Automation

  • 1.  Op Script Help Requested

    Posted 10-13-2009 10:48

    Working through the learning process of writing scripts and am finding that I'm struggling a bit with the subject.

     

    I'm looking to write some op scripts that will take the output from standard commands and output them to a csv format.

     

    These scripts will be run on the SRX platform running 9.6.

     

    For example:

     

    command: show security policies

    output: from-zone, to-zone, policy, state, index, sequence number

     

    Any help to get through this learning process would be greatly appreciated.



  • 2.  RE: Op Script Help Requested

    Posted 10-13-2009 13:24

    First, have you checked out the Day One: Applying JUNOS Automation guide?  You'll need to understand how to ask JUNOS to execute a command and how to parse information within the output, both of which are topics the guide covers:

     

    http://junos.juniper.net/Day-One-Guides/Day-One-Guide3/

     

     

    Second, there are a number of examples of scripts which gather information from show commands; you can see them here:

     

    http://code.google.com/p/junoscriptorium/source/browse/trunk/library/juniper/op/display/

     

    I don't know what the rpc for "show security policies" is, but you can always execute it like this:

     

    var $command-rpc = <command> "show security policies";

    var $policies = jcs:invoke( $command-rpc );

     

    Last, did you want to output to the screen, or to a file?  If the screen then the above examples should be great, but I don't recall if we have any examples of file output in the repository yet.  If not, then here is a quick code snippet.  Basically you'll want to use the <file-put> rpc to write the contents:

     

                 var  $file-put-rpc =
                    <file-put> {
                        <filename> $directory _ "/" _ $output-filename;
                        <encoding> "ascii";
                        <permission> "0666";
                        <delete-if-exist>;
                        <file-contents> $temp-file-contents;
                    }
                var $results = jcs:invoke( $file-put-rpc );

     

    The above will store the string contents of the $temp-file-contents variable as an ascii file with 0666 permissions into the $directory directory with a filename of $output-filename.  So you would first assemble your output into the $temp-file-contents string and then use something similar to the code shown above.

    Message Edited by ccall on 10-13-2009 01:28 PM


  • 3.  RE: Op Script Help Requested

    Posted 10-13-2009 14:28

    Thank you for the reply.

    I am working through the Day One guide and other documentation. It's been a while since I've done much scripting and it's taking me a bit of time to figure this all out. I have an urgent need for getting up to speed as quickly as I can to create some scripts for a client.

     

    I'll also take a look at the link to scripts you posted.

     

    I couldn't find the direct rpc for "show security policies", so I had to execute it the way you listed.

     

    As for the output, I'm only looking at output to screen. The difficulty I'm having is trying to figure out the reformat section.



  • 4.  RE: Op Script Help Requested

    Posted 10-13-2009 14:44

    Here is a stab at it, perhaps it will help:

     

    If you want this:

    output: from-zone, to-zone, policy, state, index, sequence number

     

    And you get the command output like this:

     

    var $command-rpc = <command> "show security policies";

    var $policies = jcs:invoke( $command-rpc );

     

    Then I think you could output it in your desired format by using these location paths, but you might need to tweak these a little since I'm not too familiar with this output:

     

    for-each( $policies/security-context/policies/policy-information ) {

        var $source-zone = ../../context-information/source-zone-name;
        var $destination-zone = ../../context-information/destination-zone-name;

        expr jcs:output( $source-zone, "," , $destination-zone, "," , policy-name, "," , policy-state, "," , policy-identifier, "," , policy-sequence-number );

    }

     

    I based that on my reading of "show security policies | display xml".  Let me know if that gives you what you want or not.



  • 5.  RE: Op Script Help Requested

    Posted 10-14-2009 09:21

    Thanks for the attempt.

    I guess I'm having trouble with the location paths.

     

    Here's sample output from the system using show security policies | display xml

    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0B2/junos">
        <multi-routing-engine-results>
           
            <multi-routing-engine-item>
               
                <re-name>node0</re-name>
               
                <security-policies junos:style="brief">
                    <default-policy>deny-all</default-policy>
                    <security-context>
                        <context-information>
                            <source-zone-name>WEB</source-zone-name>
                            <destination-zone-name>APP</destination-zone-name>
                        </context-information>
                        <policies>
                            <policy-information>
                                <policy-name>WEB-TO-APP-ANY</policy-name>
                                <policy-state>enabled</policy-state>
                                <policy-identifier>4</policy-identifier>
                                <policy-sequence-number>1</policy-sequence-number>
                                <source-addresses junos:style="brief">
                                    <source-address>
                                        <address-name>any</address-name>
                                    </source-address>
                                </source-addresses>
                                <destination-addresses junos:style="brief">
                                    <destination-address>
                                        <address-name>any</address-name>
                                    </destination-address>
                                </destination-addresses>
                                <applications junos:style="brief">
                                    <application>
                                        <application-name>any</application-name>
                                    </application>
                                </applications>
                                <policy-action>
                                    <action-type>permit</action-type>
                                    <application-services/>
                                </policy-action>
                            </policy-information>
                        </policies>
                    </security-context>

     

    Here is the script.

    version 1.0;
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

    import "../import/junos.xsl";

    match / {
     <op-script-results> {
      var $command-rpc = <command> "show security policies";
      var $rslt = jcs:invoke($command-rpc);
      
      for-each($rslt/multi-routing-engine-results/multi-routing-engine-item/security-policies/policies) {
       var $source=../context-information/source-zone-name;
       var $dest=../context-information/destination-zone-name;
       expr jcs:output($source, "," , $dest);    
      }
     }
    }



  • 6.  RE: Op Script Help Requested

    Posted 10-14-2009 09:26

    The node-set variable's context node will be the immediate child of the <rpc-reply>.  Looking at the first few lines of the XML output:

     

     <rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0B2/junos">
        <multi-routing-engine-results>
          

    We can see that the context node will be <multi-routing-engine-results>, so all your location paths using that variable should jump off of that reference point.

     

    Change your for-each loop to this:

     

    for-each($rslt/multi-routing-engine-item/security-policies/security-context/policies) {

     

    And it should work, but keep in mind that the current location-path will loop through <policies> nodes, rather than <policy-information> nodes (if that makes a difference to your script).



  • 7.  RE: Op Script Help Requested

    Posted 10-14-2009 09:37

    Thanks.

    When you mention looping through policies rather than policy-information, does that also mean matching on ALL policies, regardless of security-context?

     

    Ken



  • 8.  RE: Op Script Help Requested

    Posted 10-14-2009 09:50

    The current location path will loop through every <policies> node in the entire output.  That might be what you want, or it might not; there are a lot of ways to pull the data, it just depends on how you want the output to be structured.

     

    Looking at a router in the lab it appears that there might be a 1 to 1 relationship between <policies> nodes and <policy-information> nodes, but I'm not sure if that is always the case.  In other words, I'm not sure if there would ever be a situation where one <policies> node has more than one <policy-information> child node.



  • 9.  RE: Op Script Help Requested
    Best Answer

    Posted 10-14-2009 11:02

    I got it to work. Thanks for all your help.

     

    Now I just need to figure out how to do a second set of loops for each policy. This would be to get the source-address, destination-address, and application listings.

     

    Ken
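
Added example, not part of any post in this thread: a complete op script that prints one CSV row per policy for a rule-base review, including the nested loops over source addresses, destination addresses and applications raised in the last post. Element names come from the XML sample in post 5; the `join-names` template is a hypothetical helper, and reading only the first `<multi-routing-engine-item>` assumes both cluster nodes report the same policy table.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Hypothetical helper (not a Junos built-in): emit the string value of each
 * node in $nodes, separated by ";", so a list fits into one CSV field. */
template join-names($nodes) {
    for-each ($nodes) {
        expr .;
        if (position() != last()) {
            expr ";";
        }
    }
}

match / {
    <op-script-results> {
        var $command-rpc = <command> "show security policies";
        var $rslt = jcs:invoke($command-rpc);

        /* Chassis cluster: $rslt is <multi-routing-engine-results>; read the
         * first node's copy only (assumed identical on both nodes).
         * Standalone (assumption): $rslt is <security-policies> itself. */
        var $contexts = $rslt/multi-routing-engine-item[1]/security-policies/security-context
                      | $rslt/security-context;

        expr jcs:output("from-zone,to-zone,policy,state,index,sequence-number,"
                        _ "source-address,destination-address,application,action");

        for-each ($contexts) {
            /* Zone names live beside <policies>, not inside it */
            var $from = context-information/source-zone-name;
            var $to = context-information/destination-zone-name;
            for-each (policies/policy-information) {
                var $src = { call join-names($nodes = source-addresses/source-address/address-name); }
                var $dst = { call join-names($nodes = destination-addresses/destination-address/address-name); }
                var $app = { call join-names($nodes = applications/application/application-name); }
                expr jcs:output($from _ "," _ $to _ "," _ policy-name _ "," _ policy-state
                                _ "," _ policy-identifier _ "," _ policy-sequence-number
                                _ "," _ $src _ "," _ $dst _ "," _ $app
                                _ "," _ policy-action/action-type);
            }
        }
    }
}
```

For the sample in post 5 this prints the header row followed by `WEB,APP,WEB-TO-APP-ANY,enabled,4,1,any,any,any,permit`.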