I quickly tested this config and it fails - but for a different reason: SRX
does not like group names in uppercase :-)
When I change the group name to lowercase and without hyphen it works. This
is on 11.1.
So my comment below needs clarification - the upper-level regex (for SRX
it's the "from-zone <*> to-zone <*>" regex) needs to match for the lower-level
config to be applied, even if there is no matching regex for the lower-level
config (i.e. no policy named PERMIT-ALL under [edit security policies]).
Cheers
Alex
----- Original Message -----
From: "Alex" <[email protected]>
To: "John Center" <[email protected]>; <[email protected]>
Sent: Tuesday, June 28, 2011 6:05 PM
Subject: Re: [j-nsp] Using apply-groups for last policy on SRX
The general rule for JUNOS groups is that you cannot set something on a
nonexistent object. For instance, if an interface does not exist under
[edit interfaces] then any group matching on this interface will fail to
set anything.
It looks like you are trying to define a complete policy inside a group
while having no matching policy under [edit security policies]:
policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
policy PERMIT-ALL is not defined under [edit security policies]
-- and this will fail for the reason I mentioned above.
OTOH, I think you can accomplish what you want with commit-script.
HTH
Rgds
Alex
----- Original Message -----
From: "John Center" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 28, 2011 4:57 PM
Subject: [j-nsp] Using apply-groups for last policy on SRX
Hi,
Is it possible to use apply-group to set the last security policy between
zones? I'm trying to avoid changing the default policy from deny all,
but I want to do something like this:
groups {
    PERMIT-ALL {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy PERMIT-ALL {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}
...
security {
    policies {
        from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
            policy XXXX {
                match {
                    source-address any;
                    destination-address any;
                    application XXXX;
                }
                then {
                    permit;
                }
            }
            ...
            apply-groups PERMIT-ALL;
        }
    }
}
After I'm confident I got all of the applications I need policies for, I
just want to remove the apply-groups statement. Does this make sense? Is
there another/better/easier way to do this?
Thanks.
-John
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
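The inheritance rule Alex arrives at in the thread (the wildcard container "from-zone <*> to-zone <*>" only lands on zone pairs that already exist, while the concrete "policy permit-all" underneath it is created wherever the wildcard matched) is easy to get wrong when reasoning about a real config. The following is an added toy model of that rule, written for this page; it is not Junos code and not John's or Alex's config. The merge semantics (wildcards never create objects, concrete statements are created when absent, a local leaf wins over the group's value, and an inherited policy is appended after the locally configured ones) are assumptions drawn from the discussion, and the sample group and base config are constructed here, using a lowercase group name as Alex reports works on 11.1. On a real box the authoritative check is `show security policies | display inheritance`, which this model is only meant to help predict.

```python
"""Toy model of how a Junos apply-groups wildcard lands on a config tree.

Added illustration, not Junos code. Modelled rules (assumptions from the thread):
  * a wildcard container such as 'from-zone <*> to-zone <*>' only matches
    containers that already exist in the target and never creates new ones;
  * a concrete statement under a matched container ('policy permit-all') is
    created when absent and ends up after the locally configured statements;
  * when the same leaf exists locally, the local value wins.
Config trees are nested dicts; leaf flags such as 'permit;' are keys mapped to None.
"""
import copy
import re

WILDCARD = "<*>"


def matches(pattern, name):
    """True when a group node name matches a real node name; '<*>' matches one identifier."""
    if WILDCARD not in pattern:
        return pattern == name
    regex = re.escape(pattern).replace(re.escape(WILDCARD), r"\S+")
    return re.fullmatch(regex, name) is not None


def _merge(target, group_node, path, applied):
    for pat, gval in group_node.items():
        if WILDCARD in pat:
            # Wildcards only match objects that already exist (the "nonexistent object" rule).
            for name, tval in target.items():
                if matches(pat, name) and isinstance(tval, dict) and isinstance(gval, dict):
                    _merge(tval, gval, path + [name], applied)
        elif pat not in target:
            # Inherited statement; dict insertion order places it after the local ones.
            target[pat] = copy.deepcopy(gval)
            applied.append(" ".join(path + [pat]))
        elif isinstance(target[pat], dict) and isinstance(gval, dict):
            _merge(target[pat], gval, path + [pat], applied)
        # Otherwise a local leaf already exists and takes precedence over the group's value.


def apply_group(config, group):
    """Return (merged_config, inherited_paths); the input config is left untouched."""
    merged = copy.deepcopy(config)
    applied = []
    _merge(merged, group, [], applied)
    return merged, applied


def policy_order(config, zone_pair):
    """Policy statements under 'security policies <zone_pair>' in evaluation order."""
    pair = config["security"]["policies"].get(zone_pair, {})
    return [name for name in pair if name.startswith("policy ")]


# Constructed sample group, modelled on the thread, with a lowercase name (assumption).
PERMIT_ALL_GROUP = {
    "security": {"policies": {"from-zone <*> to-zone <*>": {
        "policy permit-all": {
            "match": {"source-address": "any", "destination-address": "any",
                      "application": "any"},
            "then": {"permit": None, "log": {"session-init": None, "session-close": None}},
        }}}}}

# Constructed base config: one zone pair with a policy, one that exists but is empty.
BASE_CONFIG = {
    "security": {"policies": {
        "from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS": {
            "policy ssh": {
                "match": {"source-address": "any", "destination-address": "any",
                          "application": "junos-ssh"},
                "then": {"permit": None},
            },
        },
        "from-zone ADMIN-SYSTEMS to-zone PROD-SYSTEMS": {},
    }}}


if __name__ == "__main__":
    merged, inherited = apply_group(BASE_CONFIG, PERMIT_ALL_GROUP)
    for path in inherited:
        print("inherited:", path)
    for pair in merged["security"]["policies"]:
        print(pair, "->", policy_order(merged, pair))
    # Applying the same group to a config with no zone pairs inherits nothing at all.
    print("on empty policies:", apply_group({"security": {"policies": {}}}, PERMIT_ALL_GROUP)[1])
```

The empty-policies case at the end is the failure mode from Alex's first reply: the group is syntactically fine, but with nothing for the wildcard to match, nothing is inherited and no error tells you so. Running the model against a dump of the intended zone pairs before committing is a cheap way to spot that, and `| display inheritance` confirms it on the device.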