a10_ddos_zone_template_tcp
Synopsis
TCP template Configuration
Parameters
Parameters |
Choices/Defaults |
Comment |
|
|---|---|---|---|
state str/required |
[‘noop’, ‘present’, ‘absent’] |
State of the object to be created. |
|
ansible_host str/required |
Host for AXAPI authentication |
||
ansible_username str/required |
Username for AXAPI authentication |
||
ansible_password str/required |
Password for AXAPI authentication |
||
ansible_port int/required |
Port for AXAPI authentication |
||
a10_device_context_id int |
[‘1-8’] |
Device ID for aVCS configuration |
|
a10_partition str |
Destination/target partition for object/command |
||
name str/required |
Field name |
||
age int |
Session age in minutes |
||
concurrent bool |
Enable concurrent port access for non-matching ports (DST support only) |
||
syn_cookie bool |
Enable SYN Cookie |
||
create_conn_on_syn_only bool |
Enable connection establishment on SYN only |
||
filter_match_type str |
‘default’= Stop matching on drop/blacklist action; ‘stop-on-first-match’= Stop matching on first match; |
||
out_of_seq_cfg dict |
Field out_of_seq_cfg |
||
out_of_seq int |
Take action if out-of-seq pkts exceed configured threshold |
||
out_of_seq_action_list_name str |
Configure action-list to take for out-of-seq exceed |
||
out_of_seq_action str |
‘drop’= Drop packets for out-of-seq exceed (Default); ‘blacklist-src’= help Blacklist-src for out-of-seq exceed; ‘ignore’= help Ignore out-of-seq exceed; |
||
per_conn_out_of_seq_rate_cfg dict |
Field per_conn_out_of_seq_rate_cfg |
||
per_conn_out_of_seq_rate_limit int |
Take action if out-of-seq pkt rate exceed configured threshold |
||
per_conn_out_of_seq_rate_action_list_name str |
Configure action-list to take for out-of-seq rate exceed |
||
per_conn_out_of_seq_rate_action str |
‘drop’= Drop packets for out-of-seq rate exceed (Default); ‘blacklist-src’= help Blacklist-src for out-of-seq rate exceed; ‘ignore’= help Ignore out-of-seq rate exceed; |
||
max_rexmit_syn_per_flow_cfg dict |
Field max_rexmit_syn_per_flow_cfg |
||
max_rexmit_syn_per_flow int |
Maximum number of re-transmit SYN per flow |
||
max_rexmit_syn_per_flow_action_list_name str |
Configure action-list to take for max-rexmit-syn-per-flow exceed |
||
max_rexmit_syn_per_flow_action str |
‘drop’= Drop SYN packets for max-rexmit-syn-per-flow exceed (Default); ‘blacklist-src’= help Blacklist-src for max-rexmit-syn-per-flow exceed; |
||
retransmit_cfg dict |
Field retransmit_cfg |
||
retransmit int |
Take action if retransmit pkts exceed configured threshold |
||
retransmit_action_list_name str |
Configure action-list to take for retransmit exceed |
||
retransmit_action str |
‘drop’= Drop packets for retrans exceed (Default); ‘blacklist-src’= help Blacklist-src for retrans exceed; ‘ignore’= help Ignore retrans exceed; |
||
per_conn_retransmit_rate_cfg dict |
Field per_conn_retransmit_rate_cfg |
||
per_conn_retransmit_rate_limit int |
Take action if retransmit pkt rate exceed configured threshold |
||
per_conn_retransmit_rate_action_list_name str |
Configure action-list to take for retransmit rate exceed |
||
per_conn_retransmit_rate_action str |
‘drop’= Drop packets for retrans rate exceed (Default); ‘blacklist-src’= help Blacklist-src for retrans rate exceed; ‘ignore’= help Ignore retrans rate exceed; |
||
zero_win_cfg dict |
Field zero_win_cfg |
||
zero_win int |
Take action if zero window pkts exceed configured threshold |
||
zero_win_action_list_name str |
Configure action-list to take for zero window exceed |
||
zero_win_action str |
‘drop’= Drop packets for zero-win exceed (Default); ‘blacklist-src’= help Blacklist-src for zero-win exceed; ‘ignore’= Ignore zero-win exceed; |
||
per_conn_zero_win_rate_cfg dict |
Field per_conn_zero_win_rate_cfg |
||
per_conn_zero_win_rate_limit int |
Take action if zero window pkt rate exceed configured threshold |
||
per_conn_zero_win_rate_action_list_name str |
Configure action-list to take for zero window rate exceed |
||
per_conn_zero_win_rate_action str |
‘drop’= Drop packets for zero-win rate exceed (Default); ‘blacklist-src’= help Blacklist-src for zero-win rate exceed; ‘ignore’= Ignore zero-win rate exceed; |
||
per_conn_pkt_rate_cfg dict |
Field per_conn_pkt_rate_cfg |
||
per_conn_pkt_rate_limit int |
Packet rate limit per connection per rate-interval |
||
per_conn_pkt_rate_action_list_name str |
Configure action-list to take for per-conn-pkt-rate exceed |
||
per_conn_pkt_rate_action str |
‘drop’= Drop packets for per-conn-pkt-rate exceed (Default); ‘blacklist-src’= help Blacklist-src for per-conn-pkt-rate exceed; ‘ignore’= Ignore per-conn-pkt- rate-exceed; |
||
per_conn_rate_interval str |
‘100ms’= 100ms; ‘1sec’= 1sec; ’10sec’= 10sec; |
||
dst dict |
Field dst |
||
rate_limit dict |
Field rate_limit |
||
src dict |
Field src |
||
rate_limit dict |
Field rate_limit |
||
allow_synack_skip_authentications bool |
Allow create sessions on SYNACK without syn-auth and ack-auth (ASYM Mode only) |
||
synack_rate_limit int |
Config SYNACK rate limit |
||
track_together_with_syn bool |
SYNACK will be counted in Dst Syn-rate limit |
||
allow_syn_otherflags bool |
Treat TCP SYN+PSH as a TCP SYN (DST tcp ports support only) |
||
allow_tcp_tfo bool |
Allow TCP Fast Open |
||
conn_rate_limit_on_syn_only bool |
Only count SYN-initiated connections towards connection-rate tracking |
||
action_on_syn_rto_retry_count int |
Take action if syn-auth RTO-authentication fail over retry time(default=5) |
||
action_on_ack_rto_retry_count int |
Take action if ack-auth RTO-authentication fail over retry time(default=5) |
||
ack_authentication_synack_reset bool |
Reset client TCP SYN+ACK for authentication (DST support only) |
||
known_resp_src_port_cfg dict |
Field known_resp_src_port_cfg |
||
known_resp_src_port bool |
Take action if src-port is less than 1024 |
||
known_resp_src_port_action_list_name str |
Configure action-list to take for well-known src-port |
||
known_resp_src_port_action str |
‘drop’= Drop packets from well-known src-port(Default); ‘blacklist-src’= Blacklist-src from well-known src-port; ‘ignore’= Ignore well-known src-port; |
||
exclude_src_resp_port bool |
Exclude src port equal to dst port |
||
syn_authentication dict |
Field syn_authentication |
||
syn_auth_type str |
‘send-rst’= Send reset to all concurrent client auth attempts after syn cookie check pass; ‘force-rst-by-ack’= Send client a bad ack after syn cookie check pass; ‘force-rst-by-synack’= Send client a bad synack after syn cookie check pass; ‘send-rst-once’= Send RST to one client concurrent auth attempts; |
||
syn_auth_timeout int |
syn retransmit timeout in seconds(default timeout= 5 seconds) |
||
syn_auth_min_delay int |
Minimum delay (in 100ms intervals) between SYN retransmits for retransmit-check to pass |
||
syn_auth_rto bool |
Estimate the RTO and apply the exponential back-off for authentication |
||
syn_auth_pass_action_list_name str |
Configure action-list to take for passing the authentication |
||
syn_auth_pass_action str |
‘authenticate-src’= authenticate-src (Default); |
||
syn_auth_fail_action_list_name str |
Configure action-list to take for failing the authentication. |
||
syn_auth_fail_action str |
‘drop’= Drop packets (Default); ‘blacklist-src’= Blacklist-src; ‘reset’= Send reset to client (Applicable to retransmit-check only); |
||
allow_ra bool |
Allow RA packets to be used for auth |
||
ack_authentication dict |
Field ack_authentication |
||
ack_auth_timeout int |
ack retransmit timeout in seconds(default timeout= 5 seconds) |
||
ack_auth_min_delay int |
Minimum delay (in 100ms intervals) between ACK retransmits for retransmit-check to pass |
||
ack_auth_only bool |
Apply retransmit-check only once per source address for authentication purpose |
||
ack_auth_rto bool |
Estimate the RTO and apply the exponential back-off for authentication |
||
ack_auth_pass_action_list_name str |
Configure action-list to take for passing the authentication |
||
ack_auth_pass_action str |
‘authenticate-src’= authenticate-src (Default); |
||
ack_auth_fail_action_list_name str |
Configure action-list to take for failing the authentication. |
||
ack_auth_fail_action str |
‘drop’= Drop packets (Default); ‘blacklist-src’= Blacklist-src; ‘reset’= Send reset to client; |
||
uuid str |
uuid of the object |
||
user_tag str |
Customized tag |
||
progression_tracking dict |
Field progression_tracking |
||
progression_tracking_enabled str |
‘enable-check’= Enable Progression Tracking Check; |
||
request_response_model str |
‘enable’= Enable Request Response Model; ‘disable’= Disable Request Response Model; |
||
violation int |
Set the violation threshold |
||
ignore_TLS_handshake bool |
Ignore TLS handshake |
||
response_length_max int |
Set the maximum response length |
||
response_length_min int |
Set the minimum response length |
||
request_length_min int |
Set the minimum request length |
||
request_length_max int |
Set the maximum request length |
||
response_request_min_ratio int |
Set the minimum response to request ratio (in unit of 0.1% [1=1000]) |
||
response_request_max_ratio int |
Set the maximum response to request ratio (in unit of 0.1% [1=1000]) |
||
first_request_max_time int |
Set the maximum wait time from connection creation until the first data is transmitted over the connection (100 ms) |
||
request_to_response_max_time int |
Set the maximum request to response time (100 ms) |
||
response_to_request_max_time int |
Set the maximum response to request time (100 ms) |
||
profiling_request_response_model bool |
Enable auto-config progression tracking learning for Request Response model |
||
profiling_connection_life_model bool |
Enable auto-config progression tracking learning for connection model |
||
profiling_time_window_model bool |
Enable auto-config progression tracking learning for time window model |
||
progression_tracking_action_list_name str |
Configure action-list to take when progression tracking violation exceed |
||
progression_tracking_action str |
‘drop’= Drop packets for progression tracking violation exceed (Default); ‘blacklist-src’= Blacklist-src for progression tracking violation exceed; |
||
uuid str |
uuid of the object |
||
connection_tracking dict |
Field connection_tracking |
||
time_window_tracking dict |
Field time_window_tracking |
||
filter_list list |
Field filter_list |
||
tcp_filter_name str |
Field tcp_filter_name |
||
tcp_filter_seq int |
Sequence number |
||
tcp_filter_regex str |
Regex Expression |
||
tcp_filter_inverse_match bool |
Inverse the result of the matching |
||
byte_offset_filter str |
Filter using Berkeley Packet Filter syntax |
||
tcp_filter_action_list_name str |
Configure action-list to take |
||
tcp_filter_action str |
‘drop’= Drop packets (Default); ‘ignore’= Take no action; ‘blacklist-src’= Blacklist-src; ‘authenticate-src’= Authenticate-src; |
||
uuid str |
uuid of the object |
||
user_tag str |
Customized tag |
||
Examples
Return Values
- modified_values (changed, dict, )
Values modified (or potential changes if using check_mode) as a result of task operation
- axapi_calls (always, list, )
Sequential list of AXAPI calls made by the task
- endpoint (, str, [‘/axapi/v3/slb/virtual_server’, ‘/axapi/v3/file/ssl-cert’])
The AXAPI endpoint being accessed.
- http_method (, str, [‘POST’, ‘GET’])
HTTP method being used by the primary task to interact with the AXAPI endpoint.
- request_body (, complex, )
Params used to query the AXAPI
- response_body (, complex, )
Response from the AXAPI
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by community.