Junos services configuration module
Version: 2019-01-01
module junos-qfx-conf-services { yang-version 1; namespace "http://yang.juniper.net/junos-qfx/conf/services"; prefix jc-services; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-qfx-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos services configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses services-group; } augment /jc:configuration/jc:groups { uses services-group; } grouping services-group { container services { description "System services"; uses apply-advanced; container jinsightd { presence "enable jinsightd"; description "Health Monitoring services"; uses apply-advanced; container traceoptions { description "Jinsight trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace all events"; } enum "rule-engine" { value 1; description "Log configuration rule engine"; } enum "core" { value 2; description "Trace core message events"; } enum "database" { value 3; description "Trace database events"; } enum "timer" { value 4; description "Trace timer events"; } } } } // list flag } // container traceoptions } // container jinsightd container flow-tap { description "Configure flow-tap parameters"; uses apply-advanced; container family { description "Address family of packets to tap"; uses apply-advanced; leaf inet { type empty; description "IPv4 family"; } leaf inet6 { type empty; description "IPv4 family"; } leaf ccc { type empty; description "CCC family"; } } // container family leaf interface { junos:must "(!("services flow-tap tunnel-interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Service interface on which to configure flow-tap service"; } leaf tunnel-interface { junos:must "(!("services flow-tap interface"))"; junos:must-message 
"tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet6")"; junos:must-message "Interface with family inet6 must be defined in the [edit interfaces] hierarchy"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Tunnel interface through which flow-tap would communicate with MD"; } } // container flow-tap container radius-flow-tap { description "Configure radius triggered flow-tap parameters"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to intercepted packets"; } leaf source-ipv4-address { type jt:ipv4addr; description "IP Address to use as source address in IPv4 header appended to intercepted packets"; } leaf multicast-interception { type empty; description "Enable Multicast Tapping"; } container interfaces { description "Tunnel Interfaces"; uses apply-advanced; list tunnel-interface { key "name"; uses tunnel_interface_type; } // list tunnel-interface } // container interfaces choice ri_or_ls { leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } list logical-system { key "name"; max-elements 1; ordered-by user; description "Logical system to be used for radius flow tap"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Referenced logical system must be defined"; type string; description "Logical system name"; } uses apply-advanced; leaf 
routing-instance { junos:must "("logical-systems ${logical-system} routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } } // list logical-system } // choice ri_or_ls list policy { key "name"; ordered-by user; description "Policy"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Policy Name"; } uses apply-advanced; container inet { description "Protocol family IPv4 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv4 drop policy"; uses drop-policy-term; } // list drop-policy } // container inet container inet6 { description "Protocol family IPv6 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv6 drop policy"; uses drop-policy6-term; } // list drop-policy } // container inet6 } // list policy container snmp { description "SNMP options for radius flow tap"; uses apply-advanced; list notify-targets { key "name"; ordered-by user; description "Target list for packet mirror SNMP notifications"; leaf name { type jt:ipaddr; description "Target IP address"; } uses apply-advanced; } // list notify-targets } // container snmp } // container radius-flow-tap container mobile-flow-tap { description "Configure mobile triggered flow-tap parameters"; uses apply-advanced; container source-interface { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "mobile flow service and dynamic flow capture service cannot be configured together"; junos:must "(!("services radius-flow-tap"))"; junos:must-message "mobile flow service and radius flow capture service cannot be configured together"; junos:must "(!("services flow-tap"))"; junos:must-message "mobile flow service and flow capture service cannot be configured together"; presence "enable 
source-interface"; description "Source interface from which IRI packets will be sent"; leaf interface-name { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf ipv4-address { type jt:ipv4addr; description "Source IPv4 address to be used"; } } // container source-interface } // container mobile-flow-tap container flow-monitoring { presence "enable flow-monitoring"; description "Configure flow monitoring"; uses apply-advanced; container version9 { description "Version 9 configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version 9 templates"; uses version9-template; } // list template } // container version9 container version-ipfix { description "Version IP-Fix configuration"; uses apply-advanced; list template { key "name"; max-elements 10; ordered-by user; description "One or more version ip-fix templates"; uses version-ipfix-template; } // list template } // container version-ipfix } // container flow-monitoring container jdaf { description "Juniper distributed application framework (JDAF)"; uses apply-advanced; leaf-list routing-instances { type string { length "1 .. 
128"; } ordered-by user; description "List of routing-instance name for JDAF clients"; } } // container jdaf container rpm { presence "enable rpm"; description "Real-time performance monitoring"; uses apply-advanced; container traceoptions { description "RMOPD trace options"; uses rmopd-traceoptions; } // container traceoptions container bgp { description "BGP options for real-time performance monitoring"; uses apply-advanced; leaf probe-type { type enumeration { enum "icmp-ping" { value 0; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 1; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 2; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 3; description "Send TCP packets to target"; } enum "udp-ping" { value 4; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 5; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "RPM-BGP probe request type"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1024"; } } default "0"; description "Number of samples used for moving average"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } list logical-system { key "name"; description "Logical systems"; uses bgp-logical-system; } // list logical-system list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // container bgp list probe { key "name"; ordered-by user; description "TCP/UDP/ICMP ping"; leaf name { type string { length "1 .. 32"; } description "Name of owner"; } uses apply-advanced; leaf delegate-probes { type empty; description "Offload real-time performance monitoring probes to MS-MIC/MS-MPC card"; } list test { key "name"; ordered-by user; description "TCP/UDP/ICMP/ICMP6 ping test"; leaf name { type string { length "1 .. 32"; } description "Name of test"; } uses apply-advanced; container rpm-scale { presence "enable rpm-scale"; description "Configuring real-time performance monitoring scale tests"; uses apply-advanced; leaf tests-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Number of probe-tests generated using scale config"; } choice target-type { container target { junos:must "(!(".. 
source-inet6"))"; junos:must-message "source-inet6 knob not valid for IPV4 probes"; presence "enable target"; description "Target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of target host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment target address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target container target-inet6 { junos:must "(!(".. source"))"; junos:must-message "source knob not valid for IPV6 probes"; presence "enable target-inet6"; description "IPv6 target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of target host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment target address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target-inet6 } // choice target-type choice source-type { container source { junos:must "(!(".. target-inet6"))"; junos:must-message "target-inet6 knob not valid for IPV4 probes"; presence "enable source"; description "Source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment src address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source container source-inet6 { junos:must "(!(".. 
target"))"; junos:must-message "target knob not valid for IPV6 probes"; presence "enable source-inet6"; description "IPv6 source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment src address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source-inet6 } // choice source-type container destination { presence "enable destination"; description "Name of output interface for probes"; uses apply-advanced; leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Base destination interface for scale test"; } leaf subunit-cnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Subunit count for destination interface for scale test"; } } // container destination } // container rpm-scale leaf probe-type { type enumeration { enum "http-get" { value 0; description "Perform HTTP Get request at target URL"; } enum "http-metadata-get" { value 1; description "Perform HTTP Get request of metadata at target URL"; } enum "icmp-ping" { value 2; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 3; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 4; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 5; description "Send TCP packets to target"; } enum "udp-ping" { value 6; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 7; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "Probe request type"; } container target { presence "enable target"; description "Target destination for probe"; choice target-type { 
leaf address { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type jt:ipv4addr; description "Address of target host"; } leaf inet6-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type jt:ipv6addr; description "Inet6 Address of target host"; } leaf url { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type string; description "Fully formed target URL"; } leaf inet6-url { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type string; description "Fully formed target IPV6 URL"; } } // choice target-type } // container target container inet6-options { presence "enable inet6-options"; description "IPV6 related options"; uses apply-advanced; leaf source-address { type jt:ipv6addr; description "Inet6 Source Address of the probe"; } } // container inet6-options leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf source-address { junos:must "(!(".. 
target inet6-address"))"; junos:must-message "source-address knob for IPV6 based probes is under inet6-options"; type jt:ipv4addr; description "Source address for probe"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by probes"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } container thresholds { presence "enable thresholds"; description "Probe and test threshold values. 
Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds leaf-list traps { type enumeration { enum "probe-failure" { value 0; description "Successive probe loss threshold reached"; } enum "test-failure" { value 1; description "Total probe loss threshold reached"; } enum "test-completion" { value 2; description "Test completed"; } enum "rtt-exceeded" { value 3; description "Exceeded maximum round trip time threshold"; } enum "std-dev-exceeded" { value 4; description "Exceeded round trip time standard deviation threshold"; } enum "jitter-exceeded" { value 5; description "Exceeded jitter in round trip time threshold"; } enum "ingress-time-exceeded" { value 6; description "Exceeded maximum ingress time threshold"; } enum "ingress-std-dev-exceeded" { value 7; description "Exceeded ingress time standard deviation threshold"; } enum "ingress-jitter-exceeded" { value 8; description "Exceeded jitter in ingress time threshold"; } enum "egress-time-exceeded" { value 9; description "Exceeded maximum egress time threshold"; } enum "egress-std-dev-exceeded" { value 10; description "Exceeded egress time standard deviation threshold"; } enum "egress-jitter-exceeded" { value 11; description "Exceeded jitter in egress time threshold"; } } ordered-by user; description "Trap to send if threshold is met or exceeded"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } leaf hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "Hardware timestamping not supported for IPV6 based probes."; junos:must "((!(".. destination-port") || ".. 
destination-port $$={7}"))"; junos:must-message "For UDP pings, only port 7 can be configured for hardware timestamping."; type empty; description "Packet Forwarding Engine updates timestamps"; } leaf one-way-hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "One-way hardware timestamping not supported for IPV6 based probes."; type empty; description "Enable hardware timestamps for one-way measurements"; } leaf next-hop { type jt:ipv4addr; description "Next-hop to which probe should be sent"; } } // list test } // list probe container probe-server { description "ICMP/TCP/UDP probe server"; uses apply-advanced; container tcp { description "TCP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } } // container tcp container udp { description "UDP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } } // container udp } // container probe-server leaf probe-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500"; } } default "100"; description "Maximum number of concurrent probes allowed"; } container rfc2544-benchmarking { presence "enable rfc2544-benchmarking"; description "Rfc2544 benchmarking tests"; uses apply-advanced; container profiles { description "Rfc2544 test profiles"; uses apply-advanced; list test-profile { key "name"; ordered-by user; description "Test-profile definition"; leaf name { junos:must "(".. bandwidth-kbps")"; junos:must-message "bandwidth-kbps has to be configured in a profile"; junos:must "(".. test-type")"; junos:must-message "test-type has to be configured in a profile"; junos:must "(".. packet-size")"; junos:must-message "packet-size has to be configured in a profile"; type string { length "1 .. 
32"; } description "Test name"; } uses apply-advanced; leaf test-type { type enumeration { enum "throughput" { value 0; description "Rfc2544 throughput test"; } enum "latency" { value 1; description "Rfc2544 latency test"; } enum "frame-loss" { value 2; description "Rfc2544 frame-loss test"; } enum "back-back-frames" { value 3; description "Rfc2544 back to back frames test"; } } default "throughput"; description "Rfc2544 test type"; } leaf-list packet-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 9216"; } } ordered-by user; description "Size of the test packet"; } leaf bandwidth-kbps { type union { type string { pattern "<.*>|$.*"; } type uint32; } default "10000"; description "Theoretical max service bandwidth in kbps"; } leaf step-percent { junos:must "(".. test-type frame-loss")"; junos:must-message "step-percent is valid only for frame-loss test"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "10"; description "Step percent for test"; } } // list test-profile } // container profiles container tests { presence "enable tests"; description "Rfc2544 test configuration"; uses apply-advanced; list test-name { key "name"; ordered-by user; description "Test definition"; leaf name { junos:must "(".. mode")"; junos:must-message "mode has to be configured in a test"; type string { length "1 .. 32"; } description "Test name"; } uses apply-advanced; leaf test-profile { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; junos:must "("services rpm rfc2544-benchmarking profiles test-profile $$")"; junos:must-message "test-profile not configured"; type string; description "Name of the test profile"; } leaf source-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. 
family vpls")))"; junos:must-message "source-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of source host in xx:xx:xx:xx:xx:xx format -Generator MAC"; } leaf destination-mac-address { junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "destination-mac-address valid only for ccc/bridge/vpls family"; type jt:mac-unicast; description "MAC address of destination host in xx:xx:xx:xx:xx:xx format -Reflector MAC"; } leaf ovlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ovlan-id is not valid for mode ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "ovlan-id valid only for ccc/bridge/vpls family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Outer vlan id"; } leaf ovlan-priority { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-priority is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ovlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Outer vlan priority"; } leaf ovlan-cfi { junos:must "(".. ovlan-id")"; junos:must-message "ovlan-cfi is valid only when ovlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ovlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Outer vlan CFI bit"; } leaf outer-tag-protocol-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "outer-tag-protocol-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "outer-tag-protocol-id is valid only when ovlan-id is configured"; junos:must "(".. 
family bridge")"; junos:must-message "outer-tag-protocol-id is valid only for Bridge family"; type string { junos:posix-pattern "^0x[abcdefABCDEF0123456789]{4}$"; junos:pattern-message "Must be hexadecimal bit pattern of form 0xNNNN"; } default "0x8100"; description "Outer tag protocol id"; } leaf ivlan-id { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "ivlan-id is not valid for mode ethernet-loopback"; junos:must "(".. ovlan-id")"; junos:must-message "ivlan-id is valid only when ovlan-id is configured"; junos:must "((".. family ccc" || ".. family bridge"))"; junos:must-message "ivlan-id valid only for ccc/bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "Inner vlan id"; } leaf ivlan-priority { junos:must "(".. ivlan-id")"; junos:must-message "ivlan-priority is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-priority is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "Inner vlan priority"; } leaf ivlan-cfi { junos:must "(".. ivlan-id")"; junos:must-message "ivlan-cfi is valid only when ivlan-id is configured"; junos:must "(".. family bridge")"; junos:must-message "ivlan-cfi is valid only for bridge family"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "Inner vlan CFI bit"; } leaf vlan-id { junos:must "(".. mode ethernet-loopback")"; junos:must-message "vlan-id is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 4094"; } } description "VLAN identifier"; } leaf vlan-priority { junos:must "(".. vlan-id")"; junos:must-message "vlan-priority is valid only when vlan-id is configured"; junos:must "(".. 
mode ethernet-loopback")"; junos:must-message "vlan-priority is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 7"; } } description "VLAN priority"; } leaf vlan-cfi { junos:must "(".. vlan-id")"; junos:must-message "vlan-cfi is valid only when vlan-id is configured"; junos:must "(".. mode ethernet-loopback")"; junos:must-message "vlan-cfi is valid only for ethernet-loopback mode"; type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 1"; } } description "VLAN CFI bit"; } leaf service-type { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "service-type is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "service-type is valid only for bridge family"; type enumeration { enum "eline" { value 0; description "Eline service"; } enum "elan" { value 1; description "Elan service"; } } description "Service type"; } leaf in-service { junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "in-service is not valid for mode ethernet-loopback"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "in-service mode is supported only for bridge/vpls family"; type empty; description "Test executed in-service mode"; } leaf ip-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "ip-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. family vpls"))"; junos:must-message "ip-swap is supported only for bridge/vpls family"; type empty; description "Swap IP in the test payload"; } leaf udp-tcp-port-swap { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "udp-tcp-port-swap is valid only in reflector or ethernet-loopback mode"; junos:must "((".. family bridge" || ".. 
family vpls"))"; junos:must-message "udp-tcp-port-swap is supported only for bridge/vpls family"; type empty; description "Swap UDP/TCP port in the test payload"; } leaf ignore-test-interface-state { junos:must "(".. family bridge")"; junos:must-message "ignore-test-interface-state is supported only for bridge family"; type empty; description "Ignore interface state to run the test"; } leaf check-test-interface-mtu { junos:must "(".. family bridge")"; junos:must-message "check-test-interface-mtu is supported only for bridge family"; type empty; description "Check interface MTU to run the test"; } leaf disable-signature-check { junos:must "(".. mode reflect")"; junos:must-message "disable-signature-check is valid only in reflector mode"; type empty; description "Signature check disable"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to the frames"; } leaf packet-loss-priority { junos:must "(".. family bridge")"; junos:must-message "packet-loss-priority is valid only for bridge family"; type enumeration { enum "low" { value 0; description "Packet loss priority is low"; } enum "high" { value 1; description "Packet loss priority is high"; } enum "medium-high" { value 2; description "Packet loss priority is medium-high"; } } description "Packet loss priority assigned to the frames"; } leaf dscp-code-points { junos:must "(!(".. mode terminate"))"; junos:must-message "'dscp-code-points' cannot be configured in terminate mode"; junos:must "(!(".. mode ethernet-loopback"))"; junos:must-message "'dscp-code-points' cannot be configured in ethernet-loopback mode"; junos:must "(!(".. 
mode reflect"))"; junos:must-message "'dscp-code-points' cannot be configured in reflector mode"; type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf mode { type enumeration { enum "reflect" { junos:must "(".. family")"; junos:must-message "family has to be configured in a test"; value 0; description "Reflector end"; } enum "initiate-and-terminate" { junos:must "(".. test-profile")"; junos:must-message "test-profile <profilename> has to be configured in a test when in initiate-and-terminate mode"; value 1; description "Initiator and terminator"; } enum "ethernet-loopback" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured in a test when in ethernet-loopback mode"; junos:must "(".. family bridge")"; junos:must-message "family bridge has to be configured in a test"; value 2; description "Ethernet loopback"; } } description "Test mode"; } leaf reflect-mode { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "reflect-mode is valid only when test mode is reflect or ethernet-loopback"; type enumeration { enum "mac-swap" { value 0; description "Mac swap"; } enum "no-mac-swap" { junos:must "(!(".. service-type elan"))"; junos:must-message "'no-mac-swap' cannot be configured for elan service-type"; value 1; description "No mac-swap"; } enum "mac-rewrite" { junos:must "(".. destination-mac-address")"; junos:must-message "destination-mac-address needs to be configured with mac-rewrite mode"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address needs to be configured with mac-rewrite mode"; junos:must "(!(".. 
mode ethernet-loopback"))"; junos:must-message "'mac-rewrite' cannot be configured for mode ethernet-loopback"; value 2; description "Mac-rewrite"; } } description "Reflect mode"; } leaf family { type enumeration { enum "inet" { junos:must "(".. destination-ipv4-address")"; junos:must-message "destination-ipv4-address has to be configured with inet family"; junos:must "(".. destination-udp-port")"; junos:must-message "destination-udp-port has to be configured with inet family"; value 0; description "Inet family"; } enum "ccc" { junos:must "(".. direction")"; junos:must-message "direction needs to be configured with CCC family"; value 1; description "CCC family "; } enum "bridge" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with bridge family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with bridge family"; value 2; description "Bridge family "; } enum "vpls" { junos:must "(".. test-interface")"; junos:must-message "test-interface has to be configured with vpls family"; junos:must "(".. source-mac-address")"; junos:must-message "source-mac-address has to be configured with vpls family"; junos:must "(".. destination-mac-address")"; junos:must-message "destination-mac-address has to be configured with vpls family"; junos:must "(".. direction")"; junos:must-message "Direction needs to be configured with vpls family"; value 3; description "VPLS family "; } } description "Family type"; } leaf reflect-etype { junos:must "((".. mode reflect" || ".. mode ethernet-loopback"))"; junos:must-message "reflect-etype valid only with mode reflect or ethernet-loopback"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "reflect-etype valid only for CCC/Bridge/VPLS family"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Etype to match for reflect mode"; } leaf direction { junos:must "(".. 
test-interface")"; junos:must-message "direction must be configured along with test-interface"; junos:must "((".. family ccc" || (".. family bridge" || ".. family vpls")))"; junos:must-message "direction can be configured only with ccc/bridge/vpls family"; type enumeration { enum "ingress" { value 0; description "Pseudo-wire/Bridge/Vpls Ingress direction"; } enum "egress" { value 1; description "Pseudo-wire/Bridge/Vpls Egress direction"; } } description "Direction of test"; } leaf timestamp-format { type enumeration { enum "microseconds" { value 0; description "Timestamps in microseconds"; } enum "nanoseconds" { value 1; description "Timestamps in nanoseconds"; } } description "Format of timestamp values"; } leaf source-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Source udp port"; } leaf destination-udp-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Destination udp port"; } leaf test-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 5000"; } } default "10"; status deprecated; description "Test duration in minutes"; } leaf test-iterator-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1728000"; } } description "Duration of each iteration in seconds"; } leaf test-finish-wait-duration { junos:must "(".. mode initiate-and-terminate")"; junos:must-message "test-finish-wait-duration is valid only when test mode is initiate-and-terminate"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } default "1"; description "Number of seconds to wait after test completes before stopping the test"; } leaf transmit-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Transmit failure-threshold (default 0.5%)"; } leaf receive-failure-threshold { type decimal64 { fraction-digits 9; range "0 .. 
100"; } default "0"; description "Receive failure-threshold (default 0%)"; } leaf test-iterator-pass-threshold { type decimal64 { fraction-digits 9; range "0 .. 100"; } default "0.5"; description "Test pass-threshold (default 0.5%)"; } leaf halt-on-prefix-down { junos:must "(".. family inet")"; junos:must-message "halt-on-prefix-down is valid only for inet family"; type empty; description "Halt test on prefix down"; } leaf skip-arp-iteration { type empty; description "Skip arp iteration in tests"; } leaf test-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of interface(ifl) for test"; } leaf destination-ipv4-address { type jt:ipv4addr; description "Destination address for test"; } leaf source-ipv4-address { type jt:ipv4addr; description "Source address for test"; } } // list test-name } // container tests } // container rfc2544-benchmarking container twamp { description "Two-way Active Measurement Protocol configuration"; uses apply-advanced; leaf post-cli-implicit-firewall { type empty; description "Enable post cli implicit firewall"; } container client { description "TWAMP client configuration"; uses apply-advanced; list control-connection { key "name"; ordered-by user; description "TWAMP control session configuration"; leaf name { junos:must "((".. control-type light" || ".. target-address"))"; junos:must-message "managed control-type requires target-address"; type string { length "1 .. 32"; } description "Client name"; } uses apply-advanced; container authentication-mode { description "Authentication modes"; uses apply-advanced; leaf none { type empty; description "No authentication or encryption"; } } // container authentication-mode leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for all test sessions"; } leaf persistent-results { type empty; description "Displays the old results along with present. 
Disabled by default"; } leaf control-type { type enumeration { enum "light" { value 0; description "No control connection to manage test sessions"; } enum "managed" { value 1; description "Control connection will negotiate test sessions"; } } default "managed"; description "TWAMP control connection type"; } leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; } leaf tcp-keepintvl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "5"; description "Delay between successive TCP KEEPALIVEs (default 5)"; } leaf tcp-keepcnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } default "6"; description "Number of TCP KEEPALIVEs sent (default 6)"; } leaf destination-port { junos:must "(!(".. control-type light"))"; junos:must-message "destination-port requires managed control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 65535"; } } default "862"; description "TCP TWAMP client listening port for the test sessions. Default 862"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 500"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1024"; } } default "0"; description "Number of samples used for moving average"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by the test sessions"; } leaf target-address { junos:must "(!(".. control-type light"))"; junos:must-message "target-address only valid for managed control-type"; type jt:ipv4addr; description "Destination IPv4 address of TWAMP responder"; } leaf test-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967290"; } } default "0"; description "Total number of test session iterations"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between test session iterations"; } container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf test-iteration-done { type empty; description "All test sessions configured under the control connection have completed an iteration"; } leaf control-connection-closed { type empty; description "Control connection closed"; } } // container traps list test-session { key "name"; ordered-by user; description "Test session details"; leaf name { type string { length "1 .. 32"; } description "Test session name"; } uses apply-advanced; leaf target-address { type jt:ipaddr; description "Destination IPv4 or IPv6 address of TWAMP responder"; } leaf destination-port { junos:must "(".. .. control-type light")"; junos:must-message "destination-port requires light control-type"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "862 .. 
65535"; } } default "862"; description "Target port number for test"; } leaf data-fill-with-zeros { type empty; description "Fill contents of test packet with zeros"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "60 .. 1400"; } } default "60"; description "Size of the data portion of the probes"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias used for TCP control and UDP TWAMP test packets"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967290"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "1"; description "Delay between two consecutive probes"; } container thresholds { presence "enable thresholds"; description "TWAMP test threshold values. Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967290"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf max-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; status deprecated; description "Maximum round trip time per test"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds container traps { description "Trap to send if threshold is met or exceeded"; uses apply-advanced; leaf probe-failure { type empty; description "Successive probe loss threshold reached"; } leaf test-failure { type empty; description "Total probe loss threshold reached"; } leaf test-completion { type empty; description "Test completed"; } leaf rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold"; } leaf max-rtt-exceeded { type empty; description "Exceeded maximum round trip time threshold at the end of per test"; } leaf std-dev-exceeded { type empty; description "Exceeded round trip time standard deviation threshold"; } leaf jitter-exceeded { type empty; description "Exceeded jitter in round trip time threshold"; } leaf ingress-time-exceeded { type empty; description "Exceeded maximum ingress time threshold"; } leaf ingress-std-dev-exceeded { type empty; description "Exceeded ingress time standard deviation threshold"; } leaf ingress-jitter-exceeded { type empty; description "Exceeded jitter in ingress time threshold"; } leaf egress-time-exceeded { type empty; description "Exceeded maximum egress time threshold"; } leaf egress-std-dev-exceeded { type empty; description "Exceeded egress time standard deviation threshold"; } leaf egress-jitter-exceeded { type empty; description "Exceeded jitter in egress time threshold"; } } // container traps } // list test-session } // list control-connection } // container client container server { description "TWAMP server configuration"; uses apply-advanced; leaf tcp-keepidle { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
600"; } } units "seconds"; default "120"; description "Time to start TCP KEEPALIVEs on control connection (default 120)"; } leaf tcp-keepintvl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 600"; } } units "seconds"; default "5"; description "Delay between successive TCP KEEPALIVEs (default 5)"; } leaf tcp-keepcnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 50"; } } default "6"; description "Number of TCP KEEPALIVEs sent (default 6)"; } list routing-instance-list { key "name"; ordered-by user; description "List of allowed routing instances, not more than 100, along with ports"; leaf name { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of the routing instance"; } uses apply-advanced; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port to be used by the routing instance"; } } // list routing-instance-list container authentication-mode { description "Authentication modes"; uses apply-advanced; leaf none { type empty; description "No authentication or encryption"; } container authenticated { presence "enable authenticated"; description "Authenticated mode"; leaf control-only { type empty; status deprecated; description "Authentication mode only for TWAMP control protocol"; } } // container authenticated container encrypted { presence "enable encrypted"; description "Encrypted mode"; leaf control-only { junos:must "(!(".. .. 
encrypted-control-only"))"; junos:must-message "'encrypted control-only' and 'control-only-encrypted' cannot be configured simultaneously"; type empty; status deprecated; description "Encryption mode only for TWAMP control protocol"; } } // container encrypted leaf control-only-encrypted { type empty; description "Encrypted control and unauthenticated data mode"; } } // container authentication-mode list authentication-key-chain { key "name"; ordered-by user; description "Authentication key chain configuration"; uses twamp-authentication-key-chain; } // list authentication-key-chain leaf server-inactivity-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 30"; } } units "minutes"; default "15"; description "Control packet idle timeout value in minutes, 0 to disable"; } leaf max-connection-duration { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 120"; } } units "hours"; default "0"; description "Maximum Connection duration in hours, 0 to disable"; } leaf maximum-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 2048"; } } default "64"; description "Maximum number of test sessions for the server"; } leaf maximum-sessions-per-connection { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1024"; } } description "Maximum number of test sessions per client connection"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } default "64"; description "Maximum number of connections for the server"; } leaf maximum-connections-per-client { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500"; } } description "Maximum number of server connections per client"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } default "862"; description "TWAMP server listening port"; } list client-list { key "name"; ordered-by user; description "List of allowed clients"; leaf name { type string { length "1 .. 127"; } description "Name of client list"; } uses apply-advanced; list address { key "name"; ordered-by user; description "IPv4 prefix of TWAMP client"; leaf name { junos:must "(unique "services rpm twamp server client-list <*> address $$")"; junos:must-message "Same ipv4 address can not be configured under multiple client lists"; type jt:ipv4prefix; description "IPv4 prefix of TWAMP client"; } uses apply-advanced; } // list address } // list client-list container light { presence "enable light"; description "Enable TWAMP server for light control on the default port"; uses apply-advanced; leaf-list port { type union { type uint16; type string { pattern "<.*>|$.*"; } } max-elements 1000; ordered-by user; description "UDP ports reflecting TWAMP light test packets"; } } // container light } // container server } // container twamp } // container rpm container inline-monitoring { presence "enable inline-monitoring"; description "Inline packet monitoring service"; uses apply-advanced; container traceoptions { description "Trace options for IMOND"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file } // container traceoptions list counter-profile { key "name"; max-elements 8; ordered-by user; description "Custom counter profiles for Inline packet monitoring"; leaf name { type string { length "1 .. 32"; } description "Name of counter-profile"; } uses apply-advanced; list counter { key "name"; max-elements 6; ordered-by user; description "Inline monitoring counter"; leaf name { type string { length "1 .. 32"; } description "Name of counter"; } uses apply-advanced; leaf max-value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Non-overlapping min/max range for counter-type, not exceeding packet construct"; } leaf min-value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Non-overlapping min/max range for counter-type, not exceeding packet construct"; } leaf counter-type { type enumeration { enum "packet-range" { value 0; description "Packet range 64-9000 bytes"; } enum "ttl-range" { value 1; description "TTL range 0-255"; } enum "tcp-window-range" { value 2; description "TCP window range 0-65535"; } enum "dos-attack" { value 3; description "DoS attack counter, min/max is not required"; } } description "Counter type"; } } // list counter } // list counter-profile list template { key "name"; max-elements 16; ordered-by user; description "Templates for Inline packet monitoring"; leaf name { type string { length "1 .. 
32"; } description "Name of template"; } uses apply-advanced; leaf template-refresh-rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "600"; description "Refresh rate in seconds"; } leaf option-template-refresh-rate { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "600"; description "Option refresh rate in seconds"; } leaf observation-domain-id { junos:must "(!(".. .. observation-cloud-id"))"; junos:must-message "observation-domain-id cannot be configured if observation-cloud-id is configured"; type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 255"; } } default "0"; description "Observation domain ID"; } leaf template-id { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Template ID"; } leaf option-template-id { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1024 .. 65535"; } } description "Option template ID"; } leaf flow-active-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 600"; } } default "60"; description "Interval after which active flow is exported in seconds"; } leaf flow-inactive-timeout { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "10 .. 
600"; } } default "60"; description "Period of inactivity that marks a flow inactive in seconds"; } leaf template-type { type enumeration { enum "ipv4-template" { value 0; description "IPv4 template configuration"; } enum "ipv6-template" { value 1; description "IPv6 template configuration"; } } default "ipv4-template"; description "Template IP version"; } container flow-monitoring { presence "enable flow-monitoring"; uses apply-advanced; leaf sampling-profile { type enumeration { enum "first-N-Packets" { value 0; description "Initial first 'N' packet samples are exported to collector"; } enum "deterministic" { value 1; description "Deterministically 'N'th packet is sampled"; } enum "random" { value 2; description "Random packets are sampled and exported"; } enum "combo-1" { value 3; description "Initial first 'N' packets followed by random packet sampling"; } enum "combo-2" { value 4; description "Initial first 'N' packets followed by deterministic sampling"; } } description "Supported sampling profiles"; } leaf packet-count { junos:must "((".. sampling-profile first-N-Packets " || (" .. sampling-profile combo-1" || " .. sampling-profile combo-2")))"; junos:must-message "'packet-count' should be configured with first-N-Packets/combo-1/combo-2 sampling profiles"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 1023"; } } default "10"; description "Packet count for first-N-Packets/combo-1/combo-2 sampling profiles"; } leaf sampling-rate { junos:must "(!(".. sampling-profile first-N-Packets "))"; junos:must-message "'sampling-rate' cannot be configured with first-N-Packets sampling profiles"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "10000"; description "Sampling rate"; } leaf security-enable { type empty; description "Enable DOS attack detection on monitored flows"; } leaf flow-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "8 .. 
10000000"; } } description "Flow meter rate in kbps"; } leaf burst-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "512 .. 256000000"; } } description "Burst size in bytes"; } leaf flow-limit { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 32000"; } } default "32000"; description "Maximum number of flows allowed"; } leaf counter-profile { type string { length "1 .. 32"; } description "Counter profiles per-flow-4-counters, per-flow-6-counters or custom profile"; } } // container flow-monitoring list primary-data-record-fields { key "name"; ordered-by user; description "Primary data record fields"; leaf name { type enumeration { enum "datalink-frame-size" { value 0; description "Datalink Frame Size"; } enum "direction" { value 1; description "Direction"; } enum "egress-interface-snmp-id" { value 2; description "Egress Interface SNMP ID"; } enum "ingress-interface-snmp-id" { value 3; description "Ingress Interface SNMP ID"; } enum "cpid-ingress-interface-index" { value 4; description "CPID Ingress Interface Index"; } enum "cpid-underlying-ingress-interface-index" { value 5; description "CPID Underlying Ingress Interface Index"; } enum "cpid-egress-interface-index" { value 6; description "CPID Egress Interface Index"; } enum "cpid-forwarding-nexthop-id" { value 7; description "CPID Forwarding Nexthop Id"; } enum "cpid-forwarding-exception-code" { value 8; description "CPID Forwarding Exception Code"; } enum "cpid-forwarding-class-drop-priority" { value 9; description "CPID Forwarding Class Drop Priority"; } } description "IPFIX Information Elements"; } } // list primary-data-record-fields } // list template list instance { key "name"; max-elements 16; ordered-by user; description "Inline monitoring instance"; leaf name { type string { length "1 .. 
32"; } description "Name of instance"; } uses apply-advanced; leaf template-name { junos:must "("services inline-monitoring template $$")"; junos:must-message "Referenced template must be defined under 'services inline-monitoring template'"; type string { length "1 .. 32"; } description "Template Name"; } leaf maximum-clip-length { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "64 .. 126"; } } description "Maximum packet length"; } list collector { key "name"; max-elements 1; ordered-by user; description "Inline monitoring collector"; leaf name { type string { length "1 .. 32"; } description "Name of collector"; } uses apply-advanced; leaf source-address { type jt:ipv4addr; description "Source address"; } leaf destination-address { type jt:ipv4addr; description "Destination address"; } leaf dscp { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 63"; } } default "0"; description "DSCP Value"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port value"; } leaf forwarding-class { type string { length "1 .. 64"; } description "Forwarding class for exported frames"; } leaf sampling-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16000000"; } } description "Sampling rate"; } leaf routing-instance { junos:must "("routing-instances $$ instance-type vrf")"; junos:must-message "routing instance should be defined and should be of type Virtual routing forwarding instance(VRF)"; type string; description "Name of routing instance"; } } // list collector } // list instance leaf observation-cloud-id { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 
255"; } } description "Observation cloud ID"; } } // container inline-monitoring container app-engine { description "App-engine"; uses apply-advanced; container security { presence "enable security"; description "Enable app-engine security"; } // container security container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage leaf default-compute-node-package { type string; description "Default JunosV App Engine package for appliance"; } list compute-cluster { key "name"; ordered-by user; description "Configure compute cluster"; leaf name { type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; container local-management { junos:must "(all ".. compute-node <*> interfaces")"; junos:must-message "Must specify compute-node management interface"; description "Management address connected to compute cluster"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. 
logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restricted to the specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage list compute-node { key "name"; max-elements 1; ordered-by user; description "Compute node name"; leaf name { type string { length "1 .. 
15"; } description "Compute node name"; } uses apply-advanced; container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage choice compute-node-identifier { leaf mac-address { junos:must "(".. interfaces")"; junos:must-message "Must specify management interface"; junos:must "(".. .. local-management")"; junos:must-message "Must specify compute cluster local-management"; junos:must "(unique "services app-engine compute-cluster <*> compute-node <*> mac-address $$")"; junos:must-message "MAC address must be unique across compute clusters"; type jt:mac-addr; description "MAC address of the network boot interface"; } case case_2 { } // case case_2 leaf hypervisor { junos:must "(!(".. interfaces"))"; junos:must-message ""; type empty; description "Compute node is hypervisor"; } } // choice compute-node-identifier leaf package { type string; description "JunosV App Engine package"; } container routing-options { description "Route configuration for compute node"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 
10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options container interfaces { description "Network interfaces configuration"; uses apply-advanced; list ethernet { key "name"; ordered-by user; description "Interface configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "This interface is already associated with a bridge"; junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^eth[0-9]{1,2}$"; junos:pattern-message "Must be of the form eth<0-99>"; length "1 .. 15"; } description "Interface name"; } uses apply-advanced; leaf management { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with fpc"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management interface must have an address or dhcp configured"; junos:must "(!(".. enable-passthrough"))"; junos:must-message "Management interface cannot be passthrough interface"; type empty; description "Use this as management interface"; } container family { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; description "Protocol family"; uses family; } // container family leaf enable-passthrough { junos:must "(!(".. 
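ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. mtu"))"; junos:must-message "Passthrough interface cannot have MTU"; junos:must "(!(".. family inet address"))"; junos:must-message "Passthrough interface cannot have an address"; type empty; description "Enable passthrough on this interface"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container ether-options { junos:must "((!(".. management") && (!(".. family") && !(".. enable-passthrough"))))"; junos:must-message "Ethernet interface can not exist separately if it is under a aggregated interface and vice versa"; uses apply-advanced; choice agg-intf { leaf ieee-802-3ad { junos:must "(!(".. .. mtu"))"; junos:must-message "Aggregate slave interface cannot have MTU"; junos:must "(!(".. .. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } } // choice agg-intf } // container ether-options } // list ethernet list bridge { key "name"; ordered-by user; description "Bridge configuration"; /* Bridge name: the leading character class is [A-Za-z]. The earlier [A-za-z] form contained the range A-z, which also admits '[', '\', ']', '^', '_' and '`' as a first character, contradicting the pattern-message ("should start with a letter"). The length statement caps the name at 15 characters. */ leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "Bridge name is already used in one of the bridge interface list"; junos:must "(!(".. .. aggregate $$"))"; junos:must-message "An aggregate interface is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; type string { junos:posix-pattern "^[A-Za-z][.0-9A-Za-z_]{1,15}$"; junos:pattern-message "Must be a string of 15 or fewer characters. The string should start with a letter and can contain letters, digits, underscores and periods"; length "1 .. 
15"; } description "Bridge name"; } uses apply-advanced; leaf management { junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with FPC compute node"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management bridge must have an address or dhcp configured"; type empty; description "Use this as management bridge"; } container family { description "Protocol family"; uses family; } // container family leaf-list interface { junos:must "((!(".. .. aggregate family inet address") && !(".. .. aggregate family inet dhcp")))"; junos:must-message "Interface associated to bridge can not have address"; type string { length "1 .. 15"; } max-elements 4; ordered-by user; description "Bridge interface list"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } } // list bridge list aggregate { key "name"; ordered-by user; description "Aggregate interface configuration"; leaf name { junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; junos:must "(any ".. .. ethernet <*> ether-options ieee-802-3ad $$")"; junos:must-message "Aggregated interface must have some slave interface"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } uses apply-advanced; leaf management { junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management aggregate must have an address or dhcp configured"; type empty; description "Use this as management aggregate"; } container family { description "Protocol family"; uses family; } // container family leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 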
9192"; } } description "Maximum transmit packet size"; } container aggregated-ether-options { presence "enable aggregated-ether-options"; description "Link aggregation parameters"; uses apply-advanced; leaf hash-policy { type enumeration { enum "layer-2" { value 0; description "Uses mac address of both source and destination for hashing"; } enum "layer-3-and-4" { value 1; description "Uses port number and IP address of both source and destination for hashing"; } enum "layer-2-and-3" { value 2; description "Uses mac and IP address of both source and destination for hashing"; } } default "layer-3-and-4"; } leaf miimon { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Link monitoring interval in milli-second"; } } // container aggregated-ether-options } // list aggregate } // container interfaces list syslog { key "name"; ordered-by user; description "System logging facility"; leaf name { type enumeration { enum "any" { value 0; description "All facilities"; } enum "authorization" { value 1; description "Authorization system"; } enum "privileged" { value 2; description "Privileged authorization events"; } enum "cron" { value 3; description "Cron daemon"; } enum "daemon" { value 4; description "Various system processes"; } enum "kernel" { value 5; description "Kernel"; } enum "syslog" { value 6; description "Syslog messages"; } enum "user" { value 7; description "User processes"; } enum "uucp" { value 8; description "UUCP system"; } enum "local0" { value 9; description "Local 0 messages"; } enum "local1" { value 10; description "Local 1 messages"; } enum "local2" { value 11; description "Local 2 messages"; } enum "local3" { value 12; description "Local 3 messages"; } enum "local4" { value 13; description "Local 4 messages"; } enum "local5" { value 14; description "Local 5 messages"; } enum "local6" { value 15; description "Local 6 messages"; } enum "local7" { value 16; description "Local 7 messages"; } } description "Facility type"; } 
choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf debug { type empty; description "Debug messages"; } } // choice level } // list syslog } // list compute-node } // list compute-cluster container virtual-machines { description "Virtual-machine management"; uses apply-advanced; list instance { key "name"; ordered-by user; description "Virtual-machine instance"; leaf name { type string { length "1 .. 39"; } description "Virtual-machine instance identifier"; } uses apply-advanced; leaf cpu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } default "1"; description "Units of CPUs (default 1 cpu)"; } leaf memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } units "gigabytes"; default "1"; description "Memory for the virtual-machine (default 1 gigabytes)"; } leaf management-interface { type string { junos:posix-pattern "em0|em1"; junos:pattern-message "valid interface is em0 or em1"; length "1 .. 31"; } description "Virtual-machine management interface name"; } leaf package { type string { length "1 .. 120"; } description "Virtual-machine package"; } container local-management { description "Management address connected to virtual machine"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. 
logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restricted to the specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management list compute-cluster { key "name"; max-elements 1; ordered-by user; description "Compute cluster on which the virtual-machine runs"; leaf name { junos:must "("services app-engine compute-cluster $$")"; junos:must-message "Referenced compute cluster must be defined"; type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; leaf compute-node { junos:must "((("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc" && ".. .. local-management") || !("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc")))"; junos:must-message "Must specify local-management for virtual machine on FPC compute node"; junos:must "("services app-engine compute-cluster ${compute-cluster} compute-node $$")"; junos:must-message "Referenced compute node must be defined"; type string { length "1 .. 
15"; } description "Compute node on which the virtual-machine runs"; } } // list compute-cluster list interface { key "name"; ordered-by user; description "Virtual-machine interface configuration"; leaf name { type string { length "1 .. 31"; } description "Virtual-machine interface name"; } uses apply-advanced; leaf hw-model { type enumeration { enum "e1000g" { value 0; description "Gigabit Ethernet e1000g driver"; } enum "virtio" { value 1; description "Para-virtualizing the interface"; } } default "e1000g"; description "Interface hardware model"; } leaf host-interface { type string { length "1 .. 15"; } description "Passthrough host interface for virtual-machine"; } leaf bridge { junos:must "(!(".. mtu"))"; junos:must-message "Bridged VM interface inherits MTU from the bridge"; junos:must "(!(".. host-interface"))"; junos:must-message "bridge cannot be defined together with passthrough/host-interface"; type string { length "1 .. 15"; } description "Bridge that the interface is connected to"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container family { description "Interface address family"; container inet { presence "enable inet"; description "IPv4 parameters"; uses apply-advanced; list address { key "name"; ordered-by user; description "Interface address/destination prefix"; leaf name { type jt:ipv4prefix; description "Interface address/destination prefix"; } uses apply-advanced; leaf primary { type empty; description "Primary address on the interface"; } } // list address } // container inet } // container family } // list interface container routing-options { description "Route configuration for virtual machine"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. 
rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options list secondary-disk { key "name"; ordered-by user; description "Virtual-machine disk"; leaf name { type enumeration { enum "hdb" { value 0; description "Disk name is hdb"; } enum "hdc" { value 1; description "Disk name is hdc"; } enum "hdd" { value 2; description "Disk name is hdd"; } } description "Virtual-machine disk name"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
160"; } } units "gigabytes"; description "Virtual-machine secondary disk size"; } } // list secondary-disk } // list instance } // container virtual-machines } // container app-engine container captive-portal { description "Captive Portal options"; uses juniper-services-captive-portal; } // container captive-portal container application-identification { presence "enable application-identification"; description "Application identification configuration"; uses apply-advanced; leaf enable-heuristics { type empty; status deprecated; description "Enable heuristic application identification"; } container enable-performance-mode { presence "enable enable-performance-mode"; status deprecated; description "Enable performance mode knobs for best DPI performance"; uses apply-advanced; leaf max-packet-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "2"; status deprecated; description "Max packet inspection threshold including both c2s and s2c direction packets. Default value is 2 if not configured"; } } // container enable-performance-mode leaf imap-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 86400"; } } description "IMAP cache entry timeout in seconds"; } leaf imap-cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 
512000"; } } description "IMAP cache size; takes effect only after the next appid sigpack install"; } container download { uses apply-advanced; leaf url { type string { junos:posix-pattern "^((file)|(http)|(https)):"; junos:pattern-message "URL starts with http, https or file"; } description "URL for application package download"; } leaf ignore-server-validation { type empty; description "Disable server authentication for Application Signature download"; } container automatic { description "Scheduled download and update"; uses apply-advanced; leaf start-time { type string { junos:posix-pattern "^((([0-9][0-9][0-9][0-9])[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])[:]([0-5][0-9]))|((0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])[.]([0-1][0-9]|[2][0-3])[:]([0-5][0-9])))$"; junos:pattern-message "Invalid date; format is either MM-DD.hh:mm or YYYY-MM-DD.hh:mm:ss"; } description "Start time (MM-DD.hh:mm / YYYY-MM-DD.hh:mm:ss)"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "6 .. 720"; } } units "hours"; default "24"; description "Interval, in hours, between attempts to download a new application package"; } } // container automatic leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "proxy profile must be defined"; type string { length "1 .. 128"; } description "Configure web proxy for Application signature download"; } } // container download container statistics { description "Configure application statistics information"; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
1440"; } } units "minutes"; default "1"; description "Application statistics collection interval"; } } // container statistics container nested-application-settings { presence "enable nested-application-settings"; status deprecated; description "Nested application settings"; uses apply-advanced; leaf no-nested-application { type empty; description "Disable nested application identification"; } leaf no-application-system-cache { type empty; description "Do not save nested AI matches in the application system cache"; } } // container nested-application-settings leaf no-application-identification { type empty; status deprecated; description "Disable all application identification methods"; } leaf no-application-system-cache { type empty; description "Disable storing AI result in application system cache"; } leaf no-application-statistics { type empty; description "Disable application statistics"; } leaf max-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 500000"; } } status deprecated; description "Max sessions that can run AI at the same time"; } leaf application-system-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1000000"; } } description "Application system cache entry lifetime"; } container application-system-cache { presence "enable application-system-cache"; description "Enable or Disable application system cache"; uses apply-advanced; leaf security-services { type empty; description "Enable ASC for security services (appfw, appqos, idp, skyatp..)"; } leaf no-miscellaneous-services { type empty; description "Disable ASC for miscellaneous services APBR,..."; } } // container application-system-cache leaf micro-apps { type empty; description "Enable Micro Apps identification"; } leaf max-transactions { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
25"; } } description "Number of transaction finals to terminate application classification"; } leaf custom-application-byte-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000"; } } description "Max bytes to be scanned for identification of custom application"; } leaf max-memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 200000"; } } description "Maximum amount of object cache memory JDPI can use (in MB)"; } leaf max-checked-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 100000"; } } status deprecated; description "Inspect the maximal number of bytes"; } list application { junos:must "((any ". <*> icmp-mapping" || (any ". <*> ip-protocol-mapping" || (any ". <*> address-mapping" || (any ". <*> over" || any ". <*> signature")))))"; junos:must-message "All applications must have either icmp-mapping or ip-protocol-mapping or address-mapping or over or signature object "; key "name"; description "Configure application definition"; leaf name { type string { length "1 .. 63"; } description "A unique application identifier"; } uses apply-advanced; leaf index { junos:must "(unique "services application-identification application <*> index $$")"; junos:must-message "Application index has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } leaf disable { type empty; status deprecated; description "Disable this application definition in AI"; } leaf cacheable { type empty; description "Cacheable"; } leaf risk { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
5"; } } description "Risk/Hotness of application"; } leaf description { type string { junos:posix-pattern "^.{1,255}$"; junos:pattern-message "Must be a string of 255 characters or less"; } description "Text description of application"; } leaf priority { type enumeration { enum "high" { value 0; description "Highest priority over all other signatures"; } enum "low" { value 1; description "Lowest priority over all other signatures"; } } default "low"; description "Application matching priority"; } leaf order { junos:must "(unique "services application-identification application <*> order $$")"; junos:must-message "Application order has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 50000"; } } description "The order value, lower the value higher the priority"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } status deprecated; description "Maximum number of transactions matched by AI"; } container icmp-mapping { description "Match ICMP message"; uses apply-advanced; leaf type { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric type value"; } leaf code { junos:must "(".. type")"; junos:must-message "ICMP type must be configured"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 254"; } } description "Numeric code value"; } } // container icmp-mapping container ip-protocol-mapping { description "Match IP protocol"; uses apply-advanced; leaf protocol { junos:must "(unique "services application-identification application <*> ip-protocol-mapping protocol $$")"; junos:must-message "Protocol has to be unique among all applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
254"; } } description "Numeric protocol value"; } } // container ip-protocol-mapping list address-mapping { key "name"; ordered-by user; description "Match IP address"; leaf name { type string { length "1 .. 63"; } description "Address name"; } uses apply-advanced; container filter { description "Match IP/port"; uses apply-advanced; leaf ip { type jt:ipprefix; description "IP address and prefix-length"; } container port-range { description "Port ranges"; uses apply-advanced; leaf-list tcp { type string; max-elements 20; ordered-by user; description "TCP port range"; } leaf-list udp { type string; max-elements 20; ordered-by user; description "UDP port range"; } } // container port-range } // container filter } // list address-mapping list over { key "name"; max-elements 8; description "Set of L4/L7 application that carries given application"; leaf name { type string { length "1 .. 63"; } description "A unique application and protocol identifier"; } uses apply-advanced; list signature { key "name"; description "Application signature for pattern matching"; leaf name { type string { length "1 .. 63"; } description "A unique application signature identifier"; } uses apply-advanced; leaf-list port-range { type string; max-elements 64; ordered-by user; description "Port range"; } list member { key "name"; description "Application signature member"; leaf name { type string { junos:posix-pattern "^m(0[1-9]|1[0-5])"; junos:pattern-message "Must be m01 - m15"; length "1 .. 63"; } description "Application signature member identifier in range m01 - m15"; } uses apply-advanced; leaf depth { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
8000"; } } description "Maximum number of bytes to check for context match"; } leaf context { type string; description "Context to be matched on"; } leaf pattern { type string { junos:posix-pattern "^.{1,127}$"; junos:pattern-message "Must be a string of 127 characters or less"; } description "DFA pattern matched on context"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the packets to apply pattern matching"; } } // list member } // list signature } // list over } // list application list nested-application { key "name"; status deprecated; description "Configure nested application definition"; leaf name { type string { length "1 .. 63"; } description "A unique application identifier"; } uses apply-advanced; leaf type { junos:must "(unique "services application-identification nested-application <*> type $$")"; junos:must-message "Nested application type has to be unique among all nested applications"; type string { length "1 .. 63"; } description "Well-known application such as FACEBOOK and KAZZA"; } leaf index { junos:must "(!(any "services application-identification application <*> index $$"))"; junos:must-message "Nested application index has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> index $$")"; junos:must-message "Nested application index has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65534"; } } status deprecated; description "Custom index (32768..65534). Application index"; } leaf protocol { type string { length "1 .. 
63"; } description "Name of layer 7 application that carries nested application"; } list signature { key "name"; description "Nested application signature for pattern matching"; leaf name { junos:must "(unique "services application-identification nested-application <*> signature $$")"; junos:must-message "Nested application signature name has to be unique among all nested applications"; type string { length "1 .. 63"; } description "A unique nested application signature identifier"; } uses apply-advanced; list member { key "name"; description "Pattern matched on client-to-server packets"; leaf name { type string { junos:posix-pattern "^m(0[1-9]|1[0-6])"; junos:pattern-message "Must be m01 - m16"; length "1 .. 63"; } description "A unique nested application signature member identifier"; } uses apply-advanced; leaf context { type string; description "Context to be matched on"; } leaf pattern { type string; description "Pattern matched on context"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to server"; } enum "server-to-client" { value 1; description "Server to client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the packets to apply pattern matching"; } leaf check-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
5000"; } } default "1000"; description "Maximum number of bytes to check for stream context "; } } // list member leaf chain-order { type empty; description "The order of members is used to match the pattern"; } leaf maximum-transactions { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Maximum number of transactions matched by AI"; } leaf order { junos:must "(!(any "services application-identification application <*> signature order $$"))"; junos:must-message "Nested application order has to be unique among all applications and nested applications"; junos:must "(unique "services application-identification nested-application <*> signature <*> order $$")"; junos:must-message "Nested application order has to be unique among all nested applications"; type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } status deprecated; description "Application matching priority"; } container insert-before { description "Insert before another signature"; uses apply-advanced; leaf insert-before-name { type string; description "An application name"; } } // container insert-before } // list signature } // list nested-application list application-group { key "name"; description "Define application group"; leaf name { type string { length "1 .. 63"; } description "A unique application group identifier"; } uses apply-advanced; list tag-group { key "name"; description "Configure application tag group that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "A unique tag group identifier"; } uses apply-advanced; leaf-list application-tags { type string; max-elements 128; ordered-by user; description "Name of application tag to configure"; } } // list tag-group list application-groups { key "name"; description "Configure child application group(s)"; leaf name { type string { length "1 .. 
63"; } description "Name of the child application group"; } uses apply-advanced; } // list application-groups list applications { key "name"; description "Configure applications that belong to this application group"; leaf name { type string { length "1 .. 63"; } description "Configure application name"; } uses apply-advanced; } // list applications leaf disable { type empty; status deprecated; description "Disable this application group definition in AI"; } } // list application-group container traceoptions { description "Trace options for application identification"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } } description "Flag name to include in trace output"; } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } } // container traceoptions container inspection-limit { description "Bytes and packets limit for AppID inspection."; uses apply-advanced; container tcp { presence "enable tcp"; description "TCP byte/packet inspection limit."; uses apply-advanced; leaf byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "6000"; description "TCP byte inspection limit. 
(Default 6000)"; } leaf packet-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "TCP packet inspection limit."; } } // container tcp container udp { presence "enable udp"; description "UDP byte/packet inspection limit."; uses apply-advanced; leaf byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "UDP byte inspection limit."; } leaf packet-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10"; description "UDP packet inspection limit. (Default 10)"; } } // container udp } // container inspection-limit leaf global-offload-byte-limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Global byte limit to offload AppID inspection. (Default 10000)"; } container packet-capture { description "To capture the unknown application traffic"; uses apply-advanced; leaf global { type empty; description "Enable global capturing of application traffic"; } leaf aggressive-mode { type empty; description "This mode captures all traffic prior to AppID classification"; } leaf max-packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } description "Maximum number of UDP packets per session"; } leaf max-bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "40 .. 1073741824"; } } units "bytes"; description "Maximum number of TCP bytes per session"; } leaf max-files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
2500"; } } description "Maximum number of unique pcap files"; } leaf no-inconclusive { type empty; description "Disable capturing of inconclusive traffic"; } leaf storage-limit { type string; units "bytes"; description "Maximum disk space"; } leaf buffer-packets-limit { type union { type uint64; type string { pattern "<.*>|$.*"; } } units "bytes"; description "Maximum memory to buffer packets"; } leaf capture-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 525600"; } } description "Timeout to avoid repetitive capture of same traffic (minutes)"; } leaf capture-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } description "Number of repetitive captures of same traffic"; } leaf ssl-unknown { type empty; description "This mode captures all SSL unknown traffic"; } } // container packet-capture leaf l3l4-app-reclassification { type empty; description "Enable l3l4 custom app to be reclassified by jdpi ignoring results from other plugins"; } } // container application-identification list service-set { key "name"; ordered-by user; description "Define a service set"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Service set name"; } uses apply-advanced; container syslog { description "Define system logging parameters"; uses log-object; } // container syslog leaf max-flows { type string; description "Maximum number of flows allowed for a service set"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 
63"; } } description "Service Set to Hosted service Map"; } leaf max-session-setup-rate { type string; description "Maximum number of session creations allowed per second"; } container max-drop-flows { description "Maximum number of drop flows allowed for a service-set"; uses apply-advanced; leaf ingress { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 8500000"; } } description "Maximum number of ingress drop flows allowed"; } leaf egress { type union { type string { pattern "<.*>|$.*"; } type int32 { range "0 .. 8500000"; } } description "Maximum number of egress drop flows allowed"; } } // container max-drop-flows container snmp-trap-thresholds { presence "enable snmp-trap-thresholds"; description "Define snmp traps for service sets"; uses apply-advanced; container flow { junos:must "(".. .. max-flows")"; junos:must-message "Max flow must be set for configuring flow threshold"; presence "enable flow"; description "Flow Threshold range for a service set"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of flow threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of flow threshold"; } } // container flow container nat-address-port { presence "enable nat-address-port"; description "Nat Address and port usage trap threshold range"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of trap threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of trap threshold"; } } // container nat-address-port container session { junos:must "(".. .. 
service-set-options session-limit")"; junos:must-message "Maximum session limit must be set for configuring session threshold"; presence "enable session"; description "Session threshold range for a service set"; leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Lower limit of flow threshold"; } leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 100"; } } units "percent"; description "Upper limit of flow threshold"; } } // container session } // container snmp-trap-thresholds leaf tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "536 .. 65535"; } } description "Enable the limit on TCP Max. Seg. Size in SYN packets"; } container cos-options { presence "enable cos-options"; description "Options for COS service"; uses apply-advanced; leaf match-rules-on-reverse-flow { type empty; description "If forward rules match fails, do it on reverse flow"; } } // container cos-options container softwire-options { presence "enable softwire-options"; description "Options for softwire"; uses apply-advanced; leaf dslite-ipv6-prefix-length { type enumeration { enum "56" { value 0; description "The ipv6 prefix length of 56"; } enum "64" { value 1; description "The ipv6 prefix length of 64"; } enum "96" { value 2; description "The ipv6 prefix length of 96"; } enum "128" { value 3; description "The ipv6 prefix length of 128"; } } default "128"; description "The ipv6 prefix length for subscriber addresses"; } } // container softwire-options container nat-options { description "Options for NAT"; uses apply-advanced; container stateful-nat64 { description "Options for stateful NAT64"; uses apply-advanced; leaf no-v6-frag-header { type empty; description "No fragmentation header in IPv6 header during IPv4 to IPv6 translation"; } leaf clear-dont-fragment-bit { type empty; description "Clear DF bit in IPv4 header if IPv6 packet size is less than 1280 
bytes"; } leaf ipv6-mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1280 .. 9192"; } } description "Path MTU of IPv6 network"; } leaf disable-h323-ras { type empty; description "Disable H323 and RAS ALG for NAT64"; } } // container stateful-nat64 container nptv6 { description "Options for NPTv6"; uses apply-advanced; leaf icmpv6-error-messages { type empty; description "Send ICMP Error messages if NPTv6 address translation fails"; } } // container nptv6 leaf land-attack-check { type enumeration { enum "ip-only" { value 0; description "Land attack check is on IP address only"; } enum "ip-port" { value 1; description "Land attack check is on both IP and port"; } } description "Enable land attack checks"; } leaf max-sessions-per-subscriber { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 32000"; } } description "Limit the number of sessions per subscriber"; } leaf snmp-value-match-msmic { type empty; description "Match the MSMIC specific snmp values for the msdpc"; } } // container nat-options container service-set-options { presence "enable service-set-options"; description "Options for service set"; uses apply-advanced; leaf tcp-non-syn { type enumeration { enum "drop-flow" { value 0; description "Drop tcp non SYN first packet"; } enum "drop-flow-send-rst" { value 1; description "Enable sending TCP RST on receiving first non SYN pkt"; } } description "Deny session creation on receiving first non SYN pkt"; } leaf tcp-fast-open { type enumeration { enum "disabled" { value 0; description "TFO option will be stripped and packet will be forwarded"; } enum "drop" { value 1; description "TFO enabled packets will be dropped"; } } description "Tcp-fast-Open enabled packets will be handled accordingly"; } leaf bypass-traffic-on-pic-failure { type empty; description "Bypass traffic on service PIC failure"; } leaf bypass-traffic-on-exceeding-flow-limits { type empty; description "Bypass traffic when exceeding the max flow 
limit"; } leaf enable-asymmetric-traffic-processing { type empty; description "Enable service-processing for asymmetric traffic"; } leaf subscriber-awareness { type empty; description "Enable subscriber awareness on the service chain"; } leaf static-subscriber-application { type empty; description "Enable static subscriber on the service set"; } container header-integrity-check { description "Enable/Disable header integrity checks"; uses apply-advanced; leaf enable-all { type empty; description "Enable all header integrity checks"; } } // container header-integrity-check leaf enable-descriptive-session-syslog { type empty; description "This knob enables descriptive session syslogs for OPEN and CLOSE"; } leaf enable-change-on-ams-redistribution { type empty; status deprecated; description "Allow NAT pool change on AMS redistribution"; } leaf routing-engine-services { type empty; description "Enable service-processing at RE"; } leaf inactivity-non-tcp-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Inactivity timeout period for non-TCP established sessions"; } leaf session-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Session timeout period for established sessions"; } container session-limit { presence "enable session-limit"; description "Session limit"; uses apply-advanced; leaf maximum { type string; description "Maximum number of sessions allowed simultaneously"; } } // container session-limit leaf max-sessions-per-subscriber { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 32000"; } } description "Limit the number of sessions per subscriber"; } container tcp-session { presence "enable tcp-session"; description "Transmission Control Protocol session configuration"; uses apply-advanced; leaf tcp-mss { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "536 .. 
65535"; } } description "Enable the limit on TCP Max. Seg. Size in SYN packets"; } leaf tcp-tickles { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 30"; } } default "4"; description "Number of TCP keep-alive packets to be sent for bi-directional TCP flows"; } leaf open-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 300"; } } units "seconds"; description "Timeout period for TCP session establishment"; } leaf inactivity-tcp-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Inactivity timeout period for TCP established sessions"; } leaf inactivity-asymm-tcp-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "4 .. 86400"; } } units "seconds"; description "Inactivity timeout period for asymmetric TCP established sessions"; } container ignore-errors { presence "enable ignore-errors"; description "Ignore anomalies or errors"; leaf tcp { type empty; description "TCP protocol errors"; } } // container ignore-errors leaf close-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
300"; } } units "seconds"; description "Timeout period for TCP session tear-down"; } leaf tcp-non-syn { type enumeration { enum "drop-flow" { value 0; description "Drop tcp non SYN first packet"; } enum "drop-flow-send-rst" { value 1; description "Enable sending TCP RST on receiving first non SYN pkt"; } } description "Deny session creation on receiving first non SYN pkt"; } leaf tcp-fast-open { type enumeration { enum "disabled" { value 0; description "TFO option will be stripped and packet will be forwarded"; } enum "drop" { value 1; description "TFO enabled packets will be dropped"; } } description "Tcp-fast-Open enabled packets will be handled accordingly"; } } // container tcp-session leaf enforce-global-timeout { type empty; description "Enforce global inactivity or session timeout"; } leaf unidirectional-session-refreshing { type enumeration { enum "input" { value 0; description "Enable unidirectional session refreshing on input"; } enum "output" { value 1; description "Enable unidirectional session refreshing on output"; } } description "Enable unidirectional session refreshing on this service-set"; } } // container service-set-options container replicate-services { description "Define services that will be replicated to peer."; uses apply-advanced; leaf replication-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } default "180"; description "Duration in seconds for which flow should remain active for replication. (Min 180s)"; } leaf disable-replication-capability { type empty; description "Disable replication capability for this service-set"; } } // container replicate-services container allow-multicast { junos:must "(".. 
next-hop-service")"; junos:must-message "Service-set must be nexthop style to use allow-multicast"; presence "enable allow-multicast"; description "Allow multicast packets"; uses apply-advanced; } // container allow-multicast choice softwire_choice { list softwire-rules { key "name"; ordered-by user; description "List of softwire rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwire-rules list softwire-rule-sets { key "name"; ordered-by user; description "List of softwire rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwire-rule-sets } // choice softwire_choice list softwires-rule-set { key "name"; ordered-by user; description "List of softwire rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list softwires-rule-set choice stateful_firewall_rules_choice { list stateful-firewall-rules { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. 
ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; key "name"; ordered-by user; description "List of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list stateful-firewall-rules list stateful-firewall-rule-sets { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; key "name"; ordered-by user; description "List of stateful firewall rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list stateful-firewall-rule-sets } // choice stateful_firewall_rules_choice choice ids-option-choice { list ids-option { key "name"; ordered-by user; description "List of ids-options"; leaf name { junos:must "(".. .. .. screen ids-option $$")"; junos:must-message "ids-option must be configured under screens"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 31"; } } uses apply-advanced; } // list ids-option } // choice ids-option-choice choice pcp_rules_choice { list pcp-rules { junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list pcp-rules list pcp-rule-sets { junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of PCP rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list pcp-rule-sets } // choice pcp_rules_choice leaf appid-profile { junos:must "("services application-identification profile $$")"; junos:must-message "referenced appid profile must be defined"; type string { length "1 .. 63"; } description "Define AppID profile"; } choice nat_rules_choice { list nat-rules { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of NAT rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list nat-rules list nat-rule-sets { junos:must "((!(".. ipsec-vpn-rules") && (!(".. 
ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of NAT rule sets"; leaf name { junos:must "(("services nat source rule-set $$" || ("services nat rule-set $$" || ("services nat destination rule-set $$" || "services nat static rule-set $$"))))"; junos:must-message "rule-set must be defined under 'services nat'"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } } uses apply-advanced; } // list nat-rule-sets } // choice nat_rules_choice choice ip_reassembly_rules_choice { list ip-reassembly-rules { key "name"; ordered-by user; description "List of ip-reassembly rules"; leaf name { junos:must "("services ip-reassembly rule $$")"; junos:must-message "referenced ip-reassembly rule must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ip-reassembly-rules } // choice ip_reassembly_rules_choice choice ids_rules_choice { list ids-rules { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. 
extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of IDS rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ids-rules list ids-rule-sets { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "List of IDS rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ids-rule-sets } // choice ids_rules_choice choice cos_rules_choice { list cos-rules { junos:must "((!(".. ipsec-vpn-rules") && (!(".. ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more CoS rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; } // list cos-rules list cos-rule-sets { junos:must "((!(".. ipsec-vpn-rules") && (!(".. 
ipsec-vpn-rule-sets") && !(".. ipsec-vpn-options"))))"; junos:must-message "incompatible with IPSec service"; junos:must "(!(".. ipsec-group-vpn"))"; junos:must-message "incompatible with GVPN service"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; key "name"; ordered-by user; description "One or more CoS rule sets"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of rule set"; } uses apply-advanced; } // list cos-rule-sets } // choice cos_rules_choice choice aacl_rules_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice aacl_rules_choice choice pgcp_rules_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice pgcp_rules_choice container jflow-rules { junos:must "(".. sampling-service")"; junos:must-message "sampling-service must be configured"; junos:must "(!(".. extension-service"))"; junos:must-message "incompatible with extension service"; presence "enable jflow-rules"; description "One or more jflow rules"; uses apply-advanced; container sampling { junos:must "((any "forwarding-options sampling instance <*>" || "forwarding-options sampling family"))"; junos:must-message "forwarding-options sampling must be configured"; presence "enable sampling"; uses apply-advanced; leaf instance { junos:must "("forwarding-options sampling instance $$")"; junos:must-message "Referenced sampling instance does not exist"; type string { length "1 .. 64"; } description "Name of the instance"; } } // container sampling } // container jflow-rules leaf pcef-profile { junos:must "("services pcef profile $$")"; junos:must-message "referenced pcef profile must be defined"; type string { length "1 .. 
63"; } description "Define PCEF profile"; } leaf lrf-profile { junos:must "("services lrf profile $$")"; junos:must-message "Specified LRF profile must be configured under services lrf profile"; type string { length "1 .. 63"; } description "Define logging and reporting profile"; } leaf hcm-profile { junos:must "("services hcm profile $$")"; junos:must-message "referenced hcm profile must be defined"; type string { length "1 .. 63"; } description "Define HCM profile"; } leaf web-filter-profile { junos:must "("services web-filter profile $$")"; junos:must-message "Specified web filter profile must be configured under services web-filter"; type string { length "1 .. 63"; } description "Define WEB filtering profile"; } choice hcm_url_rules_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice hcm_url_rules_choice choice hcm-tag-rules-choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice hcm-tag-rules-choice choice idppolicy-choice { leaf idp-profile { junos:must "("security idp idp-policy $$")"; junos:must-message "referenced IDP policy must be defined"; type string { length "1 .. 
63"; } description "IDP policy to use"; } } // choice idppolicy-choice choice lpdf-stats-choice { case case_1 { } // case case_1 } // choice lpdf-stats-choice choice service_type_choice { container interface-service { description "Define parameters for interface-specific service sets"; uses apply-advanced; leaf service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Services interface to use"; } } // container interface-service container sampling-service { description "Define parameters for sampling service sets"; uses apply-advanced; leaf service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Services interface to use"; } } // container sampling-service container next-hop-service { description "Define parameters for next-hop service sets"; uses apply-advanced; leaf inside-service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Service interface to inside network"; } leaf outside-service-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Service interface name"; } leaf outside-service-interface-type { type enumeration { enum "local" { value 0; description "Must be local for reassembly service"; } } description "Service interface type local for reassembly service"; } leaf service-interface-pool { junos:must "(!((".. .. cos-rule-sets" || (".. .. cos-rules" || (".. .. ids-rule-sets" || (".. .. ids-rules" || (".. .. ipsec-vpn-rule-sets" || (".. .. ipsec-vpn-rules" || (".. .. nat-rule-sets" || (".. .. nat-rules" || (".. .. stateful-firewall-rule-sets" || (".. .. stateful-firewall-rules" || (".. .. softwire-rule-sets" || ".. .. 
softwire-rules")))))))))))))"; junos:must-message "Can not define any other rules than pgcp when service-interface-pool is defined"; junos:must "("services service-interface-pools pool $$")"; junos:must-message "referenced service interface pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service interface pool name"; } } // container next-hop-service } // choice service_type_choice list extension-service { key "name"; max-elements 2; ordered-by user; description "Define the customer specific extensions"; leaf name { type string { length "1 .. 63"; } description "Customer-prefixed service name"; } uses apply-advanced; } // list extension-service container service-order { presence "enable service-order"; description "Define of order of services to be applied"; uses apply-advanced; leaf-list forward-flow { type string; ordered-by user; description "Service Order for forward flow"; } leaf-list reverse-flow { type string; ordered-by user; description "Service Order for reverse flow"; } } // container service-order container jflow-log { description "Define Jflow-logging parameters."; uses apply-advanced; leaf template-profile { junos:must "((!(".. .. softwire-rules") && !(".. .. softwire-rule-sets")))"; junos:must-message "Template-profile cannot be configured with softwire-rules or softwire-rule-sets configured"; junos:must "("services jflow-log template-profile $$")"; junos:must-message "The referenced template-profile is not defined"; type string { length "1 .. 
63"; } description "Allow jflow messages for applications"; } } // container jflow-log container flow { description "Define flow parameters"; uses apply-advanced; container traceoptions { description "Trace options for flow services"; } // container traceoptions } // container flow container ipsec-vpn-options { description "Define IPSec VPN options"; uses service_set_ipsec_vpn_options_object; } // container ipsec-vpn-options choice ipsec_vpn_rules_choice { list ipsec-vpn-rules { junos:must "(".. ipsec-vpn-options local-gateway")"; junos:must-message "Local gateway must be configured with IPSec rules"; key "name"; ordered-by user; description "List of IPSec VPN rules"; leaf name { junos:must "("services ipsec-vpn rule $$")"; junos:must-message "Referenced IPSec VPN rule must be defined under [edit services ipsec-vpn rule]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } uses apply-advanced; } // list ipsec-vpn-rules list ipsec-vpn-rule-sets { junos:must "(".. ipsec-vpn-options local-gateway")"; junos:must-message "Local gateway must be configured with IPSec rule sets"; key "name"; ordered-by user; description "List of IPSec VPN rule sets"; leaf name { junos:must "("services ipsec-vpn rule-set $$")"; junos:must-message "Referenced IPSec VPN rule-set must be defined under [edit services ipsec-vpn rule-set]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } } uses apply-advanced; } // list ipsec-vpn-rule-sets } // choice ipsec_vpn_rules_choice
// ipsec-group-vpn: designates this service-set to a Group VPN member. The 'unique' must keeps a Group VPN
// object referenced by at most one service set; the remaining must statements reject ipsec-vpn-rules,
// ipsec-vpn-rule-sets and ipsec-vpn-options alongside it, require an interface-service style service-set,
// and require the referenced [security group-vpn member ipsec vpn] object to exist.
leaf ipsec-group-vpn { junos:must "(unique "services service-set <*> ipsec-group-vpn $$")"; junos:must-message "A Group VPN object can be referenced only in one service set"; junos:must "(!(".. ipsec-vpn-rules"))"; junos:must-message "IPSec VPN rules not supported for Group VPN"; junos:must "(!(".. ipsec-vpn-rule-sets"))"; junos:must-message "IPSec VPN rule sets not supported for Group VPN"; junos:must "(!(".. ipsec-vpn-options"))"; junos:must-message "IPSec VPN options not supported for Group VPN"; junos:must "(".. interface-service")"; junos:must-message "Group VPN supported on interface style service-set"; junos:must "("security group-vpn member ipsec vpn $$")"; junos:must-message "referenced group-vpn must be defined"; type string; description "Designate service-set to a Group VPN"; } } // list service-set
// ipsec-vpn: IPsec VPN service — rules, rule-sets (max 16960, each holding up to 16960 rule references),
// ipsec/ike parameters (from the services-ipsec / services-ike groupings), key-management tracing and
// tunnel-establishment policy.
// NOTE(review): rule-set names are validated with the POSIX class [[:alnum:]] while rule names inside a
// rule-set use the explicit ASCII class [A-Za-z0-9]; in a non-C locale these can accept different
// characters — confirm the two patterns are meant to differ.
container ipsec-vpn { description "Configure IPSec VPN service"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Define an IPSec rule"; uses ipsec_vpn_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of IPSec rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services ipsec-vpn rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set container ipsec { description "IPSec configuration"; uses services-ipsec; } // container ipsec container ike { description "IKE configuration"; uses services-ike; } // container ike
// traceoptions: tracing for the IPsec key-management process; the must statement refuses it while
// [edit security traceoptions] is also configured. The file/flag options come from the
// ipsec-services-traceoptions grouping, defined elsewhere in the module.
container traceoptions { junos:must "(!("security traceoptions"))"; junos:must-message "The traceoptions must not be configured under [edit services ipsec-vpn] and [edit security] simultaneously"; description "Trace options for IPSec key management process"; uses ipsec-services-traceoptions; } // container traceoptions leaf no-ipsec-tunnel-in-traceroute { type empty; description "Do not display IPSec tunnel endpoint in traceroute output"; }
// establish-tunnels defaults to "on-traffic". "responder-only" presumably leaves tunnel initiation to the
// peer — the description only says tunnels are not established; confirm against daemon behaviour.
leaf establish-tunnels { type enumeration { enum "immediately" { value 0; description "Establish tunnels immediately"; } enum "on-traffic" { value 1; description "Establish tunnels on traffic"; } enum "responder-only" { value 2; description "Don't establish tunnels on responder only"; } } default "on-traffic"; description "Define the criteria to establish tunnels"; } leaf clear-ike-sas-on-pic-restart { type empty; description "Clear IKE SAs when the corresponding PIC restarts"; } leaf clear-ipsec-sas-on-pic-restart { type empty; description "Clear IPSec SAs when the corresponding PIC restarts"; }
// disable-natt: per the description, NAT traversal is otherwise applied whenever NAT is detected.
leaf disable-natt { type empty; description "Disable NAT traversal even if NAT is detected"; } } // container ipsec-vpn container ssl { description "Configuration for Secure 
Socket Layer support service"; uses apply-advanced; container traceoptions { description "Trace options for Secure Socket Layer support service"; uses ssl-traceoptions; } // container traceoptions container termination { description "Configuration for Secure Socket Layer termination support service"; uses ssl-termination-config; } // container termination container initiation { description "Configuration for Secure Socket Layer initiation support service"; uses ssl-initiation-config; } // container initiation container proxy { description "Configuration for Secure Socket Layer proxy support service"; uses ssl-proxy-config; } // container proxy } // container ssl container stateful-firewall { description "Configure stateful firewall services"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Define a stateful firewall rule"; uses sfw_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Define a set of stateful firewall rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services stateful-firewall rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes, underscores, forward slashes, colons and dots."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // container stateful-firewall container nat { description "Configure Network Address Translation"; uses nat-object; } // container nat container pcp { description "Configure Port Control Protocol"; uses pcp-object; } // container pcp container rtlog { presence "enable rtlog"; description "Secure log daemon options"; uses apply-advanced; container traceoptions { description "Security log daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "List of things to include in trace"; leaf name { type enumeration { enum "source" { value 0; description "Communication with security log forwarder"; } enum "configuration" { value 1; description "Reading of configuration"; } enum "all" { value 2; description "Everything"; } enum "report" { value 3; description "Trace report"; } enum "hpl" { value 4; description "Trace HPL logging"; } } } } // list flag } // container traceoptions } // container rtlog container service-interface-pools { description "Configure service interface pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service interface pool"; uses service_interface_pool_object; } // list pool } // container service-interface-pools container hosted-services { description "Configuration for services performed in the remote server"; uses apply-advanced; list client-profile { key "name"; ordered-by user; description "Configure client profile"; leaf name { type string { length "3 .. 32"; } description "Client profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 
63"; } } description "Identifier for the service performed on the remote server"; } } // list client-profile list server-profile { key "name"; ordered-by user; description "Configure server profile"; leaf name { type string { length "3 .. 32"; } description "Server profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf server-address { type jt:ipv4addr; description "Server address"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 63"; } } description "Identifier for the service performed in the remote server"; } } // list server-profile } // container hosted-services container jflow-log { presence "enable jflow-log"; description "Configure jflow-logging parameters for services"; uses apply-advanced; list collector { key "name"; ordered-by user; description "Collector attributes"; leaf name { type string { length "1 .. 63"; } description "Profile name"; } uses apply-advanced; leaf destination-address { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; } description "IPv4 Address or hostname of the collector"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port of the collector"; } leaf source-ip { type jt:ipv4addr; description "Source IPv4 Address from which logging is to be done"; } } // list collector list collector-group { key "name"; ordered-by user; leaf name { type string { length "1 .. 63"; } description "Name of collector-group"; } uses apply-advanced; leaf-list collector { type string { length "1 .. 
63"; } max-elements 8; ordered-by user; description "List of Collector profiles"; } } // list collector-group list template-profile { key "name"; ordered-by user; leaf name { junos:must "((any ".. collector <*>" || any ".. collector-group <*>"))"; junos:must-message "template-profile must have a collector or collector-group configured"; type string { length "1 .. 63"; } description "Specify name of the template"; } uses apply-advanced; leaf collector { junos:must "(!(any ".. collector-group <*>"))"; junos:must-message "Collector-group is already configured for this template"; junos:must "("services jflow-log collector $$")"; junos:must-message "The referenced collector is not defined"; type string { length "1 .. 63"; } description "Specify a collector name"; } leaf-list collector-group { junos:must "(!(any ".. collector <*>"))"; junos:must-message "Collector is already configured for this template profile"; type string { length "1 .. 63"; } max-elements 1; ordered-by user; description "Specify a collector-group name"; } leaf template-type { type enumeration { enum "nat" { value 0; description "Enable jflow-logs for NAT events"; } } description "Allow jflow-log for applications"; } leaf version { type enumeration { enum "v9" { value 0; description "Version 9"; } enum "ipfix" { value 1; description "Ipfix"; } } description "Version of jflow-logging"; } container refresh-rate { presence "enable refresh-rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 48000"; } } default "4800"; description "Specify number of packets after which templates are sent to collector"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 
1800"; } } default "1800"; description "Specify number of seconds after which templates are sent to collector"; } } // container refresh-rate } // list template-profile } // container jflow-log container service-device-pools { description "Configure service device pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service device pool"; uses service_device_pool_object; } // list pool } // container service-device-pools container analytics { presence "enable analytics"; description "Traffic analytics configuration options"; uses apply-advanced; container zero-suppression { presence "enable zero-suppression"; description "Configure suppression of zeros for GRPC sensors"; uses apply-advanced; leaf no-zero-suppression { type empty; description "Disable zero suppression"; } } // container zero-suppression list streaming-server { key "name"; ordered-by user; description "Define Telemetry data servers"; leaf name { type string { length "1 .. 128"; } description "Telemetry App server Name"; } uses apply-advanced; leaf remote-address { type jt:ipaddr; description "Telemetry server IP address"; } leaf remote-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Telemetry server Port"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } leaf dialout { type empty; description "Supports dynamic dialout subscriptions"; } } // list streaming-server list export-profile { key "name"; ordered-by user; description "Telemetry export profile name"; leaf name { type string { length "1 .. 
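128"; } description "Telemetry export profile name"; } uses apply-advanced;
// export-profile (continued): per-profile export parameters — IPv4 local-address/local-port, DSCP 0..63,
// forwarding-class (PFE sensors only), reporting-rate 0..86400 s, payload-size 1400..9192 bytes
// (default 5000), record format (gpb, gpb-sdm, gpb-gnmi, json-gnmi) and transport (udp or grpc).
leaf local-address { type jt:ipv4addr; description "Source address for exported packets"; } leaf local-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Source port for exported packets"; } leaf dscp { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 63"; } } description "DSCP value for exported packets"; } leaf forwarding-class { type string { length "1 .. 64"; } description "Forwarding-class for exported packets, applicable only for PFE sensors"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf payload-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1400 .. 9192"; } } units "bytes"; default "5000"; description "Telemetry payload size"; } leaf format { type enumeration { enum "gpb" { value 0; description "Use gpb format"; } enum "gpb-sdm" { value 1; description "Use gpb self-describing-message format"; } enum "gpb-gnmi" { value 2; description "Use gnmi format for gpb messages"; } enum "json-gnmi" { value 3; description "Use gnmi format for json messages"; } } description "Telemetry export record format"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } } // list export-profile
// sensor: telemetry sensor definitions; rejected while [system services cloud-analytics instance] is
// configured. server-name and export-name refer to streaming-server / export-profile entries by name, but
// no must statement enforces the reference here. polling-interval is marked deprecated; reporting-rate
// (seconds) is the non-deprecated interval leaf.
// NOTE(review): resource-filter is a user-supplied regexp of up to 1024 characters — this schema only
// bounds its length; confirm the matcher that consumes it is bounded as well.
list sensor { junos:must "(!("system services cloud-analytics instance"))"; junos:must-message "Cloud analytics should not be defined"; key "name"; ordered-by user; description "Define Telemetry sensors"; leaf name { type string { length "1 .. 128"; } description "Name of the sensor"; } uses apply-advanced; leaf-list server-name { type string { length "1 .. 
128"; } ordered-by user; description "Define Telemetry server "; } leaf export-name { type string { length "1 .. 128"; } description "Define Telemetry export profiles"; } leaf polling-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } units "nanoseconds"; status deprecated; description "Define sensor polling interval in nano secs (1 .. 4294967295)"; } leaf resource { type string { length "1 .. 255"; } description "System resource identifier string"; } leaf resource-filter { type string { length "1 .. 1024"; } description "Regexp for filtering resource instances (1 .. 1024)"; } leaf subscription-id { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Subscription ID (Used internally to group sensors)"; } leaf suppress-zeros { type empty; description "Suppress zeros while data export"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf-list end-of-sync-identifiers { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 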
64"; } } max-elements 10; ordered-by user; description "Set of end-of-syncs for this sensor"; } leaf target-defined { type empty; description "Allow target to decide periodic, on-change or mix"; } leaf life-time { type enumeration { enum "long-lived" { value 0; description "A long-lived subscription"; } enum "one-off" { value 1; description "An one-off subscription"; } } description "Denotes sensor life-time"; } } // list sensor container agent { description "Configure analytics agent"; uses apply-advanced; list service-agents { key "name"; ordered-by user; description "Analytics service agent configuration"; leaf name { type string; description "Analytics service agent name"; } uses apply-advanced; container inputs { description "List of input plugins"; uses apply-advanced; container input-jti-ipfix { presence "enable input-jti-ipfix"; description "Junos grpc IPFIX group plugin"; uses apply-advanced; container parameters { presence "enable parameters"; uses apply-advanced; list record-group { key "name"; max-elements 10; ordered-by user; description "Group sensors"; leaf name { type string; description "Group sensors"; } uses apply-advanced; leaf reporting-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 
86400"; } } default "900"; description "Reporting-interval"; } leaf-list record { type enumeration { enum "port-statistics" { value 0; description "Port statistics"; } enum "address-pool-utilization" { value 1; description "Address pool utilization"; } enum "dhcpv4-server-stats" { value 2; description "Dhcpv4 server statistics"; } enum "thermal" { value 3; description "Thermal statistics"; } enum "chassis-inventory" { value 4; description "Chassis inventory details"; } enum "chassis-power" { value 5; description "Chassis power details"; } enum "resource-utilization" { value 6; description "Resource utilization details"; } enum "uptime" { value 7; description "Uptime value"; } enum "subscriber-statistics" { value 8; description "Subscriber statistics"; } enum "interface-metadata" { value 9; description "Interface metadata details"; } enum "interface-queue-statistics" { value 10; description "Interface Queue statistics"; } } ordered-by user; description "Ipfix record name"; } } // list record-group } // container parameters } // container input-jti-ipfix container input-ipfix { presence "enable input-ipfix"; description "Junos IPFIX Mediator input plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of IPFIX parameters"; uses apply-advanced; leaf tcp-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Listening TCP Port for IPFIX Mediator"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
500"; } } description "Maximum TCP Connections 1..500"; } leaf vrf-name { type string; description "VRF name on which IPFIX packets are accepted"; } } // container parameters } // container input-ipfix container analytics { presence "enable analytics"; description "Junos Telemetry plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of key:value parameters"; uses apply-advanced; leaf sample-frequency { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "5"; description "Interval for sensor data in seconds, max 24 hours"; } leaf sensors { type string { length "1 .. 2048"; } description "Space separated list of sensor paths"; } leaf generate-tags { type empty; description "Enable generation of tags"; } } // container parameters } // container analytics } // container inputs list outputs { key "name"; max-elements 1; ordered-by user; description "List of output plugins"; uses output-plugin; } // list outputs } // list service-agents container traceoptions { presence "enable traceoptions"; uses apply-advanced; leaf flag { type enumeration { enum "trace" { value 0; description "Log level TRACE, will trace everything"; } enum "debug" { value 1; description "Log level DEBUG, will trace debug messages"; } enum "info" { value 2; description "Log level INFO"; } enum "error" { value 3; description "Log level ERROR, will trace all error messages"; } } description "Set log level for tracing"; } leaf filename { type string; default "ntf-agent.log"; description "Configure filename for trace messages"; } } // container traceoptions } // container agent container traceoptions { description "Traffic analytics trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace 
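file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; }
// world-readable-choice: world-readable lets any local user read the trace file; no-world-readable
// denies it. The behaviour when neither leaf is set is not expressed in this schema.
choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file
// flag: analytics trace flags; "all" enables every event class, the other values select a single class,
// and disable turns an individual flag off.
list flag { key "name"; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace all events"; } enum "configuration" { value 1; description "Log configuration events"; } enum "rtsock" { value 2; description "Trace rtsock message events"; } enum "client-server" { value 3; description "Trace client-server events"; } enum "interface" { value 4; description "Trace interface update events"; } enum "xmlproxy" { value 5; description "Trace xmlproxy events"; } } } leaf disable { type empty; description "Disable this trace flag"; } } // list flag } // container traceoptions
// export-profiles: maps a named export profile (name 1..64 chars) to a stream-format (default gpb) and to
// the interface and system data classes that are streamed to collectors.
list export-profiles { key "name"; ordered-by user; description "Mapping of export-profiles to collectors"; leaf name { type string { length "1 .. 
64"; } description "Export profile name"; } uses apply-advanced; leaf stream-format { type enumeration { enum "gpb" { value 0; description "Google protocol buffer format"; } enum "json" { value 1; description "Java script object notation format"; } enum "csv" { value 2; description "Comma separated value"; } enum "tsv" { value 3; description "Tab separated value"; } } default "gpb"; description "Streaming data format"; } container interface { presence "enable interface"; description "Interface specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of interface information"; } container statistics { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of interface traffic statistics"; } leaf queue { type empty; description "Enable streaming of interface queue statistics"; } } // container statistics container status { description "Type of statistics to stream"; uses apply-advanced; leaf link { type empty; description "Enable streaming of interface link status"; } leaf traffic { type empty; description "Enable streaming of interface traffic status"; } leaf queue { type empty; description "Enable streaming of interface queue status"; } } // container status } // container interface
// system: presence container selecting system-level information and traffic/queue status for streaming.
container system { presence "enable system"; description "System specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of system information"; } container status { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of system traffic status"; } leaf queue { type empty; description "Enable streaming of system queue status"; } } // container status } // container system } // list export-profiles list resource-profiles { key "name"; ordered-by user; description "Mapping of resource profiles to interfaces/queues/system"; leaf name { type string { length "1 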
.. 64"; } description "Export profile name"; } uses apply-advanced; choice queue-monitoring-choice { leaf queue-monitoring { type empty; description "Enable queue statistics monitoring"; } leaf no-queue-monitoring { type empty; description "Don't enable queue statistics monitoring"; } } // choice queue-monitoring-choice choice traffic-monitoring-choice { leaf traffic-monitoring { type empty; description "Enable traffic statistics monitoring"; } leaf no-traffic-monitoring { type empty; description "Don't enable traffic statistics monitoring"; } } // choice traffic-monitoring-choice container depth-threshold { junos:must "(!(".. latency-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Depth threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "High queue depth threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "Low queue depth threshold"; } } // container depth-threshold container latency-threshold { junos:must "(!(".. depth-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Latency threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000000"; } } units "nanoseconds"; description "High latency threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
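100000000"; } } units "nanoseconds"; description "Low latency threshold"; } } // container latency-threshold } // list resource-profiles
// resource: binds resource-profiles to the system and to interfaces. resource-profile must name an
// existing [services analytics resource-profiles] entry; polling intervals are 1..300 s (traffic) and
// 1..1000 ms (queue).
container resource { presence "enable resource"; uses apply-advanced; container system { description "System configuration options"; uses apply-advanced; leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "referenced resource-profile is not configured"; type string { length "1 .. 64"; } description "Resource profile name"; } container polling-interval { description "Polling interval"; uses apply-advanced; leaf traffic-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; description "Traffic statistics polling interval"; } leaf queue-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container polling-interval } // container system container interfaces { description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces } // container resource
// collector: where streamed analytics go — either a local log file (collector local file) or remote
// servers keyed by address, port (1..65535) and transport (tcp/udp), each bound to an export-profile that
// must exist under [services analytics export-profiles]. No authentication or encryption leaves are
// modelled for the remote path in this schema.
container collector { description "Remote streaming servers configuration options"; uses apply-advanced; container local { description "Local collector configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "10"; description "Maximum number of trace files"; } } // container file } // container local list address { key "name"; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port number"; } uses apply-advanced; list transport { key "name"; description "Transport protocol"; leaf name { type enumeration { enum "tcp" { value 0; description "Transmission control protocol"; } enum "udp" { value 1; description "User datagram protocol"; } } } uses apply-advanced; leaf export-profile { junos:must "("services analytics export-profiles $$")"; junos:must-message "referenced export-profile is not configured"; type string { length "1 .. 64"; } description "Export profile name"; } } // list transport } // list port } // list address } // container collector
// traffic-statistics: marked deprecated (status deprecated); kept for existing configurations.
container traffic-statistics { status deprecated; description "Traffic statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 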
300"; } } units "seconds"; description "Traffic statistics polling interval"; } } // container traffic-statistics container queue-statistics { status deprecated; description "Microburst statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container queue-statistics container interfaces { status deprecated; description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces container streaming-servers { status deprecated; description "Remote streaming servers configuration options"; uses apply-advanced; list address { key "name"; ordered-by user; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } description "Port number"; } uses apply-advanced; leaf stream-format { type enumeration { enum "json" { value 0; description "Javascript object notation"; } enum "csv" { value 1; description "Comma separated value"; } enum "tsv" { value 2; description "Tab separated value"; } } description "Streaming data format"; } list stream-type { key "name"; description "Type of statistics to stream"; leaf name { type enumeration { enum "traffic-statistics" { value 0; description "Enable streaming of traffic statistics"; } enum "queue-statistics" { value 1; description "Enable streaming of queue statistics"; } } } uses apply-advanced; } // list stream-type } // list port } // list address } // container streaming-servers } // container analytics } // container services } // grouping services-group grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro } // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping bgp-logical-system { description "Logical systems configuration for rpm"; leaf name { type string { junos:posix-pattern "![^a-zA-Z0-9_-]|(^(all|.{64,})$)"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Logical system name"; } uses apply-advanced; list routing-instances { key "name"; description "Routing instances"; uses 
bgp-routing-instances; } // list routing-instances } // grouping bgp-logical-system grouping bgp-routing-instances { description "Routing-instance configuration for rpm"; leaf name { type string; description "Routing instance name"; } uses apply-advanced; } // grouping bgp-routing-instances grouping drop-policy-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; container source-address { presence "enable source-address"; description "Source IP Address"; uses li_policy_addr_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IP Address"; uses li_policy_addr_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy-term grouping drop-policy6-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description 
"Define match criteria"; uses apply-advanced; container source-address { presence "enable source-address"; description "Source IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy6-term grouping family { container inet { description "IPv4 parameters"; uses apply-advanced; choice if-addr { leaf dhcp { type empty; description "Enable DHCP on ethernet interface"; } leaf address { type jt:ipv4prefix; description "Interface address/destination prefix"; } } // choice if-addr } // container inet } // grouping family grouping interface_type { description "Physical interface"; leaf name { type string; } uses apply-advanced; choice queue-statistics-choice { leaf queue-statistics { type empty; status deprecated; description "Enable queue statistics collection"; } leaf no-queue-statistics { type empty; status deprecated; description "Don't enable queue statistics collection"; } } // choice queue-statistics-choice choice traffic-statistics-choice { leaf traffic-statistics { type empty; 
status deprecated; description "Enable traffic statistics collection"; } leaf no-traffic-statistics { type empty; status deprecated; description "Don't enable traffic statistics collection"; } } // choice traffic-statistics-choice leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "binded resource-profile in not configured"; type string { length "1 .. 64"; } description "Resouce profile name"; } } // grouping interface_type grouping ipsec-services-traceoptions { description "Trace options for key management process"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "ike" { value 3; description "Trace IKE module processing"; } enum "policy-manager" { value 4; description "Trace policy manager processing"; } enum "general" { value 5; description "Trace general events"; } enum "database" { value 6; description "Trace security associations database events"; } enum "certificates" { value 7; description "Trace certificate events"; } enum "snmp" { value 8; description "Trace SNMP operations"; } enum "ams" { value 9; description "Trace AMS events"; } enum "lic" { value 10; description "Trace License events"; } enum "all" { value 11; description "Trace everything"; } } } } // list flag } // grouping ipsec-services-traceoptions grouping ipsec_vpn_rule_object { leaf name { type 
string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; list term { key "name"; ordered-by user; description "Define an IPSec term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses ipsec_vpn_match_object; } // container from container then { presence "enable then"; description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf syslog { type empty; description "System log information about the packet"; } leaf remote-gateway { type jt:ipaddr; description "Remote gateway address"; } leaf backup-remote-gateway { junos:must "(".. dynamic")"; junos:must-message "Backup remote gateway can be configured with dynamic security associations only"; type jt:ipaddr; description "Backup remote gateway address"; } choice sa_choice { container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. 
direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 
16639"; } } description "ESP security parameter index for IPSec SA bundle"; }
/* NOTE(review): the authentication enumeration still offers hmac-md5-96 and hmac-sha1-96 alongside the SHA-2 options, and none of the four entries carries 'status deprecated' (other nodes in this module do use that marker). The schema therefore gives operators no steer toward the SHA-2 choices. */
container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; }
/* NOTE(review): manual-SA keys are entered directly in the configuration as ascii-text or hexadecimal. The schema checks only length (1 .. 255) and, for hexadecimal, the digit set; it does not tie a minimum key length to the algorithm selected above, so any algorithm-specific minimum would have to be enforced outside this schema. */
container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice
} // container key
} // container authentication
/* NOTE(review): des-cbc and 3des-cbc remain selectable and, like the MD5/SHA-1 entries above, carry no 'status deprecated' marker. The encryption key below uses the same plain-text entry and length-only validation as the authentication key. */
container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual container dynamic { description "Define a dynamic security association"; uses apply-advanced; leaf ike-policy { junos:must "(!("services ipsec-vpn ike policy $$ remote-id any-remote-id"))"; junos:must-message "Referenced IKE policy can include 'any-remote-id' statement only in the DEP (dynamic endpoints configuration) mode"; junos:must "(("services ipsec-vpn ike policy $$ pre-shared-key" || "services ipsec-vpn ike policy $$ local-certificate"))"; junos:must-message "Either pre-shared-key or local-certificate must be configured in the referencd ike policy"; junos:must "("services ipsec-vpn ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit services ipsec-vpn ike policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IKE policy"; } leaf ipsec-policy { junos:must "("services ipsec-vpn ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } leaf natt-install-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } units "seconds"; default "0"; description "Installation interval of the IPSEC SA in NAT-T scenario"; } } // container dynamic } // choice sa_choice leaf clear-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. 
set-dont-fragment-bit")))"; junos:must-message "'clear' option can not be configured if either of 'copy' or 'set' is already configured"; type empty; description "Clear the do not fragment bit"; } leaf copy-dont-fragment-bit { junos:must "((!(".. clear-dont-fragment-bit") && !(".. set-dont-fragment-bit")))"; junos:must-message "'copy' option can not be configured if either of 'clear' or 'set' is already configured"; type empty; description "Copy the do not fragment bit"; } leaf set-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. clear-dont-fragment-bit")))"; junos:must-message "'set' option can not be configured if either of 'clear' or 'copy' is already configured"; type empty; description "Set the do not fragment bit"; }
/* NOTE(review): this leaf turns off IPsec anti-replay checking for the term. It is mutually exclusive with anti-replay-window-size (that leaf carries the reverse must-constraint), but neither the description nor the must-message states the replay exposure that results; only the configuration conflict is named. */
leaf no-anti-replay { junos:must "(!(".. anti-replay-window-size"))"; junos:must-message "anti-replay-window-size must not be defined"; type empty; description "Disable the anti-replay check"; } leaf tunnel-mtu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } leaf copy-ttl-from-inner-ip-header { type empty; description "Copy the inner ip ttl value to outer ip header"; }
/* NOTE(review): the must-expression here, and the one on 'tos' below, is written with a leading space inside the relative path (" .. copy-ttl-from-inner-ip-header"), unlike every other relative path in this module (".. something"). Confirm the DDL path matcher tolerates the space; if it does not, the exclusion never fires and ttl/tos can be set together with the copy-from-inner options. */
leaf ttl { junos:must "(!(" .. copy-ttl-from-inner-ip-header"))"; junos:must-message "TTL value cannot be configured with copy-ttl-from-inner-ip-header option"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "TTL value to be used for outer IP header"; } leaf copy-tos-from-inner-ip-header { type empty; description "Copy the inner ip tos value to outer ip header"; } leaf tos { junos:must "(!(" .. copy-tos-from-inner-ip-header"))"; junos:must-message "ToS value cannot be configured with copy-tos-from-inner-ip-header option"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } default "0"; description "ToS value to be used for outer IP header"; } leaf initiate-dead-peer-detection { type empty; description "Initiate dead peer detection"; } container dead-peer-detection { junos:must "(".. initiate-dead-peer-detection")"; junos:must-message "[ edit services ipsec-vpn rule <*> term <*> then initiate-dead-peer-detection ] must be set"; presence "enable dead-peer-detection"; description "Dead peer detection options"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 180"; } } units "seconds"; default "10"; description "Interval at which the DPD messages should be sent"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } default "3"; description "Maximum number of DPD messages"; } } // container dead-peer-detection leaf anti-replay-window-size { junos:must "(!(".. no-anti-replay"))"; junos:must-message "no-anti-replay must not be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 
4096"; } } description "Size of the anti-replay window"; } } // container then } // list term leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Direction for which the rule match is applied"; } } // grouping ipsec_vpn_rule_object grouping ipsec_vpn_match_object { uses apply-advanced; list source-address { key "name"; max-elements 1; ordered-by user; description "Match IP source address"; uses ipsec_vpn_addr_object; } // list source-address list destination-address { key "name"; max-elements 1; ordered-by user; description "Match IP destination address"; uses ipsec_vpn_addr_object; } // list destination-address leaf ipsec-inside-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "IPSec interface to internal network"; } } // grouping ipsec_vpn_match_object grouping ipsec_vpn_addr_object { leaf name { type jt:ipprefix-only; description "Prefix to match"; } } // grouping ipsec_vpn_addr_object grouping juniper-services-captive-portal { junos:must "(("services captive-portal secure-authentication" || "system services web-management http"))"; junos:must-message "HTTP web service should be enabled"; uses apply-advanced; leaf authentication-profile-name { junos:must "("access profile $$")"; junos:must-message "Access profile name must be defined in the [edit access profile] hierarchy"; type string { length "1 .. 63"; } description "Access profile name to use for authentication"; } container traceoptions { status deprecated; description "Trace options for CAPTIVE PORTAL"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 
1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "dot1x-debug" { junos:must "(!("services captive-portal traceoptions flag dot1x-event"))"; junos:must-message "Can not configure dot1x-event with dot1x-debug flag"; value 0; description "Trace dot1x events"; } enum "parse" { value 1; description "Trace configuration parsing"; } enum "esw-if" { junos:must "(!("services captive-portal traceoptions flag dot1x-ipc"))"; junos:must-message "Can not configure dot1x-ipc with esw-if flag"; value 2; description "Trace ESW Interactions"; } enum "config-internal" { value 3; description "Trace configuration internals"; } enum "normal" { value 4; description "Trace normal events"; } enum "general" { value 5; description "Trace general events"; } enum "state" { value 6; description "Trace state transitions"; } enum "task" { value 7; description "Trace task processing"; } enum "timer" { value 8; description "Trace task timer processing"; } enum "all" { value 9; description "Trace everything"; } enum "dot1x-ipc" { value 10; description "Trace dot1x IPC interactions"; } enum "dot1x-event" { value 11; description "Trace dot1x events"; } } } leaf disable { type empty; 
description "Disable this trace flag"; } } // list flag } // container traceoptions list interface { key "name"; description "Captive Portal interface specific options"; leaf name { junos:must "(!("system phone-home"))"; junos:must-message "Can't configure captive-portal along with Phone-home. Delete phone-home config to enable captive-portal"; junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; junos:must "((!("switch-options no-mac-learning") || (!(".. .. .. .. .. switch-options no-mac-learning") || !(any ".. .. .. .. .. bridge-domains <*> bridge-options no-mac-learning interface $$-IFL"))))"; junos:must-message "Cannot configure captive-portal on this interface since no-mac-learning is enabled on the same interface"; junos:must "(!("protocols dot1x supplicant interface ${interface}"))"; junos:must-message "Must not configure supplicant and captive-portal on same interface"; junos:must "(!("interfaces $$-IFL family bridge interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching port-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the port-mode is defined as trunk"; type string; } uses apply-advanced; leaf supplicant { type enumeration { enum "single" { value 0; description "Allow multiple clients; authenticate first client only"; } enum "single-secure" { value 1; description "Allow and authenticate only a single client"; } enum "multiple" { value 2; description "Allow multiple clients; authenticate each individually"; } } description "Set supplicant mode for this interface"; } leaf retries { type union { type string { 
pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Number of retries after which port is placed into wait state"; } leaf quiet-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "seconds"; description "Time to wait after an authentication failure"; } leaf server-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "seconds"; description "Authentication server timeout interval"; } leaf session-expiry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "seconds"; description "Session Expiry Timeout"; } leaf user-keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "7 .. 65535"; } } units "minutes"; description "Session keepalive after mac-flush"; } } // list interface
/* NOTE(review): the default is "http", so captive-portal credentials travel in plain text unless the operator explicitly selects https (the enum's own description says the username and password can be sniffed). The grouping-level must on juniper-services-captive-portal accepts either secure-authentication or web-management http, so nothing in this schema ever requires HTTPS. A secure-by-default revision would default to "https"; changing the default here alters the meaning of existing configurations that omit the leaf, so it is flagged rather than changed. */
leaf secure-authentication { type enumeration { enum "http" { junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; value 0; description "Insecure plain-text HTTP will be used for Captive Portal authentication, username and password can be sniffed"; } enum "https" { junos:must "(("system services web-management http" && "system services web-management https"))"; junos:must-message "HTTP and HTTPS web services should be enabled"; value 1; description "Encrypted HTTPS will be used for Captive Portal authentication"; } } default "http"; description "Set secure authentication using encrypted HTTPS or insecure authentication using plain-text HTTP"; } container custom-options { presence "enable custom-options"; description "Captive Portal html user interface customization options"; uses apply-advanced;
/* NOTE(review): the posix-pattern "^.+.((jpg)|(gif)|(jpeg)|(png))$" uses an unescaped '.', which matches any character, so the check only requires the value to end in one of the four extension words (e.g. "logojpg" passes, with no dot). "^.+\.((jpg)|(gif)|(jpeg)|(png))$" would match what the pattern-message promises. */
leaf header-logo { type string { junos:posix-pattern "^.+.((jpg)|(gif)|(jpeg)|(png))$"; junos:pattern-message "Only jpg, jpeg, gif, png image types allowed"; length "1 .. 
255"; } description "Path to logo image file"; } leaf header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html header in hex html format"; } leaf header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the html header in hex html format"; } leaf header-message { type string { length "1 .. 2047"; } description "Message to be displayed in the html header"; } leaf banner-message { type string { length "1 .. 2047"; } description "Terms and Conditions of usage message"; } leaf form-header-message { type string { length "1 .. 255"; } description "Message to be displayed in the login form header"; } leaf form-header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the login form header in hex html format"; } leaf form-header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the login form header in hex html format"; } leaf form-submit-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form submit button"; } leaf form-reset-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form reset button"; } leaf footer-message { type string { length "1 .. 
2047"; } description "Message to be displayed in the html footer"; } leaf footer-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html footer in hex html format"; } leaf footer-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the footer in hex html format"; } leaf post-authentication-url { type string { length "1 .. 255"; } description "Post authentication redirection URL"; } } // container custom-options } // grouping juniper-services-captive-portal grouping li_policy_addr6_simple_object { uses apply-advanced; leaf address { type jt:ipv6prefix; description "Prefix to match"; } } // grouping li_policy_addr6_simple_object grouping li_policy_addr_simple_object { uses apply-advanced; leaf address { type jt:ipv4prefix; description "Prefix to match"; } } // grouping li_policy_addr_simple_object grouping log-object { description "Configure auditable security logs"; uses apply-advanced; list exclude { key "name"; ordered-by user; status deprecated; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that 
generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; status deprecated; description "Limit number of security log entries to keep in memory"; } container cache { presence "enable cache"; description "Cache security log events in the audit log buffer"; uses apply-advanced; list exclude { junos:must "(!(".. .. exclude"))"; junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive"; key "name"; ordered-by user; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude 
leaf limit { junos:must "(!(".. .. limit"))"; junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive"; type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Limit number of security log entries to keep in memory"; } } // container cache } // grouping log-object grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping match_li_simple_dscp_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_dscp_value grouping match_li_simple_port_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_port_value grouping match_li_simple_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_protocol_value grouping monitor-threshold { leaf normal { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 100"; } } description "Usage under normal conditions"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 
100"; } } description "Threshold upon which alarm is raised"; } } // grouping monitor-threshold grouping nat-object { description "Configure Network Address Translation"; uses apply-advanced; list ipv6-multicast-interfaces { key "name"; ordered-by user; description "Enable IPv6 multicast filter for IPv6 NAT"; leaf name { type string; description "Interface name"; } uses apply-advanced; leaf disable { type empty; description "Disable IPv6 multicast filter for IPv6 NAT"; } } // list ipv6-multicast-interfaces list port-forwarding { key "name"; ordered-by user; description "Define a port-forwarding pool"; uses pf_mapping; } // list port-forwarding } // grouping nat-object grouping output-plugin { leaf name { type string; description "Plugin name"; } uses apply-advanced; list parameters { key "name"; ordered-by user; description "List of key:value parameters for plugin"; uses parameter-pair; } // list parameters } // grouping output-plugin grouping parameter-pair { leaf name { type string; description "Parameter key"; } uses apply-advanced; leaf value { type string; description "Parameter value"; } } // grouping parameter-pair grouping pcp-object { description "Configure Port Control Protocol"; uses apply-advanced; container traceoptions { description "Trace options for PCP-LOG"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list server { key "name"; ordered-by user; description "Define a PCP server"; uses pcp-server-object; } // list server list rule { key "name"; ordered-by user; description "Define a PCP rule"; uses pcp-rule-object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services pcp rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // grouping pcp-object grouping pcp-rule-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Define direction for which the rule match is applied"; } list term { key "name"; ordered-by user; description "Define a PCP term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses sfw_match_object; } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf pcp-server { junos:must "("services pcp server $$")"; junos:must-message "Referenced PCP server must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define PCP server"; } } // container then } // list term container match { description "Define match criteria"; uses sfw_match_object; } // container match container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf pcp-server { junos:must "("services pcp server $$")"; junos:must-message "Referenced PCP server must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Define PCP server"; } } // container then } // grouping pcp-rule-object grouping pcp-server-object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of PCP server"; } uses apply-advanced; leaf ipv4-address { type jt:ipv4addr; description "Configure IPv4 address for this PCP server"; } leaf ipv6-address { junos:must "((".. softwire-concentrator" || ".. 
softwire-concentrator-name"))"; junos:must-message "softwire-concentrator is a must with ipv6-address, please configure it under this pcp-server"; type jt:ipv6addr; description "Configure IPv6 address for this PCP server"; } leaf softwire-concentrator { junos:must "(!(".. ipv4-address"))"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, please remove ipv4-address in this pcp-server"; junos:must "(".. ipv6-address")"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, must define ipv6-address in this pcp-server"; junos:must "("services softwire softwire-concentrator ds-lite $$")"; junos:must-message "referenced softwire-concentrator must be defined under 'services softwire softwire-concentrator ds-lite'"; type string { length "1 .. 63"; } description "Softwire ds-lite concentrator"; } leaf softwire-concentrator-name { junos:must "(!(".. ipv4-address"))"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, please remove ipv4-address in this pcp-server"; junos:must "(".. ipv6-address")"; junos:must-message "referenced softwire-concentrator must be used only with DS-LITE, must define ipv6-address in this pcp-server"; junos:must "("services softwires softwire-types ds-lite $$")"; junos:must-message "referenced softwire-concentrator must be defined under 'services softwires softwire-types ds-lite'"; type string { length "1 .. 63"; } description "Softwire ds-lite concentrator"; } leaf mapping-lifetime-minimum { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "120 .. 3600"; } } units "second"; default "120"; description "Configure the minimum lifetime for any mapping"; } leaf mapping-lifetime-maximum { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "120 .. 
4294667"; } } units "second"; default "86400"; description "Configure the maximum lifetime for any mapping"; } leaf short-lifetime-error { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "15 .. 300"; } } units "second"; default "30"; description "Configure duration of a short-lifetime error"; } leaf long-lifetime-error { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "900 .. 18000"; } } units "second"; default "1800"; description "Configure duration of a long-lifetime error"; } leaf max-mappings-per-client { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 128"; } } default "32"; description "Configure maximum mappings permitted per client"; } container pcp-options { description "Configure PCP options supported by this server"; leaf third-party { type empty; description "Enable Third Party option"; } leaf prefer-failure { type empty; description "Enable Prefer Failure option"; } } // container pcp-options container nat-options { description "NAT options of this PCP server"; uses apply-advanced; list pool { key "name"; ordered-by user; description "NAT pool name"; uses nat_pool_list_object; } // list pool } // container nat-options container nat-option { description "NAT option of this PCP server"; uses apply-advanced; list pool { key "name"; ordered-by user; description "NAT pool name"; uses nat_pool_list_object_usf; } // list pool } // container nat-option } // grouping pcp-server-object grouping nat_pool_list_object { description "One or more nat pools"; leaf name { junos:must "("services nat pool $$")"; junos:must-message "referenced nat pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } } } // grouping nat_pool_list_object grouping nat_pool_list_object_usf { description "One or more nat pools"; leaf name { junos:must "("services nat source pool $$")"; junos:must-message "referenced nat pool must be defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } } } // grouping nat_pool_list_object_usf grouping pf_mapping { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Port Forwarding name"; } uses apply-advanced; list destined-port { key "port translated-port"; max-elements 32; ordered-by user; description "Port forwarding mappings"; leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } leaf translated-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Translated port"; } } // list destined-port } // grouping pf_mapping grouping rmopd-traceoptions { description "Trace options for remote-monitoring"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "ipc" { value 1; description "Trace ipc messages"; } enum "ppm" { value 2; description "Trace ppm"; } enum "rpd" { value 3; description "Trace rpd events"; } enum "info" { value 4; description "Trace info events"; } enum "statistics" { value 5; description "Trace statistics"; } enum "error" { value 6; description "Trace events related to catastrophic errors in daemon"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping rmopd-traceoptions grouping service_device_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
63"; } description "Service device pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service device name"; leaf name { junos:must "(!(any "interfaces <*> aggregated-inline-services-options secondary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; junos:must "(!(any "interfaces <*> aggregated-inline-services-options primary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; type string; } uses apply-advanced; } // list interface } // grouping service_device_pool_object grouping service_interface_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service interface pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service interface name"; leaf name { junos:must "("interfaces $$")"; junos:must-message "referenced interface must be defined"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; } // list interface } // grouping service_interface_pool_object grouping service_set_ipsec_vpn_options_object { uses apply-advanced; leaf-list trusted-ca { type string; ordered-by user; description "List of trusted certificate authority profiles"; } container local-gateway { description "Address and routing instance for local gateway"; leaf address { type jt:ipaddr; description "Local gateway address"; } leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing-instance must be defined"; type string; default "default"; description "Name of routing instance that hosts local gateway"; } leaf gw-interface { junos:must "(("interfaces $$-IFL family inet address" || "interfaces $$-IFL family inet6 
address"))"; junos:must-message "gw-interface must be an IFL and Interface with ip address must be defined in the interfaces hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Interface as local gateway"; } } // container local-gateway leaf ike-access-profile { junos:must "("access profile $$")"; junos:must-message "referenced ike access profile must be defined"; type string { length "1 .. 32"; } description "IKE access profile for dynamic peers"; } leaf passive-mode-tunneling { type empty; description "No active IP packet checks before IPSec encapsulation"; } leaf clear-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. set-dont-fragment-bit")))"; junos:must-message "'clear' option can not be configured if either of 'copy' or 'set' is already configured"; type empty; description "Clear the do not fragment bit"; } leaf copy-dont-fragment-bit { junos:must "((!(".. clear-dont-fragment-bit") && !(".. set-dont-fragment-bit")))"; junos:must-message "'copy' option can not be configured if either of 'clear' or 'set' is already configured"; type empty; description "Copy the do not fragment bit"; } leaf set-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. clear-dont-fragment-bit")))"; junos:must-message "'set' option can not be configured if either of 'clear' or 'copy' is already configured"; type empty; description "Set the do not fragment bit"; } leaf tunnel-mtu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } leaf no-anti-replay { junos:must "(!(".. anti-replay-window-size"))"; junos:must-message "anti-replay-window-size must not be defined"; type empty; description "Disable the anti-replay check"; } leaf anti-replay-window-size { junos:must "(!(".. 
no-anti-replay"))"; junos:must-message "no-anti-replay must not be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4096"; } } description "Size of the anti-replay window"; } container udp-encapsulate { presence "enable udp-encapsulate"; description "UDP encapsulation of IPsec data traffic"; leaf dest-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1025 .. 65536"; } } default "4565"; description "UDP destination port"; } } // container udp-encapsulate leaf no-nat-traversal { type empty; description "Disable NAT traversal for this service-set even if NAT is detected"; } leaf nat-keepalive { junos:must "((!(".. no-nat-traversal") && !("services ipsec-vpn disable-natt")))"; junos:must-message "no-nat-traversal or disable-natt must not be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } description "NAT-T keepalive interval in secs"; } leaf no-certificate-chain-in-ike { type empty; description "Send only end-entity certificates"; } } // grouping service_set_ipsec_vpn_options_object grouping services-ike { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses svc-ike-policy; } // list policy } // grouping services-ike grouping ike-proposal { leaf name { junos:must "((("services ipsec-vpn ike proposal $$" && !("security ike proposal $$")) || ("security ike proposal $$" && !("services ipsec-vpn ike proposal $$"))))"; junos:must-message "Referenced IKE proposal must not be defined both under [edit security ike proposal] and [edit services ipsec-vpn ike proposal]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 
32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } enum "rsa-signatures" { value 1; description "RSA signatures"; } enum "dsa-signatures" { value 2; description "DSA signatures"; } enum "ecdsa-signatures-256" { value 3; description "ECDSA signatures (254 bit modulus)"; } enum "ecdsa-signatures-384" { value 4; description "ECDSA signatures (384 bit modulus)"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "md5" { value 0; description "MD5 authentication algorithm"; } enum "sha1" { value 1; description "SHA1 authentication algorithm"; } enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 3; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum 
"aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ike-proposal grouping services-ipsec { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses ipsec-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IPSec policy"; uses ipsec-policy; } // list policy } // grouping services-ipsec grouping ipsec-policy { leaf name { junos:must "((("services ipsec-vpn ipsec policy $$" && !("security ipsec policy $$")) || ("security ipsec policy $$" && !("services ipsec-vpn ipsec policy $$"))))"; junos:must-message "Referenced IPSec policy must not be defined both under [edit security ipsec policy] and [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } uses apply-advanced; leaf description { type string { length "1 .. 
80"; } description "Text description of IPSec policy"; } container perfect-forward-secrecy { description "Define perfect forward secrecy"; uses apply-advanced; leaf keys { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } } // container perfect-forward-secrecy leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 0; description "IPSEC basic proposal-set"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 1; description "IPSEC compatible proposal-set"; } enum "standard" { junos:must "(!(".. 
proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 2; description "IPSEC standard proposal-set"; }
    }
    description "Types of default IPSEC proposal-set";
  }
} // grouping ipsec-policy

// IPsec proposal: protocol, integrity and confidentiality algorithms, and
// SA lifetime. Reused by the services ipsec-vpn hierarchy (the must on
// hmac-sha-256-128 below references that hierarchy four levels up).
grouping ipsec-proposal {
  leaf name {
    // A proposal name may live under [edit security ipsec proposal] or
    // [edit services ipsec-vpn ipsec proposal], but not under both.
    junos:must "((("services ipsec-vpn ipsec proposal $$" && !("security ipsec proposal $$")) || ("security ipsec proposal $$" && !("services ipsec-vpn ipsec proposal $$"))))";
    junos:must-message "Referenced IPSec proposal must not be defined both under [edit security ipsec proposal] and [edit services ipsec-vpn ipsec proposal]";
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    description "Name of the IPSec proposal";
  }
  uses apply-advanced;
  leaf description {
    type string {
      length "1 .. 80";
    }
    description "Text description of IPSec proposal";
  }
  leaf protocol {
    type enumeration {
      // AH provides integrity only; configuring an encryption-algorithm
      // alongside it is rejected at commit time.
      enum "ah" {
        junos:must "(!(".. encryption-algorithm"))";
        junos:must-message "Encryption algorithm must not be defined for AH";
        value 0;
        description "Authentication header";
      }
      enum "esp" { value 1; description "Encapsulated Security Payload header"; }
      enum "bundle" { value 2; description "Bundle (AH authentication plus ESP encryption)"; }
    }
    description "Define an IPSec protocol for the proposal";
  }
  leaf authentication-algorithm {
    // NOTE(review): hmac-md5-96 and hmac-sha1-96 remain selectable with no
    // must constraint; any policy preferring the SHA-2 variants has to be
    // enforced outside this schema (e.g. by configuration review).
    type enumeration {
      enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; }
      enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; }
      // Only accepted when the proposal sits under the ipsec-vpn hierarchy.
      enum "hmac-sha-256-128" {
        junos:must "(".. .. .. .. ipsec-vpn")";
        junos:must-message "hmac-sha-256-128 algorithm is not supported for IKE and IPSec configuration in security hierarchy";
        value 2;
        description "HMAC-SHA-256-128 authentication algorithm";
      }
      enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; }
      enum "hmac-sha2-256" { value 4; description "HMAC-SHA2-256 authentication algorithm"; }
    }
    description "Define authentication algorithm";
  }
  leaf encryption-algorithm {
    // NOTE(review): des-cbc and 3des-cbc are still offered without any
    // constraint; the only musts here are on the GCM modes.
    type enumeration {
      enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; }
      enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; }
      enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; }
      enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; }
      enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; }
      // AES-GCM is AEAD: a separate authentication-algorithm is rejected.
      enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 5; description "AES-GCM 128-bit encryption algorithm with 16 octet ICV"; }
      enum "aes-192-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 6; description "AES-GCM 192-bit encryption algorithm with 16 octet ICV"; }
      enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 7; description "AES-GCM 256-bit encryption algorithm with 16 octet ICV"; }
    }
    description "Define encryption algorithm";
  }
  leaf lifetime-seconds {
    // The string branch of the union (pattern "<.*>|$.*") presumably admits
    // Junos group wildcards / variables rather than a literal value — verify.
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "180 .. 86400"; }
    }
    units "seconds";
    description "Lifetime, in seconds";
  }
} // grouping ipsec-proposal

// Match criteria for a stateful-firewall term: source/destination
// addresses, ranges, prefix lists, destination ports and applications.
grouping sfw_match_object {
  uses apply-advanced;
  list source-address { key "name"; ordered-by user; description "Match IP source address"; uses sfw_addr_object; } // list source-address
  list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses sfw_addr_object; } // list destination-address
  container destination-port {
    presence "enable destination-port";
    uses apply-advanced;
    choice port_choice {
      container range {
        description "Range of ports";
        // No must enforces low <= high here; ordering is presumably checked
        // by the commit script/daemon — confirm.
        leaf low { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Lower limit of port range"; }
        leaf high { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Upper limit of port range"; }
      } // container range
    } // choice port_choice
  } // container destination-port
  list source-address-range {
    key "low high";
    ordered-by user;
    description "Match IP source address range";
    leaf low { type jt:ipaddr; description "Lower limit of address range"; }
    leaf high { type jt:ipaddr; description "Upper limit of address range"; }
    // "except" inverts the match for this entry.
    leaf except { type empty; description "Match address not in this prefix"; }
  } // list source-address-range
  list source-prefix-list {
    key "name";
    ordered-by user;
    description "One or more named lists of source prefixes to match";
    // Plain string: the referenced prefix-list name is not validated by a must
    // in this grouping.
    leaf name { type string; description "Name of prefix list to match against"; }
    leaf except { type empty; description "Name of prefix list not to match against"; }
  } // list source-prefix-list
  list destination-address-range {
    key "low high";
    ordered-by user;
    description "Match IP destination address range";
    leaf low { type jt:ipaddr; description "Lower limit of address range"; }
    leaf high { type jt:ipaddr; description "Upper limit of address range"; }
    leaf except { type empty; description "Match address not in this prefix"; }
  } // list destination-address-range
  list destination-prefix-list {
    key "name";
    ordered-by user;
    description "One or more named lists of destination prefixes to match";
    leaf name { type string; description "Name of prefix list to match against"; }
    leaf except { type empty; description "Name of prefix list not to match against"; }
  } // list destination-prefix-list
  leaf-list applications { type string; ordered-by user; description "Match one or more applications"; }
  list application-sets {
    key "name";
    ordered-by user;
    description "Match one or more application sets";
    leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } }
    uses apply-advanced;
  } // list application-sets
  // NOTE(review): undocumented leaf-list; relationship to "applications"
  // above is not stated in the schema — confirm before relying on it.
  leaf-list application { type string; ordered-by user; }
} // grouping sfw_match_object

// Single address entry with optional negation; shared by the
// source-address and destination-address lists above.
grouping sfw_addr_object {
  leaf name { type string; description "Match IP address"; }
  leaf except { type empty; description "Match address not in this prefix"; }
} // grouping sfw_addr_object

// Stateful-firewall rule: direction plus an ordered list of terms, each with
// "from" match criteria and a "then" action.
grouping sfw_rule_object {
  leaf name {
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots.";
      length "1 .. 63";
    }
    description "Rule name";
  }
  uses apply-advanced;
  leaf match-direction {
    type enumeration {
      enum "input" { value 0; description "Match on input to interface"; }
      enum "output" { value 1; description "Match on output from interface"; }
      enum "input-output" { value 2; description "Match on input to or output from interface"; }
    }
    description "Direction for which the rule match is applied";
  }
  list term {
    key "name";
    ordered-by user; // terms are evaluated in the order the operator lists them
    description "Define a stateful firewall term";
    leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]/.:_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes, underscores, forward slashes, colons and dots."; length "1 .. 63"; } description "Term name"; }
    uses apply-advanced;
    container from { description "Define match criteria"; uses sfw_match_object; } // container from
    container then {
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      // Exactly one disposition per term: accept, silent discard, or reject.
      choice designation {
        leaf accept { type empty; description "Accept the packet"; }
        container discard { presence "enable discard"; description "Discard the packet"; uses apply-advanced; } // container discard
        leaf reject { type empty; description "Reject the packet"; }
      } // choice designation
      // NOTE(review): undocumented; presumably the IP options permitted
      // through on an accept — confirm against the services documentation.
      leaf-list allow-ip-options { type string; ordered-by user; }
      leaf syslog { type empty; description "System log information about the packet"; }
      // skip-ids bypasses IDS for matching packets; worth auditing where set.
      leaf skip-ids { type empty; description "No IDS processing will be done on a matching packet"; }
    } // container then
  } // list term
} // grouping sfw_rule_object

// SSL client (initiation) profiles: protocol version, cipher policy, trust
// anchors, client certificate and validation-failure handling.
grouping ssl-initiation-config {
  uses apply-advanced;
  list profile {
    key "name";
    ordered-by user;
    description "SSL client profile";
    leaf name { type string { length "1 .. 63"; } description "Profile identifier"; }
    uses apply-advanced;
    leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; }
    leaf protocol-version {
      // Default is "all". Its description lists only TLS 1.0-1.3 while ssl3
      // is a separate enum; whether "all" also negotiates SSLv3 on the device
      // cannot be determined from this schema — confirm.
      type enumeration {
        enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
        enum "ssl3" { value 1; description "SSL version 3"; }
        enum "tls1" { value 2; description "TLS version 1"; }
        enum "tls11" { value 3; description "TLS version 1.1"; }
        enum "tls12" { value 4; description "TLS version 1.2"; }
        enum "tls13" { value 5; description "TLS version 1.3"; }
        enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
      }
      default "all";
      description "Protocol SSL version accepted";
    }
    leaf preferred-ciphers {
      // "weak" admits 40-bit ciphers; "custom" requires a custom-ciphers list.
      type enumeration {
        enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
        enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
        enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
        enum "custom" { junos:must "(".. custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; }
      }
      default "medium";
      description "Select preferred ciphers";
    }
    leaf-list custom-ciphers {
      // Ordered, operator-supplied cipher preference list (max 64 entries).
      // The tls12-* entries (values 0-19) carry a must that rejects them only
      // when preferred-ciphers is "custom" AND protocol-version is "tls13".
      // NOTE(review): the RC4, MD5, single-DES and export-grade entries
      // (values 25-28, 31-35) carry no constraint at all, and the must-message
      // on values 29/30 says "tls1 or all" while the must only excludes ssl3.
      // The same 61-entry enumeration is duplicated in ssl-proxy-config
      // below; keep the two lists in lockstep (a shared typedef would avoid
      // drift). The message on value 19 contains a wording slip ("and to
      // use") that is left as-is because it is user-visible commit text.
      type enumeration {
        enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; }
        enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; }
        enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; }
        enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; }
        enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; }
        enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; }
        enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
        enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
        enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
        enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
        enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
        enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
        enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
        enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
        enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; }
        enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; }
        enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; }
        enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; }
        enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; }
        enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; }
        // TLS 1.3 suites: no version constraint is attached to these.
        enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
        enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
        enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        // Legacy suites (RC4, single DES, MD5, export grade): unconstrained.
        enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
        enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
        enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
        enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
        enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; }
        enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; }
        enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
        enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
        enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
        enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
        enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
        enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
        enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
        enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
        enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
        enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
        enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
        enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
        enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
        enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
        enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; }
        enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; }
        enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; }
        enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; }
        enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; }
        enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; }
        enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; }
        enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; }
        enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; }
      }
      max-elements 64;
      ordered-by user;
      description "Custom cipher list";
    }
    leaf enable-session-cache { type empty; description "Enable SSL session cache"; }
    // Trust anchors are referenced by CA-profile name; the names are not
    // validated against the PKI hierarchy here.
    leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; }
    leaf client-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; }
    container actions {
      description "Traffic related actions";
      uses apply-advanced;
      // Setting this lets sessions proceed when server certificate
      // validation fails, i.e. it removes the authentication guarantee of
      // TLS for this profile; audit any configuration where it is present.
      leaf ignore-server-auth-failure { type empty; description "Ignore server authentication failure"; }
      container crl {
        description "Certificate Revocation actions.";
        leaf disable { type empty; description "Disable CRL validation."; }
        // Default "allow": a missing CRL does not block the session unless
        // "drop" is configured explicitly.
        leaf if-not-present {
          type enumeration {
            enum "allow" { value 0; description "Allow session if CRL information is not present."; }
            enum "drop" { value 1; description "Drop session if CRL information is not present."; }
          }
          default "allow";
          description "Action if CRL information is not present.";
        }
        leaf ignore-hold-instruction-code { type empty; description "Ignore 'Hold Instruction Code' present in the CRL entry."; }
      } // container crl
      // Default "drop": a cipher the hardware path cannot handle ends the
      // session unless software inspection is allowed.
      leaf unsupported-cipher-on-hw {
        type enumeration {
          enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; }
          enum "software-inspection" { value 1; description "Allow session in software mode"; }
        }
        default "drop";
        description "Unsupported cipher processing on hardware mode";
      }
    } // container actions
  } // list profile
} // grouping ssl-initiation-config

// SSL proxy configuration: global cache/timeout knobs plus per-profile
// settings that mirror ssl-initiation-config above. The grouping continues
// beyond this point.
grouping ssl-proxy-config {
  uses apply-advanced;
  container global-config {
    description "Global proxy configuration";
    uses apply-advanced;
    leaf session-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 86400"; } } units "seconds"; description "Session cache timeout"; }
    leaf disable-cert-cache { type empty; description "Disable proxy mode certificate cache"; }
    leaf certificate-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "300 .. 3600"; } } units "seconds"; description "Certificate cache timeout"; }
    leaf invalidate-cache-on-crl-update { type empty; description "Invalidate certificate cache on crl update"; }
    leaf cache-usage-enforcement-threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } description "Percentage of total cache size after which per lsys limits will be enforced"; }
    leaf disable-deferred-profile-selection { junos:must "(!(".. 
enable-proxy-on-pre-id-policy-match"))"; junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-pre-id-policy-match is enabled"; junos:must "(!(".. enable-proxy-on-default-fw-policy-match"))"; junos:must-message "Deferred profile selection cannot be disabled when enable-proxy-on-default-fw-policy-match is enabled"; type empty; description "Disable the deferred profile selection mechanism"; } } // container global-config list profile { key "name"; ordered-by user; description "SSL Proxy profile"; leaf name { type string { length "1 .. 63"; } description "Profile identifier"; } uses apply-advanced; leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; } leaf protocol-version { type enumeration { enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; } enum "ssl3" { value 1; description "SSL version 3"; } enum "tls1" { value 2; description "TLS version 1"; } enum "tls11" { value 3; description "TLS version 1.1"; } enum "tls12" { value 4; description "TLS version 1.2"; } enum "tls13" { value 5; description "TLS version 1.3"; } enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; } } default "all"; description "Protocol SSL version accepted"; } leaf preferred-ciphers { type enumeration { enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; } enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; } enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; } enum "custom" { junos:must "(".. 
custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; } enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; } enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; } enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; } enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; } enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; } enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. 
protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; } enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; } enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; } enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; } enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; } enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; } enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; } enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum 
"ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf enable-session-cache { type empty; description "Enable SSL session cache"; } leaf-list trusted-ca { type string; max-elements 1024; ordered-by user; description "List of trusted certificate authority profiles"; } choice certificate { leaf-list root-ca { type string; max-elements 2; ordered-by user; description "Root 
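certificate for interdicting server certificates in proxy mode";
      // NOTE(review): this CA signs the forged server certificates the proxy presents
      // to clients. Whoever holds its private key can impersonate any TLS server to
      // every client that trusts it; keep it a dedicated, non-public CA.
    }
    leaf-list server-certificate {
      // Server-protection use: the proxy presents this locally held server certificate
      // itself, so the client-side trust knobs (actions crl, ignore-server-auth-failure,
      // trusted-ca) are mutually exclusive with it per the must statements below.
      junos:must "(!("security idp sensor-configuration ssl-inspection sessions"))";
      junos:must-message "IDP SSL Inspection should not be configured with ssl proxy profile <> server-certificate";
      junos:must "(!(".. actions crl"))";
      // Fixed typo in the message text ("server- certificate").
      junos:must-message "actions crl <> should not be configured with server-certificate";
      junos:must "(!(".. actions ignore-server-auth-failure"))";
      junos:must-message "ignore-server-auth-failure should not be configured with server-certificate";
      junos:must "(!(".. trusted-ca"))";
      junos:must-message "trusted-ca <> should not be configured with server-certificate";
      type string;
      max-elements 1024;
      ordered-by user;
      description "Local certificate identifier";
    }
  } // choice certificate
  container mirror-decrypt-traffic {
    // NOTE(review): this copies the DECRYPTED payload of proxied sessions out of
    // another interface to a fixed MAC. Everything the proxy inspects leaves the box
    // in cleartext; restrict the mirror interface to an isolated collector segment.
    description "Configure mirror interface and Destination MAC address";
    uses apply-advanced;
    leaf interface {
      junos:must "("interfaces $$")";
      junos:must-message "Interface must be defined";
      type union {
        type jt:interface-name;
        type string { pattern "<.*>|$.*"; }
      }
      description "Interface on which SSL decrypted traffic is mirrored";
    }
    leaf destination-mac-address {
      type jt:mac-addr;
      description "Mac address of host/server to which decrypted traffic is mirrored";
    }
    leaf only-after-security-policies-enforcement {
      // Per its description, mirroring presumably happens before policy enforcement
      // unless this is set; set it so policy-denied sessions are not exported.
      type empty;
      description "Enables decrypted Traffic mirroring after policy enforcement";
    }
  } // container mirror-decrypt-traffic
  leaf-list whitelist {
    // Exempted addresses bypass interdiction. Plain strings: the schema does not
    // constrain the address format here.
    type string;
    ordered-by user;
    description "Addresses exempted from SSL Proxy ";
  }
  leaf-list whitelist-url-categories {
    // NOTE(review): no description statement in the original schema; presumably URL
    // categories exempted from the proxy, analogous to whitelist above — confirm.
    type string;
    ordered-by user;
  }
  container actions {
    description "Logging and traffic related actions";
    uses apply-advanced;
    leaf ignore-server-auth-failure {
      // NOTE(review): sessions continue although validation of the real server's
      // certificate failed, i.e. the server-side trust check is switched off. Leave it
      // unset outside troubleshooting; an upstream man-in-the-middle is otherwise
      // indistinguishable from a genuine server.
      type empty;
      description "Ignore server authentication failure";
    }
    container log {
      presence "enable log";
      description "Logging actions";
      leaf all { type empty; description "Log all events"; }
      leaf sessions-dropped { type empty; description "Log only ssl session drop events"; }
      leaf sessions-allowed { type empty; description "Log ssl session allow events after an error"; }
      leaf sessions-ignored { type empty; description "Log session ignore events "; }
      leaf sessions-whitelisted { type empty; description "Log ssl session whitelist events "; }
      leaf errors { type empty; description "Log all error events "; }
      leaf warning { type empty; description "Log all warning events "; }
      leaf info { type empty; description "Log all information events "; }
    } // container log
    container crl {
      description "Certificate Revocation actions.";
      leaf disable {
        // Turns revocation checking off entirely for this profile.
        type empty;
        description "Disable CRL validation.";
      }
      leaf if-not-present {
        // The default "allow" is fail-open: a session proceeds when no CRL is
        // available. Use "drop" for fail-closed behaviour.
        type enumeration {
          enum "allow" { value 0; description "Allow session if CRL information is not present."; }
          enum "drop" { value 1; description "Drop session if CRL information is not present."; }
        }
        default "allow";
        description "Action if CRL information is not present.";
      }
      leaf ignore-hold-instruction-code {
        type empty;
        description "Ignore 'Hold Instruction Code' present in the CRL entry.";
      }
    } // container crl
    leaf renegotiation {
      // "allow" also accepts legacy (non-RFC 5746) renegotiation; the default
      // "allow-secure" limits renegotiation to the secure-renegotiation extension.
      type enumeration {
        enum "allow" { value 0; description "Allow secure as well as non secure renegotiation"; }
        enum "allow-secure" { value 1; description "Allow secure negotiation only (RFC 5746)"; }
        enum "drop" { value 2; description "Drop session on renegotiation request"; }
      }
      default "allow-secure";
      description "Renegotiation options";
    }
    leaf disable-session-resumption {
      type empty;
      description "Disable session resumption";
    }
    leaf unsupported-cipher-on-hw {
      // Default "drop" fails closed; "software-inspection" keeps the session but
      // handles it off the hardware path.
      type enumeration {
        enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; }
        enum "software-inspection" { value 1; description "Allow session in software mode"; }
      }
      default "drop";
      description "Unsupported cipher processing on hardware mode";
    }
    leaf allow-strong-certificate {
      type empty;
      description "Certificate till 4K key-size processing on standalone SRX300/SRX320 platform";
    }
  } // container actions
  leaf disable-deferred-profile-selection {
    type empty;
    description "Disable the deferred profile selection mechanism at profile level";
  }
} // list profile
} // grouping ssl-proxy-config

// SSL termination (server-side) profiles: protocol version, cipher selection and
// the local server certificate the device presents.
grouping ssl-termination-config {
  uses apply-advanced;
  list profile {
    key "name";
    ordered-by user;
    description "SSL server profile";
    leaf name {
      type string { length "1 .. 63"; }
      description "Profile identifier";
    }
    uses apply-advanced;
    leaf enable-flow-tracing {
      type empty;
      description "Enable flow tracing for the profile";
    }
    leaf protocol-version {
      // NOTE(review): "ssl3" is selectable and the default is "all". The only
      // version/cipher coupling enforced by this schema is the per-enum must
      // statements on custom-ciphers; pin tls12 or tls13 explicitly in profiles.
      type enumeration {
        enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; }
        enum "ssl3" { value 1; description "SSL version 3"; }
        enum "tls1" { value 2; description "TLS version 1"; }
        enum "tls11" { value 3; description "TLS version 1.1"; }
        enum "tls12" { value 4; description "TLS version 1.2"; }
        enum "tls13" { value 5; description "TLS version 1.3"; }
        enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; }
      }
      default "all";
      description "Protocol SSL version accepted";
    }
    leaf preferred-ciphers {
      // "weak" admits 40-bit key strength. "custom" requires an explicit
      // custom-ciphers list (must statement), which is then honoured in user order.
      type enumeration {
        enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; }
        enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; }
        enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; }
        enum "custom" {
          junos:must "(".. custom-ciphers")";
          junos:must-message "custom-ciphers must be configured for this choice";
          value 3;
          description "Configure custom cipher suite and order of preference";
        }
      }
      default "medium";
      description "Select preferred ciphers";
    }
    leaf-list custom-ciphers {
      // NOTE(review): values 25-35 (RC4, MD5, single DES, 40/56-bit export suites)
      // carry no must guard at all, so the schema will accept them with any
      // protocol-version. Only the "tls12-*" names are excluded under tls13, and only
      // the two rsa-with-aes-*-cbc-sha entries are excluded under ssl3; the unprefixed
      // "*-with-*" suites are otherwise unconstrained.
      type enumeration {
        enum "tls12-rsa-aes-128-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher";
          value 0; description "RSA, 128 bit aes/cbc, sha hash";
        }
        enum "tls12-rsa-aes-256-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher";
          value 1; description "RSA, 256 bit aes/cbc, sha hash";
        }
        enum "tls12-rsa-aes-256-gcm-sha384" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher";
          value 2; description "RSA, 256 bit aes/gcm, sha384 hash ";
        }
        enum "tls12-rsa-aes-256-cbc-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher";
          value 3; description "RSA, 256 bit aes/cbc, sha256 hash";
        }
        enum "tls12-rsa-aes-128-gcm-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher";
          value 4; description "RSA, 128 bit aes/gcm, sha256 hash";
        }
        enum "tls12-rsa-aes-128-cbc-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher";
          value 5; description "RSA, 128 bit aes/cbc, sha256 hash";
        }
        enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher";
          value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash";
        }
        enum "tls12-ecdhe-rsa-aes-256-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher";
          value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash";
        }
        enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher";
          value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash";
        }
        enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher";
          value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash";
        }
        enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher";
          value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash";
        }
        enum "tls12-ecdhe-rsa-aes-128-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher";
          value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash";
        }
        enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher";
          value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher";
          value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher";
          value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher";
          value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher";
          value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher";
          value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash";
        }
        enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher";
          value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash";
        }
        enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))";
          // Fixed stray "and" in the message text so it matches its siblings.
          junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher";
          value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash";
        }
        // TLS 1.3 suites (AEAD only; key exchange and authentication are negotiated separately).
        enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; }
        enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; }
        enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; }
        // Legacy RSA-kx suites: RC4, MD5, single DES and export-grade keys. No must
        // guard applies to any of these.
        enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; }
        enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; }
        enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; }
        enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; }
        enum "rsa-with-aes-128-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
          junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
          value 29; description "RSA, 128 bit aes/cbc, sha hash";
        }
        enum "rsa-with-aes-256-cbc-sha" {
          junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))";
          junos:must-message "protocol-version must be tls1 or all to use the aes cipher";
          value 30; description "RSA, 256 bit aes/cbc, sha hash";
        }
        enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; }
        enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; }
        enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; }
        enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; }
        enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; }
        // RSA key exchange with AES (no forward secrecy).
        enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; }
        enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; }
        enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; }
        enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; }
        // ECDHE/RSA (forward secrecy).
        enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; }
        enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; }
        enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; }
        enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; }
        enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; }
        // ECDHE/ECDSA (forward secrecy).
        enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; }
        enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; }
        enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; }
        enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; }
        enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; }
        enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; }
        enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; }
        // DHE/RSA (forward secrecy).
        enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; }
        enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; }
        enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; }
        enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; }
        enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; }
      }
      max-elements 64;
      ordered-by user;
      description "Custom cipher list";
    }
    leaf enable-session-cache {
      type empty;
      description "Enable SSL session cache";
    }
    leaf-list trusted-ca {
      // CA profile names; what they are checked against (client certificates,
      // presumably) is not visible from this module.
      type string;
      max-elements 1024;
      ordered-by user;
      description "List of trusted certificate authority profiles";
    }
    leaf server-certificate {
      // The local certificate presented by the termination endpoint (identifier only,
      // up to 32 characters).
      type string {
        junos:posix-pattern "^.{1,32}$";
        junos:pattern-message "Must be string of 32 characters or less";
      }
      description "Local certificate identifier";
    }
  } // list profile
} // grouping ssl-termination-config

// Trace options shared by the SSL services.
grouping ssl-traceoptions {
  uses apply-advanced;
  leaf no-remote-trace {
    junos:must "("system tracing")";
    junos:must-message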
"'no-remote-trace' is valid only when [system tracing] is configured";
    type empty;
    description "Disable remote tracing";
  }
  container file {
    description "Trace file information";
    leaf filename {
      // No path separators: the file lands in the system trace directory.
      type string {
        junos:posix-pattern "![/ %]";
        junos:pattern-message "Must not contain '/', % or a space";
        length "1 .. 1024";
      }
      description "Name of file in which to write trace information";
    }
    leaf size {
      type string;
      description "Maximum trace file size";
    }
    leaf files {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "2 .. 1000"; }
      }
      default "3";
      description "Maximum number of trace files";
    }
    choice world-readable-choice {
      // NOTE(review): the flags below trace termination/initiation/proxy service
      // events, so treat the trace file as sensitive. "world-readable" lets any local
      // user read it; prefer no-world-readable.
      leaf world-readable { type empty; description "Allow any user to read the log file"; }
      leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; }
    } // choice world-readable-choice
    leaf match {
      type jt:regular-expression;
      description "Regular expression for lines to be logged";
    }
  } // container file
  leaf level {
    type enumeration {
      enum "brief" { value 0; description "Brief debugging output"; }
      enum "detail" { value 1; description "Detailed debugging output"; }
      enum "extensive" { value 2; description "Extensive debugging output"; }
      enum "verbose" { value 3; description "Verbose debugging output"; }
    }
    default "brief";
    description "Level of debugging output";
  }
  list flag {
    key "name";
    ordered-by user;
    description "Tracing parameters";
    leaf name {
      type enumeration {
        enum "cli-configuration" { value 0; description "Trace CLI configuration events"; }
        enum "termination" { value 1; description "Trace termination service events"; }
        enum "initiation" { value 2; description "Trace initiation service events"; }
        enum "proxy" { value 3; description "Trace proxy service events"; }
        enum "selected-profile" { value 4; description "Trace events for profiles with enable-flow-tracing set"; }
        enum "all" { value 5; description "Trace everything"; }
      }
    }
  } // list flag
  container packet-filter {
    // Narrows tracing to one 4-tuple; use it so traces do not capture every session.
    description "SSL Packet filter";
    uses apply-advanced;
    leaf source-ip { type jt:ipaddr; description "Source IP address"; }
    leaf destination-ip { type jt:ipaddr; description "Destination IP address"; }
    leaf source-port {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1 .. 65535"; }
      }
      description "Source port";
    }
    leaf destination-port {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint16 { range "1 .. 65535"; }
      }
      description "Destination port";
    }
  } // container packet-filter
} // grouping ssl-traceoptions

// IKE policy for the services IPsec configuration: phase-1 mode/version, proposals,
// local/remote identity and the peer credential (pre-shared key or certificate).
grouping svc-ike-policy {
  leaf name {
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    description "Name of the IKE policy";
  }
  uses apply-advanced;
  leaf description {
    type string { length "1 .. 80"; }
    description "Text description of IKE policy";
  }
  leaf mode {
    // IKEv1 phase-1 exchange mode; no default is declared in this schema.
    // NOTE(review): aggressive mode is the weaker option (identities are sent before
    // the channel is protected — an IKEv1 property, not visible here); prefer main
    // mode, or version 2, where the peer allows it.
    type enumeration {
      enum "main" { value 0; description "Main mode"; }
      enum "aggressive" { value 1; description "Aggressive mode"; }
    }
    description "Define the IKE first phase mode";
  }
  leaf version {
    // No default declared here; what the daemon assumes when absent is not visible.
    type enumeration {
      enum "1" { value 0; description "Initiate IKEv1 negotiation"; }
      enum "2" { value 1; description "Initiate IKEv2 negotiation"; }
    }
    description "Define the IKE version to use for the negotiation";
  }
  leaf-list proposals {
    // Each entry must name a proposal defined three levels up (".. .. .. proposal").
    junos:must "(".. .. .. proposal $$")";
    junos:must-message "Referenced proposal is not defined";
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    ordered-by user;
    description "Name of the proposal";
  }
  container local-id {
    description "Define local identification";
    choice id-type {
      leaf ipv4_addr { type jt:ipv4addr; description "One or more IPv4 address identification values"; }
      leaf distinguished-name { type empty; description "Use a distinguished name specified in local certificate"; }
      leaf fqdn {
        type string { length "1 .. 255"; }
        description "One or more fully qualified domain name values";
      }
      leaf key-id {
        // Hex digits only here; remote-id key-id below is a free-form string.
        type string {
          junos:posix-pattern "^[[:xdigit:]]+$";
          junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
          length "1 .. 255";
        }
        description "One or more key ID identification values";
      }
      leaf ipv6-addr { type jt:ipv6addr; description "One or more IPv6 address identification values"; }
    } // choice id-type
  } // container local-id
  leaf-list certificate-policy-oids {
    // Peer certificates are presumably required to carry one of these policy OIDs;
    // the enforcement itself is not visible in this module.
    type string { length "1 .. 63"; }
    max-elements 5;
    ordered-by user;
    description "Allowed certificate policy object identifiers (maximum 5)";
  }
  leaf local-certificate {
    type string {
      junos:posix-pattern "^.{1,32}$";
      junos:pattern-message "Must be string of 32 characters or less";
    }
    description "Local certificate identifier";
  }
  leaf peer-certificate-type {
    type enumeration {
      enum "pkcs7" { value 0; description "PKCS7 encoding"; }
      enum "x509-signature" { value 1; description "X509 signature encoding"; }
    }
    default "x509-signature";
    description "Preferred type of certificate from peer";
  }
  container remote-id {
    description "Define remote identification";
    uses apply-advanced;
    leaf any-remote-id {
      // Accepts any peer identity; the must makes it exclusive with every specific
      // form below. NOTE(review): with this set, authentication rests entirely on the
      // credential — a pre-shared key shared by several peers then identifies none of
      // them individually.
      junos:must "((!(".. distinguished-name") && (!(".. fqdn") && (!(".. ipv4_addr") && (!(".. key-id") && !(".. ipv6-addr"))))))";
      junos:must-message "Specific 'remote-id' statement must not be configured when 'any-remote-id' statement is configured.";
      type empty;
      description "Allow any remote ID";
    }
    leaf-list ipv4_addr {
      type jt:ipv4addr;
      ordered-by user;
      description "One or more IPv4 address identification values";
    }
    container distinguished-name {
      // Three match styles; "wildcard" and "container" are looser than "exact-match".
      description "One or more distinguished name values";
      uses apply-advanced;
      leaf-list container {
        type string { length "1 .. 255"; }
        ordered-by user;
        description "One or more distinguished name container string";
      }
      leaf-list wildcard {
        type string { length "1 .. 255"; }
        ordered-by user;
        description "One or more distinguished name wildcard string";
      }
      leaf-list exact-match {
        type string { length "1 .. 255"; }
        ordered-by user;
        description "One or more distinguished name to do full length exact match";
      }
    } // container distinguished-name
    leaf-list fqdn {
      type string { length "1 .. 255"; }
      ordered-by user;
      description "One or more fully qualified domain name values";
    }
    leaf-list key-id {
      type string { length "1 .. 255"; }
      ordered-by user;
      description "One or more key ID identification values";
    }
    leaf-list ipv6-addr {
      type jt:ipv6addr;
      ordered-by user;
      description "One or more IPv6 address identification values";
    }
  } // container remote-id
  container pre-shared-key {
    // NOTE(review): the key is a plain `type string` in the schema; nothing beyond
    // length 1..255 (ascii) or hex-digits-only is enforced, so no minimum strength is
    // guaranteed by configuration validation. Whether Junos protects it at rest or on
    // display is not visible from this module.
    description "Define a preshared key";
    choice key-choice {
      leaf ascii-text {
        type string { length "1 .. 255"; }
        description "Format as text";
      }
      leaf hexadecimal {
        type string {
          junos:posix-pattern "^[[:xdigit:]]+$";
          junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
          length "1 .. 255";
        }
        description "Format as hexadecimal";
      }
    } // choice key-choice
  } // container pre-shared-key
  container respond-bad-spi {
    // Presence container: replying to bad-SPI packets is off unless configured.
    // max-responses (1..30, default 5) bounds the number of replies — presumably a
    // rate limit so unsolicited packets cannot elicit unlimited responses.
    presence "enable respond-bad-spi";
    description "Respond to IPSec packets with bad SPI values";
    leaf max-responses {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "1 .. 30"; }
      }
      default "5";
      description "Maximum number of times to respond";
    }
  } // container respond-bad-spi
} // grouping svc-ike-policy

// Tunnel interface used by flow-tap; the must statements tie it to an inet IFL that
// carries no firewall filter and forbid coexistence with dynamic-flow-capture.
grouping tunnel_interface_type {
  description "One or more tunnel interfaces on which to configure flow-tap service";
  leaf name {
    junos:must "(!("services dynamic-flow-capture"))";
    junos:must-message "Dynamic flow capture cannot be configured when flow-tap is configured";
    junos:must "(!("interfaces $$-IFL family inet filter"))";
    junos:must-message "Tunnel Interface assigned for Radius-Flow-Tap cannot be configured with firewall filter";
    junos:must "("interfaces $$-IFL family inet")";
    junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy";
    type union {
      type jt:interface-unit;
      type string { pattern "<.*>|$.*"; }
    }
    description "Tunnel Interface name";
  }
  uses apply-advanced;
} // grouping tunnel_interface_type

// TWAMP authentication key chain: a named chain holding one secret per key-id.
grouping twamp-authentication-key-chain {
  leaf name {
    type string {
      junos:posix-pattern "^.{1,32}$";
      junos:pattern-message "Must be string of 32 characters or less";
    }
    description "Name of authentication key chain";
  }
  uses apply-advanced;
  list key-id {
    key "name";
    description "Authentication element configuration";
    leaf name {
      type string { length "1 .. 80"; }
      description "Authentication element identifier";
    }
    uses apply-advanced;
    leaf secret {
      // NOTE(review): plain `type string`, 1..256 characters. The chain carries only
      // name and secret — no start-time or other rotation fields exist in this grouping.
      type string { length "1 .. 256"; }
      description "Authentication key";
    }
  } // list key-id
} // grouping twamp-authentication-key-chain

// IPFIX export template: timeouts, template/option IDs, refresh rates and the
// per-family template selection.
grouping version-ipfix-template {
  description "One or more version-ipfix templates for flow monitoring";
  leaf name {
    type string;
    description "Name of template";
  }
  uses apply-advanced;
  leaf flow-active-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "10 .. 600"; }
    }
    default "60";
    description "Interval after which active flow is exported";
  }
  leaf flow-inactive-timeout {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "10 ..
600"; } } default "60"; description "Period of inactivity that marks a flow inactive"; } leaf template-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1024 .. 65535"; } } description "Template id"; } leaf option-template-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1024 .. 65535"; } } description "Options template id"; } leaf observation-domain-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } default "0"; description "Observation Domain Id"; } container nexthop-learning { presence "enable nexthop-learning"; description "Nexthop learning parameter. Valid ONLY for INLINE-JFLOW"; uses apply-advanced; choice enable-disable { leaf enable { type empty; description "Enable nexthop learning"; } leaf disable { type empty; description "Disable nexthop learning"; } } // choice enable-disable } // container nexthop-learning container template-refresh-rate { presence "enable template-refresh-rate"; description "Template refresh rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 480000"; } } default "4800"; description "In number of packets"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 600"; } } description "In number of seconds"; } } // container template-refresh-rate container option-refresh-rate { presence "enable option-refresh-rate"; description "Option template refresh rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 480000"; } } default "4800"; description "In number of packets"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 
600"; } } description "In number of seconds"; } } // container option-refresh-rate choice template-types { container ipv4-template { presence "enable ipv4-template"; description "IPv4 template configuration"; uses apply-advanced; list export-extension { key "name"; ordered-by user; description "IPv4 template configuration with extra fields added to the template"; leaf name { type enumeration { enum "flow-dir" { value 0; description "Flow-direction field type"; } enum "app-id" { value 1; description "Applicationid field type"; } } } uses apply-advanced; } // list export-extension } // container ipv4-template container ipv6-template { presence "enable ipv6-template"; description "IPv6 template configuration"; uses apply-advanced; list export-extension { key "name"; ordered-by user; description "IPv6 template configuration with extra fields added to the template"; leaf name { type enumeration { enum "flow-dir" { value 0; description "Flow-direction field type"; } enum "app-id" { value 1; description "Applicationid field type"; } } } uses apply-advanced; } // list export-extension } // container ipv6-template case case_3 { } // case case_3 case case_4 { } // case case_4 container mpls-template { junos:must "((!(".. flow-key") || ".. tunnel-observation"))"; junos:must-message "Flow key must not be configured for mpls template without tunnel observation"; presence "enable mpls-template"; description "MPLS template configuration"; uses apply-advanced; leaf-list label-position { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 8"; } } max-elements 3; ordered-by user; description "One or more MPLS label positions"; } } // container mpls-template case case_6 { } // case case_6 } // choice template-types container tunnel-observation { junos:must "((".. ipv4-template" || (".. mpls-ipvx-template" || ".. 
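mpls-template")))";
    junos:must-message "Tunnel observation must be configured only for ipv4,mpls and mpls-ipvx templates";
    description "Tunnel observation";
    uses apply-advanced;
    leaf mpls-over-udp {
      type empty;
      description "Mpls-over-udp";
    }
    leaf ipv4 {
      junos:must "(".. .. mpls-template")";
      junos:must-message "Tunnel observation must be set to ipv4 only for mpls template";
      type empty;
      description "IPv4";
    }
    leaf ipv6 {
      junos:must "(".. .. mpls-template")";
      junos:must-message "Tunnel observation must be set to ipv6 only for mpls template";
      type empty;
      description "IPv6";
    }
  } // container tunnel-observation
  container flow-key {
    description "Flow key for the template. Valid ONLY for INLINE-JFLOW";
    uses apply-advanced;
    leaf flow-direction {
      type empty;
      description "Include flow direction";
    }
    leaf vlan-id {
      type empty;
      description "Include vlan ID";
    }
    leaf output-interface {
      junos:must "((".. .. vpls-template" || ".. .. bridge-template"))";
      junos:must-message "Flow-key output interafce must be configured for bridge/vpls template";
      type empty;
      description "Include output interface";
    }
  } // container flow-key
} // grouping version-ipfix-template (start of this grouping is above this chunk; tail kept verbatim)

/*
 * Per-template configuration for NetFlow version 9 flow export.
 *
 * A template selects which record layout the exporter emits (IPv4, IPv6,
 * MPLS, peer-AS billing) and how often flow records and the template
 * definitions themselves are (re)sent. Nothing in this grouping names a
 * collector or a transport; those settings live elsewhere in the
 * services hierarchy. Because flow records describe who talks to whom
 * through the device, a change here silently changes what telemetry
 * leaves the box - restrict write access to this hierarchy accordingly.
 *
 * Every numeric leaf below is a union with the string pattern
 * "<.*>|$.*"; presumably this admits the Junos apply-groups wildcard
 * (<...>) and $variable forms in addition to a literal value - confirm
 * against the common Junos DDL conventions before relying on it.
 *
 * Mirrors grouping version-ipfix-template above; differences are called
 * out inline.
 */
grouping version9-template {
  description "One or more version 9 templates for flow monitoring";
  leaf name {
    type string;
    description "Name of template";
  }
  uses apply-advanced;

  // Export cadence. Active flows are exported every flow-active-timeout
  // seconds; a flow with no packets for flow-inactive-timeout seconds is
  // closed and exported. Both default to 60 s and are bounded to 10..600.
  leaf flow-active-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Interval after which active flow is exported";
  }
  leaf flow-inactive-timeout {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "10 .. 600";
      }
    }
    default "60";
    description "Period of inactivity that marks a flow inactive";
  }

  // Template identifiers. The collector keys record layouts on these
  // values; this schema only accepts 1024..65535. NOTE(review): keep the
  // data and options template IDs distinct from each other and from any
  // other template on the same exporter - confirm with the collector in use.
  leaf template-id {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "1024 .. 65535";
      }
    }
    description "Template id";
  }
  leaf option-template-id {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "1024 .. 65535";
      }
    }
    description "Options template id";
  }

  // v9 Source ID (the IPFIX grouping calls this observation-domain-id).
  // Junos restricts it to 0..255 here; default 0.
  leaf source-id {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "0 .. 255";
      }
    }
    default "0";
    description "Source Id";
  }

  // NOTE(review): unlike the IPFIX grouping, this container has no
  // `presence` statement, so it exists implicitly whenever the template
  // does. Behaviour is unchanged here; confirm whether that is intended.
  container nexthop-learning {
    description "Nexthop learning parameter. Valid ONLY for INLINE-JFLOW";
    uses apply-advanced;
    choice enable-disable {
      leaf enable {
        type empty;
        description "Enable nexthop learning";
      }
      leaf disable {
        type empty;
        description "Disable nexthop learning";
      }
    } // choice enable-disable
  } // container nexthop-learning

  // How often the data template definition is re-advertised to the
  // collector: every N packets (default 4800) and/or every N seconds.
  // A collector that misses the template cannot decode records until
  // the next refresh, so very long intervals lengthen any blind spot.
  container template-refresh-rate {
    presence "enable template-refresh-rate";
    description "Template refresh rate";
    uses apply-advanced;
    leaf packets {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 480000";
        }
      }
      default "4800";
      description "In number of packets";
    }
    leaf seconds {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "10 .. 600";
        }
      }
      description "In number of seconds";
    }
  } // container template-refresh-rate

  // Same as template-refresh-rate, for the options template.
  container option-refresh-rate {
    presence "enable option-refresh-rate";
    description "Option template refresh rate";
    uses apply-advanced;
    leaf packets {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 480000";
        }
      }
      default "4800";
      description "In number of packets";
    }
    leaf seconds {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "10 .. 600";
        }
      }
      description "In number of seconds";
    }
  } // container option-refresh-rate

  // Exactly one record layout per template. The empty cases are
  // placeholders left by the generator - presumably template types not
  // offered on this platform.
  choice template-types {
    case case_1 {
    } // case case_1

    // MPLS records. A flow-key may only be combined with this template
    // when tunnel-observation is also configured (enforced by the must).
    container mpls-template {
      junos:must "((!(".. flow-key") || ".. tunnel-observation"))";
      junos:must-message "Flow key must not be configured for mpls template without tunnel observation";
      presence "enable mpls-template";
      description "MPLS template configuration";
      uses apply-advanced;
      leaf-list label-position {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint8 {
            range "1 .. 8";
          }
        }
        max-elements 3;
        ordered-by user;
        description "One or more MPLS label positions";
      }
    } // container mpls-template

    container ipv6-template {
      presence "enable ipv6-template";
      description "IPv6 template configuration";
      uses apply-advanced;
      // Optional extra fields appended to the record. Enum wording fixed
      // to match the IPFIX grouping: flow-dir is the flow-direction field,
      // not a second application-id field.
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv6 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
      // v9-only: MPLS label data taken from the forwarding nexthop.
      // Label positions here are limited to 1..3 (vs 1..8 in mpls-template).
      container nexthop-options {
        presence "enable nexthop-options";
        description "Additional information retrieved from nexthop";
        uses apply-advanced;
        choice nexthop-types {
          container mpls {
            presence "enable mpls";
            description "MPLS information retrieved from nexthop";
            uses apply-advanced;
            leaf-list label-position {
              type union {
                type string {
                  pattern "<.*>|$.*";
                }
                type uint8 {
                  range "1 .. 3";
                }
              }
              max-elements 3;
              ordered-by user;
              description "One or more MPLS label positions";
            }
          } // container mpls
        } // choice nexthop-types
      } // container nexthop-options
    } // container ipv6-template

    // Presence-only: no tunables, and (unlike its siblings) no apply-advanced.
    container peer-as-billing-template {
      presence "enable peer-as-billing-template";
      description "Peer AS billing template configuration";
    } // container peer-as-billing-template

    container ipv4-template {
      presence "enable ipv4-template";
      description "IPv4 template configuration";
      uses apply-advanced;
      // Same shape as the IPv6 export-extension list; same enum fix.
      list export-extension {
        key "name";
        ordered-by user;
        description "IPv4 template configuration with extra fields added to the template";
        leaf name {
          type enumeration {
            enum "flow-dir" {
              value 0;
              description "Flow-direction field type";
            }
            enum "app-id" {
              value 1;
              description "Applicationid field type";
            }
          }
        }
        uses apply-advanced;
      } // list export-extension
      container nexthop-options {
        presence "enable nexthop-options";
        description "Additional information retrieved from nexthop";
        uses apply-advanced;
        choice nexthop-types {
          container mpls {
            presence "enable mpls";
            description "MPLS information retrieved from nexthop";
            uses apply-advanced;
            leaf-list label-position {
              type union {
                type string {
                  pattern "<.*>|$.*";
                }
                type uint8 {
                  range "1 .. 3";
                }
              }
              max-elements 3;
              ordered-by user;
              description "One or more MPLS label positions";
            }
          } // container mpls
        } // choice nexthop-types
      } // container nexthop-options
    } // container ipv4-template

    case case_6 {
    } // case case_6
    case case_7 {
    } // case case_7
  } // choice template-types

  // Tunnel observation: only meaningful with the ipv4 or mpls templates.
  // NOTE(review): the must also names `mpls-ipvx-template`, which is not
  // defined in this grouping; that branch can never be satisfied here.
  container tunnel-observation {
    junos:must "((".. ipv4-template" || (".. mpls-ipvx-template" || ".. mpls-template")))";
    junos:must-message "Tunnel observation must be configured only for ipv4,mpls and mpls-ipvx templates";
    description "Tunnel observation";
    uses apply-advanced;
    leaf mpls-over-udp {
      type empty;
      description "Mpls-over-udp";
    }
    leaf ipv4 {
      junos:must "(".. .. mpls-template")";
      junos:must-message "Tunnel observation must be set to ipv4 only for mpls template";
      type empty;
      description "IPv4";
    }
    leaf ipv6 {
      junos:must "(".. .. mpls-template")";
      junos:must-message "Tunnel observation must be set to ipv6 only for mpls template";
      type empty;
      description "IPv6";
    }
  } // container tunnel-observation

  // Extra fields folded into the flow key (what counts as "one flow").
  container flow-key {
    description "Flow key for the template. Valid ONLY for INLINE-JFLOW";
    uses apply-advanced;
    leaf flow-direction {
      type empty;
      description "Include flow direction";
    }
    leaf vlan-id {
      type empty;
      description "Include vlan ID";
    }
    // NOTE(review): neither vpls-template nor bridge-template exists in
    // this grouping's template-types choice (case_6/case_7 are empty), so
    // this constraint looks unsatisfiable on this platform - confirm.
    // Operator-facing must-message typo ("interafce") corrected.
    leaf output-interface {
      junos:must "((".. .. vpls-template" || ".. .. bridge-template"))";
      junos:must-message "Flow-key output interface must be configured for bridge/vpls template";
      type empty;
      description "Include output interface";
    }
  } // container flow-key
} // grouping version9-template
} // module junos-qfx-conf-services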