SRX Invalid address entry

  • 1.  SRX Invalid address entry

    Posted 06-01-2020 13:06

    Hello everyone, I hope you are all doing well.
    I have an SRX 12; when I set an address book and try to commit, I face the following error.

    Can anyone help, please? (attachment: address.png)

     


    #SRX


  • 2.  RE: SRX Invalid address entry

     
    Posted 06-01-2020 16:28

    Hey Networker13,

    Can you please check if you are meeting the following requirements:


    • Addresses attached to a security zone conform to the security requirements of the zone.

    • The address book that you attach to a security zone must contain all IP addresses that are reachable within that zone.

    • When you configure policies between two zones, you must define the addresses for each of the zone's address books.

    • Addresses in a user-defined address book have a higher lookup priority than addresses in the global address book. Thus, for a security zone that is attached to a user-defined address book, the system searches the user-defined address book first; if no address is found, then it searches the global address book.

     


    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 3.  RE: SRX Invalid address entry
    Best Answer

    Posted 06-01-2020 18:24

    Hi Networker13, 

     

    Greetings, 

     

    As per my understanding, the configuration line can either have just the IP address which would set it to /32 network, or you can make it as /24 but using it along with the wildcard-address knob as below:

     

    {primary:node1}[edit]
    root@lab# show | compare 
    [edit]
    +  security {
    +      zones {
    +          security-zone trust {
    +              address-book {
    +                  address web-server 10.10.10.3/24;  >>> Error as it expects only IP address.
    +                  address test 10.10.10.2/32;  >>> Works fine as this is just configured as 10.10.10.2
    +                  address test1 {
    +                      wildcard-address 10.10.10.4/24;  >>> If you want to specify the subnet as well use the knob wildcard-address and this would work.
    +                  }
    +              }
    +          }
    +      }
    +  }
    
    {primary:node1}[edit]
    root@lab# commit check 
    [edit security zones security-zone trust address-book]
      'address web-server'
        Invalid address entry
    error: configuration check-out failed

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query. 

     

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 4.  RE: SRX Invalid address entry

     
    Posted 06-02-2020 05:21

    This is incorrect.

     

    wildcard-address accepts a dotted decimal mask, not a subnet mask (CIDR or otherwise). 10.10.10.2/24 expands to 10.10.10.2/0.0.0.24. Wildcard masks are used for address matching: https://www.imedita.com/blog/wildcard-masks/

     

    security-zone test {
        address-book {
            address test {
                wildcard-address 10.10.10.2/24;
            }
        }
    }
    
    test@test> show security policies from-zone test to-zone test detail 
    ...
      Destination addresses:
        test: 10.10.10.2/0.0.0.24

     

    If you want to configure a subnet as an address book entry, specify the subnet. If you want to configure an IP as an address book entry, specify the IP.

     

    test@test# set security zones security-zone test address-book address test 10.10.1.2 
    
    [edit]
    test@test# show security zones security-zone test address-book 
    address test 10.10.1.2/32;
    
    [edit]
    test@test# set security zones security-zone test address-book address test 10.10.1.0/24 
    
    [edit]
    test@test# show security zones security-zone test address-book                             
    address test 10.10.1.0/24;

     

     



    #address-book
    #SRX
    #wildcard-address


  • 5.  RE: SRX Invalid address entry

    Posted 06-02-2020 07:47

    Hi Smicker, 

     

    Thank you for correcting me. I checked the link you shared and it gave me clarity on the correct usage of wildcard-address, i.e. for address matching.

    I would like to understand why I get the below error.

    I am just trying to configure an IP address other than a /32 subnet and get this error.

    root@lab# show | compare 
    [edit]
    +  security {
    +      address-book {
    +          test {
    +              address name1 10.10.10.2/24;
    +          }
    +      }
    +  }
    
    {primary:node1}[edit]
    root@lab# commit check 
    [edit security address-book test]
      'address name1'
        Invalid address entry >> This particular error ?
    error: configuration check-out failed

     

    Regards, 

    Sharat



  • 6.  RE: SRX Invalid address entry

     
    Posted 06-02-2020 08:02

    Sure--if you are trying to create an entry for an entire subnet you need to specify the subnet address: 10.10.10.0/24, not 10.10.10.2/24.

     

    For a single IP, you specify /32 (or not, the SRX will add it). The actual subnet that a remote host lives in is an arbitrary grouping unknown by and unimportant to the SRX.
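
The rule the replies converge on, as an added example that is not part of any post in this thread: a pre-commit lint that flags address-book prefixes with host bits set (the case rejected above as "Invalid address entry") and prints a `wildcard-address` the way post 4's output shows it, so a mask that is not the intended /24 is visible before a policy references it. The set-style lines are constructed from the entries discussed above, and `check_prefix`, `expand_wildcard` and `lint` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: set-style forms of the entries discussed in this thread.
SAMPLE = """\
set security zones security-zone trust address-book address web-server 10.10.10.3/24
set security zones security-zone trust address-book address test 10.10.10.2
set security zones security-zone trust address-book address test1 wildcard-address 10.10.10.4/24
set security address-book test address name1 10.10.10.2/24
set security zones security-zone test address-book address lan 10.10.1.0/24
"""

# "address-book" is skipped because the pattern needs a space right after "address".
ENTRY = re.compile(r"\baddress (\S+) (wildcard-address )?(\S+)\s*$")


def check_prefix(value):
    """Return (ok, prefix); a bare IP is treated as /32, as post 6 says the SRX does."""
    iface = ipaddress.ip_interface(value)
    # Host bits set (10.10.10.3/24) is the case the thread shows being rejected.
    return iface.ip == iface.network.network_address, str(iface.network)


def expand_wildcard(value):
    """Show a wildcard-address the way post 4's output does: /24 -> /0.0.0.24."""
    addr, _, mask = value.partition("/")
    if mask.isdigit():  # assumption: a bare number is read as a 32-bit mask value
        mask = str(ipaddress.IPv4Address(int(mask)))
    return f"{addr}/{mask}"


def lint(config):
    """Return (name, status, detail) for every address-book entry found."""
    findings = []
    for line in config.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        name, wildcard, value = m.groups()
        if wildcard:
            findings.append((name, "wildcard", expand_wildcard(value)))
        else:
            ok, prefix = check_prefix(value)
            # For an invalid entry, prefix is the subnet address to configure instead.
            findings.append((name, "ok" if ok else "invalid", prefix))
    return findings


if __name__ == "__main__":
    for name, status, detail in lint(SAMPLE):
        print(f"{name:12} {status:9} {detail}")
```

For an `invalid` finding the third field is the subnet address to use instead, for example `10.10.10.0/24` for `web-server`.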