Create or update a ALBWafPolicy

If a ALBWafPolicy with the alb-WafPolicy-id is not
already present, create a new ALBWafPolicy. If it already exists,
update the ALBWafPolicy. This is a full replace.
This API is only available when using VMware NSX-T.

Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/alb-waf-policies/<alb-wafpolicy-id>

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

ALBWafPolicy+

ALBWafPolicy (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allow_mode_delegation	Allow mode delegation Allow Rules to overwrite the policy mode. This must be set if the policy mode is set to enforcement. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
application_signatures	Application signatures Application Specific Signatures.	ALBWafApplicationSignatures
children	subtree for this type within policy tree subtree for this type within policy tree containing nested elements.	array of ChildPolicyConfigResource Children are not allowed for this type
confidence_override	Confidence override Configure thresholds for confidence labels.	ALBAppLearningConfidenceOverride
created_by	Created by Creator name.	string
crs_groups	Crs groups WAF Rules are categorized in to groups based on their characterization. These groups are system created with CRS groups.	array of ALBWafRuleGroup
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enable_app_learning	Enable app learning Enable Application Learning for this WAF policy. Default value when not specified in API or module is interpreted by ALB Controller as false.	boolean	Default: "False"
enable_auto_rule_updates	Enable auto rule updates Enable Application Learning based rule updates on the WAF Profile. Rules will be programmed in dedicated WAF learning group. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
failure_mode	Failure mode WAF Policy failure mode. This can be 'Open' or 'Closed'. Enum options - WAF_FAILURE_MODE_OPEN, WAF_FAILURE_MODE_CLOSED. Default value when not specified in API or module is interpreted by ALB Controller as WAF_FAILURE_MODE_OPEN.	ALBWafFailureMode	Default: "WAF_FAILURE_MODE_OPEN"
id	Unique identifier of this resource	string	Sortable
learning_params	Learning params Parameters for tuning Application learning.	ALBAppLearningParams
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
min_confidence	Min confidence Minimum confidence label required for auto rule updates. Enum options - CONFIDENCE_VERY_HIGH, CONFIDENCE_HIGH, CONFIDENCE_PROBABLE, CONFIDENCE_LOW, CONFIDENCE_NONE. Default value when not specified in API or module is interpreted by ALB Controller as CONFIDENCE_VERY_HIGH.	ALBAppLearningConfidenceLabel	Default: "CONFIDENCE_VERY_HIGH"
mode	Mode WAF Policy mode. This can be detection or enforcement. It can be overwritten by rules if allow_mode_delegation is set. Enum options - WAF_MODE_DETECTION_ONLY, WAF_MODE_ENFORCEMENT. Default value when not specified in API or module is interpreted by ALB Controller as WAF_MODE_DETECTION_ONLY.	ALBWafMode	Default: "WAF_MODE_DETECTION_ONLY"
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
paranoia_level	Paranoia level WAF Ruleset paranoia mode. This is used to select Rules based on the paranoia-level tag. Enum options - WAF_PARANOIA_LEVEL_LOW, WAF_PARANOIA_LEVEL_MEDIUM, WAF_PARANOIA_LEVEL_HIGH, WAF_PARANOIA_LEVEL_EXTREME. Default value when not specified in API or module is interpreted by ALB Controller as WAF_PARANOIA_LEVEL_LOW.	ALBWafParanoiaLevel	Default: "WAF_PARANOIA_LEVEL_LOW"
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
positive_security_model	Positive security model The Positive Security Model. This is used to describe how the request or parts of the request should look like. It is executed in the Request Body Phase of Avi WAF.	ALBWafPositiveSecurityModel
post_crs_groups	Post crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced after the CRS groups.	array of ALBWafRuleGroup
pre_crs_groups	Pre crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced before the CRS groups.	array of ALBWafRuleGroup
relative_path	Relative path of this object Path relative from its parent	string	Readonly
resource_type	Must be set to the value ALBWafPolicy	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
waf_crs_path	Waf crs path WAF core ruleset used for the CRS part of this Policy. It is a reference to an object of type WafCRS.	string
waf_profile_path	Waf profile path WAF Profile for WAF policy. It is a reference to an object of type WafProfile.	string	Required

Example Request:

{ "allow_mode_delegation": true, "confidence_override": { "confid_high_value": 9500, "confid_low_value": 7500, "confid_probable_value": 9000, "confid_very_high_value": 9999 }, "crs_groups": [ { "enable": true, "index": 0, "name": "CRS_402_Additional_Rules", "rules": [ { "enable": true, "index": 0, "name": "Desync attack detected", "rule": "SecRule &REQUEST_HEADERS:Content-Length \"@gt 0\" \"id:4022010, phase:1, block, t:none, msg:'Desync attack detected', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', ver:'AVI_CRS/2019_2', severity:'WARNING', chain\"\nSecRule &REQUEST_HEADERS:Transfer-Encoding \"@gt 0\" \"setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}', setvar:'tx.http_violation_score=+%{tx.warning_anomaly_score}'\"", "rule_id": "4022010" }, { "enable": true, "index": 1, "name": "Multiple Transfer Encoding Headers detected", "rule": "SecRule &REQUEST_HEADERS:Transfer-Encoding \"@gt 1\" \"id:4022020, phase:1, block, t:none, msg:'Multiple Transfer Encoding Headers detected', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', ver:'AVI_CRS/2019_2', severity:'WARNING', setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}', setvar:'tx.http_violation_score=+%{tx.warning_anomaly_score}'\"", "rule_id": "4022020" }, { "enable": true, "index": 2, "name": "Failed to parse request body.", "rule": "SecRule REQBODY_ERROR \"!@eq 0\" \"id:4022030, phase:2, block, t:none, msg:'Failed to parse request body.', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', ver:'AVI_CRS/2019_3', severity:'CRITICAL', setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"", "rule_id": "4022030" }, { "enable": true, "index": 3, "name": "Multipart request body failed strict validation.", "rule": "SecRule MULTIPART_STRICT_ERROR \"!@eq 0\" \"id:4022031, phase:2, block, t:none, msg:'Multipart request body failed strict validation.', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', ver:'AVI_CRS/2019_3', severity:'CRITICAL', setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'\"", "rule_id": "4022031" } ] } ], "display_name": "test-WAF-Policy", "enable_app_learning": false, "enable_auto_rule_updates": true, "failure_mode": "WAF_FAILURE_MODE_OPEN", "learning_params": { "enable_per_uri_learning": true, "max_params": 100, "max_uris": 500, "min_hits_to_learn": 10000, "sampling_percent": 1, "update_interval": 30 }, "min_confidence": "CONFIDENCE_VERY_HIGH", "mode": "WAF_MODE_DETECTION_ONLY", "paranoia_level": "WAF_PARANOIA_LEVEL_LOW", "waf_crs_path": "/infra/alb-waf-crs/test-waf-crs", "waf_profile_path": "/infra/alb-waf-profiles/test-waf-profile" }

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ALBWafPolicy+

ALBWafPolicy (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allow_mode_delegation	Allow mode delegation Allow Rules to overwrite the policy mode. This must be set if the policy mode is set to enforcement. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
application_signatures	Application signatures Application Specific Signatures.	ALBWafApplicationSignatures
children	subtree for this type within policy tree subtree for this type within policy tree containing nested elements.	array of ChildPolicyConfigResource Children are not allowed for this type
confidence_override	Confidence override Configure thresholds for confidence labels.	ALBAppLearningConfidenceOverride
created_by	Created by Creator name.	string
crs_groups	Crs groups WAF Rules are categorized in to groups based on their characterization. These groups are system created with CRS groups.	array of ALBWafRuleGroup
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enable_app_learning	Enable app learning Enable Application Learning for this WAF policy. Default value when not specified in API or module is interpreted by ALB Controller as false.	boolean	Default: "False"
enable_auto_rule_updates	Enable auto rule updates Enable Application Learning based rule updates on the WAF Profile. Rules will be programmed in dedicated WAF learning group. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
failure_mode	Failure mode WAF Policy failure mode. This can be 'Open' or 'Closed'. Enum options - WAF_FAILURE_MODE_OPEN, WAF_FAILURE_MODE_CLOSED. Default value when not specified in API or module is interpreted by ALB Controller as WAF_FAILURE_MODE_OPEN.	ALBWafFailureMode	Default: "WAF_FAILURE_MODE_OPEN"
id	Unique identifier of this resource	string	Sortable
learning_params	Learning params Parameters for tuning Application learning.	ALBAppLearningParams
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
min_confidence	Min confidence Minimum confidence label required for auto rule updates. Enum options - CONFIDENCE_VERY_HIGH, CONFIDENCE_HIGH, CONFIDENCE_PROBABLE, CONFIDENCE_LOW, CONFIDENCE_NONE. Default value when not specified in API or module is interpreted by ALB Controller as CONFIDENCE_VERY_HIGH.	ALBAppLearningConfidenceLabel	Default: "CONFIDENCE_VERY_HIGH"
mode	Mode WAF Policy mode. This can be detection or enforcement. It can be overwritten by rules if allow_mode_delegation is set. Enum options - WAF_MODE_DETECTION_ONLY, WAF_MODE_ENFORCEMENT. Default value when not specified in API or module is interpreted by ALB Controller as WAF_MODE_DETECTION_ONLY.	ALBWafMode	Default: "WAF_MODE_DETECTION_ONLY"
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
paranoia_level	Paranoia level WAF Ruleset paranoia mode. This is used to select Rules based on the paranoia-level tag. Enum options - WAF_PARANOIA_LEVEL_LOW, WAF_PARANOIA_LEVEL_MEDIUM, WAF_PARANOIA_LEVEL_HIGH, WAF_PARANOIA_LEVEL_EXTREME. Default value when not specified in API or module is interpreted by ALB Controller as WAF_PARANOIA_LEVEL_LOW.	ALBWafParanoiaLevel	Default: "WAF_PARANOIA_LEVEL_LOW"
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
positive_security_model	Positive security model The Positive Security Model. This is used to describe how the request or parts of the request should look like. It is executed in the Request Body Phase of Avi WAF.	ALBWafPositiveSecurityModel
post_crs_groups	Post crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced after the CRS groups.	array of ALBWafRuleGroup
pre_crs_groups	Pre crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced before the CRS groups.	array of ALBWafRuleGroup
relative_path	Relative path of this object Path relative from its parent	string	Readonly
resource_type	Must be set to the value ALBWafPolicy	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
waf_crs_path	Waf crs path WAF core ruleset used for the CRS part of this Policy. It is a reference to an object of type WafCRS.	string
waf_profile_path	Waf profile path WAF Profile for WAF policy. It is a reference to an object of type WafProfile.	string	Required

Example Response:

{ "_create_time": 1604070856976, "_create_user": "admin", "_last_modified_time": 1604070857297, "_last_modified_user": "admin", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": false, "allow_mode_delegation": true, "crs_groups": [ { "enable": true, "index": 0, "name": "CRS_402_Additional_Rules", "rules": [ { "avi_tags": [ "platform-multi", "language-multi", "attack-protocol", "application-multi" ], "enable": true, "index": 0, "is_sensitive": false, "name": "Desync attack detected", "rule": "SecRule &REQUEST_HEADERS:Content-Length \"@gt 0\" \"id:4022010, phase:1, block, t:none, msg:'Desync attack detected', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', ver:'AVI_CRS/2019_2', severity:'WARNING', chain\"\nSecRule &REQUEST_HEADERS:Transfer-Encoding \"@gt 0\" \"setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}', setvar:'tx.http_violation_score=+%{tx.warning_anomaly_score}'\"", "rule_id": "4022010" } ] } ], "display_name": "test-WAF-Policy", "enable_app_learning": false, "enable_auto_rule_updates": true, "failure_mode": "WAF_FAILURE_MODE_OPEN", "id": "test-WAF-Policy", "is_system_default": true, "learning_params": { "enable_per_uri_learning": true, "max_params": 100, "max_uris": 500, "min_hits_to_learn": 10000, "sampling_percent": 1, "update_interval": 30 }, "marked_for_delete": false, "min_confidence": "CONFIDENCE_VERY_HIGH", "mode": "WAF_MODE_DETECTION_ONLY", "overridden": false, "paranoia_level": "WAF_PARANOIA_LEVEL_LOW", "parent_path": "/infra", "path": "/infra/alb-waf-policies/test-WAF-Policy", "relative_path": "test-WAF-Policy", "resource_type": "ALBWafPolicy", "unique_id": "7ae756f3-bd33-4a73-ae9d-251a33c60c48", "waf_crs_path": "/infra/alb-waf-crs/CRS-2020-3", "waf_profile_path": "/infra/alb-waf-profiles/test-WAF-Policy" }

Create or update a ALBWafPolicy

Request:

ALBWafPolicy (schema)

Example Request:

Successful Response:

ALBWafPolicy (schema)

Example Response:

Required Permissions:

Feature:

Additional Errors: