[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Steve Hulshof cereal at gmail.com
Thu Dec 17 10:16:15 EST 2015


Sorry, small mistake in the config... this is what happens when you write
it by hand in an email!

set groups ADD_DEFAULT_FW firewall family inet filter metro-access term default-all then accept
set apply-groups ADD_DEFAULT_FW

set groups ADD_DEFAULT_FW firewall family inet filter <*> term default-all then accept
set apply-groups ADD_DEFAULT_FW

On Thu, Dec 17, 2015 at 10:10 AM Steve Hulshof <cereal at gmail.com> wrote:

> You can delete the term default-all from metro-access filter and then use
> groups to add the term at the end like this:
>
> set groups ADD_DEFAULT_FW firewall family inet filter metro-access default-all all then accept
> set apply-groups ADD_DEFAULT_FW
>
> This will add your default term to the end of the filter after you commit.
> You will not see the term when you do "show configuration firewall filter
> metro-access" unless you add " | display inheritance" at the end of the
> show command
>
> If you want to apply this to all firewall filters you can do the following:
>
> set groups ADD_DEFAULT_FW firewall family inet filter <*> default-all all then accept
> set apply-groups ADD_DEFAULT_FW
>
>
> Thanks,
>
> Steve
>
>
>
> On Thu, Dec 17, 2015 at 9:28 AM Chen Jiang <ilovebgp4 at gmail.com> wrote:
>
>> Hi! Jordan
>>
>> The end user's MX has a firewall filter named metro-access with many terms
>> in it, like the one below:
>>
>> lab at mx# show firewall family inet filter metro-access
>>
>> term inside-test {
>>     from {
>>         source-address {
>>             124.42.96.208/29;
>>         }
>>     }
>>     then {
>>         policer inside-test-2m;
>>         accept;
>>     }
>> }
>> term bj_kun_lun_fan_dian-15m {
>>     from {
>>         source-address {
>>             119.253.129.64/28;
>>         }
>>     }
>>     then {
>>         policer bj_kun_lun_fan_dian-15m;
>>         accept;
>>     }
>> }
>> ...
>> term default-all {
>>     then accept;
>> }
>>
>> Every time the end user wants to add a new network he creates a term matching
>> the new net's source address and adds it before the last "default-all" term.
>>
>> Using a JUNOS OP script we could simplify this procedure: auto-generate the
>> new term content and merge it into the configuration (this step was tested
>> successfully in the POC lab), but the new term is always placed as the last
>> term in the firewall filter. I haven't found any method to insert the new
>> term before the original last "accept all" term, and this means traffic
>> never hits the generated new term.
>>
>> Thanks for your help!
>>
>> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head.ny at gmail.com>
>> wrote:
>>
>> > Hi James
>> >
>> > An op script could definitely do this, but I haven't seen a basic template
>> > for this use case.  Depending on *exactly* what you want it to do, it might
>> > be a better job for Python, and maybe some netconf.
>> >
>> > Here's something that might help get you started.
>> >
>> >
>> >
>> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>> >
>> > How complex are the rules that need to be generated?  Could you provide
>> > some examples?  Feel free to ping me off list if necessary.
>> >
>> > -JH
>> >
>> > > On Dec 17, 2015, at 2:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
>> > >
>> > > Hi! Experts
>> > >
>> > > I have a requirement from an end user who wants to automate the firewall
>> > > filter configuration procedure, that is, they want to use an OP script to
>> > > generate a customized firewall filter term and add it before the last
>> > > "deny all" term.
>> > >
>> > > I have searched the official documents but couldn't find helpful
>> > > information; it seems there is no method to manage firewall filter term
>> > > sequence in the SLAX language.
>> > >
>> > > Could you please shed some light on this if you have experience with it.
>> > > Thanks!
>> > >
>> > > --
>> > > BR!
>> > > James Chen
>> > > _______________________________________________
>> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>>
>>
>>
>> --
>> BR!
>> James Chen
>>
>
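Added example for this thread (my own code, not from any of the posts above): a small Python generator for the job James describes, building the new source-address term and the statement that places it ahead of the filter's existing last term instead of after it. Junos configuration mode has an `insert ... before term ...` statement for ordered lists such as filter terms, and that is what the generated CLI lines use; the XML variant assumes the `insert="before"` / `name="<reference term>"` attribute layout of the Junos XML protocol's ordered-list insert, so check that attribute shape against your release's XML API docs before relying on it. The filter text, prefix, term and policer names are constructed sample values in the shape of the metro-access filter quoted above. Because the inputs come from an end-user front end, the identifiers and prefix are validated before being spliced into any statement, so a value like `x; delete firewall` cannot turn one generated line into several.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the metro-access filter quoted in the
# thread; it is not a dump from a real device.
SAMPLE_FILTER = """\
term inside-test {
    from {
        source-address {
            124.42.96.208/29;
        }
    }
    then {
        policer inside-test-2m;
        accept;
    }
}
term default-all {
    then accept;
}
"""

TERM_RE = re.compile(r"^\s*term\s+(\S+)\s*\{", re.MULTILINE)
# Characters allowed in identifiers we splice into statements. Anything else
# (spaces, ';', quotes, newlines) could smuggle extra configuration in.
IDENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def term_names(filter_text):
    """Return the term names in the order the filter evaluates them."""
    return TERM_RE.findall(filter_text)


def validate(filter_name, term_name, prefix, policer, filter_text):
    """Check caller-supplied values; return (IPv4Network, name of current last term)."""
    for ident in (filter_name, term_name, policer):
        if not IDENT_RE.match(ident):
            raise ValueError("unsafe identifier: %r" % (ident,))
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits and junk
    if net.version != 4:
        raise ValueError("family inet filter needs an IPv4 prefix")
    names = term_names(filter_text)
    if not names:
        raise ValueError("no terms found in filter text")
    if term_name in names:
        raise ValueError("term %s already exists" % term_name)
    return net, names[-1]


def build_set_commands(filter_name, term_name, prefix, policer, filter_text):
    """CLI lines: create the term, then move it ahead of the current last term."""
    net, last = validate(filter_name, term_name, prefix, policer, filter_text)
    base = "set firewall family inet filter %s term %s" % (filter_name, term_name)
    return [
        "%s from source-address %s" % (base, net),
        "%s then policer %s" % (base, policer),
        "%s then accept" % base,
        "insert firewall family inet filter %s term %s before term %s"
        % (filter_name, term_name, last),
    ]


def build_xml(filter_name, term_name, prefix, policer, filter_text):
    """Same change as a <configuration> fragment for a NETCONF load-configuration.

    Assumption: the ordered-list insert is expressed with insert="before" and
    name="<reference term>" attributes on the new <term> element.
    """
    net, last = validate(filter_name, term_name, prefix, policer, filter_text)
    conf = ET.Element("configuration")
    inet = ET.SubElement(ET.SubElement(ET.SubElement(conf, "firewall"), "family"), "inet")
    filt = ET.SubElement(inet, "filter")
    ET.SubElement(filt, "name").text = filter_name
    term = ET.SubElement(filt, "term", insert="before", name=last)
    ET.SubElement(term, "name").text = term_name
    src = ET.SubElement(ET.SubElement(term, "from"), "source-address")
    ET.SubElement(src, "name").text = str(net)
    then = ET.SubElement(term, "then")
    ET.SubElement(then, "policer").text = policer
    ET.SubElement(then, "accept")
    return ET.tostring(conf, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: a new /28 with its own policer, placed before default-all.
    args = ("metro-access", "new-site-10m", "203.0.113.0/28", "new-site-10m", SAMPLE_FILTER)
    print("\n".join(build_set_commands(*args)))
    print(build_xml(*args))
```

The set/insert lines can be pasted into configuration mode or fed to `load set`; the XML string is the shape a `load-configuration` RPC would carry over NETCONF, which is the Python-plus-netconf route Jordan mentions. Feed `term_names()` the output of `show configuration firewall family inet filter <name>` so the reference term is read from the box rather than hard-coded, and keep the `| display inheritance` point from Steve's reply in mind: a term that only exists through apply-groups will not appear in that output.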

