
Schedule Regular Tasks in Junos


Recently I’ve had a second requirement to run a command regularly on a Juniper SRX so I thought it worth sharing my examples and some of the things I learnt as I worked through some issues.

Junos automation provides a nice, flexible set of tools for doing this: commit scripts, operational scripts and event scripts (which are really op scripts executed by events), all designed to make the management of your Junos device simple and flexible.

Event scripts can be used to do regular tasks. The method of calling the scripts is straightforward, just a time-based action. The two different commands I wanted to use, however, required different methods of calling them in their operational scripts.

Why am I running tasks regularly in Junos?

My first requirement for a regularly run command was a strange scenario with a host misbehaving and the only way to fix it was to clear the ARP on the SRX. To make sure the problem was avoided it needed to be done every 5 minutes.

Then last week a colleague found that he could work around a webauth issue by clearing the users on the SRX. To be safe we decided to run this every hour and I wrote up the script to do it.

Scheduling the scripts to run

First we need a definition of a period of time; here I created one for 5 minutes and one for an hour. Then we just associate the time as an event with the script as an action.

The scripts need to be defined by their full file name, and they need to be held in /var/db/scripts/event. Unlike op scripts run from the Junos CLI, they are referenced in both the event-script stanza and the policy's then action by the full filename, including the suffix.

martyn.lomax@srx> show configuration event-options
generate-event {
    every-5mins time-interval 300;
    every-hour time-interval 3600;
}
policy clear-arp-hack {
    events every-5mins;
    then {
        event-script clear-arp.slax;
    }
}
policy clear-webauth {
    events every-hour;
    then {
        event-script fw-auth.slax;
    }
}
event-script {
    file clear-arp.slax;
    file fw-auth.slax;
}

Of course you can get nice and fancy with the actual events you could match on, then trigger scripts to gather data or perform actions to rectify network outages. I suggest checking the examples on the Juniper website.

Op script method 1: RPC enabled command – clear arp

For this I first found the required RPC and an example of running an RPC in an operational script. Pretty straightforward.

martyn.lomax@srx> clear arp | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/11.4R1/junos">
    <rpc>
        <clear-arp-table>
        </clear-arp-table>
    </rpc>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

Once you know the RPC, you can call it in the op script. Here you assign the RPC to a variable and call it using jcs:invoke. The event options mentioned above call it at the required frequency.

To do some sanity checking I also put a line in the script to output a message to a syslog file. This should probably be turned off, as it generates a message every 5 minutes for no real reason.

martyn.lomax@srx> file show /var/db/scripts/op/clear-arp.slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

var $op-script-version = "1.0";

match / {

    <op-script-results> {
        /* RPC equivalent of "clear arp", as shown by "| display xml rpc" */
        var $clear-arp-rpc = <clear-arp-table> {
        }
        /* Run the RPC on the local device and pass its reply through */
        var $clear-arp-out = jcs:invoke($clear-arp-rpc);
        copy-of $clear-arp-out;

        /* Sanity-check message; written on every run, whatever the RPC returned */
        expr jcs:syslog("user.crit","op script clear arp success");

    }

}
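
A variant of the script above that inspects the RPC reply before logging, added here as an example and not the author's script. It logs failures at user.error with the device's error text and routine successes at user.info rather than user.crit; the log message wording is an assumption.

```slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
    <op-script-results> {
        /* Same RPC as the original script. */
        var $clear-arp-rpc = <clear-arp-table>;
        var $clear-arp-out = jcs:invoke($clear-arp-rpc);

        /* A failed RPC comes back as one or more xnm:error elements. */
        if ($clear-arp-out/..//xnm:error) {
            for-each ($clear-arp-out/..//xnm:error) {
                /* Log each error with the text the device returned. */
                expr jcs:syslog("user.error", "clear-arp: RPC failed: ", message);
            }
        }
        else {
            /* Routine success: info severity keeps a 5-minute job from
               filling critical-level logs. Message text is an assumption. */
            expr jcs:syslog("user.info", "clear-arp: ARP table cleared");
            copy-of $clear-arp-out;
        }
    }
}
```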

 

Op script method 2: non-RPC enabled command – restart firewall-authentication-service

This wasn’t quite as easy. There is no RPC command to restart the firewall-authentication-service. Junos will tell you this, for example:

martyn.lomax@srx> restart firewall-authentication-service | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/11.4R1/junos">
    <message>
        xml rpc equivalent of this command is not available.
    </message>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

So I went off and did some searching to find out if you could run a “real” Junos CLI command from within the script. I had remembered seeing an example somewhere, and eventually found it in the scriptorium.

You reference a variable with a <command> defined and then use jcs:invoke.

martyn.lomax@srx> file show /var/db/scripts/op/fw-auth.slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {
        /* No RPC exists for this command, so wrap the CLI text in <command> */
        var $restart = {
            <command> 'restart firewall-authentication-service';
        }
        /* jcs:invoke runs the wrapped CLI command on the local device */
        var $result = jcs:invoke($restart);
        /* Shown on the terminal when the script is run by hand as an op script */
        <output> {
            expr "Restarting the firewall auth service";
            expr ". ";
        }
    }
}

I left some <output> with messages as this script could also be executed from CLI as an op script.

 

