<ha /> </entry> - <entry name="ethernet1/3">

Size: px

Start display at page:

Download "<ha /> </entry> - <entry name="ethernet1/3">"

Aleesha Jenkins
5 years ago
Views:

1 - <config version="4.0.0"> + <mgt-config> - <shared> - <certificate> + - <network> - <interface> - <ethernet> - <entry name="ethernet1/1"> <link-state>auto</link-state> <ha /> <link-duplex>auto</link-duplex> <link-speed>auto</link-speed> - <entry name="ethernet1/2"> <link-state>auto</link-state> <ha /> <link-duplex>auto</link-duplex> <link-speed>auto</link-speed> - <entry name="ethernet1/3"> <link-speed>auto</link-speed> <link-duplex>auto</link-duplex> <link-state>auto</link-state> - <layer3> <mtu>1500</mtu> <interface-management-profile>allow_all</interface-management-profile> - <ip> <entry name=" /24" /> </ip> - <ipv6> <enabled>no</enabled> - <neighbor-discovery> <enable-dad>no</enable-dad> </neighbor-discovery> </ipv6> </layer3> - <entry name="ethernet1/4"> <link-speed>auto</link-speed> <link-duplex>auto</link-duplex> <link-state>auto</link-state> - <layer3> <mtu>1500</mtu> <interface-management-profile>allow_all</interface-management-profile> - <ip> <entry name=" /24" />

2 </ip> - <ipv6> <enabled>no</enabled> - <neighbor-discovery> <enable-dad>no</enable-dad> </neighbor-discovery> </ipv6> </layer3> - <entry name="ethernet1/5"> <link-speed>auto</link-speed> <link-duplex>auto</link-duplex> <link-state>auto</link-state> - <layer3> <mtu>1500</mtu> <interface-management-profile>allow_all</interface-management-profile> - <ip> <entry name=" /23" /> </ip> - <ipv6> <enabled>no</enabled> - <neighbor-discovery> <enable-dad>no</enable-dad> </neighbor-discovery> </ipv6> </layer3> - <entry name="ethernet1/6"> <link-speed>auto</link-speed> <link-duplex>auto</link-duplex> <link-state>auto</link-state> - <layer3> <mtu>1500</mtu> <interface-management-profile>allow_all</interface-management-profile> - <ip> <entry name=" /24" /> </ip> - <ipv6> <enabled>no</enabled> - <neighbor-discovery> <enable-dad>no</enable-dad> </neighbor-discovery> </ipv6> </layer3> - <entry name="ethernet1/7"> <link-speed>auto</link-speed> <link-duplex>auto</link-duplex> <link-state>auto</link-state>

3 <layer2 /> - <entry name="ethernet1/8"> <link-state>auto</link-state> <virtual-wire /> <link-duplex>auto</link-duplex> <link-speed>auto</link-speed> </ethernet> - <loopback> - <units> - <entry name="loopback.5"> <mtu>1500</mtu> <interface-management-profile>ping-response</interface-management-profile> - <ip> <entry name=" " /> </ip> - <ipv6> <enabled>no</enabled> </ipv6> - <entry name="loopback.4"> <mtu>1500</mtu> <interface-management-profile>ping-response</interface-management-profile> - <ip> <entry name=" " /> </ip> - <ipv6> <enabled>no</enabled> </ipv6> </units> </loopback> - <vlan> <units /> </vlan> - <tunnel> - <units> - <entry name="tunnel.10"> <mtu>1500</mtu> <interface-management-profile>allow_all</interface-management-profile> - <entry name="tunnel.56"> <mtu>1500</mtu> <interface-management-profile>ping-response</interface-management-profile> - <ip> <entry name=" /30" /> </ip>

4 - <entry name="tunnel.156"> <mtu>1500</mtu> <interface-management-profile>ping-response</interface-management-profile> - <ip> <entry name=" /30" /> </ip> </units> <mtu>1500</mtu> <ip /> </tunnel> </interface> <vlan /> <virtual-wire /> - <profiles> - <monitor-profile> - <entry name="default"> <interval>3</interval> <threshold>5</threshold> <action>wait-recover</action> </monitor-profile> - <interface-management-profile> - <entry name="allow_all"> <ping>yes</ping> <telnet>yes</telnet> <ssh>yes</ssh> <http>yes</http> <https>yes</https> <snmp>yes</snmp> <response-pages>yes</response-pages> - <entry name="ping-response"> <ping>yes</ping> <telnet>no</telnet> <ssh>no</ssh> <http>no</http> <https>no</https> <snmp>no</snmp> <response-pages>no</response-pages> </interface-management-profile> </profiles> - - <virtual-router> - <entry name="vr1"> - <interface> <member>ethernet1/3</member> <member>ethernet1/5</member>

5 <member>ethernet1/6</member> <member>loopback.4</member> <member>loopback.5</member> <member>tunnel.10</member> <member>tunnel.56</member> </interface> - <routing-table> - <ip> - <static-route> - <entry name="default"> <destination> /0</destination> <interface>ethernet1/3</interface> - <nexthop> <ip-address> </ip-address> </nexthop> - <entry name="vr1-net57"> <destination> /24</destination> <interface>tunnel.56</interface> - <entry name="monitor-vpn-56"> <destination> /30</destination> <interface>tunnel.56</interface> </static-route> </ip> <ipv6 /> </routing-table> - <protocol> - <rip> <reject-default-route>yes</reject-default-route> <allow-redist-default-route>no</allow-redist-default-route> - <timers> <interval-seconds>1</interval-seconds> <update-intervals>30</update-intervals> <expire-intervals>30</expire-intervals> <delete-intervals>120</delete-intervals> </timers> </rip> - <ospf> <reject-default-route>yes</reject-default-route> <allow-redist-default-route>no</allow-redist-default-route> <rfc1583>no</rfc1583> </ospf> - <bgp> <reject-default-route>no</reject-default-route>

6 - <routing-options> <as-format>2-byte</as-format> - <med> <deterministic-med-comparison>no</deterministic-med-comparison> </med> <default-local-preference>100</default-local-preference> - <graceful-restart> <stale-route-time>120</stale-route-time> <local-restart-time>120</local-restart-time> <max-peer-restart-time>120</max-peer-restart-time> </graceful-restart> - <aggregate> <aggregate-med>yes</aggregate-med> </aggregate> </routing-options> - <policy> <aggregation /> </policy> </bgp> </protocol> - <admin-dists> <static>10</static> <ospf-int>30</ospf-int> <ospf-ext>110</ospf-ext> <ibgp>200</ibgp> <ebgp>20</ebgp> <rip>120</rip> </admin-dists> - <entry name="vr2"> - <interface> <member>ethernet1/4</member> <member>tunnel.156</member> </interface> - <routing-table> - <ip> - <static-route> - <entry name="default"> <destination> /0</destination> - <nexthop> <ip-address> </ip-address> </nexthop> - <entry name="net57"> <destination> /24</destination> <interface>tunnel.156</interface> - <entry name="monitor-57">

7 <destination> /30</destination> <interface>tunnel.156</interface> - <entry name="net56"> <destination> /24</destination> - <nexthop> <next-vr>vr1</next-vr> </nexthop> </static-route> </ip> <ipv6 /> </routing-table> - <protocol> - <rip> <reject-default-route>yes</reject-default-route> <allow-redist-default-route>no</allow-redist-default-route> - <timers> <interval-seconds>1</interval-seconds> <update-intervals>30</update-intervals> <expire-intervals>30</expire-intervals> <delete-intervals>120</delete-intervals> </timers> </rip> - <ospf> <reject-default-route>yes</reject-default-route> <allow-redist-default-route>no</allow-redist-default-route> <rfc1583>no</rfc1583> </ospf> - <bgp> <reject-default-route>no</reject-default-route> - <routing-options> <as-format>2-byte</as-format> - <med> <deterministic-med-comparison>no</deterministic-med-comparison> </med> <default-local-preference>100</default-local-preference> - <graceful-restart> <stale-route-time>120</stale-route-time> <local-restart-time>120</local-restart-time> <max-peer-restart-time>120</max-peer-restart-time> </graceful-restart> - <aggregate> <aggregate-med>yes</aggregate-med> </aggregate>

8 </routing-options> - <policy> <aggregation /> </policy> </bgp> </protocol> - <admin-dists> <static>10</static> <ospf-int>30</ospf-int> <ospf-ext>110</ospf-ext> <ibgp>200</ibgp> <ebgp>20</ebgp> <rip>120</rip> </admin-dists> </virtual-router> - <ike> - <crypto-profiles> - <ike-crypto-profiles> - <entry name="default"> - <encryption> <member>aes128</member> <member>3des</member> </encryption> - <hash> <member>sha1</member> </hash> - <dh-group> <member>group2</member> </dh-group> - <lifetime> <hours>8</hours> </lifetime> </ike-crypto-profiles> - <ipsec-crypto-profiles> - <entry name="default"> - <esp> - <encryption> <member>aes128</member> <member>3des</member> </encryption> - <authentication> <member>sha1</member> </authentication> </esp> <dh-group>group2</dh-group> - <lifetime> <hours>1</hours>

9 </lifetime> </ipsec-crypto-profiles> </crypto-profiles> - <gateway> - <entry name="pa-57"> - <peer-address> <ip> </ip> </peer-address> - <local-address> <ip> /24</ip> <interface>ethernet1/3</interface> </local-address> - <authentication> - <pre-shared-key> <key>-aq==tunuwz8wf62ahkereqqhbjaims4=d5failvq==</key> </pre-shared-key> </authentication> - <protocol> - <ikev1> <exchange-mode>main</exchange-mode> <ike-crypto-profile>default</ike-crypto-profile> - <dpd> <interval>5</interval> <retry>5</retry> </dpd> </ikev1> </protocol> - <protocol-common> - <nat-traversal> </nat-traversal> <passive-mode>no</passive-mode> </protocol-common> - <entry name="pa-57-vr2"> - <peer-address> <ip> </ip> </peer-address> - <local-address> <ip> /24</ip> <interface>ethernet1/4</interface> </local-address> - <authentication> - <pre-shared-key> <key>-aq==tunuwz8wf62ahkereqqhbjaims4=d5failvq==</key> </pre-shared-key> </authentication>

10 - <protocol> - <ikev1> <exchange-mode>main</exchange-mode> <ike-crypto-profile>default</ike-crypto-profile> - <dpd> <interval>5</interval> <retry>5</retry> </dpd> </ikev1> </protocol> - <protocol-common> - <nat-traversal> </nat-traversal> <passive-mode>no</passive-mode> </protocol-common> </gateway> </ike> - <tunnel> - <ipsec> - <entry name="p2-vr1"> <anti-replay>no</anti-replay> <copy-tos>no</copy-tos> - <tunnel-monitor> </tunnel-monitor> <tunnel-interface>tunnel.56</tunnel-interface> - <auto-key> - <ike-gateway> <entry name="pa-57" /> </ike-gateway> <ipsec-crypto-profile>default</ipsec-crypto-profile> </auto-key> - <entry name="p2-vr2"> <anti-replay>no</anti-replay> <copy-tos>no</copy-tos> - <tunnel-monitor> </tunnel-monitor> <tunnel-interface>tunnel.156</tunnel-interface> - <auto-key> - <ike-gateway> <entry name="pa-57-vr2" /> </ike-gateway> <ipsec-crypto-profile>default</ipsec-crypto-profile> </auto-key>

11 </ipsec> <ssl-vpn /> - <split-tunneling> - <access-route> <member> /24</member> </access-route> </split-tunneling> - <dns-server> <member> </member> <member> </member> </dns-server> - <ip-pool> <member> </member> </ip-pool> </client> - <local-address> <ip> /24</ip> <interface>ethernet1/3</interface> </local-address> - <ipsec> <enable>yes</enable> </ipsec> <tunnel-interface>tunnel.10</tunnel-interface> </global-protect-gateway> </tunnel> </network> - <deviceconfig> - <system> - <snmp-setting> - <snmp-system> <location> Lab</location> </snmp-system> - <access-setting> - <version> - <v2c> <snmp-community-string>pan</snmp-community-string> </v2c> </version> </access-setting> </snmp-setting> <speed-duplex>auto-negotiate</speed-duplex> <hostname>lab </hostname> <ip-address> </ip-address> <netmask> </netmask> <default-gateway> </default-gateway> - <dns-setting> - <servers>

12 <primary> </primary> <secondary> </secondary> </servers> </dns-setting> <panorama-server></panorama-server> <timezone>us/pacific</timezone> <update-server>updates.paloaltonetworks.com</update-server> - <service> <disable-http>yes</disable-http> <disable-https>no</disable-https> <disable-telnet>no</disable-telnet> <disable-ssh>no</disable-ssh> <disable-icmp>no</disable-icmp> <disable-snmp>no</disable-snmp> </service> <route /> - <update-schedule> - <threats> - <recurring> - <weekly> <at>01:02</at> <day-of-week>wednesday</day-of-week> <action>download-only</action> </weekly> </recurring> </threats> - <url-database> - <recurring> - <daily> <at>01:02</at> <action>download-and-install</action> </daily> </recurring> </url-database> </update-schedule> </system> - <setting> - <config> <rematch>yes</rematch> </config> </setting> - <high-availability> <enabled>yes</enabled> - <interface> - <ha1> <port>ethernet1/1</port> <ip-address> </ip-address> <netmask> </netmask> <monitor-hold-time>3000</monitor-hold-time>

13 </ha1> <ha1-backup /> - <ha2> <port>ethernet1/2</port> </ha2> <ha2-backup /> </interface> - <group> - <entry name="1"> <peer-ip> </peer-ip> - <election-option> <heartbeat-backup>no</heartbeat-backup> <preemptive>no</preemptive> </election-option> - <state-synchronization> <enabled>yes</enabled> <transport>ethernet</transport> </state-synchronization> - <configuration-synchronization> <enabled>yes</enabled> </configuration-synchronization> - <mode> <active-passive /> </mode> - <monitoring> - <path-monitoring> <enabled>no</enabled> </path-monitoring> - <link-monitoring> <enabled>yes</enabled> <failure-condition>any</failure-condition> - <link-group> - <entry name="test"> <enabled>yes</enabled> <failure-condition>any</failure-condition> - <interface> <member>ethernet1/3</member> </interface> </link-group> </link-monitoring> </monitoring> </group> </high-availability> </deviceconfig> - <vsys> - <entry name="vsys1"> <ssl-decrypt />

14 <application /> <application-group /> - <zone> - <entry name="trust"> - <network> - <layer3> <member>ethernet1/6</member> </layer3> </network> <enable-user-identification>no</enable-user-identification> <user-acl /> - <entry name="untrust"> - <network> - <layer3> <member>ethernet1/3</member> <member>loopback.5</member> <member>loopback.4</member> <member>tunnel.10</member> </layer3> </network> <enable-user-identification>no</enable-user-identification> <user-acl /> - <entry name="dmz"> - <network> - <layer3> <member>ethernet1/5</member> </layer3> </network> <enable-user-identification>no</enable-user-identification> <user-acl /> - <entry name="vr2-untrust"> - <network> - <layer3> <member>ethernet1/4</member> </layer3> </network> <enable-user-identification>no</enable-user-identification> <user-acl /> - <entry name="vpn"> - <network> - <layer3> <member>tunnel.56</member> </layer3> </network> <enable-user-identification>no</enable-user-identification>

15 <user-acl /> - <entry name="vr2-vpn"> - <network> - <layer3> <member>tunnel.156</member> </layer3> </network> <enable-user-identification>no</enable-user-identification> <user-acl /> </zone> <service /> <service-group /> <schedule /> - <rulebase> - <security> - <rules> - <entry name="trafficvpn"> - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>trust</member> <member>vpn</member> <member>vr2-vpn</member> </from> - <to> <member>trust</member> <member>vpn</member> <member>vr2-vpn</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application> - <service> </service> - <hip-profiles>

16 </hip-profiles> <log-start>no</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>allow</action> - <entry name="trust-vpn"> - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>trust</member> </from> - <to> <member>vpn</member> <member>vr2-vpn</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application> - <service> </service> - <hip-profiles> </hip-profiles> <log-start>no</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>allow</action> - <entry name="src NAT"> - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>trust</member> </from>

17 - <to> <member>untrust</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application> - <service> </service> - <hip-profiles> </hip-profiles> <log-start>no</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>allow</action> - <entry name="trust-dmz"> - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>trust</member> </from> - <to> <member>dmz</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application>

18 - <service> </service> - <hip-profiles> </hip-profiles> <log-start>no</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>allow</action> - <entry name="dmz-trust"> - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>dmz</member> </from> - <to> <member>trust</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application> - <service> </service> - <hip-profiles> </hip-profiles> <log-start>no</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>allow</action> - - <entry name="deny rest">

19 - <option> <disable-server-response-inspection>no</disable-server-response-inspection> </option> - <from> <member>untrust</member> </from> - <to> <member>trust</member> </to> - <source> </source> - <destination> </destination> - <source-user> </source-user> - <application> </application> - <service> </service> - <hip-profiles> </hip-profiles> <log-start>yes</log-start> <log-end>yes</log-end> <negate-source>no</negate-source> <negate-destination>no</negate-destination> <action>deny</action> </rules> </security> - <nat> - <rules> - <entry name="source NAT"> - <source-translation> - <dynamic-ip-and-port> - <interface-address> <interface>ethernet1/3</interface> </interface-address> </dynamic-ip-and-port> </source-translation> - <to> <member>untrust</member> </to> - <from>

20 <member>trust</member> </from> - <source> </source> - <destination> </destination> <service>any</service> </rules> </nat> - <decryption> <rules /> </decryption> - <pbf> - <rules> - <entry name="vpntraffic"> - <action> - <forward> - <nexthop> <ip-address> </ip-address> </nexthop> <egress-interface>tunnel.156</egress-interface> - <monitor> <profile>default</profile> <disable-if-unreachable>no</disable-if-unreachable> <ip-address> </ip-address> </monitor> </forward> </action> - <from> - <zone> <member>trust</member> </zone> </from> - <source> </source> - <destination> <member> /24</member> </destination> - <source-user> </source-user> - <application> </application> - <service>

21 </service> <negate-source>no</negate-source> <negate-destination>no</negate-destination> </rules> </pbf> </rulebase> <address /> <application-filter /> - <log-settings> <profiles /> </log-settings>

3.1.0 ethernet1/1 ethernet1/2 ethernet1/3 auto auto auto 1500 mgt-all /24 ethernet1/6 auto auto auto 1500 mgt-all

3.1.0 ethernet1/1 ethernet1/2 ethernet1/3 auto auto auto 1500 mgt-all /24 ethernet1/6 auto auto auto 1500 mgt-all - - - - - - - auto