## Last changed: 2011-08-25 04:18:08 CEST
version 10.4R6.5;
/*
 * Junos SRX chassis-cluster firewall (two nodes: node0 = firewall-master,
 * node1 = firewall-slave). Stanzas: node-specific groups, system, chassis
 * cluster, interfaces (one reth with three VLAN units: 1 = internal/trust,
 * 2 = DSL-Internet/untrust, 3 = DMZ), routing, security (IKE/IPsec, NAT,
 * screens, zones, policies, flow, UTM, dynamic VPN), access profiles and
 * custom application definitions.
 *
 * NOTE(review): 10.4R6.5 is a 2011-era release; confirm the platform still
 * receives fixes before relying on the IDP/UTM features referenced below.
 * Secrets in this file (root hash, IKE pre-shared keys, firewall-user
 * password) mean the file itself must be handled as sensitive.
 */
groups {
    /* Per-node host name and out-of-band (fxp0) address, selected by apply-groups "${node}". */
    node0 {
        system { host-name firewall-master; }
        interfaces { fxp0 { unit 0 { family inet { address 192.168.250.250/24; } } } }
    }
    node1 {
        system { host-name firewall-slave; }
        interfaces { fxp0 { unit 0 { family inet { address 192.168.250.251/24; } } } }
    }
}
apply-groups "${node}";
system {
    time-zone Europe/Berlin;
    root-authentication {
        /* The "$1$" prefix marks an MD5-based crypt hash. NOTE(review): re-set the
         * root password so a stronger hash format is stored (available formats
         * depend on the Junos release - TODO confirm). */
        encrypted-password "$1$IFcEBhDy$jgy4EVS5GHA6dGPQegKUD0";
    }
    name-server { 8.8.8.8; 8.8.4.4; }
    services {
        ssh;
        web-management {
            management-url jweb;
            https {
                /* Self-signed certificate: clients cannot tell this box from an impersonator unless they pin it. */
                system-generated-certificate;
                /* J-Web is bound to reth0.2, the "DSL/Internet Verbindung" unit that sits in
                 * zone untrust (whose host-inbound-traffic also admits https and ssh), so the
                 * management UI is reachable from the Internet. NOTE(review): limit to
                 * fxp0.0/reth0.1 or add a source-address restriction. */
                interface [ fxp0.0 reth0.2 reth0.1 ];
            }
        }
    }
    syslog {
        /* Local-only logging: three archived 100k files, general messages at
         * critical, authorization events at info. No remote syslog host is
         * configured in this file, so logs do not survive a node failure or
         * compromise; a remote collector is the usual mitigation. */
        archive size 100k files 3;
        user * { any emergency; }
        file messages { any critical; authorization info; }
        file interactive-commands { interactive-commands error; }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } }
    /* Four external NTP servers; no NTP authentication keys are configured here. */
    ntp { server 129.70.132.35; server 31.19.179.253; server 85.31.187.67; server 46.4.54.78; }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 1;
        /* node0 is preferred (priority 254 vs 1) in both redundancy groups; only RG1 preempts. */
        redundancy-group 0 { node 0 priority 254; node 1 priority 1; }
        redundancy-group 1 { node 0 priority 254; node 1 priority 1; preempt; }
    }
}
interfaces {
    /* ge-0/0/x are node0 ports, ge-2/0/x node1 ports; all four are members of reth0. Unused fe ports are disabled. */
    ge-0/0/0 { gigether-options { redundant-parent reth0; } }
    ge-0/0/1 { gigether-options { redundant-parent reth0; } }
    fe-0/0/2 { disable; }
    fe-0/0/3 { disable; }
    ge-2/0/0 { gigether-options { redundant-parent reth0; } }
    ge-2/0/1 { gigether-options { redundant-parent reth0; } }
    fe-2/0/2 { disable; }
    fe-2/0/3 { disable; }
    /* Fabric (data) links between the two cluster nodes. */
    fab0 { fabric-options { member-interfaces { fe-0/0/4; fe-0/0/5; } } }
    fab1 { fabric-options { member-interfaces { fe-2/0/4; fe-2/0/5; } } }
    /* Shared management address that is only active on the primary node. */
    fxp0 { unit 0 { family inet { address 192.168.250.252/24 { master-only; } } } }
    reth0 {
        vlan-tagging;
        redundant-ether-options { redundancy-group 1; lacp { active; } }
        /* VLAN 1: internal network (zone trust). */
        unit 1 {
            description "Internes Netzwerk";
            vlan-id 1;
            family inet {
                address 192.168.0.1/24 { primary; preferred; }
                address 172.18.0.1/24;
                /* Inactive: not applied to the running configuration. */
                inactive: address 192.168.0.254/24 { primary; preferred; }
            }
        }
        /* VLAN 2: Internet uplink (zone untrust). The additional /29 and /28 addresses
         * are the public addresses consumed by the source/destination NAT pools below. */
        unit 2 {
            description "DSL/Internet Verbindung";
            vlan-id 2;
            family inet {
                address 62.96.131.138/29 { primary; preferred; }
                address 62.96.131.139/29;
                address 62.96.131.140/29;
                address 62.96.131.142/29;
                address 62.96.12.161/28;
                address 62.96.12.166/28;
                address 62.96.12.167/28;
                address 62.96.12.168/28;
                address 62.96.12.169/28;
                address 62.96.12.170/28;
                address 62.96.12.171/28;
                address 62.96.12.172/28;
                address 213.61.224.226/28;
                address 213.61.224.227/28;
                address 213.61.224.228/28;
                address 213.61.224.229/28;
                address 213.61.224.230/28;
                address 213.61.224.231/28;
            }
        }
        /* VLAN 3: DMZ (zone dmz). */
        unit 3 {
            description "dmz Netzwerk";
            vlan-id 3;
            family inet { address 172.16.131.1/24 { preferred; } }
        }
    }
}
/* Single default route towards the provider gateway in the 62.96.131.136/29 uplink net. */
routing-options { static { route 0.0.0.0/0 next-hop 62.96.131.137; } }
protocols { rstp; }
security {
    ike {
        /* Full IKE debug tracing to file DEBUG_ipsec is permanently enabled (ipsec
         * below likewise). This is a troubleshooting setting that costs CPU and
         * disk; NOTE(review): deactivate traceoptions when not debugging. */
        traceoptions { file DEBUG_ipsec; flag all; }
        respond-bad-spi;
        /* Site-to-site phase-1 proposals negotiated with external peers (IBB, KBB, ZF):
         * 3DES-CBC, SHA-1 and DH group 2/5 are legacy choices; any change has to be
         * coordinated with the remote side. */
        proposal proposal_ibb { description "IBB VPN"; authentication-method pre-shared-keys; dh-group group5; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 86400; }
        proposal proposal_kbb { description "KBB VPN"; authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 28800; }
        proposal proposal_zf { description "ZF VPN"; authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 86400; }
        /* Road-warrior (Shrew Soft client) proposal: AES-256 with SHA-1/group5 and a 180 s phase-1 lifetime. */
        proposal proposal_dynamic_vpn_shrew { authentication-method pre-shared-keys; dh-group group5; authentication-algorithm sha1; encryption-algorithm aes-256-cbc; lifetime-seconds 180; }
        /* Pre-shared keys: the "$9$..." form is Junos reversible obfuscation, not a hash,
         * so the key is recoverable from this file. The literal "x" values read as
         * placeholders; if they are the live keys they must be replaced. */
        policy ike_ibb { mode main; description "IBB VPN"; proposals proposal_ibb; pre-shared-key ascii-text "$9$RlHcSevWL-bsGDHmPQ9CtuO1SrvWL7VYik1R"; }
        policy ike_kbb { mode main; description "KBB VPN"; proposals proposal_kbb; pre-shared-key ascii-text "x"; }
        policy ike_zf { mode main; description "ZF VPN"; proposals proposal_zf; pre-shared-key ascii-text "x"; }
        /* The dynamic (remote-access) policies combine aggressive mode with a shared IKE id
         * and a pre-shared key, the weakest IKEv1 arrangement; prefer main mode or
         * certificate authentication where the clients support it. */
        policy ike_dynamic_vpn { mode aggressive; proposal-set standard; pre-shared-key ascii-text "x"; }
        policy ike_dynamic_vpn_shrew { mode aggressive; proposals proposal_dynamic_vpn_shrew; pre-shared-key ascii-text "x"; }
        /* All gateways terminate on reth0.2 (untrust). Site-to-site peers use DPD; the
         * dynamic gateways cap concurrent connections at 50 and require XAuth against
         * access profile profile_access_intern. */
        gateway gw_ibb { ike-policy ike_ibb; address 213.61.227.171; dead-peer-detection; external-interface reth0.2; }
        gateway gw_kbb { ike-policy ike_kbb; address 62.206.115.141; dead-peer-detection; external-interface reth0.2; }
        gateway gw_zf { ike-policy ike_zf; address 217.24.192.212; dead-peer-detection; external-interface reth0.2; }
        gateway gw_dynamic_vpn { ike-policy ike_dynamic_vpn; dynamic { hostname dynamic_vpn; connections-limit 50; ike-user-type shared-ike-id; } external-interface reth0.2; xauth access-profile profile_access_intern; }
        gateway gw_dynamic_vpn_shrew { ike-policy ike_dynamic_vpn_shrew; dynamic { hostname dynamic_vpn_shrew; connections-limit 50; ike-user-type shared-ike-id; } external-interface reth0.2; xauth access-profile profile_access_intern; }
    }
    ipsec {
        /* Full IPsec debug tracing, see the IKE traceoptions note above. */
        traceoptions { flag all; }
        /* Phase-2 proposals: ESP with HMAC-SHA1-96; 3DES for the site-to-site peers, AES-256 for the Shrew client. */
        proposal proposal_ibb { description "IBB VPN"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; }
        proposal proposal_kbb { description "KBB VPN"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 28800; }
        proposal proposal_zf { description "ZF VPN"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; }
        proposal proposal_dynamic_vpn_shrew { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-256-cbc; lifetime-seconds 86400; }
        policy ipsec_ibb { description "IBB VPN"; proposals proposal_ibb; }
        policy ipsec_kbb { description "KBB VPN"; proposals proposal_kbb; }
        policy ipsec_zf { description "VPN ZF"; proposals proposal_zf; }
        /* ipsec_dynamic_vpn relies on proposal-set standard without PFS; only the Shrew policy enables PFS (group5). */
        policy ipsec_dynamic_vpn { proposal-set standard; }
        policy ipsec_dynamic_vpn_shrew { perfect-forward-secrecy { keys group5; } proposals proposal_dynamic_vpn_shrew; }
        vpn vpn_ibb { ike { gateway gw_ibb; ipsec-policy ipsec_ibb; } establish-tunnels on-traffic; }
        vpn vpn_kbb { ike { gateway gw_kbb; ipsec-policy ipsec_kbb; } establish-tunnels on-traffic; }
        /* vpn_zf carries only 192.168.0.0/24 <-> 149.238.10.0/24; DMZ hosts that need the ZF network are
         * source-NATed into 192.168.0.0/24 first (see srcpool_trust-ip-zf_intern_* below). NOTE(review):
         * no dmz-to-untrust policy references this tunnel - TODO confirm how DMZ-originated traffic to
         * 149.238.10.0/24 is meant to enter it. */
        vpn vpn_zf { ike { gateway gw_zf; proxy-identity { local 192.168.0.0/24; remote 149.238.10.0/24; } ipsec-policy ipsec_zf; } establish-tunnels on-traffic; }
        vpn vpn_dynamic_vpn { ike { gateway gw_dynamic_vpn; ipsec-policy ipsec_dynamic_vpn; } }
        vpn vpn_dynamic_vpn_shrew { ike { gateway gw_dynamic_vpn_shrew; ipsec-policy ipsec_dynamic_vpn_shrew; } }
    }
    nat {
        source {
            /* One public address per DMZ server (srcpool_dsl-ip-*) and three trust-side
             * addresses (srcpool_trust-ip-zf_intern_*) used towards the ZF VPN. */
            pool srcpool_dsl-ip-confluence { address { 62.96.12.170/32; } }
            pool srcpool_dsl-ip-confluence2 { address { 62.96.12.171/32; } }
            pool srcpool_dsl-ip-firstspirit { address { 62.96.131.139/32; } }
            pool srcpool_dsl-ip-ibb { address { 62.96.131.142/32; } }
            pool srcpool_dsl-ip-kbb_web { address { 213.61.224.226/32; } }
            pool srcpool_dsl-ip-fs4r4 { address { 213.61.224.231/32; } }
            pool srcpool_dsl-ip-nord_cms { address { 62.96.12.172/32; } }
            pool srcpool_dsl-ip-nord_web { address { 62.96.12.168/32; } }
            pool srcpool_dsl-ip-svn { address { 62.96.131.140/32; } }
            pool srcpool_dsl-ip-swp_cms { address { 213.61.224.227/32; } }
            pool srcpool_dsl-ip-swp_web { address { 213.61.224.228/32; } }
            pool srcpool_dsl-ip-watt { address { 62.96.12.167/32; } }
            pool srcpool_dsl-ip-win_web { address { 62.96.12.161/32; } }
            pool srcpool_dsl-ip-zf_cms { address { 213.61.224.229/32; } }
            pool srcpool_dsl-ip-zf_web { address { 213.61.224.230/32; } }
            pool srcpool_dsl-ip-zf_webdav { address { 62.96.12.166/32; } }
            pool srcpool_trust-ip-zf_intern_1 { address { 192.168.0.39/32; } }
            pool srcpool_trust-ip-zf_intern_2 { address { 192.168.0.42/32; } }
            pool srcpool_trust-ip-zf_intern_3 { address { 192.168.0.43/32; } }
            /* Internal network hides behind the egress interface address. */
            rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } }
            /* DMZ servers egress with their dedicated public address; the three *-to-trust
             * rules translate into 192.168.0.0/24 for destinations in the ZF network; the
             * final 0.0.0.0/0 rule is the interface-NAT catch-all and must stay last. */
            rule-set dmz-to-untrust {
                from zone dmz;
                to zone untrust;
                rule r_net_dmz-confluence-to-untrust { match { source-address 172.16.131.170/32; } then { source-nat { pool { srcpool_dsl-ip-confluence; } } } }
                rule r_net_dmz-ibb-to-untrust { match { source-address 172.16.131.142/32; } then { source-nat { pool { srcpool_dsl-ip-ibb; } } } }
                rule r_net_dmz-kbb_web-to-untrust { match { source-address 172.16.131.226/32; } then { source-nat { pool { srcpool_dsl-ip-kbb_web; } } } }
                rule r_net_dmz-fs4r4-to-untrust { match { source-address 172.16.131.231/32; } then { source-nat { pool { srcpool_dsl-ip-fs4r4; } } } }
                rule r_net_dmz-nord_cms-to-untrust { match { source-address 172.16.131.172/32; } then { source-nat { pool { srcpool_dsl-ip-nord_cms; } } } }
                rule r_net_dmz-nord_web-to-untrust { match { source-address 172.16.131.168/32; } then { source-nat { pool { srcpool_dsl-ip-nord_web; } } } }
                rule r_net_dmz-svn-to-untrust { match { source-address 172.16.131.140/32; } then { source-nat { pool { srcpool_dsl-ip-svn; } } } }
                rule r_net_dmz-swp_cms-to-untrust { match { source-address 172.16.131.227/32; } then { source-nat { pool { srcpool_dsl-ip-swp_cms; } } } }
                rule r_net_dmz-swp_web-to-untrust { match { source-address 172.16.131.228/32; } then { source-nat { pool { srcpool_dsl-ip-swp_web; } } } }
                rule r_net_dmz-watt-to-untrust { match { source-address 172.16.131.167/32; } then { source-nat { pool { srcpool_dsl-ip-watt; } } } }
                rule r_net_dmz-win_web-to-untrust { match { source-address 172.16.131.161/32; } then { source-nat { pool { srcpool_dsl-ip-win_web; } } } }
                /* NOTE(review): outbound .163 -> 213.61.224.229, but inbound 213.61.224.229 -> .229
                 * (dstpool_srv-zf_cms). Likewise .164 -> 213.61.224.230 here versus 213.61.224.230 -> .230
                 * in dstpool_srv-zf_web. Asymmetric; looks like a half-finished migration - TODO confirm. */
                rule r_net_dmz-zf_cms-to-untrust { match { source-address 172.16.131.163/32; } then { source-nat { pool { srcpool_dsl-ip-zf_cms; } } } }
                rule r_net_dmz-zf_web-to-untrust { match { source-address 172.16.131.164/32; } then { source-nat { pool { srcpool_dsl-ip-zf_web; } } } }
                rule r_net_dmz-zf_webdav-to-untrust { match { source-address 172.16.131.166/32; } then { source-nat { pool { srcpool_dsl-ip-zf_webdav; } } } }
                rule r_net_dmz-confl2-to-untrust { match { source-address 172.16.131.171/32; } then { source-nat { pool { srcpool_dsl-ip-confluence2; } } } }
                rule r_net_dmz-firstspir-to-untrust { match { source-address 172.16.131.139/32; } then { source-nat { pool { srcpool_dsl-ip-firstspirit; } } } }
                rule r_net_dmz-zf_web_neu-to-trust { match { source-address 172.16.131.230/32; destination-address 149.238.10.0/24; } then { source-nat { pool { srcpool_trust-ip-zf_intern_1; } } } }
                rule r_net_dmz-zf_sec_ip-to-trust { match { source-address 172.16.131.64/32; destination-address 149.238.10.0/24; } then { source-nat { pool { srcpool_trust-ip-zf_intern_3; } } } }
                rule r_net_dmz-zf_winsec_ip-to-trust { match { source-address 172.16.131.41/32; destination-address 149.238.10.0/24; } then { source-nat { pool { srcpool_trust-ip-zf_intern_2; } } } }
                rule r_net_dmz-to-untrust { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } }
            }
        }
        destination {
            /* Public -> DMZ mappings. dstpool_srv-zf_web and dstpool_srv-zf_web_neu both point at
             * 172.16.131.230 (duplicate). dstpool_srv-win_web targets .161, which the dmz
             * address book names srv-kbb_cms. */
            pool dstpool_srv-confluence { address 172.16.131.170/32; }
            pool dstpool_srv-confluence2 { address 172.16.131.171/32; }
            pool dstpool_srv-firstspirit { address 172.16.131.139/32; }
            pool dstpool_srv-ibb { address 172.16.131.142/32; }
            pool dstpool_srv-kbb_web { address 172.16.131.226/32; }
            pool dstpool_srv-fs4r4 { address 172.16.131.231/32; }
            pool dstpool_srv-nord_cms { address 172.16.131.172/32; }
            pool dstpool_srv-nord_web { address 172.16.131.168/32; }
            pool dstpool_srv-svn { address 172.16.131.140/32; }
            pool dstpool_srv-swp_cms { address 172.16.131.227/32; }
            pool dstpool_srv-swp_web { address 172.16.131.228/32; }
            pool dstpool_srv-watt { address 172.16.131.167/32; }
            pool dstpool_srv-win_web { address 172.16.131.161/32; }
            pool dstpool_srv-zf_cms { address 172.16.131.229/32; }
            pool dstpool_srv-zf_web { address 172.16.131.230/32; }
            pool dstpool_srv-zf_webdav { address 172.16.131.166/32; }
            pool dstpool_srv-zf_web_neu { address 172.16.131.230/32; }
            pool dstpool_srv-zf_second_ip { address 172.16.131.64/32; }
            pool dstpool_srv-zf_win_second_ip { address 172.16.131.41/32; }
            /* Applies to traffic arriving from trust as well as untrust (hairpin access to
             * the public addresses from inside). Only the three ZF rules also match on
             * source, everything else is destination-only. */
            rule-set rs_zone_trust_untrust {
                from zone [ trust untrust ];
                rule r_srv-confluence { match { destination-address 62.96.12.170/32; } then { destination-nat pool dstpool_srv-confluence; } }
                rule r_srv-confluence2 { match { destination-address 62.96.12.171/32; } then { destination-nat pool dstpool_srv-confluence2; } }
                rule r_srv-firstspirit { match { destination-address 62.96.131.139/32; } then { destination-nat pool dstpool_srv-firstspirit; } }
                rule r_srv-ibb { match { destination-address 62.96.131.142/32; } then { destination-nat pool dstpool_srv-ibb; } }
                rule r_srv-kbb_web { match { destination-address 213.61.224.226/32; } then { destination-nat pool dstpool_srv-kbb_web; } }
                rule r_srv-fs4r4 { match { destination-address 213.61.224.231/32; } then { destination-nat pool dstpool_srv-fs4r4; } }
                rule r_srv-nord_cms { match { destination-address 62.96.12.172/32; } then { destination-nat pool dstpool_srv-nord_cms; } }
                rule r_srv-nord_web { match { destination-address 62.96.12.168/32; } then { destination-nat pool dstpool_srv-nord_web; } }
                rule r_srv-svn { match { destination-address 62.96.131.140/32; } then { destination-nat pool dstpool_srv-svn; } }
                rule r_srv-swp_cms { match { destination-address 213.61.224.227/32; } then { destination-nat pool dstpool_srv-swp_cms; } }
                rule r_srv-swp_web { match { destination-address 213.61.224.228/32; } then { destination-nat pool dstpool_srv-swp_web; } }
                rule r_srv-watt { match { destination-address 62.96.12.167/32; } then { destination-nat pool dstpool_srv-watt; } }
                rule r_srv-win_web { match { destination-address 62.96.12.161/32; } then { destination-nat pool dstpool_srv-win_web; } }
                rule r_srv-zf_cms { match { destination-address 213.61.224.229/32; } then { destination-nat pool dstpool_srv-zf_cms; } }
                rule r_srv-zf_web { match { destination-address 213.61.224.230/32; } then { destination-nat pool dstpool_srv-zf_web; } }
                rule r_srv-zf_webdav { match { destination-address 62.96.12.166/32; } then { destination-nat pool dstpool_srv-zf_webdav; } }
                /* Reverse side of the ZF VPN address mapping: 192.168.0.39/.43/.42 seen from 149.238.10.0/24 map back to the DMZ hosts. */
                rule r_srv-zf_web_neu { match { source-address 149.238.10.0/24; destination-address 192.168.0.39/32; } then { destination-nat pool dstpool_srv-zf_web_neu; } }
                rule r_srv-zf-web_second_ip { match { source-address 149.238.10.0/24; destination-address 192.168.0.43/32; } then { destination-nat pool dstpool_srv-zf_second_ip; } }
                rule r_srv-zf_winweb_sec_ip { match { source-address 149.238.10.0/24; destination-address 192.168.0.42/32; } then { destination-nat pool dstpool_srv-zf_win_second_ip; } }
            }
        }
    }
    screen {
        /* dmz-screen and trust-screen are identical; untrust-screen differs only in
         * leaving out ip block-frag (possibly deliberate for fragmented IPsec/PMTU
         * traffic on the Internet side - TODO confirm). */
        ids-option dmz-screen {
            icmp { ip-sweep threshold 1000000; fragment; flood threshold 8000; ping-death; }
            ip { bad-option; record-route-option; timestamp-option; security-option; stream-option; spoofing; source-route-option; loose-source-route-option; strict-source-route-option; unknown-protocol; block-frag; tear-drop; }
            tcp { syn-fin; fin-no-ack; tcp-no-flag; syn-frag; port-scan threshold 1000000; syn-ack-ack-proxy; syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; winnuke; tcp-sweep threshold 1000000; }
            udp { flood threshold 50000; udp-sweep threshold 1000000; }
            limit-session { source-ip-based 200; destination-ip-based 20000; }
        }
        ids-option trust-screen {
            icmp { ip-sweep threshold 1000000; fragment; flood threshold 8000; ping-death; }
            ip { bad-option; record-route-option; timestamp-option; security-option; stream-option; spoofing; source-route-option; loose-source-route-option; strict-source-route-option; unknown-protocol; block-frag; tear-drop; }
            tcp { syn-fin; fin-no-ack; tcp-no-flag; syn-frag; port-scan threshold 1000000; syn-ack-ack-proxy; syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; winnuke; tcp-sweep threshold 1000000; }
            udp { flood threshold 50000; udp-sweep threshold 1000000; }
            limit-session { source-ip-based 200; destination-ip-based 20000; }
        }
        ids-option untrust-screen {
            icmp { ip-sweep threshold 1000000; fragment; flood threshold 8000; ping-death; }
            ip { bad-option; record-route-option; timestamp-option; security-option; stream-option; spoofing; source-route-option; loose-source-route-option; strict-source-route-option; unknown-protocol; tear-drop; }
            tcp { syn-fin; fin-no-ack; tcp-no-flag; syn-frag; port-scan threshold 1000000; syn-ack-ack-proxy; syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; winnuke; tcp-sweep threshold 1000000; }
            udp { flood threshold 50000; udp-sweep threshold 1000000; }
            limit-session { source-ip-based 200; destination-ip-based 20000; }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net_ibb_itools_intern 172.18.0.0/24;
                address srv-backup 192.168.0.37/32;
                address srv-mail_dns 192.168.0.59/32;
                address net-trust 192.168.0.0/24;
            }
            screen trust-screen;
            /* Every system service and routing protocol is accepted from the internal
             * network. NOTE(review): narrow this to the services actually used. */
            host-inbound-traffic { system-services { all; } protocols { all; } }
            interfaces { reth0.1; }
        }
        security-zone untrust {
            address-book {
                address net_ibb 192.168.114.0/24;
                address host-sslmailpool.ispgateway.de 80.67.29.6/32;
                address host-pop3.interactive-tools.de 80.67.29.59/32;
                address host-nagios.digisec.de 87.230.76.160/32;
                address dsl-digisec_extern 87.193.218.46/32;
                address srv-kbb-database 10.20.10.19/32;
                address net-kbb-webserverfarm 10.60.0.0/16;
                address srv-kbb-10_31 10.30.10.31/32;
                address net-vpn-zf 149.238.10.0/24;
                address-set set-df_mailserver { address host-sslmailpool.ispgateway.de; address host-pop3.interactive-tools.de; }
            }
            screen untrust-screen;
            /* ike is required for the VPN gateways on reth0.2; https and ssh expose the
             * management plane to the Internet (see web-management above). dns to the
             * device itself on the Internet side has no visible consumer in this file
             * (no dns-proxy configured) - TODO confirm it is needed. */
            host-inbound-traffic { system-services { https; ike; ping; ssh; traceroute; dns; } }
            interfaces { reth0.2; }
        }
        security-zone dmz {
            address-book {
                address srv-confluence-170 172.16.131.170/32;
                address srv-confluence-171 172.16.131.171/32;
                address srv-nord_cms 172.16.131.172/32;
                address srv-zf_cms 172.16.131.163/32;
                address srv-win_zf_fs4 172.16.131.174/32;
                address srv-zf_cms_neu 172.16.131.229/32;
                address srv-firstspirit 172.16.131.139/32;
                address srv-linux_fs4 172.16.131.162/32;
                address srv-kbb_cms 172.16.131.161/32;
                address srv-linux_fs4r4 172.16.131.231/32;
                address srv-zf_web_neu 172.16.131.230/32;
                address srv-kbb_web 172.16.131.226/32;
                address srv-nord_web 172.16.131.168/32;
                address-set set-confluence { address srv-confluence-170; address srv-confluence-171; }
                address-set set-server_ssh { address srv-zf_cms; address srv-win_zf_fs4; }
                address-set set-server_ftp { address srv-zf_cms; address srv-zf_cms_neu; address srv-win_zf_fs4; }
            }
            screen dmz-screen;
            host-inbound-traffic { system-services { ping; dns; traceroute; } }
            interfaces { reth0.3; }
        }
    }
    policies {
        /* Policies are evaluated top-down, first match wins; there is no untrust->trust
         * zone pair, so the implicit default deny covers that direction. */
        from-zone trust to-zone untrust {
            /* The four inactive IBB/KBB tunnel policies are kept but not applied. */
            inactive: policy pol_vpn_ibb { match { source-address net_ibb_itools_intern; destination-address net_ibb; application any; } then { permit { tunnel { ipsec-vpn vpn_ibb; } application-services { idp; utm-policy pol_utm_av; } } count; } }
            inactive: policy pol-vpn-srv-kbb-database { match { source-address any; destination-address srv-kbb-database; application any; } then { permit { tunnel { ipsec-vpn vpn_kbb; } application-services { idp; utm-policy pol_utm_av; } } count; } }
            inactive: policy pol-vpn-kbb-webserverfarm { match { source-address any; destination-address net-kbb-webserverfarm; application any; } then { permit { tunnel { ipsec-vpn vpn_kbb; } application-services { idp; utm-policy pol_utm_av; } } count; } }
            inactive: policy pol-vpn-kbb-host10_31 { match { source-address any; destination-address srv-kbb-10_31; application any; } then { permit { tunnel { ipsec-vpn vpn_kbb; } application-services { idp; utm-policy pol_utm_av; } } count; } }
            policy pol-vpn-zf { match { source-address net-trust; destination-address net-vpn-zf; application any; } then { permit { tunnel { ipsec-vpn vpn_zf; } application-services { idp; utm-policy pol_utm_av; } } count; } }
            /* Unrestricted outbound Internet access for the internal network (IDP + AV). */
            policy pol-standard-internet { match { source-address any; destination-address any; application any; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            /* Shadowed: pol-standard-internet above already matches any application, so this policy never matches. */
            policy pol-network { match { source-address any; destination-address any; application junos-icmp-all; } then { permit { application-services { idp; } } } }
        }
        /* DMZ -> internal: only Bacula storage-daemon traffic to the backup host and SMTP to the mail server. */
        from-zone dmz to-zone trust {
            policy pol-backup-bacula { match { source-address any; destination-address srv-backup; application app-bacula-sd; } then { permit { application-services { idp; } } count; } }
            policy pol-mailserver { match { source-address any; destination-address srv-mail_dns; application junos-smtp; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
        }
        from-zone dmz to-zone untrust {
            policy pol-mail_to_internet { match { source-address any; destination-address any; application junos-smtp; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            policy pol-dmz_internet_services { match { source-address any; destination-address any; application set-dmz_internet_services; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            policy pol-confluence-domainfactory { match { source-address set-confluence; destination-address set-df_mailserver; application app-pop3s; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            policy pol-server_ssh { match { source-address set-server_ssh; destination-address any; application junos-ssh; } then { permit { application-services { idp; } } count; } }
            policy pol-nagios_digisec { match { source-address any; destination-address host-nagios.digisec.de; application app-nagios_nsca; } then { permit { application-services { idp; } } count; } }
            policy pol-server_ftp { match { source-address set-server_ftp; destination-address any; application junos-ftp; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
        }
        from-zone trust to-zone dmz {
            /* Internal network has unrestricted access to the DMZ. */
            policy pol-trust-to-dmz_any { match { source-address any; destination-address any; application any; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            /* Shadowed by pol-trust-to-dmz_any above, same as in trust->untrust. */
            policy pol-network { match { source-address any; destination-address any; application junos-icmp-all; } then { permit { application-services { idp; } } } }
        }
        /* Internet -> DMZ. Policies match the post-destination-NAT address, so a DMZ host is only
         * reachable from the Internet if a dstpool above maps a public address to it. NOTE(review):
         * srv-zf_cms (.163), srv-win_zf_fs4 (.174) and srv-linux_fs4 (.162) have no destination pool
         * in this file, so pol-zf_cms_port3100, pol-win_zf_fs4_ftp and pol-linux_fs4_port1088 look
         * stale - TODO confirm. */
        from-zone untrust to-zone dmz {
            /* Single external address (dsl-digisec_extern) gets full access to every DMZ host. */
            policy pol-digisec-to-dmz { match { source-address dsl-digisec_extern; destination-address any; application any; } then { permit { application-services { idp; utm-policy pol_utm_av; } } count; } }
            policy pol-http_https { match { source-address any; destination-address any; application [ junos-http junos-https ]; } then { permit { application-services { idp; } } count; } }
            policy pol-tomcat { match { source-address any; destination-address srv-firstspirit; application app-tomcat; } then { permit { application-services { idp; } } count; } }
            policy pol-zf_cms_port3100 { match { source-address any; destination-address srv-zf_cms; application app-port3100; } then { permit { application-services { idp; } } count; } }
            policy pol-win_zf_fs4_ftp { match { source-address any; destination-address srv-win_zf_fs4; application junos-ftp; } then { permit { application-services { idp; } } count; } }
            policy pol-linux_fs4_port1088 { match { source-address any; destination-address srv-linux_fs4; application app-port1088; } then { permit { application-services { idp; } } count; } }
            policy pol-wacker8000 { match { source-address any; destination-address [ srv-kbb_cms srv-linux_fs4r4 ]; application app-wacker8000; } then { permit { application-services { idp; } } count; } }
            policy pol-kbb_web_port8888 { match { source-address any; destination-address srv-kbb_web; application app-port8888; } then { permit { application-services { idp; } } count; } }
            policy pol-zf_web_neu_port1199_8180 { match { source-address any; destination-address srv-zf_web_neu; application [ app-port1199 app-port8180 ]; } then { permit { application-services { idp; } } count; } }
            /* SSH to srv-nord_web (reachable via 62.96.12.168) from any Internet source. NOTE(review):
             * restrict source-address to the administrators' networks. */
            policy pol-nord_web_ssh { match { source-address any; destination-address srv-nord_web; application junos-ssh; } then { permit { application-services { idp; } } count; } }
        }
    }
    /* MSS clamping for VPN traffic and strict SYN checking for new TCP sessions. */
    flow { tcp-mss { ipsec-vpn { mss 1350; } } tcp-session { strict-syn-check; } }
    utm {
        feature-profile {
            /* Kaspersky engine profiles per protocol; the HTTP and FTP profiles use intelligent prescreening. */
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    profile p_antivirus_http { scan-options { intelligent-prescreening; scan-mode all; scan-extension junos-default-extension; } trickling timeout 10; notification-options { virus-detection { type message; } } }
                    profile p_antivirus_smtp { scan-options { scan-mode all; scan-extension junos-default-extension; } notification-options { virus-detection { type protocol-only; } } }
                    profile p_antivirus_imap { scan-options { scan-mode all; scan-extension junos-default-extension; } notification-options { virus-detection { type message; } fallback-non-block { notify-mail-recipient; } } }
                    profile p_antivirus_pop3 { scan-options { scan-mode all; scan-extension junos-default-extension; } notification-options { virus-detection { type message; } fallback-non-block { notify-mail-recipient; } } }
                    profile p_antivirus_ftp { scan-options { intelligent-prescreening; scan-mode all; scan-extension junos-default-extension; } notification-options { virus-detection { type message; } } }
                }
            }
            /* Web-filtering profile; only referenced by pol_utm_av_wf, which no policy in this file uses. */
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    profile p_surfcontrol {
                        category {
                            Adult_Sexually_Explicit { action block; }
                            Advertisements { action block; }
                            Arts_Entertainment { action log-and-permit; }
                            Chat { action log-and-permit; }
                            Computing_Internet { action log-and-permit; }
                            Criminal_Skills { action block; }
                            Drugs_Alcohol_Tobacco { action block; }
                            Education { action log-and-permit; }
                            Finance_Investment { action log-and-permit; }
                            Food_Drink { action log-and-permit; }
                            Gambling { action block; }
                            Games { action block; }
                            Glamour_Intimate_Apparel { action log-and-permit; }
                            Government_Politics { action log-and-permit; }
                            Hacking { action block; }
                            Hate_Speech { action block; }
                            Health_Medicine { action log-and-permit; }
                            Hobbies_Recreation { action log-and-permit; }
                            Hosting_Sites { action log-and-permit; }
                            Job_Search_Career_Development { action log-and-permit; }
                            Kids_Site { action log-and-permit; }
                            Lifestyle_Culture { action log-and-permit; }
                            Motor_Vehicles { action log-and-permit; }
                            News { action log-and-permit; }
                            Personals_Dating { action block; }
                            Photo_Searches { action log-and-permit; }
                            Real_Estate { action log-and-permit; }
                            Reference { action log-and-permit; }
                            Religion { action log-and-permit; }
                            Remote_Proxies { action block; }
                            Sex_Education { action block; }
                            Search_Engines { action log-and-permit; }
                            Shopping { action log-and-permit; }
                            Sports { action log-and-permit; }
                            Streaming_Media { action log-and-permit; }
                            Travel { action log-and-permit; }
                            Usenet_News { action log-and-permit; }
                            Violence { action block; }
                            Weapons { action block; }
                            Web_based_Email { action log-and-permit; }
                        }
                        default log-and-permit;
                        custom-block-message "Juniper Web Filtering has been set to block this site.";
                        /* Fail-open: on server/timeout/overload problems traffic is logged and permitted. */
                        fallback-settings { default log-and-permit; server-connectivity log-and-permit; timeout log-and-permit; too-many-requests log-and-permit; }
                    }
                }
            }
            /* Anti-spam profile; only referenced by pol_utm_av_as, which no policy in this file uses. */
            anti-spam { sbl { profile p_antispam_sbl { sbl-default-server; spam-action block; custom-tag-string ***SPAM***; } } }
        }
        /* pol_utm_av_as and pol_utm_av_wf are defined but not referenced by any security
         * policy above (all of them use pol_utm_av), so anti-spam and web-filtering are
         * effectively not applied. */
        utm-policy pol_utm_av_as { anti-virus { http-profile p_antivirus_http; ftp { upload-profile p_antivirus_ftp; download-profile p_antivirus_ftp; } smtp-profile p_antivirus_smtp; pop3-profile p_antivirus_pop3; imap-profile p_antivirus_imap; } anti-spam { smtp-profile p_antispam_sbl; } }
        utm-policy pol_utm_av_wf { anti-virus { http-profile p_antivirus_http; ftp { upload-profile p_antivirus_ftp; download-profile p_antivirus_ftp; } smtp-profile p_antivirus_smtp; pop3-profile p_antivirus_pop3; imap-profile p_antivirus_imap; } web-filtering { http-profile p_surfcontrol; } }
        utm-policy pol_utm_av { anti-virus { http-profile p_antivirus_http; ftp { upload-profile p_antivirus_ftp; download-profile p_antivirus_ftp; } smtp-profile p_antivirus_smtp; pop3-profile p_antivirus_pop3; imap-profile p_antivirus_imap; } }
    }
    /* Remote-access (Pulse/dynamic VPN) client definition: one user, protected resources
     * are the internal and DMZ networks, tunnel vpn_dynamic_vpn. */
    dynamic-vpn {
        access-profile profile_access_intern;
        clients { clients_dynamic_vpn { remote-protected-resources { 192.168.0.0/24; 172.16.131.0/24; } ipsec-vpn vpn_dynamic_vpn; user { adminitslange; } } }
    }
}
access {
    /* Local password authentication for XAuth, firewall pass-through and web auth.
     * The firewall-user password "x" reads as a placeholder; if it is the live
     * value it grants VPN and DMZ/internal access with a one-character password. */
    profile profile_access_intern {
        authentication-order password;
        client adminitslange { firewall-user { password "x"; } }
        address-assignment { pool pool_dynamic_vpn; }
        session-options { client-idle-timeout 10; client-session-timeout 480; }
    }
    /* Client address pool for the dynamic VPN, with internal DNS/WINS pushed via XAuth. */
    address-assignment {
        pool pool_dynamic_vpn {
            family inet {
                network 10.10.250.0/24;
                xauth-attributes { primary-dns 192.168.0.10/32; secondary-dns 192.168.0.12/32; primary-wins 192.168.0.10/32; secondary-wins 192.168.0.12/32; }
            }
        }
    }
    /* Banners are German: login = "authentication required, enter user name and
     * password"; success = "login successful, session expires after 10 minutes
     * of inactivity"; fail = "login failed". No policy in this file actually
     * enables firewall-authentication, so these are currently unused. */
    firewall-authentication {
        pass-through {
            default-profile profile_access_intern;
            http {
                banner {
                    login "Die Verbindung benoetigt eine Authentifizierung. Geben Sie Benutzername und Kennwort ein.";
                    success "Anmeldung erfolgreich. Die Sitzung laeuft nach 10 Minuten Inaktivitaet ab.";
                    fail "Anmeldung fehlgeschlagen.";
                }
            }
        }
        web-authentication {
            default-profile profile_access_intern;
            banner { success "Anmeldung erfolgreich. Die Sitzung laeuft nach 10 Minuten Inaktivitaet ab."; }
        }
    }
}
applications {
    /* Custom TCP services referenced by the policies above. */
    application app-bacula-sd { protocol tcp; destination-port 9103; }
    application app-pop3s { protocol tcp; destination-port 995; }
    application app-nagios_nsca { protocol tcp; destination-port 5668; }
    application app-tomcat { protocol tcp; destination-port 8080; }
    application app-port3100 { protocol tcp; destination-port 3100; }
    application app-port1088 { protocol tcp; destination-port 1088; }
    application app-wacker8000 { protocol tcp; destination-port 8000; }
    application app-port8888 { protocol tcp; destination-port 8888; }
    application app-port1199 { protocol tcp; destination-port 1199; }
    application app-port8180 { protocol tcp; destination-port 8180; }
    /* Outbound services allowed for all DMZ hosts (pol-dmz_internet_services). */
    application-set set-dmz_internet_services { application junos-http; application junos-https; application junos-dns-udp; application junos-ntp; }
    /* set-pop3 is not referenced by any policy in this file (pol-confluence-domainfactory uses app-pop3s directly). */
    application-set set-pop3 { application junos-pop3; application app-pop3s; }
}