SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  address-book question

     
    Posted 12-01-2011 06:04

    When you attach an address-book to a zone, does that mean addresses in that address-book will be completely unreachable if the SRX sees them sourced from another zone?  For instance, I have a set of addresses that are portable on my network, for purposes of email server redundancy.  Should my email server go down, they are (manually) ported to another part of the network and configured on a warm-standby mail server there.

     

    As it is now, I've configured these addresses in an address-book that is attached to my internal mail zone.  Do I need to delete them from that address-book and put them in the 'global' address-book?



  • 2.  RE: address-book question

     
    Posted 12-01-2011 06:36

    Hello, you should be able to configure an address-set referencing the mail servers also under the "secondary" zone; then you just have to write a security policy to allow the traffic to the secondary zone server. So you will have the same addresses set under both the zones.

    Unfortunately I can't try it now, but you can configure it and try a commit check to make sure that this is possible.

     

     



  • 3.  RE: address-book question

     
    Posted 12-02-2011 05:49

    Thanks!  I'll try it and post the results.



  • 4.  RE: address-book question

    Posted 12-02-2011 07:51

    @evt wrote:

    When you attach an address-book to a zone, does that mean addresses in that address-book will be completely unreachable if the SRX sees them sourced from another zone?  For instance, I have a set of addresses that are portable on my network, for purposes of email server redundancy.  Should my email server go down, they are (manually) ported to another part of the network and configured on a warm-standby mail server there.

     

    As it is now, I've configured these addresses in an address-book that is attached to my internal mail zone.  Do I need to delete them from that address-book and put them in the 'global' address-book?


    What version of Junos are you running? I think it was 11.2 (or 11.1) that introduced a new "architecture" for address-books. In previous versions you had a separate address-book for each zone (like in ScreenOS), which in your case means you would have to create address-book entries for your standby mail servers in each zone that they operate in.

     

    The new version now allows you to separate the address-books from the zones, so you can basically have a "global" address-book that's valid for all zones. Here you would only need to create your mail servers once and you could use them in all zones.

     

    The release notes of 11.2 or 11.1 (whichever version introduced this, sorry but I don't remember) have a pretty detailed explanation.

     

    While we are at it, said version also introduced a global zone (those familiar with ScreenOS will like this).



  • 5.  RE: address-book question

     
    Posted 12-02-2011 07:57

    I'm on 11.2R4 and I do have the global address zone.  My config looked like this before the change suggested above:

     

    ab-mail {
        address net-mx-1-portable-ss 192.168.212.0/23;
        address net-mx-2-portable-ss 192.168.224.0/23;
        address net-mx1 192.168.192.16/29;
        address-set net-mx {
            address net-mx-1-portable-ss;
            address net-mx-2-portable-ss;
        }
        attach {
            zone tr-mail;
        }
    }

     

    My question is primarily about the function of addresses and how they may be bound to zones.  If the address is bound to my zone tr-mail, will the SRX automatically block that address if it sees it come from the untrust zone, regardless of the policy definition of 'any-ipv4'?  Per the suggestion above, I did add the two 'portable' addresses to the global zone, but have not had a chance to test out the passing of traffic from those addresses to the 'tr-mail' zone from 'untrust'.



  • 6.  RE: address-book question
    Best Answer

    Posted 12-02-2011 08:07

    @evt wrote:

     

    My question is primarily about the function of addresses and how they may be bound to zones.  If the address is bound to my zone tr-mail, will the SRX automatically block that address if it sees it come from the untrust zone, regardless of the policy definition of 'any-ipv4'?  Per the suggestion above, I did add the two 'portable' addresses to the global zone, but have not had a chance to test out the passing of traffic from those addresses to the 'tr-mail' zone from 'untrust'.


    Binding address(-books) to zones doesn't do anything on its own. You have to make use of the addresses in your security policies. That being said, unless you have a rule that permits traffic for one of the address-book entries (regardless of zone) it will be blocked.

     

    If you use "any-ipv4" then it will of course be allowed. "Any" on Juniper really means "any".

     

    I am not entirely sure though what happens if you have a screen attached to a zone that does IP-Antispoofing. Someone else will have to chime in here. I remember in ScreenOS you could specify that antispoofing checks use not only routing and interface information to make a decision, it was also possible to use address books. Not sure if this is the same in Junos. If you don't apply antispoofing, you don't need to worry though.
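    Set-style Junos configuration illustrating the two arrangements discussed in posts 2, 4 and 6, added here as an example and not taken from the thread: a zone-attached address-book per zone the mail servers can live in versus a single global address-book, followed by the policies that actually decide whether traffic passes. The prefixes and the ab-mail / net-mx names come from the configuration posted above; the zone name tr-standby, the policy names and the screen name untrust-screen are assumptions.

```junos
## Added example, not from the thread. Prefixes and the ab-mail / net-mx names are
## taken from the post above; zone tr-standby, the policy names and the screen
## name are assumed.

## --- Option A: one zone-attached book per zone (post 2's suggestion) ---
## The same prefixes are defined twice, once in each book.
set security address-book ab-mail address net-mx-1-portable-ss 192.168.212.0/23
set security address-book ab-mail address net-mx-2-portable-ss 192.168.224.0/23
set security address-book ab-mail address net-mx1 192.168.192.16/29
set security address-book ab-mail address-set net-mx address net-mx-1-portable-ss
set security address-book ab-mail address-set net-mx address net-mx-2-portable-ss
set security address-book ab-mail attach zone tr-mail

set security address-book ab-standby address net-mx-1-portable-ss 192.168.212.0/23
set security address-book ab-standby address net-mx-2-portable-ss 192.168.224.0/23
set security address-book ab-standby address-set net-mx address net-mx-1-portable-ss
set security address-book ab-standby address-set net-mx address net-mx-2-portable-ss
set security address-book ab-standby attach zone tr-standby

## --- Option B: define the portable prefixes once in the global book (post 4) ---
## Use instead of the two books above. The global book needs no "attach" and its
## entries can be referenced in a policy for any zone pair.
set security address-book global address net-mx-1-portable-ss 192.168.212.0/23
set security address-book global address net-mx-2-portable-ss 192.168.224.0/23
set security address-book global address-set net-mx address net-mx-1-portable-ss
set security address-book global address-set net-mx address net-mx-2-portable-ss

## --- Policies: this is what permits or denies (post 6) ---
## The book an address is listed in does not block anything by itself. A policy
## with "source-address any" matches packets whatever book the source is in, and
## anything with no matching permit policy falls to the default deny.
set security policies from-zone untrust to-zone tr-mail policy smtp-in-primary match source-address any
set security policies from-zone untrust to-zone tr-mail policy smtp-in-primary match destination-address net-mx
set security policies from-zone untrust to-zone tr-mail policy smtp-in-primary match application junos-smtp
set security policies from-zone untrust to-zone tr-mail policy smtp-in-primary then permit
set security policies from-zone untrust to-zone tr-mail policy smtp-in-primary then log session-close

## Same rule for the standby zone, so mail still flows after the prefixes move.
set security policies from-zone untrust to-zone tr-standby policy smtp-in-standby match source-address any
set security policies from-zone untrust to-zone tr-standby policy smtp-in-standby match destination-address net-mx
set security policies from-zone untrust to-zone tr-standby policy smtp-in-standby match application junos-smtp
set security policies from-zone untrust to-zone tr-standby policy smtp-in-standby then permit
set security policies from-zone untrust to-zone tr-standby policy smtp-in-standby then log session-close

## Anti-spoofing lives in a screen, not in the address-book. To my knowledge the
## Junos ip-spoofing check is route-based (does the route to the source point
## back out the ingress interface?) and does not consult address books, so a
## moved prefix is only dropped while routing still points at the old zone.
set security screen ids-option untrust-screen ip spoofing
set security zones security-zone untrust screen untrust-screen
```

    Apply either Option A or Option B, not both; the policies are the same in both cases because they reference the address-set by name. Whether a zone-attached book and global entries can be mixed for the same zone (the situation described in post 5) is not something I have verified, so run commit check before committing, as post 2 suggests.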

     



  • 7.  RE: address-book question

     
    Posted 12-02-2011 08:10

    @cryptochrome wrote:

    Binding address(-books) to zones doesn't do anything on its own. You have to make use of the addresses in your security policies. That being said, unless you have a rule that permits traffic for one of the address-book entries (regardless of zone) it will be blocked.

     


    Okay.  With that in mind, what is the point of binding address books to zones, then?  Is it for when you enable anti-spoofing?  Or is it more for organization?



  • 8.  RE: address-book question

    Posted 12-02-2011 08:16

    @evt wrote:

    @cryptochrome wrote:

    Binding address(-books) to zones doesn't do anything on its own. You have to make use of the addresses in your security policies. That being said, unless you have a rule that permits traffic for one of the address-book entries (regardless of zone) it will be blocked.

     


    Okay.  With that in mind, what is the point of binding address books to zones, then?  Is it for when you enable anti-spoofing?  Or is it more for organization?


    The point is that zone-based address books were the only available option until just recently. Not sure where Juniper is going with this. Maybe they will eventually remove zone-based address-books and only keep them in there for legacy reasons for now, or maybe they will keep both options just to have a choice.

     

    Before, all Juniper firewall products (NetScreen, SSG, ScreenOS) were zone-based and had zone-based address books from the very beginning. They pulled this concept over to the SRX and, as it seems, they have changed their mind 🙂