
[SRX] How to use Wildcard Addresses in Address Books


Article ID: KB31110 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:

After a wildcard address is added to an address book, a policy may unexpectedly match source or destination IP addresses that were never intended. This is caused by specifying the wildcard mask incorrectly.

This article explains how to use Wildcard Addresses in Address Books.

Solution:

Besides IP addresses and domain names, you can specify a wildcard address in an address book. A wildcard address is represented as A.B.C.D/wildcard-mask. The wildcard mask determines which of the bits in the IP address A.B.C.D should be ignored.

The following example uses a wildcard address in an address book to match the destination network 10.1.1.0/24 in a security policy.

Bad design:

set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address Test
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security zones security-zone untrust address-book address Test wildcard-address 10.1.1.0/24 <--here

root@SRX-240# ...ies from-zone trust to-zone untrust detail
Policy: 1, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
Test: 10.1.1.0/0.0.0.24 <---here
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No

Wildcard-mask "/24" is recognized as 0.0.0.24, and 24 is 00011000 in binary.
A 1 bit means that the corresponding address bit must match, and a 0 bit means that the corresponding address bit does not matter. Therefore, packets with destination IP addresses such as 20.1.1.1 and 30.1.1.1 conform to the match criteria, while packets with destination IP addresses such as 10.1.1.8 and 10.1.1.16 (which set one of the bits in 00011000) do not satisfy the match criteria.

Good design:

set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address Test
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security zones security-zone untrust address-book address Test wildcard-address 10.1.1.0/255.255.255.0 <--here

root@SRX-240# ...ies from-zone trust to-zone untrust detail
Policy: 1, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
Test: 10.1.1.0/255.255.255.0 <--here
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
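To see why the two address-book entries above behave so differently, here is an added Python check (not Juniper code and not part of this article) that applies the wildcard semantics described here: a 1 bit in the mask must match, a 0 bit is ignored, and a bare integer mask such as /24 is stored as 0.0.0.24, as the show output demonstrates. The sample destination IPs are constructed from the addresses discussed in the text.

```python
import ipaddress

def parse_wildcard(entry: str):
    """Parse 'A.B.C.D/mask' into (address_int, mask_int).

    The mask may be dotted-decimal (255.255.255.0) or a bare integer.
    A bare integer is NOT a prefix length: as the article's show output
    demonstrates, the SRX stores wildcard-address 10.1.1.0/24 as
    10.1.1.0/0.0.0.24.
    """
    addr, mask = entry.split("/")
    if "." in mask:
        mask_int = int(ipaddress.IPv4Address(mask))
    else:
        mask_int = int(mask)  # integer mask becomes 0.0.0.N, not a CIDR prefix
    return int(ipaddress.IPv4Address(addr)), mask_int

def effective_mask(entry: str) -> str:
    """Dotted-decimal form of the mask that is actually applied."""
    _, mask = parse_wildcard(entry)
    return str(ipaddress.IPv4Address(mask))

def wildcard_matches(entry: str, ip: str) -> bool:
    """True if ip matches the entry: 1 mask bits must agree with the
    address, 0 mask bits are don't-care."""
    addr, mask = parse_wildcard(entry)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def check_design(entry: str, samples):
    """Return {ip: matched} for a list of sample destination IPs."""
    return {ip: wildcard_matches(entry, ip) for ip in samples}

# Constructed sample destination IPs taken from the article's discussion.
SAMPLES = ["10.1.1.1", "10.1.1.8", "10.1.1.16", "20.1.1.1", "30.1.1.1"]
BAD = "10.1.1.0/24"              # stored as 10.1.1.0/0.0.0.24
GOOD = "10.1.1.0/255.255.255.0"  # matches exactly the 10.1.1.0/24 block

if __name__ == "__main__":
    for label, entry in (("Bad", BAD), ("Good", GOOD)):
        print(f"{label}: {entry} -> mask {effective_mask(entry)}")
        for ip, ok in check_design(entry, SAMPLES).items():
            print(f"  {ip:<10} {'match' if ok else 'no match'}")
```

Running it shows the bad entry admitting 20.1.1.1 and 30.1.1.1 while rejecting 10.1.1.8 and 10.1.1.16, and the good entry matching only the 10.1.1.0/24 addresses.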

For fundamental knowledge of address books, refer to Understanding Address Books.
