traffic-proxy

service traffic-proxy <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • id – Traffic proxy service

Instances:

Multiple

Required:

service traffic-proxy <id> block
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP block page configuration

Required:

service traffic-proxy <id> block rule <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – Block rule matched on connection marks

Instances:

Multiple

Required:

service traffic-proxy <id> block rule <u32> connmark
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Connection connmark matching configuration

Instances:

Unique

service traffic-proxy <id> block rule <u32> connmark extra-mark <int>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Match against extended connmark (emark1)

Values:
  • 1 – Extra mark 1 (emark2 is reserved)

Instances:

Multiple

service traffic-proxy <id> block rule <u32> connmark extra-mark <int> value <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – Value to match against extra connmark

service traffic-proxy <id> block rule <u32> connmark mark <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – Match against connmark

service traffic-proxy <id> block rule <u32> connmark vrf-mark <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Match against connmark using a VRF

Reference:

system vrf <id>

service traffic-proxy <id> block rule <u32> set
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Variable overrides applied when this rule matches

service traffic-proxy <id> block rule <u32> set variable <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • id – Variables to override when this rule matches

Instances:

Multiple

service traffic-proxy <id> block rule <u32> set variable <id> value <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – Override value for this rule

service traffic-proxy <id> block template
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Block page template configuration

service traffic-proxy <id> block template file <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • file – HTML template file with placeholders

service traffic-proxy <id> block template variable <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • id – Template variable with default values

Instances:

Multiple

service traffic-proxy <id> block template variable <id> value <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – Default value for the variable

service traffic-proxy <id> disable-ssl-compression
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable SSL/TLS compression on all connections

This option is useful when CPU, rather than network bandwidth, is the limiting factor

service traffic-proxy <id> hash-table-size <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Size of the hash table used for SSL flow tracking

Values:
  • u32 – Number of elements (4096-65536)

service traffic-proxy <id> hash-table-timeout <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Timeout of entries in the flow-tracking hash table

Values:
  • u32 – Timeout in seconds (10-3600)

service traffic-proxy <id> local-vrf <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

VRF in which the traffic proxy runs

Reference:

system vrf <id>

service traffic-proxy <id> logging
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Enable event logging

service traffic-proxy <id> logging connection
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Log information about new connections

service traffic-proxy <id> logging content
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Log information about decrypted content

service traffic-proxy <id> logging queue
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Write a journal entry every time a new packet is enqueued

service traffic-proxy <id> mark <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Mark diverted packets

Values:
  • u32 – Integer value from 0 to 2147483647 (0-2147483647)

service traffic-proxy <id> mode <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Proxy operating mode

Values:
  • https – Decode HTTP over SSL/TLS, including removal of the HPKP, HSTS, Upgrade and Alternate Protocol headers

  • pop3s – Decode POP3 connection

  • smtps – Decode SMTP connection

  • ssl – Do not decode the SSL connection; the decrypted content is treated as an opaque stream of bytes

  • http – Decode plain HTTP connection

  • pop3 – Decode plain POP3 connection

  • smtp – Decode plain SMTP connection

  • tcp – Do not decode the TCP connection; the content is treated as an opaque stream of bytes

  • autossl – Do not decode the SSL connection; provide protocol-independent STARTTLS support

service traffic-proxy <id> port <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Local port used to intercept traffic

Values:
  • u32 – Numeric port (1-65535)

service traffic-proxy <id> queue <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Traffic queue where decrypted/decoded packets will be sent

Reference:

traffic queue <txt>

service traffic-proxy <id> vrf-mark <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Mark diverted packets using a VRF

Reference:

system vrf <id>

service traffic-proxy <id> x509
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

X.509 configuration parameters

Required:

service traffic-proxy <id> x509 ca-cert <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • file – CA certificate in PEM format used to sign certificates forged on the fly

service traffic-proxy <id> x509 ca-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • file – CA private key in PEM format used to sign certificates forged on the fly

service traffic-proxy <id> x509 dhparam <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • file – Diffie-Hellman parameters in PEM format

service traffic-proxy <id> x509 leaf-crl-url <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • id – URL to use as the CRL distribution point (CRL for all forged certificates)

service traffic-proxy <id> x509 leaf-key-size <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – RSA key size in bits for forged leaf certificates