[j-nsp] Using apply-groups for last policy on SRX
Alex
alex.arseniev at gmail.com
Tue Jun 28 13:05:41 EDT 2011
The general rule for JUNOS groups is that you cannot set something on a
nonexistent object. For instance, if an interface does not exist under [edit
interfaces], then any group matching on this interface will fail to set
anything.
It looks like you are trying to define a complete policy inside a group
while having no matching policy under [edit security policies]:
policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
policy PERMIT-ALL is not defined under [edit security policies]
-- and this will fail for the reason I mentioned above.
OTOH, I think you can accomplish what you want with commit-script.
HTH
Rgds
Alex
----- Original Message -----
From: "John Center" <john.center at villanova.edu>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, June 28, 2011 4:57 PM
Subject: [j-nsp] Using apply-groups for last policy on SRX
> Hi,
>
> Is it possible to use apply-group to set the last security policy between
> zones? I'm trying to avoid changing the default policy from deny all, but
> I want to do something like this:
>
> groups {
>     PERMIT-ALL {
>         security {
>             policies {
>                 from-zone <*> to-zone <*> {
>                     policy PERMIT-ALL {
>                         match {
>                             source-address any;
>                             destination-address any;
>                             application any;
>                         }
>                         then {
>                             permit;
>                             log {
>                                 session-init;
>                                 session-close;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> ...
>
> security {
>     policies {
>         from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
>             policy XXXX {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application XXXX;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>             ...
>             apply-groups PERMIT-ALL;
>         }
>     }
> }
>
> After I'm confident I got all of the applications I need policies for, I
> just want to remove the apply-groups statement. Does this make sense? Is
> there another/better/easier way to do this?
>
> Thanks.
>
> -John
>
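Before the apply-groups statement is removed, an administrator would want to know which zone pairs still end in the logged catch-all and which already have explicit coverage only. The following Python audit is an added example, not part of the thread or of Junos itself: it parses brace-style configuration like the one quoted above (the sample configuration, zone names and application names are constructed for illustration) and reports, per from-zone/to-zone pair, whether PERMIT-ALL is the last policy evaluated and whether it logs sessions.

```python
import re

# Constructed sample in the style of the configuration quoted in the thread:
# the catch-all is present (and logging) for one zone pair but not the other.
SAMPLE_CONFIG = """
security { policies {
  from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
    policy ALLOW-SSH { match { source-address any; destination-address any;
      application junos-ssh; } then { permit; } }
    policy PERMIT-ALL { match { source-address any; destination-address any;
      application any; } then { permit; log { session-init; session-close; } } }
  }
  from-zone ADMIN-SYSTEMS to-zone PROD-SYSTEMS {
    policy ALLOW-DNS { match { source-address any; destination-address any;
      application junos-dns-udp; } then { permit; } }
  }
} }
"""

def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts. Leaf statements
    ('permit;') become keys with value None; insertion order is preserved, which
    is the order in which Junos evaluates policies inside a zone pair."""
    root, stack = {}, []
    node = root
    for tok in re.findall(r"\{|\}|[^{};]+;|[^{};]+(?=\{)", text):
        tok = tok.strip()
        if tok == "{" or not tok:
            continue                 # the block was opened when its name was read
        if tok == "}":
            node = stack.pop()       # close the current block
        elif tok.endswith(";"):
            node[tok[:-1].strip()] = None
        else:
            stack.append(node)       # 'name {' starts a nested block
            node = node.setdefault(tok, {})
    return root

def audit_zone_pairs(config, catch_all="PERMIT-ALL"):
    """For every from-zone/to-zone block return a tuple:
    (ordered policy names, catch-all is the last policy, catch-all logs sessions)."""
    report = {}
    policies = config.get("security", {}).get("policies", {})
    for pair, block in policies.items():
        if not pair.startswith("from-zone "):
            continue
        names = [k.split(None, 1)[1] for k in block if k.startswith("policy ")]
        is_last = bool(names) and names[-1] == catch_all
        log = block.get("policy " + catch_all, {}).get("then", {}).get("log") or {}
        report[pair] = (names, is_last, "session-init" in log and "session-close" in log)
    return report
```

A zone pair whose report shows the catch-all as last, with logging, is one where the session logs can still be mined for applications that lack an explicit policy; a pair without it already relies on the default deny.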