Zone-based vs GlobalWhen dealing with address objects on an SRX running older versions of Junos, they typically would employ a zone-based address-book for it's configuration. When using a zone-based address-book, the address objects referenced in the security policies are created per zone, which means that every zone will have an address-book configuration, and could potentially have duplicate objects.Newer Junos versions use a global address-book configuration. The global address-book reduces complexity in your configuration by managing all address objects in one spot, and if you need to reference the same object in different zones, you aren't defining said object under multiple zones in your configuration.How do I convert?Use the "zone2global" script: https://github.com/scottdware/zone2globalUsing the zone2global script against an SRX (or multiple SRX's) will convert all of your individual zone-based address-books to a single, global one. By default, this configuration is saved in a text file, but you have the option to commit the converted address-book changes immediately, instead of saving it.This script has binaries for all major operating systems: Windows, Mac OS X, and Linux. You can also choose to use the conversion function in your own Go scripts, by using the API from the parent go-junos package.
** Note: You MUST be running a Junos version >= 11.2 in order to take advantage of global address-books.Download the binaries: https://github.com/scottdware/zone2global/releasesgo-junos API: https://github.com/scottdware/go-junos
More detailed examples can be found on my blog post here: http://sdubs.org/srx-how-to-convert-zone-based-address-books-to-a-global-one/
show configuration | display set | save config.txtstart shellsed s”/set security zones.*address-book/set security address-book global/g” config.txt >gconfig.txtexiteditdeleteload set gconfig.txtshow | comparecommit and-quit