version 10.2R3.10; Configuring Basic System Information system { domain-name foo.bar; time-zone America/New_York;

Size: px

Start display at page:

Download "version 10.2R3.10; Configuring Basic System Information system { domain-name foo.bar; time-zone America/New_York;"

Kathlyn Waters
5 years ago
Views:

1 version 10.2R3.10; Configuring Cluster Groups groups { node0 { system { host-name hh-node0; interfaces { fxp0 { unit 0 { family inet { address /24; node1 { system { host-name th-node1; interfaces { fxp0 { unit 0 { family inet { address /24; apply-groups "${node"; Configuring Basic System Information system { domain-name foo.bar; time-zone America/New_York; Configuring RADIUS Authentication authentication-order [ radius password ]; root-authentication { encrypted-password ""; ## SECRET-DATA name-server { ; ; radius-server { { port 1812; secret ""; ## SECRET-DATA { port 1812; secret ""; ## SECRET-DATA radius-options { password-protocol mschap-v2;

2 Configuring Login Accounts login { user JunosAdmins { uid 2001; class super-user; Configuring System Services services { ftp { connection-limit 1; ssh { root-login allow; web-management { https { local-certificate uajunos; Configuring System Logging syslog { archive size 3m files 3 world-readable; user * { any emergency; host { any error; file messages { any critical; authorization info; file interactive-commands { interactive-commands error; file spyworm { any any; match RT_IDP; max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url Configuring the Time Source ntp { server prefer; Configuring Cluster Redundancy Groups chassis { cluster { reth-count 3; redundancy-group 0 {

3 node 0 priority 100; node 1 priority 1; redundancy-group 1 { node 0 priority 100; node 1 priority 1; interface-monitor { ge-2/0/0 weight 255; ge-11/0/0 weight 255; ge-2/0/1 weight 255; ge-11/0/1 weight 255; ge-2/0/2 weight 255; ge-11/0/2 weight 255; Configuring Interfaces interfaces { ge-2/0/0 { gigether-options { redundant-parent reth0; ge-2/0/1 { gigether-options { redundant-parent reth1; ge-2/0/2 { gigether-options { redundant-parent reth2; ge-11/0/0 { gigether-options { redundant-parent reth0; ge-11/0/1 { gigether-options { redundant-parent reth1; ge-11/0/2 { gigether-options { redundant-parent reth2; fab0 { fabric-options { member-interfaces { ge-2/0/23; fab1 { fabric-options { member-interfaces { ge-11/0/23;

4 reth0 { redundant-ether-options { redundancy-group 1; unit 0 { family inet { filter { input isp-balance; address /24; reth1 { redundant-ether-options { redundancy-group 1; unit 0 { family inet { address x.x.x.214/30; reth2 { redundant-ether-options { redundancy-group 1; unit 0 { family inet { address x.x.x.26/29; Configuring Event Options event-options { policy isp1 { events ping_test_failed; within 180 { trigger on 3; attributes- ping_test_failed.test-name matches isp1; event-script fw-isp1-down.slax; policy isp2 { events ping_test_failed; within 180 { trigger on 3; attributes- ping_test_failed.test-name matches isp2; event-script fw-isp2-down.slax;

5 event-script { file fw-isp1-down.slax; file fw-isp2-down.slax; Configuring SNMP snmp { description "SRX Cluster"; contact "Network Department"; community FooBar { authorization read-only; routing-options { interface-routes { rib-group inet import-ua; static { route /0 next-hop [ x.x.x.213 x.x.x.25 ]; rib-groups { import-ua { import-rib [ inet.0 rt-isp1-isp1.inet.0 rt-isp2-isp2.inet.0 ]; Configuring Routing Protocols protocols { ospf { export ospf-area0; area { interface reth0.0; Configuring Firewall Policies policy-options { policy-statement ospf-area0 { term term1 { from { protocol static; route-filter /0 exact; then accept; Configuring SSL Certificate security { certificates { local { uajunos { "-----BEGIN RSA PRIVATE KEY-----\\n-----END CERTIFICATE-----\n "; ## SECRET-DATA

6 Configuring Network Address Translation (NAT) nat { source { rule-set outbound { from zone trust; to zone untrust; rule nat_out { source-address /8; destination-address /0; source-nat { interface; static { rule-set s_nat { from zone untrust; rule hh_vpn { destination-address x.x.x.4/32; static-nat prefix /32; rule term_svcs { destination-address x.x.x.23/32; static-nat prefix /32; rule webtest { destination-address x.x.x.30/32; static-nat prefix /32; rule myuarts { destination-address x.x.x.31/32; static-nat prefix /32; rule exchange {

7 destination-address x.x.x.20/32; static-nat prefix /32; rule google_apps { destination-address x.x.x.21/32; static-nat prefix /32; rule vmware_webstage { destination-address x.x.x.61/32; static-nat prefix /32; rule vmware_webprod { destination-address x.x.x.62/32; static-nat prefix /32; rule vmware_applestore { destination-address x.x.x.63/32; static-nat prefix /32; rule vmware_cmacweb { destination-address x.x.x.64/32; static-nat prefix /32; rule voip { destination-address x.x.x.22/32; static-nat prefix /32; rule sandbox { destination-address x.x.x.32/32; static-nat prefix /32;

8 rule active_admissions { destination-address x.x.x.60/32; static-nat prefix /32; rule wco { destination-address x.x.x.40/32; static-nat prefix /32; rule beta { destination-address x.x.x.33/32; static-nat prefix /32; rule th_vpn { destination-address x.x.x.4/32; static-nat prefix /32; rule secureid { destination-address x.x.x.30/32; static-nat prefix /32; rule lights_broadst { destination-address x.x.x.40/32; static-nat prefix /32; rule sakai { destination-address x.x.x.31/32; static-nat prefix /32; rule alpha { destination-address x.x.x.33/32;

9 static-nat prefix /32; rule itunesu { destination-address x.x.x.41/32; static-nat prefix /32; rule library_sun { destination-address x.x.x.50/32; static-nat prefix /32; rule library_search { destination-address x.x.x.51/32; static-nat prefix /32; rule library_calendar { destination-address x.x.x.52/32; static-nat prefix /32; rule library_catalog { destination-address x.x.x.53/32; static-nat prefix /32; rule library_imgpgs { destination-address x.x.x.54/32; static-nat prefix /32; rule library_cdm { destination-address x.x.x.55/32; static-nat prefix /32;

10 Configuring Proxy ARP proxy-arp { interface reth1.0 { address { x.x.x.4/32; x.x.x.20/32; x.x.x.21/32; x.x.x.22/32; x.x.x.23/32; x.x.x.30/32; x.x.x.31/32; x.x.x.32/32; x.x.x.40/32; x.x.x.60/32; x.x.x.61/32; x.x.x.62/32; x.x.x.63/32; x.x.x.64/32; x.x.x.4/32; x.x.x.30/32; x.x.x.31/32; x.x.x.33/32; x.x.x.33/32; x.x.x.40/32; x.x.x.41/32; x.x.x.50/32; x.x.x.51/32; x.x.x.52/32; x.x.x.53/32; x.x.x.54/32; x.x.x.55/32; interface reth2.0 { address { x.x.x.4/32; x.x.x.20/32; x.x.x.21/32; x.x.x.22/32; x.x.x.23/32; x.x.x.30/32; x.x.x.31/32; x.x.x.32/32; x.x.x.40/32; x.x.x.60/32; x.x.x.61/32; x.x.x.62/32; x.x.x.63/32; x.x.x.64/32; x.x.x.4/32; x.x.x.30/32; x.x.x.31/32; x.x.x.33/32; x.x.x.33/32; x.x.x.40/32; x.x.x.41/32; x.x.x.50/32; x.x.x.51/32; x.x.x.52/32;

11 x.x.x.53/32; x.x.x.54/32; x.x.x.55/32; Configuring Screen Options screen { ids-option untrust-screen { icmp { ip-sweep threshold 5000; flood threshold 1000; ping-death; ip { inactive: spoofing; source-route-option; tear-drop; tcp { port-scan threshold 5000; syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; land; udp { flood threshold 1000; Configuring Zones zones { security-zone trust { tcp-rst; address-book { address search /32; address content_dm /32; address secureid /32; address gutenberg /32; address tvpn /32; address alpha /32; address sakai /32; address imagepages /32; address lights_on_broad /32; address library /32; address mail /32; address sandbox /32; address web_prod /32; address applestore /32; address googleapps /32; address cmac_web /32; address hvpn /32; address web_stage /32;

12 address lobster /32; address terminalsvr /32; address webtest /32; address myuarts /32; address itunesu /32; address sun_lom /32; address admission /32; address wco /32; address my /32; address-set www_only { address search; address content_dm; address wco; address-set www_https { address secureid; address gutenberg; address tvpn; address sandbox; address cmac_web1; address googleapps; address hvpn; address applestore; address web_prod1; address admission; address-set www_https_ssh { address alpha; address sakai; address web_stage1; address itunesu; address-set www_8080 { address imagepages; address-set www_https_rdp { address lights_on_broad; address-set tcp_udp_all { address library; address sun_lom; interfaces { reth0.0 { host-inbound-traffic { system-services { ping; ssh; https; snmp; protocols { ospf; security-zone untrust {

13 address-book { address postini /24; address postini /24; address postini /24; address postini /24; address-set postini { address postini1; address postini2; address postini3; address postini4; screen untrust-screen; interfaces { reth1.0 { host-inbound-traffic { system-services { ping; reth2.0 { host-inbound-traffic { system-services { ping; security-zone DMZ; Configuring Firewall Policies policies { from-zone trust to-zone trust { policy default-permit { destination-address any; application any; from-zone trust to-zone untrust { policy Abusers_out { destination-address any; application [ Abusers_TCP Abusers_UDP ]; deny; policy icmp_out {

14 destination-address any; application junos-icmp-ping; policy default-permit { destination-address any; application any; from-zone untrust to-zone trust { policy Abuser_In { destination-address any; application [ Abusers_TCP Abusers_UDP ]; deny; policy www_only { destination-address www_only; application junos-http; policy www_https { destination-address www_https; application [ junos-http junos-https ]; policy www_https_ssh { destination-address www_https_ssh; application [ junos-ssh junos-http junos-https ]; policy icmp_in {

15 ]; destination-address any; application junos-icmp-ping; policy www_8080 { destination-address www_8080; application [ TCP_8080 junos-http ]; policy www_https_rdp { destination-address www_https_rdp; application [ junos-http junos-https TCP_RDP ]; policy tcp_udp_all { destination-address tcp_udp_all; application [ TCP_ALL UDP_ALL ]; policy postini { source-address postini; destination-address mail.foo.bar; application junos-smtp; policy exchange { destination-address mail.foo.bar; application [ junos-http junos-https junos-imap junos-imaps policy voip {

16 destination-address lobster01.foo.bar; application [ TCP_8443 junos-ssh junos-http junos-https ]; policy termsvcs { destination-address terminalsvr; application TCP_RDP; policy webtest { destination-address webtest.foo.bar; application [ WebTestCustom junos-ftp junos-ssh junos-http junos-https ]; policy myuarts { destination-address myuarts.foo.bar; application [ junos-http junos-https junos-ssh MyUartsCustom ]; policy beta { destination-address my.foo.bar; application [ junos-http junos-https TCP_8080 TCP_8443 ]; policy default-deny { destination-address any; application any; deny;

17 flow { tcp-mss { all-tcp { mss 1350; tcp-session { no-syn-check; no-sequence-check; Configuring Firewall Filters firewall { family inet { filter isp-balance { term selftraffic { from { destination-address { /32; then accept; term term1 { from { source-address { /16; /24; /16; /16; /24; /24; /24; /24; /24; routing-instance rt-isp2-isp2; term term2 { from { source-address { /16; /16; /16; /16; /16; routing-instance rt-isp1-isp1; term default {

18 then accept; Configuring Routing Instances routing-instances { rt-isp1-isp1 { instance-type forwarding; routing-options { static { route /0 { next-hop x.x.x.213; qualified-next-hop x.x.x.25 { preference 100; rt-isp2-isp2 { instance-type forwarding; routing-options { static { route /0 { next-hop x.x.x.25; qualified-next-hop x.x.x.213 { preference 100; Configuring Real-Time Performance Monitors services { rpm { probe icmp-ping-probe { test isp1 { probe-type icmp-ping; target address x.x.x.213; test-interval 60; test isp2 { probe-type icmp-ping; target address x.x.x.25; test-interval 60; Configuring Applications applications { application Abusers_TCP1 {

19 destination-port ; inactivity-timeout 300; application Abusers_TCP2 { destination-port ; inactivity-timeout 300; application Abusers_TCP3 { destination-port ; inactivity-timeout 300; application Abusers_TCP4 { destination-port 6668; inactivity-timeout 300; application Abusers_UDP1 { protocol udp; destination-port ; inactivity-timeout 300; application Abusers_UDP2 { protocol udp; destination-port ; inactivity-timeout 300; application Abusers_UDP3 { protocol udp; destination-port ; inactivity-timeout 300; application Abusers_UDP4 { protocol udp; destination-port 6668; inactivity-timeout 300; application Abusers_UDP5 { protocol udp; destination-port 18989; inactivity-timeout 300; application Abusers_UDP6 { protocol udp; destination-port 10200; inactivity-timeout 300; application TCP_ALL {

20 destination-port ; application UDP_ALL { protocol udp; destination-port ; application TCP_RDP { destination-port 3389; application TCP_8080 { destination-port 8080; application TCP_81 { destination-port 81; application TCP_8080_8083 { destination-port ; application TCP_8443 { destination-port 8443; application TCP_444 { destination-port 444; application TCP_8888 { destination-port 8888; application TCP_13579 { destination-port 13579; application-set Abusers_TCP { application Abusers_TCP1; application Abusers_TCP2; application Abusers_TCP3; application Abusers_TCP4; application-set Abusers_UDP { application Abusers_UDP1; application Abusers_UDP2; application Abusers_UDP3; application Abusers_UDP4; application Abusers_UDP5;

21 application Abusers_UDP6; application-set WebTestCustom { application TCP_444; application TCP_13579; application TCP_8888; application TCP_81; application TCP_8080_8083; application-set MyUartsCustom { application TCP_81; application TCP_8080_8083; application TCP_444; application TCP_13579;

Network Configuration Example

Network Configuration Example Validated Reference - Business Edge Solution - Device R-10 Release 1.0 Published: 2014-03-31 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089