version 10.2R3.10;
/* Junos SRX config for zone4-fw: switching uplink to cs-104-001, Reshall/PCI/Chartwells zones, and a PCI IPsec tunnel. */
system {
    host-name zone4-fw;
    domain-name network.local;
    domain-search [ network.local xxx ];
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "xxx"; ## SECRET-DATA
    }
    name-server {
        x.x.x.x;
        x.x.x.x;
    }
    login {
        user keithr {
            full-name "Keith R";
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "xxx"; ## SECRET-DATA
            }
        }
    }
    services {
        /* NOTE(review): ssh runs with defaults; root-login and protocol-version are not restricted here - confirm the defaults meet policy. */
        ssh;
        web-management {
            /* NOTE(review): plaintext HTTP management is enabled on vlan.420 next to HTTPS; credentials to this listener travel unencrypted. */
            http {
                interface vlan.420;
            }
            https {
                system-generated-certificate;
                interface vlan.420;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host x.x.x.x {
            authorization info;
            daemon critical;
            ntp error;
            security notice;
            kernel critical;
            user warning;
            pfe warning;
            conflict-log any;
            change-log notice;
            log-prefix Zone4-FW;
            explicit-priority;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* session and screen events are also kept locally, in addition to the remote syslog host */
        file traffic-log {
            any any;
            match RT_FLOW_SESSION;
        }
        file screen-log {
            any any;
            match RT_SCREEN;
        }
        source-address 10.255.0.41;
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): no NTP authentication keys are configured; log timestamps and certificate validity rest on unauthenticated time. */
    ntp {
        boot-server x.x.x.x;
        server x.x.x.x;
        server x.x.x.x;
        server x.x.x.x;
    }
}
interfaces {
    /* NOTE(review): unused ports are disabled but pre-templated as trunks with native VLAN 1; a re-enabled port becomes a trunk immediately. */
    interface-range unused-ports {
        member-range ge-0/0/2 to ge-0/0/15;
        disable;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id 1;
            }
        }
    }
    ge-0/0/0 {
        description cs-104-001_ge1;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id 1;
            }
        }
    }
    ge-0/0/1 {
        description cs-104-001_ge2;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-3/0/0 {
        description cs-ni-cer_e1/7;
        vlan-tagging;
        unit 200 {
            vlan-id 200;
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    ge-4/0/0 {
        description "TEMPORARY Uplink";
        disable;
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    /* NOTE(review): lo0.0 carries no input filter, yet it is the IKE endpoint and sits in the untrust zone (see zones below). */
    lo0 {
        unit 0 {
            description "Device Loopback";
            family inet {
                address 10.255.0.41/32;
            }
        }
    }
    vlan {
        /* vlan.100 is the only unit with an input filter (From-Reshall); the others are unfiltered at L3 */
        unit 100 {
            family inet {
                filter {
                    input From-Reshall;
                }
                address x.x.x.x/20;
            }
        }
        unit 101 {
            family inet {
                address x.x.x.x/20;
            }
        }
        unit 102 {
            family inet {
                address x.x.x.x/20;
            }
        }
        unit 401 {
            disable;
            family inet {
                address x.x.x.x/24;
            }
        }
        unit 404 {
            description "Zone 4 PCI";
            family inet {
                address x.x.x.x/24;
            }
        }
        unit 420 {
            description zone4-fw_cs-104-001;
            family inet {
                address x.x.x.x/30;
            }
        }
        unit 600 {
            description "Zone 4 Chartwells VLAN";
            family inet {
                address x.x.x.x/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            description "DHCP Servers";
            server x.x.x.x;
            server x.x.x.x;
            interface {
                vlan.100;
                vlan.600;
            }
        }
    }
}
snmp {
    name zone4-fw.network.local;
    description "Zone 4 Firewall";
    location "xxx";
    contact "xxx";
    v3 {
        usm {
            local-engine {
                user xxxRO {
                    authentication-sha {
                        authentication-key "xxx"; ## SECRET-DATA
                    }
                    /* NOTE(review): SHA authentication without privacy - SNMPv3 payloads cross the network in clear text; privacy-aes128 would encrypt them. */
                    privacy-none;
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name xxxRO {
                        group read-only-all;
                    }
                }
            }
            access {
                group read-only-all {
                    default-context-prefix {
                        security-model usm {
                            security-level authentication {
                                read-view all-oids;
                            }
                        }
                    }
                }
            }
        }
    }
    engine-id {
        use-mac-address;
    }
    /* read-only view over the entire MIB tree (oid 1) */
    view all-oids {
        oid 1 include;
    }
    trap-options {
        source-address 10.255.0.41;
    }
    trap-group "SolarWinds Trap Collector" {
        categories {
            authentication;
            chassis;
            link;
            routing;
            startup;
            rmon-alarm;
            configuration;
            services;
            chassis-cluster;
        }
        targets {
            x.x.x.x;
        }
    }
    health-monitor;
}
routing-options {
    /* interface routes are copied into VR-Reshall.inet.0 as selected by the 'interfaces' policy */
    interface-routes {
        rib-group inet interface-import;
    }
    rib-groups {
        interface-import {
            import-rib [ inet.0 VR-Reshall.inet.0 ];
            import-policy interfaces;
        }
    }
    router-id 10.255.0.41;
}
protocols {
    ospf {
        reference-bandwidth 1g;
        area 0.0.51.4 {
            stub;
            /* vlan.420 is the only active OSPF neighbor link; everything else is passive */
            interface vlan.420 {
                inactive: interface-type p2p;
                authentication {
                    md5 1 key "xxx"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
            interface vlan.101 {
                passive;
            }
            interface vlan.102 {
                passive;
            }
            interface vlan.401 {
                passive;
            }
            interface vlan.404 {
                passive;
            }
            interface vlan.600 {
                passive;
            }
        }
    }
    pim {
        interface ge-3/0/0.200 {
            mode sparse;
        }
        interface ge-4/0/0.200 {
            mode sparse;
        }
    }
    lldp {
        interface all;
    }
    mstp {
        configuration-name unr-zone4;
        interface ge-0/0/0.0 {
            mode point-to-point;
        }
        interface ge-0/0/1.0 {
            mode point-to-point;
        }
        msti 10 {
            bridge-priority 0;
            vlan Reshall-Production;
            interface ge-0/0/1.0 {
                priority 0;
            }
        }
    }
}
policy-options {
    policy-statement interfaces {
        term default-to-VR-Reshall {
            from interface [ ge-3/0/0.200 ge-4/0/0.200 vlan.100 ];
            to rib VR-Reshall.inet.0;
            then accept;
        }
        term reject {
            then reject;
        }
    }
}
security {
    ike {
        /* NOTE(review): PSK with group2 (1024-bit MODP) and sha1 is below current guidance (group14, sha-256); confirm what the PCI peer supports before tightening. */
        proposal ike-prop-p1 {
            description "Custom - pre-g2-aes128-sha";
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy pci-local-pol-1 {
            mode main;
            description "PCI IKE Policy";
            proposals ike-prop-p1;
            pre-shared-key ascii-text "xxx"; ## SECRET-DATA
        }
        /* IKE terminates on lo0.0, which the untrust zone admits via host-inbound-traffic 'ike' */
        gateway gw_pci {
            ike-policy pci-local-pol-1;
            address x.x.x.x;
            dead-peer-detection interval 10;
            external-interface lo0.0;
        }
    }
    ipsec {
        /* NOTE(review): hmac-sha1-96 / aes-128-cbc, with group2 PFS below - same review point as the IKE proposal. */
        proposal ipsec-prop-p2 {
            description "Custom - esp-aes128-sha";
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 1048576;
        }
        policy ipsec-pol-1 {
            description "Custom - DH Group 2 PFS";
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-p2;
        }
        /* NOTE(review): no bind-interface and no tunnel policy appear in this export; with 'policies' empty the VPN cannot carry traffic as written - confirm the export is complete. */
        vpn vpn_zone4 {
            vpn-monitor {
                optimized;
            }
            ike {
                gateway gw_pci;
                idle-time 1800;
                ipsec-policy ipsec-pol-1;
            }
        }
    }
    screen {
        /* screens defined here are only enforced on zones that reference them without 'inactive:' - see zones below */
        ids-option RH-Production-Screen {
            icmp {
                ip-sweep;
                flood;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan;
                syn-ack-ack-proxy;
                syn-flood;
                land;
            }
            udp {
                flood threshold 10000;
            }
            limit-session {
                source-ip-based 2048;
                destination-ip-based 4096;
            }
        }
        ids-option RH-Untrust-Screen {
            icmp {
                ip-sweep;
                flood;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan;
                syn-ack-ack-proxy;
                syn-flood;
                land;
            }
            udp {
                flood threshold 10000;
            }
            limit-session {
                source-ip-based 4096;
                destination-ip-based 512;
            }
        }
        /* the only screen actually active; it is much narrower than the two RH-* screens above */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
        }
        security-zone untrust {
            address-book {
                xxx;
            }
            screen untrust-screen;
            interfaces {
                /* NOTE(review): ssh/http/https/snmp are reachable on the loopback from the untrust zone and lo0.0 has no input filter; a lo0 filter limiting management sources would close this. */
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                            http;
                            https;
                            ike;
                            snmp;
                        }
                    }
                }
                /* NOTE(review): 'all' system services on the vlan.420 uplink is broader than the ospf plus web-management use shown; narrow to the needed list. */
                vlan.420 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone Zone4-Chartwells {
            address-book {
                xxx;
            }
            interfaces {
                vlan.600 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone Zone4-PCI {
            address-book {
                xxx;
            }
            interfaces {
                vlan.404 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone Reshall-Registration {
            address-book {
                xxx;
            }
            interfaces {
                vlan.101 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Reshall-Remediation {
            address-book {
                xxx;
            }
            interfaces {
                vlan.102 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Reshall-Production {
            address-book {
                xxx;
            }
            /* NOTE(review): screen is deactivated; none of RH-Production-Screen's checks apply to vlan.100 until this is activated. */
            inactive: screen RH-Production-Screen;
            interfaces {
                vlan.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone Reshall-Untrust {
            address-book {
                /* --- Network Definitions --- */
                address net-10.0.0.0/8 10.0.0.0/8;
                address net-172.16.0.0/12 172.16.0.0/12;
                address net-192.168.0.0/16 192.168.0.0/16;
                /* --- RFC1918 Private Non-Routed Addresses --- */
                /* defined but not referenced by any policy in this export */
                address-set set-RFC1918-Private {
                    address net-10.0.0.0/8;
                    address net-172.16.0.0/12;
                    address net-192.168.0.0/16;
                }
            }
            /* NOTE(review): screen is deactivated; the external-facing ge-3/0/0.200 / ge-4/0/0.0 get no RH-Untrust-Screen checks until activated. */
            inactive: screen RH-Untrust-Screen;
            interfaces {
                ge-3/0/0.200;
                ge-4/0/0.0;
            }
        }
    }
    /* NOTE(review): empty (possibly redacted); with no policies the SRX default deny applies to inter-zone traffic. */
    policies {
    }
    /* all ALGs disabled - protocols that rely on ALG pinholes (ftp, sip, ...) need explicit policy instead */
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
}
firewall {
    family inet {
        /* applied as input on vlan.100; unmatched traffic hits the filter's implicit discard */
        filter From-Reshall {
            /* NOTE(review): icmp-type and tcp-established are ANDed inside one term, so no single packet satisfies both; split into two terms if both return-traffic types are intended. */
            term NetOps-Management {
                from {
                    source-address {
                        x.x.x.x/20;
                    }
                    destination-address {
                        x.x.x.x/24;
                    }
                    icmp-type echo-reply;
                    tcp-established;
                }
                then accept;
            }
            term DHCP-Discover {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    destination-port dhcp;
                }
                then accept;
            }
            term DHCP-Other {
                from {
                    source-address {
                        x.x.x.x/20;
                    }
                    destination-address {
                        x.x.x.x/32;
                        x.x.x.x/32;
                    }
                    destination-port dhcp;
                }
                then accept;
            }
            term To-Self {
                from {
                    source-address {
                        x.x.x.x/20;
                    }
                    destination-address {
                        x.x.x.x/32;
                    }
                }
                then accept;
            }
            /* everything else from the /20 is forwarded via VR-Reshall (default route only) */
            term Reshall-Traffic {
                from {
                    source-address {
                        x.x.x.x/20;
                    }
                }
                then {
                    routing-instance VR-Reshall;
                }
            }
        }
    }
}
routing-instances {
    VR-Reshall {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop x.x.x.x;
            }
        }
    }
}
applications {
    application app-Chartwells-5003 {
        protocol tcp;
        destination-port 5003;
    }
    /* NOTE(review): a six-hour TCP inactivity timeout on any port holds idle sessions far longer than default; confirm the consumers need it and that limit-session thresholds account for it. */
    application app-ANY-6hr-TCP-Timeouts {
        term udp protocol udp destination-port 0-65535;
        term tcp protocol tcp destination-port 0-65535 inactivity-timeout 21600;
    }
    application app-Kerberos {
        term udp protocol udp destination-port 88-88;
        term tcp protocol tcp destination-port 88-88;
    }
    application app-XBox-Live {
        term udp protocol udp destination-port 3074-3074;
        term tcp protocol tcp destination-port 3074-3074;
    }
    application-set appset-XBox-Live {
        application app-Kerberos;
        application app-XBox-Live;
    }
}
vlans {
    /* no member or L3 interface - a parking VLAN */
    Reshall-Dead {
        vlan-id 103;
    }
    Reshall-Production {
        vlan-id 100;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
        l3-interface vlan.100;
    }
    Reshall-Registration {
        vlan-id 101;
        interface {
            ge-0/0/0.0;
        }
        l3-interface vlan.101;
    }
    Reshall-Remediation {
        vlan-id 102;
        interface {
            ge-0/0/0.0;
        }
        l3-interface vlan.102;
    }
    p_chartwells04_600 {
        vlan-id 600;
        interface {
            ge-0/0/0.0;
        }
        l3-interface vlan.600;
    }
    p_csys04_401 {
        vlan-id 401;
        l3-interface vlan.401;
    }
    p_pci04_404 {
        vlan-id 404;
        interface {
            ge-0/0/0.0;
        }
        l3-interface vlan.404;
    }
    zone4-fw_cs-104-001 {
        vlan-id 420;
        interface {
            ge-0/0/0.0;
        }
        l3-interface vlan.420;
    }
}