Juniper NETWORK AND SECURITY MANAGER 2010.4 - API GUIDE REV 1, NETWORK AND SECURITY MANAGER 2010.4 User Manual

Juniper Networks Network and Security Manager

API Guide

Release

2010.4

Published: 2010-11-17

Revision 1

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This productincludes the Envoy SNMP Engine, developed by Epilogue Technology,an Integrated Systems Company.Copyright ©1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager API Guide

Revision History 17 November, 2010—Revision 1

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER)CONSENT TO BE BOUNDBY THIS AGREEMENT.IF YOUDO NOTOR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (ifthe Customer’sprincipal officeis located outsidethe Americas) (such applicable entitybeing referred to herein as“Juniper”),and (ii) the person or organization thatoriginally purchased from Juniperor an authorized Juniperreseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject topayment ofthe applicablefees andthe limitationsand restrictionsset forth herein, Juniper grants toCustomer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitsto Customer’s useof the Software. Suchlimits may restrictuse to amaximum numberof seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, toany thirdparty; (d)remove any proprietarynotices, labels,or marks on orin any copy of the Softwareor any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold inthe secondhand market; (f)use any ‘locked’ orkey-restricted feature,function, service, application, operation, orcapability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompaniesthe Software (the“Warranty Statement”).Nothing inthis Agreement shallgive riseto any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENTOF SUBSTITUTEGOODS ORSERVICES,OR FOR ANY SPECIAL,INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIEDSOFTWARE. INNO EVENT SHALLJUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor ofJuniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in itsown name asif it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Part 1 NSM API

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

NSM API Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

NSM API Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

NSM API Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 2 NSM API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

System Service API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Data Centric Service API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Data Centric Service XML Subtree Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Data Centric Service Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Job Service API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Log Service API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Part 2 API Data Types

Chapter 3 Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

API Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 4 Common Message Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

SimpleRequestType and SimpleResponseType Data Types . . . . . . . . . . . . . . . . . 21

Chapter 5 Security Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

NSM Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Security Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Backdoor (rb_backdoor_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Exempt (rb_exempt_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Firewall (rb_firewall_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

IDP (rb_idp_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Multicast (rb_multicast_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

SYN Protector (rb_syndef_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Traffic Anomalies (rb_tsig_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Network and Security Manager 2010.4 API Guide

Network Honeypot (rb_portfaker_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Service (service_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Address (address_collection_type) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Schedule Object (scheduleobj_collection_type) . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Attack (attack_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Antivirus (avobj_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

GTP (gtpobj_collection_type) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

DI Profile (DIProfile_collection_type) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Global DIP (globaldip_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Global MIP (globalmpi_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Global VIP (globalvip_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

URL Filter Object (urlfilter_collection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Part 3 Using the NSM API from a Perl Client

Chapter 6 Installing the Perl Client Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Installing the Perl Client Environment on Linux-Unix Machines . . . . . . . . . . . . . . . 75

Installing the Perl Client Environment on Windows Machines . . . . . . . . . . . . . . . . 76

Using a Perl Script to Access the NSM API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 7 Using the Perl Client to Access the NSM API . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Login and Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 8 Using the API to Manage Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Using the Perl Client Library with Address Objects . . . . . . . . . . . . . . . . . . . . . . . . 83

Add Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Replace an Address Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Rename Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Read Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Delete Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Delete All Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Using the Perl Client Library with Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . 87

Add Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Add Group-Global Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Read Group-Global Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Replace Group-Global Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Delete All Group-Global Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Using the Perl Client Library with Device Objects . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Read Device Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Part 4 Using the NSM API from a Java Client

Chapter 9 Using APIs for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Chapter 10 Using APIs for Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Create a New Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Update an Existing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Delete a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Get a List of Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Table of Contents

Get a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Assign a Policy to a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Remove a Policy Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Chapter 11 Using APIs for Shared Object Management . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Insert a Shared Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Replace a Shared Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Delete a Shared Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Get a List of Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Get a Shared Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Chapter 12 Using APIs for Job Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Get a Job Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Import a List of Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Update a List of Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Get a Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Get a Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Get the Delta Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Cancel a Job Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter 13 Using APIs for Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Retrieve Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Retrieve the Device List in One Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Part 5 NSM API WSDLs

Chapter 14 Job Service API WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

WSDL File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Chapter 15 System Service API WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

WSDL File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Chapter 16 Data Centric API WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

WSDL File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Chapter 17 Log Service API WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

WSDL File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Part 6 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Network and Security Manager 2010.4 API Guide

List of Figures

Part 1 NSM API

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: ErrorType Data Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Part 2 API Data Types

Chapter 3 Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 2: NSM API Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 4 Common Message Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 3: SimpleRequestType Data Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 4: SimpleResponseType Data Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 5 Security Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 5: NSM Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 6: Backdoor Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 7: Exempt Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Figure 8: Firewall Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Figure 9: Firewall policy_type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Figure 10: IDP Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 11: Multicast Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Figure 12: SYN Protector Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Figure 13: Traffic Anomalies Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Figure 14: Network Honeypot Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Figure 15: Service Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Figure 16: Address Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 17: Schedule Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Figure 18: Antivirus Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Figure 19: GTP Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Figure 20: DI Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 21: Global DIP Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Figure 22: Global MIP Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Figure 23: Global VIP Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Figure 24: URL Filter Object Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Network and Security Manager 2010.4 API Guide

List of Tables

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Table 1: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Table 2: Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Table 3: Network and Security Manager Publications . . . . . . . . . . . . . . . . . . . . . . xvii

Part 1 NSM API

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 4: ErrorType Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Chapter 2 NSM API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 5: System Service API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 6: Data Centric API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Table 7: Job Service API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Table 8: Log Service API Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Part 2 API Data Types

Chapter 3 Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Table 9: API Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 4 Common Message Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Table 10: SimpleRequestType and SimpleResponseType Definitions . . . . . . . . . . 22

Chapter 5 Security Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Table 11: NSM Policy Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Table 12: Backdoor Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 13: Exempt Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 14: Firewall Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Table 15: IDP Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Table 16: Multicast Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Table 17: SYN Protector Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . 46

Table 18: Traffic Anamolies Rulebase Date Elements . . . . . . . . . . . . . . . . . . . . . . 49

Table 19: Network Honeypot Rulebase Data Elements . . . . . . . . . . . . . . . . . . . . . 52

Table 20: Service Collection Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Table 21: Address Collection Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Table 22: Schedule Object Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Table 23: Attack Collection Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Table 24: Antivirus Collection Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Table 25: GTP Collection Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Table 26: DIP Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Table 27: Global DIP Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Network and Security Manager 2010.4 API Guide

Table 28: Global MIP Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Table 29: Global VIP Data Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Table 30: URL Filter Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

About This Guide

This preface provides the following guidelines for using the NSM API Guide and related Juniper Networks, Inc. technical documents:

•

Objectives on page xv

•

Audience on page xv

•

Conventions on page xv

•

Documentation on page xvii

•

Requesting Technical Support on page xvii

Objectives

This guide explains how to use the Network and Security Manager (NSM) API to manage device configurations and control communications between the API, externalweb clients, and the internal NSM GUI client.

Audience

This guide is written for developersand network administrators whoconfigure and monitor Juniper Networks DMI and non-DMI compliant device routing platforms.

Conventions

•

Customers with technical knowledge of networks and the Internet.

•

Network administratorswho install, configure, andmanage Juniper Networksproducts. Familiarity with the XML language is needed.

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.

All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Table 1 on page xvi defines text conventions used in this guide.

Network and Security Manager 2010.4 API Guide

Table 1: Text Conventions

ExamplesDescriptionConvention

Bold typeface like this

fixed-width font

Keynames linkedwith a plus (+) sign

Italics

The angle bracket (>)

Table 2 on page xvi defines syntax conventions used in this guide.

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 2: Syntax Conventions

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

variable to the left or right of this symbol. The keywordor variable canbe optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in |out } { clusterId | ipAddress }

Documentation

About This Guide

Table 3 on page xvii describes documentation for the NSM.

Table 3: Network and Security Manager Publications

DescriptionBook

Network and Security Manager Installation Guide

Network and Security Manager Administration Guide

Network and Security Manager Configuring Screen OS and IDP Devices Guide

Network and Security Manager Online Help

Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSMuser interface.This guideis intended for IT administrators responsible for the installation or upgrade of NSM.

Describes how to use and configure key management features in the NSM. Itprovides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help,which provides step-by-step instructions for performing management tasks in the NSM UI.

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Describes NSM features related to device configuration and management. It also explains how to configure basic andadvanced NSM functionality, including deploying new device configurations, managing security policies and VPNs, and general device administration.

Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Network and Security Manager API Guide

Network and Security Manager Release Notes

Requesting Technical Support

Technical productsupport is availablethrough theJuniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

Provides complete syntax and description of the SOAP messaging interface to NSM.

Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notesdiffers from the information found in the documentation set, follow the Release Notes.

Release notes are included on the corresponding software CD and are available on the Juniper Networks Website.

Network and Security Manager 2010.4 API Guide

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verifyservice entitlement byproduct serial number,use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html

PART 1

NSM API

This part introducesthe Network and Security Manager(NSM) Application Programming Interface (API) with a brief overview, summary of the required client environment, list of the component APIs, and examples.

•

Overview on page 3

•

NSM API Operations on page 7

Network and Security Manager 2010.4 API Guide

CHAPTER 1

Overview

NSM API Features

This section provides general information about the Network and Security Manager (NSM) API.

•

NSM API Features on page 3

•

NSM API Authentication and Authorization on page 4

•

NSM API Error Handling on page 4

The NSM API provides programmatic access to NSM and enables third-party developers to create applications that leverage the power of NSM. The API supports Simple Object Access Protocol/Hypertext Transmission Protocol Secure (SOAP/HTTPS). The SOAP API is built on open standards such as SOAP and the Web Service Definition Language (WSDL) supported by a range of development tools. You can use a third-party SOAP development tool to generate programming language objects and stubs from the WSDL that specifies the message schema. Your application works with data in the format of generated objects; it sends and receives the data by invoking the methods of stubs.

The API provides a rich set of data models for devices and security policies. The models are published in the format of XML schema (XSD).

In this release, the NSM API provides the following features and functions:

•

Central policy management

•

NSM object management

•

NSM directives:

•

Import devices

•

Update device

•

Summarize delta configuration

•

Get running configuration

•

Retrieve device list per domain

Network and Security Manager 2010.4 API Guide

•

Retrieve high level device status

•

Retrieve log packet data

The CommonDataTypes.xsd file contains definitions of the data types described in this chapter.

For more information, see the NSM Release Notes, NSM Administration Guide, and NSM Online Help for client and server setup requirements.

This chapter contains the following sections:

NSM API Authentication and Authorization

Before the API can connect to the NSM server, a user must log into the NSM server using a user name, password, and domain name. This is analogous to the user sign in a regular GUI client. The application includes the authentication token in the subsequent API call requests to the NSM server.

NSM API Error Handling

If the API client encounters an error,either the client receives an error message or an exception is thrown. Two types of errors are possible.

•

Application-level errors result from problems with application-level data on the client side or on the server side.

•

The request is missing a required field. In this case, the request is not sent out from the client side.

•

The request is valid, but a problem occurred when NSM processed the data.

•

Infrastructure errors can occur on the client side or server side. The NSM application-level software does not catch this type of error, so exceptions are thrown by the API client code. The possible errors are:

•

NSM server is down

•

Problem with the client-side or server-side SOAP framework

•

Wrong server address

The NSM server catches all application-level errors and returns the error messages.

The result of a service request is either Success or Failure If a request fails, an error code and error message are returned as part of the response message.

Figure 1 on page 5 shows the basic structure of application-level errors returned by the NSM server. Table 4 on page 5 describes the frequently used ErrorType data type.

Figure 1: ErrorType Data Type

Chapter 1: Overview

Table 4: ErrorType Data Types

DescriptionData Type

ErrorType

These request errors (not infrastructure errors) are issued when the system encounters business data problems (for example, an invalid combination of arguments). This complexType data has the following sequence:

•

ErrorNumber = Unique number that identifies the particular error condition (type = unsignedInt). This data element is only used by the server.

•

ErrorMessage = Brief description of the condition that raised the error (type = string).

•

ErrorActor = The source (location) of the error (type = string).

•

ErrorDetails = Detailed error message (type = string).

Network and Security Manager 2010.4 API Guide

CHAPTER 2

NSM API Operations

The application programminginterface(API) defined byNSM isused toprovision policies, manage and monitor devices, and generate reports. The API has four parts:

•

System Service API on page 7

•

Data Centric Service API on page 8

•

Job Service API on page 11

•

Log Service API on page 13

System Service API

The API System Service processes log in, log out, and system information requests.Table 5 on page 7 summarizes the API data elements.

For information about the WSDL file defining the API, see “System Service API WSDL” on page 129 .

Table 5: System Service API Operations

DescriptionOperation

LoginRequest

Log into NSM server.

Request:

•

domainName = Domain supplied during login. The user logs in to this domain.

NOTE: Use global.<subdomain name> to log in to a subdomain and global to log in to a global domain.

•

userName = User name supplied during login.

•

password = Password supplied during login.

Response:

•

loginStatus = Uses LoginStatusCodeType to return:

“Success” if the login is successful.

“Failure” for login rejection.

“Challenge” if the login request is being challenged but not yet denied.

•

authToken =Token returned for login request success. This token is reused for other requests during the current session.

Network and Security Manager 2010.4 API Guide

Table 5: System Service API Operations (continued)

RespondToChallengeRequest

LogoutRequest

GetSystemInfoRequest

Data Centric Service API

Reuses the token received in LoginResponse to send a response to the challenge. Receives a token if the response is successful.

Request: Answer to the challenge question.

Response: Token received.

Logout from the system.

Request: none

Response: none

This operation retrieves system information (service list and all accessible domain IDs and names).

Request: serviceName

Response: serviceDesc, domain name and domain ID.

NOTE: When using the LoginRequest API, enter global.<subdomain name>

to log in to a particular subdomain. The login fails if just the subdomain name is used.

The Data Centric Service API provides access to the internal data of NSM. It receives incoming data access requests, retrieves the data from NSM, conducts any necessary transformations, and sends the transformed data back as responses. This section introduces the XML subtree filter used with the service and describes the Data Centric data elements.

NOTE: In the current release of NSM, write accessto the deviceobj and sysvpn

from the Data Centric Service is blocked to protect data integrity.

See “Data Centric API WSDL”on page 135 for a description of the API-definingWSDL file.

Data Centric Service XML Subtree Filter

The filter used in the Data Centric Service API is the XML subtree filter defined by NETCONF. Subtree filtering is a mechanism that allows an application to select particular XML subtrees from the configurations from the devices.

A subtree filter consists of zero or more element subtrees, which represent the filter selection criteria.

Five types of components may be present in a subtree filter:

•

Namespace selection

•

Attribute matching expressions

•

Containment nodes

•

Selection nodes

•

Content matching nodes

Only the first four are supported in the NSM API.

Data Centric Service Operations

Table 6 on page 9 summarizes Data Centric Service operations.

Table 6: Data Centric API Operations

GetObjectDependentRequest

Chapter 2: NSM API Operations

DescriptionOperations

Gets objects that refer to the object specified in the request.

Request:

GetObjectViewByCategoryRequest

•

objectIdentifier= Identifies the object to be retrieved (type = objectIdentifierType)

•

dbVersionId= Version of the database (type = unsignedInt)

•

objectFilter = Filter to be applied to the result (type = ObjectFilterType)

•

metadataOnly = Iftrue, only the metadata is returned. Otherwise, the entire object is returned.

Response: object

Gets objects in one category.

Request:

•

category = Schema name of the category (type = string)

•

domainId = Domain of the schema (type = unsignedShort)

•

dbVersionId= Version of the database (type = unsignedInt)

•

objectFilter = Filter to be applied to the result (type = ObjectFilterType)

•

view =Transformationof theobject. Forthe default view, the returnedobject follows the schema with no transformation (type = ViewType).

•

property = Transformation parameters (type = NameValueType).

Response: object

Network and Security Manager 2010.4 API Guide

Table 6: Data Centric API Operations (continued)

GetObjectViewByIdRequest

LockObjectRequest

UnlockObjectRequest

ModifyObjectViewRequest

Gets objects by ID.

Request:

•

objectIdentifier= Identifies the object to be retrieved (type = objectIdentifierType)

•

dbVersionId= Version of the database (type = unsignedInt)

•

objectFilter = Filter to be applied to the result (type = ObjectFilterType)

•

view =Transformationof theobject. Forthe default view, the returnedobject follows the schema with no transformation (type = ViewType).

•

property = Transformation parameters (type = NameValueType).

Response: object

Locks the specified object.

Request: objectIdentifier

Response: objectLockStatus

Unlocks the specified object.

Request: object

Response: objectLockStatus

Modifies the object. All commands in the request are executed in one transaction. ModifyObjectViewRequest supports the following operations:

•

Update Node

•

Insert node before / after

•

Append node

•

Insert Object

•

Replace Object

•

Delete Object

NOTE: You should lockthe object before modifying itand unlock it afterwards. The modification will fail if the object is locked by a different user session. However, a modification request without prior locking can run if the object is not locked by the others. Data corruption does not occur even if an API user forgets to lock an object before modifying it.

Request:

•

command =Command that modifiesthe object (type = ModifyCommand).

Response:

•

metadata

•

objectModification

•

subObjectModification

Table 6: Data Centric API Operations (continued)

Chapter 2: NSM API Operations

QueryObjectViewRequest

ResolveObjectReferenceRequest

Queries the object.

Request:

•

category = Schema name of the category (type = string).

•

simpleQuery = Query expression (type = SimpleQueryType).

•

dbVersionId= Version of the database (type = unsignedInt)

•

objectFilter = Filter to be applied to the result (type = ObjectFilterType)

•

view =Transformationof theobject. Forthe default view, the returnedobject follows the schema with no transformation (type = ViewType).

•

property = Transformation parameters (type = NameValueType).

Response:

•

queryId

•

object

Resolves the object reference.

Request:

•

objectReference = Object reference to be resolved (type = string)

•

dbVersionId= Version of the database (type = unsignedInt)

•

objectFilter = Filter to be applied to the result (type = ObjectFilterType)

Response: object

Job Service API

The Job Service API processes command directives to configure devices and display the results. Table 7 on page 11 summarizes the API operations.

See “Job Service API WSDL” on page 121 for the Web Service Description Language (WSDL) definition of the API.

Table 7: Job Service API Operations

UpdateDeviceRequest

DescriptionOperation

Request to update the device configuration.

Request: JobRequestType

•

jobName= Name of the job.

•

scheduleTime= Time when the job will run. If not specified, the job will run immediately.

•

jobArgs= List of the devices to which the job applies (type = JobArgsType).

Response: JobResponseType

•

status = Job status.

•

jobName = Name of the job.

•

response = Response to the job.

Network and Security Manager 2010.4 API Guide

Table 7: Job Service API Operations (continued)

DescriptionOperation

ImportDeviceRequest

GetConfigSummaryRequest

Request to import a device configuration from physical devices.

Request: JobRequestType

•

jobName= Name of the job.

•

scheduleTime= Time when the job will run. If not specified, the job will run immediately.

•

jobArgs= List of the devices to which the job applies.

Response: JobResponseType

•

status = Job status.

•

jobName = Name of the job.

•

response = Response to the job.

Requestfor asummary ofthe configuration currently running ona physical device.

Request: JobRequestType

•

jobName= Name of the job.

•

scheduleTime= Time when the job will run. If not specified, the job will run immediately.

•

jobArgs= List of the devices to which the job applies.

Response: JobResponseType

•

status = Job status.

•

jobName = Name of the job.

•

response = Response to the job.

GetRunningConfigRequest

Request for the configuration currently running on a physical device.

Request: JobRequestType

•

jobName= Name of the job.

•

scheduleTime= Time when the job will run. If not specified, the job will run immediately.

•

jobArgs= List of the devices to which the job applies.

Response: JobResponseType

•

status = Job status.

•

jobName = Name of the job.

•

response = Response to the job.

+ 140 hidden pages

Juniper NETWORK AND SECURITY MANAGER 2010.4 - API GUIDE REV 1, NETWORK AND SECURITY MANAGER 2010.4 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual