## Last commit: 2020-07-16 11:35:55 EDT by arenault
/*
 * Junos SRX chassis-cluster configuration (nodes srx-nichols_rd-A/B) with two
 * ISP uplinks - reth0 ("Fiber") and reth1 ("Cable") - each in its own
 * virtual-router instance, RPM/ip-monitoring failover between them, and the
 * RE's SNMP agent reachable from the untrust zones via destination NAT to lo0,
 * gated by the allow-mgmt-ip-only filter.
 *
 * This is a "show configuration" capture: "..." marks stanzas the capturer
 * elided. In two places (security ike/ipsec, access pool p1) the elision also
 * swallowed braces, so those stanzas are reproduced exactly as captured rather
 * than repaired.
 */
version 18.2R3.4;
/* Per-node values (host-name, fxp0 management address) are chosen at commit
 * time by apply-groups "${node}" below. */
groups {
    node0 {
        system {
            host-name srx-nichols_rd-A;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.110/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx-nichols_rd-B;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.10.111/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    login {
        ...
    }
    root-authentication {
        encrypted-password "..."; ## SECRET-DATA
    }
    host-name ...;
    time-zone America/New_York;
    /* Public resolvers (Google DNS, OpenDNS). */
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /* telnet and xnm-clear-text carry logins / XML-RPC in clear text.
         * telnet is in irb.0's host-inbound list (zone trust below) and port
         * 23 is not in the allow-mgmt-ip-only port list, so it is reachable
         * from any trust-side source. xnm-clear-text is in no interface list
         * shown, but zones trust and self allow "all" at zone level - confirm
         * it is unreachable. ssh + netconf-over-ssh already cover both uses. */
        telnet;
        xnm-clear-text;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group g1 {
                interface irb.0;
            }
            group g2 {
                interface irb.1;
            }
        }
        /* J-Web bound to the internal irb.0 only, on non-default ports. http
         * is clear text; https uses the device's self-generated certificate. */
        web-management {
            http {
                port 2783;
                interface irb.0;
            }
            https {
                port 2784;
                system-generated-certificate;
                interface irb.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* NOTE(review): at severity "error" this file keeps little of the CLI
         * command audit trail (command-echo messages are lower severity);
         * confirm "info" was not the intended level. */
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* Every commit pushes the full configuration - including the SECRET-DATA
     * password hashes - to 192.168.1.4 over FTP, i.e. unencrypted on the
     * irb.0 LAN (192.168.1.0/24). scp:// is the encrypted alternative for
     * archive-sites. */
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                ftp://192.168.1.4/SRX;
            }
        }
    }
    /* Four public NTP servers; no authentication keys are configured. */
    ntp {
        server 72.5.72.15;
        server 184.105.182.7;
        server 209.51.161.238;
        server 159.203.158.197;
    }
}
/* Two-node cluster. RG0 (control plane) and RG1 (data plane) both prefer
 * node 0; RG1 preempts and monitors all eight reth member links with the
 * full weight 255, so per Junos interface-monitor semantics a single monitored
 * link failure on the active node fails RG1 over - confirm intended. */
chassis {
    cluster {
        reth-count 4;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-1/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-1/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-1/0/5 weight 255;
                ge-1/0/6 weight 255;
                ge-0/0/6 weight 255;
            }
        }
    }
}
services {
    /* Reachability probes per uplink: ICMP to Google DNS and OpenDNS, sourced
     * out of each reth via that ISP's gateway. A test fails after 2 successive
     * or 4 total losses out of 5 pings. */
    rpm {
        probe Probe-Fiber {
            test test-GoogleDNS {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 5;
                probe-interval 1;
                test-interval 2;
                thresholds {
                    successive-loss 2;
                    total-loss 4;
                }
                destination-interface reth0.0;
                next-hop 1.2.3.9;
            }
            test test-OpenDNS {
                probe-type icmp-ping;
                target address 208.67.222.222;
                probe-count 5;
                probe-interval 1;
                test-interval 2;
                thresholds {
                    successive-loss 2;
                    total-loss 4;
                }
                destination-interface reth0.0;
                next-hop 1.2.3.9;
            }
        }
        probe Probe-Cable {
            test test-GoogleDNS {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 5;
                probe-interval 1;
                test-interval 2;
                thresholds {
                    successive-loss 2;
                    total-loss 4;
                }
                destination-interface reth1.0;
                next-hop 10.20.30.22;
            }
            test test-OpenDNS {
                probe-type icmp-ping;
                target address 208.67.222.222;
                probe-count 5;
                probe-interval 1;
                /* NOTE(review): 1 here vs 2 in the other three tests - looks
                 * unintended. */
                test-interval 1;
                thresholds {
                    successive-loss 2;
                    total-loss 4;
                }
                destination-interface reth1.0;
                next-hop 10.20.30.22;
            }
        }
    }
    /* Failover: when an uplink's probe fails, a preferred default route is
     * injected into that uplink's routing instance pointing at the OTHER
     * ISP's gateway. */
    ip-monitoring {
        policy Comcast-Fiber-monitor {
            match {
                rpm-probe Probe-Fiber;
            }
            then {
                preferred-route {
                    routing-instances Comcast-Fiber {
                        route 0.0.0.0/0 {
                            /* Cable gateway (matches the Comcast-Cable static
                             * route and Probe-Cable next-hop). */
                            next-hop 10.20.30.22;
                        }
                    }
                }
            }
        }
        policy Comcast-Cable-monitor {
            match {
                rpm-probe Probe-Cable;
            }
            then {
                preferred-route {
                    routing-instances Comcast-Cable {
                        route 0.0.0.0/0 {
                            /* NOTE(review): 1.2.3.10 is reth0.0's OWN address
                             * (see interfaces); the Fiber gateway used by the
                             * Comcast-Fiber static route and by Probe-Fiber is
                             * 1.2.3.9. A next-hop on a local address is unlikely
                             * to resolve, so Cable->Fiber failover probably does
                             * not work as written - confirm and correct. */
                            next-hop 1.2.3.10;
                        }
                    }
                }
            }
        }
    }
}
security {
    /* The ike and ipsec stanzas are elided in this capture and the braces no
     * longer balance (an inner "name {" was swallowed with the "..."); the
     * tokens are reproduced as captured. The VPN itself is outside this
     * review. */
    ike {
        ...
    }
    }
    ipsec {
        ...
    }
    }
    address-book {
        global {
            /* "loopback" is the destination object used by the untrust->self
             * SNMP policies below. */
            address loopback 127.0.0.1/32;
            address BREWSTER-lan 192.168.171.0/24;
            ...
        }
    }
    flow {
        /* Inactive packet-capture debug filter left from troubleshooting the
         * UDP/1610 SNMP path from one external host. Harmless while inactive;
         * activating it writes basic-datapath traces to debug.log. */
        inactive: traceoptions {
            file debug.log;
            flag basic-datapath;
            packet-filter FILTER1 {
                source-prefix 54.196.137.212/32;
                destination-prefix 1.2.3.10/32;
                destination-port 1610;
            }
        }
    }
    /* IDS screen profile (ping-of-death, source-route option, teardrop,
     * SYN-flood thresholds, land). NOTE(review): no security-zone in this
     * capture carries "screen untrust-screen;", so the profile appears to be
     * defined but not applied - confirm. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Outbound: interface-based source NAT for all trust->untrust
         * traffic, one rule-set per uplink. */
        source {
            rule-set trust-to-untrust-Fiber {
                from zone trust;
                to zone untrust-Fiber;
                rule source-nat-rule-Fiber {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-to-untrust-Cable {
                from zone trust;
                to zone untrust-Cable;
                rule source-nat-rule-Cable {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Inbound: UDP/1610 to each uplink's own address is rewritten to
         * 127.0.0.1:161 so external pollers reach the RE's SNMP agent on lo0.
         * Admission is then decided by the untrust->self policies (any source
         * to "loopback", application snmp-161) and finally by the lo0 input
         * filter allow-mgmt-ip-only, which discards snmp from sources outside
         * the mgmt-ip prefix-list. NOTE(review): that filter lists port 16100,
         * not 1610; the path is protected only if the filter sees the post-NAT
         * port 161 ("snmp") - confirm. Other pools/rules are elided. */
        destination {
            pool dnat-loopback-1610 {
                address 127.0.0.1/32 port 161;
            }
            ...
            rule-set dest-nat-Fiber {
                from zone untrust-Fiber;
                ...
                rule rule-snmp-1610-Fiber {
                    match {
                        destination-address 1.2.3.10/32;
                        destination-port {
                            1610;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-loopback-1610;
                            }
                        }
                    }
                }
                ...
            }
            rule-set dest-nat-Cable {
                from zone untrust-Cable;
                ...
                rule rule-snmp-1610-Cable {
                    match {
                        destination-address 10.20.30.21/32;
                        destination-port {
                            1610;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-loopback-1610;
                            }
                        }
                    }
                }
                ...
            }
        }
    }
    policies {
        /* Unrestricted outbound (any/any/any permit) toward each uplink. */
        from-zone trust to-zone untrust-Fiber {
            policy trust-to-untrust-Fiber {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust-Fiber to-zone trust {
            ...
        }
        from-zone trust to-zone vpn {
            ...
        }
        from-zone vpn to-zone trust {
            ...
        }
        from-zone trust to-zone trust {
            ...
        }
        from-zone trust to-zone untrust-Cable {
            policy trust-to-untrust-Cable {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust-Cable to-zone trust {
            ...
        }
        /* Inbound SNMP (after the 1610->161 DNAT) from ANY external source;
         * the only source restriction on this path is the stateless lo0
         * filter allow-mgmt-ip-only. */
        from-zone untrust-Fiber to-zone self {
            policy unt-Fiber-to-self {
                match {
                    source-address any;
                    destination-address loopback;
                    application snmp-161;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust-Cable to-zone self {
            policy unt-Cable-to-self {
                match {
                    source-address any;
                    destination-address loopback;
                    application snmp-161;
                }
                then {
                    permit;
                }
            }
        }
    }
    /* Zone-level "all"/"all" on trust and self: per Junos semantics an
     * interface-level host-inbound-traffic list (irb.0, irb.1, lo0.0 below)
     * replaces the zone list for that interface, so the zone-level "all" only
     * affects interfaces added later without their own list - confirm that is
     * acceptable. */
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* Management (incl. clear-text http and telnet) from the
                 * internal LAN. */
                irb.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
                irb.1 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            interfaces {
                st0.1;
                ...
            }
        }
        /* Uplinks accept ping, ssh, snmp and ike from the Internet; source
         * restriction relies on allow-mgmt-ip-only (ike/500 is not in its
         * port list and is therefore open, as IKE needs to be). */
        security-zone untrust-Fiber {
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            snmp;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone untrust-Cable {
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            snmp;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone self {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            snmp;
                        }
                    }
                }
            }
        }
    }
}
/* ge-x/0/3..6 on both nodes pair into reth0 (Fiber uplink), reth1 (Cable
 * uplink), reth3 (trunk, vlan-10) and reth2 (access, vlan-internal);
 * fab0/fab1 on ge-x/0/2 are the cluster fabric links. */
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-1/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-1/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-1/0/5 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-1/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-1/0/2;
            }
        }
    }
    /* irb.0 = internal LAN (vlan-internal), irb.1 = vlan-10 segment; both
     * are DHCP-served by dhcp-local-server above. */
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address 10.0.20.1/24;
            }
        }
    }
    /* lo0.0 carries the 127.0.0.1 SNMP target and the management ACL; the
     * input filter applies to RE-bound traffic whatever interface it
     * arrived on. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input allow-mgmt-ip-only;
                }
                address 127.0.0.1/32;
            }
        }
    }
    /* Fiber uplink; 1.2.3.9 (the other host in this /30) is its gateway. */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 1.2.3.10/30;
            }
        }
    }
    /* Cable uplink; gateway 10.20.30.22. */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.20.30.21/29;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-internal;
                }
            }
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family ethernet-switching {
                /* NEEDED FOR VLAN ID ENFORCING */
                interface-mode trunk;
                vlan {
                    members vlan-10;
                }
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
        ...
    }
}
snmp {
    ...
}
/* inet.0's default route hands everything to Comcast-Fiber.inet.0, so the
 * Fiber instance (and its ip-monitoring failover route) decides egress. The
 * rib-groups leak interface routes between inet.0 and the two ISP instances. */
routing-options {
    interface-routes {
        rib-group inet inet.0-to-RI;
    }
    static {
        ...
        route 0.0.0.0/0 next-table Comcast-Fiber.inet.0;
    }
    rib-groups {
        inet.0-to-RI {
            import-rib [ inet.0 Comcast-Fiber.inet.0 Comcast-Cable.inet.0 ];
        }
        Fiber-to-Cable {
            import-rib [ Comcast-Fiber.inet.0 Comcast-Cable.inet.0 ];
        }
        Cable-to-Fiber {
            import-rib [ Comcast-Cable.inet.0 Comcast-Fiber.inet.0 ];
        }
    }
}
/* Ethernet switching for reth2/reth3 and the irb units. */
protocols {
    l2-learning {
        global-mode switching;
    }
}
/* mgmt-ip is the allow-list consumed by allow-mgmt-ip-only; its contents are
 * elided here, so the effective management exposure cannot be judged from
 * this capture alone. */
policy-options {
    prefix-list mgmt-ip {
        ...
    }
}
/* Management-plane ACL on lo0.0. "mgmt-ip except" matches sources NOT in the
 * prefix-list. Term 1 discards TCP/UDP to the listed management ports from
 * such sources, term 2 discards their ICMP echo, and the last term accepts
 * everything else - including telnet/23 and xnm-clear-text, which are not in
 * the port list. Discard logging is switched off ("inactive: log"), so
 * blocked management attempts leave no syslog trace. */
firewall {
    filter allow-mgmt-ip-only {
        term block-except-mgmt {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol [ tcp udp ];
                destination-port [ ssh http https snmp 16100 2345 2346 ];
            }
            then {
                inactive: log;
                discard;
            }
        }
        term block-ping {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol icmp;
                icmp-type echo-request;
            }
            then {
                discard;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
}
/* DHCP address pools for dhcp-local-server (elided). NOTE: the capture dropped
 * pool p1's closing brace; tokens are reproduced as captured. */
access {
    address-assignment {
        pool p1 {
            family inet {
                ...
            }
        pool p2 {
            ...
        }
    }
}
/* One virtual-router per ISP, each with its own default route to that ISP's
 * gateway. lo0.0 (the SNMP target) lives in Comcast-Fiber; the Cable side
 * reaches 127.0.0.1 only through the rib-group leak. NOTE(review): each
 * instance applies a rib-group whose FIRST import-rib is the other instance's
 * table (Fiber-to-Cable in Comcast-Cable, Cable-to-Fiber in Comcast-Fiber);
 * confirm the leak direction is the one intended. */
routing-instances {
    Comcast-Cable {
        instance-type virtual-router;
        interface reth1.0;
        routing-options {
            interface-routes {
                rib-group inet Fiber-to-Cable;
            }
            static {
                route 0.0.0.0/0 next-hop 10.20.30.22;
            }
        }
    }
    Comcast-Fiber {
        instance-type virtual-router;
        interface lo0.0;
        interface reth0.0;
        routing-options {
            interface-routes {
                rib-group inet Cable-to-Fiber;
            }
            static {
                route 0.0.0.0/0 next-hop 1.2.3.9;
            }
        }
    }
}
/* Custom application for the untrust->self policies: SNMP on its standard
 * port, i.e. the post-DNAT port. */
applications {
    application snmp-161 {
        protocol udp;
        destination-port 161;
    }
}
vlans {
    vlan-10 {
        vlan-id 10;
        l3-interface irb.1;
    }
    vlan-internal {
        vlan-id 3;
        l3-interface irb.0;
    }
}