Here's the config
## Last changed: 2017-12-21 05:36:08 GMT-6
version 15.1X49-D75.5;
/* Device identity, resolver, local accounts, management services, DHCP, syslog, licensing and NTP. */
system {
    host-name xxx;
    /* NOTE(review): Junos GMT+/-N follows the POSIX sign convention (Etc/GMT-6 is UTC+6, not US Central) — confirm the intended offset. */
    time-zone GMT-6;
    root-authentication {
        encrypted-password "xxx";
    }
    /* Resolvers for the device itself; the same pair is reused as dns-proxy forwarders below. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        user xxx {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "xxx";
            }
        }
    }
    services {
        ssh;
        /* Cleartext management protocol; ssh is already enabled above, so telnet adds exposure without adding capability. */
        telnet;
        /* Resolver proxy for clients on ge-0/0/1.0, forwarding to the same servers as name-server. */
        dns {
            dns-proxy {
                interface {
                    ge-0/0/1.0;
                }
                default-domain * {
                    forwarders {
                        208.67.222.222;
                        208.67.220.220;
                    }
                }
            }
        }
        /* J-Web on the LAN interface and on ge-0/0/0.0, the Internet-zone interface; plain http is enabled alongside https. */
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            https {
                /* Self-signed certificate; browsers cannot verify the device identity unless it is pinned. */
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
        /* DHCP for 172.16.1.0/24; the gateway 172.16.1.1 is the ge-0/0/2.0 (Guest zone) address. */
        dhcp {
            pool 172.16.1.0/24 {
                address-range low 172.16.1.50 high 172.16.1.199;
                router {
                    172.16.1.1;
                }
            }
            /* NOTE(review): pp0.0 is not configured under interfaces in this excerpt — confirm it exists. */
            propagate-settings pp0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* Per-session firewall log (RT_FLOW) in structured-data format. */
        file policy_session {
            user info;
            match RT_FLOW;
            /* world-readable lets every local account read this log, not only the super-user class. */
            archive size 1000k world-readable;
            structured-data;
        }
        file webfilter-log {
            any any;
            match WEBFILTER_;
        }
        file antivirus-log {
            any any;
            match AntiVirus;
        }
        file IDP_Log {
            any any;
            match RT_IDP;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NOTE(review): us.ntp.pool.org looks like a transposition of the public pool name us.pool.ntp.org — confirm it resolves. */
        server us.ntp.pool.org;
    }
}
/* RPM reachability probe toward the upstream and the ip-monitoring policy that reacts to it. */
services {
    rpm {
        probe INET-UP {
            test TargetIP {
                target address x.x.x.x;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                /* Probes are sent out of the Internet-zone interface. */
                destination-interface ge-0/0/0.0;
            }
        }
    }
    ip-monitoring {
        policy INET-UP-MON {
            match {
                rpm-probe INET-UP;
            }
            then {
                /* NOTE(review): on probe failure only 4.2.2.2/32 is redirected to 192.168.0.2; the default route is not touched, so this alone does not fail the WAN over — confirm that is intended. */
                preferred-route {
                    route 4.2.2.2/32 {
                        next-hop 192.168.0.2;
                    }
                }
            }
        }
    }
}
/* Security services: IDP, UTM (anti-virus and web filtering), screens, NAT, zone-to-zone policies and zones. */
security {
    idp {
        idp-policy shelmet-idp-policy {
            rulebase-ips {
                /* Rule 1: Critical predefined attacks between any zones are dropped and logged with alert. */
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups Critical;
                        }
                    }
                    then {
                        action {
                            drop-connection;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                        severity critical;
                    }
                }
                /* Rule 2: Major attacks take the signature's recommended action and are logged; unlike rule 1 it has no destination-address clause. */
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        application default;
                        attacks {
                            predefined-attack-groups Major;
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                        severity major;
                    }
                }
            }
        }
        active-policy shelmet-idp-policy;
        /* flag all / level all is full debug tracing into a 100m file; normally enabled only while troubleshooting. */
        traceoptions {
            file size 100m;
            flag all;
            level all;
        }
        /* Scheduled signature download; the +0600 offset should agree with the system time-zone. */
        security-package {
            automatic {
                start-time "2017-6-24.08:00:00 +0600";
                interval 72;
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                /* Allow-listed business and vendor domains; grouped with Office365 into Cust-Category-Prod below. */
                white {
                    value [ *.assist.com *.fastsupport.com *.fedex.com *.gotoassist.com *.grainger.com *.mcmaster.com *.mcsdirect.com *.microsoft.com *.mscdirect.com *.noaa.gov *.office365.com *.olsensafety.com *.outlook.com *.ups.com *.weather.com *.weather.gov *.eicar.org *.spn.com *.symantec.com *.norton.com ];
                }
                /* NOTE(review): black is not referenced by any custom-url-category or profile in this excerpt. */
                black {
                    value www.msn.com;
                }
                Office365 {
                    value [ *.office365.com *.office.com *.microsoftonline.com *.msocdn.com *.office.net *.live.com *.windows.net *.microsoft.com *.cloudapp.net *.outlook.com *.oaspapps.com *.outlookgroups.ms *.onmicrosoft.com *.msedge.net *.microsoftonline-p.com *.edgekey.net *.akadns.net *.bing.com *.aria.microsoft.com *.portal.microsoft.com *.urs.microsoft.com *.res.office365.com *.pipe.aria.microsoft.com *.officeapps.live.com *.portal.office.com *.data.microsoft.com *.aadcdn.microsoftonline-p.com ];
                }
                Exec {
                    value *.siriusxm.com;
                }
            }
            custom-url-category {
                Cust-Category-Prod {
                    value [ white Office365 ];
                }
                Cust-Category-Exec {
                    value Exec;
                }
            }
        }
        feature-profile {
            anti-virus {
                type sophos-engine;
                sophos-engine {
                    profile AV_Profile {
                        /* Every fallback is log-and-permit: the scanner fails open, so unscanned content passes whenever the engine cannot scan it. */
                        fallback-options {
                            default log-and-permit;
                            content-size log-and-permit;
                            engine-not-ready log-and-permit;
                            timeout log-and-permit;
                            out-of-resources log-and-permit;
                            too-many-requests log-and-permit;
                        }
                        scan-options {
                            content-size-limit 10000;
                            timeout 180;
                        }
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message "VIRUS WARNING";
                            }
                            fallback-block {
                                type message;
                                notify-mail-sender;
                            }
                        }
                    }
                }
            }
            web-filtering {
                type juniper-enhanced;
                juniper-enhanced {
                    cache {
                        timeout 1800;
                        size 500;
                    }
                    /* Allow-list style: the three listed categories pass, everything else is blocked by default. */
                    profile Production_Profile {
                        category {
                            Cust-Category-Prod {
                                action permit;
                            }
                            Enhanced_Information_Technology {
                                action log-and-permit;
                            }
                            Enhanced_Hosted_Business_Applications {
                                action log-and-permit;
                            }
                        }
                        default block;
                        /* Fails open on lookup problems, same as the anti-virus profile. */
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                    /* Deny-list style: malicious categories and harmful reputation are blocked, everything else permitted by default. */
                    profile Exec_Profile {
                        category {
                            Enhanced_Malicious_Web_Sites {
                                action block;
                            }
                            Enhanced_Advanced_Malware_Command_and_Control {
                                action block;
                            }
                            Enhanced_Advanced_Malware_Payloads {
                                action block;
                            }
                            Enhanced_Malicious_Embedded_Link {
                                action block;
                            }
                            Enhanced_Malicious_Embedded_iFrame {
                                action block;
                            }
                            Enhanced_Bot_Networks {
                                action block;
                            }
                            Enhanced_Keyloggers {
                                action block;
                            }
                            Enhanced_Parked_Domain {
                                action block;
                            }
                            Enhanced_Phishing_and_Other_Frauds {
                                action block;
                            }
                            Enhanced_Potentially_Exploited_Documents {
                                action block;
                            }
                            Enhanced_Potentially_Unwanted_Software {
                                action block;
                            }
                            Enhanced_Spyware {
                                action block;
                            }
                            Enhanced_Suspicious_Embedded_Link {
                                action block;
                            }
                            Enhanced_Society_and_Lifestyles {
                                action permit;
                            }
                            Cust-Category-Exec {
                                action log-and-permit;
                            }
                        }
                        site-reputation-action {
                            very-safe permit;
                            moderately-safe permit;
                            fairly-safe permit;
                            suspicious log-and-permit;
                            harmful block;
                        }
                        default permit;
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                }
            }
        }
        /* Prod: AV on http/ftp plus the allow-list web profile; only this policy caps sessions per client (200). */
        utm-policy Prod_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            web-filtering {
                http-profile Production_Profile;
            }
            traffic-options {
                sessions-per-client {
                    limit 200;
                    over-limit log-and-permit;
                }
            }
        }
        /* NOTE(review): AV_Policy is not referenced by any policy in this excerpt. */
        utm-policy AV_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
        /* Exec: AV on http/ftp plus the deny-list web profile. */
        utm-policy Exec_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            web-filtering {
                http-profile Exec_Profile;
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
    /* Screen profile; applied to the Internet zone only (see zones below). */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                spoofing;
                source-route-option;
                tear-drop;
            }
            tcp {
                port-scan;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface (hide) NAT for everything leaving Internal and Guest toward Internet. */
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Guest-Nat {
                from zone Guest;
                to zone Internet;
                rule Guest-Nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Maps to 192.168.0.1:80, this device's own ge-0/0/1.0 address (the plain-http J-Web listener). NOTE(review): no destination rule-set references this pool in this excerpt, so it is currently unused; wiring it up would expose J-Web to the Internet zone. */
            pool webmgt {
                routing-instance {
                    default;
                }
                address 192.168.0.1/32 port 80;
            }
        }
    }
    policies {
        /* First match wins. Order: Exec web -> egress deny -> Prod web -> Office web -> any/any permit; Shelmet_AV is never reached. */
        from-zone Internal to-zone Internet {
            policy Exec_Rule {
                match {
                    source-address Exec_192-223;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy Exec_Policy;
                        }
                    }
                }
            }
            /* Outbound deny of the egress_blacklist application-set (SMB, IRC, SNMP, TFTP, SMTP, syslog); sits after Exec_Rule, which only matches http/https, so it still applies to all hosts. */
            policy Egress_Rule {
                match {
                    source-address any;
                    destination-address any;
                    application egress_blacklist;
                }
                then {
                    deny;
                }
            }
            policy Prod_Web-Filter {
                match {
                    source-address Prod_160-191;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy Prod_Policy;
                        }
                    }
                }
            }
            /* Catch-all web policy for hosts outside the Prod and Exec ranges, using the built-in AV+WF UTM policy. */
            policy Office_Web-Filter {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
            /* any/any/any permit without logging; everything below it in this context is shadowed. */
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): shadowed by All_Internal_Internet above, so junos-av-policy is never applied here — reorder or delete. */
            policy Shelmet_AV {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-policy;
                        }
                    }
                }
            }
        }
        /* Inbound from the Internet. NOTE(review): Internal hosts are on private 192.168.0.0/24 and no destination NAT rule-set is visible, so these permits are latent until one is added; when that happens RDP, http/https and ssh are open from any source. Restricting source-address (TEC_Security already exists) and logging session-init/session-close as sshmgt does would be the defensive baseline. */
        from-zone Internet to-zone Internal {
            policy RDPpolicy {
                match {
                    source-address any;
                    destination-address any;
                    application RDP;
                }
                then {
                    permit;
                }
            }
            policy webmgr {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy sshmgt {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* Only inbound policy scoped to a named source; the others in this context should follow this pattern. */
            policy TEC_Panel {
                description "Access to 192.168.0.16/2001";
                match {
                    source-address TEC_Security;
                    destination-address any;
                    application TEC_Panel;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Guest: web traffic through the built-in AV+WF policy, then any/any permit; no egress_blacklist deny in this context, unlike Internal. */
        from-zone Guest to-zone Internet {
            policy Office_Web-Filter {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
            policy All_Guest_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address Prod_160-191 192.168.0.160/27;
                address Exec_192-223 192.168.0.192/27;
                /* NOTE(review): describes the Guest subnet (ge-0/0/2.0) but lives in the Internal address-book and is unused by the policies shown. */
                address Guest_WiFi 172.16.1.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        /* all already covers the explicit entries that follow; they are redundant. */
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                            dns;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            address-book {
                address Outside_Addr x.x.x.x/32;
                address TEC_Security x.x.x.x/32;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        /* Nothing active: J-Web is bound to this interface under system services web-management, but https is inactive and http is absent here, so it is not reachable from the Internet zone. */
                        system-services {
                            inactive: tftp;
                            inactive: dhcp;
                            inactive: https;
                        }
                    }
                }
            }
        }
        /* Guest zone: no address-book and no screen. */
        security-zone Guest {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        /* all lets guest clients reach every device service including ssh and telnet; dhcp and dns are what the pool above requires. */
                        system-services {
                            all;
                            telnet;
                            http;
                            ssh;
                            https;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
/* Three routed interfaces: ge-0/0/0 WAN (Internet zone), ge-0/0/1 LAN (Internal), ge-0/0/2 guest (Guest). */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Public /30 toward the upstream; redacted. */
                address x.x.x.x/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* LAN gateway; also the target of the unused webmgt destination-NAT pool. */
                address 192.168.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                /* Guest gateway; matches the router option in the DHCP pool. */
                address 172.16.1.1/24;
            }
        }
    }
}
/* Default route via the upstream (preference 2) with a less-preferred backup via 192.168.0.2 on the LAN (preference 6). */
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop x.x.x.x;
            /* NOTE(review): the backup is chosen only when the primary next-hop becomes unusable; ip-monitoring above does not switch the default route on RPM loss — confirm the intended failover behaviour. */
            qualified-next-hop 192.168.0.2 {
                preference 6;
            }
            preference 2;
        }
    }
}
/* Default DSCP classifier on every interface; no custom schedulers or rewrite rules. */
class-of-service {
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
    }
}
/* Custom applications and the egress_blacklist set denied by Egress_Rule. All custom terms require source-port 1024-65535, so connections sourced from a low port do not match them. */
applications {
    /* Used by the inbound RDPpolicy. */
    application RDP {
        protocol tcp;
        source-port 1024-65535;
        destination-port 3389;
    }
    application snmp {
        protocol udp;
        source-port 1024-65535;
        destination-port 161-162;
    }
    application irc {
        protocol tcp;
        source-port 1024-65535;
        destination-port 6660-6669;
    }
    /* NetBIOS/RPC range 135-139 on both transports; 445 is not covered here (presumably by junos-smb-session in the set below — verify). */
    application SMB_Ports {
        term smb_udp_ports protocol udp source-port 1024-65535 destination-port 135-139;
        term smb_tcp_ports protocol tcp source-port 1024-65535 destination-port 135-139;
    }
    /* Used by the inbound TEC_Panel policy (192.168.0.16/2001 per its description). */
    application TEC_Panel {
        protocol tcp;
        source-port 1024-65535;
        destination-port 2001;
    }
    /* Denied outbound from Internal by Egress_Rule; note junos-smtp blocks all direct outbound mail, including any internal mail server. */
    application-set egress_blacklist {
        application SMB_Ports;
        application irc;
        application snmp;
        application junos-tftp;
        application junos-netbios-session;
        application junos-smb-session;
        application junos-smtp;
        application junos-syslog;
    }
}