@pulumi/juniper-mist 0.9.0 → 0.10.0

package/types/output.d.ts

@@ -425,6 +425,10 @@ export declare namespace device {
          * enum: `base`, `remote`
          */
         role?: string;
+        /**
+         * Whether to use WPA3 on the 5 GHz band for mesh links
+         */
+        useWpa3On5?: boolean;
     }
     interface ApPortConfig {
         disabled: boolean;
@@ -934,6 +938,28 @@ export declare namespace device {
          */
         vlanId?: number;
     }
+    interface ApZigbeeConfig {
+        /**
+         * Controls whether new Zigbee devices are allowed to join the network. enum: `always`, `manual`
+         */
+        allowJoin?: string;
+        /**
+         * Zigbee channel (2.4 GHz). `0` means auto; valid fixed values are 11–26
+         */
+        channel?: number;
+        /**
+         * Whether to enable Zigbee on this AP
+         */
+        enabled?: boolean;
+        /**
+         * Extended PAN ID in hex string format; only applicable when `panId` is also specified
+         */
+        extendedPanId?: string;
+        /**
+         * PAN ID in hex string format; if not specified, assigned automatically
+         */
+        panId?: string;
+    }
     interface BaseLatlng {
         lat: number;
         lng: number;
@@ -1042,6 +1068,10 @@ export declare namespace device {
          * Neighbor AS. Value must be in range 1-4294967295 or a variable (e.g. `{{as_variable}}`)
          */
         neighborAs: string;
+        /**
+         * If `via`==`tunnel`, specifies which tunnel (primary/secondary) this neighbor is associated with. enum: `primary`, `secondary`
+         */
+        tunnelVia?: string;
     }
     interface GatewayClusterNode {
         /**
@@ -1164,10 +1194,125 @@ export declare namespace device {
         via: string;
     }
     interface GatewayGatewayMgmt {
+        /**
+         * For SSR only, as direct root access is not allowed
+         */
+        adminSshkeys?: string[];
+        appProbing?: outputs.device.GatewayGatewayMgmtAppProbing;
+        /**
+         * Consumes uplink bandwidth, requires WA license
+         */
+        appUsage?: boolean;
+        autoSignatureUpdate?: outputs.device.GatewayGatewayMgmtAutoSignatureUpdate;
         /**
          * Rollback timer for commit confirmed
          */
         configRevertTimer?: number;
+        /**
+         * For SSR and SRX, disable console port
+         */
+        disableConsole?: boolean;
+        /**
+         * For SSR and SRX, disable management interface
+         */
+        disableOob?: boolean;
+        /**
+         * For SSR and SRX, disable usb interface
+         */
+        disableUsb?: boolean;
+        fipsEnabled?: boolean;
+        probeHosts?: string[];
+        probeHostsv6s?: string[];
+        /**
+         * Restrict inbound-traffic to host
+         * when enabled, all traffic that is not essential to our operation will be dropped
+         * e.g. ntp / dns / traffic to mist will be allowed by default, if dhcpd is enabled, we'll make sure it works
+         */
+        protectRe?: outputs.device.GatewayGatewayMgmtProtectRe;
+        /**
+         * SRX only
+         */
+        rootPassword?: string;
+        securityLogSourceAddress?: string;
+        securityLogSourceInterface?: string;
+    }
+    interface GatewayGatewayMgmtAppProbing {
+        /**
+         * APp-keys from List Applications
+         */
+        apps?: string[];
+        customApps?: outputs.device.GatewayGatewayMgmtAppProbingCustomApp[];
+        enabled?: boolean;
+    }
+    interface GatewayGatewayMgmtAppProbingCustomApp {
+        /**
+         * Required if `protocol`==`icmp`
+         */
+        address?: string;
+        appType?: string;
+        /**
+         * If `protocol`==`http`
+         */
+        hostnames?: string[];
+        key?: string;
+        name?: string;
+        network?: string;
+        /**
+         * If `protocol`==`icmp`
+         */
+        packetSize?: number;
+        /**
+         * enum: `http`, `icmp`
+         */
+        protocol?: string;
+        /**
+         * If `protocol`==`http`
+         */
+        url?: string;
+        vrf?: string;
+    }
+    interface GatewayGatewayMgmtAutoSignatureUpdate {
+        /**
+         * enum: `any`, `fri`, `mon`, `sat`, `sun`, `thu`, `tue`, `wed`
+         */
+        dayOfWeek?: string;
+        enable?: boolean;
+        /**
+         * Optional, Mist will decide the timing
+         */
+        timeOfDay?: string;
+    }
+    interface GatewayGatewayMgmtProtectRe {
+        /**
+         * Optionally, services we'll allow
+         */
+        allowedServices?: string[];
+        customs?: outputs.device.GatewayGatewayMgmtProtectReCustom[];
+        /**
+         * When enabled, all traffic that is not essential to our operation will be dropped
+         * e.g. ntp / dns / traffic to mist will be allowed by default
+         *      if dhcpd is enabled, we'll make sure it works
+         */
+        enabled?: boolean;
+        /**
+         * Whether to enable hit count for Protect_RE policy
+         */
+        hitCount?: boolean;
+        /**
+         * host/subnets we'll allow traffic to/from
+         */
+        trustedHosts?: string[];
+    }
+    interface GatewayGatewayMgmtProtectReCustom {
+        /**
+         * Matched dst port, "0" means any
+         */
+        portRange?: string;
+        /**
+         * enum: `any`, `icmp`, `tcp`, `udp`
+         */
+        protocol?: string;
+        subnets?: string[];
     }
     interface GatewayIdpProfiles {
         /**
@@ -1428,7 +1573,7 @@ export declare namespace device {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -1452,7 +1597,7 @@ export declare namespace device {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -1585,6 +1730,10 @@ export declare namespace device {
          */
         outerVlanId?: number;
         poeDisabled?: boolean;
+        /**
+         * Whether Perpetual PoE capabilities are enabled for a port
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * Only for SRX and if `usage`==`lan`, the name of the Network to be used as the Untagged VLAN
          */
@@ -2049,7 +2198,7 @@ export declare namespace device {
          */
         ipsecLifetime?: number;
         /**
-         * Only if  `provider`==`custom-ipsec`
+         * Only if `provider`==`custom-ipsec`
          */
         ipsecProposals?: outputs.device.GatewayTunnelConfigsIpsecProposal[];
         /**
@@ -2199,7 +2348,7 @@ export declare namespace device {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -2230,7 +2379,7 @@ export declare namespace device {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -5083,7 +5232,7 @@ export declare namespace device {
             [key: string]: outputs.device.SwitchDhcpdConfigConfigFixedBindings;
         };
         /**
-         * If `type`==`server`  - optional, `ip` will be used if not provided
+         * If `type`==`server` - optional, `ip` will be used if not provided
          */
         gateway?: string;
         /**
@@ -5173,7 +5322,7 @@ export declare namespace device {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -5189,7 +5338,7 @@ export declare namespace device {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -5546,7 +5695,11 @@ export declare namespace device {
          */
         aeIdx?: number;
         /**
-         * To use fast timeout
+         * If `aggregated`==`true`, sets the state of the interface as UP when the peer has limited LACP capability. Use case: When a device connected to this AE port is ZTPing for the first time, it will not have LACP configured on the other end. **Note:** Turning this on will enable force-up on one of the interfaces in the bundle only
+         */
+        aeLacpForceUp?: boolean;
+        /**
+         * To use slow timeout
          */
         aeLacpSlow?: boolean;
         aggregated?: boolean;
@@ -5609,6 +5762,10 @@ export declare namespace device {
          * Whether PoE capabilities are disabled for a port
          */
         poeDisabled: boolean;
+        /**
+         * Whether Perpetual PoE is enabled; keeps PoE state across reboots
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * Native network/vlan for untagged traffic
          */
@@ -5749,6 +5906,10 @@ export declare namespace device {
          * Only if `mode`!=`dynamic`. Whether PoE capabilities are disabled for a port
          */
         poeDisabled?: boolean;
+        /**
+         * Only if `mode`!=`dynamic`. Whether Perpetual PoE is enabled; keeps PoE state across reboots
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * PoE priority. enum: `low`, `high`
          */
@@ -6783,6 +6944,10 @@ export declare namespace org {
          * enum: `base`, `remote`
          */
         role?: string;
+        /**
+         * Whether to use WPA3 on the 5 GHz band for mesh links
+         */
+        useWpa3On5?: boolean;
     }
     interface DeviceprofileApPortConfig {
         disabled: boolean;
@@ -7292,6 +7457,28 @@ export declare namespace org {
          */
         vlanId?: number;
     }
+    interface DeviceprofileApZigbeeConfig {
+        /**
+         * Controls whether new Zigbee devices are allowed to join the network. enum: `always`, `manual`
+         */
+        allowJoin?: string;
+        /**
+         * Zigbee channel (2.4 GHz). `0` means auto; valid fixed values are 11–26
+         */
+        channel?: number;
+        /**
+         * Whether to enable Zigbee on this AP
+         */
+        enabled?: boolean;
+        /**
+         * Extended PAN ID in hex string format; only applicable when `panId` is also specified
+         */
+        extendedPanId?: string;
+        /**
+         * PAN ID in hex string format; if not specified, assigned automatically
+         */
+        panId?: string;
+    }
     interface DeviceprofileGatewayBgpConfig {
         /**
          * Optional if `via`==`lan`, `via`==`tunnel` or `via`==`wan`
@@ -7396,6 +7583,10 @@ export declare namespace org {
          * Neighbor AS. Value must be in range 1-4294967295 or a variable (e.g. `{{as_variable}}`)
          */
         neighborAs: string;
+        /**
+         * If `via`==`tunnel`, specifies which tunnel (primary/secondary) this neighbor is associated with. enum: `primary`, `secondary`
+         */
+        tunnelVia?: string;
     }
     interface DeviceprofileGatewayDhcpdConfig {
         /**
@@ -7766,7 +7957,7 @@ export declare namespace org {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -7790,7 +7981,7 @@ export declare namespace org {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -7923,6 +8114,10 @@ export declare namespace org {
          */
         outerVlanId?: number;
         poeDisabled?: boolean;
+        /**
+         * Whether Perpetual PoE capabilities are enabled for a port
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * Only for SRX and if `usage`==`lan`, the name of the Network to be used as the Untagged VLAN
          */
@@ -8377,7 +8572,7 @@ export declare namespace org {
          */
         ipsecLifetime?: number;
         /**
-         * Only if  `provider`==`custom-ipsec`
+         * Only if `provider`==`custom-ipsec`
          */
         ipsecProposals?: outputs.org.DeviceprofileGatewayTunnelConfigsIpsecProposal[];
         /**
@@ -8527,7 +8722,7 @@ export declare namespace org {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -8558,7 +8753,7 @@ export declare namespace org {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -8731,6 +8926,10 @@ export declare namespace org {
          * Optional, for ERB or CLOS, you can either use esilag to upstream routers or to also be the virtual-gateway. When `routedAt` != `core`, whether to do virtual-gateway at core as well
          */
         coreAsBorder: boolean;
+        /**
+         * Whether to route management traffic inband; routes will be propagated to downstream switches
+         */
+        enableInbandMgmt?: boolean;
         /**
          * if the mangement traffic goes inbnd, during installation, only the border/core switches are connected to the Internet to allow initial configuration to be pushed down and leave the downstream access switches stay in the Factory Default state enabling inband-ztp allows upstream switches to use LLDP to assign IP and gives Internet to downstream switches in that state
          */
@@ -8914,6 +9113,10 @@ export declare namespace org {
          * Neighbor AS. Value must be in range 1-4294967295 or a variable (e.g. `{{as_variable}}`)
          */
         neighborAs: string;
+        /**
+         * If `via`==`tunnel`, specifies which tunnel (primary/secondary) this neighbor is associated with. enum: `primary`, `secondary`
+         */
+        tunnelVia?: string;
     }
     interface GatewaytemplateDhcpdConfig {
         /**
@@ -9029,6 +9232,127 @@ export declare namespace org {
     interface GatewaytemplateExtraRoutes6 {
         via: string;
     }
+    interface GatewaytemplateGatewayMgmt {
+        /**
+         * For SSR only, as direct root access is not allowed
+         */
+        adminSshkeys?: string[];
+        appProbing?: outputs.org.GatewaytemplateGatewayMgmtAppProbing;
+        /**
+         * Consumes uplink bandwidth, requires WA license
+         */
+        appUsage?: boolean;
+        autoSignatureUpdate?: outputs.org.GatewaytemplateGatewayMgmtAutoSignatureUpdate;
+        /**
+         * Rollback timer for commit confirmed
+         */
+        configRevertTimer: number;
+        /**
+         * For SSR and SRX, disable console port
+         */
+        disableConsole?: boolean;
+        /**
+         * For SSR and SRX, disable management interface
+         */
+        disableOob?: boolean;
+        /**
+         * For SSR and SRX, disable usb interface
+         */
+        disableUsb?: boolean;
+        fipsEnabled?: boolean;
+        probeHosts?: string[];
+        probeHostsv6s?: string[];
+        /**
+         * Restrict inbound-traffic to host
+         * when enabled, all traffic that is not essential to our operation will be dropped
+         * e.g. ntp / dns / traffic to mist will be allowed by default, if dhcpd is enabled, we'll make sure it works
+         */
+        protectRe?: outputs.org.GatewaytemplateGatewayMgmtProtectRe;
+        /**
+         * SRX only
+         */
+        rootPassword?: string;
+        securityLogSourceAddress?: string;
+        securityLogSourceInterface?: string;
+    }
+    interface GatewaytemplateGatewayMgmtAppProbing {
+        /**
+         * APp-keys from List Applications
+         */
+        apps?: string[];
+        customApps?: outputs.org.GatewaytemplateGatewayMgmtAppProbingCustomApp[];
+        enabled?: boolean;
+    }
+    interface GatewaytemplateGatewayMgmtAppProbingCustomApp {
+        /**
+         * Required if `protocol`==`icmp`
+         */
+        address?: string;
+        appType?: string;
+        /**
+         * If `protocol`==`http`
+         */
+        hostnames?: string[];
+        key?: string;
+        name?: string;
+        network?: string;
+        /**
+         * If `protocol`==`icmp`
+         */
+        packetSize?: number;
+        /**
+         * enum: `http`, `icmp`
+         */
+        protocol?: string;
+        /**
+         * If `protocol`==`http`
+         */
+        url?: string;
+        vrf?: string;
+    }
+    interface GatewaytemplateGatewayMgmtAutoSignatureUpdate {
+        /**
+         * enum: `any`, `fri`, `mon`, `sat`, `sun`, `thu`, `tue`, `wed`
+         */
+        dayOfWeek?: string;
+        enable?: boolean;
+        /**
+         * Optional, Mist will decide the timing
+         */
+        timeOfDay?: string;
+    }
+    interface GatewaytemplateGatewayMgmtProtectRe {
+        /**
+         * Optionally, services we'll allow
+         */
+        allowedServices?: string[];
+        customs?: outputs.org.GatewaytemplateGatewayMgmtProtectReCustom[];
+        /**
+         * When enabled, all traffic that is not essential to our operation will be dropped
+         * e.g. ntp / dns / traffic to mist will be allowed by default
+         *      if dhcpd is enabled, we'll make sure it works
+         */
+        enabled?: boolean;
+        /**
+         * Whether to enable hit count for Protect_RE policy
+         */
+        hitCount?: boolean;
+        /**
+         * host/subnets we'll allow traffic to/from
+         */
+        trustedHosts?: string[];
+    }
+    interface GatewaytemplateGatewayMgmtProtectReCustom {
+        /**
+         * Matched dst port, "0" means any
+         */
+        portRange?: string;
+        /**
+         * enum: `any`, `icmp`, `tcp`, `udp`
+         */
+        protocol?: string;
+        subnets?: string[];
+    }
     interface GatewaytemplateIdpProfiles {
         /**
          * enum: `critical`, `standard`, `strict`
@@ -9284,7 +9608,7 @@ export declare namespace org {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -9308,7 +9632,7 @@ export declare namespace org {
         /**
          * enum: `dhcp`, `static`
          */
-        type: string;
+        type?: string;
         /**
          * If supported on the platform. If enabled, DNS will be using this routing-instance, too
          */
@@ -9441,6 +9765,10 @@ export declare namespace org {
          */
         outerVlanId?: number;
         poeDisabled?: boolean;
+        /**
+         * Whether Perpetual PoE capabilities are enabled for a port
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * Only for SRX and if `usage`==`lan`, the name of the Network to be used as the Untagged VLAN
          */
@@ -9895,7 +10223,7 @@ export declare namespace org {
          */
         ipsecLifetime?: number;
         /**
-         * Only if  `provider`==`custom-ipsec`
+         * Only if `provider`==`custom-ipsec`
          */
         ipsecProposals?: outputs.org.GatewaytemplateTunnelConfigsIpsecProposal[];
         /**
@@ -10045,7 +10373,7 @@ export declare namespace org {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -10076,7 +10404,7 @@ export declare namespace org {
         internalIps?: string[];
         probeIps?: string[];
         /**
-         * Only if  `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
+         * Only if `provider`==`jse-ipsec` or `provider`==`custom-ipsec`
          */
         remoteIds?: string[];
         wanNames: string[];
@@ -13483,7 +13811,7 @@ export declare namespace org {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -13499,7 +13827,7 @@ export declare namespace org {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -13714,6 +14042,10 @@ export declare namespace org {
          * Only if `mode`!=`dynamic`. Whether PoE capabilities are disabled for a port
          */
         poeDisabled?: boolean;
+        /**
+         * Only if `mode`!=`dynamic`. Whether Perpetual PoE is enabled; keeps PoE state across reboots
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * PoE priority. enum: `low`, `high`
          */
@@ -14362,7 +14694,11 @@ export declare namespace org {
          */
         aeIdx?: number;
         /**
-         * To use fast timeout
+         * If `aggregated`==`true`, sets the state of the interface as UP when the peer has limited LACP capability. Use case: When a device connected to this AE port is ZTPing for the first time, it will not have LACP configured on the other end. **Note:** Turning this on will enable force-up on one of the interfaces in the bundle only
+         */
+        aeLacpForceUp?: boolean;
+        /**
+         * To use slow timeout
          */
         aeLacpSlow?: boolean;
         aggregated?: boolean;
@@ -15089,18 +15425,24 @@ export declare namespace org {
         write: string;
     }
     interface SettingMarvis {
-        autoOperations?: outputs.org.SettingMarvisAutoOperations;
+        /**
+         * Self-driving network automation settings per domain
+         */
+        selfDriving?: outputs.org.SettingMarvisSelfDriving;
     }
-    interface SettingMarvisAutoOperations {
-        apInsufficientCapacity: boolean;
-        apLoop: boolean;
-        apNonCompliant: boolean;
-        bouncePortForAbnormalPoeClient: boolean;
-        disablePortWhenDdosProtocolViolation: boolean;
-        disablePortWhenRogueDhcpServerDetected: boolean;
-        gatewayNonCompliant: boolean;
-        switchMisconfiguredPort: boolean;
-        switchPortStuck: boolean;
+    interface SettingMarvisSelfDriving {
+        wan?: outputs.org.SettingMarvisSelfDrivingWan;
+        wired?: outputs.org.SettingMarvisSelfDrivingWired;
+        wireless?: outputs.org.SettingMarvisSelfDrivingWireless;
+    }
+    interface SettingMarvisSelfDrivingWan {
+        enabled?: boolean;
+    }
+    interface SettingMarvisSelfDrivingWired {
+        enabled?: boolean;
+    }
+    interface SettingMarvisSelfDrivingWireless {
+        enabled?: boolean;
     }
     interface SettingMgmt {
         /**
@@ -15110,13 +15452,17 @@ export declare namespace org {
         /**
          * Whether to use Mist Tunnel for mgmt connectivity, this takes precedence over use_wxtunnel
          */
-        useMxtunnel: boolean;
+        useMxtunnel?: boolean;
         /**
          * Whether to use wxtunnel for mgmt connectivity
          */
-        useWxtunnel: boolean;
+        useWxtunnel?: boolean;
     }
     interface SettingMistNac {
+        /**
+         * allow clients to connect even when the user cert failed. TEAP authenticates both Machine Cert and User Cert. When enabled, clients who only succeed Machine Cert authentication will be accepted.
+         */
+        allowTeapMachineAuthOnly?: boolean;
         /**
          * List of PEM-encoded ca certs
          */
@@ -15136,7 +15482,7 @@ export declare namespace org {
         /**
          * By default, NAC POD failover considers all NAC pods available around the globe, i.e. EU, US, or APAC based, failover happens based on geo IP of the originating site. For strict GDPR compliance NAC POD failover would only happen between the PODs located within the EU environment, and no authentication would take place outside of EU. This is an org setting that is applicable to WLANs, switch templates, mxedge clusters that have mistNac enabled
          */
-        euOnly: boolean;
+        euOnly?: boolean;
         /**
          * Allows customer to enable client fingerprinting for policy enforcement
          */
@@ -15150,6 +15496,10 @@ export declare namespace org {
          */
         idpUserCertLookupField?: string;
         idps: outputs.org.SettingMistNacIdp[];
+        /**
+         * MDM (Mobile Device Management) CoA configuration
+         */
+        mdm?: outputs.org.SettingMistNacMdm;
         /**
          * radius server cert to be presented in EAP TLS
          */
@@ -15171,15 +15521,15 @@ export declare namespace org {
         /**
          * enable/disable writes to NAC DDB fingerprint table
          */
-        enabled: boolean;
+        enabled?: boolean;
         /**
          * enable/disable CoA triggers on fingerprint change for wired clients, always port-bounce
          */
-        generateCoa: boolean;
+        generateCoa?: boolean;
         /**
          * enable/disable CoA triggers on fingerprint change for wireless clients
          */
-        generateWirelessCoa: boolean;
+        generateWirelessCoa?: boolean;
         /**
          * enum: `reauth`, `disconnect`
          */
@@ -15201,6 +15551,12 @@ export declare namespace org {
          */
         userRealms: string[];
     }
+    interface SettingMistNacMdm {
+        /**
+         * CoA type to send. enum: `reauth`, `disconnect`
+         */
+        coaType?: string;
+    }
     interface SettingMistNacServerCert {
         cert?: string;
         key?: string;
@@ -15227,7 +15583,7 @@ export declare namespace org {
         /**
          * Enable channelization
          */
-        channelized: boolean;
+        channelized?: boolean;
         /**
          * Interface speed (e.g. `25g`, `50g`), use the chassis speed by default
          */
@@ -15597,6 +15953,14 @@ export declare namespace org {
          * Whether to trigger EAP reauth when the session ends
          */
         eapReauth: boolean;
+        /**
+         * Enable Beacon Protection; default is false for better compatibility
+         */
+        enableBeaconProtection?: boolean;
+        /**
+         * Enable GCMP-256 encryption suite; default is false for better compatibility
+         */
+        enableGcmp256?: boolean;
         /**
          * Whether to enable MAC Auth, uses the same auth_servers
          */
@@ -17025,6 +17389,10 @@ export declare namespace site {
          * Optional, for ERB or CLOS, you can either use esilag to upstream routers or to also be the virtual-gateway. When `routedAt` != `core`, whether to do virtual-gateway at core as well
          */
         coreAsBorder: boolean;
+        /**
+         * Whether to route management traffic inband; routes will be propagated to downstream switches
+         */
+        enableInbandMgmt?: boolean;
         /**
          * if the mangement traffic goes inbnd, during installation, only the border/core switches are connected to the Internet to allow initial configuration to be pushed down and leave the downstream access switches stay in the Factory Default state enabling inband-ztp allows upstream switches to use LLDP to assign IP and gives Internet to downstream switches in that state
          */
@@ -18597,7 +18965,7 @@ export declare namespace site {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -18613,7 +18981,7 @@ export declare namespace site {
         noResolve?: boolean;
         preference?: number;
         /**
-         * Next-hop IP Address
+         * Next-hop IP Address. Can be a single IP address or an array of IP addresses for ECMP (Equal-Cost Multi-Path) load balancing across multiple next-hops.
          */
         via: string;
     }
@@ -18828,6 +19196,10 @@ export declare namespace site {
          * Only if `mode`!=`dynamic`. Whether PoE capabilities are disabled for a port
          */
         poeDisabled?: boolean;
+        /**
+         * Only if `mode`!=`dynamic`. Whether Perpetual PoE is enabled; keeps PoE state across reboots
+         */
+        poeKeepStateWhenReboot?: boolean;
         /**
          * PoE priority. enum: `low`, `high`
          */
@@ -19476,7 +19848,11 @@ export declare namespace site {
          */
         aeIdx?: number;
         /**
-         * To use fast timeout
+         * If `aggregated`==`true`, sets the state of the interface as UP when the peer has limited LACP capability. Use case: When a device connected to this AE port is ZTPing for the first time, it will not have LACP configured on the other end. **Note:** Turning this on will enable force-up on one of the interfaces in the bundle only
+         */
+        aeLacpForceUp?: boolean;
+        /**
+         * To use slow timeout
          */
         aeLacpSlow?: boolean;
         aggregated?: boolean;
@@ -19715,6 +20091,12 @@ export declare namespace site {
          */
         enabled: boolean;
     }
+    interface SettingApSyntheticTest {
+        /**
+         * List or Comma separated list of additional VLAN IDs (on the LAN side or from other WLANs) should we be forwarding bonjour queries/responses
+         */
+        additionalVlanIds?: string[];
+    }
     interface SettingAutoUpgrade {
         /**
          * Custom versions for different models. Property key is the model name (e.g. "AP41")
@@ -20125,6 +20507,36 @@ export declare namespace site {
         protocol: string;
         subnets: string[];
     }
+    interface SettingIotproxy {
+        enabled: boolean;
+        /**
+         * Visionline integration settings for IoT proxy
+         */
+        visionline?: outputs.site.SettingIotproxyVisionline;
+    }
+    interface SettingIotproxyVisionline {
+        /**
+         * Access ID for the Visionline service
+         */
+        accessId?: string;
+        enabled: boolean;
+        /**
+         * Hostname or IP of the Visionline collector
+         */
+        host?: string;
+        /**
+         * Password for the Visionline service
+         */
+        password?: string;
+        /**
+         * TCP port of the Visionline collector
+         */
+        port: number;
+        /**
+         * Username for the Visionline service
+         */
+        username?: string;
+    }
     interface SettingJuniperSrx {
         /**
          * auto_upgrade device first time it is onboarded
@@ -20426,6 +20838,18 @@ export declare namespace site {
          */
         keepWlansUpIfDown: boolean;
     }
+    interface SettingVarsAnnotations {
+        /**
+         * User-provided note to describe what this var was created for
+         */
+        note?: string;
+        /**
+         * Used to identify where to enumerate / auto-complete the field from. Default is `generic` (plain string, no special handling).
+         *
+         * enum: `generic`, `mxtunnelId`
+         */
+        type: string;
+    }
     interface SettingVna {
         /**
          * Enable Virtual Network Assistant (using SUB-VNA license). This applied to AP / Switch / Gateway
@@ -20607,6 +21031,14 @@ export declare namespace site {
          * Whether to trigger EAP reauth when the session ends
          */
         eapReauth: boolean;
+        /**
+         * Enable Beacon Protection; default is false for better compatibility
+         */
+        enableBeaconProtection?: boolean;
+        /**
+         * Enable GCMP-256 encryption suite; default is false for better compatibility
+         */
+        enableGcmp256?: boolean;
         /**
          * Whether to enable MAC Auth, uses the same auth_servers
          */