a10_ddos_protection
Synopsis
DDOS protection
Parameters
| Parameters | Choices/Defaults | Comment |
|---|---|---|
| state str/required | ['noop', 'present', 'absent'] | State of the object to be created. |
| ansible_host str/required | | Host for AXAPI authentication |
| ansible_username str/required | | Username for AXAPI authentication |
| ansible_password str/required | | Password for AXAPI authentication |
| ansible_port int/required | | Port for AXAPI authentication |
| a10_device_context_id int | ['1-8'] | Device ID for aVCS configuration |
| a10_partition str | | Destination/target partition for object/command |
| toggle str | | 'enable'= enable; 'disable'= disable; |
| rate_interval str | | '100ms'= 100ms; '1sec'= 1sec; |
| src_hash_function str | | 'v1'= v1; 'v2'= v2; |
| src_ip_hash_bit int | | Configure which bit hashed on |
| src_ipv6_hash_bit int | | Configure which bit hashed on |
| force_routing_on_transp bool | | Force use of routing in transparent mode |
| disable_on_reboot bool | | Disable DDoS protection upon reboot/reload |
| rexmit_syn_log bool | | Enable ddos per flow rexmit syn exceeded log |
| use_route bool | | Use route table, default use receive hop for device initiated traffic |
| enable_now bool | | Override disable-on-reboot to enable runtime DDOS protection |
| disable_advanced_core_analysis bool | | Disable advanced context info in coredump file |
| mpls bool | | Enable MPLS packet inspection |
| disable_delay_dynamic_src_learning bool | | Disable delay dynamic src entry learning |
| fast_aging dict | | Field fast_aging |
| half_open_conn_ratio int | | Minimum half-open session to total session ratio before session fast aging will take effect (default 25) |
| half_open_conn_threshold int | | Minimum half-open session (percentage) before session fast aging will take effect (default 1) |
| src_dst_entry_limit str | | '8M'= 8 Million; '16M'= 16 Million; 'unlimited'= Unlimited; 'platform-default'= Half of platform maximum; |
| src_zone_port_entry_limit str | | '8M'= 8 Million; '16M'= 16 Million; 'unlimited'= Unlimited; 'platform-default'= Half of platform maximum; |
| szp_clist_warn_threshold int | | Set threshold percentage of 'max-src-dst-entry' for generating warning logs. Including start and end. |
| szp_warn_threshold int | | Set threshold percentage of 'max-src-dst-entry' for generating warning logs. Including start and end. |
| szp_warn_exceed_enable bool | | Send logs if src-zone-port count exceeds 'max-src-dst-entry' |
| force_traffic_to_same_blade_disable bool | | Allow traffic to be distributed among blades on Chassis |
| non_zero_win_size_syncookie bool | | Send syn-cookie with fix TCP window size if SYN packet has zero window size (default disabled) |
| hw_blocking_enable bool | | Enable hardware blacklist blocking for src or dst default entries (default disabled) |
| hw_blocking_threshold_limit int | | Threshold to initiate hardware blocking (default 10000) |
| progression_tracking str | | 'enable'= enable; 'disable'= disable; |
| disallow_rst_ack_in_syn_auth bool | | Disallow RST-ACK passing syn-auth |
| fast_path_disable bool | | Disable fast path in SLB processing |
| close_sess_for_unauth_src_without_rst bool | | When closing unauthenticated sessions, don't send TCP RST for established TCP sessions. (Default disabled / sending TCP RST for |
| vxlan_outbound_check str | | 'enable'= enable; 'disable'= disable; |
| blacklist_reason_tracking bool | | Enable blacklist reason tracking |
| uuid str | | uuid of the object |
| ipv6_src_hash_mask_bits dict | | Field ipv6_src_hash_mask_bits |
| mask_bit_offset_1 int | | Configure mask bits |
| mask_bit_offset_2 int | | Configure mask bits |
| mask_bit_offset_3 int | | Configure mask bits |
| mask_bit_offset_4 int | | Configure mask bits |
| mask_bit_offset_5 int | | Configure mask bits |
| uuid str | | uuid of the object |
| multi_pu_zone_distribution dict | | Field multi_pu_zone_distribution |
| distribution_method str | | 'cpu-usage'= Entry/Zone distribution based on CPU usage percentage; 'traffic-rate'= Entry/Zone distribution based on traffic kbit/pkt rate (Default); |
| cpu_threshold_per_entry int | | Entry/zone percentage threshold of CPU usage for source hash mode. Requires distribution-method cpu-usage. Default=60 |
| cpu_threshold_per_pu int | | Per PU percentage threshold of average CPU usage to start check entry usage. Requires distribution-method cpu-usage. Default=80 |
| rate_pkt_threshold int | | DDOS DST Entry/Zone packet rate threshold for source hash mode |
| rate_kbit_threshold int | | DDOS DST Entry/Zone kbit rate threshold for source hash mode |
| uuid str | | uuid of the object |
| per_service_szp_entry_limit dict | | Field per_service_szp_entry_limit |
| dns_tcp_limit int | | Szp limit for port / port-range dns-tcp |
| dns_udp_limit int | | Szp limit for port / port-range dns-udp |
| http_limit int | | Szp limit for port / port-range http |
| tcp_limit int | | Szp limit for port / port-range tcp |
| udp_limit int | | Szp limit for port / port-range udp |
| ssl_l4_limit int | | Szp limit for port / port-range ssl-l4 |
| sip_udp_limit int | | Szp limit for port / port-range sip-udp |
| sip_tcp_limit int | | Szp limit for port / port-range sip-tcp |
| quic_limit int | | Szp limit for port / port-range quic |
| ip_proto_icmp_v4_limit int | | Szp limit for ip-proto icmp-v4 |
| ip_proto_icmp_v6_limit int | | Szp limit for ip-proto icmp-v6 |
| ip_proto_other_limit int | | Szp limit for ip-proto other |
| ip_proto_gre_limit int | | Szp limit for ip-proto gre |
| ip_proto_ipv4_encap_limit int | | Szp limit for ip-proto ipv4-encap |
| ip_proto_ipv6_encap_limit int | | Szp limit for ip-proto ipv6-encap |
| ip_proto_custom_limit int | | Szp limit for custom ip-proto |
| uuid str | | uuid of the object |
| oper dict | | Field oper |
| ddos_protection str | | Field ddos_protection |
| rate_interval str | | Field rate_interval |
| mode str | | Field mode |
| use_route str | | Field use_route |
| tap_interfaces str | | Field tap_interfaces |
| dst_auto_learning_ipv4 str | | Field dst_auto_learning_ipv4 |
| dst_auto_learning_ipv6 str | | Field dst_auto_learning_ipv6 |
| src_auto_learning_ipv4 str | | Field src_auto_learning_ipv4 |
| src_auto_learning_ipv6 str | | Field src_auto_learning_ipv6 |
| src_delay_learning str | | Field src_delay_learning |
| one_arm_mode str | | Field one_arm_mode |
| hw_syn_cookie str | | Field hw_syn_cookie |
| sync str | | Field sync |
| sync_auto_wl str | | Field sync_auto_wl |
| bgp str | | Field bgp |
| bgp_auto_wl str | | Field bgp_auto_wl |
| vrrp str | | Field vrrp |
| vrrp_auto_wl str | | Field vrrp_auto_wl |
| mpls_pkt_inspect str | | Field mpls_pkt_inspect |
| detection str | | Field detection |
| ddet_mode str | | Field ddet_mode |
| ddet_cpus int | | Field ddet_cpus |
| dst_dynamic_overflow_ipv4 str | | Field dst_dynamic_overflow_ipv4 |
| dst_dynamic_overflow_ipv6 str | | Field dst_dynamic_overflow_ipv6 |
| src_dynamic_overflow_ipv4 str | | Field src_dynamic_overflow_ipv4 |
| src_dynamic_overflow_ipv6 str | | Field src_dynamic_overflow_ipv6 |
| ip_ano_sec_l3 str | | Field ip_ano_sec_l3 |
| ip_ano_sec_l4_tcp str | | Field ip_ano_sec_l4_tcp |
| ip_ano_sec_l4_udp str | | Field ip_ano_sec_l4_udp |
| ip_ano_def_l3 str | | Field ip_ano_def_l3 |
| ip_ano_def_l4 str | | Field ip_ano_def_l4 |
| dns_cache_mode str | | Field dns_cache_mode |
| warm_up str | | Field warm_up |
| dns_zone_transfer_dedicated_cpus int | | Field dns_zone_transfer_dedicated_cpus |
| src_dst_entry_limit str | | Field src_dst_entry_limit |
| src_zone_port_entry_limit str | | Field src_zone_port_entry_limit |
| src_zone_port_entry_overflow_warning str | | Field src_zone_port_entry_overflow_warning |
| src_zone_port_entry_warning_threshold int | | Field src_zone_port_entry_warning_threshold |
| src_zone_port_entry_clist_warning_threshold int | | Field src_zone_port_entry_clist_warning_threshold |
| interblade_sync_accuracy str | | Field interblade_sync_accuracy |
| pattern_recognition str | | Field pattern_recognition |
| pattern_recognition_cpus int | | Field pattern_recognition_cpus |
| pattern_recognition_hardware_filter str | | Field pattern_recognition_hardware_filter |
| detection_window_size int | | Field detection_window_size |
| disallow_rst_ack_in_syn_auth str | | Field disallow_rst_ack_in_syn_auth |
| non_zero_win_size_syncookie str | | Field non_zero_win_size_syncookie |
| hw_blocking str | | Field hw_blocking |
| hw_blocking_threshold int | | Field hw_blocking_threshold |
| interface_http_health_check str | | Field interface_http_health_check |
| ipv6_src_hash_mask_bits dict | | Field ipv6_src_hash_mask_bits |
Examples
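The playbook below is an added example, not taken from the module's own documentation: it enables DDoS protection using parameters from the table above while keeping the AXAPI password in an Ansible Vault file rather than in the playbook. The variable names, the vault file path, the management address, port 443, and the nesting of the two half-open fields under `fast_aging` are assumptions.

```yaml
# Added example (not from the module's documentation).
# Hypothetical names: a10_mgmt_host, a10_admin_user, vault_a10_password, vault/a10.yml.
- name: Enable global DDoS protection on an A10 device
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    a10_mgmt_host: 192.0.2.10        # constructed documentation address
    a10_admin_user: ddos-automation  # constructed account name
  vars_files:
    - vault/a10.yml                  # assumed Ansible Vault file defining vault_a10_password
  tasks:
    - name: Turn protection on and keep it on across reboot/reload
      a10_ddos_protection:           # short name as on this page; prefix your collection namespace if needed
        state: present
        ansible_host: "{{ a10_mgmt_host }}"
        ansible_username: "{{ a10_admin_user }}"
        ansible_password: "{{ vault_a10_password }}"  # never a literal in the playbook
        ansible_port: 443            # assumed HTTPS AXAPI port
        toggle: enable
        rate_interval: 100ms
        disable_on_reboot: false     # do not come back up unprotected after a reload
        rexmit_syn_log: true         # log flows that exceed the retransmitted-SYN limit
        fast_aging:                  # assumed nesting; values are the documented defaults
          half_open_conn_ratio: 25
          half_open_conn_threshold: 1
      register: ddos_result

    - name: Report only the settings that changed
      ansible.builtin.debug:
        var: ddos_result.modified_values  # avoids dumping axapi_calls request/response bodies into job logs
```

Running the play with `ansible-playbook --check` first reports the potential changes in `modified_values`, as described under Return Values.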
Return Values
- modified_values (changed, dict)
  Values modified (or potential changes if using check_mode) as a result of task operation
- axapi_calls (always, list)
  Sequential list of AXAPI calls made by the task
  - endpoint (str, ['/axapi/v3/slb/virtual_server', '/axapi/v3/file/ssl-cert'])
    The AXAPI endpoint being accessed.
  - http_method (str, ['POST', 'GET'])
    HTTP method being used by the primary task to interact with the AXAPI endpoint.
  - request_body (complex)
    Params used to query the AXAPI
  - response_body (complex)
    Response from the AXAPI
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by community.