SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unable to save config

    Posted 11-28-2019 16:40

    Hi all, I am not sure what I am doing wrong:

     

    The requirement is to allow port 8084 in an existing policy which looks like below: 

    I added the commands below from config mode, but each time I try to commit the config I see the error messages below:

     

    Error messages:

    JUNFW-01# commit
    [edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
    'match'
    Missing mandatory statement: 'source-address'
    [edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
    'match'
    Missing mandatory statement: 'destination-address'
    [edit security policies from-zone untrust to-zone dmz]
    'policy MONITORWEB'
    Missing mandatory statement: 'then'
    error: commit failed: (missing statements)

     

    Newly added commands

    --------------------------------

    set security policies from-zone untrust to-zone DMZ policy MONITORWEB match source-address any
    set security policies from-zone untrust to-zone DMZ policy MONITORWEB match destination-address monitorweb

    set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084
    set security policies from-zone untrust to-zone DMZ policy MONITORWEB then permit

     

    Existing config:

    -----------------------

    from-zone untrust to-zone DMZ {
        policy MONITORWEB {
            match {
                source-address any;
                destination-address monitorweb;
                application [ junos-http junos-https ];
            }
            then {
                permit;
            }
        }
    }


  • 2.  RE: Unable to save config
    Best Answer

    Posted 11-28-2019 17:07

    Hi,

     

    For checking the pending changes try:

     

    # show | compare

     

    Try also the following commands and then try to configure the sec-policy again.

     

    # rollback 0
    # commit full
    # set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084
    # commit full

     

    If the commit full doesn't work, try:

     

    commit synchronize force

     

    The last time I experienced a similar problem (on an EX switch running an old Junos version), I rebooted the device and after that the problem went away.

     

    Hope this helps you.

     



  • 3.  RE: Unable to save config

    Posted 11-28-2019 19:05

    Hi, thanks for replying.

     

    Yes, the rollback 0 solved the issue. I had a query regarding adding a single port or application like tcp-8084 to an existing policy. Will the single statement below add tcp-8084 while not overwriting allowed apps like junos-smtp and junos-https? The reason I ask is that when I tried the single statement below, it asked me to provide a source address, a destination address, and then whether to permit or deny before it would commit.

    set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084

     



  • 4.  RE: Unable to save config

     
    Posted 11-28-2019 19:44

    Hello,

     

    > Adding a single port TCP-8084 to an existing policy will only append to the existing list of match applications

    > Existing applications in the policy will be unaffected. The additional application will be added as an OR condition

    > Yes, as Nellika mentioned the error could be due to a typo in the zone name

     

    Regards,

     

    Vikas



  • 5.  RE: Unable to save config

    Posted 11-28-2019 19:22

    There is a typo in the zone name in the policy: "dmz" vs "DMZ". Please use the correct zone name; zone names are case sensitive.
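    The two points made in replies 4 and 5 (a `set ... match application` on an existing policy appends to the application list, and a zone name that differs only in case creates a separate, empty policy that then fails commit with "Missing mandatory statement" errors) can be checked offline before touching the box. The script below is an added example, not part of the original thread and not Juniper code: it simulates Junos `set` semantics for a small in-memory policy table. The defined zone list, the sample existing config and the list of statements it treats as mandatory are this example's own assumptions; the zone-existence check with a case-insensitive hint is also this script's addition (the commit output quoted in the thread only shows the missing-statement errors).

```python
"""Offline simulator for Junos-style `set security policies ...` commands.

Added example (not from the original thread and not Juniper code). It models:
  1. `set ... match application X` on an existing policy appends X to the
     application list instead of replacing it, and
  2. a zone name differing only in case ("dmz" vs "DMZ") lands in a new,
     empty policy under a different from-zone/to-zone pair, which fails
     validation with "Missing mandatory statement" errors.
"""
import re
from collections import defaultdict

# Constructed sample: zones this example assumes are defined on the device.
DEFINED_ZONES = {"untrust", "DMZ", "trust"}

# Constructed sample of the existing MONITORWEB policy, as set commands.
EXISTING_CONFIG = [
    "set security policies from-zone untrust to-zone DMZ policy MONITORWEB match source-address any",
    "set security policies from-zone untrust to-zone DMZ policy MONITORWEB match destination-address monitorweb",
    "set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application junos-http",
    "set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application junos-https",
    "set security policies from-zone untrust to-zone DMZ policy MONITORWEB then permit",
]

POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$"
)
# Assumed set of mandatory match statements for this check (plus 'then').
MANDATORY = ("source-address", "destination-address", "application")


def new_policy():
    return {"match": defaultdict(list), "then": None}


def apply_set(policies, command):
    """Apply one set command to the in-memory policy table.

    Match statements are list-valued, so repeated `set` calls append
    (duplicates are ignored); `then` is single-valued and is overwritten.
    """
    m = POLICY_RE.match(command.strip())
    if not m:
        raise ValueError(f"unsupported command: {command}")
    key = (m["from"], m["to"], m["name"])
    pol = policies.setdefault(key, new_policy())
    rest = m["rest"].split()
    if rest[0] == "match" and len(rest) == 3:
        stmt, value = rest[1], rest[2]
        if value not in pol["match"][stmt]:
            pol["match"][stmt].append(value)
    elif rest[0] == "then" and len(rest) == 2:
        pol["then"] = rest[1]
    else:
        raise ValueError(f"unsupported statement: {command}")
    return policies


def validate(policies, zones):
    """Return commit-style error strings, or an empty list if the table is clean."""
    errors = []
    by_lower = {z.lower(): z for z in zones}
    for (src, dst, name), pol in policies.items():
        path = f"[edit security policies from-zone {src} to-zone {dst} policy {name}]"
        for z in (src, dst):
            if z not in zones:  # exact, case-sensitive comparison
                hint = f" (did you mean '{by_lower[z.lower()]}'?)" if z.lower() in by_lower else ""
                errors.append(f"{path} zone '{z}' is not defined{hint}")
        for stmt in MANDATORY:
            if not pol["match"].get(stmt):
                errors.append(f"{path} 'match' Missing mandatory statement: '{stmt}'")
        if pol["then"] is None:
            errors.append(f"{path} Missing mandatory statement: 'then'")
    return errors


def simulate(new_commands):
    """Load the sample config, apply the new commands, return (policies, errors)."""
    policies = {}
    for cmd in EXISTING_CONFIG + list(new_commands):
        apply_set(policies, cmd)
    return policies, validate(policies, DEFINED_ZONES)


if __name__ == "__main__":
    typo = ["set security policies from-zone untrust to-zone dmz policy MONITORWEB match application tcp-8084"]
    fixed = ["set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084"]
    for label, cmds in (("zone typo 'dmz'", typo), ("correct zone 'DMZ'", fixed)):
        pols, errs = simulate(cmds)
        print(f"== {label}: {len(errs)} error(s)")
        for e in errs:
            print("  ", e)
        for key, pol in pols.items():
            print("  ", key, "applications:", pol["match"]["application"])
```

    Running it shows the failure mode from the first post: with `dmz` the table ends up with two MONITORWEB policies, and the new one under `untrust -> dmz` carries only `application tcp-8084`, so it is the one reported as missing `source-address`, `destination-address` and `then`. With `DMZ` the single existing policy simply grows to `[junos-http junos-https tcp-8084]` and validates clean, which is what reply 4 describes.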