## Last changed: 2013-07-08 12:44:58 CEST
/* Junos SRX chassis-cluster configuration (node0/node1, four reth interfaces).
   Zones: R0 (reth0.0), R1 (reth1.0), R2 (reth2.0), dmz (reth3.0).
   reth2.0 and reth3.0 sit in virtual-router R2-dmz; reth0.0 and reth1.0 stay in
   the default instance, whose default route goes out via reth1 (10.10.10.254).
   The quoted secrets/addresses below are redacted placeholders from the source. */
version 10.4R3.4;
groups {
    /* Per-node values selected by apply-groups "${node}": host-name and the
       out-of-band fxp0 management address of each cluster member. */
    node0 {
        system {
            host-name SRXNODE0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.3.13/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRXNODE1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.3.14/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    host-name SRXCLUSTER;
    time-zone Europe/Madrid;
    /* Only root-authentication is present; no login/user stanza appears in this
       config. If that is accurate, all administration happens as root.
       NOTE(review): confirm whether named admin accounts exist elsewhere. */
    root-authentication {
        encrypted-password "XXXXXXXXXXXXXXXXXXX";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        /* ssh is enabled with no further options (no root-login restriction,
           no protocol-version or rate-limit set here). */
        ssh;
        /* Management UI is plain HTTP on a non-standard port, bound to reth0.0
           (zone R0); no https stanza is configured, so credentials travel in
           cleartext on that segment. */
        web-management {
            http {
                port 17226;
                interface reth0.0;
            }
        }
    }
    /* Logging is local-only: no remote syslog host is configured, so
       authorization and interactive-command records live on the flash only. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* Single NTP server, no authentication-key configured. */
    ntp {
        server 130.206.3.166 prefer;
    }
}
chassis {
    cluster {
        reth-count 4;
        node 0;
        node 1;
        /* node0 is the preferred primary for both redundancy groups. */
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            /* Only node0's revenue ports (ge-0/0/5..8) are monitored; the
               node1 members of the same reths (ge-5/0/5..8) are not listed,
               so link loss on node1 while it is primary would not be detected
               by interface-monitor. NOTE(review): confirm this is intentional. */
            interface-monitor {
                ge-0/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-0/0/7 weight 255;
                ge-0/0/8 weight 255;
            }
        }
    }
}
interfaces {
    /* reth0..reth3 each pair one node0 port with the matching node1 port. */
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/7 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/8 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/7 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/8 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    /* Fabric (data-plane sync) links between the two nodes. */
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    /* All four reths fail over together with redundancy-group 1. */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 1.1.1.1/22;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.10.10.250/26;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 11.11.11.254/24;
            }
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
}
/* Default route of the main instance leaves through reth1 (zone R1). */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.254;
    }
}
security {
    nat {
        /* Outbound traffic from R0 toward R1 and R2 is hidden behind the
           egress interface address. */
        source {
            rule-set ItoH {
                from zone R0;
                to zone R1;
                rule internet-out-R1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set ItoU {
                from zone R0;
                to zone R2;
                rule internet-out-R2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Pool mail points at 1.1.1.1, which is reth0.0's own address;
               zone R0's address book names the mail host as exchange
               (1.1.1.16). NOTE(review): looks like a wrong pool address — confirm. */
            pool mail {
                address 1.1.1.1/32 port 25;
            }
            pool vpn-R2 {
                address 2.2.2.2/32 port 1723;
            }
            pool vpn-R1 {
                address 1.1.1.19/32 port 1723;
            }
            pool xpv {
                address 2.2.2.10/32 port 443;
            }
            pool xpv80 {
                address 2.2.2.10/32 port 80;
            }
            pool owa {
                address 2.2.2.3/32 port 80;
            }
            pool owa-ssl {
                address 2.2.2.3/32 port 443;
            }
            pool xpv-R1 {
                address 1.1.1.37/32 port 443;
            }
            pool xpv-R1-80 {
                address 1.1.1.37/32 port 80;
            }
            /* Inbound port-forwards arriving on reth1.0 (PPTP, SMTP, HTTP/S). */
            rule-set fromR1 {
                from interface reth1.0;
                rule vpn-R1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.10.10.250/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool vpn-R1;
                    }
                }
                rule mail {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.10.10.250/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail;
                    }
                }
                rule xpv {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.10.10.250/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool xpv-R1;
                    }
                }
                rule xpv-R1-80 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.10.10.250/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool xpv-R1-80;
                    }
                }
            }
            /* Inbound port-forwards arriving on reth2.0 toward dmz hosts. */
            rule-set fromR2 {
                from interface reth2.0;
                rule vpn-R2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 11.11.11.254/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool vpn-R2;
                    }
                }
                rule xpv-R2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 11.11.11.254/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool xpv;
                    }
                }
                /* Rules xpv80 and owa-ssl match 158.109.244.x while their
                   siblings, the R2 address book and proxy-arp all use
                   11.11.11.x. NOTE(review): either an incomplete
                   address substitution in this copy or stale rules that never
                   match on reth2.0 — verify against the live device. */
                rule xpv80 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 158.109.244.254/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool xpv80;
                    }
                }
                rule owa {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 11.11.11.253/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool owa;
                    }
                }
                rule owa-ssl {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 158.109.244.253/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool owa-ssl;
                    }
                }
            }
        }
        /* .253 is not an interface address, so the SRX must answer ARP for it;
           .254 is reth2.0's own address and needs no proxy-arp entry. */
        proxy-arp {
            interface reth2.0 {
                address {
                    11.11.11.253/32;
                }
            }
        }
    }
    /* Basic IDS screen; bound to zones R1 and R2 only (not R0 or dmz). */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        /* Every zone, including the two that carry the untrust screen and the
           dmz, allows all host-inbound system-services and protocols, so the
           SRX itself (ssh, web-management, etc.) is reachable from each
           segment. Narrowing this per zone would reduce exposure. */
        security-zone R0 {
            address-book {
                address exchange 1.1.1.16/32;
                address vpn-R1 1.1.1.19/32;
                address sirius 172.26.2.13/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone R1 {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone R2 {
            address-book {
                address ipR2 11.11.11.254/32;
                address ip-R2-253 11.11.11.253/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.0;
            }
        }
        security-zone dmz {
            address-book {
                address rras-dmz 2.2.2.2/32;
                address xpv-dmz 2.2.2.10/32;
                address exchange-dmz 2.2.2.3/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth3.0;
            }
        }
    }
    /* No policy in this config carries a log action or an application-services
       (UTM) binding; the utm-policy objects defined further down are therefore
       not applied to any traffic as written. */
    policies {
        from-zone R0 to-zone R1 {
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone R1 to-zone R0 {
            policy mail {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-smtp junos-mail ];
                }
                then {
                    permit;
                }
            }
            policy vpn {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ike junos-ike-nat junos-l2tp junos-pptp ];
                }
                then {
                    permit;
                }
            }
            /* destination-address xpv is not defined in zone R0's address book
               (only exchange, vpn-R1, sirius). NOTE(review): the matching
               NAT pool xpv-R1 translates to 1.1.1.37/32 — confirm the intended
               address entry. */
            policy xpv-R1 {
                match {
                    source-address any;
                    destination-address xpv;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy deny-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone R0 to-zone R2 {
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* No security-zone R3 is defined in this config (zones are R0, R1, R2,
           dmz), and the addresses referenced here belong to the dmz address
           book. NOTE(review): presumably this context was meant to be
           from-zone R2 to-zone dmz; as written, DNATed R2->dmz traffic has no
           matching policy context. Confirm on the device. */
        from-zone R2 to-zone R3 {
            policy igtpvpnUD {
                match {
                    source-address any;
                    destination-address rras-dmz;
                    application [ junos-ike junos-ike-nat junos-l2tp junos-pptp ];
                }
                then {
                    permit;
                }
            }
            policy xpv {
                match {
                    source-address any;
                    destination-address xpv-dmz;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
            policy owa {
                match {
                    source-address any;
                    destination-address exchange-dmz;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy deny-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone R0 to-zone dmz {
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone R2 {
            policy vpn-R2 {
                match {
                    source-address rras-dmz;
                    destination-address any;
                    application [ junos-ike junos-ike-nat junos-l2tp junos-pptp ];
                }
                then {
                    permit;
                }
            }
            policy deny-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Explicit deny-all contexts from the untrust/dmz side toward R0/R1. */
        from-zone R2 to-zone R0 {
            policy deny-anyUI {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone R2 to-zone R1 {
            policy deny-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone dmz to-zone R0 {
            policy deny-anyDI {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone dmz to-zone R1 {
            policy deny-anyDH {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    utm {
        feature-profile {
            anti-virus {
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "XXXXXXXXX";
                        }
                    }
                }
            }
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    cache {
                        timeout 1500;
                        size 500;
                    }
                    /* Blocks two categories, permits (with log) everything else
                       and fails open on every fallback condition. */
                    profile webblock {
                        category {
                            Adult_Sexually_Explicit {
                                action block;
                            }
                            Sex_Education {
                                action block;
                            }
                        }
                        default log-and-permit;
                        custom-block-message "XXXXXXXXXXXXX.";
                        fallback-settings {
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                }
            }
        }
        /* NOTE(review): the policy name contains a space ("web filter"); Junos
           identifiers cannot, so this is probably a transcription artefact of
           the copied config rather than what the device holds — confirm. */
        utm-policy web filter {
            web-filtering {
                http-profile webblock;
            }
            traffic-options {
                sessions-per-client {
                    over-limit block;
                }
            }
        }
        utm-policy kaspersky {
            anti-virus {
                http-profile junos-av-defaults;
                ftp {
                    upload-profile junos-av-defaults;
                    download-profile junos-av-defaults;
                }
                smtp-profile junos-av-defaults;
                pop3-profile junos-av-defaults;
                imap-profile junos-av-defaults;
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
}
/* reth2.0 and reth3.0 are isolated in their own virtual router with a separate
   default route (11.11.11.1); R0/R1 traffic reaches them only through the
   security policies above. */
routing-instances {
    R2-dmz {
        instance-type virtual-router;
        interface reth2.0;
        interface reth3.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 11.11.11.1;
            }
        }
    }
}