This is incorrect.
wildcard-address accepts a dotted-decimal mask, not a subnet mask (CIDR or otherwise). 10.10.10.2/24 expands to 10.10.10.2/0.0.0.24. Wildcard masks are used for address matching: https://www.imedita.com/blog/wildcard-masks/
security-zone test {
    address-book {
        address test {
            wildcard-address 10.10.10.2/24;
        }
    }
}
test@test> show security policies from-zone test to-zone test detail
...
    Destination addresses:
        test: 10.10.10.2/0.0.0.24
If you want to configure a subnet as an address book entry, specify the subnet. If you want to configure an IP as an address book entry, specify the IP.
test@test# set security zones security-zone test address-book address test 10.10.1.2
[edit]
test@test# show security zones security-zone test address-book
address test 10.10.1.2/32;
[edit]
test@test# set security zones security-zone test address-book address test 10.10.1.0/24
[edit]
test@test# show security zones security-zone test address-book
address test 10.10.1.0/24;
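To make the difference concrete, here is an added example (not code from the thread or from Juniper) that expands the wildcard notation the way the `show ... detail` output above does and compares what the entry actually matches against the subnet the author intended. It assumes the Junos wildcard convention in which mask bits set to 1 must match the configured address and mask bits set to 0 are ignored.

```python
"""Compare a Junos-style wildcard-address entry with a plain CIDR entry."""
import ipaddress


def expand_wildcard(entry: str) -> str:
    """Render a wildcard-address as the CLI prints it: an integer after '/'
    is taken as a number, not a prefix length, so '/24' becomes 0.0.0.24."""
    addr, _, mask = entry.partition("/")
    if "." not in mask:
        mask = str(ipaddress.IPv4Address(int(mask)))
    return f"{addr}/{mask}"


def wildcard_contains(entry: str, host: str) -> bool:
    """Assumed Junos convention: 1 bits in the mask must match, 0 bits are ignored."""
    addr, mask = expand_wildcard(entry).split("/")
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    h = int(ipaddress.IPv4Address(host))
    return (h & m) == (a & m)


def cidr_contains(entry: str, host: str) -> bool:
    """Ordinary subnet membership, as used by 'address test 10.10.1.0/24'."""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network(entry, strict=False)


def coverage_of_intended_subnet(wildcard: str, subnet: str) -> int:
    """Count the hosts of the intended subnet that the wildcard entry really matches."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    return sum(wildcard_contains(wildcard, str(h)) for h in net)


def total_matched(wildcard: str) -> int:
    """Count how many of the 2**32 IPv4 addresses the wildcard entry matches."""
    _, mask = expand_wildcard(wildcard).split("/")
    m = int(ipaddress.IPv4Address(mask))
    return 2 ** (32 - bin(m).count("1"))


if __name__ == "__main__":
    entry = "10.10.10.2/24"  # the entry discussed in the thread, intended as a /24
    print(expand_wildcard(entry))
    print(coverage_of_intended_subnet(entry, "10.10.10.0/24"), "of 256 intended hosts matched")
    print(total_matched(entry), "IPv4 addresses matched in total")
    print("192.168.1.1 matched:", wildcard_contains(entry, "192.168.1.1"))
```

The mask 0.0.0.24 pins only two bits of the last octet, so the entry misses most of the intended /24 while matching a quarter of the whole IPv4 space, which is why a policy built on it is both too narrow and far too broad at once.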
@sharatainapur wrote:
Hi Networker13,
Greetings,
As per my understanding, the configuration line can either have just the IP address, which would set it to a /32 network, or you can make it a /24 by using it along with the wildcard-address knob as below:
{primary:node1}[edit]
root@lab# show | compare
[edit]
+   security {
+       zones {
+           security-zone trust {
+               address-book {
+                   address web-server 10.10.10.3/24; >>> Error as it expects only IP address.
+                   address test 10.10.10.2/32; >>> Works fine as this is just configured as 10.10.10.2
+                   address test1 {
+                       wildcard-address 10.10.10.4/24; >>> If you want to specify the subnet as well use the knob wildcard-address and this would work.
+                   }
+               }
+           }
+       }
+   }
{primary:node1}[edit]
root@lab# commit check
[edit security zones security-zone trust address-book]
'address web-server'
Invalid address entry
error: configuration check-out failed
Hope this helps.
Please mark "Accept as solution" if this answers your query.
Kudos are appreciated too!
Regards,
Sharat Ainapur
#address-book #SRX #wildcard-address