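version 12.1X46-D40.2;
/* NOTE(review): the published listing has unbalanced braces ("system { }",
   "access { }", an extra "}" inside address-book) and a "//BUNCH OF HOSTS//"
   placeholder. host-name, root-authentication, system login and the DHCP host
   reservations / guest pool were presumably stripped before publication; the
   stanzas below are re-balanced to valid Junos. Confirm against the device. */
system {
    name-server {
        208.67.222.222;
        208.67.220.220;
        62.179.104.196;
        213.46.228.196;
        8.8.8.8;
    }
    services {
        /* SSH is the only remaining management transport. Junos defaults to
           root-login allow; add "root-login deny;" (plus connection-limit /
           rate-limit) once a non-root super-user exists under system login,
           which is not visible in this listing. */
        ssh {
            protocol-version v2;
            client-alive-count-max 6;
            client-alive-interval 300;
        }
        /* "xnm-clear-text;" removed: it exposes JUNOScript/XNM over plain TCP
           (credentials and config in cleartext), and LAN_ZONE admits every
           system-service, so any LAN host could reach it. Use SSH / NETCONF
           over SSH instead. */
        dhcp-local-server {
            group DHCP-STATIC {
                overrides {
                    process-inform {
                        /* No pool named STATIC-POOL is defined below (the only
                           visible pool is DHCP-STATIC-POOL) -- either the name
                           is wrong or a pool was redacted. Confirm. */
                        pool STATIC-POOL;
                    }
                }
                interface vlan.10;
            }
            group GUEST {
                overrides {
                    process-inform {
                        /* No GUEST pool is visible under access
                           address-assignment; without one the guest DHCP
                           server has nothing to hand out. Confirm. */
                        pool GUEST;
                    }
                }
                interface vlan.30;
            }
        }
        web-management {
            /* "http { interface vlan.10; }" removed: J-Web credentials would
               cross the LAN in cleartext; the https listener below already
               serves the same interface. */
            https {
                /* Self-signed: browsers cannot validate the identity of the
                   box, so users are trained to click through warnings. Load a
                   local-certificate from an internal CA if one exists. */
                system-generated-certificate;
                interface vlan.10;
            }
        }
    }
    syslog {
        archive size 100k files 10;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            /* was "error": that records only failed CLI commands. "any" gives
               a full operator audit trail of what was typed on the box. */
            interactive-commands any;
        }
        file change-log {
            change-log any;
        }
        file conflict-log {
            conflict-log any;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
        file ids {
            any any;
            match RT_IDS;
            /* was "archive world-readable": rotated screen/IDS logs were
               readable by every local account. Re-enable only if a non-root
               collector account must pull them. */
            archive no-world-readable;
            structured-data;
        }
        file DENIED_TRAFFIC {
            any any;
            /* Only policies configured with "log session-init" emit
               RT_FLOW_SESSION_DENY; the default-policy deny-all below does
               not log, so this file stays empty unless an explicit deny
               policy with logging is added per zone pair. */
            match RT_FLOW_SESSION_DENY;
        }
        file FLOW_SESSIONS {
            /* Added: GUEST_POLICY-TO-UNTRUST logs session-init/close, but with
               security log "mode event" those RT_FLOW messages are info-level
               and no existing file (messages is "any critical") nor remote
               host collected them. Replace with a "host <collector>" stanza
               if a remote syslog server exists outside this listing. */
            any any;
            match "RT_FLOW_SESSION_(CREATE|CLOSE)";
        }
        time-format year;
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 83.98.155.30;
        server 131.155.140.129;
        server 178.239.61.38;
        server 129.250.35.250;
        server 37.139.24.171;
    }
}
chassis {
    alarm {
        ethernet {
            link-down ignore;
        }
        integrated-services {
            failure red;
        }
        services {
            pic-reset red;
            pic-hold-reset red;
            linkdown red;
            rx-errors yellow;
            tx-errors yellow;
            sw-down red;
            hw-down red;
        }
    }
}
interfaces {
    ge-0/0/0 {
        traps;
        speed 1g;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            description "UPLINK TO ISP";
            traps;
            family inet {
                dhcp-client {
                    /* update-server pushes the ISP-learned resolvers into the
                       local DHCP pool (see propagate-settings below). */
                    update-server;
                }
            }
        }
    }
    ge-0/0/1 {
        traps;
        speed 1g;
        link-mode full-duplex;
        gratuitous-arp-reply;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members STATIC_VLAN;
                }
            }
        }
    }
    ge-0/0/2 {
        traps;
        speed 1g;
        link-mode full-duplex;
        gratuitous-arp-reply;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members STATIC_VLAN;
                }
            }
        }
    }
    ge-0/0/3 {
        traps;
        speed 100m;
        link-mode full-duplex;
        gratuitous-arp-reply;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members STATIC_VLAN;
                }
            }
        }
    }
    ge-0/0/4 {
        traps;
        speed 1g;
        link-mode full-duplex;
        gratuitous-arp-reply;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members GUEST_VLAN;
                }
                /* CAUTION(review): native-vlan-id 10 places every UNTAGGED frame
                   arriving on this guest trunk into STATIC_VLAN (the trusted LAN,
                   vlan.10 / LAN_ZONE). If the peer is a guest AP this is probably
                   its management path, but it also means any untagged host on
                   the far side lands in LAN_ZONE with no policy in between.
                   If untagged access is not needed, use "native-vlan-id 4094;"
                   (DUMMY_VLAN, no-mac-learning) or drop the statement. */
                native-vlan-id 10;
            }
        }
    }
    ge-0/0/5 {
        no-traps;
        speed 100m;
        link-mode full-duplex;
        gratuitous-arp-reply;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members STATIC_VLAN;
                }
            }
        }
    }
    ge-0/0/6 {
        /* Parked: administratively disabled and bound to the no-mac-learning
           DUMMY_VLAN so an accidental patch reaches nothing. */
        disable;
        traps;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members DUMMY_VLAN;
                }
            }
        }
    }
    ge-0/0/7 {
        traps;
        speed 1g;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            traps;
            family ethernet-switching {
                vlan {
                    members STATIC_VLAN;
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 30 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
protocols {
    igmp {
        interface vlan.10 {
            disable;
        }
    }
    /* Both STP and RSTP are disabled on a box with several access ports in the
       same VLAN: a looped patch cable becomes a broadcast storm (self-DoS)
       rather than a blocked port. Re-enable rstp unless the peers cannot
       tolerate BPDUs. */
    stp {
        disable;
    }
    rstp {
        disable;
    }
    igmp-snooping {
        vlan all {
            disable;
        }
    }
}
security {
    alarms {
        potential-violation {
            authentication 3;
            cryptographic-self-test;
            decryption-failures;
            encryption-failures;
            ike-phase1-failures;
            ike-phase2-failures;
            key-generation-self-test;
            non-cryptographic-self-test;
            replay-attacks;
            security-log-percent-full 80;
            idp;
        }
    }
    log {
        utc-timestamp;
        /* event mode: RT_FLOW / RT_IDS records go through the RE syslog, so
           they are only kept where a system syslog file or host matches them
           (see FLOW_SESSIONS, DENIED_TRAFFIC and ids above). source-address
           and transport only matter for "mode stream". */
        mode event;
        format sd-syslog;
        source-address 192.168.1.1;
        transport {
            protocol udp;
        }
    }
    address-book {
        global {
            /* Policies below match on DHCP-STATIC (.1-.127), but the DHCP pool
               covers the whole 192.168.1.0/24 with no visible range limit: a
               client leased .128-.254 matches no permit policy and is silently
               denied. Constrain the pool range (likely in the redacted part)
               or widen this object. */
            address DHCP-STATIC {
                range-address 192.168.1.1 {
                    to {
                        192.168.1.127;
                    }
                }
            }
            address GUEST_DHCP {
                range-address 192.168.2.1 {
                    to {
                        192.168.2.254;
                    }
                }
            }
            address NAT-STATIC 192.168.1.0/24;
            address GUEST_NAT 192.168.2.0/24;
            address-set DHCP-ADDRSET {
                address DHCP-STATIC;
            }
            address-set NAT-ADDRSET {
                address NAT-STATIC;
            }
            address-set GUEST-ADDRSET {
                address GUEST_DHCP;
            }
        }
    }
    application-tracking;
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            low-watermark 79;
            high-watermark 80;
        }
    }
    screen {
        ids-option UNTRUST-SCREEN {
            icmp {
                ip-sweep threshold 1000;
                fragment;
                large;
                flood threshold 50;
                ping-death;
                icmpv6-malformed;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                /* block-frag drops ALL IP fragments arriving from UNTRUST,
                   not just malformed ones; expect breakage for fragmenting
                   traffic (some VPN/UDP protocols). Keep only if intended. */
                block-frag;
                tear-drop;
                ipv6-extension-header {
                    hop-by-hop-header {
                        jumbo-payload-option;
                        router-alert-option;
                        quick-start-option;
                        CALIPSO-option;
                        SMF-DPD-option;
                        RPL-option;
                    }
                    routing-header;
                    fragment-header;
                    ESP-header;
                    AH-header;
                    no-next-header;
                    destination-header {
                        tunnel-encapsulation-limit-option;
                        home-address-option;
                        ILNP-nonce-option;
                        line-identification-option;
                    }
                    shim6-header;
                    mobility-header;
                    HIP-header;
                }
                ipv6-extension-header-limit 5;
                ipv6-malformed-header;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000;
                syn-ack-ack-proxy threshold 100;
                syn-flood {
                    alarm-threshold 60;
                    attack-threshold 80;
                    source-threshold 80;
                    destination-threshold 60;
                    timeout 30;
                }
                land;
                winnuke;
                tcp-sweep threshold 5000;
            }
            udp {
                flood threshold 1000;
                udp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 50;
                destination-ip-based 100;
            }
        }
    }
    nat {
        source {
            pool-utilization-alarm raise-threshold 80 clear-threshold 79;
            rule-set NAT-RULE-SET {
                from zone LAN_ZONE;
                to zone UNTRUST;
                rule NAT-RULE-SOURCE {
                    match {
                        source-address-name NAT-ADDRSET;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set GUEST_NAT-RULE-SET {
                description "RULE SET FOR GUEST";
                from zone GUEST;
                to zone UNTRUST;
                rule GUEST_NAT-RULE-SOURCE {
                    match {
                        source-address-name GUEST_NAT;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Zone matrix: LAN->GUEST and LAN->UNTRUST permit any; GUEST->UNTRUST
           permit any with logging; there is deliberately no GUEST->LAN_ZONE
           context, so guest-to-LAN falls to default-policy deny-all. */
        from-zone LAN_ZONE to-zone GUEST {
            policy STATIC_POLICY-TO-GUEST {
                match {
                    source-address DHCP-STATIC;
                    destination-address GUEST-ADDRSET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN_ZONE to-zone UNTRUST {
            policy LAN_POLICY-TO-UNTRUST-FOR-STATIC-ADDRSET {
                match {
                    source-address DHCP-STATIC;
                    destination-address any;
                    application any;
                }
                then {
                    /* Unlike the guest policy this one neither logs nor counts;
                       add "log { session-close; } count;" if LAN egress
                       visibility is wanted for incident response. */
                    permit;
                }
            }
        }
        from-zone GUEST to-zone UNTRUST {
            policy GUEST_POLICY-TO-UNTRUST {
                match {
                    source-address GUEST-ADDRSET;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        default-policy {
            /* Implicit deny does not log. To populate DENIED_TRAFFIC, add an
               explicit last policy per zone pair: match any/any/any, then
               "deny; log { session-init; }". */
            deny-all;
        }
        policy-rematch;
        policy-stats {
            system-wide enable;
        }
    }
    zones {
        security-zone LAN_ZONE {
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            /* "all" exposes every daemon on the box to the LAN
                               (telnet, ftp, snmp, xnm-*, ... whichever are
                               enabled now or later). Prefer the explicit set
                               the LAN actually uses, e.g.
                               "dhcp; ssh; https; ping;" -- add others as
                               needed after confirming. */
                            all;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone GUEST {
            interfaces {
                vlan.30 {
                    host-inbound-traffic {
                        system-services {
                            /* Guests may only talk DHCP to the SRX itself;
                               management from the guest VLAN is impossible. */
                            dhcp;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone UNTRUST {
            screen UNTRUST-SCREEN;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            /* ike and https are admitted from the Internet, but
                               no ike gateway, dynamic-vpn or access profile is
                               visible in this listing ("access" holds only
                               address-assignment) and web-management is bound
                               to vlan.10 only. If no VPN is in use, remove
                               both to shrink the Internet-facing surface. */
                            ike;
                            https;
                        }
                    }
                }
            }
        }
    }
}
access {
    address-assignment {
        high-utilization 80;
        abated-utilization 79;
        pool DHCP-STATIC-POOL {
            family inet {
                network 192.168.1.0/24;
                dhcp-attributes {
                    maximum-lease-time 172800;
                    server-identifier 192.168.1.1;
                    grace-period 30;
                    name-server {
                        213.46.228.196;
                        62.179.104.196;
                    }
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
                /* //BUNCH OF HOSTS// -- static host reservations were redacted
                   from the published listing. */
            }
        }
    }
}
vlans {
    STATIC_VLAN {
        vlan-id 10;
        l3-interface vlan.10;
    }
    DUMMY_VLAN {
        vlan-id 4094;
        no-mac-learning;
    }
    GUEST_VLAN {
        vlan-id 30;
        l3-interface vlan.30;
    }
}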