How to configure address book in Junos OS Richard Pracko

The configuration of address books in Junos OS has changed recently. Both the “old” and the “new” configuration styles are still valid. The differences between them, and the related features, are described in the following article written by Richard Pračko.

Since release 11.2, Junos OS (security) has offered a new option for configuring and using address books. The old option is still supported for backward compatibility.

However, the choice of which style, “old” or “new”, will be used needs to be made upfront, because the two cannot coexist on the same device.

The “old” style has the address books defined under the [edit security zones security-zone] hierarchy:

[edit security zones security-zone trust]
lab@SRX1# show address-book
address PC-1 192.168.1.1/32;
address trust-net 192.168.1.0/24;

The new style has the address book configuration located directly under the [edit security] hierarchy, and the association with security zones is made within the address book itself.

[edit security]
lab@SRX1# show address-book
internal-address-books {
    address PC-1 192.168.1.1/32;
    address trust-net 192.168.1.0/24;
    address dmz-net 172.16.100.0/24;
    address mail-server 172.16.100.50/32;
    attach {
      zone trust;
      zone dmz;
    }
}

As shown in the example above, each address book can be associated with multiple zones if needed.

Furthermore, one new address book, called “global”, has been made available. The global address book is automatically associated with all security zones defined on the device. As a result, regular security policies (i.e. policies defined in a security zone context, “from-zone to-zone”) can use addresses and address-sets either from the address book associated with the security zones in that context or from the global address book.

Defining all addresses and address-sets only in the global address book makes them immediately available to all global and regular security policies, regardless of the security zones involved. When a new security zone is created, it automatically inherits all the addresses and address-sets from the global address book. This can simplify the configuration and make it more efficient.

[edit security]
lab@SRX1# show address-book
internal-address-books {
    address PC-1 192.168.1.1/32;
    address trust-net 192.168.1.0/24;
    address dmz-net 172.16.100.0/24;
    address mail-server 172.16.100.50/32;
    attach {
      zone trust;
      zone dmz;
    }
}
global {
    address corp-net 172.16.0.0/16;
}
[edit security]
lab@SRX1# set policies from-zone trust to-zone untrust policy test1 match source-address?
Possible completions:
  PC-1                 The address in address book internal-address-books
  [                    Open a set of values
  any                  Any IPv4 or IPv6 address
  any-ipv4             Any IPv4 address
  any-ipv6             Any IPv6 address
  corp-net             The address in address book global
  dmz-net              The address in address book internal-address-books
  mail-server          The address in address book internal-address-books
  trust-net            The address in address book internal-address-books

--> The list contains the addresses from the "internal-address-books" address book attached to the trust zone (PC-1, dmz-net, mail-server, trust-net) and the addresses from the global address book (corp-net).

[edit security]
lab@SRX1# set policies from-zone trust to-zone untrust policy test1 match source-address trust-net destination-address ?
Possible completions:
  [                    Open a set of values
  any                  Any IPv4 or IPv6 address
  any-ipv4             Any IPv4 address
  any-ipv6             Any IPv6 address
  corp-net             The address in address book global

--> Because the "untrust" zone is not explicitly associated with any address book in the configuration, only the addresses from the global address book are available (corp-net).

[edit security]
lab@SRX1# show policies from-zone trust to-zone untrust
policy test1 {
    match {
      source-address trust-net;
      destination-address corp-net;
      application any;
    }
    then {
      permit;
    }
}

Global policies can use addresses and address-sets only from the global address book.

[edit security]
lab@SRX1# set policies global policy g1 match source-address ?
Possible completions:
  [                    Open a set of values
  any                  Any IPv4 or IPv6 address
  any-ipv4             Any IPv4 address
  any-ipv6             Any IPv6 address
  corp-net             The address in address book global

Each security zone can be attached to only one address book at a time:

[edit security]
lab@SRX1# show address-book
internal-address-books {
    address PC-1 192.168.1.1/32;
    address trust-net 192.168.1.0/24;
    address dmz-net 172.16.100.0/24;
    address mail-server 172.16.100.50/32;
    attach {
      zone trust;
      ##
      ## Warning: Security zone must be unique in address books
      ##
      zone dmz;
    }
}
global {
    address corp-net 172.16.0.0/16;
}
test-book {
    attach {
      ##
      ## Warning: Security zone must be unique in address books
      ##
      zone dmz;
    }
}

The commit fails:

[edit security]
lab@SRX1# commit
[edit security address-book internal-address-books attach zone]
  'dmz'
    Security zone must be unique in address books
[edit security address-book test-book attach zone]
  'dmz'
    Security zone must be unique in address books
error: commit failed: (statements constraint check failed)

When using the old style of address book configuration, Junos OS does not allow defining any entries in the global address book, which means that global policies can use only the predefined address “any”.

The following example demonstrates it:

Old style address book defined for trust zone:

[edit security zones security-zone trust]
lab@SRX1# show address-book
address PC-1 192.168.1.1/32;
address trust-net 192.168.1.0/24;

An address entry in the global address book:

[edit security]
lab@SRX1# show address-book
global {
    address corp-net 172.16.0.0/16;
}

The commit fails:

[edit security]
lab@SRX1# commit
[edit security zones security-zone trust]
  'address-book'
    Zone specific address books are not allowed when there are global address books defined
error: commit failed: (statements constraint check failed)
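The rules shown above (which address names a regular or global policy can reference, the one-address-book-per-zone constraint, and the rejection of old-style zone books alongside a populated global book) as a small Python model. This is an added example, not code from the article or from Juniper; the address-book data is constructed by hand to mirror the article's show output rather than parsed from a device, and the checks only imitate the commit messages quoted above.

```python
from typing import Dict, List, Optional

# Constructed to mirror the article's new-style "show address-book" output.
NEW_STYLE_BOOKS: Dict[str, dict] = {
    "internal-address-books": {
        "addresses": ["PC-1", "trust-net", "dmz-net", "mail-server"],
        "attach": ["trust", "dmz"],
    },
    "global": {"addresses": ["corp-net"], "attach": []},
}
# Constructed old-style book, i.e. [edit security zones security-zone trust address-book].
OLD_STYLE_ZONE_BOOKS: Dict[str, List[str]] = {"trust": ["PC-1", "trust-net"]}


def commit_errors(books: Dict[str, dict], zone_books: Dict[str, List[str]]) -> List[str]:
    """Imitate the two constraint checks behind the commit failures in the article."""
    errors: List[str] = []
    claims: Dict[str, List[str]] = {}  # zone -> books that attach it
    for name, book in books.items():
        for zone in book.get("attach", []):
            claims.setdefault(zone, []).append(name)
    for zone, names in claims.items():
        if len(names) > 1:  # Junos flags every attach statement for the zone
            for name in names:
                errors.append(f"address-book {name} attach zone '{zone}': "
                              "Security zone must be unique in address books")
    # Old-style zone books cannot coexist with entries in the global book.
    if zone_books and books.get("global", {}).get("addresses"):
        errors.append("Zone specific address books are not allowed "
                      "when there are global address books defined")
    return errors


def usable_addresses(books: Dict[str, dict], zone: Optional[str] = None) -> List[str]:
    """Address names a policy may reference besides the built-in any/any-ipv4/any-ipv6.

    zone=None models a global policy (only the global book is visible); a zone
    name models a from-zone/to-zone context, which also sees the book attached
    to that zone.
    """
    names = set(books.get("global", {}).get("addresses", []))
    if zone is not None:
        for book in books.values():
            if zone in book.get("attach", []):
                names.update(book["addresses"])
    return sorted(names)


if __name__ == "__main__":
    print(usable_addresses(NEW_STYLE_BOOKS, "trust"))    # source-address, from-zone trust
    print(usable_addresses(NEW_STYLE_BOOKS, "untrust"))  # destination-address, to-zone untrust
    print(commit_errors(NEW_STYLE_BOOKS, OLD_STYLE_ZONE_BOOKS))
```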

When the global address entry is removed (leaving the global address book empty), the old style is accepted again, and only the “any” address entries can be referenced in global policies.

[edit security]
lab@SRX1# delete address-book global address corp-net
[edit security]
lab@SRX1# show address-book
[edit security]
lab@SRX1# show zones security-zone trust address-book
address PC-1 192.168.1.1/32;
address trust-net 192.168.1.0/24;
[edit security]
lab@SRX1# set policies global policy g1 match source-address ?
Possible completions:
  <address>            Address from address book
  [                    Open a set of values
  any                  Any IPv4 or IPv6 address
  any-ipv4             Any IPv4 address
  any-ipv6             Any IPv6 address
[edit security]
lab@SRX1# show policies global
policy g1 {
    match {
      source-address any;
      destination-address any;
      application any;
    }
    then {
      permit;
    }
}

The commit now succeeds.

[edit security]
lab@SRX1# commit
commit complete

Juniper Networks provides scripts that convert the address book configuration between the old and new styles. Further details can be found here:

http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/topic-collections/release-notes/12.1x45/topic-72770.html#jd0e11969

http://www.juniper.net/us/en/community/junos/script-automation/library/operations/addr-book-upgrade/

Written by Richard Pracko on
