Sorry, small mistake in the config....this is what happens when you write it by hand in an email!
set groups ADD_DEFAULT_FW firewall family inet filter metro-access term default-all then accept
set apply-groups ADD_DEFAULT_FW

set groups ADD_DEFAULT_FW firewall family inet filter <*> term default-all then accept
set apply-groups ADD_DEFAULT_FW

On Thu, Dec 17, 2015 at 10:10 AM Steve Hulshof <cer...@gmail.com> wrote:
> You can delete the term default-all from the metro-access filter and then use
> groups to add the term at the end like this:
>
> set groups ADD_DEFAULT_FW firewall family inet filter metro-access default-all all then accept
> set apply-groups ADD_DEFAULT_FW
>
> This will add your default term to the end of the filter after you commit.
> You will not see the term when you do "show configuration firewall filter
> metro-access" unless you add " | display inheritance" at the end of the
> show command.
>
> If you want to apply this to all firewall filters you can do the following:
>
> set groups ADD_DEFAULT_FW firewall family inet filter <*> default-all all then accept
> set apply-groups ADD_DEFAULT_FW
>
> Thanks,
>
> Steve
>
> On Thu, Dec 17, 2015 at 9:28 AM Chen Jiang <iloveb...@gmail.com> wrote:
>
>> Hi! Jordan
>>
>> The end user's MX has a firewall filter named metro-access with many terms in
>> it, just like below:
>>
>> lab@mx#show firewall family inet filter metro-access
>> term inside-test {
>>     from {
>>         source-address {
>>             124.42.96.208/29;
>>         }
>>     }
>>     then {
>>         policer inside-test-2m;
>>         accept;
>>     }
>> }
>> term bj_kun_lun_fan_dian-15m {
>>     from {
>>         source-address {
>>             119.253.129.64/28;
>>         }
>>     }
>>     then {
>>         policer bj_kun_lun_fan_dian-15m;
>>         accept;
>>     }
>> }
>> ...
>> term default-all {
>>     then accept;
>> }
>>
>> Every time the end user wants to add a new network, he creates a term matching
>> the new net's source address and adds it before the last "default-all" term.
>>
>> Using a JUNOS op script we could simplify this procedure: auto-generate the new
>> term content and merge it into the configuration (this step is tested
>> successfully in the POC lab), but the new term is always arranged as the last
>> term in the firewall filter. I haven't found any method to insert the new
>> term before the original last "accept all" term, and that makes traffic
>> never hit the generated new term.
>>
>> Thanks for your help!
>>
>> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head...@gmail.com> wrote:
>>
>> > Hi James
>> >
>> > An op script could definitely do this, but I haven't seen a basic template
>> > for this use case. Depending on *exactly* what you want it to do, it might
>> > be a better job for Python, and maybe some netconf.
>> >
>> > Here's something that might help get you started.
>> >
>> > http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>> >
>> > How complex are the rules that need to be generated? Could you provide
>> > some examples? Feel free to ping me off list if necessary.
>> >
>> > -JH
>> >
>> > > On Dec 17, 2015, at 2:35 AM, Chen Jiang <iloveb...@gmail.com> wrote:
>> > >
>> > > Hi! Experts
>> > >
>> > > I have a requirement from an end user who wants to automate the firewall filter
>> > > configuration procedure; that is, they want to use an op script to generate
>> > > a customized firewall filter term and add it before the last "deny all" term.
>> > >
>> > > I have searched the official documents but couldn't find helpful information;
>> > > it seems there is no method that could manage firewall filter term sequence in
>> > > the SLAX language.
>> > >
>> > > Could you please shed some light on this if you have experience with it.
>> > > Thanks!
>> > >
>> > > --
>> > > BR!
>> > >
>> > > James Chen
>> > > _______________________________________________
>> > > juniper-nsp mailing list juniper-nsp@puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> --
>> BR!
>>
>> James Chen
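An added Python example, not code from any poster in this thread: it generates the per-customer term and the ADD_DEFAULT_FW group lines as `set` commands, then checks `display inheritance` output to confirm that default-all is still the last term before anything is committed. The filter text, prefixes, term and policer names below are constructed, and the check assumes the config text is captured from the router separately (for example over NETCONF).

```python
import re
from ipaddress import ip_network
from typing import List

# Constructed sample of "show firewall family inet filter metro-access | display inheritance"
# after the apply-group has appended default-all (not output captured from a real MX).
SAMPLE_FILTER = """\
term new-customer-10m {
    from {
        source-address {
            192.0.2.0/28;
        }
    }
    then {
        policer new-customer-10m;
        accept;
    }
}
term default-all {
    then accept;
}
"""

def term_order(config_text: str) -> List[str]:
    """Term names in the order Junos evaluates them (top-level 'term X {' lines)."""
    return re.findall(r"^term (\S+) \{", config_text, flags=re.MULTILINE)

def new_term_set_commands(filter_name: str, term: str, prefix: str, policer: str) -> List[str]:
    """'set' lines for one customer term; strict prefix validation rejects a mistyped
    source-address before it becomes a broader match than intended."""
    net = ip_network(prefix, strict=True)  # ValueError on host bits set or bad input
    base = f"set firewall family inet filter {filter_name} term {term}"
    return [f"{base} from source-address {net}",
            f"{base} then policer {policer}",
            f"{base} then accept"]

def default_group_set_commands(filter_name: str = "<*>") -> List[str]:
    """The apply-group approach from the thread: the catch-all term lives in a group so
    it is merged after every filter-local term at commit time."""
    return [f"set groups ADD_DEFAULT_FW firewall family inet filter {filter_name} "
            "term default-all then accept",
            "set apply-groups ADD_DEFAULT_FW"]

def default_term_is_last(config_text: str, new_term: str, default_term: str = "default-all") -> bool:
    """Pre-commit check on 'display inheritance' output: the new term exists, the
    catch-all appears exactly once, and it is still evaluated last."""
    order = term_order(config_text)
    return new_term in order and order.count(default_term) == 1 and order[-1] == default_term
```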