Use variables to dynamically obtain addresses and zones in group firewall policies that are applied to multiple devices. A variable is useful when similar rules can be used across devices where only the zone or address might differ. Using variables instead of static values allows you to create fewer rules and use them more widely.
When you configure variables, you map specific devices to configured values, and the default values are replaced by these mappings when the policies are applied. Variables are used only in group policies; they are not applicable to device policies.
Before You Begin
Read the topic.
Decide on the type of variable to define, either address or zone.
Check to see if cloning an existing variable might be more efficient than creating a new one.
Review the Variables main page for an understanding of your current data set. See for field descriptions.
To create a variable object:
- Select Configure > Shared Objects > Variables.
- Click Create.
- Complete the configuration according to the guidelines provided in Table 1 to Table 3.
- Click OK.
A new variable with your configurations is created. You can use this object in policies. You can also assign it to a domain; see Assigning Policies and Profiles to Domains.
Table 1: Variable Profile Settings
Name: Enter a unique name for this variable. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.
Description: Enter a description for your variable; the maximum length is 1,024 characters. Make this description as useful as possible for all administrators.
Type: Select the type of variable and fill in the corresponding fields. The available types are Address and Zone. When you select a type, the required fields for that type are shown. See Table 2 for address settings and Table 3 for zone settings.
Table 2: Create Variable Address Profile Settings
Default Address: Select a predefined address by clicking anywhere within this field and choosing an address from the Select Address window, or click Add to create a new default address. This default address is replaced with the mapped device-specific address when the group firewall policy is applied.
Devices: Select the check box beside each device to which you want to map this variable address. Click the arrow to move the selected device or devices from the Available column to the Selected column. Only devices from the current and child domains are listed. You can use the fields at the top of each column to search for listed devices.
Device-Specific Address: Select a predefined address by clicking anywhere within this field and choosing an address from the Select Address window. The default address is replaced by this device-specific address when a policy that includes the selected device or devices is applied.
Table 3: Create Zone Profile Settings
Default Zone: Enter a zone. This default zone is replaced with the mapped zone when the group firewall policy is applied. The default value is trust.
Devices: Select the check box beside each device to which you want to map this variable zone. Click the arrow to move the selected device or devices from the Available column to the Selected column. You can use the fields at the top of each column to search for listed devices.
Device-Specific Zone: For SRX Series devices, select a zone from the list. The default zone is replaced by this device-specific zone when a policy that includes the selected device or devices is applied.
Starting in Junos Space Security Director Release 16.2, if you select an MX Series router, the Zone field lists all the AMS interfaces that are assigned to the service set. If you select both SRX Series devices and MX Series routers, both zones and AMS values are listed.
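The substitution that the tables describe (a default address or zone that is replaced by the device-specific mapping when a group policy is applied to each device) can be modelled in a few lines. The following Python is an added illustration, not Security Director's own code or API: the `$NAME` reference syntax, the device names, the variable values and the `Rule` fields are all constructed for the example, and the name check is the example's reading of the Table 1 constraints. Its practical use is the last function, which lists the devices in scope that have no mapping and will therefore silently receive the default (for a zone variable, `trust` unless you changed it), which is the case a reviewer should confirm is intended before publishing the policy.

```python
import re
from dataclasses import dataclass, field, replace

# Name rule from Table 1 (example's interpretation): first character
# alphanumeric, at most 63 characters, the rest letters, digits, dashes
# or underscores.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")


def valid_variable_name(name: str) -> bool:
    """True if the name satisfies the Table 1 constraints."""
    return NAME_RE.fullmatch(name) is not None


@dataclass
class Variable:
    name: str
    kind: str                 # "address" or "zone", the two types in Table 1
    default: str              # default address / default zone (Tables 2 and 3)
    mappings: dict = field(default_factory=dict)  # device name -> device-specific value

    def resolve(self, device: str) -> str:
        # A device without a mapping silently receives the default value.
        return self.mappings.get(device, self.default)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    action: str


# Hypothetical reference syntax for this example only: a field holding
# "$NAME" refers to the variable called NAME.
def _resolve_field(value: str, kind: str, variables: dict, device: str) -> str:
    if not value.startswith("$"):
        return value
    var = variables[value[1:]]
    if var.kind != kind:
        raise ValueError(f"variable {var.name} is a {var.kind}, used in a {kind} field")
    return var.resolve(device)


def expand_rule(rule: Rule, variables: dict, device: str) -> Rule:
    """Return the device-specific rule: every variable reference replaced by
    the value mapped for `device`, or by the variable's default if none is mapped."""
    return replace(
        rule,
        src_zone=_resolve_field(rule.src_zone, "zone", variables, device),
        dst_zone=_resolve_field(rule.dst_zone, "zone", variables, device),
        src_addr=_resolve_field(rule.src_addr, "address", variables, device),
        dst_addr=_resolve_field(rule.dst_addr, "address", variables, device),
    )


def unmapped_devices(variables: dict, devices) -> dict:
    """For each variable, the devices in scope that have no mapping and will
    therefore get the default. Review this before publishing a group policy."""
    return {
        name: sorted(d for d in devices if d not in var.mappings)
        for name, var in variables.items()
    }


# Constructed sample data: three device names, two variables, one group rule.
DEVICES = ["srx-branch-1", "srx-branch-2", "srx-dc-1"]
VARIABLES = {
    "WEB_ZONE": Variable("WEB_ZONE", "zone", "trust",
                         {"srx-branch-1": "branch-dmz", "srx-dc-1": "dc-web"}),
    "WEB_SERVERS": Variable("WEB_SERVERS", "address", "web-servers-default",
                            {"srx-branch-1": "branch-web-servers",
                             "srx-branch-2": "branch-web-servers",
                             "srx-dc-1": "dc-web-servers"}),
}
GROUP_RULE = Rule("allow-web", "untrust", "$WEB_ZONE", "any", "$WEB_SERVERS", "permit")

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, expand_rule(GROUP_RULE, VARIABLES, dev))
    print("devices receiving defaults:", unmapped_devices(VARIABLES, DEVICES))
```

Running the block expands the single group rule once per device; srx-branch-2 has no WEB_ZONE mapping, so its copy of the rule lands in the default zone `trust` while the other two devices get their mapped zones, and `unmapped_devices` reports exactly that device.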