[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Sat Aug 5 23:04:53 CDT 2017
Index: configs/okay-ps.client.onenet.net
===================================================================
--- configs/okay-ps.client.onenet.net (revision 155534)
+++ configs/okay-ps.client.onenet.net (working copy)
@@ -7,7 +7,7 @@
# 2016-06-29 19:38:56 CDT by admin via cli commit confirmed, rollback in 2mins
# 2016-06-27 19:29:41 CDT by root via cli
# 2016-06-27 17:39:07 CDT by root via other
-# rescue 2017-08-05 21:38:54 CDT by andrew via cli
+# rescue 2017-08-05 22:35:21 CDT by andrew via cli
#
# grnoc-mon at OKAY-PS-LR-004931> show chassis environment
# Class Item Status Measurement
@@ -125,8 +125,8 @@
# total files: 1
#
# grnoc-mon at OKAY-PS-LR-004931> show system uptime
-# System booted: 2017-07-22 14:13 CDT
-# Protocols started: 2017-07-22 14:16 CDT
+# System booted: 2017-08-05 22:28 CDT
+# Protocols started: 2017-08-05 22:30 CDT
# Last configured: 2017-07-22 14:15 CDT by root
#
# grnoc-mon at OKAY-PS-LR-004931> show interface terse
Index: configs/hilldale-ps.client.onenet.net
===================================================================
--- configs/hilldale-ps.client.onenet.net (revision 155127)
+++ configs/hilldale-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at HILLDALE-PS-LR-004895> show system commit
+# 2017-08-05 22:01:25 CDT by root via other
# 2017-07-22 14:28:49 CDT by root via other
# 2017-01-23 10:44:55 CST by sky via cli
# 2015-10-06 22:24:28 CDT by admin via cli
# 2015-08-12 00:01:54 CDT by root via cli
# 2015-08-11 23:57:23 CDT by root via cli
-# 2015-08-11 23:54:03 CDT by root via cli
# grnoc-mon at HILLDALE-PS-LR-004895> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at HILLDALE-PS-LR-004895> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at HILLDALE-PS-LR-004895> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at HILLDALE-PS-LR-004895> show version
# Hostname: HILLDALE-PS-LR-004895
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at HILLDALE-PS-LR-004895> show version invoke-on all-routing-engines
# Hostname: HILLDALE-PS-LR-004895
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at HILLDALE-PS-LR-004895> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at HILLDALE-PS-LR-004895> show system uptime
-# System booted: 2017-07-22 14:26 CDT
-# Protocols started: 2017-07-22 14:30 CDT
-# Last configured: 2017-07-22 14:28 CDT by root
+# System booted: 2017-08-05 21:58 CDT
+# Protocols started: 2017-08-05 22:03 CDT
+# Last configured: 2017-08-05 22:01 CDT by root
#
# grnoc-mon at HILLDALE-PS-LR-004895> show interface terse
#Interface Admin Link
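Review bot: After this upgrade the device mounts root from `ufs:/dev/da0s2a`, where the previous boot used `da0s1a`, so the other slice presumably still holds 12.1X46-D65.4; the diff cannot confirm that. If so, a fallback boot from the alternate slice would return the firewall to the older release without any config change showing up here, so it is worth checking with `show system snapshot media internal` and refreshing the alternate slice once 12.3X48-D40.5 is accepted. The same slice swap, in the opposite direction (`da0s2a` to `da0s1a`), appears in the haywood-ps, five-star-interlocal, midway-ps and justice-ps sections. All five boots also log `Kernel thread "wkupdaemon" (pid 48) exited prematurely.`, which should be checked against the release notes for this platform.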
@@ -180,8 +184,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at HILLDALE-PS-LR-004895> show configuration
-## Last commit: 2017-07-22 14:28:49 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:01:25 CDT by root
+version 12.3X48-D40.5;
system {
host-name HILLDALE-PS-LR-004895;
auto-snapshot;
@@ -314,6 +318,114 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.4 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface";
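Review bot: The UNTRUST zone accepts `ssh` and `snmp` as host-inbound services on `vlan.3`, and the `UNTRUST-TO-UNTRUST` policy permits any source, destination and application without logging. The block is only relocated by the upgrade (its content matches the copy removed further down), but the reason management services are reachable from the untrusted side is not recorded, and whether filter `PROTECT-RE` restricts the sources is not visible in this hunk. Consider `log { session-init; }` under `then` for the any/any permits, and a comment such as `/* ssh/snmp limited to NOC sources by filter PROTECT-RE */` once that is confirmed. The ssh/snmp exposure recurs on `ge-0/0/0.0` in the haywood-ps, five-star-interlocal, midway-ps and justice-ps sections, and the unlogged any/any permits recur in all of them.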
@@ -448,114 +560,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.4 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/core3.okc-m120.onenet.net
===================================================================
--- configs/core3.okc-m120.onenet.net (revision 155534)
+++ configs/core3.okc-m120.onenet.net (working copy)
@@ -541,9 +541,9 @@
#t1-2/3/0:1:10.17 up up
#t1-2/3/0:1:11 up up
#t1-2/3/0:1:11.0 up up
-#t1-2/3/0:1:12 up up
-#t1-2/3/0:1:12.16 up up
-#t1-2/3/0:1:12.17 up up
+#t1-2/3/0:1:12 up down
+#t1-2/3/0:1:12.16 up down
+#t1-2/3/0:1:12.17 up down
#t1-2/3/0:1:13 up up
#t1-2/3/0:1:13.16 up up
#t1-2/3/0:1:13.17 up up
@@ -766,8 +766,8 @@
#t1-2/3/0:6:9 down down
#t1-2/3/0:6:10 down down
#t1-2/3/0:6:11 down down
-#t1-2/3/0:6:12 up down
-#t1-2/3/0:6:12.0 up down
+#t1-2/3/0:6:12 up up
+#t1-2/3/0:6:12.0 up up
#t1-2/3/0:6:13 down down
#t1-2/3/0:6:14 up up
#t1-2/3/0:6:14.0 up up
Index: configs/haywood-ps.client.onenet.net
===================================================================
--- configs/haywood-ps.client.onenet.net (revision 155334)
+++ configs/haywood-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show system commit
+# 2017-08-05 22:00:40 CDT by root via other
# 2017-07-22 14:25:04 CDT by root via other
# 2017-04-07 09:29:56 CDT by sean via cli
# 2015-10-06 17:27:26 CDT by andrew via cli
# 2015-08-28 20:39:01 CDT by root via cli
# 2015-08-28 20:15:10 CDT by root via other
-# 2015-05-14 19:33:05 CDT by root via other
# grnoc-mon at HAYWOOD-PS-LR-004888> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,29 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
-# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show version
# Hostname: HAYWOOD-PS-LR-004888
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show version invoke-on all-routing-engines
# Hostname: HAYWOOD-PS-LR-004888
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at HAYWOOD-PS-LR-004888> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show system uptime
-# System booted: 2017-07-30 07:13 CDT
-# Protocols started: 2017-07-30 07:17 CDT
-# Last configured: 2017-07-22 14:25 CDT by root
+# System booted: 2017-08-05 21:57 CDT
+# Protocols started: 2017-08-05 22:02 CDT
+# Last configured: 2017-08-05 22:00 CDT by root
#
# grnoc-mon at HAYWOOD-PS-LR-004888> show interface terse
#Interface Admin Link
@@ -181,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at HAYWOOD-PS-LR-004888> show configuration
-## Last commit: 2017-07-22 14:25:04 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:00:40 CDT by root
+version 12.3X48-D40.5;
system {
host-name HAYWOOD-PS-LR-004888;
auto-snapshot;
@@ -315,6 +316,114 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface - 164.58.8.162/30";
@@ -433,114 +542,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/five-star-interlocal.client.onenet.net
===================================================================
--- configs/five-star-interlocal.client.onenet.net (revision 155266)
+++ configs/five-star-interlocal.client.onenet.net (working copy)
@@ -1,13 +1,13 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show system commit
+# 2017-08-05 22:00:51 CDT by root via other
# 2017-07-23 13:47:16 CDT by root via other
# 2016-06-23 14:32:46 CDT by sky via cli
# 2016-06-23 14:30:01 CDT by admin via cli
# 2016-06-21 12:25:23 CDT by admin via cli
# 5
# 2016-06-21 12:23:32 CDT by admin via cli
-# 2016-06-21 11:10:38 CDT by admin via cli commit confirmed, rollback in 5mins
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -22,8 +22,8 @@
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show chassis fpc detail
# Slot 0 information:
@@ -55,8 +55,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -107,29 +110,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
-# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show version
# Hostname: FIVE-STAR-INTERLOCAL-LR-4954
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show version invoke-on all-routing-engines
# Hostname: FIVE-STAR-INTERLOCAL-LR-4954
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show system uptime
-# System booted: 2017-07-27 14:15 CDT
-# Protocols started: 2017-07-27 14:19 CDT
-# Last configured: 2017-07-23 13:47 CDT by root
+# System booted: 2017-08-05 21:57 CDT
+# Protocols started: 2017-08-05 22:02 CDT
+# Last configured: 2017-08-05 22:00 CDT by root
#
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show interface terse
#Interface Admin Link
@@ -184,8 +185,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at FIVE-STAR-INTERLOCAL-LR-4954> show configuration
-## Last commit: 2017-07-23 13:47:16 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:00:51 CDT by root
+version 12.3X48-D40.5;
system {
host-name FIVE-STAR-INTERLOCAL-LR-4954;
domain-name onenet.net;
@@ -317,6 +318,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.22.82/30";
@@ -453,111 +559,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/midway-ps.client.onenet.net
===================================================================
--- configs/midway-ps.client.onenet.net (revision 155134)
+++ configs/midway-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MIDWAY-ES-LR-004940> show system commit
+# 2017-08-05 22:01:16 CDT by root via other
# 2017-07-22 20:56:27 CDT by andrew via cli
# 2017-07-22 14:15:40 CDT by root via other
# 2017-07-22 13:49:41 CDT by andrew via cli
# 2017-07-20 09:41:59 CDT by aberrios via cli
# 2016-08-29 17:22:33 CDT by andrew via cli
-# 2016-08-10 09:48:09 CDT by admin via cli
# grnoc-mon at MIDWAY-ES-LR-004940> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at MIDWAY-ES-LR-004940> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at MIDWAY-ES-LR-004940> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,29 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
-# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at MIDWAY-ES-LR-004940> show version
# Hostname: MIDWAY-ES-LR-004940
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MIDWAY-ES-LR-004940> show version invoke-on all-routing-engines
# Hostname: MIDWAY-ES-LR-004940
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MIDWAY-ES-LR-004940> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at MIDWAY-ES-LR-004940> show system uptime
-# System booted: 2017-07-22 21:08 CDT
-# Protocols started: 2017-07-22 21:12 CDT
-# Last configured: 2017-07-22 20:56 CDT by andrew
+# System booted: 2017-08-05 21:58 CDT
+# Protocols started: 2017-08-05 22:02 CDT
+# Last configured: 2017-08-05 22:01 CDT by root
#
# grnoc-mon at MIDWAY-ES-LR-004940> show interface terse
#Interface Admin Link
@@ -182,8 +183,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at MIDWAY-ES-LR-004940> show configuration
-## Last commit: 2017-07-22 20:56:27 CDT by andrew
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:01:16 CDT by root
+version 12.3X48-D40.5;
system {
host-name MIDWAY-ES-LR-004940;
auto-snapshot;
@@ -316,6 +317,130 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TRUST-TO-UNTRUST-NAT {
+ from zone TRUST;
+ to zone UNTRUST;
+ rule NAT-TRUST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TRUST {
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 156.110.34.166/30";
@@ -444,130 +569,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TRUST-TO-UNTRUST-NAT {
- from zone TRUST;
- to zone UNTRUST;
- rule NAT-TRUST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TRUST {
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/justice-ps.client.onenet.net
===================================================================
--- configs/justice-ps.client.onenet.net (revision 155423)
+++ configs/justice-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at JUSTICE-PS-LR-004934> show system commit
+# 2017-08-05 22:01:10 CDT by root via other
# 2017-07-22 13:32:54 CDT by root via other
# 2017-06-12 10:12:50 CDT by admin via cli
# 2016-08-17 08:58:41 CDT by admin via cli
# 2016-06-15 15:43:47 CDT by admin via cli commit confirmed, rollback in 3mins
# 2016-06-15 15:17:20 CDT by admin via cli
-# 2016-06-15 15:07:15 CDT by admin via cli
# grnoc-mon at JUSTICE-PS-LR-004934> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at JUSTICE-PS-LR-004934> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at JUSTICE-PS-LR-004934> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,29 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
-# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at JUSTICE-PS-LR-004934> show version
# Hostname: JUSTICE-PS-LR-004934
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at JUSTICE-PS-LR-004934> show version invoke-on all-routing-engines
# Hostname: JUSTICE-PS-LR-004934
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at JUSTICE-PS-LR-004934> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at JUSTICE-PS-LR-004934> show system uptime
-# System booted: 2017-08-02 10:36 CDT
-# Protocols started: 2017-08-02 10:39 CDT
-# Last configured: 2017-07-22 13:32 CDT by root
+# System booted: 2017-08-05 21:57 CDT
+# Protocols started: 2017-08-05 22:03 CDT
+# Last configured: 2017-08-05 22:01 CDT by root
#
# grnoc-mon at JUSTICE-PS-LR-004934> show interface terse
#Interface Admin Link
@@ -183,8 +184,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at JUSTICE-PS-LR-004934> show configuration
-## Last commit: 2017-07-22 13:32:54 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:01:10 CDT by root
+version 12.3X48-D40.5;
system {
host-name JUSTICE-PS-LR-004934;
domain-name onenet.net;
@@ -316,6 +317,121 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone UNTRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/2.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.63.198/30";
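Review bot: The `from-zone UNTRUST to-zone UNTRUST` block in the re-added `security policies` stanza holds a policy named `TRUST-TO-UNTRUST` that permits any source, destination and application, so the name does not describe the zone pair it governs and traffic between the three UNTRUST interfaces (`ge-0/0/0.0`, `ge-0/0/2.0`, `ge-0/0/15.0`) is forwarded without any match restriction. If the intra-zone permit is intentional, rename it to match the zone pair (the konawa-ps hunk uses `UNTRUST-TO-UNTRUST`) and add `log { session-close; }` inside the `then` block next to `permit;` so the sessions are at least recorded; if it is not, narrow the match to the addresses that need it. The konawa-ps and porum-ps hunks carry the same any/any intra-zone permit, in porum-ps under the name `ALLOW-ALL-OUT`, which is also used there for the TEST-to-UNTRUST policy. The stanza appears to have only been moved by the upgrade (the identical text is removed in the next hunk), so this is pre-existing rather than introduced here.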
@@ -442,121 +558,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone UNTRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/2.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/woodward-public-library-srx240.client.onenet.net
===================================================================
--- configs/woodward-public-library-srx240.client.onenet.net (revision 155149)
+++ configs/woodward-public-library-srx240.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WOODWARD-PL-LR-004880> show system commit
+# 2017-08-05 22:54:01 CDT by root via other
# 2017-07-23 12:56:08 CDT by root via other
# 2017-05-02 10:56:52 CDT by andrew via cli
# 2016-10-26 10:55:43 CDT by sean via cli
# 2016-10-26 10:36:45 CDT by sean via cli
# 2016-07-29 15:26:31 CDT by sean via cli
-# 2016-07-29 14:35:03 CDT by sean via cli
# grnoc-mon at WOODWARD-PL-LR-004880> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at WOODWARD-PL-LR-004880> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at WOODWARD-PL-LR-004880> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at WOODWARD-PL-LR-004880> show version
# Hostname: WOODWARD-PL-LR-004880
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WOODWARD-PL-LR-004880> show version invoke-on all-routing-engines
# Hostname: WOODWARD-PL-LR-004880
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WOODWARD-PL-LR-004880> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at WOODWARD-PL-LR-004880> show system uptime
-# System booted: 2017-07-23 12:53 CDT
-# Protocols started: 2017-07-23 12:57 CDT
-# Last configured: 2017-07-23 12:56 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:55 CDT
+# Last configured: 2017-08-05 22:54 CDT by root
#
# grnoc-mon at WOODWARD-PL-LR-004880> show interface terse
#Interface Admin Link
@@ -187,8 +191,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at WOODWARD-PL-LR-004880> show configuration
-## Last commit: 2017-07-23 12:56:08 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:54:01 CDT by root
+version 12.3X48-D40.5;
system {
host-name WOODWARD-PL-LR-004880;
auto-snapshot;
@@ -343,198 +347,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- ge-0/0/0 {
- description "UNTRUST WAN Interface - 164.58.83.34/30";
- speed 100m;
- link-mode full-duplex;
- gigether-options {
- no-auto-negotiation;
- }
- unit 0 {
- family inet {
- address 164.58.83.34/30;
- }
- }
- }
- ge-0/0/1 {
- unit 0 {
- description TEST-INTERFACE;
- family ethernet-switching {
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- ge-0/0/2 {
- disable;
- }
- ge-0/0/3 {
- disable;
- }
- ge-0/0/4 {
- disable;
- }
- ge-0/0/5 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/6 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/7 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/8 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/9 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/10 {
- description SWITCH-PORT-TRUNK;
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members all;
- }
- }
- }
- }
- ge-0/0/11 {
- disable;
- }
- ge-0/0/12 {
- disable;
- }
- ge-0/0/13 {
- disable;
- }
- ge-0/0/14 {
- disable;
- }
- ge-0/0/15 {
- description "TRUST LAN Interface - Trunk to Cisco 2960-24P gi 1/0/1";
- unit 0 {
- family ethernet-switching {
- port-mode trunk;
- vlan {
- members [ WIRELESS-VLAN-2 WIRED-VLAN-3 THIN-CLIENT-4 ];
- }
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- vlan {
- unit 2 {
- description "L3 INTERFACE - WIRELESS-VLAN-2 - 192.168.10.1/24";
- family inet {
- address 192.168.10.1/24;
- }
- }
- unit 3 {
- description "L3 INTERFACE - WIRED-VLAN-3 - 172.16.1.1/16";
- family inet {
- address 172.16.1.1/16;
- }
- }
- unit 4 {
- description "L3 INTERFACE - WIRED-VLAN-3 - 192.168.11.1/24";
- family inet {
- address 192.168.11.1/24;
- }
- }
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 164.58.83.33;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
address-book {
global {
@@ -843,6 +655,198 @@
}
}
}
+interfaces {
+ ge-0/0/0 {
+ description "UNTRUST WAN Interface - 164.58.83.34/30";
+ speed 100m;
+ link-mode full-duplex;
+ gigether-options {
+ no-auto-negotiation;
+ }
+ unit 0 {
+ family inet {
+ address 164.58.83.34/30;
+ }
+ }
+ }
+ ge-0/0/1 {
+ unit 0 {
+ description TEST-INTERFACE;
+ family ethernet-switching {
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/2 {
+ disable;
+ }
+ ge-0/0/3 {
+ disable;
+ }
+ ge-0/0/4 {
+ disable;
+ }
+ ge-0/0/5 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/6 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/7 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/8 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/9 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/10 {
+ description SWITCH-PORT-TRUNK;
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members all;
+ }
+ }
+ }
+ }
+ ge-0/0/11 {
+ disable;
+ }
+ ge-0/0/12 {
+ disable;
+ }
+ ge-0/0/13 {
+ disable;
+ }
+ ge-0/0/14 {
+ disable;
+ }
+ ge-0/0/15 {
+ description "TRUST LAN Interface - Trunk to Cisco 2960-24P gi 1/0/1";
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members [ WIRELESS-VLAN-2 WIRED-VLAN-3 THIN-CLIENT-4 ];
+ }
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ vlan {
+ unit 2 {
+ description "L3 INTERFACE - WIRELESS-VLAN-2 - 192.168.10.1/24";
+ family inet {
+ address 192.168.10.1/24;
+ }
+ }
+ unit 3 {
+ description "L3 INTERFACE - WIRED-VLAN-3 - 172.16.1.1/16";
+ family inet {
+ address 172.16.1.1/16;
+ }
+ }
+ unit 4 {
+ description "L3 INTERFACE - WIRED-VLAN-3 - 192.168.11.1/24";
+ family inet {
+ address 192.168.11.1/24;
+ }
+ }
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 164.58.83.33;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
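Review bot: The re-added `snmp` stanza defines three communities, one of them with `authorization read-write`, and none carries a `clients` restriction, so at the SNMP layer any host that reaches the agent with the right string is accepted. The `lo0` unit in this hunk binds `input PROTECT-RE`, but the filter's terms fall outside the hunk, so whether it limits SNMP to the management prefixes cannot be confirmed from here. Adding the restriction on the community itself, e.g. `clients { 156.110.31.0/27; 156.110.31.32/28; 164.58.253.0/24; }` with the `PRE-MGMT-SOURCES` prefixes listed in this hunk, gives a second check, and the read-write community is worth dropping if nothing writes via SNMP. Separately, `lldp { interface all; }` would also cover `ge-0/0/0`, described here as the UNTRUST WAN interface, so consider naming only the LAN-facing ports.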
Index: configs/konawa-ps.client.onenet.net
===================================================================
--- configs/konawa-ps.client.onenet.net (revision 155441)
+++ configs/konawa-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at KONAWA-PS-004950-LR> show system commit
+# 2017-08-05 22:01:50 CDT by root via other
# 2017-08-02 23:11:28 CDT by root via other
# 2017-04-22 15:44:31 CDT by admin via cli
# 2016-11-29 10:51:49 CST by aberrios via cli
# 2016-11-18 08:49:42 CST by admin via cli
# 2016-11-17 14:17:06 CST by onenet via cli
-# 2016-11-03 15:23:56 CDT by admin via cli
# grnoc-mon at KONAWA-PS-004950-LR> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at KONAWA-PS-004950-LR> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at KONAWA-PS-004950-LR> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at KONAWA-PS-004950-LR> show version
# Hostname: KONAWA-PS-004950-LR
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at KONAWA-PS-004950-LR> show version invoke-on all-routing-engines
# Hostname: KONAWA-PS-004950-LR
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at KONAWA-PS-004950-LR> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at KONAWA-PS-004950-LR> show system uptime
-# System booted: 2017-08-02 23:09 CDT
-# Protocols started: 2017-08-02 23:12 CDT
-# Last configured: 2017-08-02 23:11 CDT by root
+# System booted: 2017-08-05 21:58 CDT
+# Protocols started: 2017-08-05 22:03 CDT
+# Last configured: 2017-08-05 22:01 CDT by root
#
# grnoc-mon at KONAWA-PS-004950-LR> show interface terse
#Interface Admin Link
@@ -178,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at KONAWA-PS-004950-LR> show configuration
-## Last commit: 2017-08-02 23:11:28 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:01:50 CDT by root
+version 12.3X48-D40.5;
system {
host-name KONAWA-PS-004950-LR;
auto-snapshot;
@@ -309,6 +313,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 156.110.34.38/30";
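Review bot: `host-inbound-traffic system-services` for `ge-0/0/0.0` in `security-zone UNTRUST` accepts `ssh` and `snmp`, and the context line after the stanza describes `ge-0/0/0` as the UNTRUST-WAN link, so the device's management services are offered on the WAN side unless another control narrows them. A `PROTECT-RE` filter is declared in this file (it shows as context in the following hunk), but its terms and its binding to `lo0` are not visible here; confirm that it limits SSH and SNMP to the management source prefixes. If it does not, drop `ssh;` and `snmp;` from the UNTRUST interfaces or add the source restriction to the loopback filter. The same `ssh`/`snmp` host-inbound entries on UNTRUST interfaces appear in the justice-ps, porum-ps and wewoka-public-schools hunks.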
@@ -429,111 +538,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/porum-ps.client.onenet.net
===================================================================
--- configs/porum-ps.client.onenet.net (revision 155127)
+++ configs/porum-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at PORUM-PS-LR-004906> show system commit
+# 2017-08-05 22:53:13 CDT by root via other
# 2017-07-22 14:09:15 CDT by root via other
# 2015-10-02 22:06:09 CDT by andrew via cli
# 2015-08-17 11:56:17 CDT by joel via cli
# 2015-08-17 11:54:46 CDT by admin via cli
# 2015-08-14 20:29:58 CDT by root via cli
-# 2015-08-14 18:39:55 CDT by root via other
# grnoc-mon at PORUM-PS-LR-004906> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at PORUM-PS-LR-004906> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at PORUM-PS-LR-004906> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at PORUM-PS-LR-004906> show version
# Hostname: PORUM-PS-LR-004906
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at PORUM-PS-LR-004906> show version invoke-on all-routing-engines
# Hostname: PORUM-PS-LR-004906
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at PORUM-PS-LR-004906> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at PORUM-PS-LR-004906> show system uptime
-# System booted: 2017-07-22 14:06 CDT
-# Protocols started: 2017-07-22 14:10 CDT
-# Last configured: 2017-07-22 14:09 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:54 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at PORUM-PS-LR-004906> show interface terse
#Interface Admin Link
@@ -178,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at PORUM-PS-LR-004906> show configuration
-## Last commit: 2017-07-22 14:09:15 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:13 CDT by root
+version 12.3X48-D40.5;
system {
host-name PORUM-PS-LR-004906;
domain-name onenet.net;
@@ -311,6 +315,114 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone UNTRUST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ ssh;
+ snmp;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface - 164.58.69.214/30";
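Review bot: `ge-0/0/15.0` under `security-zone UNTRUST` accepts `snmp` and `ssh` here, while the justice-ps and konawa-ps hunks in this same change give that port only `ping` and `traceroute`, and `vlan.999` in zone TEST accepts `dns` only on this device. The hunk does not show what `ge-0/0/15` connects to on this router, so the difference may be deliberate. If these routers are meant to follow one template, reduce the entry to `system-services { ping; traceroute; }` or record the reason in the interface description, so that the next config diff does not have to be checked by hand for drift.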
@@ -432,114 +544,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone UNTRUST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- ssh;
- snmp;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/wewoka-public-schools.client.onenet.net
===================================================================
--- configs/wewoka-public-schools.client.onenet.net (revision 155441)
+++ configs/wewoka-public-schools.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show system commit
+# 2017-08-05 22:53:29 CDT by root via other
# 2017-08-02 23:17:21 CDT by root via other
# 2016-04-26 16:43:24 CDT by sean via cli commit confirmed, rollback in 3mins
# 2015-12-30 13:42:47 CST by joel via cli
# 2015-12-30 21:35:24 CST by joel via cli
# 2015-12-30 16:49:51 CST by root via other
-# 2015-12-30 16:45:29 CST by root via cli
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show version
# Hostname: WEWOKA-PUBLIC-SCHOOLS-ASSET-004889
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show version invoke-on all-routing-engines
# Hostname: WEWOKA-PUBLIC-SCHOOLS-ASSET-004889
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show system uptime
-# System booted: 2017-08-02 23:15 CDT
-# Protocols started: 2017-08-02 23:18 CDT
-# Last configured: 2017-08-02 23:17 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:55 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show interface terse
#Interface Admin Link
@@ -178,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at WEWOKA-PUBLIC-SCHOOLS-ASSET-004889> show configuration
-## Last commit: 2017-08-02 23:17:21 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:29 CDT by root
+version 12.3X48-D40.5;
system {
host-name WEWOKA-PUBLIC-SCHOOLS-ASSET-004889;
domain-name onenet.net;
@@ -311,6 +315,129 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TRUST-TO-UNTRUST-NAT {
+ from zone TRUST;
+ to zone UNTRUST;
+ rule NAT-TRUST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TRUST {
+ interfaces {
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.4.106/30";
@@ -437,129 +564,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TRUST-TO-UNTRUST-NAT {
- from zone TRUST;
- to zone UNTRUST;
- rule NAT-TRUST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TRUST {
- interfaces {
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/hub.dur.onenet.net
===================================================================
--- configs/hub.dur.onenet.net (revision 155534)
+++ configs/hub.dur.onenet.net (working copy)
@@ -433,7 +433,7 @@
#fe-2/1/1 up up
#fe-2/1/1.0 up up
#fe-2/1/2 up down
-#fe-2/1/3 down up
+#fe-2/1/3 down down
#ge-2/2/0 up up
#ge-2/2/0.0 up up
#pc-2/2/0 up up
Index: configs/muldrow-isd.client.onenet.net
===================================================================
--- configs/muldrow-isd.client.onenet.net (revision 155127)
+++ configs/muldrow-isd.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MULDROW-ISD-LR-004946> show system commit
+# 2017-08-05 22:00:55 CDT by root via other
# 2017-07-22 14:13:06 CDT by root via other
# 2017-06-29 11:09:47 CDT by aberrios via cli commit confirmed, rollback in 5mins
# 2017-06-29 11:04:23 CDT by aberrios via cli commit confirmed, rollback in 3mins
# 2017-06-29 11:04:15 CDT by aberrios via cli commit confirmed, rollback in 3mins
# 2017-06-29 11:04:07 CDT by aberrios via cli commit confirmed, rollback in 3mins
-# 2017-06-29 11:03:58 CDT by aberrios via cli commit confirmed, rollback in 3mins
# grnoc-mon at MULDROW-ISD-LR-004946> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at MULDROW-ISD-LR-004946> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at MULDROW-ISD-LR-004946> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at MULDROW-ISD-LR-004946> show version
# Hostname: MULDROW-ISD-LR-004946
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MULDROW-ISD-LR-004946> show version invoke-on all-routing-engines
# Hostname: MULDROW-ISD-LR-004946
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MULDROW-ISD-LR-004946> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at MULDROW-ISD-LR-004946> show system uptime
-# System booted: 2017-07-22 14:10 CDT
-# Protocols started: 2017-07-22 14:14 CDT
-# Last configured: 2017-07-22 14:13 CDT by root
+# System booted: 2017-08-05 21:58 CDT
+# Protocols started: 2017-08-05 22:02 CDT
+# Last configured: 2017-08-05 22:00 CDT by root
#
# grnoc-mon at MULDROW-ISD-LR-004946> show interface terse
#Interface Admin Link
@@ -180,8 +184,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at MULDROW-ISD-LR-004946> show configuration
-## Last commit: 2017-07-22 14:13:06 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:00:55 CDT by root
+version 12.3X48-D40.5;
system {
host-name MULDROW-ISD-LR-004946;
auto-snapshot;
@@ -311,6 +315,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/2.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/1 {
description "L2 INTERFACE - TEST-VLAN";
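Review bot: The `from-zone UNTRUST to-zone UNTRUST` policy in this security stanza matches `source-address any`, `destination-address any` and `application any` with `permit`, and `ge-0/0/2.0` in the same zone accepts `ssh` and `snmp` as host-inbound traffic, so the zone layer places no limit on who can reach the management services on that interface. The only visible candidate for restricting them is `filter PROTECT-RE`, whose terms lie outside these hunks; it is worth confirming that it limits SSH and SNMP to the NOC source prefixes and that it is unchanged after the move to 12.3X48-D40.5. I would annotate the interface with something like `/* ssh/snmp sources restricted by filter PROTECT-RE */` and, if the intra-zone permit is only needed for transit between `vlan.3` and the uplink, narrow `source-address any;` to an address-book entry for the client prefixes. The same pattern appears in the security hunks for union-city-ps, oktaha-isd, tahlequah-isd and tushka-ps further down (on oktaha-isd the `ssh`/`snmp` services sit on `vlan.3`).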
@@ -438,111 +547,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/2.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/union-city-ps.client.onenet.net
===================================================================
--- configs/union-city-ps.client.onenet.net (revision 155150)
+++ configs/union-city-ps.client.onenet.net (working copy)
@@ -1,14 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show system commit
+# 2017-08-05 22:53:13 CDT by root via other
# 2017-07-23 13:43:53 CDT by root via other
# 2016-09-08 14:19:35 CDT by sean via cli
# 2015-08-25 21:58:52 CDT by root via cli
# 2015-08-22 00:03:43 CDT by root via cli
# 2015-08-21 23:16:30 CDT by root via other
-# 2015-05-14 16:54:19 CDT by root via other
-# rescue 2017-07-23 13:47:04 CDT by andrew via cli
-#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -23,8 +21,8 @@
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show chassis fpc detail
# Slot 0 information:
@@ -56,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -108,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show version
# Hostname: UNION-CITY-PS-LR-ASSET-004902
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show version invoke-on all-routing-engines
# Hostname: UNION-CITY-PS-LR-ASSET-004902
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show system uptime
-# System booted: 2017-07-23 13:41 CDT
-# Protocols started: 2017-07-23 13:45 CDT
-# Last configured: 2017-07-23 13:43 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:54 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show interface terse
#Interface Admin Link
@@ -182,8 +184,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at UNION-CITY-PS-LR-ASSET-004902> show configuration
-## Last commit: 2017-07-23 13:43:53 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:13 CDT by root
+version 12.3X48-D40.5;
system {
host-name UNION-CITY-PS-LR-ASSET-004902;
auto-snapshot;
@@ -316,6 +318,113 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.4 {
+ host-inbound-traffic {
+ system-services {
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface";
@@ -444,113 +553,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.4 {
- host-inbound-traffic {
- system-services {
- dns;
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/oktaha-isd.client.onenet.net
===================================================================
--- configs/oktaha-isd.client.onenet.net (revision 155401)
+++ configs/oktaha-isd.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show system commit
+# 2017-08-05 22:01:12 CDT by root via other
# 2017-08-01 12:44:35 CDT by admin via cli
# 2017-08-01 12:43:33 CDT by admin via cli
# 2017-08-01 12:43:00 CDT by admin via cli
# 2017-08-01 12:33:32 CDT by admin via cli
# 2017-08-01 12:32:22 CDT by admin via cli
-# 2017-08-01 12:31:26 CDT by admin via cli
# grnoc-mon at OKTAHA-ISD-LR-004898> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,28 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show version
# Hostname: OKTAHA-ISD-LR-004898
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show version invoke-on all-routing-engines
# Hostname: OKTAHA-ISD-LR-004898
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at OKTAHA-ISD-LR-004898> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show system uptime
-# System booted: 2017-08-01 12:24 CDT
-# Protocols started: 2017-08-01 12:27 CDT
-# Last configured: 2017-08-01 12:44 CDT by admin
+# System booted: 2017-08-05 21:58 CDT
+# Protocols started: 2017-08-05 22:02 CDT
+# Last configured: 2017-08-05 22:01 CDT by root
#
# grnoc-mon at OKTAHA-ISD-LR-004898> show interface terse
#Interface Admin Link
@@ -182,8 +184,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at OKTAHA-ISD-LR-004898> show configuration
-## Last commit: 2017-08-01 12:44:35 CDT by admin
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:01:12 CDT by root
+version 12.3X48-D40.5;
system {
host-name OKTAHA-ISD-LR-004898;
domain-name onenet.net;
@@ -315,6 +317,114 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ vlan.4 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface";
@@ -454,114 +564,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- vlan.4 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/tahlequah-isd.client.onenet.net
===================================================================
--- configs/tahlequah-isd.client.onenet.net (revision 155126)
+++ configs/tahlequah-isd.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show system commit
+# 2017-08-05 22:53:20 CDT by root via other
# 2017-07-22 13:28:20 CDT by root via other
# 2015-11-11 09:18:23 CST by admin via cli commit confirmed, rollback in 3mins
# 2015-11-10 15:51:22 CST by admin via cli
# 2015-11-10 16:47:25 CST by admin via cli
# 2015-11-09 23:24:32 CST by admin via cli
-# 2015-11-09 23:17:24 CST by admin via cli
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show version
# Hostname: TAHLEQUAH-ISD-LR-4953
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show version invoke-on all-routing-engines
# Hostname: TAHLEQUAH-ISD-LR-4953
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show system uptime
-# System booted: 2017-07-22 13:25 CDT
-# Protocols started: 2017-07-22 13:29 CDT
-# Last configured: 2017-07-22 13:28 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:54 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show interface terse
#Interface Admin Link
@@ -179,8 +183,8 @@
#vlan.3 up down
#vlan.999 up down
# grnoc-mon at TAHLEQUAH-ISD-LR-4953> show configuration
-## Last commit: 2017-07-22 13:28:20 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:20 CDT by root
+version 12.3X48-D40.5;
system {
host-name TAHLEQUAH-ISD-LR-4953;
domain-name onenet.net;
@@ -312,6 +316,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.40.14/30";
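Review bot: The policy under `from-zone UNTRUST to-zone UNTRUST` is named `TRUST-TO-UNTRUST`, although this stanza defines no TRUST zone, so the name misstates which traffic the any/any/any `permit` covers and is easy to misread during an audit. The muldrow-isd, union-city-ps and oktaha-isd configs call the equivalent policy `UNTRUST-TO-UNTRUST`; renaming it here so the line reads `policy UNTRUST-TO-UNTRUST {` would keep the fleet consistent without changing behaviour. The tushka-ps security hunk below carries the same mismatched name.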
@@ -440,111 +549,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/tushka-ps.client.onenet.net
===================================================================
--- configs/tushka-ps.client.onenet.net (revision 155441)
+++ configs/tushka-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TUSHKA-PS-LR-004886> show system commit
+# 2017-08-05 22:53:26 CDT by root via other
# 2017-08-02 23:34:18 CDT by root via other
# 2016-10-11 15:37:21 CDT by sean via cli
# 2016-09-08 14:31:40 CDT by admin via cli commit confirmed, rollback in 3mins
# 2016-09-08 14:28:11 CDT by admin via cli
# 2016-09-08 14:26:51 CDT by admin via cli
-# 2016-08-26 19:13:08 CDT by root via cli
# grnoc-mon at TUSHKA-PS-LR-004886> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at TUSHKA-PS-LR-004886> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at TUSHKA-PS-LR-004886> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at TUSHKA-PS-LR-004886> show version
# Hostname: TUSHKA-PS-LR-004886
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at TUSHKA-PS-LR-004886> show version invoke-on all-routing-engines
# Hostname: TUSHKA-PS-LR-004886
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at TUSHKA-PS-LR-004886> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at TUSHKA-PS-LR-004886> show system uptime
-# System booted: 2017-08-02 23:31 CDT
-# Protocols started: 2017-08-02 23:35 CDT
-# Last configured: 2017-08-02 23:34 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:55 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at TUSHKA-PS-LR-004886> show interface terse
#Interface Admin Link
@@ -179,8 +183,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at TUSHKA-PS-LR-004886> show configuration
-## Last commit: 2017-08-02 23:34:18 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:26 CDT by root
+version 12.3X48-D40.5;
system {
host-name TUSHKA-PS-LR-004886;
auto-snapshot;
@@ -310,6 +314,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 156.110.28.249/31";
@@ -443,111 +552,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/perry-ps.client.onenet.net
===================================================================
--- configs/perry-ps.client.onenet.net (revision 155127)
+++ configs/perry-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at PERRY-PS-LR-004952> show system commit
+# 2017-08-05 22:53:08 CDT by root via other
# 2017-07-22 14:04:58 CDT by root via other
# 2016-12-03 13:37:40 CST by andrew via cli
# 2016-09-15 14:26:26 CDT by aberrios via cli
# 2016-09-15 14:21:12 CDT by aberrios via cli
# 2016-09-15 14:06:22 CDT by aberrios via cli
-# 2016-03-08 10:45:07 CST by sky via cli
# grnoc-mon at PERRY-PS-LR-004952> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at PERRY-PS-LR-004952> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at PERRY-PS-LR-004952> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at PERRY-PS-LR-004952> show version
# Hostname: PERRY-PS-LR-004952
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at PERRY-PS-LR-004952> show version invoke-on all-routing-engines
# Hostname: PERRY-PS-LR-004952
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at PERRY-PS-LR-004952> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at PERRY-PS-LR-004952> show system uptime
-# System booted: 2017-07-22 14:02 CDT
-# Protocols started: 2017-07-22 14:06 CDT
-# Last configured: 2017-07-22 14:04 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:54 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at PERRY-PS-LR-004952> show interface terse
#Interface Admin Link
@@ -180,8 +184,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at PERRY-PS-LR-004952> show configuration
-## Last commit: 2017-07-22 14:04:58 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:08 CDT by root
+version 12.3X48-D40.5;
system {
host-name PERRY-PS-LR-004952;
domain-name onenet.net;
@@ -318,148 +322,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- ge-0/0/0 {
- description "L3 INTERFACE - UNTRUST-WAN - 164.58.9.102/30";
- speed 100m;
- link-mode full-duplex;
- gigether-options {
- no-auto-negotiation;
- }
- unit 0 {
- family inet {
- address 164.58.9.102/30;
- }
- }
- }
- ge-0/0/1 {
- description "L2 INTERFACE - TEST-VLAN";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- ge-0/0/2 {
- disable;
- }
- ge-0/0/3 {
- disable;
- }
- ge-0/0/4 {
- disable;
- }
- ge-0/0/5 {
- disable;
- }
- ge-0/0/6 {
- disable;
- }
- ge-0/0/7 {
- disable;
- }
- ge-0/0/8 {
- disable;
- }
- ge-0/0/9 {
- disable;
- }
- ge-0/0/10 {
- disable;
- }
- ge-0/0/11 {
- disable;
- }
- ge-0/0/12 {
- disable;
- }
- ge-0/0/13 {
- disable;
- }
- ge-0/0/14 {
- description "L3 Interface - POLYCOM-UNTRUST";
- unit 0 {
- family inet {
- address 164.58.163.49/29;
- address 156.110.119.97/29;
- }
- }
- }
- ge-0/0/15 {
- description "L2 INTERFACE - TRUST-VLAN";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members 3;
- }
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- vlan {
- unit 3 {
- description "L3 INTERFACE - TRUST-VLAN - 192.168.1.1/30";
- family inet {
- address 192.168.1.1/30;
- }
- }
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 164.58.9.101;
- route 10.0.0.0/8 next-hop 192.168.1.2;
- route 172.16.0.0/12 next-hop 192.168.1.2;
- route 192.168.0.0/16 next-hop 192.168.1.2;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
ike {
policy IKE-DYN-VPN-POLICY {
@@ -824,6 +686,148 @@
}
}
}
+interfaces {
+ ge-0/0/0 {
+ description "L3 INTERFACE - UNTRUST-WAN - 164.58.9.102/30";
+ speed 100m;
+ link-mode full-duplex;
+ gigether-options {
+ no-auto-negotiation;
+ }
+ unit 0 {
+ family inet {
+ address 164.58.9.102/30;
+ }
+ }
+ }
+ ge-0/0/1 {
+ description "L2 INTERFACE - TEST-VLAN";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/2 {
+ disable;
+ }
+ ge-0/0/3 {
+ disable;
+ }
+ ge-0/0/4 {
+ disable;
+ }
+ ge-0/0/5 {
+ disable;
+ }
+ ge-0/0/6 {
+ disable;
+ }
+ ge-0/0/7 {
+ disable;
+ }
+ ge-0/0/8 {
+ disable;
+ }
+ ge-0/0/9 {
+ disable;
+ }
+ ge-0/0/10 {
+ disable;
+ }
+ ge-0/0/11 {
+ disable;
+ }
+ ge-0/0/12 {
+ disable;
+ }
+ ge-0/0/13 {
+ disable;
+ }
+ ge-0/0/14 {
+ description "L3 Interface - POLYCOM-UNTRUST";
+ unit 0 {
+ family inet {
+ address 164.58.163.49/29;
+ address 156.110.119.97/29;
+ }
+ }
+ }
+ ge-0/0/15 {
+ description "L2 INTERFACE - TRUST-VLAN";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 3;
+ }
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ vlan {
+ unit 3 {
+ description "L3 INTERFACE - TRUST-VLAN - 192.168.1.1/30";
+ family inet {
+ address 192.168.1.1/30;
+ }
+ }
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 164.58.9.101;
+ route 10.0.0.0/8 next-hop 192.168.1.2;
+ route 172.16.0.0/12 next-hop 192.168.1.2;
+ route 192.168.0.0/16 next-hop 192.168.1.2;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
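Review bot: The re-emitted `snmp` stanza still defines a community with `authorization read-write`, and none of the three communities carries a `clients` or `client-list-name` restriction. Within this stanza, nothing limits which sources may use the write community. If write access is not needed, change it to `authorization read-only;`. Otherwise bind each community to the management ranges that `policy-options` already defines, for example `client-list-name PRE-MGMT-SOURCES;`. The `PROTECT-RE` filter applied on `lo0` may already restrict SNMP sources, but its body lies outside this hunk, so that cannot be confirmed from here.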
Index: configs/wewoka-pl.client.onenet.net
===================================================================
--- configs/wewoka-pl.client.onenet.net (revision 155423)
+++ configs/wewoka-pl.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show system commit
+# 2017-08-05 22:53:58 CDT by root via other
# 2017-07-23 13:42:44 CDT by root via other
# 2017-05-19 13:29:17 CDT by andrew via cli
# 2016-06-21 14:06:26 CDT by admin via cli
# 2016-01-08 12:40:40 CST by admin via cli commit confirmed, rollback in 5mins
# 2016-01-08 12:16:18 CST by admin via cli
-# 2016-01-08 12:13:01 CST by admin via cli
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,29 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
-# WARNING: / was not properly dismounted
-# WARNING: / was not properly dismounted
-# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show version
# Hostname: WEWOKA-PL-SRX240-MR-4933
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show version invoke-on all-routing-engines
# Hostname: WEWOKA-PL-SRX240-MR-4933
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show system uptime
-# System booted: 2017-08-02 10:35 CDT
-# Protocols started: 2017-08-02 10:39 CDT
-# Last configured: 2017-07-23 13:42 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:55 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show interface terse
#Interface Admin Link
@@ -184,8 +185,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at WEWOKA-PL-SRX240-MR-4933> show configuration
-## Last commit: 2017-07-23 13:42:44 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:58 CDT by root
+version 12.3X48-D40.5;
system {
host-name WEWOKA-PL-SRX240-MR-4933;
auto-snapshot;
@@ -329,6 +330,130 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TRUST-TO-UNTRUST-NAT {
+ from zone TRUST;
+ to zone UNTRUST;
+ rule NAT-TRUST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TRUST {
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.40.94/30";
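Review bot: In the added `security-zone UNTRUST` stanza, `ge-0/0/0.0` (described as UNTRUST-WAN) accepts `ssh` and `snmp` under `host-inbound-traffic system-services`, so both management services are open at the zone level on the WAN-facing interface. Whether the `PROTECT-RE` filter narrows them to management sources is not visible in this hunk. I would either remove `snmp;` from this list if polling does not arrive over the WAN, or annotate the stanza to say that source restriction is delegated to `PROTECT-RE`. The added `security` blocks for ninnekah-ps (`ge-0/0/0.0`) and tuskahoma-ps (`vlan.3`) carry the same service list.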
@@ -479,130 +604,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TRUST-TO-UNTRUST-NAT {
- from zone TRUST;
- to zone UNTRUST;
- rule NAT-TRUST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TRUST {
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/ninnekah-ps.client.onenet.net
===================================================================
--- configs/ninnekah-ps.client.onenet.net (revision 155534)
+++ configs/ninnekah-ps.client.onenet.net (working copy)
@@ -1,8 +1,9 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show system commit
+# 2017-08-05 22:53:04 CDT by root via other
# 2017-08-02 23:40:13 CDT by root via other
-# rescue 2017-08-05 21:38:53 CDT by andrew via cli
+# rescue 2017-08-05 22:59:51 CDT by andrew via cli
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show chassis environment
# Class Item Status Measurement
@@ -18,8 +19,8 @@
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show chassis fpc detail
# Slot 0 information:
@@ -51,8 +52,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -103,26 +107,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show version
# Hostname: NINNEKAH-PS-LR-004926
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show version invoke-on all-routing-engines
# Hostname: NINNEKAH-PS-LR-004926
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at NINNEKAH-PS-LR-004926> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show system uptime
-# System booted: 2017-08-02 23:37 CDT
-# Protocols started: 2017-08-02 23:41 CDT
-# Last configured: 2017-08-02 23:40 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:54 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at NINNEKAH-PS-LR-004926> show interface terse
#Interface Admin Link
@@ -176,8 +181,8 @@
#vlan.3 up down
#vlan.999 up down
# grnoc-mon at NINNEKAH-PS-LR-004926> show configuration
-## Last commit: 2017-08-02 23:40:13 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:04 CDT by root
+version 12.3X48-D40.5;
system {
host-name NINNEKAH-PS-LR-004926;
auto-snapshot;
@@ -307,6 +312,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.17.235/31";
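Review bot: The added `from-zone UNTRUST to-zone UNTRUST` policy `UNTRUST-TO-UNTRUST` matches `source-address any`, `destination-address any` and `application any` and then permits. The UNTRUST zone holds both `ge-0/0/0.0` and `ge-0/0/15.0`, so all traffic transiting between those two interfaces is forwarded with no policy restriction. If the device is meant to act as a plain router here, an annotation stating that intent would keep the rule from looking like an oversight. Otherwise the match should name the expected prefixes and applications through address-book entries instead of `any`.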
@@ -426,111 +536,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/tuskahoma-ps.client.onenet.net
===================================================================
--- configs/tuskahoma-ps.client.onenet.net (revision 155150)
+++ configs/tuskahoma-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show system commit
+# 2017-08-05 22:53:47 CDT by root via other
# 2017-07-23 13:47:36 CDT by root via other
# 2017-04-24 09:11:22 CDT by andrew via cli commit confirmed, rollback in 3mins
# 2016-05-25 09:26:43 CDT by andrew via cli
# 2015-08-11 12:35:08 CDT by sean via cli
# 2015-08-10 12:25:16 CDT by admin via cli
-# 2015-08-10 11:36:01 CDT by admin via cli
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show version
# Hostname: Tuskahoma-PS-SRX240-LEASED-004901
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show version invoke-on all-routing-engines
# Hostname: Tuskahoma-PS-SRX240-LEASED-004901
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show system uptime
-# System booted: 2017-07-23 13:44 CDT
-# Protocols started: 2017-07-23 13:48 CDT
-# Last configured: 2017-07-23 13:47 CDT by root
+# System booted: 2017-08-05 22:50 CDT
+# Protocols started: 2017-08-05 22:55 CDT
+# Last configured: 2017-08-05 22:53 CDT by root
#
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show interface terse
#Interface Admin Link
@@ -180,8 +184,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at Tuskahoma-PS-SRX240-LEASED-004901> show configuration
-## Last commit: 2017-07-23 13:47:36 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 22:53:47 CDT by root
+version 12.3X48-D40.5;
system {
host-name Tuskahoma-PS-SRX240-LEASED-004901;
auto-snapshot;
@@ -306,6 +310,132 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TRUST-TO-UNTRUST-NAT {
+ from zone TRUST;
+ to zone UNTRUST;
+ rule NAT-TRUST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TRUST {
+ interfaces {
+ vlan.4 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ dns;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "UNTRUST WAN Interface";
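Review bot: Both permit-all policies in the added `policies` stanza (`TRUST-TO-UNTRUST` and `ALLOW-ALL-OUT`) end in a bare `then { permit; }`, so no session log is configured for traffic leaving the TRUST and TEST zones. Adding `log { session-close; }` inside each `then` block would leave flow records to work from during an investigation. The added `security` blocks for wewoka-pl and ninnekah-ps contain the same permit-all policies without a `log` statement.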
@@ -440,132 +570,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TRUST-TO-UNTRUST-NAT {
- from zone TRUST;
- to zone UNTRUST;
- rule NAT-TRUST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TRUST {
- interfaces {
- vlan.4 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- dns;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {