Add AI-generated configuration suggestions for 2025-09-05

2025-09-05 03:46:04 +00:00
2 changed files with 70 additions and 25 deletions
--- a/ai-suggestions/suggestion-20250905-033300.conf
+++ b/ai-suggestions/suggestion-20250905-033300.conf
@@ -1,25 +0,0 @@
-# AI-Generated SRX Configuration
-# Generated: 2025-09-05T03:33:00.426249
-# Analysis Period: Last 7 days
-
-{'config': 'set security address-book global address-set INTERNAL-NETS address 192.168.100.0/24', 'reason': 'AI-generated optimization'}
-{'config': 'set security address-book global address-set EXTERNAL-NETS address 0.0.0.0/8', 'reason': 'AI-generated optimization'}
-{'config': 'set security address-book global address-set DMZ-NETS address 10.0.0.0/8', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen ids-option WAN-screen icmp flood threshold 20', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen ids-option WAN-screen tcp syn-flood attack-threshold 20', 'reason': 'AI-generated optimization'}
-{'config': 'set security zones security-zone WAN screen WAN-screen', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map INTERNAL-NETS to APP-IDENTITY', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map INTERNAL-NETS app-identity junos-https', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map INTERNAL-NETS app-identity junos-ssh', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map WAN-screen to THREAT-DETECTION', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map WAN-screen threat-detection source-INTERNAL-NETS -> sid-200', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map WAN-screen threat-detection source-INTERNAL-NETS -> sid-300', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map WAN-screen to ANOMaly-DETECTION', 'reason': 'AI-generated optimization'}
-{'config': 'set security policy-map WAN-screen anomaly-detection source-INTERNAL-NETS -> sid-400', 'reason': 'AI-generated optimization'}
-{'config': 'set security rate-limit input interface ge-0/0/1.0.0.1 to 2000 bps', 'reason': 'AI-generated optimization'}
-{'config': 'set security rate-limit input interface ge-0/0/1.1.1.1 to 500 bps', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen DDoS-protection-screen for WAN-screen', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen DDoS-protection-screen icmp-flood-threshold 20', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen DDoS-protection-screen udp-flood-threshold 20', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen DDoS-protection-screen tcp-syn-flood-threshold 20', 'reason': 'AI-generated optimization'}
-{'config': 'set security screen DDoS-protection-screen port-scan-detection enable', 'reason': 'AI-generated optimization'}
--- a/ai-suggestions/suggestion-20250905-034604.conf
+++ b/ai-suggestions/suggestion-20250905-034604.conf
@@ -0,0 +1,70 @@
+# AI-Generated SRX Configuration
+# Generated: 2025-09-05T03:46:04.520883
+# Analysis Period: Last 7 days
+
+# MANDATORY: Address-set definitions
+set security address-book global address-set INTERNAL-NETS address 192.168.100.0/24
+set security address-book global address-set EXTERNAL-NETS address 0.0.0.0/8
+set security address-book global address-set DMZ-NETS address 10.0.0.0/8
+set security screen ids-option WAN-screen icmp flood threshold 20
+# Prevent ICMP floods from overwhelming the network
+set security screen ids-option WAN-screen tcp syn-flood attack-threshold 20
+# Protect against TCP SYN floods
+set security screen ids-option WAN-screen udp-flood-protection threshold 20
+# Prevent UDP floods from consuming bandwidth
+set security address-book entry ANY-EXTERNAL to 0.0.0.0/0
+# Define address book entry for any external source
+set security address-book entry DISCORD-NET1 to 162.159.0.0/16
+# Define address book entry for Discord net1
+set security address-book entry GAMING-NETWORK to 192.168.10.0/24
+# Define address book entry for gaming network
+set security logging session-init enable
+# Enable logging for all sessions
+set security logging session-close enable
+# Enable logging for all session closures
+set security idps-signature-set input-tag 1000
+# Define IDPS signature set for input tag 1000
+set security idps-signature-set output-tag 2000
+# Define IDPS signature set for output tag 2000
+set security application-control rule WAN-rule permit any
+# Allow all traffic from WAN to home network
+set security application-control rule HOME-rule permit any
+# Allow all traffic from home network to WAN
+set security application-control rule GUEST-rule permit any
+# Allow all traffic from guest network to WAN
+set security application-control rule IOT-rule permit any
+# Allow all traffic from IoT network to WAN
+set security application-control rule ENTERTAINMENT-rule permit any
+# Allow all traffic from entertainment network to WAN
+set security application-control rule MGMT-rule permit any
+# Allow all traffic from management network to WAN
+set security application-control rule INFRA-rule permit any
+# Allow all traffic from infrastructure network to WAN
+set security rate-limiting rule source-address WAN-rule any 1000/sec
+# Limit the rate of incoming traffic from any source on WAN to 1000 packets per second
+set security rate-limiting rule source-address HOME-rule any 500/sec
+# Limit the rate of incoming traffic from any source on home network to 500 packets per second
+set security rate-limiting rule source-address GUEST-rule any 300/sec
+# Limit the rate of incoming traffic from any source on guest network to 300 packets per second
+set security rate-limiting rule source-address IOT-rule any 200/sec
+# Limit the rate of incoming traffic from any source on IoT network to 200 packets per second
+set security rate-limiting rule source-address ENTERTAINMENT-rule any 150/sec
+# Limit the rate of incoming traffic from any source on entertainment network to 150 packets per second
+set security rate-limiting rule source-address MGMT-rule any 100/sec
+# Limit the rate of incoming traffic from any source on management network to 100 packets per second
+set security rate-limiting rule source-address INFRA-rule any 50/sec
+# Limit the rate of incoming traffic from any source on infrastructure network to 50 packets per second
+set security rate-limiting rule destination-address WAN-rule any 1000/sec
+# Limit the rate of outgoing traffic to any destination on WAN to 1000 packets per second
+set security rate-limiting rule destination-address HOME-rule any 500/sec
+# Limit the rate of outgoing traffic to any destination on home network to 500 packets per second
+set security rate-limiting rule destination-address GUEST-rule any 300/sec
+# Limit the rate of outgoing traffic to any destination on guest network to 300 packets per second
+set security rate-limiting rule destination-address IOT-rule any 200/sec
+# Limit the rate of outgoing traffic to any destination on IoT network to 200 packets per second
+set security rate-limiting rule destination-address ENTERTAINMENT-rule any 150/sec
+# Limit the rate of outgoing traffic to any destination on entertainment network to 150 packets per second
+set security rate-limiting rule destination-address MGMT-rule any 100/sec
+# Limit the rate of outgoing traffic to any destination on management network to 100 packets per second
+set security rate-limiting rule destination-address INFRA-rule any 50/sec
+# Limit the rate of outgoing traffic to any destination on infrastructure network to 50 packets per second