Understanding Address Books
The following guidelines apply to address books:
- An address book for a security zone contains the IP addresses or domain names of hosts and subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.
- Address books can have address sets. Each address set has a name and a list of address names.
- Addresses and address sets in the same zone must have distinct names.
- Addresses must conform to the security requirements of the zone.
- Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.
- The predefined address any is automatically created for each security zone.
- The address book of a security zone must contain all IP addresses that are reachable within that zone.
Policies contain both source and destination zones and addresses. An address is referred to in a policy by the name you give it in the zone address book.
- When traffic is sent to a zone, the zone and address to which the traffic is sent are used as the destination zone and address-matching criteria in policies.
- When traffic is sent from a zone, the zone and address from which it is sent are used as the matching source zone and address in policies.
For more information on the address book configuration syntax and options, see the JUNOS Software CLI Reference.
Note: Specify addresses as network prefixes in the prefix/length format. For example, 1.2.3.0/24 is an acceptable address book address because it translates to a network prefix. However, 1.2.3.4/24 is not acceptable for an address book because it has bits set beyond the subnet length of 24 bits. Everything beyond the subnet length must be entered as 0 (zero). In special scenarios, you can enter a hostname because it can use the full 32-bit address length.
An IPv6 address prefix is a combination of an IPv6 prefix (address) and a prefix length. The prefix takes the form ipv6-prefix/prefix-length and represents a block of address space (or a network). The ipv6-prefix variable follows general IPv6 addressing rules. The /prefix-length variable is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. For example, 10FA:6604:8136:6502::/64 is a possible IPv6 prefix. For more information on text representation of IPv6 addresses and address prefixes, see RFC 4291, IP Version 6 Addressing Architecture.
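The prefix rule in the note and the distinct-name guideline can be checked before an address book is loaded onto a device. The following Python lint is an added example, not part of the JUNOS documentation or tooling; the function names, the dictionary layout, and the sample zone data are assumptions made for illustration, and it covers prefix/length entries only (DNS-name entries are assumed to be handled separately).

```python
import ipaddress


def check_prefix(text):
    """Return (ok, detail) for one prefix/length address book entry."""
    try:
        # strict=True rejects any bit set beyond the prefix length.
        net = ipaddress.ip_network(text, strict=True)
        return True, str(net)
    except ValueError:
        pass
    try:
        # Parse again leniently to report the prefix the entry should use.
        fixed = ipaddress.ip_network(text, strict=False)
        return False, f"host bits set; use {fixed}"
    except ValueError as exc:
        return False, f"not an IP prefix: {exc}"


def lint_zone(addresses, address_sets):
    """Check one zone's address book (hypothetical in-memory layout).

    addresses:    {name: "prefix/length"}
    address_sets: {set_name: [address_name, ...]}
    Returns a sorted list of finding strings (empty when clean).
    """
    findings = []
    for name, prefix in addresses.items():
        ok, detail = check_prefix(prefix)
        if not ok:
            findings.append(f"address {name} ({prefix}): {detail}")
    # Addresses and address sets in the same zone must have distinct names.
    for name in set(addresses) & set(address_sets):
        findings.append(f"name {name} is used by both an address and an address set")
    return sorted(findings)


# Constructed sample data for a hypothetical zone; not taken from a real device.
SAMPLE_ADDRESSES = {
    "web-net": "1.2.3.0/24",
    "bad-net": "1.2.3.4/24",
    "v6-net": "10FA:6604:8136:6502::/64",
    "servers": "10.1.0.0/16",
}
SAMPLE_SETS = {"servers": ["web-net", "v6-net"]}

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ADDRESSES, SAMPLE_SETS):
        print(finding)
```

For a rejected entry, the finding includes the prefix with the host bits cleared, so the entry can be corrected directly.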
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Security Policy Address Books and Address Sets Overview
- Understanding Address Sets
- Example: Configuring Address Books
- Example: Configuring Schedulers (CLI)