Junos security configuration module
Version: 2019-01-01
module junos-es-conf-security { yang-version 1; namespace "http://yang.juniper.net/junos-es/conf/security"; prefix jc-security; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-es-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos security configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses security-group; } augment /jc:configuration/jc:groups { uses security-group; } grouping security-group { container security { description "Security configuration"; uses apply-advanced; container alarms { description "Configure security alarms"; uses apply-advanced; container audible { presence "enable audible"; description "Beep when new security alarms arrive"; uses apply-advanced; leaf continuous { type empty; description "Keep beeping until all security alarms have been cleared"; } } // container audible container potential-violation { description "Configure potential security violations"; uses apply-advanced; leaf authentication { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10"; } } description "Raise alarm for specified number of authentication failures"; } leaf cryptographic-self-test { type empty; description "Raise alarm for cryptographic self test failures"; } container decryption-failures { presence "enable decryption-failures"; description "No. of decryption failures before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "1000"; description "Threshold value [default is 1000]"; } } // container decryption-failures container encryption-failures { presence "enable encryption-failures"; description "No. of encryption failures before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "1000"; description "Threshold value [default is 1000]"; } } // container encryption-failures container ike-phase1-failures { presence "enable ike-phase1-failures"; description "No. of IKE Phase-1 failures before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "20"; description "Threshold value [default is 20]"; } } // container ike-phase1-failures container ike-phase2-failures { presence "enable ike-phase2-failures"; description "No. of IKE Phase-2 failures before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "20"; description "Threshold value [default is 20]"; } } // container ike-phase2-failures leaf key-generation-self-test { type empty; description "Raise alarm for key generation self test failures"; } leaf non-cryptographic-self-test { type empty; description "Raise alarm for non-cryptographic self test failures"; } container policy { description "Raise alarm for flow policy violations"; uses apply-advanced; container source-ip { presence "enable source-ip"; description "Configure source address type of policy violation"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } default "1000"; description "Number of source IP address matches to raise alarm"; } leaf duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "1"; description "Time window matches must occur within"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10240"; } } default "1024"; description "Total source IP address number that can be done policy violation check concurrently"; } } // container source-ip container destination-ip { presence "enable destination-ip"; description "Configure destination address type of policy violation"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } default "1000"; description "Number of destination IP address matches to raise alarm"; } leaf duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "1"; description "Time window matches must occur within"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10240"; } } default "1024"; description "Total destination IP address number that can be done policy violation check concurrently"; } } // container destination-ip container application { presence "enable application"; description "Configure application type of policy violation"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } default "1000"; description "Number of application matches to raise alarm"; } leaf duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "1"; description "Time window matches must occur within"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10240"; } } default "1024"; description "Total application number that can be done policy violation check concurrently"; } } // container application container policy-match { presence "enable policy-match"; description "Configure policy type of policy violation"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } default "100"; description "Number of policy matches to raise alarm"; } leaf duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "1"; description "Time window matches must occur within"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10240"; } } default "1024"; description "Total concurrent number of policy check violations"; } } // container policy-match } // container policy container replay-attacks { presence "enable replay-attacks"; description "No. of Replay attacks before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "1000"; description "Replay threshold value"; } } // container replay-attacks leaf security-log-percent-full { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 100"; } } description "Raise alarm when security log exceeds this percent capacity"; } leaf idp { type empty; description "Raise alarm for idp attack"; } } // container potential-violation } // container alarms container log { description "Configure security log"; uses log-object; } // container log container certificates { description "X.509 certificate configuration"; uses apply-advanced; list local { key "name"; ordered-by user; description "Local X.509 certificate configuration"; uses certificate-object; } // list local leaf path-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "15"; description "Maximum certificate path length"; } leaf maximum-certificates { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4294967295"; } } default "1024"; description "Maximum number of certificates to cache"; } leaf cache-size { type string; units "bytes"; description "Maximum size of certificate cache"; } leaf cache-timeout-negative { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 4294967295"; } } default "20"; description "Time in seconds to cache negative responses"; } leaf enrollment-retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } description "Number of retry attempts for an enrollment request"; } list certification-authority { key "name"; ordered-by user; description "CA X.509 certificate configuration"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "CA profile name"; } uses apply-advanced; leaf ca-name { type string; description "CA name"; } leaf file { type string; description "File to read certificate from"; } leaf crl { type string; description "File to read crl from"; } leaf enrollment-url { type string; description "URL"; } leaf ldap-url { type string; description "URL"; } leaf encoding { type enumeration { enum "binary" { value 0; description "DER encoding"; } enum "pem" { value 1; description "Privacy-enhanced-mail encoding, base64"; } } default "binary"; description "Encoding to use for certificate or CRL on disk"; } } // list certification-authority } // container certificates container authentication-key-chains { description "Authentication key chain configuration"; uses security-authentication-key-chains; } // container authentication-key-chains container ssh-known-hosts { description "SSH known host list"; uses apply-advanced; list host { key "name"; ordered-by user; description "SSH known host entry"; leaf name { type string; description "Host name"; } uses apply-advanced; leaf rsa1-key { type string; description "Base64 encoded RSA key (protocol version 1)"; } leaf rsa-key { type string; description "Base64 encoded RSA key"; } leaf dsa-key { type string; description "Base64 encoded DSA key"; } leaf ecdsa-key { type string; status deprecated; description "Base64 encoded ECDSA key"; } leaf ecdsa-sha2-nistp256-key { type string; description "Base64 encoded ECDSA-SHA2-NIST256 key"; } leaf ecdsa-sha2-nistp384-key { type string; description "Base64 encoded ECDSA-SHA2-NIST384 key"; } leaf ecdsa-sha2-nistp521-key { type string; description "Base64 encoded ECDSA-SHA2-NIST521 key"; } leaf ed25519-key { type string; description "Base64 encoded ED25519 key"; } } // list host } // container ssh-known-hosts container pki { presence "enable pki"; description "PKI service configuration"; uses security-pki; } // container pki container ike { description "IKE configuration"; uses security-ike; } // container ike container ipsec { description "IPSec configuration"; uses security-ipsec-vpn; } // container ipsec container group-vpn { description "Group VPN configuration"; uses security-group-vpn; } // container group-vpn container ipsec-policy { description "IPSec policy configuration"; uses security-ipsec-policies; } // container ipsec-policy container distribution-profile { description "IPSec Tunnels distribution profile"; uses apply-advanced; leaf fat-core { type empty; description "Power Mode IPSec fat-tunnel mode"; } } // container distribution-profile container idp { description "Configure IDP"; list idp-policy { key "name"; ordered-by user; description "Configure IDP policy"; uses idp-policy-type; } // list idp-policy leaf active-policy { junos:must "("security idp idp-policy $$")"; junos:must-message "Policy must be defined under [security idp idp-policy] "; type string; status deprecated; description "Set active policy"; } leaf default-policy { junos:must "("security idp idp-policy $$")"; junos:must-message "Policy must be defined under [security idp idp-policy] "; type string; description "Set active policy"; } list custom-attack { key "name"; ordered-by user; description "Configure custom attacks"; uses custom-attack-type; } // list custom-attack list custom-attack-group { key "name"; ordered-by user; description "Configure custom attack groups"; uses custom-attack-group-type; } // list custom-attack-group list dynamic-attack-group { key "name"; ordered-by user; description "Configure dynamic attack groups"; uses dynamic-attack-group-type; } // list dynamic-attack-group container traceoptions { description "Trace options for idp services"; uses idpd-traceoptions-type; } // container traceoptions container security-package { description "Security package options"; uses apply-advanced; leaf url { type string; description "URL of Security package download"; } leaf source-address { type jt:ipv4addr; description "Source address to be used for sending download request"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [services proxy profile] path"; type string { length "1 .. 64"; } description "Proxy profile of security package download"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance for security-package download"; } container install { presence "enable install"; description "Configure install command"; uses apply-advanced; leaf ignore-version-check { type empty; description "Skip version check when attack database gets installed"; } leaf ignore-appid-failure { type empty; description "Continue idp installation even if appid installation fails"; } } // container install container automatic { presence "enable automatic"; description "Scheduled download and update"; uses apply-advanced; leaf start-time { type jt:time; description "Start time (YYYY-MM-DD.HH:MM:SS)"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 336"; } } units "hours"; description "Interval"; } leaf download-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "minutes"; default "1"; status deprecated; description "Maximum time for download to complete"; } choice enable-disable { leaf enable { type empty; description "Enable"; } } // choice enable-disable } // container automatic } // container security-package container sensor-configuration { description "IDP Sensor Configuration"; container log { description "IDP Log Configuration"; uses apply-advanced; leaf cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log cache size"; } container suppression { presence "enable suppression"; description "Log suppression"; uses apply-advanced; choice enable-disable { leaf disable { type empty; description "Disable log suppression"; } } // choice enable-disable choice include-destination-address-choice { leaf include-destination-address { type empty; description "Include destination address while performing a log suppression"; } leaf no-include-destination-address { type empty; description "Don't include destination address while performing a log suppression"; } } // choice include-destination-address-choice leaf start-log { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Suppression start log"; } leaf max-logs-operate { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum logs can be operate on"; } leaf max-time-report { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Time after suppressed logs will be reported"; } } // container suppression } // container log container packet-log { description "IDP Packetlog Configuration"; uses apply-advanced; container total-memory { description "Total memory unit(%)"; uses apply-advanced; leaf percentage-value { type union { type string { pattern "<.*>|$.*"; } type uint32; } } leaf per-logical-domain { type union { type string { pattern "<.*>|$.*"; } type uint32; } } } // container total-memory container max-sessions { description "Max num of sessions in unit(%)"; uses apply-advanced; leaf percentage-value { type union { type string { pattern "<.*>|$.*"; } type uint32; } } leaf per-logical-domain { type union { type string { pattern "<.*>|$.*"; } type uint32; } } } // container max-sessions leaf threshold-logging-interval { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Interval of logs for max limit session/memory reached in minutes"; } leaf source-address { type jt:ipv4addr; description "Source IP address used to transport packetlog to a host"; } container host { description "Destination host to send packetlog to"; uses apply-advanced; leaf ipaddr { type jt:ipv4addr; description "IP address"; } leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "UDP port number"; } } // container host } // container packet-log container application-identification { presence "enable application-identification"; description "Application identification"; uses apply-advanced; choice enable-disable { leaf disable { type empty; description "Disable application identification"; } } // choice enable-disable choice application-system-cache-choice { leaf application-system-cache { type empty; description "Application system cache"; } leaf no-application-system-cache { type empty; description "Don't application system cache"; } } // choice application-system-cache-choice leaf max-tcp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max TCP session memory"; } leaf max-udp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max UDP session memory"; } leaf max-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max sessions that can run AI at the same time"; } leaf max-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max packet memory"; } leaf max-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Max packet memory ratio"; } leaf max-reass-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max reass packet memory ratio"; } leaf application-system-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Application system cache timeout"; } } // container application-identification container flow { description "Flow configuration"; uses apply-advanced; choice log-errors-choice { leaf log-errors { type empty; description "Flow log errors"; } leaf no-log-errors { type empty; description "Don't flow log errors"; } } // choice log-errors-choice choice allow-icmp-without-flow-choice { leaf allow-icmp-without-flow { type empty; status deprecated; description "Allow icmp without flow"; } leaf no-allow-icmp-without-flow { type empty; status deprecated; description "Don't allow icmp without flow"; } } // choice allow-icmp-without-flow-choice leaf hash-table-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow hash table size"; } leaf reject-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow reject timeout"; } leaf max-timers-poll-ticks { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum timers poll ticks"; } leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; } leaf udp-anticipated-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum udp anticipated timeout"; } leaf drop-on-limit { type empty; description "Drop connections on exceeding resource limits"; } leaf drop-on-failover { type empty; description "Drop traffic on HA failover sessions"; } leaf drop-if-no-policy-loaded { type empty; description "Drop all traffic till IDP policy gets loaded"; } leaf max-sessions-offset { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum session offset limit percentage"; } leaf min-objcache-limit-lt { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory lower threshold limit percentage"; } leaf min-objcache-limit-ut { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory upper threshold limit percentage"; } leaf session-steering { type empty; description "Session steering for session anticipation"; } leaf idp-bypass-cpu-usg-overload { type empty; description "Enable IDP bypass of sessions/packets on CPU usage overload"; } leaf idp-bypass-cpu-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "85"; description "Threshold of CPU usage in percentage for IDP bypass"; } leaf idp-bypass-cpu-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "Tolerance of CPU usage in percentage for IDP bypass"; } leaf intel-inspect-enable { type empty; description "Minimizes IDP processing during system overload"; } leaf intel-inspect-cpu-usg-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "80"; description "CPU usage threshold percentage for intelligent inspection"; } leaf intel-inspect-cpu-usg-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "CPU usage tolerance percentage for intelligent inspection"; } leaf intel-inspect-free-mem-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "15"; description "Free memory threshold percentage for intelligent inspection"; } leaf intel-inspect-mem-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "Memory tolerance percentage for intelligent inspection"; } leaf intel-inspect-disable-content-decompress { type empty; description "Disables payload content decompression"; } leaf intel-inspect-session-bytes-depth { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "0"; description "Session bytes scanning depth"; } leaf-list intel-inspect-protocols { type string; ordered-by user; description "Protocols to be processed in Intelligent Inspection mode"; } leaf-list intel-inspect-signature-severity { junos:must "("security idp sensor-configuration flow intel-inspect-enable")"; junos:must-message "intelligent inspection must be enabled under [security idp sensor-configuration flow]"; type enumeration { enum "minor" { value 0; } enum "major" { value 1; } enum "critical" { value 2; } } ordered-by user; description "Signature severities to be considered for IDP processing"; } } // container flow container re-assembler { description "Re-assembler configuration"; uses apply-advanced; choice drop-on-syn-in-window-choice { leaf drop-on-syn-in-window { type empty; description "Drop session when SYN is seen in the window"; } leaf no-drop-on-syn-in-window { type empty; description "Don't drop session when SYN is seen in the window"; } } // choice drop-on-syn-in-window-choice choice ignore-memory-overflow-choice { leaf ignore-memory-overflow { type empty; description "Ignore memory overflow"; } leaf no-ignore-memory-overflow { type empty; description "Don't ignore memory overflow"; } } // choice ignore-memory-overflow-choice choice ignore-reassembly-memory-overflow-choice { leaf ignore-reassembly-memory-overflow { type empty; description "Ignore packet reassembly memory overflow"; } leaf no-ignore-reassembly-memory-overflow { type empty; description "Don't ignore packet reassembly memory overflow"; } } // choice ignore-reassembly-memory-overflow-choice leaf ignore-reassembly-overflow { type empty; description "Ignore global reassembly overflow"; } leaf max-packet-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Maximum packet memory"; } leaf max-flow-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum flow memory"; } leaf max-packet-mem-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum packet memory ratio"; } leaf action-on-reassembly-failure { type enumeration { enum "ignore" { value 0; description "No action is taken."; } enum "drop" { value 1; description "Drop the packet."; } enum "drop-session" { value 2; description "Drop the session."; } } default "drop"; description "Select the action on reassembly failures"; } choice tcp-error-logging-choice { leaf tcp-error-logging { type empty; description "Enable logging on tcp errors"; } leaf no-tcp-error-logging { type empty; description "Don't enable logging on tcp errors"; } } // choice tcp-error-logging-choice leaf max-synacks-queued { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum syn-acks queued with different SEQ numbers "; } choice force-tcp-window-checks-choice { leaf force-tcp-window-checks { type empty; description "Force TCP window checks if uni-directional policy is configured"; } leaf no-force-tcp-window-checks { type empty; description "Don't force TCP window checks if uni-directional policy is configured"; } } // choice force-tcp-window-checks-choice } // container re-assembler container ips { description "Ips configuration"; uses apply-advanced; choice process-override-choice { leaf process-override { type empty; description "Process override"; } leaf no-process-override { type empty; description "Don't process override"; } } // choice process-override-choice choice detect-shellcode-choice { leaf detect-shellcode { type empty; description "Detect shellcode"; } leaf no-detect-shellcode { type empty; description "Don't detect shellcode"; } } // choice detect-shellcode-choice choice process-ignore-s2c-choice { leaf process-ignore-s2c { type empty; description "Process ignore s2c"; } leaf no-process-ignore-s2c { type empty; description "Don't process ignore s2c"; } } // choice process-ignore-s2c-choice choice ignore-regular-expression-choice { leaf ignore-regular-expression { type empty; description "Ignore regular expression"; } leaf no-ignore-regular-expression { type empty; description "Don't ignore regular expression"; } } // choice ignore-regular-expression-choice leaf process-port { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Process port"; } leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; } leaf log-supercede-min { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Minimum log supercede"; } leaf content-decompression-max-memory-kb { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum memory usage in kilo bytes"; } leaf content-decompression-max-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum decompression ratio supported"; } leaf session-pkt-depth { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Session pkt scanning depth"; } } // container ips container global { description "Global configuration"; uses apply-advanced; choice enable-packet-pool-choice { leaf enable-packet-pool { type empty; description "Enable packet pool"; } leaf no-enable-packet-pool { type empty; description "Don't enable packet pool"; } } // choice enable-packet-pool-choice leaf log-xff-header { type empty; description "Log xff header"; } choice enable-all-qmodules-choice { leaf enable-all-qmodules { type empty; description "Enable all qmodules"; } leaf no-enable-all-qmodules { type empty; description "Don't enable all qmodules"; } } // choice enable-all-qmodules-choice choice policy-lookup-cache-choice { leaf policy-lookup-cache { type empty; description "Policy lookup cache"; } leaf no-policy-lookup-cache { type empty; description "Don't policy lookup cache"; } } // choice policy-lookup-cache-choice leaf memory-limit-percent { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory limit percentage"; } leaf disable-idp-processing { type empty; description "Flag to disable IDP processing"; } leaf intelligent-offload { type enumeration { enum "disable" { value 0; description "Disable flow offload"; } enum "conservative" { value 1; description "Increases scrutiny of flows prior to offload"; } } description "Intelligently offload the flow"; } } // container global container detector { description "Detector Configuration"; uses apply-advanced; list protocol-name { key "name"; ordered-by user; description "Apropriate help string"; uses proto-object; } // list protocol-name } // container detector container ssl-inspection { description "SSL inspection"; uses apply-advanced; leaf sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10000"; description "Number of SSL sessions to inspect"; } leaf session-id-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "seconds"; default "600"; description "Timeout value for SSL session ID cache"; } leaf maximum-cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "sessions"; default "100000"; description "Maximum SSL session ID cache size"; } leaf cache-prune-chunk-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "100"; description "Number of cache entries to delete when pruning SSL session ID cache"; } leaf key-protection { type empty; description "Enable SSL key protection"; } } // container ssl-inspection leaf disable-low-memory-handling { type empty; description "Do not abort IDP operations under low memory condition"; } container high-availability { description "High availability configuration"; uses apply-advanced; leaf no-policy-cold-synchronization { type empty; description "Disable policy cold synchronization"; } } // container high-availability container security-configuration { description "IDP security configuration"; uses apply-advanced; leaf protection-mode { type enumeration { enum "datacenter" { value 0; description "Security protection mode for datacenter"; } enum "datacenter-full" { value 1; description "Full security protection mode for datacenter"; } enum "perimeter" { value 2; description "Security protection mode for perimeter"; } enum "perimeter-full" { value 3; description "Full security protection mode for perimeter"; } } description "Enable security protection mode"; } } // container security-configuration } // container sensor-configuration leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } list logical-system { key "name"; ordered-by user; description "Configure max IDP sessions for the logial system"; uses logical-system-type; } // list logical-system list tenant-system { key "name"; ordered-by user; description "Configure max IDP sessions for the tenant"; uses tenant-system-type; } // list tenant-system uses apply-advanced; container processes { description "Configure IDP Processes"; uses apply-advanced; } // container processes } // container idp list address-book { key "name"; max-elements 4096; ordered-by user; description "Security address book"; uses named-address-book-type; } // list address-book container alg { description "Configure ALG security options"; uses alg-object; } // container alg container application-firewall { presence "enable application-firewall"; status deprecated; description "Configure application-firewall rule-sets"; uses apply-advanced; container traceoptions { description "Rule-sets Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "lookup" { value 1; description "Trace lookup events"; } enum "compilation" { value 2; description "Rule-sets compilation events"; } enum "ipc" { value 3; description "Inter-process communication events"; } enum "all" { value 4; description "Trace everything"; } } } } // list flag } // container traceoptions list profile { key "name"; ordered-by user; description "Configure application-firewall profile"; leaf name { type string { length "1 .. 63"; } description "Surf control integrated profile name"; } uses apply-advanced; container block-message { description "Block message settings"; uses apply-advanced; container type { description "Type of block message desired"; uses apply-advanced; choice type-choice { container custom-text { description "Custom defined block message"; uses apply-advanced; leaf content { type string { length "1 .. 511"; } description "Content of custom-text"; } } // container custom-text container custom-redirect-url { description "Custom redirect URL server"; uses apply-advanced; leaf content { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "URL of block message"; } } // container custom-redirect-url } // choice type-choice } // container type } // container block-message } // list profile list rule-sets { key "name"; ordered-by user; description "Configure application-firewall rule-sets"; leaf name { type string { length "1 .. 63"; } description "Application firewall rule-set name"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Rule"; uses appfw_rule_type; } // list rule container default-rule { presence "enable default-rule"; description "Specify default rule for a rule-set"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit packets"; } container deny { presence "enable deny"; description "Deny packets"; uses apply-advanced; leaf block-message { type empty; description "Block message"; } } // container deny container reject { presence "enable reject"; description "Reject packets"; uses apply-advanced; leaf block-message { type empty; description "Block message"; } } // container reject } // choice action } // container default-rule leaf profile { junos:must "("security application-firewall profile $$")"; junos:must-message "Application-firewall profile must be defined"; type string; description "Profile for block message"; } } // list rule-sets container nested-application { presence "enable nested-application"; status deprecated; description "Configure nested application dynamic lookup"; uses apply-advanced; container dynamic-lookup { presence "enable dynamic-lookup"; description "Configure dynamic lookup"; uses apply-advanced; leaf enable { type empty; description "Enable dynamic lookup"; } } // container dynamic-lookup } // container nested-application } // container application-firewall container application-tracking { presence "enable application-tracking"; description "Application tracking configuration"; uses apply-advanced; leaf disable { type empty; description "Disable Application tracking"; } choice update-interval { leaf first-update-interval { type union { type uint32; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Interval when the first update message is sent"; } leaf first-update { type empty; status deprecated; description "Generate Application tracking initial message when a session is created"; } } // choice update-interval leaf session-update-interval { type union { type uint32; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Frequency in which Application tracking update messages are generated"; } leaf log-session-create { type empty; description "Generate Application tracking session create log"; } leaf log-session-close { type empty; description "Generate Application tracking session close log"; } leaf no-volume-updates { type empty; description "Disable session volume update log"; } } // container application-tracking container utm { description "Content security service configuration"; uses apply-advanced; container traceoptions { description "Trace options for utm"; uses utm-traceoptions; } // container traceoptions container application-proxy { description "Application proxy settings"; uses apply-advanced; container traceoptions { description "Trace options for application proxy"; uses utm-apppxy-traceoptions; } // container traceoptions } // container application-proxy container ipc { description "IPC settings"; uses apply-advanced; container traceoptions { description "Trace options for IPC"; uses utm-ipc-traceoptions; } // container traceoptions } // container ipc container custom-objects { description "Custom-objects settings"; uses apply-advanced; container category-package { description "Category package download and install options"; uses apply-advanced; leaf url { type string; description "HTTPS URL of category package download"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined"; type string { length "1 .. 64"; } description "Proxy profile"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } container automatic { description "Scheduled download and install"; uses apply-advanced; leaf start-time { type jt:time; description "Start time (YYYY-MM-DD.HH:MM:SS)"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 336"; } } default "168"; description "Interval in hours"; } leaf enable { type empty; description "Enable automatic download and install"; } } // container automatic } // container category-package list mime-pattern { key "name"; ordered-by user; description "Configure mime-list object"; uses mime-list-type; } // list mime-pattern list filename-extension { key "name"; ordered-by user; description "Configure extension-list object"; uses extension-list-type; } // list filename-extension list url-pattern { key "name"; ordered-by user; description "Configure url-list object"; uses url-list-type; } // list url-pattern list custom-url-category { key "name"; ordered-by user; description "Configure category-list object"; uses category-list-type; } // list custom-url-category list protocol-command { key "name"; ordered-by user; description "Configure command-list object"; uses command-list-type; } // list protocol-command list custom-message { key "name"; ordered-by user; description "Configure custom-message object"; uses custom-message-type; } // list custom-message } // container custom-objects container default-configuration { description "Global default UTM configurations"; uses apply-advanced; container anti-virus { description "Configure anti-virus feature"; uses default-anti-virus-feature; } // container anti-virus container web-filtering { description "Configure web-filtering feature"; uses default-webfilter-feature; } // container web-filtering container anti-spam { description "Configure anti-spam feature"; uses default-anti-spam-feature; } // container anti-spam container content-filtering { description "Configure content filtering feature"; uses default-content-filtering-feature; } // container content-filtering } // container default-configuration container feature-profile { description "Feature-profile settings"; uses apply-advanced; container anti-virus { description "Configure anti-virus feature"; uses anti-virus-feature; } // container anti-virus container web-filtering { description "Configure web-filtering feature"; uses webfilter-feature; } // container web-filtering container anti-spam { description "Configure anti-spam feature"; uses anti-spam-feature; } // container anti-spam container content-filtering { description "Configure content filtering feature"; uses content-filtering-feature; } // container content-filtering } // container feature-profile list utm-policy { key "name"; ordered-by user; description "Configure profile "; uses profile-setting; } // list utm-policy } // container utm container dynamic-address { presence "enable dynamic-address"; description "Configure security dynamic address"; uses apply-advanced; container traceoptions { description "Security dynamic address tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Configuration details"; } enum "control" { value 1; description "Daemon control message"; } enum "ipc" { value 2; description "IPC message sending and receiving"; } enum "ip-entry" { value 3; description "IP entry management"; } enum "file-retrieval" { value 4; description "File retrieval"; } enum "lookup" { value 5; description "Lookup detail"; } enum "all" { value 6; description "Trace everything"; } } } } // list flag } // container traceoptions list feed-server { key "name"; ordered-by user; description "Security dynamic address feed-server"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 16"; } description "Security dynamic address feed-server name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of feed-server"; } choice hostname-or-url { leaf hostname { type string { length "1 .. 256"; } description "Hostname or IP address of feed-server"; } leaf url { type string { length "1 .. 256"; } description "URL,example:example.url.com;1.1.1.1/<folder-or-file-path>;Browser can verify its validity"; } } // choice hostname-or-url leaf update-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "30 .. 4294967295"; } } units "seconds"; default "300"; description "Interval to retrieve update"; } leaf hold-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } units "seconds"; default "86400"; description "Time to keep IP entry when update failed"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "Referenced SSL initiation profile is not defined"; type string; description "TLS profile"; } container validate-certificate-attributes { junos:must "(".. tls-profile")"; junos:must-message "tls-profile is not configured"; description "Validate some certificate attributes"; uses apply-advanced; leaf subject-or-subject-alternative-names { type empty; description "One of them must match feed server host name"; } } // container validate-certificate-attributes list feed-name { key "name"; ordered-by user; description "Feed name in feed-server"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 240"; } description "Security dynamic address feed name in feed-server"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of feed in feed-server"; } leaf path { type string { length "1 .. 1024"; } description "Path of feed, appended to feed-server to form a complete URL"; } leaf update-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "30 .. 4294967295"; } } units "seconds"; description "Interval to retrieve update"; } leaf hold-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } units "seconds"; description "Time to keep IP entry when update failed"; } } // list feed-name } // list feed-server list address-name { key "name"; ordered-by user; description "Security dynamic address name"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 240"; } description "Security dynamic address name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of dynamic address"; } container profile { presence "enable profile"; description "Information to categorize feed data into this dynamic address"; uses apply-advanced; list feed-name { key "name"; max-elements 1; ordered-by user; description "Name of feed in feed-server for this dynamic address"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 240"; } description "Name of feed in feed-server which is mapped to this dynamic address"; } uses apply-advanced; } // list feed-name list category { junos:must "(!(".. feed-name"))"; junos:must-message "Feed-name can not coexist with category"; key "name"; max-elements 1; ordered-by user; description "Name of category"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 32"; } description "Name of category"; } uses apply-advanced; leaf feed { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 32"; } description "Name of feed under category"; } list property { key "name"; max-elements 3; ordered-by user; description "Property to match"; leaf name { type string { length "1 .. 32"; } description "Name of property"; } uses apply-advanced; choice property-value { list string { key "name"; max-elements 256; ordered-by user; description "Value type is strings"; leaf name { type string { length "1 .. 32"; } description "String value"; } uses apply-advanced; } // list string } // choice property-value } // list property } // list category } // container profile leaf session-scan { type empty; description "Trigger session scan when the IP address is added"; } } // list address-name container session-scan { presence "enable session-scan"; description "Trigger session scan for all the dynamic addresses"; uses apply-advanced; leaf hold-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "10"; description "Time interval before the session scan request"; } } // container session-scan } // container dynamic-address container dynamic-vpn { status deprecated; description "Configure dynamic VPN"; uses apply-advanced; container traceoptions { description "Dynamic-vpn trace options"; uses httpd_dvpn_traceoptions_type; } // container traceoptions leaf force-upgrade { type empty; description "Force Upgrade"; } leaf access-profile { junos:must "("access profile $$")"; junos:must-message "Access profile must be defined"; type string; description "Configure access"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Interfaces that accept Dynamic-VPN client access"; } list clients { key "name"; ordered-by user; description "Configure for remote access client"; uses clients-object; } // list clients leaf config-check { type empty; description "Perform extra configuration validation"; } } // container dynamic-vpn container remote-access { junos:must "(("system services web-management" && "access firewall-authentication"))"; junos:must-message "web-management and firewall-authentication must be enabled for remote-access"; description "Configure remote access"; uses apply-advanced; container global-options { description "Global remote-access configuration"; uses apply-advanced; leaf auth-token-valid-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; default "60"; description "Authentication token valid time (seconds) :default 60"; } } // container global-options list profile { key "name"; ordered-by user; description "Remote access profile"; uses remote-access-profile-config; } // list profile list client-config { key "name"; ordered-by user; description "Remote-access client configuration"; uses remote-access-client-config; } // list client-config container traceoptions { description "Remote-access trace configuration"; uses remote-access-traceoptions; } // container traceoptions leaf default-profile { junos:must "("security remote-access profile $$")"; junos:must-message "Remote access default profile should configure"; type string; description "Configure default profile"; } } // container remote-access container dynamic-application { presence "enable dynamic-application"; description "Configure dynamic-application"; uses apply-advanced; container traceoptions { description "Dynamic application tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "lookup" { value 1; description "Trace lookup events"; } enum "compilation" { value 2; description "Rule-sets compilation events"; } enum "ipc" { value 3; description "Inter-process communication events"; } enum "all" { value 4; description "Trace everything"; } } } } // list flag } // container traceoptions list profile { key "name"; ordered-by user; description "Configure application-firewall profile"; leaf name { type string { length "1 .. 63"; } description "Surf control integrated profile name"; } uses apply-advanced; container redirect-message { description "Redirect message settings"; uses apply-advanced; container type { description "Type of redirect message desired"; uses apply-advanced; choice type-choice { container custom-text { description "Custom defined text block message"; uses apply-advanced; leaf content { type string { length "1 .. 511"; } description "Content of custom-text"; } } // container custom-text container redirect-url { description "Custom redirect URL server"; uses apply-advanced; leaf content { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "URL of block message"; } } // container redirect-url } // choice type-choice } // container type } // container redirect-message } // list profile } // container dynamic-application container softwires { description "Configure softwire feature"; uses softwires-object; } // container softwires container forwarding-options { description "Security-forwarding-options configuration"; uses apply-advanced; container family { description "Security forwarding-options for family"; uses apply-advanced; container inet6 { description "Family IPv6"; uses apply-advanced; leaf mode { type enumeration { enum "packet-based" { value 0; description "Enable packet-based forwarding"; } enum "flow-based" { value 1; description "Enable flow-based forwarding"; } enum "drop" { value 2; description "Disable forwarding"; } } description "Forwarding mode"; } } // container inet6 container mpls { description "Family MPLS"; uses apply-advanced; leaf mode { type enumeration { enum "packet-based" { junos:must "(!("security policies"))"; junos:must-message "MPLS mode packet-based not allowed when [security policies] are configured."; value 0; description "Enable packet-based forwarding"; } enum "flow-based" { value 1; description "Enable flow-based forwarding for mpls"; } } description "Forwarding mode"; } } // container mpls container iso { description "Family ISO"; uses apply-advanced; leaf mode { type enumeration { enum "packet-based" { value 0; description "Enable packet-based forwarding"; } } description "Forwarding mode"; } } // container iso } // container family list mirror-filter { key "name"; max-elements 15; ordered-by user; description "Security mirror filters"; uses mirror-filter-type; } // list mirror-filter list secure-wire { key "name"; description "Secure-wire cross connections"; uses secure-wire-type; } // list secure-wire container mode { description "Tap or sniffer mode"; uses apply-advanced; container tap { description "Tap mode"; uses apply-advanced; leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Tap enabled interface"; } container inspect-pass-through-tunnel { description "Inspect pass-through tunnel"; uses apply-advanced; leaf ipip { type empty; description "IPIP"; } leaf gre { type empty; description "GRE"; } } // container inspect-pass-through-tunnel } // container tap } // container mode container receive-side-scaling { description "Receive side scaling"; uses apply-advanced; container software-rss { description "Software RSS options"; uses apply-advanced; leaf mode { type enumeration { enum "automatic" { value 0; description "Auto select Software RSS mode (default)"; } enum "enable" { value 1; description "Software RSS would be enabled"; } enum "disable" { value 2; description "Software RSS would be disabled"; } } default "automatic"; description "Mode of Software RSS"; } leaf io-thread-number { junos:must "("security forwarding-options receive-side-scaling software-rss mode enable")"; junos:must-message "The IO threads configuration will take effect only when software RSS mode is set to enable, please set it."; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 8"; } } description "Software-RSS IO thread number"; } } // container software-rss container nic-rss { description "NIC RSS options"; uses apply-advanced; leaf mode { type enumeration { enum "disable" { value 0; description "NIC RSS would be disabled"; } } description "Mode of NIC RSS"; } } // container nic-rss } // container receive-side-scaling container security-service { description "Security service actions when memory resource is in shortage"; uses apply-advanced; leaf fail-open { type empty; description "Packet will bypass all the application services "; } } // container security-service container resource-manager { description "Manage the resource for special usage"; uses apply-advanced; container cpu { description "The CPU resource"; uses apply-advanced; leaf re { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 3"; } } description "The count of vCPUs assigned to RE (default is 1)"; } } // container cpu } // container resource-manager leaf no-allow-dataplane-sleep { type empty; description "Disable dataplane sleep"; } container services-offload { description "Service offload option"; uses apply-advanced; leaf disable { type empty; description "Disable services-offload"; } } // container services-offload } // container forwarding-options container advanced-services { description "Advanced services configuration"; uses apply-advanced; container data-plane { description "Data plane configuration"; uses apply-advanced; container memory { description "Data plane memory configuration"; uses apply-advanced; leaf low { type empty; description "Reduce data plane memory"; } } // container memory } // container data-plane } // container advanced-services container flow { description "FLOW configuration"; uses apply-advanced; leaf enhanced-routing-mode { type empty; description "Enable enhanced route scaling"; } container traceoptions { description "Trace options for flow services"; uses flow-traceoptions-object; } // container traceoptions leaf pending-sess-queue-length { type enumeration { enum "normal" { value 0; description "Normal number of sessions queued"; } enum "moderate" { value 1; description "Allow more queued sessions than normal"; } enum "high" { value 2; description "Maximum number of queued sessions"; } } default "normal"; description "Maximum queued length per pending session"; } container enable-reroute-uniform-link-check { description "Enable reroute check with uniform link"; uses apply-advanced; leaf nat { type empty; description "Enable NAT check"; } } // container enable-reroute-uniform-link-check leaf allow-dns-reply { type empty; description "Allow unmatched incoming DNS reply packet"; } leaf route-change-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "6 .. 1800"; } } units "seconds"; default "30"; description "Timeout value for route change to nonexistent route"; } leaf nh-resolve-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 20000"; } } units "milliseconds"; default "10000"; description "Timeout value for nexthop resolve"; } leaf multicast-nh-resolve-retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 20"; } } default "0"; description "Retry count for nexthop resolve"; } leaf syn-flood-protection-mode { type enumeration { enum "syn-cookie" { value 0; description "Enable SYN cookie protection"; } enum "syn-proxy" { value 1; description "Enable SYN proxy protection"; } } default "syn-cookie"; description "TCP SYN flood protection mode"; } leaf allow-embedded-icmp { type empty; description "Allow embedded ICMP packets not matching a session to pass through"; } leaf mcast-buffer-enhance { type empty; description "Allow to hold more packets during multicast session creation"; } leaf strict-packet-order { type empty; description "Maintain arrival ordering when packets departing"; } leaf allow-reverse-ecmp { type empty; description "Allow reverse ECMP route lookup"; } leaf no-local-favor-ecmp { type empty; description "Not prefer local node in HA ECMP route lookup"; } leaf sync-icmp-session { type empty; description "Allow icmp sessions to sync to peer node"; } leaf ipsec-performance-acceleration { type empty; description "Accelerate the IPSec traffic performance"; } leaf gre-performance-acceleration { type empty; description "Accelerate the GRE traffic performance"; } container aging { description "Aging configuration"; uses apply-advanced; leaf early-ageout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "seconds"; default "20"; description "Delay before device declares session invalid"; } leaf low-watermark { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100"; } } units "percent"; default "100"; description "Percentage of session-table capacity at which aggressive aging-out ends"; } leaf high-watermark { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100"; } } units "percent"; default "100"; description "Percentage of session-table capacity at which aggressive aging-out starts"; } } // container aging container ethernet-switching { description "Ethernet-switching configuration for flow"; uses apply-advanced; leaf block-non-ip-all { type empty; description "Block all non-IP and non-ARP traffic including broadcast/multicast"; } leaf bypass-non-ip-unicast { junos:must "(!(".. block-non-ip-all"))"; junos:must-message "'bypass-non-ip-unicast' cannot coexist with 'block-non-ip-all'"; type empty; description "Allow all non-IP (including unicast) traffic"; } container no-packet-flooding { presence "enable no-packet-flooding"; description "Stop IP flooding, send ARP/ICMP to trigger MAC learning"; uses apply-advanced; leaf no-trace-route { type empty; description "Don't send ICMP to trigger MAC learning"; } } // container no-packet-flooding leaf bpdu-vlan-flooding { type empty; description "Set 802.1D BPDU flooding based on VLAN"; } } // container ethernet-switching container tcp-mss { description "TCP maximum segment size configuration"; uses apply-advanced; container all-tcp { description "Enable MSS override for all packets"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "MSS value"; } } // container all-tcp container ipsec-vpn { presence "enable ipsec-vpn"; description "Enable MSS override for all packets entering IPSec tunnel"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } default "1320"; description "MSS value"; } } // container ipsec-vpn container gre-in { presence "enable gre-in"; description "Enable MSS override for all GRE packets coming out of an IPSec tunnel"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } default "1320"; description "MSS value"; } } // container gre-in container gre-out { presence "enable gre-out"; description "Enable MSS override for all GRE packets entering an IPsec tunnel"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } default "1320"; description "MSS value"; } } // container gre-out } // container tcp-mss container tcp-session { description "Transmission Control Protocol session configuration"; uses apply-advanced; leaf rst-invalidate-session { type empty; description "Immediately end session on receipt of reset (RST) segment"; } leaf fin-invalidate-session { type empty; description "Immediately end session on receipt of fin (FIN) segment"; } leaf rst-sequence-check { type empty; description "Check sequence number in reset (RST) segment"; } leaf no-syn-check { type empty; description "Disable creation-time SYN-flag check"; } leaf strict-syn-check { junos:must "(!(("security flow tcp-session no-syn-check" || "security flow tcp-session no-syn-check-in-tunnel")))"; junos:must-message "strict-syn-check not allowed when no-syn-check or no-syn-check-in-tunnel is configured"; type empty; description "Enable strict syn check"; } leaf no-syn-check-in-tunnel { type empty; description "Disable creation-time SYN-flag check for tunnel packets"; } leaf no-sequence-check { type empty; description "Disable sequence-number checking"; } leaf aggressive-tcp-ack { type empty; description "Enable aggressive TCP ACK, root lsys only"; } leaf tcp-initial-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 300"; } } units "seconds"; default "20"; description "Timeout for TCP session when initialization fails"; } leaf maximum-window { type enumeration { enum "64K" { value 0; description "64K bytes receive window"; } enum "128K" { value 1; description "128K bytes receive window"; } enum "256K" { value 2; description "256K bytes receive window"; } enum "512K" { value 3; description "512K bytes receive window"; } enum "1M" { value 4; description "1M bytes receive window"; } } default "256K"; description "Maximum TCP proxy scaled receive window, default 256K bytes"; } container time-wait-state { presence "enable time-wait-state"; description "Session timeout value in time-wait state, default 150 seconds"; uses apply-advanced; choice session-age-option { leaf session-ageout { type empty; description "Allow session to ageout using service based timeout values"; } leaf session-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 600"; } } units "seconds"; description "Configure session timeout value for time-wait state"; } } // choice session-age-option leaf apply-to-half-close-state { type empty; description "Apply time-wait-state timeout to half-close state"; } } // container time-wait-state } // container tcp-session leaf force-ip-reassembly { type empty; description "Force to reassemble ip fragments"; } leaf preserve-incoming-fragment-size { type empty; description "Preserve incoming fragment size for egress MTU"; } leaf fragment-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 250"; } } default "0"; description "Maximum number of fragments allowed for a packet"; } leaf fragment-reassembly-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60"; } } units "seconds"; default "0"; description "Re-assembly timeout (seconds) for fragments of a packet"; } container log { description "Enable log"; uses apply-advanced; leaf dropped-icmp-packet { type empty; description "Log dropped ICMPv4 packet"; } leaf dropped-illegal-packet { type empty; description "Log dropped illegal packet"; } } // container log container advanced-options { description "Flow config advanced options"; uses apply-advanced; leaf drop-matching-reserved-ip-address { type empty; description "Drop matching reserved source IP address"; } leaf drop-matching-link-local-address { type empty; description "Drop matching link local address"; } leaf reverse-route-packet-mode-vr { type empty; description "Allow reverse route lookup with packet mode vr"; } } // container advanced-options container load-distribution { description "Flow config SPU load distribution"; uses apply-advanced; container session-affinity { description "SPU load distribution based on the service anchor SPU"; uses apply-advanced; leaf ipsec { type empty; description "IPsec service"; } } // container session-affinity } // container load-distribution container packet-log { description "Configure flow packet log"; uses apply-advanced; leaf enable { type empty; description "Enable log for dropped packet"; } leaf throttle-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 32768"; } } units "milliseconds"; default "1024"; description "Interval should be configured as a power of two"; } list packet-filter { key "name"; max-elements 64; ordered-by user; description "Configure packet log filter"; uses flow-filter-type; } // list packet-filter } // container packet-log leaf power-mode-disable { type empty; description "Disable power mode express path processing"; } leaf power-mode-ipsec-qat { type empty; description "Enable qat in power mode ipsec processing"; } } // container flow container firewall-authentication { description "Firewall authentication parameters"; uses apply-advanced; container traceoptions { description "Data-plane firewall authentication tracing options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Events to include in trace output"; leaf name { type enumeration { enum "authentication" { value 0; description "Data-plane firewall authentication events"; } enum "proxy" { value 1; description "Data-plane firewall authentication proxy events"; } enum "all" { value 2; description "All events"; } } } choice level { leaf terse { type empty; description "Include terse amount of output in trace"; } leaf detail { type empty; description "Include detailed amount of output in trace"; } leaf extensive { type empty; description "Include extensive amount of output in trace"; } } // choice level } // list flag } // container traceoptions } // container firewall-authentication container screen { description "Configure screen feature"; uses apply-advanced; container trap { presence "enable trap"; description "Configure trap interval"; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "2"; description "Trap interval"; } } // container trap list ids-option { key "name"; description "Configure ids-option"; uses ids-option-type; } // list ids-option container traceoptions { description "Trace options for Network Security Screen"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list white-list { key "name"; max-elements 32; description "Set of IP addresses for white list"; uses ids-wlist-type; } // list white-list } // container screen container nat { description "Configure Network Address Translation"; uses nat-object; } // container nat container forwarding-process { description "Configure security forwarding-process options"; uses apply-advanced; leaf enhanced-services-mode { type empty; description "Enable enhanced application services mode"; } container application-services { description "Configure application service options"; uses apply-advanced; leaf maximize-alg-sessions { type empty; description "Maximize ALG session capacity"; } leaf maximize-persistent-nat-capacity { type empty; description "Increase persistent NAT capacity by reducing maximum flow sessions"; } container maximize-cp-sessions { presence "enable maximize-cp-sessions"; status deprecated; description "Maximize CP session capacity"; uses apply-advanced; } // container maximize-cp-sessions leaf session-distribution-mode { junos:must "(!(".. maximize-idp-sessions"))"; junos:must-message "to configure session-distribution-mode, maximize-idp-sessions must not be set"; type enumeration { enum "normal" { value 0; status deprecated; description "Normal mode"; } enum "hash-based" { value 1; status deprecated; description "Hash mode"; } } status deprecated; description "Session distribution mode"; } leaf enable-gtpu-distribution { type empty; description "Enable GTP-U distribution"; } leaf packet-ordering-mode { type enumeration { enum "hardware" { value 0; description "Hardware mode"; } enum "software" { value 1; description "Software mode"; } } description "Packet ordering mode"; } container maximize-idp-sessions { presence "enable maximize-idp-sessions"; description "Run security services in dedicated processes to maximize IDP session capacity"; uses apply-advanced; container weight { description "Adjust the weighting of the resources available for idp"; uses apply-advanced; choice weight { leaf equal { type empty; status deprecated; description "Equal resources to IDP and firewall"; } container idp { presence "enable idp"; description "IDP has more resources than firewall"; uses apply-advanced; } // container idp leaf firewall { type empty; description "Firewall has more resources than IDP"; } } // choice weight } // container weight leaf inline-tap { type empty; description "Configure IDP in inline tap mode"; } } // container maximize-idp-sessions leaf inline-fpga-crypto { type enumeration { enum "disabled" { value 0; description "Disable inline FPGA crypto"; } enum "enabled" { value 1; description "Enable inline FPGA crypto"; } } description "Disable inline FPGA crypto"; } } // container application-services } // container forwarding-process container policies { presence "enable policies"; description "Configure Network Security Policies"; uses policy-object-type; } // container policies container tcp-encap { presence "enable tcp-encap"; description "Configure TCP Encapsulation."; uses apply-advanced; container traceoptions { description "Trace options for TCP encapsulation service"; uses ragw-traceoptions; } // container traceoptions list profile { key "name"; ordered-by user; description "Configure profile."; leaf name { type string { length "1 .. 64"; } description "Profile name identifier."; } uses apply-advanced; leaf ssl-profile { junos:must "("services ssl termination profile $$")"; junos:must-message "Referenced SSL termination profile must be defined"; type string; description "SSL Termination profile"; } leaf log { type empty; description "Enable logging for remote-access"; } } // list profile container global-options { description "Global settings for TCP encapsulation"; leaf enable-tunnel-tracking { type empty; description "Track ESP tunnels"; } } // container global-options } // container tcp-encap container resource-manager { description "Configure resource manager security options"; uses apply-advanced; container traceoptions { description "Traceoptions for resource manager"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Resource manager objects and events to include in trace"; leaf name { type enumeration { enum "client" { value 0; description "Trace resource manager client"; } enum "group" { value 1; description "Trace resource manager group"; } enum "resource" { value 2; description "Trace resource manager resource"; } enum "gate" { value 3; description "Trace resource manager created gates"; } enum "session" { value 4; description "Trace resource manager created session"; } enum "chassis cluster" { value 5; description "Trace resource manager's chassis cluster events"; } enum "messaging" { value 6; description "Trace resource manager messaging"; } enum "service pinhole" { value 7; description "Trace resource manager created service pinholes"; } enum "error" { value 8; description "Trace all resource manager errors"; } enum "all" { value 9; description "Trace all resource manager objects and events"; } } } choice level { leaf terse { type empty; description "Set trace verbosity level to terse"; } leaf detail { type empty; description "Set trace verbosity level to detail"; } leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions container services-memory { presence "enable services-memory"; description "Manage services memory resources"; uses apply-advanced; container match { presence "enable match"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 100"; } } description "Service Memory Threshold"; } } // container match container then { presence "enable then"; description "Action to take if the conditions are matched"; uses apply-advanced; leaf fail-close { junos:must "(!(".. fail-open"))"; junos:must-message "'fail-open' can not be defined with 'fail-close'"; type empty; description "Enable fail-close"; } leaf fail-open { junos:must "(!(".. fail-close"))"; junos:must-message "'fail-close' can not be defined with 'fail-open'"; type empty; description "Enable fail-open"; } leaf drop-flows { type empty; description "Enable drop-flows"; } leaf log { type empty; description "Enable logs"; } leaf alarm { type empty; description "Enable Alarm"; } } // container then } // container services-memory container session-memory { presence "enable session-memory"; description "Manage session memory resources"; uses apply-advanced; container match { presence "enable match"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 100"; } } description "Session Memory Threshold"; } } // container match container then { presence "enable then"; description "Action to take if the conditions are matched"; uses apply-advanced; container session-aggressive-ageout { presence "enable session-aggressive-ageout"; description "Session ageout configuration"; uses apply-advanced; leaf early-ageout { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 65535"; } } description "Delay before device declares session invalid"; } } // container session-aggressive-ageout leaf log { type empty; description "Enable logs"; } leaf alarm { type empty; description "Enable alarms"; } leaf drop-flows { type empty; description "Enable drop-flows"; } } // container then } // container session-memory container cpu { presence "enable cpu"; description "Manage cpu resources"; uses apply-advanced; leaf disable-management { junos:must "(!(".. then"))"; junos:must-message "Cannot define 'then' with disable-management"; junos:must "(!(".. match"))"; junos:must-message "Cannot define 'match' with disable-management"; type empty; description "Disable Resource Manager CPU Management"; } container match { presence "enable match"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 100"; } } description "CPU Useage Threshold"; } } // container match container then { presence "enable then"; description "Action to take if the conditions are matched"; uses apply-advanced; leaf drop-flows { type empty; description "Enable drop-flows"; } leaf drop-cps { type empty; description "Enable drop-cps"; } leaf log { type empty; description "Enable logs"; } leaf alarm { type empty; description "Enable drop-alarm"; } leaf max-session-setup-rate { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 65535"; } } description "Maximum number of session creations allowed per second"; } } // container then } // container cpu } // container resource-manager container analysis { description "Configure security analysis"; uses apply-advanced; leaf no-report { type empty; description "Stops security analysis reporting"; } } // container analysis container traceoptions { description "Network security daemon tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "routing-socket" { value 1; description "Trace routing socket events"; } enum "compilation" { value 2; description "Trace compilation events"; } enum "all" { value 3; description "Trace everything"; } } } } // list flag leaf rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } default "0"; description "Limit the incoming rate of trace messages"; } } // container traceoptions container datapath-debug { description "Datapath debug options"; uses apply-advanced; container traceoptions { description "End to end debug trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file } // container traceoptions container capture-file { description "Packet capture options"; leaf filename { type string; description "Capture file name"; } leaf format { type enumeration { enum "pcap" { value 0; description "PCAP capture format"; } } description "Capture file format"; } leaf size { type string; description "Maximum file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Maximum number of files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read packet-capture files"; } leaf no-world-readable { type empty; description "Don't allow any user to read packet-capture files"; } } // choice world-readable-choice } // container capture-file leaf maximum-capture-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "68 .. 10000"; } } units "bytes"; default "68"; description "Max packet capture length"; } list action-profile { key "name"; ordered-by user; description "Action profile definitions"; uses e2e-action-profile; } // list action-profile list packet-filter { key "name"; max-elements 4; ordered-by user; description "Packet filter configuration"; uses end-to-end-debug-filter; } // list packet-filter } // container datapath-debug container user-identification { description "Configure user-identification"; uses apply-advanced; container traceoptions { description "User-identification Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } } // list flag } // container traceoptions list authentication-source { key "name"; description "Configure user-identification authentication-source"; uses authentication-source-type; } // list authentication-source } // container user-identification container zones { description "Zone configuration"; uses apply-advanced; container functional-zone { presence "enable functional-zone"; description "Functional zone"; container management { presence "enable management"; description "Host for out of band management interfaces"; uses apply-advanced; list interfaces { key "name"; ordered-by user; description "Interfaces that are part of this zone"; uses zone-interface-list-type; } // list interfaces leaf screen { junos:must "("security screen ids-option $$")"; junos:must-message "referenced ids-object must be defined under [security screen ids-option]"; type string { length "1 .. 64"; } description "Name of ids option object applied to the zone"; } container host-inbound-traffic { description "Allowed system services & protocols"; uses zone_host_inbound_traffic_t; } // container host-inbound-traffic leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of zone"; } } // container management } // container functional-zone list security-zone { key "name"; ordered-by user; description "Security zones"; uses security-zone-type; } // list security-zone } // container zones leaf advanced-connection-tracking-timeout { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "System wide timeout value in seconds for advanced-connection-tracking entries"; } container advance-policy-based-routing { presence "enable advance-policy-based-routing"; description "Configure Network Security APBR Policies"; uses apply-advanced; container traceoptions { description "Advance policy based routing tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "lookup" { value 1; description "Trace lookup events"; } enum "compilation" { value 2; description "Rule-sets compilation events"; } enum "ipc" { value 3; description "Inter-process communication events"; } enum "all" { value 4; description "Trace everything"; } } } } // list flag } // container traceoptions container tunables { description "Configure advance policy based routing tunables"; uses apply-advanced; leaf max-route-change { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 5"; } } default "1"; description "Maximum route change"; } leaf drop-on-zone-mismatch { type empty; description "Drop session if zone mismatches"; } leaf no-l3l4-app-lookup { type empty; description "Ignore the look up for L3L4 custom app in APBR."; } leaf enable-logging { type empty; description "Enable AppTrack logging"; } } // container tunables list profile { key "name"; ordered-by user; description "Configure advance-policy-based-routing profile"; leaf name { type string { length "1 .. 63"; } description "Advance policy based routing profile name"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Specify an advance policy based routing rule"; uses apbr_rule_type; } // list rule } // list profile list active-probe-params { key "name"; ordered-by user; description "Active probe's settings"; leaf name { type string { length "1 .. 63"; } description "Active probe setting name"; } uses apply-advanced; container settings { description "Settings"; uses appqoe-probe-params; } // container settings } // list active-probe-params list metrics-profile { key "name"; ordered-by user; description "Configure metric profiles"; leaf name { type string { length "1 .. 63"; } description "Profile name"; } uses apply-advanced; container sla-threshold { description "Configure SLA metric threshold"; uses appqoe_sla_metric_profile; } // container sla-threshold } // list metrics-profile list underlay-interface { key "name"; ordered-by user; status deprecated; description "Underlay interface setting"; leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } description "Underlay Interface name"; } uses apply-advanced; list unit { key "name"; description "One of more logical interface unit-numbers"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1073741823"; } } description "Unit number"; } uses apply-advanced; leaf link-type { type enumeration { enum "IP" { value 0; description "Select IP as the link-type"; } enum "MPLS" { value 1; description "Select MPLS as the link-type"; } } default "IP"; description "Link type of the interface"; } leaf priority { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } default "255"; description "Configure the priority for selecting this link"; } leaf speed { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000"; } } default "1000"; description "Speed of this link in Mbps"; } } // list unit } // list underlay-interface list interface { junos:must "(!(".. underlay-interface"))"; junos:must-message "interface knob cannot be configured along with underlay-interface"; key "name"; ordered-by user; description "Interface setting"; leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; list unit { key "name"; description "One of more logical interface unit-numbers"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1073741823"; } } description "Unit number"; } uses apply-advanced; leaf link-tag { type string { length "1 .. 63"; } description "Configure link-tag. Default is IP"; } leaf priority { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } default "255"; description "Configure the priority for selecting this link"; } leaf multipath-bandwidth { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000"; } } default "1000"; description "Bandwidth of this link in Mbps"; } leaf weight { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } default "1"; description "Configure the weight for selecting this link"; } } // list unit } // list interface list overlay-path { key "name"; ordered-by user; description "List of overlay paths"; leaf name { type string { length "1 .. 63"; } description "Create a single instance of overlay path"; } uses apply-advanced; container tunnel-path { presence "enable tunnel-path"; description "Tunnel start & end ip addresses"; uses appqoe-probe-path; } // container tunnel-path container probe-path { presence "enable probe-path"; description "Probe start & end ip addresses"; uses appqoe-probe-path; } // container probe-path } // list overlay-path list destination-path-group { key "name"; ordered-by user; description "Group of tunnels to a particular destination"; leaf name { type string { length "1 .. 63"; } description "Destination group name"; } uses apply-advanced; container probe-routing-instance { presence "enable probe-routing-instance"; description "Set routing instance for the probe-path"; uses apply-advanced; leaf routing-instance-name { type string; description "Name of routing instance"; } } // container probe-routing-instance container inline-gre-encap { presence "enable inline-gre-encap"; description "Enable inline GRE encapsulation"; } // container inline-gre-encap container active-probe-properties { presence "enable active-probe-properties"; description "Additional applicable properties for the destination path group"; uses apply-advanced; leaf active-probe-only { type empty; description "Enable active probing only to the destination path group"; } } // container active-probe-properties list overlay-path { key "name"; max-elements 20; ordered-by user; description "List of paths"; leaf name { type string; description "Name of Overlay Path"; } uses apply-advanced; } // list overlay-path } // list destination-path-group container sla-options { presence "enable sla-options"; description "Global SLA options"; uses apply-advanced; container local-route-switch { presence "enable local-route-switch"; status deprecated; description "Enable/disable Automatic local route switching"; uses apply-advanced; leaf switch-type { type enumeration { enum "enabled" { value 0; description "Enable"; } enum "disabled" { value 1; description "Disable"; } } } } // container local-route-switch container log { presence "enable log"; description "Choose the logging mechanism"; uses apply-advanced; leaf log-options { type enumeration { enum "disabled" { value 0; description "Disable logging"; } enum "syslog" { value 1; description "Choose syslog"; } } } } // container log container log-type { presence "enable log-type"; status deprecated; description "Choose the logging mechanism"; uses apply-advanced; leaf log { type enumeration { enum "disabled" { value 0; description "Disable logging"; } enum "syslog" { value 1; description "Choose syslog"; } } } } // container log-type container max-passive-probe-limit { presence "enable max-passive-probe-limit"; description "Set max passive probe limits"; uses apply-advanced; container number-of-probes { presence "enable number-of-probes"; description "Number of passive probes to be sent"; uses apply-advanced; leaf probes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 5000"; } } default "5000"; description "Number of probes"; } } // container number-of-probes container interval { presence "enable interval"; description "Interval within which to send"; uses apply-advanced; leaf refresh-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "500 .. 1000"; } } default "500"; description "Interval in milli seconds"; } } // container interval } // container max-passive-probe-limit leaf dynamic-load-balancer { type empty; description "Enable dynamic load balancer"; } } // container sla-options list sla-rule { key "name"; ordered-by user; description "Create SLA rule"; leaf name { type string { length "1 .. 63"; } description "Set rule name"; } uses apply-advanced; container link-preferences { junos:must "(!(any "security advance-policy-based-routing sla-rule <*> link-type-affinity"))"; junos:must-message "link-preferences knob cannot be configured along with link-type-affinity"; junos:must "(!(any "security advance-policy-based-routing sla-rule <*> preferred-link-type"))"; junos:must-message "link-preferences knob cannot be configured along with preferred-link-type"; presence "enable link-preferences"; description "Configure the link preferences"; uses apply-advanced; leaf preferred-tag { type string { length "1 .. 63"; } description "Configure the link-tag preference"; } leaf affinity { type enumeration { enum "strict" { value 0; description "Strict link-tag affinity"; } } description "Configure the link-tag affinity"; } } // container link-preferences leaf preferred-link-type { type enumeration { enum "IP" { value 0; status deprecated; description "IP link-type preference"; } enum "MPLS" { value 1; status deprecated; description "MPLS link-type preference"; } enum "Any" { value 2; status deprecated; description "Any link-type preference"; } } status deprecated; description "Configure the link-type preference"; } leaf link-type-affinity { type enumeration { enum "strict" { value 0; status deprecated; description "Strict link-type affinity"; } } status deprecated; description "Configure the link-type affinity"; } container switch-idle-time { presence "enable switch-idle-time"; description "Idle timeout period where no SLA violation will be detected once path switch has happened"; uses apply-advanced; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 300"; } } default "60"; description "Idle timeout period (in seconds)"; } } // container switch-idle-time container metrics-profile { junos:must "(".. active-probe-params")"; junos:must-message "active-probe-params must exist for metrics-profile"; presence "enable metrics-profile"; description "Set metrics profile for the SLA"; uses apply-advanced; leaf metrics-profile-name { type string; description "Metrics Profile name"; } } // container metrics-profile container active-probe-params { junos:must "(".. metrics-profile")"; junos:must-message "metrics-profile must exist for active-probe-params"; presence "enable active-probe-params"; description "Set Probe params for the overlay-path"; uses apply-advanced; leaf probe-params-name { type string; description "Probe parameter's name"; } } // container active-probe-params leaf type { junos:must "((".. active-probe-params" && ".. metrics-profile"))"; junos:must-message "metrics-profile and active-probe-params must exist for saas type SLA"; type enumeration { enum "saas" { value 0; description "Choose SaaS probing for the SLA"; } } description "Choose type of SLA"; } container passive-probe-params { junos:must "((".. active-probe-params" && ".. metrics-profile"))"; junos:must-message "metrics-profile and active-probe-params must exist for passive-probe-params"; presence "enable passive-probe-params"; description "Passive probe settings"; uses apply-advanced; container sampling-percentage { presence "enable sampling-percentage"; description "Mininmum percentage of Sessions to be evaluated for the application"; uses apply-advanced; leaf percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "5"; description "Percentage"; } } // container sampling-percentage container violation-count { presence "enable violation-count"; status deprecated; description "Number of SLA violations within sampling period to be considered as a violation"; uses apply-advanced; leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } default "5"; description "Violation Count"; } } // container violation-count container sampling-period { presence "enable sampling-period"; description "Time period in which the sampling is done"; uses apply-advanced; leaf period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2000 .. 60000"; } } default "5000"; description "Period (in milli-sec)"; } } // container sampling-period container sla-export-factor { presence "enable sla-export-factor"; description "Enabled sampling window based SLA exporting"; uses apply-advanced; leaf factor { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 1000"; } } default "500"; description "No of sampling windows after which to report"; } } // container sla-export-factor container type { presence "enable type"; description "Choose type of SLA measurement"; uses apply-advanced; leaf type-val { type enumeration { enum "book-ended" { value 0; description "Choose custom method of probing within WAN link"; } } } } // container type container sampling-frequency { presence "enable sampling-frequency"; description "Sampling frequency settings"; uses apply-advanced; container interval { presence "enable interval"; description "Time based sampling interval"; uses apply-advanced; leaf sampling-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 500"; } } default "100"; description "Interval in milli seconds"; } } // container interval container ratio { presence "enable ratio"; description "1:N based sampling ratio"; uses apply-advanced; leaf sampling-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10000"; } } default "200"; description "Value of N"; } } // container ratio } // container sampling-frequency } // container passive-probe-params container multipath-rule { description "Set AppBased Multipath Routing action"; uses apply-advanced; leaf multipath-rule-name { type string; description "Multipath action parameter's name"; } } // container multipath-rule container violation-count { presence "enable violation-count"; description "Number of SLA violations within sampling period to be considered as a violation"; uses apply-advanced; leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } default "5"; description "Violation Count"; } } // container violation-count } // list sla-rule list multipath-rule { key "name"; ordered-by user; description "APP based MULTIPATH Route Action's settings"; leaf name { type string { length "1 .. 63"; } description "Multipath rule name"; } uses apply-advanced; leaf number-of-paths { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 16"; } } default "2"; description "No. of Paths in Multipath"; } leaf bandwidth-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "50"; description "Bandwidth limit (bps) on slowest link to avoid saturation (%)"; } leaf enable-reverse-wing { type empty; description "Packet copy enabled in reverse direction flow"; } leaf-list application { type string; ordered-by user; } leaf-list application-group { type string; ordered-by user; description "Specify dynamic application group name to match"; } leaf-list link-type { type string { length "1 .. 63"; } ordered-by user; description "List of underlay interface user defined link types"; } leaf-list link-preferences { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } ordered-by user; description "List of interface for link preferences"; } } // list multipath-rule list policy { key "name"; ordered-by user; description "Define a policy context from this zone"; leaf name { junos:must "((".. .. .. .. security zones security-zone $$" || ".. .. .. .. .. security zones security-zone $$"))"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Source zone"; } uses apply-advanced; list policy { key "name"; ordered-by user; description "Define security policy in specified zone-to-zone direction"; uses sla_policy_type; } // list policy } // list policy } // container advance-policy-based-routing container gtp { description "GPRS tunneling protocol configuration"; uses gtp-object; } // container gtp container sctp { presence "enable sctp"; description "GPRS stream control transmission protocol configuration"; uses sctp-object; } // container sctp container ngfw { description "Next generation unified L4/L7 firewall"; uses apply-advanced; container default-profile { description "Unified L4/L7 firewall default profile configuration"; uses apply-advanced; container ssl-proxy { presence "enable ssl-proxy"; description "SSL proxy services"; uses apply-advanced; leaf profile-name { junos:must "("services ssl proxy profile $$")"; junos:must-message "Referenced SSL proxy profile is not defined"; type string; description "Specify SSL proxy service profile name"; } } // container ssl-proxy container application-traffic-control { description "Application traffic control services"; uses jsf_application_traffic_control_rule_set_type; } // container application-traffic-control } // container default-profile } // container ngfw container tunnel-inspection { presence "enable tunnel-inspection"; description "Security tunnel-inspection"; uses apply-advanced; list inspection-profile { key "name"; max-elements 256; ordered-by user; description "Security tunnel-inspection profile"; uses tunnel-inspection-profile-type; } // list inspection-profile list vni { key "name"; max-elements 4096; ordered-by user; description "Security tunnel inspection vni"; uses tunnel-inspection-vni-type; } // list vni container traceoptions { description "Trace options for Network Security tunnel-inspection"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions } // container tunnel-inspection container l3vpn { presence "enable l3vpn"; uses apply-advanced; container traceoptions { description "Trace options for Network Security Vrf-group"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list vrf-group { key "name"; description "Configure vrf group"; uses vrf-group-type; } // list vrf-group } // container l3vpn container cloud { presence "enable cloud"; description "Configure Cloud security options"; uses apply-advanced; container aws { description "Configure AWS security options"; uses aws-object; } // container aws container traceoptions { description "Configure cloudagent trace options"; uses apply-advanced; container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 64"; } description "Name of file in which to write trace information"; } } // container file container level { description "Trace level"; uses apply-advanced; choice level { leaf error { type empty; description "Error messages"; } leaf brief { type empty; description "Brief messages"; } leaf detail { type empty; description "Detail messages"; } } // choice level } // container level } // container traceoptions } // container cloud container macsec { description "MAC Security configuration"; uses security-macsec; } // container macsec } // container security } // grouping security-group grouping alg-object { uses apply-advanced; container traceoptions { description "ALG trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "brief" { value 0; description "Brief messages"; } enum "detail" { value 1; description "Detail messages"; } enum "extensive" { value 2; description "Extensive messages"; } enum "verbose" { value 3; description "Verbose messages"; } } default "brief"; description "Set level of tracing output"; } } // container traceoptions container alg-manager { description "Configure ALG-MANAGER"; leaf clear-dont-frag-bit { type empty; description "Enable ALG clear DF(don't frag) bit in IP header"; } container traceoptions { description "ALG-MANAGER trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "ALG-MANAGER trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container alg-manager container alg-support-lib { description "Configure ALG-SUPPORT-LIB"; container traceoptions { description "ALG-SUPPORT-LIB trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "ALG-SUPPORT-LIB trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container alg-support-lib container dns { description "Configure DNS ALG"; uses apply-advanced; leaf disable { type empty; description "Disable DNS ALG"; } leaf maximum-message-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "512 .. 8192"; } } units "bytes"; default "512"; description "Set maximum message length"; } leaf oversize-message-drop { type empty; description "Drop oversized DNS packets"; } container doctoring { description "Configure DNS ALG doctoring"; uses apply-advanced; choice type { leaf none { type empty; description "Disable all DNS ALG Doctoring"; } leaf sanity-check { type empty; description "Perform only DNS ALG sanity checks"; } } // choice type } // container doctoring container traceoptions { description "DNS ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "DNS ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container dns container ftp { description "Configure FTP ALG"; leaf disable { type empty; description "Disable FTP ALG"; } leaf ftps-extension { type empty; description "Enable secure FTP and FTP-ssl protocols"; } leaf line-break-extension { type empty; description "Enable CR+LF line termination"; } leaf allow-mismatch-ip-address { type empty; description "Pass FTP packets with mismatched ip address headers and payload"; } container traceoptions { description "FTP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "FTP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container ftp container h323 { presence "enable h323"; description "Configure H.323 ALG"; uses apply-advanced; leaf disable { type empty; description "Disable H.323 ALG"; } leaf endpoint-registration-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 65535"; } } units "seconds"; default "64800"; description "Timeout for endpoints"; } leaf media-source-port-any { type empty; description "Permit media from any source port on the endpoint"; } container application-screen { description "Configure application screens"; uses apply-advanced; container unknown-message { description "Configure ALG action on receiving an unknown message"; uses apply-advanced; leaf permit-nat-applied { type empty; description "Permit unknown messages on packets that are NATed"; } leaf permit-routed { type empty; description "Permit unknown messages on routed packets"; } } // container unknown-message container message-flood { description "Configure Message flood ALG options"; uses apply-advanced; container gatekeeper { description "Set options for gatekeeper messages"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50000"; } } units "messages per second"; default "1000"; description "Message flood gatekeeper threshold"; } } // container gatekeeper } // container message-flood } // container application-screen container dscp-rewrite { description "DSCP code rewrite"; uses apply-advanced; leaf code-point { type string { junos:posix-pattern "^([01]{6})$"; junos:pattern-message "Must be form of xxxxxx, where x is 1 or 0"; } description "Set dscp codepoint 6-bit string"; } } // container dscp-rewrite container traceoptions { description "H.323 ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "H.323 ALG trace flags"; leaf name { type enumeration { enum "q931" { value 0; description "Enable tracing for Q.931 processing"; } enum "h245" { value 1; description "Enable tracing for H.245 processing"; } enum "ras" { value 2; description "Enable tracing for RAS processing"; } enum "h225-asn1" { value 3; description "Enable tracing for H.225 ASN.1 processing"; } enum "h245-asn1" { value 4; description "Enable tracing for H.245 ASN.1 processing"; } enum "ras-asn1" { value 5; description "Enable tracing for RAS ASN.1 processing"; } enum "chassis-cluster" { value 6; description "Enable tracing for H.323 chassis cluster functions"; } enum "all" { value 7; description "Trace everything"; } } } choice level { leaf terse { type empty; description "Set trace verbosity level to terse"; } leaf detail { type empty; description "Set trace verbosity level to detail"; } leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container h323 container mgcp { presence "enable mgcp"; description "Configure MGCP ALG"; uses apply-advanced; leaf disable { type empty; description "Disable MGCP ALG"; } leaf inactive-media-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 2550"; } } units "seconds"; default "120"; description "Set inactive media timeout"; } leaf transaction-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "3 .. 50"; } } units "seconds"; default "30"; description "Set transaction timeout"; } leaf maximum-call-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "3 .. 720"; } } units "minutes"; default "720"; description "Set maximum call duration"; } container application-screen { description "Configure application screens"; uses apply-advanced; container unknown-message { description "Configure ALG action on receiving an unknown message"; uses apply-advanced; leaf permit-nat-applied { type empty; description "Permit unknown messages on packets that are NATed"; } leaf permit-routed { type empty; description "Permit unknown messages on routed packets"; } } // container unknown-message container message-flood { description "Set message flood ALG options"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 50000"; } } units "messages per second per MG"; default "100"; description "Message flood threshold"; } } // container message-flood container connection-flood { description "Set connection flood options"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10000"; } } units "connection requests per second per MG"; default "10"; description "Connection flood threshold"; } } // container connection-flood } // container application-screen container dscp-rewrite { description "DSCP code rewrite"; uses apply-advanced; leaf code-point { type string { junos:posix-pattern "^([01]{6})$"; junos:pattern-message "Must be form of xxxxxx, where x is 1 or 0"; } description "Set dscp codepoint 6-bit string"; } } // container dscp-rewrite container traceoptions { description "MGCP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "MGCP ALG trace flags"; leaf name { type enumeration { enum "call" { value 0; description "Enable tracing for MGCP call processing"; } enum "decode" { value 1; description "Enable tracing for MGCP decoder operations"; } enum "error" { value 2; description "Enable tracing for MGCP processing errors"; } enum "chassis-cluster" { value 3; description "Enable tracing for MGCP chassis cluster functions"; } enum "nat" { value 4; description "Enable tracing for MGCP Network Address Translation (NAT) processing"; } enum "packet" { value 5; description "Enable tracing for MGCP protocol packet processing"; } enum "rm" { value 6; description "Enable tracing MGCP Resource Management (Resmgr) functions"; } enum "all" { value 7; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container mgcp container msrpc { description "Configure MSRPC ALG"; leaf disable { type empty; description "Disable MSRPC ALG"; } leaf group-max-usage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 100"; } } default "80"; description "Set maximum group usage percentage, default 80"; } leaf map-entry-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 4320"; } } units "minutes"; default "480"; description "Set entry timeout, default 8hour"; } container traceoptions { description "MSRPC ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "MSRPC ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container msrpc container sunrpc { description "Configure SUNRPC ALG"; leaf disable { type empty; description "Disable SUNRPC ALG"; } leaf group-max-usage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 100"; } } default "80"; description "Set maximum group usage percentage, default 80"; } leaf map-entry-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 4320"; } } units "minutes"; default "480"; description "Set entry timeout, default 8hour"; } container traceoptions { description "SUNRPC ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "SUNRPC ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container sunrpc container rsh { presence "enable rsh"; description "Configure RSH ALG"; uses apply-advanced; leaf disable { type empty; description "Disable RSH ALG"; } container traceoptions { description "RSH ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "RSH ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container rsh container rtsp { presence "enable rtsp"; description "Configure RTSP ALG"; leaf disable { type empty; description "Disable RTSP ALG"; } container traceoptions { description "RTSP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "RTSP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container rtsp container sccp { presence "enable sccp"; description "Configure SCCP ALG"; uses apply-advanced; leaf disable { type empty; description "Disable SCCP ALG"; } leaf inactive-media-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 600"; } } units "seconds"; default "120"; description "Set inactive media timeout"; } container application-screen { description "Configure application screens"; uses apply-advanced; container unknown-message { description "Configure ALG action on receiving an unknown message"; uses apply-advanced; leaf permit-nat-applied { type empty; description "Permit unknown messages on packets that are NATed"; } leaf permit-routed { type empty; description "Permit unknown messages on routed packets"; } } // container unknown-message container call-flood { description "Configure call flood thresholds"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "20"; description "Calls per second per client"; } } // container call-flood } // container application-screen container dscp-rewrite { description "DSCP code rewrite"; uses apply-advanced; leaf code-point { type string { junos:posix-pattern "^([01]{6})$"; junos:pattern-message "Must be form of xxxxxx, where x is 1 or 0"; } description "Set dscp codepoint 6-bit string"; } } // container dscp-rewrite container traceoptions { description "SCCP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "SCCP ALG trace flags"; leaf name { type enumeration { enum "call" { value 0; description "Enable tracing SCCP call processing"; } enum "cli" { value 1; description "Enable tracing SCCP cli processing"; } enum "decode" { value 2; description "Enable tracing for SCCP decoder operations"; } enum "error" { value 3; description "Enable tracing for SCCP processing errors"; } enum "chassis-cluster" { value 4; description "Enable tracing for SCCP chassis cluster functions"; } enum "init" { value 5; description "Enable tracing for SCCP initialization errors"; } enum "nat" { value 6; description "Enable tracing for SCCP Network Address Translation (NAT) processing"; } enum "rm" { value 7; description "Enable tracing SCCP Resource Management (Resmgr) functions"; } enum "all" { value 8; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container sccp container sip { presence "enable sip"; description "Configure SIP ALG"; uses apply-advanced; leaf disable { type empty; description "Disable SIP ALG"; } leaf inactive-media-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 2550"; } } units "seconds"; default "120"; description "Set inactive media timeout"; } leaf maximum-call-duration { type union { type uint32; type string { pattern "<.*>|$.*"; } } units "minutes"; default "720"; description "Set maximum call duration 0 or 3..720"; } leaf t1-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "500 .. 5000"; } } units "milliseconds"; default "500"; description "Set T1 interval"; } leaf t4-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 10"; } } units "seconds"; default "5"; description "Set T4 interval"; } leaf c-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "3 .. 10"; } } units "minutes"; default "3"; description "Set C timeout"; } leaf disable-call-id-hiding { type empty; status deprecated; description "Disable translation of host IP in Call-ID header"; } leaf bulk-call-mode { type empty; description "Enable SIP distribution session in bulk mode"; } leaf enable-call-distribution { type empty; description "Enable Call-id-based SIP call distribution between SPUs"; } leaf retain-hold-resource { type empty; description "Retain SDP resources during call hold"; } container hide-via-headers { description "Hide via headers options"; uses apply-advanced; leaf disable { type empty; description "Disable hide via headers function"; } } // container hide-via-headers list distribution-ip { key "name"; ordered-by user; description "Configure SIP distribute server IPV6 or IPV4 ip"; leaf name { type jt:ipaddr; description "Distribution IP address"; } uses apply-advanced; container distribute-to { description "Distribute sip packet"; uses apply-advanced; container fpc { description "FPC card number"; uses apply-advanced; leaf slot { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 127"; } } description "FPC slot number"; } container pic { description "PIC card number"; uses apply-advanced; leaf slot { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 11"; } } description "Physical Interface Card number"; } } // container pic } // container fpc } // container distribute-to } // list distribution-ip container application-screen { description "Configure application screens"; uses apply-advanced; container unknown-message { description "Configure ALG action on receiving an unknown message"; uses apply-advanced; leaf permit-nat-applied { type empty; description "Permit unknown messages on packets that are NATed"; } leaf permit-routed { type empty; description "Permit unknown messages on routed packets"; } } // container unknown-message container protect { description "Configure Protect options"; uses apply-advanced; container deny { presence "enable deny"; description "Protect deny options"; uses apply-advanced; choice deny-choice { list destination-ip { key "name"; ordered-by user; description "List of protected destination server IP"; leaf name { type jt:ipprefix; description "Protected destination server IPv4 or IPv6 entry"; } uses apply-advanced; } // list destination-ip leaf all { type empty; description "Enable attack protection for all servers"; } } // choice deny-choice leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "5"; description "Timeout value for SIP INVITE attack table entry"; } } // container deny } // container protect } // container application-screen container dscp-rewrite { description "DSCP code rewrite"; uses apply-advanced; leaf code-point { type string { junos:posix-pattern "^([01]{6})$"; junos:pattern-message "Must be form of xxxxxx, where x is 1 or 0"; } description "Set dscp codepoint 6-bit string"; } } // container dscp-rewrite container traceoptions { description "SIP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "SIP ALG trace flags"; leaf name { type enumeration { enum "call" { value 0; description "Enable tracing for SIP call processing"; } enum "chassis-cluster" { value 1; description "Enable tracing for SIP chassis cluster functions"; } enum "nat" { value 2; description "Enable tracing for SIP Network Address Translation (NAT) processing"; } enum "parser" { value 3; description "Enable tracing for SIP parser operations"; } enum "rm" { value 4; description "Enable tracing SIP Resource Management (Resmgr) functions"; } enum "all" { value 5; description "Trace everything"; } } } choice level { leaf terse { type empty; description "Set trace verbosity level to terse"; } leaf detail { type empty; description "Set trace verbosity level to detail"; } leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container sip container sql { presence "enable sql"; description "Configure SQL ALG"; leaf disable { type empty; description "Disable SQL ALG"; } container traceoptions { description "SQL ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "SQL ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container sql container talk { description "Configure Talk ALG"; leaf disable { type empty; description "Disable Talk ALG"; } container traceoptions { description "TALK ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "TALK ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container talk container tftp { description "Configure TFTP ALG"; leaf disable { type empty; description "Disable TFTP ALG"; } container traceoptions { description "TFTP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "TFTP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container tftp container pptp { description "Configure PPTP ALG"; leaf disable { type empty; description "Disable PPTP ALG"; } container traceoptions { description "PPTP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "PPTP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container pptp container ike-esp-nat { description "Configure IKE-ESP ALG with NAT"; uses apply-advanced; leaf enable { type empty; description "Enable IKE-ESP ALG"; } leaf esp-gate-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 30"; } } units "seconds"; default "5"; description "Set ESP gate timeout"; } leaf esp-session-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 2400"; } } units "seconds"; default "1800"; description "Set ESP session timeout"; } leaf state-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; default "14400"; description "Set ALG state timeout"; } container traceoptions { description "IKE-ESP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "IKE-ESP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Set trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container ike-esp-nat container twamp { presence "enable twamp"; description "Configure TWAMP ALG"; uses apply-advanced; container traceoptions { description "TWAMP ALG trace options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "TWAMP ALG trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } } } choice level { leaf extensive { type empty; description "Trace verbosity level to extensive"; } } // choice level } // list flag } // container traceoptions } // container twamp } // grouping alg-object grouping anti-spam-feature { description "Anti-spam feature"; uses apply-advanced; container sbl { presence "enable sbl"; description "SBL settings"; uses sbl-type; } // container sbl } // grouping anti-spam-feature grouping anti-virus-feature { description "Anti-virus feature"; uses apply-advanced; container mime-whitelist { status deprecated; description "Anti-virus MIME whitelist"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception settings for MIME white list"; } } // container mime-whitelist leaf url-whitelist { type string; status deprecated; description "Anti-virus URL white list"; } leaf type { type enumeration { enum "sophos-engine" { value 0; status deprecated; description "Anti-virus sophos-engine"; } enum "avira-engine" { value 1; status deprecated; description "Anti-virus avira-engine"; } enum "anti-virus-none" { value 2; status deprecated; } } status deprecated; description "Anti-virus engine type"; } list profile { key "name"; ordered-by user; description "Anti-virus profile"; leaf name { type string { length "1 .. 29"; } description "Anti-virus profile name"; } uses apply-advanced; container fallback-options { presence "enable fallback-options"; description "Anti-virus fallback options"; uses av-fallback-settings; } // container fallback-options container notification-options { presence "enable notification-options"; description "Anti-virus notification options"; uses anti-virus-notification-options; } // container notification-options container mime-whitelist { description "Anti-virus MIME whitelist"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception settings for MIME white list"; } } // container mime-whitelist leaf url-whitelist { junos:must "("security utm custom-objects custom-url-category $$")"; junos:must-message "custom-url-category must be defined"; type string; description "Anti-virus URL white list"; } } // list profile container traceoptions { status deprecated; description "Trace options for anti-virus feature"; uses anti-virus-traceoptions; } // container traceoptions container sophos-engine { status deprecated; description "Anti-virus sophos-engine"; uses apply-advanced; container server { status deprecated; description "SAV and Anti-Spam first hop DNS server"; uses apply-advanced; leaf ip { type jt:ipaddr; description "SAV and Anti-Spam first hop DNS server ip"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } leaf source-address { type jt:ipaddr; description "Source ip address used to connect server"; } } // container server leaf sxl-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } units "seconds"; status deprecated; description "Sxl sophos anti-virus engine timeout"; } leaf sxl-retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 5"; } } status deprecated; description "Sxl sophos anti-virus engine query retry (number of times)"; } container pattern-update { presence "enable pattern-update"; status deprecated; description "Anti-virus sophos-engine pattern update"; uses anti-virus-pattern-update; } // container pattern-update list profile { key "name"; ordered-by user; status deprecated; description "Anti-virus sophos-engine profile"; leaf name { type string { length "1 .. 29"; } description "Anti-virus sophos-engine profile name"; } uses apply-advanced; container fallback-options { presence "enable fallback-options"; description "Anti-virus sophos-engine fallback options"; uses av-fallback-settings; } // container fallback-options container scan-options { presence "enable scan-options"; description "Anti-virus sophos-engine scan options"; uses sophos-scan-options; } // container scan-options container trickling { presence "enable trickling"; description "Anti-virus trickling"; uses anti-virus-trickling; } // container trickling container notification-options { presence "enable notification-options"; description "Anti-virus notification options"; uses anti-virus-notification-options; } // container notification-options container mime-whitelist { description "Anti-virus MIME whitelist"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception settings for MIME white list"; } } // container mime-whitelist leaf url-whitelist { junos:must "("security utm custom-objects custom-url-category $$")"; junos:must-message "custom-url-category must be defined"; type string; description "Anti-virus URL white list"; } } // list profile } // container sophos-engine } // grouping anti-virus-feature grouping anti-virus-notification-options { description "Anti-virus notification options"; uses apply-advanced; container virus-detection { presence "enable virus-detection"; description "Virus detection notification"; uses apply-advanced; leaf type { type enumeration { enum "protocol-only" { value 0; description "Notification in protocol level only"; } enum "message" { value 1; description "Notification in message"; } } description "Virus detection notification type"; } choice notify-mail-sender-choice { leaf notify-mail-sender { type empty; description "Notify mail sender"; } leaf no-notify-mail-sender { type empty; description "Don't notify mail sender"; } } // choice notify-mail-sender-choice leaf custom-message { type string { length "1 .. 512"; } description "Custom message for notification"; } leaf custom-message-subject { type string { length "1 .. 255"; } description "Custom message subject for notification"; } } // container virus-detection container fallback-block { presence "enable fallback-block"; description "Fallback block notification"; uses apply-advanced; leaf type { type enumeration { enum "protocol-only" { value 0; description "Notification in protocol level only"; } enum "message" { value 1; description "Notification in message"; } } description "Fallback block notification type"; } choice notify-mail-sender-choice { leaf notify-mail-sender { type empty; description "Notify mail sender"; } leaf no-notify-mail-sender { type empty; description "Don't notify mail sender"; } } // choice notify-mail-sender-choice leaf custom-message { type string { length "1 .. 512"; } description "Custom message for notification"; } leaf custom-message-subject { type string { length "1 .. 255"; } description "Custom message subject for notification"; } } // container fallback-block container fallback-non-block { presence "enable fallback-non-block"; description "Fallback non block notification"; uses apply-advanced; choice notify-mail-recipient-choice { leaf notify-mail-recipient { type empty; description "Notify mail recipient"; } leaf no-notify-mail-recipient { type empty; description "Don't notify mail recipient"; } } // choice notify-mail-recipient-choice leaf custom-message { type string { length "1 .. 512"; } description "Custom message for notification"; } leaf custom-message-subject { type string { length "1 .. 255"; } description "Custom message subject for notification"; } } // container fallback-non-block } // grouping anti-virus-notification-options grouping anti-virus-pattern-update { description "Anti-virus pattern update"; uses apply-advanced; container email-notify { presence "enable email-notify"; description "Virus pattern file updated notification"; uses apply-advanced; leaf admin-email { type string { length "1 .. 255"; } description "Admin emails to be notified about pattern file update"; } leaf custom-message { type string { length "1 .. 512"; } description "Custom message for notification"; } leaf custom-message-subject { type string { length "1 .. 255"; } description "Custom message subject for notification"; } } // container email-notify leaf url { type string { length "1 .. 256"; } description "Server URL"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined"; type string { length "1 .. 64"; } description "Proxy profile"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 10080"; } } description "Interval in minutes to check the update"; } leaf start-time { type jt:time; description "Start time (YYYY-MM-DD.HH:MM:SS)"; } leaf no-autoupdate { type empty; description "Don't automatically update anti-virus pattern"; } } // grouping anti-virus-pattern-update grouping anti-virus-traceoptions { description "Trace options for anti-virus feature"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Trace options for anti-virus feature flag"; leaf name { type enumeration { enum "basic" { value 0; description "Trace anti-virus module generic basic information"; } enum "detail" { value 1; description "Trace anti-virus module generic detail information"; } enum "engine" { value 2; description "Trace scan engine information"; } enum "pattern" { value 3; description "Trace detail information of pattern loading"; } enum "updater" { value 4; description "Trace pattern updater process activities"; } enum "manager" { value 5; description "Trace anti-virus manager process activities"; } enum "worker" { value 6; description "Trace anti-virus worker process activities"; } enum "sendmail" { value 7; description "Trace mail notifier process activities"; } enum "ipc" { value 8; description "Trace communication events with PFE"; } enum "event" { value 9; description "Trace communication events between RE side processes"; } enum "statistics" { value 10; description "Trace statistics information"; } enum "all" { value 11; description "Enable trace all anti-virus trace options"; } } description "Trace options for anti-virus feature flag name"; } } // list flag } // grouping anti-virus-traceoptions grouping anti-virus-trickling { description "Anti-virus trickling"; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 600"; } } description "Trickling timeout"; } } // grouping anti-virus-trickling grouping apbr_rule_type { leaf name { type string { length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf disable-midstream-routing { type empty; description "Disable midstream routing"; } container match { presence "enable match"; description "Specify security rule match-criteria"; uses apply-advanced; leaf-list dynamic-application { type string; ordered-by user; } leaf-list dynamic-application-group { type string; ordered-by user; description "Specify dynamic application group name to match"; } leaf-list category { type string; ordered-by user; description "Url category"; } leaf-list dscp { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 63"; } } ordered-by user; description "Specify dscp value to match"; } } // container match container then { presence "enable then"; description "Specify rule action to take when packet match criteria"; uses apply-advanced; container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance container sla-rule { presence "enable sla-rule"; description "SLA Rule"; uses apply-advanced; leaf sla-rule-name { type string; description "SLA rule name"; } } // container sla-rule leaf application-services-bypass { type empty; description "Bypass the application services"; } } // container then } // grouping apbr_rule_type grouping appfw_rule_type { leaf name { type string { length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container match { presence "enable match"; description "Specify security rule match-criteria"; uses apply-advanced; leaf-list dynamic-application { type string; ordered-by user; } leaf-list dynamic-application-group { type string; ordered-by user; description "Specify dynamic application group name to match"; } leaf ssl-encryption { type enumeration { enum "any" { value 0; description "Encrypted and non-encrypted rule"; } enum "yes" { value 1; description "Encrypted rule"; } enum "no" { value 2; description "Non-encrypted rule"; } } description "Select SSL encryption rules"; } } // container match container then { presence "enable then"; description "Specify rule action to take when packet match criteria"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit packets"; } container deny { presence "enable deny"; description "Deny packets"; uses apply-advanced; leaf block-message { type empty; description "Redirect sessions"; } } // container deny container reject { presence "enable reject"; description "Reject packets"; uses apply-advanced; leaf block-message { type empty; description "Redirect sessions"; } } // container reject } // choice action } // container then } // grouping appfw_rule_type grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro } // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping appqoe-probe-params { description "Active probe parameters"; uses apply-advanced; container data-fill { description "Probe Data Payload content"; uses apply-advanced; leaf fill { type string { length "1 .. 63"; } description "Repetitive payload string "; } } // container data-fill container data-size { presence "enable data-size"; description "Probe data size"; uses apply-advanced; leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 256"; } } description "Data Payload size of probe packet"; } } // container data-size container per-packet-loss-timeout { presence "enable per-packet-loss-timeout"; description "Time interval between 2 consecutive SaaS probes"; uses apply-advanced; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "100 .. 10000"; } } default "1000"; description "Interval value in milliseconds"; } } // container per-packet-loss-timeout container probe-interval { presence "enable probe-interval"; description "Time interval between 2 consecutive probes"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } default "10"; description "Interval value in sec"; } } // container probe-interval container probe-count { presence "enable probe-count"; description "Minimum number of samples to be collected to evaluate SLA measurement"; uses apply-advanced; leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } default "5"; description "Sample count"; } } // container probe-count container burst-size { presence "enable burst-size"; description "Number of probes out of probe count to be sent as a burst"; uses apply-advanced; leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "1"; description "Burst size"; } } // container burst-size container sla-export-interval { description "Enabled time based SLA exporting"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 600"; } } description "Interval (sec)"; } } // container sla-export-interval container dscp-code-points { description "Mapping of code point aliases to bit strings"; uses apply-advanced; leaf dscp { type string; description "DSCP"; } } // container dscp-code-points container forwarding-class { description "Forwarding class corresponding to the DSCP"; uses apply-advanced; leaf fc-name { type string; description "Forwarding class name"; } } // container forwarding-class container loss-priority { presence "enable loss-priority"; uses apply-advanced; leaf priority { type enumeration { enum "low" { value 0; description "Low loss priority"; } enum "medium-low" { value 1; description "Medium-low loss priority"; } enum "medium-high" { value 2; description "Medium-high loss priority"; } enum "high" { value 3; description "High loss priority"; } } description "Packet loss priority"; } } // container loss-priority } // grouping appqoe-probe-params grouping appqoe-probe-path { description "Set probe path details"; uses apply-advanced; container local { presence "enable local"; description "Local node's info"; uses appqoe-node; } // container local container remote { presence "enable remote"; description "Remote node's info"; uses appqoe-node; } // container remote } // grouping appqoe-probe-path grouping appqoe-node { description "Set node info"; uses apply-advanced; container ip-address { presence "enable ip-address"; description "Set IP address"; uses apply-advanced; leaf ip_address { type jt:ipaddr; description "IP address"; } } // container ip-address } // grouping appqoe-node grouping appqoe_sla_metric_profile { description "Metric Name"; uses apply-advanced; container delay-round-trip { presence "enable delay-round-trip"; description "Maximum acceptable delay"; uses apply-advanced; leaf delay-val { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } description "Delay value(micro-sec)"; } } // container delay-round-trip container jitter { presence "enable jitter"; description "Maximum acceptable jitter"; uses apply-advanced; leaf jitter-val { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } description "Jitter value(micro-sec)"; } } // container jitter container jitter-type { presence "enable jitter-type"; description "Type of Jitter"; uses apply-advanced; leaf type { type enumeration { enum "two-way-jitter" { value 0; description "Two-way-jitter-type"; } enum "egress-jitter" { value 1; description "Egress-jitter-type"; } enum "ingress-jitter" { value 2; description "Ingress-jitter-type"; } } description "Jitter Type"; } } // container jitter-type container packet-loss { presence "enable packet-loss"; description "Maximum acceptable packet-loss"; uses apply-advanced; leaf loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Packet loss percentage"; } } // container packet-loss container match { presence "enable match"; description "Type of SLA match"; uses apply-advanced; leaf sla_match { type enumeration { enum "any-one" { value 0; description "Match any one strings"; } enum "all" { value 1; description "Match all metrics"; } } } } // container match } // grouping appqoe_sla_metric_profile grouping authentication-source-type { description "Configure user-identification authentication-source"; leaf name { type enumeration { enum "local-authentication-table" { value 0; description "Local-authentication-table, default priority is 100."; } enum "unified-access-control" { value 1; description "Unified-access-control, default priority is 200."; } enum "firewall-authentication" { value 2; description "Firewall-authentication, default priority is 150."; } enum "active-directory-authentication-table" { value 3; description "Active-directory-authentication-table, default priority is 125."; } enum "aruba-clearpass" { value 4; description "ClearPass-authentication-table, default priority is 110."; } } description "User-identification authentication-source name"; } uses apply-advanced; choice authentication-source-option { leaf priority { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Larger number means lower priority, 0 for disable"; } } // choice authentication-source-option } // grouping authentication-source-type grouping av-fallback-settings { description "Anti-virus fallback settings"; uses apply-advanced; leaf default { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Default action"; } leaf content-size { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for over content size"; } leaf engine-not-ready { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for engine not ready"; } leaf timeout { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for engine scan timeout"; } leaf out-of-resources { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for out of resources"; } leaf too-many-requests { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for requests exceed engine limit"; } leaf decompress-err { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } } description "Fallback action for decompress error"; } } // grouping av-fallback-settings grouping aws-object { uses apply-advanced; container cloudwatch { description "Configure AWS CloudWatch"; uses apply-advanced; container metric { description "Configure AWS CloudWatch metric"; uses apply-advanced; leaf collect-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "minutes"; default "3"; description "Set metric collection interval"; } leaf namespace { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 32"; } description "Container for collected metrics"; } leaf region { type string; description "Set AWS CloudWatch metric region"; } } // container metric container log { description "Configure AWS CloudWatch metric"; uses apply-advanced; leaf group { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 32"; } description "Group of log streams"; } leaf region { type string; description "Set AWS CloudWatch log region"; } list file { key "name"; description "File from which to collect log data"; leaf name { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 64"; } description "Name of file from which to collect log data"; } uses apply-advanced; leaf security-hub-import { type empty; description "Import security events in the file to AWS Security Hub"; } leaf collect-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "minutes"; default "3"; description "Set log collection interval"; } } // list file } // container log } // container cloudwatch } // grouping aws-object grouping category-list-type { description "Configure category-list object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 59"; } description "Configure name of category-list object"; } uses apply-advanced; leaf-list value { type string; ordered-by user; description "Configure value of category-list object"; } } // grouping category-list-type grouping certificate-object { leaf name { type string; description "Simple name to identify this certificate"; } uses apply-advanced; leaf certificate { type string; description "Certificate and private key string"; } } // grouping certificate-object grouping clients-object { leaf name { junos:must "((".. user" || ".. user-groups"))"; junos:must-message "user or user-groups must be defined"; type string { length "1 .. 31"; } description "Client config name"; } uses apply-advanced; list remote-protected-resources { key "name"; ordered-by user; description "IP/mask of remote protected resources"; leaf name { type jt:ipv4prefix-mandatory; description "IP/mask of remote protected resources"; } } // list remote-protected-resources list remote-exceptions { key "name"; ordered-by user; description "Ip/mask of exceptions being passthru"; leaf name { type jt:ipv4prefix-mandatory; description "Ip/mask of exceptions being passthru"; } } // list remote-exceptions leaf ipsec-vpn { junos:must "("security ipsec vpn $$")"; junos:must-message "ipsec-vpn must be defined"; type string; description "IPSec VPN assigned to remote access client"; } list user { key "name"; description "Remote IPSec VPN users"; leaf name { type string; description "User name"; } uses apply-advanced; } // list user list user-groups { key "name"; description "Remote IPSec VPN usergroups"; leaf name { type string; description "Usergroup name"; } uses apply-advanced; } // list user-groups } // grouping clients-object grouping command-list-type { description "Configure command-list object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 29"; } description "Configure name of command-list object"; } uses apply-advanced; leaf-list value { type string { length "1 .. 64"; } ordered-by user; description "Configure value of command-list object"; } } // grouping command-list-type grouping content-filtering-feature { description "Content-filtering feature"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Content filtering profile"; leaf name { type string { length "1 .. 29"; } description "Content-filtering feature profile name"; } uses apply-advanced; leaf permit-command { junos:must "("security utm custom-objects protocol-command $$")"; junos:must-message "protocol-command must be defined"; type string; description "Permit command list"; } leaf block-command { junos:must "("security utm custom-objects protocol-command $$")"; junos:must-message "protocol-command must be defined"; type string; description "Block command list"; } leaf block-extension { junos:must "("security utm custom-objects filename-extension $$")"; junos:must-message "filename-extension must be defined"; type string; description "Block extension list"; } container block-mime { presence "enable block-mime"; description "Content-filtering feature block MIME"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Block MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception of block MIME list"; } } // container block-mime container block-content-type { description "Content-filtering feature block content type"; uses apply-advanced; leaf activex { type empty; description "Block activex"; } leaf java-applet { type empty; description "Block Java-applet"; } leaf exe { type empty; description "Block Windows/dos exe file"; } leaf zip { type empty; description "Block zip file"; } leaf http-cookie { type empty; description "Block HTTP cookie"; } } // container block-content-type container notification-options { presence "enable notification-options"; description "Notification options"; uses apply-advanced; leaf type { type enumeration { enum "protocol-only" { value 0; description "Notification in protocol level"; } enum "message" { value 1; description "Notification in message"; } } description "Notification options type"; } choice notify-mail-sender-choice { leaf notify-mail-sender { type empty; description "Notifiy mail sender"; } leaf no-notify-mail-sender { type empty; description "Don't notifiy mail sender"; } } // choice notify-mail-sender-choice leaf custom-message { type string { length "1 .. 512"; } description "Custom notification message"; } } // container notification-options } // list profile } // grouping content-filtering-feature grouping custom-attack-group-type { description "Define custom attack group"; leaf name { type string; description "Custom attack group name"; } uses apply-advanced; leaf attack-group-description { type string; status deprecated; description "Attack group description in xml format"; } leaf-list group-members { type string; ordered-by user; description "List of attacks/attack groups belonging to this group"; } } // grouping custom-attack-group-type grouping custom-attack-type { description "Define custom attack"; leaf name { type string { junos:posix-pattern "^.{1,60}$"; junos:pattern-message "Custom attack name must be a string of 60 characters or less"; } description "Custom attack name"; } uses apply-advanced; leaf-list attack-description { type string; ordered-by user; description "Attack description"; } leaf recommended-action { type enumeration { enum "none" { value 0; description "No action"; } enum "ignore" { value 1; description "No further inspection on the flow"; } enum "drop-packet" { value 2; description "Drop the packet"; } enum "drop" { value 3; description "Drop the packet and subsequent packets of the flow"; } enum "close-client" { value 4; description "Reset the client side"; } enum "close-server" { value 5; description "Reset the server side"; } enum "close" { value 6; description "Reset both client and server"; } } description "Recommended Action"; } leaf severity { type enumeration { enum "info" { value 0; description "Provide information of attack when it matches."; } enum "warning" { value 1; description "Issue a warning when attack matches."; } enum "minor" { value 2; description "The attack is a minor one."; } enum "major" { value 3; description "The attack is a major one."; } enum "critical" { value 4; description "The attack is a critical one."; } } description "Select the severity that matches the lethality of this attack on your network"; } container time-binding { description "Time binding params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of times this attack is to be triggered"; } leaf scope { junos:must "((!(".. count 0") && !(".. count 1")))"; junos:must-message "Scope should be defined if count > 1"; type enumeration { enum "peer" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { junos:must "((!(".. count 0") && (!(".. count 1") && (".. count" && ".. scope"))))"; junos:must-message "To configure interval, count & scope should be set and count should be greater than or equal to 2"; type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } default "01m-00s"; description "Maximum time-gap between two instances of the attack. Format : MMm-SSs"; } } // container time-binding container detection-filter { junos:must "(!(".. time-binding"))"; junos:must-message "Time-binding and detection-filter will not be allowed together"; description "Detection filter params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of matches for this attack to be triggered. Must be greater than 0"; } leaf scope { type enumeration { enum "session" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } description "Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second"; } } // container detection-filter container attack-type { description "Type of attack"; uses apply-advanced; container signature { junos:must "(!((".. anomaly" || ".. chain")))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } leaf nested-application { type string; status deprecated; description "Nested application name"; } } // choice protocol } // container protocol-binding leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Attack signature pattern in PCRE format"; } container content { junos:must "(".. context")"; junos:must-message "Context must be specified"; description "Mention the match-modifire parameters to enhance pattern matching"; leaf pattern { type string; description "Specify match-modifier pattern"; } leaf pcre { type string { length "0 .. 511"; } description "PCRE expression"; } container depth { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum depth to search pattern within a packet. Depth is not relative"; leaf depth-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'depth'"; } leaf depth-variable { type string; description "Specify the variable name from which 'depth' should be extracted"; } } // container depth container offset { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Where to start searching for a pattern within a packet. Offset value is not relative"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the value of 'offset'"; } leaf offset-variable { type string; description "Specify the variable name from which 'offset' should be extracted"; } } // container offset container within { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Number of bytes present between two conjugative pattern match. within is relative"; leaf within-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'within'"; } leaf within-variable { type string; description "Specify the variable name from which 'within' should be extracted"; } } // container within container distance { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Length to ignore before searching next pattern match. Distance is relative"; leaf distance-value { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the value of 'distance'"; } leaf distance-variable { type string; description "Specify the variable name from which 'distance' should be extracted"; } } // container distance container byte-extract { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-extract parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf var-name { type string; description "Specify the name of the variable to reference in other rule options"; } leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "2-byte" { value 0; description "Round the number of converted bytes to 2-byte boundary"; } enum "4-byte" { value 1; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-extract container byte-test { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-test parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset container rvalue { description "Specify the rvalue to test the converted value against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "less-than" { value 0; description "Perform operation 'less than'"; } enum "greater-than" { value 1; description "Perform operation 'greater than'"; } enum "less-than-or-equal" { value 2; description "Perform operation 'less than or equal'"; } enum "greater-than-or-equal" { value 3; description "Perform operation 'greater than or equal'"; } enum "equal" { value 4; description "Perform operation 'equal'"; } enum "bitwise-AND" { value 5; description "Perform operation 'bitwise AND'"; } enum "bitwise-XOR" { value 6; description "Perform operation 'bitwise OR'"; } } description "Specify the operation to perform on extracted value"; } leaf negate { type empty; description "Check if the operator is not true"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-test container byte-math { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-math parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } container rvalue { description "Specify the value to use mathematical operation against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "addition" { value 0; description "Perform operation 'addition'"; } enum "subtraction" { value 1; description "Perform operation 'subtraction'"; } enum "multiplication" { value 2; description "Perform operation 'multiplication'"; } enum "division" { value 3; description "Perform operation 'division'"; } enum "right-shift" { value 4; description "Perform operation 'right shift'"; } enum "left-shift" { value 5; description "Perform operation 'left shift'"; } } description "Specify the operation to perform on extracted value"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf result { type string; description "Specify the variable name to which result should be stored"; } } // container byte-math container byte-jump { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-jump parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "4-byte" { value 0; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf from-beginning { type empty; description "Enable jump from the beginning of the payload"; } leaf from-end { type empty; description "Enable jump from the end of the payload"; } leaf post-offset { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the number of bytes to skip forward or backward"; } } // container byte-jump container is-data-at { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the is-data-at parameters for signature in length encoded protocols"; container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf negate { type empty; description "Negates the results of the isdataat test"; } } // container is-data-at } // container content container optional-parameters { junos:must "(".. pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit"; } leaf no-rb { type empty; description "Don't reserved bit"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragment bit"; } leaf no-mf { type empty; description "Don't more Fragment bit"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit"; } leaf no-df { type empty; description "Don't don't Fragment bit"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container ipv6 { description "IPv6 protocol parameters"; uses apply-advanced; container traffic-class { presence "enable traffic-class"; description "Traffic class. Similar to TOS in IPv4"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container traffic-class container payload-length { presence "enable payload-length"; description "Length of the payload in the IPv6 datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container payload-length container flow-label { presence "enable flow-label"; description "Flow label identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1048575"; } } description "Match value"; } } // container flow-label container hop-limit { presence "enable hop-limit"; description "Hop limit"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container hop-limit container next-header { presence "enable next-header"; description "The header following the basic IPv6 header"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container next-header container source { presence "enable source"; description "Source IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container destination container extension-header { description "IPv6 Extension headers"; uses apply-advanced; container routing-header { presence "enable routing-header"; description "IPv6 Routing extension header"; uses apply-advanced; container header-type { description "Routing header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container header-type } // container routing-header container destination-option { description "IPv6 Destination option extension header"; uses apply-advanced; container option-type { description "Destination option header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option-type container home-address { description "IPv6 Home address of the mobile node"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container home-address } // container destination-option } // container extension-header } // container ipv6 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container urgent-pointer container tcp-flags { presence "enable tcp-flags"; description "TCP header flags"; choice r1-choice { leaf r1 { type empty; description "Set Reserverd bit 1"; } leaf no-r1 { type empty; description "Don't set Reserverd bit 1"; } } // choice r1-choice choice r2-choice { leaf r2 { type empty; description "Set Reserved bit 2"; } leaf no-r2 { type empty; description "Don't set Reserved bit 2"; } } // choice r2-choice choice urg-choice { leaf urg { type empty; description "Set Urgent bit"; } leaf no-urg { type empty; description "Don't set Urgent bit"; } } // choice urg-choice choice ack-choice { leaf ack { type empty; description "Set Acknowledge bit"; } leaf no-ack { type empty; description "Don't set Acknowledge bit"; } } // choice ack-choice choice psh-choice { leaf psh { type empty; description "Set Push bit"; } leaf no-psh { type empty; description "Don't set Push bit"; } } // choice psh-choice choice rst-choice { leaf rst { type empty; description "Set Reset bit"; } leaf no-rst { type empty; description "Don't set Reset bit"; } } // choice rst-choice choice syn-choice { leaf syn { type empty; description "Set SYN bit"; } leaf no-syn { type empty; description "Don't set SYN bit"; } } // choice syn-choice choice fin-choice { leaf fin { type empty; description "Set FINish bit"; } leaf no-fin { type empty; description "Don't set FINish bit"; } } // choice fin-choice } // container tcp-flags container option { presence "enable option"; description "Kind"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!((".. signature" || ".. chain")))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf service { type string; description "Service name"; } leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly container chain { junos:must "(!((".. signature" || ".. anomaly")))"; junos:must-message "Only one attack type is permitted"; description "Chain attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } leaf nested-application { type string; status deprecated; description "Nested application name"; } } // choice protocol } // container protocol-binding leaf scope { type enumeration { enum "session" { value 0; description "Allow matches across transactions within the same session"; } enum "transaction" { value 1; description "Allow matches in single transactions within the same session"; } } description "Scope of the attack"; } leaf order { type empty; description "Attacks should match in the order in which they are defined"; } leaf reset { type empty; description "Repeat match should generate a new alert"; } leaf expression { junos:must "(!(".. order"))"; junos:must-message "Boolean Expression cannot be specified with order"; type string; description "Boolean Expression(or, and, oand). Multiple expressions can be combined using parenthesis."; } list member { key "name"; ordered-by user; description "List of member attacks."; uses chain-member-type; } // list member } // container chain } // container attack-type } // grouping custom-attack-type grouping chain-member-type { description "Chain member"; leaf name { type string; description "Custom attack name"; } uses apply-advanced; container attack-type { presence "enable attack-type"; description "Type of attack"; uses apply-advanced; container signature { junos:must "(!(".. anomaly"))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Attack signature pattern in PCRE format"; } container content { junos:must "(".. context")"; junos:must-message "Context must be specified"; description "Mention the match-modifire parameters to enhance pattern matching"; leaf pattern { type string; description "Specify match-modifier pattern"; } leaf pcre { type string { length "0 .. 511"; } description "PCRE expression"; } container depth { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum depth to search pattern within a packet. Depth is not relative"; leaf depth-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'depth'"; } leaf depth-variable { type string; description "Specify the variable name from which 'depth' should be extracted"; } } // container depth container offset { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Where to start searching for a pattern within a packet. Offset value is not relative"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the value of 'offset'"; } leaf offset-variable { type string; description "Specify the variable name from which 'offset' should be extracted"; } } // container offset container within { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Number of bytes present between two conjugative pattern match. within is relative"; leaf within-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'within'"; } leaf within-variable { type string; description "Specify the variable name from which 'within' should be extracted"; } } // container within container distance { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Length to ignore before searching next pattern match. Distance is relative"; leaf distance-value { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the value of 'distance'"; } leaf distance-variable { type string; description "Specify the variable name from which 'distance' should be extracted"; } } // container distance container byte-extract { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-extract parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf var-name { type string; description "Specify the name of the variable to reference in other rule options"; } leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "2-byte" { value 0; description "Round the number of converted bytes to 2-byte boundary"; } enum "4-byte" { value 1; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-extract container byte-test { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-test parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset container rvalue { description "Specify the rvalue to test the converted value against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "less-than" { value 0; description "Perform operation 'less than'"; } enum "greater-than" { value 1; description "Perform operation 'greater than'"; } enum "less-than-or-equal" { value 2; description "Perform operation 'less than or equal'"; } enum "greater-than-or-equal" { value 3; description "Perform operation 'greater than or equal'"; } enum "equal" { value 4; description "Perform operation 'equal'"; } enum "bitwise-AND" { value 5; description "Perform operation 'bitwise AND'"; } enum "bitwise-XOR" { value 6; description "Perform operation 'bitwise OR'"; } } description "Specify the operation to perform on extracted value"; } leaf negate { type empty; description "Check if the operator is not true"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-test container byte-math { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-math parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } container rvalue { description "Specify the value to use mathematical operation against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "addition" { value 0; description "Perform operation 'addition'"; } enum "subtraction" { value 1; description "Perform operation 'subtraction'"; } enum "multiplication" { value 2; description "Perform operation 'multiplication'"; } enum "division" { value 3; description "Perform operation 'division'"; } enum "right-shift" { value 4; description "Perform operation 'right shift'"; } enum "left-shift" { value 5; description "Perform operation 'left shift'"; } } description "Specify the operation to perform on extracted value"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf result { type string; description "Specify the variable name to which result should be stored"; } } // container byte-math container byte-jump { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-jump parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "4-byte" { value 0; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf from-beginning { type empty; description "Enable jump from the beginning of the payload"; } leaf from-end { type empty; description "Enable jump from the end of the payload"; } leaf post-offset { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the number of bytes to skip forward or backward"; } } // container byte-jump container is-data-at { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the is-data-at parameters for signature in length encoded protocols"; container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf negate { type empty; description "Negates the results of the isdataat test"; } } // container is-data-at } // container content container optional-parameters { junos:must "(".. pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit"; } leaf no-rb { type empty; description "Don't reserved bit"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragment bit"; } leaf no-mf { type empty; description "Don't more Fragment bit"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit"; } leaf no-df { type empty; description "Don't don't Fragment bit"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container ipv6 { description "IPv6 protocol parameters"; uses apply-advanced; container traffic-class { presence "enable traffic-class"; description "Traffic class. Similar to TOS in IPv4"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container traffic-class container payload-length { presence "enable payload-length"; description "Length of the payload in the IPv6 datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container payload-length container flow-label { presence "enable flow-label"; description "Flow label identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1048575"; } } description "Match value"; } } // container flow-label container hop-limit { presence "enable hop-limit"; description "Hop limit"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container hop-limit container next-header { presence "enable next-header"; description "The header following the basic IPv6 header"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container next-header container source { presence "enable source"; description "Source IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container destination container extension-header { description "IPv6 Extension headers"; uses apply-advanced; container routing-header { presence "enable routing-header"; description "IPv6 Routing extension header"; uses apply-advanced; container header-type { description "Routing header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container header-type } // container routing-header container destination-option { description "IPv6 Destination option extension header"; uses apply-advanced; container option-type { description "Destination option header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option-type container home-address { description "IPv6 Home address of the mobile node"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container home-address } // container destination-option } // container extension-header } // container ipv6 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container urgent-pointer container tcp-flags { presence "enable tcp-flags"; description "TCP header flags"; choice r1-choice { leaf r1 { type empty; description "Set Reserverd bit 1"; } leaf no-r1 { type empty; description "Don't set Reserverd bit 1"; } } // choice r1-choice choice r2-choice { leaf r2 { type empty; description "Set Reserved bit 2"; } leaf no-r2 { type empty; description "Don't set Reserved bit 2"; } } // choice r2-choice choice urg-choice { leaf urg { type empty; description "Set Urgent bit"; } leaf no-urg { type empty; description "Don't set Urgent bit"; } } // choice urg-choice choice ack-choice { leaf ack { type empty; description "Set Acknowledge bit"; } leaf no-ack { type empty; description "Don't set Acknowledge bit"; } } // choice ack-choice choice psh-choice { leaf psh { type empty; description "Set Push bit"; } leaf no-psh { type empty; description "Don't set Push bit"; } } // choice psh-choice choice rst-choice { leaf rst { type empty; description "Set Reset bit"; } leaf no-rst { type empty; description "Don't set Reset bit"; } } // choice rst-choice choice syn-choice { leaf syn { type empty; description "Set SYN bit"; } leaf no-syn { type empty; description "Don't set SYN bit"; } } // choice syn-choice choice fin-choice { leaf fin { type empty; description "Set FINish bit"; } leaf no-fin { type empty; description "Don't set FINish bit"; } } // choice fin-choice } // container tcp-flags container option { presence "enable option"; description "Kind"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!(".. signature"))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly } // container attack-type } // grouping chain-member-type grouping custom-message-type { description "Configure custom-message object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 59"; } description "Configure name of custom-message object"; } uses apply-advanced; leaf type { type enumeration { enum "redirect-url" { value 0; description "Redirect URL"; } enum "user-message" { value 1; description "User message"; } enum "custom-page" { value 2; description "Customer page"; } } description "Type of custom message"; } choice contents { leaf content { type string { length "1 .. 1024"; } description "Content of custom message"; } leaf custom-page-file { type string { length "1 .. 64"; } description "Name of custom page file"; } } // choice contents } // grouping custom-message-type grouping default-anti-spam-feature { description "Anti-spam feature"; uses apply-advanced; leaf type { type enumeration { enum "sbl" { value 0; description "Anti-spam sophos sbl"; } enum "anti-spam-none" { value 1; } } description "Anti-spam type"; } leaf address-whitelist { junos:must "("security utm custom-objects url-pattern $$")"; junos:must-message "url-pattern must be defined"; type string; description "Anti-spam whitelist"; } leaf address-blacklist { junos:must "("security utm custom-objects url-pattern $$")"; junos:must-message "url-pattern must be defined"; type string; description "Anti-spam blacklist"; } container traceoptions { description "Trace options for anti-spam feature"; uses anti-spam-traceoptions; } // container traceoptions container sbl { presence "enable sbl"; description "SBL settings"; uses default-sbl-type; } // container sbl } // grouping default-anti-spam-feature grouping anti-spam-traceoptions { description "Trace options for anti-spam feature"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Trace options for anti-spam feature flag"; leaf name { type enumeration { enum "manager" { value 0; description "Trace anti-spam manager information"; } enum "sbl" { value 1; description "Trace SBL server information"; } enum "all" { value 2; description "Enable trace all anti-spam trace options"; } } description "Trace options for anti-spam feature flag name"; } } // list flag } // grouping anti-spam-traceoptions grouping default-anti-virus-feature { description "Anti-virus feature"; uses apply-advanced; container mime-whitelist { description "Anti-virus MIME whitelist"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception settings for MIME white list"; } } // container mime-whitelist leaf url-whitelist { type string; description "Anti-virus URL white list"; } leaf type { type enumeration { enum "sophos-engine" { value 0; description "Anti-virus sophos-engine"; } enum "avira-engine" { value 1; description "Anti-virus avira-engine"; } enum "anti-virus-none" { value 2; } } default "anti-virus-none"; description "Anti-virus engine type"; } container forwarding-mode { description "Anti-virus forwarding mode"; uses apply-advanced; leaf hold { type empty; description "Hold mode (hold file until analysis is complete, default is CDF mode)"; } leaf inline-tap { type empty; description "Detect-only mode without blocking (default is off)"; } } // container forwarding-mode container scan-options { presence "enable scan-options"; description "Anti-virus scan options"; uses apply-advanced; choice pre-detection-choice { leaf pre-detection { type empty; description "Anti-virus Pre-Detection"; } leaf no-pre-detection { type empty; description "Don't anti-virus Pre-Detection"; } } // choice pre-detection-choice choice uri-check-choice { leaf uri-check { type empty; description "Anti-virus uri-check"; } leaf no-uri-check { type empty; description "Don't anti-virus uri-check"; } } // choice uri-check-choice leaf content-size-limit { type string; units "kilobytes"; description "Content size limit"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; description "Scan engine timeout"; } leaf decompress-layer-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } description "Decompress layer limit"; } } // container scan-options container trickling { presence "enable trickling"; description "Anti-virus trickling"; uses anti-virus-trickling; } // container trickling container notification-options { presence "enable notification-options"; description "Anti-virus notification options"; uses anti-virus-notification-options; } // container notification-options container fallback-options { presence "enable fallback-options"; description "Anti-virus fallback options"; uses av-fallback-settings; } // container fallback-options container traceoptions { description "Trace options for anti-virus feature"; uses anti-virus-traceoptions; } // container traceoptions container avira-engine { description "Anti-virus Avira-engine"; uses apply-advanced; container pattern-update { presence "enable pattern-update"; description "Anti-virus avira-engine pattern update"; uses anti-virus-pattern-update; } // container pattern-update } // container avira-engine container sophos-engine { description "Anti-virus sophos-engine"; uses apply-advanced; container server { description "SAV and Anti-Spam first hop DNS server"; uses apply-advanced; leaf ip { type jt:ipaddr; description "SAV and Anti-Spam first hop DNS server ip"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } leaf source-address { type jt:ipaddr; description "Source ip address used to connect server"; } } // container server leaf sxl-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } units "seconds"; default "2"; description "Sxl sophos anti-virus engine timeout"; } leaf sxl-retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 5"; } } default "1"; description "Sxl sophos anti-virus engine query retry (number of times)"; } container pattern-update { presence "enable pattern-update"; description "Anti-virus sophos-engine pattern update"; uses anti-virus-pattern-update; } // container pattern-update container fallback-options { presence "enable fallback-options"; status deprecated; description "Anti-virus sophos-engine fallback options"; uses av-fallback-settings; } // container fallback-options container scan-options { presence "enable scan-options"; status deprecated; description "Anti-virus sophos-engine scan options"; uses default-sophos-scan-options; } // container scan-options container trickling { presence "enable trickling"; status deprecated; description "Anti-virus trickling"; uses anti-virus-trickling; } // container trickling container notification-options { presence "enable notification-options"; status deprecated; description "Anti-virus notification options"; uses anti-virus-notification-options; } // container notification-options } // container sophos-engine } // grouping default-anti-virus-feature grouping default-content-filtering-feature { description "Content-filtering feature"; uses apply-advanced; leaf type { type enumeration { enum "local" { value 0; description "Content-filtering local"; } enum "content-filtering-none" { value 1; } } default "local"; description "Content-filtering type"; } container traceoptions { description "Trace options for content-filtering feature"; uses content-filtering-traceoptions; } // container traceoptions leaf permit-command { junos:must "("security utm custom-objects protocol-command $$")"; junos:must-message "protocol-command must be defined"; type string; description "Permit command list"; } leaf block-command { junos:must "("security utm custom-objects protocol-command $$")"; junos:must-message "protocol-command must be defined"; type string; description "Block command list"; } leaf block-extension { junos:must "("security utm custom-objects filename-extension $$")"; junos:must-message "filename-extension must be defined"; type string; description "Block extension list"; } container block-mime { presence "enable block-mime"; description "Content-filtering feature block MIME"; uses apply-advanced; leaf list { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Block MIME list"; } leaf exception { junos:must "("security utm custom-objects mime-pattern $$")"; junos:must-message "mime-pattern must be defined"; type string; description "Exception of block MIME list"; } } // container block-mime container block-content-type { description "Content-filtering feature block content type"; uses apply-advanced; leaf activex { type empty; description "Block activex"; } leaf java-applet { type empty; description "Block Java-applet"; } leaf exe { type empty; description "Block Windows/dos exe file"; } leaf zip { type empty; description "Block zip file"; } leaf http-cookie { type empty; description "Block HTTP cookie"; } } // container block-content-type container notification-options { presence "enable notification-options"; description "Notification options"; uses apply-advanced; leaf type { type enumeration { enum "protocol-only" { value 0; description "Notification in protocol level"; } enum "message" { value 1; description "Notification in message"; } } description "Notification options type"; } choice notify-mail-sender-choice { leaf notify-mail-sender { type empty; description "Notifiy mail sender"; } leaf no-notify-mail-sender { type empty; description "Don't notifiy mail sender"; } } // choice notify-mail-sender-choice leaf custom-message { type string { length "1 .. 512"; } description "Custom notification message"; } } // container notification-options } // grouping default-content-filtering-feature grouping content-filtering-traceoptions { description "Trace options for content-filtering feature"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Trace options for content-filtering feature flag"; leaf name { type enumeration { enum "basic" { value 0; description "Trace content-filtering basic information"; } enum "detail" { value 1; description "Trace content-filtering detail information"; } enum "all" { value 2; description "Enable trace all content-filtering trace options"; } } description "Trace options for content-filtering feature flag name"; } } // list flag } // grouping content-filtering-traceoptions grouping default-sbl-type { description "SBL type"; uses apply-advanced; choice sbl-default-server-choice { leaf sbl-default-server { type empty; description "Default SBL server"; } leaf no-sbl-default-server { type empty; description "Don't default SBL server"; } } // choice sbl-default-server-choice leaf spam-action { type enumeration { enum "block" { value 0; description "Block e-mail"; } enum "tag-header" { value 1; description "Tag header of e-mail"; } enum "tag-subject" { value 2; description "Tag subject of e-mail"; } } default "tag-subject"; description "Anti-spam actions"; } leaf custom-tag-string { type string { length "1 .. 512"; } description "Custom tag string"; } } // grouping default-sbl-type grouping default-sophos-scan-options { description "Anti-virus scan options"; uses apply-advanced; choice uri-check-choice { leaf uri-check { type empty; description "Anti-virus uri-check"; } leaf no-uri-check { type empty; description "Don't anti-virus uri-check"; } } // choice uri-check-choice leaf content-size-limit { type string; units "kilobytes"; default "10000"; description "Content size limit"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; description "Scan engine timeout"; } } // grouping default-sophos-scan-options grouping default-webfilter-feature { description "Web-filtering feature settings"; uses apply-advanced; leaf url-whitelist { type string; description "Configure custom URL for whitelist category"; } leaf url-blacklist { type string; description "Configure custom URL for blacklist category"; } leaf http-reassemble { type empty; description "Reassemble HTTP request segments"; } leaf http-persist { type empty; description "Check all HTTP request in a connection"; } leaf type { type enumeration { enum "websense-redirect" { value 0; } enum "juniper-local" { value 1; } enum "juniper-enhanced" { value 2; } enum "web-filtering-none" { value 3; } } default "web-filtering-none"; description "Configure web-filtering engine type"; } container traceoptions { description "Trace options for web-filtering feature"; uses web-filtering-traceoptions; } // container traceoptions container websense-redirect { description "Configure web-filtering websense redirect engine"; uses default-websense-type; } // container websense-redirect container juniper-local { description "Configure web-filtering juniper local engine"; uses default-juniper-local-type; } // container juniper-local container juniper-enhanced { description "Configure web-filtering juniper enhanced engine"; uses default-juniper-enhanced-type; } // container juniper-enhanced } // grouping default-webfilter-feature grouping default-juniper-enhanced-type { description "Juniper Enhanced"; uses apply-advanced; container cache { presence "enable cache"; uses apply-advanced; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "minutes"; default "1440"; description "Juniper enhanced cache timeout"; } leaf size { type string; units "kilobytes"; default "1024"; description "Juniper enhanced cache size"; } } // container cache container server { presence "enable server"; description "Juniper enhanced server"; uses juniper-enhanced-server; } // container server container reputation { presence "enable reputation"; description "Customize reputation level"; uses apply-advanced; leaf reputation-very-safe { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "90"; description "Base-reputation-value (default 90)"; } leaf reputation-moderately-safe { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "80"; description "Base-reputation-value (default 80)"; } leaf reputation-fairly-safe { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "70"; description "Base-reputation-value (default 70)"; } leaf reputation-suspicious { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Base-reputation-value (default 60)"; } } // container reputation leaf query-type { type enumeration { enum "url-ip" { value 0; description "Query category by URL and IP address"; } enum "url" { value 1; description "Query category by URL only"; } } description "Juniper enhanced query type"; } leaf base-filter { type string; description "Juniper base filter"; } list category { key "name"; ordered-by user; description "Juniper enhanced category"; uses juniper-enhanced-category-type; } // list category container site-reputation-action { presence "enable site-reputation-action"; description "Juniper enhanced site reputation action"; uses juniper-enhanced-site-reputation-setting; } // container site-reputation-action leaf default { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } enum "quarantine" { value 3; description "Quarantine action"; } } description "Juniper enhanced profile default"; } leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } container fallback-settings { presence "enable fallback-settings"; description "Juniper enhanced fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "seconds"; default "15"; description "Juniper enhanced timeout"; } leaf no-safe-search { type empty; description "Do not perform safe-search for Juniper enhanced protocol"; } } // grouping default-juniper-enhanced-type grouping default-juniper-local-type { description "Juniper local"; uses apply-advanced; leaf default { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } } description "Juniper local profile default"; } list category { key "name"; ordered-by user; description "Custom category"; uses custom-category-type; } // list category leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } leaf no-safe-search { type empty; description "Do not perform safe-search for Juniper local protocol"; } container fallback-settings { presence "enable fallback-settings"; description "Juniper local fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; default "15"; description "Juniper local timeout"; } } // grouping default-juniper-local-type grouping custom-category-type { description "Custom category type"; leaf name { junos:must "("security utm custom-objects custom-url-category $$")"; junos:must-message "custom-url-category must be defined"; type string { length "1 .. 59"; } description "Name of custom category"; } uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action to perform when web traffic matches category"; } leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } } // grouping custom-category-type grouping default-websense-type { description "Websense redirect"; uses apply-advanced; container server { presence "enable server"; description "Websense redirect server"; uses server; } // container server list category { key "name"; ordered-by user; description "Custom category"; uses custom-category-type; } // list category leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } leaf no-safe-search { type empty; description "Do not perform safe-search for websense redirect protocol"; } container fallback-settings { presence "enable fallback-settings"; description "Websense redirect fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; default "15"; description "Websense redirect timeout"; } leaf sockets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } default "32"; description "Websense redirect sockets number"; } leaf account { type string { length "1 .. 28"; } description "Websense redirect account"; } } // grouping default-websense-type grouping dynamic-attack-group-type { description "Define dynamic attack group"; leaf name { type string; description "Name of the dynamic attack group"; } uses apply-advanced; leaf attack-group-description { type string; status deprecated; description "Filter name/value in xml format"; } container filters { description "Configure filters"; uses apply-advanced; container direction { presence "enable direction"; description "Direction of attack"; uses apply-advanced; leaf expression { type enumeration { enum "and" { value 0; description "AND values together (recommended if 'exclude-*' values are set)"; } enum "or" { value 1; description "OR values together"; } } default "or"; description "Boolean AND/OR to be used for values"; } leaf-list values { type enumeration { enum "client-to-server" { value 0; description "Select attacks from client to server"; } enum "server-to-client" { value 1; description "Select attacks from server to client"; } enum "any" { value 2; description "Select attacks which can occur in either direction"; } enum "exclude-client-to-server" { value 3; description "Filter out attacks from client to server"; } enum "exclude-server-to-client" { value 4; description "Filter out attacks from server to client"; } enum "exclude-any" { value 5; description "Filter out attacks which occur in either direction"; } } ordered-by user; description "Values for direction field"; } } // container direction container severity { presence "enable severity"; description "Severity of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "info" { value 0; description "Provide information of attack when it matches."; } enum "warning" { value 1; description "Issue a warning when attack matches."; } enum "minor" { value 2; description "The attack is a minor one."; } enum "major" { value 3; description "The attack is a major one."; } enum "critical" { value 4; description "The attack is a critical one."; } } ordered-by user; description "Values for severity field"; } } // container severity container type { presence "enable type"; description "Type of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "signature" { value 0; description "Signature based attacks"; } enum "anomaly" { value 1; description "Protocol anomalies"; } } ordered-by user; description "Values for type field"; } } // container type choice recommended-choice { leaf recommended { type empty; description "Recommended flag"; } leaf no-recommended { type empty; description "Don't recommended flag"; } } // choice recommended-choice container performance { presence "enable performance"; description "Performance of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "unknown" { value 0; description "Performance level unknown"; } enum "fast" { value 1; description "Fast performance"; } enum "normal" { value 2; description "Normal performance"; } enum "slow" { value 3; description "Slow performance"; } } ordered-by user; description "Values for performance field"; } } // container performance container category { presence "enable category"; description "Category of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for category field"; } } // container category container service { presence "enable service"; description "Service/Application of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for service field"; } } // container service container false-positives { presence "enable false-positives"; description "False positive field in attack"; uses apply-advanced; leaf-list values { type enumeration { enum "unknown" { value 0; description "Unknown information"; } enum "rarely" { value 1; description "Rare false positives occurrence"; } enum "occasionally" { value 2; description "Ocassional false positives occurrence"; } enum "frequently" { value 3; description "Frequent false positives occurrence"; } } ordered-by user; description "Values for false-positives field"; } } // container false-positives list vendor { key "name"; ordered-by user; description "Vendor/Product the attack belongs to"; uses vendor-object; } // list vendor container file-type { presence "enable file-type"; description "File type the attack is valid for"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for file-type field"; } } // container file-type container vulnerability-type { presence "enable vulnerability-type"; description "Vulnariability type of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for vulnariability-type field"; } } // container vulnerability-type choice excluded-choice { leaf excluded { type empty; description "Excluded Attacks"; } leaf no-excluded { type empty; description "Don't excluded Attacks"; } } // choice excluded-choice container attack-prefix { presence "enable attack-prefix"; description "Prefix match for attack names"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for attack name prefix match"; } } // container attack-prefix list cvss-score { key "name"; ordered-by user; description "CVSS score of Attack "; leaf name { type enumeration { enum "greater-than" { value 0; description "Match when cvss score is greater"; } enum "less-than" { value 1; description "Match when cvss score is less"; } } description "Match condition of CVSS score"; } uses apply-advanced; leaf value { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type decimal64 { fraction-digits 9; range "0 .. 10"; } description "Match value"; } } // list cvss-score list age-of-attack { key "name"; ordered-by user; description "Age of an Attack "; leaf name { type enumeration { enum "greater-than" { value 0; description "Match when Age of Attack is greater"; } enum "less-than" { value 1; description "Match when Age of Attack is less"; } } description "Match condition of Age of Attack"; } uses apply-advanced; leaf value { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Match value"; } } // list age-of-attack } // container filters } // grouping dynamic-attack-group-type grouping e2e-action-profile { leaf name { type string { length "1 .. 64"; } description "Name of the action profile"; } uses apply-advanced; leaf preserve-trace-order { type empty; description "Preserve trace order (has performance overhead)"; } leaf record-pic-history { type empty; description "Record the PIC(s) in which the packet has been processed"; } list event { key "name"; ordered-by user; uses e2e-event; } // list event list module { key "name"; ordered-by user; uses e2e-module; } // list module } // grouping e2e-action-profile grouping e2e-event { leaf name { type enumeration { enum "np-ingress" { value 0; description "NP ingress"; } enum "np-egress" { value 1; description "NP egress"; } enum "mac-ingress" { value 2; description "SRX1K/3K IOC Mac ingress"; } enum "mac-egress" { value 3; description "SRX1K/3K IOC Mac egress"; } enum "lbt" { value 4; description "Load-Balance-Thread"; } enum "pot" { value 5; description "Packet-Order-Thread"; } enum "jexec" { value 6; description "JExec"; } enum "lt-enter" { value 7; description "LT(Logical Tunnel) enter"; } enum "lt-leave" { value 8; description "LT(Logical Tunnel) leave"; } } description "Name of the event"; } uses apply-advanced; leaf trace { type empty; description "Trace action"; } leaf count { type empty; description "Count action"; } leaf packet-summary { type empty; description "Packet summary action"; } leaf packet-dump { type empty; description "Packet dump action"; } } // grouping e2e-event grouping e2e-module { leaf name { type enumeration { enum "flow" { value 0; description "Flow module"; } } description "Name of the module"; } uses apply-advanced; list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All flow trace"; } } } } // list flag } // grouping e2e-module grouping end-to-end-debug-filter { description "End to end debug packer filter settings"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; length "1 .. 64"; } description "Name of the filter"; } uses apply-advanced; leaf action-profile { type string; description "Actions to take with this filter"; } leaf protocol { type string; description "Match IP protocol type"; } leaf source-prefix { type jt:ipprefix; description "Source IPv4/IPv6 address prefix"; } leaf destination-prefix { type jt:ipprefix; description "Destination IPv4/IPv6 address prefix"; } leaf source-port { type string; description "Match TCP/UDP source port"; } leaf destination-port { type string; description "Match TCP/UDP destination port"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Logical interface"; } } // grouping end-to-end-debug-filter grouping extension-list-type { description "Configure extension-list object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 29"; } description "Configure name of extension-list object"; } uses apply-advanced; leaf-list value { type string { length "1 .. 29"; } ordered-by user; description "Configure value of extension-list object"; } } // grouping extension-list-type grouping flow-filter-type { description "Flow filter settings"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; length "1 .. 63"; } description "Name of the filter"; } uses apply-advanced; leaf protocol { type string; description "Match IP protocol type"; } leaf source-prefix { type jt:ipprefix; description "Source IP address prefix"; } leaf destination-prefix { type jt:ipprefix; description "Destination IP address prefix"; } leaf conn-tag { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Session connection tag"; } leaf logical-system { type string { length "1 .. 63"; } status deprecated; description "Logical system"; } leaf source-port { type string; description "Match TCP/UDP source port"; } leaf destination-port { type string; description "Match TCP/UDP destination port"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Source logical interface"; } } // grouping flow-filter-type grouping flow-traceoptions-object { description "Trace options for flow services"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } enum "basic-datapath" { value 1; description "Basic packet flow"; } enum "high-availability" { value 2; description "Flow high-availability information"; } enum "host-traffic" { value 3; description "Flow host-traffic information"; } enum "fragmentation" { value 4; description "Ip fragmentation and reassembly events"; } enum "multicast" { value 5; description "Multicast flow information"; } enum "route" { value 6; description "Route lookup information"; } enum "session" { value 7; description "Session creation and deletion events"; } enum "session-scan" { value 8; description "Session scan information"; } enum "tcp-basic" { value 9; description "TCP packet flow"; } enum "tunnel" { value 10; description "Tunnel information"; } enum "jexec" { value 11; description "Junos forwarding module"; } } } } // list flag leaf rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } default "0"; description "Limit the incoming rate of trace messages"; } list packet-filter { key "name"; max-elements 64; ordered-by user; description "Flow packet debug filters"; uses flow-filter-type; } // list packet-filter container trace-level { description "FLow trace level"; uses apply-advanced; choice level { leaf minimal { type empty; description "Significant messages including warning, error, criticality, alert and emergency."; } leaf brief { type empty; description "Brief messages including notice, in addition to minimal messages"; } leaf detail { type empty; description "Detail messages including info and debug, in addition to brief messages"; } } // choice level } // container trace-level leaf root-override { junos:must "((".. file" && ".. flag"))"; junos:must-message "root-override must have root trace file and flag configured"; type empty; description "Allow collect flow trace in root from all logical-systems and tenants"; } } // grouping flow-traceoptions-object grouping gtp-object { uses apply-advanced; list profile { key "name"; description "Configure GTP Profile"; leaf name { type string { length "1 .. 23"; } description "GTP profile name"; } uses apply-advanced; leaf min-message-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Minimum message length, from 0 to 65535 "; } leaf max-message-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "65535"; description "Maximum message length, from 1 to 65535"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "hour"; default "1000"; description "Tunnel idle timeout"; } container rate-limit { presence "enable rate-limit"; description "Limit messages per second"; uses rate-limit-object; } // container rate-limit container log { presence "enable log"; description "GPRS tunneling protocol logs"; uses apply-advanced; leaf forwarded { type enumeration { enum "basic" { value 0; description "Basic logs"; } enum "detail" { value 1; description "Detailed logs"; } } description "Log passed good packets"; } leaf event { type enumeration { enum "basic" { value 0; description "Basic logs"; } enum "detail" { value 1; description "Detailed logs"; } } description "Log alarms and tunnel management events"; } leaf prohibited { type enumeration { enum "basic" { value 0; description "Basic logs"; } enum "detail" { value 1; description "Detailed logs"; } } description "Log dropped packets"; } list gtp-u { key "name"; description "Logs for gtp-u"; leaf name { type enumeration { enum "all" { value 0; description "All gtp-u logs"; } enum "dropped" { value 1; description "Dropped gtp-u logs"; } } description "Logs for gtp-u"; } uses apply-advanced; } // list gtp-u container rate-limited { presence "enable rate-limited"; description "Dropped for rate-limit"; uses apply-advanced; choice rate-limited-attr { leaf basic { type empty; description "Basic logs"; } leaf detail { type empty; description "Detailed logs"; } } // choice rate-limited-attr } // container rate-limited } // container log container remove-ie { presence "enable remove-ie"; description "Remove information elements"; uses apply-advanced; list version { key "name"; description "GTP version"; leaf name { type enumeration { enum "v1" { value 0; description "GTP v1"; } } description "Version name"; } uses apply-advanced; list release { key "name"; description "Remove information elements by release"; leaf name { type enumeration { enum "R6" { value 0; description "Release 6"; } enum "R7" { value 1; description "Release 7"; } enum "R8" { value 2; description "Release 8"; } enum "R9" { value 3; description "Release 9"; } } description "Release name"; } uses apply-advanced; } // list release list number { key "name"; description "Remove information elements by number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } } uses apply-advanced; } // list number } // list version } // container remove-ie container path-rate-limit { description "Limit control messages based on IP pairs"; uses apply-advanced; list message-type { key "name"; description "Specific group of control messages"; leaf name { type enumeration { enum "create-req" { value 0; description "Limit packet-per-second of GTP create request"; } enum "delete-req" { value 1; description "Limit packet-per-second of GTP delete request"; } enum "echo-req" { value 2; description "Limit packet-per-minute of GTP echo request"; } enum "other" { value 3; description "Limit packet-per-second of all other GTP control messages"; } } description "Specific group of control messages"; } uses apply-advanced; container drop-threshold { description "Set drop threshold for path rate limiting"; uses apply-advanced; leaf forward { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10000"; } } description "Limit messages of forward direction"; } leaf reverse { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10000"; } } description "Limit messages of reverse direction"; } } // container drop-threshold container alarm-threshold { description "Set alarm threshold for path rate limiting"; uses apply-advanced; leaf forward { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10000"; } } description "Limit messages of forward direction"; } leaf reverse { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10000"; } } description "Limit messages of reverse direction"; } } // container alarm-threshold } // list message-type } // container path-rate-limit container drop { description "Drop certain type of messages"; uses apply-advanced; list aa-create-pdp { key "name"; ordered-by user; description "Create AA pdp request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } } description "GTP version for message"; } uses apply-advanced; } // list aa-create-pdp list aa-delete-pdp { key "name"; ordered-by user; description "Delete AA pdp request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } } description "GTP version for message"; } uses apply-advanced; } // list aa-delete-pdp list bearer-resource { key "name"; ordered-by user; description "Bearer resource command/failure message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list bearer-resource list change-notification { key "name"; ordered-by user; description "Change notification request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list change-notification list config-transfer { key "name"; ordered-by user; description "Configuration transfer message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list config-transfer list context { key "name"; ordered-by user; description "Context request/response/ack message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list context list create-bearer { key "name"; ordered-by user; description "Create bearer request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list create-bearer list create-data-forwarding { key "name"; ordered-by user; description "Create indirect data forwarding tunnel request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list create-data-forwarding list create-pdp { key "name"; ordered-by user; description "Create pdp request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list create-pdp list create-session { key "name"; ordered-by user; description "Create session request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list create-session list create-tnl-forwarding { key "name"; ordered-by user; description "Create forwarding tunnel request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list create-tnl-forwarding list cs-paging { key "name"; ordered-by user; description "CS paging indication message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list cs-paging list data-record { key "name"; ordered-by user; description "Data record request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list data-record list delete-bearer { key "name"; ordered-by user; description "Delete bearer request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-bearer list delete-command { key "name"; ordered-by user; description "Delete bearer command/failure message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-command list delete-data-forwarding { key "name"; ordered-by user; description "Delete indirect data forwarding tunnel request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-data-forwarding list delete-pdn { key "name"; ordered-by user; description "Delete PDN connection set request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-pdn list delete-pdp { key "name"; ordered-by user; description "Delete pdp request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-pdp list delete-session { key "name"; ordered-by user; description "Delete session request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list delete-session list detach { key "name"; ordered-by user; description "Detach notification/ack message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list detach list downlink-notification { key "name"; ordered-by user; description "Downlink data notification/ack/failure message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list downlink-notification list echo { key "name"; ordered-by user; description "Echo request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "2" { value 2; description "Version 2"; } enum "all" { value 3; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list echo list error-indication { key "name"; ordered-by user; description "Error indication message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list error-indication list failure-report { key "name"; ordered-by user; description "Failure report request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list failure-report list fwd-access { key "name"; ordered-by user; description "Forward access context notification/ack message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list fwd-access list fwd-relocation { key "name"; ordered-by user; description "Forward relocation request/response/comp/comp-ack message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list fwd-relocation list fwd-srns-context { key "name"; ordered-by user; description "Forward SRNS context/context-ack message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } } description "GTP version for message"; } uses apply-advanced; } // list fwd-srns-context list g-pdu { key "name"; ordered-by user; description "G-PDU (user PDU) message/T-PDU"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list g-pdu list identification { key "name"; ordered-by user; description "Identification request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "2" { value 2; description "Version 2"; } enum "all" { value 3; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list identification list mbms-session-start { key "name"; ordered-by user; description "MBMS session start request/response message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list mbms-session-start list mbms-session-stop { key "name"; ordered-by user; description "MBMS session stop request/response message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list mbms-session-stop list mbms-session-update { key "name"; ordered-by user; description "MBMS session update request/response message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list mbms-session-update list modify-bearer { key "name"; ordered-by user; description "Modify bearer request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list modify-bearer list modify-command { key "name"; ordered-by user; description "Modify bearer command/failure message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list modify-command list node-alive { key "name"; ordered-by user; description "Node alive request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list node-alive list note-ms-present { key "name"; ordered-by user; description "Note MS GPRS present request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list note-ms-present list pdu-notification { key "name"; ordered-by user; description "PDU notification requst/response/reject/reject-response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list pdu-notification list ran-info { key "name"; ordered-by user; description "RAN info relay message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list ran-info list redirection { key "name"; ordered-by user; description "Redirection request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list redirection list release-access { key "name"; ordered-by user; description "Release access-bearer request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list release-access list relocation-cancel { key "name"; ordered-by user; description "Relocation cancel request/response message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } enum "2" { value 1; description "Version 2"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list relocation-cancel list resume { key "name"; ordered-by user; description "Resume notification/ack message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list resume list send-route { key "name"; ordered-by user; description "Send route info request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list send-route list sgsn-context { key "name"; ordered-by user; description "SGSN context request/response/ack message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list sgsn-context list stop-paging { key "name"; ordered-by user; description "Stop paging indication message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list stop-paging list supported-extension { key "name"; ordered-by user; description "Supported extension headers notification message"; leaf name { type enumeration { enum "1" { value 0; description "Version 1"; } } description "GTP version for message"; } uses apply-advanced; } // list supported-extension list suspend { key "name"; ordered-by user; description "Suspend notification/ack message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list suspend list trace-session { key "name"; ordered-by user; description "Trace session activation/deactivation message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list trace-session list update-bearer { key "name"; ordered-by user; description "Update bearer request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list update-bearer list update-pdn { key "name"; ordered-by user; description "Update PDN connection set request/response message"; leaf name { type enumeration { enum "2" { value 0; description "Version 2"; } } description "GTP version for message"; } uses apply-advanced; } // list update-pdn list update-pdp { key "name"; ordered-by user; description "Update pdp request/response message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "all" { value 2; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list update-pdp list ver-not-supported { key "name"; ordered-by user; description "Version not supported message"; leaf name { type enumeration { enum "0" { value 0; description "Version 0"; } enum "1" { value 1; description "Version 1"; } enum "2" { value 2; description "Version 2"; } enum "all" { value 3; description "All versions"; } } description "GTP version for message"; } uses apply-advanced; } // list ver-not-supported } // container drop list apn { key "name"; description "GTP Access Point Name (APN) filter"; leaf name { type string { junos:posix-pattern "^[*]$|^[*][^*]{1,63}$|^[^*]{1,64}$"; junos:pattern-message "APN pattern string length should be 1-64, support wildcard for the first character"; length "1 .. 64"; } description "Specific APN pattern string"; } uses apply-advanced; list imsi-prefix { key "name"; description "Specific filter prefix digits for International Mobile Subscriber Identification(IMSI)"; leaf name { type string { junos:posix-pattern "^[*]$|^[0-9]{5,15}$"; junos:pattern-message "imsi-prefix should be * or 5-15 digits"; length "1 .. 15"; } description "IMSI prefix should be * or 5-15 digits"; } uses apply-advanced; container action { description "Configure GTP profile APN action"; uses apply-advanced; choice action-c { leaf pass { type empty; description "Pass all selection modes for this APN"; } leaf drop { type empty; description "Drop all selection modes for this APN"; } container selection { presence "enable selection"; description "Allowed selection modes for this APN"; uses apply-advanced; leaf ms { type empty; description "Mobile Station selection mode"; } leaf net { type empty; description "Network selection mode"; } leaf vrf { type empty; description "Subscriber verified mode"; } } // container selection } // choice action-c } // container action } // list imsi-prefix } // list apn leaf restart-path { type enumeration { enum "echo" { value 0; description "Restart GTP paths by detecting restart number stored in the Echo messages"; } enum "create" { value 1; description "Restart GTP paths by detecting restart number stored in the Create messages"; } enum "all" { value 2; description "Restart GTP paths by detecting restart number stored in the Echo or Create messages"; } } description "Restart GTP paths"; } leaf seq-number-validated { type empty; description "Validate G-PDU sequence number"; } leaf gtp-in-gtp-denied { type empty; description "Deny nested GTP"; } leaf u-tunnel-validated { type empty; description "Validate GTP-u tunnel"; } leaf end-user-address-validated { type empty; description "Validate end user address"; } leaf req-timeout { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 30"; } } units "second"; description "Request message timeout, default timeout value 5 seconds"; } leaf handover-on-roaming-intf { type empty; description "Enable tunnel setup by Handover messages on roaming interface"; } container handover-group { description "SGSN handover group configuration"; uses apply-advanced; leaf group-name { junos:must "(("security gprs gtp handover-group $$" || ("security gprs gtp ip-group $$" || ("security gtp handover-group $$" || "security gtp ip-group $$"))))"; junos:must-message "referenced ip-group/handover-group not found"; type string { length "1 .. 23"; } description "SGSN handover group name"; } } // container handover-group leaf listening-mode { type empty; description "Enable listening-mode for GTP inspection"; } container ne-group { description "IP validation check for NE group configuration"; uses apply-advanced; leaf group-name { junos:must "(("security gprs gtp ip-group $$" || "security gtp ip-group $$"))"; junos:must-message "referenced ip-group not found"; type string { length "1 .. 23"; } description "GTP ip group name"; } } // container ne-group container ue-group { description "End User IP validation check for UE group configuration"; uses apply-advanced; leaf group-name { junos:must "(("security gprs gtp ip-group $$" || "security gtp ip-group $$"))"; junos:must-message "referenced ip-group not found"; type string { length "1 .. 23"; } description "GTP ip group name"; } } // container ue-group container must-ie-v1 { description "GTPv1 Must IE check configuration"; uses apply-advanced; leaf msgie-prf-v1-name { junos:must "(("security gprs gtp message-ie-profile-v1 $$" || "security gtp message-ie-profile-v1 $$"))"; junos:must-message "referenced message-ie-profile-v1 not found"; type string { length "1 .. 23"; } description "GTPv1 message-ie profile name"; } } // container must-ie-v1 container must-ie-v2 { description "GTPv2 Must IE check configuration"; uses apply-advanced; leaf msgie-prf-v2-name { junos:must "(("security gprs gtp message-ie-profile-v2 $$" || "security gtp message-ie-profile-v2 $$"))"; junos:must-message "referenced message-ie-profile-v2 not found"; type string { length "1 .. 23"; } description "GTPv2 message-ie profile name"; } } // container must-ie-v2 container remove-ie-v1 { description "GTPv1 IE Removal configuration"; uses apply-advanced; leaf ieset-name { junos:must "(("security gprs gtp ie-set $$" || "security gtp ie-set $$"))"; junos:must-message "referenced ie-set not found"; type string { length "1 .. 23"; } description "GTP ie-set name"; } } // container remove-ie-v1 container remove-ie-v2 { description "GTPv2 IE Removal configuration"; uses apply-advanced; leaf ieset-name { junos:must "(("security gprs gtp ie-set $$" || "security gtp ie-set $$"))"; junos:must-message "referenced ie-set not found"; type string { length "1 .. 23"; } description "GTP ie-set name"; } } // container remove-ie-v2 choice apn-control-c { container apn-control { description "GTP per APN control"; uses apply-advanced; leaf apn-ctrl-name { junos:must "(("security gprs gtp apn-control $$" || "security gtp apn-control $$"))"; junos:must-message "referenced apn-control profile not found"; type string { length "1 .. 23"; } description "APN control profile name"; } } // container apn-control container apn-control-group { description "GTP per APN control group"; uses apply-advanced; leaf apn-ctrl-grp-name { junos:must "(("security gprs gtp apn-control-group $$" || "security gtp apn-control-group $$"))"; junos:must-message "referenced apn-control group not found"; type string { length "1 .. 23"; } description "APN control group name"; } } // container apn-control-group } // choice apn-control-c } // list profile container traceoptions { description "Trace options for GPRS tunneling protocol"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "parser" { value 2; description "Trace parser events"; } enum "chassis-cluster" { value 3; description "Trace chassis cluster events"; } enum "gsn" { value 4; description "Trace gsn events"; } enum "jmpi" { value 5; description "Trace jmpi events"; } enum "tnl" { value 6; description "Trace tnl events"; } enum "req" { value 7; description "Trace req events"; } enum "path" { value 8; description "Trace path events"; } enum "all" { value 9; description "Trace everything"; } } } } // list flag container trace-level { description "GTP trace level"; uses apply-advanced; choice level { leaf error { type empty; description "Match error conditions"; } leaf warning { type empty; description "Match warning messages"; } leaf notice { type empty; description "Match conditions that should be handled specially"; } leaf info { type empty; description "Match informational messages"; } leaf verbose { type empty; description "Match verbose messages"; } } // choice level } // container trace-level } // container traceoptions container handover-default { description "Set handover default deny"; uses apply-advanced; leaf deny { type empty; description "Handover default deny"; } } // container handover-default list ip-group { key "name"; description "Set GTP IP group"; leaf name { type string { length "1 .. 23"; } description "Set ip group name"; } uses apply-advanced; list address-book { key "name"; description "Set addreess book"; leaf name { junos:must "("security address-book $$")"; junos:must-message "referenced address-book not found"; type string { length "1 .. 63"; } description "Set address book name"; } uses apply-advanced; container address-set { description "Set address set"; uses apply-advanced; leaf set-name { type string { length "1 .. 63"; } description "Set address set name"; } } // container address-set } // list address-book } // list ip-group list ie-set { key "name"; max-elements 20; description "Set GTP IE set profile"; leaf name { type string { length "1 .. 23"; } description "Set GTP IE set profile name"; } uses apply-advanced; list ie { key "name"; description "Set IE number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set IE number"; } uses apply-advanced; } // list ie } // list ie-set list message-ie-profile-v1 { key "name"; max-elements 10; description "Set GTPv1 message IE profile"; leaf name { type string { length "1 .. 23"; } description "Set GTPv1 message IE profile name"; } uses apply-advanced; list message { key "name"; description "Set message type"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set message type"; } uses apply-advanced; list ie { key "name"; description "Set IE number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set IE number"; } uses apply-advanced; } // list ie } // list message } // list message-ie-profile-v1 list grouped-ie-profile { key "name"; max-elements 100; description "Set GTP grouped IE filter profile"; leaf name { type string { length "1 .. 23"; } description "Set GTP grouped IE filter profile name"; } uses apply-advanced; list ie { key "name"; description "Set IE number"; uses ie-filter-object; } // list ie } // list grouped-ie-profile list message-ie-profile-v2 { key "name"; max-elements 10; description "Set GTP message IE filter profile"; leaf name { type string { length "1 .. 23"; } description "Set message IE filter profile name"; } uses apply-advanced; list message { key "name"; description "Set message type"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set message type"; } uses apply-advanced; list ie { key "name"; description "Set IE number"; uses ie-filter-object; } // list ie } // list message } // list message-ie-profile-v2 list message-list { key "name"; max-elements 10; description "Set message list"; leaf name { type string { length "1 .. 23"; } description "Set message list name"; } uses apply-advanced; list message { key "name"; description "Set message type"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set message type"; } uses apply-advanced; } // list message } // list message-list list rate-limit { key "name"; description "Limiting message rate"; leaf name { type enumeration { enum "default" { value 0; description "Default rate limit policy name"; } } description "Rate limit policy name"; } uses apply-advanced; container message { description "GTP limited message type"; uses message-object; } // container message } // list rate-limit list apn-control { key "name"; max-elements 1024; description "GTP APN control profile"; leaf name { type string { length "1 .. 23"; } description "APN control profile name"; } uses apply-advanced; container apn { description "APN of the APN control profile"; uses apply-advanced; leaf apn-string { type string { length "1 .. 100"; } description "APN string"; } } // container apn container rate-limit { presence "enable rate-limit"; description "APN controlled rate-limit"; uses rate-limit-object; } // container rate-limit } // list apn-control list apn-control-group { key "name"; max-elements 1024; description "GTP APN control profile group"; leaf name { type string { length "1 .. 23"; } description "APN control profile group name"; } uses apply-advanced; list apn-control { key "name"; description "APN control profile"; leaf name { junos:must "(("security gprs gtp apn-control $$" || "security gtp apn-control $$"))"; junos:must-message "referenced apn-control profile not found"; type string { length "1 .. 23"; } description "APN control profile name"; } uses apply-advanced; } // list apn-control } // list apn-control-group } // grouping gtp-object grouping httpd_dvpn_traceoptions_type { description "Trace options for dynamic-vpn process"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Area of HTTPD process to enable debugging output"; leaf name { type enumeration { enum "all" { value 0; description "Trace all areas"; } } } } // list flag } // grouping httpd_dvpn_traceoptions_type grouping idp-policy-type { leaf name { type string; description "IDP policy name"; } container rulebase-ips { description "IPS rulebase"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Configure IPS rule"; leaf name { type string; description "Rule name"; } uses apply-advanced; leaf description { type string; description "Rule description"; } container match { description "Rule match criteria"; uses apply-advanced; leaf from-zone { junos:must "((".. from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice destination leaf application { type string; description "Specify application or application-set name to match"; } container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } // container match container then { uses apply-advanced; container action { choice action { leaf no-action { type empty; description "No action"; } leaf ignore-connection { type empty; description "Ignore"; } container mark-diffserv { description "Mark differentiated services codepoint (DSCP)"; uses apply-advanced; leaf codepoint { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Codepoint value"; } } // container mark-diffserv container class-of-service { description "Classification of traffic based on class-of-service"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class for outgoing packets"; } leaf dscp-code-point { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Differentiated services code point value"; } } // container class-of-service leaf drop-packet { type empty; description "Drop packet"; } leaf drop-connection { type empty; description "Drop connection"; } leaf close-client { type empty; description "Close client"; } leaf close-server { type empty; description "Close server"; } leaf close-client-and-server { type empty; description "Close client and server"; } leaf recommended { junos:must "(".. .. .. match attacks")"; junos:must-message "attacks must also be configured."; type empty; description "Recommended"; } } // choice action } // container action container ip-action { uses apply-advanced; choice ip-action { leaf ip-notify { type empty; description "Notify about future traffic"; } leaf ip-close { type empty; description "Close future connections"; } leaf ip-block { type empty; description "Block future connections"; } } // choice ip-action leaf target { type enumeration { enum "service" { value 0; description "Match source, destination, dst-port and protocol"; } enum "source-zone-address" { value 1; description "Match source-zone and source-address"; } enum "source-address" { value 2; description "Match source"; } enum "destination-address" { value 3; description "Match destination"; } enum "zone-service" { value 4; description "Match source-zone, destination, dst-port, protocol"; } enum "source-zone" { value 5; description "Match source-zone"; } } } leaf log { type empty; description "Log IP action taken"; } leaf log-create { type empty; description "Log IP action creation"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 64800"; } } description "Number of seconds IP action should remain effective"; } leaf refresh-timeout { junos:must "(".. timeout")"; junos:must-message "timeout must be specified"; type empty; description "Refresh timeout when future connections match installed ip-action filter"; } } // container ip-action container notification { presence "enable notification"; description "Configure notification/logging options"; uses apply-advanced; container log-attacks { presence "enable log-attacks"; description "Enable attack logging"; uses apply-advanced; leaf alert { type empty; description "Set alert flag in attack log"; } } // container log-attacks container packet-log { presence "enable packet-log"; uses apply-advanced; leaf pre-attack { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } default "1"; description "No of packets to capture before attack"; } leaf post-attack { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "No of packets to capture after attack"; } leaf post-attack-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1800"; } } default "5"; description "Timeout (seconds) after attack before stopping packet capture"; } } // container packet-log } // container notification leaf severity { type enumeration { enum "info" { value 0; } enum "warning" { value 1; } enum "minor" { value 2; } enum "major" { value 3; } enum "critical" { value 4; } } description "Set rule severity level"; } container application-services { description "Enable application services for this rule"; container security-intelligence { description "Generate security intellegence feeds"; leaf add-attacker-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } leaf add-target-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container security-intelligence } // container application-services } // container then leaf terminal { type empty; description "Set/Unset terminal flag"; } } // list rule } // container rulebase-ips container rulebase-exempt { description "Exempt rulebase"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Configure exempt rule"; leaf name { type string; description "Rule name"; } uses apply-advanced; leaf description { type string; description "Rule description"; } container match { description "Rule match criteria"; uses apply-advanced; leaf from-zone { junos:must "((".. from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice destination container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } // container match } // list rule } // container rulebase-exempt } // grouping idp-policy-type grouping idpd-traceoptions-type { description "Trace options for idpd"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } } description "Flag name to include in trace output"; } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } } // grouping idpd-traceoptions-type grouping ids-option-type { description "Configure screen object"; leaf name { type string { length "1 .. 64"; } description "Screen object name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of screen"; } leaf alarm-without-drop { type empty; description "Do not drop packet, only generate alarm"; } leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } enum "input-output" { value 2; description "Match on input to or output from interface"; } } description "Match direction"; } container aggregation { presence "enable aggregation"; description "Configure the source and Destination prefix for a ids-option"; uses apply-advanced; leaf source-prefix-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Source IPV4 prefix"; } leaf destination-prefix-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Destination IPV4 prefix"; } leaf source-prefix-v6-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 128"; } } description "Source IPV6 prefix"; } leaf destination-prefix-v6-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 128"; } } description "Destination IPV6 prefix"; } } // container aggregation container icmp { description "Configure ICMP ids options"; uses apply-advanced; container ip-sweep { presence "enable ip-sweep"; description "Configure ip sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 ICMP packets are detected"; default "5000"; description "Threshold"; } } // container ip-sweep leaf fragment { type empty; description "Enable ICMP fragment ids option"; } leaf large { type empty; description "Enable large ICMP packet (size > 1024) ids option"; } container flood { presence "enable flood"; description "Configure icmp flood ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "ICMP packets per second"; default "1000"; description "Threshold"; } } // container flood leaf ping-death { type empty; description "Enable ping of death ids option"; } leaf icmpv6-malformed { type empty; description "Enable icmpv6 malformed ids option"; } } // container icmp container ip { description "Configure IP layer ids options"; uses apply-advanced; leaf bad-option { type empty; description "Enable ip with bad option ids option"; } leaf record-route-option { type empty; description "Enable ip with record route option ids option"; } leaf timestamp-option { type empty; description "Enable ip with timestamp option ids option"; } leaf security-option { type empty; description "Enable ip with security option ids option"; } leaf stream-option { type empty; description "Enable ip with stream option ids option"; } leaf spoofing { type empty; description "Enable IP address spoofing ids option"; } leaf source-route-option { type empty; description "Enable ip source route ids option"; } leaf loose-source-route-option { type empty; description "Enable ip with loose source route ids option"; } leaf strict-source-route-option { type empty; description "Enable ip with strict source route ids option"; } leaf unknown-protocol { type empty; description "Enable ip unknown protocol ids option"; } leaf block-frag { type empty; description "Enable ip fragment blocking ids option"; } leaf tear-drop { type empty; description "Enable tear drop ids option"; } container ipv6-extension-header { description "Configure ipv6 extension header ids option"; uses apply-advanced; container hop-by-hop-header { presence "enable hop-by-hop-header"; description "Enable ipv6 hop by hop option header ids option"; uses apply-advanced; leaf jumbo-payload-option { type empty; description "Enable jumbo payload option ids option"; } leaf router-alert-option { type empty; description "Enable router alert option ids option"; } leaf quick-start-option { type empty; description "Enable quick start option ids option"; } leaf CALIPSO-option { type empty; description "Enable Common Architecture Label ipv6 Security Option ids option"; } leaf SMF-DPD-option { type empty; description "Enable Simplified Multicast Forwarding ipv6 Duplicate Packet Detection option ids option"; } leaf RPL-option { type empty; description "Enable Routing Protocol for Low-power and Lossy networks option ids option"; } list user-defined-option-type { key "name"; max-elements 256; ordered-by user; description "User-defined option type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type low value"; } container to { description "Upper limit of option type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type high value"; } } // container to } // list user-defined-option-type } // container hop-by-hop-header leaf routing-header { type empty; description "Enable ipv6 routing header ids option"; } leaf fragment-header { type empty; description "Enable ipv6 fragment header ids option"; } leaf ESP-header { type empty; description "Enable ipv6 Encapsulating Security Payload header ids option"; } leaf AH-header { type empty; description "Enable ipv6 Authentication Header ids option"; } leaf no-next-header { type empty; description "Enable ipv6 no next header ids option"; } container destination-header { presence "enable destination-header"; description "Enable ipv6 destination option header ids option"; uses apply-advanced; leaf tunnel-encapsulation-limit-option { type empty; description "Enable tunnel encapsulation limit option ids option"; } leaf home-address-option { type empty; description "Enable home address option ids option"; } leaf ILNP-nonce-option { type empty; description "Enable Identifier-Locator Network Protocol Nonce option ids option"; } leaf line-identification-option { type empty; description "Enable line identification option ids option"; } list user-defined-option-type { key "name"; max-elements 256; ordered-by user; description "User-defined option type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type low value"; } container to { description "Upper limit of option type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type high value"; } } // container to } // list user-defined-option-type } // container destination-header leaf shim6-header { type empty; description "Enable ipv6 shim header ids option"; } leaf mobility-header { type empty; description "Enable ipv6 mobility header ids option"; } leaf HIP-header { type empty; description "Enable ipv6 Host Identify Protocol header ids option"; } list user-defined-header-type { key "name"; max-elements 256; ordered-by user; description "User-defined header type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "User-defined header type low value"; } container to { description "Upper limit of header type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "User-defined header type high value"; } } // container to } // list user-defined-header-type } // container ipv6-extension-header leaf ipv6-extension-header-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 32"; } } description "Enable ipv6 extension header limit ids option"; } leaf ipv6-malformed-header { type empty; description "Enable ipv6 malformed header ids option"; } container tunnel { description "Configure IP tunnel ids options"; uses apply-advanced; leaf bad-inner-header { type empty; description "Enable IP tunnel bad inner header ids option"; } container gre { description "Configure IP tunnel GRE ids option"; uses apply-advanced; leaf gre-6in4 { type empty; description "Enable IP tunnel GRE 6in4 ids option"; } leaf gre-4in6 { type empty; description "Enable IP tunnel GRE 4in6 ids option"; } leaf gre-6in6 { type empty; description "Enable IP tunnel GRE 6in6 ids option"; } leaf gre-4in4 { type empty; description "Enable IP tunnel GRE 4in4 ids option"; } } // container gre container ip-in-udp { description "Configure IP tunnel IPinUDP ids option"; uses apply-advanced; leaf teredo { type empty; description "Enable IP tunnel IPinUDP Teredo ids option"; } } // container ip-in-udp container ipip { description "Configure IP tunnel IPIP ids option"; uses apply-advanced; leaf ipip-6to4relay { type empty; description "Enable IP tunnel IPIP 6to4 Relay ids option"; } leaf ipip-6in4 { type empty; description "Enable IP tunnel IPIP 6in4 ids option"; } leaf ipip-4in6 { type empty; description "Enable IP tunnel IPIP 4in6 ids option"; } leaf ipip-4in4 { type empty; description "Enable IP tunnel IPIP 4in4 ids option"; } leaf ipip-6in6 { type empty; description "Enable IP tunnel IPIP 6in6 ids option"; } leaf ipip-6over4 { type empty; description "Enable IP tunnel IPIP 6over4 ids option"; } leaf isatap { type empty; description "Enable IP tunnel IPIP ISATAP ids option"; } leaf dslite { type empty; description "Enable IP tunnel IPIP DS-Lite ids option"; } } // container ipip } // container tunnel } // container ip container tcp { description "Configure TCP Layer ids options"; uses apply-advanced; leaf syn-fin { type empty; description "Enable SYN and FIN bits set attack ids option"; } leaf fin-no-ack { type empty; description "Enable Fin bit with no ACK bit ids option"; } leaf tcp-no-flag { type empty; description "Enable TCP packet without flag ids option"; } leaf syn-frag { type empty; description "Enable SYN fragment ids option"; } leaf syn-defense { type empty; description "Enable tcp syn-defense"; } container port-scan { presence "enable port-scan"; description "Configure TCP port scan ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 attack packets are detected"; default "5000"; description "Threshold"; } } // container port-scan container syn-ack-ack-proxy { presence "enable syn-ack-ack-proxy"; description "Configure syn-ack-ack proxy ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 250000"; } } units "un-authenticated connections"; default "512"; description "Threshold"; } } // container syn-ack-ack-proxy container syn-flood { presence "enable syn-flood"; description "Configure SYN flood ids option"; uses apply-advanced; leaf alarm-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "requests per second"; default "512"; description "Alarm threshold"; } leaf attack-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "proxied requests per second"; default "200"; description "Attack threshold"; } leaf source-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "SYN pps"; default "4000"; description "Source threshold"; } leaf destination-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "SYN pps"; default "4000"; description "Destination threshold"; } leaf queue-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "200 .. 20000"; } } units "proxied requests in queue"; default "1024"; status deprecated; description "Queue size"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } units "seconds"; default "20"; description "SYN flood ager timeout"; } list white-list { key "name"; max-elements 2; description "Set of IP addresses that will not trigger a screen"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "White-list name"; } uses apply-advanced; leaf-list source-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Source address"; } leaf-list destination-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Destination address"; } } // list white-list } // container syn-flood leaf land { type empty; description "Enable land attack ids option"; } leaf winnuke { type empty; description "Enable winnuke attack ids option"; } container tcp-sweep { presence "enable tcp-sweep"; description "Configure TCP sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 TCP packets are detected"; default "5000"; description "Threshold"; } } // container tcp-sweep } // container tcp container udp { description "Configure UDP layer ids options"; uses apply-advanced; container flood { presence "enable flood"; description "Configure UDP flood ids option"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "UDP packets per second"; default "1000"; description "Threshold"; } leaf-list white-list { type string; max-elements 2; ordered-by user; description "Configure UDP flood white list group name"; } } // container flood container udp-sweep { presence "enable udp-sweep"; description "Configure UDP sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 UDP packets are detected"; default "5000"; description "Threshold"; } } // container udp-sweep container port-scan { presence "enable port-scan"; description "Configure UDP port scan ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 attack packets are detected"; default "5000"; description "Threshold"; } } // container port-scan } // container udp container limit-session { description "Limit sessions"; uses apply-advanced; leaf source-ip-based { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions from the same source IP"; } leaf destination-ip-based { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions to the same destination IP"; } container by-source { presence "enable by-source"; description "Limit sessions from the same source IP or subnet"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } container by-protocol { presence "enable by-protocol"; description "Limit sessions on the basis of protocol"; uses by-protocol-object-type; } // container by-protocol leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // container by-source container by-destination { presence "enable by-destination"; description "Limit sessions to the same destination IP or subnet"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } container by-protocol { presence "enable by-protocol"; description "Limit sessions on the basis of protocol"; uses by-protocol-object-type; } // container by-protocol leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // container by-destination } // container limit-session } // grouping ids-option-type grouping by-protocol-object-type { description "Configure limit-session on the basis of protocol"; uses apply-advanced; container tcp { presence "enable tcp"; description "Configure limit-session on the basis of TCP"; uses by-protocol-object-limit-tcp-type; } // container tcp container udp { presence "enable udp"; description "Configure limit-session on the basis of UDP"; uses by-protocol-object-limit-type; } // container udp container icmp { presence "enable icmp"; description "Configure limit-session on the basis of ICMP"; uses by-protocol-object-limit-type; } // container icmp } // grouping by-protocol-object-type grouping by-protocol-object-limit-tcp-type { description "Configure the limit-session for tcp protocol"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } container syn-cookie { presence "enable syn-cookie"; description "Configure syn-cookie parameters"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "TCP maximum segment size"; } leaf threshold-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "TCP-SYN cps rate to trigger SYN-COOKIE"; } leaf threshold-num { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Number of sessions to trigger SYN-COOKIE"; } } // container syn-cookie } // grouping by-protocol-object-limit-tcp-type grouping by-protocol-object-limit-type { description "Configure the limit-session for each protocol"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // grouping by-protocol-object-limit-type grouping ids-wlist-type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "White-list name"; } uses apply-advanced; leaf-list address { type jt:ipprefix; max-elements 32; ordered-by user; description "Address"; } } // grouping ids-wlist-type grouping ie-filter-object { leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 255"; } } description "Set IE number"; } uses apply-advanced; list instance { key "name"; description "Set instance"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 11"; } } description "Set instance number"; } uses apply-advanced; container grouped-ie-profile { description "Set GTP IE filter for grouped IE"; uses apply-advanced; leaf grpie-prf-name { junos:must "(("security gprs gtp grouped-ie-profile $$" || "security gtp grouped-ie-profile $$"))"; junos:must-message "referenced grouped-ie-profile not found"; type string { length "1 .. 23"; } description "Set grouped IE profile"; } } // container grouped-ie-profile } // list instance } // grouping ie-filter-object grouping jsf_application_traffic_control_rule_set_type { description "Define service application traffic rule-set reference"; uses apply-advanced; leaf rule-set { junos:must "("class-of-service application-traffic-control rule-sets $$")"; junos:must-message "rule-set must be defined"; type string { length "1 .. 64"; } description "Service rule-set name"; } } // grouping jsf_application_traffic_control_rule_set_type grouping juniper-enhanced-category-type { description "Juniper enhanced category type"; leaf name { type string { length "1 .. 59"; } description "Name of Juniper enhanced category"; } uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action to perform when web traffic matches category"; } leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } } // grouping juniper-enhanced-category-type grouping juniper-enhanced-server { description "Server handling categorization requests"; uses apply-advanced; leaf host { type string; description "Server host IP address or string host name"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Server port"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined"; type string { length "1 .. 64"; } description "Proxy profile"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } leaf source-address { type jt:ipaddr; description "Source ip address used to connect server"; } } // grouping juniper-enhanced-server grouping juniper-enhanced-site-reputation-setting { description "Juniper enhanced site reputation settings"; uses apply-advanced; leaf very-safe { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action when site reputation is very safe"; } leaf moderately-safe { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action when site reputation is moderately safe"; } leaf fairly-safe { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action when site reputation is fairly safe"; } leaf suspicious { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action when site reputation is suspicious"; } leaf harmful { type enumeration { enum "permit" { value 0; } enum "log-and-permit" { value 1; } enum "block" { value 2; } enum "quarantine" { value 3; } } description "Action when site reputation is harmful"; } } // grouping juniper-enhanced-site-reputation-setting grouping log-object { description "Configure security log"; uses apply-advanced; list exclude { key "name"; ordered-by user; status deprecated; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; status deprecated; description "Limit number of security log entries to keep in memory"; } container cache { presence "enable cache"; description "Cache security log events in the audit log buffer"; uses apply-advanced; list exclude { junos:must "(!(".. .. exclude"))"; junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive"; key "name"; ordered-by user; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { junos:must "(!(".. .. limit"))"; junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive"; type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Limit number of security log entries to keep in memory"; } } // container cache leaf disable { type empty; description "Disable security logging for the device"; } leaf utc-timestamp { type empty; description "Use UTC time for security log timestamps"; } leaf mode { type enumeration { enum "stream" { value 0; description "Process security logs directly in the forwarding plane"; } enum "event" { value 1; description "Process security logs in the control plane"; } enum "stream-event" { value 2; description "Process security logs in both forwarding plane and control plane"; } } description "Controls how security logs are processed and exported"; } leaf event-rate { junos:must "(("security log mode event" || ("services service-set ${service-set} syslog mode event" || ("security log mode stream-event" || "services service-set ${service-set} syslog mode stream-event"))))"; junos:must-message "To configure event-rate, security log must be in event or stream-event mode"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1500"; } } units "logs per second"; description "Control plane event rate"; } leaf format { type enumeration { enum "syslog" { value 0; description "Traditional syslog"; } enum "sd-syslog" { value 1; description "Structured syslog"; } enum "binary" { value 2; description "Binary log"; } } description "Set security log format for the device"; } leaf escape { type empty; description "Enable escape defined by RFC5424 for the sd and binary format logs"; } container time-format { description "Configure year or millisecond for syslog"; uses time-format-object; } // container time-format leaf rate-cap { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 5000"; } } units "logs per second"; description "Data plane event rate"; } leaf max-database-record { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "0"; description "Maximum records in database"; } container report { presence "enable report"; description "Set security log report settings"; uses apply-advanced; container logs-per-table { presence "enable logs-per-table"; description "Log number per table in database"; uses apply-advanced; leaf session-all { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of session"; } leaf screen { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of screen"; } leaf idp { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of idp"; } leaf utm { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of utm"; } leaf ipsec-vpn { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of ipsec-vpn"; } leaf sky { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of sky"; } } // container logs-per-table leaf table-lifetime { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 365"; } } default "90"; description "Table lifetime day(s)"; } container table-mode { presence "enable table-mode"; description "Report table mode"; uses apply-advanced; leaf dense { type empty; description "Applicable when massive log and long duration"; } } // container table-mode container database-filter { presence "enable database-filter"; description "Check the logs whether should be inserted into database"; uses apply-advanced; list event-category { key "name"; ordered-by user; description "Filter by event-category"; leaf name { type enumeration { enum "session" { value 0; description "Session log"; } enum "screen" { value 1; description "Screen log"; } enum "idp" { value 2; description "IDP log"; } enum "webfilter" { value 3; description "Webfilter log"; } enum "content-filter" { value 4; description "Content-filter log"; } enum "anti-virus" { value 5; description "Antivirus log"; } enum "anti-spam" { value 6; description "Anti-spam log"; } enum "ipsec" { value 7; description "IPsec VPN log"; } enum "sky" { value 8; description "Sky ATP log"; } enum "secintel" { value 9; description "Secintel log"; } enum "icap" { value 10; description "ICAP log"; } enum "ssl-proxy" { value 11; description "SSL proxy log"; } enum "dnsf" { value 12; description "DNSF log"; } enum "session-create" { value 13; description "Session create log"; } enum "session-close" { value 14; description "Session close log"; } enum "session-deny" { value 15; description "Session deny log"; } } description "Name"; } uses apply-advanced; } // list event-category leaf exclude { type empty; description "Exclude the logs"; } } // container database-filter } // container report choice source { leaf source-address { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure source address, mode must be stream or stream-event"; type jt:ipaddr; description "Source ip address used when exporting security logs"; } leaf source-interface { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure source interface, mode must be stream or stream-event"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Source interface used when exporting security logs"; } } // choice source container transport { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure transport info, mode must be stream or stream-event"; presence "enable transport"; description "Set security log transport settings"; uses apply-advanced; leaf tcp-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } description "Set tcp connection number per-stream"; } leaf protocol { type enumeration { enum "udp" { value 0; description "UDP transfer for log"; } enum "tcp" { value 1; description "TCP transfer for log"; } enum "tls" { value 2; description "TLS transfer for log"; } } description "Set security log transport protocol for the device"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "SSl profile must be defined under [services ssl initiation profile]"; type string; description "TLS profile"; } } // container transport leaf facility-override { type enumeration { enum "authorization" { value 0; description "Authorization system"; } enum "daemon" { value 1; description "Various system processes"; } enum "ftp" { value 2; description "FTP process"; } enum "kernel" { value 3; description "Kernel"; } enum "user" { value 4; description "User processes"; } enum "local0" { value 5; description "Local logging option number 0"; } enum "local1" { value 6; description "Local logging option number 1"; } enum "local2" { value 7; description "Local logging option number 2"; } enum "local3" { value 8; description "Local logging option number 3"; } enum "local4" { value 9; description "Local logging option number 4"; } enum "local5" { value 10; description "Local logging option number 5"; } enum "local6" { value 11; description "Local logging option number 6"; } enum "local7" { value 12; description "Local logging option number 7"; } } description "Alternate facility for logging to remote host"; } leaf local-log-tag { junos:must "(!("services service-set ${service-set} syslog mode stream"))"; junos:must-message "To configure local-log-tag, mode must be event or stream-event"; type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Tag included in logs"; } list local-category { junos:must "(!("services service-set ${service-set} syslog mode stream"))"; junos:must-message "To configure local-category, mode must be event or stream-event"; key "name"; ordered-by user; description "Selects the type of events that may be logged locally"; leaf name { type enumeration { enum "all" { value 0; description "All events are logged"; } enum "content-security" { value 1; description "Content security events are logged"; } enum "fw-auth" { value 2; description "Fw-auth events are logged"; } enum "screen" { value 3; description "Screen events are logged"; } enum "alg" { value 4; description "Alg events are logged"; } enum "nat" { value 5; description "Nat events are logged"; } enum "flow" { value 6; description "Flow events are logged"; } enum "sctp" { value 7; description "Sctp events are logged"; } enum "gtp" { value 8; description "Gtp events are logged"; } enum "ipsec" { value 9; description "Ipsec events are logged"; } enum "idp" { value 10; description "Idp events are logged"; } enum "rtlog" { value 11; description "Rtlog events are logged"; } enum "pst-ds-lite" { value 12; description "Pst-ds-lite events are logged"; } enum "appqos" { value 13; description "Appqos events are logged"; } enum "secintel" { value 14; description "Secintel events are logged"; } enum "aamw" { value 15; description "AAMW events are logged"; } enum "sfw" { value 16; description "Stateful Firewall events are logged"; } enum "session" { value 17; description "Session open and close events are logged"; } enum "session-open" { value 18; description "Session open events are logged"; } enum "session-close" { value 19; description "Session close events are logged"; } enum "urlf" { value 20; description "URLF events are logged"; } enum "ha" { value 21; description "Stateful High-Availability open and close events are logged"; } enum "ha-open" { value 22; description "Stateful High-Availability open events are logged"; } enum "ha-close" { value 23; description "Stateful High-Availability close events are logged"; } enum "pcp" { value 24; description "PCP logs"; } enum "dnsf" { value 25; description "DNSF"; } } } uses apply-advanced; } // list local-category leaf root-streaming { type empty; description "Logs will be streamed from the Root LSYS"; } list stream { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure stream, mode must be stream or stream-event"; key "name"; max-elements 8; ordered-by user; description "Set security log stream settings"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 63"; } description "Name of security log stream"; } uses apply-advanced; leaf severity { type enumeration { enum "emergency" { value 0; description "Conditions that cause security functions to stop"; } enum "alert" { value 1; description "Conditions that require immediate attention"; } enum "critical" { value 2; description "Critical conditions"; } enum "error" { value 3; description "General error conditions"; } enum "warning" { value 4; description "General warning conditions"; } enum "notice" { value 5; description "Non-error conditions that are of interest"; } enum "info" { value 6; description "Information about normal security operations"; } enum "debug" { value 7; description "Information normally used in debugging"; } } description "Severity threshold for security logs"; } leaf format { type enumeration { enum "syslog" { value 0; description "Traditional syslog"; } enum "sd-syslog" { value 1; description "Structured syslog"; } enum "welf" { value 2; description "Web Trends Extended Log Format"; } enum "binary" { value 3; description "Binary log"; } } description "Specify the log stream format"; } list category { junos:must "(!("security log stream ${stream} filter"))"; junos:must-message "Category is exclusive with filter"; key "name"; ordered-by user; description "Selects the type of events that may be logged"; leaf name { type enumeration { enum "all" { value 0; description "All events are logged"; } enum "content-security" { value 1; description "Content security events are logged"; } enum "fw-auth" { value 2; description "Fw-auth events are logged"; } enum "screen" { value 3; description "Screen events are logged"; } enum "alg" { value 4; description "Alg events are logged"; } enum "nat" { value 5; description "Nat events are logged"; } enum "flow" { value 6; description "Flow events are logged"; } enum "sctp" { value 7; description "Sctp events are logged"; } enum "gtp" { value 8; description "Gtp events are logged"; } enum "ipsec" { value 9; description "Ipsec events are logged"; } enum "idp" { value 10; description "Idp events are logged"; } enum "rtlog" { value 11; description "Rtlog events are logged"; } enum "pst-ds-lite" { value 12; description "Pst-ds-lite events are logged"; } enum "appqos" { value 13; description "Appqos events are logged"; } enum "secintel" { value 14; description "Secintel events are logged"; } enum "aamw" { value 15; description "AAMW events are logged"; } enum "sfw" { value 16; description "Stateful Firewall events are logged"; } enum "session" { value 17; description "Session open and close events are logged"; } enum "session-open" { value 18; description "Session open events are logged"; } enum "session-close" { value 19; description "Session close events are logged"; } enum "urlf" { value 20; description "URLF events are logged"; } enum "ha" { value 21; description "Stateful High-Availability open and close events are logged"; } enum "ha-open" { value 22; description "Stateful High-Availability open events are logged"; } enum "ha-close" { value 23; description "Stateful High-Availability close events are logged"; } enum "pcp" { value 24; description "PCP logs"; } enum "dnsf" { value 25; description "DNSF"; } } } uses apply-advanced; } // list category list filter { junos:must "(!("security log stream ${stream} category"))"; junos:must-message "filter is exclusive with category"; key "name"; ordered-by user; description "Selects the filter to filter the logs to be logged"; leaf name { type enumeration { enum "threat-attack" { value 0; description "Threat-attack security events are logged"; } } } uses apply-advanced; } // list filter container host { junos:must "(!("security log stream ${stream} file"))"; junos:must-message "host is exclusive with file"; junos:must "(("security log source-address" || ("security log source-interface" || ("security log stream ${stream} source-address" || ("services service-set ${service-set} syslog source-interface" || ("services service-set ${service-set} syslog source-address" || "services service-set ${service-set} syslog stream ${stream} source-address"))))))"; junos:must-message "To configure host stream, security log source-address/source-interface must be configured"; description "Destination to send security logs to"; uses host-object; } // container host container rate-limit { description "Rate-limit for security logs"; uses apply-advanced; leaf rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "logs per second"; description "Log rate"; } } // container rate-limit container file { junos:must "(!("security log stream ${stream} host"))"; junos:must-message "file is exclusive with host"; description "Security log file options for logs in local file"; uses apply-advanced; leaf localfilename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 256"; } description "Name of local log file"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum size of local log file in megabytes"; } leaf rotation { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10"; description "Maximum number of rotate files"; } leaf allow-duplicates { type empty; description "To disable log consolidation"; } } // container file container transport { presence "enable transport"; description "Set security log transport settings"; uses apply-advanced; leaf tcp-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } description "Set tcp connection number per-stream"; } leaf protocol { type enumeration { enum "udp" { value 0; description "UDP transfer for log"; } enum "tcp" { value 1; description "TCP transfer for log"; } enum "tls" { value 2; description "TLS transfer for log"; } } description "Set security log transport protocol for the device"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "SSL profile must be defined under [services ssl initiation profile]"; type string; description "TLS profile"; } } // container transport container time-format { description "Configure year or millisecond for syslog"; uses time-format-object; } // container time-format leaf source-address { type jt:ipaddr; description "Source ip address used when exporting security logs"; } } // list stream container file { description "Security log file options for logs in binary/protobuf format"; uses apply-advanced; leaf filename { type string { length "1 .. 256"; } description "Name of log file"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Maximum size of log file in megabytes"; } leaf path { type string { length "1 .. 256"; } description "Path to log files"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10"; } } description "Maximum number of log files"; } } // container file container apply { description "Apply settings from other features"; uses apply-advanced; leaf dscp-code-point { junos:must "("class-of-service host-outbound-traffic dscp-code-point")"; junos:must-message "class-of-service host-outbound-traffic dscp-code-point must be defined"; type empty; description "Apply setting class-of-service host-outbound-traffic dscp-code-point"; } } // container apply container traceoptions { description "Security log daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "List of things to include in trace"; leaf name { type enumeration { enum "source" { value 0; description "Communication with security log forwarder"; } enum "configuration" { value 1; description "Reading of configuration"; } enum "all" { value 2; description "Everything"; } enum "report" { value 3; description "Trace report"; } enum "hpl" { value 4; description "Trace HPL logging"; } } } } // list flag } // container traceoptions list profile { key "name"; max-elements 10; ordered-by user; description "Security log profile setting"; leaf name { type string { junos:posix-pattern "^[[:alnum:].-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes"; length "1 .. 63"; } description "Name of security log profile"; } uses apply-advanced; list stream-name { junos:must "((".. category" || ".. template"))"; junos:must-message "To send logs must define cagetory or template"; key "name"; max-elements 4; ordered-by user; description "Use which stream "; leaf name { junos:must "("security log stream $$")"; junos:must-message "stream must be defined under [security log stream]"; type string; description "Name of the stream"; } uses apply-advanced; } // list stream-name container category { junos:must "(!(" .. template"))"; junos:must-message "Cannot configure category and template for the same profile"; presence "enable category"; description "Selects the category of events for the profile"; uses apply-advanced; container session { presence "enable session"; description "Select session category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container session container webfilter { presence "enable webfilter"; description "Select webfilter category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container webfilter container antivirus { presence "enable antivirus"; description "Select antivirus category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container antivirus container content-filter { presence "enable content-filter"; description "Select content-filter category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container content-filter container antispam { presence "enable antispam"; description "Select antispam category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container antispam container idp { presence "enable idp"; description "Select idp category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container idp container secintel { presence "enable secintel"; description "Select secintel category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container secintel container aamw { presence "enable aamw"; description "Select aamw category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container aamw container ssl-proxy { presence "enable ssl-proxy"; description "Select ssl-proxy category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container ssl-proxy container apptrack { presence "enable apptrack"; description "Select apptrack category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container apptrack } // container category container default-profile { presence "enable default-profile"; uses apply-advanced; leaf activate { type empty; description "Set this profile as default profile"; } } // container default-profile container template { junos:must "(!(" .. category"))"; junos:must-message "Cannot configure category and template for the same profile"; presence "enable template"; description "Select the template for the profile"; uses apply-advanced; choice template-id { leaf traditional-firewall { type empty; description "Traditional-firewall"; } leaf unified-ngfw { type empty; description "Unified-ngfw"; } leaf sd-wan { type empty; description "Sd-wan"; } } // choice template-id } // container template } // list profile } // grouping log-object grouping host-object { uses apply-advanced; leaf ipaddr { type string { length "1 .. 256"; } description "IP address/Host name"; } leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Host port number"; } leaf routing-instance { junos:must "((("security" && "routing-instances $$ instance-type virtual-router") || "services"))"; junos:must-message "Virtual router must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing-instance name"; } leaf log-tag { type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Tag included in logs to this host"; } } // grouping host-object grouping logical-system-type { description "Logical system name"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Logical systems must be defined under [logical-systems] "; type string; description "Logical system name"; } uses apply-advanced; leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } } // grouping logical-system-type grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping message-object { uses apply-advanced; container v0 { description "GTPv0 message type"; uses apply-advanced; leaf msg-list-name { junos:must "(("security gprs gtp message-list $$" || "security gtp message-list $$"))"; junos:must-message "referenced message-list not found"; type string { length "1 .. 23"; } description "GTP message list name"; } } // container v0 container v1 { description "GTPv1 message type"; uses apply-advanced; leaf msg-list-name { junos:must "(("security gprs gtp message-list $$" || "security gtp message-list $$"))"; junos:must-message "referenced message-list not found"; type string { length "1 .. 23"; } description "GTP message list name"; } } // container v1 container v2 { description "GTPv2 message type"; uses apply-advanced; leaf msg-list-name { junos:must "(("security gprs gtp message-list $$" || "security gtp message-list $$"))"; junos:must-message "referenced message-list not found"; type string { length "1 .. 23"; } description "GTP message list name"; } } // container v2 } // grouping message-object grouping mime-list-type { description "Configure mime-list object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 40"; } description "Configure name of mime-list object"; } uses apply-advanced; leaf-list value { type string { length "1 .. 249"; } ordered-by user; description "Configure MIME value"; } } // grouping mime-list-type grouping mirror-filter-type { description "Secuirty mirror filter settings"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; length "1 .. 63"; } description "Name of the filter"; } uses apply-advanced; leaf protocol { type string; description "Match IP protocol type"; } leaf source-prefix { type jt:ipprefix; description "Source IP address prefix"; } leaf destination-prefix { type jt:ipprefix; description "Destination IP address prefix"; } leaf source-port { type string; description "Match TCP/UDP source port"; } leaf destination-port { type string; description "Match TCP/UDP destination port"; } leaf interface-in { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Incoming Logical interface"; } leaf interface-out { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Outgoing Logical interface"; } container output { description "Configure output interface and MAC address"; uses apply-advanced; leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Outgoing Logical interface"; } leaf destination-mac { type string; description "MAC address to match"; } } // container output } // grouping mirror-filter-type grouping named-address-book-type { description "Configure global address book"; leaf name { type string; description "Address book name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of address book"; } list address { key "name"; ordered-by user; description "Define a security address"; uses address_type; } // list address list address-set { key "name"; ordered-by user; description "Define a security address set"; uses address_set_type; } // list address-set container attach { junos:must "(!("security address-book global attach"))"; junos:must-message "It is not allowed to attach the global address book to any particular interface, zone or routing-instance."; description "Attach this address book to interface, zone or routing-instance"; uses apply-advanced; list zone { key "name"; ordered-by user; description "Define a zone to be attached"; leaf name { junos:must "(unique "security address-book <*> attach zone $$")"; junos:must-message "Security zone must be unique in address books"; junos:must "("security zones security-zone $$")"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Security zone name"; } uses apply-advanced; } // list zone } // container attach } // grouping named-address-book-type grouping address_set_type { leaf name { junos:must "(!(".. .. address $$"))"; junos:must-message "Security address and address-set cannot have same name"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores"; length "1 .. 63"; } description "Security address-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of address set"; } list address { key "name"; max-elements 16384; ordered-by user; description "Address to be included in this set"; leaf name { junos:must "(".. .. .. address $$")"; junos:must-message "referenced address must be defined under address-book"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores"; length "1 .. 63"; } description "Security address name"; } uses apply-advanced; } // list address list address-set { key "name"; max-elements 16384; ordered-by user; description "Define an address-set name"; leaf name { junos:must "(".. .. .. address-set $$")"; junos:must-message "referenced address must be defined under address-book"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores"; length "1 .. 63"; } } uses apply-advanced; } // list address-set } // grouping address_set_type grouping address_type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores"; length "1 .. 63"; } description "Security address name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of address"; } choice address-content { leaf ip-prefix { type jt:ipprefix; description "Numeric IPv4 or IPv6 address with prefix"; } list dns-name { key "name"; max-elements 1; ordered-by user; description "DNS address name"; uses dns-name-type; } // list dns-name list wildcard-address { key "name"; max-elements 1; ordered-by user; description "Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask"; uses wildcard-address-type; } // list wildcard-address list range-address { key "name"; max-elements 1; ordered-by user; description "Address range"; uses range-address-type; } // list range-address list address-range { key "name"; max-elements 1; ordered-by user; description "Address range"; uses usf-range-address-type; } // list address-range } // choice address-content } // grouping address_type grouping dns-name-type { description "DNS address name"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a valid DNS name"; length "1 .. 253"; } description "Fully qualified hostname"; } uses apply-advanced; leaf ipv4-only { type empty; description "IPv4 dns address"; } leaf ipv6-only { junos:must "(!(".. ipv4-only"))"; junos:must-message "ipv4-only and ipv6-only cannot be configured together"; type empty; description "IPv6 dns address"; } } // grouping dns-name-type grouping nat-object { description "Configure Network Address Translation"; uses apply-advanced; container source { description "Configure Source NAT"; uses ssg-source-nat-object; } // container source container destination { description "Configure Destination NAT"; uses ssg-destination-nat-object; } // container destination container static { description "Configure Static NAT"; uses ssg-static-nat-object; } // container static container proxy-arp { description "Configure Proxy ARP"; uses ssg-proxy-arp-object; } // container proxy-arp container proxy-ndp { description "Configure Proxy NDP"; uses ssg-proxy-ndp-object; } // container proxy-ndp container natv6v4 { description "Configure NAT between IPv6 and IPv4 options"; uses apply-advanced; leaf no-v6-frag-header { type empty; description "V6 packet does not always add fragment header when performing nat translation from v4 side to v6 side "; } } // container natv6v4 leaf allow-overlapping-pools { type empty; description "IP addresses of NAT pools can overlap with other pool"; } container traceoptions { description "NAT trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "routing-socket" { value 2; description "Trace routing socket events"; } enum "routing-protocol" { value 3; description "Trace routing protocol events"; } enum "all" { value 4; description "Trace everything"; } enum "source-nat-re" { value 5; description "Trace source nat events on RE side"; } enum "source-nat-rt" { value 6; description "Trace source nat events on PFE-RT side"; } enum "source-nat-pfe" { value 7; description "Trace source nat events on PFE-ukernel side"; } enum "destination-nat-re" { value 8; description "Trace destination nat events on RE side"; } enum "destination-nat-rt" { value 9; description "Trace destination nat events on PFE-RT side"; } enum "destination-nat-pfe" { value 10; description "Trace destination nat events on PFE-ukernel side"; } enum "static-nat-re" { value 11; description "Trace static nat events on RE side"; } enum "static-nat-rt" { value 12; description "Trace static nat events on PFE-RT side"; } enum "static-nat-pfe" { value 13; description "Trace static nat events on PFE-ukernel side"; } enum "nat-svc-set-re" { value 14; description "Trace NAT and svc-set events on RE side"; } } } leaf syslog { type empty; description "Write NAT flow traces to system log also"; } } // list flag } // container traceoptions list ipv6-multicast-interfaces { key "name"; ordered-by user; description "Enable IPv6 multicast filter for IPv6 NAT"; leaf name { type string; description "Interface name"; } uses apply-advanced; leaf disable { type empty; description "Disable IPv6 multicast filter for IPv6 NAT"; } } // list ipv6-multicast-interfaces list port-forwarding { key "name"; ordered-by user; description "Define a port-forwarding pool"; uses pf_mapping; } // list port-forwarding } // grouping nat-object grouping pf_mapping { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Port Forwarding name"; } uses apply-advanced; list destined-port { key "port translated-port"; max-elements 32; ordered-by user; description "Port forwarding mappings"; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } leaf translated-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Translated port"; } } // list destined-port } // grouping pf_mapping grouping policy-object-type { uses apply-advanced; container traceoptions { description "Network Security Policy Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "routing-socket" { value 1; description "Trace routing socket events"; } enum "compilation" { value 2; description "Policy compilation events"; } enum "ipc" { value 3; description "Inter-process communication events"; } enum "rules" { value 4; description "Policy rules related events"; } enum "lookup" { value 5; description "Policy lookup events"; } enum "all" { value 6; description "Trace everything"; } } } } // list flag } // container traceoptions list policy { key "from-zone-name to-zone-name"; ordered-by user; description "Define a policy context from this zone"; leaf from-zone-name { junos:must "((".. .. .. .. security zones security-zone $$" || ".. .. .. .. .. security zones security-zone $$"))"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Source zone"; } leaf to-zone-name { junos:must "((".. .. .. .. security zones security-zone $$" || ".. .. .. .. .. security zones security-zone $$"))"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Destination zone"; } uses apply-advanced; list policy { key "name"; ordered-by user; description "Define security policy in specified zone-to-zone direction"; uses policy_type; } // list policy container application-services { description "Application Services"; uses context_application_services_type; } // container application-services } // list policy container global { description "Define a global policy context"; uses apply-advanced; list policy { key "name"; ordered-by user; description "Define security policy in global context"; uses policy_type; } // list policy } // container global list policy-set { key "name"; ordered-by user; description "Define a policy context for tunnel-inspection"; leaf name { type string { length "1 .. 63"; } description "Policy-set name"; } uses apply-advanced; list policy { key "name"; ordered-by user; description "Define security policy in tunnel-inspection context"; uses policy_type; } // list policy } // list policy-set container default-policy { description "Configure default action when no user-defined policy match"; uses apply-advanced; leaf default-action { type enumeration { enum "permit-all" { value 0; description "Permit all traffic if no policy match"; } enum "deny-all" { value 1; description "Deny all traffic if no policy match"; } } default "deny-all"; description "Default action"; } leaf log-profile { junos:must "("security log profile $$")"; junos:must-message "RTLOG profile must be defined under [security log profile]"; type string; description "Rtlog profile"; } } // container default-policy container policy-rematch { presence "enable policy-rematch"; description "Re-evaluate the policy when changed"; leaf extensive { type empty; description "Perform policy extensive rematch"; } } // container policy-rematch container policy-stats { presence "enable policy-stats"; description "Parameters for policy statistics"; uses apply-advanced; leaf system-wide { type enumeration { enum "enable" { value 0; description "Enable policy system-wide statistics"; } enum "disable" { value 1; description "Disable policy system-wide statistics"; } } description "Enable/Disable system-wide policy statistics"; } } // container policy-stats container pre-id-default-policy { description "Configure default policy action before dynamic application is finally identified"; uses apply-advanced; container then { description "Specify policy action to take when packet match criteria"; uses apply-advanced; container log { description "Enable log"; uses log_type; } // container log container session-timeout { description "Session timeout"; uses session_timeout_type; } // container session-timeout } // container then } // container pre-id-default-policy container unified-policy { description "Unified policies lookup limitations"; uses apply-advanced; leaf max-lookups { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Max lookup times upon micro-app transaction finals"; } } // container unified-policy container dns-cache { description "Define security policy dns-cache behaviors"; uses apply-advanced; container error-response-delete-ip { presence "enable error-response-delete-ip"; description "Clear DNS cache entry IP on error DNS response"; uses apply-advanced; leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 86400"; } } units "seconds"; default "300"; description "Interval between deleting IP and resending DNS requests"; } } // container error-response-delete-ip } // container dns-cache list stateful-firewall-rule { key "name"; ordered-by user; description "Define a stateful-firewall-rule"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Stateful-firewall-rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } enum "input-output" { value 2; description "Match on input to or output from interface"; } } description "Direction for which the rule match is applied"; } list policy { key "name"; ordered-by user; description "Define a stateful-firewall policy"; uses policy_type; } // list policy } // list stateful-firewall-rule list stateful-firewall-rule-set { key "name"; ordered-by user; description "Defines a set of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Name of the stateful firewall rule set"; } uses apply-advanced; list stateful-firewall-rule { key "name"; ordered-by user; description "Rule to be included in this stateful firewall rule set"; leaf name { junos:must "("services policies stateful-firewall-rule $$")"; junos:must-message "Undefined stateful-firewall-rule. Rule must be configured under policies"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes, underscores, forward slashes, colons and dots."; } description "Stateful-firewall-rule name"; } uses apply-advanced; } // list stateful-firewall-rule } // list stateful-firewall-rule-set } // grouping policy-object-type grouping context_application_services_type { uses apply-advanced; leaf security-metadata-streaming-policy { junos:must "("services security-metadata-streaming policy $$")"; junos:must-message "security-metadata-streaming policy must be defined"; type string { length "1 .. 63"; } description "Specify security-metadata-streaming-policy"; } } // grouping context_application_services_type grouping log_type { uses apply-advanced; leaf session-init { type empty; description "Log at session init time"; } leaf session-close { type empty; description "Log at session close time"; } leaf session-update { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1440"; } } units "minutes"; default "0"; description "Log with specified interval (0 to disable this log)"; } leaf sfw { type empty; description "Display Stateful-fire-wall SYSLOGs"; } leaf profile { junos:must "("security log profile $$ stream-name")"; junos:must-message "RTLOG profile with stream must be defined under [security log profile]"; type string; description "Name of rtlog profile"; } } // grouping log_type grouping policy_type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Security policy name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of policy"; } container match { description "Specify security policy match-criteria"; uses apply-advanced; choice source-address_choice { leaf-list source-address { type string; ordered-by user; } } // choice source-address_choice choice destination-address_choice { leaf-list destination-address { type string; ordered-by user; } } // choice destination-address_choice leaf source-address-excluded { type empty; description "Exclude source addresses"; } leaf destination-address-excluded { type empty; description "Exclude destination addresses"; } choice application_type_choice { leaf-list application { type string; ordered-by user; } } // choice application_type_choice choice source_identity_choice { leaf-list source-identity { type string; ordered-by user; } } // choice source_identity_choice choice source_identity_feed_choice { leaf-list source-identity-feed { type string { length "1 .. 64"; } ordered-by user; description "Specify source-identity-feed name from list to match"; } } // choice source_identity_feed_choice choice destination_identity_feed_choice { leaf-list destination-identity-feed { type string { length "1 .. 64"; } ordered-by user; description "Specify destination-identity-feed name from list to match"; } } // choice destination_identity_feed_choice choice source_end_user_profile_choice { container source-end-user-profile { description "Match source end user profile"; uses match_source_end_user_profile_value; } // container source-end-user-profile } // choice source_end_user_profile_choice choice dynamic_application_type_choice { leaf-list dynamic-application { type string; ordered-by user; } } // choice dynamic_application_type_choice choice url_category_type_choice { leaf-list url-category { type string; ordered-by user; } } // choice url_category_type_choice choice from_zone_choice { leaf-list from-zone { type string; ordered-by user; } } // choice from_zone_choice choice to_zone_choice { leaf-list to-zone { type string; ordered-by user; } } // choice to_zone_choice choice source_vrf_choice { leaf-list source-l3vpn-vrf-group { junos:must "("security l3vpn vrf-group $$")"; junos:must-message "referenced vrf-group must configured"; type string; ordered-by user; description "L3VPN group name"; } } // choice source_vrf_choice choice dst_vrf_choice { leaf-list destination-l3vpn-vrf-group { junos:must "("security l3vpn vrf-group $$")"; junos:must-message "referenced vrf-group must configured"; type string; ordered-by user; description "L3VPN group name"; } } // choice dst_vrf_choice } // container match container then { description "Specify policy action to take when packet match criteria"; uses apply-advanced; choice action { container deny { presence "enable deny"; description "Deny packets"; uses apply-advanced; container application-services { description "Application Services"; uses apply-advanced; container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // container application-services } // container deny container reject { presence "enable reject"; description "Reject packets"; uses apply-advanced; leaf profile { junos:must "("security dynamic-application profile $$")"; junos:must-message "Dynamic-application profile must be defined"; type string; description "Profile for redirect HTTP/S traffic"; } container ssl-proxy { presence "enable ssl-proxy"; description "SSL proxy services"; uses apply-advanced; leaf profile-name { junos:must "("services ssl proxy profile $$")"; junos:must-message "Referenced SSL proxy profile is not defined"; type string; description "Specify SSL proxy service profile name"; } } // container ssl-proxy container application-services { description "Application Services"; uses apply-advanced; container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // container application-services } // container reject container permit { presence "enable permit"; description "Permit packets"; uses apply-advanced; container tunnel { junos:must "(!(".. .. .. match dynamic-application"))"; junos:must-message "Tunnel and dynamic-application can't be applied to same policy"; description "Tunnel packets"; uses tunnel_type; } // container tunnel container firewall-authentication { description "Enable authentication for this policy if permit or tunnel"; uses firewall_authentication_type; } // container firewall-authentication container destination-address { presence "enable destination-address"; description "Enable destination address translation"; uses destination_nat_enable_type; } // container destination-address container application-services { description "Application Services"; uses application_services_type; } // container application-services container tunnel-inspection { description "Enable tunnel inspection"; uses apply-advanced; leaf profile-name { junos:must "((".. .. .. .. .. .. .. security tunnel-inspection inspection-profile $$" || " .. .. .. .. .. .. .. .. security tunnel-inspection inspection-profile $$"))"; junos:must-message "tunnel-inspection profile must be configured"; type string { length "1 .. 63"; } description "Tunnel inspection profile"; } } // container tunnel-inspection container tcp-options { description "Transmission Control Protocol session configuration"; uses apply-advanced; leaf syn-check-required { type empty; description "Enable per policy SYN-flag check"; } leaf sequence-check-required { type empty; description "Enable per policy sequence-number checking"; } leaf initial-tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "Override MSS value for initial direction"; } leaf reverse-tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "Override MSS value for reverse direction"; } leaf window-scale { type empty; description "Enable per policy window-scale"; } } // container tcp-options leaf services-offload { type empty; description "Enable services offloading"; } leaf no-services-offload { type empty; description "Disenable services offloading"; } leaf advanced-connection-tracking { type empty; description "Lookup advanced-connection-tracking table on to-zone"; } } // container permit } // choice action container log { description "Enable log"; uses log_type; } // container log container count { presence "enable count"; description "Enable count"; uses count_type; } // container count } // container then leaf scheduler-name { junos:must "("schedulers scheduler $$")"; junos:must-message "scheduler must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of scheduler"; } leaf report-skip { type empty; description "Skip report for this policy"; } } // grouping policy_type grouping application_services_type { description "Application Services"; uses apply-advanced; leaf gtp-profile { junos:must "(!(".. .. .. .. match dynamic-application"))"; junos:must-message "gtp and dynamic-application can't be applied to same policy"; junos:must "("security gtp profile $$")"; junos:must-message "gtp profile must be defined"; type string { length "1 .. 63"; } description "Specify GPRS Tunneling Protocol profile name"; } leaf sctp-profile { junos:must "(!(".. .. .. .. match dynamic-application"))"; junos:must-message "sctp and dynamic-application can't be applied to same policy"; junos:must "("security sctp profile $$")"; junos:must-message "sctp profile must be defined"; type string { length "1 .. 63"; } description "Specify Stream Control Protocol profile name"; } leaf idp { type empty; description "Intrusion detection and prevention"; } leaf packet-capture { junos:must "(".. .. .. .. match dynamic-application junos:UNKNOWN")"; junos:must-message "packet-capture action requires dynamic application junos:UNKNOWN in policy"; type empty; description "Capturing traffic related to this policy"; } leaf idp-policy { type string { length "1 .. 255"; } description "Specify idp policy name"; } container ssl-proxy { presence "enable ssl-proxy"; description "SSL proxy services"; uses apply-advanced; leaf profile-name { junos:must "("services ssl proxy profile $$")"; junos:must-message "Referenced SSL proxy profile is not defined"; type string; description "Specify SSL proxy service profile name"; } } // container ssl-proxy container web-proxy { presence "enable web-proxy"; description "Web proxy services"; uses apply-advanced; leaf profile-name { junos:must "(("services web-proxy secure-proxy profile $$" || "services web-proxy proxy-auto-configuration profile $$"))"; junos:must-message "Referenced Web proxy profile is not defined"; type string; description "Specify Web proxy service profile name"; } } // container web-proxy container uac-policy { presence "enable uac-policy"; description "Enable unified access control enforcement of policy"; uses apply-advanced; leaf captive-portal { junos:must "("services unified-access-control captive-portal $$")"; junos:must-message "Captive portal policy must be defined"; type string { length "1 .. 128"; } } } // container uac-policy leaf utm-policy { junos:must "("security utm utm-policy $$")"; junos:must-message "utm-policy must be defined"; type string { length "1 .. 255"; } description "Specify utm policy name"; } leaf icap-redirect { junos:must "("services icap-redirect profile $$")"; junos:must-message "icap-redirect profile must be defined"; type string { length "1 .. 63"; } description "Specify icap redirect profile name"; } container application-firewall { junos:must "((!(".. .. .. .. match dynamic-application") || (".. .. .. .. match dynamic-application" && ".. .. .. .. match dynamic-application none")))"; junos:must-message "Traditional AppFW and dynamic-application can't be applied to same policy"; status deprecated; description "Application firewall services"; uses jsf_service_rule_set_type; } // container application-firewall container application-traffic-control { description "Application traffic control services"; uses jsf_application_traffic_control_rule_set_type; } // container application-traffic-control choice wx-redirection { leaf redirect-wx { type empty; description "Set WX redirection"; } leaf reverse-redirect-wx { type empty; description "Set WX reverse redirection"; } } // choice wx-redirection leaf security-intelligence-policy { junos:must "("services security-intelligence policy $$")"; junos:must-message "security-intelligence policy must be defined"; type string { length "1 .. 255"; } description "Specify security-intelligence policy name"; } leaf advanced-anti-malware-policy { junos:must "("services advanced-anti-malware policy $$")"; junos:must-message "advanced-anti-malware policy must be defined"; type string { length "1 .. 255"; } description "Specify advanced-anti-malware policy name"; } container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // grouping application_services_type grouping count_type { uses apply-advanced; } // grouping count_type grouping destination_nat_enable_type { description "Enable Destination NAT"; uses apply-advanced; choice destination_nat { leaf drop-translated { type empty; description "Drop the policy if NAT translated"; } leaf drop-untranslated { type empty; description "Drop the policy if NAT untranslated"; } } // choice destination_nat } // grouping destination_nat_enable_type grouping firewall_authentication_type { uses apply-advanced; choice auth-type { container pass-through { junos:must "((".. .. .. .. .. .. .. access firewall-authentication pass-through" || ".. .. .. .. .. .. .. .. access firewall-authentication pass-through"))"; junos:must-message "access firewall-authentication pass-through must be configured"; presence "enable pass-through"; description "Pass-through firewall authentication settings"; uses apply-advanced; leaf access-profile { junos:must "(("access profile $$" || (".. .. .. .. .. .. .. .. .. .. access profile $$" && !(".. .. .. .. .. .. .. .. .. .. access disable-tenant-access"))))"; junos:must-message "access-profile must be defined or access to profile is disabled for tenants"; type string { length "1 .. 63"; } description "Specify access profile name"; } leaf-list client-match { type string { length "1 .. 63"; } ordered-by user; description "Name of user or group to match"; } leaf web-redirect { type empty; description "Redirect unauthenticated HTTP requests to the device's internal web server"; } leaf web-redirect-to-https { type empty; description "Redirect unauthenticated HTTP requests to the device's internal HTTPS web server"; } leaf web-authentication-server { type string { length "1 .. 128"; } description "Firewall web authentication server"; } leaf ssl-termination-profile { type string { length "1 .. 63"; } description "Specify SSL termination profile used to the SSL offload"; } leaf auth-only-browser { type empty; description "Authenticate only browser traffic"; } list auth-user-agent { key "name"; ordered-by user; description "Authenticate HTTP traffic with specified user agent"; leaf name { type string { length "1 .. 16"; } description "Authenticate HTTP traffic with specified user agent"; } uses apply-advanced; } // list auth-user-agent } // container pass-through container web-authentication { junos:must "((".. .. .. .. .. .. .. access firewall-authentication web-authentication" || ".. .. .. .. .. .. .. .. access firewall-authentication web-authentication"))"; junos:must-message "access firewall-authentication web-authentication must be configured"; presence "enable web-authentication"; description "Web-authentication settings"; uses apply-advanced; leaf-list client-match { type string { length "1 .. 63"; } ordered-by user; description "Name of user or group to match"; } } // container web-authentication container user-firewall { description "User-firewall firewall authentication settings"; uses apply-advanced; leaf access-profile { junos:must "(("access profile $$" || (".. .. .. .. .. .. .. .. .. .. access profile $$" && !(".. .. .. .. .. .. .. .. .. .. access disable-tenant-access"))))"; junos:must-message "access-profile must be defined or access to profile is disabled for tenants"; type string { length "1 .. 63"; } description "Specify access profile name"; } leaf web-redirect { type empty; description "Redirect unauthenticated HTTP req to web server"; } leaf web-redirect-to-https { type empty; description "Redirect unauthenticated HTTP req to HTTPS web server"; } leaf web-authentication-server { type string { length "1 .. 128"; } description "Firewall web authentication server"; } leaf ssl-termination-profile { type string { length "1 .. 63"; } description "Specify SSL termination profile used to the SSL offload"; } leaf auth-only-browser { type empty; description "Authenticate only browser traffic"; } list auth-user-agent { key "name"; ordered-by user; description "Authenticate HTTP traffic with specified user agent"; leaf name { type string { length "1 .. 16"; } description "Authenticate HTTP traffic with specified user agent"; } uses apply-advanced; } // list auth-user-agent leaf domain { type string { length "1 .. 64"; } description "Specify domain name"; } } // container user-firewall } // choice auth-type leaf push-to-identity-management { type empty; description "Push auth entry to identity management server"; } } // grouping firewall_authentication_type grouping jsf_service_rule_set_type { description "Define service rule set reference"; uses apply-advanced; leaf rule-set { junos:must "("security application-firewall rule-sets $$")"; junos:must-message "rule set must be defined"; type string { length "1 .. 64"; } description "Service rule set name"; } } // grouping jsf_service_rule_set_type grouping match_source_end_user_profile_value { uses apply-advanced; leaf source-end-user-profile-name { junos:must "((".. .. .. .. .. .. services user-identification device-information end-user-profile profile-name $$" || ".. .. .. .. .. .. .. services user-identification device-information end-user-profile profile-name $$"))"; junos:must-message "Services user-identification device-information end-user-profile profile-name must be defined"; type string; description "Specify source-end-user-profile name from list to match"; } } // grouping match_source_end_user_profile_value grouping port-range { description "Port ranges"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Single port/minimum port in the port range"; } leaf maximum-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Maximum port in the port range"; } } // grouping port-range grouping profile-setting { description "UTM policy settings"; leaf name { type string { length "1 .. 29"; } description "UTM policy name"; } uses apply-advanced; container anti-virus { description "UTM policy anti-virus profile"; uses apply-advanced; leaf http-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } container ftp { description "FTP profile"; uses apply-advanced; leaf upload-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } leaf download-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } } // container ftp leaf smtp-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } leaf pop3-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } leaf imap-profile { junos:must "(("security utm feature-profile anti-virus sophos-engine profile $$" || "security utm feature-profile anti-virus profile $$"))"; junos:must-message "An anti-virus profile must be defined"; type string; description "Anti-virus profile"; } } // container anti-virus container content-filtering { description "Content-filtering profile"; uses apply-advanced; leaf http-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering profile"; } container ftp { description "FTP profile"; uses apply-advanced; leaf upload-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering FTP upload profile"; } leaf download-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering FTP download profile"; } } // container ftp leaf smtp-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering SMTP profile"; } leaf pop3-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering POP3 profile"; } leaf imap-profile { junos:must "("security utm feature-profile content-filtering profile $$")"; junos:must-message "content-filtering profile must be defined"; type string; description "Content-filtering IMAP profile"; } } // container content-filtering container web-filtering { description "Web-filtering profile"; uses apply-advanced; leaf http-profile { junos:must "(("security utm feature-profile web-filtering surf-control-integrated profile $$" || ("security utm feature-profile web-filtering websense-redirect profile $$" || ("security utm feature-profile web-filtering juniper-local profile $$" || "security utm feature-profile web-filtering juniper-enhanced profile $$"))))"; junos:must-message "websense-redirect profile or local profile or juniper-enhanced must be defined"; type string; description "Web-filtering HTTP profile"; } } // container web-filtering container anti-spam { description "Anti-spam profile"; uses apply-advanced; leaf smtp-profile { junos:must "("security utm feature-profile anti-spam sbl profile $$")"; junos:must-message "anti-spam sbl profile must be defined"; type string; description "Anti-spam profile"; } } // container anti-spam container traffic-options { status deprecated; description "Traffic options"; uses apply-advanced; container sessions-per-client { description "Sessions per client"; uses apply-advanced; leaf limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2000"; } } default "2000"; description "Sessions limit"; } leaf over-limit { type enumeration { enum "log-and-permit" { value 0; } enum "block" { value 1; } } description "Over limit number"; } } // container sessions-per-client } // container traffic-options } // grouping profile-setting grouping proto-object { leaf name { type string; } uses apply-advanced; list tunable-name { key "name"; ordered-by user; description "Protocol tunable name"; uses tunable-object; } // list tunable-name } // grouping proto-object grouping ragw-traceoptions { uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "brief" { value 0; description "Brief debugging output"; } enum "detail" { value 1; description "Detailed debugging output"; } enum "extensive" { value 2; description "Extensive debugging output"; } enum "verbose" { value 3; description "Verbose debugging output"; } } default "brief"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace CLI configuration events"; } enum "tunnel" { value 1; description "Trace tunnel install/encap/decap events"; } enum "session" { value 2; description "Trace session related events"; } enum "all" { value 3; description "Trace everything"; } } } } // list flag } // grouping ragw-traceoptions grouping range-address-type { description "Range address"; leaf name { type jt:ipv4addr; description "Lower limit of address range"; } uses apply-advanced; container to { description "Port range upper limit"; uses apply-advanced; leaf range-high { type jt:ipv4addr; description "Upper limit of address range"; } } // container to } // grouping range-address-type grouping rate-limit-object { uses apply-advanced; leaf alarm-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 80000"; } } description "Set alarm threshold for rate-limit"; } leaf drop-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 80000"; } } description "Set drop threshold for rate-limit"; } container message { description "GTP limited message type"; uses message-object; } // container message } // grouping rate-limit-object grouping remote-access-client-config { leaf name { type string { length "1 .. 32"; } description "Name of config object name"; } uses apply-advanced; leaf connection-mode { type enumeration { enum "manual" { value 0; description "Set to manual mode, default mode"; } enum "always" { value 1; description "Set to always mode"; } } default "manual"; description "Set connection-mode of client"; } leaf biometric-authentication { type empty; description "Enable biometric authentication"; } container windows-logon { presence "enable windows-logon"; uses apply-advanced; leaf mode { type enumeration { enum "manual" { value 0; description "Manual Windows logon"; } enum "automatic" { value 1; description "Automatic Windows logon with configured credentials"; } } default "manual"; description "Set windows logon mode"; } leaf domain { type string { length "1 .. 255"; } description "Domain name for automatic windows logon"; } leaf disconnect-at-logoff { type empty; description "Disconnect after logoff"; } leaf flush-credential-at-logoff { type empty; description "Flush cached credentials upon after logoff"; } leaf lead-time-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 120"; } } units "seconds"; default "45"; description "Lead time duration for domain logon (seconds)"; } leaf eap-auth { type empty; description "EAP Authentication before profile selection"; } leaf auto-dialog-open { type empty; description "Automatically open dialog for connection establishment"; } } // container windows-logon leaf no-dead-peer-detection { type empty; description "Disable dead-peer-detection on client"; } container dead-peer-detection { description "Dead Peer Detection configuration"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; default "60"; description "The time between DPD probe messages (seconds) Default :60"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } default "5"; description "Maximum number of DPD retransmissions Default :5"; } } // container dead-peer-detection leaf no-tcp-encap { type empty; description "Disable tcp encapsulation"; } leaf no-eap-tls { type empty; description "Disable EAP-TLS IKEV2 method"; } container certificate { description "Certificate identifier"; uses apply-advanced; leaf no-expiry-warning { junos:must "(!(".. warn-before-expiry"))"; junos:must-message "Certificate must not have both no-expiry-warning or warn-before-expiry configured"; type empty; description "Disable certificate expiry warning"; } leaf no-pin-request-per-connection { type empty; description "Disable certificate pin request per connection"; } leaf warn-before-expiry { junos:must "(!(".. no-expiry-warning"))"; junos:must-message "Certificate must not have both no-expiry-warning or warn-before-expiry configured"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 90"; } } units "days"; default "60"; description "Certificate expiration warning days (1 - 90)"; } } // container certificate } // grouping remote-access-client-config grouping remote-access-profile-config { leaf name { type string { length "1 .. 32"; } description "Profile identifier"; } uses apply-advanced; leaf description { type string { length "1 .. 255"; } description "Text description of remote-access profile"; } leaf ipsec-vpn { junos:must "("security ipsec vpn $$")"; junos:must-message "IPSec VPN object must be defined under [edit security ipsec vpn]"; type string; description "Select the ipsec-vpn policy object"; } leaf access-profile { junos:must "("access profile $$")"; junos:must-message "Access profile must be defined under [edit access profile]"; type string; description "Select the access-profile"; } leaf client-config { junos:must "("security remote-access client-config $$")"; junos:must-message "Referenced group must be defined under [edit security remote-access client-config]"; type string; description "Select the client config object"; } } // grouping remote-access-profile-config grouping remote-access-traceoptions { uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "brief" { value 0; description "Brief debugging output"; } enum "detail" { value 1; description "Detailed debugging output"; } enum "extensive" { value 2; description "Extensive debugging output"; } enum "verbose" { value 3; description "Verbose debugging output"; } } default "brief"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "cli-configuration" { value 0; description "Trace CLI configuration events"; } enum "all" { value 1; description "Trace everything"; } } } } // list flag } // grouping remote-access-traceoptions grouping sbl-type { description "SBL type"; uses apply-advanced; list profile { key "name"; ordered-by user; description "SBL profile"; leaf name { type string { length "1 .. 29"; } description "SBL profile name"; } uses apply-advanced; choice sbl-default-server-choice { leaf sbl-default-server { type empty; description "Default SBL server"; } leaf no-sbl-default-server { type empty; description "Don't default SBL server"; } } // choice sbl-default-server-choice leaf spam-action { type enumeration { enum "block" { value 0; description "Block e-mail"; } enum "tag-header" { value 1; description "Tag header of e-mail"; } enum "tag-subject" { value 2; description "Tag subject of e-mail"; } } description "Anti-spam actions"; } leaf custom-tag-string { type string { length "1 .. 512"; } description "Custom tag string"; } leaf address-whitelist { junos:must "("security utm custom-objects url-pattern $$")"; junos:must-message "url-pattern must be defined"; type string; description "Anti-spam whitelist"; } leaf address-blacklist { junos:must "("security utm custom-objects url-pattern $$")"; junos:must-message "url-pattern must be defined"; type string; description "Anti-spam blacklist"; } } // list profile } // grouping sbl-type grouping sctp-object { uses apply-advanced; list profile { key "name"; description "Configure stream transmission protocol"; leaf name { type string { junos:posix-pattern "^[0-9A-Za-z][_0-9A-Za-z-]{0,30}$"; junos:pattern-message "Must be a string beginning with a letter or number, and consisting of no more than 31 total letters, numbers, dashes and underscores."; length "1 .. 31"; } description "SCTP configuration name"; } uses apply-advanced; leaf nat-only { type empty; description "Only do payload IPs translation for SCTP packet"; } leaf association-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1440"; } } description "SCTP association timeout length, in minutes"; } leaf handshake-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 30"; } } description "SCTP handshake timeout, in seconds"; } container drop { description "Disallowed SCTP payload message"; uses apply-advanced; list m3ua-service { key "name"; ordered-by user; description "MTP level 3 (MTP3) user adaptation layer service"; leaf name { type enumeration { enum "sccp" { value 0; description "Signaling connection control part"; } enum "tup" { value 1; description "Telephone user part"; } enum "isup" { value 2; description "ISDN user part"; } } } } // list m3ua-service list payload-protocol { key "name"; ordered-by user; description "SCTP payload protocol identifier"; leaf name { type string; } } // list payload-protocol } // container drop container permit { description "Permit SCTP payload message"; uses apply-advanced; list payload-protocol { key "name"; ordered-by user; description "SCTP payload protocol identifier"; leaf name { type string; } } // list payload-protocol } // container permit container limit { description "Packet limits"; uses apply-advanced; list payload-protocol { key "name"; ordered-by user; description "Payload Rate limit"; leaf name { type string; } leaf rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "Rate limit"; } } // list payload-protocol list address { key "name"; ordered-by user; description "Rate limit for a list of IP addresses"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list payload-protocol { key "name"; ordered-by user; description "Payload Rate limit"; leaf name { type string; } leaf rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "Rate limit"; } } // list payload-protocol } // list address container rate { description "Rate limit"; uses apply-advanced; leaf sccp { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "Global SCCP messages rate limit"; } leaf ssp { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "Global SSP messages rate limit"; } leaf sst { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "Global SST messages rate limit"; } list address { key "name"; ordered-by user; description "Rate limit for a list of IP addresses"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; leaf sccp { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "SCCP messages rate limit"; } leaf ssp { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "SSP messages rate limit"; } leaf sst { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 12000"; } } description "SST messages rate limit"; } } // list address } // container rate } // container limit } // list profile container multichunk-inspection { description "Configure for SCTP multi chunks inspection"; uses apply-advanced; choice multichunk-flag { leaf disable { type empty; description "Set multichunk inspection flag to disable"; } } // choice multichunk-flag } // container multichunk-inspection container nullpdu { description "Configure for SCTP NULLPDU protocol value"; uses apply-advanced; container protocol { description "SCTP NULLPDU payload protocol identifier"; uses apply-advanced; choice nullpdu-protocol { leaf ID-0x0000 { type empty; description "Set 0x0000 to be NULLPDU ID value"; } leaf ID-0xFFFF { type empty; description "Set 0xFFFF to be NULLPDU ID value"; } } // choice nullpdu-protocol } // container protocol } // container nullpdu list log { key "name"; ordered-by user; description "GPRS stream control transmission protocol logs"; leaf name { type enumeration { enum "configuration" { value 0; description "Log CLI configuration"; } enum "rate-limit" { value 1; description "Log exceeding rate limits"; } enum "association" { value 2; description "Log association event"; } enum "data-message-drop" { value 3; description "Log the drop of SCTP data message"; } enum "control-message-drop" { value 4; description "Log the drop of SCTP control message"; } enum "control-message-all" { value 5; description "Log SCTP control message both drop and pass"; } } } } // list log container traceoptions { description "Trace options for GPRS stream control transmission protocol"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "detail" { value 1; description "Trace detail events"; } enum "flow" { value 2; description "Trace flow events"; } enum "parser" { value 3; description "Trace parser events"; } enum "chassis-cluster" { value 4; description "Trace chassis cluster events"; } enum "all" { value 5; description "Trace everything"; } } } } // list flag } // container traceoptions } // grouping sctp-object grouping secure-wire-type { description "Secure-wire cross connection"; leaf name { type string { length "1 .. 63"; } description "Secure-wire name"; } uses apply-advanced; leaf-list interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } max-elements 2; description "Secure-wire logical interface"; } } // grouping secure-wire-type grouping security-authentication-key-chains { uses apply-advanced; list key-chain { key "name"; description "Key chain configuration"; leaf name { type string { junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{33,}))$"; junos:pattern-message "Must be string of 32 characters or less with no spaces"; } description "Name of authentication key chain"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of this authentication-key-chain"; } leaf tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } units "seconds"; default "3600"; description "Clock skew tolerance"; } list key { key "name"; description "Authentication element configuration"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Authentication element identifier"; } uses apply-advanced; leaf secret { type string { length "1 .. 126"; } description "Authentication key"; } leaf key-name { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Key name in hexadecimal format used for macsec"; } leaf start-time { type jt:time; description "Start time for key transmission (YYYY-MM-DD.HH:MM)"; } leaf algorithm { type enumeration { enum "md5" { value 0; description "Message Digest 5"; } enum "hmac-sha-1" { junos:must "(".. options isis-enhanced")"; junos:must-message "sha algorithm required isis-enhanced"; value 1; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "ao" { value 2; description "TCP Authentication Option"; } } default "md5"; description "Authentication algorithm"; } leaf options { type enumeration { enum "basic" { value 0; description "Rudimentary encoding format"; } enum "isis-enhanced" { value 1; description "RFC 5310 based encoding"; } } default "basic"; description "Protocol's transmission encoding format"; } container ao-attribute { junos:must "(!(".. authentication-key"))"; junos:must-message "Cannot be configured with authentication-key"; junos:must "(".. algorithm ao")"; junos:must-message "Can only be configured with authentication-algorithm ao"; description "TCP Authentication option attributes"; uses apply-advanced; leaf send-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Send id for TCP-AO entry"; } leaf recv-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Recv id for TCP-AO entry"; } leaf tcp-ao-option { type enumeration { enum "enabled" { value 0; description "Include the TCP-AO option"; } enum "disabled" { value 1; description "Not include the TCP-AO option"; } } default "disabled"; description "Include TCP-AO option within message header"; } leaf cryptographic-algorithm { type enumeration { enum "hmac-sha-1-96" { value 0; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "aes-128-cmac-96" { value 1; description "Cipher-based Message Authentication Code (AES128) (96 bits)"; } } default "hmac-sha-1-96"; description "Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation"; } } // container ao-attribute } // list key } // list key-chain } // grouping security-authentication-key-chains grouping security-group-vpn { uses apply-advanced; container member { junos:must "(!(".. server"))"; junos:must-message "Configuring both group-vpn server and group-vpn member is not supported"; description "Group VPN member configuration"; uses gvpn-member; } // container member container server { junos:must "(!(".. member"))"; junos:must-message "Configuring both group-vpn server and group-vpn member is not supported"; description "Group VPN server configuration"; uses gvpn-server; } // container server } // grouping security-group-vpn grouping gvpn-member { uses apply-advanced; container ike { description "Group VPN IKE configuration"; uses gvpn-member-ike; } // container ike container ipsec { description "Group VPN IPsec configuration"; uses gvpn-member-ipsec-vpn; } // container ipsec } // grouping gvpn-member grouping gvpn-member-ike { uses apply-advanced; container traceoptions { description "Trace options for Group VPN Member"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "config" { value 3; description "Trace configuration download processing"; } enum "ike" { value 4; description "Trace IKE module processing"; } enum "policy-manager" { value 5; description "Trace policy manager processing"; } enum "general" { value 6; description "Trace general events"; } enum "database" { value 7; description "Trace security associations database events"; } enum "certificates" { value 8; description "Trace certificate events"; } enum "snmp" { value 9; description "Trace SNMP operations"; } enum "thread" { value 10; description "Trace thread processing"; } enum "high-availability" { value 11; description "Trace high-availability operations"; } enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag container gateway-filter { description "Set gateway filter for trace"; uses apply-advanced; leaf local-address { type jt:ipv4addr; description "Use an IP address to identify the local gateway"; } leaf remote-address { type jt:ipv4addr; description "Use an IP address to identify the remote gateway"; } } // container gateway-filter } // container traceoptions list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses gvpn-member-ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses gvpn-ike-policy; } // list policy list gateway { key "name"; ordered-by user; description "Define an IKE gateway"; leaf name { junos:must "(!("security ike gateway $$"))"; junos:must-message "Gateway already defined under [security ike]"; type string { length "1 .. 32"; } description "Label for the remote (peer) gateway"; } uses apply-advanced; leaf ike-policy { junos:must "("security group-vpn member ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit security group-vpn member ike policy]"; type string { length "1 .. 32"; } description "Name of the IKE policy"; } leaf-list server-address { type jt:ipv4addr; max-elements 4; ordered-by user; description "Server Addresses upto 4"; } container local-identity { description "Set the local IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The local IPv4 identity"; } } // container inet container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The local hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The local user-FQDN"; } } // container user-at-hostname } // choice identity-type } // container local-identity container remote-identity { description "Set the remote IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The remote IPv4 identity"; } } // container inet container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The remote hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The remote user-FQDN"; } } // container user-at-hostname } // choice identity-type } // container remote-identity leaf local-address { junos:must "(!(any "security group-vpn member ike gateway <*> server-address $$"))"; junos:must-message "Member can not have the same local address as server"; type jt:ipv4addr; description "Local IPv4 address for group member"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing-instance must be defined"; type string; default "default"; description "Name of routing instance that hosts local address"; } } // list gateway } // grouping gvpn-member-ike grouping gvpn-ike-policy { leaf name { junos:must "((".. proposals" || ".. proposal-set"))"; junos:must-message "IKE policy must have either proposals or proposal-set configured"; junos:must "(((".. certificate local-certificate" || ".. pre-shared-key") && !((".. certificate local-certificate" && ".. pre-shared-key"))))"; junos:must-message "IKE policy must have either local certificate or pre-shared key configured"; type string { length "1 .. 32"; } description "Name of policy"; } uses apply-advanced; leaf mode { type enumeration { enum "main" { value 0; description "Main mode"; } enum "aggressive" { value 1; description "Aggressive mode"; } } default "main"; description "Define the IKE mode for Phase 1"; } leaf description { type string { length "1 .. 80"; } description "Text description of IKE policy"; } leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } container pre-shared-key { description "Define a preshared key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container pre-shared-key } // grouping gvpn-ike-policy grouping gvpn-member-ike-proposal { leaf name { type string { length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group14" { value 0; description "Diffie-Hellman Group 14"; } enum "group24" { value 1; description "Diffie-Hellman Group 24"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "sha-256" { value 0; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 1; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "aes-128-cbc" { value 0; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 1; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 2; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; default "180"; description "Lifetime, in seconds"; } } // grouping gvpn-member-ike-proposal grouping gvpn-member-ipsec-vpn { uses apply-advanced; list vpn { key "name"; ordered-by user; description "Define an IPSec VPN"; uses ipsec-gvpn-member-template; } // list vpn } // grouping gvpn-member-ipsec-vpn grouping gvpn-server { uses apply-advanced; container traceoptions { description "Trace options for Group VPN debug"; uses gvpn-server-traceoptions; } // container traceoptions container ike { description "Group VPN IKE configuration"; uses gvpn-server-ike; } // container ike container ipsec { description "Group VPN IPsec configuration"; uses gvpn-server-ipsec-vpn; } // container ipsec list group { key "name"; max-elements 50; ordered-by user; description "Define a Group VPN group"; uses gvpn-server-group-template; } // list group } // grouping gvpn-server grouping gvpn-server-group-template { description "Configure a Group VPN group"; leaf name { type string { length "1 .. 32"; } description "Name of the group"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of Group VPN group"; } leaf group-id { junos:must "((".. no-group-check" || unique "security group-vpn server group <*> group-id $$"))"; junos:must-message "Group id must be unique among groups"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Enable Group VPN by defining group id"; } leaf member-threshold { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of members in this group"; } container server-cluster { description "Enable server cluster for this group"; uses gvpn-server-cluster; } // container server-cluster list ike-gateway { key "name"; ordered-by user; description "Name of the IKE gateway"; uses gvpn-server-ike-gateway; } // list ike-gateway leaf activation-time-delay { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 900"; } } default "15"; status deprecated; description "Configure delay in seconds for Group VPN key activation"; } leaf anti-replay-time-window { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60000"; } } description "Configure Anti Replay time in milliseconds"; } container server-member-communication { description "Configure Server to Member communication parameters"; uses gvpn-server-member-communication; } // container server-member-communication list ipsec-sa { key "name"; ordered-by user; description "Define a Group VPN group SA"; uses gvpn-server-group-ipsecsa; } // list ipsec-sa } // grouping gvpn-server-group-template grouping gvpn-server-cluster { description "Server-Cluster for group VPN"; uses apply-advanced; leaf server-role { type enumeration { enum "root-server" { value 0; description "Root-server"; } enum "sub-server" { value 1; description "Sub-server"; } } description "Primary or backup server"; } list ike-gateway { key "name"; ordered-by user; description "Name of the IKE gateway"; uses gvpn-server-ike-gateway-sc; } // list ike-gateway leaf retransmission-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 60"; } } default "10"; description "Configure retransmission period in seconds Default :10"; } } // grouping gvpn-server-cluster grouping gvpn-server-group-ipsecsa { description "Configure a Group VPN group SA"; leaf name { type string { length "1 .. 32"; } description "Name of the SA"; } uses apply-advanced; leaf proposal { junos:must "("security group-vpn server ipsec proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { length "1 .. 32"; } description "Name of the IPsec proposal"; } list match-policy { key "name"; max-elements 10; ordered-by user; description "Configure a Group VPN group SA"; uses gvpn-server-group-ipsecsa-match; } // list match-policy } // grouping gvpn-server-group-ipsecsa grouping gvpn-server-group-ipsecsa-match { description "Configure a Group VPN group SA policy"; leaf name { type string { length "1 .. 32"; } description "Name of the policy"; } uses apply-advanced; leaf source { type jt:ipv4prefix-mandatory; description "Specify the source IP address to be matched (0.0.0.0/0 for any)"; } leaf destination { type jt:ipv4prefix-mandatory; description "Specify the destination IP address to be matched (0.0.0.0/0 for any)"; } leaf source-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Specify the source port to be matched (0 for any)"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Specify the destination port to be matched (0 for any)"; } leaf protocol { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 254"; } } description "Specify the protocol number to be matched (0 for any)"; } } // grouping gvpn-server-group-ipsecsa-match grouping gvpn-server-ike { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses gvpn-server-ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses gvpn-ike-policy; } // list policy list gateway { key "name"; ordered-by user; description "Define an IKE gateway"; leaf name { type string { length "1 .. 32"; } description "Label for the remote (peer) gateway"; } uses apply-advanced; leaf ike-policy { junos:must "(!(("security group-vpn server ike policy $$ mode main" && ("security group-vpn server ike policy $$ pre-shared-key" && ".. dynamic"))))"; junos:must-message "Main mode for dynamic peer with Preshared key based authentication is not allowed"; junos:must "("security group-vpn server ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit security group-vpn server ike policy]"; type string { length "1 .. 32"; } description "Name of the IKE policy"; } choice remote-identifier { leaf address { type string { length "1 .. 32"; } description "IP address of peer"; } container dynamic { description "Site to site peer with dynamic IP address"; uses apply-advanced; choice remote-id-type { leaf hostname { type string; description "Use a fully-qualified domain name"; } leaf inet { type jt:ipv4addr; description "Use an IPV4 address to identify the dynamic peer"; } leaf user-at-hostname { type string; description "Use an e-mail address"; } } // choice remote-id-type } // container dynamic } // choice remote-identifier container dead-peer-detection { presence "enable dead-peer-detection"; description "Enable Dead Peer Detection between group-server-cluster servers"; uses apply-advanced; choice mode { leaf always-send { type empty; description "Send probes periodically regardless of incoming and outgoing data traffic "; } } // choice mode leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 60"; } } units "seconds"; default "10"; description "The time between DPD probe messages Default :10"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } default "5"; description "Maximum number of DPD retransmissions Default :5"; } } // container dead-peer-detection container local-identity { description "Set the local IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The local IPv4 identity"; } } // container inet container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The local hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The local user-FQDN"; } } // container user-at-hostname } // choice identity-type } // container local-identity container remote-identity { junos:must "(!(".. dynamic"))"; junos:must-message "Since the remote gateway is dynamic, Define remote identity under dynamic"; description "Set the remote IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The remote IPv4 identity"; } } // container inet container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The remote hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The remote user-FQDN"; } } // container user-at-hostname } // choice identity-type } // container remote-identity leaf local-address { type jt:ipaddr; description "Local IP address for IKE negotiations"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing-instance must be defined"; type string; default "default"; description "Name of routing instance that hosts local address"; } } // list gateway } // grouping gvpn-server-ike grouping gvpn-server-ike-gateway { description "Configure a set of IKE gateways"; leaf name { junos:must "(!("security group-vpn server ike gateway $$ dead-peer-detection"))"; junos:must-message "Referenced IKE gateway must NOT be defined with dead-peer-detection"; junos:must "("security group-vpn server ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security group-vpn server ike gateway]"; type string { length "1 .. 32"; } description "Name of the IKE gateway"; } uses apply-advanced; } // grouping gvpn-server-ike-gateway grouping gvpn-server-ike-gateway-sc { description "Configure a set of IKE gateways"; leaf name { junos:must "(!("security group-vpn server ike gateway $$ dynamic"))"; junos:must-message "Referenced IKE gateway must not be dynamic gateway"; junos:must "("security group-vpn server ike gateway $$ dead-peer-detection always-send")"; junos:must-message "Referenced IKE gateway must be defined with dead-peer-detection always-send mode"; type string { length "1 .. 32"; } description "Name of the IKE gateway"; } uses apply-advanced; } // grouping gvpn-server-ike-gateway-sc grouping gvpn-server-ike-proposal { leaf name { type string { length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } } description "Define authentication method"; } leaf authentication-algorithm { type enumeration { enum "sha-256" { value 0; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 1; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf dh-group { type enumeration { enum "group14" { value 0; description "Diffie-Hellman Group 14"; } enum "group24" { value 1; description "Diffie-Hellman Group 24"; } } description "Define Diffie-Hellman group"; } leaf encryption-algorithm { type enumeration { enum "aes-128-cbc" { value 0; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 1; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 2; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } } // grouping gvpn-server-ike-proposal grouping gvpn-server-ipsec-vpn { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses gvpn-server-ipsec-proposal; } // list proposal } // grouping gvpn-server-ipsec-vpn grouping gvpn-server-ipsec-proposal { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec proposal"; } leaf authentication-algorithm { type enumeration { enum "hmac-sha-256-128" { value 0; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "aes-128-cbc" { value 0; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 1; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 2; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping gvpn-server-ipsec-proposal grouping gvpn-server-member-communication { description "Group VPN Server to Member communication"; uses apply-advanced; leaf communication-type { type enumeration { enum "unicast" { value 0; description "Unicast"; } } description "Define type of server member communication"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 86400"; } } default "3600"; description "Configure lifetime in seconds"; } leaf retransmission-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 60"; } } default "10"; description "Configure retransmission period in seconds"; } leaf number-of-retransmission { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60"; } } default "2"; description "Configure maximum number of retransmission attempts"; } leaf heartbeat { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 3600"; } } default "300"; status deprecated; description "Configure heartbeat period in seconds"; } leaf encryption-algorithm { type enumeration { enum "aes-128-cbc" { value 0; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 1; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 2; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf sig-hash-algorithm { type enumeration { enum "sha-256" { value 0; description "SHA 256-bit sig-hash algorithm"; } enum "sha-384" { value 1; description "SHA 384-bit sig-hash algorithm"; } } description "Define sig-hash algorithm"; } leaf certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier"; } } // grouping gvpn-server-member-communication grouping gvpn-server-traceoptions { description "Group VPN server tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters for GKSD"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "config" { value 3; description "Trace configuration download processing"; } enum "ike" { value 4; description "Trace IKE module processing"; } enum "policy-manager" { value 5; description "Trace policy manager processing"; } enum "general" { value 6; description "Trace general events"; } enum "database" { value 7; description "Trace security associations database events"; } enum "certificates" { value 8; description "Trace certificate events"; } enum "snmp" { value 9; description "Trace SNMP operations"; } enum "thread" { value 10; description "Trace thread processing"; } enum "high-availability" { value 11; description "Trace high-availability operations"; } enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag container gateway-filter { description "Set gateway filter for trace"; uses apply-advanced; leaf local-address { type jt:ipv4addr; description "Use an IPV4 address to identify the local gateway"; } leaf remote-address { type jt:ipv4addr; description "Use an IPV4 address to identify the remote gateway"; } } // container gateway-filter } // grouping gvpn-server-traceoptions grouping ipsec-gvpn-member-template { description "Configure a Group VPN"; leaf name { junos:must "(!("security ipsec vpn $$"))"; junos:must-message "VPN already defined under [security ipsec]"; type string { length "1 .. 32"; } description "Name of the VPN"; } uses apply-advanced; leaf ike-gateway { junos:must "("security group-vpn member ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security group-vpn member ike gateway]"; type string { length "1 .. 32"; } description "Name of IKE gateway"; } leaf group-vpn-external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "External interface for Group VPN"; } leaf group { junos:must "((".. no-group-check" || unique "security group-vpn member ipsec vpn <*> group $$"))"; junos:must-message "Group id must be unique among group vpns"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Enable Group VPN by defining group id"; } leaf heartbeat-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } default "3"; status deprecated; description "Define heartbeat threshold for Group VPN"; } leaf recovery-probe { type empty; description "Enable triggering recovery probe mechanism"; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Clear DF bit of outer header"; } enum "set" { value 1; description "Set DF bit of outer header"; } enum "copy" { value 2; description "Copy DF bit from inner header"; } } default "clear"; description "Specifies how to handle the Don't Fragment bit"; } container fail-open { description "List of fail open rules"; uses ipsec_gvpn_fail_open_rule_object; } // container fail-open container exclude { description "List of exclude rules"; uses ipsec_gvpn_exclude_rule_object; } // container exclude } // grouping ipsec-gvpn-member-template grouping ipsec_gvpn_exclude_rule_object { uses apply-advanced; list rule { key "name"; max-elements 10; ordered-by user; description "Define exlude rules upto 10"; uses ipsec_gvpn_rule_address_object; } // list rule } // grouping ipsec_gvpn_exclude_rule_object grouping ipsec_gvpn_fail_open_rule_object { uses apply-advanced; list rule { key "name"; max-elements 10; ordered-by user; description "Define fail open rules upto 10"; uses ipsec_gvpn_rule_address_object; } // list rule } // grouping ipsec_gvpn_fail_open_rule_object grouping ipsec_gvpn_rule_address_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container source-address { presence "enable source-address"; description "Match IP source address"; uses ipsec_gvpn_addr_object; } // container source-address container destination-address { presence "enable destination-address"; description "Match IP destination address"; uses ipsec_gvpn_addr_object; } // container destination-address leaf application { junos:must "("applications application $$")"; junos:must-message "Application must be defined"; type string; description "Match application"; } } // grouping ipsec_gvpn_rule_address_object grouping ipsec_gvpn_addr_object { uses apply-advanced; leaf address { type jt:ipv4prefix-only; description "Prefix to match"; } } // grouping ipsec_gvpn_addr_object grouping security-ike { uses apply-advanced; container traceoptions { description "Trace options for IPSec key management"; uses security-traceoptions; } // container traceoptions container respond-bad-spi { presence "enable respond-bad-spi"; description "Respond to IPSec packets with bad SPI values"; leaf max-responses { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 30"; } } default "5"; description "Maximum number of times to respond"; } } // container respond-bad-spi list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses ike-policy; } // list policy list gateway { key "name"; ordered-by user; description "Define an IKE gateway"; leaf name { type string { length "1 .. 32"; } description "Label for the remote (peer) gateway"; } uses apply-advanced; leaf ike-policy { junos:must "(!(("security ike policy $$ reauth-frequency" && ".. aaa access-profile")))"; junos:must-message "Reauth is not allowed with AAA access profile."; junos:must "(!((".. version v2-only" && ("security ike policy $$ pre-shared-key" && ".. dynamic ike-user-type"))))"; junos:must-message "When dynamic ike-user-type is configured, IKEv2 with authentication-method pre-shared-key is not allowed"; junos:must "(!(("security ike policy $$ mode main" && ("security ike policy $$ pre-shared-key" && ".. dynamic"))))"; junos:must-message "Main mode for dynamic peer with Preshared key based authentication is not allowed"; junos:must "("security ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit security ike policy]"; type string { length "1 .. 32"; } description "Name of the IKE policy"; } choice remote-identifier { leaf-list address { type string; ordered-by user; description "Addresses or hostnames of peer:1 primary, upto 4 backups"; } container dynamic { description "Site to site peer with dynamic IP address"; uses apply-advanced; choice remote-id-type { container distinguished-name { presence "enable distinguished-name"; description "Use a distinguished name: "; uses apply-advanced; choice name-type { leaf container { type string; description "Specify the container string"; } leaf wildcard { type string; description "Specify the wildcard string"; } } // choice name-type } // container distinguished-name leaf hostname { type string; description "Use a fully-qualified domain name"; } leaf inet { type jt:ipv4addr; description "Use an IPV4 address to identify the dynamic peer"; } leaf inet6 { type jt:ipv6addr; description "Use an IPV6 address to identify the dynamic peer"; } leaf user-at-hostname { type string; description "Use an e-mail address"; } } // choice remote-id-type leaf connections-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of users connected to gateway"; } leaf ike-user-type { type enumeration { enum "group-ike-id" { value 0; description "Email address or FQDN shared as IKED ID by multiple users"; } enum "shared-ike-id" { junos:must "((" .. .. xauth" || " .. .. aaa"))"; junos:must-message "Need to configure aaa at [edit security ike gateway]"; value 1; description "Email address shared as IKED ID by multiple users"; } } description "Type of the IKE ID"; } leaf reject-duplicate-connection { junos:must "(((".. ike-user-type shared-ike-id" || ".. ike-user-type group-ike-id") && !(".. .. aaa")))"; junos:must-message "Supported for shared-ike or group-ike and with non-AAA"; type empty; description "Reject new connection from duplicate IKE-id"; } } // container dynamic } // choice remote-identifier container dead-peer-detection { presence "enable dead-peer-detection"; description "Enable Dead Peer Detection "; uses apply-advanced; choice mode { leaf optimized { type empty; description "Send probes only when there is outgoing and no incoming data traffic - RFC3706 (Default mode)"; } leaf probe-idle-tunnel { type empty; description "Send probes same as in optimized mode and also when there is no outgoing & incoming data traffic"; } leaf always-send { type empty; description "Send probes periodically regardless of incoming and outgoing data traffic "; } } // choice mode leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 60"; } } units "seconds"; default "10"; description "The time between DPD probe messages Default :10"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } default "5"; description "Maximum number of DPD retransmissions Default :5"; } } // container dead-peer-detection leaf no-nat-traversal { type empty; description "Disable IPSec NAT traversal"; } leaf nat-keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; default "20"; description "Interval at which to send NAT keepalives"; } container local-identity { description "Set the local IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The local IPv4 identity"; } } // container inet container inet6 { description "Use an IPv6 address"; uses apply-advanced; leaf identity-ipv6 { type jt:ipv6addr; description "The local IPv6 identity"; } } // container inet6 container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The local hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The local user-FQDN"; } } // container user-at-hostname leaf distinguished-name { type empty; description "Use a distinguished name specified in local certificate"; } container key-id { description "Key ID identification values in ASCII string"; uses apply-advanced; leaf string-key-id { type string { length "1 .. 127"; } description "Key ID in ASCII string"; } } // container key-id } // choice identity-type } // container local-identity container remote-identity { junos:must "(!(".. dynamic"))"; junos:must-message "Since the remote gateway is dynamic, Define remote identity under dynamic"; description "Set the remote IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The remote IPv4 identity"; } } // container inet container inet6 { description "Use an IPv6 address"; uses apply-advanced; leaf identity-ipv6 { type jt:ipv6addr; description "The remote IPv6 identity"; } } // container inet6 container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The remote hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The remote user-FQDN"; } } // container user-at-hostname container distinguished-name { presence "enable distinguished-name"; description "Use a distinguished name: "; uses apply-advanced; leaf container { type string; description "Specify the container string"; } leaf wildcard { type string; description "Specify the wildcard string"; } } // container distinguished-name container key-id { description "Key ID identification values in string"; uses apply-advanced; leaf string-key-id { type string { length "1 .. 127"; } description "Key ID in ASCII string"; } } // container key-id } // choice identity-type } // container remote-identity leaf external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "External interface for IKE negotiations"; } leaf local-address { type jt:ipaddr; description "Local IP address for IKE negotiations"; } container aaa { junos:must "(!(".. xauth"))"; junos:must-message "Keyword aaa is a replacement to xauth."; description "Use extended authentication"; uses apply-advanced; list access-profile { key "name"; max-elements 1; ordered-by user; description "Access profile information"; uses access-profile-template; } // list access-profile container client { description "AAA client info for authentication"; leaf username { junos:must "(!(" .. .. .. version v2-only"))"; junos:must-message "AAA client is supported for IKEv1 only, not IKEv2."; type string { length "1 .. 128"; } description "AAA client username with 1 to 128 characters"; } leaf password { junos:must "(".. username")"; junos:must-message "Username must be defined"; type string { length "1 .. 128"; } description "AAA client password with 1 to 128 characters"; } } // container client } // container aaa container xauth { status deprecated; description "Use extended authentication"; uses apply-advanced; leaf access-profile { junos:must "(!(" .. client"))"; junos:must-message "Cannot configure a gateway to be xauth server and client at the same time."; junos:must "("access profile $$")"; junos:must-message "access profile needs to be configured"; type string; description "Access profile that contains authentication information"; } container client { description "Xauth client info for authentication"; leaf username { junos:must "(!(" .. .. .. version v2-only"))"; junos:must-message "Xauth is supported for IKEv1 only, not IKEv2."; type string { length "1 .. 128"; } description "XAuth client username with 1 to 128 characters"; } leaf password { junos:must "(".. username")"; junos:must-message "username must be defined"; type string { length "1 .. 128"; } description "XAuth client password with 1 to 128 characters"; } } // container client } // container xauth leaf general-ikeid { junos:must "(!(".. remote-identity"))"; junos:must-message "general-ikeid option is not allowed when remote-identity is configured"; junos:must "(!(".. dynamic"))"; junos:must-message "general-ikd-id option is not available for dynamic peer."; type empty; description "Accept peer IKE-ID in general"; } container advpn { junos:must "((!(".. xauth") && !(".. aaa")))"; junos:must-message "AAA not available with advpn enabled gateway"; presence "enable advpn"; description "Enable Auto Discovery VPN"; uses advpn-suggester-partner; } // container advpn leaf version { type enumeration { enum "v1-only" { value 0; description "The connection must be initiated using IKE version 1"; } enum "v2-only" { value 1; description "The connection must be initiated using IKE version 2"; } } default "v1-only"; description "Negotiate using either IKE v1 or IKE v2 protocol"; } container fragmentation { junos:must "(".. version v2-only")"; junos:must-message "IKEv2 must be configured to use fragementation."; description "IKEv2 fragmentation configuration"; uses apply-advanced; leaf disable { type empty; description "Disable IKEv2 fragmentation"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "570 .. 1320"; } } description "Default 576 bytes for ipv4 and 1280 bytes for ipv6"; } } // container fragmentation leaf tcp-encap-profile { junos:must "("security tcp-encap profile $$")"; junos:must-message "Referenced tcp-encap profile must be defined"; type string; description "Ike over tcp profile name"; } } // list gateway } // grouping security-ike grouping access-profile-template { description "Configure an access profile"; leaf name { junos:must "((!(".. .. .. dynamic") || ".. .. .. dynamic ike-user-type"))"; junos:must-message "DEP is not allowed with XAUTH/AAA access profile."; junos:must "(!(".. .. .. address"))"; junos:must-message "For site-to-site tunnels, aaa access-profile configuration is not allowed"; junos:must "(!(" .. .. client"))"; junos:must-message "Cannot configure a gateway to be XAUTH/AAA server and client at the same time."; junos:must "("access profile $$")"; junos:must-message "Access profile needs to be configured"; type string; description "Access profile name used to authenticate with XAUTH/AAA server"; } uses apply-advanced; leaf config-payload-password { type string { length "1 .. 128"; } description "Common client password for IKEv2 config-payload with 1 to 128 characters"; } } // grouping access-profile-template grouping advpn-suggester-partner { description "Configure ADVPN Suggester Partner"; uses apply-advanced; container suggester { presence "enable suggester"; description "Configure Shortcut Suggester parameters"; uses apply-advanced; leaf disable { type empty; description "Disable Suggester capability"; } } // container suggester container partner { presence "enable partner"; description "Configure Shortcut Partner parameters"; uses apply-advanced; leaf connection-limit { junos:must "(!(".. .. .. dynamic"))"; junos:must-message "ADVPN partner can only be configured on s2s gateway"; type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of shortcut connections (default: varies per platform)"; } leaf idle-time { junos:must "(!(".. .. .. dynamic"))"; junos:must-message "ADVPN partner can only be configured on s2s gateway"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 86400"; } } units "seconds"; default "300"; description "The duration (in sec) after which shortcut is torn down (default: 300 sec)"; } leaf idle-threshold { junos:must "(!(".. .. .. dynamic"))"; junos:must-message "ADVPN partner can only be configured on s2s gateway"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "3 .. 5000"; } } default "5"; description "The packet rate below which shortcut is torn down (default: 5 packets/sec)"; } leaf disable { type empty; description "Disable Partner capability"; } } // container partner } // grouping advpn-suggester-partner grouping ike-policy { leaf name { junos:must "(((".. certificate local-certificate" || ".. pre-shared-key") && !((".. certificate local-certificate" && ".. pre-shared-key"))))"; junos:must-message "IKE policy must have either local certificate or pre-shared key configured"; type string { length "1 .. 32"; } description "Name of policy"; } uses apply-advanced; leaf mode { type enumeration { enum "main" { value 0; description "Main mode"; } enum "aggressive" { value 1; description "Aggressive mode"; } } default "main"; description "Define the IKE mode for Phase 1"; } leaf reauth-frequency { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100"; } } default "0"; description "Re-auth Peer after reauth-frequency times hard lifetime. (0-100) Default:0=Disabled"; } leaf description { type string { length "1 .. 80"; } description "Text description of IKE policy"; } leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } container certificate { description "Certificate configuration"; uses apply-advanced; leaf local-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } container trusted-ca { description "Specify the CA to use"; choice ca { leaf ca-index { type union { type uint32; type string { pattern "<.*>|$.*"; } } status deprecated; description "Index of the preferred CA to use"; } leaf use-all { type empty; status deprecated; description "Use all configured CAs"; } leaf ca-profile { junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced profile must be defined under [edit security pki ca-profile]"; type string; description "Name of the preferred CA to use"; } leaf trusted-ca-group { junos:must "("security pki trusted-ca-group $$")"; junos:must-message "Referenced group must be defined under [edit security pki trusted-ca-group]"; type string; description "Name of the preferred CA group to use"; } } // choice ca } // container trusted-ca leaf peer-certificate-type { type enumeration { enum "pkcs7" { value 0; description "PKCS7 encoding"; } enum "x509-signature" { value 1; description "X509 signature encoding"; } } default "x509-signature"; description "Preferred type of certificate from peer"; } leaf-list policy-oids { type string { length "1 .. 63"; } max-elements 5; ordered-by user; description "Certificate policy object identifiers (maximum 5)"; } } // container certificate leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 0; description "IKE proposal-set for basic"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 1; description "IKE proposal-set for compatible"; } enum "standard" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 2; description "IKE proposal-set for standard"; } enum "suiteb-gcm-128" { junos:must "((".. certificate local-certificate" && !(".. pre-shared-key")))"; junos:must-message "Suite B proposal-sets require certificate-based authentication."; junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 3; description "IKE proposal-set for Suite-B-GCM-128"; } enum "suiteb-gcm-256" { junos:must "((".. certificate local-certificate" && !(".. pre-shared-key")))"; junos:must-message "Suite B proposal-sets require certificate-based authentication."; junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 4; description "IKE proposal-set for Suite-B-GCM-256"; } enum "prime-128" { junos:must "((".. certificate local-certificate" && !(".. pre-shared-key")))"; junos:must-message "PRIME proposal-sets require certificate-based authentication."; junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 5; description "IKE proposal-set for PRIME-128"; } enum "prime-256" { junos:must "((".. certificate local-certificate" && !(".. pre-shared-key")))"; junos:must-message "PRIME proposal-sets require certificate-based authentication."; junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 6; description "IKE proposal-set for PRIME-256"; } } description "Types of default IKE proposal-set"; } container pre-shared-key { description "Define a preshared key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container pre-shared-key } // grouping ike-policy grouping ike-proposal { leaf name { type string { length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } enum "rsa-signatures" { value 1; description "RSA signatures"; } enum "dsa-signatures" { value 2; description "DSA signatures"; } enum "ecdsa-signatures-256" { value 3; description "ECDSA signatures (256 bit modulus)"; } enum "ecdsa-signatures-384" { value 4; description "ECDSA signatures (384 bit modulus)"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group 1"; } enum "group2" { value 1; description "Diffie-Hellman Group 2"; } enum "group5" { value 2; description "Diffie-Hellman Group 5"; } enum "group14" { value 3; description "Diffie-Hellman Group 14"; } enum "group15" { value 4; description "Diffie-Hellman Group 15"; } enum "group16" { value 5; description "Diffie-Hellman Group 16"; } enum "group19" { value 6; description "Diffie-Hellman Group 19"; } enum "group20" { value 7; description "Diffie-Hellman Group 20"; } enum "group24" { value 8; description "Diffie-Hellman Group 24"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "md5" { value 0; description "MD5 authentication algorithm"; } enum "sha1" { value 1; description "SHA1 authentication algorithm"; } enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 3; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "When using aes-gcm for Encryption the Authentication Algorithm must not be set."; value 5; description "AES-GCM 128-bit encryption algorithm"; } enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "When using aes-gcm for Encryption the Authentication Algorithm must not be set."; value 6; description "AES-GCM 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ike-proposal grouping security-ipsec-policies { uses apply-advanced; list from-zone { key "from-zone-name to-zone"; ordered-by user; description "Define ipsec policy context"; uses security-ipsec-policy; } // list from-zone } // grouping security-ipsec-policies grouping security-ipsec-policy { leaf from-zone-name { junos:must "("security zones security-zone $$")"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Incoming zone"; } leaf to-zone { junos:must "("security zones security-zone $$")"; junos:must-message "Security zone must be defined"; type string { length "1 .. 63"; } description "Outgoing zone"; } uses apply-advanced; leaf ipsec-group-vpn { junos:must "(unique "security ipsec-policy from-zone <*> to-zone <*> ipsec-group-vpn $$")"; junos:must-message "Group VPN can only be referenced by one pair of from-zone and to-zone"; junos:must "("security group-vpn member ipsec vpn $$")"; junos:must-message "Group VPN must be defined"; type string { length "1 .. 32"; } description "Group VPN name"; } } // grouping security-ipsec-policy grouping security-ipsec-vpn { uses apply-advanced; container internal { presence "enable internal"; description "Define an IPSec SA for internal RE-RE communication"; uses apply-advanced; container security-association { presence "enable security-association"; description "Define an IPsec security association"; uses ipsec-internal-sa; } // container security-association } // container internal container traceoptions { description "Trace options for IPSec data-plane debug"; uses ipsec-traceoptions; } // container traceoptions container vpn-monitor-options { presence "enable vpn-monitor-options"; description "Global options for VPN liveliness monitoring"; uses ipsec-vpn-monitor; } // container vpn-monitor-options list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses ipsec-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IPSec policy"; uses ipsec-policy; } // list policy list vpn { key "name"; ordered-by user; description "Define an IPSec VPN"; uses ipsec-vpn-template; } // list vpn list security-association { key "name"; ordered-by user; description "Define a manual control plane SA "; uses ipsec-sa; } // list security-association } // grouping security-ipsec-vpn grouping ipsec-internal-sa { uses apply-advanced; container manual { description "Define a manual security association"; uses apply-advanced; container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "3des-cbc" { value 0; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 1; description "AES-CBC 128-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf ike-ha-link-encryption { type enumeration { enum "enable" { value 0; description "Enable HA link encryption IKE internal messages"; } } description "Enable HA link encryption IKE internal messages"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type jt:unreadable; description "Format as text"; } } // choice key-choice } // container key } // container encryption } // container manual } // grouping ipsec-internal-sa grouping ipsec-policy { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec policy"; } container perfect-forward-secrecy { description "Define perfect forward secrecy"; uses apply-advanced; leaf keys { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group 1"; } enum "group2" { value 1; description "Diffie-Hellman Group 2"; } enum "group5" { value 2; description "Diffie-Hellman Group 5"; } enum "group14" { value 3; description "Diffie-Hellman Group 14"; } enum "group15" { value 4; description "Diffie-Hellman Group 15"; } enum "group16" { value 5; description "Diffie-Hellman Group 16"; } enum "group19" { value 6; description "Diffie-Hellman Group 19"; } enum "group20" { value 7; description "Diffie-Hellman Group 20"; } enum "group24" { value 8; description "Diffie-Hellman Group 24"; } } description "Define Diffie-Hellman group"; } } // container perfect-forward-secrecy leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 0; description "IPSEC basic proposal-set"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 1; description "IPSEC compatible proposal-set"; } enum "standard" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 2; description "IPSEC standard proposal-set"; } enum "suiteb-gcm-128" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 3; description "IPSec proposal-set for Suite-B-GCM-128"; } enum "suiteb-gcm-256" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 4; description "IPSec proposal-set for Suite-B-GCM-256"; } enum "prime-128" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 5; description "IPSec proposal-set for PRIME-128"; } enum "prime-256" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 6; description "IPSec proposal-set for PRIME-256"; } } description "Types of default IPSEC proposal-set"; } } // grouping ipsec-policy grouping ipsec-proposal { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec proposal"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption-algorithm"))"; junos:must-message "Encryption algorithm must not be defined for AH"; value 0; description "Authentication header"; } enum "esp" { value 1; description "Encapsulated Security Payload header"; } } description "Define an IPSec protocol for the proposal"; } leaf authentication-algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 5; description "AES-GCM 128-bit encryption algorithm"; } enum "aes-192-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 6; description "AES-GCM 192-bit encryption algorithm"; } enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 7; description "AES-GCM 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } leaf lifetime-kilobytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4294967294"; } } units "kilobytes"; description "Lifetime, in kilobytes"; } } // grouping ipsec-proposal grouping ipsec-sa { leaf name { junos:must "(".. manual")"; junos:must-message "Type must be defined for security-association"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of IPSec security association"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of security association"; } leaf mode { type enumeration { enum "transport" { junos:must "(".. manual")"; junos:must-message "Manual block must be configured for transport mode security association"; value 0; description "Transport mode"; } } default "transport"; description "Define security association mode"; } choice sa_choice { container manual { description "Define a manual security association"; uses security-association-manual; } // container manual } // choice sa_choice } // grouping ipsec-sa grouping ipsec-traceoptions { description "Data-plane IPSec tracing options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Events to include in data-plane IPSec trace output"; leaf name { type enumeration { enum "packet-processing" { value 0; description "Trace data packet processing events"; } enum "packet-drops" { value 1; description "Trace packet drops"; } enum "security-associations" { value 2; description "Trace security association management events"; } enum "next-hop-tunnel-binding" { value 3; description "Trace next-hop tunnel binding events"; } enum "all" { value 4; description "Trace with all flags enabled"; } } } } // list flag } // grouping ipsec-traceoptions grouping ipsec-vpn-monitor { description "Configure VPN monitoring"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 3600"; } } units "seconds"; default "10"; description "Monitor interval in seconds"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65536"; } } default "10"; description "Number of consecutive failures to determine connectivity"; } } // grouping ipsec-vpn-monitor grouping ipsec-vpn-template { description "Configure an IPSec VPN"; leaf name { type string { length "1 .. 32"; } description "Name of the VPN"; } uses apply-advanced; leaf ha-link-encryption { junos:must "(!(".. manual"))"; junos:must-message "When ha-link-encryption is enabled, manual sa configuration is not allowed"; junos:must "(!(".. df-bit"))"; junos:must-message "When ha-link-encryption is enabled, df-bit configuration is not allowed"; junos:must "(!(".. udp-encapsulate"))"; junos:must-message "When ha-link-encryption is enabled, udp-encapsulate configuration is not allowed"; junos:must "(!(".. ike no-anti-replay"))"; junos:must-message "When ha-link-encryption is enabled, no-anti-replay configuration is not allowed"; junos:must "(!(".. ike proxy-identity"))"; junos:must-message "When ha-link-encryption is enabled, ike proxy-identity configuration is not allowed"; junos:must "(!(".. ike idle-time"))"; junos:must-message "When ha-link-encryption is enabled, ike idle-time configuration is not allowed"; junos:must "(!(".. ike install-interval"))"; junos:must-message "When ha-link-encryption is enabled, ike install-interval configuration is not allowed"; junos:must "(!(".. establish-tunnels responder-only-no-rekey"))"; junos:must-message "When ha-link-encryption is enabled, establish-tunnels responder-only-no-rekey configuration is not allowed"; junos:must "(!(".. establish-tunnels responder-only"))"; junos:must-message "When ha-link-encryption is enabled, establish-tunnels responder-only configuration is not allowed"; junos:must "(!(".. establish-tunnels on-traffic"))"; junos:must-message "When ha-link-encryption is enabled, establish-tunnels on-traffic configuration is not allowed"; junos:must "(!(".. establish-tunnels immediately"))"; junos:must-message "When ha-link-encryption is enabled, establish-tunnels immediately configuration is not allowed"; junos:must "(!(".. traffic-selector"))"; junos:must-message "When ha-link-encryption is enabled, traffic-selector configuration is not allowed"; junos:must "(!(".. vpn-monitor"))"; junos:must-message "When ha-link-encryption is enabled, vpn-monitor configuration is not allowed"; junos:must "(!(".. copy-outer-dscp"))"; junos:must-message "When ha-link-encryption is enabled, copy-outer-dscp configuration is not allowed"; junos:must "(!(".. multi-sa"))"; junos:must-message "When ha-link-encryption is enabled, multi-sa configuration is not allowed"; junos:must "(!(".. bind-interface"))"; junos:must-message "When ha-link-encryption is enabled, bind-interface configuration is not applicable"; type empty; description "Enable HA link encryption"; } leaf bind-interface { junos:must "(!(("interfaces $$-IFL multipoint" && ".. aaa access-profile")))"; junos:must-message "When aaa access-profile is configured under security ike gateway, vpn-monitor configuration is not allowed"; junos:must "(("interfaces $$-IFL" || any "logical-systems <*> interfaces $$-IFL"))"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Bind to tunnel interface (route-based VPN)"; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Clear DF bit of outer header"; } enum "set" { value 1; description "Set DF bit of outer header"; } enum "copy" { value 2; description "Copy DF bit from inner header"; } } description "Specifies how to handle the Don't Fragment bit"; } container multi-sa { junos:must "(!(".. vpn-monitor"))"; junos:must-message "vpn-monitor with multi-sa is not supported"; presence "enable multi-sa"; description "Negotiate multiple SAs based on configuration choice"; uses apply-advanced; choice sa_map { list forwarding-class { key "name"; ordered-by user; leaf name { type string { length "1 .. 32"; } description "Name of forwarding classes"; } uses apply-advanced; } // list forwarding-class } // choice sa_map } // container multi-sa leaf copy-outer-dscp { type empty; description "Enable copying outer IP header DSCP and ECN to inner IP header"; } container vpn-monitor { presence "enable vpn-monitor"; description "Monitor VPN liveliness"; uses ipsec-template-monitor; } // container vpn-monitor choice negotiation { container manual { junos:must "(!(".. traffic-selector"))"; junos:must-message "Manual vpn with traffic selector is not allowed"; description "Define a manual security association"; uses apply-advanced; leaf gateway { type jt:hostname; description "Define the IPSec peer"; } leaf external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "External interface for the security association"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "When using aes-gcm for Encryption the Authentication Algorithm must not be set."; value 5; description "AES-GCM 128-bit encryption algorithm"; } enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "When using aes-gcm for Encryption the Authentication Algorithm must not be set."; value 6; description "AES-GCM 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // container manual container ike { description "Define an IKE-keyed IPSec vpn"; uses apply-advanced; leaf gateway { junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ external-interface")))"; junos:must-message "When ha-link-encryption is enabled, external-interface is pre-defined and cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ address")))"; junos:must-message "When ha-link-encryption is enabled, peer address is pre-defined and cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ no-nat-traversal")))"; junos:must-message "When ha-link-encryption is enabled, Disable NAT-Traversal is not applicable in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ local-identity")))"; junos:must-message "When ha-link-encryption is enabled, local-identity cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ general-ikeid")))"; junos:must-message "When ha-link-encryption is enabled, General-IKEID is not applicable in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ dynamic")))"; junos:must-message "When ha-link-encryption is enabled, Dynamic is not applicable in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ advpn")))"; junos:must-message "When ha-link-encryption is enabled, ADVPN is not applicable in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ remote-identity")))"; junos:must-message "When ha-link-encryption is enabled, remote-identity cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ tcp-encap-profile")))"; junos:must-message "When ha-link-encryption is enabled, tcp-encap-profile is not applicable on associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ nat-keepalive")))"; junos:must-message "When ha-link-encryption is enabled, nat-keepalive is not applicable on associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ local-address")))"; junos:must-message "When ha-link-encryption is enabled, local-address is pre-defined and cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ dead-peer-detection")))"; junos:must-message "When ha-link-encryption is enabled, dead-peer-detection (mode:always-send, Interval: 3 sec, Threshold:10) is pre-defined and cannot be configured in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && "security ike gateway $$ aaa")))"; junos:must-message "When ha-link-encryption is enabled, AAA is not applicable in associated IKE Gateway"; junos:must "(!((".. .. ha-link-encryption" && !("security ike gateway $$ version v2-only"))))"; junos:must-message "When ha-link-encryption is enabled, associated IKE Gateway must be version 2"; junos:must "(!((!(".. .. ha-link-encryption") && (!(".. .. bind-interface") && "security ike gateway $$ version v2-only"))))"; junos:must-message "IKEv2 requires bind-interface configuration as only route-based is supported"; junos:must "(!(("security ike gateway $$ advpn" && ".. proxy-identity")))"; junos:must-message "No proxy-identity support on an advpn enabled gateway"; junos:must "(!(("security ike gateway $$ aaa access-profile" && ".. .. vpn-monitor")))"; junos:must-message "When aaa access-profile is configured under security ike gateway, vpn-monitor configuration is not allowed"; junos:must "(!(("security ike gateway $$ advpn" && ".. .. vpn-monitor destination-ip")))"; junos:must-message "No destination ip support for vpn-monitor in vpn referring to an advpn enabled gateway"; junos:must "(!(("security ike gateway $$ dynamic ike-user-type" && ".. .. vpn-monitor destination-ip")))"; junos:must-message "No destination ip support for vpn-monitor in vpn using shared or group ike"; junos:must "("security ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security ike gateway]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of remote gateway"; } leaf idle-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 999999"; } } units "seconds"; description "Idle time to delete SA"; } leaf no-anti-replay { type empty; description "Disable the anti-replay check"; } container proxy-identity { presence "enable proxy-identity"; description "IPSec proxy-id to use in IKE negotiations"; uses ipsec-template-proxy-id; } // container proxy-identity leaf ipsec-policy { junos:must "("security ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit security ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } leaf install-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } units "seconds"; default "1"; description "Delay installation of rekeyed outbound SAs on initiator"; } } // container ike } // choice negotiation list traffic-selector { junos:must "(!(".. ike proxy-identity"))"; junos:must-message "Proxy-identity must not be configured with traffic-selector"; junos:must "(".. bind-interface")"; junos:must-message "Bind-interface must be configured under [edit security ipsec vpn] hierarchy"; key "name"; max-elements 200; ordered-by user; description "Traffic selector"; leaf name { type string { length "1 .. 31"; } description "Name of traffic selector"; } uses apply-advanced; leaf local-ip { type jt:ipprefix-mandatory; description "IP address of local traffic-selector"; } leaf remote-ip { type jt:ipprefix-mandatory; description "IP address of remote traffic-selector"; } } // list traffic-selector leaf establish-tunnels { junos:must "(".. ike")"; junos:must-message "VPN must be IKE-keyed to define establish-tunnel method"; type enumeration { enum "immediately" { value 0; description "Establish tunnels immediately"; } enum "on-traffic" { value 1; description "Establish tunnels on traffic"; } } default "on-traffic"; description "Define the criteria to establish tunnels"; } container udp-encapsulate { presence "enable udp-encapsulate"; description "UDP encapsulation of IPsec data traffic"; leaf dest-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1025 .. 65536"; } } default "4565"; description "UDP destination port"; } } // container udp-encapsulate } // grouping ipsec-vpn-template grouping ipsec-template-monitor { junos:must "(!(".. traffic-selector"))"; junos:must-message "vpn-monitor with traffic selector is not supported"; description "Configure VPN monitoring"; uses apply-advanced; leaf optimized { type empty; description "Optimize for scalability"; } leaf source-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Source interface for monitor message"; } leaf destination-ip { type jt:ipaddr; description "Destination IP addres for monitor message"; } container verify-path { presence "enable verify-path"; description "Verify IPSec path using vpn-monitor before bring up st0 state"; uses apply-advanced; leaf destination-ip { type jt:ipaddr; description "Destination IP addres for verify IPSec path"; } leaf packet-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 1350"; } } default "64"; description "Size of the packet"; } } // container verify-path } // grouping ipsec-template-monitor grouping ipsec-template-proxy-id { description "Proxy identity settings"; uses apply-advanced; leaf local { type jt:ipprefix-mandatory; description "Local IP address/prefix length"; } leaf remote { type jt:ipprefix-mandatory; description "Remote IP address/prefix length"; } leaf service { type string { length "1 .. 32"; } description "Name of serivce that passes through, any enables all services"; } } // grouping ipsec-template-proxy-id grouping security-association-manual { uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 0; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // grouping security-association-manual grouping security-macsec { uses apply-advanced; container traceoptions { presence "enable traceoptions"; description "Tracing options for debugging protocol operation"; uses macsec-trace-options; } // container traceoptions list connectivity-association { key "name"; ordered-by user; description "Configure connectivity association properties"; leaf name { type string { length "1 .. 32"; } description "Connectivity association name"; } uses apply-advanced; leaf cipher-suite { type enumeration { enum "gcm-aes-128" { value 0; description "GCM-AES-128 cipher suite"; } enum "gcm-aes-256" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-256 cipher suite not allowed for static-sak mode"; value 1; description "GCM-AES-256 cipher suite"; } enum "gcm-aes-xpn-128" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-XPN-128 cipher suite not allowed for static-sak mode"; value 2; description "GCM-AES-XPN-128 cipher suite"; } enum "gcm-aes-xpn-256" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-XPN-256 cipher suite not allowed for static-sak mode"; value 3; description "GCM-AES-XPN-256 cipher suite"; } } description "Cipher suite to be used for encryption"; } leaf security-mode { junos:must "((!(".. security-mode static-cak") || (".. pre-shared-key cak" || (".. pre-shared-key-chain" || ".. fallback-key cak"))))"; junos:must-message "Pre-shared key or fallback-key or pre-shared-key-chain required for static-cak mode"; type enumeration { enum "dynamic" { value 0; description "Dynamic connectivity and secure association mode (MKA and dot1x)"; } enum "static-sak" { value 1; description "Static secure association key mode (no MKA)"; } enum "static-cak" { value 2; description "Static connectivity association key mode (MKA and Pre-shared key)"; } } description "Connectivity association mode"; } leaf sak-hash-128 { junos:must "((".. cipher-suite gcm-aes-256" || ".. cipher-suite gcm-aes-xpn-256"))"; junos:must-message "Allowed only for cipher-suite gcm-aes-256 or gcm-aes-xpn-256"; type empty; description "Configure to generate 128bit SAK hash to program HW"; } list secure-channel { junos:must "(".. security-mode static-sak")"; junos:must-message "Secure-channel configuration allowed only for static-sak mode"; key "name"; ordered-by user; description "Configure secure channel properties"; leaf name { type string; description "Secure channel name"; } uses apply-advanced; container id { description "Secure channel identifier"; uses apply-advanced; leaf mac-address { type jt:mac-addr; description "MAC addresses"; } leaf port-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port identifier"; } } // container id leaf direction { type enumeration { enum "inbound" { value 0; } enum "outbound" { value 1; } } description "Secure channel direction"; } leaf encryption { type empty; description "Enable Encryption"; } leaf offset { type enumeration { enum "0" { value 0; description "Confidentiality protected for all octets of MACSec PDU data"; } enum "30" { value 1; description "Confidentiality not protected for initial 30 octets of MACSec PDU data"; } enum "50" { value 2; description "Confidentiality not protected for initial 50 octets of MACSec PDU data"; } } description "Confidentiality offset"; } leaf include-sci { type empty; description "Include secure channel identifier in MAC Security PDU"; } list security-association { key "name"; ordered-by user; description "Security association"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3"; } } description "Security association number"; } uses apply-advanced; leaf key { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F) of length 32"; length "32"; } description "Security association key in hexadecimal format of length 32"; } } // list security-association } // list secure-channel container mka { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "MKA configuration can be set only for dynamic/static-cak modes"; presence "enable mka"; description "Configure MAC Security Key Agreement protocol properties"; uses apply-advanced; leaf transmit-interval { junos:must "(!(".. bounded-delay"))"; junos:must-message "Might not be configured with bounded-delay"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2000 .. 10000"; } } units "milliseconds"; description "Configure MKA periodic transmit interval"; } leaf sak-rekey-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 86400"; } } units "seconds"; description "Configure SAK rekeying interval"; } leaf bounded-delay { junos:must "(".. .. replay-protect replay-window-size")"; junos:must-message "replay-window-size must be configured with bounded-delay"; type empty; description "Configure Bounded Hello Time"; } leaf key-server-priority { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } default "16"; description "Configure MKA key server priority"; } leaf must-secure { junos:must "(".. .. security-mode dynamic")"; junos:must-message "Allowed only for dynamic mode"; type empty; description "Allow only secure dot1x traffic"; } leaf should-secure { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static mode"; type empty; description "Configure fail open mode for MKA protocol"; } leaf eapol-address { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type string; default "pae"; description "Configure EAPOL destination group address"; } } // container mka container replay-protect { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; description "Configure replay protection"; uses apply-advanced; leaf replay-window-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "packets"; description "Configure replay protection window size"; } } // container replay-protect leaf no-encryption { junos:must "(!(".. offset"))"; junos:must-message "Offset can be configured only with encryption"; junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Encryption for static-sak mode should be configured under secure-channel"; type empty; description "Disable encryption"; } leaf disable-preceding-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Enabling configuration allowed only in static-cak mode"; type empty; description "Disable CA preceding key duing key switch-over"; } leaf offset { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Offset for static-sak mode should be configured under secure-channel"; type enumeration { enum "0" { value 0; description "Confidentiality provided for all octets of data"; } enum "30" { value 1; description "Confidentiality not provided for initial 30 octets of data"; } enum "50" { value 2; description "Confidentiality not provided for initial 50 octets of data"; } } default "0"; description "Confidentiality offset"; } leaf include-sci { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; type empty; description "Include secure channel identifier in MAC Security PDU"; } container pre-shared-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Pre-shared key configuration allowed only in static-cak mode"; presence "enable pre-shared-key"; description "Configure pre-shared connectivity association key"; uses apply-advanced; leaf ckn { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 64"; } description "Connectivity association key in hexadecimal format"; } } // container pre-shared-key container fallback-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Fallback key configuration allowed only in static-cak mode"; presence "enable fallback-key"; description "Configure fallback key for connectivity association"; uses apply-advanced; leaf ckn { junos:must "(!(".. .. pre-shared-key ckn $$"))"; junos:must-message "fallback-key CKN cannot be same as pre-shared-key CKN"; type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association fallback key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 64"; } description "Connectivity association fallback key secret in hexadecimal format"; } } // container fallback-key leaf pre-shared-key-chain { junos:must "(!(".. pre-shared-key"))"; junos:must-message "May not be configured with pre-shared-key"; junos:must "("security authentication-key-chains key-chain $$")"; junos:must-message "authentication-key-chains not defined !!"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Pre-shared key chain name for connectivity association"; } list exclude-protocol { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; key "name"; ordered-by user; description "Configure protocols to exclude from MAC Security"; leaf name { type enumeration { enum "cdp" { value 0; description "Cisco Discovery Protocol"; } enum "lldp" { value 1; description "Link Level Discovery Protocol"; } enum "lacp" { value 2; description "Link Aggregation Control Protocol"; } } } } // list exclude-protocol } // list connectivity-association list interfaces { key "name"; description "Interfaces on which macsec configuration is applied"; leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; leaf connectivity-association { junos:must "("security macsec connectivity-association $$")"; junos:must-message "Connectivity association not defined"; type string; description "Connectivity association name"; } container traceoptions { junos:must "(".. connectivity-association")"; junos:must-message "Connectivity association should be configured on interface to enable traceoptions"; presence "enable traceoptions"; description "Tracing options of MKA protocol"; uses mka-trace-options; } // container traceoptions } // list interfaces list cluster-control-port { key "name"; description "Cluster control port on which macsec configuration is applied"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } description "Port identifier"; } uses apply-advanced; leaf connectivity-association { junos:must "(!("security macsec connectivity-association $$ pre-shared-key-chain"))"; junos:must-message "Pre-shared keychain is not supported on cluster control port"; junos:must "("security macsec connectivity-association $$")"; junos:must-message "Connectivity association not defined"; type string; description "Connectivity association name"; } container traceoptions { presence "enable traceoptions"; description "Tracing options of MKA protocol"; uses mka-trace-options; } // container traceoptions } // list cluster-control-port list cluster-data-port { key "name"; description "Cluster data port on which macsec configuration is applied"; leaf name { junos:must "(!("security macsec connectivity-association $$ pre-shared-key-chain"))"; junos:must-message "Pre-shared keychain is not supported on cluster data port"; type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; leaf connectivity-association { junos:must "("security macsec connectivity-association $$")"; junos:must-message "Connectivity association not defined"; type string; description "Connectivity association name"; } container traceoptions { presence "enable traceoptions"; description "Tracing options of MKA protocol"; uses mka-trace-options; } // container traceoptions } // list cluster-data-port } // grouping security-macsec grouping macsec-trace-options { description "Trace options for MACSec Protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "config" { value 0; description "Trace configuration messages"; } enum "debug" { value 1; description "Trace debug messages"; } enum "normal" { value 2; description "Trace normal messages"; } enum "all" { value 3; description "Trace all"; } } } } // list flag } // grouping macsec-trace-options grouping mka-trace-options { description "Trace options for MKA protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "mka-packets" { value 0; description "Trace MKA input and output packets"; } enum "state" { value 1; description "Trace MKA state information"; } enum "to-secy" { value 2; description "Trace MKA to SecY state changes"; } enum "keys" { value 3; description "Trace key creation/generation information"; } enum "normal" { value 4; description "Trace normal events"; } enum "all" { value 5; description "Trace all"; } } } } // list flag } // grouping mka-trace-options grouping security-pki { uses apply-advanced; list ca-profile { key "name"; ordered-by user; description "Certificate authority profile configuration"; leaf name { type string { junos:posix-pattern "![/%. ]"; junos:pattern-message "Must not contain '/', %, '.' or a space"; length "1 .. 32"; } description "Name of certificate authority profile"; } uses apply-advanced; leaf ca-identity { type string; description "Certificate authority identifier"; } leaf source-address { type jt:ipaddr; description "Use specified address as source address"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [edit services proxy profile]"; type string; description "Use specified proxy server"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string; description "Use specified routing instance"; } container enrollment { description "Enrollment parameters for certificate authority"; uses apply-advanced; leaf url { type string; description "Enrollment URL of certificate authority"; } leaf retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } default "1000"; description "Number of enrollment retry attempts before aborting"; } leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } default "600"; description "Interval in seconds between the enrollment retries"; } } // container enrollment container revocation-check { description "Method for checking certificate revocations"; uses apply-advanced; choice revocation-check-options { leaf use-crl { type empty; description "Use CRL for revocation check"; } leaf use-ocsp { type empty; description "Use OCSP for revocation check"; } leaf disable { type empty; description "Disable revocation check"; } } // choice revocation-check-options container ocsp { presence "enable ocsp"; description "Online Certificate Status Protocol (OCSP) configuration"; uses apply-advanced; list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "HTTP URL for OCSP access location"; } uses apply-advanced; } // list url leaf nonce-payload { type enumeration { enum "enable" { value 0; description "Send nonce paylod in OCSP request"; } enum "disable" { value 1; description "Do not send nonce payload in OCSP request"; } } description "Include nonce payload in OCSP requests"; } leaf disable-responder-revocation-check { type empty; description "Disable OCSP responder certificate revocation check"; } leaf accept-unknown-status { type empty; description "Accept certificates with unknown status"; } container connection-failure { presence "enable connection-failure"; description "Actions on failure to connect to OCSP Responder"; uses apply-advanced; choice connection-failure-options { leaf fallback-crl { type empty; description "Use CRL for revocation check"; } leaf disable { type empty; description "Disable OCSP check on connection failure"; } } // choice connection-failure-options } // container connection-failure } // container ocsp container crl { description "Certificate revocation list configuration"; uses apply-advanced; container disable { leaf on-download-failure { type empty; description "Check revocation status with existing CRL file if present, otherwise skip. This feature must be enabled for manual CRL download."; } } // container disable list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "URL of CRL distribution point for certificate authority"; } uses apply-advanced; leaf password { type jt:unreadable; description "Password for authentication with the server"; } } // list url leaf refresh-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 8784"; } } units "hours"; description "CRL refresh interval"; } } // container crl } // container revocation-check container administrator { description "Administrator information"; uses apply-advanced; leaf email-address { type string; description "Administrator e-mail to which to send certificate requests"; } } // container administrator } // list ca-profile list trusted-ca-group { key "name"; ordered-by user; description "Trusted Certificate Authority group configuration"; leaf name { type string { length "1 .. 63"; } description "Name of the trusted CA group"; } uses apply-advanced; leaf-list ca-profiles { type string { length "1 .. 63"; } max-elements 20; ordered-by user; description "Name of the CA profiles (maximum 20)"; } } // list trusted-ca-group container trap { presence "enable trap"; description "Trap options for PKI certificates"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "Local certificate identifier"; leaf name { type string; description "Local cert id"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list certificate-id list ca-identity { key "name"; ordered-by user; description "CA identity"; leaf name { junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string; description "CA profile"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list ca-identity container all-certificates { presence "enable all-certificates"; description "Trap config for all certificates"; uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // container all-certificates } // container trap container auto-re-enrollment { description "Auto re-enroll of certificate"; uses apply-advanced; container cmpv2 { presence "enable cmpv2"; description "CMPv2 auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "CMPv2 auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } } // list certificate-id } // container cmpv2 container scep { presence "enable scep"; description "SCEP auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "SCEP auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf challenge-password { type jt:unreadable; description "Password used by CA for enrollment and revocation"; } container scep-encryption-algorithm { presence "enable scep-encryption-algorithm"; description "SCEP encryption algorithm"; uses apply-advanced; choice scep-encryption-algorithm-options { leaf des { type empty; description "Use DES as SCEP encryption algorithm"; } leaf des3 { type empty; description "Use DES3 as SCEP encryption algorithm"; } } // choice scep-encryption-algorithm-options } // container scep-encryption-algorithm container scep-digest-algorithm { presence "enable scep-digest-algorithm"; description "SCEP digest algorithm"; uses apply-advanced; choice scep-digest-algorithm-options { leaf md5 { type empty; description "Use MD5 as SCEP digest algorithm"; } leaf sha1 { type empty; description "Use SHA1 as SCEP digest algorithm"; } } // choice scep-digest-algorithm-options } // container scep-digest-algorithm } // list certificate-id } // container scep list certificate-id { key "name"; ordered-by user; description "Auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf challenge-password { type jt:unreadable; description "Password used by CA for enrollment and revocation"; } container scep-encryption-algorithm { presence "enable scep-encryption-algorithm"; description "SCEP encryption algorithm"; uses apply-advanced; choice scep-encryption-algorithm-options { leaf des { type empty; description "Use DES as SCEP encryption algorithm"; } leaf des3 { type empty; description "Use DES3 as SCEP encryption algorithm"; } } // choice scep-encryption-algorithm-options } // container scep-encryption-algorithm container scep-digest-algorithm { presence "enable scep-digest-algorithm"; description "SCEP digest algorithm"; uses apply-advanced; choice scep-digest-algorithm-options { leaf md5 { type empty; description "Use MD5 as SCEP digest algorithm"; } leaf sha1 { type empty; description "Use SHA1 as SCEP digest algorithm"; } } // choice scep-digest-algorithm-options } // container scep-digest-algorithm } // list certificate-id } // container auto-re-enrollment container traceoptions { description "PKI trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "certificate-verification" { value 0; description "PKI certificate verification tracing"; } enum "online-crl-check" { value 1; description "PKI online crl tracing"; } enum "enrollment" { value 2; description "PKI certificate enrollment tracing"; } enum "all" { value 3; description "Trace with all flags enabled"; } } } } // list flag } // container traceoptions } // grouping security-pki grouping security-traceoptions { description "Trace options for key management process"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } default "0"; description "Limit the incoming rate of trace messages"; } container filter { description "Filter parameters for IKE traceoptions"; uses apply-advanced; leaf fpc { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "FPC slot number"; } leaf pic { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "PIC slot number"; } } // container filter list flag { key "name"; ordered-by user; description "Tracing parameters for IKE"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "config" { value 3; description "Trace configuration download processing"; } enum "ike" { value 4; description "Trace IKE module processing"; } enum "policy-manager" { value 5; description "Trace policy manager processing"; } enum "general" { value 6; description "Trace general events"; } enum "database" { value 7; description "Trace security associations database events"; } enum "certificates" { value 8; description "Trace certificate events"; } enum "snmp" { value 9; description "Trace SNMP operations"; } enum "thread" { value 10; description "Trace thread processing"; } enum "high-availability" { value 11; description "Trace high-availability operations"; } enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag } // grouping security-traceoptions grouping security-zone-type { description "Security zone"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 63"; } description "Name of the zone"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of zone"; } leaf tcp-rst { type empty; description "Send RST for NON-SYN packet not matching TCP session"; } container address-book { junos:must "(!("security address-book"))"; junos:must-message "Zone specific address books are not allowed when there are global address books defined"; description "Address book entries"; uses address-book-type; } // container address-book leaf screen { junos:must "("security screen ids-option $$")"; junos:must-message "referenced ids-object must be defined under [security screen ids-option]"; type string { length "1 .. 32"; } description "Name of ids option object applied to the zone"; } container host-inbound-traffic { description "Allowed system services & protocols"; uses zone_host_inbound_traffic_t; } // container host-inbound-traffic list interfaces { key "name"; ordered-by user; description "Interfaces that are part of this zone"; uses zone-interface-list-type; } // list interfaces leaf application-tracking { type empty; description "Enable Application tracking support for this zone"; } leaf source-identity-log { type empty; description "Show user and group info in session log for this zone"; } container advance-policy-based-routing-profile { description "Enable Advance Policy Based Routing on this zone"; uses apply-advanced; leaf profile { type string { length "1 .. 63"; } description "Advance policy based routing profile name"; } } // container advance-policy-based-routing-profile leaf enable-reverse-reroute { type empty; description "Enable Reverse route lookup when there is change in ingress interface"; } leaf unidirectional-session-refreshing { type empty; description "Enable unidirectional session refreshing on this zone"; } container advanced-connection-tracking { description "Enable Advance Policy Based Routing on this zone"; uses apply-advanced; leaf timeout { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Timeout value in seconds for advanced-connection-tracking table for this zone"; } leaf mode { type enumeration { enum "allow-any-host" { value 0; description "Create allow-any-host table, thus policies whose to-zone is this zone can lookup"; } enum "allow-target-host" { value 1; description "Create allow-target-host table, thus policies whose to-zone is this zone can lookup"; } enum "allow-target-host-port" { value 2; description "Create allow-target-host-port table, thus policies whose to-zone is this zone can lookup"; } } } leaf track-all-policies-to-this-zone { type empty; description "Mandate all policies with to-zone set to this zone to do connection track table lookup"; } } // container advanced-connection-tracking } // grouping security-zone-type grouping address-book-type { description "Configure security address book for the zone"; uses apply-advanced; list address { key "name"; ordered-by user; description "Define a security address"; uses address_type; } // list address list address-set { key "name"; ordered-by user; description "Define a security address set"; uses address_set_type; } // list address-set } // grouping address-book-type grouping security_intelligence_feeds { description "Specify the feed post action"; uses apply-advanced; container add-source-ip-to-feed { description "Add Source IP to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-source-ip-to-feed container add-destination-ip-to-feed { description "Add Destination IP to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-destination-ip-to-feed container add-source-identity-to-feed { description "Add Source Identity to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-source-identity-to-feed container add-destination-identity-to-feed { description "Add Destination Identity to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-destination-identity-to-feed } // grouping security_intelligence_feeds grouping server { description "Server settings"; uses apply-advanced; leaf host { type string; description "Server host IP address or string host name"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1024 .. 65535"; } } description "Server port"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } leaf source-address { type jt:ipaddr; description "Source ip address used to connect server"; } } // grouping server grouping session_timeout_type { uses apply-advanced; leaf tcp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for tcp sessions"; } leaf udp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for udp sessions"; } leaf ospf { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for ospf sessions"; } leaf icmp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for icmp sessions"; } leaf icmp6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for icmp6 sessions"; } leaf others { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for other sessions"; } } // grouping session_timeout_type grouping sla_policy_type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "APBR policy name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of policy"; } container match { description "Specify sla policy match-criteria"; uses apply-advanced; choice source-address_choice { leaf-list source-address { type string; ordered-by user; } } // choice source-address_choice choice destination-address_choice { leaf-list destination-address { type string; ordered-by user; } } // choice destination-address_choice leaf source-address-excluded { type empty; description "Exclude source addresses"; } leaf destination-address-excluded { type empty; description "Exclude destination addresses"; } choice application_type_choice { leaf-list application { junos:must "((".. .. .. .. .. .. .. applications application $$" || (".. .. .. .. .. .. .. applications application-set $$" || (".. .. .. .. .. .. .. .. applications application $$" || ".. .. .. .. .. .. .. .. applications application-set $$"))))"; junos:must-message "application or application-set must be defined"; type string { length "1 .. 63"; } ordered-by user; description "Specify application or application-set name to match"; } } // choice application_type_choice choice source_identity_choice { leaf-list source-identity { type string; ordered-by user; } } // choice source_identity_choice } // container match container then { description "Specify policy action to take when packet match criteria"; uses apply-advanced; choice action { container application-services { description "Application Services"; uses sla_application_services_type; } // container application-services } // choice action } // container then leaf scheduler-name { junos:must "("schedulers scheduler $$")"; junos:must-message "scheduler must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of scheduler"; } } // grouping sla_policy_type grouping sla_application_services_type { description "Application Services"; uses apply-advanced; leaf advance-policy-based-routing-profile { junos:must "("security advance-policy-based-routing profile $$")"; junos:must-message "advance-policy-based-routing profile must be defined"; type string { length "1 .. 63"; } description "Specify APBR profile name"; } } // grouping sla_application_services_type grouping softwires-object { description "Configure softwire feature"; uses apply-advanced; list softwire-name { key "name"; description "Configure softwire object"; uses softwire-option-type; } // list softwire-name container softwire-types { description "Configure softwire objects"; uses apply-advanced; list v6rd { key "name"; description "Configure v6rd object"; uses softwire-option-type; } // list v6rd list ds-lite { key "name"; description "Configure ds-lite object"; uses softwire-option-type; } // list ds-lite list map-e { key "name"; ordered-by user; description "Configure Map-e object"; uses map-e-domain; } // list map-e } // container softwire-types list map-e { key "name"; max-elements 1; ordered-by user; description "Configure a MAP-E domain and domain rules"; uses map-e-domain; } // list map-e container traceoptions { description "Trace options for Network Security DS-Lite"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list rule-set { key "name"; ordered-by user; description "Define a softwire rule set"; uses sw-rule-set-object; } // list rule-set } // grouping softwires-object grouping map-e-domain { description "Configure a MAP-E domain"; leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 11"; } description "MAP-E domain name"; } uses apply-advanced; leaf confidentiality { type empty; description "Configure JUNOS MAP-E confidentiality"; } leaf br-address { type jt:unreadable; description "Ipv6 address of BR"; } container end-user-prefix { description "Configure end-user-prefix value or source interface for obtaining end-user-prefix"; uses apply-advanced; leaf prefix-value { junos:must "(!(".. auto"))"; junos:must-message "Explicit end-user-prefix is not allowed when auto is configured"; type jt:ipv6prefix; description "End user prefix"; } } // container end-user-prefix list rule { key "name"; max-elements 101; ordered-by user; description "Configure a BMR or FMR rule for map-e "; uses map-e-rule; } // list rule leaf role { type enumeration { enum "CE" { value 0; description "CE deployment"; } } description "Define a role of the MAP-E"; } leaf version { type enumeration { enum "3" { value 0; description "Version 3: draft-ietf-softwire-map-03"; } } description "Define version of the MAP-E"; } } // grouping map-e-domain grouping map-e-rule { description "Configure a MAP-E rule"; leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 11"; } description "MAP-E rule name"; } uses apply-advanced; leaf rule-type { type enumeration { enum "BMR" { value 0; description "Define BMR rule type"; } enum "FMR" { value 1; description "Define FMR rule type"; } } description "Define a rule type of MAP-E"; } leaf ipv4-prefix { type jt:unreadable; description "Ipv4 prefix"; } leaf ipv6-prefix { type jt:unreadable; description "Ipv6 prefix"; } leaf ea-bits-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 48"; } } description "EA bits length"; } leaf psid-offset { type jt:unreadable; description "PSID offset"; } leaf psid-len { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16"; } } description "PSID length"; } leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 9192"; } } default "9192"; description "MTU for the softwire tunnel"; } leaf v4-reassembly { type empty; description "MAP-E IPv4 reassembly support"; } leaf v6-reassembly { type empty; description "MAP-E IPv6 reassembly support"; } leaf disable-auto-route { type empty; description "MAP-E Disable Auto Route"; } } // grouping map-e-rule grouping softwire-option-type { description "Configure softwire object"; leaf name { type string { length "1 .. 23"; } description "DS-Lite/Softwire object name"; } uses apply-advanced; leaf softwire-concentrator { type jt:ipaddr; description "Concentrator address"; } leaf softwire-type { type enumeration { enum "IPv4-in-IPv6" { value 0; description "Ipv4-in-IPv6"; } enum "v6rd" { value 1; description "V6rd"; } } default "IPv4-in-IPv6"; description "Softwire-type"; } leaf ipv4-prefix { type jt:ipv4prefix; description "6rd customer edge IPV4 prefix"; } leaf v6rd-prefix { type jt:ipv6prefix; description "6rd domain's IPV6 prefix"; } leaf mtu-v4 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "576 .. 9192"; } } description "MTU for the softwire tunnel"; } leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 9192"; } } description "MTU for the softwire tunnel"; } leaf auto-update-mtu { type empty; description "Auto update MTU from received ICMPv6 messages"; } leaf copy-dscp { type empty; description "Copy DSCP (type of service) from IPv6 to IPv4 header"; } leaf flow-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16384"; } } default "0"; description "Max Number of IPv4 flows per Softwire"; } leaf session-limit-per-prefix { junos:must "(!(".. flow-limit"))"; junos:must-message "Cannot configure both flow-limit and session-limit-per-prefix in same softwire-concentrator"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16384"; } } default "0"; description "Max number of sessions allowed per Softwire prefix"; } } // grouping softwire-option-type grouping sophos-scan-options { description "Anti-virus scan options"; uses apply-advanced; choice uri-check-choice { leaf uri-check { type empty; description "Anti-virus uri-check"; } leaf no-uri-check { type empty; description "Don't anti-virus uri-check"; } } // choice uri-check-choice leaf content-size-limit { type string; units "kilobytes"; description "Content size limit"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; description "Scan engine timeout"; } } // grouping sophos-scan-options grouping ssg-destination-nat-object { uses apply-advanced; list pool { key "name"; ordered-by user; description "Define a destination address pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Pool name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of pool"; } container routing-instance { description "Routing instance"; uses apply-advanced; choice ri-name-choice { leaf default { type empty; description "Default routing-instance"; } leaf ri-name { junos:must "(("routing-instances $$ instance-type virtual-router" || "routing-instances $$ instance-type vrf"))"; junos:must-message "Instance-type virtual-router or vrf must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; } description "Routing-instance name"; } } // choice ri-name-choice } // container routing-instance container address { description "Add address or address range to pool"; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 address or address range"; } choice range-port-choice { container to { description "Upper limit of address range"; uses apply-advanced; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 upper limit of address range"; } } // container to leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the port value"; } } // choice range-port-choice } // container address } // list pool list port-forwarding { key "name"; ordered-by user; description "Define a port-forwarding mapping pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Port Forwarding mapping name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of port forwarding mapping"; } list destined-port { key "port translated-port"; max-elements 32; ordered-by user; description "Port forwarding mappings"; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } leaf translated-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Translated port"; } } // list destined-port } // list port-forwarding list rule-set { key "name"; ordered-by user; description "Configurate a set of rules"; leaf name { junos:must "((!("services nat source rule-set $$") && !("services nat static rule-set $$")))"; junos:must-message "the rule set name should be unique across all types of nat"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from list rule { key "name"; ordered-by user; description "Destination NAT rule"; uses dest-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-destination-nat-object grouping dest-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule"; } container dest-nat-rule-match { description "Specify Destination NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type string; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } choice dst-choice { container destination-address { description "Destination address"; choice dst-addr-choice { leaf dst-addr { type jt:ipprefix; description "IPv4 or IPv6 destination address"; } leaf any-unicast { type empty; description "Match any unicast address"; } } // choice dst-addr-choice } // container destination-address container destination-address-name { description "Address from address book"; leaf dst-addr-name { type string { length "1 .. 63"; } description "Address from address book"; } } // container destination-address-name } // choice dst-choice list destination-port { key "name"; max-elements 8; ordered-by user; description "Destination port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list destination-port leaf-list protocol { type string; max-elements 4; ordered-by user; description "IP Protocol"; } leaf-list application { type string; ordered-by user; } } // container dest-nat-rule-match container then { description "Then action"; uses apply-advanced; container destination-nat { description "Destination NAT action"; uses apply-advanced; choice action { leaf off { type empty; description "No action"; } container pool { description "Use Destination NAT pool"; uses apply-advanced; leaf pool-name { junos:must "(".. .. .. .. .. .. .. .. nat destination pool $$")"; junos:must-message "Destination NAT pool name must be defined"; type string { length "1 .. 31"; } description "Name of Destination NAT pool"; } } // container pool leaf destination-prefix { type jt:ipprefix-only; description "Destination prefix to be used for NAT64 and 464 translation type"; } } // choice action container xlat-source-rule { junos:must "(".. destination-prefix")"; junos:must-message "'xlat-source-rule' can be configured only for NAT464 destination rule"; description "Set source nat rule to match for NAT464"; uses apply-advanced; list rule-set { key "name"; max-elements 1; ordered-by user; description "Source nat rule-set"; leaf name { junos:must "("services nat source rule-set $$")"; junos:must-message "source rule-set must be defined under 'services nat'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source nat rule-set name"; } uses apply-advanced; leaf rule { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source NAT rule name"; } } // list rule-set } // container xlat-source-rule container port-forwarding-mappings { description "Use Destination NAT port forwarding mapping pool"; uses apply-advanced; leaf pf-name { junos:must "(".. .. .. .. .. .. .. .. nat destination port-forwarding $$")"; junos:must-message "Port forwarding pool mappings must be defined"; type string { length "1 .. 31"; } description "Name of Port forwarding mappings"; } } // container port-forwarding-mappings container rule-session-count-alarm { description "Config rule-session-count-alarm to destination rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm } // container destination-nat leaf syslog { type empty; description "System log information about the packet"; } } // container then } // grouping dest-nat-rule-object grouping nat-rule-session-count-alarm-object { uses apply-advanced; leaf raise-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Raise threshold for rule session count alarm"; } leaf clear-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Clear threshold for session count hit alarm"; } } // grouping nat-rule-session-count-alarm-object grouping ssg-proxy-arp-object { uses apply-advanced; list interface { key "name"; ordered-by user; description "Interface with proxy arp configured"; uses ssg-interface-object; } // list interface } // grouping ssg-proxy-arp-object grouping ssg-interface-object { leaf name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; list address { key "name"; ordered-by user; description "Proxy ARP address"; leaf name { type jt:ipv4prefix; description "Address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipaddr { type jt:ipv4prefix; description "Upper limit of address range"; } } // container to } // list address } // grouping ssg-interface-object grouping ssg-proxy-ndp-object { uses apply-advanced; list interface { key "name"; ordered-by user; description "Interface with proxy arp configured"; uses ssg-proxy-ndp-interface-object; } // list interface } // grouping ssg-proxy-ndp-object grouping ssg-proxy-ndp-interface-object { leaf name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; list address { key "name"; ordered-by user; description "Proxy ndp address"; leaf name { type jt:ipv6prefix; description "Address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipv6addr { type jt:ipv6addr; description "Upper limit of address range"; } } // container to } // list address } // grouping ssg-proxy-ndp-interface-object grouping ssg-source-nat-object { uses apply-advanced; container persistent-nat { description "Persistent NAT info"; container log { description "Configure persistent NAT log"; choice enable-disable { leaf disable { type empty; description "Disable Persistent NAT log"; } } // choice enable-disable } // container log } // container persistent-nat list pool { key "name"; ordered-by user; description "Define a source address pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Pool name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of pool"; } container routing-instance { description "Routing instance"; uses apply-advanced; leaf ri-name { junos:must "("routing-instances $$ instance-type virtual-router")"; junos:must-message "Instance-type virtual-router must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; } description "Routing instance name"; } } // container routing-instance list address { key "name"; max-elements 8; ordered-by user; description "Add address to pool"; leaf name { type jt:ipprefix; description "IPv4 or IPv6 address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 upper limit of address range"; } } // container to } // list address container host-address-base { description "The base of host address"; leaf ipaddr { junos:must "(!(".. .. port range"))"; junos:must-message "'port range...' must not be configured when configure host-address-base"; type jt:ipprefix; description "IPv4 or IPv6 base address"; } } // container host-address-base container port { description "Config port attribute to pool"; uses apply-advanced; choice port-choice { leaf no-translation { junos:must "(!(".. automatic"))"; junos:must-message "'automatic' must not be configured when configure port no-translation"; junos:must "(!(".. preserve-range"))"; junos:must-message "'preserve-range' must not be configured when configure port no-translation"; junos:must "(!(".. preserve-parity"))"; junos:must-message "'preserve-parity' must not be configured when configure port no-translation"; type empty; description "Do not perform port translation"; } container range { description "Port range"; uses apply-advanced; choice port-assign-choice { leaf random-allocation { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as random"; type empty; description "Allocate port randomly"; } leaf round-robin { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as round-robin"; type empty; description "Allocate port round-robin"; } } // choice port-assign-choice leaf low { junos:must "(!(".. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(".. .. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Upper limit of port range"; } } // container to container twin-port { description "Twin port range"; uses apply-advanced; leaf low { junos:must "(!(".. .. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure twin port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Lower limit of twin port range"; } container to { description "Twin port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(".. .. .. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure twin port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Upper limit of twin port range"; } } // container to } // container twin-port } // container range container automatic { description "Port assignment"; uses apply-advanced; choice port-assign-choice { leaf random-allocation { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as random"; type empty; description "Allocate port randomly"; } leaf round-robin { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as round-robin"; type empty; description "Allocate port by round-robin"; } } // choice port-assign-choice } // container automatic } // choice port-choice leaf port-overloading-factor { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 32"; } } description "Port overloading factor for each IP"; } container block-allocation { presence "enable block-allocation"; description "Port block allocation"; uses block-allocation-object; } // container block-allocation container deterministic { presence "enable deterministic"; description "Deterministic nat allocation"; uses deterministic-object; } // container deterministic leaf preserve-parity { junos:must "(!(".. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure preserve-parity"; type empty; description "Allocate port as the same parity as incoming port"; } leaf preserve-range { junos:must "(!(".. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure preserve-range"; type empty; description "Allocate port from the same port range as incoming port"; } } // container port container overflow-pool { junos:must "(".. .. .. source pool ${pool} port no-translation")"; junos:must-message "'port no-translation' must be configured on original address pool"; description "Specify an overflow pool"; choice overflow-pool-choice { leaf pool-name { junos:must "(!(".. .. .. .. source pool $$ host-address-base"))"; junos:must-message "'host-address-base' must not be configured on overflow address pool"; junos:must "(!(".. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured on overflow address pool"; junos:must "(!(".. .. .. .. source pool ${pool} overflow-pool ${pool}"))"; junos:must-message "Overflow address pool must not be original address pool"; junos:must "(".. .. .. .. source pool $$")"; junos:must-message "Overflow address pool must be defined under [nat source pool]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Name of source address pool"; } leaf interface { type empty; description "Allow interface pool to support overflow"; } } // choice overflow-pool-choice } // container overflow-pool leaf address-shared { type empty; description "Allow multiple hosts to share an externel address"; } container address-pooling { description "Specify the address-pooling behavior"; choice pooling-choice { leaf paired { type empty; description "Allow address-pooling paired for a source pool with port translation"; } leaf no-paired { type empty; description "Allow address-pooling no-paired for a source pool without port translation"; } } // choice pooling-choice } // container address-pooling container address-persistent { description "Specify the address-persistent behavior"; container subscriber { description "Configure address persistent for subscriber"; leaf ipv6-prefix-length { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "8 .. 128"; } } description "Ipv6 prefix length for address persistent"; } } // container subscriber } // container address-persistent container pool-utilization-alarm { description "Config pool-utilization-alarm to pool"; uses source-nat-pool-utilization-alarm-object; } // container pool-utilization-alarm leaf ei-mapping-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 86400"; } } units "second"; description "Endpoint-independent mapping timeout"; } leaf mapping-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 86400"; } } units "second"; description "Address-pooling paired and endpoint-independent mapping timeout"; } leaf limit-ports-per-host { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 65535"; } } description "Number of ports allocated per host"; } container allocation-domain { description "Specify map-e domain name for pool"; leaf mape-domain-name { junos:must "(!(".. .. address"))"; junos:must-message "'address...' must not be configured when configure allocation-domain"; junos:must "("security softwires map-e $$")"; junos:must-message "mape domain must be defined"; type string { length "1 .. 31"; } description "Name of map-e domain"; } container allocation-rule { description "Specify map-e rule name for pool"; leaf mape-rule-name { type string { length "1 .. 31"; } description "Name of map-e rule"; } } // container allocation-rule } // container allocation-domain } // list pool leaf address-persistent { type empty; description "Allow source address to maintain same translation"; } leaf session-persistence-scan { type empty; description "Allow source to maintain session when session scan"; } leaf session-drop-hold-down { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "30 .. 28800"; } } description "Session drop hold down time"; } container pool-utilization-alarm { description "Configure pool utilization alarm"; uses source-nat-pool-utilization-alarm-object; } // container pool-utilization-alarm container port-randomization { description "Configure Source NAT port randomization"; choice enable-disable { leaf disable { type empty; description "Disable Source NAT port randomization"; } } // choice enable-disable } // container port-randomization container port-round-robin { description "Configure Source NAT port randomization"; choice enable-disable { leaf disable { type empty; description "Disable Source NAT port randomization"; } } // choice enable-disable } // container port-round-robin leaf port-scaling-enlargement { type empty; description "Configure source port scaling to 2.4G only for NGSPC"; } leaf pool-distribution { type empty; description "Configure Source pool distribution, the APPCP bottleneck of NAT CPS can be alleviated."; } container pool-default-port-range { description "Configure Source NAT default port range"; leaf low { junos:must "(!(any "security nat source pool <*> host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16; } description "Lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(any "security nat source pool <*> host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16; } description "Upper limit of port range"; } } // container to } // container pool-default-port-range container pool-default-twin-port-range { description "Configure Source NAT default twin port range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Lower limit of twin port range"; } container to { description "Twin port range upper limit"; uses apply-advanced; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Upper limit of twin port range"; } } // container to } // container pool-default-twin-port-range container interface { description "Configure interface port overloading for persistent NAT"; uses apply-advanced; choice interface-choice { container port-overloading { description "Configure port overloading"; leaf off { type empty; description "Turn off interface port over-loading"; } } // container port-overloading leaf port-overloading-factor { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port overloading factor for interface NAT"; } } // choice interface-choice } // container interface list rule-set { key "name"; ordered-by user; description "Configurate a set of rules"; leaf name { junos:must "((!("services nat destination rule-set $$") && !("services nat static rule-set $$")))"; junos:must-message "the rule set name should be unique across all types of nat"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from container to { description "Where is the traffic to"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Destination routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Destination routing group list"; } leaf-list zone { type string; max-elements 8; description "Destination zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Destination interface list"; } } // choice from-context-choice } // container to list rule { key "name"; ordered-by user; description "Source NAT rule"; uses src-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-source-nat-object grouping block-allocation-object { description "Port block allocation"; uses apply-advanced; leaf block-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 64512"; } } description "Block size"; } leaf maximum-blocks-per-host { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } } description "Maximum block number per host"; } leaf active-block-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Active block timeout interval"; } leaf interim-logging-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1800 .. 86400"; } } description "Interim Logging interval"; } leaf last-block-recycle-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 864000"; } } description "Last Block recycle timeout interval"; } container log { description "Configure port block log"; choice enable-disable { leaf disable { type empty; description "Disable PBA port block log"; } } // choice enable-disable } // container log } // grouping block-allocation-object grouping deterministic-object { description "Deterministic nat allocation"; uses apply-advanced; leaf block-size { type union { type string { pattern "<.*>|$.*"; } type uint16; } description "Block size"; } leaf det-nat-configuration-log-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1800 .. 86400"; } } description "Deterministic nat configuration logging interval"; } container host { description "Host address"; leaf-list address { type jt:ipprefix; max-elements 8; ordered-by user; description "Host ip address"; } leaf-list address-name { type string; max-elements 8; ordered-by user; description "Host address/address-set from address book"; } } // container host leaf include-boundary-addresses { type empty; description "Include network and broadcast in 'match' source address"; } } // grouping deterministic-object grouping source-nat-pool-utilization-alarm-object { uses apply-advanced; leaf raise-threshold { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "50 .. 100"; } } description "Raise threshold for pool utilization alarm"; } leaf clear-threshold { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "40 .. 100"; } } description "Clear threshold for pool utilization alarm"; } } // grouping source-nat-pool-utilization-alarm-object grouping src-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source NAT Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule"; } container src-nat-rule-match { description "Specify Source NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type string; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } list source-port { key "name"; max-elements 8; ordered-by user; description "Source port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list source-port leaf-list destination-address { type string; max-elements 8; ordered-by user; description "Destination address"; } leaf-list destination-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } list destination-port { key "name"; max-elements 8; ordered-by user; description "Destination port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list destination-port leaf-list protocol { type string; max-elements 4; ordered-by user; description "IP Protocol"; } leaf-list application { type string; ordered-by user; } } // container src-nat-rule-match container then { description "Then action"; uses apply-advanced; container source-nat { description "Source NAT action"; uses apply-advanced; choice action { leaf off { type empty; description "No action"; } container pool { description "Use Source NAT pool"; uses apply-advanced; leaf pool-name { junos:must "(".. .. .. .. .. .. .. .. nat source pool $$")"; junos:must-message "Source NAT pool name must be defined"; type string { length "1 .. 31"; } description "Name of Source NAT pool"; } container persistent-nat { presence "enable persistent-nat"; description "Persistent NAT info"; uses persistent-nat-object; } // container persistent-nat } // container pool container interface { presence "enable interface"; description "Use egress interface address"; uses apply-advanced; container persistent-nat { presence "enable persistent-nat"; description "Persistent NAT info"; uses persistent-nat-object; } // container persistent-nat } // container interface } // choice action leaf clat-prefix { junos:must "((".. .. .. match source-address" || ".. .. .. match source-address-name"))"; junos:must-message "source-address or source-address-name is required for Clat-prefix"; type jt:ipprefix-only; description "An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96"; } leaf clat-ipv6-prefix-length { junos:must "(!(".. .. .. match"))"; junos:must-message "'match' criteria is not applicable when 'clat-ipv6-prefix-length' is configured."; junos:must "(!(".. clat-prefix"))"; junos:must-message "clat-ipv6-prefix-length cannot be configured along with clat-prefix. Either clat-prefix or clat-ipv6-prefix-length can be configured."; type enumeration { enum "32" { value 0; description "The ipv6 prefix length of 32"; } enum "40" { value 1; description "The ipv6 prefix length of 40"; } enum "48" { value 2; description "The ipv6 prefix length of 48"; } enum "56" { value 3; description "The ipv6 prefix length of 56"; } enum "64" { value 4; description "The ipv6 prefix length of 64"; } enum "96" { value 5; description "The ipv6 prefix length of 96"; } } description "The ipv6 prefix length for CLAT source address"; } container rule-session-count-alarm { description "Config rule-session-count-alarm to source rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm container mapping-type { description "Source nat mapping type"; leaf endpoint-independent { type empty; description "Endpoint independent mapping"; } leaf address-pooling-paired { type empty; description "Address pooling paired mapping"; } } // container mapping-type container secure-nat-mapping { description "Mapping options for enhanced security"; leaf eif-flow-limit { junos:must "(".. .. filtering-type")"; junos:must-message "eif-flow-limit applies only to filtering-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65534"; } } description "Number of inbound flows to be allowed for a EIF mapping"; } container mapping-refresh { description "Enable timer refresh option"; choice refresh-choice { leaf inbound { type empty; description "Enable timer refresh for inbound connections only"; } leaf outbound { type empty; description "Enable timer refresh for outbound connections only"; } leaf inbound-outbound { type empty; description "Enable timer refresh for inbound & outbound connections"; } } // choice refresh-choice } // container mapping-refresh } // container secure-nat-mapping container filtering-type { junos:must "(".. mapping-type endpoint-independent")"; junos:must-message "endpoint independent filtering can not be configured with endpoint-independent mapping only"; description "Source NAT filtering type"; uses apply-advanced; container endpoint-independent { presence "enable endpoint-independent"; description "Endpoint independent filtering"; uses apply-advanced; list prefix-list { key "name"; ordered-by user; description "One or more named lists of source prefixes to match"; leaf name { type string { length "1 .. 63"; } description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list prefix-list } // container endpoint-independent } // container filtering-type } // container source-nat leaf syslog { type empty; description "System log information about the packet"; } } // container then } // grouping src-nat-rule-object grouping persistent-nat-object { uses apply-advanced; container permit { description "Persistent NAT permit configure"; choice persistent-nat-type-choice { leaf any-remote-host { type empty; description "Permit any remote host"; } leaf target-host { type empty; description "Permit target host"; } leaf target-host-port { type empty; description "Permit target host port"; } } // choice persistent-nat-type-choice } // container permit leaf address-mapping { type empty; description "Address-to-address mapping"; } leaf inactivity-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 7200"; } } description "Inactivity timeout value"; } leaf max-session-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "8 .. 65536"; } } description "The maximum session number value"; } } // grouping persistent-nat-object grouping ssg-static-nat-object { uses apply-advanced; list rule-set { key "name"; ordered-by user; description "Configurate a set of rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from list rule { key "name"; ordered-by user; description "Static NAT rule"; uses static-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-static-nat-object grouping static-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Static Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule"; } container static-nat-rule-match { description "Specify Static NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type jt:ipprefix; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address from address book"; } list source-port { key "name"; max-elements 8; ordered-by user; description "Source port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list source-port choice dst-choice { container destination-address { description "Destination address"; leaf dst-addr { type jt:ipprefix; description "IPv4 or IPv6 Destination address prefix"; } } // container destination-address container destination-address-name { description "Address from address book"; leaf dst-addr-name { type string { length "1 .. 63"; } description "Address from address book"; } } // container destination-address-name } // choice dst-choice container destination-port { description "Destination port"; leaf low { junos:must "((".. .. .. then static-nat prefix mapped-port" || ".. .. .. then static-nat prefix-name mapped-port"))"; junos:must-message "'then static-nat prefix mapped-port ...' or 'then static-nat prefix-name mapped-port' must be configured when configure 'destination-port'"; type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // container destination-port } // container static-nat-rule-match container then { description "Then action"; uses apply-advanced; container static-nat { description "Static NAT action"; uses apply-advanced; choice prefix-choice { container inet { presence "enable inet"; description "Translated to IPv4 address"; uses apply-advanced; leaf routing-instance { type string; description "Routing instance"; } } // container inet container prefix { description "Address prefix"; uses apply-advanced; leaf addr-prefix { type jt:ipprefix; description "IPv4 or IPv6 address prefix value"; } container mapped-port { description "Mapped port"; uses static-nat-rule-mapped-port-object; } // container mapped-port leaf routing-instance { type string; description "Routing instance"; } } // container prefix container prefix-name { description "Address from address book"; uses apply-advanced; leaf addr-prefix-name { type string { length "1 .. 63"; } description "Address from address book"; } container mapped-port { description "Mapped port"; uses static-nat-rule-mapped-port-object; } // container mapped-port leaf routing-instance { type string; description "Routing instance"; } } // container prefix-name container nptv6-prefix { description "NPTv6 address prefix, the longest prefix will be supported is /64"; uses apply-advanced; leaf addr-prefix { type jt:ipprefix; description "IPv6 address prefix value, the longest prefix will be supported is /64"; } leaf routing-instance { type string; description "Routing instance"; } } // container nptv6-prefix container nptv6-prefix-name { description "NPTv6 address from address book"; uses apply-advanced; leaf addr-prefix-name { type string { length "1 .. 63"; } description "IPv6 address from address book"; } leaf routing-instance { type string; description "Routing instance"; } } // container nptv6-prefix-name } // choice prefix-choice container rule-session-count-alarm { description "Config rule-session-count-alarm to static rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm } // container static-nat } // container then } // grouping static-nat-rule-object grouping static-nat-rule-mapped-port-object { uses apply-advanced; leaf low { junos:must "(".. .. .. .. .. match destination-port")"; junos:must-message "'match destination-port ...' must be configured when configure 'mapped-port'"; type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // grouping static-nat-rule-mapped-port-object grouping sw-rule-set-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define Rule Set name"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Define a rule term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container then { description "Action to take if the condition is matched"; uses apply-advanced; choice designation { leaf ds-lite { junos:must "("services softwires softwire-types ds-lite $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwires softwire-types ds-lite'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply DS-Lite softwire"; } leaf v6rd { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply 6rd softwire"; } leaf map-e { junos:must "("services softwires softwire-types map-e $$")"; junos:must-message "Undefined softwire concentrator for map-e"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply MAP-E softwire"; } } // choice designation } // container then } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // grouping sw-rule-set-object grouping tenant-system-type { description "Tenant name"; leaf name { junos:must "("tenants $$")"; junos:must-message "Tenants must be defined under [tenants] "; type string; description "Tenant name"; } uses apply-advanced; leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } } // grouping tenant-system-type grouping time-format-object { uses apply-advanced; leaf year { type empty; description "Year in time format for syslog"; } leaf millisecond { type empty; description "Millisecond in time format for syslog"; } } // grouping time-format-object grouping tunable-object { leaf name { type string; } uses apply-advanced; leaf tunable-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Protocol tunable value"; } } // grouping tunable-object grouping tunnel-inspection-profile-type { description "Configure tunnel-inspection profile"; leaf name { type string { length "1 .. 63"; } description "Tunnel-inspection profile name"; } uses apply-advanced; choice inspection-type { list vxlan { key "name"; ordered-by user; description "Define a vxlan tunnel"; uses vxlan-tunnel-type; } // list vxlan } // choice inspection-type } // grouping tunnel-inspection-profile-type grouping tunnel-inspection-vni-type { description "VNI config"; leaf name { type string { length "1 .. 64"; } description "VNI name"; } uses apply-advanced; choice vni-type { list vni-range { key "name"; ordered-by user; description "VNI range"; uses vni-range-type; } // list vni-range leaf-list vni-id { type union { type uint32; type string { pattern "<.*>|$.*"; } } ordered-by user; description "VNI ID"; } } // choice vni-type } // grouping tunnel-inspection-vni-type grouping tunnel_type { description "Tunnel packets"; uses apply-advanced; choice ipsec-vpn-choice { leaf ipsec-vpn { junos:must "(!("security ipsec vpn $$ bind-interface"))"; junos:must-message "Route based ipsec-vpn cannot be referenced for policy"; junos:must "("security ipsec vpn $$")"; junos:must-message "Security VPN must be defined"; type string { length "1 .. 63"; } description "Enable VPN with name"; } leaf ipsec-group-vpn { junos:must "("security group-vpn member ipsec vpn $$")"; junos:must-message "Security group VPN must be defined"; type string { length "1 .. 63"; } status deprecated; description "Enable dynamic IPSEC group with name"; } } // choice ipsec-vpn-choice leaf pair-policy { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Policy in the reverse direction, to form a pair"; } } // grouping tunnel_type grouping url-list-type { description "Configure url-list object"; leaf name { type string { junos:posix-pattern "^[a-zA-Z_]+[a-zA-Z_0-9-]*$"; junos:pattern-message "Must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores."; length "1 .. 29"; } description "Configure name of url-list object"; } uses apply-advanced; leaf-list value { type string { length "1 .. 249"; } ordered-by user; description "Configure value of url-list object"; } } // grouping url-list-type grouping usf-range-address-type { description "Range address"; leaf name { type jt:ipprefix; description "Lower limit of address range"; } uses apply-advanced; container to { description "Port range upper limit"; uses apply-advanced; leaf range-high { type jt:ipprefix; description "Upper limit of address range"; } } // container to } // grouping usf-range-address-type grouping utm-apppxy-traceoptions { description "Traceoptions for utm application proxy process"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Tracing parameters for utm application proxy"; leaf name { type enumeration { enum "abort" { value 0; description "Trace application-proxy session abort"; } enum "application-objects" { value 1; description "Trace application-proxy objects information"; } enum "utm-realtime" { value 2; description "Trace application-proxy realtime-thread information"; } enum "anti-virus" { value 3; description "Trace anti-virus information"; } enum "basic" { value 4; description "Trace application-proxy basic information"; } enum "buffer" { value 5; description "Trace application-proxy data buffer information"; } enum "detail" { value 6; description "Trace application-proxy detailed information"; } enum "ftp-data" { value 7; description "Trace FTP data connection information"; } enum "ftp-control" { value 8; description "Trace FTP control connection information"; } enum "http" { value 9; description "Trace HTTP protocol information"; } enum "imap" { value 10; description "Trace IMAP protocol information"; } enum "memory" { value 11; description "Trace memory usage"; } enum "parser" { value 12; description "Trace protocol parser"; } enum "pfe" { value 13; description "Trace communication with PFE"; } enum "pop3" { value 14; description "Trace POP3 protocol information"; } enum "queue" { value 15; description "Trace queue information"; } enum "smtp" { value 16; description "Trace SMTP protocol information"; } enum "tcp" { value 17; description "Trace TCP level information"; } enum "timer" { value 18; description "Trace timer processing"; } enum "connection-rating" { value 19; description "Trace connection rating information"; } enum "mime" { value 20; description "Trace MIME parser information"; } enum "regex-engine" { value 21; description "Trace Pattern Match Engine (PME) information"; } enum "sophos-anti-virus" { value 22; description "Trace anti-virus sophos engine information"; } enum "all" { value 23; description "Enable all application-proxy trace options"; } } description "Tracing parameters for utm application proxy flag name"; } } // list flag } // grouping utm-apppxy-traceoptions grouping utm-ipc-traceoptions { description "Traceoptions for utm IPC"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Traceoptions for utm IPC flag"; leaf name { type enumeration { enum "basic" { value 0; description "Trace basic IPC related information"; } enum "detail" { value 1; description "Trace detail IPC related information"; } enum "connection-manager" { value 2; description "Trace IPC connection manager"; } enum "connection-status" { value 3; description "Trace IPC connection status"; } enum "pfe" { value 4; description "Trace communication with pfe"; } enum "utm-realtime" { value 5; description "Trace IPC realtime-thread information"; } enum "all" { value 6; description "Enable all IPC trace options"; } } description "Trace options for utm IPC flag name"; } } // list flag } // grouping utm-ipc-traceoptions grouping utm-traceoptions { description "Trace options for utm process"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Tracing UTM information"; leaf name { type enumeration { enum "cli" { value 0; description "Trace CLI"; } enum "daemon" { value 1; description "Trace daemon information"; } enum "ipc" { value 2; description "Trace IPC information"; } enum "pfe" { value 3; description "Trace pfe information"; } enum "all" { value 4; description "Enable all utm trace options"; } } description "Flag name"; } } // list flag } // grouping utm-traceoptions grouping vendor-object { leaf name { type string; description "Values for vendor field"; } uses apply-advanced; leaf product-name { type string; description "Values for product field"; } } // grouping vendor-object grouping vni-range-type { leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16777215"; } } description "VNI range Lower limit"; } uses apply-advanced; container to { description "VNI range upper limit"; uses apply-advanced; leaf range-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16777215"; } } description "Upper limit of vni range"; } } // container to } // grouping vni-range-type grouping vrf-group-type { description "Configure vrf group object"; leaf name { type string { length "1 .. 64"; } description "Vrf group name"; } uses apply-advanced; leaf-list vrf { junos:must "("routing-instances $$ vrf-table-label")"; junos:must-message "referenced routing-instance must configured with vrf-table-label"; junos:must "("routing-instances $$ instance-type vrf")"; junos:must-message "referenced routing-instance must be vrf type"; type string; ordered-by user; description "L3vpn vrf name"; } } // grouping vrf-group-type grouping vxlan-tunnel-type { description "Configure vxlan tunnel"; leaf name { type string { length "1 .. 63"; } description "Vxlan tunnel name"; } uses apply-advanced; leaf policy-set { junos:must "((".. .. .. .. security policies policy-set $$" || ".. .. .. .. .. security policies policy-set $$"))"; junos:must-message "Security policy policy-set must be defined"; type string { length "1 .. 63"; } description "Define a security policy set"; } list vni { key "name"; max-elements 4096; ordered-by user; description "Define VNI"; uses vni-list-type; } // list vni } // grouping vxlan-tunnel-type grouping vni-list-type { leaf name { type string; description "VNI name"; } } // grouping vni-list-type grouping web-filtering-fallback-setting { description "Web-filtering fallback settings"; uses apply-advanced; leaf default { type enumeration { enum "log-and-permit" { value 0; } enum "block" { value 1; } } description "Fallback default settings"; } leaf server-connectivity { type enumeration { enum "log-and-permit" { value 0; } enum "block" { value 1; } } description "Fallback action when device cannot connect to server"; } leaf timeout { type enumeration { enum "log-and-permit" { value 0; } enum "block" { value 1; } } description "Fallback action when connection to server timeout"; } leaf too-many-requests { type enumeration { enum "log-and-permit" { value 0; } enum "block" { value 1; } } description "Fallback action when requests exceed the limit of engine"; } } // grouping web-filtering-fallback-setting grouping web-filtering-traceoptions { description "Trace options for web-filtering feature"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Trace options for web-filtering feature trace flag"; leaf name { type enumeration { enum "basic" { value 0; description "Trace web-filtering module generic basic information"; } enum "session-manager" { value 1; description "Trace session management information"; } enum "heartbeat" { value 2; description "Trace connectivity information with web-filter server"; } enum "packet" { value 3; description "Trace packet information from session management"; } enum "profile" { value 4; description "Trace profile config information"; } enum "requests" { value 5; description "Trace requests sent to web-filter server"; } enum "response" { value 6; description "Trace response received from web-filter server"; } enum "socket" { value 7; description "Trace communication socket with web-filter server"; } enum "timer" { value 8; description "Trace aging information for requests sent to server"; } enum "ipc" { value 9; description "Trace communication events with PFE"; } enum "cache" { value 10; description "Trace category cache operations"; } enum "enhanced" { value 11; description "Trace Juniper enhanced web-filtering operations"; } enum "all" { value 12; description "Enable trace all anti-virus trace options"; } } description "Trace options for web-filtering feature trace flag name"; } } // list flag } // grouping web-filtering-traceoptions grouping webfilter-feature { description "Web-filtering feature settings"; uses apply-advanced; container surf-control-integrated { status deprecated; description "Configure web-filtering surf-control integrated engine"; uses surf-control-integrated-type; } // container surf-control-integrated container websense-redirect { description "Configure web-filtering websense redirect engine"; uses websense-type; } // container websense-redirect container juniper-local { description "Configure web-filtering juniper local engine"; uses juniper-local-type; } // container juniper-local container juniper-enhanced { description "Configure web-filtering juniper enhanced engine"; uses juniper-enhanced-type; } // container juniper-enhanced } // grouping webfilter-feature grouping juniper-enhanced-type { description "Juniper Enhanced"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Juniper enhanced profile"; leaf name { type string { length "1 .. 29"; } description "Juniper enhanced profile name"; } uses apply-advanced; leaf base-filter { type string; description "Juniper base filter"; } list category { key "name"; ordered-by user; description "Juniper enhanced category"; uses juniper-enhanced-category-type; } // list category container site-reputation-action { presence "enable site-reputation-action"; description "Juniper enhanced site reputation action"; uses juniper-enhanced-site-reputation-setting; } // container site-reputation-action leaf default { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } enum "quarantine" { value 3; description "Quarantine action"; } } description "Juniper enhanced profile default"; } leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } container fallback-settings { presence "enable fallback-settings"; description "Juniper enhanced fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "seconds"; description "Juniper enhanced timeout"; } leaf no-safe-search { type empty; description "Do not perform safe-search for Juniper enhanced protocol"; } } // list profile } // grouping juniper-enhanced-type grouping juniper-local-type { description "Juniper local"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Juniper local profile"; leaf name { type string { length "1 .. 29"; } description "Juniper local profile name"; } uses apply-advanced; leaf default { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } } description "Juniper local profile default"; } list category { key "name"; ordered-by user; description "Custom category"; uses custom-category-type; } // list category leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } leaf no-safe-search { type empty; description "Do not perform safe-search for Juniper local protocol"; } container fallback-settings { presence "enable fallback-settings"; description "Juniper local fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; description "Juniper local timeout"; } } // list profile } // grouping juniper-local-type grouping surf-control-integrated-type { description "Surf control integrated"; uses apply-advanced; container cache { presence "enable cache"; uses apply-advanced; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "minutes"; default "1440"; description "Surf control integrated cache timeout"; } leaf size { type string; units "kilobytes"; default "1024"; description "Surf control integrated cache size"; } } // container cache container server { presence "enable server"; description "Surf control server"; uses server; } // container server list profile { key "name"; ordered-by user; description "Surf control integrated profile"; leaf name { type string { length "1 .. 29"; } description "Surf control integrated profile name"; } uses apply-advanced; list category { key "name"; ordered-by user; description "Surf control integrated category"; uses surf-control-integrated-category-type; } // list category leaf default { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } } description "Surf control integrated profile default"; } leaf custom-block-message { type string { length "1 .. 512"; } description "Surf control integrated custom block message"; } container fallback-settings { presence "enable fallback-settings"; description "Surf control integrated fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; default "15"; description "Surf control integrated timeout"; } } // list profile } // grouping surf-control-integrated-type grouping surf-control-integrated-category-type { description "Surf control integrated category type"; leaf name { type string { length "1 .. 59"; } description "Surf control integrated category type name"; } uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Permit action"; } enum "block" { value 1; description "Block action"; } enum "log-and-permit" { value 2; description "Log and permit action"; } } description "Surf control integrated category type action"; } } // grouping surf-control-integrated-category-type grouping websense-type { description "Websense redirect"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Websense redirect profile"; leaf name { type string { length "1 .. 29"; } description "Websense redirect profile name"; } uses apply-advanced; container server { presence "enable server"; description "Websense redirect server"; uses server; } // container server list category { key "name"; ordered-by user; description "Custom category"; uses custom-category-type; } // list category leaf custom-message { junos:must "("security utm custom-objects custom-message $$")"; junos:must-message "custom-message must be defined"; type string; description "Custom message"; } leaf no-safe-search { type empty; description "Do not perform safe-search for websense redirect protocol"; } container fallback-settings { presence "enable fallback-settings"; description "Websense redirect fallback settings"; uses web-filtering-fallback-setting; } // container fallback-settings leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1800"; } } units "seconds"; description "Websense redirect timeout"; } leaf sockets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Websense redirect sockets number"; } leaf account { type string { length "1 .. 28"; } description "Websense redirect account"; } } // list profile } // grouping websense-type grouping wildcard-address-type { description "Wildcard address and mask"; leaf name { type string { length "1 .. 63"; } description "Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask"; } uses apply-advanced; } // grouping wildcard-address-type grouping zone-interface-list-type { description "Logical interfaces in this zone"; leaf name { junos:must "(!(("protocols l2-learning global-mode switching" && "interfaces $$ family ethernet-switching")))"; junos:must-message "Referenced interface must not be ethernet-switching interface of switching mode"; junos:must "(!((!("protocols l2-learning global-mode transparent-bridge") && "interfaces $$ family ethernet-switching")))"; junos:must-message "Referenced interface must not be ethernet-switching interface of switching mode"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Logical interface"; } uses apply-advanced; container host-inbound-traffic { uses interface_host_inbound_traffic_t; } // container host-inbound-traffic } // grouping zone-interface-list-type grouping interface_host_inbound_traffic_t { uses apply-advanced; list system-services { key "name"; ordered-by user; description "Type of incoming system-service traffic to accept"; uses interface-system-services-object-type; } // list system-services list protocols { key "name"; ordered-by user; description "Protocol type of incoming traffic to accept"; uses host-inbound-protocols-object-type; } // list protocols } // grouping interface_host_inbound_traffic_t grouping host-inbound-protocols-object-type { description "Protocol type of incoming traffic to accept"; leaf name { type enumeration { enum "all" { value 0; description "All protocols"; } enum "bfd" { value 1; description "Bidirectional Forwarding Detection"; } enum "bgp" { value 2; description "Border Gateway Protocol"; } enum "dvmrp" { value 3; description "Distance Vector Multicast Routing Protocol"; } enum "igmp" { value 4; description "Internet Group Management Protocol"; } enum "ldp" { value 5; description "Label Distribution Protocol"; } enum "msdp" { value 6; description "Multicast Source Discovery Protocol"; } enum "ndp" { value 7; description "IPv6 Neighbor Discovery Protocol"; } enum "nhrp" { value 8; description "Next Hop Resolution Protocol"; } enum "ospf" { value 9; description "Open Shortest Path First"; } enum "ospf3" { value 10; description "Open Shortest Path First version 3"; } enum "pgm" { value 11; description "Pragmatic General Multicast"; } enum "pim" { value 12; description "Protocol Independent Multicast"; } enum "rip" { value 13; description "Routing Information Protocol"; } enum "ripng" { value 14; description "Routing Information Protocol next generation"; } enum "router-discovery" { value 15; description "Router Discovery"; } enum "rsvp" { value 16; description "Resource Reservation Protocol"; } enum "sap" { value 17; description "Session Announcement Protocol"; } enum "vrrp" { value 18; description "Virtual Router Redundancy Protocol"; } } description "Protocol name"; } uses apply-advanced; leaf except { junos:must "(".. .. protocols all")"; junos:must-message "'except'' statement can be included only along with 'protocols all' statement"; type empty; description "Protocol type of incoming traffic to disallow"; } } // grouping host-inbound-protocols-object-type grouping interface-system-services-object-type { description "Type of incoming system-service traffic to accept"; leaf name { type enumeration { enum "all" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 0; description "All system services"; } enum "bootp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 1; description "Bootp and dhcp relay-agent service"; } enum "dhcp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 2; description "Dynamic Host Configuration Protocol"; } enum "dhcpv6" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 3; description "Enable Dynamic Host Configuration Protocol for IPv6"; } enum "dns" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 4; description "DNS service"; } enum "finger" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 5; description "Finger service"; } enum "ftp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 6; description "FTP"; } enum "ident-reset" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 7; description "Send back TCP RST to IDENT request for port 113"; } enum "http" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 8; description "Web management service using HTTP"; } enum "https" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 9; description "Web management service using HTTP secured by SSL"; } enum "ike" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 10; description "Internet Key Exchange"; } enum "netconf" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 11; description "NETCONF service"; } enum "ping" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 12; description "Internet Control Message Protocol echo requests"; } enum "rlogin" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 13; description "Rlogin service"; } enum "reverse-telnet" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 14; description "Reverse telnet service"; } enum "reverse-ssh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 15; description "Reverse SSH service"; } enum "rpm" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 16; description "Real-time performance monitoring"; } enum "rsh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 17; description "Rsh service"; } enum "snmp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 18; description "Simple Network Management Protocol service"; } enum "snmp-trap" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 19; description "Simple Network Management Protocol traps"; } enum "ssh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 20; description "SSH service"; } enum "telnet" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 21; description "Telnet service"; } enum "traceroute" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 22; description "Traceroute service"; } enum "xnm-ssl" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 23; description "JUNOScript API service over SSL"; } enum "xnm-clear-text" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 24; description "JUNOScript API for unencrypted traffic over TCP"; } enum "tftp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 25; description "TFTP"; } enum "lsping" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 26; description "Label Switched Path ping service"; } enum "ntp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 27; description "Network Time Protocol service"; } enum "sip" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 28; description "Enable Session Initiation Protocol service"; } enum "r2cp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 29; description "Enable Radio-Router Control Protocol service"; } enum "webapi-clear-text" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 30; description "Webapi service using http"; } enum "webapi-ssl" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 31; description "Webapi service using HTTP secured by SSL"; } enum "tcp-encap" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 32; description "Tcp encapsulation service"; } enum "appqoe" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 33; description "APPQOE active probe service"; } enum "high-availability" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 34; description "High Availability service"; } enum "any-service" { value 35; description "Enable services on entire port range"; } } } uses apply-advanced; leaf except { junos:must "(".. .. system-services all")"; junos:must-message "'except'' statement can be included only along with 'system-services all' statement"; type empty; description "Type of incoming system-service traffic to disallow"; } } // grouping interface-system-services-object-type grouping zone_host_inbound_traffic_t { uses apply-advanced; list system-services { key "name"; ordered-by user; description "Type of incoming system-service traffic to accept"; uses zone-system-services-object-type; } // list system-services list protocols { key "name"; ordered-by user; description "Protocol type of incoming traffic to accept"; uses host-inbound-protocols-object-type; } // list protocols } // grouping zone_host_inbound_traffic_t grouping zone-system-services-object-type { description "Type of incoming system-service traffic to accept"; leaf name { type enumeration { enum "all" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 0; description "All system services"; } enum "bootp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 1; description "Bootp and dhcp relay-agent service"; } enum "dhcp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 2; description "Dynamic Host Configuration Protocol"; } enum "dhcpv6" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 3; description "Enable Dynamic Host Configuration Protocol for IPv6"; } enum "dns" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 4; description "DNS service"; } enum "finger" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 5; description "Finger service"; } enum "ftp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 6; description "FTP"; } enum "ident-reset" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 7; description "Send back TCP RST to IDENT request for port 113"; } enum "http" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 8; description "Web management service using HTTP"; } enum "https" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 9; description "Web management service using HTTP secured by SSL"; } enum "ike" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 10; description "Internet Key Exchange"; } enum "netconf" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 11; description "NETCONF service"; } enum "ping" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 12; description "Internet Control Message Protocol echo requests"; } enum "rlogin" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 13; description "Rlogin service"; } enum "reverse-telnet" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 14; description "Reverse telnet service"; } enum "reverse-ssh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 15; description "Reverse SSH service"; } enum "rpm" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 16; description "Real-time performance monitoring"; } enum "rsh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 17; description "Rsh service"; } enum "snmp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 18; description "Simple Network Management Protocol service"; } enum "snmp-trap" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 19; description "Simple Network Management Protocol traps"; } enum "ssh" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 20; description "SSH service"; } enum "telnet" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 21; description "Telnet service"; } enum "traceroute" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 22; description "Traceroute service"; } enum "xnm-ssl" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 23; description "JUNOScript API service over SSL"; } enum "xnm-clear-text" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 24; description "JUNOScript API for unencrypted traffic over TCP"; } enum "tftp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 25; description "TFTP"; } enum "lsping" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 26; description "Label Switched Path ping service"; } enum "ntp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 27; description "Network Time Protocol service"; } enum "sip" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 28; description "Enable Session Initiation Protocol service"; } enum "r2cp" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 29; description "Enable Radio-Router Control Protocol service"; } enum "webapi-clear-text" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 30; description "Webapi service using http"; } enum "webapi-ssl" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 31; description "Webapi service using HTTP secured by SSL"; } enum "tcp-encap" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 32; description "Tcp encapsulation service"; } enum "appqoe" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 33; description "APPQOE active probe service"; } enum "high-availability" { junos:must "(!(".. .. system-services $$={any-service}"))"; junos:must-message "If `any` is set other services are disallowed"; value 34; description "High Availability service"; } enum "any-service" { value 35; description "Enable services on entire port range"; } } } uses apply-advanced; leaf except { junos:must "(".. .. system-services all")"; junos:must-message "'except'' statement can be included only along with 'system-services all' statement"; type empty; description "Type of incoming system-service traffic to disallow"; } } // grouping zone-system-services-object-type } // module junos-es-conf-security
© 2023 YumaWorks, Inc. All rights reserved.