set clock timezone 1
set clock dst recurring start-weekday 4 0 3 02:00 end-weekday 4 0 10 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "xxxxxxx"
set admin password "xxxxxxxxxxxxxxxxxx"
set admin mail alert
set admin mail server-name "xxx"
set admin mail mail-addr1 "xxx@mydomain.com"
set admin mail traffic-log
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen syn-flood
set zone "Trust" screen ip-spoofing
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen icmp-id
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Trust" screen icmp-flood
set zone "V1-Trust" screen udp-flood
set zone "V1-Trust" screen winnuke
set zone "V1-Trust" screen port-scan
set zone "V1-Trust" screen ip-sweep
set zone "V1-Trust" screen tear-drop
set zone "V1-Trust" screen syn-flood
set zone "V1-Trust" screen ip-spoofing
set zone "V1-Trust" screen ping-death
set zone "V1-Trust" screen ip-filter-src
set zone "V1-Trust" screen land
set zone "V1-Trust" screen syn-frag
set zone "V1-Trust" screen tcp-no-flag
set zone "V1-Trust" screen unknown-protocol
set zone "V1-Trust" screen ip-bad-option
set zone "V1-Trust" screen ip-record-route
set zone "V1-Trust" screen ip-timestamp-opt
set zone "V1-Trust" screen ip-security-opt
set zone "V1-Trust" screen ip-loose-src-route
set zone "V1-Trust" screen ip-strict-src-route
set zone "V1-Trust" screen ip-stream-opt
set zone "V1-Trust" screen icmp-fragment
set zone "V1-Trust" screen icmp-large
set zone "V1-Trust" screen syn-fin
set zone "V1-Trust" screen fin-no-ack
set zone "V1-Trust" screen limit-session source-ip-based
set zone "V1-Trust" screen syn-ack-ack-proxy
set zone "V1-Trust" screen block-frag
set zone "V1-Trust" screen limit-session destination-ip-based
set zone "V1-Trust" screen icmp-id
set zone "V1-Untrust" screen icmp-flood
set zone "V1-Untrust" screen udp-flood
set zone "V1-Untrust" screen winnuke
set zone "V1-Untrust" screen port-scan
set zone "V1-Untrust" screen ip-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ip-spoofing
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "V1-Untrust" screen syn-frag
set zone "V1-Untrust" screen tcp-no-flag
set zone "V1-Untrust" screen unknown-protocol
set zone "V1-Untrust" screen ip-bad-option
set zone "V1-Untrust" screen ip-record-route
set zone "V1-Untrust" screen ip-timestamp-opt
set zone "V1-Untrust" screen ip-security-opt
set zone "V1-Untrust" screen ip-loose-src-route
set zone "V1-Untrust" screen ip-strict-src-route
set zone "V1-Untrust" screen ip-stream-opt
set zone "V1-Untrust" screen icmp-fragment
set zone "V1-Untrust" screen icmp-large
set zone "V1-Untrust" screen syn-fin
set zone "V1-Untrust" screen fin-no-ack
set zone "V1-Untrust" screen limit-session source-ip-based
set zone "V1-Untrust" screen syn-ack-ack-proxy
set zone "V1-Untrust" screen block-frag
set zone "V1-Untrust" screen limit-session destination-ip-based
set zone "V1-Untrust" screen component-block zip
set zone "V1-Untrust" screen component-block jar
set zone "V1-Untrust" screen component-block exe
set zone "V1-Untrust" screen component-block activex
set zone "V1-Untrust" screen icmp-id
set zone "DMZ" screen icmp-flood
set zone "DMZ" screen udp-flood
set zone "DMZ" screen winnuke
set zone "DMZ" screen port-scan
set zone "DMZ" screen ip-sweep
set zone "DMZ" screen tear-drop
set zone "DMZ" screen syn-flood
set zone "DMZ" screen ip-spoofing
set zone "DMZ" screen ping-death
set zone "DMZ" screen ip-filter-src
set zone "DMZ" screen land
set zone "DMZ" screen syn-frag
set zone "DMZ" screen tcp-no-flag
set zone "DMZ" screen unknown-protocol
set zone "DMZ" screen ip-bad-option
set zone "DMZ" screen ip-record-route
set zone "DMZ" screen ip-timestamp-opt
set zone "DMZ" screen ip-security-opt
set zone "DMZ" screen ip-loose-src-route
set zone "DMZ" screen ip-strict-src-route
set zone "DMZ" screen ip-stream-opt
set zone "DMZ" screen icmp-fragment
set zone "DMZ" screen icmp-large
set zone "DMZ" screen syn-fin
set zone "DMZ" screen fin-no-ack
set zone "DMZ" screen limit-session source-ip-based
set zone "DMZ" screen syn-ack-ack-proxy
set zone "DMZ" screen block-frag
set zone "DMZ" screen limit-session destination-ip-based
set zone "DMZ" screen icmp-id
set zone "DMZ" screen ip-spoofing drop-no-rpf-route
set zone "V1-DMZ" screen icmp-flood
set zone "V1-DMZ" screen udp-flood
set zone "V1-DMZ" screen winnuke
set zone "V1-DMZ" screen port-scan
set zone "V1-DMZ" screen ip-sweep
set zone "V1-DMZ" screen tear-drop
set zone "V1-DMZ" screen syn-flood
set zone "V1-DMZ" screen ip-spoofing
set zone "V1-DMZ" screen ping-death
set zone "V1-DMZ" screen ip-filter-src
set zone "V1-DMZ" screen land
set zone "V1-DMZ" screen syn-frag
set zone "V1-DMZ" screen tcp-no-flag
set zone "V1-DMZ" screen unknown-protocol
set zone "V1-DMZ" screen ip-bad-option
set zone "V1-DMZ" screen ip-record-route
set zone "V1-DMZ" screen ip-timestamp-opt
set zone "V1-DMZ" screen ip-security-opt
set zone "V1-DMZ" screen ip-loose-src-route
set zone "V1-DMZ" screen ip-strict-src-route
set zone "V1-DMZ" screen ip-stream-opt
set zone "V1-DMZ" screen icmp-fragment
set zone "V1-DMZ" screen icmp-large
set zone "V1-DMZ" screen syn-fin
set zone "V1-DMZ" screen fin-no-ack
set zone "V1-DMZ" screen limit-session source-ip-based
set zone "V1-DMZ" screen syn-ack-ack-proxy
set zone "V1-DMZ" screen block-frag
set zone "V1-DMZ" screen limit-session destination-ip-based
set zone "V1-DMZ" screen component-block zip
set zone "V1-DMZ" screen component-block jar
set zone "V1-DMZ" screen component-block exe
set zone "V1-DMZ" screen component-block activex
set zone "V1-DMZ" screen icmp-id
set zone "Trust" screen limit-session source-ip-based 80
set zone "Untrust" screen limit-session source-ip-based 400
set zone "DMZ" screen limit-session source-ip-based 8
set zone "Trust" screen limit-session destination-ip-based 256
set zone "DMZ" screen limit-session destination-ip-based 256
set zone "Trust" screen syn-ack-ack threshold 32
set zone "Untrust" screen syn-ack-ack threshold 64
set zone "DMZ" screen syn-ack-ack threshold 32
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.252.2/29
set interface ethernet0/0 route
set interface ethernet0/1 ip 1.10.3.1/24
set interface ethernet0/1 nat
set interface bgroup0 ip 192.168.30.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
unset interface bgroup0 manage snmp
set interface bgroup0 manage mtrace
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 192.168.252.2
unset interface ethernet0/0 monitor track-ip dynamic
set interface ethernet0/0 vip interface-ip 25 "MAIL" 1.x.x.7 manual
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow syn-proxy syn-cookie
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain .
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 198.228.12.22
set dns host dns2 198.228.12.23
set dns host dns3 0.0.0.0
set address "Trust" "192.168.30.0/24" 192.168.30.0 255.255.255.0
set address "Trust" "xx_PC" 192.168.30.76 255.255.255.255
set address "Trust" "xx_PC" 192.168.30.63 255.255.255.255
set address "Trust" "xx_PC" 192.168.30.70 255.255.255.255
set address "Trust" "xx_PC" 192.168.30.60 255.255.255.255
set address "DMZ" "Mail_Server" 1.10.3.7 255.255.255.255
set group service "MAIL-POP3" comment "Mail Send-Receive Services"
set group service "MAIL-POP3" add "MAIL"
set group service "MAIL-POP3" add "POP3"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 3 from "Trust" to "DMZ" "192.168.30.0/24" "Mail_Server" "MAIL-POP3" permit
set policy id 3
exit
set policy id 4 from "DMZ" to "Untrust" "Mail_Server" "Any" "MAIL" permit
set policy id 4
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 9 from "Untrust" to "DMZ" "VIP(ethernet0/0)" "Mail_Server" "MAIL-POP3" permit
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.252.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit