
@jeremyschulman
Last active December 16, 2015 12:08
require 'net/netconf/jnpr'
require 'junos-ez/stdlib'
require 'junos-ez/srx'

### login parameters for the NETCONF session (credentials are inline in this gist)
login = { :target => 'vsrx', :username => 'jeremy', :password => 'jeremy1', }

### open a NETCONF session to the SRX device
ndev = Netconf::SSH.new( login )
$stdout.print "Connecting to device #{login[:target]} ... "
ndev.open
$stdout.puts "OK!"

### now bind our EZ toolkit so we can manage zones and policies ...
Junos::Ez::Provider( ndev )
Junos::Ez::SRX::Zones::Provider( ndev, :zones )
Junos::Ez::SRX::Policies::Provider( ndev, :policies )

### add the new address to the "trust" zone address-book
addr = ndev.zones["trust"].addrs["CORP-MGMT"]
addr[:description] = "Corporate Management access range"
addr[:ip_prefix] = "192.168.2.0/24"
addr.write!

### declare our change in the form of a Hash structure.
### this could have easily been stored as a YAML file and
### loaded into this program as a Hash.
### :name is the [from-zone, to-zone] pair; the "deny all" rule is declared
### first here, which is why it gets reordered further down.
policy_change = {
  :name => [ 'trust', 'management' ],
  :rules => {
    "TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL" => {
      :match_srcs => ['any'],
      :match_dsts => ['any'],
      :match_apps => ['any'],
      :action => :deny,
      :log_init => true,
    },
    "TRUST-TO-MANAGEMENT-PERMIT-FTP" => {
      :match_srcs => ["CORP-MGMT"],
      :match_dsts => ['any'],
      :match_apps => ['junos-ftp'],
      :action => :permit
    },
    "TRUST-TO-MANAGEMENT-PERMIT-SSH" => {
      :match_srcs => ["CORP-MGMT"],
      :match_dsts => ['any'],
      :match_apps => ['junos-ssh'],
      :action => :permit
    },
    "TRUST-TO-MANAGEMENT-PERMIT-HTTPS" => {
      :match_srcs => ["CORP-MGMT"],
      :match_dsts => ['any'],
      :match_apps => ['junos-https'],
      :action => :permit
    }
  }
}

### write this policy change to the SRX
ndev.policies.create_from_hash! policy_change

### now we need to reorder the "deny all" rule to be after the "https" rule
deny_all = ndev.policies[ policy_change[:name] ].rules["TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL"]
deny_all.reorder! :after => "TRUST-TO-MANAGEMENT-PERMIT-HTTPS"

### now rename the policy ...
### rename policy TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL to policy TRUST-TO-MANAGEMENT-DENY-ALL
deny_all.rename! "TRUST-TO-MANAGEMENT-DENY-ALL"

### and then we would commit the change, not shown here ...
ndev.close
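The gist's comments note that the policy change could have come from a YAML file, and the script relies on a reorder! step to get the "deny all" rule to the bottom. The following is an added example, not part of the gist and not junos-ez code: it loads an equivalent (constructed) YAML document into the same symbol-keyed Hash shape, models the reorder step on a list of rule names, and lints the resulting order before anything is pushed to the device. The lint rules (catch-all deny must be last and must log, permits should not use a source or application of 'any') are this example's own assumptions about what a sane inter-zone policy set looks like, and the function names load_policy_change, reorder_after and lint_policy_change are hypothetical.

```ruby
require 'yaml'

# Constructed sample: the gist's policy_change expressed as YAML, which its
# comments say it could have been loaded from. Rule order is kept as declared.
POLICY_YAML = <<~YAML
  name: [trust, management]
  rules:
    TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL:
      match_srcs: [any]
      match_dsts: [any]
      match_apps: [any]
      action: deny
      log_init: true
    TRUST-TO-MANAGEMENT-PERMIT-FTP:
      match_srcs: [CORP-MGMT]
      match_dsts: [any]
      match_apps: [junos-ftp]
      action: permit
    TRUST-TO-MANAGEMENT-PERMIT-SSH:
      match_srcs: [CORP-MGMT]
      match_dsts: [any]
      match_apps: [junos-ssh]
      action: permit
    TRUST-TO-MANAGEMENT-PERMIT-HTTPS:
      match_srcs: [CORP-MGMT]
      match_dsts: [any]
      match_apps: [junos-https]
      action: permit
YAML

# Parse the YAML into the symbol-keyed Hash shape the gist passes to
# create_from_hash!; :action becomes a Symbol (:permit / :deny) as in the gist.
# (hypothetical helper, not part of junos-ez)
def load_policy_change(yaml_text)
  doc = YAML.safe_load(yaml_text)
  rules = {}
  doc.fetch('rules').each do |rule_name, attrs|
    rules[rule_name] = attrs.each_with_object({}) do |(key, value), h|
      h[key.to_sym] = key == 'action' ? value.to_sym : value
    end
  end
  { :name => doc.fetch('name'), :rules => rules }
end

# A catch-all rule matches any source, destination and application.
def catch_all?(rule)
  %i[match_srcs match_dsts match_apps].all? { |k| rule[k] == ['any'] }
end

# Model the gist's `deny_all.reorder! :after => "..."` on a list of rule names:
# returns a new order with `rule` placed directly after `anchor`.
def reorder_after(order, rule, anchor)
  result = order.reject { |n| n == rule }
  idx = result.index(anchor) or raise ArgumentError, "unknown rule #{anchor}"
  result.insert(idx + 1, rule)
end

# Lint a policy change against the order the rules will have on the SRX.
# SRX evaluates policies top-down and the first match wins, so a catch-all
# deny that is not last shadows every rule after it. Returns an Array of
# finding strings; an empty Array means the change passed.
def lint_policy_change(change, final_order)
  findings = []
  rules = change[:rules]
  final_order.each_with_index do |name, i|
    rule = rules.fetch(name)
    if rule[:action] == :deny && catch_all?(rule)
      findings << "#{name}: catch-all deny is not last, later rules are unreachable" unless i == final_order.size - 1
      findings << "#{name}: catch-all deny does not set :log_init" unless rule[:log_init]
    elsif rule[:action] == :permit
      findings << "#{name}: permit from source 'any'" if rule[:match_srcs].include?('any')
      findings << "#{name}: permit for application 'any'" if rule[:match_apps].include?('any')
    end
  end
  unless rules.values.any? { |r| r[:action] == :deny && catch_all?(r) }
    findings << "no catch-all deny rule in #{change[:name].join('->')}"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  change = load_policy_change(POLICY_YAML)
  declared = change[:rules].keys
  final = reorder_after(declared, 'TRUST-TO-MANAGEMENT-PERMIT-DENY-ALL', 'TRUST-TO-MANAGEMENT-PERMIT-HTTPS')
  puts "as declared:   #{lint_policy_change(change, declared).inspect}"
  puts "after reorder: #{lint_policy_change(change, final).inspect}"
end
```

Run as declared, the lint flags the catch-all deny sitting at the top of the set; after the modelled reorder it passes, which is exactly the state the gist's `show | compare` output below reflects. Running a check like this against the Hash before calling create_from_hash! catches a mis-ordered deny before it ever reaches the candidate configuration.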
[edit security policies]
+ from-zone trust to-zone management {
+ policy TRUST-TO-MANAGEMENT-PERMIT-FTP {
+ match {
+ source-address CORP-MGMT;
+ destination-address any;
+ application junos-ftp;
+ }
+ then {
+ permit;
+ }
+ }
+ policy TRUST-TO-MANAGEMENT-PERMIT-SSH {
+ match {
+ source-address CORP-MGMT;
+ destination-address any;
+ application junos-ssh;
+ }
+ then {
+ permit;
+ }
+ }
+ policy TRUST-TO-MANAGEMENT-PERMIT-HTTPS {
+ match {
+ source-address CORP-MGMT;
+ destination-address any;
+ application junos-https;
+ }
+ then {
+ permit;
+ }
+ }
+ policy TRUST-TO-MANAGEMENT-DENY-ALL {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ deny;
+ log {
+ session-init;
+ }
+ }
+ }
+ }
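Review bot: none of the three permit policies (TRUST-TO-MANAGEMENT-PERMIT-FTP, -SSH, -HTTPS) carries a `log` block under `then`, so only denied sessions reach the security log while permitted management logins from CORP-MGMT leave no session record; if those sessions need to be auditable, add `log { session-init; session-close; }` beside `permit;` in each. The ordering is right: SRX evaluates policies top-down with first match, and TRUST-TO-MANAGEMENT-DENY-ALL is last in the from-zone trust to-zone management set, so the `reorder!` in the script had its intended effect. Note also that `application junos-ftp` admits cleartext FTP into the management zone while the SSH and HTTPS policies already cover encrypted management access, so confirm FTP is actually required before committing.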
[edit security zones]
+ security-zone trust {
+ address-book {
+ address CORP-MGMT {
+ description "Corporate Management access range";
+ 192.168.2.0/24;
+ }
+ }
+ }
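Review bot: the CORP-MGMT entry is defined in the trust zone's own address-book, which is what the policies above need since they reference it as `source-address` in a from-zone trust policy; being zone-scoped, it can serve as a `destination-address` only in policies whose to-zone is trust, so for any other zone pairing it would have to be declared again in that zone's address-book or moved to a global address book. The description and prefix match what the script sets on `addr`.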