Traffic Shaping and Bandwidth limitation

  • 1.  Traffic Shaping and Bandwidth limitation

    Posted 01-24-2014 02:44

    Hello All,

    I am new to Juniper and would love your assistance please. Here's my scenario:

    I have an SRX650 firewall. The ISP connects to my firewall on the ge-0/0/0 interface, and ge-0/0/1 is trunked and connects to 3 VLANs on my EX2200 switch. I want to limit download and bandwidth of vlan 1 to 10kbps. Vlan 1 goes outside via ge-0/0/1.90 and it has a subnet of 10.10.90.0/32. Please can I have a detailed step-by-step configuration of how to limit bandwidth on this interface?



  • 2.  RE: Traffic Shaping and Bandwidth limitation

    Posted 01-24-2014 09:12

    We are lucky that we were born in the network era, when Junos is there to solve our problems. Virtual channel will help you out for traffic shaping and classification on a logical interface. Here are reference links (concept and configuration); you just need to make a little effort and your configuration is ready.

     

    http://66.129.228.18/techpubs/en_US/junos12.1x46/topics/concept/cos-virtual-channel-security-understanding.html

     

    http://66.129.228.18/techpubs/en_US/junos12.1x46/topics/example/cos-virtual-channel-security-configuring.html



  • 3.  RE: Traffic Shaping and Bandwidth limitation

    Posted 01-24-2014 10:50

    hello,

     

    I just want detailed steps for how to limit bandwidth for staff in my office; no branch office, just one simple SRX in an office. It's just one office, but some staff are really downloading a lot of stuff, so I want to limit the bandwidth. Thanks



  • 4.  RE: Traffic Shaping and Bandwidth limitation



  • 5.  RE: Traffic Shaping and Bandwidth limitation

    Posted 01-24-2014 23:33

    set interfaces ge-0/0/1 per-unit-scheduler
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 0 vlan-id 90
    set interfaces ge-0/0/1 unit 0 family inet address 10.10.90.1/24
    set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 10k

     ****Policer portion is optional but it will over ensure that user on this subnet can send and receive traffic above the specified parameters****

    set interfaces ge-0/0/1 unit 0 family inet policer input LB-policer
    set interfaces ge-0/0/1 unit 0 family inet policer output LB-policer
    set firewall policer LB-policer logical-bandwidth-policer
    set firewall policer LB-policer if-exceeding bandwidth-percent 100
    set firewall policer LB-policer if-exceeding burst-size-limit 125k
    set firewall policer LB-policer then discard



  • 6.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-03-2014 23:31

    Hello,

     

    I followed all your configuration and this was what I got when I did a show firewall:

    policer LB-policer {
        ##
        ## Warning: statement ignored: unsupported platform (srx650)
        ##
        logical-bandwidth-policer;
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 16k;
        }
        then discard;
    }

    Please help, or is it that the SRX650 doesn't support it?



  • 7.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 00:18

    What would give you the perfect control to limit download while allowing full bandwidth for other purposes, among other features, is the AppSecure suite using the AppFW module. Check out that product. In the meantime, configure a simple firewall policer.
    Try this one:

    policer 2mbps {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 12k;
        }
        then discard;
    }
    filter limitdwnload {
        term limit {
            from {
                destination-address {
                    10.10.90.0/24;
                }
            }
            then {
                policer 2mbps;
                
            }
        }
        term else-accept {
            then accept;
        }
    }

    ...

    ge-0/0/1 {
        unit 90 {
            family inet {
                filter {
                    output limitdwnload;
                }
            }
        }
    }



  • 8.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 00:58

    Hello Lyndidon,

     

    Please can I have your output in configuration commands, I mean in set format, just to be on the safe side. The AppFW module is not free, innit? That's why I want to limit only download on the logical interface. Please can I have the set configuration so I can try it again on my SRX650 firewall. Thanks



  • 9.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 01:10


    set firewall family inet filter limit-download term limt from destination-address 10.10.90.0/24
    set firewall family inet filter limit-download term limt then policer 2mbps
    set firewall family inet filter limit-download term else-accept then accept
    set interfaces ge-0/0/1.90 family inet filter output limit-download


     

    If it does not suit your needs, we can set it as an input filter on the interface that goes to the Internet; I think it was your ge-0/0/0.

    BTW, small office with an SRX 650? Sweet deal!



  • 10.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 01:52

    Hello,

     

    Here's what I basically want. I have an SRX650 firewall. I just want to limit the download on the firewall to as low as 1kbps, just to frustrate my staff, whereas other internet activities will go on smoothly. How do I do this step by step? Sorry, I am really new to Juniper (I am more conversant with Cisco).



  • 11.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 14:14

    OK, I understand. 1k? That is less than an old dialup modem. You can change the values in the policer to suit your requirements. Did you try the policer at all? If you know what protocols they are using, such as ftp, you can also add "from protocol ftp" in the firewall filter match condition. Please try the one shown and then tweak it as needed. What is the bandwidth you have available for Internet connection? There is a limit as to what you can do with a firewall filter, hence the provision of other means of traffic control. There are rules involved in calculating the policer values; you can look at them here. Please read these pages so you can understand what we are trying to achieve and how it will affect traffic:

    http://www.juniper.net/techpubs/en_US/junos13.1/topics/concept/policer-mx-m120-m320-implementation-overview.html

    http://www.juniper.net/techpubs/en_US/junos13.1/topics/concept/policer-mx-m120-m320-burstsize-determining.html



  • 12.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-04-2014 22:34

    Hello,

     

    I haven't tried it yet, because I am a bit confused by the commands, but let me give you the scenario here.

     

    I have a bandwidth of 1meg/512kbps to my small company. All staff are connected to my private IP network (10.10.20.0), and I use a firewall (SRX650). On my SRX650, ge-0/0/0 is for the WAN connection while ge-0/0/1 is a trunk. The logical interface IP that all staff connect to is 10.10.20.5 on logical interface ge-0/0/1.20. Mostly during office work, some staff download a lot of movies and songs, which takes up all my 1 meg bandwidth and therefore makes it hard for other serious staff to work on the net. So I want to limit the rate of download as low as possible to frustrate the culprits, but at the same time allow the serious staff to browse faster and more conveniently. How can you help in this scenario? I want the step-by-step set commands please. Thanks for your help



  • 13.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-06-2014 22:27

    The commands are what we use to write to the configuration database. Since your pipe is so low, I used percentage instead. (You can work out what 2% of 512K represents.) We create a policer, apply the policer using a firewall filter, and apply the firewall filter on the interface for the users excessively downloading files. I posted a few links that help you understand how policers work and how the policed bandwidth works. As soon as you log in to the router, save your existing configuration like this:

    #save my-current-config

     

    then you can enter the commands one line at a time or copy all the commands from 1 or 2 then load them like this:

    # load set terminal
    [Type ^D at a new line to end input]

     

    <Right-click to paste the copied commands> or you can use Ctrl + Shift + V to paste the copied commands.

    Then press Ctrl + D; it will say load complete.

    You can now enter commit. Or you can enter commit confirmed 60 so the filter is applied for 60 minutes and it will roll back in 60 minutes to your original configuration. If you enter commit before 60 minutes it will be applied permanently. You can always load your saved config if you do not like it. But please test it to see if it will work for you. As you indicated that you do not understand the commands, you should definitely take a few courses like the IJOS, JRE, JIR and JSEC.

     

     

    I have two suggestions for you;
    1- You can find out the individual IP addresses and enter them in a prefix-list like this, and then apply the firewall filter with the policer like this:

     

    set policy-options prefix-list excess-downloaders 10.10.90.2/32
    set policy-options prefix-list excess-downloaders 10.10.90.3/32
    set policy-options prefix-list excess-downloaders 10.10.90.4/32


    set firewall policer 2mbps if-exceeding bandwidth-percent 2
    set firewall policer 2mbps if-exceeding burst-size-limit 1500
    set firewall policer 2mbps then discard

    set firewall family inet filter limit-download term limt from source-prefix-list excess-downloaders
    set firewall family inet filter limit-download term limt then policer 2mbps
    set firewall family inet filter limit-download term else-accept then accept

    set interfaces ge-0/0/1.90 family inet filter input limit-download

     

    2- Or like this for the whole subnet- I think this is the one you want:


    set firewall policer 2mbps if-exceeding bandwidth-percent 2
    set firewall policer 2mbps if-exceeding burst-size-limit 1500
    set firewall policer 2mbps then discard

    set firewall family inet filter limit-download term limt from source-address 10.10.90.0/24
    set firewall family inet filter limit-download term limt then policer 2mbps
    set firewall family inet filter limit-download term else-accept then accept

    set interfaces ge-0/0/1.90 family inet filter input limit-download
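
Added example, not part of the thread and not Juniper's code: a Python simulation of the single-rate token bucket behind `bandwidth-limit 2m` / `burst-size-limit 12k` (post 7) and a `burst-size-limit` of 1500 (post 13), showing how the burst size alone decides how many back-to-back packets survive. The traffic pattern (fixed bursts of 1500-byte packets at 1 Gbps every 50 ms, with no TCP back-off), the pairing of 2m with a 1500-byte burst, and the sizing rule in `suggested_burst_bytes` (a commonly cited rule of thumb) are assumptions made for illustration.

```python
"""Single-rate, two-colour token-bucket policer ("then discard"), simulated offline."""
from dataclasses import dataclass

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

# Tokens are kept as integers where 1 byte = 8,000,000 units, so a rate of
# R bit/s adds exactly R units per microsecond (no floating-point drift).
UNITS_PER_BYTE = 8_000_000


def parse_junos_number(text: str) -> int:
    """Convert a Junos value such as '2m' or '12k' to an integer (k = 1000)."""
    text = text.strip().lower()
    if text and text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


@dataclass
class Policer:
    bandwidth_limit_bps: int  # if-exceeding bandwidth-limit, bits per second
    burst_size_bytes: int     # if-exceeding burst-size-limit, bytes

    def run(self, arrivals):
        """arrivals: list of (time_us, length_bytes) sorted by time.
        Returns (forwarded_bytes, discarded_bytes)."""
        cap = self.burst_size_bytes * UNITS_PER_BYTE
        tokens, last_us = cap, 0          # the bucket starts full
        forwarded = discarded = 0
        for t_us, length in arrivals:
            # Refill for the elapsed time, never beyond the bucket depth.
            tokens = min(cap, tokens + (t_us - last_us) * self.bandwidth_limit_bps)
            last_us = t_us
            cost = length * UNITS_PER_BYTE
            if cost <= tokens:            # conforming: forward and spend tokens
                tokens -= cost
                forwarded += length
            else:                         # exceeding: "then discard"
                discarded += length
        return forwarded, discarded


def bursts(window, packet_bytes=1500, interval_us=50_000,
           duration_us=1_000_000, line_rate_bps=1_000_000_000):
    """Constructed traffic: `window` back-to-back packets at line rate,
    repeated every `interval_us` for `duration_us` (assumed pattern)."""
    gap_us = packet_bytes * 8 * 1_000_000 // line_rate_bps  # 12 us at 1 Gbps
    return [(start + i * gap_us, packet_bytes)
            for start in range(0, duration_us, interval_us)
            for i in range(window)]


def suggested_burst_bytes(bandwidth_limit_bps, mtu=1500, burst_ms=5):
    """Rule of thumb (assumption): the larger of rate x 5 ms and 10 x MTU."""
    return max(bandwidth_limit_bps * burst_ms // 8000, 10 * mtu)


if __name__ == "__main__":
    rate = parse_junos_number("2m")
    cases = [
        ("12k bucket, 0.96 Mbps offered", parse_junos_number("12k"), 4),
        ("1500 B bucket, 0.96 Mbps offered", 1500, 4),
        ("12k bucket, 3.84 Mbps offered", parse_junos_number("12k"), 16),
    ]
    for label, burst, window in cases:
        fwd, drop = Policer(rate, burst).run(bursts(window))
        print(f"{label}: forwarded {fwd} B, discarded {drop} B in 1 s")
    print("suggested burst-size-limit for 2m:", suggested_burst_bytes(rate), "bytes")
```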

     



  • 14.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 05:54

    Hello,

     

    Please, how do I erase my current configs? I want to erase all my configs and start a new one, please help. The reason why I want to erase my configs is because you can browse behind the SRX anymore, but when you connect a laptop you will be able to browse......and nothing has changed. Please help

     



  • 15.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 10:25

    You can view the stored configs here and delete them:

    > file list /config/

    > file list /var/db/config

    Log in to the device, go into edit mode, then enter delete, then commit the configuration and everything is gone. If you are connected to the management port it will be lost; if you are remote, you will lose connection and will not be able to connect back. You will have to have a connection to the console. Once this is done, there is absolutely nothing in the configuration; you will have to build it from scratch. I understand you do not know how to completely delete the configuration and create and apply a policer. Please be sure you are able to rebuild the configuration from scratch, otherwise you will be asking for the post to configure the SRX completely for you. You must be sure you have the ability to configure the SRX from scratch.



  • 16.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 11:04

    Hello lyndidon,

     

    I have erased the SRX and configured it from scratch, but my main issue still persists. Recently, like 2 weeks ago, my ISP disconnected me, and after payment I was reconnected, but we noticed that the internet speed was unbearably slow. There was extremely high latency on my upload (from the graph), but when I connect direct to my laptop (taking out the SRX 650) the connection becomes fast and latency reduces. When I connect to my Cisco router it's fast too, but only on the SRX it becomes slow. This was why I wiped all the configuration and reconfigured the SRX, but it's still the same: I can browse but damnnnnn slowwwwwwwwwwwwwwwwwwwwwwwwwwwwww. Please can you help



  • 17.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 11:32

    Can you share your config and also the version you are running? Unless there is something physically wrong with the SRX and it should be RMA'd, it should not be slow at all.



  • 18.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 14:03
    Is this the same SRX on which you posted the memory-leak problem?
    If yes, then a reboot might help you for now. But for a long term solution, you'll need to talk to JTAC and get a recommendation on the bug/fix etc.

    HTH,
    ankit


  • 19.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-25-2014 22:14

    Hello lyndidon,

     

    I am running version 12.1R ..... Here are my configs:

     

    set version 12.1R1.9
    set system host-name NET_SRX650_NODE0
    set system time-zone Africa/Lagos
    set system root-authentication encrypted-password "$1$PnrcNgeE$paU9/aIIXN7249fEumwC.1"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-server 217.117.0.38
    set system name-server 217.117.15.106
    set system name-server 4.2.2.2
    set system login user Abdul uid 2005
    set system login user Abdul class super-user
    set system login user Abdul authentication encrypted-password "$1$O8RtLNn0$rkoLReDfymJnw3z3YTuCL."
    set system services ssh protocol-version v2
    set system services ssh connection-limit 5
    set system services ssh rate-limit 2
    set system services telnet connection-limit 5
    set system services xnm-clear-text
    set system services web-management http interface ge-0/0/1.0
    set system services web-management http interface ge-0/0/2.0
    set system services web-management http interface ge-0/0/3.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface ge-0/0/1.0
    set system services web-management https interface ge-0/0/2.0
    set system services web-management https interface ge-0/0/3.0
    set system services web-management https interface ge-0/0/1.10
    set system services web-management https interface ge-0/0/1.20
    set system services web-management https interface ge-0/0/1.30
    set system services web-management https interface ge-0/0/1.40
    set system services web-management https interface ge-0/0/1.90
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
    set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
    set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
    set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
    set system services dhcp pool 192.168.2.0/24 propagate-settings ge-0/0/0.0
    set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.2
    set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.254
    set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
    set system services dhcp pool 192.168.3.0/24 propagate-settings ge-0/0/0.0
    set system services dhcp pool 10.10.10.0/24 address-range low 10.10.10.50
    set system services dhcp pool 10.10.10.0/24 address-range high 10.10.10.254
    set system services dhcp pool 10.10.10.0/24 name-server 10.10.60.14
    set system services dhcp pool 10.10.10.0/24 name-server 217.117.0.38
    set system services dhcp pool 10.10.10.0/24 name-server 217.117.15.106
    set system services dhcp pool 10.10.10.0/24 name-server 4.2.2.2
    set system services dhcp pool 10.10.10.0/24 router 10.10.10.5
    set system services dhcp pool 10.10.20.0/24 address-range low 10.10.20.50
    set system services dhcp pool 10.10.20.0/24 address-range high 10.10.20.254
    set system services dhcp pool 10.10.20.0/24 name-server 10.10.60.14
    set system services dhcp pool 10.10.20.0/24 router 10.10.20.5
    set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.50
    set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.254
    set system services dhcp pool 10.10.30.0/24 name-server 10.10.60.14
    set system services dhcp pool 10.10.30.0/24 name-server 217.117.0.38
    set system services dhcp pool 10.10.30.0/24 name-server 217.117.15.106
    set system services dhcp pool 10.10.30.0/24 name-server 4.2.2.2
    set system services dhcp pool 10.10.30.0/24 router 10.10.30.5
    set system services dhcp pool 10.10.40.0/24 address-range low 10.10.40.50
    set system services dhcp pool 10.10.40.0/24 address-range high 10.10.40.254
    set system services dhcp pool 10.10.40.0/24 name-server 217.117.0.38
    set system services dhcp pool 10.10.40.0/24 name-server 217.117.15.106
    set system services dhcp pool 10.10.40.0/24 router 10.10.40.5
    set system services dhcp pool 10.10.90.0/24 address-range low 10.10.90.50
    set system services dhcp pool 10.10.90.0/24 address-range high 10.10.90.254
    set system services dhcp pool 10.10.90.0/24 name-server 217.117.0.38
    set system services dhcp pool 10.10.90.0/24 name-server 217.117.15.106
    set system services dhcp pool 10.10.90.0/24 router 10.10.90.5
    set system services dhcp pool 10.10.60.0/24 address-range low 10.10.60.50
    set system services dhcp pool 10.10.60.0/24 address-range high 10.10.60.254
    set system services dhcp pool 10.10.60.0/24 name-server 217.117.0.38
    set system services dhcp pool 10.10.60.0/24 name-server 217.117.15.106
    set system services dhcp pool 10.10.60.0/24 router 10.10.60.5
    set system services dhcp pool 10.10.50.0/24 address-range low 10.10.50.20
    set system services dhcp pool 10.10.50.0/24 address-range high 10.10.50.254
    set system services dhcp pool 10.10.50.0/24 router 10.10.50.5
    set system services dhcp pool 10.10.70.0/24 address-range low 10.10.70.20
    set system services dhcp pool 10.10.70.0/24 address-range high 10.10.70.254
    set system services dhcp pool 10.10.70.0/24 router 10.10.70.5
    set system services dhcp pool 172.16.0.0/24 address-range low 172.16.0.50
    set system services dhcp pool 172.16.0.0/24 address-range high 172.16.0.254
    set system services dhcp pool 172.16.0.0/24 router 172.16.0.5
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server 78.47.148.174
    set interfaces ge-0/0/0 description WAN_AND_VPN_INTERFACE
    set interfaces ge-0/0/0 unit 0 family inet address 41.73.234.13/25
    set interfaces ge-0/0/1 description LAN_NETWORK
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 10 description CONNECTION_FOR_VLAN_General_LAN
    set interfaces ge-0/0/1 unit 10 vlan-id 10
    set interfaces ge-0/0/1 unit 10 family inet address 10.10.10.5/24
    set interfaces ge-0/0/1 unit 20 description CONNECTION_FOR_VLAN_Authorized_LAN
    set interfaces ge-0/0/1 unit 20 vlan-id 20
    set interfaces ge-0/0/1 unit 20 family inet address 10.10.20.5/24
    set interfaces ge-0/0/1 unit 30 description CONNECTION_FOR_VLAN_Admin1
    set interfaces ge-0/0/1 unit 30 vlan-id 30
    set interfaces ge-0/0/1 unit 30 family inet address 10.10.30.5/24
    set interfaces ge-0/0/1 unit 40 description CONNECTION_FOR_VLAN_Admin2
    set interfaces ge-0/0/1 unit 40 vlan-id 40
    set interfaces ge-0/0/1 unit 40 family inet address 10.10.40.5/24
    set interfaces ge-0/0/1 unit 90 description CONNECTION_FOR_VLAN_Guest_LAN
    set interfaces ge-0/0/1 unit 90 vlan-id 90
    set interfaces ge-0/0/1 unit 90 family inet address 10.10.90.5/24
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
    set interfaces ge-0/0/3 vlan-tagging
    set interfaces ge-0/0/3 unit 50 description CONNECTION_FOR_VLAN_Server_Prod
    set interfaces ge-0/0/3 unit 50 vlan-id 50
    set interfaces ge-0/0/3 unit 50 family inet address 10.10.50.5/24
    set interfaces ge-0/0/3 unit 60 description CONNECTION_FOR_VLAN_Server_Test
    set interfaces ge-0/0/3 unit 60 vlan-id 60
    set interfaces ge-0/0/3 unit 60 family inet address 172.16.0.5/24
    set interfaces ge-0/0/3 unit 70 description CONNECTION_FOR_VLAN_Prod_DMZ
    set interfaces ge-0/0/3 unit 70 vlan-id 70
    set interfaces ge-0/0/3 unit 70 family inet address 10.10.70.5/24
    set interfaces ge-0/0/3 unit 80 description CONNECTION_FOR_VLAN_Test_DMZ
    set interfaces ge-0/0/3 unit 80 vlan-id 80
    set interfaces ge-0/0/3 unit 80 family inet address 10.10.80.5/24
    set interfaces ge-6/0/0 unit 0 description CONNECTION_TO_Domain_Controller
    set interfaces ge-6/0/0 unit 0 family inet address 10.10.60.5/24
    set interfaces ge-6/0/15 unit 0 description CONNECTION_TO_NET_SRX650_NODE1
    set interfaces ge-6/0/15 unit 0 family inet address 11.11.11.1/24
    set interfaces st0 unit 0 family inet
    set routing-options graceful-restart
    set routing-options static route 0.0.0.0/0 next-hop 41.73.234.1
    set routing-options static route 10.10.50.0/24 next-hop 11.11.11.2
    set routing-options static route 10.10.70.0/24 next-hop 11.11.11.2
    set routing-options static route 10.10.80.0/24 next-hop 11.11.11.2
    set routing-options static route 172.16.0.0/24 next-hop 11.11.11.2
    set security idp idp-policy recommended
    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-policy mode main
    set security ike policy ike-policy proposals ike-phase1-proposal
    set security ike policy ike-policy pre-shared-key ascii-text "$9$yfHrvLx7VwgJ-VgJGU.mBIEcvLxNdw24Xx"
    set security ike gateway ike-gateway ike-policy ike-policy
    set security ike gateway ike-gateway address 41.217.204.74
    set security ike gateway ike-gateway external-interface ge-0/0/0.0
    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy ipsec-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-policy proposals ipsec-phase2-proposal
    set security ipsec vpn ipsec-vpn-DC ike gateway ike-gateway
    set security ipsec vpn ipsec-vpn-DC ike ipsec-policy ipsec-policy
    set security ipsec vpn ipsec-vpn-DC establish-tunnels immediately
    set security utm custom-objects url-pattern urlblacklist value http://www.facebook.com
    set security utm custom-objects url-pattern urlblacklist value http://www.youtube.com
    set security utm custom-objects custom-url-category blocked value urlblacklist
    set security utm feature-profile anti-virus type kaspersky-lab-engine
    set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options fallback-block administrator-email "aibrahim@teasymobile.com"
    set security utm feature-profile web-filtering url-blacklist blocked
    set security utm feature-profile web-filtering type juniper-enhanced
    set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800
    set security utm feature-profile web-filtering juniper-enhanced cache size 500
    set security utm feature-profile web-filtering juniper-enhanced server host rp.cloud.threatseeker.com
    set security utm feature-profile web-filtering juniper-enhanced server port 80
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Adult_Content action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Peer_to_Peer_File_Sharing action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category blocked action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Illegal_or_Questionable action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Gay_or_Lesbian_or_Bisexual_Interest action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Keyloggers action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Malicious_Web_Sites action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Marijuana action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Nudity action block
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_News_and_Media action permit
    set security utm feature-profile web-filtering juniper-enhanced profile TEASY_WEB_FILTER category Enhanced_Organization action block
    set security utm utm-policy TEASY_UTM_POLICY anti-virus http-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY anti-virus ftp upload-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY anti-virus ftp download-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY anti-virus smtp-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY anti-virus pop3-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY anti-virus imap-profile junos-av-defaults
    set security utm utm-policy TEASY_UTM_POLICY web-filtering http-profile TEASY_WEB_FILTER
    set security utm utm-policy TEASY_UTM_POLICY anti-spam smtp-profile junos-as-defaults
    set security utm utm-policy TEASY_UTM_POLICY traffic-options sessions-per-client over-limit log-and-permit
    set security flow traceoptions file jtac
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions flag packet-drops
    set security flow traceoptions packet-filter pf1 source-prefix 172.17.15.119/32
    set security flow traceoptions packet-filter pf1 destination-prefix 10.10.60.14/32
    set security flow traceoptions packet-filter pf2 source-prefix 10.10.60.14/32
    set security flow traceoptions packet-filter pf2 destination-prefix 172.17.15.119/32
    set security flow tcp-mss ipsec-vpn mss 1350
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security nat source rule-set Trust_Gen-to-untrust_GW from zone Trust_Gen
    set security nat source rule-set Trust_Gen-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Trust_Gen-to-untrust_GW rule source-nat-rule0 match source-address 0.0.0.0/0
    set security nat source rule-set Trust_Gen-to-untrust_GW rule source-nat-rule0 then source-nat interface
    set security nat source rule-set Trust_Auth-to-untrust_GW from zone Trust_Auth
    set security nat source rule-set Trust_Auth-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Trust_Auth-to-untrust_GW rule source-nat-rule1 match source-address 0.0.0.0/0
    set security nat source rule-set Trust_Auth-to-untrust_GW rule source-nat-rule1 then source-nat interface
    set security nat source rule-set Trust_Admin1-to-untrust_GW from zone Trust_Admin1
    set security nat source rule-set Trust_Admin1-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Trust_Admin1-to-untrust_GW rule source-nat-rule2 match source-address 0.0.0.0/0
    set security nat source rule-set Trust_Admin1-to-untrust_GW rule source-nat-rule2 then source-nat interface
    set security nat source rule-set Trust_Admin2-to-untrust_GW from zone Trust_Admin2
    set security nat source rule-set Trust_Admin2-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Trust_Admin2-to-untrust_GW rule source-nat-rule3 match source-address 0.0.0.0/0
    set security nat source rule-set Trust_Admin2-to-untrust_GW rule source-nat-rule3 then source-nat interface
    set security nat source rule-set Guest_LAN-to-untrust_GW from zone Guest_LAN
    set security nat source rule-set Guest_LAN-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Guest_LAN-to-untrust_GW rule source-nat-rule4 match source-address 0.0.0.0/0
    set security nat source rule-set Guest_LAN-to-untrust_GW rule source-nat-rule4 then source-nat interface
    set security nat source rule-set Domain_Controller-to-untrust_GW from zone Domain_Controller
    set security nat source rule-set Domain_Controller-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Domain_Controller-to-untrust_GW rule source-nat-rule5 match source-address 0.0.0.0/0
    set security nat source rule-set Domain_Controller-to-untrust_GW rule source-nat-rule5 then source-nat interface
    set security nat source rule-set Prod_DMZ-to-untrust_GW from zone Prod_Server
    set security nat source rule-set Prod_DMZ-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Prod_DMZ-to-untrust_GW rule source-nat-rule6 match source-address 0.0.0.0/0
    set security nat source rule-set Prod_DMZ-to-untrust_GW rule source-nat-rule6 then source-nat interface
    set security nat source rule-set DMZ_Prod-to-untrust_GW from zone DMZ_Prod
    set security nat source rule-set DMZ_Prod-to-untrust_GW to zone untrust_GW
    set security nat source rule-set DMZ_Prod-to-untrust_GW rule source-nat-rule7 match source-address 0.0.0.0/0
    set security nat source rule-set DMZ_Prod-to-untrust_GW rule source-nat-rule7 then source-nat interface
    set security nat source rule-set Test_Server-to-untrust_GW from zone Test_Server
    set security nat source rule-set Test_Server-to-untrust_GW to zone untrust_GW
    set security nat source rule-set Test_Server-to-untrust_GW rule source-nat-rule9 match source-address 0.0.0.0/0
    set security nat source rule-set Test_Server-to-untrust_GW rule source-nat-rule9 then source-nat interface
    set security nat destination pool dst-nat-pool address 10.10.70.1/32
    set security nat destination pool dst-nat-pool-2 address 172.16.0.10/32
    set security nat destination rule-set rs2 from zone untrust_GW
    set security nat destination rule-set rs2 rule r2 match destination-address 41.206.29.42/32
    set security nat destination rule-set rs2 rule r2 then destination-nat pool dst-nat-pool
    set security nat static rule-set rs1 from zone untrust_GW
    set security nat static rule-set rs1 rule r1 match destination-address 41.73.234.14/32
    set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.60.15/32
    set security nat proxy-arp interface ge-0/0/0.0 address 41.73.234.14/32
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW-after5pm match source-address any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW-after5pm match destination-address any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW-after5pm match application any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW-after5pm then permit
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW match source-address any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW match destination-address any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW match application any
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW then permit application-services utm-policy TEASY_UTM_POLICY
    set security policies from-zone Trust_Admin2 to-zone untrust_GW policy Trust_Admin2-to-untrust_GW scheduler-name WEB-PERMIT
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW match source-address any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW match destination-address any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW match application any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW then permit application-services utm-policy TEASY_UTM_POLICY
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW scheduler-name WEB-PERMIT
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW-after5pm match source-address any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW-after5pm match destination-address any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW-after5pm match application any
    set security policies from-zone Guest_LAN to-zone untrust_GW policy Guest_LAN-to-untrust_GW-after5pm then permit
    set security policies from-zone Trust_Admin1 to-zone Trust_Auth policy Trust_Admin1-to-Trust_Auth match source-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Auth policy Trust_Admin1-to-Trust_Auth match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Auth policy Trust_Admin1-to-Trust_Auth match application any
    set security policies from-zone Trust_Admin1 to-zone Trust_Auth policy Trust_Admin1-to-Trust_Auth then permit
    set security policies from-zone Trust_Admin1 to-zone Trust_Gen policy Trust_Admin1-to-Trust_Gen match source-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Gen policy Trust_Admin1-to-Trust_Gen match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Gen policy Trust_Admin1-to-Trust_Gen match application any
    set security policies from-zone Trust_Admin1 to-zone Trust_Gen policy Trust_Admin1-to-Trust_Gen then permit
    set security policies from-zone Trust_Admin1 to-zone Domain_Controller policy Trust_Admin1-to-Domain_Controller match source-address any
    set security policies from-zone Trust_Admin1 to-zone Domain_Controller policy Trust_Admin1-to-Domain_Controller match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Domain_Controller policy Trust_Admin1-to-Domain_Controller match application any
    set security policies from-zone Trust_Admin1 to-zone Domain_Controller policy Trust_Admin1-to-Domain_Controller then permit
    set security policies from-zone Trust_Auth to-zone Domain_Controller policy Trust_Auth-to-Domain_Controller match source-address any
    set security policies from-zone Trust_Auth to-zone Domain_Controller policy Trust_Auth-to-Domain_Controller match destination-address any
    set security policies from-zone Trust_Auth to-zone Domain_Controller policy Trust_Auth-to-Domain_Controller match application any
    set security policies from-zone Trust_Auth to-zone Domain_Controller policy Trust_Auth-to-Domain_Controller then permit
    set security policies from-zone Domain_Controller to-zone Trust_Auth policy Domain_Controller-to-Trust_Auth match source-address any
    set security policies from-zone Domain_Controller to-zone Trust_Auth policy Domain_Controller-to-Trust_Auth match destination-address any
    set security policies from-zone Domain_Controller to-zone Trust_Auth policy Domain_Controller-to-Trust_Auth match application any
    set security policies from-zone Domain_Controller to-zone Trust_Auth policy Domain_Controller-to-Trust_Auth then permit
    set security policies from-zone Trust_Admin1 to-zone Trust_Admin2 policy Trust_Admin1-to-Trust_Admin2 match source-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Admin2 policy Trust_Admin1-to-Trust_Admin2 match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Trust_Admin2 policy Trust_Admin1-to-Trust_Admin2 match application any
    set security policies from-zone Trust_Admin1 to-zone Trust_Admin2 policy Trust_Admin1-to-Trust_Admin2 then permit
    set security policies from-zone Trust_Admin1 to-zone Guest_LAN policy Trust_Admin1-to-Guest_LAN match source-address any
    set security policies from-zone Trust_Admin1 to-zone Guest_LAN policy Trust_Admin1-to-Guest_LAN match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Guest_LAN policy Trust_Admin1-to-Guest_LAN match application any
    set security policies from-zone Trust_Admin1 to-zone Guest_LAN policy Trust_Admin1-to-Guest_LAN then permit
    set security policies from-zone untrust_GW to-zone Domain_Controller policy VPN-untrust-to-Domain match source-address REMOTE-LAYER3
    set security policies from-zone untrust_GW to-zone Domain_Controller policy VPN-untrust-to-Domain match destination-address LAYER3-SERVER
    set security policies from-zone untrust_GW to-zone Domain_Controller policy VPN-untrust-to-Domain match application any
    set security policies from-zone untrust_GW to-zone Domain_Controller policy VPN-untrust-to-Domain then permit tunnel ipsec-vpn ipsec-vpn-DC
    set security policies from-zone untrust_GW to-zone Domain_Controller policy VPN-untrust-to-Domain then permit tunnel pair-policy VPN-Domain-to-untrust
    set security policies from-zone untrust_GW to-zone Domain_Controller policy untrust_GW-to_Domain_Controller match source-address any
    set security policies from-zone untrust_GW to-zone Domain_Controller policy untrust_GW-to_Domain_Controller match destination-address server-1
    set security policies from-zone untrust_GW to-zone Domain_Controller policy untrust_GW-to_Domain_Controller match application any
    set security policies from-zone untrust_GW to-zone Domain_Controller policy untrust_GW-to_Domain_Controller then permit
    set security policies from-zone Domain_Controller to-zone untrust_GW policy VPN-Domain-to-untrust match source-address LAYER3-SERVER
    set security policies from-zone Domain_Controller to-zone untrust_GW policy VPN-Domain-to-untrust match destination-address REMOTE-LAYER3
    set security policies from-zone Domain_Controller to-zone untrust_GW policy VPN-Domain-to-untrust match application any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy VPN-Domain-to-untrust then permit tunnel ipsec-vpn ipsec-vpn-DC
    set security policies from-zone Domain_Controller to-zone untrust_GW policy VPN-Domain-to-untrust then permit tunnel pair-policy VPN-untrust-to-Domain
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW-server-1 match source-address server-1
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW-server-1 match destination-address any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW-server-1 match application any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW-server-1 then permit
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW match source-address any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW match destination-address any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW match application any
    set security policies from-zone Domain_Controller to-zone untrust_GW policy Domain_Controller-to-untrust_GW then permit
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW match source-address any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW match destination-address any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW match application any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW then permit application-services utm-policy TEASY_UTM_POLICY
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW scheduler-name WEB-PERMIT
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW-after5pm match source-address any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW-after5pm match destination-address any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW-after5pm match application any
    set security policies from-zone Trust_Gen to-zone untrust_GW policy Trust_Gen-to-untrust_GW-after5pm then permit
    set security policies from-zone Trust_Auth to-zone untrust_GW policy Trust_Auth-to-untrust_GW match source-address any
    set security policies from-zone Trust_Auth to-zone untrust_GW policy Trust_Auth-to-untrust_GW match destination-address any
    set security policies from-zone Trust_Auth to-zone untrust_GW policy Trust_Auth-to-untrust_GW match application any
    set security policies from-zone Trust_Auth to-zone untrust_GW policy Trust_Auth-to-untrust_GW then permit
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW match source-address any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW match destination-address any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW match application any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW then permit application-services utm-policy TEASY_UTM_POLICY
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW scheduler-name WEB-PERMIT
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW-after5pm match source-address any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW-after5pm match destination-address any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW-after5pm match application any
    set security policies from-zone Trust_Admin1 to-zone untrust_GW policy Trust_Admin1-to-untrust_GW-after5pm then permit
    set security policies from-zone Trust_Gen to-zone Cross_Over policy Trust_Gen-to-Cross_Over match source-address any
    set security policies from-zone Trust_Gen to-zone Cross_Over policy Trust_Gen-to-Cross_Over match destination-address any
    set security policies from-zone Trust_Gen to-zone Cross_Over policy Trust_Gen-to-Cross_Over match application any
    set security policies from-zone Trust_Gen to-zone Cross_Over policy Trust_Gen-to-Cross_Over then permit
    set security policies from-zone Cross_Over to-zone Trust_Gen policy Cross_Over-to-Trust_Gen match source-address any
    set security policies from-zone Cross_Over to-zone Trust_Gen policy Cross_Over-to-Trust_Gen match destination-address any
    set security policies from-zone Cross_Over to-zone Trust_Gen policy Cross_Over-to-Trust_Gen match application any
    set security policies from-zone Cross_Over to-zone Trust_Gen policy Cross_Over-to-Trust_Gen then permit
    set security policies from-zone Trust_Auth to-zone Cross_Over policy Trust_Auth-to-Cross_Over1 match source-address any
    set security policies from-zone Trust_Auth to-zone Cross_Over policy Trust_Auth-to-Cross_Over1 match destination-address any
    set security policies from-zone Trust_Auth to-zone Cross_Over policy Trust_Auth-to-Cross_Over1 match application any
    set security policies from-zone Trust_Auth to-zone Cross_Over policy Trust_Auth-to-Cross_Over1 then permit
    set security policies from-zone Cross_Over to-zone Trust_Auth policy Cross_Over-to-Trust_Auth match source-address any
    set security policies from-zone Cross_Over to-zone Trust_Auth policy Cross_Over-to-Trust_Auth match destination-address any
    set security policies from-zone Cross_Over to-zone Trust_Auth policy Cross_Over-to-Trust_Auth match application any
    set security policies from-zone Cross_Over to-zone Trust_Auth policy Cross_Over-to-Trust_Auth then permit
    set security policies from-zone Trust_Admin1 to-zone Cross_Over policy Trust_Admin1-to-Cross_Over match source-address any
    set security policies from-zone Trust_Admin1 to-zone Cross_Over policy Trust_Admin1-to-Cross_Over match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Cross_Over policy Trust_Admin1-to-Cross_Over match application any
    set security policies from-zone Trust_Admin1 to-zone Cross_Over policy Trust_Admin1-to-Cross_Over then permit
    set security policies from-zone Cross_Over to-zone Trust_Admin1 policy Cross_Over-to-Trust_Admin1 match source-address any
    set security policies from-zone Cross_Over to-zone Trust_Admin1 policy Cross_Over-to-Trust_Admin1 match destination-address any
    set security policies from-zone Cross_Over to-zone Trust_Admin1 policy Cross_Over-to-Trust_Admin1 match application any
    set security policies from-zone Cross_Over to-zone Trust_Admin1 policy Cross_Over-to-Trust_Admin1 then permit
    set security policies from-zone Trust_Admin2 to-zone Cross_Over policy Trust_Admin2-to-Cross_Over match source-address any
    set security policies from-zone Trust_Admin2 to-zone Cross_Over policy Trust_Admin2-to-Cross_Over match destination-address any
    set security policies from-zone Trust_Admin2 to-zone Cross_Over policy Trust_Admin2-to-Cross_Over match application any
    set security policies from-zone Trust_Admin2 to-zone Cross_Over policy Trust_Admin2-to-Cross_Over then permit
    set security policies from-zone Cross_Over to-zone Trust_Admin2 policy Cross_Over-to-Trust_Admin2 match source-address any
    set security policies from-zone Cross_Over to-zone Trust_Admin2 policy Cross_Over-to-Trust_Admin2 match destination-address any
    set security policies from-zone Cross_Over to-zone Trust_Admin2 policy Cross_Over-to-Trust_Admin2 match application any
    set security policies from-zone Cross_Over to-zone Trust_Admin2 policy Cross_Over-to-Trust_Admin2 then permit
    set security policies from-zone Trust_Auth to-zone Test_Server policy Trust_Auth-to-Test_Server match source-address any
    set security policies from-zone Trust_Auth to-zone Test_Server policy Trust_Auth-to-Test_Server match destination-address any
    set security policies from-zone Trust_Auth to-zone Test_Server policy Trust_Auth-to-Test_Server match application any
    set security policies from-zone Trust_Auth to-zone Test_Server policy Trust_Auth-to-Test_Server then permit
    set security policies from-zone Test_Server to-zone Trust_Auth policy Test_Server-to-Trust_Auth match source-address any
    set security policies from-zone Test_Server to-zone Trust_Auth policy Test_Server-to-Trust_Auth match destination-address any
    set security policies from-zone Test_Server to-zone Trust_Auth policy Test_Server-to-Trust_Auth match application any
    set security policies from-zone Test_Server to-zone Trust_Auth policy Test_Server-to-Trust_Auth then permit
    set security policies from-zone Prod_Server to-zone DMZ_Prod policy Prod_Server-to-DMZ_Prod match source-address any
    set security policies from-zone Prod_Server to-zone DMZ_Prod policy Prod_Server-to-DMZ_Prod match destination-address any
    set security policies from-zone Prod_Server to-zone DMZ_Prod policy Prod_Server-to-DMZ_Prod match application any
    set security policies from-zone Prod_Server to-zone DMZ_Prod policy Prod_Server-to-DMZ_Prod then permit
    set security policies from-zone DMZ_Prod to-zone Prod_Server policy DMZ_Prod-to-Prod_Server match source-address any
    set security policies from-zone DMZ_Prod to-zone Prod_Server policy DMZ_Prod-to-Prod_Server match destination-address any
    set security policies from-zone DMZ_Prod to-zone Prod_Server policy DMZ_Prod-to-Prod_Server match application any
    set security policies from-zone DMZ_Prod to-zone Prod_Server policy DMZ_Prod-to-Prod_Server then permit
    set security policies from-zone DMZ_Test to-zone Test_Server policy DMZ_Test-to-Test_Server match source-address any
    set security policies from-zone DMZ_Test to-zone Test_Server policy DMZ_Test-to-Test_Server match destination-address any
    set security policies from-zone DMZ_Test to-zone Test_Server policy DMZ_Test-to-Test_Server match application any
    set security policies from-zone DMZ_Test to-zone Test_Server policy DMZ_Test-to-Test_Server then permit
    set security policies from-zone Test_Server to-zone DMZ_Test policy Test_Server-to-DMZ_est match source-address any
    set security policies from-zone Test_Server to-zone DMZ_Test policy Test_Server-to-DMZ_est match destination-address any
    set security policies from-zone Test_Server to-zone DMZ_Test policy Test_Server-to-DMZ_est match application any
    set security policies from-zone Test_Server to-zone DMZ_Test policy Test_Server-to-DMZ_est then permit
    set security policies from-zone Trust_Admin1 to-zone Prod_Server policy Trust_Admin1-to-Prod_Server match source-address any
    set security policies from-zone Trust_Admin1 to-zone Prod_Server policy Trust_Admin1-to-Prod_Server match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Prod_Server policy Trust_Admin1-to-Prod_Server match application any
    set security policies from-zone Trust_Admin1 to-zone Prod_Server policy Trust_Admin1-to-Prod_Server then permit
    set security policies from-zone Trust_Admin1 to-zone Test_Server policy Trust_Admin1-to-Test_Server match source-address any
    set security policies from-zone Trust_Admin1 to-zone Test_Server policy Trust_Admin1-to-Test_Server match destination-address any
    set security policies from-zone Trust_Admin1 to-zone Test_Server policy Trust_Admin1-to-Test_Server match application any
    set security policies from-zone Trust_Admin1 to-zone Test_Server policy Trust_Admin1-to-Test_Server then permit
    set security policies from-zone Trust_Admin1 to-zone DMZ_Prod policy Trust_Admin1-toDMZ_Prod match source-address any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Prod policy Trust_Admin1-toDMZ_Prod match destination-address any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Prod policy Trust_Admin1-toDMZ_Prod match application any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Prod policy Trust_Admin1-toDMZ_Prod then permit
    set security policies from-zone Trust_Admin1 to-zone DMZ_Test policy Trust_Admin1-to-DMZ_Test match source-address any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Test policy Trust_Admin1-to-DMZ_Test match destination-address any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Test policy Trust_Admin1-to-DMZ_Test match application any
    set security policies from-zone Trust_Admin1 to-zone DMZ_Test policy Trust_Admin1-to-DMZ_Test then permit
    set security policies from-zone Domain_Controller to-zone Cross_Over policy Domain_Controller-to-Cross_Over match source-address any
    set security policies from-zone Domain_Controller to-zone Cross_Over policy Domain_Controller-to-Cross_Over match destination-address any
    set security policies from-zone Domain_Controller to-zone Cross_Over policy Domain_Controller-to-Cross_Over match application any
    set security policies from-zone Domain_Controller to-zone Cross_Over policy Domain_Controller-to-Cross_Over then permit
    set security policies from-zone Cross_Over to-zone Domain_Controller policy Cross_Over-to-Domain_Controller match source-address any
    set security policies from-zone Cross_Over to-zone Domain_Controller policy Cross_Over-to-Domain_Controller match destination-address any
    set security policies from-zone Cross_Over to-zone Domain_Controller policy Cross_Over-to-Domain_Controller match application any
    set security policies from-zone Cross_Over to-zone Domain_Controller policy Cross_Over-to-Domain_Controller then permit
    set security policies from-zone Prod_Server to-zone untrust_GW policy Prod_Server-to-untrust_GW match source-address any
    set security policies from-zone Prod_Server to-zone untrust_GW policy Prod_Server-to-untrust_GW match destination-address any
    set security policies from-zone Prod_Server to-zone untrust_GW policy Prod_Server-to-untrust_GW match application any
    set security policies from-zone Prod_Server to-zone untrust_GW policy Prod_Server-to-untrust_GW then permit
    set security policies from-zone DMZ_Prod to-zone untrust_GW policy DMZ_Prod-to-untrust_GW match source-address any
    set security policies from-zone DMZ_Prod to-zone untrust_GW policy DMZ_Prod-to-untrust_GW match destination-address any
    set security policies from-zone DMZ_Prod to-zone untrust_GW policy DMZ_Prod-to-untrust_GW match application any
    set security policies from-zone DMZ_Prod to-zone untrust_GW policy DMZ_Prod-to-untrust_GW then permit
    set security policies from-zone Test_Server to-zone untrust_GW policy Test_Server-to-untrust_GW match source-address any
    set security policies from-zone Test_Server to-zone untrust_GW policy Test_Server-to-untrust_GW match destination-address any
    set security policies from-zone Test_Server to-zone untrust_GW policy Test_Server-to-untrust_GW match application any
    set security policies from-zone Test_Server to-zone untrust_GW policy Test_Server-to-untrust_GW then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/2.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone Trust_Gen host-inbound-traffic system-services all
    set security zones security-zone Trust_Gen host-inbound-traffic protocols all
    set security zones security-zone Trust_Gen interfaces ge-0/0/1.10 host-inbound-traffic system-services all
    set security zones security-zone Trust_Gen interfaces ge-0/0/1.10 host-inbound-traffic protocols all
    set security zones security-zone Trust_Auth host-inbound-traffic system-services all
    set security zones security-zone Trust_Auth host-inbound-traffic protocols all
    set security zones security-zone Trust_Auth interfaces ge-0/0/1.20 host-inbound-traffic system-services all
    set security zones security-zone Trust_Auth interfaces ge-0/0/1.20 host-inbound-traffic protocols all
    set security zones security-zone Trust_Admin1 host-inbound-traffic system-services all
    set security zones security-zone Trust_Admin1 host-inbound-traffic protocols all
    set security zones security-zone Trust_Admin1 interfaces ge-0/0/1.30 host-inbound-traffic system-services all
    set security zones security-zone Trust_Admin1 interfaces ge-0/0/1.30 host-inbound-traffic protocols all
    set security zones security-zone Trust_Admin2 host-inbound-traffic system-services all
    set security zones security-zone Trust_Admin2 host-inbound-traffic protocols all
    set security zones security-zone Trust_Admin2 interfaces ge-0/0/1.40 host-inbound-traffic system-services all
    set security zones security-zone Trust_Admin2 interfaces ge-0/0/1.40 host-inbound-traffic protocols all
    set security zones security-zone Guest_LAN host-inbound-traffic system-services all
    set security zones security-zone Guest_LAN host-inbound-traffic protocols all
    set security zones security-zone Guest_LAN interfaces ge-0/0/1.90 host-inbound-traffic system-services all
    set security zones security-zone Guest_LAN interfaces ge-0/0/1.90 host-inbound-traffic protocols all
    set security zones security-zone untrust_GW address-book address REMOTE-LAYER3 172.17.15.0/24
    set security zones security-zone untrust_GW host-inbound-traffic system-services all
    set security zones security-zone untrust_GW host-inbound-traffic system-services ike
    set security zones security-zone untrust_GW host-inbound-traffic protocols all
    set security zones security-zone untrust_GW interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust_GW interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone Domain_Controller address-book address server-1 10.10.60.15/32
    set security zones security-zone Domain_Controller address-book address LAYER3-SERVER 10.10.60.0/24
    set security zones security-zone Domain_Controller host-inbound-traffic system-services all
    set security zones security-zone Domain_Controller host-inbound-traffic protocols all
    set security zones security-zone Domain_Controller interfaces ge-6/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone Domain_Controller interfaces ge-6/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone Cross_Over host-inbound-traffic system-services all
    set security zones security-zone Cross_Over host-inbound-traffic protocols all
    set security zones security-zone Cross_Over interfaces ge-6/0/15.0 host-inbound-traffic system-services all
    set security zones security-zone Cross_Over interfaces ge-6/0/15.0 host-inbound-traffic protocols all
    set security zones security-zone Test_Server host-inbound-traffic system-services all
    set security zones security-zone Test_Server host-inbound-traffic protocols all
    set security zones security-zone Test_Server interfaces ge-0/0/3.60 host-inbound-traffic system-services all
    set security zones security-zone Test_Server interfaces ge-0/0/3.60 host-inbound-traffic protocols all
    set security zones security-zone Prod_Server host-inbound-traffic system-services all
    set security zones security-zone Prod_Server host-inbound-traffic protocols all
    set security zones security-zone Prod_Server interfaces ge-0/0/3.50 host-inbound-traffic system-services all
    set security zones security-zone Prod_Server interfaces ge-0/0/3.50 host-inbound-traffic protocols all
    set security zones security-zone DMZ_Prod host-inbound-traffic system-services all
    set security zones security-zone DMZ_Prod host-inbound-traffic protocols all
    set security zones security-zone DMZ_Prod interfaces ge-0/0/3.70 host-inbound-traffic system-services all
    set security zones security-zone DMZ_Prod interfaces ge-0/0/3.70 host-inbound-traffic protocols all
    set security zones security-zone DMZ_Test host-inbound-traffic system-services all
    set security zones security-zone DMZ_Test host-inbound-traffic protocols all
    set security zones security-zone DMZ_Test interfaces ge-0/0/3.80 host-inbound-traffic system-services all
    set security zones security-zone DMZ_Test interfaces ge-0/0/3.80 host-inbound-traffic protocols all
    set firewall family inet filter icmp-filter term 1 from source-address 172.17.15.119/32
    set firewall family inet filter icmp-filter term 1 from destination-address 10.10.60.14/32
    set firewall family inet filter icmp-filter term 1 from protocol icmp
    set firewall family inet filter icmp-filter term 1 then count icmp-count
    set firewall family inet filter icmp-filter term 1 then accept
    set firewall family inet filter icmp-filter term default then accept
    set schedulers scheduler WEB-PERMIT monday start-time 09:00:00 stop-time 17:00:00
    set schedulers scheduler WEB-PERMIT tuesday start-time 09:00:00 stop-time 17:00:00
    set schedulers scheduler WEB-PERMIT wednesday start-time 09:00:00 stop-time 17:00:00
    set schedulers scheduler WEB-PERMIT thursday start-time 09:00:00 stop-time 17:00:00
    set schedulers scheduler WEB-PERMIT friday start-time 09:00:00 stop-time 17:00:00

    Please, what's the fastest solution to solving this issue?

     

    @achadha: which memory leak are you talking about, sir? I have rebooted countless times but still have the same issue. Please, how do I get in touch with JTAC? It's urgent, thanks.



  • 20.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-26-2014 00:07

    Call JTAC 1-408-745-9500

    http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf

    Unfortunately, the supported version for the SRX 650 is 11.4R10.3

    http://www.juniper.net/support/downloads/?p=srx650

     

    You may run into getting support if you are not running the recommended version.



  • 21.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-26-2014 01:15

    Hello lyndidon,

     

    Yes, you are right, but I have been using this version for almost 2 years now. I wanted to download the 11.0R version but Juniper says I don't have the privileges. I have requested access to download but it's gonna take 3 business days; I need a quick solution, sir. Can you help me to download the earlier version? Or should I downgrade to an earlier version from J-Web? Or what do you recommend?



  • 22.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-26-2014 01:41
    Unfortunately, I do not have a suggestion that could work for you. I have had these issues with Juniper before and they actually blocked my IP from downloading software and gave me some bogus explanation that they were updating something yadiyadiyadaa. Took days before I was able to get the software. Run this command and see what version you have that you can roll back to:
    > show system software backup
    But if this has been working for 2 years, I don't know that I would be willing to downgrade... personally. There are bugs with some of the other versions, so only the recommended version I can suggest.


  • 23.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-26-2014 02:22

    Hello,

     

    this was what I got:

     

    Abdul@NET_SRX650_NODE0> show system software backup
    Backup JUNOS package information:
    File name: /altroot/cf/packages/junos-11.4R1.6-domestic
    File size: 151103906

    This is slightly lower than the recommended version... so what next?



  • 24.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-26-2014 02:23

    So it means we have to get the recommended version 11.4R10.3



  • 25.  RE: Traffic Shaping and Bandwidth limitation

    Posted 02-27-2014 20:08

    Issue resolved by installing the recommended version

    request system software add no-copy no-validate force reboot /var/tmp/junos-srxsme-11.4R10.3-domestic.tgz