The Junos API is, hands down, probably one of the best API interfaces for firewalls, and IMHO the quickest to learn and pick up.
To make an RPC call you need to know the RPC equivalent of the CLI command. The quickest way to find it is to append "| display xml rpc" to a known CLI command on the CLI. The output is XML and contains the corresponding "rpc" string.
e.g. { show system uptime }
kfelix@NYCMANCOURTDC> show system uptime | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<rpc>
<get-system-uptime-information>
</get-system-uptime-information>
</rpc>
<cli>
<banner></banner>
</cli>
</rpc-reply>
Now, to make an RPC call, use curl to send a GET request with the proper RPC string.
curl http://x.x.x.x:3000/rpc/get-system-uptime-information -u username:yourpassword
Here are a few working examples with authentication. But first: if your WWW basic authentication fails, you will always get a 401 "Unauthorized" message.
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Need basic auth header"
< Content-Type: text/html
< Content-Length: 351
< Date: Mon, 12 Nov 2018 21:41:58 GMT
< Server: lighttpd/1.4.32
{ dump the route table for a Junos SRX device }
> GET /rpc/get-route-information HTTP/1.1
> Host: 10.1.1.1:3001
> Authorization: Basic a2ZlbGl50kdFVEVTQTI0MHpjYXIwMQ==
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=utf-8
< Transfer-Encoding: chunked
< Date: Mon, 12 Nov 2018 21:42:17 GMT
< Server: lighttpd/1.4.32
<
<route-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-routing" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<!-- keepalive -->
<route-table>
<table-name>inet.0</table-name>
<destination-count>12</destination-count>
<total-route-count>13</total-route-count>
<active-route-count>12</active-route-count>
<holddown-route-count>0</holddown-route-count>
<hidden-route-count>0</hidden-route-count>
<rt junos:style="brief">
<rt-destination>0.0.0.0/0</rt-destination>
<rt-entry>
<active-tag>*</active-tag>
<current-active/>
<last-active/>
<protocol-name>Static</protocol-name>
<preference>5</preference>
<age junos:seconds="43081">11:58:01</age>
<nh>
<selected-next-hop/>
<to>192.124.194.97</to>
<via>ge-0/0/0.0</via>
</nh>
% curl 10.1.1.1:3001/rpc/get-arp-table-information -u kfelix
Enter host password for user 'kfelix':
<arp-table-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-arp" xmlns:junos="http://xml.juniper.net/junos/*/junos" junos:style="normal">
<arp-table-entry>
<mac-address>20:fd:f1:64:ab:81</mac-address>
<ip-address>10.1.0.25</ip-address>
<hostname>10.1.0.25</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>10:c3:7b:92:d2:59</mac-address>
<ip-address>10.1.0.26</ip-address>
<hostname>10.1.0.26</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>00:16:e0:32:e8:a1</mac-address>
<ip-address>10.1.0.27</ip-address>
<hostname>10.1.0.27</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>64:9a:be:cb:1a:0c</mac-address>
<ip-address>10.1.0.28</ip-address>
<hostname>10.1.0.28</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>d8:38:fc:38:25:40</mac-address>
NOTE: output cut
{ review policy hit counts }
% curl 10.1.1.1:3001/rpc/get-security-policies-hit-count -u kfelix
Enter host password for user 'kfelix':
<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<logical-system-name>root-logical-system</logical-system-name>
<policy-hit-count-entry>
<policy-hit-count-index>1</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust-to-trust</policy-hit-count-policy-name>
<policy-hit-count-count>623</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>2</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust2untrust</policy-hit-count-policy-name>
<policy-hit-count-count>7839</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>3</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>COMMON</policy-hit-count-policy-name>
<policy-hit-count-count>31049</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>4</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>5</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPN</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>6</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWDNS</policy-hit-count-policy-name>
<policy-hit-count-count>917</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>7</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST222</policy-hit-count-policy-name>
<policy-hit-count-count>3599</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>8</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST220</policy-hit-count-policy-name>
<policy-hit-count-count>22524</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>9</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>DENYDNS</policy-hit-count-policy-name>
<policy-hit-count-count>895</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>10</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>policy_in_wizard_dyn_vpn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>11</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPNn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>12</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>APIACCESSS</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
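A hit-count reply like the one above is most useful for finding rules that never match. The following is an added example, not part of the original post: it parses the reply and groups zero-hit policies by zone pair. The sample is constructed from three of the entries shown above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: three entries abridged from the reply above, closed so it parses.
SAMPLE = """<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<policy-hit-count-entry>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>COMMON</policy-hit-count-policy-name>
<policy-hit-count-count>31049</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPNn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
</policy-hit-count>"""


def local(tag):
    """Strip the '{namespace}' prefix; the namespace embeds the Junos release."""
    return tag.rsplit("}", 1)[-1]


def hit_counts(xml_text):
    """Return (from_zone, to_zone, policy, hits) for each <policy-hit-count-entry>."""
    rows = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "policy-hit-count-entry":
            continue
        f = {local(c.tag).replace("policy-hit-count-", ""): (c.text or "").strip()
             for c in elem}
        rows.append((f["from-zone"], f["to-zone"], f["policy-name"], int(f["count"])))
    return rows


def unused_policies(xml_text):
    """Group policies with zero hits by (from_zone, to_zone)."""
    unused = {}
    for src, dst, name, hits in hit_counts(xml_text):
        if hits == 0:
            unused.setdefault((src, dst), []).append(name)
    return unused
```

A zero only covers the time since the counters were last cleared or the device booted, so compare it against the uptime before treating a rule as dead.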
{ system uptime }
% curl 10.1.1.1:3001/rpc/get-system-uptime-information -u kfelix
Enter host password for user 'kfelix':
<system-uptime-information xmlns="http://xml.juniper.net/junos/15.1X49/junos" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<current-time>
<date-time junos:seconds="1542059265">2018-11-12 21:47:45 UTC</date-time>
</current-time>
<time-source> LOCAL CLOCK </time-source>
<system-booted-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</system-booted-time>
<protocols-started-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</protocols-started-time>
<last-configured-time>
<date-time junos:seconds="1542016213">2018-11-12 09:50:13 UTC</date-time>
<time-length junos:seconds="43052">11:57:32</time-length>
<user>kfelix</user>
</last-configured-time>
<uptime-information>
<date-time junos:seconds="1542059265">9:47PM</date-time>
<up-time junos:seconds="43748">12:09</up-time>
<active-user-count junos:format="2 users">2</active-user-count>
<load-average-1>0.50</load-average-1>
<load-average-5>0.21</load-average-5>
<load-average-15>0.11</load-average-15>
</uptime-information>
</system-uptime-information>
And finally, NOT all CLI commands have an RPC equivalent. If you look for the equivalent and none exists, Junos will display the following output.
apiuser@SRX3400> show system processes | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<message>
xml rpc equivalent of this command is not available.
</message>
<cli>
<banner></banner>
</cli>
</rpc-reply>
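The lookup described at the top of the page, together with the "not available" case just shown, can be scripted. This is an added example, not part of the original post: it reads a "| display xml rpc" reply and returns the REST URL, or None when Junos reports no equivalent. The two inputs are the replies shown on this page; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the two "| display xml rpc" replies shown on this page.
REPLY_OK = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<rpc>
<get-system-uptime-information>
</get-system-uptime-information>
</rpc>
<cli>
<banner></banner>
</cli>
</rpc-reply>"""

REPLY_NONE = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<message>
xml rpc equivalent of this command is not available.
</message>
<cli>
<banner></banner>
</cli>
</rpc-reply>"""

RPC_NAME = re.compile(r"[a-z][a-z0-9-]*")


def rpc_name(reply_xml):
    """Return the tag inside <rpc>, or None when Junos reports no equivalent."""
    root = ET.fromstring(reply_xml)
    rpc = root.find("rpc")
    if rpc is None or len(rpc) == 0:
        return None
    name = rpc[0].tag
    # Accept only a plain tag name so nothing else ends up in the URL path.
    if not RPC_NAME.fullmatch(name):
        raise ValueError(f"unexpected rpc tag: {name!r}")
    return name


def rpc_url(host, port, reply_xml, scheme="http"):
    """Build the GET URL for the RPC named in a 'display xml rpc' reply."""
    # The page's examples use plain http; a Basic auth header is only
    # base64-encoded, so use https where the device's REST service offers it.
    name = rpc_name(reply_xml)
    if name is None:
        return None
    return f"{scheme}://{host}:{port}/rpc/{name}"
```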
Enjoy, and don't hesitate to use the Junos API.
Lastly, keep in mind the output is in XML by default. You have two ways to display the output in JSON
NOTE: All examples were done on Junos versions 15.1X49-Dxxxxxx
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \