application-layer gateways disabled for protocols not in use. This
           shrinks the deep-inspection attack surface; the trade-off is that
           dynamic-port protocols (e.g. SIP, MS-RPC) must be opened explicitly
           if ever needed. */
        dns disable;
        msrpc disable;
        sunrpc disable;
        sip disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    utm {
        custom-objects {
            /* Block lists, written as http://*.domain patterns. NOTE(review):
               the utm-policy at the bottom binds only an http-profile and no
               https-profile is configured, so TLS traffic to these hosts -
               which is nearly all of it for these sites - is not subject to
               this list unless something outside this excerpt handles it.
               Verify with a test from a filtered zone before relying on it. */
            url-pattern {
                Forbidden-URLs-Facebook {
                    value [ http://*.facebook.com http://*.facebook.de http://*.facebook.fr http://*.facebook.net http://*.fb.com http://*.fb.me http://*.fbcdn.com http://*.fbcdn.net http://*.fbpigeon.com http://*.fbsbx.com http://*.fburl.com http://*.internet.org http://*.tfbnw.net http://*.thefacebook.com http://*.m.me http://*.messenger.com ];
                }
                Forbidden-URLs-TikTok {
                    value [ http://*.bytedance.com http://*.bytefcdn-oversea.com http://*.bytefcdn-ttpeu.com http://*.tiktok.com http://*.tiktok.in http://*.tiktok.org http://*.tiktokcdn.com http://*.tiktokd.org http://*.tiktokglobalshop.com http://*.tiktokmusic.app http://*.tiktokshop.com http://*.tiktokstaticb.com http://*.tiktokv.com http://*.tiktokv.eu http://*.tiktokv.us http://*.tiktokw.us ];
                }
                Forbidden-URLs-Pinterest {
                    value [ http://*.pin.it http://*.pinimg.com http://*.pinterest.ch http://*.pinterest.com http://*.pinterest.fr ];
                }
                Forbidden-URLs-Snapchat {
                    value [ http://*.snapchat.com http://*.snapchat.appspot.com http://*.sc-analytics.appspot.com http://*.feelinsonice-hrd.appspot.com http://*.feelinsonice.com ];
                }
                Forbidden-URLs-Epic-Games {
                    value http://*.epicgames.com;
                }
                Forbidden-URLs-Ads-Trackers {
                    value [ http://*.doubleclick.net http://*.adnxs.com http://*.advertising.com http://*.adsrvr.org http://*.adroll.com http://*.criteo.com http://*.pubmatic.com http://*.openx.com http://*.adtech.de http://*.media.net http://*.rubiconproject.com http://*.exelator.com http://*.dynatrace.com http://*.quantcast.com ];
                }
                Forbidden-URLs-Generic {
                    value [ http://*.eurogamer.net http://*.gruanoaph.net http://*.pcgamer.com http://*.tenorshare.com http://*.sweetbabyinc.com http://*.googleadservices.com http://*.ign.com http://*.libertymutual.com http://*.pixiv.net ];
                }
            }
            /* Single category aggregating all of the lists above. */
            custom-url-category {
                Forbidden-URLs {
                    value [ Forbidden-URLs-Facebook Forbidden-URLs-TikTok Forbidden-URLs-Pinterest Forbidden-URLs-Snapchat Forbidden-URLs-Epic-Games Forbidden-URLs-Ads-Trackers Forbidden-URLs-Generic ];
                }
            }
        }
        /* Global default is log-and-permit, but the profile below overrides it
           with plain "permit", so allowed URLs leave no record. */
        default-configuration {
            web-filtering {
                performance-mode;
                type juniper-local;
                juniper-local {
                    default log-and-permit;
                }
            }
        }
        /* Local (on-box) filtering: block the Forbidden-URLs category, permit
           everything else, and fail closed when the filter cannot decide or is
           overloaded. */
        feature-profile {
            web-filtering {
                type juniper-local;
                juniper-local {
                    profile WF-Local-Profile {
                        default permit;
                        category {
                            Forbidden-URLs {
                                action block;
                            }
                        }
                        fallback-settings {
                            default block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        /* Only an http-profile is bound; see the note on url-pattern above. */
        utm-policy mdc-wf-policy {
            web-filtering {
                http-profile WF-Local-Profile;
            }
        }
    }
    screen {
        /* Which zone binds which screen is set under security zones (not in
           this excerpt). DMZ-WAN-screen carries the full IP-option, fragment
           and flood checks but, unlike EXT-All-screen, no "spoofing"
           (reverse-path) check. */
        ids-option DMZ-WAN-screen {
            icmp {
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                /* SYN-flood protection kicks in at 200 SYN/s per destination,
                   alarms at 512, with per-source/destination caps of 4000. */
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    timeout 20;
                }
                land;
                winnuke;
            }
            udp {
                flood {
                    threshold 1000;
                }
            }
        }
        /* Internet-facing profile: as DMZ-WAN plus the ip spoofing check; the
           ICMP flood threshold is omitted here. */
        ids-option EXT-All-screen {
            icmp {
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    timeout 20;
                }
                land;
                winnuke;
            }
            udp {
                flood {
                    threshold 1000;
                }
            }
        }
        /* Light profile for internal zones: source-route, teardrop, SYN-flood
           and land only. */
        ids-option INT-All-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
        /* Factory-default profile, left deactivated. */
        inactive: ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Factory-default trust-to-untrust interface NAT, deactivated. */
            inactive: rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* Every internal zone is hidden behind the egress interface address
               toward EXT-WAN (0.0.0.0/0 matches any source/destination). No
               destination or static NAT appears in this excerpt, so nothing
               inbound is exposed by this stanza; whether traffic is allowed at
               all is decided by the security policies, not here. */
            rule-set MDC-EXT-to-EXT-WAN {
                from zone MDC-EXT;
                to zone EXT-WAN;
                rule SPAT-MDC-EXT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* Admin and infrastructure hosts reaching the Lumen ONT
               (P-INT-LUMEN_ONT, 192.168.0.1) are NATed to the DMZ-side
               interface so the ONT sees a directly connected source. */
            rule-set Infra-and-Admins-to-DMZ-WAN {
                from zone [ INT-User-IT-Admins Infra-Network-Core Infra-Server ];
                to zone DMZ-Network;
                rule SPAT-DMZ-WAN {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address-name P-INT-LUMEN_ONT;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Infra-to-WAN {
                from zone [ Infra-Lab Infra-Network Infra-Network-Core Infra-Server ];
                to zone EXT-WAN;
                rule SPAT-Infra {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set INT-User-to-WAN {
                from zone [ INT-User-IT-Admins INT-User-IT-Staff INT-User-Trust ];
                to zone EXT-WAN;
                rule SPAT-INT-User {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set INT-IoT-to-WAN {
                from zone [ INT-IoT-Facilities INT-IoT-Printers INT-IoT-Telecom ];
                to zone EXT-WAN;
                rule SPAT-INT-IoT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set EXT-IoT-User-to-WAN {
                from zone EXT-IoT-User;
                to zone EXT-WAN;
                rule SPAT-EXT-All {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-Server-to-WAN {
                from zone DMZ-Server;
                to zone EXT-WAN;
                rule SPAT-DMZ-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
  933. policies {
        /* Factory-default any/any permit, deactivated. Leaving it "inactive"
           instead of deleting it keeps a one-word path back to an any/any
           policy; delete it if the trust zone is no longer used. */
        inactive: from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Factory-default outbound any/any permit, deactivated - same remark as
           the trust-to-trust block: delete rather than keep dormant. */
        inactive: from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Guest/external (MDC-EXT) zone gets unrestricted Internet access. Zone
           pair policies are evaluated before the global block, so this permit
           wins over the global deny-mdc-ext-all for EXT-WAN destinations, while
           every other destination from MDC-EXT still hits that deny. Logged at
           session close only. */
        from-zone MDC-EXT to-zone EXT-WAN {
            policy permit-mdc-ext {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
  973. global {
            /* Global policies are evaluated top-down after the zone-pair ones.
               First rule: anything from MDC-EXT that was not already permitted
               toward EXT-WAN is rejected and logged at session start. */
            policy deny-mdc-ext-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone MDC-EXT;
                    to-zone any;
                }
                then {
                    reject;
                    log {
                        session-init;
                    }
                }
            }
            /* FINDING: the lab zone may reach every other zone on any
               application - Infra-Server, DMZ-Server, the domain controllers
               and the user VLANs included - and because this sits above the
               deny-high-risk-* and DNS-control policies, lab traffic is exempt
               from all of them. A lab is usually the least trustworthy internal
               segment; scope this to the destinations the lab actually needs.
               NOTE(review): confirm whether "to-zone any" here also covers
               traffic to the firewall itself (junos-host). */
            policy permit-all-from-lab {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone Infra-Lab;
                    to-zone any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Remote-site (MD2BR) infrastructure VLAN, 10.10.20.0/24, arriving
               over INT-WAN: any application to any zone. As broad as the lab
               rule above and likewise placed ahead of the deny-high-risk and
               DNS controls. */
            policy permit-md2br-infra-outbound {
                match {
                    source-address M-VLAN1020;
                    destination-address any;
                    application any;
                    from-zone INT-WAN;
                    to-zone any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* MD2BR IoT VLANs may do DNS into Infra-Server. Destination is "any"
               rather than S-INT_TRUSTED_DNS, so any host in Infra-Server would
               accept their DNS; tighten to the resolver set for consistency with
               permit-int-trusted-dns below. */
            policy permit-md2br-int-iot-to-dns {
                match {
                    source-address [ M-VLAN2021 M-VLAN2023 M-VLAN2117 ];
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                    from-zone INT-WAN;
                    to-zone Infra-Server;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            /* MD2BR trusted-user VLAN to the two domain controllers, limited to
               the custom MDC-ACTIVE-DIRECTORY application set (its definition is
               not in this excerpt - review that it is the minimal port list). */
            policy permit-md2br-int-user-trust-to-pdc-sdc {
                match {
                    source-address M-VLAN3710;
                    destination-address [ INT-MINION-DC1-PROD INT-MINION-DC2-PROD ];
                    application MDC-ACTIVE-DIRECTORY;
                    from-zone INT-WAN;
                    to-zone Infra-Server;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* MD2BR trusted-user VLAN to the DMZ file server only, limited to
               the custom MDC-DMZ-APPLICATIONS set (defined outside this excerpt). */
            policy permit-md2br-int-user-trust-to-dmz {
                match {
                    source-address M-VLAN3710;
                    destination-address D-INT-MDC-VM-FS2;
                    application MDC-DMZ-APPLICATIONS;
                    from-zone INT-WAN;
                    to-zone DMZ-Server;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* MD2BR IT-admin VLAN: any application to any zone, with no
               S-PROTECTED_DEVICES exclusion. Admin workstations are the usual
               pivot target; consider the same exclusion the IT-staff rule uses
               plus explicit admin-protocol allowances. */
            policy permit-md2br-int-user-it-admins-outbound {
                match {
                    source-address M-VLAN3716;
                    destination-address any;
                    application any;
                    from-zone INT-WAN;
                    to-zone any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* MD2BR IT-staff VLAN: everything except the S-PROTECTED_DEVICES set
               (destination-address-excluded negates the destination match).
               Still "application any" to the domain controllers and DMZ. */
            policy permit-md2br-int-user-it-staff-outbound {
                match {
                    source-address M-VLAN3724;
                    destination-address S-PROTECTED_DEVICES;
                    destination-address-excluded;
                    application any;
                    from-zone INT-WAN;
                    to-zone any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Rejects the custom MDC-HIGH-RISK-GLOBAL application set between any
               zones - but only for traffic not already permitted by the seven
               policies above it (lab, MD2BR infra and MD2BR IT admins are
               exempt). NOTE(review): no log action, so blocked attempts never
               reach the collectors; add "log { session-init; }" as
               deny-mdc-ext-all does. */
            policy deny-high-risk-global {
                match {
                    source-address any;
                    destination-address any;
                    application MDC-HIGH-RISK-GLOBAL;
                    from-zone any;
                    to-zone any;
                }
                then {
                    reject;
                }
            }
            /* Extra application block for the guest/IoT zone (MDC-HIGH-RISK-EXT,
               defined outside this excerpt). Same remark as above: unlogged, so
               invisible to detection. */
            policy deny-high-risk-ext {
                match {
                    source-address any;
                    destination-address any;
                    application MDC-HIGH-RISK-EXT;
                    from-zone EXT-IoT-User;
                    to-zone any;
                }
                then {
                    reject;
                }
            }
            /* FINDING: despite its name this is a permit, not a deny. It allows
               any application from six zones to EXT-WAN for every destination
               except the two AdGuard resolvers, with web filtering attached.
               Two consequences:
               (1) DNS to any other external resolver (8.8.8.8, a DoH endpoint,
                   an attacker's server) from these zones matches here and is
                   permitted; deny-untrusted-dns further down is never reached
                   for those flows, if MDC-ALL-DNS covers the standard ports.
                   Move the DNS deny above this rule or add an application
                   exclusion.
               (2) The attached utm-policy has only an http-profile, so the
                   block list applies to plaintext HTTP; TLS traffic to the
                   listed sites passes unless handled elsewhere.
               Rename to something like permit-web-filtered so the intent is
               obvious to the next reader. */
            policy deny-forbidden-websites {
                match {
                    source-address any;
                    destination-address S-EXT_TRUSTED_DNS;
                    destination-address-excluded;
                    application any;
                    from-zone [ DMZ-Server EXT-IoT-User Infra-Server INT-User-IT-Admins INT-User-IT-Staff INT-User-Trust ];
                    to-zone EXT-WAN;
                }
                then {
                    permit {
                        application-services {
                            utm-policy mdc-wf-policy;
                        }
                    }
                    log {
                        session-init;
                    }
                }
            }
            /* Internal zones may resolve against the domain controllers only
               (S-INT_TRUSTED_DNS). EXT-IoT-User and MDC-EXT are deliberately
               absent, so guests never see internal DNS. Not logged. */
            policy permit-int-trusted-dns {
                match {
                    source-address any;
                    destination-address S-INT_TRUSTED_DNS;
                    application MDC-ALL-DNS;
                    from-zone [ DMZ-Server Infra-Network-Core Infra-Network Infra-Server INT-IoT-Facilities INT-IoT-Printers INT-IoT-Telecom INT-User-IT-Admins INT-User-IT-Staff INT-User-Trust ];
                    to-zone Infra-Server;
                }
                then {
                    permit;
                }
            }
            /* Any zone may resolve against the AdGuard resolvers. NOTE(review):
               if the custom MDC-ALL-DNS set includes TCP/443 (DoH), this permit
               fires before deny-doh-to-adguard below and that deny becomes dead
               code; check the application definition, which is not in this
               excerpt. */
            policy permit-ext-trusted-dns {
                match {
                    source-address any;
                    destination-address S-EXT_TRUSTED_DNS;
                    application MDC-ALL-DNS;
                    from-zone any;
                    to-zone EXT-WAN;
                }
                then {
                    permit;
                }
            }
            /* Reject DNS-over-HTTPS to the AdGuard resolvers so clients cannot
               bypass classic DNS logging. Effective only for flows that
               permit-ext-trusted-dns above did not already accept. Logged. */
            policy deny-doh-to-adguard {
                match {
                    source-address any;
                    destination-address S-EXT_TRUSTED_DNS;
                    application MDC-DNS-OVER-HTTPS;
                    from-zone any;
                    to-zone EXT-WAN;
                }
                then {
                    reject;
                    log {
                        session-init;
                    }
                }
            }
            /* Catch-all: DNS to anything other than the trusted resolvers is
               rejected and logged. NOTE(review): it is only reached for flows
               no earlier policy permitted - user and server zones going to
               EXT-WAN were already accepted by deny-forbidden-websites with
               "application any", and lab / MD2BR-infra / MD2BR-IT-admin traffic
               by their any/any permits - so in practice it mainly covers the IoT
               zones. Move it above those permits to make it the control it is
               named as. */
            policy deny-untrusted-dns {
                match {
                    source-address any;
                    destination-address any;
                    application MDC-ALL-DNS;
                    from-zone any;
                    to-zone any;
                }
                then {
                    reject;
                    log {
                        session-init;
                    }
                }
            }
   /* Broadest permit in the set: the three infrastructure zones may initiate any application to any zone. */
   /* A compromised host in Infra-Server therefore reaches every user, IoT and DMZ zone on any port; */
   /* consider narrowing to the services actually needed. Logged at session-close (gives byte/duration data). */
   1193. policy permit-infra-all-outbound {
   1194. match {
   1195. source-address any;
   1196. destination-address any;
   1197. application any;
   1198. from-zone [ Infra-Network-Core Infra-Network Infra-Server ];
   1199. to-zone any;
   1200. }
   1201. then {
   1202. permit;
   1203. log {
   1204. session-close;
   1205. }
   1206. }
   1207. }
   /* IT-admin zone: any application to any zone. Web traffic to EXT-WAN was already claimed by the UTM permit above. */
   1208. policy permit-int-user-it-admins-outbound {
   1209. match {
   1210. source-address any;
   1211. destination-address any;
   1212. application any;
   1213. from-zone INT-User-IT-Admins;
   1214. to-zone any;
   1215. }
   1216. then {
   1217. permit;
   1218. log {
   1219. session-close;
   1220. }
   1221. }
   1222. }
   /* IT-staff zone: any application to any zone except destinations in S-PROTECTED_DEVICES */
   /* (destination-address-excluded inverts the destination match). Address-set not in this excerpt. */
   1223. policy permit-int-user-it-staff-outbound {
   1224. match {
   1225. source-address any;
   1226. destination-address S-PROTECTED_DEVICES;
   1227. destination-address-excluded;
   1228. application any;
   1229. from-zone INT-User-IT-Staff;
   1230. to-zone any;
   1231. }
   1232. then {
   1233. permit;
   1234. log {
   1235. session-close;
   1236. }
   1237. }
   1238. }
   /* AD protocol set from trusted users and the DMZ server zone to the two domain controllers only. */
   /* The DMZ-Server -> DC leg is a DMZ-to-inside path; it is scoped to the DC pair and logged, keep it that way. */
   1239. policy permit-active-directory-to-pdc-sdc {
   1240. match {
   1241. source-address any;
   1242. destination-address [ INT-MINION-DC1-PROD INT-MINION-DC2-PROD ];
   1243. application MDC-ACTIVE-DIRECTORY;
   1244. from-zone [ DMZ-Server INT-User-Trust ];
   1245. to-zone Infra-Server;
   1246. }
   1247. then {
   1248. permit;
   1249. log {
   1250. session-close;
   1251. }
   1252. }
   1253. }
   /* Trusted users to the DMZ host D-INT-MDC-VM-FS2, restricted to the MDC-DMZ-APPLICATIONS set. */
   1254. policy permit-int-user-trust-to-dmz-server {
   1255. match {
   1256. source-address any;
   1257. destination-address D-INT-MDC-VM-FS2;
   1258. application MDC-DMZ-APPLICATIONS;
   1259. from-zone INT-User-Trust;
   1260. to-zone DMZ-Server;
   1261. }
   1262. then {
   1263. permit;
   1264. log {
   1265. session-close;
   1266. }
   1267. }
   1268. }
   /* Rejects HTTP/HTTPS from any zone into the printer zone (keeps printer web-admin pages off the network). */
   /* Must stay ahead of permit-int-user-trust-outbound, which allows INT-User-Trust to the printers on any application. */
   /* The policy name carries a typo ("browing"); renaming is a config change and is left to the owner. */
   1269. policy deny-web-browing-to-printers {
   1270. match {
   1271. source-address any;
   1272. destination-address any;
   1273. application [ junos-http junos-http-ext junos-https ];
   1274. from-zone any;
   1275. to-zone INT-IoT-Printers;
   1276. }
   1277. then {
   1278. reject;
   1279. log {
   1280. session-init;
   1281. }
   1282. }
   1283. }
   /* Trusted users: any application to the printer zone and to the Internet (web already UTM-inspected above). */
   1284. policy permit-int-user-trust-outbound {
   1285. match {
   1286. source-address any;
   1287. destination-address any;
   1288. application any;
   1289. from-zone INT-User-Trust;
   1290. to-zone [ INT-IoT-Printers EXT-WAN ];
   1291. }
   1292. then {
   1293. permit;
   1294. log {
   1295. session-close;
   1296. }
   1297. }
   1298. }
   /* Blocks Internet egress for one printer address object, INT-MDW1 (address-book not in this excerpt; */
   /* presumably the MDW1 reservation 10.21.17.1 in DHCP pool VLAN2117 — confirm). Must precede permit-int-iot-outbound. */
   1299. policy deny-untrusted-printers-outbound {
   1300. match {
   1301. source-address INT-MDW1;
   1302. destination-address any;
   1303. application any;
   1304. from-zone INT-IoT-Printers;
   1305. to-zone EXT-WAN;
   1306. }
   1307. then {
   1308. reject;
   1309. log {
   1310. session-init;
   1311. }
   1312. }
   1313. }
   /* Internal IoT zones to the Internet, any application. These zones are not in the deny-forbidden-websites list, */
   /* so their web traffic is not UTM-inspected — intentional or not, worth knowing when reviewing printer/telecom egress. */
   1314. policy permit-int-iot-outbound {
   1315. match {
   1316. source-address any;
   1317. destination-address any;
   1318. application any;
   1319. from-zone [ INT-IoT-Facilities INT-IoT-Printers INT-IoT-Telecom ];
   1320. to-zone EXT-WAN;
   1321. }
   1322. then {
   1323. permit;
   1324. log {
   1325. session-close;
   1326. }
   1327. }
   1328. }
   /* Guest / external-IoT zone to the Internet, any application, logged at close. No path to internal zones. */
   1329. policy permit-ext-all-outbound {
   1330. match {
   1331. source-address any;
   1332. destination-address any;
   1333. application any;
   1334. from-zone EXT-IoT-User;
   1335. to-zone EXT-WAN;
   1336. }
   1337. then {
   1338. permit;
   1339. log {
   1340. session-close;
   1341. }
   1342. }
   1343. }
   /* Single host pair: the DMZ file server may reach INT-MDC-VM-FS1 inside Infra-Server on SMB/MS-DS. */
   /* DMZ-to-inside SMB is a classic lateral-movement path; it is correctly pinned to one source, one destination and logged. */
   1344. policy permit-dmz-server-to-fs1 {
   1345. match {
   1346. source-address D-INT-MDC-VM-FS2;
   1347. destination-address INT-MDC-VM-FS1;
   1348. application MDC-SMB-MSDS;
   1349. from-zone DMZ-Server;
   1350. to-zone Infra-Server;
   1351. }
   1352. then {
   1353. permit;
   1354. log {
   1355. session-close;
   1356. }
   1357. }
   1358. }
   /* DMZ servers to the Internet, any application (web already UTM-inspected by deny-forbidden-websites). */
   1359. policy permit-dmz-server-outbound {
   1360. match {
   1361. source-address any;
   1362. destination-address any;
   1363. application any;
   1364. from-zone DMZ-Server;
   1365. to-zone EXT-WAN;
   1366. }
   1367. then {
   1368. permit;
   1369. log {
   1370. session-close;
   1371. }
   1372. }
   1373. }
   /* The DMZ-Network zone (reth2.2531 and the ONT-facing reth4.0) may not initiate anything; silent deny, logged. */
   1374. policy deny-dmz-network-outbound {
   1375. match {
   1376. source-address any;
   1377. destination-address any;
   1378. application any;
   1379. from-zone DMZ-Network;
   1380. to-zone any;
   1381. }
   1382. then {
   1383. deny;
   1384. log {
   1385. session-init;
   1386. }
   1387. }
   1388. }
   /* All Internet-initiated traffic is dropped, logged and counted. Silent deny (not reject) is the right choice */
   /* on the Internet-facing zone: it gives scanners no response. */
   1389. policy deny-ext-wan-to-any {
   1390. match {
   1391. source-address any;
   1392. destination-address any;
   1393. application any;
   1394. from-zone EXT-WAN;
   1395. to-zone any;
   1396. }
   1397. then {
   1398. deny;
   1399. log {
   1400. session-init;
   1401. }
   1402. count;
   1403. }
   1404. }
   /* Final catch-all: anything not matched above is dropped, logged and counted. No policy in this excerpt permits */
   /* traffic sourced from MDC-EXT, Infra-Lab or INT-WAN, so unless an earlier policy (above this excerpt) covers them */
   /* those zones land here — check the counter if clients in those zones report no connectivity. */
   1405. policy default-deny {
   1406. match {
   1407. source-address any;
   1408. destination-address any;
   1409. application any;
   1410. }
   1411. then {
   1412. deny;
   1413. log {
   1414. session-init;
   1415. }
   1416. count;
   1417. }
   1418. }
  1419. }
   /* Applies while application identification has not yet classified a session; only session-close logging is */
   /* configured here, so those short-lived/unclassified flows still leave a log record. */
   1420. pre-id-default-policy {
   1421. then {
   1422. log {
   1423. session-close;
   1424. }
   1425. }
   1426. }
  1427. }
   /* Security zones. Each zone's host-inbound-traffic lists the services the firewall itself answers on that zone; */
   /* everything else to the device is dropped before the lo0/fxp0 filters are even consulted. */
   1428. zones {
   /* trust/untrust are factory-default leftovers, deactivated. untrust still names ge-0/0/0.0, ge-0/0/7.0 (now a */
   /* member of reth4) and dl0.0; harmless while inactive, but deleting them removes an easy way to re-enable a */
   /* zone with system-services all by mistake. */
   1429. inactive: security-zone trust {
   1430. host-inbound-traffic {
   1431. system-services {
   1432. all;
   1433. }
   1434. protocols {
   1435. all;
   1436. }
   1437. }
   1438. interfaces {
   1439. irb.0;
   1440. }
   1441. }
   1442. inactive: security-zone untrust {
   1443. screen untrust-screen;
   1444. interfaces {
   1445. ge-0/0/0.0 {
   1446. host-inbound-traffic {
   1447. system-services {
   1448. dhcp;
   1449. tftp;
   1450. https;
   1451. }
   1452. }
   1453. }
   1454. ge-0/0/7.0 {
   1455. host-inbound-traffic {
   1456. system-services {
   1457. dhcp;
   1458. tftp;
   1459. }
   1460. }
   1461. }
   1462. dl0.0 {
   1463. host-inbound-traffic {
   1464. system-services {
   1465. tftp;
   1466. }
   1467. }
   1468. }
   1469. }
   1470. }
   /* DMZ-Network: transit /29 plus the ONT management interface; no host-inbound services at all (good). */
   1471. security-zone DMZ-Network {
   1472. tcp-rst;
   1473. screen DMZ-WAN-screen;
   1474. interfaces {
   1475. reth2.2531;
   1476. reth4.0;
   1477. }
   1478. }
   1479. security-zone DMZ-Server {
   1480. tcp-rst;
   1481. screen DMZ-WAN-screen;
   1482. interfaces {
   1483. reth2.2538;
   1484. }
   1485. }
   /* EXT-IoT-User: guest (3400/3700/3732) and external IoT (2328/2329) VLANs; only DHCP is served to them. */
   1486. security-zone EXT-IoT-User {
   1487. tcp-rst;
   1488. screen EXT-All-screen;
   1489. host-inbound-traffic {
   1490. system-services {
   1491. dhcp;
   1492. }
   1493. }
   1494. interfaces {
   1495. reth2.2328;
   1496. reth2.2329;
   1497. reth2.3400;
   1498. reth2.3700;
   1499. reth2.3732;
   1500. }
   1501. }
   /* EXT-WAN: the Internet uplink. dhcp is needed on reth4.201 because that unit is a DHCP client (see interfaces). */
   1502. security-zone EXT-WAN {
   1503. tcp-rst;
   1504. screen DMZ-WAN-screen;
   1505. interfaces {
   1506. reth4.201 {
   1507. host-inbound-traffic {
   1508. system-services {
   1509. dhcp;
   1510. }
   1511. }
   1512. }
   1513. }
   1514. }
   1515. security-zone Infra-Lab {
   1516. screen INT-All-screen;
   1517. host-inbound-traffic {
   1518. system-services {
   1519. ping;
   1520. traceroute;
   1521. }
   1522. }
   1523. interfaces {
   1524. reth3.0;
   1525. }
   1526. }
   /* Infra-Network-Core: system-services all, and it holds lo0.0. Every management service the RE runs is reachable */
   /* from this zone, gated only by the lo0 Telnet-Filter (which ends in accept). Treat 10.10.16.0/24 as management. */
   1527. security-zone Infra-Network-Core {
   1528. screen INT-All-screen;
   1529. host-inbound-traffic {
   1530. system-services {
   1531. all;
   1532. }
   1533. }
   1534. interfaces {
   1535. reth0.1016;
   1536. lo0.0;
   1537. }
   1538. }
   1539. security-zone Infra-Network {
   1540. screen INT-All-screen;
   1541. host-inbound-traffic {
   1542. system-services {
   1543. ping;
   1544. traceroute;
   1545. }
   1546. }
   1547. interfaces {
   1548. reth0.1010;
   1549. reth0.1015 {
   1550. host-inbound-traffic {
   1551. system-services {
   1552. dhcp;
   1553. }
   1554. }
   1555. }
   1556. reth0.1020 {
   1557. host-inbound-traffic {
   1558. system-services {
   1559. dhcp;
   1560. }
   1561. }
   1562. }
   1563. }
   1564. }
   /* Infra-Server: the only active zone with no screen configured — every other zone has one; likely an omission. */
   /* NOTE(review): the SNMP clients 10.20.10.1/.2 sit on reth0.2010 in this zone, but only ping/traceroute are */
   /* allowed inbound, so SNMP polls from them should be dropped here unless they arrive by another path; if */
   /* polling is wanted, add snmp under reth0.2010 only rather than zone-wide. */
   1565. security-zone Infra-Server {
   1566. host-inbound-traffic {
   1567. system-services {
   1568. ping;
   1569. traceroute;
   1570. }
   1571. }
   1572. interfaces {
   1573. reth0.1200;
   1574. reth0.2010;
   1575. reth0.2011;
   1576. }
   1577. }
   1578. security-zone INT-IoT-Facilities {
   1579. screen INT-All-screen;
   1580. host-inbound-traffic {
   1581. system-services {
   1582. ping;
   1583. traceroute;
   1584. dhcp;
   1585. }
   1586. }
   1587. interfaces {
   1588. reth1.2023;
   1589. reth1.2021;
   1590. reth1.2020;
   1591. reth1.2022;
   1592. }
   1593. }
   1594. security-zone INT-IoT-Printers {
   1595. screen INT-All-screen;
   1596. host-inbound-traffic {
   1597. system-services {
   1598. ping;
   1599. traceroute;
   1600. dhcp;
   1601. }
   1602. }
   1603. interfaces {
   1604. reth1.2116;
   1605. reth1.2117;
   1606. }
   1607. }
   1608. security-zone INT-IoT-Telecom {
   1609. screen INT-All-screen;
   1610. host-inbound-traffic {
   1611. system-services {
   1612. ping;
   1613. traceroute;
   1614. dhcp;
   1615. }
   1616. }
   1617. interfaces {
   1618. reth1.2316;
   1619. }
   1620. }
   /* INT-User-IT-Admins: the screen is deactivated on this zone only — re-enable unless it was disabled for a known reason. */
   1621. security-zone INT-User-IT-Admins {
   1622. inactive: screen INT-All-screen;
   1623. host-inbound-traffic {
   1624. system-services {
   1625. ping;
   1626. traceroute;
   1627. dhcp;
   1628. }
   1629. }
   1630. interfaces {
   1631. reth1.3416;
   1632. reth1.3716;
   1633. }
   1634. }
   1635. security-zone INT-User-IT-Staff {
   1636. screen INT-All-screen;
   1637. host-inbound-traffic {
   1638. system-services {
   1639. ping;
   1640. traceroute;
   1641. dhcp;
   1642. }
   1643. }
   1644. interfaces {
   1645. reth1.3424;
   1646. reth1.3724;
   1647. }
   1648. }
   1649. security-zone INT-User-Trust {
   1650. screen INT-All-screen;
   1651. host-inbound-traffic {
   1652. system-services {
   1653. ping;
   1654. traceroute;
   1655. dhcp;
   1656. }
   1657. }
   1658. interfaces {
   1659. reth1.3410;
   1660. reth1.3710;
   1661. }
   1662. }
   /* MDC-EXT: 172.16.0/1.x VLANs. No policy in this excerpt permits traffic sourced from this zone (only DHCP to the box). */
   1663. security-zone MDC-EXT {
   1664. screen EXT-All-screen;
   1665. host-inbound-traffic {
   1666. system-services {
   1667. dhcp;
   1668. }
   1669. }
   1670. interfaces {
   1671. reth2.160;
   1672. reth2.161;
   1673. }
   1674. }
   1675. security-zone INT-WAN {
   1676. tcp-rst;
   1677. screen INT-All-screen;
   1678. host-inbound-traffic {
   1679. system-services {
   1680. ping;
   1681. traceroute;
   1682. }
   1683. }
   1684. interfaces {
   1685. reth0.1001;
   1686. }
   1687. }
   1688. }
  1689. }
   /* Physical ports ge-0/0/3..7 are members of reth0..reth4 (chassis cluster); all L3 lives on the reth units. */
   1690. interfaces {
   1691. ge-0/0/3 {
   1692. gigether-options {
   1693. redundant-parent reth0;
   1694. }
   1695. }
   1696. ge-0/0/4 {
   1697. gigether-options {
   1698. redundant-parent reth1;
   1699. }
   1700. }
   1701. ge-0/0/5 {
   1702. gigether-options {
   1703. redundant-parent reth2;
   1704. }
   1705. }
   1706. ge-0/0/6 {
   1707. gigether-options {
   1708. redundant-parent reth3;
   1709. }
   1710. }
   1711. ge-0/0/7 {
   1712. gigether-options {
   1713. redundant-parent reth4;
   1714. }
   1715. }
   /* cl-1/0/0 and dl0 are the factory-default cellular dialer stanzas (dial-string 1234, always-on). dl0.0 is */
   /* only referenced by the inactive untrust zone, so it belongs to no active zone. If no LTE module is fitted, */
   /* delete both to keep an unmanaged WAN path out of the config. */
   1716. cl-1/0/0 {
   1717. dialer-options {
   1718. pool 1 priority 100;
   1719. }
   1720. }
   1721. dl0 {
   1722. unit 0 {
   1723. family inet {
   1724. negotiate-address;
   1725. }
   1726. family inet6 {
   1727. negotiate-address;
   1728. }
   1729. dialer-options {
   1730. pool 1;
   1731. dial-string 1234;
   1732. always-on;
   1733. }
   1734. }
   1735. }
   1736. fab0 {
   1737. fabric-options {
   1738. member-interfaces {
   1739. ge-0/0/2;
   1740. }
   1741. }
   1742. }
   1743. fab1 {
   1744. fabric-options {
   1745. member-interfaces {
   1746. ge-3/0/2;
   1747. }
   1748. }
   1749. }
   /* fxp0: out-of-band management, addressed per node via the node0/node1 groups; inbound is gated by */
   /* Management-Filter (see firewall), which ends in log+discard. */
   1750. fxp0 {
   1751. unit 0 {
   1752. family inet {
   1753. filter {
   1754. input Management-Filter;
   1755. }
   1756. }
   1757. }
   1758. }
   /* irb.0 192.168.1.1/24 is the deactivated factory-default LAN; pairs with the inactive trust zone and junosDHCPPool. */
   1759. irb {
   1760. inactive: unit 0 {
   1761. family inet {
   1762. address 192.168.1.1/24;
   1763. }
   1764. }
   1765. }
   /* lo0: in-band management address 10.255.255.1. Telnet-Filter only constrains TCP/23 and then accepts everything, */
   /* so it is not a control-plane ACL; the zone host-inbound-traffic lists are the real gate for this address. */
   1766. lo0 {
   1767. unit 0 {
   1768. family inet {
   1769. filter {
   1770. input Telnet-Filter;
   1771. }
   1772. address 10.255.255.1/32;
   1773. }
   1774. }
   1775. }
   /* reth0: infrastructure VLANs (WAN-to-MD2BR transit, OOBM, power, core, wireless, server networks). */
   1776. reth0 {
   1777. description Infrastructure;
   1778. vlan-tagging;
   1779. redundant-ether-options {
   1780. redundancy-group 1;
   1781. }
   1782. unit 1001 {
   1783. description INT-WAN-to-MD2BR;
   1784. vlan-id 1001;
   1785. family inet {
   1786. address 10.255.254.22/30;
   1787. }
   1788. }
   /* 10.10.10.254 is also the next-hop of the mgmt_junos default route, i.e. fxp0 traffic hairpins back into this unit. */
   1789. unit 1010 {
   1790. description Infra-Network-OOBM;
   1791. vlan-id 1010;
   1792. family inet {
   1793. address 10.10.10.254/24;
   1794. }
   1795. }
   1796. unit 1015 {
   1797. description Infra-Network-Power;
   1798. vlan-id 1015;
   1799. family inet {
   1800. address 10.10.15.254/24;
   1801. }
   1802. }
   1803. unit 1016 {
   1804. description Infra-Network-Core;
   1805. vlan-id 1016;
   1806. family inet {
   1807. address 10.10.16.254/24;
   1808. }
   1809. }
   1810. unit 1020 {
   1811. description Infra-Network-Wireless;
   1812. vlan-id 1020;
   1813. family inet {
   1814. address 10.10.20.254/24;
   1815. }
   1816. }
   1817. unit 1200 {
   1818. description Infra-Server-OOBM;
   1819. vlan-id 1200;
   1820. family inet {
   1821. address 10.12.0.254/24;
   1822. }
   1823. }
   1824. unit 2010 {
   1825. description Infra-Server-VMs;
   1826. vlan-id 2010;
   1827. family inet {
   1828. address 10.20.10.254/24;
   1829. }
   1830. }
   1831. unit 2011 {
   1832. description Infra-Server-Core;
   1833. vlan-id 2011;
   1834. family inet {
   1835. address 10.20.11.254/24;
   1836. }
   1837. }
   1838. }
   /* reth1: internal IoT and user VLANs; each wired VLAN has a matching -WLAN unit. */
   1839. reth1 {
   1840. description INT-IoT-User;
   1841. vlan-tagging;
   1842. redundant-ether-options {
   1843. redundancy-group 1;
   1844. }
   1845. unit 2020 {
   1846. description INT-IoT-Security;
   1847. vlan-id 2020;
   1848. family inet {
   1849. address 10.20.20.254/24;
   1850. }
   1851. }
   1852. unit 2021 {
   1853. description INT-IoT-Security-WLAN;
   1854. vlan-id 2021;
   1855. family inet {
   1856. address 10.20.21.254/24;
   1857. }
   1858. }
   1859. unit 2022 {
   1860. description INT-IoT-Facilities;
   1861. vlan-id 2022;
   1862. family inet {
   1863. address 10.20.22.254/24;
   1864. }
   1865. }
   1866. unit 2023 {
   1867. description INT-IoT-Facilities-WLAN;
   1868. vlan-id 2023;
   1869. family inet {
   1870. address 10.20.23.254/24;
   1871. }
   1872. }
   1873. unit 2116 {
   1874. description INT-IoT-Printers;
   1875. vlan-id 2116;
   1876. family inet {
   1877. address 10.21.16.254/24;
   1878. }
   1879. }
   1880. unit 2117 {
   1881. description INT-IoT-Printers-WLAN;
   1882. vlan-id 2117;
   1883. family inet {
   1884. address 10.21.17.254/24;
   1885. }
   1886. }
   1887. unit 2316 {
   1888. description INT-IoT-Telecom;
   1889. vlan-id 2316;
   1890. family inet {
   1891. address 10.23.16.254/24;
   1892. }
   1893. }
   1894. unit 3410 {
   1895. description INT-User-Trust;
   1896. vlan-id 3410;
   1897. family inet {
   1898. address 10.34.11.254/23;
   1899. }
   1900. }
   1901. unit 3416 {
   1902. description INT-User-IT-Admins;
   1903. vlan-id 3416;
   1904. family inet {
   1905. address 10.34.17.254/23;
   1906. }
   1907. }
   1908. unit 3424 {
   1909. description INT-User-IT-Staff;
   1910. vlan-id 3424;
   1911. family inet {
   1912. address 10.34.25.254/23;
   1913. }
   1914. }
   1915. unit 3710 {
   1916. description INT-User-Trust-WLAN;
   1917. vlan-id 3710;
   1918. family inet {
   1919. address 10.37.11.254/23;
   1920. }
   1921. }
   1922. unit 3716 {
   1923. description INT-User-IT-Admins-WLAN;
   1924. vlan-id 3716;
   1925. family inet {
   1926. address 10.37.17.254/23;
   1927. }
   1928. }
   1929. unit 3724 {
   1930. description INT-User-IT-Staff-WLAN;
   1931. vlan-id 3724;
   1932. family inet {
   1933. address 10.37.25.254/23;
   1934. }
   1935. }
   1936. }
   /* reth2: external/guest, MDC-EXT and DMZ VLANs. The two DMZ /29s share 10.25.31.0/28. */
   1937. reth2 {
   1938. description EXT-IoT-DMZ-User;
   1939. vlan-tagging;
   1940. redundant-ether-options {
   1941. redundancy-group 1;
   1942. }
   1943. unit 160 {
   1944. description MDC-EXT;
   1945. vlan-id 160;
   1946. family inet {
   1947. address 172.16.0.254/24;
   1948. }
   1949. }
   1950. unit 161 {
   1951. description MDC-EXT-WLAN;
   1952. vlan-id 161;
   1953. family inet {
   1954. address 172.16.1.254/24;
   1955. }
   1956. }
   1957. unit 2328 {
   1958. description EXT-IoT;
   1959. vlan-id 2328;
   1960. family inet {
   1961. address 10.23.28.254/24;
   1962. }
   1963. }
   1964. unit 2329 {
   1965. description EXT-IoT-WLAN;
   1966. vlan-id 2329;
   1967. family inet {
   1968. address 10.23.29.254/24;
   1969. }
   1970. }
   1971. unit 2531 {
   1972. description DMZ-Network;
   1973. vlan-id 2531;
   1974. family inet {
   1975. address 10.25.31.6/29;
   1976. }
   1977. }
   1978. unit 2538 {
   1979. description DMZ-Server;
   1980. vlan-id 2538;
   1981. family inet {
   1982. address 10.25.31.14/29;
   1983. }
   1984. }
   1985. unit 3400 {
   1986. description EXT-User-Untrust;
   1987. vlan-id 3400;
   1988. family inet {
   1989. address 10.34.1.254/23;
   1990. }
   1991. }
   1992. unit 3700 {
   1993. description EXT-User-Untrust-WLAN;
   1994. vlan-id 3700;
   1995. family inet {
   1996. address 10.37.1.254/23;
   1997. }
   1998. }
   1999. unit 3732 {
   2000. description EXT-User-Untrust-RLAN;
   2001. vlan-id 3732;
   2002. family inet {
   2003. address 10.37.32.254/24;
   2004. }
   2005. }
   2006. }
   /* reth3: untagged point-to-point link to the lab router (zone Infra-Lab). */
   2007. reth3 {
   2008. description INT-WAN;
   2009. redundant-ether-options {
   2010. redundancy-group 1;
   2011. }
   2012. unit 0 {
   2013. description "INT-WAN to Lab";
   2014. family inet {
   2015. address 10.255.254.17/30;
   2016. }
   2017. }
   2018. }
   /* reth4: ISP uplink. unit 0 (native VLAN 998) is the ONT management side, placed in DMZ-Network; unit 201 is the */
   /* DHCP-client Internet uplink in EXT-WAN. no-dns-install keeps the ISP-supplied resolvers out of the device's */
   /* own DNS configuration, and no-hostname avoids leaking the hostname in DHCP requests. */
   2019. reth4 {
   2020. description Lumen-INET;
   2021. flexible-vlan-tagging;
   2022. native-vlan-id 998;
   2023. redundant-ether-options {
   2024. redundancy-group 1;
   2025. }
   2026. unit 0 {
   2027. description "DMZ-WAN to Lumen ONT";
   2028. vlan-id 998;
   2029. family inet {
   2030. address 192.168.0.254/24;
   2031. }
   2032. }
   2033. unit 201 {
   2034. description Lumen-INET-Uplink;
   2035. vlan-id 201;
   2036. family inet {
   2037. dhcp {
   2038. no-dns-install;
   2039. retransmission-interval 64;
   2040. metric 5;
   2041. update-server;
   2042. force-discover;
   2043. options {
   2044. no-hostname;
   2045. }
   2046. }
   2047. }
   2048. }
   2049. }
   2050. }
   /* SNMP: two v2c communities (strings redacted in this paste), each restricted to the two pollers 10.20.10.1/.2. */
   /* v2c community strings travel in cleartext and the second community is read-write; prefer SNMPv3 */
   /* (authentication + privacy) or drop read-write if nothing actually sets values. location/contact are empty. */
   /* NOTE(review): the pollers live in zone Infra-Server, whose host-inbound-traffic has no snmp entry, and the fxp0 */
   /* Management-Filter has no UDP/161 term — confirm polling actually works before relying on it for monitoring. */
   2051. snmp {
   2052. description "MDC Production Firewall";
   2053. location "";
   2054. contact "";
   2055. filter-duplicates;
   2056. community "..." {
   2057. authorization read-only;
   2058. clients {
   2059. 10.20.10.1/32;
   2060. 10.20.10.2/32;
   2061. }
   2062. }
   2063. community "..." {
   2064. authorization read-write;
   2065. clients {
   2066. 10.20.10.1/32;
   2067. 10.20.10.2/32;
   2068. }
   2069. }
   /* Traps: v2c to 10.20.10.9. authentication traps are on, so failed community attempts are reported. */
   2070. trap-group MDC-IDR2 {
   2071. version v2;
   2072. categories {
   2073. authentication;
   2074. chassis;
   2075. link;
   2076. remote-operations;
   2077. routing;
   2078. startup;
   2079. rmon-alarm;
   2080. vrrp-events;
   2081. configuration;
   2082. }
   2083. targets {
   2084. 10.20.10.9;
   2085. }
   2086. }
   2087. }
   /* Route export policies toward the lab router and MD2BR. Only infrastructure/server prefixes go to the lab; */
   /* MD2BR additionally receives selected IoT/user/DMZ prefixes plus whatever arrives via BGP and static routes. */
   2088. policy-options {
   2089. prefix-list Export-to-Lab {
   2090. 10.10.10.0/24;
   2091. 10.10.15.0/24;
   2092. 10.10.16.0/24;
   2093. 10.12.0.0/24;
   2094. 10.20.10.0/24;
   2095. 10.20.11.0/24;
   2096. 10.255.255.1/32;
   2097. }
   2098. prefix-list Export-to-MD2BR {
   2099. 10.10.10.0/24;
   2100. 10.10.15.0/24;
   2101. 10.10.16.0/24;
   2102. 10.12.0.0/24;
   2103. 10.20.10.0/24;
   2104. 10.20.11.0/24;
   2105. 10.20.20.0/24;
   2106. 10.20.22.0/24;
   2107. 10.21.16.0/24;
   2108. 10.23.16.0/24;
   2109. 10.23.28.0/24;
   2110. 10.25.31.0/29;
   2111. 10.25.31.8/29;
   2112. 10.34.16.0/23;
   2113. 10.255.255.1/32;
   2114. 192.168.0.0/24;
   2115. }
   2116. policy-statement Deny-Redist {
   2117. term Default-Deny {
   2118. then reject;
   2119. }
   2120. }
   /* NOTE(review): term Connect-Allow matches the prefix-list but has no `then accept`, so matching routes fall */
   /* through to Default-Deny and nothing is exported to the lab. Export-to-MD2BR below has the `then accept`. */
   /* If lab export is intended, add `then accept;` after the from block; if the lab feed is deliberately off, */
   /* say so here so the next reader does not "fix" it. */
   2121. policy-statement Export-to-Lab {
   2122. term Connect-Allow {
   2123. from {
   2124. prefix-list Export-to-Lab;
   2125. }
   2126. }
   2127. term Default-Deny {
   2128. then reject;
   2129. }
   2130. }
   2131. policy-statement Export-to-MD2BR {
   2132. term Connect-Allow {
   2133. from {
   2134. prefix-list Export-to-MD2BR;
   2135. }
   2136. then accept;
   2137. }
   2138. term BGP-Allow {
   2139. from protocol bgp;
   2140. then accept;
   2141. }
   2142. term Static-Allow {
   2143. from protocol static;
   2144. then accept;
   2145. }
   2146. term Default-Deny {
   2147. then reject;
   2148. }
   2149. }
   2150. }
   /* Stateless filters for the device's own addresses: Management-Filter on fxp0, Telnet-Filter on lo0. */
   2151. firewall {
   2152. family inet {
   /* Management-Filter: allow-list of management subnets for SSH, HTTP(S) and ICMP, a single Telnet source, */
   /* then log+discard. Note the two cleartext protocols still admitted: Telnet (TCP/23) from 10.20.10.3 and */
   /* HTTP (TCP/80) from the user/server subnets — both expose credentials on the wire; drop them if unused. */
   2153. filter Management-Filter {
   2154. term Permit-SSH {
   2155. from {
   2156. source-address {
   2157. 10.10.10.0/24;
   2158. 10.10.16.0/24;
   2159. 10.20.10.0/24;
   2160. 10.20.11.0/24;
   2161. 10.34.16.0/23;
   2162. 10.37.16.0/23;
   2163. 10.255.254.0/23;
   2164. }
   2165. protocol tcp;
   2166. destination-port 22;
   2167. }
   2168. then accept;
   2169. }
   2170. term Permit-Telnet {
   2171. from {
   2172. source-address {
   2173. 10.20.10.3/32;
   2174. }
   2175. protocol tcp;
   2176. destination-port 23;
   2177. }
   2178. then accept;
   2179. }
   2180. term Permit-HTTP-HTTPS {
   2181. from {
   2182. source-address {
   2183. 10.10.10.0/24;
   2184. 10.20.10.0/24;
   2185. 10.20.11.0/24;
   2186. 10.34.16.0/23;
   2187. 10.37.16.0/23;
   2188. }
   2189. protocol tcp;
   2190. destination-port [ 80 443 ];
   2191. }
   2192. then accept;
   2193. }
   /* Permit-ICMP has no then clause; a Junos filter term without an action accepts, so this is an implicit accept. */
   2194. term Permit-ICMP {
   2195. from {
   2196. source-address {
   2197. 10.10.10.0/24;
   2198. 10.10.16.0/24;
   2199. 10.20.10.0/24;
   2200. 10.20.11.0/24;
   2201. 10.34.16.0/23;
   2202. 10.37.16.0/23;
   2203. 10.255.254.0/23;
   2204. }
   2205. protocol icmp;
   2206. }
   2207. }
   2208. term Default-Deny {
   2209. then {
   2210. log;
   2211. discard;
   2212. }
   2213. }
   2214. }
   /* Telnet-Filter: permits and logs Telnet from 10.20.10.3 only, rejects other Telnet (reject sends a response; */
   /* discard would be silent), then accepts everything else — so it guards one port, not the loopback as a whole. */
   2215. filter Telnet-Filter {
   2216. term Permit-Telnet {
   2217. from {
   2218. source-address {
   2219. 10.20.10.3/32;
   2220. }
   2221. protocol tcp;
   2222. destination-port 23;
   2223. }
   2224. then {
   2225. log;
   2226. accept;
   2227. }
   2228. }
   2229. term Deny-Telnet {
   2230. from {
   2231. protocol tcp;
   2232. destination-port 23;
   2233. }
   2234. then {
   2235. log;
   2236. reject;
   2237. }
   2238. }
   2239. term Default-Permit {
   2240. then accept;
   2241. }
   2242. }
   2243. }
   2244. }
  2245. access {
  2246. address-assignment {
  2247. inactive: pool junosDHCPPool {
  2248. family inet {
  2249. network 192.168.1.0/24;
  2250. range junosRange {
  2251. low 192.168.1.2;
  2252. high 192.168.1.254;
  2253. }
  2254. dhcp-attributes {
  2255. router {
  2256. 192.168.1.1;
  2257. }
  2258. propagate-settings ge-0/0/0.0;
  2259. }
  2260. }
  2261. }
  2262. pool VLAN160 {
  2263. family inet {
  2264. network 172.16.0.0/24;
  2265. range MDC-EXT {
  2266. low 172.16.0.1;
  2267. high 172.16.0.253;
  2268. }
  2269. dhcp-attributes {
  2270. maximum-lease-time 43140;
  2271. server-identifier 172.16.0.254;
  2272. name-server {
  2273. 8.8.8.8;
  2274. 8.8.4.4;
  2275. }
  2276. router {
  2277. 172.16.0.254;
  2278. }
  2279. }
  2280. }
  2281. }
  2282. inactive: pool VLAN161 {
  2283. family inet {
  2284. network 172.16.1.0/24;
  2285. range MDC-EXT-WLAN {
  2286. low 172.16.1.1;
  2287. high 172.16.1.253;
  2288. }
  2289. dhcp-attributes {
  2290. maximum-lease-time 43140;
  2291. server-identifier 172.16.1.254;
  2292. name-server {
  2293. 8.8.8.8;
  2294. 8.8.4.4;
  2295. }
  2296. router {
  2297. 172.16.1.254;
  2298. }
  2299. }
  2300. }
  2301. }
  2302. pool VLAN1015 {
  2303. family inet {
  2304. network 10.10.15.0/24;
  2305. range Infra-Network-Power {
  2306. low 10.10.15.1;
  2307. high 10.10.15.250;
  2308. }
  2309. dhcp-attributes {
  2310. maximum-lease-time 43140;
  2311. server-identifier 10.10.15.254;
  2312. domain-name mgmt.mdc.com;
  2313. name-server {
  2314. 10.20.11.1;
  2315. 10.20.11.2;
  2316. }
  2317. router {
  2318. 10.10.15.254;
  2319. }
  2320. }
  2321. }
  2322. }
  2323. pool VLAN1020 {
  2324. family inet {
  2325. network 10.10.20.0/24;
  2326. range Infra-Network-Wireless {
  2327. low 10.10.20.1;
  2328. high 10.10.20.250;
  2329. }
  2330. dhcp-attributes {
  2331. maximum-lease-time 43140;
  2332. server-identifier 10.10.20.254;
  2333. domain-name wlc.mdc.com;
  2334. name-server {
  2335. 10.20.11.1;
  2336. 10.20.11.2;
  2337. }
  2338. router {
  2339. 10.10.20.254;
  2340. }
  2341. }
  2342. host MDCMONAP {
  2343. hardware-address c4:f7:d5:61:43:58;
  2344. ip-address 10.10.20.250;
  2345. }
  2346. host MDCAP01 {
  2347. hardware-address 00:df:1d:9e:60:9c;
  2348. ip-address 10.10.20.1;
  2349. }
  2350. }
  2351. }
  2352. pool VLAN2020 {
  2353. family inet {
  2354. network 10.20.20.0/24;
  2355. range INT-IoT-Security {
  2356. low 10.20.20.1;
  2357. high 10.20.20.250;
  2358. }
  2359. dhcp-attributes {
  2360. maximum-lease-time 43140;
  2361. server-identifier 10.20.20.254;
  2362. domain-name security.mdc.com;
  2363. name-server {
  2364. 10.20.11.1;
  2365. 10.20.11.2;
  2366. }
  2367. router {
  2368. 10.20.20.254;
  2369. }
  2370. }
  2371. }
  2372. }
  2373. pool VLAN2021 {
  2374. family inet {
  2375. network 10.20.21.0/24;
  2376. range INT-IoT-Security-WLAN {
  2377. low 10.20.21.1;
  2378. high 10.20.21.250;
  2379. }
  2380. dhcp-attributes {
  2381. maximum-lease-time 43140;
  2382. server-identifier 10.20.21.254;
  2383. domain-name security.mdc.com;
  2384. name-server {
  2385. 10.20.11.1;
  2386. 10.20.11.2;
  2387. }
  2388. router {
  2389. 10.20.21.254;
  2390. }
  2391. }
  2392. host MDCSecNVR1 {
  2393. hardware-address 00:03:7f:d2:14:85;
  2394. ip-address 10.20.21.250;
  2395. }
  2396. host MDCSecCam1 {
  2397. hardware-address f4:b8:5e:ba:ff:51;
  2398. ip-address 10.20.21.1;
  2399. }
  2400. }
  2401. }
  2402. pool VLAN2022 {
  2403. family inet {
  2404. network 10.20.22.0/24;
  2405. range INT-IoT-Facilities {
  2406. low 10.20.22.1;
  2407. high 10.20.22.250;
  2408. }
  2409. dhcp-attributes {
  2410. maximum-lease-time 43140;
  2411. server-identifier 10.20.22.254;
  2412. domain-name facilities.mdc.com;
  2413. name-server {
  2414. 10.20.11.1;
  2415. 10.20.11.2;
  2416. }
  2417. router {
  2418. 10.20.22.254;
  2419. }
  2420. }
  2421. }
  2422. }
  2423. pool VLAN2023 {
  2424. family inet {
  2425. network 10.20.23.0/24;
  2426. range INT-IoT-Facilities-WLAN {
  2427. low 10.20.23.1;
  2428. high 10.20.23.250;
  2429. }
  2430. dhcp-attributes {
  2431. maximum-lease-time 43140;
  2432. server-identifier 10.20.23.254;
  2433. domain-name facilities.mdc.com;
  2434. name-server {
  2435. 10.20.11.1;
  2436. 10.20.11.2;
  2437. }
  2438. router {
  2439. 10.20.23.254;
  2440. }
  2441. }
  2442. }
  2443. }
  2444. pool VLAN2116 {
  2445. family inet {
  2446. network 10.21.16.0/24;
  2447. range INT-IoT-Printers {
  2448. low 10.21.16.1;
  2449. high 10.21.16.250;
  2450. }
  2451. dhcp-attributes {
  2452. maximum-lease-time 43140;
  2453. server-identifier 10.21.16.254;
  2454. domain-name printers.mdc.com;
  2455. name-server {
  2456. 10.20.11.1;
  2457. 10.20.11.2;
  2458. }
  2459. router {
  2460. 10.21.16.254;
  2461. }
  2462. }
  2463. }
  2464. }
  2465. pool VLAN2117 {
  2466. family inet {
  2467. network 10.21.17.0/24;
  2468. range INT-IoT-Printers-WLAN {
  2469. low 10.21.17.1;
  2470. high 10.21.17.250;
  2471. }
  2472. dhcp-attributes {
  2473. maximum-lease-time 43140;
  2474. server-identifier 10.21.17.254;
  2475. domain-name printers.mdc.com;
  2476. name-server {
  2477. 10.20.11.1;
  2478. 10.20.11.2;
  2479. }
  2480. router {
  2481. 10.21.17.254;
  2482. }
  2483. }
  2484. host MDW1 {
  2485. hardware-address f4:a9:97:1c:20:2a;
  2486. ip-address 10.21.17.1;
  2487. }
  2488. }
  2489. }
  2490. pool VLAN2316 {
  2491. family inet {
  2492. network 10.23.16.0/24;
  2493. range INT-IoT-Telecom {
  2494. low 10.23.16.1;
  2495. high 10.23.16.250;
  2496. }
  2497. dhcp-attributes {
  2498. maximum-lease-time 43140;
  2499. server-identifier 10.23.16.254;
  2500. domain-name voip.mdc.com;
  2501. name-server {
  2502. 10.20.11.1;
  2503. 10.20.11.2;
  2504. }
  2505. router {
  2506. 10.23.16.254;
  2507. }
  2508. }
  2509. }
  2510. }
  2511. pool VLAN2328 {
  2512. family inet {
  2513. network 10.23.28.0/24;
  2514. range EXT-IoT {
  2515. low 10.23.28.1;
  2516. high 10.23.28.250;
  2517. }
  2518. dhcp-attributes {
  2519. maximum-lease-time 43140;
  2520. server-identifier 10.23.28.254;
  2521. domain-name iot.mdc.com;
  2522. name-server {
  2523. 94.140.14.14;
  2524. }
  2525. router {
  2526. 10.23.28.254;
  2527. }
  2528. }
  2529. }
  2530. }
  2531. pool VLAN2329 {
  2532. family inet {
  2533. network 10.23.29.0/24;
  2534. range EXT-IoT-WLAN {
  2535. low 10.23.29.1;
  2536. high 10.23.29.250;
  2537. }
  2538. dhcp-attributes {
  2539. maximum-lease-time 43140;
  2540. server-identifier 10.23.29.254;
  2541. domain-name iot.mdc.com;
  2542. name-server {
  2543. 94.140.14.14;
  2544. }
  2545. router {
  2546. 10.23.29.254;
  2547. }
  2548. }
  2549. }
  2550. }
  2551. pool VLAN3400 {
  2552. family inet {
  2553. network 10.34.0.0/23;
  2554. range EXT-User-Untrust {
  2555. low 10.34.0.1;
  2556. high 10.34.1.253;
  2557. }
  2558. dhcp-attributes {
  2559. maximum-lease-time 43140;
  2560. server-identifier 10.34.1.254;
  2561. domain-name guest.mdc.com;
  2562. name-server {
  2563. 94.140.14.14;
  2564. }
  2565. router {
  2566. 10.34.1.254;
  2567. }
  2568. }
  2569. }
  2570. }
  2571. pool VLAN3410 {
  2572. family inet {
  2573. network 10.34.10.0/23;
  2574. range INT-User-Trust {
  2575. low 10.34.10.1;
  2576. high 10.34.11.253;
  2577. }
  2578. dhcp-attributes {
  2579. maximum-lease-time 43140;
  2580. server-identifier 10.34.11.254;
  2581. domain-name ad.mdc.com;
  2582. name-server {
  2583. 10.20.11.1;
  2584. 10.20.11.2;
  2585. }
  2586. router {
  2587. 10.34.11.254;
  2588. }
  2589. option 119 hex-string 026164036D646303636F6D00087072696E74657273C003C003;
  2590. }
  2591. }
  2592. }
  2593. pool VLAN3416 {
  2594. family inet {
  2595. network 10.34.16.0/23;
  2596. range INT-User-IT-Admins {
  2597. low 10.34.16.1;
  2598. high 10.34.17.253;
  2599. }
  2600. dhcp-attributes {
  2601. maximum-lease-time 43140;
  2602. server-identifier 10.34.17.254;
  2603. domain-name its.mdc.com;
  2604. name-server {
  2605. 10.20.11.1;
  2606. 10.20.11.2;
  2607. }
  2608. router {
  2609. 10.34.17.254;
  2610. }
  2611. option 119 hex-string 046D676D74036D646303636F6D0003776C63C005036C6162C005026164C005087072696E74657273C005087365637572697479C005C005;
  2612. }
  2613. }
  2614. }
  2615. pool VLAN3424 {
  2616. family inet {
  2617. network 10.34.24.0/23;
  2618. range INT-Users-IT-Staff {
  2619. low 10.34.24.1;
  2620. high 10.34.25.253;
  2621. }
  2622. dhcp-attributes {
  2623. maximum-lease-time 43140;
  2624. server-identifier 10.34.25.254;
  2625. domain-name its.mdc.com;
  2626. name-server {
  2627. 10.20.11.1;
  2628. 10.20.11.2;
  2629. }
  2630. router {
  2631. 10.34.25.254;
  2632. }
  2633. option 119 hex-string 046D676D74036D646303636F6D0003776C63C005036C6162C005026164C005087072696E74657273C005087365637572697479C005C005;
  2634. }
  2635. }
  2636. }
  2637. pool VLAN3700 {
  2638. family inet {
  2639. network 10.37.0.0/23;
  2640. range EXT-User-Untrust-WLAN {
  2641. low 10.37.0.1;
  2642. high 10.37.1.251;
  2643. }
  2644. dhcp-attributes {
  2645. maximum-lease-time 43140;
  2646. server-identifier 10.37.1.254;
  2647. domain-name guest.mdc.com;
  2648. name-server {
  2649. 94.140.14.14;
  2650. }
  2651. router {
  2652. 10.37.1.254;
  2653. }
  2654. }
  2655. }
  2656. }
  2657. pool VLAN3710 {
  2658. family inet {
  2659. network 10.37.10.0/23;
  2660. range INT-User-Trust-WLAN {
  2661. low 10.37.10.1;
  2662. high 10.37.11.251;
  2663. }
  2664. dhcp-attributes {
  2665. maximum-lease-time 43140;
  2666. server-identifier 10.37.11.254;
  2667. domain-name ad.mdc.com;
  2668. name-server {
  2669. 10.20.11.1;
  2670. 10.20.11.2;
  2671. }
  2672. router {
  2673. 10.37.11.254;
  2674. }
  2675. option 119 hex-string 026164036D646303636F6D00087072696E74657273C003C003;
  2676. }
  2677. }
  2678. }
  /* IT-admin WLAN pool: 10.37.16.1-10.37.17.251 out of 10.37.16.0/23; 10.37.17.254 is DHCP server-identifier and gateway */
  2679. pool VLAN3716 {
  2680. family inet {
  2681. network 10.37.16.0/23;
  2682. range INT-User-IT-Admins-WLAN {
  2683. low 10.37.16.1;
  2684. high 10.37.17.251;
  2685. }
  2686. dhcp-attributes {
  /* 43140 s = 11 h 59 min */
  2687. maximum-lease-time 43140;
  2688. server-identifier 10.37.17.254;
  2689. domain-name its.mdc.com;
  /* internal resolvers */
  2690. name-server {
  2691. 10.20.11.1;
  2692. 10.20.11.2;
  2693. }
  2694. router {
  2695. 10.37.17.254;
  2696. }
  /* option 119 = DNS search list (RFC 3397); same hex as the wired IT pool: mgmt.mdc.com wlc.mdc.com lab.mdc.com ad.mdc.com printers.mdc.com security.mdc.com mdc.com - does not include this pool's domain-name its.mdc.com */
  2697. option 119 hex-string 046D676D74036D646303636F6D0003776C63C005036C6162C005026164C005087072696E74657273C005087365637572697479C005C005;
  2698. }
  2699. }
  2700. }
  /* IT-staff WLAN pool: 10.37.24.1-10.37.25.251 out of 10.37.24.0/23; 10.37.25.254 is DHCP server-identifier and gateway */
  2701. pool VLAN3724 {
  2702. family inet {
  2703. network 10.37.24.0/23;
  2704. range INT-Users-IT-Staff-WLAN {
  2705. low 10.37.24.1;
  2706. high 10.37.25.251;
  2707. }
  2708. dhcp-attributes {
  /* 43140 s = 11 h 59 min */
  2709. maximum-lease-time 43140;
  2710. server-identifier 10.37.25.254;
  2711. domain-name its.mdc.com;
  /* internal resolvers */
  2712. name-server {
  2713. 10.20.11.1;
  2714. 10.20.11.2;
  2715. }
  2716. router {
  2717. 10.37.25.254;
  2718. }
  /* option 119 = DNS search list (RFC 3397); same hex as the wired IT pool: mgmt.mdc.com wlc.mdc.com lab.mdc.com ad.mdc.com printers.mdc.com security.mdc.com mdc.com - does not include this pool's domain-name its.mdc.com */
  2719. option 119 hex-string 046D676D74036D646303636F6D0003776C63C005036C6162C005026164C005087072696E74657273C005087365637572697479C005C005;
  2720. }
  2721. }
  2722. }
  /* Guest (untrust) wired pool: 10.37.32.1-10.37.32.251 out of 10.37.32.0/24; 10.37.32.254 is DHCP server-identifier and gateway */
  2723. pool VLAN3732 {
  2724. family inet {
  2725. network 10.37.32.0/24;
  2726. range EXT-User-Untrust-RLAN {
  2727. low 10.37.32.1;
  2728. high 10.37.32.251;
  2729. }
  2730. dhcp-attributes {
  /* 43140 s = 11 h 59 min */
  2731. maximum-lease-time 43140;
  2732. server-identifier 10.37.32.254;
  2733. domain-name guest.mdc.com;
  /* same single public resolver and no option 119 search list as the guest WLAN pool, so guests see neither the internal DNS servers nor internal zone names */
  /* NOTE(review): one resolver only - a second entry would avoid a single point of failure */
  2734. name-server {
  2735. 94.140.14.14;
  2736. }
  2737. router {
  2738. 10.37.32.254;
  2739. }
  2740. }
  2741. }
  2742. }
  2743. }
  2744. }
  /* Dedicated management VRF: fxp0 traffic is routed here, separate from the main forwarding table, so out-of-band management cannot be reached through transit routes */
  2745. routing-instances {
  2746. mgmt_junos {
  2747. description fxp0-vrf;
  2748. routing-options {
  2749. static {
  /* the only route in this VRF: everything leaving fxp0 goes to the management gateway */
  2750. route 0.0.0.0/0 next-hop 10.10.10.254;
  2751. }
  2752. }
  2753. }
  2754. }
  /* Custom L4 application objects and sets used by the security policies (policies are not in this section). All are protocol + destination-port matches only; several share a tuple with an unrelated service, which a policy cannot tell apart without application identification */
  2755. applications {
  /* udp/443 - same port as MDC-DNS-OVER-QUIC would use on 853, but this one catches HTTP/3; listed in MDC-HIGH-RISK-GLOBAL */
  2756. application MDC-QUIC {
  2757. protocol udp;
  2758. destination-port 443;
  2759. }
  2760. application MDC-WINS-TCP {
  2761. protocol tcp;
  2762. destination-port 42;
  2763. }
  2764. application MDC-WINS-UDP {
  2765. protocol udp;
  2766. destination-port 42;
  2767. }
  2768. application MDC-LLMNR-TCP {
  2769. protocol tcp;
  2770. destination-port 5355;
  2771. }
  2772. application MDC-LLMNR-UDP {
  2773. protocol udp;
  2774. destination-port 5355;
  2775. }
  2776. application MDC-DNS-OVER-TLS {
  2777. protocol tcp;
  2778. destination-port 853;
  2779. }
  2780. application MDC-SSDP {
  2781. protocol udp;
  2782. destination-port 1900;
  2783. }
  2784. application MDC-UPNP {
  2785. protocol tcp;
  2786. destination-port 2869;
  2787. }
  2788. application MDC-DNS-OVER-QUIC {
  2789. protocol udp;
  2790. destination-port 853;
  2791. }
  /* udp 137-139: 137/138 are NetBIOS name/datagram services; udp/139 is not normally used (tcp/139 is covered separately by MDC-SMB-NBSS) */
  2792. application MDC-NETBIOS {
  2793. protocol udp;
  2794. destination-port 137-139;
  2795. }
  2796. application MDC-KERBEROS-TCP-AUTH {
  2797. protocol tcp;
  2798. destination-port 88;
  2799. }
  2800. application MDC-KERBEROS-TCP-PWD {
  2801. protocol tcp;
  2802. destination-port 464;
  2803. }
  2804. application MDC-KERBEROS-UDP-AUTH {
  2805. protocol udp;
  2806. destination-port 88;
  2807. }
  2808. application MDC-KERBEROS-UDP-PWD {
  2809. protocol udp;
  2810. destination-port 464;
  2811. }
  2812. application MDC-LDAP-TCP-SSL {
  2813. protocol tcp;
  2814. destination-port 636;
  2815. }
  2816. application MDC-LDAP-TCP {
  2817. protocol tcp;
  2818. destination-port 389;
  2819. }
  2820. application MDC-LDAP-TCP-GC {
  2821. protocol tcp;
  2822. destination-port 3268-3269;
  2823. }
  2824. application MDC-LDAP-UDP {
  2825. protocol udp;
  2826. destination-port 389;
  2827. }
  2828. application MDC-LPD {
  2829. protocol tcp;
  2830. destination-port 515;
  2831. }
  2832. application MDC-RPC-EPM {
  2833. protocol tcp;
  2834. destination-port 135;
  2835. }
  /* NOTE(review): this is the whole dynamic port range, not just what the endpoint mapper hands out; any policy that permits MDC-ACTIVE-DIRECTORY also opens every TCP service listening above 49151 on the destination. Keep the destination of such policies restricted to the domain controllers. */
  2836. application MDC-RPC-DYN {
  2837. protocol tcp;
  2838. destination-port 49152-65535;
  2839. }
  /* tcp/445 - identical tuple to MDC-SMB-MSDS below; the two objects exist so the AD and DMZ sets can be maintained independently */
  2840. application MDC-SMB-AD {
  2841. protocol tcp;
  2842. destination-port 445;
  2843. }
  2844. application MDC-SMB-NBSS {
  2845. protocol tcp;
  2846. destination-port 139;
  2847. }
  2848. application MDC-SMB-MSDS {
  2849. protocol tcp;
  2850. destination-port 445;
  2851. }
  2852. application MDC-W32TIME {
  2853. protocol udp;
  2854. destination-port 123;
  2855. }
  2856. application MDC-IPP {
  2857. protocol tcp;
  2858. destination-port 631;
  2859. }
  /* tcp/443 - same tuple as MDC-DNS-OVER-HTTPS; any policy using either object matches all HTTPS to its destination, not only printing or DoH */
  2860. application MDC-IPPS {
  2861. protocol tcp;
  2862. destination-port 443;
  2863. }
  2864. application MDC-PRINT-RAW {
  2865. protocol tcp;
  2866. destination-port 9100;
  2867. }
  /* NOTE(review): DoH cannot be separated from ordinary HTTPS by port; a deny on this object would also deny all HTTPS to the matched destination, and a permit lets all HTTPS through. Confirm how the policies (not visible here) use it, or pair it with application identification */
  2868. application MDC-DNS-OVER-HTTPS {
  2869. protocol tcp;
  2870. destination-port 443;
  2871. }
  /* Protocols that are commonly abused for name-resolution poisoning or evade inspection (QUIC, NetBIOS, WINS, LLMNR); presumably referenced by a deny policy - the set itself has no action */
  2872. application-set MDC-HIGH-RISK-GLOBAL {
  2873. application MDC-QUIC;
  2874. application MDC-NETBIOS;
  2875. application MDC-WINS-TCP;
  2876. application MDC-WINS-UDP;
  2877. application MDC-LLMNR-TCP;
  2878. application MDC-LLMNR-UDP;
  2879. }
  /* Discovery/UPnP protocols, kept separate from the global set (presumably for the external/guest zones) */
  2880. application-set MDC-HIGH-RISK-EXT {
  2881. application MDC-SSDP;
  2882. application MDC-UPNP;
  2883. }
  /* Plain DNS plus DoT and DoQ; DoH is deliberately not in this set since it is indistinguishable from HTTPS on port alone */
  2884. application-set MDC-ALL-DNS {
  2885. application junos-dns-tcp;
  2886. application junos-dns-udp;
  2887. application MDC-DNS-OVER-TLS;
  2888. application MDC-DNS-OVER-QUIC;
  2889. }
  /* Client-to-domain-controller traffic: Kerberos, LDAP/LDAPS/GC, RPC endpoint mapper + dynamic range, SMB, NTP */
  2890. application-set MDC-ACTIVE-DIRECTORY {
  2891. application MDC-KERBEROS-TCP-AUTH;
  2892. application MDC-KERBEROS-TCP-PWD;
  2893. application MDC-KERBEROS-UDP-AUTH;
  2894. application MDC-KERBEROS-UDP-PWD;
  2895. application MDC-LDAP-TCP-SSL;
  2896. application MDC-LDAP-TCP;
  2897. application MDC-LDAP-TCP-GC;
  2898. application MDC-LDAP-UDP;
  2899. application MDC-RPC-EPM;
  2900. application MDC-RPC-DYN;
  2901. application MDC-SMB-AD;
  2902. application MDC-W32TIME;
  2903. }
  /* Print-service traffic (LPD, SMB, IPP/IPPS, raw 9100) - note MDC-IPPS is tcp/443, so this set also matches generic HTTPS */
  2904. application-set MDC-DMZ-APPLICATIONS {
  2905. application MDC-LPD;
  2906. application MDC-SMB-NBSS;
  2907. application MDC-SMB-MSDS;
  2908. application MDC-IPP;
  2909. application MDC-IPPS;
  2910. application MDC-PRINT-RAW;
  2911. }
  2912. }
  2913. vlans {
  /* Deactivated (inactive:) but still in the config; looks like the factory-default trust VLAN bound to irb.0 - safe to delete once nothing references irb.0 */
  2914. inactive: vlan-trust {
  2915. vlan-id 3;
  2916. l3-interface irb.0;
  2917. }
  2918. }
  2919. protocols {
  /* Whole BGP stanza is deactivated (inactive:). NOTE(review): before reactivating, note that neither eBGP group carries session authentication (authentication-key) nor an import policy, so the peers' advertisements would be accepted unfiltered; consider adding both and a prefix-limit under family inet unicast */
  2920. inactive: bgp {
  2921. path-selection always-compare-med;
  /* eBGP to MD2BR over the 10.255.254.20/30-style link, local AS 65008 */
  2922. group MDCBR-to-MD2BR {
  2923. type external;
  2924. description "eBGP to MD2BR";
  2925. local-address 10.255.254.22;
  2926. export Export-to-MD2BR;
  2927. local-as 65008;
  2928. neighbor 10.255.254.21 {
  2929. description MD2BR;
  2930. peer-as 65003;
  2931. }
  2932. }
  /* eBGP to the lab border router, local AS 65001 (a different local-as from the MD2BR group) */
  2933. group MDCBR-to-La2BR {
  2934. type external;
  2935. description "eBGP to La2BR";
  2936. local-address 10.255.254.17;
  2937. export Export-to-Lab;
  2938. local-as 65001;
  2939. neighbor 10.255.254.18 {
  2940. description La2BR;
  2941. peer-as 65005;
  2942. }
  2943. }
  2944. description "MDC Production Firewall";
  /* 90 s hold-time; session up/down events are logged, which is what an alert on a flapping or hijacked session would key on */
  2945. hold-time 90;
  2946. log-updown;
  2947. graceful-restart;
  2948. }
  2949. l2-learning {
  2950. global-mode switching;
  2951. }
  /* LLDP on every port except ge-0/0/7. NOTE(review): LLDP advertises hostname, port and capability details to whatever is plugged in; confirm ge-0/0/7 is the only untrusted/external-facing port, otherwise disable it on the others too */
  2952. lldp {
  2953. interface all;
  2954. interface ge-0/0/7 {
  2955. disable;
  2956. }
  2957. }
  /* RSTP on all switched ports */
  2958. rstp {
  2959. interface all;
  2960. }
  2961. }
  /* Power over Ethernet switched off on every port */
  2962. poe {
  2963. interface all {
  2964. disable;
  2965. }
  2966. }