junoser 0.4.7 → 0.5.1

@@ -2102,14 +2102,14 @@ rule(:configuration) do
2102
2102
  "pki" ( /* PKI service configuration */
2103
2103
  security_pki /* PKI service configuration */
2104
2104
  ),
2105
- "ike" ( /* IKE configuration */
2106
- security_ike /* IKE configuration */
2105
+ "group-vpn" ( /* Group VPN configuration */
2106
+ security_group_vpn /* Group VPN configuration */
2107
2107
  ),
2108
2108
  "ipsec" ( /* IPSec configuration */
2109
2109
  security_ipsec_vpn /* IPSec configuration */
2110
2110
  ),
2111
- "group-vpn" ( /* Group VPN configuration */
2112
- security_group_vpn /* Group VPN configuration */
2111
+ "ike" ( /* IKE configuration */
2112
+ security_ike /* IKE configuration */
2113
2113
  ),
2114
2114
  "ipsec-policy" ( /* IPSec policy configuration */
2115
2115
  security_ipsec_policies /* IPSec policy configuration */
@@ -2140,9 +2140,11 @@ rule(:configuration) do
2140
2140
  ipv4addr /* Source address to be used for sending download request */
2141
2141
  ),
2142
2142
  "proxy-profile" arg /* Proxy profile of security package download */,
2143
+ "routing-instance" arg /* Routing instance for security-package download */,
2143
2144
  "install" ( /* Configure install command */
2144
2145
  c(
2145
- "ignore-version-check" /* Skip version check when attack database gets installed */
2146
+ "ignore-version-check" /* Skip version check when attack database gets installed */,
2147
+ "ignore-appid-failure" /* Continue idp installation even if appid installation fails */
2146
2148
  )
2147
2149
  ),
2148
2150
  "automatic" ( /* Scheduled download and update */
@@ -2227,7 +2229,19 @@ rule(:configuration) do
2227
2229
  "session-steering" /* Session steering for session anticipation */,
2228
2230
  "idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */,
2229
2231
  "idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */,
2230
- "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */
2232
+ "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
2233
+ "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
2234
+ "intel-inspect-enable" /* Minimizes IDP processing during system overload */,
2235
+ "intel-inspect-cpu-usg-threshold" arg /* CPU usage threshold percentage for intelligent inspection */,
2236
+ "intel-inspect-cpu-usg-tolerance" arg /* CPU usage tolerance percentage for intelligent inspection */,
2237
+ "intel-inspect-free-mem-threshold" arg /* Free memory threshold percentage for intelligent inspection */,
2238
+ "intel-inspect-mem-tolerance" arg /* Memory tolerance percentage for intelligent inspection */,
2239
+ "intel-inspect-disable-content-decompress" /* Disables payload content decompression */,
2240
+ "intel-inspect-session-bytes-depth" arg /* Session bytes scanning depth */,
2241
+ "intel-inspect-protocols" arg /* Protocols to be processed in Intelligent Inspection mode */,
2242
+ "intel-inspect-signature-severity" ( /* Signature severities to be considered for IDP processing */
2243
+ ("minor" | "major" | "critical")
2244
+ )
2231
2245
  )
2232
2246
  ),
2233
2247
  "re-assembler" ( /* Re-assembler configuration */
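Review bot: The new line at gutter 2233 is an exact duplicate of the one at 2232 (`"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,`), so the same keyword appears twice in this `c(...)` choice. Parslet alternation is ordered, so the second copy can never match and only adds noise to the generated grammar; drop the second line. If this file is regenerated from the Junos schema, the duplicate is more likely a generator/schema artefact and should be de-duplicated there rather than patched by hand. The enclosing `c(` for this choice begins above the hunk.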
@@ -2274,11 +2288,16 @@ rule(:configuration) do
2274
2288
  c(
2275
2289
  "enable-packet-pool" /* Enable packet pool */,
2276
2290
  "no-enable-packet-pool" /* Don't enable packet pool */,
2291
+ "log-xff-header" /* Log xff header */,
2277
2292
  "enable-all-qmodules" /* Enable all qmodules */,
2278
2293
  "no-enable-all-qmodules" /* Don't enable all qmodules */,
2279
2294
  "policy-lookup-cache" /* Policy lookup cache */,
2280
2295
  "no-policy-lookup-cache" /* Don't policy lookup cache */,
2281
- "memory-limit-percent" arg /* Memory limit percentage */
2296
+ "memory-limit-percent" arg /* Memory limit percentage */,
2297
+ "disable-idp-processing" /* Flag to disable IDP processing */,
2298
+ "intelligent-offload" ( /* Intelligently offload the flow */
2299
+ ("disable" | "conservative")
2300
+ )
2282
2301
  )
2283
2302
  ),
2284
2303
  "detector" ( /* Detector Configuration */
@@ -2316,7 +2335,10 @@ rule(:configuration) do
2316
2335
  "logical-system" ( /* Configure max IDP sessions for the logial system */
2317
2336
  logical_system_type /* Configure max IDP sessions for the logial system */
2318
2337
  ),
2319
- "processes" /* Configure IDP Processes */
2338
+ "processes" /* Configure IDP Processes */,
2339
+ "tenant-system" ( /* Configure max IDP sessions for the tenant */
2340
+ tenant_system_type /* Configure max IDP sessions for the tenant */
2341
+ )
2320
2342
  )
2321
2343
  ),
2322
2344
  "address-book" ( /* Security address book */
@@ -8652,7 +8674,7 @@ rule(:application_object) do
8652
8674
  term_object /* Define individual application protocols */
8653
8675
  ),
8654
8676
  "application-protocol" ( /* Application protocol type */
8655
- ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
8677
+ ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp" | "pop3" | "smtps" | "imaps" | "pop3s")
8656
8678
  ),
8657
8679
  "protocol" ( /* Match IP protocol type */
8658
8680
  ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
@@ -8664,7 +8686,9 @@ rule(:application_object) do
8664
8686
  ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
8665
8687
  ),
8666
8688
  "ether-type" arg /* Match ether type */,
8667
- "snmp-command" arg /* Match SNMP command */,
8689
+ "snmp-command" ( /* Match SNMP command */
8690
+ ("get" | "get-next" | "get-response" | "set" | "trap")
8691
+ ),
8668
8692
  "icmp-type" ( /* Match ICMP message type */
8669
8693
  ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
8670
8694
  ),
@@ -10466,7 +10490,17 @@ rule(:custom_attack_type) do
10466
10490
  "count" arg /* Number of times this attack is to be triggered */,
10467
10491
  "scope" ( /* Scope within which the count occurs */
10468
10492
  ("peer" | "source" | "destination")
10469
- )
10493
+ ),
10494
+ "interval" arg /* Maximum time-gap between two instances of the attack. Format : MMm-SSs */
10495
+ )
10496
+ ),
10497
+ "detection-filter" ( /* Detection filter params */
10498
+ c(
10499
+ "count" arg /* Number of matches for this attack to be triggered. Must be greater than 0 */,
10500
+ "scope" ( /* Scope within which the count occurs */
10501
+ ("session" | "source" | "destination")
10502
+ ),
10503
+ "interval" arg /* Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second */
10470
10504
  )
10471
10505
  ),
10472
10506
  "attack-type" ( /* Type of attack */
@@ -10515,6 +10549,155 @@ rule(:custom_attack_type) do
10515
10549
  "context" arg /* Context */,
10516
10550
  "pattern" arg /* Pattern is the signature of the attack you want to detect */,
10517
10551
  "pattern-pcre" arg /* Attack signature pattern in PCRE format */,
10552
+ "content" ( /* Mention the match-modifire parameters to enhance pattern matching */
10553
+ c(
10554
+ "pattern" arg /* Specify match-modifier pattern */,
10555
+ "pcre" arg /* PCRE expression */,
10556
+ "depth" ( /* Maximum depth to search pattern within a packet. Depth is not relative */
10557
+ c(
10558
+ "depth-value" arg /* Specify the value of 'depth' */,
10559
+ "depth-variable" arg /* Specify the variable name from which 'depth' should be extracted */
10560
+ )
10561
+ ),
10562
+ "offset" ( /* Where to start searching for a pattern within a packet. Offset value is not relative */
10563
+ c(
10564
+ "offset-value" arg /* Specify the value of 'offset' */,
10565
+ "offset-variable" arg /* Specify the variable name from which 'offset' should be extracted */
10566
+ )
10567
+ ),
10568
+ "within" ( /* Maximum Number of bytes present between two conjugative pattern match. within is relative */
10569
+ c(
10570
+ "within-value" arg /* Specify the value of 'within' */,
10571
+ "within-variable" arg /* Specify the variable name from which 'within' should be extracted */
10572
+ )
10573
+ ),
10574
+ "distance" ( /* Maximum Length to ignore before searching next pattern match. Distance is relative */
10575
+ c(
10576
+ "distance-value" arg /* Specify the value of 'distance' */,
10577
+ "distance-variable" arg /* Specify the variable name from which 'distance' should be extracted */
10578
+ )
10579
+ ),
10580
+ "byte-extract" ( /* Mention the byte-extract parameters for signature in length encoded protocols */
10581
+ c(
10582
+ "bytes" arg /* Specify the number of bytes to extract from packet */,
10583
+ "offset" arg /* Specify the number of bytes in to payload to start processing */,
10584
+ "var-name" arg /* Specify the name of the variable to reference in other rule options */,
10585
+ "relative" /* Specify whether to use an offset relative to last pattern match or not */,
10586
+ "multiplier" arg /* Specify the value to be multiplied against the bytes read */,
10587
+ "endianness" ( /* Specify the endianness with which bytes read should be processed */
10588
+ ("Little" | "Big")
10589
+ ),
10590
+ "align" ( /* Specify the byte alignment */
10591
+ ("2-byte" | "4-byte")
10592
+ ),
10593
+ "string" ( /* Specify the data type in which string data should be parsed */
10594
+ ("hex" | "dec" | "oct")
10595
+ ),
10596
+ "bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
10597
+ )
10598
+ ),
10599
+ "byte-test" ( /* Mention the byte-test parameters for signature in length encoded protocols */
10600
+ c(
10601
+ "bytes" arg /* Specify the number of bytes to extract from packet */,
10602
+ "offset" ( /* Mention the offset variable name or offset value to be used */
10603
+ c(
10604
+ "offset-value" arg /* Specify the number of bytes in to payload to start processing */,
10605
+ "offset-variable" arg /* Specify the name of the offset variable */
10606
+ )
10607
+ ),
10608
+ "rvalue" ( /* Specify the rvalue to test the converted value against */
10609
+ c(
10610
+ "rvalue-value" arg /* Specify the value */,
10611
+ "rvalue-variable" arg /* Specify the variable name */
10612
+ )
10613
+ ),
10614
+ "relative" /* Specify whether to use an offset relative to last pattern match or not */,
10615
+ "operator" ( /* Specify the operation to perform on extracted value */
10616
+ ("less-than" | "greater-than" | "less-than-or-equal" | "greater-than-or-equal" | "equal" | "bitwise-AND" | "bitwise-XOR")
10617
+ ),
10618
+ "negate" /* Check if the operator is not true */,
10619
+ "endianness" ( /* Specify the endianness with which bytes read should be processed */
10620
+ ("Little" | "Big")
10621
+ ),
10622
+ "string" ( /* Specify the data type in which string data should be parsed */
10623
+ ("hex" | "dec" | "oct")
10624
+ ),
10625
+ "bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
10626
+ )
10627
+ ),
10628
+ "byte-math" ( /* Mention the byte-math parameters for signature in length encoded protocols */
10629
+ c(
10630
+ "bytes" arg /* Specify the number of bytes to extract from packet */,
10631
+ "offset" arg /* Specify the number of bytes in to payload to start processing */,
10632
+ "rvalue" ( /* Specify the value to use mathematical operation against */
10633
+ c(
10634
+ "rvalue-value" arg /* Specify the value */,
10635
+ "rvalue-variable" arg /* Specify the variable name */
10636
+ )
10637
+ ),
10638
+ "relative" /* Specify whether to use an offset relative to last pattern match or not */,
10639
+ "operator" ( /* Specify the operation to perform on extracted value */
10640
+ ("addition" | "subtraction" | "multiplication" | "division" | "right-shift" | "left-shift")
10641
+ ),
10642
+ "endianness" ( /* Specify the endianness with which bytes read should be processed */
10643
+ ("Little" | "Big")
10644
+ ),
10645
+ "string" ( /* Specify the data type in which string data should be parsed */
10646
+ ("hex" | "dec" | "oct")
10647
+ ),
10648
+ "bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
10649
+ "result" arg /* Specify the variable name to which result should be stored */
10650
+ )
10651
+ ),
10652
+ "byte-jump" ( /* Mention the byte-jump parameters for signature in length encoded protocols */
10653
+ c(
10654
+ "bytes" arg /* Specify the number of bytes to extract from packet */,
10655
+ "offset" ( /* Mention the offset variable name or offset value to be used */
10656
+ c(
10657
+ "offset-value" arg /* Specify the number of bytes in to payload to start processing */,
10658
+ "offset-variable" arg /* Specify the name of the offset variable */
10659
+ )
10660
+ ),
10661
+ "relative" /* Specify whether to use an offset relative to last pattern match or not */,
10662
+ "multiplier" arg /* Specify the value to be multiplied against the bytes read */,
10663
+ "endianness" ( /* Specify the endianness with which bytes read should be processed */
10664
+ ("Little" | "Big")
10665
+ ),
10666
+ "align" ( /* Specify the endianness with which bytes read should be processed */
10667
+ ("4-byte")
10668
+ ),
10669
+ "string" ( /* Specify the data type in which string data should be parsed */
10670
+ ("hex" | "dec" | "oct")
10671
+ ),
10672
+ "bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
10673
+ "from-beginning" /* Enable jump from the beginning of the payload */,
10674
+ "from-end" /* Enable jump from the end of the payload */,
10675
+ "post-offset" arg /* Specify the number of bytes to skip forward or backward */
10676
+ )
10677
+ ),
10678
+ "is-data-at" ( /* Mention the is-data-at parameters for signature in length encoded protocols */
10679
+ c(
10680
+ "offset" ( /* Mention the offset variable name or offset value to be used */
10681
+ c(
10682
+ "offset-value" arg /* Specify the number of bytes in to payload to start processing */,
10683
+ "offset-variable" arg /* Specify the name of the offset variable */
10684
+ )
10685
+ ),
10686
+ "relative" /* Specify whether to use an offset relative to last pattern match or not */,
10687
+ "negate" /* Negates the results of the isdataat test */
10688
+ )
10689
+ )
10690
+ )
10691
+ ),
10692
+ "optional-parameters" ( /* Mention the optional parameters to enhance pattern matching */
10693
+ c(
10694
+ "min-offset" arg /* Minimum offset in data at which pattern-match can end */,
10695
+ "max-offset" arg /* Maximum offset in data at which pattern-match can end */,
10696
+ "min-length" arg /* Minimum match length required to match the pattern */,
10697
+ "edit-distance" arg /* Match the pattern within this edit distance */,
10698
+ "hamming-distance" arg /* Match the pattern within this hamming distance */
10699
+ )
10700
+ ),
10518
10701
  "regexp" arg /* Regular expression used for matching repetition of patterns */,
10519
10702
  "negate" /* Trigger the attack if condition is not met */,
10520
10703
  "direction" ( /* Connection direction of the attack */
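Review bot: The help comment on the `byte-jump` `align` keyword (gutter 10666) is a copy-paste of the `endianness` text — `"align" ( /* Specify the endianness with which bytes read should be processed */` — whereas the matching keyword under `byte-extract` (gutter 10590) correctly says `/* Specify the byte alignment */`; the two should agree. The `content` header comment at gutter 10552 also misspells the term as `match-modifire` while the child at 10554 uses `match-modifier`. If these strings are lifted verbatim from the Junos schema help text, the fix belongs in the generator or upstream rather than in a hand edit, but the mismatch is worth recording either way since this text is what users see in parse errors and docs. The enclosing `c(` for this rule body starts above the hunk.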
@@ -12030,6 +12213,13 @@ rule(:dynamic_attack_group_type) do
12030
12213
  "values" arg /* Values for vulnariability-type field */
12031
12214
  )
12032
12215
  ),
12216
+ "excluded" /* Excluded Attacks */,
12217
+ "no-excluded" /* Don't excluded Attacks */,
12218
+ "attack-prefix" ( /* Prefix match for attack names */
12219
+ c(
12220
+ "values" arg /* Values for attack name prefix match */
12221
+ )
12222
+ ),
12033
12223
  "cvss-score" ("greater-than" | "less-than") ( /* CVSS score of Attack */
12034
12224
  c(
12035
12225
  "value" arg /* Match value */
@@ -13211,8 +13401,12 @@ rule(:idp_policy_type) do
13211
13401
  "source-except" ( /* Don't match source address */
13212
13402
  (arg)
13213
13403
  ),
13214
- "source-prefix" /* Match source address */,
13215
- "source-prefix-except" /* Don't match source address */
13404
+ "source-prefix" ( /* Match source address */
13405
+ ipv4prefix /* Match source address */
13406
+ ),
13407
+ "source-prefix-except" ( /* Don't match source address */
13408
+ ipv4prefix /* Don't match source address */
13409
+ )
13216
13410
  ),
13217
13411
  "to-zone" ( /* Match to zone */
13218
13412
  ("any" | arg)
@@ -13224,8 +13418,12 @@ rule(:idp_policy_type) do
13224
13418
  "destination-except" ( /* Don't match destination address */
13225
13419
  (arg)
13226
13420
  ),
13227
- "destination-prefix" /* Match destination address */,
13228
- "destination-prefix-except" /* Don't match destination address */
13421
+ "destination-prefix" ( /* Match destination address */
13422
+ ipv4prefix /* Match destination address */
13423
+ ),
13424
+ "destination-prefix-except" ( /* Don't match destination address */
13425
+ ipv4prefix /* Don't match destination address */
13426
+ )
13229
13427
  ),
13230
13428
  "application" ( /* Specify application or application-set name to match */
13231
13429
  ("any" | "default" | arg)
@@ -13302,6 +13500,16 @@ rule(:idp_policy_type) do
13302
13500
  ),
13303
13501
  "severity" ( /* Set rule severity level */
13304
13502
  ("info" | "warning" | "minor" | "major" | "critical")
13503
+ ),
13504
+ "application-services" ( /* Enable application services for this rule */
13505
+ c(
13506
+ "security-intelligence" ( /* Generate security intellegence feeds */
13507
+ c(
13508
+ "add-attacker-ip-to-feed" arg /* Specify the desired feed-name */,
13509
+ "add-target-ip-to-feed" arg /* Specify the desired feed-name */
13510
+ )
13511
+ )
13512
+ )
13305
13513
  )
13306
13514
  )
13307
13515
  ),
@@ -13327,8 +13535,12 @@ rule(:idp_policy_type) do
13327
13535
  "source-except" ( /* Don't match source address */
13328
13536
  (arg)
13329
13537
  ),
13330
- "source-prefix" /* Match source address */,
13331
- "source-prefix-except" /* Don't match source address */
13538
+ "source-prefix" ( /* Match source address */
13539
+ ipv4prefix /* Match source address */
13540
+ ),
13541
+ "source-prefix-except" ( /* Don't match source address */
13542
+ ipv4prefix /* Don't match source address */
13543
+ )
13332
13544
  ),
13333
13545
  "to-zone" ( /* Match to zone */
13334
13546
  ("any" | arg)
@@ -13340,8 +13552,12 @@ rule(:idp_policy_type) do
13340
13552
  "destination-except" ( /* Don't match destination address */
13341
13553
  (arg)
13342
13554
  ),
13343
- "destination-prefix" /* Match destination address */,
13344
- "destination-prefix-except" /* Don't match destination address */
13555
+ "destination-prefix" ( /* Match destination address */
13556
+ ipv4prefix /* Match destination address */
13557
+ ),
13558
+ "destination-prefix-except" ( /* Don't match destination address */
13559
+ ipv4prefix /* Don't match destination address */
13560
+ )
13345
13561
  ),
13346
13562
  "attacks" ( /* Match attack objects */
13347
13563
  c(
@@ -55982,6 +56198,11 @@ rule(:nat_object) do
55982
56198
  "pool" ( /* Define a NAT pool */
55983
56199
  nat_pool_object /* Define a NAT pool */
55984
56200
  ),
56201
+ "ipv6-multicast-interfaces" ("all" | "interface-name") ( /* Enable IPv6 multicast filter for IPv6 NAT */
56202
+ c(
56203
+ "disable" /* Disable IPv6 multicast filter for IPv6 NAT */
56204
+ )
56205
+ ),
55985
56206
  "ipv6-multicast-interfaces" /* Enable IPv6 multicast filter for IPv6 NAT */,
55986
56207
  "allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */,
55987
56208
  "rule" ( /* Define a NAT rule */
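Review bot: In the new `ipv6-multicast-interfaces` alternative (gutter 56201), `("all" | "interface-name")` treats `interface-name` as a literal keyword, but it reads like the schema placeholder for an actual interface name, so a real config such as `ipv6-multicast-interfaces ge-0/0/0 { disable; }` would presumably not parse. If that is the case the alternative should be `"ipv6-multicast-interfaces" ("all" | arg) ( /* Enable IPv6 multicast filter for IPv6 NAT */`, consistent with how other interface-taking keywords in this file use `arg` or an interface rule. The bare `"ipv6-multicast-interfaces"` form kept at gutter 56206 is still needed for the flag-only case, and because Parslet tries alternatives in order the longer form at 56201 is correctly listed first. The enclosing `c(` for `nat_object` begins above the hunk.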
@@ -55990,16 +56211,31 @@ rule(:nat_object) do
55990
56211
  "port-forwarding" ( /* Define a port-forwarding pool */
55991
56212
  pf_mapping /* Define a port-forwarding pool */
55992
56213
  ),
55993
- "rule-set" /* Defines a set of NAT rules */
56214
+ "rule-set" arg ( /* Defines a set of NAT rules */
56215
+ c(
56216
+ "rule" arg /* Rule to be included in this rule set */
56217
+ )
56218
+ )
55994
56219
  )
55995
56220
  end
55996
56221
 
55997
56222
  rule(:nat_pool_object) do
55998
56223
  arg.as(:arg) (
55999
56224
  c(
56000
- "pgcp" /* NAT pool should be used exclusive by the pgcp service */,
56225
+ "pgcp" ( /* NAT pool should be used exclusive by the pgcp service */
56226
+ c(
56227
+ "remotely-controlled" /* Remotely controlled NAT pool allocation */,
56228
+ "ports-per-session" arg /* Number of ports to allocate in each call setup */,
56229
+ "hint" arg /* NAT hints */,
56230
+ ("tcp" | "udp" | "rtp-avp")
56231
+ )
56232
+ ),
56001
56233
  "address" arg /* Address or address prefix for NAT */,
56002
- "interface" /* Interface for nat pool */.as(:oneline),
56234
+ "interface" ( /* Interface for nat pool */
56235
+ sc(
56236
+ interface_unit
56237
+ )
56238
+ ).as(:oneline),
56003
56239
  "address-overload" /* Nat pool address overload with JunOS */,
56004
56240
  "address-range" ( /* Range of addresses for NAT */
56005
56241
  s(
@@ -60449,10 +60685,22 @@ rule(:security_authentication_key_chains) do
60449
60685
  time /* Start time for key transmission (YYYY-MM-DD.HH:MM) */
60450
60686
  ),
60451
60687
  "algorithm" ( /* Authentication algorithm */
60452
- ("md5" | "hmac-sha-1")
60688
+ ("md5" | "hmac-sha-1" | "ao")
60453
60689
  ),
60454
60690
  "options" ( /* Protocol's transmission encoding format */
60455
60691
  ("basic" | "isis-enhanced")
60692
+ ),
60693
+ "ao-attribute" ( /* TCP Authentication option attributes */
60694
+ c(
60695
+ "send-id" arg /* Send id for TCP-AO entry */,
60696
+ "recv-id" arg /* Recv id for TCP-AO entry */,
60697
+ "tcp-ao-option" ( /* Include TCP-AO option within message header */
60698
+ ("enabled" | "disabled")
60699
+ ),
60700
+ "cryptographic-algorithm" ( /* Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation */
60701
+ ("hmac-sha-1-96" | "aes-128-cmac-96")
60702
+ )
60703
+ )
60456
60704
  )
60457
60705
  )
60458
60706
  )
@@ -61071,6 +61319,7 @@ rule(:security_ike) do
61071
61319
  "probe-idle-tunnel" /* Send probes same as in optimized mode and also when there is no outgoing & incoming data traffic */,
61072
61320
  "always-send" /* Send probes periodically regardless of incoming and outgoing data traffic */
61073
61321
  ),
61322
+ "always-send" /* Send DPD messages periodically, regardless of traffic */,
61074
61323
  "interval" arg /* The time between DPD probe messages Default :10 */,
61075
61324
  "threshold" arg /* Maximum number of DPD retransmissions Default :5 */
61076
61325
  )
@@ -61319,6 +61568,21 @@ rule(:security_ipsec_vpn) do
61319
61568
  ),
61320
61569
  "security-association" ( /* Define a manual control plane SA */
61321
61570
  ipsec_sa /* Define a manual control plane SA */
61571
+ ),
61572
+ "internal" ( /* Define an IPSec SA for internal RE-RE communication */
61573
+ c(
61574
+ "security-association" ( /* Define an IPSec security association */
61575
+ ipsec_internal_sa /* Define an IPSec security association */
61576
+ )
61577
+ )
61578
+ ),
61579
+ "trusted-channel" ( /* Define an IPSec SA for trusted-channel communication */
61580
+ c(
61581
+ "security-association" ( /* Define an IPSec security association */
61582
+ ipsec_trusted_channel_sa /* Define an IPSec security association */
61583
+ ),
61584
+ "port-exclusion-list" arg /* Define port exlusion list */
61585
+ )
61322
61586
  )
61323
61587
  )
61324
61588
  end
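Review bot: The new `internal` and `trusted-channel` branches reference the rules `ipsec_internal_sa` and `ipsec_trusted_channel_sa` (gutter 61575 and 61582), but no definition for either appears in this diff, and the only rule added at the end of the file is `tenant_system_type`. If they are not already defined elsewhere in 0.4.7, this will not fail at load time — Parslet evaluates rule bodies lazily — but the first parse of any `security ipsec` stanza will raise `NameError` for the missing rule. Please confirm both rules exist, and consider adding a parse test that exercises `security ipsec internal security-association ...` so a missing rule surfaces in CI rather than at runtime. `security_ipsec_vpn`'s `c(` opens above the hunk.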
@@ -61603,20 +61867,50 @@ rule(:security_macsec) do
61603
61867
  ),
61604
61868
  "connectivity-association" arg ( /* Configure connectivity association properties */
61605
61869
  c(
61606
- "cipher-suite" arg /* Cipher suite to be used for encryption */,
61870
+ "cipher-suite" ( /* Cipher suite to be used for encryption */
61871
+ ("gcm-aes-128" | "gcm-aes-256" | "gcm-aes-xpn-128" | "gcm-aes-xpn-256")
61872
+ ),
61607
61873
  "security-mode" ( /* Connectivity association mode */
61608
61874
  ("dynamic" | "static-sak" | "static-cak")
61609
61875
  ),
61610
- "secure-channel" /* Configure secure channel properties */,
61876
+ "sak-hash-128" /* Configure to generate 128bit SAK hash to program HW */,
61877
+ "secure-channel" arg ( /* Configure secure channel properties */
61878
+ c(
61879
+ "id" ( /* Secure channel identifier */
61880
+ c(
61881
+ "mac-address" ( /* MAC addresses */
61882
+ mac_addr /* MAC addresses */
61883
+ ),
61884
+ "port-id" arg /* Port identifier */
61885
+ )
61886
+ ),
61887
+ "direction" ( /* Secure channel direction */
61888
+ ("inbound" | "outbound")
61889
+ ),
61890
+ "encryption" /* Enable Encryption */,
61891
+ "offset" ( /* Confidentiality offset */
61892
+ ("0" | "30" | "50")
61893
+ ),
61894
+ "include-sci" /* Include secure channel identifier in MAC Security PDU */,
61895
+ "security-association" arg ( /* Security association */
61896
+ c(
61897
+ "key" arg /* Security association key in hexadecimal format of length 32 */
61898
+ )
61899
+ )
61900
+ )
61901
+ ),
61611
61902
  "mka" ( /* Configure MAC Security Key Agreement protocol properties */
61612
61903
  c(
61613
61904
  "transmit-interval" arg /* Configure MKA periodic transmit interval */,
61905
+ "sak-rekey-interval" arg /* Configure SAK rekeying interval */,
61614
61906
  "bounded-delay" /* Configure Bounded Hello Time */,
61907
+ "suspend-on-request" /* Configure on key-server to accept suspend-on-request during gres or issu */,
61908
+ "suspend-for" /* Configure to suspend MKA during gres or issu */,
61615
61909
  "key-server-priority" arg /* Configure MKA key server priority */,
61616
61910
  "must-secure" /* Allow only secure dot1x traffic */,
61617
61911
  "should-secure" /* Configure fail open mode for MKA protocol */,
61618
61912
  "eapol-address" ( /* Configure EAPOL destination group address */
61619
- ("pae" | "provider-bridge" | "lldp-multicast")
61913
+ ("pae" | "provider-bridge" | "lldp-multicast" | arg)
61620
61914
  )
61621
61915
  )
61622
61916
  ),
@@ -61626,6 +61920,7 @@ rule(:security_macsec) do
61626
61920
  )
61627
61921
  ),
61628
61922
  "no-encryption" /* Disable encryption */,
61923
+ "disable-preceding-key" /* Disable CA preceding key duing key switch-over */,
61629
61924
  "offset" ( /* Confidentiality offset */
61630
61925
  ("0" | "30" | "50")
61631
61926
  ),
@@ -61633,14 +61928,35 @@ rule(:security_macsec) do
61633
61928
  "pre-shared-key" ( /* Configure pre-shared connectivity association key */
61634
61929
  c(
61635
61930
  "ckn" arg /* Connectivity association key name in hexadecimal format */,
61636
- "cak" arg /* Connectivity association key in hexadecimal format (max_length = 64) */
61931
+ "cak" arg /* Connectivity association key in hexadecimal format */
61932
+ )
61933
+ ),
61934
+ "fallback-key" ( /* Configure fallback key for connectivity association */
61935
+ c(
61936
+ "ckn" arg /* Connectivity association fallback key name in hexadecimal format */,
61937
+ "cak" arg /* Connectivity association fallback key secret in hexadecimal format */
61637
61938
  )
61638
61939
  ),
61639
61940
  "pre-shared-key-chain" arg /* Pre-shared key chain name for connectivity association */,
61640
61941
  "exclude-protocol" enum(("cdp" | "lldp" | "lacp")) /* Configure protocols to exclude from MAC Security */.as(:oneline)
61641
61942
  )
61642
61943
  ),
61643
- "interfaces" /* Interfaces on which macsec configuration is applied */,
61944
+ "interfaces" arg ( /* Interfaces on which macsec configuration is applied */
61945
+ c(
61946
+ "unit" arg ( /* Logical interface */
61947
+ c(
61948
+ "connectivity-association" arg /* Connectivity association name */,
61949
+ "traceoptions" ( /* Tracing options of MKA protocol */
61950
+ mka_trace_options /* Tracing options of MKA protocol */
61951
+ )
61952
+ )
61953
+ ),
61954
+ "connectivity-association" arg /* Connectivity association name */,
61955
+ "traceoptions" ( /* Tracing options of MKA protocol */
61956
+ mka_trace_options /* Tracing options of MKA protocol */
61957
+ )
61958
+ )
61959
+ ),
61644
61960
  "cluster-control-port" arg ( /* Cluster control port on which macsec configuration is applied */
61645
61961
  c(
61646
61962
  "connectivity-association" arg /* Connectivity association name */,
@@ -61803,6 +62119,25 @@ rule(:security_pki) do
61803
62119
  "ca-profiles" arg /* Name of the CA profiles (maximum 20) */
61804
62120
  )
61805
62121
  ),
62122
+ "trap" ( /* Trap options for PKI certificates */
62123
+ c(
62124
+ "certificate-id" arg ( /* Local certificate identifier */
62125
+ c(
62126
+ arg
62127
+ )
62128
+ ),
62129
+ "ca-identity" arg ( /* CA identity */
62130
+ c(
62131
+ arg
62132
+ )
62133
+ ),
62134
+ "all-certificates" ( /* Trap config for all certificates */
62135
+ c(
62136
+ arg
62137
+ )
62138
+ )
62139
+ )
62140
+ ),
61806
62141
  "auto-re-enrollment" ( /* Auto re-enroll of certificate */
61807
62142
  c(
61808
62143
  "cmpv2" ( /* CMPv2 auto re-enrollment configuration */
@@ -61912,8 +62247,16 @@ rule(:security_traceoptions) do
61912
62247
  )
61913
62248
  ).as(:oneline),
61914
62249
  "rate-limit" arg /* Limit the incoming rate of trace messages */,
61915
- "filter" /* Filter parameters for IKE traceoptions */,
61916
- "flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all")) /* Tracing parameters for IKE */.as(:oneline)
62250
+ "filter" ( /* Filter parameters for IKE traceoptions */
62251
+ c(
62252
+ "fpc" arg /* FPC slot number */,
62253
+ "pic" arg /* PIC slot number */
62254
+ )
62255
+ ),
62256
+ "flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all" | "ams" | "lic")) /* Tracing parameters */.as(:oneline),
62257
+ "level" ( /* Level of debugging output */
62258
+ ("error" | "warning" | "notice" | "info" | "verbose" | "all")
62259
+ )
61917
62260
  )
61918
62261
  end
61919
62262
 
@@ -65982,3 +66325,10 @@ rule(:zone_system_services_object_type) do
65982
66325
  )
65983
66326
  end
65984
66327
 
66328
+ rule(:tenant_system_type) do
66329
+ arg.as(:arg) (
66330
+ c(
66331
+ "max-sessions" arg /* Max number of IDP sessions */
66332
+ )
66333
+ )
66334
+ end