I managed to find an example SLAX script that is able to perform an insert before a specific term.
Unfortunately the SLAX script is quite complex as it is handling a lot of different requirements as it is also supporting Junos Space in a fabric and therefore has to figure out from which node it is to be executed from, and also handling the support for multiple devices..
The script in full is shown below, and I've added some notes here to better explain what the script is doing.
1. curl open and fabric are used to identify if Space is running in a fabric cluster, and from which node in the cluster the script is being executed from.
2. the script iterates through however many devices have been selected from the device management view, and searches for the selected devices so as to identify the api key that is used for each of the selected device(s).
3. The script makes an API call the /api/space/configuration-management/change-requests using the function jspace:addTerm, this function contains the configuration that will be applied to the device(s) via the configuration-management feature of Junos Space.
4. If the job has been accepted then it parses the XML response and displays the results in the script execution window.
5. The function jspace:addTerm contains the information necessary to make an API call to Junos Space using the REST client. The structure of the change-request includes, both a name and description of the change request, and the configuration to apply as XML data. This includes a statement "
<term operation="create" insert="before" name="REJECT">" , which allows us to insert the newly created term before an existing term that in this case is called REJECT. Finally, the change-request includes a syncAfterPush entry which can be set to true or false, so that once the change request has been made either Space will resync with the device or not.
Anyway, this is the approach that I've used in the past to leverage inserting a term before an existing term via Junos Space.
Hope that this might help.
version 1.2;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns str = "http://exslt.org/strings";
ns func extension = "http://exslt.org/functions";
ns curl extension = "http://xml.libslax.org/curl";
ns xutil extension = "http://xml.libslax.org/xutil";
ns jspace = "http://jspace-utils/asharp@juniper.net";
import "../import/junos.xsl";
/* Junos Space specific context, name and description */
/* @CONTEXT = "/device" */
/* @NAME = "Add route target to policy" */
/* @DESCRIPTION = "Add route target to policy" */
/* @ISLOCAL = "true" */
var $curl = curl:open();
var $fabric = jspace:fabric();
var $arguments = {
<argument> {
<name> "termname";
<description> "Name of term to add";
<argument> {
<name> "commname";
<description> "Name of community to add";
<argument> {
<name> "vnitarget";
<description> "Name of vnitarget";
main <op-script-results> {
<output> {
if ($fabric) {
var $devices = jspace:credentials();
if ($devices) {
for-each ($devices/device) {
sort host;
var $myhost = host;
/* find the device using API call */
* url, content-type, item-type, condition, item
var $findDevice = curl:perform($curl,jspace:findItem(
"http://" _ $fabric _ ":8080/api/space/device-management/devices",
/* get the key of the selected device */
var $deviceKey = $findDevice/data/devices/device/@key;
/* make changeRequest using the API */
* url, content-type, deviceKey, orig-name, new-name, resync
var $results = curl:perform($curl,jspace:addTerm(
"http://" _ $fabric _ ":8080/api/space/configuration-management/change-requests",
if ($results/headers/code == "200") {
/* job accepted */
expr "Adding term " _ $termname _ "\n";
/* need to see if the commit was successful or not */
/* to get the XML data which is embedded within more xml needs lots of parsing... */
/* parse and convert the raw-data node */
var $parseOne = {
uexpr $results/raw-data/.;
var $parseTwo = xutil:string-to-xml($parseOne);
var $parseThree := {copy-of $parseTwo;}
parse and convert the change-request/xmlData node
this step is only required if you want to display
the configuration that was pushed to the device.
var $xmlDataOne = {
uexpr $parseThree/change-request/xmlData/.;
var $xmlDataTwo = xutil:string-to-xml($xmlDataOne);
var $xmlDataThree := {copy-of $xmlDataTwo;}
copy-of $xmlDataThree;
/* display the change-request/result */
uexpr substring-before($parseThree/change-request/result/.,"rpc-reply: ");
} else {
expr "Job failed with error code " _ $results/headers/code _ "\n";
} else {
expr "Could not identify the fabric!";
* Used to identify the fabric that the script has been executed on
* knowing this is essential in a multi fabric environment when making
* RESTful API calls to Junos Space and using the session cookies for
* authentication.
<func:function name="jspace:fabric"> {
if( $CONTEXT ) {
var $fabric = {
if ( contains( $JSESSIONID, "server") ) {
expr jcs:regex("\.(space-[A-Za-z0-9]+):server",$JSESSIONID)[2];
} else {
expr jcs:regex("\.(space-[A-Za-z0-9]+)",$JSESSIONID)[2];
<func:result select="$fabric">;
} else {
<func:result select="false()">;
/* findItem */
<func:function name="jspace:findItem">
param $url;
param $content-type;
param $item-type;
param $condition;
param $item;
var $curlData := {
<method> "get";
<url> $url;
<header name="Cookie"> "JSESSIONID=" _ $JSESSIONID _ ";Path=/;";
<header name="Cookie"> "JSESSIONIDSSO=" _ $JSESSIONIDSSO _ ";Path=/;";
<param name="filter"> "(" _ $item-type _ " " _ $condition _ " '" _ $item _ "')";
<content-type> $content-type;
<format> "xml";
<func:result select=" $curlData ">;
/* add term */
<func:function name="jspace:addTerm">
param $url;
param $content-type;
param $deviceId;
param $termname;
param $commname;
param $vnitarget;
param $syncAfterPush; /* true | false */
var $curlData := {
<method> "post";
<url> $url;
<content-type> $content-type;
<header name="Cookie"> "JSESSIONID=" _ $JSESSIONID _ ";Path=/;";
<header name="Cookie"> "JSESSIONIDSSO=" _ $JSESSIONIDSSO _ ";Path=/;";
<format> "xml";
<contents> {
uexpr '
<term operation="create" insert="before" name="REJECT">
<name>' _ $termname _ '</name>
<community>' _ $commname _ '</community>
<name>' _ $commname _ '</name>
<members>' _ $vnitarget _ '</members>
<device href="/api/space/device-management/devices/' _ $deviceId _ '"/>
<syncAfterPush>' _ $syncAfterPush _ '</syncAfterPush>
<func:result select=" $curlData ">;
* Can be used to identify selected devices, and their credentials.
* Must be used with PASSDEVICECREDENTIALS = "true" annotation for credentials.
* Must be used with EXECUTIONTYPE = "GROUPEDEXECUTION" annotation for multiple devices
<func:function name="jspace:credentials"> {
if( $CONTEXT ) {
var $splitCredentials = str:split( $credentials, "\\;" );
var $targets := {
for-each ( $splitCredentials ) {
var $splitCredential = str:split( ., "\\:" );
var $user-target = str:split($splitCredential[1], "\@");
var $host = substring-before( substring-after( $deviceipmap, substring-after( $splitCredential[1], "@" ) _ "\":\"" ), "\"" );
<device> {
<ipAddr> {
expr $user-target[2];
<user> {
expr $user-target[1];
<passwd> {
expr $splitCredential[2];
<host> {
expr $host;
<func:result select="$targets">;
} else {
<func:result select="false()">;
I do not have much experience with JunosSpace management, but was able to create few simple Configlets, that I want to apply to a number of SRX service gateways.
At this moment, I am able to apply Configlets that create some objects (like address object) and delete these objects. Preparing the latest (delete), I found that I need to use "delete: xxx", in Configlet Editor.
Then, I wanted to create Configlet that will insert certain policy to SRX devices. No problem with creating policy, but after applying it, policy is inserted at the end of policy list (for certain from-to context). I am not sure, how to insert my policy at certain hierarchy location (for example, before some known policy).
I tried with Configlet that is using following:
security {
policies {
from-zone trust to-zone untrust {
insert policy pol_MyPol before policy pol_Pol1;
I tried also with "insert:" instead of "insert", but all the time, I am getting error, like:
<configuration-text xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" type="subtree"> security {
policies {
from-zone trust to-zone untrust {
insert policy pol_toGit before policy pol_toWindGit;
Job Failure Reason:
<rpc-reply >
<error-message>syntax error</error-message>
<error-path>[edit security policies]</error-path>
<error-message>mgd: statement has no contents; ignored</error-message>
<bad-element>from-zone trust to-zone untrust</bad-element>
Any help how to configure Configlet?
Another point would be: how to create Configlet, that could save rescue configuration (i.e. how to execute "request system configuration rescue save" using Configlet).