example/vmx-17.2R1.13.rb in junoser-0.3.7 vs example/vmx-17.2R1.13.rb in junoser-0.3.8

- old
+ new

@@ -2780,10 +2780,11 @@ "access-profile" ( /* Access profile for this instance */ c( arg /* Profile name */ ) ).as(:oneline), + # Ported from vSRX 18.3R1.9 "security" ( /* Security configuration */ c( "alarms" ( /* Configure security alarms */ c( "audible" ( /* Beep when new security alarms arrive */ 
@@ -2793,17 +2794,64 @@ ), "potential-violation" ( /* Configure potential security violations */ c( "authentication" arg /* Raise alarm for specified number of authentication failures */, "cryptographic-self-test" /* Raise alarm for cryptographic self test failures */, - "decryption-failures" /* Raise alarm for specified number of decryption failures */, - "encryption-failures" /* Raise alarm for specified number of encryption failures */, - "ike-phase1-failures" /* Raise alarm for specified number of IKE Phase 1 failures */, - "ike-phase2-failures" /* Raise alarm for specified number of IKE Phase 2 failures */, + "decryption-failures" ( /* No. of decryption failures before which an alarm needs to be raised */ + c( + "threshold" arg /* Threshold value [default is 1000] */ + ) + ), + "encryption-failures" ( /* No. of encryption failures before which an alarm needs to be raised */ + c( + "threshold" arg /* Threshold value [default is 1000] */ + ) + ), + "ike-phase1-failures" ( /* No. of IKE Phase-1 failures before which an alarm needs to be raised */ + c( + "threshold" arg /* Threshold value [default is 20] */ + ) + ), + "ike-phase2-failures" ( /* No. 
of IKE Phase-2 failures before which an alarm needs to be raised */ + c( + "threshold" arg /* Threshold value [default is 20] */ + ) + ), "key-generation-self-test" /* Raise alarm for key generation self test failures */, "non-cryptographic-self-test" /* Raise alarm for non-cryptographic self test failures */, - "policy" /* Raise alarm for flow policy violations */, + "policy" ( /* Raise alarm for flow policy violations */ + c( + "source-ip" ( /* Configure source address type of policy violation */ + c( + "threshold" arg /* Number of source IP address matches to raise alarm */, + "duration" arg /* Time window matches must occur within */, + "size" arg /* Total source IP address number that can be done policy violation check concurrently */ + ) + ), + "destination-ip" ( /* Configure destination address type of policy violation */ + c( + "threshold" arg /* Number of destination IP address matches to raise alarm */, + "duration" arg /* Time window matches must occur within */, + "size" arg /* Total destination IP address number that can be done policy violation check concurrently */ + ) + ), + "application" ( /* Configure application type of policy violation */ + c( + "threshold" arg /* Number of application matches to raise alarm */, + "duration" arg /* Time window matches must occur within */, + "size" arg /* Total application number that can be done policy violation check concurrently */ + ) + ), + "policy-match" ( /* Configure policy type of policy violation */ + c( + "threshold" arg /* Number of policy matches to raise alarm */, + "duration" arg /* Time window matches must occur within */, + "size" arg /* Total concurrent number of policy check violations */ + ) + ) + ) + ), "replay-attacks" ( /* No. of Replay attacks before which an alarm needs to be raised */ c( "threshold" arg /* Replay threshold value */ ) ), 
@@ -2811,11 +2859,11 @@ "idp" /* Raise alarm for idp attack */ ) ) ) ), - "log" ( /* Configure auditable security logs */ + "log" ( /* Configure security log */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ 
@@ -2858,10 +2906,96 @@ "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */ ) + ), + "disable" /* Disable security logging for the device */, + "utc-timestamp" /* Use UTC time for security log timestamps */, + "mode" ( /* Controls how security logs are processed and exported */ + ("stream" | "event") + ), + "event-rate" arg /* Control plane event rate */, + "format" ( /* Set security log format for the device */ + ("syslog" | "sd-syslog" | "binary") + ), + "rate-cap" arg /* Data plane event rate */, + "max-database-record" arg /* Maximum records in database */, + "report" /* Set security log report settings */, + c( + "source-address" ( /* Source ip address used when exporting security logs */ + ipaddr /* Source ip address used when exporting security logs */ + ), + "source-interface" ( /* Source interface used when exporting security logs */ + interface_name /* Source interface used when exporting security logs */ + ) + ), + "transport" ( /* Set security log transport settings */ + c( + "tcp-connections" arg /* Set tcp connection number per-stream */, + "protocol" ( /* Set security log transport protocol for the device */ + ("udp" | "tcp" | "tls") + ), + "tls-profile" arg /* TLS profile */ + ) + ), + "facility-override" ( /* Alternate facility for logging to remote host */ + ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") + ), + "stream" arg ( /* Set security log stream settings */ + c( + "severity" ( /* Severity threshold for security logs */ + ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") + ), + "format" ( /* Specify the log stream format */ + ("syslog" | "sd-syslog" | "welf" | "binary") + ), + "category" enum(("all" | "content-security" | "fw-auth" | "screen" | "alg" | "nat" | "flow" | "sctp" | "gtp" | "ipsec" | "idp" | "rtlog" | "pst-ds-lite" | "appqos" | 
"secintel" | "aamw")) /* Selects the type of events that may be logged */, + "filter" enum(("threat-attack")) /* Selects the filter to filter the logs to be logged */, + "host" ( /* Destination to send security logs to */ + host_object /* Destination to send security logs to */ + ), + "rate-limit" ( /* Rate-limit for security logs */ + c( + arg + ) + ), + "file" ( /* Security log file options for logs in local file */ + c( + "localfilename" arg /* Name of local log file */, + "size" arg /* Maximum size of local log file in megabytes */, + "rotation" arg /* Maximum number of rotate files */, + "allow-duplicates" /* To disable log consolidation */ + ) + ) + ) + ), + "file" ( /* Security log file options for logs in binary format */ + c( + "filename" arg /* Name of binary log file */, + "size" arg /* Maximum size of binary log file in megabytes */, + "path" arg /* Path to binary log files */, + "files" arg /* Maximum number of binary log files */ + ) + ), + "traceoptions" ( /* Security log daemon trace options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("source" | "configuration" | "all" | "report" | "hpl")) /* List of things to include in trace */.as(:oneline) + ) ) ) ), "certificates" ( /* X.509 certificate configuration */ c( 
@@ -2885,10 +3019,13 @@ ) ) ) ) ), + "authentication-key-chains" ( /* Authentication key chain configuration */ + security_authentication_key_chains /* Authentication key chain configuration */ + ), "ssh-known-hosts" ( /* SSH known host list */ c( "host" arg ( /* SSH known host entry */ c( "rsa1-key" arg /* Base64 encoded RSA key (protocol version 1) */, @@ -2905,31 +3042,29 @@ ), "key-protection" /* Common-Criteria key-protection configuration */, "pki" ( /* PKI service configuration */ security_pki /* PKI service configuration */ ), - "group-vpn" ( /* Group VPN configuration */ - security_group_vpn /* Group VPN configuration */ + "ike" ( /* IKE configuration */ + security_ike /* IKE configuration */ ), - "traceoptions" ( /* Trace options for IPSec key management */ - security_traceoptions /* Trace options for IPSec key management */ - ), "ipsec" ( /* IPSec configuration */ - security_ipsec /* IPSec configuration */ + security_ipsec_vpn /* IPSec configuration */ ), - "ike" ( /* IKE configuration */ - security_ike /* IKE configuration */ + "group-vpn" ( /* Group VPN configuration */ + security_group_vpn /* Group VPN configuration */ ), - "authentication-key-chains" ( /* Authentication key chain configuration */ - security_authentication_key_chains /* Authentication key chain configuration */ + "ipsec-policy" ( /* IPSec policy configuration */ + security_ipsec_policies /* IPSec policy configuration */ ), - "idp" ( /* IDP configuration */ + "idp" ( /* Configure IDP */ c( "idp-policy" ( /* Configure IDP policy */ idp_policy_type /* Configure IDP policy */ ), "active-policy" arg /* Set active policy */, + "default-policy" arg /* Set active policy */, "custom-attack" ( /* Configure custom attacks */ custom_attack_type /* Configure custom attacks */ ), "custom-attack-group" ( /* Configure custom attack groups */ custom_attack_group_type /* Configure custom attack groups */ 
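Review bot: Configurations containing `set security traceoptions ...` would presumably stop parsing with this example after the second hunk here, because the old-side entry `"traceoptions" ( security_traceoptions )` under `security` is removed without a replacement and nothing in view reattaches it elsewhere. The same hunk repoints `"ipsec"` from `security_ipsec` to `security_ipsec_vpn`; the definition of `security_ipsec_vpn` is outside this view, so it is worth confirming it still accepts the IPsec syntax a vMX 17.2 configuration emits and not only the vSRX 18.3 form this stanza was ported from. Separately, `"default-policy" arg /* Set active policy */` repeats the help text of the `active-policy` line directly above it, which looks like a copy-paste; `/* Set default policy */` would match the keyword, but confirm against the vSRX schema before changing it. The enclosing `"security" ( c( ... ) )` block starts and ends outside the hunk.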
@@ -2944,10 +3079,11 @@ c( "url" arg /* URL of Security package download */, "source-address" ( /* Source address to be used for sending download request */ ipv4addr /* Source address to be used for sending download request */ ), + "proxy-profile" arg /* Proxy profile of security package download */, "install" ( /* Configure install command */ c( "ignore-version-check" /* Skip version check when attack database gets installed */ ) ), 
@@ -3115,18 +3251,1581 @@ ("datacenter" | "datacenter-full" | "perimeter" | "perimeter-full") ) ) ) ) + ), + "max-sessions" arg /* Max number of IDP sessions */, + "logical-system" ( /* Configure max IDP sessions for the logial system */ + logical_system_type /* Configure max IDP sessions for the logial system */ + ), + "processes" /* Configure IDP Processes */ + ) + ), + "address-book" ( /* Security address book */ + named_address_book_type /* Security address book */ + ), + "alg" ( /* Configure ALG security options */ + alg_object /* Configure ALG security options */ + ), + "application-firewall" ( /* Configure application-firewall rule-sets */ + c( + "traceoptions" ( /* Rule-sets Tracing Options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "profile" arg ( /* Configure application-firewall profile */ + c( + "block-message" ( /* Block message settings */ + c( + "type" ( /* Type of block message desired */ + c( + c( + "custom-text" ( /* Custom defined block message */ + c( + "content" arg /* Content of custom-text */ + ) + ), + "custom-redirect-url" ( /* Custom redirect URL server */ + c( + "content" arg /* URL of block message */ + ) + ) + ) + ) + ) + ) + ) + ) + ), + "rule-sets" arg ( /* Configure application-firewall rule-sets */ + c( + "rule" ( /* Rule */ + appfw_rule_type /* Rule */ + ), + "default-rule" ( /* Specify default rule for a rule-set */ + c( + c( + "permit" /* Permit packets */, + "deny" 
( /* Deny packets */ + c( + "block-message" /* Block message */ + ) + ), + "reject" ( /* Reject packets */ + c( + "block-message" /* Block message */ + ) + ) + ) + ) + ), + "profile" arg /* Profile for block message */ + ) + ), + "nested-application" ( /* Configure nested application dynamic lookup */ + c( + "dynamic-lookup" ( /* Configure dynamic lookup */ + c( + "enable" /* Enable dynamic lookup */ + ) + ) + ) ) ) ), + "application-tracking" ( /* Application tracking configuration */ + c( + "disable" /* Disable Application tracking */, + c( + "first-update-interval" arg /* Interval when the first update message is sent */, + "first-update" /* Generate Application tracking initial message when a session is created */ + ), + "session-update-interval" arg /* Frequency in which Application tracking update messages are generated */ + ) + ), + "utm" ( /* Content security service configuration */ + c( + "traceoptions" ( /* Trace options for utm */ + utm_traceoptions /* Trace options for utm */ + ), + "application-proxy" ( /* Application proxy settings */ + c( + "traceoptions" ( /* Trace options for application proxy */ + utm_apppxy_traceoptions /* Trace options for application proxy */ + ) + ) + ), + "ipc" ( /* IPC settings */ + c( + "traceoptions" ( /* Trace options for IPC */ + utm_ipc_traceoptions /* Trace options for IPC */ + ) + ) + ), + "custom-objects" ( /* Custom-objects settings */ + c( + "category-package" ( /* Category package download and install options */ + c( + "url" arg /* HTTPS URL of category package download */, + "proxy-profile" arg /* Proxy profile */, + "routing-instance" arg /* Routing instance name */, + "automatic" ( /* Scheduled download and install */ + c( + "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ + time /* Start time (YYYY-MM-DD.HH:MM:SS) */ + ), + "interval" arg /* Interval in hours */, + "enable" /* Enable automatic download and install */ + ) + ) + ) + ), + "mime-pattern" ( /* Configure mime-list object */ + mime_list_type /* 
Configure mime-list object */ + ), + "filename-extension" ( /* Configure extension-list object */ + extension_list_type /* Configure extension-list object */ + ), + "url-pattern" ( /* Configure url-list object */ + url_list_type /* Configure url-list object */ + ), + "custom-url-category" ( /* Configure category-list object */ + category_list_type /* Configure category-list object */ + ), + "protocol-command" ( /* Configure command-list object */ + command_list_type /* Configure command-list object */ + ), + "custom-message" ( /* Configure custom-message object */ + custom_message_type /* Configure custom-message object */ + ) + ) + ), + "default-configuration" ( /* Global default UTM configurations */ + c( + "anti-virus" ( /* Configure anti-virus feature */ + default_anti_virus_feature /* Configure anti-virus feature */ + ), + "web-filtering" ( /* Configure web-filtering feature */ + default_webfilter_feature /* Configure web-filtering feature */ + ), + "anti-spam" ( /* Configure anti-spam feature */ + default_anti_spam_feature /* Configure anti-spam feature */ + ), + "content-filtering" ( /* Configure content filtering feature */ + default_content_filtering_feature /* Configure content filtering feature */ + ) + ) + ), + "feature-profile" ( /* Feature-profile settings */ + c( + "anti-virus" ( /* Configure anti-virus feature */ + anti_virus_feature /* Configure anti-virus feature */ + ), + "web-filtering" ( /* Configure web-filtering feature */ + webfilter_feature /* Configure web-filtering feature */ + ), + "anti-spam" ( /* Configure anti-spam feature */ + anti_spam_feature /* Configure anti-spam feature */ + ), + "content-filtering" ( /* Configure content filtering feature */ + content_filtering_feature /* Configure content filtering feature */ + ) + ) + ), + "utm-policy" ( /* Configure profile */ + profile_setting /* Configure profile */ + ) + ) + ), + "dynamic-address" ( /* Configure security dynamic address */ + c( + "traceoptions" ( /* Security dynamic 
address tracing options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "level" ( /* Level of debugging output */ + ("error" | "warning" | "notice" | "info" | "verbose" | "all") + ), + "flag" enum(("configuration" | "control" | "ipc" | "ip-entry" | "file-retrieval" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "feed-server" arg ( /* Security dynamic address feed-server */ + c( + "description" arg /* Text description of feed-server */, + "hostname" arg /* Hostname or IP address of feed-server */, + "update-interval" arg /* Interval to retrieve update */, + "hold-interval" arg /* Time to keep IP entry when update failed */, + "feed-name" arg ( /* Feed name in feed-server */ + c( + "description" arg /* Text description of feed in feed-server */, + "path" arg /* Path of feed, appended to feed-server to form a complete URL */, + "update-interval" arg /* Interval to retrieve update */, + "hold-interval" arg /* Time to keep IP entry when update failed */ + ) + ) + ) + ), + "address-name" arg ( /* Security dynamic address name */ + c( + "description" arg /* Text description of dynamic address */, + "profile" ( /* Information to categorize feed data into this dynamic address */ + c( + "feed-name" arg /* Name of feed in feed-server for this dynamic address */, + "category" arg ( /* Name of category */ + c( + "feed" arg /* Name of feed under category */, + "property" arg ( /* Property to match */ + c( + c( + "string" arg /* Value type is strings */ + ) + ) + ) + ) + ) + ) + ) + ) + ) + ) + ), + "dynamic-vpn" /* 
Configure dynamic VPN */, + "dynamic-application" ( /* Configure dynamic-application */ + c( + "traceoptions" ( /* Dynamic application tracing options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "profile" arg ( /* Configure application-firewall profile */ + c( + "redirect-message" ( /* Redirect message settings */ + c( + "type" ( /* Type of redirect message desired */ + c( + c( + "custom-text" ( /* Custom defined text block message */ + c( + "content" arg /* Content of custom-text */ + ) + ), + "redirect-url" ( /* Custom redirect URL server */ + c( + "content" arg /* URL of block message */ + ) + ) + ) + ) + ) + ) + ) + ) + ) + ) + ), + "softwires" ( /* Configure softwire feature */ + softwires_object /* Configure softwire feature */ + ), + "forwarding-options" ( /* Security-forwarding-options configuration */ + c( + "family" ( /* Security forwarding-options for family */ + c( + "inet6" ( /* Family IPv6 */ + c( + "mode" ( /* Forwarding mode */ + ("packet-based" | "flow-based" | "drop") + ) + ) + ), + "mpls" ( /* Family MPLS */ + c( + "mode" ( /* Forwarding mode */ + ("packet-based") + ) + ) + ), + "iso" ( /* Family ISO */ + c( + "mode" ( /* Forwarding mode */ + ("packet-based") + ) + ) + ) + ) + ), + "mirror-filter" ( /* Security mirror filters */ + mirror_filter_type /* Security mirror filters */ + ), + "secure-wire" ( /* Secure-wire cross connections */ + secure_wire_type /* Secure-wire cross 
connections */ + ) + ) + ), + "advanced-services" /* Advanced services configuration */, + "flow" ( /* FLOW configuration */ + c( + "enhanced-routing-mode" /* Enable enhanced route scaling */, + "traceoptions" ( /* Trace options for flow services */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("all" | "basic-datapath" | "high-availability" | "host-traffic" | "fragmentation" | "multicast" | "route" | "session" | "session-scan" | "tcp-basic" | "tunnel")) /* Events and other information to include in trace output */.as(:oneline), + "rate-limit" arg /* Limit the incoming rate of trace messages */, + "packet-filter" ( /* Flow packet debug filters */ + flow_filter_type /* Flow packet debug filters */ + ), + "trace-level" ( /* FLow trace level */ + c( + c( + "error" /* Error messages */, + "brief" /* Brief messages */, + "detail" /* Detail messages */ + ) + ) + ) + ) + ), + "pending-sess-queue-length" ( /* Maximum queued length per pending session */ + ("normal" | "moderate" | "high") + ), + "enable-reroute-uniform-link-check" ( /* Enable reroute check with uniform link */ + c( + "nat" /* Enable NAT check */ + ) + ), + "allow-dns-reply" /* Allow unmatched incoming DNS reply packet */, + "route-change-timeout" arg /* Timeout value for route change to nonexistent route */, + "syn-flood-protection-mode" ( /* TCP SYN flood protection mode */ + ("syn-cookie" | "syn-proxy") + ), + "allow-embedded-icmp" /* Allow embedded ICMP packets not matching a session to pass through */, + "mcast-buffer-enhance" /* Allow to hold more 
packets during multicast session creation */, + "allow-reverse-ecmp" /* Allow reverse ECMP route lookup */, + "sync-icmp-session" /* Allow icmp sessions to sync to peer node */, + "ipsec-performance-acceleration" /* Accelerate the IPSec traffic performance */, + "aging" ( /* Aging configuration */ + c( + "early-ageout" arg /* Delay before device declares session invalid */, + "low-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out ends */, + "high-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out starts */ + ) + ), + "ethernet-switching" ( /* Ethernet-switching configuration for flow */ + c( + "block-non-ip-all" /* Block all non-IP and non-ARP traffic including broadcast/multicast */, + "bypass-non-ip-unicast" /* Allow all non-IP (including unicast) traffic */, + "no-packet-flooding" ( /* Stop IP flooding, send ARP/ICMP to trigger MAC learning */ + c( + "no-trace-route" /* Don't send ICMP to trigger MAC learning */ + ) + ), + "bpdu-vlan-flooding" /* Set 802.1D BPDU flooding based on VLAN */ + ) + ), + "tcp-mss" ( /* TCP maximum segment size configuration */ + c( + "all-tcp" ( /* Enable MSS override for all packets */ + c( + "mss" arg /* MSS value */ + ) + ), + "ipsec-vpn" ( /* Enable MSS override for all packets entering IPSec tunnel */ + c( + "mss" arg /* MSS value */ + ) + ), + "gre-in" ( /* Enable MSS override for all GRE packets coming out of an IPSec tunnel */ + c( + "mss" arg /* MSS value */ + ) + ), + "gre-out" ( /* Enable MSS override for all GRE packets entering an IPsec tunnel */ + c( + "mss" arg /* MSS value */ + ) + ) + ) + ), + "tcp-session" ( /* Transmission Control Protocol session configuration */ + c( + "rst-invalidate-session" /* Immediately end session on receipt of reset (RST) segment */, + "fin-invalidate-session" /* Immediately end session on receipt of fin (FIN) segment */, + "rst-sequence-check" /* Check sequence number in reset (RST) segment */, + "no-syn-check" /* Disable 
creation-time SYN-flag check */, + "strict-syn-check" /* Enable strict syn check */, + "no-syn-check-in-tunnel" /* Disable creation-time SYN-flag check for tunnel packets */, + "no-sequence-check" /* Disable sequence-number checking */, + "tcp-initial-timeout" arg /* Timeout for TCP session when initialization fails */, + "maximum-window" ( /* Maximum TCP proxy scaled receive window, default 256K bytes */ + ("64K" | "128K" | "256K" | "512K" | "1M") + ), + "time-wait-state" ( /* Session timeout value in time-wait state, default 150 seconds */ + c( + c( + "session-ageout" /* Allow session to ageout using service based timeout values */, + "session-timeout" arg /* Configure session timeout value for time-wait state */ + ), + "apply-to-half-close-state" /* Apply time-wait-state timeout to half-close state */ + ) + ) + ) + ), + "force-ip-reassembly" /* Force to reassemble ip fragments */, + "preserve-incoming-fragment-size" /* Preserve incoming fragment size for egress MTU */, + "advanced-options" ( /* Flow config advanced options */ + c( + "drop-matching-reserved-ip-address" /* Drop matching reserved source IP address */, + "drop-matching-link-local-address" /* Drop matching link local address */, + "reverse-route-packet-mode-vr" /* Allow reverse route lookup with packet mode vr */ + ) + ), + "load-distribution" ( /* Flow config SPU load distribution */ + c( + "session-affinity" /* SPU load distribution based on the service anchor SPU */ + ) + ), + "packet-log" ( /* Configure flow packet log */ + c( + "enable" /* Enable log for dropped packet */, + "throttle-interval" arg /* Interval should be configured as a power of two */, + "packet-filter" ( /* Configure packet log filter */ + flow_filter_type /* Configure packet log filter */ + ) + ) + ), + "power-mode-ipsec" /* Enable power mode ipsec processing */ + ) + ), + "firewall-authentication" ( /* Firewall authentication parameters */ + c( + "traceoptions" ( /* Data-plane firewall authentication tracing options */ + c( + 
"flag" enum(("authentication" | "proxy" | "all")) ( /* Events to include in trace output */ + c( + c( + "terse" /* Include terse amount of output in trace */, + "detail" /* Include detailed amount of output in trace */, + "extensive" /* Include extensive amount of output in trace */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "screen" ( /* Configure screen feature */ + c( + "trap" ( /* Configure trap interval */ + c( + "interval" arg /* Trap interval */ + ) + ).as(:oneline), + "ids-option" ( /* Configure ids-option */ + ids_option_type /* Configure ids-option */ + ), + "traceoptions" ( /* Trace options for Network Security Screen */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "white-list" ( /* Set of IP addresses for white list */ + ids_wlist_type /* Set of IP addresses for white list */ + ) + ) + ), + "nat" ( /* Configure Network Address Translation */ + nat_object /* Configure Network Address Translation */ + ), + "forwarding-process" ( /* Configure security forwarding-process options */ + c( + "enhanced-services-mode" /* Enable enhanced application services mode */, + "application-services" ( /* Configure application service options */ + c( + "maximize-alg-sessions" /* Maximize ALG session capacity */, + "maximize-persistent-nat-capacity" /* Increase persistent NAT capacity by reducing maximum flow sessions */, + "maximize-cp-sessions" /* Maximize CP session capacity */, + "session-distribution-mode" arg /* Session distribution 
mode */, + "enable-gtpu-distribution" /* Enable GTP-U distribution */, + "packet-ordering-mode" arg /* Packet ordering mode */, + "maximize-idp-sessions" /* Run security services in dedicated processes to maximize IDP session capacity */ + ) + ) + ) + ), + "policies" ( /* Configure Network Security Policies */ + policy_object_type /* Configure Network Security Policies */ + ), + "tcp-encap" ( /* Configure TCP Encapsulation. */ + c( + "traceoptions" ( /* Trace options for TCP encapsulation service */ + ragw_traceoptions /* Trace options for TCP encapsulation service */ + ), + "profile" arg ( /* Configure profile. */ + c( + "ssl-profile" arg /* SSL Termination profile */, + "log" /* Enable logging for remote-access */ + ) + ), + "global-options" ( /* Global settings for TCP encapsulation */ + c( + "enable-tunnel-tracking" /* Track ESP tunnels */ + ) + ) + ) + ), + "resource-manager" ( /* Configure resource manager security options */ + c( + "traceoptions" ( /* Traceoptions for resource manager */ + c( + "flag" enum(("client" | "group" | "resource" | "gate" | "session" | "chassis cluster" | "messaging" | "service pinhole" | "error" | "all")) ( /* Resource manager objects and events to include in trace */ + c( + c( + "terse" /* Set trace verbosity level to terse */, + "detail" /* Set trace verbosity level to detail */, + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "analysis" ( /* Configure security analysis */ + c( + "no-report" /* Stops security analysis reporting */ + ) + ), + "traceoptions" ( /* Network security daemon tracing options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines 
to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "routing-socket" | "compilation" | "all")) /* Tracing parameters */.as(:oneline), + "rate-limit" arg /* Limit the incoming rate of trace messages */ + ) + ), + "datapath-debug" ( /* Datapath debug options */ + c( + "traceoptions" ( /* End to end debug trace options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline) + ) + ), + "capture-file" ( /* Packet capture options */ + c( + arg /* Capture file name */, + "format" ( /* Capture file format */ + ("pcap") + ), + "size" arg /* Maximum file size */, + "files" arg /* Maximum number of files */, + "world-readable" /* Allow any user to read packet-capture files */, + "no-world-readable" /* Don't allow any user to read packet-capture files */ + ) + ).as(:oneline), + "maximum-capture-size" arg /* Max packet capture length */, + "action-profile" ( /* Action profile definitions */ + e2e_action_profile /* Action profile definitions */ + ), + "packet-filter" ( /* Packet filter configuration */ + end_to_end_debug_filter /* Packet filter configuration */ + ) + ) + ), + "user-identification" ( /* Configure user-identification */ + c( + "traceoptions" ( /* User-identification Tracing Options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + 
"no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("all")) /* Tracing parameters */.as(:oneline) + ) + ), + "authentication-source" ( /* Configure user-identification authentication-source */ + authentication_source_type /* Configure user-identification authentication-source */ + ) + ) + ), + "zones" ( /* Zone configuration */ + c( + "functional-zone" ( /* Functional zone */ + c( + "management" ( /* Host for out of band management interfaces */ + c( + "interfaces" ( /* Interfaces that are part of this zone */ + zone_interface_list_type /* Interfaces that are part of this zone */ + ), + "screen" arg /* Name of ids option object applied to the zone */, + "host-inbound-traffic" ( /* Allowed system services & protocols */ + zone_host_inbound_traffic_t /* Allowed system services & protocols */ + ), + "description" arg /* Text description of zone */ + ) + ) + ) + ), + "security-zone" ( /* Security zones */ + security_zone_type /* Security zones */ + ) + ) + ), + "advance-policy-based-routing" ( /* Configure Network Security APBR Policies */ + c( + "traceoptions" ( /* Advance policy based routing tracing options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "tunables" ( /* Configure advance policy based routing tunables */ + 
c( + "max-route-change" arg /* Maximum route change */, + "drop-on-zone-mismatch" /* Drop session if zone mismatches */, + "enable-logging" /* Enable AppTrack logging */ + ) + ), + "profile" arg ( /* Configure advance-policy-based-routing profile */ + c( + "rule" ( /* Specify an advance policy based routing rule */ + apbr_rule_type /* Specify an advance policy based routing rule */ + ) + ) + ), + "active-probe-params" arg ( /* Active probe's settings */ + c( + "settings" ( /* Settings */ + appqoe_probe_params /* Settings */ + ) + ) + ), + "metrics-profile" arg ( /* Configure metric profiles */ + c( + "sla-threshold" ( /* Configure SLA metric threshold */ + appqoe_sla_metric_profile /* Configure SLA metric threshold */ + ) + ) + ), + "overlay-path" arg ( /* List of overlay paths */ + c( + "tunnel-path" ( /* Tunnel start & end ip addresses */ + appqoe_probe_path /* Tunnel start & end ip addresses */ + ), + "probe-path" ( /* Probe start & end ip addresses */ + appqoe_probe_path /* Probe start & end ip addresses */ + ) + ) + ), + "destination-path-group" arg ( /* Group of tunnels to a particular destination */ + c( + "probe-routing-instance" ( /* Set routing instance for the probe-path */ + c( + arg /* Name of routing instance */ + ) + ), + "overlay-path" arg /* List of paths */ + ) + ), + "sla-options" ( /* Global SLA options */ + c( + "local-route-switch" ( /* Enable/disable Automatic local route switching */ + c( + c( + "enabled" /* Enable */, + "disabled" /* Disable */ + ) + ) + ), + "log-type" ( /* Choose the logging mechanism */ + c( + c( + "syslog" /* Choose syslog */ + ) + ) + ), + "max-passive-probe-limit" ( /* Set max passive probe limits */ + c( + "number-of-probes" ( /* Number of passive probes to be sent */ + c( + arg + ) + ), + "interval" ( /* Interval within which to send */ + c( + arg + ) + ) + ) + ) + ) + ), + "sla-rule" arg ( /* Create SLA rule */ + c( + "switch-idle-time" ( /* Idle timeout period where no SLA violation will be detected once path 
switch has happened */ + c( + arg + ) + ), + "metrics-profile" ( /* Set metrics profile for the SLA */ + c( + arg /* Metrics Profile name */ + ) + ), + "active-probe-params" ( /* Set Probe params for the overlay-path */ + c( + arg /* Probe parameter's name */ + ) + ), + "passive-probe-params" ( /* Passive probe settings */ + c( + "sampling-percentage" ( /* Mininmum percentage of Sessions to be evaluated for the application */ + c( + arg + ) + ), + "violation-count" ( /* Number of SLA violations within sampling period to be considered as a violation. */ + c( + arg + ) + ), + "sampling-period" ( /* Time period in which the sampling is done */ + c( + arg + ) + ), + "sla-export-factor" ( /* Enabled sampling window based SLA exporting */ + c( + arg + ) + ), + "type" ( /* Choose type of SLA measurement */ + c( + c( + "book-ended" /* Choose custom method of probing within WAN link */ + ) + ) + ), + "sampling-frequency" ( /* Sampling frequency settings */ + c( + "interval" ( /* Time based sampling interval */ + c( + arg + ) + ), + "ratio" ( /* 1:N based sampling ratio */ + c( + arg + ) + ) + ) + ) + ) + ) + ) + ), + "policy" arg ( /* Define a policy context from this zone */ + c( + "policy" ( /* Define security policy in specified zone-to-zone direction */ + sla_policy_type /* Define security policy in specified zone-to-zone direction */ + ) + ) + ) + ) + ), + "gprs" ( /* GPRS configuration */ + c( + "gtp" ( /* GPRS tunneling protocol configuration */ + c( + "profile" arg ( /* Configure GTP Profile */ + c( + "min-message-length" arg /* Minimum message length, from 0 to 65535 */, + "max-message-length" arg /* Maximum message length, from 1 to 65535 */, + "timeout" arg /* Tunnel idle timeout */, + "rate-limit" arg /* Limit messages per second */, + "log" ( /* GPRS tunneling protocol logs */ + c( + "forwarded" ( /* Log passed good packets */ + ("basic" | "detail") + ), + "state-invalid" ( /* Dropped by state-inspection or sanity failure */ + ("basic" | "detail") + ), + 
"prohibited" ( /* Dropped for type/length/version filtering */ + ("basic" | "detail") + ), + "gtp-u" enum(("all" | "dropped")) /* Logs for gtp-u */, + "rate-limited" ( /* Dropped for rate-limit */ + c( + c( + "basic" /* Basic logs */, + "detail" /* Detailed logs */ + ), + "frequency-number" arg /* Logging frequency over threshold, set by rate-limit */ + ) + ) + ) + ), + "remove-ie" ( /* Remove information elements */ + c( + "version" enum(("v1")) ( /* GTP version */ + c( + "release" enum(("R6" | "R7" | "R8" | "R9")) /* Remove information elements by release */, + "number" ( /* Remove information elements by number */ + c( + arg + ) + ) + ) + ) + ) + ), + "path-rate-limit" ( /* Limit control messages based on IP pairs */ + c( + "message-type" enum(("create-req" | "delete-req" | "echo-req" | "other")) ( /* Specific group of control messages */ + c( + "drop-threshold" ( /* Set drop threshold for path rate limiting */ + c( + "forward" arg /* Limit messages of forward direction */, + "reverse" arg /* Limit messages of reverse direction */ + ) + ), + "alarm-threshold" ( /* Set alarm threshold for path rate limiting */ + c( + "forward" arg /* Limit messages of forward direction */, + "reverse" arg /* Limit messages of reverse direction */ + ) + ) + ) + ) + ) + ), + "drop" ( /* Drop certain type of messages */ + c( + "aa-create-pdp" ( /* Create AA pdp request/response message */ + c( + c( + "0" /* Version 0 */ + ) + ) + ), + "aa-delete-pdp" ( /* Delete AA pdp request/response message */ + c( + c( + "0" /* Version 0 */ + ) + ) + ), + "bearer-resource" ( /* Bearer resource command/failure message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "change-notification" ( /* Change notification request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "config-transfer" ( /* Configuration transfer message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "context" ( /* Context request/response/ack message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + 
"create-bearer" ( /* Create bearer request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "create-data-forwarding" ( /* Create indirect data forwarding tunnel request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "create-pdp" ( /* Create pdp request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "create-session" ( /* Create session request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "create-tnl-forwarding" ( /* Create forwarding tunnel request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "cs-paging" ( /* CS paging indication message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "data-record" ( /* Data record request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "delete-bearer" ( /* Delete bearer request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "delete-command" ( /* Delete bearer command/failure message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "delete-data-forwarding" ( /* Delete indirect data forwarding tunnel request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "delete-pdn" ( /* Delete PDN connection set request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "delete-pdp" ( /* Delete pdp request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "delete-session" ( /* Delete session request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "detach" ( /* Detach notification/ack message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "downlink-notification" ( /* Downlink data notification/ack/failure message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "echo" ( /* Echo request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "2" /* Version 2 */, 
+ "all" /* All versions */ + ) + ) + ), + "error-indication" ( /* Error indication message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "failure-report" ( /* Failure report request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "fwd-access" ( /* Forward access context notification/ack message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "fwd-relocation" ( /* Forward relocation request/response/comp/comp-ack message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "fwd-srns-context" ( /* Forward SRNS context/context-ack message */ + c( + c( + "1" /* Version 1 */ + ) + ) + ), + "g-pdu" ( /* G-PDU (user PDU) message/T-PDU */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "identification" ( /* Identification request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "mbms-session-start" ( /* MBMS session start request/response message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "mbms-session-stop" ( /* MBMS session stop request/response message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "mbms-session-update" ( /* MBMS session update request/response message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "modify-bearer" ( /* Modify bearer request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "modify-command" ( /* Modify bearer command/failure message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "node-alive" ( /* Node alive request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + 
"note-ms-present" ( /* Note MS GPRS present request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "pdu-notification" ( /* PDU notification requst/response/reject/reject-response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "ran-info" ( /* RAN info relay message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "redirection" ( /* Redirection request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "release-access" ( /* Release access-bearer request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "relocation-cancel" ( /* Relocation cancel request/response message */ + c( + c( + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ), + "resume" ( /* Resume notification/ack message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "send-route" ( /* Send route info request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "sgsn-context" ( /* SGSN context request/response/ack message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "stop-paging" ( /* Stop paging indication message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "supported-extension" ( /* Supported extension headers notification message */ + c( + c( + "1" /* Version 1 */ + ) + ) + ), + "suspend" ( /* Suspend notification/ack message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "trace-session" ( /* Trace session activation/deactivation message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "update-bearer" ( /* Update bearer request/response message */ + c( + c( + "2" /* Version 2 */ + ) + ) + ), + "update-pdn" ( /* Update PDN connection set request/response message */ + c( + c( + 
"2" /* Version 2 */ + ) + ) + ), + "update-pdp" ( /* Update pdp request/response message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "all" /* All versions */ + ) + ) + ), + "ver-not-supported" ( /* Version not supported message */ + c( + c( + "0" /* Version 0 */, + "1" /* Version 1 */, + "2" /* Version 2 */, + "all" /* All versions */ + ) + ) + ) + ) + ), + "apn" arg ( /* GTP Access Point Name (APN) filter */ + c( + "imsi-prefix" arg ( /* Specific filter prefix digits for International Mobile Subscriber Identification(IMSI) */ + c( + "action" ( /* Configure GTP profile APN action */ + c( + c( + "pass" /* Pass all selection modes for this APN */, + "drop" /* Drop all selection modes for this APN */, + "selection" ( /* Allowed selection modes for this APN */ + c( + "ms" /* Mobile Station selection mode */, + "net" /* Network selection mode */, + "vrf" /* Subscriber verified mode */ + ) + ) + ) + ) + ) + ) + ) + ) + ), + "restart-path" ( /* Restart GTP paths */ + ("echo" | "create" | "all") + ), + "seq-number-validated" /* Validate G-PDU sequence number */, + "gtp-in-gtp-denied" /* Deny nested GTP */, + "u-tunnel-validated" /* Validate GTP-u tunnel */, + "end-user-address-validated" /* Validate end user address */, + "req-timeout" arg /* Request message timeout, default timeout value 5 seconds */, + "handover-on-roaming-intf" /* Enable tunnel setup by Handover messages on roaming interface */, + "handover-group" ( /* SGSN handover group configuration */ + c( + arg + ) + ) + ) + ), + "traceoptions" ( /* Trace options for GPRS tunneling protocol */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + 
regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "flow" | "parser" | "chassis-cluster" | "gsn" | "jmpi" | "tnl" | "req" | "path" | "all")) /* Tracing parameters */.as(:oneline), + "trace-level" ( /* GTP trace level */ + c( + c( + "error" /* Match error conditions */, + "warning" /* Match warning messages */, + "notice" /* Match conditions that should be handled specially */, + "info" /* Match informational messages */, + "verbose" /* Match verbose messages */ + ) + ) + ) + ) + ), + "handover-group" arg ( /* Set handover group */ + c( + "address-book" arg ( /* Set addreess book */ + c( + "address-set" ( /* Set address set */ + c( + arg + ) + ) + ) + ) + ) + ), + "handover-default" ( /* Set handover default deny */ + c( + "deny" /* Handover default deny */ + ) + ) + ) + ), + "sctp" ( /* GPRS stream control transmission protocol configuration */ + c( + "profile" arg ( /* Configure stream transmission protocol */ + c( + "nat-only" /* Only do payload IPs translation for SCTP packet */, + "association-timeout" arg /* SCTP association timeout length, in minutes */, + "handshake-timeout" arg /* SCTP handshake timeout, in seconds */, + "drop" ( /* Disallowed SCTP payload message */ + c( + "m3ua-service" enum(("sccp" | "tup" | "isup")) /* MTP level 3 (MTP3) user adaptation layer service */.as(:oneline), + "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) + ) + ), + "permit" ( /* Permit SCTP payload message */ + c( + "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | 
"diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) + ) + ), + "limit" ( /* Packet limits */ + c( + "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ + c( + "rate" arg /* Rate limit */ + ) + ).as(:oneline), + "address" arg ( /* Rate limit for a list of IP addresses */ + c( + "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ + c( + "rate" arg /* Rate limit */ + ) + ).as(:oneline) + ) + ), + "rate" ( /* Rate limit */ + c( + "sccp" arg /* Global SCCP messages rate limit */, + "ssp" arg /* Global SSP messages rate limit */, + "sst" arg /* Global SST messages rate limit */, + "address" arg ( /* Rate limit for a list of IP addresses */ + c( + "sccp" arg /* SCCP messages rate limit */, + "ssp" arg /* SSP messages rate limit */, + "sst" arg /* SST messages rate limit */ + ) + ) + ) + ) + ) + ) + ) + ), + "multichunk-inspection" ( /* Configure for SCTP multi chunks inspection */ + c( + c( + "disable" /* Set multichunk inspection flag to disable */ + ) + ) + ), + "nullpdu" ( /* Configure for SCTP NULLPDU protocol value */ + c( + "protocol" ( /* SCTP NULLPDU payload protocol identifier */ + c( + c( + "ID-0x0000" /* Set 0x0000 to be NULLPDU ID value */, + "ID-0xFFFF" /* Set 0xFFFF to be NULLPDU ID value */ + ) + ) + ) + ) + ), + "log" enum(("configuration" | "rate-limit" | "association" | "data-message-drop" | "control-message-drop" | "control-message-all")) /* GPRS stream control transmission protocol logs */.as(:oneline), + 
"traceoptions" ( /* Trace options for GPRS stream control transmission protocol */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "detail" | "flow" | "parser" | "chassis-cluster" | "all")) /* Tracing parameters */.as(:oneline) + ) + ) + ) + ) + ) + ), + "ngfw" ( /* Next generation unified L4/L7 firewall */ + c( + "default-profile" ( /* Unified L4/L7 firewall default profile configuration */ + c( + "ssl-proxy" ( /* SSL proxy services */ + c( + "profile-name" arg /* Specify SSL proxy service profile name */ + ) + ), + "application-traffic-control" ( /* Application traffic control services */ + jsf_application_traffic_control_rule_set_type /* Application traffic control services */ + ) + ) + ) + ) + ), "macsec" ( /* MAC Security configuration */ security_macsec /* MAC Security configuration */ ) ) ), + # End of vSRX 18.3R1.9 "interfaces" ( /* Interface configuration */ c( "pic-set" arg ( /* NP bundling configuration */ c( "interface" arg /* One or more interfaces that use this picset */, 
@@ -94968,5 +96667,3417 @@ pm_rspan_vlan ) ) ) end + +# Ported from vSRX 18.3R1.9 +rule(:alg_object) do + c( + "traceoptions" ( /* ALG trace options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "level" ( /* Set level of tracing output */ + ("brief" | "detail" | "extensive" | "verbose") + ) + ) + ), + "alg-manager" ( /* Configure ALG-MANAGER */ + c( + "traceoptions" ( /* ALG-MANAGER trace options */ + c( + "flag" enum(("all")) ( /* ALG-MANAGER trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "alg-support-lib" ( /* Configure ALG-SUPPORT-LIB */ + c( + "traceoptions" ( /* ALG-SUPPORT-LIB trace options */ + c( + "flag" enum(("all")) ( /* ALG-SUPPORT-LIB trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "dns" ( /* Configure DNS ALG */ + c( + "disable" /* Disable DNS ALG */, + "maximum-message-length" arg /* Set maximum message length */, + "oversize-message-drop" /* Drop oversized DNS packets */, + "doctoring" ( /* Configure DNS ALG doctoring */ + c( + c( + "none" /* Disable all DNS ALG Doctoring */, + "sanity-check" /* Perform only DNS ALG sanity checks */ + ) + ) + ), + "traceoptions" ( /* DNS ALG trace options */ + c( + "flag" enum(("all")) ( /* DNS ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "ftp" ( /* Configure FTP ALG */ + c( + "disable" /* Disable FTP ALG 
*/, + "ftps-extension" /* Enable secure FTP and FTP-ssl protocols */, + "line-break-extension" /* Enable CR+LF line termination */, + "allow-mismatch-ip-address" /* Pass FTP packets with mismatched ip address headers and payload */, + "traceoptions" ( /* FTP ALG trace options */ + c( + "flag" enum(("all")) ( /* FTP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "h323" ( /* Configure H.323 ALG */ + c( + "disable" /* Disable H.323 ALG */, + "endpoint-registration-timeout" arg /* Timeout for endpoints */, + "media-source-port-any" /* Permit media from any source port on the endpoint */, + "application-screen" ( /* Configure application screens */ + c( + "unknown-message" ( /* Configure ALG action on receiving an unknown message */ + c( + "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, + "permit-routed" /* Permit unknown messages on routed packets */ + ) + ), + "message-flood" ( /* Configure Message flood ALG options */ + c( + "gatekeeper" ( /* Set options for gatekeeper messages */ + c( + "threshold" arg /* Message flood gatekeeper threshold */ + ) + ).as(:oneline) + ) + ) + ) + ), + "dscp-rewrite" ( /* DSCP code rewrite */ + c( + "code-point" arg /* Set dscp codepoint 6-bit string */ + ) + ), + "traceoptions" ( /* H.323 ALG trace options */ + c( + "flag" enum(("q931" | "h245" | "ras" | "h225-asn1" | "h245-asn1" | "ras-asn1" | "chassis-cluster" | "all")) ( /* H.323 ALG trace flags */ + c( + c( + "terse" /* Set trace verbosity level to terse */, + "detail" /* Set trace verbosity level to detail */, + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "mgcp" ( /* Configure MGCP ALG */ + c( + "disable" /* Disable MGCP ALG */, + "inactive-media-timeout" arg /* Set inactive media timeout */, + "transaction-timeout" arg /* Set transaction timeout */, + "maximum-call-duration" arg /* Set maximum call 
duration */, + "application-screen" ( /* Configure application screens */ + c( + "unknown-message" ( /* Configure ALG action on receiving an unknown message */ + c( + "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, + "permit-routed" /* Permit unknown messages on routed packets */ + ) + ), + "message-flood" ( /* Set message flood ALG options */ + c( + "threshold" arg /* Message flood threshold */ + ) + ).as(:oneline), + "connection-flood" ( /* Set connection flood options */ + c( + "threshold" arg /* Connection flood threshold */ + ) + ).as(:oneline) + ) + ), + "dscp-rewrite" ( /* DSCP code rewrite */ + c( + "code-point" arg /* Set dscp codepoint 6-bit string */ + ) + ), + "traceoptions" ( /* MGCP ALG trace options */ + c( + "flag" enum(("call" | "decode" | "error" | "chassis-cluster" | "nat" | "packet" | "rm" | "all")) ( /* MGCP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "msrpc" ( /* Configure MSRPC ALG */ + c( + "disable" /* Disable MSRPC ALG */, + "group-max-usage" arg /* Set maximum group usage percentage, default 80 */, + "map-entry-timeout" arg /* Set entry timeout, default 8hour */, + "traceoptions" ( /* MSRPC ALG trace options */ + c( + "flag" enum(("all")) ( /* MSRPC ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "sunrpc" ( /* Configure SUNRPC ALG */ + c( + "disable" /* Disable SUNRPC ALG */, + "group-max-usage" arg /* Set maximum group usage percentage, default 80 */, + "map-entry-timeout" arg /* Set entry timeout, default 8hour */, + "traceoptions" ( /* SUNRPC ALG trace options */ + c( + "flag" enum(("all")) ( /* SUNRPC ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "rsh" ( /* Configure RSH ALG */ + c( + "disable" /* Disable RSH ALG */, + 
"traceoptions" ( /* RSH ALG trace options */ + c( + "flag" enum(("all")) ( /* RSH ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "rtsp" ( /* Configure RTSP ALG */ + c( + "disable" /* Disable RTSP ALG */, + "traceoptions" ( /* RTSP ALG trace options */ + c( + "flag" enum(("all")) ( /* RTSP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "sccp" ( /* Configure SCCP ALG */ + c( + "disable" /* Disable SCCP ALG */, + "inactive-media-timeout" arg /* Set inactive media timeout */, + "application-screen" ( /* Configure application screens */ + c( + "unknown-message" ( /* Configure ALG action on receiving an unknown message */ + c( + "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, + "permit-routed" /* Permit unknown messages on routed packets */ + ) + ), + "call-flood" ( /* Configure call flood thresholds */ + c( + "threshold" arg /* Calls per second per client */ + ) + ).as(:oneline) + ) + ), + "dscp-rewrite" ( /* DSCP code rewrite */ + c( + "code-point" arg /* Set dscp codepoint 6-bit string */ + ) + ), + "traceoptions" ( /* SCCP ALG trace options */ + c( + "flag" enum(("call" | "cli" | "decode" | "error" | "chassis-cluster" | "init" | "nat" | "rm" | "all")) ( /* SCCP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "sip" ( /* Configure SIP ALG */ + c( + "disable" /* Disable SIP ALG */, + "inactive-media-timeout" arg /* Set inactive media timeout */, + "maximum-call-duration" arg /* Set maximum call duration */, + "t1-interval" arg /* Set T1 interval */, + "t4-interval" arg /* Set T4 interval */, + "c-timeout" arg /* Set C timeout */, + "disable-call-id-hiding" /* Disable translation of host IP in Call-ID header */, + "retain-hold-resource" /* Retain SDP resources during call hold 
*/, + "hide-via-headers" ( /* Hide via headers options */ + c( + "disable" /* Disable hide via headers function */ + ) + ), + "distribution-ip" /* Configure SIP distribute server IPV6 or IPV4 ip */, + "application-screen" ( /* Configure application screens */ + c( + "unknown-message" ( /* Configure ALG action on receiving an unknown message */ + c( + "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, + "permit-routed" /* Permit unknown messages on routed packets */ + ) + ), + "protect" ( /* Configure Protect options */ + c( + "deny" ( /* Protect deny options */ + c( + c( + "destination-ip" arg /* List of protected destination server IP */, + "all" /* Enable attack protection for all servers */ + ), + "timeout" arg /* Timeout value for SIP INVITE attack table entry */ + ) + ) + ) + ) + ) + ), + "dscp-rewrite" ( /* DSCP code rewrite */ + c( + "code-point" arg /* Set dscp codepoint 6-bit string */ + ) + ), + "traceoptions" ( /* SIP ALG trace options */ + c( + "flag" enum(("call" | "chassis-cluster" | "nat" | "parser" | "rm" | "all")) ( /* SIP ALG trace flags */ + c( + c( + "terse" /* Set trace verbosity level to terse */, + "detail" /* Set trace verbosity level to detail */, + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "sql" ( /* Configure SQL ALG */ + c( + "disable" /* Disable SQL ALG */, + "traceoptions" ( /* SQL ALG trace options */ + c( + "flag" enum(("all")) ( /* SQL ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "talk" ( /* Configure Talk ALG */ + c( + "disable" /* Disable Talk ALG */, + "traceoptions" ( /* TALK ALG trace options */ + c( + "flag" enum(("all")) ( /* TALK ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "tftp" ( /* Configure TFTP ALG */ + c( + "disable" /* Disable TFTP ALG 
*/, + "traceoptions" ( /* TFTP ALG trace options */ + c( + "flag" enum(("all")) ( /* TFTP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "pptp" ( /* Configure PPTP ALG */ + c( + "disable" /* Disable PPTP ALG */, + "traceoptions" ( /* PPTP ALG trace options */ + c( + "flag" enum(("all")) ( /* PPTP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ).as(:oneline), + "ike-esp-nat" ( /* Configure IKE-ESP ALG with NAT */ + c( + "enable" /* Enable IKE-ESP ALG */, + "esp-gate-timeout" arg /* Set ESP gate timeout */, + "esp-session-timeout" arg /* Set ESP session timeout */, + "state-timeout" arg /* Set ALG state timeout */, + "traceoptions" ( /* IKE-ESP ALG trace options */ + c( + "flag" enum(("all")) ( /* IKE-ESP ALG trace flags */ + c( + c( + "extensive" /* Set trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "twamp" ( /* Configure TWAMP ALG */ + c( + "traceoptions" ( /* TWAMP ALG trace options */ + c( + "flag" enum(("all")) ( /* TWAMP ALG trace flags */ + c( + c( + "extensive" /* Trace verbosity level to extensive */ + ) + ) + ).as(:oneline) + ) + ) + ) + ) + ) +end + +rule(:anti_spam_feature) do + c( + "sbl" ( /* SBL settings */ + sbl_type /* SBL settings */ + ) + ) +end + +rule(:anti_virus_feature) do + c( + "sophos-engine" ( /* Anti-virus sophos-engine */ + c( + "profile" arg ( /* Anti-virus sophos-engine profile */ + c( + "fallback-options" ( /* Anti-virus sophos-engine fallback options */ + sophos_fallback_settings /* Anti-virus sophos-engine fallback options */ + ), + "scan-options" ( /* Anti-virus sophos-engine scan options */ + sophos_scan_options /* Anti-virus sophos-engine scan options */ + ), + "trickling" ( /* Anti-virus trickling */ + anti_virus_trickling /* Anti-virus trickling */ + ), + "notification-options" ( /* Anti-virus notification options */ + 
anti_virus_notification_options /* Anti-virus notification options */ + ), + "mime-whitelist" ( /* Anti-virus MIME whitelist */ + c( + "list" arg /* MIME list */, + "exception" arg /* Exception settings for MIME white list */ + ) + ), + "url-whitelist" arg /* Anti-virus URL white list */ + ) + ) + ) + ) + ) +end + +rule(:anti_virus_notification_options) do + c( + "virus-detection" ( /* Virus detection notification */ + c( + "type" ( /* Virus detection notification type */ + ("protocol-only" | "message") + ), + "notify-mail-sender" /* Notify mail sender */, + "no-notify-mail-sender" /* Don't notify mail sender */, + "custom-message" arg /* Custom message for notification */, + "custom-message-subject" arg /* Custom message subject for notification */ + ) + ), + "fallback-block" ( /* Fallback block notification */ + c( + "type" ( /* Fallback block notification type */ + ("protocol-only" | "message") + ), + "notify-mail-sender" /* Notify mail sender */, + "no-notify-mail-sender" /* Don't notify mail sender */, + "custom-message" arg /* Custom message for notification */, + "custom-message-subject" arg /* Custom message subject for notification */ + ) + ), + "fallback-non-block" ( /* Fallback non block notification */ + c( + "notify-mail-recipient" /* Notify mail recipient */, + "no-notify-mail-recipient" /* Don't notify mail recipient */, + "custom-message" arg /* Custom message for notification */, + "custom-message-subject" arg /* Custom message subject for notification */ + ) + ) + ) +end + +rule(:anti_virus_trickling) do + c( + "timeout" arg /* Trickling timeout */ + ).as(:oneline) +end + +rule(:apbr_rule_type) do + arg.as(:arg) ( + c( + "match" ( /* Specify security rule match-criteria */ + c( + "dynamic-application" ( + (arg | "junos:UNKNOWN") + ), + "dynamic-application-group" ( + (arg | "junos:unassigned") + ), + "category" ( + (arg | arg) + ) + ) + ), + "then" ( /* Specify rule action to take when packet match criteria */ + c( + "routing-instance" ( /* 
Packets are directed to specified routing instance */
+ c(
+ arg /* Name of routing instance */
+ )
+ ).as(:oneline),
+ "sla-rule" ( /* SLA Rule */
+ c(
+ arg /* SLA rule name */
+ )
+ )
+ )
+ )
+ )
+ )
+end
+
+rule(:appfw_rule_type) do
+ arg.as(:arg) (
+ c(
+ "match" ( /* Specify security rule match-criteria */
+ c(
+ "dynamic-application" (
+ (arg | "junos:UNKNOWN")
+ ),
+ "dynamic-application-group" (
+ (arg | "junos:unassigned")
+ ),
+ "ssl-encryption" ( /* Select SSL encryption rules */
+ ("any" | "yes" | "no")
+ )
+ )
+ ),
+ "then" ( /* Specify rule action to take when packet match criteria */
+ c(
+ c(
+ "permit" /* Permit packets */,
+ "deny" ( /* Deny packets */
+ c(
+ "block-message" /* Redirect sessions */
+ )
+ ),
+ "reject" ( /* Reject packets */
+ c(
+ "block-message" /* Redirect sessions */
+ )
+ )
+ )
+ )
+ )
+ )
+ )
+end
+
+rule(:appqoe_probe_params) do
+ c(
+ "data-fill" ( /* Probe Data Payload content */
+ c(
+ arg
+ )
+ ),
+ "data-size" ( /* Probe data size */
+ c(
+ arg
+ )
+ ),
+ "probe-interval" ( /* Time interval between 2 consecutive probes */
+ c(
+ arg
+ )
+ ),
+ "probe-count" ( /* Minimum number of samples to be collected to evaluate SLA measurement */
+ c(
+ arg
+ )
+ ),
+ "burst-size" ( /* Number of probes out of probe count to be sent as a burst */
+ c(
+ arg
+ )
+ ),
+ "sla-export-interval" ( /* Enabled time based SLA exporting */
+ c(
+ arg
+ )
+ ),
+ "dscp-code-points" ( /* Mapping of code point aliases to bit strings */
+ c(
+ arg /* DSCP */
+ )
+ )
+ )
+end
+
+rule(:appqoe_probe_path) do
+ c(
+ "local" ( /* Local node's info */
+ appqoe_node /* Local node's info */
+ ),
+ "remote" ( /* Remote node's info */
+ appqoe_node /* Remote node's info */
+ )
+ )
+end
+
+rule(:appqoe_node) do
+ c(
+ "ip-address" ( /* Set IP address */
+ c(
+ ipv4addr /* IP address */
+ )
+ )
+ )
+end
+
+rule(:appqoe_sla_metric_profile) do
+ c(
+ "delay-round-trip" ( /* Maximum acceptable delay */
+ c(
+ arg
+ )
+ ),
+ "jitter" ( /* Maximum acceptable 
jitter */
+ c(
+ arg
+ )
+ ),
+ "jitter-type" ( /* Type of Jitter */
+ c(
+ c(
+ "two-way-jitter" /* Two-way-jitter-type */,
+ "egress-jitter" /* Egress-jitter-type */,
+ "ingress-jitter" /* Ingress-jitter-type */
+ )
+ )
+ ),
+ "packet-loss" ( /* Maximum acceptable packet-loss */
+ c(
+ arg
+ )
+ ),
+ "match" ( /* Type of SLA match */
+ c(
+ c(
+ "any-one" /* Match any one strings */,
+ "all" /* Match all metrics */
+ )
+ )
+ )
+ )
+end
+
+rule(:authentication_source_type) do
+ ("local-authentication-table" | "unified-access-control" | "firewall-authentication" | "active-directory-authentication-table" | "aruba-clearpass").as(:arg) (
+ c(
+ c(
+ "priority" arg /* Larger number means lower priority, 0 for disable */
+ )
+ )
+ )
+end
+
+rule(:category_list_type) do
+ arg.as(:arg) (
+ c(
+ "value" arg /* Configure value of category-list object */
+ )
+ )
+end
+
+rule(:command_list_type) do
+ arg.as(:arg) (
+ c(
+ "value" arg /* Configure value of command-list object */
+ )
+ )
+end
+
+rule(:content_filtering_feature) do
+ c(
+ "profile" arg ( /* Content filtering profile */
+ c(
+ "permit-command" arg /* Permit command list */,
+ "block-command" arg /* Block command list */,
+ "block-extension" arg /* Block extension list */,
+ "block-mime" ( /* Content-filtering feature block MIME */
+ c(
+ "list" arg /* Block MIME list */,
+ "exception" arg /* Exception of block MIME list */
+ )
+ ),
+ "block-content-type" ( /* Content-filtering feature block content type */
+ c(
+ "activex" /* Block activex */,
+ "java-applet" /* Block Java-applet */,
+ "exe" /* Block Windows/dos exe file */,
+ "zip" /* Block zip file */,
+ "http-cookie" /* Block HTTP cookie */
+ )
+ ),
+ "notification-options" ( /* Notification options */
+ c(
+ "type" ( /* Notification options type */
+ ("protocol-only" | "message")
+ ),
+ "notify-mail-sender" /* Notifiy mail sender */,
+ "no-notify-mail-sender" /* Don't notifiy mail sender */,
+ "custom-message" arg /* Custom notification message */
+ )
+ )
+ ) 
+ )
+ )
+end
+
+rule(:custom_message_type) do
+ arg.as(:arg) (
+ c(
+ "type" ( /* Type of custom message */
+ ("redirect-url" | "user-message")
+ ),
+ "content" arg /* Content of custom message */
+ )
+ )
+end
+
+rule(:default_anti_spam_feature) do
+ c(
+ "type" ( /* Anti-spam type */
+ ("sbl" | "anti-spam-none")
+ ),
+ "address-whitelist" arg /* Anti-spam whitelist */,
+ "address-blacklist" arg /* Anti-spam blacklist */,
+ "traceoptions" ( /* Trace options for anti-spam feature */
+ anti_spam_traceoptions /* Trace options for anti-spam feature */
+ ),
+ "sbl" ( /* SBL settings */
+ default_sbl_type /* SBL settings */
+ )
+ )
+end
+
+rule(:anti_spam_traceoptions) do
+ c(
+ "flag" enum(("manager" | "sbl" | "all")) /* Trace options for anti-spam feature flag */.as(:oneline)
+ )
+end
+
+rule(:default_anti_virus_feature) do
+ c(
+ "mime-whitelist" ( /* Anti-virus MIME whitelist */
+ c(
+ "list" arg /* MIME list */,
+ "exception" arg /* Exception settings for MIME white list */
+ )
+ ),
+ "url-whitelist" arg /* Anti-virus URL white list */,
+ "type" ( /* Anti-virus engine type */
+ ("sophos-engine" | "anti-virus-none")
+ ),
+ "traceoptions" ( /* Trace options for anti-virus feature */
+ anti_virus_traceoptions /* Trace options for anti-virus feature */
+ ),
+ "sophos-engine" ( /* Anti-virus sophos-engine */
+ c(
+ "server" ( /* SAV and Anti-Spam first hop DNS server */
+ c(
+ ipaddr /* SAV and Anti-Spam first hop DNS server ip */,
+ "routing-instance" arg /* Routing instance name */
+ )
+ ),
+ "sxl-timeout" arg /* Sxl sophos anti-virus engine timeout */,
+ "sxl-retry" arg /* Sxl sophos anti-virus engine query retry (number of times) */,
+ "pattern-update" ( /* Anti-virus sophos-engine pattern update */
+ anti_virus_pattern_update /* Anti-virus sophos-engine pattern update */
+ ),
+ "fallback-options" ( /* Anti-virus sophos-engine fallback options */
+ sophos_fallback_settings /* Anti-virus sophos-engine fallback options */
+ ),
+ "scan-options" ( /* Anti-virus 
sophos-engine scan options */ + default_sophos_scan_options /* Anti-virus sophos-engine scan options */ + ), + "trickling" ( /* Anti-virus trickling */ + anti_virus_trickling /* Anti-virus trickling */ + ), + "notification-options" ( /* Anti-virus notification options */ + anti_virus_notification_options /* Anti-virus notification options */ + ) + ) + ) + ) +end + +rule(:anti_virus_pattern_update) do + c( + "email-notify" ( /* Virus pattern file updated notification */ + c( + "admin-email" arg /* Admin emails to be notified about pattern file update */, + "custom-message" arg /* Custom message for notification */, + "custom-message-subject" arg /* Custom message subject for notification */ + ) + ), + "url" arg /* Server URL */, + "proxy-profile" arg /* Proxy profile */, + "routing-instance" arg /* Routing instance name */, + "interval" arg /* Interval to check the update */, + "no-autoupdate" /* Don't automatically update anti-virus pattern */ + ) +end + +rule(:anti_virus_traceoptions) do + c( + "flag" enum(("basic" | "detail" | "engine" | "pattern" | "updater" | "manager" | "worker" | "sendmail" | "ipc" | "event" | "statistics" | "all")) /* Trace options for anti-virus feature flag */.as(:oneline) + ) +end + +rule(:default_content_filtering_feature) do + c( + "type" ( /* Content-filtering type */ + ("local" | "content-filtering-none") + ), + "traceoptions" ( /* Trace options for content-filtering feature */ + content_filtering_traceoptions /* Trace options for content-filtering feature */ + ), + "permit-command" arg /* Permit command list */, + "block-command" arg /* Block command list */, + "block-extension" arg /* Block extension list */, + "block-mime" ( /* Content-filtering feature block MIME */ + c( + "list" arg /* Block MIME list */, + "exception" arg /* Exception of block MIME list */ + ) + ), + "block-content-type" ( /* Content-filtering feature block content type */ + c( + "activex" /* Block activex */, + "java-applet" /* Block Java-applet */, + "exe" /* 
Block Windows/dos exe file */, + "zip" /* Block zip file */, + "http-cookie" /* Block HTTP cookie */ + ) + ), + "notification-options" ( /* Notification options */ + c( + "type" ( /* Notification options type */ + ("protocol-only" | "message") + ), + "notify-mail-sender" /* Notifiy mail sender */, + "no-notify-mail-sender" /* Don't notifiy mail sender */, + "custom-message" arg /* Custom notification message */ + ) + ) + ) +end + +rule(:content_filtering_traceoptions) do + c( + "flag" enum(("basic" | "detail" | "all")) /* Trace options for content-filtering feature flag */.as(:oneline) + ) +end + +rule(:default_sbl_type) do + c( + "sbl-default-server" /* Default SBL server */, + "no-sbl-default-server" /* Don't default SBL server */, + "spam-action" ( /* Anti-spam actions */ + ("block" | "tag-header" | "tag-subject") + ), + "custom-tag-string" arg /* Custom tag string */ + ) +end + +rule(:default_sophos_scan_options) do + c( + "uri-check" /* Anti-virus uri-check */, + "no-uri-check" /* Don't anti-virus uri-check */, + "content-size-limit" arg /* Content size limit */, + "timeout" arg /* Scan engine timeout */ + ) +end + +rule(:default_webfilter_feature) do + c( + "url-whitelist" arg /* Configure custom URL for whitelist category */, + "url-blacklist" arg /* Configure custom URL for blacklist category */, + "http-reassemble" /* Reassemble HTTP request segments */, + "http-persist" /* Check all HTTP request in a connection */, + "type" ( /* Configure web-filtering engine type */ + ("websense-redirect" | "juniper-local" | "juniper-enhanced" | "web-filtering-none") + ), + "traceoptions" ( /* Trace options for web-filtering feature */ + web_filtering_traceoptions /* Trace options for web-filtering feature */ + ), + "websense-redirect" ( /* Configure web-filtering websense redirect engine */ + default_websense_type /* Configure web-filtering websense redirect engine */ + ), + "juniper-local" ( /* Configure web-filtering juniper local engine */ + 
default_juniper_local_type /* Configure web-filtering juniper local engine */ + ), + "juniper-enhanced" ( /* Configure web-filtering juniper enhanced engine */ + default_juniper_enhanced_type /* Configure web-filtering juniper enhanced engine */ + ) + ) +end + +rule(:default_juniper_enhanced_type) do + c( + "cache" ( + c( + "timeout" arg /* Juniper enhanced cache timeout */, + "size" arg /* Juniper enhanced cache size */ + ) + ), + "server" ( /* Juniper enhanced server */ + juniper_enhanced_server /* Juniper enhanced server */ + ), + "reputation" ( /* Customize reputation level */ + c( + "reputation-very-safe" arg /* Base-reputation-value */, + "reputation-moderately-safe" arg /* Base-reputation-value */, + "reputation-fairly-safe" arg /* Base-reputation-value */, + "reputation-suspicious" arg /* Base-reputation-value */ + ) + ), + "base-filter" arg /* Juniper base filter */, + "category" ( /* Juniper enhanced category */ + juniper_enhanced_category_type /* Juniper enhanced category */ + ), + "site-reputation-action" ( /* Juniper enhanced site reputation action */ + juniper_enhanced_site_reputation_setting /* Juniper enhanced site reputation action */ + ), + "default" ( /* Juniper enhanced profile default */ + ("permit" | "block" | "log-and-permit" | "quarantine") + ), + "custom-block-message" arg /* Juniper enhanced custom block message sent to HTTP client */, + "quarantine-custom-message" arg /* Juniper enhanced quarantine custom message */, + "fallback-settings" ( /* Juniper enhanced fallback settings */ + web_filtering_fallback_setting /* Juniper enhanced fallback settings */ + ), + "timeout" arg /* Juniper enhanced timeout */, + "no-safe-search" /* Do not perform safe-search for Juniper enhanced protocol */, + "block-message" ( /* Juniper enhanced block message settings */ + web_filtering_block_message /* Juniper enhanced block message settings */ + ), + "quarantine-message" ( /* Juniper enhanced quarantine message settings */ + 
web_filtering_quarantine_message /* Juniper enhanced quarantine message settings */ + ) + ) +end + +rule(:default_juniper_local_type) do + c( + "default" ( /* Juniper local profile default */ + ("permit" | "block" | "log-and-permit") + ), + "category" ( /* Custom category */ + custom_category_type /* Custom category */ + ), + "custom-block-message" arg /* Juniper local custom block message */, + "quarantine-custom-message" arg /* Juniper local quarantine custom message */, + "block-message" ( /* Juniper local block message settings */ + web_filtering_block_message /* Juniper local block message settings */ + ), + "quarantine-message" ( /* Juniper local quarantine message settings */ + web_filtering_quarantine_message /* Juniper local quarantine message settings */ + ), + "fallback-settings" ( /* Juniper local fallback settings */ + web_filtering_fallback_setting /* Juniper local fallback settings */ + ), + "timeout" arg /* Juniper local timeout */ + ) +end + +rule(:custom_category_type) do + arg.as(:arg) ( + c( + "action" ( /* Action to perform when web traffic matches category */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ), + "custom-message" arg /* Custom message */ + ) + ) +end + +rule(:default_websense_type) do + c( + "server" ( /* Websense redirect server */ + server /* Websense redirect server */ + ), + "category" ( /* Custom category */ + custom_category_type /* Custom category */ + ), + "custom-block-message" arg /* Websense redirect custom block message */, + "quarantine-custom-message" arg /* Websense redirect quarantine custom message */, + "block-message" ( /* Websense redirect block message settings */ + web_filtering_block_message /* Websense redirect block message settings */ + ), + "quarantine-message" ( /* Websense redirect quarantine message settings */ + web_filtering_quarantine_message /* Websense redirect quarantine message settings */ + ), + "fallback-settings" ( /* Websense redirect fallback settings */ + 
web_filtering_fallback_setting /* Websense redirect fallback settings */ + ), + "timeout" arg /* Websense redirect timeout */, + "sockets" arg /* Websense redirect sockets number */, + "account" arg /* Websense redirect account */ + ) +end + +rule(:e2e_action_profile) do + arg.as(:arg) ( + c( + "preserve-trace-order" /* Preserve trace order (has performance overhead) */, + "record-pic-history" /* Record the PIC(s) in which the packet has been processed */, + "event" ( + e2e_event + ), + "module" ( + e2e_module + ) + ) + ) +end + +rule(:e2e_event) do + ("np-ingress" | "np-egress" | "mac-ingress" | "mac-egress" | "lbt" | "pot" | "jexec" | "lt-enter" | "lt-leave").as(:arg) ( + c( + "trace" /* Trace action */, + "count" /* Count action */, + "packet-summary" /* Packet summary action */, + "packet-dump" /* Packet dump action */ + ) + ) +end + +rule(:e2e_module) do + ("flow").as(:arg) ( + c( + "flag" enum(("all")) /* Events and other information to include in trace output */.as(:oneline) + ) + ) +end + +rule(:end_to_end_debug_filter) do + arg.as(:arg) ( + c( + "action-profile" ( /* Actions to take with this filter */ + ("default" | arg) + ), + "protocol" ( /* Match IP protocol type */ + ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) + ), + "source-prefix" ( /* Source IPv4/IPv6 address prefix */ + ipprefix /* Source IPv4/IPv6 address prefix */ + ), + "destination-prefix" ( /* Destination IPv4/IPv6 address prefix */ + ipprefix /* Destination IPv4/IPv6 address prefix */ + ), + "source-port" ( /* Match TCP/UDP source port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | 
"biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "destination-port" ( /* Match TCP/UDP destination port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "interface" ( /* Logical interface */ + interface_name /* Logical interface */ + ) + ) + ) +end + +rule(:extension_list_type) do + arg.as(:arg) ( + c( + "value" arg /* Configure value of extension-list object */ + ) + ) +end + +rule(:flow_filter_type) do + arg.as(:arg) ( + c( + "protocol" ( /* Match IP protocol type */ + ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) + ), + "source-prefix" ( /* Source IP address prefix */ + ipprefix /* Source IP address prefix */ + ), + "destination-prefix" ( /* Destination IP address prefix */ + ipprefix /* Destination IP address prefix */ + ), + "conn-tag" arg /* Session connection tag */, + "logical-system" arg /* Logical system */, + "source-port" ( /* Match TCP/UDP source port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | 
"domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "destination-port" ( /* Match TCP/UDP destination port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "interface" ( /* Source logical interface */ + interface_name /* Source logical interface */ + ) + ) + ) +end + +rule(:host_object) do + c( + ipaddr /* IP address */, + "port" arg /* Host port number */, + "routing-instance" arg /* Routing-instance name */ + ) +end + +rule(:ids_option_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of screen */, + "alarm-without-drop" /* Do not drop packet, only generate alarm */, + "match-direction" ( /* Match direction */ + ("input" | "output" | "input-output") + ), + "icmp" ( /* Configure ICMP ids options */ + c( + 
"ip-sweep" ( /* Configure ip sweep ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline), + "fragment" /* Enable ICMP fragment ids option */, + "large" /* Enable large ICMP packet (size > 1024) ids option */, + "flood" ( /* Configure icmp flood ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline), + "ping-death" /* Enable ping of death ids option */, + "icmpv6-malformed" /* Enable icmpv6 malformed ids option */ + ) + ), + "ip" ( /* Configure IP layer ids options */ + c( + "bad-option" /* Enable ip with bad option ids option */, + "record-route-option" /* Enable ip with record route option ids option */, + "timestamp-option" /* Enable ip with timestamp option ids option */, + "security-option" /* Enable ip with security option ids option */, + "stream-option" /* Enable ip with stream option ids option */, + "spoofing" /* Enable IP address spoofing ids option */, + "source-route-option" /* Enable ip source route ids option */, + "loose-source-route-option" /* Enable ip with loose source route ids option */, + "strict-source-route-option" /* Enable ip with strict source route ids option */, + "unknown-protocol" /* Enable ip unknown protocol ids option */, + "block-frag" /* Enable ip fragment blocking ids option */, + "tear-drop" /* Enable tear drop ids option */, + "ipv6-extension-header" ( /* Configure ipv6 extension header ids option */ + c( + "hop-by-hop-header" ( /* Enable ipv6 hop by hop option header ids option */ + c( + "jumbo-payload-option" /* Enable jumbo payload option ids option */, + "router-alert-option" /* Enable router alert option ids option */, + "quick-start-option" /* Enable quick start option ids option */, + "CALIPSO-option" /* Enable Common Architecture Label ipv6 Security Option ids option */, + "SMF-DPD-option" /* Enable Simplified Multicast Forwarding ipv6 Duplicate Packet Detection option ids option */, + "RPL-option" /* Enable Routing Protocol for Low-power and Lossy networks option ids option */, + 
"user-defined-option-type" arg ( /* User-defined option type range */ + c( + "to" ( /* Upper limit of option type range */ + c( + arg + ) + ) + ) + ).as(:oneline) + ) + ), + "routing-header" /* Enable ipv6 routing header ids option */, + "fragment-header" /* Enable ipv6 fragment header ids option */, + "ESP-header" /* Enable ipv6 Encapsulating Security Payload header ids option */, + "AH-header" /* Enable ipv6 Authentication Header ids option */, + "no-next-header" /* Enable ipv6 no next header ids option */, + "destination-header" ( /* Enable ipv6 destination option header ids option */ + c( + "tunnel-encapsulation-limit-option" /* Enable tunnel encapsulation limit option ids option */, + "home-address-option" /* Enable home address option ids option */, + "ILNP-nonce-option" /* Enable Identifier-Locator Network Protocol Nonce option ids option */, + "line-identification-option" /* Enable line identification option ids option */, + "user-defined-option-type" arg ( /* User-defined option type range */ + c( + "to" ( /* Upper limit of option type range */ + c( + arg + ) + ) + ) + ).as(:oneline) + ) + ), + "shim6-header" /* Enable ipv6 shim header ids option */, + "mobility-header" /* Enable ipv6 mobility header ids option */, + "HIP-header" /* Enable ipv6 Host Identify Protocol header ids option */, + "user-defined-header-type" arg ( /* User-defined header type range */ + c( + "to" ( /* Upper limit of header type range */ + c( + arg + ) + ) + ) + ).as(:oneline) + ) + ), + "ipv6-extension-header-limit" arg /* Enable ipv6 extension header limit ids option */, + "ipv6-malformed-header" /* Enable ipv6 malformed header ids option */, + "tunnel" ( /* Configure IP tunnel ids options */ + c( + "bad-inner-header" /* Enable IP tunnel bad inner header ids option */, + "gre" ( /* Configure IP tunnel GRE ids option */ + c( + "gre-6in4" /* Enable IP tunnel GRE 6in4 ids option */, + "gre-4in6" /* Enable IP tunnel GRE 4in6 ids option */, + "gre-6in6" /* Enable IP tunnel GRE 6in6 ids 
option */, + "gre-4in4" /* Enable IP tunnel GRE 4in4 ids option */ + ) + ), + "ip-in-udp" ( /* Configure IP tunnel IPinUDP ids option */ + c( + "teredo" /* Enable IP tunnel IPinUDP Teredo ids option */ + ) + ), + "ipip" ( /* Configure IP tunnel IPIP ids option */ + c( + "ipip-6to4relay" /* Enable IP tunnel IPIP 6to4 Relay ids option */, + "ipip-6in4" /* Enable IP tunnel IPIP 6in4 ids option */, + "ipip-4in6" /* Enable IP tunnel IPIP 4in6 ids option */, + "ipip-4in4" /* Enable IP tunnel IPIP 4in4 ids option */, + "ipip-6in6" /* Enable IP tunnel IPIP 6in6 ids option */, + "ipip-6over4" /* Enable IP tunnel IPIP 6over4 ids option */, + "isatap" /* Enable IP tunnel IPIP ISATAP ids option */, + "dslite" /* Enable IP tunnel IPIP DS-Lite ids option */ + ) + ) + ) + ) + ) + ), + "tcp" ( /* Configure TCP Layer ids options */ + c( + "syn-fin" /* Enable SYN and FIN bits set attack ids option */, + "fin-no-ack" /* Enable Fin bit with no ACK bit ids option */, + "tcp-no-flag" /* Enable TCP packet without flag ids option */, + "syn-frag" /* Enable SYN fragment ids option */, + "port-scan" ( /* Configure TCP port scan ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline), + "syn-ack-ack-proxy" ( /* Configure syn-ack-ack proxy ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline), + "syn-flood" ( /* Configure SYN flood ids option */ + c( + "alarm-threshold" arg /* Alarm threshold */, + "attack-threshold" arg /* Attack threshold */, + "source-threshold" arg /* Source threshold */, + "destination-threshold" arg /* Destination threshold */, + "queue-size" arg /* Queue size */, + "timeout" arg /* SYN flood ager timeout */, + "white-list" arg ( /* Set of IP addresses that will not trigger a screen */ + c( + "source-address" ( /* Source address */ + ipprefix /* Source address */ + ), + "destination-address" ( /* Destination address */ + ipprefix /* Destination address */ + ) + ) + ) + ) + ), + "land" /* Enable land attack ids option */, + "winnuke" 
/* Enable winnuke attack ids option */, + "tcp-sweep" ( /* Configure TCP sweep ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline) + ) + ), + "udp" ( /* Configure UDP layer ids options */ + c( + "flood" ( /* Configure UDP flood ids option */ + c( + "threshold" arg /* Threshold */, + "white-list" arg /* Configure UDP flood white list group name */ + ) + ), + "udp-sweep" ( /* Configure UDP sweep ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline), + "port-scan" ( /* Configure UDP port scan ids option */ + c( + "threshold" arg /* Threshold */ + ) + ).as(:oneline) + ) + ), + "limit-session" ( /* Limit sessions */ + c( + "source-ip-based" arg /* Limit sessions from the same source IP */, + "destination-ip-based" arg /* Limit sessions to the same destination IP */, + "by-source" ( /* Limit sessions from the same source IP or subnet */ + c( + "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, + "packet-rate" arg /* Limit sessions on the basis of packet rate */, + "session-rate" arg /* Limit sessions on the basis of session rate */, + "by-protocol" ( /* Limit sessions on the basis of protocol */ + by_protocol_object_type /* Limit sessions on the basis of protocol */ + ) + ) + ), + "by-destination" ( /* Limit sessions to the same destination IP or subnet */ + c( + "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, + "packet-rate" arg /* Limit sessions on the basis of packet rate */, + "session-rate" arg /* Limit sessions on the basis of session rate */, + "by-protocol" ( /* Limit sessions on the basis of protocol */ + by_protocol_object_type /* Limit sessions on the basis of protocol */ + ) + ) + ) + ) + ) + ) + ) +end + +rule(:by_protocol_object_type) do + c( + "tcp" ( /* Configure limit-session on the basis of TCP */ + c( + "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, + "packet-rate" arg /* Limit sessions on 
the basis of packet rate */, + "session-rate" arg /* Limit sessions on the basis of session rate */ + ) + ), + "udp" ( /* Configure limit-session on the basis of UDP */ + c( + "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, + "packet-rate" arg /* Limit sessions on the basis of packet rate */, + "session-rate" arg /* Limit sessions on the basis of session rate */ + ) + ), + "icmp" ( /* Configure limit-session on the basis of ICMP */ + c( + "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, + "packet-rate" arg /* Limit sessions on the basis of packet rate */, + "session-rate" arg /* Limit sessions on the basis of session rate */ + ) + ) + ) +end + +rule(:ids_wlist_type) do + arg.as(:arg) ( + c( + "address" ( /* Address */ + ipprefix /* Address */ + ) + ) + ) +end + +rule(:jsf_application_traffic_control_rule_set_type) do + c( + "rule-set" arg /* Service rule-set name */ + ) +end + +rule(:juniper_enhanced_category_type) do + arg.as(:arg) ( + c( + "action" ( /* Action to perform when web traffic matches category */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ), + "custom-message" arg /* Custom message */ + ) + ) +end + +rule(:juniper_enhanced_server) do + c( + "host" arg /* Server host IP address or string host name */, + "port" arg /* Server port */, + "proxy-profile" arg /* Proxy profile */, + "routing-instance" arg /* Routing instance name */ + ) +end + +rule(:juniper_enhanced_site_reputation_setting) do + c( + "very-safe" ( /* Action when site reputation is very safe */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ), + "moderately-safe" ( /* Action when site reputation is moderately safe */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ), + "fairly-safe" ( /* Action when site reputation is fairly safe */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ), + "suspicious" ( /* Action when site reputation is suspicious */ + ("permit" | 
"log-and-permit" | "block" | "quarantine") + ), + "harmful" ( /* Action when site reputation is harmful */ + ("permit" | "log-and-permit" | "block" | "quarantine") + ) + ) +end + +rule(:logical_system_type) do + arg.as(:arg) ( + c( + "max-sessions" arg /* Max number of IDP sessions */ + ) + ) +end + +rule(:mime_list_type) do + arg.as(:arg) ( + c( + "value" arg /* Configure MIME value */ + ) + ) +end + +rule(:mirror_filter_type) do + arg.as(:arg) ( + c( + "protocol" ( /* Match IP protocol type */ + ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) + ), + "source-prefix" ( /* Source IP address prefix */ + ipprefix /* Source IP address prefix */ + ), + "destination-prefix" ( /* Destination IP address prefix */ + ipprefix /* Destination IP address prefix */ + ), + "source-port" ( /* Match TCP/UDP source port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "destination-port" ( /* Match TCP/UDP destination port */ + ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | 
"mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) + ), + "interface-in" ( /* Incoming Logical interface */ + interface_name /* Incoming Logical interface */ + ), + "interface-out" ( /* Outgoing Logical interface */ + interface_name /* Outgoing Logical interface */ + ), + "output" ( /* Configure output interface and MAC address */ + c( + "interface" ( /* Outgoing Logical interface */ + interface_name /* Outgoing Logical interface */ + ), + "destination-mac" arg /* MAC address to match */ + ) + ) + ) + ) +end + +rule(:named_address_book_type) do + ("global" | arg).as(:arg) ( + c( + "description" arg /* Text description of address book */, + "address" ( /* Define a security address */ + address_type /* Define a security address */ + ), + "address-set" ( /* Define a security address set */ + address_set_type /* Define a security address set */ + ), + "attach" ( /* Attach this address book to interface, zone or routing-instance */ + c( + "zone" arg /* Define a zone to be attached */ + ) + ) + ) + ) +end + +rule(:address_set_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of address set */, + "address" arg /* Address to be included in this set */, + "address-set" arg /* Define an address-set name */ + ) + ) +end + +rule(:address_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of address */, + c( + ipprefix /* Numeric IPv4 or IPv6 address with prefix */, + "dns-name" ( /* DNS address name */ + dns_name_type /* DNS address name */ + ), + "wildcard-address" ( /* Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask */ + wildcard_address_type /* Numeric IPv4 wildcard address with 
in the form of a.d.d.r/netmask */ + ), + "range-address" ( /* Address range */ + range_address_type /* Address range */ + ) + ) + ) + ) +end + +rule(:dns_name_type) do + arg.as(:arg) ( + c( + "ipv4-only" /* IPv4 dns address */, + "ipv6-only" /* IPv6 dns address */ + ) + ) +end + +rule(:nat_object) do + c( + "source" ( /* Configure Source NAT */ + ssg_source_nat_object /* Configure Source NAT */ + ), + "destination" ( /* Configure Destination NAT */ + ssg_destination_nat_object /* Configure Destination NAT */ + ), + "static" ( /* Configure Static NAT */ + ssg_static_nat_object /* Configure Static NAT */ + ), + "proxy-arp" ( /* Configure Proxy ARP */ + ssg_proxy_arp_object /* Configure Proxy ARP */ + ), + "proxy-ndp" ( /* Configure Proxy NDP */ + ssg_proxy_ndp_object /* Configure Proxy NDP */ + ), + "natv6v4" ( /* Configure NAT between IPv6 and IPv4 options */ + c( + "no-v6-frag-header" /* V6 packet does not always add fragment header when performing nat translation from v4 side to v6 side */ + ) + ), + "allow-overlapping-pools" /* IP addresses of NAT pools can overlap with other pool */, + "traceoptions" ( /* NAT trace options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "flow" | "routing-socket" | "routing-protocol" | "all" | "source-nat-re" | "source-nat-rt" | "source-nat-pfe" | "destination-nat-re" | "destination-nat-rt" | "destination-nat-pfe" | "static-nat-re" | "static-nat-rt" | "static-nat-pfe" | "nat-svc-set-re")) ( /* Tracing parameters */ + c( + "syslog" /* Write NAT flow traces to 
system log also */ + ) + ).as(:oneline) + ) + ), + "pool" ( /* Define a NAT pool */ + nat_pool_object /* Define a NAT pool */ + ), + "ipv6-multicast-interfaces" /* Enable IPv6 multicast filter for IPv6 NAT */, + "allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */, + "rule" ( /* Define a NAT rule */ + nat_rule_object /* Define a NAT rule */ + ), + "port-forwarding" ( /* Define a port-forwarding pool */ + pf_mapping /* Define a port-forwarding pool */ + ), + "rule-set" /* Defines a set of NAT rules */ + ) +end + +rule(:policy_object_type) do + c( + "traceoptions" ( /* Network Security Policy Tracing Options */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "routing-socket" | "compilation" | "ipc" | "rules" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "policy" ( /* Define a policy context from this zone */ + s( + arg, + "to-zone-name" arg /* Destination zone */, + c( + "policy" ( /* Define security policy in specified zone-to-zone direction */ + policy_type /* Define security policy in specified zone-to-zone direction */ + ) + ) + ) + ), + "global" ( /* Define a global policy context */ + c( + "policy" ( /* Define security policy in global context */ + policy_type /* Define security policy in global context */ + ) + ) + ), + "default-policy" ( /* Configure default action when no user-defined policy match */ + c( + c( + "permit-all" /* Permit all traffic if no policy match */, + "deny-all" /* Deny all traffic if no policy 
match */ + ) + ) + ), + "policy-rematch" ( /* Re-evaluate the policy when changed */ + c( + "extensive" /* Perform policy extensive rematch */ + ) + ).as(:oneline), + "policy-stats" ( /* Parameters for policy statistics */ + c( + "system-wide" ( /* Enable/Disable system-wide policy statistics */ + ("enable" | "disable") + ) + ) + ), + "pre-id-default-policy" ( /* Configure default policy action before dynamic application is finally identified */ + c( + "then" ( /* Specify policy action to take when packet match criteria */ + c( + "log" ( /* Enable log */ + log_type /* Enable log */ + ), + "session-timeout" ( /* Session timeout */ + session_timeout_type /* Session timeout */ + ) + ) + ) + ) + ), + "stateful-firewall-rule" arg ( /* Define a stateful-firewall-rule */ + c( + "match-direction" ( /* Direction for which the rule match is applied */ + ("input" | "output" | "input-output") + ), + "policy" ( /* Define a stateful-firewall policy */ + policy_type /* Define a stateful-firewall policy */ + ) + ) + ), + "stateful-firewall-rule-set" arg ( /* Defines a set of stateful firewall rules */ + c( + "stateful-firewall-rule" arg /* Rule to be included in this stateful firewall rule set */ + ) + ) + ) +end + +rule(:log_type) do + c( + "session-init" /* Log at session init time */, + "session-close" /* Log at session close time */ + ) +end + +rule(:policy_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of policy */, + "match" ( /* Specify security policy match-criteria */ + c( + c( + "source-address" ( + ("any" | "any-ipv4" | "any-ipv6" | arg) + ) + ), + c( + "destination-address" ( + ("any" | "any-ipv4" | "any-ipv6" | arg) + ) + ), + "source-address-excluded" /* Exclude source addresses */, + "destination-address-excluded" /* Exclude destination addresses */, + c( + "application" ( + (arg | "junos-defaults") + ) + ), + c( + "source-identity" ( + ("any" | "authenticated-user" | "unauthenticated-user" | "unknown-user" | arg) + ) + ), + c( + 
"source-end-user-profile" ( /* Match source end user profile */ + match_source_end_user_profile_value /* Match source end user profile */ + ) + ), + c( + "dynamic-application" ( + (arg | "junos:UNKNOWN" | "junos:unassigned" | "any" | "none") + ) + ), + c( + "from-zone" ( + ("any" | arg) + ) + ), + c( + "to-zone" ( + ("any" | arg) + ) + ) + ) + ), + "then" ( /* Specify policy action to take when packet match criteria */ + c( + c( + "deny" /* Deny packets */, + "reject" ( /* Reject packets */ + c( + "profile" arg /* Profile for redirect HTTP/S traffic */, + "ssl-proxy" ( /* SSL proxy services */ + c( + "profile-name" arg /* Specify SSL proxy service profile name */ + ) + ) + ) + ), + "permit" ( /* Permit packets */ + c( + "tunnel" ( /* Tunnel packets */ + tunnel_type /* Tunnel packets */ + ), + "firewall-authentication" ( /* Enable authentication for this policy if permit or tunnel */ + firewall_authentication_type /* Enable authentication for this policy if permit or tunnel */ + ), + "destination-address" ( /* Enable destination address translation */ + destination_nat_enable_type /* Enable destination address translation */ + ), + "application-services" ( /* Application Services */ + application_services_type /* Application Services */ + ), + "tcp-options" ( /* Transmission Control Protocol session configuration */ + c( + "syn-check-required" /* Enable per policy SYN-flag check */, + "sequence-check-required" /* Enable per policy sequence-number checking */, + "initial-tcp-mss" arg /* Override MSS value for initial direction */, + "reverse-tcp-mss" arg /* Override MSS value for reverse direction */, + "window-scale" /* Enable per policy window-scale */ + ) + ), + "services-offload" /* Enable services offloading */ + ) + ) + ), + "log" ( /* Enable log */ + log_type /* Enable log */ + ), + "count" ( /* Enable count */ + count_type /* Enable count */ + ) + ) + ), + "scheduler-name" arg /* Name of scheduler */ + ) + ) +end + +rule(:application_services_type) do + c( + 
"gprs-gtp-profile" arg /* Specify GPRS Tunneling Protocol profile name */, + "gprs-sctp-profile" arg /* Specify GPRS stream control protocol profile name */, + "idp" /* Intrusion detection and prevention */, + "idp-policy" arg /* Specify idp policy name */, + "ssl-proxy" ( /* SSL proxy services */ + c( + "profile-name" arg /* Specify SSL proxy service profile name */ + ) + ), + "uac-policy" ( /* Enable unified access control enforcement of policy */ + c( + "captive-portal" arg + ) + ), + "utm-policy" arg /* Specify utm policy name */, + "icap-redirect" arg /* Specify icap redirect profile name */, + "application-firewall" ( /* Application firewall services */ + jsf_service_rule_set_type /* Application firewall services */ + ), + "application-traffic-control" ( /* Application traffic control services */ + jsf_application_traffic_control_rule_set_type /* Application traffic control services */ + ), + c( + "redirect-wx" /* Set WX redirection */, + "reverse-redirect-wx" /* Set WX reverse redirection */ + ), + "security-intelligence-policy" arg /* Specify security-intelligence policy name */, + "advanced-anti-malware-policy" arg /* Specify advanced-anti-malware policy name */ + ) +end + +rule(:count_type) do + +end + +rule(:destination_nat_enable_type) do + c( + c( + "drop-translated" /* Drop the policy if NAT translated */, + "drop-untranslated" /* Drop the policy if NAT untranslated */ + ) + ) +end + +rule(:firewall_authentication_type) do + c( + c( + "pass-through" ( /* Pass-through firewall authentication settings */ + c( + "access-profile" arg /* Specify access profile name */, + "client-match" arg, + "web-redirect" /* Redirect unauthenticated HTTP requests to the device's internal web server */, + "web-redirect-to-https" /* Redirect unauthenticated HTTP requests to the device's internal HTTPS web server */, + "ssl-termination-profile" arg /* Specify SSL termination profile used to the SSL offload */, + "auth-only-browser" /* Authenticate only browser traffic */, + 
"auth-user-agent" arg /* Authenticate HTTP traffic with specified user agent */ + ) + ), + "web-authentication" ( /* Web-authentication settings */ + c( + "client-match" arg + ) + ), + "user-firewall" ( /* User-firewall firewall authentication settings */ + c( + "access-profile" arg /* Specify access profile name */, + "web-redirect" /* Redirect unauthenticated HTTP req to web server */, + "web-redirect-to-https" /* Redirect unauthenticated HTTP req to HTTPS web server */, + "ssl-termination-profile" arg /* Specify SSL termination profile used to the SSL offload */, + "auth-only-browser" /* Authenticate only browser traffic */, + "auth-user-agent" arg /* Authenticate HTTP traffic with specified user agent */, + "domain" arg /* Specify domain name */ + ) + ) + ), + "push-to-identity-management" /* Push auth entry to identity management server */ + ) +end + +rule(:jsf_service_rule_set_type) do + c( + "rule-set" arg /* Service rule set name */ + ) +end + +rule(:match_source_end_user_profile_value) do + c( + arg /* Specify source-end-user-profile name from list to match */ + ) +end + +rule(:profile_setting) do + arg.as(:arg) ( + c( + "anti-virus" ( /* UTM policy anti-virus profile */ + c( + "http-profile" arg /* Anti-virus profile */, + "ftp" ( /* FTP profile */ + c( + "upload-profile" arg /* Anti-virus profile */, + "download-profile" arg /* Anti-virus profile */ + ) + ), + "smtp-profile" arg /* Anti-virus profile */, + "pop3-profile" arg /* Anti-virus profile */, + "imap-profile" arg /* Anti-virus profile */ + ) + ), + "content-filtering" ( /* Content-filtering profile */ + c( + "http-profile" arg /* Content-filtering profile */, + "ftp" ( /* FTP profile */ + c( + "upload-profile" arg /* Content-filtering FTP upload profile */, + "download-profile" arg /* Content-filtering FTP download profile */ + ) + ), + "smtp-profile" arg /* Content-filtering SMTP profile */, + "pop3-profile" arg /* Content-filtering POP3 profile */, + "imap-profile" arg /* Content-filtering IMAP 
profile */ + ) + ), + "web-filtering" ( /* Web-filtering profile */ + c( + "http-profile" arg /* Web-filtering HTTP profile */ + ) + ), + "anti-spam" ( /* Anti-spam profile */ + c( + "smtp-profile" arg /* Anti-spam profile */ + ) + ), + "traffic-options" ( /* Traffic options */ + c( + "sessions-per-client" ( /* Sessions per client */ + c( + "limit" arg /* Sessions limit */, + "over-limit" ( /* Over limit number */ + ("log-and-permit" | "block") + ) + ) + ) + ) + ) + ) + ) +end + +rule(:ragw_traceoptions) do + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "level" ( /* Level of debugging output */ + ("brief" | "detail" | "extensive" | "verbose") + ), + "flag" enum(("configuration" | "tunnel" | "session" | "all")) /* Tracing parameters */.as(:oneline) + ) +end + +rule(:range_address_type) do + arg.as(:arg) ( + c( + "to" ( /* Port range upper limit */ + c( + ipv4addr /* Upper limit of address range */ + ) + ) + ) + ) +end + +rule(:sbl_type) do + c( + "profile" arg ( /* SBL profile */ + c( + "sbl-default-server" /* Default SBL server */, + "no-sbl-default-server" /* Don't default SBL server */, + "spam-action" ( /* Anti-spam actions */ + ("block" | "tag-header" | "tag-subject") + ), + "custom-tag-string" arg /* Custom tag string */, + "address-whitelist" arg /* Anti-spam whitelist */, + "address-blacklist" arg /* Anti-spam blacklist */ + ) + ) + ) +end + +rule(:secure_wire_type) do + arg.as(:arg) ( + c( + "interface" ( /* Secure-wire logical interface */ + interface_unit /* Secure-wire logical interface */ + ) + ) + ) +end + 
+rule(:security_ipsec_policies) do + c( + "from-zone" ( /* Define ipsec policy context */ + security_ipsec_policy /* Define ipsec policy context */ + ) + ) +end + +rule(:security_ipsec_policy) do + s( + arg, + "to-zone" arg /* Outgoing zone */, + c( + "ipsec-group-vpn" arg /* Group VPN name */ + ) + ) +end + +rule(:security_ipsec_vpn) do + c( + "internal" ( /* Define an IPSec SA for internal RE-RE communication */ + c( + "security-association" ( /* Define an IPsec security association */ + ipsec_internal_sa /* Define an IPsec security association */ + ) + ) + ), + "traceoptions" ( /* Trace options for IPSec data-plane debug */ + ipsec_traceoptions /* Trace options for IPSec data-plane debug */ + ), + "vpn-monitor-options" ( /* Global options for VPN liveliness monitoring */ + ipsec_vpn_monitor /* Global options for VPN liveliness monitoring */ + ), + "proposal" ( /* Define an IPSec proposal */ + ipsec_proposal /* Define an IPSec proposal */ + ), + "policy" ( /* Define an IPSec policy */ + ipsec_policy /* Define an IPSec policy */ + ), + "vpn" ( /* Define an IPSec VPN */ + ipsec_vpn_template /* Define an IPSec VPN */ + ), + "security-association" ( /* Define a manual control plane SA */ + ipsec_sa /* Define a manual control plane SA */ + ) + ) +end + +rule(:ipsec_traceoptions) do + c( + "flag" enum(("packet-processing" | "packet-drops" | "security-associations" | "next-hop-tunnel-binding" | "all")) /* Events to include in data-plane IPSec trace output */.as(:oneline) + ) +end + +rule(:ipsec_vpn_monitor) do + c( + "interval" arg /* Monitor interval in seconds */, + "threshold" arg /* Number of consecutive failures to determine connectivity */ + ) +end + +rule(:ipsec_vpn_template) do + arg.as(:arg) ( + c( + "bind-interface" ( /* Bind to tunnel interface (route-based VPN) */ + interface_name /* Bind to tunnel interface (route-based VPN) */ + ), + "df-bit" ( /* Specifies how to handle the Don't Fragment bit */ + ("clear" | "set" | "copy") + ), + "multi-sa" ( /* 
Negotiate multiple SAs based on configuration choice */ + c( + c( + "forwarding-class" arg + ) + ) + ), + "copy-outer-dscp" /* Enable copying outer IP header DSCP and ECN to inner IP header */, + "vpn-monitor" ( /* Monitor VPN liveliness */ + ipsec_template_monitor /* Monitor VPN liveliness */ + ), + c( + "manual" ( /* Define a manual security association */ + c( + "gateway" ( /* Define the IPSec peer */ + hostname /* Define the IPSec peer */ + ), + "external-interface" ( /* External interface for the security association */ + interface_unit /* External interface for the security association */ + ), + "protocol" ( /* Define an IPSec protocol for the security association */ + ("ah" | "esp") + ), + "spi" arg /* Define security parameter index */, + "authentication" ( /* Define authentication parameters */ + c( + "algorithm" ( /* Define authentication algorithm */ + ("hmac-md5-96" | "hmac-sha1-96" | "hmac-sha-256-128" | "hmac-sha-256-96") + ), + "key" ( /* Define an authentication key */ + c( + c( + "ascii-text" arg /* Format as text */, + "hexadecimal" arg /* Format as hexadecimal */ + ) + ) + ).as(:oneline) + ) + ), + "encryption" ( /* Define encryption parameters */ + c( + "algorithm" ( /* Define encryption algorithm */ + ("des-cbc" | "3des-cbc" | "aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc" | "aes-128-gcm" | "aes-256-gcm") + ), + "key" ( /* Define an encryption key */ + c( + c( + "ascii-text" arg /* Format as text */, + "hexadecimal" arg /* Format as hexadecimal */ + ) + ) + ).as(:oneline) + ) + ) + ) + ), + "ike" ( /* Define an IKE-keyed IPSec vpn */ + c( + "gateway" arg /* Name of remote gateway */, + "idle-time" arg /* Idle time to delete SA */, + "no-anti-replay" /* Disable the anti-replay check */, + "proxy-identity" ( /* IPSec proxy-id to use in IKE negotiations */ + ipsec_template_proxy_id /* IPSec proxy-id to use in IKE negotiations */ + ), + "ipsec-policy" arg /* Name of the IPSec policy */, + "install-interval" arg /* Delay installation of rekeyed 
outbound SAs on initiator */ + ) + ) + ), + "traffic-selector" arg ( /* Traffic selector */ + c( + "local-ip" ( /* IP address of local traffic-selector */ + ipprefix_mandatory /* IP address of local traffic-selector */ + ), + "remote-ip" ( /* IP address of remote traffic-selector */ + ipprefix_mandatory /* IP address of remote traffic-selector */ + ) + ) + ), + "establish-tunnels" ( /* Define the criteria to establish tunnels */ + ("immediately" | "on-traffic") + ), + "passive-mode-tunneling" /* No active IP packet checks before IPSec encapsulation */, + "match-direction" arg /* Direction for which the rule match is applied */, + "tunnel-mtu" arg /* Maximum transmit packet size */, + "udp-encapsulate" ( /* UDP encapsulation of IPsec data traffic */ + c( + "dest-port" arg /* UDP destination port */ + ) + ).as(:oneline) + ) + ) +end + +rule(:ipsec_template_monitor) do + c( + "optimized" /* Optimize for scalability */, + "source-interface" ( /* Source interface for monitor message */ + interface_unit /* Source interface for monitor message */ + ), + "destination-ip" ( /* Destination IP addres for monitor message */ + ipaddr /* Destination IP addres for monitor message */ + ), + "verify-path" ( /* Verify IPSec path using vpn-monitor before bring up st0 state */ + c( + "destination-ip" ( /* Destination IP addres for verify IPSec path */ + ipaddr /* Destination IP addres for verify IPSec path */ + ), + "packet-size" arg /* Size of the packet */ + ) + ) + ) +end + +rule(:ipsec_template_proxy_id) do + c( + "local" ( /* Local IP address/prefix length */ + ipprefix_mandatory /* Local IP address/prefix length */ + ), + "remote" ( /* Remote IP address/prefix length */ + ipprefix_mandatory /* Remote IP address/prefix length */ + ), + "service" arg /* Name of serivce that passes through, any enables all services */ + ) +end + +rule(:security_zone_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of zone */, + "tcp-rst" /* Send RST for NON-SYN packet not 
matching TCP session */, + "address-book" ( /* Address book entries */ + address_book_type /* Address book entries */ + ), + "screen" arg /* Name of ids option object applied to the zone */, + "host-inbound-traffic" ( /* Allowed system services & protocols */ + zone_host_inbound_traffic_t /* Allowed system services & protocols */ + ), + "interfaces" ( /* Interfaces that are part of this zone */ + zone_interface_list_type /* Interfaces that are part of this zone */ + ), + "application-tracking" /* Enable Application tracking support for this zone */, + "source-identity-log" /* Show user and group info in session log for this zone */, + "advance-policy-based-routing-profile" ( /* Enable Advance Policy Based Routing on this zone */ + c( + arg + ) + ), + "enable-reverse-reroute" /* Enable Reverse route lookup when there is change in ingress interface */ + ) + ) +end + +rule(:address_book_type) do + c( + "address" ( /* Define a security address */ + address_type /* Define a security address */ + ), + "address-set" ( /* Define a security address set */ + address_set_type /* Define a security address set */ + ) + ) +end + +rule(:server) do + c( + "host" arg /* Server host IP address or string host name */, + "port" arg /* Server port */, + "routing-instance" arg /* Routing instance name */ + ) +end + +rule(:session_timeout_type) do + c( + "tcp" arg /* Timeout value for tcp sessions */, + "udp" arg /* Timeout value for udp sessions */, + "ospf" arg /* Timeout value for ospf sessions */, + "icmp" arg /* Timeout value for icmp sessions */, + "icmp6" arg /* Timeout value for icmp6 sessions */, + "others" arg /* Timeout value for other sessions */ + ) +end + +rule(:sla_policy_type) do + arg.as(:arg) ( + c( + "description" arg /* Text description of policy */, + "match" ( /* Specify sla policy match-criteria */ + c( + c( + "source-address" ( + ("any" | "any-ipv4" | "any-ipv6" | arg) + ) + ), + c( + "destination-address" ( + ("any" | "any-ipv4" | "any-ipv6" | arg) + ) + ), + 
"source-address-excluded" /* Exclude source addresses */, + "destination-address-excluded" /* Exclude destination addresses */, + c( + "application" arg + ) + ) + ), + "then" ( /* Specify policy action to take when packet match criteria */ + c( + c( + "application-services" ( /* Application Services */ + sla_application_services_type /* Application Services */ + ) + ) + ) + ) + ) + ) +end + +rule(:sla_application_services_type) do + c( + "advance-policy-based-routing-profile" arg /* Specify APBR profile name */ + ) +end + +rule(:softwires_object) do + c( + "softwire-name" ( /* Configure softwire object */ + softwire_option_type /* Configure softwire object */ + ), + "traceoptions" ( /* Trace options for Network Security DS-Lite */ + c( + "no-remote-trace" /* Disable remote tracing */, + "file" ( /* Trace file information */ + c( + arg, + "size" arg /* Maximum trace file size */, + "files" arg /* Maximum number of trace files */, + "world-readable" /* Allow any user to read the log file */, + "no-world-readable" /* Don't allow any user to read the log file */, + "match" ( /* Regular expression for lines to be logged */ + regular_expression /* Regular expression for lines to be logged */ + ) + ) + ).as(:oneline), + "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) + ) + ), + "rule-set" ( /* Define a softwire rule set */ + sw_rule_set_object /* Define a softwire rule set */ + ) + ) +end + +rule(:softwire_option_type) do + arg.as(:arg) ( + c( + "softwire-concentrator" ( /* Concentrator address */ + ipaddr /* Concentrator address */ + ), + "softwire-type" ( /* Softwire-type */ + ("IPv4-in-IPv6" | "v6rd") + ), + "ipv4-prefix" ( /* 6rd customer edge IPV4 prefix */ + ipv4prefix /* 6rd customer edge IPV4 prefix */ + ), + "v6rd-prefix" ( /* 6rd domain's IPV6 prefix */ + ipv6prefix /* 6rd domain's IPV6 prefix */ + ), + "mtu-v4" arg /* MTU for the softwire tunnel */ + ) + ) +end + +rule(:sophos_fallback_settings) do + c( + "default" ( /* 
Default action */ + ("permit" | "log-and-permit" | "block") + ), + "content-size" ( /* Fallback action for over content size */ + ("permit" | "log-and-permit" | "block") + ), + "engine-not-ready" ( /* Fallback action for engine not ready */ + ("permit" | "log-and-permit" | "block") + ), + "timeout" ( /* Fallback action for engine scan timeout */ + ("permit" | "log-and-permit" | "block") + ), + "out-of-resources" ( /* Fallback action for out of resources */ + ("permit" | "log-and-permit" | "block") + ), + "too-many-requests" ( /* Fallback action for requests exceed engine limit */ + ("permit" | "log-and-permit" | "block") + ) + ) +end + +rule(:sophos_scan_options) do + c( + "uri-check" /* Anti-virus uri-check */, + "no-uri-check" /* Don't anti-virus uri-check */, + "content-size-limit" arg /* Content size limit */, + "timeout" arg /* Scan engine timeout */ + ) +end + +rule(:ssg_destination_nat_object) do + c( + "pool" arg ( /* Define a destination address pool */ + c( + "description" arg /* Text description of pool */, + "routing-instance" ( /* Routing instance */ + c( + c( + "default" /* Default routing-instance */, + arg + ) + ) + ), + "address" ( /* Add address or address range to pool */ + c( + ipprefix /* IPv4 or IPv6 address or address range */, + c( + "to" ( /* Upper limit of address range */ + c( + ipprefix /* IPv4 or IPv6 upper limit of address range */ + ) + ), + "port" arg /* Specify the port value */ + ) + ) + ).as(:oneline) + ) + ), + "port-forwarding" arg ( /* Define a port-forwarding mapping pool */ + c( + "description" arg /* Text description of port forwarding mapping */, + "destined-port" ( /* Port forwarding mappings */ + s( + arg, + "translated-port" arg /* Translated port */ + ) + ).as(:oneline) + ) + ), + "rule-set" arg ( /* Configurate a set of rules */ + c( + "description" arg /* Text description of rule set */, + "from" ( /* Where is the traffic from */ + c( + c( + "routing-instance" ( /* Source routing instance list */ + ("default" | arg) + 
), + "zone" arg /* Source zone list */, + "interface" ( /* Source interface list */ + interface_name /* Source interface list */ + ) + ) + ) + ).as(:oneline), + "rule" ( /* Destination NAT rule */ + dest_nat_rule_object /* Destination NAT rule */ + ), + "match-direction" ( /* Match direction */ + ("input" | "output") + ) + ) + ) + ) +end + +rule(:dest_nat_rule_object) do + arg.as(:arg) ( + c( + "description" arg /* Text description of rule */, + "dest-nat-rule-match" ( /* Specify Destination NAT rule match criteria */ + c( + "source-address" ( /* Source address */ + ipprefix /* Source address */ + ), + "source-address-name" arg /* Address/address-set from address book */, + c( + "destination-address" ( /* Destination address */ + c( + ipprefix /* IPv4 or IPv6 destination address */ + ) + ).as(:oneline), + "destination-address-name" ( /* Address from address book */ + c( + arg + ) + ).as(:oneline) + ), + "destination-port" arg ( /* Destination port */ + c( + "to" ( /* Port range upper limit */ + c( + arg /* Upper limit of port range */ + ) + ) + ) + ).as(:oneline), + "protocol" ( /* IP Protocol */ + ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) + ), + "application" arg + ) + ), + "then" ( /* Then action */ + c( + "destination-nat" ( /* Destination NAT action */ + c( + c( + "off" /* No action */, + "pool" ( /* Use Destination NAT pool */ + c( + arg + ) + ), + "destination-prefix" ( /* Destination prefix to be used for NAT64 and 464 translation type */ + ipprefix_only /* Destination prefix to be used for NAT64 and 464 translation type */ + ) + ), + "port-forwarding-mappings" ( /* Use Destination NAT port forwarding mapping pool */ + c( + arg + ) + ), + "rule-session-count-alarm" ( /* Config rule-session-count-alarm to destination rule */ + nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to destination rule */ + ).as(:oneline) + ) + ) + ) + ) + ) + ) +end + 
+rule(:nat_rule_session_count_alarm_object) do + c( + "raise-threshold" arg /* Raise threshold for rule session count alarm */, + "clear-threshold" arg /* Clear threshold for session count hit alarm */ + ).as(:oneline) +end + +rule(:ssg_proxy_arp_object) do + c( + "interface" ( /* Interface with proxy arp configured */ + ssg_interface_object /* Interface with proxy arp configured */ + ) + ) +end + +rule(:ssg_interface_object) do + arg.as(:arg) ( + c( + "address" arg ( /* Proxy ARP address */ + c( + "to" ( /* Upper limit of address range */ + c( + ipv4prefix /* Upper limit of address range */ + ) + ) + ) + ).as(:oneline) + ) + ) +end + +rule(:ssg_proxy_ndp_object) do + c( + "interface" ( /* Interface with proxy arp configured */ + ssg_proxy_ndp_interface_object /* Interface with proxy arp configured */ + ) + ) +end + +rule(:ssg_proxy_ndp_interface_object) do + arg.as(:arg) ( + c( + "address" arg ( /* Proxy ndp address */ + c( + "to" ( /* Upper limit of address range */ + c( + ipv6addr /* Upper limit of address range */ + ) + ) + ) + ).as(:oneline) + ) + ) +end + +rule(:ssg_source_nat_object) do + c( + "pool" arg ( /* Define a source address pool */ + c( + "description" arg /* Text description of pool */, + "routing-instance" ( /* Routing instance */ + c( + arg + ) + ), + "address" arg ( /* Add address to pool */ + c( + "to" ( /* Upper limit of address range */ + c( + ipprefix /* IPv4 or IPv6 upper limit of address range */ + ) + ) + ) + ).as(:oneline), + "host-address-base" ( /* The base of host address */ + c( + ipprefix /* IPv4 or IPv6 base address */ + ) + ).as(:oneline), + "port" ( /* Config port attribute to pool */ + c( + c( + "no-translation" /* Do not perform port translation */, + "range" ( /* Port range */ + c( + arg, + "to" ( /* Port range upper limit */ + c( + arg + ) + ), + "twin-port" ( /* Twin port range */ + c( + arg, + "to" ( /* Twin port range upper limit */ + c( + arg + ) + ) + ) + ) + ) + ) + ), + "port-overloading-factor" arg /* Port overloading 
factor for each IP */, + "block-allocation" ( /* Port block allocation */ + block_allocation_object /* Port block allocation */ + ), + "deterministic" ( /* Deterministic nat allocation */ + deterministic_object /* Deterministic nat allocation */ + ), + "preserve-parity" /* Allocate port as the same parity as incoming port */, + "preserve-range" /* Allocate port from the same port range as incoming port */, + "automatic" ( /* Port assignment */ + c( + c( + "random-allocation" /* Allocate port randomly */, + "round-robin" /* Allocate port by round-robin */ + ) + ) + ) + ) + ), + "overflow-pool" ( /* Specify an overflow pool */ + c( + c( + arg, + "interface" /* Allow interface pool to support overflow */ + ) + ) + ).as(:oneline), + "address-shared" /* Allow multiple hosts to share an externel address */, + "address-pooling" ( /* Specify the address-pooling behavior */ + c( + c( + "paired" /* Allow address-pooling paired for a source pool with port translation */, + "no-paired" /* Allow address-pooling no-paired for a source pool without port translation */ + ) + ) + ).as(:oneline), + "address-persistent" ( /* Specify the address-persistent behavior */ + c( + "subscriber" ( /* Configure address persistent for subscriber */ + c( + "ipv6-prefix-length" arg /* Ipv6 prefix length for address persistent */ + ) + ).as(:oneline) + ) + ).as(:oneline), + "pool-utilization-alarm" ( /* Config pool-utilization-alarm to pool */ + source_nat_pool_utilization_alarm_object /* Config pool-utilization-alarm to pool */ + ).as(:oneline), + "ei-mapping-timeout" arg /* Endpoint-independent mapping timeout */, + "mapping-timeout" arg /* Address-pooling paired and endpoint-independent mapping timeout */, + "limit-ports-per-host" arg /* Number of ports allocated per host */ + ) + ), + "address-persistent" /* Allow source address to maintain same translation */, + "session-persistence-scan" /* Allow source to maintain session when session scan */, + "session-drop-hold-down" arg /* Session drop 
hold down time */, + "pool-utilization-alarm" ( /* Configure pool utilization alarm */ + source_nat_pool_utilization_alarm_object /* Configure pool utilization alarm */ + ).as(:oneline), + "port-randomization" ( /* Configure Source NAT port randomization */ + c( + ("disable") + ) + ).as(:oneline), + "port-round-robin" /* Configure Source NAT port randomization */.as(:oneline), + "port-scaling-enlargement" /* Configure source port scaling to 2.4G only for NGSPC */, + "pool-distribution" /* Configure Source pool distribution, the APPCP bottleneck of NAT CPS can be alleviated. */, + "pool-default-port-range" ( /* Configure Source NAT default port range */ + c( + arg, + "to" ( /* Port range upper limit */ + c( + arg + ) + ) + ) + ).as(:oneline), + "pool-default-twin-port-range" ( /* Configure Source NAT default twin port range */ + c( + arg, + "to" ( /* Twin port range upper limit */ + c( + arg + ) + ) + ) + ).as(:oneline), + "interface" ( /* Configure interface port overloading for persistent NAT */ + c( + c( + "port-overloading" ( /* Configure port overloading */ + c( + "off" /* Turn off interface port over-loading */ + ) + ).as(:oneline), + "port-overloading-factor" arg /* Port overloading factor for interface NAT */ + ) + ) + ), + "rule-set" arg ( /* Configurate a set of rules */ + c( + "description" arg /* Text description of rule set */, + "from" ( /* Where is the traffic from */ + c( + c( + "routing-instance" ( /* Source routing instance list */ + ("default" | arg) + ), + "zone" arg /* Source zone list */, + "interface" ( /* Source interface list */ + interface_name /* Source interface list */ + ) + ) + ) + ).as(:oneline), + "to" ( /* Where is the traffic to */ + c( + c( + "routing-instance" ( /* Destination routing instance list */ + ("default" | arg) + ), + "zone" arg /* Destination zone list */, + "interface" ( /* Destination interface list */ + interface_name /* Destination interface list */ + ) + ) + ) + ).as(:oneline), + "rule" ( /* Source NAT rule */ + 
src_nat_rule_object /* Source NAT rule */ + ), + "match-direction" ( /* Match direction */ + ("input" | "output") + ) + ) + ) + ) +end + +rule(:block_allocation_object) do + c( + "block-size" arg /* Block size */, + "maximum-blocks-per-host" arg /* Maximum block number per host */, + "active-block-timeout" arg /* Active block timeout interval */, + "interim-logging-interval" arg /* Interim Logging interval */, + "last-block-recycle-timeout" arg /* Last Block recycle timeout interval */, + "log" ( /* Configure port block log */ + c( + ("disable") + ) + ).as(:oneline) + ) +end + +rule(:deterministic_object) do + c( + "block-size" arg /* Block size */, + "det-nat-configuration-log-interval" arg /* Deterministic nat configuration logging interval */, + "host" ( /* Host address */ + c( + "address" ( /* Host ip address */ + ipprefix /* Host ip address */ + ), + "address-name" arg /* Host address/address-set from address book */ + ) + ).as(:oneline), + "include-boundary-addresses" /* Include network and broadcast in 'match' source address */ + ) +end + +rule(:source_nat_pool_utilization_alarm_object) do + c( + "raise-threshold" arg /* Raise threshold for pool utilization alarm */, + "clear-threshold" arg /* Clear threshold for pool utilization alarm */ + ).as(:oneline) +end + +rule(:src_nat_rule_object) do + arg.as(:arg) ( + c( + "description" arg /* Text description of rule */, + "src-nat-rule-match" ( /* Specify Source NAT rule match criteria */ + c( + "source-address" ( /* Source address */ + ipprefix /* Source address */ + ), + "source-address-name" arg /* Address/address-set from address book */, + "source-port" arg ( /* Source port */ + c( + "to" ( /* Port range upper limit */ + c( + arg /* Upper limit of port range */ + ) + ) + ) + ).as(:oneline), + "destination-address" ( /* Destination address */ + ipprefix /* Destination address */ + ), + "destination-address-name" arg /* Address/address-set from address book */, + "destination-port" arg ( /* Destination port */ 
+ c( + "to" ( /* Port range upper limit */ + c( + arg /* Upper limit of port range */ + ) + ) + ) + ).as(:oneline), + "protocol" ( /* IP Protocol */ + ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) + ), + "application" arg + ) + ), + "then" ( /* Then action */ + c( + "source-nat" ( /* Source NAT action */ + c( + c( + "off" /* No action */, + "pool" ( /* Use Source NAT pool */ + c( + arg, + "persistent-nat" ( /* Persistent NAT info */ + persistent_nat_object /* Persistent NAT info */ + ) + ) + ), + "interface" ( /* Use egress interface address */ + c( + "persistent-nat" ( /* Persistent NAT info */ + persistent_nat_object /* Persistent NAT info */ + ) + ) + ) + ), + "clat-prefix" ( /* An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96 */ + ipprefix_only /* An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96 */ + ), + "rule-session-count-alarm" ( /* Config rule-session-count-alarm to source rule */ + nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to source rule */ + ).as(:oneline), + "mapping-type" ( /* Source nat mapping type */ + c( + "endpoint-independent" /* Endpoint independent mapping */ + ) + ).as(:oneline), + "secure-nat-mapping" ( /* Mapping options for enhanced security */ + c( + "eif-flow-limit" arg /* Number of inbound flows to be allowed for a EIF mapping */, + "mapping-refresh" ( /* Enable timer refresh option */ + c( + c( + "inbound" /* Enable timer refresh for inbound connections only */, + "outbound" /* Enable timer refresh for outbound connections only */, + "inbound-outbound" /* Enable timer refresh for inbound & outbound connections */ + ) + ) + ).as(:oneline) + ) + ).as(:oneline), + "filtering-type" ( /* Source NAT filtering type */ + c( + "endpoint-independent" ( /* Endpoint independent filtering */ + c( + "prefix-list" arg ( /* One or more named lists of source prefixes to 
match */ + c( + "except" /* Name of prefix list not to match against */ + ) + ).as(:oneline) + ) + ) + ) + ) + ) + ) + ) + ) + ) + ) +end + +rule(:persistent_nat_object) do + c( + "permit" ( /* Persistent NAT permit configure */ + c( + c( + "any-remote-host" /* Permit any remote host */, + "target-host" /* Permit target host */, + "target-host-port" /* Permit target host port */ + ) + ) + ).as(:oneline), + "address-mapping" /* Address-to-address mapping */, + "inactivity-timeout" arg /* Inactivity timeout value */, + "max-session-number" arg /* The maximum session number value */ + ) +end + +rule(:ssg_static_nat_object) do + c( + "rule-set" arg ( /* Configurate a set of rules */ + c( + "description" arg /* Text description of rule set */, + "from" ( /* Where is the traffic from */ + c( + c( + "routing-instance" ( /* Source routing instance list */ + ("default" | arg) + ), + "zone" arg /* Source zone list */, + "interface" ( /* Source interface list */ + interface_name /* Source interface list */ + ) + ) + ) + ).as(:oneline), + "rule" ( /* Static NAT rule */ + static_nat_rule_object /* Static NAT rule */ + ) + ) + ) + ) +end + +rule(:static_nat_rule_object) do + arg.as(:arg) ( + c( + "description" arg /* Text description of rule */, + "static-nat-rule-match" ( /* Specify Static NAT rule match criteria */ + c( + "source-address" ( /* Source address */ + ipprefix /* Source address */ + ), + "source-address-name" arg /* Address from address book */, + "source-port" arg ( /* Source port */ + c( + "to" ( /* Port range upper limit */ + c( + arg /* Upper limit of port range */ + ) + ) + ) + ).as(:oneline), + c( + "destination-address" ( /* Destination address */ + c( + ipprefix /* IPv4 or IPv6 Destination address prefix */ + ) + ).as(:oneline), + "destination-address-name" ( /* Address from address book */ + c( + arg + ) + ).as(:oneline) + ), + "destination-port" ( /* Destination port */ + c( + arg /* Port or lower limit of port range */, + "to" ( /* Port range upper limit 
*/ + c( + arg /* Upper limit of port range */ + ) + ) + ) + ).as(:oneline) + ) + ), + "then" ( /* Then action */ + c( + "static-nat" ( /* Static NAT action */ + c( + c( + "inet" ( /* Translated to IPv4 address */ + c( + "routing-instance" ( /* Routing instance */ + ("default" | arg) + ) + ) + ), + "prefix" ( /* Address prefix */ + c( + ipprefix /* IPv4 or IPv6 address prefix value */, + "mapped-port" ( /* Mapped port */ + static_nat_rule_mapped_port_object /* Mapped port */ + ).as(:oneline), + "routing-instance" ( /* Routing instance */ + ("default" | arg) + ) + ) + ), + "prefix-name" ( /* Address from address book */ + c( + arg, + "mapped-port" ( /* Mapped port */ + static_nat_rule_mapped_port_object /* Mapped port */ + ).as(:oneline), + "routing-instance" ( /* Routing instance */ + ("default" | arg) + ) + ) + ), + "nptv6-prefix" ( /* NPTv6 address prefix, the longest prefix will be supported is /64 */ + c( + ipprefix /* IPv6 address prefix value, the longest prefix will be supported is /64 */, + "routing-instance" ( /* Routing instance */ + ("default" | arg) + ) + ) + ), + "nptv6-prefix-name" ( /* NPTv6 address from address book */ + c( + arg, + "routing-instance" ( /* Routing instance */ + ("default" | arg) + ) + ) + ) + ), + "rule-session-count-alarm" ( /* Config rule-session-count-alarm to static rule */ + nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to static rule */ + ).as(:oneline) + ) + ) + ) + ) + ) + ) +end + +rule(:static_nat_rule_mapped_port_object) do + c( + arg /* Port or lower limit of port range */, + "to" ( /* Port range upper limit */ + c( + arg /* Upper limit of port range */ + ) + ) + ).as(:oneline) +end + +rule(:sw_rule_set_object) do + arg.as(:arg) ( + c( + "rule" arg ( /* Define a rule term */ + c( + "then" ( /* Action to take if the condition is matched */ + c( + c( + "v6rd" arg /* Apply 6rd softwire */ + ) + ) + ) + ) + ), + "match-direction" ( /* Match direction */ + ("input" | "output") + ) + ) + ) +end + 
+rule(:tunnel_type) do + c( + c( + "ipsec-vpn" arg /* Enable VPN with name */, + "ipsec-group-vpn" arg /* Enable dynamic IPSEC group with name */ + ), + "pair-policy" arg /* Policy in the reverse direction, to form a pair */ + ) +end + +rule(:url_list_type) do + arg.as(:arg) ( + c( + "value" arg /* Configure value of url-list object */ + ) + ) +end + +rule(:utm_apppxy_traceoptions) do + c( + "flag" enum(("abort" | "application-objects" | "utm-realtime" | "anti-virus" | "basic" | "buffer" | "detail" | "ftp-data" | "ftp-control" | "http" | "imap" | "memory" | "parser" | "pfe" | "pop3" | "queue" | "smtp" | "tcp" | "timer" | "connection-rating" | "mime" | "regex-engine" | "sophos-anti-virus" | "all")) /* Tracing parameters for utm application proxy */.as(:oneline) + ) +end + +rule(:utm_ipc_traceoptions) do + c( + "flag" enum(("basic" | "detail" | "connection-manager" | "connection-status" | "pfe" | "utm-realtime" | "all")) /* Traceoptions for utm IPC flag */.as(:oneline) + ) +end + +rule(:utm_traceoptions) do + c( + "flag" enum(("cli" | "daemon" | "ipc" | "pfe" | "all")) /* Tracing UTM information */.as(:oneline) + ) +end + +rule(:web_filtering_block_message) do + c( + "type" ( /* Type of block message desired */ + ("custom-redirect-url") + ), + "url" arg /* URL of block message */ + ) +end + +rule(:web_filtering_fallback_setting) do + c( + "default" ( /* Fallback default settings */ + ("log-and-permit" | "block") + ), + "server-connectivity" ( /* Fallback action when device cannot connect to server */ + ("log-and-permit" | "block") + ), + "timeout" ( /* Fallback action when connection to server timeout */ + ("log-and-permit" | "block") + ), + "too-many-requests" ( /* Fallback action when requests exceed the limit of engine */ + ("log-and-permit" | "block") + ) + ) +end + +rule(:web_filtering_quarantine_message) do + c( + "type" ( /* Type of quarantine message desired */ + ("custom-redirect-url") + ), + "url" arg /* URL of quarantine message */ + ) +end + 
+rule(:web_filtering_traceoptions) do + c( + "flag" enum(("basic" | "session-manager" | "heartbeat" | "packet" | "profile" | "requests" | "response" | "socket" | "timer" | "ipc" | "cache" | "enhanced" | "all")) /* Trace options for web-filtering feature trace flag */.as(:oneline) + ) +end + +rule(:webfilter_feature) do + c( + "surf-control-integrated" ( /* Configure web-filtering surf-control integrated engine */ + surf_control_integrated_type /* Configure web-filtering surf-control integrated engine */ + ), + "websense-redirect" ( /* Configure web-filtering websense redirect engine */ + websense_type /* Configure web-filtering websense redirect engine */ + ), + "juniper-local" ( /* Configure web-filtering juniper local engine */ + juniper_local_type /* Configure web-filtering juniper local engine */ + ), + "juniper-enhanced" ( /* Configure web-filtering juniper enhanced engine */ + juniper_enhanced_type /* Configure web-filtering juniper enhanced engine */ + ) + ) +end + +rule(:juniper_enhanced_type) do + c( + "profile" arg ( /* Juniper enhanced profile */ + c( + "base-filter" arg /* Juniper base filter */, + "category" ( /* Juniper enhanced category */ + juniper_enhanced_category_type /* Juniper enhanced category */ + ), + "site-reputation-action" ( /* Juniper enhanced site reputation action */ + juniper_enhanced_site_reputation_setting /* Juniper enhanced site reputation action */ + ), + "default" ( /* Juniper enhanced profile default */ + ("permit" | "block" | "log-and-permit" | "quarantine") + ), + "custom-block-message" arg /* Juniper enhanced custom block message sent to HTTP client */, + "quarantine-custom-message" arg /* Juniper enhanced quarantine custom message */, + "fallback-settings" ( /* Juniper enhanced fallback settings */ + web_filtering_fallback_setting /* Juniper enhanced fallback settings */ + ), + "timeout" arg /* Juniper enhanced timeout */, + "no-safe-search" /* Do not perform safe-search for Juniper enhanced protocol */, + "block-message" ( 
/* Juniper enhanced block message settings */ + web_filtering_block_message /* Juniper enhanced block message settings */ + ), + "quarantine-message" ( /* Juniper enhanced quarantine message settings */ + web_filtering_quarantine_message /* Juniper enhanced quarantine message settings */ + ) + ) + ) + ) +end + +rule(:juniper_local_type) do + c( + "profile" arg ( /* Juniper local profile */ + c( + "default" ( /* Juniper local profile default */ + ("permit" | "block" | "log-and-permit") + ), + "category" ( /* Custom category */ + custom_category_type /* Custom category */ + ), + "custom-block-message" arg /* Juniper local custom block message */, + "quarantine-custom-message" arg /* Juniper local quarantine custom message */, + "block-message" ( /* Juniper local block message settings */ + web_filtering_block_message /* Juniper local block message settings */ + ), + "quarantine-message" ( /* Juniper local quarantine message settings */ + web_filtering_quarantine_message /* Juniper local quarantine message settings */ + ), + "fallback-settings" ( /* Juniper local fallback settings */ + web_filtering_fallback_setting /* Juniper local fallback settings */ + ), + "timeout" arg /* Juniper local timeout */ + ) + ) + ) +end + +rule(:surf_control_integrated_type) do + c( + "cache" ( + c( + "timeout" arg /* Surf control integrated cache timeout */, + "size" arg /* Surf control integrated cache size */ + ) + ), + "server" ( /* Surf control server */ + server /* Surf control server */ + ), + "profile" arg ( /* Surf control integrated profile */ + c( + "category" ( /* Surf control integrated category */ + surf_control_integrated_category_type /* Surf control integrated category */ + ), + "default" ( /* Surf control integrated profile default */ + ("permit" | "block" | "log-and-permit") + ), + "custom-block-message" arg /* Surf control integrated custom block message */, + "fallback-settings" ( /* Surf control integrated fallback settings */ + web_filtering_fallback_setting /* 
Surf control integrated fallback settings */ + ), + "timeout" arg /* Surf control integrated timeout */ + ) + ) + ) +end + +rule(:surf_control_integrated_category_type) do + arg.as(:arg) ( + c( + "action" ( /* Surf control integrated category type action */ + ("permit" | "block" | "log-and-permit") + ) + ) + ) +end + +rule(:websense_type) do + c( + "profile" arg ( /* Websense redirect profile */ + c( + "server" ( /* Websense redirect server */ + server /* Websense redirect server */ + ), + "category" ( /* Custom category */ + custom_category_type /* Custom category */ + ), + "custom-block-message" arg /* Websense redirect custom block message */, + "quarantine-custom-message" arg /* Websense redirect quarantine custom message */, + "block-message" ( /* Websense redirect block message settings */ + web_filtering_block_message /* Websense redirect block message settings */ + ), + "quarantine-message" ( /* Websense redirect quarantine message settings */ + web_filtering_quarantine_message /* Websense redirect quarantine message settings */ + ), + "fallback-settings" ( /* Websense redirect fallback settings */ + web_filtering_fallback_setting /* Websense redirect fallback settings */ + ), + "timeout" arg /* Websense redirect timeout */, + "sockets" arg /* Websense redirect sockets number */, + "account" arg /* Websense redirect account */ + ) + ) + ) +end + +rule(:wildcard_address_type) do + arg.as(:arg) +end + +rule(:zone_interface_list_type) do + arg.as(:arg) ( + c( + "host-inbound-traffic" ( + interface_host_inbound_traffic_t + ) + ) + ) +end + +rule(:interface_host_inbound_traffic_t) do + c( + "system-services" ( /* Type of incoming system-service traffic to accept */ + interface_system_services_object_type /* Type of incoming system-service traffic to accept */ + ), + "protocols" ( /* Protocol type of incoming traffic to accept */ + host_inbound_protocols_object_type /* Protocol type of incoming traffic to accept */ + ) + ) +end + 
+rule(:host_inbound_protocols_object_type) do + enum(("all" | "bfd" | "bgp" | "dvmrp" | "igmp" | "ldp" | "msdp" | "ndp" | "nhrp" | "ospf" | "ospf3" | "pgm" | "pim" | "rip" | "ripng" | "router-discovery" | "rsvp" | "sap" | "vrrp")).as(:arg) ( + c( + "except" /* Protocol type of incoming traffic to disallow */ + ) + ) +end + +rule(:interface_system_services_object_type) do + enum(("all" | "bootp" | "dhcp" | "dhcpv6" | "dns" | "finger" | "ftp" | "ident-reset" | "http" | "https" | "ike" | "netconf" | "ping" | "rlogin" | "reverse-telnet" | "reverse-ssh" | "rpm" | "rsh" | "snmp" | "snmp-trap" | "ssh" | "telnet" | "traceroute" | "xnm-ssl" | "xnm-clear-text" | "tftp" | "lsping" | "ntp" | "sip" | "r2cp" | "webapi-clear-text" | "webapi-ssl" | "tcp-encap" | "appqoe" | "any-service")).as(:arg) ( + c( + "except" /* Type of incoming system-service traffic to disallow */ + ) + ) +end + +rule(:zone_host_inbound_traffic_t) do + c( + "system-services" ( /* Type of incoming system-service traffic to accept */ + zone_system_services_object_type /* Type of incoming system-service traffic to accept */ + ), + "protocols" ( /* Protocol type of incoming traffic to accept */ + host_inbound_protocols_object_type /* Protocol type of incoming traffic to accept */ + ) + ) +end + +rule(:zone_system_services_object_type) do + enum(("all" | "bootp" | "dhcp" | "dhcpv6" | "dns" | "finger" | "ftp" | "ident-reset" | "http" | "https" | "ike" | "netconf" | "ping" | "rlogin" | "reverse-telnet" | "reverse-ssh" | "rpm" | "rsh" | "snmp" | "snmp-trap" | "ssh" | "telnet" | "traceroute" | "xnm-ssl" | "xnm-clear-text" | "tftp" | "lsping" | "ntp" | "sip" | "r2cp" | "webapi-clear-text" | "webapi-ssl" | "tcp-encap" | "appqoe" | "any-service")).as(:arg) ( + c( + "except" /* Type of incoming system-service traffic to disallow */ + ) + ) +end +# End of vSRX 18.3R1.9