Hi Alex,

Thanks for responding. I'm not sure I understand what you mean about the capitalization. The group PERMIT-ALL works under 10.4:

policies {
    from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
        ##
        ## 'PERMIT-ALL' was inherited from group 'PERMIT-ALL'
        ##
        policy PERMIT-ALL {
            ##
            ## 'match' was inherited from group 'PERMIT-ALL'
            ##
            match {
                ##
                ## 'any' was inherited from group 'PERMIT-ALL'
                ##
                source-address any;
                ##
                ## 'any' was inherited from group 'PERMIT-ALL'
                ##
                destination-address any;
                ##
                ## 'any' was inherited from group 'PERMIT-ALL'
                ## Warning: application or application-set must be defined
                ##
                application any;
            }
            ##
            ## 'then' was inherited from group 'PERMIT-ALL'
            ##
            then {
                ##
                ## 'permit' was inherited from group 'PERMIT-ALL'
                ##
                permit;
                ##
                ## 'log' was inherited from group 'PERMIT-ALL'
                ##
                log {
                    ##
                    ## 'session-init' was inherited from group 'PERMIT-ALL'
                    ##
                    session-init;
                    ##
                    ## 'session-close' was inherited from group 'PERMIT-ALL'
                    ##
                    session-close;
                }
            }
        }
    }
}

The only thing strange is the warning above about "application or application-set must be defined". It appears to be working, though, otherwise I'd have no connectivity to the subnets behind the firewall. What I'd like to do is be able to insert other policies before this one in an economical way. Do you have an example of a commit script that might do something similar, so I can see an example of what you're talking about?

Thanks.

        -John


On 06/28/2011 01:43 PM, Alex wrote:
I quickly tested this config and it fails - but for a different reason: SRX
does not like group names in uppercase :-)
When I change the group name to lowercase and without hyphen it works. This
is on 11.1.
So my comment below needs clarification - the upper-level regex (for SRX
it's the "from-zone <*> to-zone <*>" regex) needs to match for the lower-level
config to be applied, even if there is no matching regex for lower-level
config (i.e. no policy named PERMIT-ALL under [edit security policies])
Cheers
Alex


----- Original Message -----
From: "Alex" <[email protected]>
To: "John Center" <[email protected]>; <[email protected]>
Sent: Tuesday, June 28, 2011 6:05 PM
Subject: Re: [j-nsp] Using apply-groups for last policy on SRX


General rule for JUNOS groups is that you cannot set something on
nonexistent object. For instance, if an interface does not exist under
[edit interfaces] then any group matching on this interface will fail to
set anything.
It looks like you are trying to define a complete policy inside a group
while having no matching policy under [edit security policies]:

policy PERMIT-ALL is defined under [edit groups PERMIT-ALL]
policy PERMIT-ALL is not defined under [edit security policies]

-- and this will fail for the reason I mentioned above.
OTOH, I think you can accomplish what you want with commit-script.
HTH
Rgds
Alex

----- Original Message -----
From: "John Center" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 28, 2011 4:57 PM
Subject: [j-nsp] Using apply-groups for last policy on SRX


Hi,

Is it possible to use apply-group to set the last security policy between
zones?  I'm trying to avoid changing the default policy from deny all,
but I want to do something like this:

groups {
    PERMIT-ALL {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy PERMIT-ALL {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}

...

security {
    policies {
        from-zone PROD-SYSTEMS to-zone ADMIN-SYSTEMS {
            policy XXXX {
                match {
                    source-address any;
                    destination-address any;
                    application XXXX;
                }
                then {
                    permit;
                }
            }
            ...
            apply-groups PERMIT-ALL;
        }
    }
}

After I'm confident I got all of the applications I need policies for, I
just want to remove the apply-groups statement.  Does this make sense? Is
there another/better/easier way to do this?

Thanks.

     -John

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp


