No SRX Please, I'm British - MovingPackets.net

Ok, Junos on the Juniper SRX platform, y’all are just mocking me now.

Step 1: Create A Policy On The SRX

I’d like to deny ICMP fragmentation needed messages in the lab. I haven’t checked, but I’d guess that the built-in application name would be junos-icmp-fragmentation-needed, so I shouldn’t need to define it.

{primary:node0}[edit]
john@labfw# show | compare
[edit security policies from-zone labint to-zone labext]
+     policy noicmp {
+         match {
+             source-address any;
+             destination-address any;
+             application junos-icmp-fragmentation-needed;
+         }
+         then {
+             deny;
+         }
+     }

{primary:node0}[edit]

john@labfw# show | compare

[edit security policies from-zone labint to-zone labext]

+ policy noicmp {

+ match {

+ source-address any;

+ destination-address any;

+ application junos-icmp-fragmentation-needed;

+ }

+ then {

+ deny;

+ }

Step 2: Check The Config Is Ok

I’ll run my usual ‘commit check’ to make sure everything’s ok:

{primary:node0}[edit]
john@labfw# commit check
[edit security policies from-zone labint to-zone labext policy noicmp match application]
  'junos-icmp-fragmentation-needed'
    application or application-set must be defined
error: configuration check-out failed: (statements constraint check failed)

{primary:node0}[edit]

john@labfw# commit check

[edit security policies from-zone labint to-zone labext policy noicmp match application]

'junos-icmp-fragmentation-needed'

application or application-set must be defined

error: configuration check-out failed: (statements constraint check failed)

Oh, ok, it’s not defined – guess I got it wrong; I’ll define it.

Step 3: Fix the Error

Let’s go edit that application!

john@labfw# edit applications application junos-icmp-fragmentation-needed
error: cannot use reserved identifier: junos-icmp-fragmentation-needed

john@labfw# edit applications application junos-icmp-fragmentation-needed

error: cannot use reserved identifier: junos-icmp-fragmentation-needed

Or not. Anything beginning with “junos-” is automatically reserved. Doh!

A better error after the commit check then might have been “Doesn't exist, you can't make it exist, try something else, bozo.”

Step 4: Listen for Junos Cackling

The phrase “bite me” springs to mind. 🙂

4 Comments on No SRX Please, I’m British

NSG January 21, 2014 at 11:57 pm
The cackling happens when you create a groups config and then deactivate “groups” and try to commit…I bet the devs thought that was a great way to mess with people. If you haven’t tried it, it’s amusing.
-=]NSG[=-
- John Herbert January 22, 2014 at 8:57 am
  Are you talking about what happens due to the group config being disabled and thus all of those built-in applications suddenly not existing? If so, yeah, messy… and would take a while to figure out if you didn’t already know where the built-in application definitions were “configured” (that’s another post coming soon)!
Pete January 22, 2014 at 8:15 am
Then…
# edit applications application bozo-icmp-fragmentation-needed
— Pete.
- John Herbert January 22, 2014 at 10:06 am
  It’s like you know me. Uncanny.

No SRX Please, I’m British

Step 1: Create A Policy On The SRX

Step 2: Check The Config Is Ok

Step 3: Fix the Error

Step 4: Listen for Junos Cackling

Related

4 Comments on No SRX Please, I’m British

Leave a Reply Cancel reply

Step 1: Create A Policy On The SRX

Step 2: Check The Config Is Ok

Step 3: Fix the Error

Step 4: Listen for Junos Cackling

Share this:

Related

Related Articles

Proposed Junos XML Enhancements

Juniper In-Service Software Downgrade (ISSD)

ICMP Challenge Part 1

4 Comments on No SRX Please, I’m British

Leave a Reply Cancel reply