Rule
A rule indicates the action to be performed for various types of traffic flowing between workload groups.
Properties
| Required | Property Name | Type | Description |
|---|---|---|---|
| optional | _create_time | integer |
Timestamp of resource creation |
| optional | _create_user | string |
ID of the user who created this resource |
| optional | _last_modified_time | integer |
Timestamp of last modification |
| optional | _last_modified_user | string |
ID of the user who last modified this resource |
| optional | _links | array of ResourceLink |
The server will populate this field when returing the resource. Ignored on PUT and POST. |
| optional | _protection | string |
Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
| optional | _revision | integer |
The _revision property describes the current revision of the resource. To prevent clients from overwriting each other’s changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
| optional | _schema | string |
Schema for this resource |
| optional | _self | SelfResourceLink |
Link to this resource |
| optional | _system_owned | boolean |
Indicates system owned resource |
| optional | action | string |
The action to be applied to all the services |
| optional | children | array of ChildPolicyConfigResource |
subtree for this type within policy tree containing nested elements. |
| optional | description | string |
Description of this resource |
| optional | destination_groups | array of string |
We need paths as duplicate names may exist for groups under different domains.In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
| optional | destinations_excluded | boolean |
If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups |
| optional | direction | string |
Define direction of traffic. |
| optional | disabled | boolean |
Flag to disable the rule. Default is enabled. |
| optional | display_name | string |
Defaults to ID if not set |
| optional | id | string |
Unique identifier of this resource |
| optional | ip_protocol | string |
Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null. |
| optional | logged | boolean |
Flag to enable packet logging. Default is disabled. |
| optional | marked_for_delete | boolean |
Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects. |
| optional | notes | string |
Text for additional notes on changes. |
| optional | parent_path | string |
Path of its parent |
| optional | path | string |
Absolute path of this object |
| optional | profiles | array of string |
Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs. |
| optional | relative_path | string |
Path relative from its parent |
| optional | resource_type | string |
The type of this resource. |
| optional | scope | array of string |
The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs. |
| optional | sequence_number | integer |
This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number |
| optional | services | array of string |
In order to specify all services, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. |
| optional | source_groups | array of string |
We need paths as duplicate names may exist for groups under different domains. In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
| optional | sources_excluded | boolean |
If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups |
| optional | tag | string |
User level field which will be printed in CLI and packet logs. |
| optional | tags | array of Tag |
Opaque identifiers meaningful to the API user |
Property of
ChildRule
GatewayPolicy
RuleListResult
SecurityPolicy
Parameter To
Update Gateway Policy Rule
Revise Gateway Policy Rule
Create Security Policy Rule
Update Security Policy Rule
Revise Security Policy Rule
Create Or Replace Gateway Policy Rule
Returned By
Get Gateway Policy Rule
Create Or Replace Gateway Policy Rule
Revise Gateway Policy Rule
Get Security Policy Rule
Create Security Policy Rule
Revise Security Policy Rule
Extends
BaseRule
JSON Example
{
"_create_time": 0,
"_create_user": "string",
"_last_modified_time": 0,
"_last_modified_user": "string",
"_links": [
{
"action": "string",
"href": "string",
"rel": "string"
}
],
"_protection": "string",
"_revision": 0,
"_schema": "string",
"_self": {
"action": "string",
"href": "string",
"rel": "string"
},
"_system_owned": false,
"action": "string",
"children": [
{
"_create_time": 0,
"_create_user": "string",
"_last_modified_time": 0,
"_last_modified_user": "string",
"_links": [
{
"action": "string",
"href": "string",
"rel": "string"
}
],
"_protection": "string",
"_revision": 0,
"_schema": "string",
"_self": {
"action": "string",
"href": "string",
"rel": "string"
},
"_system_owned": false,
"description": "string",
"display_name": "string",
"id": "string",
"marked_for_delete": false,
"resource_type": "string",
"tags": [
{
"scope": "string",
"tag": "string"
}
]
}
],
"description": "string",
"destination_groups": [
"string"
],
"destinations_excluded": false,
"direction": "string",
"disabled": false,
"display_name": "string",
"id": "string",
"ip_protocol": "string",
"logged": false,
"marked_for_delete": false,
"notes": "string",
"parent_path": "string",
"path": "string",
"profiles": [
"string"
],
"relative_path": "string",
"resource_type": "string",
"scope": [
"string"
],
"sequence_number": 0,
"services": [
"string"
],
"source_groups": [
"string"
],
"sources_excluded": false,
"tag": "string",
"tags": [
{
"scope": "string",
"tag": "string"
}
]
}
