Shared Gateway Example
<config version="9.1.0" urldb="paloaltonetworks">
<shared>
<admin-role>
<entry name="vsysadminrole">
<role>
<vsys>
<webui>
<monitor>
<logs>
<traffic>enable</traffic>
<threat>enable</threat>
<url>enable</url>
<wildfire>enable</wildfire>
<data-filtering>enable</data-filtering>
<hipmatch>enable</hipmatch>
<globalprotect>enable</globalprotect>
<iptag>enable</iptag>
<userid>enable</userid>
<tunnel>enable</tunnel>
<authentication>enable</authentication>
</logs>
<automated-correlation-engine>
<correlation-objects>enable</correlation-objects>
<correlated-events>enable</correlated-events>
</automated-correlation-engine>
<app-scope>enable</app-scope>
<session-browser>enable</session-browser>
<block-ip-list>enable</block-ip-list>
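<!-- PDF report permissions for the vsys-scoped admin role: every report type is enabled,
     including the per-user activity report. -->
<pdf-reports>
  <manage-pdf-summary>enable</manage-pdf-summary>
  <pdf-summary-reports>enable</pdf-summary-reports>
  <user-activity-report>enable</user-activity-report>
  <saas-application-usage-report>enable</saas-application-usage-report>
  <report-groups>enable</report-groups>
  <email-scheduler>enable</email-scheduler>
</pdf-reports>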
<custom-reports>
<application-statistics>enable</application-statistics>
<data-filtering-log>enable</data-filtering-log>
<threat-log>enable</threat-log>
<threat-summary>enable</threat-summary>
<traffic-log>enable</traffic-log>
<traffic-summary>enable</traffic-summary>
<url-log>enable</url-log>
<url-summary>enable</url-summary>
<hipmatch>enable</hipmatch>
<globalprotect>enable</globalprotect>
<wildfire-log>enable</wildfire-log>
<tunnel-log>enable</tunnel-log>
<tunnel-summary>enable</tunnel-summary>
<iptag>enable</iptag>
<userid>enable</userid>
<auth>enable</auth>
</custom-reports>
<view-custom-reports>enable</view-custom-reports>
</monitor>
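<!-- Policy permissions for the vsys-scoped admin role: every rulebase is set to enable,
     and so is rule-hit-count-reset. Scope this down for roles that only need to review
     policy rather than change it. -->
<policies>
  <security-rulebase>enable</security-rulebase>
  <nat-rulebase>enable</nat-rulebase>
  <qos-rulebase>enable</qos-rulebase>
  <pbf-rulebase>enable</pbf-rulebase>
  <ssl-decryption-rulebase>enable</ssl-decryption-rulebase>
  <tunnel-inspect-rulebase>enable</tunnel-inspect-rulebase>
  <application-override-rulebase>enable</application-override-rulebase>
  <authentication-rulebase>enable</authentication-rulebase>
  <dos-rulebase>enable</dos-rulebase>
  <sdwan-rulebase>enable</sdwan-rulebase>
  <rule-hit-count-reset>enable</rule-hit-count-reset>
</policies>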
<objects>
<addresses>enable</addresses>
<address-groups>enable</address-groups>
<regions>enable</regions>
<dynamic-user-groups>enable</dynamic-user-groups>
<applications>enable</applications>
<application-groups>enable</application-groups>
<application-filters>enable</application-filters>
<services>enable</services>
<service-groups>enable</service-groups>
<tags>enable</tags>
<global-protect>
<hip-objects>enable</hip-objects>
<hip-profiles>enable</hip-profiles>
</global-protect>
<dynamic-block-lists>enable</dynamic-block-lists>
<custom-objects>
<data-patterns>enable</data-patterns>
<spyware>enable</spyware>
<vulnerability>enable</vulnerability>
<url-category>enable</url-category>
</custom-objects>
<security-profiles>
<antivirus>enable</antivirus>
<anti-spyware>enable</anti-spyware>
<vulnerability-protection>enable</vulnerability-protection>
<url-filtering>enable</url-filtering>
<file-blocking>enable</file-blocking>
<wildfire-analysis>enable</wildfire-analysis>
<data-filtering>enable</data-filtering>
<dos-protection>enable</dos-protection>
</security-profiles>
<security-profile-groups>enable</security-profile-groups>
<log-forwarding>enable</log-forwarding>
<authentication>enable</authentication>
<decryption>
<decryption-profile>enable</decryption-profile>
</decryption>
<sdwan>
<sdwan-profile>enable</sdwan-profile>
<sdwan-dist-profile>enable</sdwan-dist-profile>
</sdwan>
<schedules>enable</schedules>
</objects>
<network>
<zones>enable</zones>
<global-protect>
<portals>enable</portals>
<gateways>enable</gateways>
<mdm>enable</mdm>
<device-block-list>enable</device-block-list>
<clientless-apps>enable</clientless-apps>
<clientless-app-groups>enable</clientless-app-groups>
</global-protect>
<sdwan-interface-profile>enable</sdwan-interface-profile>
</network>
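<!-- Privacy permissions for the vsys-scoped admin role. All three are enabled, so holders
     of this role see unmasked IP addresses and user names in logs and reports and can open
     packet captures. Disable these for roles that should not handle personal data. -->
<privacy>
  <show-full-ip-addresses>enable</show-full-ip-addresses>
  <show-user-names-in-logs-and-reports>enable</show-user-names-in-logs-and-reports>
  <view-pcap-files>enable</view-pcap-files>
</privacy>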
<validate>enable</validate>
<save>
<partial-save>enable</partial-save>
<save-for-other-admins>enable</save-for-other-admins>
</save>
<commit>
<virtual-systems>enable</virtual-systems>
<commit-for-other-admins>enable</commit-for-other-admins>
</commit>
<tasks>enable</tasks>
</webui>
<xmlapi/>
</vsys>
</role>
</entry>
</admin-role>
<!-- Shared authentication profile "auth".
     The method is <none/>, MFA is off and the allow list is "all", so this profile checks
     no credential for any user. Nothing else in this listing refers to it by name.
     NOTE(review): treat it as a placeholder; do not attach it to admin, GlobalProtect or
     authentication-policy use without replacing the method. -->
<authentication-profile>
  <entry name="auth">
    <multi-factor-auth><mfa-enable>no</mfa-enable></multi-factor-auth>
    <method><none/></method>
    <allow-list><member>all</member></allow-list>
  </entry>
</authentication-profile>
<!-- Shared application filter "allowed", referenced by the <application> member of the
     outbound security rules in both virtual systems.
     It selects applications by category, subcategory and risk level 1 to 3.
     NOTE(review): a filter is dynamic, so the set of matched applications can change
     with content updates; presumably the three attribute lists are combined with AND
     and the values inside each list with OR, confirm against the PAN-OS reference. -->
<application-filter>
  <entry name="allowed">
    <category>
      <member>business-systems</member>
      <member>collaboration</member>
      <member>general-internet</member>
    </category>
    <subcategory>
      <member>general-business</member>
      <member>internet-conferencing</member>
      <member>management</member>
      <member>office-programs</member>
      <member>social-business</member>
      <member>software-update</member>
      <member>voip-video</member>
    </subcategory>
    <risk>
      <member>1</member>
      <member>2</member>
      <member>3</member>
    </risk>
  </entry>
</application-filter>
<!-- Shared security profile group "default", attached to every security rule in this
     listing through <profile-setting>.
     It bundles antivirus (default), anti-spyware (strict), vulnerability protection
     (strict) and WildFire analysis (default).
     No url-filtering, file-blocking or data-filtering member is present, so traffic
     allowed by those rules gets none of those inspections from this group. -->
<profile-group>
  <entry name="default">
    <virus><member>default</member></virus>
    <spyware><member>strict</member></spyware>
    <vulnerability><member>strict</member></vulnerability>
    <wildfire-analysis><member>default</member></wildfire-analysis>
  </entry>
</profile-group>
</shared>
<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<ip>
<entry name="10.0.0.0/24"/>
</ip>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>
<entry name="ethernet1/2">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="10.1.0.0/24"/>
</ip>
</layer3>
</entry>
<entry name="ethernet1/3">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<ip>
<entry name="198.51.100.2/24"/>
</ip>
</layer3>
</entry>
</ethernet>
<loopback>
<units/>
</loopback>
<vlan>
<units/>
</vlan>
<tunnel>
<units/>
</tunnel>
</interface>
<vlan/>
<virtual-wire/>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
</profiles>
<ike>
<crypto-profiles>
<!-- IKE (phase 1) crypto profiles. The enclosing <ike> block in this listing holds only
     crypto profiles, so nothing visible here uses them yet.
     "default" still offers 3DES, SHA-1 and DH group 2; these are legacy choices and
     should not be selected for new tunnels. Prefer one of the Suite-B entries.
     Despite the GCM in their names, the two Suite-B IKE entries list CBC ciphers
     (aes-128-cbc and aes-256-cbc); GCM appears only in the IPSec profiles of the same name. -->
<ike-crypto-profiles>
  <entry name="default">
    <encryption>
      <member>aes-128-cbc</member>
      <member>3des</member>
    </encryption>
    <hash><member>sha1</member></hash>
    <dh-group><member>group2</member></dh-group>
    <lifetime><hours>8</hours></lifetime>
  </entry>
  <entry name="Suite-B-GCM-128">
    <encryption><member>aes-128-cbc</member></encryption>
    <hash><member>sha256</member></hash>
    <dh-group><member>group19</member></dh-group>
    <lifetime><hours>8</hours></lifetime>
  </entry>
  <entry name="Suite-B-GCM-256">
    <encryption><member>aes-256-cbc</member></encryption>
    <hash><member>sha384</member></hash>
    <dh-group><member>group20</member></dh-group>
    <lifetime><hours>8</hours></lifetime>
  </entry>
</ike-crypto-profiles>
<!-- IPSec (phase 2) crypto profiles, all ESP with a one-hour lifetime.
     "default" offers aes-128-cbc and 3DES with SHA-1 authentication and DH group 2 for
     PFS; these are legacy choices and should not be selected for new tunnels.
     The Suite-B entries use AES-GCM with authentication "none": GCM is an authenticated
     mode, so no separate ESP integrity algorithm is listed. -->
<ipsec-crypto-profiles>
  <entry name="default">
    <esp>
      <encryption>
        <member>aes-128-cbc</member>
        <member>3des</member>
      </encryption>
      <authentication><member>sha1</member></authentication>
    </esp>
    <dh-group>group2</dh-group>
    <lifetime><hours>1</hours></lifetime>
  </entry>
  <entry name="Suite-B-GCM-128">
    <esp>
      <encryption><member>aes-128-gcm</member></encryption>
      <authentication><member>none</member></authentication>
    </esp>
    <dh-group>group19</dh-group>
    <lifetime><hours>1</hours></lifetime>
  </entry>
  <entry name="Suite-B-GCM-256">
    <esp>
      <encryption><member>aes-256-gcm</member></encryption>
      <authentication><member>none</member></authentication>
    </esp>
    <dh-group>group20</dh-group>
    <lifetime><hours>1</hours></lifetime>
  </entry>
</ipsec-crypto-profiles>
<!-- GlobalProtect app crypto profile "default": aes-128-cbc with SHA-1 authentication.
     NOTE(review): SHA-1 is a legacy choice; review this profile before it is used for
     GlobalProtect tunnels. No portal or gateway is defined in this listing. -->
<global-protect-app-crypto-profiles>
  <entry name="default">
    <encryption><member>aes-128-cbc</member></encryption>
    <authentication><member>sha1</member></authentication>
  </entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
</ike>
<qos>
<profile>
<entry name="default">
<class-bandwidth-type>
<mbps>
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</mbps>
</class-bandwidth-type>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="v1-default">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
<rip>
<enable>no</enable>
</rip>
<ospf>
<enable>no</enable>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
</protocol>
<interface>
<member>ethernet1/1</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<entry name="vsys2-subnet">
<nexthop>
<next-vr>v2-default</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<metric>10</metric>
<destination>10.1.0.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
<entry name="dg">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<next-vr>sharedVR</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
<entry name="v2-default">
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<protocol>
<bgp>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
<enable>no</enable>
</bgp>
<rip>
<enable>no</enable>
</rip>
<ospf>
<enable>no</enable>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
</protocol>
<interface>
<member>ethernet1/2</member>
</interface>
<routing-table>
<ip>
<static-route>
<entry name="vsys1-subnet">
<nexthop>
<next-vr>v1-default</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<metric>10</metric>
<destination>10.0.0.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
<entry name="dg">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<next-vr>sharedVR</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
<entry name="sharedVR">
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<protocol>
<bgp>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
<enable>no</enable>
</bgp>
<rip>
<enable>no</enable>
</rip>
<ospf>
<enable>no</enable>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
</protocol>
<routing-table>
<ip>
<static-route>
<entry name="dg">
<nexthop>
<ip-address>198.51.100.1</ip-address>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<interface>ethernet1/3</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
<route-table>
<unicast/>
</route-table>
</entry>
<entry name="vsys1">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<next-vr>v1-default</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<metric>10</metric>
<destination>10.0.0.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
<entry name="vsys2">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<next-vr>v2-default</next-vr>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<metric>10</metric>
<destination>10.1.0.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
<interface>
<member>ethernet1/3</member>
</interface>
</entry>
</virtual-router>
<shared-gateway>
<entry name="sg1">
<display-name>SharedGW</display-name>
<!-- Zones of shared gateway sg1.
     SGuntrust holds the one physical interface, ethernet1/3 (198.51.100.2/24).
     to-vsys1 and to-vsys2 are external zones: each names the virtual system reachable
     through it, and the NAT rules of sg1 use them as source zones. -->
<zone>
  <entry name="SGuntrust">
    <network>
      <layer3><member>ethernet1/3</member></layer3>
    </network>
  </entry>
  <entry name="to-vsys1">
    <network>
      <external><member>vsys1</member></external>
    </network>
  </entry>
  <entry name="to-vsys2">
    <network>
      <external><member>vsys2</member></external>
    </network>
  </entry>
</zone>
<import>
<network>
<interface>
<member>ethernet1/3</member>
</interface>
</network>
</import>
<rulebase>
<nat>
<rules>
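<!-- Outbound source NAT for vsys1: anything entering sg1 from zone to-vsys1 and leaving
     through SGuntrust is translated with dynamic IP and port to the ethernet1/3 address
     198.51.100.2. Source, destination and service are all "any", so which traffic may
     leave is decided by the vsys1 security rulebase, not by this rule. -->
<entry name="vsys1-nat" uuid="4f3371b2-baff-4383-9781-6363911b9737">
  <source-translation>
    <dynamic-ip-and-port>
      <interface-address>
        <interface>ethernet1/3</interface>
        <ip>198.51.100.2/24</ip>
      </interface-address>
    </dynamic-ip-and-port>
  </source-translation>
  <to><member>SGuntrust</member></to>
  <from><member>to-vsys1</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <service>any</service>
</entry>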
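<!-- Outbound source NAT for vsys2: anything entering sg1 from zone to-vsys2 and leaving
     through SGuntrust is translated with dynamic IP and port to the ethernet1/3 address
     198.51.100.2, the same address the vsys1 rule uses. Source, destination and service
     are all "any", so filtering is left to the vsys2 security rulebase. -->
<entry name="vsys2-nat" uuid="a5ad7ee8-0a0a-4856-95b1-b2d4524d6673">
  <source-translation>
    <dynamic-ip-and-port>
      <interface-address>
        <interface>ethernet1/3</interface>
        <ip>198.51.100.2/24</ip>
      </interface-address>
    </dynamic-ip-and-port>
  </source-translation>
  <to><member>SGuntrust</member></to>
  <from><member>to-vsys2</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <service>any</service>
</entry>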
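<!-- Inbound destination NAT publishing a vsys1 host: service-https traffic from any
     source to 198.51.100.4 is rewritten to 10.0.0.4. No translated port is given, so
     the destination port is left as it arrived.
     Both zones are SGuntrust, presumably because NAT rules are matched on the
     pre-translation address, which sits on the ethernet1/3 subnet (confirm).
     The source is "any": exposure of 10.0.0.4 is limited only by the service here and
     by the "inbound" security rule in vsys1. -->
<entry name="inbound-vsys1" uuid="51f4bbee-a421-4ce6-b5f8-1bfc55c3841c">
  <destination-translation>
    <translated-address>10.0.0.4</translated-address>
  </destination-translation>
  <to><member>SGuntrust</member></to>
  <from><member>SGuntrust</member></from>
  <source><member>any</member></source>
  <destination><member>198.51.100.4</member></destination>
  <service>service-https</service>
</entry>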
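<!-- Inbound destination NAT publishing a vsys2 host: service-https traffic from any
     source to 198.51.100.5 is rewritten to 10.1.0.5. No translated port is given, so
     the destination port is left as it arrived.
     Both zones are SGuntrust, presumably because NAT rules are matched on the
     pre-translation address, which sits on the ethernet1/3 subnet (confirm).
     The source is "any": exposure of 10.1.0.5 is limited only by the service here and
     by the "inbound" security rule in vsys2. -->
<entry name="inbound-vsys2" uuid="fafe4ec8-c38c-484c-9ebb-3d085c70dbdd">
  <destination-translation>
    <translated-address>10.1.0.5</translated-address>
  </destination-translation>
  <to><member>SGuntrust</member></to>
  <from><member>SGuntrust</member></from>
  <source><member>any</member></source>
  <destination><member>198.51.100.5</member></destination>
  <service>service-https</service>
</entry>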
</rules>
</nat>
</rulebase>
</entry>
</shared-gateway>
</network>
<deviceconfig>
<!-- Management-plane settings of the firewall.
     Hardening already present: telnet and plain HTTP management are disabled.
     Points to check before reusing this block:
       * A static management address (192.168.27.240/24, gateway 192.168.27.1) and a
         <dhcp-client> type are both present; which one takes effect cannot be told
         from this listing.
       * No permitted-ip list appears here, so management access is not limited by
         source address in this block.
       * DNS points at public resolvers 1.1.1.1 and 1.0.0.1.
       * Content updates are downloaded and installed automatically; <threshold> is
         presumably the number of hours a release must age before install (confirm). -->
<system>
  <ip-address>192.168.27.240</ip-address>
  <netmask>255.255.255.0</netmask>
  <update-server>updates.paloaltonetworks.com</update-server>
  <update-schedule>
    <threats>
      <recurring>
        <hourly><action>download-and-install</action></hourly>
        <threshold>25</threshold>
      </recurring>
    </threats>
    <anti-virus>
      <recurring>
        <hourly><action>download-and-install</action></hourly>
        <threshold>5</threshold>
      </recurring>
    </anti-virus>
    <wildfire>
      <recurring>
        <every-hour>
          <at>45</at>
          <action>download-and-install</action>
        </every-hour>
      </recurring>
    </wildfire>
  </update-schedule>
  <timezone>US/Pacific</timezone>
  <service>
    <disable-telnet>yes</disable-telnet>
    <disable-http>yes</disable-http>
  </service>
  <hostname>PA-3020</hostname>
  <default-gateway>192.168.27.1</default-gateway>
  <dns-setting>
    <servers>
      <primary>1.1.1.1</primary>
      <secondary>1.0.0.1</secondary>
    </servers>
  </dns-setting>
  <type>
    <dhcp-client>
      <accept-dhcp-domain>yes</accept-dhcp-domain>
      <accept-dhcp-hostname>yes</accept-dhcp-hostname>
      <send-client-id>yes</send-client-id>
      <send-hostname>yes</send-hostname>
    </dhcp-client>
  </type>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
<management>
<hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
</management>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
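<!-- Resources imported into vsys1: its interface ethernet1/1 (listed once; the original
     repeated the member), the loopback, tunnel and vlan interface families, and virtual
     router v1-default.
     visible-vsys names vsys2, which is what allows vsys1 to define an external zone
     pointing at vsys2. The shared gateway sg1 is not listed here even though the
     to-SG-untrust zone of vsys1 refers to it. -->
<import>
  <network>
    <interface>
      <member>ethernet1/1</member>
      <member>loopback</member>
      <member>tunnel</member>
      <member>vlan</member>
    </interface>
    <virtual-router>
      <member>v1-default</member>
    </virtual-router>
  </network>
  <visible-vsys>
    <member>vsys2</member>
  </visible-vsys>
</import>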
<application/>
<application-group/>
<zone>
<entry name="trust">
<network>
<virtual-wire/>
</network>
</entry>
<entry name="untrust">
<network>
<virtual-wire/>
</network>
</entry>
<entry name="L3-untrust-V1">
<network>
<layer3/>
</network>
</entry>
<entry name="L3-trust-V1">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="out-to-vsys2">
<network>
<external>
<member>vsys2</member>
</external>
</network>
</entry>
<entry name="to-SG-untrust">
<network>
<external>
<member>sg1</member>
</external>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<!-- vsys1 rule "to-vsys2": allows hosts in L3-trust-V1 to reach vsys2 through the
     external zone out-to-vsys2, limited to the shared "allowed" application filter on
     application-default ports and inspected by the "default" profile group.
     NOTE(review): the vsys2 rulebase in this listing has no rule whose source zone is
     out-to-vsys1, so the receiving side presumably needs one before this traffic is
     accepted (confirm). No log-setting is attached to the rule. -->
<entry name="to-vsys2">
  <to><member>out-to-vsys2</member></to>
  <from><member>L3-trust-V1</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>allowed</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
</entry>
<!-- vsys1 rule "internet access": allows hosts in L3-trust-V1 out through the shared
     gateway (external zone to-SG-untrust), limited to the shared "allowed" application
     filter on application-default ports and inspected by the "default" profile group.
     Destination, user and URL category are all "any", and that profile group has no
     URL filtering member, so web destinations are not restricted by this rule.
     No log-setting is attached to the rule. -->
<entry name="internet access">
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
  <to><member>to-SG-untrust</member></to>
  <from><member>L3-trust-V1</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>allowed</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
</entry>
<!-- vsys1 rule "inbound": admits traffic arriving from the shared gateway (zone
     to-SG-untrust) into L3-trust-V1 for destination 198.51.100.4, application ssl on its
     default port, inspected by the "default" profile group.
     The shared gateway block in this listing carries only NAT rules, so this rule is
     where the published service is filtered. The source is "any" and no decryption
     rule is visible, so the profile group presumably sees only what is detectable in
     encrypted sessions (confirm). No log-setting is attached to the rule. -->
<entry name="inbound">
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
  <to><member>L3-trust-V1</member></to>
  <from><member>to-SG-untrust</member></from>
  <source><member>any</member></source>
  <destination><member>198.51.100.4</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>ssl</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
</entry>
</rules>
</security>
</rulebase>
<!-- Authentication profiles local to vsys1: "authprofile" and "auth".
     Both use method <none/>, have MFA off and allow "all" users, so neither checks any
     credential. The second entry has the same name and content as the shared profile
     "auth". Nothing in this listing refers to either profile.
     NOTE(review): treat both as placeholders and replace the method before use. -->
<authentication-profile>
  <entry name="authprofile">
    <multi-factor-auth><mfa-enable>no</mfa-enable></multi-factor-auth>
    <method><none/></method>
    <allow-list><member>all</member></allow-list>
  </entry>
  <entry name="auth">
    <multi-factor-auth><mfa-enable>no</mfa-enable></multi-factor-auth>
    <method><none/></method>
    <allow-list><member>all</member></allow-list>
  </entry>
</authentication-profile>
</entry>
<entry name="vsys2">
<display-name>Beta environment</display-name>
<zone>
<entry name="L3-untrust-V2">
<network>
<layer3/>
</network>
</entry>
<entry name="L3-trust-V2">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
<entry name="out-to-vsys1">
<network>
<external>
<member>vsys1</member>
</external>
</network>
</entry>
<entry name="to-SG-untrust">
<network>
<external>
<member>sg1</member>
</external>
</network>
</entry>
</zone>
<!-- Resources imported into vsys2: interfaces ethernet1/7 and ethernet1/2 and virtual
     router v2-default. visible-vsys names vsys1, which is what allows vsys2 to define
     an external zone pointing at vsys1.
     NOTE(review): ethernet1/7 has no definition under network/interface/ethernet in
     this listing and is in no zone; only ethernet1/2 is configured. Confirm whether
     the ethernet1/7 member is intended. -->
<import>
  <network>
    <interface>
      <member>ethernet1/7</member>
      <member>ethernet1/2</member>
    </interface>
    <virtual-router>
      <member>v2-default</member>
    </virtual-router>
  </network>
  <visible-vsys>
    <member>vsys1</member>
  </visible-vsys>
</import>
<profile-group/>
<application-filter/>
<rulebase>
<security>
<rules>
<!-- vsys2 rule "to-vsys1": allows hosts in L3-trust-V2 to reach vsys1 through the
     external zone out-to-vsys1, limited to the shared "allowed" application filter on
     application-default ports and inspected by the "default" profile group.
     NOTE(review): the vsys1 rulebase in this listing has no rule whose source zone is
     out-to-vsys2, so the receiving side presumably needs one before this traffic is
     accepted (confirm). No log-setting is attached to the rule. -->
<entry name="to-vsys1">
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
  <to><member>out-to-vsys1</member></to>
  <from><member>L3-trust-V2</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>allowed</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
</entry>
<!-- vsys2 rule "internet access": allows hosts in L3-trust-V2 out through the shared
     gateway (external zone to-SG-untrust), limited to the shared "allowed" application
     filter on application-default ports and inspected by the "default" profile group.
     Destination, user and URL category are all "any", and that profile group has no
     URL filtering member, so web destinations are not restricted by this rule.
     No log-setting is attached to the rule. -->
<entry name="internet access">
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
  <to><member>to-SG-untrust</member></to>
  <from><member>L3-trust-V2</member></from>
  <source><member>any</member></source>
  <destination><member>any</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>allowed</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
</entry>
<!-- vsys2 rule "inbound": admits traffic arriving from the shared gateway (zone
     to-SG-untrust) into L3-trust-V2 for destination 198.51.100.5, application ssl on its
     default port, inspected by the "default" profile group.
     The shared gateway block in this listing carries only NAT rules, so this rule is
     where the published service is filtered. The source is "any" and no decryption
     rule is visible, so the profile group presumably sees only what is detectable in
     encrypted sessions (confirm). No log-setting is attached to the rule. -->
<entry name="inbound">
  <profile-setting>
    <group><member>default</member></group>
  </profile-setting>
  <to><member>L3-trust-V2</member></to>
  <from><member>to-SG-untrust</member></from>
  <source><member>any</member></source>
  <destination><member>198.51.100.5</member></destination>
  <source-user><member>any</member></source-user>
  <category><member>any</member></category>
  <application><member>ssl</member></application>
  <service><member>application-default</member></service>
  <hip-profiles><member>any</member></hip-profiles>
  <action>allow</action>
</entry>
</rules>
</security>
</rulebase>
</entry>
</vsys>
</entry>
</devices>
</config>