Use variables to dynamically obtain addresses and zones in group firewall policies that are applied to multiple devices. A variable is useful when similar rules can be used across devices where only the zone or address might differ. Using variables instead of static values allows you to create fewer rules and use them more widely.
When you configure variables, you map specific devices to configured values, and the default values are replaced by these mappings when policies are applied. Note that variables are only used in group policies. They are not applicable to device policies.
Configuring Variables
To create a variable object:
A new variable with your configurations is created. You can use this object in policies. You can also assign it to a domain; see Assigning Policies and Profiles to Domains.
Table 193: Variable Profile Settings
Setting | Guideline |
---|---|
Name | Enter a unique name for this variable. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed. |
Description | Enter a description for your variable; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators. |
Type | Select a type of variable and fill in the corresponding fields. Available types are: Address or Zone. When you select a type, the required fields for that type are shown. See Table 2 for address types. See Table 3 for zone types. |
Table 194: Create Variable Address Profile Setting
Setting | Guideline |
---|---|
Default Address | Select a predefined address by clicking anywhere within this field and choosing an address from the Select Address window or click Add to create a new default address. This default address is replaced with the mapped device-specific address when applied to the group firewall policy. |
Context Value | Select the check box beside each device to which you want to map this variable address. Click the arrow to move the selected device or devices from the Available column to the Selected column. Only devices from the current and child domain are listed. Note that you can use the fields at the top of each column to search for listed devices. |
Address | Select a predefined address by clicking anywhere within this field and choosing an address from the Select Address window. The default address is replaced by this device-specific address when applied to a policy that includes the selected device or devices. |
Table 195: Create Zone Profile Settings
Setting | Guideline |
---|---|
Default Zone | Enter a zone. This default zone is replaced with the mapped zone when applied to the group firewall policy. The default value is trust. |
Context Value | Select the check box beside each device to which you want to map this variable zone. Click the arrow to move the selected device or devices from the Available column to the Selected column. Note that you can use the fields at the top of each column to search for listed devices. |
Zone | For SRX Series devices, select a zone from the list. The default zone is replaced by this device-specific zone when applied to a policy that includes the selected device or devices. If you select an MX Series router, the Zone field lists all the AMS interfaces that are assigned to the service set. If you select both SRX Series devices and MX Series routers, both zones and AMS values are listed. |
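The substitution behaviour the tables describe (a default value, per-device mappings, the mapped value replacing the default only for the devices that have one, and variables being valid in group policies but not device policies) can be made concrete with a small model. The following Python is an added example, not Security Director code or its rendering logic; the device names, zone names, address names and the simplified Junos `set security policies` output are constructed assumptions, and the rendering is a hypothetical illustration of what each device ends up with.

```python
"""Model of variable substitution in group firewall policies (added example).

Assumptions (not from the product): a rule field holding "$name" references a
variable object; a variable resolves to the device-specific mapping when one
exists and to its default otherwise; the rendered output is a simplified set
of Junos security policy commands. All device/zone/address names are sample
values constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")


def validate_name(name: str) -> bool:
    """Name rule from the settings table: alphanumeric start, <= 63 chars, dashes/underscores allowed."""
    return NAME_RE.match(name) is not None


@dataclass
class Variable:
    """A variable object: a type (address or zone), a default, and device mappings."""
    name: str
    type: str                                              # "address" or "zone"
    default: str
    mappings: Dict[str, str] = field(default_factory=dict)  # device name -> value

    def resolve(self, device: str) -> str:
        # Mapped devices get their own value; every other device keeps the default.
        return self.mappings.get(device, self.default)


@dataclass
class Rule:
    """One group policy rule; fields may be literals or "$variable" references."""
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    application: str
    action: str = "permit"


def resolve_field(value: str, expected_type: str,
                  variables: Dict[str, Variable], device: str) -> str:
    """Replace a $variable reference with the value for this device, checking the type."""
    if not value.startswith("$"):
        return value
    var = variables[value[1:]]  # KeyError if no such variable object exists
    if var.type != expected_type:
        raise ValueError(f"variable {var.name} has type {var.type}, used in a {expected_type} field")
    return var.resolve(device)


def render_rule(rule: Rule, variables: Dict[str, Variable], device: str) -> List[str]:
    """Render one rule for one device as simplified Junos set commands (hypothetical renderer)."""
    fz = resolve_field(rule.from_zone, "zone", variables, device)
    tz = resolve_field(rule.to_zone, "zone", variables, device)
    src = resolve_field(rule.source, "address", variables, device)
    dst = resolve_field(rule.destination, "address", variables, device)
    prefix = f"set security policies from-zone {fz} to-zone {tz} policy {rule.name}"
    return [
        f"{prefix} match source-address {src} destination-address {dst} application {rule.application}",
        f"{prefix} then {rule.action}",
    ]


def apply_group_policy(rules: List[Rule], variables: Dict[str, Variable],
                       devices: List[str]) -> Dict[str, List[str]]:
    """One shared rule set becomes device-specific output for every device in the group."""
    return {dev: [cmd for r in rules for cmd in render_rule(r, variables, dev)] for dev in devices}


def apply_device_policy(rule: Rule) -> List[str]:
    """Device policies do not support variables: reject any $reference instead of resolving it."""
    for value in (rule.from_zone, rule.to_zone, rule.source, rule.destination):
        if value.startswith("$"):
            raise ValueError(f"variable reference {value} is not allowed in a device policy")
    return render_rule(rule, {}, device="")


# Constructed sample data: one zone variable and one address variable.
VARIABLES = {
    "dmz-zone": Variable("dmz-zone", "zone", default="trust",
                         mappings={"srx-branch-01": "dmz", "srx-branch-02": "dmz-east"}),
    "web-servers": Variable("web-servers", "address", default="web-servers-default",
                            mappings={"srx-branch-02": "web-servers-east"}),
}
RULES = [Rule("allow-web", from_zone="untrust", to_zone="$dmz-zone",
              source="any", destination="$web-servers", application="junos-http")]
DEVICES = ["srx-branch-01", "srx-branch-02", "srx-branch-03"]  # srx-branch-03 has no mappings

if __name__ == "__main__":
    for dev, cmds in apply_group_policy(RULES, VARIABLES, DEVICES).items():
        print(f"# {dev}")
        print("\n".join(cmds))
```

Running the block shows one rule producing three device-specific policies: the two mapped devices get their own zone and address names, while `srx-branch-03` falls back to the defaults (`trust` and `web-servers-default`). The type check in `resolve_field` mirrors the Type setting: a zone variable cannot be dropped into an address field, which is the kind of mistake that would otherwise silently widen a rule.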
© 2017 Juniper Networks, Inc. All rights reserved