
Scripting How-To: Move 'any/any' reject or deny term to the last term

by Cordelia on ‎08-09-2015 09:13 AM - edited on ‎09-11-2017 03:08 PM by Administrator Administrator

Use deny-last Script to Move Terms to Last Term


For SLAX version 1.0 and higher, you can use the deny-last script to move an "any/any" reject or deny term to the last term.

Many security policy lists have a blanket reject/deny term as their last term, so that if nothing matches the previous terms, the traffic is not allowed. But if a user adds a new term, the new term is inserted by default at the end of the list of terms, preventing the 'any/any' term from doing its job. The deny-last script moves the 'any/any' term back to its proper position as the last term.

NOTE: This script will not work with config groups because they are always the last terms.

Source Code and GitHub Links


The source code below is also available from the following GitHub locations:

Example Configuration


system {
    scripts {
        commit {
            file deny-last.slax {
                /* Double quotes inside a quoted Junos string must be escaped with a backslash. */
                description "Move an \"any/any\" reject or deny term to the last term";
            }
        }
    }
}

Example Output


[edit]
lab@host1-a# show security policies
from-zone untrust to-zone trust {
    policy allow-ftp {
        match {
            source-address any;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy deny-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
    policy allow-smtp {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}

[edit]
lab@host1-a# commit
[edit security policies policy policy deny-any]
  warning: Moved deny/reject any term 'deny-any' to the end of the policy chain.
commit complete

[edit]
lab@host1-a# show security policies
from-zone untrust to-zone trust {
    policy allow-ftp {
        match {
            source-address any;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy allow-smtp {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit;
        }
    }
    policy deny-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
default-policy {
    permit-all;
}


SLAX Script Contents


version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    /* Each <policy> under security/policies is one from-zone/to-zone pair. */
    for-each (security/policies/policy) {
        /* Count the number of policies in this zone pair. */
        var $policy-count = count(policy);

        /* Find all "match any" "then reject/deny" policies
           that are not at the end. */
        for-each (policy[match/source-address=="any" &&
                         match/destination-address=="any" &&
                         match/application=="any" &&
                         (then/deny || then/reject) &&
                         position() != $policy-count]) {
            /* Move the policy to the end by re-inserting it after the current last policy. */
            call jcs:emit-change() {
                with $dot = ..;
                with $content = {
                    <from-zone-name> ../from-zone-name;
                    <to-zone-name> ../to-zone-name;
                    <policy insert="after" name=../policy[position() == $policy-count]/name> {
                        <name> name;
                    }
                }
                with $message = "Moved deny/reject any term '" _ name _ "' to the end of the policy chain.";
            }
        }
    }
}
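The same predicate and move as the SLAX script above, written in Python over the configuration XML a commit script sees. This is an added example, not the page's or the project's code; the XML fragment is constructed to mirror the "before" state of the example output, and `misplaced_terms` can be used on its own to audit a policy chain without changing it.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not captured from a device): the "before" state of the
# page's example output, as the <configuration> XML a commit script would see.
SAMPLE_XML = """<configuration><security><policies>
<policy><from-zone-name>untrust</from-zone-name><to-zone-name>trust</to-zone-name>
 <policy><name>allow-ftp</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>junos-ftp</application>
  </match><then><permit/></then></policy>
 <policy><name>deny-any</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>any</application>
  </match><then><deny/><log><session-init/></log></then></policy>
 <policy><name>allow-smtp</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>junos-smtp</application>
  </match><then><permit/></then></policy>
</policy></policies></security></configuration>"""

MATCH_FIELDS = ("source-address", "destination-address", "application")

def load(xml_text):
    return ET.fromstring(xml_text)

def is_any_any_block(policy):
    """The script's predicate: every match field is 'any' and the action is deny or reject."""
    match, then = policy.find("match"), policy.find("then")
    if match is None or then is None:
        return False
    all_any = all(any(e.text == "any" for e in match.findall(f)) for f in MATCH_FIELDS)
    return all_any and (then.find("deny") is not None or then.find("reject") is not None)

def misplaced_terms(root):
    """(from-zone, to-zone, policy) for every any/any block term that is not the last term."""
    found = []
    for ctx in root.iterfind("./security/policies/policy"):   # one element per zone pair
        for pol in ctx.findall("policy")[:-1]:                  # the last term is where we want it
            if is_any_any_block(pol):
                found.append((ctx.findtext("from-zone-name"), ctx.findtext("to-zone-name"),
                              pol.findtext("name")))
    return found

def move_to_last(root):
    """Apply the fix in place and return the same warnings the commit script emits."""
    messages = []
    for ctx in list(root.iterfind("./security/policies/policy")):
        for pol in ctx.findall("policy")[:-1]:
            if is_any_any_block(pol):
                ctx.remove(pol)
                ctx.append(pol)   # re-append: now the last term of this zone pair
                messages.append(f"Moved deny/reject any term '{pol.findtext('name')}' "
                                "to the end of the policy chain.")
    return messages

def policy_names(root, from_zone, to_zone):
    """Ordered policy names for one zone pair, for checking the result."""
    for ctx in root.iterfind("./security/policies/policy"):
        if (ctx.findtext("from-zone-name"), ctx.findtext("to-zone-name")) == (from_zone, to_zone):
            return [p.findtext("name") for p in ctx.findall("policy")]
    return []
```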

XML Script Contents


<?xml version="1.0"?>
<script>
  <title>deny-last.slax</title>
  <author>phil.shafer</author>
  <synopsis>
    Move an "any/any" reject or deny term to the last term
  </synopsis>
  <coe>commit</coe>
  <type>security</type>

  <description>
Many security policy lists have a blanket reject/deny term as their
last term, so that if nothing matches the previous terms, it's not
allowed.  But if a user adds a new term, the new term is inserted
by default at the end of the list of terms, preventing it from
doing its job.

This script moves such a term to the proper position as the last term.

Note that this script will not work with config groups, since they
are always the last terms.

  </description>

  <keyword>security</keyword>
  <keyword>policies</keyword>
  <keyword>last</keyword>
  <keyword>term</keyword>
  <example>
    <title>basic config</title>
    <config>example-1.conf</config>
    <output>example-1.output</output>
  </example>

  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js"
                type="text/javascript"/>
</script>