SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Invalid address entry

    Posted 06-01-2020 13:06

    Hello everyone, I hope that you are all doing well.
    I have an srx 12. When I set an address book and try to commit, I face the following error.

    Can anyone help, please? (attachment: address.png)

     


    #SRX


  • 2.  RE: SRX Invalid address entry

     
    Posted 06-01-2020 16:28

    Hey Networker13,

    Can you please check if you are meeting the following requirements:

     

     

    • Addresses attached to a security zone conform to the security requirements of the zone.

    • The address book that you attach to a security zone must contain all IP addresses that are reachable within that zone.

    • When you configure policies between two zones, you must define the addresses for each of the zone's address books.

    • Addresses in a user-defined address book have a higher lookup priority than addresses in the global address book. Thus, for a security zone that is attached to a user-defined address book, the system searches the user-defined address book first; if no address is found, then it searches the global address book.

     


    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 3.  RE: SRX Invalid address entry
    Best Answer

    Posted 06-01-2020 18:24

    Hi Networker13, 

     

    Greetings, 

     

    As per my understanding, the configuration line can either have just the IP address which would set it to /32 network, or you can make it as /24 but using it along with the wildcard-address knob as below:

     

    {primary:node1}[edit]
    root@lab# show | compare 
    [edit]
    +  security {
    +      zones {
    +          security-zone trust {
    +              address-book {
    +                  address web-server 10.10.10.3/24;  >>> Error as it expects only IP address.
    +                  address test 10.10.10.2/32;  >>> Works fine as this is just configured as 10.10.10.2
    +                  address test1 {
    +                      wildcard-address 10.10.10.4/24;  >>> If you want to specify the subnet as well use the knob wildcard-address and this would work.
    +                  }
    +              }
    +          }
    +      }
    +  }
    
    {primary:node1}[edit]
    root@lab# commit check 
    [edit security zones security-zone trust address-book]
      'address web-server'
        Invalid address entry
    error: configuration check-out failed

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query. 

     

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 4.  RE: SRX Invalid address entry

     
    Posted 06-02-2020 05:21

    This is incorrect.

     

    wildcard-address accepts a dotted decimal mask, not a subnet mask (cidr or otherwise). 10.10.10.2/24 expands to 10.10.10.2/0.0.0.24. Wildcard masks are used for address matching: https://www.imedita.com/blog/wildcard-masks/

     

    security-zone test {
        address-book {
            address test {
                wildcard-address 10.10.10.2/24; 
            }
        }
    }
    
    test@test> show security policies from-zone test to-zone test detail 
    ...
      Destination addresses:
        test: 10.10.10.2/0.0.0.24

     

    If you want to configure a subnet as an address book entry, specify the subnet. If you want to configure an IP as an address book entry, specify the IP.

     

    test@test# set security zones security-zone test address-book address test 10.10.1.2 
    
    [edit]
    test@test# show security zones security-zone test address-book 
    address test 10.10.1.2/32;
    
    [edit]
    test@test# set security zones security-zone test address-book address test 10.10.1.0/24 
    
    [edit]
    test@test# show security zones security-zone test address-book                             
    address test 10.10.1.0/24;

     

     




     


    #address-book
    #SRX
    #wildcard-address


  • 5.  RE: SRX Invalid address entry

    Posted 06-02-2020 07:47

    Hi Smicker, 

     

    Thank you for correcting me. I checked the link you shared and it gave me clarity on the correct usage of wildcard-address, i.e. for address matching.

    I would like to understand why I get the below error.

    I am just trying to configure an IP address with a subnet other than /32 and I get this error.

    root@lab# show | compare 
    [edit]
    +  security {
    +      address-book {
    +          test {
    +              address name1 10.10.10.2/24;
    +          }
    +      }
    +  }
    
    {primary:node1}[edit]
    root@lab# commit check 
    [edit security address-book test]
      'address name1'
        Invalid address entry >> This particular error ?
    error: configuration check-out failed

     

    Regards, 

    Sharat



  • 6.  RE: SRX Invalid address entry

     
    Posted 06-02-2020 08:02

    Sure--if you are trying to create an entry for an entire subnet you need to specify the subnet address: 10.10.10.0/24, not 10.10.10.2/24.

     

    For a single IP, you specify /32 (or not, the SRX will add it). The actual subnet that a remote host lives in is an arbitrary grouping unknown by and unimportant to the SRX.
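
A pre-commit check for the rule explained in posts 4 and 6, as an added example that is not part of any post in this thread: it flags address-book entries whose prefix has host bits set (the entries `commit check` rejects above) and `wildcard-address` entries written with a bare number after the slash. The `set`-line pattern, the sample lines and the `lint` function name are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in Junos "set" syntax, built from the entries discussed in the thread.
SAMPLE = """\
set security zones security-zone trust address-book address web-server 10.10.10.3/24
set security zones security-zone trust address-book address test 10.10.10.2/32
set security zones security-zone trust address-book address host1 10.10.1.2
set security zones security-zone trust address-book address net1 10.10.1.0/24
set security zones security-zone trust address-book address test1 wildcard-address 10.10.10.4/24
set security address-book test address name1 10.10.10.2/24
"""

# Matches zone-attached ("address-book address NAME ...") and named-book
# ("address-book BOOK address NAME ...") entries. Assumed pattern, not a full Junos parser.
ENTRY = re.compile(
    r"address-book\s+(?:\S+\s+)?address\s+(\S+)\s+(wildcard-address\s+)?(\S+)$")


def lint(config):
    """Return a list of (name, severity, detail) for every address entry found."""
    findings = []
    for line in config.splitlines():
        m = ENTRY.search(line.strip())
        if not m:
            continue
        name, wildcard, value = m.groups()
        if wildcard:
            # The thread shows 10.10.10.2/24 stored as 10.10.10.2/0.0.0.24:
            # the part after the slash is a mask, so a bare number is suspect.
            mask = value.partition("/")[2]
            sev = "ok" if "." in mask else "warn"
            findings.append((name, sev, f"wildcard mask '{mask}'"))
            continue
        try:
            iface = ipaddress.ip_interface(value)
        except ValueError:
            findings.append((name, "error", "not an IP address or prefix"))
            continue
        if iface.ip != iface.network.network_address:
            host = f"{iface.ip}/{iface.ip.max_prefixlen}"
            findings.append((name, "error", f"host bits set: use {iface.network} or {host}"))
        else:
            findings.append((name, "ok", str(iface.network)))
    return findings


if __name__ == "__main__":
    for name, severity, detail in lint(SAMPLE):
        print(f"{severity:5} {name:11} {detail}")
```

The `warn` case matters for policy review because, as post 4 shows, such an entry commits without error and then appears in the policy with a mask of 0.0.0.24 rather than a /24 subnet.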