migrating zone based address book to global in Juniper SRX

I have written a small Python3 script to convert SRX address books from the zone-based format to the global format. There was already a ready-made script on the Juniper forums, but I saw that it lacked duplicate address checks and it couldn't connect to some SRX devices. Below is the link to the code and how it can be used.

1) First, fetch your current zone-based addresses from the SRX to a Linux host.

>show configuration security | display set | match address-book | save user@remote-host:/home/user/zone-based-addr.txt

2) Download the tool at https://github.com/rtodto/junosrepo/blob/master/srx_migrate_zone2global.py

3) Let's say your zone-based address book file looks like this:

set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3

4) Run the tool against the legacy address book file as shown below, on Linux or any other OS that has Python3 installed.
Once it runs you will get the new set-based commands as output, to be pasted into your SRX box.
If you have a conflict, you will get a message like the one below. How can a conflict happen?
Zone-based address books allow you to use the same address object name in different zones with
different values. If you blindly convert with another tool, one entry can override the other in the
global address book. To prevent this, the tool simply tells you that address book object "addr1" has
more than one IP address. If both IP addresses are the same, you won't get a warning.

Once you resolve the conflict, i.e. rename the address book object and update the security policies that reference it,
simply paste the set/del lines into your SRX command line. Your address book should then be converted.

#./srx_migrate_zone2global.py zone-based-addr.txt
set security address-book global address addr1 1.1.1.1
set security address-book global address addr2 10.1.1.1
set security address-book global address addr3 10.2.2.2
set security address-book global address-set my-addr-group address addr2
set security address-book global address-set my-addr-group address addr3
del security zones security-zone internal address-book
del security zones security-zone trust address-book
del security zones security-zone external address-book


Duplicate address objects found with conflicting object values
**************************************************************
addr1
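To show the conversion and the duplicate check described above in code, here is an added Python3 example written for this post; it is not the script from the repository. It parses the same zone-based set lines, keeps the first value seen for each object name, reports any name whose value differs between zones, and emits the full `delete` keyword where the tool's output shows the abbreviation `del`.

```python
import re
from collections import defaultdict

# Constructed input: the zone-based address book from the post, as one string.
ZONE_BOOK = """\
set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3
"""
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
SET_RE = re.compile(r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$")

def migrate(text):
    """Return (commands, conflicts): the set/delete lines to paste and the address
    names whose value differs between zones (rename those before pasting)."""
    first = {}                     # address name -> first value seen (kept in output)
    seen = defaultdict(set)        # address name -> every value seen across zones
    members = defaultdict(list)    # address-set name -> member names in order
    zones = []                     # zones that carried an address book, first-seen order
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            zone, name, value = m.groups()
            first.setdefault(name, value)
            seen[name].add(value)
        else:
            m = SET_RE.match(line.strip())
            if not m:
                continue           # not an address-book line, ignore it
            zone, setname, member = m.groups()
            if member not in members[setname]:
                members[setname].append(member)
        if zone not in zones:
            zones.append(zone)
    cmds = [f"set security address-book global address {n} {v}" for n, v in first.items()]
    for setname, names in members.items():
        cmds += [f"set security address-book global address-set {setname} address {n}" for n in names]
    cmds += [f"delete security zones security-zone {z} address-book" for z in zones]
    # Same name with different values in two zones: a blind merge would silently keep one.
    conflicts = [n for n, vals in seen.items() if len(vals) > 1]
    return cmds, conflicts
```

Running `migrate(ZONE_BOOK)` yields the eight commands and reports `addr1` as the one conflicting object; the same name with the same value in two zones is not reported.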

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


10 thoughts on “migrating zone based address book to global in Juniper SRX”

  1. Hi,

    Thank you for the script. Can you please leave a step-by-step procedure to execute this script on my SRX device? I am a bit confused about where I need to run this script.

    Thanks,
    Sures

    1. Sures,
      it is Python code, so you need to run it on an OS which has Python installed. It can be Linux/Windows etc. I have also updated the post to say that it
      must be run on the client PC side (Linux/Windows). Once you have Python and run it, you will get the output to be pasted onto your SRX.

  2. Running into an interesting difficulty with the script. Trying to convert roughly 29k zone-based addresses to global, the script runs but only rebuilds the address-set entries and not the individual address entries, nor does it generate any delete lines to remove the existing zone-based entries. No errors are being generated either. Simply a case of the file being too large? Or am I doing something wrong?

    1. 29k shouldn't be a big number for the script, but I wonder if there is a config/description which I didn't expect. If you can send a modified version of the file you are trying to
      convert, I am happy to check and see why it fails. Email genco {AT} rtodto {DOT} net

      1. Thanks, I got it sorted. It was something to do with the way the Juniper was saving the output with the | save command. Saving the file manually via SecureCRT 'Transfer -> receive ascii' seemed to do the trick.

  3. It looks like the script gives the commands to replace the address objects. But I have attempted to do this manually and the firewall will not allow me to delete an address object that is being used in policies. Is there a solution for this?

    1. Marc,
      the issue you are describing is by design on SRX. You can't delete an address object if it is referenced by a security policy.
      The tool is just migrating address book entries (deleting and re-adding), so you need to remove the object from the security policy if you really want to delete it.
      If you are saying that the tool has done such a deletion without re-adding, let me know (but I need the address object list in order to check).

      thanks

    1. try this.

      show configuration | display set | save config.txt
      start shell
      sed "s/set security zones.*address-book/set security address-book global/g" config.txt > gconfig.txt
      exit
      edit
      delete
      load set gconfig.txt
      show | compare
      commit and-quit
