Automation

Hello everyone!

I am trying to write an event script, which changes a term in firewall-filter if a route disappears.

I am resolving messages: 

<load-configuration-results>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm">
<token xmlns="">name</token>
<message xmlns="">syntax error</message>
</xnm:error>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm">
<token xmlns="">name</token>
<message xmlns="">syntax error</message>
</xnm:error>
<load-error-count>2</load-error-count>
</load-configuration-results>Aug 28 10:33:10 end dump

As far as I understand, a name of a filter itself or  a term leads to such an error.

1. What are the possibillities to solve that problem?

The idea for conditions is that if the result of show route | match x.x.x.x is empty, the term discards packets.

However, the condition doesn`t work.

The script is below.

1) How to deal with 2 errors?

2) That are possible ways to make the condition work?

version 1.0;
ns Junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
<event-script-results> {
/*
* Open connection with mgd
*/
var $con = jcs:open();

if (not($con)) {
call emit-error($message = "Not able to connect to local mgd");
}

var $command = <command> "show route | match 0.0.0.0";
var $results = jcs:invoke( $command );
<output> $results;

if (jcs:empty($results)) {
/* apply policy */
var $disable = <configuration> {
<firewall> {
<family> {
<name> "inet";
<filter> {
<name> "CoPP";
<term> {
<name> "remote_access";
<then> {
<discard>;
}
}
}
}
}
}
<output> "default route is absoned";
call jcs:load-configuration($connection = $con, $configuration = $disable);
}

else {
/* undo the policy */
var $acceptance = <configuration> {
<firewall> {
<family> {
<name> "inet";
<filter> {
<name> "CoPP";
<term> {
<name> "remote_access";
<then> {
<accept>;
}
}
}
}
}
}
<output> "default exists";
call jcs:load-configuration($connection = $con, $configuration = $acceptance);
}


/*
* apply policy
*/

/*
* Close the mgd connection
*/
expr jcs:close($con);
}
}

Just from a quick glance, your error message indicates a syntax error. And I think it has to do with the config of your filter. Where you have this config:

if (jcs:empty($results)) {
    /* apply policy */
    var $disable = <configuration> {
        <firewall> {
            <family> {
                <name> "inet";
                    <filter> {
                        <name> "CoPP"; 
                        <term> {
                            <name> "remote_access";
                            <then> {
                                <discard>;
                            }
                        }
                    }
                }
            }
        }
    }
    <output> "default route is absoned";
    call jcs:load-configuration($connection = $con, $configuration = $disable);
}

Instead of '<name> "inet";' it should be:

if (jcs:empty($results)) {
    /* apply policy */
    var $disable = <configuration> {
        <firewall> {
            <family> {
                <inet> {
                    <filter> {
                        <name> "CoPP"; 
                        <term> {
                            <name> "remote_access";
                            <then> {
                                <discard>;
                            }
                        }
                    }
                }
            }
        }
    }
    <output> "default route is absoned";
    call jcs:load-configuration($connection = $con, $configuration = $disable);
}

Try fixing that in both spots where you have this config and give it a try.

Thank you for your answer! It helped.

upd: even if I simplify <command> to "show route 1.2.3.4" and such route doesn`t exist, condition "if (jcs:empty($results))" is never true anyway.