
address-book & address-set equivalent in MX for firewall filters

‎02-01-2018 04:59 AM

Hello community,

Might be a naive question but, how can we make named groups containing prefixes and other named groups in junos under MX?

The closest example is what we have in SRX as address-book & address-set.

For example:

address-book Syslog+
+-> address-set internal prefix1
|
+-> address-set internal prefix2
|
+-> address prefix3
|
+> ....

I know we can use prefix-lists but can't find a way of defining a super-set containing several prefix lists under one unique name.

Thanks in advance,

Jaime


Re: address-book

‎02-01-2018 05:05 AM
Hi,

You mean this?

[edit]
root@PE2_re# set policy-options prefix-list test 10.0.0.0/24

[edit]
root@PE2_re# set policy-options prefix-list test 10.0.1.0/24

[edit]
root@PE2_re# set policy-options prefix-list test 10.0.2.0/24

[edit]
root@PE2_re# set policy-options prefix-list test 10.0.3.0/24

[edit]
root@PE2_re# show policy-options prefix-list test
10.0.0.0/24;
10.0.1.0/24;
10.0.2.0/24;
10.0.3.0/24;

[edit]
root@PE2_re#

Re: address-book

‎02-01-2018 05:41 AM

Hi,

That is what I'm doing so far. But what I want is to use nested groups of prefixes like we have in the SRX.

Example

SYSLOG-SOURCES
       |-> SYSLOG-NYC (inside this group, 3 prefixes are defined)
       |-> SYSLOG-LAX (inside this group, we declare 5 prefixes)

So we can have something like this:

set firewall family inet filter TERM1 term IN-Allow-SYSLOG from destination-address 148.64.56.88/32
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from source-prefix-list SYSLOG-SOURCES
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from protocol udp
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from destination-port 514
set firewall family inet filter TERM1 term IN-Allow-SYSLOG then accept


Re: address-book

‎02-01-2018 06:15 AM
No, I don’t think you can do this in MX

Re: address-book

‎02-02-2018 09:47 AM

You could reference more than one prefix list to accomplish the same thing:

set firewall family inet filter TERM1 term IN-Allow-SYSLOG from destination-address 148.64.56.88/32
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from source-prefix-list SYSLOG-NYC
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from source-prefix-list SYSLOG-LAX
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from protocol udp
set firewall family inet filter TERM1 term IN-Allow-SYSLOG from destination-port 514
set firewall family inet filter TERM1 term IN-Allow-SYSLOG then accept

firewall {
    family inet {
        filter TERM1 {
            term IN-Allow-SYSLOG {
                from {
                    destination-address {
                        148.64.56.88/32;
                    }
                    source-prefix-list {
                        SYSLOG-NYC;
                        SYSLOG-LAX;
                    }
                    protocol udp;
                    destination-port 514;
                }
                then accept;
            }
        }
    }
}
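As an added illustration of the workaround in the last reply (this is not code from the thread or from Juniper), the following Python helper flattens an SRX-style nested address-set definition into Junos set commands: one prefix-list per leaf group and one source-prefix-list reference per leaf in the term, which Junos evaluates as "match any". The group names, the documentation-range prefixes and the cycle/undefined-name checks are constructed assumptions.

```python
import ipaddress

# Constructed hierarchy mirroring the thread: SYSLOG-SOURCES nests SYSLOG-NYC
# and SYSLOG-LAX and also carries one direct prefix (documentation ranges).
GROUPS = {
    "SYSLOG-SOURCES": ["SYSLOG-NYC", "SYSLOG-LAX", "192.0.2.200/32"],
    "SYSLOG-NYC": ["192.0.2.0/28", "192.0.2.16/28", "192.0.2.32/28"],
    "SYSLOG-LAX": ["198.51.100.0/27", "198.51.100.32/27", "198.51.100.64/27",
                   "198.51.100.96/27", "198.51.100.128/27"],
}

def is_prefix(member):
    """True if the member parses as a well-formed network, else it is a group name."""
    try:
        ipaddress.ip_network(member, strict=True)
        return True
    except ValueError:
        return False

def resolve(name, groups, _path=()):
    """Flatten a nested group into {prefix-list name: [prefixes]}.
    Direct prefixes of a group land in a list named after that group;
    nested groups are resolved recursively. Reference cycles and
    undefined group names raise ValueError instead of looping or
    silently matching nothing."""
    if name in _path:
        raise ValueError("cycle: " + " -> ".join(_path + (name,)))
    if name not in groups:
        raise ValueError("undefined group: " + name)
    lists, direct = {}, []
    for member in groups[name]:
        if is_prefix(member):
            direct.append(member)
        else:
            lists.update(resolve(member, groups, _path + (name,)))
    if direct:
        lists[name] = direct
    return lists

def set_commands(group, groups, flt="TERM1", term="IN-Allow-SYSLOG"):
    """Emit Junos 'set' lines: the prefix-lists themselves, then one
    source-prefix-list reference per leaf list in the filter term."""
    lists = resolve(group, groups)
    out = [f"set policy-options prefix-list {lname} {p}"
           for lname, prefixes in lists.items() for p in prefixes]
    base = f"set firewall family inet filter {flt} term {term} from"
    out += [f"{base} source-prefix-list {lname}" for lname in lists]
    return out

if __name__ == "__main__":
    print("\n".join(set_commands("SYSLOG-SOURCES", GROUPS)))
```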