I.2. Objects

I.2.1. system: System settings

The system settings are the top level attributes of the system which apply globally.

Table I.3. system: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
contact | string | - | Contact name
dos-delay | unsignedInt | 2 | Interrupt DoS restoration counter, leave at default
dos-limit | unsignedInt | 1000 | Interrupt DoS packet limit, leave at default
intro | string | - | Home page text
location | string | - | Location description
log | string | Web/console | Log system events
log-debug | string | Not logging | Log system debug messages
log-error | string | Web/Flash/console | Log system errors
log-eth | string | Web/console | Log Ethernet messages
log-eth-debug | string | Not logging | Log Ethernet debug
log-eth-error | string | Web/Flash/console | Log Ethernet errors
log-panic | string | Web logs | Log system panic messages
log-stats | string | Not logging | Log one second stats
name | string | - | System hostname
nat64 | IP6Prefix | - | IPv6 NAT6/4 mapping prefix
nat64-source | IP4Addr | - | IPv6 NAT6/4 return IPv4
soft-watchdog | boolean | false | Debug - use only if advised; do not use on an unattended FireBrick
source | string | - | Source of data, used in automated config management
sw-update | autoloadtype | factory | Load new software automatically
sw-update-profile | string | - | Profile name for when to load new s/w

Table I.4. system: Elements

Element | Type | Instances | Description
link | link | Optional, unlimited | Home page links

I.2.2. link: Web links

Links to other web pages

Table I.5. link: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | string | - | Link name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
text | string | - | Link text
url | string | - | Link address

I.2.3. user: Admin users

User names, passwords and abilities for admin users

Table I.6. user: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses
comment | string | - | Comment
config | config-access | full | Config access level
full-name | string | - | Full name
level | user-level | ADMIN | Login level
name | (string) username | Not optional | User name
otp | string | - | OTP serial number
password | Password | Not optional | User password
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in)

I.2.4. log: Log target controls

Named logging target

Table I.7. log: Attributes

Attribute | Type | Default | Description
colour | Colour | - | Colour used in web display
comment | string | - | Comment
console | boolean | - | Log immediately to console
flash | boolean | - | Log immediately to slow flash memory (use with care)
jtag | boolean | - | Log immediately jtag (development use only)
name | string | Not optional | Log target name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management

Table I.8. log: Elements

Element | Type | Instances | Description
email | log-email | Optional, unlimited | Email settings
syslog | log-syslog | Optional, unlimited | Syslog settings

I.2.5. log-syslog: Syslog logger settings

Logging to a syslog server

Table I.9. log-syslog: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
facility | syslog-facility | LOCAL0 | Facility setting
port | unsignedShort | 514 | Server port
profile | string | - | Profile name
server | IPNameAddr | Not optional | Syslog server
severity | syslog-severity | NOTICE | Severity setting
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Use specific source IP
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs

I.2.6. log-email: Email logger settings

Logging to email

Table I.10. log-email: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
delay | duration | 1:00 | Delay before sending, since first event to send
from | string | One made up using serial number | Source email address
hold-off | duration | 1:00:00 | Delay before sending, since last email
log | string | Not logging | Log emailing process
log-debug | string | Not logging | Log emailing debug
log-error | string | Not logging | Log emailing errors
port | unsignedShort | 25 | Server port
profile | string | - | Profile name
retry | duration | 10:00 | Delay before sending, since failed send
server | IPNameAddr | - | Smart host to use rather than MX
source | string | - | Source of data, used in automated config management
subject | string | From first line being logged | Subject
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email
to | string | Not optional | Target email address

I.2.7. services: System services

System services are the generic services that the system provides; this object allows access controls and settings for them to be specified. A service is only active if the corresponding element is included in services; otherwise it is disabled.

Table I.11. services: Elements

Element | Type | Instances | Description
dns | dns-service | Optional | DNS service settings
http | http-service | Optional | HTTP server settings
ntp | ntp-service | Optional | NTP client settings (server not implemented yet)
radius | radius-service | Optional | RADIUS server/proxy settings
snmp | snmp-service | Optional | SNMP server settings
telnet | telnet-service | Optional | Telnet server settings

I.2.8. snmp-service: SNMP service settings

The SNMP service has general service settings and also specific attributes for SNMP, such as community.

Table I.12. snmp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
community | string | public | Community string
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
port | unsignedShort | 161 | Service port
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.9. ntp-service: NTP service settings

The NTP settings define how the system clock is set, from what servers, and the controls for daylight saving (summer time). The defaults are those that apply to the EU.

Table I.13. ntp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
ntpserver | List of IPNameAddr | ntp.firebrick.ltd.uk | List of time servers (IP or hostname) from which time may be set by ntp
poll | duration | 1:00:00 | NTP poll rate
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tz1-name | string | GMT | Timezone 1 name
tz1-offset | duration | 0 | Timezone 1 offset from UTC
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month
tz12-day | day | Sun | Timezone 1 to 2 day of week of change
tz12-month | month | Mar | Timezone 1 to 2 month
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change
tz2-name | string | BST | Timezone 2 name
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month
tz21-day | day | Sun | Timezone 2 to 1 day of week of change
tz21-month | month | Oct | Timezone 2 to 1 month
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change

I.2.10. telnet-service: Telnet service settings

Telnet control interface

Table I.14. telnet-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
port | unsignedShort | 23 | Service port
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.11. http-service: HTTP service settings

Web management pages

Table I.15. http-service: Attributes

Attribute | Type | Default | Description
access-control-allow-origin | string | - | Additional header for cross site javascript
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
css-url | string | - | Additional CSS for web control pages
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
port | unsignedShort | 80 | Service port
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available
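
Per Tables I.12, I.14 and I.15, an snmp or http element with no attributes is reachable from any address (allow defaults to "Allow from anywhere", local-only to false), and snmp answers to the community "public". The audit below is an added example, not FireBrick code: it applies those table defaults to a config, assuming the config is XML whose element and attribute names match the object and attribute names in these tables; the sample config is constructed.

```python
"""Audit the services part of a FireBrick-style XML config (added example)."""
import xml.etree.ElementTree as ET

# Defaults copied from Tables I.12 (snmp), I.14 (telnet) and I.15 (http).
# "allow" has no entry here: when omitted, the tables say "Allow from anywhere".
DEFAULTS = {
    "snmp": {"local-only": "false", "community": "public", "port": "161"},
    "telnet": {"local-only": "true", "port": "23"},
    "http": {"local-only": "false", "port": "80"},
}


def _local(tag):
    """Strip an XML namespace prefix, if present, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _effective(elem, service, attr):
    """Configured value if present, otherwise the documented default."""
    return elem.get(attr, DEFAULTS[service].get(attr))


def audit_services(xml_text):
    """Return a list of (service, finding, detail) tuples in document order."""
    root = ET.fromstring(xml_text.strip())
    services = next(
        (e for e in root.iter() if _local(e.tag) == "services"), None
    )
    if services is None:
        # A service is only active if its element is included in services.
        return []

    findings = []
    for elem in services:
        name = _local(elem.tag)
        if name not in DEFAULTS:
            continue  # this example only covers snmp, telnet and http

        port = _effective(elem, name, "port")
        allow = elem.get("allow")
        local_only = _effective(elem, name, "local-only") == "true"

        # Neither restriction in effect: no allow list, local-only false.
        if allow is None and not local_only:
            findings.append((
                name, "open-to-any-source",
                f"port {port}: no allow list and local-only is false",
            ))

        if name == "snmp" and _effective(elem, name, "community") == "public":
            findings.append((
                name, "default-community",
                "community is the documented default 'public'",
            ))

        if name == "telnet":
            findings.append((
                name, "telnet-enabled",
                "element present, so the unencrypted telnet service is active",
            ))
    return findings


# Constructed sample config (assumed layout, not taken from a real device).
SAMPLE = """
<config>
  <services>
    <snmp/>
    <telnet allow="192.0.2.0/24"/>
    <http local-only="true"/>
    <ntp/>
  </services>
</config>
"""

if __name__ == "__main__":
    for service, finding, detail in audit_services(SAMPLE):
        print(f"{service:7} {finding:20} {detail}")
```

The check treats a service as unrestricted only when both controls are absent, so it does not depend on how allow and local-only combine on the device.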

I.2.12. dns-service: DNS service settings

DNS forwarding resolver service

Table I.16. dns-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain
comment | string | - | Comment
domain | string | - | Our domain
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
profile | string | - | Profile name
resolvers | List of IPAddr | - | Recursive DNS resolvers to use
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

Table I.17. dns-service: Elements

Element | Type | Instances | Description
block | dns-block | Optional, unlimited | Fixed local DNS host blocks
host | dns-host | Optional, unlimited | Fixed local DNS host entries

I.2.13. dns-host: Fixed local DNS host settings

DNS forwarding resolver service

Table I.18. dns-host: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted)
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | string | - | Profile name
restrict | List of IPNameRange | - | List of IP ranges to which this is served
reverse | boolean | - | Map reverse DNS as well
source | string | - | Source of data, used in automated config management
ttl | unsignedInt | 60 | Time to live

I.2.14. dns-block: Fixed local DNS blocks

DNS forwarding resolver service

Table I.19. dns-block: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | List of string | Not optional | Host names (can use * as a part of a domain)
profile | string | - | Profile name
restrict | List of IPNameRange | - | List of IP ranges to which this is served
source | string | - | Source of data, used in automated config management
ttl | unsignedInt | 60 | Time to live

I.2.15. radius-service: RADIUS service definition

RADIUS server and proxy definitions

Table I.20. radius-service: Attributes

Attribute | Type | Default | Description
acct-port | unsignedShort | 1813 | Accounting UDP port
auth-port | unsignedShort | 1812 | Authentication UDP port
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
class | string | - | Class field to send
comment | string | - | Comment
context-name | string | - | Juniper Context-Name (SIN502)
control-port | unsignedShort | 3799 | Control UDP port (CoA/DM)
dummy-ip | boolean | true | Send dummy framed IP response
log | string | Not logging | Log events
log-debug | string | - | Log debug
log-error | string | Log as event | Log errors
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | string | - | Profile name
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
tagged | boolean | - | Tag all attributes that can be
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated)
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP

Table I.21. radius-service: Elements

Element | Type | Instances | Description
match | radius-service-match | Optional, unlimited | Matching rules for specific responses
server | radius-server | Optional, unlimited | RADIUS server settings

I.2.16. radius-service-match: Matching rules for RADIUS service

Rules for matching incoming RADIUS requests

Table I.22. radius-service-match: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Match source IP address of RADIUS request
authenticator | boolean | - | Require message authenticator
backup-ip | List of IPNameAddr | - | Target IP(s) or hostname for backup L2TP connection
called-station-id | List of string | - | One or more patterns to match called-station-id
calling-station-id | List of string | - | One or more patterns to match calling-station-id
class | string | - | Class field to send
comment | string | - | Comment
context-name | string | - | Juniper Context-Name (SIN502)
dummy-ip | boolean | true | Send dummy framed IP response
ip | List of IPNameRange | - | Match target IP address of RADIUS request
name | string | - | Name
nsn-conditional | boolean | - | Only send NSN settings if username is not same as calling station id
nsn-tunnel-override-username | unsignedByte | - | Additional response for GGSN usage
nsn-tunnel-user-auth-method | unsignedInt | - | Additional response for GGSN usage
order | radiuspriority | - | Priority tagging of endpoints sent
profile | string | - | Profile name
relay-ip | List of IPAddr | - | Address to copy RADIUS request
relay-port | unsignedShort | 1812 | Authentication UDP port for copy RADIUS request
relay-table | (unsignedByte 0-99) routetable | - | Routing table number for copy of RADIUS request
secret | Secret | - | Shared secret for RADIUS requests (needed for replies)
source | string | - | Source of data, used in automated config management
tagged | boolean | - | Tag all attributes that can be
target-hostname | string | - | Hostname for L2TP connection
target-ip | List of IPNameAddr | - | Target IP(s) or hostname for primary L2TP connection
target-secret | Secret | - | Shared secret for L2TP connection
test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated)
tunnel-assignment-id | string | - | Tunnel Assignment ID to send
tunnel-client-return | boolean | - | Return tunnel client as radius IP
username | List of string | - | One or more patterns to match username

I.2.17. radius-server: RADIUS server settings

Server settings for outgoing RADIUS

Table I.23. radius-server: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
host | List of IPNameAddr | Not optional | One or more hostname/IPs of RADIUS servers
max-timeout | duration | 20 | Maximum final timeout
min-timeout | duration | 5 | Minimum final timeout
name | string | - | Name
port | unsignedShort | From services/radius settings | UDP port
profile | string | - | Profile name
queue | unsignedInt | - | Concurrent requests over all of these servers (per type)
secret | Secret | Not optional | Shared secret for RADIUS requests
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | - | Routing table number
type | Set of radiustype | All | Server type

I.2.18. ethernet: Physical port controls

Physical port attributes

Table I.24. ethernet: Attributes

Attribute | Type | Default | Description
autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation
clocking | LinkClock | prefer-slave | Gigabit clock setting
crossover | Crossover | auto | Port crossover configuration
duplex | LinkDuplex | auto | Duplex setting for this port
flow | LinkFlow | none | Flow control setting
green | LinkLED | Link/Activity | Green LED setting
optimise | boolean | true | enable PHY optimisations
port | port | Not optional | Physical port
power-saving | LinkPower | full | enable PHY power saving
send-fault | LinkFault | - | Send fault status
shutdown | boolean | false | Power down this port
speed | LinkSpeed | auto | Speed setting for this port
yellow | LinkLED | Tx | Yellow LED setting

I.2.19. portdef: Port grouping and naming

Port grouping and naming

Table I.25. portdef: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | string | Not optional | Name
ports | Set of port | Not optional | Physical port(s)
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management

I.2.20. interface: Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

Table I.26. interface: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
graph | (string) graphname | - | Graph name
link | string | - | Interface to which this is linked at layer 2
log | string | Not logging | Log events including DHCP and related events
log-debug | string | Not logging | Log debug
log-error | string | Log as event | Log errors
mtu | (unsignedShort 576-1600) mtu | 1500 | MTU for this interface
name | string | - | Name
ping | IPAddr | - | Ping address to add loss/latency to graph for interface
port | string | Not optional | Port group name
profile | string | - | Profile name
ra-client | boolean | true | Accept IPv6 RA and create auto config subnets and routes
restrict-mac | boolean | - | Use only one MAC on this interface
source | string | - | Source of data, used in automated config management
source-filter | boolean | - | Source filter traffic received via this interface
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)

Table I.27. interface: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings

I.2.21. subnet: Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

Table I.28. subnet: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by DHCP
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND
bgp | bgpmode | - | BGP announce mode for routes
broadcast | boolean | false | If broadcast address allowed
comment | string | - | Comment
gateway | List of IPAddr | - | One or more gateways to install
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins)
mtu | (unsignedShort 576-1600) mtu | As interface | MTU for subnet
name | string | - | Name
nat | boolean | false | Short cut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules)
profile | string | - | Profile name
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing
ra | ramode | false | If to announce IPv6 RA for this subnet
ra-dns | List of IP6Addr | - | List of recursive DNS servers in route announcements
ra-managed | dhcpv6control | - | RA 'M' (managed) flag
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval
ra-min | (unsignedShort 3-1350) ra-min | - | Min RA send interval
ra-mtu | unsignedShort | As subnet | MTU to use on RA
ra-other | dhcpv6control | - | RA 'O' (other) flag
ra-profile | string | - | Profile, if inactive then forces low priority RA
source | string | - | Source of data, used in automated config management
test | IPAddr | - | Test link state using ARP/ND for this IP
ttl | unsignedByte | 64 | TTL for originating traffic via subnet

I.2.22. vrrp: VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP but forces VRRP low priority. Use a different VRID on different VLANs.

Table I.29. vrrp: Attributes

Attribute | Type | Default | Description
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master
comment | string | - | Comment
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal
interval | unsignedShort | 100 | Transit interval (centiseconds)
ip | List of IPAddr | Not optional | One or more IP addresses to announce
log | string | Not logging | Log events
log-error | string | log as event | Log errors
low-priority | unsignedByte | 1 | Lower priority applicable until routing established
name | string | - | Name
preempt | boolean | true | Whether pre-empt allowed
priority | unsignedByte | 100 | Normal priority
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
test | List of IPAddr | - | List of IPs to which routing must exist else low priority (deprecated)
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3
vrid | unsignedByte | 42 | VRID

I.2.23. dhcps: DHCP server settings

Settings for DHCP server

Table I.30. dhcps: Attributes

Attribute | Type | Default | Description
boot | IP4Addr | - | Next/boot server
boot-file | string | - | Boot filename
class | string | - | Class match
client-name | string | - | Client name match
comment | string | - | Comment
dns | List of IP4Addr | Our IP | DNS resolvers
domain | string | From system settings | DNS domain
force | boolean | - | Send all options even if not requested
gateway | List of IP4Addr | Our IP | Gateway
ip | List of IP4Range | 0.0.0.0/0 | Address pool
lease | duration | 2:00:00 | Lease length
log | string | Not logging | Log events (allocations)
mac | List up to 12 (hexBinary) macprefix | - | Partial or full MAC addresses
name | string | - | Name
ntp | List of IP4Addr | From system settings | NTP server
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
syslog | List of IP4Addr | - | Syslog server
time | List of IP4Addr | Our IP | Time server

Table I.31. dhcps: Elements

Element | Type | Instances | Description
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex)
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP)
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric)
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string)

I.2.24. dhcp-attr-hex: DHCP server attributes (hex)

Additional DHCP server attributes (hex)

Table I.32. dhcp-attr-hex: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code
name | string | - | Name
value | hexBinary | Not optional | Value

I.2.25. dhcp-attr-string: DHCP server attributes (string)

Additional DHCP server attributes (string)

Table I.33. dhcp-attr-string: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code
name | string | - | Name
value | string | Not optional | Value

I.2.26. dhcp-attr-number: DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

Table I.34. dhcp-attr-number: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code
name | string | - | Name
value | unsignedInt | Not optional | Value

I.2.27. dhcp-attr-ip: DHCP server attributes (IP)

Additional DHCP server attributes (IP)

Table I.35. dhcp-attr-ip: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code
name | string | - | Name
value | IP4Addr | Not optional | Value

I.2.28. pppoe: PPPoE settings

PPPoE endpoint settings

Table I.36. pppoe: Attributes

Attribute | Type | Default | Description
ac-name | string | Any a/c name | Access concentrator name
accept-dns | boolean | true | Accept DNS servers specified by far end
bgp | bgpmode | - | BGP announce mode for routes
comment | string | - | Comment
graph | (string) graphname | - | Graph name
ip-over-lcp | boolean | auto | Sends all IP packets as LCP
lcp-rate | unsignedByte | 10 | LCP interval (seconds)
lcp-timeout | unsignedByte | 61 | LCP timeout (seconds)
local | IP4Addr | - | Local IPv4 address
localpref | unsignedInt | 4294967295 | Localpref for route (highest wins)
log | string | Not logging | Log events
log-debug | string | Not logging | Log debug
log-error | string | Not logging | Log as events
mode | pppoe-mode | client | PPPoE server/client mode
mtu | (unsignedShort 576-1600) mtu | 1492 | MTU for link
name | string | - | Name
nat | boolean | false | NAT traffic to this link unless otherwise set
password | Secret | - | User password
pd-interface | List of string | Auto | Interfaces for IPv6 prefix delegation
port | string | - | Physical port number, or port group name
profile | string | - | Profile name
remote | IP4Addr | - | Remote IPv4 address
routes | List of IPPrefix | Default gateway | Routes when link up
service | string | Any service | Service name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Default egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | - | Routing table number for payload
tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS
username | string | - | User name
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)

Table I.37. pppoe: Elements

Element | Type | Instances | Description
route | ppp-route | Optional, unlimited | Routes to apply when ppp link is up

I.2.29. ppp-route: PPP routes

Routes that apply when link is up

Table I.38. ppp-route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | - | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management

I.2.30. route: Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

Table I.39. route: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | - | BGP announce mode for routes
comment | string | - | Comment
gateway | List of IPAddr | Not optional | One or more target gateway IPs
graph | (string) graphname | - | Graph name
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.31. network: Locally originated networks

Network blocks that are announced but not actually added to internal routes - note that blackhole and nowhere objects can also announce but add routing.

Table I.40. network: Attributes

Attribute | Type | Default | Description
as-path | List up to 10 unsignedInt | - | Custom AS path as if network received
bgp | bgpmode | true | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.32. blackhole: Dead end networks

Networks that go nowhere

Table I.41. blackhole: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | false | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.33. loopback: Locally originated networks

Loopback addresses define local IP addresses

Table I.42. loopback: Attributes

Attribute | Type | Default | Description
bgp | bgpmode | - | BGP announce mode for routes
comment | string | - | Comment
ip | List of IPAddr | Not optional | One or more local network addresses
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
profile | string | - | Profile name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

I.2.34. bgp: Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

Table I.43. bgp: Attributes

Attribute | Type | Default | Description
as | unsignedInt | - | Our AS
cluster-id | IP4Addr | - | Our cluster ID
comment | string | - | Comment
id | IP4Addr | - | Our router ID
log | string | Not logging | Log events
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

Table I.44. bgp: Elements

Element | Type | Instances | Description
peer | bgppeer | Optional, up to 50 | List of peers/neighbours

I.2.35. bgppeer: BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.

Table I.45. bgppeer: Attributes

Attribute | Type | Default | Description
add-own-as | boolean | - | Add our AS on exported routes
allow-export | boolean | - | Ignore no-export community and export anyway
allow-only-their-as | boolean | - | Only accept routes that are solely the peers AS
allow-own-as | boolean | - | Allow our AS inbound
as | unsignedInt | - | Peer AS
capability-as4 | boolean | true | If supporting AS4
capability-graceful-restart | boolean | true | If supporting Graceful Restart
capability-mpe-ipv4 | boolean | true | If supporting MPE for IPv4
capability-mpe-ipv6 | boolean | true | If supporting MPE for IPv6
capability-route-refresh | boolean | true | If supporting Route Refresh
comment | string | - | Comment
drop-default | boolean | false | Ignore default route received
export-med | unsignedInt | - | Set MED on exported routes (unless export filter sets it)
holdtime | unsignedInt | 30 | Hold time
ignore-bad-optional-partial | boolean | true | Ignore routes with a recognised badly formed optional that is flagged partial
import-localpref | unsignedInt | - | Set localpref on imported routes (unless import filter sets it)
in-soft | boolean | - | Mark received routes as soft
ip | List of IPAddr | - | One or more IPs of neighbours (omit to allow incoming)
log-debug | string | Not logging | Log debug
max-prefix | (unsignedInt 1-10000) bgp-prefix-limit | 10000 | Limit prefixes (IPv4+IPv6)
md5 | Secret | - | MD5 signing secret
name | string | - | Name
next-hop-self | boolean | false | Force us as next hop outbound
no-fib | boolean | - | Don't include received routes in packet forwarding
pad | unsignedByte | - | Pad (prefix stuff) our AS by this many
profile | string | - | Profile name
same-ip-type | boolean | true | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers
send-default | boolean | false | Send a default route to this peer
send-no-routes | boolean | false | Don't send any normal routes
shutdown | boolean | - | Shutdown this neighbour (deprecated, use profile)
source | string | - | Source of data, used in automated config management
timer-idle | unsignedInt | 60 | Idle time after error
timer-openwait | unsignedInt | 10 | Time to wait for OPEN on connection
timer-retry | unsignedInt | 10 | Time to retry the neighbour
ttl-security | byte | - | Enable RFC5082 TTL security (if +ve, 1 to 127), i.e. 1 for adjacent router. If -ve (-1 to -128) set forced sending TTL, i.e. -1 for TTL of 1 sending, and not checking.
type | peertype | normal | Type of neighbour (affects some defaults)
use-vrrp-as-self | boolean | true | Use VRRP address as self if possible

Table I.46. bgppeer: Elements

Element | Type | Instances | Description
export | bgpmap | Optional | Mapping and filtering rules of announcing prefixes to peer
import | bgpmap | Optional | Mapping and filtering rules of accepting prefixes from peer

I.2.36. bgpmap: Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

Table I.47. bgpmap: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
detag | List of Community | - | List of community tags to remove
drop | boolean | - | Do not import/export this prefix
localpref | unsignedInt | - | Set localpref (highest wins)
med | unsignedInt | - | Set MED
prefix | List of IPFilter | - | Drop all that are not in this prefix list
source | string | - | Source of data, used in automated config management
tag | List of Community | - | List of community tags to add

Table I.48. bgpmap: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | bgprule | Optional, unlimited | List rules, in order of checking |

I.2.37. bgprule: Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

Table I.49. bgprule: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| community | Community | - | Community that must be present to match |
| detag | List of Community | - | List of community tags to remove |
| drop | boolean | - | Do not import/export this prefix |
| localpref | unsignedInt | - | Set localpref (highest wins) |
| med | unsignedInt | - | Set MED |
| name | string | - | Name |
| prefix | List of IPFilter | - | Prefixes that this rule applies to |
| source | string | - | Source of data, used in automated config management |
| tag | List of Community | - | List of community tags to add |

I.2.38. cqm: Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.

Table I.50. cqm: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| ave | Colour | #08f | Colour for average latency |
| axis | Colour | black | Axis colour |
| background | Colour | white | Background colour |
| bottom | unsignedByte | 11 | Pixels space at bottom of graph |
| dateformat | string | %Y-%m-%d | Date format |
| dayformat | string | %a | Day format |
| fail | Colour | red | Colour for failed (dropped) seconds |
| fail-level | unsignedInt | 1 | Fail level not expected on low usage |
| fail-level1 | unsignedByte | 3 | Loss level 1 |
| fail-level2 | unsignedByte | 50 | Loss level 2 |
| fail-score | unsignedByte | 200 | Score for fail and low usage |
| fail-score1 | unsignedByte | 100 | Score for on/above level 1 |
| fail-score2 | unsignedByte | 200 | Score for on/above level 2 |
| fail-usage | unsignedInt | 128000 | Usage below which fail is not expected |
| fblogo | Colour | #bd1220 | Colour for logo |
| graticule | Colour | grey | Graticule colour |
| heading | string | - | Heading of graph |
| hourformat | string | %H | Hour format |
| key | unsignedByte | 90 | Pixels space for key |
| label-ave | string | Av | Label for average latency |
| label-damp | string | Damp% | Label for % shaper damping |
| label-fail | string | %Fail | Label for seconds (%) failed |
| label-latency | string | Latency | Label for latency |
| label-max | string | Max | Label for maximum latency |
| label-min | string | Min | Label for minimum latency |
| label-off | string | Off | Label for off line seconds |
| label-period | string | Period | Label for period |
| label-poll | string | Polls | Label for polls |
| label-rej | string | %Reject | Label for rejected seconds |
| label-rx | string | Rx | Label for Rx traffic level |
| label-score | string | Score | Label for score |
| label-sent | string | Sent | Label for seconds polled |
| label-shaper | string | Shaper | Label for shaper |
| label-time | string | Time | Label for time |
| label-traffic | string | Traffic (bit/s) | Label for traffic level |
| label-tx | string | Tx | Label for Tx traffic level |
| latency-level | unsignedInt | 100000000 | Latency level not expected on low usage |
| latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns) |
| latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns) |
| latency-score | unsignedByte | 200 | Score for high latency and low usage |
| latency-score1 | unsignedByte | 10 | Score for on/above level 1 |
| latency-score2 | unsignedByte | 20 | Score for on/above level 2 |
| latency-usage | unsignedInt | 128000 | Usage below which latency is not expected |
| left | unsignedByte | 0 | Pixels space left of main graph |
| log | string | Not logging | Log events |
| max | Colour | green | Colour for maximum latency |
| min | Colour | #008 | Colour for minimum latency |
| ms-max | positiveInteger | 500 | ms max height |
| off | Colour | #c8f | Colour for off line seconds |
| outside | Colour | transparent | Colour for outer border |
| ping-update | duration | 1:00:00 | Interval for periodic updates |
| ping-url | string | - | URL for ping list |
| rej | Colour | #f8c | Colour for off line seconds |
| right | unsignedByte | 50 | Pixels space right of main graph |
| rx | Colour | #800 | Colour for Rx traffic level |
| secret | Secret | - | Secret for MD5 coded URLs |
| sent | Colour | #ff8 | Colour for polled seconds |
| share-interface | string | - | Interface on which to broadcast data for shaper sharing |
| share-secret | string | - | Secret to validate shaper sharing |
| subheading | string | - | Subheading of graph |
| text | Colour | black | Colour for text |
| text1 | string | - | Text line 1 |
| text2 | string | - | Text line 2 |
| text3 | string | - | Text line 3 |
| text4 | string | - | Text line 4 |
| timeformat | string | %Y-%m-%d %H:%M:%S | Time format |
| top | unsignedByte | 4 | Pixels space at top of graph |
| tx | Colour | #080 | Colour for Tx traffic level |

I.2.39. l2tp: L2TP settings

L2TP settings for incoming and outgoing L2TP connections

Table I.51. l2tp: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| accounting-interval | duration | 1:00:00 | Periodic interim accounting interval |

Table I.52. l2tp: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections |
| outgoing | l2tp-outgoing | Optional, unlimited | Outgoing L2TP connections |

I.2.40. l2tp-outgoing: L2TP settings for outgoing L2TP connections

L2TP tunnel settings for outgoing L2TP connections

Table I.53. l2tp-outgoing: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| bgp | bgpmode | - | BGP announce mode for routes |
| called | string | - | called-station-id to send |
| calling | string | - | calling-station-id to send |
| comment | string | - | Comment |
| fail-lockout | unsignedByte | 1 | Interval kept in failed state |
| graph | string | - | Graph name |
| hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames |
| hello-interval | unsignedByte | 10 | Interval between HELLO messages |
| hostname | string | - | Hostname quoted on incoming tunnel |
| ip | IPAddr | Not optional | IP of far end |
| lcp-rate | unsignedByte | 10 | LCP interval (seconds) |
| lcp-timeout | unsignedByte | 61 | LCP timeout (seconds) |
| local | IP4Addr | - | Local IPv4 address |
| localpref | unsignedInt | 4294967295 | Localpref for remote-ip/routes (highest wins) |
| log | string | Not logging | Log events |
| log-debug | string | Not logging | Log debug |
| log-error | string | Log as event | Log errors |
| min-retry | duration | PT10S | Minimum session time before retrying connection |
| mtu | (unsignedShort 576-1600) mtu | - | Default MTU for sessions in this tunnel |
| name | string | - | Name |
| open-timeout | unsignedByte | 10 | Interval before OPEN considered failed |
| password | Secret | - | Password for login |
| payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
| profile | string | - | Profile name |
| remote | IP4Addr | - | Remote IPv4 address |
| retry-timeout | unsignedByte | 10 | Interval to retry sending control messages before fail |
| routes | List of IPPrefix | Default gateway | Routes when link up |
| rx-speed | unsignedInt | - | Send ingress rate (b/s) |
| secret | Secret | - | Shared secret |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for L2TP session |
| tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS |
| tx-speed | unsignedInt | - | Egress rate limit (b/s) |
| username | string | - | User name for login |

Table I.54. l2tp-outgoing: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | ppp-route | Optional, unlimited | Routes to apply when link is up |

I.2.41. l2tp-incoming: L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

Table I.55. l2tp-incoming: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| allow | List of IPNameRange | - | List of IP ranges from which connects can be made |
| bgp | bgpmode | - | BGP announce mode for routes |
| comment | string | - | Comment |
| damping | boolean | false | Apply damping to sessions if limiting on shaper |
| dhcpv6dns | List of IP6Addr | - | List of IPv6 DNS servers |
| dos-limit | unsignedInt | 10000 | Per second per session tx packet drop limit for DOS protection |
| fail-lockout | unsignedByte | 60 | Interval kept in failed state |
| graph | string | - | Graph name |
| hdlc | boolean | true | Send HDLC header (FF03) on all PPP frames |
| hello-interval | unsignedByte | 60 | Interval between HELLO messages |
| hostname | string | - | Hostname quoted on incoming tunnel |
| icmp-ppp | boolean | false | Use PPP endpoint for ICMP |
| ipv6ep | IP4Addr | - | Local end IPv4 for IPv6 tunnels |
| lcp-mru-fix | boolean | false | Restart LCP if RAS negotiated MRU is too high |
| lcp-rate | unsignedByte | 1 | LCP interval (seconds) |
| lcp-timeout | unsignedByte | 10 | LCP timeout (seconds) |
| log | string | Not logging | Log events |
| log-debug | string | Not logging | Log debug |
| log-error | string | Log as event | Log errors |
| mtu | (unsignedShort 576-1600) mtu | - | Default MTU for sessions in this tunnel |
| name | string | - | Name |
| open-timeout | unsignedByte | 60 | Interval before OPEN considered failed |
| payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
| pppdns1 | IP4Addr | - | PPP DNS1 IPv4 default |
| pppdns2 | IP4Addr | - | PPP DNS2 IPv4 default |
| pppip | IP4Addr | - | Local end PPP IPv4 |
| profile | string | - | Profile name |
| radius | string | - | Name for RADIUS server config to use |
| relay-nas-ip | boolean | true | Pass remote L2TP endpoint as NAS IP |
| require-platform | boolean | false | All sessions require a platform RADIUS first |
| require-radius-acct | boolean | - | Close session if cannot do RADIUS accounting |
| retry-timeout | unsignedByte | 60 | Interval to retry sending control messages before fail |
| secret | Secret | - | Shared secret |
| shutdown | boolean | false | Refuse all new sessions or tunnels |
| source | string | - | Source of data, used in automated config management |
| speed | unsignedInt | - | Default egress rate limit (b/s) |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for L2TP session |
| tcp-mss-fix | boolean | false | Adjust MSS option in TCP SYN to fix session MSS |
| test | List of IPAddr | - | List of IPs to which routing must exist else tunnel dropped (deprecated) |

Table I.56. l2tp-incoming: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | l2tp-relay | Optional, unlimited | Rules for relaying connections and local authentication |

I.2.42. l2tp-relay: Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

Table I.57. l2tp-relay: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| called-station-id | List of string | - | One or more patterns to match called-station-id |
| calling-station-id | List of string | - | One or more patterns to match calling-station-id |
| comment | string | - | Comment |
| graph | (string) graphname | - | Graph name |
| ip-over-lcp | boolean | - | Send IP over LCP (local auth) |
| localpref | unsignedInt | 4294967295 | Localpref for remote-ip/routes (highest wins) |
| name | string | - | Name |
| password | Secret | - | Password check |
| profile | string | - | Profile name |
| relay-hostname | string | - | Hostname for L2TP connection |
| relay-ip | List of IPAddr | - | Target IP(s) for L2TP connection |
| relay-pick | boolean | - | If set, try one of the relay IPs at random first |
| relay-secret | Secret | - | Shared secret for L2TP connection |
| remote-ip | IP4Addr | - | Remote end PPP IPv4 (local auth) |
| remote-netmask | IP4Addr | - | Remote end PPP Netmask (local auth) |
| routes | List of IPPrefix | - | Additional routes when link up (local auth) |
| source | string | - | Source of data, used in automated config management |
| test | List of IPAddr | - | List of IPs that must have routing for this target to be valid (deprecated) |
| username | List of string | - | One or more patterns to match username |

I.2.43. fb105: FB105 tunnel definition

FB105 tunnel definition

Table I.58. fb105: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| bgp | bgpmode | - | BGP announce mode for routes |
| comment | string | - | Comment |
| fast-udp | boolean | true | Send UDP packets marked not to be reordered |
| graph | (string) graphname | - | Graph name |
| internal-ip | IP4Addr | local-ip | Internal IP for traffic originated and sent down tunnel |
| ip | IP4Addr | dynamic tunnel | Far end IP |
| keep-alive | boolean | true if ip set | Constantly send keep alive packets |
| local-id | unsignedByte | Not optional | Unique local end tunnel ID |
| local-ip | IP4Addr | - | Force specific local end IP |
| localpref | unsignedInt | 4294967295 | Localpref for route (highest wins) |
| log | string | Not logging | Log events |
| log-error | string | Log as event | Log errors |
| mtu | unsignedShort | 1500 | MTU for wrapped packets |
| name | string | - | Name |
| ospf-cost | unsignedShort | 1000 | Link cost, forces default OSPF on link if set even if OSPF not otherwise configured |
| payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
| port | unsignedShort | 1 | UDP port to use |
| profile | string | - | Profile name |
| remote-id | unsignedByte | Not optional | Unique remote end tunnel ID |
| reorder | boolean | false | Reorder incoming tunnel packets |
| reorder-maxq | (unsignedInt 1-100) fb105-reorder-maxq | 32 | Max queue length for out of order packets |
| reorder-timeout | (unsignedInt 10-5000) fb105-reorder-timeout | 100 | Max time to delay out of order packet (ms) |
| routes | List of IPPrefix | - | Routes when link up |
| secret | Secret | Unsigned | Shared secret for tunnel |
| set | unsignedByte | - | Set ID for reorder ID tagging (create a set of tunnels together) |
| sign-all | boolean | false | All packets must be signed, not just keepalives |
| source | string | - | Source of data, used in automated config management |
| speed | unsignedInt | no shaping | Egress rate limit used (b/s) |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for tunnel wrappers |
| tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |

Table I.59. fb105: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | fb105-route | Optional, unlimited | Routes to apply to tunnel when up |

I.2.44. fb105-route: FB105 routes

Routes for prefixes that are sent to the FB105 tunnel when up

Table I.60. fb105-route: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| bgp | bgpmode | - | BGP announce mode for routes |
| comment | string | - | Comment |
| ip | List of IPPrefix | Not optional | One or more network prefixes |
| localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
| name | string | - | Name |
| profile | string | - | Profile name |
| source | string | - | Source of data, used in automated config management |

I.2.45. ipsec: IPsec configuration

IPsec configuration

Table I.61. ipsec: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| auth-algorithm | ipsec-auth-algorithm | null | Manual setting for authentication algorithm |
| auth-key | hexBinary | - | Manual key for authentication |
| bgp | bgpmode | - | BGP announce mode for routes |
| comment | string | - | Comment |
| crypt-algorithm | ipsec-crypt-algorithm | null | Manual setting for encryption algorithm |
| crypt-key | hexBinary | - | Manual key for encryption |
| graph | (string) graphname | - | Graph name |
| internal-ipv4 | IP4Addr | local-ip | Internal IPv4 for traffic originated on the FireBrick and sent down tunnel |
| internal-ipv6 | IP6Addr | local-ip | Internal IPv6 for traffic originated on the FireBrick and sent down tunnel |
| local-ip | IPAddr | - | Local end IP for tunnel |
| local-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Local Security Parameters Index |
| localpref | unsignedInt | 4294967295 | Localpref for route (highest wins) |
| log | string | Not logging | Log events |
| log-debug | string | Not logging | Log debug |
| log-error | string | Log as event | Log errors |
| mode | ipsec-mode | tunnel | Encapsulation mode |
| mtu | unsignedShort | 1500 | MTU for wrapped packets |
| name | string | - | Name |
| ospf-cost | unsignedShort | 1000 | Link cost, forces default OSPF on link if set even if OSPF not otherwise configured |
| outer-spi | (unsignedInt 256-4294967295) ipsec-spi | - | Security Parameters Index for outer header |
| payload-table | (unsignedByte 0-99) routetable | 0 | Routing table number for payload traffic |
| profile | string | - | Profile name |
| remote-ip | IPAddr | - | Far end IP for tunnel |
| remote-spi | (unsignedInt 256-4294967295) ipsec-spi | Not optional | Remote Security Parameters Index |
| routes | List of IPPrefix | - | Routes when link up |
| source | string | - | Source of data, used in automated config management |
| speed | unsignedInt | no shaping | Egress rate limit used (b/s) |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for tunnel wrappers |
| tcp-mss-fix | boolean | true | Adjust MSS option in TCP SYN to fix session MSS |
| type | ipsec-type | ESP | Encapsulation type |

Table I.62. ipsec: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | ipsec-route | Optional, unlimited | Routes to apply to tunnel when up |

I.2.46. ipsec-route: IPsec tunnel routes

Routes for prefixes that are sent to the IPsec tunnel when up

Table I.63. ipsec-route: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| bgp | bgpmode | - | BGP announce mode for routes |
| comment | string | - | Comment |
| ip | List of IPPrefix | Not optional | One or more network prefixes |
| localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
| name | string | - | Name |
| profile | string | - | Profile name |
| source | string | - | Source of data, used in automated config management |

I.2.47. ping: Ping/graph definition

Base ping config - additional ping targets set via web API or other means

Table I.64. ping: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| graph | (string) graphname | Not optional | Graph name |
| ip | IPNameAddr | Not optional | Far end IP |
| name | string | - | Name |
| size | (unsignedInt 0-1472) ping-size | 0 | Payload size |
| slow | boolean | Auto | Slow polling |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending pings |

I.2.48. profile: Control profile

General on/off control profile used in various places in the config.

Table I.65. profile: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| and | List of string | - | Active if all specified profiles are active as well as all other tests passing, including 'not' |
| comment | string | - | Comment |
| fb105 | List of string | - | FB105 tunnel state (any of these active) |
| initial | boolean | true | Defines state at system startup if not using set |
| interval | duration | 1 | Time between tests (e.g. seconds) |
| invert | boolean | - | Invert final result of testing |
| log | string | Not logging | Log target |
| log-debug | string | Not logging | Log additional information |
| name | string | Not optional | Profile name |
| not | string | - | Active if specified profile is inactive as well as all other tests passing, including 'and' |
| or | List of string | - | Active if any of these other profiles active regardless of other tests (including 'not' or 'and') |
| ppp | List of string | - | PPP link state (any of these are up) |
| recover | duration | 1 | Time before recover (i.e. how long test has been passing) |
| route | List of IPAddr | - | Test passes if all specified addresses are routeable |
| set | boolean | - | Manual override, ignore ALL other settings |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | - | Routing table for ping/route |
| timeout | duration | 10 | Time before timeout (i.e. how long test has been failing) |
| vrrp | List of string | - | VRRP state (any of these is master) |

Table I.66. profile: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| date | profile-date | Optional, unlimited | Test passes if within any date range specified |
| ping | profile-ping | Optional | Test passes if address is answering pings |
| time | profile-time | Optional, unlimited | Test passes if within any time range specified |

I.2.49. profile-date: Test passes if within any of the time ranges specified

Time range test in profiles

Table I.67. profile-date: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| start | dateTime | - | Start (YYYY-MM-DDTHH:MM:SS) |
| stop | dateTime | - | End (YYYY-MM-DDTHH:MM:SS) |

I.2.50. profile-time: Test passes if within any of the date/time ranges specified

Time range test in profiles

Table I.68. profile-time: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| days | Set of day | - | Which days of week apply, default all |
| start | time | - | Start (HH:MM:SS) |
| stop | time | - | End (HH:MM:SS) |

I.2.51. profile-ping: Test passes if any addresses are pingable

Ping targets

Table I.69. profile-ping: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| flow | unsignedShort | - | Flow label (IPv6) |
| gateway | IPAddr | - | Ping via specific gateway (bypasses session tracking if set) |
| ip | IPAddr | Not optional | Target IP |
| source-ip | IPAddr | - | Source IP |
| ttl | unsignedByte | - | Time to live / Hop limit |

I.2.52. shaper: Traffic shaper

Settings for a named traffic shaper

Table I.70. shaper: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| name | (string) graphname | Not optional | Graph name |
| rx | unsignedInt | - | Rx rate limit/target (b/s) |
| rx-max | unsignedInt | - | Rx rate limit max |
| rx-min | unsignedInt | - | Rx rate limit min |
| rx-min-burst | duration | - | Rx minimum allowed burst time |
| rx-step | unsignedInt | - | Rx rate reduction per hour |
| share | boolean | - | If shaper is shared with other devices |
| source | string | - | Source of data, used in automated config management |
| tx | unsignedInt | - | Tx rate limit/target (b/s) |
| tx-max | unsignedInt | - | Tx rate limit max |
| tx-min | unsignedInt | - | Tx rate limit min |
| tx-min-burst | duration | - | Tx minimum allowed burst time |
| tx-step | unsignedInt | - | Tx rate reduction per hour |

Table I.71. shaper: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| override | shaper-override | Optional, unlimited | Profile specific variations on main settings |

I.2.53. shaper-override: Traffic shaper override based on profile

Settings for a named traffic shaper

Table I.72. shaper-override: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| profile | string | Not optional | Profile name |
| rx | unsignedInt | - | Rx rate limit/target (b/s) |
| rx-max | unsignedInt | - | Rx rate limit max |
| rx-min | unsignedInt | - | Rx rate limit min |
| rx-min-burst | duration | - | Rx minimum allowed burst time |
| rx-step | unsignedInt | - | Rx rate reduction per hour |
| source | string | - | Source of data, used in automated config management |
| tx | unsignedInt | - | Tx rate limit/target (b/s) |
| tx-max | unsignedInt | - | Tx rate limit max |
| tx-min | unsignedInt | - | Tx rate limit min |
| tx-min-burst | duration | - | Tx minimum allowed burst time |
| tx-step | unsignedInt | - | Tx rate reduction per hour |

I.2.54. ip-group: IP Group

Named IP group

Table I.73. ip-group: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| ip | List of IPRange | - | One or more IP ranges or IP/len |
| name | string | Not optional | Name |
| source | string | - | Source of data, used in automated config management |
| users | List of string | - | Include IP of (time limited) logged in web users |

I.2.55. route-override: Routing override rules

Routing override rules

Table I.74. route-override: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| name | string | - | Name |
| profile | string | - | Profile name |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Applicable routing table |

Table I.75. route-override: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| rule | session-route-rule | Optional, unlimited | Individual rules, first match applies |

I.2.56. session-route-rule: Routing override rule

Routing override rule

Table I.76. session-route-rule: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| name | string | - | Name |
| profile | string | - | Profile name |
| protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
| set-gateway | IPAddr | - | New gateway |
| set-graph | string | - | Graph name for shaping/logging (if not set by rule-set) |
| set-nat | boolean | - | Changed source IP and port to local for NAT |
| source | string | - | Source of data, used in automated config management |
| source-interface | List of string | - | Source interface(s) |
| source-ip | List of IPNameRange | - | Source IP address range(s) |
| source-port | List of PortRange | - | Source port(s) |
| target-interface | List of string | - | Target interface(s) |
| target-ip | List of IPNameRange | - | Target IP address range(s) |
| target-port | List of PortRange | - | Target port(s) |

Table I.77. session-route-rule: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| share | session-route-share | Optional, unlimited | Load shared actions |

I.2.57. session-route-share: Route override load sharing

Route override setting for load sharing

Table I.78. session-route-share: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| profile | string | - | Profile name |
| set-gateway | IPAddr | - | New gateway |
| set-graph | string | - | Graph name for shaping/logging (if not set by rule-set) |
| set-nat | boolean | - | Changed source IP and port to local for NAT |
| weight | positiveInteger | 1 | Weighting of load share |

I.2.58. rule-set: Firewall/mapping rule set

Firewalling rule set with entry criteria and default actions

Table I.79. rule-set: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| interface | List of string | - | Source or target interface(s) |
| ip | List of IPNameRange | - | Source or target IP address range(s) |
| log | string | Not logging | Log session start |
| log-end | string | Not logging | Log session end |
| log-no-match | string | log-start | Log if no match |
| name | string | - | Name |
| no-match-action | firewall-action | Not optional | Default if no rule matches |
| profile | string | - | Profile name |
| protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
| source | string | - | Source of data, used in automated config management |
| source-interface | List of string | - | Source interface(s) |
| source-ip | List of IPNameRange | - | Source IP address range(s) |
| source-port | List of PortRange | - | Source port(s) |
| table | (unsignedByte 0-99) routetable | 0 | Applicable routing table |
| target-interface | List of string | - | Target interface(s) |
| target-ip | List of IPNameRange | - | Target IP address range(s) |
| target-port | List of PortRange | - | Target port(s) |

Table I.80. rule-set: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| ip-group | ip-group | Optional, unlimited | Named IP groups |
| rule | session-rule | Optional, unlimited | Individual rules, first match applies |

I.2.59. session-rule: Firewall rules

Firewall rule

The individual firewall rules are checked in order within the rule-set, and the first match is applied. The default action for a rule is continue, so once a rule with no explicit action has matched, the next rule-set is considered.

Table I.81. session-rule: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| action | firewall-action | continue | Action taken on match |
| comment | string | - | Comment |
| interface | List of string | - | Source or target interface(s) |
| ip | List of IPNameRange | - | Source or target IP address range(s) |
| log | string | As rule-set | Log session start |
| log-end | string | As rule-set | Log session end |
| name | string | - | Name |
| profile | string | - | Profile name |
| protocol | List of unsignedByte | - | Protocol(s) [1=ICMP, 6=TCP, 17=UDP] |
| set-gateway | IPAddr | - | New gateway |
| set-graph | string | - | Graph name for shaping/logging |
| set-initial-timeout | duration | - | Initial time-out |
| set-nat | boolean | - | Changed source IP and port to local for NAT |
| set-ongoing-timeout | duration | - | Ongoing time-out |
| set-reverse-graph | string | - | Graph name for shaping/logging (far side of session) |
| set-source-ip | IPAddr | - | New source IP |
| set-source-port | unsignedShort | - | New source port |
| set-table | (unsignedByte 0-99) routetable | - | Set new routing table |
| set-target-ip | IPAddr | - | New target IP |
| set-target-port | unsignedShort | - | New target port |
| source | string | - | Source of data, used in automated config management |
| source-interface | List of string | - | Source interface(s) |
| source-ip | List of IPNameRange | - | Source IP address range(s) |
| source-port | List of PortRange | - | Source port(s) |
| target-interface | List of string | - | Target interface(s) |
| target-ip | List of IPNameRange | - | Target IP address range(s) |
| target-port | List of PortRange | - | Target port(s) |

Table I.82. session-rule: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| share | session-share | Optional, unlimited | Load shared actions |
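
The first-match and default-continue behaviour described for session-rule above can be checked offline before a config is loaded. The following is an added example, not FireBrick code: it models only the protocol, IP and port criteria, and the `<config>` wrapper, the space-separated list and `low-high` port syntax, the `accept`/`drop` action values and the skipping of rule-sets whose entry criteria do not match are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment. Element and attribute names come from the rule-set and
# session-rule tables; the wrapper element, list syntax and the action values
# other than "continue" are assumptions made for this example.
SAMPLE = """
<config>
  <rule-set name="to-servers" target-ip="192.0.2.0/24" no-match-action="drop">
    <rule name="mgmt" protocol="6" source-ip="198.51.100.0/24"
          target-port="22" action="accept"/>
    <rule name="low-ports" protocol="6" target-port="1-1023"/>
    <rule name="no-telnet" protocol="6" target-port="23" action="drop"/>
  </rule-set>
  <rule-set name="blocklist" source-ip="203.0.113.0/24" no-match-action="drop"/>
</config>
"""


def _ip_in(addr, spec):
    """True if addr falls inside any address or prefix in the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(item, strict=False)
               for item in spec.split())


def _port_in(port, spec):
    """True if port falls inside any single port or low-high range."""
    for item in spec.split():
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def matches(elem, session):
    """Every criterion present on the element must match; absent ones are wild."""
    tests = {
        "protocol": lambda spec: str(session["protocol"]) in spec.split(),
        "source-ip": lambda spec: _ip_in(session["source-ip"], spec),
        "target-ip": lambda spec: _ip_in(session["target-ip"], spec),
        "source-port": lambda spec: _port_in(session["source-port"], spec),
        "target-port": lambda spec: _port_in(session["target-port"], spec),
    }
    return all(test(elem.get(attr)) for attr, test in tests.items()
               if elem.get(attr) is not None)


def evaluate(config_xml, session):
    """Return (final action, trace of (rule-set, matched rule, action))."""
    trace = []
    for rule_set in ET.fromstring(config_xml).findall("rule-set"):
        if not matches(rule_set, session):
            continue  # entry criteria not met (assumed: rule-set is skipped)
        hit, action = "(no-match-action)", rule_set.get("no-match-action")
        for rule in rule_set.findall("rule"):
            if matches(rule, session):
                # First match applies; a rule without 'action' means continue.
                hit, action = rule.get("name"), rule.get("action", "continue")
                break
        trace.append((rule_set.get("name"), hit, action))
        if action != "continue":
            return action, trace
    # No rule-set gave a final action; what the device does next is not modelled.
    return "continue", trace


def session(src, dport, proto=6, dst="192.0.2.10", sport=40000):
    """Build a constructed test session."""
    return {"protocol": proto, "source-ip": src, "source-port": sport,
            "target-ip": dst, "target-port": dport}


if __name__ == "__main__":
    for s in (session("198.51.100.7", 22), session("198.51.100.7", 23),
              session("203.0.113.5", 443), session("198.51.100.7", 53, proto=17)):
        print(s["source-ip"], s["target-port"], evaluate(SAMPLE, s))
```

In the sample, the `no-telnet` rule is never reached: `low-ports` matches port 23 first and, having no `action`, hands the session to the next rule-set instead of dropping it.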

I.2.60. session-share: Firewall load sharing

Firewall actions for load sharing

Table I.83. session-share: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| comment | string | - | Comment |
| profile | string | - | Profile name |
| set-gateway | IPAddr | - | New gateway |
| set-graph | string | - | Graph name for shaping/logging |
| set-nat | boolean | - | Changed source IP and port to local for NAT |
| set-reverse-graph | string | - | Graph name for shaping/logging (far side of session) |
| set-source-ip | IPAddr | - | New source IP |
| set-source-port | unsignedShort | - | New source port |
| set-table | (unsignedByte 0-99) routetable | - | Set new routing table |
| set-target-ip | IPAddr | - | New target IP |
| set-target-port | unsignedShort | - | New target port |
| weight | positiveInteger | 1 | Weighting of load share |

I.2.61. voip: Voice over IP config

Voice over IP config

Table I.84. voip: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| area-code | string | - | Local area code (without national prefix) |
| comment | string | - | Comment |
| country | string | 44 | Local country code |
| emergency | List of string | 112 999 | Emergency numbers |
| international | string | 00 | International dialling prefix |
| local-digits | string | 23456789 | Local numbers start with these digits |
| local-min-len | unsignedByte | 5 | Local numbers min length |
| log | string | Not logging | Log calls |
| log-blf-debug | string | Not logging | Log subscribe/notify SIP messages |
| log-cdr | string | Not logged | Log CDR records |
| log-debug | string | Not logging | Log debug and SIP messages |
| log-error | string | Log as event | Log errors |
| log-register | string | Not logging | Log registrations |
| log-register-debug | string | Not logging | Log registration SIP messages |
| national | string | 0 | National dialling prefix |
| pabx | boolean | true | Operate as office PABX |
| pickup | string | * | Call pickup/steal prefix |
| radius-call | string | - | Name for RADIUS server config to use call routing |
| radius-cdr | string | - | Name for RADIUS server config to use for CDRs |
| radius-challenge | boolean | - | Send RADIUS auth to get challenge response |
| radius-register | string | - | Name for RADIUS server config to use for registrations |
| realm | string | FireBrick | Default realm |
| record-mandatory | boolean | - | Drop call if recording fails |
| record-server | string | - | Call recording server hostname or address |
| release | string | 1470 | CLI release prefix |
| security-replies | boolean | true | Don't challenge or error reply to unrecognised non local IP request |
| source | string | - | Source of data, used in automated config management |
| withhold | string | 141 | CLI withhold prefix |

Table I.85. voip: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| carrier | carrier | Optional, up to 200 | VoIP carriers |
| group | ringgroup | Optional, up to 20 | Ring groups |
| telephone | telephone | Optional, up to 200 | VoIP users |
| tone | tone | Optional, up to 25 | Defined tones |

I.2.62. carrier: VoIP carrier details

VoIP carrier details

Table I.86. carrier: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which invite accepted |
| cli-format | voip-format | national | CLI number format for outgoing calls |
| comment | string | - | Comment |
| cui | string | - | Chargeable user identity for call accounting of incoming calls |
| display-name | string | - | Text name to use |
| expires | duration | 1:00:00 | Registration expiry time |
| extn | string | - | Local number assumed dialled for incoming calls |
| force-dtmf | boolean | - | Always send DTMF in-band |
| from | string | - | From SIP address for outbound registration and invites |
| incoming-format | voip-format | national | Dialled number format for incoming calls |
| max-calls | unsignedInt | - | Maximum simultaneous calls allowed |
| name | string | Not optional | Carrier name |
| outgoing-format | voip-format | national | Dialled number format for outgoing calls |
| password | Secret | - | Carrier password for outbound registration or inbound authenticated calls |
| profile | string | - | Profile name |
| proxy | string | - | Carrier proxy hostname or address for registration and calls |
| registrar | string | - | Carrier hostname for registration |
| source | string | - | Source of data, used in automated config management |
| source-ip | IPAddr | - | Source IP to use |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number |
| to | string | - | To SIP request address for inbound invites, may be @domain for any at a domain |
| trust-cli | boolean | true | Trust inbound calling line identity |
| username | string | - | Carrier username for outbound registration or inbound authenticated calls |
| withhold | string | - | Mark withheld outbound calls using this dial prefix and send CLI in remote party id |

I.2.63. telephone: VoIP telephone authentication user details

VoIP telephone details

Table I.87. telephone: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which registration accepted |
| allow-pickup | List of string | Allow all if PABX mode | Only allow pickup from these extensions |
| allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions |
| area-code | string | - | Local area code (without national prefix) for use from this phone |
| carrier | string | - | Carrier to use for outbound calls |
| comment | string | - | Comment |
| cui | string | - | Chargeable user identity for call accounting |
| ddi | string | - | Full telephone number (international format starting +) |
| display-name | string | - | Text name to use |
| email | string | - | Email address (sent to call recording server) |
| expires | duration | 1:00:00 | Registration expiry time |
| extn | string | - | Local extension number |
| local-only | boolean | true | Restrict access to registrations from Ethernet subnets only |
| max-calls | unsignedInt | - | Maximum simultaneous calls allowed |
| name | string | Not optional | User name (local part of 'from') |
| password | Secret | - | Authentication password |
| profile | string | - | Profile name |
| realm | string | - | Realm |
| record | recordoption | - | Automatically record calls |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number |
| uk-cli-text | uknumberformat | Auto | Send display name as UK formatted number |
| username | string | - | Authentication username |
| wrap-up | duration | - | Wrap up time before new call |

I.2.64. tone: Tone definitions

Definition of tones used

Table I.88. tone: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| name | string | Not optional | Tone name |
| plan | string | Not optional | Plan for frequency and duration, e.g. 400ms@400Hz-3dB+450Hz-3dB |

I.2.65. ringgroup: Ring groups

Ring groups

Table I.89. ringgroup: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| allow-pickup | List of string | - | Only allow pickup from these extensions |
| allow-subscribe | List of string | - | Only allow subscribe (Busy Lamp Field) from these extensions |
| answer-time | duration | 30 | Answer caller if ringing this long |
| comment | string | - | Comment |
| cui | string | - | Chargeable user identity for call accounting |
| ddi | string | - | Full telephone number (international format starting +) |
| display-name | string | - | Text name to use |
| email | string | - | Email address (sent to call recording server) |
| extn | string | - | Local extension number |
| limit | unsignedByte | - | Number allowed to queue |
| name | string | Not optional | Group name |
| order | ring-group-order | strict | Order of ring |
| out-of-hours | List of string | - | Numbers to ring if out of profile |
| overflow | List of string | - | Numbers to ring when more than one call in queue |
| overflow-time | duration | 30 | Include overflow after this time at head of queue |
| profile | string | - | Profile name |
| progress-time | duration | 6 | Progress to next number after this time |
| redirect | boolean | - | Allow calls to be diverted before ringing |
| ring | List of string | - | Numbers to ring |
| source | string | - | Source of data, used in automated config management |
| type | ring-group-type | all | Type of ring when one call in queue |