Parameters (type, choices and default in parentheses; nested options are indented under their parent):

ca_path (string)
    Path to the CA bundle used to verify the NSX manager's SSL certificate. Use it together with validate_certs when the manager's certificate is issued by a private CA.

category (string; choices: Emergency, SystemRules, SharedPreRules, LocalGatewayRules, AutoServiceRules, Default; default: Default)
    The Policy Framework for the Edge Firewall provides six pre-defined categories, in order of rule priority: "Emergency", "SystemRules", "SharedPreRules", "LocalGatewayRules", "AutoServiceRules" and "Default". All categories are allowed for Gateway Policies that belong to the 'default' Domain; for user-created domains the category is restricted to "SharedPreRules" or "LocalGatewayRules". Users can add, modify or delete rules only in the "SharedPreRules" and "LocalGatewayRules" categories. If no category is specified, "Default" is used. "SystemRules" is the system-generated category used by NSX-created rules (for example BFD rules); "AutoServiceRules" is the autoplumbed category used by NSX verticals to autoplumb data-path rules; "Default" holds the placeholder default rules and has the lowest priority. For policies whose rules you intend to manage, choose "SharedPreRules" or "LocalGatewayRules" explicitly, since those are the only categories users can edit.

comments (string)
    Comment recorded when the security policy is locked or unlocked (see locked).

description (string)
    Gateway Policy description.

display_name (string)
    Display name. If id is not specified, display_name is used as the resource ID.

hostname (string, required)
    Hostname of the deployed NSX manager.

id (string)
    The ID of the Gateway Policy.

locked (boolean)
    Whether the security policy should be locked. While a policy is locked by one user, no other user can modify it; once that user releases the lock, other users can update the policy again. A later run of this module against a locked policy therefore has to authenticate as the user holding the lock, or release the lock first.

nsx_cert_path (string)
    Path to the certificate created for the Principal Identity that performs the CRUD operations. Certificate-based (Principal Identity) authentication is used instead of username/password.

nsx_key_path (string)
    Path to the private key belonging to the Principal Identity certificate given in nsx_cert_path. Must be specified if nsx_cert_path is specified. Keep the key file readable only by the user that runs Ansible.

password (string)
    The password used to authenticate with the NSX manager. Must be specified if username is specified. Supply it from Ansible Vault or an environment variable rather than as a literal in the playbook.

request_headers (dictionary)
    Additional HTTP request headers sent to the host with every request.

rules (list)
    Rules that are part of this GatewayPolicy. Each element is a dictionary with the following keys:

    action (string; choices: ALLOW, DROP, REJECT)
        The action applied to traffic matching the rule's services. DROP discards the packet silently; REJECT discards it and notifies the sender (for example with a TCP RST).

    description (string)
        Description of this rule.

    destination_groups (list, required)
        Destination group paths.

    destinations_excluded (boolean)
        Negate the destination groups. If true, the rule applies to all traffic whose destination is NOT in destination_groups; if false, it applies to the listed destination groups.

    direction (string)
        Direction of the traffic that the rule matches.

    disabled (boolean)
        Flag to disable the rule. A disabled rule stays in the policy but is not enforced.

    display_name (string)
        Identifier used when displaying the rule in logs or the GUI. Defaults to id if not set.

    id (string, required)
        Unique identifier of this rule.

    ip_protocol (string; choices: IPV4, IPV6, IPV4_IPV6)
        Type of IP packet matched while enforcing the rule. For a Layer 3 rule the value defaults to IPV4_IPV6 if not specified; for a Layer 2 (Ethernet) rule the value must be null.

    logged (boolean)
        Flag to enable packet logging for this rule. Disabled by default. Enable it on deny rules so that dropped or rejected traffic appears in the firewall packet log together with the rule's tag.

    notes (string)
        Free text for additional notes on changes.

    profiles (list)
        Layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (for example L4 AppId, encryption algorithm or domain name) as key/value pairs.

    scope (list)
        The list of policy paths (logical router, Edge, Tier-0, Tier-1, logical router port, etc.) on which the rule is applied. A rule can be applied to multiple routers or router ports.

    sequence_number (integer)
        Sequence number of this rule within the policy; rules are evaluated in ascending order.

    service_entries (list of dictionaries)
        Raw services. Use this to specify services inline, in addition to services, which holds paths to existing service objects. May be empty or null.

    services (list, required)
        Paths of services. To match all services use the constant "ANY" (case insensitive). If "ANY" is used it must be the ONLY element of the list; an error is raised when ANY is combined with other values.

    source_groups (list, required)
        Source group paths.

    sources_excluded (boolean)
        Negate the source groups. If true, the rule applies to all traffic whose source is NOT in source_groups; if false, it applies to the listed source groups.

    tag (string)
        Tag applied to the rule. A user-level field printed in the CLI and in packet logs, which makes it the handle for correlating log lines with the rule that produced them.

    tags (list of dictionaries)
        Opaque identifiers meaningful to the API user. Each element has the following keys:

        scope (string)
            Tag scope.

        tag (string)
            Tag value.

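The playbook below is an added example, not part of this module's documentation, showing how the rule options above combine into an ordered gateway policy: explicit sequence numbers at policy and rule level, "ANY" used on its own in services, source negation with sources_excluded, and a logged default-deny rule as the last entry. It assumes the module is invoked as nsxt_policy_gateway_policy (the module name is not stated on this page), that the direction values IN/OUT/IN_OUT and the use of ANY in source_groups/destination_groups are taken from the NSX Policy API, and that the group, service and Tier-0 paths are placeholders for objects that already exist in the target environment.

```yaml
# Added example, not the module's own documentation. Assumed: module name
# nsxt_policy_gateway_policy, NSX Policy API direction values (IN/OUT/IN_OUT),
# ANY accepted in source_groups/destination_groups, and placeholder paths.
- name: Ordered edge firewall policy for the shared Tier-0
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Apply ingress policy to Tier-0 "edge-t0"
      nsxt_policy_gateway_policy:
        hostname: "{{ nsx_manager }}"
        username: "{{ nsx_user }}"
        password: "{{ nsx_pass }}"          # from Ansible Vault, never a literal
        validate_certs: true
        ca_path: /etc/ssl/certs/corp-root-ca.pem
        state: present
        id: edge-t0-ingress
        display_name: edge-t0-ingress
        description: Ingress rules for the shared Tier-0 (managed by Ansible)
        category: LocalGatewayRules        # a category users are allowed to edit
        sequence_number: 100               # unique per policy; equal numbers are unordered
        stateful: true
        tcp_strict: true                   # only valid together with stateful: true
        locked: true
        comments: Locked by automation; release the lock before manual edits
        rules:
          # Rules are evaluated in ascending sequence_number; the first match wins.
          - id: allow-https-to-web
            display_name: allow-https-to-web
            sequence_number: 10
            action: ALLOW
            direction: IN
            ip_protocol: IPV4_IPV6
            source_groups:
              - ANY
            destination_groups:
              - /infra/domains/default/groups/web-servers
            services:
              - /infra/services/HTTPS
            scope:
              - /infra/tier-0s/edge-t0
            logged: false
            tag: allow-https-to-web

          # Negation: sources_excluded inverts source_groups, so this rule
          # rejects SSH to management interfaces from everything that is NOT
          # a jump host.
          - id: reject-mgmt-not-from-jumphosts
            display_name: reject-mgmt-not-from-jumphosts
            sequence_number: 20
            action: REJECT
            direction: IN
            source_groups:
              - /infra/domains/default/groups/admin-jump-hosts
            sources_excluded: true
            destination_groups:
              - /infra/domains/default/groups/mgmt-interfaces
            services:
              - /infra/services/SSH
            scope:
              - /infra/tier-0s/edge-t0
            logged: true
            tag: reject-mgmt

          # Default deny: ANY must be the only element of services. Logging is
          # on so every drop reaches the packet log carrying the rule's tag.
          - id: default-deny-in
            display_name: default-deny-in
            sequence_number: 1000
            action: DROP
            direction: IN
            source_groups:
              - ANY
            destination_groups:
              - ANY
            services:
              - ANY
            scope:
              - /infra/tier-0s/edge-t0
            logged: true
            tag: default-deny-in
```

Because the policy-level sequence_number is set explicitly, repeated runs are idempotent and the ordering does not depend on the action=revise renumbering described under the policy-level sequence_number parameter. Grep the packet log for the tag values (reject-mgmt, default-deny-in) to confirm which rule handled a given flow.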
scheduler_path (string)
    Path to the scheduler used for time-based scheduling. Provides a mechanism to apply the rules in this policy only during a specified time window.

scope (list)
    The list of paths on which the rules in this policy are applied. This policy-level scope takes precedence over the rule-level scope. Supported only for security and redirection policies; for a RedirectionPolicy it is expected only when the policy is north-south and redirects to a service chain.

sequence_number (integer)
    Sequence number used to resolve conflicts between security policies across Domains.
    To change the sequence number of an existing policy, send a POST request to the policy entity with the query parameter action=revise; the sequence_number field then reflects the value computed by that request. When an administrator uses a template to update several security policies, the only way to set the sequence number is to specify it explicitly for each policy.
    If no sequence number is specified in the payload, 0 is assigned by default. Policies that share a sequence number have no deterministic order; to obtain a specific order, either assign unique sequence numbers or use the action=revise POST request to let the framework assign one.

state (required)
    Either 'present' or 'absent'. 'present' creates or updates the resource; 'absent' deletes it.

stateful (boolean)
    Stateful or stateless nature of the entries within this security policy. The setting is enforced on all rules in the policy: when stateful, the state of network connections is tracked and stateful packet inspection is performed. Layer 3 security policies can be stateful or stateless and are stateful by default; Layer 2 security policies can only be stateless.

tags (dictionary)
    Opaque identifiers meaningful to the API user, with the following keys:

    scope (string, required)
        Tag scope.

    tag (string, required)
        Tag value.

tcp_strict (boolean)
    Enforce a strict TCP handshake before allowing data packets: a three-way TCP handshake must complete before data packets are passed, so mid-stream segments that belong to no tracked connection are dropped. tcp_strict=true is supported only for stateful security policies.

username (string)
    The username used to authenticate with the NSX manager. Not needed when authenticating with a Principal Identity certificate through nsx_cert_path and nsx_key_path.

validate_certs (boolean)
    Enable verification of the NSX manager's server certificate. Keep it enabled and point ca_path at the issuing CA bundle rather than turning verification off; with verification disabled, an on-path attacker can impersonate the manager, capture the password and tamper with the responses the module acts on.

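As an added example that is not part of this module's documentation, the play below authenticates with a Principal Identity certificate instead of a username and password, keeps server certificate verification on with a private CA bundle, shares those connection settings between tasks with a YAML anchor, and finally removes a retired policy with state: absent. The module name nsxt_policy_gateway_policy, the certificate, key and CA bundle paths, the direction value IN_OUT (from the NSX Policy API) and all policy and group IDs are assumptions.

```yaml
# Added example, not the module's own documentation. Assumed: module name
# nsxt_policy_gateway_policy; certificate, key and CA bundle paths; policy,
# group and Tier-0 identifiers; direction value IN_OUT from the NSX Policy API.
- name: Certificate-authenticated gateway policy management
  hosts: localhost
  gather_facts: false
  vars:
    nsx_conn: &nsx_conn
      hostname: nsx-mgr.example.internal
      # Principal Identity auth: no password travels to the manager. The key
      # file must be readable only by the Ansible user (mode 0600).
      nsx_cert_path: /etc/ansible/pi/nsx-automation.crt
      nsx_key_path: /etc/ansible/pi/nsx-automation.key
      # Verify the manager against the internal CA. Do not "fix" a trust
      # error with validate_certs: false; fix ca_path instead.
      validate_certs: true
      ca_path: /etc/ssl/certs/corp-root-ca.pem
  tasks:
    - name: Ensure the shared blocklist policy exists
      nsxt_policy_gateway_policy:
        <<: *nsx_conn
        state: present
        id: shared-blocklist
        display_name: shared-blocklist
        category: SharedPreRules           # user-editable, evaluated before local rules
        sequence_number: 10
        stateful: true
        rules:
          - id: drop-known-bad
            display_name: drop-known-bad
            sequence_number: 1
            action: DROP
            direction: IN_OUT
            source_groups:
              - /infra/domains/default/groups/known-bad-ips
            destination_groups:
              - ANY
            services:
              - ANY
            scope:
              - /infra/tier-0s/edge-t0
            logged: true
            tag: drop-known-bad

    - name: Remove a retired policy by ID
      nsxt_policy_gateway_policy:
        <<: *nsx_conn
        state: absent
        id: legacy-ingress
```

Using the anchor keeps the TLS and credential settings in one place, so a later task cannot silently drop validate_certs or fall back to a password. Run the play with an account that only holds the Principal Identity, and treat the key file like any other credential in your secrets handling.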