
config {
  shared {
    application;
    application-group;
    service;
    service-group;
    botnet {
      configuration {
        http {
          dynamic-dns {
            enabled yes;
            threshold 5;
          }
          malware-sites {
            enabled yes;
            threshold 5;
          }
          recent-domains {
            enabled yes;
            threshold 5;
          }
          ip-domains {
            enabled yes;
            threshold 10;
          }
          executables-from-unknown-sites {
            enabled yes;
            threshold 5;
          }
        }
        other-applications {
          irc yes;
        }
        unknown-applications {
          unknown-tcp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
          unknown-udp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
        }
      }
      report {
        topn 100;
        scheduled yes;
      }
    }
  }
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet {
            ethernet1/1 {
              layer3 {
                units {
                  ethernet1/1.108 {
                    tag 108;
                    ip {
                      10.115.7.24;
                    }
                  }
                  ethernet1/1.107 {
                    tag 107;
                    ip {
                      10.115.7.26;
                    }
                  }
                  ethernet1/1.109 {
                    tag 109;
                    ip {
                      10.115.7.28;
                    }
                  }
                  ethernet1/1.110 {
                    tag 110;
                    ip {
                      10.115.7.30;
                    }
                  }
                  ethernet1/1.103 {
                    tag 103;
                    ip {
                      10.115.7.32;
                    }
                  }
                  ethernet1/1.111 {
                    tag 111;
                    ip {
                      10.115.7.34;
                    }
                  }
                  ethernet1/1.105 {
                    tag 105;
                    ip {
                      10.115.7.36;
                    }
                  }
                  ethernet1/1.208 {
                    tag 208;
                    ip {
                      10.115.7.101;
                    }
                  }
                }
                lldp {
                  profile lldp-01;
                  enable yes;
                }
              }
            }
            ethernet1/2 {
              layer3 {
                units {
                  ethernet1/2.108 {
                    tag 108;
                    ip {
                      10.115.7.39;
                    }
                  }
                  ethernet1/2.107 {
                    tag 107;
                    ip {
                      10.115.7.41;
                    }
                  }
                  ethernet1/2.103 {
                    tag 103;
                    ip {
                      10.115.7.47;
                    }
                  }
                  ethernet1/2.111 {
                    tag 111;
                    ip {
                      10.115.7.49;
                    }
                  }
                  ethernet1/2.105 {
                    tag 105;
                    ip {
                      10.115.7.51;
                    }
                  }
                  ethernet1/2.110 {
                    tag 110;
                    ip {
                      10.115.7.45;
                    }
                  }
                  ethernet1/2.109 {
                    tag 109;
                    ip {
                      10.115.7.43;
                    }
                  }
                  ethernet1/2.208 {
                    tag 208;
                    ip {
                      10.115.7.103;
                    }
                  }
                }
                lldp {
                  profile lldp-01;
                  enable yes;
                }
              }
            }
          }
        }
        profiles {
          monitor-profile {
            default {
              interval 3;
              threshold 5;
              action wait-recover;
            }
          }
          lldp-profile {
            lldp-01 {
              mode transmit-receive;
              option-tlvs {
                system-name yes;
                system-description yes;
                port-description yes;
                system-capabilities yes;
                management-address {
                  enabled yes;
                }
              }
            }
          }
        }
        ike {
          crypto-profiles {
            ike-crypto-profiles {
              default {
                encryption [ aes-128-cbc 3des];
                hash sha1;
                dh-group group2;
                lifetime {
                  hours 8;
                }
              }
              Suite-B-GCM-128 {
                encryption aes-128-cbc;
                hash sha256;
                dh-group group19;
                lifetime {
                  hours 8;
                }
              }
              Suite-B-GCM-256 {
                encryption aes-256-cbc;
                hash sha384;
                dh-group group20;
                lifetime {
                  hours 8;
                }
              }
            }
            ipsec-crypto-profiles {
              default {
                esp {
                  encryption [ aes-128-cbc 3des];
                  authentication sha1;
                }
                dh-group group2;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-128 {
                esp {
                  encryption aes-128-gcm;
                  authentication none;
                }
                dh-group group19;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-256 {
                esp {
                  encryption aes-256-gcm;
                  authentication none;
                }
                dh-group group20;
                lifetime {
                  hours 1;
                }
              }
            }
            global-protect-app-crypto-profiles {
              default {
                encryption aes-128-cbc;
                authentication sha1;
              }
            }
          }
        }
        qos {
          profile {
            default {
              class {
                class1 {
                  priority real-time;
                }
                class2 {
                  priority high;
                }
                class3 {
                  priority high;
                }
                class4 {
                  priority medium;
                }
                class5 {
                  priority medium;
                }
                class6 {
                  priority low;
                }
                class7 {
                  priority low;
                }
                class8 {
                  priority low;
                }
              }
            }
          }
        }
        virtual-router {
          INTERNET-VRFS {
            protocol {
              bgp {
                enable no;
                dampening-profile {
                  default {
                    cutoff 1.25;
                    reuse 0.5;
                    max-hold-time 900;
                    decay-half-life-reachable 300;
                    decay-half-life-unreachable 900;
                    enable yes;
                  }
                }
              }
              ospf {
                router-id 10.100.99.9;
                enable yes;
                area {
                  0.0.0.0 {
                    type {
                      normal;
                    }
                    interface {
                      ethernet1/1.107;
                      ethernet1/1.108;
                      ethernet1/2.107;
                      ethernet1/2.108;
                    }
                  }
                }
              }
            }
            interface [ ethernet1/1.107 ethernet1/1.108 ethernet1/2.107 ethernet1/2.108];
            ecmp {
              enable yes;
            }
          }
          OTHER-VRFS {
            interface [ ethernet1/1.103 ethernet1/1.105 ethernet1/1.109 ethernet1/1.110 ethernet1/1.111 ethernet1/2.103 ethernet1/2.105 ethernet1/2.109 ethernet1/2.111 ethernet1/2.110 ethernet1/1.208 ethernet1/2.208];
            protocol {
              ospf {
                router-id 10.100.98.9;
                enable yes;
                area {
                  0.0.0.0 {
                    type {
                      normal;
                    }
                    interface {
                      ethernet1/1.208;
                      ethernet1/2.208;
                      ethernet1/1.110;
                      ethernet1/2.110;
                      ethernet1/1.109;
                      ethernet1/2.109;
                      ethernet1/1.103;
                      ethernet1/2.103;
                      ethernet1/1.111;
                      ethernet1/2.111;
                      ethernet1/1.105;
                      ethernet1/2.105;
                    }
                  }
                }
              }
            }
            ecmp {
              enable yes;
            }
          }
        }
        lldp {
          enable yes;
        }
      }
      deviceconfig {
        system {
          ip-address 10.100.0.105;
          netmask 255.255.255.248;
          update-server updates.paloaltonetworks.com;
          update-schedule {
            threats {
              recurring {
                weekly {
                  day-of-week wednesday;
                  at 01:02;
                  action download-only;
                }
              }
            }
          }
          timezone US/Pacific;
          service {
            disable-telnet yes;
            disable-http yes;
          }
          type {
            static;
          }
          default-gateway 192.168.122.1;
          hostname PA-VM;
        }
        setting {
          config {
            rematch yes;
          }
          management {
            hostname-type-in-syslog FQDN;
            initcfg {
              type {
                static;
              }
              ip-address 192.168.122.4;
              netmask 255.255.255.0;
              default-gateway 192.168.122.1;
            }
          }
        }
      }
      vsys {
        vsys1 {
          application;
          application-group;
          zone {
            INTERNET-IN {
              network {
                layer3 [ ethernet1/1.108 ethernet1/2.108 ethernet1/1.208 ethernet1/2.208];
              }
            }
            INTERNET-OUT {
              network {
                layer3 [ ethernet1/1.107 ethernet1/2.107];
              }
            }
            ECOMM-2-PROD {
              network {
                layer3 [ ethernet1/1.109 ethernet1/2.109];
              }
            }
            ECOMM-2-QA {
              network {
                layer3 [ ethernet1/1.110 ethernet1/2.110];
              }
            }
            DEVZONE1 {
              network {
                layer3 [ ethernet1/1.103 ethernet1/2.103];
              }
            }
            CORP-EXTRANET1 {
              network {
                layer3 [ ethernet1/1.111 ethernet1/2.111];
              }
            }
            MGT-TOOLS {
              network {
                layer3 [ ethernet1/1.105 ethernet1/2.105];
              }
            }
          }
          service;
          service-group;
          schedule;
          rulebase {
            security {
              rules {
                to_AWS-default-deny {
                  rule-type interzone;
                  description "Deny all traffic (by default) from any zone to AWS";
                  source any;
                  from any;
                  to INTERNET-IN;
                  destination 10.5.0.0/16;
                  application any;
                  action deny;
                  service any;
                }              
                000_any-zone_to_any-zone {
                  rule-type interzone;
                  description "Allow all traffic between zones";
                  source any;
                  from any;
                  to any;
                  destination any;
                  application any;
                  service any;
                  action allow;
                }
              }
            }
          }
          address {
            10.115.7.24 {
              ip-netmask 10.115.7.24/31;
            }
            10.115.7.26 {
              ip-netmask 10.115.7.26/31;
            }
            10.115.7.28 {
              ip-netmask 10.115.7.28/31;
            }
            10.115.7.30 {
              ip-netmask 10.115.7.30/31;
            }
            10.115.7.32 {
              ip-netmask 10.115.7.32/31;
            }
            10.115.7.34 {
              ip-netmask 10.115.7.34/31;
            }
            10.115.7.36 {
              ip-netmask 10.115.7.36/31;
            }
            10.115.7.47 {
              ip-netmask 10.115.7.47/31;
            }
            10.115.7.51 {
              ip-netmask 10.115.7.51/31;
            }
            10.115.7.41 {
              ip-netmask 10.115.7.41/31;
            }
            10.115.7.39 {
              ip-netmask 10.115.7.39/31;
            }
            10.115.7.43 {
              ip-netmask 10.115.7.43/31;
            }
            10.115.7.45 {
              ip-netmask 10.115.7.45/31;
            }
            10.115.7.49 {
              ip-netmask 10.115.7.49/31;
            }
            10.115.7.53 {
              ip-netmask 10.115.7.53/31;
            }
            10.115.7.101 {
              ip-netmask 10.115.7.101/31;
            }
            10.115.7.103 {
              ip-netmask 10.115.7.103/31;
            }
          }
        }
      }
    }
  }
}


