You can delete the term default-all from metro-access filter and then use groups to add the term at the end like this:

set groups ADD_DEFAULT_FW firewall family inet filter metro-access term default-all then accept
set apply-groups ADD_DEFAULT_FW

This will add your default term to the end of the filter after you commit. You will not see the term when you do "show configuration firewall filter metro-access" unless you add " | display inheritance" at the end of the show command.

If you want to apply this to all firewall filters you can do the following:

set groups ADD_DEFAULT_FW firewall family inet filter <*> term default-all then accept
set apply-groups ADD_DEFAULT_FW

Thanks,
Steve

On Thu, Dec 17, 2015 at 9:28 AM Chen Jiang <[email protected]> wrote:

> Hi! Jordan
>
> End user's MX has a firewall filter named metro-access has many terms in
> it, just like below:
>
> lab@mx#show firewall family inet filter metro-access
> term inside-test {
>     from {
>         source-address {
>             124.42.96.208/29;
>         }
>     }
>     then {
>         policer inside-test-2m;
>         accept;
>     }
> }
> term bj_kun_lun_fan_dian-15m {
>     from {
>         source-address {
>             119.253.129.64/28;
>         }
>     }
>     then {
>         policer bj_kun_lun_fan_dian-15m;
>         accept;
>     }
> }
> ...
> term default-all {
>     then accept;
> }
>
> Every time end user want to add a new network he will create a term match
> new net's source address and add it before the last "default-all" term.
>
> Use JUNOS OP script we could simplify this procedure: auto generate the new
> term content and merge it into the configuration (this step is tested
> successfully in POC lab), but the new term is always arranged as the last
> term in the firewall filter, I haven't found any method to insert the new
> term before the original last "accept all" term and it will make traffic
> never hit the generated new term.
>
> Thanks for your help!
>
> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <[email protected]> wrote:
>
> > Hi James
> >
> > An op script could definitely do this, but I haven't seen a basic template
> > for this use case. Depending on *exactly* what you want it to do, it might
> > be a better job for Python, and maybe some netconf.
> >
> > Here's something that might help get you started.
> >
> > http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
> >
> > How complex are the rules that need to be generated? Could you provide
> > some examples? Feel free to ping me off list if necessary.
> >
> > -JH
> >
> > > On Dec 17, 2015, at 2:35 AM, Chen Jiang <[email protected]> wrote:
> > >
> > > Hi! Experts
> > >
> > > I have a requirement from end user that want to automate firewall filter
> > > configuration procedure, that means they want to use OP script to generate
> > > a customized firewall filter term and added it before the last "deny all"
> > > term.
> > >
> > > I have searched official documents but couldn't find helpful information,
> > > it seems there is no method could manage firewall filter term sequence in
> > > SLAX language.
> > >
> > > Could you pls shed some light on this if you have experience on this,
> > > Thanks!
> > >
> > > --
> > > BR!
> > >
> > > James Chen
> > > _______________________________________________
> > > juniper-nsp mailing list [email protected]
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> BR!
>
> James Chen
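
Added example, not part of the thread or of any Juniper code: a Python model of the first-match ordering problem discussed above, with a check that flags terms placed after a match-all term, and the group-inheritance ordering as described in the reply. The term names and prefixes for the first two terms come from the quoted filter; the "new-customer" term, its prefix and all function names are constructed, and only source-address matching is modelled.

```python
import ipaddress

# Each term: (name, source prefixes), with None meaning "no from clause".
# Every term ends in a terminating action (accept), as in the quoted filter.
FILTER = [
    ("inside-test", ["124.42.96.208/29"]),
    ("bj_kun_lun_fan_dian-15m", ["119.253.129.64/28"]),
    ("default-all", None),
]
NEW_TERM = ("new-customer", ["192.0.2.0/24"])  # constructed sample term


def first_match(terms, src):
    """Return the name of the first term matching src; terms are evaluated in order."""
    addr = ipaddress.ip_address(src)
    for name, prefixes in terms:
        if prefixes is None or any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None  # nothing matched: the filter's implicit discard applies


def shadowed_terms(terms):
    """Names of terms that follow a match-all terminating term and can never be hit."""
    for i, (_, prefixes) in enumerate(terms):
        if prefixes is None:
            return [name for name, _ in terms[i + 1:]]
    return []


def with_inherited_default(terms, default_name="default-all"):
    """Model the apply-groups approach: the default term is removed from the
    local filter and inherited from the group, landing after all local terms."""
    local = [t for t in terms if t[0] != default_name]
    return local + [(default_name, None)]


# What the op script produced: the new term merged after default-all.
merged_by_script = FILTER + [NEW_TERM]
# Same local terms, with default-all supplied by the group instead.
fixed = with_inherited_default(merged_by_script)

if __name__ == "__main__":
    for label, terms in (("merged", merged_by_script), ("with group", fixed)):
        print(label, "shadowed:", shadowed_terms(terms),
              "192.0.2.10 ->", first_match(terms, "192.0.2.10"))
```

Running `shadowed_terms` over a candidate configuration before commit catches the case where a generated term would never see traffic.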

