172 DC PDF

Nipper Studio
Audit Report
Wednesday 12th February 2014
Summary
Nipper Studio performed an audit on Wednesday 12th February 2014 of the netw ork device detailed in the scope. The audit consisted
of the follow ing components:
a best practice security audit (Part 2);
a Defence Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) compliance report (Part 3);
a SysAdmin Audit Netw ork Security (SANS) policy compliance report (Part 4);
a configuration review (Part 5).
Scope
The scope of this audit w as limited to the device detailed in Table 1.
Device Name OS
Fortinet FortiGate Firew all FG100D DC-PERIMETER1 FortiOS 5.02-FW -build718-160328
Table 1: Audit device scope
Security Audit Summary

Nipper Studio performed a security audit of the one device detailed in the scope and identified 16 security-related issues. Although
significant issues w ere identified that Nipper Studio recommends should be review ed as soon as is practical, most of the security
issues w ere rated as low or informational. Each of the issues identified are described in greater detail in the main body of this report.
Nipper Studio identified a number of clear-text protocol related issues. It is important that all clear-text protocol services should be
replaced w ith cryptographically secure alternatives in order to help prevent unauthorized eavesdropping of potentially sensitive data.
Furthermore the clear-text services are often used for administration purposes and a malicious user, or attacker, w ho is able to
monitor the communications may also gain access to authentication credentials that could then lead them to gain administrative access
to the system.
Nipper Studio can draw the follow ing statistics from the results of this security assessment. 1 issue (6%) w as rated as high, 4 issues
(25%) w ere rated as medium, 5 issues (31%) w ere rated as low and 6 issues (38%) w ere rated as informational.
DISA STIG Summary

Nipper Studio performed one DISA STIG compliance audit. Table 2 summarizes the findings.
Name STIG Version I I I II II II III III III

Pass Fail Man Pass Fail Man Pass Fail Man
DC- Firew all Security Technical 8 Release 14 Benchmark Date 5 1 5 11 3 34 1 2 13
PERIMETER1 Implementation Guide 26 Apr 2013
Table 2: DISA STIG device compliance summary
SANS Summary
Nipper Studio audited DC-PERIMETER1 against the follow ing tw o SANS policies:
Router policy (April 18th 2007);
Information systems audit logging policy (2007).
Nipper Studio can conclude the follow ing statistics from the audit (percentages have been rounded); seven checks passed (18%), tw o
checks failed (5%), 29 checks require a manual assessment (76%).
Contents
1 Y our Report
1.1 Introduction
1.2 Evaluation Use Only
1.3 Report Conventions
1.4 Compliance Check Results
1.5 Netw ork Filtering Actions
2 Security Audit
2.1 Introduction
2.2 Rules Allow Access To Administrative Services
2.3 Rules Allow Access To Clear-Text Protocol Services
2.4 Filter Rules Allow Packets To Any Destination And Any Port
2.5 Rules Allow Access To Potentially Unnecessary Services
2.6 Rules Allow Access To Potentially Sensitive Services
2.7 Clear-Text Simple Netw ork Management Protocol (SNMP) In Use
2.8 Filter Rules That Allow Any Protocol W ere Configured
2.9 W eak SNMP Community Strings W ere Configured
2.10 Filter Allow Rules W ere Configured W ithout Logging
2.11 Filter Drop Rules W ere Configured W ithout Logging
2.12 Proxy Address Resolution Protocol (ARP) W as Enabled
2.13 Filter Rule List Does Not End W ith Drop All And Log
2.14 Disabled Filter Rules W ere Configured
2.15 Unused Filter Objects W ere Configured
2.16 W eak Syslog Severity Level Configured
2.17 Internet Control Message Protocol (ICMP) Redirect Messages W ere Enabled
2.18 Conclusions
2.19 Recommendations
2.20 Mitigation Classification
3 DISA STIG Compliance

3.1 Introduction
3.2 DC-PERIMETER1 - Firew all Security Technical Implementation Guide
3.3 Conclusions
3.4 Recommendations
4 SANS Policy Compliance
4.1 DC-PERIMETER1 SANS Policy Compliance Audit

5 Configuration Report
5.1 Introduction
5.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Configuration Report
5.2.1 Basic Information
5.2.2 Netw ork Services
5.2.3 Authentication
5.2.4 Administration
5.2.5 Logon Banner Message
5.2.6 SNMP Settings
5.2.7 Message Logging
5.2.8 Name Resolution Settings
5.2.9 Netw ork Protocols
5.2.10 Netw ork Interfaces
5.2.11 Routing Configuration
5.2.12 Netw ork Filtering
5.2.13 Time And Date
6 Raw Configuration
6.1 Introduction
6.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Raw Configuration
7 Appendix
7.1 Logging Severity Levels
7.2 Common Time Zones
7.3 Internet Protocol (IP) Protocols
7.4 ICMP Types
7.5 Abbreviations
7.6 Nipper Studio Version
Index Of Diagrams
Diagram 1. Severity Classification

Diagram 2. Issue Classification
Diagram 3. STIG CAT I Findings
Diagram 4. STIG CAT II Findings
Diagram 5. DC-PERIMETER1 SANS Findings
Diagram 6. Severity Classification
Diagram 7. Issue Classification
Diagram 8. Issue Mitigation Classification
Diagram 9. STIG CAT I Findings
Diagram 10. STIG CAT II Findings
Diagram 11. DC-PERIMETER1 SANS Findings
Index Of Tables
Table 1. Audit device scope

Table 2. DISA STIG device compliance summary
1 Y our Report

Table 3. Report text conventions
Table 4. STIG check status definitions
1.5 Netw ork Filtering Actions
Table 5. Netw ork filter rule actions
2 Security Audit
2.1 Introduction
Table 6. Security audit device list
Table 7. The impact rating
Table 8. The ease rating
Table 9. The fix rating
2.2 Rules Allow Access To Administrative Services

Table 10. Firew all Policy from DC-Admin to w an1 administrative service rules on DC-PERIMETER1
Table 11. Firew all Policy from CheckPoint-FW to w an1 administrative service rule on DC-PERIMETER1
Table 12. Firew all Policy from HO-USERS to w an1 administrative service rules on DC-PERIMETER1
2.3 Rules Allow Access To Clear-Text Protocol Services

Table 13. Firew all Policy from DC-Admin to w an1 clear-text protocol rules on DC-PERIMETER1
Table 14. Firew all Policy from CheckPoint-FW to w an1 clear-text protocol rule on DC-PERIMETER1
Table 15. Firew all Policy from HO-USERS to w an1 clear-text protocol rules on DC-PERIMETER1
2.4 Filter Rules Allow Packets To Any Destination And Any Port
Table 16. Firew all Policy from DC-Admin to w an1 rules allow ing packets to any destination and any port on DC-PERIMETER1
Table 17. Firew all Policy from CheckPoint-FW to w an1 rules allow ing packets to any destination and any port on DC-
PERIMETER1
Table 18. Firew all Policy from HO-USERS to w an1 rules allow ing packets to any destination and any port on DC-PERIMETER1
2.5 Rules Allow Access To Potentially Unnecessary Services

Table 19. Firew all Policy from DC-Admin to w an1 unnecessary service rules on DC-PERIMETER1
Table 20. Firew all Policy from CheckPoint-FW to w an1 unnecessary service rule on DC-PERIMETER1
Table 21. Firew all Policy from HO-USERS to w an1 unnecessary service rules on DC-PERIMETER1
2.6 Rules Allow Access To Potentially Sensitive Services
Table 22. Firew all Policy from DC-Admin to w an1 sensitive service rules on DC-PERIMETER1
Table 23. Firew all Policy from CheckPoint-FW to w an1 sensitive service rule on DC-PERIMETER1
Table 24. Firew all Policy from HO-USERS to w an1 sensitive service rules on DC-PERIMETER1
2.8 Filter Rules That Allow Any Protocol W ere Configured

Table 25. Firew all Policy from DC-Admin to w an1 any protocol rules on DC-PERIMETER1
Table 26. Firew all Policy from CheckPoint-FW to w an1 any protocol rule on DC-PERIMETER1
Table 27. Firew all Policy from HO-USERS to w an1 any protocol rules on DC-PERIMETER1
2.9 W eak SNMP Community Strings W ere Configured

Table 28. W eak SNMP community string on DC-PERIMETER1
2.10 Filter Allow Rules W ere Configured W ithout Logging
Table 29. Firew all Policy from DC-Admin to w an1 rules not logging allow ed netw ork traffic on DC-PERIMETER1
Table 30. Firew all Policy from CheckPoint-FW to w an1 rule not logging allow ed netw ork traffic on DC-PERIMETER1
Table 31. Firew all Policy from HO-USERS to w an1 rules not logging allow ed netw ork traffic on DC-PERIMETER1
2.11 Filter Drop Rules W ere Configured W ithout Logging

Table 32. Firew all Policy from lan to w an1 rule not logging dropped netw ork traffic on DC-PERIMETER1
2.12 Proxy ARP W as Enabled

Table 33. Netw ork interfaces on DC-PERIMETER1 w ith Proxy ARP enabled
2.14 Disabled Filter Rules W ere Configured
Table 34. Firew all Policy from DC-Admin to w an1 disabled rule on DC-PERIMETER1
Table 35. Firew all Policy from CheckPoint-FW to w an1 disabled rule on DC-PERIMETER1
Table 36. Firew all Policy from HO-USERS to w an1 disabled rule on DC-PERIMETER1
Table 37. Firew all Policy from RTGS to CheckPoint-FW disabled rule on DC-PERIMETER1
Table 38. Firew all Policy from RTGS to w an1 disabled rule on DC-PERIMETER1
2.15 Unused Filter Objects W ere Configured
Table 39. Custom netw ork addresses unused objects on DC-PERIMETER1
Table 40. Custom IPv6 netw ork addresses unused objects on DC-PERIMETER1
Table 41. Custom service list unused objects on DC-PERIMETER1
2.17 ICMP Redirect Messages W ere Enabled

Table 42. Netw ork interfaces on DC-PERIMETER1 w ith ICMP Redirects enabled
2.18 Conclusions
Table 43. Security audit device conclusions
Table 44. Security audit recommendations list

Table 45. The mitigation classification
3.1 Introduction
Table 46. STIG device audit check list
Table 47. Vulnerability Severity Code Definitions
3.2 DC-PERIMETER1 - Firew all Security Technical Implementation Guide

Table 48. DC-PERIMETER1 - Firew all Security Technical Implementation Guide audit summary
Table 49. Firew all Policy from lan to w an1 deny rules.
Table 50. Firew all Policy from HO-USERS to CheckPoint-FW deny rules.
Table 51. Local users
Table 52. SNMP community configuration
Table 53. Users
Table 54. Users
Table 55. Users
Table 56. Users
Table 57. Management Services
Table 58. Device information
Table 59. Users
Table 60. Device information
3.3 Conclusions
Table 61. DISA STIG device compliance summary
3.4 Recommendations
Table 62. DISA STIG recommendations

Table 63. DC-PERIMETER1 SANS router policy compliance
Table 64. DC-PERIMETER1 audit logging underlying requirements
Table 65. DC-PERIMETER1 audit logging activities
Table 66. DC-PERIMETER1 audit logging elements
Table 67. DC-PERIMETER1 audit logging storage
5.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Configuration Report

Table 68. Basic information
Table 69. Netw ork services
Table 70. Users
Table 71. General administration settings
Table 72. Telnet service settings
Table 73. SSH service settings
Table 74. W eb-based administration service settings
Table 75. SNMP settings
Table 76. SNMP community configuration
Table 77. SNMP trap hosts
Table 78. SNMP notifications
Table 79. Syslog logging configuration
Table 80. Syslog hosts
Table 81. W eb Trends logging configuration
Table 82. FortiAnalyzer logging configuration
Table 83. Memory logging configuration
Table 84. DNS client configuration
Table 85. DNS servers
Table 86. IPv4 addresses
Table 87. IPv4 ICMP Options
Table 87. IPv4 ICMP Options
Table 88. Ethernet interfaces
Table 89. Tunnel interfaces
Table 90. Static netw ork routes
Table 91. Firew all Policy from DC-Admin to w an1
Table 92. Firew all Policy from lan to w an1
Table 93. Firew all Policy from DC-Router to CheckPoint-FW
Table 94. Firew all Policy from DC-Admin to CheckPoint-FW
Table 95. Firew all Policy from HO-USERS to CheckPoint-FW
Table 96. Firew all Policy from CheckPoint-FW to DC-Router
Table 97. Firew all Policy from DC-Admin to DC-Router
Table 98. Firew all Policy from DC-Router to ATM
Table 99. Firew all Policy from ATM to CheckPoint-FW
Table 100. Firew all Policy from ATM to DC-Router
Table 101. Firew all Policy from CheckPoint-FW to w an1
Table 102. Firew all Policy from HO-USERS to w an1
Table 103. Firew all Policy from HO-USERS to ATM
Table 104. Firew all Policy from ATM to HO-USERS
Table 105. Firew all Policy from CheckPoint-FW to RTGS
Table 106. Firew all Policy from DC-Admin to RTGS
Table 107. Firew all Policy from HO-USERS to RTGS
Table 108. Firew all Policy from RTGS to CheckPoint-FW
Table 109. Firew all Policy from RTGS to HO-USERS
Table 110. Firew all Policy from CheckPoint-FW to DC-Admin
Table 111. Firew all Policy from CheckPoint-FW to ATM
Table 112. Firew all Policy from DC-Admin to HO-USERS
Table 113. Firew all Policy from HO-USERS to DC-Router
Table 114. Firew all Policy from DC-Router to HO-USERS
Table 115. Firew all Policy from CheckPoint-FW to HO-USERS
Table 116. Firew all Policy from CheckPoint-FW to CheckPoint-FW
Table 117. Firew all Policy from port10 to CheckPoint-FW
Table 118. Firew all Policy from port10 to ATM
Table 119. Firew all Policy from ATM to port10
Table 120. Firew all Policy from CheckPoint-FW to port10
Table 121. Firew all Policy from port6 to CheckPoint-FW
Table 122. Firew all Policy from CheckPoint-FW to port6
Table 123. Firew all Policy from DC-Admin to ATM
Table 124. Firew all Policy from HO-USERS to port6
Table 125. Firew all Policy from port6 to HO-USERS
Table 126. Firew all Policy from w an1 to DC-Admin
Table 127. Firew all Policy from DC-Admin to port6
Table 128. Firew all Policy from RTGS to w an1
Table 129. Firew all Policy from port6 to ATM
Table 130. Firew all Policy from ATM to port6
Table 131. Firew all Policy from DC-Admin to port10
Table 132. Firew all Policy from port10 to DC-Admin
Table 133. Firew all Policy from DC-Router to w an1
Table 134. Firew all Policy from DC-Router to port6
Table 135. Custom netw ork addresses
Table 136. Custom IPv6 netw ork addresses
Table 137. BRANCHES-Group-1 address group
Table 138. Branches-Group-2 address group
Table 141. BranchesGroup-5 address group
Table 142. ATM-1 address group
Table 144. APP-SERVERS address group
Table 145. DOMAIN address group
Table 146. DATABASE address group
Table 147. OLD-DOMAIN address group
Table 148. Routers-GR1 address group
Table 153. RGCS address group
Table 154. RBI-RTGS address group
Table 155. DC-ADMIN-INTERNET-USERS address group
Table 158. DR-APPSERVERS address group
Table 159. DR-DOMAINS address group
Table 160. DR-DATABASESERVERS address group
Table 161. BRANCH-GROUP-6 address group
Table 162. Datacenter-Laptops address group
Table 163. OFFSITE ATM address group
Table 164. BRANCH-DVR address group
Table 165. BBPS_Clients address group
Table 166. Custom service list
Table 167. Email Access service group
Table 168. W eb Access service group
Table 169. W indow s AD service group
Table 170. Exchange Server service group
Table 171. APP-Services service group
Table 172. AntivirusServices service group
Table 173. Domain-Services service group
Table 174. DATABASE-SERVICES service group
Table 175. BRANCH-ATMS-TO-SW ITCH-1 service group
Table 176. RBI-SERVICES service group
Table 177. APBS service group
Table 178. BRANCH-ATMS-TO-SW ITCH-2 service group
Table 179. IT-Audit service group
Table 180. General Time Settings
Table 181. NTP client settings
Table 182. NTP client time sources
Table 182. NTP client time sources
6 Raw Configuration
6.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Raw Configuration

Table 183. Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Configuration Hashes
7 Appendix
Table 184. Logging message severity levels

Table 185. Common time zones
7.3 IP Protocols
Table 186. IP Protocols
7.4 ICMP Types

Table 187. ICMP Types
7.5 Abbreviations
Table 188. Abbreviations
1 Your Report
1.1 Introduction
This report w as produced by Nipper Studio on W ednesday 12th February 2014. This report is comprised of the follow ing sections:
a security audit section w hich details any identified security-related issues. Each security issue identified includes details of w hat
w as found together w ith the impact of the issue, how easy it w ould be for an attacker to exploit and a recommendation. The
recommendations may include alternatives and, w here relevant, the commands to resolve the issue;
a DISA STIG report section that provides compliance information against specific checklists. The report includes a summary of the
findings, detailed findings and recommendations on remedial action together w ith references and severity information;
a SANS policy report section that provides compliance information against specific policy checklists. The report includes a
summary of the findings and details of each check requirement;
a configuration report w hich details the configuration settings of all the audited devices in an easy to read format. The
configuration settings are divided in to report sub-sections w hich group related settings together and provide additional
information about their purpose;
a raw configuration report details the raw configuration of devices w ithout providing any interpretation. How ever, some devices
w hich have extensive or specially encoded configurations w ill be excluded from inclusion in this report.
1.2 Evaluation Use Only
The version of Nipper Studio used to generate this report w as licensed for evaluation purposes only. For more information on licensing
options you can contact Titania or one of our partners to discuss your requirements.
This report makes use of the text conventions detailed in Table 3.
Convention Description
command This text style represents a device command that should be entered literally.
user data This style of text represents a part of a device command that you should substitute w ith a relevant value. For example,
a command that sets a devices IP address w ould use this text style in a position w here the address should be entered.
[ ] These are used to enclose a part of a command that should be treated as optional.
{ } These are used to enclose a part of a command that is required.
| This is used to divide options w hich could be enclosed in either required or optional braces.
Table 3: Report text conventions
Each compliance audit check is given a status that indicates the outcome of the audit for that check. Table 4 details each of the posible
status types.
Status Description
The check passed all the requirements. For example, the Telnet service should be disabled and it w as.
The check failed to meet some or all of the requirements. For example, the check may specify that support for only SSH
protocol version 2 must be configured and version 1 w as allow ed.
protocol version 2 must be configured and version 1 w as allow ed.
The check requires a manual assessment. For example, the check may require the auditor to determine if cables are
physically attached to specific ports on a sw itch.
Table 4: STIG check status definitions
1.5 Network Filtering Actions
This report includes a number of netw ork filter rules. Table 5 describes the filter rule actions used w ithin the report.
Action Description
Allow the netw ork traffic, enabling it to pass through to its destination.
Drop the netw ork traffic, preventing it from reaching its destination and not informing the sender that it has been dropped.
Table 5: Network filter rule actions
2 Security Audit
2.1 Introduction
Nipper Studio performed a security audit on W ednesday 12th February 2014 of the device detailed in Table 6.
Device Name OS
Fortinet FortiGate Firew all FG100D DC-PERIMETER1 FortiOS 5.02-FW -build718-160328
Table 6: Security audit device list
2.1.1 Security Issue Overview

Each security issue identified by Nipper Studio is described w ith a finding, the impact of the issue, how easy it w ould be for an
attacker to exploit the issue and a recommendation.
Issue Finding
The issue finding describes w hat Nipper Studio identified during the security audit. Typically the finding w ill include background
information on w hat particular configuration settings are prior to describing w hat w as found.
Issue Impact
The issue impact describes w hat an attacker could achieve from exploiting the security audit finding. How ever, it is w orth noting
that the impact of an issue can often influenced by other configuration settings w hich could heighten or partially mitigate the issue.
For example, a w eak passw ord could be partially mitigated if the access gained from using it is restricted in some w ay.
Issue Ease
The issue ease describes the know ledge, skill, level of access and time scales that w ould be required by an attacker in order to
exploit an issue. The issue ease w ill describe, w here relevant, if any Open Source or commercially available tools could be used to
exploit an issue.
Issue Recommendation
Each issue includes a recommendation section w hich describes the steps that Nipper Studio recommends should be taken in order
to mitigate the issue. The recommendation includes, w here relevant, the commands that can be used to resolve the issue.
2.1.2 Rating System Overview

Each issue identified in the security audit is rated against both the impact of the issue and how easy it w ould be for an attacker to
exploit it. The fix rating provides a guide to the effort required to resolve the issue. The overall rating for the issue is calculated
based on the issues impact and ease ratings.
Impact Rating
An issues impact rating is determined using the criteria outlined in Table 7.
Rating Description
CRITICAL These issues can pose a very significant security threat. The issues that have a critical impact are typically those that
w ould allow an attacker to gain full administrative access to the device. For a firew all device, allow ing all traffic to pass
through the device unfiltered w ould receive this rating as filtering traffic to protect other devices is the primary purpose of
a firew all.
HIGH These issues pose a significant threat to security, but have some limitations on the extent to w hich they can be abused.
User level access to a device and a DoS vulnerability in a critical service w ould fall into this category. A firew all device that
User level access to a device and a DoS vulnerability in a critical service w ould fall into this category. A firew all device that
allow ed significant unfiltered access, such as allow ing entire subnets through or not filtering in all directions, w ould fall
into this category. A router that allow s significant modification of its routing configuration w ould also fall into this category.
MEDIUM These issues have significant limitations on the direct impact they can cause. Typically these issues w ould include
significant information leakage issues, less significant DoS issues or those that provide significantly limited access. A SNMP
service that is secured w ith a default or a dictionary-based community string w ould typically fall into this rating, as w ould
a firew all that allow s unfiltered access to a range of services on a device.
LOW These issues represent a low level security threat. A typical issue w ould involve information leakage that could be useful
to an attacker, such as a list of users or version details. A non-firew all device that w as configured w ith w eak netw ork
filtering w ould fall into this category.
INFO These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary
services or legacy protocols that provide no real threat to security.
Table 7: The impact rating
Ease Rating
An issues ease rating is determined using the criteria outlined in Table 8.
Rating Description
TRIVIAL The issue requires little-to-no know ledge on behalf of an attacker and can be exploited using standard operating
system tools. A firew all device w hich had a netw ork filtering configuration that enables traffic to pass through w ould fall
into this category.
EASY The issue requires some know ledge for an attacker to exploit, w hich could be performed using standard operating
system tools or tools dow nloaded from the Internet. An administrative service w ithout or w ith a default passw ord
w ould fall into this category, as w ould a simple softw are vulnerability exploit.
MODERATE The issue requires specific know ledge on behalf of an attacker. The issue could be exploited using a combination of
operating system tools or publicly available tools dow nloaded from the Internet.
CHALLENGE A security issue that falls into this category w ould require significant effort and know ledge on behalf of the attacker.
The attacker may require specific physical access to resources or to the netw ork infrastructure in order to successfully
exploit it. Furthermore, a combination of attacks may be required.
N/A The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services w ould fall into
this rating category.
Table 8: The ease rating
Fix Rating
An issues fix rating is determined using the criteria outlined in Table 9.
Rating Description
INVOLVED The resolution of the issue w ill require significant resources to resolve and is likely to include disruption to netw ork
services, and possibly the modification of other netw ork device configurations. The issue could involve upgrading a
devices OS and possible modifications to the hardw are.
PLANNED The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve
changes to routing protocols and changes to netw ork filtering.
QUICK The issue is quick to resolve. Typically this w ould just involve changing a small number of settings and w ould have little-
to-no effect on netw ork services.
Table 9: The fix rating
Notes
It is w orth noting that Nipper Studio is unable to provide an accurate threat assessment due to a lack of contextual information. For
example, in the case w here highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat
than the integrity of the data or an attacker gaining access to it. Similarly, for a situation w here up-time is critical, a DoS vulnerability
could be more important than the leakage of sensitive information. Therefore the ratings provided by Nipper Studio are only
intended to be a guide to an issues significance.
2.2 Rules Allow Access T o Administrative Services
2.2.1 Finding
Overall: HIGH
Administrative netw ork services are essential to enable netw ork administrators to remotely configure,
update, modify and monitor the systems. Typically these services fall in to tw o groups: Impact: High
remote command, graphical or w eb-based environments that enable administrators to quickly configure Ease: Easy
and manage devices; Fix: Planned
informational services w hich either provide alerts, notifications and may also enable the modification of
settings using specialist softw are.
Nipper Studio identified five filter rules on DC-PERIMETER1 that allow access to administrative netw ork services. Those filter rules
are listed below .
Rule Active Action Source Destination Service Log

203 Yes PRASANNA Any Any No
VMW ARE-CLIENT
Vinod Raut
162 Yes Prasanna Rathod Any Any No
VAIBHAV
MORESIR
MORESIR
Table 10: Firewall Policy from DC-Admin to wan1 administrative service rules on DC-PERIMETER1

23 Yes Antivirus-Server Any Any No
Table 11: Firewall Policy from CheckPoint-FW to wan1 administrative service rule on DC-PERIMETER1

31 Yes AAN Any Any No
HO-INTERNET-USERS-ACC-SECTION
HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
198 Yes VaidyaSir Any Any No
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 12: Firewall Policy from HO-USERS to wan1 administrative service rules on DC-PERIMETER1
2.2.2 Impact
The administrative services by their nature enable the remote configuration of a device and access to a w ealth of sensitive
configuration information. These services are likely to be a prime target for an attacker w ho may attempt to gain access by
exploiting a vulnerability or attacking the authentication systems.
2.2.3 Ease
Access to the administrative netw ork services detailed in the finding w ould not be prevented by the netw ork filter rules if any
netw ork traffic w ere to match the rule.
2.2.4 Recommendation
Nipper Studio recommends that netw ork filter rules should only be configured to allow access to administrative netw ork services
from those w ho are authorized.
Nipper Studio recommends that:
filter rules should only allow access to specific destination addresses;
filter rules should only allow access to specific destination netw ork ports;
filter rules should only allow access from specific source addresses;
filter rules should specify a specific netw ork protocol;
ICMP filter rules should specify a specific message type;
filter rules should alw ays drop netw ork packets and not reject them;
filter rules should perform a specific action and not rely on a default action.
2.3 Rules Allow Access T o Clear-T ext Protocol Services
2.3.1 Finding
Overall: MEDIUM
Clear-text protocol services are those netw ork services that provide no encryption of the netw ork traffic
betw een the service and a connected client. W hilst some clear-text protocol services are relatively simple Impact: Critical
and be of little of interest to an attacker, others may be used for the remote administration of the device
and transfer their authentication credentials w ith no encryption. Ease: Moderate
Fix: Planned
Nipper Studio identified five filter rules on DC-PERIMETER1 that allow access to clear-text protocol
services. Those filter rules are listed below .

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 13: Firewall Policy from DC-Admin to wan1 clear-text protocol rules on DC-PERIMETER1

Table 14: Firewall Policy from CheckPoint-FW to wan1 clear-text protocol rule on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 15: Firewall Policy from HO-USERS to wan1 clear-text protocol rules on DC-PERIMETER1
2.3.2 Impact
Due to a lack of encryption, an attacker w ho is able to monitor clear-text protocol service netw ork communications w ould gain
access to the information transmitted. The information could include the authentication credentials used to access the service or any
other information transferred. Furthermore, some of the services could be used for remote administration and once accessed could
be used to attack other devices on the netw ork, bypassing any configured netw ork filtering. Additionally, clear-text protocol services
are vulnerable to man in the middle style attacks.
2.3.3 Ease
Access to the netw ork services detailed in the finding w ould not be prevented by the netw ork filter rules if any netw ork traffic w ere
to match the rule.
Netw ork monitoring tools are available on the Internet and, depending on the operating system, may be installed by default. It is
w orth noting that an attacker may have to perform additional actions in order to be in a position w here the netw ork traffic can be
monitored. This could mean that an attacker w ould have to perform a layer-2 attack or exploit a w eakness in a routing protocol.
Nipper Studio recommends that, w here possible, netw ork filter rules should not allow access to clear-text protocol services.
2.4 Filter Rules Allow Packets T o Any Destination And Any Port
2.4.1 Finding
Overall: MEDIUM
Netw ork filtering rules can be configured on a w ide range of netw ork devices to restrict access, helping to
prevent unauthorized access to netw ork hosts and services. The filtering rules are processed sequentially Impact: Medium
w hen they are applied to netw ork packets, w ith the first rule that matches the netw ork packet being
applied. Ease: N/A
Fix: Planned
Nipper Studio identified five netw ork filter rules on DC-PERIMETER1 that allow s packets to any destination
and any port.

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 16: Firewall Policy from DC-Admin to wan1 rules allowing packets to any destination and any port on DC-PERIMETER1

Table 17: Firewall Policy from CheckPoint-FW to wan1 rules allowing packets to any destination and any port on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 18: Firewall Policy from HO-USERS to wan1 rules allowing packets to any destination and any port on DC-PERIMETER1
2.4.2 Impact
If netw ork filtering rules are not configured to restrict access to netw ork services from only those hosts that require the access then
unauthorized access may be gained to those services covered in this issues finding. For a netw ork edge device, this could lead to a
remote attacker gaining access to netw ork service. For an internal device this could lead a malicious user gaining unauthorized
access to a service.
2.4.3 Ease
The netw ork filtering w ould not prevent a malicious user or an attacker from accessing the netw ork services covered by the rules
detailed in this issues finding.
Nipper Studio recommends that, w here possible, all netw ork filtering rules should be configured to restrict access to netw ork
services from only those hosts that require the access. How ever, it is w orth noting that it may not be possible to achieve this in all
circumstances, such as w ith a public w eb server w here business requirements imply that any netw ork address should be permitted
to access the service.
Notes for Fortinet FortiGate Firewall FG100D devices:

Policy rules can be deleted on Fortinet FortiGate Firew all FG100D devices using the follow ing commands:
config firewall policy

delete rule-number
Address objects and object groups can be deleted on Fortinet FortiGate Firew all FG100D devices using the follow ing commands:
config firewall address

delete address-name
end
config firewall addrgrp
delete group-name
end
2.5 Rules Allow Access T o Potentially Unnecessary Services
2.5.1 Finding
Overall: MEDIUM
A number of different netw ork services provide little to no functionality and are installed by default on
some operating systems. Examples of these services are: Impact: Medium
echo - a netw ork service that responds w ith a copy of the data sent to it; Ease: Easy
qotd - a netw ork service that responds a random quote; Fix: Quick
discard - a netw ork service that simply ignores anything that is sent to it;
chargen - a netw ork service that returns w ith a repeating character sequence;
daytime - a netw ork service that returns the current system time and date.
Nipper Studio identified five filter rules on DC-PERIMETER1 that allow access to potentially unnecessary netw ork services. Those
filter rules are listed below .

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 19: Firewall Policy from DC-Admin to wan1 unnecessary service rules on DC-PERIMETER1

Table 20: Firewall Policy from CheckPoint-FW to wan1 unnecessary service rule on DC-PERIMETER1
Table 20: Firewall Policy from CheckPoint-FW to wan1 unnecessary service rule on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 21: Firewall Policy from HO-USERS to wan1 unnecessary service rules on DC-PERIMETER1
2.5.2 Impact
Although a number of these services may appear to be relatively harmless, serious issues may exist w ith their use and running
unnecessary services also places a burden on the host system. Furthermore, an attacker may be able to use a combination of some
netw ork services such as chargen and echo to perform a DoS attack.
2.5.3 Ease
Access to the potentially unnecessary netw ork services detailed in the finding w ould not be prevented by the netw ork filter rules if
any netw ork traffic w ere to match the rule.
Nipper Studio recommends that, w here possible, netw ork filter rules should be configured to prevent access to potentially
unnecessary services. Additionally, if the potentially unnecessary netw ork services are not required, Nipper Studio suggests that
they should be disabled.
2.6 Rules Allow Access T o Potentially Sensitive Services
2.6.1 Finding
Overall: MEDIUM
W hilst not strictly administrative services, a number of netw ork services can be classified as potentially
sensitive due to their nature. These netw ork services could be database services that enable applications Impact: Medium
to connect to and query data, authentication services or Microsoft W indow s file sharing services.
Ease: Easy
Nipper Studio identified five filter rules on DC-PERIMETER1 that allow access to potentially sensitive Fix: Quick
netw ork services. Those filter rules are listed below .

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 22: Firewall Policy from DC-Admin to wan1 sensitive service rules on DC-PERIMETER1

Table 23: Firewall Policy from CheckPoint-FW to wan1 sensitive service rule on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
CTS-PC
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 24: Firewall Policy from HO-USERS to wan1 sensitive service rules on DC-PERIMETER1
2.6.2 Impact
Although there may be a business requirement for access to be permitted to these services, such as access to W indow s file shares,
these services also offer a tempting target for an attacker. At w orst an attacker may be able to exploit configuration or softw are
vulnerabilities in these services in order to gain access to the service host and data. It is also typical for these services to provide
an attacker w ith a w ealth of information about the systems, such as enumerating users from a W indow s hosts or obtaining
softw are version details from database services.
2.6.3 Ease
Access to the potentially sensitive netw ork services detailed in the finding w ould not be prevented by the netw ork filter rules if any
netw ork traffic w ere to match the rule.
Nipper Studio recommends that access to potentially sensitive services should be restricted to only those w ho are authorized.
2.7 Clear-T ext SNMP In Use
2.7.1 Finding
Overall: LOW
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services
typically offer detailed information that includes the devices operating system, netw ork interfaces, memory, Impact: Medium
system counters and system users. W ith w rite access to SNMP it can be possible to re-configure netw orking,
system properties and even shutdow n a device. Ease: Easy
Fix: Planned
There are multiple versions of SNMP and versions prior to version 3 offer no encryption of either the
authentication or data netw ork traffic.
Nipper Studio determined that the clear-text SNMP versions w ere enabled on DC-PERIMETER1.
2.7.2 Impact
An attacker or malicious user w ho can monitor the unencrypted SNMP netw ork traffic w ould capture the SNMP community string
used to authenticate access to the SNMP agent service. Additionally they w ould gain all the information transferred using the
unencrypted connection.
2.7.3 Ease
Netw ork packet capture tools can be dow nloaded from the Internet that can allow an attacker to monitor the netw ork traffic. In a
modern netw ork environment, sw itches are typically deployed to connect the netw ork infrastructure devices rather than hubs. W ith
netw ork sw itch devices, the attacker should only be able to see broadcast netw ork traffic or traffic sent directly to or from the
attacker's host. How ever, a skilled attacker could bypass this restriction by performing an attack such as ARP spoofing or exploiting
a vulnerability w ith the netw ork routing. Tools for bypassing a netw ork sw itching environment's restrictions can be dow nloaded
from the Internet.
Nipper Studio recommends that, if not required, SNMP should be disabled. How ever if SNMP access is required, Nipper Studio
recommends that only SNMP version 3 should be configured w ith strong authentication and privacy passw ords.
2.8 Filter Rules T hat Allow Any Protocol Were Configured
2.8.1 Finding
Overall: LOW
Netw ork filtering rules are typically configured to enable hosts to access a specific netw ork service or services.
Therefore a netw ork filter rule w hich enables access to a secure w eb service could be configured to access a Impact: Low
specific destination host on Transmission Control Protocol (TCP) port 443. How ever it is also possible to
configure the filter rule to allow access using any protocol w hich, for the previous example, w ould enable Ease: N/A
access to port 443 using both TCP and User Datagram Protocol (UDP). Fix: Planned
Nipper Studio identified five filter rules on DC-PERIMETER1 that allow any protocol. Those filter rules are listed
below .

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 25: Firewall Policy from DC-Admin to wan1 any protocol rules on DC-PERIMETER1

Table 26: Firewall Policy from CheckPoint-FW to wan1 any protocol rule on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 27: Firewall Policy from HO-USERS to wan1 any protocol rules on DC-PERIMETER1
2.8.2 Impact
If a netw ork protocol is not specified then it an attacker w ould not be prevented from accessing hosts and services detailed in the
finding using protocols other than those w hich the services are listening on. This could enable an attacker to gain unauthorized
access to a netw ork service or leave unfiltered netw ork ports w hich an attacker could utilize in a targeted attack.
2.8.3 Ease
W ith no specific netw ork protocol configured on the netw ork filtering rules identified, access attempts using a netw ork protocol
other than the one that w as intended w ould not be prevented by the filtering.
Nipper Studio recommends that all netw ork filter rules should be configured to use only the specific protocols required.
2.9 Weak SNMP Community Strings Were Configured
2.9.1 Finding
Overall: LOW
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services
typically offer detailed information that includes the devices operating system, netw ork interfaces, memory, Impact: Medium
system counters and system users. Access to the SNMP Management Information Base (MIB) w ith protocol
versions 1 and 2 is restricted using a community string to help prevent unauthorized access. Ease: Moderate
Fix: Quick
Nipper Studio identified the one w eak SNMP community string on DC-PERIMETER1 that is listed below .
Community Access Version Weakness

adccb Read Only 1 and 2c Too short
Table 28: Weak SNMP community string on DC-PERIMETER1
2.9.2 Impact
W ith read access to the SNMP MIB an attacker w ould be able to enumerate a large quantity of information about the device, its
configuration, netw ork details and more. The attacker could then use this information as part of a targeted attack.
2.9.3 Ease
An attacker w ill typically attempt to gain access to an SNMP service by guessing the community string used to restrict access. This
usually means that testing for "public" and "private" are attempted first as these are the most common community strings. If simple
community string guessing does not succeed then it w ould be trivial for an attacker to perform a dictionary-based and brute-force
attack. There are a number of tools available that an attacker could use for this and they do not require any advanced skills on
behalf of the attacker.
behalf of the attacker.
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required then Nipper Studio recommends that
only SNMP version 3 should be configured. If access using SNMP community strings is required, Nipper Studio recommends that only
strong community strings should be chosen that are also not used for any other authentication.
SNMP community strings should be at least eight characters in length;
characters in the SNMP community string should not be repeated more than three times;
SNMP community strings should include both uppercase and low ercase characters;
SNMP community strings should include numbers;
SNMP community strings should include punctuation characters;
SNMP community strings should not include the devices name, make or model;
SNMP community strings should not be based on dictionary w ords.
2.10 Filter Allow Rules Were Configured Without Logging
2.10.1 Finding
Overall: LOW
Netw ork filter rules can be configured to log an access attempt w hen netw ork traffic matches a specific filter
rule. The netw ork filter rule logging facility helps netw ork administrators to diagnose issues, determine a rules Impact: Low
usage and provide an audit trail for netw ork traffic accessing specific hosts and services.
Ease: N/A
Nipper Studio identified five filter rules on DC-PERIMETER1 that do not log allow ed netw ork traffic. Those filter Fix: Quick
rules are listed below .

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
Table 29: Firewall Policy from DC-Admin to wan1 rules not logging allowed network traffic on DC-PERIMETER1

Table 30: Firewall Policy from CheckPoint-FW to wan1 rule not logging allowed network traffic on DC-PERIMETER1

HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 31: Firewall Policy from HO-USERS to wan1 rules not logging allowed network traffic on DC-PERIMETER1
2.10.2 Impact
It is common for an attacker to perform netw ork reconnaissance in order to identify potential target hosts and services. An
attackers reconnaissance phase can vary greatly in intensity and covertness, but any netw ork scans that match netw ork filter rules
that are not configured to log w ill not be recorded.
Logging access attempts to netw ork hosts and services that are filtered using allow rules provides useful information about an
attackers activities, enabling a netw ork administrators to determine w hich hosts and services w ere accessed. The information
collected w ould also be useful as evidence in case any legal action w ere to be taken against the attacker. W ith no logging of allow
filter rules the information w ould not be recorded for use by netw ork administrators, auditors or a netw ork forensic team.
Additionally, w ith no logging of allow filter rules netw ork administrators may not be able to determine w hich hosts w ere accessed by
an attacker and log monitoring softw are, if configured, w ould not alert netw ork administrators of a potential attack in progress.
2.10.3 Ease
An attackers attempts to access netw ork services covered by the allow filter rules detailed in the finding w ould not be logged.
Nipper Studio recommends that all netw ork filter rules that allow netw ork traffic should be configured to log the access attempt.
2.11 Filter Drop Rules Were Configured Without Logging
2.11.1 Finding
Overall: LOW
Netw ork filter rules can be configured to log an access attempt w hen netw ork traffic matches a specific filter
rule. The netw ork filter rule logging facility helps netw ork administrators to diagnose issues, determine a rules Impact: Low
usage and provide an audit trail for netw ork traffic accessing specific hosts and services.
Ease: N/A
Nipper Studio identified one filter rule on DC-PERIMETER1 that does not log dropped netw ork traffic. The filter Fix: Quick
rule is show n below in Table 32.

1 Yes Any Any Any No
Table 32: Firewall Policy from lan to wan1 rule not logging dropped network traffic on DC-PERIMETER1
2.11.2 Impact
attackers reconnaissance phase can vary greatly in intensity and covertness, but any netw ork scans that match netw ork filter rules
that are not configured to log w ill not be record the activity.
Logging access attempts to netw ork hosts and services that are filtered using drop rules provides useful information about an
attackers activities, and could be useful as evidence in any legal action taken. W ith no logging of drop filter rules the information
w ould not be recorded for use by netw ork administrators, auditors or a netw ork forensic team. Furthermore log monitoring
softw are, if configured, w ould not alert netw ork administrators of a potential attack in progress.
2.11.3 Ease
An attackers attempts to access netw ork services w hich are protected by the drop filter rules detailed in the finding w ould not be
logged.
Nipper Studio recommends that all netw ork filter rules that drop netw ork traffic should be configured to log the access attempt.
2.12 Proxy ARP Was Enabled
2.12.1 Finding
Overall: INFORMATIONAL
ARP is a protocol that netw ork hosts use to translate netw ork IP addresses into Media Access
Control (MAC) addresses. Under normal circumstances, ARP packets are confined to the Impact: Low
sender's netw ork segment. How ever some netw ork devices can be configured to act as a
proxy for ARP requests, retransmitting an ARP request on other netw ork segments and Ease: Easy
sending any response back to the originator of the request. Fix: Quick
Nipper Studio determined that the Proxy ARP feature w as enabled on fourteen netw ork
interfaces on DC-PERIMETER1. These are detailed in Table 33.
Interface Active Address Proxy-ARP Description

w an1 Yes 172.22.22.1/24 On
modem Yes DHCP On
w an2 Yes DHCP On
mgmt Yes 172.23.21.130/24 On
port6 Yes 172.30.11.1/24 On
port10 Yes 172.30.10.1/24 On
lan Yes 172.168.1.97/29 On
DC-Router Yes 192.168.1.97/24 On Connected To DC-Router Interface
CheckPoint-FW Yes 172.22.26.4/24 On Connected To Checkpoint FW Interface
DC-Admin Yes 172.21.28.1/24 On Connected To DC-Admin Interface
HO-USERS Yes 192.168.6.1/24 On Connected To HO-USERS Interface
HO-USERS Yes 192.168.6.1/24 On Connected To HO-USERS Interface
RTGS Yes 172.30.0.100/24 On Connected to RTGS Interface
ATM Yes 172.21.29.4/24 On Connected To ATM Interface
BRANCH-BACKUP Yes 172.21.26.1/24 On
Table 33: Network interfaces on DC-PERIMETER1 with Proxy ARP enabled
2.12.2 Impact
A router that acts as a proxy for ARP requests w ill extend layer tw o access across multiple netw ork segments, potentially breaking
perimeter security.
2.12.3 Ease
A netw ork device w ith proxy ARP enabled w ill proxy ARP requests for all hosts on those interfaces. A number of ARP tools can be
dow nloaded from the Internet for use in exploiting this issue.
Nipper Studio recommends that, if not required, the Proxy ARP feature should be disabled on all interfaces.

Proxy ARP can disabled on individual netw ork interfaces on Fortinet FortiGate Firew all FG100D devices using the follow ing interface
command:
set arpforward disable
2.13 Filter Rule List Does Not End With Drop All And Log
2.13.1 Finding
Netw ork devices that are capable of performing netw ork filtering w ill usually drop all netw ork
traffic w hen it does not match any of the configured netw ork filter rules. How ever this netw ork Impact: Informational
traffic is also usually excluded from logging w hen a netw ork filter rule does not apply.
Ease: N/A
Nipper Studio identified four filter rule lists on DC-PERIMETER1 that did not end w ith a drop all Fix: Quick
and log rule. Those filter rule lists are detailed below .
Firew all Policy from lan to w an1;
Firew all Policy from CheckPoint-FW to w an1;
Firew all Policy from HO-USERS to w an1;
Firew all Policy from RTGS to w an1.
2.13.2 Impact
attackers reconnaissance phase can vary greatly in intensity and covertness, but any netw ork scans w hich do not match the
configured filter rules w ill not be logged.
The log information collected w ould be useful as evidence in case any legal action w ere to be taken against the attacker. W ithout
any logging of the netw ork traffic that does not match any of the filter rules, the information w ould not be recorded for use by
netw ork administrators, auditors or a netw ork forensic team.
2.13.3 Ease
Any netw ork traffic that does not match any netw ork filter rules w ill not be logged.
Nipper Studio recommends that a drop all and log filter rule should be configured as the final rule in a filter rule list.
2.14 Disabled Filter Rules Were Configured
2.14.1 Finding
The capability to enable and disable individual netw ork filter rules can be invaluable w hen
administering a filtering device. This feature enables a netw ork administrator to temporarily Impact: Informational
disable access to a netw ork service w hich is undergoing maintenance or temporarily disable a
filter rule w hich may no longer be of any use. Ease: N/A
Fix: Quick
Nipper Studio identified five filter rules on DC-PERIMETER1 that w ere disabled. Those filter
rules are listed below .
32 No MGMNT-PC Any Any No
CTS Server
Datacenter-Laptop-2
W SUS
Table 34: Firewall Policy from DC-Admin to wan1 disabled rule on DC-PERIMETER1

161 No CPFW -OUT Any Any No
Table 35: Firewall Policy from CheckPoint-FW to wan1 disabled rule on DC-PERIMETER1

183 No Any Any Any No
Table 36: Firewall Policy from HO-USERS to wan1 disabled rule on DC-PERIMETER1

Table 37: Firewall Policy from RTGS to CheckPoint-FW disabled rule on DC-PERIMETER1

195 No SFMS-PRIMARY Any Any No
Table 38: Firewall Policy from RTGS to wan1 disabled rule on DC-PERIMETER1
2.14.2 Impact
Although disabled netw ork filter rules are not a direct threat to security, the rules could make interpreting a filter rule list more
difficult. This could lead a netw ork administrator to add additional, or more relaxed, filter rules that enable an attacker to gain
unauthorized access to netw ork services.
2.14.3 Ease
An attacker w ill only be able to exploit this issue if it leads to a netw ork administrator adding additional, or more relaxed, filter rules
by mistake. Enabling an attacker to gain unauthorized access to netw ork hosts and services.
Nipper Studio recommends that all disabled netw ork filter rules should be removed once they are no longer of any use.

Policy rules can be deleted on Fortinet FortiGate Firew all FG100D devices using the follow ing commands:
config firewall policy

delete rule-number
2.15 Unused Filter Objects Were Configured
2.15.1 Finding
Netw ork filtering devices w ill often enable the configuration of a variety of different filter
objects w hich can be used w hen netw ork filter rules are configured. These filter objects can Impact: Informational
include netw ork addresses, services and group objects (that enable filter objects to be
combined in to a filter single object). For example a printers group object could be created that Ease: N/A
contains all the netw ork printer address objects so that a single filter rule can be used to Fix: Quick
enable access to them.
Nipper Studio identified 706 filter objects and object lists on DC-PERIMETER1 that w ere unused. Those filter objects are detailed
below .
BRANCHES-Group-1 address group;
Branches-Group-2 address group;
BranchesGroup-5 address group;
BranchesGroup-5 address group;
ATM-1 address group;
APP-SERVERS address group;
DOMAIN address group;
DATABASE address group;
OLD-DOMAIN address group;
Routers-GR1 address group;
RGCS address group;
RBI-RTGS address group;
DC-ADMIN-INTERNET-USERS address group;
DR-APPSERVERS address group;
DR-DOMAINS address group;
DR-DATABASESERVERS address group;
BRANCH-GROUP-6 address group;
Datacenter-Laptops address group;
OFFSITE ATM address group;
BRANCH-DVR address group;
BBPS_Clients address group;
Email Access service group;
W eb Access service group;
W indow s AD service group;
Exchange Server service group;
IT-Audit service group.
Name Type Address Interface

SSLVPN_TUNNEL_ADDR1 Host 10.212.134.200 - Any
Range 10.212.134.210
all Host Any Any
apple Host Any Any
dropbox.com Host Any Any
Gotomeeting Host Any Any
icloud Host Any Any
itunes Host Any Any
android Host Any Any
skype Host Any Any
sw scan.apple.com Host Any Any
update.microsoft.com Host Any Any
appstore Host Any Any
eease Host Any Any
google-drive Host Any Any
google-play Host Any Any
google-play2 Host Any Any
microsoft Host Any Any
adobe Host Any Any
Adobe Login Host Any Any
fortinet Host Any Any
googleapis.com Host Any Any
citrix Host Any Any
verisign Host Any Any
W indow s update 2 Host Any Any
*.live.com Host Any Any
auth.gfx.ms Host Any Any
autoupdate.opera.com Host Any Any
softw areupdate.vmw are.com Host Any Any
firefox update server Host Any Any
MAHILA BRANCH RAMDASPETH BIRLA GATE Host 192.168.7.1 - 192.168.7.4 DC-Router
Range
AKOT CITY BRANCH JAISTHAMBH CHOW K Host 192.168.34.1 - 192.168.34.4 DC-Router
Range
NARSING MANDIR BRANCH AKOT NR NARSING MANDIR Host 192.168.35.1 - 192.168.35.3 DC-Router
Range
TELHARA MAIN BRANCH NR BUS STAND TELHARA Host 192.168.43.1 - 192.168.43.9 DC-Router
Range
TELHARA CITY BRANCH JUNA ATHAW ADI BAZAR NR DESHMUKH W ADA TE Host 192.168.44.1 - 192.168.44.3 DC-Router
Range
CHOHATTA BAZAR BRANCH AKOT ROAD CHOHATTA BAZAR Host 192.168.38.1 - 192.168.38.5 DC-Router
Range
HIW ARKHED BRANCH AT POST - HIW ARKHED TQ- TELHARA Host 192.168.45.1 - 192.168.45.6 DC-Router
Range
DANAPUR BRANCH AT - DANAPUR TQ-TELHARA DIST-AKOLA Host 192.168.46.1 - 192.168.46.2 DC-Router
Range
AKOLKHED BRANCH AT - AKOLKHED TQ- AKOT Host 192.168.40.1 - 192.168.40.2 DC-Router
Range
BORDI BRANCH AT - BORDI TQ- AKOT Host 192.168.110.1 - 192.168.110.2 DC-Router
Range
ADGAON BRANCH AT - ADGAON BZ TQ- TELHARA DIST- AKOLA Host 192.168.50.1 - 192.168.50.3 DC-Router
Range
ADSUL BRANCH AT - ADSUL TQ- TELHARA DIST-AKOLA Host 192.168.49.1 - 192.168.49.3 DC-Router
Range
PATHARDI BRANCH AT - PATHARDI TQ- TELHARA DIST-AKOLA Host 192.168.47.1 - 192.168.47.2 DC-Router
Range
MUNDGAON BRANCH AT -MUNDGAON TQ- AKOT Host 192.168.42.1 - 192.168.42.3 DC-Router
Range
W ARUL JAULKA BRANCH AT - W ARUD JAULKA TQ- AKOT Host 192.168.39.1 - 192.168.39.2 DC-Router
Range
KUTASA BRANCH AT -KUTASA TQ- AKOLA Host 192.168.41.1 - 192.168.41.3 DC-Router
Range
SAW ARA BRANCH AT- SAW ARA TQ- AKOT DIST- AKOLA Host 192.168.36.1 - 192.168.36.3 DC-Router
Range
RAUNDALA BRANCH AT - RAUNDALA TQ- AKOT Host 192.168.37.1 - 192.168.37.3 DC-Router
Range
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram Host 192.168.11.1 - 192.168.11.4 DC-Router
Ch Range
APP-1 Host 172.21.22.1 CheckPoint-
FW
FW
APP-CLUSTER Host 172.21.22.3 CheckPoint-
FW
ATMInterface Host 172.21.25.1 CheckPoint-
FW
RtgsInterface Host 172.21.25.2 CheckPoint-
FW
Antivirus-Server Host 172.21.23.3 CheckPoint-
FW
BDC Host 172.21.23.2 CheckPoint-
FW
PDC Host 172.21.23.1 CheckPoint-
FW
DATABASE1 Host 172.21.21.1 CheckPoint-
FW
FW
SQL-CLUSTER Host 172.21.21.5 CheckPoint-
FW
Belkhed Branch Ta. Telhara Host 192.168.48.1 - 192.168.48.2 DC-Router
Range
Keshavnagar Branch Ta Risod Dist. W ashim Host 192.168.106.1 - 192.168.106.2 DC-Router
Range
Kasola Branch Ta. Mangrulpir Dist. W ashim Host 192.168.109.1 - 192.168.109.2 DC-Router
Range
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra Host 192.168.112.1 - 192.168.112.2 DC-Router
Range
AKOT MAIN BRANCH HIW ARKHED ROAD NR PETROL PUMP Host 192.168.33.1 - 192.168.33.13 DC-Router
Range
KAPAD BAZAR BRANCH RAYAT HAVELI JUNA KAPAD BAZAR Host 192.168.3.1 - 192.168.3.8 DC-Router
Range
RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA Host 192.168.26.1 - 192.168.26.4 DC-Router
RATANLAL Range
DABKI ROAD BRANCH NR KHANDELW AL HIGH SCHOOL Host 192.168.10.1 - 192.168.10.4 DC-Router
Range
MARKET YARD BRANCH APMC MARKET Host 192.168.2.1 - 192.168.2.7 DC-Router
Range
W ASHIM MAIN BRANCH NEAR ST STAND Host 192.168.88.1 - 192.168.88.14 DC-Router
Range
KARANJA MAIN BRANCH BEHIND ST STAND NR TAHASILOFFICE KARANJ Host 192.168.70.1 - 192.168.70.10 DC-Router
Range
MANGRULPIR MAIN BRANCH BIRBALNATH ROAD NR DR SARKAR CLINIC Host 192.168.78.1 - 192.168.78.10 DC-Router
Range
Range
RISOD MAIN BRANCH NR BUS STAND Host 192.168.99.1 - 192.168.99.10 DC-Router
Range
VIVARA BRANCH AT BABHULGAON TQ - PATUR DIST - AKOLA Host 192.168.61.1 - 192.168.61.4 DC-Router
Range
KENW AD BRANCH AT - KENW AD TQ- RISOD DIST- W ASHIM Host 192.168.102.1 - 192.168.102.3 DC-Router
Range
CHIKHALGAON BRANCH AT - CHIKHALGAON TQ- AKOLA Host 192.168.17.1 - 192.168.17.2 DC-Router
Range
KURANKHED BRANCH AT- KURANKHED TQ- AKOLA Host 192.168.20.1 - 192.168.20.3 DC-Router
Range
HARAL BRANCH AT - HARAL TQ- RISOD Host 192.168.104.1 - 192.168.104.2 DC-Router
Range
DAHIHANDA BRANCH AT - DAHIHANDA TQ- AKOLA Host 192.168.18.1 - 192.168.18.3 DC-Router
Range
PARAS BRANCH AT- PARAS TQ- BALAPUR . DIST-AKOLA Host 192.168.55.1 - 192.168.55.3 DC-Router
Range
PDKV BRANCH DR PDKV VIDYAPEETH CAMPUS Host 192.168.9.1 - 192.168.9.5 DC-Router
Range
KARANJA CITY BRANCH BHAJI BAZAR GANDHI CHOW K KARANJA Host 192.168.71.1 - 192.168.71.3 DC-Router
Range
W ASHIM CITY BRANCH RAJANI CHOW K NR INDANI SCHOO Host 192.168.89.1 - 192.168.89.5 DC-Router
Range
RANPISE NAGAR BRANCH SAUJANYA MARKET RANPISE NAGAR Host 192.168.24.1 - 192.168.24.4 DC-Router
Range
Z P BRANCH NR COLLECTOR OFFICE Host 192.168.5.1 - 192.168.5.14 DC-Router
Range
RAJESHW AR JAIHIND CHOW K BRANCH JAIHIND CHOW K OLD CITY Host 192.168.4.1 - 192.168.4.4 DC-Router
Range
PATUR NANDAPUR BRANCH AT - PATUR NANDAPUR TQ- AKOLA Host 192.168.19.1 - 192.168.19.2 DC-Router
Range
CHIKHALI BRANCH AT - CHIKHALI TQ- RISOD Host 192.168.108.1 - 192.168.108.2 DC-Router
Range
DHANAJ BZ BRANCH AT - DHANAJ BZ TQ- KARANJA DIST-W ASHIM Host 192.168.74.1 - 192.168.74.4 DC-Router
Range
DHABA BRANCH AT - DHABA TQ- BARSHITAKLI Host 192.168.32.1 - 192.168.32.2 DC-Router
Range
KANSHIVANI BRANCH AT - KANSHIVANI TQ- AKOLA Host 192.168.15.1 - 192.168.15.4 DC-Router
Range
KANHERI SARAP BRANCH AT - KANHERI SARAP TQ- BARSHITAKL Host 192.168.31.1 - 192.168.31.3 DC-Router
Range
W ANOJA BRANCH AT- W ANOJA TQ- MANGRULPIR DIST- W ASHIM Host 192.168.82.1 - 192.168.82.2 DC-Router
Range
SHENDURJANA BRANCH AT - SHENDURJANA TQ- MANORA DIST- W ASHIM Host 192.168.85.1 - 192.168.85.4 DC-Router
Range
PARDI TAKMOR BRANCH AT - PARDI TAKMOR TQ - W ASHIM Host 192.168.92.1 - 192.168.92.2 DC-Router
Range
MOHARI BRANCH AT - MOHARI TQ- MANGRULPIR DIST- W ASHIM Host 192.168.80.1 - 192.168.80.2 DC-Router
Range
TONDGAON BRANCH KEKATUMRA EXCHANGE DIST - W ASHIM Host 192.168.91.1 - 192.168.91.3 DC-Router
Range
MANGUL ZANAK BRANCH AT -MANGUL ZANAK TQ- RISOD Host 192.168.103.1 - 192.168.103.4 DC-Router
Range
PALSO BRANCH AT PALSO TQ DIST- AKOLA Host 192.168.13.1 - 192.168.13.3 DC-Router
Range
MOP BRANCH AT - MOP TQ- RISOD Host 192.168.105.1 - 192.168.105.3 DC-Router
Range
SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA Host 192.168.62.1 - 192.168.62.2 DC-Router
Range
POHA BRANCH AT - POHA TQ- KARANJA DIST- W ASHIM Host 192.168.76.1 - 192.168.76.2 DC-Router
Range
JAULKA RLY BRANCH AT -JAULKA RLY TQ- MALEGAON DIST- W ASHIM Host 192.168.98.1 - 192.168.98.2 DC-Router
Range
HATRUN BRANCH AT - HATRUN TQ- BALAPUR DIST- AKOLA Host 192.168.56.1 - 192.168.56.3 DC-Router
Range
UMBARDA BAZAR BRANCH AT - UMBARDA BAZAR TQ- KARANJA DIST- W Host 192.168.73.1 - 192.168.73.3 DC-Router
Range
MANBHA BRANCH AT - MANBHA TQ- KARANJA DIST- W ASHIM Host 192.168.75.1 - 192.168.75.2 DC-Router
Range
PANGRIKUTE BRANCH AT - PANGRIKUTE TQ- MALEGAON DIST- W ASHIM Host 192.168.97.1 - 192.168.97.2 DC-Router
Range
KAJALESHW AR BRANCH AT - KAJALESHW AR TQ- KARANJA DIST- W ASHI Host 192.168.77.1 - 192.168.77.2 DC-Router
Range
POHARADEVI BRANCH AT - POHARADEVI TQ- MANORA DIST- W ASHIM Host 192.168.86.1 - 192.168.86.4 DC-Router
Range
NIMBA BRANCH AT - NIMBA TQ- BALAPUR DIST-AKOLA Host 192.168.54.1 - 192.168.54.5 DC-Router
Range
DHANORA BRANCH AT - DHANORA TQ- MANGRULPIR DIST- W ASHIM Host 192.168.83.1 - 192.168.83.4 DC-Router
Range
MHAISANG BRANCH AT POST - MHAISANG TQ- AKOLA Host 192.168.14.1 - 192.168.14.3 DC-Router
Range
GANDHIGRAM BRANCH AT - GANDHIGRAM TQ- AKOLA Host 192.168.16.1 - 192.168.16.3 DC-Router
Range
GOREGAON BRANCH AT- GOREGAON TQ- AKOLA Host 192.168.21.1 - 192.168.21.2 DC-Router
Range
MEDSHI BRANCH AT - MEDSHI TQ- MALEGAON DIST- W ASHIM Host 192.168.96.1 - 192.168.96.4 DC-Router
Range
AGAR BRANCH AT- AGAR TQ- AKOLA Host 192.168.25.1 - 192.168.25.2 DC-Router
Range
KINHIRAJA BRANCH AT -KINHIRAJA TQ- MALEGAON DIST- W ASHIM Host 192.168.94.1 - 192.168.94.4 DC-Router
Range
W AKAD BRANCH AT - W AKAD TQ- RISOD Host 192.168.107.1 - 192.168.107.2 DC-Router
Range
SAKHARDOH BRANCH SHIVAJI CHOW K MANORA DIST- W ASHIM Host 192.168.87.1 - 192.168.87.4 DC-Router
Range
UMARI BRANCH AKOLA AT PATIL MARKET JATHARPETH AKOLA Host 192.168.22.1 - 192.168.22.4 DC-Router
Range
BORGAON MANJU BRANCH AT POST - BORGAON MANJU TQ- AKOLA Host 192.168.12.1 - 192.168.12.5 DC-Router
Range
BALAPUR BRANCH NR BUS STAND BALAPUR Host 192.168.51.1 - 192.168.51.8 DC-Router
Range
KURUM BRANCH AT - KURUM TQ- MURTIZAPUR Host 192.168.68.1 - 192.168.68.4 DC-Router
Range
MALEGAON BRANCH NR NEW BUS STAND MALEGAON DIST- W ASHIM Host 192.168.93.1 - 192.168.93.8 DC-Router
Range
MURTIZAPUR CITY BRANCH AT TIDKE COMPLEX MANGALW AR BAZAR Host 192.168.66.1 - 192.168.66.5 DC-Router
MUR Range
PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR Host 192.168.58.1 - 192.168.58.9 DC-Router
Range
ALEGAON BRANCH AT - ALEGAON TQ- PATUR DIST-AKOLA Host 192.168.60.1 - 192.168.60.5 DC-Router
Range
SHELUBAZAR BRANCH BHAJI BAZAR SHELU BAZAR TQ- MANGRULPIR Host 192.168.81.1 - 192.168.81.6 DC-Router
Range
PINJAR BRANCH AT POST - PINJAR TQ- BARSHITAKLI Host 192.168.29.1 - 192.168.29.5 DC-Router
Range
RITHAD BRANCH AT POST- RITHAD TQ- RISDO DIST-W ASHIM Host 192.168.101.1 - 192.168.101.4 DC-Router
Range
KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- W ASHIM Host 192.168.72.1 - 192.168.72.5 DC-Router
Range
MURTIZAPUR MAIN BRANCH NR TAHSIL OFFICE MURTIZAPUR Host 192.168.64.1 - 192.168.64.10 DC-Router
Range
RISOD CITY BRANCH BAGADIYA COMPLEX NR SITLAMATA MANDIR RISOD Host 192.168.100.1 - 192.168.100.2 DC-Router
Range
URAL BRANCH AT POST - URAL TQ- BALAPUR Host 192.168.52.1 - 192.168.52.5 DC-Router
Range
MAHAN BRANCH VIVIDH KARYAKARI SAHAKARI SANSTHA MAHAN Host 192.168.30.1 - 192.168.30.4 DC-Router
Range
BARSHITAKLI BRANCH AT POST TQ- BARSHITAKLI Host 192.168.28.1 - 192.168.28.9 DC-Router
Range
ANSING BRANCH AT - ANSING TQ DIST- W ASHIM Host 192.168.90.1 - 192.168.90.5 DC-Router
Range
MANA BRANCH GRAMPANCHAYAT MANA TQ- MURTIZAPUR Host 192.168.67.1 - 192.168.67.5 DC-Router
Range
MANGRULPIR CITY BRANCH NR BIRBALNATH MANDIR MANGRULPIR Host 192.168.79.1 - 192.168.79.3 DC-Router
Range
CHANNI BRANCH AT POST - CHANNI TQ- PATUR DIST- AKOLA Host 192.168.59.1 - 192.168.59.3 DC-Router
Range
SHIRPUR BRANCH AT- SHIRPUR TQ- MALEGAON Host 192.168.95.1 - 192.168.95.5 DC-Router
Range
MURTIZAPUR MARKET YARD BRANCH APMC PREMISES MURTIZAPUR Host 192.168.65.1 - 192.168.65.6 DC-Router
Range
MANORA BRANCH AT POST TQ- MANORA DIST-W ASHIM Host 192.168.84.1 - 192.168.84.10 DC-Router
Range
KHADKI BRANCH AKOLA AT POST - KHADKI Host 192.168.23.1 - 192.168.23.4 DC-Router
Range
W ADEGAON BRANCH AT POST - W ADEGAON TQ- BALAPUR Host 192.168.53.1 - 192.168.53.6 DC-Router
Range
PATANI CHOW K BRANCH W ASHIM PATANI CHOW K Host 192.168.111.1 - 192.168.111.4 DC-Router
Range
VYALA BRANCH AT - VYALA TQ- BALAPUR Host 192.168.57.1 - 192.168.57.3 DC-Router
Range
DR KORPE NAGAR BRANCH KORPE NAGAR NR ADARSH COLONY Host 192.168.8.1 - 192.168.8.4 DC-Router
Range
Civil-Lines Branch Host 192.168.6.11 - 192.168.6.23 HO-USERS
Range
ATM-CIVIL-LINES Host 192.168.6.101 HO-USERS
ATM-KAPAD-BAZAR Host 192.168.3.101 DC-Router
ATM-ZP Host 192.168.5.101 DC-Router
ATM-DR KORPENAGAR Host 192.168.8.101 DC-Router
ATM-DABKIRD Host 192.168.10.101 DC-Router
ATM-BORGAOM Host 192.168.12.101 DC-Router
ATM-KHADKI Host 192.168.23.101 DC-Router
ATM-RANPISE Host 192.168.24.101 DC-Router
ATM-BARSHITAKLI Host 192.168.28.101 DC-Router
ATM-PINJAR Host 192.168.29.101 DC-Router
ATM-AKOT-MAIN Host 192.168.33.101 DC-Router
ATM-AKOT-CITI Host 192.168.34.101 DC-Router
ATM-CHOHOTTA Host 192.168.38.101 DC-Router
ATM-TELHARA Host 192.168.43.101 DC-Router
ATM-BALAPUR Host 192.168.51.101 DC-Router
ATM-URAL Host 192.168.52.101 DC-Router
ATM-W ADEGAON Host 192.168.53.101 DC-Router
ATM-PATUR Host 192.168.58.101 DC-Router
ATM-ALEGAON Host 192.168.60.101 DC-Router
ATM-MURTIZAPUR-MAIN Host 192.168.64.101 DC-Router
ATM-MANA Host 192.168.67.101 DC-Router
ATM-KURUM Host 192.168.68.101 DC-Router
ATM-KARANJA-MAIN Host 192.168.70.101 DC-Router
ATM-KARANJA-CITI Host 192.168.71.101 DC-Router
ATM-KAMARGAON Host 192.168.72.101 DC-Router
ATM-MANGRULPIR-MAIN Host 192.168.78.101 DC-Router
ATM-SHELUBAZAR Host 192.168.81.101 DC-Router
ATM-MANORA Host 192.168.84.101 DC-Router
ATM-SHENDURJANA Host 192.168.85.101 DC-Router
ATM-W ASHIM-MAIN Host 192.168.88.101 DC-Router
ATM-ANSING Host 192.168.90.101 DC-Router
ATM-MALEGAON Host 192.168.93.101 DC-Router
ATM-SHIRPUR Host 192.168.95.101 DC-Router
ATM-JAULKA Host 192.168.98.101 DC-Router
ATM-RISOD-MAIN Host 192.168.99.101 DC-Router
ATM-KENW AD Host 192.168.102.101 DC-Router
ATM-PATNI-CH Host 192.168.111.101 DC-Router
ATM-ZP-W ASHIM Host 192.168.113.101 DC-Router
DC-ADMIN-USERS Host 172.21.28.15 - 172.21.28.20 DC-Admin
Range
HO-USERS Host 192.168.6.23 - 192.168.6.125 HO-USERS
Range
OLD-PDC Host 192.168.1.2 DC-Router
OLD-BDC Host 192.168.1.4 DC-Router
Euronet-Sw itch Host 10.13.15.65 ATM
Router2 Host 192.168.2.100 DC-Router
Netw ork-Admin Host 172.21.28.21 DC-Admin
HO-ROUTER Host 192.168.1.100 DC-Router
RTGS-CLIENT1 Host 172.21.28.11 DC-Admin
SFMS-PRIMARY Host 172.30.0.18 RTGS
SFMS-BACKUP Host 172.30.0.20 RTGS
SD-Agent-Euronet Host 10.13.135.39 ATM
Euro-SFTP Host 202.138.123.73 ATM
HO-USERS-COMP-SECTION Host 192.168.6.31 - 192.168.6.40 HO-USERS
Range
HO-USER-ACC-SECTION Host 192.168.6.43 - 192.168.6.60 HO-USERS
Range
HO-USERS-ADM-SECTION Host 192.168.6.61 - 192.168.6.70 HO-USERS
Range
HO-USERS-DATAHUB Host 192.168.6.71 - 192.168.6.85 HO-USERS
Range
HO-USERS-LOAN-SECTION Host 192.168.6.86 - 192.168.6.100 HO-USERS
Range
HO-USERS-STATIONARY-SECTION Host 192.168.6.104 - 192.168.6.125 HO-USERS
Range
RTGS-CLIENT2 Host 192.168.6.41 HO-USERS
HO-INTERNET-USERS-ATM Host 192.168.6.26 - 192.168.6.30 HO-USERS
Range
HO-INTERNET-USER Host 192.168.6.61 HO-USERS
HO-INTERNET-USERS-ACC-SECTION Host 192.168.6.46 - 192.168.6.47 HO-USERS
Range
Range
EMAIL-SERVER Host 10.10.10.2 CheckPoint-
FW
W EB-CMS Host 10.13.135.58 ATM
RGCS1 Host 192.168.171.33 ATM
RGCS2 Host 192.168.171.40 ATM
Ekuber-New Host 10.28.1.254 RTGS
IDRBT-TEST-HUB Host 10.0.67.194 RTGS
PO-Ticketing Host 10.29.1.191 RTGS
PO-2 Host 10.29.3.51 RTGS
LDAP-2 Host 10.30.0.6 RTGS
SFMS-DR Host 10.30.0.102 RTGS
ROUTER Host 10.30.231.1 RTGS
RTGS-NG-W AN Host 10.30.231.11 RTGS
RTGS-PRI-W AN Host 10.30.231.7 RTGS
RTGS-BKP-W AN Host 10.30.231.6 RTGS
Ekuber-BKP Host 10.28.1.171 RTGS
Ekuber-PRI Host 10.29.1.171 RTGS
SFMS Host 10.0.67.115 RTGS
SONICW ALL-RTGS Host 172.30.0.50 RTGS
PO-NEAR-DR Host 10.28.3.51 RTGS
PO-FAR-DR Host 10.35.3.51 RTGS
IDRBT-INTRANET Host 10.0.67.166 RTGS
IDRBT-CA Host 10.0.67.18 RTGS
SASTI Host 192.168.62.1 DC-Router
MPLS ROUTER Host 172.23.39.133 DC-Router
Sophos-Backup-1 Netw ork 192.168.250.0/24 DC-Router
TESTSERVR Host 172.21.27.1 CheckPoint-
FW
eurronet-router Host 172.21.29.3 ATM
ATM-MARKETYARD Host 192.168.2.101 DC-Router
ATM-HIW ARKHED-EXT Host 192.168.114.101 DC-Router
ATM-MAHAN Host 192.168.30.101 DC-Router
W SUS Host 172.21.28.17 DC-Admin
PRASANNA Host 172.21.28.20 DC-Admin
ATM-FINCRAFT-USER1 Host 192.168.6.26 HO-USERS
ACC-SECTION-INT-USER1 Host 192.168.6.55 HO-USERS
ZP-W ASHIM Host 192.168.113.1 - 192.168.113.2 DC-Router
Range
HIW ARKHED-EXT Host 192.168.114.1 DC-Router
CA-SERVER Host 172.21.24.1 CheckPoint-
FW
Umesh More Host 172.21.28.13 DC-Admin
APP1 Host Any CheckPoint-
FW
HO-INTERNET-USERS Host 192.168.6.117 - 192.168.6.117 HO-USERS
Range
PA Host 192.168.6.67 HO-USERS
FileZilla Host 192.168.6.99 HO-USERS
SQLDB Host Any CheckPoint-
FW
SONICW ALL-INTERNET Host 192.168.1.50 DC-Router
PrimaryDomain Host Any CheckPoint-
FW
BackupDomain Host Any CheckPoint-
FW
APPLICATION1 Host Any CheckPoint-
FW
MGMNT-PC Host 172.21.28.25 DC-Admin
MILIND Host 192.168.6.65 HO-USERS
ProxyServer Host 172.21.28.22 DC-Admin
MORESIR Host 172.21.28.13 DC-Admin
GHS Host 192.168.6.154 HO-USERS
nw adm Host 172.21.28.21 DC-Admin
GMAIL Host Any w an1
AAN Host 192.168.6.56 HO-USERS
VaidyaSir Host 192.168.6.120 HO-USERS
DR-PRIMARYDOMAIN Host 172.16.16.1 DC-Router
DR-BACKUPDOMAIN Host 172.16.16.2 DC-Router
CTS Server Host 172.21.28.15 DC-Admin
SMSSERVER Host 10.10.10.1 CheckPoint-
FW
Mr.Kale Host 192.168.6.121 HO-USERS
VBK1037 Host 192.168.6.50 HO-USERS
VMW ARE-CLIENT Host 172.21.28.16 DC-Admin
VMW ARE-HOST Host 10.10.10.3 CheckPoint-
FW
DR-DATABASE1 Host 172.19.19.1 DC-Router
DR-APPLICATION1 Host 172.17.17.1 DC-Router
VIEW -FRAME Host 192.168.6.114 HO-USERS
ATM-MANGRULPIR-CITY Host 192.168.79.101 DC-Router
ATM-MHAISANG Host 192.168.14.101 DC-Router
ATM-Dhaihanda Host 192.168.18.101 DC-Router
ATM-DHABA Host 192.168.32.101 DC-Router
ATM-RAUNDLA Host 192.168.37.101 DC-Router
ATM-KUTASA Host 192.168.41.101 DC-Router
ATM-NIMBA Host 192.168.54.101 DC-Router
ATM-PARAS Host 192.168.55.101 DC-Router
ATM-CHANNI Host 192.168.59.101 DC-Router
ATM-MURTIZAPUR CITY Host 192.168.66.101 DC-Router
ATM-UMBARDA BAZAR Host 192.168.73.101 DC-Router
ATM-DHANAJ Host 192.168.74.101 DC-Router
ATM-POHARADEVI Host 192.168.86.101 DC-Router
ATM-TONDGAO Host 192.168.91.101 DC-Router
ATM-MEDSHI Host 192.168.96.101 DC-Router
ATM-PANGRIKUTE Host 192.168.97.101 DC-Router
ATM-RITHAD Host 192.168.101.101 DC-Router
ATM-MANGULZANAK Host 192.168.103.101 DC-Router
ATM-AKOT-NarsingMandir Host 192.168.35.101 DC-Router
ATM-Kansivni Host 192.168.15.101 DC-Router
BSNL-W AN Host 59.99.164.1 w an1
DRAPPCLUSTER Host 172.17.17.3 DC-Router
DRADCCSQL Host 172.19.19.5 DC-Router
Ekuber-DR Host 10.35.1.171 RTGS
ATM-CIVILLINES-2 Host 192.168.6.103 HO-USERS
ATM-Rajeshw ar Host 192.168.4.101 DC-Router
sysadmin Host 172.21.28.26 DC-Admin
DR-CASERVER Host 172.20.20.1 CheckPoint-
FW
DR-CASERVER-2 Host 172.20.20.1 DC-Router
ATM-Adsul Host 192.168.49.101 DC-Router
DC-ADMIN-USERS-2 Host 172.21.28.12 - 172.21.28.14 DC-Admin
Range
CIVIL-LINES-DVR Host 192.168.6.102 HO-USERS
INZORI BRANCH Host 192.168.115.1 - 192.168.115.2 DC-Router
Range
ATM-GANDHIGRAM Host 192.168.16.101 DC-Router
EuronetTest1 Host 202.138.123.75 ATM
VAIBHAV Host 172.21.28.14 DC-Admin
MGMNT2-PC Host 172.21.28.26 DC-Admin
MSEB-APP Host 192.168.6.57 HO-USERS
DR-MONITOR Host 172.16.16.3 DC-Router
DR-RTGS-SERVER Host 172.28.28.1 CheckPoint-
FW
Datacenter-Laptop-1 Host 172.21.28.22 DC-Admin
Vinod Raut Host 172.21.28.24 DC-Admin
abcd Host 192.168.6.32 HO-USERS
ATM-OFFSITE-NIMBA Host 192.168.246.2 DC-Router
Nelito_Tech Host 172.21.28.28 DC-Admin
NELITODBUSER Host 192.168.6.38 - 192.168.6.39 HO-USERS
Range
comsolvepc Host 192.168.6.40 HO-USERS
RTGS-MONITER Host 192.168.6.116 HO-USERS
RATHODPC Host 192.168.6.117 HO-USERS
KARANJA MARKET YARD Host 192.168.116.1 - 192.168.116.2 DC-Router
Range
ATM-KARANJA-MARKETYARD Host 192.168.116.101 DC-Router
IDRBT-TEST-HUB-NEW Host 10.0.67.85 RTGS
DR-Korpe-Nagar-DVR Host 192.168.8.102 DC-Router
Ranpise Nagar-DVR Host 192.168.24.102 DC-Router
Kapad Bazar-DVR Host 192.168.3.102 DC-Router
DabkrRD-DVR Host 192.168.10.102 DC-Router
Barshitakli-DVR Host 192.168.28.102 DC-Router
Khadki-DVR Host 192.168.23.102 DC-Router
Mahan-DVR Host 192.168.30.102 DC-Router
Chohotta-DVR Host 192.168.38.102 DC-Router
AkotCity-DVR Host 192.168.34.102 DC-Router
AkotMain-DVR Host 192.168.33.102 DC-Router
Hiw arkhed Ex-DVR Host 192.168.114.102 DC-Router
Telhara Main-DVR Host 192.168.43.102 DC-Router
SOPHOS-UTM Host 192.168.1.246 DC-Router
Vinod Kalbande Host 192.168.6.31 HO-USERS
Mahure Host 192.168.6.75 HO-USERS
Ho Back-Office Host 192.168.6.126 - 192.168.6.147 HO-USERS
Range
FRM Host 192.168.171.28 ATM
ATM-USER-1 Host 192.168.6.72 HO-USERS
New -SFMS Host 10.100.5.234 RTGS
HO-Backoffice-INTERNETUSER-1 Host 192.168.6.126 HO-USERS
IDRBT-INTRANET-NEW Host 10.0.50.173 RTGS
SFMS_NEW Host 10.100.5.115 RTGS
SK Mohod Host 192.168.6.55 HO-USERS
ATM OFF-SITE PUSAD NAKA Host 192.168.246.10 DC-Router
CHECKPOINT-IP Host 172.22.26.4 CheckPoint-
FW
ATM-Kasola Extn Host 192.168.109.101 DC-Router
ATM-Kinhiraja Host 192.168.94.101 DC-Router
Micro ATM Host 20.20.20.20 ATM
TEST Host 172.21.29.10 ATM
CTRLSFI Host 172.23.25.3 port10
Micro-ATM Host 172.30.10.2 port10
PDC-DR Host 172.16.16.1 CheckPoint-
FW
BDC-DR Host 172.16.16.2 CheckPoint-
FW
Unspecified Branch - Reserved For SOPHOS Host 192.168.63.1 - 192.168.63.9 Any
Range
Ekuber-Pri Host 10.29.1.171 CheckPoint-
FW
Ekuber-Bkp Host 10.28.1.171 CheckPoint-
FW
CPFW Host 172.22.24.3 CheckPoint-
FW
CPFW -OUT Host 172.22.26.3 CheckPoint-
FW
CPPRI Host 172.23.21.128 CheckPoint-
FW
CPHA Host 172.23.21.129 CheckPoint-
FW
ATM-Hiw arkhed Host 192.168.45.101 DC-Router
ATM-Mundgaon Host 192.168.42.101 DC-Router
ATM-Hatrun Host 192.168.56.101 DC-Router
Ekuber-DR-Primary Host 10.29.1.171 CheckPoint-
FW
Ekuber-DR-Backup Host 10.28.1.171 CheckPoint-
FW
DR-ATMInterface Host 172.18.18.1 CheckPoint-
FW
Nelito-Prasad Host 192.168.6.38 HO-USERS
DR-Rtgs-Interface Host 172.18.18.2 CheckPoint-
FW
EMS Host 10.29.1.191 CheckPoint-
FW
SFMS-Intranet Host 10.0.67.166 CheckPoint-
FW
CropInsurance Host 192.168.6.145 HO-USERS
ATM-MOP Host 192.168.105.101 DC-Router
IMPS router Host 172.30.11.2 port6
IMPS_Telnet Host 20.20.20.25 port6
Finacus-IMPS-LIVE Host 172.17.24.48 port6
Shende Saheb Host 192.168.6.88 HO-USERS
IDRBT-INTRANET-2 Host 10.100.0.119 RTGS
SFMS-INTRANET-2 Host 10.100.0.119 CheckPoint-
FW
Mangle Host 192.168.6.95 HO-USERS
Finacus - Mobile Banking Host 172.17.25.11 port6
SIEM-SRV Host 10.10.10.4 CheckPoint-
FW
Finacus-IMPS-UAT Host 172.18.2.216 port6
EuronetSw itch-forCivilLines Host 10.13.15.65 DC-Router
Euronet-Checkpoint Host 10.13.15.65 CheckPoint-
FW
Biskunde Saheb Host 192.168.6.81 HO-USERS
Potmala-Int-135 Host 192.168.6.135 HO-USERS
SachinNelito Host 192.168.6.151 HO-USERS
GST-INVOICE Host 103.14.162.217 w an1
BBPS1 Host 10.13.135.126 ATM
BBPS_HO_AmitPC Host 192.168.6.26 HO-USERS
HO-Backoffice-INTENETUSER-3 Host 192.168.6.128 HO-USERS
CTS-PC Host 192.168.6.199 HO-USERS
BBPS2 Host 10.13.135.130 ATM
BBPS-Korpe Nagar Host 192.168.8.1 - 192.168.8.2 DC-Router
Range
ABsCsDd Host Any ATM
BBPS_Ratanlal Host 192.168.26.1 DC-Router
BBPS_KorpeNagar Host 192.168.8.9 DC-Router
BBPS_Ratanlal2 Host 192.168.26.2 DC-Router
BBPS_CIVILLINES_1 Host 192.168.6.11 HO-USERS
HO-Backoffice-INTERNETUSER 133 Host 192.168.6.133 HO-USERS
HO-BBPS Clients Host 192.168.6.148 - 192.168.6.149 HO-USERS
Range
BBPS_W ashim_Main Host 192.168.188.1 DC-Router
BBPS_Barshitakli Host 192.168.128.1 DC-Router
BBPS_Akot_Main Host 192.168.133.1 DC-Router
BBPS_Telhara_Main Host 192.168.143.1 DC-Router
BBPS_Balapur Host 192.168.151.1 DC-Router
BBPS_Patur Host 192.168.158.1 DC-Router
BBPS_Mzr_Main Host 192.168.164.1 DC-Router
BBPS_Karanja_Main Host 192.168.170.1 DC-Router
BBPS_Mangrulpir_Main Host 192.168.178.1 DC-Router
BBPS_Manora Host 192.168.184.1 DC-Router
BBPS_Malegaon Host 192.168.193.1 DC-Router
BBPS_Risod_Main Host 192.168.199.1 DC-Router
BBPS_ZP_63 Host 192.168.63.1 DC-Router
HO_NEW _IP_Series Host 192.168.6.152 - 192.168.6.158 HO-USERS
Range
Prasad PC Host 192.168.6.36 HO-USERS
Agme Saheb Host 192.168.6.106 HO-USERS
Finacus_RGCS_1 Host 192.168.183.50 port6
ATM-PALSO Host 192.168.13.101 DC-Router
PFMS Host 49.35.221.181 w an1
W ashimMain-DVR Host 192.168.88.102 DC-Router
ATM-SAVRA Host 192.168.36.101 DC-Router
BSG - Recon Server Host 192.168.6.198 HO-USERS
Block Internet IP-1 Host 192.147.130.204 w an1
Block Internet IP-2 Host Any w an1
BBPS API Host 172.21.25.3 CheckPoint-
FW
ratanlal-BSNL-W an Host 172.23.40.110 DC-Router
IMPS Interface Host 172.21.25.4 CheckPoint-
FW
Euronet NetScaler Host 10.13.139.23 ATM
Comsolve W ebmail Host Any w an1
BCS-RuPay Host 192.168.162.164 ATM
Comsolve Mail IP Host 103.228.50.191 w an1
DropBox_IP Host 162.125.248.1 w an1
Netscaler_Natted_IP Host 172.16.108.7 port6
Drop_Box_Internet Host 192.168.6.100 HO-USERS
CA Accounting Module Host 10.0.67.39 RTGS
HUB Infinet IP 1 Host 10.29.3.128 RTGS
IDRBT Accounting Module DR Host 10.30.0.3 RTGS
Senryasa Host 103.241.182.37 w an1
Team View er Host Any w an1
NFS_URL Host 192.168.171.6 ATM
Prasanna Rathod Host 172.21.28.12 DC-Admin
Zabbix_Host Host 10.10.10.11 CheckPoint-
FW
IMPS @ Branch Host 172.17.2.83 port6
S.N.W ankhade Host 192.168.6.118 HO-USERS
TESTSERVR_2 Host 172.21.27.5 CheckPoint-
FW
AW S Cloud Host 10.0.4.185 port10
Nale Saheb Host 192.168.6.85 HO-USERS
Finacus-IMPS-W ebservice Host 172.17.2.75 port6
ISG IP Host 110.173.183.4 w an1
ISG MERCHANT PAY Host Any w an1
Netscaler_2 Host 10.13.135.30 ATM
Zabbix_Server Host 10.10.10.12 CheckPoint-
FW
CTS CHQ Printing Host 192.168.6.159 - 192.168.6.160 HO-USERS
Range
Table 39: Custom network addresses unused objects on DC-PERIMETER1
Name Address
SSLVPN_TUNNEL_IPv6_ADDR1 fdff:ffff::/120
all Any
none ::
Table 40: Custom IPv6 network addresses unused objects on DC-PERIMETER1
Name Protocol Source Port Destination Port

ALL IP
ALL_TCP Any Any
ALL_UDP Any Any
ALL_ICMP6 ICMP6
GRE IP
GRE
AH IP
AH
ESP IP
ESP
AOL 5190 - 5194 5190 - 5194
BGP 179 179
DHCP 67 - 68 67 - 68
FINGER 79 79
GOPHER 70 70
H323 1720 1720
1719 1719
IKE 500 500
Internet-Locator-Service 389 389
IRC 6660 - 6669 6660 - 6669
L2TP 1701 1701
1701 1701
NetMeeting 1720 1720
NFS 111 111
111 111
NNTP 119 119
OSPF IP
OSPF
PC-Anyw here 5631 5631
5632 5632
TIMESTAMP (13)
INFO_REQUEST (15)
INFO_ADDRESS (17)
ONC-RPC 111 111
111 111
PPTP 1723 1723
QUAKE 26000 26000
RAUDIO 7070 7070
REXEC 512 512
RIP 520 520
RLOGIN 512 - 1023 513
RSH 512 - 1023 514
SCCP 2000 2000
SIP 5060 5060
5060 5060
SIP-MSNmessenger 1863 1863
TALK 517 - 518 517 - 518
TFTP 69 69
MGCP 2427 2427
UUCP 540 540
VDOLIVE 7000 - 7010 7000 - 7010
W AIS 210 210
W INFRAME 1494 1494
X-W INDOW S 6000 - 6063 6000 - 6063
PING6 ICMP6
VNC 5900 5900
DHCP6 546 546
SQUID 3128 3128
SOCKS 1080 1080
1080 1080
W INS 1512 1512
1512 1512
RADIUS 1812 1812
RADIUS-OLD 1645 1645
CVSPSERVER 2401 2401
2401 2401
AFS3 7000 - 7009 7000 - 7009
7000 - 7009 7000 - 7009
RTSP 554 554
554 554
MMS 1755 1755
1024 - 5000 1024 - 5000
NONE 0 0
w ebproxy ALL 0 - 65535 0 - 65535
TCP8893 8893 8893
TCP8085 8085 8085
TCP8081 8081 8081
TCP-54218 54218 54218
TCP-14147 14147 14147
Internet Any Any
TCP/143 143 143
TCP/465 465 465
TCP/587 587 587
TCP/993 993 993
TCP/995 995 995
BBPSTCP4434 4434 4434
Table 41: Custom service list unused objects on DC-PERIMETER1
2.15.2 Impact
Although unused filter objects are not a direct threat to security, the unused objects can clutter the filter configuration making it
more difficult for an administrator. This could potentially lead a netw ork administrator misconfiguring the netw ork filtering and
enabling an attacker to gain unauthorized access to netw ork services and hosts.
2.15.3 Ease
An attacker w ill only be able to exploit this issue if it leads to a netw ork administrator misconfiguring the netw ork filtering.
Nipper Studio recommends that all unused filter objects should be removed.

Address objects and object groups can be deleted on Fortinet FortiGate Firew all FG100D devices using the follow ing commands:
config firewall address

delete address-name
end
config firewall addrgrp
delete group-name
end
2.16 Weak Syslog Severity Level Configured
2.16.1 Finding
Logging is an essential component of a secure netw ork configuration. Logging not only assists
netw ork administrators w ith the identification of issues w hen troubleshooting, but it also Impact: Informational
enables netw ork administrators to react to intrusion attempts or DoS attacks. A logging
severity level can be configured to specify the severity of the message that w ill be logged. The Ease: N/A
standard logging severity levels are: Fix: Quick
0 - Emergencies;
1 - Alerts;
2 - Critical;
3 - Errors;
4 - W arnings;
5 - Notifications;
6 - Informational;
7 - Debugging.
Nipper Studio determined that the Syslog severity level on DC-PERIMETER1 w as not set to at least informational (6).
2.16.2 Impact
If the Syslog severity level is not set to a sufficient level then important messages may not be logged. This could mean that an
attackers activities or problems w ith a device may not be available w hen performing a forensic analysis or troubleshooting an issue.
2.16.3 Ease
The system w ill not send messages to a Syslog server w ith a severity level of at least informational (6).
Nipper Studio suggests that the Syslog severity message level should be set to at least informational (6).
2.17 ICMP Redirect Messages Were Enabled
2.17.1 Finding
W hen sending netw ork traffic through a router, ICMP redirect messages could be sent to the
router in order to indicate a specific route that the sending host w ould like the netw ork traffic Impact: Informational
to take. On a router that accepts ICMP redirect message the netw ork traffic w ill be forw arded
using the specified route. Furthermore, some routers w ill cache the new routing information for Ease: N/A
use w ith future netw ork packets. Fix: Quick
Nipper Studio determined that the ICMP Redirects feature w as enabled on thirteen netw ork
interfaces on DC-PERIMETER1. These are detailed below .
Interface Active Redirects Description

modem Yes On
w an2 Yes On
mgmt Yes On
port6 Yes On
port10 Yes On
lan Yes On
DC-Router Yes On Connected To DC-Router Interface
CheckPoint-FW Yes On Connected To Checkpoint FW Interface
DC-Admin Yes On Connected To DC-Admin Interface
HO-USERS Yes On Connected To HO-USERS Interface
RTGS Yes On Connected to RTGS Interface
ATM Yes On Connected To ATM Interface
BRANCH-BACKUP Yes On
Table 42: Network interfaces on DC-PERIMETER1 with ICMP Redirects enabled
2.17.2 Impact
An attacker could use ICMP redirects to modify the route that a packet takes through a netw ork. How ever, it is w orth noting that on
An attacker could use ICMP redirects to modify the route that a packet takes through a netw ork. How ever, it is w orth noting that on
netw orks w ith functional netw ork routing, disabling ICMP redirects w ill have little to no effect.
2.17.3 Ease
ICMP redirect messages w ill be accepted, but not necessarily acted upon. An attacker could dow nload softw are from the Internet in
order to perform this attack.
Nipper Studio recommends that, if not required, the processing of ICMP redirect messages on devices should be disabled.

ICMP redirects can be disabled on individual netw ork interfaces using the follow ing Fortinet FortiGate Firew all FG100D interface
command:
set icmp-redirect disable
2.18 Conclusions
Nipper Studio performed a security audit on Wednesday 12th February 2014 of the device detailed in Table 43. Nipper Studio identified
16 security-related issues. The most significant issue w as rated as HIGH.
Device Name Issues Highest Rating

Fortinet FortiGate Firew all FG100D DC-PERIMETER1 16 HIGH
Table 43: Security audit device conclusions
One HIGH rated security issue w as identified. Nipper Studio determined that:
netw ork filter rules w ere configured that enable access to administrative services (one device, see section 2.2).
Nipper Studio identified four MEDIUM rated security issues. Nipper Studio determined that:
netw ork filter rules w ere identified that allow access to clear-text protocol services (one device, see section 2.3);
netw ork filtering rules w ere configured that allow packets to any destination and any port (one device, see section 2.4);
netw ork filter rules allow ed access to potentially unnecessary netw ork services (one device, see section 2.5);
netw ork filter rules allow ed access to potentially sensitive netw ork services (one device, see section 2.6).
Nipper Studio identified five LOW rated security issues. Nipper Studio determined that:
the clear-text SNMP service w as enabled (one device, see section 2.7);
netw ork filter rules w ere configured to use any protocol (one device, see section 2.8);
w eak SNMP community strings w ere configured (one device, see section 2.9);
netw ork filter rules w ere configured that do not log allow ed netw ork traffic (one device, see section 2.10);
netw ork filter rules w ere configured that do not log dropped netw ork traffic (one device, see section 2.11).
Nipper Studio identified six INFO rated security issues. Nipper Studio determined that:
proxy ARP w as enabled (one device, see section 2.12);
not all filter rule lists w ere configured w ith a drop all and log rule (one device, see section 2.13);
disabled netw ork filter rules w ere configured (one device, see section 2.14);
unused filter objects w ere configured (one device, see section 2.15);
the Syslog server severity level w as not set to at least informational (6) (one device, see section 2.16);
ICMP redirect message sending w as enabled (one device, see section 2.17).
Nipper Studio can draw the follow ing statistics from the results of this security assessment. 1 issue (6%) w as rated as high, 4 issues
(25%) w ere rated as medium, 5 issues (31%) w ere rated as low and 6 issues (38%) w ere rated as informational.
This section collates the security audit issue recommendations into a single location in order to provide a guide to planning and
mitigating the identified issues. The recommendations are listed in Table 44 together w ith the issue rating and a list of affected
devices.
Issue Rating Recommendation Affected Section

Devices
Rules Allow Access To HIGH Modify the filter rules to only permit access to administrative DC- 2.2
Administrative Services services w here it is necessary. PERIMETER1
Rules Allow Access To Clear-Text MEDIUM Modify the filter rules to prevent access to clear-text protocol DC- 2.3
Protocol Services services. PERIMETER1
Filter Rules Allow Packets To Any MEDIUM Configure the netw ork filtering rules to restrict access to netw ork DC- 2.4
Destination And Any Port services from only those hosts that require the access. PERIMETER1
Rules Allow Access To Potentially MEDIUM Modify the filter rules to prevent access to potentially DC- 2.5
Unnecessary Services unnecessary netw ork services. PERIMETER1
Rules Allow Access To Potentially MEDIUM Modify the filter rules to restrict access to potentially sensitive DC- 2.6
Sensitive Services netw ork services. PERIMETER1
Clear-Text SNMP In Use LOW Disable access to the clear-text SNMP service. DC- 2.7
OR PERIMETER1
Configure SNMP version 3 w ith authentication and privacy
passw ords instead of SNMP versions 1 or 2.
Filter Rules That Allow Any LOW Modify the filter rules to use a specific protocol. DC- 2.8
Protocol W ere Configured PERIMETER1
W eak SNMP Community Strings LOW Configure strong SNMP community strings. DC- 2.9
W ere Configured PERIMETER1
Filter Allow Rules W ere LOW Modify the filter rules to log all allow ed netw ork traffic. DC- 2.10
Configured W ithout Logging PERIMETER1
Filter Drop Rules W ere LOW Modify the filter rules to log all dropped netw ork traffic. DC- 2.11
Configured W ithout Logging PERIMETER1
Proxy ARP W as Enabled INFO Disable proxy ARP on all interfaces. DC- 2.12
PERIMETER1
Filter Rule List Does Not End INFO Add a drop all and log filter rule as the last filter rule. DC- 2.13
W ith Drop All And Log PERIMETER1
Disabled Filter Rules W ere INFO Remove all disabled netw ork filter rules. DC- 2.14
Configured PERIMETER1
Unused Filter Objects W ere INFO Remove all unused filter objects. DC- 2.15
W eak Syslog Severity Level INFO Configure the Syslog severity level to at least informational (6) DC- 2.16
ICMP Redirect Messages W ere INFO Disable the sending of ICMP redirect messages. DC- 2.17
Enabled PERIMETER1
Table 44: Security audit recommendations list
This section aims to provide a guide to the perceived complexity of resolving a particular issue by implementing the recommendation.
An outline of how each mitigation classification has been determined is described in Table 45.
Classification Description
QUICK The issue is quick to resolve. Typically this w ould just involve changing a small number of settings and w ould have
little-to-no effect on netw ork services.
PLANNED The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve
changes to routing protocols and changes to netw ork filtering.
INVOLVED The resolution of the issue w ill require significant resources to resolve and is likely to include disruption to netw ork
services, and possibly the modification of other netw ork device configurations. The issue could involve upgrading a
devices OS and possible modifications to the hardw are.
Table 45: The mitigation classification
Nipper Studio identified eleven security issues w ith mitigation recommendations that w ere classified as QUICK. Those issues w ere:
MEDIUM: Rules Allow Access To Potentially Unnecessary Services (one device, see section 2.5);
MEDIUM: Rules Allow Access To Potentially Sensitive Services (one device, see section 2.6);
LOW: W eak SNMP Community Strings W ere Configured (one device, see section 2.9);
LOW: Filter Allow Rules W ere Configured W ithout Logging (one device, see section 2.10);
LOW: Filter Drop Rules W ere Configured W ithout Logging (one device, see section 2.11);
INFO: Proxy ARP W as Enabled (one device, see section 2.12);
INFO: Filter Rule List Does Not End W ith Drop All And Log (one device, see section 2.13);
INFO: Disabled Filter Rules W ere Configured (one device, see section 2.14);
INFO: Unused Filter Objects W ere Configured (one device, see section 2.15);
INFO: W eak Syslog Severity Level Configured (one device, see section 2.16);
INFO: ICMP Redirect Messages W ere Enabled (one device, see section 2.17).
Nipper Studio identified five security issues w ith mitigation recommendations that w ere classified as PLANNED. Those issues w ere:
HIGH: Rules Allow Access To Administrative Services (one device, see section 2.2);
MEDIUM: Rules Allow Access To Clear-Text Protocol Services (one device, see section 2.3);
MEDIUM: Filter Rules Allow Packets To Any Destination And Any Port (one device, see section 2.4);
LOW: Clear-Text SNMP In Use (one device, see section 2.7);
LOW: Filter Rules That Allow Any Protocol W ere Configured (one device, see section 2.8).
Nipper Studio can draw the follow ing additional conclusion from the security audit based on the classification of the recommended issue
mitigations. Most of the security issue recommendations are perceived to be quick to implement, enabling the majority of the issues to
be quickly resolved w ithout requiring a significant allocation of resources or system disruption. Of the 16 security issues identified,
eleven (68%) recommendations w ere classified as having a quick mitigation and five (31%) recommendations w ere classified as having
a planned mitigation.
3.1 Introduction
Nipper Studio performed a Department of Defence (DoD) STIG compliance audit on Wednesday 12th February 2014 of the device and
STIGs detailed in Table 46.
Device STIG Profile Version

DC- Firew all Security Technical Implementation I - Mission Critical 8 Release 14 Benchmark Date 26 Apr
PERIMETER1 Guide Public 2013
Table 46: STIG device audit check list
Vulnerability Severity Code Definition

Table 47 provides the vulnerability severity codes and its definitions.
CAT DISA/DIACAP Category Examples

Code Guidelines
I Any vulnerability, the exploitation of w hich w ill, directly Includes BUT NOT LIMITED to the follow ing examples of direct and
and immediately result in loss of Confidentiality, immediate loss:
Availability, or Integrity. An ATO w ill not be granted
w hile CAT I w eaknesses are present. 1. May result in loss of life, loss of facilities, or equipment, w hich
w ould result in mission failure.
Note: The exploitation of vulnerabilities must be
evaluated at the level of the system or component 2. Allow s unauthorized access to security or administrator level
being review ed. A w orkstation for example, is a resources or privileges.
standalone device for some purposes and part of a
larger system for others. Risks to the device are first 3. Allow s unauthorized disclosure of, or access to, classified data or
considered, then risks to the device in its environment, materials.
then risks presented by the device to the environment.
All risk factors must be considered w hen developing 4. Allow s unauthorized access to classified facilities.
mitigation strategies at the device and system level.
5. Allow s denial of service or denial of access, w hich w ill result in
mission failure.
6. Prevents auditing or monitoring of cyber or physical
environments.
7. Operation of a system/capability w hich has not been approved by

the appropriate DAA.
8. Unsupported softw are w here there is no documented acceptance

of DAA risk.
II Any vulnerability, the exploitation of w hich has a Includes BUT NOT LIMITED to the follow ing examples that have a
potential to result in loss of Confidentiality, Availability, potential to result in loss:
or Integrity. CAT II findings that have been satisfactorily
mitigated w ill not prevent an ATO from being granted. 1. Allow s access to information that could lead to a CAT I
vulnerability.
Note: The exploitation of vulnerabilities must be
evaluated at the level of the system or component 2. Could result in personal injury, damage to facilities, or equipment
being review ed. A w orkstation for example, is a w hich w ould degrade the mission.
standalone device for some purposes and part of a
larger system for others. Risks to the device are first 3. Allow s unauthorized access to user or application level system
considered, then risks to the device in its environment, resources.
then risks presented by the device to the environment.
All risk factors must be considered w hen developing 4. Could result in the loss or compromise of sensitive information.
mitigation strategies at the device and system level.
5. Allow s unauthorized access to Government or Contractor ow ned
or leased facilities.
6. May result in the disruption of system or netw ork resources that

degrades the ability to perform the mission.
7. Prevents a timely recovery from an attack or system outage.
8. Provides unauthorized disclosure of or access to unclassified
sensitive, PII, or other data or materials.
III Any vulnerability, the existence of w hich degrades Includes BUT NOT LIMITED to the follow ing examples that provide
measures to protect against loss of Confidentiality, information w hich could potentially result in degradation of system
Availability, or Integrity. information assurance measures or loss of data:
Assigned findings that may impact IA posture but are 1. Allow s access to information that could lead to a CAT II
not required to be mitigated or corrected in order for an vulnerability.
ATO to be granted.
2. Has the potential to affect the accuracy or reliability of data
Note: The exploitation of vulnerabilities must be pertaining to personnel, resources, operations, or other sensitive
evaluated at the level of the system or component information.
being review ed. A w orkstation for example, is a
standalone device for some purposes and part of a 3. Allow s the running of any applications, services or protocols that
larger system for others. Risks to the device are first do not support mission functions.
considered, then risks to the device in its environment,
then risks presented by the device to the environment. 4. Degrades a defense in depth systems security architecture.
All risk factors must be considered w hen developing
mitigation strategies at the device and system level. 5. Degrades the timely recovery from an attack or system outage.
6. Indicates inadequate security administration.
7. System not documented in the sites C&A Package / SSP.

8. Lack of document retention by the Information Assurance
Manager IAM (i.e., completed user agreement forms).
Table 47: Vulnerability Severity Code Definitions
Disclaimer
The follow ing compliance audit is designed to add speed and convenience to a manual STIG assessment. To maintain validity w e
alw ays recommend that you use the latest release of the DISA STIG. Any automated compliance reporting should be combined w ith
careful analysis and additional manual checks may be required.
3.2 DC-PERIMETER1 - Firewall Security Technical Implementation Guide
3.2.1 Summary
Table 48 provides a summary of the "Firew all Security Technical Implementation Guide" version 8 Release 14 Benchmark Date 26
Apr 2013 compliance audit as "I - Mission Critical Public" against the Fortinet FortiGate Firew all FG100D device DC-PERIMETER1. A
more detailed analysis of each requirement and the findings follow s this summary.
Group STIG Title Responsibility IA Controls Severity State

V- NET1020 A log or syslog statement does not follow all deny IAO ECAT-1, ECAT-2, ECSC-1 CAT III
3000 statements.
V- NET0190 LAN addresses are not protected from the public. IAO EBBD-1, EBBD-2, EBBD-3, CAT III
3005 ECSC-1
V- NET1800 IPSec VPN is not configured as a tunnel type VPN. IAO EBVC-1, ECSC-1 CAT II
3008
V- NET0230 Netw ork element is not passw ord protected. IAO ECSC-1, IAIA-1, IAIA-2 CAT I
3012
V- NET0340 Login banner is non-existent or not DOD IAO ECW M-1 CAT II
3013 approved.
V- NET1639 Management connection does not timeout. IAO ECSC-1 CAT II
3014
V- NET0820 DNS servers must be defined for client resolver. IAO ECSC-1 CAT III
3020
V- NET0890 SNMP access is not restricted by IP address. IAO ECSC-1 CAT II
3021
V- NET1675 SNMP privileged and non-privileged access. IAO ECSC-1 CAT II
3043
V- NET0377 Firew all has unnecessary services enabled. IAO ECSC-1 CAT II
3054
V- NET0460 Group accounts are defined. IAO IAIA-1, IAIA-2 CAT I
3056
V- NET0465 Assign low est privilege level to user accounts. IAO ECSC-1 CAT II
3057
V- NET0470 Unnecessary or unauthorized accounts exist. IAO ECSC-1 CAT II
3058
V- NET0600 Passw ords are view able w hen displaying the IAO ECSC-1 CAT I
3062 config.
V- NET1638 Management connections must be secured by FIPS IAO ECSC-1 CAT II
3069 140-2.
V- NET1640 Management connections must be logged. IAO ECAT-1, ECAT-2 CAT III
3070
V- NET0740 HTTP server is not disabled IAO ECSC-1 CAT II
3085
V- NET0240 Devices exist w ith standard default passw ords. IAO ECSC-1 CAT I
3143
3143
V- NET0375 Firew all is not configured to protect the netw ork. IAO EBBD-1, EBBD-2, EBBD-3, CAT II
3156 ECSC-1
V- NET0700 Operating system is not at a current release level. IAO ECSC-1 CAT II
3160
V- NET1636 Management connections must require IAO ECSC-1 CAT I
3175 passw ords.
V- NET0390 The IDS or FW is not configured to alarm the IAO ECAT-2, ECSC-1 CAT II
3176 admin
V- NET1300 Firew all Admins w ill be logged. IAO ECAR-1, ECAR-2, ECAR-3, CAT III
3178 ECSC-1
V- NET1660 An insecure version of SNMP is being used. IAO ECSC-1 CAT I
3196
V- NET1665 Using default SNMP community names. IAO ECSC-1, IAIA-1, IAIA-2 CAT I
3210
V- NET0440 More than one emergency account is defined. IAO ECSC-1 CAT II
3966
V- NET1624 The console port does not timeout after 10 IAO ECSC-1 CAT II
3967 minutes.
V- NET0894 Netw ork element must only allow SNMP read IAO ECSC-1 CAT II
3969 access.
V- NET-TUNL- L2TP is terminated in the private netw ork. IAO ECSC-1 CAT II
3982 013
V- NET1623 Authentication required for console access. IAO IAIA-1, IAIA-2 CAT I
4582
V- NET0379 Firew all is not operating on a STIG'd OS IAO DCCS-1, DCCS-2, ECSC-1 CAT II
4619
V- NET1637 Management connections are not restricted. IAO ECSC-1 CAT II
5611
V- NET1645 SSH session timeout is not 60 seconds or less. IAO ECSC-1 CAT II
5612
V- NET1646 SSH login attempts value is greater than 3. IAO ECSC-1 CAT II
5613
V- NET0965 TCP connection request w ait times limited. IAO ECSC-1 CAT II
5646
V- NET0910 Perimeter is not compliant w ith DOD Instr. 8551.1 IAO ECSC-1 CAT II
5731
V- NET1629 The auxiliary port is not disabled. IAO ECSC-1 CAT III
7011
V- NET-IPV6-004 IPv6 Router Advertisements must be suppressed. IAO DCBP-1, ECSC-1 CAT II
14637
V- NET0366 Firew all inspection is not performed adequately IAO DCCS-2, ECSC-1 CAT II
14643
V- NET0380 Firew all must block loopback address IAO ECSC-1 CAT II
14644
V- NET0386 Alerts generated at 75% log storage capacity. IAO ECSC-1 CAT III
14646
V- NET0388 No FW log dump procedures ECSC-1 CAT III
14647
V- NET0391 FA is not informed of critical alerts. IAO ECAR-1, ECAR-2, ECAR-3, CAT II
14648 ECSC-1
V- NET0392 FW alert not w ritten to remote console. IAO ECAR-1, ECAR-2, ECAR-3, CAT II
14649 ECSC-1
V- NET0395 Audit record must display violation IAO ECAR-1, ECAR-2, ECAR-3, CAT III
14653 ECSC-1
V- NET0396 Alerts must remain until acknow ledged. IAO ECAR-1, ECAR-2, ECAR-3, CAT III
14655 ECSC-1
V- NET0398 FW acknow ledge messages must be recorded IAO ECAR-1, ECAR-2, ECAR-3, CAT III
14656 ECSC-1
V- NET0422 Key expiration exceeds 180 days. IAO IAKM-1, IAKM-2, IAKM-3 CAT III
14667
V- NET0813 NTP messages are not authenticated. IAO ECSC-1 CAT II
14671
V- NET-IPV6-025 IPv6 Site Local Unicast ADDR must not be defined IAO ECSC-1 CAT II
14693
V- NET1647 The netw ork element must not allow SSH Version IAO ECSC-1 CAT II
14717 1.
V- NET-TUNL- Teredo is not blocked by filtering UDP port 3544 IAO ECSC-1 CAT I
15294 020
V- NET-IPV6-047 IPv4 Interfaces in NAT-PT receive IPv6 IAO ECSC-1 CAT II
15296
V- NET0433 The device is not authenticated using a AAA IAO IAIA-1 CAT II
15432 server.
V- NET0441 Emergency account privilege level is not set. IAO ECSC-1 CAT I
V- NET0441 Emergency account privilege level is not set. IAO ECSC-1 CAT I
15434
V- NET1807 Management traffic is not restricted CAT II
17754
V- NET1808 Remote VPN end-point not a mirror of local IAO ECSC-1 CAT II
17814 gatew ay
V- NET0991 The OOBM interface not configured correctly. IAO ECSC-1 CAT II
17821
V- NET0992 The management interface does not have an ACL. IAO ECSC-1 CAT II
17822
V- NET0993 The management interface is not IGP passive. IAO ECSC-1 CAT III
17823
V- NET1001 The firew all does not block outbound mgmt traffic IAO ECSC-1 CAT II
17830
V- NET1006 IPSec traffic is not restricted IAO ECSC-1 CAT II
17835
V- NET-SRVFRM- ACLs must restrict access to server VLANs. IAO ECND-1, ECSC-1 CAT II
18522 003
V- NET-SRVFRM- ACLs do not protect against compromised servers IAO ECND-1 CAT II
18523 004
V- NET-SRVFRM- Server Farm w ithout firew all content inspection IAO EBBD-1 CAT II
18525 005
V- NET-IPV6-024 IPv6 6-to-4 addresses are not filtered IAO ECSC-1 CAT II
18608
V- NET-IPV6-035 IPV6 Jumbo payload hop by hop is not dropped IAO ECSC-1 CAT II
18815
V- NET0812 Tw o NTP servers are not used to synchronize time. IAO ECSC-1 CAT III
23747
V- NET1970 PAT is vulnerable to DNS cache poisoning IAO VIVM-1 CAT I
25037
V- NET1288 Firew all log must be accurate IAO ECSC-1, ECTB-1 CAT III
25890
V- NET1289 FW event records do not include required fields IAO ECSC-1, ECTB-1 CAT III
25891
V- NET0405 Call home service is disabled. NSO ECSC-1 CAT II
28784
V- NET-IPV6-005 IPV6 firew all does not meet DITO requirements IAO DCDS-1, EBBD-1 CAT II
30638
Table 48: DC-PERIMETER1 - Firewall Security Technical Implementation Guide audit summary
3.2.2 A log or syslog statement does not follow all deny statements. (V-3000 / NET1020)
The netw ork element must be configured to log any attempt to a port, protocol, or service
that is denied.
Status:
Description Severity: CAT III
Rule ID: SV-3000r2_rule
Auditing and logging are key components of any security architecture. It is essential security
personnel know w hat is being done, attempted to be done, and by w hom in order to Controls: ECAT-1, ECAT-2, ECSC-1
compile an accurate risk assessment. Auditing the actions on routers provides a means to Responsibility: IAO
recreate an attack, or simply identify a configuration mistake of the device.
Finding
Nipper Studio identified tw o active rule lists on DC-PERIMETER1 that contained deny rules.

Table 49: Firewall Policy from lan to wan1 deny rules.

204 Yes SachinNelito Antivirus-Server RDP No
Table 50: Firewall Policy from HO-USERS to CheckPoint-FW deny rules.
Check
Review the netw ork element's configuration and verify all deny or reject statements in the ingress and egress ACL; specify to log
the dropped packet.
Fix
The netw ork element must be configured to ensure all deny statements w ithin ingress and egress ACLs have a log statement that
follow s.
3.2.3 LAN addresses are not protected from the public. (V-3005 / NET0190)
3.2.3 LAN addresses are not protected from the public. (V-3005 / NET0190)
The Information Assurance Officer (IAO)/Netw ork Security Officer (NSO) w ill ensure
that w orkstation clients' real IPv4 addresses are not revealed to the public by
implementing NAT on the firew all or the router. Status:
Severity: CAT III
Description Rule ID: SV-3005r1_rule
NAT w orks w ell w ith the implementation of RFC 1918 addressing scheme, it also Controls: EBBD-1, EBBD-2, EBBD-3, ECSC-1
has the privacy benefit of hiding real internal addresses. An attacker can learn more Responsibility: IAO
about a site's private netw ork once it has discovered the real IP addresses of the
hosts w ithin.
Check
Review the firew all or premise router configuration to determine if NAT has been implemented.
Fix
Implement Netw ork Address Translation (NAT) on the firew all or premise router for NIPRNet Enclaves.
3.2.4 IPSec VPN is not configured as a tunnel type VPN. (V-3008 / NET1800)
The IAO w ill ensure IPSec Virtual Private Netw ork (VPN)s are established as tunnel type VPNs w hen
transporting management traffic across an ip backbone netw ork.
Status:
Description Severity: CAT II
Using dedicated paths, the OOBM backbone connects the OOBM gatew ay routers located at the
premise of the managed netw orks and at the NOC. Dedicated links can be deployed using Controls: EBVC-1, ECSC-1
provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others or VPN technologies such as Responsibility: IAO
subscribing to MPLS Layer 2 and Layer 3 VPN services) or implementing a secured path w ith
gatew ay-to-gatew ay IPsec tunnel. The tunnel mode ensures that the management traffic w ill be
logically separated from any other traffic traversing the same path.
Check
Have the SA display the configuration settings that enable this feature.
Review the netw ork topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by review ing the
configuration. Examples:
In CISCO
Router(config)# crypto ipsec transform-set transform-set-name transform1
Router(cfg-crypto-tran)# mode tunnel
OR in Junos
edit security ipsec security-association sa-name] mode tunnel
Fix
Establish the VPN as a tunneled VPN.
Terminate the tunneled VPN outside of the firew all.

Ensure all host-to-host VPN are established betw een trusted know n hosts.
3.2.5 Network element is not password protected. (V-3012 / NET0230)

The netw ork element must be passw ord protected.
Description Status:
Severity: CAT I
Netw ork access control mechanisms interoperate to prevent unauthorized access and to Rule ID: SV-3012r2_rule
enforce the organization's security policy. Access to the netw ork must be categorized as
administrator, user, or guest so the appropriate authorization can be assigned to the user Controls: ECSC-1, IAIA-1, IAIA-2
requesting access to the netw ork or a netw ork element. Authorization requires an individual Responsibility: IAO
account identifier that has been approved, assigned, and configured on an authentication
server. Authentication of user identities is accomplished through the use of passw ords,
tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone
to gain access to the netw ork or possibly a netw ork element providing opportunity for intruders to compromise resources w ithin the
netw ork infrastructure.
Finding
Table 51 details local users configured on DC-PERIMETER1.
User Groups Password Privilege

admin (ENCRYPTED) super_admin
administrator (ENCRYPTED) super_admin
adcc (ENCRYPTED) super_admin
guest Guest-group (ENCRYPTED)
AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 51: Local users
Check
Review the netw ork element configuration to determine if administrative access to the device requires some form of authentication--
at a minimum a passw ord is required.
Fix
Configure the netw ork element so it w ill require a passw ord to gain administrative access to the device.
3.2.6 Login banner is non-existent or not DOD approved. (V-3013 / NET0340)

The netw ork element must display the DoD approved login banner w arning in accordance w ith the
CYBERCOM DTM-08-060 document.
Status:
All netw ork devices must present a DoD approved w arning banner prior to a system administrator
logging on. The banner should w arn any unauthorized user not to proceed. It also should provide Controls: ECW M-1
clear and unequivocal notice to both authorized and unauthorized personnel that access to the device Responsibility: IAO
is subject to monitoring to detect unauthorized usage. Failure to display the required login w arning
banner prior to logon attempts w ill limit DoD's ability to prosecute unauthorized access and also
presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In
addition, DISA's ability to monitor the device's usage is limited unless a proper w arning banner is displayed.
DoD CIO has issued new , mandatory policy standardizing the w ording of "notice and consent" banners and matching user
agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy
on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008.
The banner is mandatory and deviations are not permitted except as authorized in w riting by the Deputy Assistant Secretary of
Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components
for all DoD assets via USCYBERCOM CTO 08-008A.
Finding
Nipper Studio determined that there w as no pre-authentication logon banner message configured.
Check
Review the device configuration or request that the administrator login to the device and observe the terminal. Verify either Option
A or Option B (for systems w ith character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at
logon. The required banner verbiage follow s and must be displayed verbatim:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS
(w hich includes any device attached to this IS), you consent to the follow ing conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing,
COMSEC monitoring, netw ork operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and
may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit
or privacy.
-Notw ithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the
content of privileged communications, or w ork product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and w ork product are private and confidential. See User
Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory
verbiage follow s: "I've read & consent to terms in IS user agreem't."
Fix
Configure all management interfaces to the netw ork device to display the DoD mandated w arning banner verbiage at login
regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as
follow s:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS
(w hich includes any device attached to this IS), you consent to the follow ing conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing,
COMSEC monitoring, netw ork operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and
may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit
or privacy.
-Notw ithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the
content of privileged communications, or w ork product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and w ork product are private and confidential. See User
Agreement for details.
Option B
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory
verbiage follow s: "I've read & consent to terms in IS user agreem't."
3.2.7 Management connection does not timeout. (V-3014 / NET1639)

The netw ork element must timeout management connections for administrative access after 10
minutes or less of inactivity.
Status:
Terminating an idle session w ithin a short time period reduces the w indow of opportunity for
unauthorized personnel to take control of a management session enabled betw een the managed Controls: ECSC-1
netw ork element and a PC or terminal server w hen the later has been left unattended. In addition Responsibility: IAO
quickly terminating an idle session w ill also free up resources committed by the managed netw ork
element as w ell as reduce the risk of a management session from being hijacked. Setting the timeout
of the session to 10 minutes or less increases the level of protection afforded critical netw ork components.
Finding
Nipper Studio determined that the connection timeout w as set to 10 minutes on DC-PERIMETER1.
Check
Review the management connection for administrative access and verify the netw ork element is configured to time-out the
connection after 10 minutes or less of inactivity.
Fix
Configure the netw ork element to ensure the timeout for unattended administrative access connections is no longer than 10
minutes.
3.2.8 DNS servers must be defined for client resolver. (V-3020 / NET0820)
The netw ork element must have Domain Name System (DNS) servers defined if it is configured as a
client resolver.
Status:
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping
vulnerabilities. For example, suppose a source host w ishes to establish a connection w ith a Controls: ECSC-1
destination host and queries a DNS server for the IP address of the destination host name. If the Responsibility: IAO
response to this query is the IP address of a host operated by an attacker, the source host w ill
establish a connection w ith the attacker's host, rather than the intended target. The user on the
source host might then provide logon, authentication, and other sensitive data.
Finding
Nipper Studio determined that the follow ing DNS servers w ere configured on the device:
208.91.112.53;
208.91.112.52.
Check
Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name
lookup).
Fix
Configure the device to include DNS servers or disable domain lookup.
3.2.9 SNMP access is not restricted by IP address. (V-3021 / NET0890)

The netw ork element must only allow SNMP access from addresses belonging to the management
netw ork.
Status:
Detailed information about the netw ork is sent across the netw ork via SNMP. If this information is
discovered by attackers it could be used to trace the netw ork, show the netw orks topology, and Controls: ECSC-1
possibly gain access to netw ork devices. Responsibility: IAO
Finding
Check
Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management
netw ork.
Fix
Configure the netw ork element to only allow SNMP access from only addresses belonging to the management netw ork.
3.2.10 SNMP privileged and non-privileged access. (V-3043 / NET1675)

The netw ork element must use different SNMP community names or groups for various levels of read
and w rite access.
Status:
Numerous vulnerabilities exist w ith SNMP; therefore, w ithout unique SNMP community names, the risk
of compromise is dramatically increased. This is especially true w ith vendors default community names Controls: ECSC-1
w hich are w idely know n by hackers and other netw orking experts. If a hacker gains access to these Responsibility: IAO
devices and can easily guess the name, this could result in denial of service, interception of sensitive
information, or other destructive actions.
Finding
Table 52 details the SNMP community strings configured on DC-PERIMETER1.
Community Access Version

adccb Read Only 1 and 2c
Table 52: SNMP community configuration
Check
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are
configured for read-only and read-w rite access.
Fix
Configure the SNMP community strings on the netw ork element and change them from the default values. SNMP community strings
and user passw ords must be unique and do not match any other netw ork device passw ords. Different community strings (V1/2) or
groups (V3) must be configured for various levels of read and w rite access.
3.2.11 Firewall has unnecessary services enabled. (V-3054 / NET0377)

The FA w ill ensure the firew all w ill not utilize any services or capabilities other than firew all softw are
(e.g., DNS servers, e-mail client servers, ftp servers, w eb servers, etc.), and if these services are part
of the standard firew all suite, they w ill be either uninstalled or disabled. Status:
Severity: CAT II
The additional services that the firew all has enabled increases the risk for an attack since the firew all Controls: ECSC-1
w ill listen for these services. In addition, these services provide an unsecured method for an attacker Responsibility: IAO
to gain access to the router.
Check
Have the FA display the services running on the firew all appliance or underlying OS.CAVEAT: Anti-virus softw are running on the
firew all's OS w ould be an exception to the above requirement. In fact, it is recommended that anti-virus softw are be implemented
on any non-appliance firew all if supported. How ever, it is not a finding if anti-virus softw are has not been implemented.
Fix
The Firew all Administrator w ill only utilize services related to the operation of the firew all and even if they are part of the firew all
standard suite, they w ill be uninstalled or disabled.
3.2.12 Group accounts are defined. (V-3056 / NET0460)

Group accounts must not be configured or used for administrative access.
Status:
Description
Severity: CAT I
Group accounts on any device are strictly prohibited. If these group accounts are not changed w hen Rule ID: SV-3056r4_rule
someone leaves the group, that person could possibly gain control of the netw ork device. Having
group accounts does not allow for proper auditing of w ho is accessing or changing the netw ork. Controls: IAIA-1, IAIA-2
Responsibility: IAO
Finding
Nipper Studio identified the local user accounts listed in Table 53 on DC-PERIMETER1.

AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 53: Users
Check
Review the netw ork device configuration and validate there are no group accounts configured for administrative access.
Fix
Configure individual user accounts for each authorized administrator then remove or disable any group accounts w ith administrative
Configure individual user accounts for each authorized administrator then remove or disable any group accounts w ith administrative
access.
3.2.13 Assign lowest privilege level to user accounts. (V-3057 / NET0465)

The netw ork element must have all user accounts assigned to the low est privilege level that allow s
each administrator to perform his or her duties.
Status:
Severity: CAT II
By not restricting administrators and operations personnel to their proper privilege levels, access to Controls: ECSC-1
restricted functions may be allow ed before they are trained or experienced enough to use those Responsibility: IAO
functio ns . Netw ork disruptions or outages could be caused by mistakes made by inexperienced
administrators.
Finding
The 9 users listed in Table 54 w ere configured on DC-PERIMETER1.

AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 54: Users
Check
Review the accounts that have been defined locally on the netw ork element and determine if the accounts have the low est privilege
level. User accounts must be set to a specific privilege level w hich can be mapped to specific commands or group of commands. Not
all administrators should have the highest level unless they all perform all configuration tasks.
Fix
Configure accounts w ith the least privilege rule. Each user w ill have access to only the privileges they require to perform their
respective duties. Access to the highest privilege levels should be restricted to a few users.
3.2.14 Unnecessary or unauthorized accounts exist. (V-3058 / NET0470)

The netw ork element must not have accounts defined that are inactive or no longer required.
Status:
Description
Severity: CAT II
Allow ing unnecessary or unauthorized accounts may allow for them to be compromised by Rule ID: SV-3058r2_rule
unauthorized users w ho could then gain full control of the device. Denial of service, interception of
sensitive information or other destructive actions could then take place. Controls: ECSC-1
Responsibility: IAO
Finding
Nipper Studio identified the local user accounts listed in Table 55 on DC-PERIMETER1.

AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 55: Users
Check
Review the site's responsibilities list and reconcile this list w ith those accounts defined on the netw ork element.
Fix
Remove any account that is no longer needed.
3.2.15 Passwords are viewable when displaying the config. (V-3062 / NET0600)
The netw ork element must be configured to ensure passw ords are not view able w hen displaying
configuration information.
Status:
Description Severity: CAT I
Many attacks on information systems and netw ork elements are launched from w ithin the netw ork.
Hence, it is imperative that all passw ords are encrypted so they cannot be intercepted by view ing the Controls: ECSC-1
console or printout of the configuration. Responsibility: IAO
Finding
Nipper Studio identified the nine users detailed in Table 56 configured on DC-PERIMETER1.

AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 56: Users
Check
Review the netw ork element configuration to determine if passw ords are view able.
Fix
Configure the netw ork element to ensure passw ords are not view able w hen displaying configuration information.
3.2.16 Management connections must be secured by FIPS 140-2. (V-3069 / NET1638)

The netw ork element must only allow management connections for administrative access using FIPS
140-2 validated encryption algorithms or protocols.
Status:
Remote administration using non-FIPS 140-2 validated encryption is inherently dangerous because
anyone w ith a sniffer and access to the right LAN segment can acquire the device's account and Controls: ECSC-1
passw ord information. W ith this intercepted information they could gain access to the device and Responsibility: IAO
cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
Finding
Nipper Studio determined that the four management services detailed in Table 57 w ere configure on DC-PERIMETER1
Service State
Telnet Disabled
SSH Disabled
HTTP Disabled
HTTPS Disabled
Table 57: Management Services
Check
Review the configuration to determine if FIPS 140-2 validated encryption algorithms such as AES or protocols such as SSH and
SSL/TLS are used for management connections.
Fix
Configure the netw ork element to only allow management connections for administrative access using FIPS 140-2 validated
encryption algorithms or protocols.
3.2.17 Management connections must be logged. (V-3070 / NET1640)

The netw ork element must log all attempts to establish a management connection for administrative
access.
Status:
Audit logs are necessary to provide a trail of evidence in case the netw ork is compromised. W ithout
an audit trail that provides a w hen, w here, w ho and how set of information, repeat offenders could Controls: ECAT-1, ECAT-2
continue attacks against the netw ork indefinitely. W ith this information, the netw ork administrator Responsibility: IAO
can devise w ays to block the attack and possibly identify and prosecute the attacker.
can devise w ays to block the attack and possibly identify and prosecute the attacker.
Finding
Check
Review the configuration to verify all attempts to access the device via management connection are logged.
Fix
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
3.2.18 HTTP server is not disabled (V-3085 / NET0740)

The netw ork element must have HTTP service for administrative access disabled.
Status:
Description
Severity: CAT II
The additional services that the router is enabled for increases the risk for an attack since the router Rule ID: SV-3085r2_rule
w ill listen for these services. In addition, these services provide an unsecured method for an attacker
to gain access to the router. Most recent softw are versions support remote configuration and Controls: ECSC-1
monitoring using the World W ide Web's HTTP protocol. In general, HTTP access is equivalent to Responsibility: IAO
interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a
clear-text passw ord across the netw ork, and, unfortunately, there is no effective provision in HTTP for
challenge-based or one-time passw ords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional
services that are enabled increase the risk for an attack since the router w ill listen for these services.
Check
Review the device configuration to determine that HTTP is not enabled for administrative access.
Fix
Configure the device to disable using HTTP (port 80) for administrative access.
3.2.19 Devices exist with standard default passwords. (V-3143 / NET0240)

The netw ork element must not have any default manufacturer passw ords.
Status:
Description
Severity: CAT I
Netw ork elements not protected w ith strong passw ord schemes provide the opportunity for anyone to Rule ID: SV-3143r2_rule
crack the passw ord thus gaining access to the device and causing netw ork outage or denial of service.
Many default vendor passw ords are w ell know n; hence, not removing them prior to deploying the Controls: ECSC-1
netw ork element into production provides an opportunity for a malicious user to gain unauthorized Responsibility: IAO
access to the device.
Check
Review the netw ork element configuration to determine if the vendor default passw ord is active.
Fix
Remove any vendor default passw ords from the netw ork element configuration.
3.2.20 Firewall is not configured to protect the network. (V-3156 / NET0375)

T h e IAO/NSO w ill ensure that the firew all is configured to protect the netw ork
against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
Status:
A SYN-flood attack is a denial-of-service attack w here the attacker send a huge
amount of please-start-a-connection packets and then nothing else. This causes Controls: EBBD-1, EBBD-2, EBBD-3, ECSC-1
the device being attacked to be overloaded w ith the open sessions and eventually Responsibility: IAO
crash.
A ping sw eep (also know n as an ICMP sw eep) is a basic netw ork scanning technique used to determine w hich of a range of IP
addresses map to live hosts (computers).
Check
Have the FW administrator show you the FW configuration files and rules to verify the compliance of this requirement.
CAVEAT: If the site has implemented SYN flood protection for the netw ork using the premise router, it is not an additional
requirement to implement this on the firew all.
Fix
If the firew all support SYN-flood or ping sw eep protection then enable these features. If the firew all does not support these
features, enable the security features on the router to protect the netw ork from these attacks.
3.2.21 Operating system is not at a current release level. (V-3160 / NET0700)

The netw ork element must be running a current and supported operating system w ith all IAVMs
addressed.
Status:
Netw ork devices not running the latest tested and approved versions of softw are are vulnerable to
Netw ork devices not running the latest tested and approved versions of softw are are vulnerable to
netw ork attacks. Running the most current, approved version of system and device softw are helps the Controls: ECSC-1
site maintain a stable base of security fixes and patches, as w ell as enhancements to IP security. Responsibility: IAO
Viruses, denial of service attacks, system w eaknesses, back doors and other potentially harmful
situations could render a system vulnerable, allow ing unauthorized access to DoD assets.
Finding
Nipper Studio determined the follow ing information detailed in Table 58 about DC-PERIMETER1
Description Setting
Manufacturer Fortinet
Device FortiGate Firew all
Model FG100D
FortiOS 5.02-FW -build718-160328
Table 58: Device information
* Please note that the information provided in the STIG check below may not be entirely accurate, i.e. new er versions of IOS may be
available.
Check
Have the administrator display the OS version in operation. The OS must be current w ith related IAVMs addressed.
Fix
Update operating system and address all related IAVMs.
3.2.22 Management connections must require passwords. (V-3175 / NET1636)

The netw ork device must require authentication prior to establishing a management connection for
administrative access.
Status:
Netw ork devices w ith no passw ord for administrative access via a management connection provide
the opportunity for anyone w ith netw ork access to the device to make configuration changes enabling Controls: ECSC-1
them to disrupt netw ork operations resulting in a netw ork outage. Responsibility: IAO
Check
Review the netw ork device configuration to verify all management connections for administrative access require authentication.
Fix
Configure authentication for all management connections.
3.2.23 The IDS or FW is not configured to alarm the admin (V-3176 / NET0390)
Th e IAO/NSO w ill ensure the IDS or firew all is configured to alert the administrator of a potential
attack or system failure.
Status:
The IDS or firew all is the first device that is under the sites control that has the possibility to alarm
the local staff of an ongoing attack. An alert from either of these devices can be the first indication of Controls: ECAT-2, ECSC-1
an attack or system failure. Responsibility: IAO
Check
The SA shall define clipping levels / thresholds as a baseline to display alert messages on specific attacks identifying the potential
security violation or attack. Review the IDS or firew all configuration to determine w hat alerts have been defined and how the
notifications are performed.
Fix
Configure the IDS or firew all to alarm the SA of potential attacks or system failure.
3.2.24 Firewall Admins will be logged. (V-3178 / NET1300)

The IAO/NSO w ill ensure administrator logons, changes to the administrator group,
and account lockouts are logged.
Status:
The firew all and the associated logging functions allow s for forensic investigations if
properly configured and protected. The administrators account is the most sought Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
after account so extra protection must be taken to protect this account and log its Responsibility: IAO
activity.
Check
Have the FA display the logging configuration. Review log data created by firew all and identify if these features are being logged,
such as log on.
Fix
Fix
Have the FA make the necessary configuration changes and verify the corrections w ork by re-review ing the firew all log.
3.2.25 An insecure version of SNMP is being used. (V-3196 / NET1660)

The netw ork element must use SNMP Version 3 Security Model w ith FIPS 140-2 validated cryptography
for any SNMP agent configured on the device.
Status:
SNMP Versions 1 and 2 are not considered secure. W ithout the strong authentication and privacy that
is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain Controls: ECSC-1
access to netw ork management information used to launch an attack against the netw ork. Responsibility: IAO
Check
Review the device configuration to verify it is configured to use SNMPv3 w ith both SHA authentication and privacy using AES
encryption.
If the site is using Version 1 or Version 2 w ith all of the appropriate patches and has developed a migration plan to implement the
Version 3 Security Model, this finding can be dow ngraded to a Category II.
To verify the appropriate patches on CISCO devices: Check the follow ing IAVMs associated w ith SNMPv1:
1. 2001-B-0001 (V0005809) Cisco IOS Softw are SNMP Read-W rite ILMI Community String Vulnerability
2. 2002-A-SNMP-001 (V0005835) Multiple Simple Netw ork Management Protocol Vulnerabilities in Perimeter Devices (Cisco Security
Advisory: Malformed SNMP Message-Handling Vulnerabilities)
To verify the appropriate patches on other vendors refer to this w eb site: http://w w w .cert.org/advisories/CA-2002-03.html.
If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication
and DES or 3DES encryption, then the finding can be dow ngraded to a Category III.
If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any know n
security vulnerabilities, this finding can be dow ngraded to a Category II. In addition, if the device does not support SNMPv3, this
finding can be dow ngraded to a Category III provided all of the appropriate patches to mitigate any know n security vulnerabilities
have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the
implementation of the Version 3 Security Model.
Fix
If SNMP is enabled, configure the netw ork element to use SNMP Version 3 Security Model w ith FIPS 140-2 validated cryptography
(i.e., SHA authentication and AES encryption).
3.2.26 Using default SNMP community names. (V-3210 / NET1665)

The netw ork element must not use the default or w ell-know n SNMP community strings public
and private.
Status:
Netw ork elements may be distributed by the vendor pre-configured w ith an SNMP agent using
the w ell know n SNMP community strings public for read only and private for read and w rite Controls: ECSC-1, IAIA-1, IAIA-2
authorization. An attacker can obtain information about a netw ork element using the read Responsibility: IAO
community string "public". In addition, an attacker can change a system configuration using
the w rite community string "private".
Check
Review the netw ork element configuration and verify if either of the SNMP community strings "public" or "private" is being used.
Fix
Configure unique SNMP community strings replacing the default community strings.
3.2.27 More than one emergency account is defined. (V-3966 / NET0440)

In the event the authentication server is dow n or unavailable, there must only be one local account
created for emergency use.
Status:
Authentication for administrative access to the device is required at all times. A single account can be
created on the device's local database for use in an emergency such as w hen the authentication Controls: ECSC-1
server is dow n or connectivity betw een the device and the authentication server is not operable. The Responsibility: IAO
console or emergency account logon credentials must be stored in a sealed envelope and kept in a
safe.
Finding
Nipper Studio identified nine local user accounts configured on DC-PERIMETER1. These are detailed in Table 59.

AHB1234
AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 59: Users
Check
Review the netw ork device configuration to determine if an authentication server is defined for gaining administrative access. If so,
there must be only one account configured locally for an emergency. Verify the username and passw ord for the emergency account
is contained w ithin a sealed envelope kept in a safe.
Fix
Configure the device to only allow one local account for emergency access and store the credentials in a secret manner.
3.2.28 The console port does not timeout after 10 minutes. (V-3967 / NET1624)
The netw ork element must time out access to the console port after 10 minutes or less of inactivity.
Status:
Description
Severity: CAT II
Terminating an idle session w ithin a short time period reduces the w indow of opportunity for Rule ID: SV-3967r2_rule
unauthorized personnel to take control of a management session enabled on the console or console
port that has been left unattended. In addition quickly terminating an idle session w ill also free up Controls: ECSC-1
resources committed by the managed netw ork element. Setting the timeout of the session to 10 Responsibility: IAO
minutes or less increases the level of protection afforded critical netw ork components.
Check
Review the configuration and verify a session using the console port w ill time out after 10 minutes or less of inactivity.
Fix
Configure the timeout for idle console connection to 10 minutes or less.
3.2.29 Network element must only allow SNMP read access. (V-3969 / NET0894)
The netw ork device must only allow SNMP read-only access.
Status:
Description
Severity: CAT II
Enabling w rite access to the device via SNMP provides a mechanism that can be exploited by an Rule ID: SV-3969r3_rule
attacker to set configuration variables that can disrupt netw ork operations.
Controls: ECSC-1
Check Responsibility: IAO
Review the netw ork device configuration and verify SNMP community strings are read-only w hen using
SNMPv1, v2c, or basic v3 (no authentication or privacy). W rite access may be used if authentication is configured w hen using
SNMPv3.
If w rite-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the IAO, this is a
finding.
Fix
Configure the netw ork device to allow for read-only SNMP access w hen using SNMPv1, v2c, or basic v3 (no authentication or
privacy). W rite access may be used if authentication is configured w hen using SNMPv3.
3.2.30 L2TP is terminated in the private network. (V-3982 / NET-TUNL-013)

L2TP must not pass into the private netw ork of an enclave.
Status:
Description
Severity: CAT II
Unlike GRE (a simple encapsulating header) L2TP is a full fledged communications protocol w ith control Rule ID: SV-3982r2_rule
channel, data channels, and a robust command structure. In addition to PPP, other link layer types
(called pseudow ires) can be and are defined for delivery in L2TP by separate RFC documents. Further Controls: ECSC-1
complexity is created by the capability to define vender-specific parameters beyond those defined in Responsibility: IAO
the L2TP specifications.
The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in w hich case it inputs/outputs the layer 2
protocol to/from the L2TP tunnel. Otherw ise it is an L2TP Netw ork Server (LNS), in w hich case it inputs/outputs the layer 3 (IP)
protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of
w hich is the most common case. The LAC-LNS model allow s a remote access user to reach his home netw ork or ISP from a remote
location. The remote access user either dials (or otherw ise connects via layer 2) to a LAC device w hich tunnels his connection home
to an aw aiting LNS. The LAC could also be located on the remote user's laptop w hich connects to an LNS at home using some
generic internet connection. The other reference models may be used for more obscure scenarios.
Although the L2TP protocol does not contain encryption capability, it can be operated over IPSEC w hich w ould provide
authentication and confidentiality. A remote user in the LAC-LNS model w ould most likely obtain a dynamically assigned IP address
from the home netw ork to ultimately use through the tunnel back to the home netw ork. Secondly, the outer IP source address used
to send the L2TP tunnel packet to the home netw ork is likely to be unknow n or highly variable. Thirdly, since the LNS provides the
remote user w ith a dynamic IP address to use, the firew all at the home netw ork w ould have to be dynamically updated to accept
this address in conjunction w ith the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior
to divulging an acceptable IP address. As a result of all of these complications, the strict filtering rules applied to the IP-in-IP and
GRE tunneling cases w ill likely not be possible in the L2TP scenario.
In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern
if allow ed through a security boundary. In particular:
1) L2TP potentially allow s link layer protocols to be delivered from afar. These protocols w ere intended for link-local scope only, are
less defended, and not as w ell-know n
2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead
3) L2TP is highly complex and variable (vender-specific variability) and therefore w ould be a viable target that is difficult to defend. It
is better left outside of the main firew all w here less damage occurs if the L2TP-processing node is compromised.
4) Filtering can not be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the
application layer code w ould have to be relied on to achieve this task.
5) Regardless of w hether the L2TP is handled inside or outside of the main netw ork, a secondary layer of IP filtering is required,
therefore bringing it inside doesn't save resources.
Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the netw ork's protected
areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.
Check
Review the netw ork topology diagram, and review VPN concentrators. Verify that L2TP is not permitted into the enclave's private
netw ork. L2TP uses TCP and UDP ports 1701. See the PPS Vulnerability Assessment for additional protocol guidance and reference
the Backbone Transport STIG for exceptions.
Fix
Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service netw ork for filtering and content inspection before
passing traffic to the enclave's private netw ork.
3.2.31 Authentication required for console access. (V-4582 / NET1623)

The netw ork device must require authentication for console access.
Status:
Description
Severity: CAT I
Netw ork devices w ith no passw ord for administrative access via the console provide the opportunity Rule ID: SV-4582r3_rule
for anyone w ith physical access to the device to make configuration changes enabling them to disrupt
netw ork operations resulting in a netw ork outage. Controls: IAIA-1, IAIA-2
Responsibility: IAO
Check
Review the netw ork device's configuration and verify authentication is required for console access.
Fix
Configure authentication for console access on the netw ork device.
3.2.32 Firewall is not operating on a STIG'd OS (V-4619 / NET0379)

The FA w ill ensure that if the firew all product operates on an OS platform, the host must be
STIG compliant prior to the installation of the firew all product.
Status:
If the host that a firew all engine is operating on is not secured, the firew all itself is exposed
to greater risk. Controls: DCCS-1, DCCS-2, ECSC-1
Responsibility: IAO
Check
Review documentation that the OS w as STIG compliant prior to firew all installation and that the appropriate patches have been
applied that address all IAVAs.
Fix
The firew all administrator w ill install all patches that address IAVA.
3.2.33 Management connections are not restricted. (V-5611 / NET1637)

The netw ork element must only allow management connections for administrative access from hosts
residing in the management netw ork.
Status:
Remote administration is inherently dangerous because anyone w ith a sniffer and access to the right
LAN segment, could acquire the device account and passw ord information. W ith this intercepted Controls: ECSC-1
information they could gain access to the infrastructure and cause denial of service attacks, intercept Responsibility: IAO
sensitive information, or perform other destructive actions.
Check
Review the configuration and verify management access to the device is allow ed only from hosts w ithin the management netw ork.
Fix
Configure an ACL or filter to restrict management access to the device from only the management netw ork.
3.2.34 SSH session timeout is not 60 seconds or less. (V-5612 / NET1645)

The netw ork element must be configured to timeout after 60 seconds or less for incomplete or broken
SSH sessions.
Status:
An attacker may attempt to connect to the device using SSH by guessing the authentication method,
encryption algorithm, and keys. Limiting the amount of time allow ed for authenticating and negotiating Controls: ECSC-1
the SSH session reduces the w indow of opportunity for the malicious user attempting to make a Responsibility: IAO
connection to the netw ork element.
Finding
Nipper Studio determined that Secure Shell (SSH) w as not enabled on DC-PERIMETER1.
Check
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol
negotiation (that includes user authentication) is not complete w ithin this timeout period.
Fix
Configure the netw ork element so it w ill require a secure shell timeout of 60 seconds or less.
3.2.35 SSH login attempts value is greater than 3. (V-5613 / NET1646)

The netw ork element must be configured for a maximum number of unsuccessful SSH login attempts
set at 3 before resetting the interface.
Status:
An attacker may attempt to connect to the device using SSH by guessing the authentication method
and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens Controls: ECSC-1
against a Brute Force attack. Responsibility: IAO
Finding
Nipper Studio determined that SSH w as not enabled on DC-PERIMETER1.
Check
Review the configuration and verify the number of unsuccessful SSH login attempts is set at 3.
Fix
Configure the netw ork element to require a maximum number of unsuccessful SSH login attempts at 3.
3.2.36 TCP connection request wait times limited. (V-5646 / NET0965)

The netw ork device must be configured w ith a maximum w ait time of 10 seconds or less to allow a
host to establish a TCP connection.
Status:
A TCP connection consists of a three-w ay handshake message sequence. A connection request is
transmitted by the originator, an acknow ledgement is returned from the receiver, and then an Controls: ECSC-1
acceptance of that acknow ledgement is sent by the originator. Responsibility: IAO
An attacker's goal in this scenario is to cause a denial of service to the netw ork or device by initiating
a high volume of TCP packets, then never sending an acknow ledgement, leaving connections in a half-opened state. W ithout the
device having a time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a
TCP timeout threshold w ill instruct the device to shut dow n any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc.
are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections
w ith BGP neighbors across W AN links, values could be set to even tighter constraints.
Check
Review the device configuration and verify the maximum w ait time for TCP connections to be established w ith the device is set to 10
seconds or less.
Fix
Configure the maximum w ait time for TCP connections to be established w ith the device to 10 seconds or less.
3.2.37 Perimeter is not compliant with DOD Instr. 8551.1 (V-5731 / NET0910)
The SA w ill utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in
accordance w ith the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required
for operational commitments. Status:
Severity: CAT II
Vulnerability assessments must be review ed by the SA and protocols must be approved by the IA staff Controls: ECSC-1
before entering the enclave. Responsibility: IAO
Access Control Lists (ACLs) are the first line of defense in a layered security approach. They permit
authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the netw ork by not
allow ing packets to even reach a potential target w ithin the security domain. The list provided are highly susceptible ports and
services that should be blocked or limited as much as possible w ithout adversely affecting customer requirements. Auditing packets
attempting to penetrate the netw ork but are stopped by an ACL w ill allow netw ork administrators to broaden their protective ring
and more tightly define the scope of operation.
If the perimeter is in a Deny-by-Default posture and w hat is allow ed through the filter is IAW DoD Instruction 8551.1, and if the
permit rule is explicitly defined w ith explicit ports and protocols allow ed, then all requirements related to PPS being blocked w ould
be satisfied.
Check
Identify the device or devices that make up the perimeter defense. Review the configuration of the premise routers and firew alls
and verify that the filters are IAW DoD 8551.
SA w ill review PPS Vulnerability Assessment of every port allow ed into the enclave and apply all appropriate mitigations defined in
the VA report. All ports and protocols allow ed into the enclave must be registered in the PPSM database.
Note: It is the responsibility of the enclave ow ner to have the applications the enclave uses registered in the PPSM database.
Fix
The SA w ill utilize ingress and egress ACLs to restrict traffic in accordance w ith the guidelines contained in DOD Instruction 8551.1
for all services and protocols required for operational commitments.
3.2.38 The auxiliary port is not disabled. (V-7011 / NET1629)

The netw ork element's auxiliary port must be disabled unless it is connected to a secured modem
providing encryption and authentication.
Status:
The use of POTS lines to modems connecting to netw ork devices provides clear text of authentication
traffic over commercial circuits that could be captured and used to compromise the netw ork. Additional Controls: ECSC-1
w ar dial attacks on the device could degrade the device and the production netw ork. Responsibility: IAO
Secured modem devices must be able to authenticate users and must negotiate a key exchange
before full encryption takes place. The modem w ill provide full encryption capability (Triple DES) or stronger. The technician w ho
manages these devices w ill be authenticated using a key fob and granted access to the appropriate maintenance port, thus the
technician w ill gain access to the managed device (router, sw itch, etc.). The token provides a method of strong (tw o-factor) user
authentication. The token w orks in conjunction w ith a server to generate one-time user passw ords that w ill change values at
second intervals. The user must know a personal identification number (PIN) and possess the token to be allow ed access to the
device.
Check
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is
connected.
Fix
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing
encryption and authentication.
3.2.39 IPv6 Router Advertisements must be suppressed. (V-14637 / NET-IPV6-004)

Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
Status:
Description
Severity: CAT II
Many of the know n attacks in stateless autoconfiguration are defined in RFC 3756 w ere present in Rule ID: SV-15262r2_rule
IPv4 ARP attacks. IPSec AH w as originally suggested as mitigation for the link local attacks, but has
since been found to have bootstrapping problems and to be very administrative intensive. Due to Controls: DCBP-1, ECSC-1
first requiring an IP address in order to set up the IPSec security association creates the chicken- Responsibility: IAO
before-the-egg dilemma. There are solutions being developed (Secure Neighbor Discovery and
Cryptographic Generated Addressing) to secure these threats but are not currently available at the
time of this w riting.
To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gatew ays w ill be
configured to suppress router advertisements.
Disable (or do not configure) all IPv6 Neighbor Discovery functions across tunnels including the Neighbor Unreachability Detection
(NUD) function. Note: this is applicable only w hen the inner IP layer is IPv6 since IPv4 does not have the Neighbor Discovery
functionality.
Check
Inspect the device configuration to validate IPv6 router advertisement suppression is enabled on all external-facing interfaces. This
is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc), backdoor link, or an alternate
gatew ay (AG).
Fix
Configure the netw ork device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface.
3.2.40 Firewall inspection is not performed adequately (V-14643 / NET0366)

The SA w ill configure the firew all for the minimum content and protocol inspection requirements.
Status:
Description
Severity: CAT II
Creating a filter to allow a port or service through the firew all w ithout a proxy or content inspection, Rule ID: SV-15269r1_rule
protocol inspection, and flow control creates a direct connection betw een the host in the private
netw ork and a host on the outside; thereby, bypassing additional security measures that could be Controls: DCCS-2, ECSC-1
provided. This places the internal host at a greater risk of exploitation that could make the entire Responsibility: IAO
netw ork vulnerable to an attack.
Check
Review the firew all configuration and verify that both ingress and egress traffic is being inspected for the follow ing:
Review the firew all configuration and verify that both ingress and egress traffic is being inspected for the follow ing:
DNS Inspection: Protocol conformance, malformed packets, message length and domain name integrity. Query ID and port
randomization for DNS query traffic must be enabled.
SMTP Inspection: SMTP and Extended SMTP inspection w ill be configured to detect spam, phishing and malformed message attacks.
FTP Inspection: FTP is not a recommended file transfer solution. Reference the Enclave STIG for conditional guidance on FTP. The
firew all should inspect FTP traffic and drop connections w ith embedded commands, truncated commands, provide command and
reply spoofing, drop invalid port negotiations, and protect FTP servers from buffer overflow .
HTTP Inspection: Inspection of HTTP traffic to servers residing in the enclave is required. Inspection of HTTP traffic from clients and
servers in the enclave to servers outside the enclave is also required. HTTP inspection w ill be configured to filter Java applets and
ActiveX objects to meet the enclave security policy. Review the security policy w ith the IAO and look for Java and ActiveX filters if the
security policy requires restrictions.
Fix
Ensure the firew all has implemented proxies for all services that need to traverse the firew all. If the firew all does not have proxy
capability ensure the firew all is configured to meet the minimum content, protocol and flow control inspection.
3.2.41 Firewall must block loopback address (V-14644 / NET0380)

The IAO w ill ensure the firew all shall reject requests for access or services w here the source address
received by the firew all specifies a loopback address.
Status:
The loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client
and server portion of an application running on the same machine to communicate, and so it is Controls: ECSC-1
trusted. It should never be used as the source IP address of an inbound or outbound transmission. Responsibility: IAO
Check
Ensure any attempt from the firew all or any netw ork to pass any packets claiming to be from a loopback address is blocked.
Fix
Establish filters to block any attempt from the firew all or any netw ork to pass any packets claiming to be from a loopback address.
3.2.42 Alerts generated at 75% log storage capacity. (V-14646 / NET0386)

Alerts must be automatically generated to notify the administrator w hen log storage reaches
seventy-five percent or more of its maximum capacity.
Status:
Configuring the netw ork device or syslog server to provide alerts to the administrator in the event of
modification or audit log capacity being exceeded ensures administrative staff is aw are of critical Controls: ECSC-1
a le rts . W ithout this type of notification setup, logged audits and events could potentially fill to Responsibility: IAO
capacity, causing subsequent records to not be recorded and dropped w ithout any know ledge by the
administrative staff. Other unintended consequences of filling the log storage to capacity may include
a denial of service of the device itself w ithout proper notification.
Check
Review the netw ork device or syslog server to determine w hether alerts are configured to automatically generate and notify the
administrator w hen seventy-five percent or more of the storage capacity has been reached w ith log data.
Fix
Configure the netw ork device or syslog server to automatically generate and notify the administrator w hen seventy-five percent or
more of the storage capacity has been reached w ith log data.
3.2.43 No FW log dump procedures (V-14647 / NET0388)

The FA w ill have a procedure in place to dump logs w hen they reach 75% capacity to a syslog server.
Status:
Description
Severity: CAT III
Having a procedure tested and verified w ill prevent the logs from filling w hen they reach 75% Rule ID: SV-15273r1_rule
capacity.
Controls: ECSC-1
Check Responsibility:
Have the FA identify how the firew all logs are managed during critical events.
Fix
Have the FA establish procedures for dumping the logs.
3.2.44 FA is not informed of critical alerts. (V-14648 / NET0391)

The IAO/NSO w ill ensure the firew all provides critical alert message levels to the FA
regardless of w hether an administrator is logged in.
Status:
By immediately displaying an alarm message, identifying the potential security
violation and making it accessible w ith the audit record contents associated w ith Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
the event(s) that generated the alarm provides the administration staff prompt Responsibility: IAO
alert messages 7 x 24 regardless of if they are logged on.
alert messages 7 x 24 regardless of if they are logged on.
Check
Review the firew all configuration to determine w hat alerts have been defined and how the notifications are performed.
Fix
Configure the firew all to immediately notify the FA of critical alerts.
3.2.45 FW alert not written to remote console. (V-14649 / NET0392)

Th e IAO/NSO w ill ensure the message is displayed at the remote console if an
administrator is already logged in, or w hen an administrator logs in if the alarm
message has not been acknow ledged Status:
Severity: CAT II
By immediately displaying an alarm message, identifying the potential security Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
violation and making it accessible w ith the audit record contents associated w ith Responsibility: IAO
the auditable event(s) that generated the alarm provides the administration staff
prompt alert messages at their w ork areas.
Check
Review the firew all configuration to determine w hat alerts have been defined and how the notifications are performed. The
message must be displayed at the remote console if an administrator is already logged in, or w hen an administrator logs in if the
alarm message has not been acknow ledged. The firew all shall immediately display an alarm message, identifying the potential
security violation and make accessible the audit record contents associated w ith the auditable event(s) that generated the alarm.
This can also be accomplished by sending email alerts using an Exchange receipt.
Fix
Configure the firew all to immediately w rite an alarm message to the remote consoles.
3.2.46 Audit record must display violation (V-14653 / NET0395)

T h e IAO/NSO w ill ensure the alarm message identifying the potential security
violation makes accessible the audit record contents associated w ith the event(s).
Status:
The relevant audit information must be available to administrators. The firew all shall
immediately display an alarm message, identifying the potential security violation Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
and make accessible the audit record contents associated w ith the event(s) that Responsibility: IAO
generated the alarm.
Check
Review the firew all configuration to determine w hat alerts have been defined and how the notifications are performed. The relevant
audit information must be available to administrators. The message w ill not be scrolled off the screen due to other activities taking
place (e.g., the Audit Administrator is running an audit report).
Fix
Configure the firew all to w rite violations to the console and make accessible the audit record contents.
3.2.47 Alerts must remain until acknowledged. (V-14655 / NET0396)

T h e IAO/NSO w ill ensure an alert w ill remain w ritten on the consoles until
acknow ledged by an administrator.
Status:
Critical alerts require immediate response. Critical alerts must not roll off the
screens. The requirements are necessary to ensure an administrator w ill be aw are Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
of the alerts or alarm. The intent is to ensure that if an administrator is physically at Responsibility: IAO
the remote w orkstation the message w ill remain displayed until they have
acknow ledged it.
Check
Review the firew all configuration to determine w hat alerts have been defined and how the notifications are performed. Verify alerts
generated and remain until acknow ledged.
Fix
Configure the firew all to send an alarm or retain an alert message until acknow ledged.
3.2.48 FW acknowledge messages must be recorded (V-14656 / NET0398)

The IAO/NSO w ill ensure an acknow ledgement message identifying a reference to
the potential security violation is logged and it contains a notice that it has been
acknow ledged, the time of the acknow ledgement and the user identifier that Status:
acknow ledged the alarm, at the remote administrator session that received the Severity: CAT III
alarm.
Description Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
Responsibility: IAO
Acknow ledging the alert could be a single event, or different events. In addition,
assurance is required that each administrator that received the alarm message also
receives the acknow ledgement message, w hich includes some form of reference to the alarm message, w ho acknow ledged the
receives the acknow ledgement message, w hich includes some form of reference to the alarm message, w ho acknow ledged the
message and w hen.
Check
The firew all shall display an acknow ledgement message identifying a reference to the potential security violation, a notice that it
has been acknow ledged, the time of the acknow ledgement and the user identifier that acknow ledged the alarm at the remote
administrator sessions that received the alarm. Have the administrator verify these capabilities.
Fix
Configure the firew all to send acknow ledge messages to administrators, referencing the alarm, w ho acknow ledged the alarm, and
timestamps.
3.2.49 Key expiration exceeds 180 days. (V-14667 / NET0422)

The netw ork element must not be configured w ith rotating keys used for authenticating IGP
peers that have a duration exceeding 180 days.
Status:
If the keys used for routing protocol authentication are guessed, the malicious user could
create havoc w ithin the netw ork by advertising incorrect routes and redirecting traffic. Controls: IAKM-1, IAKM-2, IAKM-3
Changing the keys frequently reduces the risk of them eventually being guessed. Responsibility: IAO
Check
Review key expirations. W hen configuring authentication for routing protocols that provide key chains, configure tw o rotating keys
w ith overlapping expiration dates, both w ith 180-day expirations.
Fix
The IAO or SA w ill ensure a key has an expiration of 180 days or less.
3.2.50 NTP messages are not authenticated. (V-14671 / NET0813)

The netw ork element must authenticate all NTP messages received from NTP servers and peers.
Status:
Description
Severity: CAT II
Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a Rule ID: SV-15327r2_rule
malicious user w ere able to falsify NTP information. To launch an attack on the NTP infrastructure, a
hacker could inject time that w ould be accepted by NTP clients by spoofing the IP address of a valid Controls: ECSC-1
NTP server. To mitigate this risk, the time messages must be authenticated by the client before Responsibility: IAO
accepting them as a time source.
Tw o NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering
mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the
synchronization behavior: an NTP server can synchronize to a peer w ith better stratum, w hereas it w ill never synchronize to its
client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP
client can synchronize to multiple NTP servers, select the best server and synchronize w ith it, or synchronize to the averaged value
returned by the servers.
A hierarchical model can be used to improve scalability. W ith this implementation, an NTP client can also become an NTP server
providing time to dow nstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To
increase availability, NTP peering can be used betw een NTP servers. In the event the device looses connectivity to it upstream NTP
server, it w ill be able to choose time from one of its peers.
The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client
or peer to authenticate time received from their servers and peers. It's not used to authenticate NTP clients because NTP servers
don't care about the authenticity of their clients, as they never accept any time from them.
Check
Review the device configuration and verify it is authenticating the NTP messages received from the NTP server or peer.
Authentication must be performed using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If SHA-1 is not supported by
both the NTP client and server, then MD5 can be used.
Fix
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or SHA-1 hashing algorithm.
If SHA-1 is not supported by this client or the NTP peer or server, then MD5 can be used.
3.2.51 IPv6 Site Local Unicast ADDR must not be defined (V-14693 / NET-IPV6-025)
The netw ork element must be configured to ensure IPv6 Site Local Unicast addresses are not defined
in the enclave, (FEC0::/10). Note that this consist of all addresses that begin w ith FEC, FED, FEE and
FEF. Status:
Severity: CAT II
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The Controls: ECSC-1
address itself does not contain any indication of the site to w hich it belongs. The use of site-local Responsibility: IAO
addresses has the potential to adversely affect netw ork security through leaks, ambiguity and
potential misrouting, as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6
site-local unicast prefix defined in RFC3513, i.e., 1111111011 binary or FEC0::/10.
Check
Procedure: Review the device configuration to ensure FEC0::/10 IP addresses are not defined.
Fix
Fix
Configure the device using authorized IP addresses.
3.2.52 The network element must not allow SSH Version 1. (V-14717 / NET1647)
The netw ork element must not allow SSH Version 1 to be used for administrative access.
Status:
Description
Severity: CAT II
SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent Rule ID: SV-15459r2_rule
design flaw s w hich make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally
considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. Controls: ECSC-1
Responsibility: IAO
Finding
Nipper Studio determined that SSH w as not enabled on DC-PERIMETER1.
Check
Review the configuration and verify SSH Version 1 is not being used for administrative access.
Fix
Configure the netw ork element to use SSH version 2.
3.2.53 Teredo is not blocked by filtering UDP port 3544 (V-15294 / NET-TUNL-020)
Teredo packets must be blocked inbound to the enclave and outbound from the enclave.
Status:
Description
Severity: CAT I
Teredo (RFC 4380) is a tunneling mechanism that allow s computers to encapsulate IPv6 packets Rule ID: SV-16075r3_rule
inside IPv4 to traverse IPv4-only netw orks. It relies on UDP to allow the tunnel to traverse NAT
devices. Teredo uses UDP port 3544 to communicate w ith Teredo relays w hich access the packet, Controls: ECSC-1
decapsulated the packet, and route it to the appropriate IPv6 netw ork. W hile Teredo w as proposed Responsibility: IAO
by Microsoft, Linux versions do exist.
By allow ing Teredo tunneling mechanism to be uncontrolled, it can pass malicious IPv6 packets over IPv4 w ithout further inspection
of the packet by router and firew all ACLs.
Check
Inspect the netw ork device configuration to validate Teredo packets, UDP port 3544 are blocked both inbound to the enclave and
outbound from the enclave.
Fix
Configure the netw ork device to block UDP port 3544 traffic inbound and outbound.
3.2.54 IPv4 Interfaces in NAT-PT receive IPv6 (V-15296 / NET-IPV6-047)

The IAO/NSO w ill ensure interfaces supporting IPv4 in NAT-PT Architecture do not receive IPv6 traffic.
Status:
Description
Severity: CAT II
Netw ork Address Translation w ith Protocol Translation (NAT-PT), defined in [RFC2766], is a service Rule ID: SV-16078r1_rule
that can be used to translate data sent betw een IP-heterogeneous nodes. NAT-PT translates a IPv4
datagram into a semantically equivalent IPv6 datagram or vice versa. For this service to w ork it has Controls: ECSC-1
to be located in the connection point betw een the IPv4 netw ork and the IPv6 netw ork. The PT-part Responsibility: IAO
of the NAT-PT handles the interpretation and translation of the semantically equivalent IP header,
either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NATPT also uses a pool of addresses w hich it
dynamically assigns to the translated datagrams.
The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT w ithin the DoD
co mmunity. How ever, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3)
Requirements, some services/agencies may chose to implement this transition mechanism w ithin an enclave. The follow ing sub-
sections provide guidelines for the use of NAT-PT w ithin a controlled enclave.
In addition to the single point of failure, the reduced performance of an application level gatew ay, coupled w ith limitations on the
kinds of applications that w ork, decreases the overall value and utility of the netw ork. NAT-PT also inhibits the ability to deploy
security at the IP layer.
Check
Base Procedure:Review netw ork diagram in the STIG and ensure the architecture is designed correctly. The interface facing the IPv4
LAN netw ork must not receive IPv6 traffic. This can be accomplished by not having IPv6 on the interface supporting the IPv4
netw ork. In addition a filter can be added to deny IPv6 at this interface.
Fix
This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 netw ork. In addition a filter can be added
to deny IPv6 at the interface.
3.2.55 The device is not authenticated using a AAA server. (V-15432 / NET0433)
The netw ork element must use tw o or more authentication servers for the purpose of granting
administrative access.
Status:
The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for
controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in Controls: IAIA-1
controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in Controls: IAIA-1
conjunction w ith an authentication server such as TACACS+ or RADIUS, the administrators can easily Responsibility: IAO
add or remove user accounts, add or remove command authorizations, and maintain a log of user
activity.
The use of an authentication server provides the capability to assign router administrators to tiered groups that contain their
privilege level that is used for authorization of specific commands. For example, user mode w ould be authorized for all authenticated
administrators w hile configuration or edit mode should only be granted to those administrators that are permitted to implement
router configuration changes.
Finding
Nipper Studio identified zero authentication servers configured on DC-PERIMETER1
Check
Verify an authentication server is required to access the device and that there are tw o or more authentication servers defined.
Fix
Ensure an authentication server is required to access the device and that there are tw o or more authentication servers defined.
3.2.56 Emergency account privilege level is not set. (V-15434 / NET0441)

The netw ork element's emergency account must be set to an appropriate authorization level to
perform necessary administrative functions w hen the authentication server is not online.
Status:
The emergency account is to be configured as a local account on the netw ork element. It is to be
used only w hen the authentication server is offline or not reachable via the netw ork. The emergency Controls: ECSC-1
account must be set to an appropriate authorization level to perform necessary administrative Responsibility: IAO
functions during this time.
Check
Review the emergency account configured on the netw ork element and verify that it has been assigned to a privilege level that w ill
enable the administrator to perform necessary administrative functions w hen the authentication server is not online.
Fix
Assign a privilege level to the emergency account to allow the administrator to perform necessary administrative functions w hen the
authentication server is not online.
3.2.57 Management traffic is not restricted (V-17754 / NET1807)

Management traffic is not restricted to only the authorized management packets based on
destination and source IP address.
Status:
Check Controls:
W here IPSec technology is deployed to connect the OOBM gatew ay routers or firew all, the traffic Responsibility:
entering the tunnels must be restricted to only the authorized management packets based on
destination and source IP address from the address block used for the management netw ork. Verify
that all traffic from the managed netw ork to the management netw ork and vice-versa is secured via IPSec encapsulation. In the
configuration examples, 10.2.2.0/24 is the management netw ork at the NOC and 10.1.1.0/24 is the management address block
used at the netw ork being managed (i.e., the enclave).
W hen the AS PIC receives traffic on the inside interface associated w ith a service set, the AS PIC applies the configured Layer 3
services and then forw ards the packet back to the router through the outside interface. Likew ise, w hen the AS PIC receives traffic
on the outside interface associated w ith a service set, it forw ards the packet back to the router through the inside interface after
applying the configured Layer 3 services.
hostname VPN-Gatew ay1

!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 19.16.1.254 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map ipsec-isakmp
crypto map Outside_map 20 match address 101
crypto map Outside_map 20 set peer 19.16.2.254
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
!
isakmp key ***** 19.16.2.254 netmask 255.255.255.255
isakmp enable Outside
!
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
sysopt connection permit-ipsec
Note: Access lists can be defined for PIX/ASA using the familiar IOS softw are ACL format. How ever, one important difference exists
betw een the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), w hereas IOS
platforms use a w ildcard mask (a 0 bit matches, and a 1 bit ignores).
Fix
W here IPSec technology is deployed to connect the OOBM gatew ay routers or firew all, traffic entering the tunnels is restricted to
only the authorized management packets based on destination and source IP address from the address block used for the
management netw ork.
3.2.58 Remote VPN end-point not a mirror of local gateway (V-17814 / NET1808)
Gatew ay configuration at the remote VPN end-point is a not a mirror of the local gatew ay
Status:
Description
Severity: CAT II
The IPSec tunnel end points may be configured on the OOBM gatew ay routers connecting the Rule ID: SV-19063r1_rule
managed netw ork and the NOC. They may also be configured on a firew all or VPN concentrator
located behind the gatew ay router. In either case, the crypto access-list used to identify the traffic to Controls: ECSC-1
be protected must be a mirror (both IP source and destination address) of the crypto access list Responsibility: IAO
configured at the remote VPN peer.
Check
Verify the configuration at the remote VPN end-point is a mirror configuration as that review ed for the local end-point.
Fix
Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination
address) of the crypto access list configured at the remote VPN peer.
3.2.59 The OOBM interface not configured correctly. (V-17821 / NET0991)

The netw ork element's OOBM interface must be configured w ith an OOBM netw ork address.
Status:
Description
Severity: CAT II
The OOBM access sw itch w ill connect to the management interface of the managed netw ork Rule ID: SV-19075r2_rule
elements. The management interface of the managed netw ork element w ill be directly connected to
the OOBM netw ork. An OOBM interface does not forw ard transit traffic; thereby, providing complete Controls: ECSC-1
separation of production and management traffic. Since all management traffic is immediately Responsibility: IAO
forw arded into the management netw ork, it is not exposed to possible tampering. The separation
also ensures that congestion or failures in the managed netw ork do not affect the management of
the device. If the OOBM interface does not have an IP address from the managed netw ork address space, it w ill not have
reachability from the NOC using scalable and normal control plane and forw arding mechanisms.
Check
The managed netw ork element's OOBM interface must be configured w ith an IP address from the address space belonging to the
OOBM netw ork. After determining w hich interface is connected to the OOBM access sw itch, review the managed device configuration
and verify the interface has been assigned an address from the local management address block.
Fix
Configure the managed netw ork element's OOBM interface w ith an IP address from the address space belonging to the OOBM
netw ork.
3.2.60 The management interface does not have an ACL. (V-17822 / NET0992)
The netw ork elements management interface must be configured w ith both an ingress and egress
ACL.
Status:
The OOBM access sw itch w ill connect to the management interface of the managed netw ork
elements. The management interface can be a true OOBM interface or a standard interface Controls: ECSC-1
functioning as the management interface. In either case, the management interface of the managed Responsibility: IAO
netw ork element w ill be directly connected to the OOBM netw ork.
An OOBM interface does not forw ard transit traffic; thereby, providing complete separation of production and management traffic.
Since all management traffic is immediately forw arded into the management netw ork, it is not exposed to possible tampering. The
separation also ensures that congestion or failures in the managed netw ork do not affect the management of the device. If the
device does not have an OOBM port, the interface functioning as the management interface must be configured so that
management traffic does not leak into the managed netw ork and that production traffic does not leak into the management
netw ork.
Check
Step 1: Verify the managed interface has an inbound and outbound ACL or filter.
Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic
accessing the managed elements should be originated at the NOC.
Step 3: Verify the egress ACL blocks any traffic not originated by the managed element.
Fix
If the management interface is a routed interface, it must be configured w ith both an ingress and egress ACL. The ingress ACL
should block any transit traffic, w hile the egress ACL should block any traffic that w as not originated by the managed netw ork
should block any transit traffic, w hile the egress ACL should block any traffic that w as not originated by the managed netw ork
elements.
3.2.61 The management interface is not IGP passive. (V-17823 / NET0993)

The netw ork element's management interface is not configured as passive for the IGP instance
deployed in the managed netw ork.
Status:
The OOBM access sw itch w ill connect to the management interface of the managed netw ork
elements. The management interface can be a true OOBM interface or a standard interface Controls: ECSC-1
functioning as the management interface. In either case, the management interface of the managed Responsibility: IAO
netw ork element w ill be directly connected to the OOBM netw ork.
An OOBM interface does not forw ard transit traffic; thereby, providing complete separation of production and management traffic.
Since all management traffic is immediately forw arded into the management netw ork, it is not exposed to possible tampering. The
separation also ensures that congestion or failures in the managed netw ork do not affect the management of the device. If the
device does not have an OOBM port, the interface functioning as the management interface must be configured so that
management traffic, both data plane and control plane, does not leak into the managed netw ork and that production traffic does
not leak into the management netw ork.
Check
Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed netw ork.
Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the
IGP configuration.
Fix
Configure the management interface as passive for the IGP instance configured for the managed netw ork. Depending on the
platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
3.2.62 The firewall does not block outbound mgmt traffic (V-17830 / NET1001)
A firew all located behind the premise router must be configured to block all outbound management
traffic.
Status:
The management netw ork must still have its ow n subnet in order to enforce control and access
boundaries provided by Layer 3 netw ork nodes such as routers and firew alls. Management traffic Controls: ECSC-1
betw een the managed netw ork elements and the management netw ork is routed via the same links Responsibility: IAO
and nodes as that used for production or operational traffic. Safeguards must be implemented to
ensure that the management traffic does not leak past the managed netw ork's premise equipment.
It there is a firew all located behind the premise router, then all management traffic should be blocked at that point--w ith the
exception of management traffic destined to premise equipment.
Check
Review the firew all configuration to verify that it is blocking all outbound management traffic.
Fix
W ith the exception of management traffic destined to premise equipment, a firew all located behind the premise router must be
configured to block all outbound management traffic.
3.2.63 IPSec traffic is not restricted (V-17835 / NET1006)

Traffic entering the tunnels is not restricted to only the authorized management packets based on
destination address.
Status:
Similar to the OOBM model, w hen the production netw ork is managed in-band, the management
netw ork could also be housed at a NOC that is located locally or remotely at a single or multiple Controls: ECSC-1
interconnected sites. NOC interconnectivity as w ell as connectivity betw een the NOC and the Responsibility: IAO
managed netw orks' premise routers w ould be enabled using either provisioned circuits or VPN
technologies such as IPSec tunnels or MPLS VPN services.
Check
For both the NOC and the managed netw ork, the IPSec tunnel end points may be configured on the premise or gatew ay router, a
VPN gatew ay firew all or VPN concentrator. Verify that all traffic from the managed netw ork to the management netw ork and vice-
versa is secured via IPSec encapsulation.
Fix
W here IPSec technology is deployed to connect the managed netw ork to the NOC, it is imperative that the traffic entering the
tunnels is restricted to only the authorized management packets based on destination address.
3.2.64 ACLs must restrict access to server VLANs. (V-18522 / NET-SRVFRM-003)

Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security
posture.
Status:
Protecting data sitting in a server VLAN is necessary and can be accomplished using access control
lists on VLANs provisioned for servers. W ithout proper access control of traffic entering or leaving Controls: ECND-1, ECSC-1
the server VLAN, potential threats such as a denial of service, data corruption, or theft could occur, Responsibility: IAO
resulting in the inability to complete mission requirements by authorized users.
resulting in the inability to complete mission requirements by authorized users.
Check
Review the device configuration to validate an ACL w ith a deny-by-default security posture has been implemented on the server
VLAN interface.
Fix
Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
3.2.65 ACLs do not protect against compromised servers (V-18523 / NET-SRVFRM-004)

The IAO w ill ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict
data originating from one server farm segment destined to another server farm segment.
Status:
ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to
protect the servers located on one subnet from servers located on another subnet. Protecting a Controls: ECND-1
client's data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 Responsibility: IAO
filtering and content filtering at the Server Farm entry point. Restricting protocol, source and
destination traffic via filters is an option; how ever additional security practices such as content
filtering are required.
The Server farm private vlans need to protect the servers located on one subnet from servers located on another subnet.
Check
Review the firew all protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan
segment. Identify the source ip addresses that have access to the servers and verify the privilege intended w ith the SA. The filter
should be in a deny by default posture.
If the filter is not defined on the firew all and the architecture contains a layer 3 sw itch betw een the firew all and the server, than
review the VLAN definition on the L3 sw itch.
Fix
Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of
the policy should be to protect servers from a server that has been compromised by an intruder.
3.2.66 Server Farm without firewall content inspection (V-18525 / NET-SRVFRM-005)

The IAO w ill ensure the Server Farm VLANs are protected by severely restricting the actions the hosts
can perform on the servers by firew all content filtering.
Status:
Most current applications are deployed as a multi-tier architecture. The multi-tier model uses
separate server machines to provide the different functions of presentation, business logic, and Controls: EBBD-1
database. Responsibility: IAO
Multi-tier server farms provide added security because a compromised w eb server does not provide
direct access to the application itself or to the database.
The multi-tier separation is accomplished in several architectures, by a layer 2 sw itch, by a layer3 sw itch/router or by a firew all
located at the server farm. Using the firew all implementation is the most secure method and is the only approved DoD architecture.
Firew alls get packets from VLAN-supporting sw itches complete w ith 802.1Q tags in their headers. W hat the VLAN-aw are firew all can
do is extract the tags and use the information w ithin the tags to make policy-based security decisions.
Check
Identify the VLAN IP subnet and determine if the subnet passes content inspect by a firew all capable on content inspection.
Fix
Configure the firew all to inspect traffic content to and from the server farm.
3.2.67 IPv6 6-to-4 addresses are not filtered (V-18608 / NET-IPV6-024)

The IAO/NSO w ill ensure IPv6 6-to-4 addresses w ith a prefix of 2002::/16 are dropped at the enclave
perimeter by the ingress and egress filters.
Status:
"6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, w hich
assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, Controls: ECSC-1
reference addition 6-to-4 guidance defined in the STIG. Responsibility: IAO
Drop all inbound IPv6 packets containing a source address of type 2002::/16. This assumes the 6-to-
4 transition mechanism is not being used.
Drop all inbound IPv6 packets containing a destination address of type 2002::/16. This assumes the 6-to-4 transition mechanism is
not being used.
Check
Base Procedure: Review the premise router and firew all configurations to ensure filters are in place to restrict the IP addresses
explicitly, or inexplicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny 6-to-4 tunnel addresses and log all
violations.
source type: 2002::/16

Fix
The administrator w ill configure the router ACLs to restrict IP addresses that contain any 6-to-4 addresses.
3.2.68 IPV6 Jumbo payload hop by hop is not dropped (V-18815 / NET-IPV6-035)
The IAO w ill ensure the IPV6 Jumbo Payload hop by hop header is blocked.
Status:
Description
Severity: CAT II
The IPv6 Jumbo Payload allow s IP packets to be larger than 65,535 bytes. This feature is only useful Rule ID: SV-20551r1_rule
on very specialized high performance systems (e.g. super computers). Common place link layer
technologies do not support these payload sizes and special link layer designs w ould be necessary. Controls: ECSC-1
This header should be dropped unless the system is specifically designed to use very large payloads, Responsibility: IAO
since it only serves as an opportunity to break implementations.
Check
Verify the firew all drops all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.
If the system is specifically designed to use very large payloads and its use is documented in architecture design documents, than
this is not a finding.
Fix
Configure the firew all to drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.
3.2.69 Two NTP servers are not used to synchronize time. (V-23747 / NET0812)
The netw ork element must use tw o or more NTP servers to synchronize time.
Description Status:
Severity: CAT III
W ithout synchronized time, accurately correlating information betw een devices becomes difficult, if Rule ID: SV-28651r2_rule
not impossible. If logs cannot be successfully compared betw een each of the routers, sw itches, and
firew alls, it w ill be very difficult to determine the exact events that resulted in a netw ork breach Controls: ECSC-1
incident. NTP provides an efficient and scalable method for netw ork elements to synchronize to an Responsibility: IAO
accurate time source.
Check
Review the configuration and verify tw o NTP servers have been defined.
Fix
Specify tw o NTP server IP addresses on the device to be used to request time from.
3.2.70 PAT is vulnerable to DNS cache poisoning (V-25037 / NET1970)

The IAO w ill ensure that the router or firew all softw are has been upgraded to mitigate the risk of
DNS cache poisoning attack caused by a flaw ed PAT implementation using a predictable source port
allocation method for DNS query traffic. Status:
Severity: CAT I
DNS cache poisoning is an attack technique that allow s an attacker to introduce forged DNS Controls: VIVM-1
information into the cache of a caching name server. There are inherent deficiencies in the DNS Responsibility: IAO
protocol and defects in implementations that facilitate DNS cache poisoning.
Name servers vulnerable to cache poisoning attacks are due to their use of insufficiently randomized
transaction IDs and UDP source ports in the DNS queries that they produce, w hich may allow an attacker to more easily forge DNS
answ ers that can poison DNS caches. To exploit these vulnerabilities an attacker must be able to cause a vulnerable DNS server to
perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers w here recursion is not allow ed, are
not affected.
T h e DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the
transaction ID is randomly selected w ith a strong random number generator, an attacker w ill require, on average, 32,768 attempts
to successfully predict the ID. Some flaw ed implementations may use a smaller number of bits for this transaction ID, meaning that
few er attempts w ill be needed. Furthermore, there are know n errors w ith the randomness of transaction IDs that are generated by
a number of implementations.
Some current implementations allocate an arbitrary source port at startup (and sometimes selected at random) and reuse this
source port for all outgoing queries. W ith other implementations, the source port for outgoing queries is fixed at the traditional
assigned DNS server UDP port number 53. Because attacks against these vulnerabilities all rely on an attacker's ability to predict,
the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks w ithin
the boundaries of the current protocol specification. Randomized source ports can be used to gain approximately 16 additional bits
of randomness in the data that an attacker must guess. Randomizing the ports adds a significant amount of attack resiliency.
Routers, firew alls, proxies, and other gatew ay devices that perform NAT--more specifically Port Address Translation (PAT)--often
rew rite source ports in order to track connection state. A flaw ed implementation of a PAT device using a predictable source port
allocation method can reduce any effectiveness of source port randomization implemented by name servers and stub resolvers.
Henceforth, it is imperative that the router or firew all softw are has been upgraded or patched to reduce an attacker's opportunity
for launching a DNS cache poisoning attack.
Note: Regular NAT (allocating one public IP address for each private IP address) is not affected by this problem because it only
rew rites layer 3 information and does not modify layer 4 header information of packets traversing the NAT device.
Finding
Nipper Studio determined the follow ing information detailed in Table 60 about DC-PERIMETER1
Description Setting
Manufacturer Fortinet
Device FortiGate Firew all
Model FG100D
Table 60: Device information
Check
Verify that the softw are implemented on the router or firew all has been updated to a release that mitigates the risk of a DNS cache
poisoning attack. A number of vendors have released patches to implement source port randomization. This change significantly
reduces the practicality of cache poisoning attacks. See the Systems Affected section at http://w w w .kb.cert.org/vuls/id/800113 for
additional details for specific products not listed below .
The follow ing BlueCoat products are vulnerable:
Proxy SG: Fixed in 4.2.8.6 or 5.2.4.3 and later.

Director: Fixed in: 4.2.2.4 or 5.2.2.5 and later.
Proxy RA: Fixed in 2.3.2.1 and later.
The follow ing Secure Computing products are vulnerable:
Sidew inder G2 6.1 .0.01

Sidew inder G2 6.1 .0.02
Sidew inder 5.0
Sidew inder 5.0 .0.01
Sidew inder 5.1
Sidew inder 5.1 .1
Sidew inder 5.2
Sidew inder 5.2 .1
Sidew inder 5.2.1 .10
Sidew inder Softw are 5.0
Sidew inder Softw are 5.0 .0.01
Sidew inder Softw are 5.1 .1
Sidew inder Softw are 5.2 .1
CyberGuard Classic
CyberGuard TSP
See Secure Computing Know ledgebase article 11446 for the resolution to updates to these vulnerable products.
The follow ing Juniper Netw orks ScreenOS firew all versions are vulnerable.
ScreenOS 5.1
ScreenOS 5.2
The follow ing Cisco PIX/ASA releases are vulnerable:

6.3(5) and earlier. Fixed w ith 6.3(5.144) and later
7.0 Fixed w ith 7.0(8.1)
7.1 Fixed w ith 7.1(2.74)
7.2 Fixed w ith 7.2(4.9)
8.0 Fixed w ith 8.0(3.32)
8.1 Fixed w ith 8.1(1.8) , 8.1(1.100), and 8.1(101.4)
8.2 Fixed w ith 8.2(0.140)
Fix
Update the OS to the release that mitigates the risk of a DNS cache poisoning attack
3.2.71 Firewall log must be accurate (V-25890 / NET1288)

The IAO/NSO w ill ensure the audit trail events are stamped w ith accurate date and time.
Status:
The firew all logs can be used for forensic analysis in support of incident as w ell as to aid w ith normal
traffic analysis. It can take numerous days to recover from a firew all outage w hen a proper backup Controls: ECSC-1, ECTB-1
scheme is not used. Responsibility: IAO
Check
Review the active log and verify the date and time of the records is correct.
Fix
Ensure the firew all is receiving time from the same source as other netw ork devices are, such as the perimeter router. Verify the
NTP guidance is implemented correctly.
3.2.72 FW event records do not include required fields (V-25891 / NET1289)

The IAO/NSO w ill ensure the audit trail events include source IP, destination IP, port, protocol used
and action taken.
Status:
The firew all logs can be used for forensic analysis in support of incident as w ell as to aid w ith normal
traffic analysis. Controls: ECSC-1, ECTB-1
Responsibility: IAO
Check
Review the active firew all logs and verify the source IP, destination IP, port, protocol used and action taken are recorded fields in
the event record..
Fix
Ensure the firew all logs are receiving source IP, destination IP, port, protocol used and action taken.
3.2.73 Call home service is disabled. (V-28784 / NET0405)

A service or feature that calls home to the vendor must be disabled.
Status:
Description
Severity: CAT II
Call home services or features w ill routinely send data such as configuration and diagnostic Rule ID: SV-36774r2_rule
information to the vendor for routine or emergency analysis and troubleshooting. The risk that
transmission of sensitive data sent to unauthorized persons could result in data loss or dow ntime Controls: ECSC-1
due to an attack. Responsibility: NSO
Check
Verify the call home service or feature is disabled on the device.
Fix
Configure the netw ork device to disable the call home service or feature.
3.2.74 IPV6 firewall does not meet DITO requirements (V-30638 / NET-IPV6-005)
The IAO must ensure firew alls deployed in an IPv6 enclave meet the requirements defined by DITO
and NSA milestone objective 3 guidance.
Status:
1) Drop IPv6 Undetectable protocol/port (May be an intrinsic FW feature.) - IPv6 allow s an unlimited
number of extension headers to be applied to a packet. A FW may not be able to locate the layer 4 Controls: DCDS-1, EBBD-1
protocol and port values if too many extension headers exhaust its resources. As a minimum, a FW Responsibility: IAO
must be able to drop any packet for w hich it cannot identify the layer 4 protocol and ports (if
applicable). The security policy w ould be subverted if these packets w ere allow ed to pass through a
FW. If the FW cannot traverse through extension headers at all, it must drop packets using any extension header. This measure w ill
disable a large amount of IPv6's functionality and should only be used if the Primary guidance cannot be implemented.
2) Drop IPv6 Type 0 Routing Header - The IPv6 Type 0 Routing Header (extension header) is functionally equivalent to the IPv4
loose source routing header option, w hich is typically blocked for security reasons. The Type 0 Routing Header is dangerous
because it allow s attackers to spoof source addresses and get traffic in response (rather than to the real ow ner of the address).
Secondly, a packet w ith an allow ed destination address could be sent through a FW only to bounce to a different (disallow ed) node
once inside using the Routing Header functionality. If the Type 0 Routing Header must be used, it must be used in conjunction w ith
either the IPSec AH or the IPSec Encapsulation Security Payload (ESP) headers. If the FW cannot distinguish the type field of a
routing header, it should be configured to drop all routing headers. Note that Mobile IP is disabled w ithout the Type 2 Routing
Header. Although deprecated by a recent RFC, there may be existing implementations that still recognize this header.
3) Drop Undefined IPv6 Header Extensions/Protocol Values (May be an intrinsic FW feature.) - Undefined IPv6 header extensions
means that the Next Header type is not registered w ith Internet Assigned Numbers Authority (IANA). The header extension is the
same as the protocol value, and should be dropped. Drop all undefined extension headers/protocol values.
4) Drop at least one fragment of any inbound fragmented packet for w hich the complete data set for filtering to include
protocol/port values cannot be determined.(May be an intrinsic FW feature) - A FW must be able to properly enforce its filtering
policy upon fragmented packets. This requires that the FW be able to find the complete set of header data including extension
headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks.
Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper
layer protocol/port information outw ard (tow ard packet boundaries) making it much harder to protect. How a FW achieves these
requirements is not important as long as both aspects are met. The w ording "drop at least one fragment" used in the actions below
is a statement of the bare minimum action to secure a packet, and is chosen to allow FW venders flexibility in achieving it. Refer to
Firew all Design Considerations for IPv6 section 3.6 for extensive detail on this topic. https://w w w .us.army.mil/suite/doc/10209656
5) Drop all inbound IPv6 packets containing more than one Fragmentation Header w ithin an IP header chain. (May be an intrinsic
FW feature) - Nested fragmentation is an unnecessary and unw anted IPv6 condition that is not forbidden by the specifications. It
occurs w hen an IP header chain contains more than one Fragmentation Header implying that a fragment has been fragmented. In
the specification, the phrase "IP header chain" rather than "packet" is used, because a tunneled packet has more than one IP
header chain and each chain can have a Fragment Header (this case is not nested fragmentation). Nested fragmentation is a new
header chain and each chain can have a Fragment Header (this case is not nested fragmentation). Nested fragmentation is a new
phenomenon w ith IPv6. It is not possible in IPv4, because the fragmentation fields are part of the main header and are modified in
the event of a secondary fragmentation event. Nested fragmentation in IPv6 should be dropped by FW s since internal nodes that
process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some
unpredictable manner.
Check
Drop all inbound IPv6 packets for w hich the layer 4 protocol and ports (if applicable) cannot be located. Drop all inbound IPv6
packets w ith a Type 0 Routing Header unless those packets also contain an IPSec AH or IPSec ESP header. Drop all inbound IPv6
packets containing undefined header extensions/protocol values. Drop at least one fragment of any inbound fragmented packet for
w hich the complete data set for filtering to include protocol/port values cannot be determined. Drop all inbound IPv6 packets
containing more than one Fragmentation Header w ithin an IP header chain.
Fix
Identify the firew all capabilities to ensure they support the DITO requirements prior to procurement. Review current alternatives
defined in the MO3 guidance for mitigation.
3.3 Conclusions
Nipper Studio performed a DoD STIG compliance audit on Wednesday 12th February 2014 of the device and STIGs detailed in Table 61.
The highest rated STIG compliance failure w as a CAT I.
Name STIG Version I I I II II II III III III

Pass Fail Man Pass Fail Man Pass Fail Man
DC- Firew all Security Technical 8 Release 14 Benchmark Date 5 1 5 11 3 34 1 2 13
PERIMETER1 Implementation Guide 26 Apr 2013
Table 61: DISA STIG device compliance summary
STIG CAT I checks are for those vulnerabilities w hich if exploitation w ill, directly and immediately result in loss of confidentiality,
availability, or integrity. An ATO w ill not be granted w hile CAT I w eaknesses are present for a device. There w ere eleven checks that
had been classed as CAT I.
Nipper Studio identified one CAT I compliance check that FAILED. The compliance failure w as:
NET1660 - An insecure version of SNMP is being used. (failed on DC-PERIMETER1).
Nipper Studio identified five CAT I compliance checks that PASSED. These compliance passes w ere:
NET0230 - Netw ork element is not passw ord protected. (passed on DC-PERIMETER1);
NET0600 - Passw ords are view able w hen displaying the config. (passed on DC-PERIMETER1);
NET0240 - Devices exist w ith standard default passw ords. (passed on DC-PERIMETER1);
NET1636 - Management connections must require passw ords. (passed on DC-PERIMETER1);
NET1665 - Using default SNMP community names. (passed on DC-PERIMETER1).
Nipper Studio identified five CAT I compliance checks that require MANUAL inspections before they can be catagorized as either a pass
or a fail. These compliance checks w ere:
NET0460 - Group accounts are defined. (inspection on DC-PERIMETER1);
NET1623 - Authentication required for console access. (inspection on DC-PERIMETER1);
NET-TUNL-020 - Teredo is not blocked by filtering UDP port 3544 (inspection on DC-PERIMETER1);
NET0441 - Emergency account privilege level is not set. (inspection on DC-PERIMETER1);
NET1970 - PAT is vulnerable to DNS cache poisoning (inspection on DC-PERIMETER1).
STIG CAT II checks are for those vulnerabilities w here exploitation has a potential to result in loss of confidentiality, availability, or
integrity. CAT II findings that have been satisfactorily mitigated w ill not prevent an ATO from being granted for a device. There w ere 46
checks that had been classed as CAT II.
Nipper Studio identified three CAT II compliance checks that FAILED. These compliance failures w ere:
NET0440 - More than one emergency account is defined. (failed on DC-PERIMETER1);
NET0813 - NTP messages are not authenticated. (failed on DC-PERIMETER1);
NET0433 - The device is not authenticated using a AAA server. (failed on DC-PERIMETER1).
Nipper Studio identified nine CAT II compliance checks that PASSED. These compliance passes w ere:
NET1639 - Management connection does not timeout. (passed on DC-PERIMETER1);
NET1675 - SNMP privileged and non-privileged access. (passed on DC-PERIMETER1);
NET1638 - Management connections must be secured by FIPS 140-2. (passed on DC-PERIMETER1);
NET0740 - HTTP server is not disabled (passed on DC-PERIMETER1);
NET1624 - The console port does not timeout after 10 minutes. (passed on DC-PERIMETER1);
NET0894 - Netw ork element must only allow SNMP read access. (passed on DC-PERIMETER1);
NET1645 - SSH session timeout is not 60 seconds or less. (passed on DC-PERIMETER1);
NET1646 - SSH login attempts value is greater than 3. (passed on DC-PERIMETER1);
NET1647 - The netw ork element must not allow SSH Version 1. (passed on DC-PERIMETER1).
Nipper Studio identified 34 CAT II compliance checks that require MANUAL inspections before they can be catagorized as either a pass
or a fail. These compliance checks w ere:
NET1800 - IPSec VPN is not configured as a tunnel type VPN. (inspection on DC-PERIMETER1);
NET0340 - Login banner is non-existent or not DOD approved. (inspection on DC-PERIMETER1);
NET0890 - SNMP access is not restricted by IP address. (inspection on DC-PERIMETER1);
NET0377 - Firew all has unnecessary services enabled. (inspection on DC-PERIMETER1);
NET0465 - Assign low est privilege level to user accounts. (inspection on DC-PERIMETER1);
NET0470 - Unnecessary or unauthorized accounts exist. (inspection on DC-PERIMETER1);
NET0375 - Firew all is not configured to protect the netw ork. (inspection on DC-PERIMETER1);
NET0700 - Operating system is not at a current release level. (inspection on DC-PERIMETER1);
NET0390 - The IDS or FW is not configured to alarm the admin (inspection on DC-PERIMETER1);
NET-TUNL-013 - L2TP is terminated in the private netw ork. (inspection on DC-PERIMETER1);
NET0379 - Firew all is not operating on a STIG'd OS (inspection on DC-PERIMETER1);
NET1637 - Management connections are not restricted. (inspection on DC-PERIMETER1);
NET1637 - Management connections are not restricted. (inspection on DC-PERIMETER1);
NET0965 - TCP connection request w ait times limited. (inspection on DC-PERIMETER1);
NET0910 - Perimeter is not compliant w ith DOD Instr. 8551.1 (inspection on DC-PERIMETER1);
NET-IPV6-004 - IPv6 Router Advertisements must be suppressed. (inspection on DC-PERIMETER1);
NET0366 - Firew all inspection is not performed adequately (inspection on DC-PERIMETER1);
NET0380 - Firew all must block loopback address (inspection on DC-PERIMETER1);
NET0391 - FA is not informed of critical alerts. (inspection on DC-PERIMETER1);
NET0392 - FW alert not w ritten to remote console. (inspection on DC-PERIMETER1);
NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined (inspection on DC-PERIMETER1);
NET-IPV6-047 - IPv4 Interfaces in NAT-PT receive IPv6 (inspection on DC-PERIMETER1);
NET1807 - Management traffic is not restricted (inspection on DC-PERIMETER1);
NET1808 - Remote VPN end-point not a mirror of local gatew ay (inspection on DC-PERIMETER1);
NET0991 - The OOBM interface not configured correctly. (inspection on DC-PERIMETER1);
NET0992 - The management interface does not have an ACL. (inspection on DC-PERIMETER1);
NET1001 - The firew all does not block outbound mgmt traffic (inspection on DC-PERIMETER1);
NET1006 - IPSec traffic is not restricted (inspection on DC-PERIMETER1);
NET-SRVFRM-003 - ACLs must restrict access to server VLANs. (inspection on DC-PERIMETER1);
NET-SRVFRM-004 - ACLs do not protect against compromised servers (inspection on DC-PERIMETER1);
NET-SRVFRM-005 - Server Farm w ithout firew all content inspection (inspection on DC-PERIMETER1);
NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered (inspection on DC-PERIMETER1);
NET-IPV6-035 - IPV6 Jumbo payload hop by hop is not dropped (inspection on DC-PERIMETER1);
NET0405 - Call home service is disabled. (inspection on DC-PERIMETER1);
NET-IPV6-005 - IPV6 firew all does not meet DITO requirements (inspection on DC-PERIMETER1).
STIG CAT III checks are for those vulnerabilities w hich degrades measures to protect against loss of confidentiality, availability, or
integrity. These findings that may impact the IA posture but are not required to be mitigated or corrected in order for an ATO to be
granted for a device. There w ere 16 checks that had been classed as CAT III.
Nipper Studio identified tw o CAT III compliance checks that FAILED. These compliance failures w ere:
NET1020 - A log or syslog statement does not follow all deny statements. (failed on DC-PERIMETER1);
NET0812 - Tw o NTP servers are not used to synchronize time. (failed on DC-PERIMETER1).
Nipper Studio identified one CAT III compliance PASS. The compliance pass w as:
NET0820 - DNS servers must be defined for client resolver. (passed on DC-PERIMETER1).
Nipper Studio identified thirteen CAT III compliance checks that require MANUAL inspections before they can be catagorized as either a
pass or a fail. These compliance checks w ere:
NET0190 - LAN addresses are not protected from the public. (inspection on DC-PERIMETER1);
NET1640 - Management connections must be logged. (inspection on DC-PERIMETER1);
NET1300 - Firew all Admins w ill be logged. (inspection on DC-PERIMETER1);
NET1629 - The auxiliary port is not disabled. (inspection on DC-PERIMETER1);
NET0386 - Alerts generated at 75% log storage capacity. (inspection on DC-PERIMETER1);
NET0388 - No FW log dump procedures (inspection on DC-PERIMETER1);
NET0395 - Audit record must display violation (inspection on DC-PERIMETER1);
NET0396 - Alerts must remain until acknow ledged. (inspection on DC-PERIMETER1);
NET0398 - FW acknow ledge messages must be recorded (inspection on DC-PERIMETER1);
NET0422 - Key expiration exceeds 180 days. (inspection on DC-PERIMETER1);
NET0993 - The management interface is not IGP passive. (inspection on DC-PERIMETER1);
NET1288 - Firew all log must be accurate (inspection on DC-PERIMETER1);
NET1289 - FW event records do not include required fields (inspection on DC-PERIMETER1).
3.4 Recommendations
Nipper Studio recommends that the findings of this audit are review ed. Furthermore, Nipper Studio recommends that mitigation should
be implemented to resolve any compliance failures. Table 62 lists the recomended actions for the compliance findings detailed in this
report.
STIG Title Severity State Recommendation Affected

Devices
NET0460 Group accounts are defined. CAT I Investigate if this is a compliance pass or failure. If it DC-
is a failure then implement mitigation PERIMETER1
NET1660 An insecure version of SNMP is being CAT I Investigate the compliance failure and implement DC-
used. mitigation PERIMETER1
NET1623 Authentication required for console CAT I Investigate if this is a compliance pass or failure. If it DC-
access. is a failure then implement mitigation PERIMETER1
NET- Teredo is not blocked by filtering CAT I Investigate if this is a compliance pass or failure. If it DC-
TUNL-020 UDP port 3544 is a failure then implement mitigation PERIMETER1
NET0441 Emergency account privilege level is CAT I Investigate if this is a compliance pass or failure. If it DC-
not set. is a failure then implement mitigation PERIMETER1
NET1970 PAT is vulnerable to DNS cache CAT I Investigate if this is a compliance pass or failure. If it DC-
poisoning is a failure then implement mitigation PERIMETER1
NET1800 IPSec VPN is not configured as a CAT II Investigate if this is a compliance pass or failure. If it DC-
tunnel type VPN. is a failure then implement mitigation PERIMETER1
NET0340 Login banner is non-existent or not CAT II Investigate if this is a compliance pass or failure. If it DC-
DOD approved. is a failure then implement mitigation PERIMETER1
NET0890 SNMP access is not restricted by IP CAT II Investigate if this is a compliance pass or failure. If it DC-
address. is a failure then implement mitigation PERIMETER1
NET0377 Firew all has unnecessary services CAT II Investigate if this is a compliance pass or failure. If it DC-
enabled. is a failure then implement mitigation PERIMETER1
NET0465 Assign low est privilege level to user CAT II Investigate if this is a compliance pass or failure. If it DC-
accounts. is a failure then implement mitigation PERIMETER1
NET0470 Unnecessary or unauthorized CAT II Investigate if this is a compliance pass or failure. If it DC-
accounts exist. is a failure then implement mitigation PERIMETER1
NET0375 Firew all is not configured to protect CAT II Investigate if this is a compliance pass or failure. If it DC-
the netw ork. is a failure then implement mitigation PERIMETER1
NET0700 Operating system is not at a current CAT II Investigate if this is a compliance pass or failure. If it DC-
release level. is a failure then implement mitigation PERIMETER1
NET0390 The IDS or FW is not configured to CAT II Investigate if this is a compliance pass or failure. If it DC-
alarm the admin is a failure then implement mitigation PERIMETER1
NET0440 More than one emergency account is CAT II Investigate the compliance failure and implement DC-
defined. mitigation PERIMETER1
NET- L2TP is terminated in the private CAT II Investigate if this is a compliance pass or failure. If it DC-
TUNL-013 netw ork. is a failure then implement mitigation PERIMETER1
NET0379 Firew all is not operating on a STIG'd CAT II Investigate if this is a compliance pass or failure. If it DC-
OS is a failure then implement mitigation PERIMETER1
NET1637 Management connections are not CAT II Investigate if this is a compliance pass or failure. If it DC-
restricted. is a failure then implement mitigation PERIMETER1
NET0965 TCP connection request w ait times CAT II Investigate if this is a compliance pass or failure. If it DC-
limited. is a failure then implement mitigation PERIMETER1
NET0910 Perimeter is not compliant w ith DOD CAT II Investigate if this is a compliance pass or failure. If it DC-
Instr. 8551.1 is a failure then implement mitigation PERIMETER1
NET- IPv6 Router Advertisements must be CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-004 suppressed. is a failure then implement mitigation PERIMETER1
NET0366 Firew all inspection is not performed CAT II Investigate if this is a compliance pass or failure. If it DC-
adequately is a failure then implement mitigation PERIMETER1
NET0380 Firew all must block loopback CAT II Investigate if this is a compliance pass or failure. If it DC-
address is a failure then implement mitigation PERIMETER1
NET0391 FA is not informed of critical alerts. CAT II Investigate if this is a compliance pass or failure. If it DC-
NET0392 FW alert not w ritten to remote CAT II Investigate if this is a compliance pass or failure. If it DC-
console. is a failure then implement mitigation PERIMETER1
NET0813 NTP messages are not CAT II Investigate the compliance failure and implement DC-
authenticated. mitigation PERIMETER1
NET- IPv6 Site Local Unicast ADDR must CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-025 not be defined is a failure then implement mitigation PERIMETER1
NET- IPv4 Interfaces in NAT-PT receive CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-047 IPv6 is a failure then implement mitigation PERIMETER1
NET0433 The device is not authenticated CAT II Investigate the compliance failure and implement DC-
using a AAA server. mitigation PERIMETER1
NET1807 Management traffic is not restricted CAT II Investigate if this is a compliance pass or failure. If it DC-
NET1808 Remote VPN end-point not a mirror CAT II Investigate if this is a compliance pass or failure. If it DC-
of local gatew ay is a failure then implement mitigation PERIMETER1
NET0991 The OOBM interface not configured CAT II Investigate if this is a compliance pass or failure. If it DC-
correctly. is a failure then implement mitigation PERIMETER1
NET0992 The management interface does not CAT II Investigate if this is a compliance pass or failure. If it DC-
have an ACL. is a failure then implement mitigation PERIMETER1
NET1001 The firew all does not block CAT II Investigate if this is a compliance pass or failure. If it DC-
outbound mgmt traffic is a failure then implement mitigation PERIMETER1
NET1006 IPSec traffic is not restricted CAT II Investigate if this is a compliance pass or failure. If it DC-
NET- ACLs must restrict access to server CAT II Investigate if this is a compliance pass or failure. If it DC-
SRVFRM- VLANs. is a failure then implement mitigation PERIMETER1
003
NET- ACLs do not protect against CAT II Investigate if this is a compliance pass or failure. If it DC-
SRVFRM- compromised servers is a failure then implement mitigation PERIMETER1
004
NET- Server Farm w ithout firew all content CAT II Investigate if this is a compliance pass or failure. If it DC-
SRVFRM- inspection is a failure then implement mitigation PERIMETER1
005
NET- IPv6 6-to-4 addresses are not CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-024 filtered is a failure then implement mitigation PERIMETER1
NET- IPV6 Jumbo payload hop by hop is CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-035 not dropped is a failure then implement mitigation PERIMETER1
NET0405 Call home service is disabled. CAT II Investigate if this is a compliance pass or failure. If it DC-
NET- IPV6 firew all does not meet DITO CAT II Investigate if this is a compliance pass or failure. If it DC-
IPV6-005 requirements is a failure then implement mitigation PERIMETER1
NET1020 A log or syslog statement does not CAT III Investigate the compliance failure and potentially DC-
follow all deny statements. implement mitigation PERIMETER1
NET0190 LAN addresses are not protected CAT III Investigate if this is a compliance pass or failure. If it DC-
from the public. is a failure then potentially implement mitigation PERIMETER1
NET1640 Management connections must be CAT III Investigate if this is a compliance pass or failure. If it DC-
logged. is a failure then potentially implement mitigation PERIMETER1
NET1300 Firew all Admins w ill be logged. CAT III Investigate if this is a compliance pass or failure. If it DC-
is a failure then potentially implement mitigation PERIMETER1
NET1629 The auxiliary port is not disabled. CAT III Investigate if this is a compliance pass or failure. If it DC-
NET0386 Alerts generated at 75% log storage CAT III Investigate if this is a compliance pass or failure. If it DC-
capacity. is a failure then potentially implement mitigation PERIMETER1
NET0388 No FW log dump procedures CAT III Investigate if this is a compliance pass or failure. If it DC-
NET0395 Audit record must display violation CAT III Investigate if this is a compliance pass or failure. If it DC-
NET0396 Alerts must remain until CAT III Investigate if this is a compliance pass or failure. If it DC-
acknow ledged. is a failure then potentially implement mitigation PERIMETER1
NET0398 FW acknow ledge messages must be CAT III Investigate if this is a compliance pass or failure. If it DC-
recorded is a failure then potentially implement mitigation PERIMETER1
NET0422 Key expiration exceeds 180 days. CAT III Investigate if this is a compliance pass or failure. If it DC-
NET0993 The management interface is not CAT III Investigate if this is a compliance pass or failure. If it DC-
IGP passive. is a failure then potentially implement mitigation PERIMETER1
NET0812 Tw o NTP servers are not used to CAT III Investigate the compliance failure and potentially DC-
synchronize time. implement mitigation PERIMETER1
NET1288 Firew all log must be accurate CAT III Investigate if this is a compliance pass or failure. If it DC-
NET1289 FW event records do not include CAT III Investigate if this is a compliance pass or failure. If it DC-
required fields is a failure then potentially implement mitigation PERIMETER1
Table 62: DISA STIG recommendations
4.1.1 Router Policy

The SANS router policy describes a required minimal security configuration for all routers and sw itches connecting to a production
netw ork or used in a production capacity at or on behalf of Nipper Studio. Nipper Studio performed a SANS router policy compliance
audit (dated April 18th 2007) of the device DC-PERIMETER1. The result of the audit is show n in Table 63.
Ref Description Status

3.1 No local user accounts are configured on the device. Devices must use TACACS+ for all user authentication.
3.2 The enable passw ord on the device must be kept in a secure encrypted form. The device must have the enable
passw ord set to the current production device passw ord from the device's support organization
3.3a IP directed broadcasts disabled
3.3b Incoming packets at the device sourced w ith invalid addresses such as RFC1918 address
3.3c TCP small services disabled
3.3d UDP small services disabled
3.3e All source routing disabled
3.3f All w eb services running on router disabled
3.4 Use corporate standardized SNMP community strings
3.5 Access rules are to be added as business needs arise
3.6 The router must be included in the corporate enterprise management system w ith a designated point of contact
3.6 The router must be included in the corporate enterprise management system w ith a designated point of contact
3.7 Each device must have the follow ing statement posted in clear view : "UNAUTHORIZED ACCESS TO THIS NETW ORK
DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on
this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law
enforcement. There is no right to privacy on this device."
3.8 Telnet may never be used across any netw ork to manage a router, unless there is a secure tunnel protecting the entire
communication path. SSH is the preferred management protocol
Table 63: DC-PERIMETER1 SANS router policy compliance
4.1.2 Audit Logging Policy

Nipper Studio performed an audit of DC-PERIMETER1 against the controls detailed in the SANS Information Systems Audit Logging
Policy (2007). This section details the compliance of the device against that policy.
A - Underlying Requirements
All systems that handle confidential information, accept netw ork connections, or make access control (authentication and
authorization) decisions shall record and retain audit-logging information sufficient to record the elements detailed in Table 64.

A.1 W hat activity w as performed?
A.2 W ho or w hat performed the activity, including w here or on w hat system the activity w as performed from (subject)?
A.3 W hat the activity w as performed on (object)?
A.4 W hen w as the activity performed?
A.5 W hat tool(s) w as the activity w as performed w ith?
A.6 W hat w as the status (such as success vs. failure), outcome, or result of the activity?
Table 64: DC-PERIMETER1 audit logging underlying requirements
B - Activities to be Logged
Logs shall be created w henever any of the activities detailed in Table 65 are requested to be performed by the system.

B.1 Create, read, update, or delete confidential information, including confidential authentication information such as
passw ords
B.2 Create, update, or delete information not covered in B.1
B.3 Initiate a netw ork connection
B.4 Accept a netw ork connection
B.5 User authentication and authorization for activities covered in B.1 or B.2 such as user login and logout
B.6 Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing
file permissions, changing database object permissions, changing firew all rules, and user passw ord changes
B.7 System, netw ork, or services configuration changes, including installation of softw are patches and updates, or other
installed softw are changes
B.8 Application process startup, shutdow n, or restart
B.9 Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or
threshold (such as for CPU, memory, netw ork connections, netw ork bandw idth, disk space, or other resources), the
failure of netw ork services such as DHCP or DNS, or hardw are fault
B.10 Detection of suspicious/malicious activity such as from an IDS/IPS, anti-virus system, or anti-spyw are system
Table 65: DC-PERIMETER1 audit logging activities
C - Elements of the Log

Logs shall identify or contain at least the elements listed in Table 66 either directly or indirectly.

C.1 Type of action - examples include authorize, create, read, update, delete, and accept netw ork connection
C.2 Subsystem performing the action - examples include process or transaction name, process or transaction identifier
C.3 Identifiers (as many as available) for the subject requesting the action - examples include user name, computer name,
IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation
C.4 Identifiers (as many as available) for the object the action w as performed on - examples include file names accessed,
unique identifiers of records accessed in a database, query parameters used to determine records accessed in a
database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to
facilitate log correlation
facilitate log correlation
C.5 Before and after values w hen action involves updating a data element, if feasible
C.6 Date and time the action w as performed, including relevant time-zone information if not in Coordinated Universal Time
C.7 W hether the action w as allow ed or denied by access-control mechanisms
C.8 Description and/or reason-codes of w hy the action w as denied by the access-control mechanism, if applicable
Table 66: DC-PERIMETER1 audit logging elements
D - Formatting and Storage

The system shall support the formatting and storage of audit logs in such a w ay as to ensure the integrity of the logs and to
support enterprise-level analysis and reporting. The status of this requirement is show n in Table 67.

D Supports enterprise level reporting and maintains log integrity
Table 67: DC-PERIMETER1 audit logging storage
4.1.3 Audit Coverage

Nipper Studio audited DC-PERIMETER1 against the follow ing tw o SANS policies:
Router policy (April 18th 2007);
Information systems audit logging policy (2007).
Nipper Studio can conclude the follow ing statistics from the audit (percentages have been rounded); seven checks passed (18%),
tw o checks failed (5%), 29 checks require a manual assessment (76%).
5.1 Introduction
This section details the configuration settings of your device in an easy to read and understand format. The various device
configuration settings are grouped into sections of related options.
5.2 Fortinet FortiGate Firewall FG100D DC-PERIMETER1 Configuration Report
5.2.1 Basic Information
Description Setting
Name DC-PERIMETER1
Device Fortinet FortiGate Firew all FG100D
Model FG100D
Configuration Revision 15337751207499427911
Table 68: Basic information
5.2.2 Network Services

Table 69 outlines the netw ork services configured on the device and their status. The service settings are described in greater
detail in the proceeding sections.
detail in the proceeding sections.
Service Status Protocol Port

Telnet Service Disabled TCP 23
SSH Service Disabled TCP 22
W eb Administration Service (HTTP) Disabled TCP 80
W eb Administration Service (HTTPS) Disabled TCP 443
SNMP Service Enabled UDP 161
Table 69: Network services
5.2.3 Authentication
This section details the authentication configuration settings for DC-PERIMETER1.
5.2.3.1 Local Users

This section details the users configured on DC-PERIMETER1.

AHB1234
APB1626
VNK1614
USM1562
AMIT (ENCRYPTED)
Table 70: Users
5.2.4 Administration
This section describes the administration services and configuration settings that are supported by Fortinet FortiGate Firew all
FG100D devices. Each subsection covers the configuration of a specific administration service or services.
5.2.4.1 General Administration Settings

This section describes some general Fortinet FortiGate Firew all FG100D device administration settings.
Description Setting
Console Port Enabled
Service Connection Timeout 10 minutes
Table 71: General administration settings
5.2.4.2 Telnet Service Settings

The Telnet service enables remote administrative access to a Command Line Interface (CLI) on DC-PERIMETER1. The Telnet protocol
implemented by the service is simple and provides no encryption of the netw ork communications betw een the client and the server.
This section details the Telnet service settings.
Description Setting
Telnet Service Disabled
Service TCP Port 23
Table 72: Telnet service settings
5.2.4.3 SSH Service Settings

The SSH service enables a remote administrator to access a CLI on DC-PERIMETER1. The SSH protocol provides complete encryption
of the netw ork packets betw een the connecting client and the server. There are tw o main versions of the SSH protocol.
This section details the SSH service settings.
Description Setting
SSH Service Disabled
Service TCP Port 22
SSH Protocol Version 1
Table 73: SSH service settings
5.2.4.4 Web-Based Administration Service Settings
The Web-based administration service enables a remote administrator to manage the device using a w eb brow ser. Fortinet
FortiGate Firew all FG100D devices provide administrative access using both the HyperText Transfer Protocol (HTTP) and HyperText
Transfer Protocol over SSL (HTTPS) protocols. Although the HTTPS protocol provides encryption of the connection betw een the
administrator and the device, the HTTP protocol provides no encryption.
This section details the configuration of the w eb-based administration.
Description Setting
W eb Administration Service (HTTP) Disabled
HTTP TCP Port 80
W eb Administration Service (HTTPS) Disabled
HTTPS TCP Port 443
Secure W eb Administration Service Redirect Disabled
Force Strong Ciphers Disabled
Table 74: Web-based administration service settings
5.2.5 Logon Banner Message

The importance of banner messages can often be overlooked. Banner messages are useful for providing a deterrent against
unauthorized access or reminding a user about procedural details for making modifications to a devices configuration. If a w arning
message has been configured and an attacker has gained unauthorized access, the banner message could act as evidence of an
attackers intent. This section details the banner messages configured on DC-PERIMETER1.
5.2.5.1 E-Mail email-block Banner
5.2.5.2 E-Mail email-dlp-subject Banner
5.2.5.3 E-Mail email-dlp-ban Banner
5.2.5.4 E-Mail email-filesize Banner
5.2.5.5 E-Mail partial Banner
5.2.5.6 E-Mail smtp-block Banner
5.2.5.7 E-Mail smtp-filesize Banner
5.2.5.8 Web Access bannedword Banner
5.2.5.9 Web Access url-block Banner
5.2.5.10 Web Access urlfilter-err Banner
5.2.5.11 Web Access infcache-block Banner
5.2.5.12 Web Access http-block Banner
5.2.5.13 Web Access http-filesize Banner
5.2.5.14 Web Access http-dlp-ban Banner
5.2.5.15 Web Access http-archive-block Banner
5.2.5.16 Web Access http-contenttypeblock Banner

5.2.5.16 Web Access http-contenttypeblock Banner
5.2.5.17 Web Access https-invalid-cert-block Banner
5.2.5.18 Web Access http-client-block Banner
5.2.5.19 Web Access http-client-filesize Banner
5.2.5.20 Web Access http-client-bannedword Banner
5.2.5.21 Web Access http-post-block Banner
5.2.5.22 Web Access http-client-archive-block Banner
5.2.5.23 Web Access switching-protocols-block Banner
5.2.5.24 webproxy deny Banner
5.2.5.25 webproxy user-limit Banner
5.2.5.26 webproxy auth-challenge Banner
5.2.5.27 webproxy auth-login-fail Banner
5.2.5.28 webproxy auth-authorization-fail Banner
5.2.5.29 webproxy http-err Banner
5.2.5.30 webproxy auth-ip-blackout Banner
5.2.5.31 FTP Access ftp-dl-blocked Banner
5.2.5.32 FTP Access ftp-dl-filesize Banner
5.2.5.33 FTP Access ftp-dl-dlp-ban Banner
5.2.5.34 FTP Access ftp-explicit-banner Banner
5.2.5.35 FTP Access ftp-dl-archive-block Banner
5.2.5.36 NNTP Access nntp-dl-blocked Banner
5.2.5.37 NNTP Access nntp-dl-filesize Banner
5.2.5.38 NNTP Access nntp-dlp-subject Banner
5.2.5.39 NNTP Access nntp-dlp-ban Banner

5.2.5.40 Web Filtering ftgd-block Banner
5.2.5.41 Web Filtering http-err Banner
5.2.5.42 Web Filtering ftgd-ovrd Banner
5.2.5.43 Web Filtering ftgd-quota Banner
5.2.5.44 Web Filtering ftgd-warning Banner
5.2.5.45 spam ipblocklist Banner
5.2.5.46 spam smtp-spam-dnsbl Banner
5.2.5.47 spam smtp-spam-feip Banner
5.2.5.48 spam smtp-spam-helo Banner
5.2.5.49 spam smtp-spam-emailblack Banner
5.2.5.50 spam smtp-spam-mimeheader Banner
5.2.5.51 spam reversedns Banner
5.2.5.52 spam smtp-spam-bannedword Banner
5.2.5.53 spam smtp-spam-ase Banner
5.2.5.54 spam submit Banner
5.2.5.55 Instant Messaging im-file-xfer-block Banner
5.2.5.56 Instant Messaging im-file-xfer-name Banner
5.2.5.57 Instant Messaging im-file-xfer-infected Banner
5.2.5.58 Instant Messaging im-file-xfer-size Banner
5.2.5.59 Instant Messaging im-dlp Banner
5.2.5.60 Instant Messaging im-dlp-ban Banner
5.2.5.61 Instant Messaging im-voice-chat-block Banner
5.2.5.62 Instant Messaging im-video-chat-block Banner

5.2.5.63 Instant Messaging im-photo-share-block Banner
5.2.5.64 Instant Messaging im-long-chat-block Banner
5.2.5.65 E-Mail Alert alertmail-virus Banner
5.2.5.66 E-Mail Alert alertmail-block Banner
5.2.5.67 E-Mail Alert alertmail-nids-event Banner
5.2.5.68 E-Mail Alert alertmail-crit-event Banner
5.2.5.69 E-Mail Alert alertmail-disk-full Banner
5.2.5.70 admin pre_admin-disclaimer-text Banner
This is a private computer system. Unauthorized access or use

is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
5.2.5.71 admin post_admin-disclaimer-text Banner
5.2.5.72 Authenitication auth-disclaimer-page-1 Banner
5.2.5.75 Authenitication auth-reject-page Banner
5.2.5.76 Authenitication auth-login-page Banner
5.2.5.77 Authenitication auth-login-failed-page Banner
5.2.5.78 Authenitication auth-token-login-page Banner
5.2.5.79 Authenitication auth-token-login-failed-page Banner
5.2.5.80 Authenitication auth-success-msg Banner
5.2.5.81 Authenitication auth-challenge-page Banner

5.2.5.82 Authenitication auth-keepalive-page Banner
5.2.5.83 Authenitication auth-portal-page Banner
5.2.5.84 Authenitication auth-password-page Banner
5.2.5.85 Authenitication auth-fortitoken-page Banner
5.2.5.86 Authenitication auth-next-fortitoken-page Banner
5.2.5.87 Authenitication auth-email-token-page Banner
5.2.5.88 Authenitication auth-sms-token-page Banner
5.2.5.89 Authenitication auth-email-harvesting-page Banner
5.2.5.90 Authenitication auth-email-failed-page Banner
5.2.5.91 Authenitication auth-cert-passwd-page Banner
5.2.5.92 Authenitication auth-guest-print-page Banner
5.2.5.93 Authenitication auth-guest-email-page Banner
5.2.5.94 Authenitication auth-success-page Banner
5.2.5.95 Authenitication auth-block-notification-page Banner
5.2.5.96 SSL VPN sslvpn-login Banner
5.2.5.97 SSL VPN sslvpn-limit Banner
5.2.5.98 SSL VPN hostcheck-error Banner
5.2.5.99 ec endpt-download-portal Banner
5.2.5.100 ec endpt-download-portal-mac Banner
5.2.5.101 ec endpt-download-portal-ios Banner
5.2.5.102 ec endpt-download-portal-aos Banner
5.2.5.103 ec endpt-download-portal-other Banner
5.2.5.104 device-detection-portal device-detection-failure Banner

5.2.5.105 nac-quar nac-quar-virus Banner
5.2.5.106 nac-quar nac-quar-dos Banner
5.2.5.107 nac-quar nac-quar-ips Banner
5.2.5.108 nac-quar nac-quar-dlp Banner
5.2.5.109 nac-quar nac-quar-admin Banner
5.2.5.110 traffic-quota per-ip-shaper-block Banner
5.2.5.111 utm virus-html Banner
5.2.5.112 utm virus-text Banner
5.2.5.113 utm dlp-html Banner
5.2.5.114 utm dlp-text Banner
5.2.5.115 utm appblk-html Banner
5.2.6 SNMP Settings

SNMP is used to assist netw ork administrators in monitoring and managing a w ide variety of netw ork devices. There are three main
versions of SNMP in use. Versions 1 and 2 of SNMP are both secured w ith a community string and authenticate and transmit
netw ork packets w ithout any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most
basic level provides a similar protection to that of the earlier protocol versions. How ever, SNMP version 3 can be configured to
provide encrypted authentication (auth) and secured further w ith support for encrypted data communications (priv).
This section describes the DC-PERIMETER1 SNMP configuration settings.
Description Setting
SNMP Service Enabled
UDP Port 161
Table 75: SNMP settings
5.2.6.1 SNMP Community

SNMP community strings are used to authenticate access betw een a Netw ork Management System (NMS) and the Fortinet FortiGate
Firew all FG100D SNMP agent. A connecting NMS, using SNMP protocol versions 1 or 2c, must provide the SNMP agent w ith a valid
community string w hen making a MIB read or w rite request.
Community Access Version

adccb Read Only 1 and 2c
Table 76: SNMP community configuration
5.2.6.2 SNMP Traps

The Fortinet FortiGate Firew all FG100D SNMP agent can be configured to send trap notifications to a NMS or SNMP manager host.
Once a trap is sent, the Fortinet FortiGate Firew all FG100D SNMP agent assumes that the receiving host received the notification, no
confirmation is expected.
Host Version Community Interface

172.21.28.16 1 and 2c DC-Admin
Table 77: SNMP trap hosts
Notification
cpu-high
cpu-high
mem-low
log-full
intf-ip
vpn-tun-up
vpn-tun-dow n
ha-sw itch
ha-hb-failure
ips-signature
ips-anomaly
av-virus
av-oversize
av-pattern
av-fragmented
fm-if-change
bgp-established
bgp-backw ard-transition
ha-member-up
ha-member-dow n
ent-conf-change
av-conserve
av-bypass
av-oversize-passed
av-oversize-blocked
ips-pkg-update
ips-fail-open
faz-disconnect
w c-ap-up
w c-ap-dow n
fsw ctl-session-up
fsw ctl-session-dow n
Table 78: SNMP notifications
5.2.7 Message Logging

Fortinet FortiGate Firew all FG100D devices are capable of logging system events and messages. Those logs can then be recalled at
a later time, assisting administrators in the diagnosis of system faults or alerting system administrators of an attack. This section
details the devices logging configuration.
5.2.7.1 Syslog Logging

Syslog messages can be sent by Fortinet FortiGate Firew all FG100D devices to a Syslog server. Syslog servers provide the follow ing
advantages:
a central repository for logs from a range of netw ork devices;
a potentially longer retention period for logs than a device may be capable of storing;
a troubleshooting resource for w hen a device may no longer be responsive;
an external log source, in case the security of a device has been compromised;
support for an industry standard logging system.
This section details the Syslog configuration settings.
Description Setting
Syslog Logging Enabled
Severity Level Alerts (1)
Table 79: Syslog logging configuration
Enabled Host Description Protocol Port Facility

Yes 10.10.10.4 First UDP 514 local7
Table 80: Syslog hosts
5.2.7.2 Web Trends Logging

Fortinet FortiGate Firew all FG100D devices can log messages to a Web Trends server. This section details the Web Trends logging
configuration settings.
Description Setting
W eb Trends Logging Disabled
W eb Trends Server
W eb Trends Severity Level Alerts (1)
Table 81: Web Trends logging configuration
5.2.7.3 FortiAnalyzer Logging

Fortinet FortiGate Firew all FG100D devices can log messages to a FortiAnalyzer server for further analysis. This section details the
FortiAnalyzer logging configuration settings.
Description Setting
FortiAnalyzer Logging Disabled
Table 82: FortiAnalyzer logging configuration
5.2.7.4 Memory Logging Settings

Fortinet FortiGate Firew all FG100D devices can log messages to the devices memory. By its nature, the memory is size limited and
therefore new er messages w ill overw rite older ones w hen the memory log size has been reached. This section details the memory
logging configuration settings.
Description Setting
Memory Logging Enabled
Memory Severity Level Emergencies (0)
Table 83: Memory logging configuration

Fortinet FortiGate Firew all FG100D devices can be configured to resolve name to address mappings. This section details those
settings.
5.2.8.1 DNS Client

Th e DNS service stores information about mappings betw een a devices IP address and a name, w hich is easier for humans to
recognize and remember. Fortinet FortiGate Firew all FG100D devices can be configured to query a DNS in order to resolve names to
addresses. This section details those configuration settings.
Description Setting
DNS Type Standard
Table 84: DNS client configuration
Description Server IP Address

Primary 208.91.112.53
Secondary 208.91.112.52
Table 85: DNS servers
5.2.9 Network Protocols

This section details the configuration of the netw ork protocols supported by Fortinet FortiGate Firew all FG100D devices. Each
section details specific settings such as any netw ork protocol address configuration settings.
5.2.9.1 IPv4
This section details the configuration of the Internet Protocol version 4 (IPv4) protocol and addresses. IPv4 is described in RFC 791.
Interface Active Address Proxy-ARP

w an1 Yes 172.22.22.1/24 On
dmz Yes On
modem Yes DHCP On
w an2 Yes DHCP On
mgmt Yes 172.23.21.130/24 On
ha1 Yes On
ha2 Yes On
port1 Yes On
port2 Yes On
port3 Yes On
port4 Yes On
port5 Yes On
port6 Yes 172.30.11.1/24 On
port6 Yes 172.30.11.1/24 On
port7 Yes On
port8 Yes On
port9 Yes On
port10 Yes 172.30.10.1/24 On
port11 Yes On
port12 Yes On
port13 Yes On
port14 Yes On
lan Yes 172.168.1.97/29 On
DC-Router Yes 192.168.1.97/24 On
CheckPoint-FW Yes 172.22.26.4/24 On
DC-Admin Yes 172.21.28.1/24 On
HO-USERS Yes 192.168.6.1/24 On
RTGS Yes 172.30.0.100/24 On
ATM Yes 172.21.29.4/24 On
BRANCH-BACKUP Yes 172.21.26.1/24 On
Table 86: IPv4 addresses
Interface Active Redirects

w an1 Yes Off
dmz Yes On
modem Yes On
w an2 Yes On
mgmt Yes On
ha1 Yes On
ha2 Yes On
port1 Yes On
port2 Yes On
port3 Yes On
port4 Yes On
port5 Yes On
port6 Yes On
port7 Yes On
port8 Yes On
port9 Yes On
port10 Yes On
port11 Yes On
port12 Yes On
port13 Yes On
port14 Yes On
lan Yes On
DC-Router Yes On
CheckPoint-FW Yes On
DC-Admin Yes On
HO-USERS Yes On
RTGS Yes On
ATM Yes On
BRANCH-BACKUP Yes On
Table 87: IPv4 ICMP Options
5.2.10 Network Interfaces

This section details the configuration of both physical and virtual netw ork interfaces.
5.2.10.1 Ethernet Interfaces

This section describes the configuration of the devices Ethernet interfaces.
Interface Active
w an1 Yes
dmz Yes
modem Yes
w an2 Yes
mgmt Yes
ha1 Yes
ha2 Yes
port1 Yes
port2 Yes
port3 Yes
port4 Yes
port5 Yes
port6 Yes
port7 Yes
port8 Yes
port9 Yes
port10 Yes
port11 Yes
port12 Yes
port13 Yes
port14 Yes
lan Yes
DC-Router Yes
CheckPoint-FW Yes
DC-Admin Yes
HO-USERS Yes
RTGS Yes
ATM Yes
BRANCH-BACKUP Yes
Table 88: Ethernet interfaces
5.2.10.2 Tunnel Interfaces

This section describes the configuration of the devices tunnel interfaces.
Interface Active
ssl.root Yes
Table 89: Tunnel interfaces
5.2.11 Routing Configuration

This section describes the routing configuration settings.
5.2.11.1 Static Routes

Fortinet FortiGate Firew all FG100D devices can be configured w ith static netw ork routes. This section details the static netw ork
routes.
Interface Address Gateway Metric

CheckPoint-FW 172.21.23.0/24 172.22.26.3
CheckPoint-FW 172.21.25.0/24 172.22.26.3
ATM 10.13.135.39/32 172.21.29.3
ATM 10.13.135.58/32 172.21.29.3
ATM 192.168.171.40/32 172.21.29.3
ATM 192.168.171.33/32 172.21.29.3
ATM 202.138.123.73/32 172.21.29.3
RTGS 10.28.1.171/32 172.30.0.50
RTGS 10.29.2.11/32 172.30.0.50
RTGS 10.29.3.51/32 172.30.0.50
CheckPoint-FW 10.29.1.191/32 172.22.26.3
RTGS 10.35.3.51/32 172.30.0.50
RTGS 10.28.3.51/32 172.30.0.50
RTGS 10.0.67.18/32 172.30.0.50
RTGS 10.0.67.166/32 172.30.0.50
RTGS 10.0.67.115/32 172.30.0.50
RTGS 10.0.67.194/32 172.30.0.50
CheckPoint-FW 172.21.22.0/24 172.22.26.3
DC-Router 192.168.11.0/24 192.168.1.100
DC-Router 192.168.26.0/24 192.168.1.100
DC-Router 192.168.22.0/24 192.168.1.100
DC-Router 192.168.2.0/24 192.168.1.100
DC-Router 192.168.3.0/24 192.168.1.100
DC-Router 192.168.4.0/24 192.168.1.100
DC-Router 192.168.7.0/24 192.168.1.100
DC-Router 192.168.8.0/24 192.168.1.100
DC-Router 192.168.9.0/24 192.168.1.100
DC-Router 192.168.10.0/24 192.168.1.100
DC-Router 192.168.12.0/24 192.168.1.100
DC-Router 192.168.13.0/24 192.168.1.100
DC-Router 192.168.14.0/24 192.168.1.100
DC-Router 192.168.15.0/24 192.168.1.100
DC-Router 192.168.16.0/24 192.168.1.100
DC-Router 192.168.17.0/24 192.168.1.100
DC-Router 192.168.18.0/24 192.168.1.100
DC-Router 192.168.19.0/24 192.168.1.100
DC-Router 192.168.20.0/24 192.168.1.100
DC-Router 192.168.21.0/24 192.168.1.100
DC-Router 192.168.24.0/24 192.168.1.100
DC-Router 192.168.25.0/24 192.168.1.100
DC-Router 192.168.28.0/24 192.168.1.100
DC-Router 192.168.30.0/24 192.168.1.100
DC-Router 192.168.31.0/24 192.168.1.100
DC-Router 192.168.32.0/24 192.168.1.100
DC-Router 192.168.33.0/24 192.168.1.100
DC-Router 192.168.34.0/24 192.168.1.100
DC-Router 192.168.35.0/24 192.168.1.100
DC-Router 192.168.36.0/24 192.168.1.100
DC-Router 192.168.37.0/24 192.168.1.100
DC-Router 192.168.38.0/24 192.168.1.100
DC-Router 192.168.39.0/24 192.168.1.100
DC-Router 192.168.40.0/24 192.168.1.100
DC-Router 192.168.41.0/24 192.168.1.100
DC-Router 192.168.42.0/24 192.168.1.100
DC-Router 192.168.110.0/24 192.168.1.100
DC-Router 192.168.43.0/24 192.168.1.100
DC-Router 192.168.44.0/24 192.168.1.100
DC-Router 192.168.45.0/24 192.168.1.100
DC-Router 192.168.46.0/24 192.168.1.100
DC-Router 192.168.47.0/24 192.168.1.100
DC-Router 192.168.48.0/24 192.168.1.100
DC-Router 192.168.49.0/24 192.168.1.100
DC-Router 192.168.50.0/24 192.168.1.100
DC-Router 192.168.51.0/24 192.168.1.100
DC-Router 192.168.114.0/24 192.168.1.100
DC-Router 192.168.52.0/24 192.168.1.100
DC-Router 192.168.53.0/24 192.168.1.100
DC-Router 192.168.54.0/24 192.168.1.100
DC-Router 192.168.55.0/24 192.168.1.100
DC-Router 192.168.56.0/24 192.168.1.100
DC-Router 192.168.57.0/24 192.168.1.100
DC-Router 192.168.58.0/24 192.168.1.100
DC-Router 192.168.59.0/24 192.168.1.100
DC-Router 192.168.60.0/24 192.168.1.100
DC-Router 192.168.61.0/24 192.168.1.100
DC-Router 192.168.62.0/24 192.168.1.100
DC-Router 192.168.64.0/24 192.168.1.100
DC-Router 192.168.65.0/24 192.168.1.100
DC-Router 192.168.66.0/24 192.168.1.100
DC-Router 192.168.67.0/24 192.168.1.100
DC-Router 192.168.68.0/24 192.168.1.100
DC-Router 192.168.70.0/24 192.168.1.100
DC-Router 192.168.71.0/24 192.168.1.100
DC-Router 192.168.72.0/24 192.168.1.100
DC-Router 192.168.73.0/24 192.168.1.100
DC-Router 192.168.74.0/24 192.168.1.100
DC-Router 192.168.75.0/24 192.168.1.100
DC-Router 192.168.76.0/24 192.168.1.100
DC-Router 192.168.77.0/24 192.168.1.100
DC-Router 192.168.78.0/24 192.168.1.100
DC-Router 192.168.79.0/24 192.168.1.100
DC-Router 192.168.80.0/24 192.168.1.100
DC-Router 192.168.81.0/24 192.168.1.100
DC-Router 192.168.82.0/24 192.168.1.100
DC-Router 192.168.83.0/24 192.168.1.100
DC-Router 192.168.109.0/24 192.168.1.100
DC-Router 192.168.112.0/24 192.168.1.100
DC-Router 192.168.84.0/24 192.168.1.100
DC-Router 192.168.85.0/24 192.168.1.100
DC-Router 192.168.86.0/24 192.168.1.100
DC-Router 192.168.87.0/24 192.168.1.100
DC-Router 192.168.88.0/24 192.168.1.100
DC-Router 192.168.89.0/24 192.168.1.100
DC-Router 192.168.90.0/24 192.168.1.100
DC-Router 192.168.91.0/24 192.168.1.100
DC-Router 192.168.92.0/24 192.168.1.100
DC-Router 192.168.111.0/24 192.168.1.100
DC-Router 192.168.113.0/24 192.168.1.100
DC-Router 192.168.93.0/24 192.168.1.100
DC-Router 192.168.94.0/24 192.168.1.100
DC-Router 192.168.95.0/24 192.168.1.100
DC-Router 192.168.96.0/24 192.168.1.100
DC-Router 192.168.97.0/24 192.168.1.100
DC-Router 192.168.98.0/24 192.168.1.100
DC-Router 192.168.99.0/24 192.168.1.100
DC-Router 192.168.100.0/24 192.168.1.100
DC-Router 192.168.101.0/24 192.168.1.100
DC-Router 192.168.102.0/24 192.168.1.100
DC-Router 192.168.103.0/24 192.168.1.100
DC-Router 192.168.104.0/24 192.168.1.100
DC-Router 192.168.105.0/24 192.168.1.100
DC-Router 192.168.106.0/24 192.168.1.100
DC-Router 192.168.108.0/24 192.168.1.100
DC-Router 192.168.107.0/24 192.168.1.100
CheckPoint-FW 172.21.27.1/32 172.22.26.3
DC-Router 192.168.251.0/24 192.168.1.100
ATM 10.13.139.2/32 172.21.29.3
CheckPoint-FW 172.21.24.0/24 172.22.26.3
DC-Router 192.168.250.0/24 192.168.1.100
ATM 10.13.15.65/32 172.21.29.3
CheckPoint-FW 10.10.10.0/28 172.22.26.5
DC-Router 192.168.252.0/24 192.168.1.100
CheckPoint-FW 172.21.21.0/24 172.22.26.3
RTGS 10.35.1.171/32 172.30.0.50
DC-Router 172.17.17.0/24 192.168.1.100
DC-Router 172.19.19.0/24 192.168.1.100
w an1 172.22.22.3
DC-Router 192.168.5.0/24 192.168.1.100
DC-Router 192.168.23.0/24 192.168.1.100
DC-Router 192.168.29.0/24 192.168.1.100
DC-Router 172.20.20.0/24 192.168.1.100
DC-Router 192.168.115.0/24 192.168.1.246
ATM 202.138.123.75/32 172.21.29.3
DC-Router 192.168.125.0/24 192.168.1.100
CheckPoint-FW 172.28.28.0/24 172.22.26.3
DC-Router 192.168.246.0/29 192.168.1.100
DC-Router 192.168.253.0/24 192.168.1.100
DC-Router 192.168.116.0/24 192.168.1.100
ATM 192.168.171.28/32 172.21.29.3
DC-Router 192.168.246.8/29 192.168.1.100
port10 172.23.25.0/24 172.30.10.2
CheckPoint-FW 172.16.16.0/24 172.22.26.3
DC-Router 172.16.16.0/24 192.168.1.100
DC-Router 192.168.63.0/24 192.168.1.100
CheckPoint-FW 172.18.18.1/32 172.22.26.3
CheckPoint-FW 172.18.18.2/32 172.22.26.3
port6 172.17.24.0/24 172.30.11.2
RTGS 10.100.0.119/32 172.30.0.50
port6 172.18.2.0/24 172.30.11.2
RTGS 10.29.1.171/32 172.30.0.50
RTGS 10.29.1.191/32 172.30.0.50
DC-Router 192.168.188.0/24 192.168.1.246
DC-Router 192.168.128.0/24 192.168.1.246
DC-Router 192.168.133.0/24 192.168.1.246
DC-Router 192.168.143.0/24 192.168.1.246
DC-Router 192.168.151.0/24 192.168.1.246
DC-Router 192.168.158.0/24 192.168.1.246
DC-Router 192.168.164.0/24 192.168.1.246
DC-Router 192.168.170.0/24 192.168.1.246
DC-Router 192.168.178.0/24 192.168.1.246
DC-Router 192.168.184.0/24 192.168.1.246
DC-Router 192.168.193.0/24 192.168.1.246
DC-Router 192.168.199.0/24 192.168.1.246
port6 192.168.183.50/32 172.30.11.2
port6 172.17.25.0/24 172.30.11.2
ATM 10.13.135.130/32 172.21.29.3
ATM 10.13.139.23/32 172.21.29.3
ATM 192.168.162.164/32 172.21.29.3
RTGS 10.0.67.39/32 172.30.0.50
RTGS 10.28.2.162/32 172.30.0.50
RTGS 10.29.3.128/32 172.30.0.50
port6 192.168.162.163/32 172.30.11.2
ATM 192.168.171.6/32 172.21.29.3
CheckPoint-FW 172.19.19.0/32 172.22.26.3
port6 172.17.2.83/32 172.30.11.2
CheckPoint-FW 172.21.27.5/32 172.22.26.3
port10 10.0.4.185/32 172.30.10.2
ATM 10.13.135.30/32 172.21.29.3
port6 172.17.2.75/32 172.30.11.2
Table 90: Static network routes
5.2.12 Network Filtering

Fortinet FortiGate Firew all FG100D devices can be configured to filter netw ork traffic in order to restrict access to devices and
services. Those netw ork filtering settings are detailed in this section.
5.2.12.1 Firewall Policy

The firew all policy defines w hat netw ork traffic w ill be permitted to pass through the Fortinet FortiGate Firew all FG100D device.
The firew all policy defines w hat netw ork traffic w ill be permitted to pass through the Fortinet FortiGate Firew all FG100D device.

VMW ARE-CLIENT
Vinod Raut
VAIBHAV
MORESIR
32 No MGMNT-PC Any Any No
CTS Server
Datacenter-Laptop-2
W SUS
184 No VMW ARE-CLIENT Adobe Login Any No
Block Internet IP-1
Block Internet IP-2
Table 91: Firewall Policy from DC-Admin to wan1

Table 92: Firewall Policy from lan to wan1

2 Yes Sophos-Backup-1 APP-SERVERS APP-Services No
Sophos-Backup-2 APP1
Sophos-Backup-3
Sophos-Backup-4
118 Yes BRANCHES-Group-1 APP1 APP-Services No
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra APP-SERVERS
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram
Ch
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
3 Yes Sophos-Backup-1 DOMAIN Domain-Services No
Sophos-Backup-2 PrimaryDomain
Sophos-Backup-3 BackupDomain
Sophos-Backup-4
119 Yes BRANCHES-Group-1 PrimaryDomain Domain-Services No
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra BackupDomain
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram DOMAIN
Ch
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
4 Yes softw areupdate.vmw are.com DATABASE DATABASE- No
Sophos-Backup-1 SQLDB SERVICES
Sophos-Backup-2 ALL_ICMP
Sophos-Backup-3
Sophos-Backup-4
120 Yes BRANCHES-Group-1 DATABASE ALL_ICMP No
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra DATABASE-
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram SERVICES
Ch
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
28 Yes BRANCHES-Group-1 EMAIL-SERVER ALL_ICMP No
Branches-Group-2 HTTPS
Branches-Group-3 TCP-8443
Branches-Group-4 SMTPS
BranchesGroup-5
Ch
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra
BRANCH-GROUP-6
BRANCH-DVR
58 Yes BRANCHES-Group-1 Antivirus- AntivirusServices No
Branches-Group-2 Server
Branches-Group-3
Branches-Group-4
BranchesGroup-5
Ch
BRANCH-GROUP-6
53 Yes Sophos-Backup-1 APP-1 APBS No
Sophos-Backup-2 APPLICATION1
Sophos-Backup-2 APPLICATION1
Sophos-Backup-3
Sophos-Backup-4
122 Yes BRANCHES-Group-1 APP-1 APBS No
Ch
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
104 Yes DR-DOMAINS DOMAIN Domain-Services No
112 Yes BRANCH-GROUP-6 DATABASE DATABASE- No

SERVICES
113 Yes BRANCH-GROUP-6 DOMAIN Domain-Services No
114 Yes BRANCH-GROUP-6 APP-SERVERS APP-Services No
116 Yes BRANCH-GROUP-6 APP-1 APBS No
191 Yes Sophos-Backup-1 BBPS API ALL_ICMP No

Sophos-Backup-2 TRACEROUTE
Sophos-Backup-3 TCP-8012
Sophos-Backup-4
187 Yes BRANCHES-Group-1 BBPS API ALL_ICMP No
Branches-Group-2 TRACEROUTE
Branches-Group-4
BranchesGroup-5
BRANCH-GROUP-6
ratanlal-BSNL-W an
Table 93: Firewall Policy from DC-Router to CheckPoint-FW

5 Yes DC-ADMIN-USERS APP-SERVERS APP-Services No
Datacenter-Laptops APPLICATION1 APBS
Vinod Raut
189 Yes VMW ARE-CLIENT BBPS API TRACEROUTE No
PRASANNA ALL_ICMP
VAIBHAV TCP-8012
Datacenter-Laptop-1
Datacenter-Laptop-2
DC-ADMIN-USERS
Vinod Raut
DC-ADMIN-USERS-2
Nelito_Tech
6 Yes DC-ADMIN-USERS DOMAIN Domain-Services No
Netw ork-Admin
ProxyServer
Datacenter-Laptops
Vinod Raut
7 Yes DC-ADMIN-USERS DATABASE DATABASE-SERVICES No
Datacenter-Laptops SQLDB RDP
Vinod Raut
27 Yes DC-ADMIN-USERS EMAIL-SERVER HTTPS No
nw adm VMW ARE-HOST TCP-8443
MGMNT-PC ALL_ICMP
DC-ADMIN-USERS-2 HTTP
Datacenter-Laptops SMTP
Vinod Raut SMTPS
POP3
IMAP
POP3S
IMAPS
VMW ARE_1
VMW ARE_2
46 No RTGS-CLIENT1 RtgsInterface RDP No
VMW ARE-CLIENT TCP-139
SMB
47 Yes DC-ADMIN-USERS Antivirus-Server AntivirusServices No
RTGS-CLIENT1
DC-ADMIN-USERS-2
nw adm
Datacenter-Laptops
Vinod Raut
62 Yes DC-ADMIN-USERS TESTSERVR Any No
DC-ADMIN-USERS-2 TESTSERVR_2
Datacenter-Laptops
Vinod Raut
Netw ork-Admin
Nelito_Tech
59 Yes RTGS-CLIENT1 DOMAIN Domain-Services No
68 Yes RTGS-CLIENT1 RtgsInterface ALL_ICMP No
RDP
147 Yes MGMNT-PC RtgsInterface RDP No
ALL_ICMP
70 Yes RTGS-CLIENT1 CA-SERVER RDP No
MGMNT-PC ALL_ICMP
MGMNT2-PC
VAIBHAV
W SUS
VMW ARE-CLIENT
85 No VMW ARE-CLIENT ATMInterface RDP No
IMPS Interface SMB
ALL_ICMP
PING
87 Yes VAIBHAV SMSSERVER RDP No
ALL_ICMP
PING
89 Yes W SUS Antivirus-Server SMB No
RDP
91 Yes VMW ARE-CLIENT VMW ARE-HOST HTTPS No
EMAIL-SERVER SSH
SIEM-SRV TCP/7071-7072
Zabbix_Host TCP/7780
Zabbix_Server ALL_ICMP
HTTP
101 Yes nw adm Antivirus-Server RDP No
108 Yes DC-ADMIN-USERS-2 APP-SERVERS APP-Services No
109 Yes DC-ADMIN-USERS-2 DATABASE DATABASE-SERVICES No

RDP
110 Yes DC-ADMIN-USERS-2 DOMAIN Domain-Services No
111 Yes DC-ADMIN-USERS-2 APP-1 APBS No
146 Yes MGMNT-PC RtgsInterface RDP No
Table 94: Firewall Policy from DC-Admin to CheckPoint-FW

8 Yes HO-USER-ACC-SECTION APP-SERVERS APP-Services No
HO-USERS-ADM-SECTION APP1
HO-USERS-COMP-SECTION
HO-USERS-DATAHUB
HO-USERS-LOAN-SECTION
HO-USERS-STATIONARY-SECTION
VaidyaSir
Mr.Kale
HO-INTERNET-USERS-ATM
Ho Back-Office
HO_NEW _IP_Series
CTS-PC
SachinNelito
CTS CHQ Printing
9 Yes HO-USER-ACC-SECTION DOMAIN Domain-Services No
HO-USERS-ADM-SECTION PrimaryDomain
HO-USERS-COMP-SECTION BackupDomain
HO-USERS-DATAHUB
ATM-CIVIL-LINES
ATM-FINCRAFT-USER1
ATM-FINCRAFT-USER2
VaidyaSir
Mr.Kale
RTGS-MONITER
Ho Back-Office
CTS-PC
HO_NEW _IP_Series
SachinNelito
CTS CHQ Printing
10 Yes HO-USERS DATABASE DATABASE-SERVICES No
HO-USER-ACC-SECTION SQLDB
HO-USERS-ADM-SECTION
HO-USERS-DATAHUB
VaidyaSir
Mr.Kale
Ho Back-Office
HO_NEW _IP_Series
CTS CHQ Printing
24 Yes Civil-Lines Branch APP-SERVERS APP-Services No
APP1 APBS
APPLICATION1
25 Yes Civil-Lines Branch DOMAIN Domain-Services No
PrimaryDomain
BackupDomain
26 Yes Civil-Lines Branch DATABASE DATABASE-SERVICES No
SQLDB
192 Yes Civil-Lines Branch BBPS API ALL_ICMP No
TRACEROUTE
TCP-8012
30 Yes HO-USER-ACC-SECTION EMAIL-SERVER ALL_ICMP No
HO-USERS-ADM-SECTION HTTPS
HO-USERS-COMP-SECTION TCP-8443
HO-USERS-DATAHUB HTTP
HO-USERS-LOAN-SECTION SMTPS
HO-USERS-STATIONARY-SECTION IMAP
VaidyaSir IMAPS
Mr.Kale POP3
HO-INTERNET-USERS-ATM POP3S
Ho Back-Office SMTP
48 Yes Civil-Lines Branch EMAIL-SERVER ALL_ICMP No
CIVIL-LINES-DVR HTTP
HTTPS
IMAP
POP3
IMAPS
POP3S
SMTP
SMTPS
LDAP
TCP-7025
TCP-7071
141 Yes RTGS-MONITER RtgsInterface RDP No
ALL_ICMP
169 Yes RTGS-MONITER EMS ALL_ICMP No
SFMS-Intranet TCP8080
SFMS-INTRANET-2 HTTPS
TRACEROUTE
HTTP
159 Yes RTGS-CLIENT2 DR-RTGS-SERVER ALL_ICMP No
RTGS-CLIENT3 RBI-SERVICES
168 Yes RTGS-MONITER DR-RTGS-SERVER ALL_ICMP No
DR-Rtgs-Interface RDP
DR-ATMInterface TCP-139
SMB
160 Yes RTGS-CLIENT2 Ekuber-Bkp ALL_ICMP No
RTGS-CLIENT3 Ekuber-Pri HTTP
TRACEROUTE
HTTPS
204 Yes SachinNelito Antivirus-Server RDP No
52 Yes HO-USER-ACC-SECTION Antivirus-Server AntivirusServices No

HO-INTERNET-USER
HO-USERS-DATAHUB
Civil-Lines Branch
Mr.Kale
RTGS-MONITER
RTGS-CLIENT2
RTGS-CLIENT3
Ho Back-Office
BSG - Recon Server
SachinNelito
CTS CHQ Printing
54 Yes HO-USER-ACC-SECTION APP-1 APBS No
HO-USERS-ADM-SECTION APPLICATION1
HO-USERS-DATAHUB
Mr.Kale
VaidyaSir
Ho Back-Office
66 Yes HO-INTERNET-USERS-ATM DOMAIN Domain-Services No
PrimaryDomain
BackupDomain
67 Yes RTGS-CLIENT2 DOMAIN Domain-Services No
RTGS-CLIENT3
79 Yes HO-INTERNET-USERS TESTSERVR Any No
79 Yes HO-INTERNET-USERS TESTSERVR Any No
HO-USERS
HO-USERS-DATAHUB
VaidyaSir
Mr.Kale
Ho Back-Office
CTS-PC
BBPS_CIVILLINES_1
HO-BBPS Clients
BSG - Recon Server
HO_NEW _IP_Series
74 Yes HO-INTERNET-USERS-ATM ATMInterface RDP No
IMPS Interface SMB
165 Yes ATM-FINCRAFT-USER1 DR-ATMInterface RDP No
ALL_ICMP
90 No VBK1037 TESTSERVR DATABASE-SERVICES No
137 Yes NELITODBUSER DATABASE1 RDP No

BSG - Recon Server DATABASE2 ALL_ICMP
SQL-CLUSTER
142 Yes RTGS-MONITER CA-SERVER ALL_ICMP No
RDP
172 Yes ATM-CIVILLINES-2 Euronet-Checkpoint TCP-3926 No
TRACEROUTE
ALL_ICMP
188 Yes HO-USERS BBPS API TCP-8012 No
ALL_ICMP
TRACEROUTE
200 Yes BSG - Recon Server SIEM-SRV ALL_ICMP No
TRACEROUTE
TELNET
SYSLOG
Table 95: Firewall Policy from HO-USERS to CheckPoint-FW

11 Yes Antivirus- BRANCHES-Group-1 AntivirusServices No
Server Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram Ch
BRANCH-GROUP-6
40 No DOMAIN OLD-DOMAIN Domain-Services No
RDP
190 Yes BBPS API RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA ALL_ICMP No
RATANLAL TRACEROUTE
PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR
105 No DOMAIN DR-BACKUPDOMAIN Domain-Services No
DR-PRIMARYDOMAIN
Table 96: Firewall Policy from CheckPoint-FW to DC-Router

14 Yes Netw ork-Admin Routers-GR4 PING No
VMW ARE-CLIENT Routers-GR5 TELNET
Routers-GR1 SSH
Routers-GR2
Routers-GR3
Sophos-Backup-1
Sophos-Backup-2
Sophos-Backup-3
BRANCHES-Group-1
BRANCH-GROUP-6
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant
Tukaram Ch
Sophos-Backup-4
ATM-1
ATM-2
ATM-4
ATM-5
OFFSITE ATM
BBPS_Clients
69 Yes DC-ADMIN-USERS BRANCHES-Group-1 ALL_ICMP No
69 Yes DC-ADMIN-USERS BRANCHES-Group-1 ALL_ICMP No
Vinod Raut Branches-Group-2
DC-ADMIN-USERS- Branches-Group-3
2 Branches-Group-4
Datacenter- BranchesGroup-5
Laptops TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant
Tukaram Ch
77 Yes RTGS-CLIENT1 SONICW ALL-INTERNET ALL_ICMP No
HTTP
HTTPS
83 Yes DC-ADMIN-USERS BRANCHES-Group-1 HTTP No
DC-ADMIN-USERS- Branches-Group-2 HTTPS
2 Branches-Group-3 TCP-5938
Vinod Raut Branches-Group-4
Datacenter- BranchesGroup-5
Laptops TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant
Tukaram Ch
BRANCH-GROUP-6
BBPS_Clients
86 Yes DC-ADMIN-USERS DR-DOMAINS Domain-Services No
MGMNT-PC
Vinod Raut
Datacenter-
Laptops
DC-ADMIN-USERS-
2
98 Yes DC-ADMIN-USERS DR-APPLICATION1 APBS No
Vinod Raut
DC-ADMIN-USERS-
2
99 Yes DC-ADMIN-USERS DR-DATABASESERVERS DATABASE- No
DC-ADMIN-USERS- SERVICES
2
Vinod Raut
Datacenter-
Laptops
167 Yes VAIBHAV DR-DATABASESERVERS ALL_ICMP No
RDP
129 Yes MGMNT-PC DR-DATABASESERVERS Any No
100 Yes DC-ADMIN-USERS DR-APPSERVERS APP-Services No

Vinod Raut
DC-ADMIN-USERS-
2
Datacenter-
Laptops
130 Yes MGMNT-PC DR-APPLICATION1 Any No
DR-APPLICATION2
DRAPPCLUSTER
107 Yes sysadmin DR-CASERVER-2 Any No
MGMNT-PC DR-MONITOR
VMW ARE-CLIENT DR-DOMAINS
Table 97: Firewall Policy from DC-Admin to DC-Router

16 Yes ATM-1 Euronet-Sw itch BRANCH-ATMS-TO-SW ITCH-1 No
ATM-2
21 Yes ATM-1 SD-Agent-Euronet TCP5001 No
ATM-2 TCP5004
ATM-4 TRACEROUTE
TELNET
71 Yes ATM-4 Euronet-Sw itch BRANCH-ATMS-TO-SW ITCH-2 No
95 Yes ATM-5 Euronet-Sw itch TCP-3926 No

TRACEROUTE
96 Yes ATM-5 SD-Agent-Euronet TCP5001 No
TCP5004
131 Yes OFFSITE ATM Euronet-Sw itch TCP-3926 No
TELNET
ALL_ICMP
PING
132 Yes OFFSITE ATM SD-Agent-Euronet TCP5001 No
134 Yes ATM-1 SD-Agent-Euronet TCP-50020 No

ATM-2 TCP5004
ATM-4
ATM-5
ATM-OFFSITE-NIMBA
ATM OFF-SITE PUSAD NAKA
176 No BBPS_Clients BBPS2 HTTPS No
TRACEROUTE
TRACEROUTE
Table 98: Firewall Policy from DC-Router to ATM

124 Yes EuronetTest1 TESTSERVR TCP/6415 No
EuronetTest2
19 Yes Euronet-Sw itch ATMInterface TCP5001 No
TCP5004
117 No EuronetTest1 TESTSERVR TCP/6415 No
EuronetTest2
Table 99: Firewall Policy from ATM to CheckPoint-FW

20 Yes SD-Agent-Euronet ATM-1 TCP-5002 No
ATM-2
ATM-4
ATM-5
OFFSITE ATM
133 Yes SD-Agent-Euronet ATM-1 TCP-24010 No
ATM-2
ATM-4
ATM-5
ATM-OFFSITE-NIMBA
Table 100: Firewall Policy from ATM to DC-Router

161 No CPFW -OUT Any Any No
Table 101: Firewall Policy from CheckPoint-FW to wan1


HO-INTERNET-USERS
Biskunde Saheb
Drop_Box_Internet
Nelito-Prasad
194 Yes comsolvepc Comsolve W ebmail Any No
Comsolve Mail IP
ISG IP
ISG MERCHANT PAY
PA
CTS-PC
SK Mohod
MILIND
Vinod Kalbande
CropInsurance
Table 102: Firewall Policy from HO-USERS to wan1

33 Yes HO-INTERNET-USERS-ATM W EB-CMS HTTPS No
ATM-FINCRAFT-USER1 TCP-9086
ATM-FINCRAFT-USER2
ATM-USER-1
ATM-USER-2
36 Yes HO-INTERNET-USERS-ATM Euro-SFTP SSH No
ATM-FINCRAFT-USER1
ATM-FINCRAFT-USER2
ATM-FINCRAFT-USER3
37 Yes HO-INTERNET-USERS-ATM RGCS HTTPS No
ATM-FINCRAFT-USER1
ATM-FINCRAFT-USER2
ATM-USER-1
ATM-USER-2
65 Yes ATM-CIVIL-LINES Euronet-Sw itch BRANCH-ATMS-TO-SW ITCH-1 No
EuronetTest1 TCP/7282
EuronetTest2 TCP/7501
TCP/15402
80 Yes ATM-CIVIL-LINES SD-Agent-Euronet TCP5004 No
TCP5001
102 Yes ATM-CIVILLINES-2 Euronet-Sw itch TCP-3926 No
102 Yes ATM-CIVILLINES-2 Euronet-Sw itch TCP-3926 No
135 Yes ATM-CIVIL-LINES SD-Agent-Euronet TCP-50020 No

ATM-CIVILLINES-2
103 Yes ATM-CIVILLINES-2 SD-Agent-Euronet TCP5004 No
TCP5001
149 Yes HO-INTERNET-USERS-ATM FRM HTTPS No
ATM-USER-1 TCP-8443
ATM-USER-2
175 Yes RATHODPC BBPS1 HTTPS No
HO-BBPS Clients BBPS2 ALL_ICMP
TRACEROUTE
TELNET
Table 103: Firewall Policy from HO-USERS to ATM

34 Yes W EB-CMS HO-INTERNET-USERS-ATM TCP-9086 No
HTTPS
35 Yes Euro-SFTP HO-INTERNET-USERS-ATM SSH No
TCP/22
38 Yes RGCS HO-INTERNET-USERS-ATM HTTPS No
73 Yes SD-Agent-Euronet ATM-CIVIL-LINES TCP-5002 No

ATM-CIVILLINES-2 TCP5004
TCP5001
136 Yes SD-Agent-Euronet ATM-CIVIL-LINES TCP-24010 No
ATM-CIVILLINES-2
Table 104: Firewall Policy from ATM to HO-USERS

41 Yes RtgsInterface SFMS-BACKUP Domain-Services No
SFMS-PRIMARY ALL_ICMP
TCP-1415
TELNET
127 Yes CA-SERVER SFMS-PRIMARY ALL_ICMP No
SFMS-BACKUP TCP25000
UDP-137
128 Yes DR-RTGS-SERVER SFMS-BACKUP ALL_ICMP No
SFMS-PRIMARY TCP25000
Table 105: Firewall Policy from CheckPoint-FW to RTGS

42 Yes RTGS-CLIENT1 SFMS-BACKUP ALL_ICMP No
MGMNT-PC SFMS-PRIMARY Domain-Services
W SUS HTTP
HTTPS
TELNET
TCP8080
RDP
49 Yes RTGS-CLIENT1 SONICW ALL-RTGS ALL_ICMP No
MGMNT-PC HTTP
HTTPS
TELNET
51 Yes RTGS-CLIENT1 RBI-RTGS RBI-SERVICES No
MGMNT-PC
Table 106: Firewall Policy from DC-Admin to RTGS

43 Yes RTGS-CLIENT2 SFMS-BACKUP ALL_ICMP No
RTGS-CLIENT3 SFMS-PRIMARY TCP8080
RTGS-MONITER RBI-RTGS Domain-Services
CA Accounting Module HTTP
RBI-SERVICES
144 Yes RTGS-MONITER SFMS-BACKUP ALL_ICMP No
SFMS-PRIMARY HTTP
HTTPS
Domain-Services
TELNET
TCP8080
RDP
145 Yes RTGS-MONITER SONICW ALL-RTGS ALL_ICMP No
HTTP
HTTPS
TELNET
Table 107: Firewall Policy from HO-USERS to RTGS
44 Yes SFMS-BACKUP RtgsInterface ALL_ICMP No
SFMS-PRIMARY TCP-1414
TELNET
126 Yes SFMS-PRIMARY DR-RTGS-SERVER ALL_ICMP No
SFMS-BACKUP TCP25000
178 Yes SFMS-BACKUP DR-Rtgs-Interface Any No
153 Yes SFMS-PRIMARY DOMAIN Domain-Services No

SFMS-BACKUP
157 Yes SFMS-BACKUP BDC-DR Domain-Services No
PDC-DR
158 Yes SFMS-BACKUP EMAIL-SERVER ALL_ICMP No

SFMS-PRIMARY DATABASE SMTP
SIEM-SRV DATABASE-SERVICES
SYSLOG
182 Yes SFMS-PRIMARY TESTSERVR Any No
186 Yes SFMS-BACKUP Antivirus-Server AntivirusServices No

SFMS-PRIMARY
Table 108: Firewall Policy from RTGS to CheckPoint-FW

45 Yes SONICW ALL-RTGS RTGS-CLIENT2 TCP8080 No
RTGS-CLIENT3 HTTP
RBI-SERVICES
Table 109: Firewall Policy from RTGS to HO-USERS

50 Yes Antivirus-Server DC-ADMIN-USERS AntivirusServices No
DC-ADMIN-USERS-2
nw adm
72 Yes SQL-CLUSTER Umesh More Any No
DATABASE1
DATABASE2
106 Yes DR-CASERVER sysadmin ALL_ICMP No
RDP
Table 110: Firewall Policy from CheckPoint-FW to DC-Admin

64 Yes ATMInterface eurronet-router ALL_ICMP No
Euronet-Sw itch TCP5004
TELNET
TCP-5002
115 Yes TESTSERVR EuronetTest1 TCP/6415 No
EuronetTest2 ALL_ICMP
Euronet NetScaler TELNET
TCP9095
185 Yes BBPS API BBPS2 HTTPS No
TRACEROUTE
TELNET
Table 111: Firewall Policy from CheckPoint-FW to ATM

75 Yes W SUS FileZilla FTP No
Datacenter-Laptop-2 FTP_PUT
FTP_GET
84 Yes W SUS FileZilla RDP No
125 No VMW ARE-CLIENT BSG - Recon Server HTTP No

PRASANNA TCP8080
W SUS TCP/22
MYSQL
ALL_ICMP
RDP
Table 112: Firewall Policy from DC-Admin to HO-USERS

78 Yes HO-INTERNET-USERS-ATM ATM-1 ALL_ICMP No
ATM-2 PING
ATM-4
ATM-5
ATM-5
OFFSITE ATM
88 Yes Civil-Lines Branch DR-DOMAINS Domain-Services No
HO-USER-ACC-SECTION
HO-USERS-DATAHUB
HO-USERS-STATIONARY-
SECTION
Ho Back-Office
HO_NEW _IP_Series
92 Yes Civil-Lines Branch DR-APPSERVERS APP-Services No
HO-INTERNET-USERS-ACC-
SECTION
HO-USERS-DATAHUB
SECTION
HO-USER-ACC-SECTION
Ho Back-Office
HO_NEW _IP_Series
93 Yes Civil-Lines Branch DR-DATABASESERVERS DATABASE- No
HO-USER-ACC-SECTION SERVICES
HO-USERS-DATAHUB
SECTION
Ho Back-Office
HO_NEW _IP_Series
171 Yes ATM-CIVIL-LINES EuronetSw itch-forCivilLines TCP8868 No
TRACEROUTE
170 Yes ATM-CIVILLINES-2 EuronetSw itch-forCivilLines TCP-3926 No
TRACEROUTE
166 Yes Nelito-Prasad DR-DATABASESERVERS ALL_ICMP No
RDP
97 Yes Civil-Lines Branch DR-APPLICATION1 APBS No
HO-INTERNET-USERS-ACC-
SECTION
HO-USER-ACC-SECTION
HO-USERS-DATAHUB
SECTION
Ho Back-Office
138 Yes comsolvepc Routers-GR1 TELNET No
SachinNelito Routers-GR2 PING
Routers-GR3 SSH
Routers-GR4
Routers-GR5
Sophos-Backup-1
Sophos-Backup-2
Sophos-Backup-3
Sophos-Backup-4
BRANCH-GROUP-6
BRANCHES-Group-1
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
Asegaon, Ta. Mangrulpir District
W ashim,Mangrulpur,Maharashtra
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At
Sant Tukaram Ch
OFFSITE ATM
BBPS_Clients
139 Yes HO-USERS-COMP-SECTION BRANCH-GROUP-6 HTTP No
RATHODPC BRANCHES-Group-1 HTTPS
SachinNelito Branches-Group-2 TCP-5938
Branches-Group-3
Branches-Group-4
BranchesGroup-5
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At
Sant Tukaram Ch
Asegaon, Ta. Mangrulpir District
W ashim,Mangrulpur,Maharashtra
143 Yes RTGS-MONITER SONICW ALL-INTERNET ALL_ICMP No
HTTP
HTTPS
148 Yes comsolvepc SOPHOS-UTM HTTPS No
148 Yes comsolvepc SOPHOS-UTM HTTPS No
PING
TCP-4444
Table 113: Firewall Policy from HO-USERS to DC-Router

81 Yes BRANCHES-Group-1 FileZilla FTP No
Branches-Group-2 FTP_GET
Branches-Group-3 FTP_PUT
Branches-Group-4 ALL_ICMP
BranchesGroup-5
BRANCH-GROUP-6
Unspecified Branch - Reserved For SOPHOS
94 Yes BRANCHES-Group-1 VIEW -FRAME HTTP No
Branches-Group-2
Branches-Group-3
Branches-Group-4
BranchesGroup-5
BRANCH-GROUP-6
123 Yes BRANCH-GROUP-6 MSEB-APP HTTP No
BRANCHES-Group-1 CropInsurance TCP8080
Branches-Group-3 ALL_ICMP
Branches-Group-4
BranchesGroup-5
Sophos-Backup-1
Sophos-Backup-2
Sophos-Backup-3
Sophos-Backup-4
Table 114: Firewall Policy from DC-Router to HO-USERS

121 Yes Antivirus-Server HO-INTERNET-USERS-ACC-SECTION AntivirusServices No
HO-USERS-DATAHUB
HO-USER-ACC-SECTION
HO-INTERNET-USERS
Civil-Lines Branch
RTGS-CLIENT2
RTGS-CLIENT3
Ho Back-Office
SachinNelito
HO_NEW _IP_Series
BSG - Recon Server
Table 115: Firewall Policy from CheckPoint-FW to HO-USERS

151 Yes CHECKPOINT-IP BDC ALL_ICMP No
PDC PING
Table 116: Firewall Policy from CheckPoint-FW to CheckPoint-FW

152 Yes CTRLSFI ATMInterface ALL_ICMP No
Micro-ATM TESTSERVR TCP44405
AW S Cloud TELNET
TRACEROUTE
Table 117: Firewall Policy from port10 to CheckPoint-FW

154 Yes CTRLSFI Euronet-Sw itch TCP33305 No
AW S Cloud EuronetTest2 TRACEROUTE
TCP8049
Table 118: Firewall Policy from port10 to ATM

155 Yes Euronet-Sw itch CTRLSFI TCP33305 No
EuronetTest2 AW S Cloud ALL_ICMP
TCP8049
Table 119: Firewall Policy from ATM to port10

156 Yes ATMInterface CTRLSFI TCP44405 No
TESTSERVR AW S Cloud ALL_ICMP
TELNET
TRACEROUTE
TCP7094
Table 120: Firewall Policy from CheckPoint-FW to port10

163 Yes Finacus-IMPS-LIVE ATMInterface ALL_ICMP No
IMPS_Telnet IMPS Interface TCP45451
Finacus - Mobile Banking TRACEROUTE
Finacus_RGCS_1 HTTPS
174 Yes Finacus-IMPS-UAT TESTSERVR ALL_ICMP No
IMPS_Telnet TCP45451
Finacus - Mobile Banking TRACEROUTE
Table 121: Firewall Policy from port6 to CheckPoint-FW

164 Yes ATMInterface Finacus-IMPS-LIVE ALL_ICMP No
IMPS Interface Finacus_RGCS_1 TCP45451
TRACEROUTE
HTTPS
173 Yes TESTSERVR Finacus-IMPS-UAT ALL_ICMP No
IMPS @ Branch TCP45451
TRACEROUTE
HTTP
Table 122: Firewall Policy from CheckPoint-FW to port6

177 No PRASANNA BBPS2 HTTPS No
Datacenter-Laptop-2 BBPS1 TRACEROUTE
TELNET
199 Yes PRASANNA FRM HTTPS No
MORESIR TCP-8443
Table 123: Firewall Policy from DC-Admin to ATM

179 Yes ATM-FINCRAFT-USER1 Finacus_RGCS_1 HTTPS No
HO-INTERNET-USERS-ATM IMPS router TRACEROUTE
Finacus - Mobile Banking ALL_ICMP
Finacus_RGCS_2 HTTP
Finacus-IMPS-W ebservice
Table 124: Firewall Policy from HO-USERS to port6

180 Yes Finacus_RGCS_1 ATM-FINCRAFT-USER1 TRACEROUTE No
IMPS router HTTPS
Finacus - Mobile Banking ALL_ICMP
HTTP
Table 125: Firewall Policy from port6 to HO-USERS

181 No PFMS VMW ARE-CLIENT FTP No
GST-SFTP
Table 126: Firewall Policy from wan1 to DC-Admin

193 Yes VMW ARE-CLIENT IMPS router ALL_ICMP No
IMPS_Telnet TELNET
TRACEROUTE
207 Yes Nelito_Tech IMPS @ Branch Any No
Table 127: Firewall Policy from DC-Admin to port6

195 No SFMS-PRIMARY Any Any No
Table 128: Firewall Policy from RTGS to wan1

196 Yes Finacus-IMPS-UAT Euronet NetScaler TCP9095 No
Finacus-IMPS-W ebservice W EB-CMS TCP-9086
BBPS2 HTTPS
TCP9086
206 Yes Finacus-IMPS-LIVE BBPS2 HTTPS No
Table 129: Firewall Policy from port6 to ATM

197 No Euronet NetScaler Finacus-IMPS-UAT TRACEROUTE No
Netscaler_Natted_IP TELNET
TCP9095
Table 130: Firewall Policy from ATM to port6

201 No VMW ARE-CLIENT Micro-ATM Any No
Table 131: Firewall Policy from DC-Admin to port10

202 Yes Micro-ATM VMW ARE-CLIENT Any No
Table 132: Firewall Policy from port10 to DC-Admin

208 No RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA RATANLAL ISG IP Any No
ISG MERCHANT PAY
Table 133: Firewall Policy from DC-Router to wan1

209 Yes RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA Finacus-IMPS- HTTP No
RATANLAL W ebservice
Table 134: Firewall Policy from DC-Router to port6
5.2.12.2 Addresses
This section describes the netw ork addresses and address pools defined for use in the firew all policy. Addresses can also be
grouped to ease the administration of the firew all rules. This section also describes any configured address groups.
Name Type Address Interface

SSLVPN_TUNNEL_ADDR1 Host 10.212.134.200 - Any
Range 10.212.134.210
all Host Any Any
apple Host Any Any
dropbox.com Host Any Any
Gotomeeting Host Any Any
icloud Host Any Any
itunes Host Any Any
android Host Any Any
skype Host Any Any
sw scan.apple.com Host Any Any
update.microsoft.com Host Any Any
appstore Host Any Any
eease Host Any Any
google-drive Host Any Any
google-play Host Any Any
microsoft Host Any Any
adobe Host Any Any
Adobe Login Host Any Any
googleapis.com Host Any Any
citrix Host Any Any
verisign Host Any Any
W indow s update 2 Host Any Any
*.live.com Host Any Any
auth.gfx.ms Host Any Any
autoupdate.opera.com Host Any Any
softw areupdate.vmw are.com Host Any Any
firefox update server Host Any Any
MAHILA BRANCH RAMDASPETH BIRLA GATE Host 192.168.7.1 - 192.168.7.4 DC-Router
Range
AKOT CITY BRANCH JAISTHAMBH CHOW K Host 192.168.34.1 - 192.168.34.4 DC-Router
Range
NARSING MANDIR BRANCH AKOT NR NARSING MANDIR Host 192.168.35.1 - 192.168.35.3 DC-Router
Range
TELHARA MAIN BRANCH NR BUS STAND TELHARA Host 192.168.43.1 - 192.168.43.9 DC-Router
Range
TELHARA CITY BRANCH JUNA ATHAW ADI BAZAR NR DESHMUKH W ADA TE Host 192.168.44.1 - 192.168.44.3 DC-Router
Range
CHOHATTA BAZAR BRANCH AKOT ROAD CHOHATTA BAZAR Host 192.168.38.1 - 192.168.38.5 DC-Router
Range
HIW ARKHED BRANCH AT POST - HIW ARKHED TQ- TELHARA Host 192.168.45.1 - 192.168.45.6 DC-Router
Range
DANAPUR BRANCH AT - DANAPUR TQ-TELHARA DIST-AKOLA Host 192.168.46.1 - 192.168.46.2 DC-Router
Range
AKOLKHED BRANCH AT - AKOLKHED TQ- AKOT Host 192.168.40.1 - 192.168.40.2 DC-Router
Range
BORDI BRANCH AT - BORDI TQ- AKOT Host 192.168.110.1 - 192.168.110.2 DC-Router
Range
ADGAON BRANCH AT - ADGAON BZ TQ- TELHARA DIST- AKOLA Host 192.168.50.1 - 192.168.50.3 DC-Router
Range
ADSUL BRANCH AT - ADSUL TQ- TELHARA DIST-AKOLA Host 192.168.49.1 - 192.168.49.3 DC-Router
Range
PATHARDI BRANCH AT - PATHARDI TQ- TELHARA DIST-AKOLA Host 192.168.47.1 - 192.168.47.2 DC-Router
Range
MUNDGAON BRANCH AT -MUNDGAON TQ- AKOT Host 192.168.42.1 - 192.168.42.3 DC-Router
Range
W ARUL JAULKA BRANCH AT - W ARUD JAULKA TQ- AKOT Host 192.168.39.1 - 192.168.39.2 DC-Router
Range
KUTASA BRANCH AT -KUTASA TQ- AKOLA Host 192.168.41.1 - 192.168.41.3 DC-Router
Range
SAW ARA BRANCH AT- SAW ARA TQ- AKOT DIST- AKOLA Host 192.168.36.1 - 192.168.36.3 DC-Router
Range
RAUNDALA BRANCH AT - RAUNDALA TQ- AKOT Host 192.168.37.1 - 192.168.37.3 DC-Router
Range
TUKARAM CHOW K BRANCH, Near Tukaram Hospital, At Sant Tukaram Host 192.168.11.1 - 192.168.11.4 DC-Router
Ch Range
FW
FW
APP-CLUSTER Host 172.21.22.3 CheckPoint-
FW
ATMInterface Host 172.21.25.1 CheckPoint-
FW
RtgsInterface Host 172.21.25.2 CheckPoint-
FW
Antivirus-Server Host 172.21.23.3 CheckPoint-
FW
BDC Host 172.21.23.2 CheckPoint-
FW
PDC Host 172.21.23.1 CheckPoint-
FW
FW
FW
SQL-CLUSTER Host 172.21.21.5 CheckPoint-
FW
Belkhed Branch Ta. Telhara Host 192.168.48.1 - 192.168.48.2 DC-Router
Range
Range
Keshavnagar Branch Ta Risod Dist. W ashim Host 192.168.106.1 - 192.168.106.2 DC-Router
Range
Kasola Branch Ta. Mangrulpir Dist. W ashim Host 192.168.109.1 - 192.168.109.2 DC-Router
Range
Asegaon, Ta. Mangrulpir District W ashim,Mangrulpur,Maharashtra Host 192.168.112.1 - 192.168.112.2 DC-Router
Range
AKOT MAIN BRANCH HIW ARKHED ROAD NR PETROL PUMP Host 192.168.33.1 - 192.168.33.13 DC-Router
Range
KAPAD BAZAR BRANCH RAYAT HAVELI JUNA KAPAD BAZAR Host 192.168.3.1 - 192.168.3.8 DC-Router
Range
RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA Host 192.168.26.1 - 192.168.26.4 DC-Router
RATANLAL Range
DABKI ROAD BRANCH NR KHANDELW AL HIGH SCHOOL Host 192.168.10.1 - 192.168.10.4 DC-Router
Range
MARKET YARD BRANCH APMC MARKET Host 192.168.2.1 - 192.168.2.7 DC-Router
Range
W ASHIM MAIN BRANCH NEAR ST STAND Host 192.168.88.1 - 192.168.88.14 DC-Router
Range
KARANJA MAIN BRANCH BEHIND ST STAND NR TAHASILOFFICE KARANJ Host 192.168.70.1 - 192.168.70.10 DC-Router
Range
MANGRULPIR MAIN BRANCH BIRBALNATH ROAD NR DR SARKAR CLINIC Host 192.168.78.1 - 192.168.78.10 DC-Router
Range
RISOD MAIN BRANCH NR BUS STAND Host 192.168.99.1 - 192.168.99.10 DC-Router
Range
VIVARA BRANCH AT BABHULGAON TQ - PATUR DIST - AKOLA Host 192.168.61.1 - 192.168.61.4 DC-Router
Range
KENW AD BRANCH AT - KENW AD TQ- RISOD DIST- W ASHIM Host 192.168.102.1 - 192.168.102.3 DC-Router
Range
CHIKHALGAON BRANCH AT - CHIKHALGAON TQ- AKOLA Host 192.168.17.1 - 192.168.17.2 DC-Router
Range
KURANKHED BRANCH AT- KURANKHED TQ- AKOLA Host 192.168.20.1 - 192.168.20.3 DC-Router
Range
HARAL BRANCH AT - HARAL TQ- RISOD Host 192.168.104.1 - 192.168.104.2 DC-Router
Range
DAHIHANDA BRANCH AT - DAHIHANDA TQ- AKOLA Host 192.168.18.1 - 192.168.18.3 DC-Router
Range
PARAS BRANCH AT- PARAS TQ- BALAPUR . DIST-AKOLA Host 192.168.55.1 - 192.168.55.3 DC-Router
Range
PDKV BRANCH DR PDKV VIDYAPEETH CAMPUS Host 192.168.9.1 - 192.168.9.5 DC-Router
Range
KARANJA CITY BRANCH BHAJI BAZAR GANDHI CHOW K KARANJA Host 192.168.71.1 - 192.168.71.3 DC-Router
Range
W ASHIM CITY BRANCH RAJANI CHOW K NR INDANI SCHOO Host 192.168.89.1 - 192.168.89.5 DC-Router
Range
RANPISE NAGAR BRANCH SAUJANYA MARKET RANPISE NAGAR Host 192.168.24.1 - 192.168.24.4 DC-Router
Range
Z P BRANCH NR COLLECTOR OFFICE Host 192.168.5.1 - 192.168.5.14 DC-Router
Range
RAJESHW AR JAIHIND CHOW K BRANCH JAIHIND CHOW K OLD CITY Host 192.168.4.1 - 192.168.4.4 DC-Router
Range
PATUR NANDAPUR BRANCH AT - PATUR NANDAPUR TQ- AKOLA Host 192.168.19.1 - 192.168.19.2 DC-Router
Range
CHIKHALI BRANCH AT - CHIKHALI TQ- RISOD Host 192.168.108.1 - 192.168.108.2 DC-Router
Range
DHANAJ BZ BRANCH AT - DHANAJ BZ TQ- KARANJA DIST-W ASHIM Host 192.168.74.1 - 192.168.74.4 DC-Router
Range
DHABA BRANCH AT - DHABA TQ- BARSHITAKLI Host 192.168.32.1 - 192.168.32.2 DC-Router
Range
KANSHIVANI BRANCH AT - KANSHIVANI TQ- AKOLA Host 192.168.15.1 - 192.168.15.4 DC-Router
Range
KANHERI SARAP BRANCH AT - KANHERI SARAP TQ- BARSHITAKL Host 192.168.31.1 - 192.168.31.3 DC-Router
Range
W ANOJA BRANCH AT- W ANOJA TQ- MANGRULPIR DIST- W ASHIM Host 192.168.82.1 - 192.168.82.2 DC-Router
Range
SHENDURJANA BRANCH AT - SHENDURJANA TQ- MANORA DIST- W ASHIM Host 192.168.85.1 - 192.168.85.4 DC-Router
Range
PARDI TAKMOR BRANCH AT - PARDI TAKMOR TQ - W ASHIM Host 192.168.92.1 - 192.168.92.2 DC-Router
Range
MOHARI BRANCH AT - MOHARI TQ- MANGRULPIR DIST- W ASHIM Host 192.168.80.1 - 192.168.80.2 DC-Router
Range
TONDGAON BRANCH KEKATUMRA EXCHANGE DIST - W ASHIM Host 192.168.91.1 - 192.168.91.3 DC-Router
Range
Range
PALSO BRANCH AT PALSO TQ DIST- AKOLA Host 192.168.13.1 - 192.168.13.3 DC-Router
Range
MOP BRANCH AT - MOP TQ- RISOD Host 192.168.105.1 - 192.168.105.3 DC-Router
Range
SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA Host 192.168.62.1 - 192.168.62.2 DC-Router
Range
POHA BRANCH AT - POHA TQ- KARANJA DIST- W ASHIM Host 192.168.76.1 - 192.168.76.2 DC-Router
Range
JAULKA RLY BRANCH AT -JAULKA RLY TQ- MALEGAON DIST- W ASHIM Host 192.168.98.1 - 192.168.98.2 DC-Router
Range
HATRUN BRANCH AT - HATRUN TQ- BALAPUR DIST- AKOLA Host 192.168.56.1 - 192.168.56.3 DC-Router
Range
UMBARDA BAZAR BRANCH AT - UMBARDA BAZAR TQ- KARANJA DIST- W Host 192.168.73.1 - 192.168.73.3 DC-Router
Range
MANBHA BRANCH AT - MANBHA TQ- KARANJA DIST- W ASHIM Host 192.168.75.1 - 192.168.75.2 DC-Router
Range
PANGRIKUTE BRANCH AT - PANGRIKUTE TQ- MALEGAON DIST- W ASHIM Host 192.168.97.1 - 192.168.97.2 DC-Router
Range
KAJALESHW AR BRANCH AT - KAJALESHW AR TQ- KARANJA DIST- W ASHI Host 192.168.77.1 - 192.168.77.2 DC-Router
Range
Range
NIMBA BRANCH AT - NIMBA TQ- BALAPUR DIST-AKOLA Host 192.168.54.1 - 192.168.54.5 DC-Router
Range
DHANORA BRANCH AT - DHANORA TQ- MANGRULPIR DIST- W ASHIM Host 192.168.83.1 - 192.168.83.4 DC-Router
Range
MHAISANG BRANCH AT POST - MHAISANG TQ- AKOLA Host 192.168.14.1 - 192.168.14.3 DC-Router
Range
GANDHIGRAM BRANCH AT - GANDHIGRAM TQ- AKOLA Host 192.168.16.1 - 192.168.16.3 DC-Router
Range
GOREGAON BRANCH AT- GOREGAON TQ- AKOLA Host 192.168.21.1 - 192.168.21.2 DC-Router
Range
MEDSHI BRANCH AT - MEDSHI TQ- MALEGAON DIST- W ASHIM Host 192.168.96.1 - 192.168.96.4 DC-Router
Range
AGAR BRANCH AT- AGAR TQ- AKOLA Host 192.168.25.1 - 192.168.25.2 DC-Router
Range
KINHIRAJA BRANCH AT -KINHIRAJA TQ- MALEGAON DIST- W ASHIM Host 192.168.94.1 - 192.168.94.4 DC-Router
Range
W AKAD BRANCH AT - W AKAD TQ- RISOD Host 192.168.107.1 - 192.168.107.2 DC-Router
Range
SAKHARDOH BRANCH SHIVAJI CHOW K MANORA DIST- W ASHIM Host 192.168.87.1 - 192.168.87.4 DC-Router
Range
UMARI BRANCH AKOLA AT PATIL MARKET JATHARPETH AKOLA Host 192.168.22.1 - 192.168.22.4 DC-Router
Range
BORGAON MANJU BRANCH AT POST - BORGAON MANJU TQ- AKOLA Host 192.168.12.1 - 192.168.12.5 DC-Router
Range
BALAPUR BRANCH NR BUS STAND BALAPUR Host 192.168.51.1 - 192.168.51.8 DC-Router
Range
KURUM BRANCH AT - KURUM TQ- MURTIZAPUR Host 192.168.68.1 - 192.168.68.4 DC-Router
Range
MALEGAON BRANCH NR NEW BUS STAND MALEGAON DIST- W ASHIM Host 192.168.93.1 - 192.168.93.8 DC-Router
Range
MURTIZAPUR CITY BRANCH AT TIDKE COMPLEX MANGALW AR BAZAR Host 192.168.66.1 - 192.168.66.5 DC-Router
MUR Range
PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR Host 192.168.58.1 - 192.168.58.9 DC-Router
Range
ALEGAON BRANCH AT - ALEGAON TQ- PATUR DIST-AKOLA Host 192.168.60.1 - 192.168.60.5 DC-Router
Range
SHELUBAZAR BRANCH BHAJI BAZAR SHELU BAZAR TQ- MANGRULPIR Host 192.168.81.1 - 192.168.81.6 DC-Router
Range
PINJAR BRANCH AT POST - PINJAR TQ- BARSHITAKLI Host 192.168.29.1 - 192.168.29.5 DC-Router
Range
RITHAD BRANCH AT POST- RITHAD TQ- RISDO DIST-W ASHIM Host 192.168.101.1 - 192.168.101.4 DC-Router
Range
KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- W ASHIM Host 192.168.72.1 - 192.168.72.5 DC-Router
Range
MURTIZAPUR MAIN BRANCH NR TAHSIL OFFICE MURTIZAPUR Host 192.168.64.1 - 192.168.64.10 DC-Router
Range
RISOD CITY BRANCH BAGADIYA COMPLEX NR SITLAMATA MANDIR RISOD Host 192.168.100.1 - 192.168.100.2 DC-Router
Range
URAL BRANCH AT POST - URAL TQ- BALAPUR Host 192.168.52.1 - 192.168.52.5 DC-Router
Range
Range
BARSHITAKLI BRANCH AT POST TQ- BARSHITAKLI Host 192.168.28.1 - 192.168.28.9 DC-Router
Range
ANSING BRANCH AT - ANSING TQ DIST- W ASHIM Host 192.168.90.1 - 192.168.90.5 DC-Router
Range
MANA BRANCH GRAMPANCHAYAT MANA TQ- MURTIZAPUR Host 192.168.67.1 - 192.168.67.5 DC-Router
Range
MANGRULPIR CITY BRANCH NR BIRBALNATH MANDIR MANGRULPIR Host 192.168.79.1 - 192.168.79.3 DC-Router
Range
CHANNI BRANCH AT POST - CHANNI TQ- PATUR DIST- AKOLA Host 192.168.59.1 - 192.168.59.3 DC-Router
Range
SHIRPUR BRANCH AT- SHIRPUR TQ- MALEGAON Host 192.168.95.1 - 192.168.95.5 DC-Router
Range
MURTIZAPUR MARKET YARD BRANCH APMC PREMISES MURTIZAPUR Host 192.168.65.1 - 192.168.65.6 DC-Router
Range
MANORA BRANCH AT POST TQ- MANORA DIST-W ASHIM Host 192.168.84.1 - 192.168.84.10 DC-Router
Range
KHADKI BRANCH AKOLA AT POST - KHADKI Host 192.168.23.1 - 192.168.23.4 DC-Router
Range
W ADEGAON BRANCH AT POST - W ADEGAON TQ- BALAPUR Host 192.168.53.1 - 192.168.53.6 DC-Router
Range
PATANI CHOW K BRANCH W ASHIM PATANI CHOW K Host 192.168.111.1 - 192.168.111.4 DC-Router
Range
VYALA BRANCH AT - VYALA TQ- BALAPUR Host 192.168.57.1 - 192.168.57.3 DC-Router
Range
DR KORPE NAGAR BRANCH KORPE NAGAR NR ADARSH COLONY Host 192.168.8.1 - 192.168.8.4 DC-Router
Range
Civil-Lines Branch Host 192.168.6.11 - 192.168.6.23 HO-USERS
Range
ATM-CIVIL-LINES Host 192.168.6.101 HO-USERS
ATM-KAPAD-BAZAR Host 192.168.3.101 DC-Router
ATM-ZP Host 192.168.5.101 DC-Router
ATM-DR KORPENAGAR Host 192.168.8.101 DC-Router
ATM-DABKIRD Host 192.168.10.101 DC-Router
ATM-BORGAOM Host 192.168.12.101 DC-Router
ATM-KHADKI Host 192.168.23.101 DC-Router
ATM-RANPISE Host 192.168.24.101 DC-Router
ATM-BARSHITAKLI Host 192.168.28.101 DC-Router
ATM-PINJAR Host 192.168.29.101 DC-Router
ATM-AKOT-MAIN Host 192.168.33.101 DC-Router
ATM-AKOT-CITI Host 192.168.34.101 DC-Router
ATM-CHOHOTTA Host 192.168.38.101 DC-Router
ATM-TELHARA Host 192.168.43.101 DC-Router
ATM-BALAPUR Host 192.168.51.101 DC-Router
ATM-URAL Host 192.168.52.101 DC-Router
ATM-W ADEGAON Host 192.168.53.101 DC-Router
ATM-PATUR Host 192.168.58.101 DC-Router
ATM-ALEGAON Host 192.168.60.101 DC-Router
ATM-MURTIZAPUR-MAIN Host 192.168.64.101 DC-Router
ATM-MANA Host 192.168.67.101 DC-Router
ATM-KURUM Host 192.168.68.101 DC-Router
ATM-KARANJA-MAIN Host 192.168.70.101 DC-Router
ATM-KARANJA-CITI Host 192.168.71.101 DC-Router
ATM-KAMARGAON Host 192.168.72.101 DC-Router
ATM-MANGRULPIR-MAIN Host 192.168.78.101 DC-Router
ATM-SHELUBAZAR Host 192.168.81.101 DC-Router
ATM-MANORA Host 192.168.84.101 DC-Router
ATM-SHENDURJANA Host 192.168.85.101 DC-Router
ATM-W ASHIM-MAIN Host 192.168.88.101 DC-Router
ATM-ANSING Host 192.168.90.101 DC-Router
ATM-MALEGAON Host 192.168.93.101 DC-Router
ATM-SHIRPUR Host 192.168.95.101 DC-Router
ATM-JAULKA Host 192.168.98.101 DC-Router
ATM-RISOD-MAIN Host 192.168.99.101 DC-Router
ATM-KENW AD Host 192.168.102.101 DC-Router
ATM-PATNI-CH Host 192.168.111.101 DC-Router
ATM-ZP-W ASHIM Host 192.168.113.101 DC-Router
DC-ADMIN-USERS Host 172.21.28.15 - 172.21.28.20 DC-Admin
Range
HO-USERS Host 192.168.6.23 - 192.168.6.125 HO-USERS
Range
OLD-PDC Host 192.168.1.2 DC-Router
OLD-BDC Host 192.168.1.4 DC-Router
Euronet-Sw itch Host 10.13.15.65 ATM
Netw ork-Admin Host 172.21.28.21 DC-Admin
HO-ROUTER Host 192.168.1.100 DC-Router
RTGS-CLIENT1 Host 172.21.28.11 DC-Admin
SFMS-PRIMARY Host 172.30.0.18 RTGS
SD-Agent-Euronet Host 10.13.135.39 ATM
Euro-SFTP Host 202.138.123.73 ATM
HO-USERS-COMP-SECTION Host 192.168.6.31 - 192.168.6.40 HO-USERS
Range
HO-USER-ACC-SECTION Host 192.168.6.43 - 192.168.6.60 HO-USERS
Range
HO-USERS-ADM-SECTION Host 192.168.6.61 - 192.168.6.70 HO-USERS
Range
HO-USERS-DATAHUB Host 192.168.6.71 - 192.168.6.85 HO-USERS
Range
HO-USERS-LOAN-SECTION Host 192.168.6.86 - 192.168.6.100 HO-USERS
Range
HO-USERS-STATIONARY-SECTION Host 192.168.6.104 - 192.168.6.125 HO-USERS
Range
HO-INTERNET-USERS-ATM Host 192.168.6.26 - 192.168.6.30 HO-USERS
Range
HO-INTERNET-USER Host 192.168.6.61 HO-USERS
HO-INTERNET-USERS-ACC-SECTION Host 192.168.6.46 - 192.168.6.47 HO-USERS
Range
EMAIL-SERVER Host 10.10.10.2 CheckPoint-
FW
W EB-CMS Host 10.13.135.58 ATM
RGCS1 Host 192.168.171.33 ATM
RGCS2 Host 192.168.171.40 ATM
Ekuber-New Host 10.28.1.254 RTGS
IDRBT-TEST-HUB Host 10.0.67.194 RTGS
PO-Ticketing Host 10.29.1.191 RTGS
SFMS-DR Host 10.30.0.102 RTGS
ROUTER Host 10.30.231.1 RTGS
RTGS-NG-W AN Host 10.30.231.11 RTGS
RTGS-PRI-W AN Host 10.30.231.7 RTGS
RTGS-BKP-W AN Host 10.30.231.6 RTGS
Ekuber-BKP Host 10.28.1.171 RTGS
Ekuber-PRI Host 10.29.1.171 RTGS
SFMS Host 10.0.67.115 RTGS
SONICW ALL-RTGS Host 172.30.0.50 RTGS
PO-NEAR-DR Host 10.28.3.51 RTGS
PO-FAR-DR Host 10.35.3.51 RTGS
IDRBT-INTRANET Host 10.0.67.166 RTGS
IDRBT-CA Host 10.0.67.18 RTGS
SASTI Host 192.168.62.1 DC-Router
MPLS ROUTER Host 172.23.39.133 DC-Router
TESTSERVR Host 172.21.27.1 CheckPoint-
FW
eurronet-router Host 172.21.29.3 ATM
ATM-MARKETYARD Host 192.168.2.101 DC-Router
ATM-HIW ARKHED-EXT Host 192.168.114.101 DC-Router
ATM-MAHAN Host 192.168.30.101 DC-Router
W SUS Host 172.21.28.17 DC-Admin
PRASANNA Host 172.21.28.20 DC-Admin
ACC-SECTION-INT-USER1 Host 192.168.6.55 HO-USERS
ZP-W ASHIM Host 192.168.113.1 - 192.168.113.2 DC-Router
Range
HIW ARKHED-EXT Host 192.168.114.1 DC-Router
CA-SERVER Host 172.21.24.1 CheckPoint-
FW
Umesh More Host 172.21.28.13 DC-Admin
APP1 Host Any CheckPoint-
FW
HO-INTERNET-USERS Host 192.168.6.117 - 192.168.6.117 HO-USERS
Range
PA Host 192.168.6.67 HO-USERS
FileZilla Host 192.168.6.99 HO-USERS
SQLDB Host Any CheckPoint-
FW
SONICW ALL-INTERNET Host 192.168.1.50 DC-Router
PrimaryDomain Host Any CheckPoint-
FW
BackupDomain Host Any CheckPoint-
FW
APPLICATION1 Host Any CheckPoint-
FW
MILIND Host 192.168.6.65 HO-USERS
ProxyServer Host 172.21.28.22 DC-Admin
MORESIR Host 172.21.28.13 DC-Admin
GHS Host 192.168.6.154 HO-USERS
nw adm Host 172.21.28.21 DC-Admin
GMAIL Host Any w an1
AAN Host 192.168.6.56 HO-USERS
VaidyaSir Host 192.168.6.120 HO-USERS
DR-PRIMARYDOMAIN Host 172.16.16.1 DC-Router
DR-BACKUPDOMAIN Host 172.16.16.2 DC-Router
CTS Server Host 172.21.28.15 DC-Admin
SMSSERVER Host 10.10.10.1 CheckPoint-
FW
Mr.Kale Host 192.168.6.121 HO-USERS
VBK1037 Host 192.168.6.50 HO-USERS
VMW ARE-CLIENT Host 172.21.28.16 DC-Admin
VMW ARE-HOST Host 10.10.10.3 CheckPoint-
FW
VIEW -FRAME Host 192.168.6.114 HO-USERS
ATM-MANGRULPIR-CITY Host 192.168.79.101 DC-Router
ATM-MHAISANG Host 192.168.14.101 DC-Router
ATM-Dhaihanda Host 192.168.18.101 DC-Router
ATM-DHABA Host 192.168.32.101 DC-Router
ATM-RAUNDLA Host 192.168.37.101 DC-Router
ATM-KUTASA Host 192.168.41.101 DC-Router
ATM-NIMBA Host 192.168.54.101 DC-Router
ATM-PARAS Host 192.168.55.101 DC-Router
ATM-CHANNI Host 192.168.59.101 DC-Router
ATM-MURTIZAPUR CITY Host 192.168.66.101 DC-Router
ATM-UMBARDA BAZAR Host 192.168.73.101 DC-Router
ATM-DHANAJ Host 192.168.74.101 DC-Router
ATM-POHARADEVI Host 192.168.86.101 DC-Router
ATM-TONDGAO Host 192.168.91.101 DC-Router
ATM-MEDSHI Host 192.168.96.101 DC-Router
ATM-PANGRIKUTE Host 192.168.97.101 DC-Router
ATM-RITHAD Host 192.168.101.101 DC-Router
ATM-MANGULZANAK Host 192.168.103.101 DC-Router
ATM-Kansivni Host 192.168.15.101 DC-Router
BSNL-W AN Host 59.99.164.1 w an1
DRAPPCLUSTER Host 172.17.17.3 DC-Router
DRADCCSQL Host 172.19.19.5 DC-Router
Ekuber-DR Host 10.35.1.171 RTGS
ATM-CIVILLINES-2 Host 192.168.6.103 HO-USERS
ATM-Rajeshw ar Host 192.168.4.101 DC-Router
sysadmin Host 172.21.28.26 DC-Admin
DR-CASERVER Host 172.20.20.1 CheckPoint-
FW
DR-CASERVER-2 Host 172.20.20.1 DC-Router
ATM-Adsul Host 192.168.49.101 DC-Router
DC-ADMIN-USERS-2 Host 172.21.28.12 - 172.21.28.14 DC-Admin
Range
CIVIL-LINES-DVR Host 192.168.6.102 HO-USERS
INZORI BRANCH Host 192.168.115.1 - 192.168.115.2 DC-Router
Range
ATM-GANDHIGRAM Host 192.168.16.101 DC-Router
VAIBHAV Host 172.21.28.14 DC-Admin
MGMNT2-PC Host 172.21.28.26 DC-Admin
MSEB-APP Host 192.168.6.57 HO-USERS
DR-MONITOR Host 172.16.16.3 DC-Router
DR-RTGS-SERVER Host 172.28.28.1 CheckPoint-
FW
Vinod Raut Host 172.21.28.24 DC-Admin
abcd Host 192.168.6.32 HO-USERS
ATM-OFFSITE-NIMBA Host 192.168.246.2 DC-Router
Nelito_Tech Host 172.21.28.28 DC-Admin
NELITODBUSER Host 192.168.6.38 - 192.168.6.39 HO-USERS
Range
comsolvepc Host 192.168.6.40 HO-USERS
RTGS-MONITER Host 192.168.6.116 HO-USERS
RATHODPC Host 192.168.6.117 HO-USERS
KARANJA MARKET YARD Host 192.168.116.1 - 192.168.116.2 DC-Router
Range
ATM-KARANJA-MARKETYARD Host 192.168.116.101 DC-Router
IDRBT-TEST-HUB-NEW Host 10.0.67.85 RTGS
DR-Korpe-Nagar-DVR Host 192.168.8.102 DC-Router
Ranpise Nagar-DVR Host 192.168.24.102 DC-Router
Kapad Bazar-DVR Host 192.168.3.102 DC-Router
DabkrRD-DVR Host 192.168.10.102 DC-Router
Barshitakli-DVR Host 192.168.28.102 DC-Router
Khadki-DVR Host 192.168.23.102 DC-Router
Mahan-DVR Host 192.168.30.102 DC-Router
Chohotta-DVR Host 192.168.38.102 DC-Router
AkotCity-DVR Host 192.168.34.102 DC-Router
AkotMain-DVR Host 192.168.33.102 DC-Router
Hiw arkhed Ex-DVR Host 192.168.114.102 DC-Router
Telhara Main-DVR Host 192.168.43.102 DC-Router
SOPHOS-UTM Host 192.168.1.246 DC-Router
Vinod Kalbande Host 192.168.6.31 HO-USERS
Mahure Host 192.168.6.75 HO-USERS
Ho Back-Office Host 192.168.6.126 - 192.168.6.147 HO-USERS
Range
FRM Host 192.168.171.28 ATM
New -SFMS Host 10.100.5.234 RTGS
IDRBT-INTRANET-NEW Host 10.0.50.173 RTGS
SFMS_NEW Host 10.100.5.115 RTGS
SK Mohod Host 192.168.6.55 HO-USERS
ATM OFF-SITE PUSAD NAKA Host 192.168.246.10 DC-Router
CHECKPOINT-IP Host 172.22.26.4 CheckPoint-
FW
ATM-Kasola Extn Host 192.168.109.101 DC-Router
ATM-Kinhiraja Host 192.168.94.101 DC-Router
Micro ATM Host 20.20.20.20 ATM
TEST Host 172.21.29.10 ATM
CTRLSFI Host 172.23.25.3 port10
Micro-ATM Host 172.30.10.2 port10
PDC-DR Host 172.16.16.1 CheckPoint-
FW
FW
Unspecified Branch - Reserved For SOPHOS Host 192.168.63.1 - 192.168.63.9 Any
Range
Ekuber-Pri Host 10.29.1.171 CheckPoint-
FW
Ekuber-Bkp Host 10.28.1.171 CheckPoint-
FW
CPFW Host 172.22.24.3 CheckPoint-
FW
CPFW -OUT Host 172.22.26.3 CheckPoint-
FW
CPPRI Host 172.23.21.128 CheckPoint-
FW
CPHA Host 172.23.21.129 CheckPoint-
FW
ATM-Hiw arkhed Host 192.168.45.101 DC-Router
ATM-Mundgaon Host 192.168.42.101 DC-Router
ATM-Hatrun Host 192.168.56.101 DC-Router
Ekuber-DR-Primary Host 10.29.1.171 CheckPoint-
FW
Ekuber-DR-Backup Host 10.28.1.171 CheckPoint-
FW
DR-ATMInterface Host 172.18.18.1 CheckPoint-
FW
Nelito-Prasad Host 192.168.6.38 HO-USERS
DR-Rtgs-Interface Host 172.18.18.2 CheckPoint-
FW
EMS Host 10.29.1.191 CheckPoint-
FW
SFMS-Intranet Host 10.0.67.166 CheckPoint-
FW
CropInsurance Host 192.168.6.145 HO-USERS
ATM-MOP Host 192.168.105.101 DC-Router
IMPS router Host 172.30.11.2 port6
IMPS_Telnet Host 20.20.20.25 port6
Finacus-IMPS-LIVE Host 172.17.24.48 port6
Shende Saheb Host 192.168.6.88 HO-USERS
IDRBT-INTRANET-2 Host 10.100.0.119 RTGS
SFMS-INTRANET-2 Host 10.100.0.119 CheckPoint-
FW
Mangle Host 192.168.6.95 HO-USERS
Finacus - Mobile Banking Host 172.17.25.11 port6
SIEM-SRV Host 10.10.10.4 CheckPoint-
FW
Finacus-IMPS-UAT Host 172.18.2.216 port6
EuronetSw itch-forCivilLines Host 10.13.15.65 DC-Router
Euronet-Checkpoint Host 10.13.15.65 CheckPoint-
FW
Biskunde Saheb Host 192.168.6.81 HO-USERS
SachinNelito Host 192.168.6.151 HO-USERS
GST-INVOICE Host 103.14.162.217 w an1
BBPS1 Host 10.13.135.126 ATM
BBPS_HO_AmitPC Host 192.168.6.26 HO-USERS
CTS-PC Host 192.168.6.199 HO-USERS
BBPS2 Host 10.13.135.130 ATM
BBPS-Korpe Nagar Host 192.168.8.1 - 192.168.8.2 DC-Router
Range
ABsCsDd Host Any ATM
BBPS_Ratanlal Host 192.168.26.1 DC-Router
BBPS_KorpeNagar Host 192.168.8.9 DC-Router
BBPS_Ratanlal2 Host 192.168.26.2 DC-Router
HO-BBPS Clients Host 192.168.6.148 - 192.168.6.149 HO-USERS
Range
BBPS_W ashim_Main Host 192.168.188.1 DC-Router
BBPS_Barshitakli Host 192.168.128.1 DC-Router
BBPS_Akot_Main Host 192.168.133.1 DC-Router
BBPS_Telhara_Main Host 192.168.143.1 DC-Router
BBPS_Balapur Host 192.168.151.1 DC-Router
BBPS_Patur Host 192.168.158.1 DC-Router
BBPS_Mzr_Main Host 192.168.164.1 DC-Router
BBPS_Karanja_Main Host 192.168.170.1 DC-Router
BBPS_Mangrulpir_Main Host 192.168.178.1 DC-Router
BBPS_Manora Host 192.168.184.1 DC-Router
BBPS_Malegaon Host 192.168.193.1 DC-Router
BBPS_Risod_Main Host 192.168.199.1 DC-Router
BBPS_ZP_63 Host 192.168.63.1 DC-Router
HO_NEW _IP_Series Host 192.168.6.152 - 192.168.6.158 HO-USERS
Range
Prasad PC Host 192.168.6.36 HO-USERS
Agme Saheb Host 192.168.6.106 HO-USERS
ATM-PALSO Host 192.168.13.101 DC-Router
PFMS Host 49.35.221.181 w an1
W ashimMain-DVR Host 192.168.88.102 DC-Router
ATM-SAVRA Host 192.168.36.101 DC-Router
BSG - Recon Server Host 192.168.6.198 HO-USERS
Block Internet IP-2 Host Any w an1
BBPS API Host 172.21.25.3 CheckPoint-
FW
ratanlal-BSNL-W an Host 172.23.40.110 DC-Router
IMPS Interface Host 172.21.25.4 CheckPoint-
FW
Euronet NetScaler Host 10.13.139.23 ATM
Comsolve W ebmail Host Any w an1
BCS-RuPay Host 192.168.162.164 ATM
DropBox_IP Host 162.125.248.1 w an1
Netscaler_Natted_IP Host 172.16.108.7 port6
Drop_Box_Internet Host 192.168.6.100 HO-USERS
CA Accounting Module Host 10.0.67.39 RTGS
IDRBT Accounting Module DR Host 10.30.0.3 RTGS
Senryasa Host 103.241.182.37 w an1
Team View er Host Any w an1
NFS_URL Host 192.168.171.6 ATM
Prasanna Rathod Host 172.21.28.12 DC-Admin
Zabbix_Host Host 10.10.10.11 CheckPoint-
FW
IMPS @ Branch Host 172.17.2.83 port6
S.N.W ankhade Host 192.168.6.118 HO-USERS
TESTSERVR_2 Host 172.21.27.5 CheckPoint-
FW
AW S Cloud Host 10.0.4.185 port10
Nale Saheb Host 192.168.6.85 HO-USERS
Finacus-IMPS-W ebservice Host 172.17.2.75 port6
ISG IP Host 110.173.183.4 w an1
ISG MERCHANT PAY Host Any w an1
Netscaler_2 Host 10.13.135.30 ATM
Zabbix_Server Host 10.10.10.12 CheckPoint-
FW
CTS CHQ Printing Host 192.168.6.159 - 192.168.6.160 HO-USERS
Range
Table 135: Custom network addresses
Name Address
SSLVPN_TUNNEL_IPv6_ADDR1 fdff:ffff::/120
all Any
none ::
Table 136: Custom IPv6 network addresses
Address
ADGAON BRANCH AT - ADGAON BZ TQ- TELHARA DIST- AKOLA
ADSUL BRANCH AT - ADSUL TQ- TELHARA DIST-AKOLA
AKOLKHED BRANCH AT - AKOLKHED TQ- AKOT
AKOT CITY BRANCH JAISTHAMBH CHOW K
BORDI BRANCH AT - BORDI TQ- AKOT
CHOHATTA BAZAR BRANCH AKOT ROAD CHOHATTA BAZAR
DANAPUR BRANCH AT - DANAPUR TQ-TELHARA DIST-AKOLA
HIW ARKHED BRANCH AT POST - HIW ARKHED TQ- TELHARA
KUTASA BRANCH AT -KUTASA TQ- AKOLA
MAHILA BRANCH RAMDASPETH BIRLA GATE
MUNDGAON BRANCH AT -MUNDGAON TQ- AKOT
NARSING MANDIR BRANCH AKOT NR NARSING MANDIR
PATHARDI BRANCH AT - PATHARDI TQ- TELHARA DIST-AKOLA
RAUNDALA BRANCH AT - RAUNDALA TQ- AKOT
SAW ARA BRANCH AT- SAW ARA TQ- AKOT DIST- AKOLA
TELHARA CITY BRANCH JUNA ATHAW ADI BAZAR NR DESHMUKH W ADA TE
W ARUL JAULKA BRANCH AT - W ARUD JAULKA TQ- AKOT
ZP-W ASHIM
HIW ARKHED-EXT
Table 137: BRANCHES-Group-1 address group
Address
Belkhed Branch Ta. Telhara
DABKI ROAD BRANCH NR KHANDELW AL HIGH SCHOOL
KAPAD BAZAR BRANCH RAYAT HAVELI JUNA KAPAD BAZAR
Kasola Branch Ta. Mangrulpir Dist. W ashim
Keshavnagar Branch Ta Risod Dist. W ashim
RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA RATANLAL
CHIKHALGAON BRANCH AT - CHIKHALGAON TQ- AKOLA
DAHIHANDA BRANCH AT - DAHIHANDA TQ- AKOLA
HARAL BRANCH AT - HARAL TQ- RISOD
KENW AD BRANCH AT - KENW AD TQ- RISOD DIST- W ASHIM
KURANKHED BRANCH AT- KURANKHED TQ- AKOLA
MARKET YARD BRANCH APMC MARKET
PARAS BRANCH AT- PARAS TQ- BALAPUR . DIST-AKOLA
VIVARA BRANCH AT BABHULGAON TQ - PATUR DIST - AKOLA
RITHAD BRANCH AT POST- RITHAD TQ- RISDO DIST-W ASHIM
Table 138: Branches-Group-2 address group
Address
CHIKHALI BRANCH AT - CHIKHALI TQ- RISOD
DHABA BRANCH AT - DHABA TQ- BARSHITAKLI
DHANAJ BZ BRANCH AT - DHANAJ BZ TQ- KARANJA DIST-W ASHIM
KANHERI SARAP BRANCH AT - KANHERI SARAP TQ- BARSHITAKL
KANSHIVANI BRANCH AT - KANSHIVANI TQ- AKOLA
KARANJA CITY BRANCH BHAJI BAZAR GANDHI CHOW K KARANJA
PATUR NANDAPUR BRANCH AT - PATUR NANDAPUR TQ- AKOLA
PDKV BRANCH DR PDKV VIDYAPEETH CAMPUS
RAJESHW AR JAIHIND CHOW K BRANCH JAIHIND CHOW K OLD CITY
W ANOJA BRANCH AT- W ANOJA TQ- MANGRULPIR DIST- W ASHIM
W ASHIM CITY BRANCH RAJANI CHOW K NR INDANI SCHOO
HATRUN BRANCH AT - HATRUN TQ- BALAPUR DIST- AKOLA
JAULKA RLY BRANCH AT -JAULKA RLY TQ- MALEGAON DIST- W ASHIM
MANGUL ZANAK BRANCH AT -MANGUL ZANAK TQ- RISOD
MOHARI BRANCH AT - MOHARI TQ- MANGRULPIR DIST- W ASHIM
MOP BRANCH AT - MOP TQ- RISOD
PALSO BRANCH AT PALSO TQ DIST- AKOLA
PARDI TAKMOR BRANCH AT - PARDI TAKMOR TQ - W ASHIM
POHA BRANCH AT - POHA TQ- KARANJA DIST- W ASHIM
SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA
SHENDURJANA BRANCH AT - SHENDURJANA TQ- MANORA DIST- W ASHIM
TONDGAON BRANCH KEKATUMRA EXCHANGE DIST - W ASHIM
Address
KAJALESHW AR BRANCH AT - KAJALESHW AR TQ- KARANJA DIST- W ASHI
MANBHA BRANCH AT - MANBHA TQ- KARANJA DIST- W ASHIM
NIMBA BRANCH AT - NIMBA TQ- BALAPUR DIST-AKOLA
PANGRIKUTE BRANCH AT - PANGRIKUTE TQ- MALEGAON DIST- W ASHIM
POHARADEVI BRANCH AT - POHARADEVI TQ- MANORA DIST- W ASHIM
UMBARDA BAZAR BRANCH AT - UMBARDA BAZAR TQ- KARANJA DIST- W
AGAR BRANCH AT- AGAR TQ- AKOLA
DHANORA BRANCH AT - DHANORA TQ- MANGRULPIR DIST- W ASHIM
GANDHIGRAM BRANCH AT - GANDHIGRAM TQ- AKOLA
GOREGAON BRANCH AT- GOREGAON TQ- AKOLA
KINHIRAJA BRANCH AT -KINHIRAJA TQ- MALEGAON DIST- W ASHIM
MEDSHI BRANCH AT - MEDSHI TQ- MALEGAON DIST- W ASHIM
MHAISANG BRANCH AT POST - MHAISANG TQ- AKOLA
SAKHARDOH BRANCH SHIVAJI CHOW K MANORA DIST- W ASHIM
W AKAD BRANCH AT - W AKAD TQ- RISOD
KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- W ASHIM
KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- W ASHIM
PINJAR BRANCH AT POST - PINJAR TQ- BARSHITAKLI
RISOD CITY BRANCH BAGADIYA COMPLEX NR SITLAMATA MANDIR RISOD
RITHAD BRANCH AT POST- RITHAD TQ- RISDO DIST-W ASHIM
URAL BRANCH AT POST - URAL TQ- BALAPUR
SHELUBAZAR BRANCH BHAJI BAZAR SHELU BAZAR TQ- MANGRULPIR
ALEGAON BRANCH AT - ALEGAON TQ- PATUR DIST-AKOLA
MURTIZAPUR CITY BRANCH AT TIDKE COMPLEX MANGALW AR BAZAR MUR
KURUM BRANCH AT - KURUM TQ- MURTIZAPUR
BORGAON MANJU BRANCH AT POST - BORGAON MANJU TQ- AKOLA
UMARI BRANCH AKOLA AT PATIL MARKET JATHARPETH AKOLA
Address
MAHAN BRANCH VIVIDH KARYAKARI SAHAKARI SANSTHA MAHAN
ANSING BRANCH AT - ANSING TQ DIST- W ASHIM
MANA BRANCH GRAMPANCHAYAT MANA TQ- MURTIZAPUR
CHANNI BRANCH AT POST - CHANNI TQ- PATUR DIST- AKOLA
MANGRULPIR CITY BRANCH NR BIRBALNATH MANDIR MANGRULPIR
SHIRPUR BRANCH AT- SHIRPUR TQ- MALEGAON
MURTIZAPUR MARKET YARD BRANCH APMC PREMISES MURTIZAPUR
PATANI CHOW K BRANCH W ASHIM PATANI CHOW K
W ADEGAON BRANCH AT POST - W ADEGAON TQ- BALAPUR
DR KORPE NAGAR BRANCH KORPE NAGAR NR ADARSH COLONY
VYALA BRANCH AT - VYALA TQ- BALAPUR
RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA RATANLAL
KHADKI BRANCH AKOLA AT POST - KHADKI
INZORI BRANCH
Unspecified Branch - Reserved For SOPHOS
Table 141: BranchesGroup-5 address group
Address
ATM-AKOT-CITI
ATM-ALEGAON
ATM-ANSING
ATM-BALAPUR
ATM-BARSHITAKLI
ATM-BORGAOM
ATM-CHOHOTTA
ATM-DABKIRD
ATM-DR KORPENAGAR
ATM-JAULKA
ATM-KAMARGAON
ATM-KAPAD-BAZAR
ATM-KARANJA-CITI
ATM-KARANJA-MAIN
ATM-KENW AD
ATM-KHADKI
ATM-KURUM
ATM-MARKETYARD
ATM-URAL
ATM-AKOT-MAIN
ATM-MANGRULPIR-CITY
Table 142: ATM-1 address group
Address
ATM-MALEGAON
ATM-MANA
ATM-MANGRULPIR-MAIN
ATM-MANORA
ATM-MURTIZAPUR-MAIN
ATM-PATNI-CH
ATM-PATUR
ATM-PINJAR
ATM-RANPISE
ATM-RISOD-MAIN
ATM-SHELUBAZAR
ATM-SHENDURJANA
ATM-SHIRPUR
ATM-TELHARA
ATM-W ADEGAON
ATM-W ASHIM-MAIN
ATM-ZP
ATM-GANDHIGRAM
ATM-Hiw arkhed
Address
APP-1
APP-2
APP-CLUSTER
Table 144: APP-SERVERS address group
Address
BDC
PDC
Table 145: DOMAIN address group
Address
DATABASE1
DATABASE2
SQL-CLUSTER
Table 146: DATABASE address group
Address
OLD-BDC
OLD-PDC
Table 147: OLD-DOMAIN address group
Address
Router2
Router3
Router4
Router5
Router7
Router8
Router9
Router10
Router11
Router12
Router14
Router15
Router16
Router17
Router18
Router19
Router20
Router21
Router22
Router23
Router23
Router24
Router25
Router13
Router26
HO-ROUTER
Table 148: Routers-GR1 address group
Address
Router42
Router43
Router44
Router45
Router46
Router47
Router48
Router49
Router50
Router40
Router41
Router35
Router36
Router37
Router38
Router39
Router33
Router34
Router28
Router29
Router30
Router31
Router32
Router51
Router52
Address
Router53
Router54
Router55
Router56
Router57
Router58
Router59
Router60
Router61
Router62
Router64
Router65
Router66
Router67
Router68
Router70
Router71
Router72
Router73
Router74
Router75
Router76
Router77
Router78
Address
Router79
Router80
Router81
Router82
Router83
Router84
Router85
Router86
Router87
Router88
Router89
Router90
Router91
Router92
Router93
Router94
Router95
Router96
Router97
Router98
Router99
Router100
Router101
Router102
Address
Router104
Router103
Router105
Router106
Router107
Router108
Router109
Router111
Router112
Router113
Router114
Router110
Router115
Router116
Address
RGCS1
RGCS2
BCS-RuPay
NFS_URL
Table 153: RGCS address group
Address
Ekuber-BKP
Ekuber-PRI
RTGS-BKP-W AN
RTGS-NG-W AN
RTGS-PRI-W AN
RTGS-PRI-W AN
IDRBT-TEST-HUB
PO-1
PO-2
PO-Ticketing
LDAP-1
LDAP-2
SFMS
SFMS-DR
ROUTER
Ekuber-New
PO-FAR-DR
PO-NEAR-DR
IDRBT-CA
IDRBT-INTRANET
Ekuber-DR
IDRBT-TEST-HUB-NEW
New -SFMS
IDRBT-INTRANET-NEW
SFMS_NEW
IDRBT-INTRANET-2
Table 154: RBI-RTGS address group
Address
PRASANNA
W SUS
Table 155: DC-ADMIN-INTERNET-USERS address group
Address
ATM-HIW ARKHED-EXT
ATM-MAHAN
ATM-ZP-W ASHIM
Address
ATM-MHAISANG
ATM-Dhaihanda
ATM-CHANNI
ATM-DHABA
ATM-DHANAJ
ATM-KUTASA
ATM-MANGULZANAK
ATM-MEDSHI
ATM-MURTIZAPUR CITY
ATM-NIMBA
ATM-PANGRIKUTE
ATM-PARAS
ATM-POHARADEVI
ATM-RAUNDLA
ATM-RITHAD
ATM-TONDGAO
ATM-UMBARDA BAZAR
ATM-AKOT-NarsingMandir
ATM-Kansivni
ATM-Rajeshw ar
ATM-Adsul
ATM-KARANJA-MARKETYARD
ATM-Kasola Extn
ATM-Kinhiraja
ATM-Mundgaon
ATM-Hatrun
ATM-MOP
ATM-PALSO
ATM-SAVRA
Address
DR-APPLICATION1
DR-APPLICATION2
DRAPPCLUSTER
Table 158: DR-APPSERVERS address group
Address
DR-BACKUPDOMAIN
DR-PRIMARYDOMAIN
Table 159: DR-DOMAINS address group
Address
DR-DATABASE1
DR-DATABASE2
DRADCCSQL
Table 160: DR-DATABASESERVERS address group
Address
AKOT MAIN BRANCH HIW ARKHED ROAD NR PETROL PUMP
TELHARA MAIN BRANCH NR BUS STAND TELHARA
W ASHIM MAIN BRANCH NEAR ST STAND
BALAPUR BRANCH NR BUS STAND BALAPUR
BARSHITAKLI BRANCH AT POST TQ- BARSHITAKLI
KARANJA MAIN BRANCH BEHIND ST STAND NR TAHASILOFFICE KARANJ
MALEGAON BRANCH NR NEW BUS STAND MALEGAON DIST- W ASHIM
MANGRULPIR MAIN BRANCH BIRBALNATH ROAD NR DR SARKAR CLINIC
MANORA BRANCH AT POST TQ- MANORA DIST-W ASHIM
MURTIZAPUR MAIN BRANCH NR TAHSIL OFFICE MURTIZAPUR
PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR
RISOD MAIN BRANCH NR BUS STAND
Z P BRANCH NR COLLECTOR OFFICE
KARANJA MARKET YARD
RANPISE NAGAR BRANCH SAUJANYA MARKET RANPISE NAGAR
Table 161: BRANCH-GROUP-6 address group
Address
Datacenter-Laptop-1
Datacenter-Laptop-2
Table 162: Datacenter-Laptops address group
Address
ATM-OFFSITE-NIMBA
Table 163: OFFSITE ATM address group
Address
DR-Korpe-Nagar-DVR
DabkrRD-DVR
Kapad Bazar-DVR
Ranpise Nagar-DVR
Barshitakli-DVR
Khadki-DVR
Mahan-DVR
Mahan-DVR
Chohotta-DVR
AkotMain-DVR
Hiw arkhed Ex-DVR
Telhara Main-DVR
Table 164: BRANCH-DVR address group
Address
BBPS_Akot_Main
BBPS_Balapur
BBPS_Barshitakli
BBPS_Karanja_Main
BBPS_Malegaon
BBPS_Mangrulpir_Main
BBPS_Manora
BBPS_Mzr_Main
BBPS_Patur
BBPS_Risod_Main
BBPS_Telhara_Main
BBPS_W ashim_Main
BBPS_ZP_63
Table 165: BBPS_Clients address group
5.2.12.3 Services
Custom services can be defined for use w ithin the devices firew all policy. Furthermore, to simplify the administration of the firew all
rules a group of services can be configured w hich can then be used in the firew all policy. This section describes the service
configuration.
Name Protocol Source Port Destination Port

ALL IP
ALL_TCP Any Any
ALL_UDP Any Any
ALL_ICMP ICMP
ALL_ICMP6 ICMP6
GRE IP
GRE
AH IP
AH
ESP IP
ESP
AOL 5190 - 5194 5190 - 5194
BGP 179 179
DHCP 67 - 68 67 - 68
DNS 53 53
53 53
FINGER 79 79
FTP 21 21
FTP_GET 21 21
FTP_PUT 21 21
GOPHER 70 70
H323 1720 1720
1719 1719
HTTP 80 80
HTTPS 443 443
IKE 500 500
IMAP 143 143
IMAPS 993 993
Internet-Locator-Service 389 389
IRC 6660 - 6669 6660 - 6669
L2TP 1701 1701
1701 1701
LDAP 389 389
NetMeeting 1720 1720
NFS 111 111
111 111
NNTP 119 119
NTP 123 123
123 123
OSPF IP
OSPF
PC-Anyw here 5631 5631
5632 5632
PING (8)
TIMESTAMP (13)
INFO_REQUEST (15)
INFO_ADDRESS (17)
ONC-RPC 111 111
111 111
DCE-RPC 135 135
135 135
POP3 110 110
POP3S 995 995
PPTP 1723 1723
QUAKE 26000 26000
RAUDIO 7070 7070
REXEC 512 512
RIP 520 520
RLOGIN 512 - 1023 513
RSH 512 - 1023 514
SCCP 2000 2000
SIP 5060 5060
5060 5060
SIP-MSNmessenger 1863 1863
SAMBA 139 139
SMTP 25 25
SMTPS 465 465
SNMP 161 - 162 161 - 162
161 - 162 161 - 162
SSH 22 22
SYSLOG 514 514
TALK 517 - 518 517 - 518
TELNET 23 23
TFTP 69 69
MGCP 2427 2427
UUCP 540 540
VDOLIVE 7000 - 7010 7000 - 7010
W AIS 210 210
W INFRAME 1494 1494
X-W INDOW S 6000 - 6063 6000 - 6063
PING6 ICMP6
MS-SQL 1433 1433
MYSQL 3306 3306
RDP 3389 3389
VNC 5900 5900
DHCP6 546 546
SQUID 3128 3128
SOCKS 1080 1080
1080 1080
W INS 1512 1512
1512 1512
RADIUS 1812 1812
RADIUS-OLD 1645 1645
CVSPSERVER 2401 2401
2401 2401
AFS3 7000 - 7009 7000 - 7009
7000 - 7009 7000 - 7009
TRACEROUTE 33434 - 33535 33434 - 33535
RTSP 554 554
RTSP 554 554
554 554
MMS 1755 1755
1024 - 5000 1024 - 5000
KERBEROS 88 88
88 88
LDAP_UDP 389 389
SMB 445 445
NONE 0 0
w ebproxy ALL 0 - 65535 0 - 65535
TCP-8065 8065 8065
TCP-8000 8000 - 8004 8000 - 8004
TCP-8087 8087 8087
TCP-8014 8014 8014
TCP-2638 2638 2638
TCP-9090 9090 9090
UDP-138 138 138
TCP-139 139 139
TCP-2967 2967 2967
UDP-39999 39999 39999
TCP-8765 8765 8765
UDP-1812 1812 1812
TCP-8443 8443 - 8447 8443 - 8447
UDP-137 137 137
TCP-Dynamic 0 - 65535 0 - 65535
TCP-3268 3268 - 3269 3268 - 3269
TCP-464 464 464
464 464
TCP-9389 9389 9389
TCP-5722 5722 5722
TCP-636 636 636
UDP-Dynamic 49152 - 65535 49152 - 65535
TCP1415 1415 1415
TCP8868 8868 8868
TCP8872 8872 8872
TCP5001 5001 5001
TCP5004 5004 5004
TCP-9086 9086 9086
TCP-5002 5002 5002
TCP9086 9086 9086
TCP8893 8893 8893
TCP8080 8080 8080
TCP-1423 1423 1423
TCP-1414 1414 1414
TCP-1419 1419 1419
TCP-1420 1420 1420
TCP-1417 1417 1417
TCP-1415 1415 1415
TCP-7071 7071 7071
TCP-7025 7025 7025
TCP8003 8003 8003
TCP8002 8002 8002
TCP8004 8004 8004
TCP8085 8085 8085
TCP8081 8081 8081
TCP-8001 8001 8001
TCP-54218 54218 54218
TCP-14147 14147 14147
Internet Any Any
TCP-5938 5938 5938
TCP/7071-7072 7071 - 7072 7071 - 7072
TCP/7780 7780 7780
TCP-3926 3926 3926
TCP/143 143 143
TCP/465 465 465
TCP/587 587 587
TCP/993 993 993
TCP/995 995 995
TCP/6415 6415 6415
TCP/22 22 22
TCP25000 25000 25000
TCP/7282 7282 7282
TCP/7501 7501 7501
TCP-24010 24010 24010
TCP-50020 50020 50020
TCP-4444 4444 4444
4444 4444
TCP44405 44405 44405
TCP33305 33305 33305
TCP8049 8049 8049
TCP45451 45451 45451
GST-SFTP 8122 8122
TCP8011 8011 8011
BBPSTCP4434 4434 4434
TCP-8012 8012 8012
TCP9095 9095 9095
TCP/15402 15402 15402
VMW ARE_1 901 901
VMW ARE_2 902 902
TCP7094 7094 7094
TCP-5201 5201 5201
Table 166: Custom service list
Service
DNS
IMAP
IMAPS
POP3
POP3S
SMTP
SMTPS
Table 167: Email Access service group
Service
DNS
HTTP
HTTPS
Table 168: Web Access service group
Service
DCE-RPC
DNS
KERBEROS
LDAP
LDAP_UDP
SAMBA
SMB
Table 169: Windows AD service group
Service
DCE-RPC
DNS
HTTPS
Table 170: Exchange Server service group
Service
ALL_ICMP
HTTP
DCE-RPC
TCP-8065
SMB
Table 171: APP-Services service group
Service
HTTP
SMB
HTTPS
ALL_ICMP
TCP-8014
TCP-2638
TCP-9090
UDP-138
TCP-2967
UDP-39999
TCP-8765
SNMP
UDP-1812
TCP-8443
UDP-137
TCP-Dynamic
SAMBA
Table 172: AntivirusServices service group
Service
ALL_ICMP
TCP-3268
UDP-Dynamic
TCP-464
LDAP
KERBEROS
DCE-RPC
TCP-9389
LDAP_UDP
DNS
TCP-5722
SMB
TCP-636
TCP-Dynamic
NTP
Table 173: Domain-Services service group
Service
HTTP
MS-SQL
ALL_ICMP
SMB
SAMBA
UDP-137
UDP-138
HTTPS
Table 174: DATABASE-SERVICES service group
Service
TCP8868
Table 175: BRANCH-ATMS-TO-SWITCH-1 service group
Service
HTTP
HTTPS
LDAP
LDAP_UDP
MS-SQL
TELNET
ALL_ICMP
TCP-1423
TCP-1414
TCP1415
TCP-1417
TCP-1419
TCP-1420
TCP8080
Table 176: RBI-SERVICES service group
Service
TCP8002
TCP8003
TCP8004
TCP-8000
TCP-8087
TCP-8001
TCP8011
Table 177: APBS service group
Service
TCP8872
Table 178: BRANCH-ATMS-TO-SWITCH-2 service group
Service
TCP-139
SMB
Table 179: IT-Audit service group
5.2.13 Time And Date

It can be critically important that the time and date set on all netw ork devices match. Many authentication services depend on the
time betw een devices being synchronized, if a clock is outside a threshold then that device may no longer be able to perform
authentication. Furthermore, diagnosing issues w ith the use of message logs becomes much more cumbersome if the time and
dates betw een devices do not match. Fortinet FortiGate Firew all FG100D devices can be configured to obtain time updates from a
netw ork time source. This section details the time and date configuration settings.
5.2.13.1 Time Zones
Description Setting
Time Zone 47
Table 180: General Time Settings
5.2.13.2 NTP Client Configuration

Fortinet FortiGate Firew all FG100D devices can be configured to synchronize their time from a Netw ork Time Protocol (NTP) time
source (Request For Change (RFC) 1305 http://w w w .faqs.org/rfcs/rfc1305.html). This section details those NTP client configuration
settings.
Description Setting
NTP Client Enabled
NTP Update Interval 60 minutes
NTP Update Interval 60 minutes
Table 181: NTP client settings
Table 182 details the NTP time sources used to provide the time updates to the device.
Address Description
2.asia.pool.ntp.org 1
Table 182: NTP client time sources
6 Raw Configuration
6.1 Introduction
This section details the raw configuration of a device w ithout performing any interpretation of the content. Therefore, to understand
the information show n in this section w ill require some technical know ledge.
6.2 Fortinet FortiGate Firewall FG100D DC-PERIMETER1 Raw Configuration
1 #config-version=FG100D-5.02-FW-build718-160328:opmode=0:vdom=0:user=admin
2 #conf_file_ver=15337751207499427911
3 #buildno=0718
4 #global_vdom=1
5 config system global
6 set admintimeout 10
7 set fgd-alert-subscription advisory latest-threat
8 set gui-endpoint-control disable
9 set gui-explicit-proxy enable
10 set gui-wireless-controller disable
11 set hostname "DC-PERIMETER1"
12 set internal-switch-mode interface
13 set pre-login-banner enable
14 set refresh 20
15 set timezone 47
16 end
17 config system accprofile
18 edit "prof_admin"
19 set mntgrp read-write
20 set admingrp read-write
21 set updategrp read-write
22 set authgrp read-write
23 set sysgrp read-write
24 set netgrp read-write
25 set loggrp read-write
26 set routegrp read-write
27 set fwgrp read-write
28 set vpngrp read-write
29 set utmgrp read-write
30 set wanoptgrp read-write
31 set endpoint-control-grp read-write
32 set wifi read-write
33 next
34 end
35 config system interface
36 edit "wan1"
37 set vdom "root"
38 set ip 172.22.22.1 255.255.255.0
39 set icmp-redirect disable
40 set type physical
41 set alias "Backup-Internet"
42 set device-identification enable
43 set snmp-index 1
44 next
45 edit "dmz"
46 set vdom "root"
48 set snmp-index 2
49 next
49 next
50 edit "modem"
51 set vdom "root"
52 set mode pppoe
54 set snmp-index 3
55 next
56 edit "ssl.root"
57 set vdom "root"
58 set type tunnel
59 set alias "SSL VPN interface"
60 set snmp-index 6
61 next
62 edit "wan2"
63 set vdom "root"
64 set mode dhcp
65 set allowaccess ping fgfm
67 set alias "Primary-Internet"
68 set snmp-index 7
69 next
70 edit "mgmt"
71 set vdom "root"
72 set ip 172.23.21.130 255.255.255.0
73 set allowaccess ping https ssh http fgfm
75 set dedicated-to management
76 set snmp-index 8
77 next
78 edit "ha1"
79 set vdom "root"
81 set snmp-index 9
82 next
83 edit "ha2"
84 set vdom "root"
86 set snmp-index 10
87 next
88 edit "port1"
89 set vdom "root"
91 set snmp-index 4
92 next
93 edit "port2"
94 set vdom "root"
96 set snmp-index 5
97 next
98 edit "port3"
99 set vdom "root"
102 next
103 edit "port4"
104 set vdom "root"
107 next
108 edit "port5"
109 set vdom "root"
112 next
113 edit "port6"
114 set vdom "root"
115 set ip 172.30.11.1 255.255.255.0
117 set alias "IMPS"
120 next
121 edit "port7"
122 set vdom "root"
125 next
126 edit "port8"
127 set vdom "root"
127 set vdom "root"
130 next
131 edit "port9"
132 set vdom "root"
135 next
136 edit "port10"
137 set vdom "root"
138 set ip 172.30.10.1 255.255.255.0
140 set alias "MICRO-ATM"
143 next
144 edit "port11"
145 set vdom "root"
148 next
149 edit "port12"
150 set vdom "root"
153 next
154 edit "port13"
155 set vdom "root"
158 next
159 edit "port14"
160 set vdom "root"
163 next
164 edit "lan"
165 set vdom "root"
166 set ip 172.168.1.97 255.255.255.248
167 set allowaccess ping https http fgfm capwap
168 set type hard-switch
169 set listen-forticlient-connection enable
171 next
172 edit "DC-Router"
173 set vdom "root"
174 set ip 192.168.1.97 255.255.255.0
175 set allowaccess ping
176 set type redundant
177 set member "port1" "port2"
178 set description "Connected To DC-Router Interface"
181 next
182 edit "CheckPoint-FW"
183 set vdom "root"
184 set ip 172.22.26.4 255.255.255.0
188 set description "Connected To Checkpoint FW Interface"
191 next
192 edit "DC-Admin"
193 set vdom "root"
194 set ip 172.21.28.1 255.255.255.0
195 set allowaccess ping snmp
197 set explicit-web-proxy enable
198 set member "port5"
199 set description "Connected To DC-Admin Interface"
202 next
203 edit "HO-USERS"
204 set vdom "root"
205 set ip 192.168.6.1 255.255.255.0
205 set ip 192.168.6.1 255.255.255.0
207 set explicit-web-proxy enable
209 set description "Connected To HO-USERS Interface"
212 next
213 edit "RTGS"
214 set vdom "root"
215 set ip 172.30.0.100 255.255.255.0
216 set allowaccess ping ssh
219 set description "Connected to RTGS Interface"
222 next
223 edit "ATM"
224 set vdom "root"
225 set ip 172.21.29.4 255.255.255.0
229 set description "Connected To ATM Interface"
232 next
233 edit "BRANCH-BACKUP"
234 set vdom "root"
235 set ip 172.21.26.1 255.255.255.0
240 next
241 end
242 config system physical-switch
243 edit "sw0"
244 set age-val 0
245 next
246 end
247 config system virtual-switch
248 edit "lan"
249 set physical-switch "sw0"
250 config port
251 edit "port15"
252 next
253 edit "port16"
254 next
255 end
256 next
257 end
258 config system password-policy
259 set status enable
260 set min-lower-case-letter 1
261 set min-non-alphanumeric 1
262 set min-number 1
263 set expire-status enable
264 set expire-day 60
265 end
266 config system custom-language
267 edit "en"
268 set filename "en"
269 next
270 edit "fr"
271 set filename "fr"
272 next
273 edit "sp"
274 set filename "sp"
275 next
276 edit "pg"
277 set filename "pg"
278 next
279 edit "x-sjis"
280 set filename "x-sjis"
281 next
282 edit "big5"
283 set filename "big5"
284 next
285 edit "GB2312"
286 set filename "GB2312"
287 next
288 edit "euc-kr"
289 set filename "euc-kr"
290 next
291 end
292 config system admin
293 edit "admin"
294 set trusthost1 172.23.21.253 255.255.255.255
295 set trusthost2 172.23.21.252 255.255.255.255
296 set trusthost3 172.23.23.253 255.255.255.255
297 set accprofile "super_admin"
298 set vdom "root"
299 set password-expire 2019-07-06 13:04:08
300 config dashboard-tabs
301 edit 1
302 set name "Status"
303 next
304 end
305 config dashboard
306 edit 1
307 set tab-id 1
308 set column 1
309 next
310 edit 8
311 set widget-type licinfo
312 set tab-id 1
313 set column 1
314 next
315 edit 4
316 set widget-type sysres
317 set tab-id 1
318 set column 1
319 next
320 edit 7
321 set widget-type jsconsole
322 set tab-id 1
323 set column 1
324 next
325 edit 5
326 set widget-type gui-features
327 set tab-id 1
328 set column 1
329 next
330 edit 6
331 set widget-type alert
332 set tab-id 1
333 set column 1
334 set top-n 10
335 next
336 end
337 set password ENC AK1QciRCEbECBnWa+I6aM6sM4jHYkrU0AgSbnvpmSv5gSs=
338 next
339 edit "administrator"
340 set trusthost1 172.23.21.253 255.255.255.255
341 set trusthost2 172.23.21.252 255.255.255.255
342 set trusthost3 172.23.23.253 255.255.255.255
344 set vdom "root"
347 edit 1
349 next
350 end
352 edit 1
353 set tab-id 1
354 set column 1
355 next
356 edit 2
358 set tab-id 1
359 set column 1
360 next
360 next
361 edit 3
363 set tab-id 1
364 set column 1
365 next
366 edit 4
368 set tab-id 1
369 set column 2
370 next
371 edit 5
373 set tab-id 1
374 set column 2
375 next
376 edit 6
378 set tab-id 1
379 set column 2
380 set top-n 10
381 next
382 end
383 set password ENC AK1mn+7dtOX7ALp7mqxmhE+aQp/3RbTQXWS18SyFJ992vg=
384 next
385 edit "adcc"
386 set trusthost1 172.23.21.253 255.255.255.255
387 set trusthost2 172.23.21.252 255.255.255.255
388 set trusthost3 172.23.23.253 255.255.255.255
390 set vdom "root"
393 edit 1
395 next
396 end
398 edit 1
399 set tab-id 1
400 set column 1
401 next
402 edit 2
404 set tab-id 1
405 set column 1
406 next
407 edit 3
409 set tab-id 1
410 set column 1
411 next
412 edit 4
414 set tab-id 1
415 set column 2
416 next
417 edit 5
419 set tab-id 1
420 set column 2
421 next
422 edit 6
424 set tab-id 1
425 set column 2
426 set top-n 10
427 next
428 end
429 set password ENC AK15YEoEcEcYFxxrZ6oMhIAbPln6kfq9DTHMs5ryTyJQc4=
430 next
431 end
432 config system ha
433 set group-id 25
434 set group-name "DC-PER-CLUSTER"
435 set mode a-p
436 set password ENC ↓
...Czg/QnWaGhfYW3P2vrjkj2xLMwdF/4MD6bJ/ckhk/7/XVkWPwyyjhq+SIfAzwkjO0NkXX34R8IggnzBKkwHRDzCAYZ7vOP ↓
...hfAjnowBCN8WgqKq5D1fffxgPRp9iJzW4cRcOevEGXPylP0ZWLKeklAzkDIl4ALHzYBJ0Ovxof9CaZwIn/Dnf2BkCg1kb+ ↓
...hfAjnowBCN8WgqKq5D1fffxgPRp9iJzW4cRcOevEGXPylP0ZWLKeklAzkDIl4ALHzYBJ0Ovxof9CaZwIn/Dnf2BkCg1kb+ ↓
...hVtMwGvfJQ==
437 set ha-mgmt-status enable
438 set ha-mgmt-interface "mgmt"
439 set override enable
440 set priority 200
441 set monitor "ATM" "BRANCH-BACKUP" "CheckPoint-FW" "DC-Admin" "DC-Router" ↓
..."HO-USERS" "RTGS"
442 end
443 config system dns
444 set primary 208.91.112.53
445 set secondary 208.91.112.52
446 set domain "172.21.23.1"
447 end
448 config system replacemsg-image
449 edit "logo_fnet"
450 set image-type gif
451 set image-base64 ''
452 next
453 edit "logo_fguard_wf"
454 set image-type gif
456 next
457 edit "logo_fw_auth"
458 set image-type png
460 next
461 edit "logo_v2_fnet"
464 next
465 edit "logo_v2_fguard_wf"
468 next
469 edit "logo_v2_fguard_app"
472 next
473 end
474 config system replacemsg mail "email-block"
475 end
476 config system replacemsg mail "email-dlp-subject"
477 end
478 config system replacemsg mail "email-dlp-ban"
479 end
480 config system replacemsg mail "email-filesize"
481 end
482 config system replacemsg mail "partial"
483 end
484 config system replacemsg mail "smtp-block"
485 end
486 config system replacemsg mail "smtp-filesize"
487 end
488 config system replacemsg http "bannedword"
489 end
490 config system replacemsg http "url-block"
491 end
492 config system replacemsg http "urlfilter-err"
493 end
494 config system replacemsg http "infcache-block"
495 end
496 config system replacemsg http "http-block"
497 end
498 config system replacemsg http "http-filesize"
499 end
500 config system replacemsg http "http-dlp-ban"
501 end
502 config system replacemsg http "http-archive-block"
503 end
504 config system replacemsg http "http-contenttypeblock"
505 end
506 config system replacemsg http "https-invalid-cert-block"
507 end
508 config system replacemsg http "http-client-block"
509 end
510 config system replacemsg http "http-client-filesize"
511 end
512 config system replacemsg http "http-client-bannedword"
512 config system replacemsg http "http-client-bannedword"
513 end
514 config system replacemsg http "http-post-block"
515 end
516 config system replacemsg http "http-client-archive-block"
517 end
518 config system replacemsg http "switching-protocols-block"
519 end
520 config system replacemsg webproxy "deny"
521 end
522 config system replacemsg webproxy "user-limit"
523 end
524 config system replacemsg webproxy "auth-challenge"
525 end
526 config system replacemsg webproxy "auth-login-fail"
527 end
528 config system replacemsg webproxy "auth-authorization-fail"
529 end
530 config system replacemsg webproxy "http-err"
531 end
532 config system replacemsg webproxy "auth-ip-blackout"
533 end
534 config system replacemsg ftp "ftp-dl-blocked"
535 end
536 config system replacemsg ftp "ftp-dl-filesize"
537 end
538 config system replacemsg ftp "ftp-dl-dlp-ban"
539 end
540 config system replacemsg ftp "ftp-explicit-banner"
541 end
542 config system replacemsg ftp "ftp-dl-archive-block"
543 end
544 config system replacemsg nntp "nntp-dl-blocked"
545 end
546 config system replacemsg nntp "nntp-dl-filesize"
547 end
548 config system replacemsg nntp "nntp-dlp-subject"
549 end
550 config system replacemsg nntp "nntp-dlp-ban"
551 end
552 config system replacemsg fortiguard-wf "ftgd-block"
553 end
554 config system replacemsg fortiguard-wf "http-err"
555 end
556 config system replacemsg fortiguard-wf "ftgd-ovrd"
557 end
558 config system replacemsg fortiguard-wf "ftgd-quota"
559 end
560 config system replacemsg fortiguard-wf "ftgd-warning"
561 end
562 config system replacemsg spam "ipblocklist"
563 end
564 config system replacemsg spam "smtp-spam-dnsbl"
565 end
566 config system replacemsg spam "smtp-spam-feip"
567 end
568 config system replacemsg spam "smtp-spam-helo"
569 end
570 config system replacemsg spam "smtp-spam-emailblack"
571 end
572 config system replacemsg spam "smtp-spam-mimeheader"
573 end
574 config system replacemsg spam "reversedns"
575 end
576 config system replacemsg spam "smtp-spam-bannedword"
577 end
578 config system replacemsg spam "smtp-spam-ase"
579 end
580 config system replacemsg spam "submit"
581 end
582 config system replacemsg im "im-file-xfer-block"
583 end
584 config system replacemsg im "im-file-xfer-name"
585 end
586 config system replacemsg im "im-file-xfer-infected"
587 end
588 config system replacemsg im "im-file-xfer-size"
589 end
590 config system replacemsg im "im-dlp"
590 config system replacemsg im "im-dlp"
591 end
592 config system replacemsg im "im-dlp-ban"
593 end
594 config system replacemsg im "im-voice-chat-block"
595 end
596 config system replacemsg im "im-video-chat-block"
597 end
598 config system replacemsg im "im-photo-share-block"
599 end
600 config system replacemsg im "im-long-chat-block"
601 end
602 config system replacemsg alertmail "alertmail-virus"
603 end
604 config system replacemsg alertmail "alertmail-block"
605 end
606 config system replacemsg alertmail "alertmail-nids-event"
607 end
608 config system replacemsg alertmail "alertmail-crit-event"
609 end
610 config system replacemsg alertmail "alertmail-disk-full"
611 end
612 config system replacemsg admin "pre_admin-disclaimer-text"
613 set buffer "
614 This is a private computer system. Unauthorized access or use
615 is prohibited and subject to prosecution and/or disciplinary
616 action. All use of this system constitutes consent to
617 monitoring at all times and users are not entitled to any
618 expectation of privacy. If monitoring reveals possible evidence
619 of violation of criminal statutes, this evidence and any other
620 related information, including identification information about
621 the user, may be provided to law enforcement officials.
622 If monitoring reveals violations of security regulations or
623 unauthorized use, employees who violate security regulations or
624 make unauthorized use of this system are subject to appropriate
625 disciplinary action.
626
627 "
628 end
629 config system replacemsg admin "post_admin-disclaimer-text"
630 end
631 config system replacemsg auth "auth-disclaimer-page-1"
632 end
634 end
636 end
637 config system replacemsg auth "auth-reject-page"
638 end
639 config system replacemsg auth "auth-login-page"
640 end
641 config system replacemsg auth "auth-login-failed-page"
642 end
643 config system replacemsg auth "auth-token-login-page"
644 end
645 config system replacemsg auth "auth-token-login-failed-page"
646 end
647 config system replacemsg auth "auth-success-msg"
648 end
649 config system replacemsg auth "auth-challenge-page"
650 end
651 config system replacemsg auth "auth-keepalive-page"
652 end
653 config system replacemsg auth "auth-portal-page"
654 end
655 config system replacemsg auth "auth-password-page"
656 end
657 config system replacemsg auth "auth-fortitoken-page"
658 end
659 config system replacemsg auth "auth-next-fortitoken-page"
660 end
661 config system replacemsg auth "auth-email-token-page"
662 end
663 config system replacemsg auth "auth-sms-token-page"
664 end
665 config system replacemsg auth "auth-email-harvesting-page"
666 end
667 config system replacemsg auth "auth-email-failed-page"
667 config system replacemsg auth "auth-email-failed-page"
668 end
669 config system replacemsg auth "auth-cert-passwd-page"
670 end
671 config system replacemsg auth "auth-guest-print-page"
672 end
673 config system replacemsg auth "auth-guest-email-page"
674 end
675 config system replacemsg auth "auth-success-page"
676 end
677 config system replacemsg auth "auth-block-notification-page"
678 end
679 config system replacemsg sslvpn "sslvpn-login"
680 end
681 config system replacemsg sslvpn "sslvpn-limit"
682 end
683 config system replacemsg sslvpn "hostcheck-error"
684 end
685 config system replacemsg ec "endpt-download-portal"
686 end
687 config system replacemsg ec "endpt-download-portal-mac"
688 end
689 config system replacemsg ec "endpt-download-portal-ios"
690 end
691 config system replacemsg ec "endpt-download-portal-aos"
692 end
693 config system replacemsg ec "endpt-download-portal-other"
694 end
695 config system replacemsg device-detection-portal "device-detection-failure"
696 end
697 config system replacemsg nac-quar "nac-quar-virus"
698 end
699 config system replacemsg nac-quar "nac-quar-dos"
700 end
701 config system replacemsg nac-quar "nac-quar-ips"
702 end
703 config system replacemsg nac-quar "nac-quar-dlp"
704 end
705 config system replacemsg nac-quar "nac-quar-admin"
706 end
707 config system replacemsg traffic-quota "per-ip-shaper-block"
708 end
709 config system replacemsg utm "virus-html"
710 end
711 config system replacemsg utm "virus-text"
712 end
713 config system replacemsg utm "dlp-html"
714 end
715 config system replacemsg utm "dlp-text"
716 end
717 config system replacemsg utm "appblk-html"
718 end
719 config system snmp sysinfo
721 end
722 config system snmp community
723 edit 1
724 set name "adccb"
725 config hosts
726 edit 1
727 set ip 172.21.28.16 255.255.255.255
728 set interface "DC-Admin"
729 next
730 end
731 set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ↓
...ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern ↓
...av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ↓
...ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ↓
...ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up ↓
...fswctl-session-down
732 next
733 end
734 config system autoupdate push-update
736 end
737 config system autoupdate schedule
738 set time 01:60
739 end
740 config system central-management
740 config system central-management
741 set type fortiguard
742 end
743 config vpn certificate ca
744 end
745 config vpn certificate local
746 edit "Fortinet_CA_SSLProxy"
...fAJvTzOQrEG0A7vxn2Sq6oFMga8sidZ6jvQd2qafb+Z9NIheEMjaXAGWHM0G/ngzKZb+pdSadO4Dl0sAhy15cSNs8OuC9v ↓
...P/KOhZkEdhp+lVl30iAOENlWRkAkj16TJjdFntyuTtn8FLQ6eNGysYQrqxLtvvDJB+WhNOsglfN+7tsUu/Ww1ACv8klPWH ↓
...CEX8y7pBoA==
748 set comments "This is the default CA certificate the SSL Inspection ↓
...will use when generating new server certificates."
749 set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
750 MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI1BBIbkoVoCYCAggA
751 MBQGCCqGSIb3DQMHBAj4DZXO/LBx0gSCBMg62cAQMpUtyyv+bCDWUGKwbpn6Ts49
752 /mAwpU93dwT63O8iOAfBXq9+tr9DXR8UFbw4SEEq2jj6k7Rs8dAuKs/wp9gGy+4X
753 QfKbt4fAFZfsssUUffxPaRxHxyIi0/F8qSdmFuI1e742f5u++Zci9LsrZCdR3Qmi
754 pZmEUZSujSDPdVQhZBh7kWNqIx3+1uyXO0N7ghLnPQF6upcacDiuRNu2DKyulo+9
755 HPG/JJtYXl5/JftUo85UTImwZeQ/4FGuf0xL+yHfm3ISGKpdUVvkfLY9aAcLcXdn
756 +coqDu0fJnbmfg984y1eFjAbO+QjL4KJdHO/2iMteFzeQH7WUU1JXadcaaQ9AO5d
757 5v+EPl68uAXE4LwCQ3dLTPD86Fm2hGABZzWnnbRdXl05B0TCXDqOP2eM7gmy/sKQ
758 bP0ZbSarbz6EPP4bauq++Fxk4q1D+QXHzINS2KdvLw97XuLl1sK4CYhwHPGTrhri
759 2tJC1zlTKTwwih/boB5kPQFUCFl/Diw31GxCLsQmNGsBSgbbYNHiA5WhWy1e++l5
760 4a5/nnmk3qAs3Da4DoK8BGlxAbnLt6y1BGCHi4zZ2RTdg/pyHKi/BwEPRhoac3K6
761 RKMMOXoHsHUJ+x2aNEQxoN4XZ3slWYTzRi1GnqzvJbG9LK87jq0dd61McSUXlaZA
762 V41isM3u8xbKBQCmsNNzfeOSHeKvXLTvU8jma6vJIHkL2w1GX121H0flJ6iVadyU
763 +lfcK85wUQlhKk9pmoGm4rxaO1VrIg8Nool6P9wXUDBAa6P//WULnUdGk2zYMwTM
764 KX9Gskl/FpKLR2tCKxpC4A2Vs9oKmfBtjjhUz9zR+bvYPMPEiq+XFbr8i3LXDRtT
765 zl5rUvrNQKZnUFajQY74s0vtXNm//T4gSdag6SlTyPbbj1fwFOgPo9XSpbeO/5hD
766 B5So04cpP1BLuud7Xu6mKFfaHP8faWh5VD96+yE3XJY8ln+RdwDEbYNtVFRwvyuA
767 5shKoD+bucO2yl3Nn66ydFcx+laypB3WeIlklJY+ajbEPnbg04+4XKI906dPvqwU
768 EdjciUBZUrC6rhn05YTH2bD0qjYJEGJiUQF+UaAxdb13mBw4wT29ofbrBzlXz/OF
769 wF5he3+jUHmQUVcrhVVXxblhQAvF0QJzJxBw3drtjGqhBz3W9Ngj5szeBXb79lKM
770 dxktpw0LKSmMAZZDkukvf2F3238KO2Kr/MQcr/1yqZDCDTPPEspPDotsdwjRUlrg
771 nrBZ3U5xDtLimOVX0Dqofae7T9d997hlKL4eK1SahybMFcB9FbSJldK3kbIpGxMy
772 XIyLKZ8JRQdjQdUXnpQi94Hb+KW/Dj3H1SwDoJeXKAqVyeWhqIyMW7f0suyVzUHt
773 EecK+sPf7cHUxDEad6aiUzaa/CqNrhKALXemHwVvxNE9xMa8BCDOVMtQ5YUqJ0rQ
774 /xFmpTscAXX+vCnc3W6bsvy8VBbO/Hqay+xO4ZkE63YCbmNjGgRavfE41GMQ9GCc
775 2/OAVhWL//4bcaOGghXcFY2r7HO5NL2T3fa2oKdg9Jh+7B4Z8+jO7h+Wp4zi/mun
776 yiRiOjF9dwi/qwjF4e8jykYVgsAVsPfqUcVeEm7wGcy0gUc1S8/xEDOsHygzVjj5
777 6JI=
778 -----END ENCRYPTED PRIVATE KEY-----"
779 set certificate "-----BEGIN CERTIFICATE-----
780 MIID3jCCAsagAwIBAgIINKWrUK3NxEQwDQYJKoZIhvcNAQEFBQAwgaUxCzAJBgNV
781 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUx
782 ETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp
783 dHkxFTATBgNVBAMMDEZvcnRpR2F0ZSBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9y
784 dEBmb3J0aW5ldC5jb20wHhcNMTUwNzE2MDgwNTAzWhcNMjUwNzE2MDgwNTAzWjCB
785 pTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1
786 bm55dmFsZTERMA8GA1UECgwIRm9ydGluZXQxHjAcBgNVBAsMFUNlcnRpZmljYXRl
787 IEF1dGhvcml0eTEVMBMGA1UEAwwMRm9ydGlHYXRlIENBMSMwIQYJKoZIhvcNAQkB
788 FhRzdXBwb3J0QGZvcnRpbmV0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
789 AQoCggEBAL38kLcEBpZwu/D1SkkSxElSPFLES6qy2QR/bhmxdyc3H/jiLOZHiLc3
790 l0wkU8BMaA5aSsNP8xNAYTZlDbe7vGdJ3mqVVDRgEmyAaMO355e/GKR/vNSyYfJn
791 1XX+uf/rLuD4d2M67al1QYAr2Dh4od2Uz3Radvkl5CkDQJ052d8SY2jh49wGnx21
792 5NNaKrL/dWKwciCIM2ycWrkcdyR1E81RtN9uAT2Ajt1dZNWNLZkWZxrfvRCMtuB1
793 +/zKbti2S4kMa62UvEonSoi1lDeDgOkQeBcAbpszB40qHGNdiHxOXNFzns3Aqwyh
794 BTCdErH0Of6HnJ1Z0ZdaqHJC8LL5wwkCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
795 BgkqhkiG9w0BAQUFAAOCAQEASM45c4aik1mveKunpQTZtRCwj8M8ZunGmFAqKEkk
796 EVwpKPr9brsj40s6Nm3/L73NwONGEqh0+y4/Gh1uaSTYdGWdOJn0GbPNstaJZZR9
797 mkZ6g/1u1WrxOxceyQuWKssbgvcSk5Oq84gACgOhl14EnUuBmsvOmawGN+sGQHzk
798 x3tFZcPezaaP4L8xS5qlcEyhoKk+Eld+wo273/RTLevQV6wqBTqKaejK1rAKyLG4
799 mfzrUbVHozLOppLc5T5QfdK9/D5JJuDxU2NhnF5d1P2P1fQJVqGtX3rseZED24Zx
800 klFoEVQXw6lcuhh40yPkyZGLpTSAuhUJB2ruhf7HGb9xSg==
801 -----END CERTIFICATE-----"
802 next
803 edit "Fortinet_SSLProxy"
...O9nYNxGeQuyyu1UCRneMuKy68YUm5bhcBlCa3WxDR30O7x1VWLuIg3EbOg2LUbeLWr3Vrffq0ys1O04Q4ggC/r8pUSrQjG ↓
...s3nWpcKtGfczuEE82o0wWaBSUpeOUDmWpmFIiyr8BjfaQ0DfWJx2FTcV7eP7GdVvYKt1aV0McYPiMKh9w8ixBWgTRYXbYw ↓
...kJ5dm7n/ag==
805 set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
806 MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfTee5vmhpVgCAggA
807 MBQGCCqGSIb3DQMHBAjnbuQ0IElwmwSCBMhwAYqC/XIpH63cX9ZJE6JJ38xN7ppQ
808 DENL1IpY3G/aNH598ZwicvIF09C4t9OqywOg0mgzMfkE+SIgy3WEwiFw7/HP8fJ5
809 0jjfQvqUInyjt6fFGbsb/1BSx/C7ZsZlv/4PkSQKKBISnOi+z2y8Wfves1Cy/YcG
810 UYD18yUclD0/xISLHjEQwYR26+K97qFaF3bqjK0nraecf/BBadm5Q6vtCuINjHFU
811 5pVaF7+H6lvSEARrP/qGCxKa27NVI/7yX7PrrKYlKuS5mKq/6830BlzPoU0qkkx+
811 5pVaF7+H6lvSEARrP/qGCxKa27NVI/7yX7PrrKYlKuS5mKq/6830BlzPoU0qkkx+
812 UBmjhd3P+SrvsuBcj4GcuD7hJjiK56w7L/zw7OSZyBrR0nOiWluDiywCnuXXoVoX
813 HJSi9Utpz5nbDXATVBc2auWXpkSOd+wLtJJXRoF6ahD/jsYKmIFdK4YgP8Nz4ogW
814 KGkvFcsNAqQ3J+Fgw/AT8kZOjUOUcw0izeLYTzSqGURlPvvcVpdOzEEohfel6SKJ
815 P2/sfwLnJZU6ATkByj4d/MD8GJJp2bejq7NMvKYZ7JPNkrGIemCthTqr4+fye5Xg
816 HrQ/W8/oD+lVY+2o85juJQAIVIN8bGu9crWAoMN3ANhv3Fbr/GE2XJBVvn74oSDf
817 U6VQY46AXUqJJ6BxHI7Sm7oNhBcv+WYK6djlPXvErN1XKVMoo/D46WOinySmLWeS
818 ffH4IU3RxigVxS4al5VdvRkwQoPqf3uEG7TY5ALN3VX9wTeMqefoWHogii+j8BdB
819 +1PZl44968VLQrU8AqyIDQN0apaWdbhNf28l6YIt+RwScQ4zra9aU1wpeCzYNBzF
820 9x5yr66h+Xsl8Adzzx6RARxYeMXMeR7kFhHMR66OBKp/yoStfXG6hAnm3ne5oLkj
821 tjpVxKrfA/NsBdxzE6kohmwuvIZ2q+GoZv0CqDcC/wqV7oO/2CgBvAhQDeqEC+Q7
822 BgD/009b6jB3rGt2Zl13eHokMSIs67bd9Q084JMm2EB+FEr1gSoixwMgenYLE0GP
823 yPA42xHW1zO+tM1QO+eh7Pzj8LnY4ik26De1VeafV5TQqCPsOIf2QT2j1Zbhr6Ze
824 iIbpmAu2ff8Ihu3hZ9IpoLcCHMSD1juqV/saH3sLqy0yoPmo0mxe2sBaNzoveKbQ
825 3NimRcmDDHRkNBz/vxSAQnbTmURr9CZwmnAOt6rQ3guLvtJO8ngNjOA73pZnfhDP
826 J5GV6HiYD4/AkkYxzenncdCeLWjsGXvKv/dxTvPQDMr8lYG2Lq1OliUrJ92glLIh
827 yTYcpmM5MBzus7i8dpiBN5w9BPKKmJ1/07S+ncscxkhMtBmC785iGnuPIRyrwGtP
828 8uFbUrBl5NnOQj4bBv0XjiD6lWeblv9lnUUFU9gMYrR+3F3VdM3yMPU6uq5DaYLo
829 YluXtmkSF71Vj906H05YP1oO65mHFHrtmQEMYHIbVdeWXtApUZP4jrwp5d2zQZYc
830 wJ65Yi0A1nT9TvKIjpWfzSzDG285c5SXfopjcWA4Fu3nwbM0bTSP2k517orT4vd9
831 J+hhKoKaB+iZUrRcL7RtgTnGSc0ahjrWXkOQ6flVTTatVKk9tdQnZpXE/Smws2xX
832 tzs+T8ljhAJBFkw3EW0+IA2iybuP/31K4zzaqG+Lo8mXm4S2IaDLCsfWsZKkCSNm
833 jIQ=
834 -----END ENCRYPTED PRIVATE KEY-----"
835 set certificate "-----BEGIN CERTIFICATE-----
836 MIIDyzCCArOgAwIBAgIITcelxqw3Kk4wDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNV
838 ETAPBgNVBAoMCEZvcnRpbmV0MRIwEAYDVQQLDAlGb3J0aUdhdGUxGTAXBgNVBAMM
839 EEZvcnRpR2F0ZSBTZXJ2ZXIxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAZm9ydGlu
840 ZXQuY29tMB4XDTE1MDcxNjA4MDUwM1oXDTI1MDcxNjA4MDUwM1owgZ0xCzAJBgNV
842 ETAPBgNVBAoMCEZvcnRpbmV0MRIwEAYDVQQLDAlGb3J0aUdhdGUxGTAXBgNVBAMM
843 EEZvcnRpR2F0ZSBTZXJ2ZXIxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAZm9ydGlu
844 ZXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2bZHK/7i/eim
845 APLk3YnbfmXPkd9GS7d/aUDMkU7rT2PFTHzxn3hS8eKW27SzL/o9xbkGv6PPIAtf
846 Taui7SEqE8QCCpVLgvCoU+qQ73Vurkal1TD1NC0p5IHIUFL2IRBKn4TMx27kal6k
847 lpkwaLv9hAijRG77y3EGnj91sRgsMBxVQ5+/J2syPvtCoUNqxkSB+cU9sVXyejRO
848 mhxykqhEg/ae/B0Pc33AxovHun853HqH6nnRE11L1XUsFnkBW6zRSf2XYaOZCye6
849 cB33ASFyyEe6sRsidY6TK0O4P/EC12/D++8i5QJaoAQl7ORCH1m4q+KmAf9hYth7
850 mpuzZLXTnwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAC
851 rQAnjT1nEO8976xni0AmjuZgVuvzAWm0jo8qdYf/1Tj7Sef7eWn2V2Df2e3jt9aY
852 5Ree/HLl+Ky7QCqn+m7vxTkgfymjbeFIBwdUKpSMjlNu0k1eaX8BPN342ingBF0q
853 fv3uPkkQSRiM84q1ylOPge/Dt6oFg1tTwgPSwOBozV8EX7SukFHEbRfzMdl5P46o
854 P3Bf/+H5NfJ/7Nq7lhz41DPtXUav6mctV0SuroF8mWo5rivbWNOVKyD5aQFjTpYb
855 QuegvAtXtSqmb7g4Cr1WIOi6RcBw4bHS2EM1CQOtIXuLfQNvhAn0uTw6Rp8P7v+E
856 rgRoICXCei5w2em3qNOS
857 -----END CERTIFICATE-----"
858 next
859 end
860 config user device-category
861 edit "ipad"
862 next
863 edit "iphone"
864 next
865 edit "gaming-console"
866 next
867 edit "blackberry-phone"
868 next
869 edit "blackberry-playbook"
870 next
871 edit "linux-pc"
872 next
873 edit "mac"
874 next
875 edit "windows-pc"
876 next
877 edit "android-phone"
878 next
879 edit "android-tablet"
880 next
881 edit "media-streaming"
882 next
883 edit "windows-phone"
884 next
885 edit "windows-tablet"
886 next
887 edit "fortinet-device"
888 next
889 edit "ip-phone"
889 edit "ip-phone"
890 next
891 edit "router-nat-device"
892 next
893 edit "printer"
894 next
895 edit "other-network-device"
896 next
897 edit "collected-emails"
898 next
899 edit "all"
900 next
901 end
902 config system session-sync
903 end
904 config system fortiguard
905 set webfilter-sdns-server-ip "208.91.112.220"
906 end
907 config ips global
908 set default-app-cat-mask 18446744073474670591
909 end
910 config ips dbinfo
911 set version 1
912 end
913 config log syslogd setting
915 set server "10.10.10.4"
916 end
917 config gui console
918 unset preferences
919 end
920 config system session-helper
921 edit 1
922 set name pptp
923 set protocol 6
924 set port 1723
925 next
926 edit 2
927 set name h323
928 set protocol 6
929 set port 1720
930 next
931 edit 3
932 set name ras
933 set protocol 17
934 set port 1719
935 next
936 edit 4
937 set name tns
938 set protocol 6
939 set port 1521
940 next
941 edit 5
942 set name tftp
943 set protocol 17
944 set port 69
945 next
946 edit 6
947 set name rtsp
948 set protocol 6
949 set port 554
950 next
951 edit 7
952 set name rtsp
953 set protocol 6
954 set port 7070
955 next
956 edit 8
957 set name rtsp
958 set protocol 6
959 set port 8554
960 next
961 edit 9
962 set name ftp
963 set protocol 6
964 set port 21
965 next
966 edit 10
966 edit 10
967 set name mms
968 set protocol 6
969 set port 1863
970 next
971 edit 11
972 set name pmap
973 set protocol 6
974 set port 111
975 next
976 edit 12
977 set name pmap
978 set protocol 17
979 set port 111
980 next
981 edit 13
982 set name sip
983 set protocol 17
984 set port 5060
985 next
986 edit 14
987 set name dns-udp
988 set protocol 17
989 set port 53
990 next
991 edit 15
992 set name rsh
993 set protocol 6
994 set port 514
995 next
996 edit 16
997 set name rsh
998 set protocol 6
999 set port 512
1000 next
1001 edit 17
1002 set name dcerpc
1003 set protocol 6
1004 set port 135
1005 next
1006 edit 18
1007 set name dcerpc
1008 set protocol 17
1009 set port 135
1010 next
1011 edit 19
1012 set name mgcp
1014 set port 2427
1015 next
1016 edit 20
1017 set name mgcp
1019 set port 2727
1020 next
1021 end
1022 config system auto-install
1023 set auto-install-config enable
1024 set auto-install-image enable
1025 end
1026 config system ntp
1027 set ntpsync enable
1028 set type custom
1029 set syncinterval 60
1030 config ntpserver
1031 edit 1
1032 set server "2.asia.pool.ntp.org"
1033 next
1034 end
1035 set server-mode enable
1036 set interface "DC-Admin" "CheckPoint-FW" "port10" "DC-Router" "port6" ↓
..."RTGS"
1037 end
1038 config system settings
1039 set v4-ecmp-mode source-dest-ip-based
1040 end
1041 config system replacemsg-group
1042 edit "web-filter-default"
1043 set comment "System Generated"
1043 set comment "System Generated"
1044 set group-type utm
1045 next
1046 end
1047 config firewall address
1048 edit "SSLVPN_TUNNEL_ADDR1"
1049 set uuid 571064a4-2b91-51e5-22de-08c7312be149
1050 set type iprange
1051 set start-ip 10.212.134.200
1052 set end-ip 10.212.134.210
1053 next
1054 edit "all"
1055 set uuid 5af86ec2-2b91-51e5-a20e-3033d1655df2
1056 next
1057 edit "apple"
1058 set uuid 5af8b620-2b91-51e5-20e9-a0366ca22658
1059 set type fqdn
1060 set fqdn "*.apple.com"
1061 next
1062 edit "dropbox.com"
1063 set uuid 5af8daec-2b91-51e5-4fea-3fabbbf644e0
1064 set type fqdn
1065 set fqdn "www.dropbox.com"
1066 next
1067 edit "Gotomeeting"
1068 set uuid 5af8ffcc-2b91-51e5-4d48-60e9a5d35716
1069 set type fqdn
1070 set fqdn "*.gotomeeting.com"
1071 next
1072 edit "icloud"
1073 set uuid 5af9243e-2b91-51e5-e536-4aa474842a12
1074 set type fqdn
1075 set fqdn "*.icloud.com"
1076 next
1077 edit "itunes"
1078 set uuid 5af948d8-2b91-51e5-63f2-4ac30895211e
1079 set type fqdn
1080 set fqdn "*itunes.apple.com"
1081 next
1082 edit "android"
1083 set uuid 5af96d36-2b91-51e5-d2e7-1f0def0b0da7
1084 set type fqdn
1085 set fqdn "*.android.com"
1086 next
1087 edit "skype"
1088 set uuid 5af99180-2b91-51e5-fda3-71961beed394
1089 set type fqdn
1090 set fqdn "*.messenger.live.com"
1091 next
1092 edit "swscan.apple.com"
1093 set uuid 5af9b5fc-2b91-51e5-bbbd-e69dfa11b772
1094 set type fqdn
1095 set fqdn "swscan.apple.com"
1096 next
1097 edit "update.microsoft.com"
1098 set uuid 5af9da78-2b91-51e5-4138-7eabd304c72c
1099 set type fqdn
1100 set fqdn "update.microsoft.com"
1101 next
1102 edit "appstore"
1103 set uuid 5af9fecc-2b91-51e5-707f-0aa389ff13be
1104 set type fqdn
1105 set fqdn "*.appstore.com"
1106 next
1107 edit "eease"
1108 set uuid 5afa2352-2b91-51e5-e50c-f1a29bff83e7
1109 set type fqdn
1110 set fqdn "*.eease.com"
1111 next
1112 edit "google-drive"
1113 set uuid 5afa480a-2b91-51e5-95d2-24e580f1fbbb
1114 set type fqdn
1115 set fqdn "*drive.google.com"
1116 next
1117 edit "google-play"
1118 set uuid 5afa6c5e-2b91-51e5-6b7b-62fc86f18543
1119 set type fqdn
1120 set fqdn "play.google.com"
1121 next
1121 next
1122 edit "google-play2"
1123 set uuid 5afa9116-2b91-51e5-cac3-94719c85ecc5
1124 set type fqdn
1125 set fqdn "*.ggpht.com"
1126 next
1127 edit "google-play3"
1128 set uuid 5afab5a6-2b91-51e5-f206-8c5e6198681b
1129 set type fqdn
1130 set fqdn "*.books.google.com"
1131 next
1132 edit "microsoft"
1133 set uuid 5afada5e-2b91-51e5-0d3a-647472065ee3
1134 set type fqdn
1135 set fqdn "*.microsoft.com"
1136 next
1137 edit "adobe"
1138 set uuid 5afafebc-2b91-51e5-9704-581f0bfa349e
1139 set type fqdn
1140 set fqdn "*.adobe.com"
1141 next
1142 edit "Adobe Login"
1143 set uuid 5afb22de-2b91-51e5-65ac-88764fb804a5
1144 set type fqdn
1145 set fqdn "*.adobelogin.com"
1146 next
1147 edit "fortinet"
1148 set uuid 5afb4746-2b91-51e5-b35b-461688b58c49
1149 set type fqdn
1150 set fqdn "*.fortinet.com"
1151 next
1152 edit "googleapis.com"
1153 set uuid 5afb6ba4-2b91-51e5-3598-290fdd12bd1f
1154 set type fqdn
1155 set fqdn "*.googleapis.com"
1156 next
1157 edit "citrix"
1158 set uuid 5afb9016-2b91-51e5-b6f0-629245abc887
1159 set type fqdn
1160 set fqdn "*.citrixonline.com"
1161 next
1162 edit "verisign"
1163 set uuid 5afbb4ba-2b91-51e5-c255-79c65ad0a1c1
1164 set type fqdn
1165 set fqdn "*.verisign.com"
1166 next
1167 edit "Windows update 2"
1168 set uuid 5afbd94a-2b91-51e5-f785-2633767bf938
1169 set type fqdn
1170 set fqdn "*.windowsupdate.com"
1171 next
1172 edit "*.live.com"
1173 set uuid 5afbfe20-2b91-51e5-e903-3c9ecce471d0
1174 set type fqdn
1175 set fqdn "*.live.com"
1176 next
1177 edit "auth.gfx.ms"
1178 set uuid 5afc2288-2b91-51e5-5871-41d294d0272a
1179 set type fqdn
1180 set fqdn "auth.gfx.ms"
1181 next
1182 edit "autoupdate.opera.com"
1183 set uuid 5afc4722-2b91-51e5-b0a7-8a335bd53062
1184 set type fqdn
1185 set fqdn "autoupdate.opera.com"
1186 next
1187 edit "softwareupdate.vmware.com"
1188 set uuid 5afc6bb2-2b91-51e5-0fe2-9e8c8edec788
1189 set type fqdn
1190 set fqdn "softwareupdate.vmware.com"
1191 next
1192 edit "firefox update server"
1193 set uuid 5afc90d8-2b91-51e5-b352-390363bb4277
1194 set type fqdn
1195 set fqdn "aus*.mozilla.org"
1196 next
1197 edit "MAHILA BRANCH RAMDASPETH BIRLA GATE"
1198 set uuid 571698ae-613a-51e5-ce19-7417f56c8da9
1200 set associated-interface "DC-Router"
1201 set start-ip 192.168.7.1
1202 set end-ip 192.168.7.4
1203 next
1204 edit "AKOT CITY BRANCH JAISTHAMBH CHOWK"
1205 set uuid a6ea7f26-613a-51e5-ab39-cc62d1b2e0f4
1208 set start-ip 192.168.34.1
1209 set end-ip 192.168.34.4
1210 next
1211 edit "NARSING MANDIR BRANCH AKOT NR NARSING MANDIR"
1212 set uuid d72ac290-613a-51e5-1fc5-e3e783da7e78
1215 set start-ip 192.168.35.1
1216 set end-ip 192.168.35.3
1217 next
1218 edit "TELHARA MAIN BRANCH NR BUS STAND TELHARA"
1219 set uuid 0eadc96a-613b-51e5-5017-e8b601013833
1222 set start-ip 192.168.43.1
1223 set end-ip 192.168.43.9
1224 next
1225 edit "TELHARA CITY BRANCH JUNA ATHAWADI BAZAR NR DESHMUKH WADA TE"
1226 set uuid 31791b8e-613b-51e5-d630-6193aa6d9c32
1229 set start-ip 192.168.44.1
1230 set end-ip 192.168.44.3
1231 next
1232 edit "CHOHATTA BAZAR BRANCH AKOT ROAD CHOHATTA BAZAR"
1233 set uuid 89d60544-613b-51e5-93f4-41bd73a6be17
1236 set start-ip 192.168.38.1
1237 set end-ip 192.168.38.5
1238 next
1239 edit "HIWARKHED BRANCH AT POST - HIWARKHED TQ- TELHARA"
1240 set uuid ba760582-613b-51e5-380a-fb04ab470aaa
1243 set start-ip 192.168.45.1
1244 set end-ip 192.168.45.6
1245 next
1246 edit "DANAPUR BRANCH AT - DANAPUR TQ-TELHARA DIST-AKOLA"
1247 set uuid e5d09d14-613b-51e5-b07d-753b2dd0617e
1250 set start-ip 192.168.46.1
1251 set end-ip 192.168.46.2
1252 next
1253 edit "AKOLKHED BRANCH AT - AKOLKHED TQ- AKOT"
1254 set uuid 1391ac52-613c-51e5-745f-53b2f32d54f8
1257 set start-ip 192.168.40.1
1258 set end-ip 192.168.40.2
1259 next
1260 edit "BORDI BRANCH AT - BORDI TQ- AKOT"
1261 set uuid 4c5e3e38-613c-51e5-4103-5874503ef60b
1264 set start-ip 192.168.110.1
1265 set end-ip 192.168.110.2
1266 next
1267 edit "ADGAON BRANCH AT - ADGAON BZ TQ- TELHARA DIST- AKOLA"
1268 set uuid 75b53c28-613c-51e5-806b-3b4c8753af06
1271 set start-ip 192.168.50.1
1272 set end-ip 192.168.50.3
1273 next
1274 edit "ADSUL BRANCH AT - ADSUL TQ- TELHARA DIST-AKOLA"
1275 set uuid 9c4897fe-613c-51e5-d3a3-344c311461ff
1278 set start-ip 192.168.49.1
1279 set end-ip 192.168.49.3
1280 next
1281 edit "PATHARDI BRANCH AT - PATHARDI TQ- TELHARA DIST-AKOLA"
1282 set uuid c5dd2e86-613c-51e5-be3b-186e9cd42aa0
1285 set start-ip 192.168.47.1
1286 set end-ip 192.168.47.2
1287 next
1288 edit "MUNDGAON BRANCH AT -MUNDGAON TQ- AKOT"
1289 set uuid ecf6d4ae-613c-51e5-e0ad-19e161f538f8
1292 set start-ip 192.168.42.1
1293 set end-ip 192.168.42.3
1294 next
1295 edit "WARUL JAULKA BRANCH AT - WARUD JAULKA TQ- AKOT"
1296 set uuid 1134fac6-613d-51e5-795e-44250024190e
1299 set start-ip 192.168.39.1
1300 set end-ip 192.168.39.2
1301 next
1302 edit "KUTASA BRANCH AT -KUTASA TQ- AKOLA"
1303 set uuid 3df62abc-613d-51e5-5e90-67d4c32aaf96
1306 set start-ip 192.168.41.1
1307 set end-ip 192.168.41.3
1308 next
1309 edit "SAWARA BRANCH AT- SAWARA TQ- AKOT DIST- AKOLA"
1310 set uuid 73e53140-613d-51e5-45c6-5acd7dd971cc
1313 set start-ip 192.168.36.1
1314 set end-ip 192.168.36.3
1315 next
1316 edit "RAUNDALA BRANCH AT - RAUNDALA TQ- AKOT"
1317 set uuid 9607c95e-613d-51e5-d6f4-3ff13dfbf210
1320 set start-ip 192.168.37.1
1321 set end-ip 192.168.37.3
1322 next
1323 edit "TUKARAM CHOWK BRANCH, Near Tukaram Hospital, At Sant Tukaram Ch"
1324 set uuid cc7ff48e-613d-51e5-3811-88ee2ceb0b67
1327 set start-ip 192.168.11.1
1328 set end-ip 192.168.11.4
1329 next
1330 edit "APP-1"
1331 set uuid 4b23c940-613f-51e5-1faf-7881c24c4b86
1332 set associated-interface "CheckPoint-FW"
1333 set subnet 172.21.22.1 255.255.255.255
1334 next
1335 edit "APP-2"
1336 set uuid 69c74cc8-613f-51e5-1b07-44e5fd2f0a7e
1338 set subnet 172.21.22.2 255.255.255.255
1339 next
1340 edit "APP-CLUSTER"
1341 set uuid 7a135e1e-613f-51e5-b84d-37a13c7d3307
1343 set subnet 172.21.22.3 255.255.255.255
1344 next
1345 edit "ATMInterface"
1346 set uuid a3b67b8e-613f-51e5-53bf-b6636568311f
1348 set subnet 172.21.25.1 255.255.255.255
1349 next
1350 edit "RtgsInterface"
1351 set uuid b2e06f02-613f-51e5-1b8a-e432402633c7
1353 set subnet 172.21.25.2 255.255.255.255
1354 next
1354 next
1355 edit "Antivirus-Server"
1356 set uuid cc2e7e72-613f-51e5-86a5-7e44fea5aa95
1358 set subnet 172.21.23.3 255.255.255.255
1359 next
1360 edit "BDC"
1361 set uuid dfaebf7a-613f-51e5-dd5d-b5922ba06b6a
1363 set subnet 172.21.23.2 255.255.255.255
1364 next
1365 edit "PDC"
1366 set uuid eb14046a-613f-51e5-1943-f4725e57f416
1368 set subnet 172.21.23.1 255.255.255.255
1369 next
1370 edit "DATABASE1"
1371 set uuid 01ffd776-6140-51e5-0074-d542f53c0cce
1373 set subnet 172.21.21.1 255.255.255.255
1374 next
1375 edit "DATABASE2"
1376 set uuid 0ee28114-6140-51e5-db3e-2cbd8eb4c65b
1378 set subnet 172.21.21.2 255.255.255.255
1379 next
1380 edit "SQL-CLUSTER"
1381 set uuid 1a47ff84-6140-51e5-81e1-d944e8a9999c
1383 set subnet 172.21.21.5 255.255.255.255
1384 next
1385 edit "Belkhed Branch Ta. Telhara"
1386 set uuid 6fdfef38-6140-51e5-dfc6-95cc251d550b
1389 set start-ip 192.168.48.1
1390 set end-ip 192.168.48.2
1391 next
1392 edit "Keshavnagar Branch Ta Risod Dist. Washim"
1393 set uuid 9776bc02-6140-51e5-d629-104134853368
1396 set start-ip 192.168.106.1
1397 set end-ip 192.168.106.2
1398 next
1399 edit "Kasola Branch Ta. Mangrulpir Dist. Washim"
1400 set uuid bcee3f6e-6140-51e5-645e-1dcedf905fdf
1403 set start-ip 192.168.109.1
1404 set end-ip 192.168.109.2
1405 next
1406 edit "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra"
1407 set uuid eeea25b4-6140-51e5-5aa4-8ad256522afd
1410 set start-ip 192.168.112.1
1411 set end-ip 192.168.112.2
1412 next
1413 edit "AKOT MAIN BRANCH HIWARKHED ROAD NR PETROL PUMP"
1414 set uuid 26c0eb1c-6141-51e5-d244-a345065a5e2d
1417 set start-ip 192.168.33.1
1418 set end-ip 192.168.33.13
1419 next
1420 edit "KAPAD BAZAR BRANCH RAYAT HAVELI JUNA KAPAD BAZAR"
1421 set uuid 49340620-6141-51e5-7f19-95480f1c04c9
1424 set start-ip 192.168.3.1
1425 set end-ip 192.168.3.8
1426 next
1427 edit "RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA RATANLAL"
1428 set uuid 7772271a-6141-51e5-c21c-415091e4e40d
1431 set start-ip 192.168.26.1
1432 set end-ip 192.168.26.4
1432 set end-ip 192.168.26.4
1433 next
1434 edit "DABKI ROAD BRANCH NR KHANDELWAL HIGH SCHOOL"
1435 set uuid ddd36226-6141-51e5-6dfb-91aeb3b0b6eb
1438 set start-ip 192.168.10.1
1439 set end-ip 192.168.10.4
1440 next
1441 edit "MARKET YARD BRANCH APMC MARKET"
1442 set uuid 010e373e-6142-51e5-b1f9-f37152c3e5ab
1445 set start-ip 192.168.2.1
1446 set end-ip 192.168.2.7
1447 next
1448 edit "WASHIM MAIN BRANCH NEAR ST STAND"
1449 set uuid 2762d174-6142-51e5-8dbe-b61847388e05
1452 set start-ip 192.168.88.1
1453 set end-ip 192.168.88.14
1454 next
1455 edit "KARANJA MAIN BRANCH BEHIND ST STAND NR TAHASILOFFICE KARANJ"
1456 set uuid 4c5e3054-6142-51e5-a47f-abe491af2df7
1459 set start-ip 192.168.70.1
1460 set end-ip 192.168.70.10
1461 next
1462 edit "MANGRULPIR MAIN BRANCH BIRBALNATH ROAD NR DR SARKAR CLINIC"
1463 set uuid 81670b18-6142-51e5-da5a-2e93f40e93df
1466 set start-ip 192.168.78.1
1467 set end-ip 192.168.78.10
1468 next
1469 edit "RISOD MAIN BRANCH NR BUS STAND"
1470 set uuid b7b6cce4-6142-51e5-d3cf-4c46c37d646d
1473 set start-ip 192.168.99.1
1474 set end-ip 192.168.99.10
1475 next
1476 edit "VIVARA BRANCH AT BABHULGAON TQ - PATUR DIST - AKOLA"
1477 set uuid da405820-6142-51e5-1a67-f5e32983d440
1480 set start-ip 192.168.61.1
1481 set end-ip 192.168.61.4
1482 next
1483 edit "KENWAD BRANCH AT - KENWAD TQ- RISOD DIST- WASHIM"
1484 set uuid feb29ed4-6142-51e5-f652-9be3f85fd6c1
1487 set start-ip 192.168.102.1
1488 set end-ip 192.168.102.3
1489 next
1490 edit "CHIKHALGAON BRANCH AT - CHIKHALGAON TQ- AKOLA"
1491 set uuid 1f766a42-6143-51e5-3384-16cf8f59a6fc
1494 set start-ip 192.168.17.1
1495 set end-ip 192.168.17.2
1496 next
1497 edit "KURANKHED BRANCH AT- KURANKHED TQ- AKOLA"
1498 set uuid 3bccbb88-6143-51e5-a274-a05844c867dc
1501 set start-ip 192.168.20.1
1502 set end-ip 192.168.20.3
1503 next
1504 edit "HARAL BRANCH AT - HARAL TQ- RISOD"
1505 set uuid 5f970348-6143-51e5-010c-4862c7a661b1
1508 set start-ip 192.168.104.1
1509 set end-ip 192.168.104.2
1510 next
1510 next
1511 edit "DAHIHANDA BRANCH AT - DAHIHANDA TQ- AKOLA"
1512 set uuid 81c2b8a4-6143-51e5-1c8b-3e18ce32cbff
1515 set start-ip 192.168.18.1
1516 set end-ip 192.168.18.3
1517 next
1518 edit "PARAS BRANCH AT- PARAS TQ- BALAPUR . DIST-AKOLA"
1519 set uuid a16687ee-6143-51e5-962c-acae664071b3
1522 set start-ip 192.168.55.1
1523 set end-ip 192.168.55.3
1524 next
1525 edit "PDKV BRANCH DR PDKV VIDYAPEETH CAMPUS"
1526 set uuid 6aa92f42-61b9-51e5-972e-647368b071db
1529 set start-ip 192.168.9.1
1530 set end-ip 192.168.9.5
1531 next
1532 edit "KARANJA CITY BRANCH BHAJI BAZAR GANDHI CHOWK KARANJA"
1533 set uuid 89c17f06-61b9-51e5-09b2-760ce35f7152
1536 set start-ip 192.168.71.1
1537 set end-ip 192.168.71.3
1538 next
1539 edit "WASHIM CITY BRANCH RAJANI CHOWK NR INDANI SCHOO"
1540 set uuid b08035ec-61b9-51e5-f6fa-a92ac561f7c6
1543 set start-ip 192.168.89.1
1544 set end-ip 192.168.89.5
1545 next
1546 edit "RANPISE NAGAR BRANCH SAUJANYA MARKET RANPISE NAGAR"
1547 set uuid d200006c-61b9-51e5-0292-e1e4ddb79e06
1550 set start-ip 192.168.24.1
1551 set end-ip 192.168.24.4
1552 next
1553 edit "Z P BRANCH NR COLLECTOR OFFICE"
1554 set uuid f4689740-61b9-51e5-93b4-1e677a57d694
1557 set start-ip 192.168.5.1
1558 set end-ip 192.168.5.14
1559 next
1560 edit "RAJESHWAR JAIHIND CHOWK BRANCH JAIHIND CHOWK OLD CITY"
1561 set uuid 1b575f3a-61ba-51e5-0c8c-cabd85d48de9
1564 set start-ip 192.168.4.1
1565 set end-ip 192.168.4.4
1566 next
1567 edit "PATUR NANDAPUR BRANCH AT - PATUR NANDAPUR TQ- AKOLA"
1568 set uuid 49f2d2b6-61ba-51e5-4a73-d87a7da7647d
1571 set start-ip 192.168.19.1
1572 set end-ip 192.168.19.2
1573 next
1574 edit "CHIKHALI BRANCH AT - CHIKHALI TQ- RISOD"
1575 set uuid 9ad0c396-61ba-51e5-9df7-69a9b6a79870
1578 set start-ip 192.168.108.1
1579 set end-ip 192.168.108.2
1580 next
1581 edit "DHANAJ BZ BRANCH AT - DHANAJ BZ TQ- KARANJA DIST-WASHIM"
1582 set uuid d0518320-61ba-51e5-bc06-c71bdeaa8da9
1585 set start-ip 192.168.74.1
1586 set end-ip 192.168.74.4
1587 next
1588 edit "DHABA BRANCH AT - DHABA TQ- BARSHITAKLI"
1589 set uuid 05f23c9a-61bb-51e5-fbe0-aaf5ea90f8db
1592 set start-ip 192.168.32.1
1593 set end-ip 192.168.32.2
1594 next
1595 edit "KANSHIVANI BRANCH AT - KANSHIVANI TQ- AKOLA"
1596 set uuid 26aefe46-61bb-51e5-f551-6f960e24d835
1599 set start-ip 192.168.15.1
1600 set end-ip 192.168.15.4
1601 next
1602 edit "KANHERI SARAP BRANCH AT - KANHERI SARAP TQ- BARSHITAKL"
1603 set uuid 4a795a10-61bb-51e5-d3fd-c2521fc3d023
1606 set start-ip 192.168.31.1
1607 set end-ip 192.168.31.3
1608 next
1609 edit "WANOJA BRANCH AT- WANOJA TQ- MANGRULPIR DIST- WASHIM"
1610 set uuid 6ae82d1c-61bb-51e5-703f-9ba3282a5246
1613 set start-ip 192.168.82.1
1614 set end-ip 192.168.82.2
1615 next
1616 edit "SHENDURJANA BRANCH AT - SHENDURJANA TQ- MANORA DIST- WASHIM"
1617 set uuid 987da662-61bb-51e5-b956-fc1ad4b0a708
1620 set start-ip 192.168.85.1
1621 set end-ip 192.168.85.4
1622 next
1623 edit "PARDI TAKMOR BRANCH AT - PARDI TAKMOR TQ - WASHIM"
1624 set uuid c7e4de8e-61bb-51e5-4299-4ac4970fe175
1627 set start-ip 192.168.92.1
1628 set end-ip 192.168.92.2
1629 next
1630 edit "MOHARI BRANCH AT - MOHARI TQ- MANGRULPIR DIST- WASHIM"
1631 set uuid e5271b1a-61bb-51e5-f391-399c6c3ad039
1634 set start-ip 192.168.80.1
1635 set end-ip 192.168.80.2
1636 next
1637 edit "TONDGAON BRANCH KEKATUMRA EXCHANGE DIST - WASHIM"
1638 set uuid 0ebd6916-61bc-51e5-d0e5-da590e34c9be
1641 set start-ip 192.168.91.1
1642 set end-ip 192.168.91.3
1643 next
1644 edit "MANGUL ZANAK BRANCH AT -MANGUL ZANAK TQ- RISOD"
1645 set uuid 33156f52-61bc-51e5-b087-9c8bd7662194
1648 set start-ip 192.168.103.1
1649 set end-ip 192.168.103.4
1650 next
1651 edit "PALSO BRANCH AT PALSO TQ DIST- AKOLA"
1652 set uuid 5b4c7902-61bc-51e5-7bcd-b929b3a9c34c
1655 set start-ip 192.168.13.1
1656 set end-ip 192.168.13.3
1657 next
1658 edit "MOP BRANCH AT - MOP TQ- RISOD"
1659 set uuid 7dd1bdc0-61bc-51e5-5baf-c999bbee5454
1662 set start-ip 192.168.105.1
1663 set end-ip 192.168.105.3
1664 next
1665 edit "SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA"
1665 edit "SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA"
1666 set uuid a2ca53d0-61bc-51e5-09a6-503782ed6bf2
1669 set start-ip 192.168.62.1
1670 set end-ip 192.168.62.2
1671 next
1672 edit "POHA BRANCH AT - POHA TQ- KARANJA DIST- WASHIM"
1673 set uuid ce95466e-61bc-51e5-9e94-53875c693bc2
1676 set start-ip 192.168.76.1
1677 set end-ip 192.168.76.2
1678 next
1679 edit "JAULKA RLY BRANCH AT -JAULKA RLY TQ- MALEGAON DIST- WASHIM"
1680 set uuid ee71ef82-61bc-51e5-0637-4e8ca0a09e46
1683 set start-ip 192.168.98.1
1684 set end-ip 192.168.98.2
1685 next
1686 edit "HATRUN BRANCH AT - HATRUN TQ- BALAPUR DIST- AKOLA"
1687 set uuid 04d2d586-61c0-51e5-2c13-64ec38d5e056
1690 set start-ip 192.168.56.1
1691 set end-ip 192.168.56.3
1692 next
1693 edit "UMBARDA BAZAR BRANCH AT - UMBARDA BAZAR TQ- KARANJA DIST- W"
1694 set uuid 1f6f280c-61c2-51e5-425c-a3495cae7533
1697 set start-ip 192.168.73.1
1698 set end-ip 192.168.73.3
1699 next
1700 edit "MANBHA BRANCH AT - MANBHA TQ- KARANJA DIST- WASHIM"
1701 set uuid 3e1bbbda-61c2-51e5-479e-f117fa02113f
1704 set start-ip 192.168.75.1
1705 set end-ip 192.168.75.2
1706 next
1707 edit "PANGRIKUTE BRANCH AT - PANGRIKUTE TQ- MALEGAON DIST- WASHIM"
1708 set uuid 5c446d46-61c2-51e5-62ca-b6d3035f9ec0
1711 set start-ip 192.168.97.1
1712 set end-ip 192.168.97.2
1713 next
1714 edit "KAJALESHWAR BRANCH AT - KAJALESHWAR TQ- KARANJA DIST- WASHI"
1715 set uuid 7ccaeb26-61c2-51e5-ff5a-282061f7bbd4
1718 set start-ip 192.168.77.1
1719 set end-ip 192.168.77.2
1720 next
1721 edit "POHARADEVI BRANCH AT - POHARADEVI TQ- MANORA DIST- WASHIM"
1722 set uuid a521236a-61c2-51e5-bbe3-5a9e9d7aa8aa
1725 set start-ip 192.168.86.1
1726 set end-ip 192.168.86.4
1727 next
1728 edit "NIMBA BRANCH AT - NIMBA TQ- BALAPUR DIST-AKOLA"
1729 set uuid c709f8ee-61c2-51e5-bba2-f09ae83f9de4
1732 set start-ip 192.168.54.1
1733 set end-ip 192.168.54.5
1734 next
1735 edit "DHANORA BRANCH AT - DHANORA TQ- MANGRULPIR DIST- WASHIM"
1736 set uuid f0c988e8-61c2-51e5-1572-6c10249cf333
1739 set start-ip 192.168.83.1
1740 set end-ip 192.168.83.4
1741 next
1742 edit "MHAISANG BRANCH AT POST - MHAISANG TQ- AKOLA"
1743 set uuid 0f5643f0-61c3-51e5-c654-0b2d53dc4dde
1743 set uuid 0f5643f0-61c3-51e5-c654-0b2d53dc4dde
1746 set start-ip 192.168.14.1
1747 set end-ip 192.168.14.3
1748 next
1749 edit "GANDHIGRAM BRANCH AT - GANDHIGRAM TQ- AKOLA"
1750 set uuid 2a48782c-61c3-51e5-ab7f-48a80684e191
1753 set start-ip 192.168.16.1
1754 set end-ip 192.168.16.3
1755 next
1756 edit "GOREGAON BRANCH AT- GOREGAON TQ- AKOLA"
1757 set uuid 4eaf2eea-61c3-51e5-025d-5e0c33b92240
1760 set start-ip 192.168.21.1
1761 set end-ip 192.168.21.2
1762 next
1763 edit "MEDSHI BRANCH AT - MEDSHI TQ- MALEGAON DIST- WASHIM"
1764 set uuid 7473ddce-61c3-51e5-23e6-44e47002972b
1767 set start-ip 192.168.96.1
1768 set end-ip 192.168.96.4
1769 next
1770 edit "AGAR BRANCH AT- AGAR TQ- AKOLA"
1771 set uuid 905bffa8-61c3-51e5-5f26-980cc0fe1ab8
1774 set start-ip 192.168.25.1
1775 set end-ip 192.168.25.2
1776 next
1777 edit "KINHIRAJA BRANCH AT -KINHIRAJA TQ- MALEGAON DIST- WASHIM"
1778 set uuid bb9dcd2c-61c3-51e5-bd01-e9864e43b3b2
1781 set start-ip 192.168.94.1
1782 set end-ip 192.168.94.4
1783 next
1784 edit "WAKAD BRANCH AT - WAKAD TQ- RISOD"
1785 set uuid f69272c0-61c3-51e5-9b84-381c9ba9f3ee
1788 set start-ip 192.168.107.1
1789 set end-ip 192.168.107.2
1790 next
1791 edit "SAKHARDOH BRANCH SHIVAJI CHOWK MANORA DIST- WASHIM"
1792 set uuid 1bde0f3a-61c4-51e5-0223-a4a0a3e3e6ee
1795 set start-ip 192.168.87.1
1796 set end-ip 192.168.87.4
1797 next
1798 edit "UMARI BRANCH AKOLA AT PATIL MARKET JATHARPETH AKOLA"
1799 set uuid 41ff1fa6-61c4-51e5-bd9c-18fc38bcfff9
1802 set start-ip 192.168.22.1
1803 set end-ip 192.168.22.4
1804 next
1805 edit "BORGAON MANJU BRANCH AT POST - BORGAON MANJU TQ- AKOLA"
1806 set uuid 6712c8ec-61c4-51e5-f2d2-0affb11b2cee
1809 set start-ip 192.168.12.1
1810 set end-ip 192.168.12.5
1811 next
1812 edit "BALAPUR BRANCH NR BUS STAND BALAPUR"
1813 set uuid 91ca6ad6-61c4-51e5-f463-bda39903a03a
1816 set start-ip 192.168.51.1
1817 set end-ip 192.168.51.8
1818 next
1819 edit "KURUM BRANCH AT - KURUM TQ- MURTIZAPUR"
1820 set uuid b4217e58-61c4-51e5-3300-82dd15c80153
1823 set start-ip 192.168.68.1
1824 set end-ip 192.168.68.4
1825 next
1826 edit "MALEGAON BRANCH NR NEW BUS STAND MALEGAON DIST- WASHIM"
1827 set uuid d5a6f21a-61c4-51e5-2a6c-f59189dfff68
1830 set start-ip 192.168.93.1
1831 set end-ip 192.168.93.8
1832 next
1833 edit "MURTIZAPUR CITY BRANCH AT TIDKE COMPLEX MANGALWAR BAZAR MUR"
1834 set uuid 1bb5b75a-61c5-51e5-8511-c89ab97386cc
1837 set start-ip 192.168.66.1
1838 set end-ip 192.168.66.5
1839 next
1840 edit "PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR"
1841 set uuid 3bb95778-61c5-51e5-5ffd-2749a2bbc0fa
1844 set start-ip 192.168.58.1
1845 set end-ip 192.168.58.9
1846 next
1847 edit "ALEGAON BRANCH AT - ALEGAON TQ- PATUR DIST-AKOLA"
1848 set uuid 58e17222-61c5-51e5-a923-7afe819f7832
1851 set start-ip 192.168.60.1
1852 set end-ip 192.168.60.5
1853 next
1854 edit "SHELUBAZAR BRANCH BHAJI BAZAR SHELU BAZAR TQ- MANGRULPIR"
1855 set uuid 79031d3a-61c5-51e5-9c73-ed1a2ccf1e77
1858 set start-ip 192.168.81.1
1859 set end-ip 192.168.81.6
1860 next
1861 edit "PINJAR BRANCH AT POST - PINJAR TQ- BARSHITAKLI"
1862 set uuid 99abf714-61c5-51e5-def5-9dad8881c5de
1865 set start-ip 192.168.29.1
1866 set end-ip 192.168.29.5
1867 next
1868 edit "RITHAD BRANCH AT POST- RITHAD TQ- RISDO DIST-WASHIM"
1869 set uuid c919e272-61c5-51e5-3fd2-35acb6eca234
1872 set start-ip 192.168.101.1
1873 set end-ip 192.168.101.4
1874 next
1875 edit "KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- WASHIM"
1876 set uuid ee43eb38-61c5-51e5-4964-a616f18c6321
1879 set start-ip 192.168.72.1
1880 set end-ip 192.168.72.5
1881 next
1882 edit "MURTIZAPUR MAIN BRANCH NR TAHSIL OFFICE MURTIZAPUR"
1883 set uuid 0d3f3d1c-61c6-51e5-c098-05c7d88fd348
1886 set start-ip 192.168.64.1
1887 set end-ip 192.168.64.10
1888 next
1889 edit "RISOD CITY BRANCH BAGADIYA COMPLEX NR SITLAMATA MANDIR RISOD"
1890 set uuid 27a3c768-61c6-51e5-f6da-86242811a4aa
1893 set start-ip 192.168.100.1
1894 set end-ip 192.168.100.2
1895 next
1896 edit "URAL BRANCH AT POST - URAL TQ- BALAPUR"
1897 set uuid 43c487e8-61c6-51e5-9ff8-9dc5250299bf
1900 set start-ip 192.168.52.1
1901 set end-ip 192.168.52.5
1902 next
1903 edit "MAHAN BRANCH VIVIDH KARYAKARI SAHAKARI SANSTHA MAHAN"
1904 set uuid 42c6a1d4-61dd-51e5-5fd9-98064ebfae7d
1907 set start-ip 192.168.30.1
1908 set end-ip 192.168.30.4
1909 next
1910 edit "BARSHITAKLI BRANCH AT POST TQ- BARSHITAKLI"
1911 set uuid 6474d77e-61dd-51e5-16ec-7a1f702e9c10
1914 set start-ip 192.168.28.1
1915 set end-ip 192.168.28.9
1916 next
1917 edit "ANSING BRANCH AT - ANSING TQ DIST- WASHIM"
1918 set uuid a51294b0-61dd-51e5-df1e-68a791942406
1921 set start-ip 192.168.90.1
1922 set end-ip 192.168.90.5
1923 next
1924 edit "MANA BRANCH GRAMPANCHAYAT MANA TQ- MURTIZAPUR"
1925 set uuid d67e24d8-61dd-51e5-a6d4-b033f02b3553
1928 set start-ip 192.168.67.1
1929 set end-ip 192.168.67.5
1930 next
1931 edit "MANGRULPIR CITY BRANCH NR BIRBALNATH MANDIR MANGRULPIR"
1932 set uuid 04f9062a-61de-51e5-6f4f-f6ae615b8edf
1935 set start-ip 192.168.79.1
1936 set end-ip 192.168.79.3
1937 next
1938 edit "CHANNI BRANCH AT POST - CHANNI TQ- PATUR DIST- AKOLA"
1939 set uuid 35e514f4-61de-51e5-55c2-069cf591f323
1942 set start-ip 192.168.59.1
1943 set end-ip 192.168.59.3
1944 next
1945 edit "SHIRPUR BRANCH AT- SHIRPUR TQ- MALEGAON"
1946 set uuid 593b85c8-61de-51e5-b1ac-8ffb39019956
1949 set start-ip 192.168.95.1
1950 set end-ip 192.168.95.5
1951 next
1952 edit "MURTIZAPUR MARKET YARD BRANCH APMC PREMISES MURTIZAPUR"
1953 set uuid 9aeb76ea-61de-51e5-b616-685ac2fc2918
1956 set start-ip 192.168.65.1
1957 set end-ip 192.168.65.6
1958 next
1959 edit "MANORA BRANCH AT POST TQ- MANORA DIST-WASHIM"
1960 set uuid c3d8c454-61de-51e5-438c-f4d2228c17c9
1963 set start-ip 192.168.84.1
1964 set end-ip 192.168.84.10
1965 next
1966 edit "KHADKI BRANCH AKOLA AT POST - KHADKI"
1967 set uuid e2484dec-61de-51e5-6a3d-1650840c1fb0
1970 set start-ip 192.168.23.1
1971 set end-ip 192.168.23.4
1972 next
1973 edit "WADEGAON BRANCH AT POST - WADEGAON TQ- BALAPUR"
1974 set uuid 01d845a4-61df-51e5-2b07-d63e96bf875c
1977 set start-ip 192.168.53.1
1978 set end-ip 192.168.53.6
1979 next
1980 edit "PATANI CHOWK BRANCH WASHIM PATANI CHOWK"
1981 set uuid 1ea531f6-61df-51e5-6de2-76fc7807e58f
1984 set start-ip 192.168.111.1
1985 set end-ip 192.168.111.4
1986 next
1987 edit "VYALA BRANCH AT - VYALA TQ- BALAPUR"
1988 set uuid 46fe2b06-61e1-51e5-56b5-b05a31fdc927
1991 set start-ip 192.168.57.1
1992 set end-ip 192.168.57.3
1993 next
1994 edit "DR KORPE NAGAR BRANCH KORPE NAGAR NR ADARSH COLONY"
1995 set uuid 37a1ead8-61e3-51e5-70ea-3a2f8ade5447
1998 set start-ip 192.168.8.1
1999 set end-ip 192.168.8.4
2000 next
2001 edit "Civil-Lines Branch"
2002 set uuid bc2e32b6-61e3-51e5-4f61-ecfe2730423c
2004 set associated-interface "HO-USERS"
2005 set start-ip 192.168.6.11
2006 set end-ip 192.168.6.23
2007 next
2008 edit "ATM-CIVIL-LINES"
2009 set uuid 1d87323c-61e5-51e5-691d-f9882b3619d8
2011 set subnet 192.168.6.101 255.255.255.255
2012 next
2013 edit "ATM-KAPAD-BAZAR"
2014 set uuid b432eafa-61e5-51e5-9259-ece1b15a8417
2016 set subnet 192.168.3.101 255.255.255.255
2017 next
2018 edit "ATM-ZP"
2019 set uuid ccac786c-61e5-51e5-6474-de981cd587cc
2021 set subnet 192.168.5.101 255.255.255.255
2022 next
2023 edit "ATM-DR KORPENAGAR"
2024 set uuid f39ce95c-61e5-51e5-4289-f2ee4cbca3af
2026 set subnet 192.168.8.101 255.255.255.255
2027 next
2028 edit "ATM-DABKIRD"
2029 set uuid df7da134-61e8-51e5-e871-e6ff9e20c0d3
2031 set subnet 192.168.10.101 255.255.255.255
2032 next
2033 edit "ATM-BORGAOM"
2034 set uuid 04e5e756-61e9-51e5-dd90-be324f39d80b
2036 set subnet 192.168.12.101 255.255.255.255
2037 next
2038 edit "ATM-KHADKI"
2039 set uuid 34154846-61e9-51e5-3594-ade65fee008c
2041 set subnet 192.168.23.101 255.255.255.255
2042 next
2043 edit "ATM-RANPISE"
2044 set uuid 563ddd16-61e9-51e5-2efb-850141b9902c
2046 set subnet 192.168.24.101 255.255.255.255
2047 next
2048 edit "ATM-BARSHITAKLI"
2049 set uuid 766e780c-61e9-51e5-1d37-4ab4a1871c0b
2051 set subnet 192.168.28.101 255.255.255.255
2052 next
2053 edit "ATM-PINJAR"
2054 set uuid 8d4ad732-61e9-51e5-66ac-9f3e5fe120bc
2054 set uuid 8d4ad732-61e9-51e5-66ac-9f3e5fe120bc
2056 set subnet 192.168.29.101 255.255.255.255
2057 next
2058 edit "ATM-AKOT-MAIN"
2059 set uuid a2d64b22-61e9-51e5-c4e3-1b091533114b
2061 set subnet 192.168.33.101 255.255.255.255
2062 next
2063 edit "ATM-AKOT-CITI"
2064 set uuid b838844e-61e9-51e5-b336-9720d52e1ed8
2066 set subnet 192.168.34.101 255.255.255.255
2067 next
2068 edit "ATM-CHOHOTTA"
2069 set uuid d5fd4eec-61e9-51e5-482f-45bd8ef799c7
2071 set subnet 192.168.38.101 255.255.255.255
2072 next
2073 edit "ATM-TELHARA"
2074 set uuid eebfface-61e9-51e5-29b7-d3164b13dad3
2076 set subnet 192.168.43.101 255.255.255.255
2077 next
2078 edit "ATM-BALAPUR"
2079 set uuid 0d163a38-61ea-51e5-2c42-d3c1a5933559
2081 set subnet 192.168.51.101 255.255.255.255
2082 next
2083 edit "ATM-URAL"
2084 set uuid 22bc7f6e-61ea-51e5-d933-c2bc771ac881
2086 set subnet 192.168.52.101 255.255.255.255
2087 next
2088 edit "ATM-WADEGAON"
2089 set uuid 459e86a8-61ea-51e5-569a-eb0132a1f81e
2091 set subnet 192.168.53.101 255.255.255.255
2092 next
2093 edit "ATM-PATUR"
2094 set uuid 5ddcdc9c-61ea-51e5-43c7-cf718816ac9c
2096 set subnet 192.168.58.101 255.255.255.255
2097 next
2098 edit "ATM-ALEGAON"
2099 set uuid 74ce1c18-61ea-51e5-56e6-a846b8cea128
2101 set subnet 192.168.60.101 255.255.255.255
2102 next
2103 edit "ATM-MURTIZAPUR-MAIN"
2104 set uuid f4983374-61eb-51e5-36ec-45559c8cfd5f
2106 set subnet 192.168.64.101 255.255.255.255
2107 next
2108 edit "ATM-MANA"
2109 set uuid 2bf67cf4-61ec-51e5-317c-177c9a59ca60
2111 set subnet 192.168.67.101 255.255.255.255
2112 next
2113 edit "ATM-KURUM"
2114 set uuid 3d47e89e-61ec-51e5-6f46-e7dac71d959e
2116 set subnet 192.168.68.101 255.255.255.255
2117 next
2118 edit "ATM-KARANJA-MAIN"
2119 set uuid 5c567ab6-61ec-51e5-b407-9b8f9f581fca
2121 set subnet 192.168.70.101 255.255.255.255
2122 next
2123 edit "ATM-KARANJA-CITI"
2124 set uuid 7497faf0-61ec-51e5-065b-d80dcf1d7fa9
2126 set subnet 192.168.71.101 255.255.255.255
2127 next
2128 edit "ATM-KAMARGAON"
2129 set uuid 92a2a842-61ec-51e5-72a3-c3d1ba04fac0
2131 set subnet 192.168.72.101 255.255.255.255
2132 next
2132 next
2133 edit "ATM-MANGRULPIR-MAIN"
2134 set uuid bec562d4-61ec-51e5-cedf-22e67a9da85e
2136 set subnet 192.168.78.101 255.255.255.255
2137 next
2138 edit "ATM-SHELUBAZAR"
2139 set uuid d193075e-61ec-51e5-ba1e-d718798aa9a6
2141 set subnet 192.168.81.101 255.255.255.255
2142 next
2143 edit "ATM-MANORA"
2144 set uuid e62d86ee-61ec-51e5-706d-4d7a149c2d7f
2146 set subnet 192.168.84.101 255.255.255.255
2147 next
2148 edit "ATM-SHENDURJANA"
2149 set uuid 00f1ff1e-61ed-51e5-ccc7-bf3994ccae92
2151 set subnet 192.168.85.101 255.255.255.255
2152 next
2153 edit "ATM-WASHIM-MAIN"
2154 set uuid 27ae9aae-61ed-51e5-2f5f-9289205e77c8
2156 set subnet 192.168.88.101 255.255.255.255
2157 next
2158 edit "ATM-ANSING"
2159 set uuid 537f4836-61ed-51e5-a752-8b36ebea52a3
2161 set subnet 192.168.90.101 255.255.255.255
2162 next
2163 edit "ATM-MALEGAON"
2164 set uuid 7071b140-61ed-51e5-1382-0c96689996c9
2166 set subnet 192.168.93.101 255.255.255.255
2167 next
2168 edit "ATM-SHIRPUR"
2169 set uuid 86d6f8c8-61ed-51e5-986d-fa8e51b89e52
2171 set subnet 192.168.95.101 255.255.255.255
2172 next
2173 edit "ATM-JAULKA"
2174 set uuid 9e21a4f6-61ed-51e5-eeb7-e4d89546f29b
2176 set subnet 192.168.98.101 255.255.255.255
2177 next
2178 edit "ATM-RISOD-MAIN"
2179 set uuid b5bc8f22-61ed-51e5-2498-0f5ee3d41427
2181 set subnet 192.168.99.101 255.255.255.255
2182 next
2183 edit "ATM-KENWAD"
2184 set uuid c8b1ef46-61ed-51e5-c3c1-7ad6ad8ab694
2186 set subnet 192.168.102.101 255.255.255.255
2187 next
2188 edit "ATM-PATNI-CH"
2189 set uuid deba8050-61ed-51e5-5814-b0ace142bc89
2191 set subnet 192.168.111.101 255.255.255.255
2192 next
2193 edit "ATM-ZP-WASHIM"
2194 set uuid fa5da274-61ed-51e5-1583-85b0bdf4512b
2196 set subnet 192.168.113.101 255.255.255.255
2197 next
2198 edit "DC-ADMIN-USERS"
2199 set uuid 806435ee-673f-51e5-0c4d-9ade203567a2
2201 set associated-interface "DC-Admin"
2202 set start-ip 172.21.28.15
2203 set end-ip 172.21.28.20
2204 next
2205 edit "HO-USERS"
2206 set uuid c7ed6e5c-6740-51e5-b8e7-4836a5781ab4
2209 set start-ip 192.168.6.23
2210 set end-ip 192.168.6.125
2210 set end-ip 192.168.6.125
2211 next
2212 edit "OLD-PDC"
2213 set uuid 3d44b8c2-676e-51e5-fc38-8dbf3542dc72
2215 set subnet 192.168.1.2 255.255.255.255
2216 next
2217 edit "OLD-BDC"
2218 set uuid 4ecc03a2-676e-51e5-c785-343b04623416
2220 set subnet 192.168.1.4 255.255.255.255
2221 next
2222 edit "Euronet-Switch"
2223 set uuid 8d7b98c4-6773-51e5-a592-712d413d11bb
2224 set associated-interface "ATM"
2225 set subnet 10.13.15.65 255.255.255.255
2226 next
2227 edit "Router2"
2228 set uuid e7471ef2-6820-51e5-fce3-c4841a4526e6
2230 set subnet 192.168.2.100 255.255.255.255
2231 next
2232 edit "Router3"
2233 set uuid 027c13da-6821-51e5-ea0a-d3c81ba928ff
2235 set subnet 192.168.3.100 255.255.255.255
2236 next
2237 edit "Router4"
2238 set uuid 1c8ac0d2-6821-51e5-f8e2-df651f0a063d
2240 set subnet 192.168.4.100 255.255.255.255
2241 next
2242 edit "Router5"
2243 set uuid 982b2ec0-6821-51e5-0831-a1c2427aafb7
2245 set subnet 192.168.5.100 255.255.255.255
2246 next
2247 edit "Router7"
2248 set uuid d0cdbd38-6821-51e5-72be-d92f9fca5717
2250 set subnet 192.168.7.100 255.255.255.255
2251 next
2252 edit "Router8"
2253 set uuid debc02d8-6821-51e5-d6f5-798dbaf4e606
2255 set subnet 192.168.8.100 255.255.255.255
2256 next
2257 edit "Router9"
2258 set uuid ef609fcc-6821-51e5-cc38-f6ae80f36140
2260 set subnet 192.168.9.100 255.255.255.255
2261 next
2262 edit "Router10"
2263 set uuid fecac898-6821-51e5-8ef4-c617c97934c5
2265 set subnet 192.168.10.100 255.255.255.255
2266 next
2268 set uuid 136b5b00-6822-51e5-e6a1-2761cefc2450
2270 set subnet 192.168.11.100 255.255.255.255
2271 next
2273 set uuid 4830205a-6822-51e5-dc70-f6641828248e
2275 set subnet 192.168.12.100 255.255.255.255
2276 next
2278 set uuid 606ece00-6822-51e5-b041-7f8ee684ae08
2280 set subnet 192.168.14.100 255.255.255.255
2281 next
2283 set uuid 70fd9a4e-6822-51e5-35df-95f6185ae2db
2285 set subnet 192.168.15.100 255.255.255.255
2286 next
2288 set uuid 82fe8848-6822-51e5-734d-75ca6ec56477
2290 set subnet 192.168.16.100 255.255.255.255
2291 next
2293 set uuid 98baaa5e-6822-51e5-9fe0-e4cf4e840401
2295 set subnet 192.168.17.100 255.255.255.255
2296 next
2298 set uuid a7ace63a-6822-51e5-2133-3fb6f215f0a9
2300 set subnet 192.168.18.100 255.255.255.255
2301 next
2303 set uuid bef1e0d4-6822-51e5-6d6a-9fd9f4b99367
2305 set subnet 192.168.19.100 255.255.255.255
2306 next
2308 set uuid d9087f32-6822-51e5-3da4-366993cae002
2310 set subnet 192.168.20.100 255.255.255.255
2311 next
2313 set uuid ec48a4fa-6822-51e5-659a-eb858d348998
2315 set subnet 192.168.21.100 255.255.255.255
2316 next
2318 set uuid ffed56b8-6822-51e5-7942-d357bd9d8c90
2320 set subnet 192.168.22.100 255.255.255.255
2321 next
2323 set uuid 0e6045fc-6823-51e5-a683-a5736bc3d23d
2325 set subnet 192.168.23.100 255.255.255.255
2326 next
2328 set uuid 1a9b15b8-6823-51e5-f9fd-080edf98e640
2330 set subnet 192.168.24.100 255.255.255.255
2331 next
2333 set uuid 2836372a-6823-51e5-c5e0-8bbae1670d32
2335 set subnet 192.168.25.100 255.255.255.255
2336 next
2338 set uuid 61239fbe-6828-51e5-de0c-df90d00f390a
2340 set subnet 192.168.13.100 255.255.255.255
2341 next
2342 edit "Network-Admin"
2343 set uuid 0d2486e8-6829-51e5-cc96-ef042c4a5862
2345 set subnet 172.21.28.21 255.255.255.255
2346 next
2348 set uuid b66f7bea-682e-51e5-c3b3-b2f7a66fb387
2350 set subnet 192.168.26.100 255.255.255.255
2351 next
2353 set uuid c5f4f702-682e-51e5-6988-57165c311376
2355 set subnet 192.168.28.100 255.255.255.255
2356 next
2358 set uuid d4bb91d8-682e-51e5-4ba4-608a056ae9f4
2360 set subnet 192.168.29.100 255.255.255.255
2361 next
2363 set uuid e54a417a-682e-51e5-4495-c6cd52e43c98
2365 set subnet 192.168.30.100 255.255.255.255
2365 set subnet 192.168.30.100 255.255.255.255
2366 next
2368 set uuid f8087eda-682e-51e5-3fb4-36e622825ccc
2370 set subnet 192.168.31.100 255.255.255.255
2371 next
2373 set uuid 06065854-682f-51e5-ce44-9ac79bc4c9b3
2375 set subnet 192.168.32.100 255.255.255.255
2376 next
2378 set uuid 13ee8112-682f-51e5-e410-259b29469470
2380 set subnet 192.168.33.100 255.255.255.255
2381 next
2383 set uuid 24264c9a-682f-51e5-958f-b3f6306d013f
2385 set subnet 192.168.34.100 255.255.255.255
2386 next
2388 set uuid 31f93ae4-682f-51e5-fae6-7e2f53e304c4
2390 set subnet 192.168.35.100 255.255.255.255
2391 next
2393 set uuid 3fe5a3fe-682f-51e5-80fe-650490a4f9b3
2395 set subnet 192.168.36.100 255.255.255.255
2396 next
2398 set uuid 508854ae-682f-51e5-4577-28bc5d36edd2
2400 set subnet 192.168.37.100 255.255.255.255
2401 next
2403 set uuid 5de3421c-682f-51e5-7559-42ce2d49584e
2405 set subnet 192.168.38.100 255.255.255.255
2406 next
2408 set uuid 6f8eb2da-682f-51e5-7871-9281a2effc27
2410 set subnet 192.168.39.100 255.255.255.255
2411 next
2413 set uuid 7de1497e-682f-51e5-798a-8dad721f4517
2415 set subnet 192.168.40.100 255.255.255.255
2416 next
2418 set uuid 62ed182e-6833-51e5-f55c-2c000371fb21
2420 set subnet 192.168.41.100 255.255.255.255
2421 next
2423 set uuid 871fac5c-6833-51e5-cd8e-c90f2f9cd310
2425 set subnet 192.168.42.100 255.255.255.255
2426 next
2428 set uuid 985e51ee-6833-51e5-9941-9de9fc7b37cb
2430 set subnet 192.168.43.100 255.255.255.255
2431 next
2433 set uuid a99e477a-6833-51e5-26dc-5f73e535f6b6
2435 set subnet 192.168.44.100 255.255.255.255
2436 next
2438 set uuid b913fcae-6833-51e5-7761-d507847e5513
2440 set subnet 192.168.45.100 255.255.255.255
2441 next
2443 set uuid c6e39650-6833-51e5-0ba9-a8ffe9853fae
2443 set uuid c6e39650-6833-51e5-0ba9-a8ffe9853fae
2445 set subnet 192.168.46.100 255.255.255.255
2446 next
2448 set uuid d55c8052-6833-51e5-c80e-95b1d83659fe
2450 set subnet 192.168.47.100 255.255.255.255
2451 next
2453 set uuid e3c4a3f4-6833-51e5-19b0-3e8c430ec3c3
2455 set subnet 192.168.48.100 255.255.255.255
2456 next
2458 set uuid f213fc48-6833-51e5-bd67-0a066906e842
2460 set subnet 192.168.49.100 255.255.255.255
2461 next
2463 set uuid 03fe8afe-6834-51e5-8e39-d6768767304e
2465 set subnet 192.168.50.100 255.255.255.255
2466 next
2468 set uuid 7b74472a-6836-51e5-2be2-3864ac5dccb8
2470 set subnet 192.168.51.100 255.255.255.255
2471 next
2473 set uuid 8c5f1574-6836-51e5-b583-f1df721e1887
2475 set subnet 192.168.53.100 255.255.255.255
2476 next
2478 set uuid 7b148e92-6837-51e5-1060-9391765c0a3f
2480 set subnet 192.168.54.100 255.255.255.255
2481 next
2483 set uuid 8a11108c-6837-51e5-040b-f957e4f1ae06
2485 set subnet 192.168.55.100 255.255.255.255
2486 next
2488 set uuid 9a30db32-6837-51e5-42b2-267e4880b261
2490 set subnet 192.168.56.100 255.255.255.255
2491 next
2493 set uuid a96cdc40-6837-51e5-b5b5-0a5db9adb73e
2495 set subnet 192.168.57.100 255.255.255.255
2496 next
2498 set uuid 0343f6e0-6838-51e5-bc52-85fd2dac8150
2500 set subnet 192.168.58.100 255.255.255.255
2501 next
2503 set uuid 142eaa68-6838-51e5-f7b7-f91ba660b6e1
2505 set subnet 192.168.59.100 255.255.255.255
2506 next
2508 set uuid 2621677e-6838-51e5-dff0-0cf59c0bb554
2510 set subnet 192.168.60.100 255.255.255.255
2511 next
2513 set uuid 52a61466-6838-51e5-da09-250be97527ed
2515 set subnet 192.168.61.100 255.255.255.255
2516 next
2518 set uuid b7e6634e-6838-51e5-b895-dcb72f799a10
2520 set subnet 192.168.62.100 255.255.255.255
2521 next
2521 next
2523 set uuid f11f063e-6838-51e5-ffac-648703081d38
2525 set subnet 192.168.64.100 255.255.255.255
2526 next
2528 set uuid 11950a4e-6839-51e5-b2fe-479d506a2b7a
2530 set subnet 192.168.65.100 255.255.255.255
2531 next
2533 set uuid 20b6fd48-6839-51e5-6a16-2d9b065eba74
2535 set subnet 192.168.66.100 255.255.255.255
2536 next
2538 set uuid 32d69fd8-6839-51e5-3166-9e62df49e4dd
2540 set subnet 192.168.67.100 255.255.255.255
2541 next
2543 set uuid 3eb9c154-6839-51e5-91c1-3d6d9f9f76e2
2545 set subnet 192.168.68.100 255.255.255.255
2546 next
2548 set uuid 4d9ed60a-6839-51e5-490c-398cd1a226e2
2550 set subnet 192.168.70.100 255.255.255.255
2551 next
2553 set uuid 573bbe12-6839-51e5-4d36-640ffc53b9dd
2555 set subnet 192.168.71.100 255.255.255.255
2556 next
2558 set uuid 64062e98-6839-51e5-e092-e3dcd8809211
2560 set subnet 192.168.72.100 255.255.255.255
2561 next
2563 set uuid 7426f7d0-6839-51e5-496d-d47573e2c4a4
2565 set subnet 192.168.73.100 255.255.255.255
2566 next
2568 set uuid 7d4bed3e-6839-51e5-706e-54498f5c150d
2570 set subnet 192.168.74.100 255.255.255.255
2571 next
2573 set uuid 962af62e-6839-51e5-57c3-bec8a13e2260
2575 set subnet 192.168.75.100 255.255.255.255
2576 next
2578 set uuid a406e8a2-6839-51e5-60db-e5b83593864d
2580 set subnet 192.168.76.100 255.255.255.255
2581 next
2583 set uuid d690d850-6839-51e5-2e07-3b7124e301cb
2585 set subnet 192.168.77.100 255.255.255.255
2586 next
2588 set uuid f106cadc-6839-51e5-4ca8-ae1e81c7d5db
2590 set subnet 192.168.78.100 255.255.255.255
2591 next
2593 set uuid fe4c1f08-6839-51e5-e6c6-4abdce036122
2595 set subnet 192.168.79.100 255.255.255.255
2596 next
2598 set uuid 18b8b3a6-683a-51e5-9750-0cb4e17f5164
2598 set uuid 18b8b3a6-683a-51e5-9750-0cb4e17f5164
2600 set subnet 192.168.80.100 255.255.255.255
2601 next
2603 set uuid 2d22a0ea-683a-51e5-ccd8-2656e94e7b89
2605 set subnet 192.168.81.100 255.255.255.255
2606 next
2608 set uuid 4112a32a-683a-51e5-c0c8-e2affa3db1b3
2610 set subnet 192.168.82.100 255.255.255.255
2611 next
2613 set uuid 518a4596-683a-51e5-dda8-df2901e42b62
2615 set subnet 192.168.83.100 255.255.255.255
2616 next
2618 set uuid 620676a6-683a-51e5-c166-745e5cfe016e
2620 set subnet 192.168.84.100 255.255.255.255
2621 next
2623 set uuid 7561023e-683a-51e5-6ea2-5de2f549083d
2625 set subnet 192.168.85.100 255.255.255.255
2626 next
2628 set uuid 8b6a6836-683a-51e5-a591-12a15e733fa0
2630 set subnet 192.168.86.100 255.255.255.255
2631 next
2633 set uuid 961beba6-683a-51e5-a25f-6dce35c97f54
2635 set subnet 192.168.87.100 255.255.255.255
2636 next
2638 set uuid b2920a72-683a-51e5-8e8f-2eb8616c46df
2640 set subnet 192.168.88.100 255.255.255.255
2641 next
2643 set uuid bdb3f852-683a-51e5-e913-6478e6f5b738
2645 set subnet 192.168.89.100 255.255.255.255
2646 next
2648 set uuid d8f188be-683a-51e5-d31d-85b170374f2a
2650 set subnet 192.168.90.100 255.255.255.255
2651 next
2653 set uuid eab4e2b2-683a-51e5-a23e-4818fc449fe9
2655 set subnet 192.168.91.100 255.255.255.255
2656 next
2658 set uuid 00c68ccc-683b-51e5-e4cc-423eb8d4a427
2660 set subnet 192.168.92.100 255.255.255.255
2661 next
2663 set uuid 11243b82-683b-51e5-bd8b-a80e3e5beb44
2665 set subnet 192.168.93.100 255.255.255.255
2666 next
2668 set uuid 1f515adc-683b-51e5-674c-17cb2845d878
2670 set subnet 192.168.94.100 255.255.255.255
2671 next
2673 set uuid 3ca19f52-683b-51e5-c50f-e71c0693ae00
2675 set subnet 192.168.95.100 255.255.255.255
2676 next
2676 next
2678 set uuid 469560c0-683b-51e5-199e-26a60a173b0f
2680 set subnet 192.168.96.100 255.255.255.255
2681 next
2683 set uuid 5562e802-683b-51e5-552b-b086639e62dc
2685 set subnet 192.168.97.100 255.255.255.255
2686 next
2688 set uuid 6cd886ea-683b-51e5-c0be-c56fe867950d
2690 set subnet 192.168.98.100 255.255.255.255
2691 next
2693 set uuid 788ddf26-683b-51e5-bc28-e81e4671e45c
2695 set subnet 192.168.99.100 255.255.255.255
2696 next
2698 set uuid 93487ccc-683b-51e5-370d-78d9b4f747b3
2700 set subnet 192.168.100.100 255.255.255.255
2701 next
2703 set uuid 9e9e1c58-683b-51e5-6bcc-2b681faa63f7
2705 set subnet 192.168.101.100 255.255.255.255
2706 next
2708 set uuid a9fcc0e0-683b-51e5-bd91-49caf4bc02d5
2710 set subnet 192.168.102.100 255.255.255.255
2711 next
2713 set uuid b911f55a-683b-51e5-5e3d-a92b8e420474
2715 set subnet 192.168.103.100 255.255.255.255
2716 next
2718 set uuid c4054656-683b-51e5-cb25-79f4aba78457
2720 set subnet 192.168.104.100 255.255.255.255
2721 next
2723 set uuid d02674a0-683b-51e5-e927-d718365e67a2
2725 set subnet 192.168.105.100 255.255.255.255
2726 next
2728 set uuid dbae248a-683b-51e5-1391-86540148bd23
2730 set subnet 192.168.106.100 255.255.255.255
2731 next
2733 set uuid e5a18626-683b-51e5-1552-60334dd37c9e
2735 set subnet 192.168.107.100 255.255.255.255
2736 next
2738 set uuid ff547da8-683b-51e5-3a2f-7e9f924b24c1
2740 set subnet 192.168.108.100 255.255.255.255
2741 next
2743 set uuid 0a9c6298-683c-51e5-e49f-8b333ca09ff5
2745 set subnet 192.168.109.100 255.255.255.255
2746 next
2748 set uuid 2c247cd4-683c-51e5-f434-63ab3c815df1
2750 set subnet 192.168.111.100 255.255.255.255
2751 next
2753 set uuid 3a1dc26e-683c-51e5-4c12-9706d9a503cf
2755 set subnet 192.168.112.100 255.255.255.255
2756 next
2758 set uuid 45d07d72-683c-51e5-e505-f12d5a123df0
2760 set subnet 192.168.113.100 255.255.255.255
2761 next
2763 set uuid 50680a02-683c-51e5-3e4b-7cf9b60e715d
2765 set subnet 192.168.114.100 255.255.255.255
2766 next
2767 edit "HO-ROUTER"
2768 set uuid 69f1c13e-6990-51e5-5737-9a95cb16a510
2770 set subnet 192.168.1.100 255.255.255.255
2771 next
2772 edit "RTGS-CLIENT1"
2773 set uuid 0bd7003a-69bf-51e5-3757-320aa1e9140a
2775 set subnet 172.21.28.11 255.255.255.255
2776 next
2777 edit "SFMS-PRIMARY"
2778 set uuid 91c0d5ee-69c0-51e5-0eec-3ad06a3065ae
2779 set associated-interface "RTGS"
2780 set subnet 172.30.0.18 255.255.255.255
2781 next
2782 edit "SFMS-BACKUP"
2783 set uuid b79692cc-69c0-51e5-8dfc-641339215883
2785 set subnet 172.30.0.20 255.255.255.255
2786 next
2787 edit "SD-Agent-Euronet"
2788 set uuid 0ec94776-6b3b-51e5-ce8b-58a971eca4ab
2790 set subnet 10.13.135.39 255.255.255.255
2791 next
2792 edit "Euro-SFTP"
2793 set uuid d4e3c8d2-6b3b-51e5-568c-7b87ed68fa90
2795 set subnet 202.138.123.73 255.255.255.255
2796 next
2797 edit "HO-USERS-COMP-SECTION"
2798 set uuid ed21b9d8-6d8c-51e5-106b-1e2bda48c509
2801 set start-ip 192.168.6.31
2802 set end-ip 192.168.6.40
2803 next
2804 edit "HO-USER-ACC-SECTION"
2805 set uuid 27849afa-6d8d-51e5-dd19-1d09d1e46b6b
2808 set start-ip 192.168.6.43
2809 set end-ip 192.168.6.60
2810 next
2811 edit "HO-USERS-ADM-SECTION"
2812 set uuid 729cead8-6d8d-51e5-8cbd-113ac32e54e4
2815 set start-ip 192.168.6.61
2816 set end-ip 192.168.6.70
2817 next
2818 edit "HO-USERS-DATAHUB"
2819 set uuid ae458968-6d8e-51e5-2438-5a3327ad79d8
2822 set start-ip 192.168.6.71
2823 set end-ip 192.168.6.85
2824 next
2825 edit "HO-USERS-LOAN-SECTION"
2826 set uuid f4dffb8c-6d8f-51e5-f0d6-6822e36131e8
2829 set start-ip 192.168.6.86
2830 set end-ip 192.168.6.100
2831 next
2832 edit "HO-USERS-STATIONARY-SECTION"
2832 edit "HO-USERS-STATIONARY-SECTION"
2833 set uuid 1c9a1e50-6d90-51e5-6324-557c430c6960
2836 set start-ip 192.168.6.104
2837 set end-ip 192.168.6.125
2838 next
2840 set uuid 50ecad62-6d90-51e5-c5d3-9e6def380d22
2842 set subnet 192.168.6.41 255.255.255.255
2843 next
2845 set uuid 63e0abe4-6d90-51e5-bfe5-33169aba6c1c
2847 set subnet 192.168.6.42 255.255.255.255
2848 next
2849 edit "HO-INTERNET-USERS-ATM"
2850 set uuid aeba32b6-6d90-51e5-cdcb-453b7a88f1c3
2853 set start-ip 192.168.6.26
2854 set end-ip 192.168.6.30
2855 next
2856 edit "HO-INTERNET-USER"
2857 set uuid d0b56fe8-6d90-51e5-1016-9d3d582d6acb
2859 set subnet 192.168.6.61 255.255.255.255
2860 next
2861 edit "HO-INTERNET-USERS-ACC-SECTION"
2862 set uuid 27081c10-6d91-51e5-d303-a2a6e0c945fc
2865 set start-ip 192.168.6.46
2866 set end-ip 192.168.6.47
2867 next
2868 edit "EMAIL-SERVER"
2869 set uuid 368c3728-6d93-51e5-6659-2b607fd75f7c
2871 set subnet 10.10.10.2 255.255.255.255
2872 next
2873 edit "WEB-CMS"
2874 set uuid 62c4ab5a-6e46-51e5-729b-a2e04ce90304
2876 set subnet 10.13.135.58 255.255.255.255
2877 next
2878 edit "RGCS1"
2879 set uuid 2dd81b90-6e49-51e5-6a33-e774e5a3621b
2881 set subnet 192.168.171.33 255.255.255.255
2882 next
2883 edit "RGCS2"
2884 set uuid 42f2a3ce-6e49-51e5-a986-bf5c7a71129c
2886 set subnet 192.168.171.40 255.255.255.255
2887 next
2888 edit "Ekuber-New"
2889 set uuid 1ac112be-717d-51e5-f8e2-51e2d7e1e18d
2891 set subnet 10.28.1.254 255.255.255.255
2892 next
2893 edit "IDRBT-TEST-HUB"
2894 set uuid 2eef3856-717d-51e5-e04a-94c990d46ecf
2896 set subnet 10.0.67.194 255.255.255.255
2897 next
2898 edit "PO-Ticketing"
2899 set uuid 55f1f37a-717e-51e5-720e-3ec25db2af83
2901 set subnet 10.29.1.191 255.255.255.255
2902 next
2903 edit "PO-2"
2904 set uuid 66502c96-717e-51e5-48ac-6ae667be00ba
2906 set subnet 10.29.3.51 255.255.255.255
2907 next
2908 edit "PO-1"
2909 set uuid 870bc2ce-717e-51e5-df38-c54b9deaefa6
2911 set subnet 10.29.2.11 255.255.255.255
2912 next
2913 edit "LDAP-2"
2914 set uuid 9b58db7c-717e-51e5-33bb-25af246fc022
2916 set subnet 10.30.0.6 255.255.255.255
2917 next
2918 edit "LDAP-1"
2919 set uuid aa3f53dc-717e-51e5-8edc-d01243250515
2921 set subnet 10.30.0.4 255.255.255.255
2922 next
2923 edit "SFMS-DR"
2924 set uuid c17f240a-717e-51e5-ccc3-a39ba06e481d
2926 set subnet 10.30.0.102 255.255.255.255
2927 next
2928 edit "ROUTER"
2929 set uuid d1986112-717e-51e5-fc11-88c50d2102d6
2931 set subnet 10.30.231.1 255.255.255.255
2932 next
2933 edit "RTGS-NG-WAN"
2934 set uuid ec6f1cba-717e-51e5-6c81-ccecddfd75ad
2936 set subnet 10.30.231.11 255.255.255.255
2937 next
2938 edit "RTGS-PRI-WAN"
2939 set uuid 098daa82-717f-51e5-3d26-5c77df1bfc0b
2941 set subnet 10.30.231.7 255.255.255.255
2942 next
2943 edit "RTGS-BKP-WAN"
2944 set uuid 1acb303a-717f-51e5-99f5-127ed65612a3
2946 set subnet 10.30.231.6 255.255.255.255
2947 next
2948 edit "Ekuber-BKP"
2949 set uuid 42dacd60-717f-51e5-3e21-3028e8b501c1
2951 set subnet 10.28.1.171 255.255.255.255
2952 next
2953 edit "Ekuber-PRI"
2954 set uuid 5af3e684-717f-51e5-2cb5-c9c2c279d4b4
2956 set subnet 10.29.1.171 255.255.255.255
2957 next
2958 edit "SFMS"
2959 set uuid 73eae700-717f-51e5-d144-135d63a31b7f
2961 set subnet 10.0.67.115 255.255.255.255
2962 next
2963 edit "SONICWALL-RTGS"
2964 set uuid ff3c4662-7186-51e5-5076-7000570c4a7b
2966 set subnet 172.30.0.50 255.255.255.255
2967 next
2968 edit "PO-NEAR-DR"
2969 set uuid 9ff89826-7191-51e5-7dc7-25ea95f2debc
2971 set subnet 10.28.3.51 255.255.255.255
2972 next
2973 edit "PO-FAR-DR"
2974 set uuid b67419b8-7191-51e5-6694-1a9c14bb535c
2976 set subnet 10.35.3.51 255.255.255.255
2977 next
2978 edit "IDRBT-INTRANET"
2979 set uuid 413951f8-7197-51e5-7ff1-08fea62d1c5c
2981 set subnet 10.0.67.166 255.255.255.255
2982 next
2983 edit "IDRBT-CA"
2984 set uuid 5060da7a-7197-51e5-97d3-114cdde5c4ce
2986 set subnet 10.0.67.18 255.255.255.255
2987 next
2987 next
2988 edit "SASTI"
2989 set uuid 4e90fdd8-83b7-51e5-684a-afb66730840b
2991 set subnet 192.168.62.1 255.255.255.255
2992 next
2993 edit "MPLS ROUTER"
2994 set uuid 9a14e876-8472-51e5-cb82-94383ccdb767
2996 set subnet 172.23.39.133 255.255.255.255
2997 next
2998 edit "Sophos-Backup-1"
2999 set uuid a8021608-937b-51e5-507c-fb768d26a307
3001 set subnet 192.168.250.0 255.255.255.0
3002 next
3003 edit "TESTSERVR"
3004 set uuid abb5f9d2-a234-51e5-cc83-7c062398c60b
3006 set subnet 172.21.27.1 255.255.255.255
3007 next
3008 edit "eurronet-router"
3009 set uuid 8edaa794-aa19-51e5-def2-238febe18f5c
3011 set subnet 172.21.29.3 255.255.255.255
3012 next
3013 edit "ATM-MARKETYARD"
3014 set uuid b7dc57ae-ab0a-51e5-bdbe-22258c017098
3016 set subnet 192.168.2.101 255.255.255.255
3017 next
3018 edit "ATM-HIWARKHED-EXT"
3019 set uuid da072642-ab0a-51e5-826a-78e1ac0bfe0b
3021 set subnet 192.168.114.101 255.255.255.255
3022 next
3023 edit "ATM-MAHAN"
3024 set uuid 6bc55a26-ab9d-51e5-ebdc-de1622157d8e
3026 set subnet 192.168.30.101 255.255.255.255
3027 next
3028 edit "WSUS"
3029 set uuid a4c6c012-abbb-51e5-c89b-2f9f170a4c21
3031 set subnet 172.21.28.17 255.255.255.255
3032 next
3033 edit "PRASANNA"
3034 set uuid ccc8bf6a-abbc-51e5-5532-0425af911b2b
3036 set subnet 172.21.28.20 255.255.255.255
3037 next
3038 edit "ATM-FINCRAFT-USER1"
3039 set uuid 61c4ebae-abc0-51e5-6928-5d83c3f27d0c
3041 set subnet 192.168.6.26 255.255.255.255
3042 next
3044 set uuid 7dca5adc-abc0-51e5-f0f0-6bd8456b310d
3046 set subnet 192.168.6.27 255.255.255.255
3047 next
3048 edit "ACC-SECTION-INT-USER1"
3049 set uuid 7fed0322-abc6-51e5-a1df-5f3212bba054
3051 set subnet 192.168.6.55 255.255.255.255
3052 next
3053 edit "ZP-WASHIM"
3054 set uuid f4489716-ad30-51e5-0295-eaa6a5114b70
3057 set start-ip 192.168.113.1
3058 set end-ip 192.168.113.2
3059 next
3060 edit "HIWARKHED-EXT"
3061 set uuid dc95725a-ad31-51e5-300e-9c0f1df69df7
3063 set subnet 192.168.114.1 255.255.255.255
3064 next
3066 set uuid 675ec55e-ad3b-51e5-ebd5-f4a2131ba810
3068 set subnet 192.168.52.100 255.255.255.255
3069 next
3070 edit "CA-SERVER"
3071 set uuid 68647cb2-ad4c-51e5-1aab-3cdabdf8a441
3073 set subnet 172.21.24.1 255.255.255.255
3074 next
3075 edit "Umesh More"
3076 set uuid 5057a98a-ad71-51e5-2986-92b738340567
3078 set subnet 172.21.28.13 255.255.255.255
3079 next
3080 edit "APP1"
3081 set uuid 6da790cc-adf3-51e5-0a0c-bcbe9e37c572
3082 set type fqdn
3084 set fqdn "APPCLUSTER.ADCCBCBS.COM"
3085 next
3086 edit "HO-INTERNET-USERS"
3087 set uuid a01ebd64-adfd-51e5-2c4a-a4937642ad20
3090 set start-ip 192.168.6.117
3091 set end-ip 192.168.6.117
3092 next
3094 set uuid e0f236da-adfe-51e5-4059-795407dd2567
3096 set subnet 192.168.110.100 255.255.255.255
3097 next
3098 edit "PA"
3099 set uuid cde2bfea-ae1e-51e5-2bf8-4355db8c5ce5
3101 set subnet 192.168.6.67 255.255.255.255
3102 next
3104 set uuid a10ee9de-ae24-51e5-4cc2-0a8815fdd4cc
3106 set subnet 192.168.251.0 255.255.255.0
3107 next
3108 edit "FileZilla"
3109 set uuid e9017d8a-ae27-51e5-675c-0495f7e255a1
3111 set subnet 192.168.6.99 255.255.255.255
3112 next
3113 edit "SQLDB"
3114 set uuid a5502abe-aeb3-51e5-ece4-79a0e9bccc96
3115 set type fqdn
3117 set fqdn "ADCCSQL.ADCCBCBS.COM"
3118 next
3119 edit "SONICWALL-INTERNET"
3120 set uuid 338593fe-aec4-51e5-d9fb-3abde5e1fc02
3122 set subnet 192.168.1.50 255.255.255.255
3123 next
3124 edit "PrimaryDomain"
3125 set uuid a665a8da-aecb-51e5-d2b7-34174cd9617b
3126 set type fqdn
3128 set fqdn "PRIMARYDOMAIN.ADCCBCBS.COM"
3129 next
3130 edit "BackupDomain"
3131 set uuid d655430c-aecb-51e5-71c2-9220c365533a
3132 set type fqdn
3134 set fqdn "BACKUPDOMAIN.ADCCBCBS.COM"
3135 next
3136 edit "APPLICATION1"
3137 set uuid e79aa676-aecf-51e5-eb49-e8bb3e1eba32
3138 set type fqdn
3140 set fqdn "APPLICATION1.ADCCBCBS.COM"
3141 next
3142 edit "MGMNT-PC"
3143 set uuid cd541652-af89-51e5-9475-7e9f9c65ad72
3143 set uuid cd541652-af89-51e5-9475-7e9f9c65ad72
3145 set subnet 172.21.28.25 255.255.255.255
3146 next
3147 edit "MILIND"
3148 set uuid 3a18aa4a-afa4-51e5-9213-d98520eae0e1
3150 set subnet 192.168.6.65 255.255.255.255
3151 next
3152 edit "ProxyServer"
3153 set uuid ea680f48-b130-51e5-70d4-59d363c428d0
3155 set subnet 172.21.28.22 255.255.255.255
3156 next
3157 edit "MORESIR"
3158 set uuid 07677b2c-b435-51e5-a0b2-bc1bbe8c4df2
3160 set subnet 172.21.28.13 255.255.255.255
3161 next
3162 edit "GHS"
3163 set uuid ae059d1a-b52f-51e5-ae34-410109a2d2a4
3165 set subnet 192.168.6.154 255.255.255.255
3166 next
3167 edit "nwadm"
3168 set uuid 74db8e1c-b608-51e5-b7b4-5c9960de1241
3170 set subnet 172.21.28.21 255.255.255.255
3171 next
3172 edit "GMAIL"
3173 set uuid f4c18998-bb75-51e5-4171-1627d1d1c427
3174 set type fqdn
3175 set associated-interface "wan1"
3176 set fqdn "*.GMAIL.COM"
3177 next
3178 edit "AAN"
3179 set uuid 2d9a3776-bc1e-51e5-a1b3-3023ab1581c0
3181 set subnet 192.168.6.56 255.255.255.255
3182 next
3183 edit "VaidyaSir"
3184 set uuid c850f77e-c028-51e5-ed20-8b0eeed922a4
3186 set subnet 192.168.6.120 255.255.255.255
3187 next
3188 edit "DR-PRIMARYDOMAIN"
3189 set uuid a1f762b2-c8ce-51e5-f150-d30505aa95af
3191 set subnet 172.16.16.1 255.255.255.255
3192 next
3193 edit "DR-BACKUPDOMAIN"
3194 set uuid ba07fdbc-c8ce-51e5-42fc-90cb047f1b6b
3196 set subnet 172.16.16.2 255.255.255.255
3197 next
3198 edit "CTS Server"
3199 set uuid d4792bb8-c8d7-51e5-8ba1-5cd21ae86793
3201 set subnet 172.21.28.15 255.255.255.255
3202 next
3203 edit "SMSSERVER"
3204 set uuid ede3e250-c8d7-51e5-fd6d-9f92870a5130
3206 set subnet 10.10.10.1 255.255.255.255
3207 next
3208 edit "Mr.Kale"
3209 set uuid d62e2b00-cf0f-51e5-4b7f-ae4c099f2f7d
3211 set subnet 192.168.6.121 255.255.255.255
3212 next
3213 edit "VBK1037"
3214 set uuid 16179b2a-cf29-51e5-159a-a0d30fd44275
3216 set subnet 192.168.6.50 255.255.255.255
3217 next
3218 edit "VMWARE-CLIENT"
3219 set uuid d6ffc50e-d471-51e5-769a-a4dc3504f119
3221 set subnet 172.21.28.16 255.255.255.255
3221 set subnet 172.21.28.16 255.255.255.255
3222 next
3223 edit "VMWARE-HOST"
3224 set uuid ecf161b0-d471-51e5-3ae9-167e759bebe0
3226 set subnet 10.10.10.3 255.255.255.255
3227 next
3228 edit "DR-DATABASE1"
3229 set uuid 79c67a4e-deb8-51e5-b99c-4c00bdd1112c
3231 set subnet 172.19.19.1 255.255.255.255
3232 next
3233 edit "DR-DATABASE2"
3234 set uuid 951d142e-deb8-51e5-67d1-2b80d19abe12
3236 set subnet 172.19.19.2 255.255.255.255
3237 next
3238 edit "DR-APPLICATION1"
3239 set uuid bd478a9c-deb8-51e5-59d3-6ba3b2648167
3241 set subnet 172.17.17.1 255.255.255.255
3242 next
3243 edit "DR-APPLICATION2"
3244 set uuid d77dd1f0-deb8-51e5-a9e5-2880dec42884
3246 set subnet 172.17.17.2 255.255.255.255
3247 next
3248 edit "VIEW-FRAME"
3249 set uuid 71ed17e2-e04d-51e5-bb28-fd338b903025
3251 set subnet 192.168.6.114 255.255.255.255
3252 next
3253 edit "ATM-MANGRULPIR-CITY"
3254 set uuid ea29b26e-e11b-51e5-e478-c37e19f19d91
3256 set subnet 192.168.79.101 255.255.255.255
3257 next
3259 set uuid 36df1480-eb4b-51e5-8d03-100c51442c5b
3261 set subnet 192.168.252.0 255.255.255.0
3262 next
3263 edit "ATM-MHAISANG"
3264 set uuid 2b4ef344-ec25-51e5-e268-7ee74e28cf9a
3266 set subnet 192.168.14.101 255.255.255.255
3267 next
3268 edit "ATM-Dhaihanda"
3269 set uuid 8fd530e2-ec27-51e5-6aa7-c4823eaec343
3271 set subnet 192.168.18.101 255.255.255.255
3272 next
3273 edit "ATM-DHABA"
3274 set uuid 54c8e3ee-ec28-51e5-b747-90cb525026f6
3276 set subnet 192.168.32.101 255.255.255.255
3277 next
3278 edit "ATM-RAUNDLA"
3279 set uuid 760417ae-ec28-51e5-dc90-50aaa5904fcf
3281 set subnet 192.168.37.101 255.255.255.255
3282 next
3283 edit "ATM-KUTASA"
3284 set uuid 88a42af2-ec28-51e5-75fc-6463f516e678
3286 set subnet 192.168.41.101 255.255.255.255
3287 next
3288 edit "ATM-NIMBA"
3289 set uuid a0b98aba-ec28-51e5-60c2-8e5735d2f998
3291 set subnet 192.168.54.101 255.255.255.255
3292 next
3293 edit "ATM-PARAS"
3294 set uuid b7718dd4-ec28-51e5-2b13-e31ac7dec6de
3296 set subnet 192.168.55.101 255.255.255.255
3297 next
3298 edit "ATM-CHANNI"
3298 edit "ATM-CHANNI"
3299 set uuid c5369c48-ec28-51e5-71d9-91471355d6ac
3301 set subnet 192.168.59.101 255.255.255.255
3302 next
3303 edit "ATM-MURTIZAPUR CITY"
3304 set uuid d87d89c4-ec28-51e5-b389-9681dbdbb35a
3306 set subnet 192.168.66.101 255.255.255.255
3307 next
3308 edit "ATM-UMBARDA BAZAR"
3309 set uuid eba4b068-ec28-51e5-43dd-d8406c569568
3311 set subnet 192.168.73.101 255.255.255.255
3312 next
3313 edit "ATM-DHANAJ"
3314 set uuid 044dc352-ec29-51e5-e932-0e6f094ff102
3316 set subnet 192.168.74.101 255.255.255.255
3317 next
3318 edit "ATM-POHARADEVI"
3319 set uuid 16bec45a-ec29-51e5-774f-cb2e49131194
3321 set subnet 192.168.86.101 255.255.255.255
3322 next
3323 edit "ATM-TONDGAO"
3324 set uuid 289dbb0e-ec29-51e5-1442-ba815ea76186
3326 set subnet 192.168.91.101 255.255.255.255
3327 next
3328 edit "ATM-MEDSHI"
3329 set uuid 52de0b44-ec29-51e5-243c-06237a43bfc3
3331 set subnet 192.168.96.101 255.255.255.255
3332 next
3333 edit "ATM-PANGRIKUTE"
3334 set uuid 8ea39018-ec29-51e5-a0de-2a373879c73a
3336 set subnet 192.168.97.101 255.255.255.255
3337 next
3338 edit "ATM-RITHAD"
3339 set uuid a5b8fcac-ec29-51e5-18de-650843fe7517
3341 set subnet 192.168.101.101 255.255.255.255
3342 next
3343 edit "ATM-MANGULZANAK"
3344 set uuid b7fad11a-ec29-51e5-55f9-5f9c1f1c29d1
3346 set subnet 192.168.103.101 255.255.255.255
3347 next
3348 edit "ATM-AKOT-NarsingMandir"
3349 set uuid 606cc08c-ef50-51e5-8281-31e0800d5546
3351 set subnet 192.168.35.101 255.255.255.255
3352 next
3353 edit "ATM-Kansivni"
3354 set uuid 9cc75efc-ef50-51e5-81b0-262110f52ed6
3356 set subnet 192.168.15.101 255.255.255.255
3357 next
3358 edit "BSNL-WAN"
3359 set uuid d330e8ec-f0df-51e5-4b5d-22dbfe82c0b7
3361 set subnet 59.99.164.1 255.255.255.255
3362 next
3363 edit "DRAPPCLUSTER"
3364 set uuid cf8332d8-0ea6-51e6-d62c-549d19337289
3366 set subnet 172.17.17.3 255.255.255.255
3367 next
3368 edit "DRADCCSQL"
3369 set uuid 03b58b7c-0ea8-51e6-1af3-d8ae291d2431
3371 set subnet 172.19.19.5 255.255.255.255
3372 next
3373 edit "Ekuber-DR"
3374 set uuid 218bedc8-1414-51e6-b44a-21864c91c6dc
3376 set subnet 10.35.1.171 255.255.255.255
3376 set subnet 10.35.1.171 255.255.255.255
3377 next
3378 edit "ATM-CIVILLINES-2"
3379 set uuid a782f8b2-1681-51e6-a7ef-9d7952137678
3381 set subnet 192.168.6.103 255.255.255.255
3382 next
3383 edit "ATM-Rajeshwar"
3384 set uuid 5cdaa62e-1682-51e6-6ade-41a0f5cc68f0
3386 set subnet 192.168.4.101 255.255.255.255
3387 next
3388 edit "sysadmin"
3389 set uuid f012127a-23d8-51e6-2041-50d75611e9f1
3391 set subnet 172.21.28.26 255.255.255.255
3392 next
3393 edit "DR-CASERVER"
3394 set uuid 189f38e4-23d9-51e6-08a6-343bd08d7d55
3396 set subnet 172.20.20.1 255.255.255.255
3397 next
3398 edit "DR-CASERVER-2"
3399 set uuid 4f722d5c-2629-51e6-80ba-1b7ba49cce72
3401 set subnet 172.20.20.1 255.255.255.255
3402 next
3403 edit "ATM-Adsul"
3404 set uuid 4886b2d2-27e7-51e6-541a-99832ef079c5
3406 set subnet 192.168.49.101 255.255.255.255
3407 next
3408 edit "DC-ADMIN-USERS-2"
3409 set uuid 43ff97a8-28ad-51e6-2f04-20a3eb4c8adf
3412 set start-ip 172.21.28.12
3413 set end-ip 172.21.28.14
3414 next
3415 edit "CIVIL-LINES-DVR"
3416 set uuid 30731b40-2a5d-51e6-6ebb-a473b19595cc
3418 set subnet 192.168.6.102 255.255.255.255
3419 next
3420 edit "INZORI BRANCH"
3421 set uuid 57aecd60-3207-51e6-c0d9-1fc1c9885966
3424 set start-ip 192.168.115.1
3425 set end-ip 192.168.115.2
3426 next
3427 edit "ATM-GANDHIGRAM"
3428 set uuid e7c854be-3236-51e6-1444-cf3e8888da92
3430 set subnet 192.168.16.101 255.255.255.255
3431 next
3432 edit "EuronetTest1"
3433 set uuid 6e310620-3527-51e6-9e61-f076667bbfe9
3435 set subnet 202.138.123.75 255.255.255.255
3436 next
3437 edit "EuronetTest2"
3438 set uuid 85cd084c-3527-51e6-45cd-dc664199e192
3440 set subnet 10.13.139.2 255.255.255.255
3441 next
3442 edit "VAIBHAV"
3443 set uuid 1d19a150-36a5-51e6-9659-61e0bd7910b6
3445 set subnet 172.21.28.14 255.255.255.255
3446 next
3447 edit "MGMNT2-PC"
3448 set uuid 3bde58d0-36d0-51e6-108e-0fb01d76d724
3450 set subnet 172.21.28.26 255.255.255.255
3451 next
3452 edit "MSEB-APP"
3453 set uuid 9bad5c44-3dcd-51e6-ea3d-351c6b46cbfc
3455 set subnet 192.168.6.57 255.255.255.255
3456 next
3457 edit "DR-MONITOR"
3458 set uuid 6e3b5c4e-41c8-51e6-c9bb-5b313136848b
3460 set subnet 172.16.16.3 255.255.255.255
3461 next
3463 set uuid 6c648088-4b43-51e6-365f-0210a1c2e623
3465 set subnet 192.168.115.100 255.255.255.255
3466 next
3467 edit "DR-RTGS-SERVER"
3468 set uuid 25031748-4e42-51e6-0477-caaf4d65b6d5
3470 set subnet 172.28.28.1 255.255.255.255
3471 next
3472 edit "Datacenter-Laptop-1"
3473 set uuid 7048fcbc-52f8-51e6-3d49-dc2263790edc
3475 set subnet 172.21.28.22 255.255.255.255
3476 next
3477 edit "Datacenter-Laptop-2"
3478 set uuid 8d504b30-52f8-51e6-0c6b-f82e574df8f0
3480 set subnet 172.21.28.23 255.255.255.255
3481 next
3482 edit "Vinod Raut"
3483 set uuid 9e8677b0-5ade-51e6-9f6b-e88b73f48907
3485 set subnet 172.21.28.24 255.255.255.255
3486 next
3487 edit "abcd"
3488 set uuid 66279f0a-5fa9-51e6-22b4-5cc6c798134c
3490 set subnet 192.168.6.32 255.255.255.255
3491 next
3492 edit "ATM-OFFSITE-NIMBA"
3493 set uuid faa2647e-6dc0-51e6-a195-f1bde6d7e9a8
3495 set subnet 192.168.246.2 255.255.255.255
3496 next
3497 edit "Nelito_Tech"
3498 set uuid deb87a8a-8569-51e6-ad72-c573e677afda
3499 set comment "Suraj Bhoir"
3501 set subnet 172.21.28.28 255.255.255.255
3502 next
3504 set uuid a0bdb4f4-92aa-51e6-9d5f-4b067bcda068
3506 set subnet 192.168.253.0 255.255.255.0
3507 next
3508 edit "NELITODBUSER"
3509 set uuid e72e5f98-b798-51e6-2008-9c358f787581
3512 set start-ip 192.168.6.38
3513 set end-ip 192.168.6.39
3514 next
3515 edit "comsolvepc"
3516 set uuid 853ed54a-b7ae-51e6-60c8-418e7b1f0556
3518 set subnet 192.168.6.40 255.255.255.255
3519 next
3520 edit "RTGS-MONITER"
3521 set uuid 8972abec-b86b-51e6-b579-31dafa347fbd
3523 set subnet 192.168.6.116 255.255.255.255
3524 next
3525 edit "RATHODPC"
3526 set uuid 84b66846-cc2f-51e6-e50a-d37e6b87fe84
3528 set subnet 192.168.6.117 255.255.255.255
3529 next
3530 edit "KARANJA MARKET YARD"
3531 set uuid da9649fa-d0af-51e6-3dd6-b3a0198184f2
3534 set start-ip 192.168.116.1
3535 set end-ip 192.168.116.2
3536 next
3537 edit "ATM-KARANJA-MARKETYARD"
3538 set uuid add496f0-d0b0-51e6-6dc5-071841a934e5
3540 set subnet 192.168.116.101 255.255.255.255
3541 next
3543 set uuid 1eb0d338-d0b2-51e6-6fe4-e0815a8ba263
3545 set subnet 192.168.116.100 255.255.255.255
3546 next
3547 edit "IDRBT-TEST-HUB-NEW"
3548 set uuid 5fddc17e-d664-51e6-ffc5-2543883d3563
3550 set subnet 10.0.67.85 255.255.255.255
3551 next
3552 edit "DR-Korpe-Nagar-DVR"
3553 set uuid c2f70eb2-edef-51e6-2762-6e9744e9714a
3555 set subnet 192.168.8.102 255.255.255.255
3556 next
3557 edit "Ranpise Nagar-DVR"
3558 set uuid ffc0c9e2-ee8e-51e6-bbe1-2fc799bfee21
3560 set subnet 192.168.24.102 255.255.255.255
3561 next
3562 edit "Kapad Bazar-DVR"
3563 set uuid cc08c212-ee93-51e6-010e-15660e0b0af7
3565 set subnet 192.168.3.102 255.255.255.255
3566 next
3567 edit "DabkrRD-DVR"
3568 set uuid 06434ae0-ee9b-51e6-bba6-6ac0abac97f5
3570 set subnet 192.168.10.102 255.255.255.255
3571 next
3572 edit "Barshitakli-DVR"
3573 set uuid 46f49f74-eeb6-51e6-15f7-1ef10b74f0fc
3575 set subnet 192.168.28.102 255.255.255.255
3576 next
3577 edit "Khadki-DVR"
3578 set uuid c6efbb1e-eeb6-51e6-32c1-3f9b87f7433e
3580 set subnet 192.168.23.102 255.255.255.255
3581 next
3582 edit "Mahan-DVR"
3583 set uuid 571e5774-eebf-51e6-325c-80c8e1165a9b
3585 set subnet 192.168.30.102 255.255.255.255
3586 next
3587 edit "Chohotta-DVR"
3588 set uuid f36a1c4c-ef61-51e6-9558-1bbbb6f9f770
3590 set subnet 192.168.38.102 255.255.255.255
3591 next
3592 edit "AkotCity-DVR"
3593 set uuid a3fd303c-ef6a-51e6-a08c-5e20cd14aea0
3595 set subnet 192.168.34.102 255.255.255.255
3596 next
3597 edit "AkotMain-DVR"
3598 set uuid d4c74fa4-ef6a-51e6-3f87-234978fd7f5b
3600 set subnet 192.168.33.102 255.255.255.255
3601 next
3602 edit "Hiwarkhed Ex-DVR"
3603 set uuid e57d5b6a-ef7c-51e6-553d-840d418ae7c2
3605 set subnet 192.168.114.102 255.255.255.255
3606 next
3607 edit "Telhara Main-DVR"
3608 set uuid 24a0e29e-ef7d-51e6-5444-f54b190d458c
3610 set subnet 192.168.43.102 255.255.255.255
3611 next
3612 edit "SOPHOS-UTM"
3613 set uuid 952f79da-04a4-51e7-e87a-9c7a9bf21124
3615 set subnet 192.168.1.246 255.255.255.255
3616 next
3617 edit "Vinod Kalbande"
3618 set uuid f4c8deb0-12b2-51e7-7676-f5da0ce5c654
3620 set subnet 192.168.6.31 255.255.255.255
3621 next
3622 edit "Mahure"
3623 set uuid 766cdcd2-1385-51e7-e126-3c77ae53bbd1
3625 set subnet 192.168.6.75 255.255.255.255
3626 next
3627 edit "Ho Back-Office"
3628 set uuid ed9928ae-19e5-51e7-860b-a6eb01da5a8a
3631 set start-ip 192.168.6.126
3632 set end-ip 192.168.6.147
3633 next
3634 edit "FRM"
3635 set uuid 457c7f4c-2988-51e7-ca3a-645164aa60bb
3637 set subnet 192.168.171.28 255.255.255.255
3638 next
3639 edit "ATM-USER-1"
3640 set uuid bcb28f74-2bff-51e7-47e8-dd3d62cc20a4
3642 set subnet 192.168.6.72 255.255.255.255
3643 next
3644 edit "ATM-USER-2"
3645 set uuid 021cedca-2c00-51e7-080b-5cf80e02b93e
3647 set subnet 192.168.6.77 255.255.255.255
3648 next
3649 edit "New-SFMS"
3650 set uuid c91016de-2cdf-51e7-5b57-4d155cfcb14f
3652 set subnet 10.100.5.234 255.255.255.255
3653 next
3654 edit "HO-Backoffice-INTERNETUSER-1"
3655 set uuid 462290ba-33c6-51e7-1dd7-7884f03a0779
3657 set subnet 192.168.6.126 255.255.255.255
3658 next
3659 edit "IDRBT-INTRANET-NEW"
3660 set uuid 287a4d02-3621-51e7-f263-8a57abcd09d0
3662 set subnet 10.0.50.173 255.255.255.255
3663 next
3664 edit "SFMS_NEW"
3665 set uuid 8a7acfe6-406b-51e7-03b1-bd28ee0be6b7
3666 set comment "RTGS New Server"
3668 set subnet 10.100.5.115 255.255.255.255
3669 next
3670 edit "SK Mohod"
3671 set uuid 36c0314e-4114-51e7-ad52-74b72d250963
3672 set comment "For FU-IND"
3674 set subnet 192.168.6.55 255.255.255.255
3675 next
3676 edit "ATM OFF-SITE PUSAD NAKA"
3677 set uuid ea3c8f48-450f-51e7-1ec6-abcc5009dbee
3679 set subnet 192.168.246.10 255.255.255.255
3680 next
3681 edit "CHECKPOINT-IP"
3682 set uuid 69a96944-45f7-51e7-69d4-e1542b63346f
3684 set subnet 172.22.26.4 255.255.255.255
3685 next
3686 edit "ATM-Kasola Extn"
3687 set uuid 03507100-4756-51e7-0ec0-70c71049686a
3687 set uuid 03507100-4756-51e7-0ec0-70c71049686a
3689 set subnet 192.168.109.101 255.255.255.255
3690 next
3691 edit "ATM-Kinhiraja"
3692 set uuid 2073fb4e-4756-51e7-389f-33e6b76ff264
3694 set subnet 192.168.94.101 255.255.255.255
3695 next
3696 edit "Micro ATM"
3697 set uuid 0f139ae4-4779-51e7-7636-e354042979da
3699 set subnet 20.20.20.20 255.255.255.255
3700 next
3701 edit "TEST"
3702 set uuid 1c089a58-500a-51e7-d922-222f29ff78eb
3704 set subnet 172.21.29.10 255.255.255.255
3705 next
3706 edit "CTRLSFI"
3707 set uuid 469753e4-502e-51e7-1529-e3ab47d74975
3708 set associated-interface "port10"
3709 set subnet 172.23.25.3 255.255.255.255
3710 next
3711 edit "Micro-ATM"
3712 set uuid 9a4d141a-5042-51e7-2dc2-0f947b98a819
3714 set subnet 172.30.10.2 255.255.255.255
3715 next
3716 edit "PDC-DR"
3717 set uuid 491c9e66-5322-51e7-c2f8-5ba0e01600bc
3719 set subnet 172.16.16.1 255.255.255.255
3720 next
3721 edit "BDC-DR"
3722 set uuid 5baa15ea-5322-51e7-b4a1-f2e72301080e
3724 set subnet 172.16.16.2 255.255.255.255
3725 next
3726 edit "Unspecified Branch - Reserved For SOPHOS"
3727 set uuid de863286-55bc-51e7-8230-c4200e2f1634
3729 set start-ip 192.168.63.1
3730 set end-ip 192.168.63.9
3731 next
3732 edit "Ekuber-Pri"
3733 set uuid fc505ade-5671-51e7-2f6f-77b7563c4e22
3735 set subnet 10.29.1.171 255.255.255.255
3736 next
3737 edit "Ekuber-Bkp"
3738 set uuid 16ee4c7a-5672-51e7-be79-f465dfb46acf
3740 set subnet 10.28.1.171 255.255.255.255
3741 next
3742 edit "CPFW"
3743 set uuid 78ed5146-567c-51e7-c839-b4d6d2b56b10
3745 set subnet 172.22.24.3 255.255.255.255
3746 next
3747 edit "CPFW-OUT"
3748 set uuid 9fc35c1a-570e-51e7-72a3-e83736d3386b
3750 set subnet 172.22.26.3 255.255.255.255
3751 next
3752 edit "CPPRI"
3753 set uuid 86ad98ba-5738-51e7-4f06-eb165946e10a
3755 set subnet 172.23.21.128 255.255.255.255
3756 next
3757 edit "CPHA"
3758 set uuid 94df03a6-5738-51e7-37e4-4d3ae42efa34
3760 set subnet 172.23.21.129 255.255.255.255
3761 next
3762 edit "ATM-Hiwarkhed"
3763 set uuid 7fae5f16-5d89-51e7-5bbd-d12117120bd2
3765 set subnet 192.168.45.101 255.255.255.255
3765 set subnet 192.168.45.101 255.255.255.255
3766 next
3767 edit "ATM-Mundgaon"
3768 set uuid 0adfacec-5d8b-51e7-6dce-ed7d7ee86a0e
3770 set subnet 192.168.42.101 255.255.255.255
3771 next
3772 edit "ATM-Hatrun"
3773 set uuid 77f1982a-5d9c-51e7-e41d-d3fbafd0ba7c
3775 set subnet 192.168.56.101 255.255.255.255
3776 next
3777 edit "Ekuber-DR-Primary"
3778 set uuid 3440e410-6219-51e7-f985-65ee1f0a21fc
3780 set subnet 10.29.1.171 255.255.255.255
3781 next
3782 edit "Ekuber-DR-Backup"
3783 set uuid 7cb36966-6219-51e7-332b-209f1b0452ac
3785 set subnet 10.28.1.171 255.255.255.255
3786 next
3787 edit "DR-ATMInterface"
3788 set uuid 12086aa4-6227-51e7-6dcc-e9861f59388a
3790 set subnet 172.18.18.1 255.255.255.255
3791 next
3792 edit "Nelito-Prasad"
3793 set uuid 67581134-6232-51e7-cad0-e4932b8c5af9
3795 set subnet 192.168.6.38 255.255.255.255
3796 next
3797 edit "DR-Rtgs-Interface"
3798 set uuid 0a04d64e-6240-51e7-ce95-3237d66d2682
3800 set subnet 172.18.18.2 255.255.255.255
3801 next
3802 edit "EMS"
3803 set uuid 4ad4e66a-62fd-51e7-a14c-ec1f77cd2e4e
3805 set subnet 10.29.1.191 255.255.255.255
3806 next
3807 edit "SFMS-Intranet"
3808 set uuid 6803d5f2-62fd-51e7-bdf1-45c5d563afa7
3810 set subnet 10.0.67.166 255.255.255.255
3811 next
3812 edit "CropInsurance"
3813 set uuid 32161722-67a1-51e7-ab36-64a3705ad947
3815 set subnet 192.168.6.145 255.255.255.255
3816 next
3817 edit "ATM-MOP"
3818 set uuid 11742400-72aa-51e7-d026-47cd394f8f39
3820 set subnet 192.168.105.101 255.255.255.255
3821 next
3822 edit "IMPS router"
3823 set uuid 2159efaa-8bf8-51e7-853f-9ecd8bdb18b3
3825 set subnet 172.30.11.2 255.255.255.255
3826 next
3827 edit "IMPS_Telnet"
3828 set uuid 39ad8dbe-8bf8-51e7-9fce-44c7ab38bd3e
3830 set subnet 20.20.20.25 255.255.255.255
3831 next
3832 edit "Finacus-IMPS-LIVE"
3833 set uuid a95be5b0-8bf9-51e7-e830-b5c4302c532b
3835 set subnet 172.17.24.48 255.255.255.255
3836 next
3837 edit "Shende Saheb"
3838 set uuid 4807503a-9214-51e7-9c0b-af9b85f81a51
3839 set comment "For NRLM Portal"
3841 set subnet 192.168.6.88 255.255.255.255
3842 next
3843 edit "IDRBT-INTRANET-2"
3843 edit "IDRBT-INTRANET-2"
3844 set uuid 2b6e7206-97a9-51e7-3b5c-db80263ff783
3846 set subnet 10.100.0.119 255.255.255.255
3847 next
3848 edit "SFMS-INTRANET-2"
3849 set uuid e4588252-97a9-51e7-5e48-6366ed8fa953
3851 set subnet 10.100.0.119 255.255.255.255
3852 next
3853 edit "Mangle"
3854 set uuid 0f883cb6-c391-51e7-45fd-7e29c530aa1a
3855 set comment "FOR PIK VIMA 2017"
3857 set subnet 192.168.6.95 255.255.255.255
3858 next
3859 edit "Finacus - Mobile Banking"
3860 set uuid 772f6472-c394-51e7-2100-8f430454aba9
3862 set subnet 172.17.25.11 255.255.255.255
3863 next
3864 edit "SIEM-SRV"
3865 set uuid 291725be-c3a7-51e7-eafc-7df46e60ba39
3867 set subnet 10.10.10.4 255.255.255.255
3868 next
3869 edit "Finacus-IMPS-UAT"
3870 set uuid 31ea643e-c448-51e7-b089-a5e654231ee3
3872 set subnet 172.18.2.216 255.255.255.255
3873 next
3874 edit "EuronetSwitch-forCivilLines"
3875 set uuid a0359622-c57c-51e7-9259-bfc88b8b6d75
3877 set subnet 10.13.15.65 255.255.255.255
3878 next
3879 edit "Euronet-Checkpoint"
3880 set uuid 92d20b96-c58b-51e7-bc5d-afb4c8236e57
3882 set subnet 10.13.15.65 255.255.255.255
3883 next
3884 edit "HO-Backoffice-INTERNETUSER-2"
3885 set uuid 4dc724d6-c9ce-51e7-2460-654888034f83
3887 set subnet 192.168.6.127 255.255.255.255
3888 next
3889 edit "Biskunde Saheb"
3890 set uuid ff2b4a4a-c9ec-51e7-95e3-730f33376099
3891 set comment "GST"
3893 set subnet 192.168.6.81 255.255.255.255
3894 next
3895 edit "Potmala-Int-135"
3896 set uuid 1231dd02-c9f2-51e7-d998-64fa91600f8b
3897 set comment "Internet allowed as per instructions from Raut Sir"
3899 set subnet 192.168.6.135 255.255.255.255
3900 next
3902 set uuid eeca7e22-cc27-51e7-2504-0bc505d31806
3905 set subnet 192.168.6.133 255.255.255.255
3906 next
3908 set uuid 10c1ea9c-cc28-51e7-9da2-dab66be2c542
3911 set subnet 192.168.6.134 255.255.255.255
3912 next
3914 set uuid 36d2d4d0-cc28-51e7-ff9b-9fed82c259e3
3917 set subnet 192.168.6.136 255.255.255.255
3918 next
3920 set uuid 4fc14346-cc28-51e7-7d22-b371f6344dbf
3920 set uuid 4fc14346-cc28-51e7-7d22-b371f6344dbf
3923 set subnet 192.168.6.137 255.255.255.255
3924 next
3926 set uuid 601cc544-cc28-51e7-2b82-5fd5e5dba171
3929 set subnet 192.168.6.138 255.255.255.255
3930 next
3931 edit "SachinNelito"
3932 set uuid d1b881a8-df00-51e7-9791-169378764cc7
3934 set subnet 192.168.6.151 255.255.255.255
3935 next
3936 edit "GST-INVOICE"
3937 set uuid d2194a28-df2e-51e7-dc57-ccce0f72c562
3938 set comment "GST Invoice Sharing"
3940 set subnet 103.14.162.217 255.255.255.255
3941 next
3942 edit "BBPS1"
3943 set uuid b47b990e-dfd7-51e7-703a-53ddc19cdd71
3945 set subnet 10.13.135.126 255.255.255.255
3946 next
3947 edit "BBPS_HO_AmitPC"
3948 set uuid 6b9b59dc-dfdb-51e7-e077-23ef29e1d2d4
3950 set subnet 192.168.6.26 255.255.255.255
3951 next
3952 edit "HO-Backoffice-INTENETUSER-3"
3953 set uuid 10712376-e3c2-51e7-86a0-db1b74434209
3955 set subnet 192.168.6.128 255.255.255.255
3956 next
3957 edit "CTS-PC"
3958 set uuid 4b813e18-e559-51e7-f15a-5dd71fbfde9a
3960 set subnet 192.168.6.199 255.255.255.255
3961 next
3962 edit "BBPS2"
3963 set uuid ef381b14-e633-51e7-2a0d-8b7fa8bf0178
3965 set subnet 10.13.135.130 255.255.255.255
3966 next
3967 edit "BBPS-Korpe Nagar"
3968 set uuid b99f7f46-e701-51e7-0650-364436e342cd
3971 set start-ip 192.168.8.1
3972 set end-ip 192.168.8.2
3973 next
3974 edit "ABsCsDd"
3975 set uuid 547e7d78-f071-51e7-b339-50c4676a32eb
3976 set type fqdn
3978 set fqdn "https://10.13.135.130/ENBranchPortal/Default.aspx"
3979 next
3980 edit "BBPS_Ratanlal"
3981 set uuid 59d83cd2-f12a-51e7-6741-81e9559a6862
3982 set comment "BBPS Testing"
3984 set subnet 192.168.26.1 255.255.255.255
3985 next
3986 edit "BBPS_KorpeNagar"
3987 set uuid 7405b878-f12a-51e7-e0c2-cc74ad9b0134
3990 set subnet 192.168.8.9 255.255.255.255
3991 next
3992 edit "BBPS_Ratanlal2"
3993 set uuid c8d590a8-f143-51e7-4345-4ad7dfff6dc8
3996 set subnet 192.168.26.2 255.255.255.255
3997 next
3998 edit "BBPS_CIVILLINES_1"
3999 set uuid 0752383c-f1de-51e7-e45f-be0a82f69245
4000 set comment "Civil Line Branch"
4002 set subnet 192.168.6.11 255.255.255.255
4003 next
4004 edit "HO-Backoffice-INTERNETUSER 133"
4005 set uuid 92d17ae2-f433-51e7-0a11-8035573be242
4007 set subnet 192.168.6.133 255.255.255.255
4008 next
4009 edit "HO-Backoffice-INTERNETUSER 138"
4010 set uuid a3b3a3b2-f433-51e7-5e70-9d45a32e2d41
4012 set subnet 192.168.6.138 255.255.255.255
4013 next
4014 edit "HO-BBPS Clients"
4015 set uuid 51ebed6a-f75c-51e7-fd9f-c270b81e517b
4018 set start-ip 192.168.6.148
4019 set end-ip 192.168.6.149
4020 next
4021 edit "BBPS_Washim_Main"
4022 set uuid 04130f02-f77e-51e7-2f14-53010d23df34
4023 set comment "Washim Main Branch"
4025 set subnet 192.168.188.1 255.255.255.255
4026 next
4027 edit "BBPS_Barshitakli"
4028 set uuid a41dbdd0-f9d1-51e7-096c-62c42c1df865
4029 set comment "Barshitakli Branch"
4031 set subnet 192.168.128.1 255.255.255.255
4032 next
4033 edit "BBPS_Akot_Main"
4034 set uuid 3d198db6-f9e1-51e7-55fa-d2c6f03ceef9
4035 set comment "Akot Main Branch"
4037 set subnet 192.168.133.1 255.255.255.255
4038 next
4039 edit "BBPS_Telhara_Main"
4040 set uuid 69c55a52-f9e1-51e7-6fa2-e492118d65f2
4041 set comment "Telhara Main Branch"
4043 set subnet 192.168.143.1 255.255.255.255
4044 next
4045 edit "BBPS_Balapur"
4046 set uuid 85c1bcf0-f9e1-51e7-63c6-9e24dfec677b
4047 set comment "Balapur Branch"
4049 set subnet 192.168.151.1 255.255.255.255
4050 next
4051 edit "BBPS_Patur"
4052 set uuid a1a6228a-f9e1-51e7-922a-f74ac76eb5f5
4053 set comment "Patur Branch"
4055 set subnet 192.168.158.1 255.255.255.255
4056 next
4057 edit "BBPS_Mzr_Main"
4058 set uuid c500cc30-f9e1-51e7-d1e2-8fe2f975ca5c
4059 set comment "Murtizapur Main Branch"
4061 set subnet 192.168.164.1 255.255.255.255
4062 next
4063 edit "BBPS_Karanja_Main"
4064 set uuid e82abf4a-f9e1-51e7-c417-0d8817171f8e
4065 set comment "Karajna Main Branch"
4067 set subnet 192.168.170.1 255.255.255.255
4068 next
4069 edit "BBPS_Mangrulpir_Main"
4070 set uuid 0a9920f8-f9e2-51e7-c340-51709dba0dae
4071 set comment "Mangrulpir Main Branch"
4073 set subnet 192.168.178.1 255.255.255.255
4074 next
4075 edit "BBPS_Manora"
4076 set uuid 1f44b6f2-f9e2-51e7-fefc-a13aac4c9920
4076 set uuid 1f44b6f2-f9e2-51e7-fefc-a13aac4c9920
4077 set comment "Manora Branch"
4079 set subnet 192.168.184.1 255.255.255.255
4080 next
4081 edit "BBPS_Malegaon"
4082 set uuid 441ea686-f9e2-51e7-719b-b9a4c5bab39d
4083 set comment "Malegaon Branch"
4085 set subnet 192.168.193.1 255.255.255.255
4086 next
4087 edit "BBPS_Risod_Main"
4088 set uuid 5c49fff8-f9e2-51e7-f312-62b75c08437f
4089 set comment "Risod Main Branch"
4091 set subnet 192.168.199.1 255.255.255.255
4092 next
4094 set uuid 5df41072-f9e3-51e7-5932-65be8cd3da8a
4095 set comment "Civil Line Branch"
4097 set subnet 192.168.6.12 255.255.255.255
4098 next
4099 edit "BBPS_ZP_63"
4100 set uuid ca062962-f9e3-51e7-ed8d-c18776d8f0d1
4101 set comment "Akola ZP SOPHOS Branch"
4103 set subnet 192.168.63.1 255.255.255.255
4104 next
4105 edit "HO_NEW_IP_Series"
4106 set uuid f870c62c-0000-51e8-73c8-9e4016e167c7
4109 set start-ip 192.168.6.152
4110 set end-ip 192.168.6.158
4111 next
4112 edit "Prasad PC"
4113 set uuid a80f74a6-0007-51e8-7f74-f9413470ef25
4114 set comment "Internet Allowed"
4116 set subnet 192.168.6.36 255.255.255.255
4117 next
4118 edit "Agme Saheb"
4119 set uuid 81eda43e-0bf4-51e8-ae5a-031181320138
4121 set subnet 192.168.6.106 255.255.255.255
4122 next
4123 edit "Finacus_RGCS_1"
4124 set uuid 9118e03c-0cc5-51e8-afd1-976ecf3ed5a0
4126 set subnet 192.168.183.50 255.255.255.255
4127 next
4128 edit "ATM-PALSO"
4129 set uuid b3b153aa-3997-51e8-5bb6-5d999a5139c1
4131 set subnet 192.168.13.101 255.255.255.255
4132 next
4133 edit "PFMS"
4134 set uuid bc17647e-4dfd-51e8-41a0-eb6823c08261
4135 set comment "PFMS SFTP"
4137 set subnet 49.35.221.181 255.255.255.255
4138 next
4139 edit "WashimMain-DVR"
4140 set uuid c5c17472-6001-51e8-aef6-175b8a4f1fbf
4142 set subnet 192.168.88.102 255.255.255.255
4143 next
4144 edit "ATM-SAVRA"
4145 set uuid b7eca524-630d-51e8-7e23-5c6cf09bf0c9
4147 set subnet 192.168.36.101 255.255.255.255
4148 next
4149 edit "BSG - Recon Server"
4150 set uuid 18448416-63e3-51e8-2e95-1d4ae302b1fa
4152 set subnet 192.168.6.198 255.255.255.255
4153 next
4155 set uuid dc1e51c6-67e1-51e8-c6f5-ed8dd706f635
4158 set subnet 192.168.6.139 255.255.255.255
4159 next
4160 edit "Block Internet IP-1"
4161 set uuid f3d9bef6-6fa0-51e8-081e-c79cd52b96d7
4162 set comment "Black Listed IPs"
4164 set subnet 192.147.130.204 255.255.255.255
4165 next
4167 set uuid 7e906668-6fa5-51e8-0c8d-2f0bb15b9cbe
4168 set type fqdn
4170 set fqdn "*.akoladccbank.COM"
4171 next
4172 edit "BBPS API"
4173 set uuid 2f7b075a-7873-51e8-8baa-049a7c88f076
4175 set subnet 172.21.25.3 255.255.255.255
4176 next
4177 edit "ratanlal-BSNL-Wan"
4178 set uuid d460845e-81d1-51e8-9676-de2d4ba7f3b2
4180 set subnet 172.23.40.110 255.255.255.255
4181 next
4182 edit "IMPS Interface"
4183 set uuid 6ef7b13a-a75d-51e8-0507-8ff9abdc4861
4185 set subnet 172.21.25.4 255.255.255.255
4186 next
4187 edit "Euronet NetScaler"
4188 set uuid 4613eada-b4ce-51e8-2e55-e4027989419c
4190 set subnet 10.13.139.23 255.255.255.255
4191 next
4192 edit "Comsolve Webmail"
4193 set uuid 1898f5b8-b4e8-51e8-b84f-0e63a96012a2
4194 set type fqdn
4196 set fqdn "mail.comsolveindia.com"
4197 next
4198 edit "BCS-RuPay"
4199 set uuid 9c7088ca-b802-51e8-7b3a-d7692d05c1d6
4201 set subnet 192.168.162.164 255.255.255.255
4202 next
4203 edit "Comsolve Mail IP"
4204 set uuid 4499e6fe-c0c3-51e8-53c8-6556c4cf018e
4206 set subnet 103.228.50.191 255.255.255.255
4207 next
4208 edit "DropBox_IP"
4209 set uuid 15a93014-c6f1-51e8-ff0f-dd04f2098baa
4211 set subnet 162.125.248.1 255.255.255.255
4212 next
4213 edit "Netscaler_Natted_IP"
4214 set uuid c6868abc-cb8d-51e8-0c00-3d2960db892e
4215 set comment "Natted IP"
4217 set subnet 172.16.108.7 255.255.255.255
4218 next
4219 edit "Drop_Box_Internet"
4220 set uuid a9d5127c-cb96-51e8-27dd-7ad5a00e9c00
4222 set subnet 192.168.6.100 255.255.255.255
4223 next
4224 edit "CA Accounting Module"
4225 set uuid 4a6eb61c-de74-51e8-9a59-5681e75b39a5
4227 set subnet 10.0.67.39 255.255.255.255
4228 next
4229 edit "HUB Infinet IP 1"
4230 set uuid 5d8c1db8-ebc9-51e8-1eca-0f5094b7706f
4232 set subnet 10.29.3.128 255.255.255.255
4233 next
4234 edit "HUB Infinet IP 2"
4235 set uuid 817d4bb6-ebc9-51e8-df88-94e03cc4b6b9
4237 set subnet 10.28.2.162 255.255.255.255
4238 next
4239 edit "IDRBT Accounting Module DR"
4240 set uuid feb49b0a-f13e-51e8-446d-0d92bbcb2810
4242 set subnet 10.30.0.3 255.255.255.255
4243 next
4244 edit "Senryasa"
4245 set uuid 829bcf98-f22e-51e8-fe5a-06c802363698
4247 set subnet 103.241.182.37 255.255.255.255
4248 next
4249 edit "Team Viewer"
4250 set uuid 1ba25b32-f39a-51e8-9ed9-e333c4fb4ef6
4251 set type fqdn
4252 set comment "Block Policy"
4254 set fqdn "teamviewer.com"
4255 next
4256 edit "NFS_URL"
4257 set uuid 193dac76-f461-51e8-7b37-5715a45b4717
4259 set subnet 192.168.171.6 255.255.255.255
4260 next
4261 edit "Finacus_RGCS_2"
4262 set uuid 6ee0d18e-f6e2-51e8-2afc-67d3be5162fb
4264 set subnet 192.168.162.163 255.255.255.255
4265 next
4266 edit "Prasanna Rathod"
4267 set uuid e846c04a-f851-51e8-4e80-7fee0aab3854
4269 set subnet 172.21.28.12 255.255.255.255
4270 next
4272 set uuid ffd4fa60-0b39-51e9-db90-4f75a43a94e1
4274 set subnet 192.168.6.30 255.255.255.255
4275 next
4276 edit "Zabbix_Host"
4277 set uuid 8e63f244-0d9d-51e9-8a07-753486be6364
4279 set subnet 10.10.10.11 255.255.255.255
4280 next
4281 edit "IMPS @ Branch"
4282 set uuid 9f8e7082-0f30-51e9-94e2-a3c88889fad5
4284 set subnet 172.17.2.83 255.255.255.255
4285 next
4286 edit "S.N.Wankhade"
4287 set uuid 57185d74-124e-51e9-c21e-297b7fa501bf
4288 set comment "Approved Internet"
4290 set subnet 192.168.6.118 255.255.255.255
4291 next
4293 set uuid 61a26aea-133f-51e9-23c7-b1efcef7c2da
4294 set comment "Black Listed IPs"
4296 set subnet 185.211.245.170 255.255.255.255
4297 next
4298 edit "TESTSERVR_2"
4299 set uuid 4151cf76-1edc-51e9-e678-94b1bdae0621
4301 set subnet 172.21.27.5 255.255.255.255
4302 next
4303 edit "AWS Cloud"
4304 set uuid d4a83ed4-2302-51e9-cadb-099907d4dd30
4305 set comment "AMAZON Cloud"
4307 set subnet 10.0.4.185 255.255.255.255
4308 next
4309 edit "Nale Saheb"
4309 edit "Nale Saheb"
4310 set uuid bda2a06a-3c1d-51e9-d169-b5c95769e4e6
4311 set comment "GST"
4313 set subnet 192.168.6.85 255.255.255.255
4314 next
4315 edit "HO-Backoffice-INTENETUSER-4"
4316 set uuid bb333f94-3cb6-51e9-e106-c8512b559afe
4318 set subnet 192.168.6.129 255.255.255.255
4319 next
4320 edit "Finacus-IMPS-Webservice"
4321 set uuid 3d9b97ac-4eea-51e9-9fbc-8069a75513fd
4323 set subnet 172.17.2.75 255.255.255.255
4324 next
4325 edit "ISG IP"
4326 set uuid 87826cea-4fb9-51e9-cc25-5adb0bdfaa2f
4327 set comment "ISG MERCHANT LOGIN"
4329 set subnet 110.173.183.4 255.255.255.255
4330 next
4331 edit "ISG MERCHANT PAY"
4332 set uuid 4bbe9b10-4fba-51e9-eff8-a6822b4954f3
4333 set type fqdn
4335 set fqdn "ISGPAY.COM"
4336 next
4337 edit "Netscaler_2"
4338 set uuid 96fff328-4fbd-51e9-3f01-cae4f1976d9d
4340 set subnet 10.13.135.30 255.255.255.255
4341 next
4342 edit "Zabbix_Server"
4343 set uuid 7309b380-668f-51e9-b483-65457d726c21
4345 set subnet 10.10.10.12 255.255.255.255
4346 next
4347 edit "CTS CHQ Printing"
4348 set uuid f7256164-869c-51e9-f3b1-445ce8bd50e1
4351 set start-ip 192.168.6.159
4352 set end-ip 192.168.6.160
4353 next
4354 end
4355 config firewall multicast-address
4356 edit "all"
4357 set start-ip 224.0.0.0
4358 set end-ip 239.255.255.255
4359 next
4360 edit "all_hosts"
4361 set start-ip 224.0.0.1
4362 set end-ip 224.0.0.1
4363 next
4364 edit "all_routers"
4365 set start-ip 224.0.0.2
4366 set end-ip 224.0.0.2
4367 next
4368 edit "Bonjour"
4369 set start-ip 224.0.0.251
4370 set end-ip 224.0.0.251
4371 next
4372 edit "EIGRP"
4373 set start-ip 224.0.0.10
4374 set end-ip 224.0.0.10
4375 next
4376 edit "OSPF"
4377 set start-ip 224.0.0.5
4378 set end-ip 224.0.0.6
4379 next
4380 end
4381 config firewall address6
4382 edit "SSLVPN_TUNNEL_IPv6_ADDR1"
4383 set uuid 57106a30-2b91-51e5-dc1d-7ec5186a8dc9
4384 set ip6 fdff:ffff::/120
4385 next
4386 edit "all"
4387 set uuid 5afcb81a-2b91-51e5-5fa2-7629b8f43364
4387 set uuid 5afcb81a-2b91-51e5-5fa2-7629b8f43364
4388 next
4389 edit "none"
4390 set uuid 5afcd714-2b91-51e5-02a2-94b68df8b9f9
4391 set ip6 ::/128
4392 next
4393 end
4394 config firewall addrgrp
4395 edit "BRANCHES-Group-1"
4396 set uuid 97d1100a-613e-51e5-5c40-29b2bebeb15b
4397 set member "ADGAON BRANCH AT - ADGAON BZ TQ- TELHARA DIST- AKOLA" ↓
..."ADSUL BRANCH AT - ADSUL TQ- TELHARA DIST-AKOLA" "AKOLKHED BRANCH AT - AKOLKHED TQ- ↓
...AKOT" "AKOT CITY BRANCH JAISTHAMBH CHOWK" "BORDI BRANCH AT - BORDI TQ- AKOT" "CHOHATTA ↓
...BAZAR BRANCH AKOT ROAD CHOHATTA BAZAR" "DANAPUR BRANCH AT - DANAPUR TQ-TELHARA ↓
...DIST-AKOLA" "HIWARKHED BRANCH AT POST - HIWARKHED TQ- TELHARA" "KUTASA BRANCH AT -KUTASA ↓
...TQ- AKOLA" "MAHILA BRANCH RAMDASPETH BIRLA GATE" "MUNDGAON BRANCH AT -MUNDGAON TQ- AKOT" ↓
..."NARSING MANDIR BRANCH AKOT NR NARSING MANDIR" "PATHARDI BRANCH AT - PATHARDI TQ- TELHARA ↓
...DIST-AKOLA" "RAUNDALA BRANCH AT - RAUNDALA TQ- AKOT" "SAWARA BRANCH AT- SAWARA TQ- AKOT ↓
...DIST- AKOLA" "TELHARA CITY BRANCH JUNA ATHAWADI BAZAR NR DESHMUKH WADA TE" "WARUL JAULKA ↓
...BRANCH AT - WARUD JAULKA TQ- AKOT" "ZP-WASHIM" "HIWARKHED-EXT"
4398 next
4399 edit "Branches-Group-2"
4400 set uuid 1e1a1a94-6144-51e5-4fc1-6ed4e3f4942c
4401 set member "Belkhed Branch Ta. Telhara" "DABKI ROAD BRANCH NR ↓
...KHANDELWAL HIGH SCHOOL" "KAPAD BAZAR BRANCH RAYAT HAVELI JUNA KAPAD BAZAR" "Kasola Branch ↓
...Ta. Mangrulpir Dist. Washim" "Keshavnagar Branch Ta Risod Dist. Washim" "RATANLAL PLOT BRANCH ↓
...NR RAGHUVANSHI MANGAL KARYALAYA RATANLAL" "CHIKHALGAON BRANCH AT - CHIKHALGAON TQ- AKOLA" ↓
..."DAHIHANDA BRANCH AT - DAHIHANDA TQ- AKOLA" "HARAL BRANCH AT - HARAL TQ- RISOD" "KENWAD ↓
...BRANCH AT - KENWAD TQ- RISOD DIST- WASHIM" "KURANKHED BRANCH AT- KURANKHED TQ- AKOLA" ↓
..."MARKET YARD BRANCH APMC MARKET" "PARAS BRANCH AT- PARAS TQ- BALAPUR . DIST-AKOLA" "VIVARA ↓
...BRANCH AT BABHULGAON TQ - PATUR DIST - AKOLA" "RITHAD BRANCH AT POST- RITHAD TQ- RISDO ↓
...DIST-WASHIM"
4402 next
4404 set uuid aa0a19ce-61c0-51e5-052b-dd1acd89824d
4405 set member "CHIKHALI BRANCH AT - CHIKHALI TQ- RISOD" "DHABA BRANCH ↓
...AT - DHABA TQ- BARSHITAKLI" "DHANAJ BZ BRANCH AT - DHANAJ BZ TQ- KARANJA DIST-WASHIM" ↓
..."KANHERI SARAP BRANCH AT - KANHERI SARAP TQ- BARSHITAKL" "KANSHIVANI BRANCH AT - KANSHIVANI ↓
... TQ- AKOLA" "KARANJA CITY BRANCH BHAJI BAZAR GANDHI CHOWK KARANJA" "PATUR NANDAPUR BRANCH ↓
...AT - PATUR NANDAPUR TQ- AKOLA" "PDKV BRANCH DR PDKV VIDYAPEETH CAMPUS" "RAJESHWAR JAIHIND ↓
...CHOWK BRANCH JAIHIND CHOWK OLD CITY" "WANOJA BRANCH AT- WANOJA TQ- MANGRULPIR DIST- ↓
...WASHIM" "WASHIM CITY BRANCH RAJANI CHOWK NR INDANI SCHOO" "HATRUN BRANCH AT - HATRUN TQ- ↓
...BALAPUR DIST- AKOLA" "JAULKA RLY BRANCH AT -JAULKA RLY TQ- MALEGAON DIST- WASHIM" ↓
..."MANGUL ZANAK BRANCH AT -MANGUL ZANAK TQ- RISOD" "MOHARI BRANCH AT - MOHARI TQ- MANGRULPIR ↓
... DIST- WASHIM" "MOP BRANCH AT - MOP TQ- RISOD" "PALSO BRANCH AT PALSO TQ DIST- AKOLA" ↓
..."PARDI TAKMOR BRANCH AT - PARDI TAKMOR TQ - WASHIM" "POHA BRANCH AT - POHA TQ- KARANJA ↓
...DIST- WASHIM" "SASTI BRANCH AT - SASTI TQ- PATUR DIST- AKOLA" "SHENDURJANA BRANCH AT - ↓
...SHENDURJANA TQ- MANORA DIST- WASHIM" "TONDGAON BRANCH KEKATUMRA EXCHANGE DIST - WASHIM"
4406 next
4408 set uuid 8b4c3d04-61c6-51e5-759b-9080895d659a
4409 set member "KAJALESHWAR BRANCH AT - KAJALESHWAR TQ- KARANJA ↓
...DIST- WASHI" "MANBHA BRANCH AT - MANBHA TQ- KARANJA DIST- WASHIM" "NIMBA BRANCH AT - ↓
...NIMBA TQ- BALAPUR DIST-AKOLA" "PANGRIKUTE BRANCH AT - PANGRIKUTE TQ- MALEGAON DIST- ↓
...WASHIM" "POHARADEVI BRANCH AT - POHARADEVI TQ- MANORA DIST- WASHIM" "UMBARDA BAZAR BRANCH ↓
...AT - UMBARDA BAZAR TQ- KARANJA DIST- W" "AGAR BRANCH AT- AGAR TQ- AKOLA" "DHANORA ↓
...BRANCH AT - DHANORA TQ- MANGRULPIR DIST- WASHIM" "GANDHIGRAM BRANCH AT - GANDHIGRAM TQ- ↓
...AKOLA" "GOREGAON BRANCH AT- GOREGAON TQ- AKOLA" "KINHIRAJA BRANCH AT -KINHIRAJA TQ- ↓
...MALEGAON DIST- WASHIM" "MEDSHI BRANCH AT - MEDSHI TQ- MALEGAON DIST- WASHIM" "MHAISANG ↓
...BRANCH AT POST - MHAISANG TQ- AKOLA" "SAKHARDOH BRANCH SHIVAJI CHOWK MANORA DIST- WASHIM" ↓
..."WAKAD BRANCH AT - WAKAD TQ- RISOD" "KAMARGAON BRANCH AT - KAMARGAON TQ- KARANJA DIST- ↓
...WASHIM" "PINJAR BRANCH AT POST - PINJAR TQ- BARSHITAKLI" "RISOD CITY BRANCH BAGADIYA ↓
...COMPLEX NR SITLAMATA MANDIR RISOD" "RITHAD BRANCH AT POST- RITHAD TQ- RISDO ↓
...DIST-WASHIM" "URAL BRANCH AT POST - URAL TQ- BALAPUR" "SHELUBAZAR BRANCH BHAJI BAZAR ↓
...SHELU BAZAR TQ- MANGRULPIR" "ALEGAON BRANCH AT - ALEGAON TQ- PATUR DIST-AKOLA" ↓
..."MURTIZAPUR CITY BRANCH AT TIDKE COMPLEX MANGALWAR BAZAR MUR" "KURUM BRANCH AT - KURUM ↓
...TQ- MURTIZAPUR" "BORGAON MANJU BRANCH AT POST - BORGAON MANJU TQ- AKOLA" "UMARI BRANCH ↓
...AKOLA AT PATIL MARKET JATHARPETH AKOLA"
4410 next
4411 edit "BranchesGroup-5"
4412 set uuid 34ba59f0-61e2-51e5-0781-05fad79183c8
4413 set member "MAHAN BRANCH VIVIDH KARYAKARI SAHAKARI SANSTHA MAHAN" ↓
..."ANSING BRANCH AT - ANSING TQ DIST- WASHIM" "MANA BRANCH GRAMPANCHAYAT MANA TQ- ↓
...MURTIZAPUR" "CHANNI BRANCH AT POST - CHANNI TQ- PATUR DIST- AKOLA" "MANGRULPIR CITY ↓
...BRANCH NR BIRBALNATH MANDIR MANGRULPIR" "SHIRPUR BRANCH AT- SHIRPUR TQ- MALEGAON" ↓
..."MURTIZAPUR MARKET YARD BRANCH APMC PREMISES MURTIZAPUR" "PATANI CHOWK BRANCH WASHIM PATANI ↓
...CHOWK" "WADEGAON BRANCH AT POST - WADEGAON TQ- BALAPUR" "DR KORPE NAGAR BRANCH KORPE NAGAR ↓
... NR ADARSH COLONY" "VYALA BRANCH AT - VYALA TQ- BALAPUR" "RATANLAL PLOT BRANCH NR ↓
...RAGHUVANSHI MANGAL KARYALAYA RATANLAL" "KHADKI BRANCH AKOLA AT POST - KHADKI" "INZORI ↓
...RAGHUVANSHI MANGAL KARYALAYA RATANLAL" "KHADKI BRANCH AKOLA AT POST - KHADKI" "INZORI ↓
...BRANCH" "Unspecified Branch - Reserved For SOPHOS"
4414 next
4415 edit "ATM-1"
4416 set uuid 951278ee-61ee-51e5-ca6b-d1e960fb3f13
4417 set member "ATM-AKOT-CITI" "ATM-ALEGAON" "ATM-ANSING" "ATM-BALAPUR" ↓
..."ATM-BARSHITAKLI" "ATM-BORGAOM" "ATM-CHOHOTTA" "ATM-DABKIRD" "ATM-DR KORPENAGAR" "ATM-JAULKA" ↓
..."ATM-KAMARGAON" "ATM-KAPAD-BAZAR" "ATM-KARANJA-CITI" "ATM-KARANJA-MAIN" "ATM-KENWAD" ↓
..."ATM-KHADKI" "ATM-KURUM" "ATM-MARKETYARD" "ATM-URAL" "ATM-AKOT-MAIN" "ATM-MANGRULPIR-CITY"
4418 next
4419 edit "ATM-2"
4420 set uuid de7d94b0-61f7-51e5-7d2c-7562b1302a8c
4421 set member "ATM-MALEGAON" "ATM-MANA" "ATM-MANGRULPIR-MAIN" ↓
..."ATM-MANORA" "ATM-MURTIZAPUR-MAIN" "ATM-PATNI-CH" "ATM-PATUR" "ATM-PINJAR" "ATM-RANPISE" ↓
..."ATM-RISOD-MAIN" "ATM-SHELUBAZAR" "ATM-SHENDURJANA" "ATM-SHIRPUR" "ATM-TELHARA" ↓
..."ATM-WADEGAON" "ATM-WASHIM-MAIN" "ATM-ZP" "ATM-GANDHIGRAM" "ATM-Hiwarkhed"
4422 next
4423 edit "APP-SERVERS"
4424 set uuid 878f7c7c-620b-51e5-efa0-b4e95317bfec
4425 set member "APP-1" "APP-2" "APP-CLUSTER"
4426 next
4427 edit "DOMAIN"
4428 set uuid dd63caf8-620c-51e5-b9fe-7e8fa00fc7e9
4429 set member "BDC" "PDC"
4430 next
4431 edit "DATABASE"
4432 set uuid 5e3a0624-620d-51e5-0526-377eb6bd1a93
4433 set member "DATABASE1" "DATABASE2" "SQL-CLUSTER"
4434 next
4435 edit "OLD-DOMAIN"
4436 set uuid 62b14b16-676e-51e5-d3b2-b30d5d170388
4437 set member "OLD-BDC" "OLD-PDC"
4438 next
4439 edit "Routers-GR1"
4440 set uuid 48f471e8-6828-51e5-80cf-8aeffa84b4a2
4441 set member "Router2" "Router3" "Router4" "Router5" "Router7" ↓
..."Router8" "Router9" "Router10" "Router11" "Router12" "Router14" "Router15" "Router16" ↓
..."Router25" "Router13" "Router26" "HO-ROUTER"
4442 next
4444 set uuid bde9ce92-6834-51e5-6234-9a9249f9df26
..."Router31" "Router32" "Router51" "Router52"
4446 next
4448 set uuid 90a2dd1c-683d-51e5-b174-024abfac5687
..."Router76" "Router77" "Router78"
4450 next
4452 set uuid 7c06ff0c-6840-51e5-989b-17a3c806c3b3
4454 next
4456 set uuid 14d23c64-6842-51e5-f80c-25eac35692a9
4457 set member "Router104" "Router103" "Router105" "Router106" ↓
..."Router107" "Router108" "Router109" "Router111" "Router112" "Router113" "Router114" ↓
4458 next
4459 edit "RGCS"
4460 set uuid 5995e7a8-6e49-51e5-9d2a-e598d97f4bb4
4461 set member "RGCS1" "RGCS2" "BCS-RuPay" "NFS_URL"
4462 next
4463 edit "RBI-RTGS"
4464 set uuid ac19cbbe-717f-51e5-4131-7bdd42f4669f
4465 set member "Ekuber-BKP" "Ekuber-PRI" "RTGS-BKP-WAN" "RTGS-NG-WAN" ↓
..."RTGS-PRI-WAN" "IDRBT-TEST-HUB" "PO-1" "PO-2" "PO-Ticketing" "LDAP-1" "LDAP-2" "SFMS" ↓
..."SFMS-DR" "ROUTER" "Ekuber-New" "PO-FAR-DR" "PO-NEAR-DR" "IDRBT-CA" "IDRBT-INTRANET" ↓
..."Ekuber-DR" "IDRBT-TEST-HUB-NEW" "New-SFMS" "IDRBT-INTRANET-NEW" "SFMS_NEW" "IDRBT-INTRANET-2"
4466 next
4467 edit "DC-ADMIN-INTERNET-USERS"
4467 edit "DC-ADMIN-INTERNET-USERS"
4468 set uuid 123482b0-abbc-51e5-29c1-c8d87d0b5819
4469 set member "PRASANNA" "WSUS"
4470 next
4471 edit "ATM-4"
4472 set uuid 05e88706-ad63-51e5-e352-46ac6322d2a4
4473 set member "ATM-HIWARKHED-EXT" "ATM-MAHAN" "ATM-ZP-WASHIM"
4474 next
4475 edit "ATM-5"
4476 set uuid 70453364-ec25-51e5-a527-b9de36f33f20
4477 set member "ATM-MHAISANG" "ATM-Dhaihanda" "ATM-CHANNI" "ATM-DHABA" ↓
..."ATM-DHANAJ" "ATM-KUTASA" "ATM-MANGULZANAK" "ATM-MEDSHI" "ATM-MURTIZAPUR CITY" "ATM-NIMBA" ↓
..."ATM-PANGRIKUTE" "ATM-PARAS" "ATM-POHARADEVI" "ATM-RAUNDLA" "ATM-RITHAD" "ATM-TONDGAO" ↓
..."ATM-UMBARDA BAZAR" "ATM-AKOT-NarsingMandir" "ATM-Kansivni" "ATM-Rajeshwar" "ATM-Adsul" ↓
..."ATM-KARANJA-MARKETYARD" "ATM-Kasola Extn" "ATM-Kinhiraja" "ATM-Mundgaon" "ATM-Hatrun" ↓
..."ATM-MOP" "ATM-PALSO" "ATM-SAVRA"
4478 next
4479 edit "DR-APPSERVERS"
4480 set uuid 7921766e-1452-51e6-85e3-38216e07b0ce
4481 set member "DR-APPLICATION1" "DR-APPLICATION2" "DRAPPCLUSTER"
4482 next
4483 edit "DR-DOMAINS"
4484 set uuid 95871534-1452-51e6-6f2f-f4ad78a88e07
4485 set member "DR-BACKUPDOMAIN" "DR-PRIMARYDOMAIN"
4486 next
4487 edit "DR-DATABASESERVERS"
4488 set uuid b059d090-1452-51e6-9d24-1a3827dc20d7
4489 set member "DR-DATABASE1" "DR-DATABASE2" "DRADCCSQL"
4490 next
4491 edit "BRANCH-GROUP-6"
4492 set uuid 6d08a7c0-28d0-51e6-9e1f-d172b588f7b0
4493 set member "AKOT MAIN BRANCH HIWARKHED ROAD NR PETROL PUMP" ↓
..."TELHARA MAIN BRANCH NR BUS STAND TELHARA" "WASHIM MAIN BRANCH NEAR ST STAND" "BALAPUR BRANCH ↓
...NR BUS STAND BALAPUR" "BARSHITAKLI BRANCH AT POST TQ- BARSHITAKLI" "KARANJA MAIN BRANCH ↓
...BEHIND ST STAND NR TAHASILOFFICE KARANJ" "MALEGAON BRANCH NR NEW BUS STAND MALEGAON ↓
...DIST- WASHIM" "MANGRULPIR MAIN BRANCH BIRBALNATH ROAD NR DR SARKAR CLINIC" "MANORA BRANCH ↓
...AT POST TQ- MANORA DIST-WASHIM" "MURTIZAPUR MAIN BRANCH NR TAHSIL OFFICE MURTIZAPUR" "PATUR ↓
...BRANCH NR OLD BUS STAND PATUR TQ- PATUR" "RISOD MAIN BRANCH NR BUS STAND" "Z P BRANCH NR ↓
...COLLECTOR OFFICE" "KARANJA MARKET YARD" "RANPISE NAGAR BRANCH SAUJANYA MARKET RANPISE NAGAR"
4494 next
4495 edit "Datacenter-Laptops"
4496 set uuid a7302ab6-52f8-51e6-49cf-e9db934e0817
4497 set member "Datacenter-Laptop-1" "Datacenter-Laptop-2"
4498 next
4499 edit "OFFSITE ATM"
4500 set uuid 6f54e5a6-6dc3-51e6-6bcb-745dd85af53b
4501 set member "ATM-OFFSITE-NIMBA" "ATM OFF-SITE PUSAD NAKA"
4502 next
4503 edit "BRANCH-DVR"
4504 set uuid 7be981a6-ee9b-51e6-2286-ce1ee10bc97f
4505 set member "DR-Korpe-Nagar-DVR" "DabkrRD-DVR" "Kapad Bazar-DVR" ↓
..."Ranpise Nagar-DVR" "Barshitakli-DVR" "Khadki-DVR" "Mahan-DVR" "Chohotta-DVR" "AkotMain-DVR" ↓
..."Hiwarkhed Ex-DVR" "Telhara Main-DVR"
4506 next
4507 edit "BBPS_Clients"
4508 set uuid 1d322dee-f9e3-51e7-7e47-6702ea9399ea
4509 set member "BBPS_Akot_Main" "BBPS_Balapur" "BBPS_Barshitakli" ↓
..."BBPS_Karanja_Main" "BBPS_Malegaon" "BBPS_Mangrulpir_Main" "BBPS_Manora" "BBPS_Mzr_Main" ↓
..."BBPS_Patur" "BBPS_Risod_Main" "BBPS_Telhara_Main" "BBPS_Washim_Main" "BBPS_ZP_63"
4510 set comment "BBPS Taluka Branches"
4511 next
4512 end
4513 config firewall service category
4514 edit "General"
4515 set comment "General services."
4516 next
4517 edit "Web Access"
4518 set comment "Web access."
4519 next
4520 edit "File Access"
4521 set comment "File access."
4522 next
4523 edit "Email"
4524 set comment "Email services."
4525 next
4526 edit "Network Services"
4527 set comment "Network services."
4528 next
4528 next
4529 edit "Authentication"
4530 set comment "Authentication service."
4531 next
4532 edit "Remote Access"
4533 set comment "Remote access."
4534 next
4535 edit "Tunneling"
4536 set comment "Tunneling service."
4537 next
4538 edit "VoIP, Messaging & Other Applications"
4539 set comment "VoIP, messaging, and other applications."
4540 next
4541 edit "Web Proxy"
4542 set comment "Explicit web proxy."
4543 next
4544 end
4545 config firewall service custom
4546 edit "ALL"
4547 set category "General"
4548 set protocol IP
4549 next
4550 edit "ALL_TCP"
4552 set tcp-portrange 1-65535
4553 next
4554 edit "ALL_UDP"
4556 set udp-portrange 1-65535
4557 next
4558 edit "ALL_ICMP"
4560 set protocol ICMP
4561 unset icmptype
4562 next
4563 edit "ALL_ICMP6"
4565 set protocol ICMP6
4566 unset icmptype
4567 next
4568 edit "GRE"
4569 set category "Tunneling"
4571 set protocol-number 47
4572 next
4573 edit "AH"
4577 next
4578 edit "ESP"
4582 next
4583 edit "AOL"
4584 set visibility disable
4586 next
4587 edit "BGP"
4588 set category "Network Services"
4589 set tcp-portrange 179
4590 next
4591 edit "DHCP"
4594 next
4595 edit "DNS"
4598 set udp-portrange 53
4599 next
4600 edit "FINGER"
4603 next
4604 edit "FTP"
4605 set category "File Access"
4607 next
4608 edit "FTP_GET"
4611 next
4612 edit "FTP_PUT"
4615 next
4616 edit "GOPHER"
4619 next
4620 edit "H323"
4621 set category "VoIP, Messaging & Other Applications"
4622 set tcp-portrange 1720 1503
4624 next
4625 edit "HTTP"
4626 set category "Web Access"
4628 next
4629 edit "HTTPS"
4630 set category "Web Access"
4632 next
4633 edit "IKE"
4635 set udp-portrange 500 4500
4636 next
4637 edit "IMAP"
4638 set category "Email"
4640 next
4641 edit "IMAPS"
4644 next
4645 edit "Internet-Locator-Service"
4648 next
4649 edit "IRC"
4652 next
4653 edit "L2TP"
4657 next
4658 edit "LDAP"
4659 set category "Authentication"
4661 next
4662 edit "NetMeeting"
4665 next
4666 edit "NFS"
4670 next
4671 edit "NNTP"
4674 next
4675 edit "NTP"
4679 next
4680 edit "OSPF"
4684 next
4684 next
4685 edit "PC-Anywhere"
4686 set category "Remote Access"
4689 next
4690 edit "PING"
4693 set icmptype 8
4694 unset icmpcode
4695 next
4696 edit "TIMESTAMP"
4699 set icmptype 13
4700 unset icmpcode
4701 next
4702 edit "INFO_REQUEST"
4706 unset icmpcode
4707 next
4708 edit "INFO_ADDRESS"
4712 unset icmpcode
4713 next
4714 edit "ONC-RPC"
4718 next
4719 edit "DCE-RPC"
4723 next
4724 edit "POP3"
4727 next
4728 edit "POP3S"
4731 next
4732 edit "PPTP"
4735 next
4736 edit "QUAKE"
4738 set udp-portrange 26000 27000 27910 27960
4739 next
4740 edit "RAUDIO"
4743 next
4744 edit "REXEC"
4747 next
4748 edit "RIP"
4751 next
4752 edit "RLOGIN"
4754 set tcp-portrange 513:512-1023
4755 next
4756 edit "RSH"
4758 set tcp-portrange 514:512-1023
4759 next
4760 edit "SCCP"
4763 next
4764 edit "SIP"
4768 next
4769 edit "SIP-MSNmessenger"
4772 next
4773 edit "SAMBA"
4776 next
4777 edit "SMTP"
4780 next
4781 edit "SMTPS"
4784 next
4785 edit "SNMP"
4789 next
4790 edit "SSH"
4793 next
4794 edit "SYSLOG"
4797 next
4798 edit "TALK"
4801 next
4802 edit "TELNET"
4805 next
4806 edit "TFTP"
4809 next
4810 edit "MGCP"
4813 next
4814 edit "UUCP"
4817 next
4818 edit "VDOLIVE"
4821 next
4822 edit "WAIS"
4825 next
4826 edit "WINFRAME"
4829 next
4830 edit "X-WINDOWS"
4833 next
4834 edit "PING6"
4835 set protocol ICMP6
4838 unset icmpcode
4839 next
4839 next
4840 edit "MS-SQL"
4843 next
4844 edit "MYSQL"
4847 next
4848 edit "RDP"
4851 next
4852 edit "VNC"
4855 next
4856 edit "DHCP6"
4859 next
4860 edit "SQUID"
4863 next
4864 edit "SOCKS"
4868 next
4869 edit "WINS"
4873 next
4874 edit "RADIUS"
4877 next
4878 edit "RADIUS-OLD"
4881 next
4882 edit "CVSPSERVER"
4886 next
4887 edit "AFS3"
4891 next
4892 edit "TRACEROUTE"
4895 next
4896 edit "RTSP"
4898 set tcp-portrange 554 7070 8554
4900 next
4901 edit "MMS"
4905 next
4906 edit "KERBEROS"
4910 next
4911 edit "LDAP_UDP"
4914 next
4915 edit "SMB"
4918 next
4919 edit "NONE"
4922 next
4923 edit "webproxy"
4924 set explicit-proxy enable
4925 set category "Web Proxy"
4926 set protocol ALL
4927 set tcp-portrange 0-65535:0-65535
4928 next
4929 edit "TCP-8065"
4932 next
4933 edit "TCP-8000"
4936 next
4937 edit "TCP-8087"
4940 next
4941 edit "TCP-8014"
4944 next
4945 edit "TCP-2638"
4948 next
4949 edit "TCP-9090"
4952 next
4953 edit "UDP-138"
4956 next
4957 edit "TCP-139"
4960 next
4961 edit "TCP-2967"
4964 next
4965 edit "UDP-39999"
4968 next
4969 edit "TCP-8765"
4972 next
4973 edit "UDP-1812"
4976 next
4977 edit "TCP-8443"
4980 next
4981 edit "UDP-137"
4984 next
4985 edit "TCP-Dynamic"
4988 next
4989 edit "TCP-3268"
4992 next
4993 edit "TCP-464"
4997 next
4998 edit "TCP-9389"
5001 next
5002 edit "TCP-5722"
5005 next
5006 edit "TCP-636"
5009 next
5010 edit "UDP-Dynamic"
5013 next
5014 edit "TCP1415"
5017 next
5018 edit "TCP8868"
5021 next
5022 edit "TCP8872"
5025 next
5026 edit "TCP5001"
5029 next
5030 edit "TCP5004"
5033 next
5034 edit "TCP-9086"
5037 next
5038 edit "TCP-5002"
5041 next
5042 edit "TCP9086"
5045 next
5046 edit "TCP8893"
5049 next
5050 edit "TCP8080"
5053 next
5054 edit "TCP-1423"
5057 next
5058 edit "TCP-1414"
5061 next
5062 edit "TCP-1419"
5065 next
5066 edit "TCP-1420"
5069 next
5070 edit "TCP-1417"
5073 next
5073 next
5074 edit "TCP-1415"
5077 next
5078 edit "TCP-7071"
5081 next
5082 edit "TCP-7025"
5085 next
5086 edit "TCP8003"
5088 next
5089 edit "TCP8002"
5091 next
5092 edit "TCP8004"
5094 next
5095 edit "TCP8085"
5097 next
5098 edit "TCP8081"
5100 next
5101 edit "TCP-8001"
5103 set comment "TCP-8001"
5105 next
5106 edit "TCP-54218"
5109 next
5110 edit "TCP-14147"
5113 next
5114 edit "Internet"
5115 set category "Web Proxy"
5117 next
5118 edit "TCP-5938"
5121 next
5122 edit "TCP/7071-7072"
5125 next
5126 edit "TCP/7780"
5129 next
5130 edit "TCP-3926"
5133 next
5134 edit "TCP/143"
5137 next
5138 edit "TCP/465"
5141 next
5142 edit "TCP/587"
5145 next
5146 edit "TCP/993"
5149 next
5150 edit "TCP/995"
5150 edit "TCP/995"
5153 next
5154 edit "TCP/6415"
5157 next
5158 edit "TCP/22"
5161 next
5162 edit "TCP25000"
5165 next
5166 edit "TCP/7282"
5169 next
5170 edit "TCP/7501"
5173 next
5174 edit "TCP-24010"
5177 next
5178 edit "TCP-50020"
5181 next
5182 edit "TCP-4444"
5186 next
5187 edit "TCP44405"
5190 next
5191 edit "TCP33305"
5193 next
5194 edit "TCP8049"
5197 next
5198 edit "TCP45451"
5200 next
5201 edit "GST-SFTP"
5204 next
5205 edit "TCP8011"
5207 next
5208 edit "BBPSTCP4434"
5210 next
5211 edit "TCP-8012"
5214 next
5215 edit "TCP9095"
5218 next
5219 edit "TCP/15402"
5222 next
5223 edit "VMWARE_1"
5226 next
5227 edit "VMWARE_2"
5230 next
5231 edit "TCP7094"
5234 next
5235 edit "TCP-5201"
5238 next
5239 end
5240 config firewall service group
5241 edit "Email Access"
5242 set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
5243 next
5244 edit "Web Access"
5245 set member "DNS" "HTTP" "HTTPS"
5246 next
5247 edit "Windows AD"
5248 set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
5249 next
5250 edit "Exchange Server"
5251 set member "DCE-RPC" "DNS" "HTTPS"
5252 next
5253 edit "APP-Services"
5254 set member "ALL_ICMP" "HTTP" "DCE-RPC" "TCP-8065" "SMB"
5255 set comment "Access to APP server"
5256 next
5257 edit "AntivirusServices"
5258 set member "HTTP" "SMB" "HTTPS" "ALL_ICMP" "TCP-8014" "TCP-2638" ↓
..."TCP-9090" "UDP-138" "TCP-2967" "UDP-39999" "TCP-8765" "SNMP" "UDP-1812" "TCP-8443" "UDP-137" ↓
..."TCP-Dynamic" "SAMBA"
5259 next
5260 edit "Domain-Services"
5261 set member "ALL_ICMP" "TCP-3268" "UDP-Dynamic" "TCP-464" "LDAP" ↓
..."KERBEROS" "DCE-RPC" "TCP-9389" "LDAP_UDP" "DNS" "TCP-5722" "SMB" "TCP-636" "TCP-Dynamic" "NTP"
5262 next
5263 edit "DATABASE-SERVICES"
5264 set member "HTTP" "MS-SQL" "ALL_ICMP" "SMB" "SAMBA" "UDP-137" ↓
..."UDP-138" "HTTPS"
5265 next
5266 edit "BRANCH-ATMS-TO-SWITCH-1"
5267 set member "TCP8868"
5268 next
5269 edit "RBI-SERVICES"
5270 set member "HTTP" "HTTPS" "LDAP" "LDAP_UDP" "MS-SQL" "TELNET" ↓
..."ALL_ICMP" "TCP-1423" "TCP-1414" "TCP1415" "TCP-1417" "TCP-1419" "TCP-1420" "TCP8080"
5271 next
5272 edit "APBS"
5273 set member "TCP8002" "TCP8003" "TCP8004" "TCP-8000" "TCP-8087" ↓
..."TCP-8001" "TCP8011"
5274 set comment "APBS Services"
5275 next
5276 edit "BRANCH-ATMS-TO-SWITCH-2"
5277 set member "TCP8872"
5278 next
5279 edit "IT-Audit"
5280 set member "TCP-139" "SMB"
5281 set comment "Services Required For Audit"
5282 next
5283 end
5284 config webfilter ftgd-local-cat
5285 edit "custom1"
5286 set id 140
5287 next
5288 edit "custom2"
5289 set id 141
5290 next
5291 end
5292 config ips sensor
5293 edit "default"
5294 set comment "Prevent critical attacks."
5295 config entries
5296 edit 1
5297 set severity medium high critical
5298 next
5299 end
5300 next
5300 next
5301 edit "all_default"
5302 set comment "All predefined signatures with default setting."
5303 config entries
5304 edit 1
5305 next
5306 end
5307 next
5308 edit "all_default_pass"
5309 set comment "All predefined signatures with PASS action."
5310 config entries
5311 edit 1
5312 set action pass
5313 next
5314 end
5315 next
5316 edit "protect_http_server"
5317 set comment "Protect against HTTP server-side vulnerabilities."
5318 config entries
5319 edit 1
5320 set location server
5321 set protocol HTTP
5322 next
5323 end
5324 next
5325 edit "protect_email_server"
5326 set comment "Protect against email server-side vulnerabilities."
5327 config entries
5328 edit 1
5329 set location server
5330 set protocol SMTP POP3 IMAP
5331 next
5332 end
5333 next
5334 edit "protect_client"
5335 set comment "Protect against client-side vulnerabilities."
5336 config entries
5337 edit 1
5338 set location client
5339 next
5340 end
5341 next
5342 edit "high_security"
5343 set comment "Blocks all Critical/High/Medium and some Low severity ↓
...vulnerabilities"
5344 config entries
5345 edit 1
5346 set severity medium high critical
5348 set action block
5349 next
5350 edit 2
5351 set severity low
5352 next
5353 end
5354 next
5355 end
5356 config firewall shaper traffic-shaper
5357 edit "high-priority"
5358 set maximum-bandwidth 1048576
5359 set per-policy enable
5360 next
5361 edit "medium-priority"
5363 set priority medium
5365 next
5366 edit "low-priority"
5368 set priority low
5370 next
5371 edit "guarantee-100kbps"
5372 set guaranteed-bandwidth 100
5375 next
5376 edit "shared-1M-pipe"
5378 next
5379 end
5380 config web-proxy global
5381 set proxy-fqdn "default.fqdn"
5382 end
5383 config web-proxy explicit
5385 end
5386 config application list
5387 edit "default"
5388 set comment "Monitor all applications."
5389 unset options
5390 config entries
5391 edit 1
5392 set application 15817 16170 38726 38725 41703 43323 ↓
...43322 41694 38386
5394 set log disable
5395 next
5396 edit 2
5397 set category 3 6 7 8 17 19 23 30
5398 next
5399 edit 3
5400 set category 2 5 12 15 21 22 25 26 28 29 31
5402 next
5403 end
5404 next
5405 edit "block-p2p"
5406 config entries
5407 edit 1
5408 set category 2
5409 next
5410 end
5411 next
5412 edit "monitor-p2p-and-media"
5413 config entries
5414 edit 1
5415 set category 2
5417 next
5418 edit 2
5419 set category 5
5421 next
5422 end
5423 next
5424 edit "Custom_App_Ctrl"
5425 config entries
5426 edit 1
5427 set application 39164 17179
5429 set log disable
5430 next
5431 edit 2
5432 set category 2 3 5 6 7 8 17 19 23 26 28 30 31
5433 next
5434 edit 3
5435 set category 22
5437 next
5438 end
5439 next
5440 end
5441 config dlp filepattern
5442 edit 1
5443 set name "builtin-patterns"
5444 config entries
5445 edit "*.bat"
5446 next
5447 edit "*.com"
5448 next
5449 edit "*.dll"
5450 next
5451 edit "*.doc"
5452 next
5453 edit "*.exe"
5454 next
5455 edit "*.gz"
5456 next
5457 edit "*.hta"
5458 next
5459 edit "*.ppt"
5460 next
5461 edit "*.rar"
5462 next
5463 edit "*.scr"
5464 next
5465 edit "*.tar"
5466 next
5467 edit "*.tgz"
5468 next
5469 edit "*.vb?"
5470 next
5471 edit "*.wps"
5472 next
5473 edit "*.xl?"
5474 next
5475 edit "*.zip"
5476 next
5477 edit "*.pif"
5478 next
5479 edit "*.cpl"
5480 next
5481 end
5482 next
5483 edit 2
5484 set name "all_executables"
5485 config entries
5486 edit "bat"
5487 set filter-type type
5488 set file-type bat
5489 next
5490 edit "exe"
5492 set file-type exe
5493 next
5494 edit "elf"
5496 set file-type elf
5497 next
5498 edit "hta"
5500 set file-type hta
5501 next
5502 end
5503 next
5504 end
5505 config dlp fp-sensitivity
5506 edit "Private"
5507 next
5508 edit "Critical"
5509 next
5510 edit "Warning"
5511 next
5512 end
5513 config dlp sensor
5514 edit "default"
5515 set comment "Log a summary of email and web traffic."
5516 set summary-proto smtp pop3 imap http-get http-post
5517 next
5518 edit "Content_Summary"
5519 set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi
5520 next
5521 edit "Content_Archive"
5522 set full-archive-proto smtp pop3 imap http-get http-post ftp nntp ↓
...mapi
5523 set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi
5524 next
5525 edit "Large-File"
5526 config filter
5527 edit 1
5528 set name "Large-File-Filter"
5529 set proto smtp pop3 imap http-get http-post mapi
5530 set filter-by file-size
5530 set filter-by file-size
5531 set file-size 5120
5532 set action log-only
5533 next
5534 end
5535 next
5536 edit "Credit-Card"
5537 config filter
5538 edit 1
5539 set name "Credit-Card-Filter"
5540 set severity high
5541 set proto smtp pop3 imap http-get http-post mapi
5543 next
5544 edit 2
5545 set name "Credit-Card-Filter"
5547 set type message
5548 set proto smtp pop3 imap http-post mapi
5550 next
5551 end
5552 next
5553 edit "SSN-Sensor"
5554 set comment "Match SSN numbers but NOT WebEx invite emails."
5555 config filter
5556 edit 1
5557 set name "SSN-Sensor-Filter"
5560 set proto smtp pop3 imap mapi
5561 set filter-by regexp
5562 set regexp "WebEx"
5563 next
5564 edit 2
5568 set proto smtp pop3 imap mapi
5569 set filter-by ssn
5571 next
5572 edit 3
5575 set proto smtp pop3 imap http-get http-post ftp mapi
5576 set filter-by ssn
5578 next
5579 end
5580 next
5581 end
5582 config webfilter content
5583 edit 1
5584 set name "default"
5585 config entries
5586 edit "*flipkart*"
5588 next
5589 edit "*amazon*"
5591 next
5592 edit "*.gov.in"
5594 set action exempt
5595 next
5596 edit "https://mahagst.gov.in"
5597 set pattern-type regexp
5600 next
5601 edit "*.npci.org.in*"
5604 next
5605 end
5606 next
5607 end
5608 config webfilter urlfilter
5608 config webfilter urlfilter
5609 edit 1
5610 set name "default"
5611 config entries
5612 edit 2
5613 set url "*.dropbox.com"
5614 set type wildcard
5615 set action allow
5616 next
5617 edit 1
5618 set url "*facebook.com"
5621 next
5622 edit 3
5623 set url "*.google.com"
5626 next
5627 edit 4
5628 set url "*.gmail.com"
5631 next
5632 edit 5
5633 set url "*103.241.182.37:8091/AKOLA/login"
5636 next
5637 edit 6
5638 set url "*.wikipedia.org"
5641 next
5642 edit 7
5643 set url "*.gov.in"
5646 next
5647 edit 8
5648 set url "mahagst.gov.in"
5650 next
5651 edit 9
5652 set url "*.npci.org.in*"
5654 next
5655 end
5656 next
5657 edit 2
5658 set name "Custom Web Filter"
5659 config entries
5660 edit 2
5661 set url "*.*"
5664 next
5665 edit 1
5666 set url "*.dropbox.*"
5669 next
5670 end
5671 next
5672 end
5673 config spamfilter bword
5674 end
5675 config spamfilter bwl
5676 end
5677 config spamfilter mheader
5678 end
5679 config spamfilter dnsbl
5680 end
5681 config spamfilter iptrust
5682 end
5683 config log threat-weight
5684 set blocked-connection critical
5685 config web
5686 edit 1
5686 edit 1
5688 set level high
5689 next
5690 edit 2
5692 set level high
5693 next
5694 edit 3
5696 set level high
5697 next
5698 edit 4
5699 set category 1
5700 set level medium
5701 next
5702 edit 5
5703 set category 3
5705 next
5706 edit 6
5707 set category 4
5709 next
5710 edit 7
5711 set category 5
5713 next
5714 edit 8
5715 set category 6
5717 next
5718 edit 9
5721 next
5722 edit 10
5725 next
5726 edit 11
5729 next
5730 edit 12
5733 next
5734 edit 13
5736 next
5737 edit 14
5739 set level critical
5740 next
5741 end
5742 config application
5743 edit 1
5744 set category 2
5745 next
5746 edit 2
5747 set category 6
5749 next
5750 edit 3
5752 set level critical
5753 next
5754 end
5755 end
5756 config icap profile
5757 edit "default"
5758 next
5759 end
5760 config user radius
5761 edit "FileZilla"
5762 set server "192.168.6.99"
5763 set secret ENC ↓
...mQf/aE/HgVqoGAOsfdhuwSRNd8vjtBSPaSWyL8AltZIF5G0CNP+XLLmOIGMCvwD2Mv8fKaOuZrZu0BZf/6GYnBdsmaAw68 ↓
...mQf/aE/HgVqoGAOsfdhuwSRNd8vjtBSPaSWyL8AltZIF5G0CNP+XLLmOIGMCvwD2Mv8fKaOuZrZu0BZf/6GYnBdsmaAw68 ↓
...+UoOjBP/hfUGYhmtm01J1BiDVjNVQUC2fFpmOrYj5OvjpG7/cIfnWEb2uc4gJ+cYSgKoSCBwWq+EJLiYwyajAXAWlx2KE6 ↓
...BwfGsYhhIQ==
5764 next
5765 end
5766 config user ldap
5767 edit "LDAP-SERVER"
5768 set server "172.21.23.1"
5769 set cnid "dc=adccbcbs,dc=com"
5770 set dn "dc=adccbcbs,dc=com"
5771 set type regular
5772 set username "Administrator@ADCCBCBS.COM"
...LCVkCiW2AQPPPir67M90jZJKLoMXoUy2EccvfbOtrbMqm7O6r1/KFrDI1GE7RYWnU98/iOSidQVojgymD7Xp4OrIDqofWs ↓
...Li/WMI34RH8gTge9EUw/A1QCX+N1Gai2Z6+1XCLUCQ7qQWx5jO81nb5gSnCPgN9VTIh+fgzp6PdFfbTtBTR0HchYO4/6TQ ↓
...7p7slcQG0g==
5774 next
5775 end
5776 config user fsso
5777 edit "Local FSSO Agent"
5778 set server "127.0.0.1"
5779 set ldap-server "LDAP-SERVER"
5780 next
5781 end
5782 config user fortitoken
5783 edit "FTKMOB5AAF45E0EC"
5784 set license "FTMTRIAL00554654"
5785 next
5786 edit "FTKMOB5ADA32FF57"
5787 set license "FTMTRIAL00554654"
5788 next
5789 end
5790 config user local
5791 edit "guest"
5792 set type password
5793 set passwd ENC ↓
...siO/bqYdzsJyhQ3VIeV95gmE7CFa/O/IPGwbHsNfuPGXM1K/wJ/Tvl2sGHuu35oUsAd0nxSRs0xepplOmDF5j5oqez6EfW ↓
...rCy3qQZXUITLxCxcDEg7ycQdEuCNIzjK2BX6ATI79tB+XgMcpJpfi6Ig4JXXifBGyE0843iY1BhFZQfgKWleEzt/pU0Qtr ↓
...M56LeUp4uw==
5794 next
5795 edit "AHB1234"
5796 set type ldap
5798 next
5799 edit "APB1626"
5800 set type ldap
5802 next
5803 edit "VNK1614"
5804 set type ldap
5806 next
5807 edit "USM1562"
5808 set type ldap
5810 next
5811 edit "AMIT"
5812 set type password
5813 set passwd-time 2016-01-07 18:59:28
5814 set passwd ENC ↓
...bwcILMmw2XJYEQB+g/ryRiri+LygN3GeYqH+X5d28/9fTM1Y3AQm5N7kajX9zngTuRIJKyFuTuqV5VQXvk0MW6WZYiCbUU ↓
...lI8oAghsZJPdT8oWamIO2ROaXXEEv4Z/WmejETsNrVjfBFQEpuHH4w4LTdpaBRQ9CebGoEW4DuVSlLSS9YSnflWMVOWC0M ↓
...J68sNFfQ9g==
5815 next
5816 edit "adcc"
5817 set type radius
5818 set radius-server "FileZilla"
5819 next
5820 end
5821 config user setting
5822 set auth-cert "self-sign"
5823 set auth-timeout 30
5824 end
5825 config user group
5826 edit "SSO_Guest_Users"
5827 next
5828 edit "Guest-group"
5829 set member "guest"
5829 set member "guest"
5830 next
5831 end
5832 config user device-group
5833 edit "Mobile Devices"
5834 set member "android-phone" "android-tablet" "blackberry-phone" ↓
..."blackberry-playbook" "ipad" "iphone" "windows-phone" "windows-tablet"
5835 set comment "Phones, tablets, etc."
5836 next
5837 edit "Network Devices"
5838 set member "fortinet-device" "other-network-device" ↓
..."router-nat-device"
5839 set comment "Routers, firewalls, gateways, etc."
5840 next
5841 edit "Others"
5842 set member "gaming-console" "media-streaming"
5843 set comment "Other devices."
5844 next
5845 end
5846 config vpn ssl web host-check-software
5847 edit "FortiClient-AV"
5848 set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81"
5849 next
5850 edit "FortiClient-FW"
5851 set type fw
5852 set guid "528CB157-D384-4593-AAAA-E42DFF111CED"
5853 next
5854 edit "FortiClient-AV-Vista-Win7"
5855 set guid "385618A6-2256-708E-3FB9-7E98B93F91F9"
5856 next
5857 edit "FortiClient-FW-Vista-Win7"
5858 set type fw
5859 set guid "006D9983-6839-71D6-14E6-D7AD47ECD682"
5860 next
5861 edit "AVG-Internet-Security-AV"
5862 set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF"
5863 next
5864 edit "AVG-Internet-Security-FW"
5865 set type fw
5866 set guid "8DECF618-9569-4340-B34A-D78D28969B66"
5867 next
5868 edit "AVG-Internet-Security-AV-Vista-Win7"
5869 set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82"
5870 next
5871 edit "AVG-Internet-Security-FW-Vista-Win7"
5872 set type fw
5873 set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9"
5874 next
5875 edit "CA-Anti-Virus"
5876 set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93"
5877 next
5878 edit "CA-Internet-Security-AV"
5879 set guid "6B98D35F-BB76-41C0-876B-A50645ED099A"
5880 next
5881 edit "CA-Internet-Security-FW"
5882 set type fw
5883 set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3"
5884 next
5885 edit "CA-Internet-Security-AV-Vista-Win7"
5886 set guid "3EED0195-0A4B-4EF3-CC4F-4F401BDC245F"
5887 next
5888 edit "CA-Internet-Security-FW-Vista-Win7"
5889 set type fw
5890 set guid "06D680B0-4024-4FAB-E710-E675E50F6324"
5891 next
5892 edit "CA-Personal-Firewall"
5893 set type fw
5894 set guid "14CB4B80-8E52-45EA-905E-67C1267B4160"
5895 next
5896 edit "F-Secure-Internet-Security-AV"
5897 set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15"
5898 next
5899 edit "F-Secure-Internet-Security-FW"
5900 set type fw
5901 set guid "D4747503-0346-49EB-9262-997542F79BF4"
5902 next
5903 edit "F-Secure-Internet-Security-AV-Vista-Win7"
5904 set guid "15414183-282E-D62C-CA37-EF24860A2F17"
5905 next
5905 next
5906 edit "F-Secure-Internet-Security-FW-Vista-Win7"
5907 set type fw
5908 set guid "2D7AC0A6-6241-D774-E168-461178D9686C"
5909 next
5910 edit "Kaspersky-AV"
5911 set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
5912 next
5913 edit "Kaspersky-FW"
5914 set type fw
5915 set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
5916 next
5917 edit "Kaspersky-AV-Vista-Win7"
5918 set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE"
5919 next
5920 edit "Kaspersky-FW-Vista-Win7"
5921 set type fw
5922 set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5"
5923 next
5924 edit "McAfee-Internet-Security-Suite-AV"
5925 set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"
5926 next
5927 edit "McAfee-Internet-Security-Suite-FW"
5928 set type fw
5929 set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8"
5930 next
5931 edit "McAfee-Internet-Security-Suite-AV-Vista-Win7"
5932 set guid "86355677-4064-3EA7-ABB3-1B136EB04637"
5933 next
5934 edit "McAfee-Internet-Security-Suite-FW-Vista-Win7"
5935 set type fw
5936 set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C"
5937 next
5938 edit "McAfee-Virus-Scan-Enterprise"
5939 set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0"
5940 next
5941 edit "Norton-360-2.0-AV"
5942 set guid "A5F1BC7C-EA33-4247-961C-0217208396C4"
5943 next
5944 edit "Norton-360-2.0-FW"
5945 set type fw
5946 set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"
5947 next
5948 edit "Norton-360-3.0-AV"
5949 set guid "E10A9785-9598-4754-B552-92431C1C35F8"
5950 next
5951 edit "Norton-360-3.0-FW"
5952 set type fw
5953 set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
5954 next
5955 edit "Norton-Internet-Security-AV"
5956 set guid "E10A9785-9598-4754-B552-92431C1C35F8"
5957 next
5958 edit "Norton-Internet-Security-FW"
5959 set type fw
5960 set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
5961 next
5962 edit "Norton-Internet-Security-AV-Vista-Win7"
5963 set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
5964 next
5965 edit "Norton-Internet-Security-FW-Vista-Win7"
5966 set type fw
5967 set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
5968 next
5969 edit "Symantec-Endpoint-Protection-AV"
5970 set guid "FB06448E-52B8-493A-90F3-E43226D3305C"
5971 next
5972 edit "Symantec-Endpoint-Protection-FW"
5973 set type fw
5974 set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6"
5975 next
5976 edit "Symantec-Endpoint-Protection-AV-Vista-Win7"
5977 set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
5978 next
5979 edit "Symantec-Endpoint-Protection-FW-Vista-Win7"
5980 set type fw
5981 set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
5982 next
5983 edit "Panda-Antivirus+Firewall-2008-AV"
5983 edit "Panda-Antivirus+Firewall-2008-AV"
5984 set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"
5985 next
5986 edit "Panda-Antivirus+Firewall-2008-FW"
5987 set type fw
5988 set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
5989 next
5990 edit "Panda-Internet-Security-AV"
5991 set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
5992 next
5993 edit "Panda-Internet-Security-2006~2007-FW"
5994 set type fw
5995 set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
5996 next
5997 edit "Panda-Internet-Security-2008~2009-FW"
5998 set type fw
5999 set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
6000 next
6001 edit "Sophos-Anti-Virus"
6002 set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"
6003 next
6004 edit "Sophos-Enpoint-Secuirty-and-Control-FW"
6005 set type fw
6006 set guid "0786E95E-326A-4524-9691-41EF88FB52EA"
6007 next
6008 edit "Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7"
6009 set guid "479CCF92-4960-B3E0-7373-BF453B467D2C"
6010 next
6011 edit "Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7"
6012 set type fw
6013 set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57"
6014 next
6015 edit "Trend-Micro-AV"
6016 set guid "7D2296BC-32CC-4519-917E-52E652474AF5"
6017 next
6018 edit "Trend-Micro-FW"
6019 set type fw
6020 set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"
6021 next
6022 edit "Trend-Micro-AV-Vista-Win7"
6023 set guid "48929DFC-7A52-A34F-8351-C4DBEDBD9C50"
6024 next
6025 edit "Trend-Micro-FW-Vista-Win7"
6026 set type fw
6027 set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B"
6028 next
6029 edit "ZoneAlarm-AV"
6030 set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"
6031 next
6032 edit "ZoneAlarm-FW"
6033 set type fw
6034 set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B"
6035 next
6036 edit "ZoneAlarm-AV-Vista-Win7"
6037 set guid "D61596DF-D219-341C-49B3-AD30538CBC5B"
6038 next
6039 edit "ZoneAlarm-FW-Vista-Win7"
6040 set type fw
6041 set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20"
6042 next
6043 edit "ESET-Smart-Security-AV"
6044 set guid "19259FAE-8396-A113-46DB-15B0E7DFA289"
6045 next
6046 edit "ESET-Smart-Security-FW"
6047 set type fw
6048 set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2"
6049 next
6050 end
6051 config vpn ssl web portal
6052 edit "full-access"
6053 set tunnel-mode enable
6054 set ipv6-tunnel-mode enable
6055 set web-mode enable
6056 set ip-pools "SSLVPN_TUNNEL_ADDR1"
6057 set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
6058 set page-layout double-column
6059 next
6060 edit "web-access"
6062 next
6063 edit "tunnel-access"
6064 set tunnel-mode enable
6065 set ipv6-tunnel-mode enable
6066 set ip-pools "SSLVPN_TUNNEL_ADDR1"
6067 set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
6068 next
6069 end
6070 config vpn ssl settings
6071 set servercert "Fortinet_Factory"
6072 set port 443
6073 end
6074 config voip profile
6075 edit "default"
6076 set comment "Default VoIP profile."
6077 next
6078 edit "strict"
6079 config sip
6080 set malformed-request-line discard
6081 set malformed-header-via discard
6082 set malformed-header-from discard
6083 set malformed-header-to discard
6084 set malformed-header-call-id discard
6085 set malformed-header-cseq discard
6086 set malformed-header-rack discard
6087 set malformed-header-rseq discard
6088 set malformed-header-contact discard
6089 set malformed-header-record-route discard
6090 set malformed-header-route discard
6091 set malformed-header-expires discard
6092 set malformed-header-content-type discard
6093 set malformed-header-content-length discard
6094 set malformed-header-max-forwards discard
6095 set malformed-header-allow discard
6096 set malformed-header-p-asserted-identity discard
6097 set malformed-header-sdp-v discard
6098 set malformed-header-sdp-o discard
6099 set malformed-header-sdp-s discard
6100 set malformed-header-sdp-i discard
6101 set malformed-header-sdp-c discard
6102 set malformed-header-sdp-b discard
6103 set malformed-header-sdp-z discard
6104 set malformed-header-sdp-k discard
6105 set malformed-header-sdp-a discard
6106 set malformed-header-sdp-t discard
6107 set malformed-header-sdp-r discard
6108 set malformed-header-sdp-m discard
6109 end
6110 next
6111 end
6112 config webfilter profile
6113 edit "default"
6114 set comment "Default web filtering."
6115 set post-action comfort
6116 config override
6117 set ovrd-user-group ""
6118 end
6119 config web
6120 set bword-table 1
6121 set urlfilter-table 1
6122 end
6123 config ftgd-wf
6124 set options http-err-detail
6125 set category-override 140 141
6126 config filters
6127 edit 1
6128 set category 2
6130 next
6131 edit 2
6132 set category 7
6134 next
6135 edit 3
6136 set category 8
6138 next
6138 next
6139 edit 4
6140 set category 9
6142 next
6143 edit 5
6146 next
6147 edit 6
6150 next
6151 edit 7
6154 next
6155 edit 8
6158 next
6159 edit 9
6162 next
6163 edit 10
6166 next
6167 edit 12
6170 next
6171 edit 13
6174 next
6175 edit 14
6178 next
6179 edit 15
6182 next
6183 edit 16
6186 next
6187 edit 17
6190 next
6191 edit 18
6194 next
6195 edit 19
6198 next
6199 edit 20
6202 next
6203 edit 22
6206 next
6207 edit 23
6210 next
6211 edit 24
6214 next
6215 edit 25
6218 next
6219 edit 26
6222 next
6223 edit 27
6226 next
6227 edit 28
6230 next
6231 edit 29
6234 next
6235 edit 30
6238 next
6239 edit 31
6242 next
6243 edit 32
6246 next
6247 edit 33
6250 next
6251 edit 34
6254 next
6255 edit 35
6258 next
6259 edit 36
6262 next
6263 edit 38
6266 next
6267 edit 39
6270 next
6271 edit 40
6274 next
6275 edit 43
6278 next
6279 edit 44
6282 next
6283 edit 45
6284 set category 1
6286 next
6287 edit 46
6288 set category 3
6290 next
6291 edit 47
6292 set category 4
6294 next
6294 next
6295 edit 48
6296 set category 5
6298 next
6299 edit 49
6300 set category 6
6302 next
6303 edit 50
6306 next
6307 edit 51
6310 next
6311 edit 52
6314 next
6315 edit 53
6318 next
6319 edit 54
6322 next
6323 edit 55
6326 next
6327 edit 56
6330 next
6331 edit 57
6334 next
6335 edit 58
6338 next
6339 edit 59
6342 next
6343 edit 60
6346 next
6347 edit 61
6350 next
6351 edit 62
6354 next
6355 edit 63
6358 next
6359 end
6360 set rate-image-urls disable
6361 end
6362 next
6363 edit "web-filter-flow"
6364 set comment "Flow-based web filter profile."
6365 set inspection-mode flow-based
6366 set post-action comfort
6367 config ftgd-wf
6368 config filters
6369 edit 1
6370 set category 2
6371 next
6372 edit 2
6372 edit 2
6373 set category 7
6374 next
6375 edit 3
6376 set category 8
6377 next
6378 edit 4
6379 set category 9
6380 next
6381 edit 5
6383 next
6384 edit 6
6386 next
6387 edit 7
6389 next
6390 edit 8
6392 next
6393 edit 9
6395 next
6396 edit 10
6398 next
6399 edit 11
6400 next
6401 edit 12
6403 next
6404 edit 13
6406 next
6407 edit 14
6409 next
6410 edit 15
6412 next
6413 edit 16
6415 next
6416 edit 17
6418 next
6419 edit 18
6422 next
6423 end
6424 end
6425 next
6426 edit "monitor-all"
6427 set comment "Monitor and log all visited URLs, proxy-based."
6428 config ftgd-wf
6429 unset options
6430 config filters
6431 edit 1
6432 set category 1
6433 next
6434 edit 2
6435 set category 3
6436 next
6437 edit 3
6438 set category 4
6439 next
6440 edit 4
6441 set category 5
6442 next
6443 edit 5
6444 set category 6
6445 next
6446 edit 6
6448 next
6449 edit 7
6449 edit 7
6451 next
6452 edit 8
6454 next
6455 edit 9
6457 next
6458 edit 10
6459 set category 2
6460 next
6461 edit 11
6462 set category 7
6463 next
6464 edit 12
6465 set category 8
6466 next
6467 edit 13
6468 set category 9
6469 next
6470 edit 14
6472 next
6473 edit 15
6475 next
6476 edit 16
6478 next
6479 edit 17
6481 next
6482 edit 18
6484 next
6485 edit 19
6487 next
6488 edit 20
6490 next
6491 edit 21
6493 next
6494 edit 22
6496 next
6497 edit 23
6499 next
6500 edit 24
6502 next
6503 edit 25
6505 next
6506 edit 26
6508 next
6509 edit 27
6511 next
6512 edit 28
6514 next
6515 edit 29
6517 next
6518 edit 30
6520 next
6521 edit 31
6523 next
6524 edit 32
6526 next
6527 edit 33
6527 edit 33
6529 next
6530 edit 34
6532 next
6533 edit 35
6535 next
6536 edit 36
6538 next
6539 edit 37
6541 next
6542 edit 38
6544 next
6545 edit 39
6547 next
6548 edit 40
6550 next
6551 edit 41
6553 next
6554 edit 42
6556 next
6557 edit 43
6559 next
6560 edit 44
6562 next
6563 edit 45
6565 next
6566 edit 46
6568 next
6569 edit 47
6571 next
6572 edit 48
6574 next
6575 edit 49
6577 next
6578 edit 50
6580 next
6581 edit 51
6583 next
6584 edit 52
6586 next
6587 edit 53
6589 next
6590 edit 54
6592 next
6593 edit 55
6595 next
6596 edit 56
6598 next
6599 edit 57
6601 next
6602 edit 58
6604 next
6605 edit 59
6605 edit 59
6607 next
6608 edit 60
6610 next
6611 edit 61
6613 next
6614 edit 62
6616 next
6617 edit 63
6619 next
6620 edit 64
6622 next
6623 edit 65
6625 next
6626 edit 66
6628 next
6629 edit 67
6631 next
6632 edit 68
6634 next
6635 edit 69
6637 next
6638 edit 70
6640 next
6641 edit 71
6643 next
6644 edit 72
6646 next
6647 edit 73
6649 next
6650 edit 74
6652 next
6653 edit 75
6655 next
6656 edit 76
6658 next
6659 edit 77
6661 next
6662 edit 78
6664 next
6665 edit 79
6666 next
6667 end
6668 end
6669 set log-all-url enable
6670 set web-content-log disable
6671 set web-filter-activex-log disable
6672 set web-filter-command-block-log disable
6673 set web-filter-cookie-log disable
6674 set web-filter-applet-log disable
6675 set web-filter-jscript-log disable
6676 set web-filter-js-log disable
6677 set web-filter-vbs-log disable
6678 set web-filter-unknown-log disable
6679 set web-filter-referer-log disable
6680 set web-filter-cookie-removal-log disable
6681 set web-url-log disable
6682 set web-invalid-domain-log disable
6683 set web-ftgd-err-log disable
6683 set web-ftgd-err-log disable
6684 set web-ftgd-quota-usage disable
6685 next
6686 edit "flow-monitor-all"
6687 set comment "Monitor and log all visited URLs, flow-based."
6688 set inspection-mode flow-based
6689 config ftgd-wf
6690 unset options
6691 config filters
6692 edit 1
6693 set category 1
6694 next
6695 edit 2
6696 set category 3
6697 next
6698 edit 3
6699 set category 4
6700 next
6701 edit 4
6702 set category 5
6703 next
6704 edit 5
6705 set category 6
6706 next
6707 edit 6
6709 next
6710 edit 7
6712 next
6713 edit 8
6715 next
6716 edit 9
6718 next
6719 edit 10
6720 set category 2
6721 next
6722 edit 11
6723 set category 7
6724 next
6725 edit 12
6726 set category 8
6727 next
6728 edit 13
6729 set category 9
6730 next
6731 edit 14
6733 next
6734 edit 15
6736 next
6737 edit 16
6739 next
6740 edit 17
6742 next
6743 edit 18
6745 next
6746 edit 19
6748 next
6749 edit 20
6751 next
6752 edit 21
6754 next
6755 edit 22
6757 next
6758 edit 23
6760 next
6761 edit 24
6763 next
6764 edit 25
6766 next
6767 edit 26
6769 next
6770 edit 27
6772 next
6773 edit 28
6775 next
6776 edit 29
6778 next
6779 edit 30
6781 next
6782 edit 31
6784 next
6785 edit 32
6787 next
6788 edit 33
6790 next
6791 edit 34
6793 next
6794 edit 35
6796 next
6797 edit 36
6799 next
6800 edit 37
6802 next
6803 edit 38
6805 next
6806 edit 39
6808 next
6809 edit 40
6811 next
6812 edit 41
6814 next
6815 edit 42
6817 next
6818 edit 43
6820 next
6821 edit 44
6823 next
6824 edit 45
6826 next
6827 edit 46
6829 next
6830 edit 47
6832 next
6833 edit 48
6835 next
6836 edit 49
6838 next
6838 next
6839 edit 50
6841 next
6842 edit 51
6844 next
6845 edit 52
6847 next
6848 edit 53
6850 next
6851 edit 54
6853 next
6854 edit 55
6856 next
6857 edit 56
6859 next
6860 edit 57
6862 next
6863 edit 58
6865 next
6866 edit 59
6868 next
6869 edit 60
6871 next
6872 edit 61
6874 next
6875 edit 62
6877 next
6878 edit 63
6880 next
6881 edit 64
6883 next
6884 edit 65
6886 next
6887 edit 66
6889 next
6890 edit 67
6892 next
6893 edit 68
6895 next
6896 edit 69
6898 next
6899 edit 70
6901 next
6902 edit 71
6904 next
6905 edit 72
6907 next
6908 edit 73
6910 next
6911 edit 74
6913 next
6914 edit 75
6916 next
6916 next
6917 edit 76
6919 next
6920 edit 77
6922 next
6923 edit 78
6925 next
6926 edit 79
6927 next
6928 end
6929 end
6930 setlog-all-url enable
6931 setweb-content-log disable
6932 setweb-filter-activex-log disable
6933 setweb-filter-command-block-log disable
6934 setweb-filter-cookie-log disable
6935 setweb-filter-applet-log disable
6936 setweb-filter-jscript-log disable
6937 setweb-filter-js-log disable
6938 setweb-filter-vbs-log disable
6939 setweb-filter-unknown-log disable
6940 setweb-filter-referer-log disable
6941 setweb-filter-cookie-removal-log disable
6942 setweb-url-log disable
6943 setweb-invalid-domain-log disable
6944 setweb-ftgd-err-log disable
6945 setweb-ftgd-quota-usage disable
6946 next
6947 edit "Custom Web Filter"
6948 config override
6949 set ovrd-user-group ""
6950 end
6951 config web
6952 set urlfilter-table 2
6953 end
6954 config ftgd-wf
6955 unset options
6956 config filters
6957 edit 1
6959 next
6960 edit 2
6962 next
6963 edit 3
6966 next
6967 edit 4
6968 set category 5
6970 next
6971 edit 5
6972 set category 1
6974 next
6975 edit 6
6976 set category 6
6978 next
6979 edit 7
6982 next
6983 edit 8
6984 set category 3
6986 next
6987 edit 9
6988 set category 4
6990 next
6991 edit 10
6994 next
6994 next
6995 edit 11
6998 next
6999 edit 12
7000 set category 7
7002 next
7003 edit 13
7004 set category 9
7006 next
7007 edit 14
7010 next
7011 edit 15
7012 set category 2
7014 next
7015 edit 16
7018 next
7019 edit 17
7022 next
7023 edit 18
7026 next
7027 edit 19
7030 next
7031 edit 20
7034 next
7035 edit 21
7036 set category 8
7038 next
7039 edit 22
7042 next
7043 edit 23
7046 next
7047 edit 24
7050 next
7051 edit 25
7054 next
7055 edit 26
7058 next
7059 edit 27
7062 next
7063 edit 28
7066 next
7067 edit 29
7070 next
7071 edit 30
7074 next
7075 edit 31
7078 next
7079 edit 32
7082 next
7083 edit 33
7086 next
7087 edit 34
7090 next
7091 edit 35
7094 next
7095 edit 36
7098 next
7099 edit 37
7102 next
7103 edit 38
7106 next
7107 edit 39
7110 next
7111 edit 40
7114 next
7115 edit 41
7118 next
7119 edit 42
7122 next
7123 edit 43
7126 next
7127 edit 44
7130 next
7131 edit 45
7134 next
7135 edit 46
7138 next
7139 edit 47
7142 next
7143 edit 48
7146 next
7147 edit 49
7150 next
7151 edit 50
7154 next
7155 edit 51
7158 next
7159 edit 52
7162 next
7163 edit 53
7166 next
7167 edit 54
7170 next
7171 edit 55
7174 next
7175 edit 56
7178 next
7179 edit 57
7182 next
7183 edit 58
7186 next
7187 edit 59
7190 next
7191 edit 60
7194 next
7195 edit 61
7198 next
7199 edit 62
7202 next
7203 edit 63
7206 next
7207 edit 64
7210 next
7211 edit 65
7214 next
7215 edit 66
7218 next
7219 edit 67
7222 next
7223 edit 68
7226 next
7227 edit 69
7227 edit 69
7230 next
7231 edit 70
7234 next
7235 edit 71
7238 next
7239 edit 72
7242 next
7243 edit 73
7246 next
7247 edit 74
7250 next
7251 edit 75
7254 next
7255 edit 76
7258 next
7259 edit 77
7262 next
7263 edit 78
7266 next
7267 edit 79
7270 next
7271 edit 80
7273 next
7274 end
7275 end
7276 next
7277 end
7278 config webfilter override
7279 end
7280 config webfilter override-user
7281 end
7282 config webfilter ftgd-warning
7283 end
7284 config webfilter ftgd-local-rating
7285 end
7286 config webfilter search-engine
7287 edit "google"
7288 set hostname ".*\\.google\\..*"
7289 set url "^\\/((custom|search|images|videosearch|webhp)\\?)"
7290 set query "q="
7291 set safesearch url
7292 set safesearch-str "&safe=active"
7293 next
7294 edit "yahoo"
7295 set hostname ".*\\.yahoo\\..*"
7296 set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)"
7297 set query "p="
7299 set safesearch-str "&vm=r"
7300 next
7301 edit "bing"
7302 set hostname "www\\.bing\\.com"
7303 set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?"
7304 set query "q="
7306 set safesearch-str "&adlt=strict"
7307 next
7308 edit "yandex"
7309 set hostname "yandex\\..*"
7310 set url "^\\/(yand|images\\/|video\\/)(search)\\?"
7311 set query "text="
7313 set safesearch-str "&family=yes"
7314 next
7315 edit "youtube"
7316 set hostname ".*\\.youtube\\..*"
7317 set safesearch header
7318 next
7319 edit "baidu"
7320 set hostname ".*\\.baidu\\.com"
7321 set url "^\\/s?\\?"
7322 set query "wd="
7323 next
7324 edit "baidu2"
7325 set hostname ".*\\.baidu\\.com"
7326 set url "^\\/(ns|q|m|i|v)\\?"
7327 set query "word="
7328 next
7329 edit "baidu3"
7330 set hostname "tieba\\.baidu\\.com"
7331 set url "^\\/f\\?"
7332 set query "kw="
7333 next
7334 end
7335 config antivirus settings
7336 set grayware enable
7337 end
7338 config antivirus profile
7339 edit "default"
7340 set comment "Scan files and block viruses."
7341 config http
7342 set options scan
7343 end
7344 config ftp
7346 end
7347 config imap
7349 end
7350 config pop3
7352 end
7353 config smtp
7355 end
7356 next
7357 end
7358 config spamfilter profile
7359 edit "default"
7360 set comment "Malware and phishing URL filtering."
7361 next
7362 end
7363 config firewall schedule recurring
7364 edit "always"
7365 set day sunday monday tuesday wednesday thursday friday saturday
7366 next
7367 edit "none"
7368 set day none
7369 next
7370 end
7371 config firewall profile-protocol-options
7372 edit "default"
7373 set comment "All default services."
7374 config http
7375 set ports 80
7376 unset options
7377 unset post-lang
7378 end
7379 config ftp
7380 set ports 21
7381 set options splice
7382 end
7383 config imap
7383 config imap
7384 set ports 143
7385 set options fragmail
7386 end
7387 config mapi
7388 set ports 135
7390 end
7391 config pop3
7392 set ports 110
7394 end
7395 config smtp
7396 set ports 25
7397 set options fragmail splice
7398 end
7399 config nntp
7400 set ports 119
7401 set options splice
7402 end
7403 config dns
7404 set ports 53
7405 end
7406 next
7407 end
7408 config firewall ssl-ssh-profile
7409 edit "deep-inspection"
7410 set comment "Deep inspection."
7411 config https
7412 set ports 443
7413 end
7414 config ftps
7415 set ports 990
7416 end
7417 config imaps
7418 set ports 993
7419 end
7420 config pop3s
7421 set ports 995
7422 end
7423 config smtps
7424 set ports 465
7425 end
7426 config ssh
7427 set ports 22
7428 end
7429 config ssl-exempt
7430 edit 1
7431 set fortiguard-category 31
7432 next
7433 edit 2
7435 next
7436 edit 3
7438 next
7439 edit 4
7440 set type address
7441 set address "apple"
7442 next
7443 edit 5
7445 set address "appstore"
7446 next
7447 edit 6
7449 set address "dropbox.com"
7450 next
7451 edit 7
7453 set address "Gotomeeting"
7454 next
7455 edit 8
7457 set address "icloud"
7458 next
7459 edit 9
7461 set address "itunes"
7462 next
7463 edit 10
7465 set address "android"
7466 next
7467 edit 11
7469 set address "skype"
7470 next
7471 edit 12
7473 set address "swscan.apple.com"
7474 next
7475 edit 13
7477 set address "update.microsoft.com"
7478 next
7479 edit 14
7481 set address "eease"
7482 next
7483 edit 15
7485 set address "google-drive"
7486 next
7487 edit 16
7489 set address "google-play"
7490 next
7491 edit 17
7493 set address "google-play2"
7494 next
7495 edit 18
7497 set address "google-play3"
7498 next
7499 edit 19
7501 set address "microsoft"
7502 next
7503 edit 20
7505 set address "adobe"
7506 next
7507 edit 21
7509 set address "Adobe Login"
7510 next
7511 edit 22
7513 set address "fortinet"
7514 next
7515 edit 23
7517 set address "googleapis.com"
7518 next
7519 edit 24
7521 set address "citrix"
7522 next
7523 edit 25
7525 set address "verisign"
7526 next
7527 edit 26
7529 set address "Windows update 2"
7530 next
7531 edit 27
7533 set address "*.live.com"
7534 next
7535 edit 28
7537 set address "auth.gfx.ms"
7538 next
7538 next
7539 edit 29
7541 set address "autoupdate.opera.com"
7542 next
7543 edit 30
7545 set address "softwareupdate.vmware.com"
7546 next
7547 edit 31
7549 set address "firefox update server"
7550 next
7551 end
7552 next
7553 edit "certificate-inspection"
7554 set comment "SSL handshake inspection."
7555 config ssl
7556 set inspect-all certificate-inspection
7557 end
7558 config https
7559 end
7560 config ftps
7561 end
7562 config imaps
7563 end
7564 config pop3s
7565 end
7566 config smtps
7567 end
7568 config ssh
7569 set ports 22
7570 set status disable
7571 end
7572 next
7573 end
7574 config firewall identity-based-route
7575 end
7576 config firewall policy
7577 edit 203
7578 set uuid f7980252-f3a1-51e8-5f49-ca580b5cab89
7579 set srcintf "DC-Admin"
7580 set dstintf "wan1"
7581 set srcaddr "PRASANNA" "VMWARE-CLIENT" "Vinod Raut"
7582 set dstaddr "all"
7583 set action accept
7584 set schedule "always"
7585 set service "ALL"
7586 set utm-status enable
7587 set logtraffic all
7588 set webfilter-profile "default"
7589 set profile-protocol-options "default"
7590 set ssl-ssh-profile "certificate-inspection"
7591 set nat enable
7592 next
7593 edit 162
7594 set uuid 51510cca-5c8c-51e7-421e-208c0eca2286
7597 set srcaddr "Prasanna Rathod" "VAIBHAV" "MORESIR"
7605 set application-list "Custom_App_Ctrl"
7608 set nat enable
7609 next
7610 edit 1
7611 set uuid 064940ce-5eac-51e5-85e6-0320b6c86b6a
7612 set srcintf "lan"
7614 set srcaddr "all"
7619 next
7620 edit 2
7621 set uuid c379b284-620b-51e5-ad5f-aab7fa3b8e49
7622 set srcintf "DC-Router"
7623 set dstintf "CheckPoint-FW"
7624 set srcaddr "Sophos-Backup-1" "Sophos-Backup-2" "Sophos-Backup-3" ↓
..."Sophos-Backup-4"
7625 set dstaddr "APP-SERVERS" "APP1"
7628 set service "APP-Services"
7630 set label "Branches To Application Server Access"
7631 set nat enable
7632 next
7633 edit 118
7634 set uuid 60989132-36f2-51e6-76e3-1137474aea5a
7637 set srcaddr "BRANCHES-Group-1" "Asegaon, Ta. Mangrulpir District ↓
...Washim,Mangrulpur,Maharashtra" "TUKARAM CHOWK BRANCH, Near Tukaram Hospital, At Sant Tukaram ↓
...Ch" "Branches-Group-2" "Branches-Group-3" "Branches-Group-4" "BranchesGroup-5"
7638 set dstaddr "APP1" "APP-SERVERS"
7643 set label "Branches To Application Server Access"
7644 next
7645 edit 3
7646 set uuid 0e8b27b6-620d-51e5-e31c-dbd61026e2de
7650 set dstaddr "DOMAIN" "PrimaryDomain" "BackupDomain"
7653 set service "Domain-Services"
7655 set label "Branches To Domain Access"
7656 set nat enable
7657 next
7658 edit 119
7659 set uuid b156cde6-36f2-51e6-51d8-478ed56c3efd
7663 set dstaddr "PrimaryDomain" "BackupDomain" "DOMAIN"
7668 set label "Branches To Domain Access"
7669 next
7670 edit 4
7671 set uuid 98ea2b0a-620d-51e5-c203-2f4e4ac60840
7674 set srcaddr "softwareupdate.vmware.com" "Sophos-Backup-1" ↓
..."Sophos-Backup-2" "Sophos-Backup-3" "Sophos-Backup-4"
7675 set dstaddr "DATABASE" "SQLDB"
7678 set service "DATABASE-SERVICES" "ALL_ICMP"
7680 set label "Access To Database"
7681 set nat enable
7682 next
7683 edit 120
7684 set uuid f1eb0656-36f2-51e6-4b21-339b551f0b2c
7688 set dstaddr "DATABASE"
7691 set service "ALL_ICMP" "DATABASE-SERVICES"
7693 set label "Access To Database"
7694 next
7695 edit 5
7696 set uuid c743bae8-673f-51e5-8229-39e6c10c1af7
7699 set srcaddr "DC-ADMIN-USERS" "Datacenter-Laptops" "Vinod Raut"
7700 set dstaddr "APP-SERVERS" "APPLICATION1"
7703 set service "APP-Services" "APBS"
7705 set label "Datacenter To Application"
7706 set nat enable
7707 set fixedport enable
7708 next
7709 edit 189
7710 set uuid d94f8b98-7de1-51e8-ee18-fe465169022c
7713 set srcaddr "VMWARE-CLIENT" "PRASANNA" "VAIBHAV" ↓
..."Datacenter-Laptop-1" "Datacenter-Laptop-2" "DC-ADMIN-USERS" "Vinod Raut" "DC-ADMIN-USERS-2" ↓
..."Nelito_Tech"
7714 set dstaddr "BBPS API"
7717 set service "TRACEROUTE" "ALL_ICMP" "TCP-8012"
7719 set label "Datacenter To BBPSAPI"
7720 next
7721 edit 6
7722 set uuid edde8eb2-673f-51e5-46cf-0932adde0144
7725 set srcaddr "DC-ADMIN-USERS" "Network-Admin" "ProxyServer" ↓
..."Datacenter-Laptops" "Vinod Raut"
7726 set dstaddr "DOMAIN"
7731 set label "Datacenter Users To Domain Access"
7732 set nat enable
7733 next
7734 edit 7
7735 set uuid 0fec4058-6740-51e5-aea1-d299b3f038b2
7738 set srcaddr "DC-ADMIN-USERS" "Datacenter-Laptops" "Vinod Raut"
7742 set service "DATABASE-SERVICES" "RDP"
7744 set label "Datacenter Users To Database Server"
7745 set nat enable
7746 next
7747 edit 8
7748 set uuid fadb4b54-6740-51e5-0e1c-a33bada0ac6f
7749 set srcintf "HO-USERS"
7751 set srcaddr "HO-USER-ACC-SECTION" "HO-USERS-ADM-SECTION" ↓
..."HO-USERS-COMP-SECTION" "HO-USERS-DATAHUB" "HO-USERS-LOAN-SECTION" ↓
..."HO-USERS-STATIONARY-SECTION" "VaidyaSir" "Mr.Kale" "HO-INTERNET-USERS-ATM" "Ho Back-Office" ↓
..."HO_NEW_IP_Series" "CTS-PC" "SachinNelito" "CTS CHQ Printing"
7752 set dstaddr "APP-SERVERS" "APP1"
7757 set label "HO-USERS APP SERVER ACCESS"
7758 set nat enable
7759 next
7760 edit 9
7761 set uuid 1896d1d6-6741-51e5-9bd5-93367fac7f7e
..."HO-USERS-STATIONARY-SECTION" "ATM-CIVIL-LINES" "ATM-FINCRAFT-USER1" "ATM-FINCRAFT-USER2" ↓
..."VaidyaSir" "Mr.Kale" "RTGS-MONITER" "Ho Back-Office" "CTS-PC" "HO_NEW_IP_Series" ↓
..."SachinNelito" "CTS CHQ Printing"
7770 set label "HO-USERS DOMAIN ACCESS"
7771 set nat enable
7772 next
7773 edit 10
7774 set uuid 44ec3f96-6741-51e5-6f95-7ff277f7f34a
7777 set srcaddr "HO-USERS" "HO-USER-ACC-SECTION" "HO-USERS-ADM-SECTION" ↓
..."HO-USERS-STATIONARY-SECTION" "VaidyaSir" "Mr.Kale" "HO-INTERNET-USERS-ATM" "Ho Back-Office" ↓
..."HO_NEW_IP_Series" "CTS CHQ Printing"
7781 set service "DATABASE-SERVICES"
7783 set label "HO-USERS DATABASE SERVER ACCESS"
7784 set nat enable
7785 next
7786 edit 11
7787 set uuid ac8511a4-676a-51e5-0b60-454e8d2e7902
7788 set srcintf "CheckPoint-FW"
7789 set dstintf "DC-Router"
7790 set srcaddr "Antivirus-Server"
7791 set dstaddr "BRANCHES-Group-1" "Branches-Group-2" "Branches-Group-3" ↓
..."Branches-Group-4" "BranchesGroup-5" "TUKARAM CHOWK BRANCH, Near Tukaram Hospital, At Sant ↓
...Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "BRANCH-GROUP-6"
7794 set service "AntivirusServices"
7796 set label "Antivirus Server Access To Branches"
7797 set nat enable
7798 next
7799 edit 14
7800 set uuid 5aa9e796-6829-51e5-789f-bc58da3b8820
7803 set srcaddr "Network-Admin" "VMWARE-CLIENT"
7804 set dstaddr "Routers-GR4" "Routers-GR5" "Routers-GR1" "Routers-GR2" ↓
..."Routers-GR3" "Sophos-Backup-1" "Sophos-Backup-2" "Sophos-Backup-3" "BRANCHES-Group-1" ↓
..."BRANCH-GROUP-6" "Branches-Group-2" "Branches-Group-3" "Branches-Group-4" "BranchesGroup-5" ↓
..."Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "TUKARAM CHOWK BRANCH, Near ↓
...Tukaram Hospital, At Sant Tukaram Ch" "Sophos-Backup-4" "ATM-1" "ATM-2" "ATM-4" "ATM-5" ↓
..."OFFSITE ATM" "BBPS_Clients"
7807 set service "PING" "TELNET" "SSH"
7809 set label "Network Monitor"
7810 set nat enable
7811 next
7812 edit 16
7813 set uuid 477d07d0-6b39-51e5-6680-0934529fdc28
7815 set dstintf "ATM"
7816 set srcaddr "ATM-1" "ATM-2"
7817 set dstaddr "Euronet-Switch"
7820 set service "BRANCH-ATMS-TO-SWITCH-1"
7822 next
7823 edit 124
7824 set uuid 11c21fae-3f4b-51e6-5856-a9c6997d9375
7825 set srcintf "ATM"
7827 set srcaddr "EuronetTest1" "EuronetTest2"
7828 set dstaddr "TESTSERVR"
7831 set service "TCP/6415"
7833 next
7834 edit 19
7835 set uuid bd3a5b2a-6b3a-51e5-4225-b880b3d4c600
7838 set srcaddr "Euronet-Switch"
7839 set dstaddr "ATMInterface"
7842 set service "TCP5001" "TCP5004"
7844 next
7845 edit 117
7846 set uuid 9cb2dab4-3527-51e6-63d0-3d79bbc10d07
7849 set srcaddr "EuronetTest1" "EuronetTest2"
7854 set service "TCP/6415"
7856 next
7857 edit 20
7858 set uuid 4c9ef078-6b3b-51e5-e333-7b20262b6d15
7861 set srcaddr "SD-Agent-Euronet"
7862 set dstaddr "ATM-1" "ATM-2" "ATM-4" "ATM-5" "OFFSITE ATM"
7865 set service "TCP-5002"
7867 next
7868 edit 21
7869 set uuid 8981e55e-6b3b-51e5-810d-d751d31a9626
7872 set srcaddr "ATM-1" "ATM-2" "ATM-4"
7873 set dstaddr "SD-Agent-Euronet"
7876 set service "TCP5001" "TCP5004" "TRACEROUTE" "TELNET"
7878 next
7879 edit 23
7880 set uuid 9366bb3a-6cee-51e5-994f-d7f2127ee2b5
7890 set label "Internet Access"
7893 set nat enable
7894 next
7895 edit 161
7896 set uuid a13a2ca0-570d-51e7-aeb4-e16483439085
7899 set srcaddr "CPFW-OUT"
7906 set label "Internet Access"
7907 set nat enable
7908 next
7909 edit 24
7910 set uuid 821bf482-6d87-51e5-b7b2-61faa3ac0f49
7913 set srcaddr "Civil-Lines Branch"
7914 set dstaddr "APP-SERVERS" "APP1" "APPLICATION1"
7917 set service "APP-Services" "APBS"
7919 set label "Civil-Lines Branch APP Server Access"
7920 next
7921 edit 25
7922 set uuid d381d3fa-6d87-51e5-9835-7cd4754c496b
7931 set label "Civil-Lines Branch Domain Access"
7932 next
7933 edit 26
7934 set uuid 0b4e1eec-6d88-51e5-7d72-6156f76718ce
7943 set label "Civil-Lines Branch Dtatabase Access"
7944 next
7945 edit 192
7946 set uuid 0b9fb788-85af-51e8-14ef-10297bc94329
7953 set service "ALL_ICMP" "TRACEROUTE" "TCP-8012"
7955 set label "Civil-Lines Branch Dtatabase Access"
7956 next
7957 edit 27
7958 set uuid 9cc01fa0-6d93-51e5-1669-a5ed2e00801b
7961 set srcaddr "DC-ADMIN-USERS" "nwadm" "MGMNT-PC" "DC-ADMIN-USERS-2" ↓
..."Datacenter-Laptops" "Vinod Raut"
7962 set dstaddr "EMAIL-SERVER" "VMWARE-HOST"
7965 set service "HTTPS" "TCP-8443" "ALL_ICMP" "HTTP" "SMTP" "SMTPS" ↓
..."POP3" "IMAP" "POP3S" "IMAPS" "VMWARE_1" "VMWARE_2"
7967 set label "Email Access to DC-USERS"
7968 set nat enable
7969 next
7970 edit 28
7971 set uuid c2f22bf0-6d93-51e5-f15d-e6bc49df2bae
7974 set srcaddr "BRANCHES-Group-1" "Branches-Group-2" "Branches-Group-3" ↓
...Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "BRANCH-GROUP-6" ↓
..."BRANCH-DVR"
7975 set dstaddr "EMAIL-SERVER"
7978 set service "ALL_ICMP" "HTTPS" "TCP-8443" "SMTPS"
7980 set label "Access to Email Server"
7981 set nat enable
7982 next
7983 edit 30
7984 set uuid dcc2e91a-6dc1-51e5-7670-8db4a3314101
..."HO-USERS-STATIONARY-SECTION" "VaidyaSir" "Mr.Kale" "HO-INTERNET-USERS-ATM" "Ho Back-Office"
7991 set service "ALL_ICMP" "HTTPS" "TCP-8443" "HTTP" "SMTPS" "IMAP" ↓
..."IMAPS" "POP3" "POP3S" "SMTP"
7993 set label "Email-Access-To-HO-USERS"
7994 set nat enable
7995 next
7996 edit 183
7997 set uuid 98e779b2-6f9f-51e8-1d63-0955a5212787
8006 next
8007 edit 31
8008 set uuid 171b5f42-6dc3-51e5-0db0-46f2576f9136
8011 set srcaddr "AAN" "HO-INTERNET-USERS-ACC-SECTION" ↓
..."HO-INTERNET-USERS" "Biskunde Saheb" "Drop_Box_Internet" "Nelito-Prasad"
8019 set application-list "default"
8022 set nat enable
8023 next
8024 edit 32
8025 set uuid e64cfb4a-6dcd-51e5-ecf6-75993423716f
8028 set srcaddr "MGMNT-PC" "CTS Server" "Datacenter-Laptop-2" "WSUS"
8037 set application-list "Custom_App_Ctrl"
8040 set nat enable
8041 next
8042 edit 184
8043 set uuid 9379b318-6fa0-51e8-4b80-50c474ced1c4
8046 set srcaddr "VMWARE-CLIENT"
8047 set dstaddr "Adobe Login" "Block Internet IP-1" "Block Internet IP-2"
8052 next
8053 edit 33
8054 set uuid be2496d6-6e46-51e5-4c36-eed3c8e81e20
8057 set srcaddr "HO-INTERNET-USERS-ATM" "ATM-FINCRAFT-USER1" ↓
..."ATM-FINCRAFT-USER2" "ATM-USER-1" "ATM-USER-2"
8058 set dstaddr "WEB-CMS"
8061 set service "HTTPS" "TCP-9086"
8063 set label "HO-ATM-USERS TO WEB-CMS"
8064 next
8065 edit 34
8066 set uuid 2a200208-6e47-51e5-3867-559a3ead3480
8068 set dstintf "HO-USERS"
8069 set srcaddr "WEB-CMS"
8070 set dstaddr "HO-INTERNET-USERS-ATM"
8073 set service "TCP-9086" "HTTPS"
8075 set label "WEB-CMS TO HO-ATM-USERS"
8076 set nat enable
8077 next
8078 edit 35
8079 set uuid f1f1af52-6e47-51e5-7597-96e65b8ea538
8082 set srcaddr "Euro-SFTP"
8086 set service "SSH" "TCP/22"
8088 set nat enable
8089 next
8090 edit 36
8091 set uuid 1b3e838a-6e48-51e5-739b-4e74a64f3f74
..."ATM-FINCRAFT-USER2" "ATM-FINCRAFT-USER3"
8095 set dstaddr "Euro-SFTP"
8098 set service "SSH"
8100 next
8101 edit 37
8102 set uuid 785dcad4-6e49-51e5-0eb5-b3296f48aa71
..."ATM-FINCRAFT-USER2" "ATM-USER-1" "ATM-USER-2"
8106 set dstaddr "RGCS"
8109 set service "HTTPS"
8111 next
8112 edit 38
8113 set uuid 9f777552-6e49-51e5-5caf-4949689f4c7d
8116 set srcaddr "RGCS"
8122 set nat enable
8123 next
8124 edit 40
8125 set uuid 4792cac8-6f0a-51e5-e063-c26b389bbd45
8128 set srcaddr "DOMAIN"
8129 set dstaddr "OLD-DOMAIN"
8133 set service "Domain-Services" "RDP"
8135 set nat enable
8136 next
8137 edit 46
8138 set uuid 2d7ef786-72fe-51e5-b76d-b13b0ce06377
8141 set srcaddr "RTGS-CLIENT1" "VMWARE-CLIENT"
8142 set dstaddr "RtgsInterface"
8146 set service "RDP" "TCP-139" "SMB"
8148 set label "Email Access to DC-USERS"
8149 set nat enable
8150 next
8151 edit 48
8152 set uuid 040f2f0c-732f-51e5-969e-21ac630bb60d
8155 set srcaddr "Civil-Lines Branch" "CIVIL-LINES-DVR"
8159 set service "ALL_ICMP" "HTTP" "HTTPS" "IMAP" "POP3" "IMAPS" "POP3S" ↓
..."SMTP" "SMTPS" "LDAP" "TCP-7025" "TCP-7071"
8161 set label "Email-Access-TO-Civl-line-Branch"
8162 set nat enable
8163 next
8164 edit 41
8165 set uuid 2e73f9f8-7622-51e5-cd4e-40aff61a5d84
8167 set dstintf "RTGS"
8168 set srcaddr "RtgsInterface"
8169 set dstaddr "SFMS-BACKUP" "SFMS-PRIMARY"
8172 set service "Domain-Services" "ALL_ICMP" "TCP-1415" "TELNET"
8174 set label "Rule for RTGS Interface and SFMS Server"
8175 set nat enable
8176 next
8177 edit 127
8178 set uuid d48b4540-5253-51e6-de7f-0d9d980d076b
8181 set srcaddr "CA-SERVER"
8182 set dstaddr "SFMS-PRIMARY" "SFMS-BACKUP"
8185 set service "ALL_ICMP" "TCP25000" "UDP-137"
8187 set label "Rule for RTGS Interface and SFMS Server"
8188 set nat enable
8189 next
8190 edit 42
8191 set uuid de9f9e0e-7622-51e5-16e4-eb469d419863
8194 set srcaddr "RTGS-CLIENT1" "MGMNT-PC" "WSUS"
8198 set service "ALL_ICMP" "Domain-Services" "HTTP" "HTTPS" "TELNET" ↓
..."TCP8080" "RDP"
8200 set label "Rule for RTGS client and SFMS Server"
8201 set nat enable
8202 next
8203 edit 43
8204 set uuid 670726ae-7623-51e5-0eb1-8d840664926a
8207 set srcaddr "RTGS-CLIENT2" "RTGS-CLIENT3" "RTGS-MONITER"
8208 set dstaddr "SFMS-BACKUP" "SFMS-PRIMARY" "RBI-RTGS" "CA Accounting ↓
...Module"
8211 set service "ALL_ICMP" "TCP8080" "Domain-Services" "HTTP" ↓
..."RBI-SERVICES"
8213 set label "Rule for RTGS Clients and SFMS Servers"
8214 set nat enable
8215 next
8216 edit 141
8217 set uuid 962ddc86-b941-51e6-2fe1-3b728391fa0d
8220 set srcaddr "RTGS-MONITER"
8224 set service "RDP" "ALL_ICMP"
8227 set nat enable
8228 next
8229 edit 169
8230 set uuid 9293c8c2-62fd-51e7-76b4-1740575eb31c
8234 set dstaddr "EMS" "SFMS-Intranet" "SFMS-INTRANET-2"
8237 set service "ALL_ICMP" "TCP8080" "HTTPS" "TRACEROUTE" "HTTP"
8240 next
8241 edit 159
8242 set uuid c8152134-54ee-51e7-58fa-6a3c2045391b
8245 set srcaddr "RTGS-CLIENT2" "RTGS-CLIENT3"
8246 set dstaddr "DR-RTGS-SERVER"
8249 set service "ALL_ICMP" "RBI-SERVICES"
8251 set label "SFMS Server Access to Clients"
8252 next
8253 edit 168
8254 set uuid 37dbe50e-6235-51e7-c8f1-3b1607870072
8258 set dstaddr "DR-RTGS-SERVER" "DR-Rtgs-Interface" "DR-ATMInterface"
8261 set service "ALL_ICMP" "RDP" "TCP-139" "SMB"
8264 next
8265 edit 160
8266 set uuid ec340020-5675-51e7-fba0-76ce601bce9b
8270 set dstaddr "Ekuber-Bkp" "Ekuber-Pri"
8273 set service "ALL_ICMP" "HTTP" "TRACEROUTE" "HTTPS"
8276 next
8277 edit 44
8278 set uuid f8e1c0f2-7623-51e5-12cf-2bf37402a0a3
8279 set srcintf "RTGS"
8281 set srcaddr "SFMS-BACKUP" "SFMS-PRIMARY"
8285 set service "ALL_ICMP" "TCP-1414" "TELNET"
8287 set label "Rule for SFMS and RTGS Interface"
8288 set nat enable
8289 next
8290 edit 45
8291 set uuid c1b17630-7624-51e5-6059-dc17e4ccc450
8294 set srcaddr "SONICWALL-RTGS"
8295 set dstaddr "RTGS-CLIENT2" "RTGS-CLIENT3"
8298 set service "TCP8080" "HTTP" "RBI-SERVICES"
8300 set label "Rule for RBI and RTGS Client"
8301 set nat enable
8302 next
8303 edit 49
8304 set uuid 4ce29acc-7625-51e5-6045-e7e94200cff4
8307 set srcaddr "RTGS-CLIENT1" "MGMNT-PC"
8308 set dstaddr "SONICWALL-RTGS"
8311 set service "ALL_ICMP" "HTTP" "HTTPS" "TELNET"
8313 set label "Rule for Sonicwall Management"
8314 set nat enable
8315 next
8316 edit 51
8317 set uuid 9445f9a6-762d-51e5-0b3d-62ee35124116
8320 set srcaddr "RTGS-CLIENT1" "MGMNT-PC"
8321 set dstaddr "RBI-RTGS"
8324 set service "RBI-SERVICES"
8326 set label "SONICWALL-INTERNET-FW"
8327 next
8328 edit 47
8329 set uuid 9112185c-7671-51e5-26b9-a7694602cabf
8332 set srcaddr "DC-ADMIN-USERS" "RTGS-CLIENT1" "DC-ADMIN-USERS-2" ↓
..."nwadm" "Datacenter-Laptops" "Vinod Raut"
8333 set dstaddr "Antivirus-Server"
8338 set label "Antivirus server Access"
8339 set nat enable
8340 next
8341 edit 50
8342 set uuid 4f245672-76fc-51e5-fb41-d5a5b6bb9ae5
8344 set dstintf "DC-Admin"
8346 set dstaddr "DC-ADMIN-USERS" "DC-ADMIN-USERS-2" "nwadm"
8351 set nat enable
8352 next
8353 edit 204
8354 set uuid c75eb8d2-f703-51e8-0071-639dab300b29
8357 set srcaddr "SachinNelito"
8360 set service "RDP"
8362 set label "Antivirus Access To HO"
8363 next
8364 edit 52
8365 set uuid 6bcd2db8-7728-51e5-5aa4-33a1fe54e970
8368 set srcaddr "HO-USER-ACC-SECTION" "HO-INTERNET-USER" ↓
..."HO-INTERNET-USERS-ACC-SECTION" "HO-INTERNET-USERS-ATM" "HO-USERS-STATIONARY-SECTION" ↓
..."HO-USERS-LOAN-SECTION" "HO-USERS-DATAHUB" "HO-USERS-COMP-SECTION" "Civil-Lines Branch" "Mr. ↓
...Kale" "RTGS-MONITER" "RTGS-CLIENT2" "RTGS-CLIENT3" "HO-USERS-ADM-SECTION" "Ho Back-Office" ↓
..."BSG - Recon Server" "SachinNelito" "CTS CHQ Printing"
8374 set label "Antivirus Access To HO"
8375 set nat enable
8376 next
8377 edit 58
8378 set uuid 9d14c642-83b7-51e5-7ac0-e18ea87de3c5
...Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "BRANCH-GROUP-6"
8387 set label "Antivirus-Group-Updater"
8388 set nat enable
8389 next
8390 edit 62
8391 set uuid d01628d8-a234-51e5-f72f-89709d9bafda
8394 set srcaddr "DC-ADMIN-USERS" "DC-ADMIN-USERS-2" "Datacenter-Laptops" ↓
..."Vinod Raut" "Network-Admin" "Nelito_Tech"
8395 set dstaddr "TESTSERVR" "TESTSERVR_2"
8400 set label "Test-Server Access to DC-USERS"
8401 set nat enable
8402 next
8403 edit 53
8404 set uuid 1679bd34-a24f-51e5-7b07-459d53e1c480
8408 set dstaddr "APP-1" "APPLICATION1"
8411 set service "APBS"
8413 set label "APBS Access"
8414 set nat enable
8415 next
8416 edit 122
8417 set uuid b81a2c12-36f3-51e6-0404-a8e369c8be2f
8417 set uuid b81a2c12-36f3-51e6-0404-a8e369c8be2f
8421 set dstaddr "APP-1"
8426 set label "APBS Access"
8427 next
8428 edit 54
8429 set uuid 36b74a9e-a259-51e5-8d50-51b33e1ffc26
..."HO-USERS-DATAHUB" "HO-USERS-STATIONARY-SECTION" "HO-USERS-LOAN-SECTION" ↓
..."HO-USERS-COMP-SECTION" "Mr.Kale" "VaidyaSir" "Ho Back-Office" "HO-INTERNET-USERS-ATM"
8433 set dstaddr "APP-1" "APPLICATION1"
8438 set label "Access To APBS"
8439 set nat enable
8440 next
8441 edit 59
8442 set uuid 0d8fd6d6-a9b6-51e5-7d9d-b492db9b6e84
8445 set srcaddr "RTGS-CLIENT1"
8451 set label "Domain-Access To RTGS client"
8452 set nat enable
8453 next
8454 edit 64
8455 set uuid dc283352-aa48-51e5-d554-b5cfda0796fd
8458 set srcaddr "ATMInterface"
8459 set dstaddr "eurronet-router" "Euronet-Switch"
8462 set service "ALL_ICMP" "TCP5004" "TELNET" "TCP-5002"
8464 next
8465 edit 65
8466 set uuid edca955c-aa64-51e5-4dfd-14e39fade22d
8469 set srcaddr "ATM-CIVIL-LINES"
8470 set dstaddr "Euronet-Switch" "EuronetTest1" "EuronetTest2"
8473 set service "BRANCH-ATMS-TO-SWITCH-1" "TCP/7282" "TCP/7501" ↓
..."TCP/15402"
8475 set label "ATM-CIVIL-LINES"
8476 next
8477 edit 66
8478 set uuid 7645d3ac-aad7-51e5-33d5-9febd15afd1d
8481 set srcaddr "HO-INTERNET-USERS-ATM"
8487 set label "Domain-Access-To-HO-ATM-USERS"
8488 set nat enable
8489 next
8490 edit 67
8490 edit 67
8491 set uuid 8be031a6-aad9-51e5-8ca5-c44c219c67f4
8500 set label "Domain-Access-To-HO-ATM-USERS"
8501 set nat enable
8502 next
8503 edit 68
8504 set uuid fe50ab08-ab92-51e5-3154-d86e49b8f919
8511 set service "ALL_ICMP" "RDP"
8513 set label "RTGS-Interface Access to RTGS-Client"
8514 set nat enable
8515 next
8516 edit 147
8517 set uuid 64b1a986-e6c7-51e6-d358-99a7e1b9f625
8520 set srcaddr "MGMNT-PC"
8526 set label "RTGS-Interface Access to RTGS-Client"
8527 set nat enable
8528 next
8529 edit 69
8530 set uuid 17f05412-ad3e-51e5-bebb-11a13a585bc6
8533 set srcaddr "DC-ADMIN-USERS" "Vinod Raut" "DC-ADMIN-USERS-2" ↓
..."Datacenter-Laptops"
...Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra"
8537 set service "ALL_ICMP"
8539 set label "DC-ADMIN ACCESS TO BRANCHES"
8540 set nat enable
8541 next
8542 edit 70
8543 set uuid 8a73b9da-ad4c-51e5-40f1-a51dc50cda26
8546 set srcaddr "RTGS-CLIENT1" "MGMNT-PC" "MGMNT2-PC" "VAIBHAV" "WSUS" ↓
..."VMWARE-CLIENT"
8547 set dstaddr "CA-SERVER"
8552 set label "CA-REMOTE ACCESS"
8553 set nat enable
8554 next
8555 edit 71
8556 set uuid f122a2c4-ad63-51e5-3da9-02972c7d8505
8559 set srcaddr "ATM-4"
8565 next
8566 edit 72
8567 set uuid 79bd04b4-ad71-51e5-8b1f-1ad3ae9ad6e7
8570 set srcaddr "SQL-CLUSTER" "DATABASE1" "DATABASE2"
8571 set dstaddr "Umesh More"
8576 set nat enable
8577 next
8578 edit 75
8579 set uuid e847e9fe-ae29-51e5-0475-715f513b770c
8582 set srcaddr "WSUS" "Datacenter-Laptop-2"
8583 set dstaddr "FileZilla"
8586 set service "FTP" "FTP_PUT" "FTP_GET"
8588 set nat enable
8589 next
8590 edit 77
8591 set uuid e1a875d2-aec4-51e5-71b7-a68ba7f02c21
8595 set dstaddr "SONICWALL-INTERNET"
8598 set service "ALL_ICMP" "HTTP" "HTTPS"
8600 set label "SONICWALL-INTERNET-FW"
8601 set nat enable
8602 next
8603 edit 79
8604 set uuid 21848a9a-aecc-51e5-dc62-963a05fc3f53
8607 set srcaddr "HO-INTERNET-USERS" "HO-INTERNET-USERS-ACC-SECTION" ↓
..."HO-USERS" "HO-USERS-ADM-SECTION" "HO-USERS-COMP-SECTION" "HO-USERS-DATAHUB" ↓
..."HO-USERS-LOAN-SECTION" "HO-USERS-STATIONARY-SECTION" "HO-INTERNET-USERS-ATM" "VaidyaSir" "Mr. ↓
...Kale" "Ho Back-Office" "CTS-PC" "BBPS_CIVILLINES_1" "HO-BBPS Clients" "BSG - Recon Server" ↓
..."HO_NEW_IP_Series"
8613 set label "TestServer Access To HO USERS"
8614 set nat enable
8615 next
8616 edit 78
8617 set uuid aad14280-b119-51e5-5391-c9fbc6cbf6c7
8621 set dstaddr "ATM-1" "ATM-2" "ATM-4" "ATM-5" "OFFSITE ATM"
8624 set service "ALL_ICMP" "PING"
8626 set label "ATM-Users ATM Ping Access"
8627 set nat enable
8628 next
8629 edit 80
8630 set uuid e6ffd062-b5cb-51e5-a2f8-922f70385e44
8639 next
8640 edit 83
8641 set uuid cc73122e-b871-51e5-4dd3-94ae8ad5c3dc
8644 set srcaddr "DC-ADMIN-USERS" "DC-ADMIN-USERS-2" "Vinod Raut" ↓
...Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "BRANCH-GROUP-6" ↓
..."BBPS_Clients"
8648 set service "HTTP" "HTTPS" "TCP-5938"
8650 set label "Team Viewer Access for Branches"
8651 set nat enable
8652 next
8653 edit 84
8654 set uuid 6e193546-b8fd-51e5-dc71-dd3f660f4e78
8657 set srcaddr "WSUS"
8663 set nat enable
8664 next
8665 edit 125
8666 set uuid 04ad25bc-3f63-51e6-d42b-1e8c601536cc
8669 set srcaddr "VMWARE-CLIENT" "PRASANNA" "WSUS"
8670 set dstaddr "BSG - Recon Server"
8674 set service "HTTP" "TCP8080" "TCP/22" "MYSQL" "ALL_ICMP" "RDP"
8676 set nat enable
8677 next
8678 edit 73
8679 set uuid 8144b9c2-be9f-51e5-40f4-cd2489c59230
8683 set dstaddr "ATM-CIVIL-LINES" "ATM-CIVILLINES-2"
8686 set service "TCP-5002" "TCP5004" "TCP5001"
8688 next
8689 edit 81
8690 set uuid e9195370-bf3d-51e5-ef07-ea626658e900
..."Branches-Group-4" "BranchesGroup-5" "Asegaon, Ta. Mangrulpir District ↓
...Ch" "BRANCH-GROUP-6" "Unspecified Branch - Reserved For SOPHOS"
8697 set service "FTP" "FTP_GET" "FTP_PUT" "ALL_ICMP"
8699 set nat enable
8700 next
8701 edit 74
8702 set uuid 5c66fb9c-c5b1-51e5-75b9-5d2c39ca1b8e
8706 set dstaddr "ATMInterface" "IMPS Interface"
8709 set service "RDP" "SMB"
8711 set label "ATMInterface Access to Amit."
8712 set nat enable
8713 next
8714 edit 165
8715 set uuid 1b3aefa2-6227-51e7-9476-cca52c3dc618
8718 set srcaddr "ATM-FINCRAFT-USER1"
8719 set dstaddr "DR-ATMInterface"
8724 set label "ATMInterface Access to Amit."
8725 next
8726 edit 85
8727 set uuid f0a642cc-c5b6-51e5-f5fc-74b67ab08a09
8735 set service "RDP" "SMB" "ALL_ICMP" "PING"
8737 set label "Remote Access For ATMInterface"
8738 set nat enable
8739 next
8740 edit 87
8741 set uuid 495d2862-c8d8-51e5-71af-1a46785debad
8744 set srcaddr "VAIBHAV"
8745 set dstaddr "SMSSERVER"
8748 set service "RDP" "ALL_ICMP" "PING"
8750 set label "Remote Access For SMS Server"
8751 set nat enable
8752 next
8753 edit 89
8754 set uuid 048ebbd8-ce37-51e5-e6d2-725533d60fd3
8757 set srcaddr "WSUS"
8761 set service "SMB" "RDP"
8763 set label "Antivirus Access to Umesh"
8764 set nat enable
8765 next
8766 edit 90
8767 set uuid b3eee66e-cf29-51e5-8a12-a7250d505208
8770 set srcaddr "VBK1037"
8777 set label "Test Server Access to VBK1037"
8778 set nat enable
8779 next
8780 edit 91
8781 set uuid 1077066c-d472-51e5-ec8b-eb4c3ad1a8fe
8785 set dstaddr "VMWARE-HOST" "EMAIL-SERVER" "SIEM-SRV" "Zabbix_Host" ↓
..."Zabbix_Server"
..."Zabbix_Server"
8788 set service "HTTPS" "SSH" "TCP/7071-7072" "TCP/7780" "ALL_ICMP" ↓
..."HTTP"
8790 set nat enable
8791 next
8792 edit 94
8793 set uuid 05318bc8-e04e-51e5-314b-9319654b0b21
..."Branches-Group-4" "BranchesGroup-5" "Asegaon, Ta. Mangrulpir District ↓
...Ch" "BRANCH-GROUP-6"
8797 set dstaddr "VIEW-FRAME"
8800 set service "HTTP"
8802 set nat enable
8803 next
8804 edit 123
8805 set uuid b5c20e40-3dcd-51e6-3c02-3b4ad68edbb8
8808 set srcaddr "BRANCH-GROUP-6" "BRANCHES-Group-1" "Branches-Group-2" ↓
..."Branches-Group-3" "Branches-Group-4" "BranchesGroup-5" "TUKARAM CHOWK BRANCH, Near Tukaram ↓
...Hospital, At Sant Tukaram Ch" "Asegaon, Ta. Mangrulpir District ↓
...Washim,Mangrulpur,Maharashtra" "Sophos-Backup-1" "Sophos-Backup-2" "Sophos-Backup-3" ↓
8809 set dstaddr "MSEB-APP" "CropInsurance"
8812 set service "HTTP" "TCP8080" "TCP-5201" "ALL_ICMP"
8814 set nat enable
8815 next
8816 edit 95
8817 set uuid fc37b090-ec25-51e5-44ec-d4ad133dbfaa
8824 set service "TCP-3926" "TRACEROUTE"
8826 next
8827 edit 96
8828 set uuid 6c8a2a9a-ef54-51e5-3284-cd974c89715b
8837 next
8838 edit 131
8839 set uuid 2af4adcc-6dc5-51e6-a88a-8c23feded1a4
8842 set srcaddr "OFFSITE ATM"
8846 set service "TCP-3926" "TELNET" "ALL_ICMP" "PING"
8848 next
8849 edit 132
8850 set uuid c71bf796-6dc5-51e6-9ee6-eb571d8295f5
8853 set srcaddr "OFFSITE ATM"
8857 set service "TCP5001"
8859 next
8860 edit 86
8861 set uuid e18bd10e-1452-51e6-fc85-4a399e168b5d
8864 set srcaddr "DC-ADMIN-USERS" "MGMNT-PC" "Vinod Raut" ↓
..."Datacenter-Laptops" "DC-ADMIN-USERS-2"
8865 set dstaddr "DR-DOMAINS"
8870 set label "DC-Admin-DRDomains"
8871 set nat enable
8872 next
8873 edit 88
8874 set uuid 0f3a2880-1453-51e6-ed9f-578d76bb0f54
8877 set srcaddr "Civil-Lines Branch" "HO-USER-ACC-SECTION" ↓
..."HO-USERS-DATAHUB" "HO-USERS-STATIONARY-SECTION" "HO-USERS-LOAN-SECTION" ↓
..."HO-USERS-COMP-SECTION" "HO-USERS-ADM-SECTION" "Ho Back-Office" "HO-INTERNET-USERS-ATM" ↓
8878 set dstaddr "DR-DOMAINS"
8883 set label "Head Office-Civil-Lines DR-Domain Access"
8884 set nat enable
8885 next
8886 edit 92
8887 set uuid 28f54818-1453-51e6-9675-2d2f4d166ca8
8890 set srcaddr "Civil-Lines Branch" "HO-INTERNET-USERS-ACC-SECTION" ↓
..."HO-USERS-ADM-SECTION" "HO-USERS-COMP-SECTION" "HO-USERS-DATAHUB" "HO-USERS-LOAN-SECTION" ↓
..."HO-USERS-STATIONARY-SECTION" "HO-USER-ACC-SECTION" "Ho Back-Office" "HO-INTERNET-USERS-ATM" ↓
8891 set dstaddr "DR-APPSERVERS"
8896 set label "Head-Office&Civil-Lines DR-APP Access"
8897 set nat enable
8898 next
8899 edit 93
8900 set uuid 5791699a-1453-51e6-28e3-c1627cc8bbff
8903 set srcaddr "Civil-Lines Branch" "HO-USER-ACC-SECTION" ↓
..."HO-USERS-ADM-SECTION" "HO-USERS-COMP-SECTION" "HO-USERS-DATAHUB" "HO-USERS-LOAN-SECTION" ↓
..."HO-USERS-STATIONARY-SECTION" "Ho Back-Office" "HO-INTERNET-USERS-ATM" "HO_NEW_IP_Series"
8904 set dstaddr "DR-DATABASESERVERS"
8909 set label "Head-Office&Civil-Lines DR-DB-Access "
8910 set nat enable
8911 next
8912 edit 171
8913 set uuid f133b55e-c57c-51e7-2325-76fef3eacc5b
8917 set dstaddr "EuronetSwitch-forCivilLines"
8920 set service "TCP8868" "TRACEROUTE"
8923 set nat enable
8924 next
8924 next
8925 edit 170
8926 set uuid 240de19e-c57c-51e7-e70f-4806b3eea619
8929 set srcaddr "ATM-CIVILLINES-2"
8930 set dstaddr "EuronetSwitch-forCivilLines"
8933 set service "TCP-3926" "TRACEROUTE"
8936 set nat enable
8937 next
8938 edit 166
8939 set uuid 3c8f9f2a-6233-51e7-a223-4a3453f527fe
8942 set srcaddr "Nelito-Prasad"
8949 set nat enable
8950 next
8951 edit 97
8952 set uuid 75a97bfc-1453-51e6-c832-24e4084e1411
8955 set srcaddr "Civil-Lines Branch" "HO-INTERNET-USERS-ACC-SECTION" ↓
..."HO-USER-ACC-SECTION" "HO-USERS-ADM-SECTION" "HO-USERS-COMP-SECTION" "HO-USERS-DATAHUB" ↓
..."HO-USERS-LOAN-SECTION" "HO-USERS-STATIONARY-SECTION" "Ho Back-Office"
8956 set dstaddr "DR-APPLICATION1"
8961 set label "Head-Office&Civil-Lines APBS Access"
8962 set nat enable
8963 next
8964 edit 98
8965 set uuid e871ecc8-1453-51e6-68b1-22b96dd6ba56
8968 set srcaddr "DC-ADMIN-USERS" "Vinod Raut" "DC-ADMIN-USERS-2"
8969 set dstaddr "DR-APPLICATION1"
8974 set label "DC-Admin APBS"
8975 set nat enable
8976 next
8977 edit 99
8978 set uuid 129d04a6-1454-51e6-a3d7-8f01ddecf959
8981 set srcaddr "DC-ADMIN-USERS" "DC-ADMIN-USERS-2" "Vinod Raut" ↓
8987 set label "DC-Admin to DR Database "
8988 set nat enable
8989 next
8990 edit 167
8991 set uuid 9fa7478e-6233-51e7-4832-add8c6f3fb91
8994 set srcaddr "VAIBHAV"
9001 set nat enable
9002 next
9003 edit 129
9004 set uuid 34b52f7a-6051-51e6-c0fa-712c28d4438e
9014 set nat enable
9015 next
9016 edit 100
9017 set uuid 3951d27a-1454-51e6-4e90-f09f1a67a5d3
9020 set srcaddr "DC-ADMIN-USERS" "Vinod Raut" "DC-ADMIN-USERS-2" ↓
9021 set dstaddr "DR-APPSERVERS"
9026 set label "DC-Admin to DR APP servers"
9027 set nat enable
9028 next
9029 edit 130
9030 set uuid 2fdbe20c-6054-51e6-cf54-5a950a70ef58
9034 set dstaddr "DR-APPLICATION1" "DR-APPLICATION2" "DRAPPCLUSTER"
9039 set label "DC-Admin to DR APP servers"
9040 set nat enable
9041 next
9042 edit 101
9043 set uuid e661f67e-15cc-51e6-4eb8-6ecf1d13e33e
9046 set srcaddr "nwadm"
9052 set nat enable
9053 next
9054 edit 102
9055 set uuid e296be70-1681-51e6-58a3-af06ca7ef95a
9064 next
9065 edit 135
9066 set uuid c31c369a-a193-51e6-7173-2ba75de4ea8e
9069 set srcaddr "ATM-CIVIL-LINES" "ATM-CIVILLINES-2"
9075 next
9075 next
9076 edit 103
9077 set uuid 23f5cba4-1682-51e6-fbeb-d65db3fa7a23
9086 next
9087 edit 136
9088 set uuid 456910c8-a194-51e6-25ef-fff46e469173
9092 set dstaddr "ATM-CIVIL-LINES" "ATM-CIVILLINES-2"
9097 next
9098 edit 104
9099 set uuid 21563632-1762-51e6-04e2-57f61fe4f37d
9102 set srcaddr "DR-DOMAINS"
9108 set nat enable
9109 next
9110 edit 190
9111 set uuid 53f04f90-8049-51e8-9de7-e926e4abed98
9114 set srcaddr "BBPS API"
9115 set dstaddr "RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA ↓
...RATANLAL" "PATUR BRANCH NR OLD BUS STAND PATUR TQ- PATUR"
9118 set service "ALL_ICMP" "TRACEROUTE"
9120 next
9121 edit 105
9122 set uuid 71e40152-18d3-51e6-4814-06ce758bea9a
9125 set srcaddr "DOMAIN"
9126 set dstaddr "DR-BACKUPDOMAIN" "DR-PRIMARYDOMAIN"
9132 set nat enable
9133 next
9134 edit 106
9135 set uuid 50c3a8f4-23d9-51e6-4bf7-cc5c37c1201d
9138 set srcaddr "DR-CASERVER"
9139 set dstaddr "sysadmin"
9144 set nat enable
9145 next
9146 edit 107
9147 set uuid 6f13ac08-2629-51e6-6bab-47c7b353477a
9150 set srcaddr "sysadmin" "MGMNT-PC" "VMWARE-CLIENT"
9151 set dstaddr "DR-CASERVER-2" "DR-MONITOR" "DR-DOMAINS"
9156 set nat enable
9157 next
9158 edit 108
9159 set uuid 8db92c60-28ad-51e6-db65-76040ee47fac
9162 set srcaddr "DC-ADMIN-USERS-2"
9163 set dstaddr "APP-SERVERS"
9168 next
9169 edit 109
9170 set uuid c4f74572-28ad-51e6-4f51-c3bf8953e69f
9177 set service "DATABASE-SERVICES" "RDP"
9179 next
9180 edit 110
9181 set uuid ed4cd302-28ad-51e6-6a35-7867c3b0c76c
9190 next
9191 edit 111
9192 set uuid 0d15a25e-28ae-51e6-a8b2-57555e851428
9201 next
9202 edit 112
9203 set uuid cd92889a-28d0-51e6-008c-dfa2f5117f47
9206 set srcaddr "BRANCH-GROUP-6"
9212 next
9213 edit 113
9214 set uuid e668b024-28d0-51e6-2f62-222df30fcd19
9223 next
9224 edit 114
9225 set uuid 06554c58-28d1-51e6-ebf0-de8e1a257f36
9229 set dstaddr "APP-SERVERS"
9234 next
9235 edit 116
9236 set uuid 851fcffe-28d1-51e6-70af-1904b4cc70d6
9245 next
9246 edit 115
9247 set uuid 39849dfc-3eae-51e6-dd8f-1e3c69438555
9250 set srcaddr "TESTSERVR"
9251 set dstaddr "EuronetTest1" "EuronetTest2" "Euronet NetScaler"
9254 set service "TCP/6415" "ALL_ICMP" "TELNET" "TCP9095"
9256 next
9257 edit 185
9258 set uuid 3c649818-7914-51e8-e422-823f43797a39
9261 set srcaddr "BBPS API"
9262 set dstaddr "BBPS2"
9265 set service "HTTPS" "TRACEROUTE" "TELNET"
9267 set label "BBPSAPI-BBPS"
9268 next
9269 edit 121
9270 set uuid 86e326c2-42aa-51e6-213e-90e47b8a31aa
9274 set dstaddr "HO-INTERNET-USERS-ACC-SECTION" ↓
..."HO-USERS-STATIONARY-SECTION" "HO-USERS-LOAN-SECTION" "HO-USERS-DATAHUB" ↓
..."HO-USERS-COMP-SECTION" "HO-USERS-ADM-SECTION" "HO-USER-ACC-SECTION" "HO-INTERNET-USERS-ATM" ↓
..."HO-INTERNET-USERS" "Civil-Lines Branch" "RTGS-CLIENT2" "RTGS-CLIENT3" "Ho Back-Office" ↓
..."SachinNelito" "HO_NEW_IP_Series" "BSG - Recon Server"
9279 set nat enable
9280 next
9281 edit 126
9282 set uuid bd5dabac-4e6a-51e6-931f-4791e425d723
9285 set srcaddr "SFMS-PRIMARY" "SFMS-BACKUP"
9286 set dstaddr "DR-RTGS-SERVER"
9289 set service "ALL_ICMP" "TCP25000"
9291 next
9292 edit 178
9293 set uuid d81fa458-0715-51e8-382b-42ef57a1e51c
9296 set srcaddr "SFMS-BACKUP"
9297 set dstaddr "DR-Rtgs-Interface"
9302 next
9303 edit 153
9304 set uuid 700d407c-4f42-51e7-24da-1a3470a80e2c
9307 set srcaddr "SFMS-PRIMARY" "SFMS-BACKUP"
9313 set nat enable
9314 next
9315 edit 157
9316 set uuid 28ece412-529f-51e7-b8d0-18e625f4ec9f
9319 set srcaddr "SFMS-BACKUP"
9320 set dstaddr "BDC-DR" "PDC-DR"
9325 next
9326 edit 205
9327 set uuid 70f4c926-febc-51e8-c1b9-0121e50c6c3e
9336 next
9337 edit 158
9338 set uuid 0d3ee3a6-54e2-51e7-4ea0-bf99913769cd
9342 set dstaddr "EMAIL-SERVER" "DATABASE" "SIEM-SRV"
9345 set service "ALL_ICMP" "SMTP" "DATABASE-SERVICES" "SYSLOG"
9347 next
9348 edit 128
9349 set uuid cfbd8960-5492-51e6-c3b6-fe495259adbe
9352 set srcaddr "DR-RTGS-SERVER"
9356 set service "ALL_ICMP" "TCP25000"
9358 next
9359 edit 133
9360 set uuid 3ef2c360-a18a-51e6-86da-45362cb91857
9364 set dstaddr "ATM-1" "ATM-2" "ATM-4" "ATM-5" "ATM-OFFSITE-NIMBA" "ATM ↓
...OFF-SITE PUSAD NAKA"
9369 next
9370 edit 134
9371 set uuid 40230f1e-a18b-51e6-4ca4-cf3fc488b4f2
9374 set srcaddr "ATM-1" "ATM-2" "ATM-4" "ATM-5" "ATM-OFFSITE-NIMBA" "ATM ↓
...OFF-SITE PUSAD NAKA"
9378 set service "TCP-50020" "TCP5004"
9380 next
9381 edit 137
9382 set uuid 4cd82f54-b79e-51e6-1dd2-4116e094a632
9385 set srcaddr "NELITODBUSER" "BSG - Recon Server"
9386 set dstaddr "DATABASE1" "DATABASE2" "SQL-CLUSTER"
9391 set nat enable
9392 next
9393 edit 138
9394 set uuid 8e13b4ae-b7b0-51e6-b334-8328b3bf6dbd
9397 set srcaddr "comsolvepc" "SachinNelito"
9398 set dstaddr "Routers-GR1" "Routers-GR2" "Routers-GR3" "Routers-GR4" ↓
..."Routers-GR5" "Sophos-Backup-1" "Sophos-Backup-2" "Sophos-Backup-3" "Sophos-Backup-4" ↓
..."BRANCH-GROUP-6" "BRANCHES-Group-1" "Branches-Group-2" "Branches-Group-3" "Branches-Group-4" ↓
..."BranchesGroup-5" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra" "TUKARAM ↓
...CHOWK BRANCH, Near Tukaram Hospital, At Sant Tukaram Ch" "OFFSITE ATM" "BBPS_Clients"
9401 set service "TELNET" "PING" "SSH"
9403 set nat enable
9404 next
9405 edit 139
9406 set uuid d592a2bc-b7b1-51e6-ba7b-1711030dd656
9409 set srcaddr "HO-USERS-COMP-SECTION" "RATHODPC" "SachinNelito"
9410 set dstaddr "BRANCH-GROUP-6" "BRANCHES-Group-1" "Branches-Group-2" ↓
..."Branches-Group-3" "Branches-Group-4" "BranchesGroup-5" "TUKARAM CHOWK BRANCH, Near Tukaram ↓
...Hospital, At Sant Tukaram Ch" "Asegaon, Ta. Mangrulpir District Washim,Mangrulpur,Maharashtra"
9413 set service "HTTP" "HTTPS" "TCP-5938"
9415 set nat enable
9416 next
9417 edit 142
9418 set uuid 6095dcd4-b943-51e6-658c-16aaa771d4ba
9422 set dstaddr "CA-SERVER"
9427 set nat enable
9428 next
9429 edit 143
9430 set uuid 95e8dc5a-b944-51e6-4388-5b73356a394c
9434 set dstaddr "SONICWALL-INTERNET"
9437 set service "ALL_ICMP" "HTTP" "HTTPS"
9439 set nat enable
9440 next
9441 edit 144
9442 set uuid 57d24ebe-b945-51e6-557c-39960973d697
9449 set service "ALL_ICMP" "HTTP" "HTTPS" "Domain-Services" "TELNET" ↓
..."TCP8080" "RDP"
9451 set nat enable
9452 next
9453 edit 145
9454 set uuid dff3bd8c-b945-51e6-d46d-fbd2da712506
9458 set dstaddr "SONICWALL-RTGS"
9461 set service "ALL_ICMP" "HTTP" "HTTPS" "TELNET"
9463 set nat enable
9464 next
9465 edit 146
9466 set uuid f61425f4-e6c5-51e6-49de-729dd92b8cc4
9475 set nat enable
9476 next
9477 edit 148
9478 set uuid 738383f8-04ae-51e7-48fb-1dc5fffa2c71
9481 set srcaddr "comsolvepc"
9482 set dstaddr "SOPHOS-UTM"
9485 set service "HTTPS" "PING" "TCP-4444"
9487 set nat enable
9488 next
9489 edit 149
9490 set uuid e4a135fe-2988-51e7-e9a9-86a0a946c694
9493 set srcaddr "HO-INTERNET-USERS-ATM" "ATM-USER-1" "ATM-USER-2"
9494 set dstaddr "FRM"
9499 next
9500 edit 175
9501 set uuid bf96b626-dfdb-51e7-e942-50089c315149
9504 set srcaddr "RATHODPC" "HO-BBPS Clients"
9505 set dstaddr "BBPS1" "BBPS2"
9508 set service "HTTPS" "ALL_ICMP" "TRACEROUTE" "TELNET"
9510 set label "BBPS Access To Cilent1"
9511 next
9512 edit 151
9513 set uuid fa693374-45f7-51e7-326f-1688b70efaf5
9516 set srcaddr "CHECKPOINT-IP"
9517 set dstaddr "BDC" "PDC"
9520 set service "ALL_ICMP" "PING"
9521 set nat enable
9522 next
9523 edit 152
9524 set uuid 8c05e5d0-502e-51e7-9501-35671a61a998
9525 set srcintf "port10"
9527 set srcaddr "CTRLSFI" "Micro-ATM" "AWS Cloud"
9528 set dstaddr "ATMInterface" "TESTSERVR"
9528 set dstaddr "ATMInterface" "TESTSERVR"
9531 set service "ALL_ICMP" "TCP44405" "TELNET" "TRACEROUTE"
9533 next
9534 edit 154
9535 set uuid e29adfc6-502f-51e7-5ad9-b8e90917836a
9538 set srcaddr "CTRLSFI" "AWS Cloud"
9539 set dstaddr "Euronet-Switch" "EuronetTest2"
9542 set service "TCP33305" "TRACEROUTE" "TCP8049"
9544 next
9545 edit 155
9546 set uuid b352ef92-5034-51e7-103b-006ea5ba436d
9548 set dstintf "port10"
9549 set srcaddr "Euronet-Switch" "EuronetTest2"
9550 set dstaddr "CTRLSFI" "AWS Cloud"
9553 set service "TCP33305" "ALL_ICMP" "TCP8049"
9555 next
9556 edit 156
9557 set uuid 49151eaa-5036-51e7-7078-1bb646245a2a
9560 set srcaddr "ATMInterface" "TESTSERVR"
9561 set dstaddr "CTRLSFI" "AWS Cloud"
9564 set service "TCP44405" "ALL_ICMP" "TELNET" "TRACEROUTE" "TCP7094"
9566 next
9567 edit 163
9568 set uuid 2886c97c-8bfa-51e7-a8d3-f2b81b519cfb
9571 set srcaddr "Finacus-IMPS-LIVE" "IMPS_Telnet" "Finacus - Mobile ↓
...Banking" "Finacus_RGCS_1"
9575 set service "ALL_ICMP" "TCP45451" "TRACEROUTE" "HTTPS"
9577 next
9578 edit 174
9579 set uuid 3897ceae-c84c-51e7-0241-c951366da47e
9582 set srcaddr "Finacus-IMPS-UAT" "IMPS_Telnet" "Finacus - Mobile ↓
...Banking"
9586 set service "ALL_ICMP" "TCP45451" "TRACEROUTE"
9588 next
9589 edit 164
9590 set uuid 642d374e-8bfb-51e7-a95b-6c6cf98eecb5
9593 set srcaddr "ATMInterface" "IMPS Interface"
9594 set dstaddr "Finacus-IMPS-LIVE" "Finacus_RGCS_1"
9597 set service "ALL_ICMP" "TCP45451" "TRACEROUTE" "HTTPS"
9599 next
9600 edit 173
9601 set uuid 0b0df798-c84b-51e7-42bd-29e6e3b46dbb
9605 set dstaddr "Finacus-IMPS-UAT" "IMPS @ Branch"
9608 set service "ALL_ICMP" "TCP45451" "TRACEROUTE" "HTTP"
9610 next
9611 edit 172
9612 set uuid bf8017e6-c58b-51e7-15df-301b824d4cac
9616 set dstaddr "Euronet-Checkpoint"
9619 set service "TCP-3926" "TRACEROUTE" "ALL_ICMP"
9621 next
9622 edit 176
9623 set uuid 6b953844-e6e9-51e7-c40c-d996375b1752
9626 set srcaddr "BBPS_Clients"
9631 set service "HTTPS" "TRACEROUTE"
9633 next
9634 edit 177
9635 set uuid fe1549b0-faae-51e7-12dc-e856c5a19b28
9638 set srcaddr "PRASANNA" "Datacenter-Laptop-2"
9639 set dstaddr "BBPS2" "BBPS1"
9643 set service "HTTPS" "TRACEROUTE" "TELNET"
9645 next
9646 edit 179
9647 set uuid 4c3c5d22-0d97-51e8-c7de-855ef0aba5b4
9650 set srcaddr "ATM-FINCRAFT-USER1" "HO-INTERNET-USERS-ATM"
9651 set dstaddr "Finacus_RGCS_1" "IMPS router" "Finacus - Mobile ↓
...Banking" "Finacus_RGCS_2" "Finacus-IMPS-Webservice"
9654 set service "HTTPS" "TRACEROUTE" "ALL_ICMP" "HTTP"
9656 next
9657 edit 180
9658 set uuid 89326190-0d9c-51e8-a5e2-43d49d2a7514
9661 set srcaddr "Finacus_RGCS_1" "IMPS router" "Finacus - Mobile Banking"
9662 set dstaddr "ATM-FINCRAFT-USER1"
9665 set service "TRACEROUTE" "HTTPS" "ALL_ICMP" "HTTP"
9667 next
9668 edit 181
9669 set uuid f96abd1a-4dff-51e8-28f2-2ac1cdbc00e9
9670 set srcintf "wan1"
9672 set srcaddr "PFMS"
9673 set dstaddr "VMWARE-CLIENT"
9677 set service "FTP" "GST-SFTP"
9679 next
9680 edit 182
9680 edit 182
9681 set uuid 37345c46-5765-51e8-c787-34e87f93f189
9684 set srcaddr "SFMS-PRIMARY"
9690 next
9691 edit 186
9692 set uuid fe6fe4ac-79e7-51e8-2783-0151a8b2f0fc
9701 set label "Antivirus Access to SFMS"
9702 set nat enable
9703 next
9704 edit 191
9705 set uuid bb8520f0-8426-51e8-deb5-df45ca8f2408
9714 set label "Branches To BBPSAPI"
9715 set nat enable
9716 next
9717 edit 187
9718 set uuid 21f8b3f2-7c24-51e8-9159-d82617921778
..."Branches-Group-4" "BranchesGroup-5" "BRANCH-GROUP-6" "ratanlal-BSNL-Wan" "Asegaon, Ta. ↓
...Mangrulpir District Washim,Mangrulpur,Maharashtra"
9727 set label "Branches To BBPSAPI"
9728 next
9729 edit 188
9730 set uuid f053573e-7c24-51e8-6a0d-2b9246e67c17
9733 set srcaddr "HO-USERS"
9737 set service "TCP-8012" "ALL_ICMP" "TRACEROUTE"
9739 set label "HO Users To BBPSAPI"
9740 next
9741 edit 193
9742 set uuid 75068ca2-9a03-51e8-a817-a698e3895042
9746 set dstaddr "IMPS router" "IMPS_Telnet"
9749 set service "ALL_ICMP" "TELNET" "TRACEROUTE"
9751 next
9752 edit 194
9753 set uuid 82e9d70c-b4e8-51e8-aa2e-51482300f90f
9756 set srcaddr "comsolvepc"
9757 set dstaddr "Comsolve Webmail" "Comsolve Mail IP" "ISG IP" "ISG ↓
...MERCHANT PAY"
9762 set nat enable
9763 next
9764 edit 195
9765 set uuid 795105f4-bbf4-51e8-7ea6-849310497eff
9768 set srcaddr "SFMS-PRIMARY"
9775 set nat enable
9776 next
9777 edit 196
9778 set uuid e5bbbd34-c099-51e8-63f5-e0dbac0034ef
9781 set srcaddr "Finacus-IMPS-UAT" "Finacus-IMPS-Webservice"
9782 set dstaddr "Euronet NetScaler" "WEB-CMS" "BBPS2"
9785 set service "TCP9095" "TCP-9086" "HTTPS" "TCP9086"
9787 next
9788 edit 206
9789 set uuid 28db0c2a-0e90-51e9-6a3b-bed2c8765541
9792 set srcaddr "Finacus-IMPS-LIVE"
9798 next
9799 edit 197
9800 set uuid bcb09116-c09a-51e8-5573-31b297f3b509
9803 set srcaddr "Euronet NetScaler"
9804 set dstaddr "Finacus-IMPS-UAT" "Netscaler_Natted_IP"
9808 set service "TRACEROUTE" "TELNET" "TCP9095"
9810 next
9811 edit 198
9812 set uuid 5c24fcb6-c706-51e8-141e-a25de1620053
9815 set srcaddr "VaidyaSir" "PA" "CTS-PC" "SK Mohod" "MILIND" "Vinod ↓
...Kalbande" "CropInsurance"
9821 set nat enable
9822 next
9823 edit 199
9824 set uuid ec8c2fee-cc8e-51e8-1d32-34cbcbf48a6f
9827 set srcaddr "PRASANNA" "MORESIR"
9828 set dstaddr "FRM"
9833 next
9834 edit 200
9835 set uuid 37a7b1e4-d68d-51e8-185e-b19339478dc4
9838 set srcaddr "BSG - Recon Server"
9839 set dstaddr "SIEM-SRV"
9842 set service "ALL_ICMP" "TRACEROUTE" "TELNET" "SYSLOG"
9844 set nat enable
9845 next
9846 edit 201
9847 set uuid d3b51f50-d849-51e8-0a3b-d2a91a600530
9851 set dstaddr "Micro-ATM"
9857 set nat enable
9858 next
9859 edit 202
9860 set uuid 024c41a4-dce6-51e8-a3b8-56251c908b18
9863 set srcaddr "Micro-ATM"
9864 set dstaddr "VMWARE-CLIENT"
9869 set nat enable
9870 next
9871 edit 207
9872 set uuid 35ee912a-17c3-51e9-5b35-62e6f7052cb1
9875 set srcaddr "Nelito_Tech"
9876 set dstaddr "IMPS @ Branch"
9881 next
9882 edit 208
9883 set uuid 1329a7d0-5056-51e9-d338-1f6f3e4bdece
9886 set srcaddr "RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA ↓
...RATANLAL"
9887 set dstaddr "ISG IP" "ISG MERCHANT PAY"
9893 set nat enable
9894 next
9895 edit 209
9896 set uuid 6912d178-6d7d-51e9-ba21-3e7037cae94f
9899 set srcaddr "RATANLAL PLOT BRANCH NR RAGHUVANSHI MANGAL KARYALAYA ↓
...RATANLAL"
9900 set dstaddr "Finacus-IMPS-Webservice"
9903 set service "HTTP"
9905 next
9906 end
9907 config firewall local-in-policy
9907 config firewall local-in-policy
9908 end
9909 config firewall policy6
9910 end
9911 config firewall local-in-policy6
9912 end
9913 config firewall ttl-policy
9914 end
9916 end
9918 end
9919 config firewall explicit-proxy-policy
9920 edit 1
9921 set uuid dcd1716c-b52c-51e5-58cc-67cd81dc1400
9922 set proxy web
9924 set srcaddr "DC-ADMIN-INTERNET-USERS"
9926 set service "webproxy"
9931 next
9932 edit 2
9933 set uuid c56b439c-b52f-51e5-d5be-10db2dd7e753
9934 set proxy web
9936 set srcaddr "GHS" "Shende Saheb"
9946 next
9947 edit 3
9948 set uuid f8064bba-b53b-51e5-71cd-369c8ea66f4e
9949 set proxy web
9951 set srcaddr "Agme Saheb" "Mangle" "S.N.Wankhade" "Nale Saheb" ↓
..."HO-INTERNET-USERS-ATM" "HO-Backoffice-INTENETUSER-3"
9961 next
9962 edit 4
9963 set uuid a522d85c-b5e8-51e5-ccce-0aeca7e7ef52
9964 set proxy web
9966 set srcaddr "VaidyaSir"
9973 next
9974 edit 5
9975 set uuid 81778142-567c-51e7-9eef-3a5c30bcdcea
9976 set proxy web
9984 next
9985 end
9986 config firewall interface-policy
9987 end
9988 config firewall interface-policy6
9989 end
9990 config firewall DoS-policy
9991 end
9992 config firewall DoS-policy6
9993 end
9994 config firewall sniffer
9995 end
9996 config endpoint-control profile
9997 edit "default"
9998 config forticlient-winmac-settings
9999 set forticlient-wf-profile "default"
10000 end
10001 config forticlient-android-settings
10002 end
10003 config forticlient-ios-settings
10004 end
10005 next
10006 end
10007 config wireless-controller wids-profile
10008 edit "default"
10009 set comment "Default WIDS profile."
10010 set ap-scan enable
10011 set wireless-bridge enable
10012 set deauth-broadcast enable
10013 set null-ssid-probe-resp enable
10014 set long-duration-attack enable
10015 set invalid-mac-oui enable
10016 set weak-wep-iv enable
10017 set auth-frame-flood enable
10018 set assoc-frame-flood enable
10019 set spoofed-deauth enable
10020 set asleap-attack enable
10021 set eapol-start-flood enable
10022 set eapol-logoff-flood enable
10023 set eapol-succ-flood enable
10024 set eapol-fail-flood enable
10025 set eapol-pre-succ-flood enable
10026 set eapol-pre-fail-flood enable
10027 next
10028 edit "default-wids-apscan-enabled"
10029 set ap-scan enable
10030 next
10031 end
10032 config wireless-controller wtp-profile
10033 edit "11n-only"
10034 set ap-country US
10035 config radio-1
10036 set band 802.11n
10037 end
10039 set mode disabled
10040 end
10041 next
10042 edit "FAP112B-default"
10043 config platform
10044 set type 112B
10045 end
10048 set band 802.11n
10049 end
10052 end
10053 next
10057 set band 802.11n-5G
10058 end
10060 set band 802.11n
10061 end
10061 end
10062 next
10065 set type 223B
10066 end
10069 set band 802.11n-5G
10070 end
10072 set band 802.11n
10073 end
10074 next
10077 set type 210B
10078 end
10081 set band 802.11n
10082 end
10085 end
10086 next
10089 set type 222B
10090 end
10093 set band 802.11n
10094 end
10096 set band 802.11n-5G
10097 end
10098 next
10101 set type 320B
10102 end
10105 set band 802.11n-5G
10106 end
10108 set band 802.11n
10109 end
10110 next
10111 edit "FAP11C-default"
10113 set type 11C
10114 end
10117 set band 802.11n
10118 end
10121 end
10122 next
10125 set type 14C
10126 end
10129 set band 802.11n
10130 end
10133 end
10134 next
10137 set type 28C
10138 end
10141 set band 802.11n
10142 end
10145 end
10146 next
10149 set type 320C
10150 end
10153 set band 802.11n
10154 end
10156 set band 802.11ac
10157 end
10158 next
10161 set type 221C
10162 end
10165 set band 802.11n
10166 end
10168 set band 802.11ac
10169 end
10170 next
10171 edit "FAP25D-default"
10173 set type 25D
10174 end
10177 set band 802.11n
10178 end
10181 end
10182 next
10185 set type 222C
10186 end
10189 set band 802.11n
10190 end
10192 set band 802.11ac
10193 end
10194 next
10197 set type 224D
10198 end
10201 set band 802.11n-5G
10202 end
10204 set band 802.11n
10205 end
10206 next
10207 edit "FK214B-default"
10209 set type 214B
10210 end
10213 set band 802.11n
10214 end
10217 end
10217 end
10218 next
10221 set type 21D
10222 end
10225 set band 802.11n
10226 end
10229 end
10230 next
10233 set type 24D
10234 end
10237 set band 802.11n
10238 end
10241 end
10242 next
10245 set type 112D
10246 end
10249 set band 802.11n
10250 end
10253 end
10254 next
10257 set type 223C
10258 end
10261 set band 802.11n
10262 end
10264 set band 802.11ac
10265 end
10266 next
10269 set type 321C
10270 end
10273 set band 802.11n
10274 end
10276 set band 802.11ac
10277 end
10278 next
10279 edit "FAPC220C-default"
10282 set band 802.11n
10283 end
10285 unset band
10286 end
10287 next
10288 edit "FAPC225C-default"
10291 set band 802.11n
10292 end
10294 unset band
10294 unset band
10295 end
10296 next
10297 end
10298 config log memory setting
10300 end
10301 config log setting
10302 set fwpolicy-implicit-log enable
10303 end
10304 config router rip
10305 config redistribute "connected"
10306 end
10307 config redistribute "static"
10308 end
10309 config redistribute "ospf"
10310 end
10311 config redistribute "bgp"
10312 end
10313 config redistribute "isis"
10314 end
10315 end
10316 config router ripng
10318 end
10320 end
10322 end
10324 end
10326 end
10327 end
10328 config router static
10329 edit 8
10330 set dst 172.21.23.0 255.255.255.0
10331 set gateway 172.22.26.3
10332 set device "CheckPoint-FW"
10333 set comment "PDC"
10334 next
10335 edit 12
10336 set dst 172.21.25.0 255.255.255.0
10337 set gateway 172.22.26.3
10339 set comment "ATM Interface"
10340 next
10341 edit 18
10342 set dst 10.13.135.39 255.255.255.255
10343 set gateway 172.21.29.3
10344 set device "ATM"
10345 set comment "SDMS-Agent"
10346 next
10347 edit 19
10348 set dst 10.13.135.58 255.255.255.255
10349 set gateway 172.21.29.3
10351 set comment "WEB-CMS"
10352 next
10353 edit 20
10354 set dst 192.168.171.40 255.255.255.255
10355 set gateway 172.21.29.3
10357 set comment "RGCS"
10358 next
10359 edit 21
10360 set dst 192.168.171.33 255.255.255.255
10361 set gateway 172.21.29.3
10363 set comment "RGCS"
10364 next
10365 edit 22
10366 set dst 202.138.123.73 255.255.255.255
10367 set gateway 172.21.29.3
10369 set comment "SFTP"
10370 next
10371 edit 24
10372 set dst 10.28.1.171 255.255.255.255
10372 set dst 10.28.1.171 255.255.255.255
10373 set gateway 172.30.0.50
10374 set device "RTGS"
10375 set comment "Ekuber-Backup"
10376 next
10377 edit 26
10378 set dst 10.29.2.11 255.255.255.255
10379 set gateway 172.30.0.50
10381 set comment "PO-1"
10382 next
10383 edit 27
10384 set dst 10.29.3.51 255.255.255.255
10385 set gateway 172.30.0.50
10387 set comment "PO-2"
10388 next
10389 edit 28
10390 set dst 10.29.1.191 255.255.255.255
10391 set gateway 172.22.26.3
10393 set comment "PO-Ticketing"
10394 next
10395 edit 29
10396 set dst 10.35.3.51 255.255.255.255
10397 set gateway 172.30.0.50
10399 set comment "PO-FAR-DR"
10400 next
10401 edit 30
10402 set dst 10.28.3.51 255.255.255.255
10403 set gateway 172.30.0.50
10405 set comment "PO-NEAR-DR"
10406 next
10407 edit 31
10408 set dst 10.0.67.18 255.255.255.255
10409 set gateway 172.30.0.50
10411 set comment "IDRBT-CA"
10412 next
10413 edit 32
10414 set dst 10.0.67.166 255.255.255.255
10415 set gateway 172.30.0.50
10417 set comment "IDRBT-INTRANET"
10418 next
10419 edit 33
10420 set dst 10.0.67.115 255.255.255.255
10421 set gateway 172.30.0.50
10423 set comment "SFMS-SERVER"
10424 next
10425 edit 35
10426 set dst 10.0.67.194 255.255.255.255
10427 set gateway 172.30.0.50
10429 set comment "SFMS UAT"
10430 next
10431 edit 36
10432 set dst 172.21.22.0 255.255.255.0
10433 set gateway 172.22.26.3
10435 set comment "App Server "
10436 next
10437 edit 38
10438 set dst 192.168.11.0 255.255.255.0
10439 set gateway 192.168.1.100
10440 set device "DC-Router"
10441 set comment "TUKARAM"
10442 next
10443 edit 39
10444 set dst 192.168.26.0 255.255.255.0
10445 set gateway 192.168.1.100
10447 set comment "Ratanlal"
10448 next
10449 edit 40
10450 set dst 192.168.22.0 255.255.255.0
10450 set dst 192.168.22.0 255.255.255.0
10451 set gateway 192.168.1.100
10453 set comment "Umri"
10454 next
10455 edit 41
10456 set dst 192.168.2.0 255.255.255.0
10457 set gateway 192.168.1.100
10459 set comment "MarketYard"
10460 next
10461 edit 42
10462 set dst 192.168.3.0 255.255.255.0
10463 set gateway 192.168.1.100
10465 next
10466 edit 43
10467 set dst 192.168.4.0 255.255.255.0
10468 set gateway 192.168.1.100
10470 next
10471 edit 44
10472 set dst 192.168.7.0 255.255.255.0
10473 set gateway 192.168.1.100
10475 next
10476 edit 45
10477 set dst 192.168.8.0 255.255.255.0
10478 set gateway 192.168.1.100
10481 set comment "korpe nagar"
10482 next
10483 edit 46
10484 set dst 192.168.9.0 255.255.255.0
10485 set gateway 192.168.1.100
10487 set comment "PDKV"
10488 next
10489 edit 47
10490 set dst 192.168.10.0 255.255.255.0
10491 set gateway 192.168.1.100
10493 set comment "Dabaki"
10494 next
10495 edit 48
10496 set dst 192.168.12.0 255.255.255.0
10497 set gateway 192.168.1.100
10499 set comment "Borgaon"
10500 next
10501 edit 49
10502 set dst 192.168.13.0 255.255.255.0
10503 set gateway 192.168.1.100
10505 set comment "Palso"
10506 next
10507 edit 50
10508 set dst 192.168.14.0 255.255.255.0
10509 set gateway 192.168.1.100
10511 set comment "Mhaisang"
10512 next
10513 edit 51
10514 set dst 192.168.15.0 255.255.255.0
10515 set gateway 192.168.1.100
10517 set comment "Kanshivani"
10518 next
10519 edit 52
10520 set dst 192.168.16.0 255.255.255.0
10521 set gateway 192.168.1.100
10523 set comment "Gandhigram"
10524 next
10525 edit 53
10526 set dst 192.168.17.0 255.255.255.0
10527 set gateway 192.168.1.100
10529 set comment "Chikhalgaon"
10530 next
10531 edit 54
10532 set dst 192.168.18.0 255.255.255.0
10533 set gateway 192.168.1.100
10535 set comment "Dahihanda"
10536 next
10537 edit 55
10538 set dst 192.168.19.0 255.255.255.0
10539 set gateway 192.168.1.100
10541 set comment "Patur Nandapur"
10542 next
10543 edit 56
10544 set dst 192.168.20.0 255.255.255.0
10545 set gateway 192.168.1.100
10547 set comment "Kurankhed"
10548 next
10549 edit 57
10550 set dst 192.168.21.0 255.255.255.0
10551 set gateway 192.168.1.100
10553 set comment "Goregaon"
10554 next
10555 edit 59
10556 set dst 192.168.24.0 255.255.255.0
10557 set gateway 192.168.1.100
10559 set comment "Ranpise Nagar"
10560 next
10561 edit 60
10562 set dst 192.168.25.0 255.255.255.0
10563 set gateway 192.168.1.100
10565 set comment "Aagar"
10566 next
10567 edit 61
10568 set dst 192.168.28.0 255.255.255.0
10569 set gateway 192.168.1.100
10571 set comment "Barshitakli"
10572 next
10573 edit 63
10574 set dst 192.168.30.0 255.255.255.0
10575 set gateway 192.168.1.100
10577 set comment "Mahan"
10578 next
10579 edit 64
10580 set dst 192.168.31.0 255.255.255.0
10581 set gateway 192.168.1.100
10583 set comment "Kaneri Sarap"
10584 next
10585 edit 65
10586 set dst 192.168.32.0 255.255.255.0
10587 set gateway 192.168.1.100
10589 set comment "Dhaba"
10590 next
10591 edit 66
10592 set dst 192.168.33.0 255.255.255.0
10593 set gateway 192.168.1.100
10595 set comment "Akot Main"
10596 next
10597 edit 67
10598 set dst 192.168.34.0 255.255.255.0
10599 set gateway 192.168.1.100
10601 set comment "Akot Ct"
10602 next
10603 edit 68
10604 set dst 192.168.35.0 255.255.255.0
10605 set gateway 192.168.1.100
10607 set comment "Akot Narsing Mandir"
10608 next
10609 edit 69
10610 set dst 192.168.36.0 255.255.255.0
10611 set gateway 192.168.1.100
10613 set comment "Savara"
10614 next
10615 edit 70
10616 set dst 192.168.37.0 255.255.255.0
10617 set gateway 192.168.1.100
10619 set comment "Rundala"
10620 next
10621 edit 71
10622 set dst 192.168.38.0 255.255.255.0
10623 set gateway 192.168.1.100
10625 set comment "Chohatta Bazar"
10626 next
10627 edit 72
10628 set dst 192.168.39.0 255.255.255.0
10629 set gateway 192.168.1.100
10631 set comment "Warul Jaulka"
10632 next
10633 edit 73
10634 set dst 192.168.40.0 255.255.255.0
10635 set gateway 192.168.1.100
10637 set comment "Akolkhed"
10638 next
10639 edit 74
10640 set dst 192.168.41.0 255.255.255.0
10641 set gateway 192.168.1.100
10643 set comment "Kutasa"
10644 next
10645 edit 75
10646 set dst 192.168.42.0 255.255.255.0
10647 set gateway 192.168.1.100
10649 set comment "Mundagaon"
10650 next
10651 edit 76
10652 set dst 192.168.110.0 255.255.255.0
10653 set gateway 192.168.1.100
10655 set comment "Bordi Ext"
10656 next
10657 edit 77
10658 set dst 192.168.43.0 255.255.255.0
10659 set gateway 192.168.1.100
10661 set comment "Telhara Main"
10662 next
10663 edit 78
10664 set dst 192.168.44.0 255.255.255.0
10665 set gateway 192.168.1.100
10667 set comment "Telhara City"
10668 next
10669 edit 79
10670 set dst 192.168.45.0 255.255.255.0
10671 set gateway 192.168.1.100
10673 set comment "Hiwarkhed"
10674 next
10675 edit 80
10676 set dst 192.168.46.0 255.255.255.0
10677 set gateway 192.168.1.100
10679 set comment "Danapur"
10680 next
10681 edit 81
10682 set dst 192.168.47.0 255.255.255.0
10683 set gateway 192.168.1.100
10683 set gateway 192.168.1.100
10685 set comment "Pathardi"
10686 next
10687 edit 82
10688 set dst 192.168.48.0 255.255.255.0
10689 set gateway 192.168.1.100
10691 set comment "Belkhed"
10692 next
10693 edit 83
10694 set dst 192.168.49.0 255.255.255.0
10695 set gateway 192.168.1.100
10697 set comment "Aadsul"
10698 next
10699 edit 84
10700 set dst 192.168.50.0 255.255.255.0
10701 set gateway 192.168.1.100
10703 set comment "Aadgaon Bujurg"
10704 next
10705 edit 85
10706 set dst 192.168.51.0 255.255.255.0
10707 set gateway 192.168.1.100
10709 set comment "Balapur"
10710 next
10711 edit 86
10712 set dst 192.168.114.0 255.255.255.0
10713 set gateway 192.168.1.100
10715 set comment "Hiwarkhed Ext"
10716 next
10717 edit 87
10718 set dst 192.168.52.0 255.255.255.0
10719 set gateway 192.168.1.100
10721 set comment "Ural"
10722 next
10723 edit 88
10724 set dst 192.168.53.0 255.255.255.0
10725 set gateway 192.168.1.100
10727 set comment "Wadegaon"
10728 next
10729 edit 89
10730 set dst 192.168.54.0 255.255.255.0
10731 set gateway 192.168.1.100
10733 set comment "Nimba"
10734 next
10735 edit 90
10736 set dst 192.168.55.0 255.255.255.0
10737 set gateway 192.168.1.100
10739 set comment "Paras"
10740 next
10741 edit 91
10742 set dst 192.168.56.0 255.255.255.0
10743 set gateway 192.168.1.100
10745 set comment "Hatrun"
10746 next
10747 edit 92
10748 set dst 192.168.57.0 255.255.255.0
10749 set gateway 192.168.1.100
10751 set comment "Vyala"
10752 next
10753 edit 93
10754 set dst 192.168.58.0 255.255.255.0
10755 set gateway 192.168.1.100
10757 set comment "Patur"
10758 next
10759 edit 94
10760 set dst 192.168.59.0 255.255.255.0
10761 set gateway 192.168.1.100
10761 set gateway 192.168.1.100
10763 set comment "Channi"
10764 next
10765 edit 95
10766 set dst 192.168.60.0 255.255.255.0
10767 set gateway 192.168.1.100
10769 set comment "Aalegaon"
10770 next
10771 edit 96
10772 set dst 192.168.61.0 255.255.255.0
10773 set gateway 192.168.1.100
10775 set comment "Vivra Babulgaon"
10776 next
10777 edit 97
10778 set dst 192.168.62.0 255.255.255.0
10779 set gateway 192.168.1.100
10781 set comment "Sasti"
10782 next
10783 edit 98
10784 set dst 192.168.64.0 255.255.255.0
10785 set gateway 192.168.1.100
10787 set comment "Murtizapur Main"
10788 next
10789 edit 99
10790 set dst 192.168.65.0 255.255.255.0
10791 set gateway 192.168.1.100
10793 set comment "Murtizapur Mkt Yard"
10794 next
10795 edit 100
10796 set dst 192.168.66.0 255.255.255.0
10797 set gateway 192.168.1.100
10799 set comment "Murtizapur Ct"
10800 next
10801 edit 101
10802 set dst 192.168.67.0 255.255.255.0
10803 set gateway 192.168.1.100
10805 set comment "Mana"
10806 next
10807 edit 102
10808 set dst 192.168.68.0 255.255.255.0
10809 set gateway 192.168.1.100
10811 set comment "Kurum"
10812 next
10813 edit 103
10814 set dst 192.168.70.0 255.255.255.0
10815 set gateway 192.168.1.100
10817 set comment "Karanja Main"
10818 next
10819 edit 104
10820 set dst 192.168.71.0 255.255.255.0
10821 set gateway 192.168.1.100
10823 set comment "Karanja Ct"
10824 next
10825 edit 105
10826 set dst 192.168.72.0 255.255.255.0
10827 set gateway 192.168.1.100
10829 set comment "Kamargaon"
10830 next
10831 edit 106
10832 set dst 192.168.73.0 255.255.255.0
10833 set gateway 192.168.1.100
10835 set comment "Umbarda Bazar"
10836 next
10837 edit 107
10838 set dst 192.168.74.0 255.255.255.0
10839 set gateway 192.168.1.100
10839 set gateway 192.168.1.100
10841 set comment "Dhanaj Bujurg"
10842 next
10843 edit 108
10844 set dst 192.168.75.0 255.255.255.0
10845 set gateway 192.168.1.100
10847 set comment "Manabha"
10848 next
10849 edit 109
10850 set dst 192.168.76.0 255.255.255.0
10851 set gateway 192.168.1.100
10853 set comment "Poha"
10854 next
10855 edit 110
10856 set dst 192.168.77.0 255.255.255.0
10857 set gateway 192.168.1.100
10859 set comment "Kajaleshwar"
10860 next
10861 edit 111
10862 set dst 192.168.78.0 255.255.255.0
10863 set gateway 192.168.1.100
10865 set comment "Mangrulpir Main"
10866 next
10867 edit 112
10868 set dst 192.168.79.0 255.255.255.0
10869 set gateway 192.168.1.100
10871 set comment "Mangrulpir Ct"
10872 next
10873 edit 113
10874 set dst 192.168.80.0 255.255.255.0
10875 set gateway 192.168.1.100
10877 set comment "Mohari"
10878 next
10879 edit 114
10880 set dst 192.168.81.0 255.255.255.0
10881 set gateway 192.168.1.100
10883 set comment "Shellu Bazar"
10884 next
10885 edit 115
10886 set dst 192.168.82.0 255.255.255.0
10887 set gateway 192.168.1.100
10889 set comment "Wanoja"
10890 next
10891 edit 116
10892 set dst 192.168.83.0 255.255.255.0
10893 set gateway 192.168.1.100
10895 set comment "Dhanora"
10896 next
10897 edit 117
10898 set dst 192.168.109.0 255.255.255.0
10899 set gateway 192.168.1.100
10901 set comment "Kasola Extension"
10902 next
10903 edit 118
10904 set dst 192.168.112.0 255.255.255.0
10905 set gateway 192.168.1.100
10907 set comment "Aasegaon Ext."
10908 next
10909 edit 119
10910 set dst 192.168.84.0 255.255.255.0
10911 set gateway 192.168.1.100
10913 set comment "Manora"
10914 next
10915 edit 120
10916 set dst 192.168.85.0 255.255.255.0
10917 set gateway 192.168.1.100
10917 set gateway 192.168.1.100
10919 set comment "Shendurjana"
10920 next
10921 edit 121
10922 set dst 192.168.86.0 255.255.255.0
10923 set gateway 192.168.1.100
10925 set comment "Poharadevi"
10926 next
10927 edit 122
10928 set dst 192.168.87.0 255.255.255.0
10929 set gateway 192.168.1.100
10931 set comment "Sakhardoh"
10932 next
10933 edit 123
10934 set dst 192.168.88.0 255.255.255.0
10935 set gateway 192.168.1.100
10937 set comment "Washim Main"
10938 next
10939 edit 124
10940 set dst 192.168.89.0 255.255.255.0
10941 set gateway 192.168.1.100
10943 set comment "Washim City"
10944 next
10945 edit 125
10946 set dst 192.168.90.0 255.255.255.0
10947 set gateway 192.168.1.100
10949 set comment "Ansing"
10950 next
10951 edit 126
10952 set dst 192.168.91.0 255.255.255.0
10953 set gateway 192.168.1.100
10955 set comment "Tondgaon"
10956 next
10957 edit 127
10958 set dst 192.168.92.0 255.255.255.0
10959 set gateway 192.168.1.100
10961 set comment "Pardi Takmor"
10962 next
10963 edit 128
10964 set dst 192.168.111.0 255.255.255.0
10965 set gateway 192.168.1.100
10967 set comment "Washim Patani Chouk "
10968 next
10969 edit 129
10970 set dst 192.168.113.0 255.255.255.0
10971 set gateway 192.168.1.100
10973 set comment "WAshim Zp"
10974 next
10975 edit 130
10976 set dst 192.168.93.0 255.255.255.0
10977 set gateway 192.168.1.100
10979 set comment "Malegaon"
10980 next
10981 edit 131
10982 set dst 192.168.94.0 255.255.255.0
10983 set gateway 192.168.1.100
10985 set comment "Kinhiraja"
10986 next
10987 edit 132
10988 set dst 192.168.95.0 255.255.255.0
10989 set gateway 192.168.1.100
10991 set comment "Shirpur Jain"
10992 next
10993 edit 133
10994 set dst 192.168.96.0 255.255.255.0
10994 set dst 192.168.96.0 255.255.255.0
10995 set gateway 192.168.1.100
10997 set comment "Medshi"
10998 next
10999 edit 134
11000 set dst 192.168.97.0 255.255.255.0
11001 set gateway 192.168.1.100
11003 set comment "Pangrikute"
11004 next
11005 edit 135
11006 set dst 192.168.98.0 255.255.255.0
11007 set gateway 192.168.1.100
11009 set comment "Jaulka Railway"
11010 next
11011 edit 136
11012 set dst 192.168.99.0 255.255.255.0
11013 set gateway 192.168.1.100
11015 set comment "Risod Main"
11016 next
11017 edit 137
11018 set dst 192.168.100.0 255.255.255.0
11019 set gateway 192.168.1.100
11021 set comment "Risod Ct"
11022 next
11023 edit 138
11024 set dst 192.168.101.0 255.255.255.0
11025 set gateway 192.168.1.100
11027 set comment "Rithad"
11028 next
11029 edit 139
11030 set dst 192.168.102.0 255.255.255.0
11031 set gateway 192.168.1.100
11033 set comment "Kenwad"
11034 next
11035 edit 140
11036 set dst 192.168.103.0 255.255.255.0
11037 set gateway 192.168.1.100
11039 set comment "MangulZanak"
11040 next
11041 edit 141
11042 set dst 192.168.104.0 255.255.255.0
11043 set gateway 192.168.1.100
11045 set comment "Haral"
11046 next
11047 edit 142
11048 set dst 192.168.105.0 255.255.255.0
11049 set gateway 192.168.1.100
11051 set comment "Mop"
11052 next
11053 edit 143
11054 set dst 192.168.106.0 255.255.255.0
11055 set gateway 192.168.1.100
11057 set comment "Keshav Nagar"
11058 next
11059 edit 144
11060 set dst 192.168.108.0 255.255.255.0
11061 set gateway 192.168.1.100
11063 set comment "Chikhali Ext."
11064 next
11065 edit 145
11066 set dst 192.168.107.0 255.255.255.0
11067 set gateway 192.168.1.100
11069 set comment "Wakad"
11070 next
11071 edit 148
11072 set dst 172.21.27.1 255.255.255.255
11072 set dst 172.21.27.1 255.255.255.255
11073 set gateway 172.22.26.3
11075 set comment "Test-Server"
11076 next
11077 edit 149
11078 set dst 192.168.251.0 255.255.255.0
11079 set gateway 192.168.1.100
11081 next
11082 edit 150
11083 set dst 10.13.139.2 255.255.255.255
11084 set gateway 172.21.29.3
11086 next
11087 edit 152
11088 set dst 172.21.24.0 255.255.255.0
11089 set gateway 172.22.26.3
11091 next
11092 edit 147
11093 set dst 192.168.250.0 255.255.255.0
11094 set gateway 192.168.1.100
11096 set comment "Sophos-Backup"
11097 next
11098 edit 151
11099 set dst 10.13.15.65 255.255.255.255
11100 set gateway 172.21.29.3
11102 next
11103 edit 154
11104 set dst 10.10.10.0 255.255.255.240
11105 set gateway 172.22.26.5
11107 next
11108 edit 157
11109 set dst 192.168.252.0 255.255.255.0
11110 set gateway 192.168.1.100
11112 next
11113 edit 158
11114 set dst 172.21.21.0 255.255.255.0
11115 set gateway 172.22.26.3
11117 next
11118 edit 162
11119 set dst 10.35.1.171 255.255.255.255
11120 set gateway 172.30.0.50
11122 next
11123 edit 155
11124 set dst 172.17.17.0 255.255.255.0
11125 set gateway 192.168.1.100
11127 next
11128 edit 160
11129 set dst 172.19.19.0 255.255.255.0
11130 set gateway 192.168.1.100
11132 next
11133 edit 146
11134 set gateway 172.22.22.3
11135 set device "wan1"
11136 next
11137 edit 156
11138 set dst 192.168.5.0 255.255.255.0
11139 set gateway 192.168.1.100
11141 next
11142 edit 163
11143 set dst 192.168.23.0 255.255.255.0
11144 set gateway 192.168.1.100
11146 set comment "KHADKI"
11147 next
11148 edit 161
11149 set dst 192.168.29.0 255.255.255.0
11150 set gateway 192.168.1.100
11150 set gateway 192.168.1.100
11152 set comment "Pinjar"
11153 next
11154 edit 165
11155 set dst 172.20.20.0 255.255.255.0
11156 set gateway 192.168.1.100
11158 next
11159 edit 166
11160 set dst 192.168.115.0 255.255.255.0
11161 set gateway 192.168.1.246
11163 set comment "INZORI BRANCH"
11164 next
11165 edit 167
11166 set dst 202.138.123.75 255.255.255.255
11167 set gateway 172.21.29.3
11169 next
11170 edit 168
11171 set dst 192.168.125.0 255.255.255.0
11172 set gateway 192.168.1.100
11174 set comment "KARANJA MKT YARD"
11175 next
11176 edit 164
11177 set dst 172.28.28.0 255.255.255.0
11178 set gateway 172.22.26.3
11180 next
11181 edit 169
11182 set dst 192.168.246.0 255.255.255.248
11183 set gateway 192.168.1.100
11185 set comment "NIMBA OFF-SITE ATM"
11186 next
11187 edit 170
11188 set dst 192.168.253.0 255.255.255.0
11189 set gateway 192.168.1.100
11191 next
11192 edit 171
11193 set dst 192.168.116.0 255.255.255.0
11194 set gateway 192.168.1.100
11196 set comment "KARANJA MARKET YARD"
11197 next
11198 edit 172
11199 set dst 192.168.171.28 255.255.255.255
11200 set gateway 172.21.29.3
11202 set comment "FRM"
11203 next
11204 edit 173
11205 set dst 192.168.246.8 255.255.255.248
11206 set gateway 192.168.1.100
11208 set comment "PUSAD NAKA OFF-SITE ATM"
11209 next
11210 edit 174
11211 set dst 172.23.25.0 255.255.255.0
11212 set gateway 172.30.10.2
11213 set device "port10"
11214 next
11215 edit 175
11216 set dst 172.16.16.0 255.255.255.0
11217 set gateway 172.22.26.3
11220 next
11221 edit 159
11222 set dst 172.16.16.0 255.255.255.0
11223 set gateway 192.168.1.100
11225 next
11226 edit 176
11227 set dst 192.168.63.0 255.255.255.0
11228 set gateway 192.168.1.100
11228 set gateway 192.168.1.100
11230 set comment "Unspecified Branch - Reserved For SOPHOS "
11231 next
11232 edit 180
11233 set dst 172.18.18.1 255.255.255.255
11234 set gateway 172.22.26.3
11236 next
11237 edit 181
11238 set dst 172.18.18.2 255.255.255.255
11239 set gateway 172.22.26.3
11241 next
11242 edit 178
11243 set dst 172.17.24.0 255.255.255.0
11244 set gateway 172.30.11.2
11246 next
11247 edit 179
11248 set dst 10.100.0.119 255.255.255.255
11249 set gateway 172.30.0.50
11251 set comment "IDRBT-INTRANET-2"
11252 next
11253 edit 182
11254 set dst 172.18.2.0 255.255.255.0
11255 set gateway 172.30.11.2
11257 next
11258 edit 183
11259 set dst 10.29.1.171 255.255.255.255
11260 set gateway 172.30.0.50
11262 next
11263 edit 177
11264 set dst 10.29.1.191 255.255.255.255
11265 set gateway 172.30.0.50
11267 next
11268 edit 184
11269 set dst 192.168.188.0 255.255.255.0
11270 set gateway 192.168.1.246
11272 set comment "BBPS_Washim_Main"
11273 next
11274 edit 186
11275 set dst 192.168.128.0 255.255.255.0
11276 set gateway 192.168.1.246
11278 set comment "BBPS_Barshitakli_Branch "
11279 next
11280 edit 187
11281 set dst 192.168.133.0 255.255.255.0
11282 set gateway 192.168.1.246
11284 set comment "BBPS_Akot_Main_Branch"
11285 next
11286 edit 188
11287 set dst 192.168.143.0 255.255.255.0
11288 set gateway 192.168.1.246
11290 set comment "BBPS_Telhara_Main"
11291 next
11292 edit 189
11293 set dst 192.168.151.0 255.255.255.0
11294 set gateway 192.168.1.246
11296 set comment "BBPS_Balapur_Branch"
11297 next
11298 edit 190
11299 set dst 192.168.158.0 255.255.255.0
11300 set gateway 192.168.1.246
11302 set comment "BBPS_Patur_Branch"
11303 next
11304 edit 191
11305 set dst 192.168.164.0 255.255.255.0
11305 set dst 192.168.164.0 255.255.255.0
11306 set gateway 192.168.1.246
11308 set comment "BBPS_Murtizapur_Main"
11309 next
11310 edit 192
11311 set dst 192.168.170.0 255.255.255.0
11312 set gateway 192.168.1.246
11314 set comment "BBPS_Karanja_Main_Branch"
11315 next
11316 edit 193
11317 set dst 192.168.178.0 255.255.255.0
11318 set gateway 192.168.1.246
11320 set comment "BBPS_Mangrulpir_Main_Branch"
11321 next
11322 edit 194
11323 set dst 192.168.184.0 255.255.255.0
11324 set gateway 192.168.1.246
11326 set comment "BBPS_Manora_Branch"
11327 next
11328 edit 195
11329 set dst 192.168.193.0 255.255.255.0
11330 set gateway 192.168.1.246
11332 set comment "BBPS_Malegaon_Branch"
11333 next
11334 edit 196
11335 set dst 192.168.199.0 255.255.255.0
11336 set gateway 192.168.1.246
11338 set comment "BBPS_Risod_Main_Branch"
11339 next
11340 edit 197
11341 set dst 192.168.183.50 255.255.255.255
11342 set gateway 172.30.11.2
11344 set comment "Finacus_RGCS"
11345 next
11346 edit 198
11347 set dst 172.17.25.0 255.255.255.0
11348 set gateway 172.30.11.2
11350 set comment "Finacus_Mobile Banking"
11351 next
11352 edit 185
11353 set dst 10.13.135.130 255.255.255.255
11354 set gateway 172.21.29.3
11356 next
11357 edit 199
11358 set dst 10.13.139.23 255.255.255.255
11359 set gateway 172.21.29.3
11361 set comment "Net Scaler"
11362 next
11363 edit 200
11364 set dst 192.168.162.164 255.255.255.255
11365 set gateway 172.21.29.3
11367 set comment "BCS-RuPay"
11368 next
11369 edit 201
11370 set dst 10.0.67.39 255.255.255.255
11371 set gateway 172.30.0.50
11373 set comment "CA Accounting Module"
11374 next
11375 edit 202
11376 set dst 10.28.2.162 255.255.255.255
11377 set gateway 172.30.0.50
11379 set comment "HUB Infinet IP 1"
11380 next
11381 edit 203
11382 set dst 10.29.3.128 255.255.255.255
11383 set gateway 172.30.0.50
11383 set gateway 172.30.0.50
11385 set comment "HUB Infinet IP 2"
11386 next
11387 edit 204
11388 set dst 192.168.162.163 255.255.255.255
11389 set gateway 172.30.11.2
11391 set comment "Finacus_RGCS_2"
11392 next
11393 edit 205
11394 set dst 192.168.171.6 255.255.255.255
11395 set gateway 172.21.29.3
11397 set comment "NFS URL"
11398 next
11399 edit 206
11400 set dst 172.19.19.0 255.255.255.255
11401 set gateway 172.22.26.3
11403 next
11404 edit 207
11405 set dst 172.17.2.83 255.255.255.255
11406 set gateway 172.30.11.2
11408 set comment "IMPS @ Branch"
11409 next
11410 edit 208
11411 set dst 172.21.27.5 255.255.255.255
11412 set gateway 172.22.26.3
11414 set comment "TESTSERVER_2"
11415 next
11416 edit 209
11417 set dst 10.0.4.185 255.255.255.255
11418 set gateway 172.30.10.2
11420 next
11421 edit 210
11422 set dst 10.13.135.30 255.255.255.255
11423 set gateway 172.21.29.3
11425 set comment "Netscaler_2"
11426 next
11427 edit 211
11428 set dst 172.17.2.75 255.255.255.255
11429 set gateway 172.30.11.2
11431 set comment "WebCMS"
11432 next
11433 end
11434 config router policy
11435 edit 1
11436 set input-device "RTGS"
11437 set src "172.30.0.0/255.255.255.0"
11438 set dst "172.16.16.0/255.255.255.0"
11439 set output-device "CheckPoint-FW"
11440 next
11441 edit 3
11442 set input-device "HO-USERS"
11443 set src "192.168.6.42/255.255.255.255"
11444 set dst "10.28.1.171/255.255.255.255"
11446 next
11447 edit 4
11448 set input-device "HO-USERS"
11449 set src "192.168.6.116/255.255.255.255"
11450 set dst "10.0.67.166/255.255.255.255"
11452 next
11453 end
11454 config router ospf
11456 end
11458 end
11459 config redistribute "rip"
11460 end
11462 end
11464 end
11465 end
11466 config router ospf6
11468 end
11470 end
11472 end
11474 end
11476 end
11477 end
11478 config router bgp
11480 end
11482 end
11484 end
11486 end
11488 end
11489 config redistribute6 "connected"
11490 end
11491 config redistribute6 "rip"
11492 end
11493 config redistribute6 "ospf"
11494 end
11495 config redistribute6 "static"
11496 end
11497 config redistribute6 "isis"
11498 end
11499 end
11500 config router isis
11502 end
11504 end
11506 end
11508 end
11510 end
11511 end
11512 config router multicast
11513 end
Type Hash
MD5 5c2594cfdc4fd52214070ef1edae8815
SHA-1 c91e2e9d4e53267bb540ad1d6c86220e7e547050
Table 183: Fortinet FortiGate Firewall FG100D DC-PERIMETER1 Configuration Hashes
7 Appendix
Logging message severity levels provide a w ay of tagging log messages w ith an indication of how significant the message is. Table
184 lists the various standard logging severity levels that can be configured.
Level Name Description
0 Emergencies The system is unusable.
1 Alerts Immediate action is required
2 Critical Critical conditions
3 Errors Error conditions
4 W arnings W arning conditions
5 Notifications Significant conditions
6 Informational Informational messages
7 Debugging Debugging messages
Table 184: Logging message severity levels
W hen synchronising time from a central source, time zones can configured in order to offset the time information for a specific locality.
This section details the most common time zones.
Region Acronym Time Zone UTC Offset

Australia CST Central Standard Time +9.5 hours
Australia EST Eastern Standard/Summer Time +10 hours
Australia W ST W estern Standard Time +8 hours
Europe BST British Summer Time +1 hour
Europe CEST Central Europe Summer Time +2 hours
Europe CET Central Europe Time +1 hour
Europe EEST Eastern Europe Summer Time +3 hours
Europe EST Eastern Europe Time +2 hours
Europe GMT Greenw ich Mean Time
Europe IST Irish Summer Time +1 hour
Europe MSK Moscow Time +3 hours
Europe W EST W estern Europe Summer Time +1 hour
Europe W ET W estern Europe Time +1 hour
USA and Canada ADT Atlantic Daylight Time -3 hours
USA and Canada AKDT Alaska Standard Daylight Saving Time -8 hours
USA and Canada AKST Alaska Standard Time -9 hours
USA and Canada AST Atlantic Standard Time -4 hours
USA and Canada CDT Central Daylight Saving Time -5 hours
USA and Canada CST Central Standard Time -6 hours
USA and Canada EDT Eastern Daylight Time -4 hours
USA and Canada EST Eastern Standard Time -5 hours
USA and Canada HST Haw aiian Standard Time -10 hours
USA and Canada MDT Mountain Daylight Time -6 hours
USA and Canada MST Mountain Standard Time -7 hours
USA and Canada PDT Pacific Daylight Time -7 hours
USA and Canada PST Pacific Standard Time -3 hours
Table 185: Common time zones
7.3 IP Protocols
This section lists the IP protocols referenced w ithin this report.
Name Description ID RFC

HOPOPT IPv6 Hop-by-Hop Option 0 RFC 1883
ICMP Internet Control Message 1 RFC 792
IGMP Internet Group Management 2 RFC 1112
GGP Gatew ay-to-Gatew ay 3 RFC 823
IPIP IP in IP (encapsulation) 4 RFC 2003
ST Stream 5 RFC 1819
TCP Transmission Control Protocol 6 RFC 793
CBT CBT 7
EGP Exterior Gatew ay Protocol 8 RFC 888
IGP Interior Gatew ay Protocol 9
BBN-RCC-MON BBN RCC Monitoring 10
BBN-RCC-MON BBN RCC Monitoring 10
NVP-II Netw ork Voice Protocol 11 RFC 741
PUP PARC Universal Packet 12
ARGUS ARGUS 13
EMCON EMCON 14
XNET Cross Net Debugger 15
CHAOS Chaos 16
UDP User Datagram Protocol 17 RFC 768
MUX Multiplexing 18
DCN-MEAS DCN Measurement Subsystems 19
HMP Host Monitoring Protocol 20 RFC 869
PRM Packet Radio Measurement 21
XNS-IDP XEROX NS IDP 22
TRUNK-1 Trunk-1 23
TRUNK-2 Trunk-2 24
LEAF-1 Leaf-1 25
LEAF-2 Leaf-2 26
RDP Reliable Data Protocol 27 RFC 908
IRTP Internet Reliable Transactio Protocol 28 RFC 938
ISO-TP4 ISO Transport Protocol Class 4 29 RFC 905
NETBLT Bulk Data Transfer Protocol 30 RFC 969
MFE-NSP MFE Netw ork Services Protocol 31
MERIT-INP MERIT Internodal Protocol 32
DCCP Datagram Congestion Control Protocol 33 RFC 4340
3PC Third Party Connect Protocol 34
IDPR Inter-Domain Policy Routing Protocol 35
XTP XTP 36
DDP Datagram Delivery Protocol 37
IDPR-CMTP IDPR Control Message Transport Protocol 38
TP++ TP++ Transport Protocol 39
IL IL Transport Protocol 40
IPv6 IPv6 in IPv4 (encapsulation) 41
SDRP Source Demand Routing Protocol 42
IPv6-Route Routing Header for IPv6 43
IPv6-Frag Fragment Header for IPv6 44
IDRP Inter-Domain Routing Protocol 45
RSVP Reservation Protocol 46
GRE General Routing Encapsulation 47
DSR Dynamic Source Routing Protocol 48 RFC 4728
BNA BNA 49
ESP Encapsulating Security Payload 50 RFC 2406
AH Authentication Header 51 RFC 2402
I-NLSP Integrated Net Layer Security Protocol 52
SW IPE IP w ith Encryption 53
NARP NBMA Address Resolution Protocol 54 RFC 1735
MOBILE IP Mobility 55
TLSP Transport Layer Security Protocol 56
SKIP SKIP 57
IPv6-ICMP ICMP for IPv6 58 RFC 1883
IPv6-NoNxt No Next Header for IPv6 59 RFC 1883
IPv6-Opts Destination Options for IPv6 60 RFC 1883
Any Host Internal Protocol 61
CFTP CFTP 62
Any Local Netw ork 63
SAT-EXPAK SATNET and Backroom EXPAK 64
KRYPTOLAN Kryptolan 65
RVD MIT Remote Virtual Disk Protocol 66
IPPC Internet Pluribus Packet Core 67
Any Distributed File System 68
SAT-MON SATNET Monitoring 69
VISA VISA Protocol 70
IPCV Internet Packet Core Utility 71
CPNX Computer Protocol Netw ork Executive 72
CPHB Computer Protocol Heart Beat 73
W SN W ang Span Netw ork 74
PVP Packet Video Protocol 75
BR-SAT-MON Backroom SATNET Monitoring 76
SUN-ND SUN ND PROTOCOL-Temporary 77
W B-MON W IDEBAND Monitoring 78
W B-EXPAK W IDEBAND EXPAK 79
ISO-IP ISO Internet Protocol 80
VMTP Versatile Message Transaction Protocol 81 RFC 1045
SECURE-VMTP Secure VMTP 82
VINES VINES 83
TTP TTP 84
NSFNET-IGP NSFNET-IGP 85
DGP Dissimilar Gatew ay Protocol 86
TCF TCF 87
EIGRP Enhanced IGRP 88
OSPF Open Shortest Path First 89 RFC 1583
Sprite-RPC Sprite RPC Protocol 90
LARP Locus Address Resolution Protocol 91
MTP Multicast Transport Protocol 92
AX.25 AX.25 Frames 93
IPIP IP-w ithin-IP Encapsulation Protocol 94
MICP Mobile Internetw orking Control Protocol 95
SCC-SP Semaphore Communications Security Protocol 96
ETHERIP Ethernet-w ithin-IP Encapsulation 97 RFC 3378
ENCAP Encapsulation Header 98 RFC 1241
Any Private Encryption Scheme 99
GMTP GMTP 100
IFMP Ipsilon Flow Management Protocol 101
PNNI PNNI over IP 102
PIM Protocol Independent MulticastP 103
ARIS ARIS 104
SCPS SCPS 105
QNX QNX 106
A/N Active Netw orks 107
IPComp IP Payload Compression Protocol 108 RFC 2393
SNP Sitara Netw orks Protocol 109
Compaq-Peer Compaq Peer Protocol 110
IPX-in-IP IPX in IP 111
VRRP Virtual Router Redundancy Protocol 112 RFC 3768
PGM PGM Reliable Transport Protocol 113
Any 0 Hop Protocol 114
L2TP Layer Tw o Tunneling Protocol 115
DDX D-II Data Exchange 116
IATP Interactive Agent Transfer Protocol 117
STP Schedule Transfer Protocol 118
SRP SpectraLink Radio Protocol 119
UTI UTI 120
SMP Simple Message Protocol 121
SM SM 122
PTP Performance Transparency Protocol 123
ISIS over IPv4 Intermediate System to Intermediate System over IPv4 124
FIRE FIRE 125
CRTP Combat Radio Transport Protocol 126
CRUDP Combat Radio User Datagram 127
SSCOPMCE SSCOPMCE 128
IPLT IPLT 129
SPS Secure Packet Shield 130
PIPE Private IP Encapsulation w ithin IP 131
SCTP Stream Control Transmission Protocol 132
FC Fibre Channel 133
RSVP-E2E-IGNORE RSVP for IPv4 and IPv6 134 RFC 3175
Mobility Header Mobility Support in IPv6 135 RFC 3775
UDPLite Lightw eight UDP 136 RFC 3828
MPLS-in-IP Encapsulating MPLS in IP 137 RFC 4023
MANET MANET Protocols 138
HIP Host Identity Protocol 139 RFC 5201
Unassigned 140 - 252
Use for Experimentation and Testing 253 - 254 RFC 3692
Reserved 255
Table 186: IP Protocols
7.4 ICMP Types
This section lists the ICMP types referenced w ithin this report.
Description Type Code RFC

Echo Reply 0 -1 RFC 792
Destination Unreachable 3 -1 RFC 792
Net Unreachable 3 0 RFC 792
Host Unreachable 3 1 RFC 792
Protocol Unreachable 3 2 RFC 792
Port Unreachable 3 3 RFC 792
Fragementation Needed 3 4 RFC 792
Source Route Failed 3 5 RFC 792
Destination Netw ork Unknow n 3 6 RFC 1122
Destination Host Unknow n 3 7 RFC 1122
Source Host Isolated 3 8 RFC 1122
Communication w ith Destination Netw ork is Administratively Prohibited 3 9 RFC 1122
Communication w ith Destination Host is Administratively Prohibited 3 10 RFC 1122
Destination Netw ork Unreachable for Type of Service 3 11 RFC 1122
Destination Host Unreachable for Type of Service 3 12 RFC 1122
Communication Administratively Prohibited 3 13 RFC 1812
Host Precedence Violation 3 14 RFC 1812
Precedence Cutoff in Effect 3 15 RFC 1812
Source Quench 4 -1 RFC 792
Redirect 5 -1 RFC 792
Redirect Datagram for the Netw ork (or subnet) 5 0 RFC 792
Redirect Datagram for the Host 5 1 RFC 792
Redirect Datagram for the Type of Service and Netw ork 5 2 RFC 792
Redirect Datagram for the Type of Service and Host 5 3 RFC 792
Alternate Host Address 6 -1 RFC 792
Echo 8 -1 RFC 792
Router Advertisement 9 0 RFC 1256
Does Not Route Common Traffic 9 16 RFC 2002
Router Solicitation 10 -1 RFC 1256
Time Exceeded 11 -1 RFC 792
Time to Live Exceeded in Transit 11 0 RFC 792
Fragment Reassembly Time Exceeded 11 1 RFC 792
Parameter Problem 12 -1 RFC 792
Pointer Indicates the Error 12 0 RFC 792
Missing a Required Option 12 1 RFC 1108
Bad Length 12 2 RFC 1108
Timestamp Request 13 -1 RFC 792
Timestamp Reply 14 -1 RFC 792
Information Request 15 -1 RFC 792
Information Reply 16 -1 RFC 792
Address Mask Request 17 -1 RFC 950
Address Mask Reply 18 -1 RFC 950
Traceroute 30 -1 RFC 1393
Datagram Conversion Error 31 -1 RFC 1475
Mobile Host Redirect 32 -1
IPv6 W here-Are-You 33 -1
IPv6 I-Am-Here 34 -1
Mobile Registration Request 35 -1
Mobile Registration Reply 36 -1
Domain Name Request 37 -1 RFC 1788
Domain Name Reply 38 -1 RFC 1788
SKIP 39 -1
Photuris 40 -1 RFC 2521
Bad SPI 40 0 RFC 2521
Authentication Failed 40 1 RFC 2521
Decompression Failed 40 2 RFC 2521
Decryption Failed 40 3 RFC 2521
Need Authentication 40 4 RFC 2521
Need Authorization 40 5 RFC 2521
Table 187: ICMP Types
7.5 Abbreviations
Abbreviation Description
ARP Address Resolution Protocol
ATO Authority to Operate
CLI Command Line Interface
CPU Central Processing Unit
DAA Designated Approving Authority
DHCP Dynamic Host Configuration Protocol
DIACAP DoD Information Assurance Certification and Accreditation Process
DISA Defence Information Systems Agency
DNS Domain Name System
DoD Department of Defence
DoS Denial of Service
HTTP HyperText Transfer Protocol
HTTPS HyperText Transfer Protocol over SSL
IA Information Assurance
IAM Information Assurance Manager
IAO Information Assurance Officer
ICMP Internet Control Message Protocol
ID Identifier
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Protection System
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
MAC Media Access Control
MD5 Message Digest 5
MIB Management Information Base
NMS Netw ork Management System
NSO Netw ork Security Officer
NTP Netw ork Time Protocol
OS Operating System
PII Personally Identifiable Information
RFC Request For Change
SANS SysAdmin Audit Netw ork Security
SNMP Simple Netw ork Management Protocol
SSH Secure Shell
SSL Secure Sockets Layer
SSP System Security Plan
STIG Security Technical Implementation Guide
TCP Transmission Control Protocol
UDP User Datagram Protocol
UTC Coordinated Universal Time
VPN Virtual Private Netw ork
Table 188: Abbreviations
7.6 Nipper Studio Version
This report w as w ritten using Nipper Studio version 2.2.13.

172 DC PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

172 DC PDF

Enviado por

Direitos autorais:

Formatos disponíveis

Nipper Studio

Security Audit Summary

DISA STIG Summary

Name STIG Version I I I II II II III III III

3 DISA STIG Compliance

4.1 DC-PERIMETER1 SANS Policy Compliance Audit

Diagram 1. Severity Classification

Table 1. Audit device scope

1.3 Report Conventions

2.2 Rules Allow Access To Administrative Services

2.3 Rules Allow Access To Clear-Text Protocol Services

2.5 Rules Allow Access To Potentially Unnecessary Services

2.8 Filter Rules That Allow Any Protocol W ere Configured

2.9 W eak SNMP Community Strings W ere Configured

2.11 Filter Drop Rules W ere Configured W ithout Logging

2.12 Proxy ARP W as Enabled

2.17 ICMP Redirect Messages W ere Enabled

2.20 Mitigation Classification

3.2 DC-PERIMETER1 - Firew all Security Technical Implementation Guide

4 SANS Policy Compliance

4.1 DC-PERIMETER1 SANS Policy Compliance Audit

5.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Configuration Report

6.2 Fortinet FortiGate Firew all FG100D DC-PERIMETER1 Raw Configuration

7.2 Common Time Zones

7.4 ICMP Types

1.2 Evaluation Use Only

1.3 Report Conventions

This report makes use of the text conventions detailed in Table 3.

1.4 Compliance Check Results

1.5 Network Filtering Actions

Table 5: Network filter rule actions

2.1.1 Security Issue Overview

2.1.2 Rating System Overview

2.2 Rules Allow Access T o Administrative Services

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

2.3 Rules Allow Access T o Clear-T ext Protocol Services

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Notes for Fortinet FortiGate Firewall FG100D devices:

config firewall policy

config firewall address

2.5 Rules Allow Access T o Potentially Unnecessary Services

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

2.6 Rules Allow Access T o Potentially Sensitive Services

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

2.7 Clear-T ext SNMP In Use

2.8 Filter Rules T hat Allow Any Protocol Were Configured

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

Rule Active Action Source Destination Service Log

2.9 Weak SNMP Community Strings Were Configured

Community Access Version Weakness

2.10 Filter Allow Rules Were Configured Without Logging