SRX

Hi all,

In the CLI SRX, is it possible we create one global security policy that consists multiple child rule security policy. I means like we create address-set and in the address-set have multiple address-book.

If can then can someone share url how to do it?

Thanks and appreciate any feedback

I don't know if this would do what you're looking for, but you could do something like this:

groups {   trust-to-untrust {      security {         policies {            from-zone <*> to-zone <*> {               policy policy1 {                  // some policy here               }               policy policy2 {                  // another policy here               }            }         }      }   }}

And then, say you have three different ISPs, each in their own zone:

set security policies from-zone trust to-zone untrust-isp-1 apply-groups trust-to-untrustset security policies from-zone trust to-zone untrust-isp-2 apply-groups trust-to-untrustset security policies from-zone trust to-zone untrust-isp-3 apply-groups trust-to-untrust

So if you have to make changes to your internet policies, you can do it all in one place. I don't think this is exactly what you're asking for, but may be it can help. I love using configuration groups.

Hi all,

In the CLI SRX, is it possible we create one global security policy that consists multiple child rule security policy. I means like we create address-set and in the address-set have multiple address-book.

If can then can someone share url how to do it?

Thanks and appreciate any feedback

Hi Nikolay,

Thanks for your feedback. But unfortunately not like that i want. I know we can make group policy using SD. But i just to know whether can possible do on CLI also.

Thanks

I don't know if this would do what you're looking for, but you could do something like this:

groups {   trust-to-untrust {      security {         policies {            from-zone <*> to-zone <*> {               policy policy1 {                  // some policy here               }               policy policy2 {                  // another policy here               }            }         }      }   }}

And then, say you have three different ISPs, each in their own zone:

set security policies from-zone trust to-zone untrust-isp-1 apply-groups trust-to-untrustset security policies from-zone trust to-zone untrust-isp-2 apply-groups trust-to-untrustset security policies from-zone trust to-zone untrust-isp-3 apply-groups trust-to-untrust

So if you have to make changes to your internet policies, you can do it all in one place. I don't think this is exactly what you're asking for, but may be it can help. I love using configuration groups.

Hi all,

In the CLI SRX, is it possible we create one global security policy that consists multiple child rule security policy. I means like we create address-set and in the address-set have multiple address-book.

If can then can someone share url how to do it?

Thanks and appreciate any feedback