vSRX

Zone security

04-25-2019 12:57 PM

Hello everyone,

I have a vSRX (deployed on a virtual machine)

Model: vsrx
Junos: 15.1X49-D160.2
JUNOS Software Release [15.1X49-D160.2]

and tried to configure zone security based (with small changes) on this config: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-address-books-sets.html.

My config

root@SRX-NG-IN# show security
log {
    mode stream;
    report;
}
address-book {
    SOU-ADDR {
        address ad1 10.10.10.10/32;
        attach {
            zone untrust;
        }
    }
}
screen {
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                queue-size 2000; ## Warning: 'queue-size' is deprecated
                timeout 20;
            }
            land;
        }
    }
}
policies {
    from-zone trust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy p1 {
            match {
                source-address any;
                destination-address as1;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone trust {
        tcp-rst;
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/1.0;
        }
    }
}

but I receive this error

root@SRX-NG-IN# commit check
[edit security policies from-zone untrust to-zone trust]
  'policy p1'
    Destination address or address_set (as1) not found.
error: configuration check-out failed

Sorry, but I don't quite understand where I made the mistake. What did I do wrong?

Re: Zone security

04-25-2019 01:04 PM

You have attached your address-book SOU-ADDR to the untrust zone and your policy is from untrust to trust. You are using 'as1' as destination-address, meaning an address in zone trust, not zone untrust.

Either attach the address-book to the trust as well as untrust or make a new one for the trust zone.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
Re: Zone security

04-25-2019 01:52 PM

I attached address-book SOU-ADDR to the trust zone

root@SRX-NG-IN# show security policies from-zone untrust to-zone trust
policy p1 {
    match {
        source-address any;
        destination-address as1;
        application any;
    }
    then {
        permit;
    }
}

[edit]
root@SRX-NG-IN# show security address-book SOU-ADDR
address ad1 10.10.10.10/32;
attach {
    zone trust;
}

And I receive the same error

root@SRX-NG-IN# commit check
[edit security policies from-zone untrust to-zone trust]
  'policy p1'
    Destination address or address_set (as1) not found.
error: configuration check-out failed

Re: Zone security

04-25-2019 09:28 PM

Hi,

You have defined "ad1" in the address book, but you are calling it "as1" in the policy.

address-book {
    SOU-ADDR {
        address ad1 10.10.10.10/32;
        attach {
            zone untrust;
        }
    }
}

root@SRX-NG-IN# show security policies from-zone untrust to-zone trust
policy p1 {
    match {
        source-address any;
        destination-address as1;
        application any;
    }
    then {
        permit;
    }
}

Regards,
Rahul
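Both failure modes in this thread (an address book attached to the wrong zone, and the ad1/as1 name mismatch) can be caught before running commit. The following is an added example, not code from the thread or from Juniper: a small Python lint that parses brace-style Junos configuration and resolves every policy's source-address and destination-address against the address books attached to the policy's from-zone and to-zone. It assumes zone-attached address books only (global address books and the exact commit-check rules are simplified away), and the sample configuration is constructed to mirror the original post.

```python
import re

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    stack, words = [{}], []                          # stack[-1] is the open block
    for tok in re.sub(r"([{};])", r" \1 ", re.sub(r"##.*", "", text)).split():
        if tok == "{":                               # open a child block
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":                             # leaf statement
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def zone_address_names(security, zone):
    """Address and address-set names that books attached to `zone` expose to policies."""
    names = set()
    for body in security.get("address-book", {}).values():
        if f"zone {zone}" in body.get("attach", {}):  # books attached elsewhere are invisible
            names |= {k.split()[1] for k in body
                      if k.split()[0] in ("address", "address-set")}
    return names

def check_policies(cfg):
    """Return commit-check style errors for addresses a policy cannot resolve."""
    security, errors = cfg["security"], []
    for ctx, policies in security.get("policies", {}).items():
        m = re.match(r"from-zone (\S+) to-zone (\S+)", ctx)
        if not m:                                    # e.g. global policies: not modelled here
            continue
        visible = {"source-address": zone_address_names(security, m.group(1)),
                   "destination-address": zone_address_names(security, m.group(2))}
        for pol, body in policies.items():
            for stmt in body.get("match", {}):
                field, _, name = stmt.partition(" ")
                if field in visible and name != "any" and name not in visible[field]:
                    errors.append(f"[edit security {ctx}] '{pol}': {field} ({name}) not found")
    return errors

# Constructed config mirroring the thread: book now attached to trust, policy still says as1.
SAMPLE = """security {
    address-book { SOU-ADDR { address ad1 10.10.10.10/32; attach { zone trust; } } }
    policies { from-zone untrust to-zone trust { policy p1 {
        match { source-address any; destination-address as1; application any; }
        then { permit; } } } }
}"""
```

Running check_policies(parse_junos(SAMPLE)) reports as1 as unresolved in the trust zone; renaming it to ad1 clears the error, while moving the attach back to untrust brings it back, which is the sequence the thread went through.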

Re: Zone security

06-24-2019 04:43 PM

Yuri,

Can you confirm if you're all set on this problem or if you require any further assistance on this please?

Cheers

Pooja