SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules


I've got a valid SRX 12.1R5.5 XML config file.  I've validated it, and it contains security (and NAT) rules.  I understand NAT is work in progress, but I don't get the security policies imported either.  I do get addresses, address groups, services, service groups.

The migration log shows:

2015-10-14 02:57:42
Destination Address not found in DB [any-ipv4] at Rule[8]
Generating the Object, add the IP/CIDR
2015-10-14 02:57:42
Service not found in DB [junos-icmp-all] at Rule[67]
Generating the Object, add the Protocol/Port

This makes me think rules are being imported, but... nothing shows.  This happened in 3.1.5, and I just saw no change in 3.1.6.  Here's an SRX snippet:

<configuration junos:commit-seconds="1441378812" junos:commit-localtime="2015-09-04 17:00:12 CEST" junos:commit-user="censored">

[...]

<policies>
<policy>
<from-zone-name>trust</from-zone-name>
<to-zone-name>untrust</to-zone-name>
<policy>
<name>policy_out_Twee_Steden</name>
<match>
<source-address>any</source-address>
<destination-address>addr_10_200_4_0_24</destination-address>
<destination-address>addr_10_200_2_0_24</destination-address>
<destination-address>addr_10_200_1_0_24</destination-address>
<application>any</application>
</match>
<then>
<permit>
</permit>
</then>
</policy>

[...]

</policies>

[...]

</configuration>

What's wrong here?  Can I do anything in addition to diagnose (or work around) this issue?

Should I be writing my own little XSL-based SRX transformer instead?

Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

BTW, I did check what happens if I remove all attributes from the "<configuration>" tag.  No change...


Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

Hi,

I was able to import this snippet:

<configuration>
  <security>
    <policies>
      <policy>
        <from-zone-name>trust</from-zone-name>
        <to-zone-name>untrust</to-zone-name>
        <policy>
          <name>policy_out_Twee_Steden</name>
          <match>
            <source-address>any</source-address>
            <destination-address>addr_10_200_4_0_24</destination-address>
            <destination-address>addr_10_200_2_0_24</destination-address>
            <destination-address>addr_10_200_1_0_24</destination-address>
            <application>any</application>
          </match>
          <then>
            <permit>
            </permit>
          </then>
        </policy>
      </policy>
    </policies>
  </security>
</configuration>

and it looks like this:

[Screenshot: Screen Shot 2015-10-14 at 11.34.30.png]

In your config the rules are under templates?? If yes, you have to generate the output with the templates expanded to see all the rules...

Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

I find no templates in the XML.  The security policies are in the XML tree at /configuration/security/policies, which is not a template, right?

I'm willing to share this configuration, if you'd care to have a look.

Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

Just send it to fwmigrate@paloaltonetworks.com and we will review.

Regards

Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

Thanks, it's been sent there.


Re: SRX 12.1R5.5 import: address/service (and -group) objects but no security/nat rules

Hi,

We have found the issue. The fix will be released with version 3.2 at the end of this month or the first day of November.

Workaround: remove the single quotes (some descriptions include them).

Ex: <description>NAT rule for Aruba Remote AP's</description> Replace by <description>NAT rule for Aruba Remote APs</description>

Regards
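The workaround above is easy to miss on a large config, because a single apostrophe in any <description> is enough to make the 3.1.x importer silently drop the rules. The script below is an added example (it is not part of this thread and not code from Palo Alto Networks' Migration Tool): it parses the SRX XML, strips single quotes from every <description> text node only, and reports which policy or NAT rule was touched so the change can be reviewed before re-importing. The sample configuration embedded in it is constructed for the example, modelled on the snippets in this thread; the file/argument handling at the bottom is an assumption about how you would run it.

```python
"""Pre-process a Junos SRX XML configuration before importing it.

Added example, not part of the thread or of the Migration Tool. It applies the
workaround from the final reply: strip single quotes from <description> text
(e.g. "Remote AP's" -> "Remote APs"). Nothing else in the document is altered.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed SRX config with one security policy and one
# NAT rule whose descriptions contain the apostrophe that broke the import.
SAMPLE_CONFIG = """<configuration>
  <security>
    <policies>
      <policy>
        <from-zone-name>trust</from-zone-name>
        <to-zone-name>untrust</to-zone-name>
        <policy>
          <name>policy_out_Twee_Steden</name>
          <description>Outbound to Twee Steden's subnets</description>
          <match>
            <source-address>any</source-address>
            <destination-address>addr_10_200_4_0_24</destination-address>
            <application>any</application>
          </match>
          <then><permit/></then>
        </policy>
      </policy>
    </policies>
    <nat>
      <source>
        <rule-set>
          <name>rs_trust_to_untrust</name>
          <rule>
            <name>nat_aruba</name>
            <description>NAT rule for Aruba Remote AP's</description>
          </rule>
        </rule-set>
      </source>
    </nat>
  </security>
</configuration>
"""


def strip_description_quotes(xml_text):
    """Return (cleaned_xml, changed) where changed lists the elements whose
    <description> child lost one or more single quotes.

    Each entry is an element path; where the element has a <name> child
    (policies, rule-sets, rules) the name is appended in brackets so the
    report reads like the Junos hierarchy.
    """
    root = ET.fromstring(xml_text)
    changed = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        name = elem.findtext("name")
        label = f"{here}[{name}]" if name else here
        desc = elem.find("description")
        if desc is not None and desc.text and "'" in desc.text:
            desc.text = desc.text.replace("'", "")
            changed.append(label)
        for child in elem:
            walk(child, label)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Assumed usage: python fix_srx_descriptions.py config.xml > cleaned.xml
    # With no argument the constructed sample is processed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_CONFIG
    cleaned, touched = strip_description_quotes(source)
    for entry in touched:
        print(f"stripped quotes in description of {entry}", file=sys.stderr)
    sys.stdout.write(cleaned)
```

The script edits only the text of <description> elements, so policy names, address objects and zone references are byte-for-byte what the SRX emitted; the report on stderr is the list to diff against the rule count the Migration Tool shows after import. Note that ElementTree will reject an undeclared junos: prefix such as the one on the original poster's <configuration> tag unless xmlns:junos is declared in the file, which a full "show configuration | display xml" export includes.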
