SRX Address-Set Membership Check

One of the things I like to standardize in firewall configs is addresses and address-sets. I always recommend creating address-sets and binding address entries into the address-set. From there, we can reference the address-set inside the security policy configuration. This makes it easier to automate changes, as we no longer have to hunt inside the security policies to add or remove entries.

Recently I had a situation where I needed to parse through several thousand lines of configuration in an SRX firewall to determine if address book entries were bound to more than one address-set. In many environments it is very likely that an address book entry is bound to more than one address-set. When that happens there are often unintended consequences that affect traffic flow through the firewall. A host may fall victim to a blocking policy, or worse yet, be allowed more permissive access to sensitive systems!

Since I needed a quick way to do this repeatedly, I wrote a simple script in Python to parse through an SRX configuration. Read on to see the script!


Running the vMX on VMware Fusion

Having hardware to test configuration changes, new deployments, or troubleshooting an issue is very useful, and it is often the best way to replicate how an idea will work in a real environment. That being said, with the introduction of virtual platforms we now have an acceptable alternative to real hardware in many cases. There are instances where having access to a dedicated virtual lab is neither possible nor practical. Being able to run virtual platforms on your local system is very useful in such cases.

While macOS has the ability to run KVM-based appliances, sometimes it is just easier to use VMware Fusion. With a little preparation anyone can run Juniper's Virtual MX (vMX) platform on VMware Fusion. So without further ado, this guide will help you run the vMX on VMware Fusion.


…And We’re Back!

After an insanely long hiatus it is finally time to bring this blog online, and start venturing into technology again. In addition to the pure technology posts, there may be some additional subjects that will be explored as well. Some very clearly-labeled opinion pieces will be added based on the author’s experiences. One or two technical posts will be coming up in the next few days.