SRX Address-Set Membership Check – Part 2!

I wrote a script a few years ago that would check to see if address entries existed in more than one address-set. It works well, but it was missing one key component – what happens if an address-set entry contains another address-set?

I’ve since updated the script with a little bit of logic to include tracking this very scenario, and I’ll explain the changes below. The script is still available on GitHub if you want to download a copy and use it for your operations!


SRX Address-Set Membership Check

One of the things I like to standardize in firewall configs is addresses and address-sets. I always recommend creating address-sets and binding address entries into the address-set. From there, we could reference the address-set inside the security policy configuration. This makes it easier to automate changes as we no longer have to hunt inside the security policies to add or remove entries.

Recently I had a situation where I needed to parse through several thousand lines of configuration in an SRX firewall to determine if address book entries were bound to more than one address-set. In many environments it is very likely that an address book entry is bound to more than one address-set. When that happens there are often unintended consequences that affect traffic flow through the firewall. A host may fall victim to a blocking policy or, worse yet, be allowed more permissive access to sensitive systems!

Since I needed a quick way to do this repeatedly, I wrote a simple script in Python to parse through an SRX configuration. Read on to see the script!
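A minimal sketch of the membership check described above, including the nested address-set case from Part 2. This is an added example, not the author's script from GitHub. It assumes the configuration is in `set` display format with a single address book; the sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" display format (not from a real device).
SAMPLE_CONFIG = """\
set security address-book global address web01 10.1.1.10/32
set security address-book global address web02 10.1.1.11/32
set security address-book global address db01 10.2.2.20/32
set security address-book global address-set WEB address web01
set security address-book global address-set WEB address web02
set security address-book global address-set DB address db01
set security address-book global address-set DMZ address-set WEB
set security address-book global address-set BLOCKED address web02
"""

MEMBER_RE = re.compile(r"\baddress-set (\S+) (address|address-set) (\S+)")

def parse_sets(config):
    """Return (direct address members, nested set members) keyed by address-set."""
    addrs, nested = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            name, kind, member = m.groups()
            (addrs if kind == "address" else nested)[name].add(member)
    return addrs, nested

def expand(name, addrs, nested, seen=frozenset()):
    """All addresses reachable from an address-set, following nested sets."""
    if name in seen:          # guard against a set that nests itself
        return set()
    result = set(addrs.get(name, ()))
    for child in nested.get(name, ()):
        result |= expand(child, addrs, nested, seen | {name})
    return result

def multi_membership(config):
    """Map each address to the sorted address-sets containing it, if more than one."""
    addrs, nested = parse_sets(config)
    owners = defaultdict(set)
    for name in set(addrs) | set(nested):
        for addr in expand(name, addrs, nested):
            owners[addr].add(name)
    return {a: sorted(s) for a, s in owners.items() if len(s) > 1}

if __name__ == "__main__":
    for addr, sets in sorted(multi_membership(SAMPLE_CONFIG).items()):
        print(f"{addr}: {', '.join(sets)}")
```

An address is counted as a member of both the set that lists it directly and every parent set that nests that set, so `web02` is reported under `BLOCKED`, `DMZ` and `WEB` here.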