SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  can't deactivate policy on SRX5600

    Posted 07-11-2011 13:16

    Hello Dears,

     

    I'm working on an SRX5600. I have configured many zones and security policies, and I want to deactivate some of these policies.

     

    Some of these policies were deactivated successfully, but others I couldn't deactivate. When I try to deactivate them, I get the following error message:

     

    error
    from from-zone trust to-zone untrust

    1. Missing mandatory statement: 'policy'
    2. commit failed: (missing statements)

     

    Any ideas, please?

     

    Thanks,

    Ibrahim


    #deactivatepolicy
    #basics


  • 2.  RE: can't deactivate policy on SRX5600

    Posted 07-11-2011 14:37

    Hi Ibrahim,

     

    It looks like you have deactivated everything under the hierarchy "from from-zone trust to-zone untrust". So when you try to issue a commit, the SRX throws an error saying that you have configured the hierarchy "from from-zone trust to-zone untrust" and no policy exists. You need to deactivate the complete hierarchy to issue the commit successfully.

     

    Cheers,

    Visitor



  • 3.  RE: can't deactivate policy on SRX5600

    Posted 07-11-2011 22:55

    Hi Visitor,

     

    Thanks for your reply,

     

    Do I have to create another policy and deactivate the old one? I ask because I tried to deactivate it from inside the hierarchy.

     

    edit security zone security-zone from-zone trust to-zone untrust

    deactivate.

     

    But I got the same result.

     

    Thanks,

    Ibrahim



  • 4.  RE: can't deactivate policy on SRX5600

     
    Posted 07-11-2011 23:54

    It would help if you typed what steps you've made, or show the deactivated stanza.
    edit security zone security-zone from-zone trust to-zone untrust is not a valid command, looks like a hybrid zone/policy 🙂
    Like Visitor mentioned, if you want to deactivate a policy, it depends on whether you have any more policies or not in a specific from/to statement.

     

    If you don't have any more policies under a statement: deactivate security policies from-zone x to-zone y

    If you have more policies under a statement: deactivate security policies from-zone x to-zone y policy z.



  • 5.  RE: can't deactivate policy on SRX5600

    Posted 07-12-2011 03:14

    Hi AdamLin,

     

    Thanks for your input.

     

    I'm sorry, I put the configuration of the zone. Anyway, when I created another policy in the same zone, I was able to deactivate the first one.

     

    I have the following policy:

    set security policies from-zone trust to-zone untrust policy data match source-address w.x.y.z

    set security policies from-zone trust to-zone untrust policy data match destination-address w.x.y.z
    set security policies from-zone trust to-zone untrust policy data match application any
    set security policies from-zone trust to-zone untrust policy data then permit


    deactivate security policies from-zone trust to-zone untrust policy data

     

    I couldn't deactivate it until I created another one.

     

    Regards,

    Ibrahim



  • 6.  RE: can't deactivate policy on SRX5600
    Best Answer

     
    Posted 07-12-2011 03:22

    Yes, that's expected, you could also have run:
    deactivate security policies from-zone trust to-zone untrust
    if you didn't want to make a dummy policy.
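
The rule described in this thread can be checked offline before a commit. The following is an added example, not part of the original posts and not Juniper code: the function name `pairs_failing_commit` and the sample lines are constructed, and it models only `set` and `deactivate` lines under `security policies`, assuming the behaviour the replies describe (an active from-zone/to-zone container must keep at least one active policy).

```python
import re
from collections import defaultdict

PAIR = r"security policies from-zone (\S+) to-zone (\S+)"
SET_RE = re.compile(rf"^set {PAIR} policy (\S+)(?:\s|$)")
DEACT_RE = re.compile(rf"^deactivate {PAIR}(?: policy (\S+))?\s*$")

def pairs_failing_commit(lines):
    """Return zone pairs whose container is active but has no active policy.

    Hypothetical helper: per the thread, such a pair makes the commit fail
    with "Missing mandatory statement: 'policy'".
    """
    policies = defaultdict(set)         # (from, to) -> policy names defined
    inactive_policy = defaultdict(set)  # (from, to) -> deactivated policy names
    inactive_pair = set()               # containers deactivated as a whole
    for raw in lines:
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            policies[(m[1], m[2])].add(m[3])
            continue
        m = DEACT_RE.match(line)
        if m:
            pair = (m[1], m[2])
            if m[3]:
                inactive_policy[pair].add(m[3])
            else:
                inactive_pair.add(pair)
    return sorted(pair for pair, names in policies.items()
                  if pair not in inactive_pair
                  and names <= inactive_policy[pair])

# Constructed sample modelled on the single-policy case from the thread.
SAMPLE = [
    "set security policies from-zone trust to-zone untrust policy data match source-address any",
    "set security policies from-zone trust to-zone untrust policy data match destination-address any",
    "set security policies from-zone trust to-zone untrust policy data match application any",
    "set security policies from-zone trust to-zone untrust policy data then permit",
    "deactivate security policies from-zone trust to-zone untrust policy data",
]

if __name__ == "__main__":
    for src, dst in pairs_failing_commit(SAMPLE):
        print(f"from-zone {src} to-zone {dst}: no active policy left; "
              f"deactivate the whole from-zone/to-zone statement instead")
```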