From 94da23d0cb802f983ecb79d14109e6b23f331c75 Mon Sep 17 00:00:00 2001
From: Krzysztof Klimonda
Date: Wed, 8 Oct 2025 10:36:59 +0200
Subject: [PATCH] feat(specs): Add spec, tests and examples for panos_dos_protection_profile
---
.../panos_dos_protection_profile/resource.tf | 41 +
.../resource_dos_protection_profile_test.go | 726 +++++++++++++++++
specs/device/profiles/dos-protection.yaml | 750 ++++++++++++++++++
3 files changed, 1517 insertions(+)
create mode 100644 assets/terraform/examples/resources/panos_dos_protection_profile/resource.tf
create mode 100644 assets/terraform/test/resource_dos_protection_profile_test.go
create mode 100644 specs/device/profiles/dos-protection.yaml
diff --git a/assets/terraform/examples/resources/panos_dos_protection_profile/resource.tf b/assets/terraform/examples/resources/panos_dos_protection_profile/resource.tf
new file mode 100644
index 00000000..fc671673
--- /dev/null
+++ b/assets/terraform/examples/resources/panos_dos_protection_profile/resource.tf
@@ -0,0 +1,41 @@
+resource "panos_dos_protection_profile" "example" {
+ location = {
+ device_group = {
+ name = "my_device_group"
+ }
+ }
+ name = "example-profile"
+ description = "test description"
+ disable_override = "no"
+ type = "aggregate"
+ resource = {
+ sessions = {
+ enabled = true
+ max_concurrent_limit = 1234
+ }
+ }
+ flood = {
+ icmp = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ tcp_syn = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/assets/terraform/test/resource_dos_protection_profile_test.go b/assets/terraform/test/resource_dos_protection_profile_test.go
new file mode 100644
index 00000000..4245b312
--- /dev/null
+++ b/assets/terraform/test/resource_dos_protection_profile_test.go
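Review bot: The RED thresholds in the `resource.tf` example are digit-run placeholders (`activate_rate = 123`, `alarm_rate = 1234`, `maximal_rate = 123456`, `duration = 12345`), and because `activate_rate` sits below `alarm_rate`, a profile copied from this example would start random early drop at 123 cps, well before the rate at which an alarm is generated. Published examples tend to be applied as written, so either use the defaults declared in the spec added by this same commit (`activate_rate = 10000`, `alarm_rate = 10000`, `maximal_rate = 40000`, `duration = 300`) or add a comment above `flood` such as `# Placeholder thresholds; size these from a measured traffic baseline.` The test templates in `resource_dos_protection_profile_test.go` reuse the same numbers, which is fine there since they only check that values round-trip.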
@@ -0,0 +1,726 @@
+
+package provider_test
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/config"
+ "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/hashicorp/terraform-plugin-testing/knownvalue"
+ "github.com/hashicorp/terraform-plugin-testing/statecheck"
+ "github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+func TestAccDosProtectionProfile_Basic(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_Basic_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("description"),
+ knownvalue.StringExact("test description"),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("disable_override"),
+ knownvalue.StringExact("yes"),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("type"),
+ knownvalue.StringExact("aggregate"),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("resource"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "sessions": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enabled": knownvalue.Bool(true),
+ "max_concurrent_limit": knownvalue.Int64Exact(1234),
+ }),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_Basic_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ description = "test description"
+ disable_override = "yes"
+ type = "aggregate"
+ resource = {
+ sessions = {
+ enabled = true
+ max_concurrent_limit = 1234
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_Classified(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_Classified_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("type"),
+ knownvalue.StringExact("classified"),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_Classified_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ type = "classified"
+}
+`
+
+func TestAccDosProtectionProfile_ResourceSessions(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_ResourceSessions_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("resource"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "sessions": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enabled": knownvalue.Bool(true),
+ "max_concurrent_limit": knownvalue.Int64Exact(1234),
+ }),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_ResourceSessions_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ resource = {
+ sessions = {
+ enabled = true
+ max_concurrent_limit = 1234
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodIcmp(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodIcmp_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "icmp": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "red": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ }),
+ "icmpv6": knownvalue.Null(),
+ "other_ip": knownvalue.Null(),
+ "tcp_syn": knownvalue.Null(),
+ "udp": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodIcmp_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ icmp = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodIcmpv6(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodIcmpv6_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "icmpv6": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "red": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ }),
+ "icmp": knownvalue.Null(),
+ "other_ip": knownvalue.Null(),
+ "tcp_syn": knownvalue.Null(),
+ "udp": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodIcmpv6_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ icmpv6 = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodOtherIp(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodOtherIp_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "other_ip": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "red": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ }),
+ "icmp": knownvalue.Null(),
+ "icmpv6": knownvalue.Null(),
+ "tcp_syn": knownvalue.Null(),
+ "udp": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodOtherIp_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ other_ip = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodUdp(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodUdp_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "udp": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "red": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ }),
+ "icmp": knownvalue.Null(),
+ "icmpv6": knownvalue.Null(),
+ "other_ip": knownvalue.Null(),
+ "tcp_syn": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodUdp_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ udp = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodTcpSyn_Red(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodTcpSyn_Red_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "tcp_syn": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "red": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ "syn_cookies": knownvalue.Null(),
+ }),
+ "icmp": knownvalue.Null(),
+ "icmpv6": knownvalue.Null(),
+ "other_ip": knownvalue.Null(),
+ "udp": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodTcpSyn_Red_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ tcp_syn = {
+ enable = true
+ red = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
+
+func TestAccDosProtectionProfile_FloodTcpSyn_SynCookies(t *testing.T) {
+ t.Parallel()
+
+ nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+ prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+ location := config.ObjectVariable(map[string]config.Variable{
+ "device_group": config.ObjectVariable(map[string]config.Variable{
+ "name": config.StringVariable(prefix),
+ }),
+ })
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV6ProviderFactories: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: dosProtectionProfile_FloodTcpSyn_SynCookies_Tmpl,
+ ConfigVariables: map[string]config.Variable{
+ "prefix": config.StringVariable(prefix),
+ "location": location,
+ },
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("name"),
+ knownvalue.StringExact(prefix),
+ ),
+ statecheck.ExpectKnownValue(
+ "panos_dos_protection_profile.example",
+ tfjsonpath.New("flood"),
+ knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "tcp_syn": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "enable": knownvalue.Bool(true),
+ "syn_cookies": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "activate_rate": knownvalue.Int64Exact(123),
+ "alarm_rate": knownvalue.Int64Exact(1234),
+ "block": knownvalue.ObjectExact(map[string]knownvalue.Check{
+ "duration": knownvalue.Int64Exact(12345),
+ }),
+ "maximal_rate": knownvalue.Int64Exact(123456),
+ }),
+ "red": knownvalue.Null(),
+ }),
+ "icmp": knownvalue.Null(),
+ "icmpv6": knownvalue.Null(),
+ "other_ip": knownvalue.Null(),
+ "udp": knownvalue.Null(),
+ }),
+ ),
+ },
+ },
+ },
+ })
+}
+
+const dosProtectionProfile_FloodTcpSyn_SynCookies_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_device_group" "example" {
+ location = { panorama = {} }
+ name = var.prefix
+}
+
+resource "panos_dos_protection_profile" "example" {
+ depends_on = [panos_device_group.example]
+ location = var.location
+ name = var.prefix
+ flood = {
+ tcp_syn = {
+ enable = true
+ syn_cookies = {
+ activate_rate = 123
+ alarm_rate = 1234
+ block = {
+ duration = 12345
+ }
+ maximal_rate = 123456
+ }
+ }
+ }
+}
+`
diff --git a/specs/device/profiles/dos-protection.yaml b/specs/device/profiles/dos-protection.yaml
new file mode 100644
index 00000000..83d4619f
--- /dev/null
+++ b/specs/device/profiles/dos-protection.yaml
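Review bot: None of the nine acceptance tests in `resource_dos_protection_profile_test.go` exercises a rejected configuration: every `resource.TestCase` has a single successful apply step. The exclusivity of `flood.tcp_syn.red` and `flood.tcp_syn.syn_cookies` (both carry `variant_group_id: 0` in the spec, which I read as mutually exclusive) and the declared min/max bounds are therefore never asserted. For a DoS protection resource, a conflicting or out-of-range threshold that is silently accepted is the failure worth catching, so I would add a negative test whose template sets both variants and asserts with `ExpectError`. The sketch below needs the `regexp` import and the provider's real diagnostic text in place of the placeholder pattern. Separately, the nine functions differ only in template and expected object and could share one helper.

```go
func TestAccDosProtectionProfile_FloodTcpSyn_VariantConflict(t *testing.T) {
	t.Parallel()
	// … unchanged: nameSuffix, prefix and location setup as in the other tests …
	resource.Test(t, resource.TestCase{
		PreCheck:                 func() { testAccPreCheck(t) },
		ProtoV6ProviderFactories: testAccProviders,
		Steps: []resource.TestStep{
			{
				// New template: sets both flood.tcp_syn.red and flood.tcp_syn.syn_cookies.
				Config: dosProtectionProfile_FloodTcpSyn_VariantConflict_Tmpl,
				ConfigVariables: map[string]config.Variable{
					"prefix":   config.StringVariable(prefix),
					"location": location,
				},
				// Placeholder pattern: replace with the diagnostic the provider actually emits.
				ExpectError: regexp.MustCompile(`<EXPECTED_CONFLICT_DIAGNOSTIC>`),
			},
		},
	})
}
```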
@@ -0,0 +1,750 @@
+name: dos-protection-profile
+terraform_provider_config:
+ description: DoS Protection Profile
+ skip_resource: false
+ skip_datasource: false
+ resource_type: entry
+ resource_variants:
+ - singular
+ suffix: dos_protection_profile
+ plural_suffix: ''
+ plural_name: ''
+ plural_description: ''
+go_sdk_config:
+ skip: false
+ package:
+ - device
+ - profiles
+ - dosprotection
+panos_xpath:
+ path:
+ - profiles
+ - dos-protection
+ vars: []
+locations:
+- name: shared
+ xpath:
+ path:
+ - config
+ - shared
+ vars: []
+ description: Panorama shared object
+ devices:
+ - panorama
+ - ngfw
+ validators: []
+ required: false
+ read_only: false
+- name: device-group
+ xpath:
+ path:
+ - config
+ - devices
+ - $panorama_device
+ - device-group
+ - $device_group
+ vars:
+ - name: panorama_device
+ description: Panorama device name
+ required: false
+ default: localhost.localdomain
+ validators: []
+ type: entry
+ - name: device_group
+ description: Device Group name
+ required: true
+ validators:
+ - type: not-values
+ spec:
+ values:
+ - value: shared
+ error: The device group name cannot be "shared". Use the "shared" location
+ instead
+ type: entry
+ description: Located in a specific Device Group
+ devices:
+ - panorama
+ validators: []
+ required: false
+ read_only: false
+entries:
+- name: name
+ description: ''
+ validators: []
+imports: []
+spec:
+ params:
+ - name: description
+ type: string
+ profiles:
+ - xpath:
+ - description
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 255
+ spec: {}
+ description: ''
+ required: false
+ - name: disable-override
+ type: enum
+ profiles:
+ - xpath:
+ - disable-override
+ validators:
+ - type: values
+ spec:
+ values:
+ - 'yes'
+ - 'no'
+ spec:
+ values:
+ - value: 'yes'
+ - value: 'no'
+ description: disable object override in child device groups
+ required: false
+ - name: flood
+ type: object
+ profiles:
+ - xpath:
+ - flood
+ validators: []
+ spec:
+ params:
+ - name: icmp
+ type: object
+ profiles:
+ - xpath:
+ - icmp
+ validators: []
+ spec:
+ params:
+ - name: enable
+ type: bool
+ profiles:
+ - xpath:
+ - enable
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ - name: red
+ type: object
+ profiles:
+ - xpath:
+ - red
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to start RED
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 40000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: Random Early Drop
+ required: false
+ variants: []
+ description: ICMP flood
+ required: false
+ - name: icmpv6
+ type: object
+ profiles:
+ - xpath:
+ - icmpv6
+ validators: []
+ spec:
+ params:
+ - name: enable
+ type: bool
+ profiles:
+ - xpath:
+ - enable
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ - name: red
+ type: object
+ profiles:
+ - xpath:
+ - red
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to start RED
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 40000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: Random Early Drop
+ required: false
+ variants: []
+ description: ICMPv6 flood
+ required: false
+ - name: other-ip
+ type: object
+ profiles:
+ - xpath:
+ - other-ip
+ validators: []
+ spec:
+ params:
+ - name: enable
+ type: bool
+ profiles:
+ - xpath:
+ - enable
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ - name: red
+ type: object
+ profiles:
+ - xpath:
+ - red
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to start RED
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 40000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: Random Early Drop
+ required: false
+ variants: []
+ description: Other IP protocols
+ required: false
+ - name: tcp-syn
+ type: object
+ profiles:
+ - xpath:
+ - tcp-syn
+ validators: []
+ spec:
+ params:
+ - name: enable
+ type: bool
+ profiles:
+ - xpath:
+ - enable
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ variants:
+ - name: red
+ type: object
+ profiles:
+ - xpath:
+ - red
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to start RED
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 40000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: Random Early Drop
+ required: false
+ variant_group_id: 0
+ - name: syn-cookies
+ type: object
+ profiles:
+ - xpath:
+ - syn-cookies
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 0
+ description: Connection rate (cps) to activate SYN cookies proxy
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 1000000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: SYN cookies
+ required: false
+ variant_group_id: 0
+ description: SYN flood
+ required: false
+ - name: udp
+ type: object
+ profiles:
+ - xpath:
+ - udp
+ validators: []
+ spec:
+ params:
+ - name: enable
+ type: bool
+ profiles:
+ - xpath:
+ - enable
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ - name: red
+ type: object
+ profiles:
+ - xpath:
+ - red
+ validators: []
+ spec:
+ params:
+ - name: activate-rate
+ type: int64
+ profiles:
+ - xpath:
+ - activate-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to start RED
+ required: false
+ - name: alarm-rate
+ type: int64
+ profiles:
+ - xpath:
+ - alarm-rate
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 2000000
+ spec:
+ default: 10000
+ description: Connection rate (cps) to generate alarm
+ required: false
+ - name: block
+ type: object
+ profiles:
+ - xpath:
+ - block
+ validators: []
+ spec:
+ params:
+ - name: duration
+ type: int64
+ profiles:
+ - xpath:
+ - duration
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 21600
+ spec:
+ default: 300
+ description: ''
+ required: false
+ variants: []
+ description: Parameters for blocking
+ required: false
+ - name: maximal-rate
+ type: int64
+ profiles:
+ - xpath:
+ - maximal-rate
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 2000000
+ spec:
+ default: 40000
+ description: Maximal connection rate (cps) allowed
+ required: false
+ variants: []
+ description: Random Early Drop
+ required: false
+ variants: []
+ description: UDP flood
+ required: false
+ variants: []
+ description: Flood protection
+ required: false
+ - name: resource
+ type: object
+ profiles:
+ - xpath:
+ - resource
+ validators: []
+ spec:
+ params:
+ - name: sessions
+ type: object
+ profiles:
+ - xpath:
+ - sessions
+ validators: []
+ spec:
+ params:
+ - name: enabled
+ type: bool
+ profiles:
+ - xpath:
+ - enabled
+ validators: []
+ spec: {}
+ description: ''
+ required: false
+ - name: max-concurrent-limit
+ type: int64
+ profiles:
+ - xpath:
+ - max-concurrent-limit
+ validators:
+ - type: length
+ spec:
+ min: 1
+ max: 4194304
+ spec:
+ default: 32768
+ description: ''
+ required: false
+ variants: []
+ description: Parameters to protect excessive sessions
+ required: false
+ variants: []
+ description: Parameters to protect resources
+ required: false
+ - name: type
+ type: enum
+ profiles:
+ - xpath:
+ - type
+ validators:
+ - type: values
+ spec:
+ values:
+ - aggregate
+ - classified
+ spec:
+ values:
+ - value: aggregate
+ - value: classified
+ description: ''
+ required: false
+ variants: []
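Review bot: Several parameters in `dos-protection.yaml` are added with `description: ''`: `type`, `description`, every `enable`, `resource.sessions.enabled`, `max-concurrent-limit` and each `block.duration`. Whatever documentation is generated from this spec (presumably the provider's attribute docs) will therefore give no unit for the block duration and no explanation of `aggregate` versus `classified`. These are the values an operator tunes when setting DoS thresholds, so the text matters. I would fill them in, for example `description: Profile type, either aggregate or classified` and `description: Maximum number of concurrent sessions`, and give `duration` a description that states its unit once confirmed against PAN-OS (the 1-21600 range suggests seconds).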