Automation

  • 1.  Simple Script to Replace Filter

    Posted 03-14-2016 11:51

    Please forgive this very noob question...

     

    I'm trying to create a very simple script that will run the following:

     

    configure

    load replace /path/filename.txt

    log errors, if any

    commit 

    quit

     

    What is the correct SLAX syntax to use to create the op script? 

     

    Much appreciated.

     

    Bill



  • 2.  RE: Simple Script to Replace Filter

    Posted 03-14-2016 16:01

    I tried using this but it doesn't seem to do what I want, which is to replace a firewall filter:

     

    version 1.0;

    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    import "../import/junos.xsl";

    match / {
        <op-script-results> {
            <load> {
                <replace> {
                    <filename> "/var/tmp/newfilter.txt";
                }
            }
        }
    }

     

    I can run the script using the cli (op filterupdate.slax) and I don't have any errors, but the filter is not getting updated.  However, when I run the following commands by themselves then the new filter is applied correctly:

     

    configure

    load replace /var/tmp/newfilter.txt

    commit check

    commit

    quit

     

    What am I missing?  It must be too simple...

     

    TIA,

    Bill



  • 3.  RE: Simple Script to Replace Filter

    Posted 03-14-2016 17:32

    This request is probably too easy to answer so I'll make it slightly more complex.

     

    I was reading about transient changes, (Applying Junos Configuration Automation, Ch. 11), and found a really cool way to remove the messy key from showing up in the normal configuration output.  Works like a charm.  In fact, that would be ideal for me to apply to the firewall filter when it gets to be thousands of addresses which will surely clutter up the config and add some considerable time when displaying everything else.

     

    So, what I would really like to be able to do is create a script that will be launched upon a user's login and have the nature of being transient such that it will not show up in the config.  Make sense?

     

    Broken down:

     

    1. User alpha logs in to the SRX.

    2. A script is launched that replaces the firewall filter, ("configure; load replace myfilter.txt; commit and-quit;")

    3. Said script is configured with the "allowed-transients" options to 'hide' it from the config under normal display output.

     

    Is this possible with the SRX??

     

    TIA,

    Bill



  • 4.  RE: Simple Script to Replace Filter

    Posted 03-14-2016 19:04

    So I've modified the op script to the following but I'm getting a syntax error:

     

    /* Begin Script */
    version 1.0;

    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    import "../import/junos.xsl";
    match / {
        <op-script-results> {
            var $configuration = <configuration> {
                <load> {
                    <replace> {
                        <filename> "/var/tmp/myfilter.txt";
                    }
                }
            }
            /* Open a Connection */
            var $connection = jcs:open();
            /* Call jcs:load-configuration and provide the connection and configuration change to make. */
            var $results := { call jcs:load-configuration( $connection, $configuration ); }
            /* Check for errors – report them if they occurred */
            if( $results//xnm:error ) {
                for-each( $results//xnm:error ) {
                    <output> message;
                }
            }
            /* If there are no errors then report success */
            if( jcs:empty( $results//xnm:error ) ) {
                <output> "Committed without errors.";
            }
            /* Close the connection */
            var $close-results = jcs:close($connection);
        }
    }
    /* End of Script */

     

     

    And I'm getting the following errors:

     

    syntax error, expecting </configuration>
    syntax error, expecting </configuration>

     

    I have the following in my config:

     

    set system scripts op traceoptions flag output
    set system scripts op file myscript.slax


  • 5.  RE: Simple Script to Replace Filter

    Posted 03-15-2016 09:38

    I've modified my script slightly and am no longer receiving syntax errors when running it, but I'm still not getting the desired results.

     

    I changed the forward slash in the "match" statement.  It now reads "match configuration".

     

    I'm wondering about my logic in the "<load> .. <replace> .. <file>" section of the code.  I simply want to run the command:

     

     

    user# load replace myfilter.txt

    If I run this in configuration mode, then the filter I'm trying to update is getting properly updated.  Does anyone here know how I can run this via script??

     

    Here's my current script that seems to run successfully (no errors) but does NOT produce the desired results:

     

    version 1.0;
    
    
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    import "../import/junos.xsl";
    
    match configuration  {
      <op-script-results> {
    
        var $configuration = { <configuration> {
                            <load> {
                              <replace> {
                                <filename> "/var/tmp/sffilter.txt";
                                }
                              }
                            }
        }
    
    /* Open a Connection */
    var $connection = jcs:open();
    
    /* Call jcs:load-configuration and provide the connection and configuration change to make. */
    var $results := { call jcs:load-configuration( $connection, $configuration ); }
    
    /* Check for errors – report them if they occurred */
        if( $results//xnm:error ) {
          for-each( $results//xnm:error ) {
            <output> message;
          }
        }
        /* If there are no errors then report success */
        if( jcs:empty( $results//xnm:error ) ) {
          <output> "Committed without errors.";
        }
    
        /* Close the connection */
        var $close-results = jcs:close($connection);
      }
    }

     

    Anyone??



  • 6.  RE: Simple Script to Replace Filter

    Posted 03-15-2016 11:17

    A few things:

    1. Your script looks like a commit script (the match configuration {}). Is that what you want? Something that gets executed at commit time? Or do you want an "op script" that you would execute interactively?


    If you're running it interactively (as an op script) then the reason you're not seeing any errors is because nothing is matching on the match configuration statement.

     

    If you want it as an op script then it's contained something like this:

     

    match / {
       <op-script-results> {

               /* code goes here */

       }

    }

     

    Make that adjustment and you'll start seeing some errors.  Which brings us to #2.

     

    2. The jcs:load-configuration is expecting an XML representation of the configuration change to be loaded.

    It must include a base element of <configuration>, but either a node-set or result tree fragment data type is acceptable.  Also fwiw, "<load>" is not a valid configuration item so it and anything after it would be ignored.

     

    If you can share what's in /tmp/sffilter.txt, then I might be able to help you modify your script to generate the xml configuration bits on-the-fly, then update your config with that.    

     

    /doug

     



  • 7.  RE: Simple Script to Replace Filter

    Posted 03-15-2016 11:27

    Hey Doug,

     

    Thanks for the reply.

     

    The contents of the filter.txt file are:

     

    firewall {
        family inet {
            replace:
            filter myfilter-allow {
                term allow {
                    from {
                        address {
                            address1;
                            address2;
                            address3;
                        }
                    }
                    then {
                        count myfilter-allow;
                        syslog;
                        accept;
                    }
                }
                term default {
                    then discard;
                }
            }
        }
    }

     

    The number of addresses will get very large - into the tens of thousands.  It's a simple whitelist where only the addresses specified will be able to access a given network (it's applied to an interface of VIP addresses).  The whitelist needs to be updated and modified dynamically.  I'm thinking that a user logging into the system would trigger the script.  Ideally, if I can apply the 'transient-changes' parameter such that the firewall filter is not shown that would be great.  

     

    Appreciate your help very much!!!  🙂

     

    Cheers,

    Bill
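
Added example, not code from any poster in this thread: Doug's point 2 in reply 6 applied to the filter Bill posted in reply 7, with the change passed to jcs:load-configuration as Junos XML under a <configuration> base element instead of a <load> wrapper. The two prefixes are constructed placeholders, and the replace attribute together with $action = "replace" is this example's stand-in for the file's replace: tag.

```slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {
        /* <configuration> is the base element; replace="replace" on <filter>
           does the job of the "replace:" tag in the text file. */
        var $configuration = {
            <configuration> {
                <firewall> { <family> { <inet> {
                    <filter replace="replace"> {
                        <name> "myfilter-allow";
                        <term> {
                            <name> "allow";
                            <from> {
                                /* Constructed sample prefixes, not from the thread */
                                <address> { <name> "192.0.2.0/24"; }
                                <address> { <name> "198.51.100.7/32"; }
                            }
                            <then> {
                                <count> "myfilter-allow";
                                <syslog>;
                                <accept>;
                            }
                        }
                        <term> {
                            <name> "default";
                            <then> { <discard>; }
                        }
                    }
                } } }
            }
        }
        var $connection = jcs:open();
        /* action "replace" is what makes Junos honour the replace attribute */
        var $results := {
            call jcs:load-configuration($connection, $configuration, $action = "replace");
        }
        for-each ($results//xnm:error) {
            <output> "Load/commit error: " _ message;
        }
        if (jcs:empty($results//xnm:error)) {
            <output> "Filter myfilter-allow replaced and committed.";
        }
        var $close-results = jcs:close($connection);
    }
}
```

Because the whole filter is replaced in one commit, the final discard term stays in place for every update and an address missing from the new list is dropped as soon as the commit completes.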



  • 8.  RE: Simple Script to Replace Filter
    Best Answer

    Posted 03-16-2016 14:22

    So this appears to be too difficult for Juniper, right?

     

    No problem.  Rancid works!

     

    Thanks for reading.  



  • 9.  RE: Simple Script to Replace Filter

     
    Posted 03-16-2016 15:12

    I think sometimes you need to give folks some time to help.



  • 10.  RE: Simple Script to Replace Filter

    Posted 03-16-2016 15:28

    Didn't mean to come across short...

     

    I just think that my problem was probably too easy.  It's literally one line of code that I want to run "on demand."  Using rancid gives me exactly what I want and without a lot of hassle.

     

    I do wish that I could "hide" this part of the config (firewall filter) much like the RSA keys can be "hidden" with a commit script using the transient-changes option.  But I'm satisfied now with at least something that works.

     

    Thanks!!  🙂