Automation

  • 1.  Replace destination-address on filter

    Posted 07-08-2016 07:31

    I've got a script that I'm using to update a firewall filter destination-address. Currently I'm doing two commits - 1 to delete and 1 to set the new destination-address.

     

    Here's my "delete" configuration to remove the "fake" ip:

     

    var $delete-change = {
        <configuration> {
            <firewall> {
                <family> {
                    <inet> {
                        <filter> {
                            <name> $filtername;
                            <term> {
                                <name> $termname;
                                <from> {
                                    <destination-address delete="delete"> {
                                        <name> $fakeip;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    Here's my "add" configuration to add the correct destination-address to filter:

     

    var $add-change = {
        <configuration> {
            <firewall> {
                <family> {
                    <inet> {
                        <filter> {
                            <name> $filtername;
                            <term> {
                                <name> $termname;
                                <from> {
                                    <destination-address> {
                                        <name> $realip;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    Is there a way to just replace the destination-address on the filter?



  • 2.  RE: Replace destination-address on filter

     
    Posted 07-08-2016 08:11


  • 3.  RE: Replace destination-address on filter

    Posted 07-08-2016 10:10

    I've tried replace=replace on from and it just blows away everything there. Is there a way to replace destination-address?



  • 4.  RE: Replace destination-address on filter

     
    Posted 07-08-2016 12:23

    That's odd, I can see that the RPC is doing the desired results, but not via load-configuration...

     

    An example using just NETCONF works fine.

     

    I'll have to take a look at this some more when I have the chance to, as it's the weekend and I'll be travelling for work next week.

     

    > show configuration firewall filter myPCAP
    term 1 {
        from {
            source-address {
                192.168.0.210/32;
            }
            destination-address {
                192.168.0.150/32;
            }
        }
        then {
            sample;
            accept;
        }
    }
    term 2 {
        from {
            source-address {
                192.168.0.150/32;
            }
            destination-address {
                192.168.0.210/32;
            }
        }
        then {
            sample;
            accept;
        }
    }
    term allow-all-else {
        then accept;
    }

    > exit
    $ ssh user@192.168.0.210 -s netconf
    Password:
    <!-- No zombies were killed during the creation of this user interface -->
    <!-- user space, class j-super-user -->
    <hello>
      <capabilities>
        <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
        <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
        <capability>http://xml.juniper.net/dmi/system/1.0</capability>
      </capabilities>
      <session-id>71189</session-id>
    </hello>
    ]]>]]>
    <rpc><lock><target><candidate/></target></lock></rpc>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <ok/>
    </rpc-reply>
    ]]>]]>
    <rpc><edit-config><target><candidate/></target><default-operation>merge</default-operation><error-option>stop-on-error</error-option><config-text><configuration-text>firewall { filter myPCAP { term 1 { from { replace: source-address 10.1.1.1/32; } } } }</configuration-text></config-text></edit-config></rpc>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <ok/>
    </rpc-reply>
    ]]>]]>
    <rpc><commit-configuration><log>Test rename forum</log></commit-configuration></rpc>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <ok/>
    </rpc-reply>
    ]]>]]>
    <rpc><unlock><target><candidate/></target></unlock></rpc>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <ok/>
    </rpc-reply>
    ]]>]]>
    <rpc><close-session/></rpc>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <ok/>
    </rpc-reply>
    ]]>]]>
    <!-- session end at 2016-07-08 18:53:51 UTC -->

    Check the configuration:

    $ ssh user@192.168.0.210
    Password:
    --- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
    space@mySRX> show configuration firewall filter myPCAP
    term 1 {
        from {
            source-address {
                10.1.1.1/32;
            }
            destination-address {
                192.168.0.150/32;
            }
        }
        then {
            sample;
            accept;
        }
    }
    term 2 {
        from {
            source-address {
                192.168.0.150/32;
            }
            destination-address {
                192.168.0.210/32;
            }
        }
        then {
            sample;
            accept;
        }
    }
    term allow-all-else {
        then accept;
    }

    Hopefully someone else will have a moment to examine this, I'm obviously missing something here, but failing that I'll try and take a look as soon as I can.

     

    Regards,

    Andy



  • 5.  RE: Replace destination-address on filter

     
    Posted 07-10-2016 14:05

    Well I'm none the wiser as to why the behaviour is different between junoscript vs. NETCONF.

     

    I'm able to make the configuration change using a script that relies upon NETCONF or JUNOS-NETCONF.

     

    Example shown below:

    var $session-options := {
        <method> "junos-netconf"; /* also works with "netconf" */
        <username> "bill";
        <passphrase> "abc123";
    }
    var $connection = jcs:open( "192.168.56.2", $session-options );

    var $lock-rpc = <lock> { <target> { <candidate>; } }
    var $res-lock = jcs:execute($connection, $lock-rpc);

    var $edit-rpc = <edit-config> {
        <target> {
            <candidate>;
        }
        <default-operation> "merge";
        <error-option> "stop-on-error";
        <config-text> {
            <configuration-text> "firewall { filter myTest { term 1 { from { replace: destination-address 10.4.4.4/32; } } } }";
        }
    }

    var $res-edit = jcs:execute($connection, $edit-rpc);

    var $commit-rpc = <commit-configuration> { <log> "Test replace"; }
    var $res-commit = jcs:execute($connection, $commit-rpc);

    var $unlock-rpc = <unlock> { <target> { <candidate>; } }
    var $res-unlock = jcs:execute($connection, $unlock-rpc);

    expr jcs:close($connection);

    The obvious catch with this approach, is that I need to supply credentials in order to make the calls, and also an entry is required in .ssh/known_hosts ...

     

    I'll ask some questions about why the behaviour differs between junoscript/netconf/junos-netconf and see where that leads.

     

    Regards,

    Andy



  • 6.  RE: Replace destination-address on filter

    Posted 07-11-2016 14:36

    It's great that everybody is using NetConf successfully but Slax is still failing and doesn't recognize the replace parameter within the XML.

     

    var $edit-rpc = {
        <configuration> {
            <firewall> {
                <family> {
                    <inet> {
                        <filter> {
                            <name> $filtername;
                            <term> {
                                <name> $termname;
                                <from> { replace: destination-address 10.4.4.4/32; }
                            }
                        }
                    }
                }
            }
        }
    }

    This gives me:

     

    parse error, unexpected T_BARE before 'replace:':

    I need a reliable way to update the configuration on my SRX. Using NetConf is not reliable if I lose connectivity with the server that's supposed to be pushing this.



  • 7.  RE: Replace destination-address on filter

     
    Posted 07-11-2016 23:12

    Double-check the example I gave earlier that used "replace:" and you'll see that the block is defined within quotes, that is why you are getting an error in your statement.

     

    I realise that you are looking for a reliable solution, I haven't found one yet. I suspect that what you are trying to do is a limitation of junoscript that isn't present with netconf and/or junos-netconf, both of which are working for me, as per my earlier examples.

     

    If I do find out a way to perform a single replace instead of a delete/create approach then I will let you know. But for now I can only suggest that you use a delete/create approach if, as you say, you cannot rely on netconf for the purpose of the task.

     

    Regards,

    Andy



  • 8.  RE: Replace destination-address on filter

    Posted 07-12-2016 04:53

    So I replaced my original script with @asharp's script and it does do something...exactly what my original script did - adds a new entry to the term's from destination-address.

     

    What I don't get is that this is RPC. It shouldn't matter how RPC is invoked.

     

    What Junos version are you guys running? I'm running 12.1X47 on my vSRX.

     

     



  • 9.  RE: Replace destination-address on filter
    Best Answer

    Posted 07-12-2016 05:36

    So I just thought about it...and whenever I'm doing manual edits I always delete first and then set a new destination-address. My previous problem was that I was doing the operations on a separate commit. I modified the script and now I've got a solution that I'm happy with:

     

     

    version 1.0;
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns ext = "http://xmlsoft.org/XSLT/namespace";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    /*
     * This op-script changes a filter's destination address. The initial value is $fakeip changing to $newip.
     */
    import "../import/junos.xsl";
    var $filtername = "test";
    var $termname = "BLOCK-ALL";
    var $fakeip = "192.168.1.2/32";
    var $newip = "10.168.1.1/32";
    match / {
        <op-script-results> {
            var $connection = jcs:open();
            var $lock-rpc = <lock> { <target> { <candidate>; } }
            var $res-lock = jcs:execute($connection, $lock-rpc);
            var $edit-rpc = <edit-config> {
                <target> { <candidate>; }
                <error-option> "stop-on-error";
                <config-text> {
                    <configuration-text> "firewall { family inet { filter " _ $filtername _ " { term " _ $termname _ " { from { delete: destination-address " _ $fakeip _ "; replace: destination-address " _ $newip _ "; } } } } }";
                }
            }
            var $res-edit = jcs:execute($connection, $edit-rpc);
            var $commit-rpc = <commit-configuration> { <log> "Test replace"; }
            var $res-commit = jcs:execute($connection, $commit-rpc);
            var $unlock-rpc = <unlock> { <target> { <candidate>; } }
            var $res-unlock = jcs:execute($connection, $unlock-rpc);
            var $close-results = jcs:close($connection);
        }
    }

    So this script deletes the $fakeip from the filter and then adds the $newip. This is exactly what I wanted!! 

     

    Thanks @asharp for your tireless efforts in schooling a newbie 🙂
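As an added example (not from this thread, and not Junos or ncclient code), here is a Python helper that builds the same single-commit delete-plus-replace `<edit-config>` RPC used in the accepted answer and in Andy's NETCONF session, validates the prefixes and names before they are interpolated into the configuration text (the SLAX scripts above join them with `_`, so whatever those variables hold is loaded verbatim), and checks an `rpc-reply` for `<ok/>` or an error. The RPC and reply strings are constructed inline; sending them over the ssh `netconf` subsystem is left to the caller.

```python
# Added example (not from the thread): delete+replace edit-config for a Junos
# firewall filter term, with input checks and rpc-reply handling.
import ipaddress
import re
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message framing seen in the session above
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # conservative filter/term name check

def check_prefix(value):
    """Return the normalised prefix; ValueError for anything that is not one."""
    return str(ipaddress.ip_network(value, strict=True))

def check_name(value):
    if not NAME_RE.match(value):
        raise ValueError("invalid filter/term name: %r" % value)
    return value

def config_text(filtername, termname, oldip, newip):
    """Junos text config deleting oldip and replacing it with newip in one load."""
    return ("firewall { family inet { filter %s { term %s { from { "
            "delete: destination-address %s; replace: destination-address %s; "
            "} } } } }" % (check_name(filtername), check_name(termname),
                           check_prefix(oldip), check_prefix(newip)))

def build_edit_config(filtername, termname, oldip, newip):
    """Serialise the <edit-config> RPC (candidate target, stop-on-error) plus framing."""
    rpc = ET.Element("rpc")
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "candidate")
    ET.SubElement(edit, "error-option").text = "stop-on-error"
    ct = ET.SubElement(ET.SubElement(edit, "config-text"), "configuration-text")
    ct.text = config_text(filtername, termname, oldip, newip)
    return ET.tostring(rpc, encoding="unicode") + EOM

def reply_ok(raw):
    """True when an rpc-reply carries <ok/>; RuntimeError with the message otherwise."""
    root = ET.fromstring(raw.replace(EOM, ""))
    if root.find("{%s}ok" % NETCONF_NS) is not None:
        return True
    msg = root.find(".//{%s}error-message" % NETCONF_NS)
    raise RuntimeError(msg.text.strip() if msg is not None else "rpc-error")

# Constructed sample replies (shape taken from the session above) for testing.
OK_REPLY = '<rpc-reply xmlns="%s"><ok/></rpc-reply>%s' % (NETCONF_NS, EOM)
ERR_REPLY = ('<rpc-reply xmlns="%s"><rpc-error><error-message>syntax error'
             '</error-message></rpc-error></rpc-reply>%s' % (NETCONF_NS, EOM))
```

`strict=True` rejects a prefix with host bits set, so pass network addresses (the thread only uses /32 hosts, which are always valid).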