<?xml version="1.0"?>
<config version="9.1.0" urldb="paloaltonetworks">
  <shared>
    <admin-role>
      <entry name="vsysadminrole">
        <role>
          <vsys>
            <webui>
              <monitor>
                <logs>
                  <traffic>enable</traffic>
                  <threat>enable</threat>
                  <url>enable</url>
                  <wildfire>enable</wildfire>
                  <data-filtering>enable</data-filtering>
                  <hipmatch>enable</hipmatch>
                  <globalprotect>enable</globalprotect>
                  <iptag>enable</iptag>
                  <userid>enable</userid>
                  <tunnel>enable</tunnel>
                  <authentication>enable</authentication>
                </logs>
                <automated-correlation-engine>
                  <correlation-objects>enable</correlation-objects>
                  <correlated-events>enable</correlated-events>
                </automated-correlation-engine>
                <app-scope>enable</app-scope>
                <session-browser>enable</session-browser>
                <block-ip-list>enable</block-ip-list>
                <pdf-reports>
                  <manage-pdf-summary>enable</manage-pdf-summary>
                  <pdf-summary-reports>enable</pdf-summary-reports>
                  <user-activity-report>enable</user-activity-report>
                  <saas-application-usage-report>enable</saas-application-usage-report>
                  <report-groups>enable</report-groups>
                  <email-scheduler>enable</email-scheduler>
                </pdf-reports>
                <custom-reports>
                  <application-statistics>enable</application-statistics>
                  <data-filtering-log>enable</data-filtering-log>
                  <threat-log>enable</threat-log>
                  <threat-summary>enable</threat-summary>
                  <traffic-log>enable</traffic-log>
                  <traffic-summary>enable</traffic-summary>
                  <url-log>enable</url-log>
                  <url-summary>enable</url-summary>
                  <hipmatch>enable</hipmatch>
                  <globalprotect>enable</globalprotect>
                  <wildfire-log>enable</wildfire-log>
                  <tunnel-log>enable</tunnel-log>
                  <tunnel-summary>enable</tunnel-summary>
                  <iptag>enable</iptag>
                  <userid>enable</userid>
                  <auth>enable</auth>
                </custom-reports>
                <view-custom-reports>enable</view-custom-reports>
              </monitor>
              <policies>
                <security-rulebase>enable</security-rulebase>
                <nat-rulebase>enable</nat-rulebase>
                <qos-rulebase>enable</qos-rulebase>
                <pbf-rulebase>enable</pbf-rulebase>
                <ssl-decryption-rulebase>enable</ssl-decryption-rulebase>
                <tunnel-inspect-rulebase>enable</tunnel-inspect-rulebase>
                <application-override-rulebase>enable</application-override-rulebase>
                <authentication-rulebase>enable</authentication-rulebase>
                <dos-rulebase>enable</dos-rulebase>
                <sdwan-rulebase>enable</sdwan-rulebase>
                <rule-hit-count-reset>enable</rule-hit-count-reset>
              </policies>
              <objects>
                <addresses>enable</addresses>
                <address-groups>enable</address-groups>
                <regions>enable</regions>
                <dynamic-user-groups>enable</dynamic-user-groups>
                <applications>enable</applications>
                <application-groups>enable</application-groups>
                <application-filters>enable</application-filters>
                <services>enable</services>
                <service-groups>enable</service-groups>
                <tags>enable</tags>
                <global-protect>
                  <hip-objects>enable</hip-objects>
                  <hip-profiles>enable</hip-profiles>
                </global-protect>
                <dynamic-block-lists>enable</dynamic-block-lists>
                <custom-objects>
                  <data-patterns>enable</data-patterns>
                  <spyware>enable</spyware>
                  <vulnerability>enable</vulnerability>
                  <url-category>enable</url-category>
                </custom-objects>
                <security-profiles>
                  <antivirus>enable</antivirus>
                  <anti-spyware>enable</anti-spyware>
                  <vulnerability-protection>enable</vulnerability-protection>
                  <url-filtering>enable</url-filtering>
                  <file-blocking>enable</file-blocking>
                  <wildfire-analysis>enable</wildfire-analysis>
                  <data-filtering>enable</data-filtering>
                  <dos-protection>enable</dos-protection>
                </security-profiles>
                <security-profile-groups>enable</security-profile-groups>
                <log-forwarding>enable</log-forwarding>
                <authentication>enable</authentication>
                <decryption>
                  <decryption-profile>enable</decryption-profile>
                </decryption>
                <sdwan>
                  <sdwan-profile>enable</sdwan-profile>
                  <sdwan-dist-profile>enable</sdwan-dist-profile>
                </sdwan>
                <schedules>enable</schedules>
              </objects>
              <network>
                <zones>enable</zones>
                <global-protect>
                  <portals>enable</portals>
                  <gateways>enable</gateways>
                  <mdm>enable</mdm>
                  <device-block-list>enable</device-block-list>
                  <clientless-apps>enable</clientless-apps>
                  <clientless-app-groups>enable</clientless-app-groups>
                </global-protect>
                <sdwan-interface-profile>enable</sdwan-interface-profile>
              </network>
              <privacy>
                <show-full-ip-addresses>enable</show-full-ip-addresses>
                <show-user-names-in-logs-and-reports>enable</show-user-names-in-logs-and-reports>
                <view-pcap-files>enable</view-pcap-files>
              </privacy>
              <validate>enable</validate>
              <save>
                <partial-save>enable</partial-save>
                <save-for-other-admins>enable</save-for-other-admins>
              </save>
              <commit>
                <virtual-systems>enable</virtual-systems>
                <commit-for-other-admins>enable</commit-for-other-admins>
              </commit>
              <tasks>enable</tasks>
            </webui>
            <xmlapi/>
          </vsys>
        </role>
      </entry>
    </admin-role>
    <authentication-profile>
      <entry name="auth">
        <multi-factor-auth>
          <mfa-enable>no</mfa-enable>
        </multi-factor-auth>
        <method>
          <none/>
        </method>
        <allow-list>
          <member>all</member>
        </allow-list>
      </entry>
    </authentication-profile>
    <application-filter>
      <entry name="allowed">
        <category>
          <member>business-systems</member>
          <member>collaboration</member>
          <member>general-internet</member>
        </category>
        <subcategory>
          <member>general-business</member>
          <member>internet-conferencing</member>
          <member>management</member>
          <member>office-programs</member>
          <member>social-business</member>
          <member>software-update</member>
          <member>voip-video</member>
        </subcategory>
        <risk>
          <member>1</member>
          <member>2</member>
          <member>3</member>
        </risk>
      </entry>
    </application-filter>
    <profile-group>
      <entry name="default">
        <virus>
          <member>default</member>
        </virus>
        <spyware>
          <member>strict</member>
        </spyware>
        <vulnerability>
          <member>strict</member>
        </vulnerability>
        <wildfire-analysis>
          <member>default</member>
        </wildfire-analysis>
      </entry>
    </profile-group>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <interface>
          <ethernet>
                       <entry name="ethernet1/1">
              <layer3>
                <ndp-proxy>
                  <enabled>no</enabled>
                </ndp-proxy>
                <ip>
                  <entry name="10.0.0.0/24"/>
                </ip>
                <lldp>
                  <enable>no</enable>
                </lldp>
              </layer3>
            </entry>
            <entry name="ethernet1/2">
              <layer3>
                <ndp-proxy>
                  <enabled>no</enabled>
                </ndp-proxy>
                <lldp>
                  <enable>no</enable>
                </lldp>
                <ip>
                  <entry name="10.1.0.0/24"/>
                </ip>
              </layer3>
            </entry>
            <entry name="ethernet1/3">
              <layer3>
                <ndp-proxy>
                  <enabled>no</enabled>
                </ndp-proxy>
                <lldp>
                  <enable>no</enable>
                </lldp>
                <ip>
                  <entry name="198.51.100.2/24"/>
                </ip>
              </layer3>
            </entry>
          </ethernet>
          <loopback>
            <units/>
          </loopback>
          <vlan>
            <units/>
          </vlan>
          <tunnel>
            <units/>
          </tunnel>
        </interface>
        <vlan/>
        <virtual-wire/>
        <profiles>
          <monitor-profile>
            <entry name="default">
              <interval>3</interval>
              <threshold>5</threshold>
              <action>wait-recover</action>
            </entry>
          </monitor-profile>
        </profiles>
        <ike>
          <crypto-profiles>
            <ike-crypto-profiles>
              <entry name="default">
                <encryption>
                  <member>aes-128-cbc</member>
                  <member>3des</member>
                </encryption>
                <hash>
                  <member>sha1</member>
                </hash>
                <dh-group>
                  <member>group2</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-128">
                <encryption>
                  <member>aes-128-cbc</member>
                </encryption>
                <hash>
                  <member>sha256</member>
                </hash>
                <dh-group>
                  <member>group19</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-256">
                <encryption>
                  <member>aes-256-cbc</member>
                </encryption>
                <hash>
                  <member>sha384</member>
                </hash>
                <dh-group>
                  <member>group20</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
            </ike-crypto-profiles>
            <ipsec-crypto-profiles>
              <entry name="default">
                <esp>
                  <encryption>
                    <member>aes-128-cbc</member>
                    <member>3des</member>
                  </encryption>
                  <authentication>
                    <member>sha1</member>
                  </authentication>
                </esp>
                <dh-group>group2</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-128">
                <esp>
                  <encryption>
                    <member>aes-128-gcm</member>
                  </encryption>
                  <authentication>
                    <member>none</member>
                  </authentication>
                </esp>
                <dh-group>group19</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-256">
                <esp>
                  <encryption>
                    <member>aes-256-gcm</member>
                  </encryption>
                  <authentication>
                    <member>none</member>
                  </authentication>
                </esp>
                <dh-group>group20</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
            </ipsec-crypto-profiles>
            <global-protect-app-crypto-profiles>
              <entry name="default">
                <encryption>
                  <member>aes-128-cbc</member>
                </encryption>
                <authentication>
                  <member>sha1</member>
                </authentication>
              </entry>
            </global-protect-app-crypto-profiles>
          </crypto-profiles>
        </ike>
        <qos>
          <profile>
            <entry name="default">
              <class-bandwidth-type>
                <mbps>
                  <class>
                    <entry name="class1">
                      <priority>real-time</priority>
                    </entry>
                    <entry name="class2">
                      <priority>high</priority>
                    </entry>
                    <entry name="class3">
                      <priority>high</priority>
                    </entry>
                    <entry name="class4">
                      <priority>medium</priority>
                    </entry>
                    <entry name="class5">
                      <priority>medium</priority>
                    </entry>
                    <entry name="class6">
                      <priority>low</priority>
                    </entry>
                    <entry name="class7">
                      <priority>low</priority>
                    </entry>
                    <entry name="class8">
                      <priority>low</priority>
                    </entry>
                  </class>
                </mbps>
              </class-bandwidth-type>
            </entry>
          </profile>
        </qos>
        <virtual-router>
          <entry name="v1-default">
            <protocol>
              <bgp>
                <enable>no</enable>
                <dampening-profile>
                  <entry name="default">
                    <cutoff>1.25</cutoff>
                    <reuse>0.5</reuse>
                    <max-hold-time>900</max-hold-time>
                    <decay-half-life-reachable>300</decay-half-life-reachable>
                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
                    <enable>yes</enable>
                  </entry>
                </dampening-profile>
                <routing-options>
                  <graceful-restart>
                    <enable>yes</enable>
                  </graceful-restart>
                </routing-options>
              </bgp>
              <rip>
                <enable>no</enable>
              </rip>
              <ospf>
                <enable>no</enable>
              </ospf>
              <ospfv3>
                <enable>no</enable>
              </ospfv3>
            </protocol>
            <interface>
              <member>ethernet1/1</member>
            </interface>
            <ecmp>
              <algorithm>
                <ip-modulo/>
              </algorithm>
            </ecmp>
            <routing-table>
              <ip>
                <static-route>
                  <entry name="vsys2-subnet">
                    <nexthop>
                      <next-vr>v2-default</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <metric>10</metric>
                    <destination>10.1.0.0/24</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                  <entry name="dg">
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <nexthop>
                      <next-vr>sharedVR</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <metric>10</metric>
                    <destination>0.0.0.0/0</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                </static-route>
              </ip>
            </routing-table>
          </entry>
          <entry name="v2-default">
            <ecmp>
              <algorithm>
                <ip-modulo/>
              </algorithm>
            </ecmp>
            <protocol>
              <bgp>
                <routing-options>
                  <graceful-restart>
                    <enable>yes</enable>
                  </graceful-restart>
                </routing-options>
                <enable>no</enable>
              </bgp>
              <rip>
                <enable>no</enable>
              </rip>
              <ospf>
                <enable>no</enable>
              </ospf>
              <ospfv3>
                <enable>no</enable>
              </ospfv3>
            </protocol>
            <interface>
              <member>ethernet1/2</member>
            </interface>
            <routing-table>
              <ip>
                <static-route>
                  <entry name="vsys1-subnet">
                    <nexthop>
                      <next-vr>v1-default</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <metric>10</metric>
                    <destination>10.0.0.0/24</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                  <entry name="dg">
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <nexthop>
                      <next-vr>sharedVR</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <metric>10</metric>
                    <destination>0.0.0.0/0</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                </static-route>
              </ip>
            </routing-table>
          </entry>
          <entry name="sharedVR">
            <ecmp>
              <algorithm>
                <ip-modulo/>
              </algorithm>
            </ecmp>
            <protocol>
              <bgp>
                <routing-options>
                  <graceful-restart>
                    <enable>yes</enable>
                  </graceful-restart>
                </routing-options>
                <enable>no</enable>
              </bgp>
              <rip>
                <enable>no</enable>
              </rip>
              <ospf>
                <enable>no</enable>
              </ospf>
              <ospfv3>
                <enable>no</enable>
              </ospfv3>
            </protocol>
            <routing-table>
              <ip>
                <static-route>
                  <entry name="dg">
                    <nexthop>
                      <ip-address>198.51.100.1</ip-address>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <interface>ethernet1/3</interface>
                    <metric>10</metric>
                    <destination>0.0.0.0/0</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                  <entry name="vsys1">
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <nexthop>
                      <next-vr>v1-default</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <metric>10</metric>
                    <destination>10.0.0.0/24</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                  <entry name="vsys2">
                    <path-monitor>
                      <enable>no</enable>
                      <failure-condition>any</failure-condition>
                      <hold-time>2</hold-time>
                    </path-monitor>
                    <nexthop>
                      <next-vr>v2-default</next-vr>
                    </nexthop>
                    <bfd>
                      <profile>None</profile>
                    </bfd>
                    <metric>10</metric>
                    <destination>10.1.0.0/24</destination>
                    <route-table>
                      <unicast/>
                    </route-table>
                  </entry>
                </static-route>
              </ip>
            </routing-table>
            <interface>
              <member>ethernet1/3</member>
            </interface>
          </entry>
        </virtual-router>
        <shared-gateway>
          <entry name="sg1">
            <display-name>SharedGW</display-name>
            <zone>
              <entry name="SGuntrust">
                <network>
                  <layer3>
                    <member>ethernet1/3</member>
                  </layer3>
                </network>
              </entry>
              <entry name="to-vsys1">
                <network>
                  <external>
                    <member>vsys1</member>
                  </external>
                </network>
              </entry>
              <entry name="to-vsys2">
                <network>
                  <external>
                    <member>vsys2</member>
                  </external>
                </network>
              </entry>
            </zone>
            <import>
              <network>
                <interface>
                  <member>ethernet1/3</member>
                </interface>
              </network>
            </import>
            <rulebase>
              <nat>
                <rules>
                  <entry name="vsys1-nat" uuid="4f3371b2-baff-4383-9781-6363911b9737">
                    <source-translation>
                      <dynamic-ip-and-port>
                        <interface-address>
                          <interface>ethernet1/3</interface>
                          <ip>198.51.100.2/24</ip>
                        </interface-address>
                      </dynamic-ip-and-port>
                    </source-translation>
                    <to>
                      <member>SGuntrust</member>
                    </to>
                    <from>
                      <member>to-vsys1</member>
                    </from>
                    <source>
                      <member>any</member>
                    </source>
                    <destination>
                      <member>any</member>
                    </destination>
                    <service>any</service>
                  </entry>
                  <entry name="vsys2-nat" uuid="a5ad7ee8-0a0a-4856-95b1-b2d4524d6673">
                    <source-translation>
                      <dynamic-ip-and-port>
                        <interface-address>
                          <interface>ethernet1/3</interface>
                          <ip>198.51.100.2/24</ip>
                        </interface-address>
                      </dynamic-ip-and-port>
                    </source-translation>
                    <to>
                      <member>SGuntrust</member>
                    </to>
                    <from>
                      <member>to-vsys2</member>
                    </from>
                    <source>
                      <member>any</member>
                    </source>
                    <destination>
                      <member>any</member>
                    </destination>
                    <service>any</service>
                  </entry>
                  <entry name="inbound-vsys1" uuid="51f4bbee-a421-4ce6-b5f8-1bfc55c3841c">
                    <destination-translation>
                      <translated-address>10.0.0.4</translated-address>
                    </destination-translation>
                    <to>
                      <member>SGuntrust</member>
                    </to>
                    <from>
                      <member>SGuntrust</member>
                    </from>
                    <source>
                      <member>any</member>
                    </source>
                    <destination>
                      <member>198.51.100.4</member>
                    </destination>
                    <service>service-https</service>
                  </entry>
                  <entry name="inbound-vsys2" uuid="fafe4ec8-c38c-484c-9ebb-3d085c70dbdd">
                    <destination-translation>
                      <translated-address>10.1.0.5</translated-address>
                    </destination-translation>
                    <to>
                      <member>SGuntrust</member>
                    </to>
                    <from>
                      <member>SGuntrust</member>
                    </from>
                    <source>
                      <member>any</member>
                    </source>
                    <destination>
                      <member>198.51.100.5</member>
                    </destination>
                    <service>service-https</service>
                  </entry>
                </rules>
              </nat>
            </rulebase>
          </entry>
        </shared-gateway>
      </network>
      <deviceconfig>
        <system>
          <ip-address>192.168.27.240</ip-address>
          <netmask>255.255.255.0</netmask>
          <update-server>updates.paloaltonetworks.com</update-server>
          <update-schedule>
            <threats>
              <recurring>
                <hourly>
                  <action>download-and-install</action>
                </hourly>
                <threshold>25</threshold>
              </recurring>
            </threats>
            <anti-virus>
              <recurring>
                <hourly>
                  <action>download-and-install</action>
                </hourly>
                <threshold>5</threshold>
              </recurring>
            </anti-virus>
            <wildfire>
              <recurring>
                <every-hour>
                  <at>45</at>
                  <action>download-and-install</action>
                </every-hour>
              </recurring>
            </wildfire>
          </update-schedule>
          <timezone>US/Pacific</timezone>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
          <hostname>PA-3020</hostname>
          <default-gateway>192.168.27.1</default-gateway>
          <dns-setting>
            <servers>
              <primary>1.1.1.1</primary>
              <secondary>1.0.0.1</secondary>
            </servers>
          </dns-setting>
          <type>
            <dhcp-client>
              <accept-dhcp-domain>yes</accept-dhcp-domain>
              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
              <send-client-id>yes</send-client-id>
              <send-hostname>yes</send-hostname>
            </dhcp-client>
          </type>
        </system>
        <setting>
          <config>
            <rematch>yes</rematch>
          </config>
          <management>
            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
          </management>
        </setting>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <import>
            <network>
              <interface>
                <member>ethernet1/1</member>
                <member>ethernet1/1</member>
                <member>loopback</member>
                <member>tunnel</member>
                <member>vlan</member>
              </interface>
              <virtual-router>
                <member>v1-default</member>
              </virtual-router>
            </network>
            <visible-vsys>
              <member>vsys2</member>
            </visible-vsys>
          </import>
          <application/>
          <application-group/>
          <zone>
            <entry name="trust">
              <network>
                <virtual-wire/>
              </network>
            </entry>
            <entry name="untrust">
              <network>
                <virtual-wire/>
              </network>
            </entry>
            <entry name="L3-untrust-V1">
              <network>
                <layer3/>
              </network>
            </entry>
            <entry name="L3-trust-V1">
              <network>
                <layer3>
                  <member>ethernet1/1</member>
                </layer3>
              </network>
            </entry>
            <entry name="out-to-vsys2">
              <network>
                <external>
                  <member>vsys2</member>
                </external>
              </network>
            </entry>
            <entry name="to-SG-untrust">
              <network>
                <external>
                  <member>sg1</member>
                </external>
              </network>
            </entry>
          </zone>
          <service/>
          <service-group/>
          <schedule/>
          <rulebase>
            <security>
              <rules>
                <entry name="to-vsys2">
                  <to>
                    <member>out-to-vsys2</member>
                  </to>
                  <from>
                    <member>L3-trust-V1</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>allowed</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                </entry>
                <entry name="internet access">
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                  <to>
                    <member>to-SG-untrust</member>
                  </to>
                  <from>
                    <member>L3-trust-V1</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>allowed</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
                <entry name="inbound">
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                  <to>
                    <member>L3-trust-V1</member>
                  </to>
                  <from>
                    <member>to-SG-untrust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>198.51.100.4</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>ssl</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
          <authentication-profile>
            <entry name="authprofile">
              <multi-factor-auth>
                <mfa-enable>no</mfa-enable>
              </multi-factor-auth>
              <method>
                <none/>
              </method>
              <allow-list>
                <member>all</member>
              </allow-list>
            </entry>
            <entry name="auth">
              <multi-factor-auth>
                <mfa-enable>no</mfa-enable>
              </multi-factor-auth>
              <method>
                <none/>
              </method>
              <allow-list>
                <member>all</member>
              </allow-list>
            </entry>
          </authentication-profile>
        </entry>
        <entry name="vsys2">
          <display-name>Beta environment</display-name>
          <zone>
            <entry name="L3-untrust-V2">
              <network>
                <layer3/>
              </network>
            </entry>
            <entry name="L3-trust-V2">
              <network>
                <layer3>
                  <member>ethernet1/2</member>
                </layer3>
              </network>
            </entry>
            <entry name="out-to-vsys1">
              <network>
                <external>
                  <member>vsys1</member>
                </external>
              </network>
            </entry>
            <entry name="to-SG-untrust">
              <network>
                <external>
                  <member>sg1</member>
                </external>
              </network>
            </entry>
          </zone>
          <import>
            <network>
              <interface>
                <member>ethernet1/7</member>
                <member>ethernet1/2</member>
              </interface>
              <virtual-router>
                <member>v2-default</member>
              </virtual-router>
            </network>
            <visible-vsys>
              <member>vsys1</member>
            </visible-vsys>
          </import>
          <profile-group/>
          <application-filter/>
          <rulebase>
            <security>
              <rules>
                <entry name="to-vsys1">
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                  <to>
                    <member>out-to-vsys1</member>
                  </to>
                  <from>
                    <member>L3-trust-V2</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>allowed</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
                <entry name="internet access">
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                  <to>
                    <member>to-SG-untrust</member>
                  </to>
                  <from>
                    <member>L3-trust-V2</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>allowed</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
                <entry name="inbound">
                  <profile-setting>
                    <group>
                      <member>default</member>
                    </group>
                  </profile-setting>
                  <to>
                    <member>L3-trust-V2</member>
                  </to>
                  <from>
                    <member>to-SG-untrust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>198.51.100.5</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>ssl</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
