migrating zone based address book to global in Juniper SRX

I have written a small Python 3 script to convert SRX address books from the zone-based format to the global format. There was already a script on the Juniper forums, but it lacked duplicate-address checks and could not connect to some SRX devices. Below is the link to the code and how to use it.

1) First, fetch your current zone-based addresses from the SRX to a Linux host.

>show configuration security | display set | match address-book | save user@remote-host:/home/user/zone-based-addr.txt

2) Download the tool at https://github.com/rtodto/junosrepo/blob/master/srx_migrate_zone2global.py

3) Let's say your zone-based address book file looks like this:

set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3

4) Run the tool against the legacy address book file as shown below, on Linux or any other OS that has Python 3 installed.
Once it runs, you get the new set-based commands as output, ready to be pasted into your SRX box.
If there is a conflict, you will get a message like the one below. How can a conflict happen?
Zone-based address books allow the same address object name to be used in different zones with different values;
if you blindly convert with another tool, one entry can override another in your address book, so a security
policy referencing that name would silently match the wrong address. To prevent this, the tool simply tells you
that address book object "addr1" has more than one IP address. If both IP addresses are the same, you won't get a warning.

Once you resolve the conflict, i.e. rename the address book object and update the security policies that reference it,
simply paste the set/del lines into your SRX command line. Your address book is then converted.

#./srx_migrate_zone2global.py zone-based-addr.txt
set security address-book global address addr1 1.1.1.1
set security address-book global address addr2 10.1.1.1
set security address-book global address addr3 10.2.2.2
set security address-book global address-set my-addr-group address addr2
set security address-book global address-set my-addr-group address addr3
del security zones security-zone internal address-book
del security zones security-zone trust address-book
del security zones security-zone external address-book


Duplicate address objects found with conflicting object values
**************************************************************
addr1
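To make the conflict check concrete, here is an added, self-contained example of the same migration logic (written for this post, not the script linked above). It assumes one-token address values as in the sample file, and it goes one step further than the description above by also flagging an address-set name whose membership differs between zones, since merging such sets into one global set would widen what a policy matches.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the zone-based address book in the post.
SAMPLE = """\
set security zones security-zone trust address-book address addr1 1.1.1.1
set security zones security-zone external address-book address addr1 2.2.2.2
set security zones security-zone internal address-book address addr2 10.1.1.1
set security zones security-zone internal address-book address addr3 10.2.2.2
set security zones security-zone internal address-book address-set my-addr-group address addr2
set security zones security-zone internal address-book address-set my-addr-group address addr3
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
SET_RE = re.compile(r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$")

def migrate(text):
    """Return (commands, conflicts). Names bound to different values in
    different zones (addresses, or address-sets with differing members)
    are reported in conflicts and left out of commands, so a policy can
    never silently end up matching the wrong prefix after the merge."""
    zones = []                                    # zones, first-seen order
    addrs = defaultdict(set)                      # name -> {value, ...}
    sets = defaultdict(lambda: defaultdict(set))  # set -> zone -> {member}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            zone, name, value = m.groups()
            addrs[name].add(value)
        elif m := SET_RE.match(line):
            zone, name, member = m.groups()
            sets[name][zone].add(member)
        else:
            continue                              # not an address-book line
        if zone not in zones:
            zones.append(zone)
    bad_addrs = {n for n, v in addrs.items() if len(v) > 1}
    bad_sets = {n for n, z in sets.items() if len({frozenset(m) for m in z.values()}) > 1}
    cmds = [f"set security address-book global address {n} {next(iter(v))}"
            for n, v in addrs.items() if n not in bad_addrs]
    cmds += [f"set security address-book global address-set {s} address {m}"
             for s, z in sets.items() if s not in bad_sets
             for m in sorted(next(iter(z.values())))]
    cmds += [f"delete security zones security-zone {z} address-book" for z in zones]
    return cmds, sorted(bad_addrs | bad_sets)

if __name__ == "__main__":
    cmds, bad = migrate(SAMPLE)
    print("\n".join(cmds), "\nConflicts:", ", ".join(bad) or "none")
```

Run it on the sample and addr1 is reported as a conflict and omitted from the output, while addr2, addr3 and my-addr-group are emitted as global objects followed by one delete per legacy zone.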

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “migrating zone based address book to global in Juniper SRX”

  1. Hi,

    Thank you for the script. Can you please leave a step-by-step procedure to execute this script on my SRX device? I am a bit confused about where I need to run this script.

    Thanks,
    Sures

    1. Sures,
      it is Python code, so you need to run it on an OS which has Python installed. It can be Linux/Windows etc. I have also updated the post to say that it
      must be run on the client PC side (Linux/Windows). Once you have Python and run it, you will get the output to be pasted onto your SRX.
