"groups" might help?
https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/configuration-groups-usage.html
This probably needs a bit of tweaking on your side depending on your policies, but if you are applying the then statement to ALL policies then something like this might come in handy.
set groups firewall-then security policies from-zone <*> to-zone <*> policy <*> then log session-init
set groups firewall-then security policies from-zone <*> to-zone <*> policy <*> then log session-close
set security apply-groups firewall-then
That's it! After committing the changes you can verify whether this is successfully applied or not by using the "display inheritance" knob.
I did a quick test on a vSRX using the default policies and the groups I suggested above, for your reference:
Current config (default config)
jcluser@vSRX-0# show security policies | display set
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
Apply the changes and commit:
jcluser@vSRX-0# show | compare
[edit]
+ groups {
+     firewall-then {
+         security {
+             policies {
+                 from-zone <*> to-zone <*> {
+                     policy <*> {
+                         then {
+                             log {
+                                 session-init;
+                                 session-close;
+                             }
+                         }
+                     }
+                 }
+             }
+         }
+     }
+ }
[edit security]
+ apply-groups firewall-then;
[edit]
jcluser@vSRX-0# commit
commit complete
[edit]
jcluser@vSRX-0#
And verification:
jcluser@vSRX-0# show security policies | display set
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
[edit]
jcluser@vSRX-0# show security policies | display set | display inheritance
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone trust policy default-permit then log session-init
set security policies from-zone trust to-zone trust policy default-permit then log session-close
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit then log session-init
set security policies from-zone trust to-zone untrust policy default-permit then log session-close
[edit]
jcluser@vSRX-0#
Hope it helps :)
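As an added example (not from the reply above or from Juniper), here is a small Python checker for the verification step. It parses `show security policies | display set` output, collects the `then` actions of every policy, and reports which policies still lack `log session-init` or `log session-close`. Run it against the output of `display set | display inheritance` to confirm the group really reaches every policy, and against plain `display set` to see which policies carry the logging statements explicitly. The sample transcripts embedded below are constructed, modeled on the default vSRX policies shown in the thread plus one invented `deny-all` policy with partial logging.

```python
import re
from typing import Dict, List, Set, Tuple

# Matches any security-policy "set" line so that a policy with only match
# terms is still counted (and flagged if it has no logging at all).
POLICY_ANY_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+)\b"
)
# Matches the "then <action>" form of a policy line, e.g.
#   set security policies from-zone trust to-zone untrust policy default-permit then log session-init
POLICY_THEN_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) then (?P<action>.+)$"
)

# The two statements the thread wants on every policy.
REQUIRED_LOGGING = ("log session-init", "log session-close")

PolicyKey = Tuple[str, str, str]  # (from-zone, to-zone, policy name)


def parse_policies(display_set_output: str) -> Dict[PolicyKey, Set[str]]:
    """Map every policy found in 'display set' output to its set of 'then' actions.
    Prompt lines, '[edit]' markers and non-policy lines are ignored."""
    policies: Dict[PolicyKey, Set[str]] = {}
    for raw in display_set_output.splitlines():
        line = raw.strip()
        any_match = POLICY_ANY_RE.match(line)
        if not any_match:
            continue
        key = (any_match["from"], any_match["to"], any_match["name"])
        actions = policies.setdefault(key, set())
        then_match = POLICY_THEN_RE.match(line)
        if then_match:
            actions.add(then_match["action"].strip())
    return policies


def missing_logging(display_set_output: str) -> List[Tuple[PolicyKey, List[str]]]:
    """Return (policy, [missing log statements]) for every policy that lacks
    session-init or session-close logging, sorted for stable reporting."""
    result: List[Tuple[PolicyKey, List[str]]] = []
    for key, actions in sorted(parse_policies(display_set_output).items()):
        missing = [req for req in REQUIRED_LOGGING if req not in actions]
        if missing:
            result.append((key, missing))
    return result


# Constructed sample: plain 'display set' output before the group is applied.
BEFORE_INHERITANCE = """\
jcluser@vSRX-0# show security policies | display set
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit then permit
[edit]
"""

# Constructed sample: 'display set | display inheritance' after applying the group.
AFTER_INHERITANCE = BEFORE_INHERITANCE + """\
set security policies from-zone trust to-zone trust policy default-permit then log session-init
set security policies from-zone trust to-zone trust policy default-permit then log session-close
set security policies from-zone trust to-zone untrust policy default-permit then log session-init
set security policies from-zone trust to-zone untrust policy default-permit then log session-close
"""

# Constructed sample: an invented policy that only logs session-close.
PARTIAL_LOGGING = """\
set security policies from-zone untrust to-zone trust policy deny-all match source-address any
set security policies from-zone untrust to-zone trust policy deny-all then deny
set security policies from-zone untrust to-zone trust policy deny-all then log session-close
"""


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_INHERITANCE),
                          ("after", AFTER_INHERITANCE),
                          ("partial", PARTIAL_LOGGING)):
        gaps = missing_logging(sample)
        print(f"{label}: {len(gaps)} policy(ies) missing logging")
        for (src, dst, name), missing in gaps:
            print(f"  from-zone {src} to-zone {dst} policy {name}: missing {', '.join(missing)}")
```

Pipe the device output into a file and pass its contents to `missing_logging`; an empty list means every policy in that view carries both statements. Because the check keys on the `display set` form rather than the braced form, it works the same on the inherited view and on the explicit configuration, which is what makes it useful for confirming the `apply-groups` approach across many firewalls.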
Original Message:
Sent: 12-21-2021 15:14
From: ANDREW PARRIS
Subject: Adding a then statement to every policy?
I've been tasked with adding a couple of new "then" statements to every single policy, on every firewall, in our network, for logging purposes.
Example:
set security policies from-zone XXXXXXX to-zone YYYYYYY policy ZZZZZZZ then log session-init
set security policies from-zone XXXXXXX to-zone YYYYYYY policy ZZZZZZZ then log session-close
Just one of our firewalls has nearly 2500 policies on it. I don't have time to go through each one and see if those lines already exist. And, I know I can just add those two lines for each policy, and if they already exist, JunOS will ignore them, and if they don't they'll add them. But, still, that's pasting in like nearly 5000 lines, per firewall. I'd like to avoid that.
Is there an easier way to add those two "then" statements to every single policy on the firewall? Greatly appreciated ahead of time!
------------------------------
ANDREW PARRIS
------------------------------