[Junos] Python script to perform custom commit check on M/MX devices

Article ID: KB36078 KB Last Updated: 17 Jul 2020 Version: 1.0

Summary:

Instead of manually checking for unsupported or service-impacting configurations, a commit script can be used to automatically identify unwanted configurations and prevent their commit.

This article introduces a Python script that implements a customized, specific commit check. The check is triggered whenever a configuration commit or commit check is issued.

To demonstrate the script, the article uses the example of a syslog or log action under a firewall filter, which is expected to cause issues on the production unit and must therefore be prevented from being committed.


Solution:

The example script identifies which of the firewall filters have syslog or log configured. It gives a commit warning for "syslog" and a commit error for "log", as demonstrated below. A warning does not stop the commit; an error does.

  1. Write the Python script that gets executed when a commit or commit check is issued.

RE0 > start shell user root
% cd /var/db/scripts/commit/
% vi no_firewall_syslog.py   <-- any file name can be used, as long as it ends with .py

Insert the following lines:

import jcs
from junos import Junos_Configuration


def main():
    # Junos_Configuration is the candidate configuration as an XML element tree.
    root = Junos_Configuration
    # Only IPv4 (family inet) firewall filters are inspected.
    for element in root.xpath("./firewall/family/inet/filter"):
        filter_name = element.find('name').text
        # "syslog" in any term: warn (the commit is still allowed).
        if element.find("term/then/syslog") is not None:
            jcs.emit_warning("Please remove syslog under firewall filters......:{}".format(filter_name))
        # "log" in any term: raise an error, which blocks the commit.
        if element.find("term/then/log") is not None:
            jcs.emit_error("Please remove log under firewall filters.....{}".format(filter_name))


if __name__ == '__main__':
    main()
:wq!   <-- save and exit

% cli
  2. Configure Python and enable the script. Commit the configuration.
# set system scripts language python
# set system scripts commit file no_firewall_syslog.py

Example configuration

show firewall 
family inet {
    filter LOG_ALL {
        term 1 {
            then {
                log;
                accept;
            }
        }
    }
    filter SYSLOG_ALL {
        term 1 {
            then {
                syslog;
                accept;
            }
        }
    }
}

The following warning/error will be displayed when you try to commit the above configuration.

error: Please remove log under firewall filters.....LOG_ALL
warning: Please remove syslog under firewall filters......:SYSLOG_ALL
error: 1 error reported by commit scripts
error: commit script failure
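
The check logic can be exercised off-box before the script is enabled on a production router. The following is an added example, not part of the original article or Juniper's code: it goes beyond the article's script by covering every firewall family rather than only inet and by naming the offending term. The sample XML is constructed, the function names are hypothetical, and the standard-library ElementTree stands in for the on-box configuration tree.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's example configuration in Junos XML form,
# plus an inet6 filter (not in the article) to show the wider family match.
SAMPLE_CONFIG = """
<configuration><firewall><family>
  <inet>
    <filter><name>LOG_ALL</name>
      <term><name>1</name><then><log/><accept/></then></term></filter>
    <filter><name>SYSLOG_ALL</name>
      <term><name>1</name><then><syslog/><accept/></then></term></filter>
  </inet>
  <inet6>
    <filter><name>V6_LOG</name>
      <term><name>allow</name><then><accept/></then></term>
      <term><name>audit</name><then><log/><discard/></then></term></filter>
  </inet6>
</family></firewall></configuration>
"""

# Action -> severity, mirroring the article: "log" is an error, "syslog" a warning.
SEVERITY = {"log": "error", "syslog": "warning"}


def find_logging_terms(root):
    """Return sorted (severity, family, filter, term, action) tuples."""
    findings = []
    for family in root.findall("./firewall/family/*"):
        for flt in family.findall("filter"):
            for term in flt.findall("term"):
                for action, severity in SEVERITY.items():
                    if term.find("then/" + action) is not None:
                        findings.append((severity, family.tag,
                                         flt.findtext("name"),
                                         term.findtext("name"), action))
    return sorted(findings)


def commit_would_fail(findings):
    """A commit is rejected as soon as one finding has error severity."""
    return any(f[0] == "error" for f in findings)


if __name__ == "__main__":
    for finding in find_logging_terms(ET.fromstring(SAMPLE_CONFIG)):
        print("{}: family {} filter {} term {} uses '{}'".format(*finding))
```

To use the same logic in a commit script, pass Junos_Configuration as root and report each finding with jcs.emit_error or jcs.emit_warning according to its severity.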

 
