This article explains how to make a Firewall Policy Profile work using a script.
By default, SD updates the Firewall Policy Profile assigned to a policy only if the rules were created from SD. The attached script updates the configuration in the database so that Firewall Policy Profile changes can be pushed from SD. It can also, optionally, update the rules of the selected policy with the Rule Options setting "Inherit Profile from Policy".
The Rule Options setting "Inherit Profile from Policy" must be selected in each rule for the policy profile to take effect. Consider a user who has hundreds of rules, with logging configured in every rule from the device command line itself.
Example:
set security policies from-zone trust to-zone untrust policy test then log session-close
set security policies from-zone trust to-zone untrust policy test then count
When such a firewall policy is imported into SD, all the rules under the imported policy will have the Rule Options setting "CUSTOM". In this case it is difficult to modify the individual rules to "Inherit Profile from Policy". This script helps achieve that task.
This is a limitation in all SD versions. A Problem Report has been created for it. This workaround can be applied until the issue is fixed permanently.
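Before running the script it helps to know which rules in the imported policy actually carry per-rule "then log ..." or "then count" statements from the device CLI, since those are the rules whose logging behaviour changes once they are switched to "Inherit Profile from Policy" (option 1) and the ones a user may want to leave alone (option 2). The following Python example is added here; it is not part of the original article or of the attached updateProfile.sh script. It parses set-format configuration lines like the two shown above and groups them per rule. The configuration lines it uses are constructed sample input, not output from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of Junos set-format security policy lines (not from a real device).
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy test match source-address any
set security policies from-zone trust to-zone untrust policy test then permit
set security policies from-zone trust to-zone untrust policy test then log session-close
set security policies from-zone trust to-zone untrust policy test then count
set security policies from-zone trust to-zone untrust policy web-out then permit
set security policies from-zone trust to-zone untrust policy web-out then log session-init
set security policies from-zone untrust to-zone trust policy deny-all then deny
"""

# Matches any policy rule line and captures the zone pair and rule name.
RULE_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)"
)
# Matches only the per-rule logging or counting actions configured from the CLI.
LOGGING_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then (log \S+|count)\b"
)


def all_rules(config_text):
    """Return the set of (from_zone, to_zone, rule) tuples present in the config."""
    rules = set()
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.add(m.groups())
    return rules


def per_rule_logging(config_text):
    """Return {(from_zone, to_zone, rule): {options}} for rules that carry
    their own 'then log ...' or 'then count' statements."""
    found = defaultdict(set)
    for line in config_text.splitlines():
        m = LOGGING_RE.match(line.strip())
        if m:
            from_zone, to_zone, rule, option = m.groups()
            found[(from_zone, to_zone, rule)].add(option)
    return dict(found)


def summarize(config_text):
    """Split the rules into those with per-rule logging/count actions (the ones
    whose logging changes when set to 'Inherit Profile from Policy') and those without."""
    with_logging = per_rule_logging(config_text)
    without_logging = sorted(all_rules(config_text) - set(with_logging))
    return {"per_rule_logging": with_logging, "no_per_rule_logging": without_logging}


if __name__ == "__main__":
    report = summarize(SAMPLE_CONFIG)
    for key, options in sorted(report["per_rule_logging"].items()):
        print("from-zone %s to-zone %s policy %s: %s" % (key + (", ".join(sorted(options)),)))
    print("rules without per-rule logging:", report["no_per_rule_logging"])
```

Feed it the output of `show configuration security policies | display set` saved to a file to get the same report for a real policy; the counts tell you how many rules option 1 of the script would change and which rules option 2 would leave as they are.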
Work-around:
- Make a backup of the Space database by following the steps in Backing Up the Junos Space Network Management Platform Database. (The process is the same for all Space versions.)
- Download the script file updateProfile.zip.
- SCP the script file to the server and unzip it there. (Unzipping the script on the server ensures file integrity.)
Example:
unzip updateProfile.zip
- Create or use a default Firewall Policy Profile: Security Director > Firewall Policy > Profiles.
- Assign the profile to a policy: Security Director > Policy > edit policy > Assign the profile. Do not Publish yet.
- Run the Script:
sh updateProfile.sh
The script will ask for user inputs: Policy name and Domain name. It then offers two options; choose one as required.
- Option 1: All rules under the policy are modified to Rule Options (Inherit Profile from Policy), and the logging profile change is updated.
Note: Select 1 when the user wants all rules in the policy to be updated with the new logging profile change in SD.
- Option 2: The script only updates the logging profile on those rules in the policy where Rule Options (Inherit Profile from Policy) is already chosen.
Note: Select 2 in scenarios where the user has a custom profile applied to some rules and does not want those rules to be changed in SD.
- Once script execution is done, check the preview; if the preview looks good, Publish & Update.
Example with Screenshots:
- If a Firewall Policy Profile is not created yet, create one. (screenshot)
- Edit the Security Policy and assign the profile. (screenshot)
- Check the preview; you may see "No configuration changes". Don't publish yet. (screenshot)
- Run the script. (screenshot)
- Preview after running the script. (screenshot)