Junos security configuration module
Version: 2019-01-01
module junos-qfx-conf-security { yang-version 1; namespace "http://yang.juniper.net/junos-qfx/conf/security"; prefix jc-security; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-qfx-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos security configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses security-group; } augment /jc:configuration/jc:groups { uses security-group; } grouping security-group { container security { description "Security configuration"; uses apply-advanced; container alarms { description "Configure security alarms"; uses apply-advanced; container audible { presence "enable audible"; description "Beep when new security alarms arrive"; uses apply-advanced; leaf continuous { type empty; description "Keep beeping until all security alarms have been cleared"; } } // container audible container potential-violation { description "Configure potential security violations"; uses apply-advanced; leaf authentication { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10"; } } description "Raise alarm for specified number of authentication failures"; } leaf cryptographic-self-test { type empty; description "Raise alarm for cryptographic self test failures"; } leaf key-generation-self-test { type empty; description "Raise alarm for key generation self test failures"; } leaf non-cryptographic-self-test { type empty; description "Raise alarm for non-cryptographic self test failures"; } container policy { description "Raise alarm for flow policy violations"; } // container policy container replay-attacks { presence "enable replay-attacks"; description "No. of Replay attacks before which an alarm needs to be raised"; uses apply-advanced; leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } } default "1000"; description "Replay threshold value"; } } // container replay-attacks leaf security-log-percent-full { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 100"; } } description "Raise alarm when security log exceeds this percent capacity"; } } // container potential-violation } // container alarms container log { description "Configure auditable security logs"; uses log-object; } // container log container certificates { description "X.509 certificate configuration"; uses apply-advanced; list local { key "name"; ordered-by user; description "Local X.509 certificate configuration"; uses certificate-object; } // list local leaf path-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "15"; description "Maximum certificate path length"; } leaf maximum-certificates { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4294967295"; } } default "1024"; description "Maximum number of certificates to cache"; } leaf cache-size { type string; units "bytes"; description "Maximum size of certificate cache"; } leaf cache-timeout-negative { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 4294967295"; } } default "20"; description "Time in seconds to cache negative responses"; } leaf enrollment-retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } description "Number of retry attempts for an enrollment request"; } list certification-authority { key "name"; ordered-by user; description "CA X.509 certificate configuration"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "CA profile name"; } uses apply-advanced; leaf ca-name { type string; description "CA name"; } leaf file { type string; description "File to read certificate from"; } leaf crl { type string; description "File to read crl from"; } leaf enrollment-url { type string; description "URL"; } leaf ldap-url { type string; description "URL"; } leaf encoding { type enumeration { enum "binary" { value 0; description "DER encoding"; } enum "pem" { value 1; description "Privacy-enhanced-mail encoding, base64"; } } default "binary"; description "Encoding to use for certificate or CRL on disk"; } } // list certification-authority } // container certificates container authentication-key-chains { description "Authentication key chain configuration"; uses security-authentication-key-chains; } // container authentication-key-chains container ssh-known-hosts { description "SSH known host list"; uses apply-advanced; list host { key "name"; ordered-by user; description "SSH known host entry"; leaf name { type string; description "Host name"; } uses apply-advanced; leaf rsa1-key { type string; description "Base64 encoded RSA key (protocol version 1)"; } leaf rsa-key { type string; description "Base64 encoded RSA key"; } leaf dsa-key { type string; description "Base64 encoded DSA key"; } leaf ecdsa-key { type string; status deprecated; description "Base64 encoded ECDSA key"; } leaf ecdsa-sha2-nistp256-key { type string; description "Base64 encoded ECDSA-SHA2-NIST256 key"; } leaf ecdsa-sha2-nistp384-key { type string; description "Base64 encoded ECDSA-SHA2-NIST384 key"; } leaf ecdsa-sha2-nistp521-key { type string; description "Base64 encoded ECDSA-SHA2-NIST521 key"; } leaf ed25519-key { type string; description "Base64 encoded ED25519 key"; } } // list host } // container ssh-known-hosts container pki { presence "enable pki"; description "PKI service configuration"; uses security-pki; } // container pki container group-vpn { description "Group VPN configuration"; uses security-group-vpn; } // container group-vpn container traceoptions { description "Trace options for IPSec key management"; uses security-traceoptions; } // container traceoptions container ipsec { description "IPSec configuration"; uses security-ipsec-vpn; } // container ipsec container ike { description "IKE configuration"; uses security-ike; } // container ike container idp { description "IDP configuration"; list idp-policy { key "name"; ordered-by user; description "Configure IDP policy"; uses idp-policy-type; } // list idp-policy leaf active-policy { junos:must "("security idp idp-policy $$")"; junos:must-message "Policy must be defined under [security idp idp-policy] "; type string; status deprecated; description "Set active policy"; } leaf default-policy { junos:must "("security idp idp-policy $$")"; junos:must-message "Policy must be defined under [security idp idp-policy] "; type string; description "Set active policy"; } list custom-attack { key "name"; ordered-by user; description "Configure custom attacks"; uses custom-attack-type; } // list custom-attack list custom-attack-group { key "name"; ordered-by user; description "Configure custom attack groups"; uses custom-attack-group-type; } // list custom-attack-group list dynamic-attack-group { key "name"; ordered-by user; description "Configure dynamic attack groups"; uses dynamic-attack-group-type; } // list dynamic-attack-group container traceoptions { description "Trace options for idp services"; uses idpd-traceoptions-type; } // container traceoptions container security-package { description "Security package options"; uses apply-advanced; leaf url { type string; description "URL of Security package download"; } leaf source-address { type jt:ipv4addr; description "Source address to be used for sending download request"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [services proxy profile] path"; type string { length "1 .. 64"; } description "Proxy profile of security package download"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Routing-instance must be defined"; type string; description "Routing instance for security-package download"; } container install { presence "enable install"; description "Configure install command"; uses apply-advanced; leaf ignore-version-check { type empty; description "Skip version check when attack database gets installed"; } leaf ignore-appid-failure { type empty; description "Continue idp installation even if appid installation fails"; } } // container install container automatic { presence "enable automatic"; description "Scheduled download and update"; uses apply-advanced; leaf start-time { type jt:time; description "Start time (YYYY-MM-DD.HH:MM:SS)"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 336"; } } units "hours"; description "Interval"; } leaf download-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "minutes"; default "1"; status deprecated; description "Maximum time for download to complete"; } choice enable-disable { leaf enable { type empty; description "Enable"; } } // choice enable-disable } // container automatic } // container security-package container sensor-configuration { description "IDP Sensor Configuration"; container log { description "IDP Log Configuration"; uses apply-advanced; leaf cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log cache size"; } container suppression { presence "enable suppression"; description "Log suppression"; uses apply-advanced; choice enable-disable { leaf disable { type empty; description "Disable log suppression"; } } // choice enable-disable choice include-destination-address-choice { leaf include-destination-address { type empty; description "Include destination address while performing a log suppression"; } leaf no-include-destination-address { type empty; description "Don't include destination address while performing a log suppression"; } } // choice include-destination-address-choice leaf start-log { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Suppression start log"; } leaf max-logs-operate { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum logs can be operate on"; } leaf max-time-report { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Time after suppressed logs will be reported"; } } // container suppression } // container log container packet-log { description "IDP Packetlog Configuration"; uses apply-advanced; container total-memory { description "Total memory unit(%)"; uses apply-advanced; leaf percentage-value { type union { type string { pattern "<.*>|$.*"; } type uint32; } } leaf per-logical-domain { type union { type string { pattern "<.*>|$.*"; } type uint32; } } } // container total-memory container max-sessions { description "Max num of sessions in unit(%)"; uses apply-advanced; leaf percentage-value { type union { type string { pattern "<.*>|$.*"; } type uint32; } } leaf per-logical-domain { type union { type string { pattern "<.*>|$.*"; } type uint32; } } } // container max-sessions leaf threshold-logging-interval { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Interval of logs for max limit session/memory reached in minutes"; } leaf source-address { type jt:ipv4addr; description "Source IP address used to transport packetlog to a host"; } container host { description "Destination host to send packetlog to"; uses apply-advanced; leaf ipaddr { type jt:ipv4addr; description "IP address"; } leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "UDP port number"; } } // container host } // container packet-log container application-identification { presence "enable application-identification"; description "Application identification"; uses apply-advanced; choice enable-disable { leaf disable { type empty; description "Disable application identification"; } } // choice enable-disable leaf max-tcp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max TCP session memory"; } leaf max-udp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max UDP session memory"; } leaf max-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max packet memory"; } leaf max-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Max packet memory ratio"; } leaf max-reass-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max reass packet memory ratio"; } } // container application-identification container flow { description "Flow configuration"; uses apply-advanced; choice log-errors-choice { leaf log-errors { type empty; description "Flow log errors"; } leaf no-log-errors { type empty; description "Don't flow log errors"; } } // choice log-errors-choice choice allow-icmp-without-flow-choice { leaf allow-icmp-without-flow { type empty; status deprecated; description "Allow icmp without flow"; } leaf no-allow-icmp-without-flow { type empty; status deprecated; description "Don't allow icmp without flow"; } } // choice allow-icmp-without-flow-choice leaf hash-table-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow hash table size"; } leaf reject-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow reject timeout"; } leaf max-timers-poll-ticks { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum timers poll ticks"; } leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; } leaf udp-anticipated-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum udp anticipated timeout"; } leaf drop-on-limit { type empty; description "Drop connections on exceeding resource limits"; } leaf drop-on-failover { type empty; description "Drop traffic on HA failover sessions"; } leaf drop-if-no-policy-loaded { type empty; description "Drop all traffic till IDP policy gets loaded"; } leaf max-sessions-offset { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum session offset limit percentage"; } leaf min-objcache-limit-lt { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory lower threshold limit percentage"; } leaf min-objcache-limit-ut { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory upper threshold limit percentage"; } leaf session-steering { type empty; description "Session steering for session anticipation"; } leaf idp-bypass-cpu-usg-overload { type empty; description "Enable IDP bypass of sessions/packets on CPU usage overload"; } leaf idp-bypass-cpu-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "85"; description "Threshold of CPU usage in percentage for IDP bypass"; } leaf idp-bypass-cpu-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "Tolerance of CPU usage in percentage for IDP bypass"; } leaf intel-inspect-cpu-usg-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "80"; description "CPU usage threshold percentage for intelligent inspection"; } leaf intel-inspect-cpu-usg-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "CPU usage tolerance percentage for intelligent inspection"; } leaf intel-inspect-free-mem-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "15"; description "Free memory threshold percentage for intelligent inspection"; } leaf intel-inspect-mem-tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "5"; description "Memory tolerance percentage for intelligent inspection"; } leaf-list intel-inspect-protocols { type string; ordered-by user; description "Protocols to be processed in Intelligent Inspection mode"; } } // container flow container re-assembler { description "Re-assembler configuration"; uses apply-advanced; choice drop-on-syn-in-window-choice { leaf drop-on-syn-in-window { type empty; description "Drop session when SYN is seen in the window"; } leaf no-drop-on-syn-in-window { type empty; description "Don't drop session when SYN is seen in the window"; } } // choice drop-on-syn-in-window-choice choice ignore-memory-overflow-choice { leaf ignore-memory-overflow { type empty; description "Ignore memory overflow"; } leaf no-ignore-memory-overflow { type empty; description "Don't ignore memory overflow"; } } // choice ignore-memory-overflow-choice choice ignore-reassembly-memory-overflow-choice { leaf ignore-reassembly-memory-overflow { type empty; description "Ignore packet reassembly memory overflow"; } leaf no-ignore-reassembly-memory-overflow { type empty; description "Don't ignore packet reassembly memory overflow"; } } // choice ignore-reassembly-memory-overflow-choice leaf ignore-reassembly-overflow { type empty; description "Ignore global reassembly overflow"; } leaf max-packet-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Maximum packet memory"; } leaf max-flow-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum flow memory"; } leaf max-packet-mem-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum packet memory ratio"; } leaf action-on-reassembly-failure { type enumeration { enum "ignore" { value 0; description "No action is taken."; } enum "drop" { value 1; description "Drop the packet."; } enum "drop-session" { value 2; description "Drop the session."; } } default "drop"; description "Select the action on reassembly failures"; } choice tcp-error-logging-choice { leaf tcp-error-logging { type empty; description "Enable logging on tcp errors"; } leaf no-tcp-error-logging { type empty; description "Don't enable logging on tcp errors"; } } // choice tcp-error-logging-choice leaf max-synacks-queued { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum syn-acks queued with different SEQ numbers "; } choice force-tcp-window-checks-choice { leaf force-tcp-window-checks { type empty; description "Force TCP window checks if uni-directional policy is configured"; } leaf no-force-tcp-window-checks { type empty; description "Don't force TCP window checks if uni-directional policy is configured"; } } // choice force-tcp-window-checks-choice } // container re-assembler container ips { description "Ips configuration"; uses apply-advanced; choice process-override-choice { leaf process-override { type empty; description "Process override"; } leaf no-process-override { type empty; description "Don't process override"; } } // choice process-override-choice choice detect-shellcode-choice { leaf detect-shellcode { type empty; description "Detect shellcode"; } leaf no-detect-shellcode { type empty; description "Don't detect shellcode"; } } // choice detect-shellcode-choice choice process-ignore-s2c-choice { leaf process-ignore-s2c { type empty; description "Process ignore s2c"; } leaf no-process-ignore-s2c { type empty; description "Don't process ignore s2c"; } } // choice process-ignore-s2c-choice choice ignore-regular-expression-choice { leaf ignore-regular-expression { type empty; description "Ignore regular expression"; } leaf no-ignore-regular-expression { type empty; description "Don't ignore regular expression"; } } // choice ignore-regular-expression-choice leaf process-port { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Process port"; } leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; } leaf log-supercede-min { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Minimum log supercede"; } leaf content-decompression-max-memory-kb { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum memory usage in kilo bytes"; } leaf content-decompression-max-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum decompression ratio supported"; } leaf session-pkt-depth { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Session pkt scanning depth"; } } // container ips container global { description "Global configuration"; uses apply-advanced; choice enable-packet-pool-choice { leaf enable-packet-pool { type empty; description "Enable packet pool"; } leaf no-enable-packet-pool { type empty; description "Don't enable packet pool"; } } // choice enable-packet-pool-choice leaf log-xff-header { type empty; description "Log xff header"; } choice enable-all-qmodules-choice { leaf enable-all-qmodules { type empty; description "Enable all qmodules"; } leaf no-enable-all-qmodules { type empty; description "Don't enable all qmodules"; } } // choice enable-all-qmodules-choice choice policy-lookup-cache-choice { leaf policy-lookup-cache { type empty; description "Policy lookup cache"; } leaf no-policy-lookup-cache { type empty; description "Don't policy lookup cache"; } } // choice policy-lookup-cache-choice leaf memory-limit-percent { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory limit percentage"; } leaf disable-idp-processing { type empty; description "Flag to disable IDP processing"; } leaf intelligent-offload { type enumeration { enum "disable" { value 0; description "Disable flow offload"; } enum "conservative" { value 1; description "Increases scrutiny of flows prior to offload"; } } description "Intelligently offload the flow"; } } // container global container detector { description "Detector Configuration"; uses apply-advanced; list protocol-name { key "name"; ordered-by user; description "Apropriate help string"; uses proto-object; } // list protocol-name } // container detector container high-availability { description "High availability configuration"; uses apply-advanced; leaf no-policy-cold-synchronization { type empty; description "Disable policy cold synchronization"; } } // container high-availability container security-configuration { description "IDP security configuration"; uses apply-advanced; leaf protection-mode { type enumeration { enum "datacenter" { value 0; description "Security protection mode for datacenter"; } enum "datacenter-full" { value 1; description "Full security protection mode for datacenter"; } enum "perimeter" { value 2; description "Security protection mode for perimeter"; } enum "perimeter-full" { value 3; description "Full security protection mode for perimeter"; } } description "Enable security protection mode"; } } // container security-configuration } // container sensor-configuration leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } list logical-system { key "name"; ordered-by user; description "Configure max IDP sessions for the logial system"; uses logical-system-type; } // list logical-system list tenant-system { key "name"; ordered-by user; description "Configure max IDP sessions for the tenant"; uses tenant-system-type; } // list tenant-system } // container idp container macsec { description "MAC Security configuration"; uses security-macsec; } // container macsec } // container security } // grouping security-group grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro } // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping certificate-object { leaf name { type string; description "Simple name to identify this certificate"; } uses apply-advanced; leaf certificate { type string; description "Certificate and private key string"; } } // grouping certificate-object grouping custom-attack-group-type { description "Define custom attack group"; leaf name { type string; description "Custom attack group name"; } uses apply-advanced; leaf attack-group-description { type string; status deprecated; description "Attack group description in xml format"; } leaf-list group-members { type string; ordered-by user; description "List of attacks/attack groups belonging to this group"; } } // grouping custom-attack-group-type grouping custom-attack-type { description "Define custom attack"; leaf name { type string { junos:posix-pattern "^.{1,60}$"; junos:pattern-message "Custom attack name must be a string of 60 characters or less"; } description "Custom attack name"; } uses apply-advanced; leaf-list attack-description { type string; ordered-by user; description "Attack description"; } leaf recommended-action { type enumeration { enum "none" { value 0; description "No action"; } enum "ignore" { value 1; description "No further inspection on the flow"; } enum "drop-packet" { value 2; description "Drop the packet"; } enum "drop" { value 3; description "Drop the packet and subsequent packets of the flow"; } enum "close-client" { value 4; description "Reset the client side"; } enum "close-server" { value 5; description "Reset the server side"; } enum "close" { value 6; description "Reset both client and server"; } } description "Recommended Action"; } leaf severity { type enumeration { enum "info" { value 0; description "Provide information of attack when it matches."; } enum "warning" { value 1; description "Issue a warning when attack matches."; } enum "minor" { value 2; description "The attack is a minor one."; } enum "major" { value 3; description "The attack is a major one."; } enum "critical" { value 4; description "The attack is a critical one."; } } description "Select the severity that matches the lethality of this attack on your network"; } container time-binding { description "Time binding params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of times this attack is to be triggered"; } leaf scope { junos:must "((!(".. count 0") && !(".. count 1")))"; junos:must-message "Scope should be defined if count > 1"; type enumeration { enum "peer" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { junos:must "((!(".. count 0") && (!(".. count 1") && (".. count" && ".. scope"))))"; junos:must-message "To configure interval, count & scope should be set and count should be greater than or equal to 2"; type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } default "01m-00s"; description "Maximum time-gap between two instances of the attack. Format : MMm-SSs"; } } // container time-binding container detection-filter { junos:must "(!(".. time-binding"))"; junos:must-message "Time-binding and detection-filter will not be allowed together"; description "Detection filter params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of matches for this attack to be triggered. Must be greater than 0"; } leaf scope { type enumeration { enum "session" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } description "Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second"; } } // container detection-filter container attack-type { description "Type of attack"; uses apply-advanced; container signature { junos:must "(!((".. anomaly" || ".. chain")))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } leaf nested-application { type string; status deprecated; description "Nested application name"; } } // choice protocol } // container protocol-binding leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Attack signature pattern in PCRE format"; } container content { junos:must "(".. context")"; junos:must-message "Context must be specified"; description "Mention the match-modifire parameters to enhance pattern matching"; leaf pattern { type string; description "Specify match-modifier pattern"; } leaf pcre { type string { length "0 .. 511"; } description "PCRE expression"; } container depth { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum depth to search pattern within a packet. Depth is not relative"; leaf depth-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'depth'"; } leaf depth-variable { type string; description "Specify the variable name from which 'depth' should be extracted"; } } // container depth container offset { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Where to start searching for a pattern within a packet. Offset value is not relative"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the value of 'offset'"; } leaf offset-variable { type string; description "Specify the variable name from which 'offset' should be extracted"; } } // container offset container within { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Number of bytes present between two conjugative pattern match. within is relative"; leaf within-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'within'"; } leaf within-variable { type string; description "Specify the variable name from which 'within' should be extracted"; } } // container within container distance { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Length to ignore before searching next pattern match. Distance is relative"; leaf distance-value { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the value of 'distance'"; } leaf distance-variable { type string; description "Specify the variable name from which 'distance' should be extracted"; } } // container distance container byte-extract { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-extract parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf var-name { type string; description "Specify the name of the variable to reference in other rule options"; } leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "2-byte" { value 0; description "Round the number of converted bytes to 2-byte boundary"; } enum "4-byte" { value 1; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-extract container byte-test { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-test parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset container rvalue { description "Specify the rvalue to test the converted value against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "less-than" { value 0; description "Perform operation 'less than'"; } enum "greater-than" { value 1; description "Perform operation 'greater than'"; } enum "less-than-or-equal" { value 2; description "Perform operation 'less than or equal'"; } enum "greater-than-or-equal" { value 3; description "Perform operation 'greater than or equal'"; } enum "equal" { value 4; description "Perform operation 'equal'"; } enum "bitwise-AND" { value 5; description "Perform operation 'bitwise AND'"; } enum "bitwise-XOR" { value 6; description "Perform operation 'bitwise OR'"; } } description "Specify the operation to perform on extracted value"; } leaf negate { type empty; description "Check if the operator is not true"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-test container byte-math { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-math parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } container rvalue { description "Specify the value to use mathematical operation against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "addition" { value 0; description "Perform operation 'addition'"; } enum "subtraction" { value 1; description "Perform operation 'subtraction'"; } enum "multiplication" { value 2; description "Perform operation 'multiplication'"; } enum "division" { value 3; description "Perform operation 'division'"; } enum "right-shift" { value 4; description "Perform operation 'right shift'"; } enum "left-shift" { value 5; description "Perform operation 'left shift'"; } } description "Specify the operation to perform on extracted value"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf result { type string; description "Specify the variable name to which result should be stored"; } } // container byte-math container byte-jump { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-jump parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "4-byte" { value 0; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf from-beginning { type empty; description "Enable jump from the beginning of the payload"; } leaf from-end { type empty; description "Enable jump from the end of the payload"; } leaf post-offset { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the number of bytes to skip forward or backward"; } } // container byte-jump container is-data-at { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the is-data-at parameters for signature in length encoded protocols"; container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf negate { type empty; description "Negates the results of the isdataat test"; } } // container is-data-at } // container content container optional-parameters { junos:must "(".. pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit"; } leaf no-rb { type empty; description "Don't reserved bit"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragment bit"; } leaf no-mf { type empty; description "Don't more Fragment bit"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit"; } leaf no-df { type empty; description "Don't don't Fragment bit"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container ipv6 { description "IPv6 protocol parameters"; uses apply-advanced; container traffic-class { presence "enable traffic-class"; description "Traffic class. Similar to TOS in IPv4"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container traffic-class container payload-length { presence "enable payload-length"; description "Length of the payload in the IPv6 datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container payload-length container flow-label { presence "enable flow-label"; description "Flow label identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1048575"; } } description "Match value"; } } // container flow-label container hop-limit { presence "enable hop-limit"; description "Hop limit"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container hop-limit container next-header { presence "enable next-header"; description "The header following the basic IPv6 header"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container next-header container source { presence "enable source"; description "Source IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container destination container extension-header { description "IPv6 Extension headers"; uses apply-advanced; container routing-header { presence "enable routing-header"; description "IPv6 Routing extension header"; uses apply-advanced; container header-type { description "Routing header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container header-type } // container routing-header container destination-option { description "IPv6 Destination option extension header"; uses apply-advanced; container option-type { description "Destination option header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option-type container home-address { description "IPv6 Home address of the mobile node"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container home-address } // container destination-option } // container extension-header } // container ipv6 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container urgent-pointer container tcp-flags { presence "enable tcp-flags"; description "TCP header flags"; choice r1-choice { leaf r1 { type empty; description "Set Reserverd bit 1"; } leaf no-r1 { type empty; description "Don't set Reserverd bit 1"; } } // choice r1-choice choice r2-choice { leaf r2 { type empty; description "Set Reserved bit 2"; } leaf no-r2 { type empty; description "Don't set Reserved bit 2"; } } // choice r2-choice choice urg-choice { leaf urg { type empty; description "Set Urgent bit"; } leaf no-urg { type empty; description "Don't set Urgent bit"; } } // choice urg-choice choice ack-choice { leaf ack { type empty; description "Set Acknowledge bit"; } leaf no-ack { type empty; description "Don't set Acknowledge bit"; } } // choice ack-choice choice psh-choice { leaf psh { type empty; description "Set Push bit"; } leaf no-psh { type empty; description "Don't set Push bit"; } } // choice psh-choice choice rst-choice { leaf rst { type empty; description "Set Reset bit"; } leaf no-rst { type empty; description "Don't set Reset bit"; } } // choice rst-choice choice syn-choice { leaf syn { type empty; description "Set SYN bit"; } leaf no-syn { type empty; description "Don't set SYN bit"; } } // choice syn-choice choice fin-choice { leaf fin { type empty; description "Set FINish bit"; } leaf no-fin { type empty; description "Don't set FINish bit"; } } // choice fin-choice } // container tcp-flags container option { presence "enable option"; description "Kind"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!((".. signature" || ".. chain")))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf service { type string; description "Service name"; } leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly container chain { junos:must "(!((".. signature" || ".. anomaly")))"; junos:must-message "Only one attack type is permitted"; description "Chain attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } leaf nested-application { type string; status deprecated; description "Nested application name"; } } // choice protocol } // container protocol-binding leaf scope { type enumeration { enum "session" { value 0; description "Allow matches across transactions within the same session"; } enum "transaction" { value 1; description "Allow matches in single transactions within the same session"; } } description "Scope of the attack"; } leaf order { type empty; description "Attacks should match in the order in which they are defined"; } leaf reset { type empty; description "Repeat match should generate a new alert"; } leaf expression { junos:must "(!(".. order"))"; junos:must-message "Boolean Expression cannot be specified with order"; type string; description "Boolean Expression(or, and, oand). Multiple expressions can be combined using parenthesis."; } list member { key "name"; ordered-by user; description "List of member attacks."; uses chain-member-type; } // list member } // container chain } // container attack-type } // grouping custom-attack-type grouping chain-member-type { description "Chain member"; leaf name { type string; description "Custom attack name"; } uses apply-advanced; container attack-type { presence "enable attack-type"; description "Type of attack"; uses apply-advanced; container signature { junos:must "(!(".. anomaly"))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Attack signature pattern in PCRE format"; } container content { junos:must "(".. context")"; junos:must-message "Context must be specified"; description "Mention the match-modifire parameters to enhance pattern matching"; leaf pattern { type string; description "Specify match-modifier pattern"; } leaf pcre { type string { length "0 .. 511"; } description "PCRE expression"; } container depth { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum depth to search pattern within a packet. Depth is not relative"; leaf depth-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'depth'"; } leaf depth-variable { type string; description "Specify the variable name from which 'depth' should be extracted"; } } // container depth container offset { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Where to start searching for a pattern within a packet. Offset value is not relative"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the value of 'offset'"; } leaf offset-variable { type string; description "Specify the variable name from which 'offset' should be extracted"; } } // container offset container within { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Number of bytes present between two conjugative pattern match. within is relative"; leaf within-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'within'"; } leaf within-variable { type string; description "Specify the variable name from which 'within' should be extracted"; } } // container within container distance { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Length to ignore before searching next pattern match. Distance is relative"; leaf distance-value { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the value of 'distance'"; } leaf distance-variable { type string; description "Specify the variable name from which 'distance' should be extracted"; } } // container distance container byte-extract { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-extract parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf var-name { type string; description "Specify the name of the variable to reference in other rule options"; } leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "2-byte" { value 0; description "Round the number of converted bytes to 2-byte boundary"; } enum "4-byte" { value 1; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-extract container byte-test { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-test parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset container rvalue { description "Specify the rvalue to test the converted value against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "less-than" { value 0; description "Perform operation 'less than'"; } enum "greater-than" { value 1; description "Perform operation 'greater than'"; } enum "less-than-or-equal" { value 2; description "Perform operation 'less than or equal'"; } enum "greater-than-or-equal" { value 3; description "Perform operation 'greater than or equal'"; } enum "equal" { value 4; description "Perform operation 'equal'"; } enum "bitwise-AND" { value 5; description "Perform operation 'bitwise AND'"; } enum "bitwise-XOR" { value 6; description "Perform operation 'bitwise OR'"; } } description "Specify the operation to perform on extracted value"; } leaf negate { type empty; description "Check if the operator is not true"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-test container byte-math { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-math parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } container rvalue { description "Specify the value to use mathematical operation against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "addition" { value 0; description "Perform operation 'addition'"; } enum "subtraction" { value 1; description "Perform operation 'subtraction'"; } enum "multiplication" { value 2; description "Perform operation 'multiplication'"; } enum "division" { value 3; description "Perform operation 'division'"; } enum "right-shift" { value 4; description "Perform operation 'right shift'"; } enum "left-shift" { value 5; description "Perform operation 'left shift'"; } } description "Specify the operation to perform on extracted value"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf result { type string; description "Specify the variable name to which result should be stored"; } } // container byte-math container byte-jump { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-jump parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "4-byte" { value 0; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf from-beginning { type empty; description "Enable jump from the beginning of the payload"; } leaf from-end { type empty; description "Enable jump from the end of the payload"; } leaf post-offset { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the number of bytes to skip forward or backward"; } } // container byte-jump container is-data-at { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the is-data-at parameters for signature in length encoded protocols"; container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf negate { type empty; description "Negates the results of the isdataat test"; } } // container is-data-at } // container content container optional-parameters { junos:must "(".. pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit"; } leaf no-rb { type empty; description "Don't reserved bit"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragment bit"; } leaf no-mf { type empty; description "Don't more Fragment bit"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit"; } leaf no-df { type empty; description "Don't don't Fragment bit"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container ipv6 { description "IPv6 protocol parameters"; uses apply-advanced; container traffic-class { presence "enable traffic-class"; description "Traffic class. Similar to TOS in IPv4"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container traffic-class container payload-length { presence "enable payload-length"; description "Length of the payload in the IPv6 datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container payload-length container flow-label { presence "enable flow-label"; description "Flow label identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1048575"; } } description "Match value"; } } // container flow-label container hop-limit { presence "enable hop-limit"; description "Hop limit"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container hop-limit container next-header { presence "enable next-header"; description "The header following the basic IPv6 header"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container next-header container source { presence "enable source"; description "Source IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address or hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container destination container extension-header { description "IPv6 Extension headers"; uses apply-advanced; container routing-header { presence "enable routing-header"; description "IPv6 Routing extension header"; uses apply-advanced; container header-type { description "Routing header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container header-type } // container routing-header container destination-option { description "IPv6 Destination option extension header"; uses apply-advanced; container option-type { description "Destination option header type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option-type container home-address { description "IPv6 Home address of the mobile node"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv6addr; description "Match value"; } } // container home-address } // container destination-option } // container extension-header } // container ipv6 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container urgent-pointer container tcp-flags { presence "enable tcp-flags"; description "TCP header flags"; choice r1-choice { leaf r1 { type empty; description "Set Reserverd bit 1"; } leaf no-r1 { type empty; description "Don't set Reserverd bit 1"; } } // choice r1-choice choice r2-choice { leaf r2 { type empty; description "Set Reserved bit 2"; } leaf no-r2 { type empty; description "Don't set Reserved bit 2"; } } // choice r2-choice choice urg-choice { leaf urg { type empty; description "Set Urgent bit"; } leaf no-urg { type empty; description "Don't set Urgent bit"; } } // choice urg-choice choice ack-choice { leaf ack { type empty; description "Set Acknowledge bit"; } leaf no-ack { type empty; description "Don't set Acknowledge bit"; } } // choice ack-choice choice psh-choice { leaf psh { type empty; description "Set Push bit"; } leaf no-psh { type empty; description "Don't set Push bit"; } } // choice psh-choice choice rst-choice { leaf rst { type empty; description "Set Reset bit"; } leaf no-rst { type empty; description "Don't set Reset bit"; } } // choice rst-choice choice syn-choice { leaf syn { type empty; description "Set SYN bit"; } leaf no-syn { type empty; description "Don't set SYN bit"; } } // choice syn-choice choice fin-choice { leaf fin { type empty; description "Set FINish bit"; } leaf no-fin { type empty; description "Don't set FINish bit"; } } // choice fin-choice } // container tcp-flags container option { presence "enable option"; description "Kind"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!(".. signature"))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly } // container attack-type } // grouping chain-member-type grouping dynamic-attack-group-type { description "Define dynamic attack group"; leaf name { type string; description "Name of the dynamic attack group"; } uses apply-advanced; leaf attack-group-description { type string; status deprecated; description "Filter name/value in xml format"; } container filters { description "Configure filters"; uses apply-advanced; container direction { presence "enable direction"; description "Direction of attack"; uses apply-advanced; leaf expression { type enumeration { enum "and" { value 0; description "AND values together (recommended if 'exclude-*' values are set)"; } enum "or" { value 1; description "OR values together"; } } default "or"; description "Boolean AND/OR to be used for values"; } leaf-list values { type enumeration { enum "client-to-server" { value 0; description "Select attacks from client to server"; } enum "server-to-client" { value 1; description "Select attacks from server to client"; } enum "any" { value 2; description "Select attacks which can occur in either direction"; } enum "exclude-client-to-server" { value 3; description "Filter out attacks from client to server"; } enum "exclude-server-to-client" { value 4; description "Filter out attacks from server to client"; } enum "exclude-any" { value 5; description "Filter out attacks which occur in either direction"; } } ordered-by user; description "Values for direction field"; } } // container direction container severity { presence "enable severity"; description "Severity of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "info" { value 0; description "Provide information of attack when it matches."; } enum "warning" { value 1; description "Issue a warning when attack matches."; } enum "minor" { value 2; description "The attack is a minor one."; } enum "major" { value 3; description "The attack is a major one."; } enum "critical" { value 4; description "The attack is a critical one."; } } ordered-by user; description "Values for severity field"; } } // container severity container type { presence "enable type"; description "Type of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "signature" { value 0; description "Signature based attacks"; } enum "anomaly" { value 1; description "Protocol anomalies"; } } ordered-by user; description "Values for type field"; } } // container type choice recommended-choice { leaf recommended { type empty; description "Recommended flag"; } leaf no-recommended { type empty; description "Don't recommended flag"; } } // choice recommended-choice container performance { presence "enable performance"; description "Performance of attack"; uses apply-advanced; leaf-list values { type enumeration { enum "unknown" { value 0; description "Performance level unknown"; } enum "fast" { value 1; description "Fast performance"; } enum "normal" { value 2; description "Normal performance"; } enum "slow" { value 3; description "Slow performance"; } } ordered-by user; description "Values for performance field"; } } // container performance container category { presence "enable category"; description "Category of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for category field"; } } // container category container service { presence "enable service"; description "Service/Application of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for service field"; } } // container service container false-positives { presence "enable false-positives"; description "False positive field in attack"; uses apply-advanced; leaf-list values { type enumeration { enum "unknown" { value 0; description "Unknown information"; } enum "rarely" { value 1; description "Rare false positives occurrence"; } enum "occasionally" { value 2; description "Ocassional false positives occurrence"; } enum "frequently" { value 3; description "Frequent false positives occurrence"; } } ordered-by user; description "Values for false-positives field"; } } // container false-positives list vendor { key "name"; ordered-by user; description "Vendor/Product the attack belongs to"; uses vendor-object; } // list vendor container file-type { presence "enable file-type"; description "File type the attack is valid for"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for file-type field"; } } // container file-type container vulnerability-type { presence "enable vulnerability-type"; description "Vulnariability type of attack"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for vulnariability-type field"; } } // container vulnerability-type choice excluded-choice { leaf excluded { type empty; description "Excluded Attacks"; } leaf no-excluded { type empty; description "Don't excluded Attacks"; } } // choice excluded-choice container attack-prefix { presence "enable attack-prefix"; description "Prefix match for attack names"; uses apply-advanced; leaf-list values { type string; ordered-by user; description "Values for attack name prefix match"; } } // container attack-prefix list cvss-score { key "name"; ordered-by user; description "CVSS score of Attack "; leaf name { type enumeration { enum "greater-than" { value 0; description "Match when cvss score is greater"; } enum "less-than" { value 1; description "Match when cvss score is less"; } } description "Match condition of CVSS score"; } uses apply-advanced; leaf value { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type decimal64 { fraction-digits 9; range "0 .. 10"; } description "Match value"; } } // list cvss-score list age-of-attack { key "name"; ordered-by user; description "Age of an Attack "; leaf name { type enumeration { enum "greater-than" { value 0; description "Match when Age of Attack is greater"; } enum "less-than" { value 1; description "Match when Age of Attack is less"; } } description "Match condition of Age of Attack"; } uses apply-advanced; leaf value { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Match value"; } } // list age-of-attack } // container filters } // grouping dynamic-attack-group-type grouping idp-policy-type { leaf name { type string; description "IDP policy name"; } container rulebase-ips { description "IPS rulebase"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Configure IPS rule"; leaf name { type string; description "Rule name"; } uses apply-advanced; leaf description { type string; description "Rule description"; } container match { description "Rule match criteria"; uses apply-advanced; leaf from-zone { junos:must "((".. from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice destination leaf application { type string; description "Specify application or application-set name to match"; } container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } // container match container then { uses apply-advanced; container action { choice action { leaf no-action { type empty; description "No action"; } leaf ignore-connection { type empty; description "Ignore"; } container mark-diffserv { description "Mark differentiated services codepoint (DSCP)"; uses apply-advanced; leaf codepoint { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Codepoint value"; } } // container mark-diffserv container class-of-service { description "Classification of traffic based on class-of-service"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class for outgoing packets"; } leaf dscp-code-point { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Differentiated services code point value"; } } // container class-of-service leaf drop-packet { type empty; description "Drop packet"; } leaf drop-connection { type empty; description "Drop connection"; } leaf close-client { type empty; description "Close client"; } leaf close-server { type empty; description "Close server"; } leaf close-client-and-server { type empty; description "Close client and server"; } leaf recommended { junos:must "(".. .. .. match attacks")"; junos:must-message "attacks must also be configured."; type empty; description "Recommended"; } } // choice action } // container action container ip-action { uses apply-advanced; choice ip-action { leaf ip-notify { type empty; description "Notify about future traffic"; } leaf ip-close { type empty; description "Close future connections"; } leaf ip-block { type empty; description "Block future connections"; } } // choice ip-action leaf target { type enumeration { enum "service" { value 0; description "Match source, destination, dst-port and protocol"; } enum "source-zone-address" { value 1; description "Match source-zone and source-address"; } enum "source-address" { value 2; description "Match source"; } enum "destination-address" { value 3; description "Match destination"; } enum "zone-service" { value 4; description "Match source-zone, destination, dst-port, protocol"; } enum "source-zone" { value 5; description "Match source-zone"; } } } leaf log { type empty; description "Log IP action taken"; } leaf log-create { type empty; description "Log IP action creation"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 64800"; } } description "Number of seconds IP action should remain effective"; } leaf refresh-timeout { junos:must "(".. timeout")"; junos:must-message "timeout must be specified"; type empty; description "Refresh timeout when future connections match installed ip-action filter"; } } // container ip-action container notification { presence "enable notification"; description "Configure notification/logging options"; uses apply-advanced; container log-attacks { presence "enable log-attacks"; description "Enable attack logging"; uses apply-advanced; leaf alert { type empty; description "Set alert flag in attack log"; } } // container log-attacks container packet-log { presence "enable packet-log"; uses apply-advanced; leaf pre-attack { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } default "1"; description "No of packets to capture before attack"; } leaf post-attack { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "No of packets to capture after attack"; } leaf post-attack-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1800"; } } default "5"; description "Timeout (seconds) after attack before stopping packet capture"; } } // container packet-log } // container notification leaf severity { type enumeration { enum "info" { value 0; } enum "warning" { value 1; } enum "minor" { value 2; } enum "major" { value 3; } enum "critical" { value 4; } } description "Set rule severity level"; } container application-services { description "Enable application services for this rule"; container security-intelligence { description "Generate security intellegence feeds"; leaf add-attacker-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } leaf add-target-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container security-intelligence } // container application-services } // container then leaf terminal { type empty; description "Set/Unset terminal flag"; } } // list rule } // container rulebase-ips container rulebase-exempt { description "Exempt rulebase"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Configure exempt rule"; leaf name { type string; description "Rule name"; } uses apply-advanced; leaf description { type string; description "Rule description"; } container match { description "Rule match criteria"; uses apply-advanced; leaf from-zone { junos:must "((".. from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } case case_3 { } // case case_3 case case_4 { } // case case_4 } // choice destination container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } // container match } // list rule } // container rulebase-exempt } // grouping idp-policy-type grouping idpd-traceoptions-type { description "Trace options for idpd"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } } description "Flag name to include in trace output"; } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } } // grouping idpd-traceoptions-type grouping log-object { description "Configure auditable security logs"; uses apply-advanced; list exclude { key "name"; ordered-by user; status deprecated; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; status deprecated; description "Limit number of security log entries to keep in memory"; } container cache { presence "enable cache"; description "Cache security log events in the audit log buffer"; uses apply-advanced; list exclude { junos:must "(!(".. .. exclude"))"; junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive"; key "name"; ordered-by user; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { junos:must "(!(".. .. limit"))"; junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive"; type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Limit number of security log entries to keep in memory"; } } // container cache } // grouping log-object grouping logical-system-type { description "Logical system name"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Logical systems must be defined under [logical-systems] "; type string; description "Logical system name"; } uses apply-advanced; leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } } // grouping logical-system-type grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping port-range { description "Port ranges"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Single port/minimum port in the port range"; } leaf maximum-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Maximum port in the port range"; } } // grouping port-range grouping proto-object { leaf name { type string; } uses apply-advanced; list tunable-name { key "name"; ordered-by user; description "Protocol tunable name"; uses tunable-object; } // list tunable-name } // grouping proto-object grouping security-authentication-key-chains { uses apply-advanced; list key-chain { key "name"; description "Key chain configuration"; leaf name { type string { junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{33,}))$"; junos:pattern-message "Must be string of 32 characters or less with no spaces"; } description "Name of authentication key chain"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of this authentication-key-chain"; } leaf tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } units "seconds"; default "3600"; description "Clock skew tolerance"; } list key { key "name"; description "Authentication element configuration"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Authentication element identifier"; } uses apply-advanced; leaf secret { type string { length "1 .. 126"; } description "Authentication key"; } leaf key-name { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Key name in hexadecimal format used for macsec"; } leaf start-time { type jt:time; description "Start time for key transmission (YYYY-MM-DD.HH:MM)"; } leaf algorithm { type enumeration { enum "md5" { value 0; description "Message Digest 5"; } enum "hmac-sha-1" { junos:must "(".. options isis-enhanced")"; junos:must-message "sha algorithm required isis-enhanced"; value 1; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "ao" { value 2; description "TCP Authentication Option"; } } default "md5"; description "Authentication algorithm"; } leaf options { type enumeration { enum "basic" { value 0; description "Rudimentary encoding format"; } enum "isis-enhanced" { value 1; description "RFC 5310 based encoding"; } } default "basic"; description "Protocol's transmission encoding format"; } container ao-attribute { junos:must "(!(".. authentication-key"))"; junos:must-message "Cannot be configured with authentication-key"; junos:must "(".. algorithm ao")"; junos:must-message "Can only be configured with authentication-algorithm ao"; description "TCP Authentication option attributes"; uses apply-advanced; leaf send-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Send id for TCP-AO entry"; } leaf recv-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Recv id for TCP-AO entry"; } leaf tcp-ao-option { type enumeration { enum "enabled" { value 0; description "Include the TCP-AO option"; } enum "disabled" { value 1; description "Not include the TCP-AO option"; } } default "disabled"; description "Include TCP-AO option within message header"; } leaf cryptographic-algorithm { type enumeration { enum "hmac-sha-1-96" { value 0; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "aes-128-cmac-96" { value 1; description "Cipher-based Message Authentication Code (AES128) (96 bits)"; } } default "hmac-sha-1-96"; description "Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation"; } } // container ao-attribute } // list key } // list key-chain } // grouping security-authentication-key-chains grouping security-group-vpn { uses apply-advanced; container member { description "Group VPN member configuration"; uses gvpn-member; } // container member } // grouping security-group-vpn grouping gvpn-member { uses apply-advanced; container ike { description "Group VPN IKE configuration"; uses gvpn-member-ike; } // container ike container ipsec { description "Group VPN IPsec configuration"; uses gvpn-member-ipsec-vpn; } // container ipsec } // grouping gvpn-member grouping gvpn-member-ike { uses apply-advanced; container traceoptions { description "Trace options for Group VPN Member"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "config" { value 3; description "Trace configuration download processing"; } enum "ike" { value 4; description "Trace IKE module processing"; } enum "policy-manager" { value 5; description "Trace policy manager processing"; } enum "general" { value 6; description "Trace general events"; } enum "database" { value 7; description "Trace security associations database events"; } enum "certificates" { value 8; description "Trace certificate events"; } enum "snmp" { value 9; description "Trace SNMP operations"; } enum "thread" { value 10; description "Trace thread processing"; } enum "high-availability" { value 11; description "Trace high-availability operations"; } enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; } enum "all" { value 13; description "Trace everything"; } } } } // list flag container gateway-filter { description "Set gateway filter for trace"; uses apply-advanced; leaf local-address { type jt:ipv4addr; description "Use an IP address to identify the local gateway"; } leaf remote-address { type jt:ipv4addr; description "Use an IP address to identify the remote gateway"; } } // container gateway-filter } // container traceoptions list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses gvpn-member-ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses gvpn-ike-policy; } // list policy list gateway { key "name"; ordered-by user; description "Define an IKE gateway"; leaf name { junos:must "(!("security ike gateway $$"))"; junos:must-message "Gateway already defined under [security ike]"; type string { length "1 .. 32"; } description "Label for the remote (peer) gateway"; } uses apply-advanced; leaf ike-policy { junos:must "(!("security ike policy $$"))"; junos:must-message "Policy already defined under [security ike]"; junos:must "("security group-vpn member ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit security group-vpn member ike policy]"; type string { length "1 .. 32"; } description "Name of the IKE policy"; } container local-identity { description "Set the local IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The local IPv4 identity"; } } // container inet container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The local hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The local user-FQDN"; } } // container user-at-hostname leaf distinguished-name { type empty; description "Use a distinguished name specified in local certificate"; } } // choice identity-type } // container local-identity leaf local-address { junos:must "(!(any "security group-vpn member ike gateway <*> server-address $$"))"; junos:must-message "Member can not have the same local address as server"; type jt:ipv4addr; description "Local IPv4 address for group member"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing-instance must be defined"; type string; default "default"; description "Name of routing instance that hosts local address"; } } // list gateway } // grouping gvpn-member-ike grouping gvpn-ike-policy { leaf name { junos:must "((".. proposals" || ".. proposal-set"))"; junos:must-message "IKE policy must have either proposals or proposal-set configured"; junos:must "(((".. certificate local-certificate" || ".. pre-shared-key") && !((".. certificate local-certificate" && ".. pre-shared-key"))))"; junos:must-message "IKE policy must have either local certificate or pre-shared key configured"; junos:must "(!("security ike policy $$"))"; junos:must-message "Policy already defined under [security ike policy]"; type string { length "1 .. 32"; } description "Name of policy"; } uses apply-advanced; leaf mode { type enumeration { enum "main" { value 0; description "Main mode"; } enum "aggressive" { value 1; description "Aggressive mode"; } } default "main"; description "Define the IKE mode for Phase 1"; } leaf description { type string { length "1 .. 80"; } description "Text description of IKE policy"; } leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } container certificate { description "Certificate configuration"; uses apply-advanced; leaf local-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } container trusted-ca { status deprecated; description "Specify the CA to use"; choice ca { leaf ca-index { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Index of the preferred CA to use"; } leaf use-all { type empty; description "Use all configured CAs"; } } // choice ca } // container trusted-ca leaf peer-certificate-type { type enumeration { enum "pkcs7" { value 0; description "PKCS7 encoding"; } enum "x509-signature" { value 1; description "X509 signature encoding"; } } default "x509-signature"; description "Preferred type of certificate from peer"; } } // container certificate leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 0; description "IKE proposal-set for basic"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 1; description "IKE proposal-set for compatible"; } enum "standard" { junos:must "(!(".. proposals"))"; junos:must-message "IKE policy must not have both proposals and proposal-set configured"; value 2; description "IKE proposal-set for standard"; } } description "Types of default IKE proposal-set"; } container pre-shared-key { description "Define a preshared key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container pre-shared-key } // grouping gvpn-ike-policy grouping gvpn-member-ike-proposal { leaf name { junos:must "(!("security ike proposal $$"))"; junos:must-message "Proposal already defined under [security ike proposal]"; type string { length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } enum "rsa-signatures" { value 1; description "RSA signatures"; } enum "dsa-signatures" { value 2; description "DSA signatures"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group 1"; } enum "group2" { value 1; description "Diffie-Hellman Group 2"; } enum "group5" { value 2; description "Diffie-Hellman Group 5"; } enum "group14" { value 3; description "Diffie-Hellman Group 14"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "md5" { value 0; description "MD5 authentication algorithm"; } enum "sha1" { value 1; description "SHA1 authentication algorithm"; } enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; default "180"; description "Lifetime, in seconds"; } } // grouping gvpn-member-ike-proposal grouping gvpn-member-ipsec-vpn { uses apply-advanced; list vpn { key "name"; ordered-by user; description "Define an IPSec VPN"; uses ipsec-gvpn-member-template; } // list vpn } // grouping gvpn-member-ipsec-vpn grouping ipsec-gvpn-member-template { description "Configure a Group VPN"; leaf name { junos:must "(!("security ipsec vpn $$"))"; junos:must-message "VPN already defined under [security ipsec]"; type string { length "1 .. 32"; } description "Name of the VPN"; } uses apply-advanced; leaf ike-gateway { junos:must "("security group-vpn member ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security group-vpn member ike gateway]"; type string { length "1 .. 32"; } description "Name of IKE gateway"; } leaf group { junos:must "((".. no-group-check" || unique "security group-vpn member ipsec vpn <*> group $$"))"; junos:must-message "Group id must be unique among group vpns"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Enable Group VPN by defining group id"; } leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Direction for which the rule match is applied"; } leaf tunnel-mtu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 9192"; } } default "1500"; description "Maximum transmit packet size"; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Clear DF bit of outer header"; } enum "set" { value 1; description "Set DF bit of outer header"; } enum "copy" { value 2; description "Copy DF bit from inner header"; } } default "clear"; description "Specifies how to handle the Don't Fragment bit"; } leaf forward-policy-mismatch { type empty; description "Enables forwarding of policy mismatch packets"; } container fail-open { description "List of fail open rules"; uses ipsec_gvpn_fail_open_rule_object; } // container fail-open } // grouping ipsec-gvpn-member-template grouping ipsec_gvpn_fail_open_rule_object { uses apply-advanced; list rule { key "name"; max-elements 10; ordered-by user; description "Define fail open rules upto 10"; uses ipsec_gvpn_rule_address_object; } // list rule } // grouping ipsec_gvpn_fail_open_rule_object grouping ipsec_gvpn_rule_address_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; container source-address { presence "enable source-address"; description "Match IP source address"; uses ipsec_gvpn_addr_object; } // container source-address container destination-address { presence "enable destination-address"; description "Match IP destination address"; uses ipsec_gvpn_addr_object; } // container destination-address } // grouping ipsec_gvpn_rule_address_object grouping ipsec_gvpn_addr_object { uses apply-advanced; leaf address { type jt:ipv4prefix-only; description "Prefix to match"; } } // grouping ipsec_gvpn_addr_object grouping security-ike { uses apply-advanced; container traceoptions { description "Trace options for IPSec key management"; uses security-traceoptions; } // container traceoptions container respond-bad-spi { presence "enable respond-bad-spi"; description "Respond to IPSec packets with bad SPI values"; leaf max-responses { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 30"; } } default "5"; description "Maximum number of times to respond"; } } // container respond-bad-spi list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses ike-policy; } // list policy list gateway { key "name"; ordered-by user; description "Define an IKE gateway"; leaf name { type string { length "1 .. 32"; } description "Label for the remote (peer) gateway"; } uses apply-advanced; leaf ike-policy { junos:must "(!(("security ike policy $$ mode main" && ("security ike policy $$ pre-shared-key" && ".. dynamic"))))"; junos:must-message "Main mode for dynamic peer with Preshared key based authentication is not allowed"; junos:must "("security ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit security ike policy]"; type string { length "1 .. 32"; } description "Name of the IKE policy"; } choice remote-identifier { leaf-list address { type string; ordered-by user; description "Addresses or hostnames of peer:1 primary, upto 4 backups"; } container dynamic { description "Site to site peer with dynamic IP address"; uses apply-advanced; choice remote-id-type { container distinguished-name { presence "enable distinguished-name"; description "Use a distinguished name: "; uses apply-advanced; choice name-type { leaf container { type string; description "Specify the container string"; } leaf wildcard { type string; description "Specify the wildcard string"; } } // choice name-type } // container distinguished-name leaf hostname { type string; description "Use a fully-qualified domain name"; } leaf inet { type jt:ipv4addr; description "Use an IPV4 address to identify the dynamic peer"; } leaf inet6 { type jt:ipv6addr; description "Use an IPV6 address to identify the dynamic peer"; } leaf user-at-hostname { type string; description "Use an e-mail address"; } } // choice remote-id-type leaf connections-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Maximum number of users connected to gateway"; } leaf ike-user-type { type enumeration { enum "group-ike-id" { value 0; description "Email address or FQDN shared as IKED ID by multiple users"; } enum "shared-ike-id" { junos:must "(" .. .. xauth")"; junos:must-message "Need to configure xauth at [edit security ike gateway]"; value 1; description "Email address shared as IKED ID by multiple users"; } } description "Type of the IKE ID"; } } // container dynamic } // choice remote-identifier container dead-peer-detection { presence "enable dead-peer-detection"; description "Enable RFC-3706 DPD"; uses apply-advanced; leaf always-send { type empty; description "Send DPD messages periodically, regardless of traffic"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 60"; } } units "seconds"; default "10"; description "The interval at which to send DPD messages"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5"; } } default "5"; description "Maximum number of DPD retransmissions"; } } // container dead-peer-detection leaf no-nat-traversal { type empty; description "Disable IPSec NAT traversal"; } leaf nat-keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; default "5"; description "Interval at which to send NAT keepalives"; } container local-identity { description "Set the local IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The local IPv4 identity"; } } // container inet container inet6 { description "Use an IPv6 address"; uses apply-advanced; leaf identity-ipv6 { type jt:ipv6addr; description "The local IPv6 identity"; } } // container inet6 container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The local hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The local user-FQDN"; } } // container user-at-hostname leaf distinguished-name { type empty; description "Use a distinguished name specified in local certificate"; } } // choice identity-type } // container local-identity container remote-identity { junos:must "(!(".. dynamic"))"; junos:must-message "Since the remote gateway is dynamic, Define remote identity under dynamic"; description "Set the remote IKE identity"; choice identity-type { container inet { description "Use an IPv4 address"; uses apply-advanced; leaf identity-ipv4 { type jt:ipv4addr; description "The remote IPv4 identity"; } } // container inet container inet6 { description "Use an IPv6 address"; uses apply-advanced; leaf identity-ipv6 { type jt:ipv6addr; description "The remote IPv6 identity"; } } // container inet6 container hostname { description "Use a fully-qualified domain name"; uses apply-advanced; leaf identity-hostname { type string; description "The remote hostname"; } } // container hostname container user-at-hostname { description "Use an e-mail address"; uses apply-advanced; leaf identity-user { type string; description "The remote user-FQDN"; } } // container user-at-hostname container distinguished-name { presence "enable distinguished-name"; description "Use a distinguished name: "; uses apply-advanced; leaf container { type string; description "Specify the container string"; } leaf wildcard { type string; description "Specify the wildcard string"; } } // container distinguished-name } // choice identity-type } // container remote-identity leaf external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "External interface for IKE negotiations"; } container xauth { description "Use extended authentication"; leaf access-profile { junos:must "("access profile $$")"; junos:must-message "profile needs to be configured"; type string; description "Access profile that contains authentication information"; } } // container xauth leaf general-ikeid { junos:must "(!(".. remote-identity"))"; junos:must-message "general-ikeid option is not allowed when remote-identity is configured"; junos:must "(!(".. dynamic"))"; junos:must-message "general-ikd-id option is not available for dynamic peer."; type empty; description "Accept peer IKE-ID in general"; } leaf version { type enumeration { enum "v1-only" { value 0; description "The connection must be initiated using IKE version 1"; } enum "v2-only" { value 1; description "The connection must be initiated using IKE version 2"; } } default "v1-only"; description "Negotiate using either IKE v1 or IKE v2 protocol"; } } // list gateway } // grouping security-ike grouping ike-policy { leaf name { junos:must "(("security ike policy $$ pre-shared-key" || "security ike policy $$ local-certificate"))"; junos:must-message "Either pre-shared-key or local-certificate must be configured in ike policy"; type jt:ipv4addr; description "IKE peer address"; } uses apply-advanced; leaf mode { type enumeration { enum "main" { value 0; description "Main mode"; } enum "aggressive" { value 1; description "Aggressive mode"; } } description "Define the IKE first phase mode"; } leaf description { type string { length "1 .. 80"; } description "Text description of IKE policy"; } leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } leaf local-certificate { junos:must "(!(".. local-key-pair $$"))"; junos:must-message "Local certificate and local key pair files must be different"; type string { length "1 .. 255"; } description "File to read certificate from"; } leaf local-key-pair { type string { length "1 .. 255"; } description "File to read key-pair from"; } leaf encoding { type enumeration { enum "binary" { value 0; description "DER encoding"; } enum "pem" { value 1; description "Privacy-enhanced-mail encoding, base64"; } } default "binary"; description "Encoding to use for certificate or CRL on disk"; } leaf identity { type string { length "1 .. 32"; } description "Define the remote certificate name"; } container pre-shared-key { description "Define a preshared key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container pre-shared-key } // grouping ike-policy grouping ike-proposal { leaf name { junos:must "((("services ipsec-vpn ike proposal $$" && !("security ike proposal $$")) || ("security ike proposal $$" && !("services ipsec-vpn ike proposal $$"))))"; junos:must-message "Referenced IKE proposal must not be defined both under [edit security ike proposal] and [edit services ipsec-vpn ike proposal]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } enum "rsa-signatures" { value 1; description "RSA signatures"; } enum "dsa-signatures" { value 2; description "DSA signatures"; } enum "ecdsa-signatures-256" { value 3; description "ECDSA signatures (254 bit modulus)"; } enum "ecdsa-signatures-384" { value 4; description "ECDSA signatures (384 bit modulus)"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "md5" { value 0; description "MD5 authentication algorithm"; } enum "sha1" { value 1; description "SHA1 authentication algorithm"; } enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 3; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ike-proposal grouping security-ipsec-vpn { uses apply-advanced; container traceoptions { description "Trace options for IPSec data-plane debug"; uses ipsec-traceoptions; } // container traceoptions container vpn-monitor-options { presence "enable vpn-monitor-options"; description "Global options for VPN liveliness monitoring"; uses ipsec-vpn-monitor; } // container vpn-monitor-options list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses ipsec-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IPSec policy"; uses ipsec-policy; } // list policy list vpn { key "name"; ordered-by user; description "Define an IPSec VPN"; uses ipsec-vpn-template; } // list vpn list security-association { key "name"; ordered-by user; description "Define an IPSec security association"; uses ipsec-sa; } // list security-association container internal { presence "enable internal"; description "Define an IPSec SA for internal RE-RE communication"; uses apply-advanced; container security-association { presence "enable security-association"; description "Define an IPSec security association"; uses ipsec-internal-sa; } // container security-association } // container internal container trusted-channel { junos:must "("security ipsec trusted-channel security-association")"; junos:must-message "Must configure trusted-channel security-association"; presence "enable trusted-channel"; description "Define an IPSec SA for trusted-channel communication"; uses apply-advanced; container security-association { presence "enable security-association"; description "Define an IPSec security association"; uses ipsec-trusted-channel-sa; } // container security-association leaf-list port-exclusion-list { junos:must "("security ipsec trusted-channel security-association")"; junos:must-message "Must configure trusted-channel security-association"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } ordered-by user; description "Define port exlusion list"; } } // container trusted-channel } // grouping security-ipsec-vpn grouping ipsec-internal-sa { uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of internal security association"; } container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual } // grouping ipsec-internal-sa grouping ipsec-policy { leaf name { junos:must "((("services ipsec-vpn ipsec policy $$" && !("security ipsec policy $$")) || ("security ipsec policy $$" && !("services ipsec-vpn ipsec policy $$"))))"; junos:must-message "Referenced IPSec policy must not be defined both under [edit security ipsec policy] and [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec policy"; } container perfect-forward-secrecy { description "Define perfect forward secrecy"; uses apply-advanced; leaf keys { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } } // container perfect-forward-secrecy leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 0; description "IPSEC basic proposal-set"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 1; description "IPSEC compatible proposal-set"; } enum "standard" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 2; description "IPSEC standard proposal-set"; } } description "Types of default IPSEC proposal-set"; } } // grouping ipsec-policy grouping ipsec-proposal { leaf name { junos:must "((("services ipsec-vpn ipsec proposal $$" && !("security ipsec proposal $$")) || ("security ipsec proposal $$" && !("services ipsec-vpn ipsec proposal $$"))))"; junos:must-message "Referenced IPSec proposal must not be defined both under [edit security ipsec proposal] and [edit services ipsec-vpn ipsec proposal]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec proposal"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption-algorithm"))"; junos:must-message "Encryption algorithm must not be defined for AH"; value 0; description "Authentication header"; } enum "esp" { value 1; description "Encapsulated Security Payload header"; } enum "bundle" { value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the proposal"; } leaf authentication-algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { junos:must "(".. .. .. .. ipsec-vpn")"; junos:must-message "hmac-sha-256-128 algorithm is not supported for IKE and IPSec configuration in security hierarchy"; value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } enum "hmac-sha2-256" { value 4; description "HMAC-SHA2-256 authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 5; description "AES-GCM 128-bit encryption algorithm with 16 octet ICV"; } enum "aes-192-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 6; description "AES-GCM 192-bit encryption algorithm with 16 octet ICV"; } enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 7; description "AES-GCM 256-bit encryption algorithm with 16 octet ICV"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ipsec-proposal grouping ipsec-sa { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of IPSec security association"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of security association"; } leaf mode { type enumeration { enum "transport" { junos:must "(!(".. dynamic"))"; junos:must-message "Dynamic security associations are not supported in transport mode"; junos:must "(".. manual")"; junos:must-message "Manual block must be configured for transport mode security association"; value 0; description "Transport mode"; } enum "tunnel" { value 1; description "Tunnel mode"; } } default "tunnel"; description "Define security association mode"; } choice sa_choice { container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual container dynamic { description "Define a dynamic security association"; uses apply-advanced; leaf replay-window-size { type enumeration { enum "32" { value 0; description "32-packet window size"; } enum "64" { value 1; description "64-packet window size"; } } description "Define replay protection window size"; } leaf ipsec-policy { junos:must "("security ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit security ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } } // container dynamic } // choice sa_choice } // grouping ipsec-sa grouping ipsec-traceoptions { description "Data-plane IPSec tracing options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Events to include in data-plane IPSec trace output"; leaf name { type enumeration { enum "packet-processing" { value 0; description "Trace data packet processing events"; } enum "packet-drops" { value 1; description "Trace packet drops"; } enum "security-associations" { value 2; description "Trace security association management events"; } enum "next-hop-tunnel-binding" { value 3; description "Trace next-hop tunnel binding events"; } enum "all" { value 4; description "Trace with all flags enabled"; } } } } // list flag } // grouping ipsec-traceoptions grouping ipsec-trusted-channel-sa { uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of trusted channel security association"; } container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual } // grouping ipsec-trusted-channel-sa grouping ipsec-vpn-monitor { description "Configure VPN monitoring"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 3600"; } } units "seconds"; default "10"; description "Monitor interval in seconds"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65536"; } } default "10"; description "Number of consecutive failures to determine connectivity"; } } // grouping ipsec-vpn-monitor grouping ipsec-vpn-template { description "Configure an IPSec VPN"; leaf name { type string { length "1 .. 32"; } description "Name of the VPN"; } uses apply-advanced; leaf bind-interface { junos:must "(("interfaces $$" || any "logical-systems <*> interfaces $$"))"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Bind to tunnel interface (route-based VPN)"; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Clear DF bit of outer header"; } enum "set" { value 1; description "Set DF bit of outer header"; } enum "copy" { value 2; description "Copy DF bit from inner header"; } } description "Specifies how to handle the Don't Fragment bit"; } container vpn-monitor { presence "enable vpn-monitor"; description "Monitor VPN liveliness"; uses ipsec-template-monitor; } // container vpn-monitor choice negotiation { container manual { description "Define a manual security association"; uses apply-advanced; leaf gateway { type jt:hostname; description "Define the IPSec peer"; } leaf external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "External interface for the security association"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // container manual container ike { description "Define an IKE-keyed IPSec vpn"; uses apply-advanced; leaf gateway { junos:must "(!(("security ike gateway $$ dynamic ike-user-type" && ".. .. vpn-monitor destination-ip")))"; junos:must-message "No destination ip support for vpn-monitor in vpn using shared or group ike"; junos:must "(!((".. .. bind-interface" && ("security ike gateway $$ dynamic ike-user-type" && "security ike gateway $$ version v2-only"))))"; junos:must-message "No IKEv2 support for shared or group ike in route-based vpn"; junos:must "("security ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security ike gateway]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of remote gateway"; } leaf idle-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 999999"; } } units "seconds"; description "Idle time to delete SA"; } leaf no-anti-replay { type empty; description "Disable the anti-replay check"; } container proxy-identity { presence "enable proxy-identity"; description "IPSec proxy-id to use in IKE negotiations"; uses ipsec-template-proxy-id; } // container proxy-identity leaf ipsec-policy { junos:must "("security ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit security ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } leaf install-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } units "seconds"; default "1"; description "Delay installation of rekeyed outbound SAs on initiator"; } } // container ike } // choice negotiation leaf establish-tunnels { junos:must "(".. ike")"; junos:must-message "VPN must be IKE-keyed to define establish-tunnel method"; type enumeration { enum "immediately" { value 0; description "Establish tunnels immediately"; } enum "on-traffic" { value 1; description "Establish tunnels on traffic"; } } default "on-traffic"; description "Define the criteria to establish tunnels"; } } // grouping ipsec-vpn-template grouping ipsec-template-monitor { description "Configure VPN monitoring"; uses apply-advanced; leaf optimized { type empty; description "Optimize for scalability"; } leaf source-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Source interface for monitor message"; } leaf destination-ip { type jt:ipaddr; description "Destination IP addres for monitor message"; } } // grouping ipsec-template-monitor grouping ipsec-template-proxy-id { description "Proxy identity settings"; uses apply-advanced; leaf local { type jt:ipprefix-mandatory; description "Local IP address/prefix length"; } leaf remote { type jt:ipprefix-mandatory; description "Remote IP address/prefix length"; } leaf service { type string { length "1 .. 32"; } description "Name of serivce that passes through, any enables all services"; } } // grouping ipsec-template-proxy-id grouping security-macsec { uses apply-advanced; container traceoptions { presence "enable traceoptions"; description "Tracing options for debugging protocol operation"; uses macsec-trace-options; } // container traceoptions list connectivity-association { key "name"; ordered-by user; description "Configure connectivity association properties"; leaf name { type string { length "1 .. 32"; } description "Connectivity association name"; } uses apply-advanced; leaf cipher-suite { type enumeration { enum "gcm-aes-128" { value 0; description "GCM-AES-128 cipher suite"; } enum "gcm-aes-256" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-256 cipher suite not allowed for static-sak mode"; value 1; description "GCM-AES-256 cipher suite"; } enum "gcm-aes-xpn-128" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-XPN-128 cipher suite not allowed for static-sak mode"; value 2; description "GCM-AES-XPN-128 cipher suite"; } enum "gcm-aes-xpn-256" { junos:must "(!(".. security-mode static-sak"))"; junos:must-message "GCM-AES-XPN-256 cipher suite not allowed for static-sak mode"; value 3; description "GCM-AES-XPN-256 cipher suite"; } } description "Cipher suite to be used for encryption"; } leaf security-mode { junos:must "((!(".. security-mode static-cak") || (".. pre-shared-key cak" || (".. pre-shared-key-chain" || ".. fallback-key cak"))))"; junos:must-message "Pre-shared key or fallback-key or pre-shared-key-chain required for static-cak mode"; type enumeration { enum "dynamic" { value 0; description "Dynamic connectivity and secure association mode (MKA and dot1x)"; } enum "static-sak" { value 1; description "Static secure association key mode (no MKA)"; } enum "static-cak" { value 2; description "Static connectivity association key mode (MKA and Pre-shared key)"; } } description "Connectivity association mode"; } leaf sak-hash-128 { junos:must "((".. cipher-suite gcm-aes-256" || ".. cipher-suite gcm-aes-xpn-256"))"; junos:must-message "Allowed only for cipher-suite gcm-aes-256 or gcm-aes-xpn-256"; type empty; description "Configure to generate 128bit SAK hash to program HW"; } list secure-channel { junos:must "(".. security-mode static-sak")"; junos:must-message "Secure-channel configuration allowed only for static-sak mode"; key "name"; ordered-by user; description "Configure secure channel properties"; leaf name { type string; description "Secure channel name"; } uses apply-advanced; container id { description "Secure channel identifier"; uses apply-advanced; leaf mac-address { type jt:mac-addr; description "MAC addresses"; } leaf port-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port identifier"; } } // container id leaf direction { type enumeration { enum "inbound" { value 0; } enum "outbound" { value 1; } } description "Secure channel direction"; } leaf encryption { type empty; description "Enable Encryption"; } leaf offset { type enumeration { enum "0" { value 0; description "Confidentiality protected for all octets of MACSec PDU data"; } enum "30" { value 1; description "Confidentiality not protected for initial 30 octets of MACSec PDU data"; } enum "50" { value 2; description "Confidentiality not protected for initial 50 octets of MACSec PDU data"; } } description "Confidentiality offset"; } leaf include-sci { type empty; description "Include secure channel identifier in MAC Security PDU"; } list security-association { key "name"; ordered-by user; description "Security association"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3"; } } description "Security association number"; } uses apply-advanced; leaf key { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F) of length 32"; length "32"; } description "Security association key in hexadecimal format of length 32"; } } // list security-association } // list secure-channel container mka { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "MKA configuration can be set only for dynamic/static-cak modes"; presence "enable mka"; description "Configure MAC Security Key Agreement protocol properties"; uses apply-advanced; leaf transmit-interval { junos:must "(!(".. bounded-delay"))"; junos:must-message "Might not be configured with bounded-delay"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2000 .. 6000"; } } units "milliseconds"; default "2000"; description "Configure MKA periodic transmit interval"; } leaf sak-rekey-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 86400"; } } units "seconds"; description "Configure SAK rekeying interval"; } leaf bounded-delay { junos:must "(".. .. replay-protect replay-window-size")"; junos:must-message "replay-window-size must be configured with bounded-delay"; type empty; description "Configure Bounded Hello Time"; } leaf key-server-priority { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } default "16"; description "Configure MKA key server priority"; } leaf must-secure { junos:must "(".. .. security-mode dynamic")"; junos:must-message "Allowed only for dynamic mode"; type empty; description "Allow only secure dot1x traffic"; } leaf should-secure { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static mode"; type empty; description "Configure fail open mode for MKA protocol"; } leaf eapol-address { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type string; default "pae"; description "Configure EAPOL destination group address"; } } // container mka container replay-protect { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; description "Configure replay protection"; uses apply-advanced; leaf replay-window-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "packets"; description "Configure replay protection window size"; } } // container replay-protect leaf no-encryption { junos:must "(!(".. offset"))"; junos:must-message "Offset can be configured only with encryption"; junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Encryption for static-sak mode should be configured under secure-channel"; type empty; description "Disable encryption"; } leaf disable-preceding-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Enabling configuration allowed only in static-cak mode"; type empty; description "Disable CA preceding key duing key switch-over"; } leaf offset { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Offset for static-sak mode should be configured under secure-channel"; type enumeration { enum "0" { value 0; description "Confidentiality provided for all octets of data"; } enum "30" { value 1; description "Confidentiality not provided for initial 30 octets of data"; } enum "50" { value 2; description "Confidentiality not provided for initial 50 octets of data"; } } default "0"; description "Confidentiality offset"; } leaf include-sci { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; type empty; description "Include secure channel identifier in MAC Security PDU"; } container pre-shared-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Pre-shared key configuration allowed only in static-cak mode"; presence "enable pre-shared-key"; description "Configure pre-shared connectivity association key"; uses apply-advanced; leaf ckn { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 64"; } description "Connectivity association key in hexadecimal format"; } } // container pre-shared-key container fallback-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Fallback key configuration allowed only in static-cak mode"; presence "enable fallback-key"; description "Configure fallback key for connectivity association"; uses apply-advanced; leaf ckn { junos:must "(!(".. .. pre-shared-key ckn $$"))"; junos:must-message "fallback-key CKN cannot be same as pre-shared-key CKN"; type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association fallback key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 64"; } description "Connectivity association fallback key secret in hexadecimal format"; } } // container fallback-key leaf pre-shared-key-chain { junos:must "(!(".. pre-shared-key"))"; junos:must-message "May not be configured with pre-shared-key"; junos:must "("security authentication-key-chains key-chain $$")"; junos:must-message "authentication-key-chains not defined !!"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Pre-shared key chain name for connectivity association"; } list exclude-protocol { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; key "name"; ordered-by user; description "Configure protocols to exclude from MAC Security"; leaf name { type enumeration { enum "cdp" { value 0; description "Cisco Discovery Protocol"; } enum "lldp" { value 1; description "Link Level Discovery Protocol"; } enum "lacp" { value 2; description "Link Aggregation Control Protocol"; } } } } // list exclude-protocol } // list connectivity-association list interfaces { key "name"; description "Interfaces on which macsec configuration is applied"; leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; leaf connectivity-association { junos:must "("security macsec connectivity-association $$")"; junos:must-message "Connectivity association not defined"; type string; description "Connectivity association name"; } container traceoptions { junos:must "(".. connectivity-association")"; junos:must-message "Connectivity association should be configured on interface to enable traceoptions"; presence "enable traceoptions"; description "Tracing options of MKA protocol"; uses mka-trace-options; } // container traceoptions } // list interfaces } // grouping security-macsec grouping macsec-trace-options { description "Trace options for MACSec Protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "config" { value 0; description "Trace configuration messages"; } enum "debug" { value 1; description "Trace debug messages"; } enum "normal" { value 2; description "Trace normal messages"; } enum "all" { value 3; description "Trace all"; } } } } // list flag } // grouping macsec-trace-options grouping mka-trace-options { description "Trace options for MKA protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "mka-packets" { value 0; description "Trace MKA input and output packets"; } enum "state" { value 1; description "Trace MKA state information"; } enum "to-secy" { value 2; description "Trace MKA to SecY state changes"; } enum "keys" { value 3; description "Trace key creation/generation information"; } enum "normal" { value 4; description "Trace normal events"; } enum "all" { value 5; description "Trace all"; } } } } // list flag } // grouping mka-trace-options grouping security-pki { uses apply-advanced; list ca-profile { key "name"; ordered-by user; description "Certificate authority profile configuration"; leaf name { type string { junos:posix-pattern "![/%. ]"; junos:pattern-message "Must not contain '/', %, '.' or a space"; length "1 .. 32"; } description "Name of certificate authority profile"; } uses apply-advanced; leaf ca-identity { type string; description "Certificate authority identifier"; } leaf source-address { type jt:ipaddr; description "Use specified address as source address"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [edit services proxy profile]"; type string; description "Use specified proxy server"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string; description "Use specified routing instance"; } container enrollment { description "Enrollment parameters for certificate authority"; uses apply-advanced; leaf url { type string; description "Enrollment URL of certificate authority"; } leaf retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } default "1000"; description "Number of enrollment retry attempts before aborting"; } leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } default "600"; description "Interval in seconds between the enrollment retries"; } } // container enrollment container revocation-check { description "Method for checking certificate revocations"; uses apply-advanced; choice revocation-check-options { leaf use-crl { type empty; description "Use CRL for revocation check"; } leaf use-ocsp { type empty; description "Use OCSP for revocation check"; } leaf disable { type empty; description "Disable revocation check"; } } // choice revocation-check-options container ocsp { presence "enable ocsp"; description "Online Certificate Status Protocol (OCSP) configuration"; uses apply-advanced; list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "HTTP URL for OCSP access location"; } uses apply-advanced; } // list url leaf nonce-payload { type enumeration { enum "enable" { value 0; description "Send nonce paylod in OCSP request"; } enum "disable" { value 1; description "Do not send nonce payload in OCSP request"; } } description "Include nonce payload in OCSP requests"; } leaf disable-responder-revocation-check { type empty; description "Disable OCSP responder certificate revocation check"; } leaf accept-unknown-status { type empty; description "Accept certificates with unknown status"; } container connection-failure { presence "enable connection-failure"; description "Actions on failure to connect to OCSP Responder"; uses apply-advanced; choice connection-failure-options { leaf fallback-crl { type empty; description "Use CRL for revocation check"; } leaf disable { type empty; description "Disable OCSP check on connection failure"; } } // choice connection-failure-options } // container connection-failure } // container ocsp container crl { description "Certificate revocation list configuration"; uses apply-advanced; container disable { leaf on-download-failure { type empty; description "Check revocation status with existing CRL file if present, otherwise skip. This feature must be enabled for manual CRL download."; } } // container disable list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "URL of CRL distribution point for certificate authority"; } uses apply-advanced; leaf password { type jt:unreadable; description "Password for authentication with the server"; } } // list url leaf refresh-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 8784"; } } units "hours"; description "CRL refresh interval"; } } // container crl } // container revocation-check container administrator { description "Administrator information"; uses apply-advanced; leaf email-address { type string; description "Administrator e-mail to which to send certificate requests"; } } // container administrator } // list ca-profile list trusted-ca-group { key "name"; ordered-by user; description "Trusted Certificate Authority group configuration"; leaf name { type string { length "1 .. 63"; } description "Name of the trusted CA group"; } uses apply-advanced; leaf-list ca-profiles { type string { length "1 .. 63"; } max-elements 20; ordered-by user; description "Name of the CA profiles (maximum 20)"; } } // list trusted-ca-group container trap { presence "enable trap"; description "Trap options for PKI certificates"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "Local certificate identifier"; leaf name { type string; description "Local cert id"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list certificate-id list ca-identity { key "name"; ordered-by user; description "CA identity"; leaf name { junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string; description "CA profile"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list ca-identity container all-certificates { presence "enable all-certificates"; description "Trap config for all certificates"; uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // container all-certificates } // container trap container auto-re-enrollment { description "Auto re-enroll of certificate"; uses apply-advanced; container cmpv2 { presence "enable cmpv2"; description "CMPv2 auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "CMPv2 auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } } // list certificate-id } // container cmpv2 container scep { presence "enable scep"; description "SCEP auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "SCEP auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf challenge-password { type jt:unreadable; description "Password used by CA for enrollment and revocation"; } container scep-encryption-algorithm { presence "enable scep-encryption-algorithm"; description "SCEP encryption algorithm"; uses apply-advanced; choice scep-encryption-algorithm-options { leaf des { type empty; description "Use DES as SCEP encryption algorithm"; } leaf des3 { type empty; description "Use DES3 as SCEP encryption algorithm"; } } // choice scep-encryption-algorithm-options } // container scep-encryption-algorithm container scep-digest-algorithm { presence "enable scep-digest-algorithm"; description "SCEP digest algorithm"; uses apply-advanced; choice scep-digest-algorithm-options { leaf md5 { type empty; description "Use MD5 as SCEP digest algorithm"; } leaf sha1 { type empty; description "Use SHA1 as SCEP digest algorithm"; } } // choice scep-digest-algorithm-options } // container scep-digest-algorithm } // list certificate-id } // container scep list certificate-id { key "name"; ordered-by user; description "Auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf challenge-password { type jt:unreadable; description "Password used by CA for enrollment and revocation"; } container scep-encryption-algorithm { presence "enable scep-encryption-algorithm"; description "SCEP encryption algorithm"; uses apply-advanced; choice scep-encryption-algorithm-options { leaf des { type empty; description "Use DES as SCEP encryption algorithm"; } leaf des3 { type empty; description "Use DES3 as SCEP encryption algorithm"; } } // choice scep-encryption-algorithm-options } // container scep-encryption-algorithm container scep-digest-algorithm { presence "enable scep-digest-algorithm"; description "SCEP digest algorithm"; uses apply-advanced; choice scep-digest-algorithm-options { leaf md5 { type empty; description "Use MD5 as SCEP digest algorithm"; } leaf sha1 { type empty; description "Use SHA1 as SCEP digest algorithm"; } } // choice scep-digest-algorithm-options } // container scep-digest-algorithm leaf validity-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4095"; } } status deprecated; description "Certificate validity period in days from enrollment start date"; } } // list certificate-id } // container auto-re-enrollment container traceoptions { description "PKI trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "certificate-verification" { value 0; description "PKI certificate verification tracing"; } enum "online-crl-check" { value 1; description "PKI online crl tracing"; } enum "enrollment" { value 2; description "PKI certificate enrollment tracing"; } enum "all" { value 3; description "Trace with all flags enabled"; } } } } // list flag } // container traceoptions } // grouping security-pki grouping security-traceoptions { description "Trace options for key management process"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } default "0"; description "Limit the incoming rate of trace messages"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "config" { value 3; description "Trace configuration download processing"; } enum "ike" { value 4; description "Trace IKE module processing"; } enum "policy-manager" { value 5; description "Trace policy manager processing"; } enum "general" { value 6; description "Trace general events"; } enum "database" { value 7; description "Trace security associations database events"; } enum "certificates" { value 8; description "Trace certificate events"; } enum "snmp" { value 9; description "Trace SNMP operations"; } enum "thread" { value 10; description "Trace thread processing"; } enum "high-availability" { value 11; description "Trace high-availability operations"; } enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; } enum "all" { value 13; description "Trace everything"; } enum "ams" { value 14; description "Trace AMS events"; } enum "lic" { value 15; description "Trace License events"; } } } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } } // grouping security-traceoptions grouping tenant-system-type { description "Tenant name"; leaf name { junos:must "("tenants $$")"; junos:must-message "Tenants must be defined under [tenants] "; type string; description "Tenant name"; } uses apply-advanced; leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } } // grouping tenant-system-type grouping tunable-object { leaf name { type string; } uses apply-advanced; leaf tunable-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Protocol tunable value"; } } // grouping tunable-object grouping vendor-object { leaf name { type string; description "Values for vendor field"; } uses apply-advanced; leaf product-name { type string; description "Values for product field"; } } // grouping vendor-object } // module junos-qfx-conf-security
© 2023 YumaWorks, Inc. All rights reserved.