Ok, Junos on the Juniper SRX platform, y’all are just mocking me now.
Step 1: Create A Policy On The SRX
I’d like to deny ICMP fragmentation needed messages in the lab. I haven’t checked, but I’d guess that the built-in application name would be junos-icmp-fragmentation-needed, so I shouldn’t need to define it.
{primary:node0}[edit]
[email protected]# show | compare
[edit security policies from-zone labint to-zone labext]
+ policy noicmp {
+ match {
+ source-address any;
+ destination-address any;
+ application junos-icmp-fragmentation-needed;
+ }
+ then {
+ deny;
+ }
+ }
Step 2: Check The Config Is Ok
I’ll run my usual ‘commit check’ to make sure everything’s ok:
{primary:node0}[edit]
[email protected]# commit check
[edit security policies from-zone labint to-zone labext policy noicmp match application]
'junos-icmp-fragmentation-needed'
application or application-set must be defined
error: configuration check-out failed: (statements constraint check failed)
Oh, ok, it’s not defined – guess I got it wrong; I’ll define it.
Step 3: Fix the Error
Let’s go edit that application!
[email protected]# edit applications application junos-icmp-fragmentation-needed
error: cannot use reserved identifier: junos-icmp-fragmentation-needed
Or not. Anything beginning with “junos-” is automatically reserved. Doh!
A better error after the commit check then might have been “Doesn't exist, you can't make it exist, try something else, bozo.”
Step 4: Listen for Junos Cackling
The phrase “bite me” springs to mind. 🙂
The cackling happens when you create a groups config and then deactivate “groups” and try to commit…I bet the devs thought that was a great way to mess with people. If you haven’t tried it, it’s amusing.
-=]NSG[=-
Are you talking about what happens due to the group config being disabled and thus all of those built-in applications suddenly not existing? If so, yeah, messy… and would take a while to figure out if you didn’t already know where the built-in application definitions were “configured” (that’s another post coming soon)!
Then…
# edit applications application bozo-icmp-fragmentation-needed
— Pete.
It’s like you know me. Uncanny.