ANR Example Configuration

The configuration file below provides an example for setting up an SRX to use OneConfig's ANR Report for running successful customer evaluations. Alternatively, download a text file here.

EXAMPLE CONFIGURATION

version 12.3X48-D10.3;
/* Group SES is inherited by the whole configuration through "apply-groups SES" below.
   The <*> wildcards add IDP and the SES-policy UTM policy to the permit action of every
   security policy in every zone pair, and turn on application tracking in every
   security zone, the mgmt zone included. */
groups {
    SES {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                application-services {
                                    idp;
                                    utm-policy SES-policy;
                                }
                            }
                        }
                    }
                }
            }
            zones {
                security-zone <*> {
                    application-tracking;
                }
            }
        }
    }
}
apply-groups SES;
/* Base system settings for the evaluation device.
   NOTE(review): no root-authentication, login or management-service (ssh etc.) statements
   appear in this example; presumably they already exist on the device - confirm before
   loading this as a complete configuration. */
system {
    /* Placeholder host name; replace with the device's own. */
    host-name SRX-XXXXXXXXXXXX;
    /* Public resolvers; the device needs DNS to resolve the log collector host name used
       under "security log". Substitute internal resolvers where policy requires it. */
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    /* Local (on-box) syslog only; the export to the collector is configured separately
       under "security log". */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* Only command errors are recorded here. NOTE(review): for an audit trail of
           operator activity, consider logging interactive-commands at "any". */
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    idp {
        /* Detection-only IDP policy: every rule below uses "no-action" with "log-attacks",
           so matching traffic is logged but never dropped or closed. This suits a
           monitoring evaluation; it does not protect the network until the actions are
           changed. */
        idp-policy Recommended {
            /* This legacy template policy covers most current vulnerabilities. This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule 1 {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule is designed to protect your network against important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule is designed to protect your network against important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule is designed to protect your network against important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                /* NOTE(review): rules TCP/IP through Malware repeat the match conditions and
                   actions of rules 1 through 9 one for one. The second set looks redundant
                   (presumably two revisions of the template were merged) and may cause each
                   attack to be logged twice; keeping a single set should be sufficient -
                   confirm. */
                rule TCP/IP {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule ICMP {
                    /* This rule is designed to protect your network against important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule HTTP {
                    /* This rule is designed to protect your network against important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule SMTP {
                    /* This rule is designed to protect your network against important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule DNS {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule FTP {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule POP3 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule IMAP {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malware {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        active-policy Recommended;
        /* Scheduled signature-package download: enabled, repeating at the configured
           interval (24, in hours) counted from the start-time below. */
        security-package {
            automatic {
                start-time "2015-1-1.01:00:00 +0000";
                interval 24;
                enable;
            }
        }
    }
    /* AppTrack settings. "first-update" presumably makes the first AppTrack message be
       generated at session start rather than after the first update interval - confirm
       against the documentation for the installed release. */
    application-tracking {
        first-update;
    }
    /* Enhanced Web Filtering in monitor-only form: every listed category, the profile
       default and all fallback conditions permit the request, and listed categories are
       logged. Nothing is blocked by this profile.
       NOTE(review): the logged categories include content categories (adult material,
       weapons) as well as threat categories, and the security log stream exports these
       events off-box; confirm that this is covered by the evaluation agreement. */
    utm {
        feature-profile {
            web-filtering {
                type juniper-enhanced;
                juniper-enhanced {
                    cache {
                        timeout 1800;
                        size 1500;
                    }
                    profile EVAL-EWF {
                        category {
                            Enhanced_Advanced_Malware_Command_and_Control {
                              action log-and-permit;
                            }
                            Enhanced_Advanced_Malware_Payloads {
                              action log-and-permit;
                            }
                             Enhanced_Bot_Networks {
                              action log-and-permit;
                            }
                            Enhanced_Keyloggers {
                              action log-and-permit;
                            }
                            Enhanced_Malicious_Embedded_Link {
                              action log-and-permit;
                            }
                            Enhanced_Malicious_Embedded_iFrame {
                              action log-and-permit;
                            }
                            Enhanced_Malicious_Web_Sites {
                              action log-and-permit;
                            }
                            Enhanced_Mobile_Malware {
                              action log-and-permit;
                            }
                            Enhanced_Spyware {
                              action log-and-permit;
                            }
                            Enhanced_Weapons {
                              action log-and-permit;
                            }
                            Enhanced_Adult_Content {
                              action log-and-permit;
                            }
                            Enhanced_Adult_Material {
                              action log-and-permit;
                            }
                            Enhanced_Sex {
                              action log-and-permit;
                            }      
                        }
                        /* Categories not listed above are permitted without a log entry. */
                        default permit;
                        /* Fail-open: requests are still permitted (and logged) when the
                           category lookup is unavailable, slow or overloaded. */
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                }
            }
        }
        /* UTM policy referenced by group SES (utm-policy SES-policy); applies the EVAL-EWF
           profile to HTTP traffic. */
        utm-policy SES-policy {
            web-filtering {
                http-profile EVAL-EWF;
            }
        }
    }
    /* Secure-wire mapping EVAL pairs ge-0/0/0.0 (untrust zone) with ge-0/0/1.0 (trust
       zone), so the device sits inline between the two ports and passes traffic from one
       to the other subject to the security policies. */
    forwarding-options {
        secure-wire {
            EVAL {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    /* Both zone pairs permit any source, destination and application, logging at session
       close. The device therefore filters nothing itself; through group SES each policy
       also gets IDP and UTM inspection, which in this example only log.
       NOTE(review): an any/any permit from untrust to trust is acceptable only while the
       SRX is a transparent evaluation sensor behind existing perimeter controls; replace
       these policies before relying on the device for enforcement. */
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
    /* Zone layout: ge-0/0/0.0 is untrust and ge-0/0/1.0 is trust (the secure-wire pair);
       fe-0/0/7.0 is the management interface. Neither data zone allows host-inbound
       traffic. */
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone mgmt {
            interfaces {
                fe-0/0/7.0 {
                    /* NOTE(review): "all" accepts every system service the device runs on
                       this interface, which takes its address from DHCP. List only the
                       services actually used for management (for example ssh) and connect
                       the port to a dedicated management network. */
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    /* Data-plane security logs are streamed as structured syslog over TLS to the external
       collector logs.oneconfig.com. Severity "debug" with category "all" exports every
       security log event the device produces (sessions, IDP, web filtering), so treat the
       stream as sensitive.
       NOTE(review): the TLS profile ssl-i (under "services ssl initiation") sets
       ignore-server-auth-failure, so the collector's certificate is not enforced; the
       stream is encrypted but the far end is not authenticated. */
    log {
        mode stream;
        format sd-syslog;
        source-address 192.168.1.14; # THIS MUST BE THE OUTGOING IP ADDRESS OF THE SRX 
        transport {
                protocol tls;
                tls-profile ssl-i; 
        }
        stream oneconfig { 
             severity debug;
             category all; 
             host {
                 logs.oneconfig.com;
                 /* RFC 5425 assigns 6514 to syslog over TLS; 514 is presumably the port the
                    collector listens on - confirm with the collector's operator. */
                 port 514; 
             }
        } 
   }
}
/* SSL initiation profile ssl-i, used by "security log transport tls-profile ssl-i" for the
   log stream to the collector. */
services {
   ssl { 
      initiation {
          profile ssl-i { 
              /* Accepts any SSL/TLS version the release supports, legacy versions included.
                 NOTE(review): restrict this to the newest TLS version available on the
                 installed release. */
              protocol-version all; 
              actions { 
                  /* The session continues even when the server certificate fails
                     validation, so an on-path party could impersonate the collector and
                     receive the exported logs. NOTE(review): outside a short-lived lab
                     evaluation, remove this action and configure a trusted CA for the
                     profile (trusted-ca) so the collector's certificate is verified. */
                  ignore-server-auth-failure; 
              }
          } 
      }
   } 
}
/* ge-0/0/0 and ge-0/0/1 are the secure-wire pair: bridge-family trunks with native VLAN 1
   carrying VLANs 1-4000. fe-0/0/7 is the routed management port (mgmt zone) and obtains
   its IPv4 address by DHCP. */
interfaces {
    ge-0/0/0 {
        native-vlan-id 1;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 1-4000;
            }
        }
    }
    ge-0/0/1 {
        native-vlan-id 1;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 1-4000;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                /* NOTE(review): "security log source-address" is a fixed address that must
                   match the outgoing IP of the SRX; with DHCP here, make sure the lease is
                   reserved or update that address to match. */
                dhcp;
            }
        }
    }
}
/* Single bridge domain covering the same VLAN range (1-4000) as the two trunk interfaces. */
bridge-domains {
    default {
        vlan-id-list 1-4000;
    }
}



Tap mode / port mirror installation

#### For TAP / mirror port installations
/* Additional statements for TAP / mirror-port installations only. They turn off the TCP
   SYN check (also inside tunnels) and the TCP sequence-number check, presumably because a
   mirrored feed can start mid-session or miss packets and would otherwise be discarded.
   NOTE(review): these checks are part of stateful inspection; do not carry these
   statements over to an inline or production firewall configuration. */
security {
    flow {
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}