SRX


mysterious global address-book

  • 1.  mysterious global address-book

    Posted 05-26-2018 11:12

    I don't see any global address book when I do:

    [edit security]
    root@r1# show address-book
    r20 {
        address 20 10.20.1.0/24;
        attach {
            zone r20;
        }
    }

    But when I try to commit I get an error about there being a global address-book like:

    [edit security zones security-zone r20]
    'address-book'
        Zone specific address books are not allowed when there are global address books defined
    error: configuration check-out failed: (statements constraint check failed)

    Where else should I look to try to delete this mysterious global address book?



  • 2.  RE: mysterious global address-book

     
    Posted 05-26-2018 21:54

    There are two ways you can define address books but you can't use both at once

    set security security-zone a address-book b address c
    
    set security address-book b address c
    set security address-book b attach zone a

    It looks like you have a mix of both. You have to choose one way or another. Second one is recommended.

     

    Regards, Wojtek



  • 3.  RE: mysterious global address-book

    Posted 05-27-2018 19:02

    Hi,

    There are two different methods to create Address Book objects: per zone and globally. It can be created in three locations:
    1. Address book within a zone
    Eg:- set security zones security-zone DMZ address-book address Server 8.8.8.8/32

    2. Address book at the global level
    set security address-book DMZ address Server 8.8.8.8/32
    set security address-book DMZ attach zone DMZ

    3. Address book within the global address book
    set security address-book global address Server 8.8.8.8/32

     

    Historically, each zone had its own address book directly under the zone configuration. In Release 11.2, they moved from the zone level to the device global level. Within this global level, you can create an address book by name and attach it to a zone so those objects are only available within the zone to which the address book is attached. Within the global level, there is also a global address book that you can create objects that are available within every zone on the device. The caveat to this is that you either have to do everything zone based or global based. If you have zone-specific address books, you cannot use the global level configuration or you will get a commit failure.

     



  • 4.  RE: mysterious global address-book

    Posted 05-29-2018 14:24

    @wdusys, I tried recommended setup like:

    set security address-book b address c
    set security address-book b attach zone a

    but when I try to create an address like:

    [edit security]
    set address-book something address 10.20.0.0/24
                                                     ^
    missing argument.
    
    [edit security]
    r1# set address-book something address 10.20.0.0/24 ?
    Possible completions:
      <ip-prefix>          Numeric IPv4 or IPv6 address with prefix
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      description          Text description of address
    > dns-name             DNS address name
    > range-address        Address range
    > wildcard-address     Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask

     Meanwhile I deleted the address book I had, but it gives me an error that source address or address-group not found, presumably until I can get one created.

     

    I'm running JunOS 15.1X49-D45

    So I tried to create it like:

    [edit security address-book]
    r1# set  something address a1 10.20.0.0/24

    which worked, but now I get a commit check error:

    # commit check
    [edit security zones security-zone something]
      'address-book'
        Zone specific address books are not allowed when there are global address books defined
    error: configuration check-out failed: (statements constraint check failed)


  • 5.  RE: mysterious global address-book
    Best Answer

     
    Posted 05-30-2018 10:34

    Run in config mode:

    #show security zones | display set | match address-book

    replace set with delete and remove them

    recreate them using global address books

     

    Regards, Wojtek

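The migration described in the answer above (list the zone-level address-book statements, delete them, recreate them as global address books attached to the zone), as an added helper script that is not part of the thread and not Juniper code. It reads `display set` output, filters the zone-level `address-book` lines itself, and emits the `delete` commands plus the equivalent global-book `set` and `attach` statements; the global book is named after its zone, as the posts in this thread do, and the sample lines are constructed.

```python
import re
from typing import List, Tuple

# Matches one "show security zones | display set" line that belongs to a
# zone-level address book. The "rest" group keeps the address or
# address-set statement verbatim so it can be re-homed under a global book.
ZONE_BOOK = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book (?P<rest>.+)$"
)


def migrate_zone_address_books(display_set_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (delete_cmds, set_cmds) that move zone address books to global ones.

    delete_cmds removes each zone-level address-book hierarchy (the thing that
    triggers the "Zone specific address books are not allowed" commit error).
    set_cmds recreates every entry under "security address-book <zone>" and
    attaches that book to its zone so policies can still reference the names.
    """
    zones: List[str] = []      # ordered, de-duplicated list of zones seen
    set_cmds: List[str] = []
    for raw in display_set_lines:
        m = ZONE_BOOK.match(raw.strip())
        if not m:
            continue  # interfaces, screens, etc. are left untouched
        zone, rest = m.group("zone"), m.group("rest")
        if zone not in zones:
            zones.append(zone)
        set_cmds.append(f"set security address-book {zone} {rest}")
    # Deleting the whole zone-level address-book node is shorter than deleting
    # each address and is what "replace set with delete" amounts to.
    delete_cmds = [f"delete security zones security-zone {z} address-book" for z in zones]
    # Without the attach statement the global book is not visible to the zone.
    set_cmds.extend(f"set security address-book {z} attach zone {z}" for z in zones)
    return delete_cmds, set_cmds


# Constructed sample of "show security zones | display set" output (not from a real box).
SAMPLE_DISPLAY_SET = [
    "set security zones security-zone r20 address-book address r2 10.20.0.0/24",
    "set security zones security-zone r20 address-book address r3 range-address 10.20.0.1 to 10.20.0.254",
    "set security zones security-zone r20 address-book address-set servers address r2",
    "set security zones security-zone r20 interfaces ge-0/0/1.0",
    "set security zones security-zone untrust address-book address dns 8.8.8.8/32",
]

if __name__ == "__main__":
    deletes, sets = migrate_zone_address_books(SAMPLE_DISPLAY_SET)
    print("\n".join(deletes + sets))
```

Paste the output into configuration mode and run `commit check` before `commit`; policies that referenced the zone-level names keep working because the names are unchanged.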


  • 6.  RE: mysterious global address-book

    Posted 05-30-2018 14:32

    Thanks @wdusys, that worked! I did:

    delete security policies from-zone r20 to-zone untrust policy r20

    then per @nellikka suggestion, created global address and assigned a zone to it like:

    set security address-book r20 address r2 range-address 10.20.0.1 to 10.20.0.254
    set address-book r20 attach zone r20

    And it passes traffic!