FireBrick FB9000 V1.61.010 configuration objects

This appendix defines the object definitions used in the FireBrick FB9000 configuration. Copyright © 2008-2022 FireBrick Ltd.

Top level config

The top level config element contains all of the FireBrick configuration data.

config: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| ip | IPAddr | Config store IP address | |
| patch | integer | Internal use, for s/w updates that change config syntax | |
| serial | string | Serial number | |
| timestamp | dateTime | Config store time, set automatically when config is saved | |
| version | string | Code version | |
| who | string | Config store username | |

config: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks |
| cqm | cqm | Optional | Constant Quality Monitoring config |
| eap | eap | Optional, unlimited | User access control via EAP |
| ethernet | ethernet | Optional, unlimited | Ethernet port settings |
| interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets |
| ip-group | ip-group | Optional, unlimited | Named IP groups |
| log | log | Optional, up to 63 | Log target controls |
| loopback | loopback | Optional, unlimited | Extra local addresses |
| nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks |
| port | portdef | Optional, up to 10 | Port grouping and naming |
| route | route | Optional, unlimited | Static routes |
| routing-tables | routing-table | Optional, unlimited | Routing table settings |
| services | services | Optional | General system services |
| system | system | Optional | System settings |
| user | user | Optional, unlimited | Admin users |

System settings

The system settings are the top level attributes of the system which apply globally.

system: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| busy-threshold | unsignedInt | Max non-idle time before damping eth rx (millisec) | 200 |
| comment | string | Comment | |
| contact | string | Contact name | |
| cpu-int-reserved | percentage 0-100 | Min percentage of CPU earmarked for int processing | 95 |
| email | string | Contact email | |
| eth-rx-qsize | unsignedInt | Size of eth driver Rx queue | 256 |
| eth-tx-qsize | unsignedInt | Size of eth driver Tx queue | 512 |
| home-status | boolean | Port status on home page | true |
| intro | string | Home page text | |
| location | string | Location description | |
| log | NMTOKEN | Log system events | Web/console |
| log-config | NMTOKEN | Log config load | Web/Flash/console |
| log-debug | NMTOKEN | Log system debug messages | Not logging |
| log-diagnostic | NMTOKEN | Log system diagnostic messages | Not logging |
| log-error | NMTOKEN | Log system errors | Web/Flash/console |
| log-eth | NMTOKEN | Log Ethernet messages | Web/console |
| log-eth-debug | NMTOKEN | Log Ethernet debug | Not logging |
| log-eth-error | NMTOKEN | Log Ethernet errors | Web/Flash/console |
| log-ppp-dump | ppp-dump | PPP dump format | |
| log-route-nexthop | NMTOKEN | Log next hop changes | Not logged |
| log-stats | NMTOKEN | Log one second stats | Not logging |
| log-support | NMTOKEN | Log support messages (e.g. stack trace). Also works as log-panic, which is deprecated | Web logs |
| log-tcp-debug | NMTOKEN | Log TCP/TLS debug messages | Not logging |
| login-intro | string | Login page text | |
| name | string | System hostname | |
| port-led-brightness | percentage 0-100 | Brightness of LEDs | 50 |
| port-status | boolean | Live port LEDs on status | true |
| pre-reboot-url | string | URL to GET prior to s/w reboot (typically to warn nagios) | |
| soft-watchdog | boolean | Debug - use only if advised; do not use on an unattended FireBrick | false |
| source | string | Source of data, used in automated config management | |
| status-led-colour | Colour | Default status LED colour. Also works as led, which is deprecated | green |
| sw-update | autoloadtype | Load new software automatically | factory |
| sw-update-delay | fb-sw-update-delay 0-30 | Number of days after release to wait before automatically upgrading | 0 |
| table | routetable 0-99 | Routing table number for system functions (s/w updates, etc) | 0 |

system: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| link | link | Optional, unlimited | Intro links |

Web links

Links to other web pages

link: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| level | user-level | Login level required | GUEST |
| name | string | Link name | |
| source | string | Source of data, used in automated config management | |
| text | string | Link text | |
| url | string | Link address | |

Default source IP for services using a given table

Default source IP for traffic originated by this FireBrick

routing-table: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| source-ip | IP46Addr | Default source IP for services | |
| table | routetable 0-99 | Routing table number | Not optional |

Admin users

User names, passwords and abilities for admin users

user: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | Restrict logins to be from specific IP addresses | |
| comment | string | Comment | |
| config | config-access | Config access level | full |
| full-name | string | Full name | |
| level | user-level | Login level | ADMIN |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
| name | username (NMTOKEN) | User name | Not optional |
| otp-seed | OTP | OTP seed (do not edit by hand). Also works as otp, which is deprecated | |
| password | Password | User password | Not optional |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Restrict login to specific routing table | 0 |
| timeout | duration | Login idle timeout (zero to stay logged in, not recommended) | 5:00 |

User access controlled by EAP

Identities, passwords and access methods for access controlled with EAP

eap: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| full-name | string | Full name | |
| methods | Set of eap-method | Allowed methods | Not optional |
| name | string | User or account name | Not optional |
| password | Secret | User password | Not optional |
| source | string | Source of data, used in automated config management | |
| subsystem | eap-subsystem | Access controlled subsystem | Not optional |

Log target controls

Named logging target

log: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| colour | Colour | Colour used in web display | |
| comment | string | Comment | |
| console | boolean | Log immediately to console | |
| flash | boolean | Log immediately to slow flash memory (use with care) | |
| jtag | boolean | Log immediately jtag (development use only) | |
| name | NMTOKEN | Log target name | Not optional |
| source | string | Source of data, used in automated config management | |
| system | boolean | Include system logs on web/cli view | |

log: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| email | log-email | Optional, unlimited | Email settings |
| syslog | log-syslog | Optional, unlimited | Syslog settings |

Syslog logger settings

Logging to a syslog server

log-syslog: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| facility | syslog-facility | Facility setting | LOCAL0 |
| port | unsignedShort | Server port | 514 |
| server | IPNameAddr | Syslog server | Not optional |
| severity | syslog-severity | Severity setting | NOTICE |
| source | string | Source of data, used in automated config management | |
| source-ip | IPAddr | Use specific source IP | |
| system-logs | boolean | Include generic system log messages as well | |
| table | routetable 0-99 | Routing table number for sending syslogs | 0 |

Email logger settings

Logging to email

log-email: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| delay | duration | Delay before sending, since first event to send | 1:00 |
| from | string | Source email address | One made up using serial number |
| hold-off | duration | Delay before sending, since last email | 1:00:00 |
| log | NMTOKEN | Log emailing process | Not logging |
| log-debug | NMTOKEN | Log emailing debug | Not logging |
| log-error | NMTOKEN | Log emailing errors | Not logging |
| port | unsignedShort | Server port | 25 |
| retry | duration | Delay before sending, since failed send | 10:00 |
| server | IPNameAddr | Smart host to use rather than MX | |
| source | string | Source of data, used in automated config management | |
| subject | string | Subject | From first line being logged |
| table | routetable 0-99 | Routing table number for sending email | 0 |
| to | string | Target email address | Not optional |

System services

System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.

services: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| dns | dns-service | Optional | DNS service settings |
| http | http-service | Optional | Web server settings |
| snmp | snmp-service | Optional | SNMP server settings |
| telnet | telnet-service | Optional | Telnet server settings |
| time | time-service | Optional | System time server settings. Also works as ntp, which is deprecated |

Web service settings

Web management pages

http-service: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| access-control-allow-origin | string | Additional HTTP header | |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| certlist | List of NMTOKEN | Certificate(s) to be used for HTTPS sessions | use any suitable |
| comment | string | Comment | |
| content-security-policy | string | Additional HTTP header | |
| css-url | string | Additional CSS for web control pages | |
| https-port | unsignedShort | Service port for HTTPS access | 443 |
| js-url | string | Additional javascript for web control pages (logged in/trusted-ip) | |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-client | NMTOKEN | Log client accesses | Not logging |
| log-client-debug | NMTOKEN | Log client accesses (debug) | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| mode | http-mode | Security mode | http+https |
| port | unsignedShort | Service port for HTTP access | 80 |
| referrer-policy | string | Additional HTTP header | no-referrer |
| self-sign | boolean | Create self signed certificate for HTTPS when necessary | true |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |
| trusted | List of IPNameRange | List of allowed IP ranges from which additional access to certain functions is available | |
| x-content-type-options | string | Additional HTTP header | nosniff |
| x-frame-options | string | Additional HTTP header | SAMEORIGIN |
| x-xss-protection | string | Additional HTTP header | 1; mode=block |

DNS service settings

DNS forwarding resolver service

dns-service: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| auto-dhcp | boolean | Forward and reverse DNS for names in DHCP using this domain | |
| auto-dhcp-new | string | Name to use for last new DHCP allocation (since last reboot) | |
| caching | boolean | Cache relayed DNS entries locally | true |
| comment | string | Comment | |
| domain | string | Our domain | |
| fallback | boolean | For incoming requests, if no server in required table, relay to any DNS available | true |
| fallback-table | routetable 0-99 | For incoming requests, if no server in requesting table, relay to any DNS available in this table | Don't fallback |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| log-interface | List of NMTOKEN | Only do normal log for specific interface(s) | All interfaces |
| resolvers | List of IPAddr | Recursive DNS resolvers to use | |
| resolvers-table | routetable 0-99 | Routing table for specified resolvers | as table / 0 |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

dns-service: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| block | dns-block | Optional, unlimited | Fixed local DNS host blocks |
| host | dns-host | Optional, unlimited | Fixed local DNS host entries |

Fixed local DNS host settings

DNS forwarding resolver service

dns-host: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| ip | List of IPAddr | IP addresses to serve (or our IP if omitted) | Our IP |
| name | List of string | Host names (can use * as a part of a domain) | Not optional |
| restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
| restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
| reverse | boolean | Map reverse DNS as well | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table applicable | any |
| ttl | unsignedInt | Time to live | 60 |

Fixed local DNS blocks

DNS forwarding resolver service

dns-block: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| name | List of string | Host names (can use * as a part of a domain) | Not optional |
| restrict-interface | List of NMTOKEN | Only apply on certain interface(s) | |
| restrict-to | List of IPNameRange | List of IP ranges to which this is served. Also works as restrict, which is deprecated | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table applicable | any |
| ttl | unsignedInt | Time to live | 60 |

Telnet service settings

Telnet control interface

telnet-service: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| port | unsignedShort | Service port | 23 |
| prompt | string | Prompt | system name |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

SNMP service settings

The SNMP service has general service settings and also specific attributes for SNMP, such as community.

snmp-service: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| community | Secret | Community string | public |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | false |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| port | unsignedShort | Service port | 161 |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |

System time server settings

The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time). The defaults are those that apply to the EU.

time-service: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | Allow from anywhere |
| comment | string | Comment | |
| legacy-timeserver | boolean | Serve legacy TIME service on UDP port 37 | true |
| local-only | boolean | Restrict access to locally connected Ethernet subnets only | true |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| maxpoll | duration | NTP maximum poll rate | 1024 |
| minpoll | duration | NTP minimum poll rate | 64 |
| ntp-control-allow | List of IPNameRange | List of IP ranges from which control (ntpq) requests can be accessed | Allow from anywhere |
| ntp-control-local-only | boolean | Restrict control (ntpq) access to locally connected Ethernet subnets only | true |
| ntp-control-table | routetable 0-99 | Routing table number for incoming control (ntpq) requests | All |
| ntp-peer-table | routetable 0-99 | Routing table number used for outgoing ntp peer requests | 0 |
| ntp-servers | List of IPNameAddr | List of NTP time servers (IP or hostname) from which time may be synchronized and served by ntp (Null list disables NTP). Also works as ntpserver, which is deprecated | ntp.firebrick.ltd.uk |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number for access to service | All |
| tz1-name | string | Timezone 1 name | GMT |
| tz1-offset | duration | Timezone 1 offset from UTC | 0 |
| tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25 |
| tz12-day | day | Timezone 1 to 2 day of week of change | Sun |
| tz12-month | month | Timezone 1 to 2 month | Mar |
| tz12-time | time | Timezone 1 to 2 local time of change | 01:00:00 |
| tz2-name | string | Timezone 2 name | BST |
| tz2-offset | duration | Timezone 2 offset from UTC | 1:00:00 |
| tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25 |
| tz21-day | day | Timezone 2 to 1 day of week of change | Sun |
| tz21-month | month | Timezone 2 to 1 month | Oct |
| tz21-time | time | Timezone 2 to 1 local time of change | 02:00:00 |
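
An added example (not FireBrick's own code): a Python audit that applies the defaults listed in the user and service tables above to a config and reports settings that leave management access broad. It assumes the config is the XML document this appendix describes; the sample config is constructed, and the way `allow` and `local-only` combine is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration only; not from a real device.
SAMPLE_CONFIG = """\
<config>
  <user name="admin" password="PLACEHOLDER" timeout="0"/>
  <user name="ops" password="PLACEHOLDER" allow="192.0.2.0/24"/>
  <services>
    <http mode="http+https" local-only="false"/>
    <telnet/>
    <snmp/>
    <time/>
  </services>
</config>
"""

# Defaults copied from the attribute tables on this page.
DEFAULTS = {
    "user": {"local-only": "false", "timeout": "5:00"},
    "http": {"local-only": "true", "mode": "http+https"},
    "telnet": {"local-only": "true"},
    "snmp": {"local-only": "false", "community": "public"},
    "dns": {"local-only": "true"},
    "time": {"local-only": "true"},
}
SERVICES = ("http", "telnet", "snmp", "dns", "time")
PLAIN_HTTP_MODES = ("http-only", "http+https")


def local(tag):
    """Strip an XML namespace prefix such as '{uri}user' down to 'user'."""
    return tag.rsplit("}", 1)[-1]


def effective(elem, attr):
    """Value of attr on elem, falling back to the documented default."""
    return elem.get(attr, DEFAULTS[local(elem.tag)].get(attr))


def duration_seconds(text):
    """Parse the 'duration' basic type, [[HH:]MM:]SS, into seconds."""
    total = 0
    for part in text.split(":"):
        total = total * 60 + int(part)
    return total


def unrestricted(elem):
    """Assumption of this example: an object is reachable from anywhere
    when it has no allow list and local-only is not 'true'."""
    return elem.get("allow") is None and effective(elem, "local-only") != "true"


def audit_service(svc):
    """Findings for one child of <services>; presence means it is active."""
    name = local(svc.tag)
    if name not in SERVICES:
        return []
    out = []
    if name == "telnet":
        out.append((name, "telnet-enabled"))
    if name == "snmp" and effective(svc, "community") == "public":
        out.append((name, "snmp-default-community"))
    if name == "http" and effective(svc, "mode") in PLAIN_HTTP_MODES:
        out.append((name, "plain-http-allowed"))
    if unrestricted(svc):
        out.append((name, "no-source-restriction"))
    return out


def audit(xml_text):
    """Return a list of (where, finding) tuples for one config document."""
    findings = []
    for child in ET.fromstring(xml_text):
        kind = local(child.tag)
        if kind == "user":
            where = "user[%s]" % child.get("name")
            if duration_seconds(effective(child, "timeout")) == 0:
                findings.append((where, "idle-timeout-disabled"))
            if unrestricted(child):
                findings.append((where, "no-source-restriction"))
        elif kind == "services":
            for svc in child:
                findings.extend(audit_service(svc))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print("%-12s %s" % (where, finding))
```

An empty `<snmp/>` element is enough to produce two findings, because the documented defaults are community `public` and `local-only` false.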

Physical port controls

Physical port attributes

ethernet: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| autoneg | boolean | Perform link auto-negotiation | true |
| clocking | LinkClock | Gigabit clock setting | prefer-slave |
| flow | LinkFlow | Flow control setting | none |
| lacp | boolean | Send LACP packets | Auto |
| left-led-colour | Colour | Override left (RX) LED colour | Green(1G)/Magenta(10G) |
| port | port | Physical port | Not optional |
| right-led-colour | Colour | Override right (TX) LED colour | Yellow(1G)/Cyan(10G) |
| send-fault | LinkFault | Send fault status | |
| shutdown | boolean | Power down this port | false |

Port grouping and naming

Port grouping and naming

portdef: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| name | NMTOKEN | Name | Not optional |
| ports | Set of port | Physical port(s) | Not optional |
| source | string | Source of data, used in automated config management | |
| trunk | trunk-mode | Trunk ports | l2-hash |

Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

interface: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| allow-6in4 | boolean | Handle 6in4 (protocol 41) packets | false |
| comment | string | Comment | |
| graph | graphname (token) | Graph name | |
| link | NMTOKEN | Interface to which this is linked at layer 2 | |
| log | NMTOKEN | Log events | Not logging |
| log-debug | NMTOKEN | Log debug | Not logging |
| log-dhcp | NMTOKEN | Log DHCP events not related to a pool | Not logging |
| log-error | NMTOKEN | Log errors | Log as event |
| mtu | mtu 576-2000 | MTU for this interface | 1500 |
| name | NMTOKEN | Name | |
| pd | boolean | Available for IPv6 prefix delegation | If not WAN and not ra-client and no ra subnets |
| ping | IPAddr | Ping address to add loss/latency to graph for interface | |
| port | NMTOKEN | Port group name | Not optional |
| ra-client | boolean | Accept IPv6 RA and create auto config subnets and routes | If WAN set |
| restrict-mac | boolean | Use only one MAC on this interface | |
| source | string | Source of data, used in automated config management | |
| source-filter | sfoption | Source filter traffic received via this interface | |
| source-filter-table | routetable 0-99 | Routing table to use for source filtering checks | interface table |
| table | routetable 0-99 | Routing table applicable | 0 |
| vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
| wan | boolean | Do not consider this interface 'local' for 'local-only' checks | |

interface: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| dhcp | dhcps | Optional, unlimited | DHCP server settings |
| subnet | subnet | Optional, unlimited | IP subnet on the interface |
| vrrp | vrrp | Optional, unlimited | VRRP settings |

Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

subnet: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| accept-dns | boolean | Accept DNS servers specified by DHCP | true |
| arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
| broadcast | boolean | If broadcast address allowed | false |
| comment | string | Comment | |
| dhcp-class | string | DHCP client option 60 (Class) | FB-type |
| dhcp-client-id | string | DHCP client option 61 (Client-Identifier) | MAC |
| gateway | List of IPAddr | One or more gateways to install | |
| ip | List of IPSubnet | One or more IP/len | Automatic by DHCP |
| localpref | unsignedInt | Localpref for subnet (highest wins) | 4294967295 |
| mtu | mtu 576-2000 | MTU for subnet | As interface |
| name | string | Name | |
| proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false |
| ra | ramode | If to announce IPv6 RA for this subnet | false |
| ra-autonomous | boolean | RA 'A' (autonomous) flag | If managed not set |
| ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements | Our IP |
| ra-dnssl | List of string | List of DNS search domains in route announcements | |
| ra-managed | boolean | RA 'M' (managed) flag | |
| ra-max | ra-max 4-1800 | Max RA send interval | 600 |
| ra-min | ra-min 3-1350 | Min RA send interval | ra-max/3 |
| ra-mtu | unsignedShort | MTU to use on RA | As subnet |
| ra-onlink | boolean | RA 'L' (onlink) flag | true |
| ra-other | boolean | RA 'O' (other) flag | |
| simple-dhcpv6 | boolean | Simple DHCPv6 (fixed addresses) | |
| source | string | Source of data, used in automated config management | |
| test | IPAddr | Test link state using ARP/ND for this IP | |
| ttl | unsignedByte | TTL for originating traffic via subnet | 64 |

VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Use different VRID on different VLANs.

vrrp: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true |
| comment | string | Comment | |
| delay | unsignedInt | Delay after routing established before priority returns to normal | 60 |
| interval | unsignedShort | Transit interval (centiseconds) | 100 |
| ip | List of IPAddr | One or more IP addresses to announce | Not optional |
| log | NMTOKEN | Log events | Not logging |
| log-error | NMTOKEN | Log errors | log as event |
| low-priority | unsignedByte | Lower priority applicable until routing established | 1 |
| name | NMTOKEN | Name | |
| preempt | boolean | Whether pre-empt allowed | true |
| priority | unsignedByte | Normal priority | 100 |
| source | string | Source of data, used in automated config management | |
| use-vmac | boolean | Whether to use the special VMAC or use normal MAC | true |
| version3 | boolean | Use only version 3 | v2 for IPv4, v3 for IPv6 |
| vrid | unsignedByte | VRID | 42 |

DHCP server settings

Settings for DHCP server

dhcps: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| boot | IP4Addr | Next/boot server | |
| boot-file | string | Boot filename | |
| broadcast | boolean | Broadcast replies even if not requested | |
| circuit | string | Agent info circuit match | |
| class | string | Vendor class match | |
| client-name | string | Client name match | |
| comment | string | Comment | |
| dns | List of IP4Addr | DNS resolvers | Our IP |
| domain | string | DNS domain | From system settings |
| domain-search | string | DNS domain search list (list will be truncated to fit one attribute) | |
| force | boolean | Send all options even if not requested | |
| gateway | IP4Subnet | Gateway | Our IP |
| ip | List of IP4Range | Address pool | 0.0.0.0/0 |
| lease | duration | Lease length | 2:00:00 |
| log | NMTOKEN | Log events | Not logging |
| log-decline | NMTOKEN | Log events (declined) | Not logging |
| log-move | NMTOKEN | Log events (moved) | Not logging |
| log-new | NMTOKEN | Log events (new) | Not logging |
| log-release | NMTOKEN | Log events (released) | Not logging |
| log-renew | NMTOKEN | Log events (renewed) | Not logging |
| log-reuse | NMTOKEN | Log events (reused) | Not logging |
| mac | List of up to 12 macprefix (hexBinary) | Partial or full client hardware (MAC) addresses (or client-id MAC if specified) | |
| mac-local | boolean | Match only local or non local MAC addresses | |
| name | string | Name | |
| ntp | List of IP4Addr | NTP server | Our IP |
| source | string | Source of data, used in automated config management | |
| syslog | List of IP4Addr | Syslog server | |
| time | List of IP4Addr | Time server | Our IP |

dhcps: Elements
| Element | Type | Instances | Description |
|---|---|---|---|
| send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
| send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
| send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
| send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |

DHCP server attributes (hex)

Additional DHCP server attributes (hex)

dhcp-attr-hex: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | hexBinary | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (string)

Additional DHCP server attributes (string)

dhcp-attr-string: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | string | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

dhcp-attr-number: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | unsignedInt | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

DHCP server attributes (IP)

Additional DHCP server attributes (IP)

dhcp-attr-ip: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| force | boolean | Send even if not requested | |
| id | unsignedByte | Attribute type code/tag | Not optional |
| name | string | Name | |
| value | IP4Addr | Value | Not optional |
| vendor | boolean | Add as vendor specific option (under option 43) | |

Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

route: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| gateway | List of IPAddr | One or more target gateway IPs | Not optional |
| graph | graphname (token) | Graph name | |
| ip | List of IPPrefix | One or more network prefixes | Not optional |
| localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
| name | string | Name | |
| source | string | Source of data, used in automated config management | |
| speed | unsignedInt | Egress rate limit (b/s) | |
| table | routetable 0-99 | Routing table number | 0 |

Dead end networks

Networks that go nowhere

blackhole: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| ip | List of IPPrefix | One or more network prefixes | Not optional |
| localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
| name | string | Name | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number | 0 |

Locally originated networks

Loopback addresses define local IP addresses

loopback: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| ip | List of IPAddr | One or more local network addresses | Not optional |
| localpref | unsignedInt | Localpref of network (highest wins) | 4294967295 |
| name | string | Name | |
| source | string | Source of data, used in automated config management | |
| table | routetable 0-99 | Routing table number | 0 |

Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.

cqm: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| auto-refresh-list | boolean | Auto refresh graph list pages (for trusted IPs) | true |
| ave | Colour | Colour for average latency | #08f |
| axis | Colour | Axis colour | black |
| background | Colour | Background colour | white |
| bottom | unsignedByte | Pixels space at bottom of graph | 11 |
| dateformat | string | Date format | %Y-%m-%d |
| dayformat | string | Day format | %a |
| fail | Colour | Colour for failed (dropped) seconds | red |
| fail-level | unsignedInt | Fail level not expected on low usage | 1 |
| fail-level1 | unsignedByte | Loss level 1 | 3 |
| fail-level2 | unsignedByte | Loss level 2 | 50 |
| fail-score | unsignedByte | Score for fail and low usage | 200 |
| fail-score1 | unsignedByte | Score for on/above level 1 | 100 |
| fail-score2 | unsignedByte | Score for on/above level 2 | 200 |
| fail-usage | unsignedInt | Usage below which fail is not expected | 128000 |
| fblogo | Colour | Colour for logo | #bd1220 |
| graticule | Colour | Graticule colour | grey |
| heading | string | Heading of graph | |
| hourformat | string | Hour format | %H |
| key | unsignedByte | Pixels space for key | 90 |
| label-ave | string | Label for average latency | Ave |
| label-fail | string | Label for seconds (%) failed | %Fail |
| label-latency | string | Label for latency | Latency |
| label-max | string | Label for maximum latency | Max |
| label-min | string | Label for minimum latency | Min |
| label-off | string | Label for off line seconds | Off |
| label-period | string | Label for period | Period |
| label-poll | string | Label for polls | Polls |
| label-rej | string | Label for rejected seconds | %Reject |
| label-rx | string | Label for Rx traffic level | Rx |
| label-score | string | Label for score | Score |
| label-sent | string | Label for seconds polled | Sent |
| label-time | string | Label for time | Time |
| label-traffic | string | Label for traffic level | Traffic (bit/s) |
| label-tx | string | Label for Tx traffic level | Tx |
| latency-level | unsignedInt | Latency level not expected on low usage | 100000000 |
| latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000 |
| latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000 |
| latency-score | unsignedByte | Score for high latency and low usage | 200 |
| latency-score1 | unsignedByte | Score for on/above level 1 | 10 |
| latency-score2 | unsignedByte | Score for on/above level 2 | 20 |
| latency-usage | unsignedInt | Usage below which latency is not expected | 128000 |
| left | unsignedByte | Pixels space left of main graph | 0 |
| log | NMTOKEN | Log events | Not logging |
| marker-width | string | Stroke width for marker (+) on tx/rx (e.g. 4) | |
| max | Colour | Colour for maximum latency | green |
| min | Colour | Colour for minimum latency | #008 |
| ms-max | positiveInteger | ms max height | 500 |
| off | Colour | Colour for off line seconds | #c8f |
| outside | Colour | Colour for outer border | transparent |
| rej | Colour | Colour for off line seconds | #f8c |
| right | unsignedByte | Pixels space right of main graph | 50 |
| rx | Colour | Colour for Rx traffic level | #800 |
| secret | Secret | Secret for SHA1 coded URLs | |
| sent | Colour | Colour for polled seconds | #ff8 |
| stroke-width | string | Stroke line for tx/rx | 4 if no marker |
| subheading | string | Subheading of graph | |
| svg-css | string | URL for SVG CSS instead of local style settings | |
| svg-title | boolean | Include mouseover title text on svg | |
| text | Colour | Colour for text | black |
| text1 | string | Text line 1 | |
| text2 | string | Text line 2 | |
| text3 | string | Text line 3 | |
| text4 | string | Text line 4 | |
| timeformat | string | Time format | %Y-%m-%d %H:%M:%S |
| top | unsignedByte | Pixels space at top of graph | 4 |
| tx | Colour | Colour for Tx traffic level | #080 |

IP Group

Named IP group

ip-group: Attributes
| Attribute | Type | Description | Default |
|---|---|---|---|
| comment | string | Comment | |
| ip | List of IPRange | One or more IP ranges or IP/len | |
| name | string | Name | Not optional |
| source | string | Source of data, used in automated config management | |
| users | List of NMTOKEN | Include IP of (time limited) logged in web users | |

User login level

User login level - commands available are restricted according to assigned level.

| Tag | Description |
|---|---|
| NOBODY | Unknown or not logged in user |
| GUEST | Guest user |
| USER | Normal unprivileged user |
| ADMIN | System administrator |
| DEBUG | System debugger |

PPP dump format

| Tag | Description |
|---|---|
| default | Mixed hex/decode |
| decoded | Decoded only |
| decoded+raw | Decoded + raw |
| raw | Raw hex |

Type of s/w auto load

| Tag | Description |
|---|---|
| false | Do not auto load |
| factory | Load factory releases |
| beta | Load beta test releases |
| alpha | Load test releases |

Type of access user has to config

| Tag | Description |
|---|---|
| none | No access unless explicitly listed |
| view | View only access (no passwords) |
| read | Read only access (with passwords) |
| demo | Full view and edit access but can only test config, not save |
| test | Full view and edit access but must test save config first |
| full | Full view and edit access |

Subsystem with EAP access control

| Tag | Description |
|---|---|
| IPsec | IPsec/IKEv2 VPN |

EAP access method

| Tag | Description |
|---|---|
| MD5 | MD5 Challenge |
| MSChapV2 | MS Challenge |

Syslog severity

Log severity - different loggable events log at different levels.

| Tag | Description |
|---|---|
| EMERG | System is unstable |
| ALERT | Action must be taken immediately |
| CRIT | Critical conditions |
| ERR | Error conditions |
| WARNING | Warning conditions |
| NOTICE | Normal but significant events |
| INFO | Informational |
| DEBUG | Debug level messages |
| NO-LOGGING | No logging |

Syslog facility

Syslog facility, usually used to control which log file the syslog is written to.

| Tag | Description |
|---|---|
| KERN | Kernel messages |
| USER | User level messages |
| MAIL | Mail system |
| DAEMON | System Daemons |
| AUTH | Security/auth |
| SYSLOG | Internal to syslogd |
| LPR | Printer |
| NEWS | News |
| UUCP | UUCP |
| CRON | Cron daemon |
| AUTHPRIV | private security/auth |
| FTP | File transfer |
| 12 | Unused |
| 13 | Unused |
| 14 | Unused |
| 15 | Unused |
| LOCAL0 | Local 0 |
| LOCAL1 | Local 1 |
| LOCAL2 | Local 2 |
| LOCAL3 | Local 3 |
| LOCAL4 | Local 4 |
| LOCAL5 | Local 5 |
| LOCAL6 | Local 6 |
| LOCAL7 | Local 7 |

HTTP/HTTPS security mode

| Tag | Description |
|---|---|
| http-only | No HTTPS access |
| http+https | Both HTTP and HTTPS access |
| https-only | No HTTP access |
| redirect-to-https | HTTP accesses are redirected to use HTTPS |
| redirect-to-https-except-trusted | HTTP accesses are redirected to use HTTPS (except trusted IPs) |

Month name (3 letter)

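| Tag | Description |
|---|---|
| Jan | January |
| Feb | February |
| Mar | March |
| Apr | April |
| May | May |
| Jun | June |
| Jul | July |
| Aug | August |
| Sep | September |
| Oct | October |
| Nov | November |
| Dec | December |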

Day name (3 letter)

| Tag | Description |
|---|---|
| Sun | Sunday |
| Mon | Monday |
| Tue | Tuesday |
| Wed | Wednesday |
| Thu | Thursday |
| Fri | Friday |
| Sat | Saturday |

Physical port

| Tag | Description |
|---|---|
| 0 | Port 0 (not valid) (deprecated) |
| 1 | Port 1 |
| 2 | Port 2 |
| 3 | Port 3 |
| 4 | Port 4 |
| 5 | Port 5 |
| 6 | Port 6 |
| 7 | Port 7 |
| 8 | Port 8 |
| 9 | Port 9 |
| 10 | Port 10 |

Physical port flow control setting

| Tag | Description |
|---|---|
| none | No flow control |
| symmetric | Can support two-way flow control |
| send-pauses | Can send pauses but does not support pause reception |
| any | Can receive pauses and may send pauses if required |

Physical port Gigabit clock master/slave setting

| Tag | Description |
|---|---|
| prefer-master | Master status negotiated; preference for master |
| prefer-slave | Master status negotiated; preference for slave |
| force-master | Master status forced |
| force-slave | Slave status forced |

Link fault type to send

| Tag | Description |
|---|---|
| false | No fault |
| true | Send fault |
| off-line | Send offline fault (1G) |
| ane | Send ANE fault (1G) |

Trunk port mode

| Tag | Description |
|---|---|
| false | Not trunking |
| random | Random trunking |
| l2-hash | L2 hashed trunking |
| l23-hash | L2 and L3 hashed trunking |
| l3-hash | L3 hashed trunking |

IPv6 route announce level

IPv6 route announcement mode and level

| Tag | Description |
|---|---|
| false | Do not announce |
| low | Announce as low priority |
| medium | Announce as medium priority |
| high | Announce as high priority |
| true | Announce as default (medium) priority |

Source filter option

| Tag | Description |
|---|---|
| false | No source filter checks |
| blackhole | Check replies blackholed |
| nowhere | Check replies valid |
| self | Check replies valid and not self |
| true | Check replies down same port/vlan |

Basic types

| Type | Description |
|---|---|
| string | text string |
| token | text string |
| hexBinary | hex coded binary data |
| integer | integer (-2147483648-2147483647) |
| positiveInteger | positive integer (1-4294967295) |
| unsignedInt | unsigned integer (0-4294967295) |
| unsignedShort | unsigned short integer (0-65535) |
| unsignedByte | unsigned byte integer (0-255) |
| boolean | Boolean |
| dateTime | YYYY-MM-DDTHH:MM:SS date/time |
| time | HH:MM:SS time |
| NMTOKEN | String with no spaces |
| void | Internal use |
| IPAddr | IP address |
| IPNameAddr | IP address or name |
| IP4Addr | IPv4 address |
| IP6Addr | IPv6 address |
| IP46Addr | IPv4 + IPv6 address |
| IPPrefix | IP address / bitlen |
| IPRange | IP address / bitlen or range |
| IPNameRange | IP address / bitlen or range or name |
| IP4Range | IPv4 address / bitlen or range |
| IP4Prefix | IPv4 address / bitlen |
| IPSubnet | IP address / bitlen |
| IP4Subnet | IPv4 address / bitlen |
| IPFilter | Route filter |
| Password | Password |
| OTP | OTP |
| Community | xxx:xxx community |
| PortRange | xxx-xxx port range |
| Colour | #rgb #rrggbb #rgba #rrggbbaa colour |
| Secret | Secret/passphrase |
| duration | Period [[HH:]MM:]SS |
| fb-sw-update-delay | [unsignedByte] Number of days to delay upgrade by (0-30) |
| percentage | [unsignedByte] Percentage (0 .. 100) (0-100) |
| routetable | [unsignedByte] Route table number (0-99) |
| username | [NMTOKEN] Login name |
| ipnamerangelist | [IPNameRange] List of IPranges or ip groups |
| nmtokenlist | [NMTOKEN] List of NMTOKEN |
| stringlist | [string] List of strings |
| iplist | [IPAddr] List of IP addresses |
| ipnamelist | [IPNameAddr] List of IP addresses or domain names |
| datenum | [unsignedByte] Day number in month (1-31) |
| subnetlist | [IPSubnet] List of subnets |
| ra-max | [unsignedShort] Route announcement max interval (seconds) (4-1800) |
| ra-min | [unsignedShort] Route announcement min interval (seconds) (3-1350) |
| ip6list | [IP6Addr] List of IPv6 addresses |
| mtu | [unsignedShort] Max transmission unit (576-2000) |
| vlan | [unsignedShort] VLAN ID (0=untagged) (0-4095) |
| ip4rangelist | [IP4Range] List of IP4ranges |
| macprefixlist | [macprefix] List of strings |
| macprefix | [hexBinary] MAC prefix |
| ip4list | [IP4Addr] List of IPv4 addresses |
| graphname | [token] Graph name |
| prefixlist | [IPPrefix] List of IP Prefixes |
| iprangelist | [IPRange] List of IPranges |
| userlist | [username] List of user names |
| prefix4list | [IP4Prefix] List of IPv4 Prefixes |
| filterlist | [IPFilter] List of IP Prefix filters |
| communitylist | [Community] List of BGP communities |
| portlist | [PortRange] List of protocol port ranges |
| protolist | [unsignedByte] List of IP protocols |
| unsignedIntList | [unsignedInt] List of integers |
| routetableset | [routetable] Set of routetables |
| aslist | [unsignedIntList] List of AS numbers |
| vlan-nz | [unsignedShort] VLAN ID (1-4095) |
| dates | [datenum] Set of dates |
| cug | [unsignedShort] CUG ID (1-32767) |
| tun-id | [unsignedShort] Local tunnel ID (1-100) |
| ses-id | [unsignedShort] Local session ID (1-500) |
| hostname | [NMTOKEN] Host name |
| sip-error | [unsignedShort] SIP error code (400-699) |
| shaper-limit | [unsignedShort] Shaper limit (ms) (0-1000) |