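# Junos SRX chassis-cluster configuration (set format) for vpn-nyj001-02.
# Reformatted one statement per line; `#` lines are comments for the loadable set file.
# The trailing `{primary:node0}` in the original was CLI prompt residue, not configuration, and is dropped.
#
# Review summary (changes are marked "changed:" / "removed:" / "added:" inline):
#   - cleartext management services (xnm-clear-text, HTTP) removed; SSH hardened
#   - lo0 filter fixed: `port` matched source OR destination port, so any packet with
#     source port 443/500/4500 was accepted ahead of the mgmt-ips restriction
#   - zone host-inbound lists tightened (untrust: no https/dns; BGP-VPN: no `all`)
#   - AES proposals preferred for IKE/IPsec while 3DES is kept for peer compatibility
#   - credentials embedded here ($1$ root hash, $9$ IKE PSK) are exposed by this file; rotate them
set version 12.1X44-D35.5
set system host-name vpn-nyj001-02
set system domain-name quantcast.com
set system internet-options path-mtu-discovery
# SECURITY: MD5-crypt ($1$) root hash, published with this file. Rotate the root password;
# use the strongest hash format this release accepts.
set system root-authentication encrypted-password "$1$ObJg6hy1$Ax/A5ZCHVS5tqqdTAluKx0"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
# added: no direct root SSH, SSHv2 only.
set system services ssh root-login deny
set system services ssh protocol-version v2
# removed: xnm-clear-text is the XML management API over cleartext TCP (credentials and
# configuration in the clear). Use xnm-ssl or NETCONF over SSH if the API is required.
# set system services xnm-clear-text
# removed: cleartext HTTP web management. HTTPS on vlan.0 remains below.
# set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
# Logging is local-only (no `set system syslog host`): logs are lost on failure or tampering.
# Forward authorization/interactive-commands to a remote collector.
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

# Chassis cluster: node0 is preferred for both redundancy groups; RG1 fails over when a
# monitored uplink (ge-0/0/0 or ge-2/0/0) drops, since each carries full weight 255.
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255

# Interfaces: reth0 = untrust uplink, reth1/reth2 = trust LANs, st0.1/st0.2 = IPsec tunnels.
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces fe-0/0/2 fastether-options redundant-parent reth2
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 fastether-options redundant-parent reth1
set interfaces fe-0/0/4 fastether-options redundant-parent reth2
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces fe-2/0/2 fastether-options redundant-parent reth2
set interfaces fe-2/0/3 fastether-options redundant-parent reth1
set interfaces fe-2/0/4 fastether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-2/0/1
# The lo0 input filter governs all traffic destined to the device itself (see admin-services-in).
set interfaces lo0 unit 0 family inet filter input admin-services-in
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 45.102.181.114/29
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.122.16.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 10.122.18.1/24
set interfaces st0 unit 1 family inet address 10.122.248.6/24
set interfaces st0 unit 2 family inet address 10.122.250.6/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24

# Routing: default via the untrust gateway; eBGP to SEA/SFO over the tunnels.
set routing-options static route 0.0.0.0/0 next-hop 45.102.181.118
set routing-options autonomous-system 64514
# NOTE(review): no import policy, prefix-limit or authentication-key on these peers, so any
# prefix the remote side advertises is accepted. The peers are reached only through IPsec,
# which limits exposure, but an import policy bounding accepted prefixes is still advisable.
set protocols bgp group peers_to_SFO_SEA type external
set protocols bgp group peers_to_SFO_SEA export conected_routes_only
set protocols bgp group peers_to_SFO_SEA neighbor 10.122.248.240 hold-time 180
set protocols bgp group peers_to_SFO_SEA neighbor 10.122.248.240 peer-as 65533
set protocols bgp group peers_to_SFO_SEA neighbor 10.122.250.240 hold-time 180
set protocols bgp group peers_to_SFO_SEA neighbor 10.122.250.240 peer-as 65534

# mgmt-ips: the two remote-site ranges allowed to reach management services (used by the lo0 filter).
set policy-options prefix-list mgmt-ips 46.49.186.0/24
set policy-options prefix-list mgmt-ips 27.15.14.0/24
set policy-options prefix-list nyj001-pixel-prefix 10.122.16.0/24
# conected_routes_only (sic, name kept as referenced by BGP): export only the two trust LANs.
set policy-options policy-statement conected_routes_only term connected_networks from protocol direct
set policy-options policy-statement conected_routes_only term connected_networks from route-filter 10.122.16.0/24 exact
set policy-options policy-statement conected_routes_only term connected_networks from route-filter 10.122.18.0/24 exact
set policy-options policy-statement conected_routes_only term connected_networks then accept
set policy-options policy-statement conected_routes_only term anything_else then reject
# connected_to_bgp is not referenced anywhere in this configuration (dead policy).
set policy-options policy-statement connected_to_bgp from protocol direct
set policy-options policy-statement connected_to_bgp from route-filter 10.122.16.0/24 exact
set policy-options policy-statement connected_to_bgp from route-filter 10.122.18.0/24 exact
set policy-options policy-statement connected_to_bgp then accept

# NOTE(review): stream mode without a `set security log stream ... host` means session logs
# have no destination. Configure a stream host or use `mode event` for local logging.
set security log mode stream

# IKE phase 1. proposal1 is 3DES/SHA1/DH group2 (1024-bit) with PSK in main mode — weak by
# current standards. proposal2 (AES-128) already existed but was not referenced by the policy.
set security ike proposal SEA_SFO_P1_proposal1 authentication-method pre-shared-keys
set security ike proposal SEA_SFO_P1_proposal1 dh-group group2
set security ike proposal SEA_SFO_P1_proposal1 authentication-algorithm sha1
set security ike proposal SEA_SFO_P1_proposal1 encryption-algorithm 3des-cbc
set security ike proposal SEA_SFO_P1_proposal1 lifetime-seconds 86400
set security ike proposal SEA_SFO_P1_proposal2 authentication-method pre-shared-keys
set security ike proposal SEA_SFO_P1_proposal2 dh-group group2
set security ike proposal SEA_SFO_P1_proposal2 authentication-algorithm sha1
set security ike proposal SEA_SFO_P1_proposal2 encryption-algorithm aes-128-cbc
set security ike proposal SEA_SFO_P1_proposal2 lifetime-seconds 86400
set security ike policy SEA_SFO_policy1 mode main
# changed: offer AES-128 first; 3DES kept so existing peers still negotiate. Coordinate with
# SEA/SFO to drop proposal1 and move to a larger DH group / SHA-2 where both sides support them.
set security ike policy SEA_SFO_policy1 proposals [ SEA_SFO_P1_proposal2 SEA_SFO_P1_proposal1 ]
# SECURITY: $9$ is Juniper's reversible obfuscation, not a hash; this PSK is recoverable from
# the file and must be rotated on both ends.
set security ike policy SEA_SFO_policy1 pre-shared-key ascii-text "$9$g0aUiTz369pTzlMX-2gz3n69t"
set security ike gateway SEA_GW ike-policy SEA_SFO_policy1
set security ike gateway SEA_GW address 46.49.186.17
set security ike gateway SEA_GW dead-peer-detection interval 10
set security ike gateway SEA_GW dead-peer-detection threshold 3
set security ike gateway SEA_GW local-identity inet 45.102.181.114
set security ike gateway SEA_GW external-interface reth0.0
set security ike gateway SFO_GW ike-policy SEA_SFO_policy1
set security ike gateway SFO_GW address 27.15.14.17
set security ike gateway SFO_GW dead-peer-detection interval 10
set security ike gateway SFO_GW dead-peer-detection threshold 3
set security ike gateway SFO_GW local-identity inet 45.102.181.114
set security ike gateway SFO_GW external-interface reth0.0

# IPsec phase 2. PFS with group2 is configured; added an AES-128 proposal offered ahead of 3DES.
set security ipsec proposal SEA_SFO_P2_proposal1 protocol esp
set security ipsec proposal SEA_SFO_P2_proposal1 authentication-algorithm hmac-sha1-96
set security ipsec proposal SEA_SFO_P2_proposal1 encryption-algorithm 3des-cbc
set security ipsec proposal SEA_SFO_P2_proposal1 lifetime-seconds 3600
# added: AES-128 ESP proposal, same integrity and lifetime as proposal1.
set security ipsec proposal SEA_SFO_P2_proposal2 protocol esp
set security ipsec proposal SEA_SFO_P2_proposal2 authentication-algorithm hmac-sha1-96
set security ipsec proposal SEA_SFO_P2_proposal2 encryption-algorithm aes-128-cbc
set security ipsec proposal SEA_SFO_P2_proposal2 lifetime-seconds 3600
set security ipsec policy SEA_SFO_P2_policy1 perfect-forward-secrecy keys group2
# changed: prefer AES-128, fall back to 3DES for peers that have not been upgraded.
set security ipsec policy SEA_SFO_P2_policy1 proposals [ SEA_SFO_P2_proposal2 SEA_SFO_P2_proposal1 ]
set security ipsec vpn BGP-VPN-to-SEA bind-interface st0.1
set security ipsec vpn BGP-VPN-to-SEA vpn-monitor
set security ipsec vpn BGP-VPN-to-SEA ike gateway SEA_GW
set security ipsec vpn BGP-VPN-to-SEA ike ipsec-policy SEA_SFO_P2_policy1
set security ipsec vpn BGP-VPN-to-SEA establish-tunnels immediately
set security ipsec vpn BGP-VPN-to-SFO bind-interface st0.2
set security ipsec vpn BGP-VPN-to-SFO vpn-monitor
set security ipsec vpn BGP-VPN-to-SFO ike gateway SFO_GW
set security ipsec vpn BGP-VPN-to-SFO ike ipsec-policy SEA_SFO_P2_policy1
set security ipsec vpn BGP-VPN-to-SFO establish-tunnels immediately

# ALGs disabled (reduces attack surface of the inspection engine).
set security alg ftp disable
set security alg h323 disable
set security alg mgcp disable
set security alg sunrpc disable
set security alg rsh disable
set security alg rtsp disable
set security alg sccp disable
set security alg sip disable
set security alg sql disable
set security alg pptp disable

# Flow tracing is defined but deactivated; packet-drop tracing is expensive, keep it off in steady state.
set security flow traceoptions file ipsec_traffic_drop
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
deactivate security flow traceoptions
# removed: `no-syn-check` lets the firewall create sessions from non-SYN segments, which
# weakens TCP state tracking and enables ACK-based session spoofing. Re-enable only with a
# documented asymmetric-routing need; `no-syn-check-in-tunnel` is the narrower option if
# the reason is tunnel traffic.
# set security flow tcp-session no-syn-check

# Screen profile applied to the untrust zone.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

# Source NAT: everything from trust to untrust is NATed to the reth0 address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

# Security policies. All inter-zone policies are any/any/any permit; there is no logging
# (`then log session-close`) and no application restriction. Egress filtering from trust and
# tightening of the BGP-VPN hairpin policy are recommended but need traffic knowledge not in this file.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone BGP-VPN policy trust-to-bgpvpn-policy match source-address any
set security policies from-zone trust to-zone BGP-VPN policy trust-to-bgpvpn-policy match destination-address any
set security policies from-zone trust to-zone BGP-VPN policy trust-to-bgpvpn-policy match application any
set security policies from-zone trust to-zone BGP-VPN policy trust-to-bgpvpn-policy then permit
set security policies from-zone BGP-VPN to-zone trust policy bgpvpn-to-trust-policy match source-address any
set security policies from-zone BGP-VPN to-zone trust policy bgpvpn-to-trust-policy match destination-address any
set security policies from-zone BGP-VPN to-zone trust policy bgpvpn-to-trust-policy match application any
set security policies from-zone BGP-VPN to-zone trust policy bgpvpn-to-trust-policy then permit
set security policies from-zone BGP-VPN to-zone BGP-VPN policy allow_hairpin match source-address any
set security policies from-zone BGP-VPN to-zone BGP-VPN policy allow_hairpin match destination-address any
set security policies from-zone BGP-VPN to-zone BGP-VPN policy allow_hairpin match application any
set security policies from-zone BGP-VPN to-zone BGP-VPN policy allow_hairpin then permit
set security policies from-zone trust to-zone trust policy allow_intra_trust match source-address any
set security policies from-zone trust to-zone trust policy allow_intra_trust match destination-address any
set security policies from-zone trust to-zone trust policy allow_intra_trust match application any
set security policies from-zone trust to-zone trust policy allow_intra_trust then permit

# Zones. trust admits every host-inbound service and protocol; the lo0 filter is the only
# control on what reaches the device from the LAN.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust interfaces reth2.0
set security zones security-zone untrust screen untrust-screen
# removed: https (web-management listens only on vlan.0) and dns (the device serves no DNS)
# were admitted from the Internet with no need.
# set security zones security-zone untrust host-inbound-traffic system-services https
# set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
# ssh from untrust is further restricted to mgmt-ips by the lo0 filter.
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ntp
set security zones security-zone untrust interfaces reth0.0
# removed: `system-services all` on the VPN zone superseded the explicit ike/ping entries and
# exposed every device service to the remote sites. Only ping (vpn-monitor) and BGP are needed
# over st0; ike is kept as originally configured. Re-add a specific service if something breaks.
# set security zones security-zone BGP-VPN host-inbound-traffic system-services all
set security zones security-zone BGP-VPN host-inbound-traffic system-services ike
set security zones security-zone BGP-VPN host-inbound-traffic system-services ping
set security zones security-zone BGP-VPN host-inbound-traffic protocols bgp
set security zones security-zone BGP-VPN interfaces st0.1
set security zones security-zone BGP-VPN interfaces st0.2

# The three filters below are not applied to any interface. Their terms have no `then`
# action, so if ever applied they would accept everything that matches (implicit accept).
set firewall family inet filter SFO_Address term allow_mgmt_from_sfo from source-address 27.15.14.0/24
set firewall family inet filter SEF_Address term allow_mgmt_from_sfo from source-address 46.49.186.0/24
set firewall family inet filter SFO_SEF_Address term allow_traffic_from_sfo_sef from source-address 46.49.186.0/24
set firewall family inet filter SFO_SEF_Address term allow_traffic_from_sfo_sef from source-address 27.15.14.0/24

# admin-services-in: applied on lo0, so it filters all traffic destined to the device.
# Order matters: terms before deny_in accept regardless of source; deny_in then discards
# everything not from mgmt-ips; accept_everything_else admits the remainder (e.g. ESP/BGP from peers).
set firewall filter admin-services-in term established from tcp-established
set firewall filter admin-services-in term established then accept
# changed: the original `allow_in` term matched `port` (source OR destination) 500/4500/443 for
# udp|tcp|esp, so a packet with *source* port 443 to tcp/22 was accepted before deny_in — a
# bypass of the mgmt-ips restriction. Split into destination-port terms per protocol.
set firewall filter admin-services-in term allow_ike from protocol udp
set firewall filter admin-services-in term allow_ike from destination-port 500
set firewall filter admin-services-in term allow_ike from destination-port 4500
set firewall filter admin-services-in term allow_ike then accept
# ESP has no ports; the original term could never match it and relied on accept_everything_else.
set firewall filter admin-services-in term allow_esp from protocol esp
set firewall filter admin-services-in term allow_esp then accept
# HTTPS to the device is accepted from any source, as before (web-management is bound to vlan.0).
set firewall filter admin-services-in term allow_https from protocol tcp
set firewall filter admin-services-in term allow_https from destination-port 443
set firewall filter admin-services-in term allow_https then accept
set firewall filter admin-services-in term allow_in_ipv4_ping from protocol icmp
set firewall filter admin-services-in term allow_in_ipv4_ping from icmp-type echo-reply
set firewall filter admin-services-in term allow_in_ipv4_ping from icmp-type echo-request
set firewall filter admin-services-in term allow_in_ipv4_ping then accept
set firewall filter admin-services-in term allow_in_ipv6_ping from protocol icmpv6
set firewall filter admin-services-in term allow_in_ipv6_ping from icmp-type echo-reply
# changed: explicit accept (a term with no `then` accepts implicitly; make it visible).
set firewall filter admin-services-in term allow_in_ipv6_ping then accept
# changed: NTP restricted to UDP and given an explicit accept (was any protocol, implicit accept).
# NOTE(review): no `set system ntp server` is configured, so nothing legitimately uses this term.
set firewall filter admin-services-in term allow_ntp from protocol udp
set firewall filter admin-services-in term allow_ntp from destination-port 123
set firewall filter admin-services-in term allow_ntp then accept
set firewall filter admin-services-in term deny_in from source-address 0.0.0.0/0
set firewall filter admin-services-in term deny_in from source-prefix-list mgmt-ips except
set firewall filter admin-services-in term deny_in then count deny_count
set firewall filter admin-services-in term deny_in then syslog
set firewall filter admin-services-in term deny_in then discard
set firewall filter admin-services-in term accept_everything_else then accept
# admin-services-out is defined but not applied to any interface.
set firewall filter admin-services-out term allow-all then accept

# Custom junos-ssh overrides the default timeout to 8 hours.
set applications application junos-ssh protocol tcp
set applications application junos-ssh destination-port 22
set applications application junos-ssh inactivity-timeout 28800
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0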