You could always have your op script delete the default-all term, add your new network term, then re-add the default-all term.

On 17 December 2015 at 14:27, Chen Jiang <iloveb...@gmail.com> wrote:
> Hi! Jordan
>
> The end user's MX has a firewall filter named metro-access that has many
> terms in it, just like below:
>
> lab@mx#show firewall family inet filter metro-access
> term inside-test {
>     from {
>         source-address {
>             124.42.96.208/29;
>         }
>     }
>     then {
>         policer inside-test-2m;
>         accept;
>     }
> }
> term bj_kun_lun_fan_dian-15m {
>     from {
>         source-address {
>             119.253.129.64/28;
>         }
>     }
>     then {
>         policer bj_kun_lun_fan_dian-15m;
>         accept;
>     }
> }
> ...
> term default-all {
>     then accept;
> }
>
> Every time the end user wants to add a new network he will create a term
> matching the new net's source address and add it before the last
> "default-all" term.
>
> Using a JUNOS OP script we could simplify this procedure: auto-generate the
> new term content and merge it into the configuration (this step is tested
> successfully in POC lab), but the new term is always arranged as the last
> term in the firewall filter. I haven't found any method to insert the new
> term before the original last "accept all" term, and it will make traffic
> never hit the generated new term.
>
> Thanks for your help!
>
> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head...@gmail.com>
> wrote:
>
>> Hi James
>>
>> An op script could definitely do this, but I haven't seen a basic template
>> for this use case. Depending on *exactly* what you want it to do, it might
>> be a better job for Python, and maybe some netconf.
>>
>> Here's something that might help get you started.
>>
>> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>>
>> How complex are the rules that need to be generated? Could you provide
>> some examples? Feel free to ping me off list if necessary.
>>
>> -JH
>>
>> > On Dec 17, 2015, at 2:35 AM, Chen Jiang <iloveb...@gmail.com> wrote:
>> >
>> > Hi! Experts
>> >
>> > I have a requirement from an end user who wants to automate the firewall
>> > filter configuration procedure; that means they want to use an OP script
>> > to generate a customized firewall filter term and add it before the last
>> > "deny all" term.
>> >
>> > I have searched official documents but couldn't find helpful information;
>> > it seems there is no method that could manage firewall filter term
>> > sequence in the SLAX language.
>> >
>> > Could you pls shed some light on this if you have experience on this,
>> > Thanks!
>> >
>> > --
>> > BR!
>> >
>> > James Chen
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp@puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> BR!
>
> James Chen
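
The approach suggested in the reply at the top of this message (delete default-all, add the new term, re-add default-all), as an added example that is not part of the original thread: a Python helper that validates its inputs and emits the set-format commands in that order. The filter and term names come from the thread; the function name, the naming pattern, the sample prefix and the assumption that the policer is already defined are this example's own.

```python
import ipaddress
import re

FILTER = "metro-access"    # filter name from the thread
CATCH_ALL = "default-all"  # final accept-all term from the thread
# Assumed naming policy for this example: letters, digits, "_" and "-" only.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,62}")


def build_term_commands(term, prefix, policer):
    """Return set-format lines that leave `term` ahead of the catch-all term."""
    for label, value in (("term", term), ("policer", policer)):
        # Rejecting spaces, quotes, braces and newlines keeps an argument
        # from carrying extra configuration statements into the load.
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label} name: {value!r}")
    if term == CATCH_ALL:
        raise ValueError("new term must not reuse the catch-all term name")
    # strict=True rejects prefixes with host bits set, e.g. 192.0.2.1/28.
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("filter is family inet; an IPv4 prefix is required")
    base = f"firewall family inet filter {FILTER} term"
    return [
        f"delete {base} {CATCH_ALL}",                    # remove the last term
        f"set {base} {term} from source-address {net}",  # new term goes last...
        f"set {base} {term} then policer {policer}",
        f"set {base} {term} then accept",
        f"set {base} {CATCH_ALL} then accept",           # ...then catch-all after it
    ]


if __name__ == "__main__":
    # Constructed sample input: documentation prefix and hypothetical names.
    for line in build_term_commands("cust-example-10m", "192.0.2.0/28",
                                    "cust-example-10m"):
        print(line)
```

Load all five lines into one candidate configuration and commit once, so the filter is never committed without its default-all term.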