set security policies from-zone DMZ1 to-zone Trust policy 326 match source-address NCR Outbound SSL
set security policies from-zone DMZ1 to-zone Trust policy 326 match source-address NCR Predictive UA
set security policies from-zone DMZ1 to-zone Trust policy 326 match source-address NCR Predictive WEB
set security policies from-zone DMZ1 to-zone Trust policy 326 match destination-address <translated IP1>
set security policies from-zone DMZ1 to-zone Trust policy 326 match destination-address <translated IP2>
set security policies from-zone DMZ1 to-zone Trust policy 326 match destination-address <translated IP3>
set security policies from-zone DMZ1 to-zone Trust policy 326 match application any
set security policies from-zone DMZ1 to-zone Trust policy 326 then permit
# Static NAT match/then statements sit under a named rule; r1 is a placeholder rule name.
# Each rule matches its own MIP address (10.0.28.14 through 10.0.28.16, as in the proxy-arp range).
set security nat static rule-set MIP(10.0.28.14) from zone DMZ1
set security nat static rule-set MIP(10.0.28.14) rule r1 match destination-address 10.0.28.14/32
set security nat static rule-set MIP(10.0.28.14) rule r1 then static-nat prefix <translated IP1>
set security nat static rule-set MIP(10.0.28.15) from zone DMZ1
set security nat static rule-set MIP(10.0.28.15) rule r1 match destination-address 10.0.28.15/32
set security nat static rule-set MIP(10.0.28.15) rule r1 then static-nat prefix <translated IP2>
set security nat static rule-set MIP(10.0.28.16) from zone DMZ1
set security nat static rule-set MIP(10.0.28.16) rule r1 match destination-address 10.0.28.16/32
set security nat static rule-set MIP(10.0.28.16) rule r1 then static-nat prefix <translated IP3>
set security nat proxy-arp interface <DMZ1> address 10.0.28.14 to 10.0.28.16
For the MBW:
set firewall policer MIP if-exceeding bandwidth-limit 1024k
set firewall policer MIP if-exceeding burst-size-limit 1500
set firewall policer MIP then discard
set firewall family inet filter DMZ1 term 1 from interface <DMZ1>
set firewall family inet filter DMZ1 term 1 then policer MIP
set firewall family inet filter DMZ1 term 1 then accept
For GBW, you would need to define CoS on the interface.