Convert SRX zone policy to global

SRX platform has two types of security policy: Zone Based and Global and you can mix these two but when mixed it is also posing some challenges. If you want to convert all zone based policies to global, normally there is no builtin tool. Maybe Junos Space provides such tool but I am not aware of it. I searched and couldn’t find one so wanted to write my own. Here is how it works:

WARNING: This conversion kills all the sessions as you migrate to new security rule structure thereby it requires outage and all sessions must be re-established. If you have an IPsec tunnel, through which you make this change, your session will be killed and IPsec tunnel will flap.

You have security policy as below and you saved it in a file named zone-policy.txt:

set security policies from-zone trust to-zone untrust policy allow-all match source-address any
set security policies from-zone trust to-zone untrust policy allow-all match destination-address any
set security policies from-zone trust to-zone untrust policy allow-all match application any
set security policies from-zone trust to-zone untrust policy allow-all then permit

You run the tool as below;

$./zone2global-policy.py zone-policy.txt
set security policies global policy trust-untrust-allow-all match from-zone trust
set security policies global policy trust-untrust-allow-all match to-zone untrust
set security policies global policy trust-untrust-allow-all match source-address any
set security policies global policy trust-untrust-allow-all match destination-address any
set security policies global policy trust-untrust-allow-all match application any
set security policies global policy trust-untrust-allow-all then permit

Global policies also allow you to specific source/destination zones starting from some release that I don’t recall 🙂 so what script does is the following;

  • takes the source and destination zone from the context and prepends onto the security policy name
  • As in the example, you have policy “allow-all” in our zone based rulebase. Converter makes the rule trust-untrust-allow-all and moves it onto global context.
  • sets the from-zone and to-zone settings properly
  • and displays the output
  • what you need to do is to delete all zone based and copy/paste the new ones generated or “load set terminal”

You can fetch the script from my github repo

You need python3 to run the script.

Let me know if you experience any issues or have any feedback.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “Convert SRX zone policy to global”

  1. Hello! Do you have any experience setting up traffic shaping and policers on SRX? If so, I would love your guidance and assistance. I’m just trying to set up a really basic traffic shaping on an SRX 340 to bring an interface in line with our ISP bandwidth speed.

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading