以下是netscreen 防火墙active-passive典型配置:: I' O& G) W( a! U# P9 s
2_cfg: V) p0 e* E4 ^) ?6 W5 M
! `8 K$ X- m7 t' M6 @& R
unset key protection enable) s9 V; {% T1 @
set clock timezone 0) y, u/ j4 d' Y( N- o# y8 z
set vrouter trust-vr sharable
$ b' ~2 v+ x. P r% I% [: _5 I1 [set vrouter "untrust-vr"
0 W& `; |1 j8 `, J5 w9 n7 K5 oexit
3 a0 d1 p) O* l! ~7 jset vrouter "trust-vr"" |. t4 V# X- U4 s( G% J% h
unset auto-route-export9 n6 h7 O7 p( V
exit0 Q9 Z" I( g' I& k& K m9 m
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002
0 `6 L W; }0 B# t2 r6 ]set alg appleichat enable& ?5 ~' y# r$ z
unset alg appleichat re-assembly enable
) h2 g. z1 u) ` Oset alg sctp enable
. [9 j. M3 k3 o# y" j! B$ O5 Hset auth-server "Local" id 0
$ m& X4 F( w, z" w6 yset auth-server "Local" server-name "Local"
- U; O# g) `% A' O- B& xset auth default auth server "Local"
7 c1 ?, t2 V# l# `* c) y# Q7 bset auth radius accounting port 1646) x3 r0 J/ o- Z- X& w- T
set admin name "netscreen"- e; n$ R: L1 T) i; i, T
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
# H# _9 b8 Y jset admin auth web timeout 100 `5 f% y& C. c9 N5 [: \
set admin auth server "Local"0 N. F* O1 J- C1 w/ r* [3 |, Z4 K
set admin format dos
1 m2 q3 c# m# [set zone "Trust" vrouter "trust-vr"
1 |5 q7 d* k" N+ p/ `7 @set zone "Untrust" vrouter "trust-vr"
# N! ]6 c- N& g9 s1 o6 c! i% H& _ mset zone "DMZ" vrouter "trust-vr"
! K' X, K2 L" h% o6 k% z' m& ]set zone "VLAN" vrouter "trust-vr"" I6 p, p$ B: k( |- G/ E
set zone "Untrust-Tun" vrouter "trust-vr"9 `5 j5 v+ N: [* |0 P" V7 U/ ^( ]
set zone "Trust" tcp-rst * q S4 q! f+ r' I4 u& I/ P2 F: F
set zone "Untrust" block R; d" l. |2 d5 w R
unset zone "Untrust" tcp-rst
% Q8 L0 v2 e8 wset zone "MGT" block ' l# j5 b$ z d( x- g0 o: `1 y
unset zone "V1-Trust" tcp-rst 7 }2 D. o7 r! w: N7 m
unset zone "V1-Untrust" tcp-rst 3 W0 p3 \0 }( _8 k# \
set zone "DMZ" tcp-rst 3 ~0 l+ r: Q5 f: L3 V. k/ K, f) r
unset zone "V1-DMZ" tcp-rst " a0 l, i% {& W
unset zone "VLAN" tcp-rst
4 P5 e+ b4 a3 B' qset zone "Untrust" screen tear-drop
7 p5 V5 z+ E* m- f( y. s' @8 I9 iset zone "Untrust" screen syn-flood
# _) H q/ J+ f& l7 @set zone "Untrust" screen ping-death% Y0 `' ?& j1 f9 n5 z
set zone "Untrust" screen ip-filter-src2 \/ ?& ~- d1 n" F; n
set zone "Untrust" screen land
6 G6 v$ h' P! f2 Oset zone "V1-Untrust" screen tear-drop
; f, E! P6 u4 z: Z/ `set zone "V1-Untrust" screen syn-flood, N# M/ t1 S( P2 {) L
set zone "V1-Untrust" screen ping-death' ?* y& L* f4 @- O7 y
set zone "V1-Untrust" screen ip-filter-src+ P/ O7 r1 y, u$ y
set zone "V1-Untrust" screen land
0 @! d F; c4 F F% C8 {( |+ Qset interface "ethernet0/0" zone "Null"
7 k* a Z3 U+ J$ f" g2 Eset interface "ethernet0/1" zone "Null"4 D) w6 w3 d" I- i( }
set interface "ethernet0/2" zone "Untrust"
7 ? k) R. ^( c( \9 w Fset interface "ethernet0/3" zone "Untrust"8 M( t( ]( H$ k3 A1 l9 d8 |$ ?
set interface "ethernet0/4" zone "HA"
( E7 b1 w v6 d$ yset interface "ethernet0/5" zone "HA"* D, L3 X* [" H! O6 M$ z& c) Y: c: A' |
set interface "ethernet0/6" zone "DMZ". A8 l7 V9 G, F( w0 o: b! o6 G3 Y \
set interface "ethernet0/8" zone "Trust"
5 n; O1 r: @! W( p/ tunset interface vlan1 ip* w( ]* m9 E: Z
set interface ethernet0/2 ip 116.247.91.98/29% O: y6 {2 `! X% ~ G
set interface ethernet0/2 route
3 m" g/ v G5 x4 F. uset interface ethernet0/3 ip 140.206.34.178/30
5 a5 G8 v. i1 g# e4 I6 v; b. \set interface ethernet0/3 route. Z$ `2 b6 S. e, ^' k* O& s1 h* X
set interface ethernet0/6 ip 10.131.126.18/280 h$ v, u. B; Y! ~. [7 b @
set interface ethernet0/6 nat3 ?' {# ~2 |1 h+ ]' K
set interface ethernet0/8 ip 10.131.126.4/28
8 d) t0 J+ |* } lset interface ethernet0/8 nat
5 v0 x. Y4 l- V$ v* Dunset interface vlan1 bypass-others-ipsec7 {: ~6 v9 T: z8 g
unset interface vlan1 bypass-non-ip
! r. ?: P7 p7 S. X5 ~! Wset interface ethernet0/2 manage-ip 116.247.91.99. p" C7 `2 |+ d! p
set interface ethernet0/6 manage-ip 10.131.126.20
6 ` {/ f9 a/ {# \set interface ethernet0/8 manage-ip 10.131.126.2
5 J* b- `8 W2 X/ yset interface ethernet0/2 ip manageable# K) N' r1 n) q( F7 \. H
unset interface ethernet0/3 ip manageable
! d, O7 M4 g% {( u' n* Z* Bset interface ethernet0/6 ip manageable& h) a g' n2 p( X
set interface ethernet0/8 ip manageable
) b$ s, p' U" Yset interface ethernet0/2 manage ping
9 f% r* d$ r- u/ C+ w8 _% `# }set interface ethernet0/2 manage ssh
9 x6 H% h/ C. F$ Zset interface ethernet0/2 manage telnet8 e$ h ~- @- N$ `7 h" F
set interface ethernet0/2 manage snmp
$ V/ b5 [7 _+ sset interface ethernet0/2 manage ssl) q- I9 s. {! x; s& t6 k9 O
set interface ethernet0/2 manage web
; g7 A! [+ @- E6 d0 V% B& tset interface ethernet0/3 manage ping
/ T+ m! y( j5 Sset interface ethernet0/3 manage ssh
# O0 y7 R; x1 rset interface ethernet0/3 manage telnet
& ?( o3 F- m5 h* L9 H! Bset interface ethernet0/3 manage snmp' x @ C k! x+ Y" t6 ^
set interface ethernet0/3 manage ssl
3 ]: o+ w. F7 Q* T! v7 k& eset interface ethernet0/3 manage web! L, H& Y* u3 D: f
set interface ethernet0/6 manage ssh/ m5 V8 G% ~+ }
set interface ethernet0/6 manage telnet4 }7 v8 U, D4 {5 _7 T Z
set interface ethernet0/6 manage snmp1 q. `7 u! P: f& g. } k" p* o
set interface ethernet0/6 manage ssl3 B( A5 e% ~( V2 E* {
set interface ethernet0/6 manage web
9 i7 N* p, h' {set interface ethernet0/2 monitor track-ip ip
5 ?3 c9 E6 v0 [set interface ethernet0/2 monitor track-ip threshold 10
( h% F" u/ W% d( u0 Hset interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 36 J# @9 K; T- X) ^5 p- f. J
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12' m( D" j! w7 D5 u1 S" A" ]
unset interface ethernet0/2 monitor track-ip dynamic
8 j( }" F+ b* O. f5 c9 D5 s2 ]0 Dunset flow no-tcp-seq-check& w- E* f2 @. F2 E5 i
set flow tcp-syn-check
% r- U/ F8 _( o# A7 r) ounset flow tcp-syn-bit-check
) |- T# J P% y0 }0 x y& dset flow reverse-route clear-text prefer
6 |, r0 a( K4 M7 S0 R$ _ X5 zset flow reverse-route tunnel always, U5 c3 h$ `+ d) O' B- ]8 u2 ^
set console page 06 J+ t l0 V( X$ k8 [
set hostname RT3-xzl-1F-S-SSG140-10.131.126.2
r. r0 y2 e/ U! G" R3 g- w6 Zset pki authority default scep mode "auto"
4 N2 J- |4 Y1 a! b, E5 Bset pki x509 default cert-path partial% a' ^8 c2 h+ H' ?9 Q- Q
set nsrp cluster id 15 w0 b1 e# @* ?9 \0 G
set nsrp cluster name FXGL
' h6 r2 J- T8 O) y2 Z: C5 j1 \set nsrp rto-mirror sync
* K4 f. x; y8 v5 i6 sset nsrp rto-mirror route! t& s0 S3 G2 H- U3 g
set nsrp vsd-group master-always-exist
' g* l4 |: M q \/ Hset nsrp vsd-group id 0 priority 1002 P& i9 Z0 ~& s8 g9 [
set nsrp vsd-group id 0 preempt, ^, A& _; I2 [' }: `+ ]/ y$ R. y
set nsrp secondary-path ethernet0/8
* x3 K3 K5 }& X9 [& I# D& D& rset nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16
- Q0 r) i6 D; d5 C7 ~& _4 Uset nsrp vsd-group id 0 monitor track-ip ip
1 h6 R! y1 ]9 a% |* R! f5 Aset nsrp vsd-group id 0 monitor track-ip threshold 30) X3 K" M: O( n+ b5 A
set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
% \' O3 U1 ` I: Oset nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
# }8 {% e) h/ v9 N& zset nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32+ x0 ? R) Q6 x5 b9 J4 H
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/67 M O2 G& q7 ]
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
: z+ {: q, _+ V- a; ^+ k& _set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32! j( h7 f4 J$ ]& U* E* a
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8( ~7 }4 l/ j3 a& v
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10$ i0 C# i5 b* ?0 G& _- ^ J
set nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32/ f8 l# o3 {, j1 B: S+ ~- ]2 w
set nsrp ha-link probe4 }2 k& r" O3 X. f% z- y
set dns host dns1 202.96.209.5 src-interface ethernet0/2- A3 C% h% s- A
set dns host dns2 0.0.0.0
9 e, q6 e. x8 u: eset dns host dns3 0.0.0.0
# [2 K8 m9 I9 C" u3 z1 Cset crypto-policy
5 G' j, S1 D" I, _exit
5 h T) x; V' z. u2 }set ike respond-bad-spi 1& ?) ?/ q9 J. G& E V1 B0 q
set ike ikev2 ike-sa-soft-lifetime 600 P0 ?+ w# ?5 x
unset ike ikeid-enumeration! G8 z" O h7 `2 \0 s" r
unset ike dos-protection7 e& f1 ~% H4 u9 z7 T5 ?8 U
unset ipsec access-session enable% |7 J& \4 m. s0 u
set ipsec access-session maximum 5000
/ } K" S6 i2 Jset ipsec access-session upper-threshold 0
% | M5 L0 H0 o4 G2 V5 x* zset ipsec access-session lower-threshold 0! e8 U6 y6 }' B
set ipsec access-session dead-p2-sa-timeout 0
& |7 I4 X% h- ounset ipsec access-session log-error1 ]% w7 h: O& {. n0 n
unset ipsec access-session info-exch-connected
/ k* l4 O9 ~1 A( J6 D3 {unset ipsec access-session use-error-log" m; N5 J+ |. L! ]/ p
set vrouter "untrust-vr"
: B# d; _+ A$ [+ b# Z; vexit( Y- D/ N( D% Z% A5 F, Q
set vrouter "trust-vr"
/ U) o1 z4 c4 |0 w& M( P" hexit; U- {8 Y+ e' H+ i3 y7 T
set url protocol websense6 V7 V" h% ?: ^3 E" C; H i) ]
exit! B% W# g. _6 M
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log 8 A$ u. W" k3 T9 y* }2 k6 z
set policy id 1
4 }* H( X# q2 a% g. n+ s, n( x) Yexit b4 I0 |, X! |9 d3 q
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
0 a9 {# w6 b7 Cset policy id 43 e# k& J% I- ~8 k
exit
/ p8 O3 V9 {* s8 N; {set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log Y0 d/ p* u) u6 s+ u3 |9 m
set policy id 5* S0 f; l5 `2 f7 p
exit
4 \1 w) v( O/ |0 Yset policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log , E* p4 ^4 k D' I1 v
set policy id 6: w* J3 L9 {) ^
exit& O- D+ J7 o ?6 R% y
set nsmgmt bulkcli reboot-timeout 60
4 M- R5 E3 P/ qset ssh version v2
4 ~: X* F. @6 @6 ^) J2 lset config lock timeout 5! Q' V0 B: E3 L6 I% |8 J+ z& l
unset license-key auto-update4 }" T4 K) d0 A
set telnet client enable9 {' {: Q- I% D6 O' p
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
2 O5 L- I/ r' F1 N8 C7 o' p/ ^set snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8 / Y7 r' |5 G/ c" O. a |1 r, x! K
set snmp name "RT3-xzl-1F-S-SSG140-10.131.126.2" V0 w3 g4 Y b$ h& y& ^8 [# U7 S
set snmp port listen 1617 Y+ a- r' l; l6 @! ~! u
set snmp port trap 1621 w# e) N/ ^' h) a
set vrouter "untrust-vr"9 [5 e3 d5 S7 a4 ?/ j/ q
exit* E! Y) C" d1 X
set vrouter "trust-vr": B" `9 R0 Z8 A( W& C" n) Z+ [
unset add-default-route
. R" M3 Q9 z/ Eset route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet"
$ m, n" I! V: \8 a. A$ Rset route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"8 g) L; @& y0 x8 _5 G
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"
) u. b. }, g6 G8 Z9 L5 M5 u6 Uset route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ": g2 L( w* T& f) N
exit
5 |4 V0 l7 v5 a' aset vrouter "untrust-vr"- n% x1 Y; C# v. | Z. `
exit' B9 n. m {- h/ }% M
set vrouter "trust-vr"* x9 W* |. {1 p2 @/ Y9 Z! }& k
exit) Y) _* F, }) `
) K5 O' J$ }" \- p H0 r2 s# C: Z F# I4 P6 d4 P
3_cfg! k6 W& J2 m$ _( _8 v
0 r2 X6 C8 l. x$ x: W# ~1 Y7 Sunset key protection enable7 c, }: S) p* L9 A, F1 [# @9 L1 P
set clock timezone 0- a) w5 `: ]1 |, S! s/ M
set vrouter trust-vr sharable5 G: O% g1 u% O/ y, o* {( P# p7 b6 R6 R
set vrouter "untrust-vr"- i# Z6 d, v) ~' G' K
exit
6 E' S0 a: p) J7 x/ ?$ J2 [set vrouter "trust-vr"' J9 _4 n5 L' {. I9 C) N% Q( @
unset auto-route-export" y7 D: z8 G, I/ C N9 O) o, u! ^$ W
exit+ @7 U4 ~' L8 M+ i
set service "ACS" protocol tcp src-port 0-65535 dst-port 2002-2002 1 D; C1 l6 \6 Q+ n0 U$ H
set alg appleichat enable2 e& [5 X/ c& Z v( {
unset alg appleichat re-assembly enable" f0 G7 n7 Y1 }( r( Y9 b
set alg sctp enable
$ t) t2 k% ~- s5 F) Sset auth-server "Local" id 0
4 M$ G" T0 @7 h: f4 cset auth-server "Local" server-name "Local"* Z/ R9 N* {# p$ S8 r6 j- m' [0 ?
set auth default auth server "Local"
8 }' A0 C; Z% y: X2 e3 N, h0 F; ~set auth radius accounting port 1646
\( b, Q4 V- d& X/ J. Jset admin name "netscreen"
* J+ }( k7 N& h" v9 |0 Z6 }+ L8 h9 qset admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
4 `; j) q7 t, p8 i* Wset admin auth web timeout 10
5 G6 W/ U- u# Y6 e4 r/ Bset admin auth server "Local"
1 { o* d5 E) q+ `set admin format dos- U9 L: \& {' S5 x0 Q3 n6 \9 z( ~8 P, a
set zone "Trust" vrouter "trust-vr"
9 t6 U8 Q$ p1 C6 {$ b) q x" Oset zone "Untrust" vrouter "trust-vr"( r4 ]4 X$ t" s: }! J9 `
set zone "DMZ" vrouter "trust-vr"' ?0 d( M8 _$ h# O. c7 j% J
set zone "VLAN" vrouter "trust-vr"% d4 ]) ?4 F9 U% t: O, j- m# j
set zone "Untrust-Tun" vrouter "trust-vr"
8 T6 W: M, u4 d6 R/ Z7 wset zone "Trust" tcp-rst . G: s9 J: X4 ?' c2 v
set zone "Untrust" block
6 k! n, Y& M# Y4 ~unset zone "Untrust" tcp-rst
0 k, u& X; d0 Pset zone "MGT" block
7 ]: [# ~. A d$ B7 C" G2 s: tunset zone "V1-Trust" tcp-rst 1 M: j1 a3 R5 U+ k+ l, ^
unset zone "V1-Untrust" tcp-rst ; M/ A* ?# K: T- N% C3 _
set zone "DMZ" tcp-rst
$ ]7 F' w$ z3 r% H3 }unset zone "V1-DMZ" tcp-rst
6 u5 P7 g: i8 C2 h4 Junset zone "VLAN" tcp-rst 5 o/ r4 O5 l+ o; P7 L
set zone "Untrust" screen tear-drop# M4 H4 O! d0 a8 u3 [& ~1 |$ @
set zone "Untrust" screen syn-flood
3 ?4 ]* z) P) o/ U8 m, rset zone "Untrust" screen ping-death
2 a) B" C9 |" a) |set zone "Untrust" screen ip-filter-src6 P. x& m' Y' d7 {* Q4 ]
set zone "Untrust" screen land
' ]5 r& \0 R+ F: f8 _& S9 c! iset zone "V1-Untrust" screen tear-drop) y" M0 [% f3 u3 o$ D
set zone "V1-Untrust" screen syn-flood
2 e }2 b4 E, W- t7 s3 C& n9 iset zone "V1-Untrust" screen ping-death
( K T1 a: Q: A3 X& G" dset zone "V1-Untrust" screen ip-filter-src, Z) l: }" f7 G* j* o
set zone "V1-Untrust" screen land
, N5 C; M# v2 \set interface "ethernet0/0" zone "Null"/ U6 A0 X& |5 i5 v9 Y3 T6 Y
set interface "ethernet0/1" zone "Null") P! A/ @* m! G0 Z+ Q0 ?
set interface "ethernet0/2" zone "Untrust"; J' w4 O1 M. C) F% X$ d$ T$ ~
set interface "ethernet0/3" zone "Untrust"
. z4 c$ L5 j, Q0 G" O9 S5 ^set interface "ethernet0/4" zone "HA"3 y R! a% K. R; q }& m
set interface "ethernet0/5" zone "HA"% ^2 r( k8 L2 ]1 M- i9 n$ o3 Q
set interface "ethernet0/6" zone "DMZ") A; Y4 y2 {2 m5 T0 A" ~
set interface "ethernet0/8" zone "Trust"6 S$ z8 \- L6 ?. O- ?- [( z
unset interface vlan1 ip6 ~6 q' T: F; L# @9 n r! ?8 N6 z
set interface ethernet0/2 ip 116.247.91.98/29
0 G; N* W1 ~# a. D, ^set interface ethernet0/2 route- z# T9 i6 d' i/ ^8 O; U
set interface ethernet0/3 ip 140.206.34.178/30
+ y# r5 \- m6 Hset interface ethernet0/3 route; b, s" m! q6 [! K* `
set interface ethernet0/6 ip 10.131.126.18/280 r- g/ q: i4 K4 r" m( R
set interface ethernet0/6 nat
) U: Z: Z% b# h' s9 m1 x3 yset interface ethernet0/8 ip 10.131.126.4/28
9 Y" B6 W5 M! ^7 r, dset interface ethernet0/8 nat
P9 L9 \9 x) f& ]: C, ounset interface vlan1 bypass-others-ipsec4 n! P4 O* M$ s
unset interface vlan1 bypass-non-ip
4 Q' `0 ~1 D" k; }& H* Dset interface ethernet0/2 manage-ip 116.247.91.100
+ }9 o. J6 q- n) |# z* O( Wset interface ethernet0/6 manage-ip 10.131.126.219 f' f# P* `& l7 ^' r& I7 p
set interface ethernet0/8 manage-ip 10.131.126.3
* ], V D! _. h/ v3 W: yset interface ethernet0/2 ip manageable7 j# K, [5 n7 E, ~
unset interface ethernet0/3 ip manageable
) }7 Q; G! y" Yset interface ethernet0/6 ip manageable
) Q. F: \: i/ X$ m0 _) Pset interface ethernet0/8 ip manageable# b0 o% Q$ o" `; x6 W3 S
set interface ethernet0/2 manage ping( `* X* T0 v, I+ I7 r1 T
set interface ethernet0/2 manage ssh
3 S( D' n+ Z( X& y0 Xset interface ethernet0/2 manage telnet4 E( W/ l1 o- R# F; h
set interface ethernet0/2 manage snmp7 x0 N1 P \9 D; w) Y
set interface ethernet0/2 manage ssl: ^% g. N: Y1 l U! Y5 H/ u3 V( q0 j
set interface ethernet0/2 manage web
( E% L% ~1 x, _1 d3 Mset interface ethernet0/3 manage ping
2 k5 |' B7 g% h0 U* Cset interface ethernet0/3 manage ssh
' q2 z4 p1 s! U% E2 k# tset interface ethernet0/3 manage telnet; S# s6 _ r/ l- F# q! B
set interface ethernet0/3 manage snmp
' E5 _9 X' @9 ~; Nset interface ethernet0/3 manage ssl
. J! B7 b9 y4 G0 x; ]8 U0 Hset interface ethernet0/3 manage web
4 F. O; r8 b6 a0 n( N; s- R% Tset interface ethernet0/6 manage ssh
0 J0 A6 r( c7 E" i: L3 q; i* Zset interface ethernet0/6 manage telnet
% E9 h. A) M, e( rset interface ethernet0/6 manage snmp
& ~: Z" a% f+ o: t1 v* t/ k/ w- @set interface ethernet0/6 manage ssl
* e' r5 s u' Bset interface ethernet0/6 manage web
2 g, [, W8 R$ X4 ~( qset interface ethernet0/2 monitor track-ip ip* J5 v3 C4 e# o+ N0 J
set interface ethernet0/2 monitor track-ip threshold 106 p% ]" u9 J2 l- r5 k
set interface ethernet0/2 monitor track-ip ip 124.74.147.117 interval 3
, ?1 ^5 P% X' [8 m# l0 D4 Cset interface ethernet0/2 monitor track-ip ip 124.74.147.117 weight 12# j; M7 H+ z5 J! K9 @6 Z1 o0 S
unset interface ethernet0/2 monitor track-ip dynamic
* D. j; ` |1 s1 I" J+ L- nunset flow no-tcp-seq-check4 ~4 R) }# S# R/ K [
set flow tcp-syn-check$ p) r( ~. _1 I x
unset flow tcp-syn-bit-check: U, K- B! K$ b+ R
set flow reverse-route clear-text prefer
2 M0 j1 b: i1 q" Kset flow reverse-route tunnel always
3 d% B- D/ u" gset console page 0
, ]9 r( ^" y- f( u3 ~, {+ Vset hostname RT3-T2-5F-S-SSG140-10.131.126.3* ?& |; o1 R) i/ _- P
set pki authority default scep mode "auto"
, A `) s5 |! r! A9 \# d F5 p2 H& Sset pki x509 default cert-path partial
8 [! W; p* ~" V; I6 R& [' W) qset nsrp cluster id 15 E! ?6 [6 O, E
set nsrp cluster name FXGL& N; @$ C% ~6 `1 p2 E: q) n, l" z
set nsrp rto-mirror sync
; a! @. P+ E, G4 cset nsrp rto-mirror route
7 `$ D k d6 k( oset nsrp vsd-group master-always-exist" G) q% V% r) q: X
set nsrp vsd-group id 0 priority 1507 J I+ e7 X4 @4 ]" C9 v
set nsrp vsd-group id 0 preempt
7 C! Y/ q, ?. y, q* Eset nsrp secondary-path ethernet0/8* }% }& Z( h: n: b
set nsrp vsd-group id 0 monitor interface ethernet0/3 weight 16. d' q/ l3 S# a" o; C8 s: W
set nsrp vsd-group id 0 monitor track-ip ip' e Q* y$ c' {9 }6 `) |) t/ E
set nsrp vsd-group id 0 monitor track-ip threshold 30
, j5 j6 k1 Z6 q, Sset nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interface ethernet0/2
f) D# ^1 A( ?' y% Kset nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 interval 10
, x3 t% m! w [# t. u& ^set nsrp vsd-group id 0 monitor track-ip ip 124.74.147.117 weight 32
6 k/ M- b, R& s7 t% c- q1 X% oset nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interface ethernet0/8
9 k% M. \5 E7 Xset nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 interval 10
3 P$ ?" f3 N! A6 \, fset nsrp vsd-group id 0 monitor track-ip ip 10.131.127.249 weight 32% }0 h$ ]3 j$ p& V
set nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interface ethernet0/6
6 E6 P1 r, c( ~5 iset nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 interval 10
. }0 N' J2 v* cset nsrp vsd-group id 0 monitor track-ip ip 10.131.121.254 weight 32
% H3 ?7 O! m) iset nsrp ha-link probe- }! y+ k7 c4 J4 }" V
set dns host dns1 202.96.209.5 src-interface ethernet0/2
( T5 \/ {7 V' T7 T2 o) Cset dns host dns2 0.0.0.0: a3 I, o" I, r2 p+ D
set dns host dns3 0.0.0.0' }' M7 B) [) G9 s7 f4 d$ l6 T
set crypto-policy1 Y* g# W6 {4 |( ?$ q) y
exit% X- `3 `5 Y2 e% B: s" w/ ?
set ike respond-bad-spi 1: G h4 X# P. ^) m9 m* o' E9 L
set ike ikev2 ike-sa-soft-lifetime 60; U6 p) e3 X7 g
unset ike ikeid-enumeration
+ q5 G: \5 d8 f* Munset ike dos-protection
V8 v. I3 V# ?; C9 Xunset ipsec access-session enable
: o3 S# Z4 q. Q- ^% N6 o( F& `. t$ O( Cset ipsec access-session maximum 5000& M/ X: x2 J$ F
set ipsec access-session upper-threshold 0) y% G8 N+ [ w' \( l% }$ i
set ipsec access-session lower-threshold 0
# U7 }8 c5 c% \ l$ uset ipsec access-session dead-p2-sa-timeout 0
* F9 g% s& y( C) l( O1 W( z( r4 _unset ipsec access-session log-error' B" K+ p2 J* d7 s; b
unset ipsec access-session info-exch-connected6 _ S- N8 a; S% |( K& `
unset ipsec access-session use-error-log' i! \7 @& U$ j9 `
set vrouter "untrust-vr"6 z& p; I& u- p! T! A0 E2 Y8 R
exit3 B0 N# l7 t4 D* c8 O* V1 u( J3 w
set vrouter "trust-vr"
. ?% _' U3 h: P( Z* S+ T+ aexit/ b5 ~0 a% F9 `0 U0 Y# @! S: p
set url protocol websense X9 w6 g2 k! p8 e& O" O1 N
exit
6 j& o- r7 z0 |( J' k% G6 ?. t- hset policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
5 P4 t4 R. r3 Q: }0 Kset policy id 1
5 f& S- s: @! R3 F7 j7 i( O3 \$ lexit) ~# k$ L- x: U, A
set policy id 4 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
- x: T Q7 V* B) [- f% v3 K" Lset policy id 4
8 c9 @. t, t. \& w1 v4 s% eexit" n: c9 d5 s* b; c
set policy id 5 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log 0 M6 u% Q+ g3 j
set policy id 59 \. O) ?: P% h& Y$ l0 |* w
exit
6 m* S- D) O/ [& q, p# j, sset policy id 6 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log # `( v# @* n; s5 S4 B
set policy id 6
& Z& X6 F' H. t: b8 Uexit
: @: b4 g' \% ?( z# [set nsmgmt bulkcli reboot-timeout 60
2 Y9 a5 Z& [' G0 X! C7 [- I! q% uset ssh version v2
" M9 E1 V; v' q' }# Rset config lock timeout 5
; L4 @4 N7 @. h) w# Hunset license-key auto-update
( w% x: p' `4 J/ r5 m9 q; rset telnet client enable$ o2 V$ V- m- d e( _! d- \
set snmp community "ri-teng@pega" Read-Only Trap-on traffic version v2c
2 p2 @' s1 g1 N$ l; @# Y0 uset snmp host "ri-teng@pega" 0.0.0.0 0.0.0.0 src-interface ethernet0/8
9 E$ h) P0 g- Z% l: w8 rset snmp port listen 161; i1 F: s9 o5 a9 A# L
set snmp port trap 162
/ q7 Q! V" F6 `. @set vrouter "untrust-vr"
% W% L) e& J5 L9 w/ O0 Jexit7 y, n9 e" e9 u. b& v9 w
set vrouter "trust-vr"1 [& }# P6 X) @! G
unset add-default-route
$ L* ^2 ]0 W2 @set route 0.0.0.0/0 interface ethernet0/2 gateway 116.247.91.97 description "CT-Internet" t: o+ X0 l0 V4 G3 Q
set route 10.0.0.0/8 interface ethernet0/8 gateway 10.131.126.13 description "OA"1 w# T* Y, e2 x Q
set route 0.0.0.0/0 interface ethernet0/3 gateway 140.206.34.177 description "CMCC-internet"( j0 v3 G! ?7 a8 C7 W
set route 10.131.121.0/24 interface ethernet0/6 gateway 10.131.126.28 description "DMZ"
9 D" N! x) Z9 Uexit$ i9 C8 X% U l
set vrouter "untrust-vr"
0 J) Z/ y! s4 w" bexit- o3 D" X. I+ M6 ]& c8 p( h
set vrouter "trust-vr"
( V4 v: q! i; e% ^) @: R% fexit |