Please see the config below:
/* Management services. ssh is enabled device-wide here; which interfaces may actually */
/* reach it is decided by host-inbound-traffic under security zones. */
services {
ssh;
web-management {
https {
/* Self-signed certificate: clients cannot verify the device identity, so a CA-issued */
/* (or at least out-of-band pinned) certificate is preferable for the management plane. */
system-generated-certificate;
/* ge-0/0/0.0 is the Internet-zone interface (192.168.1.253/24, default route via */
/* 192.168.1.1), so the web UI also listens on the outside of the firewall. Drop it */
/* from this list unless management from the outside is deliberately required. */
interface [ ge-0/0/1.0 ge-0/0/0.0 ];
}
session {
/* Idle web sessions expire after 60 (idle-timeout is in minutes on Junos - confirm). */
idle-timeout 60;
}
}
dhcp {
/* Pool for the internal LAN. The gateway handed out is 10.0.10.3 (the vlan.0 address), */
/* not 10.0.10.1 on ge-0/0/1.0; both interfaces are addressed in 10.0.10.0/24 (see */
/* interfaces), so which one answers a client depends on where it is attached. */
pool 10.0.10.0/24 {
address-range low 10.0.10.20 high 10.0.10.30;
/* Public resolvers; no DNS filtering is applied to internal clients by this config. */
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.0.10.3;
}
}
}
}
/* Local logging only: no remote syslog host is configured in this stanza, so all */
/* evidence lives on the device flash and is lost with it. Add a host destination */
/* for off-box retention of authorization and RT_FLOW events. */
syslog {
/* Small default archive (3 rotated files of 100k); auth events can roll over quickly. */
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
/* Login/authentication events are kept here at info level. */
authorization info;
}
file interactive-commands {
/* Only error-severity command events are recorded; routine CLI commands are emitted */
/* at a lower severity (info, as I recall - confirm), so this is not a change-audit */
/* trail. Use a lower severity here if command auditing is wanted. */
interactive-commands error;
}
file policy_session {
/* Session logs (RT_FLOW) from the policies that enable session-init/session-close. */
user info;
match RT_FLOW;
/* world-readable lets any local account read the traffic logs; drop it unless needed. */
archive size 1000k world-readable;
structured-data;
}
}
/* Keeps 5 prior committed configurations for rollback; older history is not retained */
/* on the device, which bounds what can be reconstructed after an unexpected change. */
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
/* Juniper license auto-retrieval over HTTPS; needs outbound reachability from the */
/* device itself to juniper.net (self-originated traffic, not traffic through the box). */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Single, unauthenticated time source. The name looks like a transposition of the */
/* public pool's us.pool.ntp.org - confirm it resolves, because accurate time is what */
/* makes the syslog and session timestamps usable as evidence. */
ntp {
server us.ntp.pool.org;
}
}
interfaces {
/* ge-0/0/2..5 are L2 switch ports in vlan-internal (vlan-id 10); their L3 gateway */
/* is vlan.0 at the end of this stanza. */
interface-range interfaces-vlan10 {
member-range ge-0/0/2 to ge-0/0/5;
unit 0 {
family ethernet-switching {
vlan {
members vlan-internal;
}
}
}
}
/* Outside interface: member of zone Internet, next hop 192.168.1.1 (routing-options). */
/* The RFC 1918 address suggests an upstream NAT device in front of this firewall. */
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.253/24;
}
}
}
/* Routed internal interface. NOTE: 10.0.10.0/24 is also configured on vlan.0 */
/* (10.0.10.3/24) below; two L3 interfaces in the same subnet make the route for */
/* 10.0.10.0/24 ambiguous, and most likely one of the two was meant to be a */
/* different subnet (or ge-0/0/1 a switch port). Confirm before relying on either. */
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.10.1/24;
}
}
}
/* Physical-layer settings for the four switch ports (identical on each). */
ge-0/0/2 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/3 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/4 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/5 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
/* L3 interface for VLAN 10 (see vlans); this is also the DHCP default gateway. */
vlan {
unit 0 {
family inet {
address 10.0.10.3/24;
}
}
}
}
/* Single default route toward the upstream router on ge-0/0/0; nothing else is routed. */
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
/* Spanning tree on the switch ports with default settings (no per-port options set). */
protocols {
stp;
}
security {
/* Web-filtering profiles as written permit every category and every site reputation, */
/* including "suspicious" and "harmful", so they filter nothing. Nothing in the visible */
/* config (no utm-policy, no policy application-services) references them either, so */
/* they are inert unless attached elsewhere. */
utm {
feature-profile {
web-filtering {
juniper-local {
profile junos-wf-local-default {
default permit;
}
}
juniper-enhanced {
profile junos-wf-enhanced-default {
category {
Enhanced_Streaming_Media {
action permit;
}
Enhanced_Internet_Radio_and_TV {
action permit;
}
Enhanced_Entertainment_Video {
action permit;
}
}
/* If this profile is ever applied, harmful (and probably suspicious) should be */
/* block or log-and-permit rather than permit. */
site-reputation-action {
very-safe permit;
moderately-safe permit;
fairly-safe permit;
suspicious permit;
harmful permit;
}
default permit;
}
}
}
}
}
/* Screen profile untrust-screen is defined but, as pasted, not attached to any zone */
/* (neither security-zone carries a "screen" statement), so none of these checks run. */
/* Activate it on the outside zone with: */
/*   set security zones security-zone Internet screen untrust-screen */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
/* Thresholds are in packets per second; review them against real traffic levels */
/* once the screen is attached so legitimate bursts are not dropped. */
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Both rule-sets do interface source NAT toward zone Internet for all traffic. vlan.0 */
/* is already a member of zone Internal, so vlan_srcnat duplicates nsw_srcnat; the */
/* interface-scoped rule-set is the one Junos picks for vlan.0 traffic (interface */
/* before zone precedence, as I recall) and the result is the same either way. */
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
/* Redundant with nsw_srcnat (see above); one rule-set would do. */
rule-set vlan_srcnat {
from interface vlan.0;
to zone Internet;
rule vlan_srcnat_rule {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Policies are evaluated top-down, first match wins. The last policy permits */
/* any/any/any, so the application list in internet_usage and the destination list in */
/* apple_google_sync restrict nothing - they only change which policy name shows up */
/* in the session log. All outbound traffic from Internal is allowed. If an allow-list */
/* is intended, replace All_Internal_Internet with a logged deny. */
/* No Internet-to-Internal policy exists, so inbound is covered by the default policy */
/* (deny-all unless default-policy was changed; it is not set in this stanza). */
policies {
from-zone Internal to-zone Internet {
policy internet_usage {
match {
/* any-ipv4 here vs plain any in the two policies below - cosmetic, but worth */
/* making consistent. */
source-address any-ipv4;
destination-address any-ipv4;
application [ junos-http junos-ssh junos-smtp junos-https junos-pop3 junos-ntp junos-imap junos-imaps junos-dns-udp junos-dns-tcp junos-icmp-ping junos-bgp ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy apple_google_sync {
match {
source-address any;
destination-address [ google1 google2 apple1 apple2 google3 ];
/* tcp-5228 as defined under applications carries no destination-port, so it */
/* matches any TCP port to these hosts, not only 5228. */
application [ tcp-5228 tcp-5223 tcp-8443 ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
/* Catch-all permit; makes the two policies above purely a logging distinction. */
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
/* Internal zone trusts everything toward the device itself at zone level. */
security-zone Internal {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
/* Interface-level host-inbound-traffic replaces the zone-level list for that */
/* interface (Junos semantics - confirm), so ge-0/0/1.0 accepts only ping/https/ssh */
/* toward the device: notably no dhcp, although the DHCP pool covers its subnet. */
/* Add dhcp here if clients attached directly to ge-0/0/1 should be served. */
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
}
}
}
/* vlan.0 explicitly allows every system service toward the device. */
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
/* Outside zone. Zone-level all/all is a risky default for any interface added here */
/* later; today ge-0/0/0.0 narrows it to https and ssh, which still exposes the */
/* management plane on the outside interface. Prefer removing zone-level all and */
/* dropping https/ssh from ge-0/0/0.0 unless remote management is required. */
/* No screen is attached: add "screen untrust-screen;" in this zone to activate the */
/* ids-option defined under security screen. */
security-zone Internet {
/* Hard-coded Google/Apple addresses; these change over time and need periodic review. */
address-book {
address google1 64.233.166.188/32;
address google2 172.217.169.33/32;
address apple1 17.57.146.148/32;
address apple2 17.57.146.149/32;
address google3 74.125.71.188/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
https;
ssh;
}
}
}
}
}
}
}
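/* Custom applications used by policy apple_google_sync. */
applications {
/* Was "application tcp-5228 protocol tcp;" - with no destination-port that entry */
/* matched any TCP port, not only 5228, unlike its two siblings below. */
application tcp-5228 {
protocol tcp;
destination-port 5228;
}
application tcp-5223 {
protocol tcp;
destination-port 5223;
}
application tcp-8443 {
protocol tcp;
destination-port 8443;
}
}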
/* VLAN 10 for switch ports ge-0/0/2..5, routed through vlan.0 (10.0.10.3/24). */
vlans {
vlan-internal {
vlan-id 10;
l3-interface vlan.0;
}
}