[j-nsp] Using apply-groups for last policy on SRX
Alex
alex.arseniev at gmail.com
Tue Jun 28 13:43:54 EDT 2011
I quickly tested this config and it fails - but for a different reason: SRX
does not like group names in uppercase :-)
When I change the group name to lowercase and without a hyphen it works. This
is on 11.1.
So my comment below needs clarification - the upper-level regex (for SRX
it's the "from-zone <*> to-zone <*>" regex) needs to match for the lower-level
config to be applied, even if there is no matching regex for the lower-level
config (i.e. no policy named PERMIT-ALL under [edit security policies]).
Cheers
Alex
----- Original Message -----
From: "Alex" <alex.arseniev at gmail.com>
To: "John Center" <john.center at villanova.edu>; <juniper-nsp at puck.nether.net>
Sent: Tuesday, June 28, 2011 6:05 PM
Subject: Re: [j-nsp] Using apply-groups for last policy on SRX
> The general rule for JUNOS groups is that you cannot set something on a
> nonexistent object. For instance, if an interface does not exist under
> [edit interfaces] then any group matching on this interface will fail to
> set anything.
> It looks like you are trying to define a complete policy inside a group
> while having no matching policy under [edit security policies]:
>
> policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
> policy PERMIT-ALL is not defined under [edit security policies]
>
> -- and this will fail for the reason I mentioned above.
> OTOH, I think you can accomplish what you want with a commit script.
> HTH
> Rgds
> Alex
>
> ----- Original Message -----
> From: "John Center" <john.center at villanova.edu>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, June 28, 2011 4:57 PM
> Subject: [j-nsp] Using apply-groups for last policy on SRX
>
>
>> Hi,
>>
>> Is it possible to use apply-group to set the last security policy between
>> zones? I'm trying to avoid changing the default policy from deny all,
>> but I want to do something like this:
>>
>> groups {
>>     PERMIT-ALL {
>>         security {
>>             policies {
>>                 from-zone <*> to-zone <*> {
>>                     policy PERMIT-ALL {
>>                         match {
>>                             source-address any;
>>                             destination-address any;
>>                             application any;
>>                         }
>>                         then {
>>                             permit;
>>                             log {
>>                                 session-init;
>>                                 session-close;
>>                             }
>>                         }
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>> ...
>>
>> security {
>>     policies {
>>         from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
>>             policy XXXX {
>>                 match {
>>                     source-address any;
>>                     destination-address any;
>>                     application XXXX;
>>                 }
>>                 then {
>>                     permit;
>>                 }
>>             }
>>             ...
>>             apply-groups PERMIT-ALL;
>>         }
>>     }
>> }
>>
>> After I'm confident I got all of the applications I need policies for, I
>> just want to remove the apply-groups statement. Does this make sense? Is
>> there another/better/easier way to do this?
>>
>> Thanks.
>>
>> -John
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
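As an added example (not from the thread, and not Alex's or John's config), here is John's group renamed the way Alex reports worked for him on 11.1: lowercase, no hyphen. The group and policy name `permitall` is my choice, the zone names are John's, and `allow-ssh` with the predefined application `junos-ssh` stands in for one of the explicit policies John would build up over time.

```junos
## Added example, not from the original post. Group name is lowercase with
## no hyphen, following Alex's report that "PERMIT-ALL" was rejected on 11.1.
## "permitall" is an assumed name.
groups {
    permitall {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy permitall {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                            ## Logging both ends of each session is what makes the
                            ## temporary catch-all useful: it shows which flows still
                            ## lack an explicit policy before the group is removed.
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}
security {
    policies {
        from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
            ## Hypothetical explicit policy; junos-ssh is a predefined application.
            policy allow-ssh {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            ## The upper-level "from-zone <*> to-zone <*>" in the group matches this
            ## zone pair, so the inherited policy is added here. Delete this one line
            ## to fall back to the default deny once the explicit policies are complete.
            apply-groups permitall;
        }
    }
}
```

Security policy lookup is first match, so the catch-all is only harmless if it lands last in the zone pair. Rather than assume where inherited statements are placed, check before and after commit: `commit check` confirms the configuration is accepted, `show configuration security policies from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS | display inheritance` shows the inherited policy annotated with the group it came from and where it sits relative to the explicit policies, and `show security policies from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS` shows the order actually used for evaluation. If the inherited policy does not appear, the group name or the upper-level regex did not match, which is the failure Alex describes above.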