Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Adding a then statement to every policy?

    Posted 12-21-2021 18:15
    I've been tasked with adding a couple of new "then" statements to every single policy, on every firewall, in our network, for logging purposes.

    Example:

    set security policies from-zone XXXXXXX to-zone YYYYYYY policy ZZZZZZZ then log session-init
    set security policies from-zone XXXXXXX to-zone YYYYYYY policy ZZZZZZZ then log session-close

    Just one of our firewalls has nearly 2500 policies on it. I don't have time to go through each one and see if those lines already exist. And, I know I can just add those two lines for each policy, and if they already exist, Junos will ignore them, and if they don't they'll add them. But, still, that's pasting in nearly 5000 lines, per firewall. I'd like to avoid that.

    Is there an easier way to add those two "then" statements to every single policy on the firewall?  Greatly appreciated ahead of time!

    ------------------------------
    ANDREW PARRIS
    ------------------------------


  • 2.  RE: Adding a then statement to every policy?

    Posted 12-22-2021 05:50
    Copy output of 'show configuration security policies |display set' to text file policies.txt, and from a bash shell run

    cut -d' ' -f1-9 policies.txt |sort -u|while read i; do echo -e "${i} then log session-init\n${i} then log session-close"; done


    Copy that output to another text file newfile.txt and scp it to the firewall. From edit mode run and commit:

    load set /var/tmp/newfile.txt

  • 3.  RE: Adding a then statement to every policy?

    Posted 12-22-2021 20:17
    Thank you SO very much!


    ------------------------------
    ANDREW PARRIS
    ------------------------------



  • 4.  RE: Adding a then statement to every policy?

    Posted 12-22-2021 20:16
    "groups" might help? https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/configuration-groups-usage.html

    This probably needs a bit of tweaking on your side depending on your policies but if you are applying the then statement to ALL policies then something like this might come in handy.
    set groups firewall-then security policies from-zone <*> to-zone <*> policy <*> then log session-init 
    set groups firewall-then security policies from-zone <*> to-zone <*> policy <*> then log session-close
    set security apply-groups firewall-then

    That's it! After committing the changes you can verify if this is successfully applied or not by using the "display inheritance" knob.

    I did a quick test on a vSRX using the default policies and the groups I suggested above, for your reference:

    Current config (default config)

    jcluser@vSRX-0# show security policies | display set
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit

    Apply the changes and commit:
    jcluser@vSRX-0# show | compare 
    [edit]
    + groups {
    +     firewall-then {
    +         security {
    +             policies {
    +                 from-zone <*> to-zone <*> {
    +                     policy <*> {
    +                         then {
    +                             log {
    +                                 session-init;
    +                                 session-close;
    +                             }
    +                         }
    +                     }
    +                 }
    +             }
    +         }
    +     }
    + }
    [edit security]
    +  apply-groups firewall-then;
    
    [edit]
    jcluser@vSRX-0# commit 
    commit complete
    
    [edit]
    jcluser@vSRX-0#

    And verification:
    jcluser@vSRX-0# show security policies | display set    
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    
    [edit]
    jcluser@vSRX-0# show security policies | display set | display inheritance 
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone trust policy default-permit then log session-init
    set security policies from-zone trust to-zone trust policy default-permit then log session-close
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit then log session-init
    set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
    [edit]
    jcluser@vSRX-0#

    Hope it helps :)
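An added example, not code from either reply, that covers both the bash one-liner in reply 2 and the "display inheritance" check in reply 4 in one script: it parses saved "display set" output, tolerates global policies and quoted policy names (which break a fixed `cut` field count), and emits only the set commands a policy still lacks, so the same function run over "| display inheritance" output after applying the group should return nothing. The sample configuration is constructed for the example.

```python
import re

# Constructed sample of 'show security policies | display set' output (not from the thread):
# one policy already logs session-init, one is a global policy, one has a quoted name.
SAMPLE = """\
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit then log session-init
set security policies from-zone untrust to-zone trust policy "web in" match application junos-http
set security policies from-zone untrust to-zone trust policy "web in" then permit
set security policies global policy deny-all then deny
"""

# The policy "key" is everything up to and including the policy name; the remainder is the
# statement. Matches zone-pair and global policies, quoted or unquoted names.
_POLICY = re.compile(
    r'^(set security policies (?:from-zone \S+ to-zone \S+ |global )policy (?:"[^"]+"|\S+))\s+(.*)$'
)

WANTED = ("log session-init", "log session-close")


def policy_log_state(config_text):
    """Map each policy key -> set of 'log ...' actions already present under 'then'."""
    state = {}
    for line in config_text.splitlines():
        m = _POLICY.match(line.strip())
        if not m:
            continue  # not a policy statement (address-book, apply-groups, ...)
        key, stmt = m.groups()
        present = state.setdefault(key, set())
        if stmt.startswith("then log "):
            present.add(stmt[len("then "):])
    return state


def missing_log_statements(config_text):
    """Return the set commands still needed so every policy logs session-init and session-close."""
    cmds = []
    for key, present in policy_log_state(config_text).items():
        for action in WANTED:
            if action not in present:
                cmds.append(f"{key} then {action}")
    return cmds


if __name__ == "__main__":
    # Feed this the saved 'display set' output; the printed lines can go into a 'load set' file.
    print("\n".join(missing_log_statements(SAMPLE)))
```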