Provides JunOS REST API Integration covering Juniper MX, PTX, QFX, T and SRX Series platforms
This document provides information about the Juniper JunOS Connector, which facilitates automated interactions with a Juniper JunOS server using FortiSOAR™ playbooks. Add the Juniper JunOS Connector as a step in FortiSOAR™ playbooks and perform automated operations with Juniper JunOS.
Connector Version: 1.0.0
Tested on JunOS: 21
Authored By: Fortinet CSE
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
- You must have the URL of the Juniper JunOS server to which you will connect and perform automated operations, and username/password credentials to access that appliance.
- The FortiSOAR™ server should have outbound connectivity to port 3443 (or the configured port) on the Juniper JunOS Appliance.
- System for operational mode actions (get)
- System-control for configuration mode (add/delete)
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Juniper JunOS connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Device URL | Management IP address or FQDN of the JunOS appliance |
Port | JunOS REST API TCP port, default is 3443 |
Username | JunOS Username |
Password | JunOS Password |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Run Operation Command | Run a JunOS CLI command in operation mode to fetch data such as the routing table, interfaces, system info, etc. | op_action Information |
Run Configuration Command | Update JunOS Configuration | config_action Configuration |
Get Address Set | Get Address Set entries from global address book | get_address_set Configuration |
Add an Object to Global Address Set | Add an IP address, an FQDN or a wildcard to an address set in the Global address book. 1024 entries Max | add_to_address_book Configuration |
Delete Object from Global Address Set | Delete an IP address, an FQDN or a wildcard from the Global address book | delete_from_address_set Configuration |
Get Prefix List | Get Prefix List entries | get_prefix_list Configuration |
Add Address(es) to a Prefix List | Add IP address(es) to a prefix-list. 85325 entries Max | add_to_prefix_list Configuration |
Delete Address(es) from a Prefix List | Delete IP address(es) from a prefix-list | delete_from_prefix_list Configuration |
Parameter | Description |
---|---|
Method | RPC Command to run |
Custom Method | If the command is not in the Method list above, you can supply a custom one here. To get the exact command syntax, run the command on JunOS with the XML RPC display option, for example: [show route|display xml rpc] |
Method Parameters | Method parameters in JSON. For example, if the action is get-interface-information the parameter(s) could be [{'interface-name':'ge-0/0/0'}] |
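
How a Method and its Method Parameters map onto the XML RPC element that `display xml rpc` prints, as an added example (not the connector's own code). The function names `parse_params` and `build_rpc` are hypothetical, and the element-name allow-list is an assumption. The page's single-quoted sample is read with `ast.literal_eval` because strict JSON rejects it.

```python
import ast
import json
import re
import xml.etree.ElementTree as ET

# Assumed allow-list for element names: lowercase letters, digits, hyphens.
_NAME = re.compile(r"[a-z][a-z0-9-]*")


def parse_params(text):
    """Parse the Method Parameters field into a list of dicts."""
    if not text or not text.strip():
        return []
    try:
        data = json.loads(text)
    except ValueError:
        # The page's sample uses single quotes; literal_eval reads that
        # form without executing any code.
        data = ast.literal_eval(text)
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list) or not all(isinstance(d, dict) for d in data):
        raise ValueError("expected a list of {name: value} objects")
    return data


def build_rpc(method, params_text=""):
    """Return the XML element for one RPC, rejecting unsafe element names."""
    if not _NAME.fullmatch(method):
        raise ValueError(f"invalid RPC name: {method!r}")
    root = ET.Element(method)
    for item in parse_params(params_text):
        for name, value in item.items():
            if not _NAME.fullmatch(str(name)):
                raise ValueError(f"invalid parameter name: {name!r}")
            child = ET.SubElement(root, name)
            # True marks a flag argument such as <terse/>; any other value
            # becomes text, which ElementTree escapes on serialisation.
            if value is not True:
                child.text = str(value)
    return ET.tostring(root, encoding="unicode")
```

Validating names and letting the XML library escape values keeps playbook-supplied data from injecting extra elements into the request.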
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Request Payload | HTTP/POST XML Payload as documented here https://www.juniper.net/documentation/us/en/software/junos/rest-api/rest-api.pdf |
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Address Set | Name of the address set |
Get Entries Count | If checked, returns only entries count instead of the entries data |
The output contains the following populated JSON schema:
- This action will add object(s) (IP/FQDN/Wildcard) to an address set of the global address book so the address set (defined by the name you use in the Address Set parameter) can be used with any security policy from and to any zone.
- The action doesn't create the security policy, the users have to do it themselves and associate the Address-Set with any policy of their choosing.
- A maximum of 1024 addresses (IPv4) can be created. Each IPv6 address takes up the space of 4 IPv4 addresses.
- You can use the Get Address Set action with the count option to check how many records already exist.
Parameter | Description |
---|---|
Address Set | Name of the address set |
Object Types | Type of the object(s) to add, only one type is supported at a time. Wildcard format is: A.B.C.D/E.F.G.H |
Object(s) To Add | IP address, an FQDN or a wildcard to add, for multiple entries use CSV format such as host1.domain.com,host2.domain.com if the type is dns-name |
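
A pre-flight check a playbook could run before calling this action, as an added example (not part of the connector): it validates each CSV entry for the chosen type and applies the 1024-slot rule with IPv6 weighted as four. The type labels `ip` and `wildcard`, the function names, and the cost of one slot for wildcard and dns-name entries are assumptions. `used_slots` is assumed to be the count reported by Get Address Set.

```python
import ipaddress
import re

MAX_SLOTS = 1024  # limit stated on this page, counted in IPv4-sized slots
_FQDN = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+")


def slot_cost(obj_type, value):
    """Validate one entry and return how many IPv4-sized slots it uses."""
    if obj_type == "ip":
        net = ipaddress.ip_network(value, strict=False)
        return 4 if net.version == 6 else 1   # page: one IPv6 = four IPv4
    if obj_type == "wildcard":                # page format: A.B.C.D/E.F.G.H
        addr, sep, mask = value.partition("/")
        if not sep:
            raise ValueError(f"wildcard needs A.B.C.D/E.F.G.H: {value!r}")
        ipaddress.IPv4Address(addr)
        ipaddress.IPv4Address(mask)
        return 1                              # assumed cost, not from the page
    if obj_type == "dns-name":
        if not _FQDN.fullmatch(value):
            raise ValueError(f"not an FQDN: {value!r}")
        return 1                              # assumed cost, not from the page
    raise ValueError(f"unknown object type: {obj_type!r}")


def plan_batch(obj_type, csv_text, used_slots):
    """Split the CSV field, validate every entry, check remaining capacity."""
    accepted, rejected, needed = [], [], 0
    for raw in csv_text.split(","):
        value = raw.strip()
        if not value or value in accepted:    # skip blanks and duplicates
            continue
        try:
            needed += slot_cost(obj_type, value)
            accepted.append(value)
        except ValueError as exc:
            rejected.append((value, str(exc)))
    fits = used_slots + needed <= MAX_SLOTS
    return {"accepted": accepted, "rejected": rejected,
            "needed": needed, "fits": fits}
```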
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Address set | Name of the address set |
Object Types | Type of the object(s) to delete, only one type is supported at a time |
Object(s) To Delete | IP address, an FQDN or a wildcard to delete, for multiple entries use CSV format such as host1.domain.com,host2.domain.com if the type is dns-name |
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Prefix List | Name of the Prefix List |
Get Entries Count | If checked, returns only entries count instead of the entries data |
The output contains the following populated JSON schema:
- The action only creates and populates the prefix list; you still need to associate it with a firewall filter. For example, if the prefix list you create is called Bad-IPs (defined by the Prefix List parameter), add the configuration below to use the prefix list to block traffic from/to its addresses on ge-0/0/0.0.

```
set firewall family inet filter Blocked-Group term 1 from prefix-list Bad-IPs
set firewall family inet filter Blocked-Group term 1 then discard
set firewall family inet filter Blocked-Group term 99 then accept
set interfaces ge-0/0/0.0 family inet filter input Blocked-Group
set interfaces ge-0/0/0.0 family inet filter output Blocked-Group
```
Parameter | Description |
---|---|
Prefix List | Name of the Prefix List |
Address(es) To Add | IPv4 or IPv6 Address or Addresses (in CSV) to add to the prefix list |
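
Because the filter above discards traffic for every entry in the list, a playbook can vet the Address(es) To Add value first. This is an added example, not the connector's code: the protected networks, the minimum prefix lengths and the function name `vet_prefixes` are assumed policy choices, and only the 85325 limit comes from this page.

```python
import ipaddress

MAX_ENTRIES = 85325  # prefix-list limit stated on this page

# Constructed sample: networks the playbook must never discard traffic for.
PROTECTED = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]
MIN_PREFIXLEN = {4: 24, 6: 48}  # assumed policy: nothing broader than /24, /48


def vet_prefixes(csv_text, current_count, protected=PROTECTED):
    """Return (to_add, refused) for the Address(es) To Add field."""
    to_add, refused = [], []
    for raw in csv_text.split(","):
        value = raw.strip()
        if not value:
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            refused.append((value, "not an IPv4/IPv6 address or prefix"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            refused.append((value, "prefix too broad"))
        elif any(p.version == net.version and p.overlaps(net)
                 for p in protected):
            refused.append((value, "overlaps a protected network"))
        elif net not in to_add:               # drop duplicates
            to_add.append(net)
    if current_count + len(to_add) > MAX_ENTRIES:
        raise OverflowError("prefix list would exceed its entry limit")
    return [str(n) for n in to_add], refused
```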
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Prefix List | Name of the Prefix List |
Address(es) To Delete | IPv4 or IPv6 Address or Addresses (in CSV) to delete from the prefix list |
The output contains the following populated JSON schema:
The Sample - juniper-junos - 1.0.0 playbook collection comes bundled with the Juniper JunOS connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Juniper JunOS connector.