##
## Last commit: 2016-07-20 07:59:05 PDT by usr
/*
 * Junos configuration for an SRX chassis cluster (host-name srx5600-01).
 * Secrets appear only as the placeholder "Encrypted Password Stripped".
 * Statements are unchanged; only layout and NOTE(review) comments were added.
 * Several objects that the file refers to are not defined on this page
 * (security zones, NAT pools named gis-*, reth1-reth6, the xe- interfaces),
 * presumably removed during sanitisation, so findings that depend on them
 * are marked "confirm".
 */
/* NOTE(review): 12.1X44 is an old Junos release train; confirm it is still vendor-supported and patched. */
version 12.1X44-D50.2;
groups {
    /* Per-node settings, applied through apply-groups "${node}" below. */
    node0 {
        system {
            /* NOTE(review): node0 and node1 carry the same host-name, so log and trap sources cannot be told apart by name; confirm (may be a sanitisation artefact). */
            host-name srx5600-01;
            services {
                /* NOTE(review): FTP carries credentials and data in cleartext; prefer SCP/SFTP over the SSH service already enabled and remove this if unused. */
                ftp;
                ssh {
                    protocol-version v2;
                    /* Present on node0 only; node1 has no max-sessions-per-connection statement. */
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                host 192.168.10.10 {
                    any info;
                    authorization info;
                    security info;
                    change-log info;
                }
                file default-log-messages {
                    any info;
                    /* NOTE(review): the alternatives around GRES contain literal spaces ("(package -X delete) ", " GRES ", " (AIS_DATA_AVAILABLE)"), unlike the top-level pattern for the same file, so those three events may not match here; confirm. */
                    match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete) | GRES | (AIS_DATA_AVAILABLE)";
                    structured-data;
                }
            }
        }
        interfaces {
            /* Management interface; no address is present on this page (presumably stripped). */
            fxp0 {
                unit 0 {
                    family inet {
                    }
                }
            }
        }
        snmp {
            description srx5600-01;
            contact Sys_Admin;
            /* NOTE(review): the community string is the easily guessed value "Public" and SNMP v1/v2c sends it unencrypted. It is read-only and limited to one client below; prefer the SNMPv3 user defined at the top level. */
            community Public {
                authorization read-only;
                clients {
                    192.168.0.10/32;
                }
            }
            trap-group Public {
                categories {
                    authentication;
                    chassis;
                    link;
                    remote-operations;
                    routing;
                    startup;
                    rmon-alarm;
                    configuration;
                    services;
                    chassis-cluster;
                }
                targets {
                    192.168.5.1;
                    192.168.5.2;
                    192.168.7.1;
                }
            }
        }
    }
    node1 {
        system {
            /* NOTE(review): same host-name as node0; see the note there. */
            host-name srx5600-01;
            services {
                /* NOTE(review): cleartext FTP is enabled on this node as well. */
                ftp;
                ssh {
                    protocol-version v2;
                }
            }
            syslog {
                host 192.168.10.10 {
                    any info;
                    authorization info;
                    security info;
                    change-log info;
                }
                /* NOTE(review): node1 logs "any any" with no match filter while node0 uses "any info" plus a match; check how both merge with the top-level stanza of the same name (show configuration | display inheritance). */
                file default-log-messages {
                    any any;
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                    }
                }
            }
        }
        snmp {
            description srx5600-01;
            contact Sys_Admin;
            /* NOTE(review): same guessable v2c community as node0. */
            community Public {
                authorization read-only;
                clients {
                    192.168.0.10/32;
                }
            }
            trap-group Public {
                categories {
                    authentication;
                    chassis;
                    link;
                    remote-operations;
                    routing;
                    startup;
                    rmon-alarm;
                    configuration;
                    services;
                    chassis-cluster;
                }
                targets {
                    192.168.5.1;
                    192.168.5.2;
                    192.168.7.1;
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    domain-name example.com;
    domain-search [ example.com ];
    time-zone America/Los_Angeles;
    internet-options {
        /* Drops TCP segments that have both SYN and FIN set. */
        tcp-drop-synfin-set;
    }
    /* NOTE(review): with "password" listed, local passwords are accepted in addition to RADIUS (in Junos also after a RADIUS reject, not only when the servers are unreachable); confirm that fallback is intended. */
    authentication-order [ radius password ];
    /* NOTE(review): root has a local password and the ssh stanza below has no root-login statement; consider "root-login deny". */
    root-authentication {
        encrypted-password "Encrypted Password Stripped";
    }
    name-server {
        192.168.0.50;
        192.168.0.51;
    }
    radius-server {
        192.168.50.1 {
            port 1812;
            accounting-port 1813;
            secret "Encrypted Password Stripped";
        }
        192.168.50.99 {
            port 1812;
            accounting-port 1813;
            secret "Encrypted Password Stripped";
        }
    }
    scripts {
        /* Op scripts registered on the device. Per their descriptions two of them start and stop packet capture on the data plane, so restrict who may run op scripts. */
        op {
            file addr-book-upgrade.slax;
            file debug-helper.xsl {
                description "Assist in diagnosing data plane debugging";
            }
            file policy-test.xsl {
                description "helps in determining if a security policy exist for the given objects";
            }
            file traffic-capture-stop.xslt {
                description "TCPDump STOP for data plane traffic collection";
            }
            file traffic-capture.xslt {
                description "TCPDump START for data plane traffic collection";
            }
        }
    }
    login {
        /* Pre-login legal banner. */
        message "*************************************************************************\n* This system is the property of this Corporation/organization, *\n* and is intended for the use of authorized users only. All *\n* activities of individuals using this computing system with or *\n* without authority, or in excess of their authority, may be *\n* monitored and recorded by system personnel. If any such *\n* monitoring reveals evidence of criminal activity or is *\n* in violation of state and federal law, such evidence may be *\n* provided to law enforcement officials and/or used for further *\n* legal action by this Corporation and/or the organization's *\n* Information Protection group. Unauthorized use of this system is *\n* prohibited and may result in revocation of access, disciplinary *\n* action and/or legal action. The company reserves the right to *\n* monitor and review user activity, files and electronic messages. *\n* *\n* Reminder: Information transmitted to a foreign person on this *\n* network may be subject to US Export Control laws. Contact your *\n* Export Coordinator for assistance. *\n*************************************************************************";
        /* Three custom classes with increasing privilege, each with a 12-minute idle timeout. */
        class tier1 {
            idle-timeout 12;
            permissions [ firewall interface network routing snmp system trace view ];
        }
        class tier2 {
            idle-timeout 12;
            permissions [ admin clear configure firewall firewall-control interface interface-control network rollback routing routing-control snmp snmp-control system system-control view ];
        }
        class tier3 {
            idle-timeout 12;
            permissions all;
        }
        /* NOTE(review): admin and readonly use the built-in classes, so the idle-timeout set on the tier classes does not cover them. */
        user admin {
            full-name admin;
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "Encrypted Password Stripped";
            }
        }
        user readonly {
            uid 2003;
            class read-only;
            authentication {
                encrypted-password "Encrypted Password Stripped";
            }
        }
        /* NOTE(review): in Junos the account named "remote" is the template for RADIUS-authenticated users that have no local account or mapped template. It is bound to tier3 (permissions all), so any such user gets full rights; consider a least-privilege default with RADIUS mapping users to specific templates. */
        user remote {
            uid 2002;
            class tier3;
        }
    }
    services {
        /* NOTE(review): cleartext FTP is enabled at the top level too; see the note in groups node0. */
        ftp;
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
    }
    /* NOTE(review): no lo0/fxp0 firewall filter and no security zones stanza (host-inbound-traffic) appear on this page, so what limits access to ssh, ftp, netconf and snmp on the device itself cannot be determined here; confirm. */
    syslog {
        user * {
            any emergency;
        }
        host 192.168.69.69 {
            any any;
        }
        file messages {
            any notice;
            authorization info;
            change-log info;
            /* Leading "!" negates the expression, i.e. lines matching it are excluded from this file. */
            match "!(.*ezchip_aus_check_invalid_packet_type_counter*.)";
        }
        file default-log-messages {
            any info;
            match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)|(commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned|GRES|(AIS_DATA_AVAILABLE)";
            structured-data;
        }
    }
    /* NOTE(review): no NTP authentication is configured here; log timestamps depend on these servers being trustworthy. */
    ntp {
        boot-server 192.168.68.67;
        server 192.168.50.55;
    }
}
chassis {
    cluster {
        control-link-recovery;
        /* NOTE(review): reth-count 3 while member links below name reth2-reth6 and only reth0 is defined on this page; confirm against the full configuration. */
        reth-count 3;
        control-ports {
            fpc 4 port 0;
            fpc 10 port 0;
        }
        heartbeat-interval 1000;
        heartbeat-threshold 3;
        /* node 1 has the higher priority in both redundancy groups. */
        redundancy-group 0 {
            node 0 priority 50;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 50;
            node 1 priority 100;
            /* Every monitored link has weight 255. The xe- interfaces and ge-6/0/1 are not configured on this page. */
            interface-monitor {
                xe-2/0/0 weight 255;
                xe-8/0/0 weight 255;
                xe-2/1/0 weight 255;
                xe-8/1/0 weight 255;
                xe-2/2/0 weight 255;
                xe-8/2/0 weight 255;
                ge-0/0/1 weight 255;
                ge-6/0/1 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.10.24/29;
            }
        }
    }
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/2/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-0/2/5 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-0/2/7 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    ge-0/2/9 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 300 {
            vlan-id 300;
            family inet {
                address 192.168.27.254/23;
            }
        }
        unit 301 {
            vlan-id 301;
            family inet {
                address 192.168.6.254/24;
            }
        }
    }
}
forwarding-options {
    hash-key {
        family inet {
            layer-3;
            layer-4;
        }
    }
    helpers {
        /* BOOTP/DHCP relay on three interfaces. No relay server address is present on this page. */
        bootp {
            relay-agent-option;
            interface {
                ge-0/0/0;
                reth0.300;
                reth0.301;
            }
        }
        /* Deactivated stanza ("inactive:"); it references reth1.408, which is not defined on this page. */
        inactive: port 111 {
            interface {
                reth1.408 {
                }
            }
        }
    }
}
snmp {
    v3 {
        usm {
            local-engine {
                /* SNMPv3 user with SHA authentication and AES-128 privacy. */
                user usr {
                    authentication-sha {
                        authentication-key "Encrypted Password Stripped";
                    }
                    privacy-aes128 {
                        privacy-key "Encrypted Password Stripped";
                    }
                }
            }
        }
    }
    /* NOTE(review): this view includes the entire OID tree (.1). No vacm or community stanza on this page binds it; if it is bound for write access elsewhere, narrow it. */
    view view_rw_oid {
        oid .1 include;
    }
}
routing-options {
    graceful-restart;
    static {
        /* No next-hop is present on this page (presumably stripped). */
        route 0.0.0.0/0 {
            retain;
        }
    }
}
protocols {
    /* IGMP and PIM are enabled on "interface all" and disabled only on fxp0 and the fabric links. */
    igmp {
        interface all {
            version 2;
        }
        interface fxp0.0 {
            disable;
        }
        interface fab1.0 {
            disable;
        }
        interface fab0.0 {
            disable;
        }
    }
    pim {
        interface all {
            version 2;
        }
        interface fxp0.0 {
            disable;
        }
        interface fab0.0 {
            disable;
        }
        interface fab1.0 {
            disable;
        }
    }
}
security {
    log {
        mode stream;
        format sd-syslog;
        /* NOTE(review): all three streams have no collector address on this page (presumably stripped); confirm that traffic logs actually reach a collector. */
        stream trafficlogs {
            host {
            }
        }
        stream firemon {
            host {
                port 514;
            }
        }
        stream firemon-palm {
            host {
                port 514;
            }
        }
    }
    address-book {
        global {
            /* The entry name 192.168.23.0/23 differs from its value 192.168.22.0/23 (same /23 once normalised). */
            address 192.168.23.0/23 192.168.22.0/23;
            address 192.168.17.0/24 192.168.17.0/24;
            address dns-anycast-1 {
                description dns-anycast-1;
                192.168.200.1/32;
            }
        }
    }
    /* NOTE(review): every listed ALG is disabled, including msrpc. The DCE-* applications further down match on application-protocol ms-rpc plus uuid and presumably depend on that ALG; confirm they still match as intended. */
    alg {
        dns disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ftp disable;
    }
    nat {
        source {
            pool src-pool {
                address {
                }
            }
            rule-set src {
                from zone ISO;
                to zone [ server ];
                rule 1 {
                    match {
                        source-address 192.168.56.2/32;
                    }
                    then {
                        source-nat {
                            /* NOTE(review): references gis-src-pool, but the only source pool on this page is src-pool (with no address); confirm (likely a sanitisation artefact). */
                            pool {
                                gis-src-pool;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool dst-pool {
                address 192.168.56.2/32;
            }
            rule-set dst {
                from zone [ LMI server ];
                rule 1 {
                    /* NOTE(review): the match stanza is empty and the rule references gis-dst-pool, while the pool defined above is dst-pool; confirm against the full configuration. */
                    match {
                    }
                    then {
                        destination-nat pool gis-dst-pool;
                    }
                }
            }
        }
        proxy-arp {
            interface reth0.301 {
                address {
                    192.168.6.6/32;
                }
            }
        }
    }
    policies {
        /* NOTE(review): zones Corp, server, ISO and LMI are referenced but no "security zones" stanza is on this page. */
        from-zone Corp to-zone server {
            /* NOTE(review): the three policies log session-init only; session-close records add byte counts and duration for permitted flows. */
            policy DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            /* NOTE(review): despite its name, this policy does log (session-init). */
            policy NoLog {
                match {
                    source-address any;
                    destination-address any;
                    application [ DIR-Svcs LMI-srv-nolog ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            /* NOTE(review): any/any/any permit. Corp can reach every address and port in zone server, so the two policies above restrict nothing. Replace it with explicit permits and let the global deny below catch the rest. */
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        global {
            /* Logged catch-all deny for traffic that no zone-pair policy matched. */
            policy drop {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
routing-instances {
    corp {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface lo0.0;
        interface reth0.300;
        interface reth0.301;
    }
}
/*
 * Custom application objects. On this page only DIR-Svcs, LMI-srv-nolog and
 * the junos-dns-* built-ins are referenced by a policy; the rest are defined
 * but unused here.
 * NOTE(review): several objects overlap (tcp-636 and ldaps; udp-88 and
 * kerberos-UDP-88; TCP-49155 and tcp-49159 fall inside ADrange), and
 * source-port is written as 0-65535, 1-65535 or omitted without a visible
 * pattern; consolidating makes policy review easier.
 */
applications {
    application snmp-udp {
        protocol udp;
        source-port 1-65535;
        destination-port 161;
    }
    application SSH-22 {
        protocol tcp;
        source-port 0-65535;
        destination-port 22-22;
    }
    application tcp-8443 {
        protocol tcp;
        source-port 1-65535;
        destination-port 8443;
        inactivity-timeout 3600;
    }
    application tcp-7443 {
        protocol tcp;
        source-port 1-65535;
        destination-port 7443;
        inactivity-timeout 3600;
    }
    application RDP-3389 {
        protocol tcp;
        source-port 0-65535;
        destination-port 3389;
    }
    application HTTPS-443 {
        protocol tcp;
        source-port 0-65535;
        destination-port 443-443;
    }
    application HTTP-80 {
        protocol tcp;
        source-port 0-65535;
        destination-port 80-80;
    }
    /* NOTE(review): covers every UDP port from 1024 upwards; if this is ever used in a permit policy it opens a very wide range. */
    application udp-1024-65535 {
        protocol udp;
        source-port 1-65535;
        destination-port 1024-65535;
    }
    application udp-5061 {
        protocol udp;
        source-port 1-65535;
        destination-port 5061;
    }
    /* NOTE(review): 86400 s (24 h) idle timeout here and on udp-5107 / udp-8162; long-lived idle sessions hold session-table entries. */
    application tcp-5108 {
        protocol tcp;
        source-port 1-65535;
        destination-port 5108;
        inactivity-timeout 86400;
    }
    application snmptrap-udp {
        protocol udp;
        source-port 1-65535;
        destination-port 162;
    }
    application udp-5107 {
        protocol udp;
        source-port 1-65535;
        destination-port 5107;
        inactivity-timeout 86400;
    }
    application udp-8162 {
        protocol udp;
        source-port 1-65535;
        destination-port 8162;
        inactivity-timeout 86400;
    }
    application tcp-3269 {
        protocol tcp;
        source-port 1-65535;
        destination-port 3269;
    }
    application ldap-udp {
        protocol udp;
        source-port 1-65535;
        destination-port 389;
    }
    application microsoft-ds-TCP-445 {
        protocol tcp;
        source-port 0-65535;
        destination-port 445;
    }
    application tcp-8014 {
        protocol tcp;
        source-port 1-65535;
        destination-port 8014;
    }
    application TCP-49155 {
        protocol tcp;
        source-port 0-65535;
        destination-port 49155;
    }
    application NetMeeting2 {
        term term0 protocol tcp source-port 1-65535 destination-port 1720-1720;
        term term1 protocol tcp source-port 1-65535 destination-port 1503-1503;
        term term2 protocol tcp source-port 1-65535 destination-port 389-389;
        term term3 protocol tcp source-port 1-65535 destination-port 522-522;
        term term4 protocol tcp source-port 1-65535 destination-port 1731-1731;
        term term5 protocol udp source-port 1-65535 destination-port 1719-1719;
    }
    application kerberos-TCP-88 {
        protocol tcp;
        source-port 0-65535;
        destination-port 88;
    }
    application ldap-tcp {
        protocol tcp;
        source-port 1-65535;
        destination-port 389;
    }
    application ADrange {
        protocol tcp;
        destination-port 49155-49159;
    }
    /* MS-RPC applications matched by interface uuid on TCP/135; see the NOTE(review) on "security alg" about msrpc being disabled. */
    application DCE-CERT {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 91ae6020-9e3c-11cf-8d7c-00aa00c091be;
        inactivity-timeout 3600;
    }
    application DCE-CERT2 {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 5422fd3a-d4b8-4cef-a12e-e87d4ca22e90;
        inactivity-timeout 3600;
    }
    application DCE-DCOM-OXID {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 99fcfec4-5260-101b-bbcb-00aa0021347a;
        inactivity-timeout 3600;
    }
    application DCE-DCOM-SCMactivation {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 000001a0-0000-0000-c000-000000000046;
        inactivity-timeout 3600;
    }
    application DCE-DRSUAPI {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2;
        inactivity-timeout 3600;
    }
    application DCE-EndPtMapper {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
        inactivity-timeout 3600;
    }
    application DCE-LSA {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 12345778-1234-abcd-ef00-0123456789ab;
        inactivity-timeout 3600;
    }
    application DCE-MGMT {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid afa8bd80-7d8a-11c9-bef4-08002b102989;
        inactivity-timeout 3600;
    }
    application DCE-NetLogon {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 12345678-1234-abcd-ef00-01234567cffb;
        inactivity-timeout 3600;
    }
    application DCE-REMunk2 {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 00000143-0000-0000-c000-000000000046;
        inactivity-timeout 3600;
    }
    /* NOTE(review): "inactivity-timeout never" means idle sessions for this application are never aged out; prefer a finite value so stale sessions cannot accumulate in the session table. */
    application DCE-iRemoteWinspool {
        application-protocol ms-rpc;
        protocol tcp;
        destination-port 135;
        uuid 76F03F96-CDFD-44FC-A22C-64950A001209;
        inactivity-timeout never;
    }
    application kerberos-UDP-88 {
        protocol udp;
        source-port 0-65535;
        destination-port 88;
    }
    application kpassword {
        term term1 protocol tcp destination-port 464 inactivity-timeout 3600;
        term term2 protocol udp destination-port 464 inactivity-timeout 60;
    }
    application ldaps {
        protocol tcp;
        destination-port 636;
        inactivity-timeout 3600;
    }
    application ntp-udp {
        protocol udp;
        source-port 1-65535;
        destination-port 123;
    }
    application tcp-1273 {
        protocol tcp;
        destination-port 1273;
    }
    application tcp-1319 {
        protocol tcp;
        destination-port 1319;
    }
    application tcp-1434 {
        protocol tcp;
        destination-port 1434;
    }
    application tcp-3268 {
        protocol tcp;
        source-port 0-65535;
        destination-port 3268;
    }
    application tcp-4750 {
        protocol tcp;
        source-port 1-65535;
        destination-port 4750;
        inactivity-timeout 3600;
    }
    application tcp-49159 {
        protocol tcp;
        source-port 1-65535;
        destination-port 49159-49159;
    }
    application tcp-5723 {
        protocol tcp;
        source-port 1-65535;
        destination-port 5723-5723;
    }
    application tcp-6090 {
        protocol tcp;
        source-port 0-65535;
        destination-port 6090;
    }
    application tcp-6095 {
        protocol tcp;
        source-port 1-65535;
        destination-port 6095;
    }
    application tcp-6097 {
        protocol tcp;
        source-port 1-65535;
        destination-port 6097;
    }
    application tcp-636 {
        protocol tcp;
        source-port 1-65535;
        destination-port 636;
    }
    application udp-88 {
        protocol udp;
        destination-port 88;
    }
    application tcp-59532 {
        protocol tcp;
        destination-port 59532;
    }
    application NetbackUp-TCP-13724 {
        protocol tcp;
        source-port 0-65535;
        destination-port 13724;
    }
    application NetbackUp-TCP-13782 {
        protocol tcp;
        source-port 0-65535;
        destination-port 13782;
    }
    application tcp-10000 {
        protocol tcp;
        source-port 0-65535;
        destination-port 10000;
    }
    application tcp-1556 {
        protocol tcp;
        source-port 0-65535;
        destination-port 1556;
        inactivity-timeout 3600;
    }
    /* Plain TCP/21 with no application-protocol statement; the description text is the author's. */
    application ftp-get {
        protocol tcp;
        destination-port 21;
        description "predefined service";
    }
    /* NOTE(review): DIR-Svcs and DIR-SVCS differ only in letter case but have very different contents (4 entries here, 26 below). Policy NoLog references DIR-Svcs; rename one to avoid picking the wrong set in a policy. */
    application-set DIR-Svcs {
        application ldap-udp;
        application microsoft-ds-TCP-445;
        application ldap-tcp;
        application kerberos-TCP-88;
    }
    application-set LMI-srv-nolog {
        application junos-ntp;
        application tcp-8014;
        application TCP-49155;
    }
    application-set DIR-SVCS {
        description "MS directory services protocols";
        application ADrange;
        application junos-ping;
        application kerberos-UDP-88;
        application kerberos-TCP-88;
        application ldap-tcp;
        application ldap-udp;
        application microsoft-ds-TCP-445;
        application junos-ms-rpc-tcp;
        application DCE-LSA;
        application DCE-EndPtMapper;
        application DCE-NetLogon;
        application DCE-CERT;
        application DCE-MGMT;
        application DCE-DCOM-OXID;
        application DCE-REMunk2;
        application DCE-DCOM-SCMactivation;
        application DCE-CERT2;
        application DCE-DRSUAPI;
        application DCE-iRemoteWinspool;
        application ntp-udp;
        application tcp-3268;
        application tcp-3269;
        application kpassword;
        application ldaps;
        application-set DNS;
    }
    application-set DNS {
        application junos-dns-tcp;
        application junos-dns-udp;
    }
    application-set NetBackup {
        application tcp-1556;
        application tcp-10000;
        application NetbackUp-TCP-13782;
        application NetbackUp-TCP-13724;
    }
}
##