Handle UTD parse chain ambiguity for IOS CLI NED

Philip Petty
Cisco Employee

The cisco-ios CLI NED package doesn't currently support the Unified Threat Defense (UTD) feature so I have been trying to add it myself (locally) to get a better understanding of NSO/YANG.

Below is a snippet of the UTD CLI:

utd engine standard
 threat-inspection
  policy security
  threat inspection
utd
 engine standard
  fail close

The problem I am having is that I cannot figure out how to handle both "utd engine standard" and "utd\n engine standard", where 'utd' is the global-utd submode and 'utd engine standard' is another submode. A follow-up problem is that "standard" can also be "advanced", and my understanding is that these values need to be containers, not leaves, as only containers can add submodes.

Appreciate your help with this.

Below are the diffs of the changes I have made so far to add UTD and OpenDNS support. Here I have tried to add a hidden container for the utd-global config, but this isn't working as expected when syncing the config from a device into NSO; only the 'utd engine standard' config is correctly parsed. Please feel free to give me feedback on this:

phpetty@phpetty-ubuntu:~/nso-run/packages/cisco-ios/src$ diff -pW5 ~/packages/tmp/cisco-ios/src/yang/tailf-ned-cisco-ios.yang ~/nso-run/packages/cisco-ios/src/yang/tailf-ned-cisco-ios.yang

*** /home/phpetty/packages/tmp/cisco-ios/src/yang/tailf-ned-cisco-ios.yang      2017-06-23 19:47:43.000000000 +1000

--- /home/phpetty/nso-run/packages/cisco-ios/src/yang/tailf-ned-cisco-ios.yang  2017-07-17 09:56:38.005728828 +1000

*************** module tailf-ned-cisco-ios {

*** 14647,14652 ****

--- 14647,14678 ----

        }

      }

+     // interface * / umbrella [ in <TAG> | out ]

+     container umbrella {

+       tailf:info "Umbrella interface commands";

+       leaf out {

+         tailf:info "Umbrella Out direction";

+         tailf:cli-full-command;

+         type empty;

+       }

+       leaf in {

+         tailf:info "Umbrella In direction";

+         tailf:cli-full-command;

+         type string {

+           tailf:info "WORD;;Umbrella interface tag";

+         }

+       }

+     }

+

+     // interface * / utd enable

+     container utd {

+       tailf:info "UTD support on this interface";

+       leaf enable {

+         tailf:info "Enable threat defense on this interface";

+         type empty;

+       }

+     }

+

      // interface * / zone-member security

      container zone-member {

        tailf:info "Apply zone name";
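Review bot: the interface-level `leaf enable` under `container utd` omits `tailf:cli-full-command`, while the sibling `umbrella` leaves `out` and `in` in the same hunk both carry it; add the annotation to `enable` so the three new interface commands are modelled the same way.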

*************** module tailf-ned-cisco-ios {

*** 30641,30646 ****

--- 30667,30732 ----

      }

    }

+   grouping parameter-map-umbrella-global-grouping {

+

+     leaf dnscrypt {

+       tailf:info "Enable DNSCrypt";

+       type empty;

+     }

+

+     leaf local-domain {

+       tailf:info "Local domain processing";

+       tailf:cli-diff-dependency "../../../regex";

+

+       type string {

+         tailf:info "WORD;;Regex parameter-map name";

+       }

+     }

+

+     leaf public-key {

+       tailf:info "DNSCrypt provider public key";

+

+       type string {

+         tailf:info "WORD;;Provider public key";

+       }

+     }

+

+     container resolver {

+       tailf:info "Anycast address";

+

+       leaf ipv4 {

+         tailf:info "IPv4 anycast address";

+

+         type inet:ipv4-address {

+           tailf:info "A.B.C.D;;IPv4 address";

+         }

+       }

+       leaf ivp6 {

+         tailf:info "IPv6 anycast address";

+

+         type inet:ipv6-address{

+           tailf:info "X:X:X:X::X;;IPv6 address";

+         }

+       }

+     }

+

+     leaf token {

+       tailf:info "Config umbrella token";

+

+       type string {

+         tailf:info "WORD;;Token value";

+       }

+     }

+

+     leaf udp-timeout {

+       tailf:info "Config timeout value for UDP sessions";

+

+       type uint8 {

+        tailf:info "Timeout value in seconds";

+        range 1..30;

+       }

+     }

+   }

    // qos map dscp * to cos

    // qos map dscp * to tx-queue
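Review bot: `leaf ivp6` under `container resolver` is misspelled; the leaf name is the keyword the CLI rendering will parse and emit, so this models `ivp6` rather than the `ipv6` keyword its own `tailf:info "IPv6 anycast address"` describes. Rename it to `leaf ipv6`. Minor: `type inet:ipv6-address{` is missing the space before the brace used everywhere else in the file.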

*************** module tailf-ned-cisco-ios {

*** 73536,73541 ****

--- 73622,73638 ----

            }

          }

        }

+

+       container umbrella {

+         tailf:info "Umbrella mode";

+

+         container global {

+           tailf:info "umbrella global parameter-map";

+           tailf:cli-add-mode;

+           tailf:cli-mode-name "config-profile";

+           uses parameter-map-umbrella-global-grouping;

+         }

+       }

      }

    }

*************** module tailf-ned-cisco-ios {

*** 77295,77300 ****

--- 77392,77756 ----

        }

      }

    }

+

+   /// ========================================================================

+   /// utd

+   /// ========================================================================

+

+   container utd {

+     tailf:info "Global Unified Threat Defense";

+

+     container utd-global {

+       tailf:cli-add-mode;

+       tailf:cli-mode-name "config-utd";

+       tailf:cli-drop-node-name;

+

+       leaf all-interfaces {

+         tailf:info "Enable intrusion inspection on all supported interfaces";

+         tailf:cli-full-command;

+         type empty;

+       }

+

+       container engine {

+         tailf:info "Select UTD engine mode to run";

+

+         container advanced {

+           tailf:info "Intrusion inspection advanced mode";

+           tailf:cli-add-mode;

+           tailf:cli-mode-name "config-engine-adv";

+           tailf:cli-full-command;

+

+           leaf rate {

+             tailf:info "Specify the pps rate to push to the IDS";

+             type uint32 {

+               tailf:info "<1000-4000000>;;Specify the pps rate to push to the sensor";

+               range 1000..4000000;

+             }

+           }

+

+           uses utd-engine-fail-grouping;

+         }

+

+         container standard {

+           tailf:info "Intrusion inspection standard mode";

+           tailf:cli-add-mode;

+           tailf:cli-mode-name "config-engine-std";

+           tailf:cli-full-command;

+

+           uses utd-engine-fail-grouping;

+         }

+       }

+

+       container redirect {

+         tailf:info "Specify the interface connected to the UTD";

+         container interface {

+           tailf:info "Specify the interface connected to the UTD";

+           uses interface-name-grouping;

+         }

+       }

+     }

+

+     // utd * / engine

+     container engine {

+       tailf:info "UTD engine";

+

+       // utd engine * / advanced

+       container advanced {

+         tailf:info "UTD engine advanced";

+         tailf:cli-add-mode;

+         tailf:cli-mode-name "config-utd-eng-adv";

+         tailf:cli-full-command;

+

+         container threat {

+           tailf:info "Provide threat detection";

+

+           leaf detection {

+             tailf:info "Provide threat detection";

+             tailf:cli-full-command;

+             type empty;

+           }

+         }

+       }

+

+       // utd engine * / standard

+       container standard {

+         tailf:info "UTD engine standard";

+         tailf:cli-add-mode;

+         tailf:cli-mode-name "config-utd-eng-std";

+         tailf:cli-full-command;

+

+         container logging {

+           tailf:info "Provide logging server information";

+         

+           leaf syslog {

+             tailf:info "Log the alerts to IOS syslogs";

+             tailf:cli-full-command;

+             type empty;

+           }

+

+           list host {

+             tailf:info "Log the alerts to a host";

+             tailf:cli-suppress-mode;

+             max-elements 10;

+             key ip;

+

+             leaf ip {

+               tailf:cli-suppress-range;

+               type string {

+                 tailf:info "WORD;;Provide the URL/IP address of the host";

+               }

+             }

+           }

+         }

+

+         container threat-inspection {

+           tailf:info "IPS (or IDS) specific config commands";

+           tailf:cli-add-mode;

+           tailf:cli-mode-name "config-utd-engstd-insp";

+           tailf:cli-full-command;

+

+           container logging {

+             tailf:info "Provide logging level for the alerts for IPS/IDS";

+             tailf:cli-hide-in-submode;

+

+             leaf level {

+               tailf:info "Provide the log level";

+               type enumeration {

+                 enum emerg { 

+                   tailf:info "Provide emergency level logs (severity = 1)";

+                 }

+                 enum alert {

+                   tailf:info "Provide alert level logs (severity = 2)";

+                 }

+                 enum crit {

+                   tailf:info "Provide critical level logs (severity = 3)";

+                 }

+                 enum err {

+                   tailf:info "Provide error level logs (severity = 4)(default)";

+                 }

+                 enum warning {

+                   tailf:info "Provide notice level logs (severity = 6)";

+                 }

+                 enum notice {

+                   tailf:info "Provide notice level logs (severity = 6)";

+                 }

+                 enum info {

+                   tailf:info "Provide info level logs (severity = 7)";

+                 }

+                 enum debug {

+                   tailf:info "Provide all logs (severity = 8)";

+                 }

+               }

+             }

+           }

+

+           leaf policy {

+             tailf:info "Provide the policy option (default=balanced)";

+             tailf:cli-full-command;

+

+             type enumeration {

+               enum balanced {

+                 tailf:info "Set the policy to balanced (this is the default option)";

+               }

+               enum connectivity {

+                 tailf:info "Set the policy to connectivity (stresses on connectivity over security)";

+               }

+               enum security {

+                 tailf:info "Set the policy to security (provide mode exhaustive coverage)";

+               }

+             }

+           }

+

+           leaf threat {

+             tailf:info "Provide the threat detection/protection option (default=detection)";

+             tailf:cli-full-command;

+

+             type enumeration {

+               enum detection {

+                 tailf:info "Provide threat detection";

+               }

+               enum protection {

+                 tailf:info "Provide threat protection";

+               }

+             }

+           }

+

+           container signature {

+             tailf:info "Provide config options for the signatures";

+             tailf:cli-sequence-commands {

+               tailf:cli-reset-siblings;

+             }

+

+             container update {

+               tailf:info "Provide config options for the signature updates";

+

+               container occur-at {

+                 tailf:info "Specify update occurence by calendar time";

+

+                 leaf occurrence {

+                   tailf:cli-drop-node-name;

+                   type enumeration {

+                     enum daily {

+                       tailf:info "Option for daily update";

+                     }

+                     enum weekly {

+                       tailf:info "Option for weekly update";

+                     }

+                     enum monthly {

+                       tailf:info "Option for monthly update";

+                     }

+                   }

+                 }

+

+                 leaf dayWeek {

+                   tailf:cli-optional-in-sequence;

+                   // should only appear when the weekly enum is used

+                   tailf:cli-drop-node-name;

+                   type string {

+                     tailf:info "WORD;;Days of the week from 0-6, Sunday=0, examples: 0-2 or 1,3,5";

+                   }

+                 }

+

+                 leaf dayMonth {

+                   tailf:cli-optional-in-sequence;

+                   // should only appear when monthly enum used

+                   tailf:cli-drop-node-name;

+                   type string {

+                     tailf:info "WORD;;Days of the month from 1-31, examples: 1,10,20,30 or 1-11";

+                   }

+                 }

+

+                 leaf hour {

+                   tailf:cli-drop-node-name;

+                   type uint8 {

+                     tailf:info "<0-23>;;Hours of the day in 24-hr time, 0-23, examples: 13 or 7";

+                     range "0..23";

+                   }

+                 }

+

+                 leaf minute {

+                   tailf:cli-full-command;

+                   tailf:cli-drop-node-name;

+                   type uint8 {

+                     tailf:info "<0-59>;;The minutes from the top of the hour";

+                     range "0..59";

+                   }

+                 }

+               }

+

+               container server {

+                 tailf:info "Provide config options for the signature update server";

+               

+                 container cisco {

+                   tailf:info "Use Cisco site to provide updates";

+

+                   uses utd-username-password-grouping;

+                 }

+                 container url {

+                   tailf:info "Enter the complete URL for the path to the update server";

+

+                   leaf server {

+                     tailf:cli-drop-node-name;

+                     type string {

+                       tailf:info "WORD;;URL for update location (http/https) Example: http://1.2.3.4/path/";

+                     }

+                   }

+

+                   uses utd-username-password-grouping {

+                     refine username {

+                       tailf:cli-optional-in-sequence;

+                     }

+                     refine password {

+                       tailf:cli-optional-in-sequence;

+                     }

+                   }

+                 }

+               }

+             }

+           }

+

+           leaf whitelist {

+             tailf:info "Enable whitelisting under the utd engine";

+             tailf:cli-full-command;

+             type empty;

+           }

+         }

+       }

+     }

+

+     // utd * / threat-inspection

+     container threat-inspection {

+       tailf:info "UTD Threat Inspection (IPS/IDS) config modes";

+

+       // utd threat-inspection * / whitelist

+       container whitelist {

+         tailf:info "UTD whitelist config submode";

+         tailf:cli-add-mode;

+         tailf:cli-mode-name "config-utd-whitelist";

+         tailf:cli-full-command;

+

+         container signature {

+           tailf:info "Provide signatures for the whitelist";

+

+           container id {

+             tailf:info "Provide signature id for the whitelist";

+

+             list sig-id {

+               tailf:cli-drop-node-name;

+               tailf:cli-suppress-mode;

+               key id;

+

+               leaf id {

+                 tailf:cli-suppress-range;

+                 type uint32 {

+                   tailf:info "<0-4294967295>;;Provide signature id for the whitelist";

+                 }

+               }

+

+               // signature id <id> * / comment

+               leaf comment {

+                 tailf:info "Provide a comment for the signature";

+                 tailf:cli-multi-value;

+                 tailf:cli-preformatted;

+                 type string {

+                   tailf:info "LINE;;Enter the comment string";

+                 }

+               }

+             }

+           }

+         }

+       }

+     }

+   }

+

+   grouping utd-engine-fail-grouping {

+

+     container fail {

+       tailf:info "Enter the UTD engine fail mode operation";

+

+       leaf close {

+         tailf:info "Drop all IPS/IDS traffic on UTD engine failure";

+         type empty;

+       }

+     }

+   }

+

+   grouping utd-username-password-grouping {

+

+     leaf username {

+       tailf:info "Provide the username for authentication";

+       type string {

+         tailf:info "WORD;;Provide the username for authentication";

+       }

+     }

+

+     leaf password {

+       tailf:info "Provide the password for authentication";

+       type string {

+         tailf:info "WORD;;Provide the password for authentication";

+       }

+     }

+   }

    /// ========================================================================
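Review bot: `container utd-global` combines `tailf:cli-drop-node-name` with `tailf:cli-add-mode` and contains its own `container engine`, while a second `container engine` sits directly under `utd`; once the `utd-global` name is dropped, both `engine` subtrees (each with `standard` and `advanced` mode containers that also carry `tailf:cli-full-command`) are reached by the same token sequence `utd engine standard`, so the model hands the parser two different submodes for the same three words. That is the parse-chain collision the post reports, and the two `engine` subtrees need either distinct tokens or a single shared subtree before the parser can be unambiguous. Smaller defects in the same hunk: the `enum warning` description under `logging` / `level` repeats the `notice` text ("Provide notice level logs (severity = 6)") and should describe the warning level; `tailf:info "Specify update occurence by calendar time"` should read "occurrence"; "provide mode exhaustive coverage" on `enum security` reads as a typo for "more"; and `dayWeek` / `dayMonth` are camelCase where the rest of the module uses kebab-case names such as `occur-at` and `all-interfaces`.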

phpetty@phpetty-ubuntu:~/nso-run/packages/cisco-ios/src$
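To make the collision concrete, here is an added Python example (not from the post or the NED package) that flattens the question's CLI snippet, constructed inline, into full command paths and reports which submode prefix is reached by two different spellings.

```python
# Added example (not from the post): flatten an indented IOS-style config
# into full command paths to show where the two UTD spellings collide.

# Constructed sample, taken from the CLI snippet in the question.
SAMPLE_CONFIG = """\
utd engine standard
 threat-inspection
  policy security
  threat inspection
utd
 engine standard
  fail close
"""


def flatten(config):
    """One tuple per line: words of the enclosing modes + the line's own words.
    A line at indent N is a child of the nearest preceding line with indent < N."""
    paths, stack = [], []          # stack: (indent, words) of the open modes
    for raw in config.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        words = tuple(raw.split())
        while stack and stack[-1][0] >= depth:
            stack.pop()
        paths.append(tuple(w for _, ws in stack for w in ws) + words)
        stack.append((depth, words))
    return paths


def _opens_mode(flat, i):
    """True when the next line extends line i's path, i.e. line i is a submode."""
    return i + 1 < len(flat) and flat[i + 1][: len(flat[i])] == flat[i]


def leaves(config):
    """Full paths of the innermost lines; these stay unambiguous."""
    flat = flatten(config)
    return [p for i, p in enumerate(flat) if not _opens_mode(flat, i)]


def colliding_modes(config):
    """Submode paths produced by more than one line. For the sample this is
    ('utd', 'engine', 'standard'): both spellings flatten to the same prefix."""
    flat = flatten(config)
    count = {}
    for i, p in enumerate(flat):
        if _opens_mode(flat, i):
            count[p] = count.get(p, 0) + 1
    return sorted(p for p, n in count.items() if n > 1)


if __name__ == "__main__":
    for path in leaves(SAMPLE_CONFIG):
        print(" ".join(path))
    print("colliding:", colliding_modes(SAMPLE_CONFIG))
```

The leaf paths show that the full commands differ (`... threat-inspection policy security` versus `... fail close`), so a parser must look past the shared `utd engine standard` prefix, which is why a model that stops at that prefix only recovers one of the two submodes.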

Accepted Solution

alam.bilal
Cisco Employee

Modelling the quirks of CLI based devices can be tricky at times. Best to get the NED engineer to do this.

If you are just hacking away, then I've usually done the following:

1. Find a CLI mode/submode with a similar behaviour/structure and copy that.

2. Look into the CLI annotations to see if any apply. Some of these annotations are documented here:

    man tailf_yang_cli_extensions

