'For any additional addresses you may want to add to the group, you run the same command again, but change to the address name of the other addresses, one line at a time.'
command.
Look back at my first reply in this thread for the example.
I will also quickly reiterate the logic of the SRX address-book structure, which should help to solidify the methodology and understanding of the concept:
Original Message:
Sent: 03-22-2024 13:18
From: John Joe
Subject: How to delete global Address Book Name on SRX-345
Bro, you're a genius! Your solution is working! But I have another problem: now I need to add several group names to one zone, i.e.:
set group address "Trust" "G-DEVELOPERs"
set group address "Trust" "G-DEVELOPERs" add "192.168.xx.x/32"
set group address "Trust" "G-HostsCallCenterA"
set group address "Trust" "G-HostsCallCenterA" add "192.168.yy.y/32"
set group address "Trust" "G-HostsCallCenterA" add "192.168.yy.y/32"
set group address "Trust" "G-HostsCallCenterA" add "192.168.yy.y/32"
set group address "Trust" "G-INTERNET-CallCenterA" add "192.168.xx.x/32"
set group address "Trust" "G-INTERNET-CallCenterA" add "192.168.xx.x/32"
set group address "Trust" "G-INTERNET-CallCenterA" add "192.168.xx.x/32"
But when I tried to commit, I received the following messages:
[edit security address-book G-G-HostsCallCenterA attach zone]
'trust'
Security zone must be unique in address books
[edit security address-book G-HostsCallCenterA attach zone]
'trust'
Security zone must be unique in address books
[edit security address-book G-DEVELOPERs attach zone]
'trust'
Security zone must be unique in address books
error: commit failed: (statements constraint check failed)
Could I create a group and add it to one zone? How can I do that?
Sorry, I'm lost on this.
Best regards & thanks,
Jo.
------------------------------
John Joe
Original Message:
Sent: 03-22-2024 05:35
From: ANDREY LEO
Subject: How to delete global Address Book Name on SRX-345
Yeah that does seem broken then haha.
Well, I think you mentioned it earlier, but did you do a full conversion to the address-book style as per here (you'd need to fill in the 'x's):
delete security zones security-zone trust address-book
delete security zones security-zone untrust address-book
delete security zones security-zone DMZ address-book
delete security zones security-zone SITE address-book
delete security zones security-zone CODE address-book
delete security zones security-zone CRID address-book
delete security zones security-zone MEGA address-book
delete security zones security-zone SAB address-book
delete security zones security-zone L3-Client_WiFi address-book
set security address-book trust address 10.xx.xx.xx/24/RED1 10.xx.xx.xx/24 description "10.xx.xx.xx/24/RED1"
set security address-book trust address 192.168.0.0-GUEST 192.168.0.0/24 description 192.168.0.0-GUEST
set security address-book untrust address 000-Traductor-2 dns-name freetranslation.com
set security address-book DMZ address xx.x.x.x/32 xx.x.x.x/32
set security address-book SITE address xx.x.x.x/24-Net-CURr xx.x.x.x/24 description "xx.x.x.x/24 Net CURr"
set security address-book CODE address xx.x.x.x/24-Net-RSL xx.x.x.x/24
set security address-book CODE address xx.x.x.x/32 xx.x.x.x/32
set security address-book CRID address xx.x.x.x/32 xx.x.x.x/32
set security address-book CRID address xx.x.x.x/32 xx.x.x.x/32
set security address-book MEGA address xx.x.x.x/32 xx.x.x.x/32
set security address-book SAB address xx.x.x.x/24 xx.x.x.x/24
set security address-book L3-Client_WiFi address IP-WIFI-192.168.xx.11 xx.x.x.x/32
set security address-book trust attach zone trust
set security address-book untrust attach zone untrust
set security address-book DMZ attach zone DMZ
set security address-book SITE attach zone SITE
set security address-book CODE attach zone CODE
set security address-book CRID attach zone CRID
set security address-book MEGA attach zone MEGA
set security address-book SAB attach zone SAB
set security address-book L3-Client_WiFi attach zone L3-Client_WiFi
If you get a commit check error after that, try committing the deletes first. Now you'd also have to deactivate the policies to pass the commit check:
deactivate security policies
Then configure the new set commands for the addresses and reactivate the policies:
activate security policies
Then I guess there's one last search you could do from the configuration terminal:
show | match global | display set
That just searches the whole config for a global term, including groups (but not in their inheritance stage). However, if you perform the conversion, you should literally have no conflicting addresses. You can have global and zone-attached, but you can't mix zone-specific and the other two.
------------------------------
ANDREY LEO
Original Message:
Sent: 03-21-2024 14:30
From: John Joe
Subject: How to delete global Address Book Name on SRX-345
@ANDREY LEO,
#show security | display set | display inheritance | no-more
set security log mode stream
set security log format syslog
set security log report
set security pki ca-profile-group Local cert-base-count 135
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
set security zones security-zone trust address-book address 10.xx.xx.xx/24/RED1 description "10.xx.xx.xx/24/RED1 "
.
.
.
set security zones security-zone trust address-book address 192.168.0.0-GUEST description 192.168.0.0-GUEST
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone trust interfaces ge-0/0/7.0
set security zones security-zone untrust address-book address 000-Traductor-2 dns-name freetranslation.com
.
.
.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/6.0
set security zones security-zone untrust interfaces ge-0/0/5.0
.
.
.
set security zones security-zone DMZ address-book address xx.x.x.x/32 xx.x.x.x/32
set security zones security-zone DMZ interfaces ge-0/0/3.0
set security zones security-zone VLAN description VLAN
set security zones security-zone SITE description SITE
set security zones security-zone SITE address-book address xx.x.x.x/24-Net-CURr description "xx.x.x.x/24 Net CURr"
.
.
.
set security zones security-zone CODE description CODE-Center
set security zones security-zone CODE address-book address xx.x.x.x/24-Net-RSL xx.x.x.x/24
set security zones security-zone CODE address-book address xx.x.x.x/32 xx.x.x.x/32
.
.
.
set security zones security-zone CRID description CRID
set security zones security-zone CRID address-book address xx.x.x.x/32 xx.x.x.x/32
set security zones security-zone CRID address-book address xx.x.x.x/32 xx.x.x.x/32
.
.
.
set security zones security-zone MEGA description MEGA
set security zones security-zone MEGA address-book address xx.x.x.x/32
set security zones security-zone SAB description SAB
set security zones security-zone SAB address-book address xx.x.x.x/24
set security zones security-zone WAN-INTERNET-M description WAN-INTERNET-M
set security zones security-zone LAN-INTERNET-M description LAN-INTERNET-M
set security zones security-zone ONVACATION description ONVACATION
set security zones security-zone L3-Client_WiFi description L3-Client_WiFi
set security zones security-zone L3-Client_WiFi address-book address IP-WIFI-192.168.xx.11 xx.x.x.x/32
------------------------------
John Joe
Original Message:
Sent: 03-21-2024 11:59
From: ANDREY LEO
Subject: How to delete global Address Book Name on SRX-345
Hmm, interesting.
What do you get when you run:
show security | display set | display inheritance | no-more
You can blank out any sensitive information.
------------------------------
ANDREY LEO
Original Message:
Sent: 03-21-2024 11:49
From: John Joe
Subject: How to delete global Address Book Name on SRX-345
Thank you @ANDREY LEO,
I executed the commands, but I still have the same error:
Zone specific address books are not allowed when there are global address books defined
[edit security zones security-zone untrust]
According to the message, the problem is the global Address Book have all zone, right?
Best regards.
Jo.
------------------------------
John Joe
Original Message:
Sent: 03-21-2024 06:36
From: ANDREY LEO
Subject: How to delete global Address Book Name on SRX-345
You would need to change the syntax, similar to when you tried to delete the global address book.
set security address-book <name> address <address-name> <IP Address / Subnet Mask>
i.e.
set security address-book trust address 192.168.1.0/24-Office_LAN 192.168.1.0/24
You must have your zones already defined, and you will have to attach your address book to your zone - it's useful to keep the naming convention for the address-book and zone the same.
set security address-book trust attach zone trust
If you want to create an address-group, you would run this command:
set security address-book trust address-set All_LANs address 192.168.1.0/24-Office_LAN
For any additional addresses you may want to add to the group, you run the same command again, but change to the address name of the other addresses, one line at a time.
And just as an added bonus, you can reference addresses in security policies with this format:
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.1.0/24-Office_LAN destination-address 8.8.8.8-DNS application junos-dns-udp
set security policies from-zone trust to-zone untrust policy 1 then permit
Hope this helps :)
------------------------------
ANDREY LEO
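As an added example (my own code, not from this thread, from Juniper, or from either poster), the following script turns ScreenOS `set address` / `set group address` lines into the Junos address-book syntax ANDREY LEO describes in this reply and in the conversion list in the 03-22 05:35 reply. It emits exactly one address-book per ScreenOS zone, every ScreenOS group as an `address-set` inside that single book, and one `attach zone` per book; that is the shape the commit check accepts, whereas one address-book per group, each attached to `trust`, is what produces the "Security zone must be unique in address books" error quoted in the 03-22 13:18 post. Assumptions: the sample input is constructed, only `ip mask` addresses are handled (no `dns-name` entries), and the ScreenOS zone `Trust` is mapped to the existing Junos zone `trust` through the `zone_map` argument.

```python
"""Translate ScreenOS address / address-group lines into Junos address-book
set commands.

One address-book per ScreenOS zone, every ScreenOS group becomes an
address-set inside that single book, and the book is attached to its zone
exactly once. Attaching a second book to the same zone is what the SRX
rejects with "Security zone must be unique in address books".
"""
import ipaddress
import re
import shlex
from collections import OrderedDict

# Constructed sample input (not taken from the thread): three addresses and
# two groups, all in the ScreenOS zone "Trust".
SCREENOS_SAMPLE = """\
set address "Trust" "DEV-1" 192.168.10.5 255.255.255.255 "Developer workstation"
set address "Trust" "DEV-2" 192.168.10.6 255.255.255.255
set address "Trust" "CC-A-NET" 192.168.20.0 255.255.255.0
set group address "Trust" "G-DEVELOPERs"
set group address "Trust" "G-DEVELOPERs" add "DEV-1"
set group address "Trust" "G-DEVELOPERs" add "DEV-2"
set group address "Trust" "G-HostsCallCenterA" comment "call center A"
set group address "Trust" "G-HostsCallCenterA" add "CC-A-NET"
"""

_PLAIN = re.compile(r"^[A-Za-z0-9_./:-]+$")


def junos_quote(name):
    """Double-quote a name for the Junos CLI unless it is a plain token."""
    if _PLAIN.match(name):
        return name
    return '"' + name.replace('"', '\\"') + '"'


def _book(zones, zone):
    return zones.setdefault(zone, {"addresses": OrderedDict(), "groups": OrderedDict()})


def parse_screenos(text):
    """Parse 'set address' and 'set group address' lines.

    Returns {zone: {"addresses": {name: prefix}, "groups": {group: [member]}}},
    preserving input order so the generated config is stable and diffable.
    Lines of any other kind are ignored.
    """
    zones = OrderedDict()
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 2 or tok[0] != "set":
            continue
        if tok[1] == "address":
            if len(tok) < 6:
                raise ValueError(f"unsupported address line (need ip + mask): {raw}")
            zone, name, ip, mask = tok[2:6]
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            _book(zones, zone)["addresses"][name] = net.with_prefixlen
        elif tok[1:3] == ["group", "address"] and len(tok) >= 5:
            zone, group = tok[3], tok[4]
            book = _book(zones, zone)
            members = book["groups"].setdefault(group, [])
            if len(tok) >= 7 and tok[5] == "add":
                member = tok[6]
                if member not in book["addresses"]:
                    # ScreenOS itself rejects this, and the Junos commit check
                    # fails on an address-set that names an unknown address.
                    raise ValueError(
                        f"group {group!r} in zone {zone!r} references undefined address {member!r}")
                if member not in members:
                    members.append(member)
    return zones


def to_junos(zones, zone_map=None):
    """Emit Junos set commands for the parsed zones.

    zone_map renames ScreenOS zones to the Junos zone names already on the
    box (e.g. {"Trust": "trust"}); the address-book takes the zone's name.
    """
    zone_map = zone_map or {}
    lines = []
    for zone, book in zones.items():
        jz = junos_quote(zone_map.get(zone, zone))
        prefix = f"set security address-book {jz}"
        for name, net in book["addresses"].items():
            lines.append(f"{prefix} address {junos_quote(name)} {net}")
        for group, members in book["groups"].items():
            # A group with no members emits nothing: an empty set matches nothing.
            for member in members:
                lines.append(f"{prefix} address-set {junos_quote(group)} address {junos_quote(member)}")
        # Exactly one attach per zone, however many groups the zone has.
        lines.append(f"{prefix} attach zone {jz}")
    return lines


def translate(text, zone_map=None):
    return to_junos(parse_screenos(text), zone_map)


if __name__ == "__main__":
    print("\n".join(translate(SCREENOS_SAMPLE, {"Trust": "trust"})))
```

Paste the output into configuration mode only after the old `security zones security-zone <zone> address-book` statements have been deleted (the zone-specific and attached styles cannot coexist), then run `commit check` before `commit`. The resulting address-sets are referenced in policies by name exactly like single addresses, e.g. `match source-address G-DEVELOPERs`.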
Original Message:
Sent: 03-20-2024 15:34
From: John Joe
Subject: How to delete global Address Book Name on SRX-345
Hi everyone,
I'm trying to translate the command set group address on ScreenOS to JunOS. To do this, I executed the command: set security zones security-zone <zone> address-book address <name> <ip>, but I received the error:
Zone specific address books are not allowed when there are global address books defined
[edit security zones security-zone untrust]
And if I try to delete the global address book name by typing the command delete security address-book global, I receive the error: warning: statement not found
What's wrong? How can I do this?
Thanks,
Jo.
------------------------------
John Joe