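# Junos firewall configuration, reflowed one statement per line.
# Secrets appear as the placeholder "secret data". The only statement changed from
# the original listing is the policy match clause (missing ';' restored, see below);
# everything else is the original with review notes added as '#' comments.
system {
    host-name firewall;
    domain-name foo.com;
    domain-search foo.com;
    time-zone America/Phoenix;
    # NOTE(review): with "password" listed after tacplus, a login rejected by TACACS+
    # can still fall through to the local password database, so local accounts
    # (including root) stay usable alongside TACACS+. Confirm that is intended.
    authentication-order [ tacplus password ];
    ports {
        # Ends the console session when the cable is unplugged, so the next person
        # to connect does not inherit an authenticated shell.
        console log-out-on-disconnect;
    }
    root-authentication {
        encrypted-password "secret data"; ## SECRET-DATA
    }
    name-server {
        192.168.2.100;
        192.168.2.101;
    }
    tacplus-server {
        192.168.2.102 {
            secret "secret data"; ## SECRET-DATA
            source-address 192.168.2.1;
        }
        192.168.2.103 {
            secret "secret data"; ## SECRET-DATA
            source-address 192.168.2.1;
        }
    }
    login {
        # Template account for TACACS+-authenticated users; everyone mapped to it
        # receives the super-user class.
        user remote-root {
            full-name "TACACS+ Root Users";
            uid 2001;
            class super-user;
        }
    }
    services {
        ssh {
            # NOTE(review): direct root login over SSH is permitted, and SSH is accepted
            # as host-inbound traffic in both zones below. Consider "root-login deny"
            # (or "deny-password") so administrators log in with named accounts.
            root-login allow;
            protocol-version v2;
        }
        web-management {
            https {
                # Self-signed certificate: clients cannot verify the device identity
                # unless the certificate is pinned or replaced with a CA-issued one.
                system-generated-certificate;
                # NOTE(review): the management GUI listens on both interfaces, including
                # the one in the "untrust" zone. Restrict to the management-facing
                # interface if the GUI is not needed on both.
                interface [ ge-0/0/0.0 t1-1/0/0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        host 192.168.2.105 {
            any notice;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            # NOTE(review): at severity "error" this file likely omits routine CLI
            # commands; "interactive-commands any" is the usual choice when a command
            # audit trail is wanted. Verify against the logging requirements.
            interactive-commands error;
        }
        source-address 192.168.2.1;
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        # NOTE(review): no NTP authentication keys are configured in this listing.
        server 192.168.2.37;
        server 192.168.2.40 prefer;
    }
}
chassis {
    # Disables both functions of the front-panel config button (load rescue
    # configuration / clear to factory default).
    config-button no-rescue no-clear;
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    t1-1/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.2/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/2 {
        unit 0;
    }
    fe-0/0/3 {
        unit 0;
    }
    fe-0/0/4 {
        unit 0;
    }
    fe-0/0/5 {
        unit 0;
    }
    fe-0/0/6 {
        unit 0;
    }
    fe-0/0/7 {
        unit 0;
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.10.49/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1;
            no-resolve;
        }
        route 192.168.3.0/24 {
            next-hop 192.168.2.10;
            no-resolve;
        }
    }
}
security {
    screen {
        # NOTE(review): this screen profile is defined but no security-zone in this
        # listing references it (there is no "screen untrust-screen;" statement under
        # either zone), so as shown none of these checks are applied to traffic.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            # Permits SSH from the four trust-zone hosts to Epsilon only.
            # No "log" action is configured, so permitted sessions are not recorded.
            policy COP_to_YPIT_ADSi {
                match {
                    source-address [ Alpha Beta Gamma Delta ];
                    # Fixed: the original ran destination-address and application
                    # together without a ';', which is not valid match syntax.
                    destination-address Epsilon;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        # NOTE(review): "trust" is bound to the T1 link that carries the default route
        # and "untrust" to the 192.168.2.0/24 segment holding the DNS, TACACS+, syslog
        # and NTP servers. Confirm the zone names match the intended trust levels.
        security-zone trust {
            address-book {
                address Alpha 192.168.8.207/32;
                address Beta 192.168.8.203/32;
                address Gamma 192.168.8.204/32;
                address Delta 192.168.8.208/32;
            }
            host-inbound-traffic {
                # NOTE(review): broad exposure of the device itself. tftp and snmp are
                # accepted here and every routing protocol is allowed; trim to the
                # services and protocols actually in use on this interface.
                system-services {
                    ssh;
                    ping;
                    https;
                    snmp;
                    snmp-trap;
                    tftp;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                t1-1/0/0.0;
            }
        }
        security-zone untrust {
            address-book {
                address Epsilon 192.168.3.40/32;
            }
            host-inbound-traffic {
                # SSH and HTTPS management are reachable from this zone; together with
                # "root-login allow" above this permits root SSH from the untrust side.
                system-services {
                    ping;
                    ssh;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}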