[j-nsp] Firewall best practices

[Wayne Tucker]

On Mon, Jun 11, 2012 at 5:04 PM, Ben Dale <bdale at comlinx.com.au> wrote:

> What would really help though is if Junos allowed multiple address-books
> to be bound to a single zone - that way, SRXs buried deeper in your network
> would have access to all address-book entries on a single upstream zone
> with very little configuration management.  I'm sure this concept would
> make tools like Space and NSM easier to use as well - Juniper SRX PLMs are
> you listening out there?  SAVE US!
>
>
It takes some getting used to, but this can be accomplished through
configuration groups:

Here's a vanilla address book on a Junos 10.4 box:

# show security zones security-zone trust address-book
address ironman 192.168.0.16/32;
address knife 192.168.0.8/32;

Create a couple of groups and apply them:

# set groups group1 security zones security-zone trust address-book address
address1 192.168.0.1/32
# set groups group2 security zones security-zone trust address-book address
address2 192.168.0.1/32
# set apply-groups [ group1 group2 ]

And now the address book contains the additional entries:

# show security zones security-zone trust address-book | display
inheritance
address ironman 192.168.0.16/32;
address knife 192.168.0.8/32;
address inet6:sandman 2001:470:ea7c:0:221:6aff:fe66:bdcc/128;
##
## 'address1' was inherited from group 'group1'
## '192.168.0.1/32' was inherited from group 'group1'
##
address address1 192.168.0.1/32;
##
## 'address2' was inherited from group 'group2'
## '192.168.0.1/32' was inherited from group 'group2'
##
address address2 192.168.0.1/32;

An added bonus of having the address book (or almost other configuration)
in a group is that you can use "load replace" (or the equivalent in the XML
API) to keep it consistent when you distribute it around.  Add a few more
layers and you could have a fully fledged system for managing any
configuration bits on a device.

:w