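/* Junos SRX security stanza, reformatted from a single-line dump.
   Statements are unchanged except where an annotation says otherwise
   (outside-zone host-inbound-traffic tightened; a redundant service list
   collapsed). Policy order within a zone pair is evaluation order. */
security {
    idp {
        /* Weekly signature-package download. Nothing in this stanza enables
           IDP inspection (no "application-services { idp; }" in any policy),
           so the packages are downloaded but unused here -- TODO confirm
           whether an idp-policy is applied elsewhere in the configuration. */
        security-package {
            automatic {
                start-time "2013-7-14.03:00:00 +0100";
                interval 168;
                enable;
            }
        }
    }
    /* Every ALG is disabled. With interface source NAT below, dynamic-port
       protocols (FTP data channel, SIP/H.323 media, RPC) are not pinholed;
       presumably deliberate, but the FTP ALG is normally needed for the FTP
       content-filtering / anti-virus profiles referenced further down --
       TODO confirm the intent before relying on those profiles. */
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    application-firewall {
        /* rs1: deny traffic that application identification cannot classify,
           permit every identified application. */
        rule-sets rs1 {
            rule r1 {
                match {
                    dynamic-application junos:UNKNOWN;
                }
                then {
                    deny;
                }
            }
            default-rule {
                permit;
            }
        }
        /* rs2 is the inverse of rs1: only unclassified (junos:UNKNOWN)
           traffic is permitted and every identified application is denied.
           It is attached to the "application any" policies from the outside
           zone below; check that this allow-list direction is intended. */
        rule-sets rs2 {
            rule r1 {
                match {
                    dynamic-application junos:UNKNOWN;
                }
                then {
                    permit;
                }
            }
            default-rule {
                deny;
            }
        }
    }
    utm {
        custom-objects {
            mime-pattern {
                video {
                    value video/;
                }
                windows-media {
                    value video/x-ms-wmv;
                }
            }
            filename-extension {
                some-images {
                    value [ tif twf tiff svg ai bmp drw dwg eps jpg png ];
                }
            }
            url-pattern {
                URL-BLOQUEE {
                    value http://www.youtube.com;
                }
                SPAM_address {
                    value [ www.gmail.com www.yahoo.fr ];
                }
                URL-AUTORISEE {
                    value http://www.juniper.com;
                }
            }
            /* Only bad-sites is referenced (web-filtering url-blacklist);
               good-sites is not used by anything in this stanza. */
            custom-url-category {
                good-sites {
                    value URL-AUTORISEE;
                }
                bad-sites {
                    value URL-BLOQUEE;
                }
            }
            protocol-command {
                no-modify-content {
                    value [ PUT DELE MKD RMD EXE MIME ];
                }
            }
        }
        feature-profile {
            anti-virus {
                mime-whitelist {
                    list video;
                    exception windows-media;
                }
                /* The active engine is kaspersky-lab-engine, yet profile
                   SOPHOS_AV below is referenced by utm-policies Sophos-AV-Only
                   and ANTI_SPAM. Only one engine type is active at a time, so
                   those references are presumably inert or rejected at commit
                   -- TODO confirm which engine is licensed and intended. */
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    profile KS_AV {
                        /* Only corrupt-file is blocked; every other fallback
                           condition (password-protected or oversized files,
                           engine down, timeout) is logged and let through. */
                        fallback-options {
                            corrupt-file block;
                            password-file log-and-permit;
                            decompress-layer log-and-permit;
                            content-size log-and-permit;
                            engine-not-ready log-and-permit;
                            timeout log-and-permit;
                            out-of-resources log-and-permit;
                            too-many-requests log-and-permit;
                        }
                        scan-options {
                            intelligent-prescreening;
                            scan-mode all;
                            content-size-limit 10000;
                            decompress-layer-limit 2;
                        }
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message-subject "VIRUS WARNING";
                            }
                            fallback-block {
                                type message;
                                notify-mail-sender;
                                custom-message-subject "VIRUS WARNING";
                            }
                            fallback-non-block {
                                notify-mail-recipient;
                            }
                        }
                    }
                }
                sophos-engine {
                    pattern-update {
                        email-notify {
                            admin-email "m.marzougi@techprotn.com";
                            custom-message "Alerte de sécurité";
                            custom-message-subject "Alerte de sécurité de l\'antiviurs du firewall SRX240";
                        }
                    }
                    profile SOPHOS_AV {
                        fallback-options {
                            content-size block;
                            engine-not-ready log-and-permit;
                            timeout log-and-permit;
                            out-of-resources block;
                            too-many-requests block;
                        }
                        scan-options {
                            content-size-limit 10000;
                        }
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message-subject "VIRUS WARNING";
                            }
                            fallback-block {
                                type message;
                                notify-mail-sender;
                                custom-message-subject "VIRUS WARNING";
                            }
                        }
                    }
                }
            }
            web-filtering {
                url-blacklist bad-sites;
                type juniper-local;
                juniper-local {
                    profile LOCAL {
                        default permit;
                        custom-block-message "blocked by IT";
                    }
                }
            }
            anti-spam {
                address-blacklist SPAM_address;
                sbl {
                    profile SPAM {
                        sbl-default-server;
                        spam-action block;
                        custom-tag-string ***SPAM***;
                    }
                }
            }
            content-filtering {
                profile ftp-no-modify-content {
                    block-command no-modify-content;
                    notification-options {
                        type protocol-only;
                    }
                }
                profile no-images {
                    block-extension some-images;
                }
                profile no-activex {
                    block-content-type {
                        activex;
                        java-applet;
                        http-cookie;
                    }
                }
            }
        }
        /* Of the five utm-policies, only WTM-WF-LOCAL and Sophos-AV-Only are
           referenced by a security policy in this stanza; CF-ftp,
           HTTP-no-activex and ANTI_SPAM are currently unused. */
        utm-policy WTM-WF-LOCAL {
            anti-virus {
                http-profile KS_AV;
                smtp-profile KS_AV;
                pop3-profile KS_AV;
            }
            content-filtering {
                ftp {
                    upload-profile ftp-no-modify-content;
                    download-profile ftp-no-modify-content;
                }
            }
            web-filtering {
                http-profile LOCAL;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
            traffic-options {
                sessions-per-client {
                    over-limit block;
                }
            }
        }
        utm-policy CF-ftp {
            content-filtering {
                ftp {
                    upload-profile no-images;
                    download-profile no-images;
                }
            }
        }
        utm-policy HTTP-no-activex {
            content-filtering {
                http-profile no-activex;
            }
        }
        utm-policy Sophos-AV-Only {
            anti-virus {
                http-profile SOPHOS_AV;
            }
            web-filtering {
                http-profile LOCAL;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
        }
        utm-policy ANTI_SPAM {
            anti-virus {
                http-profile SOPHOS_AV;
                ftp {
                    upload-profile SOPHOS_AV;
                    download-profile SOPHOS_AV;
                }
                smtp-profile SOPHOS_AV;
                pop3-profile SOPHOS_AV;
                imap-profile SOPHOS_AV;
            }
            content-filtering {
                http-profile no-activex;
                ftp {
                    download-profile ftp-no-modify-content;
                }
                smtp-profile ftp-no-modify-content;
                pop3-profile ftp-no-modify-content;
                imap-profile ftp-no-modify-content;
            }
            web-filtering {
                http-profile LOCAL;
            }
            anti-spam {
                smtp-profile SPAM;
            }
            traffic-options {
                sessions-per-client {
                    over-limit block;
                }
            }
        }
    }
    screen {
        /* Applied to the outside zone only (see zones below). */
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 5000;
                fragment;
                large;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                port-scan threshold 5000;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
                winnuke;
            }
            limit-session {
                source-ip-based 200;
            }
        }
    }
    nat {
        /* Interface (hide) NAT for both internal zones towards outside.
           No destination NAT is defined in this stanza. */
        source {
            rule-set inside-to-outside {
                from zone inside;
                to zone outside;
                rule inside-to-out {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set administration-to-outside {
                from zone administration;
                to zone outside;
                rule administration-to-out {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone inside to-zone outside {
            /* Evaluated first: no FTP/SSH from inside to the external FTP host. */
            policy FTP-SRV {
                match {
                    source-address any;
                    destination-address FTP;
                    application [ junos-ftp junos-ssh ];
                }
                then {
                    deny;
                }
            }
            policy inside-outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy WTM-WF-LOCAL;
                        }
                    }
                }
            }
            /* Shadowed: inside-outside above already matches any/any/any, so
               this policy is never evaluated and Sophos-AV-Only is not applied
               to inside traffic. Reorder or remove it. */
            policy Internet_access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy Sophos-AV-Only;
                        }
                    }
                }
            }
        }
        /* Unsolicited traffic from the outside zone into both internal zones
           is permitted, gated only by the application-firewall rule-sets
           (rs1 for HTTP, rs2 for everything else). With interface source NAT
           and no destination NAT visible here, inbound sessions to the
           internal prefixes are presumably unreachable from the outside, but
           the policies themselves are permissive -- TODO confirm they are
           intended (e.g. for a destination NAT configured elsewhere). */
        from-zone outside to-zone inside {
            policy policy1 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rs1;
                            }
                        }
                    }
                }
            }
            policy policy2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rs2;
                            }
                        }
                    }
                }
            }
        }
        from-zone administration to-zone outside {
            policy administration-outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Shadowed by administration-outside above (any/any/any permit
               with no UTM), so administration hosts get no anti-virus or web
               filtering. Move this policy first if that is the intent. */
            policy Internet_access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy Sophos-AV-Only;
                        }
                    }
                }
            }
        }
        from-zone outside to-zone administration {
            policy policy1 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rs1;
                            }
                        }
                    }
                }
            }
            policy policy2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rs2;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone inside {
            /* etudiant and wifi are defined but not referenced by any policy
               in this stanza (policies use source-address any). */
            address-book {
                address etudiant 172.17.11.0/24;
                address wifi 172.17.60.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* "all" already includes ssh and ftp; the explicit entries
                   were redundant and have been dropped (no behaviour change). */
                ge-0/0/15.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                ge-0/0/13.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone outside {
            address-book {
                address FTP 88.88.88.88/32;
            }
            screen untrust-screen;
            /* Was "system-services { all; } protocols { all; }", which exposes
               the management plane (ssh, http/https, telnet, ...) and every
               routing protocol on the untrusted interface. Reduced to ping;
               re-add only what the outside link genuinely needs (for example
               ike or dhcp) -- TODO confirm against the WAN requirements. */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/10.0;
            }
        }
        security-zone administration {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/14.0;
            }
        }
    }
}
services {
    /* Required for the dynamic-application matches in application-firewall. */
    application-identification;
}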