Juniper SRX Apply-groups

A while back I wrote a blog post about enabling global logging on security rules.  This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.

Instead of adding ping as a host-inbound-traffic system-service to every zone, which means a fair amount of configuring if you have more than a couple, you can solve this by adding just three lines of config to the firewall.

The following config adds a group called 'global-ping' to the groups hierarchy and applies that group to the security zone(s). The last line excludes the junos-host zone from the group; if you don't exclude junos-host, the commit will fail.

set groups global-ping security zones security-zone <*> host-inbound-traffic system-services ping
set security zones apply-groups global-ping
set security zones security-zone junos-host apply-groups-except global-ping

This results in the following security zone config:

{primary:node0}[edit security zones]
root@SRX# show | display inheritance
security-zone WLAN {
    host-inbound-traffic {
        system-services {
            ##
            ## 'ping' was inherited from group 'global-ping'
            ##
            ping;
        }
    }
    interfaces {
        reth0.2011;
        st0.11;
    }
}
security-zone junos-host {
    apply-groups-except global-ping;
}

When you're done testing / troubleshooting, just delete the three lines and commit the config to remove the ping option from the zones.
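To check which zones actually picked up ping from the group, and that nothing is left behind after the cleanup commit, here is an added Python parser for the `show | display inheritance` output above. It is not part of the original post; the sample output is constructed from the WLAN and junos-host zones shown above plus an invented untrust zone that has ping configured directly.

```python
import re

# Constructed `show | display inheritance` sample: the post's WLAN and junos-host zones plus an invented zone with explicit ping.
SAMPLE = """\
security-zone WLAN {
    host-inbound-traffic {
        system-services {
            ##
            ## 'ping' was inherited from group 'global-ping'
            ##
            ping;
        }
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ping;
        }
    }
}
security-zone junos-host {
    apply-groups-except global-ping;
}
"""

ZONE_RE = re.compile(r"^\s*security-zone\s+(\S+)\s*\{")
INHERIT_RE = re.compile(r"^\s*##\s*'([^']+)' was inherited from group '([^']+)'")
EXCEPT_RE = re.compile(r"^\s*apply-groups-except\s+(\S+);")

def audit_ping(show_output: str) -> dict:
    """Map each security-zone to how ping got there: inherited:<group>, explicit, excluded:<group> or none."""
    zones, zone, depth, pending = {}, None, 0, None
    for line in show_output.splitlines():
        if m := ZONE_RE.match(line):
            zone, depth, pending = m.group(1), 1, None
            zones[zone] = "none"
            continue
        if zone is None:  # prompt / banner lines before the first zone
            continue
        if (m := INHERIT_RE.match(line)) and m.group(1) == "ping":
            pending = m.group(2)  # the comment precedes the inherited statement
        elif line.strip() == "ping;":
            zones[zone] = f"inherited:{pending}" if pending else "explicit"
        elif m := EXCEPT_RE.match(line):
            zones[zone] = f"excluded:{m.group(1)}"
        depth += line.count("{") - line.count("}")
        if depth == 0:
            zone = None  # closing brace of the zone block
    return zones
```

After deleting the three lines and committing, any zone still reported as `inherited:global-ping` means the group is still applied somewhere; zones reported as `explicit` had ping before and are untouched by the cleanup.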

Posted on July 15, 2013 and filed under Security, Tips'n Tricks, Junos.