junoser 0.4.7 → 0.5.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +19 -0
- data/Gemfile.lock +5 -5
- data/Rakefile +1 -1
- data/commitlint.config.js +1 -0
- data/example/ex-18.1R3-S6.1.xsd +90684 -0
- data/example/mx-21.2R3-S2.9.rb +127445 -0
- data/example/vsrx-18.3R1.9.rb +380 -30
- data/lib/junoser/parser.rb +38309 -29164
- data/lib/junoser/ruler.rb +18 -4
- data/lib/junoser/version.rb +1 -1
- metadata +4 -2
data/example/vsrx-18.3R1.9.rb
CHANGED
|
@@ -2102,14 +2102,14 @@ rule(:configuration) do
|
|
|
2102
2102
|
"pki" ( /* PKI service configuration */
|
|
2103
2103
|
security_pki /* PKI service configuration */
|
|
2104
2104
|
),
|
|
2105
|
-
"
|
|
2106
|
-
|
|
2105
|
+
"group-vpn" ( /* Group VPN configuration */
|
|
2106
|
+
security_group_vpn /* Group VPN configuration */
|
|
2107
2107
|
),
|
|
2108
2108
|
"ipsec" ( /* IPSec configuration */
|
|
2109
2109
|
security_ipsec_vpn /* IPSec configuration */
|
|
2110
2110
|
),
|
|
2111
|
-
"
|
|
2112
|
-
|
|
2111
|
+
"ike" ( /* IKE configuration */
|
|
2112
|
+
security_ike /* IKE configuration */
|
|
2113
2113
|
),
|
|
2114
2114
|
"ipsec-policy" ( /* IPSec policy configuration */
|
|
2115
2115
|
security_ipsec_policies /* IPSec policy configuration */
|
|
@@ -2140,9 +2140,11 @@ rule(:configuration) do
|
|
|
2140
2140
|
ipv4addr /* Source address to be used for sending download request */
|
|
2141
2141
|
),
|
|
2142
2142
|
"proxy-profile" arg /* Proxy profile of security package download */,
|
|
2143
|
+
"routing-instance" arg /* Routing instance for security-package download */,
|
|
2143
2144
|
"install" ( /* Configure install command */
|
|
2144
2145
|
c(
|
|
2145
|
-
"ignore-version-check" /* Skip version check when attack database gets installed
|
|
2146
|
+
"ignore-version-check" /* Skip version check when attack database gets installed */,
|
|
2147
|
+
"ignore-appid-failure" /* Continue idp installation even if appid installation fails */
|
|
2146
2148
|
)
|
|
2147
2149
|
),
|
|
2148
2150
|
"automatic" ( /* Scheduled download and update */
|
|
@@ -2227,7 +2229,19 @@ rule(:configuration) do
|
|
|
2227
2229
|
"session-steering" /* Session steering for session anticipation */,
|
|
2228
2230
|
"idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */,
|
|
2229
2231
|
"idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */,
|
|
2230
|
-
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass
|
|
2232
|
+
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
|
|
2233
|
+
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
|
|
2234
|
+
"intel-inspect-enable" /* Minimizes IDP processing during system overload */,
|
|
2235
|
+
"intel-inspect-cpu-usg-threshold" arg /* CPU usage threshold percentage for intelligent inspection */,
|
|
2236
|
+
"intel-inspect-cpu-usg-tolerance" arg /* CPU usage tolerance percentage for intelligent inspection */,
|
|
2237
|
+
"intel-inspect-free-mem-threshold" arg /* Free memory threshold percentage for intelligent inspection */,
|
|
2238
|
+
"intel-inspect-mem-tolerance" arg /* Memory tolerance percentage for intelligent inspection */,
|
|
2239
|
+
"intel-inspect-disable-content-decompress" /* Disables payload content decompression */,
|
|
2240
|
+
"intel-inspect-session-bytes-depth" arg /* Session bytes scanning depth */,
|
|
2241
|
+
"intel-inspect-protocols" arg /* Protocols to be processed in Intelligent Inspection mode */,
|
|
2242
|
+
"intel-inspect-signature-severity" ( /* Signature severities to be considered for IDP processing */
|
|
2243
|
+
("minor" | "major" | "critical")
|
|
2244
|
+
)
|
|
2231
2245
|
)
|
|
2232
2246
|
),
|
|
2233
2247
|
"re-assembler" ( /* Re-assembler configuration */
|
|
@@ -2274,11 +2288,16 @@ rule(:configuration) do
|
|
|
2274
2288
|
c(
|
|
2275
2289
|
"enable-packet-pool" /* Enable packet pool */,
|
|
2276
2290
|
"no-enable-packet-pool" /* Don't enable packet pool */,
|
|
2291
|
+
"log-xff-header" /* Log xff header */,
|
|
2277
2292
|
"enable-all-qmodules" /* Enable all qmodules */,
|
|
2278
2293
|
"no-enable-all-qmodules" /* Don't enable all qmodules */,
|
|
2279
2294
|
"policy-lookup-cache" /* Policy lookup cache */,
|
|
2280
2295
|
"no-policy-lookup-cache" /* Don't policy lookup cache */,
|
|
2281
|
-
"memory-limit-percent" arg /* Memory limit percentage
|
|
2296
|
+
"memory-limit-percent" arg /* Memory limit percentage */,
|
|
2297
|
+
"disable-idp-processing" /* Flag to disable IDP processing */,
|
|
2298
|
+
"intelligent-offload" ( /* Intelligently offload the flow */
|
|
2299
|
+
("disable" | "conservative")
|
|
2300
|
+
)
|
|
2282
2301
|
)
|
|
2283
2302
|
),
|
|
2284
2303
|
"detector" ( /* Detector Configuration */
|
|
@@ -2316,7 +2335,10 @@ rule(:configuration) do
|
|
|
2316
2335
|
"logical-system" ( /* Configure max IDP sessions for the logial system */
|
|
2317
2336
|
logical_system_type /* Configure max IDP sessions for the logial system */
|
|
2318
2337
|
),
|
|
2319
|
-
"processes" /* Configure IDP Processes
|
|
2338
|
+
"processes" /* Configure IDP Processes */,
|
|
2339
|
+
"tenant-system" ( /* Configure max IDP sessions for the tenant */
|
|
2340
|
+
tenant_system_type /* Configure max IDP sessions for the tenant */
|
|
2341
|
+
)
|
|
2320
2342
|
)
|
|
2321
2343
|
),
|
|
2322
2344
|
"address-book" ( /* Security address book */
|
|
@@ -8652,7 +8674,7 @@ rule(:application_object) do
|
|
|
8652
8674
|
term_object /* Define individual application protocols */
|
|
8653
8675
|
),
|
|
8654
8676
|
"application-protocol" ( /* Application protocol type */
|
|
8655
|
-
("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
|
|
8677
|
+
("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp" | "pop3" | "smtps" | "imaps" | "pop3s")
|
|
8656
8678
|
),
|
|
8657
8679
|
"protocol" ( /* Match IP protocol type */
|
|
8658
8680
|
("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
|
|
@@ -8664,7 +8686,9 @@ rule(:application_object) do
|
|
|
8664
8686
|
("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
|
|
8665
8687
|
),
|
|
8666
8688
|
"ether-type" arg /* Match ether type */,
|
|
8667
|
-
"snmp-command"
|
|
8689
|
+
"snmp-command" ( /* Match SNMP command */
|
|
8690
|
+
("get" | "get-next" | "get-response" | "set" | "trap")
|
|
8691
|
+
),
|
|
8668
8692
|
"icmp-type" ( /* Match ICMP message type */
|
|
8669
8693
|
("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
|
|
8670
8694
|
),
|
|
@@ -10466,7 +10490,17 @@ rule(:custom_attack_type) do
|
|
|
10466
10490
|
"count" arg /* Number of times this attack is to be triggered */,
|
|
10467
10491
|
"scope" ( /* Scope within which the count occurs */
|
|
10468
10492
|
("peer" | "source" | "destination")
|
|
10469
|
-
)
|
|
10493
|
+
),
|
|
10494
|
+
"interval" arg /* Maximum time-gap between two instances of the attack. Format : MMm-SSs */
|
|
10495
|
+
)
|
|
10496
|
+
),
|
|
10497
|
+
"detection-filter" ( /* Detection filter params */
|
|
10498
|
+
c(
|
|
10499
|
+
"count" arg /* Number of matches for this attack to be triggered. Must be greater than 0 */,
|
|
10500
|
+
"scope" ( /* Scope within which the count occurs */
|
|
10501
|
+
("session" | "source" | "destination")
|
|
10502
|
+
),
|
|
10503
|
+
"interval" arg /* Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second */
|
|
10470
10504
|
)
|
|
10471
10505
|
),
|
|
10472
10506
|
"attack-type" ( /* Type of attack */
|
|
@@ -10515,6 +10549,155 @@ rule(:custom_attack_type) do
|
|
|
10515
10549
|
"context" arg /* Context */,
|
|
10516
10550
|
"pattern" arg /* Pattern is the signature of the attack you want to detect */,
|
|
10517
10551
|
"pattern-pcre" arg /* Attack signature pattern in PCRE format */,
|
|
10552
|
+
"content" ( /* Mention the match-modifire parameters to enhance pattern matching */
|
|
10553
|
+
c(
|
|
10554
|
+
"pattern" arg /* Specify match-modifier pattern */,
|
|
10555
|
+
"pcre" arg /* PCRE expression */,
|
|
10556
|
+
"depth" ( /* Maximum depth to search pattern within a packet. Depth is not relative */
|
|
10557
|
+
c(
|
|
10558
|
+
"depth-value" arg /* Specify the value of 'depth' */,
|
|
10559
|
+
"depth-variable" arg /* Specify the variable name from which 'depth' should be extracted */
|
|
10560
|
+
)
|
|
10561
|
+
),
|
|
10562
|
+
"offset" ( /* Where to start searching for a pattern within a packet. Offset value is not relative */
|
|
10563
|
+
c(
|
|
10564
|
+
"offset-value" arg /* Specify the value of 'offset' */,
|
|
10565
|
+
"offset-variable" arg /* Specify the variable name from which 'offset' should be extracted */
|
|
10566
|
+
)
|
|
10567
|
+
),
|
|
10568
|
+
"within" ( /* Maximum Number of bytes present between two conjugative pattern match. within is relative */
|
|
10569
|
+
c(
|
|
10570
|
+
"within-value" arg /* Specify the value of 'within' */,
|
|
10571
|
+
"within-variable" arg /* Specify the variable name from which 'within' should be extracted */
|
|
10572
|
+
)
|
|
10573
|
+
),
|
|
10574
|
+
"distance" ( /* Maximum Length to ignore before searching next pattern match. Distance is relative */
|
|
10575
|
+
c(
|
|
10576
|
+
"distance-value" arg /* Specify the value of 'distance' */,
|
|
10577
|
+
"distance-variable" arg /* Specify the variable name from which 'distance' should be extracted */
|
|
10578
|
+
)
|
|
10579
|
+
),
|
|
10580
|
+
"byte-extract" ( /* Mention the byte-extract parameters for signature in length encoded protocols */
|
|
10581
|
+
c(
|
|
10582
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10583
|
+
"offset" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10584
|
+
"var-name" arg /* Specify the name of the variable to reference in other rule options */,
|
|
10585
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10586
|
+
"multiplier" arg /* Specify the value to be multiplied against the bytes read */,
|
|
10587
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10588
|
+
("Little" | "Big")
|
|
10589
|
+
),
|
|
10590
|
+
"align" ( /* Specify the byte alignment */
|
|
10591
|
+
("2-byte" | "4-byte")
|
|
10592
|
+
),
|
|
10593
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10594
|
+
("hex" | "dec" | "oct")
|
|
10595
|
+
),
|
|
10596
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
|
|
10597
|
+
)
|
|
10598
|
+
),
|
|
10599
|
+
"byte-test" ( /* Mention the byte-test parameters for signature in length encoded protocols */
|
|
10600
|
+
c(
|
|
10601
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10602
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10603
|
+
c(
|
|
10604
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10605
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10606
|
+
)
|
|
10607
|
+
),
|
|
10608
|
+
"rvalue" ( /* Specify the rvalue to test the converted value against */
|
|
10609
|
+
c(
|
|
10610
|
+
"rvalue-value" arg /* Specify the value */,
|
|
10611
|
+
"rvalue-variable" arg /* Specify the variable name */
|
|
10612
|
+
)
|
|
10613
|
+
),
|
|
10614
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10615
|
+
"operator" ( /* Specify the operation to perform on extracted value */
|
|
10616
|
+
("less-than" | "greater-than" | "less-than-or-equal" | "greater-than-or-equal" | "equal" | "bitwise-AND" | "bitwise-XOR")
|
|
10617
|
+
),
|
|
10618
|
+
"negate" /* Check if the operator is not true */,
|
|
10619
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10620
|
+
("Little" | "Big")
|
|
10621
|
+
),
|
|
10622
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10623
|
+
("hex" | "dec" | "oct")
|
|
10624
|
+
),
|
|
10625
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
|
|
10626
|
+
)
|
|
10627
|
+
),
|
|
10628
|
+
"byte-math" ( /* Mention the byte-math parameters for signature in length encoded protocols */
|
|
10629
|
+
c(
|
|
10630
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10631
|
+
"offset" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10632
|
+
"rvalue" ( /* Specify the value to use mathematical operation against */
|
|
10633
|
+
c(
|
|
10634
|
+
"rvalue-value" arg /* Specify the value */,
|
|
10635
|
+
"rvalue-variable" arg /* Specify the variable name */
|
|
10636
|
+
)
|
|
10637
|
+
),
|
|
10638
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10639
|
+
"operator" ( /* Specify the operation to perform on extracted value */
|
|
10640
|
+
("addition" | "subtraction" | "multiplication" | "division" | "right-shift" | "left-shift")
|
|
10641
|
+
),
|
|
10642
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10643
|
+
("Little" | "Big")
|
|
10644
|
+
),
|
|
10645
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10646
|
+
("hex" | "dec" | "oct")
|
|
10647
|
+
),
|
|
10648
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
|
|
10649
|
+
"result" arg /* Specify the variable name to which result should be stored */
|
|
10650
|
+
)
|
|
10651
|
+
),
|
|
10652
|
+
"byte-jump" ( /* Mention the byte-jump parameters for signature in length encoded protocols */
|
|
10653
|
+
c(
|
|
10654
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10655
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10656
|
+
c(
|
|
10657
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10658
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10659
|
+
)
|
|
10660
|
+
),
|
|
10661
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10662
|
+
"multiplier" arg /* Specify the value to be multiplied against the bytes read */,
|
|
10663
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10664
|
+
("Little" | "Big")
|
|
10665
|
+
),
|
|
10666
|
+
"align" ( /* Specify the endianness with which bytes read should be processed */
|
|
10667
|
+
("4-byte")
|
|
10668
|
+
),
|
|
10669
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10670
|
+
("hex" | "dec" | "oct")
|
|
10671
|
+
),
|
|
10672
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
|
|
10673
|
+
"from-beginning" /* Enable jump from the beginning of the payload */,
|
|
10674
|
+
"from-end" /* Enable jump from the end of the payload */,
|
|
10675
|
+
"post-offset" arg /* Specify the number of bytes to skip forward or backward */
|
|
10676
|
+
)
|
|
10677
|
+
),
|
|
10678
|
+
"is-data-at" ( /* Mention the is-data-at parameters for signature in length encoded protocols */
|
|
10679
|
+
c(
|
|
10680
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10681
|
+
c(
|
|
10682
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10683
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10684
|
+
)
|
|
10685
|
+
),
|
|
10686
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10687
|
+
"negate" /* Negates the results of the isdataat test */
|
|
10688
|
+
)
|
|
10689
|
+
)
|
|
10690
|
+
)
|
|
10691
|
+
),
|
|
10692
|
+
"optional-parameters" ( /* Mention the optional parameters to enhance pattern matching */
|
|
10693
|
+
c(
|
|
10694
|
+
"min-offset" arg /* Minimum offset in data at which pattern-match can end */,
|
|
10695
|
+
"max-offset" arg /* Maximum offset in data at which pattern-match can end */,
|
|
10696
|
+
"min-length" arg /* Minimum match length required to match the pattern */,
|
|
10697
|
+
"edit-distance" arg /* Match the pattern within this edit distance */,
|
|
10698
|
+
"hamming-distance" arg /* Match the pattern within this hamming distance */
|
|
10699
|
+
)
|
|
10700
|
+
),
|
|
10518
10701
|
"regexp" arg /* Regular expression used for matching repetition of patterns */,
|
|
10519
10702
|
"negate" /* Trigger the attack if condition is not met */,
|
|
10520
10703
|
"direction" ( /* Connection direction of the attack */
|
|
@@ -12030,6 +12213,13 @@ rule(:dynamic_attack_group_type) do
|
|
|
12030
12213
|
"values" arg /* Values for vulnariability-type field */
|
|
12031
12214
|
)
|
|
12032
12215
|
),
|
|
12216
|
+
"excluded" /* Excluded Attacks */,
|
|
12217
|
+
"no-excluded" /* Don't excluded Attacks */,
|
|
12218
|
+
"attack-prefix" ( /* Prefix match for attack names */
|
|
12219
|
+
c(
|
|
12220
|
+
"values" arg /* Values for attack name prefix match */
|
|
12221
|
+
)
|
|
12222
|
+
),
|
|
12033
12223
|
"cvss-score" ("greater-than" | "less-than") ( /* CVSS score of Attack */
|
|
12034
12224
|
c(
|
|
12035
12225
|
"value" arg /* Match value */
|
|
@@ -13211,8 +13401,12 @@ rule(:idp_policy_type) do
|
|
|
13211
13401
|
"source-except" ( /* Don't match source address */
|
|
13212
13402
|
(arg)
|
|
13213
13403
|
),
|
|
13214
|
-
"source-prefix" /* Match source address
|
|
13215
|
-
|
|
13404
|
+
"source-prefix" ( /* Match source address */
|
|
13405
|
+
ipv4prefix /* Match source address */
|
|
13406
|
+
),
|
|
13407
|
+
"source-prefix-except" ( /* Don't match source address */
|
|
13408
|
+
ipv4prefix /* Don't match source address */
|
|
13409
|
+
)
|
|
13216
13410
|
),
|
|
13217
13411
|
"to-zone" ( /* Match to zone */
|
|
13218
13412
|
("any" | arg)
|
|
@@ -13224,8 +13418,12 @@ rule(:idp_policy_type) do
|
|
|
13224
13418
|
"destination-except" ( /* Don't match destination address */
|
|
13225
13419
|
(arg)
|
|
13226
13420
|
),
|
|
13227
|
-
"destination-prefix" /* Match destination address
|
|
13228
|
-
|
|
13421
|
+
"destination-prefix" ( /* Match destination address */
|
|
13422
|
+
ipv4prefix /* Match destination address */
|
|
13423
|
+
),
|
|
13424
|
+
"destination-prefix-except" ( /* Don't match destination address */
|
|
13425
|
+
ipv4prefix /* Don't match destination address */
|
|
13426
|
+
)
|
|
13229
13427
|
),
|
|
13230
13428
|
"application" ( /* Specify application or application-set name to match */
|
|
13231
13429
|
("any" | "default" | arg)
|
|
@@ -13302,6 +13500,16 @@ rule(:idp_policy_type) do
|
|
|
13302
13500
|
),
|
|
13303
13501
|
"severity" ( /* Set rule severity level */
|
|
13304
13502
|
("info" | "warning" | "minor" | "major" | "critical")
|
|
13503
|
+
),
|
|
13504
|
+
"application-services" ( /* Enable application services for this rule */
|
|
13505
|
+
c(
|
|
13506
|
+
"security-intelligence" ( /* Generate security intellegence feeds */
|
|
13507
|
+
c(
|
|
13508
|
+
"add-attacker-ip-to-feed" arg /* Specify the desired feed-name */,
|
|
13509
|
+
"add-target-ip-to-feed" arg /* Specify the desired feed-name */
|
|
13510
|
+
)
|
|
13511
|
+
)
|
|
13512
|
+
)
|
|
13305
13513
|
)
|
|
13306
13514
|
)
|
|
13307
13515
|
),
|
|
@@ -13327,8 +13535,12 @@ rule(:idp_policy_type) do
|
|
|
13327
13535
|
"source-except" ( /* Don't match source address */
|
|
13328
13536
|
(arg)
|
|
13329
13537
|
),
|
|
13330
|
-
"source-prefix" /* Match source address
|
|
13331
|
-
|
|
13538
|
+
"source-prefix" ( /* Match source address */
|
|
13539
|
+
ipv4prefix /* Match source address */
|
|
13540
|
+
),
|
|
13541
|
+
"source-prefix-except" ( /* Don't match source address */
|
|
13542
|
+
ipv4prefix /* Don't match source address */
|
|
13543
|
+
)
|
|
13332
13544
|
),
|
|
13333
13545
|
"to-zone" ( /* Match to zone */
|
|
13334
13546
|
("any" | arg)
|
|
@@ -13340,8 +13552,12 @@ rule(:idp_policy_type) do
|
|
|
13340
13552
|
"destination-except" ( /* Don't match destination address */
|
|
13341
13553
|
(arg)
|
|
13342
13554
|
),
|
|
13343
|
-
"destination-prefix" /* Match destination address
|
|
13344
|
-
|
|
13555
|
+
"destination-prefix" ( /* Match destination address */
|
|
13556
|
+
ipv4prefix /* Match destination address */
|
|
13557
|
+
),
|
|
13558
|
+
"destination-prefix-except" ( /* Don't match destination address */
|
|
13559
|
+
ipv4prefix /* Don't match destination address */
|
|
13560
|
+
)
|
|
13345
13561
|
),
|
|
13346
13562
|
"attacks" ( /* Match attack objects */
|
|
13347
13563
|
c(
|
|
@@ -55982,6 +56198,11 @@ rule(:nat_object) do
|
|
|
55982
56198
|
"pool" ( /* Define a NAT pool */
|
|
55983
56199
|
nat_pool_object /* Define a NAT pool */
|
|
55984
56200
|
),
|
|
56201
|
+
"ipv6-multicast-interfaces" ("all" | "interface-name") ( /* Enable IPv6 multicast filter for IPv6 NAT */
|
|
56202
|
+
c(
|
|
56203
|
+
"disable" /* Disable IPv6 multicast filter for IPv6 NAT */
|
|
56204
|
+
)
|
|
56205
|
+
),
|
|
55985
56206
|
"ipv6-multicast-interfaces" /* Enable IPv6 multicast filter for IPv6 NAT */,
|
|
55986
56207
|
"allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */,
|
|
55987
56208
|
"rule" ( /* Define a NAT rule */
|
|
@@ -55990,16 +56211,31 @@ rule(:nat_object) do
|
|
|
55990
56211
|
"port-forwarding" ( /* Define a port-forwarding pool */
|
|
55991
56212
|
pf_mapping /* Define a port-forwarding pool */
|
|
55992
56213
|
),
|
|
55993
|
-
"rule-set" /* Defines a set of NAT rules */
|
|
56214
|
+
"rule-set" arg ( /* Defines a set of NAT rules */
|
|
56215
|
+
c(
|
|
56216
|
+
"rule" arg /* Rule to be included in this rule set */
|
|
56217
|
+
)
|
|
56218
|
+
)
|
|
55994
56219
|
)
|
|
55995
56220
|
end
|
|
55996
56221
|
|
|
55997
56222
|
rule(:nat_pool_object) do
|
|
55998
56223
|
arg.as(:arg) (
|
|
55999
56224
|
c(
|
|
56000
|
-
"pgcp" /* NAT pool should be used exclusive by the pgcp service
|
|
56225
|
+
"pgcp" ( /* NAT pool should be used exclusive by the pgcp service */
|
|
56226
|
+
c(
|
|
56227
|
+
"remotely-controlled" /* Remotely controlled NAT pool allocation */,
|
|
56228
|
+
"ports-per-session" arg /* Number of ports to allocate in each call setup */,
|
|
56229
|
+
"hint" arg /* NAT hints */,
|
|
56230
|
+
("tcp" | "udp" | "rtp-avp")
|
|
56231
|
+
)
|
|
56232
|
+
),
|
|
56001
56233
|
"address" arg /* Address or address prefix for NAT */,
|
|
56002
|
-
"interface" /* Interface for nat pool
|
|
56234
|
+
"interface" ( /* Interface for nat pool */
|
|
56235
|
+
sc(
|
|
56236
|
+
interface_unit
|
|
56237
|
+
)
|
|
56238
|
+
).as(:oneline),
|
|
56003
56239
|
"address-overload" /* Nat pool address overload with JunOS */,
|
|
56004
56240
|
"address-range" ( /* Range of addresses for NAT */
|
|
56005
56241
|
s(
|
|
@@ -60449,10 +60685,22 @@ rule(:security_authentication_key_chains) do
|
|
|
60449
60685
|
time /* Start time for key transmission (YYYY-MM-DD.HH:MM) */
|
|
60450
60686
|
),
|
|
60451
60687
|
"algorithm" ( /* Authentication algorithm */
|
|
60452
|
-
("md5" | "hmac-sha-1")
|
|
60688
|
+
("md5" | "hmac-sha-1" | "ao")
|
|
60453
60689
|
),
|
|
60454
60690
|
"options" ( /* Protocol's transmission encoding format */
|
|
60455
60691
|
("basic" | "isis-enhanced")
|
|
60692
|
+
),
|
|
60693
|
+
"ao-attribute" ( /* TCP Authentication option attributes */
|
|
60694
|
+
c(
|
|
60695
|
+
"send-id" arg /* Send id for TCP-AO entry */,
|
|
60696
|
+
"recv-id" arg /* Recv id for TCP-AO entry */,
|
|
60697
|
+
"tcp-ao-option" ( /* Include TCP-AO option within message header */
|
|
60698
|
+
("enabled" | "disabled")
|
|
60699
|
+
),
|
|
60700
|
+
"cryptographic-algorithm" ( /* Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation */
|
|
60701
|
+
("hmac-sha-1-96" | "aes-128-cmac-96")
|
|
60702
|
+
)
|
|
60703
|
+
)
|
|
60456
60704
|
)
|
|
60457
60705
|
)
|
|
60458
60706
|
)
|
|
@@ -61071,6 +61319,7 @@ rule(:security_ike) do
|
|
|
61071
61319
|
"probe-idle-tunnel" /* Send probes same as in optimized mode and also when there is no outgoing & incoming data traffic */,
|
|
61072
61320
|
"always-send" /* Send probes periodically regardless of incoming and outgoing data traffic */
|
|
61073
61321
|
),
|
|
61322
|
+
"always-send" /* Send DPD messages periodically, regardless of traffic */,
|
|
61074
61323
|
"interval" arg /* The time between DPD probe messages Default :10 */,
|
|
61075
61324
|
"threshold" arg /* Maximum number of DPD retransmissions Default :5 */
|
|
61076
61325
|
)
|
|
@@ -61319,6 +61568,21 @@ rule(:security_ipsec_vpn) do
|
|
|
61319
61568
|
),
|
|
61320
61569
|
"security-association" ( /* Define a manual control plane SA */
|
|
61321
61570
|
ipsec_sa /* Define a manual control plane SA */
|
|
61571
|
+
),
|
|
61572
|
+
"internal" ( /* Define an IPSec SA for internal RE-RE communication */
|
|
61573
|
+
c(
|
|
61574
|
+
"security-association" ( /* Define an IPSec security association */
|
|
61575
|
+
ipsec_internal_sa /* Define an IPSec security association */
|
|
61576
|
+
)
|
|
61577
|
+
)
|
|
61578
|
+
),
|
|
61579
|
+
"trusted-channel" ( /* Define an IPSec SA for trusted-channel communication */
|
|
61580
|
+
c(
|
|
61581
|
+
"security-association" ( /* Define an IPSec security association */
|
|
61582
|
+
ipsec_trusted_channel_sa /* Define an IPSec security association */
|
|
61583
|
+
),
|
|
61584
|
+
"port-exclusion-list" arg /* Define port exlusion list */
|
|
61585
|
+
)
|
|
61322
61586
|
)
|
|
61323
61587
|
)
|
|
61324
61588
|
end
|
|
@@ -61603,20 +61867,50 @@ rule(:security_macsec) do
|
|
|
61603
61867
|
),
|
|
61604
61868
|
"connectivity-association" arg ( /* Configure connectivity association properties */
|
|
61605
61869
|
c(
|
|
61606
|
-
"cipher-suite"
|
|
61870
|
+
"cipher-suite" ( /* Cipher suite to be used for encryption */
|
|
61871
|
+
("gcm-aes-128" | "gcm-aes-256" | "gcm-aes-xpn-128" | "gcm-aes-xpn-256")
|
|
61872
|
+
),
|
|
61607
61873
|
"security-mode" ( /* Connectivity association mode */
|
|
61608
61874
|
("dynamic" | "static-sak" | "static-cak")
|
|
61609
61875
|
),
|
|
61610
|
-
"
|
|
61876
|
+
"sak-hash-128" /* Configure to generate 128bit SAK hash to program HW */,
|
|
61877
|
+
"secure-channel" arg ( /* Configure secure channel properties */
|
|
61878
|
+
c(
|
|
61879
|
+
"id" ( /* Secure channel identifier */
|
|
61880
|
+
c(
|
|
61881
|
+
"mac-address" ( /* MAC addresses */
|
|
61882
|
+
mac_addr /* MAC addresses */
|
|
61883
|
+
),
|
|
61884
|
+
"port-id" arg /* Port identifier */
|
|
61885
|
+
)
|
|
61886
|
+
),
|
|
61887
|
+
"direction" ( /* Secure channel direction */
|
|
61888
|
+
("inbound" | "outbound")
|
|
61889
|
+
),
|
|
61890
|
+
"encryption" /* Enable Encryption */,
|
|
61891
|
+
"offset" ( /* Confidentiality offset */
|
|
61892
|
+
("0" | "30" | "50")
|
|
61893
|
+
),
|
|
61894
|
+
"include-sci" /* Include secure channel identifier in MAC Security PDU */,
|
|
61895
|
+
"security-association" arg ( /* Security association */
|
|
61896
|
+
c(
|
|
61897
|
+
"key" arg /* Security association key in hexadecimal format of length 32 */
|
|
61898
|
+
)
|
|
61899
|
+
)
|
|
61900
|
+
)
|
|
61901
|
+
),
|
|
61611
61902
|
"mka" ( /* Configure MAC Security Key Agreement protocol properties */
|
|
61612
61903
|
c(
|
|
61613
61904
|
"transmit-interval" arg /* Configure MKA periodic transmit interval */,
|
|
61905
|
+
"sak-rekey-interval" arg /* Configure SAK rekeying interval */,
|
|
61614
61906
|
"bounded-delay" /* Configure Bounded Hello Time */,
|
|
61907
|
+
"suspend-on-request" /* Configure on key-server to accept suspend-on-request during gres or issu */,
|
|
61908
|
+
"suspend-for" /* Configure to suspend MKA during gres or issu */,
|
|
61615
61909
|
"key-server-priority" arg /* Configure MKA key server priority */,
|
|
61616
61910
|
"must-secure" /* Allow only secure dot1x traffic */,
|
|
61617
61911
|
"should-secure" /* Configure fail open mode for MKA protocol */,
|
|
61618
61912
|
"eapol-address" ( /* Configure EAPOL destination group address */
|
|
61619
|
-
("pae" | "provider-bridge" | "lldp-multicast")
|
|
61913
|
+
("pae" | "provider-bridge" | "lldp-multicast" | arg)
|
|
61620
61914
|
)
|
|
61621
61915
|
)
|
|
61622
61916
|
),
|
|
@@ -61626,6 +61920,7 @@ rule(:security_macsec) do
|
|
|
61626
61920
|
)
|
|
61627
61921
|
),
|
|
61628
61922
|
"no-encryption" /* Disable encryption */,
|
|
61923
|
+
"disable-preceding-key" /* Disable CA preceding key duing key switch-over */,
|
|
61629
61924
|
"offset" ( /* Confidentiality offset */
|
|
61630
61925
|
("0" | "30" | "50")
|
|
61631
61926
|
),
|
|
@@ -61633,14 +61928,35 @@ rule(:security_macsec) do
|
|
|
61633
61928
|
"pre-shared-key" ( /* Configure pre-shared connectivity association key */
|
|
61634
61929
|
c(
|
|
61635
61930
|
"ckn" arg /* Connectivity association key name in hexadecimal format */,
|
|
61636
|
-
"cak" arg /* Connectivity association key in hexadecimal format
|
|
61931
|
+
"cak" arg /* Connectivity association key in hexadecimal format */
|
|
61932
|
+
)
|
|
61933
|
+
),
|
|
61934
|
+
"fallback-key" ( /* Configure fallback key for connectivity association */
|
|
61935
|
+
c(
|
|
61936
|
+
"ckn" arg /* Connectivity association fallback key name in hexadecimal format */,
|
|
61937
|
+
"cak" arg /* Connectivity association fallback key secret in hexadecimal format */
|
|
61637
61938
|
)
|
|
61638
61939
|
),
|
|
61639
61940
|
"pre-shared-key-chain" arg /* Pre-shared key chain name for connectivity association */,
|
|
61640
61941
|
"exclude-protocol" enum(("cdp" | "lldp" | "lacp")) /* Configure protocols to exclude from MAC Security */.as(:oneline)
|
|
61641
61942
|
)
|
|
61642
61943
|
),
|
|
61643
|
-
"interfaces" /* Interfaces on which macsec configuration is applied
|
|
61944
|
+
"interfaces" arg ( /* Interfaces on which macsec configuration is applied */
|
|
61945
|
+
c(
|
|
61946
|
+
"unit" arg ( /* Logical interface */
|
|
61947
|
+
c(
|
|
61948
|
+
"connectivity-association" arg /* Connectivity association name */,
|
|
61949
|
+
"traceoptions" ( /* Tracing options of MKA protocol */
|
|
61950
|
+
mka_trace_options /* Tracing options of MKA protocol */
|
|
61951
|
+
)
|
|
61952
|
+
)
|
|
61953
|
+
),
|
|
61954
|
+
"connectivity-association" arg /* Connectivity association name */,
|
|
61955
|
+
"traceoptions" ( /* Tracing options of MKA protocol */
|
|
61956
|
+
mka_trace_options /* Tracing options of MKA protocol */
|
|
61957
|
+
)
|
|
61958
|
+
)
|
|
61959
|
+
),
|
|
61644
61960
|
"cluster-control-port" arg ( /* Cluster control port on which macsec configuration is applied */
|
|
61645
61961
|
c(
|
|
61646
61962
|
"connectivity-association" arg /* Connectivity association name */,
|
|
@@ -61803,6 +62119,25 @@ rule(:security_pki) do
|
|
|
61803
62119
|
"ca-profiles" arg /* Name of the CA profiles (maximum 20) */
|
|
61804
62120
|
)
|
|
61805
62121
|
),
|
|
62122
|
+
"trap" ( /* Trap options for PKI certificates */
|
|
62123
|
+
c(
|
|
62124
|
+
"certificate-id" arg ( /* Local certificate identifier */
|
|
62125
|
+
c(
|
|
62126
|
+
arg
|
|
62127
|
+
)
|
|
62128
|
+
),
|
|
62129
|
+
"ca-identity" arg ( /* CA identity */
|
|
62130
|
+
c(
|
|
62131
|
+
arg
|
|
62132
|
+
)
|
|
62133
|
+
),
|
|
62134
|
+
"all-certificates" ( /* Trap config for all certificates */
|
|
62135
|
+
c(
|
|
62136
|
+
arg
|
|
62137
|
+
)
|
|
62138
|
+
)
|
|
62139
|
+
)
|
|
62140
|
+
),
|
|
61806
62141
|
"auto-re-enrollment" ( /* Auto re-enroll of certificate */
|
|
61807
62142
|
c(
|
|
61808
62143
|
"cmpv2" ( /* CMPv2 auto re-enrollment configuration */
|
|
@@ -61912,8 +62247,16 @@ rule(:security_traceoptions) do
|
|
|
61912
62247
|
)
|
|
61913
62248
|
).as(:oneline),
|
|
61914
62249
|
"rate-limit" arg /* Limit the incoming rate of trace messages */,
|
|
61915
|
-
"filter" /* Filter parameters for IKE traceoptions
|
|
61916
|
-
|
|
62250
|
+
"filter" ( /* Filter parameters for IKE traceoptions */
|
|
62251
|
+
c(
|
|
62252
|
+
"fpc" arg /* FPC slot number */,
|
|
62253
|
+
"pic" arg /* PIC slot number */
|
|
62254
|
+
)
|
|
62255
|
+
),
|
|
62256
|
+
"flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all" | "ams" | "lic")) /* Tracing parameters */.as(:oneline),
|
|
62257
|
+
"level" ( /* Level of debugging output */
|
|
62258
|
+
("error" | "warning" | "notice" | "info" | "verbose" | "all")
|
|
62259
|
+
)
|
|
61917
62260
|
)
|
|
61918
62261
|
end
|
|
61919
62262
|
|
|
@@ -65982,3 +66325,10 @@ rule(:zone_system_services_object_type) do
|
|
|
65982
66325
|
)
|
|
65983
66326
|
end
|
|
65984
66327
|
|
|
66328
|
+
rule(:tenant_system_type) do
|
|
66329
|
+
arg.as(:arg) (
|
|
66330
|
+
c(
|
|
66331
|
+
"max-sessions" arg /* Max number of IDP sessions */
|
|
66332
|
+
)
|
|
66333
|
+
)
|
|
66334
|
+
end
|