SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Using apply-groups to put cleanup rule in each zone. Possible?

    Posted 08-03-2011 08:36

    Hi,

    would it be possible to use apply-groups and wildcards to put a cleanup firewall rule into each possible zone context?

    How?

    Thanks

    Sascha



  • 2.  RE: Using apply-groups to put cleanup rule in each zone. Possible?
    Best Answer

    Posted 08-03-2011 09:10

    Hi,

    I know it's too late to reply to your query, but since I saw a KB article relevant to your query, I thought of informing you. It's http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=search&viewlocale=en_US&searchid=1312386206729&smlogin=true#

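    The approach the KB describes, written out as an added example (not the KB's text nor any poster's configuration; the group and policy names are assumed): a configuration group whose `<*>` wildcards match every from-zone/to-zone pair already present in the candidate configuration, so each pair inherits a logged deny that lands after that pair's explicit policies and acts as its last rule.

```junos
/* Added example: configuration group with zone wildcards (names are assumed) */
groups {
    cleanup-deny-log {
        security {
            policies {
                /* <*> matches only from-zone/to-zone contexts that already exist */
                from-zone <*> to-zone <*> {
                    policy cleanup-deny {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            /* a denied flow has no close event, so log at session-init */
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
/* apply the group at the top level so every matching zone pair inherits it */
apply-groups cleanup-deny-log;
```

    `show configuration security policies | display inheritance` shows the expanded per-zone-pair result, which is what the device enforces but what an external manager only sees after re-importing the device. Zone pairs with no explicit context are not matched and still fall to the global default deny, which is not logged.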


  • 3.  RE: Using apply-groups to put cleanup rule in each zone. Possible?

    Posted 08-03-2011 12:31

    It's never too late 🙂

    This was exactly what I was looking for. So thank you!



  • 4.  RE: Using apply-groups to put cleanup rule in each zone. Possible?

    Posted 08-03-2011 17:13

    I also covered this and some additional related topics in my blog:

    Juniper SRX Tips :: Uniform Security Policy Modification

    Juniper SRX Tips :: Altering Default-Deny Behavior

    HTHs.



  • 5.  RE: Using apply-groups to put cleanup rule in each zone. Possible?

    Posted 08-06-2011 02:33

    One more question about this though: Will this work if you are using NSM to manage your SRX?



  • 6.  RE: Using apply-groups to put cleanup rule in each zone. Possible?

    Posted 10-07-2011 12:11

    To answer my own question I asked back in August:

    This does not work very well with NSM. If you never import the rulebase back into NSM, then NSM won't see those rules added by the apply-groups. This will give you very odd effects when viewing traffic logs on NSM.

    You will see zones getting mixed up in the logs. For example, if you have traffic from untrust to trust, that traffic will show up as being from trust to untrust (opposite direction). We've also seen log entries from untrust to untrust even though it was untrust to trust.

    For some reason, NSM does not seem to use the zone information provided in the log files, but instead (seems to) look them up using rule ID numbers. Since your rule numbers don't match those on the device (NSM not knowing about the rules added by apply-groups), it will see the wrong info. That's the only explanation I have.

    As soon as I had imported the device and used the imported rule base (which then contained the rules added through apply-groups), everything looked fine.

    To make a long story short: watch out if you are using NSM.