# Junos SRX configuration exported in "set" format (one command per line).
# Reviewer notes are the '#' lines; every 'set'/'deactivate' statement below is
# the original content, only re-broken one statement per line.
# Version 11.2R6.3 is a 2011-era release; confirm the platform is on a
# currently supported train before relying on the features reviewed here.
set version 11.2R6.3
# Public recursive resolvers; the DNS-SERVERS prefix-list below is derived
# from these entries via apply-path.
set system name-server 4.2.2.2
set system name-server 8.8.8.8
set system services dhcp propagate-settings ge-0/0/0.0
# IKE daemon (KMD) messages go to their own log file; useful for VPN triage.
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# Access ports bundled into the trust VLAN.
set interfaces interface-range interfaces-trust member ge-0/0/2
set interfaces interface-range interfaces-trust member ge-0/0/3
set interfaces interface-range interfaces-trust member ge-0/0/4
set interfaces interface-range interfaces-trust member ge-0/0/5
set interfaces interface-range interfaces-trust member ge-0/0/8
set interfaces interface-range interfaces-trust member ge-0/0/9
set interfaces interface-range interfaces-trust member ge-0/0/10
set interfaces interface-range interfaces-trust member ge-0/0/11
set interfaces interface-range interfaces-trust member ge-0/0/12
set interfaces interface-range interfaces-trust member ge-0/0/13
set interfaces interface-range interfaces-trust member ge-0/0/14
set interfaces interface-range interfaces-trust member ge-0/0/15
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
# ge-0/0/0: ISP1 uplink, forced to 100/full. The PCAP filter referenced here
# is not defined anywhere in this listing -- verify it exists or the
# reference is stale.
set interfaces ge-0/0/0 speed 100m
set interfaces ge-0/0/0 link-mode full-duplex
set interfaces ge-0/0/0 gigether-options no-auto-negotiation
set interfaces ge-0/0/0 unit 0 family inet filter input PCAP
set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.142/30
# ge-0/0/1: ISP2 uplink; inbound filter port-specific is defined below.
set interfaces ge-0/0/1 unit 0 family inet filter input port-specific
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.226/27
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members 10
# lo0 input filter = control-plane (Routing Engine) protection. This is the
# only thing restricting host-bound traffic, because the untrust zone
# interfaces below allow "system-services all".
set interfaces lo0 unit 0 family inet filter input CONTROL-PLANE
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
# st0.0: route-based IPsec tunnel to la-fw1.
set interfaces st0 unit 0 family inet address 10.24.12.118/30
set interfaces vlan unit 0 family inet address 10.10.200.1/23
# vlan.10 (server VLAN) input filter do-FBF2 steers selected server sources
# into the SERVER-Traffic routing instance (filter-based forwarding).
set interfaces vlan unit 10 family inet filter input do-FBF2
set interfaces vlan unit 10 family inet address 10.10.201.249/29
# Interface routes are shared into every forwarding instance via rib-test so
# the FBF instances can reach directly connected subnets.
set routing-options interface-routes rib-group inet rib-test
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.141
set routing-options rib-groups rib-test import-rib inet.0
set routing-options rib-groups rib-test import-rib SERVER-Traffic.inet.0
set routing-options rib-groups rib-test import-rib ISP1.inet.0
set routing-options rib-groups rib-test import-rib ISP2.inet.0
# 10.2.0.0/24 is not a locally connected subnet in this listing; presumably
# it is reached over the VPN -- confirm.
set policy-options prefix-list MANAGEMENT-NETWORKS 10.2.0.0/24
set policy-options prefix-list DNS-SERVERS apply-path "system name-server <*>"
# No "system ntp server" statement appears in this listing, so NTP-SERVERS
# may resolve to an empty list (the ALLOW-NTP-REPLIES term would then never
# match).
set policy-options prefix-list NTP-SERVERS apply-path "system ntp server <*>"
# IKE phase 1: PSK auth, AES-256-CBC, SHA-256. DH group5 (1536-bit MODP) is
# the weakest part of this suite; prefer group14 or higher if the peer
# supports it.
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group5
set security ike proposal ike-phase1-proposal authentication-algorithm sha-256
set security ike proposal ike-phase1-proposal encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
# Six-digit numeric PSK stored in cleartext in this export. Replace with a
# long random secret and handle any file containing it as sensitive.
set security ike policy ike-phase1-policy pre-shared-key ascii-text "123456"
set security ike gateway la-fw1 ike-policy ike-phase1-policy
set security ike gateway la-fw1 address 6.1.1.85
set security ike gateway la-fw1 external-interface ge-0/0/0.0
# IKE phase 2: ESP, AES-256-CBC, HMAC-SHA-256-128, 30-minute SA lifetime.
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 1800
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn ike-vpn-corp bind-interface st0.0
set security ipsec vpn ike-vpn-corp ike gateway la-fw1
# ESP replay protection is switched off for this VPN. That is normally only
# justified for a specific interoperability problem; confirm it is still
# required, otherwise remove it.
set security ipsec vpn ike-vpn-corp ike no-anti-replay
set security ipsec vpn ike-vpn-corp ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-corp establish-tunnels immediately
set security alg h323 disable
set security alg sip disable
set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 20
set security alg ike-esp-nat esp-session-timeout 2400
set security alg ike-esp-nat state-timeout 360
# Flow tracing for st0.0 is configured but deactivated (debug leftover).
set security flow traceoptions file DebugTraffic
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic interface st0.0
deactivate security flow traceoptions
set security flow tcp-mss all-tcp mss 1400
set security flow tcp-mss ipsec-vpn mss 1350
# Screen profile applied to the untrust zone below.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# Interface (PAT) source NAT for everything leaving trust/server toward untrust.
set security nat source rule-set trust-to-untrust from zone server
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
# Destination NAT rule-set is deactivated; pool test1 is not defined in this
# listing. Static NAT (rule 9379) is what currently maps 2.2.2.226.
set security nat destination rule-set server from zone untrust
set security nat destination rule-set server rule tes11 match destination-address 2.2.2.226/32
set security nat destination rule-set server rule tes11 then destination-nat pool test1
deactivate security nat destination rule-set server
set security nat static rule-set hosts from zone untrust
set security nat static rule-set hosts rule 9379 match destination-address 2.2.2.226/32
set security nat static rule-set hosts rule 9379 then static-nat prefix 10.10.201.250/32
# trust -> untrust: two deny rules first (URL block, outbound SMTP from LAN
# users, logged), then permit any. Order matters; keep the denies above the
# catch-all.
set security policies from-zone trust to-zone untrust policy LAN-URL-FILTER match source-address any
set security policies from-zone trust to-zone untrust policy LAN-URL-FILTER match destination-address URLBLOCK-1
set security policies from-zone trust to-zone untrust policy LAN-URL-FILTER match application any
set security policies from-zone trust to-zone untrust policy LAN-URL-FILTER then deny
set security policies from-zone trust to-zone untrust policy LAN-10 match source-address LAN-USERS-2
set security policies from-zone trust to-zone untrust policy LAN-10 match destination-address any
set security policies from-zone trust to-zone untrust policy LAN-10 match application TCP-25
set security policies from-zone trust to-zone untrust policy LAN-10 then deny
set security policies from-zone trust to-zone untrust policy LAN-10 then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone server to-zone untrust policy s-2-u match source-address any
set security policies from-zone server to-zone untrust policy s-2-u match destination-address any
set security policies from-zone server to-zone untrust policy s-2-u match application any
set security policies from-zone server to-zone untrust policy s-2-u then permit
# untrust -> server: any/any permit. Exposure of the server zone is only
# narrowed by the port-specific interface filter on ge-0/0/1 and by static
# NAT; consider restricting this policy to the published services.
set security policies from-zone untrust to-zone server policy u-2-s match source-address any
set security policies from-zone untrust to-zone server policy u-2-s match destination-address any
set security policies from-zone untrust to-zone server policy u-2-s match application any
set security policies from-zone untrust to-zone server policy u-2-s then permit
set security policies from-zone server to-zone server policy intra-zonal match source-address any
set security policies from-zone server to-zone server policy intra-zonal match destination-address any
set security policies from-zone server to-zone server policy intra-zonal match application any
set security policies from-zone server to-zone server policy intra-zonal then permit
set security policies from-zone trust to-zone server policy trust-to-server match source-address any
set security policies from-zone trust to-zone server policy trust-to-server match destination-address any
set security policies from-zone trust to-zone server policy trust-to-server match application any
set security policies from-zone trust to-zone server policy trust-to-server then permit
# untrust -> TRUST: any/any permit. Despite the name "untrust-to-server" the
# to-zone is trust, i.e. the user LAN. Unless a NAT mapping into trust exists
# that this listing does not show, this policy is unnecessary and should be
# removed or tightened.
set security policies from-zone untrust to-zone trust policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-server match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-server match application any
set security policies from-zone untrust to-zone trust policy untrust-to-server then permit
# Site-to-site VPN traffic: any/any in both directions between trust and
# corp-vpn.
set security policies from-zone trust to-zone corp-vpn policy vpn-to-corp match source-address any
set security policies from-zone trust to-zone corp-vpn policy vpn-to-corp match destination-address any
set security policies from-zone trust to-zone corp-vpn policy vpn-to-corp match application any
set security policies from-zone trust to-zone corp-vpn policy vpn-to-corp then permit
set security policies from-zone corp-vpn to-zone trust policy vpn-from-corp match source-address any
set security policies from-zone corp-vpn to-zone trust policy vpn-from-corp match destination-address any
set security policies from-zone corp-vpn to-zone trust policy vpn-from-corp match application any
set security policies from-zone corp-vpn to-zone trust policy vpn-from-corp then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone trust address-book address LAN-USERS-2 10.10.200.0/23
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust address-book address URLBLOCK-1 67.225.156.125/32
set security zones security-zone untrust screen untrust-screen
# Both Internet-facing interfaces accept "system-services all" at the zone
# layer; the dhcp/tftp entries on ge-0/0/0.0 are redundant with "all". The
# CONTROL-PLANE lo0 filter is therefore the sole host-protection layer.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone server host-inbound-traffic system-services all
set security zones security-zone server host-inbound-traffic protocols all
set security zones security-zone server interfaces vlan.10
set security zones security-zone server interfaces ge-0/0/6.0
set security zones security-zone server interfaces ge-0/0/7.0
set security zones security-zone corp-vpn host-inbound-traffic system-services all
set security zones security-zone corp-vpn host-inbound-traffic protocols all
# The per-interface ike/traceroute/ping entries on st0.0 are a subset of the
# zone-level "all" above, so they do not narrow anything.
set security zones security-zone corp-vpn interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone corp-vpn interfaces st0.0 host-inbound-traffic system-services traceroute
set security zones security-zone corp-vpn interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone corp-vpn interfaces st0.0 host-inbound-traffic protocols all
# ssh-access: allows SSH from the VPN peer, rejects SSH/HTTP/HTTPS from
# everyone else, default accept. It is NOT applied to any interface in this
# listing, so it currently has no effect.
set firewall family inet filter ssh-access term 1 from source-address 6.1.1.85/32
set firewall family inet filter ssh-access term 1 from destination-port 22
set firewall family inet filter ssh-access term 1 then accept
set firewall family inet filter ssh-access term 2 from destination-port 22
set firewall family inet filter ssh-access term 2 from destination-port 80
set firewall family inet filter ssh-access term 2 from destination-port 443
set firewall family inet filter ssh-access term 2 then reject
set firewall family inet filter ssh-access term default then accept
# port-specific (input on ge-0/0/1): rejects a list of ports toward
# 2.2.2.226, then term-accept accepts everything else to that address.
# term-deny matches the same address and comes after term-accept, so it is
# unreachable; the filter's effective behaviour is deny-list + default accept.
set firewall family inet filter port-specific term new from destination-address 2.2.2.226/32
set firewall family inet filter port-specific term new from destination-port ssh
set firewall family inet filter port-specific term new from destination-port ftp
set firewall family inet filter port-specific term new from destination-port tftp
set firewall family inet filter port-specific term new from destination-port http
set firewall family inet filter port-specific term new from destination-port https
set firewall family inet filter port-specific term new from destination-port 2000
set firewall family inet filter port-specific term new from destination-port 53
set firewall family inet filter port-specific term new then reject
set firewall family inet filter port-specific term term-accept from destination-address 2.2.2.226/32
set firewall family inet filter port-specific term term-accept then accept
set firewall family inet filter port-specific term term-deny from destination-address 2.2.2.226/32
set firewall family inet filter port-specific term term-deny then reject
set firewall family inet filter port-specific term default then accept
# FBF: traffic from the two static-NAT'd servers is routed via SERVER-Traffic
# (default route through ISP2, 2.2.2.225) so replies leave on the same ISP
# that published 2.2.2.226.
set firewall family inet filter do-FBF2 term 3 from source-address 10.10.201.250/32
set firewall family inet filter do-FBF2 term 3 from source-address 10.10.201.251/32
set firewall family inet filter do-FBF2 term 3 then routing-instance SERVER-Traffic
# CONTROL-PLANE (lo0 input): terms are evaluated top-down; final term
# DENY-AND-LOG discards and logs everything not accepted earlier.
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection from protocol icmp
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection from icmp-type echo-request
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection from icmp-type echo-reply
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection from icmp-type unreachable
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection from icmp-type time-exceeded
# Despite the term name there is no policer here, only a counter; the term
# accepts these ICMP types unconditionally. ALLOW-ICMP below repeats the
# same types numerically and is therefore never reached for them.
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection then count icmp-counter
set firewall filter CONTROL-PLANE term icmp-denial-of-service-protection then accept
set firewall filter CONTROL-PLANE term allow-management-traffic from source-prefix-list MANAGEMENT-NETWORKS
set firewall filter CONTROL-PLANE term allow-management-traffic from protocol tcp
set firewall filter CONTROL-PLANE term allow-management-traffic from destination-port ssh
set firewall filter CONTROL-PLANE term allow-management-traffic from destination-port https
set firewall filter CONTROL-PLANE term allow-management-traffic then accept
# All other SSH to the device is logged and discarded. Note this precedes
# ALLOW-VPN, so SSH from the VPN peer 6.1.1.85 is also dropped here.
set firewall filter CONTROL-PLANE term deny-other-management from protocol tcp
set firewall filter CONTROL-PLANE term deny-other-management from destination-port ssh
set firewall filter CONTROL-PLANE term deny-other-management then log
set firewall filter CONTROL-PLANE term deny-other-management then discard
set firewall filter CONTROL-PLANE term vrrp from destination-address 224.0.0.0/24
set firewall filter CONTROL-PLANE term vrrp then accept
set firewall filter CONTROL-PLANE term allow-dhcp from source-address 0.0.0.0/32
set firewall filter CONTROL-PLANE term allow-dhcp from destination-address 255.255.255.255/32
set firewall filter CONTROL-PLANE term allow-dhcp from protocol udp
set firewall filter CONTROL-PLANE term allow-dhcp then count dhcp
set firewall filter CONTROL-PLANE term allow-dhcp then accept
set firewall filter CONTROL-PLANE term ALLOW-RETURN-TCP from protocol tcp
set firewall filter CONTROL-PLANE term ALLOW-RETURN-TCP from tcp-established
set firewall filter CONTROL-PLANE term ALLOW-RETURN-TCP then accept
set firewall filter CONTROL-PLANE term ALLOW-ICMP from protocol icmp
set firewall filter CONTROL-PLANE term ALLOW-ICMP from icmp-type 0
set firewall filter CONTROL-PLANE term ALLOW-ICMP from icmp-type 3
set firewall filter CONTROL-PLANE term ALLOW-ICMP from icmp-type 8
set firewall filter CONTROL-PLANE term ALLOW-ICMP from icmp-type 11
set firewall filter CONTROL-PLANE term ALLOW-ICMP then accept
# MONITORING-HOSTS is not defined in this listing; verify the prefix-list
# exists, otherwise SNMP from the monitoring hosts falls through to the
# final discard.
set firewall filter CONTROL-PLANE term ALLOW-MONITORING from source-prefix-list MONITORING-HOSTS
set firewall filter CONTROL-PLANE term ALLOW-MONITORING from protocol udp
set firewall filter CONTROL-PLANE term ALLOW-MONITORING from port 161
set firewall filter CONTROL-PLANE term ALLOW-MONITORING then accept
set firewall filter CONTROL-PLANE term ALLOW-LOCAL-HOST-TRAFFIC from source-address 127.0.0.1/32
set firewall filter CONTROL-PLANE term ALLOW-LOCAL-HOST-TRAFFIC from destination-address 127.0.0.1/32
set firewall filter CONTROL-PLANE term ALLOW-LOCAL-HOST-TRAFFIC then accept
set firewall filter CONTROL-PLANE term ALLOW-DNS-REPLIES from source-prefix-list DNS-SERVERS
set firewall filter CONTROL-PLANE term ALLOW-DNS-REPLIES from protocol udp
set firewall filter CONTROL-PLANE term ALLOW-DNS-REPLIES from protocol tcp
set firewall filter CONTROL-PLANE term ALLOW-DNS-REPLIES from source-port 53
set firewall filter CONTROL-PLANE term ALLOW-DNS-REPLIES then accept
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES from source-prefix-list NTP-SERVERS
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES from protocol udp
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES from source-port 123
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES from destination-port 123
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES from destination-port 1024-65535
set firewall filter CONTROL-PLANE term ALLOW-NTP-REPLIES then accept
set firewall filter CONTROL-PLANE term ALLOW-UDP-TRACEROUTES from protocol udp
set firewall filter CONTROL-PLANE term ALLOW-UDP-TRACEROUTES from port 33000-34000
set firewall filter CONTROL-PLANE term ALLOW-UDP-TRACEROUTES then accept
# Accepts every protocol from the VPN peer. IKE (udp/500, udp/4500) and ESP
# are what the tunnel needs; consider narrowing to those.
set firewall filter CONTROL-PLANE term ALLOW-VPN from source-address 6.1.1.85/32
set firewall filter CONTROL-PLANE term ALLOW-VPN then accept
# Noisy ports dropped silently so they do not flood the syslog of the final
# term. No protocol match is paired with these port matches -- confirm this
# behaves as intended on this platform.
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 135
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 139
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 137
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 138
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 1433
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 445
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 80
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 443
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 1026
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 1434
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 143
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 8000
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 8080
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 3389
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 1027
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 25
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG from destination-port 21
set firewall filter CONTROL-PLANE term DENY-WITHOUT-LOG then discard
# Default deny for the control plane, logged.
set firewall filter CONTROL-PLANE term DENY-AND-LOG then syslog
set firewall filter CONTROL-PLANE term DENY-AND-LOG then discard
# ISP1: default via 1.1.1.141 with ISP2 (2.2.2.225) as a higher-preference
# backup; the VPN peer is pinned to ISP1 in both instances. The 10.x.17.0/24
# routes point across the st0 tunnel peer (10.24.12.117).
set routing-instances ISP1 instance-type forwarding
set routing-instances ISP1 routing-options static route 10.1.17.0/24 next-hop 10.24.12.117
set routing-instances ISP1 routing-options static route 10.0.17.0/24 next-hop 10.24.12.117
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.141
set routing-instances ISP1 routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.225 preference 100
set routing-instances ISP1 routing-options static route 6.1.1.85/32 next-hop 1.1.1.141
# ISP2: mirror image, default via 2.2.2.225 with ISP1 as backup.
set routing-instances ISP2 instance-type forwarding
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.225
set routing-instances ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.141 preference 100
set routing-instances ISP2 routing-options static route 6.1.1.85/32 next-hop 1.1.1.141
# SERVER-Traffic: target of the do-FBF2 filter; no backup next-hop, so the
# published servers lose connectivity if ISP2 is down -- confirm intended.
set routing-instances SERVER-Traffic instance-type forwarding
set routing-instances SERVER-Traffic routing-options static route 0.0.0.0/0 next-hop 2.2.2.225
# Empty forwarding instance; nothing in this listing references it.
set routing-instances test instance-type forwarding
set applications application TCP-25 protocol tcp
set applications application TCP-25 destination-port 25
set vlans vlan-server vlan-id 10
set vlans vlan-server l3-interface vlan.10
set vlans vlan-trust vlan-id 3
# Filter ISP_failover is referenced but not defined in this listing; verify.
set vlans vlan-trust filter input ISP_failover
set vlans vlan-trust l3-interface vlan.0