openconfig-fw-high-availability

openconfig-version: 0.2.1

Description

Model used to configure & monitor firewall High Availability (HA). The model is comprised primarily of the following sections:

  • Various global config parameters (such as ha-group-id, ha-mode etc.)
  • Control link configuration parameters (the control link is used to exchange HA control messages)
  • Data link configuration parameters (the data link is used to exchange information for seamless failover)
  • HA timers

This model also imports/uses the link-monitoring module to determine the health of the firewall cluster based on the status of the interfaces being monitored. Please see that module's description for additional details.

Imports

openconfig-extensions
openconfig-interfaces
openconfig-inet-types
openconfig-fw-link-monitoring
openconfig-aaa-types
openconfig-types

Identities

base: HA_PEER_MISMATCHED_ITEM

description:
Base type to specify the HA parameters that are not matching amongst HA peers.

SOFTWARE_MISMATCH

description:
Software version is not matching between HA peers.

base identity: HA_PEER_MISMATCHED_ITEM

RUNNING_CONFIG_MISMATCH

description:
Running configuration is not matching between HA peers.

base identity: HA_PEER_MISMATCHED_ITEM

IPS_SIGNATURES_MISMATCH

description:
IPS/IDS signatures are not matching between HA peers.

base identity: HA_PEER_MISMATCHED_ITEM

AVC_SIGNATURES_MISMATCH

description:
AVC signatures are not matching between HA peers.

base identity: HA_PEER_MISMATCHED_ITEM

Data elements

/
ha-groups

description:
Top level container for HA groups

nodetype: container (rw)

/ha-groups/
ha-group

description:
HA group id used to create a logical HA group

nodetype: list (rw)

list keys: [id]

/ha-groups/ha-group/
id

description:
References the group id key.

nodetype: leaf (list key) (rw)

type: leafref

  • path reference: ../config/id

/ha-groups/ha-group/
config

description:
Config container for HA parameters

nodetype: container (rw)

/ha-groups/ha-group/config/
ha-enabled

description:
This must be set to 'true' to initiate firewall participation in a HA cluster. Once set to 'true', this boolean can be flipped to 'false' to DISABLE HA and put a unit in a 'suspended' state while retaining all other HA settings & configuration parameters. At the same time the 'ha-state' leaf under 'ha-parameters-state' must then be updated to 'SUSPENDED'

nodetype: leaf (rw)

type: boolean

default: false

/ha-groups/ha-group/config/
ha-mode

description:
Configurable HA modes

nodetype: leaf (rw)

type: enumeration

  • ACTIVE_PASSIVE
    This value indicates the HA cluster is operating in active/passive mode. In this scenario there are only ever two firewalls in the cluster. The active firewall serves as the 'primary' handling the traffic & the passive firewall acts as a 'secondary' ready to take over if the 'active' unit fails

/ha-groups/ha-group/config/
ha-key

description:
HA key used to encrypt & authenticate HA messages between the peers. This is provided in clear-text by the client & is expected to be hashed by the firewall in the configuration.

nodetype: leaf (rw)

type: string

/ha-groups/ha-group/config/
ha-key-hashed

description:
HA key, used to encrypt & authenticate HA messages between the peers, supplied as a hashed value using the notation described in the definition of the crypt-password-type.

nodetype: leaf (rw)

type: oc-aaa-types:crypt-password-type

/ha-groups/ha-group/config/
ha-msg-encryption

description:
When set to true, all traffic between firewall units in a HA cluster is encrypted. If an operator-provided encryption key is supported, that key must be derived from the ha-key/ha-key-hashed leaf nodes. If that is not supported, the vendor is expected to derive its own keying material.

nodetype: leaf (rw)

type: boolean

default: false

/ha-groups/ha-group/config/
id

description:
The high availability group id for a unit. This value MUST match across both units participating in a HA cluster.

nodetype: leaf (rw)

type: uint8

/ha-groups/ha-group/config/
ha-device-id

description:
Specify the device-id that identifies the firewall within a HA group. This value MUST be unique to the local unit and MUST NOT clash with the peer within a ha-group.

nodetype: leaf (rw)

type: uint8

/ha-groups/ha-group/config/
preempt

description:
When set to true, the firewall forces re-election of the active role after joining the cluster.

nodetype: leaf (rw)

type: boolean

default: false

/ha-groups/ha-group/config/
priority

description:
Set the priority value for the firewall. This value is used in the election of the active unit in the HA cluster. The firewall with the highest priority is elected as the ACTIVE unit.

nodetype: leaf (rw)

type: uint8

/ha-groups/ha-group/config/
preempt-hold-timer

description:
Length of time, from the last received Hello message, that a firewall will wait before taking over the active role in a HA pair.

nodetype: leaf (rw)

type: uint32

units: milliseconds

/ha-groups/ha-group/config/
hello-interval

description:
Interval between hello messages exchanged by the HA peers

nodetype: leaf (rw)

type: uint32

units: milliseconds

/ha-groups/ha-group/config/
global-health-policy

description:
Global health values associated with the interface monitoring state machine

nodetype: leaf (rw)

type: enumeration

  • ANY
    Global health is DOWN if ANY of the monitored interface groups are DOWN
  • ALL
    Global health is DOWN if ALL of the monitored interface groups are DOWN
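The config leaves above carry several MUST clauses (matching `id`, non-clashing `ha-device-id`) and an election rule (highest `priority` wins ACTIVE; `ha-enabled` false means SUSPENDED). The following is an added example, not code from the OpenConfig project or any vendor, that checks a pair of config instances against those rules; the inputs are plain dicts keyed by the model's leaf names, and the tie-break on equal priority is an assumption the model does not state.

```python
"""Consistency checks for a pair of openconfig-fw-high-availability
/ha-groups/ha-group/config instances.

Constructed example, not code from the OpenConfig project or a vendor.
Inputs are plain dicts keyed by the model's leaf names.
"""
from __future__ import annotations

UINT8_LEAVES = ("id", "ha-device-id", "priority")


def validate_pair(local: dict, peer: dict) -> list[str]:
    """Return the constraint violations for an HA pair (empty if consistent).

    Encodes the MUST clauses in the leaf descriptions: 'id' matches across
    both units, 'ha-device-id' does not clash with the peer, uint8 leaves
    stay in range, and ha-mode is ACTIVE_PASSIVE (the only enum value).
    """
    problems: list[str] = []
    if local.get("id") != peer.get("id"):
        problems.append("id: ha-group id MUST match across both units")
    if local.get("ha-device-id") == peer.get("ha-device-id"):
        problems.append("ha-device-id: MUST NOT clash with the peer")
    for name, cfg in (("local", local), ("peer", peer)):
        for leaf in UINT8_LEAVES:
            val = cfg.get(leaf)
            if val is not None and not (isinstance(val, int) and 0 <= val <= 255):
                problems.append(f"{name}: {leaf} must be uint8, got {val!r}")
        if cfg.get("ha-mode", "ACTIVE_PASSIVE") != "ACTIVE_PASSIVE":
            problems.append(f"{name}: unknown ha-mode {cfg['ha-mode']!r}")
        # ha-key is the clear-text input form; ha-key-hashed is the stored
        # form. Supplying both leaves the device with two sources of truth.
        if "ha-key" in cfg and "ha-key-hashed" in cfg:
            problems.append(f"{name}: set ha-key or ha-key-hashed, not both")
    return problems


def expected_roles(local: dict, peer: dict) -> dict[str, str]:
    """Predict each unit's ha-state from its config leaves.

    ha-enabled false (or absent, default false) yields SUSPENDED. Among
    enabled units the highest priority becomes ACTIVE and the other
    PASSIVE. Assumption not stated by the model: on equal priority the
    lower ha-device-id wins.
    """
    units = {"local": local, "peer": peer}
    roles = {n: "SUSPENDED" for n, c in units.items() if not c.get("ha-enabled", False)}
    enabled = [n for n in units if n not in roles]
    if enabled:
        winner = max(enabled, key=lambda n: (units[n].get("priority", 0),
                                             -units[n].get("ha-device-id", 0)))
        for n in enabled:
            roles[n] = "ACTIVE" if n == winner else "PASSIVE"
    return roles


# Constructed sample pair: matching group id, distinct device ids; the
# hashed key value is a placeholder, not a real crypt-password-type hash.
FW_A = {"ha-enabled": True, "ha-mode": "ACTIVE_PASSIVE", "id": 1,
        "ha-device-id": 1, "priority": 200, "preempt": True,
        "ha-key-hashed": "$PLACEHOLDER$hash"}
FW_B = {"ha-enabled": True, "ha-mode": "ACTIVE_PASSIVE", "id": 1,
        "ha-device-id": 2, "priority": 100,
        "ha-key-hashed": "$PLACEHOLDER$hash"}

if __name__ == "__main__":
    print(validate_pair(FW_A, FW_B))   # []
    print(expected_roles(FW_A, FW_B))  # {'local': 'ACTIVE', 'peer': 'PASSIVE'}
```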

/ha-groups/ha-group/
state

description:
State container for HA parameters

nodetype: container (ro)

/ha-groups/ha-group/state/
ha-enabled

description:
This must be set to 'true' to initiate firewall participation in a HA cluster. Once set to 'true', this boolean can be flipped to 'false' to DISABLE HA and put a unit in a 'suspended' state while retaining all other HA settings & configuration parameters. At the same time the 'ha-state' leaf under 'ha-parameters-state' must then be updated to 'SUSPENDED'

nodetype: leaf (ro)

type: boolean

default: false

/ha-groups/ha-group/state/
ha-mode

description:
Configurable HA modes

nodetype: leaf (ro)

type: enumeration

  • ACTIVE_PASSIVE
    This value indicates the HA cluster is operating in active/passive mode. In this scenario there are only ever two firewalls in the cluster. The active firewall serves as the 'primary' handling the traffic & the passive firewall acts as a 'secondary' ready to take over if the 'active' unit fails

/ha-groups/ha-group/state/
ha-key

description:
HA key used to encrypt & authenticate HA messages between the peers. This is provided in clear-text by the client & is expected to be hashed by the firewall in the configuration.

nodetype: leaf (ro)

type: string

/ha-groups/ha-group/state/
ha-key-hashed

description:
HA key, used to encrypt & authenticate HA messages between the peers, supplied as a hashed value using the notation described in the definition of the crypt-password-type.

nodetype: leaf (ro)

type: oc-aaa-types:crypt-password-type

/ha-groups/ha-group/state/
ha-msg-encryption

description:
When set to true, all traffic between firewall units in a HA cluster is encrypted. If an operator-provided encryption key is supported, that key must be derived from the ha-key/ha-key-hashed leaf nodes. If that is not supported, the vendor is expected to derive its own keying material.

nodetype: leaf (ro)

type: boolean

default: false

/ha-groups/ha-group/state/
id

description:
The high availability group id for a unit. This value MUST match across both units participating in a HA cluster.

nodetype: leaf (ro)

type: uint8

/ha-groups/ha-group/state/
ha-device-id

description:
Specify the device-id that identifies the firewall within a HA group. This value MUST be unique to the local unit and MUST NOT clash with the peer within a ha-group.

nodetype: leaf (ro)

type: uint8

/ha-groups/ha-group/state/
preempt

description:
When set to true, the firewall forces re-election of the active role after joining the cluster.

nodetype: leaf (ro)

type: boolean

default: false

/ha-groups/ha-group/state/
priority

description:
Set the priority value for the firewall. This value is used in the election of the active unit in the HA cluster. The firewall with the highest priority is elected as the ACTIVE unit.

nodetype: leaf (ro)

type: uint8

/ha-groups/ha-group/state/
preempt-hold-timer

description:
Length of time, from the last received Hello message, that a firewall will wait before taking over the active role in a HA pair.

nodetype: leaf (ro)

type: uint32

units: milliseconds

/ha-groups/ha-group/state/
hello-interval

description:
Interval between hello messages exchanged by the HA peers

nodetype: leaf (ro)

type: uint32

units: milliseconds

/ha-groups/ha-group/state/
global-health-policy

description:
Global health values associated with the interface monitoring state machine

nodetype: leaf (ro)

type: enumeration

  • ANY
    Global health is DOWN if ANY of the monitored interface groups are DOWN
  • ALL
    Global health is DOWN if ALL of the monitored interface groups are DOWN

/ha-groups/ha-group/state/
ha-state

description:
Firewall's operational ha-state

nodetype: leaf (ro)

type: enumeration

  • ACTIVE
    Firewall is 'active' and handling all traffic in a cluster
  • PASSIVE
    Firewall is 'passive' in a two-unit cluster ready to handle traffic if the 'active' unit fails
  • DEGRADED
    Firewall is in a 'degraded' state and unable to join the cluster due to config or operational failures
  • SUSPENDED
    This state represents a firewall which will not join the cluster because 'ha-enabled' is set to, or left at its default of, 'false'

/ha-groups/ha-group/state/
ha-state-last-change

description:
Reports the time the firewall entered its current HA operational state. The value is the timestamp in nanoseconds relative to the Unix Epoch (Jan 1, 1970 00:00:00 UTC).

nodetype: leaf (ro)

type: oc-types:timeticks64

units: nanoseconds

/ha-groups/ha-group/state/
ha-config-sync

description:
Returns 'TRUE' if config sync is operational between HA peers. Returns 'FALSE' otherwise.

nodetype: leaf (ro)

type: boolean

/ha-groups/ha-group/state/
ha-session-sync

description:
Returns 'TRUE' if session sync is operational between HA peers. Returns 'FALSE' otherwise.

nodetype: leaf (ro)

type: boolean

/ha-groups/ha-group/state/
ha-mismatched-parameters

description:
List of HA parameters that are mismatched between peers. Use this list to highlight the root cause of HA operational issues that an operator must fix.

nodetype: leaf-list (ro)

type: identityref

  • base: HA_PEER_MISMATCHED_ITEM

/ha-groups/ha-group/state/
global-health-status

description:
Global interface monitoring status

nodetype: leaf (ro)

type: enumeration

  • UP
    Global interface monitoring status is UP
  • DOWN
    Global interface monitoring status is DOWN

description:
Top-level container for HA control link

nodetype: container (rw)

description:
Configuration parameters related to primary HA control link

nodetype: container (rw)

description:
Specify which interface will be used to exchange HA control messages between peers

nodetype: leaf (rw)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange control messages

nodetype: leaf (rw)

type: oc-inet:port-number

description:
Specify the ipv4 address used by the fw for the control link

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If peer control ipv4 is in a different subnet, specify the gateway ipv4 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv4-address

description:
Specify the ipv6 address used by the fw for the control link

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
If peer control ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv6-address

description:
Specify the peer ipv4 address, if control link is utilizing Layer 3

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
Specify the peer ipv6 address, if control link is utilizing Layer 3

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
Operational state data related to primary HA control link

nodetype: container (ro)

description:
Specify which interface will be used to exchange HA control messages between peers

nodetype: leaf (ro)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange control messages

nodetype: leaf (ro)

type: oc-inet:port-number

description:
Specify the ipv4 address used by the fw for the control link

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If peer control ipv4 is in a different subnet, specify the gateway ipv4 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv4-address

description:
Specify the ipv6 address used by the fw for the control link

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
If peer control ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv6-address

description:
Specify the peer ipv4 address, if control link is utilizing Layer 3

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
Specify the peer ipv6 address, if control link is utilizing Layer 3

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
Data related to backup HA control link

nodetype: container (rw)

description:
Configuration data related to backup HA control link

nodetype: container (rw)

description:
Specify which interface will be used to exchange HA control messages between peers

nodetype: leaf (rw)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange control messages

nodetype: leaf (rw)

type: oc-inet:port-number

description:
Specify the ipv4 address used by the fw for the control link

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If peer control ipv4 is in a different subnet, specify the gateway ipv4 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv4-address

description:
Specify the ipv6 address used by the fw for the control link

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
If peer control ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv6-address

description:
Specify the peer ipv4 address, if control link is utilizing Layer 3

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
Specify the peer ipv6 address, if control link is utilizing Layer 3

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
Operational state data related to backup HA control link

nodetype: container (ro)

description:
Specify which interface will be used to exchange HA control messages between peers

nodetype: leaf (ro)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange control messages

nodetype: leaf (ro)

type: oc-inet:port-number

description:
Specify the ipv4 address used by the fw for the control link

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If peer control ipv4 is in a different subnet, specify the gateway ipv4 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv4-address

description:
Specify the ipv6 address used by the fw for the control link

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
If peer control ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv6-address

description:
Specify the peer ipv4 address, if control link is utilizing Layer 3

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
Specify the peer ipv6 address, if control link is utilizing Layer 3

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
Top-level container for HA data link

nodetype: container (rw)

description:
Configuration parameters related to primary HA data link

nodetype: container (rw)

description:
Specify which interface will be used to sync session tables, forwarding tables, ARP tables, IPSEC SAs and any other messages that MUST be exchanged to facilitate seamless traffic handling during a failover event

nodetype: leaf (rw)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange data link messages

nodetype: leaf (rw)

type: oc-inet:port-number

description:
If data link is layer 3, specify the local unit's ipv4 address

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If peer data ip is in a different subnet, specify the gateway ip here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv4-address

description:
If data link is layer 3, specify the local unit's ipv6 address

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
If peer data ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv6-address

description:
If data link is layer 3, specify the peer's ipv4 address

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If data link is layer 3, specify the peer's ipv6 address

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
Operational state parameters related to primary HA data link

nodetype: container (ro)

description:
Specify which interface will be used to sync session tables, forwarding tables, ARP tables, IPSEC SAs and any other messages that MUST be exchanged to facilitate seamless traffic handling during a failover event

nodetype: leaf (ro)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange data link messages

nodetype: leaf (ro)

type: oc-inet:port-number

description:
If data link is layer 3, specify the local unit's ipv4 address

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If peer data ip is in a different subnet, specify the gateway ip here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv4-address

description:
If data link is layer 3, specify the local unit's ipv6 address

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
If peer data ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv6-address

description:
If data link is layer 3, specify the peer's ipv4 address

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If data link is layer 3, specify the peer's ipv6 address

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
Parameters related to backup HA data link

nodetype: container (rw)

description:
Configuration parameters related to backup HA data link

nodetype: container (rw)

description:
Specify which interface will be used to sync session tables, forwarding tables, ARP tables, IPSEC SAs and any other messages that MUST be exchanged to facilitate seamless traffic handling during a failover event

nodetype: leaf (rw)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange data link messages

nodetype: leaf (rw)

type: oc-inet:port-number

description:
If data link is layer 3, specify the local unit's ipv4 address

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If peer data ip is in a different subnet, specify the gateway ip here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv4-address

description:
If data link is layer 3, specify the local unit's ipv6 address

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
If peer data ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (rw)

type: oc-inet:ipv6-address

description:
If data link is layer 3, specify the peer's ipv4 address

nodetype: leaf (rw)

type: oc-inet:ipv4-prefix

description:
If data link is layer 3, specify the peer's ipv6 address

nodetype: leaf (rw)

type: oc-inet:ipv6-prefix

description:
Operational state parameters related to backup HA data link

nodetype: container (ro)

description:
Specify which interface will be used to sync session tables, forwarding tables, ARP tables, IPSEC SAs and any other messages that MUST be exchanged to facilitate seamless traffic handling during a failover event

nodetype: leaf (ro)

type: oc-if:base-interface-ref

description:
Specify which TCP/UDP port will be used to exchange data link messages

nodetype: leaf (ro)

type: oc-inet:port-number

description:
If data link is layer 3, specify the local unit's ipv4 address

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If peer data ip is in a different subnet, specify the gateway ip here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv4-address

description:
If data link is layer 3, specify the local unit's ipv6 address

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

description:
If peer data ipv6 is in a different subnet, specify the gateway ipv6 here to provide reachability

nodetype: leaf (ro)

type: oc-inet:ipv6-address

description:
If data link is layer 3, specify the peer's ipv4 address

nodetype: leaf (ro)

type: oc-inet:ipv4-prefix

description:
If data link is layer 3, specify the peer's ipv6 address

nodetype: leaf (ro)

type: oc-inet:ipv6-prefix

/ha-groups/ha-group/
interface-groups

description:
Top level container for monitored interface groups

nodetype: container (rw)

/ha-groups/ha-group/interface-groups/
interface-group

description:
List of interface groups being monitored

nodetype: list (rw)

list keys: [id]

/ha-groups/ha-group/interface-groups/interface-group/
id

description:
Reference to the interface-group key used to bundle interfaces in a logical group

nodetype: leaf (list key) (rw)

type: leafref

  • path reference: ../config/id

/ha-groups/ha-group/interface-groups/interface-group/
config

description:
Configuration parameters for the interface-groups

nodetype: container (rw)

/ha-groups/ha-group/interface-groups/interface-group/config/
id

description:
Assign a unique id to an interface group

nodetype: leaf (rw)

type: union

    type: uint8

    type: string

/ha-groups/ha-group/interface-groups/interface-group/config/
monitored-interfaces

description:
Interfaces being monitored

nodetype: leaf-list (rw)

type: oc-if:base-interface-ref

/ha-groups/ha-group/interface-groups/interface-group/config/
group-policy

description:
Determines how the state of the monitored-interfaces is used to derive the state of the group they are a member of

nodetype: leaf (rw)

type: enumeration

  • ANY
    Group status is DOWN if the status of ANY interface within the group is down.
  • ALL
    Group status is DOWN if the status of ALL interfaces within the group are down.

/ha-groups/ha-group/interface-groups/interface-group/
state

description:
State container for monitored interface-groups.

nodetype: container (ro)

/ha-groups/ha-group/interface-groups/interface-group/state/
id

description:
Assign a unique id to an interface group

nodetype: leaf (ro)

type: union

    type: uint8

    type: string

/ha-groups/ha-group/interface-groups/interface-group/state/
monitored-interfaces

description:
Interfaces being monitored

nodetype: leaf-list (ro)

type: oc-if:base-interface-ref

/ha-groups/ha-group/interface-groups/interface-group/state/
group-policy

description:
Determines how the state of the monitored-interfaces is used to derive the state of the group they are a member of

nodetype: leaf (ro)

type: enumeration

  • ANY
    Group status is DOWN if the status of ANY interface within the group is down.
  • ALL
    Group status is DOWN if the status of ALL interfaces within the group are down.

/ha-groups/ha-group/interface-groups/interface-group/state/
group-status

description:
The status of this interface group

nodetype: leaf (ro)

type: enumeration

  • UP
    Group status is UP
  • DOWN
    Group status is DOWN
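The two-level policy described by these leaves (per-group `group-policy` ANY/ALL feeding `group-status`, then the ha-group's `global-health-policy` ANY/ALL feeding `global-health-status`) is small enough to work through end to end. Below is an added example, not code from the OpenConfig project or any vendor, that evaluates both levels over a constructed ha-group tree and a constructed table of interface oper states. Two edge cases the model leaves open are handled as labelled assumptions: an interface with no known oper status counts as DOWN, and a group with no monitored interfaces counts as UP.

```python
"""Evaluate the interface-monitoring state machine described by
openconfig-fw-high-availability: 'group-policy' (ANY/ALL) yields each
interface-group's 'group-status', and 'global-health-policy' (ANY/ALL)
yields the ha-group's 'global-health-status'.

Constructed example, not code from the OpenConfig project or a vendor.
Assumptions not stated by the model: an interface absent from the oper
status table is DOWN, an empty group is UP, a missing policy means ANY.
"""
from __future__ import annotations


def _policy_down(down_flags: list[bool], policy: str) -> bool:
    """Apply the model's ANY/ALL rule to a list of 'is DOWN' flags."""
    if not down_flags:
        return False  # assumption: nothing to monitor, nothing has failed
    return any(down_flags) if policy == "ANY" else all(down_flags)


def group_status(group_cfg: dict, if_status: dict[str, str]) -> str:
    """Return UP/DOWN for one interface-group/config entry."""
    flags = [if_status.get(ifname, "DOWN") == "DOWN"
             for ifname in group_cfg.get("monitored-interfaces", [])]
    policy = group_cfg.get("group-policy", "ANY")
    return "DOWN" if _policy_down(flags, policy) else "UP"


def global_health(ha_group: dict, if_status: dict[str, str]) -> dict:
    """Return the derived state leaves: per-group 'group-status' keyed by
    group id, and the ha-group's 'global-health-status'."""
    groups = ha_group.get("interface-groups", {}).get("interface-group", [])
    statuses = {g["config"]["id"]: group_status(g["config"], if_status)
                for g in groups}
    policy = ha_group.get("config", {}).get("global-health-policy", "ANY")
    down = _policy_down([s == "DOWN" for s in statuses.values()], policy)
    return {"group-status": statuses,
            "global-health-status": "DOWN" if down else "UP"}


# Constructed ha-group: a redundant 'outside' pair (ALL must fail) and a
# single 'inside' uplink (ANY failure counts).
HA_GROUP = {
    "config": {"id": 1, "global-health-policy": "ANY"},
    "interface-groups": {"interface-group": [
        {"config": {"id": "outside", "group-policy": "ALL",
                    "monitored-interfaces": ["eth0", "eth1"]}},
        {"config": {"id": "inside", "group-policy": "ANY",
                    "monitored-interfaces": ["eth2"]}},
    ]},
}
# Constructed oper status table: one outside member is down, inside is up.
IF_STATUS = {"eth0": "UP", "eth1": "DOWN", "eth2": "UP"}

if __name__ == "__main__":
    print(global_health(HA_GROUP, IF_STATUS))
    # {'group-status': {'outside': 'UP', 'inside': 'UP'}, 'global-health-status': 'UP'}
```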

openconfig-fw-link-monitoring

openconfig-version: 0.2.1

Description

This model defines interface groups and corresponding monitoring policies for firewall HA groups. It also provides modeling for a global health monitoring policy for the HA group.

Imports

openconfig-extensions
openconfig-interfaces