This module contains a collection of YANG definitions for ZBFW operational data. Copyright (c) 2018-2020 by Cisco Systems, Inc. ...
Version: 2020-11-01
// Cisco-IOS-XE-fw-oper: operational (read-only) state of the IOS-XE
// Zone-Based Firewall (ZBFW).
//
// Everything this module exports lives under the top-level container
// "zbfw", which is declared "config false", so none of these nodes can be
// written by a client; they are telemetry to be read.  The data falls into
// two parts:
//   * drop-statistics  - one uint64 counter per firewall drop cause
//                        (grouping fw-drop-stats).
//   * zonepair-statistics - per zone-pair, per traffic-class, per match /
//                        protocol / L7-application counters and session
//                        gauges (groupings fw-zonepair-list-entries and
//                        below).
//
// NOTE(review): only "catch-all" states its baseline ("since bring up");
// the remaining drop counters carry no statement about reset behaviour or
// wrap-around, so treat them as cumulative only after confirming against
// the platform.
module Cisco-IOS-XE-fw-oper {
  yang-version 1;
  namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-fw-oper";
  prefix fw-ios-xe-oper;

  // cisco-semver provides the module-version extension used below.
  import cisco-semver {
    prefix cisco-semver;
  }

  organization "Cisco Systems, Inc.";
  contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com";
  description "This module contains a collection of YANG definitions for ZBFW operational data. Copyright (c) 2018-2020 by Cisco Systems, Inc. All rights reserved.";

  // Revision history; the "reference" of each revision is the semantic
  // version it corresponds to.
  revision "2020-11-01" {
    description "Added missing drop causes";
    reference "2.2.0";
  }
  revision "2019-05-01" {
    description "Added semantic version";
    reference "2.1.0";
  }
  // Note the 2.0.0 rename of the top-level container from fw-oper-data to
  // zbfw: XPath filters or subscriptions written against the 1.0.0 path
  // will not match this revision.
  revision "2018-10-29" {
    description "- Added Policy AVC Action Drop - Cleaned up spelling errors in descriptions. - Added network configurations. - Renamed top level container from fw-oper-data to zbfw.";
    reference "2.0.0";
  }
  revision "2018-02-22" {
    description "Initial revision";
    reference "1.0.0";
  }

  // One module-version statement per published semantic version.
  cisco-semver:module-version "2.2.0";
  cisco-semver:module-version "2.1.0";
  cisco-semver:module-version "2.0.0";
  cisco-semver:module-version "1.0.0";

  // fw-drop-stats: one uint64 counter per drop cause.  The leaf names
  // encode the layer / subsystem that dropped the packet:
  //   l4-*        generic L4 session handling, l4-tcp-* / l4-udp-* /
  //               l4-icmp-* the per-protocol checks
  //   insp-*      inspection policy lookup and classification
  //   syncookie-* SYN-cookie handling
  //   policy-*    policy actions (including fragment and ICMP handling)
  //   l7-*        L7 / ALG inspection
  //   lisp-*      LISP header handling
  //   remaining   session table, zone and HA related causes
  grouping fw-drop-stats {
    description "Firewall Drop Statistics";

    leaf catch-all {
      type uint64;
      description "Total packet drops seen since bring up";
    }

    // Session / half-open limits.  Together with l4-udp-max-halfsession,
    // l4-icmp-max-halfsession and the syncookie-* / *synflood* counters
    // below, sustained growth here is the module's visible signal of
    // session-table exhaustion (e.g. a connection flood) and is worth
    // alerting on.
    leaf l4-max-halfsession {
      type uint64;
      description "Packet drops due to maximum L4 half-open sessions reached";
    }
    leaf l4-too-many-pkts {
      type uint64;
      description "Packet drops due to exceeding the maximum number of inspectable packets allowed per flow";
    }
    leaf l4-session-limit {
      type uint64;
      description "Packet drops for session initiators after exceeding maximum session limit";
    }
    leaf l4-invalid-hdr {
      type uint64;
      description "Packet drops due to invalid header/packet length";
    }
    leaf l4-internal-err-undefined-dir {
      type uint64;
      description "Packet drops due to a failure in determining direction";
    }
    leaf l4-scb-close {
      type uint64;
      description "Packet drops due to session in internal close state";
    }

    // TCP state-machine validation drops.  Most of these count segments
    // that do not fit the tracked connection state (bad flags, sequence or
    // ACK numbers, out-of-window data); a steady trickle is normal on
    // asymmetric or lossy paths, a sharp rise on one zone-pair is not.
    leaf l4-tcp-invalid-ack-flag {
      type uint64;
      description "Packet drops due to invalid TCP ACK flags";
    }
    leaf l4-tcp-invalid-ack-num {
      type uint64;
      description "Packet drops due to invalid ACK number";
    }
    leaf l4-tcp-invalid-tcp-initiator {
      type uint64;
      description "Packet drops due to non-SYN packets received without valid session";
    }
    leaf l4-tcp-syn-with-data {
      type uint64;
      description "Packet drops due to SYN packets having data";
    }
    leaf l4-tcp-invalid-win-scale-option {
      type uint64;
      description "Packet drops due to invalid TCP window scale option";
    }
    leaf l4-tcp-invalid-seg-synsent-state {
      type uint64;
      description "Packet drops due to invalid packets received in SYNSENT state";
    }
    leaf l4-tcp-invalid-seg-synrcvd-state {
      type uint64;
      description "Packet drops due to invalid packets received in SYNRCVD state";
    }
    leaf l4-tcp-invalid-seg-pkt-too-old {
      type uint64;
      description "Packet drops due to packets being too old/out of window";
    }
    leaf l4-tcp-invalid-seg-pkt-win-overflow {
      type uint64;
      description "Packet drops due to receiver window overflow (except when vTCP is enabled)";
    }
    leaf l4-tcp-invalid-seg-pyld-after-fin-send {
      type uint64;
      description "Packet drops due to payload received after FIN is sent";
    }
    leaf l4-tcp-invalid-flags {
      type uint64;
      description "Packet drops due to invalid/unexpected TCP flags";
    }
    leaf l4-tcp-invalid-seq {
      type uint64;
      description "Packet drops due to invalid sequence number";
    }
    leaf l4-tcp-retrans-invalid-flags {
      type uint64;
      description "Packet drops due to invalid flags in TCP retransmitted packet";
    }
    leaf l4-tcp-l7-ooo-seg {
      type uint64;
      description "Packet drops due to L7 not accepting out-of-order TCP segments";
    }

    // SYN-flood protection.  The three counters below and syncookie-*
    // further down are the direct indicators that half-open protection
    // has engaged; the hostdb allocation failure additionally indicates
    // the box itself ran short of resources while under flood.
    leaf l4-tcp-syn-flood-drop {
      type uint64;
      description "Packet drops during SYN flood attack";
    }
    leaf l4-tcp-internal-err-synflood-alloc-hostdb-fail {
      type uint64;
      description "Packet drops due to failure of hostdb allocation during a SYN flood attack";
    }
    leaf l4-tcp-synflood-blackout-drop {
      type uint64;
      description "Packet drops due to blackout drop time when exceeding configured half-open connections";
    }
    leaf l4-tcp-unexpect-tcp-payload {
      type uint64;
      description "Packet drops due to receiving TCP packet with payload when a response is expected for SYN";
    }
    leaf l4-tcp-syn-in-win {
      type uint64;
      description "Packet drops due to receiving SYN in an established connection";
    }
    leaf l4-tcp-rst-in-win {
      type uint64;
      description "Packet drops due to receiving RST in an established connection";
    }
    leaf l4-tcp-stray-seg {
      type uint64;
      description "Packet drops due to unexpected/stray TCP segments";
    }
    // Unlike its siblings this leaf counts a RST the firewall itself sent,
    // not a dropped packet (per its description).
    leaf l4-tcp-rst-to-resp {
      type uint64;
      description "RST sent to responder in SYNSENT state when ACK sequence is invalid";
    }

    // Inspection-policy lookup and classification.  insp-policy-not-present,
    // insp-policy-misconfigure and (below) no-zone-pair-present, invalid-zone
    // and zone-mismatch grow when traffic hits a zone-pair without a usable
    // policy; non-zero values here are more likely a configuration gap than
    // an attack and should be reviewed as such.
    leaf insp-pam-lookup-fail {
      type uint64;
      description "Packet drops when policy exists in zone-pair but PAM lookup fails";
    }
    leaf insp-internal-err-get-stat-blk-fail {
      type uint64;
      description "Packet drops due to failure to get statistics block";
    }
    leaf insp-dstaddr-lookup-fail {
      type uint64;
      description "Packet drops due to destination address lookup failure";
    }
    leaf insp-policy-not-present {
      type uint64;
      description "Packet drops due to inspection policy not present in zone-pair";
    }
    leaf insp-sess-miss-policy-not-present {
      type uint64;
      description "Packet drops due to session lookup failure and no matching policy present";
    }
    leaf insp-classification-fail {
      type uint64;
      description "Packet drops due to protocol classification failure";
    }
    leaf insp-class-action-drop {
      type uint64;
      description "Packet drops due to a drop classification action";
    }
    leaf insp-policy-misconfigure {
      type uint64;
      description "Packet drops due to failed classification because of misconfigured security policy";
    }

    // ICMP handling.  ICMP error packets carry an embedded inner IP/TCP
    // header; several of these counters validate that inner header
    // against the originating flow (l4-icmp-err-l4-invalid-seq/-ack,
    // reverse-path check in l4-icmp-err-classification-fail).
    leaf l4-icmp-too-many-err-pkts {
      type uint64;
      description "Packet drops after exceeding the maximum number of ICMP error packets allowed per flow";
    }
    leaf l4-icmp-internal-err-no-nat {
      type uint64;
      description "Packet drops when ICMP is network address translated without internal NAT info";
    }
    leaf l4-icmp-internal-err-alloc-fail {
      type uint64;
      description "Packet drops when ICMP failed to get error packets";
    }
    leaf l4-icmp-internal-err-get-stat-blk-fail {
      type uint64;
      description "Packet drops due to a failure to get statistics block";
    }
    leaf l4-icmp-internal-err-dir-not-identified {
      type uint64;
      description "Packet drops due to unidentified ICMP packet direction";
    }
    leaf l4-icmp-scb-close {
      type uint64;
      description "Packet drops due to receiving ICMP packets when session is in internal close state";
    }
    leaf l4-icmp-pkt-no-ip-hdr {
      type uint64;
      description "Packet drops due to missing IP header in ICMP packets";
    }
    leaf l4-icmp-pkt-too-short {
      type uint64;
      description "Packet drops due to ICMP error where packets are too short";
    }
    leaf l4-icmp-err-no-ip-no-icmp {
      type uint64;
      description "Packet drops due to packets not identified as IP or ICMP";
    }
    // The burst limit (10) and the single-unreachable rule are stated in
    // the descriptions; they are fixed in this model, not configurable here.
    leaf l4-icmp-err-pkts-burst {
      type uint64;
      description "Packet drops due to ICMP error where packet bursts exceed a limit of 10";
    }
    leaf l4-icmp-err-multiple-unreach {
      type uint64;
      description "Packet drops due to receiving multiple unreachable packets; only 1 is allowed";
    }
    leaf l4-icmp-err-l4-invalid-seq {
      type uint64;
      description "Packet drops when inner TCP sequence number of packet does not match that of packet originating the ICMP error";
    }
    leaf l4-icmp-err-l4-invalid-ack {
      type uint64;
      description "Packet drops due to inner TCP header invalid ACK";
    }
    leaf l4-icmp-err-policy-not-present {
      type uint64;
      description "Packet drops due to missing policy on zone-pair for ICMP";
    }
    leaf l4-icmp-err-classification-fail {
      type uint64;
      description "Packet drops due to a miss when doing reverse path flow check";
    }

    // SYN-cookie protection (see the SYN-flood note above).
    leaf syncookie-max-dst {
      type uint64;
      description "SYNcookie Packet drops when we've reached maximum number of SYN destinations per zone";
    }
    leaf syncookie-internal-err-alloc-fail {
      type uint64;
      description "SYNcookie Packet drops due to a failure in allocating memory in the destination table";
    }
    leaf syncookie-trigger {
      type uint64;
      description "Packet drops due to a SYNcookie trigger";
    }

    // Drops that are the intended outcome of a configured policy action.
    // These are expected to be non-zero on a working firewall and are the
    // counters to correlate with a policy change, not with an incident.
    leaf policy-fragment-drop {
      type uint64;
      description "Packet drops due to dropping fragmented packet when first fragment drops";
    }
    leaf policy-action-drop {
      type uint64;
      description "Packet drops when policy action is drop";
    }
    leaf policy-icmp-action-drop {
      type uint64;
      description "Packet drops when policy action for the ICMP packet is to drop";
    }

    // L7 / ALG inspection.
    leaf l7-type-drop {
      type uint64;
      description "Packet drops when L7 inspection returns drop as the action";
    }
    leaf l7-no-seg {
      type uint64;
      description "Packet drops due to receiving segmented packets when ALG does not honor them";
    }
    leaf l7-no-frag {
      type uint64;
      description "Packet drops due to receiving fragmented packets when ALG does not honor them";
    }
    leaf l7-unknown-proto {
      type uint64;
      description "Packet drops due to unrecognized L7 protocol type";
    }
    leaf l7-alg-ret-drop {
      type uint64;
      description "Packet drops due to L7 (ALG) deciding to drop the packet";
    }
    // Sub-channel promotion: an ALG-opened secondary channel needs its own
    // zone-pair and policy; these count the cases where one is missing.
    leaf l7-promote-fail-no-zone-pair {
      type uint64;
      description "Packet drops due to L7 sub-channel promotion failure due to no zone pair configured for the sub-channel";
    }
    leaf l7-promote-fail-no-policy {
      type uint64;
      description "Packet drops due to L7 sub-channel promotion failure due to no policy configured for the sub-channel";
    }

    // Session table, zone and HA related causes.
    leaf no-session {
      type uint64;
      description "Packet drops due to session creation failure";
    }
    leaf no-new-session {
      type uint64;
      description "Packet drops due to internal state not allowing new session creation";
    }
    leaf not-initiator {
      type uint64;
      description "Packet drops due to receiving a non-initiator packet for a session";
    }
    leaf invalid-zone {
      type uint64;
      description "Packet drops due to a zone not configured for interface";
    }
    // Counts traffic reaching a non-active HA member without asymmetric
    // routing support; growth here after a failover is worth checking.
    leaf ha-ar-standby {
      type uint64;
      description "Packet drops due to asymmetric routing not configured and box not in active state";
    }
    leaf no-forwarding-zone {
      type uint64;
      description "Packet drops when Firewall is uninitialized";
    }
    // Drops caused by the logging path applying backpressure; if this
    // grows, the firewall is shedding packets because logging cannot keep
    // up, which also means the log record of that traffic is incomplete.
    leaf backpressure {
      type uint64;
      description "Packet drops due to backpressure by log mechanism";
    }
    leaf zone-mismatch {
      type uint64;
      description "Packet drops due to zone mismatch";
    }
    leaf fdb-err {
      type uint64;
      description "Packet drops due to a failure to register flow with flow database";
    }

    // LISP encapsulated traffic.
    leaf lisp-header-restore-fail {
      type uint64;
      description "Packet drops due to LISP header restoration failure";
    }
    leaf lisp-inner-pkt-insane {
      type uint64;
      description "Packet drops due to LISP inner packet sanity check failure";
    }
    leaf lisp-inner-ipv4-insane {
      type uint64;
      description "Packet drops due to LISP inner packet IPV4 sanity check failure";
    }
    leaf lisp-inner-ipv6-insane {
      type uint64;
      description "Packet drops due to LISP inner packet IPV6 sanity check failure";
    }

    // Leaves added in later revisions (AVC action, per-protocol half-open
    // limits, missing zone-pair); see the 2018-10-29 and 2020-11-01
    // revision notes.
    leaf policy-avc-action-drop {
      type uint64;
      description "Packet drops when AVC policy action is drop";
    }
    leaf l4-icmp-invalid-seq {
      type uint64;
      description "Packet drops due to invalid ICMP sequence number";
    }
    leaf l4-udp-max-halfsession {
      type uint64;
      description "Packet drops due to UDP half-open session limit exceed";
    }
    leaf l4-icmp-max-halfsession {
      type uint64;
      description "Packet drops due to ICMP half-open session limit exceed";
    }
    leaf no-zone-pair-present {
      type uint64;
      description "Packet drops due to no zone-pair found";
    }
  } // grouping fw-drop-stats

  // Per L7-application byte/packet counters within an L7 traffic class.
  // NOTE(review): the description says "protocol list entry", but the
  // leaves model an application (l7-match-app-name); the wording appears
  // copied from fw-tc-proto-list-entry.
  grouping fw-l7-tc-match-app-list-entry {
    description "Firewall L7 Traffic class protocol list entry";
    leaf l7-match-app-name {
      type string;
      description "Layer 7 Application Name";
    }
    leaf byte-counters {
      type uint64;
      description "Number of bytes matching this application";
    }
    leaf pkt-counters {
      type uint64;
      description "Number of packets matching this application";
    }
  } // grouping fw-l7-tc-match-app-list-entry

  // One L7 (child) traffic class under a parent class: its action, traffic
  // counters, connection gauges and the list of matched applications.
  // The *-conn leaves mirror those of fw-traffic-class-list-entry below.
  grouping fw-l7-traffic-class-list-entry {
    description "Firewall L7 Traffic class list";
    leaf child-class-name {
      type string;
      description "Name of the L7 traffic class";
    }
    leaf parent-class-name {
      type string;
      description "Name of the traffic class";
    }
    leaf child-class-action {
      type string;
      description "Action for the L7 traffic class";
    }
    leaf pkts-counter {
      type uint64;
      description "Total Packets";
    }
    leaf bytes-counter {
      type uint64;
      description "Total bytes";
    }
    leaf attempted-conn {
      type uint64;
      description "Total number for the attempted connections matching this traffic class";
    }
    // current-* are gauges, max-* high-water marks; the ratio of
    // current-halfopen-conn to current-active-conn is the per-class view
    // of the half-open pressure that the global l4-*-max-halfsession
    // counters report as drops.
    leaf current-active-conn {
      type uint64;
      description "Current number of active connections matching this traffic class";
    }
    leaf max-active-conn {
      type uint64;
      description "Maximum number of active connections seen for this traffic class";
    }
    leaf current-halfopen-conn {
      type uint64;
      description "Current number of half-open connections seen for this traffic class";
    }
    leaf max-halfopen-conn {
      type uint64;
      description "Maximum number of half-open connections seen for this traffic class";
    }
    leaf current-terminating-conn {
      type uint64;
      description "Current number of terminating connections seen for this traffic class";
    }
    leaf max-terminating-conn {
      type uint64;
      description "Maximum number of terminating connections seen for this traffic class";
    }
    // NOTE(review): no "units" statement; the description says seconds.
    leaf time-since-last-session-create {
      type uint64;
      description "seconds since last session creation";
    }
    list fw-l7-tc-match-app-entry {
      key "l7-match-app-name";
      description "Firewall L7 Traffic class application list entries";
      uses fw-ios-xe-oper:fw-l7-tc-match-app-list-entry;
    } // list fw-l7-tc-match-app-entry
  } // grouping fw-l7-traffic-class-list-entry

  // Per-protocol byte/packet counters within a traffic class, keyed by the
  // numeric protocol id.
  grouping fw-tc-proto-list-entry {
    description "Firewall Traffic class protocol list entry";
    leaf proto-id {
      type uint16;
      description "Protocol ID";
    }
    leaf protocol-name {
      type string;
      description "Protocol Name";
    }
    leaf byte-counters {
      type uint64;
      description "Number of bytes matching this protocol";
    }
    leaf pkt-counters {
      type uint64;
      description "Number of packets matching this protocol";
    }
  } // grouping fw-tc-proto-list-entry

  // Key part of a match-condition entry (name + numeric type id); the
  // non-key part is fw-tc-match-list-entry.  The split lets the two be
  // "uses"d together in list fw-tc-match-entry below.
  grouping fw-tc-match-list-entry-key {
    description "Firewall Traffic class match list entry key";
    leaf match-name {
      type string;
      description "Match Name";
    }
    leaf match-type-id {
      type uint8;
      description "Match Type Identifier";
    }
  } // grouping fw-tc-match-list-entry-key

  grouping fw-tc-match-list-entry {
    description "Firewall Traffic class match list entry";
    leaf match-type {
      type string;
      description "Match Type";
    }
  } // grouping fw-tc-match-list-entry

  // One traffic class of a zone-pair policy: action, counters, connection
  // gauges, and its match conditions, protocol counters and nested L7
  // classes.
  grouping fw-traffic-class-list-entry {
    description "Firewall Traffic class list";
    leaf class-name {
      type string;
      description "Name of the traffic class";
    }
    leaf zonepair-name {
      type string;
      description "Zone pair name";
    }
    leaf class-action {
      type string;
      description "Action for the traffic class";
    }
    leaf pkts-counter {
      type uint64;
      description "Total Packets";
    }
    leaf bytes-counter {
      type uint64;
      description "Total bytes";
    }
    leaf attempted-conn {
      type uint64;
      description "Total number for the attempted connections matching this traffic class";
    }
    leaf current-active-conn {
      type uint64;
      description "Current number of active connections matching this traffic class";
    }
    leaf max-active-conn {
      type uint64;
      description "Maximum number of active connections seen for this traffic class";
    }
    leaf current-halfopen-conn {
      type uint64;
      description "Current number of half-open connections seen for this traffic class";
    }
    leaf max-halfopen-conn {
      type uint64;
      description "Maximum number of half-open connections seen for this traffic class";
    }
    leaf current-terminating-conn {
      type uint64;
      description "Current number of terminating connections seen for this traffic class";
    }
    leaf max-terminating-conn {
      type uint64;
      description "Maximum number of terminating connections seen for this traffic class";
    }
    // NOTE(review): no "units" statement; the description says seconds.
    leaf time-since-last-session-create {
      type uint64;
      description "Seconds since last session creation";
    }
    // Composite key: a match is identified by name and type id together.
    list fw-tc-match-entry {
      key "match-name match-type-id";
      description "List of match conditions";
      uses fw-ios-xe-oper:fw-tc-match-list-entry-key;
      uses fw-ios-xe-oper:fw-tc-match-list-entry;
    } // list fw-tc-match-entry
    list fw-tc-proto-entry {
      key "proto-id";
      description "Firewall Traffic class protocol list entries";
      uses fw-ios-xe-oper:fw-tc-proto-list-entry;
    } // list fw-tc-proto-entry
    leaf l7-policy-name {
      type string;
      description "Name of the L7 policy applied for this zone pair";
    }
    list fw-l7-traffic-class-entry {
      key "child-class-name";
      description "Firewall L7 Traffic class list entries";
      uses fw-ios-xe-oper:fw-l7-traffic-class-list-entry;
    } // list fw-l7-traffic-class-entry
  } // grouping fw-traffic-class-list-entry

  // One zone pair: source/destination zone, the policy bound to it and its
  // traffic classes.  policy-name lets an operator verify that every
  // zone-pair actually carries the intended policy (compare with the
  // insp-policy-not-present drop counter).
  grouping fw-zonepair-list-entries {
    description "Firewall Zone pair list entries";
    leaf zonepair-name {
      type string;
      description "Name of the zone pair";
    }
    leaf src-zone-name {
      type string;
      description "Name of the source zone";
    }
    leaf dst-zone-name {
      type string;
      description "Name of the destination zone";
    }
    leaf policy-name {
      type string;
      description "Name of the policy applied for this zone pair";
    }
    list fw-traffic-class-entry {
      key "class-name";
      description "Firewall Traffic class list entries";
      uses fw-ios-xe-oper:fw-traffic-class-list-entry;
    } // list fw-traffic-class-entry
  } // grouping fw-zonepair-list-entries

  // Top-level data tree.  "config false" makes the whole subtree
  // read-only operational state.
  container zbfw {
    config false;
    description "Operational state of ZBFW";
    // Presence container: its existence is itself meaningful.
    // NOTE(review): the module does not say when it is absent; presumably
    // when the firewall feature is not active -- confirm before treating
    // absence as "zero drops".
    container drop-statistics {
      presence "fw-drop-stats";
      description "Firewall Drop Statistics";
      uses fw-ios-xe-oper:fw-drop-stats;
    } // container drop-statistics
    list zonepair-statistics {
      key "zonepair-name";
      description "Firewall Zone pair list entries";
      uses fw-ios-xe-oper:fw-zonepair-list-entries;
    } // list zonepair-statistics
  } // container zbfw
} // module Cisco-IOS-XE-fw-oper