migrating zone based address book to global in Juniper SRX

I have written a small Python 3 script to convert SRX address books from the zone-based format to the global format. There was already a ready-made script on the Juniper forums, but I saw it lacked duplicate-address checks and it couldn't connect to some SRX devices. Below is the link to the code and how it can be used.

1) First, fetch your current zone-based addresses from the SRX to a Linux host.

>show configuration security | display set | match address-book | save user@remote-host:/home/user/zone-based-addr.txt

2) Download the tool at https://github.com/rtodto/junosrepo/blob/master/srx_migrate_zone2global.py

3) Let's say your zone-based address book file looks like this:

set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3

4) Run the tool against the legacy address book file as shown below, on Linux or any OS that has Python 3 installed.
Once it runs you will get the new set-based commands as output, to be pasted into your SRX box.
If there is a conflict you will get a message like the one below. How can a conflict happen?
Zone-based address books allow the same address object name to be used in different zones with different values;
if you blindly convert via another tool, one entry can override the other in the global book. To prevent this,
the tool simply tells you that address book object "addr1" has more than one IP address. If both IP addresses
are the same, you won't get a warning.

Once you resolve the conflict, i.e. rename the address book entry and update the security policies that reference it,
simply paste the set/del lines on your SRX command line. Your address book is then converted.

#./srx_migrate_zone2global.py zone-based-addr.txt
set security address-book global address addr1 1.1.1.1
set security address-book global address addr2 10.1.1.1
set security address-book global address addr3 10.2.2.2
set security address-book global address-set my-addr-group address addr2
set security address-book global address-set my-addr-group address addr3
del security zones security-zone internal address-book
del security zones security-zone trust address-book
del security zones security-zone external address-book


Duplicate address objects found with conflicting object values
**************************************************************
addr1
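To make the conversion and the duplicate check concrete, here is a small stand-alone Python 3 implementation of the same idea. It is an added example written for this post, not the author's srx_migrate_zone2global.py from the GitHub link; the input text is a constructed copy of the sample above, and the function names are my own. Unlike the output above, it withholds a conflicting name from the set lines entirely instead of emitting the first value seen, so nothing can be pasted that overwrites another zone's definition. It also ignores any line that is not an address-book set command, so banners or stray output from a `| save` transfer do not break it, and it drops `description` lines so they cannot be mistaken for a second value of the same object.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input, mirroring the zone-based address book shown in the post.
SAMPLE_ZONE_CONFIG = """\
set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3
"""

# "address <name> <value>"; the value may be an IP, a prefix, or a multi-word form
# such as "dns-name host.example", so the tail of the line is captured whole.
ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (.+)$"
)
# "address-set <set-name> address <member>"
SET_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$"
)


def parse_zone_address_book(text):
    """Parse 'display set' output into three structures.

    addresses:    name -> set of distinct values seen for that name across all zones
    address_sets: set name -> member names in first-seen order, without duplicates
    zones:        zones that carried an address-book, in first-seen order
    Lines that are not address-book set commands are ignored.
    """
    addresses = defaultdict(set)
    address_sets = defaultdict(list)
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)  # the address-set form is the more specific one, test it first
        if m:
            zone, set_name, member = m.groups()
            if member not in address_sets[set_name]:
                address_sets[set_name].append(member)
        else:
            m = ADDR_RE.match(line)
            if not m:
                continue
            zone, name, value = m.groups()
            if value.split()[0] == "description":
                continue  # a description is not a second value for the object
            addresses[name].add(value)
        if zone not in zones:
            zones.append(zone)
    return dict(addresses), dict(address_sets), zones


def find_conflicts(addresses):
    """Names defined with different values in different zones."""
    return sorted(name for name, values in addresses.items() if len(values) > 1)


def build_global_commands(addresses, address_sets, zones):
    """Emit set lines for the global address book and delete lines for each zone book.

    Conflicting names are withheld from the set lines so no definition can
    silently overwrite another; the caller reports them instead.
    """
    conflicts = set(find_conflicts(addresses))
    lines = []
    for name in sorted(addresses):
        if name in conflicts:
            continue
        (value,) = addresses[name]  # exactly one distinct value for a non-conflicting name
        lines.append(f"set security address-book global address {name} {value}")
    for set_name in sorted(address_sets):
        for member in address_sets[set_name]:
            lines.append(
                f"set security address-book global address-set {set_name} address {member}"
            )
    for zone in zones:
        # the post abbreviates this as "del"; the full Junos keyword is "delete"
        lines.append(f"delete security zones security-zone {zone} address-book")
    return lines


def convert(text):
    """Return (commands, conflicts) for one zone-based address-book dump."""
    addresses, address_sets, zones = parse_zone_address_book(text)
    return build_global_commands(addresses, address_sets, zones), find_conflicts(addresses)


if __name__ == "__main__":
    # usage: python3 this_script.py zone-based-addr.txt (falls back to the sample above)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE_CONFIG
    commands, conflicts = convert(source)
    print("\n".join(commands))
    if conflicts:
        print("\nDuplicate address objects found with conflicting object values")
        print("\n".join(conflicts))
```

Two things to check before pasting the output into a device: an address-set that references a withheld (conflicting) name will still be emitted, so the rename has to be done for the set member as well as for the address, and description lines are dropped rather than carried over, so they need to be re-added to the global book by hand if you want to keep them. Reviewing the generated delete lines in a candidate configuration (`show | compare`) before committing is the cheap way to confirm nothing else under the zone address-book is being removed.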

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and working as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


6 thoughts on “migrating zone based address book to global in Juniper SRX”

  1. Hi,

    Thank you for the script. Can you please leave a step-by-step procedure to execute this script on my SRX device? I am a bit confused about where I need to run this script.

    Thanks,
    Sures

    1. Sures,
      it is Python code, so you need to run it on an OS which has Python installed. It can be Linux/Windows etc. I have also updated the post to say that it
      must be run on the client PC side (Linux/Windows). Once you have Python and run it, you will get the output to be pasted onto your SRX.

  2. Running into an interesting difficulty w/ the script. Trying to convert roughly 29k zone-based addresses to global, the script runs but only rebuilds the address-set entries and not the individual address entries, nor does it generate any delete lines to remove the existing zone-based entries. No errors being generated either. Simply a case of the file being too large? Or am I doing something wrong?

    1. 29k shouldn't be a big number for the script, but I wonder if there is a config/description which I didn't expect. If you can send a modified version of the file you try to
      convert, I am happy to check to see why it fails. Email genco {AT} rtodto {DOT} net

      1. Thanks, I got it sorted. Something to do with the way the Juniper was saving the output with the | save command. Saving the file manually via SecureCRT ‘Transfer -> receive ascii’ seemed to do the trick.
