Hi! Dave

Thanks for the information, it's a solution for this issue.

BR!
James

On Fri, Dec 18, 2015 at 12:04 AM, Dave Bell <[email protected]> wrote:
> You could always have your op script delete the default-all term, add
> your new network term, then re-add the default-all term.
>
> On 17 December 2015 at 14:27, Chen Jiang <[email protected]> wrote:
> > Hi! Jordan
> >
> > The end user's MX has a firewall filter named metro-access that has many
> > terms in it, just like below:
> >
> > lab@mx#show firewall family inet filter metro-access
> > term inside-test {
> >     from {
> >         source-address {
> >             124.42.96.208/29;
> >         }
> >     }
> >     then {
> >         policer inside-test-2m;
> >         accept;
> >     }
> > }
> > term bj_kun_lun_fan_dian-15m {
> >     from {
> >         source-address {
> >             119.253.129.64/28;
> >         }
> >     }
> >     then {
> >         policer bj_kun_lun_fan_dian-15m;
> >         accept;
> >     }
> > }
> > ...
> > term default-all {
> >     then accept;
> > }
> >
> > Every time the end user wants to add a new network, he will create a term
> > matching the new net's source address and add it before the last
> > "default-all" term.
> >
> > With a JUNOS OP script we could simplify this procedure: auto-generate the
> > new term content and merge it into the configuration (this step was tested
> > successfully in the POC lab), but the new term is always arranged as the
> > last term in the firewall filter. I haven't found any method to insert the
> > new term before the original last "accept all" term, and it will make
> > traffic never hit the generated new term.
> >
> > Thanks for your help!
> >
> > On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <[email protected]> wrote:
> >
> >> Hi James
> >>
> >> An op script could definitely do this, but I haven't seen a basic
> >> template for this use case. Depending on *exactly* what you want it to
> >> do, it might be a better job for Python, and maybe some netconf.
> >>
> >> Here's something that might help get you started.
> >>
> >> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
> >>
> >> How complex are the rules that need to be generated? Could you provide
> >> some examples? Feel free to ping me off list if necessary.
> >>
> >> -JH
> >>
> >> > On Dec 17, 2015, at 2:35 AM, Chen Jiang <[email protected]> wrote:
> >> >
> >> > Hi! Experts
> >> >
> >> > I have a requirement from an end user who wants to automate the
> >> > firewall filter configuration procedure; that means they want to use an
> >> > OP script to generate a customized firewall filter term and add it
> >> > before the last "deny all" term.
> >> >
> >> > I have searched the official documents but couldn't find helpful
> >> > information; it seems there is no method that could manage firewall
> >> > filter term sequence in the SLAX language.
> >> >
> >> > Could you pls shed some light on this if you have experience with this?
> >> > Thanks!
> >> >
> >> > --
> >> > BR!
> >> >
> >> > James Chen
> >> > _______________________________________________
> >> > juniper-nsp mailing list [email protected]
> >> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> > --
> > BR!
> >
> > James Chen

--
BR!

James Chen

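The sequence Dave suggests, as an added example that is not code from any poster in this thread: it models the filter as an ordered, first-match list to show why an appended term is shadowed by default-all, then emits the delete/set statements that place the new term ahead of it. The term name `new-cust-10m`, the prefix 203.0.113.0/24, the name pattern, and the assumption that a policer of that name is already configured are all constructed for illustration.

```python
import ipaddress
import re

FILTER = "firewall family inet filter metro-access"
# Assumed naming policy: keeps user-supplied names from smuggling extra statements.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,62}$")

def first_match(terms, src):
    """Firewall filter terms are evaluated in order; return the first term hit."""
    addr = ipaddress.ip_address(src)
    for name, prefix in terms:
        if prefix is None or addr in ipaddress.ip_network(prefix):
            return name
    return None  # nothing matched

def add_term(terms, name, prefix, policer, last="default-all"):
    """Return (new_terms, commands) with the new term placed before `last`."""
    if not NAME_RE.match(name) or not NAME_RE.match(policer):
        raise ValueError("unsafe term or policer name")
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits and junk
    if any(n == name for n, _ in terms):
        raise ValueError("term already exists")
    if not terms or terms[-1] != (last, None):
        raise ValueError("filter does not end with the catch-all term")
    new_terms = terms[:-1] + [(name, str(net)), (last, None)]
    cmds = [
        f"delete {FILTER} term {last}",
        f"set {FILTER} term {name} from source-address {net}",
        f"set {FILTER} term {name} then policer {policer}",
        f"set {FILTER} term {name} then accept",
        f"set {FILTER} term {last} then accept",
    ]
    return new_terms, cmds

# Constructed sample mirroring the filter quoted in the thread.
CURRENT = [
    ("inside-test", "124.42.96.208/29"),
    ("bj_kun_lun_fan_dian-15m", "119.253.129.64/28"),
    ("default-all", None),
]

if __name__ == "__main__":
    appended = CURRENT + [("new-cust-10m", "203.0.113.0/24")]
    print(first_match(appended, "203.0.113.7"))  # shadowed by the catch-all
    fixed, cmds = add_term(CURRENT, "new-cust-10m", "203.0.113.0/24", "new-cust-10m")
    print(first_match(fixed, "203.0.113.7"))
    print("\n".join(cmds))
```

Because the delete and the re-add sit in the same candidate configuration, the filter is never committed without its catch-all term.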
