SRX Services Gateway

Unable to save config

‎11-28-2019 04:39 PM

Hi all, I am not sure what I am doing wrong:

The requirement is to allow port 8084 in an existing policy which looks like below:

I added the below commands from config mode, but each time I try to commit the config I see the below error messages:

Error messages:

JUNFW-01# commit
[edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
'match'
Missing mandatory statement: 'source-address'
[edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
'match'
Missing mandatory statement: 'destination-address'
[edit security policies from-zone untrust to-zone dmz]
'policy MONITORWEB'
Missing mandatory statement: 'then'
error: commit failed: (missing statements)

Newly added commands

--------------------------------

set security policies from-zone untrust to-zone DMZ policy MONITORWEB match source-address any
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match destination-address monitorweb
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084
set security policies from-zone untrust to-zone DMZ policy MONITORWEB then permit

Existing config:

-----------------------

from-zone untrust to-zone DMZ {
    policy MONITORWEB {
        match {
            source-address any;
            destination-address monitorweb;
            application [ junos-http junos-https ];
        }
        then {
            permit;
        }
    }
}

Solution
Accepted by topic author techvin
‎12-05-2019 04:39 PM

Re: Unable to save config

‎11-28-2019 05:06 PM

Hi,

To check the pending changes, try:

# show | compare

Try also the following commands and then try to configure the sec-policy again.

# rollback 0
# commit full
# set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084
# commit full

If the commit full doesn't work, try:

# commit synchronize force

The last time I experienced a similar problem (in an EX switch running an old Junos version), I rebooted the device and after that the problem went away.

Hope this helps you.

Please mark this comment as the Solution if applicable

Re: Unable to save config

‎11-28-2019 07:04 PM

Hi, thanks for replying.

Yes, the rollback 0 solved the issue. I had a query regarding adding a single port or application like tcp-8084 to an existing policy. Will the below single statement add tcp-8084 while not overwriting allowed apps like junos-smtp, junos-https? The reason why I ask is because when I tried the below single statement it was asking me to provide source address, destination address and then whether to permit or deny to commit.

set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084


Re: Unable to save config

‎11-28-2019 07:22 PM
There is a typo in the zone name in the policy: "dmz" and "DMZ". Please use the correct zone name. Zone names are case-sensitive.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Unable to save config

‎11-28-2019 07:43 PM

Hello,

> Adding a single port TCP-8084 to an existing policy will only append to the existing list of match applications.

> Existing applications in the policy will be unaffected. The additional application will be added as an OR condition.

> Yes, as Nellikka mentioned, the error could be due to a typo in the zone name.

Regards,

Vikas
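
The zone-name mismatch identified in the replies above can be caught before commit. The following is an added example, not code from the thread or from Juniper: a Python check that compares candidate set commands against the existing policies in `display set` form, reports zone or policy names that differ from an existing one only by case, and lists which of the three mandatory statements from the commit error the accidentally created policy would lack. The function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample: the thread's existing policy, written in "display set" form.
EXISTING = """\
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match source-address any
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match destination-address monitorweb
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application junos-http
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application junos-https
set security policies from-zone untrust to-zone DMZ policy MONITORWEB then permit
"""
# Constructed sample: one candidate command typed with a lowercase zone name.
CANDIDATE = "set security policies from-zone untrust to-zone dmz policy MONITORWEB match application tcp-8084\n"

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)\s+(.*)$")
# The statements the commit error in the thread reports as mandatory.
MANDATORY = ("match source-address", "match destination-address", "then")

def parse(text):
    """Map (from_zone, to_zone, policy) -> list of statements set under it."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies.setdefault(m.group(1, 2, 3), []).append(m.group(4))
    return policies

def lint(existing_text, candidate_text):
    """Report candidate policies that do not exactly match an existing one."""
    existing = parse(existing_text)
    folded = {tuple(p.lower() for p in key): key for key in existing}
    findings = []
    for key, stmts in parse(candidate_text).items():
        if key in existing:
            continue  # exact match: the statements merge into the existing policy
        findings.append({
            "typed": key,
            # Existing name that differs only by case, or None for a genuinely new policy.
            "case_variant_of": folded.get(tuple(p.lower() for p in key)),
            "missing": [m for m in MANDATORY
                        if not any(s.startswith(m) for s in stmts)],
        })
    return findings

if __name__ == "__main__":
    for f in lint(EXISTING, CANDIDATE):
        print(f)
```

The existing-policy input can be taken from `show configuration security policies | display set` on the device.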