SRX Services Gateway

mysterious global address-book

[ Edited ]
05-26-2018 11:11 AM

I don't see any global address book when I do:

[edit security]
root@r1# show address-book
r20 {
    address 20 10.20.1.0/24;
    attach {
        zone r20;
    }
}

But when I try to commit I get an error about there being a global address-book like:

[edit security zones security-zone r20]
'address-book'
    Zone specific address books are not allowed when there are global address books defined
error: configuration check-out failed: (statements constraint check failed)

Where else should I look to try to delete this mysterious global address book?


Re: mysterious global address-book

05-26-2018 09:53 PM

There are two ways you can define address books, but you can't use both at once:

set security zones security-zone a address-book address b c

set security address-book b address c
set security address-book b attach zone a

It looks like you have a mix of both. You have to choose one way or the other. The second one is recommended.

Regards, Wojtek


Re: mysterious global address-book

05-27-2018 07:01 PM

Hi,

There are two different methods to create Address Book objects: per zone and globally. They can be created in three locations:
1. Address book within a zone
E.g.: set security zones security-zone DMZ address-book address Server 8.8.8.8/32

2. Address book at the global level
set security address-book DMZ address Server 8.8.8.8/32
set security address-book DMZ attach zone DMZ

3. Address book within the global address book
set security address-book global address Server 8.8.8.8/32

Historically, each zone had its own address book directly under the zone configuration. In Release 11.2, they moved from the zone level to the device global level. Within this global level, you can create an address book by name and attach it to a zone so those objects are only available within the zone to which the address book is attached. Within the global level, there is also a global address book in which you can create objects that are available within every zone on the device. The caveat to this is that you either have to do everything zone based or global based. If you have zone-specific address books, you cannot use the global level configuration or you will get a commit failure.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: mysterious global address-book

[ Edited ]
05-29-2018 02:24 PM

@wdusys, I tried the recommended setup like:

set security address-book b address c
set security address-book b attach zone a

but when I try to create an address like:

[edit security]
set address-book something address 10.20.0.0/24
                                                 ^
missing argument.

[edit security]
r1# set address-book something address 10.20.0.0/24 ?
Possible completions:
  <ip-prefix>          Numeric IPv4 or IPv6 address with prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of address
> dns-name             DNS address name
> range-address        Address range
> wildcard-address     Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask

Meanwhile, I deleted the address book I had, but it gives me an error that the source address or address-group was not found, presumably until I can get one created.

I'm running Junos 15.1X49-D45.

So I tried to create it like:

[edit security address-book]
r1# set something address a1 10.20.0.0/24

which worked, but now I get a commit check error:

# commit check
[edit security zones security-zone something]
  'address-book'
    Zone specific address books are not allowed when there are global address books defined
error: configuration check-out failed: (statements constraint check failed)
Solution
Accepted by topic author silverst8p
05-30-2018 04:59 PM

Re: mysterious global address-book

[ Edited ]
05-30-2018 10:33 AM

Run in config mode:

#show security zones | display set | match address-book

Replace set with delete and remove them.

Recreate them using global address books.

Regards, Wojtek


Re: mysterious global address-book

[ Edited ]
05-30-2018 02:31 PM

Thanks @wdusys, that worked! I did:

delete security policies from-zone r20 to-zone untrust policy r20

then, per @nellikka's suggestion, created a global address book and attached a zone to it like:

set security address-book r20 address r2 range-address 10.20.0.1 to 10.20.0.254
set security address-book r20 attach zone r20

And it passes traffic!