Automation

SRX: How to convert zone-based address-books to a global one

Posted 11-30-2015 06:20 AM, edited 09-19-2017 09:13 AM by Administrator

Zone-based vs Global

On an SRX running an older Junos release, address objects live in zone-based address-books. With a zone-based address-book, the address objects referenced by security policies are defined per zone: every zone carries its own address-book, so a host or prefix that is used in policies of several zones ends up duplicated under each of those zones.

Newer Junos releases support a global address-book. The global address-book reduces configuration complexity by keeping every address object in one place: an object that is referenced from policies in several zones is defined once, rather than once under each zone in your configuration.

How do I convert?

Use the "zone2global" script: https://github.com/scottdware/zone2global

Running zone2global against one or more SRXs converts all of the individual zone-based address-books into a single global one. By default the converted configuration is written to a text file; alternatively, you can have the script commit the converted address-book to the device immediately instead of saving it.

The script ships binaries for all major operating systems: Windows, Mac OS X, and Linux. You can also call the conversion function from your own Go programs through the API of the parent go-junos package.
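To make concrete what a conversion has to do, and the one case it cannot decide for you, here is an added example. It is my own code, not the zone2global script or the go-junos API: it parses zone-level address-book lines in "set" form, emits the equivalent global address-book plus the deletes for the zone-level books, and refuses to merge any name that does not mean the same thing in every zone. The configuration lines are constructed for the example, and the type and function names are mine.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one item from a zone-level address-book. Kind is "address" (Value is the
// prefix, or e.g. "dns-name host") or "address-set" (Value is one member address name).
type Entry struct{ Zone, Kind, Name, Value string }
// Conflict is a name that would not mean the same thing in every zone once merged.
type Conflict struct{ Kind, Name, Detail string }

// sampleConfig is constructed for this example, not taken from a real device.
var sampleConfig = []string{
	"set security zones security-zone trust address-book address web-srv 10.1.1.10/32",
	"set security zones security-zone trust address-book address db-srv 10.1.1.20/32",
	"set security zones security-zone trust address-book address-set servers address web-srv",
	"set security zones security-zone trust address-book address-set servers address db-srv",
	"set security zones security-zone untrust address-book address web-srv 10.1.1.10/32",
	"set security zones security-zone dmz address-book address db-srv 172.16.0.20/32",
	"set security zones security-zone dmz address-book address-set servers address db-srv",
}

// ParseZoneAddressBook pulls zone-level address-book entries out of "set"-style lines
// and ignores everything else. Only plain addresses and address-set members of kind
// "address" are handled (an assumption that keeps the example short).
func ParseZoneAddressBook(lines []string) []Entry {
	var out []Entry
	for _, raw := range lines {
		f := strings.Fields(raw)
		if len(f) < 9 || strings.Join(f[:4], " ") != "set security zones security-zone" || f[5] != "address-book" {
			continue
		}
		switch f[6] {
		case "address": // ... address-book address <name> <value...>
			out = append(out, Entry{f[4], "address", f[7], strings.Join(f[8:], " ")})
		case "address-set": // ... address-book address-set <set> address <member>
			if len(f) >= 10 && f[8] == "address" {
				out = append(out, Entry{f[4], "address-set", f[7], f[9]})
			}
		}
	}
	return out
}

// Convert returns the "set"/"delete" commands that replace every zone-level book with
// one global book, plus the conflicts that must be resolved (renamed) before a commit.
func Convert(entries []Entry) (cmds []string, conflicts []Conflict) {
	es := append([]Entry(nil), entries...)
	key := func(e Entry) string { return e.Kind + "\x00" + e.Name + "\x00" + e.Zone + "\x00" + e.Value }
	sort.Slice(es, func(i, j int) bool { return key(es[i]) < key(es[j]) })
	seen := map[string]bool{}
	for i := 0; i < len(es); {
		// One group per (kind, name); inside it entries are ordered by zone, then value.
		first, defs, zones := es[i], map[string][]string{}, []string{}
		for ; i < len(es) && es[i].Kind == first.Kind && es[i].Name == first.Name; i++ {
			e := es[i]
			if _, ok := defs[e.Zone]; !ok {
				zones = append(zones, e.Zone)
			}
			defs[e.Zone] = append(defs[e.Zone], e.Value)
			seen[e.Zone] = true
		}
		// A global book has one namespace, so every zone must define the name identically.
		parts, same := []string{}, true
		for _, z := range zones {
			d := strings.Join(defs[z], " ")
			same = same && d == strings.Join(defs[zones[0]], " ")
			parts = append(parts, z+": "+d)
		}
		switch {
		case !same:
			conflicts = append(conflicts, Conflict{first.Kind, first.Name, strings.Join(parts, "; ")})
		case first.Kind == "address":
			cmds = append(cmds, "set security address-book global address "+first.Name+" "+first.Value)
		default:
			for _, m := range defs[zones[0]] {
				cmds = append(cmds, "set security address-book global address-set "+first.Name+" address "+m)
			}
		}
	}
	var zs []string
	for z := range seen {
		zs = append(zs, z)
	}
	sort.Strings(zs)
	for _, z := range zs { // zone-level and global books cannot coexist, so remove the old ones
		cmds = append(cmds, "delete security zones security-zone "+z+" address-book")
	}
	return cmds, conflicts
}

func main() {
	cmds, conflicts := Convert(ParseZoneAddressBook(sampleConfig))
	for _, c := range conflicts {
		fmt.Printf("CONFLICT %s %q: %s\n", c.Kind, c.Name, c.Detail)
	}
	fmt.Println(strings.Join(cmds, "\n"))
}
```

The delete commands are not optional: Junos does not accept zone-level address-books and a global address-book in the same configuration, so the commit fails until the zone-level entries are gone. The conflict check is the part worth keeping whatever tool you use. With zone-based books, "db-srv" can legitimately be 10.1.1.20/32 in trust and 172.16.0.20/32 in dmz, and an address-set called "servers" can have different members in each zone. A global book has a single namespace, so a blind merge either drops one of the definitions or turns the set into the union, and in both cases the policies that reference the name start matching different traffic without a single policy line having been edited. Rename the colliding objects first, then convert.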


** Note: You MUST be running Junos 11.2 or later in order to use global address-books.

Download the binaries: https://github.com/scottdware/zone2global/releases
go-junos API: https://github.com/scottdware/go-junos


More detailed examples can be found on my blog post here: http://sdubs.org/srx-how-to-convert-zone-based-address-books-to-a-global-one/