SRX - How to convert zone-based address books to a global one

Zone-based vs Global

On an SRX running older versions of Junos, address objects are configured in a zone-based address-book. With a zone-based address-book, the address objects referenced in security policies are created per zone, so every zone carries its own address-book configuration and the same object may end up duplicated across zones.

Newer Junos versions use a global address-book configuration. The global address-book reduces configuration complexity by managing all address objects in one place: an object that is referenced from several zones is defined once, rather than under each zone in your configuration.

Example zone-based address-book configuration

security {
    zones {
        security-zone trust {
            address-book {
                address server-network 192.168.0.0/24;
                address dns-name-test {
                    dns-name somedomain.com;
                }
                address wc-test {
                    wildcard-address 10.1.1.1/255.255.0.255;
                }
                address-set Test-Group {
                    address dns-name-test;
                    address wc-test;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address internet-host 15.6.7.20/32;
                address ext-website {
                    dns-name website.com;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}

Example global address-book configuration

security {
    address-book {
        address server-network 192.168.0.0/24;
        address dns-name-test {
            dns-name somedomain.com;
        }
        address wc-test {
            wildcard-address 10.1.1.1/255.255.0.255;
        }
        address internet-host 15.6.7.20/32;
        address ext-website {
            dns-name website.com;
        }
        address-set Test-Group {
            address dns-name-test;
            address wc-test;
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}

How do I convert?

Use the zone2global script

zone2global - Convert an SRX from a zone-based address book to a global one.

Usage: zone2global [OPTIONS]
  -commit
        Choose to apply the configuration directly instead of creating a file.
  -p string
        Password
  -srx string
        SRX to run the conversion against. If specifying multiple, enclose in quotes, i.e. "srx240-1 srx1400-2"
  -u string
        Username

When zone2global is run against an SRX (or several SRXs), it converts all of the individual zone-based address-books into a single global one. By default the converted configuration is saved to a text file; with -commit, the converted address-book changes are committed on the device immediately instead of being saved.

You MUST be running a Junos version >= 11.2 in order to take advantage of global address-books.

Example

Running the following converts the zone-based address-books on the two given SRXs to a global one and immediately commits the configuration on them:

zone2global.exe -srx "corp-fw1 internet-fw" -u admin -p password -commit

This script has binaries for all major operating systems: Windows, Mac OS X, and Linux. You can also use the conversion function from your own Go programs through the API of the parent go-junos package.
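As an added illustration of the conversion the script performs (example code written for this page, not the zone2global source or the go-junos API), the Go function below rewrites zone-scoped address-book statements in display-set form into a global book, collapses identical objects that several zones define, and flags an address name whose value differs between zones, the one case a blind merge would get wrong. It assumes the global book is named global and runs on a constructed sample configuration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in "display set" form: two zones share one object and disagree on another.
const sampleSetConfig = `
set security zones security-zone trust address-book address server-network 192.168.0.0/24
set security zones security-zone trust address-book address dns-name-test dns-name somedomain.com
set security zones security-zone trust address-book address-set Test-Group address dns-name-test
set security zones security-zone untrust address-book address dns-name-test dns-name somedomain.com
set security zones security-zone untrust address-book address server-network 10.0.0.0/8
`
var zoneBookRe = regexp.MustCompile(`^set security zones security-zone (\S+) address-book (.+)$`)

// ZoneToGlobal merges the zone-scoped address-book statements into the global book, returning the
// set commands for it, the delete commands for the old per-zone books, and any conflicts (one address
// name with different values in two zones), which are left out because merging them would alter policy.
func ZoneToGlobal(setConfig string) (adds, deletes, conflicts []string) {
	addrs := map[string]string{}  // address name -> first value seen
	emitted := map[string]bool{}  // statement already copied to the global book
	zoneDone := map[string]bool{} // zone whose book is already scheduled for deletion
	for _, line := range strings.Split(setConfig, "\n") {
		m := zoneBookRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a zone address-book statement
		}
		zone, stmt := m[1], m[2]
		if !zoneDone[zone] {
			zoneDone[zone] = true
			deletes = append(deletes, "delete security zones security-zone "+zone+" address-book")
		}
		if f := strings.Fields(stmt); f[0] == "address" && len(f) > 2 {
			name, value := f[1], strings.Join(f[2:], " ")
			if prev, ok := addrs[name]; ok && prev != value {
				conflicts = append(conflicts, fmt.Sprintf("%s: %q vs %q (zone %s)", name, prev, value, zone))
				continue
			}
			addrs[name] = value
		}
		if !emitted[stmt] { // identical objects in several zones collapse to one entry
			emitted[stmt] = true
			adds = append(adds, "set security address-book global "+stmt)
		}
	}
	return adds, deletes, conflicts
}
```

Resolve every reported conflict by hand before loading the output, since the set and delete commands are otherwise applied as one change.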