FireBrick FB2500 V1.11.001 documentation
FireBrick FB2500 configuration documentation. Copyright © 2008-11 FireBrick Ltd.
The top level config element contains all of the FireBrick configuration data.
config: Attributes
Attribute | Type | Description | Default |
patch | integer | Internal use, for s/w updates that change config syntax | |
timestamp | dateTime | Config store time, set automatically when config is saved | |
config: Elements
Element | Type | Instances | Description |
bgp | bgp | Optional, up to 10 | BGP config |
blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks |
cqm | cqm | Optional | Constant Quality Monitoring config |
ethernet | ethernet | Optional, unlimited | Ethernet port settings |
fb105 | fb105 | Optional, up to 256 | FB105 tunnel settings |
interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets |
ip-group | ip-group | Optional, unlimited | Named IP groups |
l2tp | l2tp | Optional | L2TP settings |
log | log | Optional, up to 50 | Log target controls |
loopback | loopback | Optional, unlimited | Extra local addresses |
network | network | Optional, unlimited | Locally originated networks |
nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks |
ping | ping | Optional, up to 100 | Base ping graph settings |
port | portdef | Optional, up to 4 | Port grouping and naming |
ppp | pppoe | Optional, up to 10 | PPPoE settings |
profile | profile | Optional, unlimited | Control profiles |
route | route | Optional, unlimited | Static routes |
route-override | route-override | Optional, unlimited | Routing override rules |
rule-set | rule-set | Optional, unlimited | Firewall/mapping rules |
services | services | Optional | General system services |
shaper | shaper | Optional, unlimited | Named traffic shapers |
system | system | Optional | System settings |
user | user | Optional, unlimited | Admin users |
Firewall actions for load sharing
session-share: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
profile | string | Profile name | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging | |
set-nat | boolean | Changed source IP and port to local for NAT | |
set-reverse-graph | string | Graph name for shaping/logging (far side of session) | |
set-source-ip | IPAddr | New source IP | |
set-source-port | unsignedShort | New source port | |
set-table | routetable 0-99 | Set new routing table | |
set-target-ip | IPAddr | New target IP | |
set-target-port | unsignedShort | New target port | |
weight | positiveInteger | Weighting of load share | 1 |
Firewall rule
The individual firewall rules are checked in order within the rule-set, and the first match applied. The default action for a rule is continue, so once matched the next rule-set is considered.
session-rule: Attributes
Attribute | Type | Description | Default |
action | firewall-action | Action taken on match | continue |
comment | string | Comment | |
interface | List of string | Source or target interface(s) | |
ip | List of IPNameRange | Source or target IP address range(s) | |
log | string | Log session start | As rule-set |
log-end | string | Log session end | As rule-set |
name | string | Name | |
profile | string | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging | |
set-initial-timeout | duration | Initial time-out | |
set-nat | boolean | Changed source IP and port to local for NAT | |
set-ongoing-timeout | duration | Ongoing time-out | |
set-reverse-graph | string | Graph name for shaping/logging (far side of session) | |
set-source-ip | IPAddr | New source IP | |
set-source-port | unsignedShort | New source port | |
set-table | routetable 0-99 | Set new routing table | |
set-target-ip | IPAddr | New target IP | |
set-target-port | unsignedShort | New target port | |
source | string | Source of data, used in automated config management | |
source-interface | List of string | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-port | List of PortRange | Source port(s) | |
target-interface | List of string | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
session-rule: Elements
Element | Type | Instances | Description |
share | session-share | Optional, unlimited | Load shared actions |
Firewalling rule set with entry criteria and default actions
rule-set: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
interface | List of string | Source or target interface(s) | |
ip | List of IPNameRange | Source or target IP address range(s) | |
log | string | Log session start | Not logging |
log-end | string | Log session end | Not logging |
log-no-match | string | Log if no match | log-start |
name | string | Name | |
no-match-action | firewall-action | Default if no rule matches | Not optional |
profile | string | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
source | string | Source of data, used in automated config management | |
source-interface | List of string | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-port | List of PortRange | Source port(s) | |
table | routetable 0-99 | Applicable routing table | 0 |
target-interface | List of string | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
rule-set: Elements
Element | Type | Instances | Description |
ip-group | ip-group | Optional, unlimited | Named IP groups |
rule | session-rule | Optional, unlimited | Individual rules, first match applies |
Route override setting for load sharing
session-route-share: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
profile | string | Profile name | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging (if not set by rule-set) | |
set-nat | boolean | Changed source IP and port to local for NAT | |
weight | positiveInteger | Weighting of load share | 1 |
Routing override rule
session-route-rule: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Name | |
profile | string | Profile name | |
protocol | List of unsignedByte | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] | |
set-gateway | IPAddr | New gateway | |
set-graph | string | Graph name for shaping/logging (if not set by rule-set) | |
set-nat | boolean | Changed source IP and port to local for NAT | |
source | string | Source of data, used in automated config management | |
source-interface | List of string | Source interface(s) | |
source-ip | List of IPNameRange | Source IP address range(s) | |
source-port | List of PortRange | Source port(s) | |
target-interface | List of string | Target interface(s) | |
target-ip | List of IPNameRange | Target IP address range(s) | |
target-port | List of PortRange | Target port(s) | |
session-route-rule: Elements
Element | Type | Instances | Description |
share | session-route-share | Optional, unlimited | Load shared actions |
Routing override rules
route-override: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Applicable routing table | 0 |
route-override: Elements
Element | Type | Instances | Description |
rule | session-route-rule | Optional, unlimited | Individual rules, first match applies |
Named IP group
ip-group: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
ip | List of IPRange | One or more IP ranges or IP/len | |
name | string | Name | Not optional |
source | string | Source of data, used in automated config management | |
users | List of string | Include IP of (time limited) logged in web users | |
Settings for a named traffic shaper
Settings for a named traffic shaper
shaper: Elements
Element | Type | Instances | Description |
override | shaper-override | Optional, unlimited | Profile specific variations on main settings |
Ping targets
profile-ping: Attributes
Attribute | Type | Description | Default |
flow | unsignedShort | Flow label (IPv6) | |
gateway | IPAddr | Ping via specific gateway (bypasses session tracking if set) | |
ip | IPAddr | Target IP | Not optional |
source-ip | IPAddr | Source IP | |
ttl | unsignedByte | Time to live / Hop limit | |
Time range test in profiles
profile-time: Attributes
Attribute | Type | Description | Default |
days | Set of day | Which days of week apply, default all | |
start | time | Start (HH:MM:SS) | |
stop | time | End (HH:MM:SS) | |
Time range test in profiles
profile-date: Attributes
Attribute | Type | Description | Default |
start | dateTime | Start (YYYY-MM-DDTHH:MM:SS) | |
stop | dateTime | End (YYYY-MM-DDTHH:MM:SS) | |
General on/off control profile used in various places in the config.
profile: Attributes
Attribute | Type | Description | Default |
and | List of string | Test passes if all specified profiles are active | |
comment | string | Comment | |
fb105 | List of string | FB105 tunnel state (any of these active) | |
initial | boolean | Defines state at system startup if not using set | true |
interval | duration | Test frequency | 1 |
invert | boolean | Invert final result of testing | |
log | string | Log target | Not logging |
log-debug | string | Log additional information | Not logging |
name | string | Profile name | Not optional |
not | string | Test passes if specified profile is inactive | |
or | List of string | Active if any of these other profiles active regardless of other tests | |
ppp | List of string | PPP link state (any of these are up) | |
recover | duration | Time before recover (i.e. how long test has been passing for) | 1 |
route | List of IPAddr | Test passes if all specified addresses are routeable | |
set | boolean | Manual override, ignore all tests, ignore invert setting | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table for ping/route | |
timeout | duration | Time before timeout (i.e. how long test has been failing for) | 10 |
vrrp | List of string | VRRP state (any of these is master) | |
profile: Elements
Element | Type | Instances | Description |
date | profile-date | Optional, unlimited | Test passes if within any date range specified |
ping | profile-ping | Optional | Test passes if address is answering pings |
time | profile-time | Optional, unlimited | Test passes if within any time range specified |
Base ping config - additional ping targets set via web API or other means
ping: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
graph | string | Graph name | Not optional |
ip | IPNameAddr | Far end IP | Not optional |
name | string | Name | |
slow | boolean | Slow polling | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for sending syslogs | 0 |
Routes for prefixes that are sent to the FB105 tunnel when up
fb105-route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
ip | List of IPPrefix | One or more local network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
FB105 tunnel definition
fb105: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
fast-udp | boolean | Send UDP packets marked not to be reordered | true |
graph | string | Graph name | |
internal-ip | IP4Addr | Internal IP for traffic originated and sent down tunnel | local-ip |
ip | IP4Addr | Far end IP | dynamic tunnel |
keep-alive | boolean | Constantly send keep alive packets | true if ip set |
local-id | unsignedByte | Unique local end tunnel ID | Not optional |
local-ip | IP4Addr | Force specific local end IP | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | string | Log events | Not logging |
log-error | string | Log errors | Log as event |
mtu | unsignedShort | MTU for wrapped packets | 1500 |
name | string | Name | |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
port | unsignedShort | UDP port to use | 1 |
profile | string | Profile name | |
remote-id | unsignedByte | Unique remote end tunnel ID | Not optional |
reorder | boolean | Reorder incoming tunnel packets | false |
reorder-maxq | fb105-reorder-maxq 1-100 | Max queue length for out of order packets | 32 |
reorder-timeout | fb105-reorder-timeout 10-5000 | Max time to delay out of order packet (ms) | 100 |
routes | List of IPPrefix | Routes when link up | |
secret | Secret | Shared secret for tunnel | Unsigned |
set | unsignedByte | Set ID for reorder ID tagging (create a set of tunnels together) | |
sign-all | boolean | All packets must be signed, not just keepalives | false |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit used to load balance | no shaping |
table | routetable 0-99 | Routing table number for tunnel wrappers | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
fb105: Elements
Element | Type | Instances | Description |
route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up |
Server settings for RADIUS Accounting for L2TP
radius-acct: Attributes
Attribute | Type | Description | Default |
attempts | unsignedInt | How many concurrent requests to this server before trying next | 200 |
comment | string | Comment | |
fail-count | unsignedInt | How many failures in a row before blacklisting | 20 |
fail-time | duration | How long to blacklist before retrying (secs) | 120 |
ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional |
name | string | Name | |
port | unsignedShort | Accounting UDP port | 1813 |
profile | string | Profile name | |
relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP | |
secret | Secret | Shared secret for RADIUS requests | Not optional |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | |
timeout | duration | Min retry timeout on RADIUS requests | 5 |
Server settings for RADIUS Authentication for L2TP
radius-auth: Attributes
Attribute | Type | Description | Default |
attempts | unsignedInt | How many concurrent requests to this server before trying next | 200 |
comment | string | Comment | |
fail-count | unsignedInt | How many failures in a row before blacklisting | 20 |
fail-time | duration | How long to blacklist before retrying (secs) | 120 |
ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional |
name | string | Name | |
port | unsignedShort | Authentication UDP port | 1812 |
profile | string | Profile name | |
relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP | |
secret | Secret | Shared secret for RADIUS requests | Not optional |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | |
timeout | duration | Min retry timeout on RADIUS requests | 5 |
Rules for relaying L2TP or local authentication
l2tp-relay: Attributes
Attribute | Type | Description | Default |
called-station-id | List of string | One or more patterns to match called-station-id | |
calling-station-id | List of string | One or more patterns to match calling-station-id | |
comment | string | Comment | |
graph | string | Graph name | |
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295 |
name | string | Name | |
password | Secret | Password check | |
profile | string | Profile name | |
relay-hostname | string | Hostname for L2TP connection | |
relay-ip | List of IPAddr | Target IP(s) for L2TP connection | |
relay-secret | Secret | Shared secret for L2TP connection | |
remote-ip | IP4Addr | Remote end PPP IPv4 (local auth) | |
remote-netmask | IP4Addr | Remote end PPP Netmask (local auth) | |
routes | List of IPPrefix | Additional routes when link up (local auth) | |
source | string | Source of data, used in automated config management | |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
username | List of string | One or more patterns to match username | |
L2TP tunnel settings for incoming L2TP connections
l2tp-incoming: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which connects can be made | |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
damping | boolean | Apply damping to sessions if limiting on shaper | false |
dhcpv6dns | List of IP6Addr | List of IPv6 DNS servers | |
dos-limit | unsignedInt | Per second per session tx packet drop limit for DOS protection | 10000 |
graph | string | Graph name | |
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true |
hostname | string | Hostname quoted on incoming tunnel | |
icmp-ppp | boolean | Use PPP endpoint for ICMP | false |
ipv6ep | IP4Addr | Local end IPv4 for IPv6 tunnels | |
lcp-mru-fix | boolean | Restart LCP if RAS negotiated MRU is too high | false |
lcp-rate | unsignedByte | LCP interval (seconds) | 1 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 10 |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
mtu | mtu 576-1600 | Default MTU for sessions in this tunnel | |
name | string | Name | |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
pppdns1 | IP4Addr | PPP DNS1 IPv4 default | |
pppdns2 | IP4Addr | PPP DNS2 IPv4 default | |
pppip | IP4Addr | Local end PPP IPv4 | |
profile | string | Profile name | |
require-platform | boolean | All sessions require a platform RADIUS first | false |
secret | Secret | Shared secret | |
shutdown | boolean | Refuse all new sessions or tunnels | false |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Default egress rate limit | |
table | routetable 0-99 | Routing table number for L2TP session | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false |
test | List of IPAddr | List of IPs to which routing must exist else tunnel dropped (deprecated) | |
l2tp-incoming: Elements
Element | Type | Instances | Description |
match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication |
L2TP tunnel settings for outgoing L2TP connections
l2tp-outgoing: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
called | string | called-station-idi to send | |
calling | string | calling-station-id to send | |
comment | string | Comment | |
graph | string | Graph name | |
hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true |
hostname | string | Hostname quoted on incoming tunnel | |
ip | IPAddr | IP of far end | Not optional |
lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
local | IP4Addr | Local IPv4 address | |
localpref | unsignedInt | Localpref for remote-ip/routes (highest wins) | 4294967295 |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
min-retry | duration | Minimum session time before retrying connection | 10 |
mtu | mtu 576-1600 | Default MTU for sessions in this tunnel | |
name | string | Name | |
password | Secret | Password for login | |
payload-table | routetable 0-99 | Routing table number for payload traffic | 0 |
profile | string | Profile name | |
remote | IP4Addr | Remote IPv4 address | |
routes | List of IPPrefix | Routes when link up | Default gateway |
rx-speed | unsignedInt | Send ingress rate | |
secret | Secret | Shared secret | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for L2TP session | 0 |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false |
tx-speed | unsignedInt | Egress rate limit | |
username | string | User name for login | |
l2tp-outgoing: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when link is up |
L2TP settings for incoming and outgoing L2TP connections
l2tp: Attributes
Attribute | Type | Description | Default |
accounting-interval | duration | Periodic interim accounting interval | 3600 |
l2tp: Elements
Element | Type | Instances | Description |
accounting | radius-acct | Optional, unlimited | RADIUS accounting server settings |
authentication | radius-auth | Optional, unlimited | RADIUS authentication server settings |
incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections |
outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections |
Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.
cqm: Attributes
Attribute | Type | Description | Default |
ave | Colour | Colour for average latency | #0cc |
axis | Colour | Axis colour | black |
background | Colour | Background colour | white |
bottom | unsignedByte | Pixels space at bottom of graph | 11 |
dateformat | string | Date format | %Y-%m-%d |
dayformat | string | Day format | %a |
fail | Colour | Colour for failed (dropped) seconds | red |
fail-level | unsignedInt | Fail level not expected on low usage | 1 |
fail-level1 | unsignedByte | Loss level 1 | 3 |
fail-level2 | unsignedByte | Loss level 2 | 50 |
fail-score | unsignedByte | Score for fail and low usage | 200 |
fail-score1 | unsignedByte | Score for on/above level 1 | 100 |
fail-score2 | unsignedByte | Score for on/above level 2 | 200 |
fail-usage | unsignedInt | Usage below which fail is not expected | 128000 |
fblogo | Colour | Colour for logo | #c00 |
graticule | Colour | Graticule colour | grey |
heading | string | Heading of graph | |
hourformat | string | Hour format | %H |
key | unsignedByte | Pixels space for key | 90 |
label-ave | string | Label for average latency | Ave |
label-damp | string | Label for % shaper damping | Damp% |
label-fail | string | Label for seconds (%) failed | Fail |
label-latency | string | Label for latency | Latency |
label-max | string | Label for maximum latency | Max |
label-min | string | Label for minimum latency | Min |
label-off | string | Label for off line seconds | Off |
label-period | string | Label for period | Period |
label-poll | string | Label for polls | Polls |
label-rx | string | Label for Rx traffic level | Rx |
label-score | string | Label for score | Score |
label-sent | string | Label for seconds polled | Sent |
label-shaper | string | Label for shaper | Shaper |
label-time | string | Label for time | Time |
label-traffic | string | Label for traffic level | Traffic (bit/s) |
label-tx | string | Label for Tx traffic level | Tx |
latency-level | unsignedInt | Latency level not expected on low usage | 100000000 |
latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000 |
latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000 |
latency-score | unsignedByte | Score for high latency and low usage | 200 |
latency-score1 | unsignedByte | Score for on/above level 1 | 10 |
latency-score2 | unsignedByte | Score for on/above level 2 | 20 |
latency-usage | unsignedInt | Usage below which latency is not expected | 128000 |
left | unsignedByte | Pixels space left of main graph | 0 |
log | string | Log events | Not logging |
max | Colour | Colour for maximum latency | green |
min | Colour | Colour for minimum latency | blue |
off | Colour | Colour for off line seconds | #c8f |
outside | Colour | Colour for outer border | transparent |
right | unsignedByte | Pixels space right of main graph | 50 |
rx | Colour | Colour for Rx traffic level | #800 |
secret | Secret | Secret for MD5 coded URLs | |
sent | Colour | Colour for polled seconds | #ff8 |
share-interface | string | Interface on which to broadcast data for shaper sharing | |
share-secret | string | Secret to validate shaper sharing | |
subheading | string | Subheading of graph | |
text | Colour | Colour for text | black |
text1 | string | Text line 1 | |
text2 | string | Text line 2 | |
text3 | string | Text line 3 | |
text4 | string | Text line 4 | |
timeformat | string | Time format | %Y-%m-%d %H:%M:%S |
top | unsignedByte | Pixels space at top of graph | 4 |
tx | Colour | Colour for Tx traffic level | #080 |
An individual rule for BGP mapping/filtering
bgprule: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
detag | List of Community | List of community tags to remove | |
drop | boolean | Do not import/export this prefix | false |
localpref | unsignedInt | Set localpref (highest wins) | |
med | unsignedInt | Set MED | |
name | string | Name | |
prefix | List of IPFilter | Prefixes that this rule applies to | |
source | string | Source of data, used in automated config management | |
tag | List of Community | List of community tags to add | |
This defines the rules for mapping and filtering of prefixes to/from a BGP peer.
bgpmap: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
detag | List of Community | List of community tags to remove | |
drop | boolean | Do not import/export this prefix | false |
localpref | unsignedInt | Set localpref (highest wins) | |
med | unsignedInt | Set MED | |
name | string | Name | |
prefix | List of IPFilter | Drop all that are not in this prefix list | |
source | string | Source of data, used in automated config management | |
tag | List of Community | List of community tags to add | |
bgpmap: Elements
Element | Type | Instances | Description |
match | bgprule | Optional, unlimited | List rules, in order of checking |
The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.
bgppeer: Attributes
Attribute | Type | Description | Default |
add-own-as | boolean | Add our AS on exported routes | |
allow-export | boolean | Ignore no-export community and export anyway | |
allow-only-their-as | boolean | Only accept routes that are solely the peers AS | |
allow-own-as | boolean | Allow our AS inbound | |
as | unsignedInt | Peer AS | |
capability-as4 | boolean | If supporting AS4 | true |
capability-graceful-restart | boolean | If supporting Graceful Restart | true |
capability-mpe-ipv4 | boolean | If supporting MPE for IPv4 | true |
capability-mpe-ipv6 | boolean | If supporting MPE for IPv6 | true |
capability-route-refresh | boolean | If supporting Route Refresh | true |
comment | string | Comment | |
drop-default | boolean | Ignore default route received | false |
export-med | unsignedInt | Set MED on exported routes (unless export filter sets it) | |
holdtime | unsignedInt | Hold time | 30 |
ignore-bad-optional-partial | boolean | Ignore routes with a recognised badly formed optional that is flagged partial | true |
import-localpref | unsignedInt | Set localpref on imported routes (unless import filter sets it) | |
in-soft | boolean | Mark received routes as soft | |
ip | List of IPAddr | One or more IPs of neighbours (omit to allow incoming) | |
log-debug | string | Log debug | Not logging |
max-prefix | bgp-prefix-limit 1-1000 | Limit prefixes (IPv4+IPv6) | 10000 |
md5 | Secret | MD5 signing secret | |
name | string | Name | |
next-hop-self | boolean | Force us as next hop outbound | false |
no-fib | boolean | Don't include received routes in packet forwarding | |
pad | unsignedByte | Pad (prefix stuff) our AS by this many | |
profile | string | Profile name | |
same-ip-type | boolean | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers | true |
send-default | boolean | Send a default route to this peer | false |
send-no-routes | boolean | Don't send any normal routes | false |
shutdown | boolean | Shutdown this neighbour (deprecated, use profile) | |
source | string | Source of data, used in automated config management | |
timer-idle | unsignedInt | Idle time after error | 60 |
timer-openwait | unsignedInt | Time to wait for OPEN on connection | 10 |
timer-retry | unsignedInt | Time to retry the neighbour | 10 |
ttl-security | byte | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking. | |
type | peertype | Type of neighbour (affects some defaults) | normal |
bgppeer: Elements
Element | Type | Instances | Description |
export | bgpmap | Optional, unlimited | Mapping and filtering rules of announcing prefixes to peer |
import | bgpmap | Optional, unlimited | Mapping and filtering rules of accepting prefixes from peer |
The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.
bgp: Attributes
Attribute | Type | Description | Default |
as | unsignedInt | Our AS | |
cluster-id | IP4Addr | Our cluster ID | |
comment | string | Comment | |
id | IP4Addr | Our router ID | |
log | string | Log events | Not logging |
name | string | Name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
bgp: Elements
Element | Type | Instances | Description |
peer | bgppeer | Optional, up to 50 | List of peers/neighbours |
Loopback addresses define local IP addresses
loopback: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
ip | List of IPAddr | One or more local network addresses | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
Networks that go nowhere
blackhole: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | false |
comment | string | Comment | |
ip | List of IPPrefix | One or more local network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but add routing.
network: Attributes
Attribute | Type | Description | Default |
as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
bgp | bgpmode | BGP announce mode for routes | true |
comment | string | Comment | |
ip | List of IPPrefix | One or more local network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
gateway | List of IPAddr | One or more target gateway IPs | Not optional |
graph | string | Graph name | |
ip | List of IPPrefix | One or more local network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Egress rate limit | |
table | routetable 0-99 | Routing table number | 0 |
Routes that apply when link is up
ppp-route: Attributes
Attribute | Type | Description | Default |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
ip | List of IPPrefix | One or more local network prefixes | Not optional |
localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
name | string | Name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
PPPoE endpoint settings
pppoe: Attributes
Attribute | Type | Description | Default |
ac-name | string | Access concentrator name | Any a/c name |
accept-dns | boolean | Accept DNS servers specified by far end | true |
bgp | bgpmode | BGP announce mode for routes | |
comment | string | Comment | |
graph | string | Graph name | |
ip-over-lcp | boolean | Sends all IP packets as LCP | |
lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
local | IP4Addr | Local IPv4 address | |
localpref | unsignedInt | Localpref for route (highest wins) | 4294967295 |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log as events | Not logging |
mode | pppoe-mode | PPPoE server/client mode | client |
mtu | mtu 576-1600 | MTU for link | 1492 |
name | string | Name | |
nat | boolean | NAT traffic to this link unless otherwise set | false |
password | Secret | User password | |
port | string | Physical port number, or port group name | |
profile | string | Profile name | |
remote | IP4Addr | Remote IPv4 address | |
routes | List of IPPrefix | Routes when link up | Default gateway |
service | string | Service name | Any service |
source | string | Source of data, used in automated config management | |
speed | unsignedInt | Default egress rate limit | |
table | routetable 0-99 | Routing table number for payload | From interface |
tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
username | string | User name | |
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
pppoe: Elements
Element | Type | Instances | Description |
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up |
Additional DHCP server attributes (IP)
dhcp-attr-ip: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code | Not optional |
name | string | Name | |
value | IP4Addr | Value | Not optional |
Additional DHCP server attributes (number)
dhcp-attr-number: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code | Not optional |
name | string | Name | |
value | unsignedInt | Value | Not optional |
Additional DHCP server attributes (string)
dhcp-attr-string: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code | Not optional |
name | string | Name | |
value | string | Value | Not optional |
Additional DHCP server attributes (hex)
dhcp-attr-hex: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
force | boolean | Send even if not requested | |
id | unsignedByte | Attribute type code | Not optional |
name | string | Name | |
value | hexBinary | Value | Not optional |
Settings for DHCP server
dhcps: Attributes
Attribute | Type | Description | Default |
boot | IP4Addr | Next/boot server | |
boot-file | string | Boot filename | |
class | string | CLass match | |
client-name | string | Client name match | |
comment | string | Comment | |
dns | List of IP4Addr | DNS resolvers | Our IP |
domain | string | DNS domain | From system settings |
force | boolean | Send all options ever if not requested | |
gateway | List of IP4Addr | Gateway | Our IP |
ip | List of IP4Range | Address pool | 0.0.0.0/0 |
lease | duration | Lease length | PT2H |
log | string | Log events (allocations) | Not logging |
mac | List of up to 12 macprefix (hexBinary) | Partial or full MAC addresses | |
name | string | Name | |
ntp | List of IP4Addr | NTP server | From system settings |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
syslog | List of IP4Addr | Syslog server | |
time | List of IP4Addr | Time server | Our IP |
dhcps: Elements
Element | Type | Instances | Description |
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send |
send-ip | dhcp-attr-ip | Optional, unlimited | Additional IP attributes to send |
send-number | dhcp-attr-number | Optional, unlimited | Additional numeric attributes to send |
send-string | dhcp-attr-string | Optional, unlimited | Additional string attributes to send |
VRRP settings provide virtual router redundancy for the FireBrick.
Profile inactive does not disable vrrp but forces vrrp low priority.
vrrp: Attributes
Attribute | Type | Description | Default |
answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true |
comment | string | Comment | |
delay | unsignedInt | Delay after routing established before priority returns to normal | 10 |
interval | unsignedShort | Transit interval (centiseconds) | 100 |
ip | List of IPAddr | One or more IP addresses to announce | Not optional |
log | string | Log events | Not logging |
log-error | string | Log errors | log as event |
low-priority | unsignedByte | Lower priority applicable until routing established | 1 |
name | string | Name | |
preempt | boolean | Whether pre-empt allowed | true |
priority | unsignedByte | Normal priority | 100 |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
test | List of IPAddr | List of IPs to which routing must exist else low priority (deprecated) | |
use-vmac | boolean | Whether to use the special VMAC or use normal MAC | true |
version3 | boolean | Use only version 3 | v2 for IPv4, v3 for IPv6 |
vrid | unsignedByte | VRID | 42 |
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
subnet: Attributes
Attribute | Type | Description | Default |
arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
bgp | bgpmode | BGP announce mode for routes | |
broadcast | boolean | If broadcast address allowed | false |
comment | string | Comment | |
gateway | List of IPAddr | One or more gateways to install | |
ip | List of IPSubnet | One or more IP/len | Automatic by DHCP |
localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295 |
mtu | mtu 576-1600 | MTU for subnet | As interface |
name | string | Name | |
nat | boolean | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules) | false |
profile | string | Profile name | |
proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false |
ra | ramode | If to announce IPv6 RA for this subnet | false |
ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements | |
ra-managed | dhcpv6control | RA 'M' (managed) flag | |
ra-max | ra-max 4-1800 | Max RA send interval | 600 |
ra-min | ra-min 3-1350 | Min RA send interval | |
ra-mtu | unsignedShort | MTU to use on RA | As subnet |
ra-other | dhcpv6control | RA 'O' (other) flag | |
ra-profile | string | Profile, if inactive then forces low priority RA | |
source | string | Source of data, used in automated config management | |
ttl | unsignedByte | TTL for originating traffic via subnet | 64 |
The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
interface: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
graph | string | Graph name | |
log | string | Log events including DHCP and related events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
mtu | mtu 576-1600 | MTU for this interface | 1500 |
name | string | Name | |
ping | IPAddr | Ping address to add loss/latency to graph for interface | |
port | string | Port group name | Not optional |
profile | string | Profile name | |
ra-client | boolean | Accept IPv6 RA and create auto config subnets and routes | true |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table applicable | 0 |
vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
interface: Elements
Element | Type | Instances | Description |
dhcp | dhcps | Optional, unlimited | DHCP server settings |
subnet | subnet | Optional, unlimited | IP subnet on the interface |
vrrp | vrrp | Optional, unlimited | VRRP settings |
Port grouping and naming
portdef: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Name | Not optional |
ports | Set of port | Physical port(s) | Not optional |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
Physical port attributes
ethernet: Attributes
Attribute | Type | Description | Default |
autoneg | boolean | Perform link auto-negotiation | auto negotiate unless manual 10/100 speed and duplex are set |
clocking | LinkClock | Gigabit clock setting | prefer-slave |
crossover | Crossover | Port crossover configuration | auto |
duplex | LinkDuplex | Duplex setting for this port | auto |
flow | LinkFlow | Flow control setting | none |
green | LinkLED | Green LED setting | Link/Activity |
optimise | boolean | enable PHY optimisations | true |
port | port | Physical port | Not optional |
power-saving | LinkPower | enable PHY power saving | full |
send-fault | LinkFault | Send fault status | |
shutdown | boolean | Power down this port | false |
speed | LinkSpeed | Speed setting for this port | auto |
yellow | LinkLED | Yellow LED setting | Tx |
Rules for matching RADIUS requests
platform-radius-match: Attributes
Attribute | Type | Description | Default |
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
called-station-id | List of string | One or more patterns to match called-station-id | |
calling-station-id | List of string | One or more patterns to match calling-station-id | |
class | string | Class field to send | |
comment | string | Comment | |
context-name | string | Juniper Context-Name (SIN502) | |
dummy-ip | boolean | Send dummy framed IP response | true |
name | string | Name | |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
order | radiuspriority | Priority tagging of endpoints sent | |
profile | string | Profile name | |
relay-ip | List of IPAddr | Address to copy RADIUS request | |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
source | string | Source of data, used in automated config management | |
tagged | boolean | Tag all attributes that can be | |
target-hostname | string | Hostname for L2TP connection | |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
target-secret | Secret | Shared secret for L2TP connection | |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
tunnel-assignment-id | string | Tunnel Assignment ID to send | |
tunnel-client-return | boolean | Return tunnel client as radius IP | |
username | List of string | One or more patterns to match username | |
Platform RADIUS server and proxy definitions
platform-radius: Attributes
Attribute | Type | Description | Default |
acct-port | unsignedShort | Accounting UDP port | 1813 |
backup-ip | List of IPNameAddr | Target IP(s) or hostname for backup L2TP connection | |
class | string | Class field to send | |
comment | string | Comment | |
context-name | string | Juniper Context-Name (SIN502) | |
dummy-ip | boolean | Send dummy framed IP response | true |
log | string | Log events | Not logging |
log-error | string | Log errors | Log as event |
name | string | Name | |
nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
order | radiuspriority | Priority tagging of endpoints sent | |
port | unsignedShort | Authentication UDP port | 1812 |
profile | string | Profile name | |
relay-ip | List of IPAddr | Address to copy RADIUS request | |
relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
source | string | Source of data, used in automated config management | |
tagged | boolean | Tag all attributes that can be | |
target-hostname | string | Hostname for L2TP connection | |
target-ip | List of IPNameAddr | Target IP(s) or hostname for primary L2TP connection | |
target-secret | Secret | Shared secret for L2TP connection | |
test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
tunnel-assignment-id | string | Tunnel Assignment ID to send | |
tunnel-client-return | boolean | Return tunnel client as radius IP | |
platform-radius: Elements
Element | Type | Instances | Description |
match | platform-radius-match | Optional, unlimited | Matching rules for specific responses |
DNS forwarding resolver service
dns-block: Attributes
Attribute | Type | Description | Default |
host | List of string | Host names (can use * as a part of a domain) | Not optional |
profile | string | Profile name | |
restrict | List of IPNameRange | List of IP ranges to which this is served | |
ttl | unsignedInt | Time to live | 60 |
DNS forwarding resolver service
dns-host: Attributes
Attribute | Type | Description | Default |
host | List of string | Host names (can use * as a part of a domain) | Not optional |
ip | List of IPAddr | IP addresses to serve (or our IP if omitted) | Our IP |
profile | string | Profile name | |
restrict | List of IPNameRange | List of IP ranges to which this is served | |
reverse | boolean | Map reverse DNS as well | |
ttl | unsignedInt | Time to live | 60 |
DNS forwarding resolver service
dns-service: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
auto-dhcp | boolean | Forward and reverse DNS for names in DHCP using this domain | |
comment | string | Comment | |
domain | string | Our domain | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
profile | string | Profile name | |
resolvers | List of IPAddr | Recursive DNS resolvers to use | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
dns-service: Elements
Element | Type | Instances | Description |
block | dns-block | Optional, unlimited | Fixed local DNS host blocks |
host | dns-host | Optional, unlimited | Fixed local DNS host entries |
Web management pages
http-service: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
port | unsignedShort | Service port | 80 |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
trusted | List of IPNameRange | List of allowed IP ranges from which additional access to certain functions is available | |
Telnet control interface
telnet-service: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
port | unsignedShort | Service port | 23 |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
The NTP settings define how the system clock is set, from what servers, and controls for daylight saving (summer time).
The defaults are those that apply to the EU
ntp-service: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
timeserver | List of IPNameAddr | List of time servers (IP or hostname) from which time may be set by ntp | |
tz1-name | string | Timezone 1 name | GMT |
tz1-offset | duration | Timezone 1 offset from UTC | 00:00:00 |
tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25 |
tz12-day | day | Timezone 1 to 2 day of week of change | Sun |
tz12-month | month | Timezone 1 to 2 month | Mar |
tz12-time | duration | Timezone 1 to 2 local time of change | 01:00:00 |
tz2-name | string | Timezone 2 name | BST |
tz2-offset | duration | Timezone 2 offset from UTC | 01:00:00 |
tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25 |
tz21-day | day | Timezone 2 to 1 day of week of change | Sun |
tz21-month | month | Timezone 2 to 1 month | Oct |
tz21-time | duration | Timezone 2 to 1 local time of change | 02:00:00 |
The SNMP service has general service settings and also specific attributes for SNMP such as community
snmp-service: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
comment | string | Comment | |
community | string | Community string | public |
local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
log | string | Log events | Not logging |
log-debug | string | Log debug | Not logging |
log-error | string | Log errors | Log as event |
port | unsignedShort | Service port | 161 |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number | 0 |
System services are various generic services that the system provides, and allows access controls and settings for these to be specified.
The service is only active if the corresponding element is included in services, otherwise it is disabled.
services: Elements
Element | Type | Instances | Description |
dns | dns-service | Optional | DNS service settings |
http | http-service | Optional | HTTP server settings |
ntp | ntp-service | Optional | NTP client settings (server not implemented yet) |
platform-radius | platform-radius | Optional | Platform RADIUS server/proxy settings |
snmp | snmp-service | Optional | SNMP server settings |
telnet | telnet-service | Optional | Telnet server settings |
Logging by SNMP trap
log-snmp: Attributes
Attribute | Type | Description | Default |
OID | string | OID to send | Not optional |
comment | string | Comment | |
port | unsignedShort | Server port | 25 |
profile | string | Profile name | |
server | IPNameAddr | SNMP server | Not optional |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Routing table number for sending syslogs | 0 |
Logging to email
log-email: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
delay | duration | Delay before sending, since first event to send | PT1M |
from | string | Source email address | One made up using serial number |
hold-off | duration | Delay before sending, since last email | PT1H |
log | string | Log emailing process | Not logging |
log-debug | string | Log emailing debug | Not logging |
log-error | string | Log emailing errors | Not logging |
port | unsignedShort | Server port | 25 |
profile | string | Profile name | |
retry | duration | Delay before sending, since failed send | PT10M |
server | IPNameAddr | Smart host to use rather than MX | |
source | string | Source of data, used in automated config management | |
subject | string | Subject | From first line being logged |
table | routetable 0-99 | Routing table number for sending syslogs | 0 |
to | string | Target email address | Not optional |
Logging to a syslog server
Named logging target
log: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
console | boolean | Log immediately to console | |
flash | boolean | Log immediately to slow flash memory (use with care) | |
jtag | boolean | Log immediately jtag (development use only) | |
name | string | Log target name | Not optional |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
log: Elements
Element | Type | Instances | Description |
email | log-email | Optional, unlimited | Email settings |
snmp | log-snmp | Optional, unlimited | SNMP settings (TBA) |
syslog | log-syslog | Optional, unlimited | Syslog settings |
User names, passwords and abilities for admin users
user: Attributes
Attribute | Type | Description | Default |
allow | List of IPNameRange | Restrict logins to be from specific IP addresses | |
comment | string | Comment | |
config | config-access | Config access level | full |
full-name | string | Full name | |
level | user-level | Login level | ADMIN |
name | username (string) | User name | Not optional |
otp | string | OTP serial number | |
password | Password | User password | Not optional |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
table | routetable 0-99 | Restrict login to specific routing table | 0 |
timeout | duration | Login idle timeout (zero to stay logged in) | PT5M |
Links to other web pages
link: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
name | string | Link name | |
profile | string | Profile name | |
source | string | Source of data, used in automated config management | |
text | string | Link text | |
url | string | Link address | |
The system settings are the top level attributes of the system which apply globally.
system: Attributes
Attribute | Type | Description | Default |
comment | string | Comment | |
contact | string | Contact name | |
css-url | string | Additional CSS for web control pages | |
dos-delay | unsignedInt | Interrupt DoS restoration counter, leave at default | 2 |
dos-limit | unsignedInt | Interrupt DoS packet limit, leave at default | 1000 |
fast-reboot | boolean | Debug - causes fast reboot on new code load | |
intro | string | Home page text | |
location | string | Location description | |
log | string | Log system events | Web logs |
log-debug | string | Log system debug messages | Not logging |
log-error | string | Log system errors | Web/Flash/console |
log-eth | string | Log Ethernet messages | Console |
log-eth-debug | string | Log Ethernet debug | Web/Console |
log-eth-error | string | Log Ethernet errors | Web/Flash/console |
log-panic | string | Log system panic messages | Web logs |
log-stats | string | Log one second stats | Not logging |
name | string | System hostname | |
nat64 | IP6Prefix | IPv6 NAT6/4 mapping prefix | |
nat64-source | IP4Addr | IPv6 NAT6/4 return IPv4 | |
soft-watchdog | boolean | Debug - use only if advised; do not use on an unattended FireBrick | false |
source | string | Source of data, used in automated config management | |
sw-update | autoloadtype | Load new software automatically | factory |
sw-update-profile | string | Profile name for when to load new s/w | |
system: Elements
Element | Type | Instances | Description |
link | link | Optional, unlimited | Home page links |
Tag | Description |
continue | Continue rule-set checking |
accept | Allow but no more rule-set checking |
reject | End all rule checking now and set to send ICMP reject |
drop | End all rule checking now and set to drop |
ignore | End all rule checking and ignore (drop) just this packet, not making a session |
Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.
Tag | Description |
normal | Normal BGP operation |
transit | EBGP Mark received as no-export |
peer | EBGP Mark received as no-export, only accept peer AS |
customer | EBGP Allow export as if confederate, only accept peer AS |
internal | IBGP allowing own AS |
reflector | IBGP allowing own AS and working in route reflector mode |
confederate | EBGP confederate |
ixp | Internet exchange point peer on route server |
Tag | Description |
client | Normal PPPoE client connects to access controller |
bras-l2tp | PPPoE server mode linked to L2TP operation |
BGP mode defines the default advertisement mode for prefixes, based on well-known community tags
Tag | Description |
false | Not included in BGP at all |
no-advertise | Not included in BGP, not advertised at all |
no-export | Not normally exported from local AS/confederation |
local-as | Not exported from local AS |
no-peer | Exported with no-peer community tag |
true | Exported as normal with no special tags added |
Tag | Description |
false | Don't set bit or answer on DHCPv6 |
true | Set bit but do not answer on DHCPv6 |
dhcpv6 | Set bit and do answer on DHCPv6 |
IPv6 route announcement mode and level
Tag | Description |
false | Do not announce |
low | Announce as low priority |
medium | Announce as medium priority |
high | Announce as high priority |
true | Announce as default (medium) priority |
Tag | Description |
false | No fault |
true | Send fault |
off-line | Send offline fault (1G) |
ane | Send ANE fault (1G) |
Tag | Description |
none | No power saving |
link-down | Power save only when link is down |
link-up | Power save only when link is up |
full | Full power saving |
Tag | Description |
Link/Activity | On when link up; blink when Tx or Rx activity |
Link1000/Activity | On when link up at 1G; blink when Tx or Rx activity |
Link100/Activity | On when link up at 100M; blink when Tx or Rx activity |
Link10/Activity | On when link up at 10M; blink when Tx or Rx activity |
Link100-1000/Activity | On when link up at 100M or 1G; blink when Tx or Rx activity |
Link10-1000/Activity | On when link up at 10M or 1G; blink when Tx or Rx activity |
Link10-100/Activity | On when link up at 10M or 100M; blink when Tx or Rx activity |
Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected |
Collision | Blink when collisions detected |
Tx | Blink when Tx activity |
Rx | Blink when Rx activity |
Off | Permanently off |
On | Permanently on |
Link | On when link up |
Link1000 | On when link up at 1G |
Link100 | On when link up at 100M |
Link10 | On when link up at 10M |
Link100-1000 | On when link up at 100M or 1G |
Link10-1000 | On when link up at 10M or 1G |
Link10-100 | On when link up at 10M or 100M |
Duplex | On when full-duplex |
Tag | Description |
prefer-master | Master status negotiated; preference for master |
prefer-slave | Master status negotiated; preference for slave |
force-master | Master status forced |
force-slave | Slave status forced |
Tag | Description |
none | No flow control |
symmetric | Can support two-way flow control |
send-pauses | Can send pauses but does not support pause reception |
any | Can receive pauses and may send pauses if required |
Tag | Description |
half | Half-duplex |
full | Full-duplex |
auto | Duplex determined by autonegotiation |
Tag | Description |
10M | 10Mbit/sec |
100M | 100Mbit/sec |
1G | 1Gbit/sec |
auto | Speed determined by autonegotiation |
Physical port crossover configuration.
Tag | Description |
auto | Crossover is determined automatically |
MDI | Force no crossover |
Tag | Description |
1 | Port 1 |
2 | Port 2 |
3 | Port 3 |
4 | Port 4 |
Tag | Description |
equal | All the same priority |
strict | In order specified |
random | Random order |
calling | Hashed on calling station id |
called | Hashed on called station id |
username | Hashed on full username |
user | Hashed on username before @ |
realm | Hashed on username after @ |
prefix | Hashed on username initial letters and numbers only |
Tag | Description |
Sun | Sunday |
Mon | Monday |
Tue | Tuesday |
Wed | Wednesday |
Thu | Thursday |
Fri | Friday |
Sat | Saturday |
Tag | Description |
Jan | January |
Feb | February |
Mar | March |
Apr | April |
May | May |
Jun | June |
Jul | July |
Aug | August |
Sep | September |
Oct | October |
Nov | November |
Dec | December |
Syslog facility, usually used to control which log file the syslog is written to.
Tag | Description |
KERN | Kernel messages |
USER | User level messges |
MAIL | Mail system |
DAEMON | System Daemons |
AUTH | Security/auth |
SYSLOG | Internal to syslogd |
LPR | Printer |
NEWS | News |
UUCP | UUCP |
CRON | Cron deamon |
AUTHPRIV | private security/auth |
FTP | File transfer |
12 | Unused |
13 | Unused |
14 | Unused |
15 | Unused |
LOCAL0 | Local 0 |
LOCAL1 | Local 1 |
LOCAL2 | Local 2 |
LOCAL3 | Local 3 |
LOCAL4 | Local 4 |
LOCAL5 | Local 5 |
LOCAL6 | Local 6 |
LOCAL7 | Local 7 |
Log severity - different loggable events log at different levels.
Tag | Description |
EMERG | System is unstable |
ALERT | Action must be taken immediately |
CRIT | Critical conditions |
ERR | Error conditions |
WARNING | Warning conditions |
NOTICE | Normal but significant events |
INFO | Informational |
DEBUG | Debug level messages |
NO-LOGGING | No logging |
User login level - commands available are restricted according to assigned level.
Tag | Description |
NOBODY | Unknown or not logged in user |
GUEST | Guest user |
USER | Normal unprivileged user |
ADMIN | System administrator |
DEBUG | System debugger |
Tag | Description |
none | No access unless explicitly listed |
view | View only access (no passwords) |
read | Read only access (with passwords) |
full | Full view and edit access |
Tag | Description |
false | Do no auto load |
factory | Load factory releases |
beta | Load beta test releases |
alpha | Load test releases |
Basic types