NAT Global Address Book Overview
In Junos OS Release 11.2 and later releases, the address book is moved from the zone level to the device global level. This permits objects to be used across many zones and avoids inefficient use of resources. This change also permits nested groups to be configured within the address book, removing the redundancy of repeating address objects.
The Security Director application manages its address book at the global level and assigns to each device the objects that its policies require. If the device is capable of using a global address book, Security Director pushes the address objects used in the policies to the device global address book. Nested address group capability is used in the publish and update feature of Security Director, depending on the device capability.
Differences Between Global and Zone-Based Address Books
The global address book is supported in Junos OS Release 11.2 and later releases.
An address book is not configured within a specific zone; therefore, one address book can be associated with multiple zones.
If a global address book is defined, you cannot create zone-based address books.
By default, there is an address book called global associated with all zones.
A zone can be attached to only one address book in addition to the global address book, which contains all zones by default.
Address name overlaps are possible between the global address book and a zone address book. In that case, Security Director attempts to match an address in the zone-based address book first, and checks the global address book only if the address is not found there. You must ensure that the correct address objects are used in the policy.
NAT rules can use address objects only from the global address book. They cannot use addresses from user-defined address books.
Beginning in Junos OS Release 12.1, zone-based address books are no longer supported. Devices running Junos OS Release 12.1 or later must use the global address book.
Beginning in Junos OS Release 11.2, NAT rules can use address objects from the global address book. However, Security Director still defines the NAT address in the rule itself rather than referring to the global address book.
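As an added example, not taken from the Juniper or Security Director documentation, the Junos CLI configuration below defines a global address book with a nested address-set and a source NAT rule that references that set by name, which is the only way a NAT rule can consume address objects as described above. All host addresses, zone names and object names are constructed placeholders.

```junos
## Global address book: individual hosts (constructed addresses)
set security address-book global address web-01 10.10.1.10/32
set security address-book global address web-02 10.10.1.11/32
set security address-book global address db-01 10.10.2.20/32

## Address-sets, including one set nested inside another
set security address-book global address-set web-servers address web-01
set security address-book global address-set web-servers address web-02
set security address-book global address-set db-servers address db-01
set security address-book global address-set dmz-all address-set web-servers
set security address-book global address-set dmz-all address-set db-servers

## Source NAT rule referencing the global address-set by name;
## a zone-level address book object could not be used here
set security nat source rule-set dmz-to-internet from zone dmz
set security nat source rule-set dmz-to-internet to zone untrust
set security nat source rule-set dmz-to-internet rule snat-dmz match source-address-name dmz-all
set security nat source rule-set dmz-to-internet rule snat-dmz then source-nat interface

## Review the resulting address book before committing
show configuration security address-book global
```

Because name lookups prefer a zone-based book when one exists, keeping NAT-referenced objects exclusively in the global book, as shown, avoids a policy silently resolving to a different object than the NAT rule.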