| _create_time |
Timestamp of resource creation |
EpochMsTimestamp |
Readonly
Sortable |
| _create_user |
ID of the user who created this resource |
string |
Readonly |
| _last_modified_time |
Timestamp of last modification |
EpochMsTimestamp |
Readonly
Sortable |
| _last_modified_user |
ID of the user who last modified this resource |
string |
Readonly |
| _links |
References related to this resource
The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink |
Readonly |
| _protection |
Indicates protection status of this resource
Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
|
string |
Readonly |
| _revision |
Generation of this resource config
The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int |
|
| _schema |
Schema for this resource |
string |
Readonly |
| _self |
Link to this resource |
SelfResourceLink |
Readonly |
| _system_owned |
Indicates system owned resource |
boolean |
Readonly |
| application_connectivity_strategy |
List of Application Connectivity strategy for this SecurityPolicy
This field indicates the application connectivity policy for the security
policy.
|
array of ApplicationConnectivityStrategy |
Maximum items: 3 |
| category |
A way to classify a security policy, if needed.
- Distributed Firewall -
Policy framework provides five pre-defined categories for classifying
a security policy. They are "Ethernet","Emergency", "Infrastructure"
"Environment" and "Application". There is a pre-determined order in
which the policy framework manages the priority of these security
policies. Ethernet category is for supporting layer 2 firewall rules.
The other four categories are applicable for layer 3 rules. Amongst
them, the Emergency category has the highest priority followed by
Infrastructure, Environment and then Application rules. Administrator
can choose to categorize a security policy into the above categories
or can choose to leave it empty. If empty it will have the least
precedence w.r.t the above four categories.
- Edge Firewall -
Policy Framework for Edge Firewall provides six pre-defined categories
"Emergency", "SystemRules", "SharedPreRules", "LocalGatewayRules",
"AutoServiceRules" and "Default", in order of priority of rules.
All categories are allowed for Gatetway Policies that belong
to 'default' Domain. However, for user created domains, category is
restricted to "SharedPreRules" or "LocalGatewayRules" only. Also, the
users can add/modify/delete rules from only the "SharedPreRules" and
"LocalGatewayRules" categories. If user doesn't specify the category
then defaulted to "Rules". System generated category is used by NSX
created rules, for example BFD rules. Autoplumbed category used by
NSX verticals to autoplumb data path rules. Finally, "Default" category
is the placeholder default rules with lowest in the order of priority.
|
string |
|
| children |
subtree for this type within policy tree
subtree for this type within policy tree containing nested elements.
|
array of ChildPolicyConfigResource
(Abstract type: pass one of the following concrete types)
ChildRule
ChildSecurityPolicyContainerCluster |
|
| comments |
SecurityPolicy lock/unlock comments
Comments for security policy lock/unlock. |
string |
|
| connectivity_preference |
Connectivity preference applicable for this SecurityPolicy
This field indicates the default connectivity policy for the security
policy. Based on the connectivitiy preference, a default rule for this
security policy will be created. An appropriate action will be set on
the rule based on the value of the connectivity preference. If NONE is
selected or no connectivity preference is specified, then no default
rule for the security policy gets created. The default rule that gets
created will be a any-any rule and applied to entities specified in the
scope of the security policy. Specifying the connectivity_preference
without specifying the scope is not allowed. The scope has to be a
Group and one cannot specify IPAddress directly in the group that is
used as scope. This default rule is only applicable for the Layer3
security policies.
ALLOWLIST - Adds a default drop rule. Administrator can then use "allow"
rules to allow traffic between groups
DENYLIST - Adds a default allow rule. Admin can then use "drop" rules
to block traffic between groups
ALLOWLIST_ENABLE_LOGGING - Allowlisting with logging enabled
DENYLIST_ENABLE_LOGGING - Denylisting with logging enabled
NONE - No default rule is created.
|
string |
Enum: ALLOWLIST, DENYLIST, ALLOWLIST_ENABLE_LOGGING, DENYLIST_ENABLE_LOGGING, NONE |
| connectivity_strategy |
Connectivity strategy applicable for this SecurityPolicy
This field indicates the default connectivity policy for the security
policy. Based on the connectivity strategy, a default rule for this
security policy will be created. An appropriate action will be set on
the rule based on the value of the connectivity strategy. If NONE is
selected or no connectivity strategy is specified, then no default
rule for the security policy gets created. The default rule that gets
created will be a any-any rule and applied to entities specified in the
scope of the security policy. Specifying the connectivity_strategy
without specifying the scope is not allowed. The scope has to be a
Group and one cannot specify IPAddress directly in the group that is
used as scope. This default rule is only applicable for the Layer3
security policies.
This property is deprecated. Use the type connectivity_preference instead.
WHITELIST - Adds a default drop rule. Administrator can then use "allow"
rules (aka whitelist) to allow traffic between groups
BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules
(aka blacklist) to block traffic between groups
WHITELIST_ENABLE_LOGGING - Whitelising with logging enabled
BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled
NONE - No default rule is created.
|
string |
Deprecated
Enum: WHITELIST, BLACKLIST, WHITELIST_ENABLE_LOGGING, BLACKLIST_ENABLE_LOGGING, NONE |
| default_rule_id |
Default rule ID associated with the connectivity_preference
Based on the value of the connectivity strategy, a default rule is
created for the security policy. The rule id is internally assigned
by the system for this default rule.
|
integer |
Readonly |
| description |
Description of this resource |
string |
Maximum length: 1024
Sortable |
| display_name |
Identifier to use when displaying entity in logs or GUI
Defaults to ID if not set |
string |
Maximum length: 255
Sortable |
| id |
Unique identifier of this resource |
string |
Sortable |
| internal_sequence_number |
Internal sequence number
This field is to indicate the internal sequence number of a policy
with respect to the policies across categories.
|
int |
Readonly |
| is_default |
Default policy flag
A flag to indicate whether policy is a default policy. |
boolean |
Readonly |
| lock_modified_by |
User who locked the security policy
ID of the user who last modified the lock for the secruity policy.
|
string |
Readonly |
| lock_modified_time |
SecuirtyPolicy locked/unlocked time
SecurityPolicy locked/unlocked time in epoch milliseconds. |
EpochMsTimestamp |
Readonly |
| locked |
Lock a security policy
Indicates whether a security policy should be locked. If the
security policy is locked by a user, then no other user would
be able to modify this security policy. Once the user releases
the lock, other users can update this security policy.
|
boolean |
Default: "False" |
| logging_enabled |
Enable logging flag
This property is deprecated.
Flag to enable logging for all the rules in the security policy.
If the value is true then logging will be enabled for all the rules
in the security policy. If the value is false, then the rule level
logging value will be honored.
|
boolean |
Deprecated
Default: "False" |
| marked_for_delete |
Indicates whether the intent object is marked for deletion
Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
|
boolean |
Readonly
Default: "False" |
| overridden |
Indicates whether this object is the overridden intent object
Global intent objects cannot be modified by the user.
However, certain global intent objects can be overridden locally by use
of this property. In such cases, the overridden local values take
precedence over the globally defined values for the properties.
|
boolean |
Readonly
Default: "False" |
| parent_path |
Path of its parent
Path of its parent |
string |
Readonly |
| path |
Absolute path of this object
Absolute path of this object |
string |
Readonly |
| realization_id |
A unique identifier assigned by the system for realizing intent
This is a UUID generated by the system for realizing the entity object.
In most cases this should be same as 'unique_id' of the entity. However,
in some cases this can be different because of entities have migrated thier
unique identifier to NSX Policy intent objects later in the timeline and did
not use unique_id for realization. Realization id is helpful for users to
debug data path to correlate the configuration with corresponding intent.
|
string |
Readonly |
| relative_path |
Relative path of this object
Path relative from its parent |
string |
Readonly |
| resource_type |
Must be set to the value SecurityPolicy |
string |
|
| rule_count |
Rule count
The count of rules in the policy.
|
int |
Readonly |
| rules |
Rules that are a part of this SecurityPolicy |
array of Rule |
|
| scheduler_path |
Path to the scheduler for time based scheduling
Provides a mechanism to apply the rules in this policy for a specified
time duration.
|
string |
|
| scope |
The list of group paths where the rules in this policy will get
applied. This scope will take precedence over rule level scope.
Supported only for security and redirection policies. In case of
RedirectionPolicy, it is expected only when the policy is NS and
redirecting to service chain.
|
array of string |
Maximum items: 128 |
| sequence_number |
Sequence number to resolve conflicts across Domains
This field is used to resolve conflicts between security policies
across domains. In order to change the sequence number of a policy
one can fire a POST request on the policy entity with
a query parameter action=revise
The sequence number field will reflect the value of the computed
sequence number upon execution of the above mentioned POST request.
For scenarios where the administrator is using a template to update
several security policies, the only way to set the sequence number is
to explicitly specify the sequence number for each security policy.
If no sequence number is specified in the payload, a value of 0 is
assigned by default. If there are multiple policies with the same
sequence number then their order is not deterministic. If a specific
order of policies is desired, then one has to specify unique sequence
numbers or use the POST request on the policy entity with
a query parameter action=revise to let the framework assign a
sequence number.
The value of sequence number must be between 0 and 999,999.
|
int |
Minimum: 0 |
| stateful |
Stateful nature of the entries within this security policy.
Stateful or Stateless nature of security policy is enforced on all
rules in this security policy. When it is stateful, the state of
the network connects are tracked and a stateful packet inspection is
performed.
Layer3 security policies can be stateful or stateless. By default, they are stateful.
Layer2 security policies can only be stateless.
|
boolean |
|
| tags |
Opaque identifiers meaningful to the API user |
array of Tag |
Maximum items: 30 |
| tcp_strict |
Enforce strict tcp handshake before allowing data packets
Ensures that a 3 way TCP handshake is done before the data packets
are sent.
tcp_strict=true is supported only for stateful security policies.
If the tcp_strict flag is not specified and the security policy
is stateful, then tcp_strict will be set to true.
|
boolean |
|
| unique_id |
A unique identifier assigned by the system
This is a UUID generated by the GM/LM to uniquely identify
entites in a federated environment. For entities that are
stretched across multiple sites, the same ID will be used
on all the stretched sites.
|
string |
Readonly |