Version: 2021-06-16
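module openconfig-fw-high-availability {
  yang-version 1;

  namespace "http://openconfig.net/yang/oc-fw-ha";
  prefix oc-fw-ha;

  import openconfig-extensions {
    prefix oc-ext;
  }
  import openconfig-interfaces {
    prefix oc-if;
  }
  import openconfig-inet-types {
    prefix oc-inet;
  }
  import openconfig-fw-link-monitoring {
    prefix oc-fw-linkmon;
  }
  import openconfig-aaa-types {
    prefix oc-aaa-types;
  }
  import openconfig-types {
    prefix oc-types;
  }

  organization
    "OpenConfig working group";

  contact
    "OpenConfig working group www.openconfig.net";

  description
    "Model used to configure & monitor firewall High Availability(HA).
    The model is comprised primarily of the following sections -
    - Various global config parameters (such as ha-group-id, ha-mode etc.)
    - Control link configuration parameters (control link is used to
      exchange HA control msgs)
    - Data link configuration parameters (data link is used to exchange
      information for seamless failover)
    - HA timers
    This model also imports/uses the link-monitoring module, to determine
    health of firewall cluster based on the status of the interfaces being
    monitored.
    Please see that module description for additional details";

  // NOTE(review): this copy only corrects typos inside description text
  // ('betwen', 'availbility', "it's", and the reference to the leaf
  // 'ha-enable' which is actually named 'ha-enabled'). No leaf names,
  // types, defaults or structure are changed, so the revision history and
  // openconfig-version are left as published.

  revision "2021-06-16" {
    description
      "Remove trailing whitespace";
    reference "0.2.1";
  }

  revision "2021-03-21" {
    description
      "Adding HA_PEER_MISMATCHED_ITEM identity.";
    reference "0.2.0";
  }

  revision "2020-06-23" {
    description
      "Initial version";
    reference "0.1.0";
  }

  // OpenConfig specific extensions for module metadata.
  oc-ext:openconfig-version "0.2.1";

  // Identities: base type plus the concrete mismatch reasons reported in
  // ha-mismatched-parameters (see grouping ha-parameters-state).
  identity HA_PEER_MISMATCHED_ITEM {
    description
      "Base type to specify the HA parameters that are not matching
      amongst HA peers.";
  }

  identity SOFTWARE_MISMATCH {
    base HA_PEER_MISMATCHED_ITEM;
    description
      "Software version is not matching between HA peers.";
  }

  identity RUNNING_CONFIG_MISMATCH {
    base HA_PEER_MISMATCHED_ITEM;
    description
      "Running configuration is not matching between HA peers.";
  }

  identity IPS_SIGNATURES_MISMATCH {
    base HA_PEER_MISMATCHED_ITEM;
    description
      "IPS/IDS signatures are not matching between HA peers.";
  }

  identity AVC_SIGNATURES_MISMATCH {
    base HA_PEER_MISMATCHED_ITEM;
    description
      "AVC signatures are not matching between HA peers.";
  }

  // Leaves shared by the primary and backup control link, in both the
  // config and state containers.
  grouping control-link-common-config {
    description
      "HA Control link configuration parameters";

    leaf control-link-interface {
      type oc-if:base-interface-ref;
      description
        "Specify which interface will be used to exchange HA control
        messages between peers";
    }

    leaf control-link-port {
      type oc-inet:port-number;
      description
        "Specify which TCP/UDP port will be used to exchange control
        messages";
    }

    leaf control-link-ipv4 {
      type oc-inet:ipv4-prefix;
      description
        "Specify the ipv4 address used by the fw for the control link";
    }

    leaf control-link-gateway {
      type oc-inet:ipv4-address;
      description
        "If peer control ipv4 is in a different subnet, specify the
        gateway ipv4 here to provide reachability";
    }

    leaf control-link-ipv6 {
      type oc-inet:ipv6-prefix;
      description
        "Specify the ipv6 address used by the fw for the control link";
    }

    leaf control-link-ipv6-gateway {
      type oc-inet:ipv6-address;
      description
        "If peer control ipv6 is in a different subnet, specify the
        gateway ipv6 here to provide reachability";
    }

    leaf control-link-peer-ipv4 {
      type oc-inet:ipv4-prefix;
      description
        "Specify the peer ipv4 address, if control link is utilizing
        Layer 3";
    }

    leaf control-link-peer-ipv6 {
      type oc-inet:ipv6-prefix;
      description
        "Specify the peer ipv6 address, if control link is utilizing
        Layer 3";
    }
  } // grouping control-link-common-config

  // Leaves shared by the primary and backup data link, in both the
  // config and state containers.
  grouping data-link-common-config {
    description
      "HA data link configuration parameters";

    // The data link carries session/forwarding/ARP state and IPsec SAs,
    // i.e. live key material; whether it is encrypted is governed by
    // ha-msg-encryption in grouping ha-parameters-config (default false).
    leaf data-link-interface {
      type oc-if:base-interface-ref;
      description
        "Specify which interface will be used to sync session tables,
        forwarding tables, ARP tables, IPSEC SAs and any other messages
        that MUST be exchanged to facilitate seamless traffic handling
        during a failover event";
    }

    leaf data-link-port {
      type oc-inet:port-number;
      description
        "Specify which TCP/UDP port will be used to exchange data link
        messages";
    }

    leaf data-link-ipv4 {
      type oc-inet:ipv4-prefix;
      description
        "If data link is layer 3, specify the local unit's ipv4 address";
    }

    leaf data-link-gateway {
      type oc-inet:ipv4-address;
      description
        "If peer data ip is in a different subnet, specify the gateway ip
        here to provide reachability";
    }

    leaf data-link-ipv6 {
      type oc-inet:ipv6-prefix;
      description
        "If data link is layer 3, specify the local unit's ipv6 address";
    }

    leaf data-link-ipv6-gateway {
      type oc-inet:ipv6-address;
      description
        "If peer data ipv6 is in a different subnet, specify the gateway
        ipv6 here to provide reachability";
    }

    leaf data-link-peer-ipv4 {
      type oc-inet:ipv4-prefix;
      description
        "If data link is layer 3, specify the peer's ipv4 address";
    }

    leaf data-link-peer-ipv6 {
      type oc-inet:ipv6-prefix;
      description
        "If data link is layer 3, specify the peer's ipv6 address";
    }
  } // grouping data-link-common-config

  grouping ha-timers-config {
    description
      "Used to specify various HA timers";

    leaf preempt-hold-timer {
      type uint32;
      units "milliseconds";
      description
        "Length of time, from the last received Hello message, a firewall
        will wait before taking over the active role in a HA pair";
    }

    leaf hello-interval {
      type uint32;
      units "milliseconds";
      description
        "Interval between hello messages exchanged by the HA peers";
    }
  } // grouping ha-timers-config

  grouping ha-parameters-config {
    description
      "All parameters needed to bootstrap a HA cluster";

    leaf ha-enabled {
      type boolean;
      default 'false';
      description
        "This must be set to 'true' to initiate firewall participation in
        a HA cluster. Once set to 'true', this boolean can be flipped to
        'false' to DISABLE HA and put a unit in a 'suspended' state while
        retaining all other HA settings & configuration parameters. At the
        same time the 'ha-state' leaf under 'ha-parameters-state' must
        then be updated to 'SUSPENDED'";
    }

    leaf ha-mode {
      type enumeration {
        enum "ACTIVE_PASSIVE" {
          value 0;
          description
            "This value indicates the HA cluster is operating in
            active/passive mode. In this scenario there are only ever two
            firewalls in the cluster. The active firewall serves as the
            'primary' handling the traffic & the passive firewall acts as a
            'secondary' ready to take over if the 'active' unit fails";
        }
      }
      description
        "Configurable HA modes";
    }

    // NOTE(review): ha-key is a clear-text secret with no length or
    // pattern constraint in the model. Because the ha-group state
    // container (grouping ha-configuration-top) also uses this grouping,
    // the leaf exists under state as well; the description below expects
    // the device to store it hashed, so an implementation should not echo
    // the clear-text value in state/telemetry -- confirm against the
    // target implementation.
    leaf ha-key {
      type string;
      description
        "HA key used to encrypt & authenticate HA messages between the
        peers. This is provided in clear-text by the client & expected to
        be hashed by the firewall in the configuration";
    }

    leaf ha-key-hashed {
      type oc-aaa-types:crypt-password-type;
      description
        "HA key, used to encrypt & authenticate HA messages between the
        peers, supplied as a hashed value using the notation described in
        the definition of the crypt-password-type";
    }

    // Defaults to false: unless an operator sets this, HA control and
    // data-link traffic (including the state synced over
    // data-link-interface) is exchanged unencrypted. Enable it, or keep
    // the HA links on a dedicated, isolated segment.
    leaf ha-msg-encryption {
      type boolean;
      default 'false';
      description
        "When set to true all traffic between firewall units in a HA
        cluster are encrypted. If operator provided encryption key is
        supported, that value must be derived from the ha-key/ha-key-hashed
        leaf nodes.
        If that is not supported, the vendor is expected to derive its own
        keying material";
    }

    leaf id {
      type uint8;
      description
        "The high availability group id for a unit. This value MUST match
        across both units participating in a HA cluster";
    }

    leaf ha-device-id {
      type uint8;
      description
        "Specify the device-id to identify the firewall within a HA group.
        This value MUST be unique to the local-unit and MUST NOT clash with
        the peer within a ha-group";
    }

    leaf preempt {
      type boolean;
      default 'false';
      description
        "When set to true the firewall forces reelection of the active
        role after joining the cluster";
    }

    leaf priority {
      type uint8;
      description
        "Set priority value for the firewall. This value is used to
        participate in the election of the active unit in the HA cluster.
        Firewall with highest priority is elected as the ACTIVE unit";
    }

    uses ha-timers-config;
    uses oc-fw-linkmon:global-health-config;
  } // grouping ha-parameters-config

  grouping ha-parameters-state {
    description
      "All parameters needed to monitor a HA cluster";

    leaf ha-state {
      type enumeration {
        enum "ACTIVE" {
          value 0;
          description
            "Firewall is 'active' and handling all traffic in a cluster";
        }
        enum "PASSIVE" {
          value 1;
          description
            "Firewall is 'passive' in a two-unit cluster ready to handle
            traffic if the 'active' unit fails";
        }
        enum "DEGRADED" {
          value 2;
          description
            "Firewall is in a 'degraded' state and unable to join the
            cluster due to config or operational failures";
        }
        enum "SUSPENDED" {
          value 3;
          description
            "This state represents a firewall which will not join the
            cluster due to 'ha-enabled' set to, or left at its default of,
            'false'";
        }
      }
      description
        "Firewall's operational ha-state";
    }

    leaf ha-state-last-change {
      type oc-types:timeticks64;
      units "nanoseconds";
      description
        "Reports the time the firewall entered its current HA operational
        state.
        The value is the timestamp in nanoseconds relative to the Unix
        Epoch (Jan 1, 1970 00:00:00 UTC).";
    }

    leaf ha-config-sync {
      type boolean;
      description
        "Returns 'TRUE' if config sync is operational between HA peers.
        Returns 'FALSE' otherwise.";
    }

    leaf ha-session-sync {
      type boolean;
      description
        "Returns 'TRUE' if session sync is operational between HA peers.
        Returns 'FALSE' otherwise.";
    }

    // Useful detection signal: a non-empty list (e.g. SOFTWARE_MISMATCH
    // or RUNNING_CONFIG_MISMATCH) means the peers have diverged and
    // failover may not be seamless.
    leaf-list ha-mismatched-parameters {
      type identityref {
        base HA_PEER_MISMATCHED_ITEM;
      }
      description
        "List of HA parameters that are mismatched between peers. Use this
        list to highlight root cause of HA operational issues that an
        operator must fix";
    }

    uses oc-fw-linkmon:global-health-state;
  } // grouping ha-parameters-state

  grouping control-link-backup {
    description
      "Structural grouping for backup HA control link";

    container backup {
      description
        "Data related to backup HA control link";

      container config {
        description
          "Configuration data related to backup HA control link";

        uses control-link-common-config;
      } // container config

      container state {
        config false;
        description
          "Operational state data related to backup HA control link";

        uses control-link-common-config;
      } // container state
    } // container backup
  } // grouping control-link-backup

  grouping control-link-top {
    description
      "Structural grouping for HA control link";

    container control-link {
      description
        "Top-level container for HA control link";

      container config {
        description
          "Configuration parameters related to primary HA control link";

        uses control-link-common-config;
      } // container config

      container state {
        config false;
        description
          "Operational state data related to primary HA control link";

        uses control-link-common-config;
      } // container state

      uses control-link-backup;
    } // container control-link
  } // grouping control-link-top

  grouping data-link-backup {
    description
      "Structural grouping for backup HA data link";

    container backup {
      description
        "Parameters related to backup HA data link";

      container config {
        description
          "Configuration parameters related to backup HA data link";

        uses data-link-common-config;
      } // container config

      container state {
        config false;
        description
          "Operational state parameters related to backup HA data link";

        uses data-link-common-config;
      } // container state
    } // container backup
  } // grouping data-link-backup

  grouping data-link-top {
    description
      "Structural grouping for HA data link";

    container data-link {
      description
        "Top-level container for HA data link";

      container config {
        description
          "Configuration parameters related to primary HA data link";

        uses data-link-common-config;
      } // container config

      container state {
        config false;
        description
          "Operational state parameters related to primary HA data link";

        uses data-link-common-config;
      } // container state

      uses data-link-backup;
    } // container data-link
  } // grouping data-link-top

  grouping ha-configuration-top {
    description
      "Top level grouping for HA configuration and operational state data";

    container ha-groups {
      description
        "Top level container for HA groups";

      list ha-group {
        key "id";
        description
          "HA group id used to create a logical HA group";

        leaf id {
          type leafref {
            path "../config/id";
          }
          description
            "References the group id key.";
        }

        container config {
          description
            "Config container for HA parameters";

          uses ha-parameters-config;
        } // container config

        // State mirrors the whole config grouping (including ha-key) and
        // adds the operational leaves from ha-parameters-state.
        container state {
          config false;
          description
            "State container for HA parameters";

          uses ha-parameters-config;
          uses ha-parameters-state;
        } // container state

        uses control-link-top;
        uses data-link-top;
        uses oc-fw-linkmon:interface-group-top;
      } // list ha-group
    } // container ha-groups
  } // grouping ha-configuration-top

  uses ha-configuration-top;
} // module openconfig-fw-high-availability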