No SRX Please, I’m British

Ok, Junos on the Juniper SRX platform, y’all are just mocking me now.

Step 1: Create A Policy On The SRX

I’d like to deny ICMP fragmentation needed messages in the lab. I haven’t checked, but I’d guess that the built-in application name would be junos-icmp-fragmentation-needed, so I shouldn’t need to define it.

{primary:node0}[edit]
john@labfw# show | compare
[edit security policies from-zone labint to-zone labext]
+     policy noicmp {
+         match {
+             source-address any;
+             destination-address any;
+             application junos-icmp-fragmentation-needed;
+         }
+         then {
+             deny;
+         }
+     }

Step 2: Check The Config Is Ok

I’ll run my usual ‘commit check’ to make sure everything’s ok:

{primary:node0}[edit]
john@labfw# commit check
[edit security policies from-zone labint to-zone labext policy noicmp match application]
  'junos-icmp-fragmentation-needed'
    application or application-set must be defined
error: configuration check-out failed: (statements constraint check failed)

Oh, ok, it’s not defined – guess I got it wrong; I’ll define it.

Step 3: Fix the Error

Let’s go edit that application!

john@labfw# edit applications application junos-icmp-fragmentation-needed
error: cannot use reserved identifier: junos-icmp-fragmentation-needed

Or not. Anything beginning with “junos-” is automatically reserved. Doh!

A better error after the commit check then might have been “Doesn't exist, you can't make it exist, try something else, bozo.”

Step 4: Listen for Junos Cackling

The phrase “bite me” springs to mind. 🙂