{ "id":"/axapi/v3/ddos/template/tcp/{name}", "type":"object", "node-type":"list", "title":"tcp", "description":"TCP template Configuration", "properties":{ "name":{ "type":"string", "format":"string-rlx", "minLength":1, "maxLength":63, "optional":false }, "action-cfg":{ "type":"object", "properties":{ "action-on-ack":{ "type":"number", "format":"flag", "default":0, "description":"Monitor tcp ack for age-out session" }, "reset":{ "type":"number", "format":"flag", "default":0, "description":"Send RST to client" }, "timeout":{ "type":"number", "format":"number", "minimum":1, "maximum":31, "description":"ACK retry timeout in sec" }, "min-retry-gap":{ "type":"number", "format":"number", "minimum":1, "maximum":80, "description":"Min gap between 2 ACKs for action-on-ack pass in 100ms interval" }, "authenticate-only":{ "type":"number", "format":"flag", "default":0, "description":"Apply action-on-ack once per source address for authentication purpose" }, "rto-authentication":{ "type":"number", "format":"flag", "default":0, "description":"Estimate the RTO and apply the exponential back-off for authentication" } } }, "action-on-syn-rto-retry-count":{ "type":"number", "format":"number", "minimum":2, "maximum":10, "description":"Take action if action-on-syn RTO-authentication fail over retry time(default:5)", "optional":true }, "action-on-ack-rto-retry-count":{ "type":"number", "format":"number", "minimum":2, "maximum":10, "description":"Take action if action-on-ack RTO-authentication fail over retry time(default:5)", "optional":true }, "age":{ "type":"number", "format":"number", "minimum":1, "maximum":63, "description":"Session age in minutes", "optional":true }, "syn-cookie":{ "type":"number", "format":"flag", "default":0, "description":"Enable SYN Cookie", "optional":true }, "create-conn-on-syn-only":{ "type":"number", "format":"flag", "default":0, "description":"Enable connection establishment on SYN only", "optional":true }, "black-list-out-of-seq":{ "type":"number", 
"format":"number", "minimum":1, "maximum":64000, "not":"per-conn-out-of-seq-rate-limit", "description":"Blacklist source IP if out-of-sequence packets exceed the configured threshold", "optional":true }, "black-list-retransmit":{ "type":"number", "format":"number", "minimum":1, "maximum":64000, "not":"per-conn-retransmit-rate-limit", "description":"Blacklist source IP if retransmitted packets exceed the configured threshold", "optional":true }, "black-list-zero-win":{ "type":"number", "format":"number", "minimum":1, "maximum":250, "not":"per-conn-zero-win-rate-limit", "description":"Blacklist source IP if zero-window packets exceed the configured threshold", "optional":true }, "syn-auth":{ "type":"string", "format":"enum", "default":"send-rst", "description":"'send-rst': Send RST to client upon client ACK; 'force-rst-by-ack': Force client RST via the use of ACK; 'force-rst-by-synack': Force client RST via the use of bad SYN|ACK; 'disable': Disable TCP SYN Authentication; 'send-rst-all': Send RST to client for all auth attempts; ", "enum":[ "send-rst", "force-rst-by-ack", "force-rst-by-synack", "disable", "send-rst-all" ], "optional":true }, "conn-rate-limit-on-syn-only":{ "type":"number", "format":"flag", "default":0, "description":"Only count SYN-initiated connections towards connection-rate tracking", "optional":true }, "per-conn-rate-interval":{ "type":"string", "format":"enum", "default":"1sec", "description":"'100ms': 100ms; '1sec': 1sec; '10sec': 10sec; ", "enum":[ "100ms", "1sec", "10sec" ], "optional":true }, "per-conn-pkt-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000, "description":"Packet rate limit per connection per rate-interval", "optional":true }, "per-conn-pkt-rate-action":{ "type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for per-conn-pkt-rate exceed (Default); 'blacklist-src': Blacklist-src for per-conn-pkt-rate exceed; 'ignore': Ignore per-conn-pkt-rate-exceed; ", "enum":[ "drop", "blacklist-src", 
"ignore" ], "optional":true }, "per-conn-out-of-seq-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000, "not":"black-list-out-of-seq", "description":"Take action if out-of-seq pkt rate exceeds the configured threshold", "optional":true }, "per-conn-out-of-seq-rate-action":{ "type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for out-of-seq rate exceed (Default); 'blacklist-src': Blacklist-src for out-of-seq rate exceed; 'ignore': Ignore out-of-seq rate exceed; ", "enum":[ "drop", "blacklist-src", "ignore" ], "optional":true }, "per-conn-retransmit-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000, "not":"black-list-retransmit", "description":"Take action if retransmit pkt rate exceeds the configured threshold", "optional":true }, "per-conn-retransmit-rate-action":{ "type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for retransmit rate exceed (Default); 'blacklist-src': Blacklist-src for retransmit rate exceed; 'ignore': Ignore retransmit rate exceed; ", "enum":[ "drop", "blacklist-src", "ignore" ], "optional":true }, "per-conn-zero-win-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000, "not":"black-list-zero-win", "description":"Take action if zero window pkt rate exceeds the configured threshold", "optional":true }, "per-conn-zero-win-rate-action":{ "type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for zero-win rate exceed (Default); 'blacklist-src': Blacklist-src for zero-win rate exceed; 'ignore': Ignore zero-win rate exceed; ", "enum":[ "drop", "blacklist-src", "ignore" ], "optional":true }, "dst":{ "type":"object", "properties":{ "rate-limit":{ "type":"object", "properties":{ "syn-rate-limit":{ "type":"object", "properties":{ "dst-syn-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000 }, "dst-syn-rate-action":{ 
"type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for syn-rate exceed (Default); 'ignore': Ignore syn-rate-exceed; ", "enum":[ "drop", "ignore" ] } } } } } } }, "src":{ "type":"object", "properties":{ "rate-limit":{ "type":"object", "properties":{ "syn-rate-limit":{ "type":"object", "properties":{ "src-syn-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000 }, "src-syn-rate-action":{ "type":"string", "format":"enum", "default":"drop", "description":"'drop': Drop packets for syn-rate exceed (Default); 'blacklist-src': Blacklist-src for syn-rate exceed; 'ignore': Ignore syn-rate-exceed; ", "enum":[ "drop", "blacklist-src", "ignore" ] } } } } } } }, "allow-synack-skip-authentications":{ "type":"number", "format":"flag", "default":0, "description":"Allow create sessions on SYNACK without syn-auth and ack-auth (ASYM Mode only)", "optional":true }, "synack-rate-limit":{ "type":"number", "format":"number", "minimum":1, "maximum":16000000, "not":"track-together-with-syn", "description":"Config SYNACK rate limit", "optional":true }, "track-together-with-syn":{ "type":"number", "format":"flag", "default":0, "not":"synack-rate-limit", "description":"SYNACK will be counted in Dst Syn-rate limit", "optional":true }, "action-syn-cfg":{ "type":"object", "properties":{ "action-on-syn":{ "type":"number", "format":"flag", "default":0, "description":"Monitor tcp syn for age-out session" }, "action-on-syn-reset":{ "type":"number", "format":"flag", "default":0, "description":"Send RST to client" }, "action-on-syn-timeout":{ "type":"number", "format":"number", "minimum":1, "maximum":31, "description":"SYN retry timeout in sec" }, "action-on-syn-gap":{ "type":"number", "format":"number", "minimum":1, "maximum":80, "description":"Min gap between 2 SYNs for action-on-syn pass in 100ms interval" }, "action-on-syn-rto":{ "type":"number", "format":"flag", "default":0, "description":"Estimate the RTO and apply the exponential 
back-off for authentication" } } }, "allow-syn-otherflags":{ "type":"number", "format":"flag", "default":0, "description":"Treat TCP SYN+PSH as a TCP SYN (DST tcp ports support only)", "optional":true }, "allow-tcp-tfo":{ "type":"number", "format":"flag", "default":0, "description":"Allow TCP Fast Open", "optional":true }, "ack-authentication-synack-reset":{ "type":"number", "format":"flag", "plat-neg-list":["soft-ax"], "default":0, "description":"Enable Reset client TCP SYN+ACK for authentication (DST support only)", "optional":true }, "drop-known-resp-src-port-cfg":{ "type":"object", "properties":{ "drop-known-resp-src-port":{ "type":"number", "format":"flag", "default":0, "description":"Drop well-known if src-port is less than 1024" }, "exclude-src-resp-port":{ "type":"number", "format":"flag", "default":0, "description":"excluding src port equal destination port" } } }, "tunnel-encap":{ "type":"object", "properties":{ "ip-cfg":{ "type":"object", "properties":{ "ip-encap":{ "type":"number", "format":"flag", "default":0, "description":"Enable Tunnel encapsulation using IP in IP" }, "always":{ "type":"object", "properties":{ "ipv4-addr":{ "type":"string", "format":"ipv4-address", "description":"IPv4 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)" }, "preserve-src-ipv4":{ "type":"number", "format":"flag", "default":0, "description":"Use original source ip for encapsulation" }, "ipv6-addr":{ "type":"string", "format":"ipv6-address", "description":"IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)" }, "preserve-src-ipv6":{ "type":"number", "format":"flag", "default":0, "description":"Use original source ip for encapsulation" } } } } }, "gre-cfg":{ "type":"object", "properties":{ "gre-encap":{ "type":"number", "format":"flag", "default":0, "description":"Enable Tunnel encapsulation using GRE" }, "gre-always":{ "type":"object", "properties":{ "gre-ipv4":{ "type":"string", "format":"ipv4-address", "description":"IPv4 address (IPv6-over-IPv4 
/ IPv4-over-IPv6 are not supported.)" }, "key-ipv4":{ "type":"string", "format":"string", "minLength":1, "maxLength":10, "description":"Encapsulate with key (Hexadecimal 0x0-0xFFFFFFFF,decimal 0-4294967295)" }, "preserve-src-ipv4-gre":{ "type":"number", "format":"flag", "default":0, "description":"Use original source ip for encapsulation" }, "gre-ipv6":{ "type":"string", "format":"ipv6-address", "description":"IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)" }, "key-ipv6":{ "type":"string", "format":"string", "minLength":1, "maxLength":10, "description":"Encapsulate with key (Hexadecimal 0x0-0xFFFFFFFF,decimal 0-4294967295)" }, "preserve-src-ipv6-gre":{ "type":"number", "format":"flag", "default":0, "description":"Use original source ip for encapsulation" } } } } } } }, "uuid":{ "type":"string", "format":"string", "minLength":1, "maxLength":64, "modify-not-allowed":1, "description":"uuid of the object", "optional":true }, "user-tag":{ "type":"string", "format":"string-rlx", "minLength":1, "maxLength":127, "description":"Customized tag", "optional":true }, "filter-list":{ "type":"array", "minItems":1, "items":{ "type":"filter" }, "uniqueItems":true, "$ref":"/axapi/v3/ddos/template/tcp/{name}/filter/{tcp-filter-seq}", "array":[ { "properties":{ "tcp-filter-seq":{ "type":"number", "format":"number", "minimum":1, "maximum":5, "description":"Sequence number", "optional":false }, "tcp-filter-regex":{ "type":"string", "format":"string-rlx", "minLength":1, "maxLength":1275, "description":"Regex Expression", "optional":true }, "byte-offset-filter":{ "type":"string", "format":"string-rlx", "minLength":1, "maxLength":1275, "description":"Filter Expression using Berkeley Packet Filter syntax", "optional":true }, "tcp-filter-unmatched":{ "type":"number", "format":"flag", "default":0, "description":"action taken when it does not match", "optional":true }, "tcp-filter-action":{ "type":"string", "format":"enum", "description":"'blacklist-src': Also blacklist the 
source when action is taken; 'whitelist-src': Whitelist the source after filter passes, packets are dropped until then; 'count-only': Take no action and continue processing the next filter; ", "enum":[ "blacklist-src", "whitelist-src", "count-only" ], "optional":true }, "uuid":{ "type":"string", "format":"string", "minLength":1, "maxLength":64, "modify-not-allowed":1, "description":"uuid of the object", "optional":true }, "user-tag":{ "type":"string", "format":"string-rlx", "minLength":1, "maxLength":127, "description":"Customized tag", "optional":true } }, "required":[ "tcp-filter-seq" ] } ] } }, "object-keys":[ "name" ], "required":[ "name" ] }