[j-nsp] Using apply-groups for last policy on SRX

John Center john.center at villanova.edu
Tue Jun 28 14:12:49 EDT 2011


Hi Alex,

Thanks for responding.   I'm not sure I understand what you mean about 
the capitalization.  The group PERMIT-ALL works under 10.4:

policies {
     from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
         ##
         ## 'PERMIT-ALL' was inherited from group 'PERMIT-ALL'
         ##
         policy PERMIT-ALL {
             ##
             ## 'match' was inherited from group 'PERMIT-ALL'
             ##
             match {
                 ##
                 ## 'any' was inherited from group 'PERMIT-ALL'
                 ##
                 source-address any;
                 ##
                 ## 'any' was inherited from group 'PERMIT-ALL'
                 ##
                 destination-address any;
                 ##
                 ## 'any' was inherited from group 'PERMIT-ALL'
                 ## Warning: application or application-set must be defined
                 ##
                 application any;
             }
             ##
             ## 'then' was inherited from group 'PERMIT-ALL'
             ##
             then {
                 ##
                 ## 'permit' was inherited from group 'PERMIT-ALL'
                 ##
                 permit;
                 ##
                 ## 'log' was inherited from group 'PERMIT-ALL'
                 ##
                 log {
                     ##
                     ## 'session-init' was inherited from group 'PERMIT-ALL'
                     ##
                     session-init;
                     ##
                     ## 'session-close' was inherited from group 'PERMIT-ALL'
                     ##
                     session-close;
                 }
             }
         }
     }

The only thing strange is the warning above about "application or 
application-set must be defined".  It appears to be working, though, 
otherwise I'd have no connectivity to the subnets behind the firewall. 
What I'd like to do is be able to insert other policies before this one 
in an economical way.  Do you have an example of a commit script that 
might do something similar, so I can see an example of what you're 
talking about?

Thanks.

	-John
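For reference, here is one shape such a commit script could take. This is an added SLAX example written for this thread; it is not code from Alex, John, or Juniper, and it assumes the standard commit-script layout (script placed in /var/db/scripts/commit, enabled with "set system scripts commit file <name>", and "set system scripts commit allow-transients" because it uses a transient change). The policy name PERMIT-ALL and the match/then contents are taken from the config above; the warning text is my own.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Name of the temporary catch-all policy (assumed; matches the thread's group name) */
var $catchall = "PERMIT-ALL";

match configuration {
    /* Each <policy> directly under security/policies is one from-zone/to-zone context */
    for-each (security/policies/policy) {
        var $from = from-zone-name;
        var $to = to-zone-name;

        /* Skip contexts that already carry a policy of that name, so a hand-written
           PERMIT-ALL is never shadowed or duplicated */
        if (not(policy[name == $catchall])) {
            /* Surface every insertion in the commit output; this makes the temporary
               permit-all visible in the commit log rather than silent */
            <xnm:warning> {
                <message> "appending temporary " _ $catchall _ " policy to from-zone "
                          _ $from _ " to-zone " _ $to;
            }
            /* A transient change is applied at commit time but not written into the
               candidate, so deleting (or disabling) the script removes the policy again.
               New list entries are merged at the end, which is what puts this policy last. */
            <transient-change> {
                <security> {
                    <policies> {
                        <policy> {
                            <from-zone-name> $from;
                            <to-zone-name> $to;
                            <policy> {
                                <name> $catchall;
                                <match> {
                                    <source-address> "any";
                                    <destination-address> "any";
                                    <application> "any";
                                }
                                <then> {
                                    <permit>;
                                    <log> {
                                        <session-init>;
                                        <session-close>;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```

After committing, "show security policies" (rather than "show configuration") is the place to confirm that the transient policy really sits last in each zone pair, since the candidate itself will not show it. Because every match hits this policy once the explicit ones are exhausted, the session-init/session-close logging it carries is also what you would grep to find the applications still missing a proper policy before the script is removed.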


On 06/28/2011 01:43 PM, Alex wrote:
> I quickly tested this config and it fails - but for a different reason: SRX
> does not like group names in uppercase :-)
> When I change the group name to lowercase and without hyphen it works. This
> is on 11.1.
> So my comment below needs clarification  -  the upper-level regex (for SRX
> it's "from-zone<*>  to-zone<*>" regex) needs to match for the lower-level
> config to be applied, even if there is no matching regex for lower-level
> config (i.e. no policy named PERMIT-ALL under [edit security policies]).
> Cheers
> Alex
>
>
> ----- Original Message -----
> From: "Alex"<alex.arseniev at gmail.com>
> To: "John Center"<john.center at villanova.edu>;<juniper-nsp at puck.nether.net>
> Sent: Tuesday, June 28, 2011 6:05 PM
> Subject: Re: [j-nsp] Using apply-groups for last policy on SRX
>
>
>> General rule for JUNOS groups is that you cannot set something on
>> nonexistent object. For instance, if an interface does not exist under
>> [edit interfaces] then any group matching on this interface will fail to
>> set anything.
>> It looks like you are trying to define a complete policy inside a group
>> while having no matching policy under [edit security policies]:
>>
>> policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
>> policy PERMIT-ALL is not defined under [edit security policies]
>>
>> -- and this will fail for the reason I mentioned above.
>> OTOH, I think you can accomplish what you want with commit-script.
>> HTH
>> Rgds
>> Alex
>>
>> ----- Original Message -----
>> From: "John Center"<john.center at villanova.edu>
>> To:<juniper-nsp at puck.nether.net>
>> Sent: Tuesday, June 28, 2011 4:57 PM
>> Subject: [j-nsp] Using apply-groups for last policy on SRX
>>
>>
>>> Hi,
>>>
>>> Is it possible to use apply-group to set the last security policy between
>>> zones?  I'm trying to avoid changing the default policy from deny all,
>>> but I want to do something like this:
>>>
>>> groups {
>>>     PERMIT-ALL {
>>>          security {
>>>              policies {
>>>                  from-zone<*>  to-zone<*>  {
>>>                      policy PERMIT-ALL {
>>>                          match {
>>>                              source-address any;
>>>                              destination-address any;
>>>                              application any;
>>>                          }
>>>                          then {
>>>                              permit;
>>>                              log {
>>>                                  session-init;
>>>                                  session-close;
>>>                              }
>>>                          }
>>>                      }
>>>                  }
>>>              }
>>>          }
>>>      }
>>> }
>>>
>>> ...
>>>
>>> security {
>>>      policies {
>>>        from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
>>>
>>>              policy XXXX {
>>>                  match {
>>>                      source-address any;
>>>                      destination-address any;
>>>                      application XXXX;
>>>                  }
>>>                  then {
>>>                      permit;
>>>                  }
>>>              }
>>>          ...
>>>              apply-groups PERMIT-ALL;
>>>          }
>>>    }
>>>
>>> }
>>>
>>> After I'm confident I got all of the applications I need policies for, I
>>> just want to remove the apply-groups statement.  Does this make sense? Is
>>> there another/better/easier way to do this?
>>>
>>> Thanks.
>>>
>>>      -John
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>
