[j-nsp] Using apply-groups for last policy on SRX
Alex
alex.arseniev at gmail.com
Tue Jun 28 14:39:10 EDT 2011
Re-test #2:
If I type "set" commands, uppercase is accepted.
However, when I use "load merge terminal", the uppercase group name is
errored and converted to "?".
Using your exact example config:
{primary:node1}[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
groups {
    ? PERMIT-ALL {
        security {
terminal:2:(15) syntax error: PERMIT-ALL
  [edit groups "?"]
    '? PERMIT-ALL {'
      syntax error
            policies {
                from-zone <*> to-zone <*> {
                    policy PERMIT-ALL {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}
?}
load complete (1 errors)
{primary:node1}[edit]
user@host# show groups
<snip>
"?" {
    security {
        policies {
            from-zone <*> to-zone <*> {
                policy PERMIT-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
    }
}
After renaming "?" to PERMIT-ALL it is accepted and applied without any
further probs:
{primary:node1}[edit]
lab@jimbo# show security policies | display inheritance | except ##
from-zone LAN to-zone VPN {
    policy LAN_VPN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy PERMIT-ALL {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
<snip>
So it looks like a small bug with "load merge terminal" in the 11.1 daily I am
using for this test, I guess :-)
As for commit-scripts - check if this one fulfills your requirement
http://www.juniper.net/us/en/community/junos/script-automation/library/configuration/deny-last/
HTH
Rgds
Alex
----- Original Message -----
From: "John Center" <john.center at villanova.edu>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, June 28, 2011 7:12 PM
Subject: Re: [j-nsp] Using apply-groups for last policy on SRX
> Hi Alex,
>
> Thanks for responding. I'm not sure I understand what you mean about the
> capitalization. The group PERMIT-ALL works under 10.4:
>
> policies {
>     from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
>         ##
>         ## 'PERMIT-ALL' was inherited from group 'PERMIT-ALL'
>         ##
>         policy PERMIT-ALL {
>             ##
>             ## 'match' was inherited from group 'PERMIT-ALL'
>             ##
>             match {
>                 ##
>                 ## 'any' was inherited from group 'PERMIT-ALL'
>                 ##
>                 source-address any;
>                 ##
>                 ## 'any' was inherited from group 'PERMIT-ALL'
>                 ##
>                 destination-address any;
>                 ##
>                 ## 'any' was inherited from group 'PERMIT-ALL'
>                 ## Warning: application or application-set must be defined
>                 ##
>                 application any;
>             }
>             ##
>             ## 'then' was inherited from group 'PERMIT-ALL'
>             ##
>             then {
>                 ##
>                 ## 'permit' was inherited from group 'PERMIT-ALL'
>                 ##
>                 permit;
>                 ##
>                 ## 'log' was inherited from group 'PERMIT-ALL'
>                 ##
>                 log {
>                     ##
>                     ## 'session-init' was inherited from group 'PERMIT-ALL'
>                     ##
>                     session-init;
>                     ##
>                     ## 'session-close' was inherited from group 'PERMIT-ALL'
>                     ##
>                     session-close;
>                 }
>             }
>         }
>     }
>
> The only thing strange is the warning above about "application or
> application-set must be defined". It appears to be working, though,
> otherwise I'd have no connectivity to the subnets behind the firewall.
> What I'd like to do is be able to insert other policies before this one in
> an economical way. Do you have an example of a commit script that might
> do something similar, so I can see an example of what you're talking
> about?
>
> Thanks.
>
> -John
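The two things this thread runs into are both things you can check mechanically before a commit: a group name that `load merge terminal` turned into "?", and an any/any/any permit policy (the inherited PERMIT-ALL) that has to stay last in its zone pair, because anything placed after it is never evaluated. The following is an added example, not code from the thread or from Juniper: a small Python parser for the curly-brace text that `show security policies` and `show groups` print (it skips the `##` annotations from `display inheritance`), plus those two checks. SAMPLE_CONFIG is constructed for the example; the zone names, the `lan-hosts` address-book entry and the LAN_VPN policy body are made up.

```python
# Added example, not code from the thread or from Juniper: parse the curly-brace
# text that `show security policies` / `show groups` print and check (a) a group
# name that came back as "?" after `load merge terminal`, (b) an any/any/any
# permit policy that is not last in its zone pair, so later policies are shadowed.
SAMPLE_CONFIG = """
groups {
    "?" {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy PERMIT-ALL {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
security {
    policies {
        from-zone LAN to-zone VPN {
            ## 'PERMIT-ALL' was inherited from group 'PERMIT-ALL'
            policy PERMIT-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy LAN_VPN {
                match {
                    source-address lan-hosts;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    deny;
                }
            }
        }
    }
}
"""
CATCH_ALL = {"source-address any", "destination-address any", "application any"}

def parse_junos(text):
    """'x {' -> nested dict keyed by statement text, 'x;' -> None. Dict insertion
    order preserves policy order; '##' lines from `display inheritance` are skipped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config text")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block in config text")
    return stack[0]

def is_catch_all_permit(policy):
    """True for a policy that matches any/any/any and permits."""
    return CATCH_ALL <= set(policy.get("match", {})) and "permit" in policy.get("then", {})

def mangled_group_names(config):
    """Group names that `load merge terminal` turned into "?" (the bug seen in the thread)."""
    return [name for name in config.get("groups", {}) if name.strip('"') == "?"]

def misplaced_catch_alls(config):
    """(zone pair, policy, shadowed policies) for every permit-all that is not last."""
    findings = []
    for pair, body in config.get("security", {}).get("policies", {}).items():
        if not pair.startswith("from-zone "):
            continue  # default-policy, policy-rematch and other non-zone-pair statements
        names = [key for key in body if key.startswith("policy ")]
        for i, key in enumerate(names):
            if is_catch_all_permit(body[key]) and i != len(names) - 1:
                shadowed = [k.split(" ", 1)[1] for k in names[i + 1:]]
                findings.append((pair, key.split(" ", 1)[1], shadowed))
    return findings
```

Run it on the output of `show security policies | display inheritance` pasted into a file: `mangled_group_names(parse_junos(text))` should come back empty, and `misplaced_catch_alls` returns one tuple per zone pair where the permit-all sits above other policies, naming the policies that are shadowed. With SAMPLE_CONFIG it reports the `"?"` group and that PERMIT-ALL in LAN to VPN shadows LAN_VPN.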