yes auditadmin UDP 514 BSD LOG_LOCAL7 UDP 514 BSD LOG_LOCAL7 traffic SYSLOG-PROFILE threat SYSLOG-PROFILE url SYSLOG-PROFILE auth SYSLOG-PROFILE PA-5220-01 UTC =============================================================== UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit, authorized permission to access or configure this device. All activities are monitored and logged. Unauthorized access attempts will be reported. =============================================================== 10 TLS-1-2-PROFILE 5 30 10 yes 5000 WAN-MGMT-RESTRICT no WAN / Internet uplink to ISP LAN-MGMT LAN trunk to Core Switch LAN-MGMT LAN trunk to Core Switch 2 (redundant) DMZ-RESTRICT DMZ server segment HA2 - Data link HA3 - Packet forwarding yes yes yes yes yes yes yes ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 0.0.0.0/0 ethernet1/1 10 / ethernet1/2 / ethernet1/2 / ethernet1/2 ethernet1/1 yes ethernet1/2 ethernet1/3 yes ethernet1/4 yes

/ User workstation network Internal / Server network Internal / VoIP network Internal / DMZ servers DMZ / Management network /32 /32 /32

NET-USERS NET-SERVERS NET-VOICE SRV-DNS-1 SRV-DNS-2 reset-both reset-both reset-both reset-both reset-both reset-both reset-both reset-both reset-both reset-both reset-both reset-both critical high any any single-packet medium low informational any any single-packet sinkhole default single-packet sinkhole default sinkhole default single-packet 72.5.65.111 ::1 any critical high any any single-packet medium any any low informational any any adult command-and-control cryptocurrency dynamic-dns extremism gambling grayware hacking malware newly-registered-domain not-resolved parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable ransomware unknown weapons high-risk medium-risk insufficient-content yes yes any bat cab class cmd dll exe hlp hta jar msi pif ps1 reg scr vbe vbs wsf both block any pe elf mach-o both alert any any both public-cloud AV-STRICT AS-STRICT VP-STRICT URL-STANDARD FB-STRICT WF-ALL TRUST UNTRUST NET-USERS any ssl web-browsing dns ntp ms-update apple-update ubuntu-update application-default allow SPG-STANDARD LOG-ALL no yes Allow users to browse internet with full inspection Outbound TRUST UNTRUST NET-SERVERS any ssl web-browsing dns ntp apt-get yum ms-update application-default allow SPG-STANDARD LOG-ALL yes Allow servers to fetch updates and DNS TRUST DMZ NET-USERS NET-DMZ ssl web-browsing application-default allow LOG-ALL yes Allow users to access DMZ web services UNTRUST DMZ any NET-DMZ ssl web-browsing application-default allow SPG-STANDARD LOG-ALL yes Published web services accessible from internet DMZ TRUST NET-DMZ NET-SERVERS mysql postgresql mssql-db application-default allow LOG-ALL yes DMZ web servers to backend databases only TRUST TRUST NET-USERS NET-SERVERS ssl web-browsing ms-ds-smb msrpc dns active-directory ldap kerberos application-default allow LOG-ALL yes Users to servers - approved applications only (zero trust) any any any any any any deny LOG-ALL yes Explicit deny-all with full logging Cleanup TRUST UNTRUST GRP-INTERNAL-ALL any any ethernet1/1 Source NAT for internal networks going to internet