Junos services configuration module
Version: 2019-01-01
module junos-nfx-conf-services { yang-version 1; namespace "http://yang.juniper.net/junos-nfx/conf/services"; prefix jc-services; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-nfx-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos services configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses services-group; } augment /jc:configuration/jc:groups { uses services-group; } grouping services-group { container services { description "System services"; uses apply-advanced; container jinsightd { presence "enable jinsightd"; description "Health Monitoring services"; uses apply-advanced; container traceoptions { description "Jinsight trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace all events"; } enum "rule-engine" { value 1; description "Log configuration rule engine"; } enum "core" { value 2; description "Trace core message events"; } enum "database" { value 3; description "Trace database events"; } enum "timer" { value 4; description "Trace timer events"; } } } } // list flag } // container traceoptions container subscribe { presence "enable subscribe"; description "Subscription"; uses apply-advanced; leaf health-monitor { type empty; description "Health-monitor parameters"; } } // container subscribe } // container jinsightd container fixed-wireless-access { description "Configuration for fixed wireless access service"; uses apply-advanced; list control-plane { key "name"; max-elements 16; ordered-by user; description "S11 configuration"; leaf name { type string { length "1 .. 
63"; } description "S11 connection name"; } uses apply-advanced; container s11 { description "S11 IP address"; uses apply-advanced; leaf v4-address { type jt:ipv4addr; description "IPv4 address configured on interface"; } leaf path-management { type enumeration { enum "enable" { value 0; description "Enable parameter"; } enum "disable" { value 1; description "Disable parameter"; } } default "enable"; description "Enable/disable path management"; } } // container s11 } // list control-plane list apn { key "name"; ordered-by user; description "Configure access point names for fixed wireless connections"; leaf name { type string { junos:posix-pattern "^[.0-9A-Za-z-]{1,100}$"; junos:pattern-message "Must be a string of 100 or fewer characters and may contain letters, numbers, decimals and dashes."; } description "Access point name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^.{1,80}$"; junos:pattern-message "Must be 80 characters or less"; } description "Text description of APN"; } leaf apn-data-type { type enumeration { enum "ipv4" { value 0; description "IPv4 Data type"; } } default "ipv4"; description "Specify APN data type"; } leaf aaa-profile { junos:must "("access profile $$")"; junos:must-message "referenced access profile name must be defined"; type string { length "1 .. 80"; } description "Specify AAA profile for Authorization and Accounting"; } leaf dynamic-profile { junos:must "("dynamic-profiles $$")"; junos:must-message "Referenced dynamic profile must be defined"; type string { length "1 .. 80"; } description "Dynamic profile for the apn"; } leaf ipv4-address-pool { type string { length "1 .. 
80"; } description "IPv4 address pool for the apn"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type union { type string { pattern "default"; } type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } } description "Routing instance used for redirect"; } container authentication { description "FWA tunnel authentication"; uses fwa-authentication-type; } // container authentication } // list apn list data-plane { key "name"; max-elements 1; ordered-by user; description "S1-U configuration"; leaf name { type string { length "1 .. 63"; } description "S1-U connection name"; } uses apply-advanced; container s1-u { description "S1-U IP address"; uses apply-advanced; leaf v4-address { type jt:ipv4addr; description "IPv4 address configured on interface"; } } // container s1-u } // list data-plane leaf-list anchor-point { type string { length "1 .. 
64"; } ordered-by user; description "Interface used for GTP-U tunnel termination"; } container traceoptions { description "Fixed wirelss access service trace options"; uses bbefwa-trace-options-type; } // container traceoptions } // container fixed-wireless-access container captive-portal-content-delivery { description "Configuration for captive portal and content delivery service"; uses apply-advanced; leaf auto-deactivate { type string; description "Deactivate content delivery service"; } list rule { key "name"; ordered-by user; description "Define a captive portal content delivery rule"; uses cpcd-rule-object-type; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of captive portal content delivery rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services captive-portal-content-delivery rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set list profile { key "name"; ordered-by user; description "One or more rule/rule set in the profile"; leaf name { type string { length "1 .. 
63"; } description "Profile name"; } uses apply-advanced; choice cpcd_rules_choice { leaf dynamic { type empty; description "Dynamic profile flag"; } list cpcd-rules { key "name"; ordered-by user; description "List of captive portal content delivery rules"; leaf name { junos:must "("services captive-portal-content-delivery rule $$")"; junos:must-message "referenced cpcd rules must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list cpcd-rules list cpcd-rule-sets { key "name"; ordered-by user; description "List of captive portal content delivery rule sets"; leaf name { junos:must "("services captive-portal-content-delivery rule-set $$")"; junos:must-message "referenced cpcd rule sets must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list cpcd-rule-sets } // choice cpcd_rules_choice container ipda-rewrite-options { description "Ipda rewrite options"; uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Default ipda rewrite IP address"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Default ipda rewrite port"; } } // container ipda-rewrite-options container http-redirect-options { description "Http redirect options"; uses apply-advanced; leaf url { type string { junos:posix-pattern "^((http)|(https)):"; junos:pattern-message "URL must start with http or https"; } description "URL of the captive portal file"; } } // container http-redirect-options leaf auto-deactivate { junos:must "(!(".. 
dynamic"))"; junos:must-message "auto-deactivate is not applicable for dynamic profile"; type enumeration { enum "never" { value 0; description "Deactivate never"; } enum "initial-get" { value 1; description "Deactivate on initial http-get"; } } description "Deactivate content delivery service"; } } // list profile container traceoptions { description "Captive portal and content delivery trace options"; uses cpcd-trace-options-type; } // container traceoptions } // container captive-portal-content-delivery container dynamic-flow-capture { description "Configure Dynamic Flow Capture parameters"; uses apply-advanced; leaf g-max-duplicates { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 64"; } } default "3"; description "Maximum content destinations for the capture group"; } leaf g-duplicates-dropped-periodicity { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } default "30"; description "Periodicity of DuplicatesDropped notification in secs"; } list capture-group { key "name"; max-elements 16; ordered-by user; description "Configure DFC group parameters"; uses dfc_group_type; } // list capture-group container traceoptions { presence "enable traceoptions"; description "Trace options for dynamic-flow-capture service"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file } // container traceoptions } // container dynamic-flow-capture container flow-tap { description "Configure flow-tap parameters"; uses apply-advanced; container family { description "Address family of packets to tap"; uses apply-advanced; leaf inet { type empty; description "IPv4 family"; } leaf inet6 { type empty; description "IPv4 family"; } leaf ccc { type empty; description "CCC family"; } } // container family leaf interface { junos:must "(!("services flow-tap tunnel-interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Service interface on which to configure flow-tap service"; } leaf tunnel-interface { junos:must "(!("services flow-tap interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet6")"; junos:must-message "Interface with family inet6 must be defined in the [edit interfaces] hierarchy"; junos:must "("interfaces $$-IFL 
family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Tunnel interface through which flow-tap would communicate with MD"; } } // container flow-tap container radius-flow-tap { description "Configure radius triggered flow-tap parameters"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to intercepted packets"; } leaf source-ipv4-address { type jt:ipv4addr; description "IP Address to use as source address in IPv4 header appended to intercepted packets"; } leaf multicast-interception { type empty; description "Enable Multicast Tapping"; } container interfaces { description "Tunnel Interfaces"; uses apply-advanced; list tunnel-interface { key "name"; uses tunnel_interface_type; } // list tunnel-interface } // container interfaces choice ri_or_ls { leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } list logical-system { key "name"; max-elements 1; ordered-by user; description "Logical system to be used for radius flow tap"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Referenced logical system must be defined"; type string; description "Logical system name"; } uses apply-advanced; leaf routing-instance { junos:must "("logical-systems ${logical-system} routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } } // list logical-system } // choice ri_or_ls list policy { key "name"; ordered-by user; description "Policy"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; 
junos:pattern-message "Must be string of 64 characters or less"; } description "Policy Name"; } uses apply-advanced; container inet { description "Protocol family IPv4 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv4 drop policy"; uses drop-policy-term; } // list drop-policy } // container inet container inet6 { description "Protocol family IPv6 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv6 drop policy"; uses drop-policy6-term; } // list drop-policy } // container inet6 } // list policy container snmp { description "SNMP options for radius flow tap"; uses apply-advanced; list notify-targets { key "name"; ordered-by user; description "Target list for packet mirror SNMP notifications"; leaf name { type jt:ipaddr; description "Target IP address"; } uses apply-advanced; } // list notify-targets } // container snmp } // container radius-flow-tap container mobile-flow-tap { description "Configure mobile triggered flow-tap parameters"; uses apply-advanced; container source-interface { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "mobile flow service and dynamic flow capture service cannot be configured together"; junos:must "(!("services radius-flow-tap"))"; junos:must-message "mobile flow service and radius flow capture service cannot be configured together"; junos:must "(!("services flow-tap"))"; junos:must-message "mobile flow service and flow capture service cannot be configured together"; presence "enable source-interface"; description "Source interface from which IRI packets will be sent"; leaf interface-name { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf ipv4-address { type jt:ipv4addr; description "Source IPv4 address to be used"; } } // container 
source-interface } // container mobile-flow-tap container flow-monitoring { presence "enable flow-monitoring"; description "Configure flow monitoring"; uses apply-advanced; container version9 { description "Version 9 configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version 9 templates"; uses version9-template; } // list template } // container version9 container version-ipfix { description "Version IP-Fix configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version ip-fix templates"; uses version-ipfix-template; } // list template } // container version-ipfix } // container flow-monitoring container jdaf { description "Juniper distributed application framework (JDAF)"; uses apply-advanced; leaf-list routing-instances { type string { length "1 .. 128"; } ordered-by user; description "List of routing-instance name for JDAF clients"; } } // container jdaf container rpm { presence "enable rpm"; description "Real-time performance monitoring"; uses apply-advanced; container traceoptions { description "RMOPD trace options"; uses rmopd-traceoptions; } // container traceoptions container bgp { description "BGP options for real-time performance monitoring"; uses apply-advanced; leaf probe-type { type enumeration { enum "icmp-ping" { value 0; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 1; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 2; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 3; description "Send TCP packets to target"; } enum "udp-ping" { value 4; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 5; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "RPM-BGP probe request type"; } leaf probe-count { type union { type string { 
pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } list logical-system { key "name"; description "Logical systems"; uses bgp-logical-system; } // list logical-system list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // container bgp list probe { key "name"; ordered-by user; description "TCP/UDP/ICMP ping"; leaf name { type string { length "1 .. 
32"; } description "Name of owner"; } uses apply-advanced; leaf delegate-probes { type empty; description "Offload real-time performance monitoring probes to MS-MIC/MS-MPC card"; } list test { key "name"; ordered-by user; description "TCP/UDP/ICMP/ICMP6 ping test"; leaf name { type string { length "1 .. 32"; } description "Name of test"; } uses apply-advanced; container rpm-scale { presence "enable rpm-scale"; description "Configuring real-time performance monitoring scale tests"; uses apply-advanced; leaf tests-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Number of probe-tests generated using scale config"; } choice target-type { container target { junos:must "(!(".. source-inet6"))"; junos:must-message "source-inet6 knob not valid for IPV4 probes"; presence "enable target"; description "Target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of target host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment target address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target container target-inet6 { junos:must "(!(".. source"))"; junos:must-message "source knob not valid for IPV6 probes"; presence "enable target-inet6"; description "IPv6 target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of target host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment target address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target-inet6 } // choice target-type choice source-type { container source { junos:must "(!(".. 
target-inet6"))"; junos:must-message "target-inet6 knob not valid for IPV4 probes"; presence "enable source"; description "Source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment src address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source container source-inet6 { junos:must "(!(".. target"))"; junos:must-message "target knob not valid for IPV6 probes"; presence "enable source-inet6"; description "IPv6 source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment src address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source-inet6 } // choice source-type container destination { presence "enable destination"; description "Name of output interface for probes"; uses apply-advanced; leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Base destination interface for scale test"; } leaf subunit-cnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500000"; } } description "Subunit count for destination interface for scale test"; } } // container destination } // container rpm-scale leaf probe-type { type enumeration { enum "http-get" { value 0; description "Perform HTTP Get request at target URL"; } enum "http-metadata-get" { value 1; description "Perform HTTP Get request of metadata at target URL"; } enum "icmp-ping" { value 2; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 3; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 4; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 5; description "Send TCP packets to target"; } enum "udp-ping" { value 6; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 7; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "Probe request type"; } container target { presence "enable target"; description "Target destination for probe"; choice target-type { leaf address { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type jt:ipv4addr; description "Address of target host"; } leaf inet6-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type jt:ipv6addr; description "Inet6 Address of target host"; } leaf url { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type string; description "Fully formed target URL"; } leaf inet6-url { junos:must "(!(".. .. 
source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type string; description "Fully formed target IPV6 URL"; } } // choice target-type } // container target container inet6-options { presence "enable inet6-options"; description "IPV6 related options"; uses apply-advanced; leaf source-address { type jt:ipv6addr; description "Inet6 Source Address of the probe"; } } // container inet6-options leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf source-address { junos:must "(!(".. target inet6-address"))"; junos:must-message "source-address knob for IPV6 based probes is under inet6-options"; type jt:ipv4addr; description "Source address for probe"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by probes"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1024"; } } default "0"; description "Number of samples used for moving average"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } container thresholds { presence "enable thresholds"; description "Probe and test threshold values. Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds leaf-list traps { type enumeration { enum "probe-failure" { value 0; description "Successive probe loss threshold reached"; } enum "test-failure" { value 1; description "Total probe loss threshold reached"; } enum "test-completion" { value 2; description "Test completed"; } enum "rtt-exceeded" { value 3; description "Exceeded maximum round trip time threshold"; } enum "std-dev-exceeded" { value 4; description "Exceeded round trip time standard deviation threshold"; } enum "jitter-exceeded" { value 5; description "Exceeded jitter in round trip time threshold"; } enum "ingress-time-exceeded" { value 6; description "Exceeded maximum ingress time threshold"; } enum "ingress-std-dev-exceeded" { value 7; description "Exceeded ingress time standard deviation threshold"; } enum "ingress-jitter-exceeded" { value 8; description "Exceeded jitter in ingress time threshold"; } enum "egress-time-exceeded" { value 9; description "Exceeded maximum egress time threshold"; } enum "egress-std-dev-exceeded" { value 10; description "Exceeded egress time standard deviation threshold"; } enum "egress-jitter-exceeded" { value 11; description "Exceeded jitter in egress time threshold"; } } ordered-by user; description "Trap to send if threshold is met or exceeded"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } leaf hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "Hardware timestamping not supported for IPV6 based probes."; junos:must "((!(".. destination-port") || ".. 
destination-port $$={7}"))"; junos:must-message "For UDP pings, only port 7 can be configured for hardware timestamping."; type empty; description "Packet Forwarding Engine updates timestamps"; }
// Presence-only flag for one-way hardware timestamps. The must clause
// rejects it when the parent node has `target inet6-address`.
leaf one-way-hardware-timestamp {
  junos:must "(!(".. target inet6-address"))";
  junos:must-message "One-way hardware timestamping not supported for IPV6 based probes.";
  type empty;
  description "Enable hardware timestamps for one-way measurements";
}
// Next hop for the probe; typed jt:ipv4addr.
leaf next-hop {
  type jt:ipv4addr;
  description "Next-hop to which probe should be sent";
}
} // list test
} // list probe
// Responder side for ICMP/TCP/UDP probes. Only a port (tcp/udp) and an output
// interface are modelled per protocol; nothing in this container restricts
// which peers may probe, so source filtering has to come from elsewhere
// (for example a firewall filter covering these ports).
//
// The string alternative `<.*>|$.*` recurs on the unions below. Presumably it
// admits configuration-group wildcards (<...>) and $-prefixed variables in
// place of a literal value -- confirm against the Junos documentation. Any
// value matching it passes schema validation regardless of the numeric type
// next to it, so external validators should not treat these leaves as
// guaranteed integers or interface names.
container probe-server {
  description "ICMP/TCP/UDP probe server";
  uses apply-advanced;
  container icmp {
    description "ICMP probe server";
    uses apply-advanced;
    leaf destination-interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Name of output interface for probes";
    }
  } // container icmp
  container tcp {
    description "TCP probe server";
    uses apply-advanced;
    // NOTE(review): uint16 carries no range, so the schema accepts 0-65535
    // even though the description says 7 through 65535. Do not rely on this
    // module to reject ports below 7; check the bound in config validation.
    leaf port {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      description "Port number 7 through 65535";
    }
    leaf destination-interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Name of output interface for probes";
    }
  } // container tcp
  container udp {
    description "UDP probe server";
    uses apply-advanced;
    // NOTE(review): same gap as the tcp port above -- the 7..65535 bound is
    // stated only in the description, not as a range on uint16.
    leaf port {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      description "Port number 7 through 65535";
    }
    leaf destination-interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Name of output interface for probes";
    }
  } // container udp
} // container probe-server
// Numeric cap whose uint32 range opens here and is completed on the line
// that follows.
leaf probe-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500"; } } default "100"; description "Maximum number of concurrent probes allowed"; } container rfc2544-benchmarking { presence "enable rfc2544-benchmarking"; description "Rfc2544 benchmarking tests"; uses apply-advanced; container profiles { description "Rfc2544 test profiles"; uses apply-advanced; list test-profile { key "name"; ordered-by user; description "Test-profile definition"; leaf name { junos:must "(".. bandwidth-kbps")"; junos:must-message "bandwidth-kbps has to be configured in a profile"; junos:must "(".. test-type")"; junos:must-message "test-type has to be configured in a profile"; junos:must "(".. packet-size")"; junos:must-message "packet-size has to be configured in a profile"; type string { length "1 .. 32"; } description "Test name"; } uses apply-advanced; leaf test-type { type enumeration { enum "throughput" { value 0; description "Rfc2544 throughput test"; } enum "latency" { value 1; description "Rfc2544 latency test"; } enum "frame-loss" { value 2; description "Rfc2544 frame-loss test"; } enum "back-back-frames" { value 3; description "Rfc2544 back to back frames test"; } } default "throughput"; description "Rfc2544 test type"; } leaf-list packet-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 9216"; } } ordered-by user; description "Size of the test packet"; } leaf bandwidth-kbps { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10000"; description "Theoretical max service bandwidth in kbps"; } leaf step-percent { junos:must "(".. test-type frame-loss")"; junos:must-message "step-percent is valid only for frame-loss test"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } default "10"; description "Step percent for test"; } } // list test-profile } // container profiles container tests { presence "enable tests"; description "Rfc2544 test configuration"; uses apply-advanced; list test-name { key "name"; ordered-by user; description "Test definition"; leaf name { junos:must "(".. mode")"; junos:must-message "mode has to be configured in a test"; type string { length "1 .. 32"; } description "Test name"; } uses apply-advanced; leaf test-profile { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; junos:must "("services rpm rfc2544-benchmarking profiles test-profile $$")"; junos:must-message "test-profile not configured"; type string; description "Name of the test profile"; } leaf source-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "source-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of source host in xx:xx:xx:xx:xx:xx format -Generator MAC"; } leaf destination-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "destination-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of destination host in xx:xx:xx:xx:xx:xx format -Reflector MAC"; } leaf ovlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ovlan-id is not valid for mode ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "ovlan-id valid only for ccc/bridge/vpls family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Outer vlan id"; } leaf ovlan-priority { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-priority is valid only when ovlan-id is configured"; junos:must "(".. 
family bridge")"; junos:must-message "ovlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Outer vlan priority"; } leaf ovlan-cfi { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-cfi is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ovlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Outer vlan CFI bit"; } leaf outer-tag-protocol-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "outer-tag-protocol-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "outer-tag-protocol-id is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "outer-tag-protocol-id is valid only for Bridge family"; type string { junos:posix-pattern "^0x[abcdefABCDEF0123456789]{4}$"; junos:pattern-message "Must be hexadecimal bit pattern of form 0xNNNN"; } default "0x8100"; description "Outer tag protocol id"; } leaf ivlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ivlan-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "ivlan-id is valid only when ovlan-id is configured"; junos:must "((".. family ccc" || ".. family bridge"))"; junos:must-message "ivlan-id valid only for ccc/bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Inner vlan id"; } leaf ivlan-priority { junos:must "(".. ivlan-id")"; junos:must-message "ivlan-priority is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Inner vlan priority"; } leaf ivlan-cfi { junos:must "(".. 
ivlan-id")"; junos:must-message "ivlan-cfi is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Inner vlan CFI bit"; } leaf vlan-id { junos:must "(".. mode ethernet-loopback")"; junos:must-message "vlan-id is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "VLAN identifier"; } leaf vlan-priority { junos:must "(".. vlan-id")"; junos:must-message "vlan-priority is valid only when vlan-id is configured"; junos:must "(".. mode ethernet-loopback")"; junos:must-message "vlan-priority is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "VLAN priority"; } leaf vlan-cfi { junos:must "(".. vlan-id")"; junos:must-message "vlan-cfi is valid only when vlan-id is configured"; junos:must "(".. mode ethernet-loopback")"; junos:must-message "vlan-cfi is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "VLAN CFI bit"; } leaf service-type { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "service-type is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "service-type is valid only for bridge family"; type enumeration { enum "eline" { value 0; description "Eline service"; } enum "elan" { value 1; description "Elan service"; } } description "Service type"; } leaf in-service { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "in-service is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. 
family vpls"))"; junos:must-message "in-service mode is supported only for bridge/vpls family"; type empty; description "Test executed in-service mode"; } leaf ip-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "ip-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "ip-swap is supported only for bridge/vpls family"; type empty; description "Swap IP in the test payload"; } leaf udp-tcp-port-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "udp-tcp-port-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "udp-tcp-port-swap is supported only for bridge/vpls family"; type empty; description "Swap UDP/TCP port in the test payload"; } leaf ignore-test-interface-state { junos:must "(".. family bridge")"; junos:must-message "ignore-test-interface-state is supported only for bridge family"; type empty; description "Ignore interface state to run the test"; } leaf check-test-interface-mtu { junos:must "(".. family bridge")"; junos:must-message "check-test-interface-mtu is supported only for bridge family"; type empty; description "Check interface MTU to run the test"; } leaf disable-signature-check { junos:must "(".. mode reflect")"; junos:must-message "disable-signature-check is valid only in reflector mode"; type empty; description "Signature check disable"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to the frames"; } leaf packet-loss-priority { junos:must "(".. 
family bridge")"; junos:must-message "packet-loss-priority is valid only for bridge family"; type enumeration { enum "low" { value 0; description "Packet loss priority is low"; } enum "high" { value 1; description "Packet loss priority is high"; } enum "medium-high" { value 2; description "Packet loss priority is medium-high"; } } description "Packet loss priority assigned to the frames"; } leaf dscp-code-points { junos:must "(!(".. mode terminate"))"; junos:must-message "'dscp-code-points' cannot be configured in terminate mode"; junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "'dscp-code-points' cannot be configured in ethernet-loopback mode"; junos:must "(!(".. mode reflect"))"; junos:must-message "'dscp-code-points' cannot be configured in reflector mode"; type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf mode { type enumeration { enum "reflect" { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; value 0; description "Reflector end"; } enum "initiate-and-terminate" { junos:must "(".. test-profile")"; junos:must-message "test-profile <profilename> has to be configured in a test when in initiate:and-terminate mode"; value 1; description "Initiate and terminator"; } enum "ethernet-loopback" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured in a test when in ethernet-loopback mode"; junos:must "(".. family bridge")"; junos:must-message "family bridge has to be configured in a test"; value 2; description "Ethernet loopback"; } } description "Test mode"; } leaf reflect-mode { junos:must "((".. mode reflect" || ".. 
mode ethernet-loopback"))"; junos:must-message "reflect-mode is valid only when test mode is reflect or ethernet-loopback"; type enumeration { enum "mac-swap" { value 0; description "Mac swap "; } enum "no-mac-swap" { junos:must "(!(".. service-type elan"))"; junos:must-message "'no-mac-swap' cannot be configured for elan service-type"; value 1; description "No mac-swap"; } enum "mac-rewrite" { junos:must "(".. destination-mac-address")"; junos:must-message "destination-mac-address needs to be configured with mac-rewrite mode"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address needs to be configured with mac-rewrite mode"; junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "'mac-rewrite' cannot be configured for mode ethernet-loopback"; value 2; description "Mac-rewrite"; } } description "Reflect mode"; } leaf family { type enumeration { enum "inet" { junos:must "(".. destination-ipv4-address")"; junos:must-message "destination-ipv4-address has to be configured with inet family"; junos:must "(".. destination-udp-port")"; junos:must-message "destination-udp-port has to be configured with inet family"; value 0; description "Inet family"; } enum "ccc" { junos:must "(".. direction")"; junos:must-message "direction needs to be configured with CCC family"; value 1; description "CCC family "; } enum "bridge" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with bridge family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with bridge family"; value 2; description "Bridge family "; } enum "vpls" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with vpls family"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address has to be configured with vpls family"; junos:must "(".. 
destination-mac-address")"; junos:must-message "destination-mac-address has to be configured with vpls family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with vpls family"; value 3; description "VPLS family "; } } description "Family type"; } leaf reflect-etype { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "reflect-etype valid only with mode reflect or ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "reflect-etype valid only for CCC/Bridge/VPLS family"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Etype to match for reflect mode"; } leaf direction { junos:must "(".. test-interface")"; junos:must-message "direction must be configured along with test-interface"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "direction can be configured only with ccc/bridge/vpls family"; type enumeration { enum "ingress" { value 0; description "Pseudo-wire/Bridge/Vpls Ingress direction"; } enum "egress" { value 1; description "Pseudo-wire/Bridge/Vpls Egress direction"; } } description "Direction of test"; } leaf timestamp-format { type enumeration { enum "microseconds" { value 0; description "Timestamps in microseconds"; } enum "nanoseconds" { value 1; description "Timestamps in nanoseconds"; } } description "Format of timestamp values"; } leaf source-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Source udp port"; } leaf destination-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Destination udp port"; } leaf test-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
5000"; } } default "10"; status deprecated; description "Test duration in minutes"; } leaf test-iterator-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1728000"; } } description "Duration of each iteration in seconds"; } leaf test-finish-wait-duration { junos:must "(".. mode initiate-and-terminate")"; junos:must-message "test-finish-wait-duration is valid only when test mode is initiate-and-terminate"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } default "1"; description "Number of seconds to wait after test completes before stopping the test"; } leaf transmit-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Transmit failure-threshold (default 0.5%)"; } leaf receive-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0"; description "Receive failure-threshold (default 0%)"; } leaf test-iterator-pass-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Test pass-threshold (default 0.5%)"; } leaf halt-on-prefix-down { junos:must "(".. family inet")"; junos:must-message "halt-on-prefix-down is valid only for inet family"; type empty; description "Halt test on prefix down"; } leaf skip-arp-iteration { type empty; description "Skip arp iteration in tests"; } leaf test-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of interface(ifl) for test"; } leaf reflector-port { junos:must "((".. family ccc" || ".. family bridge"))"; junos:must-message "'Reflector-port' needs family bridge/ccc"; junos:must "(".. 
mode reflect")"; junos:must-message "'Reflector-port' can be used only in reflect mode"; type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Front panel port number - ACX5048: [16-53], ACX5096: [64-95, 100-103]"; }
// NOTE(review): the reflector-port leaf closed above is a bare uint32; the
// per-platform port windows appear only in its description, so the schema
// does not enforce them.
// Test endpoint addresses; both are typed jt:ipv4addr.
leaf destination-ipv4-address {
  type jt:ipv4addr;
  description "Destination address for test";
}
leaf source-ipv4-address {
  type jt:ipv4addr;
  description "Source address for test";
}
} // list test-name
} // container tests
} // container rfc2544-benchmarking
// Two-way Active Measurement Protocol settings; the client subtree opens
// below.
container twamp {
  description "Two-way Active Measurement Protocol configuration";
  uses apply-advanced;
  // NOTE(review): the description is the only documentation for this flag.
  // What the implicit firewall permits or blocks is not stated in the
  // module -- confirm the effect before enabling it.
  leaf post-cli-implicit-firewall {
    type empty;
    description "Enable post cli implicit firewall";
  }
  container client {
    description "TWAMP client configuration";
    uses apply-advanced;
    // One entry per named control connection, kept in user order.
    list control-connection {
      key "name";
      ordered-by user;
      description "TWAMP control session configuration";
      // The must clause requires each entry to either set
      // `control-type light` or supply `target-address`.
      leaf name {
        junos:must "((".. control-type light" || ".. target-address"))";
        junos:must-message "managed control-type requires target-address";
        type string { length "1 .. 32"; }
        description "Client name";
      }
      uses apply-advanced;
      // `none` is the only mode leaf modelled for the client: this container
      // offers no authenticated or encrypted option, so as far as the schema
      // shows, client-initiated sessions carry no authentication or
      // encryption. Measurements taken across untrusted paths are therefore
      // not integrity-protected by TWAMP itself.
      container authentication-mode {
        description "Authentication modes";
        uses apply-advanced;
        leaf none {
          type empty;
          description "No authentication or encryption";
        }
      } // container authentication-mode
      leaf destination-interface {
        type union {
          type jt:interface-name;
          type string { pattern "<.*>|$.*"; }
        }
        description "Name of output interface for all test sessions";
      }
      leaf persistent-results {
        type empty;
        description "Displays the old results along with present. Default disable";
      }
      // light   = no control connection manages the test sessions
      // managed = a control connection negotiates them (schema default)
      leaf control-type {
        type enumeration {
          enum "light" {
            value 0;
            description "No control connection to manage test sessions";
          }
          enum "managed" {
            value 1;
            description "Control connection will negotiate test sessions";
          }
        }
        default "managed";
        description "TWAMP control connection type";
      }
      leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; } leaf tcp-keepintvl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "5"; description "Delay between succesive TCP KEEPALIVEs (default 5)"; } leaf tcp-keepcnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } default "6"; description "Number of TCP KEEPALIVEs sent (default 6)"; } leaf destination-port { junos:must "(!(".. control-type light"))"; junos:must-message "destination-port requires managed control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 65535"; } } default "862"; description "TCP TWAMP client listening port for the test sessions. Default 862"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 500"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by the test sessions"; } leaf target-address { junos:must "(!(".. control-type light"))"; junos:must-message "target-address only valid for managed control-type"; type jt:ipv4addr; description "Destination IPv4 address of TWAMP responder"; } leaf test-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
4294967290"; } } default "0"; description "Total number of test session iterations"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between test session iterations"; } container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf test-iteration-done { type empty; description "All test sessions configured under the control connection have completed an iteration"; } leaf control-connection-closed { type empty; description "Control connection closed"; } } // container traps list test-session { key "name"; ordered-by user; description "Test session details"; leaf name { type string { length "1 .. 32"; } description "Test session name"; } uses apply-advanced; leaf target-address { type jt:ipaddr; description "Destination IPv4 or IPv6 address of TWAMP responder"; } leaf destination-port { junos:must "(".. .. control-type light")"; junos:must-message "destination-port requires light control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 65535"; } } default "862"; description "Target port number for test"; } leaf data-fill-with-zeros { type empty; description "Fill contents of test packet with zeros"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 1400"; } } default "60"; description "Size of the data portion of the probes"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias used for TCP control and UDP TWAMP test packets"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967290"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between two consecutive probes"; } container thresholds { presence "enable thresholds"; description "TWAMP test threshold values. Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967290"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf max-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; status deprecated; description "Maximum round trip time per test"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf probe-failure { type empty; description "Successive probe loss threshold reached"; } leaf test-failure { type empty; description "Total probe loss threshold reached"; } leaf test-completion { type empty; description "Test completed"; } leaf rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold"; } leaf max-rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold at the end of per test"; } leaf std-dev-exceeded { type empty; description "Exceeded round trip time standard deviation threshold"; } leaf jitter-exceeded { type empty; description "Exceeded jitter in round trip time threshold"; } leaf ingress-time-exceeded { type empty; description "Exceeded maximum ingress time threshold"; } leaf ingress-std-dev-exceeded { type empty; description "Exceeded ingress time standard deviation threshold"; } leaf ingress-jitter-exceeded { type empty; description "Exceeded jitter in ingress time threshold"; } leaf egress-time-exceeded { type empty; description "Exceeded maximum egress time threshold"; } leaf egress-std-dev-exceeded { type empty; description "Exceeded egress time standard deviation threshold"; } leaf egress-jitter-exceeded { type empty; description "Exceeded jitter in egress time threshold"; } } // container traps } // list test-session } // list control-connection } // container client container server { description "TWAMP server configuration"; uses apply-advanced; leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; }
// Remaining TCP keepalive tuning for the TWAMP server: interval between
// keepalives (1..600 s, default 5) and number sent (1..50, default 6).
// NOTE(review): "succesive" in the description below is a typo for
// "successive"; the string is left exactly as published.
leaf tcp-keepintvl {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 600"; }
  }
  units "seconds";
  default "5";
  description "Delay between succesive TCP KEEPALIVEs (default 5)";
}
leaf tcp-keepcnt {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 50"; }
  }
  default "6";
  description "Number of TCP KEEPALIVEs sent (default 6)";
}
// Routing instances the server may use, each with an optional port.
// NOTE(review): the description caps the list at 100 entries, but no
// max-elements statement enforces that here.
list routing-instance-list {
  key "name";
  ordered-by user;
  description "List of allowed routing instances,not more than 100, along with ports";
  // The must clause requires the name to match a routing instance defined at
  // top level or under any tenant. The posix-pattern starts with `!`,
  // presumably negating the match (consistent with its pattern-message):
  // reserved __x__ names, "all", names containing a space, the empty string
  // and names of 129+ characters are refused.
  leaf name {
    junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))";
    junos:must-message "referenced routing-instance must be defined";
    type string {
      junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
      junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
    }
    description "Name of the routing instance";
  }
  uses apply-advanced;
  // No default is declared for the per-instance port.
  leaf port {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 65535"; }
    }
    description "Port to be used by the routing instance";
  }
} // list routing-instance-list
// Server-side TWAMP security mode. `none`, `authenticated` and `encrypted`
// are plain siblings rather than cases of a `choice`, so YANG validation
// alone does not stop several being configured together; any exclusivity
// must be enforced outside this statement list.
// `none` means no authentication or encryption (per its description). Where
// it is used, limit who can reach the server with the client-list allowlist
// and network filtering.
container authentication-mode {
  description "Authentication modes";
  uses apply-advanced;
  leaf none {
    type empty;
    description "No authentication or encryption";
  }
  container authenticated {
    presence "enable authenticated";
    description "Authenticated mode";
    // Deprecated: restricts authentication to the control protocol.
    leaf control-only {
      type empty;
      status deprecated;
      description "Authentication mode only for TWAMP control protocol";
    }
  } // container authenticated
  container encrypted {
    presence "enable encrypted";
    description "Encrypted mode";
    leaf control-only { junos:must "(!(".. .. 
encrypted-control-only"))"; junos:must-message "'encrypted control-only' and 'control-only-encrypted' cannot be configured simultaneously"; type empty; status deprecated; description "Encryption mode only for TWAMP control protocol"; }
// NOTE(review): the must on the deprecated control-only leaf closed above
// names `encrypted-control-only`, while its message and the sibling leaf
// below are spelled `control-only-encrypted`. No node called
// encrypted-control-only appears in this part of the module -- confirm the
// constraint actually fires, otherwise both forms can be set together.
} // container encrypted
// Control traffic encrypted, test (data) traffic unauthenticated, per the
// description: test packets get no integrity protection in this mode.
leaf control-only-encrypted {
  type empty;
  description "Encrypted control and unauthenticated data mode";
}
} // container authentication-mode
// Named key chains for the authenticated/encrypted modes. The fields,
// including any key material, come from the twamp-authentication-key-chain
// grouping, which is defined outside this part of the module.
list authentication-key-chain {
  key "name";
  ordered-by user;
  description "Authentication key chain configuration";
  uses twamp-authentication-key-chain;
} // list authentication-key-chain
// Idle timeout for control packets: 0..30 minutes, default 15, 0 disables.
leaf server-inactivity-timeout {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "0 .. 30"; }
  }
  units "minutes";
  default "15";
  description "Control packet idle timeout value in minutes, 0 to disable";
}
// Hard cap on connection lifetime: 0..120 hours. The default of 0 means the
// cap is disabled, so connections are not time-limited unless this is set.
leaf max-connection-duration {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "0 .. 120"; }
  }
  units "hours";
  default "0";
  description "Maximum Connection duration in hours, 0 to disable";
}
// Resource caps for the server. The server-wide limits default to 64; the
// per-connection and per-client limits declare no default, so a single
// client is bounded only by the server-wide values unless they are set.
leaf maximum-sessions {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 2048"; }
  }
  default "64";
  description "Maximum number of test sessions for the server";
}
leaf maximum-sessions-per-connection {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 1024"; }
  }
  description "Maximum number of test sessions per client connection";
}
leaf maximum-connections {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 1000"; }
  }
  default "64";
  description "Maximum number of connections for the server";
}
leaf maximum-connections-per-client {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 500"; }
  }
  description "Maximum number of server connections per client";
}
leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } }
              default "862";
              description "TWAMP server listening port";
            }
            // Named lists of allowed client prefixes (IPv4 only in this schema).
            // NOTE(review): what the server does when no client-list is configured is not
            // visible here - confirm before relying on this list as an access control.
            list client-list {
              key "name";
              ordered-by user;
              description "List of allowed clients";
              leaf name {
                type string { length "1 .. 127"; }
                description "Name of client list";
              }
              uses apply-advanced;
              list address {
                key "name";
                ordered-by user;
                description "IPv4 prefix of TWAMP client";
                leaf name {
                  // A given prefix may be configured under only one client-list.
                  junos:must "(unique "services rpm twamp server client-list <*> address $$")";
                  junos:must-message "Same ipv4 address can not be configured under multiple client lists";
                  type jt:ipv4prefix;
                  description "IPv4 prefix of TWAMP client";
                }
                uses apply-advanced;
              } // list address
            } // list client-list
            // TWAMP light: UDP ports that reflect test packets, up to 1000 entries.
            // NOTE(review): unlike the other port leaves in this container (range 1..65535),
            // the uint16 member here has no range, so 0 passes schema validation.
            // NOTE(review): nothing inside this container refers to authentication-mode or
            // client-list; confirm whether they apply to light sessions before exposing these ports.
            container light {
              presence "enable light";
              description "Enable TWAMP server for light control on the default port";
              uses apply-advanced;
              leaf-list port {
                type union {
                  type uint16;
                  type string { pattern "<.*>|$.*"; }
                }
                max-elements 1000;
                ordered-by user;
                description "UDP ports reflecting TWAMP light test packets";
              }
            } // container light
          } // container server
        } // container twamp
      } // container rpm
      // Video monitoring service; a presence container, so it is off unless configured.
      container video-monitoring {
        presence "enable video-monitoring";
        description "Video monitoring service";
        uses apply-advanced;
        // Named templates for MDI flows; flows reference them by name (1-32 characters).
        list templates {
          key "name";
          ordered-by user;
          description "Template for MDI flows";
          leaf name {
            type string { length "1 .. 32"; }
            description "Name of template";
          }
          uses apply-advanced;
          // Monitoring interval in seconds (1-50); no default is declared here.
          leaf interval-duration {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "1 .. 50"; }
            }
            description "Monitoring interval in sec";
          }
          leaf inactive-timeout {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "30 .. 
300"; } } description "Inactive timeout for idle flow in sec"; } container rate { description "Media rate or layer3 pps"; uses apply-advanced; choice rate-choice { leaf media { type string; description "Constant bit rate in bps"; } leaf layer3 { type string; description "Layer3 packet rate in pps"; } } // choice rate-choice } // container rate container delay-factor { description "Delay factor related parameters"; uses apply-advanced; container threshold { description "Threshold for delay factor alarm"; uses apply-advanced; leaf info { type decimal64 { fraction-digits 9; range "0 .. 65535"; } units "milli-sec"; description "Threshold for information alarm"; } leaf warning { type decimal64 { fraction-digits 9; range "0 .. 65535"; } units "milli-sec"; description "Threshold for warning alarm"; } leaf critical { type decimal64 { fraction-digits 9; range "0 .. 65535"; } units "milli-sec"; description "Threshold for critical alarm"; } } // container threshold choice enable-disable { leaf disable { type empty; description "Disable DF Calculation"; } } // choice enable-disable } // container delay-factor container media-loss-rate { description "MLR related parameters"; uses apply-advanced; container threshold { description "Threshold for MLR alarm"; uses apply-advanced; container info { description "Threshold for information alarm"; uses apply-advanced; choice mlr-threshold-choice { leaf packet-count { type jt:unsigned-float; description "MLR threshold value in packets count"; } leaf percentage { type decimal64 { fraction-digits 9; range "0 .. 100"; } description "MLR threshold value in percentage"; } } // choice mlr-threshold-choice } // container info container warning { description "Threshold for warning alarm"; uses apply-advanced; choice mlr-threshold-choice { leaf packet-count { type jt:unsigned-float; description "MLR threshold value in packets count"; } leaf percentage { type decimal64 { fraction-digits 9; range "0 .. 
100"; } description "MLR threshold value in percentage"; } } // choice mlr-threshold-choice } // container warning container critical { description "Threshold for critical alarm"; uses apply-advanced; choice mlr-threshold-choice { leaf packet-count { type jt:unsigned-float; description "MLR threshold value in packets count"; } leaf percentage { type decimal64 { fraction-digits 9; range "0 .. 100"; } description "MLR threshold value in percentage"; } } // choice mlr-threshold-choice } // container critical } // container threshold choice enable-disable { leaf disable { type empty; description "Disable MLR Caltulation"; } } // choice enable-disable } // container media-loss-rate container media-rate-variation { description "MRV related parameters"; uses apply-advanced; container threshold { description "Threshold for MRV alarm"; uses apply-advanced; leaf info { type decimal64 { fraction-digits 9; range "0 .. 100"; } description "Threshold for information alarm"; } leaf warning { type decimal64 { fraction-digits 9; range "0 .. 100"; } description "Threshold for warning alarm"; } leaf critical { type decimal64 { fraction-digits 9; range "0 .. 100"; } description "Threshold for critical alarm"; } } // container threshold choice enable-disable { leaf disable { type empty; description "Disable MRV Caltulation"; } } // choice enable-disable } // container media-rate-variation leaf media-packets-count-in-layer3 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Number of media packets in a IP packet"; } leaf media-packet-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
2048"; } } description "Size of media packet"; } } // list templates list interfaces { key "name"; ordered-by user; description "Interfaces to enable video monitoring"; leaf name { junos:must "("interfaces $$-IFL")"; junos:must-message "specified interface is not configured in interfaces hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Name of IFL"; } uses apply-advanced; container family { description "Protocol family"; uses apply-advanced; container inet { description "IPv4 flows"; uses apply-advanced; list input-flows { key "name"; ordered-by user; description "Input flows informations"; leaf name { type string { length "1 .. 32"; } description "Name of flow"; } uses apply-advanced; leaf-list source-address { type jt:ipv4prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipv4prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 32"; } description "Name of template"; } } // list input-flows list output-flows { key "name"; ordered-by user; description "Output flows informations"; leaf name { type string { length "1 .. 
32"; } description "Name of flow"; } uses apply-advanced; leaf-list source-address { type jt:ipv4prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipv4prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 32"; } description "Name of template"; } } // list output-flows } // container inet container inet6 { description "IPv6 flows"; uses apply-advanced; list input-flows { key "name"; ordered-by user; description "Input flows informations"; leaf name { type string { length "1 .. 32"; } description "Name of flow"; } uses apply-advanced; leaf-list source-address { type jt:ipv6prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipv6prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 32"; } description "Name of template"; } } // list input-flows list output-flows { key "name"; ordered-by user; description "Output flows informations"; leaf name { type string { length "1 .. 
32"; } description "Name of flow"; } uses apply-advanced; leaf-list source-address { type jt:ipv6prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipv6prefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 32"; } description "Name of template"; } } // list output-flows } // container inet6 container mpls { description "MPLS flows"; uses apply-advanced; list input-flows { key "name"; ordered-by user; description "Input flows informations"; leaf name { type string { length "1 .. 32"; } description "Name of flow"; } uses apply-advanced; leaf payload-type { type enumeration { enum "ipv4" { value 0; description "IPv4 over MPLS"; } enum "ipv6" { value 1; description "IPv6 over MPLS"; } } description "Specify MPLS payload-type"; } leaf-list source-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 
32"; } description "Name of template"; } } // list input-flows list output-flows { key "name"; ordered-by user; description "Output flows informations"; leaf name { type string { length "1 .. 32"; } description "Name of flow"; } uses apply-advanced; leaf payload-type { type enumeration { enum "ipv4" { value 0; description "IPv4 over MPLS"; } enum "ipv6" { value 1; description "IPv6 over MPLS"; } } description "Specify MPLS payload-type"; } leaf-list source-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list destination-address { type jt:ipprefix; max-elements 32; ordered-by user; description "Prefix to match"; } leaf-list source-port { type string; max-elements 32; ordered-by user; description "Source port number to match"; } leaf-list destination-port { type string; max-elements 32; ordered-by user; description "Destination port number to match"; } leaf template { junos:must "("services video-monitoring templates $$")"; junos:must-message "Referenced template must be defined under 'services video-monitoring templates'"; type string { length "1 .. 32"; } description "Name of template"; } } // list output-flows } // container mpls } // container family } // list interfaces leaf stats-cache-life-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } default "10"; description "Lifetime of cached stats in seconds"; } leaf errors-cache-life-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } default "10"; description "Lifetime of cached errors in seconds"; } leaf flow-cache-life-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
600"; } }
          default "10";
          description "Lifetime of cached flows in seconds";
        }
        // Alarm generation settings, one container per metric or flow event.
        container alarms {
          description "Alarms for Flows";
          uses apply-advanced;
          // Delay-factor (DF) alarms.
          container delay-factor {
            description "DF Alarms";
            uses apply-advanced;
            // Suppresses syslog messages for threshold crossings. If generate-snmp-traps is
            // not set either, no reporting channel remains among the options shown here -
            // check this where these alarms feed monitoring.
            leaf no-syslog-generation {
              type empty;
              description "Don't generate syslog when threshold exceed";
            }
            // SNMP traps can only be enabled together with storm-control (rate limiting).
            leaf generate-snmp-traps {
              junos:must "(".. storm-control")";
              junos:must-message "Storm control must be configured";
              type empty;
              description "Generate SNMP traps when threshold exceed";
            }
            // Rate limit on alarm generation: at most `count` alarms per `interval` seconds.
            // Neither leaf declares a default.
            container storm-control {
              presence "enable storm-control";
              description "Control frequency of alarm generation";
              uses apply-advanced;
              leaf count {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 300"; }
                }
                description "Max number of alarms in specified interval";
              }
              leaf interval {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 300"; }
                }
                description "Interval in Seconds";
              }
            } // container storm-control
            // Alarm trigger mode: immediately, or on an average over mdi-records-count records.
            container alarm-mode {
              presence "enable alarm-mode";
              description "Mode of alarm generation";
              uses apply-advanced;
              // Only valid when the `average` case of the choice below is selected.
              leaf mdi-records-count {
                junos:must "(".. average")";
                junos:must-message "Applicable only if alarm-mode is average";
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "2 .. 10"; }
                }
                description "Number of MDI records to average";
              }
              choice alarm_mode {
                leaf immediate {
                  type empty;
                  description "Alarm will be triggered immediately";
                }
                leaf average {
                  type empty;
                  description "Alarm will be triggered based on average";
                }
              } // choice alarm_mode
            } // container alarm-mode
          } // container delay-factor
          // NOTE(review): this container is media-rate-variation, which the templates list
          // abbreviates as MRV, yet its description reads "MLR Alarms"; the media-loss-rate
          // container below is described as "MRV Alarms". The two descriptions look swapped -
          // go by the node name when configuring.
          container media-rate-variation {
            description "MLR Alarms";
            uses apply-advanced;
            leaf no-syslog-generation {
              type empty;
              description "Don't generate syslog when threshold exceed";
            }
            leaf generate-snmp-traps {
              junos:must "(".. 
storm-control")";
              junos:must-message "Storm control must be configured";
              type empty;
              description "Generate SNMP traps when threshold exceed";
            }
            // Rate limit on alarm generation: at most `count` alarms per `interval` seconds.
            container storm-control {
              presence "enable storm-control";
              description "Control frequency of alarm generation";
              uses apply-advanced;
              leaf count {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 300"; }
                }
                description "Max number of alarms in specified interval";
              }
              leaf interval {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 300"; }
                }
                description "Interval in Seconds";
              }
            } // container storm-control
            // Alarm trigger mode: immediately, or on an average over mdi-records-count records.
            container alarm-mode {
              presence "enable alarm-mode";
              description "Mode of alarm generation";
              uses apply-advanced;
              // Only valid when the `average` case of the choice below is selected.
              leaf mdi-records-count {
                junos:must "(".. average")";
                junos:must-message "Applicable only if alarm-mode is average";
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "2 .. 10"; }
                }
                description "Number of MDI records to average";
              }
              choice alarm_mode {
                leaf immediate {
                  type empty;
                  description "Alarm will be triggered immediately";
                }
                leaf average {
                  type empty;
                  description "Alarm will be triggered based on average";
                }
              } // choice alarm_mode
            } // container alarm-mode
          } // container media-rate-variation
          // NOTE(review): this container is media-loss-rate, which the templates list
          // abbreviates as MLR, yet its description reads "MRV Alarms"; the preceding
          // media-rate-variation container is described as "MLR Alarms". The two descriptions
          // look swapped - go by the node name when configuring.
          container media-loss-rate {
            description "MRV Alarms";
            uses apply-advanced;
            // Suppresses syslog messages for threshold crossings. If generate-snmp-traps is
            // not set either, no reporting channel remains among the options shown here.
            leaf no-syslog-generation {
              type empty;
              description "Don't generate syslog when threshold exceed";
            }
            // SNMP traps can only be enabled together with storm-control (rate limiting).
            leaf generate-snmp-traps {
              junos:must "(".. storm-control")";
              junos:must-message "Storm control must be configured";
              type empty;
              description "Generate SNMP traps when threshold exceed";
            }
            container storm-control {
              presence "enable storm-control";
              description "Control frequency of alarm generation";
              uses apply-advanced;
              leaf count {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 300"; }
                }
                description "Max number of alarms in specified interval";
              }
              leaf interval {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 
300"; } } description "Interval in Seconds"; } } // container storm-control container alarm-mode { presence "enable alarm-mode"; description "Mode of alarm generation"; uses apply-advanced; leaf mdi-records-count { junos:must "(".. average")"; junos:must-message "Applicable only if alarm-mode is average"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10"; } } description "Number of MDI records to average"; } choice alarm_mode { leaf immediate { type empty; description "Alarm will be triggered immediately"; } leaf average { type empty; description "Alarm will be triggered based on average"; } } // choice alarm_mode } // container alarm-mode } // container media-loss-rate container flow-insert { description "Flow Insert Alarms"; uses apply-advanced; leaf no-syslog-generation { type empty; description "Don't generate syslog when threshold exceed"; } leaf generate-snmp-traps { junos:must "(".. storm-control")"; junos:must-message "Storm control must be configured"; type empty; description "Generate SNMP traps when threshold exceed"; } container storm-control { presence "enable storm-control"; description "Control frequency of alarm generation"; uses apply-advanced; leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } description "Max number of alarms in specified interval"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } description "Interval in Seconds"; } } // container storm-control } // container flow-insert container flow-delete { description "Flow Delete Alarms"; uses apply-advanced; leaf no-syslog-generation { type empty; description "Don't generate syslog when threshold exceed"; } leaf generate-snmp-traps { junos:must "(".. 
storm-control")"; junos:must-message "Storm control must be configured"; type empty; description "Generate SNMP traps when threshold exceed"; } container storm-control { presence "enable storm-control"; description "Control frequency of alarm generation"; uses apply-advanced; leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } description "Max number of alarms in specified interval"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } description "Interval in Seconds"; } } // container storm-control } // container flow-delete } // container alarms } // container video-monitoring container inline-monitoring { presence "enable inline-monitoring"; description "Inline packet monitoring service"; uses apply-advanced; container traceoptions { description "Trace options for IMOND"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } }
              default "3";
              description "Maximum number of trace files";
            }
            // Read permission on the trace file: either any user may read it, or not.
            // Security: trace output can expose operational detail, so prefer no-world-readable
            // unless wider read access is needed. This schema declares no default for the
            // choice; the behaviour when neither leaf is set is not shown here.
            choice world-readable-choice {
              leaf world-readable {
                type empty;
                description "Allow any user to read the log file";
              }
              leaf no-world-readable {
                type empty;
                description "Don't allow any user to read the log file";
              }
            } // choice world-readable-choice
            // Only lines matching this regular expression are logged.
            leaf match {
              type jt:regular-expression;
              description "Regular expression for lines to be logged";
            }
          } // container file
        } // container traceoptions
        // Custom counter profiles: at most 8 profiles, each holding at most 6 counters.
        list counter-profile {
          key "name";
          max-elements 8;
          ordered-by user;
          description "Custom counter profiles for Inline packet monitoring";
          leaf name {
            type string { length "1 .. 32"; }
            description "Name of counter-profile";
          }
          uses apply-advanced;
          list counter {
            key "name";
            max-elements 6;
            ordered-by user;
            description "Inline monitoring counter";
            leaf name {
              type string { length "1 .. 32"; }
              description "Name of counter";
            }
            uses apply-advanced;
            // NOTE(review): max-value and min-value are each only checked against 0..65535.
            // Nothing in this schema enforces min <= max, the non-overlap the description asks
            // for, or the per-type bounds given in the counter-type descriptions (64-9000 for
            // packet-range, 0-255 for ttl-range), so validate those outside the schema.
            leaf max-value {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "0 .. 65535"; }
              }
              description "Non-overlapping min/max range for counter-type, not exceeding packet contruct";
            }
            leaf min-value {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "0 .. 65535"; }
              }
              description "Non-overlapping min/max range for counter-type, not exceeding packet contruct";
            }
            // What the counter measures. Per its description, dos-attack needs no min/max.
            leaf counter-type {
              type enumeration {
                enum "packet-range" {
                  value 0;
                  description "Packet range 64-9000 bytes";
                }
                enum "ttl-range" {
                  value 1;
                  description "TTL range 0-255";
                }
                enum "tcp-window-range" {
                  value 2;
                  description "TCP window range 0-65535";
                }
                enum "dos-attack" {
                  value 3;
                  description "DoS attack counter, min/max is not required";
                }
              }
              description "Counter type";
            }
          } // list counter
        } // list counter-profile
        // Inline-monitoring templates, at most 16.
        list template {
          key "name";
          max-elements 16;
          ordered-by user;
          description "Templates for Inline packet monitoring";
          leaf name {
            type string { length "1 .. 
32"; } description "Name of template"; } uses apply-advanced; leaf template-refresh-rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "600"; description "Refresh rate in seconds"; } leaf option-template-refresh-rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "600"; description "Option refresh rate in seconds"; } leaf observation-domain-id { junos:must "(!(".. .. observation-cloud-id"))"; junos:must-message "observation-domain-id cannot be configured if observation-cloud-id is configured"; type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 255"; } } default "0"; description "Observation domain ID"; } leaf template-id { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Template ID"; } leaf option-template-id { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Option template ID"; } leaf flow-active-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "60"; description "Interval after which active flow is exported in seconds"; } leaf flow-inactive-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 
600"; } } default "60"; description "Period of inactivity that marks a flow inactive in seconds"; } leaf template-type { type enumeration { enum "ipv4-template" { value 0; description "IPv4 template configuration"; } enum "ipv6-template" { value 1; description "IPv6 template configuration"; } } default "ipv4-template"; description "Template IP version"; } container flow-monitoring { presence "enable flow-monitoring"; uses apply-advanced; leaf sampling-profile { type enumeration { enum "first-N-Packets" { value 0; description "Initial first 'N' packet samples are exported to collector"; } enum "deterministic" { value 1; description "Deterministically 'N'th packet is sampled"; } enum "random" { value 2; description "Random packets are sampled and exported"; } enum "combo-1" { value 3; description "Initial first 'N' packets followed by random packet sampling"; } enum "combo-2" { value 4; description "Initial first 'N' packets followed by deterministic sampling"; } } description "Supported sampling profiles"; } leaf packet-count { junos:must "((".. sampling-profile first-N-Packets " || (" .. sampling-profile combo-1" || " .. sampling-profile combo-2")))"; junos:must-message "'packet-count' should be configured with first-N-Packets/combo-1/combo-2 sampling profiles"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 1023"; } } default "10"; description "Packet count for first-N-Packets/combo-1/combo-2 sampling profiles"; } leaf sampling-rate { junos:must "(!(".. sampling-profile first-N-Packets "))"; junos:must-message "'sampling-rate' cannot be configured with first-N-Packets sampling profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "10000"; description "Sampling rate"; } leaf security-enable { type empty; description "Enable DOS attack detection on monitored flows"; } leaf flow-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "8 .. 
10000000"; } } description "Flow meter rate in kbps"; } leaf burst-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "512 .. 256000000"; } } description "Burst size in bytes"; } leaf flow-limit { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 32000"; } } default "32000"; description "Maximum number of flows allowed"; } leaf counter-profile { type string { length "1 .. 32"; } description "Counter profiles per-flow-4-counters, per-flow-6-counters or custom profile"; } } // container flow-monitoring list primary-data-record-fields { key "name"; ordered-by user; description "Primary data record fields"; leaf name { type enumeration { enum "datalink-frame-size" { value 0; description "Datalink Frame Size"; } enum "direction" { value 1; description "Direction"; } enum "egress-interface-snmp-id" { value 2; description "Egress Interface SNMP ID"; } enum "ingress-interface-snmp-id" { value 3; description "Ingress Interface SNMP ID"; } enum "cpid-ingress-interface-index" { value 4; description "CPID Ingress Interface Index"; } enum "cpid-underlying-ingress-interface-index" { value 5; description "CPID Underlying Ingress Interface Index"; } enum "cpid-egress-interface-index" { value 6; description "CPID Egress Interface Index"; } enum "cpid-forwarding-nexthop-id" { value 7; description "CPID Forwarding Nexthop Id"; } enum "cpid-forwarding-exception-code" { value 8; description "CPID Forwarding Exception Code"; } enum "cpid-forwarding-class-drop-priority" { value 9; description "CPID Forwarding Class Drop Priority"; } } description "IPFIX Information Elements"; } } // list primary-data-record-fields } // list template list instance { key "name"; max-elements 16; ordered-by user; description "Inline monitoring instance"; leaf name { type string { length "1 .. 
32"; } description "Name of instance"; } uses apply-advanced; leaf template-name { junos:must "("services inline-monitoring template $$")"; junos:must-message "Referenced template must be defined under 'services inline-monitoring template'"; type string { length "1 .. 32"; } description "Template Name"; } leaf maximum-clip-length { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "64 .. 126"; } } description "Maximum packet length"; } list collector { key "name"; max-elements 1; ordered-by user; description "Inline monitoring collector"; leaf name { type string { length "1 .. 32"; } description "Name of collector"; } uses apply-advanced; leaf source-address { type jt:ipv4addr; description "Source address"; } leaf destination-address { type jt:ipv4addr; description "Destination address"; } leaf dscp { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 63"; } } default "0"; description "DSCP Value"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port value"; } leaf forwarding-class { type string { length "1 .. 64"; } description "Forwarding class for exported frames"; } leaf sampling-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16000000"; } } description "Sampling rate"; } leaf routing-instance { junos:must "("routing-instances $$ instance-type vrf")"; junos:must-message "routing instance should be defined and should be of type Virtual routing forwarding instance(VRF)"; type string; description "Name of routing instance"; } } // list collector } // list instance leaf observation-cloud-id { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 
255"; } }
          description "Observation cloud ID";
        }
      } // container inline-monitoring
      // App-engine (JunosV App Engine) settings: security, resource monitors, compute clusters.
      container app-engine {
        description "App-engine";
        uses apply-advanced;
        // Presence container with no child nodes: configuring it is the whole setting, and
        // it is absent unless explicitly configured.
        // NOTE(review): what "app-engine security" enforces is not described in this schema;
        // confirm against vendor documentation when setting a baseline.
        container security {
          presence "enable security";
          description "Enable app-engine security";
        } // container security
        // CPU, memory and storage monitors; their fields come from the monitor-threshold
        // grouping, which is defined outside this excerpt.
        container monitor-cpu {
          description "Monitor node CPU usage";
          uses monitor-threshold;
        } // container monitor-cpu
        container monitor-memory {
          description "Monitor node memory usage";
          uses monitor-threshold;
        } // container monitor-memory
        container monitor-storage {
          description "Monitor storage usage";
          uses monitor-threshold;
        } // container monitor-storage
        // Default software package for the appliance.
        // NOTE(review): plain string with no length or pattern restriction, so the schema
        // accepts any value; verification of the named package has to happen elsewhere.
        leaf default-compute-node-package {
          type string;
          description "Default JunosV App Engine package for appliance";
        }
        list compute-cluster {
          key "name";
          ordered-by user;
          description "Configure compute cluster";
          leaf name {
            type string { length "1 .. 15"; }
            description "Compute cluster name";
          }
          uses apply-advanced;
          // Management address for the cluster. The junos:must requires `interfaces` under
          // every compute-node (per the must-message, a management interface).
          container local-management {
            junos:must "(all ".. compute-node <*> interfaces")";
            junos:must-message "Must specify compute-node management interface";
            description "Management address connected to compute cluster";
            uses apply-advanced;
            list routing-instance {
              junos:must "(!(any ".. 
logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restriction to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage list compute-node { key "name"; max-elements 1; ordered-by user; description "Compute node name"; leaf name { type string { length "1 .. 
15"; }
              description "Compute node name";
            }
            uses apply-advanced;
            // Per-node CPU, memory and storage monitors; their fields come from the
            // monitor-threshold grouping, which is defined outside this excerpt.
            container monitor-cpu {
              description "Monitor node CPU usage";
              uses monitor-threshold;
            } // container monitor-cpu
            container monitor-memory {
              description "Monitor node memory usage";
              uses monitor-threshold;
            } // container monitor-memory
            container monitor-storage {
              description "Monitor storage usage";
              uses monitor-threshold;
            } // container monitor-storage
            // How the node is identified: at most one of mac-address, fpc or hypervisor.
            choice compute-node-identifier {
              // Requires `interfaces` on this node and `local-management` on the cluster, and
              // the MAC address must be unique across all compute clusters.
              leaf mac-address {
                junos:must "(".. interfaces")";
                junos:must-message "Must specify management interface";
                junos:must "(".. .. local-management")";
                junos:must-message "Must specify compute cluster local-management";
                junos:must "(unique "services app-engine compute-cluster <*> compute-node <*> mac-address $$")";
                junos:must-message "MAC address must be unique across compute clusters";
                type jt:mac-addr;
                description "MAC address of the network boot interface";
              }
              // Excludes cluster `local-management` and a node-level `package`, and the slot
              // must be unique across compute clusters.
              // NOTE(review): the uint32 member has no range, so any 32-bit value passes schema
              // validation; valid slot numbers are not constrained here.
              leaf fpc {
                junos:must "(!(".. .. local-management"))";
                junos:must-message "Must not specify compute cluster local-management";
                junos:must "(unique "services app-engine compute-cluster <*> compute-node <*> fpc $$")";
                junos:must-message "FPC slot must be unique across compute clusters";
                junos:must "(!(".. package"))";
                junos:must-message "Must not specify package for FPC slot here. It is necessary and sufficient to specify it under 'chassis fpc <> application-services'";
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32;
                }
                description "FPC slot number";
              }
              // From the must expression, hypervisor cannot be combined with `interfaces` on
              // the same node.
              // NOTE(review): the must-message is empty, so a configuration rejected by this
              // check gives the operator no explanation.
              leaf hypervisor {
                junos:must "(!(".. interfaces"))";
                junos:must-message "";
                type empty;
                description "Compute node is hypervisor";
              }
            } // choice compute-node-identifier
            // Software package for this node.
            // NOTE(review): plain string with no length or pattern restriction, so the schema
            // accepts any value; verification of the named package has to happen elsewhere.
            leaf package {
              type string;
              description "JunosV App Engine package";
            }
            // Static routes for the compute node.
            container routing-options {
              description "Route configuration for compute node";
              uses apply-advanced;
              container static {
                description "Static routes";
                uses apply-advanced;
                list route {
                  key "name";
                  ordered-by user;
                  description "Static route";
                  leaf name {
                    junos:must "(!(any ".. 
.. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options container interfaces { description "Network interfaces configuration"; uses apply-advanced; list ethernet { key "name"; ordered-by user; description "Interface configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "This interface is already associated with a bridge"; junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^eth[0-9]{1,2}$"; junos:pattern-message "Must be of the form eth<0-99>"; length "1 .. 15"; } description "Interface name"; } uses apply-advanced; leaf management { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with fpc"; junos:must "((".. family inet address" || ".. 
family inet dhcp"))"; junos:must-message "Management interface must have an address or dhcp configured"; junos:must "(!(".. enable-passthrough"))"; junos:must-message "Management interface cannot be passthrough interface"; type empty; description "Use this as management interface"; } container family { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; description "Protocol family"; uses family; } // container family leaf enable-passthrough { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. mtu"))"; junos:must-message "Passthrough interface cannot have MTU"; junos:must "(!(".. family inet address"))"; junos:must-message "Passthrough interface cannot have an address"; type empty; description "Enable passthrough on this interface"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container ether-options { junos:must "((!(".. management") && (!(".. family") && !(".. enable-passthrough"))))"; junos:must-message "Ethernet interface can not exist separately if it is under a aggregated interface and vice versa"; uses apply-advanced; choice agg-intf { leaf ieee-802-3ad { junos:must "(!(".. .. mtu"))"; junos:must-message "Aggregate slave interface cannot have MTU"; junos:must "(!(".. .. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } } // choice agg-intf } // container ether-options } // list ethernet list bridge { key "name"; ordered-by user; description "Bridge configuration"; leaf name { junos:must "(!(any ".. .. 
bridge <*> interface $$"))";
    junos:must-message "Bridge name is already used in one of the bridge interface list";
    // The next two constraints stop a bridge from reusing the name of an
    // aggregate or ethernet interface (see the message paired with each).
    junos:must "(!(".. .. aggregate $$"))";
    junos:must-message "An aggregate interface is configured with this name";
    junos:must "(!(".. .. ethernet $$"))";
    junos:must-message "An interface is configured with this name";
    type string {
      // NOTE(review): the first bracket expression reads "A-z", not "A-Za-z".
      // In ASCII/C-locale collation that range also spans '[', '\', ']', '^',
      // '_' and '`', so the "start with a letter" rule stated in the message
      // is not what the pattern enforces. Confirm the intended class with the
      // schema owner before treating this as input validation.
      // NOTE(review): "{1,15}" after the first character admits 2-16
      // characters while 'length' allows 1-15; taken together a one-character
      // name passes 'length' but not the pattern.
      junos:posix-pattern "^[A-za-z][.0-9A-Za-z_]{1,15}$";
      junos:pattern-message "Must be a string of 15 or fewer characters. The string should start with a letter and can contain letters, digits, underscores and periods";
      length "1 .. 15";
    }
    description "Bridge name";
  }
  uses apply-advanced;
  // Marks this bridge as the management bridge. Rejected when the compute
  // node is identified by 'fpc', and requires an inet address or dhcp on the
  // bridge (per the two must-messages).
  leaf management {
    junos:must "(!(".. .. .. fpc"))";
    junos:must-message "Must not specify any interface as management with FPC compute node";
    junos:must "((".. family inet address" || ".. family inet dhcp"))";
    junos:must-message "Management bridge must have an address or dhcp configured";
    type empty;
    description "Use this as management bridge";
  }
  container family {
    description "Protocol family";
    uses family;
  } // container family
  // Member interfaces of the bridge: at most 4, each name 1-15 characters.
  // NOTE(review): members are free-form strings; no reference check against
  // the ethernet/aggregate lists is attached here.
  leaf-list interface {
    junos:must "((!(".. .. aggregate family inet address") && !(".. .. aggregate family inet dhcp")))";
    junos:must-message "Interface associated to bridge can not have address";
    type string {
      length "1 .. 15";
    }
    max-elements 4;
    ordered-by user;
    description "Bridge interface list";
  }
  leaf mtu {
    type union {
      // The string alternative ("<.*>|$.*") is presumably the hook for Junos
      // wildcard/variable forms - TODO confirm. Only the uint16 branch is
      // range-checked.
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "256 .. 9192"; }
    }
    description "Maximum transmit packet size";
  }
} // list bridge
// Aggregate (ae<N>) interfaces. The key carries the mirror-image name
// collision checks against bridges and ethernet interfaces.
list aggregate {
  key "name";
  ordered-by user;
  description "Aggregate interface configuration";
  leaf name {
    junos:must "(!(".. .. bridge $$"))";
    junos:must-message "A bridge is configured with this name";
    junos:must "(!(".. .. ethernet $$"))";
    junos:must-message "An interface is configured with this name";
    junos:must "(any ".. .. 
ethernet <*> ether-options ieee-802-3ad $$")"; junos:must-message "Aggregated interface must have some slave interface"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } uses apply-advanced; leaf management { junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management aggregate must have an address or dhcp configured"; type empty; description "Use this as management aggregate"; } container family { description "Protocol family"; uses family; } // container family leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container aggregated-ether-options { presence "enable aggregated-ether-options"; description "Link aggregation parameters"; uses apply-advanced; leaf hash-policy { type enumeration { enum "layer-2" { value 0; description "Uses mac address of both source and destination for hashing"; } enum "layer-3-and-4" { value 1; description "Uses port number and IP address of both source and destination for hashing"; } enum "layer-2-and-3" { value 2; description "Uses mac and IP address of both source and destination for hashing"; } } default "layer-3-and-4"; } leaf miimon { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Link monitoring interval in milli-second"; } } // container aggregated-ether-options } // list aggregate } // container interfaces list syslog { key "name"; ordered-by user; description "System logging facility"; leaf name { type enumeration { enum "any" { value 0; description "All facilities"; } enum "authorization" { value 1; description "Authorization system"; } enum "privileged" { value 2; description "Privileged authorization events"; } enum "cron" { value 3; description "Cron daemon"; } enum "daemon" { value 4; description "Various system processes"; } enum "kernel" { 
value 5; description "Kernel"; } enum "syslog" { value 6; description "Syslog messages"; } enum "user" { value 7; description "User processes"; } enum "uucp" { value 8; description "UUCP system"; } enum "local0" { value 9; description "Local 0 messages"; } enum "local1" { value 10; description "Local 1 messages"; } enum "local2" { value 11; description "Local 2 messages"; } enum "local3" { value 12; description "Local 3 messages"; } enum "local4" { value 13; description "Local 4 messages"; } enum "local5" { value 14; description "Local 5 messages"; } enum "local6" { value 15; description "Local 6 messages"; } enum "local7" { value 16; description "Local 7 messages"; } } description "Facility type"; } choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf debug { type empty; description "Debug messages"; } } // choice level } // list syslog } // list compute-node } // list compute-cluster container virtual-machines { description "Virtual-machine management"; uses apply-advanced; list instance { key "name"; ordered-by user; description "Virtual-machine instance"; leaf name { type string { length "1 .. 39"; } description "Virtual-machine instance identifier"; } uses apply-advanced; leaf cpu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } default "1"; description "Units of CPUs (default 1 cpu)"; } leaf memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
32"; } } units "gigabytes"; default "1"; description "Memory for the virtual-machine (default 1 gigabytes)"; } leaf management-interface { type string { junos:posix-pattern "em0|em1"; junos:pattern-message "valid interface is em0 or em1"; length "1 .. 31"; } description "Virtual-machine management interface name"; } leaf package { type string { length "1 .. 120"; } description "Virtual-machine package"; } container local-management { description "Management address connected to virtual machine"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restriction to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management list compute-cluster { key "name"; max-elements 1; ordered-by user; description "Compute cluster on which the virtual-machine runs"; leaf name { junos:must "("services app-engine compute-cluster $$")"; junos:must-message "Referenced compute cluster must be defined"; type string { length "1 .. 
15"; } description "Compute cluster name"; } uses apply-advanced; leaf compute-node { junos:must "((("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc" && ".. .. local-management") || !("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc")))"; junos:must-message "Must specify local-management for virtual machine on FPC compute node"; junos:must "("services app-engine compute-cluster ${compute-cluster} compute-node $$")"; junos:must-message "Referenced compute node must be defined"; type string { length "1 .. 15"; } description "Compute node on which the virtual-machine runs"; } } // list compute-cluster list interface { key "name"; ordered-by user; description "Virtual-machine interface configuration"; leaf name { type string { length "1 .. 31"; } description "Virtual-machine interface name"; } uses apply-advanced; leaf hw-model { type enumeration { enum "e1000g" { value 0; description "Gigabit Ethernet e1000g driver"; } enum "virtio" { value 1; description "Para-virtualizing the interface"; } } default "e1000g"; description "Interface hardware model"; } leaf host-interface { type string { length "1 .. 15"; } description "Passthrough host interface for virtual-machine"; } leaf bridge { junos:must "(!(".. mtu"))"; junos:must-message "Bridged VM interface inherits MTU from the bridge"; junos:must "(!(".. host-interface"))"; junos:must-message "bridge can not defined with passthrough/host-interface"; type string { length "1 .. 15"; } description "Bridge that the interface connected to"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 
9192"; } } description "Maximum transmit packet size"; } container family { description "Interface address family"; container inet { presence "enable inet"; description "IPv4 parameters"; uses apply-advanced; list address { key "name"; ordered-by user; description "Interface address/destination prefix"; leaf name { type jt:ipv4prefix; description "Interface address/destination prefix"; } uses apply-advanced; leaf primary { type empty; description "Primary address on the interface"; } } // list address } // container inet } // container family } // list interface container routing-options { description "Route configuration for virutal machine"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. 
static route $$"))";
                junos:must-message "Duplicate route entry";
                type jt:ipv4prefix;
                description "Destination IP address or prefix";
              }
              uses apply-advanced;
              leaf next-hop {
                type jt:ipv4addr;
                description "Next hop to destination";
              }
            } // list route
          } // container static
        } // list rib
      } // container routing-options
      // Extra virtual disks for a VM instance: the name is restricted to
      // hdb/hdc/hdd and the size to 1-160 gigabytes (or the string form of
      // the union).
      list secondary-disk {
        key "name";
        ordered-by user;
        description "Virtual-machine disk";
        leaf name {
          type enumeration {
            enum "hdb" { value 0; description "Disk name is hdb"; }
            enum "hdc" { value 1; description "Disk name is hdc"; }
            enum "hdd" { value 2; description "Disk name is hdd"; }
          }
          description "Virtual-machine disk name";
        }
        leaf size {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 160"; }
          }
          units "gigabytes";
          description "Virtual-machine secondary disk size";
        }
      } // list secondary-disk
    } // list instance
  } // container virtual-machines
} // container app-engine
// Unified Access Control: the infranet controllers this device talks to,
// followed by the settings for that link.
container unified-access-control {
  description "Configure Unified Access Control";
  uses apply-advanced;
  list infranet-controller {
    key "name";
    ordered-by user;
    description "Configure infranet controller";
    leaf name {
      type string {
        length "1 .. 31";
      }
      description "Infranet controller name";
    }
    uses apply-advanced;
    leaf address {
      type jt:ipv4addr;
      description "Infranet controller IP address";
    }
    leaf port {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 65535"; }
      }
      default "11123";
      description "Infranet controller port";
    }
    leaf interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Outgoing interface";
    }
    // NOTE(review): modelled as a plain 1-255 character string; nothing in
    // this schema marks the leaf as a secret. Treat configuration exports and
    // management-protocol replies that include this node as sensitive, and
    // confirm how the device stores and displays the value.
    leaf password {
      type string {
        length "1 .. 255";
      }
      description "Infranet controller server password";
    }
    // Certificate authority profiles for the controller connection.
    // NOTE(review): entries are unconstrained strings with no junos:must
    // reference check attached, so a mistyped profile name is not caught by
    // this schema. Presumably these matter when the sibling
    // 'certificate-verification' leaf enforces verification - confirm.
    leaf-list ca-profile {
      type string;
      ordered-by user;
      description "Define a list of certificate authority";
    }
    // Expected subject of the controller's certificate (see description).
    leaf server-certificate-subject {
      type string {
        length "1 .. 
255";
      }
      description "Subject name of infranet controller certificate to match";
    }
  } // list infranet-controller
  // How strictly the infranet controller's certificate is checked.
  // NOTE(review): the schema default is "warning". Going by the enum
  // descriptions only "required" mandates verification, so deployments that
  // depend on authenticating the controller should set "required" explicitly
  // instead of inheriting the default.
  leaf certificate-verification {
    type enumeration {
      enum "warning" { value 0; description "Warn if certificate is not being verified"; }
      enum "required" { value 1; description "Require certificate verification. Most secure"; }
      enum "optional" { value 2; description "Make verification optional, no warnings. Least secure"; }
    }
    default "warning";
    description "Specify certificate verification requirement";
  }
  // Idle timeout for the controller link, in seconds (default 300).
  leaf timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "2 .. 10000"; }
    }
    default "300";
    description "Timeout for idle infranet controller link in seconds";
  }
  // Heartbeat interval from the controller, in seconds (default 30).
  leaf interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 9999"; }
    }
    default "30";
    description "Heartbeat interval from infranet controller in seconds";
  }
  // What happens to traffic when the controller link times out. The default
  // "close" fails closed. "open" lets new and existing sessions through while
  // the controller is unreachable, i.e. it fails open; review any
  // configuration that selects it.
  leaf timeout-action {
    type enumeration {
      enum "close" { value 0; description "Remove existing sessions and block further traffic"; }
      enum "no-change" { value 1; description "Preserve existing connections; block new sessions"; }
      enum "open" { value 2; description "Allow traffic for new and existing sessions to go through"; }
    }
    default "close";
    description "Specify action when infranet controller timeout occurs";
  }
  // Per the description, enabling this allows all traffic and only logs the
  // enforcement result, so policy is observed rather than enforced. Worth
  // flagging in configuration audits if it is present outside a test window.
  leaf test-only-mode {
    type empty;
    description "Allow all traffic and only log enforcement result";
  }
  container traceoptions {
    description "UAC trace options";
    uses apply-advanced;
    // Only accepted when [system tracing] is configured (see must-message).
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      leaf filename {
        type string {
          // The leading '!' apparently negates the match: per the message,
          // names containing '/', '%' or a space are rejected, so a path
          // component cannot be supplied through this leaf.
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 
1024";
        }
        description "Name of file in which to write trace information";
      }
      // NOTE(review): free-form string; no unit or range is enforced by the
      // schema for the maximum trace file size.
      leaf size {
        type string;
        description "Maximum trace file size";
      }
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // Read permission on the trace file. The two leaves are cases of one
      // choice, so at most one can be set. No default is declared here, so
      // the behaviour when neither is configured is not visible in this
      // schema. Trace output can contain controller communication details
      // (see the "connect" flag below), so prefer no-world-readable.
      choice world-readable-choice {
        leaf world-readable {
          type empty;
          description "Allow any user to read the log file";
        }
        leaf no-world-readable {
          type empty;
          description "Don't allow any user to read the log file";
        }
      } // choice world-readable-choice
      leaf match {
        type jt:regular-expression;
        description "Regular expression for lines to be logged";
      }
    } // container file
    // Which event classes are traced.
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        type enumeration {
          enum "all" { value 0; description "Trace with all flags enabled"; }
          enum "ipc" { value 1; description "IPC tracing"; }
          enum "config" { value 2; description "Configuration tracing"; }
          enum "connect" { value 3; description "Communication with infranet controller tracing"; }
        }
      }
    } // list flag
  } // container traceoptions
  // Redirect policies for HTTP traffic. Each entry chooses which traffic is
  // redirected and the URL it is sent to.
  list captive-portal {
    key "name";
    ordered-by user;
    description "Unauthenticated HTTP redirect";
    leaf name {
      type string {
        length "1 .. 128";
      }
      description "Redirect policy name";
    }
    uses apply-advanced;
    leaf redirect-traffic {
      type enumeration {
        enum "unauthenticated" { value 0; description "Redirect unauthenticated traffic"; }
        enum "all" { value 1; description "Redirect all traffic"; }
      }
      description "Traffic to redirect";
    }
    leaf redirect-url {
      type string {
        // NOTE(review): this is a character allow-list, not a full URL
        // validator.
        //  - "https?" accepts plain http as well as https. Users are sent to
        //    this URL before authenticating, so an https target is the safer
        //    choice.
        //  - Every part of the host group is optional, so an empty host
        //    appears to match.
        //  - In the query-value classes "+-:" sits mid-bracket and is
        //    presumably parsed as a range ('+' through ':'), not as three
        //    literals - confirm against the device's regex engine.
        junos:posix-pattern "^https?://([[:alnum:]%]?[[:alnum:]%._-]*[[:alnum:]%]?)(/[[:alnum:]_-]*)*/?([?][[:alnum:]_%+-]*=[[:alnum:]_%+-:/.]*(&[[:alnum:]_%+-]*=[[:alnum:]_%+-:/.]*)*)?$";
        junos:pattern-message "Redirect URL be a valid HTTP URL";
        length "1 .. 
512"; } description "Redirect URL for unauthenticated users"; } } // list captive-portal } // container unified-access-control container agf { description "Configuration for access gateway function"; uses apply-advanced; leaf node-name { type string { length "1 .. 150"; } description "AGF node name"; } leaf node-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "AGF node identifier"; } leaf ip-address { type jt:ipv4addr; status deprecated; description "AGF ip address"; } container n2-proxy { presence "enable n2-proxy"; description "N2 proxy settings"; uses apply-advanced; leaf ip-address { type jt:ipv4addr; description "N2 proxy ip address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } default "65454"; description "N2 proxy port number"; } } // container n2-proxy list plmn { key "name"; ordered-by user; description "AGF public land mobile network"; leaf name { type string { length "1 .. 80"; } description "Public land mobile network name"; } uses apply-advanced; leaf mcc { type string { junos:posix-pattern "^[0-9]{3,3}$"; junos:pattern-message "valid number must consist of 3 digits"; } description "Mobile country code"; } leaf mnc { type string { junos:posix-pattern "^[0-9]{2,3}$"; junos:pattern-message "valid number must consist of 2 or 3 digits"; } description "Mobile network code"; } } // list plmn list tracking-area { key "name"; ordered-by user; description "Tracking area"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16777215"; } } description "Tracking area code"; } uses apply-advanced; list plmn { key "name"; max-elements 1; ordered-by user; description "Public land mobile network"; leaf name { junos:must "("services agf plmn $$")"; junos:must-message "Referenced plmn must be defined"; type string { length "1 .. 
80"; } description "Public land mobile network name"; } uses apply-advanced; list s-nssai { key "name"; ordered-by user; description "Single network slice selection assistance information"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 128"; } } description "Single network slice selection assistance information identifier"; } uses apply-advanced; leaf sst { type enumeration { enum "embb" { value 0; description "Enhanced mobile broadband slice"; } enum "urllc" { value 1; description "Ultra-reliable, low latency communications"; } enum "miot" { value 2; description "Massive IoT"; } enum "v2x" { value 3; description "V2X services"; } } description "Slice service type"; } leaf sd { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16777215"; } } default "0"; description "Selection differentiator"; } } // list s-nssai } // list plmn } // list tracking-area list amf { key "name"; max-elements 256; ordered-by user; description "AGF access and mobility management function"; leaf name { type string { length "1 .. 80"; } description "AMF name"; } uses apply-advanced; leaf node-id { junos:must "(unique "amf <*> node-id $$")"; junos:must-message "Node ID has to be unique among all AMFs"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "AMF node identifier"; } leaf ip-address { type jt:ipv4addr; description "AMF ip address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
65535"; } } default "38412"; description "AMF port number"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance for AMF connectivity"; } list tracking-area { key "name"; ordered-by user; description "AMF tracking areas"; leaf name { junos:must "("services agf tracking-area $$")"; junos:must-message "Referenced tracking area code must be defined"; type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Tracking area code"; } uses apply-advanced; } // list tracking-area leaf default-amf { type empty; description "Configure a default AMF"; } leaf offline { type empty; description "Offline the AMF"; } } // list amf list user-planes { key "name"; ordered-by user; uses user-plane-object; } // list user-planes } // container agf container flow-collector { description "Configure options to control flow collector"; uses apply-advanced; leaf analyzer-address { type jt:ipv4addr; description "Analyzer IP address field override value"; } leaf analyzer-id { type string { length "1 .. 64"; } description "Analyzer ID field override value"; } leaf retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } default "0"; description "Transfer retry attempt count"; } leaf retry-delay { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60"; } } units "seconds"; default "0"; description "Delay between transfer retry attempts"; } list destinations { key "name"; ordered-by user; description "Configure destination for files"; uses collector_destinations_type; } // list destinations list file-specification { key "name"; description "File format specification"; uses file_specification_type; } // list file-specification container interface-map { presence "enable interface-map"; description "Input interface to Collector PIC mapping"; uses interface_map_type; } // container interface-map container transfer-log-archive { presence "enable transfer-log-archive"; description "Transfer log archive specification"; uses collector_transfer_log_archive_type; } // container transfer-log-archive } // container flow-collector container captive-portal { description "Captive Portal options"; uses juniper-services-captive-portal; } // container captive-portal container advanced-anti-malware { uses apply-advanced; container connection { presence "enable connection"; description "Cloud service RE connection, only for master logical domain"; uses apply-advanced; leaf url { junos:must "("services advanced-anti-malware connection authentication tls-profile")"; junos:must-message "Authentication profile must be defined"; type string; description "The url of the cloud server [https://<ip or hostname>:<port>]"; } container authentication { description "The authentication profile for using cloud services"; uses apply-advanced; leaf tls-profile { junos:must "(("services ssl initiation profile $$" && "services advanced-anti-malware connection url"))"; junos:must-message "Referenced SSL initiation profile and URL must be defined"; type string; description "TLS profile"; } } // container authentication leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined"; type string { length "1 .. 
63";
      }
      description "Proxy profile";
    }
    // Source address and interface used for the connection to the cloud
    // server (per the descriptions).
    leaf source-address {
      type jt:ipaddr;
      description "The source ip for connecting to the cloud server.";
    }
    leaf source-interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "The source interface for connecting to the cloud server";
    }
  } // container connection
  // Default Advanced Anti-malware policy. This is a presence container, so
  // configuring it at all is what enables it.
  container default-policy {
    presence "enable default-policy";
    description "Advanced Anti-malware default policy";
    uses apply-advanced;
    container http {
      description "Configure HTTP options";
      uses apply-advanced;
      leaf inspection-profile {
        type string {
          length "1 .. 63";
        }
        description "Advanced Anti-malware inspection-profile name (default:default_profile)";
      }
      // Action for content whose verdict is unknown.
      // NOTE(review): no 'default' statement is declared, so what happens
      // when this leaf is unset is not visible in the schema. Set it
      // explicitly; "permit" lets unclassified content through.
      leaf file-verdict-unknown {
        type enumeration {
          enum "permit" { value 0; description "Allow contents"; }
          enum "block" { value 1; description "Disallow contents"; }
        }
        description "Action taken for contents with verdict unknown";
      }
      // Action for content whose verdict meets the threshold. Like the leaf
      // above it has no declared default, so configure it explicitly.
      leaf action {
        type enumeration {
          enum "permit" { value 0; description "Allow contents"; }
          enum "block" { value 1; description "Disallow contents"; }
        }
        description "Action taken for contents with verdict meet threshold";
      }
      container client-notify {
        description "Notification action taken for contents with verdict meet threshold";
        uses apply-advanced;
        // Exactly one notification style can be configured: a response file,
        // an inline message, or a redirect.
        choice http-choice {
          leaf file {
            type string {
              length "1 .. 255";
            }
            description "File name for http response to client";
          }
          leaf message {
            type string {
              length "1 .. 1023";
            }
            description "Block message to client";
          }
          leaf redirect-url {
            type string {
              // NOTE(review): only the scheme prefix is checked; everything
              // after "http(s)://" is unconstrained up to the length limit,
              // and plain http is accepted. Clients are redirected here when
              // content is acted on, so prefer an https URL on a host you
              // control.
              junos:posix-pattern "^https?://.*";
              junos:pattern-message "URL must begin with http:// or https://";
              length "1 .. 
1023"; } description "Redirect url to client"; } } // choice http-choice } // container client-notify container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container http container smtp { description "Configure SMTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smtp container imap { description "Configure IMAP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container imap container smb { description "Configure SMB options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smb leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } leaf inspection-profile { type string { length "1 .. 
63"; } status deprecated; description "Advanced Anti-malware inspection-profile name"; }
// ^ Tail of a deprecated inspection-profile leaf whose opening is on the previous line.

// fallback-options: what the Advanced Anti-malware policy does with content when an
// abnormal condition occurs. A generic action/notification pair comes first, then one
// container per condition, each with its own action leaf and log switch.
// "permit" allows the content despite the abnormal condition (fail-open); "block"
// disallows it (fail-closed).
// NOTE(review): none of the action leaves in this container has a "default" statement,
// so the schema does not state what happens to content when a condition is left
// unconfigured, nor how the generic action relates to the per-condition ones
// (presumably the per-condition value wins; confirm against device behaviour).
container fallback-options {
  description "Fallback options for abnormal conditions";
  uses apply-advanced;
  // Generic fallback action.
  leaf action {
    type enumeration {
      enum "permit" { value 0; description "Allow contents"; }
      enum "block" { value 1; description "Disallow contents"; }
    }
    description "Action taken for fallback conditions";
  }
  // Logging is requested by the presence of the empty-typed "log" leaf. Without it
  // the schema records no request to log a fallback decision, so a fail-open event
  // may leave no audit trail (confirm device defaults).
  container notification {
    description "Notification action taken for fallback action";
    uses apply-advanced;
    leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
  } // container notification
  // Condition: the service is not ready yet.
  container service-not-ready {
    description "Service not ready yet";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container service-not-ready
  // Condition: content size outside the supported range. With "permit", oversized
  // (or otherwise out-of-range) content is allowed through on size alone.
  container invalid-content-size {
    description "Content size exceed supported range";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container invalid-content-size
  // Condition: the service is out of resources. With "permit", load on the service
  // translates directly into content being allowed, so this is the condition to
  // watch in logs when sizing the deployment.
  container out-of-resources {
    description "Service out of resources";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container out-of-resources
  // Condition: the verdict timed out.
  container verdict-timeout {
    description "Verdict timed out";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container verdict-timeout
  // Condition: the submission timed out.
  container submission-timeout {
    description "Submission timed out";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container submission-timeout
  // Condition: the file type is unknown.
  container unknown-file {
    description "File type unknown";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container unknown-file
} // 
container fallback-options container default-notification { description "Notification action taken for action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware action"; } } // container default-notification container whitelist-notification { description "Whitelist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware whitelist hit"; } } // container whitelist-notification container blacklist-notification { description "Blacklist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware blacklist hit"; } } // container blacklist-notification } // container default-policy list policy { key "name"; description "Advanced Anti-malware policy"; leaf name { type string { length "1 .. 63"; } description "Policy name, default policy must name (default-policy)"; } uses apply-advanced; container match { status deprecated; description "Policy match conditions"; uses apply-advanced; leaf application { type enumeration { enum "HTTP" { value 0; description "HTTP Traffic"; } } description "Application"; } leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } } // 
container match
// ^ These two words are the tail of the "} //" end-of-block comment that ends the
//   previous line; they are not a new statement.

// Deprecated "then" clause of an Advanced Anti-malware policy. The junos:must ties it
// to a sibling "match" container: "then" cannot be configured on its own.
container then {
  junos:must "(".. match")";
  junos:must-message "match must be defined";
  status deprecated;
  uses apply-advanced;
  // Action for content whose verdict meets the threshold; no "default" statement is given.
  leaf action {
    type enumeration {
      enum "permit" { value 0; description "Allow contents"; }
      enum "block" { value 1; description "Disallow contents"; }
    }
    description "Action taken for contents with verdict meet threshold";
  }
  container notification {
    description "Notification action taken for contents with verdict meet threshold";
    uses apply-advanced;
    leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; }
  } // container notification
} // container then
// HTTP-specific Advanced Anti-malware options of the policy.
container http {
  description "Configure HTTP options";
  uses apply-advanced;
  leaf inspection-profile {
    type string { length "1 .. 63"; }
    description "Advanced Anti-malware inspection-profile name (default:default_profile)";
  }
  // Action for content whose verdict is unknown. "permit" allows content that was not
  // classified, so it is the fail-open setting for this case.
  // NOTE(review): no "default" statement; the schema does not say what an unset leaf means.
  leaf file-verdict-unknown {
    type enumeration {
      enum "permit" { value 0; description "Allow contents"; }
      enum "block" { value 1; description "Disallow contents"; }
    }
    description "Action taken for contents with verdict unknown";
  }
  // Action for content whose verdict meets the threshold.
  leaf action {
    type enumeration {
      enum "permit" { value 0; description "Allow contents"; }
      enum "block" { value 1; description "Disallow contents"; }
    }
    description "Action taken for contents with verdict meet threshold";
  }
  // What the HTTP client is shown. The three leaves sit in one YANG choice, so at most
  // one of file / message / redirect-url can be configured.
  container client-notify {
    description "Notification action taken for contents with verdict meet threshold";
    uses apply-advanced;
    choice http-choice {
      leaf file {
        type string { length "1 .. 255"; }
        description "File name for http response to client";
      }
      leaf message {
        type string { length "1 .. 1023"; }
        description "Block message to client";
      }
      // The posix-pattern checks the scheme prefix only: both http:// and https:// are
      // accepted and everything after it is unconstrained (".*").
      // NOTE(review): an http:// target sends the blocked user to a page fetched in
      // clear text; prefer an https:// URL on a host the organisation controls.
      leaf redirect-url {
        type string {
          junos:posix-pattern "^https?://.*";
          junos:pattern-message "URL must begin with http:// or https://";
          length "1 .. 
1023"; } description "Redirect url to client"; } } // choice http-choice } // container client-notify container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container http container smtp { description "Configure SMTP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container smtp container imap { description "Configure IMAP options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification } // container imap container smb { description "Configure SMB options"; uses apply-advanced; leaf inspection-profile { type string { length "1 .. 
63"; } description "Advanced Anti-malware inspection-profile name (default:default_profile)"; } container notification { description "Notification action taken for contents with verdict meet threshold"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware actions"; } } // container notification leaf action { type enumeration { enum "permit" { value 0; description "Allow contents"; } enum "block" { value 1; description "Disallow contents"; } } description "Action taken for contents with verdict meet threshold"; } } // container smb leaf verdict-threshold { type enumeration { enum "1" { value 0; description "Verdict-threshold level 1"; } enum "2" { value 1; description "Verdict-threshold level 2"; } enum "3" { value 2; description "Verdict-threshold level 3"; } enum "4" { value 3; description "Verdict-threshold level 4"; } enum "5" { value 4; description "Verdict-threshold level 5"; } enum "6" { value 5; description "Verdict-threshold level 6"; } enum "7" { value 6; description "Verdict-threshold level 7"; } enum "8" { value 7; description "Verdict-threshold level 8"; } enum "9" { value 8; description "Verdict-threshold level 9"; } enum "10" { value 9; description "Verdict-threshold level 10"; } enum "recommended" { value 10; description "Recommended verdict-threshold"; } } description "Verdict threshold"; } leaf inspection-profile { type string { length "1 .. 
63"; } status deprecated; description "Advanced Anti-malware inspection-profile name"; }
// ^ Tail of a deprecated inspection-profile leaf whose opening is on the previous line.

// Fallback behaviour of an Advanced Anti-malware policy entry: one generic
// action/notification pair plus a container for each abnormal condition
// (service-not-ready, invalid-content-size, out-of-resources, verdict-timeout,
// submission-timeout, unknown-file).
// Every action leaf offers the same two values: "permit" (allow the content, i.e.
// fail-open) and "block" (disallow it, i.e. fail-closed).
// NOTE(review): no action leaf here declares a "default", so the outcome for an
// unconfigured condition cannot be read from this schema; verify it on the device
// and set each condition explicitly where the policy must fail closed.
container fallback-options {
  description "Fallback options for abnormal conditions";
  uses apply-advanced;
  // Generic fallback action (relationship to the per-condition actions below is not
  // expressed in the schema; presumably they take precedence, confirm).
  leaf action {
    type enumeration {
      enum "permit" { value 0; description "Allow contents"; }
      enum "block" { value 1; description "Disallow contents"; }
    }
    description "Action taken for fallback conditions";
  }
  // "log" is an empty-typed leaf: its presence is the request to log the fallback action.
  container notification {
    description "Notification action taken for fallback action";
    uses apply-advanced;
    leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
  } // container notification
  // Service not ready yet.
  container service-not-ready {
    description "Service not ready yet";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container service-not-ready
  // Content size outside the supported range.
  container invalid-content-size {
    description "Content size exceed supported range";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container invalid-content-size
  // Service out of resources.
  container out-of-resources {
    description "Service out of resources";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container out-of-resources
  // Verdict timed out.
  container verdict-timeout {
    description "Verdict timed out";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container verdict-timeout
  // Submission timed out.
  container submission-timeout {
    description "Submission timed out";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container submission-timeout
  // File type unknown.
  container unknown-file {
    description "File type unknown";
    uses apply-advanced;
    leaf action {
      type enumeration {
        enum "permit" { value 0; description "Allow contents"; }
        enum "block" { value 1; description "Disallow contents"; }
      }
      description "Action taken for fallback conditions";
    }
    container notification {
      description "Notification action taken for fallback action";
      uses apply-advanced;
      leaf log { type empty; description "Logging option for Advanced Anti-malware fallback action"; }
    } // container notification
  } // container unknown-file
} // 
container fallback-options container default-notification { description "Notification action taken for action"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware action"; } } // container default-notification container whitelist-notification { description "Whitelist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware whitelist hit"; } } // container whitelist-notification container blacklist-notification { description "Blacklist notification logging option"; uses apply-advanced; leaf log { type empty; description "Logging option for Advanced Anti-malware blacklist hit"; } } // container blacklist-notification } // list policy container traceoptions { description "Advanced Anti-malware trace options"; uses aamwd-traceoptions; } // container traceoptions } // container advanced-anti-malware container logging { description "Bulk logging configuration"; uses juniper-pic-services-logging-options; } // container logging container application-identification { presence "enable application-identification"; description "Application identification configuration"; uses apply-advanced; leaf enable-heuristics { type empty; status deprecated; description "Enable heuristic application identification"; } container enable-performance-mode { presence "enable enable-performance-mode"; status deprecated; description "Enable performance mode knobs for best DPI performance"; uses apply-advanced; leaf max-packet-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "2"; status deprecated; description "Max packet inspection threshold including both c2s ans s2c direction packets. Default value is 2 if not configured"; } } // container enable-performance-mode leaf imap-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
86400"; } } description "IMAP cache entry timeout in seconds"; }
// ^ Tail of the imap-cache-timeout leaf opened on the previous line.

// IMAP cache size. Per the description a new value only takes effect after the next
// application-signature package install.
// The string member of the union accepts "<...>" or a value beginning with "$",
// presumably Junos placeholder/variable syntax (confirm); the numeric member carries
// the real range.
leaf imap-cache-size {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "60 .. 512000"; }
  }
  description "IMAP cache size, it will be effective only after next appid sigpack install";
}
// Where and when the application-signature package is downloaded.
container download {
  uses apply-advanced;
  // The posix-pattern constrains only the scheme prefix: "file:", "http:" or "https:".
  // NOTE(review): "http:" is accepted, so the schema permits fetching the package
  // without transport protection. Whether the package is authenticated by other
  // means (for example a signature check on install) is not visible in this module.
  // Prefer an https URL and flag http/file sources when auditing configurations.
  leaf url {
    type string {
      junos:posix-pattern "^((file)|(http)|(https)):";
      junos:pattern-message "URL starts with http, https or file";
    }
    description "URL for application package download";
  }
  // Presence leaf. Per its description, configuring it disables server authentication
  // for the signature download, so the origin of the package is no longer verified by
  // that check. Treat its presence in a running configuration as an audit finding
  // unless an exception is documented.
  // (The typo "Applicaton" is part of the schema string and is left unchanged.)
  leaf ignore-server-validation {
    type empty;
    description "Disable server authentication for Applicaton Signature download";
  }
  // Scheduled download: start time plus a repeat interval.
  container automatic {
    description "Scheduled download and update";
    uses apply-advanced;
    // Two accepted layouts: YYYY-MM-DD.hh:mm:ss or MM-DD.hh:mm. The pattern checks each
    // field's numeric range only, not calendar validity (a constructed value such as
    // "02-31.10:00" matches).
    leaf start-time {
      type string {
        junos:posix-pattern "^((([0-9][0-9][0-9][0-9])[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])[:]([0-5][0-9]))|((0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])))$";
        junos:pattern-message "Invalid date; format is either MM-DD.hh:mm or YYYY-MM-DD.hh:mm:ss";
      }
      description "Start time(MM-DD.hh:mm / YYYY-MM-DD.hh:mm:ss)";
    }
    // Repeat interval in hours: 6 to 720, default 24.
    leaf interval {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "6 .. 720"; }
      }
      units "hours";
      default "24";
      description "Attempt to download new application package";
    }
  } // container automatic
  // Name of the web proxy profile used for the download. The junos:must requires that
  // a "services proxy profile" with this name is configured.
  leaf proxy-profile {
    junos:must "("services proxy profile $$")";
    junos:must-message "proxy profile must be defined";
    type string { length "1 .. 128"; }
    description "Configure web proxy for Application signature download";
  }
} // container download
// Application statistics collection; the interval leaf continues on the next line.
container statistics {
  description "Configure application statistics information";
  leaf interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 
1440"; } } units "minutes"; default "1"; description "Application statistics collection interval"; } } // container statistics container nested-application-settings { presence "enable nested-application-settings"; status deprecated; description "Nested application settings"; uses apply-advanced; leaf no-nested-application { type empty; description "Disable nested application identification"; } leaf no-application-system-cache { type empty; description "Not to save nested AI match in application system cache"; } } // container nested-application-settings leaf no-application-identification { type empty; status deprecated; description "Disable all application identification methods"; } leaf no-signature-based { type empty; status deprecated; description "Disable signature based method"; } leaf no-protocol-based { type empty; status deprecated; description "Disable protocol based method"; } leaf signature-method-all-ports { type empty; status deprecated; description "Use signature-method on all(including well-known) ports"; } leaf no-clear-application-system-cache { type empty; status deprecated; description "Disable clearing application system cache"; } leaf no-application-system-cache { type empty; description "Disable storing AI result in application system cache"; } leaf no-application-statistics { type empty; description "Disable application statistics"; } leaf max-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 500000"; } } status deprecated; description "Max sessions that can run AI at the same time"; } leaf application-system-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1000000"; } } description "Application system cache entry lifetime"; }
// ^ Tail of the application-system-cache-timeout leaf opened on the previous line.

// Application system cache (ASC) switches. The container is a presence container;
// the two empty-typed leaves turn ASC on for security services and off for
// miscellaneous services respectively (per their descriptions).
// NOTE(review): with security-services set, the features named in the description
// (appfw, appqos, idp, skyatp) presumably act on cached identification results
// rather than a fresh classification; confirm, and weigh that against the cache
// lifetime before enabling it on enforcement paths.
container application-system-cache {
  presence "enable application-system-cache";
  description "Enable or Disable application system cache";
  uses apply-advanced;
  leaf security-services {
    type empty;
    description "Enable ASC for security services (appfw, appqos, idp, skyatp..)";
  }
  leaf no-miscellaneous-services {
    type empty;
    description "Disable ASC for miscellaneous services APBR,...";
  }
} // container application-system-cache
// Presence leaf enabling micro-application identification.
// (The typo "identifcation" is part of the schema string and is left unchanged.)
leaf micro-apps {
  type empty;
  description "Enable Micro Apps identifcation";
}
// Classification stops after this many transaction finals (0 to 25).
leaf max-transactions {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint16 { range "0 .. 25"; }
  }
  description "Number of transaction finals to terminate application classification";
}
// Upper bound on bytes scanned to identify a custom application (1 to 100000).
// Content that only becomes distinctive beyond this limit is, per the description,
// outside what is scanned, so the value is a detection-coverage trade-off.
leaf custom-application-byte-limit {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 100000"; }
  }
  description "Max bytes to be scanned for identification of custom application";
}
// Object cache memory ceiling in MB (1 to 200000).
leaf max-memory {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "1 .. 200000"; }
  }
  description "Maximum amount of object cache memory JDPI can use (in MB)";
}
// Deprecated inspection byte limit (0 to 100000).
leaf max-checked-bytes {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "0 .. 100000"; }
  }
  status deprecated;
  description "Inspect the maximal number of bytes";
}
// Custom application definitions, keyed by name. The junos:must requires every entry
// to contain at least one of icmp-mapping, ip-protocol-mapping, address-mapping,
// over or signature.
list application {
  junos:must "((any ". <*> icmp-mapping" || (any ". <*> ip-protocol-mapping" || (any ". <*> address-mapping" || (any ". <*> over" || any ". <*> signature")))))";
  junos:must-message "All applications must have either icmp-mapping or ip-protocol-mapping or address-mapping or over or signature object ";
  key "name";
  description "Configure application definition";
  leaf name {
    type string {
      length "1 .. 
63"; } description "A unique application identifier"; } uses apply-advanced; leaf type { junos:must "(unique "services application-identification application <*> type $$")"; junos:must-message "Application type has to be unique among all applications"; type string { length "1 .. 63"; } description "Well-known application such as HTTP and FTP"; } leaf index { junos:must "(unique "services application-identification application <*> index $$")"; junos:must-message "Application index has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } list tags { key "name"; max-elements 3; ordered-by user; description "Application tags eg. risk factors, technology, traffic type"; leaf name { type string; description "General information about the application type"; } uses apply-advanced; leaf value { type string; description "Value"; } } // list tags leaf session-timeout { type enumeration { enum "0" { value 0; status deprecated; description "No session timeout"; } enum "30" { value 1; status deprecated; description "30 seconds"; } enum "60" { value 2; status deprecated; description "60 seconds"; } enum "1800" { value 3; status deprecated; description "1800 seconds"; } enum "3600" { value 4; status deprecated; description "3600 seconds"; } enum "43200" { value 5; status deprecated; description "43200 seconds (12 hours)"; } enum "86400" { value 6; status deprecated; description "86400 seconds (1 day)"; } enum "2592000" { value 7; status deprecated; description "2592000 seconds (30 days)"; } } default "86400"; status deprecated; description "Lifetime of a session"; } leaf idle-timeout { type enumeration { enum "0" { value 0; status deprecated; description "No idle timeout"; } enum "5" { value 1; status deprecated; description "5 seconds"; } enum "15" { value 2; status deprecated; description "15 seconds"; } enum "30" { value 3; 
status deprecated; description "30 seconds"; } enum "60" { value 4; status deprecated; description "60 seconds"; } enum "1800" { value 5; status deprecated; description "1800 seconds"; } enum "3600" { value 6; status deprecated; description "3600 seconds"; } } default "30"; status deprecated; description "Remove the session if no packets"; } container type-of-service { status deprecated; description "Type of service"; uses apply-advanced; leaf minimize-delay { type empty; description "Requires minimal delay in packet transmission"; } leaf maximize-throughput { type empty; description "Requires maximal throughput in packet transmission"; } leaf maximize-reliability { type empty; description "Requires maximal reliability in packet transmission"; } leaf minimize-monetary-cost { type empty; description "Requires minimal monetary cost in packet transmission"; } } // container type-of-service leaf disable { type empty; status deprecated; description "Disable this application definition in AI"; } leaf cacheable { type empty; description "Cacheable"; } leaf risk { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } description "Risk/Hotness of application"; } leaf description { type string { junos:posix-pattern "^.{1,255}$"; junos:pattern-message "Must be a string of 255 characters or less"; } description "Text description of application"; } leaf priority { type enumeration { enum "high" { value 0; description "Highest priority over all other signatures"; } enum "low" { value 1; description "Lowest priority over all other signatures"; } } default "low"; description "Application matching priority"; } leaf order { junos:must "(unique "services application-identification application <*> order $$")"; junos:must-message "Application order has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
50000"; } } description "The order value, lower the value higher the priority"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } status deprecated; description "Maximum number of transactions matched by AI"; } leaf alt-name { type string { junos:posix-pattern "^.{1,255}$"; junos:pattern-message "Must be a string of 255 characters or less"; } description "Alt name for the application"; } leaf compatibility { type string { junos:posix-pattern "^.{1,255}$"; junos:pattern-message "Must be a string of 255 characters or less"; } description "Juniper compatibility version"; } container port-mapping { status deprecated; uses apply-advanced; container icmp { description "Match ICMP message"; uses apply-advanced; leaf type { junos:must "(unique "services application-identification application <*> port-mapping icmp type $$")"; junos:must-message "Icmp type has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric type value (0 .. 254)"; } leaf code { junos:must "(".. type")"; junos:must-message "Icmp type must be configured"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric code value (0 .. 254)"; } } // container icmp leaf protocol { junos:must "(unique "services application-identification application <*> port-mapping protocol $$")"; junos:must-message "Protocol has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric protocol value (0 .. 
254)"; } container port-range { description "Used by port-based AI method"; uses apply-advanced; leaf-list tcp { type string; max-elements 64; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 64; ordered-by user; description "UDP port range"; } } // container port-range leaf disable { type empty; description "Disable port-based method for this application"; } } // container port-mapping container icmp-mapping { description "Match ICMP message"; uses apply-advanced; leaf type { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric type value"; } leaf code { junos:must "(".. type")"; junos:must-message "ICMP type must be configured"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric code value"; } leaf order { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } status deprecated; description "The Order value"; } leaf order-priority { type enumeration { enum "high" { value 0; status deprecated; description "Highest priority over all other signatures"; } enum "low" { value 1; status deprecated; description "Lowest priority over all other signatures"; } } default "high"; status deprecated; description "Application matching priority"; } } // container icmp-mapping container ip-protocol-mapping { description "Match IP protocol"; uses apply-advanced; leaf protocol { junos:must "(unique "services application-identification application <*> ip-protocol-mapping protocol $$")"; junos:must-message "Protocol has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric protocol value"; } leaf order { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
65535"; } } status deprecated; description "The Order value"; } leaf order-priority { type enumeration { enum "high" { value 0; status deprecated; description "Highest priority over all other signatures"; } enum "low" { value 1; status deprecated; description "Lowest priority over all other signatures"; } } default "high"; status deprecated; description "Application matching priority"; } } // container ip-protocol-mapping list address-mapping { key "name"; ordered-by user; description "Match IP address"; leaf name { type string { length "1 .. 63"; } description "Address name"; } uses apply-advanced; container filter { description "Match IP/port"; uses apply-advanced; leaf ip { type jt:ipprefix; description "IP address and prefix-length"; } container port-range { description "Port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 20; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 20; ordered-by user; description "UDP port range"; } } // container port-range } // container filter container source { junos:must "((any ". ip <*>" || any ". wildcard-address <*>"))"; junos:must-message "Source must have either ip/prefix or wildcard address"; description "Match IP source address"; uses apply-advanced; leaf ip { type jt:ipprefix; description "IP address and prefix-length"; } container wildcard-address { description "IP wildcard address and mask"; leaf address { type jt:ipaddr; description "IP wildcard address"; } leaf wildcard-mask { type jt:ipaddr; description "IP wildcard address mask"; } } // container wildcard-address container port-range { description "IP port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 64; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 64; ordered-by user; description "UDP port range"; } } // container port-range } // container source container destination { junos:must "((any ". ip <*>" || any ". 
wildcard-address <*>"))"; junos:must-message "Destination must have either ip/prefix or wildcard address"; description "Match IP destination address"; uses apply-advanced; leaf ip { type jt:ipprefix; description "IP address and prefix-length"; } container wildcard-address { description "IP wildcard address and mask"; leaf address { type jt:ipaddr; description "IP wildcard address"; } leaf wildcard-mask { type jt:ipaddr; description "IP wildcard address mask"; } } // container wildcard-address container port-range { description "IP port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 64; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 64; ordered-by user; description "UDP port range"; } } // container port-range } // container destination leaf order { junos:must "(unique "services application-identification application <*> address-mapping <*> order $$")"; junos:must-message "Address mapping order must be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } status deprecated; description "Application matching priority"; } leaf order-priority { type enumeration { enum "high" { value 0; status deprecated; description "Highest priority over all other signatures"; } enum "low" { value 1; status deprecated; description "Lowest priority over all other signatures"; } } default "high"; status deprecated; description "Application matching priority"; } } // list address-mapping list over { key "name"; max-elements 8; description "Set of L4/L7 application that carries given application"; leaf name { type string { length "1 .. 
63"; } description "A unique application and protocol identifier"; }
// ^ Tail of the name leaf of "list over", opened on the previous line.
uses apply-advanced;
// Deprecated: carrier protocol of the application (every enum value is deprecated too).
// (The doubled word in "over over udp" is part of the schema string and left unchanged.)
leaf protocol {
  type enumeration {
    enum "http" { value 0; status deprecated; description "Application over http protocol"; }
    enum "ssl" { value 1; status deprecated; description "Application over ssl protocol"; }
    enum "udp" { value 2; status deprecated; description "Application over over udp protocol"; }
    enum "tcp" { value 3; status deprecated; description "Application over tcp protocol"; }
  }
  status deprecated;
  description "Application protocol";
}
// Presence leaf: member order is significant for matching.
leaf chain-order {
  type empty;
  description "The order of members is used to match the pattern";
}
// Deprecated matching priority, default "high".
leaf order-priority {
  type enumeration {
    enum "high" { value 0; status deprecated; description "Highest priority over all other signatures"; }
    enum "low" { value 1; status deprecated; description "Lowest priority over all other signatures"; }
  }
  default "high";
  status deprecated;
  description "Application matching priority";
}
// Deprecated order value (0 to 65535).
leaf order {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint16 { range "0 .. 65535"; }
  }
  status deprecated;
  description "The order value";
}
// Deprecated port restriction. tcp and udp are mutually exclusive (each junos:must
// rejects the other). Entries are plain strings: the port-range syntax is not
// validated by this schema, so consumers must parse and bound-check the values.
container port-range {
  status deprecated;
  description "Apply signature to packets sent to this port range";
  uses apply-advanced;
  leaf-list tcp {
    junos:must "(!(".. udp"))";
    junos:must-message "udp cannot be specified with tcp";
    type string;
    max-elements 64;
    ordered-by user;
    description "TCP port range";
  }
  leaf-list udp {
    junos:must "(!(".. tcp"))";
    junos:must-message "tcp cannot be specified with udp";
    type string;
    max-elements 64;
    ordered-by user;
    description "UDP port range";
  }
} // container port-range
// Deprecated signature members, at most 4 entries.
list member {
  key "name";
  max-elements 4;
  status deprecated;
  description "Pattern matched on client-to-server packets";
  // NOTE(review): the posix-pattern is anchored at the start only (no "$"), while the
  // length allows up to 63 characters. If junos:posix-pattern is a search rather than
  // a full match, a constructed name such as "m01-extra" passes although the message
  // promises m01 - m16. Tools that consume this key should not assume it is exactly
  // three characters. The list also caps at 4 entries although 16 names are nameable.
  leaf name {
    type string {
      junos:posix-pattern "^m(0[1-9]|1[0-6])";
      junos:pattern-message "Must be m01 - m16";
      length "1 .. 63";
    }
    description "A unique application signature member identifier. Must be m01 ..m16";
  }
  uses apply-advanced;
  leaf context {
    type string;
    description "Context to be matched on";
  }
  // Match pattern as a free-form string: no length or syntax restriction is declared
  // on this deprecated leaf.
  leaf pattern {
    type string;
    description "Pattern matched on context";
  }
  leaf direction {
    type enumeration {
      enum "client-to-server" { value 0; description "Client to server"; }
      enum "server-to-client" { value 1; description "Server to client"; }
      enum "any" { value 2; description "Any direction"; }
    }
    description "Connection direction of the packets to apply pattern matching";
  }
  // Bytes inspected for a stream context: 1 to 5000, default 1000.
  leaf check-bytes {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 5000"; }
    }
    default "1000";
    description "Maximum number of bytes to check for stream context ";
  }
} // list member
// Current signature definitions for pattern matching, keyed by name.
list signature {
  key "name";
  description "Application signature for pattern matching";
  leaf name {
    type string { length "1 .. 63"; }
    description "A unique application signature identifier";
  }
  uses apply-advanced;
  // Up to 64 port-range strings; the range syntax is not validated by the schema.
  leaf-list port-range {
    type string;
    max-elements 64;
    ordered-by user;
    description "Port range";
  }
  list member {
    key "name";
    description "Application signature member";
    // NOTE(review): as with the deprecated member list, the pattern has no end anchor
    // and the length allows 63 characters, so the m01 - m15 naming promised by the
    // message may not be strictly enforced; confirm the matching semantics.
    leaf name {
      type string {
        junos:posix-pattern "^m(0[1-9]|1[0-5])";
        junos:pattern-message "Must be m01 - m15";
        length "1 .. 63";
      }
      description "Application signature member identifier in range m01 - m15";
    }
    uses apply-advanced;
    leaf depth {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 
8000"; } } description "Maximum number of bytes to check for context match"; } leaf context { type string; description "Context to be matched on"; } leaf pattern { type string { junos:posix-pattern "^.{1,127}$"; junos:pattern-message "Must be a string of 127 characters or less"; } description "DFA pattern matched on context"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the packets to apply pattern matching"; } } // list member } // list signature } // list over } // list application list nested-application { key "name"; status deprecated; description "Configure nested application definition"; leaf name { type string { length "1 .. 63"; } description "A unique application identifier"; } uses apply-advanced; leaf type { junos:must "(unique "services application-identification nested-application <*> type $$")"; junos:must-message "Nested application type has to be unique among all nested applications"; type string { length "1 .. 63"; } description "Well-known application such as FACEBOOK and KAZZA"; } leaf index { junos:must "(!(any "services application-identification application <*> index $$"))"; junos:must-message "Nested application index has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> index $$")"; junos:must-message "Nested application index has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } leaf protocol { type string { length "1 .. 
63"; }
  description "Name of layer 7 application that carries nested application";
}
// Signatures of a nested application. Each entry is keyed by a name that the
// junos:must constraint requires to be unique across all nested applications.
list signature {
  key "name";
  description "Nested application signature for pattern matching";
  leaf name {
    junos:must "(unique "services application-identification nested-application <*> signature $$")";
    junos:must-message "Nested application signature name has to be unique among all nested applications";
    type string { length "1 .. 63"; }
    description "A unique nested application signature identifier";
  }
  uses apply-advanced;
  // Members of one signature: a context, a pattern, a direction and a byte budget.
  // NOTE(review): the list description says "client-to-server packets", yet the
  // direction leaf below also admits server-to-client and any.
  list member {
    key "name";
    description "Pattern matched on client-to-server packets";
    leaf name {
      type string {
        // NOTE(review): this expression has no trailing '$', while other name
        // patterns in this module end in '$'. If matching is not implicitly
        // anchored, a longer name that merely starts with m01..m16 would pass,
        // and the 1..63 length bound would not stop it - confirm.
        junos:posix-pattern "^m(0[1-9]|1[0-6])";
        junos:pattern-message "Must be m01 - m16";
        length "1 .. 63";
      }
      description "A unique nested application signature member identifier";
    }
    uses apply-advanced;
    leaf context { type string; description "Context to be matched on"; }
    // Unconstrained string: this schema puts no length or syntax limit on the pattern.
    leaf pattern { type string; description "Pattern matched on context"; }
    leaf direction {
      type enumeration {
        enum "client-to-server" { value 0; description "Client to server"; }
        enum "server-to-client" { value 1; description "Server to client"; }
        enum "any" { value 2; description "Any direction"; }
      }
      description "Connection direction of the packets to apply pattern matching";
    }
    // Bytes examined for a stream-context match. The union is valid if either
    // branch matches, so the numeric bound applies only to the numeric branch.
    leaf check-bytes {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 
5000"; } } default "1000"; description "Maximum number of bytes to check for stream context "; } } // list member leaf chain-order { type empty; description "The order of members is used to match the pattern"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Maximum number of transactions matched by AI"; } leaf order { junos:must "(!(any "services application-identification application <*> signature order $$"))"; junos:must-message "Nested application order has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> signature <*> order $$")"; junos:must-message "Nested application order has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } status deprecated; description "Application matching priority"; } container insert-before { description "Insert before another signature"; uses apply-advanced; leaf insert-before-name { type string; description "An application name"; } } // container insert-before } // list signature } // list nested-application list application-group { key "name"; description "Define application group"; leaf name { type string { length "1 .. 63"; } description "A unique application group identifier"; } uses apply-advanced; list tag-group { key "name"; description "Configure application tag group that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "A unique tag group identifier"; } uses apply-advanced; leaf-list application-tags { type string; max-elements 128; ordered-by user; description "Name of application tag to configure"; } } // list tag-group list application-groups { key "name"; description "Configure child application group(s)"; leaf name { type string { length "1 .. 
63"; } description "Name of the child application group"; } uses apply-advanced; } // list application-groups list applications { key "name"; description "Configure applications that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "Configure application name"; } uses apply-advanced; } // list applications leaf disable { type empty; status deprecated; description "Disable this application group definition in AI"; } } // list application-group list rule { key "name"; ordered-by user; status deprecated; description "One or more application rules for address-based method AI"; leaf name { type string { length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf application-name { type string { length "1 .. 63"; } description "Name of application that is target of this rule"; } list address { junos:must "((any ". <*> source" || any ". <*> destination"))"; junos:must-message "All addresses must have either source or destination or both"; key "name"; ordered-by user; description "Configure one of more addresses"; leaf name { type string; description "Address name"; } uses apply-advanced; container source { description "Match IP source address"; uses apply-advanced; leaf ip { type jt:ipv4prefix; description "IP address and prefix-length"; } container port-range { description "IP port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 64; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 64; ordered-by user; description "UDP port range"; } } // container port-range } // container source container destination { description "Match IP destination address"; uses apply-advanced; leaf ip { type jt:ipv4prefix; description "IP address and prefix-length"; } container port-range { description "IP port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 64; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 
64; ordered-by user; description "UDP port range"; } } // container port-range } // container destination leaf order { junos:must "(unique "services application-identification rule <*> address <*> order $$")"; junos:must-message "Address order has to be unique among all rules"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Application matching priority"; } } // list address } // list rule list rule-set { key "name"; ordered-by user; status deprecated; description "One or more application rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services application-identification rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set list profile { key "name"; ordered-by user; description "One or more application rule-sets"; leaf name { type string { length "1 .. 63"; } description "Profile name"; } uses apply-advanced; list rule-set { key "name"; ordered-by user; status deprecated; description "One or more rule-sets in the profile"; leaf name { junos:must "("services application-identification rule-set $$")"; junos:must-message "rule set must be configured"; type string { length "1 .. 
63"; }
        description "Rule-set name";
      }
      uses apply-advanced;
    } // list rule-set
  } // list profile
  // Trace (debug log) settings for application identification: target file,
  // rotation count, file readability, a line filter, flags and a level.
  container traceoptions {
    description "Trace options for application identification";
    uses apply-advanced;
    // Accepted only when [system tracing] is configured (junos:must below).
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // Per the pattern message the value may not contain '/', '%' or a space,
      // so it is a bare file name (1..1024 characters), not a path.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      leaf size { type string; description "Maximum trace file size"; }
      // Number of rotated files kept: 2..1000 on the numeric branch, default 3.
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // Mutually exclusive readability switches for the trace file. The choice
      // declares no default, so the behaviour when neither is set is not
      // visible in this module.
      // NOTE(review): trace output may carry traffic-derived detail - confirm;
      // prefer no-world-readable unless unprivileged users must read the file.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    // Only one flag value, "all", is defined for this daemon.
    list flag {
      key "name";
      ordered-by user;
      description "Events and other information to include in trace output";
      leaf name {
        type enumeration {
          enum "all" { value 0; description "All events"; }
        }
        description "Flag name to include in trace output";
      }
    } // list flag
    // Trace level; the declared default is "error".
    leaf level {
      type enumeration {
        enum "error" { value 0; description "Match error conditions"; }
        enum "warning" { value 1; description "Match warning messages"; }
        enum "notice" { value 2; description "Match conditions that should be handled specially"; }
        enum "info" { value 3; description "Match informational messages"; }
        enum "verbose" { value 4; description "Match verbose messages"; }
        enum "all" { value 5; description "Match all levels"; }
      }
      default "error";
      description "Level of debugging output";
    }
  } // container traceoptions
  // Per-protocol byte and packet limits for AppID inspection. Every limit is a
  // plain uint32 with no range, so 0 and very large values are schema-valid.
  // NOTE(review): presumably traffic beyond a limit is no longer examined for
  // classification, so these values trade detection coverage against load -
  // confirm against the product documentation.
  container inspection-limit {
    description "Bytes and packets limit for AppID inspection.";
    uses apply-advanced;
    container tcp {
      presence "enable tcp";
      description "TCP byte/packet inspection limit.";
      uses apply-advanced;
      leaf byte-limit {
        type union {
          type uint32;
          type string { pattern "<.*>|$.*"; }
        }
        default "6000";
        description "TCP byte inspection limit. (Default 6000)";
      }
      // No default is declared for the TCP packet limit.
      leaf packet-limit {
        type union {
          type uint32;
          type string { pattern "<.*>|$.*"; }
        }
        description "TCP packet inspection limit.";
      }
    } // container tcp
    container udp {
      presence "enable udp";
      description "UDP byte/packet inspection limit.";
      uses apply-advanced;
      // No default is declared for the UDP byte limit.
      leaf byte-limit {
        type union {
          type uint32;
          type string { pattern "<.*>|$.*"; }
        }
        description "UDP byte inspection limit.";
      }
      leaf packet-limit {
        type union {
          type uint32;
          type string { pattern "<.*>|$.*"; }
        }
        default "10";
        description "UDP packet inspection limit. (Default 10)";
      }
    } // container udp
  } // container inspection-limit
  // Byte count after which AppID inspection is offloaded (default 10000, no range).
  leaf global-offload-byte-limit {
    type union {
      type uint32;
      type string { pattern "<.*>|$.*"; }
    }
    default "10000";
    description "Global byte limit to offload AppID inspection. (Default 10000)";
  }
  // Packet capture of unknown-application traffic.
  // NOTE(review): capture files hold packet payload and should be treated as
  // sensitive data. The per-session, file-count, storage and repetition limits
  // below bound how much is retained; none of them declares a default here.
  container packet-capture {
    description "To capture the unknown application traffic";
    uses apply-advanced;
    leaf global { type empty; description "Enable global capturing of application traffic"; }
    // Per its description this captures all traffic before classification, so
    // captures are presumably not limited to unknown applications - confirm.
    leaf aggressive-mode { type empty; description "This mode captures all traffic prior to AppID classification"; }
    // Described as a UDP per-session packet cap; max-bytes is the TCP counterpart.
    leaf max-packets {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 1000"; }
      }
      description "Maximum number of UDP packets per session";
    }
    leaf max-bytes {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "40 .. 1073741824"; }
      }
      units "bytes";
      description "Maximum number of TCP bytes per session";
    }
    leaf max-files {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 2500"; }
      }
      description "Maximum number of unique pcap files";
    }
    leaf no-inconclusive { type empty; description "Disable capturing of inconclusive traffic"; }
    // Free-form string: the schema does not constrain the value's syntax.
    leaf storage-limit { type string; units "bytes"; description "Maximum disk space"; }
    leaf buffer-packets-limit {
      type union {
        type uint64;
        type string { pattern "<.*>|$.*"; }
      }
      units "bytes";
      description "Maximum memory to buffer packets";
    }
    // Minutes, per the description; 525600 is the number of minutes in 365 days.
    leaf capture-interval {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 525600"; }
      }
      description "Timeout to avoid repetitive capture of same traffic (minutes)";
    }
    leaf capture-limit {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 1000"; }
      }
      description "Number of repetitive captures of same traffic";
    }
    leaf ssl-unknown { type empty; description "This mode captures all SSL unknown traffic"; }
  } // container packet-capture
  // Per the description, lets jdpi reclassify an l3l4 custom application while
  // ignoring results from other plugins.
  leaf l3l4-app-reclassification { type empty; description "Enable l3l4 custom app to be reclassified by jdpi ignoring results from other plugins"; }
} // container application-identification
// A named service set; the entries are kept in user-defined order.
list service-set {
  key "name";
  ordered-by user;
  description "Define a service set";
  // Name: first character alphanumeric, then alphanumerics and '/', '.', ':',
  // '_', '-'; 1..52 characters. The expression is anchored at both ends.
  leaf name {
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots.";
      length "1 .. 52";
    }
    description "Service set name";
  }
  uses apply-advanced;
  container syslog {
    description "Define system logging parameters";
    uses log-object;
  } // container syslog
  // Free-form string: the schema does not constrain the value to a number.
  leaf max-flows { type string; description "Maximum number of flows allowed for a service set"; }
  leaf hosted-service-identifier {
    type union {
      type string { pattern "<.*>|$.*"; }
      type int32 { range "1 .. 
63"; } } description "Service Set to Hosted service Map"; } leaf max-session-setup-rate { type string; description "Maximum number of session creations allowed per second"; } container max-drop-flows { description "Maximum number of drop flows allowed for a service-set"; uses apply-advanced; leaf ingress { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 8500000"; } } description "Maximum number of ingress drop flows allowed"; } leaf egress { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 8500000"; } } description "Maximum number of egress drop flows allowed"; } } // container max-drop-flows container snmp-trap-thresholds { presence "enable snmp-trap-thresholds"; description "Define snmp traps for service sets"; uses apply-advanced; container flow { junos:must "(".. .. max-flows")"; junos:must-message "Max flow must be set for configuring flow threshold"; presence "enable flow"; description "Flow Threshold range for a service set"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of flow threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of flow threshold"; } } // container flow container nat-address-port { presence "enable nat-address-port"; description "Nat Address and port usage trap threshold range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of trap threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of trap threshold"; } } // container nat-address-port container session { junos:must "(".. .. 
service-set-options session-limit")"; junos:must-message "Maximum session limit must be set for configuring session threshold"; presence "enable session"; description "Session threshold range for a service set"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of flow threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of flow threshold"; } } // container session } // container snmp-trap-thresholds leaf tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "536 .. 65535"; } } description "Enable the limit on TCP Max. Seg. Size in SYN packets"; } container cos-options { presence "enable cos-options"; description "Options for COS service"; uses apply-advanced; leaf match-rules-on-reverse-flow { type empty; description "If forward rules match fails, do it on reverse flow"; } } // container cos-options container softwire-options { presence "enable softwire-options"; description "Options for softwire"; uses apply-advanced; leaf dslite-ipv6-prefix-length { type enumeration { enum "56" { value 0; description "The ipv6 prefix length of 56"; } enum "64" { value 1; description "The ipv6 prefix length of 64"; } enum "96" { value 2; description "The ipv6 prefix length of 96"; } enum "128" { value 3; description "The ipv6 prefix length of 128"; } } default "128"; description "The ipv6 prefix length for subscriber addresses"; } } // container softwire-options container nat-options { description "Options for NAT"; uses apply-advanced; container stateful-nat64 { description "Options for stateful NAT64"; uses apply-advanced; leaf no-v6-frag-header { type empty; description "No fragmentation header in IPv6 header during IPv4 to IPv6 translation"; } leaf clear-dont-fragment-bit { type empty; description "Clear DF bit in IPv4 header if IPv6 packet size is less than 1280 
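bytes"; }
    // Path MTU for the IPv6 side; the numeric branch allows 1280..9192.
    leaf ipv6-mtu {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1280 .. 9192"; }
      }
      description "Path MTU of IPv6 network";
    }
    leaf disable-h323-ras { type empty; description "Disable H323 and RAS ALG for NAT64"; }
  } // container stateful-nat64
  container nptv6 {
    description "Options for NPTv6";
    uses apply-advanced;
    leaf icmpv6-error-messages { type empty; description "Send ICMP Error messages if NPTv6 address translation fails"; }
  } // container nptv6
  // Selects what the land-attack check compares: IP address only, or IP address
  // and port. No default is declared, so the check is presumably off unless
  // this leaf is set - confirm.
  leaf land-attack-check {
    type enumeration {
      enum "ip-only" { value 0; description "Land attack check is on IP address only"; }
      enum "ip-port" { value 1; description "Land attack check is on both IP and port"; }
    }
    description "Enable land attack checks";
  }
  // Per-subscriber session cap; 1..32000 on the numeric branch.
  leaf max-sessions-per-subscriber {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "1 .. 32000"; }
    }
    description "Limit the number of sessions per subscriber";
  }
  leaf snmp-value-match-msmic { type empty; description "Match the MSMIC specific snmp values for the msdpc"; }
} // container nat-options
// Behaviour switches, timeouts and limits for one service set. Several leaves
// decide whether traffic is dropped or forwarded when a check fails or a
// resource runs out; none of the type-empty leaves declares a default, so each
// applies only when configured.
container service-set-options {
  presence "enable service-set-options";
  description "Options for service set";
  uses apply-advanced;
  // Refuses to create a session when the first packet seen is not a SYN, either
  // silently or with a TCP RST. The tcp-session container below declares a
  // leaf with the same name; precedence between the two is not stated here.
  leaf tcp-non-syn {
    type enumeration {
      enum "drop-flow" { value 0; description "Drop tcp non SYN first packet"; }
      enum "drop-flow-send-rst" { value 1; description "Enable sending TCP RST on receiving first non SYN pkt"; }
    }
    description "Deny session creation on receiving first non SYN pkt";
  }
  // TCP Fast Open handling: strip the option and forward, or drop the packet.
  leaf tcp-fast-open {
    type enumeration {
      enum "disabled" { value 0; description "TFO option will be stripped and packet will be forwarded"; }
      enum "drop" { value 1; description "TFO enabled packets will be dropped"; }
    }
    description "Tcp-fast-Open enabled packets will be handled accordingly";
  }
  // NOTE(review): fail-open switch. Per its description traffic bypasses the
  // service when the service PIC fails; presumably it is then forwarded
  // without this service set's rules being applied - confirm, and enable only
  // where availability outweighs enforcement.
  leaf bypass-traffic-on-pic-failure { type empty; description "Bypass traffic on service PIC failure"; }
  // NOTE(review): fail-open on resource exhaustion. With this set, exceeding
  // the max flow limit leads to bypass rather than drop, so a flow-table
  // exhaustion condition would presumably mean unprocessed forwarding - confirm.
  leaf bypass-traffic-on-exceeding-flow-limits { type empty; description "Bypass traffic when exceeding the max flow limit"; }
  leaf enable-asymmetric-traffic-processing { type empty; description "Enable service-processing for asymmetric traffic"; }
  leaf subscriber-awareness { type empty; description "Enable subscriber awareness on the service chain"; }
  leaf static-subscriber-application { type empty; description "Enable static subscriber on the service set"; }
  // Header integrity checks; enable-all is the only switch this schema offers.
  container header-integrity-check {
    description "Enable/Disable header integrity checks";
    uses apply-advanced;
    leaf enable-all { type empty; description "Enable all header integrity checks"; }
  } // container header-integrity-check
  // Descriptive syslog for session OPEN and CLOSE events.
  leaf enable-descriptive-session-syslog { type empty; description "This knob enables descriptive session syslogs for OPEN and CLOSE"; }
  leaf enable-change-on-ams-redistribution { type empty; status deprecated; description "Allow NAT pool change on AMS redistribution"; }
  leaf routing-engine-services { type empty; description "Enable service-processing at RE"; }
  // Both timeouts below accept 4..86400 seconds on the numeric branch.
  leaf inactivity-non-tcp-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "4 .. 86400"; }
    }
    units "seconds";
    description "Inactivity timeout period for non-TCP established sessions";
  }
  leaf session-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "4 .. 86400"; }
    }
    units "seconds";
    description "Session timeout period for established sessions";
  }
  // Cap on simultaneous sessions. "maximum" is a free-form string, so the
  // schema itself does not restrict the value to a number.
  container session-limit {
    presence "enable session-limit";
    description "Session limit";
    uses apply-advanced;
    leaf maximum { type string; description "Maximum number of sessions allowed simultaneously"; }
  } // container session-limit
  leaf max-sessions-per-subscriber {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "1 .. 32000"; }
    }
    description "Limit the number of sessions per subscriber";
  }
  // TCP-specific session handling: MSS limit, keep-alives, handshake, idle and
  // teardown timers, error tolerance and first-packet policy.
  container tcp-session {
    presence "enable tcp-session";
    description "Transmission Control Protocol session configuration";
    uses apply-advanced;
    leaf tcp-mss {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "536 .. 65535"; }
      }
      description "Enable the limit on TCP Max. Seg. Size in SYN packets";
    }
    // Keep-alive packets for bi-directional flows: 0..30, default 4.
    leaf tcp-tickles {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint8 { range "0 .. 30"; }
      }
      default "4";
      description "Number of TCP keep-alive packets to be sent for bi-directional TCP flows";
    }
    // Time allowed for session establishment: 4..300 seconds. A shorter value
    // presumably frees state held by handshakes that never complete - confirm.
    leaf open-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "4 .. 300"; }
      }
      units "seconds";
      description "Timeout period for TCP session establishment";
    }
    leaf inactivity-tcp-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "4 .. 86400"; }
      }
      units "seconds";
      description "Inactivity timeout period for TCP established sessions";
    }
    leaf inactivity-asymm-tcp-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "4 .. 86400"; }
      }
      units "seconds";
      description "Inactivity timeout period for asymmetric TCP established sessions";
    }
    // NOTE(review): per the descriptions this makes the service set ignore TCP
    // protocol anomalies or errors, presumably relaxing TCP state validation.
    // Confirm which checks are skipped before enabling it.
    container ignore-errors {
      presence "enable ignore-errors";
      description "Ignore anomalies or errors";
      leaf tcp { type empty; description "TCP protocol errors"; }
    } // container ignore-errors
    // Time allowed for session tear-down: 2..300 seconds.
    leaf close-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "2 .. 300"; }
      }
      units "seconds";
      description "Timeout period for TCP session tear-down";
    }
    // Same two enumerations as the leaves of the same names declared directly
    // under service-set-options.
    leaf tcp-non-syn {
      type enumeration {
        enum "drop-flow" { value 0; description "Drop tcp non SYN first packet"; }
        enum "drop-flow-send-rst" { value 1; description "Enable sending TCP RST on receiving first non SYN pkt"; }
      }
      description "Deny session creation on receiving first non SYN pkt";
    }
    leaf tcp-fast-open {
      type enumeration {
        enum "disabled" { value 0; description "TFO option will be stripped and packet will be forwarded"; }
        enum "drop" { value 1; description "TFO enabled packets will be dropped"; }
      }
      description "Tcp-fast-Open enabled packets will be handled accordingly";
    }
  } // container tcp-session
  leaf enforce-global-timeout { type empty; description "Enforce global inactivity or session timeout"; }
  leaf unidirectional-session-refreshing {
    type enumeration {
      enum "input" { value 0; description "Enable unidirectional session refreshing on input"; }
      enum "output" { value 1; description "Enable unidirectional session refreshing on output"; }
    }
    description "Enable unidirectional session refreshing on this service-set";
  }
} // container service-set-options
// Replication of services to a peer; the threshold is 180..86400 seconds, default 180.
container replicate-services {
  description "Define services that will be replicated to peer.";
  uses apply-advanced;
  leaf replication-threshold {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "180 .. 86400"; }
    }
    default "180";
    description "Duration in seconds for which flow should remain active for replication. (Min 180s)";
  }
  leaf disable-replication-capability { type empty; description "Disable replication capability for this service-set"; }
} // container replicate-services
container allow-multicast {
  junos:must "(".. 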
next-hop-service")"; junos:must-message "Service-set must be nexthop style to use allow-multicast"; presence "enable allow-multicast"; description "Allow multicast packets"; uses apply-advanced; } // container allow-multicast choice softwire_choice { list softwire-rules { key "name"; ordered-by user; description "List of softwire rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwire-rules list softwire-rule-sets { key "name"; ordered-by user; description "List of softwire rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwire-rule-sets } // choice softwire_choice list softwires-rule-set { key "name"; ordered-by user; description "List of softwire rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwires-rule-set choice stateful_firewall_rules_choice { list stateful-firewall-rules { key "name"; ordered-by user; description "List of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
63"; } } uses apply-advanced; } // list stateful-firewall-rules list stateful-firewall-rule-sets { key "name"; ordered-by user; description "List of stateful firewall rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list stateful-firewall-rule-sets } // choice stateful_firewall_rules_choice choice ids-option-choice { list ids-option { key "name"; ordered-by user; description "List of ids-options"; leaf name { junos:must "(".. .. .. screen ids-option $$")"; junos:must-message "ids-option must be configured under screens"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 31"; } } uses apply-advanced; } // list ids-option } // choice ids-option-choice choice pcp_rules_choice { list pcp-rules { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list pcp-rules list pcp-rule-sets { junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of PCP rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list pcp-rule-sets } // choice pcp_rules_choice leaf appid-profile { junos:must "("services application-identification profile $$")"; junos:must-message "referenced appid profile must be defined"; type string { length "1 .. 63"; } description "Define AppID profile"; } choice nat_rules_choice { list nat-rules { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of NAT rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list nat-rules list nat-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of NAT rule sets"; leaf name { junos:must "(("services nat source rule-set $$" || ("services nat rule-set $$" || ("services nat destination rule-set $$" || "services nat static rule-set $$"))))"; junos:must-message "rule-set must be defined under 'services nat'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
63"; } } uses apply-advanced; } // list nat-rule-sets } // choice nat_rules_choice choice ip_reassembly_rules_choice { list ip-reassembly-rules { key "name"; ordered-by user; description "List of ip-reassembly rules"; leaf name { junos:must "("services ip-reassembly rule $$")"; junos:must-message "referenced ip-reassembly rule must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ip-reassembly-rules } // choice ip_reassembly_rules_choice choice ids_rules_choice { list ids-rules { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of IDS rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ids-rules list ids-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of IDS rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ids-rule-sets } // choice ids_rules_choice choice cos_rules_choice { list cos-rules { junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more CoS rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list cos-rules list cos-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more CoS rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule set"; } uses apply-advanced; } // list cos-rule-sets } // choice cos_rules_choice choice aacl_rules_choice { list aacl-rules { key "name"; ordered-by user; description "One or more AACL rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list aacl-rules list aacl-rule-sets { key "name"; ordered-by user; description "One or more AACL rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule set"; } uses apply-advanced; } // list aacl-rule-sets } // choice aacl_rules_choice list aacl-dyn-rules { junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more AACL rule "; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of dynamic rule set"; } uses apply-advanced; } // list aacl-dyn-rules choice pgcp_rules_choice { list pgcp-rules { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more PGCP rules"; leaf name { junos:must "("services pgcp rule $$")"; junos:must-message "referenced pgcp rule must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list pgcp-rules list pgcp-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more PGCP rule sets"; leaf name { junos:must "("services pgcp rule-set $$")"; junos:must-message "referenced pgcp rule-set must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule set"; } uses apply-advanced; } // list pgcp-rule-sets } // choice pgcp_rules_choice container jflow-rules { junos:must "(".. sampling-service")"; junos:must-message "sampling-service must be configured"; junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; presence "enable jflow-rules"; description "One or more jflow rules"; uses apply-advanced; container sampling { junos:must "((any "forwarding-options sampling instance <*>" || "forwarding-options sampling family"))"; junos:must-message "forwarding-options sampling must be configured"; presence "enable sampling"; uses apply-advanced; leaf instance { junos:must "("forwarding-options sampling instance $$")"; junos:must-message "Referenced sampling instance does not exist"; type string { length "1 .. 64"; } description "Name of the instance"; } } // container sampling } // container jflow-rules choice appid-choice { leaf application-identification-profile { junos:must "("services application-identification profile $$")"; junos:must-message "referenced appid profile must be defined"; type string { length "1 .. 63"; } description "Define Application Identification profile"; } } // choice appid-choice leaf pcef-profile { junos:must "("services pcef profile $$")"; junos:must-message "referenced pcef profile must be defined"; type string { length "1 .. 63"; } description "Define PCEF profile"; } leaf lrf-profile { junos:must "("services lrf profile $$")"; junos:must-message "Specified LRF profile must be configured under services lrf profile"; type string { length "1 .. 63"; } description "Define logging and reporting profile"; } leaf hcm-profile { junos:must "("services hcm profile $$")"; junos:must-message "referenced hcm profile must be defined"; type string { length "1 .. 63"; } description "Define HCM profile"; } leaf web-filter-profile { junos:must "("services web-filter profile $$")"; junos:must-message "Specified web filter profile must be configured under services web-filter"; type string { length "1 .. 63"; } description "Define WEB filtering profile"; } choice hcm_url_rules_choice { list hcm-url-rules { junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more HCM uri rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list hcm-url-rules list hcm-url-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more HCM url rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule set"; } uses apply-advanced; } // list hcm-url-rule-sets } // choice hcm_url_rules_choice choice hcm-tag-rules-choice { list tag-rules { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more HCM tag rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list tag-rules list tag-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more HCM tag rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of rule set"; } uses apply-advanced; } // list tag-rule-sets } // choice hcm-tag-rules-choice choice idppolicy-choice { leaf idp-profile { junos:must "("security idp idp-policy $$")"; junos:must-message "referenced IDP policy must be defined"; type string { length "1 .. 63"; } description "IDP policy to use"; } } // choice idppolicy-choice choice cpcdd-choice { leaf captive-portal-content-delivery-profile { junos:must "("services captive-portal-content-delivery profile $$")"; junos:must-message "referenced cpcdd profile must be defined"; type string { length "1 .. 63"; } description "Define captive portal and content delivery profile"; } } // choice cpcdd-choice choice lpdf-stats-choice { container policy-decision-statistics-profile { description "Define policy decision statistics profile"; uses apply-advanced; leaf profile-name { junos:must "(("system services local-policy-decision-function statistics aacl-statistics-profile $$" || "accounting-options policy-decision-statistics-profile $$"))"; junos:must-message "referenced statistics profile must be defined"; type string { length "1 .. 
63"; } description "Policy decision statistics profile name"; } } // container policy-decision-statistics-profile } // choice lpdf-stats-choice choice service_type_choice { container interface-service { description "Define parameters for interface-specific service sets"; uses apply-advanced; leaf service-interface { junos:must "("interfaces $$-IFL")"; junos:must-message "Service interface must be configured"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Services interface to use"; } container load-balancing-options { uses apply-advanced; container hash-keys { presence "enable hash-keys"; uses apply-advanced; leaf resource-triggered { type empty; description "Resource Triggered load balancing"; } leaf-list ingress-key { type enumeration { enum "source-ip" { value 0; description "Source Ip Address"; } enum "destination-ip" { value 1; description "Destination Ip Address"; } enum "protocol" { value 2; description "Protocol"; } enum "iif" { value 3; description "Incoming Interface"; } } ordered-by user; description "Hash Key for the ingress direction"; } leaf-list egress-key { type enumeration { enum "source-ip" { value 0; description "Source Ip Address"; } enum "destination-ip" { value 1; description "Destination Ip Address"; } enum "protocol" { value 2; description "Protocol"; } enum "oif" { value 3; description "Outgoing Interface"; } } ordered-by user; description "Hash Key for the egress direction"; } } // container hash-keys } // container load-balancing-options } // container interface-service container sampling-service { description "Define parameters for sampling service sets"; uses apply-advanced; leaf service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Services interface to use"; } } // container sampling-service container next-hop-service { description "Define parameters for next-hop service sets"; uses apply-advanced; leaf inside-service-interface { junos:must 
"(("interfaces $$-IFL family inet" || "interfaces $$-IFL family inet6"))"; junos:must-message "Family inet/inet6 must be configured"; junos:must "("interfaces $$-IFL service-domain inside")"; junos:must-message "Interface requires service-domain inside"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Service interface to inside network"; } leaf outside-service-interface { junos:must "(("interfaces $$-IFL family inet" || "interfaces $$-IFL family inet6"))"; junos:must-message "Family inet/inet6 must be configured"; junos:must "(".. inside-service-interface")"; junos:must-message "Both inside-service-interface and ouside-service-interface must be configured"; junos:must "("interfaces $$-IFL service-domain outside")"; junos:must-message "Interface requires service-domain outside"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Service interface name"; } leaf outside-service-interface-type { type enumeration { enum "local" { value 0; description "Must be local for reassembly service"; } } description "Service interface type local for reassembly service"; } leaf service-interface-pool { junos:must "(!((".. .. cos-rule-sets" || (".. .. cos-rules" || (".. .. ids-rule-sets" || (".. .. ids-rules" || (".. .. ipsec-vpn-rule-sets" || (".. .. ipsec-vpn-rules" || (".. .. nat-rule-sets" || (".. .. nat-rules" || (".. .. stateful-firewall-rule-sets" || (".. .. stateful-firewall-rules" || (".. .. softwire-rule-sets" || ".. .. softwire-rules")))))))))))))"; junos:must-message "Can not define any other rules than pgcp when service-interface-pool is defined"; junos:must "("services service-interface-pools pool $$")"; junos:must-message "referenced service interface pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Service interface pool name"; } } // container next-hop-service } // choice service_type_choice list extension-service { key "name"; max-elements 2; ordered-by user; description "Define the customer specific extensions"; leaf name { type string { length "1 .. 63"; } description "Customer-prefixed service name"; } uses apply-advanced; } // list extension-service container service-order { presence "enable service-order"; description "Define of order of services to be applied"; uses apply-advanced; leaf-list forward-flow { type string; ordered-by user; description "Service Order for forward flow"; } leaf-list reverse-flow { type string; ordered-by user; description "Service Order for reverse flow"; } } // container service-order container jflow-log { description "Define Jflow-logging parameters."; uses apply-advanced; leaf template-profile { junos:must "((!(".. .. softwire-rules") && !(".. .. softwire-rule-sets")))"; junos:must-message "Template-profile cannot be configured with softwire-rules or softwire-rule-sets configured"; junos:must "("services jflow-log template-profile $$")"; junos:must-message "The referenced template-profile is not defined"; type string { length "1 .. 63"; } description "Allow jflow messages for applications"; } } // container jflow-log container flow { description "Define flow parameters"; uses apply-advanced; container traceoptions { description "Trace options for flow services"; uses flow-traceoptions-object; } // container traceoptions } // container flow leaf-list ipsec-vpn { type string; ordered-by user; description "List of IPsec VPN policies"; } leaf redundancy-set-id { junos:must "("services redundancy-set $$")"; junos:must-message "Referenced redundancy set must be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } description "Redundancy set identifier"; } } // list service-set container ssl { description "Configuration for Secure Socket Layer support service"; uses apply-advanced; container traceoptions { description "Trace options for Secure Socket Layer support service"; uses ssl-traceoptions; } // container traceoptions container termination { description "Configuration for Secure Socket Layer termination support service"; uses ssl-termination-config; } // container termination container initiation { description "Configuration for Secure Socket Layer initiation support service"; uses ssl-initiation-config; } // container initiation container proxy { description "Configuration for Secure Socket Layer proxy support service"; uses ssl-proxy-config; } // container proxy } // container ssl container web-proxy { description "Configuration for Web Proxy service"; uses apply-advanced; container traceoptions { description "Trace options for Web Proxy service"; uses web-proxy-traceoptions; } // container traceoptions container secure-proxy { description "Configuration for Secure Web Proxy profile "; uses web-config; } // container secure-proxy } // container web-proxy container softwires { description "Configure softwire feature"; uses softwires-object; } // container softwires container screen { description "Configure screen feature"; uses apply-advanced; container trap { presence "enable trap"; description "Configure trap interval"; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "2"; description "Trap interval"; } } // container trap container cpu-throttle { presence "enable cpu-throttle"; description "Configure cpu-throttle percentage"; uses apply-advanced; leaf percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } }
      units "percentage";
      description "Percentage of cpu throttle";
    }
  } // container cpu-throttle
  // Named ids-option entries under "screen". The per-entry settings come from
  // grouping ids-option-type, which is not shown in this excerpt.
  list ids-option {
    key "name";
    description "Configure ids-option";
    uses ids-option-type;
  } // list ids-option
  // Trace (debug log) settings for the screen feature.
  container traceoptions {
    description "Trace options for Network Security Screen";
    uses apply-advanced;
    // Only valid when [system tracing] is configured (junos:must below).
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // The posix-pattern rejects '/', space and '%' (see pattern-message), so the
      // value cannot carry a directory component.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      // Free-form string: no unit or bound is enforced by the schema.
      leaf size {
        type string;
        description "Maximum trace file size";
      }
      // Union: either a number in 2..1000 or a string matching "<.*>|$.*".
      // NOTE(review): the string form looks like the Junos placeholder/variable
      // syntax; the numeric range is not applied to such values by the schema.
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // Mutually exclusive permission switches (YANG choice); no default is
      // declared here. NOTE(review): screen traces may contain addresses and
      // traffic details; prefer no-world-readable unless unprivileged users
      // really need to read the file.
      choice world-readable-choice {
        leaf world-readable {
          type empty;
          description "Allow any user to read the log file";
        }
        leaf no-world-readable {
          type empty;
          description "Don't allow any user to read the log file";
        }
      } // choice world-readable-choice
      leaf match {
        type jt:regular-expression;
        description "Regular expression for lines to be logged";
      }
    } // container file
    // Trace categories; "all" enables everything.
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        type enumeration {
          enum "configuration" { value 0; description "Trace configuration events"; }
          enum "flow" { value 1; description "Trace flow events"; }
          enum "all" { value 2; description "Trace everything"; }
        }
      }
    } // list flag
  } // container traceoptions
  // At most 32 entries (max-elements); the entry layout comes from grouping
  // ids-wlist-type (not shown). NOTE(review): presumably these addresses are
  // exempted from screen checks. Keep the list minimal and review it like any
  // other allow-list.
  list whitelist {
    key "name";
    max-elements 32;
    description "Set of IP addresses for white list";
    uses ids-wlist-type;
  } // list whitelist
} // container screen
// ICAP redirection: named profiles plus trace options.
container icap-redirect {
  description "Configure ICAP redirection service";
  uses apply-advanced;
  list profile {
    key "name"; 
ordered-by user;
    description "Congifure ICAP service profile";
    // Profile contents come from grouping icap-profile-object (not shown here).
    uses icap-profile-object;
  } // list profile
  container traceoptions {
    description "ICAP redirect trace options";
    uses icap-redirect-traceoptions;
  } // container traceoptions
} // container icap-redirect
// Security Metadata Streaming: named policies with HTTP and DNS options.
container security-metadata-streaming {
  uses apply-advanced;
  list policy {
    key "name";
    description "Security Metadata Streaming policy";
    leaf name {
      type string { length "1 .. 63"; }
      description "Policy name";
    }
    uses apply-advanced;
    container http {
      description "Configure HTTP options";
      uses apply-advanced;
      // The enumeration offers "permit" only, so this leaf cannot express a
      // blocking action for HTTP; the log switch below is the only other
      // HTTP control visible in this container.
      leaf action {
        type enumeration {
          enum "permit" { value 0; description "Allow traffic"; }
        }
        description "Action for HTTP";
      }
      container notification {
        description "Notification action taken for traffic";
        uses apply-advanced;
        leaf log {
          type empty;
          description "Logging option for Security Metadata Streaming actions";
        }
      } // container notification
    } // container http
    container dns {
      description "Configure DNS options";
      uses apply-advanced;
      container cache {
        description "Storing DNS in Cache till TTL";
        uses apply-advanced;
        // Cache lifetimes per verdict class: 60..172800 s, default 86400 s.
        // NOTE(review): presumably a cached result is reused until it expires,
        // so a long benign TTL delays re-evaluation of a domain whose
        // reputation changes. Confirm against the feature documentation.
        container ttl {
          presence "enable ttl";
          description "For setting TTL values";
          uses apply-advanced;
          // Union: a number in range, or a string matching "<.*>|$.*".
          // NOTE(review): the string form looks like the Junos
          // placeholder/variable syntax; the range is not applied to it.
          leaf benign {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "60 .. 172800"; }
            }
            units "seconds";
            default "86400";
            description "Set Benign TTL value";
          }
          leaf c2 {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "60 .. 
172800"; } }
            units "seconds";
            default "86400";
            description "Set C2 TTL value";
          }
        } // container ttl
      } // container cache
      // DNS detection methods. "dga" and "tunneling" are configured
      // separately; each has its own action, notification and fallback-options.
      container detections {
        description "Type of Detection Methods for DNS Request";
        uses apply-advanced;
        container dga {
          description "Detecting DGA Algorithms on DNS Packets";
          uses apply-advanced;
          // permit / deny / sinkhole. No default statement is declared.
          // NOTE(review): behaviour when the leaf is left unset is not defined
          // by this schema; set it explicitly. The description text mentions
          // "DNS tunneled packet" although this is the DGA branch; it looks
          // copied from the tunneling container.
          leaf action {
            type enumeration {
              enum "permit" { value 0; description "Allow the packet"; }
              enum "deny" { value 1; description "Drop the packet"; }
              enum "sinkhole" { value 2; description "Sinkhole the packet"; }
            }
            description "Action to take on the DNS tunneled packet";
          }
          // 50..500 ms, default 100 ms (or a "<.*>|$.*" string, which is not
          // range-checked by the schema).
          // NOTE(review): fallback-options below exposes only a log switch and
          // no action leaf, so what happens to a request whose verdict does not
          // arrive in time is not expressed here. Confirm whether such requests
          // are forwarded.
          leaf verdict-timeout {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "50 .. 500"; }
            }
            units "milliseconds";
            default "100";
            description "Time to wait for a verdict on DNS Packet";
          }
          // "log" records everything, "log-detections" only malicious activity
          // (per the enum descriptions). No default is declared.
          leaf notification {
            type enumeration {
              enum "log" { value 0; description "Log Everything"; }
              enum "log-detections" { value 1; description "Only log malicious DNS activity"; }
            }
            description "Notification action taken for DNS DGA Detection";
          }
          container fallback-options {
            description "Fallback options for DNS DGA detection";
            uses apply-advanced;
            container notification {
              description "Notification action taken for the packet";
              uses apply-advanced;
              leaf log {
                type empty;
                description "Log DNS Request";
              }
            } // container notification
          } // container fallback-options
        } // container dga
        container tunneling {
          description "Detecting DNS Tunneling";
          uses apply-advanced;
          // Same three actions as dga; again no default statement.
          leaf action {
            type enumeration {
              enum "permit" { value 0; description "Allow the packet"; }
              enum "deny" { value 1; description "Drop the packet"; }
              enum "sinkhole" { value 2; description "Sinkhole the packet"; }
            }
            description " Action to take on the DNS tunneled packet";
          }
          leaf notification {
            type enumeration {
              enum "log" { value 0; description "Log Everything"; }
              enum "log-detections" { value 1; description "Only log malicious DNS activity"; }
            }
            description "Notification action taken for DNS Tunneling Detection";
          }
          leaf inspection-depth 
{
            // uint8 in 0..10, default 4 (or a "<.*>|$.*" string, which is not
            // range-checked by the schema).
            // NOTE(review): 0 is inside the accepted range; whether it turns
            // inspection off is not stated here. Confirm before using it.
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint8 { range "0 .. 10"; }
            }
            default "4";
            description "Number of packets to be inspected for Tunnel Detection";
          }
          // Only a log switch is offered; no fallback action leaf is visible.
          container fallback-options {
            description "Fallback options for DNS Tunneling detection";
            uses apply-advanced;
            container notification {
              description "Notification action taken for the packet";
              uses apply-advanced;
              leaf log {
                type empty;
                description "Log DNS Request";
              }
            } // container notification
          } // container fallback-options
        } // container tunneling
        // One global action/notification for all detections. The junos:must
        // below rejects it when a sibling dga or tunneling container is
        // configured (see must-message).
        container all {
          junos:must "((!(" .. dga") && !(" .. tunneling")))";
          junos:must-message "All can only be configured if no other detection is configured";
          description "All Detections";
          uses apply-advanced;
          // permit / deny / sinkhole; no default statement is declared.
          leaf action {
            type enumeration {
              enum "permit" { value 0; description "Allow the packet"; }
              enum "deny" { value 1; description "Drop the packet"; }
              enum "sinkhole" { value 2; description "Sinkhole the packet"; }
            }
            description " Global Action to take on the DNS packet";
          }
          leaf notification {
            type enumeration {
              enum "log" { value 0; description "Log Everything"; }
              enum "log-detections" { value 1; description "Only log malicious DNS activity"; }
            }
            description "Global Notification action taken for DNS Detection Methods";
          }
          container fallback-options {
            description "Fallback options for DNS detections";
            uses apply-advanced;
            container notification {
              description "Notification action taken for the packet";
              uses apply-advanced;
              leaf log {
                type empty;
                description "Log DNS Request";
              }
            } // container notification
          } // container fallback-options
        } // container all
      } // container detections
    } // container dns
  } // list policy
} // container security-metadata-streaming
// User identification: Active Directory access and external authentication
// sources.
container user-identification {
  description "Configure user-identification";
  uses apply-advanced;
  // Presence container: the feature is enabled by the node existing.
  container active-directory-access {
    presence "enable active-directory-access";
    description "Configure active directory access";
    uses apply-advanced;
    // Trace (debug log) settings for Active Directory access.
    container traceoptions {
      description "Active-directory-access Tracing Options";
      uses apply-advanced;
      // Only valid when [system tracing] is configured (junos:must below).
      leaf no-remote-trace {
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        // '/', space and '%' are rejected, so no directory component can be given.
        leaf filename {
          type string {
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        leaf size {
          type string;
          description "Maximum trace file size";
        }
        leaf files {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "2 .. 1000"; }
          }
          default "3";
          description "Maximum number of trace files";
        }
        // Mutually exclusive permission switches; no default is declared here.
        // NOTE(review): the flags below cover authentication and
        // ip-user-mapping, so these traces may hold user names and address
        // mappings. Prefer no-world-readable.
        choice world-readable-choice {
          leaf world-readable {
            type empty;
            description "Allow any user to read the log file";
          }
          leaf no-world-readable {
            type empty;
            description "Don't allow any user to read the log file";
          }
        } // choice world-readable-choice
        leaf match {
          type jt:regular-expression;
          description "Regular expression for lines to be logged";
        }
      } // container file
      // Verbosity selector, from "error" up to "all".
      leaf level {
        type enumeration {
          enum "error" { value 0; description "Match error conditions"; }
          enum "warning" { value 1; description "Match warning messages"; }
          enum "notice" { value 2; description "Match conditions that should be handled specially"; }
          enum "info" { value 3; description "Match informational messages"; }
          enum "verbose" { value 4; description "Match verbose messages"; }
          enum "all" { value 5; description "Match all levels"; }
        }
        description "Level of debugging output";
      }
      // Trace categories (the enumeration continues on the next line).
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "active-directory-authentication" { value 0; description "Trace active directory auth"; }
            enum "configuration" { value 1; description "Trace configuration"; }
            enum "db" { value 2; description "Trace db"; }
            enum "ip-user-mapping" { value 3; description "Trace ip-user-mapping 
module"; }
            enum "ip-user-probe" { value 4; description "Trace ip-user-probe"; }
            enum "ipc" { value 5; description "Trace ipc"; }
            enum "user-group-mapping" { value 6; description "Trace user-group-mapping module"; }
            enum "wmic" { value 7; description "Trace wmic"; }
            enum "memory" { value 8; description "Trace memory"; }
            enum "all" { value 9; description "Trace everything"; }
          }
        }
      } // list flag
    } // container traceoptions
    // Active Directory domains the device connects to; at most 2 (max-elements).
    list domain {
      key "name";
      max-elements 2;
      ordered-by user;
      description "Configure active-directory-access domain";
      // The pattern has two alternatives: [[:alnum:]._-]+ or, as it appears, a
      // lone "*". The pattern-message describes only the first alternative.
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
          junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots";
          length "1 .. 64";
        }
        description "Domain name";
      }
      uses apply-advanced;
      // Account the device uses for this domain.
      container user {
        description "User name";
        uses apply-advanced;
        leaf user-name {
          type string {
            junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
            junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots";
            length "1 .. 64";
          }
          description "User name";
        }
        // Typed as a plain string with only a length bound; nothing in this
        // schema marks the value as secret.
        // NOTE(review): how the device stores or renders the value is not
        // visible here. Treat configuration exports, backups and management
        // API replies that include this node as credential-bearing, and give
        // the account only the directory rights the feature needs.
        leaf password {
          type string { length "1 .. 128"; }
          description "Password string";
        }
      } // container user
      // Up to 10 controllers per domain, each with a name and an address.
      list domain-controller {
        key "name";
        max-elements 10;
        ordered-by user;
        description "Domain controller";
        leaf name {
          type string {
            junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
            junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots";
            length "1 .. 64";
          }
          description "Domain controller name";
        }
        uses apply-advanced;
        leaf address {
          type jt:ipaddr;
          description "Address of domain controller";
        }
      } // list domain-controller
      container ip-user-mapping {
        description "Ip-user-mapping";
        uses apply-advanced;
        container discovery-method {
          description "Discovery method";
          uses apply-advanced;
          // Presence container: WMI discovery is enabled by the node existing.
          container wmi {
            presence "enable wmi";
            description "WMI";
            uses apply-advanced;
            leaf event-log-scanning-interval {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint16 { range "5 .. 
60"; } }
              units "seconds";
              description "Interval of event log scanning";
            }
            // 1..168 hours (or a "<.*>|$.*" string, which the schema does not
            // range-check).
            leaf initial-event-log-timespan {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint16 { range "1 .. 168"; }
              }
              units "hours";
              description "Event log scanning timespan";
            }
          } // container wmi
        } // container discovery-method
      } // container ip-user-mapping
      // Contents come from grouping user-group-mapping-type (not shown here).
      container user-group-mapping {
        description "User-group-mapping";
        uses user-group-mapping-type;
      } // container user-group-mapping
    } // list domain
    leaf no-on-demand-probe {
      type empty;
      description "Disable on-demand probe";
    }
    // The three timeouts below are typed as unrestricted uint16 (0..65535).
    // The "(0, 10-1440)" and "(10-1440)" limits appear only in the description
    // text; no range statement enforces them here.
    // NOTE(review): presumably the device validates them at commit. Confirm,
    // and validate in any tooling that generates this configuration. The
    // meaning of 0 is not stated in this schema.
    leaf authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      description "Authentication entry timeout number (0, 10-1440)";
    }
    leaf invalid-authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      description "Invalid authentication entry timeout number (0, 10-1440)";
    }
    leaf firewall-authentication-forced-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      description "Firewallauth fallback authentication entry forced timeout number (10-1440)";
    }
    // 3..120 seconds, enforced by the range statement.
    leaf wmi-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "3 .. 120"; }
      }
      units "seconds";
      description "Wmi timeout number";
    }
    // 1..100; no units statement is declared.
    leaf thread {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1 .. 100"; }
      }
      description "Thread to do PC probe";
    }
    leaf probe-rate {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "100 .. 
1500"; } }
      description "PC probe rate per minute";
    }
    // Unrestricted uint16 values (or "<.*>|$.*" strings); the schema does not
    // limit which event IDs or logon types may be listed.
    leaf-list event-log-identifier {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      ordered-by user;
      description "Event log identifier";
    }
    leaf-list logon-type {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      ordered-by user;
      description "Logon type";
    }
    // Include/exclude prefix lists, up to 20 entries each.
    // NOTE(review): precedence when an address matches both lists is not
    // defined in this schema. Confirm before relying on an exclude entry.
    container filter {
      description "Configure filter address or prefix";
      uses apply-advanced;
      list include {
        key "name";
        max-elements 20;
        ordered-by user;
        description "Include address";
        leaf name {
          type jt:ipprefix;
          description "Address or prefix";
        }
      } // list include
      list exclude {
        key "name";
        max-elements 20;
        ordered-by user;
        description "Exclude address";
        leaf name {
          type jt:ipprefix;
          description "Address or prefix";
        }
      } // list exclude
    } // container filter
  } // container active-directory-access
  // External authentication sources. max-elements is 2, but the key
  // enumeration offers a single value, "aruba-clearpass".
  list authentication-source {
    key "name";
    max-elements 2;
    ordered-by user;
    description "Configure authentication-source";
    leaf name {
      type enumeration {
        enum "aruba-clearpass" { value 0; description "Authentication source from Aruba ClearPass"; }
      }
      description "Authenticaton source name";
    }
    uses apply-advanced;
    // Both timeouts are unrestricted uint16; the "(0, 10-1440)" limit is stated
    // only in the description text and not enforced by a range statement.
    // NOTE(review): presumably checked by the device at commit. Confirm.
    leaf authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      description "Aruba ClearPass authentication entry timeout number (0, 10-1440)";
    }
    leaf invalid-authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      description "Invalid authentication entry timeout number (0, 10-1440)";
    }
    // Trace (debug log) settings for the ClearPass authentication table.
    container traceoptions {
      description "Aruba ClearPass authentication table Tracing Options";
      uses apply-advanced;
      // Only valid when [system tracing] is configured (junos:must below).
      leaf no-remote-trace {
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        // '/', space and '%' are rejected, so no directory component can be given.
        leaf filename {
          type string {
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        leaf size {
          type string;
          description "Maximum trace file size";
        }
        leaf files {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "2 .. 1000"; }
          }
          default "3";
          description "Maximum number of trace files";
        }
        // Mutually exclusive permission switches; no default is declared here.
        // NOTE(review): the flags below cover the authentication table and user
        // queries, so these traces may hold user identities. Prefer
        // no-world-readable.
        choice world-readable-choice {
          leaf world-readable {
            type empty;
            description "Allow any user to read the log file";
          }
          leaf no-world-readable {
            type empty;
            description "Don't allow any user to read the log file";
          }
        } // choice world-readable-choice
        leaf match {
          type jt:regular-expression;
          description "Regular expression for lines to be logged";
        }
      } // container file
      leaf level {
        type enumeration {
          enum "error" { value 0; description "Match error conditions"; }
          enum "warning" { value 1; description "Match warning messages"; }
          enum "notice" { value 2; description "Match conditions that should be handled specially"; }
          enum "info" { value 3; description "Match informational messages"; }
          enum "verbose" { value 4; description "Match verbose messages"; }
          enum "all" { value 5; description "Match all levels"; }
        }
        description "Level of debugging output";
      }
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "all" { value 0; description "Trace Aruba ClearPass all modules"; }
            enum "clearpass-authentication" { value 1; description "Trace Aruba ClearPass auth table management module"; }
            enum "configuration" { value 2; description "Trace Aruba ClearPass configuration"; }
            enum "dispatcher" { value 3; description "Trace dispatcher module"; }
            enum "ipc" { value 4; description "Trace ipc"; }
            enum "user-query" { value 5; description "Trace user-query module"; }
            enum "memory" { value 6; description "Trace memory"; }
          }
        }
      } // list flag
    } // container traceoptions
    // Per-user lookups against the ClearPass web server.
    container user-query {
      description "ClearPass individual user query";
      uses apply-advanced;
      container web-server { 
description "Web server for user query";
  uses apply-advanced;
  // Name of the web server entry; the schema only bounds its length (1 to 64).
  leaf server-name {
    type string { length "1 .. 64"; }
    description "Web server name";
  }
  // Transport used for the user-query connection. Both "https" and "http" are
  // accepted and this leaf declares no default, although port (below)
  // defaults to 443.
  // NOTE(review): with "http" the OAuth2 client credentials and tokens
  // configured further down would presumably cross the network unencrypted;
  // confirm that deployments select "https".
  leaf connect-method {
    type enumeration {
      enum "https" { value 0; description "HTTPS connection to web server"; }
      enum "http" { value 1; description "HTTP connection to web server"; }
    }
    description "Method of connecting to web server";
  }
  // Free-form string (1 to 128 characters); the schema itself does not check
  // that the value is a well-formed IP address or hostname.
  leaf address {
    type string { length "1 .. 128"; }
    description "IP address or hostname of web server";
  }
  // Either a number from 1 to 65535 or a string matching the pattern shown
  // (looks like a variable/placeholder form; TODO confirm). Defaults to 443.
  leaf port {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 65535"; }
    }
    default "443";
    description "Web server port";
  }
} // container web-server
// CA certificate file name, 1 to 256 characters.
// NOTE(review): presumably used to verify the web server certificate; nothing
// in this schema makes it mandatory when connect-method is "https", so verify
// how the daemon behaves when it is left unset.
leaf ca-certificate {
  type string { length "1 .. 256"; }
  description "Ca-certificate file name";
}
// OAuth2 client identifier, 1 to 64 characters.
leaf client-id {
  type string { length "1 .. 64"; }
  description "Client ID for OAuth2 grant";
}
// OAuth2 client secret, 1 to 128 characters.
// NOTE(review): modelled here as an ordinary string rather than a masked or
// secret type; confirm how the value is stored and displayed in the
// configuration, and treat configuration exports as sensitive.
leaf client-secret {
  type string { length "1 .. 128"; }
  description "Client secret for OAuth2 grant";
}
// Token-acquisition API string, 1 to 128 characters; no pattern is applied.
leaf token-api {
  type string { length "1 .. 128"; }
  description "API of acquiring token for OAuth2 authentication";
}
// User-query API string, 4 to 128 characters; no pattern is applied.
leaf query-api {
  type string { length "4 .. 128"; }
  description "User query API";
}
// Delay before a user query is sent: a pattern-matched string or a uint8
// whose range starts at 0 (the range string continues on the next source line).
leaf delay-query-time {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint8 { range "0 .. 
60"; } } units "seconds"; default "15"; description "Delay time to send user query (0~60sec)"; } } // container user-query container no-user-query { presence "enable no-user-query"; description "Disable user query from ClearPass"; } // container no-user-query } // list authentication-source container device-information { description "Device information configuration"; uses apply-advanced; container authentication-source { description "Configure authentication-source"; uses apply-advanced; leaf authentication-source-name { type enumeration { enum "active-directory" { value 0; description "From windows active directory"; } enum "network-access-controller" { value 1; description "From network access controller such as Aruba ClearPass or JIMS"; } enum "no-configured" { value 2; description "No configuring authentication source for device entry"; } } default "no-configured"; } } // container authentication-source container end-user-profile { description "End-user-profile configuration"; uses apply-advanced; list profile-name { key "name"; ordered-by user; description "End-user-profile profile-name configuration"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "End-user-profile profile-name"; } uses apply-advanced; leaf domain-name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 
64"; } description "Domain name"; } list attribute { key "name"; ordered-by user; description "Attribute"; leaf name { type string; description "Attribute name"; } uses apply-advanced; choice attribute-value { leaf-list string { type string; max-elements 20; ordered-by user; description "Value type is strings"; } container digital { presence "enable digital"; description "Value type is digital"; uses apply-advanced; leaf-list value { type union { type uint32; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Digital value"; } list from { key "name"; ordered-by user; description "Range of digital value"; leaf name { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Digit range's start value"; } uses apply-advanced; leaf to { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Digit range's end value"; } } // list from } // container digital } // choice attribute-value } // list attribute } // list profile-name } // container end-user-profile container traceoptions { description "Device info related Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace device info all modules"; } enum "auth-source" { value 1; description "Trace Auth source module"; } enum "configuration" { value 2; description "Trace Device info configuration"; } enum "device-table" { value 3; description "Trace device table management module"; } enum "ipid-all" { value 4; description "Trace IPID all functions"; } enum "ipid-db" { value 5; description "Trace IPID Database function"; } enum "ipid-entry" { value 6; description "Trace IPID entry management function"; } enum "ipid-ipc" { value 7; description "Trace IPID communication processing function"; } enum "ipid-message" { value 8; description "Trace IPID message processing function"; } enum "ipid-others" { value 9; description "Trace IPID other function"; } enum "ipid-server" { value 10; description "Trace IPID server handling function"; } enum "ipid-statistics" { value 11; description "Trace IPID statistics handling function"; } enum 
"ipid-task" { value 12; description "Trace IPID task handling function"; } enum "profile-lookup" { value 13; description "Trace End-user-profile lookup function"; } enum "memory" { value 14; description "Trace memory"; } } } } // list flag } // container traceoptions } // container device-information container identity-management { description "Identity management configuration"; uses apply-advanced; leaf authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "60"; description "Authentication entry timeout number (0, 10-1440)"; } leaf invalid-authentication-entry-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "minutes"; default "30"; description "Invalid authentication entry timeout number (0, 10-1440)"; } leaf preserve-valid-user { type empty; description "Null user will not overwrite valid user for the same ip"; } container connection { description "Connection to identity management"; uses identity-management-connection-type; } // container connection container jims-validator { description "Web server from JIMS for Validate or group query request"; uses jims-validator-type; } // container jims-validator container batch-query { description "Batch query parameters"; uses batch-query-type; } // container batch-query container ip-query { description "IP query parameters"; uses apply-advanced; leaf query-delay-time { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 60"; } } units "seconds"; default "15"; description "Delay time to send IP query (0~60sec)"; } container no-ip-query { presence "enable no-ip-query"; description "Disable IP query"; } // container no-ip-query leaf max-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
20"; } }
      description "Max connection number";
    }
  } // container ip-query
  // Restricts which domains and addresses are queried.
  container filter {
    description "Filter for query";
    uses apply-advanced;
    // At most 20 domain entries, kept in the order the user entered them.
    list domain {
      key "name";
      max-elements 20;
      ordered-by user;
      description "Domain filter";
      // 1 to 64 characters from letters, digits, '.', '_' and '-'.
      // NOTE(review): the pattern's second alternative also appears to accept
      // a lone "*", which the pattern message does not mention; confirm.
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
          junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots";
          length "1 .. 64";
        }
        description "Domain name";
      }
    } // list domain
    // Include and exclude filters share the address-filter-type grouping,
    // which is defined outside this excerpt.
    container include-ip {
      description "Include IP filter";
      uses address-filter-type;
    } // container include-ip
    container exclude-ip {
      description "Exclude IP filter";
      uses address-filter-type;
    } // container exclude-ip
  } // container filter
  // Trace settings come from the ims-traceoptions-type grouping (not shown here).
  container traceoptions {
    description "Tracing Options";
    uses ims-traceoptions-type;
  } // container traceoptions
} // container identity-management
container logical-domain-identity-management {
  description "Logical domain identity management configuration";
  uses apply-advanced;
  // NOTE(review): the description below contains typos ("Actve", "moudule");
  // it is emitted text, so it is left unchanged here.
  container active {
    description "Actve mode for logical domain identity management moudule";
    uses apply-advanced;
    // Lifetime of a valid authentication entry, in minutes; default 60.
    // NOTE(review): the description documents the allowed values as
    // (0, 10-1440), but the numeric member is a bare uint16 with no range, so
    // this schema alone accepts any uint16. Presumably the limit is enforced
    // elsewhere; confirm, since this controls how long an identity entry
    // stays trusted.
    leaf authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      default "60";
      description "Authentication entry timeout number (0, 10-1440)";
    }
    // Lifetime of an invalid authentication entry, in minutes; default 30.
    // Same caveat as above: the documented (0, 10-1440) limit is not
    // expressed as a range on the uint16 member.
    leaf invalid-authentication-entry-timeout {
      type union {
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      units "minutes";
      default "30";
      description "Invalid authentication entry timeout number (0, 10-1440)";
    }
    container ip-query {
      description "IP query parameters";
      uses apply-advanced;
      // Pattern-matched string or a uint8 whose range starts at 0 (the range
      // string continues on the next source line).
      leaf query-delay-time {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint8 { range "0 .. 
60"; } } units "seconds"; default "15"; description "Delay time to send IP query (0~60sec)"; } } // container ip-query container filter { description "Filter for query"; uses apply-advanced; list domain { key "name"; max-elements 20; ordered-by user; description "Domain filter"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Domain name"; } } // list domain container include-ip { description "Include IP filter"; uses address-filter-type; } // container include-ip container exclude-ip { description "Exclude IP filter"; uses address-filter-type; } // container exclude-ip } // container filter list query-server { key "name"; max-elements 1; ordered-by user; description "Query server"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "Query server name"; } uses apply-advanced; container connection { description "Connection to identity management"; uses ims-connection-type; } // container connection container batch-query { description "Batch query parameters"; uses batch-query-type; } // container batch-query } // list query-server } // container active container traceoptions { description "Tracing Options"; uses ims-traceoptions-type; } // container traceoptions } // container logical-domain-identity-management } // container user-identification container ip-monitoring { description "IP monitoring for route action"; uses apply-advanced; list policy { key "name"; ordered-by user; description "Policy for route action"; leaf name { type string { length "1 .. 
64"; } description "Policy name"; } uses apply-advanced; leaf no-preempt { type empty; description "No automatic failback preemption once policy failover"; } container match { description "Matching probing condition"; uses apply-advanced; leaf-list rpm-probe { type string; ordered-by user; description "RPM probe name"; } } // container match container then { description "Action to be taken"; uses action-object-type; } // container then } // list policy container traceoptions { description "IP-Monitoring trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "debug" { value 0; description "Trace debug"; } enum "configuration" { value 1; description "Trace configuration events"; } enum "errors" { value 2; description "Trace errors"; } enum "memory" { value 3; description "Trace memory allocation or deallocation messages"; } enum "event" { value 4; description "Trace events"; } enum "all" { value 5; description "Trace events"; } } } } // list flag } // container traceoptions } // container ip-monitoring container wireless-wan { description "Wireless WAN configuration"; uses apply-advanced; list adapter { key "name"; ordered-by user; description "Wireless adapter name configuration"; leaf name { type string { junos:posix-pattern "^[A-Za-z]+[_0-9A-Za-z-]*$"; junos:pattern-message "Must be a string beginning with a letter and consisting of no more than 16 total letters, numbers, dashes and underscores."; length "1 .. 
16"; } description "Wireless adapter name"; } uses apply-advanced; leaf ip-address { type jt:ipaddr; description "Adapter management IP address"; } leaf adapter-type { type enumeration { enum "cx-bridge" { value 0; description "Adapter type - CX-bridge"; } } description "Select adapter type"; } container modem { description "Adapter modem settings"; uses apply-advanced; container usb1 { presence "enable usb1"; description "Adapter USB1 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb1 container usb2 { presence "enable usb2"; description "Adapter USB2 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb2 container usb3 { presence "enable usb3"; description "Adapter USB3 modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container usb3 container expresscard { presence "enable expresscard"; description "Adapter Expresscard modem name"; uses apply-advanced; leaf description { type string; description "Text description for modem"; } } // container expresscard } // container modem } // list adapter } // container wireless-wan container proxy { description "Proxy setting for services"; uses apply-advanced; list profile { key "name"; ordered-by user; description "Proxy profile"; uses proxy-profile-setting; } // list profile } // container proxy container lrf { description "Logging and reporting service configuration"; uses apply-advanced; list profile { key "name"; max-elements 8; ordered-by user; description "One or more LRF profiles"; uses lrf-profile-object; } // list profile } // container lrf container pcef { description "Policy and Charging Enforcement Function(PCEF) configuration"; uses services-pcef; } // container pcef container mobile-edge { description "Mobile edge configuration"; uses apply-advanced; container gateways { description "Gateways"; 
uses apply-advanced; leaf description { type string { length "1 .. 64"; } description "Description of the gateway"; } container resource-management { description "Configure resource management packet steering daemon"; uses apply-advanced; container server { description "Configure resource management packet steering daemon"; uses apply-advanced; container traceoptions { description "Resource management packet steering daemon trace options"; uses rmpsd-traceoptions-type; } // container traceoptions } // container server container client { description "Configure resource management packet steering client"; uses apply-advanced; container traceoptions { description "Resource management packet steering client trace options"; uses rmps-clnt-traceoptions-type; } // container traceoptions } // container client } // container resource-management list saegw { key "name"; max-elements 1; ordered-by user; description "SAE gateway name"; uses saegw-names; } // list saegw } // container gateways container pfcp { presence "enable pfcp"; description "Trace options for upad pfcp"; uses apply-advanced; container traceoptions { description "SAEGW upad pfcp trace options"; uses pfcp-traceoptions-type; } // container traceoptions } // container pfcp container session-manager { presence "enable session-manager"; description "Trace options for upad session-manager"; uses apply-advanced; container traceoptions { description "SAEGW upad session-manager trace options"; uses sm-traceoptions-type; } // container traceoptions } // container session-manager container charging-module { presence "enable charging-module"; description "Trace options for upad charging-module"; uses apply-advanced; container traceoptions { description "SAEGW upad charging-module trace options"; uses cm-traceoptions-type; } // container traceoptions } // container charging-module } // container mobile-edge container security-intelligence { uses apply-advanced; leaf url { type string; description "Configure the url of 
feed server [https://<ip or hostname>:<port>/<uri>]"; }
// NOTE(review): the url leaf closed above is declared as a plain string; the
// https:// form appears only in its description, so this schema does not by
// itself restrict the scheme of the feed server URL. Confirm where that is
// enforced.
// Credentials and TLS settings used when talking to the feed update service.
container authentication {
  description "Authenticate to use feed update services";
  uses apply-advanced;
  // The pattern fixes the token at exactly 32 characters from A-Z, a-z, 0-9.
  // NOTE(review): the token is modelled as an ordinary string rather than a
  // masked or secret type; confirm how it is stored and displayed, and treat
  // configuration exports as sensitive.
  leaf auth-token {
    type string {
      junos:posix-pattern "^[A-Za-z0-9]{32}$";
      junos:pattern-message "Auth token must be consisted of 32 alphanumeric characters";
    }
    description "Token string for authentication";
  }
  // Name of an SSL initiation profile. The must expression ties this leaf to
  // "services ssl initiation profile $$" ($$ is presumably this leaf's own
  // value), and the must-message is reported when that profile is missing.
  // NOTE(review): the inner quotes of the must string are unescaped as shown
  // here; escaping was likely lost somewhere upstream. Verify against the
  // vendor file before feeding this to a YANG parser.
  leaf tls-profile {
    junos:must "("services ssl initiation profile $$")";
    junos:must-message "Referenced SSL initiation profile is not defined";
    type string;
    description "TLS profile";
  }
} // container authentication
// Trace settings come from the secintel-traceoptions grouping (not shown here).
container traceoptions {
  description "Security intelligence trace options";
  uses secintel-traceoptions;
} // container traceoptions
// Categories listed here are the ones to be disabled, per the descriptions.
// NOTE(review): entries under this container presumably reduce feed
// coverage, so changes here deserve the same review as policy changes.
container category {
  description "Category to be disabled";
  uses apply-advanced;
  // Presence container covering every category at once.
  container all {
    presence "enable all";
    description "All categories";
    uses apply-advanced;
    // Presence of this node is what disables all categories.
    container disable {
      presence "enable disable";
      description "To disable all categories";
    } // container disable
  } // container all
  // Per-category entries; their content comes from the
  // secintel-category-disable grouping (not shown here).
  list category-name {
    key "name";
    ordered-by user;
    uses secintel-category-disable;
  } // list category-name
} // container category
// Name of the proxy profile to use.
// NOTE(review): unlike tls-profile above, this must expression has no $$, so
// it appears to check only that some "services proxy profile" exists rather
// than the one named here; confirm.
leaf proxy-profile {
  junos:must "("services proxy profile")";
  junos:must-message "Proxy profile must be defined";
  type string { length "1 .. 
64"; } description "The proxy profile name"; } leaf http-persist { type empty; description "Inspect all HTTP requests in a connection"; } list profile { key "name"; ordered-by user; description "Configure security intelligence profile"; uses secintel-profile-setting; } // list profile container default-policy { description "Configure security intelligence default policy"; uses apply-advanced; list category-profiles { key "name"; ordered-by user; description "Security intelligence category profiles"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Infected-Hosts" { value 3; description "Infected-Hosts"; } enum "DNS" { value 4; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; leaf profile-name { junos:must "("services security-intelligence profile $$")"; junos:must-message "security intelligence profile must be defined"; type string; description "Name of profile"; } } // list category-profiles } // container default-policy list policy { key "name"; ordered-by user; description "Configure security intelligence policy"; uses secintel-policy-setting; } // list policy container global-disable-feed { presence "enable global-disable-feed"; description "Security intelligence global feed disabling setting"; uses apply-advanced; list feed-name { key "name"; max-elements 32; ordered-by user; leaf name { type string { length "1 .. 
63"; } description "Name of security intelligence global Command and control feed"; } uses apply-advanced; } // list feed-name container all { presence "enable all"; description "All of security intelligence global Command and control feed"; } // container all } // container global-disable-feed } // container security-intelligence container stateful-firewall { description "Configure stateful firewall services"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Define a stateful firewall rule"; uses sfw_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services stateful-firewall rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes, underscores, forward slashes, colons and dots."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // container stateful-firewall container ip-reassembly { description "Configure ip-reassembly services"; uses apply-advanced; list profile { key "name"; description "Define a ip reassembly profile"; uses ipr_profile_object; } // list profile list rule { key "name"; ordered-by user; description "Define a ip reassembly rule"; uses ipr_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; 
ordered-by user; description "Define a set of ip reassembly rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services ip-reassembly rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // container ip-reassembly container softwire { description "Configure softwire services"; uses apply-advanced; list ipv6-multicast-interfaces { key "name"; ordered-by user; description "Enable IPv6 multicast filter"; leaf name { type string; description "Interface name"; } uses apply-advanced; } // list ipv6-multicast-interfaces container softwire-concentrator { description "Configure softwire concentrators"; uses apply-advanced; list ds-lite { key "name"; ordered-by user; description "Configure DS-Lite concentrator"; uses dslite_object; } // list ds-lite list v6rd { key "name"; ordered-by user; description "Configure 6rd concentrator"; uses v6rd_object; } // list v6rd list map-e { key "name"; ordered-by user; description "Configure MAP-E concentrator"; uses mape_object; } // list map-e } // container softwire-concentrator list rule { key "name"; ordered-by user; description "Define a softwire rule"; uses sw_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of softwire rules"; leaf name { type string { 
junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services softwire rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // container softwire container aacl { description "Application Aware Access List services configuration"; uses apply-advanced; list rule { key "name"; ordered-by user; description "One or more AACL rules"; uses aacl_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a Set of AACL rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services aacl rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set list aacl-dyn-rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of AACL dynamic rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services aacl rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list aacl-dyn-rule-set } // container aacl container hcm { description "Http Content Management services configuration"; uses apply-advanced; list url-rule { key "name"; ordered-by user; description "One or more url HCM rules"; uses hcm_url_rule_object; } // list url-rule list tag-rule { key "name"; ordered-by user; description "One or more HCM tag rules"; uses hcm_tag_rule_object; } // list tag-rule list url-list { key "name"; ordered-by user; description "List of URL's"; uses 
hcm_url_list_object; } // list url-list leaf-list tag-attribute { type enumeration { enum "ipv4addr" { value 0; } enum "ipv6addr" { value 1; } } ordered-by user; description "Tag Attributes (Subscriber Aware Attrs: imsi,msisdn,ipv4addr,imei,ipv6addr,apn,ggsnipv4,ggsnipv6)"; } list url-rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a Set of HCM url rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services hcm url-rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list url-rule-set list tag-rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a Set of HCM tag rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services hcm tag-rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list tag-rule-set list profile { key "name"; max-elements 101; ordered-by user; description "HCM Profile Name"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "HCM profile name"; } uses apply-advanced; container tag-rule { description "Tag rule to be included in this profile"; uses apply-advanced; leaf tag-rule-name { junos:must "("services hcm tag-rule $$")"; junos:must-message "tag rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Tag Rule name"; } } // container tag-rule } // list profile } // container hcm container cos { description "Class of Service services configuration"; uses cos-object; } // container cos container pgcp { description "Packet Gateway Control Protocol services configuration"; uses apply-advanced; container traceoptions { description "Trace options for packet gateway service"; uses apply-advanced; container flag { presence "enable flag"; description "Per-component trace options"; uses apply-advanced; leaf default { type enumeration { enum "trace" { value 0; 
description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Default trace level for all the components"; } container h248-stack { presence "enable h248-stack"; description "H248 stack sub-components"; uses apply-advanced; leaf default { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Default trace level for the H248 stack subcomponents"; } leaf control-association { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Control association trace level"; } leaf media-gateway { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or 
Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Media gateway trace level"; } leaf messages { type empty; description "Enable H248 dump messages"; } } // container h248-stack container bgf-core { presence "enable bgf-core"; description "BGF core sub-components"; uses apply-advanced; leaf default { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Default trace level for the bgf core subcomponents"; } leaf firewall { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Firewall trace level"; } leaf gate-logic { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Gate trace level"; } leaf policy { type enumeration { enum "trace" { value 0; description "Trace 
functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Policy trace level"; } leaf pic-broker { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "PIC broker trace level"; } leaf statistics { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Statistics trace level"; } leaf common { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Common trace level"; } } // container bgf-core container sbc-utils { 
presence "enable sbc-utils"; description "SBC utils sub-components"; uses apply-advanced; leaf default { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Default trace level for the sbc-utils subcomponents"; } leaf common { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Common utils trace level"; } leaf configuration { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Configuration trace level"; } leaf device-monitor { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or 
Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Device-monitor trace level"; } leaf ipc { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "IPC trace level"; } leaf memory-management { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Memory mgmt trace level"; } leaf messaging { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Messaging trace level"; } leaf user-interface { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { 
value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "UI trace level"; } } // container sbc-utils } // container flag container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file } // container traceoptions list media-service { key "name"; max-elements 32; ordered-by user; status deprecated; description "One or more PGCP media service"; uses pgcp_media_service_object; } // list media-service list virtual-interface { key "name"; max-elements 1024; ordered-by user; description "One or more Virtual Interfaces"; uses pgcp_virtual_interface_object; } // list virtual-interface list gateway { key "name"; max-elements 32; ordered-by user; description "One or more Packet Gateways"; uses pgcp_gateway_object; } // list gateway list rule { key "name"; max-elements 64; ordered-by user; description "One or more PGCP rules"; uses pgcp_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a Set of PGCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a 
string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services pgcp rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set container session-mirroring { presence "enable session-mirroring"; description "Session mirroring configuration"; uses pgcp_session_mirroring_object; } // container session-mirroring leaf notification-rate-limit { type union { type string { pattern "<.*>|$.*"; } type int32 { range "10 .. 1000"; } } description "Max number of notifications/second sent to PGC"; } } // container pgcp container border-signaling-gateway { description "Border signaling service configuration"; uses apply-advanced; list gateway { key "name"; max-elements 4; ordered-by user; uses gateway_type; } // list gateway } // container border-signaling-gateway container ids { description "Configure the intrusion detection system"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Define an IDS rule"; uses ids_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of IDS rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services ids rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // container ids container nat { description "Configure Network Address Translation"; uses nat-object; } // container nat container pcp { description "Configure Port Control Protocol"; uses pcp-object; } // container pcp container l2tp { junos:must "(!("forwarding-options hyper-mode"))"; junos:must-message "To configure services l2tp, 'forwarding-options hyper-mode' should not be configured"; presence "enable l2tp"; description "Configure Layer 2 Tunneling Protocol service"; uses apply-advanced; list tunnel-group { key "name"; ordered-by user; description "Layer 2 Tunneling Protocol profile"; uses l2tp_tunnel_group_object; } // list tunnel-group container ip-reassembly { description "Configure IP Reassembly parameters"; uses apply-advanced; leaf service-set { junos:must "((".. .. .. service-set $$ ip-reassembly-rules" || ".. .. .. service-set $$ ip-reassembly-rule-sets"))"; junos:must-message "Referenced IP Reassembly service-set must be defined"; type string { length "1 .. 
63"; } description "Name of IP Reassembly service set"; } } // container ip-reassembly /* L2TP daemon tracing: container file sets where trace output is written; level, flag and debug-level set how much is written; filter and interfaces narrow what is traced. */ container traceoptions { description "Layer 2 Tunneling Protocol daemon trace options"; uses apply-advanced; /* Accepted only when [system tracing] is configured, per the must constraint. */ leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; /* The posix-pattern rejects slash, percent and space, so the value is a bare file name of 1..1024 characters with no directory component. */ leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } /* Union: a count in 2..1000 (default 3) or a string matching the pattern; the string branch is not range-checked. NOTE(review): presumably the string form carries a Junos variable or template placeholder - confirm before relying on the range in an external validator. */ leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } /* Mutually exclusive permission switches for the trace file. Neither leaf declares a default, so the permission applied when both are omitted is decided outside this schema. NOTE(review): this trace can carry authentication and packet-decode output (flag authentication, debug-level packet-dump), so no-world-readable is the safer setting - confirm the daemon default. */ choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file /* Severity threshold for trace output; defaults to error. */ leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } /* One list entry per traced area; the key is one of the enum names below, and all (value 22) is described as tracing everything. */ list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "gres" { value 0; description "Trace GRES events"; } enum "init" { value 1; description "Trace daemon initialization"; } enum 
"events" { value 2; description "Trace interface events"; } enum "memory" { value 3; description "Trace memory management code"; } enum "message" { value 4; description "Trace message processing code"; } enum "packet-error" { value 5; description "Trace Packet error events"; } enum "parse" { value 6; description "Trace parsing events"; } enum "receive-packets" { value 7; description "Trace received L2TP packets"; } enum "session-db" { value 8; description "Trace session database interactions"; } enum "states" { value 9; description "Trace state machine events"; } enum "timer" { value 10; description "Trace timer events"; } enum "transmit-packets" { value 11; description "Trace tranmitted L2TP packets"; } enum "routing-socket" { value 12; description "Trace routing socket events"; } enum "routing-process" { value 13; description "Trace routing process interactions"; } enum "protocol" { value 14; description "Trace Layer 2 Tunneling Protocol events"; } enum "configuration" { value 15; description "Trace configuration events"; } enum "ipc-tx" { value 16; description "Trace IPC transmit events"; } enum "ipc-rx" { value 17; description "Trace IPC receive events"; } enum "general" { value 18; description "Trace general events"; } enum "tunnel" { value 19; description "Trace tunnel events"; } enum "stats" { value 20; description "Trace libstats events"; } enum "authentication" { value 21; description "Trace authentication process interactions"; } enum "all" { value 22; description "Trace everything"; } } } } // list flag /* Accepted only together with flag protocol or flag all (must constraint). The packet-dump value adds packet decode information for PPP, L2TP, RADIUS and UDP per the descriptions. NOTE(review): decoded packets presumably expose subscriber attributes - confirm, and keep the trace file non-world-readable while this is enabled. */ leaf debug-level { junos:must "((".. flag protocol" || ".. 
flag all"))"; junos:must-message "debug-level can be specified only for traceoption flag protocol or all"; type enumeration { enum "error" { value 0; description "Errors"; } enum "detail" { value 1; description "Detailed debug information"; } enum "packet-dump" { value 2; description "Packet decode information"; } } description "Trace level for PPP, L2TP, RADIUS, and UDP"; } /* Narrows trace output. The protocol list and the user-name leaf are accepted only together with flag protocol or flag all. */ container filter { presence "enable filter"; description "Filter to control trace messages"; uses apply-advanced; list protocol { junos:must "((".. .. flag protocol" || ".. .. flag all"))"; junos:must-message "Filter protocol can be specified only for traceoption flag protocol or all"; key "name"; ordered-by user; description "Additional filter for protocol"; leaf name { type enumeration { enum "ppp" { value 0; description "Trace Point-to-Point Protocol events"; } enum "l2tp" { value 1; description "Trace Layer 2 Tunneling Protocol events"; } enum "radius" { value 2; description "Trace RADIUS events"; } enum "udp" { value 3; description "Trace User Datagram Protocol events"; } } } } // list protocol leaf user-name { junos:must "((".. .. flag protocol" || ".. .. flag all"))"; junos:must-message "Filter user name can be specified only for traceoption flag protocol or all"; type string { length "1 .. 64"; } description "Additional filter by user name"; } /* Second user-name filter (1..64 characters) that carries no must constraint, unlike leaf user-name above. NOTE(review): looks like a duplicate of user-name - confirm which one the daemon honours. */ container user { presence "enable user"; description "Filter by user name"; uses apply-advanced; leaf username { type string { length "1 .. 64"; } description "Name of the user to be filtered"; } } // container user } // container filter list interfaces { key "name"; ordered-by user; description "Layer 2 Tunneling Protocol service interface"; uses l2tp_interface_traceoptions; } // list interfaces } // container traceoptions leaf weighted-load-balancing { junos:must "(!(".. 
destination-equal-load-balancing"))"; junos:must-message "Both weighted-load-balancing and destination-equal-load-balancing can't be enabled together"; type empty; description "Enable weighted-load-balancing for LAC sessions"; } /* Mutually exclusive with weighted-load-balancing: each leaf carries a must constraint that rejects the other. */ leaf destination-equal-load-balancing { junos:must "(!(".. weighted-load-balancing"))"; junos:must-message "Both weighted-load-balancing and destination-equal-load-balancing can't be enabled together"; type empty; description "Enable equal load balancing of destinations"; } leaf drain { type empty; description "Prevents creation of destinations, tunnels and sessions"; } leaf failover-within-preference { type empty; description "Enable failover-within-preference level for LAC sessions"; } leaf disable-calling-number-avp { type empty; description "Disable the calling number AVP in ICRQ packet"; } /* Marked status deprecated in this revision. */ leaf disable-failover-protocol { type empty; status deprecated; description "Disable failover protocol resync mechanism"; } leaf rx-connect-speed-when-equal { type empty; description "Generate rx connect speed AVP when tx equals rx speed"; } /* Defaults to static. The service-profile value additionally requires [chassis effective-shaping-rate], per its must constraint. */ leaf tx-connect-speed-method { type enumeration { enum "none" { value 0; description "Disable sending tx/rx speed AVPs"; } enum "static" { value 1; description "Use advisory speed"; } enum "ancp" { value 2; description "Use ANCP sourced tx/rx speed"; } enum "pppoe-ia-tag" { value 3; description "Use tx/rx speed sent in the PPPoE IA tag"; } enum "service-profile" { junos:must "("chassis effective-shaping-rate")"; junos:must-message "The chassis 'effective-shaping-rate' must be enabled when service-profile is set"; value 4; description "Use tx/rx speed from service profile configuration"; } } default "static"; description "TX connect speed method"; } /* Per-chassis session cap, default 512000; the uint32 branch declares no range. */ leaf maximum-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "512000"; description "Maximum number of sessions per chassis"; } /* System-wide tunnel attributes: per-tunnel drain entries (list name), retransmission and timeout settings, receive window, tx-address-change policy, per-tunnel session cap and failover resync mechanism. */ container tunnel { description "System wide tunnel attributes"; uses apply-advanced; list name { key 
"name"; ordered-by user; /* NOTE(review): the posix-pattern below admits a slash, matching the Destination name/Tunnel name format in the description, but the pattern-message does not list it among the allowed characters. */ leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 129"; } description "Locally assigned name of the tunnel(in format Destination name/Tunnel name or Tunnel name)"; } /* drain can be set on one level only. Reading .. as the parent node, an address entry is rejected when the enclosing tunnel has drain, and a routing-instance entry is rejected when the enclosing address or tunnel has drain. */ list address { junos:must "(!(".. drain"))"; junos:must-message "Multiple times drain is set or drain is set at incorrect level"; key "name"; ordered-by user; description "Address of the tunnel destination"; leaf name { type jt:ipv4addr; description "Address of remote system"; } list routing-instance { junos:must "((!(".. drain") && !(".. .. drain")))"; junos:must-message "Multiple times drain is not allowed"; key "name"; ordered-by user; description "Routing instance in which tunnel exists"; /* Negated pattern: rejects names wrapped in double underscores, names containing a space, and names of 129 or more characters. */ leaf name { type string { junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{129,}))$"; junos:pattern-message "Must be a string of 128 characters or less with no spaces."; } description "Routing instance in which tunnel exists"; } leaf drain { type empty; description "Prevents assignment of sessions to tunnel"; } } // list routing-instance leaf drain { type empty; description "Prevents assignment of sessions to tunnel"; } } // list address leaf drain { type empty; description "Prevents sessions assignment to tunnel"; } } // list name leaf assignment-id-format { type enumeration { enum "assignment-id" { value 0; description "Configure the format to be assignment-id only"; } enum "client-server-id" { value 1; description "Configure the format to be client-auth-id + server-auth-id + assignment-id"; } } default "assignment-id"; description "Assignment id format"; } /* Retransmission limits, 2..30 each: default 7 for established tunnels and 5 for tunnels not yet established. */ leaf retransmission-count-established { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 
30"; } } default "7"; description "Max Retransmission count for Established tunnels"; } leaf retransmission-count-not-established { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 30"; } } default "5"; description "Max Retransmission count for Not Established tunnels"; } leaf nas-port-method { type enumeration { enum "cisco-avp" { value 0; description "Limited Cisco vendor specific mechanism"; } } description "Tunnel network access server port method"; } leaf minimum-retransmission-timeout { type enumeration { enum "1" { value 0; description "1 second"; } enum "2" { value 1; description "2 seconds"; } enum "4" { value 2; description "4 seconds"; } enum "8" { value 3; description "8 seconds"; } enum "16" { value 4; description "16 seconds"; } } default "1"; description "Min retransmission timeout for control packets in seconds (default 1)"; } /* 0..86400 seconds, default 60. NOTE(review): the meaning of 0 is not stated here - confirm whether it disables the idle timeout. */ leaf idle-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } default "60"; description "Tunnel idle timeout value in seconds"; } leaf rx-window-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "4 .. 128"; } } default "4"; description "Tunnel Receive Window Size"; } /* Policy for a Tx IP address or UDP port change on a tunnel, per the leaf descriptions. The must constraints make accept exclusive with every ignore and reject variant, and forbid ignoring and rejecting the same attribute; ignoring one attribute while rejecting the other is permitted. NOTE(review): no leaf declares a default, so the behaviour when this container is absent is decided outside this schema - confirm it when hardening, since accept relaxes the check on where tunnel traffic comes from. */ container tx-address-change { presence "enable tx-address-change"; description "Tunnel Tx Address Change"; uses apply-advanced; leaf accept { junos:must "((!(".. ignore") && (!(".. ignore-ip-address") && (!(".. ignore-udp-port") && (!(".. reject") && (!(".. reject-ip-address") && !(".. reject-udp-port")))))))"; junos:must-message "Both Accept and Ignore/Reject are not allowed"; type empty; description "Accept Tx IP Address or UDP Port Change"; } leaf ignore { junos:must "((!(".. reject") && (!(".. reject-ip-address") && !(".. reject-udp-port"))))"; junos:must-message "Both ignore and reject are not allowed"; type empty; description "Ignore Tx IP Address or UDP Port Change"; } leaf ignore-ip-address { junos:must "((!(".. reject") && !(".. 
reject-ip-address")))"; junos:must-message "Both ignore-ip-address and reject-ip-address are not allowed"; type empty; description "Ignore Tx IP Address Change"; } leaf ignore-udp-port { junos:must "((!(".. reject") && !(".. reject-udp-port")))"; junos:must-message "Both ignore-udp-port and reject-udp-port are not allowed"; type empty; description "Ignore Tx UDP Port Change"; } /* The must constraint here names only ignore-ip-address and ignore-udp-port; the plain ignore leaf is excluded from its own side, by the must constraint on leaf ignore. */ leaf reject { junos:must "((!(".. ignore-ip-address") && !(".. ignore-udp-port")))"; junos:must-message "Both ignore and reject are not allowed"; type empty; description "Reject Tx IP Address or UDP Port Change"; } leaf reject-ip-address { junos:must "(!(".. ignore-ip-address"))"; junos:must-message "Both ignore-ip-address and reject-ip-address are not allowed"; type empty; description "Reject Tx IP Address Change"; } leaf reject-udp-port { junos:must "(!(".. ignore-udp-port"))"; junos:must-message "Both ignore-udp-port and reject-udp-port are not allowed"; type empty; description "Reject Tx UDP Port Change"; } } // container tx-address-change /* Per-tunnel session cap, default 65535; the uint32 branch declares no range. */ leaf maximum-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "65535"; description "Maximum number of sessions per tunnel"; } leaf failover-resync { type enumeration { enum "silent-failover" { value 0; description "Use silent failover as failover resync mechanism"; } enum "failover-protocol" { value 1; description "Use L2TP failover protocol as failover resync mechanism if peer supports"; } } description "Tunnel Failover Resync Mechanism"; } } // container tunnel /* 10..3600 seconds, default 300. */ leaf destruct-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 3600"; } } default "300"; description "The destruct timeout in seconds"; } /* Must name a profile that exists under [access tunnel-switch-profile], per the must constraint. */ leaf tunnel-switch-profile { junos:must "("access tunnel-switch-profile $$")"; junos:must-message "Referenced tunnel switch profile must be defined"; type string { length "1 .. 
63"; } description "Default tunnel switch profile name"; } container destination { presence "enable destination"; description "System wide destination attributes"; uses l2tp_destination_object; } // container destination container access-line-information { presence "enable access-line-information"; description "Enable system wide sending of access-line attributes"; uses l2tp_access_line_object; } // container access-line-information list session-limit-group { key "name"; ordered-by user; description "Session-limit-group configuration"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the group"; } uses apply-advanced; leaf maximum-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of sessions per tunnel-group"; } } // list session-limit-group leaf enable-ipv6-services-for-lac { type empty; description "Enable IPv6 services for LAC sessions"; } leaf enable-snmp-tunnel-statistics { type empty; description "Enable L2TP tunnel statistics for availability via SNMP"; } } // container l2tp container adaptive-services-pics { description "Adaptive Services PIC daemon configuration"; uses apply-advanced; container traceoptions { description "Adaptive Services PIC daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "routing-socket" { value 0; description "Trace routing socket events"; } enum "routing-protocol" { value 1; description "Trace routing protocol events"; } enum "service-identification" { value 2; description "Trace service-identification events"; } enum "configuration" { value 3; description "Trace configuration events"; } enum "ipc" { value 4; description "Trace IPC related events"; } enum "kernel-object" { value 5; description "Trace kernel object management"; } enum "snmp" { value 6; description "Trace SNMP operations"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // container traceoptions } // container adaptive-services-pics container license-management { description "Configure license management server"; uses apply-advanced; container license-server { presence "enable license-server"; uses apply-advanced; leaf ip-address { type jt:ipv4addr; description "Address of the license log server"; } leaf log-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 
86400"; } } default "300"; description "Time interval to send data to Log Collector"; } leaf-list services { type enumeration { enum "jflow" { value 0; description "Jflow Service"; } enum "cgnat" { value 1; description "CGNAT Service"; } enum "firewall" { value 2; description "Firewall Service"; } } ordered-by user; description "List of services that require throughput data export"; } } // container license-server } // container license-management container rtlog { presence "enable rtlog"; description "Secure log daemon options"; uses apply-advanced; container traceoptions { description "Security log daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "List of things to include in trace"; leaf name { type enumeration { enum "source" { value 0; description "Communication with security log forwarder"; } enum "configuration" { value 1; description "Reading of configuration"; } enum "all" { value 2; description "Everything"; } enum "report" { value 3; description "Trace report"; } enum "hpl" { value 4; description "Trace HPL logging"; } } } } // list flag } // container traceoptions } // container rtlog container soft-gre { presence "enable soft-gre"; description "Soft GRE tunnel definitions"; uses apply-advanced; list tunnel-group { key "name"; ordered-by user; uses soft_gre_tunnel_group_object; } // list tunnel-group } // container soft-gre container service-interface-pools { description "Configure service interface pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service interface pool"; uses service_interface_pool_object; } // list pool } // container service-interface-pools container hosted-services { description "Configuration for services performed in the remote server"; uses apply-advanced; list client-profile { key "name"; ordered-by user; description "Configure client profile"; leaf name { type string { length "3 .. 
32";
            }
            description "Client profile name";
          }
          uses apply-advanced;
          // Encapsulation used toward the remote server. GRE, UDP and TCP give
          // no confidentiality or integrity on their own, and no key or
          // certificate leaf is visible in this list -- presumably protection
          // of the path is configured elsewhere; TODO confirm.
          leaf transport-type {
            type enumeration {
              enum "GRE" { value 0; description "GRE"; }
              enum "UDP" { value 1; description "UDP"; }
              enum "TCP" { value 2; description "TCP"; }
            }
            description "Transport type";
          }
          leaf client-address {
            type jt:ipv4addr;
            description "Client address";
          }
          leaf hosted-service-identifier {
            type union {
              // String member accepts "<...>" or "$..." forms (presumably Junos
              // wildcard/variable placeholders). Values taking this branch are
              // not checked against the 1..63 range by the schema.
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 63"; }
            }
            description "Identifier for the service performed on the remote server";
          }
        } // list client-profile
        // Server-side counterpart of client-profile: the same transport and
        // identifier leaves, plus the server's own IPv4 address.
        list server-profile {
          key "name";
          ordered-by user;
          description "Configure server profile";
          leaf name {
            type string { length "3 .. 32"; }
            description "Server profile name";
          }
          uses apply-advanced;
          leaf transport-type {
            type enumeration {
              enum "GRE" { value 0; description "GRE"; }
              enum "UDP" { value 1; description "UDP"; }
              enum "TCP" { value 2; description "TCP"; }
            }
            description "Transport type";
          }
          leaf server-address {
            type jt:ipv4addr;
            description "Server address";
          }
          leaf client-address {
            type jt:ipv4addr;
            description "Client address";
          }
          leaf hosted-service-identifier {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 63"; }
            }
            description "Identifier for the service performed in the remote server";
          }
        } // list server-profile
      } // container hosted-services
      // jflow-log: names the collectors that receive flow-log records
      // (collector, collector-group) and the template form used to export
      // them (template-profile).
      container jflow-log {
        presence "enable jflow-log";
        description "Configure jflow-logging parameters for services";
        uses apply-advanced;
        list collector {
          key "name";
          ordered-by user;
          description "Collector attributes";
          leaf name {
            type string { length "1 .. 63"; }
            description "Profile name";
          }
          uses apply-advanced;
          // NOTE(review): the pattern also admits '.', which the
          // pattern-message does not mention. Dots are needed for dotted IPv4
          // addresses and host names, so the message is incomplete rather
          // than the pattern too loose. No length bound is set on this
          // string. A host name here presumably implies a name lookup by the
          // exporter -- confirm which resolver it uses.
          leaf destination-address {
            type string {
              junos:posix-pattern "^[[:alnum:]._-]+$";
              junos:pattern-message "Must be a string of letters, numbers, dashes or underscores";
            }
            description "IPv4 Address or hostname of the collector";
          }
          leaf destination-port {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint16 {
                range "1 .. 
65535"; } } description "Destination port of the collector"; } leaf source-ip { type jt:ipv4addr; description "Source IPv4 Address from which logging is to be done"; } } // list collector list collector-group { key "name"; ordered-by user; leaf name { type string { length "1 .. 63"; } description "Name of collector-group"; } uses apply-advanced; leaf-list collector { type string { length "1 .. 63"; } max-elements 8; ordered-by user; description "List of Collector profiles"; } } // list collector-group list template-profile { key "name"; ordered-by user; leaf name { junos:must "((any ".. collector <*>" || any ".. collector-group <*>"))"; junos:must-message "template-profile must have a collector or collector-group configured"; type string { length "1 .. 63"; } description "Specify name of the template"; } uses apply-advanced; leaf collector { junos:must "(!(any ".. collector-group <*>"))"; junos:must-message "Collector-group is already configured for this template"; junos:must "("services jflow-log collector $$")"; junos:must-message "The referenced collector is not defined"; type string { length "1 .. 63"; } description "Specify a collector name"; } leaf-list collector-group { junos:must "(!(any ".. collector <*>"))"; junos:must-message "Collector is already configured for this template profile"; type string { length "1 .. 63"; } max-elements 1; ordered-by user; description "Specify a collector-group name"; } leaf template-type { type enumeration { enum "nat" { value 0; description "Enable jflow-logs for NAT events"; } } description "Allow jflow-log for applications"; } leaf version { type enumeration { enum "v9" { value 0; description "Version 9"; } enum "ipfix" { value 1; description "Ipfix"; } } description "Version of jflow-logging"; } container refresh-rate { presence "enable refresh-rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
48000"; } } default "4800"; description "Specify number of packets after which templates are sent to collector"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1800"; } } default "1800"; description "Specify number of seconds after which templates are sent to collector"; } } // container refresh-rate } // list template-profile container traceoptions { description "Trace options for JFLOW-LOG"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions } // container jflow-log container service-device-pools { description "Configure service device pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service device pool"; uses service_device_pool_object; } // list pool } // container service-device-pools container redundancy-set { description "Redundancy-set settings"; uses apply-advanced; container traceoptions { description "Services redundancy trace options"; uses srd-traceoptions-object; } // container traceoptions list rs-id-object { key "name"; ordered-by user; description "Definition of redundancy-set"; uses srd-rs-id-object; } // list rs-id-object } // container redundancy-set container analytics { presence "enable analytics"; description "Traffic analytics configuration options"; uses apply-advanced; container zero-suppression { presence "enable zero-suppression"; description "Configure suppression of zeros for GRPC sensors"; uses apply-advanced; leaf no-zero-suppression { type empty; description "Disable zero suppression"; } } // container zero-suppression list streaming-server { key "name"; ordered-by user; description "Define Telemetry data servers"; leaf name { type string { length "1 .. 
128";
            }
            description "Telemetry App server Name";
          }
          uses apply-advanced;
          // Destination of exported telemetry. Only an address, a port, a
          // transport and the dialout flag are modelled in this list; no TLS,
          // credential or peer-restriction leaf is visible here. With "udp"
          // the export has no transport-level confidentiality or integrity;
          // for "grpc" channel security is presumably configured outside this
          // list -- TODO confirm.
          leaf remote-address {
            type jt:ipaddr;
            description "Telemetry server IP address";
          }
          // NOTE(review): plain uint16 with no range, so port 0 passes schema
          // validation; some other port leaves in this module (e.g. jflow-log
          // collector destination-port) use range "1 .. 65535".
          leaf remote-port {
            type union {
              type uint16;
              type string { pattern "<.*>|$.*"; }
            }
            description "Telemetry server Port";
          }
          leaf transport {
            type enumeration {
              enum "udp" { value 0; description "Use UDP transport protocol"; }
              enum "grpc" { value 1; description "Use grpc transport"; }
            }
            description "Telemetry export transport protocol";
          }
          leaf dialout {
            type empty;
            description "Supports dynamic dialout subscriptions";
          }
        } // list streaming-server
        // Per-profile settings for exported packets: source address and port,
        // QoS marking, reporting interval, payload size, record format and
        // transport.
        list export-profile {
          key "name";
          ordered-by user;
          description "Telemetry export profile name";
          leaf name {
            type string { length "1 .. 128"; }
            description "Telemetry export profile name";
          }
          uses apply-advanced;
          // Source address is typed jt:ipv4addr, while streaming-server
          // remote-address above is typed jt:ipaddr.
          leaf local-address {
            type jt:ipv4addr;
            description "Source address for exported packets";
          }
          // Same as remote-port: uint16 with no range, so 0 is schema-valid.
          leaf local-port {
            type union {
              type uint16;
              type string { pattern "<.*>|$.*"; }
            }
            description "Source port for exported packets";
          }
          leaf dscp {
            type union {
              // String member accepts "<...>" or "$..." forms (presumably
              // Junos wildcard/variable placeholders); such values are not
              // range-checked by the schema.
              type string { pattern "<.*>|$.*"; }
              type uint8 { range "0 .. 63"; }
            }
            description "DSCP value for exported packets";
          }
          leaf forwarding-class {
            type string { length "1 .. 64"; }
            description "Forwarding-class for exported packets, applicable only for PFE sensors";
          }
          leaf loss-priority {
            type enumeration {
              enum "low" { value 0; description "Marking when loss priority is low"; }
              enum "high" { value 1; description "Marking when loss priority is high"; }
              enum "medium-low" { value 2; description "Marking when loss priority is medium-low"; }
              enum "medium-high" { value 3; description "Marking when loss priority is medium-high"; }
            }
            description "Packet Loss Priority for exported packets, applicable only for PFE sensors";
          }
          leaf reporting-rate {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 {
                range "0 .. 
86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf payload-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1400 .. 9192"; } } units "bytes"; default "5000"; description "Telemetry payload size"; } leaf format { type enumeration { enum "gpb" { value 0; description "Use gpb format"; } enum "gpb-sdm" { value 1; description "Use gpb self-describing-message format"; } enum "gpb-gnmi" { value 2; description "Use gnmi format for gpb messages"; } enum "json-gnmi" { value 3; description "Use gnmi format for json messages"; } } description "Telemetry export record format"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } } // list export-profile list sensor { junos:must "(!("system services cloud-analytics instance"))"; junos:must-message "Cloud analytics shoud not be defined"; key "name"; ordered-by user; description "Define Telemetry sensors"; leaf name { type string { length "1 .. 128"; } description "Name of the sensor"; } uses apply-advanced; leaf-list server-name { type string { length "1 .. 128"; } ordered-by user; description "Define Telemetry server "; } leaf export-name { type string { length "1 .. 128"; } description "Define Telemetry export profiles"; } leaf polling-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } units "nanoseconds"; status deprecated; description "Define sensor polling interval in nano secs (1 .. 4294967295)"; } leaf resource { type string { length "1 .. 255"; } description "System resource identifier string"; } leaf resource-filter { type string { length "1 .. 1024"; } description "Regexp for filtering resource instances (1 .. 
1024)"; } leaf subscription-id { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Subscription ID (Used internally to group sensors)"; } leaf suppress-zeros { type empty; description "Supress zeros while data export"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf-list end-of-sync-identifiers { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 64"; } } max-elements 10; ordered-by user; description "Set of end-of-syncs for this sensor"; } leaf target-defined { type empty; description "Allow target to decide periodic, on-change or mix"; } leaf life-time { type enumeration { enum "long-lived" { value 0; description "A long-lived subscription"; } enum "one-off" { value 1; description "An one-off subscription"; } } description "Denotes sensor life-time"; } } // list sensor container agent { description "Configure analytics agent"; uses apply-advanced; list service-agents { key "name"; ordered-by user; description "Analytics service agent configuration"; leaf name { type string; description "Analytics service agent name"; } uses apply-advanced; container inputs { description "List of input plugins"; uses apply-advanced; container input-jti-ipfix { presence "enable input-jti-ipfix"; description "Junos grpc IPFIX group plugin"; uses apply-advanced; container parameters { presence "enable parameters"; uses apply-advanced; list record-group { key "name"; max-elements 10; ordered-by user; description "Group sensors"; leaf name { type string; description "Group sensors"; } uses apply-advanced; leaf reporting-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 
86400"; } } default "900"; description "Reporting-interval"; } leaf-list record { type enumeration { enum "port-statistics" { value 0; description "Port statistics"; } enum "address-pool-utilization" { value 1; description "Address pool utilization"; } enum "dhcpv4-server-stats" { value 2; description "Dhcpv4 server statistics"; } enum "thermal" { value 3; description "Thermal statistics"; } enum "chassis-inventory" { value 4; description "Chassis inventory details"; } enum "chassis-power" { value 5; description "Chassis power details"; } enum "resource-utilization" { value 6; description "Resource utilization details"; } enum "uptime" { value 7; description "Uptime value"; } enum "subscriber-statistics" { value 8; description "Subscriber statistics"; } enum "interface-metadata" { value 9; description "Interface metadata details"; } enum "interface-queue-statistics" { value 10; description "Interface Queue statistics"; } } ordered-by user; description "Ipfix record name"; } } // list record-group } // container parameters } // container input-jti-ipfix container input-ipfix { presence "enable input-ipfix"; description "Junos IPFIX Mediator input plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of IPFIX parameters"; uses apply-advanced; leaf tcp-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Listening TCP Port for IPFIX Mediator"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500";
                      }
                    }
                    description "Maximum TCP Connections 1..500";
                  }
                  // Free-form string: no length, pattern or junos:must tying
                  // it to a configured routing instance at schema level.
                  leaf vrf-name {
                    type string;
                    description "VRF name on which IPFIX packets are accepted";
                  }
                } // container parameters
              } // container input-ipfix
              // Telemetry input plugin of a service agent: sampling interval,
              // the sensor paths to collect, and optional tag generation.
              container analytics {
                presence "enable analytics";
                description "Junos Telemetry plugin";
                uses apply-advanced;
                container parameters {
                  presence "enable parameters";
                  description "List of key:value parameters";
                  uses apply-advanced;
                  // 0 is schema-valid; what a zero interval means is not
                  // stated in this module.
                  leaf sample-frequency {
                    type union {
                      type string { pattern "<.*>|$.*"; }
                      type uint32 { range "0 .. 86400"; }
                    }
                    units "seconds";
                    default "5";
                    description "Interval for sensor data in seconds, max 24 hours";
                  }
                  // One string holding several paths; only the total length
                  // (1..2048) is constrained, not the individual paths.
                  leaf sensors {
                    type string { length "1 .. 2048"; }
                    description "Space separated list of sensor paths";
                  }
                  leaf generate-tags {
                    type empty;
                    description "Enable generation of tags";
                  }
                } // container parameters
              } // container analytics
            } // container inputs
            // At most one output plugin per service agent (max-elements 1).
            list outputs {
              key "name";
              max-elements 1;
              ordered-by user;
              description "List of output plugins";
              uses output-plugin;
            } // list outputs
          } // list service-agents
          // Log level and log file name for the analytics agent.
          container traceoptions {
            presence "enable traceoptions";
            uses apply-advanced;
            leaf flag {
              type enumeration {
                enum "trace" { value 0; description "Log level TRACE, will trace everything"; }
                enum "debug" { value 1; description "Log level DEBUG, will trace debug messages"; }
                enum "info" { value 2; description "Log level INFO"; }
                enum "error" { value 3; description "Log level ERROR, will trace all error messages"; }
              }
              description "Set log level for tracing";
            }
            // NOTE(review): unlike the "traceoptions file filename" leaves
            // elsewhere in this module, which carry posix-pattern "![/ %]"
            // and length "1 .. 1024", this filename is an unconstrained
            // string. Whether the agent confines it to its log directory
            // cannot be seen from the schema -- verify that path separators
            // are rejected downstream.
            leaf filename {
              type string;
              default "ntf-agent.log";
              description "Configure filename for trace messages";
            }
          } // container traceoptions
        } // container agent
        // Trace settings for the analytics service itself (file, flags).
        container traceoptions {
          description "Traffic analytics trace options";
          uses apply-advanced;
          // Only accepted when [system tracing] is configured (junos:must).
          leaf no-remote-trace {
            junos:must "("system tracing")";
            junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
            type empty;
            description "Disable remote tracing";
          }
          container file {
            description "Trace 
file information";
            // Negated pattern: the name may not contain '/', '%' or a space.
            // Rejecting '/' keeps the value a bare file name rather than a
            // path -- presumably so it cannot point outside the trace
            // directory; confirm against the daemon.
            leaf filename {
              type string {
                junos:posix-pattern "![/ %]";
                junos:pattern-message "Must not contain '/', % or a space";
                length "1 .. 1024";
              }
              description "Name of file in which to write trace information";
            }
            // Untyped size string: no pattern or range is applied here.
            leaf size {
              type string;
              description "Maximum trace file size";
            }
            leaf files {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "2 .. 1000"; }
              }
              default "3";
              description "Maximum number of trace files";
            }
            // Mutually exclusive file-permission switches. Trace output can
            // include configuration and traffic detail, so world-readable
            // exposes it to every local user. The choice has no default
            // case, so the effective default comes from the daemon rather
            // than this schema -- TODO confirm.
            choice world-readable-choice {
              leaf world-readable {
                type empty;
                description "Allow any user to read the log file";
              }
              leaf no-world-readable {
                type empty;
                description "Don't allow any user to read the log file";
              }
            } // choice world-readable-choice
            // Operator-supplied regular expression; only the
            // jt:regular-expression typedef (defined outside this module)
            // constrains it.
            leaf match {
              type jt:regular-expression;
              description "Regular expression for lines to be logged";
            }
          } // container file
          list flag {
            key "name";
            description "Tracing parameters";
            leaf name {
              type enumeration {
                // NOTE(review): "all" is described as "Trace configuration
                // events", which overlaps with "configuration" below; other
                // traceoptions flag lists in this module describe "all" as
                // "Trace everything" / "Trace all events". Looks like a
                // copy-paste slip in the help text.
                enum "all" { value 0; description "Trace configuration events"; }
                enum "configuration" { value 1; description "Log configuration events"; }
                enum "rtsock" { value 2; description "Trace rtsock message events"; }
                enum "client-server" { value 3; description "Trace client-server events"; }
                enum "interface" { value 4; description "Trace interface update events"; }
                enum "xmlproxy" { value 5; description "Trace xmlproxy events"; }
              }
            }
            leaf disable {
              type empty;
              description "Disable this trace flag";
            }
          } // list flag
        } // container traceoptions
        // Named export profiles: stream format plus which interface and
        // system data are streamed. Referenced by name from
        // "collector address port transport export-profile".
        list export-profiles {
          key "name";
          ordered-by user;
          description "Mapping of export-profiles to collectors";
          leaf name {
            type string {
              length "1 .. 
64"; } description "Export profile name"; } uses apply-advanced; leaf stream-format { type enumeration { enum "gpb" { value 0; description "Google protocol buffer format"; } enum "json" { value 1; description "Java script object notation format"; } enum "csv" { value 2; description "Comma separated value"; } enum "tsv" { value 3; description "Tab separated value"; } } default "gpb"; description "Streaming data format"; } container interface { presence "enable interface"; description "Interface specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of interface information"; } container statistics { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of interface traffic statistics"; } leaf queue { type empty; description "Enable streaming of interface queue statistics"; } } // container statistics container status { description "Type of statistics to stream"; uses apply-advanced; leaf link { type empty; description "Enable streaming of interface link status"; } leaf traffic { type empty; description "Enable streaming of interface traffic status"; } leaf queue { type empty; description "Enable streaming of interface queue status"; } } // container status } // container interface container system { presence "enable system"; description "Interface specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of system information"; } container status { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of system traffic status"; } leaf queue { type empty; description "Enable streaming of system queue status"; } } // container status } // container system } // list export-profiles list resource-profiles { key "name"; ordered-by user; description "Mapping of resource profiles to interfaces/queues/system"; leaf name { type string { length "1 
.. 64"; } description "Export profile name"; } uses apply-advanced; choice queue-monitoring-choice { leaf queue-monitoring { type empty; description "Enable queue statistics monitoring"; } leaf no-queue-monitoring { type empty; description "Don't enable queue statistics monitoring"; } } // choice queue-monitoring-choice choice traffic-monitoring-choice { leaf traffic-monitoring { type empty; description "Enable traffic statistics monitoring"; } leaf no-traffic-monitoring { type empty; description "Don't enable traffic statistics monitoring"; } } // choice traffic-monitoring-choice container depth-threshold { junos:must "(!(".. latency-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Depth threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "High queue depth threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "Low queue depth threshold"; } } // container depth-threshold container latency-threshold { junos:must "(!(".. depth-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Latency threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000000"; } } units "nanoseconds"; description "High latency threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100000000"; } } units "nanoseconds"; description "Low latency threshold"; } } // container latency-threshold } // list resource-profiles container resource { presence "enable resource"; uses apply-advanced; container system { description "System configuration options"; uses apply-advanced; leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "binded resource-profile in not configured"; type string { length "1 .. 64"; } description "Resouce profile name"; } container polling-interval { description "Polling interval"; uses apply-advanced; leaf traffic-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; description "Traffic statistics polling interval"; } leaf queue-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container polling-interval } // container system container interfaces { description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces } // container resource container collector { description "Remote streaming servers configuration options"; uses apply-advanced; container local { description "Remote streaming servers configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "10"; description "Maximum number of trace files"; } } // container file } // container local list address { key "name"; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port number"; } uses apply-advanced; list transport { key "name"; description "Transport protocol"; leaf name { type enumeration { enum "tcp" { value 0; description "Transmission control protocol"; } enum "udp" { value 1; description "User datagram protocol"; } } } uses apply-advanced; leaf export-profile { junos:must "("services analytics export-profiles $$")"; junos:must-message "binded export-profiles in not configured"; type string { length "1 .. 64"; } description "Export profile name"; } } // list transport } // list port } // list address } // container collector container traffic-statistics { status deprecated; description "Traffic statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
300"; } } units "seconds"; description "Traffic statistics polling interval"; } } // container traffic-statistics container queue-statistics { status deprecated; description "Microburst statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container queue-statistics container interfaces { status deprecated; description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces container streaming-servers { status deprecated; description "Remote streaming servers configuration options"; uses apply-advanced; list address { key "name"; ordered-by user; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } description "Port number"; } uses apply-advanced; leaf stream-format { type enumeration { enum "json" { value 0; description "Javascript object notation"; } enum "csv" { value 1; description "Comma separated value"; } enum "tsv" { value 2; description "Tab separated value"; } } description "Streaming data format"; } list stream-type { key "name"; description "Type of statistics to stream"; leaf name { type enumeration { enum "traffic-statistics" { value 0; description "Enable streaming of traffic statistics"; } enum "queue-statistics" { value 1; description "Enable streaming of queue statistics"; } } } uses apply-advanced; } // list stream-type } // list port } // list address } // container streaming-servers } // container analytics container traffic-load-balance { description "Traffic load balance configuration"; uses tdir_service_load_balance_object; } // container traffic-load-balance container network-monitoring { description "Network monitoring probe configuration"; uses tdir_netmon_object; } // container network-monitoring container policies { presence "enable policies"; uses policy-object-type; } // container policies list address-book { key "name"; max-elements 4096; ordered-by user; description "Services address book"; uses named-address-book-type; } // list address-book container traceoptions { description "Network security daemon tracing options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "routing-socket" { value 1; description "Trace routing socket events"; } enum "compilation" { value 2; description "Trace compilation events"; } enum "all" { value 3; description "Trace everything"; } } } } // list flag leaf rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } default "0"; description "Limit the incoming rate of trace messages"; } } // container traceoptions container web-filter { description "Web Filtering service configuration"; uses apply-advanced; leaf multi-tenant-support { type empty; description "Enable multi-tenant-support"; } container multi-tenant-hash { junos:must "(".. 
multi-tenant-support")";
          // The line above completes the junos:must of container
          // multi-tenant-hash, which is opened at the end of the previous line.
          junos:must-message "Hashed file configuration only relevant in multi-tenant mode";
          description "Multi-tenant hashed file configuration";
          uses dnsf-multitenant-hash-object;
        } // container multi-tenant-hash
        list profile {
          key "name";
          max-elements 8;
          ordered-by user;
          description "Web Filter profile";
          uses urlf-profile-object;
        } // list profile
        container traceoptions {
          description "Trace options for Web Filter ";
          uses urlf-traceoptions-object;
        } // container traceoptions
      } // container web-filter
    } // container services
  } // grouping services-group

  // aacl_rule_object: one named AACL rule, made of a match-direction and an
  // ordered list of terms. The two junos:must statements on `dynamic` reject
  // combining it with `term` or `match-direction` (see their must-messages).
  //
  // NOTE(review): as rendered here the junos:must arguments nest double quotes
  // with no backslash escapes; presumably the escapes were lost in extraction.
  // Confirm against the vendor file before feeding this text to a YANG parser.
  grouping aacl_rule_object {
    // Rule name: 1..63 characters, first one alphanumeric, the rest letters,
    // digits, '-' or '_' (per the pattern-message).
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf dynamic {
      junos:must "(!(".. term"))";
      junos:must-message "term can't be combined with dynamic";
      junos:must "(!(".. match-direction"))";
      junos:must-message "match-direction can't be combined with dynamic";
      type empty;
      description "Make rule dynamic";
    }
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match on input to or output from interface"; }
      }
      description "Direction for which the rule match is applied";
    }
    // Terms keep the order the operator entered them in (ordered-by user).
    list term {
      key "name";
      ordered-by user;
      description "One or more terms in AACL rule";
      // Term name: same character rules as the rule name above.
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 
63";
        }
        description "Term name";
      } // end of the term's `leaf name`, opened on the previous line
      uses apply-advanced;
      // from: match side of an AACL term; its contents come from aacl_match_object.
      container from {
        presence "enable from";
        description "Match criteria";
        uses aacl_match_object;
      } // container from
      // then: action side of an AACL term. forwarding-class and count below
      // each carry two junos:must constraints: not together with `discard`,
      // and only together with `accept` (per the must-messages).
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        leaf forwarding-class {
          junos:must "(!(".. discard"))";
          junos:must-message "Forwarding class must not be combined with Discard";
          junos:must "(".. accept")";
          junos:must-message "Forwarding class must be combined with Accept";
          // Any 1..64 characters are accepted; the pattern does not restrict the character set.
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        }
        leaf count {
          junos:must "(!(".. discard"))";
          junos:must-message "Count must not be combined with Discard";
          junos:must "(".. accept")";
          junos:must-message "Count must be combined with Accept";
          type enumeration {
            enum "none" { value 0; description "Do not count any application or group"; }
            enum "application" { value 1; description "Count by application name"; }
            // Rejected when the term's `from` matches applications,
            // nested-applications or either "unknown" leaf (see the must-message).
            enum "application-group" {
              junos:must "((!(".. .. from applications") && (!(".. .. from nested-applications") && (!(".. .. from application-unknown") && !(".. .. from nested-application-unknown")))))";
              junos:must-message "Count application-group only applies to application-group match";
              value 2;
              description "Count by application group";
            }
            // Requires `from application-group-any` in the same term.
            enum "application-group-any" {
              junos:must "(".. .. from application-group-any")";
              junos:must-message "Count application-group-any only applies to rule application-group-any";
              value 3;
              description "Count all application groups as a single total in group 'any'";
            }
            enum "nested-application" { value 4; description "Count by nested application name"; }
          }
          description "Count packets by application or Application group";
        }
        // The junos:must of `leaf log` is split here by the page's line wrap
        // and continues on the next line.
        leaf log {
          junos:must "(" .. .. .. 
match-direction input-output")";
          // The line above ends the junos:must of `leaf log`, opened on the
          // previous line: session logging is only accepted when the rule's
          // match-direction is input-output (see the must-message).
          junos:must-message "Log session must be with match-direction input-output only";
          type enumeration {
            enum "none" { value 0; description "Do not log session information"; }
            enum "session-start" { value 1; description "Log session start information for this match"; }
            enum "session-start-end" { value 2; description "Log session start/end information for this match"; }
            enum "session-start-end-no-stats" { value 3; description "Log session start/end information with no stats"; }
            // The two values that log interim statistics are rejected with the discard action.
            enum "session-start-interim-end" {
              junos:must "(!(".. discard"))";
              junos:must-message "Interim stats not allowed with discard action";
              value 4;
              description "Log session start/interim/end information for this match";
            }
            enum "session-interim-end" {
              junos:must "(!(".. discard"))";
              junos:must-message "Interim stats not allowed with discard action";
              value 5;
              description "Log session interim/end information for this match";
            }
            enum "session-end" { value 6; description "Log session end information for this match"; }
          }
          description "Log session information for this application match";
        }
        // police: name of a policer applied to matched traffic. Its second
        // junos:must is split by the page's line wrap and continues on the next line.
        leaf police {
          junos:must "(!(".. discard"))";
          junos:must-message "Police must not be combined with Discard";
          junos:must "(".. 
accept")";
          // The line above ends a junos:must of `leaf police`, opened on the previous line.
          junos:must-message "Police must be combined with Accept";
          // Reference check: per the must-message, the policer named here has
          // to be defined under `firewall policer`.
          junos:must "("firewall policer $$")";
          junos:must-message "referenced firewall policer must be defined";
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Policer name";
        }
        // accept and discard are the two cases of one choice, so a term
        // carries at most one of them.
        choice designation {
          leaf accept { type empty; description "Accept the packet"; }
          leaf discard { type empty; description "Discard the packet"; }
        } // choice designation
      } // container then
    } // list term
  } // grouping aacl_rule_object

  // aacl_match_object: match criteria for an AACL term: source/destination
  // addresses, address ranges and prefix lists, plus one application selector.
  grouping aacl_match_object {
    uses apply-advanced;
    list source-address {
      key "name";
      ordered-by user;
      description "Match IP source address";
      uses sfw_addr_object;
    } // list source-address
    list destination-address {
      key "name";
      ordered-by user;
      description "Match IP destination address";
      uses sfw_addr_object;
    } // list destination-address
    // Ranges are keyed by the (low, high) pair. No statement here requires
    // low <= high; any such check is not visible in this model.
    list source-address-range {
      key "low high";
      ordered-by user;
      description "Match IP source address range";
      leaf low { type jt:ipaddr; description "Lower limit of address range"; }
      leaf high { type jt:ipaddr; description "Upper limit of address range"; }
      leaf except { type empty; description "Match address not in this prefix"; }
    } // list source-address-range
    // NOTE(review): `name` is a plain string with no junos:must tying it to a
    // defined prefix list, whereas cpcd-match-object-type's
    // destination-prefix-list carries one. Confirm whether a dangling
    // reference is caught elsewhere.
    list source-prefix-list {
      key "name";
      ordered-by user;
      description "One or more named lists of source prefixes to match";
      leaf name { type string; description "Name of prefix list to match against"; }
      leaf except { type empty; description "Name of prefix list not to match against"; }
    } // list source-prefix-list
    list destination-address-range {
      key "low high";
      ordered-by user;
      description "Match IP destination address range";
      leaf low { type jt:ipaddr; description "Lower limit of address range"; }
      leaf high { type jt:ipaddr; description "Upper limit of address range"; }
      leaf except { type empty; description "Match address not in this prefix"; }
    } // list destination-address-range
    // The body of this list continues on the next line.
    list destination-prefix-list {
      key "name";
      ordered-by user; 
description "One or more named lists of destination prefixes to match";
      // Still inside aacl_match_object's list destination-prefix-list, opened
      // on the previous line. NOTE(review): as with source-prefix-list, `name`
      // has no junos:must requiring the prefix list to exist.
      leaf name { type string; description "Name of prefix list to match against"; }
      leaf except { type empty; description "Name of prefix list not to match against"; }
    } // list destination-prefix-list
    // One application selector per term: the six nodes below are alternative
    // cases of a single choice.
    choice app-rule {
      leaf application-group-any { type empty; description "Use to wildcard or match any application group"; }
      leaf application-unknown { type empty; description "Use to specify unknown application as the match criteria."; }
      leaf nested-application-unknown { type empty; description "Use to specify unknown nested application as the match criteria."; }
      leaf-list applications { type string; ordered-by user; description "Match one or more applications"; }
      leaf-list nested-applications { type string; ordered-by user; description "Match one or more nested-applications"; }
      // NOTE(review): the description repeats the `applications` text;
      // presumably it should refer to application groups.
      leaf-list application-groups { type string; ordered-by user; description "Match one or more applications"; }
    } // choice app-rule
  } // grouping aacl_match_object

  // aamwd-traceoptions: trace settings for the advanced anti-malware service:
  // where trace output is written, who may read it, and which events are traced.
  grouping aamwd-traceoptions {
    description "Advanced anti-malware trace options";
    uses apply-advanced;
    // Only accepted when [system tracing] is configured (see the must-message).
    // NOTE(review): the nested double quotes in the junos:must argument have
    // no backslash escapes as rendered here; confirm against the vendor file.
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // 1..1024 characters; per the pattern-message the name must not contain
      // '/', '%' or a space, so it cannot carry a directory separator.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      // Plain string: no pattern or range for the size is declared here.
      leaf size { type string; description "Maximum trace file size"; }
      // The range of `files` is split by the page's line wrap and continues on the next line.
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 {
            range "2 .. 
1000";
          }
        }
        default "3";
        description "Maximum number of trace files";
      } // end of `leaf files` (aamwd-traceoptions), opened on the previous line
      // Log-file permissions: `world-readable` lets any user read the trace
      // file (per its description). No default is declared for this choice in
      // the model. NOTE(review): trace output may expose operational detail,
      // so prefer no-world-readable unless broad read access is required.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      // Operator-supplied regular expression selecting which lines are
      // logged; the type comes from the imported junos-common-types module.
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    // No default is declared for `level` in this grouping
    // (cm-traceoptions-type declares default "error" for its own).
    leaf level {
      type enumeration {
        enum "error" { value 0; description "Match error conditions"; }
        enum "warning" { value 1; description "Match warning messages"; }
        enum "notice" { value 2; description "Match conditions that should be handled specially"; }
        enum "info" { value 3; description "Match informational messages"; }
        enum "verbose" { value 4; description "Match verbose messages"; }
        enum "all" { value 5; description "Match all levels"; }
      }
      description "Level of debugging output";
    }
    // Which subsystems to trace; each list entry is one flag name.
    list flag {
      key "name";
      ordered-by user;
      description "Trace flags";
      leaf name {
        type enumeration {
          enum "all" { value 0; description "Trace everything"; }
          enum "connection" { value 1; description "Trace the connection to server"; }
          enum "content" { value 2; description "Trace the content buffer management"; }
          enum "daemon" { value 3; description "Trace advanced-anti-malware daemon"; }
          enum "http" { value 4; description "Trace http protocol operations"; }
          enum "identification" { value 5; description "Trace file identification"; }
          enum "imap" { value 6; description "Trace imap protocol operations"; }
          enum "parser" { value 7; description "Trace protocol context parser"; }
          enum "plugin" { value 8; description "Trace advanced-anti-malware plugin"; }
          enum "policy" { value 9; description "Trace advanced-anti-malware policy"; }
          enum "smb" { value 10; description "Trace smb protocol operations"; }
          enum "smtp" { value 11; description "Trace smtp protocol operations"; }
        }
      }
    } // list flag
  } // grouping aamwd-traceoptions

  // action-object-type: preferred-route and interface enable/disable actions;
  // its body continues on the next line.
  grouping action-object-type {
    uses 
apply-advanced;
    // Still inside grouping action-object-type, opened on the previous line.
    // preferred-route: either withdraw the preferred route or list routes,
    // per routing instance or directly under this container.
    container preferred-route {
      description "Preferred route action";
      uses apply-advanced;
      leaf withdraw { type empty; description "Withdraw the preferred route"; }
      list routing-instances {
        key "name";
        ordered-by user;
        description "Routing-instance";
        // Plain string: no pattern or reference check on the instance name is declared here.
        leaf name { type string; }
        uses apply-advanced;
        list route {
          key "name";
          ordered-by user;
          description "Route";
          leaf name { type jt:ipprefix; }
          uses apply-advanced;
          // A route has either next hops or `discard`, never both (cases of one choice).
          choice next_hop {
            leaf-list next-hop {
              type union {
                type jt:ipaddr-or-interface;
                type string { pattern "<.*>|$.*"; }
              }
              ordered-by user;
              description "Next hop to destination of route-action";
            }
            leaf discard { type empty; description "Drop packets to destination; send no ICMP unreachables"; }
          } // choice next_hop
          leaf direct-next-hop { type empty; description "Accept only direct nexthop"; }
          leaf preferred-metric {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "1 .. 255"; }
            }
            description "Preferred metric value assigned to route action";
          }
        } // list route
      } // list routing-instances
      // Same route structure as above, this time directly under preferred-route.
      list route {
        key "name";
        ordered-by user;
        description "Route";
        leaf name { type jt:ipprefix; }
        uses apply-advanced;
        choice next_hop {
          leaf-list next-hop {
            type union {
              type jt:ipaddr-or-interface;
              type string { pattern "<.*>|$.*"; }
            }
            ordered-by user;
            description "Next hop to destination of route-action";
          }
          leaf discard { type empty; description "Drop packets to destination; send no ICMP unreachables"; }
        } // choice next_hop
        leaf direct-next-hop { type empty; description "Accept only direct nexthop"; }
        // The range of preferred-metric is split by the page's line wrap and
        // continues on the next line.
        leaf preferred-metric {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 {
              range "1 .. 
255";
            }
          }
          description "Preferred metric value assigned to route action";
        } // end of `leaf preferred-metric`, opened on the previous line
      } // list route
    } // container preferred-route
    // Per-interface action: enable and disable are cases of one choice, so
    // an entry carries at most one of them.
    list interface {
      key "name";
      ordered-by user;
      description "Interface enabling/disabling action";
      leaf name {
        type union {
          type jt:interface-wildcard;
          type string { pattern "<.*>|$.*"; }
        }
      }
      uses apply-advanced;
      choice action {
        leaf enable { type empty; description "Enable interface"; }
        leaf disable { type empty; description "Disable interface"; }
      } // choice action
    } // list interface
  } // grouping action-object-type

  // address-filter-type: names an address book and an address set. Both are
  // plain strings; no junos:must here checks that the referenced objects exist.
  grouping address-filter-type {
    description "IP address filter";
    uses apply-advanced;
    leaf address-book { type string; description "Referenced address book"; }
    leaf address-set {
      type string { length "1 .. 63"; }
      description "Referenced address set";
    }
  } // grouping address-filter-type

  // apply-advanced: configuration-group inheritance (apply-groups,
  // apply-groups-except) and apply-macro entries for commit-script
  // expansion. Most nodes in this module pull it in with `uses`.
  grouping apply-advanced {
    description "Apply advanced configuration logic";
    leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; }
    leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; }
    list apply-macro {
      key "name";
      ordered-by user;
      description "Macro and parameters for commit script expansion";
      uses apply-macro-type;
    } // list apply-macro
  } // grouping apply-advanced

  // apply-macro-type: a macro name plus keyed data entries. The name is an
  // unconstrained string; the data shape comes from macro-data-type, which is
  // not shown here. NOTE(review): these values are consumed by commit scripts
  // (per the descriptions), so such scripts should validate what they read.
  grouping apply-macro-type {
    description "Macro data for commit-script expansion";
    leaf name { type string; description "Name of the macro to be expanded"; }
    list data {
      key "name";
      uses macro-data-type;
    } // list data
  } // grouping apply-macro-type

  // batch-query-type: batch size (100..1000, default 200) and query interval.
  grouping batch-query-type {
    description "Batch query configuration";
    uses apply-advanced;
    leaf items-per-batch {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "100 .. 1000"; }
      }
      default "200";
      description "Items number per batch query";
    }
    // The range of query-interval is split by the page's line wrap and
    // continues on the next line.
    leaf query-interval {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 {
          range "1 .. 
60";
        }
      }
      units "seconds";
      default "5";
      description "Query interval";
    } // end of `leaf query-interval`, opened on the previous line
  } // grouping batch-query-type

  // bbefwa-trace-options-type: trace settings for the fixed wireless access
  // service: trace file, its readability, and the operations to trace.
  grouping bbefwa-trace-options-type {
    description "Trace options for fixed wireless access service";
    uses apply-advanced;
    // Only accepted when [system tracing] is configured (see the must-message).
    // NOTE(review): the nested double quotes in the junos:must argument have
    // no backslash escapes as rendered here; confirm against the vendor file.
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // 1..1024 characters; per the pattern-message the name must not contain
      // '/', '%' or a space, so it cannot carry a directory separator.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      // Plain string: no pattern or range for the size is declared here.
      leaf size { type string; description "Maximum trace file size"; }
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // Log-file permissions: `world-readable` lets any user read the trace
      // file (per its description). No default is declared for this choice in
      // the model. NOTE(review): the flags below include authentication and
      // tunnel operations, so prefer no-world-readable unless broad read
      // access is required.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    list flag {
      key "name";
      ordered-by user;
      description "Fixed wireless access operations to include in debugging trace";
      leaf name {
        type enumeration {
          enum "configuration" { value 0; description "Configuration operations"; }
          enum "cli" { value 1; description "Cli command operations"; }
          enum "general" { value 2; description "Miscellaneous operations"; }
          enum "statistics" { value 3; description "Statistics operations"; }
          enum "tunnel" { value 4; description "GTP-U Tunnel operations"; }
          enum "gateway" { value 5; description "Mobile management entity operations"; }
          enum "authentication" { value 6; description "Mme authentication operations"; }
          enum "infra" { value 7; description "Infrastructure operations"; }
          enum "all" { value 8; description "All operations"; }
        }
      }
    } // list flag
  } // grouping bbefwa-trace-options-type

  // bgp-logical-system: a logical-system name and its routing instances, for rpm.
  grouping bgp-logical-system {
    description "Logical systems configuration for rpm";
    // Per the pattern-message: up to 63 letters, digits, '-' or '_'. The
    // pattern's second alternative also appears to reject the literal name
    // "all" (presumably reserved; confirm).
    leaf name {
      type string {
        junos:posix-pattern "![^a-zA-Z0-9_-]|(^(all|.{64,})$)";
        junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores";
      }
      description "Logical system name";
    }
    uses apply-advanced;
    list routing-instances {
      key "name";
      description "Routing instances";
      uses bgp-routing-instances;
    } // list routing-instances
  } // grouping bgp-logical-system

  // bgp-routing-instances: one routing-instance entry for rpm. The name is an
  // unconstrained string in this model.
  grouping bgp-routing-instances {
    description "Routing-instance configuration for rpm";
    leaf name { type string; description "Routing instance name"; }
    uses apply-advanced;
  } // grouping bgp-routing-instances

  // cm-traceoptions-type: trace settings for SAEGW charging; same file
  // layout as the other traceoptions groupings in this module.
  grouping cm-traceoptions-type {
    description "Trace options for SAEGW charging";
    uses apply-advanced;
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // Same restriction as above: no '/', '%' or space in the file name.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      leaf size { type string; description "Maximum trace file size"; }
      // The range of `files` is split by the page's line wrap and continues on the next line.
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 {
            range "2 .. 
1000";
          }
        }
        default "3";
        description "Maximum number of trace files";
      } // end of `leaf files` (cm-traceoptions-type), opened on the previous line
      // Log-file permissions: `world-readable` lets any user read the trace
      // file (per its description). No default is declared for this choice in
      // the model. NOTE(review): trace output may expose operational detail,
      // so prefer no-world-readable unless broad read access is required.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    // Trace level; "error" is the declared default.
    leaf level {
      type enumeration {
        enum "error" { value 0; description "Match error conditions"; }
        enum "warning" { value 1; description "Match warning messages"; }
        enum "notice" { value 2; description "Match conditions that should be handled specially"; }
        enum "info" { value 3; description "Match informational messages"; }
        enum "verbose" { value 4; description "Match verbose messages"; }
        enum "all" { value 5; description "Match all levels"; }
      }
      default "error";
      description "Level of debugging output";
    }
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        type enumeration {
          enum "general" { value 0; description "Trace general events"; }
          enum "state-machine" { value 1; description "Trace state-machine events"; }
          enum "mirroring" { value 2; description "Trace mirroring events"; }
          enum "all" { value 3; description "Trace everything"; }
        }
      }
    } // list flag
  } // grouping cm-traceoptions-type

  // collector_destinations_type: one collector destination: a URL (FTP, per
  // the description) and the password used to access it.
  grouping collector_destinations_type {
    // Unconstrained string: the model does not restrict the URL scheme or host.
    leaf name { type string; description "FTP destination URL (allows {text} macros)"; }
    uses apply-advanced;
    // jt:unreadable is defined in the imported junos-common-types module and
    // is not shown here; presumably it marks the value as a secret. Confirm
    // how it is stored and displayed.
    // NOTE(review): FTP carries credentials and data without transport
    // encryption, so protection in transit depends on the network path.
    leaf password { type jt:unreadable; description "Password for accessing URL"; }
  } // grouping collector_destinations_type

  // collector_transfer_log_archive_type: naming, ageing and archive sites for
  // the transfer log.
  grouping collector_transfer_log_archive_type {
    uses apply-advanced;
    // 1..32 characters from letters, digits, '.', '_' and '-'. '/' is not in
    // the class, so the prefix cannot carry a directory separator; '.' is
    // allowed in any position, including the first.
    leaf filename-prefix {
      type string {
        junos:posix-pattern "^[.A-Za-z0-9_-]{1,32}$";
        junos:pattern-message "Filename prefix is a string consisting of up to 32 letters, numbers, dashes, points and underscores";
      }
      description "Filename prefix for transfer log";
    }
    // The union type of maximum-age continues on the next line.
    leaf maximum-age {
      type union { 
type string { pattern "<.*>|$.*"; }
        // Continues `leaf maximum-age` of collector_transfer_log_archive_type,
        // opened on the previous line: 1..360 minutes, default 15.
        type uint32 { range "1 .. 360"; }
      }
      units "minutes";
      default "15";
      description "Maximum age of transfer log file";
    }
    // Up to five archive sites. `name` holds the URL as an unconstrained
    // string, so the model does not restrict the scheme.
    // NOTE(review): `password` is typed jt:unreadable (defined in the
    // imported junos-common-types, not shown here); its protection in transit
    // depends on the scheme of the configured URL. Prefer an encrypted
    // transfer scheme where the platform offers one.
    list archive-sites {
      key "name";
      max-elements 5;
      ordered-by user;
      leaf name { type string; description "Primary and failover URLs to receive archive files"; }
      leaf password { type jt:unreadable; description "Password to log in to the archive site"; }
    } // list archive-sites
  } // grouping collector_transfer_log_archive_type

  // cos-object: Class of Service configuration: application profiles, rules,
  // and rule sets that group rules by name.
  grouping cos-object {
    description "Class of Service services configuration";
    uses apply-advanced;
    list application-profile {
      key "name";
      ordered-by user;
      description "One or more CoS application profiles";
      uses cos_application_profile_object;
    } // list application-profile
    list rule {
      key "name";
      ordered-by user;
      description "One or more CoS rules";
      uses cos_rule_object;
    } // list rule
    // Up to 16960 rule sets; the name length is split by the page's line wrap
    // and continues on the next line.
    list rule-set {
      key "name";
      max-elements 16960;
      ordered-by user;
      description "Define a Set of CoS rules";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 
63";
        }
        description "Name of the rule set";
      } // end of the rule-set's `leaf name`, opened on the previous line
      uses apply-advanced;
      // Each entry names an existing rule: per the must-message the rule has
      // to be configured under `services cos rule`.
      // NOTE(review): the nested double quotes in the junos:must argument
      // have no backslash escapes as rendered here; confirm against the vendor file.
      list rule {
        key "name";
        max-elements 16960;
        ordered-by user;
        description "Rule to be included in this rule set";
        leaf name {
          junos:must "("services cos rule $$")";
          junos:must-message "rule must be configured";
          type string {
            junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$";
            junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores.";
          }
          description "Rule name";
        }
        uses apply-advanced;
      } // list rule
    } // list rule-set
  } // grouping cos-object

  // cos_application_profile_object: a named CoS profile giving DSCP and
  // forwarding-class treatment for SIP voice, SIP video and FTP data.
  grouping cos_application_profile_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Profile name";
    }
    uses apply-advanced;
    container sip {
      presence "enable sip";
      description "CoS treatment of Session Initiation Protocol data";
      uses apply-advanced;
      container voice {
        presence "enable voice";
        description "CoS treatment of SIP voice data";
        uses apply-advanced;
        // Either exactly six binary digits or an alias that starts with a
        // letter and is at most 64 characters long (per the pattern).
        leaf dscp {
          type string {
            junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
            junos:pattern-message "Not 6-bit pattern or code point alias";
          }
          description "Code point alias or bit string";
        }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        }
      } // container voice
      container video {
        presence "enable video";
        description "CoS treatment of SIP video data";
        uses apply-advanced;
        leaf dscp {
          type string {
            junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
            junos:pattern-message "Not 6-bit pattern or code point alias";
          }
          description "Code point alias or bit string";
        }
        // The pattern-message string is split by the page's line wrap and
        // continues on the next line.
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be 
string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        } // end of `leaf forwarding-class` (sip video), opened on the previous line
      } // container video
    } // container sip
    container ftp {
      presence "enable ftp";
      description "CoS treatment for FTP data";
      uses apply-advanced;
      container data {
        presence "enable data";
        uses apply-advanced;
        // Either exactly six binary digits or an alias that starts with a
        // letter and is at most 64 characters long (per the pattern).
        leaf dscp {
          type string {
            junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
            junos:pattern-message "Not 6-bit pattern or code point alias";
          }
          description "Code point alias or bit string";
        }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        }
      } // container data
    } // container ftp
  } // grouping cos_application_profile_object

  // cos_rule_object: one named CoS rule: a match-direction plus ordered
  // `term` entries and ordered `policy` entries, each pairing match criteria
  // with a `then` action.
  grouping cos_rule_object {
    // Rule name: 1..63 characters, first one alphanumeric, the rest letters,
    // digits, '-' or '_' (per the pattern-message).
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match on input to or output from interface"; }
      }
      description "Direction for which the rule match is applied";
    }
    // The term name's length is split by the page's line wrap and continues
    // on the next line.
    list term {
      key "name";
      ordered-by user;
      description "One or more terms in CoS rule";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 
63";
        }
        description "Term name";
      } // end of the CoS term's `leaf name`, opened on the previous line
      uses apply-advanced;
      // Match side of a CoS term; its contents come from sfw_match_object.
      container from {
        description "Match criteria";
        uses sfw_match_object;
      } // container from
      // Action side of a CoS term: DSCP / forwarding-class marking, an
      // optional application profile, optional syslog, and one
      // reverse-traffic treatment.
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        leaf dscp {
          type string {
            junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
            junos:pattern-message "Not 6-bit pattern or code point alias";
          }
          description "Code point alias or bit string";
        }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        }
        // Reference check: per the must-message the profile has to be defined
        // under `services cos application-profile`.
        leaf application-profile {
          junos:must "("services cos application-profile $$")";
          junos:must-message "referenced cos profile must be defined";
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "CoS application profile";
        }
        leaf syslog { type empty; description "System log information about the packet"; }
        // reflexive, revert and reverse are cases of one choice, so a term
        // carries at most one reverse-traffic treatment.
        choice designation {
          leaf reflexive { type empty; description "Apply mirror rule to reverse traffic"; }
          leaf revert { type empty; description "Apply received COS values to reverse traffic"; }
          container reverse {
            presence "enable reverse";
            description "CoS treatment for reverse traffic";
            uses apply-advanced;
            leaf dscp {
              type string {
                junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
                junos:pattern-message "Not 6-bit pattern or code point alias";
              }
              description "Code point alias or bit string";
            }
            leaf forwarding-class {
              type string {
                junos:posix-pattern "^.{1,64}$";
                junos:pattern-message "Must be string of 64 characters or less";
              }
              description "Forwarding class assigned to outgoing packets";
            }
            // The description string of this leaf is split by the page's
            // line wrap and continues on the next line.
            leaf application-profile {
              junos:must "("services cos application-profile $$")";
              junos:must-message "referenced cos profile must be defined";
              type string {
                junos:posix-pattern "^.{1,64}$";
                junos:pattern-message "Must be string of 64 characters or less";
              }
              description "CoS 
application profile";
            } // end of `leaf application-profile` (term / then / reverse), opened on the previous line
            leaf syslog { type empty; description "System log information about the packet"; }
          } // container reverse
        } // choice designation
      } // container then
    } // list term
    // policy: second ordered list in a CoS rule. It mirrors `term`, but its
    // match container is named `match` and its `then` has no syslog leaf.
    list policy {
      key "name";
      ordered-by user;
      description "One or more policies in CoS rule";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 63";
        }
        description "Policy name";
      }
      uses apply-advanced;
      container match {
        description "Match criteria";
        uses sfw_match_object;
      } // container match
      // NOTE(review): the description below says 'from' although the sibling
      // match container here is named `match`.
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        leaf dscp {
          type string {
            junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
            junos:pattern-message "Not 6-bit pattern or code point alias";
          }
          description "Code point alias or bit string";
        }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Forwarding class assigned to outgoing packets";
        }
        // Reference check: per the must-message the profile has to be defined
        // under `services cos application-profile`.
        leaf application-profile {
          junos:must "("services cos application-profile $$")";
          junos:must-message "referenced cos profile must be defined";
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "CoS application profile";
        }
        choice designation {
          leaf reflexive { type empty; description "Apply mirror rule to reverse traffic"; }
          leaf revert { type empty; description "Apply received COS values to reverse traffic"; }
          container reverse {
            presence "enable reverse";
            description "CoS treatment for reverse traffic";
            uses apply-advanced;
            leaf dscp {
              type string {
                junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$";
                junos:pattern-message "Not 6-bit pattern or code point alias";
              }
              description "Code point alias or bit string";
            }
            // The type body of this leaf continues on the next line.
            leaf forwarding-class {
              type string { 
junos:posix-pattern "^.{1,64}$";
                // Continues `leaf forwarding-class` (policy / then / reverse),
                // opened on the previous line.
                junos:pattern-message "Must be string of 64 characters or less";
              }
              description "Forwarding class assigned to outgoing packets";
            }
            // Reference check: per the must-message the profile has to be
            // defined under `services cos application-profile`.
            leaf application-profile {
              junos:must "("services cos application-profile $$")";
              junos:must-message "referenced cos profile must be defined";
              type string {
                junos:posix-pattern "^.{1,64}$";
                junos:pattern-message "Must be string of 64 characters or less";
              }
              description "CoS application profile";
            }
          } // container reverse
        } // choice designation
      } // container then
    } // list policy
  } // grouping cos_rule_object

  // cpcd-rule-object-type: one named captive portal content delivery rule: a
  // match-direction plus ordered terms.
  grouping cpcd-rule-object-type {
    // Rule name: 1..63 characters, first one alphanumeric, the rest letters,
    // digits, '-' or '_' (per the pattern-message).
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match on input to or output from interface"; }
      }
      description "Direction for which the rule match is applied";
    }
    // The term name's length is split by the page's line wrap and continues
    // on the next line.
    list term {
      key "name";
      ordered-by user;
      description "Define a captive portal content delivery term";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 
63";
        }
        description "Term name";
      } // end of the cpcd term's `leaf name`, opened on the previous line
      uses apply-advanced;
      container from {
        description "Define match criteria";
        uses cpcd-match-object-type;
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses cpcd-action-object-type;
      } // container then
    } // list term
  } // grouping cpcd-rule-object-type

  // cpcd-action-object-type: what a captive portal term does with matched
  // traffic. accept, rewrite, redirect and insert are cases of one choice, so
  // a term carries at most one of them.
  grouping cpcd-action-object-type {
    uses apply-advanced;
    choice designation {
      leaf accept { type empty; description "Accept the packet"; }
      // rewrite: replaces the packet's destination address (and optionally
      // the port, 1..65535) with the configured values.
      container rewrite {
        presence "enable rewrite";
        description "Rewrite the IP-DA of the packet";
        uses apply-advanced;
        leaf destination-address { type jt:ipaddr; description "The destination IP address"; }
        leaf destination-port {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint16 { range "1 .. 65535"; }
          }
          description "The destination port";
        }
      } // container rewrite
      // redirect: the pattern only anchors the start of the value ("http:" or
      // "https:"); the rest of the URL is unconstrained, and no length limit
      // is declared.
      // NOTE(review): a plain http target means the portal page is delivered
      // without transport protection; prefer https targets.
      container redirect {
        presence "enable redirect";
        description "Redirect the http packet";
        leaf url {
          type string {
            junos:posix-pattern "^((http)|(https)):";
            junos:pattern-message "URL must start with http or https";
          }
          description "URL of the captive portal file";
        }
      } // container redirect
      // insert: tags added to the http packet. The tag name's length is split
      // by the page's line wrap and continues on the next line.
      container insert {
        description "Insert tag into the http packet";
        uses apply-advanced;
        list tag {
          key "name";
          ordered-by user;
          description "Tag name to be inserted";
          leaf name {
            type string {
              length "1 .. 
127"; } description "Tag name"; } uses apply-advanced; leaf tag-value { type string; description "Tag value to be inserted"; } } // list tag } // container insert } // choice designation leaf syslog { type empty; description "System log information about the packet"; } } // grouping cpcd-action-object-type grouping cpcd-match-object-type { uses apply-advanced; list destination-address { key "name"; ordered-by user; description "Match IP destination address"; leaf name { type string; description "Match IP address"; } leaf except { type empty; description "Match address not in this prefix"; } } // list destination-address list destination-address-range { key "low high"; ordered-by user; description "Match IP destination address range"; leaf low { type jt:ipaddr; description "Lower limit of address range"; } leaf high { type jt:ipaddr; description "Upper limit of address range"; } leaf except { type empty; description "Match address not in this prefix"; } } // list destination-address-range list destination-prefix-list { key "name"; ordered-by user; description "One or more named lists of destination prefixes to match"; leaf name { junos:must "("policy-options prefix-list $$")"; junos:must-message "referenced policy-options prefix-list must be defined"; type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list destination-prefix-list list applications { key "name"; ordered-by user; description "Match one or more applications"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } } uses apply-advanced; leaf application-protocol { type enumeration { enum "bootp" { value 0; description "Bootstrap protocol"; } enum "dce-rpc" { value 1; description "DCE RPC"; } enum "dce-rpc-portmap" { value 2; description "DCE RPC portmap"; } enum "dns" { value 3; description "Domain Name Service"; } enum "exec" { value 4; description "Remote Execution Protocol"; } enum "ftp" { value 5; description "File Transfer Protocol"; } enum "ftp-data" { value 6; description "File Transfer Protocol Data Session"; } enum "gprs-gtp-c" { value 7; description "GPRS Tunneling Control Plane"; } enum "gprs-gtp-u" { value 8; description "GPRS Tunneling User Plane"; } enum "gprs-gtp-v0" { value 9; description "GPRS Tunneling Version 0"; } enum "gprs-sctp" { value 10; description "GPRS Stream Control Protocol"; } enum "h323" { value 11; description "H.323"; } enum "icmp" { value 12; description "ICMP"; } enum "icmpv6" { value 13; description "ICMPv6"; } enum "ignore" { value 14; description "Ignore application type"; } enum "iiop" { value 15; description "Internet Inter-ORB Protocol"; } enum "ike-esp-nat" { value 16; description "IKE/ESP with NAT"; } enum "ip" { value 17; description "IP"; } enum "login" { value 18; description "Login"; } enum "mgcp-ca" { value 19; description "MGCP-CA"; } enum "mgcp-ua" { value 20; description "MGCP-UA"; } enum "ms-rpc" { value 21; description "Microsoft RPC"; } enum "netbios" { value 22; description "NetBIOS"; } enum "netshow" { value 23; description "NetShow"; } enum "none" { value 24; description "None"; } enum "pptp" { value 25; description "Point-to-Point Tunneling Protocol"; } enum "q931" { value 26; description "Q.931"; } enum "ras" { value 27; description "RAS"; } enum "realaudio" { value 28; description "RealAudio"; } enum "rpc" { value 29; description "RPC"; } enum "rpc-portmap" { value 30; description "RPC portmap"; } enum "rsh" { value 31; description "Remote Shell"; } enum "rtsp" { value 32; description "Real Time Streaming 
Protocol"; } enum "sccp" { value 33; description "Skinny Client Control Protocol"; } enum "sip" { value 34; description "Session Initiation Protocol"; } enum "shell" { value 35; description "Shell"; } enum "snmp" { value 36; description "SNMP"; } enum "sqlnet" { value 37; description "SQLNet"; } enum "sqlnet-v2" { value 38; description "Oracle SQL*Net Version 2"; } enum "sun-rpc" { value 39; description "Sun Microsystems RPC"; } enum "talk" { value 40; description "Talk Program"; } enum "tftp" { value 41; description "Trivial File Transfer Protocol"; } enum "traceroute" { value 42; description "Traceroute"; } enum "http" { value 43; description "Hypertext Transfer Protocol"; } enum "winframe" { value 44; description "WinFrame"; } enum "https" { value 45; description "Hypertext Transfer Protocol"; } enum "imap" { value 46; description "Internet Mail Access Protocol"; } enum "smtp" { value 47; description "Simple Mail Transfer Protocol"; } enum "ssh" { value 48; description "Secure Shell Protocol"; } enum "telnet" { value 49; description "Telnet Protocol"; } enum "twamp" { value 50; description "Two Way Active Meaurement Protocol"; } enum "pop3" { value 51; description "Post Office Protocol 3 Protocol"; } enum "smtps" { value 52; description "Simple Mail Transfer Protocol Over TLS"; } enum "imaps" { value 53; description "Internet Mail Access Protocol Over TLS"; } enum "pop3s" { value 54; description "Post Office Protocol 3 Protocol Over TLS"; } } description "Application protocol type"; } leaf protocol { type string; description "Match IP protocol type"; } leaf source-port { type string; description "Match TCP/UDP source port"; } leaf destination-port { type string; description "Match TCP/UDP destination port"; } } // list applications } // grouping cpcd-match-object-type grouping cpcd-trace-options-type { description "Trace options for captive portal and content delivery service"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; 
junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Captive portal operations to include in debugging trace"; leaf name { type enumeration { enum "configuration" { value 0; description "Configuration operations"; } enum "clicommand" { value 1; description "Cli command operations"; } enum "general" { value 2; description "Miscellaneous operations"; } enum "rtsock" { value 3; description "Routing socket operations"; } enum "statistics" { value 4; description "Statistics operations"; } enum "rules" { value 5; description "Rules operations"; } enum "ssets" { value 6; description "Service sets operations"; } enum "ipc" { value 7; description "RE-PIC operations"; } enum "gres" { value 8; description "GRES operations"; } enum "re-services" { value 9; description "RE Service Operations"; } enum "re-svc-debug-stat" { value 10; description "RE Service debug stats"; } enum "all" { value 11; description "All operations"; } } } } // list flag } // grouping cpcd-trace-options-type grouping 
dfc_group_type {
    // DFC capture group: the PIC it runs on, capacity thresholds, the control
    // sources allowed to drive it and the content destinations that receive
    // captured traffic.
    description "Configure DFC group parameters";
    leaf name { type string { length "1 .. 64"; } description "DFC group name"; }
    uses apply-advanced;
    leaf-list interfaces {
      type union {
        type jt:interface-device;
        // String alternative: values in angle brackets or starting with '$';
        // presumably Junos placeholder/variable syntax - confirm.
        type string { pattern "<.*>|$.*"; }
      }
      // Although a leaf-list, at most one entry is accepted.
      max-elements 1;
      ordered-by user;
      description "DFC PIC(s) in this group";
    }
    leaf input-packet-rate-threshold {
      // Bare string with a numeric default; the limits named in the
      // description are not enforced by the schema.
      type string;
      units "pps";
      default "1024000";
      description " Input pps (max 300k on MO-III, 1M on MS-400)";
    }
    leaf max-duplicates {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 64"; }
      }
      description "Maximum content destinations for the capture group";
    }
    leaf duplicates-dropped-periodicity {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 255"; }
      }
      description "Periodicity of DuplicatesDropped notification in secs";
    }
    container pic-memory-threshold {
      description "PIC memory threshold";
      leaf percentage {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10 .. 100"; }
        }
        units "percent";
        description "Threshold in percentage";
      }
    } // container pic-memory-threshold
    list control-source {
      key "name";
      max-elements 64;
      ordered-by user;
      description "Configure control source parameters";
      uses dfc_control_source_type;
    } // list control-source
    list content-destination {
      key "name";
      max-elements 64;
      ordered-by user;
      description "Configure content destination parameters";
      uses content_destination_type;
    } // list content-destination
  } // grouping dfc_group_type

  // One content destination of a capture group: an IPv4 address plus
  // bandwidth thresholds. The soft and hard thresholds come in pairs; each
  // leaf of a pair requires its partner (see the junos:must constraints).
  // NOTE(review): no transport-protection setting is visible in this grouping;
  // how captured content is protected in transit must be established elsewhere.
  // NOTE(review): inner quotes in junos:must arguments appear unescaped in this
  // listing (backslashes presumably lost) - confirm against the vendor file.
  grouping content_destination_type {
    leaf name { type string { length "1 .. 48"; } description "Content destination identifier"; }
    uses apply-advanced;
    leaf address { type jt:ipv4addr; description "Content destination IP address"; }
    leaf ttl {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 255"; }
      }
      default "255";
      description "Time to live";
    }
    leaf soft-limit-clear {
      junos:must "(".. soft-limit")";
      junos:must-message "soft limit threshold must be configured for the content destination";
      type string;
      units "bps";
      description "Soft limit clear threshold";
    }
    leaf soft-limit {
      junos:must "(".. soft-limit-clear")";
      junos:must-message "soft limit clear threshold must be configured for the content destination";
      type string;
      units "bps";
      description "Soft limit threshold";
    }
    leaf hard-limit-target {
      junos:must "(".. hard-limit")";
      junos:must-message "hard limit threshold must be configured for the content destination";
      type string;
      units "bps";
      description "Hard limit target threshold";
    }
    leaf hard-limit {
      junos:must "(".. hard-limit-target")";
      junos:must-message "hard limit target threshold must be configured for the content destination";
      type string;
      units "bps";
      description "Hard limit threshold";
    }
  } // grouping content_destination_type

  // A control source that may drive the capture group. The access-control
  // inputs visible here are an IPv4 allow-list (source-addresses), a shared
  // key, a list of permitted destinations and a minimum priority.
  grouping dfc_control_source_type {
    leaf name { type string { length "1 .. 48"; } description "Control source identifier"; }
    uses apply-advanced;
    leaf-list source-addresses {
      // Allow-list of up to 8 IPv4 addresses. Source-address checks alone are
      // weak; presumably they are combined with shared-key - confirm.
      type jt:ipv4addr;
      max-elements 8;
      ordered-by user;
      description "Allowed control source IP address list";
    }
    leaf service-port {
      type union {
        // No range restriction, so 0 is accepted by the schema.
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      description "Service port";
    }
    list notification-targets {
      key "name";
      max-elements 8;
      description "Notification target list";
      uses dfc_notification_target_type;
    } // list notification-targets
    // NOTE(review): disabling syslog presumably removes the log trail for this
    // control source's activity; confirm what is still recorded before use.
    leaf no-syslog { type empty; description "Disable syslog"; }
    leaf shared-key {
      // Plain string, 1..20 characters. No secret/obfuscating type or extension
      // is attached in this schema, so treat displayed or exported configs as
      // containing the key unless the platform handles it elsewhere - confirm.
      // The 1-character minimum and 20-character cap bound key strength.
      type string { length "1 .. 20"; }
      description "Shared key with control source";
    }
    leaf-list allowed-destinations {
      // Up to 16 entries; presumably content-destination identifiers (same
      // 1..48 length) - verify against the consumer.
      type string { length "1 .. 48"; }
      max-elements 16;
      ordered-by user;
      description "Allowed destinations";
    }
    leaf minimum-priority {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 255"; }
      }
      default "0";
      description "Minimum priority of the control source";
    }
  } // grouping dfc_control_source_type

  // Notification target of a control source, keyed by its IPv4 address.
  grouping dfc_notification_target_type {
    leaf name { type jt:ipv4addr; description "Notification target IP address"; }
    uses apply-advanced;
    leaf port {
      type union {
        // No range restriction, so 0 is accepted by the schema.
        type uint16;
        type string { pattern "<.*>|$.*"; }
      }
      description "Notification target port";
    }
  } // grouping dfc_notification_target_type

  // Keyed-hash settings for the web-filter global file: a key given either as
  // text or as hex digits, and the hash method (only hmac-sha2-256 is offered).
  grouping dnsf-multitenant-hash-object {
    uses apply-advanced;
    container file-hash-key {
      description "Define web-filter global file key";
      // NOTE(review): both forms are plain strings with a 1-character minimum;
      // the schema enforces neither a minimum key length nor secret handling.
      choice key-choice {
        leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; }
        leaf hexadecimal {
          type string {
            // Hex digits only; an odd number of digits is not rejected here.
            junos:posix-pattern "^[[:xdigit:]]+$";
            junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
            length "1 .. 255";
          }
          description "Format as hexadecimal";
        }
      } // choice key-choice
    } // container file-hash-key
    leaf hash-method {
      // hash-method may only be set when file-hash-key is present.
      junos:must "(".. file-hash-key")";
      junos:must-message "file-hash-key is mandatory";
      type enumeration {
        enum "hmac-sha2-256" { value 0; description "HMAC-SHA2-256 authentication algorithm"; }
      }
      description "Define authentication algorithm";
    }
  } // grouping dnsf-multitenant-hash-object

  // IPv4 drop-policy term: a name plus 'from' match criteria (addresses,
  // ports, protocol, DSCP). Each choice below wraps a single container.
  grouping drop-policy-term {
    description "One or more drop terms";
    leaf name {
      type string {
        // Any 1..64 characters are accepted; no identifier charset is imposed.
        junos:posix-pattern "^.{1,64}$";
        junos:pattern-message "Must be string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    container from {
      description "Define match criteria";
      uses apply-advanced;
      container source-address {
        presence "enable source-address";
        description "Source IP Address";
        uses li_policy_addr_simple_object;
      } // container source-address
      container destination-address {
        presence "enable destination-address";
        description "Destination IP Address";
        uses li_policy_addr_simple_object;
      } // container destination-address
      choice source-port_choice {
        container source-port {
          description "Match source port";
          uses match_li_simple_port_value;
        } // container source-port
      } // choice source-port_choice
      choice destination-port_choice {
        container destination-port {
          description "Match destination port";
          uses match_li_simple_port_value;
        } // container destination-port
      } // choice destination-port_choice
      choice protocol_choice {
        container protocol {
          description "Match IP protocol type";
          uses match_li_simple_protocol_value;
        } // container protocol
      } // choice protocol_choice
      choice dscp_choice {
        container dscp {
          description "Match Differentiated Services (DiffServ) code point";
          uses match_li_simple_dscp_value;
        } // container dscp
      } // choice dscp_choice
    } // container from
  } // grouping drop-policy-term

  // IPv6 counterpart of drop-policy-term: same layout, with the address
  // containers using li_policy_addr6_simple_object.
  grouping drop-policy6-term {
    description "One or more drop terms";
    leaf name {
      type string {
        junos:posix-pattern "^.{1,64}$";
        junos:pattern-message "Must be string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    container from {
      description "Define match criteria";
      uses apply-advanced;
      container source-address {
        presence "enable source-address";
        description "Source IPv6 Address or Prefix";
        uses li_policy_addr6_simple_object;
      } // container source-address
      container destination-address {
        presence "enable destination-address";
        description "Destination IPv6 Address or Prefix";
        uses li_policy_addr6_simple_object;
      } // container destination-address
      choice source-port_choice {
        container source-port {
          description "Match source port";
          uses match_li_simple_port_value;
        } // container source-port
      } // choice source-port_choice
      choice destination-port_choice {
        container destination-port {
          description "Match destination port";
          uses match_li_simple_port_value;
        } // container destination-port
      } // choice destination-port_choice
      choice protocol_choice {
        container protocol {
          description "Match IP protocol type";
          uses match_li_simple_protocol_value;
        } // container protocol
      } // choice protocol_choice
      choice dscp_choice {
        container dscp {
          description "Match Differentiated Services (DiffServ) code point";
          uses
match_li_simple_dscp_value;
        } // container dscp
      } // choice dscp_choice
    } // container from
  } // grouping drop-policy6-term

  // DS-Lite softwire concentrator: its IPv6 address, tunnel MTU handling and
  // per-softwire resource limits.
  // NOTE(review): inner quotes in junos:must arguments appear unescaped in this
  // listing (backslashes presumably lost) - confirm against the vendor file.
  grouping dslite_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "DS-Lite concentrator name";
    }
    uses apply-advanced;
    leaf softwire-address { type jt:ipv6addr; description "Softwire concentrator address"; }
    leaf mtu-v6 {
      type union {
        // String alternative: values in angle brackets or starting with '$';
        // presumably Junos placeholder/variable syntax - confirm.
        type string { pattern "<.*>|$.*"; }
        // Lower bound 1280 is the IPv6 minimum link MTU.
        type uint32 { range "1280 .. 9192"; }
      }
      description "MTU for the softwire tunnel";
    }
    leaf copy-dscp { type empty; description "Copy DSCP (type of service) from IPv6 to IPv4 header"; }
    // NOTE(review): the MTU is then driven by received ICMPv6 messages, which
    // are unauthenticated input; confirm the implementation validates them
    // before lowering the tunnel MTU.
    leaf auto-update-mtu { type empty; description "Auto update MTU from received ICMPv6 messages"; }
    leaf flow-limit {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 16384"; }
      }
      // The meaning of 0 is not stated here; presumably "no limit" - confirm,
      // since these limits are the per-subscriber resource caps.
      default "0";
      description "Max Number of IPv4 flows per Softwire";
    }
    leaf session-limit-per-prefix {
      // Mutually exclusive with flow-limit on the same concentrator.
      junos:must "(!(".. flow-limit"))";
      junos:must-message "Cannot configure both flow-limit and session-limit-per-prefix in same softwire-concentrator";
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 16384"; }
      }
      default "0";
      description "Max number of sessions allowed per Softwire prefix";
    }
  } // grouping dslite_object

  // Address family settings; only IPv4 (inet) is modelled, with DHCP or a
  // static prefix as alternatives.
  grouping family {
    container inet {
      description "IPv4 parameters";
      uses apply-advanced;
      choice if-addr {
        leaf dhcp { type empty; description "Enable DHCP on ethernet interface"; }
        leaf address { type jt:ipv4prefix; description "Interface address/destination prefix"; }
      } // choice if-addr
    } // container inet
  } // grouping family

  // Output file specification for flow collection: name format, data format
  // and the time/record thresholds at which a file is transferred.
  grouping file_specification_type {
    leaf name { type string; description "Name for file type"; }
    uses apply-advanced;
    // Unconstrained string; macro expansion is done by the consumer, not shown here.
    leaf name-format { type string; description "Format string for filename (allows {text} macros)"; }
    leaf data-format {
      type enumeration {
        enum "flow-compressed" { value 0; description "Flow format (compressed)"; }
      }
      description "Data format for flow collection output";
    }
    container transfer {
      leaf timeout {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "60 .. 1800"; }
        }
        default "600";
        description "Timeout in seconds when the file is transferred";
      }
      leaf record-level {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10000 .. 1000000"; }
        }
        default "500000";
        description "Number of records at which the file is transferred";
      }
    } // container transfer
  } // grouping file_specification_type

  // Trace (debug logging) settings for flow services: output file, flags,
  // message rate limit, packet filters, verbosity and the root-override switch.
  grouping flow-traceoptions-object {
    description "Trace options for flow services";
    uses apply-advanced;
    leaf no-remote-trace {
      // Only valid when [system tracing] is configured.
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      leaf filename {
        type string {
          // Rejects '/', '%' and space, so the name cannot carry a directory
          // component; the directory the file lands in is not shown here.
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      leaf size { type string; description "Maximum trace file size"; }
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // NOTE(review): flow traces can include packet and session detail;
      // prefer no-world-readable unless unprivileged users must read the file.
      // Which behaviour applies when neither leaf is set is not shown here.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    list flag {
      key "name";
      ordered-by user;
      description "Events and other information to include in trace output";
      leaf name {
        type enumeration {
          enum "all" { value 0; description "All events"; }
          enum "basic-datapath" { value 1; description "Basic packet flow"; }
          enum "high-availability" { value 2; description "Flow high-availability information"; }
          enum "host-traffic" { value 3; description "Flow host-traffic information"; }
          enum "fragmentation" { value 4; description "Ip fragmentation and reassembly events"; }
          enum "multicast" { value 5; description "Multicast flow information"; }
          enum "route" { value 6; description "Route lookup information"; }
          enum "session" { value 7; description "Session creation and deletion events"; }
          enum "session-scan" { value 8; description "Session scan information"; }
          enum "tcp-basic" { value 9; description "TCP packet flow"; }
          enum "tunnel" { value 10; description "Tunnel information"; }
          enum "jexec" { value 11; description "Junos forwarding module"; }
        }
      }
    } // list flag
    leaf rate-limit {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 4294967295"; }
      }
      // The meaning of 0 is not stated; presumably "no limit" - confirm.
      default "0";
      description "Limit the incoming rate of trace messages";
    }
    list packet-filter {
      key "name";
      max-elements 64;
      ordered-by user;
      description "Flow packet debug filters";
      uses flow-filter-type;
    } // list packet-filter
    container trace-level {
      description "FLow trace level";
      uses apply-advanced;
      choice level {
        leaf minimal { type empty; description "Significant messages including warning, error, criticality, alert and emergency."; }
        leaf brief { type empty; description "Brief messages including notice, in addition to minimal messages"; }
        leaf detail { type empty; description "Detail messages including info and debug, in addition to brief messages"; }
      } // choice level
    } // container trace-level
    leaf root-override {
      // Requires both a trace file and at least one flag at the same level.
      // NOTE(review): per the description this collects flow trace from every
      // logical system and tenant into root, i.e. it crosses tenant
      // boundaries; restrict who can set it and who can read the file.
      junos:must "((".. file" && ".. flag"))";
      junos:must-message "root-override must have root trace file and flag configured";
      type empty;
      description "Allow collect flow trace in root from all logical-systems and tenants";
    }
  } // grouping flow-traceoptions-object

  // One flow packet debug filter: protocol, prefixes, ports, connection tag
  // and source interface used to narrow what is traced.
  grouping flow-filter-type {
    description "Flow filter settings";
    leaf name {
      type string {
        // The pattern also admits '.', which the message text does not mention.
        junos:posix-pattern "^[[:alnum:]._-]+$";
        junos:pattern-message "Must be a string of letters, numbers, dashes or underscores";
        length "1 .. 63";
      }
      description "Name of the filter";
    }
    uses apply-advanced;
    leaf protocol { type string; description "Match IP protocol type"; }
    leaf source-prefix { type jt:ipprefix; description "Source IP address prefix"; }
    leaf destination-prefix { type jt:ipprefix; description "Destination IP address prefix"; }
    leaf conn-tag {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 4294967295"; }
      }
      description "Session connection tag";
    }
    leaf logical-system {
      type string { length "1 .. 63"; }
      status deprecated;
      description "Logical system";
    }
    // Ports are bare strings; values and ranges are not checked by the schema.
    leaf source-port { type string; description "Match TCP/UDP source port"; }
    leaf destination-port { type string; description "Match TCP/UDP destination port"; }
    leaf interface {
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Source logical interface";
    }
  } // grouping flow-filter-type

  // Fixed wireless access (FWA) authentication: a password and the pieces
  // from which the username is assembled.
  grouping fwa-authentication-type {
    description "FWA authentication";
    uses apply-advanced;
    leaf password {
      // Plain string, 1..64 characters. No secret/obfuscating type or extension
      // is attached in this schema, so treat displayed or exported configs as
      // containing the password unless the platform handles it elsewhere - confirm.
      type string { length "1 .. 64"; }
      description "Username password to use";
    }
    container username-include {
      description "Add username options";
      uses apply-advanced;
      leaf delimiter { type string { length "1"; } description "Change delimiter/separator character"; }
      leaf domain-name { type string { length "1 .. 64"; } description "Add domain name"; }
      leaf user-prefix { type string { length "1 .. 64"; } description "Add user defined prefix"; }
      // NOTE(review): IMSI, MSISDN and MEI are subscriber/device identifiers;
      // once placed in the username they travel wherever the username is sent
      // or logged, so handle those records as sensitive.
      leaf imsi { type empty; description "Include IMSI"; }
      leaf msisdn { type empty; description "Include MSISDN"; }
      leaf mei { type empty; description "Include MEI"; }
    } // container username-include
  } // grouping fwa-authentication-type

  // Gateway definition (services interface, SIP policies, ...). Only the
  // opening part is reproduced in this span.
  grouping gateway_type {
    leaf name { type string; description "Gateway name"; }
    uses apply-advanced;
    leaf service-interface {
      // Referential check: the interface must exist under [interfaces].
      junos:must "("interfaces $$")";
      junos:must-message "Interface must be defined in the interfaces hierarchy";
      type union {
        type jt:interface-device;
        type string { pattern "<.*>|$.*"; }
      }
      description "Associated services interface";
    }
    container sip {
      presence "enable sip";
      uses apply-advanced;
      container timers {
        presence "enable timers";
        description "Timers configuration";
        uses sip_timers_type;
      } // container timers
      list new-transaction-policy {
        key "name";
        max-elements 500;
        ordered-by user;
        description "Definition of a new-transaction policy";
        uses transaction_policy_type;
      } // list new-transaction-policy
      list new-transaction-policy-set {
        key "name";
        max-elements 5;
        ordered-by user;
        description
"Definition of a new-transaction policy set"; uses new_transaction_set_type; } // list new-transaction-policy-set list new-registration-policy { key "name"; max-elements 500; ordered-by user; description "Definition of a new-registration policy"; uses registration_policy_type; } // list new-registration-policy list new-registration-policy-set { key "name"; max-elements 5; ordered-by user; description "Definition of a new-registration policy set"; uses new_registration_set_type; } // list new-registration-policy-set list new-call-usage-policy { key "name"; max-elements 500; ordered-by user; description "Definition of a new-call usage policy"; uses call_usage_policy_type; } // list new-call-usage-policy list new-call-usage-policy-set { key "name"; max-elements 5; ordered-by user; description "Definition of a new-call usage policy set"; uses new_call_usage_set_type; } // list new-call-usage-policy-set container routing-destinations { presence "enable routing-destinations"; description "Definition of routing destinations"; uses routing-destinations; } // container routing-destinations container message-manipulation-rules { description "Definition of manipulation rules"; uses header-manipulation-message-manipulation-rules-type; } // container message-manipulation-rules leaf local-tag-prefix { type string; default "bsg"; description "Local tag prefix"; } list signaling-realms { key "name"; ordered-by user; description "Signaling realm"; uses signaling-realm; } // list signaling-realms leaf local-uri-prefix { type string; default "J"; description "Local URI prefix"; } } // container sip list admission-control { key "name"; max-elements 10; ordered-by user; description "Definition of an admission controller"; uses admission-control-type; } // list admission-control list service-point { key "name"; max-elements 100; ordered-by user; uses service_point_type; } // list service-point container name-resolution-cache { presence "enable name-resolution-cache"; uses 
name-resolution-cache-type; } // container name-resolution-cache container embedded-spdf { presence "enable embedded-spdf"; uses apply-advanced; list service-class { key "name"; max-elements 5; ordered-by user; description "Definition of service class policies"; leaf name { type string { length "1 .. 63"; } description "Service class name"; } uses apply-advanced; list term { key "name"; max-elements 6; ordered-by user; description "Service class settings by media type"; leaf name { type string; description "Term name"; } uses apply-advanced; container from { presence "enable from"; description "The media-related filter that the rate limiting and DSCP marking are based on"; uses apply-advanced; leaf-list media-type { type enumeration { enum "any-media" { value 0; } enum "audio" { value 1; } enum "video" { value 2; } } ordered-by user; description "Media types to filter on"; } } // container from container then { presence "enable then"; description "The action to take based on the 'from' filter"; uses apply-advanced; leaf reject { type empty; description "Reject the request"; } leaf committed-information-rate { junos:must "(".. committed-burst-size")"; junos:must-message "Committed Burst Size must also be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } } units "bytes-per-second"; default "0x7FFFFFFF"; description "Committed information rate value per stream"; } leaf committed-burst-size { junos:must "(".. committed-information-rate")"; junos:must-message "Committed Information Rate must also be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 
2147483647"; } } units "bytes"; default "0x7FFFFFFF"; description "Committed burst size value per stream"; } leaf dscp { type string { junos:posix-pattern "^af[1-4][1-3]$|^be$|^cs[1-7]$|^ef$|^nc[1-2]|^[01]{6}$"; junos:pattern-message "Not a 6-bit pattern or code point alias"; } default "be"; description "Code point alias or 6-bit pattern"; } } // container then } // list term } // list service-class } // container embedded-spdf container traceoptions { description "Trace options for border signaling gateway"; uses apply-advanced; container flag { presence "enable flag"; description "Per-component trace options"; uses apply-advanced; leaf minimum { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Minimum trace level for all the components"; } leaf session-trace { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } description "Trace level for the session tracing component"; } container sip-stack { presence "enable sip-stack"; description "Sip stack trace level options"; uses apply-advanced; leaf event-tracing { type empty; description "Event tracing"; } leaf ips-tracing { type empty; description "IPS tracing"; } leaf per-tracing { type empty; description "Performance tracing"; } 
leaf dev-logging { type empty; description "Development tracing"; } leaf verbose-logging { type empty; description "Verbose tracing"; } leaf pd-log-level { type enumeration { enum "problem" { value 0; description "Record a problem"; } enum "exception" { value 1; description "Record and exception that has been encountered in the code"; } enum "audit" { value 2; description "Record ordinary events for accounting purposes"; } } description "Set pd trace level"; } leaf pd-log-detail { type enumeration { enum "full" { value 0; description "Full details for every entry"; } enum "summary" { value 1; description "Summary details for every entry"; } } description "Set detail level for DC logs"; } } // container sip-stack container signaling { presence "enable signaling"; description "Signaling component sub-components"; uses apply-advanced; leaf minimum { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Minimum trace level for the signaling subcomponents"; } leaf sip-stack-wrapper { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Sip stack wrapper trace level "; } leaf b2b-wrapper { type enumeration { enum "trace" { value 0; description "Trace functions 
entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "B2B wrapper trace level "; } leaf ua { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "UA trace level "; } leaf b2b { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "B2B trace level "; } leaf topology-hiding { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Topology hiding trace level "; } leaf policy { type enumeration { enum "trace" { value 0; 
description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Policy trace level "; } leaf name-resolution-cache { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Name resolution cache trace level"; } leaf accounting-trigger { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Accounting trigger trace level"; } leaf event-trigger { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Event 
trigger trace level"; } leaf packet-capture { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Packet capture trace level"; } } // container signaling container framework { presence "enable framework"; description "Framework component sub-components"; uses apply-advanced; leaf minimum { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Minimum trace level for the framework subcomponents"; } leaf executor { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Executor trace level "; } leaf action { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal 
operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Action trace level "; } leaf event { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Event trace level "; } leaf freezer { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Freezer trace level "; } leaf memory-pool { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Memory pool trace level "; } } // container framework container datastore { presence "enable datastore"; description "Datastore component sub-components"; uses apply-advanced; leaf minimum { type enumeration { enum "trace" { value 0; description "Trace functions entering 
and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Minimum trace level for the datastore subcomponents"; } leaf data { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Data trace level "; } leaf handle { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Handle trace level "; } leaf db { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "DB trace level "; } } // container datastore container sbc-utils { presence 
"enable sbc-utils"; description "SBC utils component sub-components"; uses apply-advanced; leaf minimum { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Minimum trace level for the sbc-utils subcomponents"; } leaf configuration { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Configuration trace level"; } leaf ipc { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "IPC trace level"; } leaf device-monitor { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of 
an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Device-monitor trace level"; } leaf memory-management { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Memory mgmt trace level"; } leaf message { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Messaging trace level"; } leaf common { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Common utils trace level"; } leaf user-interface { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { 
value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "User-interface trace level"; } leaf memory-pool { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Memory-pool trace level"; } leaf packet-capture { type enumeration { enum "trace" { value 0; description "Trace functions entering and exiting"; } enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; } enum "info" { value 2; description "Summary logs for normal operations"; } enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; } enum "error" { value 4; description "Failure with short-term affect"; } } default "error"; description "Trace packet capture events"; } } // container sbc-utils } // container flag container file { status deprecated; description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file } // container traceoptions } // grouping gateway_type grouping admission-control-type { leaf name { type string; description "Admission control profile name"; } uses apply-advanced; container dialogs { presence "enable dialogs"; description "Dialog admission control rules"; uses apply-advanced; leaf maximum-concurrent { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100000"; } } description "Maximum concurrent dialogs allowed"; } leaf committed-attempts-rate { junos:must "(".. committed-burst-size")"; junos:must-message "committed-burst-size must also be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 500"; } } description "Committed rate of dialog admission attempts"; } leaf committed-burst-size { junos:must "(".. committed-attempts-rate")"; junos:must-message "committed-attempts-rate must also be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1000"; } } description "Committed burst size of dialog admission attempts"; } } // container dialogs container transactions { presence "enable transactions"; description "Transaction admission control rules"; uses apply-advanced; leaf maximum-concurrent { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 50000"; } } description "Maximum concurrent transactions allowed"; } leaf committed-attempts-rate { junos:must "(".. 
committed-burst-size")";
        junos:must-message "committed-burst-size must also be defined";
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "0 .. 1500"; }
        }
        description "Committed rate of transaction admission attempts";
      }
      leaf committed-burst-size {
        // Rate and burst size are tied together: each leaf carries a
        // junos:must that requires its sibling to be present.
        junos:must "(".. committed-attempts-rate")";
        junos:must-message "committed-attempts-rate must also be defined";
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "0 .. 3000"; }
        }
        description "Committed burst size of transaction admission attempts";
      }
    } // container transactions
  } // grouping admission-control-type

  // Call usage policy: a named policy holding up to 20 user-ordered terms.
  // Each term pairs optional `from` match criteria with a `then` action
  // defined by new_call_then_type (not shown in this part of the module).
  grouping call_usage_policy_type {
    leaf name {
      type string;
      description "Policy name";
    }
    uses apply-advanced;
    list term {
      key "name";
      max-elements 20;
      ordered-by user;
      description "Term definition";
      leaf name {
        type string;
        description "Term name";
      }
      uses apply-advanced;
      container from {
        presence "enable from";
        uses apply-advanced;
        // At most 5 source addresses per term.
        leaf-list source-address {
          type jt:ipaddr;
          max-elements 5;
          ordered-by user;
          description "Source addresses and masks";
        }
        list method {
          key "name";
          ordered-by user;
          description "Methods";
          uses call-usage-method-type;
        } // list method
        // The two regex lists below are matched against values taken from
        // incoming messages (Request-URI and contact), i.e. peer-supplied
        // text. NOTE(review): whether the regex engine bounds matching time
        // is not visible here; prefer anchored, simple patterns and confirm.
        container request-uri {
          presence "enable request-uri";
          description "Request URI field";
          uses apply-advanced;
          leaf-list regular-expression {
            type jt:regular-expression;
            max-elements 5;
            ordered-by user;
            description "Regular expression matched on incoming Request-URI";
          }
        } // container request-uri
        container contact {
          presence "enable contact";
          description "Contact field";
          uses apply-advanced;
          leaf-list regular-expression {
            type jt:regular-expression;
            max-elements 5;
            ordered-by user;
            description "Regular expression matched on incoming contact";
          }
        } // container contact
      } // container from
      container then {
        presence "enable then";
        description "Action";
        uses new_call_then_type;
      } // container then
    } // list term
  } // grouping call_usage_policy_type

  // Method key for call usage policies; "method-invite" is the only value
  // this revision defines.
  grouping call-usage-method-type {
    leaf name {
      type enumeration {
        enum "method-invite" {
          value 0;
        }
      }
    }
    uses apply-advanced;
  } // grouping call-usage-method-type

  // HCM tag rule: a named rule holding a user-ordered list of terms. Each
  // term has a `from` match (hcm_tag_match_object) and a `then` action that
  // lists the tags to apply plus an optional per-term counter.
  grouping hcm_tag_rule_object {
    leaf name {
      // Constraint: the same name may not also exist under
      // [services hcm url-rule] or [services hcm rule], so a name refers to
      // one rule type only. `$$` appears to stand for this leaf's own value.
      junos:must "((!("services hcm url-rule $$") && !("services hcm rule $$")))";
      junos:must-message "Hcm rules must have unique names";
      type string {
        // Leading alphanumeric, then alphanumerics, '_' or '-' only.
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    list term {
      key "name";
      ordered-by user;
      description "One or more terms in HCM tag rule";
      leaf name {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint16 { range "1 .. 32767"; }
        }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        presence "enable from";
        description "Match criteria";
        uses hcm_tag_match_object;
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        // NOTE(review): the description below repeats the one on `list term`;
        // the entries of this list are tags, not terms.
        list tag {
          key "name";
          ordered-by user;
          description "One or more terms in HCM tag rule";
          leaf name {
            type string { length "1 .. 63"; }
            description "Tag name";
          }
          uses apply-advanced;
          leaf tag-header {
            type string { length "1 .. 63"; }
            description "Tag header string";
          }
          leaf do-not-rename-existing-tag-header {
            type empty;
            description "Disable renaming of the tag header";
          }
          // Exactly one character.
          leaf tag-separator {
            type string { length "1"; }
            description "Tag separator character";
          }
          leaf-list tag-attribute {
            type enumeration {
              enum "ipv4addr" { value 0; }
              enum "ipv6addr" { value 1; }
            }
            ordered-by user;
            description "One or more tag attributes";
          }
          // md5 is the only algorithm this revision offers.
          // NOTE(review): presumably the hash is applied to the tag-attribute
          // value (an IPv4/IPv6 address) with `prefix` mixed in as a key -
          // confirm. MD5 over a small input space such as IPv4 gives little
          // protection by itself, so the `prefix` value should be treated
          // as a secret; it is declared as an ordinary string leaf here.
          container encrypt {
            description "Specify encryption or hashing algorithm";
            uses apply-advanced;
            leaf hash {
              type enumeration {
                enum "md5" { value 0; description "Md5 hash"; }
              }
              description "Hashing algorithm";
            }
            leaf prefix {
              type string { length "1 .. 63"; }
              description "Hash prefix key";
            }
          } // container encrypt
          // Mask / or-value pairs: each leaf requires its partner through a
          // junos:must, separately for IPv4 and IPv6. Per the descriptions
          // they are a logical AND mask and a logical OR value for the
          // x-forwarded-for address.
          leaf ipv4-mask {
            junos:must "(".. ipv4-or-value")";
            junos:must-message "Both mask and or-value must be specified";
            type jt:ipv4addr;
            description "Specify a logical and mask for the x-forwarded-for address";
          }
          leaf ipv4-or-value {
            junos:must "(".. ipv4-mask")";
            junos:must-message "Both mask and or-value must be specified";
            type jt:ipv4addr;
            description "Specify a logical or mask for x-forwarded address";
          }
          leaf ipv6-mask {
            junos:must "(".. ipv6-or-value")";
            junos:must-message "Both mask and or-value must be specified";
            type jt:ipv6addr;
            description "Specify a logical and mask for the x-forwarded-for address";
          }
          leaf ipv6-or-value {
            junos:must "(".. ipv6-mask")";
            junos:must-message "Both mask and or-value must be specified";
            type jt:ipv6addr;
            description "Specify a logical or mask for x-forwarded address";
          }
        } // list tag
        leaf count {
          type empty;
          description "Enable statistics for term";
        }
      } // container then
    } // list term
  } // grouping hcm_tag_rule_object

  // Match criteria for an HCM tag term: destination addresses, address
  // ranges, named prefix lists, and destination ports / port ranges.
  grouping hcm_tag_match_object {
    uses apply-advanced;
    list destination-address {
      key "name";
      ordered-by user;
      description "Match IP destination address";
      uses sfw_addr_object;
    } // list destination-address
    list destination-address-range {
      key "low high";
      ordered-by user;
      description "Match IP destination address range";
      leaf low {
        type jt:ipaddr;
        description "Lower limit of address range";
      }
      leaf high {
        type jt:ipaddr;
        description "Upper limit of address range";
      }
      // Presence of this empty leaf negates the match (per its description).
      leaf except {
        type empty;
        description "Match address not in this prefix";
      }
    } // list destination-address-range
    list destination-prefix-list {
      key "name";
      ordered-by user;
      description "One or more named lists of destination prefixes to match";
      leaf name {
        // Must reference a prefix list defined under
        // [policy-options prefix-list].
        junos:must "("policy-options prefix-list $$")";
        junos:must-message "Referenced prefix-list is not defined under 'policy-options prefix-list'";
        type string;
        description "Name of prefix list to match against";
      }
      leaf except {
        type empty;
        description "Name of prefix list not to match against";
      }
    } // list destination-prefix-list
    leaf-list
destination-ports {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 65535"; }
      }
      ordered-by user;
      description "Destination port list specification";
    }
    // NOTE(review): no constraint visible here requires low <= high;
    // presumably that is checked elsewhere - confirm.
    list destination-port-range {
      key "low high";
      ordered-by user;
      description "Match destination port range";
      leaf low {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "0 .. 65535"; }
        }
        description "Lower limit of port range";
      }
      leaf high {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "0 .. 65535"; }
        }
        description "Upper limit of port range";
      }
    } // list destination-port-range
  } // grouping hcm_tag_match_object

  // Named, reusable URL list: host entries (up to 32 characters each) and
  // request-uri entries (up to 40 characters each). Only a length limit is
  // placed on the entries; no character pattern is enforced on them here.
  grouping hcm_url_list_object {
    leaf name {
      type string {
        // Leading alphanumeric, then alphanumerics, '_' or '-' only.
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "List name";
    }
    uses apply-advanced;
    list host {
      key "name";
      ordered-by user;
      description "One or more host(s)";
      leaf name {
        type string { length "1 .. 32"; }
        description "Domain name";
      }
      uses apply-advanced;
    } // list host
    list request-uri {
      key "name";
      ordered-by user;
      description "One or more uri's";
      leaf name {
        type string { length "1 .. 40"; }
        description "Uri name";
      }
      uses apply-advanced;
    } // list request-uri
  } // grouping hcm_url_list_object

  // HCM URL rule: a named rule holding user-ordered terms. Each term matches
  // on URL lists / inline URLs (hcm_url_match_object) and then accepts or
  // discards, optionally counting and/or logging.
  grouping hcm_url_rule_object {
    leaf name {
      // Two name-uniqueness constraints are declared. The second one (not
      // under [services hcm rule] AND not under [services hcm tag-rule])
      // already implies the first.
      // NOTE(review): the first junos:must looks redundant - confirm it is
      // generated that way upstream before removing it.
      junos:must "(!("services hcm rule $$"))";
      junos:must-message "Hcm rules must have unique names";
      junos:must "((!("services hcm rule $$") && !("services hcm tag-rule $$")))";
      junos:must-message "Hcm rules must have unique names";
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    list term {
      key "name";
      ordered-by user;
      description "One or more terms in HCM url_rule";
      leaf name {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint16 { range "1 .. 255"; }
        }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        presence "enable from";
        description "Match criteria";
        uses hcm_url_match_object;
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        // `count` is only valid together with `accept` and is rejected with
        // `discard`, so discarded URLs cannot be counted through this leaf.
        // `log-request` carries no such constraint in this schema, which
        // makes it the visible option for recording discard terms.
        leaf count {
          junos:must "(!(".. discard"))";
          junos:must-message "Count must not be combined with Discard";
          junos:must "(".. accept")";
          junos:must-message "Count must be combined with Accept";
          type empty;
          description "Enable statistics for term";
        }
        leaf log-request {
          type empty;
          description "Enable logging for term";
        }
        // accept and discard are mutually exclusive (YANG choice).
        choice designation {
          leaf accept {
            type empty;
            description "Accept the URL";
          }
          leaf discard {
            type empty;
            description "Discard the URL";
          }
        } // choice designation
      } // container then
    } // list term
  } // grouping hcm_url_rule_object

  // Match criteria for an HCM URL term: references to named url-lists plus
  // rule-specific inline URL entries (host and request-uri lists).
  grouping hcm_url_match_object {
    uses apply-advanced;
    list url-list {
      key "name";
      ordered-by user;
      description "List of Url lists to referance";
      leaf name {
        // Must reference a list defined under [services hcm url-list].
        junos:must "("services hcm url-list $$")";
        junos:must-message "referenced url-list rule must be defined";
        type string { length "1 .. 63"; }
        description "Url list name";
      }
      uses apply-advanced;
    } // list url-list
    list url {
      key "name";
      ordered-by user;
      description "Rule specific url list";
      leaf name {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint16 { range "1 .. 32767"; }
        }
        description "Url name";
      }
      uses apply-advanced;
      list host {
        key "name";
        ordered-by user;
        description "One or more host(s)";
        leaf name {
          type string { length "1 .. 32"; }
          description "Domain name";
        }
        uses apply-advanced;
      } // list host
      list request-uri {
        key "name";
        ordered-by user;
        description "One or more uri's";
        leaf name {
          type string {
            length "1 ..
40"; } description "Uri name"; } uses apply-advanced; } // list request-uri } // list url } // grouping hcm_url_match_object grouping header-manipulation-message-manipulation-rules-type { description "Definition of header manipulation"; uses apply-advanced; list manipulation-rule { key "name"; ordered-by user; description "Definition of manipulation rules"; uses header-manipulation-manipulation-rule-type; } // list manipulation-rule } // grouping header-manipulation-message-manipulation-rules-type grouping header-manipulation-manipulation-rule-type { leaf name { type string; description "Header manipulation rule name"; } uses apply-advanced; container actions { description "Header manipulation actions"; uses header-manipulation-actions-type; } // container actions } // grouping header-manipulation-manipulation-rule-type grouping header-manipulation-actions-type { description "Manipulations on sip-headers or request-uri"; uses apply-advanced; list sip-header { key "name"; max-elements 50; ordered-by user; description "Manipulation of the SIP header"; leaf name { type string; description "SIP header field name"; } uses apply-advanced; container field-value { description "Manipulation on the header's field value"; uses header-manipulation-sip-header-field-value-type; } // container field-value } // list sip-header container request-uri { presence "enable request-uri"; description "Manipulation of the message request-uri"; uses apply-advanced; container field-value { presence "enable field-value"; description "Manipulation on the request-uri field value"; uses apply-advanced; list modify-regular-expression { key "name"; max-elements 5; ordered-by user; description "Set modify regular expression and patterns"; uses header-manipulation-modify-type; } // list modify-regular-expression } // container field-value } // container request-uri } // grouping header-manipulation-actions-type grouping header-manipulation-modify-type { description "Modify header using regular 
expression"; leaf name { type jt:regular-expression; description "Regular expression pattern"; } leaf with { type string; description "Modification string"; } } // grouping header-manipulation-modify-type grouping header-manipulation-sip-header-field-value-type { uses apply-advanced; leaf remove-all { type empty; description "Remove all headers"; } list remove-regular-expression { key "name"; max-elements 5; ordered-by user; description "Remove field-value"; uses header-manipulation-remove-type; } // list remove-regular-expression list reject-regular-expression { key "name"; max-elements 5; ordered-by user; description "Reject message using regular expression"; uses header-manipulation-reject-type; } // list reject-regular-expression list modify-regular-expression { key "name"; max-elements 5; ordered-by user; description "Modify field-value using regular expression"; uses header-manipulation-modify-type; } // list modify-regular-expression list add { key "name"; max-elements 5; ordered-by user; description "Add field-value to header"; uses header-manipulation-add-type; } // list add list add-missing { key "name"; max-elements 5; ordered-by user; description "Add field-value only if header is missing"; uses header-manipulation-add-missing-type; } // list add-missing list add-overwrite { key "name"; max-elements 5; ordered-by user; description "Overwrite headers field-value"; uses header-manipulation-add-overwrite-type; } // list add-overwrite } // grouping header-manipulation-sip-header-field-value-type grouping header-manipulation-add-missing-type { description "Add header only if missing"; leaf name { type string; description "Field-value to add"; } } // grouping header-manipulation-add-missing-type grouping header-manipulation-add-overwrite-type { description "Overwrite existing header"; leaf name { type string; description "Field-value to add"; } } // grouping header-manipulation-add-overwrite-type grouping header-manipulation-add-type { description "Add 
header";
    leaf name {
      type string;
      description "Field-value to add";
    }
  } // grouping header-manipulation-add-type

  // List key for reject rules: the key itself is the regular expression.
  grouping header-manipulation-reject-type {
    description "Reject messages that match a regular expression";
    leaf name {
      type jt:regular-expression;
      description "Regular expression pattern";
    }
  } // grouping header-manipulation-reject-type

  // List key for remove rules: the key itself is the regular expression.
  grouping header-manipulation-remove-type {
    description "Remove headers that match a regular expression";
    leaf name {
      type jt:regular-expression;
      description "Regular expression pattern";
    }
  } // grouping header-manipulation-remove-type

  // ICAP service profile: up to 16 redirection servers, a switch for which
  // HTTP direction is redirected, the actions taken on failure, and the
  // server response timeout.
  grouping icap-profile-object {
    leaf name {
      type string {
        // Leading alphanumeric, then alphanumerics, '_' or '-' only.
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "ICAP service profile name";
    }
    uses apply-advanced;
    list server {
      key "name";
      max-elements 16;
      ordered-by user;
      description "Configure service redirection server";
      uses icap-redir-server;
    } // list server
    container http {
      description "ICAP methods switch";
      uses http-redirect-object;
    } // container http
    // Failure handling; see icap-redirect-fallback - every action there
    // defaults to "permit".
    container fallback-option {
      description "Failure event actions";
      uses icap-redirect-fallback;
    } // container fallback-option
    // 100-50000 ms, default 500 ms.
    leaf timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "100 .. 50000"; }
      }
      default "500";
      description "Server response timeout in milliseconds";
    }
  } // grouping icap-profile-object

  // Which HTTP direction is redirected to the ICAP service. Both leaves are
  // presence flags (type empty).
  grouping http-redirect-object {
    uses apply-advanced;
    leaf redirect-request {
      type empty;
      description "Enable redirect service on HTTP request";
    }
    leaf redirect-response {
      type empty;
      description "Enable redirect service on HTTP response";
    }
  } // grouping http-redirect-object

  // One ICAP redirection server: authentication, address and port,
  // REQMOD/RESPMOD resource identifiers, routing instance, connection count
  // and an optional TLS profile.
  grouping icap-redir-server {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Server name";
    }
    uses apply-advanced;
    container authorization {
      description "User authentication";
      uses apply-advanced;
      // Free-form string; the description states 'Basic' as the default but
      // no `default` statement is declared here.
      leaf authorization-type {
        type string { length "1 .. 127"; }
        description "Authentication type. 'Basic' by default";
      }
      // Credentials are given in exactly one of two forms (YANG choice).
      // Both are ordinary string leaves; this schema attaches no secret or
      // obfuscation marker to them.
      // NOTE(review): base64 is an encoding, not protection - treat both
      // leaves as cleartext credentials in the configuration, confirm how
      // the device stores and displays them, and restrict read access to
      // this part of the configuration accordingly.
      container credentials {
        description "Credentials text";
        choice credentials-choice {
          leaf ascii {
            type string { length "1 .. 511"; }
            description "ASCII string";
          }
          leaf base64 {
            type string { length "1 .. 511"; }
            description "Base64 string";
          }
        } // choice credentials-choice
      } // container credentials
    } // container authorization
    leaf host {
      type string { length "1 .. 255"; }
      description "Host name/IP address";
    }
    // Only ports 1025-65535 are accepted; default 1344.
    leaf port {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1025 .. 65535"; }
      }
      default "1344";
      description "Server listening port";
    }
    // Both URIs may be empty (length starts at 0).
    leaf reqmod-uri {
      type string { length "0 .. 1023"; }
      description "REQMOD option resource identifier";
    }
    leaf respmod-uri {
      type string { length "0 .. 1023"; }
      description "RESPMOD option resource identifier";
    }
    container routing-instance {
      description "Routing instance";
      leaf ri-name {
        // The instance must exist and be of instance-type virtual-router.
        // The second junos:must (existence) is implied by the first.
        junos:must "("routing-instances $$ instance-type virtual-router")";
        junos:must-message "Virtual router must be defined under [routing-instances]";
        junos:must "("routing-instances $$")";
        junos:must-message "Routing-instance must be defined";
        type string {
          // NOTE(review): the pattern and its message allow up to 128
          // characters, while `length` caps the value at 127.
          junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
          junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
          length "1 .. 127";
        }
        description "Routing instance name";
      }
    } // container routing-instance
    // 1-64 connections, default 8.
    leaf sockets {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint8 { range "1 .. 64"; }
      }
      default "8";
      description "Number of connections to create";
    }
    // Optional (no `mandatory` statement); when set it must name a profile
    // defined under [services ssl initiation profile].
    // NOTE(review): presumably the ICAP connection is unencrypted when this
    // leaf is absent - confirm. In that case the redirected HTTP content
    // and the credentials configured above would cross the network in the
    // clear, so setting a TLS profile alongside `authorization` is advisable.
    leaf tls-profile {
      junos:must "("services ssl initiation profile $$")";
      junos:must-message "Referenced SSL initiation profile is not defined";
      type string { length "1 .. 63"; }
      description "TLS profile";
    }
  } // grouping icap-redir-server

  // Actions taken when ICAP redirection fails. All three leaves default to
  // "permit", which the enum descriptions give as a direct permit with no
  // logging: with nothing configured here, a timeout or connection failure
  // lets the request through silently (fail-open). Where the ICAP service is
  // relied on as a security control, set "log-permit" or "block" explicitly.
  grouping icap-redirect-fallback {
    uses apply-advanced;
    leaf timeout {
      type enumeration {
        enum "permit" { value 0; description "Direct permit action"; }
        enum "log-permit" { value 1; description "Log then permit action"; }
        enum "block" { value 2; description "Block action"; }
      }
      default "permit";
      description "Request timeout action";
    }
    leaf connectivity {
      type enumeration {
        enum "permit" { value 0; description "Direct permit action"; }
        enum "log-permit" { value 1; description "Log then permit action"; }
        enum "block" { value 2; description "Block action"; }
      }
      default "permit";
      description "Connection-related failure action";
    }
    leaf default-action {
      type enumeration {
        enum "permit" { value 0; description "Direct permit action"; }
        enum "log-permit" { value 1; description "Log then permit action"; }
        enum "block" { value 2; description "Block action"; }
      }
      default "permit";
      description "Default failure action";
    }
  } // grouping
icap-redirect-fallback grouping icap-redirect-traceoptions { description "ICAP redirect traceoptions"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } enum "icap-redirect-re" { value 1; description "Trace events on RE side"; } enum "icap-redirect-control" { value 2; description "Trace events on PFE-ukernel side"; } enum "icap-redirect-connection" { value 3; description "Trace ICAP server connection events"; } enum "icap-redirect-protocol" { value 4; description "Trace redirect packet events"; } } } } // list flag } // grouping icap-redirect-traceoptions grouping identity-management-connection-type { description "Identity management connection"; uses apply-advanced; leaf connect-method { type enumeration { enum "https" { value 0; description "HTTPS connection"; } enum "http" { value 1; description "HTTP 
connection"; } } description "Method of connection"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "443"; description "Server port"; } container primary { description "Primary server"; uses identity-server-connection-type; } // container primary container secondary { description "Secondary server"; uses identity-server-connection-type; } // container secondary leaf token-api { type string { length "1 .. 128"; } description "API of acquiring token for OAuth2 authentication"; } leaf query-api { type string { length "4 .. 128"; } description "Query API"; } } // grouping identity-management-connection-type grouping identity-server-connection-type { description "Connection parameters per server"; uses apply-advanced; leaf address { type jt:ipaddr; description "Server address"; } leaf ca-certificate { type string { length "1 .. 256"; } description "Ca-certificate file name"; } leaf client-id { type string { length "1 .. 64"; } description "Client ID for OAuth2 grant"; } leaf client-secret { type string { length "1 .. 128"; } description "Client secret for OAuth2 grant"; } leaf source { type jt:ipaddr; description "Client address"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance name"; } } // grouping identity-server-connection-type grouping ids-option-type { description "Configure screen object"; leaf name { type string { length "1 .. 64"; } description "Screen object name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900";
      }
      description "Text description of screen";
    }
    // Per its description this flag makes the screen alarm-only: matching packets
    // raise an alarm but are not dropped.
    // NOTE(review): a screen object carrying this flag detects without blocking.
    leaf alarm-without-drop { type empty; description "Do not drop packet, only generate alarm"; }
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match on input to or output from interface"; }
      }
      description "Match direction";
    }
    // Prefix lengths (1..32 for IPv4, 1..128 for IPv6) for the source and
    // destination side of this screen object.
    container aggregation {
      presence "enable aggregation";
      description "Configure the source and Destination prefix for a ids-option";
      uses apply-advanced;
      leaf source-prefix-mask {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 32"; }
        }
        description "Source IPV4 prefix";
      }
      leaf destination-prefix-mask {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 32"; }
        }
        description "Destination IPV4 prefix";
      }
      leaf source-prefix-v6-mask {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 128"; }
        }
        description "Source IPV6 prefix";
      }
      leaf destination-prefix-v6-mask {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 128"; }
        }
        description "Destination IPV6 prefix";
      }
    } // container aggregation
    container icmp {
      description "Configure ICMP ids options";
      uses apply-advanced;
      // Threshold is a time window: per the units statement, the number of
      // microseconds (1000..1000000, default 5000) within which 10 ICMP packets
      // are detected.
      container ip-sweep {
        presence "enable ip-sweep";
        description "Configure ip sweep ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1000 .. 1000000"; }
          }
          units "microseconds in which 10 ICMP packets are detected";
          default "5000";
          description "Threshold";
        }
      } // container ip-sweep
      leaf fragment { type empty; description "Enable ICMP fragment ids option"; }
      leaf large { type empty; description "Enable large ICMP packet (size > 1024) ids option"; }
      // Rate threshold in ICMP packets per second, default 1000. The uint32 member
      // has no range, so the schema also accepts 0; what 0 means to the device is
      // not stated here.
      container flood {
        presence "enable flood";
        description "Configure icmp flood ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "ICMP packets per second";
          default "1000";
          description "Threshold";
        }
      } // container flood
      leaf ping-death { type empty; description "Enable ping of death ids option"; }
      leaf icmpv6-malformed { type empty; description "Enable icmpv6 malformed ids option"; }
    } // container icmp
    // IP-layer options. Each `type empty` leaf is a flag that is either present
    // or absent; none of them declares a default.
    container ip {
      description "Configure IP layer ids options";
      uses apply-advanced;
      leaf bad-option { type empty; description "Enable ip with bad option ids option"; }
      leaf record-route-option { type empty; description "Enable ip with record route option ids option"; }
      leaf timestamp-option { type empty; description "Enable ip with timestamp option ids option"; }
      leaf security-option { type empty; description "Enable ip with security option ids option"; }
      leaf stream-option { type empty; description "Enable ip with stream option ids option"; }
      leaf spoofing { type empty; description "Enable IP address spoofing ids option"; }
      leaf source-route-option { type empty; description "Enable ip source route ids option"; }
      leaf loose-source-route-option {
        type empty;
        description "Enable ip with loose source route ids option";
      }
      leaf strict-source-route-option {
        type empty;
        description "Enable ip with strict source route ids option";
      }
      leaf unknown-protocol { type empty; description "Enable ip unknown protocol ids option"; }
      leaf block-frag { type empty; description "Enable ip fragment blocking ids option"; }
      leaf tear-drop { type empty; description "Enable tear drop ids option"; }
      container ipv6-extension-header {
        description 
"Configure ipv6 extension header ids option";
        uses apply-advanced;
        // Hop-by-hop options header: one flag per named option plus a list of
        // user-defined option type ranges (1..255).
        container hop-by-hop-header {
          presence "enable hop-by-hop-header";
          description "Enable ipv6 hop by hop option header ids option";
          uses apply-advanced;
          leaf jumbo-payload-option { type empty; description "Enable jumbo payload option ids option"; }
          leaf router-alert-option { type empty; description "Enable router alert option ids option"; }
          leaf quick-start-option { type empty; description "Enable quick start option ids option"; }
          leaf CALIPSO-option {
            type empty;
            description "Enable Common Architecture Label ipv6 Security Option ids option";
          }
          leaf SMF-DPD-option {
            type empty;
            description "Enable Simplified Multicast Forwarding ipv6 Duplicate Packet Detection option ids option";
          }
          leaf RPL-option {
            type empty;
            description "Enable Routing Protocol for Low-power and Lossy networks option ids option";
          }
          // Each entry is a range: the key "name" is the low value and to/type-high
          // the high value. No constraint in this schema ties type-high to the low
          // value, so ordering of the two is not validated here.
          list user-defined-option-type {
            key "name";
            max-elements 256;
            ordered-by user;
            description "User-defined option type range";
            leaf name {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "1 .. 255"; }
              }
              description "User-defined option type low value";
            }
            container to {
              description "Upper limit of option type range";
              uses apply-advanced;
              leaf type-high {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 255"; }
                }
                description "User-defined option type high value";
              }
            } // container to
          } // list user-defined-option-type
        } // container hop-by-hop-header
        leaf routing-header { type empty; description "Enable ipv6 routing header ids option"; }
        leaf fragment-header { type empty; description "Enable ipv6 fragment header ids option"; }
        leaf ESP-header {
          type empty;
          description "Enable ipv6 Encapsulating Security Payload header ids option";
        }
        leaf AH-header { type empty; description "Enable ipv6 Authentication Header ids option"; }
        leaf no-next-header { type empty; description "Enable ipv6 no next header ids option"; }
        // Destination options header: same layout as the hop-by-hop container,
        // with its own set of named option flags.
        container destination-header {
          presence "enable destination-header";
          description "Enable ipv6 destination option header ids option";
          uses apply-advanced;
          leaf tunnel-encapsulation-limit-option {
            type empty;
            description "Enable tunnel encapsulation limit option ids option";
          }
          leaf home-address-option { type empty; description "Enable home address option ids option"; }
          leaf ILNP-nonce-option {
            type empty;
            description "Enable Identifier-Locator Network Protocol Nonce option ids option";
          }
          leaf line-identification-option {
            type empty;
            description "Enable line identification option ids option";
          }
          list user-defined-option-type {
            key "name";
            max-elements 256;
            ordered-by user;
            description "User-defined option type range";
            leaf name {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "1 .. 255"; }
              }
              description "User-defined option type low value";
            }
            container to {
              description "Upper limit of option type range";
              uses apply-advanced;
              leaf type-high {
                type union {
                  type string { pattern "<.*>|$.*"; }
                  type uint32 { range "1 .. 255"; }
                }
                description "User-defined option type high value";
              }
            } // container to
          } // list user-defined-option-type
        } // container destination-header
        leaf shim6-header { type empty; description "Enable ipv6 shim header ids option"; }
        leaf mobility-header { type empty; description "Enable ipv6 mobility header ids option"; }
        leaf HIP-header { type empty; description "Enable ipv6 Host Identify Protocol header ids option"; }
        // Header type ranges use 0..255, unlike the option type ranges above,
        // which start at 1.
        list user-defined-header-type {
          key "name";
          max-elements 256;
          ordered-by user;
          description "User-defined header type range";
          leaf name {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 255"; }
            }
            description "User-defined header type low value";
          }
          container to {
            description "Upper limit of header type range";
            uses apply-advanced;
            leaf type-high {
              type union {
                type string { pattern "<.*>|$.*"; }
                type uint32 { range "0 .. 255"; }
              }
              description "User-defined header type high value";
            }
          } // container to
        } // list user-defined-header-type
      } // container ipv6-extension-header
      leaf ipv6-extension-header-limit {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 {
            range "0 .. 
32";
          }
        }
        description "Enable ipv6 extension header limit ids option";
      }
      leaf ipv6-malformed-header { type empty; description "Enable ipv6 malformed header ids option"; }
      // Tunnel screens: one flag per encapsulation combination, grouped by
      // tunnel kind (GRE, IP-in-UDP, IPIP).
      container tunnel {
        description "Configure IP tunnel ids options";
        uses apply-advanced;
        leaf bad-inner-header { type empty; description "Enable IP tunnel bad inner header ids option"; }
        container gre {
          description "Configure IP tunnel GRE ids option";
          uses apply-advanced;
          leaf gre-6in4 { type empty; description "Enable IP tunnel GRE 6in4 ids option"; }
          leaf gre-4in6 { type empty; description "Enable IP tunnel GRE 4in6 ids option"; }
          leaf gre-6in6 { type empty; description "Enable IP tunnel GRE 6in6 ids option"; }
          leaf gre-4in4 { type empty; description "Enable IP tunnel GRE 4in4 ids option"; }
        } // container gre
        container ip-in-udp {
          description "Configure IP tunnel IPinUDP ids option";
          uses apply-advanced;
          leaf teredo { type empty; description "Enable IP tunnel IPinUDP Teredo ids option"; }
        } // container ip-in-udp
        container ipip {
          description "Configure IP tunnel IPIP ids option";
          uses apply-advanced;
          leaf ipip-6to4relay { type empty; description "Enable IP tunnel IPIP 6to4 Relay ids option"; }
          leaf ipip-6in4 { type empty; description "Enable IP tunnel IPIP 6in4 ids option"; }
          leaf ipip-4in6 { type empty; description "Enable IP tunnel IPIP 4in6 ids option"; }
          leaf ipip-4in4 { type empty; description "Enable IP tunnel IPIP 4in4 ids option"; }
          leaf ipip-6in6 { type empty; description "Enable IP tunnel IPIP 6in6 ids option"; }
          leaf ipip-6over4 { type empty; description "Enable IP tunnel IPIP 6over4 ids option"; }
          leaf isatap { type empty; description "Enable IP tunnel IPIP ISATAP ids option"; }
          leaf dslite { type empty; description "Enable IP tunnel IPIP DS-Lite ids option"; }
        } // container ipip
      } // container tunnel
    } // container ip
    // TCP-layer options: flag-combination checks, scan/sweep windows and the
    // SYN flood settings.
    container tcp {
      description "Configure TCP Layer ids options";
      uses apply-advanced;
      leaf syn-fin { type empty; description "Enable SYN and FIN bits set attack ids option"; }
      leaf fin-no-ack { type empty; description "Enable Fin bit with no ACK bit ids option"; }
      leaf tcp-no-flag { type empty; description "Enable TCP packet without flag ids option"; }
      leaf syn-frag { type empty; description "Enable SYN fragment ids option"; }
      leaf syn-defense { type empty; description "Enable tcp syn-defense"; }
      // Time window in microseconds (1000..1000000, default 5000) within which
      // 10 attack packets are detected, per the units statement.
      container port-scan {
        presence "enable port-scan";
        description "Configure TCP port scan ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1000 .. 1000000"; }
          }
          units "microseconds in which 10 attack packets are detected";
          default "5000";
          description "Threshold";
        }
      } // container port-scan
      container syn-ack-ack-proxy {
        presence "enable syn-ack-ack-proxy";
        description "Configure syn-ack-ack proxy ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 250000"; }
          }
          units "un-authenticated connections";
          default "512";
          description "Threshold";
        }
      } // container syn-ack-ack-proxy
      // Defaults declared here: alarm 512 requests/s, attack 200 proxied
      // requests/s, source and destination 4000 SYN pps each. The four threshold
      // leaves use an unbounded uint32, so the schema sets no lower or upper limit.
      // NOTE(review): these are generic defaults; size them against the protected
      // servers' normal connection rate.
      container syn-flood {
        presence "enable syn-flood";
        description "Configure SYN flood ids option";
        uses apply-advanced;
        leaf alarm-threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "requests per second";
          default "512";
          description "Alarm threshold";
        }
        leaf attack-threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "proxied requests per second";
          default "200";
          description "Attack threshold";
        }
        leaf source-threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "SYN pps";
          default "4000";
          description "Source threshold";
        }
        leaf destination-threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "SYN pps";
          default "4000";
          description "Destination threshold";
        }
        leaf queue-size {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 {
              range "200 .. 
20000";
            }
          }
          units "proxied requests in queue";
          default "1024";
          // Marked deprecated in the schema; kept for existing configurations.
          status deprecated;
          description "Queue size";
        }
        leaf timeout {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 50"; }
          }
          units "seconds";
          default "20";
          description "SYN flood ager timeout";
        }
        // Per the description, addresses listed here do not trigger the screen.
        // At most 2 lists, each with up to 32 source and 32 destination prefixes.
        // NOTE(review): every entry is an exemption from SYN flood screening - keep
        // the prefixes as narrow as the use case allows and review them regularly.
        list white-list {
          key "name";
          max-elements 2;
          description "Set of IP addresses that will not trigger a screen";
          leaf name {
            type string {
              junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
              junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
              length "1 .. 32";
            }
            description "White-list name";
          }
          uses apply-advanced;
          leaf-list source-address {
            type jt:ipprefix;
            max-elements 32;
            ordered-by user;
            description "Source address";
          }
          leaf-list destination-address {
            type jt:ipprefix;
            max-elements 32;
            ordered-by user;
            description "Destination address";
          }
        } // list white-list
      } // container syn-flood
      leaf land { type empty; description "Enable land attack ids option"; }
      leaf winnuke { type empty; description "Enable winnuke attack ids option"; }
      container tcp-sweep {
        presence "enable tcp-sweep";
        description "Configure TCP sweep ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1000 .. 1000000"; }
          }
          units "microseconds in which 10 TCP packets are detected";
          default "5000";
          description "Threshold";
        }
      } // container tcp-sweep
    } // container tcp
    // UDP-layer options: flood rate, sweep window and port-scan window.
    container udp {
      description "Configure UDP layer ids options";
      uses apply-advanced;
      container flood {
        presence "enable flood";
        description "Configure UDP flood ids option";
        uses apply-advanced;
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          units "UDP packets per second";
          default "1000";
          description "Threshold";
        }
        // Up to 2 white list group names as free-form strings; no constraint here
        // checks that a named group exists.
        leaf-list white-list {
          type string;
          max-elements 2;
          ordered-by user;
          description "Configure UDP flood white list group name";
        }
      } // container flood
      container udp-sweep {
        presence "enable udp-sweep";
        description "Configure UDP sweep ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1000 .. 1000000"; }
          }
          units "microseconds in which 10 UDP packets are detected";
          default "5000";
          description "Threshold";
        }
      } // container udp-sweep
      container port-scan {
        presence "enable port-scan";
        description "Configure UDP port scan ids option";
        leaf threshold {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 {
              range "1000 .. 
1000000";
            }
          }
          units "microseconds in which 10 attack packets are detected";
          default "5000";
          description "Threshold";
        }
      } // container port-scan
    } // container udp
    // Session limiting: two simple per-IP limits plus the by-source and
    // by-destination blocks, each with session count, packet rate, session rate,
    // per-protocol limits and a list of white list group names.
    container limit-session {
      description "Limit sessions";
      uses apply-advanced;
      leaf source-ip-based {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32;
        }
        description "Limit sessions from the same source IP";
      }
      leaf destination-ip-based {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32;
        }
        description "Limit sessions to the same destination IP";
      }
      container by-source {
        presence "enable by-source";
        description "Limit sessions from the same source IP or subnet";
        uses apply-advanced;
        // No default and no range: the limit applies only when a value is
        // configured, and the schema accepts any uint32.
        leaf maximum-sessions {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          description "Limit sessions on the basis of maximum concurrent sessions";
        }
        leaf packet-rate {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 4294967295"; }
          }
          description "Limit sessions on the basis of packet rate";
        }
        leaf session-rate {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 4294967295"; }
          }
          description "Limit sessions on the basis of session rate";
        }
        container by-protocol {
          presence "enable by-protocol";
          description "Limit sessions on the basis of protocol";
          uses by-protocol-object-type;
        } // container by-protocol
        // Up to 10 white list group names as free-form strings.
        // NOTE(review): listed groups are presumably exempt from these limits -
        // confirm, and keep the referenced groups narrow.
        leaf-list whitelist {
          type string;
          max-elements 10;
          ordered-by user;
          description "Configure white list group name";
        }
      } // container by-source
      container by-destination {
        presence "enable by-destination";
        description "Limit sessions to the same destination IP or subnet";
        uses apply-advanced;
        leaf maximum-sessions {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32;
          }
          description "Limit sessions on the basis of maximum concurrent sessions";
        }
        leaf packet-rate {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 4294967295"; }
          }
          description "Limit sessions on the basis of packet rate";
        }
        leaf session-rate {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "1 .. 4294967295"; }
          }
          description "Limit sessions on the basis of session rate";
        }
        container by-protocol {
          presence "enable by-protocol";
          description "Limit sessions on the basis of protocol";
          uses by-protocol-object-type;
        } // container by-protocol
        leaf-list whitelist {
          type string;
          max-elements 10;
          ordered-by user;
          description "Configure white list group name";
        }
      } // container by-destination
    } // container limit-session
  } // grouping ids-option-type

  // Per-protocol session limits: TCP uses the TCP-specific limit grouping, UDP
  // and ICMP share the generic one.
  grouping by-protocol-object-type {
    description "Configure limit-session on the basis of protocol";
    uses apply-advanced;
    container tcp {
      presence "enable tcp";
      description "Configure limit-session on the basis of TCP";
      uses by-protocol-object-limit-tcp-type;
    } // container tcp
    container udp {
      presence "enable udp";
      description "Configure limit-session on the basis of UDP";
      uses by-protocol-object-limit-type;
    } // container udp
    container icmp {
      presence "enable icmp";
      description "Configure limit-session on the basis of ICMP";
      uses by-protocol-object-limit-type;
    } // container icmp
  } // grouping by-protocol-object-type

  // TCP session limits; the definition continues past the end of this line range.
  grouping by-protocol-object-limit-tcp-type {
    description "Configure the limit-session for tcp protocol";
    uses apply-advanced;
    leaf maximum-sessions {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32;
      }
      description "Limit sessions on the basis of maximum concurrent sessions";
    }
    leaf packet-rate {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 4294967295"; }
      }
      description "Limit sessions on the basis of packet rate";
    }
    leaf session-rate {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 {
          range "1 .. 
4294967295";
        }
      }
      description "Limit sessions on the basis of session rate";
    }
    leaf-list whitelist {
      type string;
      max-elements 10;
      ordered-by user;
      description "Configure white list group name";
    }
    // SYN cookie settings for TCP: MSS (64..65535) and two triggers, a TCP-SYN
    // rate and a session count. None of the three declares a default.
    container syn-cookie {
      presence "enable syn-cookie";
      description "Configure syn-cookie parameters";
      uses apply-advanced;
      leaf mss {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "64 .. 65535"; }
        }
        description "TCP maximum segment size";
      }
      leaf threshold-rate {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 4294967295"; }
        }
        description "TCP-SYN cps rate to trigger SYN-COOKIE";
      }
      leaf threshold-num {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32;
        }
        description "Number of sessions to trigger SYN-COOKIE";
      }
    } // container syn-cookie
  } // grouping by-protocol-object-limit-tcp-type

  // Generic per-protocol session limits: session count, packet rate, session
  // rate and up to 10 white list group names.
  grouping by-protocol-object-limit-type {
    description "Configure the limit-session for each protocol";
    uses apply-advanced;
    leaf maximum-sessions {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32;
      }
      description "Limit sessions on the basis of maximum concurrent sessions";
    }
    leaf packet-rate {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 4294967295"; }
      }
      description "Limit sessions on the basis of packet rate";
    }
    leaf session-rate {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 4294967295"; }
      }
      description "Limit sessions on the basis of session rate";
    }
    leaf-list whitelist {
      type string;
      max-elements 10;
      ordered-by user;
      description "Configure white list group name";
    }
  } // grouping by-protocol-object-limit-type

  // Named white list: up to 32 IP prefixes in user-defined order.
  grouping ids-wlist-type {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 32";
      }
      description "White-list name";
    }
    uses apply-advanced;
    leaf-list address {
      type jt:ipprefix;
      max-elements 32;
      ordered-by user;
      description "Address";
    }
  } // grouping ids-wlist-type

  // IDS rule: a named rule with a match direction and an ordered list of terms.
  // The definition continues past the end of this line range.
  grouping ids_rule_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match on input to and output from interface"; }
      }
      description "Direction for which the rule match is applied";
    }
    // Terms are kept in the order the user configures them (ordered-by user).
    list term {
      key "name";
      ordered-by user;
      description "Define an IDS term";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
          length "1 .. 
63";
        }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        description "Define match criteria";
        uses sfw_match_object;
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        // Three mutually exclusive cases. force-entry and ignore-entry act on the
        // IDS tables/events for matching traffic.
        // NOTE(review): ignore-entry suppresses IDS events for whatever the term
        // matches - keep the 'from' criteria of such terms narrow. The third case,
        // user-interface, is a trace level and looks unrelated to the other two;
        // confirm against the vendor schema.
        choice accept_choice {
          leaf force-entry {
            type empty;
            description "Force entries in IDS tables for matching traffic";
          }
          leaf ignore-entry {
            type empty;
            description "Ignore IDS events for matching traffic";
          }
          leaf user-interface {
            type enumeration {
              enum "trace" { value 0; description "Trace functions entering and exiting"; }
              enum "debug" { value 1; description "Trace code flow, branching, positive style guide check"; }
              enum "info" { value 2; description "Summary logs for normal operations"; }
              enum "warning" { value 3; description "Failure-recovery or Failure of an external entity"; }
              enum "error" { value 4; description "Failure with short-term affect"; }
            }
            default "error";
            description "User-interface trace level";
          }
        } // choice accept_choice
        // Prefix lengths are declared as int32 with ranges 1..32 (IPv4) and
        // 1..128 (IPv6).
        container aggregation {
          description "Define aggregation parameters";
          uses apply-advanced;
          leaf source-prefix {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 32"; }
            }
            description "Prefix length for IPv4 source addresses";
          }
          leaf destination-prefix {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 32"; }
            }
            description "Prefix length for IPv4 destination addresses";
          }
          leaf source-prefix-ipv6 {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 128"; }
            }
            description "Prefix length for IPv6 source addresses";
          }
          leaf destination-prefix-ipv6 {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "1 .. 128"; }
            }
            description "Prefix length for IPv6 destination addresses";
          }
        } // container aggregation
        container logging {
          description "Define system logging parameters";
          uses apply-advanced;
          // Plain int32 with no range, so negative values pass schema validation;
          // how the device treats them is not visible here.
          leaf threshold {
            type union {
              type int32;
              type string { pattern "<.*>|$.*"; }
            }
            description "Threshold above which events should be logged";
          }
          leaf syslog { type empty; description "System log information about the packet"; }
        } // container logging
        container syn-cookie {
          description "Define SYN cookie parameters";
          uses apply-advanced;
          leaf threshold {
            type union {
              type int32;
              type string { pattern "<.*>|$.*"; }
            }
            description "Threshold above which SYN cookies are enabled";
          }
          leaf mss {
            type union {
              type string { pattern "<.*>|$.*"; }
              type int32 { range "128 .. 8192"; }
            }
            description "MSS value for TCP delayed binding";
          }
        } // container syn-cookie
        // Session limits by source, by destination and by source-destination
        // pair; only by-pair is a presence container.
        container session-limit {
          description "Define IDS session limit parameters";
          uses apply-advanced;
          container by-source {
            description "Define IDS session limit parameters by source";
            uses ids_limit_type;
          } // container by-source
          container by-destination {
            description "Define IDS session limit parameters by destination";
            uses ids_limit_type;
          } // container by-destination
          container by-pair {
            presence "enable by-pair";
            description "Define IDS session limit parameters by source-destination pair";
            uses ids_limit_type;
          } // container by-pair
        } // container session-limit
        // Both allow-lists are free-form strings with no description and no
        // enumeration of accepted values in this schema.
        // NOTE(review): entries presumably exempt the named IP options / IPv6
        // extension headers from the checks - confirm the accepted values in the
        // device documentation.
        leaf-list allow-ip-options { type string; ordered-by user; }
        leaf-list allow-ipv6-extension-header { type string; ordered-by user; }
        leaf tcp-syn-defense { type empty; description "Enable tcp-syn-defense"; }
        leaf tcp-syn-fragment-check { type empty; description "Enable tcp syn fragment check"; }
        leaf tcp-winnuke-check { type empty; description "Enable tcp winnuke check"; }
        leaf icmp-fragment-check { type empty; description "Enable icmp fragment check"; }
        leaf icmp-large-packet-check { type empty; description "Enable icmp large packet check"; }
        leaf land-attack-check {
          type 
enumeration {
            enum "ip-only" { value 0; description "Land attack check is on IP address only"; }
            enum "ip-port" { value 1; description "Land attack check is on both IP and port"; }
          }
          description "Enable land attack checks";
        }
      } // container then
    } // list term
  } // grouping ids_rule_object

  // IDS session limits: overall maximum, new-session rate and packet rate, a
  // hold time (0..60 seconds) and per-protocol limits for TCP, UDP and ICMP.
  // NOTE(review): maximum, rate and packets are plain `string` leaves, so the
  // schema applies no numeric range; any validation of these limits happens
  // outside this grouping.
  grouping ids_limit_type {
    uses apply-advanced;
    leaf maximum {
      type string;
      description "Maximum number of open sessions allowed simultaneously";
    }
    leaf rate {
      type string;
      description "Maximum number of new sessions allowed per second";
    }
    leaf packets {
      type string;
      description "Maximum number of packets allowed per second";
    }
    leaf hold-time {
      type union {
        type string { pattern "<.*>|$.*"; }
        type int32 { range "0 .. 60"; }
      }
      units "second";
      description "How long to keep limit information after session is deleted";
    }
    container by-protocol {
      description "Define IDS session limit parameters";
      uses apply-advanced;
      container tcp {
        description "Define TCP IDS session limits";
        uses ids_proto_limit_type;
      } // container tcp
      container udp {
        description "Define UDP IDS session limits by source";
        uses ids_proto_limit_type;
      } // container udp
      container icmp {
        description "Define ICMP IDS session limits by source";
        uses ids_proto_limit_type;
      } // container icmp
    } // container by-protocol
  } // grouping ids_limit_type

  // Per-protocol form of the limits: the same three plain-string leaves, without
  // hold time or nested protocols.
  grouping ids_proto_limit_type {
    uses apply-advanced;
    leaf maximum {
      type string;
      description "Maximum number of open sessions allowed simultaneously";
    }
    leaf rate {
      type string;
      description "Maximum number of new sessions allowed per second";
    }
    leaf packets {
      type string;
      description "Maximum number of packets allowed per second";
    }
  } // grouping ids_proto_limit_type

  // Identity management connection; the definition continues past the end of
  // this line.
  grouping ims-connection-type {
    description "Identity management connection";
    uses apply-advanced;
    // NOTE(review): plain "http" is an accepted value and no default is declared
    // for this leaf. The grouping also carries an OAuth2 token API; over "http"
    // that exchange would presumably be unencrypted - prefer "https".
    leaf connect-method {
      type enumeration {
        enum "https" { value 0; description "HTTPS connection"; }
        enum "http" { value 1; description "HTTP connection"; }
      }
      description "Method of connection";
    }
    leaf port {
      type union { 
type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "443"; description "Server port"; } container primary { description "Primary server"; uses server-connection-type; } // container primary container secondary { description "Secondary server"; uses server-connection-type; } // container secondary leaf token-api { type string { length "1 .. 128"; } description "API of acquiring token for OAuth2 authentication"; } leaf query-api { type string { length "4 .. 128"; } description "Query API"; } } // grouping ims-connection-type grouping ims-traceoptions-type { description "Identity management tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace identity management all modules"; } enum "authentication-management" { value 1; description "Trace advanced-query auth table management module"; } enum "configuration" { value 2; description "Trace identity management configuration"; } enum "dispatcher" { value 3; description "Trace dispatcher module"; } enum "query" { value 4; description "Trace query process"; } enum "jims-validator-query" { value 5; description "Trace jims validator query process"; } enum "memory" { value 6; description "Trace memory"; } } } } // list flag } // grouping ims-traceoptions-type grouping interface_map_type { uses apply-advanced; leaf file-specification { type string; description "Default file specification"; } leaf collector { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } description "Default Collector PIC to be used for flow manipulation"; } list input_intf_to_cpic_map { key "name"; uses 
input_intf_to_cpic_map_type; } // list input_intf_to_cpic_map } // grouping interface_map_type grouping input_intf_to_cpic_map_type { leaf name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Input interface for flow collection"; } uses apply-advanced; leaf file-specification { type string; description "File specification to use for this interface"; } leaf collector { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } description "Collector PIC to be used for flow manipulation"; } } // grouping input_intf_to_cpic_map_type grouping interface_type { description "Physical interface"; leaf name { type string; } uses apply-advanced; choice queue-statistics-choice { leaf queue-statistics { type empty; status deprecated; description "Enable queue statistics collection"; } leaf no-queue-statistics { type empty; status deprecated; description "Don't enable queue statistics collection"; } } // choice queue-statistics-choice choice traffic-statistics-choice { leaf traffic-statistics { type empty; status deprecated; description "Enable traffic statistics collection"; } leaf no-traffic-statistics { type empty; status deprecated; description "Don't enable traffic statistics collection"; } } // choice traffic-statistics-choice leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "binded resource-profile in not configured"; type string { length "1 .. 64"; } description "Resouce profile name"; } } // grouping interface_type grouping ipr_profile_object { leaf name { type string { length "1 .. 32"; } description "IP-reassembly profile name"; } uses apply-advanced; leaf timeout { type union { type string { pattern "<.*>|$.*"; } type int32 { range "2 .. 60"; } } description "IP-reassembly timeout value"; } leaf max-reassembly-pending-packets { type union { type string { pattern "<.*>|$.*"; } type int32 { range "100 .. 
100000"; } } description "IP-reassembly pending packets"; } } // grouping ipr_profile_object

  // One IP-reassembly rule: a name restricted to letters, digits, '-' and '_'
  // (1 .. 63 characters, starting with a letter or digit) and a match
  // direction whose only enumerated value is "input".
  grouping ipr_rule_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf match-direction {
      type enumeration {
        enum "input" {
          value 0;
          description "Match on input to interface";
        }
      }
      description "Direction for which the rule match is applied";
    }
  } // grouping ipr_rule_object

  // Connection details for the JIMS web server used for validate / group-query
  // requests: address, OAuth2 client credentials and port.
  // NOTE(review): client-secret is declared as an ordinary length-bounded
  // string; nothing in this grouping marks it as a secret or encrypted value.
  // Confirm how the device stores and displays it, and treat configuration
  // exports that include this leaf as sensitive.
  // NOTE(review): no transport (http/https) leaf appears in this grouping and
  // the port defaults to 591; how the OAuth2 exchange is protected in transit
  // cannot be determined from here.
  grouping jims-validator-type {
    description "Web server from JIMS for Validate or group query request";
    uses apply-advanced;
    // Free-form string (1 .. 128); the schema does not check that it is a
    // well-formed IP address or hostname.
    leaf address {
      type string {
        length "1 .. 128";
      }
      description "IP address or hostname of web server";
    }
    leaf client-id {
      type string {
        length "1 .. 64";
      }
      description "Client ID for OAuth2 grant";
    }
    leaf client-secret {
      type string {
        length "1 .. 128";
      }
      description "Client secret for OAuth2 grant";
    }
    leaf port {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 65535";
        }
      }
      default "591";
      description "Web server port";
    }
  } // grouping jims-validator-type

  // Trace options described as "Fsad trace options" (the grouping continues
  // past this point in the listing).
  grouping juniper-pic-services-logging-options {
    uses apply-advanced;
    container traceoptions {
      description "Fsad trace options";
      uses apply-advanced;
      leaf no-remote-trace {
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        // Per the pattern-message, the name may not contain '/', '%' or a
        // space, so a trace file name cannot carry a directory component.
        leaf filename {
          type string {
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        leaf size {
          type string;
          description "Maximum trace file size";
        }
        leaf files {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "init" { value 0; description "Trace initialization events"; } enum "bookkeeping" { value 1; description "Trace bookkeeping events"; } enum "connections" { value 2; description "Trace connection-specific events"; } enum "charging" { value 3; description "Trace charging-specific events"; } enum "flow-collector" { value 4; description "Trace flow collector specific events"; } enum "all" { value 5; description "Trace everything"; } } } } // list flag } // container traceoptions } // grouping juniper-pic-services-logging-options grouping juniper-services-captive-portal { junos:must "(("services captive-portal secure-authentication" || "system services web-management http"))"; junos:must-message "HTTP web service should be enabled"; uses apply-advanced; leaf authentication-profile-name { junos:must "("access profile $$")"; junos:must-message "Access profile name must be defined in the [edit access profile] hierarchy"; type string { length "1 .. 63"; } description "Access profile name to use for authentication"; } container traceoptions { status deprecated; description "Trace options for CAPTIVE PORTAL"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "dot1x-debug" { junos:must "(!("services captive-portal traceoptions flag dot1x-event"))"; junos:must-message "Can not configure dot1x-event with dot1x-debug flag"; value 0; description "Trace dot1x events"; } enum "parse" { value 1; description "Trace configuration parsing"; } enum "esw-if" { junos:must "(!("services captive-portal traceoptions flag dot1x-ipc"))"; junos:must-message "Can not configure dot1x-ipc with esw-if flag"; value 2; description "Trace ESW Interactions"; } enum "config-internal" { value 3; description "Trace configuration internals"; } enum "normal" { value 4; description "Trace normal events"; } enum "general" { value 5; description "Trace general events"; } enum "state" { value 6; description "Trace state transitions"; } enum "task" { value 7; description "Trace task processing"; } enum "timer" { value 8; description "Trace task timer processing"; } enum "all" { value 9; description "Trace everything"; } enum "dot1x-ipc" { value 10; description "Trace dot1x IPC interactions"; } enum "dot1x-event" { value 11; description "Trace dot1x events"; } } } leaf disable { type empty; 
description "Disable this trace flag"; } } // list flag
    } // container traceoptions

    // Per-interface captive-portal settings. Going by the must-messages, the
    // constraints on the key reject an interface when phone-home is configured,
    // when the HTTP web-management service is not enabled, when no-mac-learning
    // applies to it, when a dot1x supplicant is configured on it, or when it
    // is in trunk mode.
    // NOTE(review): the double quotes nested inside the junos:must arguments
    // are unescaped as printed here; reproduced as-is.
    list interface {
      key "name";
      description "Captive Portal interface specific options";
      leaf name {
        junos:must "(!("system phone-home"))";
        junos:must-message "Can't configure captive-portal along with Phone-home. Delete phone-home config to enable captive-portal";
        junos:must "("system services web-management http")";
        junos:must-message "HTTP web service should be enabled";
        junos:must "((!("switch-options no-mac-learning") || (!(".. .. .. .. .. switch-options no-mac-learning") || !(any ".. .. .. .. .. bridge-domains <*> bridge-options no-mac-learning interface $$-IFL"))))";
        junos:must-message "Cannot configure captive-portal on this interface since no-mac-learning is enabled on the same interface";
        junos:must "(!("protocols dot1x supplicant interface ${interface}"))";
        junos:must-message "Must not configure supplicant and captive-portal on same interface";
        junos:must "(!("interfaces $$-IFL family bridge interface-mode trunk"))";
        junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk";
        junos:must "(!("interfaces $$-IFL family ethernet-switching interface-mode trunk"))";
        junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk";
        junos:must "(!("interfaces $$-IFL family ethernet-switching port-mode trunk"))";
        junos:must-message "Cannot configure captive-portal on this interface since the port-mode is defined as trunk";
        type string;
      }
      uses apply-advanced;
      // Per the enum descriptions, "single" admits multiple clients while
      // authenticating only the first one; "single-secure" and "multiple" are
      // the values under which every admitted client is authenticated.
      // No default statement is given for this leaf here.
      leaf supplicant {
        type enumeration {
          enum "single" {
            value 0;
            description "Allow multiple clients; authenticate first client only";
          }
          enum "single-secure" {
            value 1;
            description "Allow and authenticate only a single client";
          }
          enum "multiple" {
            value 2;
            description "Allow multiple clients; authenticate each individually";
          }
        }
        description "Set supplicant mode for this interface";
      }
      // Failed-authentication handling: retries (1 .. 10) before the port is
      // placed into wait state, and quiet-period as the wait after a failure.
      // quiet-period accepts 0, so the schema permits configuring no delay
      // after a failed attempt. None of the timers below declares a default.
      leaf retries {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 10";
          }
        }
        description "Number of retries after which port is placed into wait state";
      }
      leaf quiet-period {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "0 .. 65535";
          }
        }
        units "seconds";
        description "Time to wait after an authentication failure";
      }
      leaf server-timeout {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 60";
          }
        }
        units "seconds";
        description "Authentication server timeout interval";
      }
      leaf session-expiry {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 65535";
          }
        }
        units "seconds";
        description "Session Expiry Timeout";
      }
      // Note the unit: minutes, unlike the other timers in this list.
      leaf user-keepalive {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "7 .. 65535";
          }
        }
        units "minutes";
        description "Session keepalive after mac-flush";
      }
    } // list interface

    // Transport for the captive-portal login. The declared default is "http",
    // which the enum description itself calls insecure (username and password
    // can be sniffed), so HTTPS has to be selected explicitly.
    // The must expression on "https" requires both the http and the https
    // web-management services, i.e. choosing https does not remove the
    // requirement for the plain-HTTP service to be enabled.
    leaf secure-authentication {
      type enumeration {
        enum "http" {
          junos:must "("system services web-management http")";
          junos:must-message "HTTP web service should be enabled";
          value 0;
          description "Insecure plain-text HTTP will be used for Captive Portal authentication, username and password can be sniffed";
        }
        enum "https" {
          junos:must "(("system services web-management http" && "system services web-management https"))";
          junos:must-message "HTTP and HTTPS web services should be enabled";
          value 1;
          description "Encrypted HTTPS will be used for Captive Portal authentication";
        }
      }
      default "http";
      description "Set secure authentication using encrypted HTTPS or insecure authentication using plain-text HTTP";
    }

    // Look-and-feel options for the captive-portal login page (the container
    // continues past this point in the listing).
    container custom-options {
      presence "enable custom-options";
      description "Captive Portal html user interface customization options";
      uses apply-advanced;
      // NOTE(review): as printed, the '.' before the extension group is not
      // escaped, so it matches any character rather than a literal dot; an
      // escaping backslash may have been lost in this rendering -- confirm
      // against the vendor module. The pattern only checks how the value
      // ends; it does not restrict the path portion.
      leaf header-logo {
        type string {
          junos:posix-pattern "^.+.((jpg)|(gif)|(jpeg)|(png))$";
          junos:pattern-message "Only jpg, jpeg, gif, png image types allowed";
          length "1 .. 
255"; } description "Path to logo image file"; } leaf header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html header in hex html format"; } leaf header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the html header in hex html format"; } leaf header-message { type string { length "1 .. 2047"; } description "Message to be displayed in the html header"; } leaf banner-message { type string { length "1 .. 2047"; } description "Terms and Conditions of usage message"; } leaf form-header-message { type string { length "1 .. 255"; } description "Message to be displayed in the login form header"; } leaf form-header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the login form header in hex html format"; } leaf form-header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the login form header in hex html format"; } leaf form-submit-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form submit button"; } leaf form-reset-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form reset button"; } leaf footer-message { type string { length "1 .. 
2047"; } description "Message to be displayed in the html footer"; } leaf footer-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html footer in hex html format"; } leaf footer-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the footer in hex html format"; } leaf post-authentication-url { type string { length "1 .. 255"; } description "Post authentication redirection URL"; } } // container custom-options } // grouping juniper-services-captive-portal grouping l2tp_access_line_object { uses apply-advanced; leaf connection-speed-update { type empty; description "Support connection speed updates"; } } // grouping l2tp_access_line_object grouping l2tp_destination_object { uses apply-advanced; leaf lockout-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 
3600"; } } default "300"; description "The lockout timeout in seconds"; } list lockout-result-code { key "name"; ordered-by user; description "The lockout result code"; leaf name { type enumeration { enum "1" { value 0; description "Clear control connection or Loss of carrier"; } enum "2" { value 1; description "Reason indicated in error code"; } enum "3" { value 2; description "Control Channel exists or Administrator reasons"; } enum "4" { value 3; description "Unauthorized for channel or Temporary facilities unavailable"; } enum "5" { value 4; description "Version unsupported or Permanent facilities unavailable"; } enum "6" { value 5; description "Requester shut down or Invalid destination"; } enum "7" { value 6; description "FSM error or No carrier detected"; } enum "8" { value 7; description "Busy signal"; } enum "9" { value 8; description "Lack of dial tone"; } enum "10" { value 9; description "Unable to established within time"; } enum "11" { value 10; description "No framing was detected"; } } description "The lockout result code"; } uses apply-advanced; list error-code { key "name"; ordered-by user; description "The lockout error code"; leaf name { type enumeration { enum "1" { value 0; description "No control connection"; } enum "2" { value 1; description "Length is wrong"; } enum "3" { value 2; description "Field value out of order or Reserved field non-zero"; } enum "4" { value 3; description "Insufficient resources"; } enum "5" { value 4; description "The Session ID is invalid"; } enum "6" { value 5; description "Vendor-specific error"; } enum "7" { value 6; description "Try another LNS destination"; } enum "8" { value 7; description "Session or tunnel was shutdown"; } } description "The lockout error code"; } uses apply-advanced; } // list error-code } // list lockout-result-code list address { key "name"; ordered-by user; leaf name { type jt:ipv4addr; description "Address of remote system"; } container access-line-information { presence "enable 
access-line-information"; description "Enable sending access-line attributes"; uses apply-advanced; leaf connection-speed-update { type empty; description "Support connection speed updates"; } } // container access-line-information list routing-instance { junos:must "(!(".. drain"))"; junos:must-message "Multiple times drain is not allowed"; key "name"; ordered-by user; description "Routing instance in which destination exists"; leaf name { type string { junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{129,}))$"; junos:pattern-message "Must be a string of 128 characters or less with no spaces."; } description "Routing instance in which destination exists"; } leaf drain { type empty; description "Prevents creation of tunnels and sessions at destination"; } } // list routing-instance leaf drain { type empty; description "Prevents creation of tunnels and sessions at destination"; } } // list address list name { key "name"; ordered-by user; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Locally assigned name of the destination"; } leaf drain { type empty; description "Prevents tunnels and sessions at destination"; } } // list name } // grouping l2tp_destination_object grouping l2tp_interface_traceoptions { leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } description "Name of Layer 2 Tunneling Protocol service interface"; } uses apply-advanced; list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "ipc" { value 0; description "Trace L2TP IPC messages between PIC and Routing Engine"; } enum "protocol" { value 1; description "Trace L2TP, PPP, and multilink handling"; } enum "packet-dump" { value 2; description "Dump each packet content based on debug level"; } enum "system" { value 3; description "Trace packet processing on the PIC"; } enum "all" { value 4; description "Trace everything"; } } } } // list flag leaf debug-level { type enumeration { enum "error" { value 0; description "Errors"; } enum "detail" { value 1; description "Detailed debug information"; } enum "extensive" { value 2; description "All PIC debug information"; } } default "error"; description "Trace level for PIC"; } } // grouping l2tp_interface_traceoptions grouping l2tp_tunnel_group_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of Layer 2 Tunneling Protocol profile"; } uses apply-advanced; leaf l2tp-access-profile { junos:must "("access profile $$")"; junos:must-message "referenced access profile must be defined"; type string { length "1 .. 63"; } description "Tunnel profile name"; } leaf ppp-access-profile { junos:must "("access profile $$")"; junos:must-message "referenced access profile must be defined"; type string { length "1 .. 
63"; } description "User profile name"; } leaf aaa-access-profile { junos:must "("access profile $$")"; junos:must-message "referenced access profile must be defined"; type string { length "1 .. 63"; } description "AAA profile name"; } leaf receive-window { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "bytes"; default "16"; description "Maximum receive window size"; } leaf maximum-send-window { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "bytes"; default "32"; description "Limits the other end receive window size"; } leaf retransmit-interval { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "seconds"; default "30"; description "Retransmit interval"; } leaf hello-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 3600"; } } units "seconds"; default "60"; description "Hello interval for tunnel keepalive"; } leaf hide-avps { type empty; description "Hide L2TP AVPs"; } leaf no-tos-reflect { type empty; description "Disable ToS bit reflect onto outer L2TP header"; } leaf tos-reflect { type empty; description "Enable ToS bit reflect onto outer L2TP header"; } leaf tunnel-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "seconds"; default "120"; description "Time to tear down tunnel when a connection is lost"; } container local-gateway { presence "enable local-gateway"; uses apply-advanced; leaf address { type jt:ipv4addr; description "L2TP network server IP address"; } leaf gateway-name { type string; description "L2TP network server name for use with remote host"; } } // container local-gateway choice anchor-points { leaf service-interface { junos:must "(!(any "interfaces <*> aggregated-inline-services-options secondary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; junos:must "(!(any "interfaces <*> aggregated-inline-services-options primary-interface $$"))"; 
junos:must-message "must not be defined under asiX aggregated-inline-services-options"; type string; description "Services interface to use"; } leaf service-device-pool { junos:must "(".. dynamic-profile")"; junos:must-message "This knob can be used only with dynamic-profile"; junos:must "("services service-device-pools pool $$")"; junos:must-message "referenced service device pool must be defined"; type string { length "1 .. 63"; } description "Service interface pool name to use"; } } // choice anchor-points leaf dynamic-profile { junos:must "("dynamic-profiles $$")"; junos:must-message "referenced dynamic profile must be defined"; type string { length "1 .. 80"; } description " dynamic profile for interface to use"; } leaf tunnel-switch-profile { junos:must "(".. dynamic-profile")"; junos:must-message "dynamic profile must be configured with tunnel switch profile"; junos:must "("access tunnel-switch-profile $$")"; junos:must-message "Referenced tunnel switch profile must be defined"; type string { length "1 .. 
63"; } description "Tunnel switch profile name"; } container syslog { description "Define system logging parameters"; uses log-object; } // container syslog leaf maximum-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of sessions per tunnel-group"; } leaf service-profile { type string; description "Dynamic service profile(s) to be applied to this session"; } } // grouping l2tp_tunnel_group_object grouping li_policy_addr6_simple_object { uses apply-advanced; leaf address { type jt:ipv6prefix; description "Prefix to match"; } } // grouping li_policy_addr6_simple_object grouping li_policy_addr_simple_object { uses apply-advanced; leaf address { type jt:ipv4prefix; description "Prefix to match"; } } // grouping li_policy_addr_simple_object grouping log-object { description "Configure security log"; uses apply-advanced; list exclude { key "name"; ordered-by user; status deprecated; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description 
"Username filter"; } } // list exclude leaf limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; status deprecated; description "Limit number of security log entries to keep in memory"; } container cache { presence "enable cache"; description "Cache security log events in the audit log buffer"; uses apply-advanced; list exclude { junos:must "(!(".. .. exclude"))"; junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive"; key "name"; ordered-by user; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { junos:must "(!(".. .. 
limit"))"; junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive"; type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Limit number of security log entries to keep in memory"; } } // container cache list host { key "name"; max-elements 10; ordered-by user; leaf name { type string { junos:posix-pattern "^[[:alnum:]:._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes, colons or underscores"; } description "Name of host to notify"; } uses apply-advanced; list contents { key "name"; leaf name { type enumeration { enum "services" { value 0; description "Adaptive Services PIC"; } } description "Facility type"; } choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf none { type empty; description "No messages"; } } // choice level } // list contents leaf facility-override { type enumeration { enum "authorization" { value 0; description "Authorization system"; } enum "daemon" { value 1; description "Various system processes"; } enum "ftp" { value 2; description "FTP process"; } enum "kernel" { value 3; description "Kernel"; } enum "user" { value 4; description "User processes"; } enum "local0" { value 5; description "Local logging option number 0"; } enum "local1" { value 6; description "Local logging option number 1"; } enum "local2" { value 7; description "Local logging option number 2"; } enum "local3" { value 8; description "Local logging option number 3"; } enum 
"local4" { value 9; description "Local logging option number 4"; } enum "local5" { value 10; description "Local logging option number 5"; } enum "local6" { value 11; description "Local logging option number 6"; } enum "local7" { value 12; description "Local logging option number 7"; } } description "Alternate facility for logging to remote host"; } leaf log-prefix { type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Prefix for all logging to this host"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "UDP port for syslogd on the host"; } container class { description "Syslog messages classes"; uses apply-advanced; container session-logs { presence "enable session-logs"; description "Allow syslog messages for session events"; uses apply-advanced; container open { presence "enable open"; description "Allow syslog messages for session open events"; } // container open container close { presence "enable close"; description "Allow syslog messages for session close events"; } // container close } // container session-logs container packet-logs { presence "enable packet-logs"; description "Allow syslog messages for packet related events"; } // container packet-logs container stateful-firewall-logs { presence "enable stateful-firewall-logs"; description "Allow syslog messages for stateful firewall events"; } // container stateful-firewall-logs container alg-logs { presence "enable alg-logs"; description "Allow syslog messages for ALG events"; } // container alg-logs container nat-logs { presence "enable nat-logs"; description "Allow syslog messages for NAT events"; uses apply-advanced; container deterministic-nat-configuration-log { presence "enable deterministic-nat-configuration-log"; description "Allow syslog messages for Determinisitic NAT config events"; } // container deterministic-nat-configuration-log } // container 
nat-logs container ids-logs { presence "enable ids-logs"; description "Allow syslog messages for IDS events"; } // container ids-logs container pcp-logs { presence "enable pcp-logs"; description "PCP logs"; container map { presence "enable map"; description "Allow syslog messages for PCP"; } // container map container debug { presence "enable debug"; description "Allow PCP debug syslogs"; } // container debug } // container pcp-logs container ha-logs { description "Stateful high availability logs"; uses apply-advanced; container open-synchronized { presence "enable open-synchronized"; description "Allow syslog message for session open events"; } // container open-synchronized container close-synchronized { presence "enable close-synchronized"; description "Allow syslog message for session close events"; } // container close-synchronized } // container ha-logs container urlf-logs { presence "enable urlf-logs"; description "Allow syslog messages for URLF events"; } // container urlf-logs } // container class leaf source-address { type jt:ipv4addr; description "Use specified address as source address"; } container tcp-log { presence "enable tcp-log"; description "Enable tcp log for this service-set"; uses apply-advanced; leaf source-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address must not be configured under host when tcp-log is configured"; type jt:ipaddr; description "Source address for tcp logging"; } leaf vrf-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string; description "Routing instance name for tcp logging"; } leaf ssl-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "referenced ssl profile must be defined"; type string { length "1 .. 
63"; } description "SSL profile name for tcp logging"; } } // container tcp-log } // list host leaf message-rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } } units "messages per second"; description "Maximum syslog messages per second allowed from this interface. Applies per member if set at aggregate level"; } leaf disable { type empty; description "Disable security logging for the device"; } leaf utc-timestamp { type empty; description "Use UTC time for security log timestamps"; } leaf mode { type enumeration { enum "stream" { value 0; description "Process security logs directly in the forwarding plane"; } enum "event" { value 1; description "Process security logs in the control plane"; } enum "stream-event" { value 2; description "Process security logs in both forwarding plane and control plane"; } } description "Controls how security logs are processed and exported"; } leaf event-rate { junos:must "(("security log mode event" || ("services service-set ${service-set} syslog mode event" || ("security log mode stream-event" || "services service-set ${service-set} syslog mode stream-event"))))"; junos:must-message "To configure event-rate, security log must be in event or stream-event mode"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1500"; } } units "logs per second"; description "Control plane event rate"; } leaf format { type enumeration { enum "syslog" { value 0; description "Traditional syslog"; } enum "sd-syslog" { value 1; description "Structured syslog"; } enum "binary" { value 2; description "Binary log"; } } description "Set security log format for the device"; } leaf escape { type empty; description "Enable escape defined by RFC5424 for the sd and binary format logs"; } container time-format { description "Configure year or millisecond for syslog"; uses time-format-object; } // container time-format leaf rate-cap { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 5000"; } } units "logs per second"; description "Data plane event rate"; } leaf max-database-record { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "0"; description "Maximum records in database"; } container report { presence "enable report"; description "Set security log report settings"; uses apply-advanced; container logs-per-table { presence "enable logs-per-table"; description "Log number per table in database"; uses apply-advanced; leaf session-all { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of session"; } leaf screen { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of screen"; } leaf idp { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of idp"; } leaf utm { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of utm"; } leaf ipsec-vpn { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of ipsec-vpn"; } leaf sky { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log number of sky"; } } // container logs-per-table leaf table-lifetime { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
365"; } } default "90"; description "Table lifetime day(s)"; } container table-mode { presence "enable table-mode"; description "Report table mode"; uses apply-advanced; leaf dense { type empty; description "Applicable when massive log and long duration"; } } // container table-mode container database-filter { presence "enable database-filter"; description "Check the logs whether should be inserted into database"; uses apply-advanced; list event-category { key "name"; ordered-by user; description "Filter by event-category"; leaf name { type enumeration { enum "session" { value 0; description "Session log"; } enum "screen" { value 1; description "Screen log"; } enum "idp" { value 2; description "IDP log"; } enum "webfilter" { value 3; description "Webfilter log"; } enum "content-filter" { value 4; description "Content-filter log"; } enum "anti-virus" { value 5; description "Antivirus log"; } enum "anti-spam" { value 6; description "Anti-spam log"; } enum "ipsec" { value 7; description "IPsec VPN log"; } enum "sky" { value 8; description "Sky ATP log"; } enum "secintel" { value 9; description "Secintel log"; } enum "icap" { value 10; description "ICAP log"; } enum "ssl-proxy" { value 11; description "SSL proxy log"; } enum "dnsf" { value 12; description "DNSF log"; } enum "session-create" { value 13; description "Session create log"; } enum "session-close" { value 14; description "Session close log"; } enum "session-deny" { value 15; description "Session deny log"; } } description "Name"; } uses apply-advanced; } // list event-category leaf exclude { type empty; description "Exclude the logs"; } } // container database-filter } // container report choice source { leaf source-address { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure source address, mode must be stream or stream-event"; type jt:ipaddr; description "Source ip address used when exporting security logs"; } leaf source-interface { junos:must 
"(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure source interface, mode must be stream or stream-event"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Source interface used when exporting security logs"; } } // choice source container transport { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure transport info, mode must be stream or stream-event"; presence "enable transport"; description "Set security log transport settings"; uses apply-advanced; leaf tcp-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } description "Set tcp connection number per-stream"; } leaf protocol { type enumeration { enum "udp" { value 0; description "UDP transfer for log"; } enum "tcp" { value 1; description "TCP transfer for log"; } enum "tls" { value 2; description "TLS transfer for log"; } } description "Set security log transport protocol for the device"; } leaf tls-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "SSl profile must be defined under [services ssl initiation profile]"; type string; description "TLS profile"; } } // container transport leaf facility-override { type enumeration { enum "authorization" { value 0; description "Authorization system"; } enum "daemon" { value 1; description "Various system processes"; } enum "ftp" { value 2; description "FTP process"; } enum "kernel" { value 3; description "Kernel"; } enum "user" { value 4; description "User processes"; } enum "local0" { value 5; description "Local logging option number 0"; } enum "local1" { value 6; description "Local logging option number 1"; } enum "local2" { value 7; description "Local logging option number 2"; } enum "local3" { value 8; description "Local logging option number 3"; } enum "local4" { value 9; description "Local logging option number 4"; } enum "local5" { value 10; 
description "Local logging option number 5"; } enum "local6" { value 11; description "Local logging option number 6"; } enum "local7" { value 12; description "Local logging option number 7"; } } description "Alternate facility for logging to remote host"; } leaf local-log-tag { junos:must "(!("services service-set ${service-set} syslog mode stream"))"; junos:must-message "To configure local-log-tag, mode must be event or stream-event"; type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Tag included in logs"; } list local-category { junos:must "(!("services service-set ${service-set} syslog mode stream"))"; junos:must-message "To configure local-category, mode must be event or stream-event"; key "name"; ordered-by user; description "Selects the type of events that may be logged locally"; leaf name { type enumeration { enum "all" { value 0; description "All events are logged"; } enum "content-security" { value 1; description "Content security events are logged"; } enum "fw-auth" { value 2; description "Fw-auth events are logged"; } enum "screen" { value 3; description "Screen events are logged"; } enum "alg" { value 4; description "Alg events are logged"; } enum "nat" { value 5; description "Nat events are logged"; } enum "flow" { value 6; description "Flow events are logged"; } enum "sctp" { value 7; description "Sctp events are logged"; } enum "gtp" { value 8; description "Gtp events are logged"; } enum "ipsec" { value 9; description "Ipsec events are logged"; } enum "idp" { value 10; description "Idp events are logged"; } enum "rtlog" { value 11; description "Rtlog events are logged"; } enum "pst-ds-lite" { value 12; description "Pst-ds-lite events are logged"; } enum "appqos" { value 13; description "Appqos events are logged"; } enum "secintel" { value 14; description "Secintel events are logged"; } enum "aamw" { value 15; description "AAMW events are logged"; } enum "sfw" { value 
16; description "Stateful Firewall events are logged"; } enum "session" { value 17; description "Session open and close events are logged"; } enum "session-open" { value 18; description "Session open events are logged"; } enum "session-close" { value 19; description "Session close events are logged"; } enum "urlf" { value 20; description "URLF events are logged"; } enum "ha" { value 21; description "Stateful High-Availability open and close events are logged"; } enum "ha-open" { value 22; description "Stateful High-Availability open events are logged"; } enum "ha-close" { value 23; description "Stateful High-Availability close events are logged"; } enum "pcp" { value 24; description "PCP logs"; } enum "dnsf" { value 25; description "DNSF"; } } } uses apply-advanced; } // list local-category leaf root-streaming { type empty; description "Logs will be streamed from the Root LSYS"; } list stream { junos:must "(!("services service-set ${service-set} syslog mode event"))"; junos:must-message "To configure stream, mode must be stream or stream-event"; key "name"; max-elements 8; ordered-by user; description "Set security log stream settings"; leaf name { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes and underscores"; length "1 .. 
63"; } description "Name of security log stream"; } uses apply-advanced; leaf severity { type enumeration { enum "emergency" { value 0; description "Conditions that cause security functions to stop"; } enum "alert" { value 1; description "Conditions that require immediate attention"; } enum "critical" { value 2; description "Critical conditions"; } enum "error" { value 3; description "General error conditions"; } enum "warning" { value 4; description "General warning conditions"; } enum "notice" { value 5; description "Non-error conditions that are of interest"; } enum "info" { value 6; description "Information about normal security operations"; } enum "debug" { value 7; description "Information normally used in debugging"; } } description "Severity threshold for security logs"; } leaf format { type enumeration { enum "syslog" { value 0; description "Traditional syslog"; } enum "sd-syslog" { value 1; description "Structured syslog"; } enum "welf" { value 2; description "Web Trends Extended Log Format"; } enum "binary" { value 3; description "Binary log"; } } description "Specify the log stream format"; } list category { junos:must "(!("security log stream ${stream} filter"))"; junos:must-message "Category is exclusive with filter"; key "name"; ordered-by user; description "Selects the type of events that may be logged"; leaf name { type enumeration { enum "all" { value 0; description "All events are logged"; } enum "content-security" { value 1; description "Content security events are logged"; } enum "fw-auth" { value 2; description "Fw-auth events are logged"; } enum "screen" { value 3; description "Screen events are logged"; } enum "alg" { value 4; description "Alg events are logged"; } enum "nat" { value 5; description "Nat events are logged"; } enum "flow" { value 6; description "Flow events are logged"; } enum "sctp" { value 7; description "Sctp events are logged"; } enum "gtp" { value 8; description "Gtp events are logged"; } enum "ipsec" { value 9; 
description "Ipsec events are logged"; } enum "idp" { value 10; description "Idp events are logged"; } enum "rtlog" { value 11; description "Rtlog events are logged"; } enum "pst-ds-lite" { value 12; description "Pst-ds-lite events are logged"; } enum "appqos" { value 13; description "Appqos events are logged"; } enum "secintel" { value 14; description "Secintel events are logged"; } enum "aamw" { value 15; description "AAMW events are logged"; } enum "sfw" { value 16; description "Stateful Firewall events are logged"; } enum "session" { value 17; description "Session open and close events are logged"; } enum "session-open" { value 18; description "Session open events are logged"; } enum "session-close" { value 19; description "Session close events are logged"; } enum "urlf" { value 20; description "URLF events are logged"; } enum "ha" { value 21; description "Stateful High-Availability open and close events are logged"; } enum "ha-open" { value 22; description "Stateful High-Availability open events are logged"; } enum "ha-close" { value 23; description "Stateful High-Availability close events are logged"; } enum "pcp" { value 24; description "PCP logs"; } enum "dnsf" { value 25; description "DNSF"; } } } uses apply-advanced; } // list category list filter { junos:must "(!("security log stream ${stream} category"))"; junos:must-message "filter is exclusive with category"; key "name"; ordered-by user; description "Selects the filter to filter the logs to be logged"; leaf name { type enumeration { enum "threat-attack" { value 0; description "Threat-attack security events are logged"; } } } uses apply-advanced; } // list filter container host { junos:must "(!("security log stream ${stream} file"))"; junos:must-message "host is exclusive with file"; junos:must "(("security log source-address" || ("security log source-interface" || ("security log stream ${stream} source-address" || ("services service-set ${service-set} syslog source-interface" || ("services service-set 
${service-set} syslog source-address" || "services service-set ${service-set} syslog stream ${stream} source-address"))))))"; junos:must-message "To configure host stream, security log source-address/source-interface must be configured"; description "Destination to send security logs to"; uses host-object; } // container host container rate-limit { description "Rate-limit for security logs"; uses apply-advanced; leaf rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "logs per second"; description "Log rate"; } } // container rate-limit container file { junos:must "(!("security log stream ${stream} host"))"; junos:must-message "file is exclusive with host"; description "Security log file options for logs in local file"; uses apply-advanced; leaf localfilename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 256"; } description "Name of local log file"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum size of local log file in megabytes"; } leaf rotation { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10"; description "Maximum number of rotate files"; } leaf allow-duplicates { type empty; description "To disable log consolidation"; } } // container file container transport { presence "enable transport"; description "Set security log transport settings"; uses apply-advanced; leaf tcp-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
5"; } } description "Set tcp connection number per-stream"; }
    // Transport used to export this stream's logs. Of the three values only
    // "tls" names an encrypted transport. No `default` is declared here, so the
    // protocol in effect when the leaf is unset is decided outside this schema
    // -- TODO confirm.
    leaf protocol {
      type enumeration {
        enum "udp" { value 0; description "UDP transfer for log"; }
        enum "tcp" { value 1; description "TCP transfer for log"; }
        enum "tls" { value 2; description "TLS transfer for log"; }
      }
      description "Set security log transport protocol for the device";
    }
    // Name of the SSL initiation profile used for TLS export. The constraint
    // below only requires that the named profile exists under
    // [services ssl initiation profile].
    // NOTE(review): nothing in this container ties tls-profile to
    // `protocol tls` (required with tls, rejected with udp/tcp); confirm that
    // pairing is enforced elsewhere, otherwise a stream can be set to "tls"
    // without a profile.
    leaf tls-profile {
      junos:must "("services ssl initiation profile $$")";
      junos:must-message "SSL profile must be defined under [services ssl initiation profile]";
      type string;
      description "TLS profile";
    }
  } // container transport
  // Timestamp options; the body comes from grouping time-format-object.
  container time-format {
    description "Configure year or millisecond for syslog";
    uses time-format-object;
  } // container time-format
  // Per-stream source IP address for exported logs.
  leaf source-address {
    type jt:ipaddr;
    description "Source ip address used when exporting security logs";
  }
} // list stream
// File options for binary/protobuf security logs.
container file {
  description "Security log file options for logs in binary/protobuf format";
  uses apply-advanced;
  // NOTE(review): unlike the per-stream `localfilename` leaf and the
  // traceoptions `filename` leaf in this module, which both reject '/', '%'
  // and space, this leaf is limited only by length. Together with the free-form
  // `path` leaf below, the schema places no restriction on where the log file
  // lands; confirm the logging daemon confines the resulting location.
  leaf filename {
    type string { length "1 .. 256"; }
    description "Name of log file";
  }
  // Maximum file size: 1 to 10 megabytes, or the string form of the union.
  leaf size {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1 .. 10"; }
    }
    description "Maximum size of log file in megabytes";
  }
  // Directory for the log files; length-limited only (see the note on
  // `filename`).
  leaf path {
    type string { length "1 .. 256"; }
    description "Path to log files";
  }
  // Number of log files to keep; the statement continues on the next line.
  leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
10"; } } description "Maximum number of log files"; }
} // container file
// Settings inherited from other configuration hierarchies.
container apply {
  description "Apply settings from other features";
  uses apply-advanced;
  // Flag leaf (type empty). The constraint requires
  // [class-of-service host-outbound-traffic dscp-code-point] to be configured.
  leaf dscp-code-point {
    junos:must "("class-of-service host-outbound-traffic dscp-code-point")";
    junos:must-message "class-of-service host-outbound-traffic dscp-code-point must be defined";
    type empty;
    description "Apply setting class-of-service host-outbound-traffic dscp-code-point";
  }
} // container apply
// Trace (debug) options for the security log daemon.
container traceoptions {
  description "Security log daemon trace options";
  uses apply-advanced;
  // Flag leaf; only valid when [system tracing] is configured.
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  container file {
    description "Trace file information";
    // Bare file name, 1 to 1024 characters. Per the pattern message, '/', '%'
    // and space are rejected, so the value cannot carry a directory component.
    leaf filename {
      type string {
        junos:posix-pattern "![/ %]";
        junos:pattern-message "Must not contain '/', % or a space";
        length "1 .. 1024";
      }
      description "Name of file in which to write trace information";
    }
    // NOTE(review): declared as an unconstrained string, so the schema applies
    // no numeric range or unit check to the size; confirm it is validated at
    // commit time.
    leaf size {
      type string;
      description "Maximum trace file size";
    }
    // Number of trace files to keep; the statement continues on the next line.
    leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; }
    // Read permission on the trace file. The two leaves are cases of one
    // choice, so at most one can be set. No default is declared in this schema.
    // NOTE(review): trace output of a security log daemon can expose event
    // detail to every local user when world-readable is set; confirm which
    // behaviour applies when neither leaf is configured.
    choice world-readable-choice {
      leaf world-readable {
        type empty;
        description "Allow any user to read the log file";
      }
      leaf no-world-readable {
        type empty;
        description "Don't allow any user to read the log file";
      }
    } // choice world-readable-choice
    // Only lines matching this regular expression are written to the trace.
    leaf match {
      type jt:regular-expression;
      description "Regular expression for lines to be logged";
    }
  } // container file
  // Trace categories to enable, keyed by category name.
  list flag {
    key "name";
    ordered-by user;
    description "List of things to include in trace";
    leaf name {
      type enumeration {
        enum "source" { value 0; description "Communication with security log forwarder"; }
        enum "configuration" { value 1; description "Reading of configuration"; }
        enum "all" { value 2; description "Everything"; }
        enum "report" { value 3; description "Trace report"; }
        enum "hpl" { value 4; description "Trace HPL logging"; }
      }
    }
  } // list flag
} // container traceoptions
// Security log profiles: at most 10, kept in user-defined order.
list profile {
  key "name";
  max-elements 10;
  ordered-by user;
  description "Security log profile setting";
  // Profile name, 1 to 63 characters.
  // NOTE(review): the pattern also admits '.', which the pattern message does
  // not mention.
  leaf name {
    type string {
      junos:posix-pattern "^[[:alnum:].-]+$";
      junos:pattern-message "Must be a string consisting of letters, numbers, dashes";
      length "1 .. 63";
    }
    description "Name of security log profile";
  }
  uses apply-advanced;
  // Streams this profile sends to (at most 4). The constraint requires a
  // sibling `category` or `template` to be configured.
  // NOTE(review): the must-message misspells "category" as "cagetory".
  list stream-name {
    junos:must "((".. category" || ".. template"))";
    junos:must-message "To send logs must define cagetory or template";
    key "name";
    max-elements 4;
    ordered-by user;
    description "Use which stream ";
    // Must name a stream that already exists under [security log stream].
    leaf name {
      junos:must "("security log stream $$")";
      junos:must-message "stream must be defined under [security log stream]";
      type string;
      description "Name of the stream";
    }
    uses apply-advanced;
  } // list stream-name
  // Event categories for the profile; the constraint continues on the next line.
  container category { junos:must "(!(" .. 
template"))"; junos:must-message "Cannot configure category and template for the same profile"; presence "enable category"; description "Selects the category of events for the profile"; uses apply-advanced; container session { presence "enable session"; description "Select session category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container session container webfilter { presence "enable webfilter"; description "Select webfilter category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container webfilter container antivirus { 
presence "enable antivirus"; description "Select antivirus category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container antivirus container content-filter { presence "enable content-filter"; description "Select content-filter category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container content-filter container antispam { presence "enable antispam"; description "Select antispam category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; 
leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container antispam container idp { presence "enable idp"; description "Select idp category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container idp container secintel { presence "enable secintel"; description "Select secintel category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { 
value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container secintel container aamw { presence "enable aamw"; description "Select aamw category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container aamw container ssl-proxy { presence "enable ssl-proxy"; description "Select ssl-proxy category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description 
"Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container ssl-proxy container apptrack { presence "enable apptrack"; description "Select apptrack category"; uses apply-advanced; list field-extra-name { key "name"; description "Select the extra Fields, only apply to sd-syslog and syslog formt"; leaf name { type enumeration { enum "sd-id" { value 0; description "Add SD-ID field, only apply to sd-syslog and syslog formt"; } enum "hostname" { value 1; description "Add hostname field, only apply to sd-syslog and syslog formt"; } enum "timestamp" { value 2; description "Add timestamp field, only apply to sd-syslog and syslog formt"; } } description "The name of the extra field"; } uses apply-advanced; } // list field-extra-name list field-name { key "name"; ordered-by user; description "Select the fields by order"; leaf name { type string; description "The name of the field"; } uses apply-advanced; } // list field-name } // container apptrack } // container category container default-profile { presence "enable default-profile"; uses apply-advanced; leaf activate { type empty; description "Set this profile as default profile"; } } // container default-profile container template { junos:must "(!(" .. category"))"; junos:must-message "Cannot configure category and template for the same profile"; presence "enable template"; description "Select the template for the profile"; uses apply-advanced; choice template-id { leaf traditional-firewall { type empty; description "Traditional-firewall"; } leaf unified-ngfw { type empty; description "Unified-ngfw"; } leaf sd-wan { type empty; description "Sd-wan"; } } // choice template-id } // container template } // list profile } // grouping log-object grouping host-object { uses apply-advanced; leaf ipaddr { type string { length "1 .. 
256"; } description "IP address/Host name"; } leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Host port number"; } leaf routing-instance { junos:must "((("security" && "routing-instances $$ instance-type virtual-router") || "services"))"; junos:must-message "Virtual router must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing-instance name"; } leaf log-tag { type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Tag included in logs to this host"; } } // grouping host-object grouping lrf-profile-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of profile"; } uses apply-advanced; leaf policy-based-logging { type empty; description "Set rule based on policy"; } leaf http-log-multiple-transactions { type empty; description "Log http multiple transactions"; } list rule { key "name"; max-elements 32; ordered-by user; description "One or more LRF rules"; uses lrf_rule_object; } // list rule list collector { key "name"; max-elements 8; ordered-by user; description "One or more LRF collectors"; uses lrf_collector_object; } // list collector leaf-list vendor-support { type enumeration { enum "ibm" { value 0; description "IBM supported sub-template"; } } ordered-by user; description "LRF 3rd party vendor support sub-template"; } list template { key "name"; max-elements 16; ordered-by user; description "LRF template"; uses lrf-template-object; } // list template container performance-mode { description "Enable performance mode knob for LRF performance"; uses lrf_perf_object; } // container performance-mode } // grouping 
lrf-profile-object grouping lrf-template-object { leaf name { type string { length "1 .. 32"; } description "Name of template"; } uses apply-advanced; leaf format { type enumeration { enum "ipfix" { value 0; description "IPFIX template"; } } description "Template format"; } leaf-list template-type { type enumeration { enum "ipv4" { value 0; description "IPv4 type"; } enum "ipv4-extended" { value 1; description "IPv4 Extended type"; } enum "ipv6" { value 2; description "IPv6 type"; } enum "ipv6-extended" { value 3; description "IPv6 Extended type"; } enum "transport-layer" { value 4; description "Transport Layer type"; } enum "flow-id" { value 5; description "Flow ID type"; } enum "ipflow" { value 6; description "IPFlow type"; } enum "ipflow-ts" { value 7; description "IPFlow TS type"; } enum "ipflow-extended" { value 8; description "IPFlow Extended type"; } enum "device-data" { value 9; description "Device Data type"; } enum "l7-app" { value 10; description "L7 APP type"; } enum "http" { value 11; description "HTTP type"; } enum "subscriber-data" { value 12; description "Subscriber data type"; } enum "mobile-subscriber" { value 13; description "Mobile subscriber type"; } enum "ifl-subscriber" { value 14; description "IFL based subscriber type"; } enum "wireline-subscriber" { value 15; description "Wireline subscriber type"; } enum "ipflow-tcp-ts" { value 16; description "IPFlow TCP TS type (IBM specific)"; } enum "ipflow-tcp" { value 17; description "IPFlow TCP type"; } enum "video" { value 18; description "Video fields type"; } enum "dns" { value 19; description "DNS fields type"; } enum "status-code-distribution" { value 20; description "Status code distribution for HTTP and DNS"; } enum "pcc" { value 21; description "PCC type"; } } ordered-by user; description "Template type"; } leaf-list trigger-type { type enumeration { enum "session-close" { value 0; description "Session close trigger"; } enum "volume" { value 1; description "Volume trigger"; } enum "time" { 
value 2; description "Time limit trigger"; } } ordered-by user; description "Trigger type"; } leaf template-tx-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 600"; } } units "seconds"; default "60"; description "Template export interval"; } } // grouping lrf-template-object grouping lrf_collector_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of collector"; } uses apply-advanced; container destination { presence "enable destination"; description "Destination collector configuration"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Destination IPv4 address of collector"; } leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Destination port of collector"; } } // container destination leaf source-address { type jt:ipv4addr; description "Source address to be used in the export packets"; } } // grouping lrf_collector_object grouping lrf_perf_object { uses apply-advanced; leaf packet-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 1000"; } } default "20"; description "Max packet inspection threshold including both c2s and s2c direction packets "; } } // grouping lrf_perf_object grouping lrf_rule_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule"; } uses apply-advanced; leaf match-direction { junos:must "(!(".. .. 
policy-based-logging"))"; junos:must-message "Match direction is not valid when policy based logging is enabled"; type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "both" { value 2; description "Both client-to-server and server-to-client"; } } default "both"; description "Match direction"; } container from { junos:must "(!(".. .. policy-based-logging"))"; junos:must-message "From is not valid when policy based logging is enabled"; presence "enable from"; description "Match criteria"; uses lrf_match_object; } // container from container then { description "Action to take for matched condition"; uses apply-advanced; container report { presence "enable report"; description "Report action"; uses lrf_report_object; } // container report } // container then } // grouping lrf_rule_object grouping lrf_match_object { uses apply-advanced; list source-prefix-list { key "name"; ordered-by user; description "One or more named lists of source prefixes to match"; leaf name { type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "One or more named lists of destination prefixes to match"; leaf name { type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list destination-prefix-list leaf-list source-ports { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } ordered-by user; description "Source port list specification"; } leaf-list destination-ports { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } ordered-by user; description "Destination port list specification"; } leaf app-unknown { type empty; description "Use to specify unknown application as the match criteria"; } list application-names { key "name"; ordered-by user; description "Match one or more applications"; leaf name { type string { length "1 .. 63"; } description "Name of application"; } uses apply-advanced; } // list application-names list application-groups { key "name"; ordered-by user; description "Match one or more application groups"; leaf name { type string { length "1 .. 63"; } description "Name of application group"; } uses apply-advanced; } // list application-groups } // grouping lrf_match_object grouping lrf_report_object { uses apply-advanced; leaf volume-limit { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 1024"; } } units "megabytes"; description "Volume limit"; } leaf time-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 1800"; } } units "seconds"; default "300"; description "Time limit"; } leaf template { junos:must "(".. .. .. .. template $$")"; junos:must-message "Template must be configured under services lrf profile template"; type string; description "Template to be used for export"; } leaf-list collector { type string { length "1 .. 63"; } max-elements 3; ordered-by user; description "List of collectors that receive the export packets"; } } // grouping lrf_report_object grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping mape_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "MAP-E softwire concentrator name"; } uses apply-advanced; leaf softwire-address { type jt:ipv6addr; description "Softwire concentrator IPV6 Address"; } leaf ipv4-prefix { type jt:ipv4prefix; description "MAP-E domains's rule IPv4 prefix/len"; } leaf mape-prefix { type jt:ipv6prefix; description "MAP-E domain's rule IPV6 prefix/len"; } leaf ea-bits-len { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 48"; } } description "MAP-E domain's rule EA (Embedded Address) len"; } leaf psid-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16"; } } default "4"; description "MAP-E domain's PSID offset"; } leaf psid-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16"; } } description "MAP-E domain's PSID length"; } leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1280 .. 9192"; } } default "9192"; description "MTU for the MAP-E softwire tunnel"; } leaf version-03 { type empty; description "MAP-E map-03 support"; } leaf v4-reassembly { type empty; description "MAP-E IPv4 reassembly support"; } leaf v6-reassembly { type empty; description "MAP-E IPv6 reassembly support"; } leaf disable-auto-route { type empty; description "MAP-E Disable Auto Route"; } } // grouping mape_object grouping match_li_simple_dscp_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_dscp_value grouping match_li_simple_port_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_port_value grouping match_li_simple_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_protocol_value grouping monitor-threshold { leaf normal { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 
100"; } } description "Usage under normal conditions"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 100"; } } description "Threshold upon which alarm is raised"; } } // grouping monitor-threshold grouping name-resolution-cache-type { description "Configuration of DNS responses cache"; uses apply-advanced; container maximum-time-in-cache { presence "enable maximum-time-in-cache"; description "Maximum time a DNS response may be held in the cache"; choice maximum-time-in-cache { leaf unlimited { type empty; description "Cache according to TTL"; } leaf time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 604800"; } } description "Seconds"; } } // choice maximum-time-in-cache } // container maximum-time-in-cache leaf maximum-records-in-cache { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 50000"; } } default "5000"; description "Maximum number of DNS responses that may be held in the cache"; } leaf blacklist-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
86400";
        }
      }
      default "600";
      description "Time (in seconds) a record will be held in the blacklist";
    }
    // Optional DNS resolving accelerations; each leaf is an independent on/off switch.
    container accelerations {
      presence "enable accelerations";
      description "Mechanisms for accelerating DNS resolving";
      uses apply-advanced;
      leaf no-refresh-before-ttl-expiry { type empty; description "Don't send a new query for records that are about to expire"; }
      leaf initiate-next-queries { type empty; description "Immediately initiate queries for referenced entries (e.g A entries referenced from SRV ones)"; }
      leaf initiate-alternative-queries { type empty; description "Initiate NAPTR, SRV and A record queries, in parallel, for every new SIP URI"; }
    } // container accelerations
  } // grouping name-resolution-cache-type

  // named-address-book-type: one named address book. It holds address entries
  // (address_type), address sets (address_set_type) and the list of security zones
  // the book is attached to.
  grouping named-address-book-type {
    description "Configure global address book";
    // No pattern or length restriction is declared on the book name in this grouping.
    leaf name { type string; description "Address book name"; }
    uses apply-advanced;
    leaf description {
      type string {
        // Free text, 1..900 characters, with '&', '<', '>' and space rejected.
        // NOTE(review): these are XML markup metacharacters; presumably excluded so the
        // text can be embedded in XML-rendered configuration unescaped -- confirm.
        junos:posix-pattern "^[^&<> ]+$";
        junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '";
        length "1 .. 900";
      }
      description "Text description of address book";
    }
    list address {
      key "name";
      ordered-by user;
      description "Define a security address";
      uses address_type;
    } // list address
    list address-set {
      key "name";
      ordered-by user;
      description "Define a security address set";
      uses address_set_type;
    } // list address-set
    container attach {
      // The book named "global" may not be attached anywhere (see the must-message).
      junos:must "(!("security address-book global attach"))";
      junos:must-message "It is not allowed to attach the global address book to any particular interface, zone or routing-instance.";
      description "Attach this address book to interface, zone or routing-instance";
      uses apply-advanced;
      list zone {
        key "name";
        ordered-by user;
        description "Define a zone to be attached";
        leaf name {
          // Two commit-time constraints: a zone may be attached to at most one address
          // book, and the zone has to exist under [security zones security-zone].
          junos:must "(unique "security address-book <*> attach zone $$")";
          junos:must-message "Security zone must be unique in address books";
          junos:must "("security zones security-zone $$")";
          junos:must-message "Security zone must be defined";
          type string { length "1 .. 63"; }
          description "Security zone name";
        }
        uses apply-advanced;
      } // list zone
    } // container attach
  } // grouping named-address-book-type

  // address_set_type: a named set that groups addresses and other address sets of the
  // same address book. Every member name is checked against the enclosing book.
  grouping address_set_type {
    leaf name {
      // A set may not reuse the name of an address in the same book.
      junos:must "(!(".. .. address $$"))";
      junos:must-message "Security address and address-set cannot have same name";
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores";
        length "1 .. 63";
      }
      description "Security address-set name";
    }
    uses apply-advanced;
    leaf description {
      type string {
        junos:posix-pattern "^[^&<> ]+$";
        junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '";
        length "1 .. 900";
      }
      description "Text description of address set";
    }
    list address {
      key "name";
      max-elements 16384;
      ordered-by user;
      description "Address to be included in this set";
      leaf name {
        // The member must already exist as an address of the enclosing address book,
        // so a set cannot reference an undefined (dangling) address.
        junos:must "(".. .. .. address $$")";
        junos:must-message "referenced address must be defined under address-book";
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores";
          length "1 .. 63";
        }
        description "Security address name";
      }
      uses apply-advanced;
    } // list address
    list address-set {
      key "name";
      max-elements 16384;
      ordered-by user;
      description "Define an address-set name";
      leaf name {
        // Same existence check as above, but against the book's address-set list; the
        // must-message text still says "address".
        junos:must "(".. .. .. address-set $$")";
        junos:must-message "referenced address must be defined under address-book";
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores";
          length "1 .. 63";
        }
      }
      uses apply-advanced;
    } // list address-set
  } // grouping address_set_type

  // address_type: a single named address. Its content is a YANG choice, so exactly one
  // representation (prefix, DNS name, wildcard, or one of the two range forms) applies.
  grouping address_type {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]:./_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, colons, periods, slashes, dashes and underscores";
        length "1 .. 63";
      }
      description "Security address name";
    }
    uses apply-advanced;
    leaf description {
      type string {
        junos:posix-pattern "^[^&<> ]+$";
        junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '";
        length "1 .. 900";
      }
      description "Text description of address";
    }
    choice address-content {
      leaf ip-prefix { type jt:ipprefix; description "Numeric IPv4 or IPv6 address with prefix"; }
      // Each list alternative is capped at one entry (max-elements 1).
      // NOTE(review): with dns-name the effective address set depends on DNS answers at
      // run time, which this schema cannot constrain -- keep that in mind when the
      // address is referenced from a security policy.
      list dns-name {
        key "name";
        max-elements 1;
        ordered-by user;
        description "DNS address name";
        uses dns-name-type;
      } // list dns-name
      list wildcard-address {
        key "name";
        max-elements 1;
        ordered-by user;
        description "Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask";
        uses wildcard-address-type;
      } // list wildcard-address
      list range-address {
        key "name";
        max-elements 1;
        ordered-by user;
        description "Address range";
        uses range-address-type;
      } // list range-address
      list address-range {
        key "name";
        max-elements 1;
        ordered-by user;
        description "Address range";
        uses usf-range-address-type;
      } // list address-range
    } // choice address-content
  } // grouping address_type

  // dns-name-type: host name used as address content, optionally restricted to one
  // address family.
  grouping dns-name-type {
    description "DNS address name";
    leaf name {
      type string {
        // Letters, digits, '.', '_' and '-' only, 1..253 characters; the second
        // alternative of the pattern appears to admit a lone '*' -- confirm its meaning.
        junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$";
        junos:pattern-message "Must be a valid DNS name";
        length "1 .. 253";
      }
      description "Fully qualified hostname";
    }
    uses apply-advanced;
    leaf ipv4-only { type empty; description "IPv4 dns address"; }
    leaf ipv6-only {
      // Mutually exclusive with ipv4-only.
      junos:must "(!(".. ipv4-only"))";
      junos:must-message "ipv4-only and ipv6-only cannot be configured together";
      type empty;
      description "IPv6 dns address";
    }
  } // grouping dns-name-type

  // nat-object: top-level NAT configuration. It pulls in the source, destination,
  // static, proxy-ARP and proxy-NDP sub-objects and defines trace options, pools,
  // rules, port-forwarding mappings and rule sets.
  grouping nat-object {
    description "Configure Network Address Translation";
    uses apply-advanced;
    container source { description "Configure Source NAT"; uses ssg-source-nat-object; } // container source
    container destination { description "Configure Destination NAT"; uses ssg-destination-nat-object; } // container destination
    container static { description "Configure Static NAT"; uses ssg-static-nat-object; } // container static
    container proxy-arp { description "Configure Proxy ARP"; uses ssg-proxy-arp-object; } // container proxy-arp
    container proxy-ndp { description "Configure Proxy NDP"; uses ssg-proxy-ndp-object; } // container proxy-ndp
    container natv6v4 {
      description "Configure NAT between IPv6 and IPv4 options";
      uses apply-advanced;
      leaf no-v6-frag-header { type empty; description "V6 packet does not always add fragment header when performing nat translation from v4 side to v6 side "; }
    } // container natv6v4
    leaf allow-overlapping-pools { type empty; description "IP addresses of NAT pools can overlap with other pool"; }
    container traceoptions {
      description "NAT trace options";
      uses apply-advanced;
      leaf no-remote-trace {
        // Only accepted when [system tracing] is configured.
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        leaf filename {
          type string {
            // Rejects '/', '%' and space, so the value is a bare file name and cannot
            // carry a directory component.
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        // No pattern or range is declared on size in this schema.
        leaf size { type string; description "Maximum trace file size"; }
        leaf files {
          // The string member admits values of the form <...> or starting with '$'
          // (presumably Junos wildcard/variable placeholders -- confirm); such values
          // are not bounded by the numeric range at schema level.
          type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } }
          default "3";
          description "Maximum number of trace files";
        }
        // Mutually exclusive (YANG choice). world-readable lets any user read the trace
        // file. NOTE(review): NAT traces presumably expose address and port mappings, so
        // no-world-readable is the safer setting unless wider read access is needed --
        // confirm what the daemon writes.
        choice world-readable-choice {
          leaf world-readable { type empty; description "Allow any user to read the log file"; }
          leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
        } // choice world-readable-choice
        leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
      } // container file
      // One list entry per enabled trace flag; "all" (value 4) traces everything.
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "configuration" { value 0; description "Trace configuration events"; }
            enum "flow" { value 1; description "Trace flow events"; }
            enum "routing-socket" { value 2; description "Trace routing socket events"; }
            enum "routing-protocol" { value 3; description "Trace routing protocol events"; }
            enum "all" { value 4; description "Trace everything"; }
            enum "source-nat-re" { value 5; description "Trace source nat events on RE side"; }
            enum "source-nat-rt" { value 6; description "Trace source nat events on PFE-RT side"; }
            enum "source-nat-pfe" { value 7; description "Trace source nat events on PFE-ukernel side"; }
            enum "destination-nat-re" { value 8; description "Trace destination nat events on RE side"; }
            enum "destination-nat-rt" { value 9; description "Trace destination nat events on PFE-RT side"; }
            enum "destination-nat-pfe" { value 10; description "Trace destination nat events on PFE-ukernel side"; }
            enum "static-nat-re" { value 11; description "Trace static nat events on RE side"; }
            enum "static-nat-rt" { value 12; description "Trace static nat events on PFE-RT side"; }
            enum "static-nat-pfe" { value 13; description "Trace static nat events on PFE-ukernel side"; }
            enum "nat-svc-set-re" { value 14; description "Trace NAT and svc-set events on RE side"; }
          }
        }
        // Per-flag switch that also copies NAT flow traces to the system log.
        leaf syslog { type empty; description "Write NAT flow traces to system log also"; }
      } // list flag
    } // container traceoptions
    list pool {
      key "name";
      ordered-by user;
description "Define a NAT pool";
      // (this line range opens inside "list pool" of grouping nat-object)
      uses nat_pool_object;
    } // list pool
    list ipv6-multicast-interfaces {
      key "name";
      ordered-by user;
      description "Enable IPv6 multicast filter for IPv6 NAT";
      leaf name { type string; description "Interface name"; }
      uses apply-advanced;
      leaf disable { type empty; description "Disable IPv6 multicast filter for IPv6 NAT"; }
    } // list ipv6-multicast-interfaces
    leaf allow-overlapping-nat-pools { type empty; description "Allow usage of overlapping and same nat pools in multiple service sets"; }
    list rule {
      key "name";
      ordered-by user;
      description "Define a NAT rule";
      uses nat_rule_object;
    } // list rule
    list port-forwarding {
      key "name";
      ordered-by user;
      description "Define a port-forwarding pool";
      uses pf_mapping;
    } // list port-forwarding
    list rule-set {
      key "name";
      max-elements 16960;
      ordered-by user;
      description "Defines a set of NAT rules";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots.";
          length "1 .. 63";
        }
        description "Name of the rule set";
      }
      uses apply-advanced;
      list rule {
        key "name";
        max-elements 16960;
        ordered-by user;
        description "Rule to be included in this rule set";
        leaf name {
          // A rule set may only list rules that exist under [services nat rule]; the
          // 63-character limit is expressed in the pattern ({0,62}) rather than by length.
          junos:must "("services nat rule $$")";
          junos:must-message "rule must be configured";
          type string {
            junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]{0,62}$";
            junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes, underscores, forward slashes, colons and dots.";
          }
          description "Rule name";
        }
        uses apply-advanced;
      } // list rule
    } // list rule-set
  } // grouping nat-object

  // nat_pool_object: one NAT pool. It names the addresses (prefixes, ranges or an
  // interface) to translate to, the port allocation policy, mapping and flow timeouts,
  // a per-host port limit and SNMP trap thresholds.
  grouping nat_pool_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Pool name";
    }
    uses apply-advanced;
    container pgcp {
      presence "enable pgcp";
      description "NAT pool should be used exclusive by the pgcp service";
      uses apply-advanced;
      leaf remotely-controlled { type empty; description "Remotely controlled NAT pool allocation"; }
      leaf ports-per-session {
        type union { type uint8; type string { pattern "<.*>|$.*"; } }
        default "2";
        description "Number of ports to allocate in each call setup";
      }
      list hint {
        key "name";
        max-elements 5;
        ordered-by user;
        description "NAT-hint list (Any string available up to 3 characters, not mandatory field)";
        uses nat_pgcp_hint_list_object;
      } // list hint
      leaf-list transport {
        type enumeration {
          enum "tcp" { value 0; description "TCP"; }
          enum "udp" { value 1; description "UDP"; }
          enum "rtp-avp" { value 2; description "RTP/AVP"; }
        }
        ordered-by user;
        description "NAT pool transport types list";
      }
    } // container pgcp
    list address {
      key "name";
      ordered-by user;
      description "Address or address prefix for NAT";
      leaf name { type jt:ipprefix-only; }
      uses apply-advanced;
    } // list address
    container interface {
      description "Interface for nat pool";
      leaf interface-name {
        // An interface-based pool requires address-overload, excludes address-range and
        // address in the same pool, and the interface unit must have an IPv4 address or
        // DHCP configured under [interfaces].
        junos:must "(".. .. address-overload")";
        junos:must-message "interface must be configured with address-overload in a pool";
        junos:must "(!(".. .. address-range"))";
        junos:must-message "interface cannot be configured along with address-range in a pool";
        junos:must "(!(".. .. address"))";
        junos:must-message "interface cannot be configured along with address in a pool";
        junos:must "(("interfaces $$-IFL family inet address" || "interfaces $$-IFL family inet dhcp"))";
        junos:must-message "Interface with ipv4 address or dhcp-client must be defined in the interfaces hierarchy";
        type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } }
      }
    } // container interface
    leaf address-overload {
      // Only valid when the pool also has a port container.
      junos:must "(".. port")";
      junos:must-message "port range must be configured with address-overload in a pool";
      type empty;
      description "Nat pool address overload with JunOS";
    }
    list address-range {
      key "low high";
      ordered-by user;
      description "Range of addresses for NAT";
      leaf low { type jt:ipaddr; description "Lower limit of address range"; }
      leaf high { type jt:ipaddr; description "Upper limit of address range"; }
    } // list address-range
    container port {
      description "Specify ports for NAT";
      uses apply-advanced;
      // Either automatic allocation or an explicit port range, never both.
      // NOTE(review): "sequential" hands out translated ports in order, which makes them
      // predictable to an outside observer; random-allocation is the option to prefer
      // where port prediction matters (cf. RFC 6056). "auto" is marked deprecated.
      choice port_choice {
        container automatic {
          presence "enable automatic";
          uses apply-advanced;
          choice automatic_choice {
            leaf auto { type empty; status deprecated; description "Automatically choose ports"; }
            leaf sequential { type empty; description "Allocate ports in sequence"; }
            leaf random-allocation { type empty; description "Allocate ports randomly"; }
          } // choice automatic_choice
        } // container automatic
        container range {
          description "Range of ports";
          // Nothing in this schema requires low <= high.
          leaf low {
            type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } }
            description "Lower limit of port range";
          }
          leaf high {
            type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } }
            description "Upper limit of port range";
          }
          leaf random-allocation { type empty; description "Allocate ports randomly"; }
        } // container range
      } // choice port_choice
      // Port blocks are handed out either in "secured" or in "deterministic" mode.
      choice block-allocation-choice {
        container secured-port-block-allocation {
          presence "enable secured-port-block-allocation";
          description "Secured Port block allocation";
          leaf block-size {
            type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 64512"; } }
            default "128";
            description "Number of port per block.";
          }
          leaf max-blocks-per-address {
            type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
            default "8";
            description "Max block per address";
          }
          leaf active-block-timeout {
            // No units statement is declared for this leaf.
            type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } }
            default "120";
            description "Active block timeout";
          }
        } // container secured-port-block-allocation
        container deterministic-port-block-allocation {
          // Cannot be combined with preserve-range or preserve-parity.
          junos:must "(!(".. preserve-range"))";
          junos:must-message "preserve-range is not supported with deterministic-port-block-allocation";
          junos:must "(!(".. preserve-parity"))";
          junos:must-message "preserve-parity is not supported with deterministic-port-block-allocation";
          presence "enable deterministic-port-block-allocation";
          description "Deterministic Port Block Allocation";
          leaf block-size {
            // Unlike the secured variant, the range here starts at 0; the meaning of 0
            // is not stated in this schema.
            type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 64512"; } }
            default "512";
            description "Number of ports per block";
          }
          leaf include-boundary-addresses { type empty; description "Include network and broadcast in 'from' src-addresses"; }
        } // container deterministic-port-block-allocation
      } // choice block-allocation-choice
      leaf preserve-parity { type empty; description "Allocate port with same parity as original port"; }
      leaf preserve-range { type empty; description "Preserve privileged port range after NAT"; }
    } // container port
    container address-allocation {
      // Only meaningful together with one of the randomised or secured port modes.
      junos:must "((".. port automatic random-allocation" || (".. port range random-allocation" || ".. port secured-port-block-allocation")))";
      junos:must-message "address-allocation applies only with port automatic random-allocation or port range random-allocation or secured-port-block-allocation";
      presence "enable address-allocation";
      description "Address allocation method for NAPT";
      uses apply-advanced;
      leaf round-robin { type empty; description "Round robin method of allocation"; }
    } // container address-allocation
    leaf mapping-timeout {
      // NOTE(review): the description advertises 120..86400, but the int32 member has no
      // range statement here (flow-timeout below does). Schema validation alone will not
      // reject out-of-range values; enforcement presumably happens on the device --
      // confirm. The same applies to ei-mapping-timeout and app-mapping-timeout.
      type union { type int32; type string { pattern "<.*>|$.*"; } }
      units "second";
      default "300";
      description "Address-pooling paired and endpoint-independent mapping timeout (120..86400)";
    }
    leaf flow-timeout {
      type union { type string { pattern "<.*>|$.*"; } type int32 { range "30 .. 86400"; } }
      units "second";
      default "300";
      description "Default flow timeout for NAT flows";
    }
    leaf ei-mapping-timeout {
      type union { type int32; type string { pattern "<.*>|$.*"; } }
      units "second";
      description "Endpoint-independent mapping timeout (120..86400)";
    }
    leaf app-mapping-timeout {
      // Mutually exclusive with mapping-timeout.
      junos:must "(!(".. mapping-timeout"))";
      junos:must-message "Both app-mapping-timeout and mapping-timeout should not be configured, any one only is allowed";
      type union { type int32; type string { pattern "<.*>|$.*"; } }
      units "second";
      description "Address-pooling paired mapping timeout (120..86400)";
    }
    leaf limit-ports-per-address {
      // Caps the ports one host can hold, which bounds how much of the pool a single
      // internal address can consume. No default is declared.
      type union { type string { pattern "<.*>|$.*"; } type int32 { range "2 .. 65435"; } }
      units "connections";
      description "Limit number of ports allocated per host (IP address)";
    }
    container snmp-trap-thresholds {
      presence "enable snmp-trap-thresholds";
      description "Define snmp traps for service sets";
      uses apply-advanced;
      container address-port {
        presence "enable address-port";
        description "Nat pool address and port usage trap threshold range";
        // Percent values; nothing in this schema requires low <= high.
        leaf low {
          type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } }
          units "percent";
          description "Lower limit of pool trap threshold";
        }
        leaf high {
          type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } }
          units "percent";
          description "Upper limit of pool trap threshold";
        }
      } // container address-port
    } // container snmp-trap-thresholds
  } // grouping nat_pool_object

  // nat_pgcp_hint_list_object: key of one NAT-hint entry for a pgcp pool.
  grouping nat_pgcp_hint_list_object {
    description "NAT hints";
    leaf name {
      type string {
        // One alphanumeric character followed by up to three of [alnum _ -], i.e. one to
        // four characters in total (length agrees). The "hint" list that uses this
        // grouping describes the value as "up to 3 characters".
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]{0,3}$";
        junos:pattern-message "NAT-hint is a string which should begin with a digit or a letter only. And consist of up to 3 numbers, dashes and underscores";
        length "1 .. 4";
      }
      description "NAT-hint string list";
    }
  } // grouping nat_pgcp_hint_list_object

  grouping nat_rule_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf match-direction {
      type enumeration {
        enum "input" { value 0; description "Match on input to interface"; }
        enum "output" { value 1; description "Match on output from interface"; }
        enum "input-output" { value 2; description "Match an input to or output from on interface"; }
      }
      description "Direction for which the rule match is applied";
    }
    list term {
      key "name";
      ordered-by user;
      description "Define a NAT term";
      leaf name {
        type string {
          junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$";
          junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots.";
          length "1 .. 
63"; } description "Term name"; } uses apply-advanced; leaf nat-type { type enumeration { enum "symmetric" { value 0; description "Symmetric NAT"; } enum "full-cone" { value 1; description "Full Cone NAT"; } } description "NAT type (symmetric/full-cone)"; } container from { description "Define match criteria"; uses sfw_match_object; } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice designation { leaf no-translation { junos:must "(!(".. translated"))"; junos:must-message "translated should not be configured when no-translation is configured"; type empty; description "Do not perform translation"; } } // choice designation choice port-forwarding { leaf port-forwarding-mappings { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Port forwarding mappings"; } } // choice port-forwarding container translated { description "Define translation parameters"; uses apply-advanced; choice source-pool-choice { leaf source-pool { junos:must "((!("services nat pool $$ port deterministic-port-block-allocation") || (".. translation-type deterministic-napt44" || ".. translation-type deterministic-napt64")))"; junos:must-message "Deterministic source pool must be used with deterministic-napt44 or deterministic-napt64 rule only"; junos:must "((!(".. address-pooling") || "services nat pool $$ port"))"; junos:must-message "Port configuration is mandatory in the pool used with Address Pooling"; junos:must "((!(".. 
mapping-type") || "services nat pool $$ port"))"; junos:must-message "Port configuration is mandatory in the pool used with End Point Independent Mapping"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "NAT pool for source translation"; } leaf source-prefix { junos:must "(!(".. translation-type stateful-nat64"))"; junos:must-message "Source prefix is not supported with NAT64"; type jt:ipprefix-only; description "NAT prefix for source translation"; } } // choice source-pool-choice leaf clat-prefix { junos:must "(".. translation-type stateful-nat464")"; junos:must-message "Clat-prefix should only be used with stateful-nat464"; type jt:ipprefix-only; description "Clat-prefix to be used for 464 translation type"; } leaf clat-ipv6-prefix-length { junos:must "(".. translation-type stateful-nat464")"; junos:must-message "Clat-ipv6-prefix-length should only be used with stateful-nat464"; type enumeration { enum "32" { value 0; description "The ipv6 prefix length of 32"; } enum "40" { value 1; description "The ipv6 prefix length of 40"; } enum "48" { value 2; description "The ipv6 prefix length of 48"; } enum "56" { value 3; description "The ipv6 prefix length of 56"; } enum "64" { value 4; description "The ipv6 prefix length of 64"; } enum "96" { value 5; description "The ipv6 prefix length of 96"; } } default "64"; description "The ipv6 prefix length for CLAT source address"; } choice destination-pool-choice { leaf destination-pool { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "NAT pool for destination translation"; } leaf destination-prefix { type jt:ipprefix-only; description "NAT prefix for destination translation"; } } // choice destination-pool-choice choice dns-alg-pool-choice { leaf dns-alg-pool { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "NAT pool for dns alg mappings"; } leaf dns-alg-prefix { type jt:ipprefix-only; description "DNS ALG 96 bit prefix for mapping IPv4 addresses to IPv6 addresses"; } } // choice dns-alg-pool-choice choice dns-map-address-for-destination-translation-choice { leaf use-dns-map-for-destination-translation { type empty; status deprecated; description "Use dns alg address map for destination translation"; } } // choice dns-map-address-for-destination-translation-choice choice overload-pool-choice { leaf overload-pool { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "NAT pool to be used when source pool is overloaded"; } leaf overload-prefix { type jt:ipprefix-only; description "NAT prefix to be used when source pool is overloaded"; } } // choice overload-pool-choice container translation-type { description "Type of translation to perform"; uses apply-advanced; leaf source { type enumeration { enum "static" { value 0; status deprecated; description "Static translation"; } enum "dynamic" { value 1; status deprecated; description "Dynamic translation"; } } status deprecated; description "Type of source translation"; } leaf destination { type enumeration { enum "static" { value 0; status deprecated; description "Static translation"; } } status deprecated; description "Type of destination translation"; } container basic-nat44 { presence "enable basic-nat44"; description "Static source address (IPv4 to IPv4) translation"; } // container basic-nat44 container dynamic-nat44 { presence "enable dynamic-nat44"; description "Dynamic source address only (IPv4 to IPv4) translation"; } // container dynamic-nat44 container napt-44 { presence "enable napt-44"; description "Source address (IPv4 to IPv4) and port translation"; } // container napt-44 container dnat-44 { presence "enable dnat-44"; description "Static Destination address (IPv4 to IPv4) translation"; } // container dnat-44 container stateful-nat64 { presence "enable stateful-nat64"; description "Dynamic source address (IPv6 to IPv4) and prefix removal for destination address (IPv6 to IPv4)translation"; } // container stateful-nat64 container stateful-nat464 { junos:must "(((".. .. .. translated clat-prefix" && (".. .. .. translated destination-prefix" && (".. .. .. .. from destination-address" && (".. .. .. .. from source-address" && (".. .. .. translated source-pool" && !(".. .. .. translated clat-ipv6-prefix-length")))))) || (".. .. .. translated clat-ipv6-prefix-length" && (".. .. .. translated destination-prefix" && (".. .. .. .. 
from destination-address" && (!(".. .. .. translated clat-prefix") && ".. .. .. translated source-pool"))))))"; junos:must-message "All clat-prefix/destination-prefix/source-address/destination-address/source-pool are required for NAT464 when clat-prefix is configured and clat-ipv6-prefix-length/destination-prefix/destination-address/source-pool are required for NAT464 when clat-ipv6-prefix-length is configured. Either clat-prefix or clat-ipv6-prefix-length should be configured with NAT464 "; presence "enable stateful-nat464"; description "Prefix removal for Src and Dest address (IPv6 to IPv4) translation"; } // container stateful-nat464 container basic-nat-pt { presence "enable basic-nat-pt"; description "NAT-PT (static source address (IPv6 to IPv4) and prefix removal for destination address (IPv6 to IPv4) translation)"; } // container basic-nat-pt container napt-pt { presence "enable napt-pt"; description "NAT-PT (source address (IPv6 to IPv4) and source port and prefix removal for destination address (IPv6 to IPv4) translation)"; } // container napt-pt container basic-nat66 { presence "enable basic-nat66"; description "Static source address (IPv6 to IPv6) translation [same as basic-nat44 but for IPv6 address family]"; } // container basic-nat66 container nptv6 { presence "enable nptv6"; description "Stateless source address (IPv6 to IPv6) translation"; } // container nptv6 container napt-66 { presence "enable napt-66"; description "Source address (IPv6 to IPv6) and port translation [same as napt-44 but for IPv6 address family]"; } // container napt-66 container twice-napt-44 { presence "enable twice-napt-44"; description "Source NAPT and destination static translation for IPv4 address family"; } // container twice-napt-44 container twice-basic-nat-44 { presence "enable twice-basic-nat-44"; description "Source static and destination static translation for IPv4 address family"; } // container twice-basic-nat-44 container twice-dynamic-nat-44 { presence "enable 
twice-dynamic-nat-44"; description "Source dynamic and destination static translation for IPv4 address family"; } // container twice-dynamic-nat-44 container deterministic-napt44 { junos:must "((".. .. .. .. from source-address" || (".. .. .. .. from source-address-range" || ".. .. .. .. from source-prefix-list")))"; junos:must-message "Deterministic NAT translation requires source-address or source-prefix-list in the from clause"; presence "enable deterministic-napt44"; description "Deterministic source NAPT for IPv4 family"; uses apply-advanced; } // container deterministic-napt44 container deterministic-napt64 { junos:must "((".. .. .. .. from source-address" || (".. .. .. .. from source-address-range" || ".. .. .. .. from source-prefix-list")))"; junos:must-message "Deterministic NAT translation requires source-address or source-prefix-list in the from clause"; presence "enable deterministic-napt64"; description "Deterministic source NAPT for IPv6 family"; } // container deterministic-napt64 } // container translation-type leaf mapping-type { junos:must "((".. translation-type source" || (".. translation-type napt-44" || (".. translation-type deterministic-napt44" || (".. translation-type deterministic-napt64" || (".. translation-type stateful-nat64" || ".. translation-type stateful-nat464"))))))"; junos:must-message "mapping-type applies only to source NAPT"; type enumeration { enum "endpoint-independent" { value 0; description "Endpoint independent mapping"; } } description "Source NAT mapping type"; } leaf flow-type { junos:must "((".. translation-type napt-44" || ".. 
translation-type dynamic-nat44"))"; /* Part of grouping nat_rule_object, inside 'then translated': the tail of leaf flow-type, then secure-nat-mapping, filtering-type and address-pooling. */ junos:must-message "flow-type applies only to napt-44 or dynamic-nat44"; type enumeration { enum "endpoint-independent" { value 0; description "Endpoint independent flow"; } } description "Source NAT flow type"; } leaf ignore-dst-nat-1to1-limitation { type empty; description "Ignore destination NAT 1:1 limitation"; } /* secure-nat-mapping: presence container. eif-flow-limit (0..65534) is accepted only when the sibling filtering-type container is configured, and sets the number of inbound flows allowed for one EIF mapping. mapping-refresh and flow-refresh choose which direction of traffic refreshes the timer; with 'outbound', inbound traffic alone does not refresh it. */ container secure-nat-mapping { presence "enable secure-nat-mapping"; description "Mapping options for enhanced security"; uses apply-advanced; leaf eif-flow-limit { junos:must "(".. .. filtering-type")"; junos:must-message "eif-flow-limit applies only to filtering-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65534"; } } description "Number of inbound flows to be allowed for a EIF mapping"; } leaf mapping-refresh { type enumeration { enum "inbound" { value 0; description "Enable timer refresh for inbound connections only"; } enum "outbound" { value 1; description "Enable timer refresh for outbound connections only"; } enum "inbound-outbound" { value 2; description "Enable timer refresh for inbound & outbound connections"; } } description "Enable timer refresh option"; } leaf flow-refresh { type enumeration { enum "inbound" { value 0; description "Enable timer refresh for inbound connections only"; } enum "outbound" { value 1; description "Enable timer refresh for outbound connections only"; } enum "inbound-outbound" { value 2; description "Enable timer refresh for inbound & outbound connections"; } } description "Enable timer refresh option"; } } // container secure-nat-mapping /* filtering-type: two must constraints. mapping-type must be endpoint-independent, and translation-type must be one of source, napt-44, deterministic-napt44, deterministic-napt64, stateful-nat64 or stateful-nat464. */ container filtering-type { junos:must "(".. mapping-type endpoint-independent")"; junos:must-message "endpoint independent filtering can be configured with endpoint-independent mapping only"; junos:must "((".. translation-type source" || (".. translation-type napt-44" || (".. translation-type deterministic-napt44" || (".. translation-type deterministic-napt64" || (".. translation-type stateful-nat64" || ".. 
translation-type stateful-nat464"))))))"; junos:must-message "filtering-type applies only to source NAPT"; description "Source NAT filtering type"; uses apply-advanced; /* endpoint-independent: the prefix-list entries name lists of source prefixes to match; an entry carrying 'except' marks a list not to match against. NOTE(review): prefix-list name is a bare string with no pattern, length or must reference here, unlike the pool and rule names elsewhere in this module; whether the name is checked against defined prefix lists cannot be told from this schema. */ container endpoint-independent { presence "enable endpoint-independent"; description "Endpoint independent filtering"; uses apply-advanced; list prefix-list { key "name"; ordered-by user; description "One or more named lists of source prefixes to match"; leaf name { type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list prefix-list } // container endpoint-independent } // container filtering-type /* address-pooling: the only value is 'paired'; the must constraint limits it to translation-type source, napt-44, stateful-nat64, stateful-nat464, deterministic-napt44 or deterministic-napt64. */ leaf address-pooling { junos:must "((".. translation-type source" || (".. translation-type napt-44" || (".. translation-type stateful-nat64" || (".. translation-type stateful-nat464" || (".. translation-type deterministic-napt44" || ".. translation-type deterministic-napt64"))))))"; junos:must-message "address-pooling applies only to source NAPT, stateful NAT64 and stateful NAT464"; type enumeration { enum "paired" { value 0; description "Address pooling behavior of paired"; } } description "Address pooling behavior for source NAT"; } } // container translated leaf syslog { type empty; description "System log information about the packet"; } } // container then } // list term } // grouping nat_rule_object grouping new_call_then_type { uses apply-advanced; leaf trace { type empty; description "Trace messages accepted on this policy"; } container media-policy { description "Media policy parameters"; uses apply-advanced; /* anchoring-policy: no-anchoring and media-release are cases of one choice, so at most one of them can be set. */ choice anchoring-policy { leaf no-anchoring { type empty; description "Setting this would bypass media packet gateway processing"; } leaf media-release { type empty; description "Release media - media will not be anchored"; } } // choice anchoring-policy container nat-traversal { presence "enable nat-traversal"; description "Choose when to perform NAT traversal"; uses apply-advanced; leaf 
nat-traversal-strategy { type enumeration { enum "never" { value 0; description "Never perform NAT traversal"; } enum "always" { value 1; description "Always perform NAT traversal"; } enum "same-as-signaling" { value 2; description "Perform NAT traversal according to signaling"; } } description "Choose when to perform NAT traversal"; } leaf force-bidirectional-media { type empty; description "Force bidirectional media"; } } // container nat-traversal container data-inactivity-detection { description "Configuration of data inactivity indicators"; uses apply-advanced; leaf inactivity-duration { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "30 .. 3600"; } } units "seconds"; description "The amount of time in seconds a stream is inactive before a notification is sent to the SPDF"; } } // container data-inactivity-detection leaf service-class { junos:must "("services border-signaling-gateway gateway ${gateway} embedded-spdf service-class $$")"; junos:must-message "Referenced service class must be defined"; type string { length "1 .. 
63"; } description "Rate limiting and dscp marking based on the media type"; } } // container media-policy } // grouping new_call_then_type grouping new_call_usage_set_type { leaf name { type string; description "Policy set name"; } uses apply-advanced; leaf-list policy-name { type string; max-elements 500; ordered-by user; description "Policy name"; } } // grouping new_call_usage_set_type grouping new_registration_set_type { leaf name { type string; description "Policy set name"; } uses apply-advanced; leaf-list policy-name { type string; max-elements 500; ordered-by user; description "Policy name"; } } // grouping new_registration_set_type grouping new_transaction_set_type { leaf name { type string; description "Policy set name"; } uses apply-advanced; leaf-list policy-name { type string; max-elements 500; ordered-by user; description "Policy name"; } } // grouping new_transaction_set_type grouping output-plugin { leaf name { type string; description "Plugin name"; } uses apply-advanced; list parameters { key "name"; ordered-by user; description "List of key:value parameters for plugin"; uses parameter-pair; } // list parameters } // grouping output-plugin grouping parameter-pair { leaf name { type string; description "Parameter key"; } uses apply-advanced; leaf value { type string; description "Parameter value"; } } // grouping parameter-pair grouping pcp-object { description "Configure Port Control Protocol"; uses apply-advanced; container traceoptions { description "Trace options for PCP-LOG"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } /* Part of grouping pcp-object: the remainder of the PCP trace file settings, the trace flags, and the server, rule and rule-set lists. */ description "Name of file in which to write trace information"; } /* size is an unconstrained string in this schema; any unit or bound checking is not visible here. */ leaf size { type string; description "Maximum trace file size"; } /* files: maximum number of trace files, 2..1000, default 3. The string member of the union accepts values of the form <...> or $... ; NOTE(review): presumably configuration-group wildcards or variables, confirm. */ leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } /* The two leaves are cases of one choice, so at most one can be set. world-readable lets any user read the trace file. NOTE(review): the schema does not state which behavior applies when neither leaf is set; confirm before relying on it, since trace output for flow events may include client addresses and mapping details. */ choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice /* match: a regular expression (jt:regular-expression) selecting the lines to be logged. */ leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file /* flag: selects what is traced: configuration events, flow events, or everything. */ list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions /* server and rule take their contents from groupings pcp-server-object and pcp-rule-object. */ list server { key "name"; ordered-by user; description "Define a PCP server"; uses pcp-server-object; } // list server list rule { key "name"; ordered-by user; description "Define a PCP rule"; uses pcp-rule-object; } // list rule /* rule-set: at most 16960 named sets; a set name must start with an alphanumeric character and continue with alphanumerics, '_' or '-'. */ list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services pcp rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // grouping pcp-object grouping pcp-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Define direction for which the rule match is applied"; } list term { key "name"; ordered-by user; description "Define a PCP term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses sfw_match_object; } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf pcp-server { junos:must "("services pcp server $$")"; junos:must-message "Referenced PCP server must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define PCP server"; } } // container then } // list term container match { description "Define match criteria"; uses sfw_match_object; } // container match container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf pcp-server { junos:must "("services pcp server $$")"; junos:must-message "Referenced PCP server must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define PCP server"; } } // container then } // grouping pcp-rule-object grouping pcp-server-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of PCP server"; } uses apply-advanced; leaf ipv4-address { type jt:ipv4addr; description "Configure IPv4 address for this PCP server"; } leaf ipv6-address { junos:must "((".. softwire-concentrator" || ".. 
softwire-concentrator-name"))"; /* Part of grouping pcp-server-object: the tail of leaf ipv6-address, then the DS-Lite concentrator references, mapping lifetimes, per-client limit, PCP options and NAT pool references of one PCP server. */ junos:must-message "softwire-concentrator is a must with ipv6-address, please configure it under this pcp-server"; type jt:ipv6addr; description "Configure IPv6 address for this PCP server"; } /* softwire-concentrator: three must constraints. ipv4-address must be absent, ipv6-address must be present, and the value must name an entry under 'services softwire softwire-concentrator ds-lite'. */ leaf softwire-concentrator { junos:must "(!(".. ipv4-address"))"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, please remove ipv4-address in this pcp-server"; junos:must "(".. ipv6-address")"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, must define ipv6-address in this pcp-server"; junos:must "("services softwire softwire-concentrator ds-lite $$")"; junos:must-message "referenced softwire-concentrator must be defined under 'services softwire softwire-concentrator ds-lite'"; type string { length "1 .. 63"; } description "Softwire ds-lite concentrator"; } /* softwire-concentrator-name: the same first two constraints, but the reference is resolved under 'services softwires softwire-types ds-lite'. */ leaf softwire-concentrator-name { junos:must "(!(".. ipv4-address"))"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, please remove ipv4-address in this pcp-server"; junos:must "(".. ipv6-address")"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, must define ipv6-address in this pcp-server"; junos:must "("services softwires softwire-types ds-lite $$")"; junos:must-message "referenced softwire-concentrator must be defined under 'services softwires softwire-types ds-lite'"; type string { length "1 .. 63"; } description "Softwire ds-lite concentrator"; } /* Mapping lifetime bounds, in seconds: minimum 120..3600 (default 120), maximum 120..4294667 (default 86400). */ leaf mapping-lifetime-minimum { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "120 .. 3600"; } } units "second"; default "120"; description "Configure the minimum lifetime for any mapping"; } leaf mapping-lifetime-maximum { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 
4294667"; } } units "second"; default "86400"; description "Configure the maximum lifetime for any mapping"; } /* Durations, in seconds, of a short-lifetime error (15..300, default 30) and a long-lifetime error (900..18000, default 1800). */ leaf short-lifetime-error { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "15 .. 300"; } } units "second"; default "30"; description "Configure duration of a short-lifetime error"; } leaf long-lifetime-error { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "900 .. 18000"; } } units "second"; default "1800"; description "Configure duration of a long-lifetime error"; } /* max-mappings-per-client: 1..128, default 32. This bounds the number of mappings a single client is permitted on this server. */ leaf max-mappings-per-client { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 128"; } } default "32"; description "Configure maximum mappings permitted per client"; } /* pcp-options: both leaves are type empty, so an option is selected by the leaf being present. third-party presumably corresponds to the PCP THIRD_PARTY option of RFC 6887, which lets a request act on mappings for an internal address other than the requester's own; RFC 6887 treats that option as security-sensitive, so enable it only where requesters are authorized to act for other hosts. prefer-failure presumably corresponds to PREFER_FAILURE. NOTE(review): how the server behaves when a leaf is absent is not shown in this schema. */ container pcp-options { description "Configure PCP options supported by this server"; leaf third-party { type empty; description "Enable Third Party option"; } leaf prefer-failure { type empty; description "Enable Prefer Failure option"; } } // container pcp-options /* nat-options and nat-option both list NAT pool names; they differ in the grouping used and therefore in where the pool must be defined: 'services nat pool' (nat_pool_list_object) versus 'services nat source pool' (nat_pool_list_object_usf). */ container nat-options { description "NAT options of this PCP server"; uses apply-advanced; list pool { key "name"; ordered-by user; description "NAT pool name"; uses nat_pool_list_object; } // list pool } // container nat-options container nat-option { description "NAT option of this PCP server"; uses apply-advanced; list pool { key "name"; ordered-by user; description "NAT pool name"; uses nat_pool_list_object_usf; } // list pool } // container nat-option } // grouping pcp-server-object /* nat_pool_list_object: a pool name that must refer to an existing 'services nat pool' entry. */ grouping nat_pool_list_object { description "One or more nat pools"; leaf name { junos:must "("services nat pool $$")"; junos:must-message "referenced nat pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } } } // grouping nat_pool_list_object grouping nat_pool_list_object_usf { description "One or more nat pools"; leaf name { junos:must "("services nat source pool $$")"; junos:must-message "referenced nat pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } } // grouping nat_pool_list_object_usf grouping pf_mapping { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Port Forwarding name"; } uses apply-advanced; list destined-port { key "port translated-port"; max-elements 32; ordered-by user; description "Port forwarding mappings"; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } leaf translated-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Translated port"; } } // list destined-port } // grouping pf_mapping grouping pfcp-traceoptions-type { description "Trace options for SAEGW PFCP"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "decode" { value 1; description "Trace PFCP protocol decode events"; } enum "encode" { value 2; description "Trace PFCP protocol encode events"; } enum "general" { value 3; description "Trace PFCP general events"; } enum "heartbeat" { value 4; description "Trace PFCP heart beat management events"; } enum "request-cache" { value 5; description "Trace PFCP request-cache events"; } enum "operational-commands" { value 6; description "Trace PFCP events related to operational-commands"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping pfcp-traceoptions-type grouping pgcp_gateway_object { description "One or more Packet Gateways"; leaf name { type string { length "1 .. 
63"; } description "Gateway Name"; } uses apply-advanced; leaf gateway-address { type jt:ipv4addr; description "Local Gateway IP address"; } leaf routing-instance { type string; default "inet.0"; description "Routing instance"; } leaf gateway-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } default "2944"; description "Local Gateway transport port"; } leaf cleanup-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "5 .. 65535"; } } units "seconds"; description "When expires the PG will clean its gate state (Applicable in disconnections)"; } leaf service-state { type enumeration { enum "in-service" { value 0; description "Gateway is operational"; } enum "out-of-service-forced" { value 1; description "Gateway is nonoperational"; } enum "out-of-service-graceful" { value 2; description "Gateway becomes nonoperational by draining"; } } description "Service state"; } container h248-timers { presence "enable h248-timers"; uses pgcp_h248_timers_object; } // container h248-timers container h248-properties { presence "enable h248-properties"; uses pgcp_h248_properties_object; } // container h248-properties container h248-options { presence "enable h248-options"; uses pgcp_h248_options_object; } // container h248-options leaf max-concurrent-calls { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
20000"; } } default "0"; description "Maximum number of concurrent calls"; } list gateway-controller { key "name"; max-elements 32; ordered-by user; uses pgcp_controller_object; } // list gateway-controller container monitor { description "Monitor voice traffic"; uses apply-advanced; container media { presence "enable media"; description "Monitor media traffic"; uses apply-advanced; leaf rtp { type empty; description "Monitor RTP traffic"; } leaf rtcp { type empty; description "Monitor RTCP traffic"; } } // container media } // container monitor container graceful-restart { presence "enable graceful-restart"; uses apply-advanced; leaf maximum-synchronization-time { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 720"; } } units "seconds"; default "720"; status deprecated; description "Maximum time for synchronization procedure with the PIC"; } leaf maximum-synchronization-mismatches { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 20000"; } } default "250"; description "Maximum number of mismatches for synchronization procedure with the PIC"; } leaf no-synchronization { type empty; description "Disable the synchronization procedure with the PIC"; } leaf catchup-replication-delay { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 600"; } } default "300"; description "Delay between replication of new updates and catch-up"; } } // container graceful-restart container fast-update-filters { presence "enable fast-update-filters"; uses apply-advanced; leaf maximum-terms { type union { type string { pattern "<.*>|$.*"; } type uint64 { range "0 .. 20000"; } } default "2000"; description "Maximum gate rate-limit terms to install at PFE"; } leaf maximum-term-percentage { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 
100"; } } default "10"; description "Maximum percentage of gates with rate-limit terms at PFE"; } } // container fast-update-filters container session-mirroring { presence "enable session-mirroring"; uses pgcp_gateway_session_mirroring_object; } // container session-mirroring container data-inactivity-detection { uses apply-advanced; leaf inactivity-delay { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 3600"; } } units "seconds"; default "0"; description "Delay before data inactivity detection starts"; } leaf latch-deadlock-delay { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 3600"; } } units "seconds"; default "0"; description "Delay value used for gates employing NAPT traversal"; } leaf send-notification-on-delay { type empty; description "Send inactivity notification when delay expires"; } leaf inactivity-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 86400"; } } units "seconds"; default "15"; description "Default data inactivity duration (Q-MI)"; } leaf stop-detection-on-drop { type empty; description "Stop detection when gate action is set to drop"; } leaf no-rtcp-check { type empty; description "Do not detect data inactivity on rtcp stream"; } container report-service-change { description "Configure the data-inactivity service-change behavior"; uses apply-advanced; leaf service-change-type { type enumeration { enum "forced-910" { value 0; description "Send FO/910 service change"; } enum "forced-906" { value 1; description "Send FO/906 service change"; } } description "Configure the service-change type to be sent upon data-inactivity"; } } // container report-service-change } // container data-inactivity-detection container overload-control { presence "enable overload-control"; uses apply-advanced; leaf queue-limit-percentage { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 
100"; } } default "70"; description "Overload control queue limit percentage"; }
      // Everything down to "} // grouping pgcp_gateway_object" is the tail of a grouping that
      // opens before this span: the rest of container overload-control, then container
      // platform and the IPsec leaf.
      //
      // Recurring type in this module: a union of a ranged integer and a string matching
      // "<.*>|$.*" (text in angle brackets, or text starting with "$"). A string that matches
      // is accepted by the schema without any range check.
      // NOTE(review): presumably Junos wildcard/variable placeholders - confirm the device
      // range-checks the value after substitution.
      //
      // NOTE(review): the three percentage thresholds default to 70/80/90, but no junos:must
      // relates them, so the schema accepts any ordering.
      leaf reject-new-calls-threshold {
        type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 100"; } }
        default "80";
        description "Overload control reject new calls threshold";
      }
      leaf reject-all-commands-threshold {
        type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 100"; } }
        default "90";
        description "Overload control reject all commands threshold";
      }
      leaf queue-maximum-length {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 1000"; } }
        default "100";
        description "Overload control queue maximum length";
      }
      leaf error-code {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "510 .. 511"; } }
        default "511";
        description "Overload control error code";
      }
    } // container overload-control
    // Chooses where the gateway runs: on the routing engine, or on a services device whose
    // name must already exist under [interfaces] (junos:must on leaf device).
    container platform {
      presence "enable platform";
      description "Define the platform on which the gateway should be activated";
      uses apply-advanced;
      choice values {
        leaf routing-engine {
          type empty;
          description "The gateway should be activated on the RE";
        }
        leaf device {
          junos:must "("interfaces $$")";
          junos:must-message "The device name should be defined as an interface";
          type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } }
          description "The gateway should be activated on a services device";
        }
      } // choice values
    } // container platform
    // Names an IPsec transport security association by a 1-63 character string.
    // NOTE(review): unlike leaf device above, this leaf carries no junos:must, so the schema
    // does not check that the named association exists - confirm it is validated at commit,
    // since a mistyped name could leave the gateway without the intended IPsec protection.
    leaf ipsec-transport-security-association {
      type string { length "1 .. 63"; }
      description "IPsec transport security association name";
    }
  } // grouping pgcp_gateway_object

  // One gateway controller entry: its IPv4 address and port, an optional interim AH scheme,
  // and whether the controller is remote or a local border-signaling-gateway.
  // Used by "list gateway-controller" (max-elements 32) in pgcp_gateway_object.
  grouping pgcp_controller_object {
    leaf name {
      type string { length "1 .. 63"; }
      description "PGCP Controller Name";
    }
    uses apply-advanced;
    leaf controller-address {
      type jt:ipv4addr;
      description "Gateway controller IP address";
    }
    leaf controller-port {
      type union { type uint16; type string { pattern "<.*>|$.*"; } }
      default "2944";
      description "Gateway controller port";
    }
    // pgcp_interim_ah_scheme_object (defined later in this module) offers one algorithm
    // value, "hmac-null", described there as the NULL authentication algorithm. As far as the
    // schema shows, enabling this container does not add a keyed integrity check on
    // controller messages.
    // NOTE(review): confirm what authenticates the control association in a deployment, e.g.
    // the ipsec-transport-security-association leaf of the gateway.
    container interim-ah-scheme {
      presence "enable interim-ah-scheme";
      uses pgcp_interim_ah_scheme_object;
    } // container interim-ah-scheme
    choice controller-type {
      // Flag leaf. Its two junos:must expressions require that the controller-address of this
      // entry and the gateway-address of the enclosing gateway are both configured.
      leaf remote-controller {
        junos:must "("services pgcp gateway ${gateway} gateway-controller ${gateway-controller} controller-address")";
        junos:must-message "remote-controller requires gateway-controller-address";
        junos:must "("services pgcp gateway ${gateway} gateway-address")";
        junos:must-message "remote-controller requires gateway-address";
        type empty;
        description "The gateway controller is remote";
      }
      // Carries a name that must match a gateway defined under
      // [services border-signaling-gateway].
      leaf local-controller {
        junos:must "("services border-signaling-gateway gateway $$")";
        junos:must-message "local-controller name should be defined as border-signaling-gateway";
        type string { length "1 .. 63"; }
        description "The gateway controller is local";
      }
    } // choice controller-type
  } // grouping pgcp_controller_object

  // Per-gateway session mirroring: at most one delivery-function reference (max-elements 1)
  // and a flag that turns mirroring off for this gateway.
  // NOTE(review): mirroring delivers copies of session packets to another host, so write
  // access to this subtree is worth restricting and auditing; the schema does not do that.
  grouping pgcp_gateway_session_mirroring_object {
    description "Gateway session mirroring properties";
    uses apply-advanced;
    list delivery-function {
      key "name";
      max-elements 1;
      ordered-by user;
      description "Interface for delivering mirrored packets";
      uses pgcp_delivery_function_list_object;
    } // list delivery-function
    leaf disable-session-mirroring {
      type empty;
      description "Disable session mirroring for this gateway";
    }
  } // grouping pgcp_gateway_session_mirroring_object

  // Key of the per-gateway delivery-function list. The junos:must makes it a reference: the
  // name has to exist under [services pgcp session-mirroring delivery-function], and the
  // disable-session-mirroring flag at [services pgcp session-mirroring] must not be set.
  grouping pgcp_delivery_function_list_object {
    description "Session-mirroring delivery functions";
    leaf name {
      junos:must "(("services pgcp session-mirroring delivery-function $$" && !("services pgcp session-mirroring disable-session-mirroring")))";
      junos:must-message "referenced delivery-function must be defined and enabled";
      type string { length "1 .. 63"; }
    }
  } // grouping pgcp_delivery_function_list_object

  // H.248 option switches for a gateway: service-change behaviour, audit history buffer,
  // message encoding and the declared H.248 profile. The grouping continues past this span.
  grouping pgcp_h248_options_object {
    uses apply-advanced;
    container service-change {
      presence "enable service-change";
      uses pgcp-h248-service-change-object;
    } // container service-change
    leaf audit-observed-events-returns {
      type empty;
      description "Activation of history buffer for audit observed events";
    }
    container encoding {
      presence "enable encoding";
      uses apply-advanced;
      leaf no-octet-string-bit-mirroring {
        type empty;
        description "No octet string bit mirroring";
      }
      leaf no-dscp-bit-mirroring {
        type empty;
        status deprecated;
        description "No DSCP bit mirroring";
      }
      leaf use-lower-case {
        type empty;
        description "Encode H248 message in lower case";
      }
    } // container encoding
    container h248-profile {
      uses apply-advanced;
      // Pattern and length agree: one letter followed by up to 63 letters, digits or
      // underscores, so 64 characters at most.
      leaf profile-name {
        type string {
          junos:posix-pattern "^[A-Za-z][_0-9A-Za-z]{0,63}$";
          junos:pattern-message "Must be a string beginning with a letter and consisting of no more than 64 total letters, numbers and underscores.";
          length "1 .. 
64"; } description "The H.248 profile declared by the BGF"; }
      // Tail of container h248-profile inside grouping pgcp_h248_options_object, which opens
      // before this span.
      leaf profile-version {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } }
        description "The H.248 profile-version declared by the BGF";
      }
    } // container h248-profile
    // The three leaves below are of type empty: they carry no value, and configuring the leaf
    // is what selects the behaviour named in its description.
    leaf accept-emergency-calls-while-graceful {
      type empty;
      description "Accept emergency calls while BGF is in OOS gracefull state";
    }
    leaf implicit-tcp-latch {
      type empty;
      description "Latch implicitly upon TCP transport usage";
    }
    // NOTE(review): opt-in flag. Presumably it restricts TCP media to the expected peer
    // address; confirm against the product documentation before relying on it as a filter.
    leaf implicit-tcp-source-filter {
      type empty;
      description "Implicitly filter TCP source addresses";
    }
  } // grouping pgcp_h248_options_object

  // Service-change configuration, split by what the indication refers to: the control
  // association, virtual interfaces, or contexts. Each part is an optional presence container.
  // In the enumerations of the groupings below, the numeric suffix of each value presumably
  // is the H.248 ServiceChange reason code and the prefix the method - TODO confirm.
  grouping pgcp-h248-service-change-object {
    uses apply-advanced;
    container control-association-indications {
      presence "enable control-association-indications";
      description "Control association indications";
      uses control-association-indications-object;
    } // container control-association-indications
    container virtual-interface-indications {
      presence "enable virtual-interface-indications";
      description "Virtual interface indications";
      uses virtual-interface-indications-object;
    } // container virtual-interface-indications
    container context-indications {
      presence "enable context-indications";
      description "Context indications";
      uses context-indications-object;
    } // container context-indications
    leaf use-wildcard-response {
      type empty;
      description "Request short response to service-change messages";
    }
  } // grouping pgcp-h248-service-change-object

  // Which service change is sent on context state loss.
  // NOTE(review): the "none" description mentions "918" while the other values are 915 and
  // 910; this looks like a description inconsistency - verify.
  grouping context-indications-object {
    description "Context indications";
    uses apply-advanced;
    leaf state-loss {
      type enumeration {
        enum "forced-915" { value 0; description "State loss"; }
        enum "forced-910" { value 1; description "State loss reason fo/910"; }
        enum "none" { value 2; description "Suppress state loss 918 service change"; }
      }
      description "Configure state loss service change";
    }
  } // grouping context-indications-object

  // Groups the service-change settings for the three control-association events:
  // up, down and disconnect.
  grouping control-association-indications-object {
    description "Control association indications";
    uses apply-advanced;
    container up {
      presence "enable up";
      uses pgcp-association-up-object;
    } // container up
    container down {
      presence "enable down";
      uses pgcp-association-down-object;
    } // container down
    container disconnect {
      presence "enable disconnect";
      uses pgcp-association-disconnect-object;
    } // container disconnect
  } // grouping control-association-indications-object

  // Service change sent after a disconnect: on reconnect, and on controller failure.
  grouping pgcp-association-disconnect-object {
    description "Control association disconnect";
    uses apply-advanced;
    leaf reconnect {
      type enumeration {
        enum "disconnected-900" { value 0; description "Service restored"; }
        enum "restart-902" { value 1; description "Warm boot"; }
      }
      description "Configure reconnect service change";
    }
    leaf controller-failure {
      type enumeration {
        enum "restart-902" { value 0; description "Warm boot"; }
        enum "failover-909" { value 1; description "Gateway controller impending failure"; }
      }
      description "Configure controller failure service change";
    }
  } // grouping pgcp-association-disconnect-object

  // Service change sent when the association goes down, per cause. Each leaf has a "none"
  // value that suppresses the message; note that "none" is value 2 in the first two leaves
  // but value 0 in leaf graceful.
  grouping pgcp-association-down-object {
    description "Control association down";
    uses apply-advanced;
    leaf administrative {
      type enumeration {
        enum "forced-905" { value 0; description "Termination taken out of service"; }
        enum "forced-908" { value 1; description "Gateway impending failure"; }
        enum "none" { value 2; description "Suppress service change"; }
      }
      description "Configure administrative service change";
    }
    leaf failure {
      type enumeration {
        enum "forced-904" { value 0; description "Termination malfunctioning"; }
        enum "forced-908" { value 1; description "Gateway impending failure"; }
        enum "none" { value 2; description "Suppress service change"; }
      }
      description "Configure failure service change";
    }
    leaf graceful {
      type enumeration {
        enum "none" { value 0; description "Suppress graceful-905 service change"; }
        enum "graceful-905" { value 1; description "Termination taken out of service"; }
      }
      description "Configure graceful service change";
    }
  } // grouping pgcp-association-down-object

  // Service change sent when the association comes up: after a cold or warm failover, and
  // when a graceful shutdown is cancelled.
  grouping pgcp-association-up-object {
    description "Control association up";
    uses apply-advanced;
    leaf failover-cold {
      type enumeration {
        enum "restart-901" { value 0; description "Cold boot"; }
        enum "failover-920" { value 1; description "Cold failover"; }
      }
      description "Configure failover-cold service change";
    }
    leaf failover-warm {
      type enumeration {
        enum "restart-902" { value 0; description "Warm boot"; }
        enum "failover-919" { value 1; description "Warm failover"; }
      }
      description "Configure failover-warm service change";
    }
    leaf cancel-graceful {
      type enumeration {
        enum "none" { value 0; description "Suppress restart-918 service change"; }
        enum "restart-918" { value 1; description "Cancel graceful"; }
      }
      description "Configure cancel-graceful service change";
    }
  } // grouping pgcp-association-up-object

  // H.248 property defaults for a gateway. Every member is an optional presence container
  // that pulls in its own grouping. The grouping continues past this span.
  grouping pgcp_h248_properties_object {
    description "Gateway H248 properties";
    uses apply-advanced;
    container base-root {
      presence "enable base-root";
      description "Setting H248 mg-mgc transaction time values";
      uses pgcp_h248_base_root_object;
    } // container base-root
    container segmentation {
      presence "enable segmentation";
      uses pgcp_h248_segmentation_object;
    } // container segmentation
    container diffserv {
      presence "enable diffserv";
      uses pgcp_h248_diffserv_object;
    } // container diffserv
    container hanging-termination-detection {
      presence "enable hanging-termination-detection";
      description "Enabling Hanging termination detection";
      uses pgcp-h248-hangterm-object;
    } // container hanging-termination-detection
    container traffic-management {
      presence "enable traffic-management";
      description "Setting of h248 traffic management default values";
      uses pgcp_h248_traffic_management_object;
    } // container traffic-management
    container notification-behavior {
      presence "enable notification-behavior";
      description "Setting of h248 Notify behavior values";
      uses pgcp-h248-notification-behavior-object;
    } // container notification-behavior
    container 
application-data-inactivity-detection {
      // This container and the two after it close grouping pgcp_h248_properties_object, which
      // opens before this span.
      presence "enable application-data-inactivity-detection";
      description "Setting application data inactivity detection";
      uses pgcp-h248-application-data-inactivity-detection-object;
    } // container application-data-inactivity-detection
    container event-timestamp-notification {
      presence "enable event-timestamp-notification";
      description "Setting event timestamp notification";
      uses pgcp-h248-event-timestamp-notification-object;
    } // container event-timestamp-notification
    container inactivity-timer {
      presence "enable inactivity-timer";
      description "Default values for inactivity timeout";
      uses pgcp-h248-inactivity-timer-object;
    } // container inactivity-timer
  } // grouping pgcp_h248_properties_object

  // How IP-flow-stop events are reported: every one, or regulated.
  grouping pgcp-h248-application-data-inactivity-detection-object {
    description "Application data inactivity detection";
    uses apply-advanced;
    leaf ip-flow-stop-detection {
      type enumeration {
        enum "immediate-notify" { value 0; description "Report all notifications"; }
        enum "regulated-notify" { value 1; description "Suppress notification according to notification-count"; }
      }
      description "Setting ip flow stop detection";
    }
  } // grouping pgcp-h248-application-data-inactivity-detection-object

  // Whether a timestamp accompanies event notifications.
  grouping pgcp-h248-event-timestamp-notification-object {
    description "Event timestamp notification";
    uses apply-advanced;
    leaf request-timestamp {
      type enumeration {
        enum "requested" { value 0; description "Send event timestamp"; }
        enum "suppressed" { value 1; description "Dont send event timestamp"; }
        enum "autonomous" { value 2; description "Show timestamp at notify request"; }
      }
      description "Notification timestamp";
    }
  } // grouping pgcp-h248-event-timestamp-notification-object

  // Hanging-termination timer in seconds, default 0.
  // The string arm of the union ("<.*>|$.*": text in angle brackets or starting with "$")
  // is accepted without the numeric range check; the same union recurs in the leaves below.
  // NOTE(review): presumably a Junos placeholder syntax - confirm the device range-checks
  // the substituted value.
  grouping pgcp-h248-hangterm-object {
    description "Hanging termination detection timer";
    uses apply-advanced;
    leaf timerx {
      type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147480"; } }
      units "seconds";
      default "0";
      description "Setting timerx value";
    }
  } // grouping pgcp-h248-hangterm-object

  // Inactivity timer used to verify connectivity to the controller (PGC).
  // Units are 10 ms, so the defaults read: default 12000 = 120 s, minimum 100 = 1 s,
  // maximum 65535 = about 655 s.
  // NOTE(review): no junos:must ties minimum <= default <= maximum.
  grouping pgcp-h248-inactivity-timer-object {
    description "A timer to verify PGC connectivity";
    uses apply-advanced;
    container inactivity-timeout {
      presence "enable inactivity-timeout";
      uses apply-advanced;
      leaf detect {
        type empty;
        description "Enable/Disable inactivity timer detection";
      }
      container maximum-inactivity-time {
        uses apply-advanced;
        leaf default {
          type union { type string { pattern "<.*>|$.*"; } type uint16 { range "100 .. 65535"; } }
          units "10-milliseconds";
          default "12000";
          description "Default maximum inactivity timeout";
        }
        leaf minimum {
          type union { type string { pattern "<.*>|$.*"; } type uint16 { range "100 .. 65535"; } }
          units "10-milliseconds";
          default "100";
          description "Minimum range for maximum inactivity timeout";
        }
        leaf maximum {
          type union { type string { pattern "<.*>|$.*"; } type uint16 { range "100 .. 65535"; } }
          units "10-milliseconds";
          default "65535";
          description "Maximum range for maximum inactivity timeout";
        }
      } // container maximum-inactivity-time
    } // container inactivity-timeout
  } // grouping pgcp-h248-inactivity-timer-object

  // Default regulation of Notify messages. The pattern accepts the word "once", "100", or
  // one or two digits (so "7" and "07" both pass).
  grouping pgcp-h248-notification-behavior-object {
    description "Notify behavior parameters";
    uses apply-advanced;
    container notification-regulation {
      presence "enable notification-regulation";
      uses apply-advanced;
      leaf default {
        type string {
          junos:posix-pattern "^(once|100|[0-9]{1,2})$";
          junos:pattern-message "Regulation can be 0-100 percentage or 'once'";
        }
        description "Default suppression percentage of Notification behavior Regulation ";
      }
    } // container notification-regulation
  } // grouping pgcp-h248-notification-behavior-object

  // H.248 base-root transaction timers and pending limits, each as a default/minimum/maximum
  // triple. The "default" leaves carry no description statement. The grouping continues past
  // this span.
  // NOTE(review): nothing in the schema enforces minimum <= default <= maximum.
  grouping pgcp_h248_base_root_object {
    uses apply-advanced;
    container normal-mg-execution-time {
      presence "enable normal-mg-execution-time";
      description "MG transaction response time expected by MGC.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "500";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of execution time value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "29000";
        description "Maximum range of execution time value";
      }
    } // container normal-mg-execution-time
    container mg-provisional-response-timer-value {
      presence "enable mg-provisional-response-timer-value";
      description "MG pending response time upon incomplete transaction.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "2000";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of timers value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "30000";
        description "Maximum range of timer value";
      }
    } // container mg-provisional-response-timer-value
    // Count of TransactionPending messages (no units statement), range 1-512.
    container mg-originated-pending-limit {
      presence "enable mg-originated-pending-limit";
      description "Max MG TransactionPendings num recieved.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
        default "4";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
        default "1";
        description "Minimum range of pending limit value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
512"; } } default "512"; description "Maximum range of pending limit value"; }
    } // container mg-originated-pending-limit
    // The three containers below are the controller-side (MGC) counterparts inside grouping
    // pgcp_h248_base_root_object, which opens before this span. Each is a
    // default/minimum/maximum triple; the "default" leaves carry no description statement.
    // The string arm of each union ("<.*>|$.*": text in angle brackets or starting with "$")
    // is accepted without the numeric range check.
    // NOTE(review): presumably a Junos placeholder syntax - confirm the device range-checks
    // the substituted value; also, nothing enforces minimum <= default <= maximum.
    container normal-mgc-execution-time {
      presence "enable normal-mgc-execution-time";
      description "MGC transaction response time expected by MG.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "500";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of execution time value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 29000"; } }
        units "milliseconds";
        default "29000";
        description "Maximum range of execution time value";
      }
    } // container normal-mgc-execution-time
    container mgc-provisional-response-timer-value {
      presence "enable mgc-provisional-response-timer-value";
      description "MGC pending response time upon incomplete transaction.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "4000";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of timers value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 30000"; } }
        units "milliseconds";
        default "30000";
        description "Maximum range of timers value";
      }
    } // container mgc-provisional-response-timer-value
    // Count of TransactionPending messages (no units statement), range 1-512.
    container mgc-originated-pending-limit {
      presence "enable mgc-originated-pending-limit";
      description "Max MGC TransactionPendings num recieved.";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
        default "4";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
        default "1";
        description "Minimum range of pending limit value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 512"; } }
        default "512";
        description "Maximum range of pending limit value";
      }
    } // container mgc-originated-pending-limit
  } // grouping pgcp_h248_base_root_object

  // Default DSCP marking and a flag to ignore the value signalled in H.248.
  // Leaf default is an unconstrained string (no pattern or length) with default "be".
  // NOTE(review): presumably a DSCP alias or code point - the schema does not validate it.
  grouping pgcp_h248_diffserv_object {
    uses apply-advanced;
    container dscp {
      presence "enable dscp";
      description "Differentiated Services Code Point (DSCP)";
      uses apply-advanced;
      leaf default {
        type string;
        default "be";
      }
      leaf ignore-signaled-value {
        type empty;
        description "Ignore property value appearing in H.248 signaling";
      }
    } // container dscp
  } // grouping pgcp_h248_diffserv_object

  // H.248 message segmentation: per direction, a timer for the remaining segments and a
  // maximum PDU size. Leaves here use int32 with positive ranges, where the other timer
  // groupings of this module use unsigned types. The grouping continues past this span.
  // PDU sizes range over 512-65507 bytes with default 1472.
  // NOTE(review): 65507 and 1472 match the largest UDP payload over IPv4 and over a
  // 1500-byte MTU (minus 28 bytes of headers); presumably intentional - confirm.
  grouping pgcp_h248_segmentation_object {
    uses apply-advanced;
    container mgc-segmentation-timer {
      presence "enable mgc-segmentation-timer";
      description "Time the MG waits for remaining segments from MGC";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "4000";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of timer value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "30000";
        description "Maximum range of timer value";
      }
    } // container mgc-segmentation-timer
    container mgc-maximum-pdu-size {
      presence "enable mgc-maximum-pdu-size";
      description "Maximum size of the MGC's incoming messages from MG";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 65507"; } }
        units "bytes";
        default "1472";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 65507"; } }
        units "bytes";
        default "512";
        description "Minimum range of pdu size value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 65507"; } }
        units "bytes";
        default "65507";
        description "Maximum range of pdu size value";
      }
    } // container mgc-maximum-pdu-size
    // NOTE(review): the description names the MGC twice; by symmetry with
    // mgc-segmentation-timer above it probably means "segments from MG" - verify.
    container mg-segmentation-timer {
      presence "enable mg-segmentation-timer";
      description "Time the MGC waits for remaining segments from MGC";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "4000";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "500";
        description "Minimum range of timer value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "500 .. 30000"; } }
        units "milliseconds";
        default "30000";
        description "Maximum range of timer value";
      }
    } // container mg-segmentation-timer
    container mg-maximum-pdu-size {
      presence "enable mg-maximum-pdu-size";
      description "Maximum size of the MG's incoming messages from MGC";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 65507"; } }
        units "bytes";
        default "1472";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 65507"; } }
        units "bytes";
        default "512";
        description "Minimum range of pdu size value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type int32 { range "512 .. 
65507"; } } units "bytes"; default "65507"; description "Maximum range of pdu size value"; }
    } // container mg-maximum-pdu-size
  } // grouping pgcp_h248_segmentation_object
  // (The lines above close a grouping that opens before this span.)

  // H.248 timers, all in milliseconds. Each leaf is a union of a ranged integer and a string
  // matching "<.*>|$.*" (text in angle brackets or starting with "$"); a matching string is
  // accepted without the range check.
  // NOTE(review): presumably a Junos placeholder syntax - confirm the device range-checks
  // the substituted value.
  grouping pgcp_h248_timers_object {
    uses apply-advanced;
    leaf maximum-waiting-delay {
      type union { type string { pattern "<.*>|$.*"; } type uint32 { range "100 .. 300000"; } }
      units "milliseconds";
      default "2000";
      description "Randomly determined delay before retraversing PGC list (MWD)";
    }
    // Default 25000 ms = 25 s before the controller is treated as down.
    leaf tmax-retransmission-delay {
      type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1000 .. 60000"; } }
      units "milliseconds";
      default "25000";
      description "Delay before PGC is considered down (T-MAX)";
    }
    leaf initial-average-ack-delay {
      type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 4000"; } }
      units "milliseconds";
      default "1000";
      description "Assumed initial average reply time (for retransmission rate) (I-AAD)";
    }
    leaf maximum-net-propagation-delay {
      type union { type string { pattern "<.*>|$.*"; } type uint16 { range "500 .. 10000"; } }
      units "milliseconds";
      default "5000";
      description "Worst case network propagation delay (M-NPD), used for calculating LONG-TIMER";
    }
  } // grouping pgcp_h248_timers_object

  // Traffic-management defaults per stream: sustained rate, peak rate and maximum burst
  // size, each a default/minimum/maximum triple plus an RTCP sub-setting.
  // The "maximum" defaults are written in hex: 0x7FFFFFFF is 2147483647, the top of the range.
  // NOTE(review): nothing in the schema enforces minimum <= default <= maximum.
  grouping pgcp_h248_traffic_management_object {
    uses apply-advanced;
    container sustained-data-rate {
      presence "enable sustained-data-rate";
      description "SDR permitted for the stream";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "10000";
        description "Default rate value";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "0";
        description "Minimum range of rate value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "0x7FFFFFFF";
        description "Maximum range of rate value";
      }
      container rtcp {
        presence "enable rtcp";
        description "Default rtcp rate";
        uses pgcp_h248_rtcp_rate_units_object;
      } // container rtcp
      leaf rtcp-include {
        type empty;
        description "TMAN SDR includes RTCP bandwidth";
      }
    } // container sustained-data-rate
    // Default peak rate is 0.
    // NOTE(review): presumably 0 means "no default peak limit" - the schema does not say.
    container peak-data-rate {
      presence "enable peak-data-rate";
      description "PDR permitted for the stream";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "0";
        description "Default rate value";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "0";
        description "Minimum range of rate value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } }
        units "bytes-per-second";
        default "0x7FFFFFFF";
        description "Maximum range of rate value";
      }
      container rtcp {
        presence "enable rtcp";
        description "Default rtcp rate";
        uses pgcp_h248_rtcp_rate_units_object;
      } // container rtcp
    } // container peak-data-rate
    // NOTE(review): a burst size is a quantity of bytes, yet the leaves below declare units
    // "bytes-per-second" and say "rate value"; this looks copied from the rate containers.
    container max-burst-size {
      presence "enable max-burst-size";
      description "MBS for the stream";
      uses apply-advanced;
      leaf default {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 2147483647"; } }
        units "bytes-per-second";
        default "1000";
        description "Default rate value";
      }
      leaf minimum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 2147483647"; } }
        units "bytes-per-second";
        default "20";
        description "Minimum range of rate value";
      }
      leaf maximum {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 2147483647"; } }
        units "bytes-per-second";
        default "0x7FFFFFFF";
        description "Maximum range of rate value";
      }
      container rtcp {
        presence "enable rtcp";
        description "Default rtcp rate";
        uses pgcp_h248_rtcp_burst_units_object;
      } // container rtcp
    } // container max-burst-size
  } // grouping pgcp_h248_traffic_management_object

  // RTCP burst setting: either a percentage of the RTP value (default 100) or a fixed value.
  // The percentage range is 0-1000, so values above 100 percent are accepted.
  grouping pgcp_h248_rtcp_burst_units_object {
    description "RTCP burst parameter settings";
    uses apply-advanced;
    choice values {
      leaf percentage {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1000"; } }
        units "percent";
        default "100";
        description "Value entered is percentage of RTP's parallel value";
      }
      leaf fixed-value {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "20 .. 2147483647"; } }
        units "bytes-per-second";
        description "Value entered is a fixed one";
      }
    } // choice values
  } // grouping pgcp_h248_rtcp_burst_units_object

  // RTCP rate setting: either a percentage of the RTP value (default 5) or a fixed value.
  // The percentage range is 0-1000, as in the burst grouping. Continues past this span.
  grouping pgcp_h248_rtcp_rate_units_object {
    description "RTCP rate parameter settings";
    uses apply-advanced;
    choice values {
      leaf percentage {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1000"; } }
        units "percent";
        default "5";
        description "Value entered is percentage of RTP's parallel value";
      }
      leaf fixed-value {
        type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
2147483647"; } } units "bytes-per-second"; description "Value entered is a fixed one"; }
    } // choice values
  } // grouping pgcp_h248_rtcp_rate_units_object
  // (The lines above close a grouping that opens before this span.)

  // Interim AH scheme for a gateway controller. The enumeration has a single value,
  // "hmac-null", whose description is "NULL authentication algorithm": the schema offers no
  // keyed algorithm here.
  // NOTE(review): enabling interim-ah-scheme should not be read as authenticating the
  // controller; confirm what does (e.g. an IPsec transport security association).
  grouping pgcp_interim_ah_scheme_object {
    uses apply-advanced;
    leaf algorithm {
      type enumeration {
        enum "hmac-null" { value 0; description "NULL authentication algorithm"; }
      }
      description "Define authentication algorithm";
    }
  } // grouping pgcp_interim_ah_scheme_object

  // A named media service bound to a NAT pool. Both names are limited to 1-63 characters of
  // letters, digits, "_" and "-", starting with a letter or digit; the nat-pool must already
  // exist under [services nat pool] (junos:must).
  grouping pgcp_media_service_object {
    description "One or more PGCP media service";
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Media Service name";
    }
    uses apply-advanced;
    leaf nat-pool {
      junos:must "("services nat pool $$")";
      junos:must-message "referenced nat pool must be defined";
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Pool name";
    }
  } // grouping pgcp_media_service_object

  // A PGCP rule: ties a gateway (which must be defined under [services pgcp gateway]) to
  // either the deprecated media-service list or a nat-pool list.
  // The gateway reference is only length-limited; it has no character pattern.
  grouping pgcp_rule_object {
    description "One or more PGCP rules";
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    leaf gateway {
      junos:must "("services pgcp gateway $$")";
      junos:must-message "referenced gateway must be defined";
      type string { length "1 .. 63"; }
      description "Gateway Name";
    }
    choice media-svc-nat-pool {
      list media-service {
        key "name";
        ordered-by user;
        status deprecated;
        uses pgcp_media_service_list_object;
      } // list media-service
      list nat-pool {
        key "name";
        ordered-by user;
        description "Define a NAT pool";
        uses nat_pool_list_object;
      } // list nat-pool
    } // choice media-svc-nat-pool
  } // grouping pgcp_rule_object

  // Key of the deprecated media-service list; the name must reference a media service
  // defined under [services pgcp media-service].
  grouping pgcp_media_service_list_object {
    description "One or more PGCP media service";
    leaf name {
      junos:must "("services pgcp media-service $$")";
      junos:must-message "referenced media service must be defined";
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
    }
  } // grouping pgcp_media_service_list_object

  // PGCP-wide session mirroring: up to 32 delivery functions and a flag that disables
  // mirroring.
  // NOTE(review): mirroring delivers copies of session packets to another host, so write
  // access to this subtree is worth restricting and auditing; the schema does not do that.
  grouping pgcp_session_mirroring_object {
    description "PGCP session mirroring properties";
    uses apply-advanced;
    list delivery-function {
      key "name";
      max-elements 32;
      ordered-by user;
      description "Interface for delivering mirrored packets";
      uses pgcp_delivery_function_object;
    } // list delivery-function
    leaf disable-session-mirroring {
      type empty;
      description "Disable PGCP session mirroring";
    }
  } // grouping pgcp_session_mirroring_object

  // One delivery function: the IPv4 destination and port for mirrored packets, a network
  // operator ID of exactly 5 characters, and the source address/port (described as the
  // network-element id and port).
  // NOTE(review): no leaf in this grouping selects encryption or authentication for the
  // mirrored stream, and destination-address has no junos:must; confirm how the path to the
  // delivery function is protected and who may change the destination.
  grouping pgcp_delivery_function_object {
    leaf name {
      type string { length "1 .. 63"; }
      description "Delivery function name";
    }
    uses apply-advanced;
    leaf destination-address {
      type jt:ipv4addr;
      description "Delivery function destination IP address";
    }
    leaf destination-port {
      type union { type uint16; type string { pattern "<.*>|$.*"; } }
      description "Delivery function destination port";
    }
    leaf network-operator-id {
      type string { length "5"; }
      description "Network operator ID";
    }
    leaf source-address {
      type jt:ipv4addr;
      description "Network-element-id";
    }
    leaf source-port {
      type union { type uint16; type string { pattern "<.*>|$.*"; } }
      description "Network-element-port";
    }
    // "managment" is misspelled in the node name itself; it is part of the configuration
    // path, so it cannot be corrected in a comment-only change.
    container memory-managment {
      presence "enable memory-managment";
      description "Measure memory usage";
      uses pgcp_debug_mem_mgmt_object;
    } // container memory-managment
  } // grouping pgcp_delivery_function_object

  // Memory-tracking mode. Per the enum descriptions, only "fast" leaves performance
  // unaffected; both tracking modes cost performance.
  grouping pgcp_debug_mem_mgmt_object {
    uses apply-advanced;
    leaf operational-mode {
      type enumeration {
        enum "fast" { value 0; description "Fast memory allocation [does not affect performance]"; }
        enum "type-tracking" { value 1; description "Track all allocation types [affects performance]"; }
        enum "location-tracking" { value 2; description "Track all allocation types and functions [affects performance]"; }
      }
      description "Memory managment operation mode";
    }
  } // grouping pgcp_debug_mem_mgmt_object

  // Virtual interface definition; the grouping continues past this span.
  // NOTE(review): the name pattern does not cover the whole 0-1023 range the message
  // promises. Its last alternative, "10[0-2][0-3]", matches only 1000-1003, 1010-1013 and
  // 1020-1023, so 1004-1009 and 1014-1019 are rejected.
  grouping pgcp_virtual_interface_object {
    description "One or more Virtual Interfaces";
    leaf name {
      type string {
        junos:posix-pattern "^[0-9]$|^[1-9][0-9]$|^[1-9][0-9]{1,2}$|^10[0-2][0-3]$";
        junos:pattern-message "The interface name must be a number in the range 0-1023";
        length "1 .. 
4"; } description "Virtual Interface Name"; } uses apply-advanced; leaf routing-instance { type string; default "inet.0"; description "Routing instance of server to which to forward"; } leaf service-state { type enumeration { enum "in-service" { value 0; description "Virtual Interface is operational"; } enum "out-of-service-forced" { value 1; description "Virtual Interface is nonoperational"; } enum "out-of-service-graceful" { value 2; description "Virtual Interface becomes nonoperational by draining"; } } default "in-service"; description "Service state"; } choice media-svc-nat-pool { list media-service { key "name"; ordered-by user; status deprecated; uses pgcp_media_service_list_object; } // list media-service list nat-pool { key "name"; ordered-by user; description "Define a NAT pool"; uses nat_pool_list_object; } // list nat-pool } // choice media-svc-nat-pool leaf interface { junos:must "("interfaces $$")"; junos:must-message "referenced interface must be defined"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } status deprecated; description "Interface name"; } } // grouping pgcp_virtual_interface_object grouping policy-object-type { uses apply-advanced; container traceoptions { description "Network Security Policy Tracing Options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; }
          }
          default "3";
          description "Maximum number of trace files";
        }
        // The two leaves are alternatives of one YANG choice, so at most one can
        // be set. world-readable lets any user read the trace file; the flags
        // below show it can hold configuration, rule and lookup events.
        // NOTE(review): prefer no-world-readable unless other local users need
        // the file.
        choice world-readable-choice {
          leaf world-readable {
            type empty;
            description "Allow any user to read the log file";
          }
          leaf no-world-readable {
            type empty;
            description "Don't allow any user to read the log file";
          }
        } // choice world-readable-choice
        leaf match {
          type jt:regular-expression;
          description "Regular expression for lines to be logged";
        }
      } // container file
      // Event classes to trace; "all" is a separate enum value (6), not a bitmask.
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "configuration" {
              value 0;
              description "Trace configuration events";
            }
            enum "routing-socket" {
              value 1;
              description "Trace routing socket events";
            }
            enum "compilation" {
              value 2;
              description "Policy compilation events";
            }
            enum "ipc" {
              value 3;
              description "Inter-process communication events";
            }
            enum "rules" {
              value 4;
              description "Policy rules related events";
            }
            enum "lookup" {
              value 5;
              description "Policy lookup events";
            }
            enum "all" {
              value 6;
              description "Trace everything";
            }
          }
        }
      } // list flag
    } // container traceoptions
    // Zone-to-zone policy context, keyed by the (from-zone-name, to-zone-name)
    // pair. Each junos:must below requires the named security zone to exist and
    // checks two relative paths of different depth.
    list policy {
      key "from-zone-name to-zone-name";
      ordered-by user;
      description "Define a policy context from this zone";
      leaf from-zone-name {
        junos:must "((".. .. .. .. security zones security-zone $$" || ".. .. .. .. .. security zones security-zone $$"))";
        junos:must-message "Security zone must be defined";
        type string {
          length "1 .. 63";
        }
        description "Source zone";
      }
      leaf to-zone-name {
        junos:must "((".. .. .. .. security zones security-zone $$" || ".. .. .. .. .. security zones security-zone $$"))";
        junos:must-message "Security zone must be defined";
        type string {
          length "1 .. 
63"; }
        description "Destination zone";
      }
      uses apply-advanced;
      // Policies inside one zone pair. ordered-by user keeps the entries in the
      // order they were entered.
      // NOTE(review): presumably that order is also the evaluation order, so a
      // reorder can change which policy a flow hits -- confirm.
      list policy {
        key "name";
        ordered-by user;
        description "Define security policy in specified zone-to-zone direction";
        uses policy_type;
      } // list policy
      container application-services {
        description "Application Services";
        uses context_application_services_type;
      } // container application-services
    } // list policy
    // Global context: the same policy_type entries, without a zone-pair key.
    container global {
      description "Define a global policy context";
      uses apply-advanced;
      list policy {
        key "name";
        ordered-by user;
        description "Define security policy in global context";
        uses policy_type;
      } // list policy
    } // container global
    // Named policy sets for the tunnel-inspection context.
    list policy-set {
      key "name";
      ordered-by user;
      description "Define a policy context for tunnel-inspection";
      leaf name {
        type string {
          length "1 .. 63";
        }
        description "Policy-set name";
      }
      uses apply-advanced;
      list policy {
        key "name";
        ordered-by user;
        description "Define security policy in tunnel-inspection context";
        uses policy_type;
      } // list policy
    } // list policy-set
    // Action for traffic that matches no user-defined policy. The schema default
    // is deny-all; permit-all passes every flow that no policy matches.
    // NOTE(review): treat any configuration that sets permit-all as an explicit
    // exception that needs a stated reason.
    container default-policy {
      description "Configure default action when no user-defined policy match";
      uses apply-advanced;
      leaf default-action {
        type enumeration {
          enum "permit-all" {
            value 0;
            description "Permit all traffic if no policy match";
          }
          enum "deny-all" {
            value 1;
            description "Deny all traffic if no policy match";
          }
        }
        default "deny-all";
        description "Default action";
      }
      leaf log-profile {
        // The referenced profile has to exist under [security log profile].
        junos:must "("security log profile $$")";
        junos:must-message "RTLOG profile must be defined under [security log profile]";
        type string;
        description "Rtlog profile";
      }
    } // container default-policy
    // Presence container: re-evaluates the policy when it changes, per the
    // description. What "extensive" adds is not stated here.
    container policy-rematch {
      presence "enable policy-rematch";
      description "Re-evaluate the policy when changed";
      leaf extensive {
        type empty;
        description "Perform policy extensive rematch";
      }
    } // container policy-rematch
    container policy-stats {
      presence "enable policy-stats";
      description "Parameters for policy statistics";
      uses apply-advanced;
      leaf system-wide {
        type enumeration {
          enum "enable" {
            value 0; 
description "Enable policy system-wide statistics"; } enum "disable" { value 1; description "Disable policy system-wide statistics"; } } description "Enable/Disable system-wide policy statistics"; } } // container policy-stats container pre-id-default-policy { description "Configure default policy action before dynamic application is finally identified"; uses apply-advanced; container then { description "Specify policy action to take when packet match criteria"; uses apply-advanced; container log { description "Enable log"; uses log_type; } // container log container session-timeout { description "Session timeout"; uses session_timeout_type; } // container session-timeout } // container then } // container pre-id-default-policy container unified-policy { description "Unified policies lookup limitations"; uses apply-advanced; leaf max-lookups { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Max lookup times upon micro-app transaction finals"; } } // container unified-policy container dns-cache { description "Define security policy dns-cache behaviors"; uses apply-advanced; container error-response-delete-ip { presence "enable error-response-delete-ip"; description "Clear DNS cache entry IP on error DNS response"; uses apply-advanced; leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5 .. 86400"; } } units "seconds"; default "300"; description "Interval between deleting IP and resending DNS requests"; } } // container error-response-delete-ip } // container dns-cache list stateful-firewall-rule { key "name"; ordered-by user; description "Define a stateful-firewall-rule"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
63"; } description "Stateful-firewall-rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } enum "input-output" { value 2; description "Match on input to or output from interface"; } } description "Direction for which the rule match is applied"; } list policy { key "name"; ordered-by user; description "Define a stateful-firewall policy"; uses policy_type; } // list policy } // list stateful-firewall-rule list stateful-firewall-rule-set { key "name"; ordered-by user; description "Defines a set of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Name of the stateful firewall rule set"; } uses apply-advanced; list stateful-firewall-rule { key "name"; ordered-by user; description "Rule to be included in this stateful firewall rule set"; leaf name { junos:must "("services policies stateful-firewall-rule $$")"; junos:must-message "Undefined stateful-firewall-rule. 
Rule must be configured under policies"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes, underscores, forward slashes, colons and dots."; } description "Stateful-firewall-rule name"; } uses apply-advanced; } // list stateful-firewall-rule } // list stateful-firewall-rule-set } // grouping policy-object-type grouping context_application_services_type { uses apply-advanced; leaf security-metadata-streaming-policy { junos:must "("services security-metadata-streaming policy $$")"; junos:must-message "security-metadata-streaming policy must be defined"; type string { length "1 .. 63"; } description "Specify security-metadata-streaming-policy"; } } // grouping context_application_services_type grouping log_type { uses apply-advanced; leaf session-init { type empty; description "Log at session init time"; } leaf session-close { type empty; description "Log at session close time"; } leaf session-update { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1440"; } } units "minutes"; default "0"; description "Log with specified interval (0 to disable this log)"; } leaf sfw { type empty; description "Display Stateful-fire-wall SYSLOGs"; } leaf profile { junos:must "("security log profile $$ stream-name")"; junos:must-message "RTLOG profile with stream must be defined under [security log profile]"; type string; description "Name of rtlog profile"; } } // grouping log_type grouping policy_type { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Security policy name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of policy"; } container match { description "Specify security policy match-criteria"; uses apply-advanced; choice source-address_choice { leaf-list source-address { type string; ordered-by user; } } // choice source-address_choice choice destination-address_choice { leaf-list destination-address { type string; ordered-by user; } } // choice destination-address_choice leaf source-address-excluded { type empty; description "Exclude source addresses"; } leaf destination-address-excluded { type empty; description "Exclude destination addresses"; } choice application_type_choice { leaf-list application { type string; ordered-by user; } } // choice application_type_choice choice source_identity_choice { leaf-list source-identity { type string; ordered-by user; } } // choice source_identity_choice choice source_identity_feed_choice { leaf-list source-identity-feed { type string { length "1 .. 64"; } ordered-by user; description "Specify source-identity-feed name from list to match"; } } // choice source_identity_feed_choice choice destination_identity_feed_choice { leaf-list destination-identity-feed { type string { length "1 .. 
64"; } ordered-by user; description "Specify destination-identity-feed name from list to match"; } } // choice destination_identity_feed_choice choice source_end_user_profile_choice { container source-end-user-profile { description "Match source end user profile"; uses match_source_end_user_profile_value; } // container source-end-user-profile } // choice source_end_user_profile_choice choice dynamic_application_type_choice { leaf-list dynamic-application { type string; ordered-by user; } } // choice dynamic_application_type_choice choice url_category_type_choice { leaf-list url-category { type string; ordered-by user; } } // choice url_category_type_choice choice from_zone_choice { leaf-list from-zone { type string; ordered-by user; } } // choice from_zone_choice choice to_zone_choice { leaf-list to-zone { type string; ordered-by user; } } // choice to_zone_choice choice source_vrf_choice { leaf-list source-l3vpn-vrf-group { junos:must "("security l3vpn vrf-group $$")"; junos:must-message "referenced vrf-group must configured"; type string; ordered-by user; description "L3VPN group name"; } } // choice source_vrf_choice choice dst_vrf_choice { leaf-list destination-l3vpn-vrf-group { junos:must "("security l3vpn vrf-group $$")"; junos:must-message "referenced vrf-group must configured"; type string; ordered-by user; description "L3VPN group name"; } } // choice dst_vrf_choice } // container match container then { description "Specify policy action to take when packet match criteria"; uses apply-advanced; choice action { container deny { presence "enable deny"; description "Deny packets"; uses apply-advanced; container application-services { description "Application Services"; uses apply-advanced; container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // container application-services } // container deny container reject { presence "enable reject"; description 
"Reject packets"; uses apply-advanced; leaf profile { junos:must "("security dynamic-application profile $$")"; junos:must-message "Dynamic-application profile must be defined"; type string; description "Profile for redirect HTTP/S traffic"; } container ssl-proxy { presence "enable ssl-proxy"; description "SSL proxy services"; uses apply-advanced; leaf profile-name { junos:must "("services ssl proxy profile $$")"; junos:must-message "Referenced SSL proxy profile is not defined"; type string; description "Specify SSL proxy service profile name"; } } // container ssl-proxy container application-services { description "Application Services"; uses apply-advanced; container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // container application-services } // container reject container permit { presence "enable permit"; description "Permit packets"; uses apply-advanced; container tunnel { junos:must "(!(".. .. .. match dynamic-application"))"; junos:must-message "Tunnel and dynamic-application can't be applied to same policy"; description "Tunnel packets"; uses tunnel_type; } // container tunnel container firewall-authentication { description "Enable authentication for this policy if permit or tunnel"; uses firewall_authentication_type; } // container firewall-authentication container destination-address { presence "enable destination-address"; description "Enable destination address translation"; uses destination_nat_enable_type; } // container destination-address container application-services { description "Application Services"; uses application_services_type; } // container application-services container tunnel-inspection { description "Enable tunnel inspection"; uses apply-advanced; leaf profile-name { junos:must "((".. .. .. .. .. .. .. security tunnel-inspection inspection-profile $$" || " .. .. .. .. .. .. .. .. 
security tunnel-inspection inspection-profile $$"))"; junos:must-message "tunnel-inspection profile must be configured"; type string { length "1 .. 63"; } description "Tunnel inspection profile"; } } // container tunnel-inspection container tcp-options { description "Transmission Control Protocol session configuration"; uses apply-advanced; leaf syn-check-required { type empty; description "Enable per policy SYN-flag check"; } leaf sequence-check-required { type empty; description "Enable per policy sequence-number checking"; } leaf initial-tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "Override MSS value for initial direction"; } leaf reverse-tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 65535"; } } description "Override MSS value for reverse direction"; } leaf window-scale { type empty; description "Enable per policy window-scale"; } } // container tcp-options leaf services-offload { type empty; description "Enable services offloading"; } leaf no-services-offload { type empty; description "Disenable services offloading"; } leaf advanced-connection-tracking { type empty; description "Lookup advanced-connection-tracking table on to-zone"; } } // container permit } // choice action container log { description "Enable log"; uses log_type; } // container log container count { presence "enable count"; description "Enable count"; uses count_type; } // container count } // container then leaf scheduler-name { junos:must "("schedulers scheduler $$")"; junos:must-message "scheduler must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of scheduler"; } leaf report-skip { type empty; description "Skip report for this policy"; } } // grouping policy_type grouping application_services_type { description "Application Services"; uses apply-advanced; leaf gtp-profile { junos:must "(!(".. .. .. .. match dynamic-application"))"; junos:must-message "gtp and dynamic-application can't be applied to same policy"; junos:must "("security gtp profile $$")"; junos:must-message "gtp profile must be defined"; type string { length "1 .. 63"; } description "Specify GPRS Tunneling Protocol profile name"; } leaf sctp-profile { junos:must "(!(".. .. .. .. match dynamic-application"))"; junos:must-message "sctp and dynamic-application can't be applied to same policy"; junos:must "("security sctp profile $$")"; junos:must-message "sctp profile must be defined"; type string { length "1 .. 63"; } description "Specify Stream Control Protocol profile name"; } leaf idp { type empty; description "Intrusion detection and prevention"; } leaf packet-capture { junos:must "(".. .. .. .. match dynamic-application junos:UNKNOWN")"; junos:must-message "packet-capture action requires dynamic application junos:UNKNOWN in policy"; type empty; description "Capturing traffic related to this policy"; } leaf idp-policy { type string { length "1 .. 
255"; } description "Specify idp policy name"; } container ssl-proxy { presence "enable ssl-proxy"; description "SSL proxy services"; uses apply-advanced; leaf profile-name { junos:must "("services ssl proxy profile $$")"; junos:must-message "Referenced SSL proxy profile is not defined"; type string; description "Specify SSL proxy service profile name"; } } // container ssl-proxy container web-proxy { presence "enable web-proxy"; description "Web proxy services"; uses apply-advanced; leaf profile-name { junos:must "(("services web-proxy secure-proxy profile $$" || "services web-proxy proxy-auto-configuration profile $$"))"; junos:must-message "Referenced Web proxy profile is not defined"; type string; description "Specify Web proxy service profile name"; } } // container web-proxy container uac-policy { presence "enable uac-policy"; description "Enable unified access control enforcement of policy"; uses apply-advanced; leaf captive-portal { junos:must "("services unified-access-control captive-portal $$")"; junos:must-message "Captive portal policy must be defined"; type string { length "1 .. 128"; } } } // container uac-policy leaf utm-policy { junos:must "("security utm utm-policy $$")"; junos:must-message "utm-policy must be defined"; type string { length "1 .. 255"; } description "Specify utm policy name"; } leaf icap-redirect { junos:must "("services icap-redirect profile $$")"; junos:must-message "icap-redirect profile must be defined"; type string { length "1 .. 63"; } description "Specify icap redirect profile name"; } container application-firewall { junos:must "((!(".. .. .. .. match dynamic-application") || (".. .. .. .. match dynamic-application" && ".. .. .. .. 
match dynamic-application none")))"; junos:must-message "Traditional AppFW and dynamic-application can't be applied to same policy"; status deprecated; description "Application firewall services"; uses jsf_service_rule_set_type; } // container application-firewall container application-traffic-control { description "Application traffic control services"; uses jsf_application_traffic_control_rule_set_type; } // container application-traffic-control choice wx-redirection { leaf redirect-wx { type empty; description "Set WX redirection"; } leaf reverse-redirect-wx { type empty; description "Set WX reverse redirection"; } } // choice wx-redirection leaf security-intelligence-policy { junos:must "("services security-intelligence policy $$")"; junos:must-message "security-intelligence policy must be defined"; type string { length "1 .. 255"; } description "Specify security-intelligence policy name"; } leaf advanced-anti-malware-policy { junos:must "("services advanced-anti-malware policy $$")"; junos:must-message "advanced-anti-malware policy must be defined"; type string { length "1 .. 255"; } description "Specify advanced-anti-malware policy name"; } container security-intelligence { description "Generate security intellegence feeds"; uses security_intelligence_feeds; } // container security-intelligence } // grouping application_services_type grouping count_type { uses apply-advanced; } // grouping count_type grouping destination_nat_enable_type { description "Enable Destination NAT"; uses apply-advanced; choice destination_nat { leaf drop-translated { type empty; description "Drop the policy if NAT translated"; } leaf drop-untranslated { type empty; description "Drop the policy if NAT untranslated"; } } // choice destination_nat } // grouping destination_nat_enable_type grouping firewall_authentication_type { uses apply-advanced; choice auth-type { container pass-through { junos:must "((".. .. .. .. .. .. .. access firewall-authentication pass-through" || ".. .. .. 
.. .. .. .. .. access firewall-authentication pass-through"))";
        // The must-message states the constraint being enforced: [access
        // firewall-authentication pass-through] has to be configured before this
        // container can be used.
        junos:must-message "access firewall-authentication pass-through must be configured";
        presence "enable pass-through";
        description "Pass-through firewall authentication settings";
        uses apply-advanced;
        leaf access-profile {
          // Accepts a profile defined under [access profile], or one found via the
          // longer relative path, provided disable-tenant-access is not set there.
          junos:must "(("access profile $$" || (".. .. .. .. .. .. .. .. .. .. access profile $$" && !(".. .. .. .. .. .. .. .. .. .. access disable-tenant-access"))))";
          junos:must-message "access-profile must be defined or access to profile is disabled for tenants";
          type string {
            length "1 .. 63";
          }
          description "Specify access profile name";
        }
        leaf-list client-match {
          type string {
            length "1 .. 63";
          }
          ordered-by user;
          description "Name of user or group to match";
        }
        // Both leaves act on unauthenticated HTTP requests and differ only in the
        // target: the device's internal web server or its internal HTTPS server.
        // NOTE(review): if the redirect target collects credentials, the HTTPS
        // variant is the one that keeps them off a cleartext channel -- confirm
        // against the device documentation.
        leaf web-redirect {
          type empty;
          description "Redirect unauthenticated HTTP requests to the device's internal web server";
        }
        leaf web-redirect-to-https {
          type empty;
          description "Redirect unauthenticated HTTP requests to the device's internal HTTPS web server";
        }
        leaf web-authentication-server {
          type string {
            length "1 .. 128";
          }
          description "Firewall web authentication server";
        }
        leaf ssl-termination-profile {
          // NOTE(review): unlike access-profile, this leaf has no junos:must, so
          // the schema does not check that the named profile exists.
          type string {
            length "1 .. 63";
          }
          description "Specify SSL termination profile used to the SSL offload";
        }
        // NOTE(review): auth-only-browser and auth-user-agent presumably key on
        // the HTTP User-Agent header, which the client chooses; they narrow which
        // traffic gets an authentication prompt and are not an identity check --
        // confirm.
        leaf auth-only-browser {
          type empty;
          description "Authenticate only browser traffic";
        }
        list auth-user-agent {
          key "name";
          ordered-by user;
          description "Authenticate HTTP traffic with specified user agent";
          leaf name {
            // The user-agent string is limited to 16 characters.
            type string {
              length "1 .. 16";
            }
            description "Authenticate HTTP traffic with specified user agent";
          }
          uses apply-advanced;
        } // list auth-user-agent
      } // container pass-through
      container web-authentication {
        junos:must "((".. .. .. .. .. .. .. access firewall-authentication web-authentication" || ".. .. .. .. .. .. .. .. 
access firewall-authentication web-authentication"))"; junos:must-message "access firewall-authentication web-authentication must be configured"; presence "enable web-authentication"; description "Web-authentication settings"; uses apply-advanced; leaf-list client-match { type string { length "1 .. 63"; } ordered-by user; description "Name of user or group to match"; } } // container web-authentication container user-firewall { description "User-firewall firewall authentication settings"; uses apply-advanced; leaf access-profile { junos:must "(("access profile $$" || (".. .. .. .. .. .. .. .. .. .. access profile $$" && !(".. .. .. .. .. .. .. .. .. .. access disable-tenant-access"))))"; junos:must-message "access-profile must be defined or access to profile is disabled for tenants"; type string { length "1 .. 63"; } description "Specify access profile name"; } leaf web-redirect { type empty; description "Redirect unauthenticated HTTP req to web server"; } leaf web-redirect-to-https { type empty; description "Redirect unauthenticated HTTP req to HTTPS web server"; } leaf web-authentication-server { type string { length "1 .. 128"; } description "Firewall web authentication server"; } leaf ssl-termination-profile { type string { length "1 .. 63"; } description "Specify SSL termination profile used to the SSL offload"; } leaf auth-only-browser { type empty; description "Authenticate only browser traffic"; } list auth-user-agent { key "name"; ordered-by user; description "Authenticate HTTP traffic with specified user agent"; leaf name { type string { length "1 .. 16"; } description "Authenticate HTTP traffic with specified user agent"; } uses apply-advanced; } // list auth-user-agent leaf domain { type string { length "1 .. 
64"; } description "Specify domain name"; } } // container user-firewall } // choice auth-type leaf push-to-identity-management { type empty; description "Push auth entry to identity management server"; } } // grouping firewall_authentication_type grouping jsf_application_traffic_control_rule_set_type { description "Define service application traffic rule-set reference"; uses apply-advanced; leaf rule-set { junos:must "("class-of-service application-traffic-control rule-sets $$")"; junos:must-message "rule-set must be defined"; type string { length "1 .. 64"; } description "Service rule-set name"; } } // grouping jsf_application_traffic_control_rule_set_type grouping jsf_service_rule_set_type { description "Define service rule set reference"; uses apply-advanced; leaf rule-set { junos:must "("security application-firewall rule-sets $$")"; junos:must-message "rule set must be defined"; type string { length "1 .. 64"; } description "Service rule set name"; } } // grouping jsf_service_rule_set_type grouping match_source_end_user_profile_value { uses apply-advanced; leaf source-end-user-profile-name { junos:must "((".. .. .. .. .. .. services user-identification device-information end-user-profile profile-name $$" || ".. .. .. .. .. .. .. services user-identification device-information end-user-profile profile-name $$"))"; junos:must-message "Services user-identification device-information end-user-profile profile-name must be defined"; type string; description "Specify source-end-user-profile name from list to match"; } } // grouping match_source_end_user_profile_value grouping proxy-profile-setting { description "Proxy profile settings"; leaf name { type string { length "1 .. 64"; } description "Proxy profile name"; } uses apply-advanced; container protocol { description "Protocol level proxy setting"; uses apply-advanced; container http { description "HTTP proxy setting"; uses apply-advanced; leaf host { type string { length "1 .. 
256"; }
          description "Proxy server name or IP address";
        }
        leaf port {
          // NOTE(review): the uint16 range starts at 0, so the schema accepts
          // port 0. The default is 3128.
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint16 {
              range "0 .. 65535";
            }
          }
          default "3128";
          description "Proxy server port";
        }
      } // container http
    } // container protocol
  } // grouping proxy-profile-setting
  // IPv4 address range: the list key "name" is the lower bound and to/range-high
  // the upper bound.
  // NOTE(review): the description on container "to" says "Port range upper limit"
  // although its only leaf is an IPv4 address, and nothing in the schema requires
  // range-high to be at or above name.
  grouping range-address-type {
    description "Range address";
    leaf name {
      type jt:ipv4addr;
      description "Lower limit of address range";
    }
    uses apply-advanced;
    container to {
      description "Port range upper limit";
      uses apply-advanced;
      leaf range-high {
        type jt:ipv4addr;
        description "Upper limit of address range";
      }
    } // container to
  } // grouping range-address-type
  // Registration policy: an ordered list of up to 20 terms, each with an optional
  // "from" match and "then" action (both presence containers).
  grouping registration_policy_type {
    leaf name {
      // Unlike most name leaves in this module, no length or pattern is set here.
      type string;
      description "Policy name";
    }
    uses apply-advanced;
    list term {
      key "name";
      max-elements 20;
      ordered-by user;
      description "Term definition";
      leaf name {
        type string;
        description "Term name";
      }
      uses apply-advanced;
      container from {
        presence "enable from";
        description "From action";
        uses new_transaction_from_type;
      } // container from
      container then {
        presence "enable then";
        description "Action";
        uses new_registration_then_type;
      } // container then
    } // list term
  } // grouping registration_policy_type
  // The only action defined for a registration term is NAT traversal.
  grouping new_registration_then_type {
    uses apply-advanced;
    container nat-traversal {
      description "How to traverse NAT devices";
      uses nat_traversal_action;
    } // container nat-traversal
  } // grouping new_registration_then_type
  // NAT traversal settings: when to apply it, plus keepalive and registration
  // timers.
  grouping nat_traversal_action {
    uses apply-advanced;
    leaf nat-traversal-strategy {
      // No default is declared for this leaf.
      type enumeration {
        enum "never" {
          value 0;
          description "Never perform NAT traversal";
        }
        enum "always" {
          value 1;
          description "Always perform NAT traversal";
        }
        enum "by-via" {
          value 2;
          description "Perform NAT traversal only if transport source address does not match VIA header";
        }
      }
      description "Choose when to perform NAT traversal";
    }
    leaf keepalive-interval {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "15 .. 
86400"; } } units "seconds"; default "45"; description "Keepalive interval"; } leaf minimum-registration-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 86400"; } } units "seconds"; default "1"; description "Minimum registration interval allowed in register packet"; } container keepalive-mechanisms { description "A prioritized list of keepalive mechanisms"; uses apply-advanced; leaf register-fast-expiration { type empty; description "Reduce the expiration interval in REGISTER responses"; } } // container keepalive-mechanisms } // grouping nat_traversal_action grouping new_transaction_from_type { uses apply-advanced; leaf-list source-address { type jt:ipaddr; max-elements 5; ordered-by user; description "Source addresses and masks"; } list method { key "name"; ordered-by user; description "Methods"; uses transaction-method-type; } // list method container request-uri { description "Request URI field"; leaf-list regular-expression { type jt:regular-expression; max-elements 5; ordered-by user; description "Regular expression matched on incoming Request-URI"; } leaf registration-state { type enumeration { enum "registered" { value 0; } enum "not-registered" { value 1; } } description "Registration state"; } leaf uri-hiding { type enumeration { enum "hidden-uri" { value 0; } enum "not-hidden-uri" { value 1; } } description "URI hidden"; } } // container request-uri container contact { description "Contact field"; leaf-list regular-expression { type jt:regular-expression; max-elements 5; ordered-by user; description "Regular expression matched on incoming contact"; } leaf registration-state { type enumeration { enum "registered" { value 0; } enum "not-registered" { value 1; } } description "Registration state"; } leaf uri-hiding { type enumeration { enum "hidden-uri" { value 0; } enum "not-hidden-uri" { value 1; } } description "URI hidden"; } } // container contact } // grouping new_transaction_from_type grouping rmopd-traceoptions 
{ description "Trace options for remote-monitoring"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "ipc" { value 1; description "Trace ipc messages"; } enum "ppm" { value 2; description "Trace ppm"; } enum "rpd" { value 3; description "Trace rpd events"; } enum "info" { value 
4; description "Trace info events"; } enum "statistics" { value 5; description "Trace statistics"; } enum "error" { value 6; description "Trace events related to catastrophic errors in daemon"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping rmopd-traceoptions grouping rmps-clnt-traceoptions-type { description "Trace options for Resource Management and Packet Steering Client"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Resource Management Packet Steering Client to trace"; leaf name { type enumeration { enum "infra" { value 0; description "Trace FSM and Infra code"; } enum "memory" { value 1; description "Trace Memory Management Code"; } enum "communication" { value 2; description "Trace IPC code"; } enum "resource-tables" { value 3; description "Trace Resource Table Code"; } enum "info-tables" { value 4; description "Trace Information Table Code"; } enum "redundancy" { value 5; description "Trace GRES Code"; } enum "all" { value 6; description "Trace All Resource Client Code"; } } } } // list flag } // grouping rmps-clnt-traceoptions-type grouping rmpsd-traceoptions-type { description "Trace options for Resource Management and Packet Steering Daemon"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description 
"Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Resource Management Packet Steering Area to trace"; leaf name { type enumeration { enum "config" { value 0; description "Trace configuration code"; } enum "gres" { value 1; description "Trace GRES code"; } enum "init" { value 2; description "Trace initialization code"; } enum "memory" { value 3; description "Trace memory management code"; } enum "communication" { value 4; description "Trace Infra code"; } enum "license-management" { value 5; description "Trace license management code"; } enum "signal" { value 6; description "Trace signal handling code"; } enum "state" { value 7; description "Trace state 
handling code"; } enum "timer" { value 8; description "Trace timer code"; } enum "ui" { value 9; description "Trace user interface code"; } enum "resource-manager" { value 10; description "Trace Resource Management Code"; } enum "info-manager" { value 11; description "Trace Information Management Code"; } enum "packet-steering" { value 12; description "Trace packet-steering code"; } enum "all" { value 13; description "Trace all areas of code"; } } } } // list flag } // grouping rmpsd-traceoptions-type grouping routing-destinations { uses apply-advanced; leaf default-availability-check-profile { type string { length "1 .. 256"; } description "Profile that will be used if no other profile was attached to a server"; } list availability-check-profiles { key "name"; max-elements 100; ordered-by user; description "Definitions of servers availability check profiles"; uses availability-check-profile; } // list availability-check-profiles list servers { key "name"; max-elements 5000; ordered-by user; description "Servers definitions"; uses routing-destination-server; } // list servers list clusters { key "name"; max-elements 1000; ordered-by user; description "Clusters definitions"; uses routing-destination-cluster; } // list clusters } // grouping routing-destinations grouping availability-check-profile { leaf name { type string { length "1 .. 
256"; } } uses apply-advanced; container keepalive-method { description "How will availability check be done"; choice ping-method { leaf sip-options { type empty; description "Check availability by sending a SIP OPTIONS message"; } } // choice ping-method } // container keepalive-method container keepalive-strategy { presence "enable keepalive-strategy"; description "When will the server be checked for availability"; choice keepalive-strategy { container send-always { presence "enable send-always"; description "Always check the server availability"; uses apply-advanced; leaf failures-before-unavailable { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } default "1"; description "A server is assumed to be unavailable when a keepalive message was not answered this number of times"; } leaf successes-before-available { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } default "1"; description "A server is assumed to be available when a keepalive message was successfully answered this number of times"; } } // container send-always container send-when-unavailable { presence "enable send-when-unavailable"; description "Check the server availability only when it is marked as unavailable"; leaf successes-before-available { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } default "1"; description "A server is assumed to be available when a keepalive message was successfully answered this number of times"; } } // container send-when-unavailable container do-not-send { presence "enable do-not-send"; description "Never perform availability checks of the server"; leaf blackout-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
86400"; } } units "seconds"; default "600"; description "Time a server will be considered unavailable"; } } // container do-not-send } // choice keepalive-strategy } // container keepalive-strategy container keepalive-interval { description "How often should the server be checked for availability"; uses apply-advanced; leaf available-server { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 86400"; } } units "seconds"; default "32"; description "How often should a server that is marked as available be checked for availability"; } leaf unavailable-server { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 86400"; } } units "seconds"; default "32"; description "How often should a server that is marked as unavailable be checked for availability"; } } // container keepalive-interval leaf transaction-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 32"; } } units "seconds"; default "32"; description "A server is assumed to be unavailable when a keepalive message was not answered in this time"; } } // grouping availability-check-profile grouping routing-destination-cluster { leaf name { type string { length "1 .. 256"; } } uses apply-advanced; list server { key "name"; max-elements 25; ordered-by user; leaf name { junos:must "("services border-signaling-gateway gateway ${gateway} sip routing-destinations servers $$")"; junos:must-message "Referenced server must be defined"; type string { length "1 .. 256"; } description "Server name"; } uses apply-advanced; leaf priority { type union { type uint16; type string { pattern "<.*>|$.*"; } } default "1"; description "Defines the redundancy order"; } leaf weight { type union { type uint16; type string { pattern "<.*>|$.*"; } } default "1"; description "Defines the load balancing ratio"; } } // list server } // grouping routing-destination-cluster grouping routing-destination-server { leaf name { type string { length "1 .. 
256"; } } uses apply-advanced; container address { presence "enable address"; description "Server's address"; uses routing-destination-address; } // container address leaf service-point { junos:must "("services border-signaling-gateway gateway ${gateway} service-point $$")"; junos:must-message "Referenced egress-service-point must be defined"; type string; description "Exit point"; } leaf admission-control { junos:must "("services border-signaling-gateway gateway ${gateway} admission-control $$")"; junos:must-message "Referenced admission control profile must be defined"; type string; description "Admission control profile for the server"; } leaf availability-check-profile { junos:must "("services border-signaling-gateway gateway ${gateway} sip routing-destinations availability-check-profiles $$")"; junos:must-message "Referenced availability check profile must be defined"; type string { length "1 .. 256"; } description "Availability check profile for the server"; } } // grouping routing-destination-server grouping routing-destination-address { leaf ip4-address { type jt:ipaddr; description "IP address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "5060"; description "Port number"; } container transport-protocol { description "Transport protocol"; uses transport_protocol; } // container transport-protocol } // grouping routing-destination-address grouping saegw-names { description "SAE gateway name"; leaf name { junos:must "(".. system anchor-pfes interface")"; junos:must-message "system anchor-pfes interface must be defined"; junos:must "(".. access-network-peers")"; junos:must-message "access-network-peers must be defined"; junos:must "(".. control-plane-peers")"; junos:must-message "control-plane-peers must be defined"; type string { length "1 .. 
64"; } description "SAE gateway Name"; } uses apply-advanced; container system { presence "enable system"; description "System resource configuration"; uses apply-advanced; container anchor-pfes { presence "enable anchor-pfes"; uses anchor-pfes-type; } // container anchor-pfes } // container system container control-plane-peers { description "Control plane peers"; uses apply-advanced; leaf-list local-address { type jt:ipaddr; max-elements 1; ordered-by user; description "IPv6 or IPv4 or both addresses of the local end of the PFCP connection"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Local routing instance of the PFCP"; } leaf heartbeat-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 255"; } } units "seconds"; description "Time between two successive heartbeat requests"; } leaf path-management { type enumeration { enum "enable" { value 0; description "Enable parameter"; } enum "disable" { value 1; description "Disable parameter"; } } description "Enable/disable origination of heartbeat message requests to control peers"; } leaf n3-requests { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } description "Number of retries of PFCP request messages upon t3-response timeout"; } leaf t3-response { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } units "seconds"; description "Waiting time of gateway before retrying a PFCP signaling-request upon response timeout"; } leaf response-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
255"; } } units "seconds"; description "Configure the timeout for the PFCP response cache"; } container apn-services { description "Access point name services name"; uses apply-advanced; list apns { key "name"; max-elements 512; ordered-by user; uses apn-services-names; } // list apns } // container apn-services list peer-groups { key "name"; max-elements 256; ordered-by user; description "Peer groups name"; uses control-peer-groups; } // list peer-groups } // container control-plane-peers container access-network-peers { description "Data plane peers"; uses apply-advanced; leaf-list local-address { type jt:ipv4addr; max-elements 1; ordered-by user; description "IPv4 address of the local end of the GTP-U connection"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Local routing instance of the GTP-U"; } leaf echo-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 255"; } } units "seconds"; description "Time between origination of two successive echo requests"; } leaf path-management { type enumeration { enum "enable" { value 0; description "Enable parameter"; } enum "disable" { value 1; description "Disable parameter"; } } description "Enable/disable origination of echo requests to access peers"; } leaf n3-requests { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } description "Number of retries of peer management request messages upon t3-response timeout"; } leaf t3-response { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
5"; } } units "seconds"; description "Waiting time of gateway before retrying peer management request upon response timeout"; } list peer-groups { key "name"; max-elements 4000; ordered-by user; description "Peer groups name"; uses access-peer-groups; } // list peer-groups } // container access-network-peers container core-network-peers { description "Core-side GTP-U peers"; uses apply-advanced; leaf-list local-address { type jt:ipv4addr; max-elements 1; ordered-by user; description "IPv4 address of the local end of the GTP-U connection"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Local routing instance of the GTP-U connection"; } leaf echo-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 255"; } } units "seconds"; description "Time between origination of two echo requests"; } leaf path-management { type enumeration { enum "enable" { value 0; description "Enable parameter"; } enum "disable" { value 1; description "Disable parameter"; } } description "Enable/disable origination of echo requests to core peers"; } leaf n3-requests { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } description "Number of unanswered echo requests for path failure"; } leaf t3-response { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
5"; } } units "seconds"; description "Time between resending unanswered echo requests"; } list peer-groups { key "name"; max-elements 4000; ordered-by user; description "Peer groups name"; uses core-peer-groups; } // list peer-groups } // container core-network-peers } // grouping saegw-names grouping access-peer-groups { description "Peer-group name"; leaf name { type string { length "1 .. 64"; } description "Peer group name"; } uses apply-advanced; container peer { presence "enable peer"; uses apply-advanced; leaf-list address { type jt:ipv4prefix; ordered-by user; description "IPv4 address or prefix value of access network peer"; } leaf hostname { type string { length "1 .. 256"; } description "Name of the access network peer"; } } // container peer leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing-instance of GTP-U connection"; } } // grouping access-peer-groups grouping anchor-pfes-type { description "Anchor PFE's configuration"; uses apply-advanced; list interface { key "name"; ordered-by user; description "Anchor PFE interface configuration"; leaf name { type string { length "1 .. 
60"; } description "Interface name"; } uses apply-advanced; } // list interface } // grouping anchor-pfes-type grouping apn-services-names { description "APN services configuration"; leaf name { type string { junos:posix-pattern "^[.0-9A-Za-z-]{1,100}$"; junos:pattern-message "Must be a string of 100 or fewer characters and may contain letters, numbers, decimals and dashes."; } description "APN Services Name"; } uses apply-advanced; leaf mobile-interface { junos:must "("interfaces $$")"; junos:must-message "referenced mif interface must be defined in the interfaces hierarchy"; type string { junos:posix-pattern "^(mif.)"; junos:pattern-message "Must be a mobile interface"; length "1 .. 60"; } description "Mobile interface name"; } } // grouping apn-services-names grouping control-peer-groups { description "Peer-group name"; leaf name { type string { length "1 .. 64"; } description "Peer group name"; } uses apply-advanced; container peer { presence "enable peer"; description "Peer address and hostname"; uses apply-advanced; leaf-list address { type jt:ipprefix; ordered-by user; description "IPv4 or IPv6 address or prefix value of control plane peer"; } leaf hostname { type string { length "1 .. 256"; } description "Name of the control plane peer"; } } // container peer leaf initiate-association { type empty; description "Start node association message to control plane peer"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Local routing instance of the PFCP"; } leaf heartbeat-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 
255"; } } units "seconds"; description "Time between origination of two successive heartbeat requests"; } leaf path-management { type enumeration { enum "enable" { value 0; description "Enable parameter"; } enum "disable" { value 1; description "Disable parameter"; } } description "Enable/disable origination of heartbeat message requests to control peers"; } leaf n3-requests { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } description "Number of retries of PFCP request messages upon t3-response timeout"; } leaf t3-response { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 5"; } } units "seconds"; description "Waiting time of gateway before retrying a PFCP signaling-request upon response timeout"; } } // grouping control-peer-groups grouping core-peer-groups { description "Peer-group name"; leaf name { type string { length "1 .. 64"; } description "Peer group name"; } uses apply-advanced; container peer { presence "enable peer"; uses apply-advanced; leaf-list address { type jt:ipv4prefix; ordered-by user; description "IPv4 address or prefix value of core network peer"; } leaf hostname { type string { length "1 .. 
256"; } description "Name of the core network peer"; } } // container peer leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing-instance of GTP-U connection"; } } // grouping core-peer-groups grouping secintel-category-disable { description "Security intelligence category"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Blacklist" { value 3; description "Blacklist"; } enum "Whitelist" { value 4; description "Whitelist"; } enum "Infected-Hosts" { value 5; description "Infected-Hosts"; } enum "SecProfiling" { value 6; description "SecProfiling"; } enum "DNS" { value 7; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; container disable { presence "enable disable"; description "To disable category for feed update"; } // container disable } // grouping secintel-category-disable grouping secintel-policy-setting { description "Security intelligence policy setting"; leaf name { type string { length "1 .. 63"; } description "Security intelligence policy name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900"; } description "Text description of policy"; } list category-profiles { key "name"; ordered-by user; description "Security intelligence category profiles"; leaf name { type enumeration { enum "IPFilter" { value 0; description "IPFilter"; } enum "GeoIP" { value 1; description "GeoIP"; } enum "CC" { value 2; description "Command and control"; } enum "Infected-Hosts" { value 3; description "Infected-Hosts"; } enum "DNS" { value 4; description "DNS"; } } description "Name of security intelligence category"; } uses apply-advanced; leaf profile-name { junos:must "("services security-intelligence profile $$")"; junos:must-message "security intelligence profile must be defined"; type string; description "Name of profile"; } } // list category-profiles } // grouping secintel-policy-setting grouping secintel-profile-setting { description "Security intelligence profile settings"; leaf name { type string { length "1 .. 63"; } description "Security intelligence profile name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of profile"; } leaf category { type string; description "Profile category name"; } list rule { key "name"; ordered-by user; description "Profile rule name"; uses secintel-profile-rule; } // list rule container default-rule { presence "enable default-rule"; description "Profile default rule"; uses apply-advanced; container then { presence "enable then"; description "Profile default rule action"; uses apply-advanced; container action { description "Security intelligence profile action"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit action"; } container block { description "Block action"; uses apply-advanced; choice action { container drop { presence "enable drop"; description "Drop packet"; } // container drop container close { junos:must "(!(".. .. .. .. 
.. category DNS"))"; junos:must-message "close action not available on DNS profiles"; presence "enable close"; description "Close session"; uses apply-advanced; container http { description "Http content for block action"; uses apply-advanced; choice http-choice { leaf file { type string; description "File name for http response to client"; } leaf message { type string; description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container http } // container close } // choice action } // container block container recommended { junos:must "(!(".. .. .. .. category DNS"))"; junos:must-message "recommend action not available on DNS profiles"; presence "enable recommended"; description "Recommended action from feed server"; } // container recommended leaf sinkhole { junos:must "(".. .. .. .. category DNS")"; junos:must-message "Sinkhole action requires DNS category profile"; type empty; description "DNS sinkhole for DNS profile"; } } // choice action } // container action choice log-choice { leaf log { type empty; description "Log security intelligence block action"; } leaf no-log { type empty; description "Don't log security intelligence block action"; } } // choice log-choice } // container then } // container default-rule } // grouping secintel-profile-setting grouping secintel-profile-rule { description "Security intelligence profile rule"; leaf name { type string { length "1 .. 
63"; } description "Profile rule name"; } uses apply-advanced; container match { description "Profile matching feed name and threat levels"; uses apply-advanced; list feed-name { key "name"; max-elements 32; ordered-by user; description "Profile matching feed name"; leaf name { type string { junos:posix-pattern "^[^/;:|=,+*?&<>{}]*$"; junos:pattern-message "Must not be double quotation marks and other special characters as / ; : | = , + * ? & < > { }"; length "1 .. 63"; } } uses apply-advanced; } // list feed-name leaf-list threat-level { type union { type uint32; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Profile matching threat levels, higher number is more severe"; } } // container match container then { description "Profile action and log"; uses apply-advanced; container action { description "Security intelligence profile action"; uses apply-advanced; choice action { leaf permit { type empty; description "Permit action"; } container block { description "Block action"; uses apply-advanced; choice action { container drop { presence "enable drop"; description "Drop packet"; } // container drop container close { junos:must "(!(".. .. .. .. .. category DNS"))"; junos:must-message "close action not available on DNS profiles"; presence "enable close"; description "Close session"; uses apply-advanced; container http { description "Http content for block action"; uses apply-advanced; choice http-choice { leaf file { type string; description "File name for http response to client"; } leaf message { type string; description "Block message to client"; } leaf redirect-url { type string { junos:posix-pattern "^https?://.*"; junos:pattern-message "URL must begin with http:// or https://"; length "1 .. 1023"; } description "Redirect url to client"; } } // choice http-choice } // container http } // container close } // choice action } // container block container recommended { junos:must "(!(".. .. .. .. 
category DNS"))"; junos:must-message "recommend action not available on DNS profiles"; presence "enable recommended"; description "Recommended action from feed server"; } // container recommended leaf sinkhole { junos:must "(".. .. .. .. category DNS")"; junos:must-message "Sinkhole action requires DNS category profile"; type empty; description "DNS sinkhole for DNS profile"; } } // choice action } // container action container log { presence "enable log"; description "Log security intelligence block action"; } // container log } // container then } // grouping secintel-profile-rule grouping secintel-traceoptions { description "Security intelligence trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Trace flags"; leaf name { type enumeration { enum "all" { value 0; description "Trace everything"; } enum "feed" { value 1; description "Trace feed operation"; } enum "ipc" { value 2; description "Trace ipc module"; } enum "blacklist" { value 3; description "Trace security intelligence Blacklist category"; } enum "cc" { value 4; description "Trace security intelligence CC category"; } enum "infected-hosts" { value 5; description "Trace security intelligence Infected-Hosts category"; } enum "control" { value 6; description "Trace control plane"; } enum "infrastucture" { value 7; description "Trace infrastructure functions"; } enum "jwas" { value 8; description "Trace security intelligence JWAS category"; } enum "plugin" { value 9; description "Trace security intelligence plugin services"; } enum "whitelist" { value 10; description "Trace security intelligence Whitelist category"; } enum "secprofiling" { value 11; description "Trace security intelligence Secprofiling category"; } } } } // list flag } // 
grouping secintel-traceoptions grouping security_intelligence_feeds { /* Four post-action containers, each holding one name-of-feed leaf. NOTE(review): name-of-feed is only length-limited (1..64); the feed-name key in the secintel profile rule match of this module also carries a posix-pattern excluding characters such as / ; : | and is limited to 63. Whether feed names are validated elsewhere is not visible here - confirm. */ description "Specify the feed post action"; uses apply-advanced; container add-source-ip-to-feed { description "Add Source IP to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-source-ip-to-feed container add-destination-ip-to-feed { description "Add Destination IP to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-destination-ip-to-feed container add-source-identity-to-feed { description "Add Source Identity to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-source-identity-to-feed container add-destination-identity-to-feed { description "Add Destination Identity to Feed"; uses apply-advanced; leaf name-of-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container add-destination-identity-to-feed } // grouping security_intelligence_feeds grouping server-connection-type { description "Connection parameters per server"; uses apply-advanced; leaf address { type jt:ipaddr; description "IP address"; } /* NOTE(review): ca-certificate is a free-form string of 1..256 characters; unlike the trace-file "filename" leaves in this module it has no posix-pattern, so path separators are accepted by the schema. Whatever resolves this name has to validate it - confirm. */ leaf ca-certificate { type string { length "1 .. 256"; } description "Ca-certificate file name"; } leaf client-id { type string { length "1 .. 64"; } description "Client ID for OAuth2 grant"; } /* NOTE(review): client-secret is typed as a plain string (1..128); nothing in this grouping marks the OAuth2 client secret as sensitive. How the value is stored and displayed is not visible here - confirm it is masked or encrypted at rest rather than kept in cleartext configuration. */ leaf client-secret { type string { length "1 .. 128"; } description "Client secret for OAuth2 grant"; } } // grouping server-connection-type grouping service_device_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Service device pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service device name"; leaf name { junos:must "(!(any "interfaces <*> aggregated-inline-services-options secondary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; junos:must "(!(any "interfaces <*> aggregated-inline-services-options primary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; type string; } uses apply-advanced; } // list interface } // grouping service_device_pool_object grouping service_interface_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service interface pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service interface name"; leaf name { junos:must "("interfaces $$")"; junos:must-message "referenced interface must be defined"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; } // list interface } // grouping service_interface_pool_object grouping service_point_type { leaf name { type string; description "Service point name"; } uses apply-advanced; leaf service-point-type { type enumeration { enum "sip" { value 0; } } default "sip"; description "Service point type"; } container transport-details { presence "enable transport-details"; description "IP address, port number and transport-protocols for the service-point"; leaf port-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Port number"; } leaf ip-address { type jt:ipaddr; description "IP address"; } leaf tcp { type empty; description "Transport protocol - TCP"; } leaf udp { type empty; description "Transport protocol - UDP"; } leaf fqdn { type string { length "1 .. 128"; } description "Fully Qualified Domain Name"; } } // container transport-details leaf service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Associated service interface"; } container service-policies { presence "enable service-policies"; uses service_policies_type; } // container service-policies leaf default-media-realm { junos:must "("services pgcp virtual-interface $$")"; junos:must-message "Referenced Virtual Interface must be defined"; type string { length "1 .. 4"; } description "Use this realm for allocating media resources for calls initiated to/from this service-point"; } } // grouping service_point_type grouping service_policies_type { uses apply-advanced; leaf-list new-transaction-input-policies { type string; max-elements 10; ordered-by user; description "New transaction input policy name"; } leaf-list new-transaction-output-policies { type string; max-elements 10; ordered-by user; description "New transaction output policy name"; } leaf-list new-registration-input-policies { type string; max-elements 10; ordered-by user; description "New registration input policy name"; } leaf-list new-call-usage-input-policies { type string; max-elements 10; ordered-by user; description "New call usage input policy name"; } leaf-list new-call-usage-output-policies { type string; max-elements 10; ordered-by user; description "New call usage output policy name"; } } // grouping service_policies_type grouping services-pcef { description "PCEF configuration"; uses apply-advanced; container traceoptions { description "Trace options related to PCEF"; uses pcef-traceoptions; } // container traceoptions container event-trigger-profiles { description 
"Event trigger profiles"; uses apply-advanced; list profile { key "name"; uses evt-trigger-profile; } // list profile } // container event-trigger-profiles container flow-descriptions { description "PCC flow descriptions"; uses apply-advanced; list definition { key "name"; uses pcc-flow; } // list definition } // container flow-descriptions container pcc-action-profiles { description "PCC action profiles"; uses apply-advanced; list definition { key "name"; uses pcc-action-profile; } // list definition } // container pcc-action-profiles container pcc-rules { description "PCC rules"; uses apply-advanced; list definition { key "name"; uses pcc-rule; } // list definition } // container pcc-rules container pcc-rulebases { description "PCC rulebases"; uses apply-advanced; list definition { key "name"; ordered-by user; uses pcc-rulebase; } // list definition } // container pcc-rulebases container profile { description "PCEF profiles"; uses apply-advanced; list definition { key "name"; ordered-by user; uses pcef-profiles; } // list definition } // container profile } // grouping services-pcef grouping evt-trigger-profile { description "Event trigger profile"; leaf name { type string { length "1 .. 63"; } description "Event trigger profile name"; } uses apply-advanced; leaf rat-change { type empty; description "RAT change trigger"; } leaf sgsn-change { type empty; description "SGSN change trigger"; } leaf plmn-change { type empty; description "PLMN change trigger"; } leaf ip-can-change { type empty; description "IP-CAN change trigger"; } leaf tft-change { type empty; description "TFT change trigger"; } leaf rai-change { type empty; description "RAI change trigger"; } leaf user-location-change { type empty; description "User location change"; } leaf ue-timezone-change { type empty; description "UE timezone change"; } } // grouping evt-trigger-profile grouping pcc-action-profile { description "PCC action profiles"; leaf name { type string { length "1 .. 
63"; } description "PCC action profile identifier"; } uses apply-advanced; leaf logging-rule { junos:must "(any "services lrf profile <*> rule $$")"; junos:must-message "Specified rule should be configured under services lrf profile rule"; type string { length "1 .. 63"; } description "Policy based logging rule name"; } container maximum-bit-rate { presence "enable maximum-bit-rate"; description "Maximum bit rate"; leaf uplink { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 6144000"; } } units "kilobits"; default "0"; description "Maximum bit rate uplink"; } leaf downlink { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 6144000"; } } units "kilobits"; default "0"; description "Maximum bit rate downlink"; } } // container maximum-bit-rate container burst-size { presence "enable burst-size"; description "Burst Size"; uses apply-advanced; leaf uplink { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1500 .. 1500000000"; } } units "bytes"; description "Burst size uplink"; } leaf downlink { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1500 .. 1500000000"; } } units "bytes"; description "Burst size downlink"; } } // container burst-size leaf gate-status { type enumeration { enum "uplink" { value 0; description "Enable uplink traffic"; } enum "downlink" { value 1; description "Enable downlink traffic"; } enum "uplink-downlink" { value 2; description "Enable uplink and downlink traffic"; } enum "disable-both" { value 3; description "Disable any traffic"; } } description "Control gate status"; } container charging { description "Charging related configuration"; uses apply-advanced; leaf rating-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967294"; } } description "Rating group"; } leaf service-identifier { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
4294967294"; } } default "0"; description "Service identifier"; } leaf charging-method { type enumeration { enum "online" { value 0; description "Use online charging method"; } enum "offline" { value 1; description "Use offline charging method"; } enum "both" { value 2; description "Use online and offline charging method"; } enum "none" { value 3; description "Use no charging"; } } description "Charging method"; } leaf measurement-method { type enumeration { enum "none" { value 0; description "No default measuring method for charging"; } enum "volume" { value 1; description "Volume based charging"; } enum "time" { value 2; description "Time based charging"; } enum "volume-time" { value 3; description "Volume and time based charging"; } enum "event" { value 4; description "Event based charging"; } } default "volume-time"; description "Charging measure method"; } container application-function-record-info { presence "enable application-function-record-info"; description "Application function record information"; uses apply-advanced; leaf af-charging-identifier { type string { length "1 .. 63"; } description "Application function charging identifier"; } } // container application-function-record-info leaf service-id-level-reporting { type empty; description "Toggle service-id level reporting"; } } // container charging container redirect { description "Redirect to different destination"; uses apply-advanced; leaf url { junos:must "(!(".. routing-instance"))"; junos:must-message "Either url or routing instance can be defined"; type string { length "1 .. 
512"; } description "Redirect url name"; } /* NOTE(review): the redirect "url" leaf closed just above is only length-limited (1..512); the secintel block action's redirect-url leaf in this module additionally enforces the posix-pattern "^https?://.*". Whether the scheme of this PCC redirect target is validated elsewhere is not visible here - confirm. */ } // container redirect container forwarding-class { description "Classify packet to forwarding class"; uses apply-advanced; leaf class-name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class name"; } } // container forwarding-class container steering { description "Steering information"; uses apply-advanced; /* uplink and downlink each name a routing instance; the junos:must statements and their messages require that instance to be defined. */ container routing-instance { description "Routing instance information"; leaf uplink { junos:must "("routing-instances $$")"; junos:must-message "routing instance must be defined"; type string; description "Instance name uplink"; } leaf downlink { junos:must "("routing-instances $$")"; junos:must-message "routing instance must be defined"; type string; description "Instance name downlink"; } } // container routing-instance container path { description "HTTP steering information"; /* ipv4-address and ipv6-address are cases of one choice, so a path carries at most one steering destination. */ choice ip-address-type { leaf ipv4-address { type jt:ipv4prefix; description "IPv4 address of the steering destination"; } leaf ipv6-address { type jt:ipv6prefix; description "IPv6 address of the steering destination"; } } // choice ip-address-type } // container path leaf keep-existing-steering { type empty; description "Keep existing steering"; } } // container steering container hcm-profile { description "HCM Profile"; uses apply-advanced; leaf profile-name { junos:must "("services hcm profile $$")"; junos:must-message "HCM Profile must be configured"; type string; description "HCM Profile Name"; } } // container hcm-profile leaf monitoring-key { type string { length "1 .. 63"; } description "Usage Monitoring key"; } } // grouping pcc-action-profile grouping pcc-flow { description "Configure PCC flow"; leaf name { type string { length "1 .. 
63"; } description "PCC flow identifier"; } uses apply-advanced; leaf direction { type enumeration { enum "downlink" { value 0; description "Downlink direction"; } enum "uplink" { value 1; description "Uplink direction"; } enum "both" { value 2; description "Both uplink and downlink directions"; } } description "PCC flow direction"; } leaf protocol { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 255"; } } description "PCC flow IPv4 protocol"; } leaf-list local-ports { junos:must "(!(".. local-port-range"))"; junos:must-message "Either port list or port range can be defined"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } max-elements 3; description "Local port or port list"; } list local-port-range { junos:must "(!(".. local-ports"))"; junos:must-message "Either port list or port range can be defined"; key "low high"; max-elements 3; ordered-by user; description "Local port range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Lower limit of port range"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Upper limit of port range"; } } // list local-port-range leaf-list remote-ports { junos:must "(!(".. remote-port-range"))"; junos:must-message "Either port list or port range can be defined"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } max-elements 3; description "Remote port or port list"; } list remote-port-range { junos:must "(!(".. remote-ports"))"; junos:must-message "Either port list or port range can be defined"; key "low high"; max-elements 3; ordered-by user; description "Remote port range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Lower limit of port range"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
65535"; } } description "Upper limit of port range"; } } // list remote-port-range container remote-address { description "Remote address"; choice ip-address-type { leaf ipv4-address { type jt:ipv4prefix; description "IPv4 address for the flow"; } leaf ipv6-address { type jt:ipv6prefix; description "IPv6 address for the flow"; } } // choice ip-address-type } // container remote-address } // grouping pcc-flow grouping pcc-rule { description "PCC rules configuration"; leaf name { type string { junos:posix-pattern "^[.0-9A-Za-z_-]{1,63}$"; junos:pattern-message "Must be a string of 63 or fewer characters and may contain letters, numbers, decimals and dashes."; } description "PCC Rule identifier"; } uses apply-advanced; container from { description "Aggregate of flows using same pcc-action-profile"; uses apply-advanced; list flows { key "name"; max-elements 64; ordered-by user; description "Associate PCC Flows"; leaf name { junos:must "(".. .. .. .. .. flow-descriptions $$")"; junos:must-message "Referenced flow must be defined"; type string { length "1 .. 63"; } description "PCC Flow identifier"; } uses apply-advanced; } // list flows list applications { key "name"; max-elements 10; ordered-by user; description "Associated application signature names"; leaf name { type string { length "1 .. 63"; } description "Signature names"; } uses apply-advanced; } // list applications list nested-applications { key "name"; max-elements 10; ordered-by user; status deprecated; description "Associated nested application signature names"; leaf name { type string { length "1 .. 63"; } description "Nested application signature names"; } uses apply-advanced; } // list nested-applications list application-groups { key "name"; max-elements 10; ordered-by user; description "Application Group signature names"; leaf name { type string { length "1 .. 
63"; } description "Application group names"; } uses apply-advanced; } // list application-groups } // container from container then { description "Specified pcc-action-profile"; uses apply-advanced; leaf pcc-action-profile { junos:must "(".. .. .. .. pcc-action-profiles $$")"; junos:must-message "Referenced action profile must be defined"; type string { length "1 .. 63"; } description "PCC Action profile name"; } } // container then } // grouping pcc-rule grouping pcc-rulebase { description "PCC rulebases"; leaf name { type string { junos:posix-pattern "^[.0-9A-Za-z_-]{1,63}$"; junos:pattern-message "Must be a string of 63 or fewer charactars and may contain letters, numbers, decimals and dashes"; } description "PCC Rulebase identifier"; } uses apply-advanced; list pcc-rule { key "name"; max-elements 32; ordered-by user; leaf name { junos:must "(".. .. .. .. pcc-rules $$")"; junos:must-message "Referenced rule must be defined"; type string { junos:posix-pattern "^[.0-9A-Za-z_-]{1,63}$"; junos:pattern-message "Must be a string of 63 or fewer charactars and may contain letters, numbers, decimals and dashes"; length "1 .. 63"; } description "PCC rule name"; } leaf precedence { junos:must "(unique ".. .. pcc-rule <*> precedence $$")"; junos:must-message "Precedence has to unique among rules"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 4000"; } } description "PCC rule precedence"; } } // list pcc-rule } // grouping pcc-rulebase grouping pcef-profiles { description "PCEF profiles"; leaf name { type string { length "1 .. 63"; } description "PCEF profile name"; } uses apply-advanced; leaf control-byte-rating-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
4294967294"; } } description "Rating group id"; } leaf unresolved-flow-action { type enumeration { enum "forward" { value 0; description "Forward"; } enum "drop" { value 1; description "Drop"; } } description "Flow action"; } container maximum-per-pdn-service-flows { description "Max service flows per PDN"; leaf num { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Value"; } } // container maximum-per-pdn-service-flows container dynamic-policy-control { junos:must "(("diameter-profile" || ".. .. .. .. .. system services subscriber-management enable"))"; junos:must-message "diameter-profile must be configured when 'system services subscriber-management' is not enabled"; junos:must "((!(".. static-policy-control") && !(".. aaa-policy-control")))"; junos:must-message "Either static or dynamic or AAA policy control can be specified"; description "Dynamic policy control"; uses apply-advanced; container pcc-rules { description "PCC rules association"; uses apply-advanced; list rule-assoc { key "name"; max-elements 64; ordered-by user; uses profile-rule-assoc; } // list rule-assoc } // container pcc-rules list pcc-rulebases { key "name"; ordered-by user; description "PCC rulebase association"; leaf name { junos:must "(".. .. .. .. .. pcc-rulebases $$")"; junos:must-message "Referenced rulebase must be defined"; type string { length "1 .. 63"; } description "PCC rulebase name"; } uses apply-advanced; } // list pcc-rulebases leaf diameter-profile { junos:must "(".. .. .. .. .. diameter-profiles gx-profile $$")"; junos:must-message "Referenced diameter profile must be defined"; type string { length "1 .. 63"; } description "Diameter profile name"; } leaf event-trigger-profile { junos:must "(".. .. .. .. event-trigger-profiles $$")"; junos:must-message "Referenced event trigger profile must be defined"; type string { length "1 .. 
63"; } description "Event trigger profile name"; } leaf session-failover-not-supported { type empty; description "Session failover not supported"; } leaf release { type enumeration { enum "r8" { value 0; description "Gx release 8"; } enum "r9" { value 1; description "Gx release 9"; } } description "To override Gx release to R8|R9"; } } // container dynamic-policy-control container static-policy-control { junos:must "((!(".. dynamic-policy-control") && !(".. aaa-policy-control")))"; junos:must-message "Either static or dynamic or AAA policy control can be specified"; description "Static policy control"; uses apply-advanced; container pcc-rules { description "PCC rules association"; uses apply-advanced; list rule-assoc { key "name"; max-elements 64; ordered-by user; uses profile-static-rule-association; } // list rule-assoc } // container pcc-rules list pcc-rulebases { key "name"; ordered-by user; description "PCC rulebase association"; leaf name { junos:must "(".. .. .. .. .. pcc-rulebases $$")"; junos:must-message "Referenced rulebase must be defined"; type string { length "1 .. 63"; } description "PCC rulebase name"; } uses apply-advanced; leaf time-of-day-profile { junos:must "(".. .. .. .. .. pcc-time-of-day-profiles $$")"; junos:must-message "Referenced time-of-day profile must be defined"; type string { length "1 .. 63"; } description "Time of day profile name"; } } // list pcc-rulebases leaf-list activate-dedicated-bearers { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 9"; } } max-elements 9; description "Enable dedicated bearer activation on initial attach with qci"; } } // container static-policy-control container aaa-policy-control { junos:must "((!(".. static-policy-control") && !(".. dynamic-policy-control")))"; junos:must-message "Either static or dynamic or AAA policy control can be specified"; description "AAA policy control"; uses apply-advanced; leaf profile { junos:must "(".. .. .. .. .. 
aaa profiles $$")"; junos:must-message "Referenced AAA profile must be defined"; type string { length "1 .. 32"; } description "AAA profile name"; } /* NOTE(review): user-password is typed as a plain string (1..32), so this schema does not mark it as a secret. How the value is stored and displayed is not visible here - confirm it is not kept or shown in cleartext. */ leaf user-password { type string { length "1 .. 32"; } description "User password"; } list pcc-rulebases { key "name"; ordered-by user; description "PCC rulebase association"; leaf name { junos:must "(".. .. .. .. .. pcc-rulebases $$")"; junos:must-message "Referenced rulebase must be defined"; type string { length "1 .. 63"; } description "PCC rulebase name"; } uses apply-advanced; } // list pcc-rulebases } // container aaa-policy-control } // grouping pcef-profiles grouping pcef-traceoptions { description "Trace options related to PCEF"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; /* Per the pattern-message, the posix-pattern below rejects '/', '%' and spaces, so the trace file name cannot carry a directory component. */ leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } /* NOTE(review): size is an unconstrained string; the accepted size syntax is not visible in this schema. */ leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } /* world-readable and no-world-readable are cases of one choice, so at most one can be set. Per its description, world-readable lets any user read the trace file; trace output may contain operational detail, so no-world-readable is the safer setting unless wider read access is required. Which behaviour applies when neither is set is not visible here. */ choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file /* Trace verbosity; the schema default is "error". */ leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "init" { value 0; description "Trace initialization events"; } enum "config" { value 1; description "Trace configuration events"; } enum "general" { value 2; description "Trace general events"; } enum "high-availability" { value 3; description "Trace high availability events"; } enum "debug" { value 4; description "Trace debug internal events"; } enum "fsm" { value 5; description "Trace fsm events"; } enum "tftmgr" { value 6; description "Trace tftmgr events"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping pcef-traceoptions /* profile-rule-assoc: one PCC rule reference (name) plus its precedence; used by the rule-assoc list under dynamic-policy-control in this module. The junos:must statements require the referenced rule to be defined and, per the must-message, the precedence to be unique among rules. */ grouping profile-rule-assoc { leaf name { junos:must "(".. .. .. .. .. .. pcc-rules $$")"; junos:must-message "Referenced rule must be defined"; type string { length "1 .. 63"; } description "PCC rule name"; } leaf precedence { junos:must "(unique ".. .. <*> precedence $$")"; junos:must-message "Precedence has to unique among rules"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
4000"; } } description "PCC rule precedence"; } } // grouping profile-rule-assoc grouping profile-static-rule-association { leaf name { junos:must "(".. .. .. .. .. .. pcc-rules $$")"; junos:must-message "Referenced rule must be defined"; type string { length "1 .. 63"; } description "PCC rule name"; } leaf precedence { junos:must "(unique ".. .. <*> precedence $$")"; junos:must-message "Precedence has to unique among rules"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 4000"; } } description "PCC rule precedence"; } leaf time-of-day-profile { junos:must "(".. .. .. .. .. .. pcc-time-of-day-profiles $$")"; junos:must-message "Referenced time-of-day profile must be defined"; type string { length "1 .. 63"; } description "Time of day profile name"; } container pcc-action-profile { status deprecated; description "PCC action profile association"; leaf rules-action-profile { junos:must "(".. .. .. .. .. .. .. pcc-action-profiles $$")"; junos:must-message "Referenced action profile must be defined"; type string { length "1 .. 63"; } description "PCC action profile name"; } } // container pcc-action-profile } // grouping profile-static-rule-association grouping session_timeout_type { uses apply-advanced; leaf tcp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for tcp sessions"; } leaf udp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for udp sessions"; } leaf ospf { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for ospf sessions"; } leaf icmp { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for icmp sessions"; } leaf icmp6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 
86400"; } } units "seconds"; description "Timeout value for icmp6 sessions"; } leaf others { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Timeout value for other sessions"; } } // grouping session_timeout_type grouping sfw_addr_object { leaf name { type string; description "Match IP address"; } leaf except { type empty; description "Match address not in this prefix"; } } // grouping sfw_addr_object grouping sfw_match_object { uses apply-advanced; list source-address { key "name"; ordered-by user; description "Match IP source address"; uses sfw_addr_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses sfw_addr_object; } // list destination-address container destination-port { presence "enable destination-port"; uses apply-advanced; choice port_choice { container range { description "Range of ports"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Lower limit of port range"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
65535"; } } description "Upper limit of port range"; } } // container range } // choice port_choice } // container destination-port list source-address-range { key "low high"; ordered-by user; description "Match IP source address range"; leaf low { type jt:ipaddr; description "Lower limit of address range"; } leaf high { type jt:ipaddr; description "Upper limit of address range"; } leaf except { type empty; description "Match address not in this prefix"; } } // list source-address-range list source-prefix-list { key "name"; ordered-by user; description "One or more named lists of source prefixes to match"; leaf name { type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list source-prefix-list list destination-address-range { key "low high"; ordered-by user; description "Match IP destination address range"; leaf low { type jt:ipaddr; description "Lower limit of address range"; } leaf high { type jt:ipaddr; description "Upper limit of address range"; } leaf except { type empty; description "Match address not in this prefix"; } } // list destination-address-range list destination-prefix-list { key "name"; ordered-by user; description "One or more named lists of destination prefixes to match"; leaf name { type string; description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list destination-prefix-list leaf-list applications { type string; ordered-by user; description "Match one or more applications"; } list application-sets { key "name"; ordered-by user; description "Match one or more application sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } } uses apply-advanced; } // list application-sets leaf-list application { type string; ordered-by user; } } // grouping sfw_match_object grouping sfw_rule_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } enum "input-output" { value 2; description "Match on input to or output from interface"; } } description "Direction for which the rule match is applied"; } list term { key "name"; ordered-by user; description "Define a stateful firewall term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
63"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses sfw_match_object; } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice designation { leaf accept { type empty; description "Accept the packet"; } container discard { presence "enable discard"; description "Discard the packet"; uses apply-advanced; } // container discard leaf reject { type empty; description "Reject the packet"; } } // choice designation leaf-list allow-ip-options { type string; ordered-by user; } leaf syslog { type empty; description "System log information about the packet"; } leaf skip-ids { type empty; description "No IDS processing will be done on a matching packet"; } } // container then } // list term } // grouping sfw_rule_object grouping signaling-realm { description "Signaling realm"; leaf name { type string; description "Realm name"; } uses apply-advanced; } // grouping signaling-realm grouping sip_timers_type { uses apply-advanced; leaf inactive-call { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 86400"; } } units "seconds"; default "86400"; description "Maximum time for signaling inactivity"; } leaf timer-c { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 300"; } } units "seconds"; default "180"; description "Maximum time to wait for final response on invite"; } } // grouping sip_timers_type grouping sm-traceoptions-type { description "Trace options for SAEGW SM"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "general" { value 0; description "Trace general events"; } enum "state-machine" { value 1; description "Trace state-machine events"; } enum "mirroring" { value 2; description "Trace mirroring events"; } enum "all" { value 3; description "Trace everything"; } } } } // list flag } // grouping sm-traceoptions-type grouping soft_gre_tunnel_group_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; } description "Tunnel group name"; } uses apply-advanced; leaf source-address { type jt:ipaddr; description "Local address of tunnel"; } list 
destination-networks { key "name"; ordered-by user; description "Create tunnels for routes in these destination networks"; uses soft_gre_destination_network_object; } // list destination-networks leaf service-interface { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined in the interfaces hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Pseudowire interface to use"; } leaf tunnel-idle-timeout { type union { type uint16; type string { pattern "<.*>|$.*"; } } units "seconds"; default "120"; description "Time to tear down tunnel when idle"; } leaf dynamic-profile { junos:must "("dynamic-profiles $$")"; junos:must-message "Referenced dynamic profile must be defined"; type string { length "1 .. 80"; } description "Dynamic profile for tunnel interface"; } } // grouping soft_gre_tunnel_group_object grouping soft_gre_destination_network_object { leaf name { type jt:ipprefix; description "Network prefix"; } uses apply-advanced; } // grouping soft_gre_destination_network_object grouping softwires-object { description "Configure softwire feature"; uses apply-advanced; list softwire-name { key "name"; description "Configure softwire object"; uses softwire-option-type; } // list softwire-name container softwire-types { description "Configure softwire objects"; uses apply-advanced; list v6rd { key "name"; description "Configure v6rd object"; uses softwire-option-type; } // list v6rd list ds-lite { key "name"; description "Configure ds-lite object"; uses softwire-option-type; } // list ds-lite list map-e { key "name"; ordered-by user; description "Configure Map-e object"; uses map-e-domain; } // list map-e } // container softwire-types list map-e { key "name"; max-elements 1; ordered-by user; description "Configure a MAP-E domain and domain rules"; uses map-e-domain; } // list map-e container traceoptions { description "Trace options for Network Security DS-Lite"; uses apply-advanced; leaf 
no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list rule-set { key "name"; ordered-by user; description "Define a softwire rule set"; uses sw-rule-set-object; } // list rule-set } // grouping softwires-object grouping map-e-domain { description "Configure a MAP-E domain"; leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 
11"; } description "MAP-E domain name"; } uses apply-advanced; leaf confidentiality { type empty; description "Configure JUNOS MAP-E confidentiality"; } leaf br-address { type jt:unreadable; description "Ipv6 address of BR"; } container end-user-prefix { description "Configure end-user-prefix value or source interface for obtaining end-user-prefix"; uses apply-advanced; leaf prefix-value { junos:must "(!(".. auto"))"; junos:must-message "Explicit end-user-prefix is not allowed when auto is configured"; type jt:ipv6prefix; description "End user prefix"; } } // container end-user-prefix list rule { key "name"; max-elements 101; ordered-by user; description "Configure a BMR or FMR rule for map-e "; uses map-e-rule; } // list rule leaf role { type enumeration { enum "CE" { value 0; description "CE deployment"; } } description "Define a role of the MAP-E"; } leaf version { type enumeration { enum "3" { value 0; description "Version 3: draft-ietf-softwire-map-03"; } } description "Define version of the MAP-E"; } } // grouping map-e-domain grouping map-e-rule { description "Configure a MAP-E rule"; leaf name { type string { junos:posix-pattern "![_]"; junos:pattern-message "A special character _ is not allowed"; length "1 .. 11"; } description "MAP-E rule name"; } uses apply-advanced; leaf rule-type { type enumeration { enum "BMR" { value 0; description "Define BMR rule type"; } enum "FMR" { value 1; description "Define FMR rule type"; } } description "Define a rule type of MAP-E"; } leaf ipv4-prefix { type jt:unreadable; description "Ipv4 prefix"; } leaf ipv6-prefix { type jt:unreadable; description "Ipv6 prefix"; } leaf ea-bits-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 48"; } } description "EA bits length"; } leaf psid-offset { type jt:unreadable; description "PSID offset"; } leaf psid-len { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
16"; } } description "PSID length"; } leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 9192"; } } default "9192"; description "MTU for the softwire tunnel"; } leaf v4-reassembly { type empty; description "MAP-E IPv4 reassembly support"; } leaf v6-reassembly { type empty; description "MAP-E IPv6 reassembly support"; } leaf disable-auto-route { type empty; description "MAP-E Disable Auto Route"; } } // grouping map-e-rule grouping softwire-option-type { description "Configure softwire object"; leaf name { type string { length "1 .. 23"; } description "DS-Lite/Softwire object name"; } uses apply-advanced; leaf softwire-concentrator { type jt:ipaddr; description "Concentrator address"; } leaf softwire-type { type enumeration { enum "IPv4-in-IPv6" { value 0; description "Ipv4-in-IPv6"; } enum "v6rd" { value 1; description "V6rd"; } } default "IPv4-in-IPv6"; description "Softwire-type"; } leaf ipv4-prefix { type jt:ipv4prefix; description "6rd customer edge IPV4 prefix"; } leaf v6rd-prefix { type jt:ipv6prefix; description "6rd domain's IPV6 prefix"; } leaf mtu-v4 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "576 .. 9192"; } } description "MTU for the softwire tunnel"; } leaf mtu-v6 { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1280 .. 9192"; } } description "MTU for the softwire tunnel"; } leaf auto-update-mtu { type empty; description "Auto update MTU from received ICMPv6 messages"; } leaf copy-dscp { type empty; description "Copy DSCP (type of service) from IPv6 to IPv4 header"; } leaf flow-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16384"; } } default "0"; description "Max Number of IPv4 flows per Softwire"; } leaf session-limit-per-prefix { junos:must "(!(".. 
flow-limit"))"; junos:must-message "Cannot configure both flow-limit and session-limit-per-prefix in same softwire-concentrator"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 16384"; } } default "0"; description "Max number of sessions allowed per Softwire prefix"; } } // grouping softwire-option-type grouping srd-rs-id-object { description "Definition of redundancy-set"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Redundancy set identifier"; } uses apply-advanced; leaf redundancy-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } description "Name of redundancy-group"; } leaf-list redundancy-policy { type string; description "Redundancy-policy list"; } leaf keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "seconds"; default "10"; description "Frequency of SRD hello messages"; } leaf hold-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } units "seconds"; default "30"; description "Time before SRD peer is declared down"; } leaf healthcheck-timer-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 3600"; } } units "seconds"; default "5"; description "Healthcheck timer interval"; } } // grouping srd-rs-id-object grouping srd-traceoptions-object { uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing flag parameters"; leaf name { type enumeration { enum "config" { value 0; description "Trace parse events"; } enum "connect" { value 1; description "Trace ipc events"; } enum "route" { value 2; description "Trace route events"; } enum "ssd" { value 3; description "Trace SDK Service events"; } enum "snmp" { value 4; description "Trace snmp events"; } enum "system" { value 5; description "Trace services redundancy system events"; } enum "opcmd" { value 6; description "Trace operational command events"; } enum "state-machine" { value 7; description "Trace finite-state-machine events"; } enum "kcom" { value 8; description "Trace KCOM events"; } enum "database" { value 9; description "Trace database events"; } enum "swithover" { value 10; description "Trace 
switchover events"; } enum "stateful-sync" { value 11; description "Trace stateful-sync related events"; } enum "redundancy-group" { value 12; description "Trace redundancy-group related events"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag } // grouping srd-traceoptions-object grouping ssg-destination-nat-object { uses apply-advanced; list pool { key "name"; ordered-by user; description "Define a destination address pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Pool name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of pool"; } container routing-instance { description "Routing instance"; uses apply-advanced; choice ri-name-choice { leaf default { type empty; description "Default routing-instance"; } leaf ri-name { junos:must "(("routing-instances $$ instance-type virtual-router" || "routing-instances $$ instance-type vrf"))"; junos:must-message "Instance-type virtual-router or vrf must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; } description "Routing-instance name"; } } // choice ri-name-choice } // container routing-instance container address { description "Add address or address range to pool"; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 address or address range"; } choice range-port-choice { container to { description "Upper limit of address range"; uses 
apply-advanced; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 upper limit of address range"; } } // container to leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the port value"; } } // choice range-port-choice } // container address } // list pool list port-forwarding { key "name"; ordered-by user; description "Define a port-forwarding mapping pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Port Forwarding mapping name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of port forwarding mapping"; } list destined-port { key "port translated-port"; max-elements 32; ordered-by user; description "Port forwarding mappings"; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } leaf translated-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Translated port"; } } // list destined-port } // list port-forwarding list rule-set { key "name"; ordered-by user; description "Configure a set of rules"; leaf name { junos:must "((!("services nat source rule-set $$") && !("services nat static rule-set $$")))"; junos:must-message "the rule set name should be unique across all types of nat"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from list rule { key "name"; ordered-by user; description "Destination NAT rule"; uses dest-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-destination-nat-object grouping dest-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900"; } description "Text description of rule"; } container dest-nat-rule-match { description "Specify Destination NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type string; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } choice dst-choice { container destination-address { description "Destination address"; choice dst-addr-choice { leaf dst-addr { type jt:ipprefix; description "IPv4 or IPv6 destination address"; } leaf any-unicast { type empty; description "Match any unicast address"; } } // choice dst-addr-choice } // container destination-address container destination-address-name { description "Address from address book"; leaf dst-addr-name { type string { length "1 .. 63"; } description "Address from address book"; } } // container destination-address-name } // choice dst-choice list destination-port { key "name"; max-elements 8; ordered-by user; description "Destination port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list destination-port leaf-list protocol { type string; max-elements 4; ordered-by user; description "IP Protocol"; } leaf-list application { type string; ordered-by user; } } // container dest-nat-rule-match container then { description "Then action"; uses apply-advanced; container destination-nat { description "Destination NAT action"; uses apply-advanced; choice action { leaf off { type empty; description "No action"; } container pool { description "Use Destination NAT pool"; uses apply-advanced; leaf pool-name { junos:must "(".. .. .. .. .. .. .. .. 
nat destination pool $$")"; junos:must-message "Destination NAT pool name must be defined"; type string { length "1 .. 31"; } description "Name of Destination NAT pool"; } } // container pool leaf destination-prefix { type jt:ipprefix-only; description "Destination prefix to be used for NAT64 and 464 translation type"; } } // choice action container xlat-source-rule { junos:must "(".. destination-prefix")"; junos:must-message "'xlat-source-rule' can be configured only for NAT464 destination rule"; description "Set source nat rule to match for NAT464"; uses apply-advanced; list rule-set { key "name"; max-elements 1; ordered-by user; description "Source nat rule-set"; leaf name { junos:must "("services nat source rule-set $$")"; junos:must-message "source rule-set must be defined under 'services nat'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source nat rule-set name"; } uses apply-advanced; leaf rule { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source NAT rule name"; } } // list rule-set } // container xlat-source-rule container port-forwarding-mappings { description "Use Destination NAT port forwarding mapping pool"; uses apply-advanced; leaf pf-name { junos:must "(".. .. .. .. .. .. .. .. nat destination port-forwarding $$")"; junos:must-message "Port forwarding pool mappings must be defined"; type string { length "1 .. 
31"; } description "Name of Port forwarding mappings"; } } // container port-forwarding-mappings container rule-session-count-alarm { description "Config rule-session-count-alarm to destination rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm } // container destination-nat leaf syslog { type empty; description "System log information about the packet"; } } // container then } // grouping dest-nat-rule-object grouping nat-rule-session-count-alarm-object { uses apply-advanced; leaf raise-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Raise threshold for rule session count alarm"; } leaf clear-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } description "Clear threshold for session count hit alarm"; } } // grouping nat-rule-session-count-alarm-object grouping ssg-proxy-arp-object { uses apply-advanced; list interface { key "name"; ordered-by user; description "Interface with proxy arp configured"; uses ssg-interface-object; } // list interface } // grouping ssg-proxy-arp-object grouping ssg-interface-object { leaf name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; list address { key "name"; ordered-by user; description "Proxy ARP address"; leaf name { type jt:ipv4prefix; description "Address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipaddr { type jt:ipv4prefix; description "Upper limit of address range"; } } // container to } // list address } // grouping ssg-interface-object grouping ssg-proxy-ndp-object { uses apply-advanced; list interface { key "name"; ordered-by user; description "Interface with proxy ndp configured"; uses ssg-proxy-ndp-interface-object; } // list interface } // grouping ssg-proxy-ndp-object grouping ssg-proxy-ndp-interface-object { leaf 
name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; list address { key "name"; ordered-by user; description "Proxy ndp address"; leaf name { type jt:ipv6prefix; description "Address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipv6addr { type jt:ipv6addr; description "Upper limit of address range"; } } // container to } // list address } // grouping ssg-proxy-ndp-interface-object grouping ssg-source-nat-object { uses apply-advanced; container persistent-nat { description "Persistent NAT info"; container log { description "Configure persistent NAT log"; choice enable-disable { leaf disable { type empty; description "Disable Persistent NAT log"; } } // choice enable-disable } // container log } // container persistent-nat list pool { key "name"; ordered-by user; description "Define a source address pool"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Pool name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900"; } description "Text description of pool"; } container routing-instance { description "Routing instance"; uses apply-advanced; leaf ri-name { junos:must "("routing-instances $$ instance-type virtual-router")"; junos:must-message "Instance-type virtual-router must be defined under [routing-instances]"; junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; } description "Routing instance name"; } } // container routing-instance list address { key "name"; max-elements 8; ordered-by user; description "Add address to pool"; leaf name { type jt:ipprefix; description "IPv4 or IPv6 address or address range"; } container to { description "Upper limit of address range"; uses apply-advanced; leaf ipaddr { type jt:ipprefix; description "IPv4 or IPv6 upper limit of address range"; } } // container to } // list address container host-address-base { description "The base of host address"; leaf ipaddr { junos:must "(!(".. .. port range"))"; junos:must-message "'port range...' must not be configured when configure host-address-base"; type jt:ipprefix; description "IPv4 or IPv6 base address"; } } // container host-address-base container port { description "Config port attribute to pool"; uses apply-advanced; choice port-choice { leaf no-translation { junos:must "(!(".. automatic"))"; junos:must-message "'automatic' must not be configured when configure port no-translation"; junos:must "(!(".. preserve-range"))"; junos:must-message "'preserve-range' must not be configured when configure port no-translation"; junos:must "(!(".. 
preserve-parity"))"; junos:must-message "'preserve-parity' must not be configured when configure port no-translation"; type empty; description "Do not perform port translation"; } container range { description "Port range"; uses apply-advanced; choice port-assign-choice { leaf random-allocation { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as random"; type empty; description "Allocate port randomly"; } leaf round-robin { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as round-robin"; type empty; description "Allocate port round-robin"; } } // choice port-assign-choice leaf low { junos:must "(!(".. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(".. .. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Upper limit of port range"; } } // container to container twin-port { description "Twin port range"; uses apply-advanced; leaf low { junos:must "(!(".. .. .. .. host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure twin port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Lower limit of twin port range"; } container to { description "Twin port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(".. .. .. .. .. 
host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure twin port range"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Upper limit of twin port range"; } } // container to } // container twin-port } // container range container automatic { description "Port assignment"; uses apply-advanced; choice port-assign-choice { leaf random-allocation { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as random"; type empty; description "Allocate port randomly"; } leaf round-robin { junos:must "(!(".. .. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure port assignment as round-robin"; type empty; description "Allocate port by round-robin"; } } // choice port-assign-choice } // container automatic } // choice port-choice leaf port-overloading-factor { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 32"; } } description "Port overloading factor for each IP"; } container block-allocation { presence "enable block-allocation"; description "Port block allocation"; uses block-allocation-object; } // container block-allocation container deterministic { presence "enable deterministic"; description "Deterministic nat allocation"; uses deterministic-object; } // container deterministic leaf preserve-parity { junos:must "(!(".. .. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure preserve-parity"; type empty; description "Allocate port as the same parity as incoming port"; } leaf preserve-range { junos:must "(!(".. .. .. .. .. 
source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured when configure preserve-range"; type empty; description "Allocate port from the same port range as incoming port"; } } // container port container overflow-pool { junos:must "(".. .. .. source pool ${pool} port no-translation")"; junos:must-message "'port no-translation' must be configured on original address pool"; description "Specify an overflow pool"; choice overflow-pool-choice { leaf pool-name { junos:must "(!(".. .. .. .. source pool $$ host-address-base"))"; junos:must-message "'host-address-base' must not be configured on overflow address pool"; junos:must "(!(".. .. .. .. source pool $$ port no-translation"))"; junos:must-message "'port no-translation' must not be configured on overflow address pool"; junos:must "(!(".. .. .. .. source pool ${pool} overflow-pool ${pool}"))"; junos:must-message "Overflow address pool must not be original address pool"; junos:must "(".. .. .. .. source pool $$")"; junos:must-message "Overflow address pool must be defined under [nat source pool]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
31"; } description "Name of source address pool"; } leaf interface { type empty; description "Allow interface pool to support overflow"; } } // choice overflow-pool-choice } // container overflow-pool leaf address-shared { type empty; description "Allow multiple hosts to share an externel address"; } container address-pooling { description "Specify the address-pooling behavior"; choice pooling-choice { leaf paired { type empty; description "Allow address-pooling paired for a source pool with port translation"; } leaf no-paired { type empty; description "Allow address-pooling no-paired for a source pool without port translation"; } } // choice pooling-choice } // container address-pooling container address-persistent { description "Specify the address-persistent behavior"; container subscriber { description "Configure address persistent for subscriber"; leaf ipv6-prefix-length { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "8 .. 128"; } } description "Ipv6 prefix length for address persistent"; } } // container subscriber } // container address-persistent container pool-utilization-alarm { description "Config pool-utilization-alarm to pool"; uses source-nat-pool-utilization-alarm-object; } // container pool-utilization-alarm leaf ei-mapping-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 86400"; } } units "second"; description "Endpoint-independent mapping timeout"; } leaf mapping-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 86400"; } } units "second"; description "Address-pooling paired and endpoint-independent mapping timeout"; } leaf limit-ports-per-host { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "2 .. 65535"; } } description "Number of ports allocated per host"; } container allocation-domain { description "Specify map-e domain name for pool"; leaf mape-domain-name { junos:must "(!(".. .. 
address"))"; junos:must-message "'address...' must not be configured when configure allocation-domain"; junos:must "("security softwires map-e $$")"; junos:must-message "mape domain must be defined"; type string { length "1 .. 31"; } description "Name of map-e domain"; } container allocation-rule { description "Specify map-e rule name for pool"; leaf mape-rule-name { type string { length "1 .. 31"; } description "Name of map-e rule"; } } // container allocation-rule } // container allocation-domain } // list pool leaf address-persistent { type empty; description "Allow source address to maintain same translation"; } leaf session-persistence-scan { type empty; description "Allow source to maintain session when session scan"; } leaf session-drop-hold-down { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "30 .. 28800"; } } description "Session drop hold down time"; } container pool-utilization-alarm { description "Configure pool utilization alarm"; uses source-nat-pool-utilization-alarm-object; } // container pool-utilization-alarm container port-randomization { description "Configure Source NAT port randomization"; choice enable-disable { leaf disable { type empty; description "Disable Source NAT port randomization"; } } // choice enable-disable } // container port-randomization container port-round-robin { description "Configure Source NAT port randomization"; choice enable-disable { leaf disable { type empty; description "Disable Source NAT port randomization"; } } // choice enable-disable } // container port-round-robin leaf port-scaling-enlargement { type empty; description "Configure source port scaling to 2.4G only for NGSPC"; } leaf pool-distribution { type empty; description "Configure Source pool distribution, the APPCP bottleneck of NAT CPS can be alleviated."; } container pool-default-port-range { description "Configure Source NAT default port range"; leaf low { junos:must "(!(any "security nat source pool <*> host-address-base"))"; 
junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16; } description "Lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { junos:must "(!(any "security nat source pool <*> host-address-base"))"; junos:must-message "'host-address-base' must not be configured when configure port range"; type union { type string { pattern "<.*>|$.*"; } type uint16; } description "Upper limit of port range"; } } // container to } // container pool-default-port-range container pool-default-twin-port-range { description "Configure Source NAT default twin port range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 65535"; } } description "Lower limit of twin port range"; } container to { description "Twin port range upper limit"; uses apply-advanced; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "63488 .. 
65535"; } } description "Upper limit of twin port range"; } } // container to } // container pool-default-twin-port-range container interface { description "Configure interface port overloading for persistent NAT"; uses apply-advanced; choice interface-choice { container port-overloading { description "Configure port overloading"; leaf off { type empty; description "Turn off interface port over-loading"; } } // container port-overloading leaf port-overloading-factor { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port overloading factor for interface NAT"; } } // choice interface-choice } // container interface list rule-set { key "name"; ordered-by user; description "Configurate a set of rules"; leaf name { junos:must "((!("services nat destination rule-set $$") && !("services nat static rule-set $$")))"; junos:must-message "the rule set name should be unique across all types of nat"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 
900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from container to { description "Where is the traffic to"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Destination routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Destination routing group list"; } leaf-list zone { type string; max-elements 8; description "Destination zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Destination interface list"; } } // choice from-context-choice } // container to list rule { key "name"; ordered-by user; description "Source NAT rule"; uses src-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-source-nat-object grouping block-allocation-object { description "Port block allocation"; uses apply-advanced; leaf block-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 64512"; } } description "Block size"; } leaf maximum-blocks-per-host { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
512"; } }
    description "Maximum block number per host";
  }
  // NOTE(review): each numeric leaf below is a union with a string matching
  // "<.*>|$.*"; presumably that alternative admits Junos wildcard/variable
  // placeholders rather than literal values - confirm against the Junos YANG
  // documentation before treating the numeric ranges as the only accepted input.
  leaf active-block-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      // No range or units are declared for the numeric form.
      type uint32;
    }
    description "Active block timeout interval";
  }
  leaf interim-logging-interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1800 .. 86400"; }
    }
    description "Interim Logging interval";
  }
  leaf last-block-recycle-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "120 .. 864000"; }
    }
    description "Last Block recycle timeout interval";
  }
  container log {
    description "Configure port block log";
    // The only knob here is "disable".
    // NOTE(review): port block logs are presumably what ties a translated
    // address/port block back to an internal host; a configuration that sets
    // this leaf is worth a look during audit - confirm what the log records.
    choice enable-disable {
      leaf disable { type empty; description "Disable PBA port block log"; }
    } // choice enable-disable
  } // container log
} // grouping block-allocation-object

// Options for deterministic NAT allocation; this grouping is pulled in by
// "container deterministic" under a source pool's port container.
grouping deterministic-object {
  description "Deterministic nat allocation";
  uses apply-advanced;
  leaf block-size {
    type union {
      type string { pattern "<.*>|$.*"; }
      // Unlike block-size in block-allocation-object ("1 .. 64512"), no range
      // is declared here.
      type uint16;
    }
    description "Block size";
  }
  leaf det-nat-configuration-log-interval {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "1800 .. 86400"; }
    }
    description "Deterministic nat configuration logging interval";
  }
  container host {
    description "Host address";
    // Hosts are given as prefixes and/or address-book names, up to 8 of each.
    leaf-list address { type jt:ipprefix; max-elements 8; ordered-by user; description "Host ip address"; }
    leaf-list address-name { type string; max-elements 8; ordered-by user; description "Host address/address-set from address book"; }
  } // container host
  leaf include-boundary-addresses {
    type empty;
    description "Include network and broadcast in 'match' source address";
  }
} // grouping deterministic-object

// Raise/clear thresholds used by both pool-utilization-alarm containers of the
// source NAT grouping. No junos:must relating the two thresholds to each other
// is declared on either leaf.
grouping source-nat-pool-utilization-alarm-object {
  uses apply-advanced;
  leaf raise-threshold {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "50 .. 100"; }
    }
    description "Raise threshold for pool utilization alarm";
  }
  leaf clear-threshold {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint16 { range "40 .. 
100"; } } description "Clear threshold for pool utilization alarm"; } } // grouping source-nat-pool-utilization-alarm-object grouping src-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Source NAT Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule"; } container src-nat-rule-match { description "Specify Source NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type string; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } list source-port { key "name"; max-elements 8; ordered-by user; description "Source port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list source-port leaf-list destination-address { type string; max-elements 8; ordered-by user; description "Destination address"; } leaf-list destination-address-name { type string; max-elements 8; ordered-by user; description "Address/address-set from address book"; } list destination-port { key "name"; max-elements 8; ordered-by user; description "Destination port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses 
apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list destination-port leaf-list protocol { type string; max-elements 4; ordered-by user; description "IP Protocol"; } leaf-list application { type string; ordered-by user; } } // container src-nat-rule-match container then { description "Then action"; uses apply-advanced; container source-nat { description "Source NAT action"; uses apply-advanced; choice action { leaf off { type empty; description "No action"; } container pool { description "Use Source NAT pool"; uses apply-advanced; leaf pool-name { junos:must "(".. .. .. .. .. .. .. .. nat source pool $$")"; junos:must-message "Source NAT pool name must be defined"; type string { length "1 .. 31"; } description "Name of Source NAT pool"; } container persistent-nat { presence "enable persistent-nat"; description "Persistent NAT info"; uses persistent-nat-object; } // container persistent-nat } // container pool container interface { presence "enable interface"; description "Use egress interface address"; uses apply-advanced; container persistent-nat { presence "enable persistent-nat"; description "Persistent NAT info"; uses persistent-nat-object; } // container persistent-nat } // container interface } // choice action leaf clat-prefix { junos:must "((".. .. .. match source-address" || ".. .. .. match source-address-name"))"; junos:must-message "source-address or source-address-name is required for Clat-prefix"; type jt:ipprefix-only; description "An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96"; } leaf clat-ipv6-prefix-length { junos:must "(!(".. .. .. match"))"; junos:must-message "'match' criteria is not applicable when 'clat-ipv6-prefix-length' is configured."; junos:must "(!(".. clat-prefix"))"; junos:must-message "clat-ipv6-prefix-length cannot be configured along with clat-prefix. 
Either clat-prefix or clat-ipv6-prefix-length can be configured."; type enumeration { enum "32" { value 0; description "The ipv6 prefix length of 32"; } enum "40" { value 1; description "The ipv6 prefix length of 40"; } enum "48" { value 2; description "The ipv6 prefix length of 48"; } enum "56" { value 3; description "The ipv6 prefix length of 56"; } enum "64" { value 4; description "The ipv6 prefix length of 64"; } enum "96" { value 5; description "The ipv6 prefix length of 96"; } } description "The ipv6 prefix length for CLAT source address"; } container rule-session-count-alarm { description "Config rule-session-count-alarm to source rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm container mapping-type { description "Source nat mapping type"; leaf endpoint-independent { type empty; description "Endpoint independent mapping"; } leaf address-pooling-paired { type empty; description "Address pooling paired mapping"; } } // container mapping-type container secure-nat-mapping { description "Mapping options for enhanced security"; leaf eif-flow-limit { junos:must "(".. .. filtering-type")"; junos:must-message "eif-flow-limit applies only to filtering-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65534"; } } description "Number of inbound flows to be allowed for a EIF mapping"; } container mapping-refresh { description "Enable timer refresh option"; choice refresh-choice { leaf inbound { type empty; description "Enable timer refresh for inbound connections only"; } leaf outbound { type empty; description "Enable timer refresh for outbound connections only"; } leaf inbound-outbound { type empty; description "Enable timer refresh for inbound & outbound connections"; } } // choice refresh-choice } // container mapping-refresh } // container secure-nat-mapping container filtering-type { junos:must "(".. 
mapping-type endpoint-independent")"; junos:must-message "endpoint independent filtering can not be configured with endpoint-independent mapping only"; description "Source NAT filtering type"; uses apply-advanced; container endpoint-independent { presence "enable endpoint-independent"; description "Endpoint independent filtering"; uses apply-advanced; list prefix-list { key "name"; ordered-by user; description "One or more named lists of source prefixes to match"; leaf name { type string { length "1 .. 63"; } description "Name of prefix list to match against"; } leaf except { type empty; description "Name of prefix list not to match against"; } } // list prefix-list } // container endpoint-independent } // container filtering-type } // container source-nat leaf syslog { type empty; description "System log information about the packet"; } } // container then } // grouping src-nat-rule-object grouping persistent-nat-object { uses apply-advanced; container permit { description "Persistent NAT permit configure"; choice persistent-nat-type-choice { leaf any-remote-host { type empty; description "Permit any remote host"; } leaf target-host { type empty; description "Permit target host"; } leaf target-host-port { type empty; description "Permit target host port"; } } // choice persistent-nat-type-choice } // container permit leaf address-mapping { type empty; description "Address-to-address mapping"; } leaf inactivity-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 7200"; } } description "Inactivity timeout value"; } leaf max-session-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "8 .. 
65536"; } } description "The maximum session number value"; } } // grouping persistent-nat-object grouping ssg-static-nat-object { uses apply-advanced; list rule-set { key "name"; ordered-by user; description "Configurate a set of rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Rule-set name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule set"; } container from { description "Where is the traffic from"; choice from-context-choice { leaf-list routing-instance { type string; max-elements 8; description "Source routing instance list"; } leaf-list routing-group { type string; max-elements 8; description "Source routing group list"; } leaf-list zone { type string; max-elements 8; description "Source zone list"; } leaf-list interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } max-elements 8; description "Source interface list"; } } // choice from-context-choice } // container from list rule { key "name"; ordered-by user; description "Static NAT rule"; uses static-nat-rule-object; } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // list rule-set } // grouping ssg-static-nat-object grouping ssl-initiation-config { uses apply-advanced; list profile { key "name"; ordered-by user; description "SSL client profile"; leaf name { type string { length "1 .. 
63"; }
    description "Profile identifier";
  }
  uses apply-advanced;
  leaf enable-flow-tracing {
    type empty;
    description "Enable flow tracing for the profile";
  }
  // Protocol versions accepted by a profile of ssl-initiation-config.
  // NOTE(review): the default "all" covers TLS 1.0 and 1.1 per its own
  // description, and "ssl3", "tls1" and "tls11" remain selectable. SSLv3 is
  // prohibited by RFC 7568 and TLS 1.0/1.1 are deprecated by RFC 8996, so a
  // hardened profile should pin "tls12" or "tls13" explicitly rather than rely
  // on the default.
  leaf protocol-version {
    type enumeration {
      enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
      enum "ssl3" { value 1; description "SSL version 3"; }
      enum "tls1" { value 2; description "TLS version 1"; }
      enum "tls11" { value 3; description "TLS version 1.1"; }
      enum "tls12" { value 4; description "TLS version 1.2"; }
      enum "tls13" { value 5; description "TLS version 1.3"; }
      enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
    }
    default "all";
    description "Protocol SSL version accepted";
  }
  // Cipher strength tier. "weak" admits suites down to 40-bit keys and the
  // default "medium" starts at 128-bit; "custom" is only valid when
  // custom-ciphers is also configured (junos:must on that enum).
  leaf preferred-ciphers {
    type enumeration {
      enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
      enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
      enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
      enum "custom" {
        junos:must "(".. custom-ciphers")";
        junos:must-message "custom-ciphers must be configured for this choice";
        value 3;
        description "Configure custom cipher suite and order of preference";
      }
    }
    default "medium";
    description "Select preferred ciphers";
  }
  // Explicit cipher list; presumably consulted only when preferred-ciphers is
  // "custom" - confirm. Each tls12-* entry carries a junos:must that rejects the
  // combination "preferred-ciphers custom" + "protocol-version tls13".
  leaf-list custom-ciphers {
    type enumeration {
      enum "tls12-rsa-aes-128-cbc-sha" {
        junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
        junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher";
        value 0;
        description "RSA, 128 bit aes/cbc, sha hash";
      }
      enum "tls12-rsa-aes-256-cbc-sha" {
        junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))";
        // NOTE(review): this message reads "<= tls12 and to use"; the sibling
        // tls12-* messages read "<= tls12 to use".
        junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher";
        value 19;
        description "ECDHE,ECDSA, 3des ede/cbc, sha hash";
      }
      // TLS 1.3 suites (values 20-24) carry no junos:must. The descriptions of
      // values 21, 23 and 24 are identical, so the AEAD mode (gcm / ccm / ccm8)
      // is visible only in the enum name.
      enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
      enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
      enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
      // Legacy suites, accepted by the schema without any constraint. RC4 is
      // prohibited in TLS by RFC 7465, and single DES, MD5-based and 3DES suites
      // are obsolete; their presence in a custom-ciphers list is worth flagging
      // when reviewing a device configuration.
      enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
      enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
      enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
      enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
      // NOTE(review): the must expression below only rejects
      // "protocol-version ssl3" combined with "preferred-ciphers custom", while
      // the message says "must be tls1 or all"; tls11, tls12 and tls13 also
      // satisfy the expression as written.
      enum "rsa-with-aes-128-cbc-sha" {
        junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
        junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
        value 29;
        description "RSA, 128 bit aes/cbc, sha hash";
      }
      enum "rsa-with-aes-256-cbc-sha" {
        junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version ssl3")))";
        junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
        value 30;
        description "RSA, 256 bit aes/cbc, sha hash";
      }
      // Export-grade suites (40-bit and 56-bit keys per their descriptions). The
      // schema accepts them without any junos:must; they are deliberately
      // weakened and should not appear in a hardened profile's custom-ciphers.
      enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
      enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
      enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
      enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
      enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
      // Static-RSA key exchange with AES; these provide no forward secrecy.
      enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
      enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
      enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
      enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
      // ECDHE key exchange with RSA authentication; value 43 is a 3DES suite.
      enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
      enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
      enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
      enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
      enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
      // ECDHE key exchange with ECDSA authentication.
      enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
      enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48;
description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf enable-session-cache { type empty; description "Enable SSL session cache"; } leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; } leaf client-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } container actions { description "Traffic related actions"; uses apply-advanced; leaf ignore-server-auth-failure { type empty; description "Ignore server authentication failure"; } container 
crl {
  // Certificate revocation handling for this profile (tail of the
  // ssl-initiation-config grouping, which starts above this excerpt).
  description "Certificate Revocation actions.";
  leaf disable {
    // Presence-only leaf: when set, CRL validation is turned off entirely.
    type empty;
    description "Disable CRL validation.";
  }
  leaf if-not-present {
    type enumeration {
      enum "allow" { value 0; description "Allow session if CRL information is not present."; }
      enum "drop" { value 1; description "Drop session if CRL information is not present."; }
    }
    // The default is "allow": a session proceeds when no CRL information is
    // available (fail-open). Configure "drop" where revocation status must be
    // known before the session is accepted.
    default "allow";
    description "Action if CRL information is not present.";
  }
  leaf ignore-hold-instruction-code {
    type empty;
    description "Ignore 'Hold Instruction Code' present in the CRL entry.";
  }
} // container crl
leaf unsupported-cipher-on-hw {
  type enumeration {
    enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; }
    enum "software-inspection" { value 1; description "Allow session in software mode"; }
  }
  // Default "drop" rejects the session rather than falling back to software.
  default "drop";
  description "Unsupported cipher processing on hardware mode";
}
} // container actions
} // list profile
} // grouping ssl-initiation-config

// SSL proxy configuration: device-wide cache settings in global-config,
// followed by a user-ordered list of named proxy profiles.
grouping ssl-proxy-config {
  uses apply-advanced;
  container global-config {
    description "Global proxy configuration";
    uses apply-advanced;
    leaf session-cache-timeout {
      // The numeric form is bounded to 300..86400 seconds. The string
      // alternative of the union is not range-checked by this model.
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "300 .. 86400"; }
      }
      units "seconds";
      description "Session cache timeout";
    }
    leaf disable-cert-cache {
      type empty;
      description "Disable proxy mode certificate cache";
    }
    leaf certificate-cache-timeout {
      // Numeric form bounded to 300..3600 seconds.
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "300 .. 3600"; }
      }
      units "seconds";
      description "Certificate cache timeout";
    }
    leaf invalidate-cache-on-crl-update {
      // Opt-in: without this leaf the model does not request that cached
      // certificates be invalidated when a CRL is updated.
      // NOTE(review): confirm the device behaviour when it is unset.
      type empty;
      description "Invalidate certificate cache on crl update";
    }
    leaf cache-usage-enforcement-threshold {
      // Percentage, 1..100 in the numeric form.
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 100"; }
      }
      description "Percentage of total cache size after which per lsys limits will be enforced";
    }
    leaf disable-deferred-profile-selection {
      // Two constraints: this leaf is rejected while either
      // enable-proxy-on-pre-id-policy-match or
      // enable-proxy-on-default-fw-policy-match is configured at the parent level.
      junos:must "(!(".. enable-proxy-on-pre-id-policy-match"))";
      junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-pre-id-policy-match is enabled";
      junos:must "(!(".. enable-proxy-on-default-fw-policy-match"))";
      junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-default-fw-policy-match is enabled";
      type empty;
      description "Disable the deferred profile selection mechanism";
    }
  } // container global-config
  list profile {
    key "name";
    ordered-by user;
    description "SSL Proxy profile";
    leaf name {
      type string { length "1 .. 63"; }
      description "Profile identifier";
    }
    uses apply-advanced;
    leaf enable-flow-tracing {
      type empty;
      description "Enable flow tracing for the profile";
    }
    leaf protocol-version {
      // Default is "all", which per its description spans TLS 1.0 through 1.3.
      // "ssl3", "tls1" and "tls11" are also selectable on their own; SSL 3.0 is
      // deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996, so a hardened profile
      // pins "tls12" or "tls13" instead of relying on the default.
      // "tls12-and-lower" deliberately excludes TLS 1.3.
      type enumeration {
        enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
        enum "ssl3" { value 1; description "SSL version 3"; }
        enum "tls1" { value 2; description "TLS version 1"; }
        enum "tls11" { value 3; description "TLS version 1.1"; }
        enum "tls12" { value 4; description "TLS version 1.2"; }
        enum "tls13" { value 5; description "TLS version 1.3"; }
        enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
      }
      default "all";
      description "Protocol SSL version accepted";
    }
    leaf preferred-ciphers {
      // Default is "medium" (128-bit or greater). "weak" lowers the floor to
      // 40-bit keys, which is export-grade strength.
      // NOTE(review): the 168-bit floor of "strong" looks like it admits 3DES
      // suites; confirm which suites each tier maps to on the platform.
      type enumeration {
        enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
        enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
        enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
        enum "custom" {
          // "custom" is only valid when the sibling custom-ciphers list is configured.
          junos:must "(".. 
custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))";
  junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher";
  value 17;
  description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash";
}
// Each tls12-* entry carries the same constraint: it is rejected when
// preferred-ciphers is "custom" and protocol-version is "tls13".
enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
  junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher";
  value 18;
  description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash";
}
enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
  // NOTE(review): this message has a stray "and" that the sibling entries do not.
  junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher";
  value 19;
  description "ECDHE,ECDSA, 3des ede/cbc, sha hash";
}
// TLS 1.3 suites. These entries carry no junos:must, so this model does not
// tie them to a protocol-version value.
// NOTE(review): the descriptions for the gcm, ccm and ccm8 variants of
// aes-128 are identical and do not name the AEAD mode; the enum name is the
// only place the mode is visible.
enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
// Legacy suites: RC4 (prohibited for TLS by RFC 7465), single DES, 3DES and
// MD5-based MACs. None of these entries has a junos:must, so the model
// accepts them in a custom list regardless of protocol-version. Review any
// configuration that selects them.
enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
// The two AES-CBC/SHA entries below are rejected when preferred-ciphers is
// "custom" and protocol-version is "ssl3".
enum "rsa-with-aes-128-cbc-sha" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
  junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
  value 29;
  description "RSA, 128 bit aes/cbc, sha hash";
}
enum "rsa-with-aes-256-cbc-sha" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
  junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
  value 30;
  description "RSA, 256 bit aes/cbc, sha hash";
}
// Export-grade suites (40- and 56-bit symmetric keys per the descriptions).
// They are unconstrained in the model, so a custom list that includes one is
// accepted as valid; treat their presence in a configuration as an audit finding.
enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
// RSA key exchange with AES. Static RSA key exchange gives no forward
// secrecy; the ecdhe-* and dhe-* entries do.
enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
// ECDHE key exchange with RSA authentication.
enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
enum 
"ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; } choice certificate { leaf-list root-ca { type string; max-elements 2; ordered-by user; description "Root certificate for interdicting server certificates in proxy mode"; } leaf-list 
server-certificate {
  // Four constraints: server-certificate is rejected while any of
  // [security idp sensor-configuration ssl-inspection sessions], actions crl,
  // actions ignore-server-auth-failure or trusted-ca is configured.
  junos:must "(!("security idp sensor-configuration ssl-inspection sessions"))";
  junos:must-message "IDP SSL Inspection should not be configured with ssl proxy profile <> server-certificate";
  junos:must "(!(".. actions crl"))";
  // NOTE(review): the message below contains "server- certificate" with a stray space.
  junos:must-message "actions crl <> should not be configured with server- certificate";
  junos:must "(!(".. actions ignore-server-auth-failure"))";
  junos:must-message "ignore-server-auth-failure should not be configured with server-certificate";
  junos:must "(!(".. trusted-ca"))";
  junos:must-message "trusted-ca <> should not be configured with server-certificate";
  type string;
  max-elements 1024;
  ordered-by user;
  description "Local certificate identifier";
}
} // choice certificate
container mirror-decrypt-traffic {
  // Copies decrypted SSL traffic out of the named interface to the given
  // MAC address. The model exposes only these three leaves, so any protection
  // of the mirrored plaintext has to come from how that interface and segment
  // are isolated and who can reach the receiving host.
  description "Configure mirror interface and Destination MAC address";
  uses apply-advanced;
  leaf interface {
    // Must reference an interface that exists under [interfaces].
    junos:must "("interfaces $$")";
    junos:must-message "Interface must be defined";
    type union {
      type jt:interface-name;
      type string { pattern "<.*>|$.*"; }
    }
    description "Interface on which SSL decrypted traffic is mirrored";
  }
  leaf destination-mac-address {
    type jt:mac-addr;
    description "Mac address of host/server to which decrypted traffic is mirrored";
  }
  leaf only-after-security-policies-enforcement {
    type empty;
    description "Enables decrypted Traffic mirroring after policy enforcement";
  }
} // container mirror-decrypt-traffic
leaf-list whitelist {
  // Entries here are exempted from the SSL proxy. The list has no
  // max-elements bound and takes free-form strings, so review it regularly:
  // every entry is traffic the proxy does not process.
  type string;
  ordered-by user;
  description "Addresses exempted from SSL Proxy ";
}
// NOTE(review): no description is given; by name this looks like the
// URL-category counterpart of the whitelist above. Confirm.
leaf-list whitelist-url-categories {
  type string;
  ordered-by user;
}
container actions {
  description "Logging and traffic related actions";
  uses apply-advanced;
  leaf ignore-server-auth-failure {
    // When set, a server authentication failure does not stop the session.
    // Pair it with the log leaves below so such sessions stay visible.
    type empty;
    description "Ignore server authentication failure";
  }
  container log {
    // Presence container: logging is off unless "log" itself is configured.
    presence "enable log";
    description "Logging actions";
    leaf all {
      type empty;
      description "Log all events";
    }
    leaf sessions-dropped {
      type empty;
      description "Log only ssl session drop events";
    }
    leaf sessions-allowed {
      // Records sessions that were allowed after an error. Useful for finding
      // traffic admitted through the fail-open settings in this container.
      type empty;
      description "Log ssl session allow events after an error";
    }
    leaf sessions-ignored {
      type empty;
      description "Log session ignore events ";
    }
    leaf sessions-whitelisted {
      type empty;
      description "Log ssl session whitelist events ";
    }
    leaf errors {
      type empty;
      description "Log all error events ";
    }
    leaf warning {
      type empty;
      description "Log all warning events ";
    }
    leaf info {
      type empty;
      description "Log all information events ";
    }
  } // container log
  container crl {
    description "Certificate Revocation actions.";
    leaf disable {
      // Presence-only leaf: when set, CRL validation is turned off entirely.
      type empty;
      description "Disable CRL validation.";
    }
    leaf if-not-present {
      type enumeration {
        enum "allow" { value 0; description "Allow session if CRL information is not present."; }
        enum "drop" { value 1; description "Drop session if CRL information is not present."; }
      }
      // Default "allow" is fail-open: with no CRL information the session is
      // still allowed. Configure "drop" where revocation must be enforced.
      default "allow";
      description "Action if CRL information is not present.";
    }
    leaf ignore-hold-instruction-code {
      type empty;
      description "Ignore 'Hold Instruction Code' present in the CRL entry.";
    }
  } // container crl
  leaf renegotiation {
    // Default "allow-secure" permits only RFC 5746 secure renegotiation.
    // "allow" additionally accepts non-secure renegotiation; "drop" ends the
    // session on any renegotiation request.
    type enumeration {
      enum "allow" { value 0; description "Allow secure as well as non secure renegotiation"; }
      enum "allow-secure" { value 1; description "Allow secure negotiation only (RFC 5746)"; }
      enum "drop" { value 2; description "Drop session on renegotiation request"; }
    }
    default "allow-secure";
    description "Renegotiation options";
  }
  leaf disable-session-resumption {
    type empty;
    description "Disable session resumption";
  }
  leaf unsupported-cipher-on-hw {
    type enumeration {
      enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; }
      enum "software-inspection" { value 1; description "Allow session in software mode"; }
    }
    // Default "drop" rejects the session rather than falling back to software.
    default "drop";
    description "Unsupported cipher processing on hardware mode";
  }
  leaf allow-strong-certificate {
    type empty;
    description "Certificate till 4K key-size processing on standalone SRX300/SRX320 platform";
  }
} // container actions
leaf 
disable-deferred-profile-selection {
  // Per-profile form of the leaf with the same name in global-config.
  type empty;
  description "Disable the deferred profile selection mechanism at profile level";
}
} // list profile
} // grouping ssl-proxy-config

// SSL termination ("SSL server profile") configuration: a user-ordered list
// of named profiles with protocol, cipher and certificate settings.
grouping ssl-termination-config {
  uses apply-advanced;
  list profile {
    key "name";
    ordered-by user;
    description "SSL server profile";
    leaf name {
      type string { length "1 .. 63"; }
      description "Profile identifier";
    }
    uses apply-advanced;
    leaf enable-flow-tracing {
      type empty;
      description "Enable flow tracing for the profile";
    }
    leaf protocol-version {
      // Default is "all", which per its description spans TLS 1.0 through 1.3.
      // "ssl3", "tls1" and "tls11" are also selectable on their own; SSL 3.0 is
      // deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996, so a hardened
      // server profile pins "tls12" or "tls13" instead of relying on the default.
      type enumeration {
        enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
        enum "ssl3" { value 1; description "SSL version 3"; }
        enum "tls1" { value 2; description "TLS version 1"; }
        enum "tls11" { value 3; description "TLS version 1.1"; }
        enum "tls12" { value 4; description "TLS version 1.2"; }
        enum "tls13" { value 5; description "TLS version 1.3"; }
        enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
      }
      default "all";
      description "Protocol SSL version accepted";
    }
    leaf preferred-ciphers {
      // Default is "medium" (128-bit or greater). "weak" lowers the floor to
      // 40-bit keys, which is export-grade strength.
      // NOTE(review): the 168-bit floor of "strong" looks like it admits 3DES
      // suites; confirm which suites each tier maps to on the platform.
      type enumeration {
        enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
        enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
        enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
        enum "custom" {
          // "custom" is only valid when the sibling custom-ciphers list is configured.
          junos:must "(".. custom-ciphers")";
          junos:must-message "custom-ciphers must be configured for this choice";
          value 3;
          description "Configure custom cipher suite and order of preference";
        }
      }
      default "medium";
      description "Select preferred ciphers";
    }
    // Explicit suite list used with preferred-ciphers "custom". Each tls12-*
    // entry is rejected when preferred-ciphers is "custom" and
    // protocol-version is "tls13".
    leaf-list custom-ciphers {
      type enumeration {
        enum "tls12-rsa-aes-128-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))";
  junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher";
  value 18;
  description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash";
}
enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" {
  // Rejected when preferred-ciphers is "custom" and protocol-version is "tls13".
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
  // NOTE(review): this message has a stray "and" that the sibling entries do not.
  junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher";
  value 19;
  description "ECDHE,ECDSA, 3des ede/cbc, sha hash";
}
// TLS 1.3 suites. These entries carry no junos:must, so this model does not
// tie them to a protocol-version value.
// NOTE(review): the descriptions for the gcm, ccm and ccm8 variants of
// aes-128 are identical and do not name the AEAD mode; the enum name is the
// only place the mode is visible.
enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
// Legacy suites: RC4 (prohibited for TLS by RFC 7465), single DES, 3DES and
// MD5-based MACs. None of these entries has a junos:must, so the model
// accepts them in an SSL server profile's custom list regardless of
// protocol-version. Review any configuration that selects them.
enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
// The two AES-CBC/SHA entries below are rejected when preferred-ciphers is
// "custom" and protocol-version is "ssl3".
enum "rsa-with-aes-128-cbc-sha" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
  junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
  value 29;
  description "RSA, 128 bit aes/cbc, sha hash";
}
enum "rsa-with-aes-256-cbc-sha" {
  junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
  junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
  value 30;
  description "RSA, 256 bit aes/cbc, sha hash";
}
// Export-grade suites (40- and 56-bit symmetric keys per the descriptions).
// They are unconstrained in the model, so a custom list that includes one is
// accepted as valid; treat their presence in a configuration as an audit finding.
enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
// RSA key exchange with AES. Static RSA key exchange gives no forward
// secrecy; the ecdhe-* and dhe-* entries do.
enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
// ECDHE key exchange with RSA or ECDSA authentication.
enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; 
// Tail of the cipher-suite enumeration behind the "Custom cipher list"
// leaf-list; the enumeration and the enclosing list/grouping open above
// this span.
description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash";
}
enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" {
  value 49;
  description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash";
}
enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" {
  value 50;
  description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash";
}
enum "ecdhe-ecdsa-with-aes-128-cbc-sha" {
  value 51;
  description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash";
}
enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" {
  value 52;
  description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash";
}
enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" {
  value 53;
  description "ECDHE,ECDSA, 3des ede/cbc, sha hash";
}
enum "dhe-rsa-with-aes-256-gcm-sha384" {
  value 54;
  description "DHE/rsa, 256 bit aes/gcm, sha384 hash";
}
enum "dhe-rsa-with-aes-256-cbc-sha" {
  value 55;
  description "DHE/rsa, 256 bit aes/cbc, sha hash";
}
enum "dhe-rsa-with-aes-256-cbc-sha256" {
  value 56;
  description "DHE/rsa, 256 bit aes/cbc, sha256 hash";
}
enum "dhe-rsa-with-3des-ede-cbc-sha" {
  value 57;
  description "DHE/rsa, 3des ede/cbc, sha hash";
}
enum "dhe-rsa-with-aes-128-gcm-sha256" {
  value 58;
  description "DHE/rsa, 128 bit aes/gcm, sha256 hash";
}
enum "dhe-rsa-with-aes-128-cbc-sha" {
  value 59;
  description "DHE/rsa, 128 bit aes/cbc, sha hash";
}
enum "dhe-rsa-with-aes-128-cbc-sha256" {
  value 60;
  description "DHE/rsa, 128 bit aes/cbc, sha256 hash";
}
}
// Up to 64 entries, kept in the order the operator enters them.
// NOTE(review): the order presumably expresses cipher preference - confirm.
// NOTE(review): the schema accepts every value of this enumeration, which
// includes export-grade RC4/DES suites (values 31-35) and 3DES suites
// (values 43, 53, 57). RC4 is prohibited in TLS by RFC 7465 and export suites
// were dropped from TLS 1.1 onward, so a custom list is better limited to the
// ECDHE/DHE AES-GCM entries unless a legacy peer requires otherwise.
max-elements 64;
ordered-by user;
description "Custom cipher list";
}
// Presence-only flag (type empty): configuring it turns the SSL session
// cache on.
leaf enable-session-cache {
  type empty;
  description "Enable SSL session cache";
}
// Identifier of the local certificate, 1 to 32 characters per the pattern.
// No junos:must reference check is attached, so the schema does not itself
// verify that a certificate with this identifier exists.
leaf server-certificate {
  type string {
    junos:posix-pattern "^.{1,32}$";
    junos:pattern-message "Must be string of 32 characters or less";
  }
  description "Local certificate identifier";
}
} // list profile
} // grouping ssl-termination-config

// Trace options shared by the SSL services: trace file settings, verbosity
// level, event flags and a packet filter.
grouping ssl-traceoptions {
  uses apply-advanced;
  // Only valid when [system tracing] is configured (enforced by junos:must).
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  // Trace file settings; the container body continues past this span.
  container file { 
// Body of "container file" in grouping ssl-traceoptions (the container is
// opened just above this span), followed by the level, flag and
// packet-filter nodes of the same grouping.
description "Trace file information";
// Bare file name, 1 to 1024 characters. The pattern rejects '/', '%' and
// space, so the value cannot carry a path separator.
// NOTE(review): the directory the file is written to is not expressed in
// this schema.
leaf filename {
  type string {
    junos:posix-pattern "![/ %]";
    junos:pattern-message "Must not contain '/', % or a space";
    length "1 .. 1024";
  }
  description "Name of file in which to write trace information";
}
// Free-form string; no unit or range is enforced at schema level.
leaf size {
  type string;
  description "Maximum trace file size";
}
// Either an integer from 2 to 1000 (default 3) or a string matching the
// "<.*>|$.*" alternative.
// NOTE(review): the string alternative presumably admits a Junos variable or
// <placeholder> in place of a concrete value - confirm.
leaf files {
  type union {
    type string { pattern "<.*>|$.*"; }
    type uint32 { range "2 .. 1000"; }
  }
  default "3";
  description "Maximum number of trace files";
}
// YANG choice: at most one of the two leaves can be configured. No default
// case is declared, so the permission applied when neither is set is not
// visible from this schema.
// NOTE(review): trace output of the SSL services may contain session and
// configuration detail; prefer no-world-readable unless local users other
// than administrators genuinely need the file.
choice world-readable-choice {
  leaf world-readable {
    type empty;
    description "Allow any user to read the log file";
  }
  leaf no-world-readable {
    type empty;
    description "Don't allow any user to read the log file";
  }
} // choice world-readable-choice
// Optional regular expression that selects which lines are logged.
leaf match {
  type jt:regular-expression;
  description "Regular expression for lines to be logged";
}
} // container file

// Verbosity of the trace output; defaults to "brief".
leaf level {
  type enumeration {
    enum "brief" {
      value 0;
      description "Brief debugging output";
    }
    enum "detail" {
      value 1;
      description "Detailed debugging output";
    }
    enum "extensive" {
      value 2;
      description "Extensive debugging output";
    }
    enum "verbose" {
      value 3;
      description "Verbose debugging output";
    }
  }
  default "brief";
  description "Level of debugging output";
}
// Event classes to trace, keyed by flag name and kept in user order.
list flag {
  key "name";
  ordered-by user;
  description "Tracing parameters";
  leaf name {
    type enumeration {
      enum "cli-configuration" {
        value 0;
        description "Trace CLI configuration events";
      }
      enum "termination" {
        value 1;
        description "Trace termination service events";
      }
      enum "initiation" {
        value 2;
        description "Trace initiation service events";
      }
      enum "proxy" {
        value 3;
        description "Trace proxy service events";
      }
      enum "selected-profile" {
        value 4;
        description "Trace events for profiles with enable-flow-tracing set";
      }
      enum "all" {
        value 5;
        description "Trace everything";
      }
    }
  }
} // list flag
// Packet filter attached to the trace options; the visible leaves select by
// source/destination address (ports follow past this span).
// NOTE(review): presumably narrows tracing to matching sessions - confirm.
container packet-filter {
  description "SSL Packet filter";
  uses apply-advanced;
  leaf source-ip {
    type jt:ipaddr;
    description "Source IP address";
  }
  leaf destination-ip {
    type jt:ipaddr; 
description "Destination IP address"; } leaf source-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Source port"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } } // container packet-filter } // grouping ssl-traceoptions grouping static-nat-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 31"; } description "Static Rule name"; } uses apply-advanced; leaf description { type string { junos:posix-pattern "^[^&<> ]+$"; junos:pattern-message "Must be a string excluding '&', '<', '>' and ' '"; length "1 .. 900"; } description "Text description of rule"; } container static-nat-rule-match { description "Specify Static NAT rule match criteria"; uses apply-advanced; leaf-list source-address { type jt:ipprefix; max-elements 8; ordered-by user; description "Source address"; } leaf-list source-address-name { type string; max-elements 8; ordered-by user; description "Address from address book"; } list source-port { key "name"; max-elements 8; ordered-by user; description "Source port"; leaf name { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // list source-port choice dst-choice { container destination-address { description "Destination address"; leaf dst-addr { type jt:ipprefix; description "IPv4 or IPv6 Destination address prefix"; } } // container destination-address container destination-address-name { description "Address from address book"; leaf 
dst-addr-name { type string { length "1 .. 63"; } description "Address from address book"; } } // container destination-address-name } // choice dst-choice container destination-port { description "Destination port"; leaf low { junos:must "((".. .. .. then static-nat prefix mapped-port" || ".. .. .. then static-nat prefix-name mapped-port"))"; junos:must-message "'then static-nat prefix mapped-port ...' or 'then static-nat prefix-name mapped-port' must be configured when configure 'destination-port'"; type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // container destination-port } // container static-nat-rule-match container then { description "Then action"; uses apply-advanced; container static-nat { description "Static NAT action"; uses apply-advanced; choice prefix-choice { container inet { presence "enable inet"; description "Translated to IPv4 address"; uses apply-advanced; leaf routing-instance { type string; description "Routing instance"; } } // container inet container prefix { description "Address prefix"; uses apply-advanced; leaf addr-prefix { type jt:ipprefix; description "IPv4 or IPv6 address prefix value"; } container mapped-port { description "Mapped port"; uses static-nat-rule-mapped-port-object; } // container mapped-port leaf routing-instance { type string; description "Routing instance"; } } // container prefix container prefix-name { description "Address from address book"; uses apply-advanced; leaf addr-prefix-name { type string { length "1 .. 
63"; } description "Address from address book"; } container mapped-port { description "Mapped port"; uses static-nat-rule-mapped-port-object; } // container mapped-port leaf routing-instance { type string; description "Routing instance"; } } // container prefix-name container nptv6-prefix { description "NPTv6 address prefix, the longest prefix will be supported is /64"; uses apply-advanced; leaf addr-prefix { type jt:ipprefix; description "IPv6 address prefix value, the longest prefix will be supported is /64"; } leaf routing-instance { type string; description "Routing instance"; } } // container nptv6-prefix container nptv6-prefix-name { description "NPTv6 address from address book"; uses apply-advanced; leaf addr-prefix-name { type string { length "1 .. 63"; } description "IPv6 address from address book"; } leaf routing-instance { type string; description "Routing instance"; } } // container nptv6-prefix-name } // choice prefix-choice container rule-session-count-alarm { description "Config rule-session-count-alarm to static rule"; uses nat-rule-session-count-alarm-object; } // container rule-session-count-alarm } // container static-nat } // container then } // grouping static-nat-rule-object grouping static-nat-rule-mapped-port-object { uses apply-advanced; leaf low { junos:must "(".. .. .. .. .. match destination-port")"; junos:must-message "'match destination-port ...' 
must be configured when configure 'mapped-port'"; type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port or lower limit of port range"; } container to { description "Port range upper limit"; uses apply-advanced; leaf high { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Upper limit of port range"; } } // container to } // grouping static-nat-rule-mapped-port-object grouping sw-rule-set-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define Rule Set name"; } uses apply-advanced; list rule { key "name"; ordered-by user; description "Define a rule term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container then { description "Action to take if the condition is matched"; uses apply-advanced; choice designation { leaf ds-lite { junos:must "("services softwires softwire-types ds-lite $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwires softwire-types ds-lite'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply DS-Lite softwire"; } leaf v6rd { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Apply 6rd softwire"; } leaf map-e { junos:must "("services softwires softwire-types map-e $$")"; junos:must-message "Undefined softwire concentrator for map-e"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply MAP-E softwire"; } } // choice designation } // container then } // list rule leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Match direction"; } } // grouping sw-rule-set-object grouping sw_rule_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Direction for which the rule match is applied"; } list term { key "name"; ordered-by user; description "Define a softwire term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Term name"; } uses apply-advanced; container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice designation { leaf ds-lite { junos:must "("services softwire softwire-concentrator ds-lite $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwire softwire-concentrator ds-lite'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply DS-Lite softwire"; } leaf v6rd { junos:must "("services softwire softwire-concentrator v6rd $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwire softwire-concentrator v6rd'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Apply 6rd softwire"; } leaf map-e { junos:must "("services softwire softwire-concentrator map-e $$")"; junos:must-message "referenced softwire concentrator must be defined under 'services softwire softwire-concentrator map-e'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Apply map-e softwire"; } } // choice designation } // container then } // list term } // grouping sw_rule_object grouping tdir_netmon_object { description "Network monitoring probe configuration"; uses apply-advanced; container traceoptions { description "Net Monitoring trace options"; uses tdir_netmon_traceoptions_object; } // container traceoptions list profile { key "name"; max-elements 32; description "Network monitoring probe profile configuration"; uses tdir_netmon_profile_object; } // list profile list source-interface { key "name"; max-elements 32; description "Network monitoring probe sending interface"; uses tdir_netmon_src_iface; } // list source-interface } // grouping tdir_netmon_object grouping tdir_netmon_profile_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in profile-name"; length "1 .. 20"; } description "Network monitoring probe profile name"; } uses apply-advanced; choice probe-type { container http { presence "enable http"; description "HTTP probe options"; uses tdir_http_probe_object; } // container http leaf icmp { type empty; description "ICMP probe options"; } container tcp { presence "enable tcp"; description "TCP probe options"; uses tdir_tcp_probe_object; } // container tcp container ssl-hello { presence "enable ssl-hello"; description "SSL hello probe options"; uses tdir_ssl_hello_probe_object; } // container ssl-hello container custom { presence "enable custom"; description "Custom probe options"; uses tdir_netmon_custom_probe_object; } // container custom } // choice probe-type leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32; } units "seconds"; default "5"; description "Probe interval"; } leaf failure-retries { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
255"; } } default "5"; description "Probe failure retries"; } leaf recovery-retries { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } default "5"; description "Probe recovery retries"; } } // grouping tdir_netmon_profile_object grouping tdir_http_probe_object { description "HTTP probe information"; uses apply-advanced; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } default "80"; description "Port number"; } leaf url { type string { length "1 .. 127"; } description "URL name"; } leaf method { type enumeration { enum "get" { value 0; description "HTTP method GET"; } enum "options" { value 1; description "HTTP method OPTIONS"; } } default "get"; description "HTTP method"; } leaf hostname { type string { length "1 .. 63"; } description "Hostname"; } } // grouping tdir_http_probe_object grouping tdir_netmon_custom_probe_object { description "Custom probe information"; uses apply-advanced; leaf protocol { type enumeration { enum "tcp" { value 0; description "TCP protocol"; } enum "udp" { value 1; description "UDP protocol"; } } description "Custom protocol"; } list cmd { key "name"; max-elements 1; description "Custom probe command configuration"; uses tdir_netmon_custom_probe_command_object; } // list cmd } // grouping tdir_netmon_custom_probe_object grouping tdir_netmon_custom_probe_command_object { description "Command information in custom probe"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 2"; } } description "Custom probe command priority"; } uses apply-advanced; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
65535"; } } description "Port number"; } leaf default-real-service-status { type enumeration { enum "down" { value 0; description "RS marked down by default"; } enum "up" { value 1; description "RS marked up by default"; } } default "down"; description "Default status of real service"; } container send { presence "enable send"; description "Send ASCII string or binary buffer"; uses tdir_netmon_custom_probe_send_object; } // container send container expect { presence "enable expect"; description "Expect ASCII string or binary buffer"; uses tdir_netmon_custom_probe_expect_object; } // container expect } // grouping tdir_netmon_custom_probe_command_object grouping tdir_netmon_custom_probe_expect_object { uses apply-advanced; choice expect_choice { container ascii { presence "enable ascii"; description "Expect ASCII string"; uses tdir_netmon_cust_probe_ascii_expect_obj; } // container ascii container binary { presence "enable binary"; description "Expect binary buffer"; uses tdir_netmon_cust_probe_binary_expect_obj; } // container binary } // choice expect_choice } // grouping tdir_netmon_custom_probe_expect_object grouping tdir_netmon_cust_probe_ascii_expect_obj { leaf ascii-buf { type string { length "1 .. 512"; } } container offset { presence "enable offset"; description "Expect buffer offset"; uses tdir_netmon_cust_probe_expect_offset_obj; } // container offset leaf real-service-action { type enumeration { enum "up" { value 0; description "Mark RS up"; } enum "down" { value 1; description "Mark RS down"; } } default "up"; description "Action on expect match"; } } // grouping tdir_netmon_cust_probe_ascii_expect_obj grouping tdir_netmon_cust_probe_binary_expect_obj { leaf binary-buf { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
512"; } } container offset { presence "enable offset"; description "Expect buffer offset"; uses tdir_netmon_cust_probe_expect_offset_obj; } // container offset leaf real-service-action { type enumeration { enum "up" { value 0; description "Mark RS up"; } enum "down" { value 1; description "Mark RS down"; } } default "up"; description "Action on expect match"; } } // grouping tdir_netmon_cust_probe_binary_expect_obj grouping tdir_netmon_cust_probe_expect_offset_obj { leaf offset { type union { type uint16; type string { pattern "<.*>|$.*"; } } } leaf length { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Expect buffer offset length"; } } // grouping tdir_netmon_cust_probe_expect_offset_obj grouping tdir_netmon_custom_probe_send_object { choice send_choice { leaf ascii { type string { length "1 .. 512"; } description "Send ASCII string"; } leaf binary { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 512"; } description "Send binary buffer"; } } // choice send_choice } // grouping tdir_netmon_custom_probe_send_object grouping tdir_netmon_src_iface { leaf name { type string { length "1 .. 
20"; } description "Network monitoring probe source interface name"; } uses apply-advanced; container family { description "Address family"; uses apply-advanced; container inet { description "Address family IPv4"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Address family IPv4 address"; } } // container inet container inet6 { description "Address family IPv6"; uses apply-advanced; leaf address { type jt:ipv6addr; description "Address family IPv6 address"; } } // container inet6 } // container family } // grouping tdir_netmon_src_iface grouping tdir_netmon_traceoptions_object { description "Network Monitoring trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing flag parameters"; leaf name { type enumeration { enum "all-real-services" { value 0; description "Trace all real services"; } enum "messages" { value 1; description "Trace normal events"; } enum "probe" { value 2; description "Trace probe events"; } enum "inter-thread" { value 3; description "Trace inter thread communication events"; } enum "database" { value 4; description "Trace database events"; } enum "file-descriptor-queue" { value 5; description "Trace file descriptor queue events"; } enum "probe-infra" { value 6; description "Trace probe infra events"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag list monitor { key "name"; leaf name { type string { length "1 .. 20"; } description "Monitor name"; } uses apply-advanced; leaf group-name { type string { length "1 .. 20"; } description "Group name"; } leaf real-services-name { type string { length "1 .. 
20"; } description "Real service"; } } // list monitor } // grouping tdir_netmon_traceoptions_object grouping tdir_service_load_balance_object { uses apply-advanced; container traceoptions { description "Traffic load balance trace options"; uses tdir_traceoptions_object; } // container traceoptions leaf route-hold-timer { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } default "180"; description "Route hold timer, when PIC is down"; } list instance { key "name"; max-elements 2048; description "Traffic load balance instance configuration"; uses tdir_slb_instance_object; } // list instance list flb-policy { key "name"; max-elements 2048; description "Firewall load balancer instance configuration"; uses tdir_flb_policy_object; } // list flb-policy list interfaces { key "name"; max-elements 8160; description "Client/server facing interfaces"; uses tdir_interfaces_object; } // list interfaces } // grouping tdir_service_load_balance_object grouping tdir_flb_policy_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in instance-name"; length "1 .. 20"; } description "Policy name"; } uses apply-advanced; leaf client-interface { type string { length "1 .. 20"; } description "Client facing interface name"; } leaf server-interface { type string { length "1 .. 20"; } description "Server facing interface name"; } list destination { key "name"; max-elements 8160; description "Destination configuration"; uses tdir_destination_object; } // list destination leaf-list network-monitoring-profile { type string { length "1 .. 
20"; } max-elements 2; description "Network monitoring profile name"; } container load-balance-method { presence "enable load-balance-method"; description "Load balance method"; uses apply-advanced; choice method-type { container hash { presence "enable hash"; description "Load balance hash method"; uses apply-advanced; container hash-key { presence "enable hash-key"; description "Hash-key type"; uses tdir_flb_lb_hash_method_obj; } // container hash-key } // container hash leaf random { type empty; description "Load balance random method"; } leaf least-connections { type empty; description "Load balance least-connections method"; } leaf round-robin { type empty; description "Load balance round-robin method"; } } // choice method-type } // container load-balance-method } // grouping tdir_flb_policy_object grouping tdir_destination_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in destination-name"; length "1 .. 20"; } description "Destination name"; } uses apply-advanced; leaf destination-ip { type jt:ipaddr; description "IP address"; } leaf source-ip { type jt:ipaddr; description "IP address"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf routing-instance { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; length "1 .. 
30"; } description "Routing instance name"; } leaf admin-down { type empty; description "Set the destination to DOWN state"; } } // grouping tdir_destination_object grouping tdir_flb_lb_hash_method_obj { uses apply-advanced; leaf source-ip { type empty; description "Source-address based hashing"; } leaf destination-ip { type empty; description "Destination-address based hashing"; } leaf protocol { type empty; description "Protocol based hashing"; } } // grouping tdir_flb_lb_hash_method_obj grouping tdir_interfaces_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in interface-name"; length "1 .. 20"; } description "Client/server interfaces name"; } uses apply-advanced; list interfaces { key "name"; ordered-by user; description "Interfaces part of this zone"; uses tdir-interface-unit; } // list interfaces } // grouping tdir_interfaces_object grouping tdir-interface-unit { description "Logical interfaces in this zone"; leaf name { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Logical interface"; } uses apply-advanced; } // grouping tdir-interface-unit grouping tdir_slb_instance_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in instance-name"; length "1 .. 
20"; }
    // (tail of the "name" leaf of grouping tdir_slb_instance_object, which
    // opens above this span)
    description "Instance name";
  }
  uses apply-advanced;
  // Interface for the instance: a jt:interface-name, or a string matching
  // the "<.*>|$.*" alternative.
  // NOTE(review): that alternative presumably admits a Junos variable or
  // <placeholder> in place of a concrete value - confirm.
  leaf interface {
    type union {
      type jt:interface-name;
      type string { pattern "<.*>|$.*"; }
    }
    description "Interface name";
  }
  // Bypass-filter references are unconstrained strings: no length, pattern
  // or junos:must check is attached, so the schema does not verify that the
  // named filter exists.
  leaf server-inet-bypass-filter {
    type string;
    description "Server Implicit inet bypass filter reference";
  }
  leaf server-inet6-bypass-filter {
    type string;
    description "Server Implicit inet6 bypass filter reference";
  }
  // Client- and server-facing logical interfaces, kept in user order.
  leaf-list client-interface {
    type union {
      type jt:interface-unit;
      type string { pattern "<.*>|$.*"; }
    }
    ordered-by user;
    description "Client facing interface name";
  }
  leaf-list server-interface {
    type union {
      type jt:interface-unit;
      type string { pattern "<.*>|$.*"; }
    }
    ordered-by user;
    description "Server facing interface name";
  }
  // VRF names. The posix-pattern (its message describes what is rejected)
  // excludes reserved "__...__" names, "all", names containing a space, and
  // names longer than 128 characters.
  // NOTE(review): the length statement caps the value at 30 characters, so
  // the "128 characters or less" in the pattern-message overstates the
  // effective limit.
  leaf client-vrf {
    type string {
      junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
      junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
      length "1 .. 30";
    }
    description "Client-side VRF";
  }
  // Same constraints, and the same 30-versus-128 mismatch, as client-vrf.
  leaf server-vrf {
    type string {
      junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
      junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
      length "1 .. 30";
    }
    description "Server-side VRF";
  }
  // At most 32 groups per instance.
  list group {
    key "name";
    max-elements 32;
    description "Group configuration";
    uses tdir_slb_group_object;
  } // list group
  // At most 8160 real services per instance.
  list real-service {
    key "name";
    max-elements 8160;
    description "Real service configuration";
    uses tdir_real_service_object;
  } // list real-service
  // At most 32 virtual services per instance.
  list virtual-service {
    key "name";
    max-elements 32;
    description "Virtual service configuration";
    uses tdir_virtual_service_object;
  } // list virtual-service
} // grouping tdir_slb_instance_object

// One real service: name, address and admin-down flag (the address and
// admin-down leaves follow past this span).
grouping tdir_real_service_object {
  // The name must not contain '.', per the pattern-message; its length
  // statement continues past this span.
  leaf name {
    type string {
      junos:posix-pattern "![.]";
      junos:pattern-message "Usage of '.' is not allowed in real-service-name";
      length "1 .. 
20"; } description "Real service name"; } uses apply-advanced; leaf address { type jt:ipaddr; description "IP address"; } leaf admin-down { type empty; description "Set the real service to DOWN state"; } } // grouping tdir_real_service_object grouping tdir_slb_group_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in group-name"; length "1 .. 20"; } description "Group name"; } uses apply-advanced; leaf-list real-services { type string { length "1 .. 20"; } max-elements 255; ordered-by user; description "Real services group association"; } leaf routing-instance { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; length "1 .. 30"; } description "Routing instance name"; } leaf health-check-interface-subunit { type union { type uint16; type string { pattern "<.*>|$.*"; } } default "0"; description "Subunit on which the health-check is to be initiated"; } leaf-list network-monitoring-profile { type string { length "1 .. 20"; } max-elements 2; description "Network monitoring profile name"; } container real-service-rejoin-options { description "Real service rejoin options"; uses tdir_auto_rejoin_object; } // container real-service-rejoin-options } // grouping tdir_slb_group_object grouping tdir_auto_rejoin_object { uses apply-advanced; leaf no-auto-rejoin { type empty; description "Disable real service auto-rejoin, when it comes up"; } } // grouping tdir_auto_rejoin_object grouping tdir_ssl_hello_probe_object { description "SSL hello probe information"; uses apply-advanced; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
65535"; } }
      default "443";
      description "Port number";
    }
    // SSL protocol version used by the hello probe; "3" when not set.
    // NOTE(review): only SSL 2 and SSL 3 are modelled. Both are obsolete
    // (RFC 6176 and RFC 7568 prohibit their use), and nothing in this
    // grouping shows a TLS option. Confirm how the probe behaves against
    // TLS-only real servers before relying on it.
    leaf version {
      type enumeration {
        enum "2" { value 0; description "SSL version 2"; }
        enum "3" { value 1; description "SSL version 3"; }
      }
      default "3";
      description "SSL version";
    }
  } // grouping tdir_ssl_hello_probe_object

  // TCP probe parameters: a single port leaf with no default.
  grouping tdir_tcp_probe_object {
    description "TCP probe information";
    uses apply-advanced;
    // The union accepts a number in 1..65535 or any string matching
    // "<.*>|$.*". Values taken by the string branch are not subject to the
    // numeric range, so consumers of this schema should not assume the leaf
    // always holds an integer.
    leaf port {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1 .. 65535"; }
      }
      description "Port number";
    }
  } // grouping tdir_tcp_probe_object

  // Trace settings for traffic load balancing: output file, severity level
  // and the list of event flags to trace.
  grouping tdir_traceoptions_object {
    description "Traffic load balance trace options";
    uses apply-advanced;
    // Accepted only when [system tracing] is configured (see the must-message).
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      // Per its pattern-message the name may not contain '/', '%' or a space,
      // so the value cannot carry a directory component: it names a file, not
      // a path.
      leaf filename {
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      // Free-form string; no unit or range is enforced by this schema.
      leaf size {
        type string;
        description "Maximum trace file size";
      }
      // Maximum number of trace files: 2..1000, default 3.
      leaf files {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 1000"; }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // Mutually exclusive read-permission switches for the trace file.
      // NOTE(review): neither case carries a default, so the permission that
      // applies when both are omitted is decided outside this schema. Trace
      // output may include configuration and traffic detail; prefer setting
      // no-world-readable explicitly unless wider read access is required.
      choice world-readable-choice {
        leaf world-readable {
          type empty;
          description "Allow any user to read the log file";
        }
        leaf no-world-readable {
          type empty;
          description "Don't allow any user to read the log file";
        }
      } // choice world-readable-choice
      // Optional regular expression selecting which lines are logged.
      leaf match {
        type jt:regular-expression;
        description "Regular expression for lines to be logged";
      }
    } // container file
    // Severity threshold for trace output; "error" when not set.
    leaf level {
      type enumeration {
        enum "error" { value 0; description "Match error conditions"; }
        enum "warning" { value 1; description "Match warning messages"; }
        enum "notice" { value 2; description "Match conditions that should be handled specially"; }
        enum "info" { value 3; description "Match informational messages"; }
        enum "verbose" { value 4; description "Match verbose messages"; }
        enum "all" { value 5; description "Match all levels"; }
      }
      default "error";
      description "Level of debugging output";
    }
    // User-ordered list of event categories to trace, keyed by flag name.
    list flag {
      key "name";
      ordered-by user;
      description "Tracing flag parameters";
      leaf name {
        type enumeration {
          enum "normal" { value 0; description "Trace normal events"; }
          enum "config" { value 1; description "Trace traffic load balance config events"; }
          enum "connect" { value 2; description "Trace traffic load balance ipc events"; }
          enum "health" { value 3; description "Trace traffic load balance health events"; }
          enum "parse" { value 4; description "Trace traffic load balance parse events"; }
          enum "probe" { value 5; description "Trace traffic load balance probe events"; }
          enum "route" { value 6; description "Trace traffic load balance route events"; }
          enum "snmp" { value 7; description "Trace traffic load balance snmp events"; }
          enum "statistics" { value 8; description "Trace traffic load balance statistics events"; }
          enum "system" { value 9; description "Trace traffic load balance system events"; }
          enum "operational-commands" { value 10; description "Trace traffic load balance show events"; }
          enum "filter" { value 11; description 
"Trace traffic load balance filter programming events"; } enum "batch" { value 12; description "Trace traffic load balance Batching related events"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag list monitor { key "name"; leaf name { type string { length "1 .. 20"; } description "Monitor name"; } uses apply-advanced; leaf virtual-svc-name { type string { length "1 .. 20"; } description "Virtual service name"; } leaf instance-name { type string { length "1 .. 20"; } description "Instance name"; } } // list monitor container in-memory-tracing { presence "enable in-memory-tracing"; leaf max-lines { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "5120 .. 20480"; } } description "Number of max lines in memory tracing"; } } // container in-memory-tracing } // grouping tdir_traceoptions_object grouping tdir_virtual_service_object { leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in virtual-service"; length "1 .. 20"; } description "Virtual service name"; } uses apply-advanced; leaf mode { type enumeration { enum "layer2-direct-server-return" { value 0; description "Layer2 Direct Server Return mode"; } enum "direct-server-return" { value 1; description "Direct Server Return mode"; } enum "translated" { value 2; description "Translated mode"; } } description "Virtual service mode"; } leaf address { type jt:ipaddr; description "IP address"; } leaf route-metric { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 255"; } } default "1"; description "Route metric"; } leaf rebalance-threshold { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 100"; } } default "25"; description "Rebalance threshold"; } leaf routing-instance { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; length "1 .. 
30"; } description "Routing instance name"; } list service { key "name"; max-elements 1; description "Listening service configuration"; uses tdir_virtual_service_svc_object; } // list service leaf-list server-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } ordered-by user; description "Server facing interface name"; } leaf group { junos:must "(".. .. group $$")"; junos:must-message "group is not defined"; type string { length "1 .. 20"; } description "Group name"; } container load-balance-method { presence "enable load-balance-method"; description "Load balance method"; uses apply-advanced; choice method-type { container hash { presence "enable hash"; description "Load balance hash method"; uses apply-advanced; container hash-key { presence "enable hash-key"; description "Hash-key type"; uses tdir_virtual_service_lb_hash_method_obj; } // container hash-key } // container hash leaf random { type empty; description "Load balance random method"; } } // choice method-type } // container load-balance-method } // grouping tdir_virtual_service_object grouping tdir_virtual_service_lb_hash_method_obj { uses apply-advanced; leaf source-ip { type empty; description "Source-address based hashing"; } leaf destination-ip { type empty; description "Destination-address based hashing"; } leaf protocol { type empty; description "Protocol based hashing"; } } // grouping tdir_virtual_service_lb_hash_method_obj grouping tdir_virtual_service_svc_object { description "Service information in virtual service"; leaf name { type string { junos:posix-pattern "![.]"; junos:pattern-message "Usage of '.' is not allowed in virtual-service"; length "1 .. 20"; } description "Service name"; } uses apply-advanced; leaf virtual-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Virtual port number"; } leaf server-listening-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 
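65535"; } }
      description "Server listening port";
    }
    // Transport protocol of the listening service, given as a free-form string.
    // NOTE(review): no enumeration or pattern constrains the value here, so
    // checking the protocol name is left to whatever consumes the
    // configuration. Confirm the accepted values.
    leaf protocol {
      type string;
      description "Service transport protocol";
    }
    leaf include-real-server-ips-in-server-filter {
      type empty;
      description "Includes list of all real server ip address in server filter";
    }
  } // grouping tdir_virtual_service_svc_object

  // Optional fields to add to the syslog time format: year and millisecond.
  grouping time-format-object {
    uses apply-advanced;
    leaf year {
      type empty;
      description "Year in time format for syslog";
    }
    leaf millisecond {
      type empty;
      description "Millisecond in time format for syslog";
    }
  } // grouping time-format-object

  // Key leaf restricted to a fixed set of seven method names.
  grouping transaction-method-type {
    leaf name {
      type enumeration {
        enum "method-invite" { value 0; }
        enum "method-options" { value 1; }
        enum "method-refer" { value 2; }
        enum "method-subscribe" { value 3; }
        enum "method-publish" { value 4; }
        enum "method-message" { value 5; }
        enum "method-register" { value 6; }
      }
    }
    uses apply-advanced;
  } // grouping transaction-method-type

  // A named policy holding up to 20 user-ordered terms, each with an optional
  // "from" match and an optional "then" action.
  grouping transaction_policy_type {
    leaf name {
      type string;
      description "Policy name";
    }
    uses apply-advanced;
    list term {
      key "name";
      max-elements 20;
      ordered-by user;
      description "Term definition";
      leaf name {
        type string;
        description "Term name";
      }
      uses apply-advanced;
      container from {
        presence "enable from";
        description "From action";
        uses new_transaction_from_type;
      } // container from
      container then {
        presence "enable then";
        description "Action";
        uses new_transaction_then_type;
      } // container then
    } // list term
  } // grouping transaction_policy_type

  // Actions available in the "then" part of a transaction policy term.
  grouping new_transaction_then_type {
    uses apply-advanced;
    // NOTE(review): accept and reject are independent leaves rather than cases
    // of a choice, so this schema does not prevent both being set on one term.
    // Presumably the device resolves or rejects that at commit; confirm.
    leaf accept {
      type empty;
      description "Accept the request";
    }
    leaf reject {
      type empty;
      description "Reject the request";
    }
    container route {
      description "How to route the request";
      uses route_action;
    } // container route
    leaf trace {
      type empty;
      description "Trace messages accepted on this policy";
    }
    // Must name an admission controller defined under the same gateway.
    leaf admission-control {
      junos:must "("services border-signaling-gateway gateway ${gateway} admission-control $$")";
      junos:must-message "Referenced 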
admission controller must be defined"; type string; description "Admission controller for the request"; } container message-manipulation { presence "enable message-manipulation"; description "Definitions of forward and reverse manipulations "; uses apply-advanced; list forward-manipulation { key "name"; max-elements 5; ordered-by user; leaf name { junos:must "("services border-signaling-gateway gateway ${gateway} sip message-manipulation-rules manipulation-rule $$")"; junos:must-message "Referenced message manipulation must be defined"; type string; description "Forward manipulation rules"; } uses apply-advanced; } // list forward-manipulation list reverse-manipulation { key "name"; max-elements 5; ordered-by user; leaf name { junos:must "("services border-signaling-gateway gateway ${gateway} sip message-manipulation-rules manipulation-rule $$")"; junos:must-message "Referenced message manipulation must be defined"; type string; description "Reverse manipulation rules"; } uses apply-advanced; } // list reverse-manipulation } // container message-manipulation leaf signaling-realm { junos:must "("services border-signaling-gateway gateway ${gateway} sip signaling-realms $$")"; junos:must-message "Referenced signaling realm must be defined"; type string; description "Signaling realm"; } container on-3xx-response { presence "enable on-3xx-response"; description "Behavior on receiving a 3XX Response"; uses apply-advanced; choice _3xx_recursion { leaf recursion-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } default "16"; description "The number of recursion to manage"; } } // choice _3xx_recursion } // container on-3xx-response } // grouping new_transaction_then_type grouping route_action { uses apply-advanced; container next-hop { junos:must "(!(".. 
server-cluster"))"; junos:must-message "Definition of a next-hop excludes the definition of a server-cluster"; presence "enable next-hop"; uses apply-advanced; choice next-hop { container address { presence "enable address"; description "Static route by IP address"; uses routing-destination-address; } // container address leaf request-uri { type empty; description "Route by request-uri"; } leaf sip-based { type empty; status deprecated; description "Routing based on the SIP procedures"; } } // choice next-hop } // container next-hop leaf egress-service-point { junos:must "(("services border-signaling-gateway gateway ${gateway} service-point $$" && !(".. server-cluster")))"; junos:must-message "egress-service-point must be defined. Definition of an egress-service-point excludes the definition of a server-cluster"; type string; description "Exit point"; } leaf server-cluster { junos:must "(("services border-signaling-gateway gateway ${gateway} sip routing-destinations clusters $$" && (!(".. egress-service-point") && !(".. next-hop"))))"; junos:must-message "Referenced cluster must be defined. 
Definition of a server-cluster excludes the definition of egress-service-point or next-hop";
      type string;
      description "Cluster name";
    }
  } // grouping route_action

  // Exclusive choice of transport: udp or tcp.
  grouping transport_protocol {
    uses apply-advanced;
    choice transport-protocol {
      leaf udp { type empty; }
      leaf tcp { type empty; }
    } // choice transport-protocol
  } // grouping transport_protocol

  // Tunnel interface used for the flow-tap service.
  grouping tunnel_interface_type {
    description "One or more tunnel interfaces on which to configure flow-tap service";
    // Three commit-time constraints apply to the interface named here:
    //   - [services dynamic-flow-capture] must not be configured;
    //   - the interface must not have a family inet firewall filter;
    //   - the interface must have family inet configured.
    // NOTE(review): flow-tap presumably exposes traffic to a monitoring
    // consumer; changes under this hierarchy are worth restricting and
    // auditing. Confirm against the feature documentation.
    leaf name {
      junos:must "(!("services dynamic-flow-capture"))";
      junos:must-message "Dynamic flow capture cannot be configured when flow-tap is configured";
      junos:must "(!("interfaces $$-IFL family inet filter"))";
      junos:must-message "Tunnel Interface assigned for Radius-Flow-Tap cannot be configured with firewall filter";
      junos:must "("interfaces $$-IFL family inet")";
      junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy";
      type union {
        type jt:interface-unit;
        type string { pattern "<.*>|$.*"; }
      }
      description "Tunnel Interface name";
    }
    uses apply-advanced;
  } // grouping tunnel_interface_type

  // Policy action that tunnels packets through a named IPsec VPN.
  grouping tunnel_type {
    description "Tunnel packets";
    uses apply-advanced;
    choice ipsec-vpn-choice {
      // The referenced VPN must exist under [security ipsec vpn] and must not
      // have a bind-interface (route-based VPNs are rejected for policy use).
      leaf ipsec-vpn {
        junos:must "(!("security ipsec vpn $$ bind-interface"))";
        junos:must-message "Route based ipsec-vpn cannot be referenced for policy";
        junos:must "("security ipsec vpn $$")";
        junos:must-message "Security VPN must be defined";
        type string { length "1 .. 63"; }
        description "Enable VPN with name";
      }
      // Deprecated alternative; the group VPN must exist under
      // [security group-vpn member ipsec vpn].
      leaf ipsec-group-vpn {
        junos:must "("security group-vpn member ipsec vpn $$")";
        junos:must-message "Security group VPN must be defined";
        type string { length "1 .. 63"; }
        status deprecated;
        description "Enable dynamic IPSEC group with name";
      }
    } // choice ipsec-vpn-choice
    // Name of the policy for the reverse direction. This leaf carries no
    // junos:must, so the schema does not check that the policy exists.
    leaf pair-policy {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Policy in the reverse direction, to form a pair";
    }
  } // grouping tunnel_type

  // TWAMP authentication key chain: a named chain holding key-id entries,
  // each with an identifier and a secret.
  grouping twamp-authentication-key-chain {
    // Chain name, 1..32 characters (enforced by the posix-pattern).
    leaf name {
      type string {
        junos:posix-pattern "^.{1,32}$";
        junos:pattern-message "Must be string of 32 characters or less";
      }
      description "Name of authentication key chain";
    }
    uses apply-advanced;
    list key-id {
      key "name";
      description "Authentication element configuration";
      leaf name {
        type string { length "1 .. 80"; }
        description "Authentication element identifier";
      }
      uses apply-advanced;
      // NOTE(review): the key is typed as an ordinary string of 1..256
      // characters. Nothing on this leaf marks it as sensitive, so tools
      // driven by the schema cannot tell that it should be masked, and a
      // one-character key passes validation. Treat values of this leaf as
      // secrets in configuration exports, management-protocol replies and
      // logs. How the device stores or displays the value is not visible here.
      leaf secret {
        type string { length "1 .. 256"; }
        description "Authentication key";
      }
    } // list key-id
  } // grouping twamp-authentication-key-chain

  // URL filtering profile.
  grouping urlf-profile-object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 64";
      }
      description "Name of profile";
    }
    uses apply-advanced;
    // Accepted only when [services web-filter multi-tenant-support] is set.
    leaf feed-name {
      junos:must "("services web-filter multi-tenant-support")";
      junos:must-message "feed names only relevant in multi-tenant mode";
      type string { length "1 .. 64"; }
      description "Name of feed";
    }
    // Path of the filter database file; rejected when
    // security-intelligence-policy is configured on the same profile.
    // NOTE(review): the value is an unconstrained string of up to 1024
    // characters. Unlike the trace "filename" leaves in this module, no
    // pattern limits which characters or directories may appear. Confirm that
    // the consuming daemon validates the location and ownership of the file.
    leaf url-filter-database {
      junos:must "(!(".. security-intelligence-policy"))";
      junos:must-message "Not applicable for security intelligence based profiles";
      type string { length "1 .. 1024"; }
      description "Full path of the file";
    }
    leaf global-dns-filter-stats-log-timer {
      junos:must "(!(".. 
security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60"; } } units "minutes"; default "5"; description "Global DNS filtering statistics log timer in minutes"; } container security-intelligence-policy { presence "enable security-intelligence-policy"; description "Use the database supplied by security intelligence for blacklisted traffic."; uses apply-advanced; leaf file-type { type enumeration { enum "txt" { value 0; description "Policy DB is a text file"; } enum "json" { value 1; description "Policy DB is in json format"; } } } list threat-level { key "name"; max-elements 10; ordered-by user; description "Define a URL filtering threat level"; uses threat-level-object; } // list threat-level } // container security-intelligence-policy container dns-filter { junos:must "(!(".. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; presence "enable dns-filter"; description "DNS filter information"; uses dns-filter-object; } // container dns-filter list url-filter-template { key "name"; max-elements 8000; ordered-by user; description "URL filter template"; uses urlf-template-object; } // list url-filter-template list dns-filter-template { junos:must "(!(".. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; key "name"; max-elements 8000; ordered-by user; description "DNS filter template"; uses dnsf-template-object; } // list dns-filter-template } // grouping urlf-profile-object grouping dns-filter-object { uses apply-advanced; leaf database-file { junos:must "(!("services web-filter multi-tenant-support"))"; junos:must-message "Not applicable for multi-tenant"; type string { length "1 .. 
1024"; }
      description "Full path of the DNS filter database file";
    }
    // Up to 20 DNS server addresses, kept in the order configured.
    leaf-list dns-server {
      type jt:ipaddr;
      max-elements 20;
      ordered-by user;
      description "One or more DNS servers addresses";
    }
    // Key for the domain hash, supplied either as text or as hex digits.
    // NOTE(review): both forms allow a length of 1, so a trivially short key
    // passes schema validation, and the hexadecimal pattern does not require
    // an even number of digits. The key sits in the configuration as an
    // ordinary string; treat it as a secret when exporting or logging
    // configuration. How the device stores it is not visible here.
    container hash-key {
      description "Define hash key for domains key";
      choice key-choice {
        leaf ascii-text {
          type string { length "1 .. 255"; }
          description "Format as text";
        }
        leaf hexadecimal {
          type string {
            junos:posix-pattern "^[[:xdigit:]]+$";
            junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
            length "1 .. 255";
          }
          description "Format as hexadecimal";
        }
      } // choice key-choice
    } // container hash-key
    // Keyed-hash algorithm; may only be set when hash-key is present.
    // HMAC-SHA2-256 is the only value modelled.
    leaf hash-method {
      junos:must "(".. hash-key")";
      junos:must-message "hash-key is mandatory";
      type enumeration {
        enum "hmac-sha2-256" { value 0; description "HMAC-SHA2-256 authentication algorithm"; }
      }
      description "Define authentication algorithm";
    }
    // Statistics log interval: 0..60 minutes, default 5.
    leaf statistics-log-timer {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 60"; }
      }
      units "minutes";
      default "5";
      description "DNS log timer in minutes";
    }
    // TTL placed in DNS responses: 0..3600 seconds, default 1800.
    leaf dns-resp-ttl {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 3600"; }
      }
      units "seconds";
      default "1800";
      description "TTL to be used in DNS response";
    }
    leaf wildcarding-level {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 
10"; } } default "2"; description "Wildcarding level for exact match"; } leaf txt-resp-err-code { type enumeration { enum "Noerror" { value 0; description "No error response"; } enum "Refused" { value 1; description "Refuse the DNS Query"; } } default "Refused"; description "Text response error code"; } leaf srv-resp-err-code { type enumeration { enum "Noerror" { value 0; description "No error response"; } enum "Refused" { value 1; description "Refuse the DNS Query"; } } default "Refused"; description "Server response error code"; } } // grouping dns-filter-object grouping dnsf-template-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 64"; } description "Name of template"; } uses apply-advanced; leaf feed-name { junos:must "("services web-filter multi-tenant-support")"; junos:must-message "Feed names only relevant in multi-tenant mode"; type string { length "1 .. 
64"; } description "Name of feed"; } container dns-filter { presence "enable dns-filter"; description "DNS filter information"; uses dns-filter-object; } // container dns-filter leaf-list client-interfaces { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } max-elements 64; ordered-by user; description "Client facing interfaces on which the dns filtering is applied"; } leaf-list server-interfaces { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } max-elements 64; ordered-by user; description "Server facing interfaces to which traffic destined to"; } leaf client-routing-instance { type string; description "Routing instance name"; } leaf server-routing-instance { type string; description "Routing instance name"; } list term { key "name"; max-elements 64; ordered-by user; description "Define a DNS filtering term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 64"; } description "Term name"; } uses apply-advanced; leaf feed-name { junos:must "("services web-filter multi-tenant-support")"; junos:must-message "Feed names only relevant in multi-tenant mode"; type string { length "1 .. 
64"; } description "Name of feed"; } container from { description "Define match criteria"; uses dnsf-match-object; } // container from container then { presence "enable then"; description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice dns-filter-action { leaf dns-sinkhole { type empty; description "DNS sinkhole"; } } // choice dns-filter-action } // container then } // list term } // grouping dnsf-template-object grouping dnsf-match-object { uses apply-advanced; leaf-list src-ip-prefix { type jt:ipprefix; max-elements 64; ordered-by user; description "Source IP Prefix list specification"; } } // grouping dnsf-match-object grouping threat-level-object { leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Threat level value"; } uses apply-advanced; container threat-action { presence "enable threat-action"; description "Action to be taken for the given threat level "; uses apply-advanced; choice secintl-action { leaf accept { type empty; description "Accept"; } leaf log { type empty; description "Log"; } leaf drop { type empty; description "Drop"; } leaf drop-and-log { type empty; description "Drop and log"; } leaf drop-and-sample { type empty; description "Drop and sample"; } leaf drop-log-and-sample { type empty; description "Drop log and sample"; } leaf log-and-sample { type empty; description "Log and sample"; } leaf sample { type empty; description "Push packets to sampling collector"; } } // choice secintl-action } // container threat-action } // grouping threat-level-object grouping urlf-template-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
64"; } description "Name of template"; } uses apply-advanced; leaf-list client-interfaces { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } max-elements 64; ordered-by user; description "Client facing interfaces on which the url filtering is applied"; } leaf-list server-interfaces { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } max-elements 64; ordered-by user; description "Server facing interfaces to which traffic destined to"; } leaf dns-source-interface { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Interface on which the DNS queries are originated"; } leaf dns-routing-instance { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type string; description "Routing instance for DNS queries"; } leaf client-routing-instance { type string; description "Routing instance name"; } leaf-list dns-server { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "DNS server must not be configured for security intelligence based profiles"; type jt:ipaddr; max-elements 2; ordered-by user; description "One or more DNS servers addresses"; } leaf dns-resolution-interval { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 1440"; } } units "minutes"; default "1440"; description "DNS resolution timer in minutes"; } leaf dns-retries { junos:must "(!(".. .. 
security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } default "3"; description "DNS resolution attempts"; } leaf dns-resolution-rate { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "50 .. 100"; } } default "50"; description "DNS resolution rate per chunk interval"; } leaf url-filter-database { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type string { length "1 .. 1024"; } description "Full path of the file"; } leaf disable-url-ip-filtering { junos:must "(!(".. .. security-intelligence-policy"))"; junos:must-message "Not applicable for security intelligence based profiles"; type empty; description "Disable filtering of IPs belonging to blocklisted domains"; } container security-intelligence-policy { presence "enable security-intelligence-policy"; description "Use the database supplied by security intelligence"; uses apply-advanced; list threat-level { key "name"; max-elements 10; ordered-by user; description "Define a URL filtering threat level"; uses template-threat-level-object; } // list threat-level } // container security-intelligence-policy list term { key "name"; max-elements 8; ordered-by user; description "Define a url filtering term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
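64"; }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        description "Define match criteria";
        uses urlf-match-object;
      } // container from
      // Action applied when the term's "from" criteria match; exactly one of
      // the cases below may be chosen.
      container then {
        presence "enable then";
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        choice url-filter-action {
          // Free-form string of 1..1024 characters; this schema does not
          // restrict the scheme or host.
          // NOTE(review): whoever can edit this leaf presumably decides where
          // matched clients are sent. Review configured values and limit
          // write access to this hierarchy.
          leaf redirect-url {
            type string { length "1 .. 1024"; }
            description "Redirect URL";
          }
          // NOTE(review): the upper bound is 1025 here but 1024 on
          // redirect-url; possibly an off-by-one in the model. Left as
          // published.
          leaf custom-page {
            type string { length "1 .. 1025"; }
            description "Custom page string";
          }
          // HTTP status code in the range 400..599.
          leaf http-status-code {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint16 { range "400 .. 599"; }
            }
            description "HTTP status code value";
          }
          leaf tcp-reset {
            type empty;
            description "TCP Reset";
          }
          leaf accept {
            type empty;
            description "Accept";
          }
        } // choice url-filter-action
      } // container then
    } // list term
  } // grouping urlf-template-object

  // Threat level entry for a template: a level value keyed by "name" plus an
  // optional action.
  grouping template-threat-level-object {
    // Threat level 1..10 (or a string matching the union's pattern).
    leaf name {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 10"; }
      }
      description "Threat level value";
    }
    uses apply-advanced;
    // Only two actions are offered at template level: drop-and-sample and
    // sample.
    container threat-action {
      presence "enable threat-action";
      description "Action to be taken for the given threat level ";
      uses apply-advanced;
      choice secintl-action {
        leaf drop-and-sample {
          type empty;
          description "Drop and sample";
        }
        leaf sample {
          type empty;
          description "Push packets to sampling collector";
        }
      } // choice secintl-action
    } // container threat-action
  } // grouping template-threat-level-object

  // Match criteria for a URL filtering term.
  grouping urlf-match-object {
    uses apply-advanced;
    // Up to 10 source prefixes, kept in the order configured.
    leaf-list src-ip-prefix {
      type jt:ipprefix;
      max-elements 10;
      ordered-by user;
      description "Source IP Prefix list specification";
    }
    leaf-list dest-ports {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1 .. 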
65535"; } } max-elements 10; ordered-by user; description " Destination port list specification"; } } // grouping urlf-match-object grouping urlf-traceoptions-object { description "URL filtering trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing flag parameters"; leaf name { type enumeration { enum "normal" { value 0; description "Trace normal events"; } enum "config" { value 1; 
description "Trace url filtering config events"; } enum "dns" { value 2; description "Trace url filtering DNS crawler events"; } enum "timer" { value 3; description "Trace url filtering timer events"; } enum "connect" { value 4; description "Trace url filtering ipc events"; } enum "parse" { value 5; description "Trace url filtering parse events"; } enum "statistics" { value 6; description "Trace url filtering statistics events"; } enum "system" { value 7; description "Trace url filtering system events"; } enum "operational-commands" { value 8; description "Trace url filtering show events"; } enum "filter" { value 9; description "Trace url filtering filter programming events"; } enum "gencfg" { value 10; description "Trace url filtering gencfg events"; } enum "routing" { value 11; description "Trace url filtering route programming events"; } enum "snmp" { value 12; description "Trace url filtering snmp events"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag } // grouping urlf-traceoptions-object grouping user-group-mapping-type { uses apply-advanced; container ldap { description "LDAP"; uses apply-advanced; leaf authentication-algorithm { type enumeration { enum "simple" { value 0; description "Simple authentication"; } } description "Authentication-algorithm"; } leaf ssl { type empty; description "SSL"; } leaf base { type string { length "1 .. 128"; } description "Base distinguished name"; } container user { description "User name"; uses apply-advanced; leaf user-name { type string { junos:posix-pattern "^[[:alnum:]._-]+$|^\\*$"; junos:pattern-message "Must be a string consisting of letters, numbers, dashes, underscores and dots"; length "1 .. 64"; } description "User name"; } leaf password { type string { length "1 .. 
128"; } description "Password string"; } } // container user
      // LDAP servers, kept in the order entered (ordered-by user).
      list address {
        key "name";
        ordered-by user;
        description "Address of LDAP server";
        leaf name { type jt:ipaddr; description "Address"; }
        uses apply-advanced;
        // No default is declared, so the port used when this leaf is unset is
        // not visible in this schema.
        leaf port {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint16 { range "1 .. 65535"; }
          }
          description "LDAP port";
        }
      } // list address
    } // container ldap
  } // grouping user-group-mapping-type

  // Identity and addressing of one user plane.
  grouping user-plane-object {
    leaf name {
      type string { length "1 .. 80"; }
      description "User plane name";
    }
    uses apply-advanced;
    leaf ip-address { type jt:ipv4addr; description "User plane ip address"; }
    leaf routing-instance {
      // Per the must-message, the named routing instance has to exist.
      junos:must "("routing-instances $$")";
      junos:must-message "Referenced routing instance must be defined";
      type string {
        // Negated pattern: rejects names wrapped in double underscores, the
        // name "all", anything containing a space, and 129+ characters.
        junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
        junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
      }
      description "User plane routing instance";
    }
    leaf data-network-name {
      type string { length "3 .. 102"; }
      description "Data network name";
    }
    container colocated-user-plane {
      presence "enable colocated-user-plane";
      description "User plane is colocated";
      uses apply-advanced;
      leaf ip-endpoint-address { type jt:ipv4addr; description "Endpoint ip address of user plane"; }
    } // container colocated-user-plane
  } // grouping user-plane-object

  // Address range: the key is the lower bound, "to/range-high" the upper bound.
  grouping usf-range-address-type {
    description "Range address";
    leaf name { type jt:ipprefix; description "Lower limit of address range"; }
    uses apply-advanced;
    // NOTE(review): the description says "Port range" although the child leaf
    // is an address upper limit; looks like a copy/paste leftover - confirm.
    container to {
      description "Port range upper limit";
      uses apply-advanced;
      leaf range-high { type jt:ipprefix; description "Upper limit of address range"; }
    } // container to
  } // grouping usf-range-address-type

  // 6rd concentrator definition (name pattern continues on the next line of
  // the page).
  grouping v6rd_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 
63"; } description "6rd concentrator name"; }
    uses apply-advanced;
    // NOTE(review): typed as an IPv4 address although the description says
    // "prefix" - confirm which is intended.
    leaf softwire-address { type jt:ipv4addr; description "Softwire concentrator IPV4 prefix"; }
    leaf ipv4-prefix { type jt:ipv4prefix; description "6rd customer edge IPV4 prefix"; }
    leaf v6rd-prefix { type jt:ipv6prefix; description "6rd domain's IPV6 prefix"; }
    leaf mtu-v4 {
      type union {
        // String alternative presumably admits Junos wildcard ("<...>") or
        // variable ("$...") forms - confirm.
        type string { pattern "<.*>|$.*"; }
        type int32 { range "576 .. 9192"; }
      }
      description "MTU for the softwire tunnel";
    }
  } // grouping v6rd_object

  // IPFIX flow-monitoring template: export timers, template ids, observation
  // domain, refresh rates, template type and flow key.
  grouping version-ipfix-template {
    description "One or more version-ipfix templates for flow monitoring";
    // Template name; no length or pattern restriction is declared.
    leaf name { type string; description "Name of template"; }
    uses apply-advanced;
    // Both timeouts accept 10..600 and default to 60.
    leaf flow-active-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "10 .. 600"; }
      }
      default "60";
      description "Interval after which active flow is exported";
    }
    leaf flow-inactive-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "10 .. 600"; }
      }
      default "60";
      description "Period of inactivity that marks a flow inactive";
    }
    // Template ids are limited to 1024..65535; no default is declared.
    leaf template-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1024 .. 65535"; }
      }
      description "Template id";
    }
    leaf option-template-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1024 .. 65535"; }
      }
      description "Options template id";
    }
    leaf observation-domain-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 255"; }
      }
      default "0";
      description "Observation Domain Id";
    }
    // Presence container; its description string continues on the next line
    // of the page.
    container nexthop-learning {
      presence "enable nexthop-learning";
      description "Nexthop learning parameter. 
Valid ONLY for INLINE-JFLOW";
      uses apply-advanced;
      // enable and disable are alternatives of one choice, so at most one of
      // them can be configured.
      choice enable-disable {
        leaf enable { type empty; description "Enable nexthop learning"; }
        leaf disable { type empty; description "Disable nexthop learning"; }
      } // choice enable-disable
    } // container nexthop-learning
    // Template refresh rate, expressed in packets and/or seconds. Only
    // "packets" declares a default (4800).
    container template-refresh-rate {
      presence "enable template-refresh-rate";
      description "Template refresh rate";
      uses apply-advanced;
      leaf packets {
        type union {
          // String alternative presumably admits Junos wildcard ("<...>") or
          // variable ("$...") forms - confirm.
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 480000"; }
        }
        default "4800";
        description "In number of packets";
      }
      leaf seconds {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10 .. 600"; }
        }
        description "In number of seconds";
      }
    } // container template-refresh-rate
    // Same shape as template-refresh-rate, for the option template.
    container option-refresh-rate {
      presence "enable option-refresh-rate";
      description "Option template refresh rate";
      uses apply-advanced;
      leaf packets {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 480000"; }
        }
        default "4800";
        description "In number of packets";
      }
      leaf seconds {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10 .. 
600"; } } description "In number of seconds"; } } // container option-refresh-rate
    // Exactly one template family can be selected: the containers below are
    // alternatives of a single choice.
    choice template-types {
      container ipv4-template {
        presence "enable ipv4-template";
        description "IPv4 template configuration";
        uses apply-advanced;
        // Optional extra fields appended to the exported template.
        list export-extension {
          key "name";
          ordered-by user;
          description "IPv4 template configuration with extra fields added to the template";
          leaf name {
            type enumeration {
              enum "flow-dir" { value 0; description "Flow-direction field type"; }
              enum "app-id" { value 1; description "Applicationid field type"; }
            }
          }
          uses apply-advanced;
        } // list export-extension
      } // container ipv4-template
      container ipv6-template {
        presence "enable ipv6-template";
        description "IPv6 template configuration";
        uses apply-advanced;
        list export-extension {
          key "name";
          ordered-by user;
          description "IPv6 template configuration with extra fields added to the template";
          leaf name {
            type enumeration {
              enum "flow-dir" { value 0; description "Flow-direction field type"; }
              enum "app-id" { value 1; description "Applicationid field type"; }
            }
          }
          uses apply-advanced;
        } // list export-extension
      } // container ipv6-template
      // NOTE(review): the must expression tests "flow-key flow-direction" and
      // "flow-key vlan-id", while the message reads "flow-direction/flow-key";
      // the second item presumably means vlan-id - confirm. Same wording on
      // bridge-template below.
      container vpls-template {
        junos:must "(!((".. flow-key flow-direction" || ".. flow-key vlan-id")))";
        junos:must-message "Flow key flow-direction/flow-key must not be configured with vpls template";
        presence "enable vpls-template";
        status deprecated;
        description "VPLS template configuration";
      } // container vpls-template
      container bridge-template {
        junos:must "(!((".. flow-key flow-direction" || ".. flow-key vlan-id")))";
        junos:must-message "Flow key flow-direction/flow-key must not be configured with bridge template";
        presence "enable bridge-template";
        description "BRIDGE template configuration";
      } // container bridge-template
      // The must expression continues on the next line of the page.
      container mpls-template {
        junos:must "((!(".. flow-key") || ".. 
tunnel-observation"))";
        junos:must-message "Flow key must not be configured for mpls template without tunnel observation";
        presence "enable mpls-template";
        description "MPLS template configuration";
        uses apply-advanced;
        // Up to three label positions, each in 1..8.
        leaf-list label-position {
          type union {
            // String alternative presumably admits Junos wildcard ("<...>")
            // or variable ("$...") forms - confirm.
            type string { pattern "<.*>|$.*"; }
            type uint8 { range "1 .. 8"; }
          }
          max-elements 3;
          ordered-by user;
          description "One or more MPLS label positions";
        }
      } // container mpls-template
      container mpls-ipv4-template {
        presence "enable mpls-ipv4-template";
        description "MPLS-IPv4 template must be configured only for MS-MIC and MS-MPC based line cards";
        uses apply-advanced;
        leaf-list label-position {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint8 { range "1 .. 8"; }
          }
          max-elements 3;
          ordered-by user;
          description "One or more MPLS label positions";
        }
      } // container mpls-ipv4-template
    } // choice template-types
    // NOTE(review): the must expression and its message refer to
    // "mpls-ipvx-template", but the choice above defines "mpls-ipv4-template";
    // confirm whether that reference can ever be satisfied.
    container tunnel-observation {
      junos:must "((".. ipv4-template" || (".. mpls-ipvx-template" || ".. mpls-template")))";
      junos:must-message "Tunnel observation must be configured only for ipv4,mpls and mpls-ipvx templates";
      description "Tunnel observation";
      uses apply-advanced;
      leaf mpls-over-udp { type empty; description "Mpls-over-udp"; }
      // ipv4 and ipv6 are each tied to the mpls-template by their own must.
      leaf ipv4 {
        junos:must "(".. .. mpls-template")";
        junos:must-message "Tunnel observation must be set to ipv4 only for mpls template";
        type empty;
        description "IPv4";
      }
      leaf ipv6 {
        junos:must "(".. .. mpls-template")";
        junos:must-message "Tunnel observation must be set to ipv6 only for mpls template";
        type empty;
        description "IPv6";
      }
    } // container tunnel-observation
    // Extra fields that become part of the flow key.
    container flow-key {
      description "Flow key for the template. Valid ONLY for INLINE-JFLOW";
      uses apply-advanced;
      leaf flow-direction { type empty; description "Include flow direction"; }
      leaf vlan-id { type empty; description "Include vlan ID"; }
      // The must expression continues on the next line of the page.
      leaf output-interface {
        junos:must "((".. .. vpls-template" || ".. .. 
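bridge-template"))"; junos:must-message "Flow-key output interface must be configured for bridge/vpls template"; type empty; description "Include output interface"; }
    } // container flow-key
  } // grouping version-ipfix-template

  // Version 9 flow-monitoring template: export timers, template ids, source
  // id, refresh rates, template type and flow key.
  grouping version9-template {
    description "One or more version 9 templates for flow monitoring";
    // Template name; no length or pattern restriction is declared.
    leaf name { type string; description "Name of template"; }
    uses apply-advanced;
    // Both timeouts accept 10..600 and default to 60.
    leaf flow-active-timeout {
      type union {
        // String alternative presumably admits Junos wildcard ("<...>") or
        // variable ("$...") forms - confirm.
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "10 .. 600"; }
      }
      default "60";
      description "Interval after which active flow is exported";
    }
    leaf flow-inactive-timeout {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "10 .. 600"; }
      }
      default "60";
      description "Period of inactivity that marks a flow inactive";
    }
    // Template ids are limited to 1024..65535; no default is declared.
    leaf template-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1024 .. 65535"; }
      }
      description "Template id";
    }
    leaf option-template-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1024 .. 65535"; }
      }
      description "Options template id";
    }
    leaf source-id {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 255"; }
      }
      default "0";
      description "Source Id";
    }
    // Unlike the other containers here, this one declares no presence
    // statement.
    container nexthop-learning {
      description "Nexthop learning parameter. Valid ONLY for INLINE-JFLOW";
      uses apply-advanced;
      // enable and disable are alternatives of one choice.
      choice enable-disable {
        leaf enable { type empty; description "Enable nexthop learning"; }
        leaf disable { type empty; description "Disable nexthop learning"; }
      } // choice enable-disable
    } // container nexthop-learning
    // Template refresh rate, in packets and/or seconds. Only "packets"
    // declares a default (4800).
    container template-refresh-rate {
      presence "enable template-refresh-rate";
      description "Template refresh rate";
      uses apply-advanced;
      leaf packets {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 480000"; }
        }
        default "4800";
        description "In number of packets";
      }
      leaf seconds {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10 .. 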
600"; } } description "In number of seconds"; } } // container template-refresh-rate
    // Same shape as template-refresh-rate, for the option template.
    container option-refresh-rate {
      presence "enable option-refresh-rate";
      description "Option template refresh rate";
      uses apply-advanced;
      leaf packets {
        type union {
          // String alternative presumably admits Junos wildcard ("<...>") or
          // variable ("$...") forms - confirm.
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "1 .. 480000"; }
        }
        default "4800";
        description "In number of packets";
      }
      leaf seconds {
        type union {
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "10 .. 600"; }
        }
        description "In number of seconds";
      }
    } // container option-refresh-rate
    // Exactly one template family can be selected: the containers below are
    // alternatives of a single choice.
    choice template-types {
      container mpls-ipv4-template {
        presence "enable mpls-ipv4-template";
        description "MPLS-IPv4 template must be configured only for MS-MIC and MS-MPC based line cards";
        uses apply-advanced;
        // Up to three label positions, each in 1..8.
        leaf-list label-position {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint8 { range "1 .. 8"; }
          }
          max-elements 3;
          ordered-by user;
          description "One or more MPLS label positions";
        }
      } // container mpls-ipv4-template
      // Per the must-message, a flow key is only accepted with this template
      // when tunnel-observation is configured as well.
      container mpls-template {
        junos:must "((!(".. flow-key") || ".. tunnel-observation"))";
        junos:must-message "Flow key must not be configured for mpls template without tunnel observation";
        presence "enable mpls-template";
        description "MPLS template configuration";
        uses apply-advanced;
        leaf-list label-position {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint8 { range "1 .. 
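8"; } } max-elements 3; ordered-by user; description "One or more MPLS label positions"; } } // container mpls-template
      container ipv6-template {
        presence "enable ipv6-template";
        description "IPv6 template configuration";
        uses apply-advanced;
        // Optional extra fields appended to the exported template. The
        // "flow-dir" description matches the wording used for the same enum
        // in version-ipfix-template.
        list export-extension {
          key "name";
          ordered-by user;
          description "IPv6 template configuration with extra fields added to the template";
          leaf name {
            type enumeration {
              enum "flow-dir" { value 0; description "Flow-direction field type"; }
              enum "app-id" { value 1; description "Applicationid field type"; }
            }
          }
          uses apply-advanced;
        } // list export-extension
        container nexthop-options {
          presence "enable nexthop-options";
          description "Additional information retrieved from nexthop";
          uses apply-advanced;
          choice nexthop-types {
            container mpls {
              presence "enable mpls";
              description "MPLS information retrieved from nexthop";
              uses apply-advanced;
              // Up to three label positions, each in 1..3 here (the template
              // containers above allow 1..8).
              leaf-list label-position {
                type union {
                  // String alternative presumably admits Junos wildcard
                  // ("<...>") or variable ("$...") forms - confirm.
                  type string { pattern "<.*>|$.*"; }
                  type uint8 { range "1 .. 3"; }
                }
                max-elements 3;
                ordered-by user;
                description "One or more MPLS label positions";
              }
            } // container mpls
          } // choice nexthop-types
        } // container nexthop-options
      } // container ipv6-template
      // Presence-only container: it carries no child nodes.
      container peer-as-billing-template {
        presence "enable peer-as-billing-template";
        description "Peer AS billing template configuration";
      } // container peer-as-billing-template
      container ipv4-template {
        presence "enable ipv4-template";
        description "IPv4 template configuration";
        uses apply-advanced;
        list export-extension {
          key "name";
          ordered-by user;
          description "IPv4 template configuration with extra fields added to the template";
          leaf name {
            type enumeration {
              enum "flow-dir" { value 0; description "Flow-direction field type"; }
              enum "app-id" { value 1; description "Applicationid field type"; }
            }
          }
          uses apply-advanced;
        } // list export-extension
        // The body of the choice continues on the next line of the page.
        container nexthop-options {
          presence "enable nexthop-options";
          description "Additional information retrieved from nexthop";
          uses apply-advanced;
          choice nexthop-types 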
{
            container mpls {
              presence "enable mpls";
              description "MPLS information retrieved from nexthop";
              uses apply-advanced;
              // Up to three label positions, each in 1..3.
              leaf-list label-position {
                type union {
                  // String alternative presumably admits Junos wildcard
                  // ("<...>") or variable ("$...") forms - confirm.
                  type string { pattern "<.*>|$.*"; }
                  type uint8 { range "1 .. 3"; }
                }
                max-elements 3;
                ordered-by user;
                description "One or more MPLS label positions";
              }
            } // container mpls
          } // choice nexthop-types
        } // container nexthop-options
      } // container ipv4-template
      // NOTE(review): the must expression tests "flow-key flow-direction" and
      // "flow-key vlan-id", while the message reads "flow-direction/flow-key";
      // the second item presumably means vlan-id - confirm. Same wording on
      // bridge-template below.
      container vpls-template {
        junos:must "(!((".. flow-key flow-direction" || ".. flow-key vlan-id")))";
        junos:must-message "Flow key flow-direction/flow-key must not be configured with vpls template";
        presence "enable vpls-template";
        status deprecated;
        description "VPLS template configuration";
      } // container vpls-template
      container bridge-template {
        junos:must "(!((".. flow-key flow-direction" || ".. flow-key vlan-id")))";
        junos:must-message "Flow key flow-direction/flow-key must not be configured with bridge template";
        presence "enable bridge-template";
        description "BRIDGE template configuration";
      } // container bridge-template
    } // choice template-types
    // NOTE(review): the must expression and its message refer to
    // "mpls-ipvx-template"; the version9-template choice defines
    // "mpls-ipv4-template" and no container of that name - confirm whether
    // the reference can ever be satisfied.
    container tunnel-observation {
      junos:must "((".. ipv4-template" || (".. mpls-ipvx-template" || ".. mpls-template")))";
      junos:must-message "Tunnel observation must be configured only for ipv4,mpls and mpls-ipvx templates";
      description "Tunnel observation";
      uses apply-advanced;
      leaf mpls-over-udp { type empty; description "Mpls-over-udp"; }
      // ipv4 and ipv6 are each tied to the mpls-template by their own must.
      leaf ipv4 {
        junos:must "(".. .. mpls-template")";
        junos:must-message "Tunnel observation must be set to ipv4 only for mpls template";
        type empty;
        description "IPv4";
      }
      leaf ipv6 {
        junos:must "(".. .. mpls-template")";
        junos:must-message "Tunnel observation must be set to ipv6 only for mpls template";
        type empty;
        description "IPv6";
      }
    } // container tunnel-observation
    // Extra fields that become part of the flow key; the description string
    // continues on the next line of the page.
    container flow-key {
      description "Flow key for the template. 
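Valid ONLY for INLINE-JFLOW";
      uses apply-advanced;
      leaf flow-direction { type empty; description "Include flow direction"; }
      leaf vlan-id { type empty; description "Include vlan ID"; }
      // Tied by its must expression to the vpls-template / bridge-template
      // containers.
      leaf output-interface {
        junos:must "((".. .. vpls-template" || ".. .. bridge-template"))";
        junos:must-message "Flow-key output interface must be configured for bridge/vpls template";
        type empty;
        description "Include output interface";
      }
    } // container flow-key
  } // grouping version9-template

  // Wrapper that exposes the "up" and "down" virtual-interface groupings as
  // two presence containers.
  grouping virtual-interface-indications-object {
    description "Virtual interface indications";
    uses apply-advanced;
    container virtual-interface-up {
      presence "enable virtual-interface-up";
      uses pgcp-virtual-interface-up-object;
    } // container virtual-interface-up
    container virtual-interface-down {
      presence "enable virtual-interface-down";
      uses pgcp-virtual-interface-down-object;
    } // container virtual-interface-down
  } // grouping virtual-interface-indications-object

  // Service-change behaviour when a virtual interface goes down. The numeric
  // suffixes are presumably service-change reason codes - confirm.
  grouping pgcp-virtual-interface-down-object {
    description "Virtual interface down";
    uses apply-advanced;
    leaf graceful {
      type enumeration {
        enum "none" { value 0; description "Suppress graceful-905 service change"; }
        enum "graceful-905" { value 1; description "Termination taken out of service"; }
      }
      description "Configure graceful service change";
    }
    leaf administrative {
      type enumeration {
        enum "forced-905" { value 0; description "Termination taken out of service"; }
        enum "forced-906" { value 1; description "Loss of lower layer connectivity"; }
        enum "none" { value 2; description "Suppress service change"; }
      }
      description "Configure administrative service change";
    }
    // Deprecated leaf: the leaf and every one of its enum values carry
    // "status deprecated".
    leaf failure {
      type enumeration {
        enum "forced-904" { value 0; status deprecated; description "Termination malfunctioning"; }
        enum "forced-906" { value 1; status deprecated; description "Loss of lower layer connectivity"; }
        enum "none" { value 2; status deprecated; description "Suppress service change"; }
      }
      status deprecated;
      description "Configure failure service change";
    }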
leaf link-loss {
      // Deprecated leaf: the leaf and both enum values carry
      // "status deprecated".
      type enumeration {
        enum "forced-906" { value 0; status deprecated; description "Loss of lower layer connectivity"; }
        enum "none" { value 1; status deprecated; description "Suppress forced-906 service change"; }
      }
      status deprecated;
      description "Configure link-loss service change";
    }
  } // grouping pgcp-virtual-interface-down-object

  // Service-change behaviour when a virtual interface comes up. The numeric
  // suffixes are presumably service-change reason codes - confirm.
  grouping pgcp-virtual-interface-up-object {
    description "Virtual interface up";
    uses apply-advanced;
    leaf warm {
      type enumeration {
        enum "restart-900" { value 0; description "Service restored"; }
        enum "none" { value 1; description "Suppress restart-900 service change"; }
      }
      description "Configure warm-boot service change";
    }
    leaf cancel-graceful {
      type enumeration {
        enum "none" { value 0; description "Suppress restart-918 service change"; }
        enum "restart-918" { value 1; description "Cancel graceful"; }
      }
      description "Configure cancel-graceful service change";
    }
  } // grouping pgcp-virtual-interface-up-object

  // Web secure proxy profiles: each profile lists proxy server addresses and
  // (further down) the dynamic applications it applies to.
  grouping web-config {
    uses apply-advanced;
    list profile {
      key "name";
      ordered-by user;
      description "Configure web secure proxy profile";
      leaf name {
        type string { length "1 .. 63"; }
        description "Web secure proxy profile name";
      }
      uses apply-advanced;
      list proxy-address {
        key "name";
        ordered-by user;
        description "Proxy server addresses";
        leaf name {
          type string { length "1 .. 63"; }
          description "Address name";
        }
        uses apply-advanced;
        // Typed as a prefix, so a prefix length is part of the value.
        leaf ip { type jt:ipprefix; description "IP address and prefix-length"; }
        // No default port is declared; the range continues on the next line
        // of the page.
        leaf port {
          type union {
            // String alternative presumably admits Junos wildcard ("<...>")
            // or variable ("$...") forms - confirm.
            type string { pattern "<.*>|$.*"; }
            type uint16 { range "1 .. 
65535"; } } description "Port number"; }
      } // list proxy-address
      // No description is declared for this leaf-list; by name it parallels
      // dynamic-web-application-group below.
      leaf-list dynamic-web-application { type string; ordered-by user; }
      leaf-list dynamic-web-application-group {
        type string;
        ordered-by user;
        description "Specify dynamic application group name to match";
      }
      // NOTE(review): what happens on a DNS error when this flag is unset is
      // not stated in this schema; presumably the session is not dropped -
      // confirm, since that decides whether the proxy fails open or closed.
      leaf drop-on-dns-error { type empty; description "Drop Web Proxy Session on DNS error"; }
    } // list profile
  } // grouping web-config

  // Trace (debug log) settings for the web proxy: remote-trace switch, output
  // file, verbosity level and per-event flags.
  grouping web-proxy-traceoptions {
    uses apply-advanced;
    leaf no-remote-trace {
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      leaf filename {
        type string {
          // Rejects '/', space and '%' (see pattern-message), so the value
          // cannot carry a path separator. The directory the file is written
          // to is not defined in this grouping.
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      // Plain string: no pattern or range constrains the size at schema level.
      leaf size { type string; description "Maximum trace file size"; }
      // The numeric range continues on the next line of the page.
      leaf files {
        type union {
          // String alternative presumably admits Junos wildcard ("<...>") or
          // variable ("$...") forms - confirm.
          type string { pattern "<.*>|$.*"; }
          type uint32 { range "2 .. 
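1000"; } }
        default "3";
        description "Maximum number of trace files";
      }
      // Two alternatives of one choice, so at most one can be set; no default
      // case is declared here. Trace output may expose operational detail, so
      // world-readable is best left unset unless it is really needed.
      choice world-readable-choice {
        leaf world-readable { type empty; description "Allow any user to read the log file"; }
        leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
      } // choice world-readable-choice
      leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; }
    } // container file
    // Verbosity of the trace output; defaults to "brief".
    leaf level {
      type enumeration {
        enum "brief" { value 0; description "Brief debugging output"; }
        enum "detail" { value 1; description "Detailed debugging output"; }
        enum "extensive" { value 2; description "Extensive debugging output"; }
        enum "verbose" { value 3; description "Verbose debugging output"; }
      }
      default "brief";
      description "Level of debugging output";
    }
    // Event categories to trace, keyed by flag name.
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        type enumeration {
          enum "cli-configuration" { value 0; description "Trace CLI configuration events"; }
          enum "ipc" { value 1; description "Trace Inter-process communication events"; }
          enum "svc-config" { value 2; description "Trace service configuration events in DataPath"; }
          enum "flow-session" { value 3; description "Trace flow-session events"; }
          enum "all" { value 4; description "Trace everything"; }
        }
      }
    } // list flag
  } // grouping web-proxy-traceoptions

  // Wildcard address entry. The key is a plain string limited only by length;
  // the a.d.d.r/netmask form named in the description is not enforced by a
  // pattern in this schema.
  grouping wildcard-address-type {
    description "Wildcard address and mask";
    leaf name {
      type string { length "1 .. 63"; }
      description "Numeric IPv4 wildcard address in the form of a.d.d.r/netmask";
    }
    uses apply-advanced;
  } // grouping wildcard-address-type
} // module junos-nfx-conf-services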