This is the third post in the Loading Configs series. In this post we cover the load replace command. It shines when you want to swap out a whole section of configuration without first deleting each piece by hand, which makes it especially handy for security policies and firewall filters, places where you tend to replace a lot of config at once.

Here is a quick refresher on what we are doing…

For this lab series, we will use a simple topology to demonstrate the different ways to load configs. We have our SRX configured with TRUST and UNTRUST zones, a connection to the Internet, and a Windows 7 PC that has a browser installed. We will focus on making changes to our security policies.

[Image: Diagram_r1.jpg]

Our current security policy is fairly straightforward. NAT, routing, and security zones have all been pre-configured for this post. Initially we permit traffic from TRUST to the Internet for HTTP, ICMP, and DNS; the goal is to add an HTTPS policy and have that traffic pass. Our currently configured security policy is below:

security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-DNS {
                match {
                    source-address any;         
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
}

Specifically, in this lab we will collapse all of our security policies down to two: one that permits the traffic we specified earlier, now including HTTPS, and one that rejects everything else.

load replace works by replacing only the hierarchies you mark: you put the replace: tag in front of the stanza you want swapped out, and Junos deletes everything currently under that stanza and substitutes what you load. Anything in the loaded text that carries no tag is merged into the existing configuration, exactly as load merge would do. For this example, below is what we are going to load replace into the configuration:

security {
    policies {
        replace: from-zone TRUST to-zone UNTRUST {
            policy PERMIT-TRAFFIC {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-icmp-all junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
}

As you may have noticed, the from-zone TRUST to-zone UNTRUST line has been prefixed with the word replace:. That tag tells Junos to replace that entire stanza with what we are loading in. Note that the payload carries both the new PERMIT-TRAFFIC policy and the existing DENY-ALL policy: anything we leave out of a replaced stanza is deleted along with the old policies. So let us load that config in and compare the results.


[edit]
jfry@FRYGUY-LAB# load replace terminal 
[Type ^D at a new line to end input]
security {
    policies {
        replace: from-zone TRUST to-zone UNTRUST {
            policy PERMIT-TRAFFIC {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-icmp-all junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
}
load complete

[edit]
jfry@FRYGUY-LAB# show | compare 
[edit security policies from-zone TRUST to-zone UNTRUST]
+     policy PERMIT-TRAFFIC {
+         match {
+             source-address any;
+             destination-address any;
+             application [ junos-http junos-https junos-icmp-all junos-dns-tcp junos-dns-udp ];
+         }
+         then {
+             permit;
+         }
+     }
      policy DENY-ALL { ... }
[edit security policies from-zone TRUST to-zone UNTRUST]
-     policy PERMIT-HTTP {
-         match {
-             source-address any;
-             destination-address any;
-             application junos-http;
-         }
-         then {
-             permit;
-         }
-     }                                 
-     policy PERMIT-ICMP {
-         match {
-             source-address any;
-             destination-address any;
-             application junos-icmp-all;
-         }
-         then {
-             permit;
-         }
-     }
-     policy PERMIT-DNS {
-         match {
-             source-address any;
-             destination-address any;
-             application [ junos-dns-tcp junos-dns-udp ];
-         }
-         then {
-             permit;
-         }
-     }
                                        
[edit]
jfry@FRYGUY-LAB# show security policies | no-more 
from-zone TRUST to-zone UNTRUST {
    policy PERMIT-TRAFFIC {
        match {
            source-address any;
            destination-address any;
            application [ junos-http junos-https junos-icmp-all junos-dns-tcp junos-dns-udp ];
        }
        then {
            permit;
        }
    }
    policy DENY-ALL {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            reject;
        }
    }
}

As you can see from the output above, the stanza we marked was replaced wholesale: the three old permit policies are gone and PERMIT-TRAFFIC sits in front of DENY-ALL, which matters because SRX security policies are evaluated in order and the first match wins. This command is very useful when you need to make big changes and replace a whole hierarchy: firewall filters, prefix-lists, security policies, just about anything where a large change is involved. Two cautions go with that power. First, whatever you do not include in the tagged stanza is removed, so always run show | compare and commit check before committing, and consider commit confirmed so that a bad load rolls itself back if you lose access. Second, if you forget the replace: tag, the stanza is merged instead of replaced, which leaves the old policies in place and appends the new one after them; show | compare catches that too.
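To make the merge-versus-replace distinction concrete, here is an added example (not from this post, and not Junos code) in Python: a toy parser for Junos curly-brace text and a function that applies a loaded payload under a simplified model of the documented semantics, where a hierarchy tagged replace: and loaded with load replace is rebuilt from the payload and everything else is merged. The RUNNING and PAYLOAD strings are the post's own policies written compactly; the parser, the merge model and the policy order it reports are assumptions of this model, so confirm the real behaviour with show | compare on the device.

```python
"""Simplified model of Junos 'load merge' vs 'load replace' (replace: tag) semantics.

Added example for this post, not Junos code. It models the documented behaviour
(tagged hierarchies are rebuilt from the payload, everything else is merged) on a
toy parser so the effect of a forgotten replace: tag can be seen without an SRX.
"""
from __future__ import annotations

REPLACE_TAG = "replace:"


def parse(text: str) -> dict:
    """Parse Junos curly-brace text into nested dicts (stanza -> dict, statement -> None)."""
    root: dict = {}
    stack = [root]
    buf = ""
    for ch in text:
        if ch == "{":                      # open a stanza named by the buffered words
            child: dict = {}
            stack[-1][" ".join(buf.split())] = child
            stack.append(child)
            buf = ""
        elif ch == ";":                    # leaf statement, whitespace normalised
            stack[-1][" ".join(buf.split())] = None
            buf = ""
        elif ch == "}":                    # close the current stanza
            if buf.strip():
                raise ValueError(f"statement without ';' before closing brace: {buf.strip()!r}")
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            buf = ""
        else:
            buf += ch
    if len(stack) != 1 or buf.strip():
        raise ValueError("unbalanced braces or trailing text")
    return root


def _copy(tree: dict) -> dict:
    return {k: (_copy(v) if isinstance(v, dict) else None) for k, v in tree.items()}


def apply_load(running: dict, payload: dict, mode: str) -> dict:
    """Return the candidate config after loading payload with 'merge' or 'replace'.

    Only a hierarchy carrying a replace: tag, loaded with mode 'replace', is torn
    down and rebuilt from the payload. Everything else (including a tagged
    hierarchy loaded with plain 'merge') is merged into what is already there;
    new stanzas are appended, so they land after an existing DENY-ALL.
    """
    if mode not in ("merge", "replace"):
        raise ValueError(f"unknown load mode {mode!r}")
    result = _copy(running)
    for key, value in payload.items():
        tagged = key.startswith(REPLACE_TAG)
        name = key[len(REPLACE_TAG):].strip() if tagged else key
        new = _copy(value) if isinstance(value, dict) else None
        if tagged and mode == "replace":
            result.pop(name, None)         # the old hierarchy is gone entirely
            result[name] = new
        elif isinstance(new, dict) and isinstance(result.get(name), dict):
            result[name] = apply_load(result[name], value, mode)
        else:
            result[name] = new             # new statement or stanza, appended
    return result


def policy_names(tree: dict, path: list[str]) -> list[str]:
    """Ordered policy names under the hierarchy at path (match order on an SRX)."""
    node = tree
    for step in path:
        node = node[step]
    return [k.split(" ", 1)[1] for k in node if k.startswith("policy ")]


# Constructed from the post's running config, written compactly (Junos accepts this form).
RUNNING = """
security { policies { from-zone TRUST to-zone UNTRUST {
    policy PERMIT-HTTP { match { source-address any; destination-address any;
        application junos-http; } then { permit; } }
    policy PERMIT-ICMP { match { source-address any; destination-address any;
        application junos-icmp-all; } then { permit; } }
    policy PERMIT-DNS { match { source-address any; destination-address any;
        application [ junos-dns-tcp junos-dns-udp ]; } then { permit; } }
    policy DENY-ALL { match { source-address any; destination-address any;
        application any; } then { reject; } }
} } }
"""

# Constructed from the post's load replace payload, same compact form.
PAYLOAD = """
security { policies { replace: from-zone TRUST to-zone UNTRUST {
    policy PERMIT-TRAFFIC { match { source-address any; destination-address any;
        application [ junos-http junos-https junos-icmp-all junos-dns-tcp junos-dns-udp ]; }
        then { permit; } }
    policy DENY-ALL { match { source-address any; destination-address any;
        application any; } then { reject; } }
} } }
"""

TRUST_TO_UNTRUST = ["security", "policies", "from-zone TRUST to-zone UNTRUST"]


def demo() -> dict[str, list[str]]:
    """Policy order that results from three ways of loading the same text."""
    running = parse(RUNNING)
    tagged = parse(PAYLOAD)
    untagged = parse(PAYLOAD.replace(REPLACE_TAG + " ", ""))   # the "forgot the tag" mistake
    return {
        "load replace, tagged": policy_names(apply_load(running, tagged, "replace"), TRUST_TO_UNTRUST),
        "load merge, tagged": policy_names(apply_load(running, tagged, "merge"), TRUST_TO_UNTRUST),
        "load replace, untagged": policy_names(apply_load(running, untagged, "replace"), TRUST_TO_UNTRUST),
    }


if __name__ == "__main__":
    for how, order in demo().items():
        print(f"{how:24s} -> {order}")
```

Running it shows the point of the tag: only the tagged load replace yields the two-policy stanza from the post, while a merge, or a load replace with the tag missing, keeps the three old permit policies and appends PERMIT-TRAFFIC after DENY-ALL, where it would never be reached.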

Below is a quick video of the commands above.