Junos services configuration module
Version: 2019-01-01
module junos-es-conf-services { yang-version 1; namespace "http://yang.juniper.net/junos-es/conf/services"; prefix jc-services; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-es-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos services configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses services-group; } augment /jc:configuration/jc:groups { uses services-group; } grouping services-group { container services { description "System services"; uses apply-advanced; container flow-tap { description "Configure flow-tap parameters"; uses apply-advanced; container family { description "Address family of packets to tap"; uses apply-advanced; leaf inet { type empty; description "IPv4 family"; } leaf inet6 { type empty; description "IPv4 family"; } leaf ccc { type empty; description "CCC family"; } } // container family leaf interface { junos:must "(!("services flow-tap tunnel-interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Service interface on which to configure flow-tap service"; } leaf tunnel-interface { junos:must "(!("services flow-tap interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow 
capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet6")"; junos:must-message "Interface with family inet6 must be defined in the [edit interfaces] hierarchy"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Tunnel interface through which flow-tap would communicate with MD"; } } // container flow-tap container radius-flow-tap { description "Configure radius triggered flow-tap parameters"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to intercepted packets"; } leaf source-ipv4-address { type jt:ipv4addr; description "IP Address to use as source address in IPv4 header appended to intercepted packets"; } leaf multicast-interception { type empty; description "Enable Multicast Tapping"; } container interfaces { description "Tunnel Interfaces"; uses apply-advanced; list tunnel-interface { key "name"; uses tunnel_interface_type; } // list tunnel-interface } // container interfaces choice ri_or_ls { leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } list logical-system { key "name"; max-elements 1; ordered-by user; description "Logical system to be used for radius flow tap"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Referenced logical system must be defined"; type string; description "Logical system name"; } uses apply-advanced; leaf routing-instance { junos:must "("logical-systems ${logical-system} routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; 
description "Routing instance to be used for radius flow tap"; } } // list logical-system } // choice ri_or_ls list policy { key "name"; ordered-by user; description "Policy"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Policy Name"; } uses apply-advanced; container inet { description "Protocol family IPv4 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv4 drop policy"; uses drop-policy-term; } // list drop-policy } // container inet container inet6 { description "Protocol family IPv6 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv6 drop policy"; uses drop-policy6-term; } // list drop-policy } // container inet6 } // list policy container snmp { description "SNMP options for radius flow tap"; uses apply-advanced; list notify-targets { key "name"; ordered-by user; description "Target list for packet mirror SNMP notifications"; leaf name { type jt:ipaddr; description "Target IP address"; } uses apply-advanced; } // list notify-targets } // container snmp } // container radius-flow-tap container mobile-flow-tap { description "Configure mobile triggered flow-tap parameters"; uses apply-advanced; container source-interface { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "mobile flow service and dynamic flow capture service cannot be configured together"; junos:must "(!("services radius-flow-tap"))"; junos:must-message "mobile flow service and radius flow capture service cannot be configured together"; junos:must "(!("services flow-tap"))"; junos:must-message "mobile flow service and flow capture service cannot be configured together"; presence "enable source-interface"; description "Source interface from which IRI packets will be sent"; leaf interface-name { junos:must "("interfaces $$")"; junos:must-message "Interface 
must be defined"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf ipv4-address { type jt:ipv4addr; description "Source IPv4 address to be used"; } } // container source-interface } // container mobile-flow-tap container flow-monitoring { presence "enable flow-monitoring"; description "Configure flow monitoring"; uses apply-advanced; container version9 { description "Version 9 configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version 9 templates"; uses version9-template; } // list template } // container version9 container version-ipfix { description "Version IP-Fix configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version ip-fix templates"; uses version-ipfix-template; } // list template } // container version-ipfix } // container flow-monitoring container jdaf { description "Juniper distributed application framework (JDAF)"; uses apply-advanced; leaf-list routing-instances { type string { length "1 .. 
128"; } ordered-by user; description "List of routing-instance name for JDAF clients"; } } // container jdaf container rpm { presence "enable rpm"; description "Real-time performance monitoring"; uses apply-advanced; container traceoptions { description "RMOPD trace options"; uses rmopd-traceoptions; } // container traceoptions container bgp { description "BGP options for real-time performance monitoring"; uses apply-advanced; leaf probe-type { type enumeration { enum "icmp-ping" { value 0; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 1; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 2; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 3; description "Send TCP packets to target"; } enum "udp-ping" { value 4; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 5; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "RPM-BGP probe request type"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1024"; } } default "0"; description "Number of samples used for moving average"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } list logical-system { key "name"; description "Logical systems"; uses bgp-logical-system; } // list logical-system list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // container bgp list probe { key "name"; ordered-by user; description "TCP/UDP/ICMP ping"; leaf name { type string { length "1 .. 32"; } description "Name of owner"; } uses apply-advanced; leaf delegate-probes { type empty; description "Offload real-time performance monitoring probes to MS-MIC/MS-MPC card"; } list test { key "name"; ordered-by user; description "TCP/UDP/ICMP/ICMP6 ping test"; leaf name { type string { length "1 .. 32"; } description "Name of test"; } uses apply-advanced; container rpm-scale { presence "enable rpm-scale"; description "Configuring real-time performance monitoring scale tests"; uses apply-advanced; leaf tests-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Number of probe-tests generated using scale config"; } choice target-type { container target { junos:must "(!(".. 
source-inet6"))"; junos:must-message "source-inet6 knob not valid for IPV4 probes"; presence "enable target"; description "Target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of target host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment target address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target container target-inet6 { junos:must "(!(".. source"))"; junos:must-message "source knob not valid for IPV6 probes"; presence "enable target-inet6"; description "IPv6 target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of target host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment target address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target-inet6 } // choice target-type choice source-type { container source { junos:must "(!(".. target-inet6"))"; junos:must-message "target-inet6 knob not valid for IPV4 probes"; presence "enable source"; description "Source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment src address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source container source-inet6 { junos:must "(!(".. 
target"))"; junos:must-message "target knob not valid for IPV6 probes"; presence "enable source-inet6"; description "IPv6 source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment src address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source-inet6 } // choice source-type container destination { presence "enable destination"; description "Name of output interface for probes"; uses apply-advanced; leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Base destination interface for scale test"; } leaf subunit-cnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Subunit count for destination interface for scale test"; } } // container destination } // container rpm-scale leaf probe-type { type enumeration { enum "http-get" { value 0; description "Perform HTTP Get request at target URL"; } enum "http-metadata-get" { value 1; description "Perform HTTP Get request of metadata at target URL"; } enum "icmp-ping" { value 2; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 3; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 4; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 5; description "Send TCP packets to target"; } enum "udp-ping" { value 6; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 7; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "Probe request type"; } container target { presence "enable target"; description "Target destination for probe"; choice target-type { 
leaf address { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type jt:ipv4addr; description "Address of target host"; } leaf inet6-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type jt:ipv6addr; description "Inet6 Address of target host"; } leaf url { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type string; description "Fully formed target URL"; } leaf inet6-url { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type string; description "Fully formed target IPV6 URL"; } } // choice target-type } // container target container inet6-options { presence "enable inet6-options"; description "IPV6 related options"; uses apply-advanced; leaf source-address { type jt:ipv6addr; description "Inet6 Source Address of the probe"; } } // container inet6-options leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf source-address { junos:must "(!(".. 
target inet6-address"))"; junos:must-message "source-address knob for IPV6 based probes is under inet6-options"; type jt:ipv4addr; description "Source address for probe"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by probes"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } container thresholds { presence "enable thresholds"; description "Probe and test threshold values. 
Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds leaf-list traps { type enumeration { enum "probe-failure" { value 0; description "Successive probe loss threshold reached"; } enum "test-failure" { value 1; description "Total probe loss threshold reached"; } enum "test-completion" { value 2; description "Test completed"; } enum "rtt-exceeded" { value 3; description "Exceeded maximum round trip time threshold"; } enum "std-dev-exceeded" { value 4; description "Exceeded round trip time standard deviation threshold"; } enum "jitter-exceeded" { value 5; description "Exceeded jitter in round trip time threshold"; } enum "ingress-time-exceeded" { value 6; description "Exceeded maximum ingress time threshold"; } enum "ingress-std-dev-exceeded" { value 7; description "Exceeded ingress time standard deviation threshold"; } enum "ingress-jitter-exceeded" { value 8; description "Exceeded jitter in ingress time threshold"; } enum "egress-time-exceeded" { value 9; description "Exceeded maximum egress time threshold"; } enum "egress-std-dev-exceeded" { value 10; description "Exceeded egress time standard deviation threshold"; } enum "egress-jitter-exceeded" { value 11; description "Exceeded jitter in egress time threshold"; } } ordered-by user; description "Trap to send if threshold is met or exceeded"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } leaf hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "Hardware timestamping not supported for IPV6 based probes."; junos:must "((!(".. destination-port") || ".. 
destination-port $$={7}"))"; junos:must-message "For UDP pings, only port 7 can be configured for hardware timestamping."; type empty; description "Packet Forwarding Engine updates timestamps"; } leaf one-way-hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "One-way hardware timestamping not supported for IPV6 based probes."; type empty; description "Enable hardware timestamps for one-way measurements"; } leaf next-hop { type jt:ipv4addr; description "Next-hop to which probe should be sent"; } } // list test } // list probe container probe-server { description "ICMP/TCP/UDP probe server"; uses apply-advanced; container icmp { description "ICMP probe server"; uses apply-advanced; leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } } // container icmp container tcp { description "TCP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } } // container tcp container udp { description "UDP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } } // container udp } // container probe-server leaf probe-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500"; } } default "100"; description "Maximum number of concurrent probes allowed"; } container rfc2544-benchmarking { presence "enable rfc2544-benchmarking"; description "Rfc2544 benchmarking tests"; uses apply-advanced; container profiles { description "Rfc2544 test profiles"; uses apply-advanced; list test-profile { key "name"; ordered-by user; description "Test-profile definition"; leaf name { junos:must "(".. bandwidth-kbps")"; junos:must-message "bandwidth-kbps has to be configured in a profile"; junos:must "(".. test-type")"; junos:must-message "test-type has to be configured in a profile"; junos:must "(".. packet-size")"; junos:must-message "packet-size has to be configured in a profile"; type string { length "1 .. 32"; } description "Test name"; } uses apply-advanced; leaf test-type { type enumeration { enum "throughput" { value 0; description "Rfc2544 throughput test"; } enum "latency" { value 1; description "Rfc2544 latency test"; } enum "frame-loss" { value 2; description "Rfc2544 frame-loss test"; } enum "back-back-frames" { value 3; description "Rfc2544 back to back frames test"; } } default "throughput"; description "Rfc2544 test type"; } leaf-list packet-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 9216"; } } ordered-by user; description "Size of the test packet"; } leaf bandwidth-kbps { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10000"; description "Theoretical max service bandwidth in kbps"; } leaf step-percent { junos:must "(".. test-type frame-loss")"; junos:must-message "step-percent is valid only for frame-loss test"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } default "10"; description "Step percent for test"; } } // list test-profile } // container profiles container tests { presence "enable tests"; description "Rfc2544 test configuration"; uses apply-advanced; list test-name { key "name"; ordered-by user; description "Test definition"; leaf name { junos:must "(".. mode")"; junos:must-message "mode has to be configured in a test"; type string { length "1 .. 32"; } description "Test name"; } uses apply-advanced; leaf test-profile { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; junos:must "("services rpm rfc2544-benchmarking profiles test-profile $$")"; junos:must-message "test-profile not configured"; type string; description "Name of the test profile"; } leaf source-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "source-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of source host in xx:xx:xx:xx:xx:xx format -Generator MAC"; } leaf destination-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "destination-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of destination host in xx:xx:xx:xx:xx:xx format -Reflector MAC"; } leaf ovlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ovlan-id is not valid for mode ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "ovlan-id valid only for ccc/bridge/vpls family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Outer vlan id"; } leaf ovlan-priority { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-priority is valid only when ovlan-id is configured"; junos:must "(".. 
family bridge")"; junos:must-message "ovlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Outer vlan priority"; } leaf ovlan-cfi { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-cfi is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ovlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Outer vlan CFI bit"; } leaf outer-tag-protocol-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "outer-tag-protocol-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "outer-tag-protocol-id is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "outer-tag-protocol-id is valid only for Bridge family"; type string { junos:posix-pattern "^0x[abcdefABCDEF0123456789]{4}$"; junos:pattern-message "Must be hexadecimal bit pattern of form 0xNNNN"; } default "0x8100"; description "Outer tag protocol id"; } leaf ivlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ivlan-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "ivlan-id is valid only when ovlan-id is configured"; junos:must "((".. family ccc" || ".. family bridge"))"; junos:must-message "ivlan-id valid only for ccc/bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Inner vlan id"; } leaf ivlan-priority { junos:must "(".. ivlan-id")"; junos:must-message "ivlan-priority is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Inner vlan priority"; } leaf ivlan-cfi { junos:must "(".. 
ivlan-id")"; junos:must-message "ivlan-cfi is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Inner vlan CFI bit"; } leaf service-type { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "service-type is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "service-type is valid only for bridge family"; type enumeration { enum "eline" { value 0; description "Eline service"; } enum "elan" { value 1; description "Elan service"; } } description "Service type"; } leaf in-service { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "in-service is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "in-service mode is supported only for bridge/vpls family"; type empty; description "Test executed in-service mode"; } leaf ip-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "ip-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "ip-swap is supported only for bridge/vpls family"; type empty; description "Swap IP in the test payload"; } leaf udp-tcp-port-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "udp-tcp-port-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "udp-tcp-port-swap is supported only for bridge/vpls family"; type empty; description "Swap UDP/TCP port in the test payload"; } leaf disable-signature-check { junos:must "(".. 
mode reflect")"; junos:must-message "disable-signature-check is valid only in reflector mode"; type empty; description "Signature check disable"; } leaf packet-loss-priority { junos:must "(".. family bridge")"; junos:must-message "packet-loss-priority is valid only for bridge family"; type enumeration { enum "low" { value 0; description "Packet loss priority is low"; } enum "high" { value 1; description "Packet loss priority is high"; } enum "medium-high" { value 2; description "Packet loss priority is medium-high"; } } description "Packet loss priority assigned to the frames"; } leaf dscp-code-points { junos:must "(!(".. mode terminate"))"; junos:must-message "'dscp-code-points' cannot be configured in terminate mode"; junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "'dscp-code-points' cannot be configured in ethernet-loopback mode"; junos:must "(!(".. mode reflect"))"; junos:must-message "'dscp-code-points' cannot be configured in reflector mode"; type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf mode { type enumeration { enum "reflect" { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; value 0; description "Reflector end"; } enum "initiate-and-terminate" { junos:must "(".. test-profile")"; junos:must-message "test-profile <profilename> has to be configured in a test when in initiate:and-terminate mode"; value 1; description "Initiate and terminator"; } enum "ethernet-loopback" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured in a test when in ethernet-loopback mode"; junos:must "(".. family bridge")"; junos:must-message "family bridge has to be configured in a test"; value 2; description "Ethernet loopback"; } } description "Test mode"; } leaf reflect-mode { junos:must "((".. 
mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "reflect-mode is valid only when test mode is reflect or ethernet-loopback"; type enumeration { enum "mac-swap" { value 0; description "Mac swap "; } enum "no-mac-swap" { junos:must "(!(".. service-type elan"))"; junos:must-message "'no-mac-swap' cannot be configured for elan service-type"; value 1; description "No mac-swap"; } enum "mac-rewrite" { junos:must "(".. destination-mac-address")"; junos:must-message "destination-mac-address needs to be configured with mac-rewrite mode"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address needs to be configured with mac-rewrite mode"; junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "'mac-rewrite' cannot be configured for mode ethernet-loopback"; value 2; description "Mac-rewrite"; } } description "Reflect mode"; } leaf family { type enumeration { enum "inet" { junos:must "(".. destination-ipv4-address")"; junos:must-message "destination-ipv4-address has to be configured with inet family"; junos:must "(".. destination-udp-port")"; junos:must-message "destination-udp-port has to be configured with inet family"; value 0; description "Inet family"; } enum "ccc" { junos:must "(".. direction")"; junos:must-message "direction needs to be configured with CCC family"; value 1; description "CCC family "; } enum "bridge" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with bridge family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with bridge family"; value 2; description "Bridge family "; } enum "vpls" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with vpls family"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address has to be configured with vpls family"; junos:must "(".. 
destination-mac-address")"; junos:must-message "destination-mac-address has to be configured with vpls family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with vpls family"; value 3; description "VPLS family "; } } description "Family type"; } leaf reflect-etype { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "reflect-etype valid only with mode reflect or ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "reflect-etype valid only for CCC/Bridge/VPLS family"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Etype to match for reflect mode"; } leaf direction { junos:must "(".. test-interface")"; junos:must-message "direction must be configured along with test-interface"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "direction can be configured only with ccc/bridge/vpls family"; type enumeration { enum "ingress" { value 0; description "Pseudo-wire/Bridge/Vpls Ingress direction"; } enum "egress" { value 1; description "Pseudo-wire/Bridge/Vpls Egress direction"; } } description "Direction of test"; } leaf timestamp-format { type enumeration { enum "microseconds" { value 0; description "Timestamps in microseconds"; } enum "nanoseconds" { value 1; description "Timestamps in nanoseconds"; } } description "Format of timestamp values"; } leaf source-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Source udp port"; } leaf destination-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Destination udp port"; } leaf test-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
5000"; } } default "10"; status deprecated; description "Test duration in minutes"; } leaf test-iterator-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1728000"; } } description "Duration of each iteration in seconds"; } leaf test-finish-wait-duration { junos:must "(".. mode initiate-and-terminate")"; junos:must-message "test-finish-wait-duration is valid only when test mode is initiate-and-terminate"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } default "1"; description "Number of seconds to wait after test completes before stopping the test"; } leaf transmit-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Transmit failure-threshold (default 0.5%)"; } leaf receive-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0"; description "Receive failure-threshold (default 0%)"; } leaf test-iterator-pass-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Test pass-threshold (default 0.5%)"; } leaf halt-on-prefix-down { junos:must "(".. 
family inet")"; junos:must-message "halt-on-prefix-down is valid only for inet family"; type empty; description "Halt test on prefix down"; } leaf skip-arp-iteration { type empty; description "Skip arp iteration in tests"; } leaf test-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of interface(ifl) for test"; } leaf destination-ipv4-address { type jt:ipv4addr; description "Destination address for test"; } leaf source-ipv4-address { type jt:ipv4addr; description "Source address for test"; } } // list test-name } // container tests } // container rfc2544-benchmarking container twamp { description "Two-way Active Measurement Protocol configuration"; uses apply-advanced; leaf post-cli-implicit-firewall { type empty; description "Enable post cli implicit firewall"; } container client { description "TWAMP client configuration"; uses apply-advanced; list control-connection { key "name"; ordered-by user; description "TWAMP control session configuration"; leaf name { junos:must "((".. control-type light" || ".. target-address"))"; junos:must-message "managed control-type requires target-address"; type string { length "1 .. 32"; } description "Client name"; } uses apply-advanced; container authentication-mode { description "Authentication modes"; uses apply-advanced; leaf none { type empty; description "No authentication or encryption"; } } // container authentication-mode leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for all test sessions"; } leaf persistent-results { type empty; description "Displays the old results along with present. 
Default disable"; } leaf control-type { type enumeration { enum "light" { value 0; description "No control connection to manage test sessions"; } enum "managed" { value 1; description "Control connection will negotiate test sessions"; } } default "managed"; description "TWAMP control connection type"; } leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; } leaf tcp-keepintvl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "5"; description "Delay between successive TCP KEEPALIVEs (default 5)"; } leaf tcp-keepcnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } default "6"; description "Number of TCP KEEPALIVEs sent (default 6)"; } leaf destination-port { junos:must "(!(".. control-type light"))"; junos:must-message "destination-port requires managed control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 65535"; } } default "862"; description "TCP TWAMP client listening port for the test sessions. Default 862"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 500"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1024"; } } default "0"; description "Number of samples used for moving average"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by the test sessions"; } leaf target-address { junos:must "(!(".. control-type light"))"; junos:must-message "target-address only valid for managed control-type"; type jt:ipv4addr; description "Destination IPv4 address of TWAMP responder"; } leaf test-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967290"; } } default "0"; description "Total number of test session iterations"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between test session iterations"; } container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf test-iteration-done { type empty; description "All test sessions configured under the control connection have completed an iteration"; } leaf control-connection-closed { type empty; description "Control connection closed"; } } // container traps list test-session { key "name"; ordered-by user; description "Test session details"; leaf name { type string { length "1 .. 32"; } description "Test session name"; } uses apply-advanced; leaf target-address { type jt:ipaddr; description "Destination IPv4 or IPv6 address of TWAMP responder"; } leaf destination-port { junos:must "(".. .. control-type light")"; junos:must-message "destination-port requires light control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 
65535"; } } default "862"; description "Target port number for test"; } leaf data-fill-with-zeros { type empty; description "Fill contents of test packet with zeros"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 1400"; } } default "60"; description "Size of the data portion of the probes"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias used for TCP control and UDP TWAMP test packets"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967290"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between two consecutive probes"; } container thresholds { presence "enable thresholds"; description "TWAMP test threshold values. Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967290"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf max-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; status deprecated; description "Maximum round trip time per test"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf probe-failure { type empty; description "Successive probe loss threshold reached"; } leaf test-failure { type empty; description "Total probe loss threshold reached"; } leaf test-completion { type empty; description "Test completed"; } leaf rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold"; } leaf max-rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold at the end of per test"; } leaf std-dev-exceeded { type empty; description "Exceeded round trip time standard deviation threshold"; } leaf jitter-exceeded { type empty; description "Exceeded jitter in round trip time threshold"; } leaf ingress-time-exceeded { type empty; description "Exceeded maximum ingress time threshold"; } leaf ingress-std-dev-exceeded { type empty; description "Exceeded ingress time standard deviation threshold"; } leaf ingress-jitter-exceeded { type empty; description "Exceeded jitter in ingress time threshold"; } leaf egress-time-exceeded { type empty; description "Exceeded maximum egress time threshold"; } leaf egress-std-dev-exceeded { type empty; description "Exceeded egress time standard deviation threshold"; } leaf egress-jitter-exceeded { type empty; description "Exceeded jitter in egress time threshold"; } } // container traps } // list test-session } // list control-connection } // container client container server { description "TWAMP server configuration"; uses apply-advanced; leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; } leaf tcp-keepintvl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "5"; description "Delay between successive TCP KEEPALIVEs (default 5)"; } leaf tcp-keepcnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } default "6"; description "Number of TCP KEEPALIVEs sent (default 6)"; } list routing-instance-list { key "name"; ordered-by user; description "List of allowed routing instances, not more than 100, along with ports"; leaf name { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of the routing instance"; } uses apply-advanced; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port to be used by the routing instance"; } } // list routing-instance-list container authentication-mode { description "Authentication modes"; uses apply-advanced; leaf none { type empty; description "No authentication or encryption"; } container authenticated { presence "enable authenticated"; description "Authenticated mode"; leaf control-only { type empty; status deprecated; description "Authentication mode only for TWAMP control protocol"; } } // container authenticated container encrypted { presence "enable encrypted"; description "Encrypted mode"; leaf control-only { junos:must "(!(".. .. 
encrypted-control-only"))"; junos:must-message "'encrypted control-only' and 'control-only-encrypted' cannot be configured simultaneously"; type empty; status deprecated; description "Encryption mode only for TWAMP control protocol"; } } // container encrypted leaf control-only-encrypted { type empty; description "Encrypted control and unauthenticated data mode"; } } // container authentication-mode list authentication-key-chain { key "name"; ordered-by user; description "Authentication key chain configuration"; uses twamp-authentication-key-chain; } // list authentication-key-chain leaf server-inactivity-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 30"; } } units "minutes"; default "15"; description "Control packet idle timeout value in minutes, 0 to disable"; } leaf max-connection-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 120"; } } units "hours"; default "0"; description "Maximum Connection duration in hours, 0 to disable"; } leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 2048"; } } default "64"; description "Maximum number of test sessions for the server"; } leaf maximum-sessions-per-connection { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1024"; } } description "Maximum number of test sessions per client connection"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } default "64"; description "Maximum number of connections for the server"; } leaf maximum-connections-per-client { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500"; } } description "Maximum number of server connections per client"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } default "862"; description "TWAMP server listening port"; } list client-list { key "name"; ordered-by user; description "List of allowed clients"; leaf name { type string { length "1 .. 127"; } description "Name of client list"; } uses apply-advanced; list address { key "name"; ordered-by user; description "IPv4 prefix of TWAMP client"; leaf name { junos:must "(unique "services rpm twamp server client-list <*> address $$")"; junos:must-message "Same ipv4 address can not be configured under multiple client lists"; type jt:ipv4prefix; description "IPv4 prefix of TWAMP client"; } uses apply-advanced; } // list address } // list client-list container light { presence "enable light"; description "Enable TWAMP server for light control on the default port"; uses apply-advanced; leaf-list port { type union { type uint16; type string { pattern "<.*>|$.*"; } } max-elements 1000; ordered-by user; description "UDP ports reflecting TWAMP light test packets"; } } // container light } // container server } // container twamp } // container rpm container app-engine { description "App-engine"; uses apply-advanced; container security { presence "enable security"; description "Enable app-engine security"; } // container security container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage leaf default-compute-node-package { type string; description "Default JunosV App Engine package for appliance"; } list compute-cluster { key "name"; ordered-by user; description "Configure compute cluster"; leaf name { type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; container local-management { junos:must "(all ".. 
compute-node <*> interfaces")"; junos:must-message "Must specify compute-node management interface"; description "Management address connected to compute cluster"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restricted to the specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage list compute-node { key "name"; max-elements 1; ordered-by user; description "Compute node name"; leaf name { type string { length "1 .. 
15"; } description "Compute node name"; } uses apply-advanced; container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage choice compute-node-identifier { leaf mac-address { junos:must "(".. interfaces")"; junos:must-message "Must specify management interface"; junos:must "(".. .. local-management")"; junos:must-message "Must specify compute cluster local-management"; junos:must "(unique "services app-engine compute-cluster <*> compute-node <*> mac-address $$")"; junos:must-message "MAC address must be unique across compute clusters"; type jt:mac-addr; description "MAC address of the network boot interface"; } case case_2 { } // case case_2 case case_3 { } // case case_3 } // choice compute-node-identifier leaf package { type string; description "JunosV App Engine package"; } container routing-options { description "Route configuration for compute node"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 
10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options container interfaces { description "Network interfaces configuration"; uses apply-advanced; list ethernet { key "name"; ordered-by user; description "Interface configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "This interface is already associated with a bridge"; junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^eth[0-9]{1,2}$"; junos:pattern-message "Must be of the form eth<0-99>"; length "1 .. 15"; } description "Interface name"; } uses apply-advanced; leaf management { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with fpc"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management interface must have an address or dhcp configured"; junos:must "(!(".. enable-passthrough"))"; junos:must-message "Management interface cannot be passthrough interface"; type empty; description "Use this as management interface"; } container family { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; description "Protocol family"; uses family; } // container family leaf enable-passthrough { junos:must "(!(".. 
ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. mtu"))"; junos:must-message "Passthrough interface cannot have MTU"; junos:must "(!(".. family inet address"))"; junos:must-message "Passthrough interface cannot have an address"; type empty; description "Enable passthrough on this interface"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container ether-options { junos:must "((!(".. management") && (!(".. family") && !(".. enable-passthrough"))))"; junos:must-message "Ethernet interface can not exist separately if it is under a aggregated interface and vice versa"; uses apply-advanced; choice agg-intf { leaf ieee-802-3ad { junos:must "(!(".. .. mtu"))"; junos:must-message "Aggregate slave interface cannot have MTU"; junos:must "(!(".. .. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } } // choice agg-intf } // container ether-options } // list ethernet list bridge { key "name"; ordered-by user; description "Bridge configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "Bridge name is already used in one of the bridge interface list"; junos:must "(!(".. .. aggregate $$"))"; junos:must-message "An aggregate interface is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; type string { junos:posix-pattern "^[A-za-z][.0-9A-Za-z_]{1,15}$"; junos:pattern-message "Must be a string of 15 or fewer characters. The string should start with a letter and can contain letters, digits, underscores and periods"; length "1 .. 
15"; } description "Bridge name"; } uses apply-advanced; leaf management { junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with FPC compute node"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management bridge must have an address or dhcp configured"; type empty; description "Use this as management bridge"; } container family { description "Protocol family"; uses family; } // container family leaf-list interface { junos:must "((!(".. .. aggregate family inet address") && !(".. .. aggregate family inet dhcp")))"; junos:must-message "Interface associated to bridge can not have address"; type string { length "1 .. 15"; } max-elements 4; ordered-by user; description "Bridge interface list"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } } // list bridge list aggregate { key "name"; ordered-by user; description "Aggregate interface configuration"; leaf name { junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; junos:must "(any ".. .. ethernet <*> ether-options ieee-802-3ad $$")"; junos:must-message "Aggregated interface must have some slave interface"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } uses apply-advanced; leaf management { junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management aggregate must have an address or dhcp configured"; type empty; description "Use this as management aggregate"; } container family { description "Protocol family"; uses family; } // container family leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 
9192"; } } description "Maximum transmit packet size"; } container aggregated-ether-options { presence "enable aggregated-ether-options"; description "Link aggregation parameters"; uses apply-advanced; leaf hash-policy { type enumeration { enum "layer-2" { value 0; description "Uses mac address of both source and destination for hashing"; } enum "layer-3-and-4" { value 1; description "Uses port number and IP address of both source and destination for hashing"; } enum "layer-2-and-3" { value 2; description "Uses mac and IP address of both source and destination for hashing"; } } default "layer-3-and-4"; } leaf miimon { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Link monitoring interval in milli-second"; } } // container aggregated-ether-options } // list aggregate } // container interfaces list syslog { key "name"; ordered-by user; description "System logging facility"; leaf name { type enumeration { enum "any" { value 0; description "All facilities"; } enum "authorization" { value 1; description "Authorization system"; } enum "privileged" { value 2; description "Privileged authorization events"; } enum "cron" { value 3; description "Cron daemon"; } enum "daemon" { value 4; description "Various system processes"; } enum "kernel" { value 5; description "Kernel"; } enum "syslog" { value 6; description "Syslog messages"; } enum "user" { value 7; description "User processes"; } enum "uucp" { value 8; description "UUCP system"; } enum "local0" { value 9; description "Local 0 messages"; } enum "local1" { value 10; description "Local 1 messages"; } enum "local2" { value 11; description "Local 2 messages"; } enum "local3" { value 12; description "Local 3 messages"; } enum "local4" { value 13; description "Local 4 messages"; } enum "local5" { value 14; description "Local 5 messages"; } enum "local6" { value 15; description "Local 6 messages"; } enum "local7" { value 16; description "Local 7 messages"; } } description "Facility type"; } 
choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf debug { type empty; description "Debug messages"; } } // choice level } // list syslog } // list compute-node } // list compute-cluster container virtual-machines { description "Virtual-machine management"; uses apply-advanced; list instance { key "name"; ordered-by user; description "Virtual-machine instance"; leaf name { type string { length "1 .. 39"; } description "Virtual-machine instance identifier"; } uses apply-advanced; leaf cpu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } default "1"; description "Units of CPUs (default 1 cpu)"; } leaf memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } units "gigabytes"; default "1"; description "Memory for the virtual-machine (default 1 gigabytes)"; } leaf package { type string { length "1 .. 120"; } description "Virtual-machine package"; } container local-management { description "Management address connected to virtual machine"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. 
logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restriction to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management list compute-cluster { key "name"; max-elements 1; ordered-by user; description "Compute cluster on which the virtual-machine runs"; leaf name { junos:must "("services app-engine compute-cluster $$")"; junos:must-message "Referenced compute cluster must be defined"; type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; leaf compute-node { junos:must "((("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc" && ".. .. local-management") || !("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc")))"; junos:must-message "Must specify local-management for virtual machine on FPC compute node"; junos:must "("services app-engine compute-cluster ${compute-cluster} compute-node $$")"; junos:must-message "Referenced compute node must be defined"; type string { length "1 .. 
15"; } description "Compute node on which the virtual-machine runs"; } } // list compute-cluster list interface { key "name"; ordered-by user; description "Virtual-machine interface configuration"; leaf name { type string { length "1 .. 31"; } description "Virtual-machine interface name"; } uses apply-advanced; leaf hw-model { type enumeration { enum "e1000g" { value 0; description "Gigabit Ethernet e1000g driver"; } enum "virtio" { value 1; description "Para-virtualizing the interface"; } } default "e1000g"; description "Interface hardware model"; } leaf host-interface { type string { length "1 .. 15"; } description "Passthrough host interface for virtual-machine"; } leaf bridge { junos:must "(!(".. mtu"))"; junos:must-message "Bridged VM interface inherits MTU from the bridge"; junos:must "(!(".. host-interface"))"; junos:must-message "bridge can not defined with passthrough/host-interface"; type string { length "1 .. 15"; } description "Bridge that the interface connected to"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container family { description "Interface address family"; container inet { presence "enable inet"; description "IPv4 parameters"; uses apply-advanced; list address { key "name"; ordered-by user; description "Interface address/destination prefix"; leaf name { type jt:ipv4prefix; description "Interface address/destination prefix"; } uses apply-advanced; leaf primary { type empty; description "Primary address on the interface"; } } // list address } // container inet } // container family } // list interface container routing-options { description "Route configuration for virutal machine"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. 
rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options list secondary-disk { key "name"; ordered-by user; description "Virtual-machine disk"; leaf name { type enumeration { enum "hdb" { value 0; description "Disk name is hdb"; } enum "hdc" { value 1; description "Disk name is hdc"; } enum "hdd" { value 2; description "Disk name is hdd"; } } description "Virtual-machine disk name"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 160"; } } units "gigabytes"; description "Virtual-machine secondary disk size"; } } // list secondary-disk } // list instance } // container virtual-machines } // container app-engine container unified-access-control { description "Configure Unified Access Control"; uses apply-advanced; list infranet-controller { key "name"; ordered-by user; description "Configure infranet controller"; leaf name { type string { length "1 .. 
31"; } description "Infranet controller name"; } uses apply-advanced; leaf address { type jt:ipv4addr; description "Infranet controller IP address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "11123"; description "Infranet controller port"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Outgoing interface"; } /* NOTE(review): this is the shared secret used with the infranet controller, yet it is modelled as a plain 'string' with only a length constraint and no secret-bearing type, so tooling that consumes this model (config export, diff, logging) gets no hint that it must be redacted. Confirm how the on-box configuration stores and displays it before relying on the schema alone. */ leaf password { type string { length "1 .. 255"; } description "Infranet controller server password"; } leaf-list ca-profile { type string; ordered-by user; description "Define a list of certificate authority"; } leaf server-certificate-subject { type string { length "1 .. 255"; } description "Subject name of infranet controller certificate to match"; } } // list infranet-controller
/* Default is "warning", whose description says a certificate that is not verified is only warned about; "optional" drops even the warning. Only "required" makes verification mandatory, so deployments that need an authenticated controller link must set it explicitly; the ca-profile and server-certificate-subject leaves above are presumably what verification checks against. */ leaf certificate-verification { type enumeration { enum "warning" { value 0; description "Warn if certificate is not being verified"; } enum "required" { value 1; description "Require certificate verification. Most secure"; } enum "optional" { value 2; description "Make verification optional, no warnings. Least secure"; } } default "warning"; description "Specify certificate verification requirement"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10000"; } } default "300"; description "Timeout for idle infranet controller link in seconds"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
9999"; } } default "30"; description "Heartbeat interval from infranet controller in seconds"; } /* Default "close" is the fail-closed choice when the controller link times out; "open" admits new and existing sessions without enforcement for as long as the controller is unreachable, so it should be a deliberate decision rather than an operational convenience. */ leaf timeout-action { type enumeration { enum "close" { value 0; description "Remove existing sessions and block further traffic"; } enum "no-change" { value 1; description "Preserve existing connections; block new sessions"; } enum "open" { value 2; description "Allow traffic for new and existing sessions to go through"; } } default "close"; description "Specify action when infranet controller timeout occurs"; } /* Presence flag: enforcement results are logged but not applied, i.e. all traffic passes. Useful for staging a policy; leaving it set in production removes the control entirely, so it is worth auditing for. */ leaf test-only-mode { type empty; description "Allow all traffic and only log enforcement result"; } container traceoptions { description "UAC trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; /* The negated pattern rejects '/', '%' and spaces, so a configured filename cannot carry a path component; the file stays wherever the tracing subsystem places it. */ leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace with all flags enabled"; } enum "ipc" { value 1; description "IPC tracing"; } enum "config" { value 2; description "Configuration tracing"; } enum "connect" { value 3; description "Communication with infranet controller tracing"; } } } } // list flag } // container traceoptions list captive-portal { key "name"; ordered-by user; description "Unauthenticated HTTP redirect"; leaf name { type string { length "1 .. 128"; } description "Redirect policy name"; } uses apply-advanced; leaf redirect-traffic { type enumeration { enum "unauthenticated" { value 0; description "Redirect unauthenticated traffic"; } enum "all" { value 1; description "Redirect all traffic"; } } description "Traffic to redirect"; } leaf redirect-url { type string { junos:posix-pattern "^https?://([[:alnum:]%]?[[:alnum:]%._-]*[[:alnum:]%]?)(/[[:alnum:]_-]*)*/?([?][[:alnum:]_%+-]*=[[:alnum:]_%+-:/.]*(&[[:alnum:]_%+-]*=[[:alnum:]_%+-:/.]*)*)?$"; junos:pattern-message "Redirect URL be a valid HTTP URL"; length "1 .. 
512"; } description "Redirect URL for unauthenticated users"; } } // list captive-portal
} // container unified-access-control
container captive-portal { description "Captive Portal options"; uses juniper-services-captive-portal; } // container captive-portal
/* Advanced anti-malware configuration: the cloud-service connection, the default policy and named policies. */ container advanced-anti-malware { uses apply-advanced; container connection { presence "enable connection"; description "Cloud service RE connection, only for master logical domain"; uses apply-advanced; /* The must constraints on url and on authentication/tls-profile reference each other, so the cloud connection cannot be committed without an SSL initiation profile. The description expects an https URL, but the type is an unconstrained string: the scheme is not enforced by the schema, only documented. */ leaf url { junos:must "("services advanced-anti-malware connection authentication tls-profile")"; junos:must-message "Authentication profile must be defined"; type string; description "The url of the cloud server [https://<ip or hostname>:<port>]"; } container authentication { description "The authentication profile for using cloud services"; uses apply-advanced; leaf tls-profile { junos:must "(("services ssl initiation profile $$" && "services advanced-anti-malware connection url"))"; junos:must-message "Referenced SSL initiation profile and URL must be defined"; type string; description "TLS profile"; } } // container authentication
leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined"; type string { length "1 .. 63"; } description "Proxy profile"; } leaf source-address { type jt:ipaddr; description "The source ip for connecting to the cloud server."; } leaf source-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "The source interface for connecting to the cloud server"; } } // container connection
container default-policy { presence "enable default-policy"; description "Advanced Anti-malware default policy"; uses apply-advanced; container http { description "Configure HTTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } leaf file-verdict-unknown { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict unknown"; } leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } container client-notify { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; choice http-choice { leaf file { type string { length "1 .. 255"; } description "File name for http response to client"; } leaf message { type string { length "1 .. 1023"; } description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container client-notify container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container http container smtp { description "Configure SMTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smtp container imap { description "Configure IMAP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container imap container smb { description "Configure SMB options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smb leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 
6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } leaf inspection-profile { type string { length "1 .. 63"; } status deprecated; description "Advanced Anti-malware inspection-profile name"; } container fallback-options { description "Fallback options for abnormal conditions"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification container service-not-ready { description "Service not ready yet"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container service-not-ready container invalid-content-size { description "Content size exceed supported range"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses 
apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container invalid-content-size container out-of-resources { description "Service out of resources"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container out-of-resources container verdict-timeout { description "Verdict timed out"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container verdict-timeout container submission-timeout { description "Submission timed out"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container submission-timeout container unknown-file { description "File type unknown"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description 
"Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container unknown-file } // container fallback-options container default-notification { description "Notification action taken for action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware action"; } } // container default-notification container whitelist-notification { description "Whitelist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware whitelist hit"; } } // container whitelist-notification container blacklist-notification { description "Blacklist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware blacklist hit"; } } // container blacklist-notification } // container default-policy list policy { key "name"; description "Advanced Anti-malware policy"; leaf name { type string { length "1 .. 
63"; } description "Policy name, default policy must name (default-policy)"; } uses apply-advanced; container match { status deprecated; description "Policy match conditions"; uses apply-advanced; leaf application { type enumeration { enum "HTTP" { value 0; description "HTTP Traffic"; } } description "Application"; } leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } } // container match container then { junos:must "(".. match")"; junos:must-message "match must be defined"; status deprecated; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container then container http { description "Configure HTTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } leaf file-verdict-unknown { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict unknown"; } leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } container client-notify { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; choice http-choice { leaf file { type string { length "1 .. 255"; } description "File name for http response to client"; } leaf message { type string { length "1 .. 1023"; } description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container client-notify container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container http container smtp { description "Configure SMTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smtp container imap { description "Configure IMAP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container imap container smb { description "Configure SMB options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } } // container smb leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 
6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } leaf inspection-profile { type string { length "1 .. 63"; } status deprecated; description "Advanced Anti-malware inspection-profile name"; } container fallback-options { description "Fallback options for abnormal conditions"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification container service-not-ready { description "Service not ready yet"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container service-not-ready container invalid-content-size { description "Content size exceed supported range"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses 
apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container invalid-content-size container out-of-resources { description "Service out of resources"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container out-of-resources container verdict-timeout { description "Verdict timed out"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container verdict-timeout container submission-timeout { description "Submission timed out"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container submission-timeout container unknown-file { description "File type unknown"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description 
"Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for fallback conditions"; } container notification { description "Notification action taken for fallback action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; } } // container notification } // container unknown-file } // container fallback-options container default-notification { description "Notification action taken for action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware action"; } } // container default-notification container whitelist-notification { description "Whitelist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware whitelist hit"; } } // container whitelist-notification container blacklist-notification { description "Blacklist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware blacklist hit"; } } // container blacklist-notification } // list policy container traceoptions { description "Advanced Anti-malware trace options"; uses aamwd-traceoptions; } // container traceoptions } // container advanced-anti-malware container application-identification { presence "enable application-identification"; description "Application identification configuration"; uses apply-advanced; leaf enable-heuristics { type empty; status deprecated; description "Enable heuristic application identification"; } container enable-performance-mode { presence "enable enable-performance-mode"; status deprecated; description "Enable performance mode knobs for best DPI performance"; uses apply-advanced; leaf max-packet-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } default "2"; status deprecated; description "Max packet inspection threshold including both c2s ans s2c direction packets. Default value is 2 if not configured"; } } // container enable-performance-mode leaf imap-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 86400"; } } description "IMAP cache entry timeout in seconds"; } leaf imap-cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 512000"; } } description "IMAP cache size, it will be effective only after next appid sigpack install"; } container download { uses apply-advanced; leaf url { type string { junos:posix-pattern "^((file)|(http)|(https)):"; junos:pattern-message "URL starts with http, https or file"; } description "URL for application package download"; } leaf ignore-server-validation { type empty; description "Disable server authentication for Applicaton Signature download"; } container automatic { description "Scheduled download and update"; uses apply-advanced; leaf start-time { type string { junos:posix-pattern "^((([0-9][0-9][0-9][0-9])[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])[:]([0-5][0-9]))|((0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])))$"; junos:pattern-message "Invalid date; format is either MM-DD.hh:mm or YYYY-MM-DD.hh:mm:ss"; } description "Start time(MM-DD.hh:mm / YYYY-MM-DD.hh:mm:ss)"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "6 .. 720"; } } units "hours"; default "24"; description "Attempt to download new application package"; } } // container automatic leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "proxy profile must be defined"; type string { length "1 .. 
128"; } description "Configure web proxy for Application signature download"; } } // container download container statistics { description "Configure application statistics information"; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1440"; } } units "minutes"; default "1"; description "Application statistics collection interval"; } } // container statistics container nested-application-settings { presence "enable nested-application-settings"; status deprecated; description "Nested application settings"; uses apply-advanced; leaf no-nested-application { type empty; description "Disable nested application identification"; } leaf no-application-system-cache { type empty; description "Not to save nested AI match in application system cache"; } } // container nested-application-settings leaf no-application-identification { type empty; status deprecated; description "Disable all application identification methods"; } leaf no-application-system-cache { type empty; description "Disable storing AI result in application system cache"; } leaf no-application-statistics { type empty; description "Disable application statistics"; } leaf max-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 500000"; } } status deprecated; description "Max sessions that can run AI at the same time"; } leaf application-system-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1000000"; } } description "Application system cache entry lifetime"; } container application-system-cache { presence "enable application-system-cache"; description "Enable or Disable application system cache"; uses apply-advanced; leaf security-services { type empty; description "Enable ASC for security services (appfw, appqos, idp, skyatp..)"; } leaf no-miscellaneous-services { type empty; description "Disable ASC for miscellaneous services APBR,..."; } } // container application-system-cache leaf micro-apps { type empty; description "Enable Micro Apps identifcation"; } leaf max-transactions { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 25"; } } description "Number of transaction finals to terminate application classification"; } leaf custom-application-byte-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000"; } } description "Max bytes to be scanned for identification of custom application"; } leaf max-memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 200000"; } } description "Maximum amount of object cache memory JDPI can use (in MB)"; } leaf max-checked-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100000"; } } status deprecated; description "Inspect the maximal number of bytes"; } list application { junos:must "((any ". <*> icmp-mapping" || (any ". <*> ip-protocol-mapping" || (any ". <*> address-mapping" || (any ". <*> over" || any ". <*> signature")))))"; junos:must-message "All applications must have either icmp-mapping or ip-protocol-mapping or address-mapping or over or signature object "; key "name"; description "Configure application definition"; leaf name { type string { length "1 .. 
63"; } description "A unique application identifier"; } uses apply-advanced; leaf index { junos:must "(unique "services application-identification application <*> index $$")"; junos:must-message "Application index has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } leaf disable { type empty; status deprecated; description "Disable this application definition in AI"; } leaf cacheable { type empty; description "Cacheable"; } leaf risk { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } description "Risk/Hotness of application"; } leaf description { type string { junos:posix-pattern "^.{1,255}$"; junos:pattern-message "Must be a string of 255 characters or less"; } description "Text description of application"; } leaf priority { type enumeration { enum "high" { value 0; description "Highest priority over all other signatures"; } enum "low" { value 1; description "Lowest priority over all other signatures"; } } default "low"; description "Application matching priority"; } leaf order { junos:must "(unique "services application-identification application <*> order $$")"; junos:must-message "Application order has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 50000"; } } description "The order value, lower the value higher the priority"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } status deprecated; description "Maximum number of transactions matched by AI"; } container icmp-mapping { description "Match ICMP message"; uses apply-advanced; leaf type { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric type value"; } leaf code { junos:must "(".. 
type")"; junos:must-message "ICMP type must be configured"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric code value"; } } // container icmp-mapping container ip-protocol-mapping { description "Match IP protocol"; uses apply-advanced; leaf protocol { junos:must "(unique "services application-identification application <*> ip-protocol-mapping protocol $$")"; junos:must-message "Protocol has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric protocol value"; } } // container ip-protocol-mapping list address-mapping { key "name"; ordered-by user; description "Match IP address"; leaf name { type string { length "1 .. 63"; } description "Address name"; } uses apply-advanced; container filter { description "Match IP/port"; uses apply-advanced; leaf ip { type jt:ipprefix; description "IP address and prefix-length"; } container port-range { description "Port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 20; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 20; ordered-by user; description "UDP port range"; } } // container port-range } // container filter } // list address-mapping list over { key "name"; max-elements 8; description "Set of L4/L7 application that carries given application"; leaf name { type string { length "1 .. 63"; } description "A unique application and protocol identifier"; } uses apply-advanced; list signature { key "name"; description "Application signature for pattern matching"; leaf name { type string { length "1 .. 
63"; } description "A unique application signature identifier"; } uses apply-advanced; leaf-list port-range { type string; max-elements 64; ordered-by user; description "Port range"; } list member { key "name"; description "Application signature member"; leaf name { type string { junos:posix-pattern "^m(0[1-9]|1[0-5])"; junos:pattern-message "Must be m01 - m15"; length "1 .. 63"; } description "Application signature member identifier in range m01 - m15"; } uses apply-advanced; leaf depth { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 8000"; } } description "Maximum number of bytes to check for context match"; } leaf context { type string; description "Context to be matched on"; } leaf pattern { type string { junos:posix-pattern "^.{1,127}$"; junos:pattern-message "Must be a string of 127 characters or less"; } description "DFA pattern matched on context"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the packets to apply pattern matching"; } } // list member } // list signature } // list over } // list application list nested-application { key "name"; status deprecated; description "Configure nested application definition"; leaf name { type string { length "1 .. 63"; } description "A unique application identifier"; } uses apply-advanced; leaf type { junos:must "(unique "services application-identification nested-application <*> type $$")"; junos:must-message "Nested application type has to be unique among all nested applications"; type string { length "1 .. 
63"; } description "Well-known application such as FACEBOOK and KAZZA"; } leaf index { junos:must "(!(any "services application-identification application <*> index $$"))"; junos:must-message "Nested application index has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> index $$")"; junos:must-message "Nested application index has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } leaf protocol { type string { length "1 .. 63"; } description "Name of layer 7 application that carries nested application"; } list signature { key "name"; description "Nested application signature for pattern matching"; leaf name { junos:must "(unique "services application-identification nested-application <*> signature $$")"; junos:must-message "Nested application signature name has to be unique among all nested applications"; type string { length "1 .. 63"; } description "A unique nested application signature identifier"; } uses apply-advanced; list member { key "name"; description "Pattern matched on client-to-server packets"; leaf name { type string { junos:posix-pattern "^m(0[1-9]|1[0-6])"; junos:pattern-message "Must be m01 - m16"; length "1 .. 
63"; } description "A unique nested application signature member identifier"; } uses apply-advanced; leaf context { type string; description "Context to be matched on"; } leaf pattern { type string; description "Pattern matched on context"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the packets to apply pattern matching"; } leaf check-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5000"; } } default "1000"; description "Maximum number of bytes to check for stream context "; } } // list member leaf chain-order { type empty; description "The order of members is used to match the pattern"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Maximum number of transactions matched by AI"; } leaf order { junos:must "(!(any "services application-identification application <*> signature order $$"))"; junos:must-message "Nested application order has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> signature <*> order $$")"; junos:must-message "Nested application order has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } status deprecated; description "Application matching priority"; } container insert-before { description "Insert before another signature"; uses apply-advanced; leaf insert-before-name { type string; description "An application name"; } } // container insert-before } // list signature } // list nested-application list application-group { key "name"; description "Define application group"; leaf name { type string { length "1 .. 
63"; } description "A unique application group identifier"; } uses apply-advanced; list tag-group { key "name"; description "Configure application tag group that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "A unique tag group identifier"; } uses apply-advanced; leaf-list application-tags { type string; max-elements 128; ordered-by user; description "Name of application tag to configure"; } } // list tag-group list application-groups { key "name"; description "Configure child application group(s)"; leaf name { type string { length "1 .. 63"; } description "Name of the child application group"; } uses apply-advanced; } // list application-groups list applications { key "name"; description "Configure applications that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "Configure application name"; } uses apply-advanced; } // list applications leaf disable { type empty; status deprecated; description "Disable this application group definition in AI"; } } // list application-group container traceoptions { description "Trace options for application identification"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } } description "Flag name to include in trace output"; } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } } // container traceoptions container inspection-limit { description "Bytes and packets limit for AppID inspection."; uses apply-advanced; container tcp { presence "enable tcp"; description "TCP byte/packet inspection limit."; uses apply-advanced; leaf byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "6000"; description "TCP byte inspection limit. 
(Default 6000)"; } leaf packet-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "TCP packet inspection limit."; } } // container tcp container udp { presence "enable udp"; description "UDP byte/packet inspection limit."; uses apply-advanced; leaf byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "UDP byte inspection limit."; } leaf packet-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10"; description "UDP packet inspection limit. (Default 10)"; } } // container udp } // container inspection-limit leaf global-offload-byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Global byte limit to offload AppID inspection. (Default 10000)"; } container packet-capture { description "To capture the unknown application traffic"; uses apply-advanced; leaf global { type empty; description "Enable global capturing of application traffic"; } leaf aggressive-mode { type empty; description "This mode captures all traffic prior to AppID classification"; } leaf max-packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } description "Maximum number of UDP packets per session"; } leaf max-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "40 .. 1073741824"; } } units "bytes"; description "Maximum number of TCP bytes per session"; } leaf max-files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
2500"; } } description "Maximum number of unique pcap files"; } leaf no-inconclusive { type empty; description "Disable capturing of inconclusive traffic"; } leaf storage-limit { type string; units "bytes"; description "Maximum disk space"; } leaf buffer-packets-limit { type union { type uint64; type string { pattern "<.*>|$.*"; } } units "bytes"; description "Maximum memory to buffer packets"; } leaf capture-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 525600"; } } description "Timeout to avoid repetitive capture of same traffic (minutes)"; } leaf capture-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } description "Number of repetitive captures of same traffic"; } leaf ssl-unknown { type empty; description "This mode captures all SSL unknown traffic"; } } // container packet-capture leaf l3l4-app-reclassification { type empty; description "Enable l3l4 custom app to be reclassified by jdpi ignoring results from other plugins"; } } // container application-identification container ssl { description "Configuration for Secure Socket Layer support service"; uses apply-advanced; container traceoptions { description "Trace options for Secure Socket Layer support service"; uses ssl-traceoptions; } // container traceoptions container termination { description "Configuration for Secure Socket Layer termination support service"; uses ssl-termination-config; } // container termination container initiation { description "Configuration for Secure Socket Layer initiation support service"; uses ssl-initiation-config; } // container initiation container proxy { description "Configuration for Secure Socket Layer proxy support service"; uses ssl-proxy-config; } // container proxy } // container ssl container web-proxy { description "Configuration for Web Proxy service"; uses apply-advanced; container traceoptions { description "Trace options for Web Proxy service"; uses web-proxy-traceoptions; } 
// container traceoptions container secure-proxy { description "Configuration for Secure Web Proxy profile "; uses web-config; } // container secure-proxy } // container web-proxy container softwires { description "Configure softwire feature"; uses softwires-object; } // container softwires container screen { description "Configure screen feature"; uses apply-advanced; container trap { presence "enable trap"; description "Configure trap interval"; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "2"; description "Trap interval"; } } // container trap container cpu-throttle { presence "enable cpu-throttle"; description "Configure cpu-throttle percentage"; uses apply-advanced; leaf percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } units "percentage"; description "Percentage of cpu throttle"; } } // container cpu-throttle list ids-option { key "name"; description "Configure ids-option"; uses ids-option-type; } // list ids-option container traceoptions { description "Trace options for Network Security Screen"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list whitelist { key "name"; max-elements 32; description "Set of IP addresses for white list"; uses ids-wlist-type; } // list whitelist } // container screen container icap-redirect { description "Configure ICAP redirection service"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Congifure ICAP service profile"; uses icap-profile-object; } // list profile container traceoptions { description "ICAP redirect trace options"; uses icap-redirect-traceoptions; } // container traceoptions } // container icap-redirect container security-metadata-streaming { uses apply-advanced; list policy { key "name"; description "Security Metadata Streaming policy"; leaf name { type string { length "1 .. 
63"; } description "Policy name"; } uses apply-advanced; container http { description "Configure HTTP options"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow traffic"; } } description "Action for HTTP"; } container notification { description "Notification action taken for traffic"; uses apply-advanced; leaf log { type empty; description "Logging option for Security Metadata Streaming actions"; } } // container notification } // container http container dns { description "Configure DNS options"; uses apply-advanced; container cache { description "Storing DNS in Cache till TTL"; uses apply-advanced; container ttl { presence "enable ttl"; description "For setting TTL values"; uses apply-advanced; leaf benign { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 172800"; } } units "seconds"; default "86400"; description "Set Benign TTL value"; } leaf c2 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 172800"; } } units "seconds"; default "86400"; description "Set C2 TTL value"; } } // container ttl } // container cache container detections { description "Type of Detection Methods for DNS Request"; uses apply-advanced; container dga { description "Detecting DGA Algorithms on DNS Packets"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow the packet"; } enum "deny" { value 1; description "Drop the packet"; } enum "sinkhole" { value 2; description "Sinkhole the packet"; } } description "Action to take on the DNS tunneled packet"; } leaf verdict-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "50 .. 
500"; } } units "milliseconds"; default "100"; description "Time to wait for a verdict on DNS Packet"; } leaf notification { type enumeration { enum "log" { value 0; description "Log Everything"; } enum "log-detections" { value 1; description "Only log malicious DNS activity"; } } description "Notification action taken for DNS DGA Detection"; } container fallback-options { description "Fallback options for DNS DGA detection"; uses apply-advanced; container notification { description "Notification action taken for the packet"; uses apply-advanced; leaf log { type empty; description "Log DNS Request"; } } // container notification } // container fallback-options } // container dga container tunneling { description "Detecting DNS Tunneling"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow the packet"; } enum "deny" { value 1; description "Drop the packet"; } enum "sinkhole" { value 2; description "Sinkhole the packet"; } } description " Action to take on the DNS tunneled packet"; } leaf notification { type enumeration { enum "log" { value 0; description "Log Everything"; } enum "log-detections" { value 1; description "Only log malicious DNS activity"; } } description "Notification action taken for DNS Tunneling Detection"; } leaf inspection-depth { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 10"; } } default "4"; description "Number of packets to be inspected for Tunnel Detection"; } container fallback-options { description "Fallback options for DNS Tunneling detection"; uses apply-advanced; container notification { description "Notification action taken for the packet"; uses apply-advanced; leaf log { type empty; description "Log DNS Request"; } } // container notification } // container fallback-options } // container tunneling container all { junos:must "((!(" .. dga") && !(" .. 
tunneling")))"; junos:must-message "All can only be configured if no other detection is configured"; description "All Detections"; uses apply-advanced; leaf action { type enumeration { enum "permit" { value 0; description "Allow the packet"; } enum "deny" { value 1; description "Drop the packet"; } enum "sinkhole" { value 2; description "Sinkhole the packet"; } } description " Global Action to take on the DNS packet"; } leaf notification { type enumeration { enum "log" { value 0; description "Log Everything"; } enum "log-detections" { value 1; description "Only log malicious DNS activity"; } } description "Global Notification action taken for DNS Detection Methods"; } container fallback-options { description "Fallback options for DNS detections"; uses apply-advanced; container notification { description "Notification action taken for the packet"; uses apply-advanced; leaf log { type empty; description "Log DNS Request"; } } // container notification } // container fallback-options } // container all } // container detections } // container dns } // list policy } // container security-metadata-streaming container user-identification { description "Configure user-identification"; uses apply-advanced; container active-directory-access { presence "enable active-directory-access"; description "Configure active directory access"; uses apply-advanced; container traceoptions { description "Active-directory-access Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "active-directory-authentication" { value 0; description "Trace active directory auth"; } enum "configuration" { value 1; description "Trace configuration"; } enum "db" { value 2; description "Trace db"; } enum "ip-user-mapping" { value 3; description "Trace ip-user-mapping module"; } enum "ip-user-probe" { value 4; description "Trace ip-user-probe"; } enum "ipc" { value 5; description "Trace ipc"; } enum "user-group-mapping" { value 6; description "Trace user-group-mapping module"; } enum "wmic" { value 7; description "Trace wmic"; } enum "memory" { value 8; description "Trace memory"; } enum "all" { value 9; description "Trace everything"; } } } } // list flag } // container traceoptions list domain { key "name"; 
max-elements 2; ordered-by user; description "Configure active-directory-access domain"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Domain name"; } uses apply-advanced; container user { description "User name"; uses apply-advanced; leaf user-name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "User name"; } leaf password { type string { length "1 .. 128"; } description "Password string"; } } // container user list domain-controller { key "name"; max-elements 10; ordered-by user; description "Domain controller"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Domain controller name"; } uses apply-advanced; leaf address { type jt:ipaddr; description "Address of domain controller"; } } // list domain-controller container ip-user-mapping { description "Ip-user-mapping"; uses apply-advanced; container discovery-method { description "Discovery method"; uses apply-advanced; container wmi { presence "enable wmi"; description "WMI"; uses apply-advanced; leaf event-log-scanning-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "5 .. 60"; } } units "seconds"; description "Interval of event log scanning"; } leaf initial-event-log-timespan { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
168"; } } units "hours"; description "Event log scanning timespan"; } } // container wmi } // container discovery-method } // container ip-user-mapping container user-group-mapping { description "User-group-mapping"; uses user-group-mapping-type; } // container user-group-mapping } // list domain leaf no-on-demand-probe { type empty; description "Disable on-demand probe"; } leaf authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Authentication entry timeout number (0, 10-1440)"; } leaf invalid-authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Invalid authentication entry timeout number (0, 10-1440)"; } leaf firewall-authentication-forced-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Firewallauth fallback authentication entry forced timeout number (10-1440)"; } leaf wmi-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "3 .. 120"; } } units "seconds"; description "Wmi timeout number"; } leaf thread { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 100"; } } description "Thread to do PC probe"; } leaf probe-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "100 .. 
1500"; } } description "PC probe rate per minute"; } leaf-list event-log-identifier { type union { type uint16; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Event log identifier"; } leaf-list logon-type { type union { type uint16; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Logon type"; } container filter { description "Configure filter address or prefix"; uses apply-advanced; list include { key "name"; max-elements 20; ordered-by user; description "Include address"; leaf name { type jt:ipprefix; description "Address or prefix"; } } // list include list exclude { key "name"; max-elements 20; ordered-by user; description "Exclude address"; leaf name { type jt:ipprefix; description "Address or prefix"; } } // list exclude } // container filter } // container active-directory-access list authentication-source { key "name"; max-elements 2; ordered-by user; description "Configure authentication-source"; leaf name { type enumeration { enum "aruba-clearpass" { value 0; description "Authentication source from Aruba ClearPass"; } } description "Authenticaton source name"; } uses apply-advanced; leaf authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Aruba ClearPass authentication entry timeout number (0, 10-1440)"; } leaf invalid-authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; description "Invalid authentication entry timeout number (0, 10-1440)"; } container traceoptions { description "Aruba ClearPass authentication table Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message 
"Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace Aruba ClearPass all modules"; } enum "clearpass-authentication" { value 1; description "Trace Aruba ClearPass auth table management module"; } enum "configuration" { value 2; description "Trace Aruba ClearPass configuration"; } enum "dispatcher" { value 3; description "Trace dispatcher module"; } enum "ipc" { value 4; description "Trace ipc"; } enum "user-query" { value 5; description "Trace user-query module"; } enum "memory" { value 6; description "Trace memory"; } } } } // list flag } // container traceoptions container user-query { description "ClearPass individual user query"; uses apply-advanced; container web-server { 
description "Web server for user query"; uses apply-advanced; leaf server-name { type string { length "1 .. 64"; } description "Web server name"; } /* NOTE(review): connect-method carries no default here; if "http" is selected the OAuth2 token exchange configured below (client-id, client-secret, token-api) would presumably run over cleartext HTTP - confirm, and consider documenting https as the expected setting. */ leaf connect-method { type enumeration { enum "https" { value 0; description "HTTPS connection to web server"; } enum "http" { value 1; description "HTTP connection to web server"; } } description "Method of connecting to web server"; } leaf address { type string { length "1 .. 128"; } description "IP address or hostname of web server"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "443"; description "Web server port"; } } // container web-server leaf ca-certificate { type string { length "1 .. 256"; } description "Ca-certificate file name"; } leaf client-id { type string { length "1 .. 64"; } description "Client ID for OAuth2 grant"; } /* NOTE(review): client-secret is a plain string type, whereas url-parameter under security-intelligence in this module uses jt:unreadable - confirm whether the secret should use the unreadable type. */ leaf client-secret { type string { length "1 .. 128"; } description "Client secret for OAuth2 grant"; } leaf token-api { type string { length "1 .. 128"; } description "API of acquiring token for OAuth2 authentication"; } leaf query-api { type string { length "4 .. 128"; } description "User query API"; } leaf delay-query-time { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 
60"; } } units "seconds"; default "15"; description "Delay time to send user query (0~60sec)"; } } // container user-query container no-user-query { presence "enable no-user-query"; description "Disable user query from ClearPass"; } // container no-user-query } // list authentication-source container device-information { description "Device information configuration"; uses apply-advanced; container authentication-source { description "Configure authentication-source"; uses apply-advanced; leaf authentication-source-name { type enumeration { enum "active-directory" { value 0; description "From windows active directory"; } enum "network-access-controller" { value 1; description "From network access controller such as Aruba ClearPass or JIMS"; } enum "no-configured" { value 2; description "No configuring authentication source for device entry"; } } default "no-configured"; } } // container authentication-source container end-user-profile { description "End-user-profile configuration"; uses apply-advanced; list profile-name { key "name"; ordered-by user; description "End-user-profile profile-name configuration"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "End-user-profile profile-name"; } uses apply-advanced; leaf domain-name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 
64"; } description "Domain name"; } list attribute { key "name"; ordered-by user; description "Attribute"; leaf name { type string; description "Attribute name"; } uses apply-advanced; choice attribute-value { leaf-list string { type string; max-elements 20; ordered-by user; description "Value type is strings"; } container digital { presence "enable digital"; description "Value type is digital"; uses apply-advanced; leaf-list value { type union { type uint32; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Digital value"; } list from { key "name"; ordered-by user; description "Range of digital value"; leaf name { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Digit range's start value"; } uses apply-advanced; leaf to { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Digit range's end value"; } } // list from } // container digital } // choice attribute-value } // list attribute } // list profile-name } // container end-user-profile container traceoptions { description "Device info related Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace device info all modules"; } enum "auth-source" { value 1; description "Trace Auth source module"; } enum "configuration" { value 2; description "Trace Device info configuration"; } enum "device-table" { value 3; description "Trace device table management module"; } enum "ipid-all" { value 4; description "Trace IPID all functions"; } enum "ipid-db" { value 5; description "Trace IPID Database function"; } enum "ipid-entry" { value 6; description "Trace IPID entry management function"; } enum "ipid-ipc" { value 7; description "Trace IPID communication processing function"; } enum "ipid-message" { value 8; description "Trace IPID message processing function"; } enum "ipid-others" { value 9; description "Trace IPID other function"; } enum "ipid-server" { value 10; description "Trace IPID server handling function"; } enum "ipid-statistics" { value 11; description "Trace IPID statistics handling function"; } enum 
"ipid-task" { value 12; description "Trace IPID task handling function"; } enum "profile-lookup" { value 13; description "Trace End-user-profile lookup function"; } enum "memory" { value 14; description "Trace memory"; } } } } // list flag } // container traceoptions } // container device-information container identity-management { description "Identity management configuration"; uses apply-advanced; leaf authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "60"; description "Authentication entry timeout number (0, 10-1440)"; } leaf invalid-authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "30"; description "Invalid authentication entry timeout number (0, 10-1440)"; } leaf preserve-valid-user { type empty; description "Null user will not overwrite valid user for the same ip"; } container connection { description "Connection to identity management"; uses identity-management-connection-type; } // container connection container jims-validator { description "Web server from JIMS for Validate or group query request"; uses jims-validator-type; } // container jims-validator container batch-query { description "Batch query parameters"; uses batch-query-type; } // container batch-query container ip-query { description "IP query parameters"; uses apply-advanced; leaf query-delay-time { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 60"; } } units "seconds"; default "15"; description "Delay time to send IP query (0~60sec)"; } container no-ip-query { presence "enable no-ip-query"; description "Disable IP query"; } // container no-ip-query leaf max-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
20"; } } description "Max connection number"; } } // container ip-query container filter { description "Filter for query"; uses apply-advanced; list domain { key "name"; max-elements 20; ordered-by user; description "Domain filter"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Domain name"; } } // list domain container include-ip { description "Include IP filter"; uses address-filter-type; } // container include-ip container exclude-ip { description "Exclude IP filter"; uses address-filter-type; } // container exclude-ip } // container filter container traceoptions { description "Tracing Options"; uses ims-traceoptions-type; } // container traceoptions } // container identity-management container logical-domain-identity-management { description "Logical domain identity management configuration"; uses apply-advanced; container active { description "Actve mode for logical domain identity management moudule"; uses apply-advanced; leaf authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "60"; description "Authentication entry timeout number (0, 10-1440)"; } leaf invalid-authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "30"; description "Invalid authentication entry timeout number (0, 10-1440)"; } container ip-query { description "IP query parameters"; uses apply-advanced; leaf query-delay-time { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 
60"; } } units "seconds"; default "15"; description "Delay time to send IP query (0~60sec)"; } } // container ip-query container filter { description "Filter for query"; uses apply-advanced; list domain { key "name"; max-elements 20; ordered-by user; description "Domain filter"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Domain name"; } } // list domain container include-ip { description "Include IP filter"; uses address-filter-type; } // container include-ip container exclude-ip { description "Exclude IP filter"; uses address-filter-type; } // container exclude-ip } // container filter list query-server { key "name"; max-elements 1; ordered-by user; description "Query server"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Query server name"; } uses apply-advanced; container connection { description "Connection to identity management"; uses ims-connection-type; } // container connection container batch-query { description "Batch query parameters"; uses batch-query-type; } // container batch-query } // list query-server } // container active container traceoptions { description "Tracing Options"; uses ims-traceoptions-type; } // container traceoptions } // container logical-domain-identity-management } // container user-identification container ip-monitoring { description "IP monitoring for route action"; uses apply-advanced; list policy { key "name"; ordered-by user; description "Policy for route action"; leaf name { type string { length "1 .. 
64"; } description "Policy name"; } uses apply-advanced; leaf no-preempt { type empty; description "No automatic failback preemption once policy failover"; } container match { description "Matching probing condition"; uses apply-advanced; leaf-list rpm-probe { type string; ordered-by user; description "RPM probe name"; } } // container match container then { description "Action to be taken"; uses action-object-type; } // container then } // list policy container traceoptions { description "IP-Monitoring trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "debug" { value 0; description "Trace debug"; } enum "configuration" { value 1; description "Trace configuration events"; } enum "errors" { value 2; description "Trace errors"; } enum "memory" { value 3; description "Trace memory allocation or deallocation messages"; } enum "event" { value 4; description "Trace events"; } enum "all" { value 5; description "Trace events"; } } } } // list flag } // container traceoptions } // container ip-monitoring container wireless-wan { description "Wireless WAN configuration"; uses apply-advanced; list adapter { key "name"; ordered-by user; description "Wireless adapter name configuration"; leaf name { type string { junos:posix-pattern "^[A-Za-z]+[_0-9A-Za-z-]*$"; junos:pattern-message "Must be a string beginning with a letter and consisting of no more than 16 total letters, numbers, dashes and underscores."; length "1 .. 
16"; } description "Wireless adapter name"; } uses apply-advanced; leaf ip-address { type jt:ipaddr; description "Adapter management IP address"; } leaf adapter-type { type enumeration { enum "cx-bridge" { value 0; description "Adapter type - CX-bridge"; } } description "Select adapter type"; } container modem { description "Adapter modem settings"; uses apply-advanced; container usb1 { presence "enable usb1"; description "Adapter USB1 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb1 container usb2 { presence "enable usb2"; description "Adapter USB2 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb2 container usb3 { presence "enable usb3"; description "Adapter USB3 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb3 container expresscard { presence "enable expresscard"; description "Adapter Expresscard modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container expresscard } // container modem } // list adapter } // container wireless-wan container proxy { description "Proxy setting for services"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Proxy profile"; uses proxy-profile-setting; } // list profile } // container proxy container security-intelligence { uses apply-advanced; container category { description "Category to be disabled"; uses apply-advanced; container all { presence "enable all"; description "All categories"; uses apply-advanced; container disable { presence "enable disable"; description "To disable all categories"; } // container disable } // container all list category-name { key "name"; ordered-by user; uses secintel-category-disable; } // list category-name } // container category leaf url { type string; description 
"Configure the url of feed server [https://<ip or hostname>:<port>/<uri>]"; } leaf url-parameter { type jt:unreadable; description "Configure the parameter of url"; } leaf proxy-profile { junos:must "("services proxy profile")"; junos:must-message "Proxy profile must be defined"; type string { length "1 .. 64"; } description "The proxy profile name"; } /* Credentials for the security-intelligence feed server: an auth-token plus a reference to an SSL initiation profile (tls-profile). */ container authentication { description "Authenticate to use feed update services"; uses apply-advanced; /* NOTE(review): auth-token is a plain string type while url-parameter above uses jt:unreadable - confirm whether the token should use the unreadable type as well. */ leaf auth-token { type string { junos:posix-pattern "^[A-Za-z0-9]{32}$"; junos:pattern-message "Auth token must be consisted of 32 alphanumeric characters"; } description "Token string for authentication"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "Referenced SSL initiation profile is not defined"; type string; description "TLS profile"; } } // container authentication leaf http-persist { type empty; description "Inspect all HTTP requests in a connection"; } container traceoptions { description "Security intelligence trace options"; uses secintel-traceoptions; } // container traceoptions list profile { key "name"; ordered-by user; description "Configure security intelligence profile"; uses secintel-profile-setting; } // list profile container default-policy { description "Configure security intelligence default policy"; uses apply-advanced; list category-profiles { key "name"; ordered-by user; description "Security intelligence category profiles"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Infected-Hosts" { value 3; description "Infected-Hosts"; } enum "DNS" { value 4; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; leaf profile-name { junos:must "("services security-intelligence profile $$")"; junos:must-message "security intelligence profile must be defined"; 
type string; description "Name of profile"; } } // list category-profiles } // container default-policy list policy { key "name"; ordered-by user; description "Configure security intelligence policy"; uses secintel-policy-setting; } // list policy container global-disable-feed { presence "enable global-disable-feed"; description "Security intelligence global feed disabling setting"; uses apply-advanced; list feed-name { key "name"; max-elements 32; ordered-by user; leaf name { type string { length "1 .. 63"; } description "Name of security intelligence global Command and control feed"; } uses apply-advanced; } // list feed-name container all { presence "enable all"; description "All of security intelligence global Command and control feed"; } // container all } // container global-disable-feed } // container security-intelligence container dns-filtering { presence "enable dns-filtering"; uses apply-advanced; container traceoptions { description "Security intelligence trace options"; uses dnsf-traceoptions-object; } // container traceoptions container sinkhole { presence "enable sinkhole"; description "DNS Sinkhole Configuration"; uses apply-advanced; leaf ipv4-address { type jt:ipv4addr; description "Sinkhole IPv4 address"; } leaf ipv6-address { type jt:ipv6addr; description "Sinkhole IPv6 address"; } leaf fqdn { type string { length "1 .. 80"; } description "FQDN sent as response to MX qeries"; } leaf dns-resp-ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } units "seconds"; default "1800"; description "TTL to be used in DNS response"; } leaf wildcarding-level { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
10"; } } default "2"; description "Wildcarding level for exact match"; } leaf txt-resp-err-code { type enumeration { enum "Noerror" { value 0; description "No error response"; } enum "Refused" { value 1; description "Refuse the DNS Query"; } } default "Refused"; description "Text response error code"; } leaf srv-resp-err-code { type enumeration { enum "Noerror" { value 0; description "No error response"; } enum "Refused" { value 1; description "Refuse the DNS Query"; } } default "Refused"; description "Server response error code"; } } // container sinkhole } // container dns-filtering container pcp { description "Configure Port Control Protocol"; uses pcp-object; } // container pcp container rtlog { presence "enable rtlog"; description "Secure log daemon options"; uses apply-advanced; container traceoptions { description "Security log daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "List of things to include in trace"; leaf name { type enumeration { enum "source" { value 0; description "Communication with security log forwarder"; } enum "configuration" { value 1; description "Reading of configuration"; } enum "all" { value 2; description "Everything"; } enum "report" { value 3; description "Trace report"; } enum "hpl" { value 4; description "Trace HPL logging"; } } } } // list flag } // container traceoptions } // container rtlog container service-interface-pools { description "Configure service interface pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service interface pool"; uses service_interface_pool_object; } // list pool } // container service-interface-pools container hosted-services { description "Configuration for services performed in the remote server"; uses apply-advanced; list client-profile { key "name"; ordered-by user; description "Configure client profile"; leaf name { type string { length "3 .. 32"; } description "Client profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 
63"; } } description "Identifier for the service performed on the remote server"; } } // list client-profile list server-profile { key "name"; ordered-by user; description "Configure server profile"; leaf name { type string { length "3 .. 32"; } description "Server profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf server-address { type jt:ipv4addr; description "Server address"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 63"; } } description "Identifier for the service performed in the remote server"; } } // list server-profile } // container hosted-services container jflow-log { presence "enable jflow-log"; description "Configure jflow-logging parameters for services"; uses apply-advanced; list collector { key "name"; ordered-by user; description "Collector attributes"; leaf name { type string { length "1 .. 63"; } description "Profile name"; } uses apply-advanced; leaf destination-address { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; } description "IPv4 Address or hostname of the collector"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port of the collector"; } leaf source-ip { type jt:ipv4addr; description "Source IPv4 Address from which logging is to be done"; } } // list collector list collector-group { key "name"; ordered-by user; leaf name { type string { length "1 .. 63"; } description "Name of collector-group"; } uses apply-advanced; leaf-list collector { type string { length "1 .. 
63"; } max-elements 8; ordered-by user; description "List of Collector profiles"; } } // list collector-group list template-profile { key "name"; ordered-by user; leaf name { junos:must "((any ".. collector <*>" || any ".. collector-group <*>"))"; junos:must-message "template-profile must have a collector or collector-group configured"; type string { length "1 .. 63"; } description "Specify name of the template"; } uses apply-advanced; leaf collector { junos:must "(!(any ".. collector-group <*>"))"; junos:must-message "Collector-group is already configured for this template"; junos:must "("services jflow-log collector $$")"; junos:must-message "The referenced collector is not defined"; type string { length "1 .. 63"; } description "Specify a collector name"; } leaf-list collector-group { junos:must "(!(any ".. collector <*>"))"; junos:must-message "Collector is already configured for this template profile"; type string { length "1 .. 63"; } max-elements 1; ordered-by user; description "Specify a collector-group name"; } leaf template-type { type enumeration { enum "nat" { value 0; description "Enable jflow-logs for NAT events"; } } description "Allow jflow-log for applications"; } leaf version { type enumeration { enum "v9" { value 0; description "Version 9"; } enum "ipfix" { value 1; description "Ipfix"; } } description "Version of jflow-logging"; } container refresh-rate { presence "enable refresh-rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 48000"; } } default "4800"; description "Specify number of packets after which templates are sent to collector"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 
1800"; } } default "1800"; description "Specify number of seconds after which templates are sent to collector"; } } // container refresh-rate } // list template-profile } // container jflow-log container service-device-pools { description "Configure service device pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service device pool"; uses service_device_pool_object; } // list pool } // container service-device-pools container redundancy-set { description "Redundancy-set settings"; uses apply-advanced; container traceoptions { description "Services redundancy trace options"; uses srd-traceoptions-object; } // container traceoptions list rs-id-object { key "name"; ordered-by user; description "Definition of redundancy-set"; uses srd-rs-id-object; } // list rs-id-object } // container redundancy-set container analytics { presence "enable analytics"; description "Traffic analytics configuration options"; uses apply-advanced; container zero-suppression { presence "enable zero-suppression"; description "Configure suppression of zeros for GRPC sensors"; uses apply-advanced; leaf no-zero-suppression { type empty; description "Disable zero suppression"; } } // container zero-suppression list streaming-server { key "name"; ordered-by user; description "Define Telemetry data servers"; leaf name { type string { length "1 .. 
128"; } description "Telemetry App server Name"; } uses apply-advanced; leaf remote-address { type jt:ipaddr; description "Telemetry server IP address"; } leaf remote-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Telemetry server Port"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } leaf dialout { type empty; description "Supports dynamic dialout subscriptions"; } } // list streaming-server list export-profile { key "name"; ordered-by user; description "Telemetry export profile name"; leaf name { type string { length "1 .. 128"; } description "Telemetry export profile name"; } uses apply-advanced; leaf local-address { type jt:ipv4addr; description "Source address for exported packets"; } leaf local-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Source port for exported packets"; } leaf dscp { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 63"; } } description "DSCP value for exported packets"; } leaf forwarding-class { type string { length "1 .. 64"; } description "Forwarding-class for exported packets, applicable only for PFE sensors"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf payload-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1400 .. 
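9192"; } }
  units "bytes";
  default "5000";
  description "Telemetry payload size";
}
leaf format {
  type enumeration {
    enum "gpb" { value 0; description "Use gpb format"; }
    enum "gpb-sdm" { value 1; description "Use gpb self-describing-message format"; }
    enum "gpb-gnmi" { value 2; description "Use gnmi format for gpb messages"; }
    enum "json-gnmi" { value 3; description "Use gnmi format for json messages"; }
  }
  description "Telemetry export record format";
}
leaf transport {
  type enumeration {
    enum "udp" { value 0; description "Use UDP transport protocol"; }
    enum "grpc" { value 1; description "Use grpc transport"; }
  }
  description "Telemetry export transport protocol";
}
} // list export-profile
// Telemetry sensor subscriptions. The must-constraint makes a sensor and
// [system services cloud-analytics instance] mutually exclusive.
list sensor {
  junos:must "(!("system services cloud-analytics instance"))";
  junos:must-message "Cloud analytics should not be defined";
  key "name";
  ordered-by user;
  description "Define Telemetry sensors";
  leaf name {
    type string { length "1 .. 128"; }
    description "Name of the sensor";
  }
  uses apply-advanced;
  // Free-form streaming-server names: unlike the jflow-log collector reference,
  // no must-constraint checks that each name matches a configured
  // streaming-server, so a misspelled name is not rejected by the schema.
  leaf-list server-name {
    type string { length "1 .. 128"; }
    ordered-by user;
    description "Define Telemetry server ";
  }
  leaf export-name {
    type string { length "1 .. 128"; }
    description "Define Telemetry export profiles";
  }
  // Deprecated nanosecond interval; reporting-rate (seconds) on this list is
  // the non-deprecated interval knob.
  leaf polling-interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 4294967295"; }
    }
    units "nanoseconds";
    status deprecated;
    description "Define sensor polling interval in nano secs (1 .. 4294967295)";
  }
  leaf resource {
    type string { length "1 .. 255"; }
    description "System resource identifier string";
  }
  // Regular expression over resource instance names, capped at 1024 characters.
  leaf resource-filter {
    type string { length "1 .. 1024"; }
    description "Regexp for filtering resource instances (1 .. 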
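1024)"; }
  leaf subscription-id {
    type union {
      type uint64;
      type string { pattern "<.*>|$.*"; }
    }
    description "Subscription ID (Used internally to group sensors)";
  }
  leaf suppress-zeros {
    type empty;
    description "Suppress zeros while data export";
  }
  leaf reporting-rate {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "0 .. 86400"; }
    }
    units "seconds";
    description "Telemetry interval in seconds, max 24 hours";
  }
  leaf-list end-of-sync-identifiers {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 64"; }
    }
    max-elements 10;
    ordered-by user;
    description "Set of end-of-syncs for this sensor";
  }
  leaf target-defined {
    type empty;
    description "Allow target to decide periodic, on-change or mix";
  }
  leaf life-time {
    type enumeration {
      enum "long-lived" { value 0; description "A long-lived subscription"; }
      enum "one-off" { value 1; description "A one-off subscription"; }
    }
    description "Denotes sensor life-time";
  }
} // list sensor
// Analytics agent: named service agents, each with a set of input plugins.
container agent {
  description "Configure analytics agent";
  uses apply-advanced;
  list service-agents {
    key "name";
    ordered-by user;
    description "Analytics service agent configuration";
    leaf name {
      type string;
      description "Analytics service agent name";
    }
    uses apply-advanced;
    container inputs {
      description "List of input plugins";
      uses apply-advanced;
      container input-jti-ipfix {
        presence "enable input-jti-ipfix";
        description "Junos grpc IPFIX group plugin";
        uses apply-advanced;
        container parameters {
          presence "enable parameters";
          uses apply-advanced;
          // Up to 10 record groups, each reported on its own interval (at least 60 s).
          list record-group {
            key "name";
            max-elements 10;
            ordered-by user;
            description "Group sensors";
            leaf name {
              type string;
              description "Group sensors";
            }
            uses apply-advanced;
            leaf reporting-interval {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 {
                  range "60 .. 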
86400"; } } default "900"; description "Reporting-interval"; } leaf-list record { type enumeration { enum "port-statistics" { value 0; description "Port statistics"; } enum "address-pool-utilization" { value 1; description "Address pool utilization"; } enum "dhcpv4-server-stats" { value 2; description "Dhcpv4 server statistics"; } enum "thermal" { value 3; description "Thermal statistics"; } enum "chassis-inventory" { value 4; description "Chassis inventory details"; } enum "chassis-power" { value 5; description "Chassis power details"; } enum "resource-utilization" { value 6; description "Resource utilization details"; } enum "uptime" { value 7; description "Uptime value"; } enum "subscriber-statistics" { value 8; description "Subscriber statistics"; } enum "interface-metadata" { value 9; description "Interface metadata details"; } enum "interface-queue-statistics" { value 10; description "Interface Queue statistics"; } } ordered-by user; description "Ipfix record name"; } } // list record-group } // container parameters } // container input-jti-ipfix container input-ipfix { presence "enable input-ipfix"; description "Junos IPFIX Mediator input plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of IPFIX parameters"; uses apply-advanced; leaf tcp-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Listening TCP Port for IPFIX Mediator"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500"; } }
    description "Maximum TCP Connections 1..500";
  }
  // Scopes the IPFIX listener to one VRF; no peer-address filter is modelled here.
  leaf vrf-name {
    type string;
    description "VRF name on which IPFIX packets are accepted";
  }
} // container parameters
} // container input-ipfix
container analytics {
  presence "enable analytics";
  description "Junos Telemetry plugin";
  uses apply-advanced;
  container parameters {
    presence "enable parameters";
    description "List of key:value parameters";
    uses apply-advanced;
    leaf sample-frequency {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 86400"; }
      }
      units "seconds";
      default "5";
      description "Interval for sensor data in seconds, max 24 hours";
    }
    leaf sensors {
      type string { length "1 .. 2048"; }
      description "Space separated list of sensor paths";
    }
    leaf generate-tags {
      type empty;
      description "Enable generation of tags";
    }
  } // container parameters
} // container analytics
} // container inputs
// A service agent carries at most one output plugin (grouping output-plugin, not shown here).
list outputs {
  key "name";
  max-elements 1;
  ordered-by user;
  description "List of output plugins";
  uses output-plugin;
} // list outputs
} // list service-agents
// Agent-local tracing. NOTE(review): `filename` is a bare string with no
// posix-pattern, whereas the `file filename` leaves elsewhere in this module
// reject '/', '%' and spaces; confirm the agent constrains where the file is written.
container traceoptions {
  presence "enable traceoptions";
  uses apply-advanced;
  leaf flag {
    type enumeration {
      enum "trace" { value 0; description "Log level TRACE, will trace everything"; }
      enum "debug" { value 1; description "Log level DEBUG, will trace debug messages"; }
      enum "info" { value 2; description "Log level INFO"; }
      enum "error" { value 3; description "Log level ERROR, will trace all error messages"; }
    }
    description "Set log level for tracing";
  }
  leaf filename {
    type string;
    default "ntf-agent.log";
    description "Configure filename for trace messages";
  }
} // container traceoptions
} // container agent
// Daemon-level trace options for traffic analytics; 'no-remote-trace' is only
// accepted when [system tracing] is configured.
container traceoptions {
  description "Traffic analytics trace options";
  uses apply-advanced;
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  container file {
    description "Trace 
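file information";
  // Pattern rejects '/', '%' and spaces, so the name cannot carry a directory component.
  leaf filename {
    type string {
      junos:posix-pattern "![/ %]";
      junos:pattern-message "Must not contain '/', % or a space";
      length "1 .. 1024";
    }
    description "Name of file in which to write trace information";
  }
  leaf size {
    type string;
    description "Maximum trace file size";
  }
  leaf files {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "2 .. 1000"; }
    }
    default "3";
    description "Maximum number of trace files";
  }
  // world-readable exposes the trace file to every local user. The choice has
  // no default statement; what applies when neither leaf is set is decided by
  // the daemon, not by this schema.
  choice world-readable-choice {
    leaf world-readable {
      type empty;
      description "Allow any user to read the log file";
    }
    leaf no-world-readable {
      type empty;
      description "Don't allow any user to read the log file";
    }
  } // choice world-readable-choice
  leaf match {
    type jt:regular-expression;
    description "Regular expression for lines to be logged";
  }
} // container file
list flag {
  key "name";
  description "Tracing parameters";
  leaf name {
    type enumeration {
      // "all" previously described itself as "Trace configuration events", which
      // is the "configuration" flag's meaning; aligned with the other traceoptions
      // groupings in this module.
      enum "all" { value 0; description "Trace everything"; }
      enum "configuration" { value 1; description "Log configuration events"; }
      enum "rtsock" { value 2; description "Trace rtsock message events"; }
      enum "client-server" { value 3; description "Trace client-server events"; }
      enum "interface" { value 4; description "Trace interface update events"; }
      enum "xmlproxy" { value 5; description "Trace xmlproxy events"; }
    }
  }
  leaf disable {
    type empty;
    description "Disable this trace flag";
  }
} // list flag
} // container traceoptions
// Export profile: stream format plus the interface/system data selected for streaming.
list export-profiles {
  key "name";
  ordered-by user;
  description "Mapping of export-profiles to collectors";
  leaf name {
    type string {
      length "1 .. 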
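64"; }
    description "Export profile name";
  }
  uses apply-advanced;
  leaf stream-format {
    type enumeration {
      enum "gpb" { value 0; description "Google protocol buffer format"; }
      enum "json" { value 1; description "Java script object notation format"; }
      enum "csv" { value 2; description "Comma separated value"; }
      enum "tsv" { value 3; description "Tab separated value"; }
    }
    default "gpb";
    description "Streaming data format";
  }
  // Presence container: its existence alone is configuration, even with no child set.
  container interface {
    presence "enable interface";
    description "Interface specific information";
    uses apply-advanced;
    leaf information {
      type empty;
      description "Enable streaming of interface information";
    }
    container statistics {
      description "Type of statistics to stream";
      uses apply-advanced;
      leaf traffic {
        type empty;
        description "Enable streaming of interface traffic statistics";
      }
      leaf queue {
        type empty;
        description "Enable streaming of interface queue statistics";
      }
    } // container statistics
    container status {
      description "Type of statistics to stream";
      uses apply-advanced;
      leaf link {
        type empty;
        description "Enable streaming of interface link status";
      }
      leaf traffic {
        type empty;
        description "Enable streaming of interface traffic status";
      }
      leaf queue {
        type empty;
        description "Enable streaming of interface queue status";
      }
    } // container status
  } // container interface
  // System-level data to stream; description previously duplicated the
  // interface container's text.
  container system {
    presence "enable system";
    description "System specific information";
    uses apply-advanced;
    leaf information {
      type empty;
      description "Enable streaming of system information";
    }
    container status {
      description "Type of statistics to stream";
      uses apply-advanced;
      leaf traffic {
        type empty;
        description "Enable streaming of system traffic status";
      }
      leaf queue {
        type empty;
        description "Enable streaming of system queue status";
      }
    } // container status
  } // container system
} // list export-profiles
// Resource profile: which statistics to monitor and the thresholds applied to them.
list resource-profiles {
  key "name";
  ordered-by user;
  description "Mapping of resource profiles to interfaces/queues/system";
  leaf name {
    type string {
      length "1 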
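.. 64"; }
    description "Resource profile name";
  }
  uses apply-advanced;
  choice queue-monitoring-choice {
    leaf queue-monitoring {
      type empty;
      description "Enable queue statistics monitoring";
    }
    leaf no-queue-monitoring {
      type empty;
      description "Don't enable queue statistics monitoring";
    }
  } // choice queue-monitoring-choice
  choice traffic-monitoring-choice {
    leaf traffic-monitoring {
      type empty;
      description "Enable traffic statistics monitoring";
    }
    leaf no-traffic-monitoring {
      type empty;
      description "Don't enable traffic statistics monitoring";
    }
  } // choice traffic-monitoring-choice
  // depth-threshold and latency-threshold are mutually exclusive (each
  // must-constraint rejects the other). NOTE(review): nothing here orders low
  // against high; confirm the daemon validates low <= high.
  container depth-threshold {
    junos:must "(!(".. latency-threshold"))";
    junos:must-message "latency and queue-depth thresholds can not be set together";
    description "Depth threshold configuration";
    leaf high {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 1250000000"; }
      }
      units "bytes";
      description "High queue depth threshold";
    }
    leaf low {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 1250000000"; }
      }
      units "bytes";
      description "Low queue depth threshold";
    }
  } // container depth-threshold
  container latency-threshold {
    junos:must "(!(".. depth-threshold"))";
    junos:must-message "latency and queue-depth thresholds can not be set together";
    description "Latency threshold configuration";
    leaf high {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 100000000"; }
      }
      units "nanoseconds";
      description "High latency threshold";
    }
    leaf low {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 {
          range "1 .. 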
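100000000"; } }
      units "nanoseconds";
      description "Low latency threshold";
    }
  } // container latency-threshold
} // list resource-profiles
// Binds resource profiles to the system and to interfaces.
container resource {
  presence "enable resource";
  uses apply-advanced;
  container system {
    description "System configuration options";
    uses apply-advanced;
    // Reference checked by the must-constraint: the named profile has to exist
    // under [services analytics resource-profiles].
    leaf resource-profile {
      junos:must "("services analytics resource-profiles $$")";
      junos:must-message "Referenced resource-profile is not configured";
      type string { length "1 .. 64"; }
      description "Resource profile name";
    }
    container polling-interval {
      description "Polling interval";
      uses apply-advanced;
      leaf traffic-monitoring {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 300"; }
        }
        units "seconds";
        description "Traffic statistics polling interval";
      }
      leaf queue-monitoring {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 1000"; }
        }
        units "milliseconds";
        description "Queue statistics polling interval";
      }
    } // container polling-interval
  } // container system
  container interfaces {
    description "Interface configuration options";
    uses apply-advanced;
    list interface {
      key "name";
      uses interface_type;
    } // list interface
  } // container interfaces
} // container resource
container collector {
  description "Remote streaming servers configuration options";
  uses apply-advanced;
  // Local file sink; only the log-file settings below live here (the
  // description text is shared with the remote collector container).
  container local {
    description "Remote streaming servers configuration options";
    uses apply-advanced;
    container file {
      description "Log file information";
      // NOTE(review): jt:filename comes from junos-common-types and is not
      // visible here; the trace `filename` leaves in this module reject '/'
      // explicitly, so confirm jt:filename constrains the path the same way.
      leaf filename {
        type jt:filename;
        description "Name of file in which to write log information";
      }
      leaf size {
        type string;
        description "Maximum log file size";
      }
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 {
            range "2 .. 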
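1000"; } }
        default "10";
        description "Maximum number of trace files";
      }
    } // container file
  } // container local
  // Remote collectors keyed address -> port -> transport; each transport entry
  // references an export-profile that the must-constraint requires to exist.
  // Only tcp and udp are modelled: no transport-security option appears in this list.
  list address {
    key "name";
    description "IP address of remote server";
    leaf name {
      type jt:ipaddr;
      description "IP address";
    }
    uses apply-advanced;
    list port {
      key "name";
      description "Remote streaming server port number";
      leaf name {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 65535"; }
        }
        description "Port number";
      }
      uses apply-advanced;
      list transport {
        key "name";
        description "Transport protocol";
        leaf name {
          type enumeration {
            enum "tcp" { value 0; description "Transmission control protocol"; }
            enum "udp" { value 1; description "User datagram protocol"; }
          }
        }
        uses apply-advanced;
        leaf export-profile {
          junos:must "("services analytics export-profiles $$")";
          junos:must-message "Referenced export-profile is not configured";
          type string { length "1 .. 64"; }
          description "Export profile name";
        }
      } // list transport
    } // list port
  } // list address
} // container collector
// Deprecated; [collector local] above carries the same log-file settings.
container traffic-statistics {
  status deprecated;
  description "Traffic statistics configuration options";
  uses apply-advanced;
  container file {
    description "Log file information";
    leaf filename {
      type jt:filename;
      description "Name of file in which to write log information";
    }
    leaf size {
      type string;
      description "Maximum log file size";
    }
    leaf files {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "2 .. 1000"; }
      }
      default "10";
      description "Maximum number of trace files";
    }
  } // container file
  leaf interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 {
        range "1 .. 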
300"; } } units "seconds"; description "Traffic statistics polling interval"; } } // container traffic-statistics container queue-statistics { status deprecated; description "Microburst statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container queue-statistics container interfaces { status deprecated; description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces container streaming-servers { status deprecated; description "Remote streaming servers configuration options"; uses apply-advanced; list address { key "name"; ordered-by user; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } description "Port number"; } uses apply-advanced; leaf stream-format { type enumeration { enum "json" { value 0; description "Javascript object notation"; } enum "csv" { value 1; description "Comma separated value"; } enum "tsv" { value 2; description "Tab separated value"; } } description "Streaming data format"; } list stream-type { key "name"; description "Type of statistics to stream"; leaf name { type enumeration { enum "traffic-statistics" { value 0; description "Enable streaming of traffic statistics"; } enum "queue-statistics" { value 1; description "Enable streaming of queue statistics"; } } } uses apply-advanced; } // list stream-type } // list port } // list address } // container streaming-servers } // container analytics } // container services } // grouping services-group grouping aamwd-traceoptions { description "Advanced anti-malware trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } enum "connection" { value 1; description "Trace the connection to server"; } enum "content" { value 2; description "Trace the content buffer management"; } enum "daemon" { value 3; description "Trace advanced-anti-malware daemon"; } enum "http" { value 4; description "Trace http protocol operations"; } enum "identification" { value 5; description "Trace file identification"; } enum "imap" { value 6; description "Trace imap protocol operations"; } enum "parser" { value 7; description "Trace protocol context parser"; } enum "plugin" { value 8; description "Trace advanced-anti-malware plugin"; } enum "policy" { value 9; description "Trace advanced-anti-malware policy"; } enum "smb" { value 10; description "Trace smb protocol operations"; } enum "smtp" { value 11; description "Trace smtp protocol operations"; } } } } // list flag } // grouping aamwd-traceoptions grouping action-object-type { uses 
apply-advanced; container preferred-route { description "Preferred route action"; uses apply-advanced; leaf withdraw { type empty; description "Withdraw the preferred route"; } list routing-instances { key "name"; ordered-by user; description "Routing-instance"; leaf name { type string; } uses apply-advanced; list route { key "name"; ordered-by user; description "Route"; leaf name { type jt:ipprefix; } uses apply-advanced; choice next_hop { leaf-list next-hop { type union { type jt:ipaddr-or-interface; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Next hop to destination of route-action"; } leaf discard { type empty; description "Drop packets to destination; send no ICMP unreachables"; } } // choice next_hop leaf direct-next-hop { type empty; description "Accept only direct nexthop"; } leaf preferred-metric { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "Preferred metric value assigned to route action"; } } // list route } // list routing-instances list route { key "name"; ordered-by user; description "Route"; leaf name { type jt:ipprefix; } uses apply-advanced; choice next_hop { leaf-list next-hop { type union { type jt:ipaddr-or-interface; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Next hop to destination of route-action"; } leaf discard { type empty; description "Drop packets to destination; send no ICMP unreachables"; } } // choice next_hop leaf direct-next-hop { type empty; description "Accept only direct nexthop"; } leaf preferred-metric { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
255"; } } description "Preferred metric value assigned to route action"; } } // list route } // container preferred-route list interface { key "name"; ordered-by user; description "Interface enabling/disabling action"; leaf name { type union { type jt:interface-wildcard; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; choice action { leaf enable { type empty; description "Enable interface"; } leaf disable { type empty; description "Disable interface"; } } // choice action } // list interface } // grouping action-object-type grouping address-filter-type { description "IP address filter"; uses apply-advanced; leaf address-book { type string; description "Referenced address book"; } leaf address-set { type string { length "1 .. 63"; } description "Referenced address set"; } } // grouping address-filter-type grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro } // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping batch-query-type { description "Batch query configuration"; uses apply-advanced; leaf items-per-batch { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "100 .. 1000"; } } default "200"; description "Items number per batch query"; } leaf query-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
60"; } } units "seconds"; default "5"; description "Query interval"; } } // grouping batch-query-type grouping bgp-logical-system { description "Logical systems configuration for rpm"; leaf name { type string { junos:posix-pattern "![^a-zA-Z0-9_-]|(^(all|.{64,})$)"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Logical system name"; } uses apply-advanced; list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // grouping bgp-logical-system grouping bgp-routing-instances { description "Routing-instance configuration for rpm"; leaf name { type string; description "Routing instance name"; } uses apply-advanced; } // grouping bgp-routing-instances grouping dnsf-traceoptions-object { description "URL filtering trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing flag parameters"; leaf name { type enumeration { enum "normal" { value 0; description "Trace normal events"; } enum "config" { value 1; description "Trace dns filtering config events"; } enum "dns" { value 2; description "Trace url filtering DNS crawler events"; } enum "timer" { value 3; description "Trace url filtering timer events"; } enum "connect" { value 4; description "Trace url filtering ipc events"; } enum "parse" { value 5; description "Trace url filtering parse events"; } enum "statistics" { value 6; description "Trace url filtering statistics events"; } enum "system" { value 7; description "Trace url filtering system events"; } enum "operational-commands" { value 8; description "Trace url filtering show events"; } enum "filter" { value 9; description "Trace url filtering filter programming events"; } enum "gencfg" { value 10; description "Trace url filtering gencfg events"; } enum "routing" { value 11; description "Trace url filtering route programming events"; } 
enum "snmp" { value 12; description "Trace url filtering snmp events"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag } // grouping dnsf-traceoptions-object grouping drop-policy-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; container source-address { presence "enable source-address"; description "Source IP Address"; uses li_policy_addr_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IP Address"; uses li_policy_addr_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy-term grouping drop-policy6-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; container source-address { presence "enable 
source-address"; description "Source IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy6-term grouping family { container inet { description "IPv4 parameters"; uses apply-advanced; choice if-addr { leaf dhcp { type empty; description "Enable DHCP on ethernet interface"; } leaf address { type jt:ipv4prefix; description "Interface address/destination prefix"; } } // choice if-addr } // container inet } // grouping family grouping icap-profile-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; }
    description "ICAP service profile name";
  }
  uses apply-advanced;
  list server {
    key "name";
    max-elements 16;
    ordered-by user;
    description "Configure service redirection server";
    uses icap-redir-server;
  } // list server
  container http {
    description "ICAP methods switch";
    uses http-redirect-object;
  } // container http
  container fallback-option {
    description "Failure event actions";
    uses icap-redirect-fallback;
  } // container fallback-option
  leaf timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "100 .. 50000"; }
    }
    default "500";
    description "Server response timeout in milliseconds";
  }
} // grouping icap-profile-object
// Switches selecting which HTTP direction(s) the ICAP redirect service handles.
grouping http-redirect-object {
  uses apply-advanced;
  leaf redirect-request {
    type empty;
    description "Enable redirect service on HTTP request";
  }
  leaf redirect-response {
    type empty;
    description "Enable redirect service on HTTP response";
  }
} // grouping http-redirect-object
// One ICAP redirect server entry (the "server" list of icap-profile-object): host/port,
// optional HTTP authorization and, on the continuing lines, routing instance, connection
// count and an optional "services ssl initiation" TLS profile.
grouping icap-redir-server {
  leaf name {
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 63";
    }
    description "Server name";
  }
  uses apply-advanced;
  container authorization {
    description "User authentication";
    uses apply-advanced;
    leaf authorization-type {
      // No YANG "default" is declared; the "'Basic' by default" wording describes platform
      // behaviour, not something this schema enforces.
      type string { length "1 .. 127"; }
      description "Authentication type. 'Basic' by default";
    }
    container credentials {
      description "Credentials text";
      // NOTE(review): both alternatives are plain "type string" leaves; base64 is an encoding,
      // not protection, and nothing in this schema marks the leaf as a secret. Confirm how the
      // platform stores and displays this value in the configuration.
      choice credentials-choice {
        leaf ascii {
          type string { length "1 .. 511"; }
          description "ASCII string";
        }
        leaf base64 {
          type string { length "1 .. 511"; }
          description "Base64 string";
        }
      } // choice credentials-choice
    } // container credentials
  } // container authorization
  leaf host {
    // Free-form string rather than jt:ipaddr, so no address/hostname validation at schema level.
    type string { length "1 .. 255"; }
    description "Host name/IP address";
  }
  leaf port {
    // Accepts a "<...>" or "$..." string alongside the numeric port (apparently a Junos
    // variable/wildcard form; its meaning is not stated in this file). The numeric range
    // continues on the next line.
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "1025 .. 
65535"; } } default "1344"; description "Server listening port"; } leaf reqmod-uri { type string { length "0 .. 1023"; } description "REQMOD option resource identifier"; } leaf respmod-uri { type string { length "0 .. 1023"; } description "RESPMOD option resource identifier"; } container routing-instance { description "Routing instance"; leaf ri-name { junos:must "("routing-instances $$ instance-type virtual-router")"; junos:must-message "Virtual router must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; length "1 .. 127"; } description "Routing instance name"; } } // container routing-instance leaf sockets { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 64"; } } default "8"; description "Number of connections to create"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "Referenced SSL initiation profile is not defined"; type string { length "1 .. 
63"; }
    description "TLS profile";
  }
} // grouping icap-redir-server
// Actions taken when the ICAP server cannot answer: request timeout, connection failure and
// any other failure. NOTE(review): every leaf defaults to "permit", so the redirect service
// fails open unless "block" (or "log-permit") is configured explicitly; deployments that rely
// on ICAP for enforcement should set these three values deliberately.
grouping icap-redirect-fallback {
  uses apply-advanced;
  leaf timeout {
    // The same permit/log-permit/block enumeration is repeated for the two leaves below; a
    // shared typedef would keep the three from drifting.
    type enumeration {
      enum "permit" { value 0; description "Direct permit action"; }
      enum "log-permit" { value 1; description "Log then permit action"; }
      enum "block" { value 2; description "Block action"; }
    }
    default "permit";
    description "Request timeout action";
  }
  leaf connectivity {
    type enumeration {
      enum "permit" { value 0; description "Direct permit action"; }
      enum "log-permit" { value 1; description "Log then permit action"; }
      enum "block" { value 2; description "Block action"; }
    }
    default "permit";
    description "Connection-related failure action";
  }
  leaf default-action {
    type enumeration {
      enum "permit" { value 0; description "Direct permit action"; }
      enum "log-permit" { value 1; description "Log then permit action"; }
      enum "block" { value 2; description "Block action"; }
    }
    default "permit";
    description "Default failure action";
  }
} // grouping icap-redirect-fallback
// Trace settings for the ICAP redirect service: file name, size, rotation count and
// readability here; the trace flags follow on the next line.
grouping icap-redirect-traceoptions {
  description "ICAP redirect traceoptions";
  uses apply-advanced;
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  container file {
    description "Trace file information";
    leaf filename {
      // Rejects '/', '%' and space, presumably to keep the name inside the trace directory and
      // free of format-style characters; the intent is not stated in this file.
      type string {
        junos:posix-pattern "![/ %]";
        junos:pattern-message "Must not contain '/', % or a space";
        length "1 .. 1024";
      }
      description "Name of file in which to write trace information";
    }
    leaf size {
      // Free-form string: no numeric type or range is enforced for the maximum size.
      type string;
      description "Maximum trace file size";
    }
    leaf files {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } enum "icap-redirect-re" { value 1; description "Trace events on RE side"; } enum "icap-redirect-control" { value 2; description "Trace events on PFE-ukernel side"; } enum "icap-redirect-connection" { value 3; description "Trace ICAP server connection events"; } enum "icap-redirect-protocol" { value 4; description "Trace redirect packet events"; } } } } // list flag } // grouping icap-redirect-traceoptions grouping identity-management-connection-type { description "Identity management connection"; uses apply-advanced; leaf connect-method { type enumeration { enum "https" { value 0; description "HTTPS connection"; } enum "http" { value 1; description "HTTP connection"; } } description "Method of connection"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "443"; description "Server port"; } container primary { description "Primary server"; uses identity-server-connection-type; } // container primary container secondary { description "Secondary server"; uses identity-server-connection-type; } // container secondary leaf token-api { type string { length "1 .. 128"; } description "API of acquiring token for OAuth2 authentication"; } leaf query-api { type string { length "4 .. 
128"; }
    description "Query API";
  }
} // grouping identity-management-connection-type
// Per-server connection settings for the identity-management feed; used by both the
// "primary" and "secondary" containers of identity-management-connection-type.
grouping identity-server-connection-type {
  description "Connection parameters per server";
  uses apply-advanced;
  leaf address {
    type jt:ipaddr;
    description "Server address";
  }
  leaf ca-certificate {
    // File name only: unlike routing-instance below there is no junos:must, so the schema does
    // not check that the referenced CA file exists.
    type string { length "1 .. 256"; }
    description "Ca-certificate file name";
  }
  leaf client-id {
    type string { length "1 .. 64"; }
    description "Client ID for OAuth2 grant";
  }
  leaf client-secret {
    // NOTE(review): a plain "type string" with no secret-typing or constraint; confirm that the
    // platform obfuscates this value in the stored and displayed configuration.
    type string { length "1 .. 128"; }
    description "Client secret for OAuth2 grant";
  }
  leaf source {
    type jt:ipaddr;
    description "Client address";
  }
  leaf interface {
    // Either a validated interface name or a "<...>"/"$..." string (apparently a Junos
    // variable/wildcard form; not explained in this file).
    type union {
      type jt:interface-name;
      type string { pattern "<.*>|$.*"; }
    }
    description "Interface name";
  }
  leaf routing-instance {
    junos:must "("routing-instances $$")";
    junos:must-message "Routing-instance must be defined";
    type string;
    description "Routing instance name";
  }
} // grouping identity-server-connection-type
// Screen (IDS) object. The per-layer option containers (icmp, ip, tcp, udp, limit-session)
// continue on the following lines of this grouping.
grouping ids-option-type {
  description "Configure screen object";
  leaf name {
    type string { length "1 .. 64"; }
    description "Screen object name";
  }
  uses apply-advanced;
  leaf description {
    // Pattern bars '&', '<', '>' and spaces, presumably to keep the text safe for XML/HTML
    // rendering; the intent is not stated in this file.
    type string {
      junos:posix-pattern "^[^&<> ]+$";
      junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '";
      length "1 .. 900";
    }
    description "Text description of screen";
  }
  leaf alarm-without-drop {
    // Per the description, matching packets are alarmed on rather than dropped, i.e. the
    // screen becomes detect-only when this is set.
    type empty;
    description "Do not drop packet, only generate alarm";
  }
  leaf match-direction {
    type enumeration {
      enum "input" { value 0; description "Match on input to interface"; }
      enum "output" { value 1; description "Match on output from interface"; }
      enum "input-output" { value 2; description "Match on input to or output from interface"; }
    }
    description "Match direction";
  }
  container aggregation {
    presence "enable aggregation";
    description "Configure the source and Destination prefix for a ids-option";
    uses apply-advanced;
    leaf source-prefix-mask {
      // Numeric range continues on the next line.
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 
32"; } } description "Source IPV4 prefix"; } leaf destination-prefix-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Destination IPV4 prefix"; } leaf source-prefix-v6-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 128"; } } description "Source IPV6 prefix"; } leaf destination-prefix-v6-mask { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 128"; } } description "Destination IPV6 prefix"; } } // container aggregation container icmp { description "Configure ICMP ids options"; uses apply-advanced; container ip-sweep { presence "enable ip-sweep"; description "Configure ip sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 ICMP packets are detected"; default "5000"; description "Threshold"; } } // container ip-sweep leaf fragment { type empty; description "Enable ICMP fragment ids option"; } leaf large { type empty; description "Enable large ICMP packet (size > 1024) ids option"; } container flood { presence "enable flood"; description "Configure icmp flood ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "ICMP packets per second"; default "1000"; description "Threshold"; } } // container flood leaf ping-death { type empty; description "Enable ping of death ids option"; } leaf icmpv6-malformed { type empty; description "Enable icmpv6 malformed ids option"; } } // container icmp container ip { description "Configure IP layer ids options"; uses apply-advanced; leaf bad-option { type empty; description "Enable ip with bad option ids option"; } leaf record-route-option { type empty; description "Enable ip with record route option ids option"; } leaf timestamp-option { type empty; description "Enable ip with timestamp option ids option"; } leaf security-option { type empty; description "Enable ip with 
security option ids option"; } leaf stream-option { type empty; description "Enable ip with stream option ids option"; } leaf spoofing { type empty; description "Enable IP address spoofing ids option"; } leaf source-route-option { type empty; description "Enable ip source route ids option"; } leaf loose-source-route-option { type empty; description "Enable ip with loose source route ids option"; } leaf strict-source-route-option { type empty; description "Enable ip with strict source route ids option"; } leaf unknown-protocol { type empty; description "Enable ip unknown protocol ids option"; } leaf block-frag { type empty; description "Enable ip fragment blocking ids option"; } leaf tear-drop { type empty; description "Enable tear drop ids option"; } container ipv6-extension-header { description "Configure ipv6 extension header ids option"; uses apply-advanced; container hop-by-hop-header { presence "enable hop-by-hop-header"; description "Enable ipv6 hop by hop option header ids option"; uses apply-advanced; leaf jumbo-payload-option { type empty; description "Enable jumbo payload option ids option"; } leaf router-alert-option { type empty; description "Enable router alert option ids option"; } leaf quick-start-option { type empty; description "Enable quick start option ids option"; } leaf CALIPSO-option { type empty; description "Enable Common Architecture Label ipv6 Security Option ids option"; } leaf SMF-DPD-option { type empty; description "Enable Simplified Multicast Forwarding ipv6 Duplicate Packet Detection option ids option"; } leaf RPL-option { type empty; description "Enable Routing Protocol for Low-power and Lossy networks option ids option"; } list user-defined-option-type { key "name"; max-elements 256; ordered-by user; description "User-defined option type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
255"; } } description "User-defined option type low value"; } container to { description "Upper limit of option type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type high value"; } } // container to } // list user-defined-option-type } // container hop-by-hop-header leaf routing-header { type empty; description "Enable ipv6 routing header ids option"; } leaf fragment-header { type empty; description "Enable ipv6 fragment header ids option"; } leaf ESP-header { type empty; description "Enable ipv6 Encapsulating Security Payload header ids option"; } leaf AH-header { type empty; description "Enable ipv6 Authentication Header ids option"; } leaf no-next-header { type empty; description "Enable ipv6 no next header ids option"; } container destination-header { presence "enable destination-header"; description "Enable ipv6 destination option header ids option"; uses apply-advanced; leaf tunnel-encapsulation-limit-option { type empty; description "Enable tunnel encapsulation limit option ids option"; } leaf home-address-option { type empty; description "Enable home address option ids option"; } leaf ILNP-nonce-option { type empty; description "Enable Identifier-Locator Network Protocol Nonce option ids option"; } leaf line-identification-option { type empty; description "Enable line identification option ids option"; } list user-defined-option-type { key "name"; max-elements 256; ordered-by user; description "User-defined option type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } description "User-defined option type low value"; } container to { description "Upper limit of option type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
255"; } } description "User-defined option type high value"; } } // container to } // list user-defined-option-type } // container destination-header leaf shim6-header { type empty; description "Enable ipv6 shim header ids option"; } leaf mobility-header { type empty; description "Enable ipv6 mobility header ids option"; } leaf HIP-header { type empty; description "Enable ipv6 Host Identify Protocol header ids option"; } list user-defined-header-type { key "name"; max-elements 256; ordered-by user; description "User-defined header type range"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "User-defined header type low value"; } container to { description "Upper limit of header type range"; uses apply-advanced; leaf type-high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "User-defined header type high value"; } } // container to } // list user-defined-header-type } // container ipv6-extension-header leaf ipv6-extension-header-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
32"; } } description "Enable ipv6 extension header limit ids option"; } leaf ipv6-malformed-header { type empty; description "Enable ipv6 malformed header ids option"; } container tunnel { description "Configure IP tunnel ids options"; uses apply-advanced; leaf bad-inner-header { type empty; description "Enable IP tunnel bad inner header ids option"; } container gre { description "Configure IP tunnel GRE ids option"; uses apply-advanced; leaf gre-6in4 { type empty; description "Enable IP tunnel GRE 6in4 ids option"; } leaf gre-4in6 { type empty; description "Enable IP tunnel GRE 4in6 ids option"; } leaf gre-6in6 { type empty; description "Enable IP tunnel GRE 6in6 ids option"; } leaf gre-4in4 { type empty; description "Enable IP tunnel GRE 4in4 ids option"; } } // container gre container ip-in-udp { description "Configure IP tunnel IPinUDP ids option"; uses apply-advanced; leaf teredo { type empty; description "Enable IP tunnel IPinUDP Teredo ids option"; } } // container ip-in-udp container ipip { description "Configure IP tunnel IPIP ids option"; uses apply-advanced; leaf ipip-6to4relay { type empty; description "Enable IP tunnel IPIP 6to4 Relay ids option"; } leaf ipip-6in4 { type empty; description "Enable IP tunnel IPIP 6in4 ids option"; } leaf ipip-4in6 { type empty; description "Enable IP tunnel IPIP 4in6 ids option"; } leaf ipip-4in4 { type empty; description "Enable IP tunnel IPIP 4in4 ids option"; } leaf ipip-6in6 { type empty; description "Enable IP tunnel IPIP 6in6 ids option"; } leaf ipip-6over4 { type empty; description "Enable IP tunnel IPIP 6over4 ids option"; } leaf isatap { type empty; description "Enable IP tunnel IPIP ISATAP ids option"; } leaf dslite { type empty; description "Enable IP tunnel IPIP DS-Lite ids option"; } } // container ipip } // container tunnel } // container ip container tcp { description "Configure TCP Layer ids options"; uses apply-advanced; leaf syn-fin { type empty; description "Enable SYN and FIN bits set attack ids 
option"; } leaf fin-no-ack { type empty; description "Enable Fin bit with no ACK bit ids option"; } leaf tcp-no-flag { type empty; description "Enable TCP packet without flag ids option"; } leaf syn-frag { type empty; description "Enable SYN fragment ids option"; } leaf syn-defense { type empty; description "Enable tcp syn-defense"; } container port-scan { presence "enable port-scan"; description "Configure TCP port scan ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 attack packets are detected"; default "5000"; description "Threshold"; } } // container port-scan container syn-ack-ack-proxy { presence "enable syn-ack-ack-proxy"; description "Configure syn-ack-ack proxy ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 250000"; } } units "un-authenticated connections"; default "512"; description "Threshold"; } } // container syn-ack-ack-proxy container syn-flood { presence "enable syn-flood"; description "Configure SYN flood ids option"; uses apply-advanced; leaf alarm-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "requests per second"; default "512"; description "Alarm threshold"; } leaf attack-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "proxied requests per second"; default "200"; description "Attack threshold"; } leaf source-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "SYN pps"; default "4000"; description "Source threshold"; } leaf destination-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "SYN pps"; default "4000"; description "Destination threshold"; } leaf queue-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "200 .. 
20000"; } } units "proxied requests in queue"; default "1024"; status deprecated; description "Queue size"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } units "seconds"; default "20"; description "SYN flood ager timeout"; } list white-list { key "name"; max-elements 2; description "Set of IP addresses that will not trigger a screen"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "White-list name"; } uses apply-advanced; leaf-list source-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Source address"; } leaf-list destination-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Destination address"; } } // list white-list } // container syn-flood leaf land { type empty; description "Enable land attack ids option"; } leaf winnuke { type empty; description "Enable winnuke attack ids option"; } container tcp-sweep { presence "enable tcp-sweep"; description "Configure TCP sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 
1000000"; } } units "microseconds in which 10 TCP packets are detected"; default "5000"; description "Threshold"; } } // container tcp-sweep } // container tcp container udp { description "Configure UDP layer ids options"; uses apply-advanced; container flood { presence "enable flood"; description "Configure UDP flood ids option"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "UDP packets per second"; default "1000"; description "Threshold"; } leaf-list white-list { type string; max-elements 2; ordered-by user; description "Configure UDP flood white list group name"; } } // container flood container udp-sweep { presence "enable udp-sweep"; description "Configure UDP sweep ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 1000000"; } } units "microseconds in which 10 UDP packets are detected"; default "5000"; description "Threshold"; } } // container udp-sweep container port-scan { presence "enable port-scan"; description "Configure UDP port scan ids option"; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1000 .. 
1000000"; } } units "microseconds in which 10 attack packets are detected"; default "5000"; description "Threshold"; } } // container port-scan } // container udp container limit-session { description "Limit sessions"; uses apply-advanced; leaf source-ip-based { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions from the same source IP"; } leaf destination-ip-based { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions to the same destination IP"; } container by-source { presence "enable by-source"; description "Limit sessions from the same source IP or subnet"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } container by-protocol { presence "enable by-protocol"; description "Limit sessions on the basis of protocol"; uses by-protocol-object-type; } // container by-protocol leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // container by-source container by-destination { presence "enable by-destination"; description "Limit sessions to the same destination IP or subnet"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } container by-protocol { presence "enable by-protocol"; description "Limit sessions on the basis of protocol"; uses by-protocol-object-type; } // container by-protocol leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // container by-destination } // container limit-session } // grouping ids-option-type grouping by-protocol-object-type { description "Configure limit-session on the basis of protocol"; uses apply-advanced; container tcp { presence "enable tcp"; description "Configure limit-session on the basis of TCP"; uses by-protocol-object-limit-tcp-type; } // container tcp container udp { presence "enable udp"; description "Configure limit-session on the basis of UDP"; uses by-protocol-object-limit-type; } // container udp container icmp { presence "enable icmp"; description "Configure limit-session on the basis of ICMP"; uses by-protocol-object-limit-type; } // container icmp } // grouping by-protocol-object-type grouping by-protocol-object-limit-tcp-type { description "Configure the limit-session for tcp protocol"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
4294967295"; } } description "Limit sessions on the basis of session rate"; } leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } container syn-cookie { presence "enable syn-cookie"; description "Configure syn-cookie parameters"; uses apply-advanced; leaf mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "TCP maximum segment size"; } leaf threshold-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "TCP-SYN cps rate to trigger SYN-COOKIE"; } leaf threshold-num { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Number of sessions to trigger SYN-COOKIE"; } } // container syn-cookie } // grouping by-protocol-object-limit-tcp-type grouping by-protocol-object-limit-type { description "Configure the limit-session for each protocol"; uses apply-advanced; leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Limit sessions on the basis of maximum concurrent sessions"; } leaf packet-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of packet rate"; } leaf session-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Limit sessions on the basis of session rate"; } leaf-list whitelist { type string; max-elements 10; ordered-by user; description "Configure white list group name"; } } // grouping by-protocol-object-limit-type grouping ids-wlist-type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
32"; } description "White-list name"; } uses apply-advanced; leaf-list address { type jt:ipprefix; max-elements 32; ordered-by user; description "Address"; } } // grouping ids-wlist-type grouping ims-connection-type { description "Identity management connection"; uses apply-advanced; leaf connect-method { type enumeration { enum "https" { value 0; description "HTTPS connection"; } enum "http" { value 1; description "HTTP connection"; } } description "Method of connection"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "443"; description "Server port"; } container primary { description "Primary server"; uses server-connection-type; } // container primary container secondary { description "Secondary server"; uses server-connection-type; } // container secondary leaf token-api { type string { length "1 .. 128"; } description "API of acquiring token for OAuth2 authentication"; } leaf query-api { type string { length "4 .. 128"; } description "Query API"; } } // grouping ims-connection-type grouping ims-traceoptions-type { description "Identity management tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace identity management all modules"; } enum "authentication-management" { value 1; description "Trace advanced-query auth table management module"; } enum "configuration" { value 2; description "Trace identity management configuration"; } enum "dispatcher" { value 3; description "Trace dispatcher module"; } enum "query" { value 4; description "Trace query process"; } enum "jims-validator-query" { value 5; description "Trace jims validator query process"; } enum "memory" { value 6; description "Trace memory"; } } } } // list flag } // grouping ims-traceoptions-type grouping interface_type { description "Physical interface"; leaf name { type string; } uses apply-advanced; choice queue-statistics-choice { leaf queue-statistics { type empty; status deprecated; description "Enable queue statistics collection"; } leaf no-queue-statistics { type empty; status deprecated; description "Don't enable queue statistics 
collection"; } } // choice queue-statistics-choice choice traffic-statistics-choice { leaf traffic-statistics { type empty; status deprecated; description "Enable traffic statistics collection"; } leaf no-traffic-statistics { type empty; status deprecated; description "Don't enable traffic statistics collection"; } } // choice traffic-statistics-choice leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "bound resource-profile is not configured"; type string { length "1 .. 64"; } description "Resource profile name"; } } // grouping interface_type grouping jims-validator-type { description "Web server from JIMS for Validate or group query request"; uses apply-advanced; leaf address { type string { length "1 .. 128"; } description "IP address or hostname of web server"; } leaf client-id { type string { length "1 .. 64"; } description "Client ID for OAuth2 grant"; } leaf client-secret { type string { length "1 .. 128"; } description "Client secret for OAuth2 grant"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "591"; description "Web server port"; } } // grouping jims-validator-type grouping juniper-services-captive-portal { junos:must "(("services captive-portal secure-authentication" || "system services web-management http"))"; junos:must-message "HTTP web service should be enabled"; uses apply-advanced; leaf authentication-profile-name { junos:must "("access profile $$")"; junos:must-message "Access profile name must be defined in the [edit access profile] hierarchy"; type string { length "1 .. 63"; } description "Access profile name to use for authentication"; } container traceoptions { status deprecated; description "Trace options for CAPTIVE PORTAL"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "dot1x-debug" { junos:must "(!("services captive-portal traceoptions flag dot1x-event"))"; junos:must-message "Can not configure dot1x-event with dot1x-debug flag"; value 0; description "Trace dot1x events"; } enum "parse" { value 1; description "Trace configuration parsing"; } enum "esw-if" { junos:must "(!("services captive-portal traceoptions flag dot1x-ipc"))"; junos:must-message "Can not configure dot1x-ipc with esw-if flag"; value 2; description "Trace ESW Interactions"; } enum "config-internal" { value 3; description "Trace configuration internals"; } enum "normal" { value 4; description "Trace normal events"; } enum "general" { value 5; description "Trace general events"; } enum "state" { value 6; description "Trace state transitions"; } enum "task" { value 7; description "Trace task processing"; } enum "timer" { value 8; description "Trace task timer processing"; } enum "all" { value 9; description "Trace everything"; } enum "dot1x-ipc" { value 10; description "Trace dot1x IPC interactions"; } enum "dot1x-event" { value 11; description "Trace dot1x events"; } } } leaf disable { type empty; 
description "Disable this trace flag"; } } // list flag } // container traceoptions list interface { key "name"; description "Captive Portal interface specific options"; leaf name { junos:must "(!("system phone-home"))"; junos:must-message "Can't configure captive-portal along with Phone-home. Delete phone-home config to enable captive-portal"; junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; junos:must "((!("switch-options no-mac-learning") || (!(".. .. .. .. .. switch-options no-mac-learning") || !(any ".. .. .. .. .. bridge-domains <*> bridge-options no-mac-learning interface $$-IFL"))))"; junos:must-message "Cannot configure captive-portal on this interface since no-mac-learning is enabled on the same interface"; junos:must "(!("protocols dot1x supplicant interface ${interface}"))"; junos:must-message "Must not configure supplicant and captive-portal on same interface"; junos:must "(!("interfaces $$-IFL family bridge interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching port-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the port-mode is defined as trunk"; type string; } uses apply-advanced; leaf supplicant { type enumeration { enum "single" { value 0; description "Allow multiple clients; authenticate first client only"; } enum "single-secure" { value 1; description "Allow and authenticate only a single client"; } enum "multiple" { value 2; description "Allow multiple clients; authenticate each individually"; } } description "Set supplicant mode for this interface"; } leaf retries { type union { type string { 
pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Number of retries after which port is placed into wait state"; } leaf quiet-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "seconds"; description "Time to wait after an authentication failure"; } leaf server-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "seconds"; description "Authentication server timeout interval"; } leaf session-expiry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "seconds"; description "Session Expiry Timeout"; } leaf user-keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "7 .. 65535"; } } units "minutes"; description "Session keepalive after mac-flush"; } } // list interface leaf secure-authentication { type enumeration { enum "http" { junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; value 0; description "Insecure plain-text HTTP will be used for Captive Portal authentication, username and password can be sniffed"; } enum "https" { junos:must "(("system services web-management http" && "system services web-management https"))"; junos:must-message "HTTP and HTTPS web services should be enabled"; value 1; description "Encrypted HTTPS will be used for Captive Portal authentication"; } } default "http"; description "Set secure authentication using encrypted HTTPS or insecure authentication using plain-text HTTP"; } container custom-options { presence "enable custom-options"; description "Captive Portal html user interface customization options"; uses apply-advanced; leaf header-logo { type string { junos:posix-pattern "^.+.((jpg)|(gif)|(jpeg)|(png))$"; junos:pattern-message "Only jpg, jpeg, gif, png image types allowed"; length "1 .. 
255"; } description "Path to logo image file"; } leaf header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html header in hex html format"; } leaf header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the html header in hex html format"; } leaf header-message { type string { length "1 .. 2047"; } description "Message to be displayed in the html header"; } leaf banner-message { type string { length "1 .. 2047"; } description "Terms and Conditions of usage message"; } leaf form-header-message { type string { length "1 .. 255"; } description "Message to be displayed in the login form header"; } leaf form-header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the login form header in hex html format"; } leaf form-header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the login form header in hex html format"; } leaf form-submit-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form submit button"; } leaf form-reset-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form reset button"; } leaf footer-message { type string { length "1 .. 
2047"; } description "Message to be displayed in the html footer"; } leaf footer-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html footer in hex html format"; } leaf footer-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the footer in hex html format"; } leaf post-authentication-url { type string { length "1 .. 255"; } description "Post authentication redirection URL"; } } // container custom-options } // grouping juniper-services-captive-portal grouping li_policy_addr6_simple_object { uses apply-advanced; leaf address { type jt:ipv6prefix; description "Prefix to match"; } } // grouping li_policy_addr6_simple_object grouping li_policy_addr_simple_object { uses apply-advanced; leaf address { type jt:ipv4prefix; description "Prefix to match"; } } // grouping li_policy_addr_simple_object grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping match_li_simple_dscp_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_dscp_value grouping match_li_simple_port_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_port_value grouping match_li_simple_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_protocol_value grouping monitor-threshold { leaf normal { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 
100"; } } description "Usage under normal conditions"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 100"; } } description "Threshold upon which alarm is raised"; } } // grouping monitor-threshold grouping output-plugin { leaf name { type string; description "Plugin name"; } uses apply-advanced; list parameters { key "name"; ordered-by user; description "List of key:value parameters for plugin"; uses parameter-pair; } // list parameters } // grouping output-plugin grouping parameter-pair { leaf name { type string; description "Parameter key"; } uses apply-advanced; leaf value { type string; description "Parameter value"; } } // grouping parameter-pair grouping pcp-object { description "Configure Port Control Protocol"; uses apply-advanced; container traceoptions { description "Trace options for PCP-LOG"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services pcp rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // grouping pcp-object grouping proxy-profile-setting { description "Proxy profile settings"; leaf name { type string { length "1 .. 
64"; } description "Proxy profile name"; } uses apply-advanced; container protocol { description "Protocol level proxy setting"; uses apply-advanced; container http { description "HTTP proxy setting"; uses apply-advanced; leaf host { type string { length "1 .. 256"; } description "Proxy server name or IP address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } default "3128"; description "Proxy server port"; } } // container http } // container protocol } // grouping proxy-profile-setting grouping rmopd-traceoptions { description "Trace options for remote-monitoring"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "ipc" { value 1; description "Trace ipc messages"; } enum "ppm" { value 2; description "Trace ppm"; } enum "rpd" { value 3; description "Trace rpd events"; } enum "info" { value 4; description "Trace info events"; } enum "statistics" { value 5; description "Trace statistics"; } enum "error" { value 6; description "Trace events related to catastrophic errors in daemon"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping rmopd-traceoptions grouping secintel-category-disable { description "Security intelligence category"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Blacklist" { value 3; description "Blacklist"; } enum "Whitelist" { value 4; description "Whitelist"; } 
enum "Infected-Hosts" { value 5; description "Infected-Hosts"; } enum "SecProfiling" { value 6; description "SecProfiling"; } enum "DNS" { value 7; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; container disable { presence "enable disable"; description "To disable category for feed update"; } // container disable } // grouping secintel-category-disable grouping secintel-policy-setting { description "Security intelligence policy setting"; leaf name { type string { length "1 .. 63"; } description "Security intelligence policy name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of policy"; } list category-profiles { key "name"; ordered-by user; description "Security intelligence category profiles"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Infected-Hosts" { value 3; description "Infected-Hosts"; } enum "DNS" { value 4; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; leaf profile-name { junos:must "("services security-intelligence profile $$")"; junos:must-message "security intelligence profile must be defined"; type string; description "Name of profile"; } } // list category-profiles } // grouping secintel-policy-setting grouping secintel-profile-setting { description "Security intelligence profile settings"; leaf name { type string { length "1 .. 63"; } description "Security intelligence profile name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900"; } description "Text description of profile"; } leaf category { type string; description "Profile category name"; } list rule { key "name"; ordered-by user; description "Profile rule name"; uses secintel-profile-rule; } // list rule container default-rule { presence "enable default-rule"; description "Profile default rule"; uses apply-advanced; container then { presence "enable then"; description "Profile default rule action"; uses apply-advanced; container action { description "Security intelligence profile action"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit action"; } container block { description "Block action"; uses apply-advanced; choice action { container drop { presence "enable drop"; description "Drop packet"; } // container drop container close { junos:must "(!(".. .. .. .. .. category DNS"))"; junos:must-message "close action not available on DNS profiles"; presence "enable close"; description "Close session"; uses apply-advanced; container http { description "Http content for block action"; uses apply-advanced; choice http-choice { leaf file { type string; description "File name for http response to client"; } leaf message { type string; description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container http } // container close } // choice action } // container block container recommended { junos:must "(!(".. .. .. .. category DNS"))"; junos:must-message "recommend action not available on DNS profiles"; presence "enable recommended"; description "Recommended action from feed server"; } // container recommended leaf sinkhole { junos:must "(".. .. .. .. 
category DNS")"; junos:must-message "Sinkhole action requires DNS category profile"; type empty; description "DNS sinkhole for DNS profile"; } } // choice action } // container action choice log-choice { leaf log { type empty; description "Log security intelligence block action"; } leaf no-log { type empty; description "Don't log security intelligence block action"; } } // choice log-choice } // container then } // container default-rule } // grouping secintel-profile-setting grouping secintel-profile-rule { description "Security intelligence profile rule"; leaf name { type string { length "1 .. 63"; } description "Profile rule name"; } uses apply-advanced; container match { description "Profile matching feed name and threat levels"; uses apply-advanced; list feed-name { key "name"; max-elements 32; ordered-by user; description "Profile matching feed name"; leaf name { type string { junos:posix-pattern "^[^/;:|=,+*?&<>{}]*$"; junos:pattern-message "Must not be double quotation marks and other special characters as / ; : | = , + * ? & < > { }"; length "1 .. 63"; } } uses apply-advanced; } // list feed-name leaf-list threat-level { type union { type uint32; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Profile matching threat levels, higher number is more severe"; } } // container match container then { description "Profile action and log"; uses apply-advanced; container action { description "Security intelligence profile action"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit action"; } container block { description "Block action"; uses apply-advanced; choice action { container drop { presence "enable drop"; description "Drop packet"; } // container drop container close { junos:must "(!(".. .. .. .. .. 
category DNS"))"; junos:must-message "close action not available on DNS profiles"; presence "enable close"; description "Close session"; uses apply-advanced; container http { description "Http content for block action"; uses apply-advanced; choice http-choice { leaf file { type string; description "File name for http response to client"; } leaf message { type string; description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container http } // container close } // choice action } // container block container recommended { junos:must "(!(".. .. .. .. category DNS"))"; junos:must-message "recommend action not available on DNS profiles"; presence "enable recommended"; description "Recommended action from feed server"; } // container recommended leaf sinkhole { junos:must "(".. .. .. .. category DNS")"; junos:must-message "Sinkhole action requires DNS category profile"; type empty; description "DNS sinkhole for DNS profile"; } } // choice action } // container action container log { presence "enable log"; description "Log security intelligence block action"; } // container log } // container then } // grouping secintel-profile-rule grouping secintel-traceoptions { description "Security intelligence trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } enum "blacklist" { value 1; description "Trace security intelligence Blacklist category"; } enum "cc" { value 2; description "Trace security intelligence CC category"; } enum "infected-hosts" { value 3; description "Trace security intelligence Infected-Hosts category"; } enum "control" { value 4; description "Trace control plane"; } enum "feed" { value 5; description "Trace feed operation"; } enum "ipc" { value 6; description "Trace ipc module"; } enum "infrastucture" { value 7; description "Trace infrastructure functions"; } enum "jwas" { value 8; description "Trace security intelligence JWAS category"; } enum "plugin" { value 9; description "Trace security intelligence plugin 
services"; } enum "whitelist" { value 10; description "Trace security intelligence Whitelist category"; } enum "secprofiling" { value 11; description "Trace security intelligence Secprofiling category"; } } } } // list flag } // grouping secintel-traceoptions grouping server-connection-type { description "Connection parameters per server"; uses apply-advanced; leaf address { type jt:ipaddr; description "IP address"; } leaf ca-certificate { type string { length "1 .. 256"; } description "Ca-certificate file name"; } leaf client-id { type string { length "1 .. 64"; } description "Client ID for OAuth2 grant"; } leaf client-secret { type string { length "1 .. 128"; } description "Client secret for OAuth2 grant"; } } // grouping server-connection-type grouping service_device_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service device pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service device name"; leaf name { junos:must "(!(any "interfaces <*> aggregated-inline-services-options secondary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; junos:must "(!(any "interfaces <*> aggregated-inline-services-options primary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; type string; } uses apply-advanced; } // list interface } // grouping service_device_pool_object grouping service_interface_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Service interface pool name"; }
  uses apply-advanced;
  list interface {
    key "name"; ordered-by user; description "Service interface name";
    // The referenced interface unit must already exist under [edit interfaces].
    leaf name { junos:must "("interfaces $$")"; junos:must-message "referenced interface must be defined"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } }
    uses apply-advanced;
  } // list interface
} // grouping service_interface_pool_object

// Softwire feature: IPv4-in-IPv6 / 6rd / DS-Lite softwire objects, MAP-E
// domains, softwire rule sets and the feature's trace options.
grouping softwires-object {
  description "Configure softwire feature";
  uses apply-advanced;
  list softwire-name { key "name"; description "Configure softwire object"; uses softwire-option-type; } // list softwire-name
  container softwire-types {
    description "Configure softwire objects";
    uses apply-advanced;
    list v6rd { key "name"; description "Configure v6rd object"; uses softwire-option-type; } // list v6rd
    list ds-lite { key "name"; description "Configure ds-lite object"; uses softwire-option-type; } // list ds-lite
    list map-e { key "name"; ordered-by user; description "Configure Map-e object"; uses map-e-domain; } // list map-e
  } // container softwire-types
  // Only one top-level MAP-E domain is allowed here (max-elements 1); the
  // map-e list under softwire-types above carries no such limit.
  list map-e { key "name"; max-elements 1; ordered-by user; description "Configure a MAP-E domain and domain rules"; uses map-e-domain; } // list map-e
  container traceoptions {
    description "Trace options for Network Security DS-Lite";
    uses apply-advanced;
    leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; }
    container file {
      description "Trace file information";
      // The file name may not contain '/', '%' or a space -- presumably so the
      // trace file cannot be placed outside the platform's trace directory
      // (the directory itself is not visible in this model).
      leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; }
      leaf size { type string; description "Maximum trace file size"; }
      leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; }
      // world-readable grants every local user read access to the trace file;
      // flow-level trace output may carry subscriber addressing, so treat
      // enabling it as a risk decision rather than a convenience.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    list flag {
      key "name"; ordered-by user; description "Tracing parameters";
      leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } }
    } // list flag
  } // container traceoptions
  list rule-set { key "name"; ordered-by user; description "Define a softwire rule set"; uses sw-rule-set-object; } // list rule-set
} // grouping softwires-object

// A MAP-E domain: name, BR address, end-user prefix, BMR/FMR rules, role and
// MAP version.
grouping map-e-domain {
  description "Configure a MAP-E domain";
  leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 11"; } description "MAP-E domain name"; }
  uses apply-advanced;
  leaf confidentiality { type empty; description "Configure JUNOS MAP-E confidentiality"; }
  // NOTE(review): br-address is typed jt:unreadable although its description
  // says it is an IPv6 address; the type is kept as generated from the device.
  leaf br-address { type jt:unreadable; description "Ipv6 address of BR"; }
  container end-user-prefix {
    description "Configure end-user-prefix value or source interface for obtaining end-user-prefix";
    uses apply-advanced;
    leaf prefix-value { junos:must "(!(".. 
auto"))"; junos:must-message "Explicit end-user-prefix is not allowed when auto is configured"; type jt:ipv6prefix; description "End user prefix"; }
  } // container end-user-prefix
  // NOTE(review): the must-statement on prefix-value above refers to a sibling
  // `auto` leaf that is not visible inside end-user-prefix in this module;
  // it is presumably contributed elsewhere -- verify against the full model.
  list rule { key "name"; max-elements 101; ordered-by user; description "Configure a BMR or FMR rule for map-e "; uses map-e-rule; } // list rule
  leaf role { type enumeration { enum "CE" { value 0; description "CE deployment"; } } description "Define a role of the MAP-E"; }
  leaf version { type enumeration { enum "3" { value 0; description "Version 3: draft-ietf-softwire-map-03"; } } description "Define version of the MAP-E"; }
} // grouping map-e-domain

// A single BMR or FMR rule inside a MAP-E domain.
grouping map-e-rule {
  description "Configure a MAP-E rule";
  leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 11"; } description "MAP-E rule name"; }
  uses apply-advanced;
  leaf rule-type { type enumeration { enum "BMR" { value 0; description "Define BMR rule type"; } enum "FMR" { value 1; description "Define FMR rule type"; } } description "Define a rule type of MAP-E"; }
  // NOTE(review): ipv4-prefix, ipv6-prefix and psid-offset are typed
  // jt:unreadable here, whereas softwire-option-type below uses jt:ipv4prefix /
  // jt:ipv6prefix for its prefixes. Kept as generated from the device model.
  leaf ipv4-prefix { type jt:unreadable; description "Ipv4 prefix"; }
  leaf ipv6-prefix { type jt:unreadable; description "Ipv6 prefix"; }
  leaf ea-bits-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 48"; } } description "EA bits length"; }
  leaf psid-offset { type jt:unreadable; description "PSID offset"; }
  leaf psid-len { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16"; } } description "PSID length"; }
  // 1280 is the IPv6 minimum link MTU, hence the lower bound of the range.
  leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 
9192"; } } default "9192"; description "MTU for the softwire tunnel"; }
  leaf v4-reassembly { type empty; description "MAP-E IPv4 reassembly support"; }
  leaf v6-reassembly { type empty; description "MAP-E IPv6 reassembly support"; }
  leaf disable-auto-route { type empty; description "MAP-E Disable Auto Route"; }
} // grouping map-e-rule

// Common options for one softwire object (used by the softwire-name, v6rd and
// ds-lite lists in softwires-object above).
grouping softwire-option-type {
  description "Configure softwire object";
  leaf name { type string { length "1 .. 23"; } description "DS-Lite/Softwire object name"; }
  uses apply-advanced;
  leaf softwire-concentrator { type jt:ipaddr; description "Concentrator address"; }
  leaf softwire-type { type enumeration { enum "IPv4-in-IPv6" { value 0; description "Ipv4-in-IPv6"; } enum "v6rd" { value 1; description "V6rd"; } } default "IPv4-in-IPv6"; description "Softwire-type"; }
  leaf ipv4-prefix { type jt:ipv4prefix; description "6rd customer edge IPV4 prefix"; }
  leaf v6rd-prefix { type jt:ipv6prefix; description "6rd domain's IPV6 prefix"; }
  leaf mtu-v4 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "576 .. 9192"; } } description "MTU for the softwire tunnel"; }
  leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 9192"; } } description "MTU for the softwire tunnel"; }
  leaf auto-update-mtu { type empty; description "Auto update MTU from received ICMPv6 messages"; }
  leaf copy-dscp { type empty; description "Copy DSCP (type of service) from IPv6 to IPv4 header"; }
  // flow-limit and session-limit-per-prefix are mutually exclusive (see the
  // must-statement on session-limit-per-prefix) and both default to 0 --
  // presumably "no limit"; confirm, since these caps bound per-softwire state.
  leaf flow-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16384"; } } default "0"; description "Max Number of IPv4 flows per Softwire"; }
  leaf session-limit-per-prefix { junos:must "(!(".. flow-limit"))"; junos:must-message "Cannot configure both flow-limit and session-limit-per-prefix in same softwire-concentrator"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
16384"; } } default "0"; description "Max number of sessions allowed per Softwire prefix"; }
} // grouping softwire-option-type

// Services redundancy (SRD) redundancy-set: the peer redundancy-group, the
// redundancy policies applied, and the hello / hold / healthcheck timers.
grouping srd-rs-id-object {
  description "Definition of redundancy-set";
  leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Redundancy set identifier"; }
  uses apply-advanced;
  leaf redundancy-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } description "Name of redundancy-group"; }
  leaf-list redundancy-policy { type string; description "Redundancy-policy list"; }
  leaf keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "seconds"; default "10"; description "Frequency of SRD hello messages"; }
  // NOTE(review): hold-time admits 0 and is not constrained to exceed
  // keepalive, so the schema accepts a hold-time below the hello interval;
  // any such guard would have to live on the device.
  leaf hold-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } units "seconds"; default "30"; description "Time before SRD peer is declared down"; }
  leaf healthcheck-timer-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "5"; description "Healthcheck timer interval"; }
} // grouping srd-rs-id-object

// SRD trace options: the same file / world-readable layout as the other
// traceoptions containers in this module, plus a level and per-area flags.
grouping srd-traceoptions-object {
  uses apply-advanced;
  leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; }
  container file {
    description "Trace file information";
    leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; }
    leaf size { type string; description "Maximum trace file size"; }
    leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; }
    // world-readable grants every local user read access to the trace file.
    choice world-readable-choice {
      leaf world-readable { type empty; description "Allow any user to read the log file"; }
      leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
    } // choice world-readable-choice
    leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
  } // container file
  leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; }
  list flag {
    key "name"; ordered-by user; description "Tracing flag parameters";
    // "swithover" (sic) is the enum keyword as generated from the device and is
    // presumably the on-box CLI spelling, so it is not corrected here.
    leaf name { type enumeration { enum "config" { value 0; description "Trace parse events"; } enum "connect" { value 1; description "Trace ipc events"; } enum "route" { value 2; description "Trace route events"; } enum "ssd" { value 3; description "Trace SDK Service events"; } enum "snmp" { value 4; description "Trace snmp events"; } enum "system" { value 5; description "Trace services redundancy system events"; } enum "opcmd" { value 6; description "Trace operational command events"; } enum "state-machine" { value 7; description "Trace finite-state-machine events"; } enum "kcom" { value 8; description "Trace KCOM events"; } enum "database" { value 9; description "Trace database events"; } enum "swithover" { value 10; description "Trace switchover events"; } enum "stateful-sync" { value 11; description "Trace stateful-sync related events"; } enum "redundancy-group" { value 12; description "Trace redundancy-group related events"; } enum "all" { value 13; 
description "Trace everything"; }
    } }
  } // list flag
} // grouping srd-traceoptions-object

// SSL initiation (client-side TLS) profiles: accepted protocol versions,
// cipher selection, trusted CA profiles, the local client certificate, and
// the actions taken on server-authentication and CRL failures. The
// protocol-version / preferred-ciphers / custom-ciphers trio is repeated
// verbatim in ssl-proxy-config below; a shared grouping would keep the two
// lists from drifting apart.
grouping ssl-initiation-config {
  uses apply-advanced;
  list profile {
    key "name"; ordered-by user; description "SSL client profile";
    leaf name { type string { length "1 .. 63"; } description "Profile identifier"; }
    uses apply-advanced;
    leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; }
    // NOTE(review): ssl3 (prohibited by RFC 7568) and tls1 / tls11 (deprecated
    // by RFC 8996) remain selectable, presumably for interoperability; the
    // default "all" is described as TLS 1.0 through 1.3.
    leaf protocol-version { type enumeration {
      enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
      enum "ssl3" { value 1; description "SSL version 3"; }
      enum "tls1" { value 2; description "TLS version 1"; }
      enum "tls11" { value 3; description "TLS version 1.1"; }
      enum "tls12" { value 4; description "TLS version 1.2"; }
      enum "tls13" { value 5; description "TLS version 1.3"; }
      enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
    } default "all"; description "Protocol SSL version accepted"; }
    // "custom" requires a custom-ciphers list (must below); the default is
    // "medium" (128-bit keys or stronger).
    leaf preferred-ciphers { type enumeration {
      enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
      enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
      enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
      enum "custom" { junos:must "(".. custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; }
    } default "medium"; description "Select preferred ciphers"; }
    // Ordered custom cipher list (at most 64 entries). The per-suite
    // must-statements only bite when preferred-ciphers is "custom": tls12-*
    // suites are rejected when protocol-version is tls13, and the plain
    // rsa-with-aes-*-cbc-sha suites (values 29-30) when it is ssl3. No must
    // ties the tls13-with-* suites (20-24) to a protocol-version that includes
    // TLS 1.3 -- presumably enforced at runtime. Values 25-27 and 31-35 (rc4,
    // single DES, export-grade 40/56-bit keys, md5) are legacy suites with
    // well-known weaknesses and are listed for compatibility only.
    leaf-list custom-ciphers { type enumeration {
      enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; }
      enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; }
      enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; }
      enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; }
      enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; }
      enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; }
      enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
      enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
      enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
      enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
      enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
      enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
      enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
      enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
      enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; }
      enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; }
      enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; }
      enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; }
      enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; }
      // NOTE(review): the must-message below reads "<= tls12 and to use ..."; the
      // stray "and" is a wording slip in the device-generated string, left as-is.
      enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; }
      enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
      enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
      enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
      enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
      enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
      enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
      enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; }
      enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; }
      enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
      enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
      enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
      enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
      enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
      enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
      enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
      enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
      enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
      enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
      enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
      enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
      enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
      enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
      enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; 
description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; }
      enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; }
      enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; }
      enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; }
      enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; }
      enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; }
      enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; }
      enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; }
      enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; }
      enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; }
      enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; }
      enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; }
      enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; }
    } max-elements 64; ordered-by user; description "Custom cipher list"; }
    leaf enable-session-cache { type empty; description "Enable SSL session cache"; }
    // Up to 1024 CA profiles; the profile contents themselves live elsewhere.
    leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; }
    leaf client-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; }
    container actions {
      description "Traffic related actions";
      uses apply-advanced;
      // NOTE(review): per its description this continues despite a server
      // authentication failure, i.e. the peer is effectively unauthenticated
      // for this profile; treat enabling it as a deliberate risk decision.
      leaf ignore-server-auth-failure { type empty; description "Ignore server authentication failure"; }
      container 
crl {
        description "Certificate Revocation actions.";
        // `disable` turns CRL validation off entirely; `if-not-present` defaults
        // to "allow", so a session with no CRL information fails open unless
        // "drop" is configured.
        leaf disable { type empty; description "Disable CRL validation."; }
        leaf if-not-present { type enumeration { enum "allow" { value 0; description "Allow session if CRL information is not present."; } enum "drop" { value 1; description "Drop session if CRL information is not present."; } } default "allow"; description "Action if CRL information is not present."; }
        leaf ignore-hold-instruction-code { type empty; description "Ignore 'Hold Instruction Code' present in the CRL entry."; }
      } // container crl
      // Default is "drop"; "software-inspection" lets a session proceed in
      // software when the negotiated cipher is not supported by the hardware path.
      leaf unsupported-cipher-on-hw { type enumeration { enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; } enum "software-inspection" { value 1; description "Allow session in software mode"; } } default "drop"; description "Unsupported cipher processing on hardware mode"; }
    } // container actions
  } // list profile
} // grouping ssl-initiation-config

// SSL proxy configuration: global cache / profile-selection settings followed
// by per-profile proxy settings.
grouping ssl-proxy-config {
  uses apply-advanced;
  container global-config {
    description "Global proxy configuration";
    uses apply-advanced;
    leaf session-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 86400"; } } units "seconds"; description "Session cache timeout"; }
    leaf disable-cert-cache { type empty; description "Disable proxy mode certificate cache"; }
    leaf certificate-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 3600"; } } units "seconds"; description "Certificate cache timeout"; }
    leaf invalidate-cache-on-crl-update { type empty; description "Invalidate certificate cache on crl update"; }
    leaf cache-usage-enforcement-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Percentage of total cache size after which per lsys limits will be enforced"; }
    leaf disable-deferred-profile-selection { junos:must "(!(".. 
enable-proxy-on-pre-id-policy-match"))"; junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-pre-id-policy-match is enabled"; junos:must "(!(".. enable-proxy-on-default-fw-policy-match"))"; junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-default-fw-policy-match is enabled"; type empty; description "Disable the deferred profile selection mechanism"; } } // container global-config list profile { key "name"; ordered-by user; description "SSL Proxy profile"; leaf name { type string { length "1 .. 63"; } description "Profile identifier"; } uses apply-advanced; leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; } leaf protocol-version { type enumeration { enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; } enum "ssl3" { value 1; description "SSL version 3"; } enum "tls1" { value 2; description "TLS version 1"; } enum "tls11" { value 3; description "TLS version 1.1"; } enum "tls12" { value 4; description "TLS version 1.2"; } enum "tls13" { value 5; description "TLS version 1.3"; } enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; } } default "all"; description "Protocol SSL version accepted"; } leaf preferred-ciphers { type enumeration { enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; } enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; } enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; } enum "custom" { junos:must "(".. 
custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; } enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; } enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; } enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; } enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; } enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; } enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; } enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; } enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; } enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; } enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; } enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; } enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; } enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum 
"ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; } choice certificate { leaf-list root-ca { type string; max-elements 2; ordered-by user; description "Root certificate for interdicting server certificates in proxy mode"; } leaf-list 
server-certificate {
  // The must constraints below make this mode mutually exclusive with IDP
  // SSL inspection, 'actions crl', 'actions ignore-server-auth-failure' and
  // 'trusted-ca': when the proxy presents a local certificate, the
  // server-side validation knobs of this profile are not applicable.
  junos:must "(!("security idp sensor-configuration ssl-inspection sessions"))";
  junos:must-message "IDP SSL Inspection should not be configured with ssl proxy profile <> server-certificate";
  junos:must "(!(".. actions crl"))";
  junos:must-message "actions crl <> should not be configured with server- certificate";
  junos:must "(!(".. actions ignore-server-auth-failure"))";
  junos:must-message "ignore-server-auth-failure should not be configured with server-certificate";
  junos:must "(!(".. trusted-ca"))";
  junos:must-message "trusted-ca <> should not be configured with server-certificate";
  type string;
  max-elements 1024;
  ordered-by user;
  description "Local certificate identifier";
}
} // choice certificate
// Copies the plaintext of sessions this profile decrypts to a mirror
// interface / destination MAC. NOTE(review): the mirror path carries
// decrypted application data, so the receiving interface and host should be
// treated with the same sensitivity as the original sessions.
container mirror-decrypt-traffic {
  description "Configure mirror interface and Destination MAC address";
  uses apply-advanced;
  leaf interface {
    junos:must "("interfaces $$")";
    junos:must-message "Interface must be defined";
    type union {
      type jt:interface-name;
      type string {
        pattern "<.*>|$.*";
      }
    }
    description "Interface on which SSL decrypted traffic is mirrored";
  }
  leaf destination-mac-address {
    type jt:mac-addr;
    description "Mac address of host/server to which decrypted traffic is mirrored";
  }
  // When set, mirroring happens after security-policy enforcement rather
  // than before it; presumably traffic that policy drops is then never
  // mirrored — confirm.
  leaf only-after-security-policies-enforcement {
    type empty;
    description "Enables decrypted Traffic mirroring after policy enforcement";
  }
} // container mirror-decrypt-traffic
// Exempt list: sessions to these addresses bypass the proxy, and with it
// its decryption and inspection. Each entry is a deliberate inspection gap
// and worth reviewing as such.
leaf-list whitelist {
  type string;
  ordered-by user;
  description "Addresses exempted from SSL Proxy ";
}
// NOTE(review): no description statement here; by analogy with 'whitelist'
// above these are presumably URL categories exempted from the proxy —
// confirm and add a description.
leaf-list whitelist-url-categories {
  type string;
  ordered-by user;
}
container actions {
  description "Logging and traffic related actions";
  uses apply-advanced;
  // With this set the proxy carries on when it cannot validate the server's
  // certificate, so the upstream-identity check this profile otherwise
  // provides is lost for the sessions it matches. (The must constraint on
  // 'server-certificate' above rules this leaf out in that mode.)
  leaf ignore-server-auth-failure {
    type empty;
    description "Ignore server authentication failure";
  }
  // Presence container: logging is enabled only when 'log' itself is
  // configured; the leaves select which events are logged.
  container log {
    presence "enable log";
    description "Logging actions";
    leaf all {
      type empty;
      description "Log all events";
    }
    leaf sessions-dropped {
      type empty;
      description "Log only ssl session drop events";
    }
    leaf 
sessions-allowed {
  type empty;
  description "Log ssl session allow events after an error";
}
leaf sessions-ignored {
  type empty;
  description "Log session ignore events ";
}
leaf sessions-whitelisted {
  type empty;
  description "Log ssl session whitelist events ";
}
leaf errors {
  type empty;
  description "Log all error events ";
}
leaf warning {
  type empty;
  description "Log all warning events ";
}
leaf info {
  type empty;
  description "Log all information events ";
}
} // container log
// Revocation checking of the server certificate for this profile.
container crl {
  description "Certificate Revocation actions.";
  // Switches CRL validation off for the profile altogether.
  leaf disable {
    type empty;
    description "Disable CRL validation.";
  }
  // NOTE(review): the default is "allow", i.e. the check fails open: a
  // session whose CRL information cannot be obtained is admitted unless
  // "drop" is configured explicitly. Worth calling out in profile reviews.
  leaf if-not-present {
    type enumeration {
      enum "allow" {
        value 0;
        description "Allow session if CRL information is not present.";
      }
      enum "drop" {
        value 1;
        description "Drop session if CRL information is not present.";
      }
    }
    default "allow";
    description "Action if CRL information is not present.";
  }
  // Ignores the 'Hold Instruction Code' CRL-entry extension when present;
  // the effect on on-hold certificates is not visible here — confirm before
  // relying on it.
  leaf ignore-hold-instruction-code {
    type empty;
    description "Ignore 'Hold Instruction Code' present in the CRL entry.";
  }
} // container crl
// "secure negotiation" in the allow-secure description means secure
// renegotiation (RFC 5746). The default permits only that form; "allow"
// also admits legacy renegotiation, and "drop" ends the session on any
// renegotiation request.
leaf renegotiation {
  type enumeration {
    enum "allow" {
      value 0;
      description "Allow secure as well as non secure renegotiation";
    }
    enum "allow-secure" {
      value 1;
      description "Allow secure negotiation only (RFC 5746)";
    }
    enum "drop" {
      value 2;
      description "Drop session on renegotiation request";
    }
  }
  default "allow-secure";
  description "Renegotiation options";
}
leaf disable-session-resumption {
  type empty;
  description "Disable session resumption";
}
// Defaults to dropping sessions whose cipher the hardware mode cannot
// process; "software-inspection" keeps them and inspects in software
// instead.
leaf unsupported-cipher-on-hw {
  type enumeration {
    enum "drop" {
      value 0;
      description "Drop session if cipher isn't supported on hardware mode";
    }
    enum "software-inspection" {
      value 1;
      description "Allow session in software mode";
    }
  }
  default "drop";
  description "Unsupported cipher processing on hardware mode";
}
// Platform-specific: permits certificates with keys up to 4K bits on
// standalone SRX300/SRX320.
leaf allow-strong-certificate {
  type empty;
  description "Certificate till 4K key-size processing on standalone SRX300/SRX320 platform";
}
} // container actions
leaf 
disable-deferred-profile-selection { type empty; description "Disable the deferred profile selection mechanism at profile level"; } } // list profile } // grouping ssl-proxy-config grouping ssl-termination-config { uses apply-advanced; list profile { key "name"; ordered-by user; description "SSL server profile"; leaf name { type string { length "1 .. 63"; } description "Profile identifier"; } uses apply-advanced; leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; } leaf protocol-version { type enumeration { enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; } enum "ssl3" { value 1; description "SSL version 3"; } enum "tls1" { value 2; description "TLS version 1"; } enum "tls11" { value 3; description "TLS version 1.1"; } enum "tls12" { value 4; description "TLS version 1.2"; } enum "tls13" { value 5; description "TLS version 1.3"; } enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; } } default "all"; description "Protocol SSL version accepted"; } leaf preferred-ciphers { type enumeration { enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; } enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; } enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; } enum "custom" { junos:must "(".. custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; } enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; } enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; } enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; } enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; } enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; } enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; } enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; } enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; } enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; } enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; } enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; } enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; } enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; 
description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf enable-session-cache { type empty; description "Enable SSL session cache"; } leaf server-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } } // list profile } // grouping ssl-termination-config grouping ssl-traceoptions { uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { 
description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "brief" { value 0; description "Brief debugging output"; } enum "detail" { value 1; description "Detailed debugging output"; } enum "extensive" { value 2; description "Extensive debugging output"; } enum "verbose" { value 3; description "Verbose debugging output"; } } default "brief"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "cli-configuration" { value 0; description "Trace CLI configuration events"; } enum "termination" { value 1; description "Trace termination service events"; } enum "initiation" { value 2; description "Trace initiation service events"; } enum "proxy" { value 3; description "Trace proxy service events"; } enum "selected-profile" { value 4; description "Trace events for profiles with enable-flow-tracing set"; } enum "all" { value 5; description "Trace everything"; } } } } // list flag container packet-filter { description "SSL Packet filter"; uses apply-advanced; leaf source-ip { type jt:ipaddr; description "Source IP address"; } leaf destination-ip { type jt:ipaddr; 
description "Destination IP address"; } leaf source-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Source port"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } } // container packet-filter } // grouping ssl-traceoptions grouping sw-rule-set-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define Rule Set name"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Define a rule term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container then { description "Action to take if the condition is matched"; uses apply-advanced; choice designation { leaf ds-lite { junos:must "("services softwires softwire-types ds-lite $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwires softwire-types ds-lite'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply DS-Lite softwire"; } leaf v6rd { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Apply 6rd softwire"; } leaf map-e { junos:must "("services softwires softwire-types map-e $$")"; junos:must-message "Undefined softwire concentrator for map-e"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply MAP-E softwire"; } } // choice designation } // container then } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // grouping sw-rule-set-object grouping tunnel_interface_type { description "One or more tunnel interfaces on which to configure flow-tap service"; leaf name { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow-tap is configured"; junos:must "(!("interfaces $$-IFL family inet filter"))"; junos:must-message "Tunnel Interface assigned for Radius-Flow-Tap cannot be configured with firewall filter"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Tunnel Interface name"; } uses apply-advanced; } // grouping tunnel_interface_type grouping twamp-authentication-key-chain { leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of authentication key chain"; } uses apply-advanced; list key-id { key "name"; description "Authentication element configuration"; leaf name { type string { length "1 .. 80"; } description "Authentication element identifier"; } uses apply-advanced; leaf secret { type string { length "1 .. 
256";
}
description "Authentication key";
}
// NOTE(review): the TWAMP 'secret' above is modelled as a plain string
// (length 1..256); nothing in this module marks it as a secret, so check
// how the CLI renders it in configuration output.
} // list key-id
} // grouping twamp-authentication-key-chain
// Settings for looking up user-to-group mappings in an LDAP directory
// (purpose inferred from the grouping name).
grouping user-group-mapping-type {
  uses apply-advanced;
  container ldap {
    description "LDAP";
    uses apply-advanced;
    // Only simple (password) bind is modelled. NOTE(review): a simple bind
    // sends the bind password to the directory in the clear unless the
    // connection is TLS-protected; the sibling 'ssl' leaf is the only
    // transport protection this container offers, so it should accompany a
    // configured 'user password'.
    leaf authentication-algorithm {
      type enumeration {
        enum "simple" {
          value 0;
          description "Simple authentication";
        }
      }
      description "Authentication-algorithm";
    }
    leaf ssl {
      type empty;
      description "SSL";
    }
    // Search base DN.
    leaf base {
      type string {
        length "1 .. 128";
      }
      description "Base distinguished name";
    }
    // Bind identity used towards the directory.
    container user {
      description "User name";
      uses apply-advanced;
      leaf user-name {
        type string {
          junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
          junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots";
          length "1 .. 64";
        }
        description "User name";
      }
      // Bind password, modelled as a plain string of 1..128 characters.
      leaf password {
        type string {
          length "1 .. 128";
        }
        description "Password string";
      }
    } // container user
    // One entry per directory server; no default port is declared here.
    list address {
      key "name";
      ordered-by user;
      description "Address of LDAP server";
      leaf name {
        type jt:ipaddr;
        description "Address";
      }
      uses apply-advanced;
      leaf port {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint16 {
            range "1 .. 65535";
          }
        }
        description "LDAP port";
      }
    } // list address
  } // container ldap
} // grouping user-group-mapping-type
// IPFIX flow-monitoring template definition.
grouping version-ipfix-template {
  description "One or more version-ipfix templates for flow monitoring";
  leaf name {
    type string;
    description "Name of template";
  }
  uses apply-advanced;
  // Range 10..600, default 60; the unit is not stated in this module —
  // presumably seconds, confirm.
  leaf flow-active-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Interval after which active flow is exported";
  }
  // Same range/default/unit caveat as flow-active-timeout.
  leaf flow-inactive-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Period of inactivity that marks a flow inactive";
  }
  // Presence container: configuring it at all is meaningful.
  container nexthop-learning {
    presence "enable nexthop-learning";
    description "Nexthop learning parameter. 
Valid ONLY for INLINE-JFLOW"; uses apply-advanced; choice enable-disable { leaf enable { type empty; description "Enable nexthop learning"; } leaf disable { type empty; description "Disable nexthop learning"; } } // choice enable-disable } // container nexthop-learning container template-refresh-rate { presence "enable template-refresh-rate"; description "Template refresh rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 480000"; } } default "4800"; description "In number of packets"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 600"; } } description "In number of seconds"; } } // container template-refresh-rate container option-refresh-rate { presence "enable option-refresh-rate"; description "Option template refresh rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 480000"; } } default "4800"; description "In number of packets"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 
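600"; } }
      description "In number of seconds";
    }
  } // container option-refresh-rate

  // Tail of 'grouping version-ipfix-template'; its header and the earlier
  // statements of this grouping are above this span.
  choice template-types {
    container ipv4-template {
      presence "enable ipv4-template";
      description "IPv4 template configuration";
      uses apply-advanced;
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv4 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
    } // container ipv4-template
    container ipv6-template {
      presence "enable ipv6-template";
      description "IPv6 template configuration";
      uses apply-advanced;
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv6 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
    } // container ipv6-template
    // Empty cases carry no configurable nodes; they are placeholders left by
    // the model generator and can be ignored by clients.
    case case_3 {
    } // case case_3
    case case_4 {
    } // case case_4
    case case_5 {
    } // case case_5
    case case_6 {
    } // case case_6
  } // choice template-types
} // grouping version-ipfix-template

// Per-template parameters for NetFlow version 9 export.  Every numeric leaf
// in this grouping is a union of a constrained integer and a string matching
// "<.*>|$.*"; presumably the string branch exists for group wildcards and
// variable references in [edit groups] — confirm against the Junos DDL
// convention before relying on it for validation.
grouping version9-template {
  description "One or more version 9 templates for flow monitoring";
  leaf name {
    type string;
    description "Name of template";
  }
  uses apply-advanced;
  leaf flow-active-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Interval after which active flow is exported";
  }
  leaf flow-inactive-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Period of inactivity that marks a flow inactive";
  }
  // Template ids below 1024 are not accepted by this model; no default is
  // given, so the id must be configured explicitly.
  leaf template-id {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "1024 .. 65535";
      }
    }
    description "Template id";
  }
  container nexthop-learning {
    description "Nexthop learning parameter. Valid ONLY for INLINE-JFLOW";
    uses apply-advanced;
    choice enable-disable {
      leaf enable {
        type empty;
        description "Enable nexthop learning";
      }
      leaf disable {
        type empty;
        description "Disable nexthop learning";
      }
    } // choice enable-disable
  } // container nexthop-learning
  // Both refresh-rate containers are presence containers: the "4800" packet
  // default only applies once the container itself is configured.
  container template-refresh-rate {
    presence "enable template-refresh-rate";
    description "Template refresh rate";
    uses apply-advanced;
    leaf packets {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 480000";
        }
      }
      default "4800";
      description "In number of packets";
    }
    leaf seconds {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "10 .. 600";
        }
      }
      description "In number of seconds";
    }
  } // container template-refresh-rate
  container option-refresh-rate {
    presence "enable option-refresh-rate";
    description "Option template refresh rate";
    uses apply-advanced;
    leaf packets {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 480000";
        }
      }
      default "4800";
      description "In number of packets";
    }
    leaf seconds {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "10 .. 600";
        }
      }
      description "In number of seconds";
    }
  } // container option-refresh-rate
  choice template-types {
    case case_1 {
    } // case case_1
    case case_2 {
    } // case case_2
    container ipv6-template {
      presence "enable ipv6-template";
      description "IPv6 template configuration";
      uses apply-advanced;
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv6 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              // Corrected: the description was a copy of the app-id text
              // ("Applicationid field type"); it now matches the IPFIX
              // template's flow-dir entry above.
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
      container nexthop-options {
        presence "enable nexthop-options";
        description "Additional information retrieved from nexthop";
        uses apply-advanced;
        choice nexthop-types {
          container mpls {
            presence "enable mpls";
            description "MPLS information retrieved from nexthop";
            uses apply-advanced;
            // At most three positions, each in 1..3 on the numeric branch.
            leaf-list label-position {
              type union {
                type string {
                  pattern "<.*>|$.*";
                }
                type uint8 {
                  range "1 .. 3";
                }
              }
              max-elements 3;
              ordered-by user;
              description "One or more MPLS label positions";
            }
          } // container mpls
        } // choice nexthop-types
      } // container nexthop-options
    } // container ipv6-template
    // No 'uses apply-advanced' here, unlike the sibling template containers.
    container peer-as-billing-template {
      presence "enable peer-as-billing-template";
      description "Peer AS billing template configuration";
    } // container peer-as-billing-template
    container ipv4-template {
      presence "enable ipv4-template";
      description "IPv4 template configuration";
      uses apply-advanced;
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv4 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              // Corrected: was "Applicationid field type" (copy-paste of the
              // app-id entry); matches the IPFIX template's flow-dir entry.
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
    } // container ipv4-template
    case case_6 {
    } // case case_6
    case case_7 {
    } // case case_7
  } // choice template-types
} // grouping version9-template

// Web secure proxy profiles: named profiles, each holding a list of proxy
// server addresses plus the dynamic applications they apply to.
grouping web-config {
  uses apply-advanced;
  list profile {
    key "name";
    ordered-by user;
    description "Configure web secure proxy profile";
    leaf name {
      type string {
        length "1 .. 63";
      }
      description "Web secure proxy profile name";
    }
    uses apply-advanced;
    list proxy-address {
      key "name";
      ordered-by user;
      description "Proxy server addresses";
      leaf name {
        type string {
          length "1 .. 63";
        }
        description "Address name";
      }
      uses apply-advanced;
      // Typed as a prefix (address plus length), per its description, not
      // as a bare host address.
      leaf ip {
        type jt:ipprefix;
        description "IP address and prefix-length";
      }
      // Port 0 is excluded by the range; no default is declared here.
      leaf port {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint16 {
            range "1 .. 65535";
          }
        }
        description "Port number";
      }
    } // list proxy-address
    // NOTE(review): this leaf-list carries no description statement, unlike
    // its sibling dynamic-web-application-group below.
    leaf-list dynamic-web-application {
      type string;
      ordered-by user;
    }
    leaf-list dynamic-web-application-group {
      type string;
      ordered-by user;
      description "Specify dynamic application group name to match";
    }
    leaf drop-on-dns-error {
      type empty;
      description "Drop Web Proxy Session on DNS error";
    }
  } // list profile
} // grouping web-config

// Trace settings for the web proxy: output file, verbosity level and the
// event categories to trace.
grouping web-proxy-traceoptions {
  uses apply-advanced;
  // Only valid once [system tracing] is configured, as the must-message says.
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  container file {
    description "Trace file information";
    // The posix-pattern rejects '/', '%' and space (see pattern-message), so
    // the configured name cannot carry a directory component.
    leaf filename {
      type string {
        junos:posix-pattern "![/ %]";
        junos:pattern-message "Must not contain '/', % or a space";
        length "1 .. 1024";
      }
      description "Name of file in which to write trace information";
    }
    // Free-form string; the accepted size syntax is not constrained here.
    leaf size {
      type string;
      description "Maximum trace file size";
    }
    leaf files {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "2 .. 1000";
        }
      }
      default "3";
      description "Maximum number of trace files";
    }
    // 'world-readable' exposes the trace output to every local user; with
    // the "all" flag and "verbose" level that output includes flow-session
    // events.  Neither leaf has a default in this model, so the permission
    // applied when nothing is configured is not expressed here.
    choice world-readable-choice {
      leaf world-readable {
        type empty;
        description "Allow any user to read the log file";
      }
      leaf no-world-readable {
        type empty;
        description "Don't allow any user to read the log file";
      }
    } // choice world-readable-choice
    leaf match {
      type jt:regular-expression;
      description "Regular expression for lines to be logged";
    }
  } // container file
  // Defaults to the least verbose setting.
  leaf level {
    type enumeration {
      enum "brief" {
        value 0;
        description "Brief debugging output";
      }
      enum "detail" {
        value 1;
        description "Detailed debugging output";
      }
      enum "extensive" {
        value 2;
        description "Extensive debugging output";
      }
      enum "verbose" {
        value 3;
        description "Verbose debugging output";
      }
    }
    default "brief";
    description "Level of debugging output";
  }
  list flag {
    key "name";
    ordered-by user;
    description "Tracing parameters";
    leaf name {
      type enumeration {
        enum "cli-configuration" {
          value 0;
          description "Trace CLI configuration events";
        }
        enum "ipc" {
          value 1;
          description "Trace Inter-process communication events";
        }
        enum "svc-config" {
          value 2;
          description "Trace service configuration events in DataPath";
        }
        enum "flow-session" {
          value 3;
          description "Trace flow-session events";
        }
        enum "all" {
          value 4;
          description "Trace everything";
        }
      }
    }
  } // list flag
} // grouping web-proxy-traceoptions
} // module junos-es-conf-services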