SRX GLOBAL ADDRESS BOOK

Let's have a look today at the issue of using the WebUI with the Global address book.

When I say Global address book, I mean creating addresses on the SRX in this way...

root# set security address-book ?
Possible completions:
  <book-name>          Address book name
  global               Default global address book name


Example of addresses in the Global address book...


security {
    address-book {
        global {
            address aaaa 1.1.1.1/32;
            address bbbb 2.2.2.2/32;
        }
    }
}


These Global addresses form a common address pool that should be available for use in any zone as opposed to the old way of creating separate address books under each zone.
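The visibility rule just described (global entries usable from any zone, named-book entries only from the zone the book is attached to) is what the WebUI has to apply when it populates the Source/Destination Address drop-downs. The script below is an added example, not Junos code or anything from Juniper: it parses a constructed `display set` style snippet modelled on this post's configs (plus a hypothetical `address-set servers` and a hypothetical `bad-ref` policy) and reports policy address references that do not resolve for the zone they are used in.

```python
"""Resolve which address-book objects a policy may reference, per zone.

Added example (not Junos code). It mimics the lookup rule the post describes:
entries in the global address book are usable from any zone, while entries in
a named address book are usable only from the zone(s) it is attached to.
"""
from collections import defaultdict

# Built-in objects that are always selectable, as seen in the WebUI drop-downs.
BUILTIN = {"any", "any-ipv4", "any-ipv6"}

# Constructed sample config in `show configuration | display set` form.
# The address-set and the bad-ref policy are hypothetical additions.
SAMPLE_CONFIG = """\
set security address-book global address aaaa 1.1.1.1/32
set security address-book global address bbbb 2.2.2.2/32
set security address-book global address-set servers address aaaa
set security address-book global address-set servers address bbbb
set security address-book TRUST-ADDRESSES address dddd 3.3.3.3/32
set security address-book TRUST-ADDRESSES address eeee 4.4.4.4/32
set security address-book TRUST-ADDRESSES attach zone trust
set security policies from-zone trust to-zone untrust policy allow-out match source-address dddd
set security policies from-zone trust to-zone untrust policy allow-out match destination-address servers
set security policies from-zone untrust to-zone dmz policy bad-ref match source-address dddd
set security policies from-zone untrust to-zone dmz policy bad-ref match destination-address any
"""


def parse(config):
    """Return (books, policies).

    books:    book name -> {"objects": set of address/address-set names,
                            "zones": set of zones the book is attached to}
    policies: list of (from_zone, to_zone, policy_name, field, object_name)
    """
    books = defaultdict(lambda: {"objects": set(), "zones": set()})
    policies = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "security", "address-book"]:
            book = tok[3]
            if tok[4] in ("address", "address-set"):
                books[book]["objects"].add(tok[5])
            elif tok[4:6] == ["attach", "zone"]:
                books[book]["zones"].add(tok[6])
        elif tok[:3] == ["set", "security", "policies"] and "match" in tok:
            # set security policies from-zone A to-zone B policy P match <field> <obj>
            from_zone, to_zone, name = tok[4], tok[6], tok[8]
            field, obj = tok[10], tok[11]
            if field in ("source-address", "destination-address"):
                policies.append((from_zone, to_zone, name, field, obj))
    return books, policies


def visible_objects(books, zone):
    """Objects selectable for a zone: built-ins, the global book, and any book attached to it."""
    visible = set(BUILTIN)
    for name, book in books.items():
        if name == "global" or zone in book["zones"]:
            visible |= book["objects"]
    return visible


def check_policies(config):
    """Return (policy, field, object, zone) tuples whose object is not visible from that zone."""
    books, policies = parse(config)
    unresolved = []
    for from_zone, to_zone, name, field, obj in policies:
        # Source addresses resolve against the from-zone, destinations against the to-zone.
        zone = from_zone if field == "source-address" else to_zone
        if obj not in visible_objects(books, zone):
            unresolved.append((name, field, obj, zone))
    return unresolved


if __name__ == "__main__":
    for name, field, obj, zone in check_policies(SAMPLE_CONFIG):
        print(f"policy {name}: {field} {obj!r} is not visible from zone {zone}")
```

Run against the sample, only `bad-ref` is flagged: `dddd` lives in `TRUST-ADDRESSES`, which is attached to `trust`, so it is not selectable as a source address for a policy from `untrust`; the global `servers` set resolves from any zone.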

1) 12.1R3.5

With a couple of addresses loaded into the Global address book as above, what can we see in the WebUI with 12.1R3.5 loaded?

Configure > Security > Policy Elements > Address Book > Zone > all
Result -> Blank. Nothing to see

Configure > Security > Policy Elements > Address Book > Zone > global
Result -> Blank. Nothing to see


Try and edit a policy. In the WebUI we are in Configure > Security > Policy > Apply Policy.
Result -> The only elements selectable in either Source Address or Destination Address are "any", "any-ipv4" or "any-ipv6", regardless of the zone chosen. Our Global address book objects are missing in action.


But let's look further...

What if we use a Named address book attached to a specific zone (but still under the Security/Address book hierarchy), such as in the example below, instead of the Global address book? Will that work?


security {
    address-book {
        TRUST-ADDRESSES {
            address dddd 3.3.3.3/32;
            address eeee 4.4.4.4/32;
            attach {
                zone trust;
            }
        }
    }
}


Let's check...

Configure > Security > Policy Elements > Address Book > Zone > all
Result -> Blank. Nothing to see

Configure > Security > Policy Elements > Address Book > Zone > trust
Result -> Blank. Nothing to see

Try to edit a policy. In the WebUI we are in Configure > Security > Policy > Apply Policy ...then edit a policy.
Result -> No good. Our trust addresses do not show up when we select the source or destination zone to be trust. We just see the "any" addresses, as above.


2) 12.1R5.5

Global address book results are the same as for 12.1R3.5.

Named address book results... (same config as above)

Configure > Security > Policy Elements > Address Book > Zone > all
Result -> Blank. Nothing to see

Configure > Security > Policy Elements > Address Book > Zone > trust
Result -> Blank. Nothing to see

If we go and try to edit a policy. In the WebUI we are in Configure > Security > Policy > Apply Policy ...then edit a policy.
Result -> Our elements are there when we select the source or destination zone to be trust. Better...

3) 12.1X44-D10.4

Global address book and Named address book under the "Security > Policy Elements > Address Book" hierarchy in the WebUI are still unusable.

However, with this version, Global address book entries are finally selectable in policy editing. Further, this is the first version in which you can configure Global policy through the WebUI, as far as I can tell.


The below config is usable in the WebUI Apply Policy section when editing a rule...


security {
    address-book {
        global {
            address wwwww 3.3.3.3/32;
            address eeeee 4.4.4.4/32;
        }
    }
}



4) CONCLUSION

Two points to make.
1) If you create Zone Based address books, ScreenOS style, all the above features work, i.e. you can create/manage addresses and edit policies through the WebUI. No problems at all, and as such I have not shown any examples of this.


2) If you want to use any address book under the Security/Address Book hierarchy, understand that you will, right now, have to create and edit address objects via the CLI. However, you can edit the rules in the WebUI depending on the version you use. Not great.

Here is the closest PIR I can find to the issue. There may be others.



At least it acknowledges it is still open, but it says it's resolved in 12.1R5 - no it's not! At least not yet, based on my testing.

So why bother using the Global Address book? Why not stick with the Zone based addresses, if that is what actually works right now in the WebUI?

Here is what Juniper says about the Global Address book...

"This permits objects to be used across many zones and avoids inefficient use of resources. This change also permits nested groups to be configured within the address book, removing redundancy from repeating address objects."

I agree 100%. It seems more "elegant" to me and that is something that appeals. At the end of the day it's my choice and I choose to use it because I can.


Why does this all matter? OK, we choose to use the Global address book, so why not just stick to the CLI? After all, all the Global features (Zones and Address book) work perfectly in the CLI. Well, I do live in the CLI and I guess that everyone reading this blog probably does, or prefers to use the CLI. However, some people just want to, or have to, operate the device through a GUI without learning Junos. Now I don't think that's a great way to go and I encourage everyone to learn Junos, but it doesn't change the fact that not everyone wants to, needs to or can.


Anyway...

Juniper does recognise it's an issue, so it's only a matter of time before it's fixed. I am guessing we will see it first fixed in the 12.1X44 stream here... http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2013-01-818&actionBtn=Search

All versions tested on SRX210HE.