root@SRX550-TMT> show configuration | no-more ## Last commit: 2015-05-13 05:41:53 WIT by root version 12.1X47-D20.7; system { host-name SRX550-TMT; auto-snapshot; root-authentication { encrypted-password "$1$n.GU2.Wl$NIftx.O0.JgYGsfHNA2fm0"; ## SECRET-DATA } name-server { 208.67.222.222; 208.67.220.220; } scripts { op { file "PKCS#7.p7b"; } } services { ftp; ssh; telnet; xnm-clear-text; web-management { http; https { system-generated-certificate; } } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } file idp-attack-event.log { user info; match IDP_ATTACK_LOG_EVENT; archive size 1000k world-readable; structured-data; } file policy_session { user info; match RT_FLOW; archive size 1000k world-readable; structured-data; } file accepte-traffic { any any; match RT_FLOW_SESSION_CREATE; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { ge-0/0/0 { unit 0 { family inet { address 192.168.254.220/24; } } } ge-0/0/1 { unit 0 { family inet { address 10.1.99.65/24; } } } ge-0/0/2 { unit 0; } ge-0/0/3 { unit 0; } ge-0/0/4 { unit 0; } ge-0/0/5 { unit 0; } } routing-options { static { route 0.0.0.0/0 next-hop 192.168.254.2; route 10.0.0.0/8 next-hop 10.1.99.2; } } protocols { stp; } security { log { mode event; } pki { ca-profile profile-ca1 { ca-identity profile-ca1; } } idp { idp-policy test-idp { rulebase-ips { inactive: rule rule3 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attacks FTP:USER:ROOT; } } then { action { drop-packet; } notification { log-attacks; } } } inactive: rule test2 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attacks [ ICMP:INFO:ECHO-REPLY ICMP:INFO:ECHO-REQUEST ]; } } then { action { drop-packet; } notification { log-attacks; } severity critical; } } rule test1 { match { from-zone any; source-address any; to-zone any; destination-address any; application any; } then { action { no-action; } notification { log-attacks; } } } } } active-policy test-idp; security-package { url https://services.netscreen.com/cgi-bin/index.cgi; } } address-book { global { address ssl-inspect-exempt { dns-name www.juniper.net; } } } application-firewall { traceoptions { file AppSec; flag all; } rule-sets tess-appFW2 { rule test-facebook { match { dynamic-application junos:FACEBOOK-CHAT; } then { deny; } } default-rule { permit; } } rule-sets test-appFW { rule test-fb { match { dynamic-application [ junos:FACEBOOK-CHAT junos:YOUTUBE-HD ]; } then { deny; } } default-rule { permit; } } rule-sets Black-List { rule web { match { dynamic-application [ junos:STREAMATE junos:STREAMAUDIO junos:YOUTUBE-HD junos:YOUTUBE-COMMENT ]; dynamic-application-group junos:web:multimedia:video-streaming; } then { deny; } } default-rule { permit; } } } application-tracking { first-update; session-update-interval 5; } utm { feature-profile { web-filtering { type juniper-enhanced; juniper-enhanced { cache { timeout 1800; size 500; } server { host rp.cloud.threatseeker.com; port 80; } profile junos-wf-enhanced-default { site-reputation-action { very-safe log-and-permit; moderately-safe log-and-permit; fairly-safe log-and-permit; suspicious block; harmful block; } default block; custom-block-message "****ACCESS DENIED****"; fallback-settings { server-connectivity block; timeout block; too-many-requests block; } timeout 10; no-safe-search; } } } } utm-policy testing-utm { anti-virus { http-profile junos-av-defaults; ftp { upload-profile junos-av-defaults; download-profile junos-av-defaults; } smtp-profile junos-av-defaults; pop3-profile junos-av-defaults; imap-profile junos-av-defaults; } web-filtering { http-profile junos-wf-enhanced-default; } anti-spam { smtp-profile junos-as-defaults; } traffic-options { sessions-per-client { over-limit log-and-permit; } } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule src-nat { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } inactive: static { rule-set Test-NAT { from interface ge-0/0/0.0; rule rule1 { match { destination-address 192.168.254.220/32; } then { static-nat { prefix { 10.11.4.248/32; } } } } } } } policies { from-zone trust to-zone untrust { policy test-youtube { match { source-address any; destination-address any; application any; } then { permit { application-services { application-firewall { rule-set Black-List; } } } log { session-init; session-close; } } } policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit { application-services { idp; utm-policy testing-utm; } } log { session-init; session-close; } } } policy test-blocked-appfw { match { source-address any; destination-address any; application any; } then { permit { application-services { ssl-proxy { profile-name ssl-inspect-profile; } application-firewall { rule-set test-appFW; } } } } } } from-zone untrust to-zone trust { policy untrust-to-trust { match { source-address any; destination-address any; application any; } then { permit { application-services { idp; utm-policy testing-utm; } } log { session-init; session-close; } } } policy blocked-by-appfw { match { source-address any; destination-address any; application any; } then { permit { application-services { ssl-proxy { profile-name ssl-inspect-profile; } application-firewall { rule-set test-appFW; } } } log { session-init; session-close; } } } } } zones { security-zone trust { inactive: address-book { address Test-PC 10.11.4.248/32; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } application-tracking; } security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } } } services { application-identification { no-application-identification; } ssl { proxy { profile ssl-inspect-profile { trusted-ca all; root-ca ssl-inspect-ca; whitelist ssl-inspect-exempt; actions { ignore-server-auth-failure; } } } } }