[ScreenOS] Identifying unused address objects


Article ID: KB33597 | KB Last Updated: 29 Dec 2018 | Version: 1.0
Summary:

This article describes how to identify address objects that are in use and those that are not in use in any policy configuration.

 

Solution:

Use the firewall Command Line Interface (CLI) to view all configured address objects:

SSG140-> get config | i address
set address "Trust" "Address1" 10.1.1.0 255.255.255.0
set address "Trust" "Address2" 10.1.2.0 255.255.255.0
set address "Trust" "Address3" 10.1.3.0 255.255.255.0
set address "Trust" "Address4" 10.1.4.0 255.255.255.0
set address "Trust" "Address5" 10.1.5.0 255.255.255.0

Then search for each address to determine whether it is being used.

Case 1

SSG140-> get config | i "Address1"
set address "Trust" "Address1" 10.1.1.0 255.255.255.0
set policy id 1 from "Trust" to "Untrust"  "Address1" "Any-IPv4" "ANY" permit

This indicates that the object named "Address1" is being used by policy ID 1.

Case 2

SSG140-> get config | i "Address2"
set address "Trust" "Address2" 10.1.2.0 255.255.255.0

This indicates that the object named "Address2" is not being used by any policy.

Case 3

SSG140-> get config | i "Address3"
set address "Trust" "Address3" 10.1.3.0 255.255.255.0
set group address "Trust" "Group1" add "Address3"  <<<< look here

SSG140-> get config | i "Group1"
set group address "Trust" "Group1"
set group address "Trust" "Group1" add "Address3"
set group address "Trust" "Group1" add "Address4"
set policy id 2 from "Trust" to "Untrust"  "Group1" "Any-IPv4" "ANY" permit <<<< look here

This indicates that the object named "Address3" is part of Group1, which, in turn, is being used by policy ID 2. Therefore, this address object is in use.

Case 4

SSG140-> get config | i Address5
set address "Trust" "Address5" 10.1.5.0 255.255.255.0
set src-address "Address5"

This indicates that the address is being used in a policy that has multiple address objects selected.
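The four cases above can be checked in one pass over a saved copy of the configuration. The following Python script is an added example, not Juniper's code: like the CLI search, it treats any mention of a name outside its own definition as use, and it also flags members of groups that no policy references. The sample configuration, including Address6, Group2 and the lines around `set src-address`, is constructed for illustration.

```python
import re

# Constructed sample, modelled on the CLI output in this article.
SAMPLE_CONFIG = '''\
set address "Trust" "Address1" 10.1.1.0 255.255.255.0
set address "Trust" "Address2" 10.1.2.0 255.255.255.0
set address "Trust" "Address3" 10.1.3.0 255.255.255.0
set address "Trust" "Address4" 10.1.4.0 255.255.255.0
set address "Trust" "Address5" 10.1.5.0 255.255.255.0
set address "Trust" "Address6" 10.1.6.0 255.255.255.0
set group address "Trust" "Group1"
set group address "Trust" "Group1" add "Address3"
set group address "Trust" "Group1" add "Address4"
set group address "Trust" "Group2" add "Address6"
set policy id 1 from "Trust" to "Untrust"  "Address1" "Any-IPv4" "ANY" permit
set policy id 1
set src-address "Address5"
exit
set policy id 2 from "Trust" to "Untrust"  "Group1" "Any-IPv4" "ANY" permit
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted name or a bare word

def find_unused(config_text):
    """Return (unused address names, unused group names), matched by name only."""
    addresses, groups, referenced = set(), {}, set()
    for line in config_text.splitlines():
        t = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if t[:2] == ["set", "address"] and len(t) >= 4:
            addresses.add(t[3])                      # definition, not a use
        elif t[:3] == ["set", "group", "address"] and len(t) >= 5:
            members = groups.setdefault(t[4], set())
            if len(t) >= 7 and t[5] == "add":
                members.add(t[6])                    # membership alone is not a use
        else:
            referenced.update(t)                     # Cases 1 and 4: any other mention
    # Case 3: members of a referenced group are in use (followed transitively)
    pending = [g for g in groups if g in referenced]
    while pending:
        for member in groups[pending.pop()]:
            if member not in referenced:
                referenced.add(member)
                if member in groups:
                    pending.append(member)
    return sorted(addresses - referenced), sorted(set(groups) - referenced)

if __name__ == "__main__":
    print(find_unused(SAMPLE_CONFIG))
```

Because names are matched without regard to zone, an object is reported as unused only when its name appears nowhere else in the configuration, so the result errs toward keeping objects.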

 
