Address Books Explained

You can configure address book objects in various parts of the SRX configuration. Because there are several options, you need to know where each kind of address book can be used. To explain address books simply, I have drawn the following graph.

(Figure: address book types on SRX)

Group A
This group contains the zone-specific address book object. The configuration must be done under the security zone itself, e.g.:

set security zones security-zone INTERNET address-book address hostA 192.168.1.1

Group B
This is the global address book objects group, configured under the [edit security address-book] hierarchy. But why do we have two different object types there, e.g.:

  • Global
  • Zone Attached

It is because global address book objects can be used in any zone; they do not belong to any particular zone. Zone-attached address book objects, however, can only be used in the zone they are attached to. Let's look at an example:

Global Address Book Object

set security address-book global address hostB 192.168.1.2

This config means you can use the hostB address book object in any zone in your security policies.

Zone Attached Address Book Object

set security address-book INT-ADDR address hostC 192.168.1.3
set security address-book INT-ADDR attach zone INTERNET

This config means you can only use the address book object hostC in security policies that involve the INTERNET zone: as a source address when INTERNET is the from-zone, or as a destination address when INTERNET is the to-zone.
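As an added example (not from the original post), here is a complete configuration that puts both Group B object types to work in security policies: the global object hostB is referenced in two different zone pairs, while the zone-attached object hostC is referenced only where INTERNET is the to-zone. The zone names TRUST and DMZ, the address-set name, the policy names and the application are assumed for illustration; the comment lines are for the reader and are not part of the configuration.

```junos
## Added example, not from the original post. TRUST, DMZ, DNS-SERVERS and
## the policy names are assumed for illustration.

## Global address book (Group B): resolvable from any zone
set security address-book global address hostB 192.168.1.2
set security address-book global address-set DNS-SERVERS address hostB

## Zone-attached address book (Group B): resolvable only where INTERNET is
## the from-zone (as source-address) or the to-zone (as destination-address)
set security address-book INT-ADDR address hostC 192.168.1.3
set security address-book INT-ADDR attach zone INTERNET

## Both object types in one policy: hostB (global) as source, hostC as
## destination, which is allowed because INTERNET is the to-zone here
set security policies from-zone TRUST to-zone INTERNET policy to-hostC match source-address hostB
set security policies from-zone TRUST to-zone INTERNET policy to-hostC match destination-address hostC
set security policies from-zone TRUST to-zone INTERNET policy to-hostC match application junos-https
set security policies from-zone TRUST to-zone INTERNET policy to-hostC then permit

## The global object (here via its address-set) also works in a zone pair
## that does not touch INTERNET at all
set security policies from-zone TRUST to-zone DMZ policy to-dns match source-address any
set security policies from-zone TRUST to-zone DMZ policy to-dns match destination-address DNS-SERVERS
set security policies from-zone TRUST to-zone DMZ policy to-dns match application junos-dns-udp
set security policies from-zone TRUST to-zone DMZ policy to-dns then permit

## Validate the candidate configuration without committing it
commit check
```

Referencing hostC as the destination-address in the TRUST-to-DMZ policy instead would not pass commit check, because hostC is only visible in policies that involve the INTERNET zone; that is the "more strict" property of zone-attached books, since an object attached to INTERNET cannot be accidentally reused in a policy between two other zones.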

Now here is the tricky part. I grouped these objects into Group A and Group B because the two groups are mutually exclusive: a zone-specific address book (Group A) cannot coexist with global or zone-attached address books (Group B), but global and zone-attached address books can coexist with each other.
If you try to commit a configuration that contains both a zone-specific address book and a global or zone-attached address book, you will get the following error:

[edit]
root@BranchK# commit 
[edit security zones security-zone INTERNET]
  'address-book'
    Zone specific address books are not allowed when there are global address books defined
error: commit failed: (statements constraint check failed)
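As an added example (not from the original post), the following sequence resolves that commit error by moving the Group A object hostA from the INTERNET zone into the global address book, so that it can coexist with the Group B objects hostB and hostC, and then validates the result before committing. The policy name and zones are assumed for illustration; the comment lines are for the reader and are not part of the configuration.

```junos
## Added example, not from the original post. Zone TRUST and the policy
## name are assumed for illustration.

## 1. Remove the zone-specific address book (Group A) that triggers
##    "Zone specific address books are not allowed when there are global
##    address books defined"
delete security zones security-zone INTERNET address-book

## 2. Recreate the same address under the global book (Group B). Keeping the
##    name hostA means existing policies that reference it still resolve.
##    Use a zone-attached book instead if hostA must stay INTERNET-only.
set security address-book global address hostA 192.168.1.1

## 3. A policy that referenced hostA when it lived in the INTERNET zone
##    keeps working, because a global object is resolvable from any zone
set security policies from-zone INTERNET to-zone TRUST policy from-hostA match source-address hostA
set security policies from-zone INTERNET to-zone TRUST policy from-hostA match destination-address any
set security policies from-zone INTERNET to-zone TRUST policy from-hostA match application junos-ssh
set security policies from-zone INTERNET to-zone TRUST policy from-hostA then permit

## 4. Review the diff against the active configuration and validate it
show | compare
commit check
```

Once commit check passes, the only address books left are the global one and any zone-attached ones, which is the combination the constraint permits.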

I hope this clears up the concept if you had any confusion about address book objects.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


5 thoughts on “Address Books Explained”

  1. Thanks for the description. So why use zone address books over global address books (or vice versa)?

    1. I prefer global address books actually since I can use them anywhere I like in the security policies and easier for copy/paste too but if you want to be more strict, you may choose zone attached address book entries. I think it all depends on your user experience.

  2. The reason for the 2 methods is simply that Juniper changed their mind on how this should be done. Prior to Junos 11.2 the only method available was address books defined within the zone. It was decided that this could be inefficient as the same address object may need to be used in more than one zone. Juniper now prefer the global address method where zones can be attached if required but both methods are supported although they are mutually exclusive as described by the author.

    It should be noted that objects referred to in NAT configurations must be defined in the ‘global’ address book.
