Appendix: SRX Series Device and Cisco Catalyst Switch Configurations
The configuration files for the devices used to build this configuration example are provided below. They were captured from a lab environment and are provided for reference only; actual configurations vary with the requirements of your environment. In particular, several settings are lab conveniences rather than recommendations: the SRX enables telnet and xnm-clear-text alongside SSH and NETCONF, accepts all system services and protocols as host-inbound traffic on both security zones, and ends with a permit-all global policy; the Catalyst stores its RADIUS shared secret in cleartext (no service password-encryption).
SRX1500 Configuration
The following sample shows the configuration for the SRX1500 device used in this configuration example.
set version 15.1X49-D80.4
set system host-name SRX1500-WF
set system time-zone America/New_York
set system root-authentication encrypted-password "$ABC123"
set system name-server 8.8.8.8
set system services ssh max-sessions-per-connection 32
set system services telnet
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group wan-dhcp2 interface irb.14
set system syslog user * any emergency
set system syslog host 192.168.10.4 structured-data
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any info
set system syslog file default-log-messages match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set system syslog file default-log-messages structured-data
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 203.0.113.1
set services application-identification
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services ssl initiation profile aamw-ssl actions crl disable
set services security-intelligence url https://10.13.107.164:443/api/v1/manifest.xml
set services security-intelligence authentication auth-token RL520JGQ1DJQQI0ZZN2DALB0I0DP7HCL
set services security-intelligence profile TP_CC category CC
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 2
set services security-intelligence profile TP_CC rule Rule-1 then action permit
set services security-intelligence profile TP_CC rule Rule-1 then log
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 3
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 4
set services security-intelligence profile TP_CC rule Rule-2 then action permit
set services security-intelligence profile TP_CC rule Rule-2 then log
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 5
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 6
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 7
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 8
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 9
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 10
set services security-intelligence profile TP_CC rule Rule-3 then action block drop
set services security-intelligence profile TP_CC rule Rule-3 then log
set services security-intelligence profile TP_Infected-Hosts category Infected-Hosts
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 1
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 2
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 3
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 4
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 5
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 6
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then action permit
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then log
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 7
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 8
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 9
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 10
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then action block drop
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then log
set services security-intelligence policy TP CC TP_CC
set services security-intelligence policy TP Infected-Hosts TP_Infected-Hosts
set services advanced-anti-malware connection url https://srxapi.us-west-2.sky.junipersecurity.net
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services advanced-anti-malware policy TP http inspection-profile default_profile
set services advanced-anti-malware policy TP http action block
set services advanced-anti-malware policy TP http notification log
set services advanced-anti-malware policy TP verdict-threshold 5
set services advanced-anti-malware policy TP fallback-options action permit
set services advanced-anti-malware policy TP fallback-options notification log
set services advanced-anti-malware policy TP default-notification log
set services advanced-anti-malware policy TP whitelist-notification log
set services advanced-anti-malware policy TP blacklist-notification log
set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.10.1
set security log stream TRAFFIC category all
set security log stream TRAFFIC host 192.168.10.4
set security log stream TRAFFIC host port 514
set security pki ca-profile aamw-ca ca-identity deviceCA
set security pki ca-profile aamw-ca enrollment url http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe
set security pki ca-profile aamw-ca revocation-check disable
set security pki ca-profile aamw-ca revocation-check crl url http://va.junipersecurity.net/ca/deviceCA.crl
set security pki ca-profile aamw-secintel-ca ca-identity JUNIPER
set security pki ca-profile aamw-secintel-ca revocation-check crl url http://va.junipersecurity.net/ca/current.crl
set security pki ca-profile aamw-cloud-ca ca-identity JUNIPER_CLOUD
set security pki ca-profile aamw-cloud-ca revocation-check crl url http://va.junipersecurity.net/ca/cloudCA.crl
set security policies global policy PolicyEnforcer-Rule1-1 match source-address any
set security policies global policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-1 match application any
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy TP
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy TP
set security policies global policy GlobalPermit match source-address any
set security policies global policy GlobalPermit match destination-address any
set security policies global policy GlobalPermit match application any
set security policies global policy GlobalPermit match from-zone any
set security policies global policy GlobalPermit match to-zone any
set security policies global policy GlobalPermit then permit
set security policies global policy GlobalPermit then log session-init
set security policies global policy GlobalPermit then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.14
set security zones security-zone trust interfaces irb.12
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces irb.13
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN12
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN14
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN13
set interfaces fxp0 unit 0 family inet address 10.13.107.186/23
set interfaces irb unit 12 family inet address 192.168.10.1/24
set interfaces irb unit 13 family inet address 192.168.231.1/24
set interfaces irb unit 14 family inet address 192.168.11.1/24
set snmp trap-group space targets 10.13.107.162
set routing-options static route 172.28.0.0/16 next-hop 10.13.106.1
set routing-options static route 10.13.0.0/16 next-hop 10.13.106.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.231.10
set routing-options static route 172.29.0.0/16 next-hop 10.13.106.1
set routing-options static route 172.30.76.0/23 next-hop 10.13.106.1
set routing-options static route 10.163.69.44/30 next-hop 10.13.106.1
set protocols l2-learning global-mode switching
set access address-assignment pool wan-2 family inet network 192.168.11.1/24
set access address-assignment pool wan-2 family inet range wan-2-range low 192.168.11.10
set access address-assignment pool wan-2 family inet range wan-2-range high 192.168.11.20
set access address-assignment pool wan-2 family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool wan-2 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool wan-2 family inet dhcp-attributes router 192.168.11.1
set vlans VLAN12 vlan-id 12
set vlans VLAN12 l3-interface irb.12
set vlans VLAN13 vlan-id 13
set vlans VLAN13 l3-interface irb.13
set vlans VLAN14 vlan-id 14
set vlans VLAN14 l3-interface irb.14
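Before carrying a lab configuration like the one above into production, it is worth having a script flag the lab-only settings and confirm that every threat level in each security-intelligence profile is matched by some rule with the action you expect. The following is an added example written for this page, not Juniper's code or anything shipped with the SRX: it parses set-format statements and reports cleartext management services, zones that accept all host-inbound system services, any/any/any global policies that permit without application services, and the per-threat-level action of each security-intelligence profile. SAMPLE_CONFIG is a constructed, abridged excerpt of the SRX1500 configuration above (TP_Infected-Hosts, PKI and interface stanzas omitted), and the block_from threshold is this audit's own assumption, not a Junos setting.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt of the SRX1500 set-format configuration on this
# page (TP_Infected-Hosts, PKI and interface stanzas omitted).
SAMPLE_CONFIG = """\
set system services ssh max-sessions-per-connection 32
set system services telnet
set system services xnm-clear-text
set system services netconf ssh
set services security-intelligence profile TP_CC category CC
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 2
set services security-intelligence profile TP_CC rule Rule-1 then action permit
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 3
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 4
set services security-intelligence profile TP_CC rule Rule-2 then action permit
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 5
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 6
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 7
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 8
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 9
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 10
set services security-intelligence profile TP_CC rule Rule-3 then action block drop
set security policies global policy PolicyEnforcer-Rule1-1 match source-address any
set security policies global policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-1 match application any
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy TP
set security policies global policy GlobalPermit match source-address any
set security policies global policy GlobalPermit match destination-address any
set security policies global policy GlobalPermit match application any
set security policies global policy GlobalPermit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services all
"""

CLEARTEXT_SERVICES = ("telnet", "xnm-clear-text")  # management over unencrypted transport

def parse_set_config(text):
    """Statements of a set-format config with the leading 'set ' removed."""
    return [ln[4:].strip() for ln in text.splitlines() if ln.startswith("set ")]

def cleartext_services(stmts):
    """Enabled 'system services <name>' entries that carry credentials in the clear."""
    return [s.split()[2] for s in stmts
            if s.startswith("system services ") and s.split()[2] in CLEARTEXT_SERVICES]

def open_host_inbound_zones(stmts):
    """Zones that let every system service reach the Routing Engine."""
    pat = re.compile(r"^security zones security-zone (\S+) host-inbound-traffic system-services all$")
    return [m.group(1) for m in map(pat.match, stmts) if m]

def permit_all_global_policies(stmts):
    """Global policies matching any/any/any whose permit has no application services attached."""
    pat = re.compile(r"^security policies global policy (\S+) (match|then) (.*)$")
    any_fields, plain_permit = defaultdict(set), set()
    for m in filter(None, map(pat.match, stmts)):
        name, kind, rest = m.groups()
        if kind == "match" and rest.endswith(" any"):
            any_fields[name].add(rest.split()[0])
        elif kind == "then" and rest == "permit":  # bare permit, no inspection
            plain_permit.add(name)
    needed = {"source-address", "destination-address", "application"}
    return sorted(n for n in plain_permit if needed <= any_fields[n])

def secintel_coverage(stmts):
    """Per security-intelligence profile, the action applied to each matched threat level."""
    pat = re.compile(r"^services security-intelligence profile (\S+) rule (\S+) "
                     r"(?:match threat-level (\d+)|then action (.+))$")
    levels, actions = defaultdict(lambda: defaultdict(set)), {}
    for m in filter(None, map(pat.match, stmts)):
        profile, rule, level, action = m.groups()
        if level:
            levels[profile][rule].add(int(level))
        else:
            actions[(profile, rule)] = action
    return {p: {lvl: actions.get((p, r), "<no action>") for r, lvls in rules.items() for lvl in lvls}
            for p, rules in levels.items()}

def secintel_gaps(coverage, block_from=7):
    """Levels a profile never matches, plus levels >= block_from it matches without blocking.
    block_from is this audit's own threshold (an assumption), not a Junos setting."""
    return {p: {"unmatched": [l for l in range(1, 11) if l not in by_level],
                "permitted_high": sorted(l for l, a in by_level.items()
                                         if l >= block_from and not a.startswith("block"))}
            for p, by_level in coverage.items()}

if __name__ == "__main__":
    stmts = parse_set_config(SAMPLE_CONFIG)
    print("cleartext services :", cleartext_services(stmts))
    print("open host-inbound  :", open_host_inbound_zones(stmts))
    print("permit-all policies:", permit_all_global_policies(stmts))
    print("secintel gaps      :", secintel_gaps(secintel_coverage(stmts)))
```

On the excerpt, PolicyEnforcer-Rule1-1 is not reported as permit-all because its permit carries application services, while GlobalPermit is; TP_CC covers all ten levels and blocks from level 5, so the only findings are the two cleartext services and the two open zones.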
Cisco Catalyst 6509 Switch Configuration
The following sample shows the configuration for the Cisco Catalyst 6509 switch used in this configuration example.
HIAGATE#show runn
Building configuration...

Current configuration : 14664 bytes
!
! Last configuration change at 20:44:49 UTC Fri Aug 18 2017 by cisco
! NVRAM config last updated at 20:33:43 UTC Fri Aug 18 2017 by cisco
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service counters max age 10
!
hostname HIAGATE
!
boot-start-marker
boot system flash disk0:s72033-advipservicesk9_wan-vz.122-33.SXI14.bin
boot-end-marker
!
logging buffered informational
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.13.107.167 server-key cisco123
 port 3799
 auth-type all
!
aaa session-id common
!
no ip domain-lookup
ip domain-name hiagate-sdsn.com
!
ip dhcp snooping
no ip bootp server
ip ssh version 2
ip scp server enable
ip device tracking
!
dot1x system-auth-control
!
vlan 10
 name VLAN10-Quarantine
!
vlan 14
 name VLAN14-Finance
!
interface GigabitEthernet1/47
 description SRX1500
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 14
 switchport mode trunk
!
interface GigabitEthernet1/48
 description ESXiServer
 switchport
 switchport mode access
 speed 1000
 duplex full
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast edge
!
interface Vlan1
 ip address 10.13.107.168 255.255.254.0
!
ip route 0.0.0.0 0.0.0.0 10.13.106.1
!
radius-server attribute 8 include-in-access-req
radius-server host 10.13.107.167 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input ssh
line vty 5 15
!
exception core-file
ntp authentication-key 1 md5 123310191B1B0916 7
ntp trusted-key 1
ntp source Loopback0
ntp master 1
!
end
HIAGATE#
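The switch side has a matching consistency check. The following is an added example written for this page, not Cisco's or Juniper's code: it splits the IOS running-config into top-level blocks with their indented children and verifies the pieces that 802.1X with RADIUS change of authorization (CoA) needs to agree with each other, namely that the global AAA and dot1x lines are present, that the dynamic-author client is the same host and key as the configured RADIUS server, that a quarantine VLAN exists, that every authenticator port has port-control auto, and which shared secrets sit in the config as typed because password encryption is off. SAMPLE_IOS is a constructed, abridged excerpt of the HIAGATE show run output above; the list of required global lines is this check's own assumption about the minimum a RADIUS-driven deployment needs.

```python
import re

# Constructed, abridged excerpt of the HIAGATE running-config on this page.
SAMPLE_IOS = """\
no service password-encryption
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa server radius dynamic-author
 client 10.13.107.167 server-key cisco123
 port 3799
 auth-type all
!
dot1x system-auth-control
!
vlan 10
 name VLAN10-Quarantine
!
interface GigabitEthernet1/48
 description ESXiServer
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
radius-server host 10.13.107.167 auth-port 1812 acct-port 1813 key cisco123
!
end
"""

# This check's own assumption: global lines without which RADIUS-driven 802.1X
# and RADIUS-assigned VLANs cannot work on the switch.
REQUIRED_GLOBALS = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
)

def parse_ios(text):
    """Split a running-config into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks

def missing_globals(blocks):
    present = {h for h, _ in blocks}
    return [g for g in REQUIRED_GLOBALS if g not in present]

def radius_hosts(blocks):
    """IP -> shared key for each radius-server host line."""
    found = (re.match(r"radius-server host (\S+) .*\bkey (\S+)$", h) for h, _ in blocks)
    return {m.group(1): m.group(2) for m in found if m}

def coa_clients(blocks):
    """IP -> server-key for peers allowed to send CoA/disconnect requests."""
    kids = [k for h, kids in blocks if h == "aaa server radius dynamic-author" for k in kids]
    found = (re.match(r"client (\S+) server-key (\S+)", k) for k in kids)
    return {m.group(1): m.group(2) for m in found if m}

def coa_mismatches(blocks):
    """CoA clients that are not configured RADIUS servers or use a different key."""
    hosts = radius_hosts(blocks)
    return sorted(ip for ip, key in coa_clients(blocks).items() if hosts.get(ip) != key)

def quarantine_vlans(blocks):
    return [int(h.split()[1]) for h, kids in blocks
            if h.startswith("vlan ") and any("quarantine" in k.lower() for k in kids)]

def dot1x_ports_without_port_control(blocks):
    """Interfaces acting as authenticator but lacking 'authentication port-control auto'."""
    return [h.split()[1] for h, kids in blocks
            if h.startswith("interface ") and "dot1x pae authenticator" in kids
            and "authentication port-control auto" not in kids]

def cleartext_keys(blocks):
    """Shared secrets stored as typed. Note that 'service password-encryption' would only
    apply reversible type-7 encoding, so the keys still deserve rotation before reuse."""
    if not any(h == "no service password-encryption" for h, _ in blocks):
        return []
    return sorted(set(radius_hosts(blocks).values()) | set(coa_clients(blocks).values()))

if __name__ == "__main__":
    b = parse_ios(SAMPLE_IOS)
    print("missing globals    :", missing_globals(b))
    print("CoA mismatches     :", coa_mismatches(b))
    print("quarantine VLANs   :", quarantine_vlans(b))
    print("ports w/o port-ctl :", dot1x_ports_without_port_control(b))
    print("cleartext keys     :", cleartext_keys(b))
```

The CoA comparison is the one that most often bites in practice: the policy enforcer's disconnect or VLAN-change request is silently ignored when the dynamic-author client entry and the radius-server host disagree on address or key, and nothing in the switch log points at the cause.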