The general rule for JUNOS groups is that you cannot set something on a nonexistent object. For instance, if an interface does not exist under [edit interfaces], then any group matching on this interface will fail to set anything. It looks like you are trying to define a complete policy inside a group while having no matching policy under [edit security policies]:

policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
policy PERMIT-ALL is not defined under [edit security policies]

-- and this will fail for the reason I mentioned above.
OTOH, I think you can accomplish what you want with a commit script.
HTH
Rgds
Alex
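The commit-script route mentioned above, as an added example that is neither Alex's nor John's code: a SLAX commit script that appends a logged PERMIT-ALL policy, as a transient change, to every from-zone/to-zone pair tagged with an `apply-macro permit-all-tail` marker (the macro name and the script filename are my own choices, as is the warning text). Because the change is transient it never lands in the saved configuration, so deleting the marker line, or the script, withdraws the policy.

```slax
/* Added example (not from the thread). Tag a zone pair with
 * "apply-macro permit-all-tail" and it gets a logged PERMIT-ALL policy appended
 * at commit time as a transient change, never written to the saved config.
 * Enable with: set system scripts commit allow-transients
 *              set system scripts commit file permit-all-tail.slax  */
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match configuration {
    /* A "from-zone A to-zone B" stanza is a <policy> with from-zone-name/to-zone-name;
       only tagged pairs that do not already define PERMIT-ALL get the policy */
    for-each (security/policies/policy[apply-macro/name == "permit-all-tail"
                                         && not(policy[name == "PERMIT-ALL"])]) {
        <transient-change> {
            <security> {
                <policies> {
                    <policy> {
                        <from-zone-name> from-zone-name;
                        <to-zone-name> to-zone-name;
                        <policy> {
                            <name> "PERMIT-ALL";
                            <match> {
                                <source-address> "any";
                                <destination-address> "any";
                                <application> "any";
                            }
                            <then> {
                                <permit>;
                                <log> {
                                    <session-init>;
                                    <session-close>;
                                }
                            }
                        }
                    }
                }
            }
        }
        /* Surface the open policy in every commit so it is not forgotten */
        <xnm:warning> {
            <message> "transient PERMIT-ALL active for " _ from-zone-name _ " -> " _ to-zone-name;
        }
    }
}
```

Policies within a zone pair are evaluated in order, so after the first commit check with `show security policies from-zone A to-zone B` that the transient policy sits last; a permit-all evaluated earlier would shadow the specific policies you are trying to build up.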

----- Original Message ----- From: "John Center" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 28, 2011 4:57 PM
Subject: [j-nsp] Using apply-groups for last policy on SRX


Hi,

Is it possible to use apply-group to set the last security policy between zones? I'm trying to avoid changing the default policy from deny all, but I want to do something like this:

groups {
    PERMIT-ALL {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy PERMIT-ALL {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}

...

security {
    policies {
        from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
            policy XXXX {
                match {
                    source-address any;
                    destination-address any;
                    application XXXX;
                }
                then {
                    permit;
                }
            }
            ...
            apply-groups PERMIT-ALL;
        }
    }
}

After I'm confident I got all of the applications I need policies for, I just want to remove the apply-groups statement. Does this make sense? Is there another/better/easier way to do this?

Thanks.

    -John

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp