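##
## Prefix lists used by the RE-protection filters below.
## apply-path lists are regenerated from the running config at commit time,
## so a peer/server that is added to the config is admitted automatically.
## The filters are not applied to lo0 on this page; that is assumed to live elsewhere.
##
set policy-options prefix-list MGMT_V4 {redacted}
set policy-options prefix-list MGMT_V6 {redacted}
set policy-options prefix-list LOCALHOST 127.0.0.1/32
set policy-options prefix-list RFC1918 10.0.0.0/8
set policy-options prefix-list RFC1918 172.16.0.0/12
set policy-options prefix-list RFC1918 192.168.0.0/16
set policy-options prefix-list RFC5156 fc00::/7
set policy-options prefix-list RFC5156 fe80::/10
set policy-options prefix-list SNMP_CLIENT_LISTS apply-path "snmp client-list <*> <*>"
set policy-options prefix-list SNMP_COMMUNITY_CLIENTS apply-path "snmp community <*> clients <*>"
## The *_V4/*_V6 BGP lists depend on a group naming convention (group names ending in
## _v4 / _v6); a neighbor in a group named otherwise is NOT admitted by accept-bgp.
set policy-options prefix-list BGP_NEIGHBORS_V4 apply-path "protocols bgp group <*_v4> neighbor <*>"
set policy-options prefix-list BGP_NEIGHBORS_V6 apply-path "protocols bgp group <*_v6> neighbor <*>"
set policy-options prefix-list OSPF 224.0.0.5/32
set policy-options prefix-list OSPF 224.0.0.6/32
set policy-options prefix-list OSPF apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list OSPF_v6 ff02:0:0:0:0:0:0:5/128
set policy-options prefix-list OSPF_v6 ff02:0:0:0:0:0:0:6/128
## fixed: the v6 list previously walked "family inet" and so never collected any IPv6 address
set policy-options prefix-list OSPF_v6 apply-path "interfaces <*> unit <*> family inet6 address <*>"
set policy-options prefix-list VRRP 224.0.0.18/32
set policy-options prefix-list MULTICAST_ALL_ROUTERS 224.0.0.2/32
set policy-options prefix-list RIP 224.0.0.9/32
## ROUTER_IP*/ROUTER_VRRP_*/BGP_NEIGHBORS*_LOGICAL_SYSTEMS are not referenced by the
## filters on this page; presumably used by another filter.
set policy-options prefix-list ROUTER_IP4 apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list ROUTER_IP6 apply-path "interfaces <*> unit <*> family inet6 address <*>"
set policy-options prefix-list ROUTER_IP4_LOGICAL_SYSTEMS apply-path "logical-systems <*> interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list ROUTER_IP6_LOGICAL_SYSTEMS apply-path "logical-systems <*> interfaces <*> unit <*> family inet6 address <*>"
set policy-options prefix-list ROUTER_VRRP_V4 apply-path "interfaces <*> unit <*> family inet address <*> vrrp-group <*> virtual-address <*>"
set policy-options prefix-list ROUTER_VRRP_V6 apply-path "interfaces <*> unit <*> family inet6 address <*> vrrp-inet6-group <*> virtual-inet6-address <*>"
## fixed: "interfaces unit <*>" is not a valid hierarchy path (the interface name wildcard
## was missing), so both GRE peer lists resolved to nothing.
set policy-options prefix-list GRE_PEERS_V4 apply-path "interfaces <*> unit <*> tunnel destination <*>"
set policy-options prefix-list BGP_NEIGHBORS apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list BGP_NEIGHBORS_LOGICAL_SYSTEMS apply-path "logical-systems <*> protocols bgp group <*> neighbor <*>"
set policy-options prefix-list BGP_NEIGHBORS_LOGICAL_SYSTEMS_V4 apply-path "logical-systems <*> protocols bgp group <*_v4> neighbor <*>"
set policy-options prefix-list BGP_NEIGHBORS_LOGICAL_SYSTEMS_V6 apply-path "logical-systems <*> protocols bgp group <*_v6> neighbor <*>"
## RADIUS_SERVERS is defined but no accept-radius term exists; if RADIUS AAA is in use,
## server replies are discarded by the final term.
set policy-options prefix-list RADIUS_SERVERS apply-path "system radius-server <*>"
set policy-options prefix-list TACACS_SERVERS apply-path "system tacplus-server <*>"
set policy-options prefix-list NTP_SERVERS apply-path "system ntp server <*>"
set policy-options prefix-list NTP_SERVER_PEERS apply-path "system ntp peer <*>"
set policy-options prefix-list DNS_SERVERS apply-path "system name-server <*>"
set policy-options prefix-list GRE_PEERS_V6 apply-path "interfaces <*> unit <*> tunnel destination <*>"
##
## IPv4 RE Filter
##
## Terms are evaluated top-down; first match wins. Every term counts, the last term logs.
##
## fixed: tcp-established is only a TCP-flags match and does not imply protocol tcp, so
## without "protocol tcp" this first term could accept non-TCP packets whose payload bytes
## happen to look like ACK/RST. Note it still admits established-flag TCP from any source.
set firewall family inet filter PROTECT_RE_v4 term accept-established-tcp from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-established-tcp from tcp-established
set firewall family inet filter PROTECT_RE_v4 term accept-established-tcp then count accept-established-tcp
set firewall family inet filter PROTECT_RE_v4 term accept-established-tcp then accept
set firewall family inet filter PROTECT_RE_v4 term no-icmp-fragments from is-fragment
set firewall family inet filter PROTECT_RE_v4 term no-icmp-fragments from protocol icmp
set firewall family inet filter PROTECT_RE_v4 term no-icmp-fragments then count no-icmp-fragments
set firewall family inet filter PROTECT_RE_v4 term no-icmp-fragments then discard
## ICMPv4 is now rate-limited like ICMPv6 (policer ICMPv4_20m, defined at the bottom).
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from protocol icmp
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type echo-reply
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type echo-request
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type time-exceeded
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type unreachable
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type source-quench
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type router-advertisement
set firewall family inet filter PROTECT_RE_v4 term accept-icmp from icmp-type parameter-problem
set firewall family inet filter PROTECT_RE_v4 term accept-icmp then policer ICMPv4_20m
set firewall family inet filter PROTECT_RE_v4 term accept-icmp then count accept-icmp
set firewall family inet filter PROTECT_RE_v4 term accept-icmp then accept
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-udp from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-udp from destination-port 33435-33450
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-udp then count accept-traceroute-udp
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-udp then accept
## echo-request and time-exceeded are already accepted by accept-icmp; only timestamp is new here.
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp from protocol icmp
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp from icmp-type echo-request
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp from icmp-type timestamp
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp from icmp-type time-exceeded
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp then count accept-traceroute-icmp
set firewall family inet filter PROTECT_RE_v4 term accept-traceroute-icmp then accept
## SSH is admitted from the management list AND from all of RFC1918; the second list is very
## broad and is only appropriate if the whole private space is trusted as management.
set firewall family inet filter PROTECT_RE_v4 term accept-ssh from source-prefix-list MGMT_V4
set firewall family inet filter PROTECT_RE_v4 term accept-ssh from source-prefix-list RFC1918
set firewall family inet filter PROTECT_RE_v4 term accept-ssh from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-ssh from destination-port ssh
set firewall family inet filter PROTECT_RE_v4 term accept-ssh then count accept-ssh
set firewall family inet filter PROTECT_RE_v4 term accept-ssh then accept
set firewall family inet filter PROTECT_RE_v4 term accept-snmp from source-prefix-list SNMP_CLIENT_LISTS
set firewall family inet filter PROTECT_RE_v4 term accept-snmp from source-prefix-list SNMP_COMMUNITY_CLIENTS
set firewall family inet filter PROTECT_RE_v4 term accept-snmp from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-snmp from destination-port snmp
set firewall family inet filter PROTECT_RE_v4 term accept-snmp then count accept-snmp
set firewall family inet filter PROTECT_RE_v4 term accept-snmp then accept
## fixed: NTP was accepted from any source. Now limited to the configured servers/peers
## (and localhost). If this router also serves NTP to clients, add their prefixes here.
set firewall family inet filter PROTECT_RE_v4 term accept-ntp from source-prefix-list NTP_SERVERS
set firewall family inet filter PROTECT_RE_v4 term accept-ntp from source-prefix-list NTP_SERVER_PEERS
set firewall family inet filter PROTECT_RE_v4 term accept-ntp from source-prefix-list LOCALHOST
set firewall family inet filter PROTECT_RE_v4 term accept-ntp from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-ntp from destination-port ntp
set firewall family inet filter PROTECT_RE_v4 term accept-ntp then count accept-ntp
set firewall family inet filter PROTECT_RE_v4 term accept-ntp then accept
## fixed: a source-port-53 match alone admits any host that picks that source port; the
## term is now restricted to the configured name servers (DNS_SERVERS was defined but unused).
set firewall family inet filter PROTECT_RE_v4 term accept-dns from source-prefix-list DNS_SERVERS
set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-dns from source-port 53
set firewall family inet filter PROTECT_RE_v4 term accept-dns then count accept-dns
set firewall family inet filter PROTECT_RE_v4 term accept-dns then accept
## fixed: same source-port-only weakness as DNS; restricted to TACACS_SERVERS. Counter name
## typo (accept-tacas) corrected. TCP replies are in practice already caught by the first term.
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from source-prefix-list TACACS_SERVERS
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from source-port tacacs
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from source-port tacacs-ds
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs from tcp-established
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs then count accept-tacacs
set firewall family inet filter PROTECT_RE_v4 term accept-tacacs then accept
## "prefix-list" matches source OR destination; for RE-bound traffic only the source is
## meaningful, so source-prefix-list states the intent without changing what is admitted.
set firewall family inet filter PROTECT_RE_v4 term accept-bgp from source-prefix-list BGP_NEIGHBORS_V4
set firewall family inet filter PROTECT_RE_v4 term accept-bgp from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-bgp from destination-port bgp
set firewall family inet filter PROTECT_RE_v4 term accept-bgp then count accept-bgp
set firewall family inet filter PROTECT_RE_v4 term accept-bgp then accept
## NOTE(review): "protocol igmp" here accepts ALL IGMP from any source and shadows the
## narrower accept-ldp-igmp term further down; it looks like a copy-paste artefact and the
## OSPF prefix list (224.0.0.5/.6 + interface addresses) is never used as a destination match.
## Left unchanged because removing it could affect multicast; confirm and tighten.
set firewall family inet filter PROTECT_RE_v4 term accept-ospf from protocol ospf
set firewall family inet filter PROTECT_RE_v4 term accept-ospf from protocol igmp
set firewall family inet filter PROTECT_RE_v4 term accept-ospf then count accept-ospf
set firewall family inet filter PROTECT_RE_v4 term accept-ospf then accept
set firewall family inet filter PROTECT_RE_v4 term accept-vrrp from destination-prefix-list VRRP
set firewall family inet filter PROTECT_RE_v4 term accept-vrrp from protocol vrrp
set firewall family inet filter PROTECT_RE_v4 term accept-vrrp from protocol ah
set firewall family inet filter PROTECT_RE_v4 term accept-vrrp then count accept-vrrp
set firewall family inet filter PROTECT_RE_v4 term accept-vrrp then accept
## Single-hop BFD only (3784-3785); multihop BFD would need its own term.
set firewall family inet filter PROTECT_RE_v4 term accept-sh-bfd from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-sh-bfd from source-port 49152-65535
set firewall family inet filter PROTECT_RE_v4 term accept-sh-bfd from destination-port 3784-3785
set firewall family inet filter PROTECT_RE_v4 term accept-sh-bfd then count accept-sh-bfd
set firewall family inet filter PROTECT_RE_v4 term accept-sh-bfd then accept
## NOTE(review): ICCP is accepted from any source; no peer prefix list exists on this page.
set firewall family inet filter PROTECT_RE_v4 term accept-iccp from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-iccp from destination-port 33012
set firewall family inet filter PROTECT_RE_v4 term accept-iccp then count accept-iccp
set firewall family inet filter PROTECT_RE_v4 term accept-iccp then accept
## fixed: GRE was accepted from any source; now limited to configured tunnel destinations.
set firewall family inet filter PROTECT_RE_v4 term accept-gre from source-prefix-list GRE_PEERS_V4
set firewall family inet filter PROTECT_RE_v4 term accept-gre from protocol gre
set firewall family inet filter PROTECT_RE_v4 term accept-gre then count accept-gre
set firewall family inet filter PROTECT_RE_v4 term accept-gre then accept
## Basic LDP discovery is multicast to all-routers (224.0.0.2); adding that destination match
## (as the v6 filter already does) lets accept-tldp-discover below count unicast targeted hellos
## separately instead of being an unreachable duplicate. Net acceptance is unchanged.
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-discover from destination-prefix-list MULTICAST_ALL_ROUTERS
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-discover from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-discover from destination-port ldp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-discover then count accept-ldp-discover
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-discover then accept
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-unicast from protocol tcp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-unicast from destination-port ldp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-unicast then count accept-ldp-unicast
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-unicast then accept
set firewall family inet filter PROTECT_RE_v4 term accept-tldp-discover from protocol udp
set firewall family inet filter PROTECT_RE_v4 term accept-tldp-discover from destination-port ldp
set firewall family inet filter PROTECT_RE_v4 term accept-tldp-discover then count accept-tldp-discover
set firewall family inet filter PROTECT_RE_v4 term accept-tldp-discover then accept
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-igmp from destination-prefix-list MULTICAST_ALL_ROUTERS
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-igmp from protocol igmp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-igmp then count accept-ldp-igmp
set firewall family inet filter PROTECT_RE_v4 term accept-ldp-igmp then accept
set firewall family inet filter PROTECT_RE_v4 term accept-rsvp from protocol rsvp
set firewall family inet filter PROTECT_RE_v4 term accept-rsvp then count accept-rsvp
set firewall family inet filter PROTECT_RE_v4 term accept-rsvp then accept
## Default deny. "syslog" on every discard is useful for detection but is not rate-limited;
## under a flood it can load the RE's syslog path - consider a policer on this term.
set firewall family inet filter PROTECT_RE_v4 term discard then count discard
set firewall family inet filter PROTECT_RE_v4 term discard then syslog
set firewall family inet filter PROTECT_RE_v4 term discard then discard
##
## IPv6 RE Filter
##
## Mirrors the IPv4 filter; see the comments there for the rationale of each term.
##
set firewall family inet6 filter PROTECT_RE_v6 term accept-established-tcp from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-established-tcp from tcp-established
set firewall family inet6 filter PROTECT_RE_v6 term accept-established-tcp then count accept-established-tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-established-tcp then accept
## All ICMPv6 types are accepted (ND/RA/MLD need this); rate-limited by ICMPv6_20m.
set firewall family inet6 filter PROTECT_RE_v6 term accept-icmp6 from next-header icmp6
set firewall family inet6 filter PROTECT_RE_v6 term accept-icmp6 then policer ICMPv6_20m
set firewall family inet6 filter PROTECT_RE_v6 term accept-icmp6 then count accept-icmp
set firewall family inet6 filter PROTECT_RE_v6 term accept-icmp6 then accept
## RFC5156 (ULA + link-local) plays the same broad role here as RFC1918 does for IPv4.
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh from source-prefix-list MGMT_V6
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh from source-prefix-list RFC5156
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh from destination-port ssh
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh then count accept-ssh
set firewall family inet6 filter PROTECT_RE_v6 term accept-ssh then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp from source-prefix-list SNMP_CLIENT_LISTS
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp from source-prefix-list SNMP_COMMUNITY_CLIENTS
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp from destination-port snmp
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp then count accept-snmp
set firewall family inet6 filter PROTECT_RE_v6 term accept-snmp then accept
## fixed: source restricted to configured NTP servers/peers (the apply-path lists pick up
## whatever IPv6 servers are configured).
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp from source-prefix-list NTP_SERVERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp from source-prefix-list NTP_SERVER_PEERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp from destination-port ntp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp then count accept-ntp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ntp then accept
## fixed: source restricted to DNS_SERVERS (was any host using source port 53).
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns from source-prefix-list DNS_SERVERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns from source-port 53
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns then count accept-dns
set firewall family inet6 filter PROTECT_RE_v6 term accept-dns then accept
## fixed: source restricted to TACACS_SERVERS; counter typo corrected.
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from source-prefix-list TACACS_SERVERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from source-port tacacs
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from source-port tacacs-ds
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs from tcp-established
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs then count accept-tacacs
set firewall family inet6 filter PROTECT_RE_v6 term accept-tacacs then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-bgp from source-prefix-list BGP_NEIGHBORS_V6
set firewall family inet6 filter PROTECT_RE_v6 term accept-bgp from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-bgp from destination-port bgp
set firewall family inet6 filter PROTECT_RE_v6 term accept-bgp then count accept-bgp
set firewall family inet6 filter PROTECT_RE_v6 term accept-bgp then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-ospf from next-header ospf
set firewall family inet6 filter PROTECT_RE_v6 term accept-ospf then count accept-ospf
set firewall family inet6 filter PROTECT_RE_v6 term accept-ospf then accept
## NOTE(review): prefix-list VRRP holds only an IPv4 address (224.0.0.18/32), so inside an
## inet6 filter this destination match has nothing usable - the term is expected to match
## nothing. VRRP over IPv6 needs an IPv6 multicast destination list; confirm on the device.
set firewall family inet6 filter PROTECT_RE_v6 term accept-vrrp from destination-prefix-list VRRP
set firewall family inet6 filter PROTECT_RE_v6 term accept-vrrp from next-header vrrp
set firewall family inet6 filter PROTECT_RE_v6 term accept-vrrp from next-header ah
set firewall family inet6 filter PROTECT_RE_v6 term accept-vrrp then count accept-vrrp
set firewall family inet6 filter PROTECT_RE_v6 term accept-vrrp then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-sh-bfd from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-sh-bfd from source-port 49152-65535
set firewall family inet6 filter PROTECT_RE_v6 term accept-sh-bfd from destination-port 3784-3785
set firewall family inet6 filter PROTECT_RE_v6 term accept-sh-bfd then count accept-sh-bfd
set firewall family inet6 filter PROTECT_RE_v6 term accept-sh-bfd then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-iccp from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-iccp from destination-port 33012
set firewall family inet6 filter PROTECT_RE_v6 term accept-iccp then count accept-iccp
set firewall family inet6 filter PROTECT_RE_v6 term accept-iccp then accept
## fixed: GRE limited to configured tunnel destinations.
set firewall family inet6 filter PROTECT_RE_v6 term accept-gre from source-prefix-list GRE_PEERS_V6
set firewall family inet6 filter PROTECT_RE_v6 term accept-gre from next-header gre
set firewall family inet6 filter PROTECT_RE_v6 term accept-gre then count accept-gre
set firewall family inet6 filter PROTECT_RE_v6 term accept-gre then accept
## NOTE(review): MULTICAST_ALL_ROUTERS is IPv4-only (224.0.0.2/32); as with VRRP above, this
## destination match has no IPv6 content. Basic LDP discovery over IPv6 is expected to fall
## through to accept-tldp-discover (which has no destination match) - confirm on the device.
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-discover from destination-prefix-list MULTICAST_ALL_ROUTERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-discover from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-discover from destination-port ldp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-discover then count accept-ldp-discover
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-discover then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-unicast from next-header tcp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-unicast from destination-port ldp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-unicast then count accept-ldp-unicast
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-unicast then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-tldp-discover from next-header udp
set firewall family inet6 filter PROTECT_RE_v6 term accept-tldp-discover from destination-port ldp
set firewall family inet6 filter PROTECT_RE_v6 term accept-tldp-discover then count accept-tldp-discover
set firewall family inet6 filter PROTECT_RE_v6 term accept-tldp-discover then accept
## NOTE(review): IGMP is an IPv4 protocol; its IPv6 counterpart (MLD) rides on ICMPv6 and is
## already covered by accept-icmp6. This term is presumably a verbatim copy of the v4 one.
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-igmp from destination-prefix-list MULTICAST_ALL_ROUTERS
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-igmp from next-header igmp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-igmp then count accept-ldp-igmp
set firewall family inet6 filter PROTECT_RE_v6 term accept-ldp-igmp then accept
set firewall family inet6 filter PROTECT_RE_v6 term accept-rsvp from next-header rsvp
set firewall family inet6 filter PROTECT_RE_v6 term accept-rsvp then count accept-rsvp
set firewall family inet6 filter PROTECT_RE_v6 term accept-rsvp then accept
## Default deny, logged (same rate-limiting caveat as the IPv4 discard term).
set firewall family inet6 filter PROTECT_RE_v6 term discard then count discard
set firewall family inet6 filter PROTECT_RE_v6 term discard then syslog
set firewall family inet6 filter PROTECT_RE_v6 term discard then discard
##
## Policers
##
## ICMPv4_20m is new and mirrors ICMPv6_20m so that both address families get the same
## control-plane ICMP rate limit (20 Mbit/s, 625 KB burst, excess discarded).
##
set firewall policer ICMPv4_20m if-exceeding bandwidth-limit 20m
set firewall policer ICMPv4_20m if-exceeding burst-size-limit 625k
set firewall policer ICMPv4_20m then discard
set firewall policer ICMPv6_20m if-exceeding bandwidth-limit 20m
set firewall policer ICMPv6_20m if-exceeding burst-size-limit 625k
set firewall policer ICMPv6_20m then discard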