#
sysname FW
#
 l2tp domain suffix-separator @
#
authentication-profile name portal_authen_default
#
 undo factory-configuration prohibit
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone Beijing add 08:00:00
#
 firewall packet-filter basic-protocol enable
#
 update schedule location-sdb weekly Sun 22:42
#
 firewall defend action discard
#
 undo log type traffic enable
 log type syslog enable
 log type policy enable
#
 undo dataflow enable
#
 undo sa force-detection enable
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 firewall ids authentication type aes256
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dhcp enable
#
 undo feedback type threat-log enable
#
 update schedule ips-sdb daily 06:48
 update schedule av-sdb daily 06:48
 update schedule sa-sdb daily 06:48
 update schedule ip-reputation daily 06:48
 update schedule cnc daily 06:48
 update schedule file-reputation daily 06:48
 update schedule ext-url-sdb daily 06:48
#
 disk-usage alarm threshold 95
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
web-auth-server default
 port 50100
#
portal-access-profile name default
#
ip pool VLAN10_Staff
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 section 0 192.168.10.10 192.168.10.200
 dns-list 8.8.8.8
#
ip pool VLAN30_Guest
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 section 0 192.168.30.10 192.168.30.200
 dns-list 8.8.8.8
#
aaa
 authentication-scheme admin_ad
 authentication-scheme admin_ad_local
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ldap
 authentication-scheme admin_ldap_local
 authentication-scheme admin_local
 authentication-scheme admin_radius
 authentication-scheme admin_radius_local
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike dot1x
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher $1a$<vT~V/>!YP$I6@T1:%^)Rhm%fM@2<B1Cmu1MT+mL:'{'CKfTQ;($
  service-type web terminal
  level 15

 manager-user admin
  password cipher $1a$Y5J}3yr|ZQ$(02cA"\}B$#q*/JU(0=~6NSWS$)*n:}ex."SFDY<$
  service-type web terminal
  level 15

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
interface MEth0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.0.1.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.0.2.2 255.255.255.252
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.0.3.2 255.255.255.252
#
interface GigabitEthernet0/0/3
 undo shutdown
#
interface GigabitEthernet0/0/4
 undo shutdown
#
interface GigabitEthernet0/0/5
 undo shutdown
#
interface GigabitEthernet0/0/6
 undo shutdown
#
interface GigabitEthernet0/0/7
 undo shutdown
#
interface WAN0/0/0
 undo shutdown
#
interface WAN0/0/1
 undo shutdown
#
interface XGigabitEthernet0/0/0
 undo shutdown
#
interface XGigabitEthernet0/0/1
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface MEth0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
#
api
#
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.2.0 0.0.0.3
  network 10.0.3.0 0.0.0.3
#
undo icmp name timestamp-request receive
undo icmp name timestamp-reply receive
undo icmp type 17 code 0 receive
undo icmp type 18 code 0 receive
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
ssh server dh-exchange min-len 2048
#
firewall detect ftp
#
 v-gateway ssl-renegotiation-attack defend enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-interface
 mode proportion-of-weight
#
right-manager server-group
#
IoT
#
network-scan
 network-scan timeout per-asset 300
 network-scan timeout entire-scan 23
 conflict-resolve override
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default action permit
 rule name t2ut
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name t2ut
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action source-nat easy-ip
#
proxy-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
 mode based-on-multi-interface
#
rightm-policy
#
decryption-policy
#
flow-probe-policy
#
mac-access-profile name mac_access_profile
#
return