No SRX Please, I’m British

Junos

Ok, Junos on the Juniper SRX platform, y’all are just mocking me now.

Step 1: Create A Policy On The SRX

I’d like to deny ICMP fragmentation needed messages in the lab. I haven’t checked, but I’d guess that the built-in application name would be junos-icmp-fragmentation-needed, so I shouldn’t need to define it.

{primary:node0}[edit]
john@labfw# show | compare
[edit security policies from-zone labint to-zone labext]
+     policy noicmp {
+         match {
+             source-address any;
+             destination-address any;
+             application junos-icmp-fragmentation-needed;
+         }
+         then {
+             deny;
+         }
+     }

Step 2: Check The Config Is Ok

I’ll run my usual ‘commit check’ to make sure everything’s ok:

{primary:node0}[edit]
john@labfw# commit check
[edit security policies from-zone labint to-zone labext policy noicmp match application]
  'junos-icmp-fragmentation-needed'
    application or application-set must be defined
error: configuration check-out failed: (statements constraint check failed)

Oh, ok, it’s not defined – guess I got it wrong; I’ll define it.

Step 3: Fix the Error

Let’s go edit that application!

john@labfw# edit applications application junos-icmp-fragmentation-needed
error: cannot use reserved identifier: junos-icmp-fragmentation-needed

Or not. Anything beginning with “junos-” is automatically reserved. Doh!

A better error after the commit check then might have been “Doesn't exist, you can't make it exist, try something else, bozo.”
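Since the junos- prefix is reserved, the way out is to define the application under a name of your own and point the policy at that. The snippet below is an added example, not from the original post: the application name icmp-frag-needed is my choice, while the zones and policy name are taken from the post's own output, and the ICMP type/code values (3/4, destination unreachable / fragmentation needed) are the standard ones for that message.

```junos
/* ICMP type 3 code 4: destination unreachable, fragmentation needed */
applications {
    application icmp-frag-needed {
        protocol icmp;
        icmp-type 3;
        icmp-code 4;
    }
}
security {
    policies {
        from-zone labint to-zone labext {
            policy noicmp {
                match {
                    source-address any;
                    destination-address any;
                    application icmp-frag-needed;
                }
                then {
                    deny;
                }
            }
        }
    }
}
```

Load it (or type the equivalent set commands) and run commit check again; a user-defined name satisfies the "application or application-set must be defined" constraint that the reserved name tripped. Outside the lab, dropping type 3 code 4 silently breaks path MTU discovery for flows crossing the firewall, which is why this policy belongs in the lab only.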

Step 4: Listen for Junos Cackling

The phrase “bite me” springs to mind. 🙂

4 Comments on No SRX Please, I’m British

  1. The cackling happens when you create a groups config and then deactivate “groups” and try to commit…I bet the devs thought that was a great way to mess with people. If you haven’t tried it, it’s amusing.

    -=]NSG[=-

    • Are you talking about what happens due to the group config being disabled and thus all of those built-in applications suddenly not existing? If so, yeah, messy… and would take a while to figure out if you didn’t already know where the built-in application definitions were “configured” (that’s another post coming soon)!
