MGMT - Logging
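{# MGMT - Logging: local log files plus one remote collector.
   Variables: Syslog_IP (collector address), Source_IP (address the device sends from).
   Jinja comments are stripped at render time and never reach the device. #}

{# Only emergencies are pushed to logged-in users' terminals. #}
set system syslog user * any emergency

{# Remote collector receives every facility at info and above. Junos sends plain UDP syslog
   unless a transport is configured; check whether the platform offers a TCP/TLS transport
   for this host statement. The sending address is pinned by source-address below. #}
set system syslog host {{ Syslog_IP }} any info

{# Local files: general messages at notice, but authentication/authorization at info so
   login and privilege events are kept locally as well as on the collector. #}
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive interactive-commands any

{# Catch-all file with rotation: 5 archives of 1000k each. #}
set system syslog file all-logs any any
set system syslog file all-logs archive size 1000k
set system syslog file all-logs archive files 5

{# Commit audit trail: only lines matching the pattern land in this file.
   Fixed: the original pattern ended with an extra ')' (unbalanced parentheses), so the
   regex could not be parsed as written. #}
set system syslog file log-messages any any
set system syslog file log-messages match "(requested 'commit' operation)|(requested 'commit synchronize' operation)"
set system syslog file log-messages structured-data

set system syslog source-address {{ Source_IP }}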
MGMT - SNMPv3
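{# MGMT - SNMPv3: one USM user with authentication and privacy, read-only VACM access,
   and one notification target. Jinja comments are stripped at render time. #}
set snmp description {{ Description }}
set snmp location {{ Location }}
set snmp contact {{ Contact }}
set snmp interface {{ Source_Interface }}

{# USM user: HMAC-SHA authentication, AES-128 privacy. Auth_Key and Privacy_Key are secrets
   and should come from a vault, not from a committed variable file. Note that the BGP
   section of this template set also uses a placeholder named Auth_Key; when both sections
   are rendered from one variable set the two keys become identical. #}
set snmp v3 usm local-engine user {{ SNMP_User }} authentication-sha authentication-key {{ Auth_Key }}
set snmp v3 usm local-engine user {{ SNMP_User }} privacy-aes128 privacy-key {{ Privacy_Key }}

{# NOTE(review): with the usm security model the security-name is the USM user name, so
   Security_Name is expected to render to the same value as SNMP_User (the target-parameters
   below already use SNMP_User) - confirm before use. #}
set snmp v3 vacm security-to-group security-model usm security-name {{ Security_Name }} group {{ SNMP_Group }}

{# Access: privacy required, read-view and notify-view only - no write-view is granted. #}
set snmp v3 vacm access group {{ SNMP_Group }} default-context-prefix security-model usm security-level privacy read-view {{ SNMP_View }}
set snmp v3 vacm access group {{ SNMP_Group }} default-context-prefix security-model usm security-level privacy notify-view {{ SNMP_View }}

{# Notification target. The tag-list value is what a notify entry must reference. #}
set snmp v3 target-address {{ Target_Name }} address {{ IP_Address }}
set snmp v3 target-address {{ Target_Name }} tag-list {{ SNMP_User }}
set snmp v3 target-address {{ Target_Name }} address-mask {{ Subnet_Mask }}
set snmp v3 target-address {{ Target_Name }} target-parameters {{ Parameter_Name }}

{# Added: a notify entry bound to the tag above. The original had a target-address and a
   notify-view but nothing selecting the target for notifications; this entry reuses the
   existing placeholders. Remove it if no traps are wanted from this device. #}
set snmp v3 notify {{ Target_Name }} type trap
set snmp v3 notify {{ Target_Name }} tag {{ SNMP_User }}

{# Parameters used when sending to the target: v3, usm, authPriv, as the configured user. #}
set snmp v3 target-parameters {{ Parameter_Name }} parameters message-processing-model v3
set snmp v3 target-parameters {{ Parameter_Name }} parameters security-model usm
set snmp v3 target-parameters {{ Parameter_Name }} parameters security-level privacy
set snmp v3 target-parameters {{ Parameter_Name }} parameters security-name {{ SNMP_User }}

{# NOTE(review): IP_Address is the same placeholder used for the trap receiver's address
   above. A local engine-id normally identifies this device, not the receiver - confirm
   which value is intended here. Changing the engine-id invalidates localized USM keys. #}
set snmp engine-id local {{ IP_Address }}

{# The read view exposes the whole OID tree; narrow it if the poller only needs a subset. #}
set snmp view {{ SNMP_View }} oid .1 include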
NET - Class of Service
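{# NET - Class of Service: five forwarding classes, one scheduler map applied to all
   ge-*/xe-* interfaces, and an ingress filter that classifies traffic.
   Jinja comments are stripped at render time. #}
set class-of-service forwarding-classes class NET-CONTROL queue-num 7
set class-of-service forwarding-classes class VOIP queue-num 5
set class-of-service forwarding-classes class CRITICAL queue-num 3
set class-of-service forwarding-classes class BE queue-num 1
set class-of-service forwarding-classes class SCAVENGER queue-num 0

set class-of-service interfaces ge-* scheduler-map ethernet-cos-map
set class-of-service interfaces xe-* scheduler-map ethernet-cos-map

set class-of-service scheduler-maps ethernet-cos-map forwarding-class NET-CONTROL scheduler NET-CONTROL_SCHED
set class-of-service scheduler-maps ethernet-cos-map forwarding-class VOIP scheduler VOIP_SCHED
set class-of-service scheduler-maps ethernet-cos-map forwarding-class CRITICAL scheduler CRITICAL_SCHED
set class-of-service scheduler-maps ethernet-cos-map forwarding-class BE scheduler BE_SCHED
set class-of-service scheduler-maps ethernet-cos-map forwarding-class SCAVENGER scheduler SCAVENGER_SCHED

{# Three strict-high schedulers with no transmit-rate cap: traffic classified into
   NET-CONTROL, VOIP or CRITICAL is served ahead of BE/SCAVENGER without limit, so the
   classifier terms below decide who can starve best-effort traffic. #}
set class-of-service schedulers VOIP_SCHED buffer-size percent 20
set class-of-service schedulers VOIP_SCHED priority strict-high
set class-of-service schedulers CRITICAL_SCHED buffer-size percent 20
set class-of-service schedulers CRITICAL_SCHED priority strict-high
set class-of-service schedulers NET-CONTROL_SCHED buffer-size percent 15
set class-of-service schedulers NET-CONTROL_SCHED priority strict-high
set class-of-service schedulers BE_SCHED transmit-rate percent 40
set class-of-service schedulers BE_SCHED buffer-size percent 30
set class-of-service schedulers BE_SCHED priority low
set class-of-service schedulers SCAVENGER_SCHED transmit-rate percent 20
set class-of-service schedulers SCAVENGER_SCHED buffer-size percent 15
{# Fixed: the original line ended at "priority" with no value. "low" is the value the
   BE scheduler uses and is the appropriate setting for the scavenger class. #}
set class-of-service schedulers SCAVENGER_SCHED priority low

set interfaces {{ Interface }} unit 0 family ethernet-switching filter input {{ COS_Filter }}

{# Classifier. Terms are evaluated in creation order; the first match wins.
   Fixed: TAG_BE has no "from" conditions and therefore matches every packet, so in the
   original order the TAG_SCAVENGER and TAG_WIRELESS terms after it were unreachable.
   TAG_BE is now the last term. #}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_NET-CONTROL from ip-precedence net-control
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_NET-CONTROL then forwarding-class NET-CONTROL
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_NET-CONTROL then loss-priority low

{# VOIP: destination port AND known voice source address AND tcp|udp.
   Fixed: "{{ Voice-Ports }}" is evaluated by Jinja as a subtraction of two names and does
   not render; Voice_Ports follows the underscore convention used by every other placeholder.
   The variable file must be updated to match. #}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP from destination-port {{ Voice_Ports }}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP from ip-source-address {{ VOIP_Source_IP }}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP from ip-protocol tcp
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP from ip-protocol udp
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP then forwarding-class VOIP
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_VOIP then loss-priority low

{# NOTE(review): Destination_IP is also the placeholder used by TAG_SCAVENGER below. If both
   render to the same value this term matches first and the scavenger term never fires. #}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_HOSTS from ip-destination-address {{ Destination_IP }}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_HOSTS then forwarding-class CRITICAL
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_HOSTS then loss-priority low

{# The next two terms classify on values the sending host controls (protocol ICMP, port 22)
   with no source constraint, so any host can place traffic into the strict-high CRITICAL
   queue. Consider a source-address condition or a policer on these terms. #}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_ICMP from ip-protocol icmp
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_ICMP then forwarding-class CRITICAL
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_ICMP then loss-priority low
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_SSH from destination-port 22
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_SSH then forwarding-class CRITICAL
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_CRITICAL_SSH then loss-priority low

set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_SCAVENGER from ip-destination-address {{ Destination_IP }}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_SCAVENGER then forwarding-class SCAVENGER
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_SCAVENGER then loss-priority high

set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_WIRELESS from ip-source-address {{ Wireless_Source_IP }}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_WIRELESS then forwarding-class BE
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_WIRELESS then loss-priority low

{# Catch-all: everything not matched above is best effort. Must stay last. #}
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_BE then forwarding-class BE
set firewall family ethernet-switching filter {{ COS_Filter }} term TAG_BE then loss-priority low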
ROUTE - BGP Setup
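{# ROUTE - BGP Setup: one group, one neighbor, BFD, and a prefix policy.
   Jinja comments are stripped at render time. #}
set routing-options autonomous-system {{ ASN }}

{# Fixed: "{{ Internal | External }}" is parsed by Jinja as a filter named External and
   fails to render. Group_Type is a constructed placeholder that must render to the
   literal "internal" or "external"; add it to the variable file. #}
set protocols bgp group {{ Group_Name }} type {{ Group_Type }}
set protocols bgp group {{ Group_Name }} multipath
{# 100 is the Junos default local-preference; the line is explicit for clarity only. #}
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} local-preference 100
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} local-address {{ Local_IP }}
{# TCP session authentication with a static key. Auth_Key is also the placeholder name used
   for the SNMPv3 authentication key; rendering both sections from one variable set gives
   both services the same secret. Junos also supports authentication-key-chain for
   rotation without resetting the session. #}
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} authentication-key {{ Auth_Key }}
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} export {{ Export_Filter }}
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} import {{ Import_Filter }}
{# BFD: 3000 ms interval x 4 = 12 s detection time. #}
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} bfd-liveness-detection minimum-interval 3000
set protocols bgp group {{ Group_Name }} neighbor {{ Neighbor_IP }} bfd-liveness-detection multiplier 4

{# Prefix policy. Fixed: the original placed the reject and the accept in a single term;
   a term holds only one terminating action, so the later "then" replaced the earlier one
   and every listed prefix received the same action. The reject now lives in
   {{ Term_Name }} and the accepts in a second term ({{ Term_Name }}-ACCEPT, a constructed
   name derived from the existing placeholder). Terms are evaluated in creation order. #}
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }} from route-filter 192.168.0.0/24 exact
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }} then reject
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }}-ACCEPT from route-filter 0.0.0.0/0 exact
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }}-ACCEPT from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }}-ACCEPT from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement {{ Policy_Name }} term {{ Term_Name }}-ACCEPT then accept
{# No terminal term: prefixes matching neither term fall through to the default BGP
   policy, which accepts. Add an explicit final reject term if this is meant to be an
   allow-list. #}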
SEC - IKE Phase 2
{# SEC - IKE Phase 2: the IKE gateway binding, the IPsec proposal and policy, and the VPN
   object that ties them together. Statement order within this section does not affect the
   resulting configuration. Jinja comments are stripped at render time. #}

{# IKE gateway: references an IKE policy defined outside this section.
   NOTE(review): the placeholder is spelled "Neighor"; the variable file must use the same
   spelling or the address will not render. #}
set security ike gateway {{ Gateway_Name }} ike-policy {{ IKE_Policy_Name }}
set security ike gateway {{ Gateway_Name }} address {{ External_Address_Neighor }}
set security ike gateway {{ Gateway_Name }} external-interface {{ External_Interface }}
{# DPD with platform defaults (no interval/threshold given). #}
set security ike gateway {{ Gateway_Name }} dead-peer-detection

{# Phase 2 proposal: ESP, AES-256-CBC, HMAC-SHA1-96, 8-hour lifetime.
   SHA-1 integrity and the group5 PFS below are legacy choices kept here for peer
   compatibility; Junos also offers hmac-sha-256-128 and group14 or stronger, which should
   be preferred whenever the remote side supports them. #}
set security ipsec proposal {{ IPSEC_Proposal_Name }} protocol esp
set security ipsec proposal {{ IPSEC_Proposal_Name }} encryption-algorithm aes-256-cbc
set security ipsec proposal {{ IPSEC_Proposal_Name }} authentication-algorithm hmac-sha1-96
set security ipsec proposal {{ IPSEC_Proposal_Name }} lifetime-seconds 28800

{# IPsec policy: PFS with DH group 5 (1536-bit MODP) and the proposal above. #}
set security ipsec policy {{ IPSEC_Policy_Name }} proposals {{ IPSEC_Proposal_Name }}
set security ipsec policy {{ IPSEC_Policy_Name }} perfect-forward-secrecy keys group5

{# VPN object: gateway + policy; tunnels are brought up at commit rather than on demand. #}
set security ipsec vpn {{ VPN_Name }} ike gateway {{ Gateway_Name }}
set security ipsec vpn {{ VPN_Name }} ike ipsec-policy {{ IPSEC_Policy_Name }}
set security ipsec vpn {{ VPN_Name }} establish-tunnels immediately
SEC - IPsec Interesting Traffic
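{# SEC - IPsec Interesting Traffic: a policy pair that steers matching flows into the VPN
   in both directions. Policy names 1 and 2 are fixed; if policies with those names already
   exist in either zone pair these statements merge into them rather than creating new ones.
   "application any" is usual for a site-to-site tunnel but means the tunnel carries every
   protocol between the two address groups - tighten it if only specific services are
   exchanged. Jinja comments are stripped at render time. #}

{# Internal -> Internet: policy 1, paired with policy 2. #}
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 match source-address {{ Internal_Address_Group }}
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 match destination-address {{ Partner_Tunnel_Address_Group }}
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 match application any
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 then permit tunnel ipsec-vpn {{ VPN_Name }}
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 then permit tunnel pair-policy 2
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 then log session-init
{# Added: session-close logging records byte counts and duration per flow, which
   session-init alone does not provide for investigations. #}
set security policies from-zone {{ Internal_Zone }} to-zone {{ Internet_Zone }} policy 1 then log session-close

{# Internet -> Internal: policy 2, paired with policy 1. #}
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 match source-address {{ Partner_Tunnel_Address_Group }}
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 match destination-address {{ Internal_Address_Group }}
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 match application any
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 then permit tunnel ipsec-vpn {{ VPN_Name }}
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 then permit tunnel pair-policy 1
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 then log session-init
set security policies from-zone {{ Internet_Zone }} to-zone {{ Internal_Zone }} policy 2 then log session-close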