SRX

Address Book and Security Policy

  • 1.  Address Book and Security Policy

    Posted 12-15-2017 13:07

    Hello,

    I just started using an SRX device only two days back, so this might be a very newbie question.

    I am basically trying to create a firewall policy using address-books. I just want to confirm that this is the right way to configure this.

    1) It's always better to use the global address. If I define a non-global address book, that will need to be attached to a zone, and that address-book will be usable only inside that zone's policy.

    2) Firewall policies are written as shown below. There is no option to have just one policy with different terms (term1, term2, ...) like in a routing policy.

    user@FW-01> show configuration security address-book                                
    global {
        address Test 1.1.1.1/32;
        address New 3.3.3.0/27;
        address-set Test-Set {
            address Test;
            address New;
        }
    }
    
    user@FW-01> show configuration security policies from-zone untrust to-zone trust    
    policy Test {
        match {
            source-address Test-Set;
            destination-address any;
            application junos-tftp;
        }
        then {
            permit;
        }
    }
    policy New_Policy {
        match {
            source-address any;
            destination-address any;
            application junos-ike;
        }
        then {
            permit;
        }
    }
    
    user@FW-01> 


  • 2.  RE: Address Book and Security Policy
    Best Answer

    Posted 12-15-2017 14:27
    Hello,
    Yes! You are right.
    1. You can configure an address under the global address book or under a zone address book; if you configure it under a zone address book, you can see it under the zone. It's better to configure it under the global address book and without capital letters.
    2. Yes, there is no term option; you can configure one rule in one policy. Imagine that each policy is a term and from-zone to-zone is the policy.



  • 3.  RE: Address Book and Security Policy

    Posted 12-15-2017 14:35

    1. I wouldn't say it's always better. Defining addresses in the global address-book is a must for some NAT configurations and global policies. Otherwise I prefer to use address-books attached to zones. It gives you an extra validation check when defining policies.

    2. Yes, there are no terms in security policies.

    Regards, Wojtek
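Both replies above describe configuration the original post does not show: an address book attached to a zone (the extra validation check reply 3 mentions) alongside the global book, and the one-rule-per-policy layout that reply 2 compares to routing-policy terms. The set-style configuration below is an added example for this thread; it is not the original poster's configuration or Juniper's own documentation. The book names, address names and RFC 5737 documentation prefixes are assumptions chosen for illustration.

```junos
# Added example (not from the thread). Book names, address names and
# prefixes are assumptions; adapt them to your own zones and hosts.

# Address book attached to the untrust zone. Only policies whose from-zone
# (for source-address) or to-zone (for destination-address) is untrust can
# reference these names; a typo or a wrong-zone reference fails the commit.
set security address-book untrust-book address tftp-client-1 192.0.2.10/32
set security address-book untrust-book address tftp-client-2 192.0.2.11/32
set security address-book untrust-book address-set tftp-clients address tftp-client-1
set security address-book untrust-book address-set tftp-clients address tftp-client-2
set security address-book untrust-book attach zone untrust

# Address book attached to the trust zone.
set security address-book trust-book address tftp-server 198.51.100.20/32
set security address-book trust-book attach zone trust

# Global address book, usable from any zone context. Reply 3 notes this is
# required for some NAT configurations and for global policies; it can
# coexist with zone-attached books. Names are kept lowercase (reply 2).
set security address-book global address mgmt-host 203.0.113.5/32

# One rule per policy. The from-zone/to-zone context plays the role of the
# routing-policy "policy" and each named policy plays the role of a "term".
set security policies from-zone untrust to-zone trust policy allow-tftp match source-address tftp-clients
set security policies from-zone untrust to-zone trust policy allow-tftp match destination-address tftp-server
set security policies from-zone untrust to-zone trust policy allow-tftp match application junos-tftp
set security policies from-zone untrust to-zone trust policy allow-tftp then permit

# Policies in a context are evaluated top-down. The default action is deny,
# so this explicit final "term" exists only to log what was dropped.
set security policies from-zone untrust to-zone trust policy deny-rest match source-address any
set security policies from-zone untrust to-zone trust policy deny-rest match destination-address any
set security policies from-zone untrust to-zone trust policy deny-rest match application any
set security policies from-zone untrust to-zone trust policy deny-rest then deny
set security policies from-zone untrust to-zone trust policy deny-rest then log session-init
```

The validation benefit reply 3 refers to is visible at commit time: in the from-zone untrust to-zone trust context, source-address may only name entries from untrust-book or global, and destination-address only entries from trust-book or global, so putting tftp-server in the source-address field is rejected instead of silently matching nothing. One caveat when mixing styles: the legacy address book configured directly under security zones security-zone cannot be combined with the security address-book hierarchy used here, so pick one form for the whole device.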