This is the fourth post in the Loading Configs series. In this post, we will cover the load update command. We touched on this in post one when we discussed override. This command, update, is less destructive: you still load a complete configuration, but the Junos device evaluates only the differences between the running configuration and what you have staged, rather than replacing everything outright.
Here is a quick refresher on what we are doing…
For this lab series, we will use a simple topology to demonstrate the different ways to load configs. We have our SRX configured with TRUST and UNTRUST zones, a connection to the Internet, and a Windows 7 PC that has a browser installed. We will focus on making changes to our security policies.
Our currently configured security policy is fairly straightforward. NAT, routing, and security zones have all been pre-configured for this post. Initially we permit traffic from TRUST to the Internet for HTTP, ICMP, and DNS, with the goal of adding an HTTPS policy and seeing that traffic pass. Our currently configured security policy is below:
security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
}
So to use the update command, you need to supply the entire configuration, not just a part of it. If you recall, merge and patch are used for updating parts of a config, while update and replace are used to replace an entire configuration.
For this lab, as we have done in the others, we will permit HTTPS from the TRUST zone to the UNTRUST zone. The config that we will be loading is below. You will notice that it is an entire config, yet the only change is in the security policies stanza, where we added the PERMIT-HTTPS policy using the junos-https application. We will demonstrate that with show | compare.
system {
    login {
        user jfry {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$qS9xwyuX$y051D3YxFj/taz3pe5LoRs1Y.lzqwWfCHpW.Qb1G.jTpTM0kNx0ttIO5HpZsazyD0vMbB.gZ.vSqbowTGkI/Y."; ## SECRET-DATA
            }
        }
    }
    root-authentication {
        encrypted-password "$6$xjaKl.oC$e7mKb390YKF8/g/EU7V.ivXdDT8aFQYP8FwGL5eFz6HWFHkoXpMRKoKzSmsK2AfTDt33oCcPL.aRu5SN1KcTB."; ## SECRET-DATA
    }
    services;
    host-name FRYGUY-LAB;
}
security {
    nat {
        source {
            rule-set OVERLOAD {
                from zone [ TRUST junos-host ];
                to zone UNTRUST;
                rule OVERLOAD {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy PERMIT-HTTPS {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
    zones {
        security-zone UNTRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/4.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.100.1/32;
            }
        }
    }
}
So let’s load the configuration into the Junos SRX.
jfry@FRYGUY-LAB> edit
Entering configuration mode
[edit]
jfry@FRYGUY-LAB# show | compare
[edit]
jfry@FRYGUY-LAB# load update terminal
[Type ^D at a new line to end input]
system {
    login {
        user jfry {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$qS9xwyuX$y051D3YxFj/taz3pe5LoRs1Y.lzqwWfCHpW.Qb1G.jTpTM0kNx0ttIO5HpZsazyD0vMbB.gZ.vSqbowTGkI/Y."; ## SECRET-DATA
            }
        }
    }
    root-authentication {
        encrypted-password "$6$xjaKl.oC$e7mKb390YKF8/g/EU7V.ivXdDT8aFQYP8FwGL5eFz6HWFHkoXpMRKoKzSmsK2AfTDt33oCcPL.aRu5SN1KcTB."; ## SECRET-DATA
    }
    services;
    host-name FRYGUY-LAB;
}
security {
    nat {
        source {
            rule-set OVERLOAD {
                from zone [ TRUST junos-host ];
                to zone UNTRUST;
                rule OVERLOAD {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy PERMIT-HTTPS {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
    zones {
        security-zone UNTRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/4.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.100.1/32;
            }
        }
    }
}
load complete
Now we can compare to see what the impact of the change will be.
[edit]
jfry@FRYGUY-LAB# show | compare
[edit]
-  version 18.4R1-S3.1;
[edit security policies from-zone TRUST to-zone UNTRUST]
       policy PERMIT-DNS { ... }
+      policy PERMIT-HTTPS {
+          match {
+              source-address any;
+              destination-address any;
+              application junos-https;
+          }
+          then {
+              permit;
+          }
+      }
       policy DENY-ALL { ... }
As you can see, it just inserts the new policy where we wanted it. Note the "- version 18.4R1-S3.1;" line as well: because update treats what you loaded as the whole configuration, any statement your file omits (here the version statement) shows up as a deletion, so read the compare output carefully before you commit. Below is a quick video of me running the commands if you want to see.
So where would you use this? Well, if you have a bunch of changes to make across the configuration, this might be a good way to make them.
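As an added example (not part of the original post), here is a small Python model of what load update does with the lab configs: it parses the curly-brace text, treats the loaded file as the whole candidate, and reports the same two differences that show | compare printed above, the added PERMIT-HTTPS policy and the dropped version statement. The embedded configs are constructed, trimmed stand-ins for the lab's running config and update file, and parse_junos, config_diff and load_update are names chosen for this example.

```python
import re
from typing import Any, Dict, List, Tuple

Tree = Dict[str, Any]  # container -> nested dict, leaf statement -> None

def parse_junos(text: str) -> Tree:
    """Parse curly-brace Junos text into nested dicts; '## ...' annotations are dropped."""
    root: Tree = {}
    stack: List[Tree] = [root]
    pending = ""
    for tok in re.findall(r"[{};]|[^{};]+", re.sub(r"##[^\n]*", "", text)):
        if tok == "{":                       # open a container named by the pending words
            child: Tree = {}
            stack[-1][pending] = child
            stack.append(child)
        elif tok == ";":                     # leaf statement, e.g. 'application junos-https'
            stack[-1][pending] = None
        elif tok == "}":
            stack.pop()
        else:                                # statement words; collapse whitespace/newlines
            pending = " ".join(tok.split())
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return root

def config_diff(running: Tree, loaded: Tree, path: Tuple[str, ...] = ()) -> List[str]:
    """show | compare style lines: '-' only in running, '+' only in loaded."""
    edit = "[edit" + (" " + " ".join(path) if path else "") + "]"
    out = [f"{edit} - {k}" for k in sorted(running.keys() - loaded.keys())]
    out += [f"{edit} + {k}" for k in sorted(loaded.keys() - running.keys())]
    for k in sorted(running.keys() & loaded.keys()):
        if isinstance(running[k], dict) and isinstance(loaded[k], dict):
            out += config_diff(running[k], loaded[k], path + (k,))
    return out

def load_update(running_text: str, loaded_text: str) -> List[str]:
    """Model 'load update': the file becomes the whole candidate, so any statement
    it omits (here 'version') is reported as a deletion rather than silently kept."""
    return config_diff(parse_junos(running_text), parse_junos(loaded_text))

# Constructed, trimmed stand-ins for the lab's running config and the update file
RUNNING = """version 18.4R1-S3.1;
system { host-name FRYGUY-LAB; }
security { policies { from-zone TRUST to-zone UNTRUST {
  policy PERMIT-HTTP { match { application junos-http; } then { permit; } }
  policy DENY-ALL { match { application any; } then { reject; } } } } }"""
LOADED = """system { host-name FRYGUY-LAB; }
security { policies { from-zone TRUST to-zone UNTRUST {
  policy PERMIT-HTTP { match { application junos-http; } then { permit; } }
  policy PERMIT-HTTPS { match { application junos-https; } then { permit; } }
  policy DENY-ALL { match { application any; } then { reject; } } } } }"""
```

Running load_update(RUNNING, LOADED) yields one deletion for version and one addition for policy PERMIT-HTTPS, mirroring the device's compare output; feed it a real `show configuration` dump and your update file to preview what an update would remove before you load it.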