conf/zxtms
The conf/zxtms directory contains a configuration file for each traffic manager in your cluster. The name of each file is the hostname of the traffic manager it represents. These files contain host-specific configuration data. On each installation of the software, the conf/../global.cfg file is sym-linked to the host's own configuration in the conf/zxtms directory. The files may contain a variety of configuration options, which are set in various locations under the System section of the Admin Server UI and the System section of the SOAP API and CLI.
Key |
Description |
admin!hsts_enable |
Whether or not HSTS (RFC 6797) is enabled for admin server connections. Value type: Yes / No Default value: "No" |
admin!hsts_max_age |
The number of seconds to which the HSTS header field max-age will be set. Value type: unsigned integer Default value: "31536000" |
adminMasterXMLIP |
The Application Firewall master XML IP. Value type: string Default value: "0.0.0.0" |
adminMasterXMLPort |
The Application Firewall XML Master port. This port is used on all IP addresses. Value type: unsigned integer Default value: "0" |
adminServerPort |
The Application Firewall Administration Server port. This port is only open on localhost. Value type: unsigned integer Default value: "0" |
adminSlaveXMLIP |
The Application Firewall slave XML IP. Value type: string Default value: "0.0.0.0" |
adminSlaveXMLPort |
The Application Firewall XML Slave port. This port is used on all IP addresses. Value type: unsigned integer Default value: "0" |
aod-magic-fixed-decider-base-port |
The base port from which the Application Firewall decider processes should run. Ports will be used sequentially above this for each additional decider process that runs. Value type: unsigned integer Default value: "0" |
appliance!card!*!interfaces |
The order of the interfaces of a network card. Value type: list Default value: <none> |
appliance!card!*!label |
The labels of the installed network cards. Value type: string Default value: <none> |
appliance!disable_kpti |
Whether the traffic manager appliance should run without kernel page table isolation (KPTI). KPTI provides protection to prevent unprivileged software from being potentially able to read arbitrary memory from the kernel (i.e. the Meltdown attack, CVE-2017-5754); however this protection incurs a general system performance penalty. If you are running trusted software on the appliance, and the trade-off between performance at the cost of 'defense in depth' favors the former in your deployment, you may wish to enable this configuration key. If you are unsure, it is recommended that you leave this key disabled, which is also the default. Value type: Yes / No Default value: "No" |
appliance!dnscache |
The DNS cache setting the appliance should use and place in /etc/systemd/resolved.conf. Value type: Yes / No Default value: "Yes" |
appliance!dnssec |
The DNSSEC setting the appliance should use and place in /etc/systemd/resolved.conf. Value type: enumeration Default value: "no" Permitted values: yes: DNSSEC enabled no: DNSSEC disabled allow_downgrade: Use DNSSEC when available |
appliance!gateway |
The default gateway. Value type: string Default value: <none> |
appliance!gateway6 |
The default IPv6 gateway. Value type: string Default value: <none> |
appliance!hostname |
Name (hostname.domainname) of the appliance. Value type: string Default value: <none> |
appliance!hosts!* |
Static host name entries to be placed in the /etc/hosts file. The * (asterisk) in the key name is the host name, the value is the IP address. Value type: string Default value: <none> |
appliance!if!*!autoneg |
Enable or disable auto-negotiation for an interface. The interface name is used in place of the * (asterisk). Value type: Yes / No Default value: <none> |
appliance!if!*!duplex |
Enable or disable full-duplex for an interface. The interface name is used in place of the * (asterisk). Value type: Yes / No Default value: <none> |
appliance!if!*!mode |
Set the configuration mode of an interface. The interface name is used in place of the * (asterisk). Value type: enumeration Default value: <none> Permitted values: Static: Static DHCP: DHCP |
appliance!if!*!mtu |
Set the maximum transmission unit (MTU) of the interface. Value type: unsigned integer Default value: <none> |
appliance!if!*!speed |
Set the speed of an interface. The interface name is used in place of the * (asterisk). Value type: enumeration Default value: <none> Permitted values: 10: 10Mbs 100: 100Mbs 1000: 1Gbs 10000: 10Gbs 40000: 40Gbs 100000: 100Gbs |
appliance!ip!*!addr |
Set the IP address for the interface. The interface name is used in place of the * (asterisk). Value type: string Default value: <none> |
appliance!ip!*!isexternal |
Set whether an interface is externally or internally facing. The interface name is used in place of the * (asterisk). Value type: Yes / No Default value: <none> |
appliance!ip!*!mask |
Set the IP mask (netmask) for an interface. The interface name is used in place of the * (asterisk). Value type: string Default value: <none> |
appliance!ipmi!lan!access |
Whether IPMI LAN access should be enabled or not. Value type: Yes / No Default value: "No" |
appliance!ipmi!lan!addr |
The IP address of the appliance IPMI LAN channel. Value type: string Default value: <none> |
appliance!ipmi!lan!gateway |
The default gateway of the IPMI LAN channel. Value type: string Default value: "0.0.0.0" |
appliance!ipmi!lan!ipsrc |
The addressing mode the IPMI LAN channel operates. Value type: enumeration Default value: "static" Permitted values: static: Static IP Address dhcp: Address obtained by DHCP |
appliance!ipmi!lan!mask |
Set the IP netmask for the IPMI LAN channel. Value type: string Default value: <none> |
appliance!ipv4_forwarding |
Whether or not IPv4 forwarding is enabled. Value type: Yes / No Default value: "No" |
appliance!ipv6_forwarding |
Whether or not IPv6 forwarding is enabled. Value type: Yes / No Default value: "No" |
appliance!licence_agreed |
Whether or not the license agreement has been accepted. This determines whether or not the Initial Configuration wizard is displayed. Value type: Yes / No Default value: "No" |
appliance!manageazureroutes |
Whether or not the software manages the Azure policy routing. Value type: Yes / No Default value: "Yes" |
appliance!managebootloader |
Whether or not the software manages the system bootloader's password. Value type: Yes / No Default value: "Yes" |
appliance!managecron |
Whether or not the software manages the system's cronjobs to ensure they are running as the correct user. Value type: Yes / No Default value: "Yes" |
appliance!manageec2conf |
Whether or not the software manages the EC2 config. Value type: Yes / No Default value: "Yes" |
appliance!managegateway |
Whether or not the software manages the system's gateway configuration. Value type: Yes / No Default value: "Yes" |
appliance!managegceroutes |
Whether or not the software manages the GCE routing. Value type: Yes / No Default value: "Yes" |
appliance!managehostname |
Whether or not the software manages the system's hostname. Value type: Yes / No Default value: "Yes" |
appliance!managehosts |
Whether or not the software manages the system's /etc/hosts file. Value type: Yes / No Default value: "Yes" |
appliance!manageif |
Whether or not the software manages the system's network interfaces. Value type: Yes / No Default value: "Yes" |
appliance!manageip |
Whether or not the software manages the system's IP addresses. Value type: Yes / No Default value: "Yes" |
appliance!manageipmi |
Whether or not the software manages the system's IPMI configuration. Value type: Yes / No Default value: "Yes" |
appliance!manageiptrans |
Whether or not the software manages the IP transparency. Value type: Yes / No Default value: "Yes" |
appliance!managenat |
Whether or not the software manages the system's NAT configuration. Value type: Yes / No Default value: "Yes" |
appliance!managentpservers |
Whether or not the software manages which NTP servers the system uses. Value type: Yes / No Default value: "Yes" |
appliance!managereservedports |
Whether or not the software manages the system configuration for reserved ports. Value type: Yes / No Default value: "Yes" |
appliance!manageresolver |
Whether or not the software manages the system's name resolution (i.e. the /etc/systemd/resolved.conf file). Value type: Yes / No Default value: "Yes" |
appliance!managereturnpath |
Whether or not the software manages return path routing. If disabled, the appliance won't modify iptables / rules / routes for this feature. Value type: Yes / No Default value: "Yes" |
appliance!manageroute |
Whether or not the software manages the system's routing tables. Value type: Yes / No Default value: "Yes" |
appliance!manageservices |
Whether or not the software manages the system services. Value type: Yes / No Default value: "Yes" |
appliance!managesnmp |
Whether or not the software manages a system net-snmp service as a proxy to the internal SNMP service. Value type: Yes / No Default value: "Yes" |
appliance!managessh |
Whether or not the software manages the system's SSH server settings. Value type: Yes / No Default value: "Yes" |
appliance!managetimezone |
Whether or not the software manages the system's timezone setting. Value type: Yes / No Default value: "Yes" |
appliance!manageusers |
Whether or not the software manages system users. If enabled then users in the software's 'admin' group will be able to log into the system as a local 'admin' user with root privileges and the local 'root' user will have its password kept in sync with the software's 'admin' user. Value type: Yes / No Default value: "Yes" |
appliance!managevpcconf |
Whether or not the software manages the EC2-VPC secondary IPs. Value type: Yes / No Default value: "Yes" |
appliance!nameservers |
The IP addresses of the nameservers the appliance should use and place in /etc/systemd/resolved.conf. Value type: string Default value: <none> |
appliance!ntpservers |
The NTP servers the appliance should use to synchronize its clock. Value type: string Default value: "0.zeus.pool.ntp.org 1.zeus.pool.ntp.org 2.zeus.pool.ntp.org 3.zeus.pool.ntp.org" |
appliance!routes!*!gw |
One of the keys used to specify a route. The IP of the route destination is used in place of the * (asterisk) and the value is the gateway IP to configure for the route. See also appliance!routes!mask and appliance!routes!if. Value type: string Default value: <none> |
appliance!routes!*!if |
One of the keys used to specify a route. The IP of the route destination is used in place of the * (asterisk) and the value is the network interface to configure for the route. See also appliance!routes!mask and appliance!routes!gw. Value type: string Default value: <none> |
appliance!routes!*!mask |
One of the keys used to specify a route. The IP of the route destination is used in place of the * (asterisk) and the value is the netmask to apply to the IP. See also appliance!routes!gw and appliance!routes!if. Value type: string Default value: <none> |
appliance!searchdomains |
The search domains the appliance should use and place in /etc/systemd/resolved.conf. Value type: string Default value: <none> |
appliance!ssh!enabled |
Whether or not the SSH server is enabled on the appliance. Value type: Yes / No Default value: "Yes" |
appliance!ssh!passwordallowed |
Whether or not the SSH server allows password based login. Value type: Yes / No Default value: "Yes" |
appliance!ssh!port |
The port that the SSH server should listen on. Value type: unsigned integer Default value: "22" |
appliance!timezone |
The timezone the appliance should use. This must be a path to a timezone file that exists under /usr/share/zoneinfo/. Value type: string Default value: "US/Pacific" |
appliance!vlans |
The VLANs the software should raise. A VLAN should be configured using the format <dev>.<vlanid>, where <dev> is the name of a network device that exists in the host system, eth0.100 for example. Value type: list Default value: <none> |
authenticationServerIP |
The Application Firewall Authentication Server IP. Value type: string Default value: "0.0.0.0" |
cloud_platform |
Cloud platform where the traffic manager is running. Value type: string Default value: <none> |
control!bindip |
The IP address that the software should bind to for internal administration communications. See also controlport. If the software is not part of a cluster, the default is to use 127.0.0.1 and there should be no reason to touch this setting. If the software is part of a cluster, the default is to listen on all raised IPs; in this case an alternative configuration is to listen on a single IP address. This may be useful if you have a separate management network and wish to restrict control messages to it. It is important to ensure that the controlallow setting (in the conf/settings.cfg file) is compatible with the IP configured here. Value type: string Default value: "*" |
control!canupdate |
Whether or not this instance of the software can send configuration updates to other members of the cluster. When not clustered this key is ignored. When clustered the value can only be changed by another machine in the cluster that has control!update set to Yes. If set to No then it will not be possible to log into the admin server for this instance. Value type: Yes / No Default value: "Yes" |
controlport |
The port that the software should listen on for internal administration communications. See also control!bindip. Value type: unsigned integer Default value: "9080" |
decisionServerPortBase |
The Application Firewall internal communication base port. The Application Firewall will use ports sequentially above this for internal communication. These ports are bound only to localhost. Value type: unsigned integer Default value: "10000" |
ec2!trafficips!public_enis |
List of MAC addresses of interfaces which the traffic manager can use to associate the EC2 elastic IPs (Traffic IPs) to the instance. Value type: list Default value: <none> |
externalip |
This is the optional external IP address of the traffic manager, which is used to circumvent NAT when traffic managers in a cluster span different networks. Value type: string Default value: <none> |
flipper!bgp_router_id |
The BGP router ID. If set to empty, then the IPv4 address used to communicate with the default IPv4 gateway is used instead. Specifying 0.0.0.0 will stop the traffic manager routing software from running the BGP protocol. Value type: string Default value: <none> |
flipper!ospfv2_ip |
The traffic manager's permanent IPv4 address which the routing software will use for peering and transit traffic, and as its OSPF router ID. If set to empty, then the address used to communicate with the default IPv4 gateway is used instead. Specifying 0.0.0.0 will stop the traffic manager routing software from running the OSPF protocol. Value type: string Default value: <none> |
flipper!ospfv2_neighbor_addrs |
The IP addresses of routers which are expected to be found as OSPFv2 neighbors of the traffic manager. A warning will be reported if some of the expected routers are not peered, and an error will be reported if none of the expected routers are peered. An empty list disables monitoring. The special value %gateway% is a placeholder for the default gateway. Value type: list Default value: "%gateway%" |
gid |
The group ID that the software's worker processes will run as. For example, on typical Linux installations this could be set to 65534 for the unprivileged "nobody" group. Value type: string Default value: <none> |
iptables!config_enabled |
Whether the Traffic Manager should configure the iptables built-in chains to call Traffic Manager defined rules (e.g. the IP transparency chain). This should only be disabled in case of conflict with other software that manages iptables, e.g. firewalls. When disabled, you will need to add rules manually to use these features - see the user manual for details. Value type: Yes / No Default value: "Yes" |
iptrans!fwmark |
The netfilter forwarding mark to use for IP transparency rules. Value type: unsigned integer Default value: "320" |
iptrans!iptables_enabled |
Whether IP transparency may be used via netfilter/iptables. This requires the iptables socket extension. Value type: Yes / No Default value: "Yes" |
iptrans!routing_table |
The special routing table ID to use for IP transparency rules. Value type: unsigned integer Default value: "320" |
java!port |
The port the Java Extension handler process should listen on. This port will be bound for localhost communications only. Value type: unsigned integer Default value: "9060" |
location |
This is the location that the local traffic manager is in. Value type: string Default value: <none> |
nameip |
Replace Traffic Manager name with an IP address. Value type: string Default value: <none> |
num_aptimizer_threads |
How many worker threads the Web Accelerator process should create to optimise content. By default, one thread will be created for each CPU on the system. Value type: unsigned integer Default value: "0" |
num_children |
The number of worker processes the software will run. By default, one child process will be created for each CPU on the system. You may wish to reduce this to effectively "reserve" CPU(s) for other processes running on the host system. Value type: unsigned integer Default value: "0" |
numberOfCPUs |
The number of Application Firewall decider processes to run. Value type: unsigned integer Default value: "0" |
remote_licensing!email_address |
The e-mail address sent as part of a remote licensing request. Value type: string Default value: <none> |
remote_licensing!message |
A free-text field sent as part of a remote licensing request. Value type: string Default value: <none> |
rest!bindips |
A list of IP addresses which the REST API will listen on for connections. The list should contain IP addresses (IPv4 or IPv6) or a single entry containing an asterisk (*). The asterisk indicates that the REST API should listen on all IP addresses. Value type: list Default value: "*" |
rest!port |
The port on which the REST API should listen for requests. Value type: unsigned integer Default value: "9070" |
restServerPort |
The Application Firewall REST Internal API port. This port should not be accessed directly. Value type: unsigned integer Default value: "0" |
snmp!allow |
Restrict which IP addresses can access the SNMP command responder service. The value can be all, localhost, or a list of IP CIDR subnet masks. For example 10.100.0.0/16 would allow connections from any IP address beginning with 10.100. Value type: list Default value: "all" |
snmp!auth_password |
The authentication password. Required (minimum length 8 bytes) if snmp!security_level includes authentication. Requires: snmp!security_level is set to "authNoPriv" Value type: password Default value: <none> |
snmp!bindip |
The IP address the SNMP service should bind its listen port to. The value * (asterisk) means SNMP will listen on all IP addresses. Value type: string Default value: "*" |
snmp!community |
The community string required for SNMPv1 and SNMPv2c commands. (If empty, all SNMPv1 and SNMPv2c commands will be rejected). Value type: string Default value: "public" |
snmp!enabled |
Whether or not the SNMP command responder service should be enabled on this traffic manager. Value type: Yes / No Default value: "No" |
snmp!hash_alg |
The hash algorithm for authenticated SNMPv3 communications. Requires: snmp!security_level is set to "authNoPriv" Value type: enumeration Default value: "md5" Permitted values: md5: MD5 sha1: SHA-1 |
snmp!port |
The port the SNMP command responder service should listen on. The value default denotes port 161 if the software is running with root privileges, and 1161 otherwise. Value type: string Default value: "default" |
snmp!priv_password |
The privacy password. Required (minimum length 8 bytes) if snmp!security_level includes privacy (message encryption). Requires: snmp!security_level is set to "authPriv" Value type: password Default value: <none> |
snmp!security_level |
The security level for SNMPv3 communications. Value type: enumeration Default value: "noAuthNoPriv" Permitted values: noAuthNoPriv: No Authentication, No Privacy authNoPriv: Authentication only authPriv: Authentication and Privacy |
snmp!username |
The username required for SNMPv3 commands. (If empty, all SNMPv3 commands will be rejected). Value type: string Default value: <none> |
trafficip!*!networks |
A configuration of networks keyed by interface, used by flipper to choose an interface to raise a Traffic IP on. Value type: list Default value: <none> |
uid |
The user ID that the software's worker processes will run as. For example, on typical Linux installations this could be set to 65534 for the unprivileged "nobody" user. Value type: string Default value: <none> |
updateControlCenterPort |
The Application Firewall Updater GUI Backend Port. This port is used on localhost only. Value type: unsigned integer Default value: "0" |
updateExternControlCenterPort |
The Application Firewall Updater External Control Center Port. This port is used on localhost only. Value type: unsigned integer Default value: "8091" |
updateGUIServerPort |
The Application Firewall Updater GUI Server Port. This port is used on localhost only. Value type: unsigned integer Default value: "0" |
updaterIP |
The Application Firewall Updater IP. Value type: string Default value: "0.0.0.0" |
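Several defaults in this table leave management services weaker than most deployments want, and a key that is absent from a host's file silently takes its default. The following audit script is an added example, not part of the product or its documentation; it assumes each line of a conf/zxtms file is a key followed by whitespace and a value, with "#" starting a comment, and the function names and sample file are constructed for illustration.

```python
# Added example: audit one conf/zxtms/<hostname> file for weak settings.
# ASSUMPTION: one "key<whitespace>value" pair per line; "#" starts a comment.

# Defaults copied from the table above; a key absent from the file takes its default.
DEFAULTS = {
    "admin!hsts_enable": "No",
    "appliance!disable_kpti": "No",
    "appliance!ssh!enabled": "Yes",
    "appliance!ssh!passwordallowed": "Yes",
    "appliance!ipmi!lan!access": "No",
    "control!bindip": "*",
    "rest!bindips": "*",
    "snmp!enabled": "No",
    "snmp!allow": "all",
    "snmp!community": "public",
    "snmp!security_level": "noAuthNoPriv",
    "snmp!hash_alg": "md5",
}

def parse(text):
    """Return {key: value} for every non-comment line."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            cfg[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return cfg

def audit(text):
    """Return [(key, effective value, reason)] for settings worth reviewing."""
    cfg = {**DEFAULTS, **parse(text)}
    on = lambda key: cfg[key].lower() == "yes"
    checks = [
        ("admin!hsts_enable", not on("admin!hsts_enable"),
         "admin server does not send HSTS"),
        ("appliance!disable_kpti", on("appliance!disable_kpti"),
         "KPTI (Meltdown mitigation) is switched off"),
        ("appliance!ssh!passwordallowed",
         on("appliance!ssh!enabled") and on("appliance!ssh!passwordallowed"),
         "SSH accepts password logins"),
        ("appliance!ipmi!lan!access", on("appliance!ipmi!lan!access"),
         "IPMI is reachable over the LAN"),
        ("control!bindip", cfg["control!bindip"] == "*",
         "control port not pinned to a management IP"),
        ("rest!bindips", "*" in cfg["rest!bindips"].split(),
         "REST API listens on all IP addresses"),
    ]
    if on("snmp!enabled"):  # SNMP keys only matter once the service is enabled
        level = cfg["snmp!security_level"]
        checks += [
            ("snmp!allow", cfg["snmp!allow"] == "all", "SNMP open to any source IP"),
            ("snmp!community", cfg["snmp!community"] == "public",
             "default SNMPv1/v2c community string"),
            ("snmp!security_level", level != "authPriv",
             "SNMPv3 without authentication and privacy"),
            ("snmp!hash_alg", level != "noAuthNoPriv" and cfg["snmp!hash_alg"] == "md5",
             "SNMPv3 authentication uses MD5"),
        ]
    return [(key, cfg[key], why) for key, hit, why in checks if hit]

# Constructed sample file, not taken from a real host.
SAMPLE = """\
# conf/zxtms/tm1.example.com
admin!hsts_enable Yes
appliance!ssh!passwordallowed No
snmp!enabled Yes
snmp!security_level authNoPriv
snmp!allow 10.100.0.0/16
"""

if __name__ == "__main__":
    for key, value, why in audit(SAMPLE):
        print(f"{key} = {value!r}: {why}")
```

The sample never sets snmp!community or snmp!hash_alg, yet both are reported, because enabling SNMP activates the documented defaults of "public" and "md5".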