Closed Bug 1182578 Opened 10 years ago Closed 10 years ago

Transition bughunter VMs from PHX1 to SCL3

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dcurado, Assigned: dcurado)

Attachments

(1 file)

No description provided.
darn bugzilla -- hit return and it creates the bug!

This bug is a placeholder, to say that the PHX1->SCL3 vmotion team plans on moving the VMs in the PHX1 bughunter vlan to SCL3, using ldvmotion.

This work will involve the following steps:
- moving the VMs using ldvmotion
- configuring DHCP for those hosts on admin1.scl3
- deleting the DHCP configuration for those hosts on admin1.phx1
- add/delete/modify all firewall rules on all firewalls which need it
- changing the route for the IP subnet for the bughunter vlan to be advertised from fw1.scl3
- bringing up the reth0 interface on fw1.scl3 and doing a broadcast ping, to get all the VMs in the vlan to update their arp cache with the new default gateway mac address.
- note that bughunter also requires a unique ipv4 public address which should duplicate the current functionality in PHX1
- DNS for that (NAT) public IP address should be updated with the new IP in SCL3
We plan on starting this work on July 20th. The VM moves will require an estimated 12 business hours to complete. The gateway move will be done once all VMs have been moved. Outage time during the gateway move should be no more than 30 minutes. The gateway move will likely take place on July 21st or July 22nd, after all VMs have been moved.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
Flags: cab-review?
Do we create a new Vlan and subnet for those, or are they going to be included in the "ateam" one? Also please make sure these do NOT use our proxies. Ateam has its own set of proxies to use (inside that subnet).
The answer to your question is not quite as simple as you'd like.

a) yes, we're creating a new vlan in SCL3, for a while, it will be connected to the bughunter vlan in PHX1. In other words, those two vlans will be joined together.

b) we will not, however, create a new security-zone on fw1.scl3. As vlans are moved from PHX1 to SCL3, we will put those vlans under existing security-zones. Example: the private vlan in SCL3 is vlan-id 75. When we create the phx1-private-vlan-in-scl3, it will have vlan-id 2075. Then the private security-zone on fw1.scl3 will include both vlans, connected via reth0.75 and reth0.2075.

c) at some point in the future, if it makes sense to do so, the organization can opt to move each host/vm out of vlan-id 2075 and merge them into vlan-id 75. That could happen 1 by 1, in a sane and orderly fashion. (one would hope)

HTHs.
Reviewed 7/15 CAB approved
Flags: cab-review? → cab-review+
Here are the configuration changes I plan to make to fw1.scl3 and fw1.phx1, both before the gateway swing, and the configuration I plan to use to implement the gateway swing.

-----------------------------------
prior to gateway swing on fw1.phx1
-----------------------------------
set security zones security-zone dc address-book address neo-bughunter 10.8.121.0/24
set security policies from-zone dc to-zone bootstrap policy esxc-set--windows match source-address neo-bughunter
set security policies from-zone dc to-zone bootstrap policy esxc-set--windows match destination-address esxc-set
set security policies from-zone dc to-zone bootstrap policy esxc-set--windows match application junos-https
set security policies from-zone dc to-zone bootstrap policy esxc-set--windows match application esx-transport
set security policies from-zone dc to-zone bootstrap policy esxc-set--windows then permit
set security policies from-zone dc to-zone private policy permit-neo-bughunter-syslog match source-address neo-bughunter
set security policies from-zone dc to-zone private policy permit-neo-bughunter-syslog match destination-address ip-sectools01
set security policies from-zone dc to-zone private policy permit-neo-bughunter-syslog match application junos-syslog
set security policies from-zone dc to-zone private policy permit-neo-bughunter-syslog match application arcsite-syslog
set security policies from-zone dc to-zone private policy permit-neo-bughunter-syslog then permit
set security policies from-zone dc to-zone svc-ops policy mrepo--http match source-address neo-bughunter
set security policies from-zone dc to-zone svc-ops policy mrepo--http match destination-address mrepo
set security policies from-zone dc to-zone svc-ops policy mrepo--http match application junos-http
set security policies from-zone dc to-zone svc-ops policy mrepo--http then permit
set security policies from-zone dc to-zone private policy permit-neo-bughunter-netvault-inbound match source-address neo-bughunter
set security policies from-zone dc to-zone private policy permit-neo-bughunter-netvault-inbound match destination-address backup1.ops1.phx1
set security policies from-zone dc to-zone private policy permit-neo-bughunter-netvault-inbound match application backbone
set security policies from-zone dc to-zone private policy permit-neo-bughunter-netvault-inbound then permit

----------------------------------
prior to gateway swing on fw1.scl3
----------------------------------
set security zones security-zone neo-bughunter host-inbound-traffic system-services all
set security zones security-zone neo-bughunter address-book address sisyphus.bughunter 10.8.121.20/32
set security zones security-zone neo-bughunter address-book address proxy.bughunter.ateam.phx1 10.8.121.66/32
set security zones security-zone neo-bughunter address-book address ns1.bughunter.ateam.phx1.mozilla.com 10.8.121.16/32
set security zones security-zone neo-bughunter address-book address ns2.bughunter.ateam.phx1.mozilla.com 10.8.121.17/32
set security policies from-zone neo-bughunter to-zone untrust policy webservices match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy webservices match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone untrust policy webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone untrust policy webservices match application junos-http
set security policies from-zone neo-bughunter to-zone untrust policy webservices match application junos-https
set security policies from-zone neo-bughunter to-zone untrust policy webservices then permit
set security policies from-zone neo-bughunter to-zone untrust policy git match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy git match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy git match application git
set security policies from-zone neo-bughunter to-zone untrust policy git then permit
set security policies from-zone neo-bughunter to-zone untrust policy svn--ssh match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy svn--ssh match destination-address svn.mozilla.org
set security policies from-zone neo-bughunter to-zone untrust policy svn--ssh match application junos-ssh
set security policies from-zone neo-bughunter to-zone untrust policy svn--ssh then permit
set security policies from-zone neo-bughunter to-zone neo-bughunter apply-groups global-policies
set security policies from-zone neo-bughunter to-zone untrust apply-groups global-policies
set security policies from-zone neo-bughunter to-zone private apply-groups global-policies
set security policies from-zone neo-bughunter to-zone addons apply-groups global-policies
set security policies from-zone neo-bughunter to-zone webapp apply-groups global-policies
set security policies from-zone neo-bughunter to-zone db apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone web apply-groups global-policies
set security policies from-zone neo-bughunter to-zone qa apply-groups global-policies
set security policies from-zone neo-bughunter to-zone corpdmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ops apply-groups global-policies
set security policies from-zone neo-bughunter to-zone community apply-groups global-policies
set security policies from-zone neo-bughunter to-zone metrics apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bugs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone labs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone sec apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone paas apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bunker apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ateam apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpn apply-groups global-policies
set security policies from-zone neo-bughunter to-zone refspec-vms apply-groups global-policies
set security policies from-zone neo-bughunter to-zone mail apply-groups global-policies
set security policies from-zone neo-bughunter to-zone av apply-groups global-policies
set security policies from-zone neo-bughunter to-zone trust apply-groups global-policies
set security policies from-zone untrust to-zone neo-bughunter apply-groups global-policies
set security policies from-zone private to-zone neo-bughunter apply-groups global-policies
set security policies from-zone addons to-zone neo-bughunter apply-groups global-policies
set security policies from-zone webapp to-zone neo-bughunter apply-groups global-policies
set security policies from-zone db to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone web to-zone neo-bughunter apply-groups global-policies
set security policies from-zone qa to-zone neo-bughunter apply-groups global-policies
set security policies from-zone corpdmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ops to-zone neo-bughunter apply-groups global-policies
set security policies from-zone community to-zone neo-bughunter apply-groups global-policies
set security policies from-zone metrics to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bugs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone labs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone sec to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone paas to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bunker to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ateam to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpn to-zone neo-bughunter apply-groups global-policies
set security policies from-zone refspec-vms to-zone neo-bughunter apply-groups global-policies
set security policies from-zone mail to-zone neo-bughunter apply-groups global-policies
set security policies from-zone av to-zone neo-bughunter apply-groups global-policies
set security policies from-zone trust to-zone neo-bughunter apply-groups global-policies
set security zones security-zone ateam address-book address bughunter-osx-009.ateam.scl3 10.22.120.40/32
set security zones security-zone ateam address-book address bughunter-osx-008.ateam.scl3 10.22.120.39/32
set security zones security-zone ateam address-book address bughunter-osx-007.ateam.scl3 10.22.120.38/32
set security zones security-zone ateam address-book address bughunter-osx-006.ateam.scl3 10.22.120.37/32
set security zones security-zone ateam address-book address bughunter-osx-005.ateam.scl3 10.22.120.36/32
set security zones security-zone ateam address-book address bughunter-osx-004.ateam.scl3 10.22.120.35/32
set security zones security-zone ateam address-book address bughunter-osx-003.ateam.scl3 10.22.120.43/32
set security zones security-zone ateam address-book address bughunter-osx-002.ateam.scl3 10.22.120.42/32
set security zones security-zone ateam address-book address bughunter-osx-001.ateam.scl3 10.22.120.41/32
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-001.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-002.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-003.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-004.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-005.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-006.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-007.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-008.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match source-address bughunter-osx-009.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match destination-address sisyphus.bughunter
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match application http
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql match application mysql
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http-mysql then permit
set security policies from-zone ateam to-zone neo-bughunter policy ateam-to-proxy-bughunter match source-address any
set security policies from-zone ateam to-zone neo-bughunter policy ateam-to-proxy-bughunter match destination-address proxy.bughunter.ateam.phx1
set security policies from-zone ateam to-zone neo-bughunter policy ateam-to-proxy-bughunter match application squid
set security policies from-zone ateam to-zone neo-bughunter policy ateam-to-proxy-bughunter then permit
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-001.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-002.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-003.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-004.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-005.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-006.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-007.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-008.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match source-address bughunter-osx-009.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match destination-address ns1.bughunter.ateam.phx1.mozilla.com
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match destination-address ns2.bughunter.ateam.phx1.mozilla.com
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match application junos-dns-udp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns match application junos-dns-tcp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter--dns then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--crashdumps match source-address sp-admin01.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--crashdumps match destination-address sisyphus.bughunter
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--crashdumps match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--crashdumps then permit
set security zones security-zone dc address-book address ip-ganglia01.private.phx1 10.8.75.28/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--ganglia match source-address ip-ganglia01.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--ganglia match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--ganglia match application ganglia
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter--ganglia then permit
set security zones security-zone dc address-book address backup1.ops.phx1 10.8.75.36/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match source-address backup1.ops.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match application backbone-tcp
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match application backbone-udp
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out then permit
set security zones security-zone dc address-book address scan3.private.phx1 10.8.75.144/32
set security policies from-zone dc to-zone neo-bughunter policy scan3--any match source-address scan3.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy scan3--any match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy scan3--any match application any
set security policies from-zone dc to-zone neo-bughunter policy scan3--any then permit

-------------------------------------------------------------------
gateway swing:
-------------------------------------------------------------------

-----------
on fw1.phx1:
-----------
deactivate interfaces reth0 unit 121
deactivate security zones security-zone bughunter interfaces reth0.121

-----------
on fw1.scl3:
-----------
set interfaces reth0 unit 2121 description neo-bughunter
set interfaces reth0 unit 2121 vlan-id 2121
set interfaces reth0 unit 2121 family inet address 10.8.121.1/24
set security zones security-zone neo-bughunter interfaces reth0.2121
set forwarding-options helpers bootp interface reth0.2121
set policy-options policy-statement bgp-announce term announce-neo-bughunter from route-filter 10.8.121.0/24 exact
set policy-options policy-statement bgp-announce term announce-neo-bughunter then accept
edit policy-options policy-statement bgp-announce
insert term announce-neo-bughunter before term default-filter
top
I re-did all the security policy analysis because I found it pretty confusing to do yesterday. The results from my re-try today feel a lot more solid:

----------------------------------------------------------------------
on fw1.phx1:
----------------------------------------------------------------------
set security zones security-zone dc address-book address neo-bughunter 10.8.121.0/24
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match source-address neo-bughunter
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldapmaster.db.phx1-zlb
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldaps
set security policies from-zone dc to-zone db policy neo-bughunter-ldap then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy-test
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy1
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy3
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy4
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2-v6
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application squid
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhncap1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match destination-address mreop1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match destination-address ip-sectools01
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application arcsite-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog then permit
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match destination-address backup1.ops.phx1
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match application backbone
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match destination-address syslog1
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application as-mgr-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 then permit
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match destination-address puppet1
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application puppet
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application mcollective
set security policies from-zone dc to-zone private policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone private policy neo-bughunter-misc match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns01
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns02
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1a
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1b
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1-v75
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-ntp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-udp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dhcp-server
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-tftp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-misc then permit
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite6
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite-relay
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application statsd
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application tcp-8125
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite-pickle
set security policies from-zone dc to-zone private policy neo-bughunter-graphite then permit
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match destination-address as-conapp1
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog-auditd
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 then permit
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match destination-address mrepo
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo then permit

----------------------------------------------------------------------
on fw1.scl3:
----------------------------------------------------------------------
set security zones security-zone neo-bughunter address-book address sisyphus.bughunter 10.8.121.20/32
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match source-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match destination-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-http
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-https
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices then permit
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match source-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match destination-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match application git
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-http
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-https
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match application git
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match destination-address svn.mozilla.org
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match source-address sp-admin01.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match destination-address sisyphus.bughunter
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match source-address ip-ganglia01
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match application ganglia
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match source-address backup1.ops.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match application backbone
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out then permit
set security zones security-zone dc address-book address admin1a.private.phx1 10.8.75.6/32
set security zones security-zone dc address-book address admin1b.private.phx1 10.8.75.7/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.stage.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1a.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1b.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match source-address puppet1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match application junos-any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match source-address p2v1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-https
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v then permit
set security zones security-zone dc address-book address scan3.private.phx1 10.8.75.144/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match source-address scan3.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 then permit
set security zones security-zone ateam address-book address
bughunter-osx-001.ateam.scl3 10.22.120.41/32 set security zones security-zone ateam address-book address bughunter-osx-002.ateam.scl3 10.22.120.42/32 set security zones security-zone ateam address-book address bughunter-osx-003.ateam.scl3 10.22.120.43/32 set security zones security-zone ateam address-book address bughunter-osx-004.ateam.scl3 10.22.120.35/32 set security zones security-zone ateam address-book address bughunter-osx-005.ateam.scl3 10.22.120.36/32 set security zones security-zone ateam address-book address bughunter-osx-006.ateam.scl3 10.22.120.37/32 set security zones security-zone ateam address-book address bughunter-osx-007.ateam.scl3 10.22.120.38/32 set security zones security-zone ateam address-book address bughunter-osx-008.ateam.scl3 10.22.120.39/32 set security zones security-zone ateam address-book address bughunter-osx-009.ateam.scl3 10.22.120.40/32 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-001.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-002.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-003.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-004.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-005.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-006.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-007.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-008.ateam.scl3 set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-009.ateam.scl3 set security policies from-zone ateam 
to-zone neo-bughunter policy sisyphus--http match source-address bughunter-osx-set set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match destination-address sisyphs.bughunter set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application junos-http set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application mysql set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http then permit set security zones security-zone ateam address-book address ateam 10.22.120.0/24 set security zones security-zone neo-bughunter address-book address bughunter-proxy 10.8.121.66/32 set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match source-address ateam set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match destination-address bughunter-proxy set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match application squid set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy then permit set security zones security-zone neo-bughunter address-book address ns1.neo-bughunter.phx1 10.8.121.16/32 set security zones security-zone neo-bughunter address-book address ns2.neo-bughunter.phx1 10.8.121.17/32 set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match source-address bughunter-osx-set set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns1.neo-bughunter.phx1 set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns2.neo-bughunter.phx1 set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-udp set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-tcp set 
security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns then permit set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match source-address bacula1 set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match destination-address any set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match application from-bacula set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula then permit
complete set of changes I plan on making to the firewalls for this transition:

----------------------------------------------------------------------
on fw1.phx1:
----------------------------------------------------------------------
set security zones security-zone dc address-book address neo-bughunter 10.8.121.0/24
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match source-address neo-bughunter
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldapmaster.db.phx1-zlb
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldaps
set security policies from-zone dc to-zone db policy neo-bughunter-ldap then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy-test
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy1
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy3
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy4
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2-v6
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application squid
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhncap1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match destination-address mreop1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match destination-address ip-sectools01
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application arcsite-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog then permit
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match destination-address backup1.ops.phx1
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match application backbone
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match destination-address syslog1
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application as-mgr-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 then permit
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match destination-address puppet1
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application puppet
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application mcollective
set security policies from-zone dc to-zone private policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone private policy neo-bughunter-misc match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns01
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns02
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1a
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1b
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1-v75
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-ntp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-udp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dhcp-server
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-tftp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-misc then permit
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite6
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite-relay
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application statsd
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application tcp-8125
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite-pickle
set security policies from-zone dc to-zone private policy neo-bughunter-graphite then permit
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match destination-address as-conapp1
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog-auditd
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 then permit
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match destination-address mrepo
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo then permit

----------------------------------------------------------------------
on fw1.scl3:
----------------------------------------------------------------------
set security zones security-zone neo-bughunter address-book address sisyphus.bughunter 10.8.121.20/32
set security zones security-zone neo-bughunter host-inbound-traffic system-services all
set security policies from-zone neo-bughunter to-zone neo-bughunter apply-groups global-policies
set security policies from-zone neo-bughunter to-zone untrust apply-groups global-policies
set security policies from-zone neo-bughunter to-zone private apply-groups global-policies
set security policies from-zone neo-bughunter to-zone addons apply-groups global-policies
set security policies from-zone neo-bughunter to-zone webapp apply-groups global-policies
set security policies from-zone neo-bughunter to-zone db apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone web apply-groups global-policies
set security policies from-zone neo-bughunter to-zone qa apply-groups global-policies
set security policies from-zone neo-bughunter to-zone corpdmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ops apply-groups global-policies
set security policies from-zone neo-bughunter to-zone community apply-groups global-policies
set security policies from-zone neo-bughunter to-zone metrics apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bugs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone labs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone sec apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone paas apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bunker apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ateam apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpn apply-groups global-policies
set security policies from-zone neo-bughunter to-zone refspec-vms apply-groups global-policies
set security policies from-zone neo-bughunter to-zone mail apply-groups global-policies
set security policies from-zone neo-bughunter to-zone av apply-groups global-policies
set security policies from-zone neo-bughunter to-zone trust apply-groups global-policies
set security policies from-zone untrust to-zone neo-bughunter apply-groups global-policies
set security policies from-zone private to-zone neo-bughunter apply-groups global-policies
set security policies from-zone addons to-zone neo-bughunter apply-groups global-policies
set security policies from-zone webapp to-zone neo-bughunter apply-groups global-policies
set security policies from-zone db to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone web to-zone neo-bughunter apply-groups global-policies
set security policies from-zone qa to-zone neo-bughunter apply-groups global-policies
set security policies from-zone corpdmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ops to-zone neo-bughunter apply-groups global-policies
set security policies from-zone community to-zone neo-bughunter apply-groups global-policies
set security policies from-zone metrics to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bugs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone labs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone sec to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone paas to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bunker to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ateam to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpn to-zone neo-bughunter apply-groups global-policies
set security policies from-zone refspec-vms to-zone neo-bughunter apply-groups global-policies
set security policies from-zone mail to-zone neo-bughunter apply-groups global-policies
set security policies from-zone av to-zone neo-bughunter apply-groups global-policies
set security policies from-zone trust to-zone neo-bughunter apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match source-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match destination-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-http
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices match application junos-https
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-webservices then permit
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match source-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match destination-address any
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git match application git
set security policies from-zone neo-bughunter to-zone dc policy neo-bughunter-git then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-http
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-https
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match application git
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match destination-address svn.mozilla.org
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match application junos-ssh
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match source-address sp-admin01.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match destination-address sisyphus.bughunter
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match source-address ip-ganglia01
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match application ganglia
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match source-address backup1.ops.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match application backbone
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out then permit
set security zones security-zone dc address-book address admin1a.private.phx1 10.8.75.6/32
set security zones security-zone dc address-book address admin1b.private.phx1 10.8.75.7/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.stage.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1a.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1b.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match source-address puppet1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match application junos-any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match source-address p2v1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-https
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v then permit
set security zones security-zone dc address-book address scan3.private.phx1 10.8.75.144/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match source-address scan3.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 then permit
set security zones security-zone ateam address-book address bughunter-osx-001.ateam.scl3 10.22.120.41/32
set security zones security-zone ateam address-book address bughunter-osx-002.ateam.scl3 10.22.120.42/32
set security zones security-zone ateam address-book address bughunter-osx-003.ateam.scl3 10.22.120.43/32
set security zones security-zone ateam address-book address bughunter-osx-004.ateam.scl3 10.22.120.35/32
set security zones security-zone ateam address-book address bughunter-osx-005.ateam.scl3 10.22.120.36/32
set security zones security-zone ateam address-book address bughunter-osx-006.ateam.scl3 10.22.120.37/32
set security zones security-zone ateam address-book address bughunter-osx-007.ateam.scl3 10.22.120.38/32
set security zones security-zone ateam address-book address bughunter-osx-008.ateam.scl3 10.22.120.39/32
set security zones security-zone ateam address-book address bughunter-osx-009.ateam.scl3 10.22.120.40/32
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-001.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-002.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-003.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-004.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-005.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-006.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-007.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-008.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-009.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match source-address bughunter-osx-set
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match destination-address sisyphus.bughunter
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application junos-http
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application mysql
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http then permit
set security zones security-zone ateam address-book address ateam 10.22.120.0/24
set security zones security-zone neo-bughunter address-book address bughunter-proxy 10.8.121.66/32
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match source-address ateam
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match destination-address bughunter-proxy
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match application squid
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy then permit
set security zones security-zone neo-bughunter address-book address ns1.neo-bughunter.phx1 10.8.121.16/32
set security zones security-zone neo-bughunter address-book address ns2.neo-bughunter.phx1 10.8.121.17/32
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match source-address bughunter-osx-set
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns1.neo-bughunter.phx1
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns2.neo-bughunter.phx1
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-udp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-tcp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns then permit
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match source-address bacula1
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match destination-address any
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match application from-bacula
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula then permit

-------------------------------------------------------------------
gateway swing:
-------------------------------------------------------------------

-----------
on fw1.phx1:
-----------
deactivate interfaces reth0 unit 121
deactivate security zones security-zone bughunter interfaces reth0.121

-----------
on fw1.scl3:
-----------
set interfaces reth0 unit 2121 description neo-bughunter
set interfaces reth0 unit 2121 vlan-id 2121
set interfaces reth0 unit 2121 family inet address 10.8.121.1/24
set security zones security-zone neo-bughunter interfaces reth0.2121
set forwarding-options helpers bootp interface reth0.2121
set policy-options policy-statement bgp-announce term announce-neo-bughunter from route-filter 10.8.121.0/24 exact
set policy-options policy-statement bgp-announce term announce-neo-bughunter then accept
edit policy-options policy-statement bgp-announce
insert term announce-neo-bughunter before term default-filter
top
When I went to add the security policies that I had written up, I found several typos and other errors. For the sake of posterity/clarity, here is the corrected version...

----------------------------------------------------------------------
on fw1.phx1:
----------------------------------------------------------------------
set security zones security-zone dc address-book address neo-bughunter 10.8.121.0/24
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match source-address neo-bughunter
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match destination-address ldapmaster.db.phx1-zlb
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldap
set security policies from-zone dc to-zone db policy neo-bughunter-ldap match application ldaps
set security policies from-zone dc to-zone db policy neo-bughunter-ldap then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy-test
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy1
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy3
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy4
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match destination-address proxy2-v6
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application squid
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-proxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhncap1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy2
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match destination-address rhnproxy
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-rhnproxy then permit
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match destination-address mrepo1.dmz.phx1
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo match application junos-https
set security policies from-zone dc to-zone dmz policy neo-bughunter-mrepo then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match destination-address ip-sectools01
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog match application arcsite-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog then permit
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match destination-address backup1.ops.phx1
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in match application backbone
set security policies from-zone dc to-zone private policy neo-bughunter-netvault-in then permit
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match destination-address syslog1
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application junos-syslog
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 match application as-mgr-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-syslog1 then permit
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match destination-address puppet1
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application puppet
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-puppet match application mcollective
set security policies from-zone dc to-zone private policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone private policy neo-bughunter-misc match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns01
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address ip-ns02
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1a
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1b
set security policies from-zone dc to-zone private policy neo-bughunter-misc match destination-address admin1-v75
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-ntp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-udp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dns-tcp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-dhcp-server
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-tftp
set security policies from-zone dc to-zone private policy neo-bughunter-misc match application junos-http
set security policies from-zone dc to-zone private policy neo-bughunter-misc then permit
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite6
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match destination-address graphite-relay
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application statsd
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application tcp-8125
set security policies from-zone dc to-zone private policy neo-bughunter-graphite match application graphite-pickle
set security policies from-zone dc to-zone private policy neo-bughunter-graphite then permit
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match source-address neo-bughunter
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match destination-address as-conapp1
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 match application syslog-auditd
set security policies from-zone dc to-zone private policy neo-bughunter-as-conapp1 then permit
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match source-address neo-bughunter
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match destination-address mrepo
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo match application junos-http
set security policies from-zone dc to-zone svc-ops policy neo-bughunter-mrepo then permit

----------------------------------------------------------------------
on fw1.scl3:
----------------------------------------------------------------------
set security zones security-zone neo-bughunter address-book address sisyphus.bughunter 10.8.121.20/32
set security zones security-zone neo-bughunter host-inbound-traffic system-services all
set security policies from-zone neo-bughunter to-zone neo-bughunter apply-groups global-policies
set security policies from-zone neo-bughunter to-zone untrust apply-groups global-policies
set security policies from-zone neo-bughunter to-zone private apply-groups global-policies
set security policies from-zone neo-bughunter to-zone addons apply-groups global-policies
set security policies from-zone neo-bughunter to-zone webapp apply-groups global-policies
set security policies from-zone neo-bughunter to-zone db apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone web apply-groups global-policies
set security policies from-zone neo-bughunter to-zone qa apply-groups global-policies
set security policies from-zone neo-bughunter to-zone corpdmz apply-groups global-policies
set security policies from-zone neo-bughunter to-zone dc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ops apply-groups global-policies
set security policies from-zone neo-bughunter to-zone community apply-groups global-policies
set security policies from-zone neo-bughunter to-zone metrics apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bugs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone labs apply-groups global-policies
set security policies from-zone neo-bughunter to-zone sec apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpc apply-groups global-policies
set security policies from-zone neo-bughunter to-zone paas apply-groups global-policies
set security policies from-zone neo-bughunter to-zone bunker apply-groups global-policies
set security policies from-zone neo-bughunter to-zone ateam apply-groups global-policies
set security policies from-zone neo-bughunter to-zone vpn apply-groups global-policies
set security policies from-zone neo-bughunter to-zone refspec-vms apply-groups global-policies
set security policies from-zone neo-bughunter to-zone mail apply-groups global-policies
set security policies from-zone neo-bughunter to-zone av apply-groups global-policies
set security policies from-zone neo-bughunter to-zone trust apply-groups global-policies
set security policies from-zone untrust to-zone neo-bughunter apply-groups global-policies
set security policies from-zone private to-zone neo-bughunter apply-groups global-policies
set security policies from-zone addons to-zone neo-bughunter apply-groups global-policies
set security policies from-zone webapp to-zone neo-bughunter apply-groups global-policies
set security policies from-zone db to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone web to-zone neo-bughunter apply-groups global-policies
set security policies from-zone qa to-zone neo-bughunter apply-groups global-policies
set security policies from-zone corpdmz to-zone neo-bughunter apply-groups global-policies
set security policies from-zone dc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ops to-zone neo-bughunter apply-groups global-policies
set security policies from-zone community to-zone neo-bughunter apply-groups global-policies
set security policies from-zone metrics to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bugs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone labs to-zone neo-bughunter apply-groups global-policies
set security policies from-zone sec to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpc to-zone neo-bughunter apply-groups global-policies
set security policies from-zone paas to-zone neo-bughunter apply-groups global-policies
set security policies from-zone bunker to-zone neo-bughunter apply-groups global-policies
set security policies from-zone ateam to-zone neo-bughunter apply-groups global-policies
set security policies from-zone vpn to-zone neo-bughunter apply-groups global-policies
set security policies from-zone refspec-vms to-zone neo-bughunter apply-groups global-policies
set security policies from-zone mail to-zone neo-bughunter apply-groups global-policies
set security policies from-zone av to-zone neo-bughunter apply-groups global-policies
set security policies from-zone trust to-zone neo-bughunter apply-groups global-policies
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-udp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-dns-tcp
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-http
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices match application junos-https
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-webservices then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match destination-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git match application git
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-git then permit
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match source-address any
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match destination-address svn.mozilla.org
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh match application junos-ssh
set security policies from-zone neo-bughunter to-zone untrust policy neo-bughunter-svn--ssh then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match source-address sp-admin01.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match destination-address sisyphus.bughunter
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-crashdumps then permit
set security zones security-zone dc address-book address ip-ganglia01 10.8.75.28/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match source-address ip-ganglia01
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia match application ganglia
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-ganglia then permit
set security zones security-zone dc address-book address backup1.ops.phx1 10.8.75.36/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match source-address backup1.ops.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out match application backbone
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-netvault-out then permit
set security zones security-zone dc address-book address admin1a.private.phx1 10.8.75.6/32
set security zones security-zone dc address-book address admin1b.private.phx1 10.8.75.7/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.stage.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address nagios1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1a.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match source-address admin1b.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-nagios-phx1 then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match source-address puppet1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-puppet then permit
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match source-address p2v1.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-ssh
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v match application junos-https
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-p2v then permit
set security zones security-zone dc address-book address scan3.private.phx1 10.8.75.144/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match source-address scan3.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 then permit
set security zones security-zone ateam address-book address bughunter-osx-001.ateam.scl3 10.22.120.41/32
set security zones security-zone ateam address-book address bughunter-osx-002.ateam.scl3 10.22.120.42/32
set security zones security-zone ateam address-book address bughunter-osx-003.ateam.scl3 10.22.120.43/32
set security zones security-zone ateam address-book address bughunter-osx-004.ateam.scl3 10.22.120.35/32
set security zones security-zone ateam address-book address bughunter-osx-005.ateam.scl3 10.22.120.36/32
set security zones security-zone ateam address-book address bughunter-osx-006.ateam.scl3 10.22.120.37/32
set security zones security-zone ateam address-book address bughunter-osx-007.ateam.scl3 10.22.120.38/32
set security zones security-zone ateam address-book address bughunter-osx-008.ateam.scl3 10.22.120.39/32
set security zones security-zone ateam address-book address bughunter-osx-009.ateam.scl3 10.22.120.40/32
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-001.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-002.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-003.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-004.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-005.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-006.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-007.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-008.ateam.scl3
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-009.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match source-address bughunter-osx-set
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match destination-address sisyphus.bughunter
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application junos-http
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application mysql
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http then permit
set security zones security-zone ateam address-book address ateam 10.22.120.0/24
set security zones security-zone neo-bughunter address-book address bughunter-proxy 10.8.121.66/32
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match source-address ateam
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match destination-address bughunter-proxy
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy match application squid
set security policies from-zone ateam to-zone neo-bughunter policy neo-bughunter-ateam-proxy then permit
set security zones security-zone neo-bughunter address-book address ns1.neo-bughunter.phx1 10.8.121.16/32
set security zones security-zone neo-bughunter address-book address ns2.neo-bughunter.phx1 10.8.121.17/32
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match source-address bughunter-osx-set
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns1.neo-bughunter.phx1
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match destination-address ns2.neo-bughunter.phx1
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-udp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns match application junos-dns-tcp
set security policies from-zone ateam to-zone neo-bughunter policy bughunter-dns then permit
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match source-address bacula1
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match destination-address any
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula match application from-bacula
set security policies from-zone private to-zone neo-bughunter policy bughunter--bacula then permit

-------------------------------------------------------------------
gateway swing:
-------------------------------------------------------------------

-----------
on fw1.phx1:
-----------
deactivate interfaces reth0 unit 121
deactivate security zones security-zone bughunter interfaces reth0.121

-----------
on fw1.scl3:
-----------
set interfaces reth0 unit 2121 description neo-bughunter
set interfaces reth0 unit 2121 vlan-id 2121
set interfaces reth0 unit 2121 family inet address 10.8.121.1/24
set security zones security-zone neo-bughunter interfaces reth0.2121
set forwarding-options helpers bootp interface reth0.2121
set policy-options policy-statement bgp-announce term announce-neo-bughunter from route-filter 10.8.121.0/24 exact
set policy-options policy-statement bgp-announce term announce-neo-bughunter then accept
edit policy-options policy-statement bgp-announce
insert term announce-neo-bughunter before term default-filter
top
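The comment above notes that the first draft of this policy set contained typos that only surfaced at commit time (the earlier draft references `sisyphs.bughunter`, which is never defined). A small pre-commit lint over a Junos `set`-style dump catches that class of error offline and, at the same time, flags the policies a reviewer would want to look at twice: `application any` permits (here `neo-bughunter-nagios-phx1`, `neo-bughunter-puppet`, `neo-bughunter-scan3`) and a zone with `host-inbound-traffic system-services all`. The script below is an added example, not code from this bug or from Mozilla's tooling. It assumes the dump is a list of `set security ...` lines like the ones pasted in this bug; a name that a policy references but that this dump never defines may already exist on the firewall, so it is reported as a warning, and as a likely typo only when a near-identical name is defined in the same zone. The sample input is constructed for the example in the same shape as the bug's config.

```python
"""Pre-commit lint for a Junos SRX 'set'-style security policy dump.

Added example; not code from this bug or from Mozilla's firewall tooling.
Assumptions (not from the page): the dump is a list of 'set security ...'
lines; an address referenced by a policy but not defined in this dump may
already exist on the firewall (warning), unless a near-identical name is
defined in the same zone (reported as a likely typo).
"""
import difflib
import re
from collections import defaultdict

ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address(?:-set)? (\S+)")
HIT_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?")
BUILTIN = {"any", "any-ipv4", "any-ipv6"}          # predefined Junos address names
FIELDS = {"source-address": "source", "destination-address": "destination",
          "application": "application"}

# Constructed sample in the shape of the bug's config: one deliberate typo
# ('sisyphs'), one 'application any' rule, one fully open host-inbound zone.
SAMPLE = """
set security zones security-zone neo-bughunter address-book address sisyphus.bughunter 10.8.121.20/32
set security zones security-zone neo-bughunter host-inbound-traffic system-services all
set security zones security-zone ateam address-book address bughunter-osx-001.ateam.scl3 10.22.120.41/32
set security zones security-zone ateam address-book address-set bughunter-osx-set address bughunter-osx-001.ateam.scl3
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match source-address bughunter-osx-set
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match destination-address sisyphs.bughunter
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http match application junos-http
set security policies from-zone ateam to-zone neo-bughunter policy sisyphus--http then permit
set security zones security-zone dc address-book address scan3.private.phx1 10.8.75.144/32
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match source-address scan3.private.phx1
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match destination-address any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 match application any
set security policies from-zone dc to-zone neo-bughunter policy neo-bughunter-scan3 then permit
"""


def parse(text):
    """Return (book, open_zones, policies).

    book:       zone -> names defined in that zone's address-book (addresses and sets)
    open_zones: zones whose host-inbound-traffic system-services is 'all'
    policies:   (from_zone, to_zone, name) -> match sets plus the 'then' action
    """
    book, open_zones, policies = defaultdict(set), set(), {}
    for line in text.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            book[m.group(1)].add(m.group(2))
        elif m := HIT_RE.match(line):
            if m.group(2) == "all":
                open_zones.add(m.group(1))
        elif m := POLICY_RE.match(line):
            key = (m.group(1), m.group(2), m.group(3))
            pol = policies.setdefault(key, {"source": set(), "destination": set(),
                                            "application": set(), "action": None})
            if m.group(4) == "then":
                pol["action"] = m.group(5)
            elif m.group(5) in FIELDS:
                pol[FIELDS[m.group(5)]].add(m.group(6))
    return book, open_zones, policies


def lint(text):
    """Return findings as (severity, subject, message) tuples."""
    book, open_zones, policies = parse(text)
    findings = [("medium", z, "host-inbound-traffic system-services all")
                for z in sorted(open_zones)]
    for (fz, tz, name), pol in sorted(policies.items()):
        # Source names must resolve in the from-zone book, destinations in the to-zone book.
        for field, zone in (("source", fz), ("destination", tz)):
            for addr in sorted(pol[field] - BUILTIN):
                if addr in book[zone]:
                    continue
                near = difflib.get_close_matches(addr, sorted(book[zone]), n=1, cutoff=0.85)
                if near:
                    findings.append(("error", name,
                                     f"{field} '{addr}' undefined in zone {zone}; likely typo for '{near[0]}'"))
                else:
                    findings.append(("warn", name,
                                     f"{field} '{addr}' not defined in this dump for zone {zone}"))
        if pol["action"] is None:
            findings.append(("error", name, "no 'then' action; policy is incomplete"))
        elif pol["action"] == "permit" and "any" in pol["application"]:
            sev = "high" if "any" in pol["destination"] else "medium"
            findings.append((sev, name, "permits 'application any'"))
    return findings


if __name__ == "__main__":
    for sev, subject, msg in lint(SAMPLE):
        print(f"[{sev}] {subject}: {msg}")
```

Run against the corrected dump above, the warnings for names such as `puppet1.private.phx1` or `bacula1` are expected (they are defined elsewhere on the firewalls), while anything reported as a likely typo is what would have failed the commit.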
Vlan 2121 in SCL3 has been trunked from the core switches to the firewall. Both fw1.phx1 and fw1.scl3 have been configured with the security policies that will be needed when the gateway move occurs. gcox and cknowles are in the process of vmotioning VMs now. I have liaised with rtucker regarding aligning our changes, the gateway swing and the DHCP server change.
Word this morning is that the VMs for bughunter have finished being vmotioned from PHX1 to SCL3.
Indeed. Have emailed the owner to discuss the timing for the gateway swingover. (as well as permission to start on the ateam vlan VMs)
Gateway has been swung. DHCP works. Will leave this bug open for another 24-48 hours in case problems come up.
(In reply to Dave Curado :dcurado from comment #5)
> The answer to your question is not quite as simple as you'd like.
>
> a) yes, we're creating a new vlan in SCL3, for a while, it will be connected to the
> bughunter vlan in PHX1. In other words, those two vlans will be joined together.
>
> b) we will not, however, create a new security-zone on fw1.scl3. As vlans are moved
> from PHX1 to SCL3, we will put those vlans under existing security-zones.
>
> Example: the private vlan in SCL3 is vlan-id 75
> when we create the phx1-private-vlan-in-scl3, it will have vlan-id 2075
> then the private security-zone on fw1.scl3 will include both vlans, connected via reth0.75 and reth0.2075
>
> c) at some point in the future, if it makes sense to do so, the organization can opt
> to move each host/vm out of vlan-id 2075 and merge them into vlan-id 75.
> That could happen 1 by 1, in a sane an orderly fashion. (one would hope)
>
> HTHs.

Thanks, that's helpful. Now you've said that we will not create another security zone in scl3 but we've created one - neo-bughunter. What is it representing?
OK, let me re-state my previous statement. =-)

When we move a vlan/subnet from PHX1 to SCL3, if there is a "like-minded vlan/subnet" in SCL3, we will put the PHX1 vlan/subnet into the same security zone. If, on the other hand, there is not a "like-minded vlan/subnet" in SCL3, then we'll create a new security zone for it.

Examples:
phx1:bughunter - there was no bughunter vlan in SCL3, so I created a new security zone
phx1:ateam - there is an ateam vlan in SCL3, so the neo-ateam vlan will be added to that security zone.

Please write with any questions. Thanks.
Thanks, everything makes sense now. And it's elegant. MPLS++
The VPLS instance for the bughunter transition has been taken down. No need to leave it up.
It's been several days, and we have not received any problem reports related to this change, so I'm calling this complete. Please re-open this bug if any problems should come up. Thanks.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Change Request: --- → approved
Flags: cab-review+
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard