Example: Adding a Final then accept Term to a Firewall

This commit script example adds a then accept statement to any firewall filter that does not already end with an explicit then accept statement.

Requirements

This example uses a device running Junos OS.

Overview and Commit Script

Each firewall filter in Junos OS has an implicit discard action at the end of the filter, which is equivalent to an explicit final term whose only action is discard:

As a result, a packet that matches none of the terms in the filter is discarded. In some cases you might want to override this default by adding a last term that accepts all packets the filter's match conditions did not catch. Be aware that this turns a default-deny filter into a default-allow filter, so a script that appends such a term should be enabled only on devices where permissive filters are intended. In this example, the commit script adds a final then accept statement to any firewall filter that does not already end with an explicit then accept statement.

The example script is shown in both XSLT and SLAX syntax:

XSLT Syntax

SLAX Syntax
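The script body is not reproduced on this page. The following SLAX commit script is an added example written for this page, not the original Juniper script; it implements the behaviour described above. It assumes the filters live at the [edit firewall filter] hierarchy level (family-qualified filters under [edit firewall family inet] are not walked by this XPath expression) and that no term named accept-all already exists in the filter; both the hierarchy and the term name are assumptions of this example.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Commit scripts are handed the candidate configuration and match at its root. */
match configuration {
    /* Assumption: only filters at [edit firewall filter] are examined.
     * Filters under [edit firewall family inet ...] would need a second path. */
    for-each (firewall/filter) {
        /* Only the last term matters: the implicit discard applies to packets
         * that fall through every term. A last term whose then clause already
         * contains accept (alone or alongside other actions) is left alone. */
        if (not(term[last()]/then/accept)) {
            /* Surface the change in the commit output so operators can see
             * which filters were silently made default-allow. */
            <xnm:warning> {
                <message> "Adding a final 'then accept' term to filter " _ name;
            }
            /* <change> is a persistent change: it is merged into the candidate
             * configuration before the commit continues. A term not already
             * present in the filter is appended at the end by the merge. */
            <change> {
                <firewall> {
                    <filter> {
                        <name> name;
                        <term> {
                            /* Assumption: accept-all is not already a term name. */
                            <name> "accept-all";
                            <then> {
                                <accept>;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Install the file as /var/db/scripts/commit/add-accept.slax and enable it with set system scripts commit file add-accept.slax, as in the procedure that follows. The test inspects only the then clause of the last term, so a final term that has match conditions and then accept is treated as already compliant, which matches the description above; if the last term must be unconditional, tighten the test to term[last()][not(from)]/then/accept.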

Configuration

Step-by-Step Procedure

To download, enable, and test the script:

  1. Copy the script into a text file, name the file add-accept.xsl or add-accept.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
  2. Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.

    If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to add-accept.slax.

  3. In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.

    1. At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.

    2. Press Enter.

    3. Press Ctrl+d.

  4. Issue the commit command to commit the configuration.

Verification

Verifying the Configuration

Purpose

Verify that the script behaves as expected.

Action

Review the output of the commit command. The script requires that all firewall filters end with an explicit then accept statement. The sample configuration stanzas include a test filter with two terms, neither of which ends the filter with an explicit then accept statement. When you issue the commit command, the script appends the missing then accept term and the commit proceeds, producing the following output:

In configuration mode, issue the show firewall command to review the modified configuration. The following output appears: