
[vSRX/SRX] Understanding "Max Security Address Books" and the types of address books in vSRX/SRX


Article ID: KB33561    Last Updated: 18 Jan 2019    Version: 2.0
Summary:

This article explains the different address books that can be configured on vSRX/SRX devices and clarifies how the Max Security Address Books parameter relates to each of them.

Symptoms:

In SRX/vSRX devices, the maximum number of address books that can be configured is determined as follows:

root> show log nsd_chk_only | match max
Max Security Zones          = 256
Max Security Address Books  = 256    <-- Maximum number of address books

However, one address-book configuration method can mislead a user into assuming that the device allows more than 256 address books, contrary to the value shown above.

Below is an example:

root# set security zones security-zone untrust address-book address 1 1.1.1.1/32
|
|
root# set security zones security-zone untrust address-book address 358 2.2.2.100/32
root# show security zones security-zone untrust address-book | count
Count: 358 lines  << Configuring entries 1-358 does not produce any error.

Cause:

There are three types of address books that can be configured on vSRX/SRX devices: Named, Unnamed, and Global (default) address books. The maximum number of address books that can be configured is shown by the show log nsd_chk_only | match max command.

The number of named address books cannot exceed the platform limit of 256 shown above. Unnamed address books are not counted against that limit, which is why the example above accepted 358 of them without error. Because unnamed address books do not have a name, they cannot be attached to a zone, whereas named address books can be attached to a zone.

To create a named address book and attach it to a zone, use the following commands:

set security address-book trust_addrbook address src_addr_1 0.0.0.1/32    << address-book name: trust_addrbook
set security address-book trust_addrbook attach zone trust

Note: One zone can have at most one address book attached.

With this configuration method, if you try to create more named address books than the limit allows, the following error is shown at commit time:

error: address-book quota exceeded (usage 257 > max 256)
error: configuration check-out failed

Solution:

This is expected behavior.

The set security zones security-zone untrust address-book address 1 1.1.1.1/32 command creates an unnamed address book and the address in it. It cannot be attached to a zone, and the Max Security Address Books limit does not apply to it.

On the other hand, the set security address-book trust_addrbook address src_addr_1 0.0.0.1/32 command creates a named address book. It can be attached to a zone, and the Max Security Address Books limit shown by show log nsd_chk_only | match max applies to it.
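The distinction above can be checked before a commit is attempted. The following Python script is an added example written for this article; it is not Juniper code and not part of the original KB entry. It assumes set-style configuration lines (as produced by show configuration | display set), recognizes the three command forms quoted in this article (named address-book address, named address-book attach, and zone-level address-book address), reads the platform limit from the show log nsd_chk_only | match max output, and reproduces the quota error format and the one-address-book-per-zone rule from this article. The sample configuration, the book_N/host_N names, the zone names and the build_sample_config helper are all constructed for illustration.

```python
"""Audit set-style SRX/vSRX configuration against the named address-book quota."""
import re

# Constructed copy of the relevant lines from `show log nsd_chk_only | match max`
NSD_MAX_OUTPUT = """\
Max Security Zones          = 256
Max Security Address Books  = 256
"""

LIMIT_RE = re.compile(r"Max Security Address Books\s*=\s*(\d+)")
# Named address book: counts against the quota and can be attached to a zone
NAMED_ADDR_RE = re.compile(r"^set security address-book (\S+) address (\S+) (\S+)$")
ATTACH_RE = re.compile(r"^set security address-book (\S+) attach zone (\S+)$")
# Zone-level (unnamed) address book: not counted against the quota
ZONE_ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")


def parse_address_book_limit(nsd_output: str) -> int:
    """Extract the Max Security Address Books value from the nsd_chk_only log."""
    m = LIMIT_RE.search(nsd_output)
    if not m:
        raise ValueError("Max Security Address Books not found in output")
    return int(m.group(1))


def classify_config(config: str) -> dict:
    """Split configuration lines into named and unnamed (zone-level) address books."""
    named = {}    # book name -> {"addresses": {addr: prefix}, "zones": set(zone)}
    unnamed = {}  # zone name -> {addr: prefix}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAMED_ADDR_RE.match(line)
        if m:
            book, addr, prefix = m.groups()
            entry = named.setdefault(book, {"addresses": {}, "zones": set()})
            entry["addresses"][addr] = prefix
            continue
        m = ATTACH_RE.match(line)
        if m:
            book, zone = m.groups()
            named.setdefault(book, {"addresses": {}, "zones": set()})["zones"].add(zone)
            continue
        m = ZONE_ADDR_RE.match(line)
        if m:
            zone, addr, prefix = m.groups()
            unnamed.setdefault(zone, {})[addr] = prefix
    return {"named": named, "unnamed": unnamed}


def audit(config: str, nsd_output: str) -> list:
    """Return the errors a commit would raise, in the format quoted in the article."""
    limit = parse_address_book_limit(nsd_output)
    books = classify_config(config)
    errors = []
    usage = len(books["named"])  # only named books are counted
    if usage > limit:
        errors.append(f"address-book quota exceeded (usage {usage} > max {limit})")
    attachments = {}
    for book, info in books["named"].items():
        for zone in info["zones"]:
            attachments.setdefault(zone, []).append(book)
    for zone, attached in sorted(attachments.items()):
        if len(attached) > 1:  # one zone may have at most one address book attached
            errors.append(f"zone {zone} has {len(attached)} address books attached: "
                          + ", ".join(sorted(attached)))
    return errors


def build_sample_config(named_books: int, zone_entries: int, double_attach: bool = False) -> str:
    """Construct a hypothetical configuration mixing both address-book forms."""
    lines = [f"set security address-book book_{i} address host_{i} 10.0.{i // 256}.{i % 256}/32"
             for i in range(1, named_books + 1)]
    lines.append("set security address-book book_1 attach zone trust")
    if double_attach:
        lines.append("set security address-book book_2 attach zone trust")
    lines += [f"set security zones security-zone untrust address-book address {i} 192.0.2.{i % 256}/32"
              for i in range(1, zone_entries + 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    # 257 named books plus 358 zone-level entries: only the named books trip the quota
    for err in audit(build_sample_config(257, 358, double_attach=True), NSD_MAX_OUTPUT):
        print("error:", err)
```

Running the script reports the quota error for the 257 named books while the 358 zone-level entries pass silently, matching the behaviour described in the Symptoms and Cause sections. Feeding it real show configuration | display set output lets an operator spot the quota problem before the commit fails.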

Modification History:

2019-01-18: Minor, non-technical modification in Solution section
