Address Books Explained

You can configure address book objects in various parts of the SRX configuration. Because there are several options, we need to know where each kind of address book can be used. To explain address books simply, I have drawn the following graph.


Group A
This group contains the zone-specific address book objects; they must be configured under the security zone itself, e.g.:

Group B
This group contains the address book objects configured under the [edit security address-book] hierarchy. Why do we have two different object types here?

  • Global
  • Zone Attached

It is because global address book objects can be used in any zone: they don't belong to any particular zone. Zone Attached address book objects, however, can only be used in the zone to which they are attached. Let's look at an example:

Global Address Book Object

This config means you can use the hostB address book object in any zone in your security policies.

Zone Attached Address Book Object

This config means you can only use the hostC address book object in the INTERNET zone.

Now here is the tricky part. I grouped these objects into Group A and Group B because the two groups are mutually exclusive. In other words, a Zone Specific address book object can't co-exist with Global and Zone Attached address book objects, but Global and Zone Attached address book objects can co-exist with each other.
If you try to commit a configuration that contains both a Zone Specific address book object and a Global/Zone Attached one, you will get the following error:

I hope this clears the concept if you have any confusion about address book objects.
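The three object types described above, written out as Junos set commands; this is an added example, not the configuration from the original post. The address-book name INTERNET-book, the zone TRUST, the object hostA and all IP addresses are assumed values (documentation ranges), while hostB, hostC and the INTERNET zone are the names used in the post.

```junos
## Group B, type "Global": usable in policies of any zone
set security address-book global address hostB 192.0.2.10/32

## Group B, type "Zone Attached": usable only in policies of zone INTERNET
set security address-book INTERNET-book address hostC 198.51.100.20/32
set security address-book INTERNET-book attach zone INTERNET

## Example policy referencing both objects (TRUST -> INTERNET direction)
set security policies from-zone TRUST to-zone INTERNET policy allow-hosts match source-address any
set security policies from-zone TRUST to-zone INTERNET policy allow-hosts match destination-address hostB
set security policies from-zone TRUST to-zone INTERNET policy allow-hosts match destination-address hostC
set security policies from-zone TRUST to-zone INTERNET policy allow-hosts match application any
set security policies from-zone TRUST to-zone INTERNET policy allow-hosts then permit

## Group A, "Zone Specific": defined under the zone itself.
## Do NOT combine this with the Group B objects above in the same
## configuration; the commit is rejected because the groups are mutually exclusive.
## (Shown here only for comparison; delete the Group B lines first if you want to test it.)
# set security zones security-zone INTERNET address-book address hostA 203.0.113.30/32

## Review what is configured before committing
show configuration security address-book
```

Lines starting with `##` are explanatory comments, not CLI input; `show configuration security address-book` is an operational command run from configuration mode with `run` prepended.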

3 thoughts on “Address Books Explained”

  1. jose

    Thanks for the description. So why use zone address books over global address books (or vice versa)?

    1. rtoodtoo Post author

      I prefer global address books actually, since I can use them anywhere I like in the security policies and they are easier for copy/paste too, but if you want to be more strict, you may choose zone attached address book entries. I think it all depends on your user experience.

  2. Regalis

    The reason for the 2 methods is simply that Juniper changed their mind on how this should be done. Prior to Junos 11.2 the only method available was address books defined within the zone. It was decided that this could be inefficient as the same address object may need to be used in more than one zone. Juniper now prefer the global address method where zones can be attached if required, but both methods are supported although they are mutually exclusive as described by the author.

    It should be noted that objects referred to in NAT configurations must be defined in the ‘global’ address book.
