The Juniper SRX address book is used to configure address range entries used in different zones in the enterprise.
To configure a security policy in Juniper SRX to control traffic between zones, address book entries must be used as source and destination addresses.
Juniper Address Book Fundamentals
As explained in the introduction, a security policy must reference the name of an address range, not the address range itself, as the source and destination address.
With the Juniper SRX address book, we assign a name to each address range used in the enterprise as an entry: for example, the name LAN for the address range 192.168.10.0/24 and WAN for the address range 192.168.1.0/24.
As shown in the figure, by default there is an address book on Juniper SRX devices with the name “global”, but it has no entries.
The “global” address book is the only address book to which you can add entries independent of the zones. All other custom address books must be attached to a zone, and the addresses belonging to that zone are configured as entries in that address book.
When you configure a security policy between two zones, you can reference any address entry in an address book as the source or destination address, provided that the address book is attached to the correct zone.
But when you configure an address range in the “global” address book, it can be referenced as a source or destination address in any of the configured zones.
It is recommended that you configure an address book for each zone that you use in your security policies.
Juniper Address Book entries
There are different methods and options for configuring address entries in the address book.
With “prefix”, you configure an address range as the combination of a subnet address and a subnet mask. This is probably the most common way of configuring an address entry in the address book.
For example, the prefix 192.168.10.0/24 can be used as an entry in the address book.
With “range-address”, you configure an address entry by specifying only the start IP address and the end IP address of a range.
For example, the IP address range 192.168.11.10 to 192.168.11.99 can be configured as an entry in the address book; such a range cannot be expressed as a single prefix.
With “wildcard-address”, you can configure addresses that cannot easily be expressed with a prefix or an address range.
With “wildcard-address”, you configure a subnet and a wildcard mask. The wildcard mask shows which part of the subnet is significant and which part can be ignored.
A 1 bit in any position of the wildcard mask means that the value in the same position of the subnet is significant, and the address must match it exactly.
A 0 bit in any position of the wildcard mask means that the value in the same position of the subnet is not significant and is ignored.
For example, the subnet 10.0.10.0 with the wildcard mask 255.7.255.0 means that the first and third octets must be exactly 10, as configured in the subnet. In the second octet, only the three lowest-order bits (the first three bits from the right) must match the subnet exactly. In other words, the second octet can be 0, 8, 16 and so on.
With “dns-name”, we can configure a DNS name as an entry in the address book. For example, the domain name “rayka-co.com” can be an entry in the address book.
With “address-set”, we can group several address entries into one address set. A security policy can then reference multiple address ranges at once by using the address set as the source or destination address.
Juniper Address Book configuration
To configure an address book, we start in the “security address-book” context.
As you can see, by default there is a global address book, and we are allowed to configure a custom address book.
rayka# set security address-book ?
Possible completions:
<book-name> Address book name
global Default global address book name
...
Here is an example of how to configure an address book and an address set on a Juniper SRX device.
rayka# run show configuration | display set | grep address-book
set security address-book INSIDE address NET_192_168_10_0__24 192.168.10.0/24
set security address-book INSIDE address NET_192_168_11_10_to_199 range-address 192.168.11.10 to 192.168.11.199
set security address-book INSIDE address NET_10__0_to_7__10_ wildcard-address 10.0.10.0/255.7.255.0
set security address-book INSIDE address RAYKA-CO.COM dns-name rayka-co.com
set security address-book INSIDE address-set LAN address NET_10__0_to_7__10_
set security address-book INSIDE address-set LAN address NET_192_168_10_0__24
set security address-book INSIDE address-set LAN address NET_192_168_11_10_to_199
set security address-book INSIDE address-set LAN address RAYKA-CO.COM
set security address-book INSIDE attach zone inside
set security address-book global address NTP dns-name ntp.pool.org
[edit]
rayka#
rayka# show | compare
[edit security]
+ address-book {
+ INSIDE {
+ address NET_192_168_10_0__24 192.168.10.0/24;
+ address NET_192_168_11_10_to_199 {
+ range-address 192.168.11.10 {
+ to {
+ 192.168.11.199;
+ }
+ }
+ }
+ address NET_10__0_to_7__10_ {
+ wildcard-address 10.0.10.0/255.7.255.0;
+ }
+ address RAYKA-CO.COM {
+ dns-name rayka-co.com;
+ }
+ address-set LAN {
+ address NET_10__0_to_7__10_;
+ address NET_192_168_10_0__24;
+ address NET_192_168_11_10_to_199;
+ address RAYKA-CO.COM;
+ }
+ attach {
+ zone inside;
+ }
+ }
+ global {
+ address NTP {
+ dns-name ntp.pool.org;
+ }
+ }
+ }
[edit]
rayka#
An address book named INSIDE is configured for all address ranges in the inside zone.
It is recommended to configure one address book for each zone. But here, as an example, I configure just one address book, for the inside zone.
In the first four lines, I configure address ranges using the different methods.
In the first line, the address range 192.168.10.0/24 is configured as a prefix.
In the second line, with the help of the “range-address” option, a range of IP addresses from 192.168.11.10 to 192.168.11.199 is configured.
In the third line, with the help of the “wildcard-address” option, a complex address range is configured, as explained earlier.
And in the fourth line, the DNS name “rayka-co.com” is added to the address book INSIDE.
In the next four lines, an address set named LAN is configured, and all of these address entries are added to it.
In the next line, the configured address book is attached to the inside zone.
In the last line, an entry for the address of the NTP server is added to the “global” address book; it can be used as a source or destination address in any zone in a security policy.
Now we can apply and commit the configuration.
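To check which entries of the INSIDE address book a given host falls into before a policy is committed, the following Python script (added here as an example; it is not part of the original post or of Junos) models the prefix, range-address and wildcard-address entries configured above and applies the Junos wildcard semantics (a 1 bit in the mask must match, a 0 bit is ignored). The dns-name entry is deliberately left out because evaluating it would require DNS resolution; the address-book dictionary is a constructed copy of the page's configuration.

```python
import ipaddress

# Constructed model of the INSIDE address book from the page (dns-name entry
# omitted because it cannot be evaluated offline).
ADDRESS_BOOK = {
    "NET_192_168_10_0__24": ("prefix", "192.168.10.0/24"),
    "NET_192_168_11_10_to_199": ("range-address", "192.168.11.10", "192.168.11.199"),
    "NET_10__0_to_7__10_": ("wildcard-address", "10.0.10.0", "255.7.255.0"),
}
ADDRESS_SETS = {"LAN": list(ADDRESS_BOOK)}


def wildcard_match(ip, subnet, wildcard):
    """Junos wildcard-address semantics: a 1 bit in the wildcard mask means the
    corresponding address bit must equal the subnet bit; a 0 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(subnet))
    mask_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i & mask_i) == (net_i & mask_i)


def entry_match(ip, entry):
    """True if ip is contained in one address-book entry of any supported kind."""
    kind = entry[0]
    addr = ipaddress.IPv4Address(ip)
    if kind == "prefix":
        return addr in ipaddress.ip_network(entry[1], strict=False)
    if kind == "range-address":
        return ipaddress.IPv4Address(entry[1]) <= addr <= ipaddress.IPv4Address(entry[2])
    if kind == "wildcard-address":
        return wildcard_match(ip, entry[1], entry[2])
    raise ValueError(f"unsupported entry type {kind}")


def matching_entries(ip, book=ADDRESS_BOOK):
    """Names of the address-book entries that contain ip (sorted)."""
    return sorted(name for name, entry in book.items() if entry_match(ip, entry))


def in_address_set(ip, set_name, book=ADDRESS_BOOK, sets=ADDRESS_SETS):
    """True if ip matches any member entry of the named address set."""
    return any(entry_match(ip, book[name]) for name in sets[set_name])


def wildcard_second_octets(subnet="10.0.10.0", wildcard="255.7.255.0", limit=40):
    """Second-octet values below limit accepted by the wildcard entry (0, 8, 16, ...)."""
    return [o for o in range(limit) if wildcard_match(f"10.{o}.10.1", subnet, wildcard)]


if __name__ == "__main__":
    print(wildcard_second_octets())           # [0, 8, 16, 24, 32]
    print(matching_entries("192.168.11.50"))  # ['NET_192_168_11_10_to_199']
```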
Juniper Address Book application in security policy
Now let’s look at how the address book and address set are used in security policy.
Also note that each zone only has access to its own address book and address set. The addresses in the “global” address book and the keyword “any” are the only addresses that are available in all zones.
Please don't pay attention to the syntax of the security policy itself, since we haven't talked about it yet. The goal is just to see how addresses configured in address books and address sets are used in security policies.
We write a policy from the inside zone to the outside zone. Then we match the source addresses, which must be in the inside zone.
rayka# set security policies from-zone inside to-zone outside policy TEST match source-address ?
Possible completions:
<address> Address from address book
LAN The address-set in address book INSIDE
NET_10__0_to_7__10_ The address in address book INSIDE
NET_192_168_10_0__24 The address in address book INSIDE
NET_192_168_11_10_to_199 The address in address book INSIDE
NTP The address in address book global
RAYKA-CO.COM The address in address book INSIDE
[ Open a set of values
any Any IPv4 or IPv6 address
any-ipv4 Any IPv4 address
any-ipv6 Any IPv6 address
[edit]
When we enter a question mark after source-address, we see that all addresses configured in the “INSIDE” address book are available. In addition, the NTP address configured in the “global” address book and also “any” are available.
But when we match the destination address, the only addresses available are the NTP address and “any”, because we haven't configured an address book for the outside zone, to which the destination address belongs.
rayka# set security policies from-zone inside to-zone outside policy TEST match source-address LAN destination-address ?
Possible completions:
<address> Address from address book or static_nat or incoming_nat address
NTP The address in address book global
[ Open a set of values
any Any IPv4 or IPv6 address
any-ipv4 Any IPv4 address
any-ipv6 Any IPv6 address
[edit]