[EOL/EOE] NSM is removing global address objects and replacing them with zone-based objects

Article ID: KB29501  KB Last Updated: 18 Oct 2020  Version: 2.0
Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.


This article explains why NSM is replacing the global address book entries with zone-based entries, and shows how to switch NSM to use global address objects.

A global address book is an address book that is available to all security zones that have no address books attached to them. A zone can use two address books at a time: 1) the global address book, and 2) the address book to which the zone is attached. When a security zone is not attached to any address book, it automatically uses the global address book. Thus, when a security zone is attached to an address book, the system looks up addresses from that address book; otherwise, the system looks up addresses from the default global address book.

Symptoms:

The example below shows the NSM issue with address book entries: All global address book entries are converted into zone address book entries.

Summarize Delta Config Snippet

XML Diff between Device (-) and NSM (+):

/configuration/security/address-book[name="global"]
- <address-book>
- <name>global</name>
- <address>

- <name>host_X.X.X.X</name>
- <ip-prefix>X.X.X.X/X</ip-prefix>
- </address>

/configuration/security/zones/security-zone[name="Zone-A"]/address-book
+ <address-book>

+ <address>
+ <name>host_X.X.X.X</name>
+ <ip-prefix>X.X.X.X/X</ip-prefix>
+ </address>


Config to be sent to Device on next Update Device:

<configuration>
<security>
<address-book operation="delete">
<name>global</name>
</address-book>
<security-zone>
<name>Zone-A</name>
<address-book operation="create">

<address>
<name>host_X.X.X.X</name>
<ip-prefix>X.X.X.X/X</ip-prefix>
</address>

Cause:

The Use global address book option is not enabled in NSM; however, the device is using both Global address book entries.

Note that support for the global address book in zone-based and global-based rules was introduced in NSM 2012.1.

Solution:

Perform the procedure below to correct the problem:

  1. Log into the NSM GUI.

  2. Right-click Device, then select the Use Global Address book option.

  3. Run the command below:

summarize delta config

The Global/Zone address objects will no longer be different.
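The symptom shown earlier can be checked for before running Update Device. The following is an added example, not Juniper or NSM code: it assumes the pending configuration has been saved as XML text, and the sample (including the `<zones>` wrapper taken from the XPath in the diff, and the address values) is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, well-formed sample modelled on the truncated
# "Config to be sent to Device" snippet in this article.
PENDING = """<configuration>
  <security>
    <address-book operation="delete">
      <name>global</name>
    </address-book>
    <zones>
      <security-zone>
        <name>Zone-A</name>
        <address-book operation="create">
          <address>
            <name>host_192.0.2.10</name>
            <ip-prefix>192.0.2.10/32</ip-prefix>
          </address>
        </address-book>
      </security-zone>
    </zones>
  </security>
</configuration>"""


def address_book_operations(xml_text):
    """List (operation, scope, address names) for every address-book
    element in a pending update that carries an operation attribute."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for book in root.iter("address-book"):
        op = book.get("operation")
        if op is None:
            continue
        owner = parent.get(book)
        if owner is not None and owner.tag == "security-zone":
            scope = "zone:" + owner.findtext("name", "?")
        else:
            scope = "book:" + book.findtext("name", "?")
        names = [a.findtext("name") for a in book.findall("address")]
        found.append((op, scope, names))
    return found


def converts_global_to_zone(xml_text):
    """True when the update deletes the global book and creates a
    zone-level book: the symptom this article describes."""
    ops = address_book_operations(xml_text)
    deletes_global = any(o == "delete" and s == "book:global" for o, s, _ in ops)
    creates_zone = any(o == "create" and s.startswith("zone:") for o, s, _ in ops)
    return deletes_global and creates_zone
```

If `converts_global_to_zone` returns True for a device that is meant to keep its global address book, enable the Use Global Address book option before updating the device.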

Modification History:
2020-10-18: Tagged article for EOL/EOE.
 